Page | 2 www.Windows10update.com
Copyright Notice
INTRODUCTION TO WINDOWS 10 SECURITY - BY ONUORA AMOBI
UPDATED SEPTEMBER 15TH, 2015
© 2015 Nnigma Inc.
All rights reserved.
Any unauthorized use, sharing, reproduction or distribution of these materials by any means, electronic, mechanical, or otherwise is strictly prohibited.
No portion of these materials may be reproduced in any manner whatsoever, without the express written consent of the Publisher or Author.
Published under the Copyright Laws of The United States of America by:
Nnigma Inc.
3579 East Foothill Blvd, Suite #254
Pasadena, CA 91107
www.Nnigma.com
Legal Notice
While all attempts have been made to verify information provided in this publication, neither the author nor the publisher assumes any responsibility for errors, omissions or contradictory interpretation of the subject matter herein.
This publication is not intended to be used as a source of binding technical, technological, legal or accounting advice.
Please remember that the information contained may be subject to varying state and/or local laws or regulations that may apply to the user's particular practice.
The purchaser or reader of this publication assumes responsibility for the use of these materials and information.
Adherence to all applicable laws and regulations, both federal, state, and local, governing professional licensing, business practices, advertising and any other aspects of doing business in the US or any other jurisdiction is the sole responsibility of the purchaser or reader.
Nnigma Inc. assumes no responsibility or liability whatsoever on behalf of any purchaser or reader of these materials.
Windows 10, Windows 9, Windows 8.1, Windows 8.1 Update 1, Windows 8, Windows 7, Windows Vista, Windows XP, Surface Hub, Windows Holographic and all other related terms are registered trademarks of the Microsoft Corporation.
All Rights Reserved.
All other trademarks are the property of their respective owners.
All trademarks and copyrights are freely acknowledged.
Table of Contents
Introduction to Windows 10 Security ..... 6
Microsoft and the FIDO Alliance ..... 7
The comparison to Windows 7 and 8 Security features ..... 9
How Microsoft Windows 10 Will Protect Your Identity ..... 11
  Windows 10 – Protecting Your Identity and Controlling Access ..... 11
  The Pros and Cons of Biometrics ..... 12
  Facial Authentication ..... 16
  Windows Hello ..... 18
New Security Features in Windows 10 ..... 19
  Microsoft Passport ..... 19
  Passport2Go ..... 22
  BitLocker and TPM ..... 30
How Does BitLocker Drive Encryption Work? ..... 32
  Device Guard ..... 33
Required Hardware and Software for Device Guard ..... 34
  Why use Device Guard? ..... 35
  Enterprise Data Protection (EDP) ..... 37
How Does EDP Work? ..... 38
  Levels of Protection ..... 38
  EDP Allows Better Work Flow ..... 39
  Changing the Protection Levels on Documents ..... 39
  Enterprise Data Security ..... 40
  Wipe Enterprise Data Remotely ..... 40
  Copying or Downloading Enterprise Data ..... 41
  Privileged Apps and Restrictions ..... 41
  Persistent Data Encryption ..... 42
  Helps Prevent Accidental Data Sharing ..... 42
The Benefits of EDP ..... 43
  Enterprise scenarios ..... 43
Windows Defender ..... 44
  Configuration and Exclusions ..... 44
UEFI ..... 45
Advanced Threat Analytics ..... 47
  How Does It Work? ..... 48
  Virtual Secure Mode ..... 50
  Microsoft Virtualization Strategy and Security ..... 51
  Security Improvements ..... 52
Enterprise Mobility – Identity in the Enterprise ..... 53
  Cloud App Discovery ..... 55
    Managing Your Directory on the Cloud ..... 56
How Microsoft Windows 10 Will Protect Your Data ..... 57
  Azure Rights Management and Information Rights Management ..... 57
  Azure Administrative Tasks ..... 57
  Data Protection in Azure ..... 58
  Virtual Machines – Windows/LINUX ..... 58
  Key Vault Security ..... 59
  Azure Storage – Blobs, Tables, Queues ..... 59
  SQL Server and SQL Database ..... 59
  Access Control and Auditing ..... 60
    Mitigate the Risk of Compromised Accounts ..... 60
    Limiting Permissions ..... 60
    Privileged Accounts ..... 61
What is the Operations Management Suite? ..... 62
  Mobile Security ..... 63
  MDM – Mobile Device Management and the Business Store ..... 69
  Browser Security ..... 74
  Enterprise Mobility Suite ..... 75
  Office 365 ..... 76
  Conditional Access to Azure AD Connected Applications ..... 77
Windows as a Service – More Security via secure updates ..... 79
    Windows Update for Business ..... 80
Windows 10 and the Internet of Things ..... 81
  AllSeen and AllJoyn ..... 81
  Where Does Windows 10 Come In? ..... 82
  IoT Azure Security ..... 82
Summary ..... 85
Introduction to Windows 10 Security
Security has always been an issue for computer users. However, over the last couple of decades, security threats have become much worse.
While you may think you have the best security system possible on your PC, it is likely that you probably don't. Why? Because the landscape of cyber-threats is changing too fast for ordinary security software to keep up with.
Heck, you could buy a new security system for your computer right now and within 72 hours it would require a security update.
Cyber threats are becoming more complex and attackers more cunning. Viruses and malware, for example, have gained new abilities to hide and remain undetected.
Cyber-attacks are more sophisticated and highly targeted compared with years ago, when hackers could only hope for indiscriminate and unfocused damage.
In the early days, we had script kiddies, who aimed at causing mischief rather than damage.
Today criminal gangs conduct crimes such as click fraud and ID theft, purely for illicit profit. We also have activists and Internet terror groups whose sole aim is to cause as much disruption and damage as they can, as well as steal identities.
In the midst of this very treacherous landscape, Microsoft has taken up the challenge of keeping computer users safe. With Windows 10, the software company is introducing unprecedented levels of security safeguards into the very fabric of the Operating System.
I wrote this book because I wanted to take a brief look behind the curtain to see what types of security were embedded in Windows 10.
Here's what I found.
Microsoft and the FIDO Alliance
The FIDO (Fast Identity Online) Alliance was launched in 2012 as a way of addressing the lack of interoperability between strong authentication devices and the problems users have in remembering multiple usernames and passwords. PayPal and Lenovo, two of the biggest names in the industry, were founding members of FIDO. In just over a year after launch, many more big names had joined the alliance, including Google, Blackberry, Visa, SecureKeys and, of course, Microsoft.
So, how does the FIDO Alliance factor into Windows 10? To get to that, we need to go back a step or two, to talk about why Microsoft opted to join the Alliance.
Security problems on our devices are getting worse, partly because of the significant jump in malicious attacks and partly because of user behaviour. You see, it often comes down to passwords. Computer users often get sloppy and lax, and share their passwords with others.
That isn't the only problem, though; the next part of the puzzle involves the websites we visit. The issue is not that they are unsafe, because most of them are safe. It's just that, once again, that lazy gene comes out and we stick to using the same password for every single site that we have to log in to. Why do we do that? Because not only is it time-consuming to have to come up with a different complex password for each site, we have to remember them as well. The human brain can only hold so much information and, to help us out, we write those passwords down – which comes back to being lax and sloppy about security.
Because we are using the same login details for every site, it makes it easy for those details to be stolen. A malicious attacker will go for a weak website, one which doesn't have so much security on it, and once they have your details from that site, it doesn't take a genius to guess that you probably used the same ones to log in everywhere else! That gives the attacker an open pass, a master key if you like, to everything you have access to.
The final piece of the puzzle, one of the weakest links, is the device that you are using. It's not that it's no good, it's just that, up until now, any application would run on your device, regardless of content, until it was proven to be a bad apple. The only way that app would not run is if your anti-virus software or firewall picked it up and kicked it out. Not everyone has antivirus software installed, or they don't use the one that is already provided with Windows. That means that so much malware gets through the net that once it starts, it is difficult to stop it.
So how does Microsoft intend to fix this? The current PKI (public key infrastructure) is way too expensive and complex to maintain, and it is constantly under attack. The current CA (certificate authority) system is also under attack. An attacker can get to your certificate details before your IDP (Identity Provider) can give you a token, and that leaves every door in the house wide open. And, if that weren't enough, limited use of MFA (multi-factor authentication) leaves weak spots everywhere, weak spots that take little effort to get through.
In Windows 10, Microsoft is making it easier for you to log in while tightening the security net with MFA. With a combination of biometrics, PIN access and tying asymmetrical key pairs to a specific device, Microsoft is aiming to make it so that no one else, except for you, can access your resources and your applications. With Windows 10, Microsoft is bringing to market the next generation of user credentials. We'll run through them one by one in this book.
The comparison to Windows 7 and 8 Security features
Microsoft had to take a new approach to Windows 10 security for a couple of reasons.
First, security problems and challenges continue to evolve rapidly, and it was clear that there were new challenges that needed to be solved.
It was also clear that some of these challenges were a little bit more sophisticated than Windows 7 and Windows 8 were designed to handle.
To give you a quick overview, take a look at the table below, showing you the fundamental differences in security between Windows 7 and Windows 10:
Function: Identity Protection
  Windows 7: Password theft is too common now and current multi-factor solutions are simply too expensive and too difficult to deploy.
  Windows 10: Comes complete with an easy-to-deploy multi-factor solution, complete with anti-phishing and anti-theft features. Password protection and PINs are included in multi-factor security solutions.
Function: Data Protection
  Windows 7: Offers the option of configurable disk encryption but doesn't have integrated Data Loss Prevention (DLP). Can use third-party solutions, but not always successfully.
  Windows 10: Has market-leading disk encryption, very manageable, and increased out-of-band (OOB) security updates. Data separation and DLP are fully integrated.
Function: Threat Resistance
  Windows 7: Apps are always trusted until they are a threat, and there is no way of detecting the thousands of new threats that appear every day.
  Windows 10: Desktop machines can be locked down to a mobile level. There is the ability to have a trusted app model where those apps that are untrusted cannot run.
Function: Device Security
  Windows 7: The platform is securely built, but built on software alone, meaning malware can hide from security, embedding itself in devices.
  Windows 10: The platform is built on integrated hardware and software security and offers protection from being switched on to being shut down. There are no possibilities for system tampering and malware has no place to hide.
Basically, Microsoft took a holistic look at security and decided to attack some of the fundamental security flaws and challenges from a deep architectural perspective.
With Windows 10, Microsoft has implemented a wide variety of security solutions that protect both your software and the hardware:
• Windows Hello and Windows Passport handle ID protection.
• BitLocker and Enterprise Data Protection handle data protection.
• Device Guard and Windows Defender protect against multifaceted threats.
• UEFI Secure Boot, TPM 2.0 and Virtualization keep your hardware safe.
Let's take a closer look at each of these solutions.
How Microsoft Windows 10 Will Protect Your Identity
First up is identity protection. Identity theft is the one thing that concerns computer users the most.
Every day, more stories are published about people whose identity has been stolen and used to commit fraud and that, quite understandably, makes consumers nervous. Windows 10 looks set to make users feel good about using a computer again, to make them feel secure.
Windows 10 – Protecting Your Identity and Controlling Access
The next topic of discussion is a new solution to protect one's identity, a solution that leaves behind the old-fashioned use of single-factor authentication, like passwords. It is a solution that protects you when a breach happens in the data center.
It also protects your data from being stolen if your device happens to be compromised and it stops phishing attacks in their tracks.
Once you are enrolled in the system, your device becomes one of the two factors that you need for authentication; the other is a PIN number or biometric information, such as your fingerprint.
The systems in question are Windows Hello and Windows Passport, two systems that work together to provide the ultimate in identity protection. Let's go a little deeper and examine what each system has to offer.
This security solution benefits consumers and business users alike and provides the convenience of using a password without all the hassle of having to remember it or forgetting who you gave it to. Microsoft is taking security to a whole new level to bring its customers complete identity protection with multi-factor authentication.
Let's take a look at the systems that Microsoft chose to use and why they chose them. First, biometrics. What is it exactly? Biometrics is the study of biological characteristics that can be measured. In computer security, biometrics is increasingly used to make it more difficult for systems to be hacked through the old-fashioned password system.
The biometrics in this instance refer to physical characteristics that can easily be checked against what information is stored in the system. There are a number of ways that biometrics are used for authentication:
Facial: the analysis of different facial characteristics
Fingerprint: analysis of the unique fingerprints of each person
Hand Geometry: the shape of the hands and the finger length
Retinal: analysis of the capillary vessels at the rear of the eye
Iris: analysis of the colored ring surrounding the pupil in the eye
Signature: how a person signs his or her name
Vein: pattern of the veins on the back of a hand and in the wrist
Voice: tone and pitch of a voice, as well as the frequency and cadence
Biometrics is still a relatively new development but it is fast becoming the way to go with computer security systems.
The Pros and Cons of Biometrics
There are pros and cons to every form of biometric authentication. Given that Microsoft has chosen to adopt this as a security measure, it is important to review the arguments for and against the use of the new technology.
The arguments for using it for network access revolve mainly around three key areas. The first and perhaps the most obvious is that biometric authentication uses attributes that are unique to the individual, making it the ideal form of security.
The second argument for using biometrics is that users will no longer be able to forget their passwords, or share them with others, knowingly or inadvertently. Password administration systems and overheads are considerably reduced as well, and this is one of the driving factors in adopting biometric authentication.
The third argument is that it will be incredibly difficult for a person's biometric characteristics to be replicated, far more difficult than it is to replicate a password or user ID. Also, whereas tokens can be stolen or lost, biometric characteristics cannot.
Arguments against the use of biometrics are many, showing just how controversially it is viewed in some quarters. First and foremost, it is still expensive to implement biometric authentication measures, meaning that many organizations cannot afford it. The cost of both the hardware and software required may be prohibitive to many, along with the cost of integrating it with current systems in place.
There is also the argument that, right now, biometric systems are only suited to simplistic networks. This is paired with some current thinking that, as an all-or-nothing technology, it may not suit many organizations at this stage. All-or-nothing means that you can go to the expense of having biometric authentication on every single computer on the network, but it counts for nothing if a user can log on to the system from a remote location without needing to use it; that would undermine everything and make the expense a complete waste of time.
There is also the argument that the storage of biometric information is an invasion of privacy, but those in favor of it say that it is only a representation of the data, not the original data, that is being stored. Of course, there is another angle to this – given the rate at which a successful technology will spread, there is concern that, should a user's biometric data be compromised, not only does it affect network security, that data could also be used for a large number of illegal activities.
One final but significant concern is that using biometric data is not the same as using a key and does not have the same random, secret nature of a key. Neither does it have the ability to update and destroy itself. If a person's biometric data is compromised, it is not a simple case of issuing new biometric data – clearly that can't be done!
So, given all the controversy surrounding the use of biometrics for security, why has Microsoft opted to adopt it? The simple answer is reliability. The consequences of having a system that runs using old-fashioned methods can be damaging, with confidential information stolen and data integrity compromised.
Also, let's face it, many of the applications we use in our daily lives require some form of authentication. As far as Microsoft is concerned, by using biometric authentication to get into Windows 10, you can also use it to access all your Microsoft accounts and apps – there isn't a need to remember separate passwords for each app.
Passwords can be stolen or replicated; biometric information cannot. In addition, biometric information can be positively linked to a specific person – for example, a credit card can be used without the actual user being there, whereas biometrics requires you to be at the computing device to log in.
Windows 10 is set up to provide modern biometric capabilities that allow users to easily unlock their devices and to unlock NGC – Next Generation Credentials – for a much more improved and secure password-free existence.
The Internet can be a hostile place and consumers want a safer, more reliable experience and a better authentication system than we have now. They want a system that is secure; a system that leaves passwords in the dust, yet still gives them access to everything they need. With Windows 10, Microsoft set out to do just that, setting out a series of goals they wanted to meet:
• To enable both consumers and enterprise users to be able to unlock their devices, make payments and secure their content – all without using a password and in a more secure way
• To develop hardware solutions that, at the very least, meet, if not exceed, the expectations of the customer; hardware that is robust and easy to use
• To deliver biometric devices that are innovative and give the customer value
To this end, Windows 10 has been developed to support a wide range of biometrics – fingerprint, facial or iris recognition – whichever suits the user best. Special hardware is required to support this, and those devices that meet the requirements of Windows 10 for biometric authentication will benefit in a number of ways:
• Easy and convenient logon and very strong authentication
• Enterprise level security with access to HBI (High Business Impact) resources
• Consistent inbox enrolment and usage across Windows enabled biometric devices
In addition, Windows 10 also supports an inbox Face Authentication solution that is available for all OEMs that provide the supported hardware, without the need to rely on third parties.
Facial Authentication
Windows 10 brings a new level of Face Recognition to the table; a system that allows for the easy authentication and unlocking of Windows devices, as well as access to content that is NGC-supported. This is all without the need to use passwords or any additional authentication factors.
Features: Windows 10 Face Authentication features include:
• An interface that is user-friendly, providing the capability for single sign-on. There is no need for the use of passwords or any other authentication credentials.
• Enterprise grade authentication, as well as access to NGC supported content – network resources, purchased content and websites.
• Anti-spoofing measures are included to eliminate the chance of physical attack – no one except you can log on to your system.
• Using Clean Infrared, clean and consistent images can be produced, even in diverse lighting situations. The system also allows for slight changes in appearance, such as the addition or removal of facial hair, makeup, glasses, etc.
Use Cases: There are three primary use cases for Face Authentication:
1. Authentication needed to unlock or log in
On average, the system takes less than 2 seconds to recognize your face, although it may take up to 30 seconds – but no more than that. This is expected to be used at a high frequency since it is required whenever a user needs to authenticate their device and get past the lock screen.
2. Authentication to Purchase
On average, the system will recognize a face in less than 2 seconds, but up to a maximum of 30 seconds. This is required every time an application needs a user to re-authenticate their details and is not expected to be a frequently occurring use case.
3. Presence
The average duration of recognition is 1.5 to 30 seconds, although it may take longer. The frequency of usage is expected to be low and, using new presence APIs, applications will be able to use sensors to determine if the authenticated person is present at the device or if it is an unknown or guest user.
So let's talk a little bit about Microsoft's facial detection security mechanism…
Windows Hello
Windows Hello provides biometric authentication, allowing you instant access to any of your Windows 10 devices, whether desktop or mobile.
Forget trying to remember cumbersome passwords – with Windows Hello you will be able to look at your webcam or use your fingerprint to be immediately recognized and allowed access.
As well as being much more convenient, it is also a more secure method than using a password.
Windows 10 introduces a new system that allows you to authenticate enterprise content, applications, and even online experiences without having a password stored where it can be stolen.
Windows Hello works with your face, your iris or with a fingerprint (you will need a compatible webcam and/or fingerprint sensor). After implementation, only you and your partnered device can be used to access your Windows 10 apps, websites, and data. This is done using a series of modern sensors that will recognize characteristics that are personal to you.
Unless your device already has an Intel RealSense compatible camera or fingerprint sensor, you will need to upgrade to one of a large number of Windows 10 devices that will soon support Windows Hello.
For facial detection, Windows Hello uses software and special hardware to verify your identity – it won't work if someone holds up a photograph of you, for instance.
The Intel RealSense enabled cameras use infrared technology to take a very comprehensive 3D image of your face. This allows for not only a great feel for the look of your face, but the depth as well.
The cameras are stunningly reliable and can verify your identity in a wide range of lighting conditions.
Windows Hello is a solution that will be used not only by consumers but also by defense, government, health organizations, financial organizations and others to bring better security and eliminate the threat of imposters or hackers.
New Security Features in Windows 10
The following are some more of the new and exciting security features that Windows 10 is bringing to the table.
Microsoft Passport
Windows Hello is not the whole story, however. Microsoft has also introduced Microsoft Passport.
Passport is designed to do away with passwords, allowing system IT managers, website authors, and software developers to include a more secure way of letting you sign in to their apps or sites.
Instead of using the old-fashioned method of a password, Windows Passport is designed to securely verify your identity and authenticate you on websites, applications, and networks without the need to store a password on the servers – thus eliminating the threat of theft through hacking.
Windows 10 replaces the password system with a private key or PIN that will allow you access to either your own personal data or to your organization's data. That PIN is linked to your device only and will not work without it.
If you tried to log in using your PIN on another device, you would be barred from entering. Obviously, you will need to set up a separate PIN for each device that you intend to use, but that just adds a further layer of security – no one can access your data from just any device any longer, making your data and your identity safe from unwanted attention.
Why did Microsoft go down the route of using a PIN number? Surely that is just as bad as using a password, isn't it? No. A PIN is significantly faster to use and is way more secure than a password. Next question – how can such a short PIN be more secure than a complex password? This is because it doesn't really have anything to do with size.
WherethePINdiffers fromapassword is thatapasswordcanbeused foraccess onanydevice;thePINisuniquetoaspecificdevice.ThatmeansthatifsomeoneweretostealyourPINandtrytoaccessyourdata,theycouldn’tdoit,unlesstheywereusingthedevicethePINwaslinkedto.Eventhen,theywouldstillneedtogetpastthebiometricloginandthatcannotbedonebyanyoneotherthanyou.Makesense?ThinkofitasbeinglikeyourcreditcardPIN.A person could not steal your PIN number and then use it on their own card in a cashmachine.ThatPINistiedtothatcardandthatishowtheMicrosoftPassportPINworkstoo.Noneofthisisrequired–itisentirelyyourchoiceifyouchoosetouseMicrosoftWindowsHelloandPassport.Youmaybeconcernedthatyouruniquebiometric informationcanbestolen and used, and it is for that reason that Microsoft stores your unique biometricinformationonyourdeviceonly,notonanyeternalsystemorserverandit issharedonlywithyou.
Itcanonlybeusedasamethodofunlockingyourdeviceandisneverusedtoauthenticateyouoveranopennetwork.
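The device-bound property the passage describes can be seen in a small simulation. The following Python code is an added example, not part of the original text and not Microsoft's implementation: the `Device` class generates a key pair locally and releases a signature only when the PIN check passes, while the `RelyingParty` keeps nothing but public keys. The toy RSA routines, the PBKDF2 PIN check, the user name and the sample PIN are all constructed for the demo; real Passport keys are held by the TPM and are far larger than these.

```python
import hashlib
import hmac
import secrets


def _is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin probable-prime test (constructed for the demo)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int) -> int:
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(candidate):
            return candidate


def generate_keypair(bits: int = 128):
    """Toy RSA key pair (n, e, d). Deliberately small: only the protocol shape matters here."""
    e = 65537
    while True:
        p, q = _random_prime(bits), _random_prime(bits)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            return p * q, e, pow(e, -1, phi)


def _digest_mod(challenge: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(challenge).digest(), "big") % n


class Device:
    """The user's device: the private key never leaves it; the PIN only unlocks local use."""

    def __init__(self, pin: str):
        self.n, self.e, self._d = generate_keypair()
        self._salt = secrets.token_bytes(16)
        self._pin_hash = self._hash_pin(pin)

    def _hash_pin(self, pin: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self._salt, 100_000)

    def public_key(self):
        return (self.n, self.e)

    def sign_challenge(self, pin: str, challenge: bytes):
        if not hmac.compare_digest(self._hash_pin(pin), self._pin_hash):
            return None  # wrong PIN: the key stays locked and nothing is sent
        return pow(_digest_mod(challenge, self.n), self._d, self.n)


class RelyingParty:
    """The site or service: it keeps public keys only, so a server breach yields no reusable secret."""

    def __init__(self):
        self.registered = {}

    def register(self, user: str, public_key) -> None:
        self.registered[user] = public_key

    def new_challenge(self) -> bytes:
        return secrets.token_bytes(32)  # fresh nonce per login: a captured response cannot be replayed

    def verify(self, user: str, challenge: bytes, signature) -> bool:
        if signature is None or user not in self.registered:
            return False
        n, e = self.registered[user]
        return pow(signature, e, n) == _digest_mod(challenge, n)


def login(rp: RelyingParty, user: str, device: Device, pin: str) -> bool:
    challenge = rp.new_challenge()
    return rp.verify(user, challenge, device.sign_challenge(pin, challenge))


def demo() -> dict:
    pin = "4821"                    # constructed sample PIN
    laptop = Device(pin)            # key pair generated at enrolment, bound to this device
    rp = RelyingParty()
    rp.register("irwin", laptop.public_key())
    other_device = Device(pin)      # same PIN, but a different device with its own key pair
    return {
        "own_device_right_pin": login(rp, "irwin", laptop, pin),
        "own_device_wrong_pin": login(rp, "irwin", laptop, "0000"),
        "stolen_pin_other_device": login(rp, "irwin", other_device, pin),
    }
```

Running `demo()` shows that the right PIN on the enrolled device authenticates, the same PIN on any other device does not, and a wrong PIN never produces a response at all; the relying party's user table holds only public keys, which is what makes the server-side password store unnecessary.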
Passport2Go
Passport2Go is part of the Passport system that allows you to specify whether a device is for personal or for business use. Let's go through an example of Passport2Go in use.
Fun Fact: Microsoft uses the fictional Contoso Company for examples in many of their presentations and documents.
Irwin works for a consulting company that provides its services to Contoso. Contoso gives its partners cloud-only accounts through Azure Active Directory (AAD) when it is necessary. Irwin has a long-running engagement that requires him to have an AAD account and, through his work for Contoso, he has an allowance which lets him buy a device that is ONLY for use for his Contoso work. How does he set this device up so that he can only use it in this way?
By enabling Passport2Go. When you sign up to Passport2Go, you define whether your device is a personal or business-use device. Let's walk through the example:
In our example, choosing organization use gives Irwin access to all the resources that he needs for his work.
Next Irwin has to determine how he is going to connect. Because Contoso provides him with an AAD account, that is the option he selects.
Irwin is now taken to the AAD sign-in page where he signs in with his Microsoft or Office 365 credentials, starting with his email address.
Then his password...
Irwin is then directed to the Contoso sign-in page on AAD.
Now it's time for Irwin to set up his PIN, which will allow him to unlock the device and access everything he needs in order to do his work.
PINs are far more secure than passwords and are much shorter. As we mentioned before, you may question how a shorter PIN could be more secure than a long and complex password. Microsoft has the answer to that:
The next step for Irwin is to choose how to verify his account. He has a choice of four options – text message, phone call, a notification that is sent to his authenticator app, or using the authenticator app to generate a security code.
Irwin opts for the text message…
Once he has received the message verifying his account, Irwin can create his PIN.
Because he has ticked the box that says, “Use a 4-digit PIN”, his new PIN is not accepted and he sees a message that tells him there are special requirements for the PIN.
Contoso has set specific requirements for the complexity of the PIN, and these instructions are now revealed to Irwin, allowing him to create a PIN that ties in with what they want.
Once Irwin has successfully set his PIN up, the changes are applied, which may take a few seconds to a couple of minutes.
Finally, the NGC (Next Generation Credentials) container is loaded and Irwin has full access to all the apps and systems he needs for work.
BitLocker and TPM
Windows BitLocker Drive Encryption is a brand new security feature that protects your data more efficiently. It does this by encrypting every single piece of data that is stored on the Windows OS system volume – the partitions on your hard disks.
TPM – the Trusted Platform Module – is a special chip that stores a key pair that is called the Endorsement Key. The key pair is kept inside the TPM chip and is not accessible by software.
When the user or an administrator takes ownership of a device, a Storage Root Key is created. The key pair is generated by the TPM and is based on the Endorsement Key and a password specified by the owner.
Another key, which is called the Attestation Identity Key, works to protect the device from unauthorized modifications by software or firmware. It does this by hashing vital parts of the software and firmware before they can be executed.
When the system tries to connect to a network, a server verifies those hashes by checking that they match expected values.
If any of the hashes have been modified since they were last verified, there will be no match and the system will not be able to gain entrance to the network.
Windows BitLocker uses the TPM to protect the operating system and all the user data. It also helps to protect the user's computer from being tampered with, even if it is lost or stolen.
That said, BitLocker can be used without a TPM but, from 2016, Microsoft will require computers to have TPM 2.0.
If you do use it without a TPM, you must configure BitLocker to store your encryption keys on a USB flash drive, which must then be used whenever you want to unlock the data that is stored on a particular volume.
Trusted Platform Module, or TPM, provides a number of essential security services, including:
• Securely recording boot process measurements.
• Deriving and sealing keys based on a specific boot sequence.
• Providing a root of trust to the Cloud.
• Protecting every one of these processes from malware or a malicious user.
TPM 2.0 goes a little further than that and updates the capabilities provided in TPM 1.2:
• Cryptographic strength is updated to meet modern standards in security.
• It is more flexible on cryptographic algorithms in order to better support government needs.
• Better management consistency across all implementations.
How Does BitLocker Drive Encryption Work?
In a nutshell, it protects your entire system by encrypting all of the data.
If a TPM is used to lock the encryption keys, those keys cannot be accessed until the state of the computer has been verified by the TPM.
If there are any signs of tampering, the TPM will not authorize the release of the keys.
By encrypting the entire contents of the volume, you are protecting everything – your own personal data, the operating system itself, temporary files, Windows registry files, and the hibernation file.
Because the keys are locked by the TPM, even if your hard drive were stolen and inserted into another device, the thief would not be able to read your data.
When you start your device, the TPM compares a hash of system configuration values with a snapshot that was taken earlier, to verify the startup process.
If all is OK, the TPM will release the key, and the encrypted data can be unlocked. If your Windows installation shows signs of tampering, the key won't be released; it's as simple as that.
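The measurement, sealing and network-side verification steps described in the TPM section and in this BitLocker walkthrough can be simulated end to end. This Python block is an added example, not the original text and not the TPM specification: `measure_boot` models the PCR extend chain, `ToyTpm.seal` and `unseal` release the volume key only when the measured state matches the value it was sealed to, and `quote` with `verify_quote` models the server comparing reported hashes against expected values. The boot component strings, the HMAC stand-in for the Attestation Identity Key and all class and function names are constructed assumptions.

```python
import hashlib
import hmac
import secrets

PCR_INIT = b"\x00" * 32  # platform configuration registers start at zero on every power-on


def extend(pcr: bytes, component: bytes) -> bytes:
    """PCR extend: new = SHA-256(old || SHA-256(component)). One-way and order-dependent."""
    return hashlib.sha256(pcr + hashlib.sha256(component).digest()).digest()


def measure_boot(components) -> bytes:
    """Feeds each boot component (firmware, boot manager, loader...) into the PCR in order."""
    pcr = PCR_INIT
    for component in components:
        pcr = extend(pcr, component)
    return pcr


class ToyTpm:
    """Simplified TPM: seals secrets to a PCR value and quotes the PCR with an attestation key."""

    def __init__(self):
        self._sealed = []                      # (expected_pcr, secret) pairs, kept inside the "chip"
        self._aik = secrets.token_bytes(32)    # stand-in for the Attestation Identity Key (assumption)

    def seal(self, secret: bytes, expected_pcr: bytes) -> None:
        self._sealed.append((expected_pcr, secret))

    def unseal(self, current_pcr: bytes):
        """Releases a sealed secret only when the measured state matches the value it was sealed to."""
        for expected, secret in self._sealed:
            if hmac.compare_digest(expected, current_pcr):
                return secret
        return None

    def aik_public(self) -> bytes:
        # Real AIKs are asymmetric; here the verifier learns the HMAC key at enrolment instead.
        return self._aik

    def quote(self, current_pcr: bytes, nonce: bytes) -> bytes:
        """Binds the PCR value to the verifier's nonce so an old report cannot be replayed."""
        return hmac.new(self._aik, current_pcr + nonce, hashlib.sha256).digest()


def verify_quote(aik_key: bytes, expected_pcr: bytes, reported_pcr: bytes, nonce: bytes, quote: bytes) -> bool:
    """Network-side check: the quote must be genuine and the reported PCR must equal the known-good value."""
    expected_quote = hmac.new(aik_key, reported_pcr + nonce, hashlib.sha256).digest()
    return hmac.compare_digest(expected_quote, quote) and hmac.compare_digest(expected_pcr, reported_pcr)


# Constructed boot chains: the second has a modified boot manager.
GOLDEN_BOOT = [b"firmware 1.2", b"bootmgr build 10240", b"winload + ntoskrnl"]
TAMPERED_BOOT = [b"firmware 1.2", b"bootmgr build 10240 (modified)", b"winload + ntoskrnl"]


def demo() -> dict:
    tpm = ToyTpm()
    vmk = secrets.token_bytes(32)            # stand-in for BitLocker's volume master key
    golden_pcr = measure_boot(GOLDEN_BOOT)   # the "snapshot taken earlier"
    tpm.seal(vmk, golden_pcr)
    tampered_pcr = measure_boot(TAMPERED_BOOT)
    nonce = secrets.token_bytes(16)          # issued by the network-side verifier
    aik = tpm.aik_public()
    return {
        "clean_boot_releases_key": tpm.unseal(golden_pcr) == vmk,
        "tampered_boot_releases_key": tpm.unseal(tampered_pcr) is not None,
        "clean_attestation_accepted": verify_quote(aik, golden_pcr, golden_pcr, nonce, tpm.quote(golden_pcr, nonce)),
        "tampered_attestation_accepted": verify_quote(aik, golden_pcr, tampered_pcr, nonce, tpm.quote(tampered_pcr, nonce)),
        "reordered_boot_matches": measure_boot(list(reversed(GOLDEN_BOOT))) == golden_pcr,
    }
```

Because each extend step hashes the previous register value together with the new measurement, the same components loaded in a different order also produce a different PCR, which is why the sealed key is tied to a specific boot sequence and not just to a set of files.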
By default, BitLocker is set up to work with the TPM, and you can also combine this with a user-entered PIN or another startup key that is stored on a USB flash drive. This startup key is a requirement if you do not have a compatible TPM to hold the locking keys.
BitLocker goes a step further than that in Windows 10 – it can also be used to encrypt individual files. While it is normally used for the entire drive, if you need to send specific files using email or a USB key, they have to be encrypted on a file-by-file level.
Users can opt to encrypt their files from the “Save As” dialogue box or by using Windows File Explorer. In this case, all you need to do is right-click on a file and choose from the encryption options. All encrypted files then show up in green, allowing you to see at a glance what has and has not been protected.
One of the more common uses of BitLocker is downloading sensitive documents from a website. In this case, web files are automatically encrypted, giving you the peace of mind that comes from knowing that the information is completely secure.
Device Guard
So, Microsoft is going to protect your identity and your data, but what about the device you are using? Windows 10 includes a number of ways to lock down your device, adding in extra protection and threat resistance. Users inadvertently download most malware onto a device, so Microsoft is introducing a new system of only allowing trusted apps to be installed and/or run on your device. Trusted apps are those that have been signed by the Microsoft signing service, although the device will have to be configured for this. That new feature is called Device Guard.
Device Guard is a new piece of firmware that runs at hardware level before and during the boot-up process. It is designed to only allow applications and scripts that have been properly signed to load up, and is already proving to be a popular feature, with many OEMs ready to install it on new devices.
Device Guard is a combination of software and hardware features that need to be configured together. When this is done, the device will be locked down to only run trusted applications. It works by using the new virtualization-based security feature that Windows 10 includes – a system that isolates the Code Integrity service from the Windows kernel and allows the service to use enterprise-controlled, policy-defined signatures to determine what can and what can't be trusted.
The basic function of Device Guard is to test each process that is being loaded into memory to be executed. It will run this test both before and during the boot-up process, will check to see if the process is genuine based on signatures, and will stop anything that does not have the proper signature from loading.
The technology that Device Guard uses is embedded at hardware level, as opposed to software, which isn't always 100% accurate at detecting malware. It uses virtualization for the correct decision-making process, to tell the device what it should and shouldn't allow to load into memory.
This level of isolation should stop malware in its tracks, as it won't be allowed to load onto the device, even if the attacker already has control of the systems where Device Guard is installed.
According to Microsoft, this system is more secure than the traditional anti-virus methods we use today, even more secure than app control technologies like Bit9 and AppLocker, as these can be tampered with, either through malware or through system administration.
Required Hardware and Software for Device Guard
In order to use Device Guard, you will need to install the following hardware and software and then configure it:
• Device Guard will only work with Windows 10
• UEFI Secure Boot – helps to protect the integrity of the device at hardware level
• Trusted Boot – designed to help protect against attacks at the rootkit level
• Virtualization-based Security – Hyper-V protected container that separates Windows 10 processes
• Package Inspector Tool – helps users to create a list of the files that must be signed for Classic Windows applications
Why use Device Guard?
Every single day, thousands of new malicious files are created, and using the traditional method of signature-based detection to fight the malware is not adequate anymore. With Device Guard, that malware cannot be downloaded because the apps that contain it are not trusted. Up to and including Windows 8.1, an app would be trusted automatically unless a firewall or anti-virus blocked it – with Windows 10, an app won't run unless it is trusted first.
Device Guard will also help to protect against Zero Day attacks and will also combat challenges put up by polymorphic viruses.
In an enterprise setting, the Code Integrity policy must be set up to determine which apps are trusted. As well as that, specific software and hardware configurations are required:
• UMCI – User Mode Code Integrity
• Kernel code integrity rules that include WHQL signing constraints – Windows Hardware Quality Labs
• Secure Boot that has db/dbx database restrictions
• OPTIONAL – virtualization-based security to protect kernel mode apps, system memory and drivers from tampering
• OPTIONAL – TPM 2.0
Before you can use Device Guard, you should enable the virtualization-based security feature on capable devices, make sure that the Code Integrity policy is configured, and then configure any other settings that are required by you for Windows 10. After that, Device Guard will work like this:
1. Your device boots up with UEFI Secure Boot – this will stop rootkits from running, allowing Windows 10 to start up first.
2. Once safely started up, Windows 10 will start the Hyper-V virtualization-based security features, including Kernel Mode Integrity. These will protect the Windows kernel, any privileged drivers and your system anti-malware solutions by stopping malware from running in the boot process or in the kernel once the device has started up.
3. Using UMCI, Device Guard checks your system to make sure that anything that is meant to run in User Mode is trusted, including Classic Windows apps, Universal Windows Platform apps, or a service. Only binaries that are trusted will be allowed to run.
4. As Windows 10 is starting up, the TPM starts up as well, helping to protect sensitive information by providing a hardware component that is isolated from everything else. This protects your certificates and user credentials from attack or theft.
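The UMCI decision in step 3 above, as an added Python example that is not from the original text or from Microsoft's Code Integrity implementation: a `CodeIntegrityPolicy` holds publisher rules and hash rules and decides, in enforced or audit mode, whether an image may load, writing an event either way. Authenticode signature checking is replaced by an HMAC stand-in (`PUBLISHER_KEYS`, `sign`), and the publisher names, file paths and binary contents are constructed for the demo.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Optional

# Constructed publisher signing keys: stand-ins for code-signing certificates (HMAC, not real Authenticode).
PUBLISHER_KEYS = {
    "Contoso Software": b"contoso-signing-key",
    "Fabrikam Tools": b"fabrikam-signing-key",
}


def sign(publisher: str, content: bytes) -> bytes:
    return hmac.new(PUBLISHER_KEYS[publisher], content, hashlib.sha256).digest()


@dataclass(frozen=True)
class Binary:
    path: str
    content: bytes
    publisher: Optional[str] = None
    signature: Optional[bytes] = None

    def sha256(self) -> str:
        return hashlib.sha256(self.content).hexdigest()

    def validated_signer(self) -> Optional[str]:
        """Publisher name if the signature verifies over the bytes about to be loaded, else None."""
        key = PUBLISHER_KEYS.get(self.publisher) if self.publisher else None
        if key is None or self.signature is None:
            return None
        expected = hmac.new(key, self.content, hashlib.sha256).digest()
        return self.publisher if hmac.compare_digest(expected, self.signature) else None


@dataclass
class CodeIntegrityPolicy:
    trusted_publishers: set          # publisher rules
    allowed_hashes: set              # hash rules, e.g. for unsigned line-of-business binaries
    enforce: bool = True             # False models audit mode: log what would be blocked, but let it run
    events: list = field(default_factory=list)

    def is_trusted(self, binary: Binary):
        signer = binary.validated_signer()
        if signer in self.trusted_publishers:
            return True, f"publisher rule ({signer})"
        if binary.sha256() in self.allowed_hashes:
            return True, "hash rule"
        return False, "no matching rule (unsigned, tampered, or untrusted publisher)"

    def load(self, binary: Binary) -> bool:
        """Returns whether the image may execute, logging the decision either way."""
        trusted, reason = self.is_trusted(binary)
        if trusted:
            self.events.append(f"ALLOW {binary.path}: {reason}")
            return True
        if self.enforce:
            self.events.append(f"BLOCK {binary.path}: {reason}")
            return False
        self.events.append(f"AUDIT {binary.path}: would block, {reason}")
        return True


def demo() -> dict:
    # Constructed sample binaries.
    payroll = b"payroll.exe bytes v1"
    signed_ok = Binary("C:\\Apps\\payroll.exe", payroll, "Contoso Software", sign("Contoso Software", payroll))
    tampered = Binary("C:\\Apps\\payroll.exe", payroll + b" patched", "Contoso Software", signed_ok.signature)
    untrusted_pub = Binary("C:\\Apps\\tool.exe", b"tool bytes", "Fabrikam Tools", sign("Fabrikam Tools", b"tool bytes"))
    legacy = Binary("C:\\LOB\\legacy.exe", b"legacy unsigned bytes")
    unknown = Binary("C:\\Users\\irwin\\Downloads\\setup.exe", b"who knows")

    enforced = CodeIntegrityPolicy({"Contoso Software"}, {legacy.sha256()})
    audit = CodeIntegrityPolicy({"Contoso Software"}, {legacy.sha256()}, enforce=False)
    return {
        "signed_trusted": enforced.load(signed_ok),
        "tampered_after_signing": enforced.load(tampered),
        "untrusted_publisher": enforced.load(untrusted_pub),
        "hash_rule_unsigned": enforced.load(legacy),
        "unknown_enforced": enforced.load(unknown),
        "unknown_audit_mode": audit.load(unknown),
        "audit_events": audit.events,
    }
```

The audit mode matters in practice: running the policy in audit first and reviewing the `AUDIT` events shows which line-of-business binaries would need a hash rule before the policy is switched to enforced.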
Enterprise Data Protection (EDP)
Microsoft also has a new DLP – data loss prevention – system.
While consumers can use it, it is aimed mainly at corporations, due to the large number of employee-owned devices that are now being used under the BYOD – “Bring Your Own Device” – banner.
Due to the large numbers of these devices, the risk of accidental data disclosure is now much higher than it ever was, basically because of the number of external apps and services that are also in use on the device – outside of the control of the enterprise.
This includes email, social media and cloud services, and all the applications we use on our mobile devices on a daily basis.
Yes, there are solutions that attempt to address this by asking employees to switch between containers for personal and corporate use, but this isn't a very efficient way of working.
The new feature in Windows 10 is called EDP – Enterprise Data Protection – and it offers up a much better user experience while, at the same time, helping to keep personal and corporate activities separate.
EDP helps to protect corporate apps and data from the risk of disclosure without asking users to change the system they are working on.
Furthermore, in conjunction with RMS – Rights Management Services – EDP can also protect your corporate data on a local basis, even when your data is roaming or is being shared.
How Does EDP Work?
Enterprise Data Protection is designed to counteract and address everyday workplace challenges, such as:
• Dealing with severe data protection leaks
• Maintaining enterprise data privacy
• Managing those apps that are not policy-aware, in particular on mobile devices
• Handling a previous inability to lock down an employee device, which would potentially allow data to be leaked
Levels of Protection
EDP can be set to four different levels of protection:
Block: The feature looks for data sharing that is not appropriate and blocks the employee from completing the share.
Override: The feature will look for any data sharing that is not appropriate, telling the relevant employees that they are doing something wrong. However, this can be overridden at the employee level and the data can still be shared – but the action will be logged in the audit log.
Audit: EDP runs quietly in the background, logging all data sharing and flagging those that are inappropriate. However, it will not block anything, only monitor and record.
Off: EDP is not active and does not protect any of your data.
EDP Allows Better Workflow
Because employees will no longer have to switch between environments or apps to protect enterprise data, workflow is uninterrupted and productivity can potentially increase significantly.
An example of this would be if an employee is checking their corporate email account and they receive a personal email. Instead of having to exit out of their corporate account, both messages would appear on the screen together.
Changing the Protection Levels on Documents
Employees have the ability to change the protection levels set on documents under Enterprise Data Protection.
They can only do this if the document is a personal one and has been incorrectly marked as enterprise. To do this, it requires employees to take an action, and this will be logged for management to see.
Enterprise Data Security
Enterprise admins need to be able to maintain the confidentiality and the security of their data. With Enterprise Data Protection, you can make sure that corporate data is fully protected on devices owned by employees, even when the device is not being used.
When your employees create content on their devices, they are asked to define whether it is personal or corporate data – if it is corporate, it is immediately brought under the local data protection.
Wipe Enterprise Data Remotely
EDP also offers managers the option of remotely wiping all corporate data from a device that is managed by the corporation and used by the employee, without touching any of the personal data on that device. This is of huge benefit when a device is stolen or an employee leaves the company.
Corporate documents are stored locally on the device and are encrypted using an enterprise identity.
When you want to wipe the device, you will need to go through a verification process, after which a command can be sent through the mobile management system to remotely wipe the data. When the device is connected to a network, the data is removed and the encryption keys are irretrievably revoked.
This will only happen on devices that have been specifically targeted – all other devices will work normally.
Copying or Downloading Enterprise Data
When data is targeted for download from a corporate source like SharePoint or Office 365, it is determined to be enterprise data and will be encrypted before being stored locally.
The same will apply to any data that is copied from the enterprise to a USB flash drive. Because the data is already marked down as being enterprise data, the encryption will follow the data to the new storage device.
Privileged Apps and Restrictions
With Enterprise Data Protection, you will be able to control which apps can and cannot access enterprise data.
Those that can are added to a “privileged” app list and are subsequently allowed to access and use enterprise data. Anything that is not on this list is classified as personal and is blocked from accessing data, depending, of course, on the level of protection you have set.
Privileged apps will act differently from personal or non-privileged apps. When a user wants to copy and paste data, a privileged app will allow it; non-privileged ones won't.
Should a person try to copy enterprise data to a non-privileged app, they will see a notification advising that policy restrictions are in place and the action could not be completed.
Persistent Data Encryption
Enterprise Data Protection allows you to keep your data safe even when the device is roaming. Apps such as OneNote and Office work in conjunction with EDP to persist data encryption across services and locations.
For example, an employee opens content in Outlook that is EDP encrypted, makes some changes to it and then attempts to save it under a new name, to try and get rid of the encryption.
That won't work because Outlook will automatically apply EDP to the new version of the document, ensuring that the data is kept fully encrypted and secure.
Helps Prevent Accidental Data Sharing
EDP also helps to protect corporate data from being accidentally shared in public spaces like the cloud. Say, for example, an employee puts a document in a folder called DOCUMENTS.
This folder is synced automatically with OneDrive, which is on your privileged app list. It is then encrypted on a local level – it will not be synced to the employee's personal cloud.
Data sharing also covers other devices. Under the old system it was possible for data to be leaked to another device while it was being transferred between them. For example, an employee saves corporate data onto a USB flash drive that also has personal data on it.
The corporate data is encrypted while the personal data remains open. As well as that, the encryption follows the data, so even if it is copied to another device, it will stay encrypted.
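The four protection levels, the privileged app list and the persistence of the classification across a save-as, as one added Python example that is not from the original text or from Microsoft's EDP implementation. `EdpPolicy.share` applies the Block, Override, Audit and Off semantics described above and writes the audit log; `save_as` and `reclassify` model the two document-handling rules (the classification follows a renamed copy, and an employee's reclassification is always logged). The app names, file names and user are constructed.

```python
from dataclasses import dataclass, field
from enum import Enum


class Level(Enum):
    BLOCK = "block"
    OVERRIDE = "override"
    AUDIT = "audit"
    OFF = "off"


@dataclass(frozen=True)
class Item:
    name: str
    enterprise: bool  # classification assigned at creation or download; travels with the data


@dataclass
class EdpPolicy:
    level: Level
    privileged_apps: set
    audit_log: list = field(default_factory=list)

    def share(self, item: Item, source_app: str, dest_app: str, user_override: bool = False) -> bool:
        """Decides whether content may flow from source_app to dest_app under the configured level."""
        appropriate = not item.enterprise or dest_app in self.privileged_apps
        if self.level is Level.OFF:
            return True  # no protection and no logging
        if appropriate:
            if self.level is Level.AUDIT:
                self.audit_log.append(f"SHARE ok: {item.name} {source_app} -> {dest_app}")
            return True
        # From here on: enterprise data headed for a non-privileged app.
        if self.level is Level.BLOCK:
            self.audit_log.append(f"BLOCK: {item.name} {source_app} -> {dest_app}")
            return False
        if self.level is Level.OVERRIDE:
            if user_override:
                self.audit_log.append(f"OVERRIDE by user: {item.name} {source_app} -> {dest_app}")
                return True
            self.audit_log.append(f"WARN: {item.name} {source_app} -> {dest_app}")
            return False
        self.audit_log.append(f"SHARE flagged: {item.name} {source_app} -> {dest_app}")  # Level.AUDIT
        return True

    def save_as(self, item: Item, new_name: str) -> Item:
        """Persistent encryption: a copy saved under a new name keeps its classification."""
        return Item(new_name, item.enterprise)

    def reclassify(self, item: Item, user: str, enterprise: bool) -> Item:
        """Employees may fix a mislabelled personal document, but the action is always logged."""
        self.audit_log.append(f"RECLASSIFY by {user}: {item.name} enterprise={item.enterprise} -> {enterprise}")
        return Item(item.name, enterprise)


PRIVILEGED = {"Outlook", "OneNote", "OneDrive for Business"}  # constructed privileged app list


def demo() -> dict:
    report = Item("Q3-forecast.xlsx", enterprise=True)
    photo = Item("holiday.jpg", enterprise=False)
    results = {}
    for level in Level:
        policy = EdpPolicy(level, PRIVILEGED)
        original = policy.share(report, "Outlook", "PersonalMail")
        renamed = policy.share(policy.save_as(report, "forecast-copy.xlsx"), "Excel", "PersonalMail")
        results[level.value] = {
            "enterprise_to_privileged": policy.share(report, "Outlook", "OneNote"),
            "enterprise_to_personal_app": original,
            "with_user_override": policy.share(report, "Outlook", "PersonalMail", user_override=True),
            "personal_data_anywhere": policy.share(photo, "Photos", "PersonalMail"),
            "renamed_copy_treated_same": renamed == original,
            "log_entries": len(policy.audit_log),
        }
    policy = EdpPolicy(Level.BLOCK, PRIVILEGED)
    fixed = policy.reclassify(Item("recipe.docx", enterprise=True), "irwin", enterprise=False)
    results["reclassified_shareable_and_logged"] = policy.share(fixed, "Word", "PersonalMail") and len(policy.audit_log) == 1
    return results
```

Note that Audit mode logs every share, appropriate or not, whereas Block and Override log only the inappropriate ones, and Off logs nothing; when comparing audit volumes between levels that difference is expected, not a fault.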
The Benefits of EDP
The benefits of EDP include:
• Protection against the leakage of enterprise data, with little to no impact on the work practices of the employees
• Separation of personal and corporate data with no need for employees to switch apps or environments
• Extra data protection for existing business apps without having to update them
• The ability to wipe all corporate data off a device while leaving personal data untouched
• Audit reports to help with tracking issues
• Full integration with your current management system or mobile device management system to configure EDP for your corporation, as well as deploying and managing it
• Extra protection while roaming or sharing data
Enterprise scenarios
EDP addresses the following enterprise scenarios:
• Enterprise data can be encrypted on both employee and corporate-owned devices
• Enterprise data can be wiped off remotely without touching personal data
• Specific apps can be chosen, called Privileged apps, which can access enterprise data. These apps are clearly recognized by employees. Non-privileged apps can be blocked from having access to enterprise data
• Employees don't need to switch between enterprise or personal apps, thus eliminating interruption to workflow, provided enterprise policies have been put in place.
Windows Defender
Windows 10 users will still need to use specific anti-malware software to protect from malware that comes from other sources.
This is because Device Guard only protects against malicious software that attempts to load during the boot process – at this stage, no anti-malware software is able to protect your device.
Instead of taking the chance that users will forget to download a program, Microsoft has included Windows Defender, also available in Windows 8. Defender is automatically enabled on your system and runs silently in the background.
This ensures that, whether you opt for a third-party solution or not, you will have, at the very least, baseline antivirus protection. However, unlike Windows 7, Windows 10 will not kick up a fuss if you choose to install a third-party option as well.
Instead, it will simply disable Windows Defender, stopping it from protecting your device. Should you opt to uninstall the third-party anti-malware software, Windows Defender will automatically be re-enabled, thus ensuring that your device is never left without some kind of malware protection.
Formerly called Microsoft Security Essentials, Defender runs quietly, scanning every file as and when you access it, before it is actually opened.
If it finds malware or anything else that could cause a threat to your machine and your data, it will clean it up and quarantine the offending file automatically.
You will get a notification that Defender has detected malware, telling you that it is taking the necessary action to clean it up. The antivirus definitions will also be automatically updated through Windows Update, and this process does not require a reboot of the device.
Configuration and Exclusions
The settings for Windows Defender are already integrated with Windows 10, in the brand new Settings app. This can be accessed via the Start menu, in the Update and Security category under Settings. By default, it will automatically be enabled for real-time, cloud-based, and sample submission protection. If you disable the real-time protection for any reason, Windows Defender will automatically re-enable it, to keep you safe.
Both Cloud and sample submission protection let Defender share any information that it finds about threats, along with the actual malware file, with Microsoft. This is done in a bid to keep the definitions completely up to date and to allow Microsoft to continue improving and updating their security systems.
From the same menu, you can also set up Exclusions – these can be specific files, file types, folders and processes.
If, for example, Defender is slowing down your device performance because it keeps on scanning apps or files that you know to be safe, you can set an exclusion and tell it not to scan them.
These exclusions are to be used only when absolutely necessary, because having too many exclusions will render Defender useless and leave your device open to all kinds of threats.
UEFI
Unified Extensible Firmware Interface, or UEFI Secure Boot, is a more up-to-date replacement for the BIOS traditionally used to start up a computer. Secure Boot is designed to shut out low-level malware and stop it from infecting and taking over the boot process on any device. In the past, vendors that wanted the “Designed for Windows” certification had to have UEFI Secure Boot on their hardware.
In order to allow users of other systems such as Linux, Microsoft had to include a toggle that would allow a user to turn off Secure Boot, at the very least for x86 hardware. This allowed a user to open the door and install whatever they chose on their computers.
In Windows 10, Microsoft had originally said that they would not be supporting the on/off toggle and that all new hardware must ship with UEFI Secure Boot enabled. However, it now transpires that, while Secure Boot must be enabled on all new Windows 10 hardware, OEMs have the option of whether to allow the end user to disable it or not.
That is only for desktop machines; for Windows 10 mobile retail devices, the option to disable Secure Boot is not included. The idea is to restrict the possibility of malware being downloaded by users who install an alternative operating system to dual-boot their machines.
At the time of this writing, Microsoft has not finalized their specs and, as such, the decision to put the onus on the OEM to include the toggle may be changed.
Advanced Threat Analytics
Security attacks today are more persistent, frequent, and sophisticated than ever before.
Regardless of which type of device you are using, it is safer to assume that you have been breached and that attackers may already be residing in your system than it is to go blindly about your work ignoring potential threats.
The following statistics tell a very sobering story:
• 200+ days – it isn't unusual for attackers to remain inside your system for this long without detection. They can do this because they take advantage of user accounts, privileged or otherwise, and hide inside the network. It takes sophisticated and advanced technology to find them and stop them, and to prevent others from attacking the system.
• 75%+ – this is the percentage of network intrusions that result from a user's credentials being compromised.
• $500 billion – this represents the estimated cost of cybercrime to the global economy.
• $3.5 million – the average cost to a company for a data breach.
This is why Microsoft has come up with a brand new feature called Advanced Threat Analytics, or ATA. ATA is designed as an on-premises threat analytics tool that works to detect threats and abnormal behaviour (see below) before they can cause damage.
To illustrate how it works, say you have a credit card and your provider monitors your spending behaviour.
If there is any suspicious activity, or activity outside your normal pattern, the provider contacts you to verify that the activity was yours. They may also place a temporary stop on the card while they verify it. This is the concept that Microsoft wants to bring to enterprise users.
The benefits of ATA are:
• Threats are detected using behavioural analysis of the user, monitoring how they use the system, and alerting when there is any change to that pattern that looks suspicious.
• ATA is constantly evolving, forever learning from the user's behaviour, and adapting itself to reflect changes within a dynamic organization.
• It uses a simple attack timeline to focus on what is important – a very clear and efficient system that monitors and draws attention to the right things at the right time. In addition, it provides you with the information you need, i.e. the who, when, and where aspects of the attack. ATA also provides recommendations for the next step.
• ATA will also identify known risks and alert the right people – risks such as weak passwords, broken trust, weak and vulnerable protocols, etc.
• ATA also reduces the risk of false positives.
How Does It Work?
After ATA is installed, a non-intrusive port-mirroring configuration will copy all Active Directory-related traffic to ATA, but will remain invisible to any hovering attackers. ATA will then analyse the data and work with SIEM – Security Information and Event Management – to look at related traffic and relevant events. All the information is stored locally, on-premises, by ATA, and never leaves the organization.
The ATA detection engine begins learning and profiling the behaviour of all users and then uses machine learning technology to paint an overview of the everyday activity.
Once it is familiar with your normal use behaviour, it will begin to look for anomalies and strange behaviour.
If these arise, it will raise a red flag and alert security teams, as soon as the system has compared and aggregated the anomaly with near real-time detection of security breaches and advanced attacks to build the timeline.
This also reduces the chance of false positives and better identifies malicious attacks, as shown below.
Microsoft ATA is a non-intrusive system that works quietly in the background without detection.
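The learn-a-baseline-then-flag-deviations approach described here, as an added Python example that is not from the original text or from Microsoft's ATA engine: `build_profiles` learns where each user logs on from, which servers they reach and at what hours; `analyse` scores each deviation and aggregates them into a per-user timeline, alerting only when the total crosses a threshold, so a single new server on its own does not raise an alert. The users, hosts and logon events are constructed sample telemetry, and the simple set-based profile stands in for ATA's machine learning.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class LogonEvent:
    when: datetime
    user: str
    source_host: str  # workstation the logon came from
    target: str       # server or service that was reached


def _ev(day, hour, minute, user, host, target):
    return LogonEvent(datetime(2015, 9, day, hour, minute), user, host, target)


# Constructed sample telemetry (not real traffic): ten working days to learn from...
LEARNING = (
    [_ev(d, h, 0, "irwin", "WS-IRWIN", t) for d in range(1, 11) for h in (8, 12, 17) for t in ("FILESRV01", "MAIL01")]
    + [_ev(d, h, 30, "alice", "WS-ALICE", t) for d in range(1, 11) for h in (9, 13) for t in ("FILESRV01", "DC01")]
)
# ...and one day to score.
SCORING_DAY = [
    _ev(15, 8, 15, "irwin", "WS-IRWIN", "MAIL01"),    # routine
    _ev(15, 12, 30, "irwin", "WS-IRWIN", "HR-SRV"),   # one new target: mildly unusual on its own
    _ev(15, 2, 10, "irwin", "WS-ALICE", "DC01"),      # new host, new target, 02:10
    _ev(15, 9, 5, "alice", "WS-ALICE", "PRINT01"),    # one new target for alice
]


def build_profiles(events) -> dict:
    """Per-user baseline of where they log on from, what they reach, and when."""
    profiles = defaultdict(lambda: {"hosts": set(), "targets": set(), "hours": set()})
    for e in events:
        p = profiles[e.user]
        p["hosts"].add(e.source_host)
        p["targets"].add(e.target)
        p["hours"].add(e.when.hour)
    return dict(profiles)


def deviations(profile: dict, e: LogonEvent) -> list:
    """Lists how a single event departs from the user's baseline (empty list == routine)."""
    reasons = []
    if e.source_host not in profile["hosts"]:
        reasons.append(f"new source host {e.source_host}")
    if e.target not in profile["targets"]:
        reasons.append(f"new target {e.target}")
    if e.when.hour not in profile["hours"]:
        reasons.append(f"unusual hour {e.when:%H:%M}")
    return reasons


def analyse(profiles: dict, events, threshold: int = 3) -> dict:
    """Aggregates per-user deviations into a timeline; alerts only when the total crosses the threshold."""
    unknown = {"hosts": set(), "targets": set(), "hours": set()}  # never-seen account: everything is new
    findings = defaultdict(lambda: {"score": 0, "timeline": []})
    for e in sorted(events, key=lambda x: x.when):
        reasons = deviations(profiles.get(e.user, unknown), e)
        if reasons:
            f = findings[e.user]
            f["score"] += len(reasons)
            f["timeline"].append((e.when.isoformat(timespec="minutes"), e.source_host, e.target, reasons))
    for f in findings.values():
        f["alert"] = f["score"] >= threshold
    return dict(findings)


def demo() -> dict:
    return analyse(build_profiles(LEARNING), SCORING_DAY)
```

In the constructed day, Irwin's new HR server alone scores 1 and would not alert, but aggregated with the 02:10 logon from another workstation to a domain controller the total reaches 4 and the timeline of both events is what the analyst receives; Alice's single new print server stays below the threshold.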
Virtual Secure Mode
Windows 10 is made up of a number of different containers, one of which houses the actual operating system. However, the security token for Active Directory that allows you to access your company network, and the LSA authentication service that issues it, are housed in a separate container that runs on top of the Hyper-V virtualization container.
These security tokens are the target for a good percentage of “Pass the Hash” security attacks. Once attackers have that token, they have your identity, which is as good as giving them your login details. They have access to admin privileges and are able to run a tool which can access and take the token. Once they have it, they can get around the networks and access servers without the need for a password.
Microsoft has made things more difficult for them by taking those tokens out of the software repository where they were previously stored, and where they were susceptible to malware, and locking them in a container. Once inside that container, not even Windows has access to them, even if the container is compromised in any way.
The container will not release any tokens or hashes; instead, when they are passed to Windows, it is done in a new format that cannot be replayed on the device. In addition, NTLM hashes are separated from the logon process, and are randomized and managed in such a way as to protect them against a brute force attack.
That container is called VSM – Virtual Secure Mode.
The VSM is, in effect, a mini version of the operating system, a Windows Core OS. It requires just 1 GB of memory and has sufficient capability to be able to run the LSA service that is needed for authentication purposes. It will have little to no effect on the performance of the device, but you do need Windows 10, the next version of Windows Server on your Active Directory domain controller, and a CPU that has support for hardware virtualization. In brief:
• Virtual Secure Mode isolates the sensitive processes into a Hyper-V container
• VSM runs the Windows kernel and Trustlets inside of that container
• VSM protects the kernel and Trustlets even when the Windows kernel is compromised, thus keeping those tokens safe
Microsoft Virtualization Strategy and Security
For the last ten years or so, one of the biggest topics in the IT industry has been virtualization, mainly because of the sheer number of benefits that come with it for IT staff.
It brings the ability to make more out of hardware utilization capabilities, while at the same time offering sufficient scalability to get away from performance issues. There is also the capability to migrate virtual machines and cut down on downtime, and finally, the convenience that comes with being able to deploy new virtual machines quickly – manually or automated – thus reducing the workload of the IT department.
Microsoft has a goal in mind – what Hyper-V has done for server deployment and management, they want to do with the data center. To do that, they wanted to bring the whole structure down to the software level, which gives users the ability to automate many more data center aspects, and gain much more efficiency.
Over the last few versions of Windows Server, Microsoft has come a long way in improving Hyper-V and bringing it up, together with the supporting technologies, to a software-defined data center, packed with useful features. Those features cover every single aspect of the data center – networking, storage, and compute.
The last two versions of Windows Server introduced Storage Spaces, IP Address Management and multi-tenant site-to-site VPNs. Server 2016 is building on those and bringing additional features like Storage Replica.
Security Improvements
Windows Server 2016 also addresses a number of security issues in Hyper-V that are designed to bring more protection to Virtual Machines and halt malware, administrator attacks, and other attack vectors in their tracks.
Microsoft is completely aware of one of the biggest reasons why the Cloud has not been adopted in the way they had hoped, and that is corporate trust. Microsoft is now determined to prove to everyone, both corporate and consumer, that cloud solutions can offer data center security that is at least comparable to, if not better than, what it ever used to be.
Windows Server 2016 also offers support for a virtual TPM to be enabled in the virtual machine, and then configured.
The main benefit of this is the ability to enable BitLocker encryption for all guest virtual machines, which will have the benefit of stopping unauthorized access to any files or to the system that is contained in the virtual drives.
Shielded Virtual Machines in Server 2016 is yet another security feature that allows a guest virtual machine to be protected from the host server administrator.
In this scenario, while an administrator can stop or start the shielded VM, they cannot alter its configuration, see what is on the virtual disks, or view processes that the guest OS is running.
This is the ideal solution for large environments that don't want the management side to see what is on a customer virtual machine, or for those industries that operate a need-to-know policy or strictly enforced separation of duties.
EnterpriseMobility–IdentityintheEnterprise
Rightnow,managingidentitieswithintheEnterprisesettingiscumbersome.Windows10isgoingtochangeallofthatandallowempowermentofenterprisemobility.Thewaythingsaresetupnowisasfollows:alltheusersintheenterprisewanttoaccesseverything,fromanywhere,andfromanydevice.Managementwantstocontroleverything;aswellasensuringthatdataissecureandprotected.Thisbecomesdifficultwhenend-usershavethesamelogindetailsfromeverysitethattheyvisit,andusethesamepassword.Whilethismightbeeasytostartwith,itallfallsapartwhenonesiterequestsapassword
Page | 54 www.Windows10update.com
change… and then another one does… and another… and so on. The end user has to remember all of these different passwords. So, in steps the HR department, with their company credit card to hand, and buys the latest software to manage everything. Then they have a problem – security. Thus they come to the IT department, confess what they've done, and then hand the problem over for them to solve. That's where Windows 10 changes everything. Identity is the foundation to building the enterprise mobility strategy. Most businesses already have on-premises identity strategies, use Active Directory and other directories, and have their firewalls already set up. They also have access to cloud apps on a separate infrastructure. Windows 10 brings something a little bit different and a whole lot better.
It's called Azure Active Directory and it brings together on-premises and cloud access in one easy place. All you need is one simple connection to join the two together, and Windows 10 provides all the tools you need to make that connection. What Azure Active Directory brings to enterprise users is one single sign-on that gives you access to everything that you need. Before we go any further, let's just spend a minute talking about Azure Active Directory. What is it, exactly?
AAD is an identity and access management solution that combines:
• Directory services
• Advanced identity governance
• App access management
• Standards-based platform for developers
Azure AD allows your users to access thousands of apps through one single sign-on. Better than that though, it also allows you to pick and choose which apps they have access to through a number of different options. AAD is:
• Easy to use. It provides enterprises with a simple way of managing identity and access to organizational apps and services, both on-premises and in the cloud. There are more than 2000 apps already pre-integrated and it is easy to integrate your own apps with the single sign-on support.
• Designed to empower users by allowing them to sign on with either a work or a personal account for access to on-premises web and cloud applications. With self-service capabilities, they are also able to perform many of their own administrative tasks without having to contact the help desk.
• Designed with enhanced security in mind. Your enterprise can protect on-premises and cloud data by ensuring that proper access is given. You can also monitor the system for any anomalous activity and detect and deal with potential threats.
• Set up to allow hybrid identities. This allows you to integrate on-premises directories and enable workers to access corporate resources both securely and consistently, with just one single organization account. AAD can be used to enhance on-premises infrastructure, allowing self-service, security tools and built-in app connectivity.
• Set up to provide a comprehensive reporting and analytics system that enhances your security, allows you to monitor usage and view the performance of your environment.
Cloud App Discovery
Cloud app discovery allows you to monitor apps in the cloud. Right now, in the average enterprise, there are about ten times more cloud apps in use than the IT department realizes. Cloud app discovery allows you to see exactly which apps are being used, who is using them, and how often they are used. You can export the details from your reports directly to a reporting tool and include them as part of your regular reports as well as using it for data
analysis.
Managing Your Directory on the Cloud
Another useful feature included in AAD is the Microsoft Identity Manager. This allows you to manage your on-premises identities and connect and share on-premises directories to Azure. There are already more than 2,400 SaaS apps in the gallery and more can be integrated and added as needed, including those that are published using AAD Application Proxy. Because AAD stands in the middle, all of these apps and directories can be accessed on-premises and from mobile devices.
AAD App Proxy includes a connector that automatically connects it to the cloud, allowing for seamless syncing. AAD also includes a comprehensive identity and access management console, providing centralized access admin for all apps, both pre-integrated and other cloud-based apps. This makes life much easier for the end user because the admin can:
• Put users in groups and allow groups to access different sets of apps.
• Set up enterprise accounts for certain apps – one account, multiple users – and only the admin will know the login details. This prevents accidental sharing.
• Provision or de-provision users. If a user leaves a particular group or leaves the organization completely, he or she will automatically be de-provisioned, cancelling access to all of these apps.
There are also other built-in security features to protect enterprise apps, namely:
• Security reporting that monitors and detects inconsistent access patterns and throws up alerts.
• The opportunity for an admin to step up an app to multi-factor authentication – if they doubt that a user is who they say they are, for example, they can add another step to the authentication process which will block access until that step has been successfully completed. The step could be a phone call or a text message.
• The access policies will depend on the state of a user's device, their location, and group membership.
How Microsoft Windows 10 Will Protect Your Data
As well as protecting your identity, an area that Microsoft is making great strides in, they are also working hard on coming up with new solutions to protect your data and information.
Next to identity, theft of data is the next most serious consideration for consumers and organizations alike. Current security systems only protect about half of your IT system and even then, that isn't fully protected.
Every time you switch on your computer or Windows mobile device, or every time you access the Internet or open an email, you run the risk of a hacker swooping in and taking control. Microsoft intends to stop that in its tracks with two upgraded systems.
Azure Rights Management and Information Rights Management
When data leaves your device, Microsoft has something called Azure Rights Management and Information Rights Management, both of which help to protect against the loss of data from documents.
As of now, a user typically has to opt in to activate the protection that these two services offer and that can leave an enterprise with a bit of a problem – a gap through which data can be leaked, whether deliberately or inadvertently.
Azure Administrative Tasks
The end user can perform many of their own administrative tasks by visiting http://myapps.microsoft.com, or through the relevant app on Android or iOS. Through that, they can see how many apps they have access to, from any device. They can also see all of their managed devices and can reset their own passwords without the need for the IT department to get involved. Lastly, they can also request access to apps and/or groups through the self-service options. Azure Active Directory is embedded in Windows 10 and is available through three subscription options, depending on your needs – free, basic and premium. Over the next year, Microsoft is investing more time and money in improving the following areas of AAD:
• Admin Units – ability to split admin duties into groups
• Business-To-Business – a new feature that will be available that allows you to share your resources with business partners through AAD
• B2C – Identities for business to consumers
• Conditional Access – Ability to block outside access
• Privileged Identity Management – Options to make admin access temporary or permanent
• AAD Join – AAD controls everything and is fully embedded with Windows 10
Data Protection in Azure
Global cyber-attacks are on the rise and so are the costs associated with them. It is estimated that cybercrime extracts around 15-20% of the value that is created by the Internet.
In the last 2 years in the UK alone, more than 80% of large businesses and 60% of small ones reported a cyber-breach and, globally, the number of security compromises reported rose by about 34% in 2014. The estimated cost of cyber-attacks, in terms of lost growth and productivity, is thought to be around $3 trillion.
In order to protect their customers' data, Microsoft has introduced a number of security measures in Azure Active Directory. By default, AAD provides strong protection and there are also options that customers can choose to enable as well. First, let's look at data in transit.
By this, I mean data that is sent and received between a user and the service, between data centers and between users. Data that comes through the Microsoft Azure Portal or through the storage API is automatically encrypted using HTTPS, along with strong ciphers. By default, FIPS 140-2 support is enabled to comply with government security standards.
All data that is imported or exported is encrypted with BitLocker, which is built into Windows 10, and all customer data that goes between the data center and storage facilities is also encrypted.
For customers that access data in a storage facility or container, there are two options of access – HTTP and HTTPS – Microsoft recommends using HTTPS as this is secure and encrypted.
If a customer chooses to access or send data using a web client, TLS should be implemented – TLS is Transport Layer Security and it is a protocol that makes sure that third parties cannot intercept or eavesdrop on data that is being sent between applications and their Internet users.
When we talk about data at rest, we are talking about data that is stored in one of a number of different containers. The containers that Microsoft provide data protection options for are listed below.
Virtual Machines – Windows/Linux
Azure disk encryption is provided using BitLocker for Windows or DM-Crypt for Linux. Virtual hard drives (VHD) are encrypted for both Windows and Linux VMs. The customer is given the option of enabling disk encryption on both the boot and the data volumes; the encryption keys are stored in the key vault. This also applies to Azure Gallery and to running a VM in Azure.
How it Works
• The customer uploads their encrypted VHD to their Azure storage account
• They provision their BitLocker encryption keys or Linux passphrase in their key vault and give access to the platform to provision the VM
• At this point, they opt in to disk encryption
• Azure service management updates the service model with the key vault and encryption configuration
• The platform provisions the encrypted VM
Key Vault Security
Everything revolves around the key vault because this is where the keys are stored – the encryption keys that are protecting your data. These keys are kept in an isolated vault so that, should your storage container become compromised, only an image of your data can be stolen – this is useless to any thief because the keys that unlock the data are elsewhere.
It is important to note that:
• Only the customer can control access to the keys that are in their private vault
• The customer can enable monitoring and logging, collecting the logs in their storage account – this enables them to see who has access or who has attempted access to their vault
• Encrypted disks are stored in the customer's storage account and Azure storage will automatically replicate them – the customer has control over how many copies are made
• Azure has no default access to the key vault – the customer must grant Read or Write permission.
• Azure cannot access the disk encryption feature in the vault
Azure Storage – Blobs, Tables, Queues
Client-side encryption allows users to encrypt their data before it is uploaded to Azure as well as decrypting it again after downloading. Again, the keys are kept safe in the key vault and the storage service will never see the keys, nor is it capable of decrypting any data. For cloud-integrated storage, all data is encrypted on premises and is backed up in Azure.
SQL Server and SQL Database
Using TDE – Transparent Data Encryption – technology, the entire contents of a database in storage can be encrypted using a database encryption key, which is an AES-256 symmetric key.
This key is protected with a service-managed certificate, which is protected by SQL Database Server. The certificate is set on a 90-day cycle, after which a new one must be produced, thus lowering the chances of compromise through standing access.
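The key-vault separation described under Key Vault Security and Azure Storage, and the TDE arrangement just described (a data key protected by a rotating service-managed key), are the same pattern: envelope encryption. The Go program below is an added example, not code from the book or from any Azure SDK; the Vault type, the key names and the principal names are constructed. A random AES-256 data key encrypts the object, the vault wraps that key under a key-encryption key it never releases, every vault access is logged whether granted or denied, and Rotate moves an object to a new key-encryption key without touching the bulk ciphertext.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Vault is a constructed stand-in for a key vault: key-encryption keys (KEKs) never
// leave it, callers get only wrap/unwrap, and only while they hold a grant.
type Vault struct {
	keks    map[string][]byte // key name -> 256-bit KEK
	granted map[string]bool   // principals granted access to the vault
	Audit   []string          // every access attempt, granted or denied
}

func NewVault() *Vault {
	return &Vault{keks: map[string][]byte{}, granted: map[string]bool{}}
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func (v *Vault) Grant(principal string) { v.granted[principal] = true }

// CreateKey generates a fresh KEK (one per 90-day cycle in the TDE case).
func (v *Vault) CreateKey(name string) { v.keks[name] = randomBytes(32) }

// kek logs the attempt and hands the named KEK's cipher only to granted principals.
func (v *Vault) kek(principal, op, name string) (cipher.AEAD, error) {
	v.Audit = append(v.Audit, fmt.Sprintf("%s key=%s by=%s", op, name, principal))
	if !v.granted[principal] {
		return nil, errors.New("vault: access denied for " + principal)
	}
	if k, ok := v.keks[name]; ok {
		return gcm(k)
	}
	return nil, errors.New("vault: no such key " + name)
}

// Wrap encrypts a data key under the named KEK; only the wrapped blob leaves the vault.
func (v *Vault) Wrap(principal, name string, dek []byte) ([]byte, error) {
	g, err := v.kek(principal, "wrap", name)
	if err != nil {
		return nil, err
	}
	nonce := randomBytes(g.NonceSize())
	return append(nonce, g.Seal(nil, nonce, dek, []byte(name))...), nil
}

func (v *Vault) Unwrap(principal, name string, blob []byte) ([]byte, error) {
	g, err := v.kek(principal, "unwrap", name)
	if err != nil {
		return nil, err
	}
	if ns := g.NonceSize(); len(blob) >= ns {
		return g.Open(nil, blob[:ns], blob[ns:], []byte(name))
	}
	return nil, errors.New("vault: wrapped key too short")
}

// StoredObject is all the storage service ever holds: ciphertext plus the wrapped DEK.
type StoredObject struct {
	KeyName                       string
	Nonce, Ciphertext, WrappedDEK []byte
}

// Encrypt is client-side envelope encryption: a random AES-256 data key (DEK) seals
// the object, the vault wraps the DEK, and the plaintext DEK is discarded.
func Encrypt(v *Vault, principal, keyName string, plaintext []byte) (*StoredObject, error) {
	dek := randomBytes(32)
	wrapped, err := v.Wrap(principal, keyName, dek)
	if err != nil {
		return nil, err
	}
	g, _ := gcm(dek) // a 32-byte key is always valid
	nonce := randomBytes(g.NonceSize())
	return &StoredObject{keyName, nonce, g.Seal(nil, nonce, plaintext, nil), wrapped}, nil
}

// Decrypt needs the vault: a copy of the stored image alone yields nothing.
func Decrypt(v *Vault, principal string, o *StoredObject) ([]byte, error) {
	dek, err := v.Unwrap(principal, o.KeyName, o.WrappedDEK)
	if err != nil {
		return nil, err
	}
	g, _ := gcm(dek)
	return g.Open(nil, o.Nonce, o.Ciphertext, nil)
}

// Rotate re-wraps the DEK under a new KEK (the 90-day cycle): one unwrap and one wrap,
// with the bulk ciphertext left untouched.
func Rotate(v *Vault, principal, newKey string, o *StoredObject) error {
	dek, err := v.Unwrap(principal, o.KeyName, o.WrappedDEK)
	if err != nil {
		return err
	}
	wrapped, err := v.Wrap(principal, newKey, dek)
	if err != nil {
		return err
	}
	o.KeyName, o.WrappedDEK = newKey, wrapped
	return nil
}
```

Usage is CreateKey and Grant on the vault, then Encrypt, Decrypt and Rotate with a principal name. A principal holding only a copy of a StoredObject gets an access-denied error from Decrypt, which is the point the book makes about a stolen image, and the Audit slice records that attempt alongside the legitimate ones, which is what the vault's logging option gives you.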
HDInsight uses Azure storage and SQL Azure DB encryption to protect your data while Azure Backup Service uses Azure Disk Encryption to ensure your data cannot be lost, stolen or compromised in any other way.
Access Control and Auditing
So, Microsoft Azure AD has encrypted and protected all your data and your keys are stored away safely in a vault that only you have access to. That's not all there is to it though. Many of the fundamental security risks still exist on premises.
Mitigate the Risk of Compromised Accounts
Weak authentication is the key problem to security. Weak passwords, passwords that are written down or shared, or passwords that are stolen are the biggest way in for any attacker. Microsoft is looking to eradicate passwords and bring multifactor authentication in across the board.
All user accounts can be secured using Azure MFA, usable with both Azure Active Directory or the Windows Server Active Directory Federation Services, and this is backed up by a second factor for identification, usually a text or a phone call.
Users can also use existing PKI – smart cards or virtual smart cards – to protect their accounts using ADFS with the on-premises infrastructure.
Limiting Permissions
This is one of the most difficult concepts to get over but permissions should follow a "Least Privilege" principle, i.e. access is only granted when it is necessary for a specific role. Azure RBAC – Role-Based Access Control – now contains 20 different roles that can be assigned to users, under the headings of owners, contributors and readers, as well as custom roles.
Owners have full access to the data; contributors can add to it but cannot do anything else, while readers can only do just that – read the content but cannot make any changes. Users within the enterprise, or within groups, can be given access to data under one of those roles, allowing IT to control who does what.
Privileged Accounts
Superuser accounts deserve special management because they produce a special risk. JIT – Just-In-Time – access can be enabled, removing the risk of an attack through standing permissions or standing access.
JIT gives a user access to admin when they need it for a limited period of time and only to the feature they need access to. Managers can also set something called Azure AD PIM – Privileged Identity Management.
This is where they can monitor the system, see who has access and who wants it, and set the policies that transition permanent access to temporary.
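The least-privilege roles, scope inheritance and JIT activation described in the last few paragraphs can be modelled directly. The Go program below is an added example, not the book's code and not Azure RBAC's implementation; the scope paths, the BackupOperator custom role and the principal names are constructed. Standing assignments never expire, JIT assignments carry an expiry and lapse on their own, a grant at a parent scope covers its children, and StandingPrivileged lists the permanent Manage rights that a PIM review would aim to convert into temporary activations.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// Action is one operation on a resource; roles bundle actions.
type Action string

const (
	Read   Action = "read"
	Write  Action = "write"
	Manage Action = "manage" // change configuration or access
)

// Roles follows the owner/contributor/reader split plus one constructed custom role.
var Roles = map[string][]Action{
	"Reader":         {Read},
	"Contributor":    {Read, Write},
	"Owner":          {Read, Write, Manage},
	"BackupOperator": {Read},
}

// Assignment grants a role at a scope; a non-zero Expires makes it JIT rather than standing.
type Assignment struct {
	Principal, Role, Scope string
	Expires                time.Time
}

type Authorizer struct{ assignments []Assignment }

// Grant adds standing (permanent) access at a scope such as "/sub/prod/rg/db".
func (a *Authorizer) Grant(principal, role, scope string) {
	a.assignments = append(a.assignments, Assignment{principal, role, scope, time.Time{}})
}

// ActivateJIT adds access that lapses by itself after d; nothing is left to revoke.
func (a *Authorizer) ActivateJIT(principal, role, scope string, now time.Time, d time.Duration) {
	a.assignments = append(a.assignments, Assignment{principal, role, scope, now.Add(d)})
}

// scopeCovers reports whether a grant at parent applies to child (scopes inherit downwards).
func scopeCovers(parent, child string) bool {
	return child == parent || strings.HasPrefix(child, parent+"/")
}

// Allowed is the least-privilege check: true only if a live assignment covering the
// scope carries the requested action.
func (a *Authorizer) Allowed(principal string, act Action, scope string, now time.Time) bool {
	for _, as := range a.assignments {
		if as.Principal != principal || !scopeCovers(as.Scope, scope) {
			continue
		}
		if !as.Expires.IsZero() && !now.Before(as.Expires) {
			continue // the JIT window has closed
		}
		for _, granted := range Roles[as.Role] {
			if granted == act {
				return true
			}
		}
	}
	return false
}

// StandingPrivileged lists permanent assignments that carry Manage: the standing
// access that PIM is meant to turn into time-boxed activations.
func (a *Authorizer) StandingPrivileged() []Assignment {
	var out []Assignment
	for _, as := range a.assignments {
		if !as.Expires.IsZero() {
			continue
		}
		for _, act := range Roles[as.Role] {
			if act == Manage {
				out = append(out, as)
				break
			}
		}
	}
	return out
}

func main() {
	now := time.Date(2015, 9, 15, 9, 0, 0, 0, time.UTC)
	var az Authorizer
	az.Grant("alice", "Owner", "/sub/prod")
	az.Grant("bob", "Reader", "/sub/prod/rg/db")
	az.ActivateJIT("bob", "Contributor", "/sub/prod/rg/db", now, time.Hour)
	fmt.Println("bob writes now:     ", az.Allowed("bob", Write, "/sub/prod/rg/db", now))
	fmt.Println("bob writes in 2h:   ", az.Allowed("bob", Write, "/sub/prod/rg/db", now.Add(2*time.Hour)))
	fmt.Println("standing privileged:", az.StandingPrivileged())
}
```

Note the separator in scopeCovers: a grant on "/sub/prod" must not cover "/sub/prodx", which a plain prefix check would allow.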
Using auditing and logging, management can also detect suspicious activity, including irregular logins, down to user level, through the use of advanced detection tools that are constantly monitoring every user account. In this way, threats can be detected and action taken before they become a problem.
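The auditing-and-logging point above is easiest to see on actual records. The Go program below is an added example, not the book's code and not any Microsoft detection tool; SampleLog is constructed sign-in data in a line format invented for this example. It parses the lines and applies two per-user detections: a success preceded by a burst of failures inside a time window, and a success from a country the account has not succeeded from before in the data.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// SignIn is one parsed sign-in event.
type SignIn struct {
	At      time.Time
	User    string
	Country string
	OK      bool
}

// ParseSignIn reads one line of the constructed format
// "<RFC3339 time> user=<name> country=<CC> result=<success|fail>".
func ParseSignIn(line string) (SignIn, error) {
	f := strings.Fields(line)
	if len(f) != 4 {
		return SignIn{}, fmt.Errorf("malformed line: %q", line)
	}
	at, err := time.Parse(time.RFC3339, f[0])
	if err != nil {
		return SignIn{}, err
	}
	e := SignIn{At: at}
	for _, kv := range f[1:] {
		p := strings.SplitN(kv, "=", 2)
		if len(p) != 2 {
			return SignIn{}, fmt.Errorf("bad field %q", kv)
		}
		switch p[0] {
		case "user":
			e.User = p[1]
		case "country":
			e.Country = p[1]
		case "result":
			e.OK = p[1] == "success"
		}
	}
	return e, nil
}

// Alert is one finding for the security team to review.
type Alert struct{ User, Rule, Detail string }

// Detect alerts when a success follows at least failThreshold failures inside window,
// and when an account succeeds from a country it has not succeeded from earlier.
func Detect(events []SignIn, failThreshold int, window time.Duration) []Alert {
	sort.SliceStable(events, func(i, j int) bool { return events[i].At.Before(events[j].At) })
	var alerts []Alert
	fails := map[string][]time.Time{}    // open failure run per user
	seen := map[string]map[string]bool{} // countries each user has succeeded from
	for _, e := range events {
		if !e.OK {
			fails[e.User] = append(fails[e.User], e.At)
			continue
		}
		recent := 0
		for _, t := range fails[e.User] {
			if e.At.Sub(t) <= window {
				recent++
			}
		}
		if recent >= failThreshold {
			alerts = append(alerts, Alert{e.User, "failures-then-success",
				fmt.Sprintf("%d failures within %s before success", recent, window)})
		}
		fails[e.User] = nil // a success closes the run
		if seen[e.User] == nil {
			seen[e.User] = map[string]bool{}
		} else if !seen[e.User][e.Country] {
			alerts = append(alerts, Alert{e.User, "new-country", "first success from " + e.Country})
		}
		seen[e.User][e.Country] = true
	}
	return alerts
}

// SampleLog is constructed data, not real sign-in records.
var SampleLog = []string{
	"2015-09-14T08:00:00Z user=alice country=GB result=success",
	"2015-09-14T08:30:00Z user=alice country=GB result=success",
	"2015-09-14T09:00:00Z user=carol country=GB result=fail",
	"2015-09-14T09:30:00Z user=carol country=GB result=success",
	"2015-09-14T10:00:00Z user=bob country=GB result=fail",
	"2015-09-14T10:01:00Z user=bob country=GB result=fail",
	"2015-09-14T10:02:00Z user=bob country=GB result=fail",
	"2015-09-14T10:03:00Z user=bob country=GB result=success",
	"2015-09-14T12:00:00Z user=alice country=US result=success",
}

// AlertsFromSample parses SampleLog and applies a 3-failures-in-10-minutes rule.
func AlertsFromSample() ([]Alert, error) {
	var events []SignIn
	for _, l := range SampleLog {
		e, err := ParseSignIn(l)
		if err != nil {
			return nil, err
		}
		events = append(events, e)
	}
	return Detect(events, 3, 10*time.Minute), nil
}

func main() {
	alerts, err := AlertsFromSample()
	if err != nil {
		panic(err)
	}
	for _, a := range alerts {
		fmt.Printf("%-6s %-22s %s\n", a.User, a.Rule, a.Detail)
	}
}
```

On the sample, carol's single failure stays below the threshold and her first success sets her baseline country, so she produces no alert; bob's three failures in four minutes and alice's first success from US each produce one.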
What is the Operations Management Suite?
OMS, or Operations Management Suite, is another new feature in Windows 10 and it is a simplified IT management solution.
It's a hybrid management service that supports Azure AD, AWS, VMware, OpenStack, Linux and Windows Server, and it connects to on-premises datacenter and cloud environments, giving IT managers one single portal that allows them to collect, analyze and search through thousands of pieces of data and records that are spread across the workloads and the servers.
These days, there is so much information, so much data, and so many apps that are spread across the infrastructure, across the cloud and cloud services, it is getting difficult to know how to handle it all.
IT managers still have the task of managing and securing all that data, no matter where it is kept, and OMS makes that easier to handle.
The benefits gained from OMS are:
Log Analytics: Collect and search across many machine sources of data to identify where the problems lie in operational issues.
Availability: Regardless of where servers and apps are, OMS includes integrated recovery for them all, which is enabled by default.
Automation: Orchestration of complex and repetitive operations to provide a more efficient and cost-effective hybrid cloud management system.
Security: The ability to monitor and identify the status of malware, find missing system updates and implement them, and to collect security-related events for analysis and audit purposes.
Extended System Center: OMS combines with the existing System Center to extend its capability to deliver the full hybrid cloud management system across any cloud or any datacenter.
Hybrid and Open: Very few organizations are now housed in a single datacenter and OMS steps in to manage your hybrid cloud, irrespective of the topology or the technology being used, and integrating seamlessly with the existing on-premises infrastructure.
All of this makes protecting your data and preventing breaches and compromises easier than ever before.
Mobile Security
These days, not only do we use our devices for personal use, we also use them for business. More and more business employees use smartphones and tablets for work and Windows 10 Mobile, formerly Windows Phone, is designed around segregating personal and business uses on the device and providing the right level of security and control over the business side. Mobile devices are the number one target for a cyber-attack and, up until now, they have been more difficult to protect.
Microsoft has added in a number of security layers to protect a Windows mobile device from any number of malware and malicious attacks, allowing both end users and enterprises to relax a little, knowing that their security is in good hands.
The first line of defense is a layer of security to protect the actual hardware. All new Windows devices are equipped with a TPM 2.0 chip and have UEFI Secure Boot enabled. This is a Windows requirement and cannot be disabled by anyone. The UEFI Secure Boot system is designed to start checking your system as soon as the device is powered on, checking that the TPM is the real thing and that the firmware, and any other software that starts up, is genuine and has been signed. If it has not, it won't run, it's that simple. Once everything is declared as fit for work, UEFI will boot into the Windows Boot Manager and then into the OS itself.
The only exception to this is if there is a need to replace the OS through the use of a recovery application, in which case the boot manager will boot into flash mode.
Just how secure is UEFI though? During the manufacturing process, a number of public key hashes are fused. These hashes link to specific processes that take place in the device.
All the drivers, loaders, applications and firmware within UEFI must be signed and a UEFI database will list all keys, image hashes and certificate authorities, stating whether they are trusted or untrusted.
A secured rollback system is in place – once UEFI has checked a system and declared it to be a safe and genuine environment, secured rollback prevents a rollback to any version other than that one, effectively stopping malware that could have been hiding in an insecure
version from being installed. UEFI will be kept fully up-to-date through the Windows Update system.
Other security of the hardware includes the TPM, which was discussed earlier and which enables keys to be isolated from the OS – this means that if the system is breached in any way, those keys cannot be stolen – not even the OS itself can access them.
Health attestation completes the hardware protection layer. Health attestation is vastly improved from the version that came with Windows 8.1 and it allows Windows 10 to carry out a health check to the Cloud before it can gain access to any internal resources.
Features checked include Secure Boot, BitLocker, and other operation-essential features that need to be 100% healthy before Windows 10 can run fully.
The next layer of security is the Windows OneCore. We examine the App Platform first, because it is what users interact with when they use Windows 10 on their mobile devices.
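The chain of checks the preceding paragraphs describe for UEFI Secure Boot (a database of trusted keys, a list of forbidden image hashes, signed images, and secured rollback) can be written down as a verifier. The Go program below is an added example, not the book's code and not any firmware implementation; the key id "oem", the stage names and the image bodies are constructed, and Ed25519 stands in for the certificate-based signatures real UEFI uses. Each stage's digest binds name, version and body, so neither the body nor the version can be edited without breaking the signature, and a successful boot raises the per-stage version floor so an older build is refused afterwards.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

// Image is a constructed stand-in for one signed boot stage (firmware, loader, boot manager).
type Image struct {
	Name    string
	Version uint32
	Body    []byte
	Signer  string // id of the key in db that signed it
	Sig     []byte // Ed25519 signature over Digest()
}

// Digest binds name, version and body together, so the version cannot be edited
// without invalidating the signature.
func (img Image) Digest() []byte {
	h := sha256.New()
	h.Write([]byte(img.Name))
	var v [4]byte
	binary.BigEndian.PutUint32(v[:], img.Version)
	h.Write(v[:])
	h.Write(img.Body)
	return h.Sum(nil)
}

// Policy mirrors the UEFI databases described above: DB holds trusted signing keys,
// DBX holds revoked image hashes, and MinVersion is the secured-rollback floor per stage.
type Policy struct {
	DB         map[string]ed25519.PublicKey
	DBX        map[string]bool // hex sha256 digests that must never run
	MinVersion map[string]uint32
}

func NewPolicy() *Policy {
	return &Policy{DB: map[string]ed25519.PublicKey{}, DBX: map[string]bool{}, MinVersion: map[string]uint32{}}
}

// Verify is the check a stage gets before it is allowed to run.
func (p *Policy) Verify(img Image) error {
	d := img.Digest()
	if p.DBX[hex.EncodeToString(d)] {
		return errors.New("image is revoked (dbx)")
	}
	pub, ok := p.DB[img.Signer]
	if !ok {
		return errors.New("signer not in db")
	}
	if !ed25519.Verify(pub, d, img.Sig) {
		return errors.New("signature does not verify")
	}
	if img.Version < p.MinVersion[img.Name] {
		return fmt.Errorf("rollback refused: version %d below floor %d", img.Version, p.MinVersion[img.Name])
	}
	return nil
}

// Boot verifies every stage in order, then raises the rollback floor so that an older
// (possibly vulnerable) version can no longer be loaded at the next boot.
func (p *Policy) Boot(chain []Image) error {
	for _, img := range chain {
		if err := p.Verify(img); err != nil {
			return fmt.Errorf("%s: %w", img.Name, err)
		}
	}
	for _, img := range chain {
		if img.Version > p.MinVersion[img.Name] {
			p.MinVersion[img.Name] = img.Version
		}
	}
	return nil
}

// Sign is what the vendor does at manufacturing time; the private key stays with them.
func Sign(priv ed25519.PrivateKey, signer string, img *Image) {
	img.Signer = signer
	img.Sig = ed25519.Sign(priv, img.Digest())
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	p := NewPolicy()
	p.DB["oem"] = pub
	fw := Image{Name: "firmware", Version: 2, Body: []byte("fw-v2")}
	bm := Image{Name: "bootmgr", Version: 2, Body: []byte("bootmgr-v2")}
	Sign(priv, "oem", &fw)
	Sign(priv, "oem", &bm)
	fmt.Println("boot v2:", p.Boot([]Image{fw, bm}))
	old := Image{Name: "firmware", Version: 1, Body: []byte("fw-v1")}
	Sign(priv, "oem", &old)
	fmt.Println("boot v1 after v2:", p.Boot([]Image{old, bm}))
}
```

The second Boot call in main fails even though the v1 firmware carries a valid vendor signature: that is the secured-rollback property, which is distinct from signature checking and needs its own state (the version floor) to enforce.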
Windows 10 only supports modern apps or RT apps depending on your system, and not Win32 apps. The new security layer for the app platform model works like this:
• The OS runs in a TCB – Trusted Computing Base – where nobody can access it and nobody can make changes to it.
• Apps that are installed via the store or are shipped with a device are installed in a sandbox, or in a Least Privilege Chamber (LPC). When the app is put into the chamber, it is given permissions based on what it needs to run and no more. This means that it will only do what it says on the box and cannot be touched by malware that tries to order it to deviate from that. The permissions that are linked to that chamber cannot be changed or elevated by anyone, only by an upgrade with a new manifest.
Windows 10 for Mobile will come with a number of preinstalled apps, as follows:
All of these are modern apps and can be fully updated with new functions without the need to go through the mobile operator to deliver the update – instead, they will be updated through Windows Updates, under a feature called Windows as a Service.
Access to apps and services has always caused concern in terms of security. Microsoft is implementing a number of new features on both the Desktop and the Mobile versions of Windows 10 that will secure access more than ever before.
Many users are fed up with the current password system. Not only is it too much to have to remember multiple passwords, it is simply not secure. Most people tend to stick to the same password for everything – there are so many places that require ID to be proven now that you could probably produce a book filled with all the different access details you would need.
Businesses want more control over what their end-users are accessing, not to be nosy but to better understand patterns and to detect potential threats and/or security leaks. So Microsoft has come up with Windows Hello.
We know all about this from the desktop version and the Mobile version is the same, so to recap:
• Windows Hello is a biometric system
• It uses clean IR for iris or facial recognition, or a fingerprint reader
• New hardware will need to be produced to complement this feature because today's mobiles do not have the capabilities to recognize facial or iris details; some may have an integrated fingerprint reader, which may also need to be updated; devices also need to be capable of 3D vision for detection purposes
• Microsoft is working hard on the False Acceptance Rate (FAR) – currently at 1/100,000 – and on reducing the False Rejection Rate (FRR), which is currently between 2-4%
• Passwords and/or PIN numbers may still be used, but the difference here is that these can be covered by MDM – Mobile Device Management – especially in BYOD situations
Microsoft Passport is another system that will be on Windows 10 for desktop and mobile and is a replacement for the old password system. Instead of a password, a key pair is generated, one public and one private, after a user has created trust with their IDP – identity provider.
The private key will never leave the device it is paired with. Users have a choice of providers, anyone that is a part of the FIDO Alliance, such as Microsoft themselves, Google, Facebook, Twitter, etc.
The difference with business users is that an end-user will create their Passport account, specifying whether the account is for business or personal use. When the user has to create trust, the IDP may require that a second layer of authentication is included to prove identity, perhaps a phone call or text message.
Once the trust has been created, the keys are produced and, when validated, an authentication token is sent to the device. That token can then be used on a number of third-party relying resources that trust those tokens.
An access token is created and this can be controlled by MDM – you can set a time limit on the access the user has to a particular site, meaning that they will need to re-authenticate after that limit expires if they want to gain access to the site again.
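The registration and sign-on flow described for Microsoft Passport (a device key pair, trust creation gated on a second factor, a challenge signed by the private key that never leaves the device, and a time-limited token accepted by relying parties) is shown end to end below. This Go program is an added example, not the book's code and not Microsoft's implementation; the Provider and Device types, the user name and the one-hour limit are constructed, and Ed25519 stands in for whatever key type a real provider uses. Both sides' messages are visible: Challenge and Authenticate on the provider, Prove on the device, and Accept at the relying party, which trusts only the provider's key and never sees the device's.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"strconv"
	"time"
)

func genKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Device keeps the private half of the key pair; only Public ever leaves it.
type Device struct {
	priv   ed25519.PrivateKey
	Public ed25519.PublicKey
}

func NewDevice() *Device {
	pub, priv := genKey()
	return &Device{priv: priv, Public: pub}
}

// Prove signs the provider's one-time challenge; the key itself is never transmitted.
func (d *Device) Prove(challenge []byte) []byte { return ed25519.Sign(d.priv, challenge) }

// Token is what the provider issues and relying parties accept; Expires is the
// MDM-style time limit after which the user must authenticate again.
type Token struct {
	User    string
	Expires time.Time
	Sig     []byte // provider signature over tokenBytes
}

func tokenBytes(user string, exp time.Time) []byte {
	return []byte(user + "|" + strconv.FormatInt(exp.Unix(), 10))
}

// Provider is a constructed identity provider (IDP).
type Provider struct {
	priv    ed25519.PrivateKey
	Public  ed25519.PublicKey // relying parties trust this key
	keys    map[string]ed25519.PublicKey
	pending map[string][]byte // outstanding challenge per user, single use
}

func NewProvider() *Provider {
	pub, priv := genKey()
	return &Provider{priv: priv, Public: pub, keys: map[string]ed25519.PublicKey{}, pending: map[string][]byte{}}
}

// Register creates trust: the device key is enrolled only after the second factor
// (a call or text, outside this example) has been confirmed.
func (p *Provider) Register(user string, pub ed25519.PublicKey, secondFactorOK bool) error {
	if !secondFactorOK {
		return errors.New("enrollment requires the second factor")
	}
	p.keys[user] = pub
	return nil
}

// Challenge hands out a fresh random nonce; signing it proves possession of the key.
func (p *Provider) Challenge(user string) ([]byte, error) {
	if _, ok := p.keys[user]; !ok {
		return nil, errors.New("unknown user")
	}
	n := make([]byte, 32)
	if _, err := rand.Read(n); err != nil {
		return nil, err
	}
	p.pending[user] = n
	return n, nil
}

// Authenticate checks the device's answer and, if valid, issues a token good for ttl.
func (p *Provider) Authenticate(user string, proof []byte, now time.Time, ttl time.Duration) (Token, error) {
	n, ok := p.pending[user]
	delete(p.pending, user) // one attempt per challenge, success or not
	if !ok || !ed25519.Verify(p.keys[user], n, proof) {
		return Token{}, errors.New("proof rejected")
	}
	exp := now.Add(ttl)
	return Token{User: user, Expires: exp, Sig: ed25519.Sign(p.priv, tokenBytes(user, exp))}, nil
}

// Accept is the relying party's check: it trusts the provider's key, never the device's.
func Accept(providerPub ed25519.PublicKey, t Token, now time.Time) error {
	if !now.Before(t.Expires) {
		return errors.New("token expired; re-authenticate")
	}
	if !ed25519.Verify(providerPub, tokenBytes(t.User, t.Expires), t.Sig) {
		return errors.New("token signature invalid")
	}
	return nil
}

func main() {
	now := time.Date(2015, 9, 15, 9, 0, 0, 0, time.UTC)
	dev, idp := NewDevice(), NewProvider()
	if err := idp.Register("alice", dev.Public, true); err != nil {
		panic(err)
	}
	ch, _ := idp.Challenge("alice")
	tok, err := idp.Authenticate("alice", dev.Prove(ch), now, time.Hour)
	fmt.Println("issued:", err, "| now:", Accept(idp.Public, tok, now), "| after 2h:", Accept(idp.Public, tok, now.Add(2*time.Hour)))
}
```

Because the expiry is covered by the provider's signature, a relying party cannot be handed a token whose lifetime was edited after issue, and because each challenge is deleted on first use, a captured proof cannot be replayed to obtain a second token.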
Enterprise expectations for corporate access are "anytime, anywhere, secure remote access", as shown below:
Furthermore, to enable data and access to be protected to and from a device, Microsoft has expanded their VPN capabilities in Windows 10. Again, these can be MDM-managed in two main ways:
• On a per-application basis – IT can give user access to specific sites through a VPN and this is fully integrated with Enterprise Data Protection
• On an "Always-On" basis, which means users will access sites through a VPN on a permanent basis, until they turn it off; this can be managed and IT decides whether to allow a user to disable the VPN or not
BitLocker is also present on all devices, and this is designed to protect the data on a mobile device when it is lost or stolen. All corporate data is encrypted, which protects it against cold boot attacks. In order for this to work, UEFI Secure Boot must be enabled, which is standard on Windows 10 Mobile.
Enterprise Data Protection on a mobile device is essentially the same as it is on a desktop environment. It is MDM-dependent and, once enrollment has taken place, trust has been created. The device will then be enrolled in MDM at the same time as the authentication token is issued.
This means that IT can set key policies to protect data on each individual device and for each individual user. This includes managing keys, setting enterprise apps for users, protecting the network and storage facilities, and audit controls. Part of this includes enterprise apps not being usable on a personal login, as they are kept entirely separate.
There are enlightened apps as well, such as MS Office. For example, if you open a new Word document or Excel template, a message will appear asking if this is for personal or business use.
Personal use documents are not encrypted whereas the enterprise ones are.
IT can also set permissions for things like Copy/Paste actions. Let's say, for example, that you copied a piece of data from a corporate document or website and tried to paste it to a personal one. IT can set a number of permissions here:
• Block altogether
• Allow
• Or allow the user to decide
If a user opts to go ahead and paste the data, even though they have been warned it is of corporate origin, their actions are subject to audit controls.
Finally, IT can remove permissions automatically for people who leave employment or move to a different area of the enterprise. This means that any access to apps they had permission to use will automatically be removed.
MDM – Mobile Device Management and the Business Store
Today's business needs are changing fast and Microsoft is offering enterprise management what it needs with Windows 10. It used to be that a workday was a simple 9-5, Monday to Friday thing, with employees sitting at their desk in the office.
Their PCs would be connected to a LAN network; PCs that were provided and managed by the enterprise. They had just one device ecosystem to use with an extended operating system.
In this scenario, devices would have a long life because they were kept serviced and updated. Users could share files and data on-premises and their access to apps was controlled by the organization.
Management would be deeply involved in setting controls and policies and malware was seen as criminal activity and vandalism. The network perimeter worked as a good defense system and devices were vertically integrated for workers.
So, what's changed? The advent of the mobile device is what changed it all. More people are using their mobiles for work, and enterprises need to change to incorporate this new environment. Of course, this means that those devices are being used 24/7 for both work and personal activities.
Instead of working on a desktop connected to that LAN network, we are now working on our mobile devices, connected to any network. Not only are we using personal apps, we are using corporate apps, all on the same device.
We can use any number of ecosystems, including Android, iOS and Chrome, as well as Windows. Our devices are not lasting as long as the specific desktops that we had before because of the changes in hardware and specs.
Instead of using on-premises apps, we use SaaS and file-sharing apps. This means that access control is much harder because instead of being confined to the organization, now it is spread out over the user and the device as well.
Cloud-based management means there are fewer controls and malware is seen more as a weapon used for espionage. Instead of being knowingly secure, we must now operate under the assumption that our device has been breached and, if it hasn't, it will be at some point. Also, instead of vertically adapted devices, we now have dynamically adapted devices.
With more organizations and employees adopting BYOD, the security challenges are much harder. The sheer diversity of devices, apps, and networks is astonishing and with the loss of the perimeter defense system comes the much higher likelihood of attack.
Look at it this way – by the end of 2018, more than 50% of all users will automatically turn to their mobile device for online activities, before they even think about using a desktop environment. By the end of 2016, more than 40% of the world population will own a smartphone or a tablet. Add to that the more than 6.5 billion wireless connections in use today and you can see the scale of the problem.
Attacks are increasing in intensity; they are more organized, more persistent, and specifically targeted. In the last couple of years alone, the number of attacks on major, well-known retailers, such as Sony and eBay, have increased significantly and if they can be hacked, so can you.
The final layer of security that Microsoft has included is App Security. Up until now, there has been no control over which apps users download and install and from where. With
Windows 10, extra layers have been added in. Users can still purchase and download apps for personal use using their own LIVE ID.
However, there is now a Business store where app licenses can be purchased for use by end-users. These are placed within the Company Portal, a separate store within the store, and permissions are given to the people that need them. This makes app deployment much easier, safer and far more secure.
Windows 10 brings choices to managers – traditional management, including Group Policy, System Center and all the related components, and then there's MDM, or Mobile Device Management. This has undergone some serious enhancement since its inception in Windows 8.1 and the capabilities have been expanded with Windows 10.
With Windows 8.1 and Windows Phone 8.1, devices had to meet enterprise security requirements before being able to access corporate data. Windows Phone 8.1 went a little further and enabled device lockdown, meaning that devices could be configured to run specific apps.
So, as shown below, Windows 10 devices are fully managed corporate devices when deployed by businesses.
In Windows 10, Microsoft have enhanced each separate phase of MDM provisioning, including:
• Easy enrollment capabilities for automating MDM enrollment of the specific device as a part of the AAD Join process
• New configuration and Start Menu management tools
• New Windows Update controls, allowing you to set when specific updates are rolled out to MDM devices
• New configuration settings for Enterprise Data Protection and AppLocker
• Better integration with Windows Store and Business Store for automated app management
• Full capabilities for wiping devices
All of these capabilities and more will be fully supported on all types of devices, including Windows Phones, tablets and Internet of Things devices, as illustrated below.
Active Directory is used by virtually all businesses today to provide security and identity services. All of the AD capabilities will be fully supported in Windows 10, but the biggest single change is the addition of full support for Azure Active Directory.
This means that Windows 10 is aware of all the directories and accounts in AAD and can use these in many different ways.
First, though, it is vital that you understand that you do not need to choose between AD and AAD – if you have AD you will automatically be able to use AAD as well, taking advantage of the extra capabilities.
Windows 10 is able to support management of BYOD (personally owned) and organizational devices, and the same remains true when we talk about identity as well. A device that is owned by the organization can be joined to an AD domain to establish trust and can then be signed on with an AAD account.
You can also choose to join the device as an AAD tenant and then sign on with an AAD account, which will give full support for roaming through Azure storage.
The real value comes when the device is combined with both. After the AD domain has been synchronized with AAD, extra benefits are available in the form of single sign-on. Windows 10 automatically recognizes the association between the accounts, meaning that AD users can access cloud-based services without having to log on again. And vice versa – AAD users can access on-premises data with no need for additional authentication.
I'm not just talking about Microsoft cloud here though; I'm talking about having single sign-on for hundreds of different SaaS (Software as a Service) providers. Simply define the connection between AAD and the services you want, and you are all set for single sign-on.
For BYOD devices, Windows 10 will support device registration for registering personal devices. Once it is registered, as shown below, you gain an additional level of trust, which means that access would be allowed to all sorts of services and apps that an unregistered device couldn't get.
For AAD to be used, an AAD tenant must be set up for the organization (those who use Intune or Office 365 will already have this). After that, the synchronization takes place between the AD domain and AAD using Azure AD Sync. This runs periodically to ensure that AAD is kept fully up to date.
All devices can join AAD or they can just leverage AAD accounts. Either way, they will gain single sign-on access to cloud services, as well as getting app roaming settings and data for a wide range of devices.
Browser Security
On Windows 10 Phone devices, there will be only one browser – Edge. This is the replacement for Internet Explorer and is Microsoft's new, cutting-edge browser.
Of course, with a new browser comes a whole set of fresh security challenges and on a mobile device used as a corporate device, Edge can be MDM-managed.
Microsoft are introducing a whole new set of policies for Edge. To start with, there are Group Policies, which use the existing GPO/GPP/SCCM infrastructure. There are also MDM policies that are on a par with the group policies and are brand new to Windows 10.
The MDM policies provide cross-platform management capabilities for different operating systems and are a standards-based infrastructure. All of these packages add up into one nice and neat result – a fully managed Microsoft Edge.
MDM is a way of consistently managing multi-platform devices using Extensible Markup Language, or XML, for data exchange. XML defines rules for encoding data in a way that both the device and a human can read.
MDM is fully supported by all major mobile manufacturers and it covers the entire life of the device, including:
• Device enrollment
• Configuration
• App management
• Remote assistance and inventory
• The retirement of the device
Microsoft Edge policies are scenario-driven, which means that they will depend entirely on the use and permissions of the device and the individual.
They are also consistent across all devices, regardless of what they are, and include the following:
• Enterprise site list configuration
• Sending the Intranet to IE (for compatibility reasons)
• Allowing the browser on a mobile
• Default browser
• Allowing pop-ups
• Configuring cookies
• Allowing SmartScreen
• Allowing Active Scripting
• Configuring the home page
• Allowing Do Not Track
• Allowing Autofill
• Configuring Password Manager
• Disabling search suggestions in the address bar
All of this is designed to help keep corporate data safe by monitoring what corporate users can and cannot do and the capabilities they have access to.
This reduces the risk of malware, or any other unwelcome threat vector, making it onto the mobile device and potentially accessing corporate data.
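As an added example (not code from the book or from Microsoft) tying together the XML data exchange described above and the Edge policy list: a hardened baseline for several of those policies, rendered as the OMA-DM SyncML an MDM server would send, plus a drift check against what a device reports back. The Browser Policy CSP node names and their integer values are assumptions to verify against Microsoft's current documentation, and the device reply is constructed sample data.

```python
"""Edge MDM policy baseline as OMA-DM SyncML, plus a drift check.
Added example, not from the book. The OMA-URI node names follow the Windows Policy
CSP "Browser" area (assumed; verify against current Microsoft docs), the baseline
values are this example's own choices, and SAMPLE_DEVICE_REPLY is constructed."""
import xml.etree.ElementTree as ET

POLICY_ROOT = "./Device/Vendor/MSFT/Policy/Config/Browser/"
NS = {"s": "SYNCML:SYNCML1.2"}

# Hardened baseline for policies the book lists (values are assumptions).
EDGE_BASELINE = {
    "AllowSmartScreen": 1,                       # keep SmartScreen on
    "AllowPopups": 0,                            # block pop-ups
    "AllowCookies": 1,                           # block third-party cookies
    "AllowDoNotTrack": 1,                        # send the Do Not Track header
    "AllowAutofill": 0,                          # no form autofill
    "AllowPasswordManager": 0,                   # no browser-stored passwords
    "AllowSearchSuggestionsinAddressBar": 0,     # no address-bar suggestions
    "SendIntranetTraffictoInternetExplorer": 1,  # legacy intranet sites open in IE
}

# Constructed reply: the device reports only two nodes, one of them drifted.
SAMPLE_DEVICE_REPLY = f"""<SyncML xmlns="SYNCML:SYNCML1.2"><SyncBody><Results><CmdID>3</CmdID>
<Item><Source><LocURI>{POLICY_ROOT}AllowSmartScreen</LocURI></Source><Data>0</Data></Item>
<Item><Source><LocURI>{POLICY_ROOT}AllowPopups</LocURI></Source><Data>0</Data></Item>
</Results><Final/></SyncBody></SyncML>"""

def build_syncml(policies=EDGE_BASELINE, first_cmd_id=2):
    """Render the baseline as one SyncML <Replace> per policy node."""
    root = ET.Element("SyncML", xmlns="SYNCML:SYNCML1.2")
    body = ET.SubElement(root, "SyncBody")
    for cmd_id, (name, value) in enumerate(sorted(policies.items()), first_cmd_id):
        rep = ET.SubElement(body, "Replace")
        ET.SubElement(rep, "CmdID").text = str(cmd_id)
        item = ET.SubElement(rep, "Item")
        ET.SubElement(ET.SubElement(item, "Target"), "LocURI").text = POLICY_ROOT + name
        ET.SubElement(ET.SubElement(item, "Meta"), "Format", xmlns="syncml:metinf").text = "int"
        ET.SubElement(item, "Data").text = str(value)
    ET.SubElement(body, "Final")
    return ET.tostring(root, encoding="unicode")

def parse_results(results_xml):
    """Parse a device's SyncML <Results> reply into {policy name: int value}."""
    state = {}
    for item in ET.fromstring(results_xml).iterfind(".//s:Results/s:Item", NS):
        uri = item.findtext("s:Source/s:LocURI", namespaces=NS) or ""
        if uri.startswith(POLICY_ROOT):
            state[uri[len(POLICY_ROOT):]] = int(item.findtext("s:Data", namespaces=NS))
    return state

def audit(reported, baseline=EDGE_BASELINE):
    """Map each baseline node that is missing or drifted to (reported, wanted)."""
    return {n: (reported.get(n), w) for n, w in baseline.items() if reported.get(n) != w}
```

A node the device does not report at all is treated as drift, which is the safer reading when a compliance check is deciding whether the browser is actually managed.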
Enterprise Mobility Suite
Enterprise Mobility Suite (EMS) is Microsoft's answer to access control security. Right now, most corporate data is stored on premises, most likely in Active Directory, and is accessed through the Internet via browsers on mobile platforms and PCs.
In short, there is actually very little control over who accesses what, from where, and when. The weakest point in the system is the DMZ, or the perimeter, because there are so many ways of access that are difficult and cumbersome to keep control of.
Microsoft's solution is to build access control into all apps, on-premises and cloud services, as a way of containing data and stopping it from leaking.
So, at the base layer of EMS, on the mobile device, is MDM – Mobile Device Management. This is pretty much standard on most corporate devices and allows access to various services.
The next layer, compounding that, is Office 365 Mobile Productivity, and this encompasses all Office apps, such as Word, Excel and OneDrive. This comes with two built-in libraries – Active Directory Authentication and Intune Data Protection.
Finishing off is extensibility, which allows business apps interoperability with Office Mobile.
The first and most important part of EMS is conditional access control, a part of Azure AD Premium that is made up of the following layers:
• User attributes – the user must identify who they are, and the groups they belong to determine their access to specific apps. This also determines whether multi-factor authentication is required for them.
• Device authentication – the whole idea of security in Windows 10 is to tie a user to a device. Not only does the user have to prove who they are, they have to prove their device is compliant, is MDM-managed, and is not lost or stolen before they can be given access.
• Applications – these are based on business sensitivity and users are only given access to the apps they need, with IT setting up the appropriate permissions.
• Network – the EMS can determine where the user is accessing the network from and can decide if MFA is required, based on location and whether they are inside or outside the network.
Office 365
Under conditional access controls, users are blocked from using Office apps until they have been enrolled in MDM and are compliant with company policies.
Once they have been granted access, after identity authentication, all app data is encrypted and sharing is restricted to managed apps. Applied policies are enforced, which gives all Office 365 apps a built-in layer of protection.
For data that is shared externally, i.e. emails and their attachments, the data is encrypted to secure it. Should a device be lost or stolen, or an employee leave the company, all accesses are revoked and corporate data can be remotely wiped, taking access away from that individual and/or device.
The following two diagrams show the same access controls for the use of Outlook on iOS and Android and access to SharePoint from OneDrive Mobile:
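The four conditional access layers listed above, and the Office 365 rule that an unenrolled or non-compliant device is blocked, worked through as an added example (this is illustrative code, not Microsoft's; the attribute names, the "low/medium/high" sensitivity scale and the decision table are this example's own assumptions, since the real policies are configured in Azure AD rather than in code):

```python
"""Conditional access decision modelled on the EMS layers described above.
Added example, not Microsoft's code. The attribute names, group names, the
sensitivity scale and the decision table are this example's own assumptions."""
from dataclasses import dataclass, field

@dataclass
class User:
    name: str
    groups: set = field(default_factory=set)
    authenticated: bool = False          # identity already proven to Azure AD

@dataclass
class Device:
    device_id: str
    mdm_enrolled: bool = False
    compliant: bool = False              # passed the MDM compliance checks
    lost_or_stolen: bool = False         # reported lost: access is revoked

@dataclass
class App:
    name: str
    sensitivity: str                     # "low", "medium" or "high" (assumed scale)
    allowed_groups: set = field(default_factory=set)

# Decision values (assumed names).
ALLOW, ALLOW_WITH_MFA, DENY = "allow", "allow_with_mfa", "deny"

def evaluate(user, device, app, inside_corp_network):
    """Walk the layers in order; the first failing layer denies.
    Returns (decision, reason)."""
    # Layer 1 - user attributes: identity proven and a group that grants the app.
    if not user.authenticated:
        return DENY, "identity not authenticated"
    if not (user.groups & app.allowed_groups):
        return DENY, f"no group grants access to {app.name}"
    # Layer 2 - device: not lost/stolen, MDM-enrolled and compliant (the Office
    # 365 rule: no enrollment and compliance, no app access).
    if device.lost_or_stolen:
        return DENY, "device reported lost or stolen"
    if not (device.mdm_enrolled and device.compliant):
        return DENY, "device is not MDM-enrolled and compliant"
    # Layers 3 and 4 - app sensitivity and network location decide whether
    # multi-factor authentication is demanded on top of the identity check.
    if app.sensitivity == "high" or not inside_corp_network:
        return ALLOW_WITH_MFA, "high-sensitivity app or extranet access"
    return ALLOW, "all layers satisfied"
```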
Conditional Access to Azure AD Connected Applications
Azure AD comes complete with more than 2,000 preconfigured apps, and access can be controlled on a per-app basis: requiring MFA per app, restricting per-app access from the extranet, or blocking apps from extranets altogether. These are SaaS apps, and IT can target specific groups of people to have access to specific apps only, or can block groups or individuals from accessing certain apps. This means that users get to see only what they need to do their jobs and no more, restricting the chances of data leakage.
Device Conditional Access
Access can be restricted to only those devices that are managed and are compliant. Auto-Workplace Join PCs will be automatically marked as managed and will be included in the access policies. Any device whose attributes change will have its access revoked, and the user may be asked to provide a new set of credentials.
Support is built in for a number of different major SSL VPN providers, including Juniper, Cisco, Checkpoint, SonicWALL, SFS and other custom VPN payloads. Native VPN standards such as PPTP, L2TP and IKEv2 are supported, as is app-triggered VPN and multiple Wi-Fi authentication types, like WEP, WPA/WPA2, and Enterprise.
Windows as a Service – More Security via Secure Updates
We all know that things are changing, and with those changes come new problems and new challenges.
End-users and vendors alike have expressed concern about adopting Windows 10, and some of the more common issues raised include:
• Concern that the upgrade to Windows 10 will break current apps
• Key software vendors are concerned that they won't have enough time to test and then issue their statements of support
• People feel that they need more time to plan for Windows 10
• There is too much interdependency between the editions of all the different MS products
• Deployment is too time-consuming and much too expensive
• Concern over security vulnerabilities
• People are saying that they need help to implement this brand new system
So, in terms of adoption, Microsoft has listened, and this is what they feel end-users and business users want:
Agility:
• Access to new technology
• Microsoft needs to implement feedback quickly
• Transparency
• Enterprise-grade capabilities so that users can address the latest market trends
• Flexibility for mixed environments
Control:
• More stability
• Fewer upgrades
• A longer lifecycle for support
• More time to test and certify
• Predictability
• ISV statement of support
Windows as a Service provides a great experience for the consumer – updates are rolled out automatically through Windows Update, and the sheer diversity of the user base keeps the updates on target and specific. In addition, BYOD devices are kept fully up to date and secure, and millions of devices are updated each time.
On the other side of the coin, we have special systems: systems like air traffic control, medical systems and banking systems. All of these are mission-critical and probably don't need all the updates, all of the time, but do get regular security updates.
In the middle, we have the business user. The business user is not a consumer and does not need as many updates as consumers do, certainly not all the time and not at inopportune moments.
They are also not a special system case, although they do need stability, planning, etc. So, how should business users be treated, since neither of these update systems works particularly well for them?
Microsoft says that business users should be treated as the professionals that they are. They should be provided with updates only after the market has validated them.
In theory, this means they get access to the latest technology and value much sooner.
They should also have time to test and plan the update after its release to the broad market, and these updates will be deployed via a brand new system called Windows Update for Business.
Windows Update for Business
Windows Update for Business is a brand new feature, designed with the help of IT professionals from all over the world. The feature is designed to provide:
• Roll-out Rings: the IT pro can specify which devices are updated and when, deploying the update in waves so as to work any kinks out of the system before they go to the critical devices.
• Maintenance Windows: the IT pro specifies critical timeframes for when the updates should and should not be deployed.
• Peer-to-Peer Delivery: IT can enable this to deliver updates to branch offices and remote sites with limited bandwidth in a more efficient manner.
• Integration with Existing Tools: such as Enterprise Mobility Suite, so that the tools are fully integrated in the system management.
Windows Update for Business is designed to reduce management costs and provide more control over the deployment of updates. It will also offer quicker access to critical security updates and provide quick access to the latest innovations from Microsoft on a regular and ongoing basis.
In the past, two software update options were available – Windows Update (WU), which is what we have now, aimed at BYOD devices, consumer devices and test machines; and Windows Server Update Services (WSUS), which is aimed at those special systems that need critical security updates.
Now we have Windows Update for Business (WUB). WUB allows managers to attach devices to updates, rather than the other way around.
You get to decide which devices get which updates and when, and critical security updates will be delivered to you for deployment on a regular basis.
Windows 10 and the Internet of Things
What is the Internet of Things? IoT is the future, the future of connecting things and devices, and while it remains largely unexplored and disjointed, the opportunities are huge. To give you some idea of the sheer scale of things to come:
• By the year 2020, there will be an estimated 28 billion "things" connected to the Internet – that's four for every person on earth.
• By 2017, the opportunities for wearable devices will be worth approximately $20 billion.
• By 2017, the opportunities for the Smart Home will be worth approximately $12 billion.
But, with these huge opportunities come huge challenges, such as:
• Proprietary hardware and protocols that complicate deployment
• Manageability, configuration and identity
• Security
IoT is broken down into two main areas – Consumer and Enterprise. On the consumer side, we tend to think mainly of home devices, for automation, security, entertainment and energy management.
The Enterprise side is a little less defined and largely unexplored. The IoT is complicated – there are thousands of connections out there and no real interoperability.
Each device connects to its own separate app and possibly to its own cloud, and each one is separated from the others by a walled garden, a sandbox of activity.
To get any real value from the Internet of Things, all these devices need to be able to connect with each other, across brands and across categories.
AllSeen and AllJoyn
AllJoyn is the name of an open source technology, a communications network that allows devices to talk to one another and gives those devices and apps a high degree of interoperability.
AllSeen is an alliance that was set up to oversee AllJoyn, to enable the Internet of Things to work, and is also part of the Linux Foundation open source project.
AllJoyn is designed to allow devices to:
• Discover nearby friendly devices
• Identify services that are running on other devices
• Adapt to devices that are coming and going, i.e. if two devices were once paired together and then disconnected, when they are paired again they will remember the previous pairing and what was done when they were paired
• Manage diverse transports, also known as 'radio soup'
• Interoperate between all operating systems
• Exchange information, enabling one device to make another more powerful by knowing what services are running on that device.
Where Does Windows 10 Come In?
As a premier member of the AllSeen Alliance, Microsoft is bringing AllJoyn into Windows 10, in three separate Windows 10 for IoT editions:
• Windows 10 IoT for Industry: enterprise devices, a full version of Windows 10 running a Desktop Shell and including legacy support for Win32 and Universal Windows apps and drivers.
• Windows 10 IoT for Mobile: a mobile device version with a Modern Shell, which can only run modern or Universal Windows apps and drivers, but not Win32.
• Windows 10 IoT Core: this has no shell and no user interface. It is for devices that connect sensors together, for example, for mission-critical systems. Another example is Internet TV boxes, such as Raspberry Pi, etc., with only one app running to pull everything together, gathering information and sending it all to Azure.
Microsoft is also working on giving developers the ability to build their own apps for IoT, opening up the way ahead for full-scale interoperability.
IoT Azure Security
IoT presents a brand new set of challenges in terms of security, for both the developer and the architect.
Devices get deployed, often with no supervision, in public places. We want to be able to control things remotely, perhaps devices in our homes while we are away, perhaps a car-sharing vehicle using a smartphone.
All of this has to be done in a secure way, a way that can't be tampered with, spoofed, or degraded in any way. Microsoft has come up with a way to secure our IoT experience through Azure.
Digital security has often been sidelined; operational technology engineers focus on systems that are generally closed and isolated, and IT engineers don't generally focus on personal safety.
However, it is a fundamental requirement now for IoT devices to be able to communicate with cloud-based analytic and control services, whether directly or indirectly. Together with the requirement for remote servicing and remote control of digital devices, it is past time to start looking beyond perimeter boundaries. This means that the basic network-level security seen in most systems is simply not sufficient anymore.
Service Assisted Communication is a proven model that allows for secure communication between devices and their associated services, and also with those across local networks. SAC brokers the communication with a device by directing it through a trusted gateway, either in the field or in the cloud.
This means that the device acts only as a network client to the gateway, over a peer-secured channel, which, in turn, limits the chances of unsolicited and malicious connection attempts.
Azure IoT Hub is a supercharged version of Event Hub with explicit support for field gateways and additional protocols. Customers will be able to go to the Azure portal and build an IoT hub, giving them bidirectional capability. This capability gives you a way of talking directly to an IoT hub through HTTPS or AMQPS (Advanced Message Queuing Protocol, secured).
Inside the hub is an Identity Registry that allows millions of devices to be registered. Each registered device is federated against and via Azure Active Directory to check its authenticity.
An IoT hub will be secure, with TLS always enforced – the hub will never allow a connection that is not secured, which means that any plain HTTP traffic will be turned away at the door and redirected to a self-hosted gateway. Native support for Service Assisted Communication is built in, with the potential to hold on to millions of those bidirectional capabilities I mentioned earlier.
Authentication takes place at the channel level, and gateway authorization is given based on identity registry checks. Microsoft tags all messages with the device identity, stopping spoofing attempts in their tracks. Device management is included so that software updates can be managed, as well as the ability to check on the state of a specific device.
As already discussed in detail, Windows 10 is providing a trusted model for security across all hardware – secure boot, trusted driver validation, trusted app validation and security policy enforcement, as well as a whole boatload of secure networking capabilities.
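The gateway-side behaviour just described (TLS-only endpoints, an identity registry, per-device channel authentication, and every accepted message tagged with the identity the gateway verified rather than the one the payload claims) as an added example. This is illustrative code, not Azure's: the token format (an HMAC-SHA256 over the resource URI and expiry, in the spirit of IoT Hub's SAS tokens), the resource URI, the device keys and the registry contents are this example's own assumptions and constructed sample data.

```python
"""Gateway checks modelled on the IoT Hub behaviour described above.
Added example, not Azure code. The token format, resource URI, device keys
and registry contents are assumptions / constructed sample data."""
import base64, hashlib, hmac, time
from urllib.parse import urlsplit

# Constructed identity registry: device id -> (base64 key, enabled flag).
REGISTRY = {
    "thermostat-01": ("c2VjcmV0LWtleS0wMQ==", True),
    "pump-07":       ("c2VjcmV0LWtleS0wNw==", False),   # disabled after a loss report
}
ALLOWED_SCHEMES = {"https", "amqps"}          # TLS-protected transports only

def make_token(device_id, key_b64, expiry):
    """Device side: sign 'uri\\nexpiry' with its registry key (assumed format)."""
    uri = f"example-hub/devices/{device_id}"  # assumed resource URI
    msg = f"{uri}\n{expiry}".encode()
    sig = hmac.new(base64.b64decode(key_b64), msg, hashlib.sha256).digest()
    return {"sr": uri, "sig": base64.b64encode(sig).decode(), "se": expiry}

def authenticate(device_id, token, now=None):
    """Gateway side: registry lookup, expiry check, constant-time signature compare."""
    entry = REGISTRY.get(device_id)
    if entry is None or not entry[1]:
        return False, "unknown or disabled device"
    now = time.time() if now is None else now
    if token["se"] < now:
        return False, "token expired"
    expected = make_token(device_id, entry[0], token["se"])["sig"]
    if not hmac.compare_digest(expected, token["sig"]):
        return False, "bad signature"
    return True, "ok"

def accept_message(endpoint, device_id, token, payload, now=None):
    """Refuse plaintext transports, authenticate the channel, then tag the
    message with the authenticated identity. Any device id the payload itself
    carries is ignored, so a device cannot speak for another one."""
    if urlsplit(endpoint).scheme not in ALLOWED_SCHEMES:
        return None, "plaintext transport refused"
    ok, why = authenticate(device_id, token, now)
    if not ok:
        return None, why
    return {"device_id": device_id, "payload": payload}, "accepted"
```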
Azure IoT services bring hyper-scale connection capabilities, for collecting, storing and processing IoT data, as well as ensuring a secure communication stream between the cloud and devices, or field gateways, through the SAC system.
In the same way that a Windows 10 device can combine with any cloud platform, Azure IoT services will be able to provide support for any device and any operating system, provided a compatible communication stack is present. Additionally, through Azure, Microsoft is committed to securing data and to keeping it private; the same applies to all IoT data.
Summary
A tremendous amount of thought and planning has gone into making the Windows 10 ecosystem secure. Microsoft has taken the time to listen to customers, make adjustments and, in many areas, be proactive to lock down different elements of the O.S. In areas like facial recognition (via Windows Hello), Microsoft is leading the way in helping bring industrial-strength security to corporations AND the regular consumer. As long as there are computers that are locked down, there will be hackers trying to break into them. With Windows 10, however, Microsoft has done its best to make it pretty damn hard for someone to get into your PC if you use the tools available to you.
I hope this book has been as much fun to read as it was for me to write. As usual, I would love to hear from you, so feel free to email me at securitybook@windows10update.com
Additional Windows 10 Training
In addition, if you are looking for Windows 10 training, we have a couple of classes on Udemy you should check out.
Introduction to Microsoft's Windows 10
https://www.udemy.com/introduction-to-windows-10/
This class is regularly $50. Here's a coupon code for $20 off - Windows10SecurityBook40
Setting up Windows 10 for Business
https://www.udemy.com/setting-up-windows-10-for-small-business/
This class is regularly $250. Here's a coupon code for $100 off - Windows10SecurityBook40
Thanks for taking this journey with me.
I appreciate your time.
Onuora Amobi.