Windows 10 will include new information and identity protection mechanisms designed to address modern security threats, Microsoft said on Wednesday.
On October 1, Microsoft released Windows 10 Technical Preview which, according to the company, has already been installed and tested by a large number of users.
Just before the release, Microsoft revealed that the new version of the operating system introduces advancements in the security area. The company detailed some of the new features in a post published on the Windows blog.
One of the new security systems is designed for identity protection and access control. Microsoft says the feature protects users in case their devices are compromised, and makes phishing attacks ineffective.
“We believe this solution brings identity protection to a new level as it takes multi-factor security which today is limited to solutions such as smartcards and builds it right into the operating system and device itself, eliminating the need for additional hardware security peripherals,” said Jim Alkove, General Manager of Security for Microsoft’s Interactive Entertainment Business.
The two-factor authentication mechanisms in Windows 10 relies on the user’s device, which is the first factor, and a PIN or biometric (e.g. fingerprint), which is the second factor. An attacker would need not only the targeted user’s PIN or biometric information, but also physical access to the device.
Users can enroll each of their devices with the new credentials, or they can enroll one device, for example their mobile phone, and use it to authenticate on any of their accounts, including PCs, networks, and Web services. In the case of mobile phones, they will act as a remote smartcard and transmit the two-factor authentication data through WiFi or Bluetooth.
“The credential itself can be one of two things. It can be a cryptographically generated key pair (private and public keys) generated by Windows itself or it can be a certificate provisioned to the device from existing PKI infrastructures. Providing both of these options makes Windows 10 great for organizations with existing PKI investments and it makes it viable for the web and consumer scenarios where PKI backed identity isn’t practical,” Alkove explained.
Another attack vector that Microsoft is trying to address with Windows 10 involves the access tokens generated by the system after users log in. These access tokens can be highly valuable for an attacker since they can be used to impersonate targets without the need to obtain their credentials.
Microsoft wants to prevent attackers from extracting the access tokens from compromised devices by storing them inside a secure container running on top of Hyper-V technology.
Windows 10 is designed to protect sensitive corporate data not only when it’s stored on the device, but also when it leaves it. Currently, BitLocker secures data stored on the machine, and the Azure Rights Management services and Information Rights Management (IRM) in Microsoft Office protects it when it leaves the device. However, the latter security feature requires users to manually activate the protection, which means that sensitive information can still be leaked if employees are not careful.
To address this gap, Microsoft introduced a data loss prevention (DLP) solution that separates corporate data from personal data. Corporate apps, emails, website content and other data are automatically encrypted when they arrive on the device from other locations within the organization. Users can define themselves which of the original content they create are corporate files, or IT teams can create policies to enforce certain rules (e.g., all newly created documents are corporate content).
“This solution will provide the same experience on Windows Phone as we see on the Windows desktop and we’ll provide interoperability such that protected documents can be accessed across multiple platforms. Lastly on data protection in Windows 10 organizations can define which apps have access to corporate data via policy,” Alkove said.
Windows 10 also addresses risks associated with VPN connectivity. The new version of the operating system enables administrators to specify which apps are allowed and which apps are not allowed to access the organization’s VPN. IT teams can also restrict access based on ports and IP addresses.
Locking down devices
Another security feature detailed by Alkove allows organizations to lock down computers to protect them against malware infections. Administrators can configure devices so that only trustworthy apps can be installed on them.
“Organizations will have the flexibility to choose what apps are trustworthy – just apps that are signed by themselves, specially signed apps from [independent software vendors], apps from the Windows Store, or all of the above,” Alkove said.
Data collection controversy
Earlier this month, the Internet started buzzing over Windows 10 collecting data and monitoring user’s actions. Some even went as far to say that the operating system was acting as a” keylogger.” However, as many have pointed out, the Technical Preview’s privacy statement clearly shows that data is collected.
“With Windows 10, we’re kicking off the largest ever open collaborative development effort that will change the way we build and deliver Windows. Users who join the Windows Insider Program and opt-in to the Windows 10 Technical Preview are choosing to provide data and feedback that will help shape the best Windows experience for our customers,” Microsoft told SecurityWeek in an emailed statement.
“As always, we remain committed to helping protect our customers’ personal information and ensuring safeguards are in place for the collection and storing of that data. As we get closer to a final product, we will continue to share information through our terms of service and privacy statement about how customer data is collected and used, as well as what choices and controls are available.”
Experts share thoughts
Vijay Basani, CEO of EiQ Networks: “These features are a good step in the right direction to improve Windows security. Even though Microsoft claims these are easy to use, and scale across the ecosystem of devices, we have to see it to believe it. Given Microsoft’s history of vulnerabilities and security challenges with Windows OS, we cannot be sure how effectively these features are implemented, how easy they are to use, and what other vulnerabilities may have been introduced elsewhere in the overall Windows code base that could potentially pave the way to compromise these features. Bitlocker was not widely used by Windows users in the past.”
Eric Siskonen, Senior Security Consultant with Foreground Security: “Windows 10 is likely to be the next iteration that is adopted by enterprise users, which have mostly remained on Windows 7. All of the security advancements made in the Windows 8.1 kernel will likely carry over. Some announced changes are improved authentication, improved patch deployment, improved data protection, mobile-device-management (MDM), and per-application VPN capabilities. Windows 10 also seems to be more application-centric with the new Windows store that can be managed for organization wide deployments.”
Steve Lowing, Director of Product Management at Promisec: “By having a single OS base run across all your devices with the new functionality above, you will be able to access them all with the same multifactor authentication means, get access to information that is encrypted and protected on creation and maintains that secure protection for the lifecycle of its use and movement from device to device from application to application. Getting to Windows 10 will be easier as well as having a single platform to implement monthly updates should make protections faster to get in place. With more MDM like application strategy, all devices can be managed similarly cutting down on gaps that could yield problems. Taken together, Windows 10 simplifies the management and reduces the attack surface for malware to get a foothold and has capabilities that should attract business user adoption.”
Gregory Nowak, Principal Research Analyst at the Information Security Forum: “The goal here is not just to offer particular technical security features that might or might not make it into the final release. The goal seems to be to make a significant dent in the overall amount of management overhead posed by multiple form factors in the workplace. Organizations that provide their staff with tablets or smartphones will become more and more tempted to incentivize Windows-10 based devices as the platform of choice.
“That’s not to say that Windows 10 enterprise deployments won’t pose security challenges. Any organization that currently supports multiple form factors will still have other operating systems to deal with on tablets and smartphones; those platforms will still need to be managed. And we still don’t know how well existing apps will play with the security features of Windows 10 – let alone with those that may be introduced in the scheduled updates. But given the signs we’ve already seen that Microsoft is trying to make enterprise deployments easier, I’m optimistic that those challenges will be addressed.”