Windows 10 Update: 10 Key New Security Features
Microsoft is tightening its focus on Windows 10 security with several new security tools in its latest major OS update.
![](https://eu-images.contentstack.com/v3/assets/blt6d90778a997de1cd/blt0fe17ab539267843/64f0d7a69cf288eb0c173735/win10creators-intro.jpg?width=700&auto=webp&quality=80&disable=upscale)
Windows 10 security is getting a face-lift in the Fall Creators Update, which Microsoft started rolling out last week. The update is packed with several new tools intended to give administrators and users more granular control over security.
Updates pertaining to Windows 10 security are increasingly relevant to businesses as more swap older versions of Windows for the latest. Microsoft reports 90% growth in commercial devices year over year as enterprise, small business, and education users make the switch.
The most recent batch of security and management features addresses common business security concerns like ransomware, application security, credential theft, and polymorphic malware. Overall, they indicate a broader transition from reactive to proactive security.
"With continuous updates, and focus on security, they're responding quickly to changing attack patterns on the OS in a way they weren't before," says Gartner Vice President Peter Firstbrook of Microsoft's approach to security management in Windows 10.
Here, we take a closer look at the newest security tools in Windows 10 and dig a little further into how each works. Which of these features do you think will be most helpful for managing your security operations? Where do you think Microsoft could further improve security? Feel free to share your thoughts in the comments.
Windows Defender Exploit Guard (WDEG) is a set of four components designed to help with intrusion prevention by identifying and blocking attack vectors and behaviors common in malware attacks. It's built on the idea that while vulnerabilities, delivery mechanisms, and payloads vary, there is a core set of behaviors common among various attacks.
The four parts of WDEG are Attack Surface Reduction (ASR), which shrinks the attack surface by blocking Office-, script-, and email-based threats; Network protection, which blocks outbound connections from processes to untrusted hosts; Controlled folder access, which blocks untrusted programs from accessing sensitive data; and Exploit protection, a set of exploit mitigations that can be configured to protect the system.
Exploit protection is significant because it replaces the Enhanced Mitigation Experience Toolkit (EMET), which is automatically uninstalled from machines. After announcing the end-of-life for EMET earlier this year, Microsoft pulled components of EMET and integrated them directly into Windows.
"The nice advantage here is it's built directly into the OS," says Firstbrook. "Exploit Guard will be updated by Microsoft so everyone can use it." He also points out that as WDEG is updated to detect and eliminate more hacker behaviors, attackers will be forced to change their tactics.
Taking a closer look at one of WDEG's four components, Controlled Folder Access aims to block ransomware attacks by giving admins more granular control over exactly which programs can access sensitive data. It locks down folders so only authorized apps can access them. Unauthorized apps -- including malicious executable files, DLLs, and scripts -- are denied access.
"Cybercriminals can't extort money if they can't encrypt your files," reports Microsoft's Malware Protection Center in a post on the update. By default, the tool protects common folders where data is stored but can be configured to protect more folders, or enable access for custom apps. Users are notified of attempts to access or modify files in protected folders.
Firstbrook says this approach is "more durable" in blocking ransomware. "Unless it's a program we know and understand, and a user has given permission to access files, we shouldn't allow [access]," he says.
In business settings, Controlled Folder Access can be activated and managed using Group Policy, PowerShell, or configuration service providers for mobile device management. Admins can customize notifications that appear for intrusion attempts.
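The PowerShell route mentioned above, as an added example that is not from the article or from Microsoft's documentation: it stages Controlled Folder Access in audit mode, adds a protected folder and an allowed application, reads the resulting Defender events, and then switches to enforcement. The folder and application paths are placeholders; the `Set-MpPreference`/`Add-MpPreference` parameters and the event IDs 1123 (blocked) and 1124 (audited) are the real ones used by Windows Defender.

```powershell
# Added example (not from the article). Run in an elevated PowerShell
# session on Windows 10 1709 or later. Paths below are placeholders.

# 1. Start in audit mode: nothing is blocked yet, but every write that
#    enforcement would stop is logged (event ID 1124), which reveals
#    legitimate apps that need an allow-list entry before you enforce.
Set-MpPreference -EnableControlledFolderAccess AuditMode

# 2. Protect a folder beyond the default user-profile locations.
Add-MpPreference -ControlledFolderAccessProtectedFolders 'D:\Finance\Reports'

# 3. Allow a line-of-business application that legitimately writes there.
Add-MpPreference -ControlledFolderAccessAllowedApplications `
    'C:\Program Files\Contoso\LedgerApp.exe'

# 4. Review what Controlled Folder Access audited or blocked recently.
#    Event IDs in the Defender operational log:
#      1123 = access blocked (enforcement), 1124 = access audited.
function Get-CfaEvents {
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1123, 1124
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Mode    = if ($_.Id -eq 1123) { 'Blocked' } else { 'Audited' }
            Message = $_.Message   # names the process and the target file
        }
    }
}
Get-CfaEvents -Hours 72 | Format-Table -AutoSize -Wrap

# 5. Enforce once the audit events show only unwanted writers remain.
Set-MpPreference -EnableControlledFolderAccess Enabled

# 6. Verify the effective configuration.
Get-MpPreference |
    Select-Object EnableControlledFolderAccess,
                  ControlledFolderAccessProtectedFolders,
                  ControlledFolderAccessAllowedApplications
```

The same settings can be pushed centrally with the Group Policy or MDM paths the article mentions; the event query is the part worth keeping, since 1123/1124 events are what a SOC would forward to confirm a ransomware attempt was stopped.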
IT typically spends a lot of time building and customizing images, and deploying them to devices with an OS already installed. The idea behind Windows AutoPilot is to simplify setup by pre-registering devices through the Windows AutoPilot Deployment Program. IT pros only have to connect them to the network and verify credentials.
AutoPilot lets users automatically join devices to Azure Active Directory and auto-enroll into MDM services like Microsoft Intune. It creates and auto-assigns devices to configuration groups based on the device's profile and restricts the creation of administrator accounts. Because the device knows it belongs to a business, it can skip several steps in the setup process.
However, there are a few prerequisites before this can happen. Devices have to be registered to the business, have the correct Windows 10 version installed, run Azure AD Premium P1 or P2, and use Intune or another MDM service for device management.
Application Guard isolates the Microsoft Edge browser from the Windows OS, applications, data, and network to protect users from online threats. If users are affected by malware or hacking attempts online, they won't affect the rest of the machine.
The move is intended to defend against the rise in kernel attacks, in which attackers use kernel exploits to break free of software sandboxes. Application Guard creates a "miniature" version of the Windows OS to host Edge when browsing the Internet, Microsoft explains. If someone visits a malicious website, their mini kernel protects the host machine and all the sensitive data on it. Windows 10 Enterprise users can run Edge in a fully isolated hardware environment so they can operate free of web-based malware, unpatched flaws, and zero-day exploits.
Microsoft first launched Windows Hello as a means of securing the authentication process in Windows 10. Now it's updating with a new, simpler admin experience and security features for Windows Hello for Business to defend against data breaches caused by misused, default, or stolen credentials.
New capabilities include Dynamic Lock, which automatically locks a device when the user is no longer in Bluetooth range. Multi-factor device unlock requires users to provide multiple factors and signals to unlock their machine; for example, both facial scanning and a PIN. In addition to Hello gestures like facial recognition and PIN, these factors include network location and device proximity. The Fall Creators Update also introduces support for remote PIN reset on corporate-owned phones.
The Creators Update gives multi-app support to Windows Assigned Access, which was created for business devices intended for specific purposes (kiosks, for example). Before, each device could only run a single app, and users couldn't access features or functions on the device beyond that one app.
Now, admins can configure multi-app devices using a provisioning package for corporate-owned, fixed purpose machines. This makes it easier for users to access only the tools they need, and prevents them from seeing functions they don't need to access. Admins can lock down devices to specific purposes and manage devices in the cloud.
Windows Defender Antivirus was updated with new "instant protection" to defend against polymorphic malware. This system relies on machine learning models on the local client and in the cloud. On a client level, it uses mostly linear high-performance models to find 97% of malware.
Beyond that 97%, additional data on potentially dangerous signals and files are sent to the cloud protection system, where intensive machine learning models apply computing power not possible on a client level. The extra 3% of threats are detected using greater processing power, in a way that doesn't interfere with client performance, by connecting with the Microsoft Intelligent Security Graph (ISG). The ISG leverages signals from endpoints, consumer services, commercial services, and on-premises technologies to identify new threats.
Windows Defender ATP was initially created to cut back on the time it takes to detect, investigate, and respond to advanced attacks. Its most recent update adds new prevention tools to stop attacks as they happen, before they can have a malicious effect.
This release includes detections for new indicators of attack based on recent attack techniques. New detections, for example, include dynamic script-based attacks and keylogging alerts. Security teams will be able to react to threats faster. For example, if someone is tricked into installing malware in their browser and the infection is stored in Windows Defender Application Guard, ATP will still give security pros visibility into the event so they can investigate later.
Security admins will also have broader visibility into security stack technologies through a larger "single pane of glass." In a single screen, they will be able to see active alerts, top users and machines at risk, protected machines, and overall service health.
Subscription Activation leverages Azure Active Directory to eliminate product keys and let admins assign Windows 10 Enterprise E3 or E5 licenses to Azure AD users directly. When a user logs in to a Windows 10 Pro machine, it automatically launches Windows 10 Enterprise so all of the associated features are instantly available.