Windows 10 - Privacy and Security Features at a Glance (Part 2)

by Ricky M. & Monique L. Magalhaes [Published on 7 Jan. 2015 / Last Updated on 7 Jan. 2015]

In this article we take a more detailed look at some of the security features that are going to be released in the new version of Windows 10.

If you would like to read the first part in this article series please go to Windows 10 - Privacy and Security Features at a Glance (Part 1).

Introduction

In the previous article (part one) we looked at some of the security features that are going to be released in the new version of Windows 10 later in 2015. In this article (part two) we explain those features in more detail, based on what we have researched, and cover some topics that have been mentioned at Microsoft previews. Although this information is not set in stone, these are features that are likely to be in Windows 10.

What we know so far about Windows 10

Although Windows 10 previews are well underway, we need to keep in mind that that is exactly what they are: a preview. Our researchers have gathered information from many reliable sources, from the previews and from Microsoft employees and users alike, but things may change before the official release, expected in 2015. Every couple of weeks Microsoft releases a revised set of features as various additions and changes are found to be necessary.

Below, continuing from the previous article, are some of the technical features that Microsoft has highlighted will be present in Windows 10. The features will prove beneficial for both consumers and organisations.

Some security features explained

Securing Identities

Multi-factor authentication is going to be built into the OS, using the device itself, carrying a cryptographic credential, as the first factor and a PIN or biometric reader as the second factor. Access is only possible with physical access to the device combined with the personal identification number (PIN) or a biometric, perhaps a fingerprint. Additional hardware security peripherals will not be necessary to secure the identity. Two-factor authentication used in this manner should prove more convenient and user friendly.

The built-in two-factor authentication will help deter current security threats, improve the protection of identities and strengthen access control. This feature is available today, but only with a significant amount of configuration; hopefully it will be simpler and easier to implement in Windows 10.

This is a step in the right direction, towards normalising two-factor authentication and perhaps the route to the demise of less secure single-factor options such as passwords. It's time we saw the end of passwords, and this seems like the start.

Access control is strengthened by using the device as the credential. The user may register one or all of their devices with their credentials. If opting for one device, a tablet for example, the tablet acts as the first factor of authentication, serving as the mobile credential for the user's other devices, services and networks. As long as the tablet is in close vicinity of the user's other devices, a laptop for example, it can be used to gain access to those devices via Bluetooth or a wireless connection.

The credential is either a key pair generated cryptographically by Windows or a certificate supplied to the device from an existing public key infrastructure (PKI). Active Directory will support the management of the credentials.

This allows some flexibility for an enterprise that is already using a PKI. Offering both credential options allows use across multiple platforms and infrastructures, which is essential for organisations and covers the majority of user requirements.
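As an added illustration of the device-plus-PIN scheme described above (example code written for this article's topic, not code from the original article or from Microsoft), the following Go program enrols a device by generating a key pair and wrapping the private key under a PIN-derived key, then runs a challenge-response login in which the service holds only the public key. Everything in it is an assumption made for the example: the record layouts, the device IDs and PINs, the iterated-SHA-256 PIN derivation standing in for hardware-backed key protection, and ed25519 standing in for whatever key type Windows actually uses.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// EnrolledDevice is all the service stores: the device's public key (constructed layout).
type EnrolledDevice struct {
	DeviceID string
	PubKey   ed25519.PublicKey
}

// DeviceCredential is what the device stores: its private seed wrapped under a PIN-derived key.
type DeviceCredential struct {
	DeviceID   string
	Salt       []byte
	WrappedKey []byte // AES-GCM nonce || ciphertext of the ed25519 seed
}

// pinKey derives the wrapping key from PIN and salt; iterated SHA-256 stands in for a real KDF.
func pinKey(pin string, salt []byte) []byte {
	k := sha256.Sum256(append([]byte(pin), salt...))
	for i := 0; i < 10000; i++ {
		k = sha256.Sum256(append(k[:], salt...))
	}
	return k[:]
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Enroll generates the device key pair and wraps the private seed with the PIN,
// binding the device ID in as associated data so the blob cannot be moved elsewhere.
func Enroll(deviceID, pin string) (cred DeviceCredential, dev EnrolledDevice, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return cred, dev, err
	}
	rnd := make([]byte, 16+12) // salt || standard 12-byte GCM nonce
	if _, err = rand.Read(rnd); err != nil {
		return cred, dev, err
	}
	salt, nonce := rnd[:16], rnd[16:]
	aead, err := newGCM(pinKey(pin, salt))
	if err != nil {
		return cred, dev, err
	}
	wrapped := aead.Seal(nonce, nonce, priv.Seed(), []byte(deviceID))
	return DeviceCredential{deviceID, salt, wrapped}, EnrolledDevice{deviceID, pub}, nil
}

// NewChallenge is the service's fresh nonce; a captured signature is useless against the next one.
func NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// SignChallenge is the device side of login: the PIN (something you know)
// unlocks the key only this device holds (something you have) to sign the nonce.
func SignChallenge(cred DeviceCredential, pin string, challenge []byte) ([]byte, error) {
	aead, err := newGCM(pinKey(pin, cred.Salt))
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(cred.WrappedKey) < ns {
		return nil, fmt.Errorf("credential blob too short")
	}
	seed, err := aead.Open(nil, cred.WrappedKey[:ns], cred.WrappedKey[ns:], []byte(cred.DeviceID))
	if err != nil { // GCM tag check fails on a wrong PIN: no key, so no signature
		return nil, fmt.Errorf("PIN rejected: private key cannot be unlocked")
	}
	return ed25519.Sign(ed25519.NewKeyFromSeed(seed), challenge), nil
}

// Verify is the service side; no password or PIN is ever sent to or stored by the service.
func Verify(dev EnrolledDevice, challenge, sig []byte) bool {
	return ed25519.Verify(dev.PubKey, challenge, sig)
}

func main() {
	cred, dev, _ := Enroll("tablet-01", "2468") // constructed sample values
	challenge, _ := NewChallenge()
	sig, err := SignChallenge(cred, "2468", challenge)
	fmt.Println("correct PIN on enrolled device:", err == nil && Verify(dev, challenge, sig))
	_, err = SignChallenge(cred, "0000", challenge)
	fmt.Println("wrong PIN:", err)
}
```

A wrong PIN fails at the AES-GCM tag check, so there is no private key to sign with; a copied credential blob fails the same way when presented under another device ID; and a signature captured in transit is useless because the next login carries a fresh challenge. That combination is what makes the device the first factor and the PIN the second, with neither a password nor the PIN ever reaching the service.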

Using the Hyper-V Secure Execution Environment, the access tokens generated after login, which carry a security risk if used maliciously for identity impersonation, are contained in an isolated environment running above Hyper-V and made inaccessible even if the Windows kernel is compromised, significantly improving security and reducing the risk of credential theft.

Securing Devices

Mobile devices are being made more secure, and the risks associated with Virtual Private Networks (VPNs) are being addressed. Better VPN control options are afforded to the administrator: restrictions can be put in place for applications, regulating the access applications have to the VPN, and access to the VPN via ports and IP addresses can also be controlled and restricted as seen fit.

The signing service for applications is aimed at reducing the risk from malware by limiting application installation to chosen, trusted apps. This will allow Microsoft to warn users of unsigned code and also to revoke the certificates of code writers who produce malicious or potentially malicious code.
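To make the signing-service behaviour concrete, here is an added Go example (not code from the article or from Microsoft's actual signing service) of an install-time policy check: unsigned packages produce a warning, packages from unknown publishers or whose signature does not match their content are blocked, and a publisher whose certificate has been revoked is blocked even though the signature still verifies. The package layout, the publisher name, ed25519 keys standing in for signing certificates, and the revocation set are all assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Verdict is the installer's decision for one package.
type Verdict string

const (
	Allow         Verdict = "allow"
	WarnUnsigned  Verdict = "warn: unsigned code"
	BlockUnknown  Verdict = "block: publisher not trusted"
	BlockTampered Verdict = "block: signature does not match content"
	BlockRevoked  Verdict = "block: publisher certificate revoked"
)

// Package is a constructed stand-in for an app package; Publisher is empty when unsigned.
type Package struct {
	Name      string
	Content   []byte
	Publisher string
	Signature []byte // ed25519 signature over SHA-256(Content)
}

// InstallPolicy lists the trusted publisher keys (standing in for trusted
// signing certificates) and the publishers whose certificates were revoked.
type InstallPolicy struct {
	Trusted map[string]ed25519.PublicKey
	Revoked map[string]bool
}

// SignPackage is what a publisher's signing step does before release.
func SignPackage(name string, content []byte, publisher string, key ed25519.PrivateKey) Package {
	digest := sha256.Sum256(content)
	return Package{name, content, publisher, ed25519.Sign(key, digest[:])}
}

// Decide checks, in order: is it signed at all, do we trust the signer, does the
// signature actually cover this content, and has the signer since been revoked.
func (p InstallPolicy) Decide(pkg Package) Verdict {
	if pkg.Publisher == "" || len(pkg.Signature) == 0 {
		return WarnUnsigned
	}
	key, ok := p.Trusted[pkg.Publisher]
	if !ok {
		return BlockUnknown
	}
	digest := sha256.Sum256(pkg.Content)
	if !ed25519.Verify(key, digest[:], pkg.Signature) {
		return BlockTampered
	}
	if p.Revoked[pkg.Publisher] {
		return BlockRevoked
	}
	return Allow
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	policy := InstallPolicy{Trusted: map[string]ed25519.PublicKey{"Example Publisher": pub}, Revoked: map[string]bool{}}
	good := SignPackage("notes.appx", []byte("constructed package bytes"), "Example Publisher", priv)
	fmt.Println(good.Name, "->", policy.Decide(good))
	tampered := good
	tampered.Content = []byte("constructed package bytes, modified")
	fmt.Println("tampered ->", policy.Decide(tampered))
	policy.Revoked["Example Publisher"] = true
	fmt.Println("after revocation ->", policy.Decide(good))
}
```

The order of the checks matters: a signature is only meaningful once the signer is known, and revocation is consulted last so that a package from a revoked publisher is reported as revoked rather than as merely untrusted, which is the information an administrator needs to act on.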

The lock-down feature allows organisations to restrict app access to specific devices, reducing the risk from threats. Policies can be created to enforce the necessary rules.

The Mobile Device Management (MDM) feature should offer greater support for organisations. MDM is destined to work across traditional desktops and laptops as well. Microsoft's consolidated approach to managing mobility platforms is surely going to be a winner, as this is something that was lacking in the past.

Securing Data and Data Privacy

Data Loss Prevention (DLP) for corporates is also a useful feature. Data is protected through corporate policy: data can be categorised as personal or corporate, and restrictions can be applied on whether data may be copied.

This feature will help prevent data disclosure within and outside organisations, securing the data and keeping it private. The ability to categorise data is a great tool for BYOD within organisations.

Automatic encryption of data, via the DLP solution, includes encryption of apps, data, email and website content. The automatic encryption happens as the data arrives on the device from network locations within the organisation. Policies can be applied to automatically encrypt certain data. At the moment this is Microsoft platform specific, but I am sure with the announcements of .NET being able to be used across platforms this will change quickly.

Interoperability across devices will ensure data is secured across multiple platforms.

The risks associated with VPNs have been addressed. Restrictions can be put in place for applications via policy, thus regulating the access applications have to the VPN.

We should now also start seeing the extension of what was previously known as DirectAccess: essentially, each application will have the capability to independently create its own SSL-type VPN back to where the centralised resource is stored. This will occur on demand; once the application has been supplied with the authentication token by the OS, the application itself securely connects to the remote service.

Windows 10 will also support more biometric devices than ever before. This lean towards biometrics is logical, as biometric devices are now much more mature than before and are found in a multitude of tablets, phones and PCs. The devices are now quick and accurate, and this way of computing is becoming ubiquitous.

Azure will also now start integrating with AD. With the arrival of this feature, both hybrid clouds and fully hosted platforms are possible and easier to adopt, so this will accelerate the migration to Microsoft services. The authentication systems have yet to be finalised, but this is a big move by Microsoft that will have a major influence on the ability to operate securely in the cloud. It's not yet clear if this model will allow for advanced federation, but it's an exciting prospect nonetheless.

Conclusion

Finally, it looks like Windows 10 is going to address most of the security concerns that were down to the operating system's deficiencies. Although these features will improve the operating system and enhance its functionality, it's not clear what the user experience will be.

We are sure that there are lots of conversations taking place in Redmond to ensure that the prioritised features are released ahead of the nice-to-haves. At this moment we think it's clear that third-party security solutions are still required, but this is a big step forward in the right direction.

We are sure that everyone is looking forward to the release of Windows 10 and all the enhancements mentioned in this series of articles.


The Author — Ricky M. & Monique L. Magalhaes


Ricky M. Magalhaes is an international information security architect, working with a myriad of high-profile organisations. Monique is an international security researcher; she holds a BSc degree (cum laude). Previously she has focused on research and development at leading enterprises in the Southern Hemisphere.