How to get the most out of Windows 10 enterprise security features

Although the return of the Start menu and putting the focus back on the desktop are moves calculated to help Windows 10 appeal to business users, the security improvements may be a more strategic reason for considering an upgrade. But some key features won’t be available until the fall.

Windows 10 action center

The Action Center displays notifications and offers access to commonly-used settings.

The enterprise edition of Windows 10 may be available only a day after the consumer version, with some immediately useful improvements for business. But some of the most important security features in Windows 10 Enterprise will either be included in a major update (that you can think of much like a service pack) that will ship sometime this fall, or will rely on enterprises and online sites and services making some substantial changes to move away from passwords. That means that, as with most upgrades, getting the most from Windows 10 security improvements will require planning.

There are some immediate security improvements that IT managers will appreciate, particularly if they have users bringing Windows 10 devices to work. Some of these are simple policy changes.

For instance, most consumer PCs come with a trial anti-virus subscription; when that trial ends – and if it doesn’t get renewed (which Microsoft says happens on close to 10 percent of consumer PCs) – Windows Defender will automatically turn itself on after a set time. That’s currently three days, because anti-virus vendors don’t want it to happen immediately, but it does give you better protection when employees connect from a home system that you’re not monitoring.

Also of note, an offline version of Windows Defender is now built into the Windows recovery environment, to protect against malware while you're repairing a system.

[Related: Optional Windows 10 utility blocks bad updates from messing with your PC]

Microsoft’s new Edge browser improves security in a variety of ways, from running in the app container sandbox to removing ActiveX controls, VBScript, toolbars and Browser Helper Objects. That makes general browsing safer, but may require you to tweak some line of business apps (or more likely, configure employee PCs to use Internet Explorer to access those sites). And while it’s fast and implements many modern Web standards, Edge is also clearly a work in progress and will be getting a major feature update later this year.

There are also security features carried over from Windows 8 that will be new to you if you’re upgrading from Windows 7 or earlier. The trusted boot malware protection that loads anti-virus software before any other software, for instance, lets you choose to run only operating system components that have been digitally signed to block rootkits, and can store the proof that the system booted securely in the Trusted Platform Module (TPM) – so you can check for that before allowing devices to connect to critical systems, especially when you’re using the TPM as a virtual smart card.

BitLocker whole disk encryption is still available only in Windows Pro and Enterprise editions, but even Windows 10 Home systems have the device encryption option from Windows 8.1 (as long as they have suitable hardware).

Other security features in Windows 10 are far more foundational, but they’ll require you to make changes in the way you handle identity, authentication and access to get the most from them.

Going beyond the password

Biometrics aren’t new to PCs, but the hardware in new PCs makes them faster and more flexible and the new Windows Hello login feature is easy to use. New fingerprint readers are capacitive, as on the iPhone, so users press down their finger rather than swiping across a narrow sensor, and they look at both the 3D structure of the fingerprint the ‘liveness’ of the finger. Now that Intel has included an  interconnect for attaching biometric sensors on its motherboards, they should start to become more common in devices.

Windows 10 also works with hardware for palm vein prints, iris recognition and 3D facial recognition, using the Intel RealSense camera that’s being built into various notebook computers. The feature also accounts for temperature using infrared sensors, so it won’t be fooled by photos and masks.

Replacing the standard Windows user password with biometrics protects you against employees who are fooled by phishing attempts, and against releases of usernames and passwords from hacked cloud services where employees have simply reused their work passwords. It doesn’t help with the increasingly common horizontal attacks, where attackers who have managed to get malware onto one PC can harvest the access tokens and Kerberos credentials generated when a user logs in to Windows; those may also give them access to email, file shares, SharePoint sites, line of business apps, company databases and other data stores.

[Related: Windows 10 review: It's familiar, it's powerful, but the Edge browser falls short]

These attacks are known as “pass the hash” and “pass the ticket” attacks, depending on which credentials they target, explains Microsoft’s Chris Hallum. “Once attackers have that token, they have your identity; it's as good as having your username and password. If they can gain admin privileges they can run a tool to extract the token and take it, and then move around the network and access all these servers without ever being asked for a password.”

In Windows 10 Enterprise (and Windows Server 2016), the logon process runs in what Microsoft calls Virtual Secure Mode – a secure, virtualized container with no admin privileges and very constrained access, that has only enough capabilities to run the logon service used for authentication brokering. Access tokens and tickets are all stored here, in fully randomized and managed, full-length hashes to avoid brute force attacks. “Even if the Windows kernel is compromised, it doesn’t have access to take information out of that container,” Hallum says, ”so we can isolate one of the most important Windows components.”

But to get this Credential Guard protection for enterprise credentials, you won’t just need Windows Enterprise running on PCs with hardware virtualization and a TPM; you’ll also need to move your domain controller to Windows Server 2016.

Replacing passwords

You’ll also need to plan ahead to use Windows Passport, the Fast Identity Online (FIDO) -compliant next-generation credentials in Windows 10. These can be certificates distributed using an existing Public Key Infrastructure or key pairs generated by Windows itself, and they’re stored securely in the TPM, and unlocked using biometrics or a PIN (or a picture password). Each device can be enrolled using a smartcard or a one-time password, so the PC itself becomes a second factor for authentication, or you can use a Bluetooth or Wi-Fi-connected phone to authenticate multiple other devices for a user.

You can set the PIN length and complexity (up to 20 characters, including upper and lower case characters, symbols and spaces as well as numbers) by policy, and you can have separate PIN requirements for enterprise credentials, which you can wipe without affecting consumer ones.

In the longer term, many sites and online services are expected to adopt FIDO-compliant credentials, but you can start using Passport with your own line-of-business apps and services. It will work with any well-designed application, Hallum says “every app should be able to take advantage of this unless you’ve done something that is not best practice, like the app forcing the user to type in their username and password instead of using Windows to prompt for a password.” But again, you will need Windows Server 2016 and either Azure Active Directory or some updates to your own AD infrastructure.

If you do choose Azure AD, you can use that to provision the built-in Mobile Device Management (MDM) client in Windows 10 for setting up single sign-on to domain resources and a wide range of cloud services as soon as employees set up their PCs. Microsoft Intune is the first MDM service that can manage Windows 10 devices, but Microsoft is working with other MDM suppliers to add Windows 10 support, which lets you set policies for access control based on where someone is logging in from, whether their device is healthy and in compliance, and how sensitive an application is, as well as the usual user roles and group settings that set access restrictions.

[Related: How to use Microsoft Edge, Windows 10's new browser]

If you want even greater control over what can run on a device, look for PCs with the new Device Guard option; this requires BIOS and UEFI lockdown by the OEM, so you need to buy hardware that’s ready for it, but you’ll be able to limit exactly what software they can run. That includes apps from the Windows Store – both desktop and Universal apps, and chosen apps from software vendors, as well as your own apps that you upload to the Store – and software that you sign locally, using a certificate that chains up to Microsoft. As long as those signing certificates are well-protected by enterprises and software vendors, this should help keep malware off your most critical devices.

Every document in a container

Later this year Microsoft will also add another key security option to Windows 10: Enterprise Data Protection (EDP). This takes the container approach now common on smartphones to protect enterprise files, using policies that automatically store corporate content in encrypted locations, without encryption needing to be turned on manually for each file. But unlike most smartphone container systems, every file goes in its own container, with Windows acting as an access broker.

“Windows 10 is able to differentiate between corporate and personal data, based on where the data comes from,” says Hallum. “You'll be able to set locations on the network, and say we consider these to be corporate; this is the corporate mail server, these are the corporate files servers, on these IP address ranges, using these DNS addresses. When content comes from those locations, the network knows where it comes from and we can say let's go ahead and encrypt that at the file level.” For files created on the device, you can use policy to specify which apps are personal and which are corporate, and encrypt files from business apps automatically.

This will be a cross-platform solution, so files can be opened on OS X, iOS and Android. That will be easy for Office documents, which will need the 2016 versions of Office – including the free Office Mobile apps that come with Windows 10, though you’ll need a business subscription to cover them for commercial use. Only the Mac version of Office 2016 is currently out of preview, so the availability of Windows 10 containers will likely come at the same time as the Windows version of Office. Microsoft Intune is the only MDM service that can manage Office applications, but you’ll be able to manage EDP containers using a range of MDM services or System Center Configuration Manager to provision keys and policies.

As with the other significant security technologies in Windows 10, this will require investment to make the most of it. But the opportunities for protecting credentials, apps and files with the combination of Windows 10 and Windows Server 2016 offer a level of security that just hasn’t been available in previous Windows ecosystems.

To comment on this article and other CIO content, visit us on Facebook, LinkedIn or Twitter.
Download the CIO October 2016 Digital Magazine
Notice to our Readers
We're now using social media to take your comments and feedback. Learn more about this here.