
6/1/2015
03:00 PM

Microsoft Windows 10: Three Security Features To Know About

Microsoft's next-generation operating system Windows 10 will be available as a free upgrade to Windows 7 and 8.1 users on July 29. But Windows Enterprise version customers will have to wait until later this year.

Application vetting and biometric authentication headline the main new security features in Microsoft's Windows 10 operating system, which the company today said will begin shipping for free on July 29 to users of Windows 7 and 8.

Windows 10's arrival can't come too soon, amid doom-and-gloom predictions of the demise of Windows after Microsoft's failed makeover of the OS in Windows 8, with its tile-heavy interface and missing startup menu. Aside from the return of the beloved startup menu, a personal assistant called Cortana, and a new, faster and more personalized browser called Edge, Microsoft also is launching some significant new security features in Windows 10, most of which are available in the first release.

Windows security expert Marc Maiffret says with the new Windows 10 security features combined with the new Windows Store for authorized and vetted applications, Microsoft is making the desktop ecosystem look a lot more like the smartphone -- which is good news for security. "There are interesting security implications to that: part of what all of us are fighting is how to better control apps and code in environments," he says.

 

1.  Device Guard

Microsoft's new Device Guard is aimed at blocking zero-day attacks by vetting applications that try to access a Windows 10 machine and its network. It basically blocks any application that is not signed by specific software vendors, the Windows app store, or the enterprise itself.

Acer, Fujitsu, HP, NCR, Lenovo, Par, and Toshiba have teamed up with Microsoft to use Device Guard on their Windows-based devices. It supports point-of-sale systems, ATMs, and other Internet of Things-type devices running Windows.

"To help protect users from malware, when an app is executed, Windows makes a determination on whether that app is trustworthy, and notifies the user if it is not. Device Guard can use hardware technology and virtualization to isolate that decision-making function from the rest of the Windows operating system, which helps provide protection from attackers or malware that have managed to gain full system privilege," blogged Microsoft's Chris Hallum recently on the new Windows app feature.

Microsoft's Hallum argues that Device Guard, unlike antivirus and whitelisting software, isn't as susceptible to insider tampering, credential hijacking, or unknown malware sneaking past. Even so, the feature likely will work in concert with AV and whitelisting or other app-control products.

"Traditional AV solutions and app control technologies will be able to depend on Device Guard to help block executable and script based malware while AV will continue to cover areas that Device Guard doesn’t such as JIT based apps (e.g.: Java) and macros within documents," Hallum said.

Interestingly, Device Guard also operates virtually so that if the Windows kernel is compromised, Device Guard is not, according to Microsoft. It requires policy provision software.

2.  Windows Hello

Windows Hello has been touted by Microsoft as a password-killer feature that uses biometrics -- your face, iris, or your fingerprint -- to launch Windows 10 devices rather than those pesky and vulnerable passwords.

Joe Belfiore, corporate vice president of Microsoft's operating systems group, says Hello is more secure because it allows you to authenticate applications, enterprise content, and online experiences without storing a password on the user device or on a network server.

The catch is you need a machine with a fingerprint reader and scanning software and hardware for the infrared technology to identify a user by his face or iris. And the devices require Windows Biometric Framework support.

"We're working closely with our hardware partners to deliver Windows Hello capable devices that will ship with Windows 10 and we are excited to announce that all OEM systems incorporating the Intel RealSense 3D Camera (F200) will support the facial unlock features of Windows Hello, including automatic sign-in to Windows, and support to unlock 'Passport' without the need for a PIN," Belfiore said in a post about Windows 10 today.

Maiffret says Microsoft appears to have developed Hello as a viable form of authentication for the enterprise as well. "They've gone the lengths to make this secure from a crypto perspective, so it can be ... accepted as a real form of authentication in the enterprise," he says. 


3. Passport

Also in sync with the theme of password liberation is Windows 10's new Passport feature that lets users authenticate to applications, websites, and networks sans passwords.

"Windows 10 will ask you to verify that you have possession of your device before it authenticates on your behalf, with a PIN or Windows Hello on devices with biometric sensors. Once authenticated with “Passport”, you will be able to instantly access a growing set of websites and services … favorite commerce sites, email and social networking services, financial institutions, business networks" and others, according to Microsoft.

Passport will work with Microsoft's Azure Active Directory Services, according to Microsoft, and the user's biometric "signature" is secured and stored locally on the user device and used only to unlock it and for Passport; it's not used to authenticate via the network.

Microsoft isn't dictating the death of passwords, however, although now as part of the FIDO Alliance it's working to help replace passwords in the future. So users or organizations who can't bear to part with their passwords and password management don't have to deploy Windows Hello and Passport in Windows 10 at all.

Meanwhile, Microsoft also has made some subtle but key changes in Windows 10 "under the hood" using containers and virtualized sandboxes to better secure desktops, Maiffret says. "But I'm sure at Black Hat or next year someone will do a talk on how to break out of the [Windows 10] sandbox. That's inevitable."

Even so, Microsoft's taking that approach with Windows is a game changer for the OS, he says.

 

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments
creecreb,
User Rank: Apprentice
7/27/2015 | 1:43:07 PM
Re: Biometric Passwords
That is just a myth. Biometric technologies require blood flow through the body part being scanned in order to function. Once that person is gone, that information is lost forever.
Madcowpro,
User Rank: Apprentice
6/8/2015 | 2:57:37 PM
Re: Biometric Passwords
Na you could just cut off the finger.
mutant,
User Rank: Apprentice
6/8/2015 | 11:52:18 AM
Biometric Passwords
Can't wait until grandma passes away and you have to hold her dead finger to the computer to get photos and other personal items off the computer.
Lepricon,
User Rank: Apprentice
6/5/2015 | 9:11:48 AM
Re: Device Guard and Developers
Those are certainly valid concerns but I would say that they're focused around a small demographic.  In an enterprise environment this capability will be useful as it allows for granular control and a better protection posture.  For the average home user who doesn't understand the cert warning it provides additional protection as well.

I would suspect that the end user that is going to leverage a legit third party app that wasn't signed probably shouldn't be using that app. For the savvy user they'll most likely disable the protection. To your point (question) about a process to get apps accepted, that's certainly a critical need because if they don't address that then the capability will most likely just get disabled ala UAC.
RyanSepe,
User Rank: Ninja
6/2/2015 | 11:37:58 AM
Device Guard and Developers
When device guard notifies you of a possibly malicious app download, does it allow the user to then download it or is it indefinitely blocked? And what does this mean for third party developers that are not part of those major organizations listed in the article? What process do they have to go through now to get their apps accepted? Or do they not have that option?