This post is from our recent three-part Windows 10 webinar series. You can watch video replays of the entire Windows 10 webinar series at the following links.
Windows 10 Features and Navigation
Windows instructor Steve Fullmer introduces the navigation and some of the new features associated with Windows 10, including Sysinternals Tools for Windows Client, as well as some of the features that are not yet ready for prime time but will be released shortly with Windows 10.
Managing, Deploying and Configuring Windows 10
Systems Instructor Rick Trader presents the deployment and management of Windows 10 Enterprise, the new Provisioning capability in Windows 10, and Windows 10 deployments using System Center Configuration Manager, Mobile Device Management and Intune, Active Directory, and Group Policy Management.
Windows 10 Security – What’s New and Improved?
Security Expert Mike Danseglio presents the enhanced security features of SmartScreen, Defender and BitLocker in Windows 10 and new features such as Biometric Identification, Microsoft Passport, Device Guard and more.
Instructor – Steve Fullmer
Before we get underway, we’re talking about Windows 10 and its new features. Microsoft has introduced some terminology associated with some of these new features. As a CompTIA instructor for both A+ and Security+, I can tell you that some of the terminology Microsoft introduced is not necessarily industry standard. It’s their interpretation and their implementation.
To make that clear, as we talk about some of the new features, I’m going to give you a little bit of that background that’ll help you as you take a look at some of the terminologies you’ll find in documentation associated with Windows 10 releases.
The first of these terminologies is what is called “Windows Hello.”
Windows Hello has new functions and features that Microsoft is embedding in Windows 10 that have to do with biometric identification, facial recognition, fingerprint or hand print, also iris and/or retinal scans.
Microsoft started to introduce the technology in the device drivers that are digitally signed to support that kind of identification and authentication in Windows 7. They’ve enhanced it in Windows 8. They’re even going further in Windows 10.
It’s a part of their sign‑in features that include “Windows Passport.”
Windows Passport is a new technology designed to automatically encourage and enforce at least two‑factor, if not three‑factor, authentication.
That means combining a login ID and a password or PIN with a second factor such as Windows Hello, or with other factors such as tokens, a USB card, a proximity card, or Near Field Communication as we move to portable devices.
Windows Passport will require Microsoft Active Directory, Azure Active Directory and/or non‑Microsoft support for what we call “FIDO,” Fast ID Online.
Let me describe FIDO a little bit because it’s not really a Microsoft technology. FIDO is an open‑source technology that’s becoming prominent in the mobile device industry, primarily supported by the financial industry.
Think about the phones you use to make a payment, whether at Starbucks or a restaurant, where effectively your device is a digital token to which you apply your fingerprint or a PIN to identify yourself for financial payments. That’s what FIDO is all about. FIDO is essentially an open‑source alliance; the name stands for Fast ID Online.
Microsoft is incorporating the ability to use any of the FIDO technologies into their Windows Passport solutions. It doesn’t have to be a Microsoft solution; you can use some of the open‑source content with Windows Passport, as well as with Hello and some of the other features that Microsoft is introducing.
DLP (Data Leakage Prevention)
Moving on to a couple of other terms. Typically, when we see DLP, as a Security+ expert, we talk about Data Loss Prevention. But Microsoft is using the term a little more broadly, where we might talk about Data Leakage Prevention.
In the security arena, we talk about the concept of data being protected In‑Place, In‑Use, or In‑Transit.
In‑Place is the kind of protection we put on a hard drive. Microsoft has been providing that for some time with tools like BitLocker, so that you can encrypt your data in‑place. We also have encryption solutions that are network‑based or built into storage array networks, et cetera. That would be in‑place.
The In‑Use solutions include anti‑virus solutions like Windows Defender, anti‑spyware solutions (whether from Microsoft or other vendors), and pop‑up blockers that prevent your system from being attacked or hacked while you are using the operating system or applications.
Other In‑Use features include preventing certain drivers or application elements from being loaded and run as executables by the operating system unless, for instance, the Data Execution Prevention bit, the NX bit, is turned on.
Microsoft went further in Windows 7 and Windows 8 to protect your operating system by digitally signing operating system and driver components. This assures that no component of your system that is not digitally signed, or that has been altered, will be run as an executable. That’s an in‑use enhancement of your system.
What we are guarding against could be data loss or even data leakage. Data leakage is the concept that your business’s intellectual property is getting out and being looked at by people who don’t have, or shouldn’t have, access to it.
The most common place for data leakage to occur is in transit across the network, the Internet as well as the internal network. Consider those hackers who are trying to look at packets as they transit the network.
Data leakage is them looking at it, and you don’t want that to happen. IPsec, available in Windows 7, Windows 8 and Windows 10, is one component of preventing that data leakage, but it isn’t everything. Microsoft has added more to what they mean when they say DLP. You’ll see that terminology in some of my demos and in some of what Rick and/or Mike talk about, so I want you to get that overview of the terminology first.
Another concept is “BYOD,” Bring Your Own Device. One of the issues here (this comes not so much from Microsoft as from my background in security and teaching the CompTIA Security+ course) is that many employees want to bring their own laptops, tablets, and cellphones to work.
The ability of those devices to attach to your systems to get intellectual property, and to have it reside on or transit their system, is consistently and constantly increasing.
The challenge is that a recent study suggests that about 15 percent of all employees don’t believe their employers have any right to touch or add components to their devices in order to protect that intellectual property.
As a matter of fact, an even larger percentage don’t believe there is any real issue with using their own devices, because they’re careful, or their devices won’t get into the hands of malicious people, et cetera.
There is an issue today with Bring Your Own Device (BYOD). Microsoft, rather than supporting that, is supporting a concept called Choose Your Own Device (CYOD).
CYOD is effectively where the employer provides a set of devices with pre‑installed security settings and pre‑installed intellectual property controls, so that the end user, the employee, gets some choice in what they pick, but only as long as it’s compliant with company policy.
This also includes the concept of Remote Wipe of data, or Remote Wipe of lost or stolen equipment. Microsoft has taken Bring Your Own Device into the Choose Your Own Device environment, so you’ll see a lot of CYOD versus BYOD.
Mobile Device Management (MDM) or Over the Air (OTA):
We’re talking about the ability to manage devices through cell carriers, through WiFi, through Bluetooth, and through Near Field Communication, now that devices have the ability to transmit data through all of those different media.
Remember when we talk about that data leak prevention, we’re also talking about the ability of somebody to capture your packets as they transit.
We therefore want to take a look, from a security perspective, at solutions that help us manage our devices. That includes Remote Wipe, and it includes the ability to identify and authenticate whoever is connecting to us over the air, through this wireless kind of technology, to grab the data.
Microsoft has added a lot of technology to the Windows 10 platform to help us secure our systems using not only Microsoft but also third‑party Mobile Device Management (MDM) solutions. Microsoft supports numerous open‑source or third‑party applications to do that.
That covers the high‑level overview of the terminology. As we go through the actual demonstration, I’ll talk about other things like Virtualization‑Based Security as well as Configurable Code Integrity (CCI).
CCI is the management of digital credentials and how Microsoft plans to move forth with them.
I’ll also touch on Credential Guard, a Group Policy solution that Rick Trader will cover in the next module, and Device Guard, which is about digital certificates and controlling devices that act like tokens or token carriers, including the use of a Trusted Platform Module version 2.0, which should be on your motherboard to support some of the advanced features of Windows 10.
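To make the terminology concrete, here is an added PowerShell audit (not from the webinar, and not Microsoft’s own tooling) that reports on the In‑Place, In‑Use and In‑Transit controls discussed under DLP above, together with the Virtualization‑Based Security, Credential Guard, Device Guard code‑integrity and TPM 2.0 prerequisites just mentioned. It assumes Windows 10, an elevated session, and the BitLocker, TrustedPlatformModule, NetSecurity and PnpDevice modules that ship with the OS.

```powershell
#Requires -RunAsAdministrator
# Added example: audit the protection states discussed in this section.
# Function name and report keys are this example's own choices, not Microsoft terminology.
function Get-Win10ProtectionReport {
    $report = [ordered]@{}

    # In-Place: BitLocker protection must be On for every volume it knows about
    $vols = Get-BitLockerVolume -ErrorAction SilentlyContinue
    $report['InPlace_BitLockerOnAllVolumes'] = (@($vols | Where-Object ProtectionStatus -ne 'On').Count -eq 0)

    # In-Use: DEP/NX policy. 0 = AlwaysOff, 1 = AlwaysOn, 2 = OptIn (default), 3 = OptOut
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $report['InUse_DepPolicy']      = $os.DataExecutionPrevention_SupportPolicy
    $report['InUse_DepAlwaysOrOptOut'] = ($os.DataExecutionPrevention_SupportPolicy -in @(1, 3))

    # In-Use: VBS, Credential Guard, HVCI and Configurable Code Integrity enforcement
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $report['VBS_Running']             = ($dg.VirtualizationBasedSecurityStatus -eq 2)    # 0 off, 1 enabled, 2 running
    $report['CredentialGuard_Running'] = ($dg.SecurityServicesRunning -contains 1)        # 1 = Credential Guard
    $report['HVCI_Running']            = ($dg.SecurityServicesRunning -contains 2)        # 2 = HVCI
    $report['CCI_KernelPolicyEnforced'] = ($dg.CodeIntegrityPolicyEnforcementStatus -eq 2) # 0 off, 1 audit, 2 enforced

    # Hardware root: a TPM reporting spec version 2.0 (SpecVersion looks like "2.0, 0, 1.16")
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $report['TPM_Present'] = [bool]$tpm
    $report['TPM_2_0']     = [bool]($tpm -and $tpm.SpecVersion -like '2.0*')

    # Windows Hello: at least one working biometric device (fingerprint reader, IR camera)
    $report['WindowsHello_BiometricDevice'] = (@(Get-PnpDevice -Class Biometric -Status OK -ErrorAction SilentlyContinue).Count -gt 0)

    # In-Transit: IPsec connection-security rules defined, and main-mode SAs actually negotiated right now
    $report['InTransit_IPsecRulesEnabled'] = @(Get-NetIPsecRule -Enabled True -ErrorAction SilentlyContinue).Count
    $report['InTransit_ActiveMainModeSAs'] = @(Get-NetIPsecMainModeSA -ErrorAction SilentlyContinue).Count

    return [pscustomobject]$report
}

Get-Win10ProtectionReport | Format-List
```

A zero for the IPsec rule count does not by itself mean traffic is unprotected (a VPN or application-layer TLS may be in use), but it does mean the Windows IPsec component the speaker refers to is not configured on this host.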
For more, watch the entire presentation at our Video Training Website: Windows 10 Features and Navigation.