windows 10 security

Upload: myint-zaw

Post on 06-Mar-2016

TRANSCRIPT

  • Page | 2 www.Windows10update.com

Copyright Notice

INTRODUCTION TO WINDOWS 10 SECURITY - BY ONUORA AMOBI

UPDATED SEPTEMBER 15TH, 2015

2015 Nnigma Inc.

All rights reserved.

Any unauthorized use, sharing, reproduction or distribution of these materials by any means, electronic, mechanical, or otherwise is strictly prohibited.

No portion of these materials may be reproduced in any manner whatsoever, without the express written consent of the Publisher or Author.

Published under the Copyright Laws of The United States of America by:

Nnigma Inc.

3579 East Foothill Blvd, Suite #254

Pasadena, CA 91107

www.Nnigma.com

Legal Notice

While all attempts have been made to verify information provided in this publication, neither the author nor the publisher assumes any responsibility for errors, omissions or contradictory interpretation of the subject matter herein.

This publication is not intended to be used as a source of binding technical, technological, legal or accounting advice.

Please remember that the information contained may be subject to varying state and/or local laws or regulations that may apply to the user's particular practice.

The purchaser or reader of this publication assumes responsibility for the use of these materials and information.

Adherence to all applicable laws and regulations, both federal, state, and local, governing professional licensing, business practices, advertising and any other aspects of doing business in the US or any other jurisdiction is the sole responsibility of the purchaser or reader.

Nnigma Inc. assumes no responsibility or liability whatsoever on behalf of any purchaser or reader of these materials.

Windows 10, Windows 9, Windows 8.1, Windows 8.1 Update 1, Windows 8, Windows 7, Windows Vista, Windows XP, Surface Hub, Windows Holographic and all other related terms are registered trademarks of the Microsoft Corporation.

All Rights Reserved.

All other trademarks are the property of their respective owners.

All trademarks and copyrights are freely acknowledged.

Table of Contents

Introduction to Windows 10 Security
  Microsoft and the FIDO Alliance
  The comparison to Windows 7 and 8 Security features
How Microsoft Windows 10 Will Protect Your Identity
  Windows 10 Protecting Your Identity and Controlling Access
  The Pros and Cons of Biometrics
  Facial Authentication
  Windows Hello
New Security Features in Windows 10
  Microsoft Passport
  Passport2Go
  BitLocker and TPM
  How Does BitLocker Drive Encryption Work?
  Device Guard
  Required Hardware and Software for Device Guard
  Why use Device Guard?
  Enterprise Data Protection (EDP)
  How Does EDP Work?
  Levels of Protection
  EDP Allows Better Work Flow
  Changing the Protection Levels on Documents
  Enterprise Data Security
  Wipe Enterprise Data Remotely
  Copying or Downloading Enterprise Data
  Privileged Apps and Restrictions
  Persistent Data Encryption
  Helps Prevent Accidental Data Sharing
  The Benefits of EDP
  Enterprise scenarios
  Windows Defender
  Configuration and Exclusions
  UEFI
  Advanced Threat Analytics
  How Does It Work?
  Virtual Secure Mode
  Microsoft Virtualization Strategy and Security
  Security Improvements
  Enterprise Mobility: Identity in the Enterprise
  Cloud App Discovery
  Managing Your Directory on the Cloud
How Microsoft Windows 10 Will Protect Your Data
  Azure Rights Management and Information Rights Management
  Azure Administrative Tasks
  Data Protection in Azure
  Virtual Machines: Windows/Linux
  Key Vault Security
  Azure Storage: Blobs, Tables, Queues
  SQL Server and SQL Database
  Access Control and Auditing
  Mitigate the Risk of Compromised Accounts
  Limiting Permissions
  Privileged Accounts
  What is the Operations Management Suite?
  Mobile Security
  MDM: Mobile Device Management and the Business Store
  Browser Security
  Enterprise Mobility Suite
  Office 365
  Conditional Access to Azure AD Connected Applications
  Windows as a Service: More Security via secure updates
  Windows Update for Business
Windows 10 and the Internet of Things
  AllSeen and AllJoyn
  Where Does Windows 10 Come In?
  IoT Azure Security
Summary

Introduction to Windows 10 Security

Security has always been an issue for computer users. However, over the last couple of decades, security threats have become much worse.

While you may think you have the best security system possible on your PC, it is likely that you probably don't. Why? Because the landscape of cyber-threats is changing too fast for ordinary security software to keep up with.

Heck, you could buy a new security system for your computer right now and within 72 hours it would require a security update.

Cyber threats are becoming more complex and attackers more cunning. Viruses and malware, for example, have gained new abilities to hide and remain undetected.

Cyber-attacks are more sophisticated and highly targeted compared with years ago, when hackers could only hope for indiscriminate and unfocused damage.

In the early days, we had script kiddies, who were aimed at causing mischief rather than damage.

Today criminal gangs conduct crimes such as click fraud and ID theft, purely for illicit profit. We also have activists and Internet terror groups whose sole aim is to cause as much disruption and damage as they can, as well as steal identities.

In the midst of this very treacherous landscape, Microsoft has taken up the challenge of keeping computer users safe. With Windows 10, the software company is introducing unprecedented levels of security safeguards into the very fabric of the Operating System.

I wrote this book because I wanted to take a brief look behind the curtain to see what types of security were embedded in Windows 10.

Here's what I found.

Microsoft and the FIDO Alliance

The FIDO (Fast Identity Online) Alliance was launched in 2012 as a way of addressing the lack of interoperability between strong authentication devices and the problems users have in remembering multiple usernames and passwords. PayPal and Lenovo, two of the biggest names in the industry, were founding members of FIDO. In just over a year after launch, many more big names had joined the alliance, including Google, BlackBerry, Visa, SecureKey and, of course, Microsoft.

So, how does the FIDO Alliance factor into Windows 10? To get to that, we need to go back a step or two, to talk about why Microsoft opted to join the Alliance.

Security problems on our devices are getting worse, partly because of the significant jump in malicious attacks and partly because of user behaviour. You see, it often comes down to passwords. Computer users often get sloppy and lax, and share their passwords with others.

That isn't the only problem, though; the next part of the puzzle involves the websites we visit. The issue is not that they are unsafe, because most of them are safe. It's just that, once again, that lazy gene comes out and we stick to using the same password for every single site that we have to log in to. Why do we do that? Because not only is it time-consuming to have to come up with a different complex password for each site, we have to remember them as well. The human brain can only hold so much information and, to help us out, we write those passwords down, which comes back to being lax and sloppy about security.

Because we are using the same login details for every site, it makes it easy for those details to be stolen. A malicious attacker will go for a weak website, one which doesn't have so much security on it, and once they have your details from that site, it doesn't take a genius to guess that you probably used the same ones to log in everywhere else! That gives the attacker an open pass, a master key if you like, to everything you have access to.

The final piece of the puzzle, one of the weakest links, is the device that you are using. It's not that it's no good, it's just that, up until now, any application would run on your device, regardless of content, until it was proven to be a bad apple. The only way that app would not run is if your anti-virus software or firewall picked it up and kicked it out. Not everyone has antivirus software installed, or they don't use the one that is already provided with Windows. That means that so much malware gets through the net that, once it starts, it is difficult to stop.

So how does Microsoft intend to fix this? The current PKI (public key infrastructure) is way too expensive and complex to maintain, and it is constantly under attack. The current CA (certificate authority) system is also under attack. An attacker can get to your certificate details before your IDP (Identity Provider) can give you a token, and that leaves every door in the house wide open. And, if that weren't enough, limited use of MFA (multi-factor authentication) leaves weak spots everywhere, weak spots that take little effort to get through.

In Windows 10, Microsoft is making it easier for you to log in while tightening the security net with MFA. With a combination of biometrics, PIN access and tying asymmetric key pairs to a specific device, Microsoft is aiming to make it so that no one else, except for you, can access your resources and your applications.

With Windows 10, Microsoft is bringing to market the next generation of user credentials. We'll run through them one by one in this book.

The comparison to Windows 7 and 8 Security features

Microsoft had to take a new approach to Windows 10 security for a couple of reasons.

First, security problems and challenges continue to evolve rapidly, and it was clear that there were new challenges that needed to be solved.

It was also clear that some of these challenges were a little bit more sophisticated than Windows 7 and Windows 8 were designed to handle.

To give you a quick overview, take a look at the table below, showing you the fundamental differences in security between Windows 7 and Windows 10:

Function: Identity Protection
  Windows 7: Password theft is too common now, and current multi-factor solutions are simply too expensive and too difficult to deploy.
  Windows 10: Comes complete with an easy-to-deploy multi-factor solution, with anti-phishing and anti-theft features. Password protection and PINs are included in the multi-factor security solution.

Function: Data Protection
  Windows 7: Offers the option of configurable disk encryption but doesn't have integrated Data Loss Prevention (DLP). Third-party solutions can be used, but are not always successful.
  Windows 10: Has market-leading disk encryption that is very manageable, and increased out-of-band (OOB) security updates. Data separation and DLP are fully integrated.

Function: Threat Resistance
  Windows 7: Apps are always trusted until they are a threat, and there is no way of detecting the thousands of new threats that appear every day.
  Windows 10: Desktop machines can be locked down to a mobile level. There is the ability to have a trusted-app model where those apps that are untrusted cannot run.

Function: Device Security
  Windows 7: The platform is securely built, but built on software alone, meaning malware can hide from security, embedding itself in devices.
  Windows 10: The platform is built on integrated hardware and software security and offers protection from being switched on to being shut down. System tampering becomes far harder and malware has far fewer places to hide.

Basically, Microsoft took a holistic look at security and decided to attack some of the fundamental security flaws and challenges from a deep architectural perspective.

With Windows 10, Microsoft has implemented a wide variety of security solutions that protect both your software and the hardware:

Windows Hello and Microsoft Passport handle ID protection.

BitLocker and Enterprise Data Protection handle data protection.

Device Guard and Windows Defender protect against multifaceted threats.

UEFI Secure Boot, TPM 2.0 and virtualization keep your hardware safe.

Let's take a closer look at each of these solutions.

How Microsoft Windows 10 Will Protect Your Identity

First up is identity protection. Identity theft is the one thing that concerns computer users the most.

Every day, more stories are published about people whose identity has been stolen and used to commit fraud and that, quite understandably, makes consumers nervous. Windows 10 looks set to make users feel good about using a computer again, to make them feel secure.

Windows 10 Protecting Your Identity and Controlling Access

The next topic of discussion is a new solution to protect one's identity, a solution that leaves behind the old-fashioned use of single-factor authentication, like passwords. It is a solution that protects you when a breach happens in the datacenter.

It also protects your data from being stolen if your device happens to be compromised, and it stops phishing attacks in their tracks.

Once you are enrolled in the system, your device becomes one of the two factors that you need for authentication; the other is a PIN or biometric information, such as your fingerprint.

The systems in question are Windows Hello and Microsoft Passport, two systems that work together to provide the ultimate in identity protection. Let's go a little deeper and examine what each system has to offer.

This security solution benefits consumers and business users alike and provides the convenience of using a password without all the hassle of having to remember it or forgetting who you gave it to. Microsoft is taking security to a whole new level to bring its customers complete identity protection with multi-factor authentication.

Let's take a look at the systems that Microsoft chose to use and why they chose them. First, biometrics. What is it exactly? Biometrics is the study of biological characteristics that can be measured. In computer security, biometrics is increasingly used to make it more difficult for systems to be hacked through the old-fashioned password system.

The biometrics in this instance refer to physical characteristics that can easily be checked against the information that is stored in the system. There are a number of ways that biometrics are used for authentication:

Facial: the analysis of different facial characteristics

Fingerprint: analysis of the unique fingerprints of each person

Hand Geometry: the shape of the hands and the finger length

Retinal: analysis of the capillary vessels at the rear of the eye

Iris: analysis of the colored ring surrounding the pupil in the eye

Signature: how a person signs his or her name

Vein: pattern of the veins on the back of a hand and in the wrist

Voice: tone and pitch of a voice, as well as the frequency and cadence

Biometrics is still a relatively new development, but it is fast becoming the way to go with computer security systems.

The Pros and Cons of Biometrics

There are pros and cons to every form of biometric authentication. Given that Microsoft has chosen to adopt this as a security measure, it is important to review the arguments for and against the use of the new technology.

  • Page | 13 www.Windows10update.com

The arguments for using it for network access revolve mainly around three key areas. The first and perhaps the most obvious is that biometric authentication uses attributes that are unique to the individual, making it the ideal form of security.

The second argument for using biometrics is that users will no longer be able to forget their passwords, or share them with others, knowingly or inadvertently. Password administration systems and overheads are considerably reduced as well, and this is one of the driving factors in adopting biometric authentication.

The third argument is that it will be incredibly difficult for a person's biometric characteristics to be replicated, far more difficult than it is to replicate a password or user ID. Also, whereas tokens can be stolen or lost, biometric characteristics cannot.

Arguments against the use of biometrics are many, showing just how controversially it is viewed in some quarters. First and foremost, it is still expensive to implement biometric authentication measures, meaning that many organizations cannot afford it. The cost of both the hardware and software required may be prohibitive to many, along with the cost of integrating it with the current systems in place.

There is also the argument that, right now, biometric systems are only suited to simplistic networks. This is paired with some current thinking that, as an all-or-nothing technology, it may not suit many organizations at this stage. All-or-nothing means that you can go to the expense of having biometric authentication on every single computer on the network, but it counts for nothing if a user can log on to the system from a remote location without needing to use it; that would undermine everything and make the expense a complete waste of time.

There is also the argument that the storage of biometric information is an invasion of privacy, but those in favor of it say that it is only a representation of the data, not the original data, that is being stored. Of course, there is another angle to this: given the rate at which a successful technology will spread, there is concern that, should a user's biometric data be compromised, not only does it affect network security, that data could also be used for a large number of illegal activities.

One final but significant concern is that using biometric data is not the same as using a key, and it does not have the same random, secret nature of a key. Neither does it have the ability to be updated or destroyed. If a person's biometric data is compromised, it is not a simple case of issuing new biometric data; clearly that can't be done!

So, given all the controversy surrounding the use of biometrics for security, why has Microsoft opted to adopt it? The simple answer is reliability. The consequences of having a system that runs using old-fashioned methods can be damaging, with confidential information stolen and data integrity compromised.

Also, let's face it, many of the applications we use in our daily lives require some form of authentication. As far as Microsoft is concerned, by using biometric authentication to get into Windows 10, you can also use it to access all your Microsoft accounts and apps; there isn't a need to remember separate passwords for each app. Passwords can be stolen or replicated; biometric information is far harder to replicate. In addition, biometric information can be positively linked to a specific person. For example, a credit card can be used without the actual user being there, whereas biometrics requires you to be at the computing device to log in.

Windows 10 is set up to provide modern biometric capabilities that allow users to easily unlock their devices and to unlock NGC (Next Generation Credentials) for a much more improved and secure password-free existence.

The Internet can be a hostile place and consumers want a safer, more reliable experience and a better authentication system than we have now. They want a system that is secure; a system that leaves passwords in the dust, yet still gives them access to everything they need. With Windows 10, Microsoft set out to do just that, setting out a series of goals they wanted to meet:

To enable both consumers and enterprise users to be able to unlock their devices, make payments and secure their content, all without using a password and in a more secure way

To develop hardware solutions that, at the very least, meet, if not exceed, the expectations of the customer; hardware that is robust and easy to use

To deliver biometric devices that are innovative and give the customer value

To this end, Windows 10 has been developed to support a wide range of biometrics (fingerprint, facial or iris recognition), whichever suits the user best. Special hardware is required to support this, and those devices that meet the requirements of Windows 10 for biometric authentication will benefit in a number of ways:

Easy and convenient logon and very strong authentication

Enterprise-level security with access to HBI (High Business Impact) resources

Consistent inbox enrolment and usage across Windows-enabled biometric devices

In addition, Windows 10 also supports an inbox Face Authentication solution that is available for all OEMs that provide the supported hardware, without the need to rely on third parties.

Facial Authentication

Windows 10 brings a new level of face recognition to the table: a system that allows for the easy authentication and unlocking of Windows devices, as well as access to content that is NGC-supported. This is all without the need to use passwords or any additional authentication factors.

Features: Windows 10 Face Authentication features include:

An interface that is user-friendly, providing the capability for single sign-on. There is no need for the use of passwords, or any other authentication credentials.

Enterprise-grade authentication, as well as access to NGC-supported content: network resources, purchased content and websites.

Anti-spoofing measures are included to defeat physical spoofing attacks, such as presenting a photograph, so that no one except you can log on to your system.

Using clean infrared (IR) imaging, clean and consistent images can be produced even in diverse lighting conditions. The system also allows for slight changes in appearance, such as the addition or removal of facial hair, makeup, glasses, etc.

Use Cases: There are three primary use cases for Face Authentication:

1. Authentication needed to unlock or log in

On average, the system takes less than 2 seconds to recognize your face, although it may take up to 30 seconds but no more than that. This is expected to be used at a high frequency, since it is required whenever a user needs to authenticate to their device and get past the lock screen.

2. Authentication to purchase

On average, the system will recognize a face in less than 2 seconds, but up to a maximum of 30 seconds. This is required every time an application needs a user to re-authenticate their details and is not expected to be a frequently occurring use case.

3. Presence

The average duration of recognition is 1.5 to 30 seconds, although it may take longer. The frequency of usage is expected to be low and, using new presence APIs, applications will be able to use sensors to determine if the authenticated person is present at the device or if it is an unknown or guest user.

So let's talk a little bit about Microsoft's facial detection security mechanism.

Windows Hello

Windows Hello provides biometric authentication, allowing you instant access to any of your Windows 10 devices, whether desktop or mobile.

Forget trying to remember cumbersome passwords: with Windows Hello you will be able to look at your camera or use your fingerprint to be immediately recognized and allowed access.

As well as being much more convenient, it is also a more secure method than using a password.

Windows 10 introduces a new system that allows you to authenticate to enterprise content, applications, and even online experiences without having a password stored where it can be stolen.

Windows Hello works with your face, your iris or with a fingerprint (you will need a compatible camera and/or fingerprint sensor). After implementation, only you and your partnered device can be used to access your Windows 10 apps, websites, and data. This is done using a series of modern sensors that will recognize characteristics that are personal to you.

Unless your device already has an Intel RealSense compatible camera or a fingerprint sensor, you will need to upgrade to one of a large number of Windows 10 devices that will soon support Windows Hello.

For facial detection, Windows Hello uses software and special hardware to verify your identity; it won't work if someone holds up a photograph of you, for instance.

The Intel RealSense enabled cameras use infrared technology to take a very comprehensive 3D image of your face. This allows for not only a great feel for the look of your face, but the depth as well.

The cameras are stunningly reliable and can verify your identity in a wide range of lighting conditions.

Windows Hello is a solution that will be used not only by consumers but also by defense, government, health organizations, financial organizations and others to bring better security and reduce the threat of impostors or hackers.

New Security Features in Windows 10

The following are some more of the new and exciting security features that Windows 10 is bringing to the table.

Microsoft Passport

Windows Hello is not the whole story, however. Microsoft has also introduced Microsoft Passport.

Passport is designed to do away with passwords, allowing IT managers, website authors, and software developers to include a more secure way of letting you sign in to their apps or sites.

Instead of using the old-fashioned method of a password, Microsoft Passport is designed to securely verify your identity and authenticate you on websites, applications, and networks without the need to store a password on the servers, thus eliminating the threat of password theft through a server breach.

Windows 10 replaces the password with a private key held on your device, unlocked by a PIN (or a biometric), that will allow you access to either your own personal data or to your organization's data. That PIN is linked to your device only and will not work without it.

If you tried to log in using your PIN on another device, you would be barred from entering. Obviously, you will need to set up a separate PIN for each device that you intend to use, but that just adds a further layer of security: no one can access your data from just any device any longer, making your data and your identity safe from unwanted attention.

Why did Microsoft go down the route of using a PIN? Surely that is just as bad as using a password, isn't it? No. A PIN is significantly faster to use and is way more secure than a password. Next question: how can such a short PIN be more secure than a complex password? This is because it doesn't really have anything to do with size.

Where the PIN differs from a password is that a password can be used for access on any device; the PIN is unique to a specific device. That means that if someone were to steal your PIN and try to access your data, they couldn't do it unless they were using the device the PIN was linked to. Even then, the PIN does nothing on its own: it only unlocks the credential that was created on that device, and it is never sent anywhere. Makes sense? Think of it as being like your credit card PIN. A person could not steal your PIN and then use it on their own card in a cash machine. That PIN is tied to that card, and that is how the Microsoft Passport PIN works too.

None of this is required; it is entirely your choice whether you use Windows Hello and Microsoft Passport. You may be concerned that your unique biometric information can be stolen and used, and it is for that reason that Microsoft stores your unique biometric information on your device only, not on any external system or server, and never shares it.

It can only be used as a method of unlocking your device and is never used to authenticate you over an open network.

Passport2Go

Passport2Go is the part of the Passport setup that lets you specify whether a device is for personal or for organizational use. Let's go through an example of Passport2Go in use.

Fun Fact: Microsoft uses the fictional Contoso company for examples in many of its presentations and documents.

Irwin works for a consulting company that provides its services to Contoso. Contoso gives its partners cloud-only accounts through Azure Active Directory (AAD) when necessary. Irwin has a long-running engagement that requires him to have an AAD account and, through his work for Contoso, he has an allowance that lets him buy a device that is ONLY for use for his Contoso work. How does he set this device up so that he can only use it in this way?

By enabling Passport2Go. When you sign up to Passport2Go, you define whether your device is a personal or an organizational device. Let's walk through the example:

In our example, choosing organization use gives Irwin access to all the resources he needs for his work.

Next Irwin has to determine how he is going to connect. Because Contoso provides him with an AAD account, that is the option he selects.

Irwin is now taken to the AAD sign-in page, where he signs in with his work (Office 365) credentials, starting with his email address.

Then his password...

Irwin is then directed to the Contoso sign-in page on AAD.

Now it is time for Irwin to set up his PIN, which will allow him to unlock the device and access everything he needs in order to do his work.

As mentioned before, the PIN is much shorter than a typical password, and you may question how a shorter PIN could be more secure than a long and complex password. Microsoft's answer is that the PIN never leaves the device and only unlocks a key held there, so it cannot be phished, replayed, or cracked offline from a stolen server database.

The next step for Irwin is to choose how to verify his account. He has a choice of four options: a text message, a phone call, a notification sent to his authenticator app, or a security code generated by the authenticator app.

Irwin opts for the text message.

Once he has received the message verifying his account, Irwin can create his PIN.

Because he has ticked the box that says "Use a 4-digit PIN", his new PIN is not accepted and he sees a message telling him there are special requirements for the PIN.

Contoso has set specific requirements for the complexity of the PIN, and these are now shown to Irwin, allowing him to create a PIN that meets its policy.

Once Irwin has successfully set his PIN up, the changes are applied, which may take a few seconds to a couple of minutes.

Finally, the NGC (Next Generation Credentials) container is loaded and Irwin has full access to all the apps and systems he needs for work.

BitLocker and TPM

Windows BitLocker Drive Encryption is not new to Windows 10 (it first shipped with Windows Vista), but it remains the main protection for data at rest. It encrypts every block of a protected volume, including the Windows operating system volume and any fixed or removable data volumes you choose.

TPM, the Trusted Platform Module, is a dedicated chip (or firmware component) that holds a key pair called the Endorsement Key. The private half of that key pair is kept inside the TPM and is not accessible to software.

When the user or an administrator takes ownership of a device, a Storage Root Key is created. This key pair is generated inside the TPM and never leaves it; it is used to wrap (encrypt) other keys so that they can be stored outside the TPM but only ever unwrapped inside it. The owner authorization value set at that point controls who may administer the TPM; it does not feed into the key itself.

Another key, the Attestation Identity Key, is used to prove the state of the device to a remote party. During boot, the firmware, the boot loader and Windows each measure (hash) the next component before handing over to it, and those measurements are recorded in the TPM's Platform Configuration Registers (PCRs). The AIK signs a report of those PCR values.

When the system connects to a network that requires it, an attestation server verifies the signed report against expected values.

If any of the measured components have changed since they were last verified, there will be no match, and policy can deny the system access to the network.

Windows BitLocker uses the TPM to protect the operating system and user data. It also helps protect the computer from tampering, even if it is lost or stolen.

That said, BitLocker can be used without a TPM but, from 2016, Microsoft will require new computers to ship with TPM 2.0.

If you use BitLocker without a TPM, you must configure it either to store a startup key on a USB flash drive or to require a password, one of which must then be supplied every time you want to unlock the volume; both also require the Group Policy setting that allows BitLocker without a compatible TPM.

The Trusted Platform Module provides a number of essential security services, including:

• Securely recording boot process measurements.
• Deriving and sealing keys to a specific boot sequence.
• Providing a hardware root of trust that cloud services can attest against.
• Protecting each of these processes from malware or a malicious user.

TPM 2.0 goes a little further and updates the capabilities of TPM 1.2:

• Cryptographic strength is updated to meet modern standards (SHA-256 rather than SHA-1).
• It is more flexible on cryptographic algorithms, to better support government needs.
• Management is more consistent across implementations.

How Does BitLocker Drive Encryption Work?

In a nutshell, it protects your system by encrypting all of the data on the volume.

If a TPM is used to protect the encryption keys, those keys cannot be released until the state of the computer has been verified by the TPM.

If there are any signs of tampering, the TPM will not release the keys.

By encrypting the entire contents of the volume, you protect everything: your own personal data, the operating system itself, temporary files, the Windows registry files and the hibernation file.

Because the keys are sealed to the TPM, even if your hard drive were removed and inserted into another device, the thief would not be able to read your data.

When you start your device, the TPM compares the measurements of the current boot (the PCR values) with the values the key was sealed to, to verify the startup process.

If all is OK, the TPM releases the key and the encrypted data can be unlocked. If your Windows installation shows signs of tampering, the key is not released and you are asked for the recovery key instead; it is as simple as that.

By default, BitLocker is set up to work with the TPM alone, and you can also combine the TPM with a user-entered PIN or with a startup key stored on a USB flash drive. TPM plus PIN is the stronger choice, because the PIN must be entered before the TPM will unseal the key, so a thief with the whole machine still cannot boot it. A startup key or a password is required if you do not have a compatible TPM.

BitLocker itself encrypts whole volumes only. Encrypting individual files, for instance a few documents you need to send by email or on a USB key, is the job of a separate and long-standing feature, the Encrypting File System (EFS), which Windows 10 also includes.

Users can encrypt files from Windows File Explorer: right-click the file or folder, choose Properties, then Advanced, and tick the option to encrypt contents. Encrypted files and folders then show up in green, allowing you to see at a glance what has and has not been protected. EFS protects the file with a key tied to the user's account (an EFS certificate), so another user on the same machine, or anyone who pulls the disk, cannot read it; keep a backup of that certificate, because losing it loses the files.

One caveat: EFS protects a file only on a file system that supports it. Copying an EFS file to a FAT-formatted USB key or attaching it to an email decrypts it in the process, so for sharing you still need BitLocker To Go on the removable drive or a separate protected container. Automatic encryption of documents downloaded from corporate sources is a feature of Enterprise Data Protection, described later in this chapter.
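The following script, added here as an example and not taken from the book, checks the platform prerequisites described above (a ready TPM, UEFI Secure Boot) and then enables BitLocker on the OS volume with TPM + PIN, falling back to a USB startup key where no usable TPM exists. It assumes an elevated PowerShell prompt on Windows 10 with the BitLocker and TrustedPlatformModule modules; the `E:\` startup-key path is illustrative.

```powershell
# Added example (not from the book): verify TPM / Secure Boot, then protect the
# OS volume with TPM + PIN. TPM + PIN is stronger than TPM alone because the
# TPM will not unseal the volume key until the PIN has been entered.
# Run as Administrator on Windows 10. The startup-key path 'E:\' is illustrative.

function Test-BitLockerPlatform {
    $tpm = Get-Tpm                                   # TrustedPlatformModule module
    $secureBoot = $false
    try { $secureBoot = Confirm-SecureBootUEFI } catch { }   # throws on legacy BIOS
    $tpmInfo = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                               -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    [pscustomobject]@{
        TpmPresent = $tpm.TpmPresent
        TpmReady   = $tpm.TpmReady
        TpmVersion = $tpmInfo.SpecVersion          # e.g. "2.0, 0, 1.16"
        SecureBoot = $secureBoot
    }
}

$platform = Test-BitLockerPlatform
$platform | Format-List

if ($platform.TpmPresent -and $platform.TpmReady) {
    # The TPM seals the volume key to the boot measurements (PCRs) and, with
    # -TpmAndPinProtector, additionally requires the PIN before unsealing.
    $pin = Read-Host -Prompt 'Choose a BitLocker PIN' -AsSecureString
    Enable-BitLocker -MountPoint 'C:' -EncryptionMethod Aes256 `
        -TpmAndPinProtector -Pin $pin -SkipHardwareTest
} else {
    # No usable TPM: a startup key on removable media is the fallback. This also
    # needs the 'Allow BitLocker without a compatible TPM' policy enabled.
    Enable-BitLocker -MountPoint 'C:' -EncryptionMethod Aes256 `
        -StartupKeyProtector -StartupKeyPath 'E:\' -SkipHardwareTest
}

# Always add a recovery password too: it is what you fall back on when the
# PCR values change (firmware update, boot order change) and the TPM refuses
# to unseal. Store it off the machine (Active Directory, Azure AD or print-out).
Add-BitLockerKeyProtector -MountPoint 'C:' -RecoveryPasswordProtector | Out-Null
$rp = (Get-BitLockerVolume -MountPoint 'C:').KeyProtector |
      Where-Object KeyProtectorType -eq 'RecoveryPassword'
"Recovery password ID $($rp.KeyProtectorId): $($rp.RecoveryPassword)"

# Confirm which protectors guard the volume and how far encryption has got.
Get-BitLockerVolume -MountPoint 'C:' |
    Select-Object MountPoint, VolumeStatus, EncryptionPercentage, ProtectionStatus,
                  @{ n = 'Protectors'; e = { $_.KeyProtector.KeyProtectorType -join ', ' } }
```

The recovery password is printed deliberately so that it can be recorded before the next reboot; in a managed environment you would instead back it up with `Backup-BitLockerKeyProtector` to Active Directory. Note that `-SkipHardwareTest` bypasses the reboot-and-verify step, so make sure the PIN prompt actually appears at the next boot before relying on it.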

Device Guard

So, Microsoft is going to protect your identity and your data, but what about the device you are using? Windows 10 includes a number of ways to lock down your device, adding extra protection and threat resistance.

Users inadvertently download most malware onto a device, so Microsoft is introducing a way of allowing only trusted apps to run on your device. Trusted apps are those signed by a publisher your organization's policy trusts (Microsoft, the Windows Store, an ISV, or your own internal signing certificate); the device has to be configured with that policy. That feature is called Device Guard.

Device Guard is not a piece of firmware. It is a combination of hardware and software features that need to be configured together: UEFI Secure Boot and hardware virtualization on the hardware side, and a code integrity policy plus virtualization-based security on the Windows side. When this is done, the device is locked down to run only trusted applications, and many OEMs are already shipping devices capable of it.

It works by using the new virtualization-based security feature in Windows 10: a system that isolates the Code Integrity service from the Windows kernel and lets the service use enterprise-controlled, policy-defined signature rules to determine what can and cannot be trusted.

The basic function of Device Guard is to check each binary that is loaded into memory for execution. It runs this check both during boot and afterwards, decides whether the binary is genuine based on its signature (or, for unsigned files, its hash), and stops anything that does not meet the policy from loading.

Because the decision is made inside a virtualization-protected environment rather than by an ordinary kernel component, it does not depend on a malware signature database being accurate or up to date; the hypervisor-protected service tells the system what may and may not be loaded into memory.

This level of isolation should stop malware in its tracks, as it will not be allowed to run on the device, even if the attacker already has administrative control of the Windows installation where Device Guard is enabled.

According to Microsoft, this system is more secure than the traditional anti-virus methods we use today, and even more secure than application control technologies such as Bit9 and AppLocker, since those can be tampered with, either by malware or through system administration.

Required Hardware and Software for Device Guard

In order to use Device Guard, you will need the following hardware and software, configured together:

• Windows 10 (the Enterprise edition for the full feature set)
• UEFI Secure Boot, which helps protect the integrity of the device at hardware level
• Trusted Boot, designed to help protect against rootkit-level attacks
• Virtualization-based security, a Hyper-V-protected container that separates sensitive Windows 10 processes from the rest of the system
• The Package Inspector tool, which helps you create the list of files that must be signed for classic Windows applications

Why use Device Guard?

Every single day, thousands of new malicious files are created, and the traditional method of signature-based detection is no longer adequate on its own. With Device Guard, that malware cannot run, because the files that contain it are not trusted. Up to and including Windows 8.1, an app would run automatically unless a firewall or anti-virus blocked it; on a Windows 10 device with a Device Guard policy, an app will not run unless it is trusted first.

Device Guard will also help to protect against zero-day attacks and against polymorphic malware, since neither depends on a signature of the malware itself being known.

In an enterprise setting, the Code Integrity policy must be set up to determine which apps are trusted. As well as that, specific software and hardware configurations are required:

• UMCI (User Mode Code Integrity)
• Kernel code integrity rules that include WHQL (Windows Hardware Quality Labs) signing constraints
• Secure Boot with db/dbx database restrictions
• OPTIONAL: virtualization-based security to protect kernel mode apps, system memory and drivers from tampering
• OPTIONAL: TPM 2.0

Before you can use Device Guard, you should enable the virtualization-based security feature on capable devices, make sure that the Code Integrity policy is configured, and then configure any other settings you require for Windows 10. After that, Device Guard works like this:

1. Your device boots with UEFI Secure Boot; this stops rootkits from running by ensuring that only signed boot components load before Windows 10 starts.

2. Once safely started, Windows 10 starts the Hyper-V virtualization-based security features, including kernel mode code integrity. These protect the Windows kernel, privileged drivers and the system's anti-malware solution by stopping malware from running in the boot process or in the kernel once the device has started.

3. Using UMCI, Device Guard checks that anything meant to run in user mode is trusted, including classic Windows apps, Universal Windows Platform apps and services. Only trusted binaries are allowed to run.

4. As Windows 10 starts, the TPM starts as well, helping to protect sensitive information by providing a hardware component isolated from everything else. This protects your certificates and user credentials from attack or theft.
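The procedure above (configure a Code Integrity policy, start in audit, then enforce) looks like this in practice. The script is an added example, not the book's own material: it uses the ConfigCI cmdlets that ship with Windows 10 Enterprise, assumes an elevated prompt on a clean reference machine, and the `C:\CIPolicy` working folder is illustrative. Scanning the whole system drive takes a while.

```powershell
# Added example (not from the book): build a Device Guard code integrity policy
# from a known-good reference machine, deploy it in audit mode, review what it
# would have blocked, then enforce. Assumes Windows 10 Enterprise, elevated.
# The working folder below is illustrative.

$work = 'C:\CIPolicy'
New-Item -ItemType Directory -Path $work -Force | Out-Null

# 1. Scan the reference machine and emit a policy that trusts what is installed:
#    by publisher certificate where possible, by file hash as a fallback.
#    -UserPEs includes user-mode binaries (UMCI), not only drivers.
New-CIPolicy -Level Publisher -Fallback Hash -UserPEs `
    -ScanPath 'C:\' -FilePath "$work\InitialScan.xml"

# 2. Rule options: 0 = Enabled:UMCI, 2 = Required:WHQL for drivers,
#    3 = Enabled:Audit Mode (log instead of block while the policy is tuned).
Set-RuleOption -FilePath "$work\InitialScan.xml" -Option 0
Set-RuleOption -FilePath "$work\InitialScan.xml" -Option 2
Set-RuleOption -FilePath "$work\InitialScan.xml" -Option 3

# 3. Compile the XML to the binary form the kernel consumes and deploy it.
#    The policy takes effect at the next reboot.
ConvertFrom-CIPolicy -XmlFilePath "$work\InitialScan.xml" `
    -BinaryFilePath "$work\SIPolicy.p7b"
Copy-Item "$work\SIPolicy.p7b" 'C:\Windows\System32\CodeIntegrity\SIPolicy.p7b'

# 4. After the device has run its normal workload, list what audit mode would
#    have blocked. Event 3076 = audit-mode violation; 3077 = enforced block.
Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3076
    } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message |
    Format-Table -AutoSize -Wrap

# 5. Once the audit log is clean (or the missing binaries have been added with
#    New-CIPolicy / Merge-CIPolicy), drop option 3 to enforce, recompile, redeploy:
# Set-RuleOption -FilePath "$work\InitialScan.xml" -Option 3 -Delete
```

Keep the XML under source control and sign the compiled policy with a code-signing certificate before enforcing it; an unsigned policy can be removed by any local administrator simply by deleting `SIPolicy.p7b`, which is exactly the tampering the chapter says Device Guard is meant to prevent.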

Enterprise Data Protection (EDP)

Microsoft also has a new DLP (data loss prevention) system.

While consumers can use it, it is aimed mainly at corporations, because of the large number of employee-owned devices now in use under the BYOD (Bring Your Own Device) banner.

Because of the number of those devices, the risk of accidental data disclosure is much higher than it ever was, mainly because of the number of external apps and services in use on the same device outside the control of the enterprise.

This includes email, social media, cloud services, and all the applications we use on our mobile devices every day.

Yes, there are solutions that attempt to address this by asking employees to switch between containers for personal and corporate use, but this is not a very efficient way of working.

The new feature in Windows 10 is called EDP, Enterprise Data Protection, and it offers a much better user experience while keeping personal and corporate activities separate.

EDP helps to protect corporate apps and data from the risk of disclosure without asking users to change the way they work.

Furthermore, in conjunction with RMS (Rights Management Services), EDP can also protect your corporate data after it leaves the device, even when the data is roaming or is being shared.

How Does EDP Work?

Enterprise Data Protection is designed to address everyday workplace challenges, such as:

• Dealing with serious data leaks
• Maintaining enterprise data privacy
• Managing apps that are not policy-aware, particularly on mobile devices
• Handling the previous inability to lock down an employee-owned device, which could allow data to leak

Levels of Protection

EDP can be set to four different levels of protection:

• Block: EDP looks for inappropriate data sharing and blocks the employee from completing the share.

• Override: EDP looks for inappropriate data sharing and warns the employee that the action is against policy. The employee can override the warning and share the data anyway, but the action is recorded in the audit log.

• Audit: EDP runs quietly in the background, logging all data sharing and flagging inappropriate actions. It does not block anything; it only monitors and records.

• Off: EDP is not active and does not protect any data.

EDP Allows Better Workflow

Because employees no longer have to switch between environments or apps to protect enterprise data, workflow is uninterrupted and productivity can potentially increase significantly.

An example of this would be an employee checking their corporate email account who receives a personal email. Instead of having to exit their corporate account, both messages appear on the screen together.

Changing the Protection Levels on Documents

Employees can change the protection level set on a document under Enterprise Data Protection.

They can only do this if the document is a personal one that has been incorrectly marked as enterprise. Doing so requires the employee to take an explicit action, and the change is logged for management to see.

Enterprise Data Security

Enterprise admins need to maintain the confidentiality and security of their data. With Enterprise Data Protection, you can make sure that corporate data is protected on employee-owned devices, even when the device is not in use.

When employees create content on their devices, they are asked to define whether it is personal or corporate data; if it is corporate, it is immediately brought under local data protection.

Wipe Enterprise Data Remotely

EDP also gives managers the option of remotely wiping all corporate data from a managed device used by an employee, without touching any of the personal data on that device. This is a huge benefit when a device is stolen or an employee leaves the company.

Corporate documents are stored locally on the device and are encrypted using a key tied to the enterprise identity.

When you want to wipe the device, you go through a verification process, after which a command is sent through the mobile device management system to wipe the data remotely. When the device next connects to a network, the data is removed and the encryption keys are irretrievably revoked.

This only happens on devices that have been specifically targeted; all other devices continue to work normally.

Copying or Downloading Enterprise Data

When data is downloaded from a corporate source such as SharePoint or Office 365, it is classified as enterprise data and is encrypted before being stored locally.

The same applies to any data copied from the enterprise to a USB flash drive. Because the data is already marked as enterprise data, the encryption follows the data to the new storage device.

Privileged Apps and Restrictions

With Enterprise Data Protection, you can control which apps can and cannot access enterprise data.

Those that can are added to a privileged app list and are then allowed to access and use enterprise data. Anything not on the list is classified as personal and is blocked from accessing enterprise data, depending of course on the protection level you have set.

Privileged apps behave differently from personal, non-privileged apps. When a user wants to copy and paste enterprise data, a privileged app allows it; non-privileged apps do not.

Should a person try to copy enterprise data to a non-privileged app, they see a notification advising that policy restrictions are in place and the action could not be completed.

Persistent Data Encryption

Enterprise Data Protection keeps your data safe even when the device is roaming. Apps such as OneNote and Office work in conjunction with EDP to persist data encryption across services and locations.

For example, an employee opens EDP-encrypted content in Outlook, makes some changes and then tries to save it under a new name to get rid of the encryption.

That will not work, because Outlook automatically applies EDP to the new version of the document, ensuring that the data stays encrypted.

Helps Prevent Accidental Data Sharing

EDP also helps to protect corporate data from being accidentally shared in public spaces such as consumer cloud storage. Say, for example, an employee puts a document in a folder called DOCUMENTS.

That folder is synced automatically with OneDrive. Because the document is marked as enterprise data and encrypted locally, it will not be synced to the employee's personal OneDrive; only apps on your privileged list, such as the corporate OneDrive for Business client, can handle it.

Data sharing also covers other devices. Under the old system it was possible for data to leak to another device while being transferred between them. For example, an employee saves corporate data onto a USB flash drive that also has personal data on it.

The corporate data is encrypted while the personal data remains open. As well as that, the encryption follows the data, so even if it is copied to another device it stays encrypted.

The Benefits of EDP

The benefits of EDP include:

• Protection against leakage of enterprise data, with little or no impact on employees' working practices
• Separation of personal and corporate data with no need for employees to switch apps or environments
• Extra data protection for existing business apps without having to update them
• The ability to wipe all corporate data off a device while leaving personal data untouched
• Audit reports to help with tracking issues
• Full integration with your current management system or mobile device management system to configure, deploy and manage EDP for your corporation
• Extra protection while roaming or sharing data

Enterprise scenarios

EDP addresses the following enterprise scenarios:

• Enterprise data can be encrypted on both employee-owned and corporate-owned devices
• Enterprise data can be wiped remotely without touching personal data
• Specific apps, called privileged apps, can be chosen to access enterprise data. These apps are clearly recognizable to employees. Non-privileged apps can be blocked from accessing enterprise data
• Employees do not need to switch between enterprise and personal apps, eliminating interruption to workflow, provided enterprise policies are in place

Windows Defender

Windows 10 users still need anti-malware software to protect against malware from other sources.

This is because Device Guard only stops untrusted binaries from loading, and only on devices configured for it. It does nothing about exploits against trusted applications, about malicious documents and scripts that never become a signed binary, or about the consumer device on which no code integrity policy has been deployed.

Instead of taking the chance that users will forget to download a program, Microsoft includes Windows Defender, as it did in Windows 8. Defender is enabled automatically on your system and runs silently in the background.

This ensures that, whether you opt for a third-party solution or not, you will have at least baseline antivirus protection. Unlike Windows 7, Windows 10 will not kick up a fuss if you choose to install a third-party option as well.

Instead, it simply disables Windows Defender's real-time protection while the third-party product is active. Should you uninstall the third-party anti-malware software, Windows Defender is automatically re-enabled, ensuring that your device is never left without some kind of malware protection.

Built on what was Microsoft Security Essentials, the add-on for Windows 7, Defender runs quietly, scanning every file as you access it, before it is actually opened.

If it finds malware or anything else that could threaten your machine and your data, it cleans it up and quarantines the offending file automatically.

You get a notification that Defender has detected malware and is taking the necessary action to clean it up. The antivirus definitions are updated automatically through Windows Update, and this process does not require a reboot.

Configuration and Exclusions

The settings for Windows Defender are integrated into Windows 10's new Settings app. They can be reached from the Start menu, under Settings, in the Update & Security category. By default, real-time protection, cloud-based protection and sample submission are all enabled. If you disable real-time protection for any reason, Windows Defender will automatically re-enable it after a while, to keep you safe.

Cloud-based protection and sample submission let Defender share the information it finds about threats, along with the actual malware file, with Microsoft. This is done to keep the definitions up to date and to allow Microsoft to keep improving its detection.

From the same menu, you can also set up Exclusions: specific files, file types, folders and processes.

If, for example, Defender is slowing your device down because it keeps scanning apps or files you know to be safe, you can set an exclusion telling it not to scan them.

Use exclusions only when absolutely necessary, because too many, or too broad, exclusions render Defender useless and leave your device open to all kinds of threats; an attacker who learns that a folder or a process is excluded has a ready-made place to drop a payload.
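The check a practitioner would run against the defaults and exclusions just described, written as an added example rather than anything from the book: it reports the Defender baseline, restores the defaults where a removed third-party product left them off, and flags the kinds of exclusion that attackers look for. It assumes the Defender PowerShell module on Windows 10 and an elevated prompt; the "risky" pattern lists are the author's own choices, not a Microsoft list.

```powershell
# Added example (not from the book): report the Windows Defender baseline the
# chapter describes and audit exclusions that are too broad to be safe.
# Assumes the Defender module (Windows 10) and an elevated prompt.

$status = Get-MpComputerStatus
$pref   = Get-MpPreference

# Baseline. MAPSReporting: 0 = off, 1 = basic, 2 = advanced.
# SubmitSamplesConsent: 0 = always prompt, 1 = send safe samples, 2 = never, 3 = send all.
[pscustomobject]@{
    RealTimeProtection = $status.RealTimeProtectionEnabled
    AntivirusEnabled   = $status.AntivirusEnabled
    CloudProtection    = $pref.MAPSReporting
    SampleSubmission   = $pref.SubmitSamplesConsent
    SignatureAgeDays   = $status.AntivirusSignatureAge
} | Format-List

# Restore the defaults if they were left off (e.g. after a third-party AV was removed).
if (-not $status.RealTimeProtectionEnabled) { Set-MpPreference -DisableRealtimeMonitoring $false }
if ($pref.MAPSReporting -eq 0)               { Set-MpPreference -MAPSReporting Advanced }
if ($pref.SubmitSamplesConsent -eq 2)        { Set-MpPreference -SubmitSamplesConsent SendSafeSamples }
if ($status.AntivirusSignatureAge -gt 3)     { Update-MpSignature }

# Exclusion audit. Drive roots, user-writable folders, wildcards, whole
# executable extensions and script hosts are the exclusions malware abuses.
# (Pattern lists are this example's own, not an official list.)
$riskyPaths = '^[A-Za-z]:\\?$', '\\Users\\', '\\Temp\\', '\\Downloads\\', '\\ProgramData\\', '\*'
$riskyExts  = 'exe', 'dll', 'ps1', 'vbs', 'js', 'bat', 'cmd', 'scr'
$riskyProcs = 'powershell.exe', 'cmd.exe', 'wscript.exe', 'cscript.exe', 'mshta.exe', 'rundll32.exe'

foreach ($p in $pref.ExclusionPath) {
    if ($riskyPaths | Where-Object { $p -match $_ }) { "RISKY path exclusion: $p" }
}
foreach ($e in $pref.ExclusionExtension) {
    if ($riskyExts -contains $e.TrimStart('.').ToLower()) { "RISKY extension exclusion: $e" }
}
foreach ($x in $pref.ExclusionProcess) {
    $leaf = [System.IO.Path]::GetFileName($x).ToLower()
    if ($riskyProcs -contains $leaf) { "RISKY process exclusion: $x" }
}

# A defensible exclusion is narrow: one build output folder, never the whole
# profile or drive. (Illustrative path.)
# Add-MpPreference -ExclusionPath 'C:\Build\Output'
```

A process exclusion is the most dangerous kind, since it exempts every file that process touches; excluding `powershell.exe` to quiet a false positive effectively switches real-time scanning off for anything an attacker launches through it.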

UEFI

Unified Extensible Firmware Interface, or UEFI, is a more modern replacement for the BIOS traditionally used to start up a computer. Secure Boot is a feature of UEFI firmware, not another name for it: before running a boot loader, the firmware checks that the loader is signed by a key in its signature database (db) and is not listed in the revocation database (dbx). Secure Boot is designed to shut out low-level malware (bootkits) and stop it from infecting and taking over the boot process on any device.

In the past, vendors that wanted the "Designed for Windows" certification had to have UEFI Secure Boot on their hardware. To allow users of other systems, such as Linux, Microsoft had to require a toggle that lets the user turn off Secure Boot, at least on x86 hardware. This allowed a user to open the door and install whatever they chose on their computers.

For Windows 10, Microsoft had originally said that it would not be requiring the on/off toggle and that all new hardware must ship with UEFI Secure Boot enabled. It now transpires that, while Secure Boot must be enabled on all new Windows 10 hardware, OEMs have the option of whether or not to allow the end user to disable it. That is only for desktop machines; for Windows 10 Mobile retail devices, the option to disable Secure Boot is not included.

The idea is to limit the possibility of malware being introduced by users who install an alternative operating system to dual-boot their machines. At the time of writing, Microsoft has not finalized its specifications and, as such, the decision to put the onus on the OEM to include the toggle may change.

Advanced Threat Analytics

Security attacks today are more persistent, frequent and sophisticated than ever before.

Regardless of which type of device you are using, it is safer to assume that you have been breached, and that attackers may already be inside your system, than to go blindly about your work ignoring potential threats.

The following statistics, as Microsoft presents them, tell a sobering story:

• 200+ days: it is not unusual for attackers to remain inside a network for this long without detection. They can do this because they take advantage of user accounts, privileged or otherwise, and hide inside the network. It takes sophisticated technology to find and stop them, and to prevent others from attacking the system.

• 75%+: the percentage of network intrusions that result from a user's credentials being compromised.

• $500 billion: the estimated cost of cybercrime to the global economy.

• $3.5 million: the average cost to a company of a data breach.

This is why Microsoft has come up with a new product called Advanced Threat Analytics, or ATA. ATA is an on-premises threat analytics tool that works to detect threats and abnormal behaviour (see below) before they can cause damage.

To illustrate how it works, say you have a credit card and your provider monitors your spending behaviour.

If there is any suspicious activity, or activity outside your normal pattern, the provider contacts you to verify that the activity was yours. They may also place a temporary stop on the card while they verify it. This is the concept Microsoft wants to bring to enterprise users.

The benefits of ATA are:

• Threats are detected using behavioural analysis of users: monitoring how they use the system, and alerting when there is a suspicious change in that pattern.

• ATA is constantly evolving, learning from users' behaviour and adapting to changes within a dynamic organization.

• It uses a simple attack timeline to focus on what is important: a clear system that monitors and draws attention to the right things at the right time. It also gives you the who, when and where of the attack, and recommends the next step.

• ATA also identifies known risks and alerts the right people: risks such as weak passwords, broken trusts, weak and vulnerable protocols, and so on.

• ATA reduces the rate of false positives.

How Does It Work?

After ATA is installed, a non-intrusive port-mirroring configuration copies all Active Directory-related traffic to and from the domain controllers (Kerberos, NTLM, DNS and LDAP among others) to the ATA Gateway, which remains invisible to attackers on the network. ATA then analyses the data and can work with your SIEM (Security Information and Event Management) system to correlate related traffic and events. All the information is stored locally, on-premises, by ATA, and never leaves the organization.

The ATA detection engine begins learning and profiling the behaviour of all users and entities, then uses machine learning to build a picture of everyday activity.

Once it is familiar with normal behaviour, it looks for anomalies.

If any arise, it raises a red flag and alerts security teams, once the system has compared and aggregated the anomaly with its near-real-time detection of known attack techniques (such as pass-the-hash, pass-the-ticket and reconnaissance) and built the attack timeline.

This also reduces the chance of false positives and better identifies malicious attacks.

Microsoft ATA is a non-intrusive system that works quietly in the background, without the attacker being able to detect it.

Virtual Secure Mode

Windows 10 can be run as a number of different containers, one of which houses the actual operating system. The security tokens for Active Directory that let you access your company network, and the LSA (Local Security Authority) service that issues them, can now be housed in a separate container that runs alongside Windows on top of the Hyper-V hypervisor.

These security tokens, the password hashes and Kerberos tickets that the LSA keeps in memory, are the target of Pass the Hash attacks. Once an attacker has such a token, they have your identity, which is as good as having your login details. An attacker who has gained admin privileges on a machine can run a tool that reads the tokens out of LSA memory. With those in hand, they can move around the network and access servers without ever needing your password.

Microsoft has made things harder for them by taking the tokens out of the software store where they were previously kept (the memory of the lsass.exe process, readable by any malware running as administrator) and locking them in an isolated container. Once inside that container, not even Windows itself has access to them, even if the Windows kernel is compromised.

The container does not release the tokens or hashes. Instead, when Windows needs to authenticate, the container performs the cryptographic operation on its behalf and returns only the result, so what the ordinary Windows environment holds cannot be replayed from another device. In addition, the NTLM hash is separated from the logon process and is never handed to the normal Windows kernel, which protects it from being extracted for cracking or reuse. That container is called VSM, Virtual Secure Mode.

VSM is, in effect, a mini version of the operating system, built on the Windows core OS. It requires only about 1 GB of memory and has enough capability to run the isolated LSA service needed for authentication. It will have little or no effect on the performance of the device, but you do need Windows 10 Enterprise, a 64-bit CPU with support for hardware virtualization and SLAT, and UEFI Secure Boot. Existing Active Directory domain controllers work with it; the next version of Windows Server brings the same isolation to server machines. In brief:

• Virtual Secure Mode isolates sensitive processes in a Hyper-V-protected container
• VSM runs a secure kernel and trustlets (isolated processes, such as the isolated LSA) inside that container
• VSM protects the secure kernel and trustlets even when the normal Windows kernel is compromised, thus keeping those tokens safe
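Turning the isolated LSA on and proving it is running is not covered in the text, so here is an added example (not from the book) of doing both from PowerShell. It assumes Windows 10 Enterprise on UEFI hardware with Secure Boot and hardware virtualization, an elevated prompt, and a reboot between configuring and verifying; the optional-feature names apply to the initial Windows 10 release, where they still had to be enabled by hand.

```powershell
# Added example (not from the book): enable virtualization-based security and
# Credential Guard (the isolated LSA trustlet running inside VSM), then verify.
# Assumes Windows 10 Enterprise, UEFI + Secure Boot, hardware virtualization,
# an elevated prompt, and a reboot after the configuration steps.

# 1. Prerequisite features (required on the initial Windows 10 release).
Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V-Hypervisor -All -NoRestart | Out-Null
Enable-WindowsOptionalFeature -Online -FeatureName IsolatedUserMode -NoRestart | Out-Null

# 2. Enable VBS and require Secure Boot (1) or Secure Boot + DMA protection (3).
$dg = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
New-Item -Path $dg -Force | Out-Null
Set-ItemProperty -Path $dg -Name EnableVirtualizationBasedSecurity -Type DWord -Value 1
Set-ItemProperty -Path $dg -Name RequirePlatformSecurityFeatures   -Type DWord -Value 1

# 3. Enable Credential Guard. LsaCfgFlags: 1 = on with UEFI lock (cannot be
#    switched off remotely, even by an administrator), 2 = on without the lock.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
Set-ItemProperty -Path $lsa -Name LsaCfgFlags -Type DWord -Value 1

# 4. After the reboot, ask the DeviceGuard WMI class what is actually running.
function Get-VsmState {
    $info = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                            -ClassName Win32_DeviceGuard
    $running = @($info.SecurityServicesRunning)    # 1 = Credential Guard, 2 = HVCI
    [pscustomobject]@{
        VbsRunning      = ($info.VirtualizationBasedSecurityStatus -eq 2)   # 0 off, 1 configured, 2 running
        CredentialGuard = ($running -contains 1)
        Hvci            = ($running -contains 2)
        Available       = (@($info.AvailableSecurityProperties) -join ',')   # 1 = VBS, 2 = Secure Boot, 3 = DMA
    }
}
Get-VsmState

# Independent check: with Credential Guard running, the isolated LSA appears
# as a separate process, LsaIso.exe, next to lsass.exe.
Get-Process -Name LsaIso -ErrorAction SilentlyContinue | Select-Object Name, Id
```

The UEFI lock (value 1) is the setting you want on a laptop that leaves the building: it stores the choice in a UEFI variable, so an attacker with admin rights cannot simply flip the registry value and reboot to get the hashes back into ordinary memory. It also means turning Credential Guard off later requires physical presence at the console.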

Microsoft Virtualization Strategy and Security

For the last ten years or so, one of the biggest topics in the IT industry has been virtualization, mainly because of the sheer number of benefits it brings for IT staff.

It brings the ability to make more of hardware utilization, while at the same time offering enough scalability to get away from performance issues. There is also the ability to migrate virtual machines and cut down on downtime, and finally the convenience of being able to deploy new virtual machines quickly, manually or automatically, reducing the workload of the IT department.

Microsoft has a goal in mind: what Hyper-V has done for server deployment and management, it wants to do for the data center. To do that, it wanted to bring the whole structure down to the software level, giving users the ability to automate many more aspects of the data center and gain much more efficiency.

Over the last few versions of Windows Server, Microsoft has come a long way in improving Hyper-V and bringing it, together with the supporting technologies, up to a software-defined data center packed with useful features. Those features cover every aspect of the data center: networking, storage and compute.

The last two versions of Windows Server introduced Storage Spaces, IP Address Management and multi-tenant site-to-site VPNs. Server 2016 builds on those and brings additional features such as Storage Replica.

Security Improvements

Windows Server 2016 also addresses a number of security issues in Hyper-V, with features designed to give virtual machines more protection and to halt malware, rogue administrators and other attack vectors in their tracks.

Microsoft is well aware that one of the biggest reasons the cloud has not been adopted as widely as it had hoped is corporate trust. Microsoft is now determined to prove to everyone, corporate and consumer, that cloud solutions can offer data center security that is at least comparable to, if not better than, what they had before.

Windows Server 2016 also supports a virtual TPM that can be enabled and configured for a virtual machine.

The main benefit of this is the ability to enable BitLocker encryption inside guest virtual machines, which stops unauthorized access to files or to the system contained in the virtual disks. Without a vTPM, a guest could only use BitLocker with a password or startup key, and anyone holding the virtual disk file could attach it elsewhere and read it.

Shielded Virtual Machines in Server 2016 are yet another security feature: they allow a guest virtual machine to be protected from the host server administrator.

In this scenario, while an administrator can stop or start the shielded VM, they cannot alter its configuration, see what is on the virtual disks, or view the processes the guest OS is running; the VM's disks and saved state are encrypted, and the keys are released by the Host Guardian Service only to hosts that have attested as healthy.

This is the ideal solution for large environments that do not want the management side to see what is on a customer's virtual machine, or for industries that operate a need-to-know policy or strictly enforced separation of duties.

    Enterprise Mobility: Identity in the Enterprise

    Right now, managing identities within the Enterprise setting is cumbersome. Windows 10 is going to change all of that and allow empowerment of enterprise mobility.

    The way things are set up now is as follows: all the users in the enterprise want to access everything, from anywhere, and from any device. Management wants to control everything, as well as ensuring that data is secure and protected. This becomes difficult when end-users have the same login details for every site that they visit, and use the same password. While this might be easy to start with, it all falls apart when one site requests a password change and then another one does, and another, and so on. The end user has to remember all of these different passwords. So, in steps the HR department, with their company credit card to hand, and buys the latest software to manage everything. Then they have a problem: security. Thus they come to the IT department, confess what they've done, and then hand the problem over for them to solve.

    That's where Windows 10 changes everything. Identity is the foundation to building the enterprise mobility strategy. Most businesses already have on-premises identity strategies, use Active Directory and other directories, and have their firewalls already set up. They also have access to cloud apps on a separate infrastructure. Windows 10 brings something a little bit different and a whole lot better.

    It's called Azure Active Directory and it brings together on-premises and cloud access in one easy place. All you need is one simple connection to join the two together, and Windows 10 provides all the tools you need to make that connection. What Azure Active Directory brings to enterprise users is one single sign-on that gives you access to everything that you need. Before we go any further, let's just spend a minute talking about Azure Active Directory. What is it, exactly?


    AAD is an identity and access management solution that combines:

    • Directory services
    • Advanced identity governance
    • App access management
    • Standards-based platform for developers

    Azure AD allows your users to access 1000s of apps through one single sign-on. Better than that though, it also allows you to pick and choose which apps they have access to through a number of different options. AAD is:

    • Easy to use. It provides enterprises with a simple way of managing identity and access to organizational apps and services, both on-premises and in the cloud. There are more than 2000 apps already pre-integrated and it is easy to integrate your own apps with the single sign-on support.

    • Designed to empower users by allowing them to sign on with either a work or a personal account for access to on-premises web and cloud applications. With self-service capabilities, they are also able to perform many of their own administrative tasks without having to contact the help desk.

    • Designed with enhanced security in mind. Your enterprise can protect on-premises and cloud data by ensuring that proper access is given. You can also monitor the system for any anomalous activity and detect and deal with potential threats.

    • Set up to allow hybrid identities. This allows you to integrate on-premises directories and enable workers to access corporate resources both securely and consistently, with just one single organization account. AAD can be used to enhance on-premises infrastructure, allowing self-service, security tools and built-in app connectivity.

    • Set up to provide a comprehensive reporting and analytics system that enhances your security, allows you to monitor usage and view the performance of your environment.

    Cloud App Discovery

    Cloud app discovery allows you to monitor apps in the cloud. Right now, in the average enterprise, there are about ten times more cloud apps in use than the IT department realizes. Cloud app discovery allows you to see exactly which apps are being used, who is using them, and how often they are used. You can export the details from your reports directly to a reporting tool and include them as part of your regular reports as well as using it for data analysis.

    Managing Your Directory on the Cloud

    Another useful feature included in AAD is the Microsoft Identity Manager. This allows you to manage your on-premises identities and connect and share on-premises directories to Azure. There are already more than 2,400 SaaS apps in the gallery and more can be integrated and added as needed, including those that are published using AAD Application Proxy. Because AAD stands in the middle, all of these apps and directories can be accessed on-premises and from mobile devices.

    AAD App Proxy includes a connector that automatically connects it to the cloud, allowing for seamless syncing. AAD also includes a comprehensive identity and access management console, providing centralized access admin for all apps, both pre-integrated and other cloud-based apps. This makes life much easier for the end user because the admin can:

    • Put users in groups and allow groups to access different sets of apps.
    • Set up enterprise accounts for certain apps: one account, multiple users, and only the admin will know the login details. This prevents accidental sharing.
    • The admin can also provision or de-provision users. If a user leaves a particular group or leaves the organization completely, he or she will automatically be de-provisioned, cancelling access to all of these apps.

    There are also other built-in security features to protect enterprise apps, namely:

    • Security reporting that monitors and detects inconsistent access patterns and throws up alerts.

    • The opportunity for an admin to step up an app to multi-factor authentication if they doubt that a user is who they say they are. For example, they can add another step to the authentication process which will block access until that step has been successfully completed. The step could be a phone call or a text message.

    • The access policies will depend on the state of a user's device, their location, and group membership.


    How Microsoft Windows 10 Will Protect Your Data

    As well as protecting your identity, an area that Microsoft is making great strides in, they are also working hard on coming up with new solutions to protect your data and information.

    Next to identity, theft of data is the next most serious consideration for consumers and organizations alike. Current security systems only protect about half of your IT system and even then, that isn't fully protected.

    Every time you switch on your computer or Windows mobile device, or every time you access the Internet or open an email, you run the risk of a hacker swooping in and taking control. Microsoft intends to stop that in its tracks with two upgraded systems.

    Azure Rights Management and Information Rights Management

    When data leaves your device, Microsoft has something called Azure Rights Management and Information Rights Management, both of which help to protect against the loss of data from documents.

    As of now, a user typically has to opt in to activate the protection that these two services offer, and that can leave an enterprise with a bit of a problem: a gap through which data can be leaked, whether deliberately or inadvertently.

    Azure Administrative Tasks

    The end user can perform many of their own administrative tasks by visiting http://myapps.microsoft.com, or through the relevant app on Android or iOS. Through that, they can see how many apps they have access to, from any device. They can also see all of their managed devices and can reset their own passwords without the need for the IT department to get involved. Lastly, they can also request access to apps and/or groups through the self-service options.

    Azure Active Directory is embedded in Windows 10 and is available through three subscription options, depending on your needs: free, basic and premium. Over the next year, Microsoft is investing more time and money in improving the following areas of AAD:

    • Admin Units: ability to split admin duties into groups
    • Business-To-Business: a new feature that will be available that allows you to share your resources with business partners through AAD
    • B2C: identities for business to consumers
    • Conditional Access: ability to block outside access
    • Privileged Identity Management: options to make admin access temporary or permanent
    • AAD Join: AAD controls everything and is fully embedded with Windows 10


    Data Protection in Azure

    Global cyber-attacks are on the rise and so are the costs associated with them. It is estimated that cybercrime extracts around 15-20% of the value that is created by the Internet.

    In the last 2 years in the UK alone, more than 80% of large businesses and 60% of small ones reported a cyber-breach and, globally, the number of security compromises reported rose by about 34% in 2014. The estimated cost of cyber-attacks, in terms of lost growth and productivity, is thought to be around $3 trillion.

    In order to protect their customers' data, Microsoft has introduced a number of security measures in Azure Active Directory. By default, AAD provides strong protection and there are also options that customers can choose to enable as well. First, let's look at data in transit.

    By this, I mean data that is sent and received between a user and the service, between datacenters and between users. Data that comes through the Microsoft Azure Portal or through the storage API is automatically encrypted using https, along with strong ciphers. By default, FIPS 140-2 support is enabled to comply with government security standards.

    All data that is imported or exported is encrypted with BitLocker, which is built in to Windows 10, and all customer data that goes between the datacenter and storage facilities is also encrypted.

    For customers that access data in a storage facility or container, there are two options of access, http and https; Microsoft recommends using https as this is secure and encrypted.

    If a customer chooses to access or send data using a web client, TLS should be implemented. TLS is Transport Layer Security and it is a protocol that makes sure that third parties cannot intercept or eavesdrop on data that is being sent between applications and their Internet users.

    When we talk about data at rest, we are talking about data that is stored in one of a number of different containers. The containers that Microsoft provide data protection options for are listed below.

    Virtual Machines: Windows/LINUX

    Azure disk encryption is provided using BitLocker for Windows or DM-Crypt for LINUX. Virtual hard drives (VHD) are encrypted for both Windows and Linux VMs. The customer is given the option of enabling disk encryption on both the boot and the data volumes; the encryption keys are stored in the key vault. This also applies to Azure Gallery and to running a VM in Azure.

    How it Works

    • The customer uploads their encrypted VHD to their Azure storage account
    • They provision their BitLocker encryption keys or LINUX passphrase in their key vault and give access to the platform to provision the VM
    • At this point, they opt in to disk encryption
    • Azure service management updates the service model with the key vault and encryption configuration
    • The platform provisions the encrypted VM

    Key Vault Security

    Everything revolves around the key vault because this is where the keys are stored: the encryption keys that are protecting your data. These keys are kept in an isolated vault so that, should your storage container become compromised, only an image of your data can be stolen; this is useless to any thief because the keys that unlock the data are elsewhere.

    It is important to note that:

    • Only the customer can control access to the keys that are in their private vault
    • The customer can enable monitoring and logging, collecting the logs in their storage account; this enables them to see who has access or who has attempted access to their vault
    • Encrypted disks are stored in the customer's storage account and Azure storage will automatically replicate them; the customer has control over how many copies are made
    • Azure has no default access to the key vault; the customer must grant Read or Write permission
    • Azure cannot access the disk encryption feature in the vault

    Azure Storage: Blobs, Tables, Queues

    Client-side encryption allows users to encrypt their data before it is uploaded to Azure as well as decrypting it again after downloading. Again, the keys are kept safe in the key vault and the storage service will never see the keys, nor is it capable of decrypting any data. For cloud-integrated storage, all data is encrypted on premises and is backed up in Azure.
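The client-side scheme just described, together with the key vault isolation described under Key Vault Security, as an added Go example that is neither Microsoft's nor the Azure SDK's code: a per-blob content key encrypts the data with AES-256-GCM, the vault wraps that key with a key-encryption key it never discloses, and the "storage service" receives only ciphertext plus the wrapped key. The Vault type and the names EncryptForUpload and DecryptAfterDownload are assumptions for illustration, not the Azure client library's actual envelope format.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Vault stands in for the key vault (hypothetical type): it holds the KEK and
// exposes only wrap/unwrap, so the KEK bytes never leave it.
type Vault struct{ kek []byte }
func NewVault() (*Vault, error) {
	kek, err := randomBytes(32)
	return &Vault{kek: kek}, err
}

func (v *Vault) WrapKey(cek []byte) ([]byte, error)  { return seal(v.kek, cek) }
func (v *Vault) UnwrapKey(w []byte) ([]byte, error) { return open(v.kek, w) }

func randomBytes(n int) ([]byte, error) {
	b := make([]byte, n)
	_, err := rand.Read(b)
	return b, err
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal is AES-256-GCM with a fresh random nonce prepended to the output.
func seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce, err := randomBytes(gcm.NonceSize())
	if err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// open reverses seal; a wrong key or tampered bytes fail authentication.
func open(key, sealed []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil || len(sealed) < gcm.NonceSize() {
		return nil, errors.New("unusable key or ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// Blob is all the storage service receives: ciphertext plus the wrapped CEK.
type Blob struct{ Ciphertext, WrappedCEK []byte }

// EncryptForUpload: fresh content key (CEK) per blob, data sealed under it,
// CEK wrapped by the vault; the plaintext CEK is never stored anywhere.
func EncryptForUpload(v *Vault, plaintext []byte) (Blob, error) {
	cek, err := randomBytes(32)
	if err != nil {
		return Blob{}, err
	}
	ct, err := seal(cek, plaintext)
	if err != nil {
		return Blob{}, err
	}
	wrapped, err := v.WrapKey(cek)
	return Blob{Ciphertext: ct, WrappedCEK: wrapped}, err
}

// DecryptAfterDownload has the vault unwrap the CEK, then opens the data locally.
func DecryptAfterDownload(v *Vault, b Blob) ([]byte, error) {
	cek, err := v.UnwrapKey(b.WrappedCEK)
	if err != nil {
		return nil, err
	}
	return open(cek, b.Ciphertext)
}
```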

    SQL Server and SQL Database

    Using TDE (Transparent Data Encryption) technology, the entire contents of a database in storage can be encrypted using a database encryption key, which is an AES-256 symmetric key.

    This key is protected with a service-managed certificate, which is protected by SQL Database Server. The certificate is set on a 90-day cycle, after which a new one must be produced, thus lowering the chances of compromise through standing access.

    HDInsight uses Azure storage and SQL Azure DB encryption to protect your data, while Azure Backup Service uses Azure Disk Encryption to ensure your data cannot be lost, stolen or compromised in any other way.

    Access Control and Auditing

    So, Microsoft Azure AD has encrypted and protected all your data and your keys are stored away safely in a vault that only you have access to. That's not all there is to it though. Many of the fundamental security risks still exist on premises.

    Mitigate the Risk of Compromised Accounts

    Weak authentication is the key problem to security. Weak passwords, passwords that are written down or shared, or passwords that are stolen are the biggest way in for any attacker. Microsoft is looking to eradicate passwords and bring multifactor authentication in across the board.

    All user accounts can be secured using Azure MFA, usable with either Azure Active Directory or the Windows Server Active Directory Federation Services, and this is backed up by a second factor for identification, usually a text or a phone call.

    Users can also use existing PKI smart cards or virtual smart cards to protect their accounts using ADFS with the on-premises infrastructure.

    Limiting Permissions

    This is one of the most difficult concepts to get over, but permissions should follow a Least Privilege principle, i.e. access is only granted when it is necessary for a specific role. Azure RBAC (Role-Based Access Control) now contains 20 different roles that can be assigned to users, under the headings of owners, contributors and readers, as well as custom roles.


    Owners have full access to the data; contributors can add to it but cannot do anything else, while readers can only do just that: read the content but cannot make any changes. Users within the enterprise, or within groups, can be given access to data under one of those roles, allowing IT to control who does what.

    Privileged Accounts

    Superuser accounts deserve special management because they produce a special risk. JIT (Just-In-Time) access can be enabled, removing the risk of an attack through standing permissions or standing access.

    JIT gives a user access to admin when they need it, for a limited period of time and only to the feature they need access to. Managers can also set something called Azure AD PIM (Privileged Identity Management).

    This is where they can monitor the system, see who has access and who wants it, and set the policies that transition permanent access to temporary.

    Using auditing and logging, management can also detect suspicious activity, including irregular logins, down to user level, through the use of advanced detection tools that are constantly monitoring every user account. In this way, threats can be detected and action taken before they become a problem.


    What is the Operations Management Suite?

    OMS, or Operations Management Suite, is another new feature in Windows 10 and it is a simplified IT management solution.

    It's a hybrid management service that supports Azure AD, AWS, VMWare, OpenStack, LINUX and Windows Server, and it connects to on-premises datacenter and cloud environments, giving IT managers one single portal that allows them to collect, analyze and search through thousands of pieces of data and records that are spread across the workloads and the servers.

    These days, there is so much information, so much data, and so many apps that are spread across the infrastructure, across the cloud and cloud services, that it is getting difficult to know how to handle it all.

    IT managers still have the task of managing and securing all that data, no matter where it is kept, and OMS makes that easier to handle.

    The benefits gained from OMS are:

    • Log Analytics: Collect and search across many machine sources of data to identify where the problems lie in operational issues.

    • Availability: Regardless of where servers and apps are, OMS includes integrated recovery for them all, which is enabled by default.

    • Automation: Orchestration of complex and repetitive operations to provide a more efficient and cost-effective hybrid cloud management system.

    • Security: The ability to monitor and identify the status of malware, find missing system updates and implement them, and to collect security-related events for analysis and audit purposes.


    • Extended System Center: OMS combines with the existing System Center to extend its capability to deliver the full hybrid cloud management system across any cloud or any datacenter.

    • Hybrid and Open: Very few organizations are now housed in a single datacenter and OMS steps in to manage your hybrid cloud, irrespective of the topology or the technology being used, and integrating seamlessly with the existing on-premises infrastructure.

    All of this makes protecting your data and preventing breaches and compromises easier than ever before.

    Mobile Security

    These days, not only do we use our devices for personal use, we also use them for business. More and more business employees use smartphones and tablets for work, and Windows 10 Mobile, formerly Windows Phone, is designed around segregating personal and business uses on the device and providing the right level of security and control over the business side. Mobile devices are the number one target for a cyber-attack and, up until now, they have been more difficult to protect.


    Microsoft has added in a number of security layers to protect a Windows mobile device from any number of malware and malicious attacks, allowing both end users and enterprises to relax a little, knowing that their security is in good hands.

    The first line of defense is a layer of security to protect the actual hardware. All new Windows devices are equipped with a TPM 2.0 chip and have UEFI Secure Boot enabled. This is a Windows requirement and cannot be disabled by anyone. The UEFI Secure Boot system is designed to start checking your system as soon as the device is powered on, checking that the TPM is the real thing and that the firmware, and any other software that starts up, is genuine and has been signed. If it has not, it won't run; it's that simple. Once everything is declared as fit for work, UEFI will boot into the Windows Boot Manager and then into the OS itself.

    The only exception to this is if there is a need to replace the OS through the use of a recovery application, in which case the boot manager will boot into flash mode.

    Just how secure is UEFI though? During the manufacturing process, a number of public key hashes are fused. These hashes link to specific processes that take place in the device.

    All the drivers, loaders, applications and firmware within UEFI must be signed, and a UEFI database will list all keys, image hashes and certificate authorities, stating whether they are trusted or untrusted.

    A secured rollback system is in place: once UEFI has checked a system and declared it to be a safe and genuine environment, secured rollback prevents a rollback to any version other than that one, effectively stopping malware that could have been hiding in an insecure version from being installed. UEFI will be kept fully up-to-date through the Windows Update system.

    Other security of the hardware includes TPM, which was discussed earlier and which enables keys to be isolated from the OS; this means that if the system is breached in any way, those keys cannot be stolen; not even the OS itself can access them.

    Health attestation completes the hardware protection layer. Health attestation is vastly improved from the version that came with Windows 8.1 and it allows Windows 10 to carry out a health check to the Cloud before it can gain access to any internal resources.

    Features checked include Secure Boot, BitLocker, and other operation-essential features that need to be 100% healthy before Windows 10 can run fully.

    The next layer of security is the Windows OneCore. We examine the App Platform first, because it is what users interact with when they use Windows 10 on their mobile devices.
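Before moving on to the app platform, the firmware checks described above (signed images checked against a database of trusted keys and revoked hashes, plus a secured-rollback floor) as an added Go example that is not Microsoft's or any UEFI implementation's code: a Policy type stands in for db, dbx and the rollback floor, and Verify refuses an untrusted signer, a revoked hash, a bad signature or a version below the floor, raising the floor only after a successful check. The types, the ed25519 signatures and the version encoding are assumptions for illustration, not the UEFI variable format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"errors"
)

var (
	ErrUntrustedSigner = errors.New("signer key not in db")
	ErrRevoked         = errors.New("image hash listed in dbx")
	ErrBadSignature    = errors.New("image signature invalid")
	ErrRollback        = errors.New("image version below secured-rollback floor")
)

// Image is one signed boot-chain component (firmware, loader, driver).
type Image struct {
	Name    string
	Version uint32
	Body    []byte
	Signer  ed25519.PublicKey
	Sig     []byte
}

// Policy is a constructed stand-in for the UEFI trust database (not the real format).
type Policy struct {
	TrustedKeys   map[string]bool // db: hex(sha256(public key)), enrolled at manufacture
	RevokedHashes map[string]bool // dbx: hex(sha256(image body))
	MinVersion    uint32          // secured rollback: lowest version still allowed to boot
}

func hexHash(b []byte) string {
	h := sha256.Sum256(b)
	return hex.EncodeToString(h[:])
}

// signedMessage puts name and version under the signature so it cannot be reused.
func signedMessage(img Image) []byte {
	v := img.Version
	msg := append([]byte(img.Name), byte(v>>24), byte(v>>16), byte(v>>8), byte(v))
	return append(msg, img.Body...)
}

// Sign is the vendor's build-time step; the private key never reaches the device.
func Sign(priv ed25519.PrivateKey, name string, version uint32, body []byte) Image {
	img := Image{Name: name, Version: version, Body: body, Signer: priv.Public().(ed25519.PublicKey)}
	img.Sig = ed25519.Sign(priv, signedMessage(img))
	return img
}

// NewPolicy enrols vendor public keys in db (the fused-hash step at manufacture).
func NewPolicy(trusted ...ed25519.PublicKey) *Policy {
	p := &Policy{TrustedKeys: map[string]bool{}, RevokedHashes: map[string]bool{}}
	for _, k := range trusted {
		p.TrustedKeys[hexHash(k)] = true
	}
	return p
}

func (p *Policy) Revoke(body []byte) { p.RevokedHashes[hexHash(body)] = true }

// Verify is the boot-time check: trusted signer, not revoked, valid signature, version
// not below the floor. Success raises the floor, so an older image is refused from then on.
func (p *Policy) Verify(img Image) error {
	if !p.TrustedKeys[hexHash(img.Signer)] {
		return ErrUntrustedSigner
	}
	if p.RevokedHashes[hexHash(img.Body)] {
		return ErrRevoked
	}
	if !ed25519.Verify(img.Signer, signedMessage(img), img.Sig) {
		return ErrBadSignature
	}
	if img.Version < p.MinVersion {
		return ErrRollback
	}
	p.MinVersion = img.Version
	return nil
}
```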

    Windows 10 only supports modern apps or RT apps depending on your system, and not Win32 apps. The new security layer for the app platform model works like this:

    • The OS runs in a TCB (Trusted Computing Base) where nobody can access it and nobody can make changes to it.

    • Apps that are installed via the store or are shipped with a device are installed in a sandbox, or in a Least Privilege Chamber (LPC). When the app is put into the chamber, it is given permissions based on what it needs to run and no more. This means that it will only do what it says on the box and cannot be touched by malware that tries to order it to deviate from that. The permissions that are linked to that chamber cannot be changed or elevated by anyone, only by an upgrade with a new manifest.

    Windows 10 for Mobile will come with a number of preinstalled apps, as follows:


    All of these are modern apps and can be fully updated with new functions without the need to go through the mobile operator to deliver the update; instead, they will be updated through Windows Updates, under a feature called Windows as a Service.

    Access to apps and services has always caused concern in terms of security. Microsoft is implementing a number of new features on both the Desktop and the Mobile versions of Windows 10 that will secure access more than ever before.

    Many users are fed up with the current password system. Not only is it too much to have to remember multiple passwords, it is simply not secure. Most people tend to stick to the same password for everything; there are so many places that require ID to be proven now that you could probably produce a book filled with all the different access details you would need.

    Businesses want more control over what their end-users are accessing, not to be nosy but to better understand patterns and to detect potential threats and/or security leaks. So Microsoft has come up with Windows Hello.

    We know all about this from the desktop version and the Mobile version is the same, so to recap:

    • Windows Hello is a biometric system

    • It uses clean IR for iris or facial recognition, or a fingerprint reader

    • New hardware will need to be produced to complement this feature because today's mobiles do not have the capabilities to recognize facial or iris details; some may have an integrated fingerprint reader, but this may also need to be updated; devices also need to be capable of 3D vision for detection purposes


    • Microsoft is working hard to increase the FALSE Acceptance Rate, currently at 1/100,000, and to reduce the FALSE Rejection Rate, which is currently between 2-4%

    • Passwords and/or PIN numbers may still be used, but the difference here is that these can be covered by MDM (Mobile Device Management), especially in BYOD situations

    Microsoft Passport is another system that will be on Windows 10 for desktop and mobile and is a replacement for the old password system. Instead of a password, a key pair is generated, one public and one private, after a user has created trust with their IDP (identity provider).

    The private key will never leave the device it is paired with. Users have a choice of providers, anyone that is a part of the FIDO Alliance, such as Microsoft themselves, Google, Facebook, Twitter, etc.

    The difference with business users is that an end-user will create their Passport account, specifying whether the account is for business or personal use. When the user has to create trust, the IDP may require that a second layer of authentication is included to prove identity, perhaps a phone call or text message.

    Once the trust has been created, the keys are produced and, when validated, an authentication token is sent to the device. That token can then be used on a number of third-party relying resources that trust those tokens.

    An access token is created and this can be controlled by MDM: you can set a time limit on the access the user has to a particular site, meaning that they will need to re-authenticate after that limit expires if they want to gain access to the site again.
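The Passport flow described above (a device key pair, trust established with the IDP, a token that relying parties accept until an MDM-set limit expires) as an added Go example that is not Microsoft's Passport or FIDO code: the device signs a single-use nonce from the IDP with a private key that never leaves it, the IDP issues a signed token with an expiry, and the relying party accepts the token only while it is unexpired and the signature covers that exact user and expiry. The challenge-nonce step, ECDSA P-256, the injectable clock and the names NewIDP and AcceptToken are assumptions for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"time"
)

var ErrNoChallenge = errors.New("user not registered or no outstanding challenge")
var ErrBadSignature = errors.New("challenge signature invalid")

// NewDeviceKey: generated on the device; the private half never leaves it.
func NewDeviceKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// SignChallenge answers the IDP's nonce; no password travels anywhere.
func SignChallenge(devicePriv *ecdsa.PrivateKey, nonce []byte) ([]byte, error) {
	h := sha256.Sum256(nonce)
	return ecdsa.SignASN1(rand.Reader, devicePriv, h[:])
}

// Token is what relying parties receive: user, expiry and the IDP's signature.
type Token struct {
	User    string
	Expires time.Time
	Sig     []byte
}

// tokenDigest binds user and expiry so neither can be altered after issue.
func tokenDigest(user string, exp time.Time) []byte {
	h := sha256.Sum256([]byte(user + "|" + exp.UTC().Format(time.RFC3339Nano)))
	return h[:]
}

// IDP keeps public keys only, hands out single-use nonces and signs tokens with Key.
type IDP struct {
	Key        *ecdsa.PrivateKey
	keys       map[string]*ecdsa.PublicKey
	challenges map[string][]byte
	ttl        time.Duration    // MDM-set token lifetime
	now        func() time.Time // injectable clock
}

func NewIDP(ttl time.Duration, now func() time.Time) (*IDP, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return &IDP{Key: k, keys: map[string]*ecdsa.PublicKey{}, challenges: map[string][]byte{}, ttl: ttl, now: now}, err
}

// Register runs once trust is established (second factor assumed done out of band).
func (i *IDP) Register(user string, pub *ecdsa.PublicKey) { i.keys[user] = pub }

// Challenge issues a fresh random nonce for one sign-in attempt.
func (i *IDP) Challenge(user string) ([]byte, error) {
	nonce := make([]byte, 32)
	_, err := rand.Read(nonce)
	i.challenges[user] = nonce
	return nonce, err
}

// Authenticate consumes the nonce (no replay), checks the device signature and
// issues a token valid for ttl; after that the user must re-authenticate.
func (i *IDP) Authenticate(user string, sig []byte) (Token, error) {
	pub, registered := i.keys[user]
	nonce, pending := i.challenges[user]
	delete(i.challenges, user)
	if !registered || !pending {
		return Token{}, ErrNoChallenge
	}
	h := sha256.Sum256(nonce)
	if !ecdsa.VerifyASN1(pub, h[:], sig) {
		return Token{}, ErrBadSignature
	}
	exp := i.now().Add(i.ttl)
	tokSig, err := ecdsa.SignASN1(rand.Reader, i.Key, tokenDigest(user, exp))
	return Token{User: user, Expires: exp, Sig: tokSig}, err
}

// AcceptToken is the relying party's check: unexpired, and the IDP signature covers this exact user and expiry.
func AcceptToken(idpPub *ecdsa.PublicKey, t Token, now time.Time) bool {
	return now.Before(t.Expires) && ecdsa.VerifyASN1(idpPub, tokenDigest(t.User, t.Expires), t.Sig)
}
```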

    Enterprise expectations for corporate access are anytime, anywhere, secure remote access, as shown below:


    Furthermore, to enable data and access to be protected to and from a device, Microsoft has expanded their VPN capabilities in Windows 10. Again, these can be MDM-managed in two main ways:

    • On a per-application basis: IT can give user access to specific sites through a VPN and this is fully integrated with Enterprise Data Protection

    • On an Always-On basis, which means users will access sites through a VPN on a permanent basis, until they turn it off; this can be managed and IT decides whether to allow a user to disable the VPN or not

    BitLocker is also present on all devices, and this is designed to protect the data on a mobile devic