Windows 10 is finally about to become the most popular operating system as it slowly replaces Windows 7. Microsoft introduced Device Guard and Credential Guard in Windows 10 and, in subsequent updates, has added other virtualization-based protections to the operating system.
Microsoft tackled the two biggest challenges for enterprises with Windows 10: password management and protecting the operating system from attackers. Windows Defender was renamed Windows Security in 2017 and now includes anti-malware and threat detection, firewall and network security, application and browser controls, device and account security, and device health. Windows Security shares status information between Microsoft 365 services and interoperates with Windows Defender Advanced Threat Protection, Microsoft’s cloud-based forensic analysis tool.
Device Guard and Credential Guard remain the two standout security features of Windows 10 – they protect the core kernel from malware and prevent attackers from remotely taking control of the machine. Microsoft has also grouped other virtualization-based protections such as Windows Defender Application Guard under the Windows Security umbrella.
Device Guard relies on Windows 10’s virtualization-based security to allow only trusted applications to run on devices. Credential Guard protects corporate identities by isolating them in a hardware-based virtual environment. Microsoft isolates critical Windows services in the virtual machine to block attackers from tampering with the kernel and other sensitive processes. With Application Guard, Microsoft Edge opens untrusted websites in an isolated Hyper-V enabled container, keeping the host operating system protected from potentially malicious sites. These features rely on the same hypervisor technology already used by Hyper-V.
Apps on lockdown
Device Guard relies on both hardware and software to lock down the machine so that it can run only trusted applications. Applications must have a valid cryptographic signature from specific software vendors — or from Microsoft if the application comes from the Windows Store. Device Guard assumes that all software is suspicious, and relies on the enterprise to decide which is trusted.
Although there have been reports of malware code writers stealing certificates to sign malware, a significant majority of malware is unsigned code. The reliance of Device Guard on signed policies will block most malware attacks.
“It is a great way to protect against zero-day attacks that make it by anti-malware defenses,” Trump said.
Windows 10 – Not yet for everyone
Exciting features aren’t enough to spur adoption. Many businesses have held off on upgrading to Windows 10. The reluctance stems from the substantial upfront investment required, from better hardware to new Group Policy settings. However, the latest shift to Windows 10 reflects the reality that Windows 7 will enter end-of-life in January 2020, and even with support windows being extended, organizations have to plan their hardware refresh to support Windows 10.
Only enterprise hardware, not consumer PCs, includes such features. For example, business laptops such as Lenovo ThinkPad and Dell Latitude models typically have these specs, but consumer models such as the Lenovo Yoga 3 Pro do not. The hypervisor-level protections are available only if the machine has a processor with virtualization extensions, such as Intel VT-x and AMD-V.
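To see whether a given machine meets the hardware prerequisites and whether Credential Guard or hypervisor-enforced code integrity is actually running, you can query the `Win32_DeviceGuard` WMI class. The script below is an added example, not part of the original article; the names `Get-VbsReport` and `Resolve-Code` are hypothetical helpers, and it assumes an elevated PowerShell session on Windows 10 or later.

```powershell
# Added example: report VBS readiness and running state on a Windows 10+ machine.
# Code-to-name tables follow the documented Win32_DeviceGuard property values.
$AvailableProps = @{
    1 = 'Hypervisor support'; 2 = 'Secure Boot'; 3 = 'DMA protection'
    4 = 'Secure memory overwrite'; 5 = 'NX protections'
    6 = 'SMM mitigations'; 7 = 'Mode-based execution control'
}
$Services  = @{ 1 = 'Credential Guard'; 2 = 'Hypervisor-enforced code integrity' }
$VbsStatus = @{ 0 = 'Not enabled'; 1 = 'Enabled but not running'; 2 = 'Enabled and running' }

function Resolve-Code([hashtable]$Map, $Code) {
    # WMI returns UInt32 values; hashtable keys are Int32, so cast before lookup.
    $key = [int]$Code
    if ($Map.ContainsKey($key)) { $Map[$key] } else { "Unknown ($key)" }
}

function Get-VbsReport {
    try {
        $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                              -ClassName 'Win32_DeviceGuard' -ErrorAction Stop
    } catch {
        # Class is absent on operating systems that predate these features.
        Write-Warning "Win32_DeviceGuard is not available: $($_.Exception.Message)"
        return
    }
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem

    [pscustomobject]@{
        ComputerName           = $env:COMPUTERNAME
        HypervisorPresent      = $cs.HypervisorPresent
        VbsStatus              = Resolve-Code $VbsStatus $dg.VirtualizationBasedSecurityStatus
        AvailableHardware      = @($dg.AvailableSecurityProperties | ForEach-Object { Resolve-Code $AvailableProps $_ })
        RequiredHardware       = @($dg.RequiredSecurityProperties  | ForEach-Object { Resolve-Code $AvailableProps $_ })
        ServicesConfigured     = @($dg.SecurityServicesConfigured  | Where-Object { $_ -ne 0 } | ForEach-Object { Resolve-Code $Services $_ })
        ServicesRunning        = @($dg.SecurityServicesRunning     | Where-Object { $_ -ne 0 } | ForEach-Object { Resolve-Code $Services $_ })
        # A service that is configured but not running usually points to a
        # missing hardware prerequisite or a policy that has not yet applied.
        CredentialGuardRunning = ($dg.SecurityServicesRunning -contains 1)
    }
}

Get-VbsReport | Format-List
```

A machine where `ServicesConfigured` lists Credential Guard but `CredentialGuardRunning` is `False` is the case to investigate first, since policy has been deployed without the protection taking effect.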
Microsoft also recognizes that many organizations have a hybrid environment with different Windows versions. Very few can claim to have moved their entire infrastructure to Windows 10. Windows Defender ATP was originally available only with a Windows E5 or Microsoft Office 365 E5 subscription, but now there is down-level support for Windows 7 SP1 and Windows 8.1. Heterogeneous organizations can get access to the advanced forensics.
Few enterprises believe the current state of enterprise Windows security is acceptable. Device Guard and Credential Guard actually offer a way forward, albeit one that demands a substantial investment. With Windows 10, “Microsoft is telling enterprises, ‘If you want good technology you need to do security [our way],'” Wisniewski said.
Original article in Computer World.
If you own a business, you really need to make the decision to purchase only business-class computers and laptops, not consumer-grade ones. You may save some money on the computers, but it will cost you in the long run.
Impress Computers primarily sells business-class units with 3-year warranties. They will last longer and provide better security, along with reducing downtime and slow time for your employees.