
Windows 10 security


Page 1: Windows 10 security

Page | 2 www.Windows10update.com

Copyright Notice

INTRODUCTION TO WINDOWS 10 SECURITY - BY ONUORA AMOBI

UPDATED SEPTEMBER 15TH, 2015

© 2015 Nnigma Inc.

All rights reserved.

Any unauthorized use, sharing, reproduction or distribution of these materials by any means, electronic, mechanical, or otherwise is strictly prohibited.

No portion of these materials may be reproduced in any manner whatsoever, without the express written consent of the Publisher or Author.

Published under the Copyright Laws of The United States of America by:

Nnigma Inc.

3579 East Foothill Blvd, Suite #254

Pasadena, CA 91107

www.Nnigma.com

Legal Notice

While all attempts have been made to verify information provided in this publication, neither the author nor the publisher assumes any responsibility for errors, omissions or contradictory interpretation of the subject matter herein.

This publication is not intended to be used as a source of binding technical, technological, legal or accounting advice.

Please remember that the information contained may be subject to varying state and/or local laws or regulations that may apply to the user's particular practice.

The purchaser or reader of this publication assumes responsibility for the use of these materials and information.

Adherence to all applicable laws and regulations, both federal, state, and local, governing professional licensing, business practices, advertising and any other aspects of doing business in the US or any other jurisdiction is the sole responsibility of the purchaser or reader.

Nnigma Inc. assumes no responsibility or liability whatsoever on behalf of any purchaser or reader of these materials.

Windows 10, Windows 9, Windows 8.1, Windows 8.1 Update 1, Windows 8, Windows 7, Windows Vista, Windows XP, Surface Hub, Windows Holographic and all other related terms are registered trademarks of the Microsoft Corporation.

All Rights Reserved.

All other trademarks are the property of their respective owners.

All trademarks and copyrights are freely acknowledged.

Table of Contents

Introduction to Windows 10 Security ... 6
Microsoft and the FIDO Alliance ... 7
The comparison to Windows 7 and 8 Security features ... 9
How Microsoft Windows 10 Will Protect Your Identity ... 11
    Windows 10 – Protecting Your Identity and Controlling Access ... 11
    The Pros and Cons of Biometrics ... 12
    Facial Authentication ... 16
    Windows Hello ... 18
New Security Features in Windows 10 ... 19
    Microsoft Passport ... 19
    Passport2Go ... 22
    BitLocker and TPM ... 30
How Does BitLocker Drive Encryption Work? ... 32
    Device Guard ... 33
Required Hardware and Software for Device Guard ... 34
    Why use Device Guard? ... 35
    Enterprise Data Protection (EDP) ... 37
How Does EDP Work? ... 38
    Levels of Protection ... 38
    EDP Allows Better Work Flow ... 39
    Changing the Protection Levels on Documents ... 39
    Enterprise Data Security ... 40
    Wipe Enterprise Data Remotely ... 40
    Copying or Downloading Enterprise Data ... 41
    Privileged Apps and Restrictions ... 41
    Persistent Data Encryption ... 42
    Helps Prevent Accidental Data Sharing ... 42
The Benefits of EDP ... 43
    Enterprise scenarios ... 43
Windows Defender ... 44
    Configuration and Exclusions ... 44
UEFI ... 45
Advanced Threat Analytics ... 47
    How Does It Work? ... 48
    Virtual Secure Mode ... 50
    Microsoft Virtualization Strategy and Security ... 51
    Security Improvements ... 52
Enterprise Mobility – Identity in the Enterprise ... 53
    Cloud App Discovery ... 55
        Managing Your Directory on the Cloud ... 56
How Microsoft Windows 10 Will Protect Your Data ... 57
    Azure Rights Management and Information Rights Management ... 57
    Azure Administrative Tasks ... 57
    Data Protection in Azure ... 58
    Virtual Machines – Windows/LINUX ... 58
    Key Vault Security ... 59
    Azure Storage – Blobs, Tables, Queues ... 59
    SQL Server and SQL Database ... 59
    Access Control and Auditing ... 60
        Mitigate the Risk of Compromised Accounts ... 60
        Limiting Permissions ... 60
        Privileged Accounts ... 61
What is the Operations Management Suite? ... 62
    Mobile Security ... 63
    MDM – Mobile Device Management and the Business Store ... 69
    Browser Security ... 74
    Enterprise Mobility Suite ... 75
    Office 365 ... 76
    Conditional Access to Azure AD Connected Applications ... 77
Windows as a Service – More Security via secure updates ... 79
    Windows Update for Business ... 80
Windows 10 and the Internet of Things ... 81
    AllSeen and AllJoyn ... 81
    Where Does Windows 10 Come In? ... 82
    IoT Azure Security ... 82
Summary ... 85

Introduction to Windows 10 Security

Security has always been an issue for computer users. However, over the last couple of decades, security threats have become much worse.

While you may think you have the best security system possible on your PC, it is likely that you probably don't. Why? Because the landscape of cyber-threats is changing too fast for ordinary security software to keep up with.

Heck, you could buy a new security system for your computer right now and within 72 hours, it would require a security update.

Cyber threats are becoming more complex and attackers more cunning. Viruses and malware, for example, have gained new abilities to hide and remain undetected.

Cyber-attacks are more sophisticated and highly targeted compared with years ago, when hackers could only hope for indiscriminate and unfocused damage.

In the early days, we had Script Kiddies, who were aimed at causing mischief rather than damage.

Today criminal gangs conduct crimes such as click fraud and ID theft, conducted purely for illicit profit. We also have activists and the Internet terror groups whose sole aim is to cause as much disruption and damage as they can, as well as steal identities.

In the midst of this very treacherous landscape, Microsoft has taken up the challenge of keeping computer users safe. With Windows 10, the software company is introducing unprecedented levels of security safeguards into the very fabric of the Operating System.

I wrote this book because I wanted to take a brief look behind the curtain to see what types of security were embedded in Windows 10.

Here's what I found.

Microsoft and the FIDO Alliance

The FIDO (Fast Identity Online) Alliance was launched in 2012 as a way of addressing the lack of interoperability between strong authentication devices and the problems users have in remembering multiple usernames and passwords. PayPal and Lenovo, two of the biggest names in the industry, were founding members of FIDO. In just over a year after launch, many more big names had joined the alliance, including Google, BlackBerry, Visa, SecureKeys and, of course, Microsoft.

So, how does the FIDO Alliance factor into Windows 10? To get to that, we need to go back a step or two, to talk about why Microsoft opted to join the Alliance.

Security problems on our devices are getting worse, partly because of the significant jump in malicious attacks and partly because of user behaviour. You see, it often comes down to passwords. Computer users often get sloppy and lax, and share their passwords with others.

That isn't the only problem, though; the next part of the puzzle involves the websites we visit. The issue is not that they are unsafe, because most of them are safe. It's just that, once again, that lazy gene comes out and we stick to using the same password for every single site that we have to log in to. Why do we do that? Because not only is it time-consuming to have to come up with a different complex password for each site, we have to remember them as well. The human brain can only hold so much information and, to help us out, we write those passwords down – which comes back to being lax and sloppy about security.

Because we are using the same login details for every site, it makes it easy for those details to be stolen. A malicious attacker will go for a weak website, one which doesn't have so much security on it, and once they have your details from that site, it doesn't take a genius to guess that you probably used the same ones to log in everywhere else! That gives the attacker an open pass, a master key if you like, to everything you have access to.

The final piece of the puzzle, one of the weakest links, is the device that you are using. It's not that it's no good, it's just that, up until now, any application would run on your device, regardless of content, until it was proven to be a bad apple. The only way that app would not run is if your anti-virus software or firewall picked it up and kicked it out. Not everyone has antivirus software installed, or they don't use the one that is already provided with Windows. That means that so much malware gets through the net that once it starts, it is difficult to stop it.

So how does Microsoft intend to fix this? The current PKI (public key infrastructure) is way too expensive and complex to maintain, and it is constantly under attack. The current CA (certificate authority) system is also under attack. An attacker can get to your certificate details before your IDP (Identity Provider) can give you a token, and that leaves every door in the house wide open. And, if that weren't enough, limited use of MFA (multi-factor authentication) leaves weak spots everywhere, weak spots that take little effort to get through.

In Windows 10, Microsoft is making it easier for you to log in while tightening the security net with MFA. With a combination of biometrics, PIN access and tying asymmetrical key pairs to a specific device, Microsoft is aiming to make it so that no one else, except for you, can access your resources and your applications.

With Windows 10, Microsoft is bringing to market the next generation of user credentials. We'll run through them one by one in this book.

The comparison to Windows 7 and 8 Security features

Microsoft had to take a new approach to Windows 10 security for a couple of reasons.

First, security problems and challenges continue to evolve rapidly, and it was clear that there were new challenges that needed to be solved.

It was also clear that some of these challenges were a little bit more sophisticated than Windows 7 and Windows 8 were designed to handle.

To give you a quick overview, take a look at the table below, showing you the fundamental differences in security between Windows 7 and Windows 10:

Function: Identity Protection
Windows 7: Password theft is too common now and current multi-factor solutions are simply too expensive and too difficult to deploy.
Windows 10: Comes complete with an easy-to-deploy multi-factor solution, complete with anti-phishing and anti-theft features. Password protection and PINs are included in multi-factor security solutions.

Function: Data Protection
Windows 7: Offers the option of configurable disk encryption but doesn't have integrated Data Loss Prevention (DLP). Can use third-party solutions, but not always successfully.
Windows 10: Has market-leading disk encryption, very manageable and increased out-of-band (OOB) security updates. Data separation and DLP are fully integrated.

Function: Threat Resistance
Windows 7: Apps are always trusted until they are a threat, and there is no way of detecting the thousands of new threats that appear every day.
Windows 10: Desktop machines can be locked down to a mobile level. There is the ability to have a trusted app model where those apps that are untrusted cannot run.

Function: Device Security
Windows 7: The platform is securely built, but built on software alone, meaning malware can hide from security, embedding itself in devices.
Windows 10: The platform is built on integrated hardware and software security and offers protection from being switched on to being shut down. There are no possibilities for system tampering and malware has no place to hide.

Basically Microsoft took a holistic look at security and decided to attack some of the fundamental security flaws and challenges from a deep architectural perspective.

With Windows 10, Microsoft has implemented a wide variety of security solutions that protect both your software and the hardware:

• Windows Hello and Windows Passport handle ID protection.

• BitLocker and Enterprise Data Protection handle data protection.

• Device Guard and Windows Defender protect against multifaceted threats.

• UEFI Secure Boot, TPM 2.0 and Virtualization keep your hardware safe.

Let's take a closer look at each of these solutions.

How Microsoft Windows 10 Will Protect Your Identity

First up is identity protection. Identity theft is the one thing that concerns computer users the most.

Every day, more stories are published about people whose identity has been stolen and used to commit fraud, and that, quite understandably, makes consumers nervous. Windows 10 looks set to make users feel good about using a computer again, to make them feel secure.

Windows 10 – Protecting Your Identity and Controlling Access

The next topic of discussion is a new solution to protect one's identity, a solution that leaves behind the old-fashioned use of single-factor authentication, like passwords. It is a solution that protects you when a breach happens in the data center.

It also protects your data from being stolen if your device happens to be compromised, and it stops phishing attacks in their tracks.

Once you are enrolled in the system, your device becomes one of the two factors that you need for authentication; the other is a PIN or biometric information, such as your fingerprint.

The systems in question are Windows Hello and Windows Passport, two systems that work together to provide the ultimate in identity protection. Let's go a little deeper and examine what each system has to offer.

This security solution benefits consumers and business users alike and provides the convenience of using a password without all the hassle of having to remember it or forgetting who you gave it to. Microsoft is taking security to a whole new level to bring its customers complete identity protection with multi-factor authentication.

Let's take a look at the systems that Microsoft chose to use and why they chose them. First, biometrics. What is it exactly? Biometrics is the study of biological characteristics that can be measured. In computer security, biometrics is increasingly used to make it more difficult for systems to be hacked through the old-fashioned password system.

The biometrics in this instance refer to physical characteristics that can easily be checked against what information is stored in the system. There are a number of ways that biometrics are used for authentication:

Facial: the analysis of different facial characteristics

Fingerprint: analysis of the unique fingerprints of each person

Hand Geometry: the shape of the hands and the finger length

Retinal: analysis of the capillary vessels at the rear of the eye

Iris: analysis of the colored ring surrounding the pupil in the eye

Signature: how a person signs his or her name

Vein: pattern of the veins on the back of a hand and in the wrist

Voice: tone and pitch of a voice, as well as the frequency and cadence

Biometrics is still a relatively new development but it is fast becoming the way to go with computer security systems.

The Pros and Cons of Biometrics

There are pros and cons to every form of biometric authentication. Given that Microsoft has chosen to adopt this as a security measure, it is important to review the arguments for and against the use of the new technology.

The arguments for using it for network access revolve mainly around three key areas. The first and perhaps the most obvious is that biometric authentication uses attributes that are unique to the individual, making it the ideal form of security.

The second argument for using biometrics is that users will no longer be able to forget their passwords, or share them with others, knowingly or inadvertently. Password administration systems and overheads are considerably reduced as well, and this is one of the driving factors in adopting biometric authentication.

The third argument is that it will be incredibly difficult for a person's biometric characteristics to be replicated, far more difficult than it is to replicate a password or user ID. Also, whereas tokens can be stolen or lost, biometric characteristics cannot.

Arguments against the use of biometrics are many, showing just how controversially it is viewed in some quarters. First and foremost, it is still expensive to implement biometric authentication measures, meaning that many organizations cannot afford it. The cost of both the hardware and software required may be prohibitive to many, along with the cost of integrating it with current systems in place.

There is also the argument that right now, biometric systems are only suited to simplistic networks. This is paired with some current thinking that, as an all-or-nothing technology, it may not suit many organizations at this stage. All-or-nothing means that you can go to the expense of having biometric authentication on every single computer on the network, but it counts for nothing if a user can log on to the system from a remote location without needing to use it; that would undermine everything and make the expense a complete waste of time.

There is also the argument that the storage of biometric information is an invasion of privacy, but those in favor of it say that it is only a representation of the data, not the original data, that is being stored. Of course, there is another angle to this – given the rate at which a successful technology will spread, there is concern that, should a user's biometric data be compromised, not only does it affect network security, that data could also be used for a large number of illegal activities.

One final but significant concern is that using biometric data is not the same as using a key and does not have the same random, secret nature of a key. Neither does it have the ability to update and destroy itself. If a person's biometric data is compromised, it is not a simple case of issuing new biometric data – clearly that can't be done!

So, given all the controversy surrounding the use of biometrics for security, why has Microsoft opted to adopt it? The simple answer is reliability. The consequences of having a system that runs using old-fashioned methods can be damaging, with confidential information stolen and data integrity compromised.

Also, let's face it, many of the applications we use in our daily lives require some form of authentication. As far as Microsoft is concerned, by using biometric authentication to get into Windows 10, you can also use it to access all your Microsoft accounts and apps – there isn't a need to remember separate passwords for each app.

Passwords can be stolen or replicated, biometric information cannot. In addition, biometric information can be positively linked to a specific person – for example, a credit card can be used without the actual user being there, whereas biometrics requires you to be at the computing device to log in.

Windows 10 is set up to provide modern biometric capabilities that allow users to easily unlock their devices and to unlock NGC – Next Generation Credentials – for a much more improved and secure password-free existence.

The Internet can be a hostile place and consumers want a safer, more reliable experience and a better authentication system than we have now. They want a system that is secure; a system that leaves passwords in the dust, yet still gives them access to everything they need. With Windows 10, Microsoft set out to do just that, setting out a series of goals they wanted to meet:

• To enable both consumers and enterprise users to be able to unlock their devices, make payments and secure their content – all without using a password and in a more secure way

• To develop hardware solutions that, at the very least meet, if not exceed, the expectations of the customer, hardware that is robust and easy to use

• To deliver biometric devices that are innovative and give the customer value

To this end, Windows 10 has been developed to support a wide range of biometrics – fingerprint, facial or iris recognition – whichever suits the user best. Special hardware is required to support this and those devices that meet the requirements of Windows 10 for biometric authentication will benefit in a number of ways:

• Easy and convenient logon and very strong authentication

• Enterprise-level security with access to HBI (High Business Impact) resources

• Consistent inbox enrolment and usage across Windows-enabled biometric devices

In addition, Windows 10 also supports an inbox Face Authentication solution that is available for all OEMs that provide the supported hardware, without the need to rely on third parties.

Facial Authentication

Windows 10 brings a new level of Face Recognition to the table; a system that allows for the easy authentication and unlocking of Windows devices, as well as access to content that is NGC-supported. This is all without the need to use passwords or any additional authentication factors.

Features: Windows 10 Face Authentication features include:

• An interface that is user-friendly, providing the capability for single sign-on. There is no need for the use of passwords, or any other authentication credentials.

• Enterprise-grade authentication, as well as access to NGC-supported content – network resources, purchased content and websites.

• Anti-spoofing measures are included to eliminate the chance of physical attack – no one except you can log on to your system.

• Using Clean Infrared, clean and consistent images can be produced, even in diverse lighting situations. The system also allows for slight changes in appearance, such as the addition or removal of facial hair, makeup, glasses, etc.

Use Cases: There are three primary use cases for Face Authentication:

1. Authentication needed to unlock or log in

On average, the system takes less than 2 seconds to recognize your face, although it may take up to 30 seconds – but no more than that. This is expected to be used at a high frequency since it is required whenever a user needs to authenticate their device and get past the lock screen.

2. Authentication to Purchase

On average, the system will recognize a face in less than 2 seconds, but up to a maximum of 30 seconds. This is required every time an application needs a user to re-authenticate their details and is not expected to be a frequently occurring use case.

3. Presence

The average duration of recognition is 1.5 to 30 seconds, although it may take longer. The frequency of usage is expected to be low and, using new presence APIs, applications will be able to use sensors to determine if the authenticated person is present at the device or if it is an unknown or guest user.

So let's talk a little bit about Microsoft's facial detection security mechanism…

Windows Hello

Windows Hello provides biometric authentication, allowing you instant access to any of your Windows 10 devices, whether desktop or mobile.

Forget trying to remember cumbersome passwords – with Windows Hello you will be able to look at your webcam or use your fingerprint to be immediately recognized and allowed access.

As well as being much more convenient, it is also a more secure method than using a password.

Windows 10 introduces a new system that allows you to authenticate enterprise content, applications, and even online experiences without having a password stored where it can be stolen.

Windows Hello works with your face, your iris or with a fingerprint (you will need a compatible webcam and/or fingerprint sensor). After implementation, only you and your partnered device can be used to access your Windows 10 apps, websites, and data. This is done using a series of modern sensors that will recognize characteristics that are personal to you.

Unless your device already has an Intel RealSense compatible camera or fingerprint sensor, you will need to upgrade to one of a large number of Windows 10 devices that will soon support Windows Hello.

For facial detection, Windows Hello uses software and special hardware to verify your identity – it won't work if someone holds up a photograph of you, for instance.

The Intel RealSense enabled cameras use infrared technology to take a very comprehensive 3D image of your face. This allows for not only a great feel for the look of your face, but the depth as well.

The cameras are stunningly reliable and can verify your identity in a wide range of lighting conditions.

Windows Hello is a solution that will be used not only by consumers but also by defense, government, health organizations, financial organizations and others to bring better security and eliminate the threat of imposters or hackers.

New Security Features in Windows 10

The following are some more of the new and exciting security features that Windows 10 is bringing to the table.

Microsoft Passport

Windows Hello is not the whole story, however. Microsoft has also introduced Microsoft Passport.

Passport is designed to do away with passwords, allowing system IT managers, website authors, and software developers to include a more secure way of letting you sign in to their apps or sites.

Page 20: Windows 10 security

Page | 20 www.Windows10update.com

Insteadofusingtheold-fashionedmethodofapassword,WindowsPassportisdesignedtosecurelyverifyyouridentityandauthenticateyouonwebsites,applications,andnetworkswithouttheneedtostoreapasswordontheservers–thuseliminatingthethreatoftheftthroughhacking.

Windows 10 replaces the password systemwith a private key or PIN thatwill allow youaccesstoeitheryourownpersonaldataortoyourorganization’sdata.ThatPINislinkedtoyourdeviceonlyandwillnotworkwithoutit.

IfyoutriedtologinusingyourPINonanotherdevice,youwouldbebarredfromentering.Obviously,youwillneedtosetupaseparatePINforeachdevicethatyouintendtousebutthatjustaddsafurtherlayerofsecurity–no-onecanaccessyourdatafromjustanydeviceanylonger,makingyourdataandyouridentitysafefromunwantedattention.

WhydidMicrosoftgodowntherouteofusingaPINnumber?Surelythatis justasbadasusingapassword,isn’tit?No.APINissignificantlyfastertouseandiswaymoresecurethanapassword.Nextquestion–howcansuchashortPINbemoresecurethanacomplexpassword?Thisisbecauseitdoesn’treallyhaveanythingtodowithsize.

Where the PIN differs from a password is that a password works from any device, while the PIN is bound to one specific device. If someone learned your PIN, they could do nothing with it unless they also had physical possession of the device the PIN belongs to, and the TPM's anti-hammering protection limits how many wrong guesses can be tried against the key on that device. Think of it as being like the PIN on your bank card: a thief could not use your PIN with their own card at a cash machine, because the PIN is tied to that card. The Microsoft Passport PIN works the same way.

None of this is mandatory; it is entirely your choice whether to use Windows Hello and Passport. You may be concerned that your biometric information could be stolen and reused. For that reason the biometric template is stored only on your device, never on an external system or server. It is used only to unlock the keys on that device and is never sent over the network to authenticate you.
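The trust relationship described above, as an added example that is not code from the page or from Microsoft: a small PowerShell model in which the device holds a private key that never leaves it, the relying party stores only the public key, and each sign-in signs a fresh nonce. The function names, the PIN check and the in-memory hashtables standing in for the TPM and the server database are assumptions made for the demonstration; real Passport keeps the key in the TPM (which also rate-limits PIN guesses in hardware) and uses its own wire format.

```powershell
$Hash = [System.Security.Cryptography.HashAlgorithmName]::SHA256
$Pad  = [System.Security.Cryptography.RSASignaturePadding]::Pkcs1

function Get-Sha256([string]$Text) {
    $sha = [System.Security.Cryptography.SHA256]::Create()
    [Convert]::ToBase64String($sha.ComputeHash([Text.Encoding]::UTF8.GetBytes($Text)))
}

# ---- device side: one key per (device, relying party); the private half is never exported ----
$DeviceKeys = @{}   # stands in for the TPM-backed key store (assumption)

function New-DeviceKey([string]$DeviceId, [string]$RelyingParty, [string]$Pin) {
    $rsa = New-Object System.Security.Cryptography.RSACng -ArgumentList 2048
    # The PIN never leaves the device; it only gates use of the private key.
    $DeviceKeys["$DeviceId|$RelyingParty"] = @{ Key = $rsa; PinHash = (Get-Sha256 $Pin) }
    return $rsa.ExportParameters($false)   # $false = public parameters only
}

function Invoke-DeviceSign([string]$DeviceId, [string]$RelyingParty, [string]$Pin, [byte[]]$Challenge) {
    $entry = $DeviceKeys["$DeviceId|$RelyingParty"]
    if (-not $entry) { throw "no Passport key on $DeviceId for $RelyingParty; the PIN is useless here" }
    if ((Get-Sha256 $Pin) -ne $entry.PinHash) { throw "wrong PIN" }
    return $entry.Key.SignData($Challenge, $Hash, $Pad)
}

# ---- relying party side: public keys and single-use nonces only ----
$ServerKeys = @{}   # what a server breach would expose: public keys, not secrets
$OpenNonces = @{}

function Register-PublicKey([string]$User, [string]$DeviceId, $PublicParams) {
    $pub = New-Object System.Security.Cryptography.RSACng
    $pub.ImportParameters($PublicParams)
    $ServerKeys["$User|$DeviceId"] = $pub
}

function New-Challenge([string]$User, [string]$DeviceId) {
    $nonce = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($nonce)
    $OpenNonces[[Convert]::ToBase64String($nonce)] = "$User|$DeviceId"
    return $nonce
}

function Test-Response([byte[]]$Nonce, [byte[]]$Signature) {
    $id  = [Convert]::ToBase64String($Nonce)
    $who = $OpenNonces[$id]
    if (-not $who) { return $false }        # unknown or already-used nonce: a replay
    $OpenNonces.Remove($id)                 # each challenge is good for exactly one response
    return $ServerKeys[$who].VerifyData($Nonce, $Signature, $Hash, $Pad)
}

# ---- walkthrough with constructed names ----
$pub = New-DeviceKey 'LAPTOP-01' 'contoso' '135790'
Register-PublicKey 'irwin' 'LAPTOP-01'  $pub

$nonce = New-Challenge 'irwin' 'LAPTOP-01'
$sig   = Invoke-DeviceSign 'LAPTOP-01' 'contoso' '135790' $nonce
"Sign-in from the registered device verifies: $(Test-Response $nonce $sig)"
"Replaying the captured response verifies:   $(Test-Response $nonce $sig)"

# Same PIN typed on a device that never registered: there is no key to unlock.
try   { Invoke-DeviceSign 'LAPTOP-02' 'contoso' '135790' (New-Challenge 'irwin' 'LAPTOP-01') | Out-Null }
catch { "Same PIN on another device: $($_.Exception.Message)" }
```

Running it shows the three properties the section claims: a sign-in from the registered device verifies, a captured response fails when replayed because its nonce has been consumed, and the same PIN on an unregistered device cannot produce a signature at all. A dump of $ServerKeys contains only public keys, which is why a breach of the relying party does not yield reusable credentials.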

Passport2Go

Passport2Go is the part of the Passport system that lets you specify whether a device is for personal or for business use. Let's go through an example of Passport2Go in use.

Fun fact: Microsoft uses the fictional Contoso company for examples in many of its presentations and documents.

Irwin works for a consulting company that provides services to Contoso. Contoso gives its partners cloud-only accounts through Azure Active Directory (AAD) when necessary. Irwin has a long-running engagement that requires an AAD account and, through his work for Contoso, he has an allowance that lets him buy a device to be used ONLY for his Contoso work. How does he set this device up so that it can only be used in this way?

By enabling Passport2Go. When you sign up to Passport2Go, you define whether your device is for personal or for business use. Let's walk through the example:

In our example, choosing organization use gives Irwin access to all the resources he needs for his work.

Next, Irwin has to choose how he is going to connect. Because Contoso provides him with an AAD account, that is the option he selects.

Irwin is now taken to the AAD sign-in page, where he signs in with his Office 365 (Azure AD) credentials, starting with his email address.

Then his password...

Irwin is then directed to the Contoso sign-in page on AAD.

Now it is time for Irwin to set up the PIN that will unlock the device and everything he needs in order to do his work.

A PIN is much shorter than a password and, as explained above, more secure in practice. You may again question how a shorter PIN can be more secure than a long, complex password. Microsoft's answer, repeated on the setup screen, is the same: the PIN never leaves the device and only unlocks a key that is bound to it.

The next step for Irwin is to choose how to verify his account. He has four options: a text message, a phone call, a notification sent to his authenticator app, or a security code generated by the authenticator app.

Irwin opts for the text message...

Once he has received the message verifying his account, Irwin can create his PIN.

Because he has ticked the box that says "Use a 4-digit PIN", his new PIN is not accepted and he sees a message telling him that there are special requirements for the PIN.

Contoso has set specific complexity requirements for the PIN, and these are now shown to Irwin so that he can create a PIN that meets them.

Once Irwin has successfully set up his PIN, the changes are applied, which may take anywhere from a few seconds to a couple of minutes.

Finally, the NGC (Next Generation Credentials) container is loaded and Irwin has full access to all the apps and systems he needs for work.

BitLocker and TPM

Windows BitLocker Drive Encryption is not new to Windows 10 (it first shipped with Windows Vista), but it remains the foundation of data-at-rest protection. It encrypts the entire Windows operating system volume, and optionally fixed and removable data volumes, rather than individual files.

The TPM, or Trusted Platform Module, is a dedicated chip (or a firmware implementation of one) that holds a key pair called the Endorsement Key. The private half of that key is generated inside the TPM and can never be read out by software.

When a user or an administrator takes ownership of the TPM, a Storage Root Key is created. The TPM generates this key pair itself and protects its use with the owner authorization value; it is the parent under which the TPM's other keys are stored.

The Attestation Identity Key has a different job: proving to an outside party that the device's software and firmware have not been modified. It does not do the hashing itself. During boot, each stage measures (hashes) the next component before handing control to it and records the hash in the TPM's Platform Configuration Registers (PCRs); the AIK then signs a report of those PCR values so that a remote verifier can trust it.

With remote attestation, when the device tries to join a network, a server checks the signed PCR values against the expected values.

If any measured component has changed since the reference values were taken, the PCRs will not match and the device can be denied access to the network.

BitLocker uses the TPM to protect the operating system volume and everything on it. The TPM releases the volume's key only when the boot measurements match, so the boot chain of a lost or stolen laptop cannot be tampered with offline without BitLocker noticing and falling back to recovery.

That said, BitLocker can be used without a TPM. From 2016, Microsoft's hardware requirements for new Windows 10 devices call for TPM 2.0.

If you do use BitLocker on an operating system volume without a TPM, Group Policy must first allow it (Require additional authentication at startup > Allow BitLocker without a compatible TPM), and you must then protect the volume with either a startup key stored on a USB flash drive or a pre-boot password. The USB drive or password is needed every time the volume is unlocked. Without a TPM there is no measured boot, so nothing detects tampering with the boot components.

The Trusted Platform Module provides a number of essential security services, including:

• Securely recording boot process measurements.
• Deriving and sealing keys so that they can only be used after a specific boot sequence.
• Providing a hardware root of trust that cloud services can rely on through attestation.
• Protecting each of these operations from malware or a malicious user.

TPM 2.0 goes a little further and updates the capabilities of TPM 1.2:

• Cryptographic strength is updated to meet modern standards: TPM 1.2 is limited to SHA-1 and RSA, while TPM 2.0 supports SHA-256 and additional algorithms.
• It is more flexible on cryptographic algorithms (algorithm agility), in order to better support government requirements.
• Management is more consistent across implementations.

How Does BitLocker Drive Encryption Work?

In a nutshell, it protects your entire system by encrypting all of the data on the volume.

If a TPM is used to protect the encryption keys, those keys cannot be obtained until the TPM has verified the state of the computer.

If there are any signs of tampering, the TPM will not release the keys.

By encrypting the entire contents of the volume, you protect everything: your own personal data, the operating system itself, temporary files, the Windows registry files and the hibernation file.

Because the keys are held by the TPM, if your hard drive were removed and inserted into another computer, the thief could not read your data.

When you start your device, the firmware, the boot manager and the Windows loader each measure the next component and extend the hashes into the TPM's PCRs. BitLocker's volume master key is sealed to the PCR values recorded when protection was turned on, so the TPM will unseal it only if the current values match.

If all is well, the TPM releases the key and the encrypted data can be unlocked. If the boot configuration or the Windows installation shows signs of tampering, the key is not released and BitLocker prompts for the 48-digit recovery password instead; it is as simple as that. The same prompt appears after legitimate changes to measured components, such as a firmware update or a change to the boot order, which is why recovery passwords must be escrowed (in Active Directory, Azure AD or your MDM) before you enable protection.

By default, BitLocker is set up to work with the TPM alone, and you can also combine this with a user-entered PIN or a startup key stored on a USB flash drive. A startup key or password is required if you do not have a compatible TPM. TPM-only protection means the volume is unlocked automatically at boot, so anyone who powers on the stolen machine reaches the Windows sign-in screen and can attempt attacks against the running system (for example through DMA-capable ports); TPM plus PIN is the configuration to choose for portable devices.
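The measurement-and-seal mechanism above, and the checks an administrator would run afterwards, as an added PowerShell example that is not code from the page or from Microsoft. The first half models how a PCR is extended and how a key sealed to a boot chain is refused when any measured component changes; the boot-chain strings are constructed and the seal is reduced to the TPM's policy comparison (the real TPM also encrypts the sealed blob under the Storage Root Key). The second half reads the live TPM and BitLocker state with the TrustedPlatformModule and BitLocker modules that ship with Windows 10 and has to run elevated.

```powershell
# ---- part 1: model of PCR extend and sealing (constructed data) ----
function Get-Digest([byte[]]$Bytes) {
    [System.Security.Cryptography.SHA256]::Create().ComputeHash($Bytes)
}

function Get-BootPcr([string[]]$BootChain) {
    # A PCR starts at zero at power-on and can only be extended:
    # PCR = H(PCR || H(component)). Each stage measures the next one before
    # running it, so the final value commits to every component and its order.
    [byte[]]$pcr = New-Object byte[] 32
    foreach ($component in $BootChain) {
        $measurement = Get-Digest ([Text.Encoding]::UTF8.GetBytes($component))
        $pcr = [byte[]](Get-Digest ([byte[]]($pcr + $measurement)))
    }
    return ([BitConverter]::ToString($pcr) -replace '-', '')
}

function Protect-KeyToBoot([string]$VolumeMasterKey, [string[]]$TrustedChain) {
    # Sealing binds the key to the PCR value of a known-good boot.
    @{ ExpectedPcr = (Get-BootPcr $TrustedChain); Key = $VolumeMasterKey }
}

function Unprotect-KeyToBoot($Sealed, [string[]]$ActualChain) {
    # The TPM compares the current PCR with the sealed policy; on mismatch
    # nothing is released and BitLocker falls back to the recovery password.
    if ((Get-BootPcr $ActualChain) -eq $Sealed.ExpectedPcr) { return $Sealed.Key }
    return $null
}

$goodChain = @('UEFI firmware 1.12', 'Windows Boot Manager 10.0.10240',
               'winload.efi 10.0.10240', 'BCD: testsigning=off')
$sealed    = Protect-KeyToBoot -VolumeMasterKey 'VMK-example' -TrustedChain $goodChain

$tampered = $goodChain.Clone(); $tampered[3] = 'BCD: testsigning=on'   # one boot flag flipped
"Good boot releases the key:     $($null -ne (Unprotect-KeyToBoot $sealed $goodChain))"
"Tampered boot releases the key: $($null -ne (Unprotect-KeyToBoot $sealed $tampered))"

# ---- part 2: live posture on this machine (run as administrator) ----
function Get-BitLockerPosture {
    $tpm   = Get-Tpm
    $os    = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $types = @($os.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
    [pscustomobject]@{
        TpmPresent          = $tpm.TpmPresent
        TpmReady            = $tpm.TpmReady
        VolumeStatus        = $os.VolumeStatus       # FullyEncrypted / EncryptionInProgress / FullyDecrypted
        ProtectionStatus    = $os.ProtectionStatus   # Off also covers "suspended": the key sits in the clear on disk
        KeyProtectors       = $types -join ', '
        BoundToTpmAndPin    = $types -contains 'TpmPin'
        HasRecoveryPassword = $types -contains 'RecoveryPassword'
    }
}

Get-BitLockerPosture

# Moving a TPM-only volume to TPM+PIN (uncomment on a machine where you mean it).
# A volume holds one TPM-based protector, so remove the existing TPM-only one first,
# and make sure a recovery password exists and is escrowed before relying on the PIN.
# Add-BitLockerKeyProtector -MountPoint $env:SystemDrive -RecoveryPasswordProtector
# Add-BitLockerKeyProtector -MountPoint $env:SystemDrive -TpmAndPinProtector -Pin (Read-Host -AsSecureString 'PIN')
```

Part 1 prints True for the known-good chain and False when a single boot flag has changed, which is exactly the situation in which a real machine shows the recovery screen. Part 2 is the quick health check: ProtectionStatus Off together with VolumeStatus FullyEncrypted means BitLocker is suspended and the key is stored unprotected, and BoundToTpmAndPin False on a laptop is the gap discussed above.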

Windows also offers encryption of individual files, but that is a separate feature, the Encrypting File System (EFS), rather than part of BitLocker. BitLocker is normally used for the entire drive; EFS is the tool when particular files need to stay protected from other users of the same machine.

Users can encrypt files from Windows File Explorer: right-click the file, open Properties > Advanced and tick "Encrypt contents to secure data". Encrypted files are then shown in green, so you can see at a glance what has and has not been protected. Note that EFS protection does not travel with the file: attaching an EFS-encrypted file to an email or copying it to a FAT-formatted USB stick writes it out decrypted. For removable drives, use BitLocker To Go to encrypt the whole stick instead.

A common misunderstanding concerns downloads. A sensitive document downloaded to a BitLocker-protected volume is encrypted at rest like everything else on that volume, but only at rest: BitLocker does nothing for the data in transit, and anyone who can sign in to the unlocked system can read it.

Device Guard

So, Microsoft is going to protect your identity and your data, but what about the device you are using? Windows 10 includes a number of ways to lock down a device, adding extra protection and threat resistance.

Most malware arrives because a user inadvertently downloads and runs it, so Microsoft is introducing a way of allowing only trusted applications to run on a device. Trusted applications are those whose signature (or, for unsigned code, file hash) is allowed by a code integrity policy the enterprise controls: Microsoft-signed code, code signed by other publishers the policy lists, or code the organization has signed or catalogued itself. The device has to be configured for this. That feature is called Device Guard.

Device Guard is not a piece of firmware. It is a combination of hardware features (UEFI Secure Boot, CPU virtualization extensions and, ideally, an IOMMU) and Windows features that must be configured together: virtualization-based security, a configurable code integrity policy, and hypervisor-enforced code integrity. Once configured, the device is locked down to run only trusted applications, and many OEMs are shipping hardware that supports it.

It works by using the virtualization-based security that Windows 10 introduces: the Code Integrity service is isolated from the Windows kernel in a separate environment protected by the hypervisor, where it uses the enterprise-controlled policy and the signatures on each binary to decide what can and cannot be trusted.

The basic function of Device Guard is to check each binary (executable, DLL or driver) as it is loaded into memory for execution. It does this during boot and afterwards, compares the signature or hash against the policy, and stops anything the policy does not allow from loading.

Because the decision is enforced from the isolated environment rather than from ordinary kernel code, it does not depend on software that tries to detect malware after the fact, which is never 100% accurate. Device Guard is an allow list: it does not recognise malware, it simply refuses to run code that is not on the list.

This level of isolation should stop malware in its tracks, since it is not allowed to execute, even if the attacker already has kernel-level control of the Windows instance on which Device Guard is running: the policy and the service that enforces it are outside the kernel's reach. The caveat is that it does not protect against misuse of code the policy already trusts, for example a script interpreter or an installer that the policy allows.

According to Microsoft, this makes the system more secure than traditional anti-virus, and more secure even than application control technologies like Bit9 and AppLocker, which can be tampered with, either by malware or through system administration.

Required Hardware and Software for Device Guard

In order to use Device Guard, you will need the following hardware and software, configured together:

• Windows 10 Enterprise (Device Guard is not available in the Home or Pro editions)
• UEFI Secure Boot, which protects the integrity of the boot process at the firmware level
• Trusted Boot, which helps protect against rootkit-level attacks
• A 64-bit CPU with virtualization extensions (Intel VT-x or AMD-V) and second-level address translation, so that Hyper-V can run
• Virtualization-based Security, the Hyper-V protected container that isolates the Windows 10 code integrity processes
• The Package Inspector tool, which helps create the list of files that must be signed or catalogued for classic Windows applications

Why Use Device Guard?

Every single day, thousands of new malicious files are created, and the traditional method of fighting malware with signature-based detection is no longer adequate. With Device Guard that malware cannot run, because the binaries that carry it are not trusted. Up to and including Windows 8.1, an application was trusted by default unless a firewall or anti-virus blocked it; with Device Guard on Windows 10, an application will not run unless it is trusted first.

Device Guard also helps against zero-day attacks and polymorphic malware: the unsigned or unknown payload that an exploit tries to drop and execute is refused regardless of how it has been mutated. It does not patch the vulnerability the exploit uses, so patching still matters.

In an enterprise setting, a code integrity policy must be created to define which applications are trusted. In addition, specific software and hardware configurations are required:

• UMCI, User Mode Code Integrity
• Kernel code integrity rules that include WHQL (Windows Hardware Quality Labs) signing constraints
• Secure Boot with db/dbx database restrictions
• OPTIONAL: virtualization-based security, to protect kernel-mode code, system memory and drivers from tampering
• OPTIONAL: TPM 2.0

Before you can use Device Guard, you enable the virtualization-based security feature on capable devices, make sure that the code integrity policy is configured, and then configure any other settings you require for Windows 10. After that, Device Guard works like this:

1. The device boots with UEFI Secure Boot. The firmware verifies the signature on the Windows boot manager, so a bootkit that has replaced it is not started, and Windows 10 starts first.

2. Once safely started, Windows 10 launches the Hyper-V virtualization-based security features, including kernel-mode code integrity. These protect the Windows kernel, privileged drivers and the system's anti-malware solution by preventing unsigned or untrusted code from running in the boot process or in the kernel once the device has started.

3. Using UMCI, Device Guard checks that everything meant to run in user mode is trusted, whether a classic Windows application, a Universal Windows Platform app or a service. Only trusted binaries are allowed to run.

4. The TPM, which has been recording measurements since power-on, provides a hardware component isolated from everything else for storing keys and boot measurements. This protects certificates and user credentials from attack or theft.
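The policy lifecycle those steps depend on, as an added PowerShell example that is not from the page or from Microsoft's documentation. It uses the ConfigCI cmdlets that ship with Windows 10 Enterprise to build a code integrity policy from a clean reference machine, deploy it in audit mode, review what the policy would have blocked, and only then switch to enforcement. The folder C:\CI, the scan of the whole system drive and the 24-hour audit window are assumptions; run it elevated on a reference image rather than a production workstation.

```powershell
$Dir       = 'C:\CI'
$PolicyXml = "$Dir\InitialPolicy.xml"
$AuditXml  = "$Dir\AuditAdditions.xml"
$MergedXml = "$Dir\MergedPolicy.xml"
$PolicyBin = "$Dir\SIPolicy.p7b"
New-Item -ItemType Directory -Path $Dir -Force | Out-Null

# 1. Build the allow list from a reference machine.
#    -Level Publisher trusts the signing certificate chain, so the same publisher's
#    updates keep working; -Fallback Hash pins anything unsigned by file hash;
#    -UserPEs includes user-mode binaries (UMCI); without it only kernel mode is covered.
New-CIPolicy -FilePath $PolicyXml -ScanPath 'C:\' -Level Publisher -Fallback Hash -UserPEs

# 2. Start in audit mode. Rule option 3 is "Enabled:Audit Mode": violations are
#    logged to the CodeIntegrity event log but nothing is blocked.
Set-RuleOption -FilePath $PolicyXml -Option 3

# 3. Compile to the binary format Windows loads at boot and deploy it.
ConvertFrom-CIPolicy -XmlFilePath $PolicyXml -BinaryFilePath $PolicyBin
Copy-Item $PolicyBin "$env:SystemRoot\System32\CodeIntegrity\SIPolicy.p7b"
# Reboot, then let the machine run its normal workload for a while.

# 4. Review what would have been blocked. Event 3076 is the audit-mode record
#    of a binary that did not meet the policy; 3077 is an enforced block.
function Get-CiAuditFindings([int]$Hours = 24) {
    $filter = @{ LogName   = 'Microsoft-Windows-CodeIntegrity/Operational'
                 Id        = 3076
                 StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Message
}
Get-CiAuditFindings | Format-Table -Wrap

# 5. Fold legitimate audit findings into the policy (review them first: anything
#    merged here is trusted for good), then remove the audit option to enforce.
New-CIPolicy -FilePath $AuditXml -Audit -Level Publisher -Fallback Hash -UserPEs
Merge-CIPolicy -PolicyPaths $PolicyXml, $AuditXml -OutputFilePath $MergedXml
Set-RuleOption -FilePath $MergedXml -Option 3 -Delete
ConvertFrom-CIPolicy -XmlFilePath $MergedXml -BinaryFilePath $PolicyBin
Copy-Item $PolicyBin "$env:SystemRoot\System32\CodeIntegrity\SIPolicy.p7b"
# Reboot again; from here on, anything outside the policy is refused.
```

The order matters: a policy built from a reference image and enforced straight away tends to block line-of-business tools that were not on that image, and the audit pass is what catches them. An unsigned policy like this one can still be removed by an administrator who deletes SIPolicy.p7b and reboots; signing the policy closes that hole, at the cost of needing a signed policy update whenever it has to change.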

Enterprise Data Protection (EDP)

Microsoft also has a new DLP (data loss prevention) system. (EDP was later renamed Windows Information Protection, WIP, which is the name to search for in current documentation.)

While consumers can use it, it is aimed mainly at corporations, because of the large number of employee-owned devices now in use under the BYOD (Bring Your Own Device) banner.

With so many of these devices, the risk of accidental data disclosure is much higher than it ever was, largely because of the number of external apps and services also in use on the device, outside the control of the enterprise.

This includes email, social media and cloud services, and all the applications we use on our mobile devices every day.

Yes, there are solutions that attempt to address this by asking employees to switch between containers for personal and corporate use, but that is not a very efficient way of working.

The new feature in Windows 10 is called EDP, Enterprise Data Protection, and it offers a much better user experience while, at the same time, helping to keep personal and corporate activities separate.

EDP helps protect corporate apps and data from the risk of disclosure without asking users to change the way they work.

Furthermore, in conjunction with RMS (Rights Management Services), EDP can also protect corporate data beyond the device, when the data is roaming or being shared.

How Does EDP Work?

Enterprise Data Protection is designed to address everyday workplace challenges such as:

• Preventing leaks of enterprise data
• Maintaining enterprise data privacy
• Managing apps that are not policy-aware, in particular on mobile devices
• Protecting enterprise data on employee-owned devices that cannot be fully locked down

Levels of Protection

EDP can be set to four different levels of protection:

Block: EDP looks for data sharing that is not appropriate and stops the employee from completing the share.

Override: EDP looks for inappropriate data sharing and warns the employee that they are about to do something against policy. The employee can override the warning and share the data anyway, but the action is recorded in the audit log.

Audit: EDP runs quietly in the background, logging all data sharing and flagging anything inappropriate. It blocks nothing; it only monitors and records. This is the mode to start with, because it shows which apps and destinations your policy would interfere with before anyone is actually blocked.

Off: EDP is not active and does not protect any of your data.

EDP Allows Better Workflow

Because employees no longer have to switch between environments or apps to protect enterprise data, workflow is uninterrupted and productivity can increase significantly.

An example would be an employee checking their corporate email account and receiving a personal email. Instead of having to exit the corporate account, both messages appear on screen together.

Changing the Protection Levels on Documents

Employees have the ability to change the protection level set on a document under Enterprise Data Protection.

They can only do this if the document is a personal one that has been incorrectly marked as enterprise. Doing so requires a deliberate action on the employee's part, and the action is logged for management to see.

Enterprise Data Security

Enterprise admins need to be able to maintain the confidentiality and security of their data. With Enterprise Data Protection, you can make sure that corporate data is protected on employee-owned devices, even when the device is not in use.

When employees create content on their devices, they are asked to define whether it is personal or corporate data; if it is corporate, it is immediately brought under local data protection.

Wipe Enterprise Data Remotely

EDP also gives managers the option of remotely wiping all corporate data from a device that is managed by the corporation and used by the employee, without touching any of the personal data on that device. This is of huge benefit when a device is stolen or an employee leaves the company.

Corporate documents are stored locally on the device and are encrypted with a key tied to the enterprise identity.

When you want to wipe the device, you go through a verification process, after which a command is sent through the mobile device management system to remotely wipe the data. The next time the device connects to a network, the data is removed and the encryption keys are irretrievably revoked. Note the dependency: a device that stays offline keeps its encrypted corporate data until it next checks in, so in the meantime it is the local encryption, not the wipe command, that protects the data.

This only happens on devices that have been specifically targeted; all other devices continue to work normally.

Copying or Downloading Enterprise Data

When data is downloaded from a corporate source such as SharePoint or Office 365, it is classified as enterprise data and encrypted before it is stored locally.

The same applies to any data copied from the enterprise to a USB flash drive. Because the data is already marked as enterprise data, the encryption follows the data to the new storage device.

Privileged Apps and Restrictions

With Enterprise Data Protection, you control which apps can and cannot access enterprise data.

Those that can are added to a "privileged" app list and are allowed to access and use enterprise data. Anything not on the list is classified as personal and is blocked from accessing enterprise data, depending of course on the level of protection you have set.

Privileged apps behave differently from personal, non-privileged apps. When a user wants to copy and paste enterprise data, a privileged app allows it; a non-privileged one does not.

Should a person try to copy enterprise data into a non-privileged app, they see a notification advising that policy restrictions are in place and the action could not be completed.

Persistent Data Encryption

Enterprise Data Protection keeps your data protected even when it roams. Apps such as OneNote and Office work in conjunction with EDP to persist the encryption across services and locations.

For example, an employee opens EDP-protected content in Outlook, makes some changes and then tries to save it under a new name in an attempt to shed the protection.

That does not work, because Outlook automatically applies EDP to the new version of the document, so the data stays encrypted.

Helps Prevent Accidental Data Sharing

EDP also helps protect corporate data from being accidentally shared in public spaces such as consumer cloud storage. Say, for example, an employee saves a document in a folder called DOCUMENTS.

That folder is synced automatically by OneDrive. The OneDrive for Business client is on the privileged app list and may sync it, but the document is encrypted locally as enterprise data and the personal OneDrive client is not privileged, so the file will not be synced to the employee's personal cloud.

Data sharing also covers other devices. Under the old system it was possible for data to leak to another device while being transferred between them, for example when an employee saves corporate data onto a USB flash drive that also holds personal data.

With EDP, the corporate data on the drive is encrypted while the personal data remains in the clear. Because the encryption follows the data, it stays encrypted even if it is copied on to yet another device.

The Benefits of EDP

The benefits of EDP include:

• Protection against the leakage of enterprise data, with little to no impact on employees' working practices
• Separation of personal and corporate data with no need for employees to switch apps or environments
• Extra data protection for existing business apps without having to update them
• The ability to wipe all corporate data off a device while leaving personal data untouched
• Audit reports to help with tracking issues
• Full integration with your current management system or mobile device management system to configure, deploy and manage EDP for your corporation
• Extra protection while roaming or sharing data

Enterprise Scenarios

EDP addresses the following enterprise scenarios:

• Enterprise data can be encrypted on both employee-owned and corporate-owned devices
• Enterprise data can be wiped remotely without touching personal data
• Specific apps, called privileged apps, can be chosen to access enterprise data. These apps are clearly recognisable to employees. Non-privileged apps can be blocked from accessing enterprise data
• Employees do not need to switch between enterprise and personal apps, eliminating interruptions to workflow, provided enterprise policies have been put in place

Windows Defender

Windows 10 users will still need anti-malware software to protect against malware from other sources.

Device Guard is an allow list, available only on Enterprise hardware that has been configured for it; it decides whether code may run at all, and it does not inspect the behaviour of code it allows. Anti-malware is what covers the rest: documents, scripts and files that are not executable images, and malicious behaviour inside trusted programs.

Instead of taking the chance that users will forget to install a product, Microsoft includes Windows Defender, as it did in Windows 8. Defender is enabled automatically and runs silently in the background.

This ensures that, whether you opt for a third-party solution or not, you have at the very least a baseline of antivirus protection. Unlike Windows 7, Windows 10 will not complain if you choose to install a third-party product as well.

Instead, it simply disables Windows Defender and leaves the third-party product to protect the device. Should you later uninstall the third-party software, Windows Defender is re-enabled automatically, so the device is never left without some kind of malware protection.

Defender, the successor to Microsoft Security Essentials, runs quietly, scanning each file as you access it and before it is opened.

If it finds malware or anything else that could threaten your machine and your data, it cleans it up and quarantines the offending file automatically.

You get a notification that Defender has detected malware and is taking the necessary action to clean it up. The antivirus definitions are updated automatically through Windows Update, and that process does not require a reboot.

Configuration and Exclusions

The settings for Windows Defender are integrated into Windows 10's new Settings app, reached from the Start menu under Settings > Update & security. By default, real-time protection, cloud-based protection and sample submission are all enabled. If you disable real-time protection for any reason, Windows Defender will turn it back on automatically after a while, to keep you protected.

Cloud-based protection and sample submission let Defender share information about what it finds, along with the suspicious file itself, with Microsoft. This keeps the definitions up to date and lets Microsoft keep improving its detection.

From the same page you can also set up exclusions: specific files, file types, folders and processes.

If, for example, Defender is slowing down your device because it keeps scanning apps or files that you know to be safe, you can set an exclusion and tell it not to scan them.

Exclusions should be used only when absolutely necessary. Too many of them render Defender useless and leave the device open to all kinds of threats, and the exclusion list is itself a target: malware that gains administrator rights can read it and drop its payload in an excluded folder, and the list is visible to anyone who can run Get-MpPreference on the machine, so it also tells an attacker where to stage files. Keep exclusions narrow (a single folder or process, never a whole drive or an executable file type) and review them periodically.
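Reviewing those settings from an elevated prompt rather than the Settings app, as an added PowerShell example that is not code from the page or from Microsoft. It uses the Defender module that ships with Windows 10 to report the effective protection state, flag exclusions of the kind warned about above, and correct the common misconfigurations. The risky-pattern list and the sample exclusion path C:\Build\Out are assumptions for the demonstration.

```powershell
function Get-DefenderPosture {
    $status = Get-MpComputerStatus
    $pref   = Get-MpPreference
    [pscustomobject]@{
        AntivirusEnabled   = $status.AntivirusEnabled
        RealTimeProtection = $status.RealTimeProtectionEnabled
        SignatureAgeHours  = [int]((Get-Date) - $status.AntivirusSignatureLastUpdated).TotalHours
        CloudProtection    = $pref.MAPSReporting         # 0 Disabled, 1 Basic, 2 Advanced
        SampleSubmission   = $pref.SubmitSamplesConsent  # 0 AlwaysPrompt, 1 SendSafeSamples, 2 NeverSend, 3 SendAllSamples
        ExcludedPaths      = @($pref.ExclusionPath)
        ExcludedExtensions = @($pref.ExclusionExtension)
        ExcludedProcesses  = @($pref.ExclusionProcess)
    }
}

function Find-RiskyExclusions {
    # Patterns an attacker would love: whole drives, user-writable staging
    # folders, executable file types, and script hosts whose file reads go unscanned.
    $pref = Get-MpPreference
    foreach ($p in @($pref.ExclusionPath)) {
        if ($p -match '^[A-Za-z]:\\?$') { "path '$p' excludes an entire drive" }
        elseif ($p -match '(?i)\\(Temp|Downloads|Public|ProgramData|AppData)(\\|$)') {
            "path '$p' is user-writable and a common malware drop point"
        }
    }
    foreach ($e in @($pref.ExclusionExtension)) {
        if ($e -match '(?i)^\.?(exe|dll|scr|ps1|vbs|js|bat|cmd)$') {
            "extension '$e' excludes executable content outright"
        }
    }
    foreach ($x in @($pref.ExclusionProcess)) {
        if ($x -match '(?i)^(powershell|cmd|wscript|cscript|rundll32)(\.exe)?$') {
            "process '$x' is a living-off-the-land host; files it opens are not scanned"
        }
    }
}

Get-DefenderPosture
Find-RiskyExclusions

# Remediation (elevated). Exclude one build output folder, not the drive it sits on;
# re-enable real-time protection; keep cloud lookups and sample submission on;
# pull fresh definitions and list what has been caught so far.
Add-MpPreference -ExclusionPath 'C:\Build\Out'
Set-MpPreference -DisableRealtimeMonitoring $false -MAPSReporting Advanced -SubmitSamplesConsent SendAllSamples
Update-MpSignature
Get-MpThreatDetection | Select-Object InitialDetectionTime, ProcessName, Resources
```

Find-RiskyExclusions returns nothing on a clean machine, which is the desired state; each line it does return is a decision to revisit with whoever added it. SampleSubmission NeverSend with CloudProtection Disabled is a legitimate choice in environments with confidentiality constraints, but it should be a deliberate one, because it removes the cloud lookup that catches new samples before a definition exists.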

UEFI

The Unified Extensible Firmware Interface, or UEFI, is the modern replacement for the BIOS traditionally used to start up a computer, and Secure Boot is a UEFI feature. Secure Boot is designed to shut out low-level malware by having the firmware verify the digital signature of the boot loader (and the boot loader, in turn, the components it loads) against keys stored in the firmware, so that a tampered or unknown boot loader is refused before it can take over the boot process.

In the past, vendors that wanted the "Designed for Windows" certification had to have UEFI Secure Boot on their hardware. To accommodate users of other systems such as Linux, Microsoft required them to include a toggle that allows the user to turn Secure Boot off, at least for x86 hardware. This let users open the door and install whatever they chose on their computers.

For Windows 10, Microsoft had originally said that it would no longer require the on/off toggle and that all new hardware must ship with UEFI Secure Boot enabled. It now transpires that, while Secure Boot must be enabled on all new Windows 10 hardware, OEMs may choose whether to let the end user disable it. That applies only to desktop and laptop machines; for Windows 10 Mobile retail devices, no option to disable Secure Boot is included. The aim is to limit the possibility of a modified boot loader being installed by users who dual-boot an alternative operating system.

At the time of writing, Microsoft has not finalized its specifications, so the decision to leave the toggle to the OEM may still change.

Advanced Threat Analytics

Security attacks today are more persistent, frequent and sophisticated than ever before.

Whatever device you are using, it is safer to assume that you have been breached and that attackers may already be inside your systems than to go blindly about your work ignoring potential threats.

The following statistics, as cited by Microsoft, tell a sobering story:

• 200+ days: it is not unusual for attackers to remain inside a network for this long without detection. They can do this because they take advantage of user accounts, privileged or otherwise, and hide inside the network. Finding and stopping them, and preventing others from attacking the system, takes sophisticated technology.
• 75%+: the percentage of network intrusions that result from compromised user credentials.
• $500 billion: the estimated cost of cybercrime to the global economy.
• $3.5 million: the average cost to a company of a data breach.

This is why Microsoft has introduced Advanced Threat Analytics, or ATA. ATA is an on-premises threat analytics product (a separate product rather than a component of Windows 10) that works to detect threats and abnormal behaviour before they can cause damage.

To illustrate how it works, say you have a credit card and your provider monitors your spending behaviour.

If there is any suspicious activity, or activity outside your normal pattern, the provider contacts you to verify that the activity was yours. They may also place a temporary stop on the card while they verify it. That is the concept Microsoft wants to bring to enterprise users.

The benefits of ATA are:

• Threats are detected through behavioural analysis of users, monitoring how they use the system and alerting when there is a change to that pattern that looks suspicious.
• ATA is constantly evolving, learning from user behaviour and adapting to changes within a dynamic organization.
• It uses a simple attack timeline to focus on what is important, monitoring and drawing attention to the right things at the right time. It provides the who, when and where of the attack, and recommendations for the next step.
• ATA also identifies known risks and alerts the right people: weak passwords, broken trusts, weak and vulnerable protocols, and so on.
• ATA reduces the risk of false positives.

How Does It Work?

After ATA is installed, a port-mirroring configuration copies all Active Directory traffic to and from the domain controllers to the ATA Gateway. This is passive: in this configuration nothing is installed on the domain controllers and nothing is injected into the traffic, so the monitoring is invisible to an attacker watching the network. ATA then analyses the data and can work with your SIEM (Security Information and Event Management) system to correlate related traffic and relevant events. All the information is stored locally, on-premises, by ATA and never leaves the organization.

The ATA detection engine begins by learning and profiling the behaviour of all users, and then uses machine learning to build a picture of everyday activity.

Once it is familiar with normal behaviour, it begins to look for anomalies and strange behaviour.

When these arise, it raises a red flag and alerts the security team, once the system has compared and aggregated the anomaly with its near real-time detection of security breaches and advanced attacks to build the attack timeline.

This also reduces the chance of false positives and better identifies malicious attacks.

Microsoft ATA is a non-intrusive system that works quietly in the background without being noticeable to an attacker.

Virtual Secure Mode

Windows 10 is made up of a number of different containers, one of which houses the actual operating system. The credentials that let you authenticate to your company network, the Active Directory secrets that the LSA authentication service uses (NTLM password hashes and Kerberos keys and ticket-granting tickets), are housed in a separate container that runs alongside Windows on top of the Hyper-V hypervisor.

Those secrets are the target of a large share of "Pass the Hash" attacks. Once an attacker has the hash, they have your identity, which is as good as having your password. An attacker who has gained administrative privileges on a machine can run a tool that reads the secrets out of the LSA process memory, and once they have them they can move around the network and access servers without ever needing a password.

Microsoft has made things more difficult for them by taking those secrets out of the software process where they were previously stored, where they were exposed to malware running with administrative rights, and locking them in a container. Once inside that container, not even Windows itself has access to them, so they stay protected even if the Windows kernel is compromised.

The container does not hand out the hashes or keys. When Windows needs to authenticate, it asks the container to perform the operation and receives only the result (an NTLM response or a Kerberos ticket), never the long-term secret, so what can be captured from the Windows side cannot be reused to impersonate the user indefinitely. NTLM hashes are removed from the ordinary logon process and handled only inside the container.

That container is called VSM, Virtual Secure Mode.

VSM is, in effect, a minimal operating system, a small secure kernel running in its own virtual machine. It needs about 1 GB of memory and has just enough capability to run the isolated part of the LSA service needed for authentication. It has little to no effect on device performance, but you do need Windows 10 Enterprise, the next version of Windows Server on your Active Directory domain controllers, and a CPU with support for hardware virtualization. In brief:

• Virtual Secure Mode isolates the sensitive processes into a Hyper-V protected container
• VSM runs a secure kernel and trustlets (isolated LSA is one) inside that container
• VSM protects the secure kernel and the trustlets even when the Windows kernel is compromised, keeping those secrets safe
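A check of whether a given machine actually has these protections on, covering both the Secure Boot requirement from the UEFI section and the VSM / Credential Guard state from this one, as an added PowerShell example that is not from the page or from Microsoft. It reads the firmware state with the SecureBoot module and the virtualization-based security state from the Win32_DeviceGuard WMI class that Windows 10 exposes; the numeric code tables are Microsoft's documented values, and the verdict thresholds are an assumption. Run it elevated.

```powershell
$ServiceNames  = @{ 1 = 'CredentialGuard'; 2 = 'HVCI' }
$PropertyNames = @{ 1 = 'BaseVirtualizationSupport'; 2 = 'SecureBoot'; 3 = 'DmaProtection';
                    4 = 'SecureMemoryOverwrite'; 5 = 'UefiCodeReadonly'; 6 = 'SmmSecurityMitigations';
                    7 = 'ModeBasedExecutionControl' }

function Get-PlatformSecurityStatus {
    # Confirm-SecureBootUEFI throws on legacy BIOS machines; treat that as "not UEFI".
    $secureBoot = $null
    try { $secureBoot = Confirm-SecureBootUEFI } catch { }
    $dbxBytes = $null
    try { $dbxBytes = (Get-SecureBootUEFI -Name dbx).Bytes.Length } catch { }

    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    $decode = { param($codes, $table)
        @($codes | ForEach-Object { if ($table[[int]$_]) { $table[[int]$_] } else { "Unknown($_)" } }) }

    [pscustomobject]@{
        SecureBoot         = $secureBoot                      # $true / $false / $null = legacy BIOS
        ForbiddenSigsBytes = $dbxBytes                        # 0 or $null: no revocation list loaded
        VbsStatus          = @('Off', 'Configured', 'Running')[[int]$dg.VirtualizationBasedSecurityStatus]
        ServicesConfigured = & $decode $dg.SecurityServicesConfigured $ServiceNames
        ServicesRunning    = & $decode $dg.SecurityServicesRunning $ServiceNames
        HardwareAvailable  = & $decode $dg.AvailableSecurityProperties $PropertyNames
        IsolatedLsaRunning = [bool](Get-Process -Name LsaIso -ErrorAction SilentlyContinue)
    }
}

function Test-CredentialGuardPosture {
    $s = Get-PlatformSecurityStatus
    $gaps = @()
    if ($s.SecureBoot -ne $true)                            { $gaps += 'Secure Boot is off or the firmware is legacy BIOS' }
    if ($s.VbsStatus -ne 'Running')                         { $gaps += "VBS is $($s.VbsStatus); the hypervisor is not protecting LSA" }
    if ($s.ServicesRunning -notcontains 'CredentialGuard')  { $gaps += 'Credential Guard is not running; hashes still live in lsass.exe' }
    if ($s.ServicesRunning -notcontains 'HVCI')             { $gaps += 'HVCI is off; unsigned kernel code can still load' }
    if ($s.HardwareAvailable -notcontains 'DmaProtection')  { $gaps += 'no IOMMU/DMA protection: a DMA-capable device can read VSM memory' }
    [pscustomobject]@{ Status = $s; Gaps = $gaps; Ready = ($gaps.Count -eq 0) }
}

Test-CredentialGuardPosture | Format-List
```

On a machine that meets the section's requirements, VbsStatus is Running, ServicesRunning contains CredentialGuard and IsolatedLsaRunning is True, which is the observable difference from a machine where the same hashes still sit in lsass.exe. A Configured-but-not-Running state usually means the hardware prerequisites (VT-x/AMD-V, SLAT, Secure Boot) are missing or the machine has not rebooted since the policy was applied.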

Microsoft Virtualization Strategy and Security

For the last ten years or so, one of the biggest topics in the IT industry has been virtualization, mainly because of the sheer number of benefits it brings for IT staff.

It brings better hardware utilization while offering enough scalability to avoid performance problems. There is also the ability to migrate virtual machines and cut down on downtime, and finally the convenience of deploying new virtual machines quickly, manually or automatically, which reduces the IT department's workload.

Microsoft has a goal in mind: what Hyper-V has done for server deployment and management, it wants to do for the whole datacenter. To do that, it wants to bring the whole structure down to the software level, which gives users the ability to automate many more aspects of the datacenter and gain much more efficiency.

OverthelastfewversionsofWindowsServer,MicrosofthascomealongwayinimprovingHyper-V and bringing it up, together with the supporting technologies, to a software-defineddatacenter,packedwithusefulfeatures.Thosefeaturescovereverysingleaspectofthedatacenter–networking,storage,andcompute.

The last two versions of Windows Server introduced Storage Spaces, IP AddressManagement and multi-tenant site-to-site VPNs. Server 2016 is building on those andbringingadditionalfeatureslikeStorageReplica.

Security Improvements

Windows Server 2016 also addresses a number of security issues in Hyper-V, with features designed to give virtual machines more protection and to stop malware, rogue administrators and other attack vectors in their tracks.

Microsoft is well aware that one of the biggest reasons the cloud has not been adopted as widely as it hoped is corporate trust. It is now determined to prove to everyone, corporate and consumer alike, that cloud solutions can offer data center security at least comparable to, if not better than, what came before.

Windows Server 2016 also supports a virtual TPM that can be enabled and configured for a Generation 2 virtual machine.

The main benefit is that BitLocker can then be enabled inside guest virtual machines, which stops unauthorized access to the files, or to the system, contained in the virtual disks, even if the VHD files themselves are copied off the host.


Shielded Virtual Machines in Server 2016 are another security feature; they allow a guest virtual machine to be protected from the host server's administrator.

In this scenario, an administrator can still stop or start a shielded VM, but cannot alter its configuration, see what is on its virtual disks, attach to its console or view the processes that the guest OS is running.

This is the ideal solution for large environments that do not want the management side to see what is on a customer's virtual machine, or for industries that operate a need-to-know policy or strictly enforced separation of duties.

Enterprise Mobility – Identity in the Enterprise

Right now, managing identities within the enterprise is cumbersome. Windows 10 is intended to change that and to make enterprise mobility workable. The situation today is as follows: users want to access everything, from anywhere and from any device, while management wants to control everything and keep data secure and protected. This becomes hard when end users keep the same login details, and the same password, for every site they visit. That may be easy to start with, but it falls apart when one site demands a password change, then another, and another, and the end user has to remember all of the different passwords. So in steps the HR department, company credit card in hand, and buys the latest software to manage everything. Then they have a problem: security. They come to the IT department, confess what they have done, and hand over the problem to be solved.

That is where Windows 10 changes things. Identity is the foundation of an enterprise mobility strategy. Most businesses already have an on-premises identity strategy, use Active Directory and other directories, and have their firewalls set up. They also reach cloud apps on a separate infrastructure. Windows 10 brings something a little different and a good deal better.

It is called Azure Active Directory, and it brings on-premises and cloud access together in one place. One connection joins the two, and Windows 10 provides the tools needed to make it. What Azure Active Directory gives enterprise users is a single sign-on that grants access to everything they need. Before going any further, a minute on what Azure Active Directory actually is.


AAD is an identity and access management solution that combines:

• Directory services
• Advanced identity governance
• App access management
• A standards-based platform for developers

Azure AD lets your users reach thousands of apps through a single sign-on. Better still, it lets you pick and choose which apps each user can access, through a number of different options. AAD is:

• Easy to use. It gives enterprises a simple way of managing identity and access to organizational apps and services, both on-premises and in the cloud. More than 2,000 apps are already pre-integrated, and it is easy to integrate your own apps with the single sign-on support.

• Designed to empower users by letting them sign in with either a work or a personal account for access to on-premises web and cloud applications. With self-service capabilities, they can also perform many of their own administrative tasks without contacting the help desk.

• Designed with enhanced security in mind. Your enterprise can protect on-premises and cloud data by ensuring that the right access is granted. You can also monitor the system for anomalous activity and detect and deal with potential threats.

• Set up for hybrid identities. This lets you integrate on-premises directories and give workers secure, consistent access to corporate resources with a single organizational account. AAD can be used to enhance on-premises infrastructure with self-service, security tools and built-in app connectivity.

• Set up to provide comprehensive reporting and analytics that enhance your security, let you monitor usage and show the performance of your environment.

Cloud App Discovery

Cloud App Discovery lets you monitor the cloud apps in use in your organization. In the average enterprise, there are about ten times more cloud apps in use than the IT department realizes. Cloud App Discovery shows you exactly which apps are being used, who is using them and how often. You can export the details from its reports directly to a reporting tool, include them in your regular reports, and use them for data analysis.

Managing Your Directory on the Cloud

Another useful feature that works with AAD is Microsoft Identity Manager, which lets you manage your on-premises identities and connect and share on-premises directories with Azure. There are already more than 2,400 SaaS apps in the gallery, and more can be integrated and added as needed, including apps published through the AAD Application Proxy. Because AAD sits in the middle, all of these apps and directories can be reached on-premises and from mobile devices.

AAD Application Proxy includes a connector that automatically links it to the cloud, allowing seamless syncing. AAD also includes a comprehensive identity and access management console that provides centralized access administration for all apps, both pre-integrated and other cloud-based ones. This makes life much easier for the end user, because the admin can:

• Put users in groups and give groups access to different sets of apps.
• Set up enterprise accounts for certain apps (one account, multiple users) where only the admin knows the login details. This prevents accidental sharing of credentials.
• Provision or de-provision users. If a user leaves a particular group, or leaves the organization completely, he or she is automatically de-provisioned, cancelling access to all of these apps.

There are also other built-in security features that protect enterprise apps, namely:

• Security reporting that monitors for and detects inconsistent access patterns and raises alerts.

• The option for an admin to step an app up to multi-factor authentication. If there is doubt that a user is who they say they are, an extra step can be added to the authentication process that blocks access until it has been completed successfully. The step can be a phone call or a text message.

• Access policies that depend on the state of a user's device, their location and their group membership.
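The last three bullets describe a detection step feeding an access decision. The Go program below is an added example written for this chapter, not Azure AD's code or Microsoft's detection logic. It replays a constructed sign-in log, flags two of the inconsistent access patterns the first bullet refers to (a country change too fast to be travel, and a burst of failed attempts immediately followed by a success), and then applies a policy of the kind the last two bullets describe, where device state, group membership and the detected risk decide between allowing the sign-in, stepping it up to MFA and blocking it. The log format, the two-hour travel window, the three-failure threshold and the group names are assumptions made for the example.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// SignIn is one parsed event; the CSV layout below is constructed for this example, not Azure AD's schema.
type SignIn struct {
	At                       time.Time
	User, IP, Country, Group string
	Managed, Success         bool // Managed: the device is MDM-enrolled and compliant
}

type Decision string

const Allow, RequireMFA, Block, Failed Decision = "allow", "require_mfa", "block", "failed_signin"

// sampleLog is constructed: alice hops GB->BR in 30 minutes, bob succeeds right after three
// failures on an unmanaged device, and carol reaches a sensitive group from an unmanaged device.
const sampleLog = `
2015-09-01T08:00:00Z,alice,198.51.100.7,GB,managed,finance,ok
2015-09-01T09:10:00Z,alice,198.51.100.7,GB,managed,finance,ok
2015-09-01T09:40:00Z,alice,203.0.113.9,BR,managed,finance,ok
2015-09-01T10:00:00Z,bob,192.0.2.5,GB,unmanaged,sales,fail
2015-09-01T10:01:00Z,bob,192.0.2.5,GB,unmanaged,sales,fail
2015-09-01T10:02:00Z,bob,192.0.2.5,GB,unmanaged,sales,fail
2015-09-01T10:03:00Z,bob,192.0.2.5,GB,unmanaged,sales,ok
2015-09-01T11:00:00Z,carol,192.0.2.8,GB,unmanaged,finance,ok`

// parseLog reads "RFC3339,user,ip,country,managed|unmanaged,group,ok|fail" lines.
func parseLog(raw string) ([]SignIn, error) {
	var out []SignIn
	for _, line := range strings.Split(strings.TrimSpace(raw), "\n") {
		f := strings.Split(strings.TrimSpace(line), ",")
		at, err := time.Parse(time.RFC3339, f[0])
		if len(f) != 7 || err != nil {
			return nil, fmt.Errorf("malformed line %q: %v", line, err)
		}
		out = append(out, SignIn{at, f[1], f[2], f[3], f[5], f[4] == "managed", f[6] == "ok"})
	}
	return out, nil
}

// riskReasons replays the history in order and records, per event index, the anomalies at each
// successful sign-in: a country change faster than travelWindow, or at least `burst` failed
// attempts immediately before the success (the classic guessing-then-success pattern).
func riskReasons(events []SignIn, travelWindow time.Duration, burst int) map[int][]string {
	reasons := map[int][]string{}
	last, failures := map[string]SignIn{}, map[string]int{} // per user: previous success, failures since
	for i, e := range events {
		if !e.Success {
			failures[e.User]++
			continue
		}
		if failures[e.User] >= burst {
			reasons[i] = append(reasons[i], "failure burst before success")
		}
		if prev, ok := last[e.User]; ok && prev.Country != e.Country && e.At.Sub(prev.At) < travelWindow {
			reasons[i] = append(reasons[i], "impossible travel")
		}
		failures[e.User], last[e.User] = 0, e
	}
	return reasons
}

// decide applies the access policy: an unmanaged device reaching a sensitive group is blocked;
// any anomaly, or an unmanaged device elsewhere, steps the sign-in up to MFA; otherwise allow.
func decide(e SignIn, reasons []string, sensitive map[string]bool) Decision {
	switch {
	case !e.Success:
		return Failed
	case sensitive[e.Group] && !e.Managed:
		return Block
	case len(reasons) > 0 || !e.Managed:
		return RequireMFA
	}
	return Allow
}

// evaluate runs detection then policy with this example's parameters: a two-hour travel
// window, a burst of three failures, and "finance" as the only sensitive group.
func evaluate(raw string) ([]Decision, map[int][]string, error) {
	events, err := parseLog(raw)
	if err != nil {
		return nil, nil, err
	}
	reasons, decisions := riskReasons(events, 2*time.Hour, 3), make([]Decision, len(events))
	for i, e := range events {
		decisions[i] = decide(e, reasons[i], map[string]bool{"finance": true})
	}
	return decisions, reasons, nil
}

func main() {
	decisions, reasons, err := evaluate(sampleLog)
	fmt.Println(decisions, reasons, err)
}
```

Run against the constructed log, alice's Brazil sign-in and bob's post-burst sign-in come back as require_mfa and carol's is blocked; everything else is allowed or was a failed attempt. The same replay over real sign-in reports is what the auditing described later in this chapter amounts to.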


How Microsoft Windows 10 Will Protect Your Data

As well as protecting your identity, an area where Microsoft is making great strides, it is also working hard on new ways to protect your data and information.

After identity, theft of data is the next most serious concern for consumers and organizations alike. Current security systems cover only part of an IT estate, and even that part is not fully protected.

Every time you switch on a computer or Windows mobile device, access the Internet or open an email, you run the risk of an attacker taking control. Microsoft intends to stop that with two upgraded systems.

Azure Rights Management and Information Rights Management

For data that leaves your device, Microsoft offers Azure Rights Management and Information Rights Management, both of which help prevent data loss from documents by attaching usage rights and encryption to the document itself.

As things stand, a user typically has to opt in to activate the protection these two services offer, and that leaves an enterprise with a problem: a gap through which data can leak, deliberately or inadvertently.

Azure Administrative Tasks

End users can perform many of their own administrative tasks by visiting http://myapps.microsoft.com, or through the relevant app on Android or iOS. There they can see how many apps they have access to, from any device. They can also see all of their managed devices and reset their own passwords without involving the IT department. Lastly, they can request access to apps and/or groups through the self-service options.

Azure Active Directory is embedded in Windows 10 and is available in three subscription tiers, depending on your needs: Free, Basic and Premium. Over the next year, Microsoft is investing more time and money in the following areas of AAD:

• Admin Units: the ability to split admin duties between groups
• Business-to-Business (B2B): a new feature that lets you share your resources with business partners through AAD
• B2C: identities for business-to-consumer scenarios
• Conditional Access: policies that grant, step up or block access based on the user, the state of the device and its location
• Privileged Identity Management: options to make admin access temporary rather than permanent
• AAD Join: AAD controls everything and is fully embedded in Windows 10


Data Protection in Azure

Global cyber-attacks are on the rise, and so are the costs associated with them. It is estimated that cybercrime extracts around 15-20% of the value created by the Internet.

In the last two years in the UK alone, more than 80% of large businesses and 60% of small ones reported a cyber-breach, and globally the number of reported security compromises rose by about 34% in 2014. The estimated cost of cyber-attacks, in lost growth and productivity, is thought to be around $3 trillion.

To protect their customers' data, Microsoft has built a number of security measures into Azure. By default, Azure provides strong protection, and there are further options that customers can choose to enable. First, data in transit.

By this I mean data sent and received between a user and the service, between data centers, and between users. Data that passes through the Microsoft Azure Portal or the storage API is automatically encrypted using HTTPS with strong ciphers. By default, FIPS 140-2 support is enabled to comply with government security standards.

Data imported or exported on physical drives is encrypted with BitLocker, which is built into Windows 10, and customer data moving between data centers and storage facilities is also encrypted.

Customers reaching data in a storage account or container have two options, HTTP and HTTPS; Microsoft recommends HTTPS because it is encrypted.

If a customer accesses or sends data from a web client, TLS should be used. TLS (Transport Layer Security) is the protocol that prevents third parties from intercepting or eavesdropping on data sent between applications and their Internet users.

Data at rest is data stored in one of a number of different containers. The containers for which Microsoft provides data protection options are listed below.

Virtual Machines – Windows/Linux

Azure Disk Encryption uses BitLocker for Windows and DM-Crypt for Linux. Virtual hard disks (VHDs) are encrypted for both Windows and Linux VMs. The customer can enable disk encryption on both the OS and the data volumes; the encryption keys are stored in Key Vault. This applies both to VMs created from the Azure Gallery and to VMs already running in Azure.

How It Works

• The customer uploads their encrypted VHD to their Azure storage account

• They provision their BitLocker encryption keys or Linux passphrase in their Key Vault and give the platform access so that it can provision the VM

• At this point, they opt in to disk encryption

• Azure Service Management updates the service model with the Key Vault and encryption configuration

• The platform provisions the encrypted VM

Key Vault Security

Everything revolves around Key Vault, because that is where the keys that protect your data are stored. The keys are kept in an isolated vault so that, should your storage container be compromised, only an encrypted image of your data can be stolen, and that is useless to a thief because the keys that unlock it are elsewhere.

It is important to note that:

• Only the customer controls access to the keys in their vault

• The customer can enable monitoring and logging, collecting the logs in their storage account, which shows who has accessed, or attempted to access, the vault

• Encrypted disks are stored in the customer's storage account, and Azure Storage replicates them automatically; the customer controls how many copies are made

• Azure has no default access to the vault; the customer must grant read or write permission explicitly

• Azure itself cannot use the disk encryption keys in the vault unless the customer has granted it that access

Azure Storage – Blobs, Tables, Queues

Client-side encryption lets users encrypt their data before it is uploaded to Azure and decrypt it again after download. Again, the keys are kept in Key Vault; the storage service never sees them and cannot decrypt any data. For cloud-integrated storage, all data is encrypted on-premises and backed up to Azure.

SQL Server and SQL Database


With Transparent Data Encryption (TDE), the entire contents of a database in storage are encrypted with a database encryption key, which is an AES-256 symmetric key.

That key is protected by a service-managed certificate held by the SQL Database server. The certificate is rotated on a 90-day cycle, after which a new one is produced, which lowers the chance of compromise through standing access.
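Key Vault, client-side storage encryption and TDE all use the same shape of key hierarchy: a per-item data-encryption key (DEK) encrypts the bytes, a key-encryption key (KEK) held elsewhere wraps the DEK, and rotating the KEK only re-wraps DEKs. The Go program below is an added example for this chapter, not Azure Key Vault, Azure Storage or SQL Server code. It models a vault that holds versioned AES-256 KEKs, never releases them, checks an access list on every wrap and unwrap call and writes an audit line for each call, denied ones included; the blob store then holds only ciphertext plus the wrapped DEK, so a copy of the store alone cannot be read, and older KEK versions stay available after a rotation so existing blobs still decrypt. AES-GCM is used for both layers. The principal names and the payroll plaintext are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}
// gcm builds AES-256-GCM; every key here is 32 bytes from randomBytes, so a failure is a bug.
func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	g, _ := cipher.NewGCM(block) // cannot fail: AES has the 16-byte block size GCM requires
	return g
}
// seal returns nonce||ciphertext||tag; open reverses it and rejects any change to data, tag or aad.
func seal(key, plaintext, aad []byte) []byte {
	g := gcm(key)
	nonce := randomBytes(g.NonceSize())
	return g.Seal(nonce, nonce, plaintext, aad)
}
func open(key, sealed, aad []byte) ([]byte, error) {
	if g := gcm(key); len(sealed) >= g.NonceSize() {
		return g.Open(nil, sealed[:g.NonceSize()], sealed[g.NonceSize():], aad)
	}
	return nil, errors.New("truncated ciphertext")
}

// Vault stands in for Azure Key Vault: versioned key-encryption keys (KEKs) that never leave it,
// wrap/unwrap only for principals on its access list, and one audit line per call, denied or not.
type Vault struct {
	keks  [][]byte // index = KEK version; Rotate appends, so DEKs wrapped earlier still unwrap
	acl   map[string]bool
	Audit []string
}

func (v *Vault) Rotate() int { v.keks = append(v.keks, randomBytes(32)); return len(v.keks) - 1 }

// kek hands KEK version ver to an authorized principal, logging the attempt either way.
func (v *Vault) kek(principal, op string, ver int) ([]byte, error) {
	allowed := v.acl[principal] && ver >= 0 && ver < len(v.keks)
	v.Audit = append(v.Audit, fmt.Sprintf("%s v%d by %s allowed=%v", op, ver, principal, allowed))
	if !allowed {
		return nil, fmt.Errorf("%s v%d denied for %s", op, ver, principal)
	}
	return v.keks[ver], nil
}

// Wrap encrypts a data-encryption key (DEK) under the newest KEK, binding the version as AAD.
func (v *Vault) Wrap(principal string, dek []byte) ([]byte, int, error) {
	ver := len(v.keks) - 1
	kek, err := v.kek(principal, "wrap", ver)
	if err != nil {
		return nil, 0, err
	}
	return seal(kek, dek, []byte(fmt.Sprint(ver))), ver, nil
}
func (v *Vault) Unwrap(principal string, wrapped []byte, ver int) ([]byte, error) {
	kek, err := v.kek(principal, "unwrap", ver)
	if err != nil {
		return nil, err
	}
	return open(kek, wrapped, []byte(fmt.Sprint(ver)))
}

// Blob is all the storage service holds: ciphertext plus a wrapped DEK it cannot open itself.
type Blob struct {
	Ciphertext, WrappedDEK []byte
	KEKVersion             int
}
// EncryptBlob is client-side encryption: a fresh DEK per blob, wrapped by the vault.
func EncryptBlob(v *Vault, principal string, plaintext []byte) (Blob, error) {
	dek := randomBytes(32)
	wrapped, ver, err := v.Wrap(principal, dek)
	return Blob{seal(dek, plaintext, nil), wrapped, ver}, err
}
func DecryptBlob(v *Vault, principal string, b Blob) ([]byte, error) {
	dek, err := v.Unwrap(principal, b.WrappedDEK, b.KEKVersion)
	if err != nil {
		return nil, err
	}
	return open(dek, b.Ciphertext, nil)
}

func main() {
	v := &Vault{keks: [][]byte{randomBytes(32)}, acl: map[string]bool{"payroll-app": true}}
	b, _ := EncryptBlob(v, "payroll-app", []byte("constructed payroll record"))
	_, denied := DecryptBlob(v, "storage-admin", b) // storage-side access alone cannot read it
	fmt.Println(b.KEKVersion, denied, v.Audit)
}
```

The vault's audit slice plays the role of the Key Vault logs the bullets above describe: it records the denied unwrap by the storage-side principal as well as the application's own calls, and a DEK wrapped under version 0 still unwraps after Rotate has added version 1, which is exactly why certificate rotation in TDE does not require re-encrypting the database.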

HDInsight uses Azure Storage and SQL Database encryption to protect your data, while the Azure Backup service uses Azure Disk Encryption to ensure that your backup data cannot be read if it is lost or stolen.

Access Control and Auditing

So Azure has encrypted and protected all of your data, and your keys are stored safely in a vault that only you can access. That is not all there is to it, though. Many of the fundamental security risks still exist on-premises.

Mitigate the Risk of Compromised Accounts

Weak authentication is the key security problem. Weak passwords, passwords that are written down or shared, and passwords that are stolen are the biggest way in for any attacker. Microsoft is looking to eradicate passwords and bring in multifactor authentication across the board.

All user accounts can be secured with Azure MFA, which works with both Azure Active Directory and Windows Server Active Directory Federation Services (AD FS), adding a second factor for identification, usually a text message or a phone call.

Users can also use existing PKI, smart cards or virtual smart cards, to protect their accounts through AD FS with the on-premises infrastructure.

Limiting Permissions

This is one of the hardest disciplines to establish, but permissions should follow the principle of least privilege: access is granted only when it is necessary for a specific role. Azure RBAC (Role-Based Access Control) now ships with around 20 built-in roles that can be assigned to users, headed by Owner, Contributor and Reader, and custom roles can be defined as well.


Owners have full access to a resource, including the right to delegate access to others; Contributors can create and manage resources but cannot grant access to anyone else; Readers can only view what exists and cannot make changes. Users within the enterprise, or within groups, can be given access to resources under one of those roles, which lets IT control who does what.

Privileged Accounts

Superuser accounts deserve special management because they carry a special risk. Just-In-Time (JIT) access can be enabled, removing the risk of an attack through standing permissions or standing access.

JIT gives a user admin access when they need it, for a limited period and only to the feature they need. Managers can also use Azure AD Privileged Identity Management (PIM).

That is where they can monitor the system, see who has access and who is requesting it, and set the policies that convert permanent access into temporary access.
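The RBAC roles above and the JIT activation just described fit one model: deny by default, grant by assignment at a scope, and treat a privileged assignment as merely eligible until it is activated for a bounded window. The Go program below is an added example for this chapter, not Azure's authorization code, and its three role definitions only summarize Azure's Owner, Contributor and Reader. It evaluates action strings against assignments with scope inheritance and expiry, lets an eligible principal activate a role for a fixed duration with a logged reason, and refuses anyone who holds no eligible assignment. The subscription, resource group, principal and action names are constructed for the example.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// Role permits the operations matching Actions except those matching NotActions, as in Azure RBAC.
type Role struct {
	Actions, NotActions []string
}

// roles summarizes three Azure built-in roles; the authoritative definitions are Azure's own.
var roles = map[string]Role{
	"Owner":       {Actions: []string{"*"}},
	"Contributor": {Actions: []string{"*"}, NotActions: []string{"Microsoft.Authorization/*/Write", "Microsoft.Authorization/*/Delete"}},
	"Reader":      {Actions: []string{"*/read"}},
}

// Assignment binds a principal to a role at a scope. An Eligible assignment grants nothing until
// Activate turns it into a time-boxed active one (the PIM / just-in-time model).
type Assignment struct {
	Principal, Role, Scope string
	Eligible               bool
	Expires                time.Time // zero value = permanent
}

type Authorizer struct {
	Assignments []Assignment
	Log         []string
}

// match implements the Azure-style wildcard: one "*" stands for any run of characters; matching is case-insensitive.
func match(pattern, s string) bool {
	pattern, s = strings.ToLower(pattern), strings.ToLower(s)
	i := strings.Index(pattern, "*")
	if i < 0 {
		return pattern == s
	}
	pre, suf := pattern[:i], pattern[i+1:]
	return len(s) >= len(pre)+len(suf) && strings.HasPrefix(s, pre) && strings.HasSuffix(s, suf)
}

func anyMatch(patterns []string, action string) bool {
	for _, p := range patterns {
		if match(p, action) {
			return true
		}
	}
	return false
}

// Allowed is deny-by-default: an active, unexpired assignment whose scope covers the resource must
// carry a role that permits the action and does not exclude it.
func (a *Authorizer) Allowed(principal, action, resource string, now time.Time) bool {
	for _, as := range a.Assignments {
		covers := resource == as.Scope || strings.HasPrefix(resource, as.Scope+"/")
		expired := !as.Expires.IsZero() && !now.Before(as.Expires)
		if as.Principal != principal || as.Eligible || !covers || expired {
			continue
		}
		if r := roles[as.Role]; anyMatch(r.Actions, action) && !anyMatch(r.NotActions, action) {
			return true
		}
	}
	return false
}

// Activate converts an eligible assignment into an active one that lapses after d and logs who
// activated what, and why; a principal with no eligible assignment is refused.
func (a *Authorizer) Activate(principal, role, scope string, now time.Time, d time.Duration, reason string) error {
	for _, as := range a.Assignments {
		if as.Eligible && as.Principal == principal && as.Role == role && as.Scope == scope {
			a.Assignments = append(a.Assignments, Assignment{principal, role, scope, false, now.Add(d)})
			a.Log = append(a.Log, fmt.Sprintf("%s: %s activated %s on %s for %s (%s)", now.Format(time.RFC3339), principal, role, scope, d, reason))
			return nil
		}
	}
	return fmt.Errorf("%s is not eligible for %s on %s", principal, role, scope)
}

// sample is a constructed tenant: bob reads the whole subscription permanently and is only eligible
// for Owner on the prod resource group; alice is a permanent Contributor on dev.
func sample() *Authorizer {
	return &Authorizer{Assignments: []Assignment{
		{Principal: "bob", Role: "Reader", Scope: "/subscriptions/s1"},
		{Principal: "bob", Role: "Owner", Scope: "/subscriptions/s1/resourceGroups/prod", Eligible: true},
		{Principal: "alice", Role: "Contributor", Scope: "/subscriptions/s1/resourceGroups/dev"},
	}}
}

func main() {
	a, now := sample(), time.Date(2015, 9, 15, 9, 0, 0, 0, time.UTC)
	vm := "/subscriptions/s1/resourceGroups/prod/providers/Microsoft.Compute/virtualMachines/vm1"
	fmt.Println(a.Allowed("bob", "Microsoft.Compute/virtualMachines/restart/action", vm, now))
	fmt.Println(a.Activate("bob", "Owner", "/subscriptions/s1/resourceGroups/prod", now, time.Hour, "INC-42"))
	fmt.Println(a.Allowed("bob", "Microsoft.Compute/virtualMachines/restart/action", vm, now), a.Log)
}
```

Before activation bob can only read the VM; after a one-hour activation he can restart it, but only inside the prod resource group and only until the window lapses, and the activation record is the audit trail PIM keeps.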

Using auditing and logging, management can also detect suspicious activity, including irregular logins down to the level of the individual user, through advanced detection tools that constantly monitor every user account. In this way, threats can be detected and ac on before they become a problem.


What Is the Operations Management Suite?

OMS, the Operations Management Suite, is a cloud-based IT management service that Microsoft launched alongside Windows 10, and it is a simplified IT management solution.

It is a hybrid management service that supports Azure, AWS, VMware, OpenStack, Linux and Windows Server, and it connects to on-premises data centers and cloud environments, giving IT managers a single portal from which to collect, analyze and search through thousands of pieces of data and records spread across workloads and servers.

These days there is so much information, so much data and so many apps spread across the infrastructure, the cloud and cloud services that it is getting hard to know how to handle it all.

IT managers still have to manage and secure all that data, wherever it is kept, and OMS makes that easier.

The benefits of OMS are:

Log Analytics: collect and search across many machine data sources to identify where the problems lie in operational issues.

Availability: regardless of where servers and apps are, OMS includes integrated backup and site recovery for them all.

Automation: orchestration of complex and repetitive operations to provide a more efficient and cost-effective hybrid cloud management system.

Security: the ability to monitor and identify malware status, find missing system updates and apply them, and collect security-related events for analysis and audit.


Extended System Center: OMS combines with the existing System Center to extend its capabilities and deliver full hybrid cloud management across any cloud or data center.

Hybrid and Open: very few organizations are now housed in a single data center, and OMS steps in to manage your hybrid cloud, irrespective of the topology or technology used, integrating with the existing on-premises infrastructure.

All of this makes protecting your data and preventing breaches and compromises easier than before.

Mobile Security

These days we use our devices not only for personal use but also for business. More and more employees use smartphones and tablets for work, and Windows 10 Mobile, formerly Windows Phone, is designed around separating personal and business use on the device and giving the business side the right level of security and control. Mobile devices are a prime target for cyber-attacks and, until now, have been harder to protect.


Microsoft has added a number of security layers to protect a Windows mobile device from malware and other attacks, letting both end users and enterprises relax a little, knowing that their security is in good hands.

The first line of defense is a layer of security that protects the hardware itself. All new Windows 10 Mobile devices ship with a TPM 2.0 and with UEFI Secure Boot enabled; on these devices this is a platform requirement, and Secure Boot cannot be disabled. Secure Boot starts checking the system as soon as the device is powered on: every piece of firmware, and every piece of software that loads during boot, must carry a valid signature from a trusted key, and if it does not, it does not run. It is that simple. Once everything has been verified, UEFI boots into the Windows Boot Manager and then into the OS itself. The only exception is when the OS has to be replaced by a recovery application, in which case the boot manager boots into flash mode.

Just how secure is UEFI, though? During manufacturing, a number of public key hashes are fused into the device. These hashes anchor the keys that the later signature checks trust.
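The checks just described, and the secured rollback covered next, amount to a small verification routine that the firmware runs on every component before executing it. The Go program below is an added example for this chapter, not UEFI or Windows boot code. It models a device whose only immutable trust anchors are hashes of OEM public keys fused at manufacture, verifies an ECDSA signature over each image's name, version and code, consults a revocation list in the role of the UEFI dbx, and keeps a per-component rollback floor that advances only after a successful verification, so a validly signed but older build is refused later. Key generation, the image names and the version numbers are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/binary"
	"errors"
	"fmt"
)

// Image is one boot component (firmware, boot manager, kernel) as stored on the device:
// its code, a monotonic version, an ECDSA P-256 signature and the signer's public key.
type Image struct {
	Name      string
	Version   uint32
	Code      []byte
	Signature []byte // ASN.1 ECDSA signature over digest()
	Signer    *ecdsa.PublicKey
}

// digest binds name, version and code together, so a signature cannot be transplanted
// onto another component or an old build relabelled as a newer version.
func (im Image) digest() [32]byte {
	var ver [4]byte
	binary.BigEndian.PutUint32(ver[:], im.Version)
	return sha256.Sum256(append(append([]byte(im.Name+"\x00"), ver[:]...), im.Code...))
}

func keyHash(pub *ecdsa.PublicKey) [32]byte {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		panic(err)
	}
	return sha256.Sum256(der)
}

// Device models the firmware's trust state: hashes of OEM public keys fused at manufacture
// (fixed for the life of the device), revoked image digests (the role of UEFI's dbx), and
// the highest version booted per component, which is what enforces rollback protection.
type Device struct {
	Fused      map[[32]byte]bool
	Revoked    map[[32]byte]bool
	MinVersion map[string]uint32
}

func NewDevice(oem ...*ecdsa.PublicKey) *Device {
	d := &Device{Fused: map[[32]byte]bool{}, Revoked: map[[32]byte]bool{}, MinVersion: map[string]uint32{}}
	for _, k := range oem {
		d.Fused[keyHash(k)] = true
	}
	return d
}

func (d *Device) Revoke(im Image) { d.Revoked[im.digest()] = true }

// Verify is the check made before an image is executed. The rollback floor advances only
// on success, so a later attempt to boot an older signed build is refused.
func (d *Device) Verify(im Image) error {
	digest := im.digest()
	switch {
	case im.Signer == nil || !d.Fused[keyHash(im.Signer)]:
		return errors.New(im.Name + ": signer is not a fused OEM key")
	case !ecdsa.VerifyASN1(im.Signer, digest[:], im.Signature):
		return errors.New(im.Name + ": signature does not verify (modified code or wrong key)")
	case d.Revoked[digest]:
		return errors.New(im.Name + ": image is revoked")
	case im.Version < d.MinVersion[im.Name]:
		return fmt.Errorf("%s: version %d is below the rollback floor %d", im.Name, im.Version, d.MinVersion[im.Name])
	}
	d.MinVersion[im.Name] = im.Version
	return nil
}

// Sign is what the OEM's build signing service does.
func Sign(priv *ecdsa.PrivateKey, name string, version uint32, code []byte) (Image, error) {
	im := Image{Name: name, Version: version, Code: code, Signer: &priv.PublicKey}
	digest := im.digest()
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	im.Signature = sig
	return im, err
}

func main() {
	oem, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	dev := NewDevice(&oem.PublicKey)
	v2, _ := Sign(oem, "bootmgr", 2, []byte("boot manager build 2"))
	v1, _ := Sign(oem, "bootmgr", 1, []byte("boot manager build 1"))
	fmt.Println(dev.Verify(v2), dev.Verify(v1)) // <nil>, then the rollback refusal
}
```

Note the ordering: a component signed by a key whose hash is not fused is rejected before its signature is even checked, and an image is never allowed to move the rollback floor unless every check has passed, so a rejected downgrade leaves the floor where it was.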

All the drivers, loaders, applications and firmware within UEFI must be signed, and a UEFI database lists the keys, image hashes and certificate authorities, stating whether each is trusted or untrusted. A secured rollback mechanism is also in place: once UEFI has checked a system and declared it a safe and genuine environment, secured rollback prevents the device from being rolled back to an earlier version, which stops malware that relied on a weakness in an older, insecure version from being reinstalled. UEFI itself is kept fully up to date through Windows Update.

Other hardware security includes the TPM, discussed earlier, which lets keys be isolated from the OS. This means that if the system is breached in any way, those keys cannot be stolen; not even the OS itself can read them.

Health attestation completes the hardware protection layer. It is much improved from the version that shipped with Windows 8.1 and allows Windows 10 to carry out a health check against the cloud before the device is granted access to internal resources. The features checked include Secure Boot, BitLocker and other operation-essential features that must be fully healthy before the device is trusted.

The next layer of security is Windows OneCore. We look at the App Platform first, because it is what users interact with when they use Windows 10 on their mobile devices.

Windows 10 Mobile supports only modern (Universal Windows Platform) apps, not Win32 apps. The new security layer for the app platform model works like this:

• The OS runs in a Trusted Computing Base (TCB), which nothing else on the device can access or modify.

• Apps installed from the Store or shipped with the device run in a sandbox called a Least Privilege Chamber (LPC). When an app is placed in its chamber, it is granted the permissions it needs to run and no more. This means it does only what it says on the box, and malware cannot order it to deviate from that. The permissions attached to a chamber cannot be changed or elevated by anyone; only an upgrade with a new manifest can change them.

Windows 10 Mobile comes with a number of preinstalled apps.


All of these are modern apps and can be updated with new functions without going through the mobile operator; instead, they are updated through Windows Update, under the model Microsoft calls Windows as a Service.

Access to apps and services has always raised security concerns. Microsoft is implementing a number of new features in both the desktop and the mobile versions of Windows 10 that secure access more than ever before.

Many users are fed up with the current password system. Not only is it too much to remember multiple passwords, it is simply not secure. Most people tend to stick to the same password for everything; there are so many places that require proof of identity now that you could probably fill a book with all the different access details you would need.

Businesses want more control over what their end users access, not to be nosy, but to understand patterns better and to detect potential threats and/or leaks. So Microsoft has come up with Windows Hello.

We know all about this from the desktop version, and the mobile version is the same, so to recap:

• Windows Hello is a biometric system

• It uses an infrared (IR) camera for iris or facial recognition, or a fingerprint reader

• New hardware will be needed to support this feature, because today's mobiles lack the cameras needed to recognize facial or iris details; some may have an integrated fingerprint reader, which may also need updating; devices also need depth-sensing (3D) vision for face detection


• Microsoft is working to keep the false acceptance rate at or below 1 in 100,000 and to reduce the false rejection rate, which is currently between 2% and 4%

• Passwords and/or PINs may still be used, but the difference is that these can be managed through MDM (Mobile Device Management), especially in BYOD situations

Microsoft Passport is another system that will be on Windows 10 for desktop and mobile, and it is a replacement for the old password system. Instead of a password, a key pair is generated, one public and one private, after the user has established trust with their identity provider (IDP).

The private key never leaves the device it was generated on. Users have a choice of providers: any identity provider that implements the FIDO Alliance standards, Microsoft's own among them.

The difference for business users is that an end user creates their Passport account specifying whether it is for business or personal use. When the user establishes trust, the IDP may require a second layer of authentication to prove identity, perhaps a phone call or a text message.

Once trust has been established, the keys are generated and, once the public key has been validated and registered, an authentication token is sent to the device. That token can then be used with any number of third-party relying parties that trust those tokens.

An access token is created, and this can be controlled by MDM: you can set a time limit on the user's access to a particular site, so that they must re-authenticate after that limit expires if they want access to the site again.
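The Passport flow above is a registration of a public key followed by challenge-response sign-ins and a time-limited token. The Go program below is an added example for this chapter, not Microsoft Passport, FIDO or Azure AD code. The device keeps an ECDSA P-256 private key that nothing returns and only ever emits signatures; the identity provider stores the public key at enrolment, issues a one-time random challenge, verifies the signed response under that key, and mints a token bound to one audience with a lifetime that stands in for the MDM-controlled limit; the relying party's check rejects a token that is altered, presented to a different site or past its expiry, and a replayed response is refused because the challenge has already been consumed. The second factor at enrolment is not modelled, the token's HMAC stands in for a signed token format, and the provider and site names are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"time"
)

func mustRandom(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// Device holds the private key; in Passport it lives in the TPM. Here it is an unexported field that no method returns.
type Device struct{ priv *ecdsa.PrivateKey }

// Respond signs the challenge together with the provider's name, so a response captured for
// one provider cannot be replayed to another.
func (d *Device) Respond(idp string, challenge []byte) ([]byte, error) {
	h := sha256.Sum256(append([]byte(idp+"\x00"), challenge...))
	return ecdsa.SignASN1(rand.Reader, d.priv, h[:])
}

// Token is what relying parties receive; MAC is an HMAC under the issuer's secret, standing in for a signed format such as JWT.
type Token struct {
	User, Audience string
	Expires        time.Time
	MAC            []byte
}

// IDP is the identity provider: registered public keys, outstanding one-time challenges, a
// token-signing secret and the token lifetime (the MDM-controlled time limit).
type IDP struct {
	Name       string
	Lifetime   time.Duration
	keys       map[string]*ecdsa.PublicKey
	challenges map[string][]byte
	secret     []byte
}

func NewIDP(name string, lifetime time.Duration) *IDP {
	return &IDP{name, lifetime, map[string]*ecdsa.PublicKey{}, map[string][]byte{}, mustRandom(32)}
}

// Register is enrolment: after the user has proved identity (the second factor is not modelled),
// the device's public key is bound to the account. Challenge issues a fresh one-time nonce.
func (p *IDP) Register(user string, pub *ecdsa.PublicKey) { p.keys[user] = pub }
func (p *IDP) Challenge(user string) []byte {
	p.challenges[user] = mustRandom(32)
	return p.challenges[user]
}

func (p *IDP) mac(t Token) []byte {
	m := hmac.New(sha256.New, p.secret)
	fmt.Fprintf(m, "%s|%s|%d", t.User, t.Audience, t.Expires.Unix())
	return m.Sum(nil)
}

// Authenticate verifies the signed challenge under the registered key, consumes the challenge so
// a captured response cannot be replayed, and issues a token bound to one audience.
func (p *IDP) Authenticate(user string, response []byte, audience string, now time.Time) (Token, error) {
	c, pub := p.challenges[user], p.keys[user]
	delete(p.challenges, user)
	h := sha256.Sum256(append([]byte(p.Name+"\x00"), c...))
	if c == nil || pub == nil || !ecdsa.VerifyASN1(pub, h[:], response) {
		return Token{}, errors.New("no outstanding challenge, unknown user or bad signature")
	}
	t := Token{User: user, Audience: audience, Expires: now.Add(p.Lifetime)}
	t.MAC = p.mac(t)
	return t, nil
}

// Validate is the relying party's check, modelled as asking the issuer: MAC intact, right audience, not expired.
func (p *IDP) Validate(t Token, audience string, now time.Time) error {
	if !hmac.Equal(t.MAC, p.mac(t)) || t.Audience != audience {
		return errors.New("token forged, altered or issued for a different site")
	}
	if !now.Before(t.Expires) {
		return errors.New("token expired; the user must authenticate again")
	}
	return nil
}

func main() {
	k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // in Passport this happens inside the TPM
	dev, idp := &Device{priv: k}, NewIDP("login.example", 15*time.Minute)
	idp.Register("alice", &dev.priv.PublicKey)
	resp, _ := dev.Respond(idp.Name, idp.Challenge("alice"))
	fmt.Println(idp.Authenticate("alice", resp, "https://payroll.example", time.Now()))
}
```

The IDP never holds anything that could impersonate the device: a leak of its key table exposes only public keys, which is the whole advantage over a password database, and shortening Lifetime is the MDM-side lever for forcing re-authentication.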

Enterprise expectations for corporate access are "anytime, anywhere, secure remote access".


Furthermore, to protect data and access to and from a device, Microsoft has expanded the VPN capabilities in Windows 10. Again, these can be MDM-managed, in two main ways:

• Per application: IT can give users access to specific sites through a VPN, and this is fully integrated with Enterprise Data Protection

• "Always-On": users reach sites through a VPN permanently, until they turn it off; this can be managed, and IT decides whether a user is allowed to disable the VPN

BitLocker is also present on all devices, and it is designed to protect the data on a mobile device when the device is lost or stolen. All corporate data is encrypted, which protects it against offline attacks on the storage, and because the keys are sealed to the TPM and released only when Secure Boot verifies the boot chain, the data cannot be read by booting other software on the device. For this to work, UEFI Secure Boot must be enabled, which is standard on Windows 10 Mobile.

Enterprise Data Protection on a mobile device is essentially the same as on the desktop. It is MDM-dependent and, once enrollment has taken place, trust has been established. The device is enrolled in MDM at the same time as the authentication token is issued.

This means that IT can set key policies to protect data on each individual device and for each individual user. This includes managing keys, assigning enterprise apps to users, protecting network and storage resources, and audit controls. Part of this is that enterprise apps cannot be used under a personal login, as the two are kept entirely separate.

There are enlightened apps as well, such as Microsoft Office. For example, if you open a new Word document or Excel template, a message asks whether it is for personal or business use.

Personal documents are not encrypted, whereas enterprise ones are.

IT can also set policies for actions such as copy and paste. Say you copied a piece of data from a corporate document or website and tried to paste it into a personal one. IT can choose between:

• Block altogether

• Allow

• Allow, but let the user decide

If a user goes ahead and pastes the data even though they have been warned that it is of corporate origin, their action is audited.

Finally, IT can remove permissions automatically for people who leave employment or move to a different area of the enterprise. Any access to apps they had permission to use is removed automatically.


MDM – Mobile Device Management and the Business Store

Today's business needs are changing fast, and Microsoft is giving enterprise management what it needs with Windows 10. It used to be that a workday was a simple 9-to-5, Monday-to-Friday affair, with employees sitting at their desks in the office.

Their PCs were connected to the LAN and were provided and managed by the enterprise. There was a single device ecosystem with one extended operating system.

In this scenario, devices had a long life because they were kept serviced and updated. Users shared files and data on-premises, and their access to apps was controlled by the organization.

Management was deeply involved in setting controls and policies, and malware was seen as criminal activity and vandalism. The network perimeter worked as a good defense, and devices were vertically integrated for workers.

So what has changed? The advent of the mobile device changed it all. More people use their mobiles for work, and enterprises have to change to accommodate this new environment. Of course, this means that those devices are in use 24/7 for both work and personal activities.

Instead of working on a desktop connected to the LAN, we now work on mobile devices connected to any network. We use not only personal apps but also corporate apps, all on the same device.

We can use any number of ecosystems, including Android, iOS and Chrome as well as Windows. Our devices do not last as long as the desktops we had before, because of the pace of change in hardware and specifications.


Instead of using on-premises apps, we use SaaS and file-sharing apps. This makes access control much harder, because instead of being confined to the organization, it is now spread across the user and the device as well.

Cloud-based management means there are fewer controls, and malware is now seen as a weapon used for espionage. Instead of knowing we are secure, we must now operate under the assumption that our device has been breached or, if it has not, that it will be at some point. And instead of vertically adapted devices, we now have dynamically adapted devices.

With more organizations and employees adopting BYOD, the security challenges are much harder. The sheer diversity of devices, apps and networks is astonishing, and with the loss of the perimeter defense comes a much higher likelihood of attack.

Look at it this way: forecasts at the time suggested that by the end of 2018 more than 50% of all users would turn to their mobile device for online activities before even thinking about using a desktop, that by the end of 2016 more than 40% of the world's population would own a smartphone or a tablet, and that there were already more than 6.5 billion wireless connections in use. That is the scale of the problem.

Attacks are increasing in intensity; they are more organized, more persistent and specifically targeted. In the last couple of years alone, the number of attacks on major, well-known companies such as Sony and eBay has increased significantly, and if they can be hacked, so can you.

The final layer of security Microsoft has included is app security. Until now, there has been no control over which apps users download and install, or from where. With Windows 10, extra layers have been added. Users can still purchase and download apps for personal use with their own Microsoft account (formerly Live ID).

However, there is now a Business Store where app licenses can be purchased for use by end users. These are placed in the Company Portal, a separate store within the Store, and permissions are given to the people who need them. This makes app deployment much easier, safer and more secure.

Windows 10 gives managers a choice: traditional management, including Group Policy, System Center and all the related components, or MDM (Mobile Device Management). MDM has been seriously enhanced since its introduction in Windows 8.1, and its capabilities have been expanded in Windows 10.

With Windows 8.1 and Windows Phone 8.1, devices had to meet enterprise security requirements before they could access corporate data. Windows Phone 8.1 went a little further and enabled device lockdown, meaning that devices could be configured to run only specific apps.

So Windows 10 devices are fully managed corporate devices when deployed by businesses.

In Windows 10, Microsoft has enhanced each phase of MDM provisioning, including:

• Easy enrollment, automating MDM enrollment of a device as part of the AAD Join process

• New configuration and Start Menu management tools


• New Windows Update controls, letting you set when specific updates are rolled out to MDM-managed devices

• New configuration settings for Enterprise Data Protection and AppLocker

• Better integration with the Windows Store and Business Store for automated app management

• Full capabilities for wiping devices

All of these capabilities, and more, are fully supported on all types of device, including Windows phones, tablets and Internet of Things devices.

Active Directory is used by virtually all businesses today to provide security and identity services. All of the AD capabilities are fully supported in Windows 10, but the biggest single change is the addition of full support for Azure Active Directory.

This means that Windows 10 is aware of the directories and accounts in AAD and can use them in many different ways.

First, though, it is vital to understand that you do not need to choose between AD and AAD: if you have AD, you can use AAD as well and take advantage of the extra capabilities.

Windows 10 supports management of both BYOD (personally owned) and organizational devices, and the same is true of identity. A device owned by the organization can be joined to an AD domain to establish trust and can then be signed into with an AAD account.


You can also choose to join the device to an AAD tenant and then sign on with an AAD account, which will give full support for roaming settings through Azure storage.

The real value comes when the device is combined with both. After the AD domain has been synchronized with AAD, extra benefits are available in the form of single sign-on. Windows 10 automatically recognizes the association between the accounts, meaning that AD users can access cloud-based services without having to log on again. And vice versa: an AAD user can access on-premises data with no need for additional authentication.

I'm not just talking about Microsoft cloud here though; I'm talking about having single sign-on for hundreds of different SaaS (Software as a Service) providers. Simply define the connection between AAD and the services you want, and you are all set for single sign-on.

For BYOD devices, Windows 10 will support device registration for registering personal devices. Once a device is registered, as shown below, it gains an additional level of trust, which means that access can be allowed to all sorts of services and apps that an unregistered device couldn't get.

For AAD to be used, an AAD tenant must be set up for the organization (those who use Intune or Office 365 will already have this). After that, synchronization takes place between the AD domain and AAD using Azure AD Sync. This runs periodically to ensure that AAD is kept fully up to date.

All devices can join AAD, or they can just leverage AAD accounts. Either way, they will gain single sign-on access to cloud services, as well as getting app roaming settings and data across a wide range of devices.


Browser Security

On Windows 10 Phone devices, there will be only one browser: Edge. This is the replacement for Internet Explorer and is Microsoft's new, cutting-edge browser.

Of course, with a new browser comes a whole set of fresh security challenges, and on a mobile device used as a corporate device, Edge can be MDM-managed.

Microsoft is introducing a whole new set of policies for Edge. To start with, there are Group Policies, which use the existing GPO/GPP/SCCM infrastructure. There are also MDM policies that are on a par with the group policies and are brand new to Windows 10.

The MDM policies provide cross-platform management capabilities for different operating systems and are a standards-based infrastructure. All of these packages add up into one nice, neat result: a fully managed Microsoft Edge.

MDM is a way of consistently managing multi-platform devices using Extensible Markup Language, or XML, for data exchange. XML defines rules for encoding data in a way that both the device and a human can read. Concretely, the Windows 10 MDM client speaks the OMA-DM protocol, whose commands are SyncML XML documents, and each setting is addressed as a node of a configuration service provider (CSP), so a policy is just a Replace command naming the node's URI and the value to store.

MDM is fully supported by all major mobile manufacturers and it covers the entire life of the device, including:

• Device enrollment

• Configuration

• App management

• Remote assistance and inventory


• The retirement of the device

Microsoft Edge policies are scenario-driven, which means that they will depend entirely on the use and permissions of the device and the individual.

They are also consistent across all devices, regardless of what they are, and include the following:

• Enterprise site list configuration

• Sending the Intranet to IE (for compatibility reasons)

• Allowing the browser on a mobile

• Default browser

• Allowing pop-ups

• Configuring cookies

• Allowing SmartScreen

• Allowing Active Scripting

• Configuring the home page

• Allowing Do Not Track

• Allowing Autofill

• Configuring Password Manager

• Disabling search suggestions in the address bar

All of this is designed to help keep corporate data safe by controlling what corporate users can and cannot do and the capabilities they have access to.

This reduces the risk of malware, or any other unwelcome threat vector, making it onto the mobile device and potentially accessing corporate data.

Enterprise Mobility Suite

Enterprise Mobility Suite (EMS) is Microsoft's answer to access control security. Right now, most corporate data is stored on premises, behind Active Directory authentication, and is accessed through the Internet via browsers on mobile platforms and PCs.

In short, there is actually very little control over who accesses what, from where, and when. The weakest point in the system is the DMZ, or the perimeter, because there are so many ways of access that are difficult and cumbersome to keep control of.

Microsoft's solution is to build access control into all apps, on-premises and cloud services, as a way of containing data and stopping it from leaking.
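As an added illustration (not code from this book or from Microsoft), the following Python builds the SyncML Replace commands an MDM server would send to set several of the Edge policies listed above through the Policy CSP, reads them back out of the message, and flags any setting that weakens the browser before the profile is pushed. The URI layout ./Device/Vendor/MSFT/Policy/Config/Browser/<node> follows Microsoft's documented Policy CSP; the node names and permitted value ranges in ALLOWED_VALUES, and the baseline in EDGE_BASELINE, are this example's assumptions and should be checked against the Policy CSP reference for the Windows build being managed.

```python
import xml.etree.ElementTree as ET

SYNCML_NS = "SYNCML:SYNCML1.2"
# Policy CSP location for Edge settings (documented layout); node names below are assumptions.
BROWSER_ROOT = "./Device/Vendor/MSFT/Policy/Config/Browser/"

# Assumed Browser nodes and the integer values each accepts.
ALLOWED_VALUES = {
    "AllowSmartScreen": {0, 1},
    "AllowPopups": {0, 1},
    "AllowCookies": {0, 1, 2},   # 0 block all, 1 block third-party only, 2 allow all
    "AllowDoNotTrack": {0, 1},
    "AllowAutofill": {0, 1},
    "AllowPasswordManager": {0, 1},
    "AllowSearchSuggestionsinAddressBar": {0, 1},
    "SendIntranetTraffictoInternetExplorer": {0, 1},
}

# Values that loosen security if an admin (or a tampered profile) sets them.
WEAK_VALUES = {"AllowSmartScreen": 0, "AllowPopups": 1, "AllowCookies": 2}

# Constructed baseline a corporate profile might push.
EDGE_BASELINE = {
    "AllowSmartScreen": 1,
    "AllowPopups": 0,
    "AllowCookies": 1,
    "AllowDoNotTrack": 1,
    "AllowPasswordManager": 0,
    "SendIntranetTraffictoInternetExplorer": 1,
}


def build_replace(settings, first_cmd_id=2):
    """Return a SyncML document with one <Replace> per Browser setting.

    Unknown nodes or out-of-range values are rejected up front, so a typo
    cannot silently produce a policy the device ignores.
    """
    bad = {node: value for node, value in settings.items()
           if node not in ALLOWED_VALUES or value not in ALLOWED_VALUES[node]}
    if bad:
        raise ValueError(f"unknown node or out-of-range value: {bad}")
    root = ET.Element("SyncML", xmlns=SYNCML_NS)
    body = ET.SubElement(root, "SyncBody")
    for offset, (node, value) in enumerate(sorted(settings.items())):
        replace = ET.SubElement(body, "Replace")
        ET.SubElement(replace, "CmdID").text = str(first_cmd_id + offset)
        item = ET.SubElement(replace, "Item")
        target = ET.SubElement(item, "Target")
        ET.SubElement(target, "LocURI").text = BROWSER_ROOT + node
        meta = ET.SubElement(item, "Meta")
        ET.SubElement(meta, "Format", xmlns="syncml:metinf").text = "int"
        ET.SubElement(item, "Data").text = str(value)
    ET.SubElement(body, "Final")
    return ET.tostring(root, encoding="unicode")


def parse_replace(xml_text):
    """Recover the Browser settings from a SyncML message (for example one
    captured from an enrollment session); items outside the Browser area are skipped."""
    ns = {"s": SYNCML_NS}
    settings = {}
    for item in ET.fromstring(xml_text).findall("s:SyncBody/s:Replace/s:Item", ns):
        uri = item.findtext("s:Target/s:LocURI", default="", namespaces=ns)
        if not uri.startswith(BROWSER_ROOT):
            continue
        settings[uri[len(BROWSER_ROOT):]] = int(item.findtext("s:Data", namespaces=ns))
    return settings


def weak_settings(settings):
    """Names of settings whose value weakens the browser, for a pre-push review."""
    return sorted(node for node, value in settings.items() if WEAK_VALUES.get(node) == value)
```

A practical use is a pre-deployment check: run weak_settings over the parsed profile and refuse to push anything that turns SmartScreen off or allows all cookies, which catches both honest mistakes and a profile that has been edited between the console and the device.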


So, at the base layer of EMS, on the mobile device, is MDM, Mobile Device Management. This is pretty much standard on most corporate devices and gates access to various services.

The next layer, building on that, is Office 365 Mobile Productivity, which encompasses all Office apps, such as Word, Excel and OneDrive. These come with two built-in libraries: the Active Directory Authentication Library (ADAL) for sign-in and the Intune data protection library for app-level policy.

Finishing off is extensibility, which allows business apps to interoperate with Office Mobile.

The first and most important part of EMS is conditional access control, a part of Azure AD Premium that is made up of the following layers:

• User attributes: the user must prove who they are, and the groups they belong to determine their access to specific apps. This also determines whether multi-factor authentication is required for them.

• Device authentication: the whole idea of security in Windows 10 is to tie a user to a device. Not only does the user have to prove who they are, they have to prove their device is compliant, is MDM-managed, and is not lost or stolen before they can be given access.

• Applications: these are classified by business sensitivity and users are only given access to the apps they need, with IT setting up the appropriate permissions.

• Network: EMS can determine where the user is accessing the network from and can decide if MFA is required, based on location and whether they are inside or outside the corporate network.

Office 365

Under conditional access controls, users are blocked from using Office apps until they have been enrolled in MDM and are compliant with company policies.

Once they have been granted access, after identity authentication, all app data is encrypted and sharing is restricted to managed apps. Applied policies are enforced, which gives all Office 365 apps a built-in layer of protection.

For data that is shared externally, i.e. emails and their attachments, the data is encrypted to secure it. Should a device be lost or stolen or an employee leave the company, all access is revoked and corporate data can be remotely wiped, taking access away from that individual and/or device.

The following two diagrams show the same access controls for the use of Outlook on iOS and Android and access to SharePoint from OneDrive Mobile:
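To make the four layers concrete, here is an added Python evaluator (not Azure AD, Intune or EMS code) that walks them in order for a request and returns allow, require_mfa or block. The users, devices, apps, the three-step sensitivity scale and the rules (hard blocks before any MFA decision; off-network access to anything above low sensitivity needs MFA) are this example's assumptions, chosen to mirror the layers described above rather than any particular tenant's policy.

```python
from dataclasses import dataclass

ALLOW, REQUIRE_MFA, BLOCK = "allow", "require_mfa", "block"


@dataclass(frozen=True)
class User:
    name: str
    groups: frozenset
    mfa_registered: bool = True


@dataclass(frozen=True)
class Device:
    device_id: str
    mdm_managed: bool
    compliant: bool
    reported_lost: bool = False


@dataclass(frozen=True)
class App:
    name: str
    sensitivity: str        # assumed three-step scale: "low", "medium", "high"
    allowed_groups: frozenset


@dataclass(frozen=True)
class Request:
    user: User
    device: Device
    app: App
    inside_corp_network: bool


def evaluate(req):
    """Walk the four layers and return (decision, reasons).

    Hard blocks are decided first so that a lost device or an unauthorised
    user can never talk its way in by completing a second factor.
    """
    # Layer 1: user attributes - the app must be published to one of the user's groups
    if not req.user.groups & req.app.allowed_groups:
        return BLOCK, [f"{req.user.name} is not in a group with access to {req.app.name}"]

    # Layer 2: device - lost/stolen is out; above low sensitivity needs a managed, compliant device
    if req.device.reported_lost:
        return BLOCK, [f"device {req.device.device_id} is reported lost or stolen"]
    if req.app.sensitivity != "low" and not (req.device.mdm_managed and req.device.compliant):
        return BLOCK, [f"device {req.device.device_id} is not MDM-managed and compliant"]

    # Layer 3: application - high-sensitivity apps always require MFA
    reasons = []
    if req.app.sensitivity == "high":
        reasons.append(f"{req.app.name} is a high-sensitivity app")

    # Layer 4: network - off-network access to anything above low sensitivity requires MFA
    if not req.inside_corp_network and req.app.sensitivity != "low":
        reasons.append("request comes from outside the corporate network")

    if reasons and not req.user.mfa_registered:
        return BLOCK, reasons + ["MFA required but the user has no second factor registered"]
    return (REQUIRE_MFA, reasons) if reasons else (ALLOW, ["all four layers satisfied"])


def sample_decisions():
    """Constructed scenarios showing how each layer changes the outcome."""
    alice = User("alice", frozenset({"finance", "all-staff"}))
    bob = User("bob", frozenset({"all-staff"}))
    carol = User("carol", frozenset({"finance", "all-staff"}), mfa_registered=False)
    managed = Device("LT-0042", mdm_managed=True, compliant=True)
    personal = Device("home-pc", mdm_managed=False, compliant=False)
    stolen = Device("LT-0007", mdm_managed=True, compliant=True, reported_lost=True)
    payroll = App("Payroll", "high", frozenset({"finance"}))
    wiki = App("Wiki", "medium", frozenset({"all-staff"}))
    cafeteria = App("Cafeteria menu", "low", frozenset({"all-staff"}))
    scenarios = {
        "alice/payroll/managed/inside": Request(alice, managed, payroll, True),
        "alice/wiki/managed/inside": Request(alice, managed, wiki, True),
        "alice/wiki/managed/outside": Request(alice, managed, wiki, False),
        "alice/cafeteria/personal/outside": Request(alice, personal, cafeteria, False),
        "alice/payroll/personal/inside": Request(alice, personal, payroll, True),
        "alice/wiki/stolen/inside": Request(alice, stolen, wiki, True),
        "bob/payroll/managed/inside": Request(bob, managed, payroll, True),
        "carol/payroll/managed/inside": Request(carol, managed, payroll, True),
    }
    return {name: evaluate(req)[0] for name, req in scenarios.items()}
```

The ordering is the security-relevant part: group membership and device state are checked before any MFA prompt is considered, so a stolen but compliant laptop is refused outright, and a user who would need MFA but has no second factor registered is blocked rather than silently let through.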


Conditional Access to Azure AD Connected Applications

Azure AD comes complete with more than 2,000 preconfigured apps, and access can be controlled on a per-app basis: MFA can be required per app, required only when the app is reached from the extranet, or the app can be blocked from the extranet altogether. These are SaaS apps, and IT can target specific groups of people to have access to specific apps only, or can block groups or individuals from accessing certain apps. This means that users get to see only what they need to do their jobs and no more, restricting the chances of data leakage.


Device Conditional Access

Access can be restricted to only those devices that are managed and compliant. Auto-Workplace Join PCs will be automatically marked as managed and will be included in the access policies. Any device whose attributes change will have its access revoked, and the user may be asked to provide a new set of credentials.

Support is built in for a number of different major SSL VPN providers, including Juniper, Cisco, Check Point, SonicWALL, SFS and other custom VPN payloads. Native VPN standards such as PPTP, L2TP and IKEv2 are supported, as is app-triggered VPN and multiple Wi-Fi authentication types, like WEP, WPA/WPA2, and Enterprise. Supported is not the same as recommended: PPTP (whose MS-CHAPv2 authentication is broken) and WEP are both long obsolete, so profiles pushed to managed devices should use IKEv2 or the vendor's SSL VPN, and WPA2-Enterprise for Wi-Fi.


Windows as a Service: More Security via Secure Updates

We all know that things are changing, and with those changes come new problems and new challenges.

End users and vendors alike have expressed concern about adopting Windows 10, and some of the more common issues raised include:

• Concern that the upgrade to Windows 10 will break current apps

• Key software vendors are concerned that they won't have enough time to test and then issue their statements of support

• People feel that they need more time to plan for Windows 10

• There is too much interdependency between the editions of all the different Microsoft products

• Deployment is too time-consuming and much too expensive

• Concern over security vulnerabilities

• People are saying that they need help to implement this brand new system

So, in terms of adoption, Microsoft has listened, and this is what they feel end users and business users want:

Agility:

• Access to new technology

• Microsoft needs to implement feedback quickly

• Transparency

• Enterprise-grade capabilities so that users can address the latest market trends

• Flexibility for mixed environments

Control:

• More stability

• Fewer upgrades

• A longer lifecycle for support

• More time to test and certify

• Predictability

• ISV statements of support


Windows as a Service provides a great experience for the consumer: updates are rolled out automatically through Windows Update, and the sheer diversity of the user base keeps the updates on target and specific. In addition, BYOD devices are kept fully up to date and secure, and millions of devices are updated each time.

On the other side of the coin, we have special systems, systems like air traffic control, medical systems and banking systems. All of these are mission-critical and probably don't need all the updates, all of the time, but do get regular security updates.

In the middle, we have the business user. The business user is not a consumer and does not need as many updates as consumers do, certainly not all the time and not at inopportune moments.

They are also not a special-system case, although they do need stability, planning and so on. So, how should business users be treated, since neither of these update models works particularly well for them?

Microsoft says that business users should be treated as the professionals that they are. They should be provided with updates only after the market has validated them.

In theory, this means they get access to the latest technology and value much sooner.

They should also have time to test and plan the update after its release to the broad market, and these updates will be deployed via a brand new system called Windows Update for Business.

Windows Update for Business

Windows Update for Business is a brand new feature, designed with the help of IT professionals from all over the world. The feature is designed to provide:

Rollout Rings: The IT pro can specify which devices are updated and when, deploying the update in waves so as to work any kinks out of the system before it goes to the critical devices.

Maintenance Windows: The IT pro specifies critical timeframes for when the updates should and should not be deployed.

Peer-to-Peer Delivery: IT can enable this to deliver updates to branch offices and remote sites with limited bandwidth in a more efficient manner.

Integration with Existing Tools: Such as Enterprise Mobility Suite, so that the tools are fully integrated into system management.

Windows Update for Business is designed to reduce management costs and provide more control over the deployment of updates. It will also offer quicker access to critical security updates and provide quick access to the latest innovations from Microsoft on a regular and ongoing basis.

In the past, two software update options were available. Windows Update (WU), which is what consumers have now, is aimed at BYOD devices, consumer devices and test machines.


Windows Server Update Services (WSUS) is aimed at the special systems that need only the critical security updates.

Now we have Windows Update for Business (WUB). WUB allows managers to attach devices to updates, rather than the other way around.

You get to decide which devices get which updates and when, and critical security updates will be delivered to you for deployment on a regular basis.

Windows 10 and the Internet of Things

What is the Internet of Things? IoT is the future, the future of connecting things and devices, and while it remains largely unexplored and disjointed, the opportunities are huge. To give you some idea of the sheer scale of things to come:

• By the year 2020, there will be an estimated 28 billion "things" connected to the Internet; that's four for every person on earth.

• By 2017, the opportunities for wearable devices will be worth approximately $20 billion.

• By 2017, the opportunities for the Smart Home will be worth approximately $12 billion.

But, with these huge opportunities come huge challenges, such as:

• Proprietary hardware and protocols that complicate deployment

• Manageability, configuration and identity

• Security

IoT is broken down into two main areas, Consumer and Enterprise. On the consumer side, we tend to think mainly of home devices, for automation, security, entertainment and energy management.

The Enterprise side is a little less defined and largely unexplored. The IoT is complicated: there are thousands of connections out there and no real interoperability.

Each device connects to its own separate app and possibly to its own cloud, and each one is separated from the others by a walled garden, a sandbox of activity.

To get any real value from the Internet of Things, all these devices need to be able to connect with each other, across brands, and across categories.

AllSeen and AllJoyn


AllJoyn is the name of an open source technology, a communications framework that allows devices to talk to one another and gives those devices and apps a high degree of interoperability.

AllSeen is an alliance that was set up to oversee AllJoyn and to enable the Internet of Things to work; it is also a Linux Foundation collaborative project.

AllJoyn is designed to allow devices to:

• Discover nearby friendly devices

• Identify services that are running on other devices

• Adapt to devices that are coming and going, i.e. if two devices were once paired together and then disconnected, they will remember the previous pairing and what was done when they were paired if they are paired again

• Manage diverse transports, also known as 'radio soup'

• Interoperate between all operating systems

• Exchange information, enabling one device to make another more powerful by knowing what services are running on that device

Where Does Windows 10 Come In?

As a premier member of the AllSeen Alliance, Microsoft is bringing AllJoyn into Windows 10, in three separate Windows 10 for IoT editions:

Windows 10 IoT for Industry: Enterprise devices, a full version of Windows 10 running a Desktop Shell and including legacy support for Win32 as well as Universal Windows apps and drivers.

Windows 10 IoT for Mobile: Mobile device version with a Modern Shell, which can only run modern or Universal Windows apps and drivers, but not Win32.

Windows 10 IoT Core: This has no shell and no user interface. It is for devices that connect sensors together, for example in mission-critical systems. Another example is small single-board computers such as the Raspberry Pi, with only one app running to pull everything together, gathering information and sending it all to Azure.

Microsoft is also working on giving developers the ability to build their own apps for IoT, opening up the way ahead for full-scale interoperability.

IoT Azure Security

IoT presents a brand new set of challenges in terms of security, for both the developer and the architect.


Devices get deployed, often with no supervision, in public places. We want to be able to control things remotely, perhaps devices in our homes while we are away, perhaps a car-sharing vehicle using a smartphone.

All of this has to be done in a secure way, a way that can't be tampered with, spoofed, or degraded in any way. Microsoft has come up with a way to secure our IoT experience through Azure.

Digital security has often been sidelined; operational technology engineers focus on systems that are generally closed and isolated, and IT engineers don't generally focus on personal safety.

However, it is a fundamental requirement now for IoT devices to be able to communicate with cloud-based analytic and control services, whether directly or indirectly. Together with the requirement for remote servicing and remote control of digital devices, it is past time to start looking beyond perimeter boundaries. This means that the basic network-level security seen in most systems is simply not sufficient anymore.

Service Assisted Communication is a proven model that allows for secure communication between devices and their associated services, and also with those across local networks. SAC brokers the communication with a device by directing it through a trusted gateway, either in the field or in the cloud.

This means that the device acts only as an outbound network client to the gateway, over an authenticated and encrypted channel; it never listens for inbound connections itself, which removes the attack surface that unsolicited and malicious connection attempts would otherwise target.

Azure IoT Hub is a supercharged version of Event Hub with explicit support for field gateways and additional protocols. Customers will be able to go to the Azure portal and build an IoT hub, giving them bidirectional capability. This capability gives you a way of talking directly to an IoT hub through HTTPS or AMQPS (AMQP over TLS).

Inside the hub is an Identity Registry that allows millions of devices to be registered. Each registered device has its own credentials held in the registry and is authenticated against them before it is allowed to talk to the hub, so one compromised device's credentials can be revoked without touching the rest of the fleet.

An IoT hub will be secure, with TLS always enforced: the hub will never allow a connection that is not secured, which means that any plain HTTP traffic will be turned away at the door. Devices that cannot speak TLS themselves have to talk to a self-hosted field gateway, which then speaks to the hub on their behalf. Native support for Service Assisted Communication is built in, with the potential to hold millions of those bidirectional connections I mentioned earlier.

Authentication takes place at the channel level and gateway authorization is granted based on identity registry checks. The hub tags every message with the identity that authenticated the connection, so a device cannot claim another device's identity in the payload, stopping spoofing attempts in their tracks. Device management is included so that software updates can be managed, as well as the ability to check on the state of a specific device.

As already discussed in detail, Windows 10 is providing a trusted model for security across all hardware: secure boot, trusted driver validation, trusted app validation and security policy enforcement, as well as a whole boatload of secure networking capabilities.
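The following Python is an added simulation of the checks just described (not Azure IoT Hub or Azure SDK code): a device proves possession of its registered key with a short-lived shared access signature, the hub refuses plaintext, expired, tampered and disabled-device connections, and every accepted message is stamped with the identity proven at connect time rather than any deviceId the payload claims. The token format, SharedAccessSignature sr=<url-encoded resource>&sig=<base64 HMAC-SHA256>&se=<expiry>, follows the scheme Azure IoT Hub documents; the hub name, device ids, key and ToyIoTHub class are constructed for the example.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote, unquote

HUB_HOST = "contoso-hub.azure-devices.net"   # assumed hub name


def device_resource_uri(device_id):
    """Per-device resource the token is scoped to: hub host plus device path."""
    return f"{HUB_HOST}/devices/{device_id}"


def sign(resource_uri, key_b64, expiry):
    """base64(HMAC-SHA256(key, urlencoded(uri) + '\\n' + expiry)), the SAS scheme
    IoT Hub documents; the key is the device's base64-encoded symmetric key."""
    message = f"{quote(resource_uri, safe='')}\n{expiry}".encode()
    digest = hmac.new(base64.b64decode(key_b64), message, hashlib.sha256).digest()
    return base64.b64encode(digest).decode()


def generate_sas_token(device_id, key_b64, expiry):
    """Device side: a short-lived token proving possession of the device key
    without ever sending the key itself."""
    uri = device_resource_uri(device_id)
    return (f"SharedAccessSignature sr={quote(uri, safe='')}"
            f"&sig={quote(sign(uri, key_b64, expiry), safe='')}&se={expiry}")


class ToyIoTHub:
    """Stand-in for the hub's identity registry and ingress checks."""

    def __init__(self):
        self.registry = {}    # device_id -> {"key": base64 key, "enabled": bool}
        self.telemetry = []   # messages accepted from authenticated devices

    def register_device(self, device_id, key_b64):
        self.registry[device_id] = {"key": key_b64, "enabled": True}

    def disable_device(self, device_id):
        """Lost or retired device: flip the registry flag; the device itself
        need not be reachable for its access to end."""
        self.registry[device_id]["enabled"] = False

    def connect(self, device_id, token, tls, now):
        """Admit the device and return its authenticated identity, or raise."""
        if not tls:
            raise PermissionError("plaintext connection refused; TLS is mandatory")
        entry = self.registry.get(device_id)
        if entry is None or not entry["enabled"]:
            raise PermissionError("device not in identity registry or disabled")
        prefix = "SharedAccessSignature "
        try:
            fields = dict(part.split("=", 1) for part in token[len(prefix):].split("&"))
            sr, sig, se = unquote(fields["sr"]), unquote(fields["sig"]), int(fields["se"])
        except (KeyError, ValueError):
            raise PermissionError("malformed token")
        if not token.startswith(prefix) or sr != device_resource_uri(device_id):
            raise PermissionError("token is malformed or scoped to a different resource")
        if se <= now:
            raise PermissionError("token expired")
        expected = sign(sr, entry["key"], se)
        if not hmac.compare_digest(sig.encode(), expected.encode()):
            raise PermissionError("signature does not verify against the registered key")
        return device_id

    def send(self, authenticated_device_id, body):
        """Stamp the message with the identity proved at connect time.  A
        deviceId claimed inside the payload is carried as data but never trusted."""
        message = {"connectionDeviceId": authenticated_device_id, "body": dict(body)}
        self.telemetry.append(message)
        return message


def demo(now=1_442_300_000):
    """Constructed walk-through: refused plaintext, accepted TLS session, payload
    spoofing attempt, tampered signature, expired token, disabled device."""
    hub = ToyIoTHub()
    key = base64.b64encode(b"constructed demo key for sensor-01").decode()   # constructed key
    hub.register_device("sensor-01", key)
    token = generate_sas_token("sensor-01", key, now + 3600)
    results = {}

    def attempt(label, tok=token, tls=True, at=now):
        try:
            results[label] = hub.connect("sensor-01", tok, tls, at)
        except PermissionError as err:
            results[label] = str(err)

    attempt("plaintext", tls=False)
    attempt("tls")
    message = hub.send(results["tls"], {"deviceId": "sensor-99", "temperature": 21.5})
    results["stamped_id"] = message["connectionDeviceId"]       # hub's identity wins
    attempt("tampered", tok=token.replace("&sig=", "&sig=AAAA"))
    attempt("expired", at=now + 7200)
    hub.disable_device("sensor-01")
    attempt("disabled")
    return results
```

Two details carry the security argument: the signature is verified with a constant-time comparison against a key that never leaves the registry, and send() takes the identity returned by connect() rather than reading it from the message, which is exactly why a compromised sensor cannot inject readings under another device's name.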


Azure IoT services bring hyper-scale connection capabilities for collecting, storing and processing IoT data, as well as ensuring a secure communication stream between the cloud and devices, or field gateways, through the SAC model.

In the same way that a Windows 10 device can combine with any cloud platform, Azure IoT services will be able to provide support for any device and any operating system, provided a compatible communication stack is present. Additionally, through Azure, Microsoft is committed to securing data and to keeping it private; the same applies to all IoT data.


Summary

A tremendous amount of thought and planning have gone into making the Windows 10 ecosystem secure. Microsoft has taken the time to listen to customers, make adjustments and in many areas be proactive to lock down different elements of the O.S. In areas like facial recognition (via Windows Hello), Microsoft are leading the way in helping bring industrial-strength security to corporations AND the regular consumer.

As long as there are computers that are locked down, there will be hackers trying to break into them. With Windows 10 however, Microsoft have done their best to make it pretty damn hard for someone to get into your PC if you use the tools available to you.

I hope this book has been as much fun to read as it was for me to write. As usual, I would love to hear from you so feel free to email me at securitybook@windows10update.com

Additional Windows 10 Training

In addition, if you are looking for Windows 10 training, we have a couple of classes on Udemy you should check out.

Introduction to Microsoft's Windows 10

https://www.udemy.com/introduction-to-windows-10/

This class is regularly $50. Here's a coupon code for $20 off - Windows10SecurityBook40

Setting up Windows 10 for Business

https://www.udemy.com/setting-up-windows-10-for-small-business/

This class is regularly $250. Here's a coupon code for $100 off - Windows10SecurityBook40

Thanks for taking this journey with me.

I appreciate your time.

Onuora Amobi.