Thursday, 23 October 2014

Microsoft Outlines Windows 10 Security and ID Management Controls

Microsoft is planning to step up its security controls and identity management with its next-generation operating system, Windows 10.

Windows 10 includes a number of security features designed to protect against identity theft, accidental disclosure of data and the installation of malware, the company announced today. The protections will benefit both consumers and organizations. The company stated in the announcement that IT professionals have some tools to help manage the complexities associated with the new security controls as well.

Jim Alkove, a lead on the company's Windows management team, summarized the Windows 10 improvements to come, including the addition of multifactor authentication and built-in data loss prevention, in Microsoft's announcement:

With this release we have almost everything in place to move the world away from the use of single-factor authentication options, such as passwords. We are offering robust data loss prevention right in the platform, and when it comes to online threats such as malware, we have a range of options to help businesses protect against the most common causes of malware infections on your PC.

Multifactor Authentication

Multifactor authentication is built into the Windows 10 OS, according to Alkove. The second factor will be either biometric authentication, such as the use of a fingerprint, or a personal identification number. Under this scheme, attackers would have to physically have the device in hand to cause a security breach, he said. Smartphones can be used as a secondary factor for authenticating these devices.

Windows 10 will create a key pair for authentication purposes. Moreover, organizations that use a public key infrastructure (PKI) security approach can also control device authentication using certificates. This credential management capability in Windows 10 is done through Active Directory.

"Active Directory, Azure Active Directory and Microsoft accounts support our new user credentials solution right out of the box, so businesses and consumers who use Microsoft online services will quickly be able to get away from passwords," Alkove said, adding that the technology works across other platforms.

User access tokens, which are created through the authentication process, will be protected through Hyper-V virtualization technology in Windows 10. This approach is designed to reduce identity theft, according to Alkove:

With Windows 10 we aim to eliminate this type of [impersonation] attack with an architectural solution that stores user login credentials in a secure container running on top of Hyper-V technology. This solution prevents the tokens from being extracted from the device, even in cases where the Windows kernel itself has been compromised.

Data Loss Prevention

Microsoft is building a data loss prevention scheme into Windows 10 to reduce the risk of information disclosure for organizations. The scheme will work across personal and corporate data on a device, according to Alkove. IT pros will be able to set policies that will protect data from being copied to noncorporate documents or locations. Windows 10 will have the capability to automatically encrypt "corporate apps, data, email, website content and other sensitive information, as it arrives on the device from corporate network locations," Alkove stated.

Alkove noted that Microsoft already has a Rights Management Service as part of Microsoft Azure and an Information Rights Management capability in Microsoft Office. Both offer data loss prevention capabilities for documents. But Alkove implied that Windows 10 would have its own data loss prevention capabilities built into the platform.

Other Security Protections

Microsoft is also building in protections for Windows 10 mobile devices that access virtual private networks (VPNs). IT pros will get some "VPN control options, from constant connectivity, to specifying which particular apps may have access via VPN," Alkove explained. IT pros also will be able to specify which apps are authorized to access the VPN, and which cannot access it. In addition, they can specify restrictions on port access or put restrictions on the IP addresses that can be used for VPN access.

Microsoft has a whole mobile device management scenario that typically depends on having Windows Intune along with Windows Server 2012 R2 in place. It's not quite clear if Alkove is saying that these VPN controls will be part of Windows 10 straight out of the box or whether other software dependencies will be involved.

Microsoft is envisioning a new app "signing service" with Windows 10 as a security measure to reduce malware installation threats. Using this signing service, app installation will be limited to those apps that are trusted. It's similar to the vetting process that Microsoft carries out for the vendor-supplied apps that are lodged in Microsoft's Windows Store. In addition, original equipment manufacturers (OEMs) will be able to lock down devices against malware, according to Alkove's description.

Organizations will be able to determine the level of trust for installable Windows 10 apps, ranging from company-signed apps, to software vendor apps, to Windows Store apps, or they can trust all of those apps. This capability will apply to Desktop Win32 apps, too, not just to Windows Store apps (also known as "Metro" apps).

At this point, it's not clear how much of what Alkove described applies to protections for consumers vs. organizations. It's also not clear if the security protections will be associated with particular Windows 10 editions. The new OS is scheduled to ship sometime next year, so the details are likely yet to come.

Microsoft also released a new build of the Windows 10 technical preview yesterday. It has a few new features, but it doesn't have any of the new security elements that were described by Alkove today, according to a Microsoft spokesperson.

Many of the security features Alkove described are currently available as Microsoft Azure services and available at an extra cost, but he heavily implied that a lot of these security features would be built into Windows 10. Those exact details remain to be seen. However, Wes Miller, an analyst with Directions on Microsoft, an independent consultancy, interpreted Microsoft's announcements today as likely requiring the purchase of various Azure subscriptions or other licensing, such as the Enterprise Mobility Suite:

Although there are several new security features that are not in, and do not require, Azure services, a few of these integrated features are just that, integrations of previously available functionality. To that end, no, they aren't giving these away, this is a client integration; for a customer to take advantage of it, they'll likely need to be an active Azure Active Directory subscriber, and have the organization subscribing to the Enterprise Mobility Suite in order to consume these OS-native features (or pay a premium to use them individually). In many ways, the EMS is becoming an analog to an on-premises CAL Suite (buy the bundle and save). Thus if you want to truly take advantage of enterprise features built into Windows -- and other platforms (and give your users the best experience), you will probably need to subscribe to it.

Microsoft may make some more Windows 10 announcements next week, which is when its TechEd Europe event kicks off. Miller speculated we'll hear about the naming of the next Windows Server and possibly news about "Microsoft RemoteApp."
