Monday, February 20, 2017

Security enhancements

The cat-and-mouse game between online criminals and computer security experts affects every popular software product. Microsoft’s commitment to securing Windows is substantial, and it includes some groundbreaking advanced features. As part of the ongoing effort to make computing safer, Windows 8 introduced major new security features, Windows 8.1 added still more improvements, and Windows 10 ups the ante yet again.

The most significant new Windows 10 security feature involves a major improvement in authentication, based on biometric factors.

On Windows 10 devices that include the appropriate hardware, two new features will significantly ease the process of authenticating to the device and to online services:

■ Windows Hello This feature uses biometric authentication—facial recognition, an iris scan, or a fingerprint—to unlock devices. The technology is significantly more advanced than existing biometric methods that are supported for basic authentication in Windows 8.1. For example, Windows Hello requires an infrared-equipped camera to prevent spoofing identification using a photograph.

Enabling Windows Hello requires enrolling a Windows 10 device (PC, tablet, or phone) as trusted for the purposes of authentication. In that scenario, the enrolled device itself works as an additional proof of identity, supporting multifactor authentication.

■ Microsoft Passport The second feature is based on a new API that works in conjunction with biometric authentication on an enrolled device to sign in to any supported mobile service. The Passport framework allows enterprise IT managers, developers, and website administrators to provide a more secure alternative to passwords. During the authentication process, no password is sent over the wire or stored on remote servers, cutting off the two most common avenues for security breaches.

Windows 10 also leverages security features found in modern hardware (and originally enabled in Windows 8 and Windows 8.1) to ensure that the boot process isn’t compromised by rootkits and other aggressive types of malware. On devices equipped with the Unified Extensible Firmware Interface (UEFI), the Secure Boot process validates and ensures that startup files, including the OS loader, are trusted and properly signed, preventing the system from starting with an untrusted operating system. After the OS loader hands over control to Windows 10, two additional security features are available:

■ Trusted boot This feature protects the integrity of the remainder of the boot process, including the kernel, system files, boot-critical drivers, and even the antimalware software itself. Early Launch Antimalware (ELAM) drivers are initialized before other third-party applications and kernel-mode drivers are allowed to start. This configuration prevents antimalware software from being tampered with and allows the operating system to identify and block attempts to tamper with the boot process.

■ Measured boot On devices that include a Trusted Platform Module (TPM), Windows 10 can perform comprehensive chain-of-integrity measurements during the boot process and store those results securely in the TPM. On subsequent startups, the system measures the operating-system kernel components and all boot drivers, including third-party drivers. This information can be evaluated by a remote service to confirm that those key components have not been improperly modified and to further validate a computer’s integrity before granting it access to resources, a process called remote attestation.

To block malicious software after the boot process is complete, Windows 10 includes two signature features that will be new to any organization that is migrating directly from Windows 7:

■ Windows Defender Previous Windows versions included a limited antispyware feature called Windows Defender. Beginning with Windows 8, the same name describes a full-featured antimalware program that is the successor to Microsoft Security Essentials. Windows Defender is unobtrusive in everyday use, has minimal impact on system resources, and updates both its signatures and the antimalware engine regularly. Windows Defender includes network behavior monitoring as well. If you install a different antimalware solution, Windows Defender disables its real-time protection but remains available.

■ Windows SmartScreen Windows SmartScreen is a safety feature that uses application reputation-based technologies to help protect Windows users from malicious software. This browser-independent technology checks any new application before installation, blocking potentially high-risk applications that have not yet established a reputation. The Windows SmartScreen app reputation feature works with the SmartScreen feature in the default Windows browser, which also protects users from websites seeking to acquire personal information such as user names, passwords, and billing data.

An all-new feature in Windows 10, Credential Guard, uses virtualization-based security to isolate secrets (including domain passwords) so that only privileged system software can access them. This feature prevents common credential-theft attacks such as Pass-The-Hash and Pass-The-Ticket. Credential Guard must be enabled for each PC in an organization and works only with Windows 10 Enterprise edition.

Windows 10 adds information-protection capabilities that make it possible to protect corporate data even on employee-owned devices. Network administrators can define policies that automatically encrypt sensitive information, including corporate apps, data, email, and the contents of intranet sites. Support for this encryption is built into common Windows controls, such as Open and Save dialog boxes.

For tighter security, administrators can create lists of apps that are allowed to access encrypted data as well as those that are denied access—a network administrator might choose to deny access to a consumer cloud file-storage service, for example, to prevent sensitive files from being shared outside the organization.

Two features should be of significant interest to anyone with responsibility for sensitive enterprise data:
■ Enterprise Data Protection This feature is an evolution of Remote Business Data Removal (RBDR), a feature introduced in Windows 8.1 and significantly enhanced for Windows 10. Using this feature, administrators can mark and encrypt corporate content to distinguish it from ordinary user data. Policies control what employees can do with data marked as such, and when the relationship between the organization and the user ends, the encrypted corporate data is no longer available to the now-unauthorized user. This is a significant new feature, due to arrive in Windows 10 in 2016 but not available in current releases.

■ Pervasive Device Encryption Device encryption is available in all editions of Windows 10. It is enabled out of the box and can be configured with additional BitLocker protection and management capability on the Pro and Enterprise editions. Devices that support the InstantGo feature (formerly known as Connected Standby) are automatically encrypted and protected when using a Microsoft account.

Organizations that need to manage encryption can easily enable additional BitLocker protection options and manageability to these devices. On unmanaged Windows 10 devices, BitLocker Drive Encryption can be turned on by the user, with the recovery key saved to a Microsoft account.
BitLocker in Windows 10 supports encrypted drives, which are hard drives that come pre-encrypted from the manufacturer. On this type of storage device, BitLocker offloads the cryptographic operations to hardware, increasing overall encryption performance and decreasing CPU and power consumption.

On devices without hardware encryption, BitLocker encrypts data more quickly than you’ve grown accustomed to in Windows 7 environments. With BitLocker, you can choose to encrypt only the used space on a disk instead of the entire disk. In this configuration, free space is encrypted when it’s first used. This results in a faster, less disruptive encryption process so that enterprises can provision BitLocker quickly without an extended time commitment.

A final security measure is appropriate for organizations with high-security needs, such as regulated industries, defense contractors, and government agencies concerned about online espionage. With Windows 10 Enterprise edition, administrators will be able to use the Device Guard feature to completely lock down devices so that they’re unable to run untrusted code.

In this configuration, the only apps that will be allowed to run are those signed by a Microsoft-issued, code-signing certificate. That includes any app from the Windows Store as well as desktop apps that an organization has submitted to Microsoft to be digitally signed. These signed apps also can be delivered to employees through a customized Business Store. If your enterprise uses internal line-of-business apps that are sideloaded, they will need to be signed by an enterprise certificate.

Source of Information : Microsoft Introducing Windows 10 For IT Professionals

No comments: