Lots to like, but with some caveats

A few months ago, the system administrator for one of my PCI customers asked for help with Windows 7 hardening, given that most of his familiarity was with various Unix flavors. I responded with the comment “hardening of Windows is a relative term.” In my research to make sure I gave him the best possible checklist, I ran across one document on the subject that was 437 pages!

While Windows 10 is not likely to reduce the 437-page hardening document to two pages, it does include some promising features that can make hardening and enterprise management easier, which is especially important for those in large PCI- or HIPAA-regulated environments.

With the promise of improved hardening and security management, however, come some inevitable speed bumps. First and foremost is the fact that many of the features I will discuss here come as part of the Enterprise version, not the “free” version widely advertised by Microsoft and discussed in the press. Additionally, Microsoft has incorporated a variety of new “features” that will cause privacy concerns for many. One might say that Redmond giveth, and Redmond taketh away.

If you have been paying attention to the Windows 10 rollout, you are likely aware that Microsoft is moving away from major Windows releases to incremental changes, somewhat similar to Apple’s approach (meaning no insult to my Mac friends). Under this approach, the Windows 10 upgrade, which occurs in place with little fanfare, is free to most users. New features and fixes will continue to be rolled out incrementally. This will save Microsoft support dollars in the long run, given that, like Apple, Microsoft will be more likely to have a greater percentage of users on the same major Windows version. That being said, we must expect the company to find some approach to monetizing Windows 10, and it will accomplish this via the Enterprise version, not only requiring its purchase, but ongoing software assurance as well.
One of the more important Enterprise hardening capabilities comes as a byproduct of Microsoft’s incremental approach to new features. For those needing a hardened environment, pushing out frequent new features would spawn an almost continuous effort to test, adjust and approve each new hardened release. To address this, Microsoft has introduced the Long Term Servicing Branch (LTSB). The LTSB will be a stable release, relatively speaking, with only critical fixes being applied. Each such branch will be maintained for Microsoft’s entire five-year support period. While the details are not fully known yet, we are told that users will be able to easily move from an LTSB to the Current Branch and back, as well as to a later LTSB. As now, administrators will be able to control the deployment of non-feature updates with Windows Server Update Services (WSUS). The Windows 10 “free” users, on the other hand, will no longer be able to control which updates they receive.

Windows 10 includes a number of additional features that will be of interest to corporate security officers, including:

Multifactor authentication

The ability to use multifactor authentication for PC access is incorporated into Windows 10 at the OS level. It will support either a biometric device or a PIN sent to a mobile device. This will be useful for corporate environments, particularly in securing lost laptops.

Data loss prevention (DLP)

As I discussed in “Closing the data floodgates,” DLP automates the process of monitoring for and masking the transmission or exposure of protected data such as Social Security numbers. This is normally complicated to implement and manage, but Microsoft is trying to simplify the process by incorporating some DLP features directly into Windows 10, via its Enterprise Data Protection functionality. This facility includes the ability to recognize corporate data, as distinct from personal data, and encrypt it transparently, along with some remote device wiping capabilities and audit reports.
Application control

Prior Windows versions allowed users to install untrusted applications after a strongly worded warning. Windows 10 adds Device Guard, which can block untrusted applications outright. This will give security administrators better automated control over users running potentially harmful applications.

Phishing protection

Windows 10 provides some inherent protection from certain phishing attacks by placing the user access token, which allows continued user access after initial authentication, in a secure container. This will eliminate certain classes of attacks, such as Pass the Hash and Pass the Ticket.

If you are tempted to cede protection of your corporate security to Windows 10 and relax, you may be a bit premature, however. There are some well-publicized privacy exposures in Windows 10 that will take some work to control. These include Windows 10 sharing your Wi-Fi information automatically with people in your address list, tracking your location, and sending your browsing history to Microsoft so it can “help” you. Security managers will want to make sure these privacy holes are plugged as they deploy new workstations.

Overall, Windows 10 offers much to help corporate security officers sleep better, but they may be rudely awakened on occasion by nagging privacy issues.
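As an added illustration (my own example, not from the article or from Microsoft), the read-only PowerShell audit below checks the settings behind the features and privacy concerns discussed above on a Windows 10 Enterprise workstation: Device Guard and Credential Guard status through the Win32_DeviceGuard WMI class, and the policy registry values that turn off Wi-Fi Sense sharing, location tracking and diagnostic data collection. The class name, property meanings and registry paths are taken from Microsoft documentation as I know it rather than from this article, and the browsing-history concern is approximated by the telemetry policy; verify each against your own build before relying on the output.

```powershell
# Added example: read-only audit of Windows 10 Enterprise hardening and privacy settings.
# Class name, property codes and registry paths are assumptions from Microsoft documentation,
# not from the article; verify against your own Windows build. Run from an elevated prompt.

function Get-RegValueOrNull {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # key or value absent: the setting is still at its default
}

$findings = @()

# Device Guard / Credential Guard state from the virtualization-based security WMI class.
# The namespace is missing on editions without the feature, so tolerate a null result.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                      -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
# SecurityServicesRunning: 1 = Credential Guard (the protected access token), 2 = HVCI
$credGuard = [bool]($dg.SecurityServicesRunning -contains 1)
# CodeIntegrityPolicyEnforcementStatus: 0 = off, 1 = audit only, 2 = enforced
$codeIntegrity = $dg.CodeIntegrityPolicyEnforcementStatus
$findings += [pscustomobject]@{ Check='Credential Guard running'; Ok=$credGuard; Value=$credGuard }
$findings += [pscustomobject]@{ Check='Device Guard code integrity enforced'
                                Ok=($codeIntegrity -eq 2); Value=$codeIntegrity }

# Privacy controls the article calls out. 'Want' is the hardened value.
# AllowTelemetry = 0 (Security level) is honored only on Enterprise editions.
$privacy = @(
    @{ Check='Wi-Fi Sense sharing disabled'
       Path='HKLM:\SOFTWARE\Microsoft\WcmSvc\wifinetworkmanager\config'
       Name='AutoConnectAllowedOEM'; Want=0 },
    @{ Check='Location services disabled by policy'
       Path='HKLM:\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors'
       Name='DisableLocation'; Want=1 },
    @{ Check='Diagnostic data (telemetry) set to Security level'
       Path='HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection'
       Name='AllowTelemetry'; Want=0 }
)
foreach ($p in $privacy) {
    $v = Get-RegValueOrNull -Path $p.Path -Name $p.Name
    $findings += [pscustomobject]@{ Check=$p.Check; Ok=($v -eq $p.Want); Value=$v }
}

# One row per check; Ok=False rows are the items to plug before the workstation ships.
$findings | Format-Table -AutoSize
```

A null Value means the policy key has never been set, which is worth treating as a finding rather than as a pass.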