
Microsoft Windows 10: Three Security Features To Know About

Microsoft's next-generation operating system Windows 10 will be available as a free upgrade to Windows 7 and 8.1 users on July 29. But Windows Enterprise version customers will have to wait until later this year.

Application-vetting and biometric authentication headline the new main security features in Microsoft's new Windows 10 operating system, which the company today said will begin shipping for free on July 29 to users of Windows 7 and 8.

Windows 10's arrival can't come too soon amid doom-and-gloom predictions of the demise of Windows after Microsoft's failed makeover of Windows with the tile interface-heavy and startup menu-missing Windows 8. Aside from the return of the beloved startup menu, a personal assistant called Cortana and a new faster and more personalized browser called Edge, Microsoft also is launching some significant new security features in Windows 10, most of which are available in the first release.

Windows security expert Marc Maiffret says with the new Windows 10 security features combined with the new Windows Store for authorized and vetted applications, Microsoft is making the desktop ecosystem look a lot more like the smartphone -- which is good news for security. "There are interesting security implications to that: part of what all of us are fighting is how to better control apps and code in environments," he says.


1.  Device Guard

Microsoft's new Device Guard is aimed at blocking zero-day attacks by vetting applications that try to access a Windows 10 machine and its network. It basically blocks any application that is not signed by specific software vendors, the Windows app store, or the enterprise itself.

Acer, Fujitsu, HP, NCR, Lenovo, Par, and Toshiba have teamed up with Microsoft to use Device Guard on their Windows-based devices. It supports point-of-sale systems, ATM machines, and other Internet of Things-type devices running Windows.

"To help protect users from malware, when an app is executed, Windows makes a determination on whether that app is trustworthy, and notifies the user if it is not. Device Guard can use hardware technology and virtualization to isolate that decision-making function from the rest of the Windows operating system, which helps provide protection from attackers or malware that have managed to gain full system privilege," blogged Microsoft's Chris Hallum recently on the new Windows app feature.

Microsoft's Hallum argues that Device Guard, unlike antivirus and whitelisting software, isn't as susceptible to insider tampering, credential hijacking, or unknown malware sneaking past, but the feature likely will work in concert with AV and whitelisting or other app-control products.

"Traditional AV solutions and app control technologies will be able to depend on Device Guard to help block executable and script based malware while AV will continue to cover areas that Device Guard doesn’t such as JIT based apps (e.g.: Java) and macros within documents," Hallum said.

Interestingly, Device Guard also runs in a virtualized environment isolated from the rest of the operating system, so that if the Windows kernel is compromised, Device Guard is not, according to Microsoft. It requires policy provision software.

2.  Windows Hello

Windows Hello has been touted by Microsoft as a password-killer feature that uses biometrics -- your face, iris, or your fingerprint -- to launch Windows 10 devices rather than those pesky and vulnerable passwords.

Joe Belfiore, corporate vice president of Microsoft's operating systems group, says Hello is more secure because it allows you to authenticate applications, enterprise content, and online experiences without storing a password on the user device or on a network server.

The catch is you need a machine with a fingerprint reader and scanning software and hardware for the infrared technology to identify a user by his face or iris. And the devices require Windows Biometric Framework support.

"We're working closely with our hardware partners to deliver Windows Hello capable devices that will ship with Windows 10 and we are excited to announce that all OEM systems incorporating the Intel RealSense 3D Camera (F200) will support the facial unlock features of Windows Hello, including automatic sign-in to Windows, and support to unlock 'Passport' without the need for a PIN," Belfiore said in a post about Windows 10 today.

Maiffret says Microsoft appears to have developed Hello as a viable form of authentication for the enterprise as well. "They've gone the lengths to make this secure from a crypto perspective, so it can be ... accepted as a real form of authentication in the enterprise," he says. 


3. Passport

Also in sync with the theme of password liberation is Windows 10's new Passport feature that lets users authenticate to applications, websites, and networks sans passwords.

"Windows 10 will ask you to verify that you have possession of your device before it authenticates on your behalf, with a PIN or Windows Hello on devices with biometric sensors. Once authenticated with “Passport”, you will be able to instantly access a growing set of websites and services … favorite commerce sites, email and social networking services, financial institutions, business networks" and others, according to Microsoft.

Passport will work with Microsoft's Azure Active Directory Services, according to Microsoft, and the user's biometric "signature" is secured and stored locally on the user device and used only to unlock it and for Passport; it's not used to authenticate via the network.

Microsoft isn't dictating the death of passwords, however, although now as part of the FIDO Alliance it's working to help replace passwords in the future. So users or organizations who can't bear to part with their passwords and password management don't have to deploy Windows Hello and Passport in Windows 10 at all.

Meanwhile, Microsoft also has made some subtle but key changes in Windows 10 "under the hood" using containers and virtualized sandboxes to better secure desktops, Maiffret says. "But I'm sure at Black Hat or next year someone will do a talk on how to break out of the [Windows 10] sandbox. That's inevitable."

Even so, Microsoft's taking that approach with Windows is a game changer for the OS, he says.


Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

User Rank: Apprentice
7/27/2015 | 1:43:07 PM
Re: Biometric Passwords
That is just a myth. Biometric technologies require blood flow through the body part being scanned in order to function. Once that person is gone, that information is lost forever.
User Rank: Apprentice
6/8/2015 | 2:57:37 PM
Re: Biometric Passwords
Na you could just cut off the finger.
User Rank: Apprentice
6/8/2015 | 11:52:18 AM
Biometric Passwords
Can't wait until grandma passes away and you have to hold her dead finger to the computer to get photos and other personal items off the computer.
User Rank: Apprentice
6/5/2015 | 9:11:48 AM
Re: Device Guard and Developers
Those are certainly valid concerns but I would say that they're focused around a small demographic. In an enterprise environment this capability will be useful as it allows for granular control and a better protection posture. For the average home user who doesn't understand the cert warning it provides additional protection as well.

I would suspect that the end user that is going to leverage a legit third party app that wasn't signed probably shouldn't be using that app. For the savvy user they'll most likely disable the protection. To your point (question) about a process to get apps accepted, that's certainly a critical need because if they don't address that then the capability will most likely just get disabled ala UAC.
User Rank: Ninja
6/2/2015 | 11:37:58 AM
Device Guard and Developers
When device guard notifies you of a possibly malicious app download, does it allow the user to then download it or is it indefinitely blocked? And what does this mean for third party developers that are not part of those major organizations listed in the article? What process do they have to go through now to get their apps accepted? Or do they not have that option?