Lead Image © Galina Peshkova, 123RF.com

Endpoint Security for Windows 10

Well-Tempered Computer

Article from ADMIN 67/2022
Windows 10, build 21H1, has numerous protection mechanisms out of the box. We look at the option for delaying updates, the components and features of Microsoft Defender, and recommendations for hardening the operating system.

Microsoft introduced a number of new security features in Windows 10, but they are not available in all variants of the operating system. For example, features such as Windows Defender Device Guard – now Microsoft Defender Application Control – or Microsoft Defender Credential Guard are only available in Windows 10 Enterprise E3/E5; Microsoft Defender for Endpoint – formerly Advanced Threat Protection – is only available with Windows 10 Enterprise E3/E5, Microsoft 365 E5 Security, and Microsoft 365 E5. Also not to be ignored is that Microsoft only allows the Enterprise version to use group policies that can configure the Windows Store.

Windows Update for Business

The monthly patch day still causes excitement among many administrators, as does the question as to whether everything will continue to work as it did before the update. Microsoft has changed the update cycle for Windows 10. Apart from the monthly critical updates, the company releases optional updates at different times in the second half of the month. Therefore, you can concentrate on installing the critical updates and install the optional updates at a later point in time, once their compatibility with the IT infrastructure has been successfully checked.

Windows Update for Business [1], the update process for business customers, includes what are known as update rings, which you can use to specify the order in which you want to patch end devices and servers. These rings let you, for example, patch only unimportant computers or special test machines in an initial update wave. Update rings also allow systems to be patched as a function of how they interact. For example, a domain controller can be patched first, followed by an Exchange server that requires the Active Directory (AD) services to work properly.

Windows Update for Business also lets you define maintenance windows during which computers receive updates, so you can select the time windows when the service interruptions associated with the update installation, in the form of computer or service restarts, will have little or no effect on your operation. IT managers can use local settings on the client or group policy to delay updates.
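The deferral and maintenance-window settings just described are stored by group policy (or the local Settings app) as registry values under the Windows Update policy key. The following PowerShell script is an added example, not part of the original article: it audits a client against an illustrative "pilot ring" baseline (7-day quality-update deferral, 60-day feature-update deferral, active hours 07:00 to 19:00) and can optionally write those values. The baseline numbers and the function names are the example's own choices; the registry path and value names are the ones the Windows Update for Business policies use. Run it in an elevated session.

```powershell
# Added example: audit (and optionally apply) Windows Update for Business
# deferral and active-hours settings on a Windows 10 client.
# Assumptions: elevated PowerShell; baseline values below are illustrative
# and should be chosen per update ring.

$PolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

# Illustrative baseline for a pilot ring.
$Baseline = [ordered]@{
    DeferQualityUpdates             = 1
    DeferQualityUpdatesPeriodInDays = 7     # allowed range 0..30
    DeferFeatureUpdates             = 1
    DeferFeatureUpdatesPeriodInDays = 60    # allowed range 0..365
    SetActiveHours                  = 1
    ActiveHoursStart                = 7     # hour of day, 0..23
    ActiveHoursEnd                  = 19    # hour of day, 0..23
}

function Get-WufbPolicy {
    # Returns the configured value (or $null if unset) for every baseline setting.
    $result = [ordered]@{}
    foreach ($name in $Baseline.Keys) {
        $value = $null
        if (Test-Path $PolicyPath) {
            $item = Get-ItemProperty -Path $PolicyPath -Name $name -ErrorAction SilentlyContinue
            if ($null -ne $item) { $value = $item.$name }
        }
        $result[$name] = $value
    }
    return $result
}

function Test-WufbPolicy {
    # Compares the live configuration with the baseline and returns the drift.
    $current = Get-WufbPolicy
    $drift = @()
    foreach ($name in $Baseline.Keys) {
        if ($current[$name] -ne $Baseline[$name]) {
            $drift += [pscustomobject]@{
                Setting  = $name
                Expected = $Baseline[$name]
                Actual   = $current[$name]
            }
        }
    }
    return $drift
}

function Set-WufbPolicy {
    # Writes the baseline. These are the same values the corresponding group
    # policies write, so a domain GPO overrides them on the next policy refresh.
    if (-not (Test-Path $PolicyPath)) { New-Item -Path $PolicyPath -Force | Out-Null }
    foreach ($name in $Baseline.Keys) {
        Set-ItemProperty -Path $PolicyPath -Name $name -Value $Baseline[$name] -Type DWord
    }
}

$drift = Test-WufbPolicy
if ($drift.Count -eq 0) {
    Write-Host 'Windows Update for Business policy matches the baseline.'
} else {
    Write-Host 'Settings that deviate from the baseline:'
    $drift | Format-Table -AutoSize
    # Uncomment to enforce the baseline locally:
    # Set-WufbPolicy
}
```

Running the audit regularly (for example from a scheduled task that reports drift centrally) is the useful part; on domain-joined machines the write function only serves as a local fallback, because the GPO values win.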

Authentication Options

In addition to the classic username and password option to authenticate the system, Windows 10 provides other options (Figure 1). In workgroup environments, for example, a picture password can be used. You can choose a picture for logging in or define various gestures that are known only to you and use them for authentication. Microsoft equates picture passwords with the PIN entry method in terms of security.

Figure 1: Logon procedures are numerous and vary in usefulness depending on the end device.

Windows Hello [2] is a facial recognition feature that automatically logs the user into the operating system when a known face is detected. As an alternative to facial recognition, the eyes (iris) or fingers (fingerprint) can be scanned for identification. Microsoft decided on this additional authentication option because passwords have long since ceased to provide sufficient security if users do not implement all the requirements for their secure use. You need the right kind of device to run Windows Hello, such as an integrated iris or fingerprint scanner. In AD environments, Windows Hello can be implemented with the help of group policies.

Microsoft Passport is a multifactor authentication (MFA) system that uses a PIN or biometrics (provided by Windows Hello) in conjunction with cryptographic keys bound to the device for authentication. Users can use it to authenticate against a local AD, Azure Active Directory (AAD), or non-Microsoft LDAP service.

Windows 10 clients can also join an AAD and use it as their exclusive authentication source. A client's membership in the AAD then enables single sign-on (SSO) to various services, such as Office 365 in the Microsoft cloud. In environments with an on-premises AD and AAD, a synchronization instance ensures that SSO is still guaranteed for on-premises and cloud resources.

Endpoint Protection

Microsoft Defender is an integral part of Windows 10 and helps protect the computer against malware in two ways:

  • Real-time protection: Microsoft Defender blocks malware that tries to install or run on the PC and notifies the user. The user is also notified if apps try to change important settings.
  • Various scanning options: Microsoft Defender automatically checks at regular intervals whether malware is present on the PC. The scan can be scheduled for a different time, if desired. Microsoft Defender automatically removes or quarantines all suspicious objects detected during a scan. Users and administrators can manually remove objects from the quarantine, or the objects located there are automatically deleted after a definable period of time.

The Microsoft Defender interface largely matches that of older Windows Defender versions. However, the configuration of Defender options is now done in the Windows 10 settings menus and not in the Defender application itself.
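Because the Defender options now live in the Settings app rather than in the Defender application, it helps to have a script that reads the effective state in one place. The following PowerShell is an added example, not code from the article: it checks real-time protection, signature age, the scheduled scan and the quarantine retention period against a simple baseline, and lists what is currently quarantined so an administrator can review items before the automatic purge. It relies on the Defender module cmdlets Get-MpComputerStatus, Get-MpPreference, Get-MpThreat and Set-MpPreference, which ship with Windows 10; the baseline thresholds and function names are the example's own, and the status code 3 for "quarantined" is the ThreatStatusID value the Defender WMI class uses.

```powershell
# Added example: compare Microsoft Defender's live configuration with a small
# baseline and list quarantined detections.
# Assumptions: Windows 10 with the Defender PowerShell module; run elevated so
# that all status fields are readable. Threshold values are illustrative.

function Get-DefenderBaselineReport {
    param(
        [int]$MaxSignatureAgeDays   = 3,   # flag signatures older than this
        [int]$QuarantineRetentionDays = 30 # expected purge delay for quarantined items
    )

    $status = Get-MpComputerStatus
    $prefs  = Get-MpPreference
    $findings = @()

    if (-not $status.RealTimeProtectionEnabled) {
        $findings += 'Real-time protection is disabled.'
    }
    if ($prefs.DisableRealtimeMonitoring) {
        $findings += 'The DisableRealtimeMonitoring preference is set.'
    }
    if ($status.AntivirusSignatureAge -gt $MaxSignatureAgeDays) {
        $findings += "Antivirus signatures are $($status.AntivirusSignatureAge) days old."
    }
    # ScanScheduleDay: 0 = every day, 1..7 = weekday, 8 = never
    if ($prefs.ScanScheduleDay -eq 8) {
        $findings += 'No scheduled scan is configured.'
    }
    if ($prefs.QuarantinePurgeItemsAfterDelay -ne $QuarantineRetentionDays) {
        $findings += "Quarantine purge delay is $($prefs.QuarantinePurgeItemsAfterDelay) days, expected $QuarantineRetentionDays."
    }

    [pscustomobject]@{
        RealTimeProtection = $status.RealTimeProtectionEnabled
        SignatureAgeDays   = $status.AntivirusSignatureAge
        QuickScanAgeDays   = $status.QuickScanAge
        ScanScheduleDay    = $prefs.ScanScheduleDay
        ScanScheduleTime   = $prefs.ScanScheduleTime
        QuarantineDays     = $prefs.QuarantinePurgeItemsAfterDelay
        Findings           = $findings
    }
}

function Get-QuarantinedThreats {
    # Detections currently held in quarantine (ThreatStatusID 3 = Quarantined),
    # so they can be reviewed before the purge delay removes them.
    Get-MpThreat | Where-Object { $_.ThreatStatusID -eq 3 } |
        Select-Object ThreatName, SeverityID, ThreatStatusID, Resources
}

$report = Get-DefenderBaselineReport
$report | Format-List
if ($report.Findings.Count -gt 0) {
    Write-Warning ($report.Findings -join "`n")
}
Get-QuarantinedThreats | Format-Table -AutoSize

# To set the quarantine retention period the article mentions, e.g. to 30 days:
# Set-MpPreference -QuarantinePurgeItemsAfterDelay 30
```

The report deliberately reads both the computer status and the preference object: a policy can set DisableRealtimeMonitoring while tamper protection keeps real-time protection running, so the two views can disagree, and both are worth recording.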

In Windows 10, Microsoft Defender has become a strategic product and has been extended with numerous features, which I will describe in more detail in the following sections of this article. The components include Defender Security Center, Defender for Endpoint, Defender Application Control, Defender Credential Guard, Defender Exploit Guard, and Defender SmartScreen.
