A few years ago, the protection on a Windows machine was only an antivirus product with malware/spyware protection. That world has changed, and cyber attacks are getting more sophisticated. I don’t believe that antivirus and anti-malware/spyware solutions alone can protect corporate devices any more. As you know, Windows 10 is redefining the way we think about security. With TPM and UEFI, hardware can be used to plug some of the holes attackers use to compromise systems. Of course, these capabilities are just part of a sophisticated solution that involves countless security enhancements to Windows 10 itself, such as improved identity and access control, cloud security integration, and containerization. Windows 10 delivers an unprecedented suite of capabilities to the enterprise. Now it’s up to you as an IT systems administrator to use these new features correctly and help keep your company safe.
To that end, Microsoft TechNet has a nice overview here, and Adaptiva has provided some background and how-to information in their recent Top 5 Security Best Practices for Windows 10 in the Enterprise report. Most of the topics covered below are easily implemented through modern management, using OMA-URI settings via Intune or SCCM. Some of the topics the report covers include:
Windows Information Protection
Want to keep your company’s confidential product roadmap from being sent from an employee’s private email, or placed in their personal Dropbox account? That is the sort of challenge Microsoft is solving through containerization with WIP. How to create WIP/EDP policies via Intune and SCCM is explained in one of my blog posts here.
Imagine a future where part of your encryption key is stored in the hardware of a system, and another part is stored in software. If you run a TPM chip with BitLocker, that future is reality today. It makes life easier for users, because they get this extra level of security while only entering their Windows login—not a separate encryption key. But it makes life hard for attackers, who would need both the hardware and software keys (or an extremely long recovery key) to break in.
UEFI with Secure Boot
UEFI changes everything because it enables Secure Boot. Now when your OS loads, it has to be trusted by the PC manufacturer or it won’t run. The same goes for drivers and more: if they are not trusted, they don’t run. This makes life a lot harder for people looking to compromise your OS.
We’ve all heard of “pass the hash” attacks where security credentials are snagged and used for unfriendly purposes. Credential Guard helps to prevent them, and some other attacks as well.
Of course, securing the boot process, credentials, and hard disk is not enough. If one application is replaced with an imposter, or contains malware to begin with, or IS malware, a hacker has the keys to the front door of your enterprise. Device Guard prevents unauthorized applications from running.
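Before rolling these settings out via Intune or SCCM, it helps to know which of them a given Windows 10 device already has in place. The following audit script is an added example, not code from this post or from the Adaptiva report; it assumes an elevated PowerShell session on Windows 10 Pro/Enterprise, where the TrustedPlatformModule and BitLocker modules and the Win32_DeviceGuard WMI class are available.

```powershell
# Added audit script (not from the original post or the Adaptiva report).
# Checks the TPM, Secure Boot, BitLocker, Credential Guard and Device Guard
# state described above. Run elevated on one device, or wrap the function in
# Invoke-Command to report on a fleet.

function Get-Win10SecurityPosture {
    $result = [ordered]@{}

    # TPM: needed for hardware-backed BitLocker keys
    $tpm = Get-Tpm -ErrorAction SilentlyContinue
    $result['TpmPresentAndReady'] = [bool]($tpm -and $tpm.TpmPresent -and $tpm.TpmReady)

    # UEFI Secure Boot: Confirm-SecureBootUEFI throws on legacy BIOS systems
    try   { $result['SecureBoot'] = Confirm-SecureBootUEFI }
    catch { $result['SecureBoot'] = $false }

    # BitLocker on the OS volume, and whether a TPM-based key protector is used
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
    $result['BitLockerOn'] = ($vol.ProtectionStatus -eq 'On')
    $result['BitLockerTpmProtector'] = [bool]($vol.KeyProtector |
        Where-Object { $_.KeyProtectorType -like 'Tpm*' })

    # Credential Guard and HVCI report through Win32_DeviceGuard:
    # SecurityServicesRunning contains 1 for Credential Guard, 2 for HVCI
    $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $result['VbsRunning']        = ($dg.VirtualizationBasedSecurityStatus -eq 2)
    $result['CredentialGuard']   = ($dg.SecurityServicesRunning -contains 1)
    $result['HvciCodeIntegrity'] = ($dg.SecurityServicesRunning -contains 2)
    # Device Guard code integrity policy: 0 = off, 1 = audit mode, 2 = enforced
    $result['CodeIntegrityPolicyEnforced'] = ($dg.CodeIntegrityPolicyEnforcementStatus -eq 2)

    [pscustomobject]$result
}

$posture = Get-Win10SecurityPosture
$posture | Format-List

# Flag the gaps so the output is actionable for a helpdesk or compliance report
$gaps = $posture.PSObject.Properties | Where-Object { -not $_.Value } | ForEach-Object Name
if ($gaps) { Write-Warning ("Protections missing or not running: " + ($gaps -join ', ')) }
else       { Write-Host "All checked Windows 10 protections are active." }
```

A device that shows a TPM and Secure Boot but no Credential Guard or code integrity enforcement is the usual starting point; those are the settings the OMA-URI policies mentioned earlier are meant to switch on.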
Vulnerability is not an Option
If you are up to speed on all these technologies, and implementing them correctly, great! If not, you should invest some time to download the guides and reports out there and get up to speed on your security options with Windows 10 today.