Windows 10 hardening and enterprise security

Aug 10, 2015 | 5 mins
Data and Information Security | Security | Small and Medium Business

Lots to like, but with some caveats

A few months ago, the system administrator for one of my PCI customers asked for help with Windows 7 hardening, given that most of his familiarity was with various Unix flavors. I responded with the comment “hardening of Windows is a relative term.” In my research to make sure I gave him the best possible checklist, I ran across one document on the subject that was 437 pages! 

While Windows 10 is not likely to reduce the 437-page hardening document to two pages, it does include some promising features that can make hardening and enterprise management easier, especially important for those in large PCI- or HIPAA-regulated environments. 

With the promise of improved hardening and security management, however, come some inevitable speed bumps. First and foremost is the fact that many of the features I will discuss here (Device Guard, Credential Guard and the Long Term Servicing Branch among them) come only with the Enterprise edition, not the “free” upgrade widely advertised by Microsoft and discussed in the press. Additionally, Microsoft has incorporated a variety of new “features” that will cause privacy concerns for many. One might say that Redmond giveth, and Redmond taketh away. 

If you have been paying attention to the Windows 10 rollout, you are likely aware that Microsoft is moving away from major Windows releases to incremental changes, somewhat similar to Apple’s approach (meaning no insult to my Mac friends). Under this approach, the Windows 10 upgrade, which occurs in place with little fanfare, is free to most users. New features and fixes will continue to be rolled out incrementally. This will save Microsoft support dollars in the long run, given that, like Apple, Microsoft will be more likely to have a greater percentage of users on the same major Windows version. That being said, we must expect the company to find some approach to monetizing Windows 10, and it will accomplish this via the Enterprise version, not only requiring its purchase, but ongoing software assurance as well. 

One of the more important Enterprise hardening capabilities comes as a byproduct of Microsoft’s incremental approach to new features. For those needing a hardened environment, pushing out frequent new features would spawn an almost continuous effort to test, adjust and approve each new hardened release. To address this, Microsoft has introduced the Long Term Servicing Branch (LTSB). An LTSB release is a separate Windows 10 Enterprise edition that receives security and other critical fixes but no feature updates (it also omits the consumer-facing pieces such as Edge, the Store and Cortana), and each such branch is maintained for Microsoft’s standard ten-year lifecycle: five years of mainstream support followed by five years of extended support. 

While the details are not fully known yet, we are told that users will be able to move from an LTSB to the Current Branch and back, as well as to a later LTSB. As now, administrators will be able to control the deployment of non-feature updates with Windows Server Update Services (WSUS), and Pro and Enterprise machines can additionally be set to defer feature upgrades. Home users of the “free” upgrade, on the other hand, will no longer be able to control which updates they receive. 
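Before staging updates, it helps to know which branch a given machine is actually on and whether it is taking updates from WSUS or straight from Microsoft. The following PowerShell script is an added example (not from the original article) that reports this from the documented Windows Update policy keys; it assumes the 2015-era policy value names (WUServer, UseWUServer, DeferUpgrade, AUOptions) and detects LTSB from the edition name, which is an assumption of this example:

```powershell
# Added example: report servicing branch and update-control state of a Windows 10 machine.
# Read-only. Run in an elevated PowerShell prompt.
function Get-UpdateControlReport {
    $ver = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    # Policy keys only exist when a GPO (or an admin) has written them.
    $wu  = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'    -ErrorAction SilentlyContinue
    $au  = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Edition        = $ver.ProductName
        Build          = "$($ver.CurrentBuild).$($ver.UBR)"
        # Assumption: LTSB editions carry "LTSB" in ProductName, e.g. "Windows 10 Enterprise 2015 LTSB".
        Branch         = if ($ver.ProductName -match 'LTSB') { 'LTSB' } else { 'Current Branch' }
        WsusServer     = $wu.WUServer
        UsesWsus       = ($au.UseWUServer -eq 1 -and -not [string]::IsNullOrEmpty($wu.WUServer))
        DeferUpgrades  = ($wu.DeferUpgrade -eq 1)      # "Defer Upgrades" policy (Pro/Enterprise only)
        AutoUpdateMode = $au.AUOptions                 # 2=notify, 3=auto download, 4=scheduled install, 5=admin chooses
    }
}

$report = Get-UpdateControlReport
$report | Format-List

# The machines you cannot stage are the ones that are neither on LTSB, nor deferring
# feature upgrades, nor pointed at WSUS: they take whatever Microsoft ships, when it ships.
if ($report.Branch -ne 'LTSB' -and -not $report.DeferUpgrades -and -not $report.UsesWsus) {
    Write-Warning 'Feature upgrades on this machine are not under administrative control.'
}
```

Run it as part of an inventory job and filter on the warning; a Home edition will show no policy keys at all, which is the point the article makes about the free upgrade.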

Windows 10 includes a number of additional features that will be of interest to corporate security officers, including:

Multifactor authentication

The ability to use multifactor authentication for PC access is built into Windows 10 at the OS level (Microsoft Passport, with Windows Hello for biometrics). It pairs something the user has, the enrolled device holding a private key (in the TPM where one is present), with something the user is or knows: a fingerprint, face or iris via a supported sensor, or a PIN that is verified locally and never leaves the device. This will be useful for corporate environments, particularly in limiting what can be done with a lost laptop’s logon, although it is still BitLocker, not the logon factor, that protects the data on the disk. 

Data loss prevention (DLP)

As I discussed in “Closing the data floodgates,” DLP automates the process of monitoring for and masking the transmission or exposure of protected data such as Social Security numbers. This is normally complicated to implement and manage, but Microsoft is trying to simplify the process by incorporating some DLP features directly into Windows 10, via its Enterprise Data Protection functionality. Note that this was announced for Windows 10 but did not ship in the initial July 2015 release; it arrived about a year later as Windows Information Protection. The facility includes the ability to recognize and transparently encrypt corporate versus personal data, some remote device wiping capabilities, and audit reports. 

Application control

Prior Windows versions allowed users to install untrusted applications after a strongly worded warning (SmartScreen). Windows 10 Enterprise adds Device Guard, a code integrity policy under which a binary runs only if it is signed by a signer the policy trusts or matches an explicit whitelist. The policy is enforced by the kernel and, on hardware with UEFI Secure Boot and virtualization extensions, the integrity checks themselves run in a Hyper-V isolated environment so that even kernel-mode malware cannot switch them off. This gives security administrators automated control over users running potentially harmful applications, at the cost of building the policy from a clean reference machine and running it in audit mode before enforcing it. 
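The practical sequence is: scan a clean reference machine, deploy the resulting policy in audit mode, read the audit events for a while, then enforce. The script below is an added example, not from the article or Microsoft, using the ConfigCI module cmdlets that ship with Windows 10 Enterprise; the working directory C:\CIPolicy and the seven-day window are this example’s assumptions.

```powershell
# Added example: build and stage a Device Guard code integrity policy in audit mode.
# Requires Windows 10 Enterprise (ConfigCI module). Run elevated on the reference image.
Import-Module ConfigCI
$work = 'C:\CIPolicy'                                   # assumed working directory
New-Item -ItemType Directory -Path $work -Force | Out-Null

# Scan installed software. Level PcaCertificate trusts anything chained to the same
# issuing CAs as what is installed; unsigned files fall back to per-file hashes.
# -UserPEs includes user-mode binaries, not just drivers.
New-CIPolicy -Level PcaCertificate -Fallback Hash -UserPEs `
             -ScanPath 'C:\' -FilePath "$work\Policy.xml"

# Rule option 3 = Enabled:Audit Mode. Violations are logged, nothing is blocked.
Set-RuleOption -FilePath "$work\Policy.xml" -Option 3

# Compile to the binary form the kernel reads at boot and put it in place.
ConvertFrom-CIPolicy -XmlFilePath "$work\Policy.xml" -BinaryFilePath "$work\SIPolicy.p7b"
Copy-Item "$work\SIPolicy.p7b" "$env:windir\System32\CodeIntegrity\SIPolicy.p7b"
# Reboot, run the real workload for a while, then review what WOULD have been blocked.

# Event ID 3076 = audit-mode "would have been blocked"; 3077 = blocked under enforcement.
function Get-CodeIntegrityAuditHits {
    param([int]$Days = 7)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-CodeIntegrity/Operational'
        Id        = 3076
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Message
}
Get-CodeIntegrityAuditHits | Format-List

# Only once the audit log is clean (or the policy has been extended with Merge-CIPolicy)
# remove the audit option and redeploy to enforce:
#   Set-RuleOption -FilePath "$work\Policy.xml" -Option 3 -Delete
```

Every 3076 event is either a binary you forgot, which belongs in the policy, or something that should never have been on the box; sorting that out is the real work of hardening, and the audit log is the cheapest way to do it without a help-desk flood.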

Credential protection (Credential Guard)

Windows 10 Enterprise also protects the secrets that let a user keep accessing resources after the initial authentication (NTLM password hashes and Kerberos ticket-granting tickets held by LSASS) by moving them into an isolated process, LsaIso.exe, that runs in a virtualization-based secure environment; malware on the host cannot read them even with SYSTEM privileges. This mitigates, rather than eliminates, Pass-the-Hash and Pass-the-Ticket: an attacker who controls the host can still use the credentials through the isolated process while the user is logged on, and nothing here stops a user from typing a password into a phishing site. Credential Guard requires UEFI Secure Boot and hardware virtualization extensions (a TPM is recommended), and it must be explicitly turned on.
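Because the feature only helps when it is actually running, not merely configured, the check below is worth adding to any build verification. It is an added example (not from the article) that reads the Win32_DeviceGuard WMI class, looks for the isolated LSA process and reads the LsaCfgFlags registry value; the interpretation of the numeric codes follows Microsoft’s documentation for that class.

```powershell
# Added example: verify that virtualization-based security and Credential Guard are live.
# Read-only. Run elevated.
function Test-CredentialGuard {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard

    # SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI (hypervisor-enforced code integrity)
    # VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but not running, 2 = running
    $cgRunning   = $dg.SecurityServicesRunning -contains 1
    $hvciRunning = $dg.SecurityServicesRunning -contains 2
    $vbsRunning  = $dg.VirtualizationBasedSecurityStatus -eq 2

    # The isolated LSA process exists only while Credential Guard is actually protecting secrets.
    $lsaIso = [bool](Get-Process -Name LsaIso -ErrorAction SilentlyContinue)

    # LsaCfgFlags: 1 = enabled with UEFI lock (cannot be disabled remotely), 2 = enabled without lock
    $flags = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue).LsaCfgFlags

    [pscustomobject]@{
        VbsRunning             = $vbsRunning
        CredentialGuardRunning = ($cgRunning -and $lsaIso)
        HvciRunning            = $hvciRunning
        UefiLocked             = ($flags -eq 1)
        # RequiredSecurityProperties: 1 = VBS, 2 = Secure Boot, 3 = DMA protection
        RequiredPlatformProps  = ($dg.RequiredSecurityProperties -join ',')
        AvailablePlatformProps = ($dg.AvailableSecurityProperties -join ',')
    }
}

$state = Test-CredentialGuard
$state | Format-List
if (-not $state.CredentialGuardRunning) {
    Write-Warning 'LSA secrets are NOT isolated on this host; do not count on pass-the-hash mitigation here.'
}
```

A common failure mode is a policy that enables the feature on hardware lacking Secure Boot or VT-x: the machine reports it as configured, VirtualizationBasedSecurityStatus stays at 1, and LsaIso.exe never starts. The AvailablePlatformProps column tells you which prerequisite is missing.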

If you are tempted to cede protection of your corporate security to Windows 10 and relax, you may be a bit premature, however. There are some well-publicized privacy exposures in Windows 10 that will take some work to control. These include Wi-Fi Sense, which offers to share your Wi-Fi access with Outlook.com, Skype and Facebook contacts (sharing requires an opt-in for each network, but the feature itself is on by default); location tracking; and Cortana and the Edge browser sending your searches and browsing history to Microsoft so it can “help” you, on top of the telemetry the OS reports by default. Security managers will want to make sure these privacy holes are plugged as they deploy new workstations. 
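For the exposures named above that have a machine-wide policy, the registry values below are what the corresponding Group Policy settings write, so they can be set in an image or checked on a built machine. This is an added example (not from the article); in a domain you would set these through a GPO rather than a script, and the Edge page-prediction setting is per user and not covered here. The Set-PolicyValue and Get-PrivacyPolicyState helpers are this example’s own names.

```powershell
# Added example: apply and verify the machine-wide privacy policy values for
# Wi-Fi Sense, location, Cortana and telemetry. Run elevated.
function Set-PolicyValue {
    param([string]$Path, [string]$Name, [int]$Value)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    Set-ItemProperty -Path $Path -Name $Name -Value $Value -Type DWord
}

# The checks double as the desired state, so apply and verify share one table.
$policy = @(
    # Wi-Fi Sense: no automatic connection to contact-shared or suggested hotspots
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\WcmSvc\wifinetworkmanager\config';  Name = 'AutoConnectAllowedOEM'; Expect = 0 },
    # Location platform off for every user on the machine
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors'; Name = 'DisableLocation';       Expect = 1 },
    # Cortana off: the search box stops sending queries to Microsoft
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search';    Name = 'AllowCortana';          Expect = 0 },
    # Telemetry level 0 (Security) is honoured only on Enterprise/Education; others floor at 1 (Basic)
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection';    Name = 'AllowTelemetry';        Expect = 0 }
)

function Set-PrivacyPolicy {
    foreach ($p in $policy) { Set-PolicyValue -Path $p.Path -Name $p.Name -Value $p.Expect }
}

function Get-PrivacyPolicyState {
    foreach ($p in $policy) {
        $actual = (Get-ItemProperty -Path $p.Path -Name $p.Name -ErrorAction SilentlyContinue).($p.Name)
        [pscustomobject]@{
            Setting   = $p.Name
            Expected  = $p.Expect
            Actual    = $actual            # $null means the policy was never set
            Compliant = ($actual -eq $p.Expect)
        }
    }
}

Set-PrivacyPolicy
Get-PrivacyPolicyState | Format-Table -AutoSize
```

Run Get-PrivacyPolicyState alone on machines you did not build to see which of the defaults are still in force; a null Actual column is the giveaway that nobody has touched the setting.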

Overall, Windows 10 offers much to help the corporate security officers sleep better, but they may be rudely awakened on occasion by nagging privacy issues.


Robert C. Covington, the "Go To Guy" for small and medium business security and compliance, is the founder and president of togoCIO. Mr. Covington has a B.S. in Computer Science from the University of Miami, with over 30 years of experience in the technology sector, much of it at the senior management level. His functional experience includes major technology implementations, small and large-scale telecom implementation and support, and operations management, with emphasis on high-volume, mission critical environments. His expertise includes compliance, risk management, disaster recovery, information security and IT governance.

Mr. Covington began his Atlanta career with Digital Communications Associates (DCA), a large hardware/software manufacturer, in 1984. He worked at DCA for over 10 years, rising to the position of Director of MIS Operations. He managed the operation of a large 24x7 production data center, as well as the company’s product development data center and centralized test lab.

Mr. Covington also served as the Director of Information Technology for Innotrac, which was at the time one of the fastest growing companies in Atlanta, specializing in product fulfillment. Mr. Covington managed the IT function during a period when it grew from 5 employees to 55, and oversaw a complete replacement of the company’s systems, and the implementation of a world-class call center operation in less than 60 days.

Later, Mr. Covington was the Vice President of Information Systems for Teletrack, a national credit bureau, where he was responsible for information systems and operations, managing the replacement of the company’s complete software and database platform, and the addition of a redundant data center. Under Mr. Covington, the systems and related operations achieved SAS 70 Type II status, and received a high audit rating from the Federal Deposit Insurance Corporation and the Office of the Comptroller of the Currency.

Mr. Covington also served as Director of Information Technology at PowerPlan, a software company providing software for asset-intensive industries such as utilities and mining concerns, and integrating with ERP systems including SAP, Oracle Financials, and Lawson. During his tenure, he redesigned PowerPlan's IT infrastructure using a local/cloud hybrid model, implemented IT governance based on ITIL and COBIT, and managed the development of a new corporate headquarters.

Most recently, Mr. Covington, concerned about the growing risks facing small and medium business, and their lack of access to an experienced CIO, formed togoCIO, an organization focused on providing simple and affordable risk management and information security services.

Mr. Covington currently serves on the board of Act Together Ministries, a non-profit organization focused on helping disadvantaged children, and helping to strengthen families. He also leads technical ministries at ChristChurch Presbyterian. In his spare time, he enjoys hiking and biking.

The opinions expressed in this blog are those of Robert C. Covington and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.
