Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Lockdown! Harden Windows 10 for maximum security

Fahmida Y. Rashid | Sept. 23, 2016
To make the most of Windows 10's security improvements, you must target the right edition and hardware for your needs

Older systems that don’t support TPM 2.0 -- either because they don’t have the chip installed or are old enough that they have only TPM 1.2 -- will need to get a TPM 2.0-enabled chip installed. Otherwise, they will not be able to upgrade to Anniversary Update at all.

While some of the security features work with TPM 1.2, it’s better to get TPM 2.0 whenever possible. TPM 1.2 allows only for RSA and SHA-1 hashing algorithm, and considering the SHA-1 to SHA-2 migration is well under way, sticking with TPM 1.2 is problematic. TPM 2.0 is much more flexible, as it supports SHA-256 and elliptical curve cryptography.

Unified Extensible Firmware Interface (UEFI) BIOS is the next piece of must-have hardware for achieving the most secure Windows 10 experience. The device needs to be shipped with UEFI BIOS enabled to allow Secure Boot, which ensures that only operating system software, kernels, and kernel modules signed with a known key can be executed during boot time. Secure Boot blocks rootkits and BIOS-malware from executing malicious code. Secure Boot requires firmware that supports UEFI v2.3.1 Errata B and has the Microsoft Windows Certification Authority in the UEFI signature database. While a boon from a security perspective, Microsoft designating Secure Boot mandatory for Windows 10 has run into controversy, as it makes it harder to run unsigned Linux distributions (such as Linux Mint) on Windows 10-capable hardware.

Anniversary Update won’t install unless your device is UEFI 2.31-compliant or later.

A short list of Windows 10 features and hardware requirements
Windows 10 featureTPMInput/output memory management unitVirtualization extensionsSLATUEFI 2.3.1For x64 architecture only
Credential Guard Recommended Not used Required Required Required Required
Device Guard Not used Required Required Required Required Required
BitLocker Recommended Not required Not required Not required Not required Not required
Configurable code integrity Not required Not required Not required Not required Recommended Recommended
Microsoft Hello Recommended Not required Not required Not required Not required Not required
VBS Not required Required Required Required Not required Required
UEFI Secure Boot Recommended Not required Not required Not required Required Not required
Device health attestation through Measured Boot Requires TPM 2.0 Not required Not required Not required Required Required

Beefing up authentication, identity

Password security has been a significant issue in the past few years, and Windows Hello moves us closer to a password-free world as it integrates and extends biometric logins and two-factor authentication to "recognize" users without passwords. Windows Hello also manages to be simultaneously the most accessible and inaccessible security feature of Windows 10. Yes, it is available across all Win10 editions, but it requires significant hardware investment to get the most of what it has to offer.

To protect credentials and keys, Hello requires TPM 1.2 or later. But for devices where TPM is not installed or configured, Hello can use software-based protection to secure credentials and keys instead, so Windows Hello is accessible to pretty much any Windows 10 device.

But the best way to use Hello is to store biometric data and other authentication information in the on-board TPM chip, as the hardware protection makes it more difficult for attackers to steal them. Further, to take full advantage of biometric authentication, additional hardware -- such as a specialized illuminated infrared camera or a dedicated iris or fingerprint reader -- is necessary. Most business-class laptops and several lines of consumer laptops ship with fingerprint scanners, enabling businesses to get started with Hello under any edition of Windows 10. But the marketplace is still limited when it comes to depth-sensing 3D cameras for facial recognition and retina scanners for iris-scanning, so Windows Hello’s more advanced biometrics is a future possibility for most, rather than a daily reality.

 

Previous Page  1  2  3  4  5  Next Page 

Sign up for CIO Asia eNewsletters.