Windows 10 is upon us, coming to crash the party by the end of July. In this post we\u2019re going to take a look at the announced security enhancements. Is anybody surprised? :-) For now Microsoft has pulled the wraps from some novel features intended to protect all future OS users from threats, existing and prospected.<\/p>\n
Dominant species<\/strong><\/p>\n With Windows being the dominant OS worldwide, it\u2019s hard to overestimate the importance of its cybersecurity. For quite a while, the Windows family was a common source of bugs and flaws, vigorously exploited by hackers of all kinds and skill levels<\/a>.<\/p>\n But over the early aughts,\u00a0Microsoft invested a tremendous amount of effort to improve the security of its OS. At a certain point it even became a bit of overkill: users described Windows Vista\u2019s security approach as \u201calmost paranoid\u201d as the number of authorization prompts for User Account Control was \u00a0too excessive. Among other things, this made Vista one of the least successful Windows versions. Lessons were learned and Windows 7 UAC was way less intrusive, without sacrificing security.<\/p>\n #Windows10: promised #security improvements<\/p>Tweet<\/a><\/blockquote>\n But, again, it is Windows 10 we\u2019re talking about. In October 2014, Microsoft published a blog post dedicated to the security features slated to arrive with the new operating system \u2013 Windows 10: Security and Identity Protection for the Modern World<\/a>.<\/p>\n \u201cWith Windows 10 we\u2019re actively addressing modern security threats with advancements to strengthen identity protection and access control, information protection, and threat resistance. With this release we will have nearly everything in place to move the world away from the use of single factor authentication options, like passwords. We are delivering robust data loss prevention right into the platform itself, and when it comes to online threats, such as malware, we\u2019ll have a range of options to help enterprises protect against common causes of malware infection on PC\u2019s\u201d, wrote Microsoft\u2019s Jim Alcove.<\/p>\n Now, that\u2019s impressive.<\/p>\n More details<\/strong><\/p>\n Microsoft announced three essential security improvements. First and foremost, Identity Protection \u2013 \u00a0a compulsory two-factor authentication for every Windows 10-based device, whether it is PC or something else. The second factor will be a PIN or biometric, such as fingerprint. Users can enroll each of their devices with their new credentials, or turn their smartphone into a \u201cmobile credential\u201d, as Mr. Alcove put it. This will allow users to sign-in to all of their PCs, networks, and web services as long as their mobile phone is nearby. Essentially, it will behave as a remote smartcard.<\/p>\n According to Microsoft\u2019s description, the credential itself can either be a cryptographically generated key pair (private and public keys) generated by Windows itself or it can be \u201ca certificate provisioned to the device from existing PKI infrastructures\u201d. In short, this will make Windows 10 suitable for both organizations with existing PKI investments and consumers.<\/p>\n As for Access Control, it is all about protecting user access tokens which are generated once your users have been authenticated.<\/p>\n According to Jim Alcove, these tokens are increasingly under attack using techniques such as Pass the Hash, Pass the Ticket. Microsoft\u2019s countermeasure? \u201cAn architectural solution that stores user access tokens within a secure container running on top of Hyper-V technology\u201d. In other words, these tokens remain non-extractable from devices even if the Windows kernel itself has been compromised. Mr. Alcove specifically mentions APTs in that context.<\/p>\n #Windows10: unified platform, separated data. #security<\/p>Tweet<\/a><\/blockquote>\n