Windows 10: Securing Identity, Information and Devices


Microsoft is bringing a number of new features and capabilities to Windows 10 for the Enterprise. At the recent Ignite conference a session titled "Windows 10, Overview for the Enterprise" outlined a number of these items, including several of interest to security professionals: identity, information and device protection.

Protecting Identity in Windows 10

Microsoft Passport focuses on identity protection and combines several components to reliably identify individual users. The goal is to replace traditional passwords with one of several two-factor authentication methods. It uses the trusted platform modules (TPMs) found in the majority of recently manufactured systems to generate cryptographic keys on demand, eliminating many of the threats based on harvesting user credentials.

One of the new two-factor options is called Windows Hello and brings facial recognition into the mainstream. Biometrics have been around for quite some time, but to date they have mostly been implemented by third-party providers. Fingerprint readers have been present on enterprise-class laptops for years and are becoming common on smartphones; common enough, in fact, that researchers are demonstrating how to defeat them.

Windows 10 makes it possible to use facial and iris recognition, in addition to improved fingerprint recognition, as one of the two factors. A demonstration of the facial recognition capability during the session showed the use of infrared (IR) imaging to help prevent a photograph from fooling the process.

The concept of identity as a platform was discussed as a way for enterprise developers to leverage the work Microsoft has put into Windows 10 in their corporate applications. Another key foundational piece of Microsoft's identity protection push is Azure Active Directory, which makes it possible to authenticate a user from anywhere they can get an Internet connection.

Windows 10 Enterprise will have an "always on" hypervisor providing what Microsoft calls Virtual Secure Mode (VSM). VSM uses a number of techniques to mitigate the risk of pass-the-hash attacks. A pass-the-hash attack exploits the way Windows currently caches credentials in the computer's memory, where they can be harvested by an attacker who gains access to that computer. If an administrator has logged onto the machine, those cached credentials could be extracted and used to gain privileged access to other corporate resources.

Minimum hardware requirements must be met in order to take advantage of VSM: a CPU with virtualization extensions, IO virtualization, and UEFI secure boot enabled.
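As an added example (not from the session or the article), the PowerShell below checks a host against the three prerequisites just listed and reports the current virtualization-based security state. It assumes a released Windows 10 build that exposes the Win32_DeviceGuard WMI class, the Secure Boot cmdlets, and an elevated session; the function name Test-VsmReadiness is this example's own.

```powershell
# Added example: report whether this host meets the VSM prerequisites named in
# the article (CPU virtualization extensions, IO/DMA virtualization, UEFI Secure
# Boot). Assumes Windows 10 with Win32_DeviceGuard and an elevated prompt.
function Test-VsmReadiness {
    $cpu = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1

    # Confirm-SecureBootUEFI throws on legacy BIOS firmware; treat that as "off".
    try   { $secureBoot = Confirm-SecureBootUEFI } catch { $secureBoot = $false }

    # Win32_DeviceGuard lists the hardware properties the OS can use for VBS.
    # AvailableSecurityProperties: 1 = base virtualization, 2 = Secure Boot,
    # 3 = DMA protection (IOMMU / IO virtualization).
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard
    $props = @($dg.AvailableSecurityProperties)

    $checks = [ordered]@{
        'CPU virtualization extensions (VT-x/AMD-V)' = [bool]$cpu.VMMonitorModeExtensions
        'Second level address translation (SLAT)'   = [bool]$cpu.SecondLevelAddressTranslationExtensions
        'Virtualization enabled in firmware'        = [bool]$cpu.VirtualizationFirmwareEnabled
        'UEFI Secure Boot enabled'                  = [bool]$secureBoot
        'IO virtualization / DMA protection'        = ($props -contains 3)
    }

    foreach ($name in $checks.Keys) {
        $state = if ($checks[$name]) { 'OK' } else { 'MISSING' }
        '{0,-45} {1}' -f $name, $state
    }

    # VirtualizationBasedSecurityStatus: 0 = not enabled, 1 = enabled but not
    # running, 2 = running. SecurityServicesRunning contains 1 when the
    # credential isolation service (shipped as Credential Guard) is active.
    'Virtualization-based security status: {0}' -f $dg.VirtualizationBasedSecurityStatus
    'Credential isolation running: {0}' -f (@($dg.SecurityServicesRunning) -contains 1)
}

Test-VsmReadiness
```

A line reported as MISSING usually points at a firmware setting (virtualization or Secure Boot disabled) rather than at the OS, so check the UEFI setup before assuming the hardware is unsupported.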

Protecting Information in Windows 10

Information protection focuses on securing the information stored on a local device. At the most basic level, this capability makes it possible to control the information that passes between personal and corporate contexts. Azure Rights Management Services is one of the back-end pieces that helps protect files as they move between local storage and the cloud. Azure RMS encrypts the data and manages the keys needed to make the process work.

Windows 10 brings file-level encryption to FAT-formatted disks, including removable devices. The operating system now makes it possible to use personal devices for sensitive enterprise files, given the appropriate authentication. It also makes it possible to restrict the use of copy and paste to extract sensitive information.

Another protection point involves the use of AppLocker to restrict which applications can access enterprise data. A key point highlighted in the presentation was that operating system log files are integrated with all of these security measures, making it possible to monitor and report on any action that might represent a security incident. New functionality has been added to Windows Intune to monitor and manage all of these enterprise-level data protection methods.

Protecting Devices in Windows 10

Device Guard is the name of the new Windows 10 feature focused on protecting devices. At a high level, this capability allows an enterprise to control what software can run on an individual device. It uses code signing to establish a trusted source of approved applications. Microsoft is introducing the Business Store as part of this new feature to serve as a repository of trusted applications.
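The AppLocker restriction mentioned above and the Device Guard code-signing model both come down to an allowlist built from publisher signatures. The following added example (not code from the session, Microsoft, or the article) builds a publisher-based AppLocker rule set from a reference directory of approved software and tests a candidate binary against it without enforcing anything. It assumes the AppLocker PowerShell module available on Windows 10 Enterprise and an elevated session; the paths in $ReferenceDir and $Candidate are placeholders.

```powershell
# Added example: build a publisher (code-signing) allowlist with AppLocker and
# test a binary against it before any enforcement. Assumes the AppLocker module
# and an elevated session. $ReferenceDir and $Candidate are placeholder paths.
$ReferenceDir = 'C:\Program Files'
$Candidate    = 'C:\Users\Public\Downloads\unknown-tool.exe'
$PolicyPath   = Join-Path $env:TEMP 'publisher-allowlist.xml'

# Collect signature (publisher) and hash data for every executable in the tree.
# Unsigned files carry no publisher data, so they can only get a hash rule.
$fileInfo = Get-AppLockerFileInformation -Directory $ReferenceDir -Recurse -FileType Exe

# Prefer publisher rules, which survive version updates of signed software, and
# fall back to hash rules for unsigned binaries. -Optimize merges rules that
# share a publisher; -Xml emits the policy document instead of an object.
$fileInfo |
    New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Optimize -Xml |
    Out-File -FilePath $PolicyPath -Encoding UTF8

# Dry run: ask AppLocker how the candidate would be treated under this policy.
# PolicyDecision is Allowed, Denied, or DeniedByDefault (no rule matched).
$result = Test-AppLockerPolicy -XmlPolicy $PolicyPath -Path $Candidate -User Everyone
'{0}: {1} (matching rule: {2})' -f $result.FilePath, $result.PolicyDecision, $result.MatchingRule

# To pilot the policy, set EnforcementMode="AuditOnly" in the XML first, then
# merge it with the existing local policy:
#   Set-AppLockerPolicy -XmlPolicy $PolicyPath -Merge
# and review the AppLocker operational event log before switching to enforcement.
```

A DeniedByDefault result for a legitimately signed internal tool means its publisher is absent from the reference set; add the vendor's certificate as a publisher rule rather than falling back to per-file hashes, which break on every update.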

Windows Update for Business gives the enterprise control over the entire update process. This new capability will use mechanisms such as peer-to-peer delivery to speed the process, but in a controlled fashion. It will also integrate tightly with existing management tools like System Center to minimize the need for any new management infrastructure. Enterprise control means no more Patch Tuesday, where Microsoft rolls out patches for the operating system on the first Tuesday of the month. Roll-out rings will make it possible to update specific sets of systems at different times.

Deploying Windows 10

Once Windows 10 is officially released, the process of rolling it out to enterprise desktops will begin in earnest. Microsoft is addressing a number of different scenarios to help make this process go smoothly. The three primary methods of deploying Windows 10 are anticipated to be wipe-and-load, in-place upgrade and bare-metal provisioning. All three are currently supported by the traditional Windows deployment tools.

The key message from the session around deployment is that Microsoft recognizes the importance of providing a smooth experience to move to Windows 10. The company has made enhancements including the use of Azure Active Directory to improve the process of joining systems to corporate networks even when they're not within the confines of the corporate firewall.

Windows 10: Key Takeaway

Microsoft is bringing many resources to bear on making Windows 10 more secure, while at the same time making it play well within existing management infrastructure. The hope is that corporations will want to jump directly from existing Windows 7 systems to rolling out Windows 10.

Paul Ferrill has been writing in the IT trade press for over 25 years. He's written hundreds of articles for publications like Datamation, Federal Computer Week, InfoWorld, Network Computing, Network World and PC Magazine and is the author of two books. He is a regular contributor to ServerWatch and several other QuinStreet Enterprise properties.