Windows 10 Security
Page | 2 www.Windows10update.com
Copyright Notice
INTRODUCTION TO WINDOWS 10 SECURITY - BY ONUORA AMOBI
UPDATED SEPTEMBER 15TH, 2015
2015 Nnigma Inc.
All rights reserved.
Any unauthorized use, sharing, reproduction or distribution of these materials by any means, electronic, mechanical, or otherwise is strictly prohibited.
No portion of these materials may be reproduced in any manner whatsoever, without the express written consent of the Publisher or Author.
Published under the Copyright Laws of The United States of America by:
Nnigma Inc.
3579 East Foothill Blvd, Suite #254
Pasadena, CA 91107
www.Nnigma.com
Legal Notice
While all attempts have been made to verify information provided in this publication, neither the author nor the publisher assumes any responsibility for errors, omissions or contradictory interpretation of the subject matter herein.
This publication is not intended to be used as a source of binding technical, technological, legal or accounting advice.
Please remember that the information contained may be subject to varying state and/or local laws or regulations that may apply to the user's particular practice.
The purchaser or reader of this publication assumes responsibility for the use of these materials and information.
Adherence to all applicable laws and regulations, both federal, state, and local, governing professional licensing, business practices, advertising and any other aspects of doing business in the US or any other jurisdiction is the sole responsibility of the purchaser or reader.
Nnigma Inc. assumes no responsibility or liability whatsoever on behalf of any purchaser or reader of these materials.
Windows 10, Windows 9, Windows 8.1, Windows 8.1 Update 1, Windows 8, Windows 7, Windows Vista, Windows XP, Surface Hub, Windows Holographic and all other related terms are registered trademarks of the Microsoft Corporation.
All Rights Reserved.
All other trademarks are the property of their respective owners.
All trademarks and copyrights are freely acknowledged.
Table of Contents
Introduction to Windows 10 Security ... 6
Microsoft and the FIDO Alliance ... 7
The comparison to Windows 7 and 8 Security features ... 9
How Microsoft Windows 10 Will Protect Your Identity ... 11
    Windows 10: Protecting Your Identity and Controlling Access ... 11
    The Pros and Cons of Biometrics ... 12
    Facial Authentication ... 16
    Windows Hello ... 18
New Security Features in Windows 10 ... 19
    Microsoft Passport ... 19
    Passport2Go ... 22
    BitLocker and TPM ... 30
How Does BitLocker Drive Encryption Work? ... 32
    Device Guard ... 33
Required Hardware and Software for Device Guard ... 34
    Why use Device Guard? ... 35
    Enterprise Data Protection (EDP) ... 37
How Does EDP Work? ... 38
    Levels of Protection ... 38
    EDP Allows Better Workflow ... 39
    Changing the Protection Levels on Documents ... 39
    Enterprise Data Security ... 40
    Wipe Enterprise Data Remotely ... 40
    Copying or Downloading Enterprise Data ... 41
    Privileged Apps and Restrictions ... 41
    Persistent Data Encryption ... 42
    Helps Prevent Accidental Data Sharing ... 42
The Benefits of EDP ... 43
    Enterprise scenarios ... 43
Windows Defender ... 44
    Configuration and Exclusions ... 44
UEFI ... 45
Advanced Threat Analytics ... 47
    How Does It Work? ... 48
    Virtual Secure Mode ... 50
    Microsoft Virtualization Strategy and Security ... 51
    Security Improvements ... 52
Enterprise Mobility: Identity in the Enterprise ... 53
    Cloud App Discovery ... 55
        Managing Your Directory on the Cloud ... 56
How Microsoft Windows 10 Will Protect Your Data ... 57
    Azure Rights Management and Information Rights Management ... 57
    Azure Administrative Tasks ... 57
    Data Protection in Azure ... 58
    Virtual Machines: Windows/Linux ... 58
    Key Vault Security ... 59
    Azure Storage: Blobs, Tables, Queues ... 59
    SQL Server and SQL Database ... 59
    Access Control and Auditing ... 60
        Mitigate the Risk of Compromised Accounts ... 60
        Limiting Permissions ... 60
        Privileged Accounts ... 61
What is the Operations Management Suite? ... 62
    Mobile Security ... 63
    MDM (Mobile Device Management) and the Business Store ... 69
    Browser Security ... 74
    Enterprise Mobility Suite ... 75
    Office 365 ... 76
    Conditional Access to Azure AD Connected Applications ... 77
Windows as a Service: More Security via Secure Updates ... 79
    Windows Update for Business ... 80
Windows 10 and the Internet of Things ... 81
    AllSeen and AllJoyn ... 81
    Where Does Windows 10 Come In? ... 82
    IoT Azure Security ... 82
Summary ... 85
Introduction to Windows 10 Security
Security has always been an issue for computer users. However, over the last couple of decades, security threats have become much worse.
While you may think you have the best security system possible on your PC, it is likely that you don't. Why? Because the landscape of cyber-threats is changing too fast for ordinary security software to keep up with.
Heck, you could buy a new security system for your computer right now and within 72 hours it would require a security update.
Cyber threats are becoming more complex and attackers more cunning. Viruses and malware, for example, have gained new abilities to hide and remain undetected.
Cyber-attacks are more sophisticated and highly targeted compared with years ago, when hackers could only hope for indiscriminate and unfocused damage.
In the early days we had script kiddies, who aimed at causing mischief rather than damage.
Today criminal gangs conduct crimes such as click fraud and ID theft, purely for illicit profit. We also have activists and Internet terror groups whose sole aim is to cause as much disruption and damage as they can, as well as to steal identities.
In the midst of this very treacherous landscape, Microsoft has taken up the challenge of keeping computer users safe. With Windows 10, the software company is introducing unprecedented levels of security safeguards into the very fabric of the Operating System.
I wrote this book because I wanted to take a brief look behind the curtain to see what types of security were embedded in Windows 10.
Here's what I found.
Microsoft and the FIDO Alliance
The FIDO (Fast IDentity Online) Alliance was launched in 2012 as a way of addressing the lack of interoperability between strong authentication devices and the problems users have in remembering multiple usernames and passwords. PayPal and Lenovo, two of the biggest names in the industry, were founding members of FIDO. In just over a year after launch, many more big names had joined the alliance, including Google, BlackBerry, Visa, SecureKey and, of course, Microsoft.

So, how does the FIDO Alliance factor into Windows 10? To get to that, we need to go back a step or two, to talk about why Microsoft opted to join the Alliance.

Security problems on our devices are getting worse, partly because of the significant jump in malicious attacks and partly because of user behaviour. You see, it often comes down to passwords. Computer users often get sloppy and lax, and share their passwords with others.

That isn't the only problem, though; the next part of the puzzle involves the websites we visit. The issue is not that they are unsafe, because most of them are safe. It's just that, once again, that lazy gene comes out and we stick to using the same password for every single site that we have to log in to. Why do we do that? Because not only is it time-consuming to have to come up with a different complex password for each site, we have to remember them as well. The human brain can only hold so much information and, to help us out, we write those passwords down, which comes back to being lax and sloppy about security.

Because we are using the same login details for every site, it makes it easy for those details to be stolen. A malicious attacker will go for a weak website, one which doesn't have so much security on it, and once they have your details from that site, it doesn't take a genius to guess that you probably used the same ones to log in everywhere else! That gives the attacker an open pass, a master key if you like, to everything you have access to.

The final piece of the puzzle, one of the weakest links, is the device that you are using. It's not that it's no good, it's just that, up until now, any application would run on your device, regardless of its content, until it was proven to be a bad apple. The only way that app would not run is if your anti-virus software or firewall picked it up and kicked it out. Not everyone has antivirus software installed, or they don't use the one that is already provided with Windows. That means that so much malware gets through the net that once it starts, it is difficult to stop it.

So how does Microsoft intend to fix this? The current PKI (public key infrastructure) is way too expensive and complex to maintain, and it is constantly under attack. The current CA (certificate authority) system is also under attack. An attacker who gets hold of your credential before your IDP (Identity Provider) issues you a token finds every door in the house wide open. And, if that weren't enough, limited use of MFA (multi-factor authentication) leaves weak spots everywhere, weak spots that take little effort to get through.

In Windows 10, Microsoft is making it easier for you to log in while tightening the security net with MFA. With a combination of biometrics, PIN access and asymmetric key pairs tied to a specific device, Microsoft is aiming to make it so that no one except you can access your resources and your applications. With Windows 10, Microsoft is bringing to market the next generation of user credentials. We'll run through them one by one in this book.
The comparison to Windows 7 and 8 Security features
Microsoft had to take a new approach to Windows 10 security for a couple of reasons.
First, security problems and challenges continue to evolve rapidly, and it was clear that there were new challenges that needed to be solved.
It was also clear that some of these challenges were a little bit more sophisticated than Windows 7 and Windows 8 were designed to handle.
To give you a quick overview, take a look at the table below, showing you the fundamental differences in security between Windows 7 and Windows 10:
Function: Identity Protection
  Windows 7: Password theft is too common now, and current multi-factor solutions are simply too expensive and too difficult to deploy.
  Windows 10: Comes complete with an easy-to-deploy multi-factor solution, complete with anti-phishing and anti-theft features. Password protection and PINs are included in multi-factor security solutions.

Function: Data Protection
  Windows 7: Offers the option of configurable disk encryption but doesn't have integrated Data Loss Prevention (DLP). Can use third-party solutions, but not always successfully.
  Windows 10: Has market-leading disk encryption, very manageable, and increased out-of-band (OOB) security updates. Data separation and DLP are fully integrated.

Function: Threat Resistance
  Windows 7: Apps are always trusted until they are a threat, and there is no way of detecting the thousands of new threats that appear every day.
  Windows 10: Desktop machines can be locked down to a mobile level. There is the ability to have a trusted app model where those apps that are untrusted cannot run.

Function: Device Security
  Windows 7: The platform is securely built, but built on software alone, meaning malware can hide from security, embedding itself in devices.
  Windows 10: The platform is built on integrated hardware and software security and offers protection from being switched on to being shut down. System tampering is far harder and malware has far fewer places to hide.
Basically, Microsoft took a holistic look at security and decided to attack some of the fundamental security flaws and challenges from a deep architectural perspective.
With Windows 10, Microsoft has implemented a wide variety of security solutions that protect both your software and the hardware:
Windows Hello and Microsoft Passport handle ID protection.
BitLocker and Enterprise Data Protection handle data protection.
Device Guard and Windows Defender protect against multifaceted threats.
UEFI Secure Boot, TPM 2.0 and virtualization keep your hardware safe.
Let's take a closer look at each of these solutions.
How Microsoft Windows 10 Will Protect Your Identity
First up is identity protection. Identity theft is the one thing that concerns computer users the most.
Every day, more stories are published about people whose identity has been stolen and used to commit fraud and that, quite understandably, makes consumers nervous. Windows 10 looks set to make users feel good about using a computer again, to make them feel secure.
Windows 10: Protecting Your Identity and Controlling Access
The next topic of discussion is a new solution to protect one's identity, a solution that leaves behind the old-fashioned use of single-factor authentication, like passwords. It is a solution that protects you when a breach happens in the data center, because no shared secret is stored there to steal.
It also protects your data from being stolen if your device happens to be compromised, and it stops phishing attacks in their tracks.
Once you are enrolled in the system, your device becomes one of the two factors that you need for authentication; the other is a PIN or biometric information, such as your fingerprint.
The systems in question are Windows Hello and Microsoft Passport, two systems that work together to provide the ultimate in identity protection. Let's go a little deeper and examine what each system has to offer.
This security solution benefits consumers and business users alike and provides the convenience of a password without the hassle of having to remember it or forgetting who you gave it to. Microsoft is taking security to a whole new level to bring its customers complete identity protection with multi-factor authentication.
Let's take a look at the systems that Microsoft chose to use and why they chose them. First, biometrics. What is it exactly? Biometrics is the study of biological characteristics that can be measured. In computer security, biometrics is increasingly used to make it more difficult for systems to be hacked through the old-fashioned password system.
The biometrics in this instance refer to physical characteristics that can easily be checked against the information stored in the system. There are a number of ways that biometrics are used for authentication:
Facial: the analysis of different facial characteristics
Fingerprint: analysis of the unique fingerprints of each person
Hand Geometry: the shape of the hands and the finger length
Retinal: analysis of the capillary vessels at the rear of the eye
Iris: analysis of the colored ring surrounding the pupil in the eye
Signature: how a person signs his or her name
Vein: pattern of the veins on the back of a hand and in the wrist
Voice: tone and pitch of a voice, as well as the frequency and cadence
Biometrics is still a relatively new development, but it is fast becoming the way to go with computer security systems.
The Pros and Cons of Biometrics
There are pros and cons to every form of biometric authentication. Given that Microsoft has chosen to adopt this as a security measure, it is important to review the arguments for and against the use of the new technology.
The arguments for using it for network access revolve mainly around three key areas. The first, and perhaps the most obvious, is that biometric authentication uses attributes that are unique to the individual, making it an ideal form of security.

The second argument for using biometrics is that users will no longer be able to forget their passwords, or share them with others, knowingly or inadvertently. Password administration systems and overheads are considerably reduced as well, and this is one of the driving factors in adopting biometric authentication.

The third argument is that it will be incredibly difficult for a person's biometric characteristics to be replicated, far more difficult than it is to replicate a password or user ID. Also, whereas tokens can be stolen or lost, biometric characteristics cannot.

Arguments against the use of biometrics are many, showing just how controversially it is viewed in some quarters. First and foremost, it is still expensive to implement biometric authentication measures, meaning that many organizations cannot afford it. The cost of both the hardware and software required may be prohibitive to many, along with the cost of integrating it with the current systems in place.

There is also the argument that right now biometric systems are only suited to simplistic networks. This is paired with some current thinking that, as an all-or-nothing technology, it may not suit many organizations at this stage. All-or-nothing means that you can go to the expense of having biometric authentication on every single computer on the network, but it counts for nothing if a user can log on to the system from a remote location without needing to use it; that would undermine everything and make the expense a complete waste of time.

There is also the argument that the storage of biometric information is an invasion of privacy, but those in favor of it say that it is only a representation of the data, not the original data, that is being stored.

Of course, there is another angle to this. Given the rate at which a successful technology will spread, there is concern that, should a user's biometric data be compromised, not only does it affect network security, that data could also be used for a large number of illegal activities.

One final but significant concern is that using biometric data is not the same as using a key and does not have the same random, secret nature of a key. Neither can it be updated or destroyed. If a person's biometric data is compromised, it is not a simple case of issuing new biometric data; clearly that can't be done!

So, given all the controversy surrounding the use of biometrics for security, why has Microsoft opted to adopt it? The simple answer is reliability. The consequences of having a system that runs using old-fashioned methods can be damaging, with confidential information stolen and data integrity compromised.

Also, let's face it, many of the applications we use in our daily lives require some form of authentication. As far as Microsoft is concerned, by using biometric authentication to get into Windows 10, you can also use it to access all your Microsoft accounts and apps; there isn't a need to remember separate passwords for each app. Passwords can be stolen or replicated; biometric information is far harder to steal or replicate. In addition, biometric information can be positively linked to a specific person. For example, a credit card can be used without the actual user being there, whereas biometrics requires you to be at the computing device to log in.

Windows 10 is set up to provide modern biometric capabilities that allow users to easily unlock their devices and to unlock NGC (Next Generation Credentials) for a much more improved and secure password-free existence.

The Internet can be a hostile place, and consumers want a safer, more reliable experience and a better authentication system than we have now. They want a system that is secure; a system that leaves passwords in the dust, yet still gives them access to everything they need. With Windows 10, Microsoft set out to do just that, setting out a series of goals they wanted to meet:

To enable both consumers and enterprise users to be able to unlock their devices, make payments and secure their content, all without using a password and in a more secure way
To develop hardware solutions that, at the very least, meet, if not exceed, the expectations of the customer; hardware that is robust and easy to use
To deliver biometric devices that are innovative and give the customer value

To this end, Windows 10 has been developed to support a wide range of biometrics (fingerprint, facial or iris recognition), whichever suits the user best. Special hardware is required to support this, and those devices that meet the requirements of Windows 10 for biometric authentication will benefit in a number of ways:

Easy and convenient logon and very strong authentication
Enterprise-level security with access to HBI (High Business Impact) resources
Consistent inbox enrolment and usage across Windows-enabled biometric devices

In addition, Windows 10 also supports an inbox Face Authentication solution that is available for all OEMs that provide the supported hardware, without the need to rely on third parties.
Facial Authentication
Windows 10 brings a new level of face recognition to the table; a system that allows for the easy authentication and unlocking of Windows devices, as well as access to content that is NGC-supported. This is all without the need to use passwords or any additional authentication factors.
Features
Windows 10 Face Authentication features include:
An interface that is user-friendly, providing the capability for single sign-on. There is no need for passwords or any other authentication credentials.
Enterprise-grade authentication, as well as access to NGC-supported content: network resources, purchased content and websites.
Anti-spoofing measures are included to defeat physical attacks such as holding up a photograph, so that no one except you can log on to your system.
Using clean infrared, clean and consistent images can be produced, even in diverse lighting situations. The system also allows for slight changes in appearance, such as the addition or removal of facial hair, makeup, glasses, etc.
Use Cases
There are three primary use cases for Face Authentication:
1. Authentication needed to unlock or log in
On average, the system takes less than 2 seconds to recognize your face, although it may take up to 30 seconds. This is expected to be used at a high frequency, since it is required whenever a user needs to authenticate to their device and get past the lock screen.
2. Authentication to Purchase
On average, the system will recognize a face in less than 2 seconds, up to a maximum of 30 seconds. This is required every time an application needs a user to re-authenticate, and it is not expected to be a frequently occurring use case.
3. Presence
The average duration of recognition is 1.5 to 30 seconds, although it may take longer. The frequency of usage is expected to be low and, using new presence APIs, applications will be able to use sensors to determine if the authenticated person is present at the device or if it is an unknown or guest user.
So let's talk a little bit about Microsoft's facial detection security mechanism.
Windows Hello
Windows Hello provides biometric authentication, allowing you instant access to any of your Windows 10 devices, whether desktop or mobile.
Forget trying to remember cumbersome passwords; with Windows Hello you will be able to look at your camera or use your fingerprint to be immediately recognized and allowed access.
As well as being much more convenient, it is also a more secure method than using a password.
Windows 10 introduces a new system that allows you to authenticate to enterprise content, applications, and even online experiences without having a password stored where it can be stolen.
Windows Hello works with your face, your iris or your fingerprint (you will need a compatible camera and/or fingerprint sensor). After enrolment, only you and your enrolled device can be used to access your Windows 10 apps, websites, and data. This is done using a series of modern sensors that will recognize characteristics that are personal to you.
Unless your device already has an Intel RealSense-compatible camera or a fingerprint sensor, you will need to upgrade to one of the large number of Windows 10 devices that will soon support Windows Hello.
For facial detection, Windows Hello uses software and special hardware to verify your identity; it won't work if someone holds up a photograph of you, for instance.
The Intel RealSense-enabled cameras use infrared technology to take a very comprehensive 3D image of your face. This captures not only the look of your face but its depth as well.
The cameras are stunningly reliable and can verify your identity in a wide range of lighting conditions.
Windows Hello is a solution that will be used not only by consumers but also by defense, government, health organizations, financial organizations and others to bring better security and reduce the threat of imposters or hackers.
New Security Features in Windows 10
The following are some more of the new and exciting security features that Windows 10 is bringing to the table.
Microsoft Passport
Windows Hello is not the whole story, however. Microsoft has also introduced Microsoft Passport.
Passport is designed to do away with passwords, allowing IT managers, website authors, and software developers to include a more secure way of letting you sign in to their apps or sites.
Instead of using the old-fashioned method of a password, Microsoft Passport is designed to securely verify your identity and authenticate you on websites, applications, and networks without the need to store a password on the servers, removing the password database that a server breach would otherwise expose.
Windows 10 replaces the password with an asymmetric key pair that is bound to your device; a PIN (or your Windows Hello biometric) unlocks the private key, which then proves your identity when you access your own personal data or your organization's data. That PIN is linked to your device only and will not work without it.
If you tried to log in using your PIN on another device, you would be barred from entering. Obviously, you will need to set up a separate PIN for each device that you intend to use, but that just adds a further layer of security: no one can access your data from just any device any longer, making your data and your identity safe from unwanted attention.
Why did Microsoft go down the route of using a PIN? Surely that is just as bad as using a password, isn't it? No. A PIN is significantly faster to use and is far more secure than a password. Next question: how can such a short PIN be more secure than a complex password? This is because it doesn't really have anything to do with size.
Where the PIN differs from a password is that a password can be used for access on any device; the PIN is unique to a specific device and never leaves it. That means that if someone were to steal your PIN and try to access your data, they couldn't do it unless they were using the device the PIN was linked to. Even then, the PIN is only the gesture that unlocks the key; the key itself stays on the device and cannot be copied off it. Makes sense? Think of it as being like your credit card PIN. A person could not steal your PIN and then use it on their own card in a cash machine. That PIN is tied to that card, and that is how the Microsoft Passport PIN works too.

None of this is required; it is entirely your choice whether to use Windows Hello and Passport. You may be concerned that your unique biometric information can be stolen and used, and it is for that reason that Microsoft stores your unique biometric information on your device only, not on any external system or server, and it is shared only with you.
It can only be used as a method of unlocking your device and is never used to authenticate you over an open network.
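The device-bound key pair that this section (and the FIDO section earlier) describes, shown as an added Go example; this is not Microsoft's code and not part of the original book. The relying party stores only a public key per user and device; the device signs a fresh nonce after a local PIN check; and the four outcomes match the chapter's claims: the right PIN on the enrolled device works, a wrong PIN fails locally without anything reaching the server, the same PIN on another device fails because it unlocks a different key pair, and a captured signature cannot be replayed. The user and device names follow the Irwin/Contoso example, the PIN is made up, and the SHA-256 PIN check standing in for the TPM is an assumption made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// RelyingParty is the site, app back end or IDP: it holds public keys only, never a PIN or password.
type RelyingParty struct {
	publicKeys map[string]*ecdsa.PublicKey // one enrolled key per user@device
	pending    map[string][]byte           // single-use nonce outstanding per user@device
}

// Device holds the private key. In Passport it lives in the TPM, which also checks the PIN;
// the SHA-256 PIN check gating an in-memory key here is this example's simplification (assumption).
type Device struct {
	priv    *ecdsa.PrivateKey
	pinHash [32]byte
}

// NewDevice generates a fresh P-256 key pair; it panics only if the OS RNG fails.
func NewDevice(pin string) *Device {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Device{priv: priv, pinHash: sha256.Sum256([]byte(pin))}
}

// Register is enrolment: only the public key leaves the device.
func (rp *RelyingParty) Register(user, device string, d *Device) {
	rp.publicKeys[user+"@"+device] = &d.priv.PublicKey
}

// Challenge issues a fresh random nonce for the named device to sign.
func (rp *RelyingParty) Challenge(user, device string) []byte {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	rp.pending[user+"@"+device] = nonce
	return nonce
}

// Sign releases the private key only for the correct PIN; the PIN itself is never transmitted.
func (d *Device) Sign(pin string, nonce []byte) ([]byte, error) {
	h := sha256.Sum256([]byte(pin))
	if subtle.ConstantTimeCompare(h[:], d.pinHash[:]) != 1 {
		return nil, fmt.Errorf("PIN rejected by device")
	}
	digest := sha256.Sum256(nonce)
	return ecdsa.SignASN1(rand.Reader, d.priv, digest[:])
}

// Verify checks the signature with the enrolled key and retires the nonce, so a captured
// signature cannot be replayed against a later challenge.
func (rp *RelyingParty) Verify(user, device string, sig []byte) bool {
	id := user + "@" + device
	nonce, ok := rp.pending[id]
	delete(rp.pending, id)
	if pub := rp.publicKeys[id]; ok && pub != nil {
		digest := sha256.Sum256(nonce)
		return ecdsa.VerifyASN1(pub, digest[:], sig)
	}
	return false
}

// RunScenario enrols Irwin's work laptop with Contoso (names from the chapter's example, PIN
// made up) and tries the cases the chapter describes; each result is "did it authenticate?".
func RunScenario() map[string]bool {
	const user, dev = "irwin@contoso.com", "irwin-laptop"
	rp := &RelyingParty{publicKeys: map[string]*ecdsa.PublicKey{}, pending: map[string][]byte{}}
	laptop := NewDevice("7391")
	other := NewDevice("7391") // the same PIN on another device unlocks a different key pair
	rp.Register(user, dev, laptop)
	attempt := func(d *Device, pin string) bool {
		sig, err := d.Sign(pin, rp.Challenge(user, dev))
		if err != nil {
			return false // the PIN check failed locally; nothing was ever sent to the server
		}
		return rp.Verify(user, dev, sig)
	}
	res := map[string]bool{
		"same device, correct PIN": attempt(laptop, "7391"),
		"same device, wrong PIN":   attempt(laptop, "0000"),
		"other device, same PIN":   attempt(other, "7391"),
	}
	// Replay: a signature that was valid once is presented again for a new challenge.
	sig, _ := laptop.Sign("7391", rp.Challenge(user, dev))
	rp.Verify(user, dev, sig) // the genuine use consumes the nonce
	rp.Challenge(user, dev)   // a new nonce is now outstanding
	res["replayed signature"] = rp.Verify(user, dev, sig)
	return res
}

func main() {
	fmt.Println(RunScenario())
}
```

Run it with go run; the only case that authenticates is the enrolled laptop with its own PIN. The point the chapter makes about PIN length falls out of the design: the PIN is checked on the device and gates a key that never leaves it, so the server side has no PIN or password to lose and a PIN learned elsewhere is useless without that device.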
Passport2Go
Passport2Go is part of the Passport system that allows you to specify whether a device is for personal or for business use. Let's go through an example of Passport2Go in use.
Fun Fact: Microsoft uses the fictional Contoso Company for examples in many of their presentations and documents.
Irwin works for a consulting company that provides its services to Contoso. Contoso gives its partners cloud-only accounts through Azure Active Directory (AAD) when it is necessary. Irwin has a long-running engagement that requires him to have an AAD account and, through his work for Contoso, he has an allowance which lets him buy a device that is ONLY for use for his Contoso work. How does he set this device up so that he can only use it in this way?
By enabling Passport2Go. When you sign up to Passport2Go, you define whether your device is a personal or business use device. On the next page, let's walk through the example:
In our example, choosing organization use gives Irwin access to all the resources that he needs for his work.
Next, Irwin has to determine how he is going to connect. Because Contoso provides him with an AAD account, that is the option he selects.
Irwin is now taken to the AAD sign-in page, where he signs in with his Microsoft or Office 365 credentials, starting with his email address.
Then his password...
Irwin is then directed to the Contoso sign-in page on AAD.
Now it's time for Irwin to set up his PIN number, which will allow him to unlock the device and access everything he needs in order to do his work.
PIN numbers are far more secure than passwords and are much shorter. As we mentioned before, you may question how a shorter PIN number could be more secure than a long and complex password. Microsoft has the answer to that:
The next step for Irwin is to choose how to verify his account. He has a choice of four options: text message, phone call, a notification that is sent to his authenticator app, or using the authenticator app to generate a security code.
Irwin opts for the text message.
Once he has received the message verifying his account, Irwin can create his PIN.
Because he has ticked the box that says "Use a 4-digit PIN", his new PIN is not accepted and he sees a message that tells him there are special requirements for the PIN.
Contoso has set specific requirements for the complexity of the PIN, and these instructions are now revealed to Irwin, allowing him to create a PIN that ties in with what they want.
Once Irwin has successfully set his PIN up, the changes are applied, which may take a few seconds to a couple of minutes.
Finally, the NGC (Next Generation Credentials) container is loaded and Irwin has full access to all the apps and systems he needs for work.
BitLocker and TPM
Windows BitLocker Drive Encryption is a brand new security feature that protects your data more efficiently. It does this by encrypting every single piece of data that is stored on the Windows OS system volume, the partitions on your hard disks.
TPM, the Trusted Platform Module, is a special chip that stores a key pair that is called the Endorsement Key. The key pair is kept inside the TPM chip and is not accessible by software.
When the user or an administrator takes on ownership of a device, a Storage Root Key is created. The key pair is generated by the TPM and is based on the Endorsement Key and a password specified by the owner.
Another key, which is called the Attestation Identity Key, works to protect the device from unauthorized modifications by software or firmware. It does this by hashing vital parts of the software and firmware before they can be executed.
When the system tries to connect to a network, a server then verifies those hashes to check that they match the expected values.
If any of the hashes have been modified since they were last verified, there will be no match and the system will not be able to gain entrance to the network.
Windows BitLocker uses TPM to protect the operating system and all the user data. It also helps to protect the user's computer from being tampered with, even if it is lost or stolen.
That said, BitLocker can be used without TPM but, from 2016, Microsoft will require computers to have TPM 2.0.
If you do use it without TPM, you must configure BitLocker to store your encryption keys on a USB flash drive, which must then be used whenever you want to unlock the data that is stored on a particular volume.
Trusted Platform Module, or TPM, provides a number of essential security services, including:
Securely recording boot process measurements.
Deriving and sealing keys based on a specific boot sequence.
Providing a root of trust to the Cloud.
Protecting every one of these processes from malware or a malicious user.
TPM 2.0 goes a little further than that and updates the capabilities provided in TPM 1.2:
Cryptographic strength is updated to meet modern standards in security.
It is more flexible on cryptographic algorithms in order to better support government needs.
Better management consistency across all implementations.
How Does BitLocker Drive Encryption Work?
In a nutshell, it protects your entire system by encrypting all of the data.
If a TPM is used to lock the encryption keys, those keys cannot be accessed until the state of the computer has been verified by the TPM.
If there are any signs of tampering, TPM will not authorize the release of the keys.
By encrypting the entire contents of the volume, you are protecting everything: your own personal data, the operating system itself, temporary files, Windows registry files, and the hibernation file.
Because the keys are locked by the TPM, even if your hard drive were stolen and inserted into another device, the thief would not be able to read your data.
When you start your device, the TPM compares a hash of system configuration values, along with a snapshot that was taken earlier, to verify the startup process.
If all is OK, the TPM will release the key, and the encrypted data can be unlocked. If your Windows installation shows signs of tampering, the key won't be released; it's as simple as that.
By default, BitLocker is set up to work with the TPM, and you can also combine this with a user-entered PIN or another startup key that is stored on a USB flash drive. This key is a requirement if you do not have a compatible TPM and you still want the keys locked.
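The key-release decision described above, as an added example that is not code from this book or from Microsoft: a small Python simulation of a TPM whose PCRs are extended with each boot component, with the volume master key sealed to those PCR values so that a changed bootloader, Secure Boot turned off, or the drive moved to another device all leave the key locked. The boot components, the device secret and the volume key are constructed sample values, and the key wrapping is a simplified stand-in for a real TPM's key hierarchy.

```python
"""Simulation of TPM measured boot and BitLocker-style key sealing.

Added example, not code from the book or from Microsoft. A real TPM uses
its own key hierarchy and policy language; here HMAC/SHA-256 from the
standard library stand in for those, and all inputs are constructed.
"""
import hashlib
import hmac

PCR_COUNT = 24
PCR_SIZE = 32  # SHA-256 PCR bank


class SimTpm:
    def __init__(self, device_secret: bytes):
        # Stands in for the Storage Root Key: unique per chip, never leaves it.
        self._srk = device_secret
        # Every PCR starts at zero on each power-on.
        self.pcrs = [bytes(PCR_SIZE) for _ in range(PCR_COUNT)]

    def extend(self, index: int, component: bytes) -> bytes:
        """PCR[i] = SHA256(PCR[i] || SHA256(component)): one-way, order-sensitive."""
        digest = hashlib.sha256(component).digest()
        self.pcrs[index] = hashlib.sha256(self.pcrs[index] + digest).digest()
        return self.pcrs[index]

    def policy_digest(self, indices) -> bytes:
        """Composite of the selected PCRs; a sealed blob is bound to this value."""
        h = hashlib.sha256()
        for i in sorted(indices):
            h.update(self.pcrs[i])
        return h.digest()

    def _kek(self, policy: bytes) -> bytes:
        # Key-encryption key derived from the chip secret and the PCR policy,
        # so it can only be recomputed on this chip in this boot state.
        return hmac.new(self._srk, b"seal" + policy, hashlib.sha256).digest()

    def seal(self, secret: bytes, indices) -> dict:
        assert len(secret) == PCR_SIZE
        policy = self.policy_digest(indices)
        kek = self._kek(policy)
        wrapped = bytes(a ^ b for a, b in zip(secret, kek))  # toy wrap, AES in reality
        tag = hmac.new(kek, wrapped, hashlib.sha256).digest()
        return {"pcrs": sorted(indices), "policy": policy, "wrapped": wrapped, "tag": tag}

    def unseal(self, blob: dict):
        """Release the secret only if the current PCRs match the sealing policy."""
        current = self.policy_digest(blob["pcrs"])
        if not hmac.compare_digest(current, blob["policy"]):
            return None  # boot chain changed: key stays locked
        kek = self._kek(current)
        expected = hmac.new(kek, blob["wrapped"], hashlib.sha256).digest()
        if not hmac.compare_digest(expected, blob["tag"]):
            return None  # right boot state but a different chip: key stays locked
        return bytes(a ^ b for a, b in zip(blob["wrapped"], kek))


# Constructed sample boot chain: (PCR index, component measured into it).
KNOWN_GOOD_BOOT = [
    (0, b"UEFI firmware v1.2"),
    (7, b"SecureBoot=ON db=oem-signing-cert"),
    (4, b"bootmgfw.efi build 10240"),
    (11, b"BitLocker: volume master key requested"),
]
BITLOCKER_PCRS = (0, 4, 7, 11)


def boot(tpm: SimTpm, chain) -> None:
    for index, component in chain:
        tpm.extend(index, component)


def provision(device_secret: bytes, vmk: bytes) -> dict:
    """First boot: measure the known-good chain and seal the key to it."""
    tpm = SimTpm(device_secret)
    boot(tpm, KNOWN_GOOD_BOOT)
    return tpm.seal(vmk, BITLOCKER_PCRS)


def try_unlock(device_secret: bytes, blob: dict, chain):
    """Later power-on: PCRs start from zero, the observed chain is measured, then unseal."""
    tpm = SimTpm(device_secret)
    boot(tpm, chain)
    return tpm.unseal(blob)


def demo() -> dict:
    """Provision once, then attempt to unlock under four boot conditions."""
    seed = b"\x11" * 32             # constructed device secret
    vmk = bytes(range(32))          # constructed volume master key
    blob = provision(seed, vmk)
    bootkit = list(KNOWN_GOOD_BOOT)
    bootkit[2] = (4, b"bootmgfw.efi (modified)")
    no_secure_boot = list(KNOWN_GOOD_BOOT)
    no_secure_boot[1] = (7, b"SecureBoot=OFF")
    return {
        "normal_boot_unlocks": try_unlock(seed, blob, KNOWN_GOOD_BOOT) == vmk,
        "modified_bootloader_unlocks": try_unlock(seed, blob, bootkit) is not None,
        "secure_boot_off_unlocks": try_unlock(seed, blob, no_secure_boot) is not None,
        "drive_in_other_device_unlocks": try_unlock(b"\x22" * 32, blob, KNOWN_GOOD_BOOT) is not None,
    }


if __name__ == "__main__":
    for case, unlocked in demo().items():
        print(f"{case}: {unlocked}")
```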
BitLocker goes a step further than that in Windows 10: it can also be used to encrypt individual files. While it is normally used for the entire drive, if you need to send specific files using email or a USB key, they have to be encrypted on a file-by-file level.
Users can opt to encrypt their files from the Save-As dialogue box or by using Windows File Explorer. In this case, all you need to do is right click on a file and choose from the encryption options. All encrypted files then show up in green, allowing you to see at a glance what has and has not been protected.
One of the more common uses of BitLocker is downloading sensitive documents from a website. In this case, web files are automatically encrypted, giving you the peace of mind that comes from knowing that the information is completely secure.
Device Guard
So, Microsoft is going to protect your identity and your data, but what about the device you are using? Windows 10 includes a number of ways to lock down your device, adding in extra protection and threat resistance. Users inadvertently download most malware onto a device, so Microsoft is introducing a new system of only allowing trusted apps to be installed and/or run on your device. Trusted apps are those that have been signed by the Microsoft signing service, although the device will have to be configured for this. That new feature is called Device Guard.
Device Guard is a new piece of firmware that runs at hardware level before and during the boot-up process. It is designed to only allow applications and scripts that have been properly signed to load up, and it is already proving to be a popular feature, with many OEMs ready to install it on new devices.
Device Guard is a combination of software and hardware features that need to be configured together. When this is done, the device will be locked down to only run trusted applications. It works by using the new virtualization-based security feature that Windows 10 includes, a system that isolates the Code Integrity service from the Windows kernel and allows the service to use enterprise-controlled, policy-defined signatures to determine what can and what can't be trusted.
The basic function of Device Guard is to test each process that is being loaded into memory to be executed. It will run this test both before and during the boot-up process, will check to see if the process is genuine based on signatures, and will stop anything that does not have the proper signature from loading.
The technology that Device Guard uses is embedded at hardware level, as opposed to software, which isn't always 100% accurate at detecting malware. It uses virtualization for the decision-making process, to tell the device what it should and shouldn't allow to load into memory.
This level of isolation should stop malware in its tracks, as it won't be allowed to load onto the device, even if the attacker already has control of the systems where Device Guard is installed.
According to Microsoft, this system is more secure than the traditional anti-virus methods we use today, and even more secure than app control technologies like Bit9 and AppLocker, as these can be tampered with, either through malware or through system administration.
Required Hardware and Software for Device Guard
In order to use Device Guard, you will need to install the following hardware and software and then configure it:
Device Guard will only work with Windows 10
UEFI Secure Boot: helps to protect the integrity of the device at hardware level
Trusted Boot: designed to help protect against attacks at the rootkit level
Virtualization-based Security: a Hyper-V protected container that separates Windows 10 processes
Package Inspector Tool: helps users to create a list of the files that must be signed for Classic Windows applications
Why use Device Guard?
Every single day, thousands of new malicious files are created, and using the traditional method of signature-based detection to fight the malware is not adequate anymore. With Device Guard, that malware cannot be downloaded because the apps that contain it are not trusted. Up to and including Windows 8.1, an app would be trusted automatically unless a firewall or anti-virus blocked it; with Windows 10, an app won't run unless it is trusted first.
Device Guard will also help to protect against Zero Day attacks and will also combat challenges put up by polymorphic viruses. In an enterprise setting, the Code Integrity policy must be set up to determine which apps are trusted. As well as that, specific software and hardware configurations are required:
UMCI (User Mode Code Integrity)
Kernel code integrity rules that include WHQL (Windows Hardware Quality Labs) signing constraints
Secure Boot that has db/dbx database restrictions
OPTIONAL: virtualization-based security to protect kernel mode apps, system memory and drivers from tampering
OPTIONAL: TPM 2.0
Before you can use Device Guard, you should enable the virtualization-based security feature on capable devices, make sure that the Code Integrity policy is configured, and then configure any other settings that are required by you for Windows 10. After that, Device Guard will work like this:
1. Your device boots up with UEFI Secure Boot: this will stop rootkits from running, allowing Windows 10 to start up first.
2. Once safely started up, Windows 10 will start the Hyper-V virtualization-based security features, including Kernel Mode Integrity. These will protect the Windows kernel, any privileged drivers and your system anti-malware solutions by stopping malware from running in the boot process or in the kernel once the device has started up.
3. Using UMCI, Device Guard checks your system to make sure that anything that is meant to run in User Mode is trusted, including Classic Windows apps, Universal Windows Platform apps, or a service. Only binaries that are trusted will be allowed to run.
4. As Windows 10 is starting up, TPM starts up as well, helping to protect sensitive information by providing a hardware component that is isolated from everything else. This protects your certificates and user credentials from attack or theft.
Enterprise Data Protection (EDP)
Microsoft also has a new DLP (data loss prevention) system.
While consumers can use it, it is aimed mainly at corporations, due to the large number of employee-owned devices that are now being used under the BYOD (Bring Your Own Device) banner.
Due to the large numbers of these devices, the risk of accidental data disclosure is now much higher than it ever was, basically because of the number of external apps and services that are also in use on the device outside of the control of the enterprise.
This includes email, social media and cloud services, and all the applications we use on our mobile devices on a daily basis.
Yes, there are solutions that attempt to address this by asking employees to switch between containers for personal and corporate use, but this isn't a very efficient way of working.
The new feature in Windows 10 is called EDP (Enterprise Data Protection), and it offers up a much better user experience while, at the same time, helping to keep personal and corporate activities separate.
EDP helps to protect corporate apps and data from the risk of disclosure without asking users to change the system they are working on.
Furthermore, in conjunction with RMS (Rights Management Services), EDP can also protect your corporate data on a local basis, even when your data is roaming or is being shared.
How Does EDP Work?
Enterprise Data Protection is designed to counteract and address everyday workplace challenges, such as:
Dealing with severe data protection leaks
Maintaining enterprise data privacy
Managing those apps that are not policy-aware, in particular on mobile devices
Handling a previous inability to lock down an employee device, which would potentially allow data to be leaked
Levels of Protection
EDP can be set to four different levels of protection:
Block: The feature looks for data sharing that is not appropriate and blocks the employee from completing the share.
Override: The feature will look for any data sharing that is not appropriate, telling the relevant employees that they are doing something wrong. However, this can be overridden at the employee level and the data can still be shared, but the action will be logged in the audit log.
Audit: EDP runs quietly in the background, logging all data sharing and flagging those that are inappropriate. However, it will not block anything, only monitor and record.
Off: EDP is not active and does not protect any of your data.
EDP Allows Better Workflow
Because employees will no longer have to switch between environments or apps to protect enterprise data, workflow is uninterrupted and productivity can potentially increase significantly.
An example of this would be if an employee is checking their corporate email account and they receive a personal email. Instead of having to exit out of their corporate account, both messages would appear on the screen together.
Changing the Protection Levels on Documents
Employees have the ability to change the protection levels set on documents under Enterprise Data Protection.
They can only do this if the document is a personal one and has been incorrectly marked as enterprise. To do this, it requires employees to take an action, and this will be logged for management to see.
Enterprise Data Security
Enterprise admins need to be able to maintain the confidentiality and the security of their data. With Enterprise Data Protection, you can make sure that corporate data is fully protected on devices owned by employees, even when the device is not being used.
When your employees create content on their devices, they are asked to define whether it is personal or corporate data; if it is corporate, it is immediately brought under the local data protection.
Wipe Enterprise Data Remotely
EDP also offers managers the option of remotely wiping all corporate data from a device that is managed by the corporation and used by the employee, without touching any of the personal data on that device. This is of huge benefit when a device is stolen or an employee leaves the company.
Corporate documents are stored locally on the device and are encrypted using an enterprise identity.
When you want to wipe the device, you will need to go through a verification process, after which a command can be sent through the mobile management system to remotely wipe the data. When the device is connected to a network, the data is removed and the encryption keys are irretrievably revoked.
This will only happen on devices that have been specifically targeted; all other devices will work normally.
Copying or Downloading Enterprise Data
When data is targeted for download from a corporate source like SharePoint or Office 365, it is determined to be enterprise data and will be encrypted before being stored locally.
The same will apply to any data that is copied from the enterprise to a USB flash drive. Because the data is already marked down as being enterprise data, the encryption will follow the data to the new storage device.
Privileged Apps and Restrictions
With Enterprise Data Protection, you will be able to control which apps can and cannot access enterprise data.
Those that can are added to a privileged app list and are subsequently allowed to access and use enterprise data. Anything that is not on this list is classified as personal and is blocked from accessing data, depending, of course, on the level of protection you have set.
Privileged apps will act differently from personal or non-privileged apps. When a user wants to copy and paste data, a privileged app will allow it; non-privileged ones won't.
Should a person try to copy enterprise data to a non-privileged app, they will see a notification advising that policy restrictions are in place and the action could not be completed.
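The four protection levels and the privileged app list, as an added Python example that is not code from this book or from Microsoft: it tags data by where it was downloaded from, keeps the tag on copies (so the encryption follows the data), and returns the EDP decision and audit entries for a set of constructed sharing attempts. The app names, source hosts and audit line format are assumptions.

```python
"""Simulation of EDP enforcement levels, data tagging and privileged apps.

Added example, not code from the book or from Microsoft. The policy
values below are constructed; a real EDP policy is pushed by the MDM.
"""
from dataclasses import dataclass, field
from enum import Enum


class Level(Enum):
    BLOCK = "block"
    OVERRIDE = "override"
    AUDIT = "audit"
    OFF = "off"


# Constructed sample policy: apps allowed to handle enterprise data, and
# the corporate sources whose downloads are tagged as enterprise data.
PRIVILEGED_APPS = {"outlook.exe", "onenote.exe", "onedrive.exe", "winword.exe"}
ENTERPRISE_SOURCES = {"sharepoint.contoso.com", "outlook.office365.com"}


@dataclass
class FileItem:
    name: str
    location: str          # host it came from, or "local", "usb", ...
    enterprise: bool = False   # the EDP tag; travels with the file


@dataclass
class Edp:
    level: Level
    privileged: set
    audit_log: list = field(default_factory=list)

    def classify_download(self, item: FileItem) -> FileItem:
        """Data pulled from a corporate source is tagged before it is stored locally."""
        if item.location in ENTERPRISE_SOURCES:
            item.enterprise = True
        return item

    def copy_to_device(self, item: FileItem, device: str) -> FileItem:
        """Encryption follows the data: the copy keeps the enterprise tag."""
        return FileItem(item.name, device, item.enterprise)

    def share(self, item: FileItem, app: str, user_override: bool = False) -> str:
        """Decide whether `app` may receive `item`: allow, block, override or audit."""
        if self.level is Level.OFF or not item.enterprise:
            return "allow"                      # nothing to protect
        if app in self.privileged:
            return "allow"                      # privileged apps may use enterprise data
        # Anything else counts as a personal app: this share is inappropriate.
        if self.level is Level.BLOCK:
            self._log(item, app, "blocked")
            return "block"
        if self.level is Level.OVERRIDE:
            if user_override:
                self._log(item, app, "shared after user override")
                return "override"
            self._log(item, app, "blocked, override offered")
            return "block"
        self._log(item, app, "shared, audit only")   # Level.AUDIT: record, never interfere
        return "audit"

    def _log(self, item: FileItem, app: str, outcome: str) -> None:
        self.audit_log.append(f"{outcome}: {item.name} -> {app}")


def demo() -> dict:
    """Walk one document through download, sharing and copying under each level."""
    edp = Edp(Level.OVERRIDE, PRIVILEGED_APPS)
    report = edp.classify_download(FileItem("q3-forecast.xlsx", "sharepoint.contoso.com"))
    personal = FileItem("recipe.docx", "local")
    usb_copy = edp.copy_to_device(report, "usb")
    return {
        "report_tagged": report.enterprise,
        "to_outlook": edp.share(report, "outlook.exe"),
        "to_personal_mail": edp.share(report, "personal-mail.exe"),
        "to_personal_mail_override": edp.share(report, "personal-mail.exe", user_override=True),
        "personal_doc": edp.share(personal, "personal-mail.exe"),
        "usb_copy_still_enterprise": usb_copy.enterprise,
        "block_level": Edp(Level.BLOCK, PRIVILEGED_APPS).share(report, "personal-mail.exe"),
        "audit_level": Edp(Level.AUDIT, PRIVILEGED_APPS).share(report, "personal-mail.exe"),
        "off_level": Edp(Level.OFF, PRIVILEGED_APPS).share(report, "personal-mail.exe"),
        "override_audit_entries": len(edp.audit_log),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```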
Persistent Data Encryption
Enterprise Data Protection allows you to keep your data safe even when the device is roaming. Apps such as OneNote and Office work in conjunction with EDP to persist data encryption across services and locations.
For example, an employee opens content in Outlook that is EDP encrypted, makes some changes to it and then attempts to save it under a new name, to try and get rid of the encryption.
That won't work, because Outlook will automatically apply EDP to the new version of the document, ensuring that the data is kept fully encrypted and secure.
Helps Prevent Accidental Data Sharing
EDP also helps to protect corporate data from being accidentally shared in public spaces like the cloud. Say, for example, an employee puts a document in a folder called DOCUMENTS.
This folder is synced automatically with OneDrive, which is on your privileged app list. It is then encrypted on a local level; it will not be synced to the employee's personal cloud.
Data sharing also covers other devices. Under the old system it was possible for data to be leaked to another device while it was being transferred between them. For example, an employee saves corporate data onto a USB flash drive that also has personal data on it.
The corporate data is encrypted while the personal data remains open. As well as that, the encryption follows the data, so even if it is copied to another device, it will stay encrypted.
The Benefits of EDP
The benefits of EDP include:
Protection against the leakage of enterprise data, with little to no impact on the work practices of the employees
Separation of personal and corporate data with no need for employees to switch apps or environments
Extra data protection for existing business apps without having to update them
The ability to wipe all corporate data off a device while leaving personal data untouched
Audit reports to help with tracking issues
Full integration with your current management system or mobile device management system to configure EDP for your corporation, as well as deploying and managing it
Extra protection while roaming or sharing data
Enterprise scenarios
EDP addresses the following enterprise scenarios:
Enterprise data can be encrypted on both employee and corporate-owned devices
Enterprise data can be wiped off remotely without touching personal data
Specific apps can be chosen, called Privileged apps, which can access enterprise data. These apps are clearly recognized by employees. Non-privileged apps can be blocked from having access to enterprise data
Employees don't need to switch between enterprise or personal apps, thus eliminating interruption to workflow, provided enterprise policies have been put in place.
Windows Defender
Windows 10 users will still need to use specific anti-malware software to protect from malware that comes from other sources.
This is because Device Guard only protects against malicious software that attempts to load during the boot process; at this stage, no anti-malware software is able to protect your device.
Instead of taking the chance that users will forget to download a program, Microsoft has included Windows Defender, also available in Windows 8. Defender is automatically enabled on your system and runs silently in the background.
This ensures that, whether you opt for a third-party solution or not, you will have, at the very least, a baseline antivirus protection. However, unlike Windows 7, Windows 10 will not kick up a fuss if you choose to install a third-party option as well.
Instead, it will simply disable Windows Defender, stopping it from protecting your device. Should you opt to uninstall the third-party malware software, Windows Defender will automatically be re-enabled, thus ensuring that your device is never left without some kind of malware protection.
Formerly called Microsoft Security Essentials, Defender runs quietly, scanning every file as and when you access them, before they are actually opened.
If it finds malware or anything else that could cause a threat to your machine and your data, it will clean it up and quarantine the offending file automatically.
You will get a notification that Defender has detected malware, telling you that it is taking the necessary action to clean it up. The antivirus definitions will also be automatically updated through Windows Update, and this process does not require a reboot of the device.
Configuration and Exclusions
The settings for Windows Defender are already integrated with Windows 10, in the brand new Settings app. This can be accessed via the Start menu, in the Update and Security category under Settings. By default, it will automatically be enabled for real-time, cloud-based, and sample submission protection. If you disable the real-time protection for any reason, Windows Defender will automatically re-enable it, to keep you safe.
Both Cloud and sample submission protection let Defender share any information that it finds about threats, along with the actual malware file, with Microsoft. This is done in a bid to keep the definitions completely up to date and to allow Microsoft to continue improving and updating their security systems.
From the same menu, you can also set up Exclusions; these can be specific files, file types, folders and processes.
If, for example, Defender is slowing down your device performance because it keeps on scanning apps or files that you know to be safe, you can set an exclusion and tell it not to scan them. These exclusions are to be used only when absolutely necessary, because having too many exclusions will render Defender useless and leaves your device open to all kinds of threats.
UEFI
Unified Extensible Firmware Interface, or UEFI Secure Boot, is a more up to date replacement for BIOS, traditionally used to start up a computer. Secure Boot is designed to shut out low-level malware and stop it from infecting and taking over the boot process on any device. In the past, vendors that wanted the "Designed for Windows" certification had to have UEFI Secure Boot on their hardware.
In order to allow users of other systems such as LINUX, Microsoft had to include a toggle that would allow a user to turn off Secure Boot, at the very least for x86 hardware. This allowed a user to open the door and install whatever they chose on their computers.
In Windows 10, Microsoft had originally said that they would not be supporting the on/off toggle and that all new hardware must ship with UEFI Secure Boot enabled. However, it now transpires that, while Secure Boot must be enabled on all new Windows 10 hardware, OEMs have the option of whether to allow the end user to disable it or not.
That is only for desktop machines; for Windows 10 mobile retail devices, the option to disable Secure Boot is not included. The idea is to restrict the possibility of malware being downloaded by users who install an alternative operating system to dual boot their machines.
At the time of this writing, Microsoft has not finalized their specs and, as such, the decision to put the onus on the OEM to include the toggle may be changed.
Advanced Threat Analytics
Security attacks today are more persistent, frequent, and sophisticated than ever before.
Regardless of which type of device you are using, it is safer to assume that you have been breached and that attackers may already be residing in your system than it is to go blindly about your work ignoring potential threats.
The following statistics tell a very sobering story:
200+ days: it isn't unusual for attackers to remain inside your system for this long without detection. They can do this because they take advantage of user accounts, privileged or otherwise, and hide inside the network. It takes sophisticated and advanced technology to find them and stop them, and to prevent others from attacking the system.
75%+: this is the percentage of network intrusions that result from a user's credentials being compromised.
$500 billion: this represents the estimated cost of cybercrime to the global economy.
$3.5 million: the average cost to a company for a data breach.
This is why Microsoft has come up with a brand new feature called Advanced Threat Analytics, or ATA. ATA is designed as an on-premises threat analytics tool that works to detect threats and abnormal behaviour (see below) before they can cause damage.
To illustrate how it works, say you have a credit card and your provider monitors your spending behaviour.
If there is any suspicious activity, or activity outside your normal pattern, the provider contacts you to verify that the activity was yours. They may also place a temporary stop on the card while they verify it. This is the concept that Microsoft wants to bring to enterprise users.
The benefits of ATA are:
Threats are detected using behavioural analysis of the user, monitoring how they use the system, and alerting when there is any change to that pattern that looks suspicious.
ATA is constantly evolving, forever learning from the user's behaviour, and adapting itself to reflect changes within a dynamic organization.
It uses a simple attack timeline to focus on what is important: a very clear and efficient system that monitors and draws attention to the right things at the right time. In addition, it provides you with the information you need, i.e. the who, when, and where aspects of the attack. ATA also provides recommendations for the next step.
ATA will also identify known risks and alert the right people; risks such as weak passwords, broken trust, weak and vulnerable protocols, etc.
ATA also reduces the risk of false positives.
How Does It Work?
After ATA is installed, a non-intrusive port-mirroring configuration will copy all Active Directory related traffic to ATA, but will remain invisible to any hovering attackers. ATA will then analyse the data and work with SIEM (Security Information and Event Management) to look at related traffic and relevant events. All the information is stored locally, on-premises by ATA, and never leaves the organization.
The ATA detection engine begins learning and profiling the behavior of all users and then uses machine learning technology to paint an overview of the everyday activity.
Once it is familiar with your normal use behaviour, it will begin to look for anomalies and strange behaviour.
If these arise, it will raise a red flag and alert security teams, as soon as the system has compared and aggregated the anomaly with near real-time detection of security breaches and advanced attacks to build the timeline.
This also reduces the chance of false positives and better identifies malicious attacks, as shown below.
Microsoft ATA is a non-intrusive system that works quietly in the background without detection.
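The learn-then-detect flow described above, as an added Python example that is not code from this book or from Microsoft ATA: it builds a per-account baseline of source hosts, hours and target servers from constructed Active Directory logon events, scores new events against that baseline, and aggregates the signals per account inside a time window before alerting with a who/when/where timeline, so that a single unusual event does not become a false positive. The event format, account and host names, window and threshold are all assumptions.

```python
"""Behavioural baseline and anomaly aggregation in the style of ATA.

Added example, not code from the book or from Microsoft ATA. Events are
constructed tuples (timestamp, account, source host, target service);
a real deployment would feed these from mirrored domain controller traffic.
"""
from collections import defaultdict
from datetime import datetime, timedelta

_T0 = datetime(2015, 9, 1)
# Constructed learning-period events: a user at a workstation during office
# hours, and a backup service account that runs every night at 02:00.
BASELINE_EVENTS = (
    [(_T0 + timedelta(days=d, hours=h), "jdoe", "WS-JDOE", "FILESRV01")
     for d in range(5) for h in range(8, 18)]
    + [(_T0 + timedelta(days=d, hours=9), "jdoe", "WS-JDOE", "MAIL01") for d in range(5)]
    + [(_T0 + timedelta(days=d, hours=2), "svc-backup", "BACKUP01", "FILESRV01")
       for d in range(5)]
)

_D = datetime(2015, 9, 8)
# Constructed detection-period events, including a late-night session from an
# unfamiliar host that reaches a domain controller the account never touched.
NEW_EVENTS = [
    (_D.replace(hour=9, minute=15), "jdoe", "WS-JDOE", "FILESRV01"),
    (_D.replace(hour=10, minute=2), "jdoe", "WS-JDOE", "MAIL01"),
    (_D.replace(hour=2, minute=0), "svc-backup", "BACKUP01", "FILESRV01"),
    (_D.replace(hour=2, minute=30), "svc-backup", "BACKUP01", "MAIL01"),
    (_D.replace(hour=23, minute=40), "jdoe", "WS-LAB07", "FILESRV01"),
    (_D.replace(hour=23, minute=52), "jdoe", "WS-LAB07", "DC01"),
]


def learn_profiles(events):
    """Per-account sets of hosts, hours of day and targets seen during learning."""
    profiles = defaultdict(lambda: {"hosts": set(), "hours": set(), "targets": set()})
    for ts, user, host, target in events:
        profiles[user]["hosts"].add(host)
        profiles[user]["hours"].add(ts.hour)
        profiles[user]["targets"].add(target)
    return profiles


def score_event(profiles, event):
    """Return the list of ways this event departs from the account's profile."""
    ts, user, host, target = event
    profile = profiles.get(user)
    if profile is None:
        return ["unknown account"]
    reasons = []
    if host not in profile["hosts"]:
        reasons.append(f"new source host {host}")
    if ts.hour not in profile["hours"]:
        reasons.append(f"unusual hour {ts.hour:02d}:00")
    if target not in profile["targets"]:
        reasons.append(f"first access to {target}")
    return reasons


def detect(profiles, events, window=timedelta(minutes=30), min_signals=3):
    """Aggregate anomaly signals per account inside a sliding window and emit an
    alert with a timeline only once the count reaches min_signals."""
    pending = defaultdict(list)   # account -> [(ts, host, target, reasons)]
    alerts = []
    for event in sorted(events):
        ts, user, host, target = event
        reasons = score_event(profiles, event)
        if not reasons:
            continue
        recent = [e for e in pending[user] if ts - e[0] <= window]
        recent.append((ts, host, target, reasons))
        pending[user] = recent
        if sum(len(e[3]) for e in recent) >= min_signals:
            alerts.append({
                "who": user,
                "when": (recent[0][0], ts),
                "where": sorted({e[1] for e in recent}),
                "timeline": [f"{e[0]:%H:%M} {e[1]} -> {e[2]}: {'; '.join(e[3])}"
                             for e in recent],
            })
            pending[user] = []    # start a fresh window after alerting
    return alerts


def demo() -> list:
    return detect(learn_profiles(BASELINE_EVENTS), NEW_EVENTS)


if __name__ == "__main__":
    for alert in demo():
        print(alert["who"], alert["where"], *alert["timeline"], sep="\n  ")
```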
Virtual Secure Mode
Windows 10 is made up of a number of different containers, one of which houses the actual operating system. However, the security token for Active Directory that allows you to access your company network, and the LSA authentication service that issues it, are housed in a separate container that runs on top of the Hyper-V virtualization container.
These security tokens are the target for a good percentage of Pass the Hash security attacks. Once they have that token, they have your identity, which is as good as giving them your login details. They have access to admin privileges and are able to run a tool which can access and take the token. Once they have it, they can get around the networks and access servers without the need for a password.
Microsoft has made things more difficult for them by taking those tokens out of the software repository where they were previously stored, and where they were susceptible to malware, and has locked them in a container. Once inside that container, not even Windows has access to them, even if the container is compromised in any way.
The container will not release any tokens or hashes; instead, when they are passed to Windows, it is done in a new format that cannot be replayed on the device. In addition, NTLM hashes are separated from the logon process, and are randomized and managed in such a way as to protect them against a brute force attack. That container is called VSM (Virtual Secure Mode).
The VSM is, in effect, a mini version of the operating system, a Windows Core OS. It requires just 1 GB of memory and has sufficient capability to be able to run the LSA service that is needed for authentication purposes. It will have little to no effect on the performance of the device, but you do need Windows 10, the next version of Windows Server on your Active Directory domain controller, and a CPU that has support for hardware virtualization. In brief:
Virtual Secure Mode isolates the sensitive processes into a Hyper-V container
VSM runs the Windows kernel and Trustlets inside of that container
VSM protects the kernel and Trustlets even when the Windows Kernel is compromised, thus keeping those tokens safe
Microsoft Virtualization Strategy and Security
For the last ten years or so, one of the biggest topics in the IT industry has been virtualization, mainly because of the sheer number of benefits that come with it for IT staff.
It brings the ability to make more out of hardware utilization capabilities, while at the same time offering sufficient scalability to get away from performance issues. There is also the capability to migrate virtual machines and cut down on downtime, and finally, the convenience that comes with being able to deploy new virtual machines quickly, manually or automated, thus reducing the workload of the IT department.
Microsoft has a goal in mind: what Hyper-V has done for server deployment and management, they want to do with the datacenter. To do that, they wanted to bring the whole structure down to the software level, which gives users the ability to automate many more datacenter aspects, and gain much more efficiency.
Over the last few versions of Windows Server, Microsoft has come a long way in improving Hyper-V and bringing it up, together with the supporting technologies, to a software-defined datacenter, packed with useful features. Those features cover every single aspect of the datacenter: networking, storage, and compute.
The last two versions of Windows Server introduced Storage Spaces, IP Address Management and multi-tenant site-to-site VPNs. Server 2016 is building on those and bringing additional features like Storage Replica.
Security Improvements
Windows Server 2016 also addresses a number of security issues in Hyper-V, with features designed to bring more protection to Virtual Machines and halt malware, administrator attacks, and other attack vectors in their tracks.
Microsoft is completely aware of one of the biggest reasons why the Cloud has not been adopted in the way they had hoped, and that is corporate trust. Microsoft is now determined to prove to everyone, both corporate and consumer, that cloud solutions can offer datacenter security that is at least comparable to, if not better than, what it ever used to be.
Windows Server 2016 also offers support for a virtual TPM to be enabled in the virtual machine, and then configured.
The main benefit of this is the ability to enable BitLocker encryption for all guest virtual machines, which will have the benefit of stopping unauthorized access to any files or to the system that is contained in the virtual drives.
Shielded Virtual Machines in Server 2016 is yet another security feature that allows a guest virtual machine to be protected from the host server administrator.
In this scenario, while an administrator can stop or start the shielded VM, they cannot alter its configuration, see what is on the virtual disks, or view processes that the guest OS is running.
This is the ideal solution for large environments that don't want the management side to see what is on a customer virtual machine, or for those industries that operate a need-to-know policy or strictly enforced separation of duties.
Enterprise Mobility: Identity in the Enterprise
Right now, managing identities within the Enterprise setting is cumbersome. Windows 10 is going to change all of that and allow empowerment of enterprise mobility. The way things are set up now is as follows: all the users in the enterprise want to access everything, from anywhere, and from any device. Management wants to control everything, as well as ensuring that data is secure and protected. This becomes difficult when end-users have the same login details for every site that they visit, and use the same password. While this might be easy to start with, it all falls apart when one site requests a password change and then another one does, and another, and so on. The end user has to remember all of these different passwords.
So, in steps the HR department, with their company credit card to hand, and buys the latest software to manage everything. Then they have a problem: security. Thus they come to the IT department, confess what they've done, and then hand the problem over for them to solve.
That's where Windows 10 changes everything. Identity is the foundation to building the enterprise mobility strategy. Most businesses already have on-premises identity strategies, use Active Directory and other directories, and have their firewalls already set up. They also have access to cloud apps on a separate infrastructure. Windows 10 brings something a little bit different and a whole lot better.
It's called Azure Active Directory, and it brings together on-premises and cloud access in one easy place. All you need is one simple connection to join the two together, and Windows 10 provides all the tools you need to make that connection. What Azure Active Directory brings to enterprise users is one single sign-on that gives you access to everything that you need. Before we go any further, let's just spend a minute talking about Azure Active Directory. What is it, exactly?
AAD is an identity and access management solution that combines:
- Directory services
- Advanced identity governance
- App access management
- Standards-based platform for developers
Azure AD allows your users to access thousands of apps through one single sign-on. Better than that though, it also allows you to pick and choose which apps they have access to through a number of different options. AAD is:
- Easy to use. It provides enterprises with a simple way of managing identity and access to organizational apps and services, both on-premises and in the cloud. There are more than 2000 apps already pre-integrated and it is easy to integrate your own apps with the single sign-on support.
- Designed to empower users by allowing them to sign on with either a work or a personal account for access to on-premises web and cloud applications. With self-service capabilities, they are also able to perform many of their own administrative tasks without having to contact the help desk.
- Designed with enhanced security in mind. Your enterprise can protect on-premises and cloud data by ensuring that proper access is given. You can also monitor the system for any anomalous activity and detect and deal with potential threats.
- Set up to allow hybrid identities. This allows you to integrate on-premises directories and enable workers to access corporate resources both securely and consistently, with just one single organization account. AAD can be used to enhance on-premises infrastructure, allowing self-service, security tools and built-in app connectivity.
- Set up to provide a comprehensive reporting and analytics system that enhances your security, allows you to monitor usage and view the performance of your environment.
Cloud App Discovery
Cloud App Discovery allows you to monitor apps in the cloud. Right now, in the average enterprise, there are about ten times more cloud apps in use than the IT department realizes. Cloud App Discovery allows you to see exactly which apps are being used, who is using them, and how often they are used. You can export the details from your reports directly to a reporting tool and include them as part of your regular reports as well as using it for data analysis.
Managing Your Directory on the Cloud
Another useful feature included in AAD is the Microsoft Identity Manager. This allows you to manage your on-premises identities and connect and share on-premises directories to Azure. There are already more than 2,400 SaaS apps in the gallery and more can be integrated and added as needed, including those that are published using AAD Application Proxy. Because AAD stands in the middle, all of these apps and directories can be accessed on-premises and from mobile devices.
AAD App Proxy includes a connector that automatically connects it to the cloud, allowing for seamless syncing. AAD also includes a comprehensive identity and access management console, providing centralized access administration for all apps, both pre-integrated and other cloud-based apps. This makes life much easier for the end user because the admin can:
- Put users in groups and allow groups to access different sets of apps.
- Set up enterprise accounts for certain apps: one account, multiple users, and only the admin will know the login details. This prevents accidental sharing.
- Provision or de-provision users. If a user leaves a particular group or leaves the organization completely, he or she will automatically be de-provisioned, cancelling access to all of these apps.
There are also other built-in security features to protect enterprise apps, namely:
- Security reporting that monitors and detects inconsistent access patterns and raises alerts.
- The opportunity for an admin to step up an app to multi-factor authentication if they doubt that a user is who they say they are. For example, they can add another step to the authentication process which will block access until that step has been successfully completed. The step could be a phone call or a text message.
- Access policies that depend on the state of a user's device, their location, and group membership.
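To make the last three bullets concrete, here is an added example (not code from the book, and not Azure AD's own policy engine) that evaluates a sign-in against a per-app access policy built from exactly those signals: group membership, device state and location. Outright denials (wrong group, blocked location, unmanaged device) are decided first; only sign-ins that pass those gates and still carry a risk signal are stepped up to a second factor, which blocks access until it completes. The `payroll` app, the group names and the country codes are constructed for the example.

```python
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    REQUIRE_MFA = "require_mfa"   # step-up: access is blocked until the extra factor completes
    BLOCK = "block"


@dataclass(frozen=True)
class SignIn:
    """One sign-in attempt as the access policy sees it (constructed fields)."""
    user: str
    groups: frozenset          # group memberships from the directory
    device_managed: bool       # enrolled in MDM
    device_compliant: bool     # passes the device health checks
    country: str               # derived from the client IP
    mfa_completed: bool = False


@dataclass(frozen=True)
class AppPolicy:
    """Access policy for one app, built from the three signals in the text."""
    app: str
    allowed_groups: frozenset
    trusted_countries: frozenset
    blocked_countries: frozenset = frozenset()
    require_managed_device: bool = True


def evaluate(policy: AppPolicy, attempt: SignIn) -> tuple:
    """Return (Decision, reason). Block conditions are checked before step-up
    conditions so that a user who should never get in is never offered an MFA prompt."""
    if not (attempt.groups & policy.allowed_groups):
        return Decision.BLOCK, "user is not in a group entitled to this app"
    if attempt.country in policy.blocked_countries:
        return Decision.BLOCK, f"sign-in from blocked location {attempt.country}"
    if policy.require_managed_device and not attempt.device_managed:
        return Decision.BLOCK, "device is not enrolled in MDM"

    # Risk signals that justify a step-up rather than an outright block.
    risk = []
    if not attempt.device_compliant:
        risk.append("device not compliant")
    if attempt.country not in policy.trusted_countries:
        risk.append(f"unfamiliar location {attempt.country}")
    if risk and not attempt.mfa_completed:
        return Decision.REQUIRE_MFA, "; ".join(risk)
    return Decision.ALLOW, "all policy conditions satisfied"


# Constructed policy for a hypothetical payroll app.
PAYROLL = AppPolicy(
    app="payroll",
    allowed_groups=frozenset({"finance", "hr"}),
    trusted_countries=frozenset({"GB", "US"}),
    blocked_countries=frozenset({"ZZ"}),   # placeholder country code
)


def demo() -> dict:
    """Run a few constructed sign-ins through the payroll policy."""
    cases = {
        "in_office": SignIn("alice", frozenset({"finance"}), True, True, "GB"),
        "travelling": SignIn("alice", frozenset({"finance"}), True, True, "JP"),
        "travelling_with_mfa": SignIn("alice", frozenset({"finance"}), True, True, "JP", mfa_completed=True),
        "byod_unmanaged": SignIn("alice", frozenset({"finance"}), False, True, "GB"),
        "wrong_group": SignIn("bob", frozenset({"sales"}), True, True, "GB"),
    }
    return {name: evaluate(PAYROLL, attempt)[0] for name, attempt in cases.items()}


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:20s} -> {decision.value}")
```

The ordering matters: a policy that evaluated the step-up rules first would prompt an unentitled user for a second factor and leak the fact that the account exists.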
How Microsoft Windows 10 Will Protect Your Data
As well as protecting your identity, an area in which Microsoft is making great strides, they are also working hard on coming up with new solutions to protect your data and information.
Next to identity, theft of data is the next most serious consideration for consumers and organizations alike. Current security systems only protect about half of your IT system and even then, that isn't fully protected.
Every time you switch on your computer or Windows mobile device, or every time you access the Internet or open an email, you run the risk of a hacker swooping in and taking control. Microsoft intends to stop that in its tracks with two upgraded systems.
Azure Rights Management and Information Rights Management
When data leaves your device, Microsoft has something called Azure Rights Management and Information Rights Management, both of which help to protect against the loss of data from documents.
As of now, a user typically has to opt in to activate the protection that these two services offer, and that can leave an enterprise with a bit of a problem: a gap through which data can be leaked, whether deliberately or inadvertently.
Azure Administrative Tasks
The end user can perform many of their own administrative tasks by visiting http://myapps.microsoft.com, or through the relevant app on Android or iOS. Through that, they can see how many apps they have access to, from any device. They can also see all of their managed devices and can reset their own passwords without the need for the IT department to get involved. Lastly, they can also request access to apps and/or groups through the self-service options. Azure Active Directory is embedded in Windows 10 and is available through three subscription options, depending on your needs: free, basic and premium. Over the next year, Microsoft is investing more time and money in improving the following areas of AAD:
- Admin Units: the ability to split admin duties into groups
- Business-To-Business: a new feature that will be available that allows you to share your resources with business partners through AAD
- B2C: identities for business to consumers
- Conditional Access: the ability to block outside access
- Privileged Identity Management: options to make admin access temporary or permanent
- AAD Join: AAD controls everything and is fully embedded with Windows 10
Data Protection in Azure
Global cyber-attacks are on the rise and so are the costs associated with them. It is estimated that cybercrime extracts around 15-20% of the value that is created by the Internet.
In the last 2 years in the UK alone, more than 80% of large businesses and 60% of small ones reported a cyber-breach and, globally, the number of security compromises reported rose by about 34% in 2014. The estimated cost of cyber-attacks, in terms of lost growth and productivity, is thought to be around $3 trillion.
In order to protect their customers' data, Microsoft has introduced a number of security measures in Azure Active Directory. By default, AAD provides strong protection and there are also options that customers can choose to enable as well. First, let's look at data in transit.
By this, I mean data that is sent and received between a user and the service, between data centers and between users. Data that comes through the Microsoft Azure Portal or through the storage API is automatically encrypted using HTTPS, along with strong ciphers. By default, FIPS 140-2 support is enabled to comply with government security standards.
All data that is imported or exported is encrypted with BitLocker, which is built in to Windows 10, and all customer data that goes between the data center and storage facilities is also encrypted.
For customers that access data in a storage facility or container, there are two options of access, HTTP and HTTPS; Microsoft recommends using HTTPS as this is secure and encrypted.
If a customer chooses to access or send data using a web client, TLS should be implemented. TLS is Transport Layer Security and it is a protocol that makes sure that third parties cannot intercept or eavesdrop on data that is being sent between applications and their Internet users.
When we talk about data at rest, we are talking about data that is stored in one of a number of different containers. The containers that Microsoft provide data protection options for are listed below.
Virtual Machines: Windows/Linux
Azure disk encryption is provided using BitLocker for Windows or DM-Crypt for Linux. Virtual hard drives (VHD) are encrypted for both Windows and Linux VMs. The customer is given the option of enabling disk encryption on both the boot and the data volumes; the encryption keys are stored in the key vault. This also applies to Azure Gallery and to running a VM in Azure.
How it Works
- The customer uploads their encrypted VHD to their Azure storage account
- They provision their BitLocker encryption keys or Linux passphrase in their key vault and give access to the platform to provision the VM
- At this point, they opt in to disk encryption
- Azure service management updates the service model with the key vault and encryption configuration
- The platform provisions the encrypted VM
Key Vault Security
Everything revolves around the key vault because this is where the keys are stored: the encryption keys that are protecting your data. These keys are kept in an isolated vault so that, should your storage container become compromised, only an image of your data can be stolen; this is useless to any thief because the keys that unlock the data are elsewhere.
It is important to note that:
- Only the customer can control access to the keys that are in their private vault
- The customer can enable monitoring and logging, collecting the logs in their storage account; this enables them to see who has accessed or who has attempted to access their vault
- Encrypted disks are stored in the customer's storage account and Azure storage will automatically replicate them; the customer has control over how many copies are made
- Azure has no default access to the key vault; the customer must grant Read or Write permission
- Azure cannot access the disk encryption feature in the vault
Azure Storage: Blobs, Tables, Queues
Client-side encryption allows users to encrypt their data before it is uploaded to Azure as well as decrypting it again after downloading. Again, the keys are kept safe in the key vault and the storage service will never see the keys, nor is it capable of decrypting any data. For cloud-integrated storage, all data is encrypted on premises and is backed up in Azure.
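The disk-encryption flow, the key vault bullets and the client-side encryption paragraph all rest on one design: the storage side holds ciphertext plus a data key that is itself wrapped by a key that only the vault holds, and the vault logs and authorizes every wrap/unwrap call. The following added example (written for this page, not Azure Key Vault's or Azure Storage's own code) models that arrangement. AES-256 is what the real services use; to stay on the Python standard library, the block uses an HMAC-SHA256 counter-mode keystream with an HMAC tag as a stand-in cipher, clearly labelled as such. The principal names, key names and blob contents are constructed.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field


# --- Toy authenticated cipher. Production systems use AES-256; an HMAC-SHA256
# counter-mode keystream plus an HMAC tag stands in so this runs on the standard
# library alone. The key-separation lesson does not depend on the cipher.
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    body = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("integrity check failed: wrong key or tampered ciphertext")
    return bytes(c ^ k for c, k in zip(body, _keystream(key, nonce, len(body))))


@dataclass
class KeyVault:
    """Holds key-encryption keys (KEKs). They never leave this object; callers only
    ask it to wrap or unwrap data-encryption keys, and every call is audited."""
    _keks: dict = field(default_factory=dict)     # key name -> KEK bytes
    access: dict = field(default_factory=dict)    # key name -> set of principals
    audit: list = field(default_factory=list)     # (principal, op, key name, outcome)

    def create_key(self, name: str, owner: str) -> None:
        self._keks[name] = os.urandom(32)
        self.access[name] = {owner}               # only the owner; nobody else by default

    def grant(self, name: str, principal: str) -> None:
        self.access[name].add(principal)          # e.g. let the platform unwrap at VM start

    def _authorize(self, principal: str, op: str, name: str) -> None:
        allowed = principal in self.access.get(name, set())
        self.audit.append((principal, op, name, "allowed" if allowed else "denied"))
        if not allowed:
            raise PermissionError(f"{principal} is not allowed to {op} with {name}")

    def wrap(self, principal: str, name: str, dek: bytes) -> bytes:
        self._authorize(principal, "wrap", name)
        return encrypt(self._keks[name], dek)

    def unwrap(self, principal: str, name: str, wrapped: bytes) -> bytes:
        self._authorize(principal, "unwrap", name)
        return decrypt(self._keks[name], wrapped)


@dataclass
class StorageAccount:
    """The storage side holds only ciphertext plus the *wrapped* data key."""
    blobs: dict = field(default_factory=dict)     # blob name -> (wrapped_dek, ciphertext)


def upload(vault: KeyVault, store: StorageAccount, principal: str, kek: str, name: str, data: bytes) -> None:
    dek = os.urandom(32)                          # fresh data key per object (client-side encryption)
    store.blobs[name] = (vault.wrap(principal, kek, dek), encrypt(dek, data))


def download(vault: KeyVault, store: StorageAccount, principal: str, kek: str, name: str) -> bytes:
    wrapped, ciphertext = store.blobs[name]
    return decrypt(vault.unwrap(principal, kek, wrapped), ciphertext)


def stolen_container_outcome(store: StorageAccount, vault: KeyVault, kek: str, name: str) -> str:
    """Model someone who copied the whole storage account but has no vault access."""
    wrapped, _ = store.blobs[name]
    try:
        vault.unwrap("thief", kek, wrapped)
        return "decrypted"
    except PermissionError:
        return "denied by vault"


def wrong_key_fails(ciphertext: bytes) -> bool:
    """Guessing a key does not silently yield garbage; the tag check fails closed."""
    try:
        decrypt(os.urandom(32), ciphertext)
        return False
    except ValueError:
        return True
```

Two properties worth noticing when you run it: the storage account never sees a plaintext key, and the vault's audit list records the denied attempt by the thief alongside the legitimate calls, which is exactly the "who has attempted access" visibility the bullets describe.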
SQL Server and SQL Database
Using TDE (Transparent Data Encryption) technology, the entire contents of a database in storage can be encrypted using a database encryption key, which is an AES-256 symmetric key.
This key is protected with a service-managed certificate, which is protected by SQL Database Server. The certificate is set on a 90-day cycle, after which a new one must be produced, thus lowering the chances of compromise through standing access.
HDInsight uses Azure storage and SQL Azure DB encryption to protect your data, while Azure Backup Service uses Azure Disk Encryption to ensure your data cannot be lost, stolen or compromised in any other way.
Access Control and Auditing
So, Microsoft Azure AD has encrypted and protected all your data and your keys are stored away safely in a vault that only you have access to. That's not all there is to it though. Many of the fundamental security risks still exist on premises.
Mitigate the Risk of Compromised Accounts
Weak authentication is the key problem in security. Weak passwords, passwords that are written down or shared, or passwords that are stolen are the biggest way in for any attacker. Microsoft is looking to eradicate passwords and bring multi-factor authentication in across the board.
All user accounts can be secured using Azure MFA, usable with both Azure Active Directory and Windows Server Active Directory Federation Services, and this is backed up by a second factor for identification, usually a text or a phone call.
Users can also use existing PKI smart cards or virtual smart cards to protect their accounts using ADFS with the on-premises infrastructure.
Limiting Permissions
This is one of the most difficult concepts to get over, but permissions should follow a Least Privilege principle, i.e. access is only granted when it is necessary for a specific role. Azure RBAC (Role-Based Access Control) now contains 20 different roles that can be assigned to users, under the headings of owners, contributors and readers, as well as custom roles.
Owners have full access to the data; contributors can add to it but cannot do anything else, while readers can only do just that: read the content, but they cannot make any changes. Users within the enterprise, or within groups, can be given access to data under one of those roles, allowing IT to control who does what.
Privileged Accounts
Superuser accounts deserve special management because they produce a special risk. JIT (Just-In-Time) access can be enabled, removing the risk of an attack through standing permissions or standing access.
JIT gives a user admin access when they need it, for a limited period of time and only to the feature they need access to. Managers can also set something called Azure AD PIM (Privileged Identity Management).
This is where they can monitor the system, see who has access and who wants it, and set the policies that transition permanent access to temporary.
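The Limiting Permissions and Privileged Accounts passages describe one mechanism from two sides: a small set of roles, a least-privilege standing assignment, and time-boxed elevation instead of permanent admin rights. This added example (not the book's code, and not Azure RBAC or PIM themselves) implements that model: `ROLE_ACTIONS` is a constructed three-role table in the owner/contributor/reader spirit of the text, `activate` records a JIT grant that expires on its own, and every decision lands in an audit list so a reviewer can later see who held what and why. Principal names, scopes and ticket numbers are constructed.

```python
from dataclasses import dataclass, field

# Built-in roles and the actions each permits (constructed; the real Azure role
# definitions are far more granular than this three-row table).
ROLE_ACTIONS = {
    "reader": {"read"},
    "contributor": {"read", "write"},
    "owner": {"read", "write", "delete", "manage_access"},
}


@dataclass
class JitGrant:
    principal: str
    scope: str            # the one resource the elevation applies to
    role: str
    activated_at: int     # epoch seconds
    expires_at: int
    reason: str


@dataclass
class AccessControl:
    standing: dict = field(default_factory=dict)   # (principal, scope) -> role
    grants: list = field(default_factory=list)      # JIT grants, active and expired
    audit: list = field(default_factory=list)       # (time, principal, event, detail)

    def assign(self, principal: str, scope: str, role: str) -> None:
        """Standing assignment: should be the least role that covers daily work."""
        if role not in ROLE_ACTIONS:
            raise ValueError(f"unknown role {role}")
        self.standing[(principal, scope)] = role
        self.audit.append((0, principal, "assign", f"{role}@{scope}"))

    def activate(self, principal: str, scope: str, role: str, now: int, ttl_seconds: int, reason: str) -> JitGrant:
        """JIT elevation: time-boxed, limited to one scope, and justified."""
        if role not in ROLE_ACTIONS:
            raise ValueError(f"unknown role {role}")
        if not reason:
            raise ValueError("a justification is required for elevation")
        grant = JitGrant(principal, scope, role, now, now + ttl_seconds, reason)
        self.grants.append(grant)
        self.audit.append((now, principal, "activate", f"{role}@{scope} until {grant.expires_at}: {reason}"))
        return grant

    def active_roles(self, principal: str, scope: str, now: int) -> set:
        roles = set()
        standing = self.standing.get((principal, scope))
        if standing:
            roles.add(standing)
        for g in self.grants:   # expired grants simply stop matching; no revocation step to forget
            if g.principal == principal and g.scope == scope and g.activated_at <= now < g.expires_at:
                roles.add(g.role)
        return roles

    def permitted(self, principal: str, scope: str, action: str, now: int) -> bool:
        allowed = any(action in ROLE_ACTIONS[r] for r in self.active_roles(principal, scope, now))
        self.audit.append((now, principal, "allow" if allowed else "deny", f"{action}@{scope}"))
        return allowed

    def standing_privileged(self) -> list:
        """Review helper: who holds a permanent assignment above reader?"""
        return sorted(p for (p, _), r in self.standing.items() if r != "reader")


if __name__ == "__main__":
    ac = AccessControl()
    ac.assign("alice", "rg-prod", "reader")
    ac.activate("alice", "rg-prod", "contributor", now=1000, ttl_seconds=3600, reason="change ticket 1234")
    print("write at t=2000:", ac.permitted("alice", "rg-prod", "write", 2000))
    print("write at t=4600:", ac.permitted("alice", "rg-prod", "write", 4600))
    for entry in ac.audit:
        print(entry)
```

The `standing_privileged` helper is the kind of check PIM-style tooling runs for you: an empty list means nobody can be attacked through a permanently held admin role, which is the "standing access" risk the text warns about.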
Using auditing and logging, management can also detect suspicious activity, including irregular logins, down to user level, through the use of advanced detection tools that are constantly monitoring every user account. In this way, threats can be detected and action taken before they become a problem.
What is the Operations Management Suite?
OMS, or Operations Management Suite, is another new feature in Windows 10 and it is a simplified IT management solution.
It's a hybrid management service that supports Azure AD, AWS, VMware, OpenStack, Linux and Windows Server, and it connects to on-premises data center and cloud environments, giving IT managers one single portal that allows them to collect, analyze and search through thousands of pieces of data and records that are spread across the workloads and the servers.
These days, there is so much information, so much data, and so many apps spread across the infrastructure, across the cloud and cloud services, that it is getting difficult to know how to handle it all.
IT managers still have the task of managing and securing all that data, no matter where it is kept, and OMS makes that easier to handle.
The benefits gained from OMS are:
- Log Analytics: Collect and search across many machine sources of data to identify where the problems lie in operational issues.
- Availability: Regardless of where servers and apps are, OMS includes integrated recovery for them all, which is enabled by default.
- Automation: Orchestration of complex and repetitive operations to provide a more efficient and cost-effective hybrid cloud management system.
- Security: The ability to monitor and identify the status of malware, find missing system updates and implement them, and to collect security-related events for analysis and audit purposes.
- Extended System Center: OMS combines with the existing System Center to extend its capability to deliver the full hybrid cloud management system across any cloud or any data center.
- Hybrid and Open: Very few organizations are now housed in a single data center and OMS steps in to manage your hybrid cloud, irrespective of the topology or the technology being used, integrating seamlessly with the existing on-premises infrastructure.
All of this makes protecting your data and preventing breaches and compromises easier than ever before.
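Both the auditing paragraph in the previous section ("irregular logins, down to user level") and the Log Analytics and Security bullets above come down to running detection logic over collected sign-in events. This added example (written for this page; it is not OMS, Log Analytics or any Azure AD report) parses a handful of constructed sign-in lines in a simple key=value layout and applies three rules a practitioner would expect: a burst of failures for one account inside a sliding window, a success that follows such a burst, and a success from a country the user has never signed in from. The log format, the IP addresses and the per-user baseline are all constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sign-in records (not a real Azure AD or OMS log format).
SAMPLE_LOG = """\
2015-09-15T08:00:01Z user=alice result=SUCCESS ip=198.51.100.7 country=GB
2015-09-15T09:00:01Z user=alice result=SUCCESS ip=198.51.100.7 country=GB
2015-09-15T09:30:00Z user=bob result=FAILURE ip=203.0.113.5 country=US
2015-09-15T09:30:20Z user=bob result=FAILURE ip=203.0.113.5 country=US
2015-09-15T09:30:40Z user=bob result=FAILURE ip=203.0.113.5 country=US
2015-09-15T09:31:00Z user=bob result=FAILURE ip=203.0.113.5 country=US
2015-09-15T09:31:20Z user=bob result=FAILURE ip=203.0.113.5 country=US
2015-09-15T09:32:00Z user=bob result=SUCCESS ip=203.0.113.5 country=US
2015-09-15T10:15:00Z user=alice result=SUCCESS ip=192.0.2.44 country=JP
"""

# Countries each user normally signs in from (constructed baseline, as a real
# system would learn it from weeks of history).
BASELINE = {"alice": {"GB"}, "bob": {"US"}}

LINE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) result=(?P<result>\S+) "
                  r"ip=(?P<ip>\S+) country=(?P<country>\S+)$")


def parse(line: str):
    """Return a dict for a well-formed line, None for anything else."""
    m = LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def analyze(log_text: str, baseline: dict, fail_threshold: int = 5,
            window: timedelta = timedelta(minutes=10)) -> list:
    """Return alerts as (user, rule, detail, timestamp) in time order."""
    events = [e for e in (parse(l) for l in log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])           # logs from many sources arrive unordered
    recent_failures = defaultdict(deque)          # user -> timestamps inside the window
    last_burst = {}                               # user -> time the burst rule last fired
    alerts = []
    for e in events:
        user, ts = e["user"], e["ts"]
        q = recent_failures[user]
        while q and ts - q[0] > window:           # slide the window forward
            q.popleft()
        if e["result"] == "FAILURE":
            q.append(ts)
            if len(q) == fail_threshold:          # fire once per burst, on the Nth failure
                last_burst[user] = ts
                alerts.append((user, "failure_burst",
                               f"{len(q)} failures within {window} from {e['ip']}", ts))
        elif e["result"] == "SUCCESS":
            if user in last_burst and ts - last_burst[user] <= window:
                alerts.append((user, "success_after_failures",
                               f"success from {e['ip']} shortly after a failure burst", ts))
            if e["country"] not in baseline.get(user, set()):
                alerts.append((user, "new_country",
                               f"first sign-in seen from {e['country']} ({e['ip']})", ts))
    return alerts


if __name__ == "__main__":
    for user, rule, detail, ts in analyze(SAMPLE_LOG, BASELINE):
        print(f"{ts.isoformat()} {user:6s} {rule:24s} {detail}")
```

A single rule is noisy on its own (a traveller trips `new_country`, a forgotten password trips `failure_burst`); the value of collecting everything into one place, as the OMS bullets describe, is that a `success_after_failures` alert can be judged together with the other two for the same account.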
Mobile Security
These days, not only do we use our devices for personal use, we also use them for business. More and more business employees use smartphones and tablets for work, and Windows 10 Mobile, formerly Windows Phone, is designed around segregating personal and business uses on the device and providing the right level of security and control over the business side. Mobile devices are the number one target for a cyber-attack and, up until now, they have been more difficult to protect.
Microsoft has added a number of security layers to protect a Windows mobile device from any number of malware and malicious attacks, allowing both end users and enterprises to relax a little, knowing that their security is in good hands.
The first line of defense is a layer of security to protect the actual hardware. All new Windows devices are equipped with a TPM 2.0 chip and have UEFI Secure Boot enabled. This is a Windows requirement and cannot be disabled by anyone. The UEFI Secure Boot system is designed to start checking your system as soon as the device is powered on, checking that the TPM is the real thing and that the firmware, and any other software that starts up, is genuine and has been signed. If it has not, it won't run; it's that simple. Once everything is declared as fit for work, UEFI will boot into the Windows Boot Manager and then into the OS itself. The only exception to this is if there is a need to replace the OS through the use of a recovery application, in which case the boot manager will boot into flash mode.
Just how secure is UEFI though? During the manufacturing process, a number of public key hashes are fused. These hashes link to specific processes that take place in the device.
All the drivers, loaders, applications and firmware within UEFI must be signed, and a UEFI database will list all keys, image hashes and certificate authorities, stating whether they are trusted or untrusted. A secured rollback system is in place: once UEFI has checked a system and declared it to be a safe and genuine environment, secured rollback prevents a rollback to any version other than that one, effectively stopping malware that could have been hiding in an insecure version from being installed. UEFI will be kept fully up-to-date through the Windows Update system.
Other security of the hardware includes the TPM, which was discussed earlier and which enables keys to be isolated from the OS; this means that if the system is breached in any way, those keys cannot be stolen, since not even the OS itself can access them.
Health attestation completes the hardware protection layer. Health attestation is vastly improved from the version that came with Windows 8.1 and it allows Windows 10 to carry out a health check to the Cloud before it can gain access to any internal resources. Features checked include Secure Boot, BitLocker, and other operation-essential features that need to be 100% healthy before Windows 10 can run fully.
The next layer of security is the Windows OneCore. We examine the App Platform first, because it is what users interact with when they use Windows 10 on their mobile devices.
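The Secure Boot paragraphs describe two checks on every boot component: its hash (or signer) must appear in the trusted database and not in the forbidden one, and its version must not fall below what the device has already booted. This added example (written for this page, not UEFI firmware or Windows code) models both with a trusted set `db`, a revoked set `dbx` and a per-component version floor that only ever rises. Real firmware also stores certificate authorities in `db` and verifies image signatures against them; this block checks hashes only, so that it runs on the standard library. The image names, versions and payload bytes are constructed.

```python
import hashlib
from dataclasses import dataclass, field


@dataclass(frozen=True)
class BootImage:
    component: str    # e.g. "firmware", "bootmgr"
    version: int
    payload: bytes

    def digest(self) -> str:
        return hashlib.sha256(self.payload).hexdigest()


@dataclass
class SecureBootPolicy:
    """Simplified model of the UEFI signature databases plus secured rollback.
    db holds trusted image hashes, dbx holds revoked ones. Certificate checks,
    which real firmware also performs, are omitted."""
    db: set
    dbx: set
    floor: dict = field(default_factory=dict)     # component -> lowest version still bootable
    log: list = field(default_factory=list)       # (component, version, outcome)

    def verify(self, image: BootImage) -> bool:
        h = image.digest()
        if h in self.dbx:                          # revocation wins even if db also lists it
            return self._reject(image, "hash is in dbx (revoked)")
        if h not in self.db:
            return self._reject(image, "hash not in db (unsigned or modified)")
        current_floor = self.floor.get(image.component, 0)
        if image.version < current_floor:
            return self._reject(image, f"rollback below version {current_floor}")
        # A successful verification raises the floor: older builds can no longer boot,
        # even ones that are still listed as trusted in db.
        self.floor[image.component] = max(current_floor, image.version)
        self.log.append((image.component, image.version, "booted"))
        return True

    def _reject(self, image: BootImage, why: str) -> bool:
        self.log.append((image.component, image.version, f"rejected: {why}"))
        return False


# Constructed images standing in for signed firmware builds.
FW_V0 = BootImage("firmware", 0, b"constructed firmware build 0, later revoked")
FW_V1 = BootImage("firmware", 1, b"constructed firmware build 1")
FW_V2 = BootImage("firmware", 2, b"constructed firmware build 2")
FW_V2_MODIFIED = BootImage("firmware", 2, b"constructed firmware build 2 with modified bytes")


def build_policy() -> SecureBootPolicy:
    """db lists every build the vendor ever signed; dbx revokes the one with a known flaw."""
    return SecureBootPolicy(db={FW_V0.digest(), FW_V1.digest(), FW_V2.digest()},
                            dbx={FW_V0.digest()})


def boot_sequence(policy: SecureBootPolicy, images: list) -> list:
    """Attempt to boot each image in turn and report the verdicts."""
    return [policy.verify(img) for img in images]


if __name__ == "__main__":
    p = build_policy()
    print(boot_sequence(p, [FW_V1, FW_V2, FW_V1, FW_V2_MODIFIED, FW_V0]))
    for entry in p.log:
        print(entry)
```

The third verdict is the interesting one: build 1 is still a perfectly valid, signed image, but once build 2 has booted the floor has moved and the downgrade is refused, which is what the text means by preventing a rollback to any version other than the verified one.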
Windows 10 only supports modern apps or RT apps, depending on your system, and not Win32 apps. The new security layer for the app platform model works like this:
- The OS runs in a TCB (Trusted Computing Base) where nobody can access it and nobody can make changes to it.
- Apps that are installed via the store or are shipped with a device are installed in a sandbox, or in a Least Privilege Chamber (LPC). When the app is put into the chamber, it is given permissions based on what it needs to run and no more. This means that it will only do what it says on the box and cannot be touched by malware that tries to order it to deviate from that. The permissions that are linked to that chamber cannot be changed or elevated by anyone, only by an upgrade with a new manifest.
Windows 10 for Mobile will come with a number of preinstalled apps, as follows:
All of these are modern apps and can be fully updated with new functions without the need to go through the mobile operator to deliver the update; instead, they will be updated through Windows Update, under a feature called Windows as a Service.
Access to apps and services has always caused concern in terms of security. Microsoft is implementing a number of new features on both the Desktop and the Mobile versions of Windows 10 that will secure access more than ever before.
Many users are fed up with the current password system. Not only is it too much to have to remember multiple passwords, it is simply not secure. Most people tend to stick to the same password for everything; there are so many places that require ID to be proven now that you could probably produce a book filled with all the different access details you would need.
Businesses want more control over what their end users are accessing, not to be nosy but to better understand patterns and to detect potential threats and/or security leaks. So Microsoft has come up with Windows Hello.
We know all about this from the desktop version and the Mobile version is the same, so to recap:
- Windows Hello is a biometric system
- It uses clean IR for iris or facial recognition, or a fingerprint reader
- New hardware will need to be produced to complement this feature because today's mobiles do not have the capabilities to recognize facial or iris details; some may have an integrated fingerprint reader, which may also need to be updated; devices also need to be capable of 3D vision for detection purposes
- Microsoft is working hard on the False Acceptance Rate, currently at 1/100,000, and on reducing the False Rejection Rate, which is currently between 2-4%
- Passwords and/or PINs may still be used, but the difference here is that these can be covered by MDM (Mobile Device Management), especially in BYOD situations
Microsoft Passport is another system that will be on Windows 10 for desktop and mobile and is a replacement for the old password system. Instead of a password, a key pair is generated, one public and one private, after a user has created trust with their IDP (identity provider).
The private key will never leave the device it is paired with. Users have a choice of providers: any one that is a part of the FIDO Alliance, such as Microsoft themselves, Google, Facebook, Twitter, etc.
The difference with business users is that an end user will create their Passport account, specifying whether the account is for business or personal use. When the user has to create trust, the IDP may require that a second layer of authentication is included to prove identity, perhaps a phone call or text message.
Once the trust has been created, the keys are produced and, when validated, an authentication token is sent to the device. That token can then be used on a number of third-party relying resources that trust those tokens.
An access token is created and this can be controlled by MDM; you can set a time limit on the access the user has to a particular site, meaning that they will need to re-authenticate after that limit expires if they want to gain access to the site again.
Enterprise expectations for corporate access are anytime, anywhere, secure remote access, as shown below:
Furthermore, to enable data and access to be protected to and from a device, Microsoft has expanded their VPN capabilities in Windows 10. Again, these can be MDM-managed in two main ways:
- On a per-application basis: IT can give users access to specific sites through a VPN, and this is fully integrated with Enterprise Data Protection
- On an Always-On basis, which means users will access sites through a VPN on a permanent basis until they turn it off; this can be managed, and IT decides whether to allow a user to disable the VPN or not
BitLocker is also present on all devices, and this is designed to protect the data on a mobile devic