Dark Reading is part of the Informa Tech Division of Informa PLC



03:00 PM

Microsoft Windows 10: Three Security Features To Know About

Microsoft's next-generation operating system Windows 10 will be available as a free upgrade to Windows 7 and 8.1 users on July 29. But Windows Enterprise version customers will have to wait until later this year.

Application-vetting and biometric authentication headline the new main security features in Microsoft's new Windows 10 operating system, which the company today said will begin shipping for free on July 29 to users of Windows 7 and 8.

Windows 10's arrival can't come too soon amid doom-and-gloom predictions of the demise of Windows after Microsoft's failed makeover of Windows with the tile interface-heavy and startup menu-missing Windows 8. Aside from the return of the beloved startup menu, a personal assistant called Cortana and a new faster and more personalized browser called Edge, Microsoft also is launching some significant new security features in Windows 10, most of which are available in the first release.

Windows security expert Marc Maiffret says with the new Windows 10 security features combined with the new Windows Store for authorized and vetted applications, Microsoft is making the desktop ecosystem look a lot more like the smartphone -- which is good news for security. "There are interesting security implications to that: part of what all of us are fighting is how to better control apps and code in environments," he says.


1.  Device Guard

Microsoft's new Device Guard is aimed at blocking zero-day attacks by vetting applications that try to access a Windows 10 machine and its network. It basically blocks any application that is not signed by specific software vendors, the Windows app store, or the enterprise itself.

Acer, Fujitsu, HP, NCR, Lenovo, Par, and Toshiba have teamed up with Microsoft to use Device Guard on their Windows-based devices. It supports point-of-sale systems, ATM machines, and other Internet of Things-type devices running Windows.

"To help protect users from malware, when an app is executed, Windows makes a determination on whether that app is trustworthy, and notifies the user if it is not. Device Guard can use hardware technology and virtualization to isolate that decision-making function from the rest of the Windows operating system, which helps provide protection from attackers or malware that have managed to gain full system privilege," blogged Microsoft's Chris Hallum recently on the new Windows app feature.

Microsoft's Hallum argues that Device Guard, unlike antivirus and whitelisting software, isn't as susceptible to insider tampering, credential hijacking, or unknown malware sneaking past, but the feature likely will work in concert with AV and whitelisting or other app-control products.

"Traditional AV solutions and app control technologies will be able to depend on Device Guard to help block executable and script based malware while AV will continue to cover areas that Device Guard doesn’t such as JIT based apps (e.g.: Java) and macros within documents," Hallum said.

Interestingly, Device Guard also operates virtually so that if the Windows kernel is compromised, Device Guard is not, according to Microsoft. It requires policy provision software.

2.  Windows Hello

Windows Hello has been touted by Microsoft as a password-killer feature that uses biometrics -- your face, iris, or your fingerprint -- to launch Windows 10 devices rather than those pesky and vulnerable passwords.

Joe Belfiore, corporate vice president of Microsoft's operating systems group, says Hello is more secure because it allows you to authenticate applications, enterprise content, and online experiences without storing a password on the user device or on a network server.

The catch is you need a machine with a fingerprint reader and scanning software and hardware for the infrared technology to identify a user by his face or iris. And the devices require Windows Biometric Framework support.

"We're working closely with our hardware partners to deliver Windows Hello capable devices that will ship with Windows 10 and we are excited to announce that all OEM systems incorporating the Intel RealSense 3D Camera (F200) will support the facial unlock features of Windows Hello, including automatic sign-in to Windows, and support to unlock 'Passport' without the need for a PIN," Belfiore said in a post about Windows 10 today.

Maiffret says Microsoft appears to have developed Hello as a viable form of authentication for the enterprise as well. "They've gone the lengths to make this secure from a crypto perspective, so it can be ... accepted as a real form of authentication in the enterprise," he says. 


3. Passport

Also in sync with the theme of password liberation is Windows 10's new Passport feature that lets users authenticate to applications, websites, and networks sans passwords.

"Windows 10 will ask you to verify that you have possession of your device before it authenticates on your behalf, with a PIN or Windows Hello on devices with biometric sensors. Once authenticated with “Passport”, you will be able to instantly access a growing set of websites and services … favorite commerce sites, email and social networking services, financial institutions, business networks" and others, according to Microsoft.

Passport will work with Microsoft's Azure Active Directory Services, according to Microsoft, and the user's biometric "signature" is secured and stored locally on the user device and used only to unlock it and for Passport; it's not used to authenticate via the network.

Microsoft isn't dictating the death of passwords, however, although now as part of the FIDO Alliance it's working to help replace passwords in the future. So users or organizations who can't bear to part with their passwords and password management don't have to deploy Windows Hello and Passport in Windows 10 at all.

Meanwhile, Microsoft also has made some subtle but key changes in Windows 10 "under the hood" using containers and virtualized sandboxes to better secure desktops, Maiffret says. "But I'm sure at Black Hat or next year someone will do a talk on how to break out of the [Windows 10] sandbox. That's inevitable."

Even so, Microsoft's taking that approach with Windows is a game changer for the OS, he says.


Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

User Rank: Apprentice
7/27/2015 | 1:43:07 PM
Re: Biometric Passwords
That is just a myth. Biometric technologies require blood flow through the body part being scanned in order to function. Once that person is gone, that information is lost forever.
User Rank: Apprentice
6/8/2015 | 2:57:37 PM
Re: Biometric Passwords
Na you could just cut off the finger.
User Rank: Apprentice
6/8/2015 | 11:52:18 AM
Biometric Passwords
Can't wait until grandma passes away and you have to hold her dead finger to the  computer to get photos and other personal items off the computer.
User Rank: Apprentice
6/5/2015 | 9:11:48 AM
Re: Device Guard and Developers
Those are certainly valid concerns but I would say that they're focused around a small demographic.  In an enterprise environment this capability will be useful as it allows for granular control and a better protection posture.  For the average home user who doesn't understand the cert warning it provides additional protection as well.

I would suspect that the end user that is going to leverage a legit third party app that wasn't signed probably shouldn't be using that app. For the savvy user they'll most likely disable the protection. To your point (question) about a process to get apps accepted that's certainly a critical need because if they don't address that then the capability will most likely just get disabled ala UAC.
User Rank: Ninja
6/2/2015 | 11:37:58 AM
Device Guard and Developers
When device guard notifies you of a possibly malicious app download, does it allow the user to then download it or is it indefinitely blocked? And what does this mean for third party developers that are not part of those major organizations listed in the article? What process do they have to go through now to get their apps accepted? Or do they not have that option?