Application vetting and biometric authentication headline the main new security features in Microsoft's Windows 10 operating system, which the company today said will begin shipping for free on July 29 to users of Windows 7 and 8.
Windows 10's arrival can't come too soon amid doom-and-gloom predictions of the demise of Windows after Microsoft's failed makeover of the OS in Windows 8, with its tile-heavy interface and missing Start menu. Aside from the return of the beloved Start menu, a personal assistant called Cortana, and a new, faster, and more personalized browser called Edge, Microsoft also is launching some significant new security features in Windows 10, most of which are available in the first release.
Windows security expert Marc Maiffret says with the new Windows 10 security features combined with the new Windows Store for authorized and vetted applications, Microsoft is making the desktop ecosystem look a lot more like the smartphone -- which is good news for security. "There are interesting security implications to that: part of what all of us are fighting is how to better control apps and code in environments," he says.
1. Device Guard
Microsoft's new Device Guard is aimed at blocking zero-day attacks by vetting applications before they are allowed to run on a Windows 10 machine and its network. It blocks any application that is not signed by specific software vendors, by the Windows app store, or by the enterprise itself.
Acer, Fujitsu, HP, NCR, Lenovo, Par, and Toshiba have teamed up with Microsoft to use Device Guard on their Windows-based devices. It supports point-of-sale systems, ATMs, and other Internet of Things-type devices running Windows.
"To help protect users from malware, when an app is executed, Windows makes a determination on whether that app is trustworthy, and notifies the user if it is not. Device Guard can use hardware technology and virtualization to isolate that decision-making function from the rest of the Windows operating system, which helps provide protection from attackers or malware that have managed to gain full system privilege," blogged Microsoft's Chris Hallum recently on the new Windows app feature.
Microsoft's Hallum argues that Device Guard, unlike antivirus and whitelisting software, isn't susceptible to insider tampering, credential hijacking, or unknown malware sneaking past, but the feature likely will work in concert with AV and whitelisting or other app-control products.
"Traditional AV solutions and app control technologies will be able to depend on Device Guard to help block executable and script based malware while AV will continue to cover areas that Device Guard doesn’t such as JIT based apps (e.g.: Java) and macros within documents," Hallum said.
Interestingly, Device Guard's decision-making also runs in a virtualization-based container isolated from the rest of the OS, so that if the Windows kernel is compromised, Device Guard is not, according to Microsoft. It requires software to provision the code-integrity policy that defines which signers are trusted.
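The policy provisioning the article mentions is, in practice, a configurable code-integrity policy. The following PowerShell is an added example, not code from the article or from Microsoft, of the defender's workflow: build a policy from a clean reference machine, deploy it in audit mode, review what would have been blocked, and only then enforce. It assumes Windows 10 Enterprise with the ConfigCI module (the New-CIPolicy, Set-RuleOption, and ConvertFrom-CIPolicy cmdlets); the file paths and the helper name Get-CIAuditEvents are illustrative choices.

```powershell
# Added example (not from the article or Microsoft): create a Device Guard
# code-integrity policy that allows only code signed by the publishers already
# present on a clean reference machine, deploy it in audit mode, and review
# what would have been blocked before switching to enforcement.
# Assumes Windows 10 Enterprise with the ConfigCI module; paths are illustrative.

$PolicyXml = 'C:\CIPolicy\InitialPolicy.xml'
$PolicyBin = 'C:\CIPolicy\SIPolicy.p7b'
New-Item -ItemType Directory -Path (Split-Path $PolicyXml) -Force | Out-Null

# 1. Scan the reference system and create publisher-level rules for the
#    binaries found; files without a usable signature fall back to a hash rule.
#    -UserPEs includes user-mode executables, not only kernel drivers.
New-CIPolicy -Level Publisher -Fallback Hash -FilePath $PolicyXml -UserPEs

# 2. Start in audit mode (rule option 3): violations are logged, not blocked,
#    so a gap in the policy cannot take a production machine down.
Set-RuleOption -FilePath $PolicyXml -Option 3

# 3. Convert to the binary form the kernel consumes and install it.
#    The policy takes effect after a reboot.
ConvertFrom-CIPolicy -XmlFilePath $PolicyXml -BinaryFilePath $PolicyBin
Copy-Item $PolicyBin "$env:SystemRoot\System32\CodeIntegrity\SIPolicy.p7b" -Force

# 4. After the machine has run its normal workload for a while, list the
#    executions that audit mode flagged (event ID 3076 in the Code Integrity
#    operational log). Each entry is either a legitimate app that still needs
#    a rule, or something that should not have been running at all.
function Get-CIAuditEvents {
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-CodeIntegrity/Operational'
        Id      = 3076
    } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message
}
Get-CIAuditEvents | Format-Table -AutoSize -Wrap

# 5. Once the audit log shows only expected entries, remove the audit option
#    to turn the same policy into an enforcing one, then repeat step 3.
#    (Left commented out so the script is safe to run as-is.)
# Set-RuleOption -FilePath $PolicyXml -Option 3 -Delete
```

The audit-first sequence is the important part: a publisher-level policy built from one reference image will almost always miss something in a real fleet, and in enforcement mode every miss is an outage rather than a log line. Once enforced, the same log records blocks as event ID 3077, which is the signal a SOC would alert on.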
2. Windows Hello
Windows Hello has been touted by Microsoft as a password-killer feature that uses biometrics -- your face, iris, or fingerprint -- to sign you in to Windows 10 devices rather than those pesky and vulnerable passwords.
Joe Belfiore, corporate vice president of Microsoft's operating systems group, says Hello is more secure because it allows you to authenticate applications, enterprise content, and online experiences without storing a password on the user device or on a network server.
The catch is that you need a machine with a fingerprint reader, or with an infrared camera and the accompanying software, to identify a user by face or iris. And the devices require Windows Biometric Framework support.
"We're working closely with our hardware partners to deliver Windows Hello capable devices that will ship with Windows 10 and we are excited to announce that all OEM systems incorporating the Intel RealSense 3D Camera (F200) will support the facial unlock features of Windows Hello, including automatic sign-in to Windows, and support to unlock 'Passport' without the need for a PIN," Belfiore said in a post about Windows 10 today.
Maiffret says Microsoft appears to have developed Hello as a viable form of authentication for the enterprise as well. "They've gone the lengths to make this secure from a crypto perspective, so it can be ... accepted as a real form of authentication in the enterprise," he says.
Also in sync with the theme of password liberation is Windows 10's new Passport feature that lets users authenticate to applications, websites, and networks sans passwords.
"Windows 10 will ask you to verify that you have possession of your device before it authenticates on your behalf, with a PIN or Windows Hello on devices with biometric sensors. Once authenticated with “Passport”, you will be able to instantly access a growing set of websites and services … favorite commerce sites, email and social networking services, financial institutions, business networks" and others, according to Microsoft.
Passport will work with Microsoft's Azure Active Directory Services, according to Microsoft, and the user's biometric "signature" is secured and stored locally on the user device and used only to unlock it and for Passport; it's not used to authenticate via the network.
Microsoft isn't dictating the death of passwords, however, although as a member of the FIDO Alliance it is now working to help replace them in the future. So users or organizations who can't bear to part with their passwords and password management don't have to deploy Windows Hello and Passport in Windows 10 at all.
Meanwhile, Microsoft also has made some subtle but key changes in Windows 10 "under the hood," using containers and virtualized sandboxes to better secure desktops, Maiffret says. "But I'm sure at Black Hat or next year someone will do a talk on how to break out of the [Windows 10] sandbox. That's inevitable."
Even so, Microsoft's decision to take that approach with Windows is a game changer for the OS, he says.