Windows 10: promised security improvements

June 19, 2015

Windows 10 is upon us, coming to crash the party by the end of July. In this post we’re going to take a look at the announced security enhancements. Is anybody surprised? :-) For now Microsoft has pulled the wraps from some novel features intended to protect all future OS users from threats, existing and prospected.

Dominant species

With Windows being the dominant OS worldwide, it’s hard to overestimate the importance of its cybersecurity. For quite a while, the Windows family was a common source of bugs and flaws, vigorously exploited by hackers of all kinds and skill levels.

But over the early aughts, Microsoft invested a tremendous amount of effort to improve the security of its OS. At a certain point it even became a bit of overkill: users described Windows Vista’s security approach as “almost paranoid” as the number of authorization prompts for User Account Control was  too excessive. Among other things, this made Vista one of the least successful Windows versions. Lessons were learned and Windows 7 UAC was way less intrusive, without sacrificing security.

But, again, it is Windows 10 we’re talking about. In October 2014, Microsoft published a blog post dedicated to the security features slated to arrive with the new operating system – Windows 10: Security and Identity Protection for the Modern World.

“With Windows 10 we’re actively addressing modern security threats with advancements to strengthen identity protection and access control, information protection, and threat resistance. With this release we will have nearly everything in place to move the world away from the use of single factor authentication options, like passwords. We are delivering robust data loss prevention right into the platform itself, and when it comes to online threats, such as malware, we’ll have a range of options to help enterprises protect against common causes of malware infection on PC’s”, wrote Microsoft’s Jim Alcove.

Now, that’s impressive.

More details

Microsoft announced three essential security improvements. First and foremost, Identity Protection –  a compulsory two-factor authentication for every Windows 10-based device, whether it is PC or something else. The second factor will be a PIN or biometric, such as fingerprint. Users can enroll each of their devices with their new credentials, or turn their smartphone into a “mobile credential”, as Mr. Alcove put it. This will allow users to sign-in to all of their PCs, networks, and web services as long as their mobile phone is nearby. Essentially, it will behave as a remote smartcard.

According to Microsoft’s description, the credential itself can either be a cryptographically generated key pair (private and public keys) generated by Windows itself or it can be “a certificate provisioned to the device from existing PKI infrastructures”. In short, this will make Windows 10 suitable for both organizations with existing PKI investments and consumers.

As for Access Control, it is all about protecting user access tokens which are generated once your users have been authenticated.

According to Jim Alcove, these tokens are increasingly under attack using techniques such as Pass the Hash, Pass the Ticket. Microsoft’s countermeasure? “An architectural solution that stores user access tokens within a secure container running on top of Hyper-V technology”. In other words, these tokens remain non-extractable from devices even if the Windows kernel itself has been compromised. Mr. Alcove specifically mentions APTs in that context.

Windows_10_wide

Data separation

The next announced feature is Data Loss Prevention capability that separates corporate and personal data and helps protect it using containment. This is a specific business-oriented feature introduced to Windows 10 with BYOD in mind. Separating personal and corporate data is a best practice recommended to prevent leaks of sensitive information from lost or stolen personal devices.

DLP is integrated into Windows 10 platform, and there will be no need for the users “to switch modes, or apps in order to protect corporate data.” Users can help keep data safe without changing their behavior. Even more interesting:

“Windows 10 enables automatic encryption of corporate apps, data, email, website content and other sensitive information, as it arrives on the device from corporate network locations”. Thus it is kept separate from the user’s own original content, although companies can designate all new content created on the device as corporate, and set policy to prevent data from being copied from corporate content to non-corporate documents or external locations on the web such as social networks. This may sound overly restrictive, but it’s about securing critical data.

Speaking of BYOD, the same DLP functions will be available on both desktop/laptop and Windows Phone-based mobiles. There is also interoperability promised that will enable the protected documents to be accessed across multiple platforms.

“Lastly on data protection in Windows 10 organizations can define which apps have access to corporate data via policy. We took this capability a little further and extended these polices to address VPN requirements that many of you have shared with us,” Mr. Alcove wrote. According to him, there will be “a spectrum of VPN control options” with app-allow and app-deny lists, allowing IT professionals to define “which apps are authorized to access the VPN and can be managed through MDM solutions for both desktop and universal apps. ”

For administrators, there’s even more “granular” controls available – they can restrict access by specific ports or IP addresses.

As an additional means Windows 10 will be allowing only the trusted apps – apps that are signed using a Microsoft provided signing service – “to be run on specially configured devices”. Configured by the OEM, to be more specific.

For admins: SSH is in

Earlier this month, Microsoft announced it is finally planning to support SSH in Windows and the company’s engineers also will contribute to the OpenSSH project.

SSH (Secure Shell), a cryptographic network protocol, is a popular tool for remote login and command execution on many Unix and Linux systems; it had not been supported by Microsoft for various reasons… until now.

“A popular request the PowerShell team has received is to use Secure Shell protocol and Shell session (aka SSH) to interoperate between Windows and Linux – both Linux connecting to and managing Windows via SSH and, vice versa, Windows connecting to and managing Linux via SSH. Thus, the combination of PowerShell and SSH will deliver a robust and secure solution to automate and to remotely manage Linux and Windows systems,” Angel Calvo, a group software engineering manager on Microsoft’s PowerShell team, said (via Threatpost) https://threatpost.com/microsoft-to-support-ssh-in-windows/113120

Stay aware

As we see, the described above features are mostly business-oriented, as they address the primary IT security problems businesses have to face today. And judging by the announcement, they address the issues properly, protecting the information and not just certain devices. Hopefully there will be no huge failures with the implementation.

The security improvements of the software platforms are a good thing on their own, but surprisingly they may work against themselves: People get used to relying on the “default” security means and often ignore even those threats these default tools are incapable of addressing, or make mistakes which effectively cancel out these improvements.

The only proper course of action here is to stay aware of the threats existence and rely, first and foremost, on reason and common sense.