Windows 10 includes new enterprise security features for authentication and data protection. I’ll cover them in this post, the second in our series on our webinar Under the Hood with Windows 10 Security, for which more than 2,300 sysadmins, IT managers and network administrators registered.
Authentication and Windows Hello (41:25 into the On-demand Webinar)
My last post covered malware prevention in Windows 10, and I’ll continue the theme of Windows 10 endpoint security in the area of authentication. The model here is authentication first between you and your device, then between the combination of you and your device and the applications and websites you use.
The big news here for the enterprise is Windows Hello. Instead of relying on passwords, Hello is designed to authenticate the user to the device using biometrics. Facial recognition is implemented around an infrared camera that cannot be spoofed as easily as an ordinary webcam; that removes the danger of an impostor simply holding your photo up to the camera at logon. Other options include iris and fingerprint recognition, and a device-specific PIN that is easier to remember than a password and more secure.
Hello authenticates quickly and stores biometric data on the device, not in the cloud. That means everything needed for authentication remains strictly on the device.
Windows Passport (44:50)
First your device authenticates you with Hello, then you and your device use Windows Passport to authenticate to the network and to services like your Microsoft account, Azure Active Directory, on-premises AD, and apps and sites that comply with Fast IDentity Online (FIDO). The FIDO Alliance promotes an industry-standard effort for improving online authentication, and Passport supports FIDO.
The result is a different kind of two-factor authentication. You’re authenticated to your device with Hello, and Passport uses a private key stored on your device to authenticate you to the online service. The servers you access can verify that you authenticated with the Trusted Platform Module (TPM) chip, which attests that the TPM generated the private key and that the key is stored on the device and has never left it.
Credentials are based on a certificate or an asymmetric key pair, and each account key is stored in a separate, secure container. The big difference is that, if the online service is breached, your passwords and PINs are not exposed. The only thing exposed is your public key.
I think this new, “password-less” model of authentication shows a lot of promise. There’s no password to steal from servers, AD or websites, and the combination of Hello and Passport protects against Pass-the-Hash and Pass-the-Token attacks. It’s security for the enterprise with minimal inconvenience for users. What’s not to like?
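To make the Passport exchange above concrete, here is an added example (not Microsoft's code or the webinar's) that models the two parties: the device keeps the private key, the server keeps only the public key and issues a fresh one-time nonce per logon. The Device, Server, Challenge and Verify names are my own, and the signature in a real Passport logon is produced inside the TPM rather than in software; the account name "alice" is constructed sample data.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
)

// Device models the user's PC: the private key lives here and nowhere else.
type Device struct{ priv *ecdsa.PrivateKey }
// Server models an online service: public keys only, plus unanswered nonces.
type Server struct {
	pubKeys map[string]*ecdsa.PublicKey
	pending map[[32]byte]bool
}

// NewDevice generates the per-device key pair (assumed P-256; Passport may differ).
func NewDevice() (*Device, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return &Device{priv: priv}, err
}
func NewServer() *Server { return &Server{map[string]*ecdsa.PublicKey{}, map[[32]byte]bool{}} }

// Register binds an account to the device's public key; the private key is never sent.
func (s *Server) Register(user string, d *Device) { s.pubKeys[user] = &d.priv.PublicKey }

// Challenge issues a fresh random nonce and remembers it until it is answered.
func (s *Server) Challenge() ([32]byte, error) {
	var nonce [32]byte
	_, err := rand.Read(nonce[:])
	s.pending[nonce] = true
	return nonce, err
}

// Sign answers a challenge; in Passport this happens after Hello unlocks the device.
func (d *Device) Sign(nonce [32]byte) ([]byte, error) {
	h := sha256.Sum256(nonce[:])
	return ecdsa.SignASN1(rand.Reader, d.priv, h[:])
}

// Verify accepts a response only for an issued, unused nonce signed by the registered key.
func (s *Server) Verify(user string, nonce [32]byte, sig []byte) bool {
	pub, ok := s.pubKeys[user]
	if !ok || !s.pending[nonce] {
		return false // unknown account, or unknown/replayed nonce
	}
	delete(s.pending, nonce) // each nonce is single-use
	h := sha256.Sum256(nonce[:])
	return ecdsa.VerifyASN1(pub, h[:], sig)
}
```

A copy of the server's store yields only public keys, so it cannot answer a challenge for any account, and a captured response is useless once its nonce has been consumed.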
Enterprise Data Protection (50:20)
With Enterprise Data Protection (EDP), Microsoft addresses the problem of maintaining the privacy of your enterprise data by filling the gap between encrypted hard drives and rights management-protected documents. It’s not exactly Rights Management Services, although RMS can enhance EDP.
EDP separates and protects enterprise apps and data against disclosure across both company-owned and personal devices. It doesn’t require Code Integrity or changes in your environment or apps.
EDP tries to reconcile ease of access to files with strict data protection policies. It also addresses the reality that you cannot fully lock down employee-owned devices in your efforts to prevent the accidental release of enterprise data. It allows remote wipe and requires MDM, such as Microsoft Intune or SCCM.
For example, suppose you’re trying to keep employees from copying text from an enterprise document into a non-enterprise document.
You have four levels of protection with EDP:
- Block – EDP looks for inappropriate data sharing and stops the employee from completing the action.
- Override – EDP looks for inappropriate data sharing, alerts the employee that it’s inappropriate and gives the employee the option of overriding the policy and copying/sharing the data anyway. EDP logs the action.
- Audit – EDP runs silently, logging inappropriate data sharing, without blocking anything.
- Off – EDP isn't active and doesn't protect your data. Probably a bad idea.
EDP adds up to what I call “Pretty Good Data Protection.” It does a good job of straddling some rather tall fences between security and productivity. To make it easy to raise awareness among users, protected files show up in green in Windows Explorer.
Under the Hood with Windows 10 Security – On-demand Webinar
My next and final post in this series will cover migration to Windows 10.
Meanwhile, listen to Randy Franklin Smith’s webinar, Under the Hood with Windows 10 Security. I’ve included the time stamps so you can fast-forward to the topics of most interest to you.