Top Windows 10 Security Features Explained

Staying Safe With Windows 10

Windows 10 will ship with the requisite Windows Defender and Windows Firewall, but what else? According to Microsoft executives, Windows 10 is built for security.

Emphasis for Windows 10 is three-dimensional, said Terry Myerson, executive vice president of the Windows and Devices Group. He said Microsoft has targeted identity protection, credential cache protection and storage protection features.

So let's dive in and explore what security features will keep you safe with Windows 10.

Device Guard: Zero-Day Defense

Microsoft is trying to stay one step ahead of malware and zero-day attackers by introducing Device Guard to its new operating system. Think of Device Guard as a brawny bouncer: It blocks zero-day attacks by vetting applications that try to run on Windows 10 machines or access their network. When an unknown (unsigned) app is executed, Windows 10 determines whether that app is trustworthy and notifies the user if it is not.

Companies can configure Device Guard to be as aggressive as they want. The technology is no security panacea, as Microsoft points out: "Device Guard helps block executable and script based malware while AV will continue to cover areas that Device Guard doesn't such as JIT based apps (e.g.: Java) and macros within documents."

Windows Hello: Microsoft's Own Password Killer

Passwords are the bane of our digital lives. That's why Microsoft is trying to develop a "password killer" with its Windows Hello feature in Windows 10. Windows Hello is a biometric technology that uses your face, iris or fingerprint as an alternative to a password for signing in to Windows.

Windows 10 ships with the capability, but it relies on OEM partners to build in support for the Windows Biometric Framework. Hardware requirements at launch will include Intel's RealSense F200 camera technology, which uses infrared lasers, multiple lenses and a special processing chip to analyze images for Windows Hello.

Windows Passport: Password Killer 2.0

Another aspect of Microsoft's Hello password technology is called Windows Passport. Passport utilizes two-factor authentication (a biometric sensor or PIN with enrolled device) and grants password-free access to applications, websites and networks on specific enrolled devices.

This takes password protection that is part of Windows Hello to the next logical level. However, only those devices that are equipped with specific biometric sensors will be able to take advantage of Windows Passport.

Data Protection: Azure Rights Management

BitLocker is credited with being a leading solution for keeping data safe on a specific device. But increasingly that's just not good enough. Companies need to protect data once it leaves a device or network. To help keep control, Microsoft has extended BitLocker's protection to cover data both on and off a specific device. It accomplishes this by tying the data to Azure Rights Management services and to Information Rights Management (IRM) in Microsoft Office.

Here is how it works, according to Microsoft: "Protection of corporate data in Windows 10 enables automatic encryption of corporate apps, data, email, website content and other sensitive information, as it arrives on the device from corporate network locations. And when users create new original content, this data protection solution helps users define which documents are corporate versus personal. If desired, companies can even designate all new content created on the device as corporate by policy. Additional policies can also enable organizations to prevent data from being copied from corporate content to non-corporate documents or external locations on the web such as social networks."

Windows Update For Business: A New Approach To Patch Management

With Windows 10 Pro for businesses, Microsoft is taking a new approach to fixing code and patching security holes. No longer will businesses have to wait for periodic patching (aka Patch Tuesday) -- now updates will be delivered continuously.

For companies concerned about being stuck with a faulty fix or one that introduces incompatibilities, Microsoft hopes to solve that problem by offering a distribution ring-based model so companies can decide which PCs get updated first. Microsoft will also offer maintenance windows, allowing businesses to decide when updates can or should occur. It will also support peer-to-peer updates, which will allow PCs in limited-bandwidth offices to distribute updates among themselves instead of each PC downloading updates separately.
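The three controls described above (deployment rings, maintenance windows and peer-to-peer distribution) are all expressed as local policy on the endpoint. The PowerShell below is an added example, not code from the article or from Microsoft; it assumes the Windows Update for Business and Delivery Optimization policy values that shipped in later Windows 10 releases (`DeferQualityUpdatesPeriodInDays`, `DeferFeatureUpdatesPeriodInDays`, `SetActiveHours`/`ActiveHoursStart`/`ActiveHoursEnd` and `DODownloadMode`), and the ring names and deferral periods are constructed for illustration. Verify the value names against current Microsoft documentation before using it on managed machines.

```powershell
# Added example: map an update ring to Windows Update for Business policy.
# Registry value names are assumed from the documented WUfB / Delivery
# Optimization policies; ring definitions below are constructed, not Microsoft's.
$Rings = @{
    # Pilot ring: take quality updates immediately, feature updates after 2 weeks.
    Pilot = @{ QualityDeferDays = 0;  FeatureDeferDays = 14 }
    # Broad ring: wait a week for quality fixes so pilot machines surface bad patches first.
    Broad = @{ QualityDeferDays = 7;  FeatureDeferDays = 60 }
}

function Set-UpdateRingPolicy {
    param(
        [Parameter(Mandatory)][ValidateSet('Pilot', 'Broad')][string]$Ring,
        # Maintenance window expressed as active hours (updates avoid 08:00-18:00).
        [ValidateRange(0, 23)][int]$ActiveHoursStart = 8,
        [ValidateRange(0, 23)][int]$ActiveHoursEnd   = 18,
        # Delivery Optimization mode 1 = peer with devices on the same LAN only.
        [ValidateSet(0, 1, 2, 3)][int]$PeerMode = 1
    )

    $wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $do = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization'
    foreach ($key in @($wu, $do)) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    }

    $r = $Rings[$Ring]
    # Deployment ring: defer quality and feature updates by the ring's period.
    Set-ItemProperty -Path $wu -Name 'DeferQualityUpdates'             -Value 1 -Type DWord
    Set-ItemProperty -Path $wu -Name 'DeferQualityUpdatesPeriodInDays' -Value $r.QualityDeferDays -Type DWord
    Set-ItemProperty -Path $wu -Name 'DeferFeatureUpdates'             -Value 1 -Type DWord
    Set-ItemProperty -Path $wu -Name 'DeferFeatureUpdatesPeriodInDays' -Value $r.FeatureDeferDays -Type DWord

    # Maintenance window: restarts for updates stay outside active hours.
    Set-ItemProperty -Path $wu -Name 'SetActiveHours'   -Value 1 -Type DWord
    Set-ItemProperty -Path $wu -Name 'ActiveHoursStart' -Value $ActiveHoursStart -Type DWord
    Set-ItemProperty -Path $wu -Name 'ActiveHoursEnd'   -Value $ActiveHoursEnd -Type DWord

    # Peer-to-peer distribution within the office.
    Set-ItemProperty -Path $do -Name 'DODownloadMode' -Value $PeerMode -Type DWord

    # Return what was applied so a deployment script can log it.
    [pscustomobject]@{
        Ring             = $Ring
        QualityDeferDays = $r.QualityDeferDays
        FeatureDeferDays = $r.FeatureDeferDays
        ActiveHours      = "$ActiveHoursStart-$ActiveHoursEnd"
        DODownloadMode   = $PeerMode
    }
}

# Usage (run elevated): Set-UpdateRingPolicy -Ring Pilot
```

Keeping the quality-update deferral short for the broad ring is the point of the ring model: a bad patch shows up on pilot machines before the deferral on the rest of the fleet expires, and the deferral can then be raised or the update paused before it reaches them.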

Windows Store: Trusted Apps

Microsoft has given its Windows Store a huge update, allowing consumers and businesses to have a unified shopping experience on any Windows 10 device -- phone, tablet or PC. The store will act more like an Apple App Store for Windows apps instead of the current free-for-all the Windows platform deals with today. This will help cut down on end-user self-inflicted security screw-ups in which rogue software is downloaded from unknown websites.

To be clear, Microsoft won't vet apps to the same degree Apple does with its App Store, but it will require apps distributed through its store to be signed by Microsoft or a trusted vendor. Those signed apps are called Trusted Apps. Companies will be able to set restrictions on apps, for example allowing only Trusted App installs on a system.

Secure Boot

Secure Boot works a bit like Device Guard in that it allows only trusted executables to run on a device. But Secure Boot goes deeper and is meant to thwart efforts by some of the most dastardly hackers who attack computers by injecting low-level malware like rootkits during a PC's boot process.

Secure Boot was a feature in Windows 8, but it was seldom deployed because most OSs shipped with the feature off. Windows 10 ships with Secure Boot enabled. With Secure Boot, admins can prevent the type of attack in which a hacker uses a thumb drive or a microSD port on a device to boot to a malicious program image. Secure Boot allows only code that is signed and trusted by admins to run.

That type of omnipotent control has some in the Linux community concerned that users will be able to boot only Microsoft-approved operating systems, making booting to Linux problematic. Microsoft said it allows manufacturers to choose whether a user can disable Secure Boot.

Edge Browser Beefs Up The Security

Microsoft's new Edge browser will ship with Windows 10, partly replacing Internet Explorer, which is not going away. The browser, called Microsoft Edge, was designed to defend users from increasingly sophisticated and prevalent attacks, Microsoft writes.

One advanced Edge security feature is reduced extension support, since extensions have notoriously been a springboard for bad guys to sneak onto your PC via a Web browser. For that reason, Edge will no longer support the extensions VML, VBScript, Toolbars, BHOs or ActiveX. Microsoft makes no mention of support for Flash and Java.

Along with banning many extensions, Microsoft has also added a raft of Edge browser security features, ranging from allowing Windows to run Edge in an AppContainer sandbox by default to tightening the reins on how Edge handles website certificates.

CPU Virtualization: Virtual Secure Mode

Once hackers are able to crack into a computer and find credentials on that system, they can go deeper into the enterprise infrastructure. That's why Windows 10 has introduced a capability called "virtual secure mode" (VSM) that uses a PC's CPU virtualization to protect key aspects of a PC, including data and credentials (aka tokens) stored on the system's hard drive.

According to Microsoft, VSM stops attackers from obtaining credentials. It is able to prevent attacks by breaking the Windows 10 OS into multiple containers. While Windows is one container, the security token from Active Directory that lets you access a company's network resources is another container. Those are just two containers of many. The idea is, even if your PC is compromised by a rootkit, the tokens -- used by hackers to move around a network without being asked for a password -- are locked up tight in an encrypted container.

This virtual secure mode approach can go a long way toward eliminating "pass the hash" attacks, according to Microsoft. The feature needs a CPU that supports hardware virtualization.
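Both the Secure Boot section above and this virtual secure mode section describe protections that are only present when the firmware and CPU support them and the feature is actually running, so a defender's first question is "is it on?". The PowerShell below is an added example, not code from the article or from Microsoft; it assumes the `Confirm-SecureBootUEFI` cmdlet and the `Win32_DeviceGuard` WMI class in the `root\Microsoft\Windows\DeviceGuard` namespace, which Windows 10 exposes for validating these features, and it reports the VSM state under the name Windows itself uses for it, virtualization-based security (VBS). The status-code tables are as documented for that class; treat them as an assumption to check against current documentation.

```powershell
# Added example: report Secure Boot, VBS (the article's "virtual secure mode"),
# Credential Guard and Device Guard code-integrity status on the local machine.
# Assumes Win32_DeviceGuard (root\Microsoft\Windows\DeviceGuard) and Confirm-SecureBootUEFI.
# Run elevated; Confirm-SecureBootUEFI needs administrator rights.

# Documented (assumed) code tables for Win32_DeviceGuard properties.
$VbsStatus = @{ 0 = 'NotEnabled'; 1 = 'EnabledNotRunning'; 2 = 'Running' }
$Services  = @{ 1 = 'CredentialGuard'; 2 = 'HypervisorEnforcedCodeIntegrity' }
$CiStatus  = @{ 0 = 'Off'; 1 = 'Audit'; 2 = 'Enforced' }
$Props     = @{ 1 = 'HypervisorSupport'; 2 = 'SecureBoot'; 3 = 'DmaProtection';
                4 = 'SecureMemoryOverwrite'; 5 = 'UefiCodeReadOnly';
                6 = 'SmmSecurityMitigations'; 7 = 'ModeBasedExecutionControl' }

function Get-PlatformSecurityPosture {
    # Secure Boot: the cmdlet returns $true/$false on UEFI firmware and throws on
    # legacy BIOS machines, so an exception means "not available" rather than "off".
    $secureBoot = 'NotAvailable'
    try { $secureBoot = (Confirm-SecureBootUEFI) } catch { $secureBoot = 'NotAvailable' }

    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName 'Win32_DeviceGuard' -ErrorAction SilentlyContinue
    if (-not $dg) {
        # Class missing: the OS build does not expose VBS status; report and stop.
        return [pscustomobject]@{ SecureBoot = $secureBoot; VbsStatus = 'Unknown' }
    }

    # Translate integer codes and code arrays into readable names.
    $decode = { param($table, $codes) @($codes | ForEach-Object { $table[[int]$_] }) }
    $running    = & $decode $Services $dg.SecurityServicesRunning
    $configured = & $decode $Services $dg.SecurityServicesConfigured
    $available  = & $decode $Props    $dg.AvailableSecurityProperties
    $required   = & $decode $Props    $dg.RequiredSecurityProperties

    [pscustomobject]@{
        SecureBoot                    = $secureBoot
        VbsStatus                     = $VbsStatus[[int]$dg.VirtualizationBasedSecurityStatus]
        # Credential Guard is the VSM container the article describes for tokens.
        CredentialGuardRunning        = ($running -contains 'CredentialGuard')
        HvciRunning                   = ($running -contains 'HypervisorEnforcedCodeIntegrity')
        ServicesConfiguredNotRunning  = @($configured | Where-Object { $_ -notin $running })
        KernelCodeIntegrityPolicy     = $CiStatus[[int]$dg.CodeIntegrityPolicyEnforcementStatus]
        UserModeCodeIntegrityPolicy   = $CiStatus[[int]$dg.UsermodeCodeIntegrityPolicyEnforcementStatus]
        # Hardware prerequisites the platform reports as present vs. ones policy demands.
        AvailableProperties           = $available
        MissingRequiredProperties     = @($required | Where-Object { $_ -notin $available })
    }
}

# Usage (elevated): Get-PlatformSecurityPosture | Format-List
```

The two derived fields are the ones worth alerting on: `ServicesConfiguredNotRunning` non-empty means policy asked for Credential Guard or HVCI but the machine is not delivering it, and `MissingRequiredProperties` names the hardware prerequisite (for example `HypervisorSupport` or `SecureBoot`) that explains why, which is the practical face of the article's note that VSM needs a CPU with hardware virtualization.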

Microsoft Partners With HP On Security Tools

Microsoft has partnered with key OEMs such as Hewlett-Packard to boost security beyond its own tools. The partnership allows HP to take advantage of Microsoft's existing security platform, but also deliver unique features of its own under the suite of services called HP On Security Tools.

HP said the toolkit will ship with its line of Elite notebooks and ZBooks. Many of the features HP includes in its security suite seem to be slightly enhanced versions of what Microsoft is bundling into Windows 10. For example, HP Sure Start is a feature that ensures that an HP system's BIOS has not been tampered with before it's allowed to begin the boot sequence -- similar to Secure Boot.

Another feature, called HP Touchpoint Manager, helps businesses enforce security and mobility policies for keeping PCs and Windows 10 devices always up to date with the latest security patches -- similar to Windows Update for Business.

Microsoft Partners With Bromium For More Secure Windows 10

Virtualization startup Bromium has partnered with Microsoft to deliver its micro-virtualization to Windows 10. The partnership, Bromium said, will give Windows 10 customers serious firepower when it comes to fighting data and information breaches that begin with attacks delivered via the browser, USB thumb drives and email attachments.

Bromium said it will complement Windows 10's existing security features with its own micro-virtualization technologies that isolate and eliminate cyberattacks. Bromium protects PCs by automatically isolating each user's unverified task at the device level. It creates what are called hardware-isolated micro-VMs that run untrusted processes without giving them access to critical parts of a PC.