Optimizing Security Protections of Windows 10
With its release of the “Windows 10” computer operating system in July 2015, Microsoft made bold, sweeping claims for its security features. After four years of “builds” that have extended the Windows 10 series, which today has some 900 million users, those security features have, to say the least, undergone sustained and varied testing in practice.
There have been continual modifications and patches, of course, including a recent one that embarrassed the company by seeming, when installed, to disable a key Windows 10 security feature.
On the whole, however, after many fixes, the Windows 10 operating system remains a formidable array of built-in features addressing every major type of cyber-security issue.
Continually escalating cyber-threats
Nor has the effort been for nothing. Every year since 2015, the cyber-security landscape has become more complex and the threats more pressing. In general, breaches of security and new possible vulnerabilities increase every year. The Microsoft “Vulnerabilities Report 2019,” analyzing data from Microsoft security bulletins issued throughout 2018, promised to address, among many other things:
- Why vulnerabilities continued to rise in 2018, with a total of 700 discovered.
- How vulnerabilities are growing and in which specific products.
Ransomware and spyware are on the rise, especially threatening businesses. At a session sponsored by Microsoft in Orlando, FL, Alexander Benoit, senior consultant and head of Competence Center Microsoft, cited phishing attacks, ransomware, spyware, keyloggers, worms, and compromised accounts, concluding: “Because the threat landscape we’re facing today is so diverse, there cannot be one tool or feature that we just enable and then we’re secure.”
The Windows 10 operating system is intended to incorporate within itself multiple security features, creating the typical “layered security approach.” Although striving to be comprehensive, Microsoft does not claim that no other security feature is needed by any individual or enterprise, nor that the same level of security can be achieved throughout an entire computer, system, or network. Benoit emphasized that any organization’s comprehensive security plan should prioritize what data, wherever located, would be most valuable to criminals, and plan to focus there.
A few overarching considerations
Before reviewing and summarizing specific security features of Windows 10, as it is constituted today, some more general, overarching points are in order:
Not all Windows 10 software, even of the same current version, is equal when it comes to security features. “Enterprise” versions of Windows 10 include somewhat more extensive and different security features for such reasons as use of software in huge networks, use by multiple ranks of individuals with different access to features and information, and many more points of vulnerability in a networked system.
Much criticism, but also much praise, has been directed at an issue not technically a “security vulnerability,” but closely related to it: the privacy of the user in relationship with Microsoft itself. The company has been under fire for the sheer amount of personal data it collects from users. The chief justification advanced by Microsoft is that such information improves security, services, and the quality of upgrades in the software, and brings opportunities to users (notable among these, the opportunity to buy things and to review ads supposedly targeted at their personal profile). By any standard, however, what Microsoft collects would surprise and perhaps disturb many users. Virtually all of this information flow can be cut off by a user willing to take the time to adjust the software’s settings.
A feature of the Windows 10 system hailed as essential to security is the regular, automatic updates (patches, for example) sent by Microsoft to address new vulnerabilities and new types of attack. These are numerous and, to many users, intrusive. Again, the user willing to take the time can schedule all of these updates for times when the computer is not in use.
Following are some specific features of the Windows 10 security array that protect from cyberattacks. Where relevant, I try to mention differences between the personal and “enterprise” features:
- Two-Factor Identification and Biometrics: Windows 10 has extensive capabilities for securing the computer from unauthorized login. They include what is called “multi-factor authentication,” various uses of PIN numbers, and improved support for biometric authentication through the Windows Hello platform. Like all security features, this sophisticated capability will be viewed as valuable, even crucial, by some users and virtually ignored by others.
- Windows Defender SmartScreen: SmartScreen is presented as a layer of security that can “block at first sight.” Employees are protected if they try to click through to websites previously reported as phishing or using malware. They also are stopped from downloading files suspected of malicious intent. This feature also takes on blocking “fake” advertisements and scam sites. This is a first line of defense, according to Benoit, against phishing and malware.
- Windows Defender Application Guard: Application Guard is more advanced protection directed at attacks on Microsoft Edge, the browser that replaced the widely used “Microsoft Explorer.” This security feature employs Microsoft’s proprietary “Hyper-V” virtualization technology and operates by means of “whitelisting” (yes, the opposite of “blacklisting”), enabling users, including companies and networks, to designate trusted sites that can be browsed without danger. That is not the end of the story, though. If you still want to open a site that is “not trusted,” then Application Guard will open it in a kind of isolation chamber that denies the suspected site any access to the memory, local storage, other applications, or parts of the corporate network.
- User Account Control: UAC prevents malware from damaging your machine. The feature relies on the difference between accounts that are administrative and non-administrative—a distinction frequently popping up in the work context. When UAC is enabled, applications and tasks always run in the non-administrative accounts (from a security perspective). Of course, an administrator controls the authorization of administrative access to a system.
- Windows Defender Device Guard: Defender Device Guard is another feature employing whitelisting, in this case, what is called “enterprise-grade” whitelisting. It can whitelist a driver or application. That means that the default position is no longer to trust any app that an antivirus program has not blocked. Instead, Device Guard trusts only apps authorized by an enterprise.
- Windows Defender Exploit Guard: Defender Exploit Guard, chiefly on the enterprise level, offers an organization such features as network protection and controlled folder access. This is a step toward what Benoit has characterized as prioritizing the protection of certain known attack targets. Defender Exploit Guard can be on the watch for low-integrity images, fonts earlier identified as untrusted, and approaches from unwanted addresses. Understandably, many of these features of the Windows 10 security package operate below the awareness of most users, doing their security patrols unnoticed. In this particular instance, the bottom line is a new level of capability to prevent intrusions into the system.
- Microsoft BitLocker: BitLocker, a feature involving “full-drive encryption,” is built into Windows 10 Professional and Enterprise software. It addresses the threat of unauthorized access to privileged data by upping the level of protection for both files and systems. One feature is that it makes all data inaccessible if a computer is no longer in use or is recycled. Thus, it offers a level of protection if a computer or related device is lost or stolen.
- Windows Defender Credential Guard: Defender Credential Guard goes directly to the issue of security for secrets—call them highly confidential data—by isolating them where only privileged system software has access. Obviously, many malicious intrusions in search of valuable records or other data are by cyber attackers with some “credentials” for access. Windows Defender Credential Guard provides protection against this. It is a security feature specifically intended to counter advanced persistent attacks.
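Because several of these layers are edition-dependent or off by default, it helps to confirm which ones are actually active on a given machine. The script below is an added example, not part of the original article or Microsoft's own tooling; the helper names `Test-Layer` and `Get-Mode` are hypothetical, and it assumes an elevated Windows PowerShell 5.1 session on Windows 10.

```powershell
# Added example: report the state of several protections from the list above.
# Each check falls back to "Unknown" when the cmdlet, WMI class or registry
# value is not available on this edition or the session is not elevated.
function Test-Layer {
    param([string]$Name, [scriptblock]$Check)
    try   { $state = & $Check }
    catch { $state = "Unknown ($($_.Exception.Message))" }
    [pscustomobject]@{ Layer = $Name; State = $state }
}

# Defender preference encoding used by the two Exploit Guard settings below.
function Get-Mode([int]$Value) {
    $map = @{ 0 = 'Off'; 1 = 'On (block)'; 2 = 'Audit only' }
    if ($map.ContainsKey($Value)) { $map[$Value] } else { "Other ($Value)" }
}

$dgArgs = @{
    Namespace   = 'root\Microsoft\Windows\DeviceGuard'
    ClassName   = 'Win32_DeviceGuard'
    ErrorAction = 'Stop'
}
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

$report = @(
    Test-Layer 'User Account Control' {
        $v = Get-ItemPropertyValue -Path $uacKey -Name EnableLUA -ErrorAction Stop
        if ($v -eq 1) { 'On' } else { 'Off' }
    }
    Test-Layer 'BitLocker (system drive)' {
        [string](Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop).ProtectionStatus
    }
    Test-Layer 'Credential Guard' {
        # SecurityServicesRunning contains 1 when Credential Guard is running.
        $dg = Get-CimInstance @dgArgs
        if ($dg.SecurityServicesRunning -contains 1) { 'Running' } else { 'Not running' }
    }
    Test-Layer 'Device Guard code integrity policy' {
        switch ((Get-CimInstance @dgArgs).CodeIntegrityPolicyEnforcementStatus) {
            0 { 'Off' } 1 { 'Audit only' } 2 { 'Enforced' } default { 'Unknown' }
        }
    }
    Test-Layer 'Application Guard' {
        [string](Get-WindowsOptionalFeature -Online -FeatureName 'Windows-Defender-ApplicationGuard' -ErrorAction Stop).State
    }
    Test-Layer 'Exploit Guard: controlled folder access' {
        Get-Mode (Get-MpPreference -ErrorAction Stop).EnableControlledFolderAccess
    }
    Test-Layer 'Exploit Guard: network protection' {
        Get-Mode (Get-MpPreference -ErrorAction Stop).EnableNetworkProtection
    }
)
$report | Format-Table -AutoSize
```

A layer reported as "Audit only" logs what it would have blocked without enforcing anything, so it should not be counted as active protection.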
Stay in touch with BSW
Check back regularly with BSW for information on computers, computer networks, and website development. And get in touch with the BSW team for solutions that have an outstanding record of success in meeting the needs of diverse clients for computer and network solutions and website development and enhancement.