Windows 10 To Offer Enhanced Security and Identity Protection
Microsoft's Windows 10 will be designed to address modern security threats with advancements to strengthen identity protection and access control, information protection, and threat resistance.
Microsoft is trying to have nearly everything in place to move the world away from the use of single-factor authentication options, like passwords. With two-factor authentication, malicious hackers need to be in control of two pieces of information in order to break into a system, such as a password and a code sent to a user's device like a smartphone.
Another security factor will be a PIN or biometric, such as a fingerprint. From a security standpoint, this means that an attacker would need to have a user's physical device, in addition to the means to use the user's credential, which would require access to the user's PIN or biometric information. Users will be able to enroll each of their devices with these new credentials, or they can enroll a single device, such as a mobile phone, which will effectively become their mobile credential. It will enable them to sign in to all of their PCs, networks, and web services as long as their mobile phone is nearby. In this case, the phone, using Bluetooth or Wi-Fi communication, will behave like a remote smartcard and it will offer two-factor authentication for both local sign-in and remote access.
Under the hood, the credential itself can be one of two things. It can be a cryptographically generated key pair (private and public keys) generated by Windows itself or it can be a certificate provisioned to the device from existing PKI infrastructures. Active Directory, Azure Active Directory, and Microsoft Accounts will support Microsoft's new user credentials solution right out of the box.
Microsoft also wants to protect the user access tokens that are generated once your users have been authenticated. Today, these access tokens are increasingly under attack using techniques such as Pass the Hash, Pass the Ticket, etc. With Windows 10, Microsoft aims to eliminate these attacks with an architectural solution that stores user access tokens within a secure container running on top of Hyper-V technology. This solution prevents the tokens from being extracted from devices even in cases where the Windows kernel itself has been compromised.
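To make the key-pair credential model concrete, here is an added illustration (not Microsoft's implementation and not code from the article) of the enrollment and sign-in flow the two paragraphs above describe: the device generates the key pair, the identity provider keeps only the public half, and the private key is released for a challenge signature only after the local PIN is presented. The type names, the PIN-check placement and the choice of ECDSA P-256 are assumptions; real device keys would be hardware-protected rather than held in a struct.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
)

// Device (assumed model) holds the private key and releases it only after a local PIN check.
type Device struct {
	priv *ecdsa.PrivateKey
	pin  string
}

// Verifier (assumed model of the identity provider) stores only public keys, so its store
// contains nothing an attacker could replay as a credential.
type Verifier struct{ pubKeys map[string]*ecdsa.PublicKey }

func NewVerifier() *Verifier { return &Verifier{pubKeys: map[string]*ecdsa.PublicKey{}} }

// digest hashes the challenge; ECDSA signs a fixed-size digest, not the raw nonce.
func digest(b []byte) []byte { d := sha256.Sum256(b); return d[:] }

// Enroll generates the key pair on the device and registers only the public half.
func Enroll(v *Verifier, user, pin string) (*Device, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	v.pubKeys[user] = &priv.PublicKey
	return &Device{priv: priv, pin: pin}, nil
}

// Challenge issues a fresh random nonce so a captured signature cannot be replayed later.
func (v *Verifier) Challenge() ([]byte, error) {
	nonce := make([]byte, 32)
	_, err := rand.Read(nonce)
	return nonce, err
}

// Sign: "something you know" (the PIN) unlocks "something you have" (the device key).
func (d *Device) Sign(pin string, nonce []byte) ([]byte, error) {
	if subtle.ConstantTimeCompare([]byte(pin), []byte(d.pin)) != 1 {
		return nil, errors.New("wrong PIN: key not released")
	}
	return ecdsa.SignASN1(rand.Reader, d.priv, digest(nonce))
}

// Verify checks the signed challenge against the user's enrolled public key.
func (v *Verifier) Verify(user string, nonce, sig []byte) bool {
	pub, ok := v.pubKeys[user]
	if !ok {
		return false
	}
	return ecdsa.VerifyASN1(pub, digest(nonce), sig)
}
```

Because the verifier holds only public keys and every sign-in signs a fresh nonce, neither a dump of the verifier's store nor a captured signature is reusable, which is the property the article contrasts with passwords.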
In Windows 10, Microsoft is also adding a data loss prevention (DLP) solution that separates corporate and personal data and helps protect it using containment. There will be no need for your users to switch modes or apps in order to protect corporate data, which means that users can help keep data safe without changing their behavior. Protection of corporate data in Windows 10 enables automatic encryption of corporate apps, data, email, website content and other sensitive information as it arrives on the device from corporate network locations. And when users create new original content, this data protection solution helps users define which documents are corporate versus personal. If desired, companies can even designate all new content created on the device as corporate by policy. Additional policies can also enable organizations to prevent data from being copied from corporate content to non-corporate documents or external locations on the web such as social networks.
This solution will provide the same experience on Windows Phone as on the Windows desktop and Microsoft will provide interoperability such that protected documents can be accessed across multiple platforms.
When supporting remote users, IT professionals look for ways to limit the risks associated with VPN connectivity, particularly with BYOD devices. Windows 10 helps by giving a spectrum of VPN control options, from constant connectivity to specifying which particular apps may have access via VPN. App-allow and app-deny lists will enable IT professionals to define which apps are authorized to access the VPN and can be managed through MDM solutions for both desktop and universal apps. Administrators requiring more granular control can further restrict access by specific ports or IP addresses.
Windows 10 also provides organizations with the ability to lock down devices, enabling additional threat and malware resistance. Because malware is often inadvertently installed onto devices by users, Windows 10 addresses this threat by only allowing trusted apps, meaning apps that are signed using a Microsoft-provided signing service, to be run on specially configured devices. Access to the signing service will be controlled using a vetting process similar to how we control ISV publishing access to the Windows Store, and the devices themselves will be locked down by the OEM. Organizations will have the flexibility to choose what apps are trustworthy: just apps that are signed by themselves, specially signed apps from ISVs, apps from the Windows Store, or all of the above. Unlike Windows Phone, these apps can also include desktop (Win32) apps.