New security features in Windows 10
Fresh Start
Microsoft has responded to the changes in IT threat management with a number of new Windows 10 security functions [1]. Read on for a summary of some important new security features in Windows 10.
Updates
The vast majority of security advisories come with one common warning: Update your system! System updates are a necessity on today's networks, and a number of extensions to the update process [2] are waiting for you in Windows 10. These extensions include distribution rings, which you can use to determine the order in which devices and servers are patched. It is possible, for example, to patch only unimportant computers or test computers in an initial wave of updates to first test the effects of the update on your production environment.
Distribution rings make it possible to patch systems based on both importance and membership. For example, you can update a domain controller first and then the Exchange Server that requires the domain controller's Active Directory services to operate correctly. Windows Update for Business makes it possible to define maintenance windows in which computers are supplied with updates. Using these tools, you can meet any requirements your company might have and just install updates at a convenient time when the disruptions associated with installing updates will have little or no effect.
A tool called BranchCache lets you copy Windows updates to computers in branch offices and remote sites with low bandwidth for local distribution. This technique removes the need to run a Windows Update distribution solution such as Windows Server Update Services (WSUS) at all locations. Storing updates once only at branch offices also saves network bandwidth.
Only Signed Apps
Device Guard [3] is a new technology in Windows 10 that aims to prevent malicious software from running on the system. The Device Guard function only allows trusted or digitally signed apps on the machine, thus protecting against new, unknown malware and advanced persistent threats (APT). Device Guard even protects portable applications that run from a USB stick.
The system administrator can use central guidelines to determine the sources from which apps are classified as trusted. It is possible to block or allow both universal apps and Win32 apps. Device Guard defends itself from manipulation by isolating the related code and processes using hardware and virtualization technologies from other components. Compared with similar Microsoft technologies such as AppLocker, Device Guard's strength is that it prevents the intruder from manipulating the test process itself. In the future, Device Guard could form the platform for other anti-virus and anti-malware technologies.
Compartmentalized Apps
Microsoft is tying to implement new functions for separating business and personal information in Windows 10 Mobile apps. This capability would let you create separate environments for using a smartphone privately and professionally. Microsoft is thus closing the gap with BlackBerry and Android devices (e.g., Samsung KNOX), which have similar technologies. This feature could combine with Device Guard to make it possible for administrators to define a list of trusted apps that can run on the device.
Integrated identification protection in Windows 10 makes it easy to sign in to a device, app, or website. A two-component test based on similar tests for smartcards is already integrated into the system. Companies will be able to customize the app store according to their needs in the future. This way it will be possible to use volume licenses for apps; app distribution will be more flexible, and administrators will be able to recover and reuse licenses.
Buy this article as PDF
(incl. VAT)
Buy ADMIN Magazine
Subscribe to our ADMIN Newsletters
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Most Popular
Support Our Work
ADMIN content is made possible with support from readers like you. Please consider contributing when you've found an article to be beneficial.