You may have heard that Microsoft has made Windows 10 more secure than any of its predecessors, packing it with security goodies. What you might not know is that some of these vaunted security features aren’t available out of the box or they require additional hardware -- you may not be getting the level of security you bargained for.
Features such as Credential Guard are available for only certain editions of Windows 10, while the advanced biometrics promised by Windows Hello require a hefty investment in third-party hardware. Windows 10 may be the most secure Windows operating system to date, but the security-savvy organization -- and individual user -- needs to keep the following hardware and Windows 10 edition requirements in mind in order to unlock the necessary features to achieve optimum security.
Note: Presently, there are four desktop editions of Windows 10 -- Home, Pro, Enterprise, and Education -- along with multiple versions of each, offering varying levels of beta and preview software. InfoWorld’s Woody Leonard breaks down which version of Windows 10 to use. The following Windows 10 security guide focuses on standard Windows 10 installations -- not Insider Previews or Long Term Servicing Branch -- and includes Anniversary Update where relevant.
The right hardware
Windows 10 casts a wide net, with minimum hardware requirements that are undemanding. As long as you have the following, you’re good to upgrade from Win7/8.1 to Win10: 1GHz or faster processor, 2GB of memory (for Anniversary Update), 16GB (for 32-bit OS) or 20GB (64-bit OS) disk space, a DirectX 9 graphic card or later with WDDM 1.0 driver, and an 800-by-600-resolution (7-inch or larger screens) display. That describes pretty much any computer from the past decade.
But don’t expect your baseline machine to be fully secure, as the above minimum requirements won’t support many of the cryptography-based capabilities in Windows 10. Win10’s cryptography features require Trusted Platform Module 2.0, which provides a secure storage area for cryptographic keys and is used to encrypt passwords, authenticate smartcards, secure media playback to prevent piracy, protect VMs, and secure hardware and software updates against tampering, among other functions.
Modern AMD and Intel processors (Intel Management Engine, Intel Converged Security Engine, AMD Security Processor) already support TPM 2.0, so most machines bought in the past few years have the necessary chip. Intel’s vPro remote management service, for example, uses TPM to authorize remote PC repairs. But it’s worth verifying whether TPM 2.0 exists on any system you upgrade, especially given that Anniversary Update requires TPM 2.0 support in the firmware or as a separate physical chip. A new PC, or systems installing Windows 10 from scratch, must have TPM 2.0 from the get-go, which means having an endorsement key (EK) certificate preprovisioned by the hardware vendor as it is shipped. Alternatively, the device can be configured to retrieve the certificate and store it in TPM the first time it boots up.
Older systems that don’t support TPM 2.0 -- either because they don’t have the chip installed or are old enough that they have only TPM 1.2 -- will need to get a TPM 2.0-enabled chip installed. Otherwise, they will not be able to upgrade to Anniversary Update at all.
While some of the security features work with TPM 1.2, it’s better to get TPM 2.0 whenever possible. TPM 1.2 allows only for RSA and SHA-1 hashing algorithm, and considering the SHA-1 to SHA-2 migration is well under way, sticking with TPM 1.2 is problematic. TPM 2.0 is much more flexible, as it supports SHA-256 and elliptical curve cryptography.
Unified Extensible Firmware Interface (UEFI) BIOS is the next piece of must-have hardware for achieving the most secure Windows 10 experience. The device needs to be shipped with UEFI BIOS enabled to allow Secure Boot, which ensures that only operating system software, kernels, and kernel modules signed with a known key can be executed during boot time. Secure Boot blocks rootkits and BIOS-malware from executing malicious code. Secure Boot requires firmware that supports UEFI v2.3.1 Errata B and has the Microsoft Windows Certification Authority in the UEFI signature database. While a boon from a security perspective, Microsoft designating Secure Boot mandatory for Windows 10 has run into controversy, as it makes it harder to run unsigned Linux distributions (such as Linux Mint) on Windows 10-capable hardware.
Anniversary Update won’t install unless your device is UEFI 2.31-compliant or later.
Beefing up authentication, identity
Password security has been a significant issue in the past few years, and Windows Hello moves us closer to a password-free world as it integrates and extends biometric logins and two-factor authentication to "recognize" users without passwords. Windows Hello also manages to be simultaneously the most accessible and inaccessible security feature of Windows 10. Yes, it is available across all Win10 editions, but it requires significant hardware investment to get the most of what it has to offer.
To protect credentials and keys, Hello requires TPM 1.2 or later. But for devices where TPM is not installed or configured, Hello can use software-based protection to secure credentials and keys instead, so Windows Hello is accessible to pretty much any Windows 10 device.
But the best way to use Hello is to store biometric data and other authentication information in the on-board TPM chip, as the hardware protection makes it more difficult for attackers to steal them. Further, to take full advantage of biometric authentication, additional hardware -- such as a specialized illuminated infrared camera or a dedicated iris or fingerprint reader -- is necessary. Most business-class laptops and several lines of consumer laptops ship with fingerprint scanners, enabling businesses to get started with Hello under any edition of Windows 10. But the marketplace is still limited when it comes to depth-sensing 3D cameras for facial recognition and retina scanners for iris-scanning, so Windows Hello’s more advanced biometrics is a future possibility for most, rather than a daily reality.
Available for all Windows 10 editions, Windows Hello Companion Devices is a framework for allowing users to use an external device -- such as a phone, access card, or wearable -- as one or more authenticating factors for Hello. Users interested in working with Windows Hello Companion Device to roam with their Windows Hello credentials between multiple Windows 10 systems must have Pro or Enterprise installed on each one.
Windows 10 formerly had Microsoft Passport, which enabled users to log in to trusted applications via Hello credentials. With Anniversary Update, Passport no longer exists as a separate feature but is incorporated into Hello. Third-party applications that use the Fast Identity Online (FIDO) specification will be able to support single sign-on by way of Hello. For example, the Dropbox app can be authenticated directly via Hello, and Microsoft’s Edge browser enables integration with Hello to extend to the web. It’s possible to turn on the feature in a third-party mobile device management platform, as well. The password-less future is coming, but not quite yet.
Keeping malware out
Windows 10 also introduces Device Guard, technology that flips traditional antivirus on its head. Device Guard locks down Windows 10 devices, relying on whitelists to let only trusted applications be installed. Programs aren’t allowed to run unless they are determined safe by checking the file’s cryptographic signature, which ensures all unsigned applications and malware cannot execute. Device Guard relies on Microsoft’s own Hyper-V virtualization technology to store its whitelists in a shielded virtual machine that system administrators can’t access or tamper with. To take advantage of Device Guard, machines must run Windows 10 Enterprise or Education and support TPM, hardware CPU virtualization, and I/O virtualization. Device Guard relies on Windows hardening such as Secure Boot.
AppLocker, available only for Enterprise and Education, can be used with Device Guard to set up code integrity policies. For example, administrators can decide to limit which universal applications from the Windows Store can be installed on a device.
Configurable code integrity is another Windows component which verifies that the code running is trusted and sage. Kernel mode code integrity (KMCI) prevents the kernel from executing unsigned drivers. Administrators can manage the policies at the certificate authority or publisher level as well as the individual hash values for each binary executable. Since much of commodity malware tends to be unsigned, deploying code integrity policies lets organizations immediately protect against unsigned malware.
Windows Defender, first released as standalone software for Windows XP, became Microsoft’s default malware protection suite, with antispyware and antivirus, in Windows 8. Defender is automatically disabled when a third-party antimalware suite is installed. If there is no competing antivirus or security product installed, make sure that Windows Defender, available across all editions and with no specific hardware requirements, is turned on. For Windows 10 Enterprise users, there is the Windows Defender Advanced Threat Protection, which offers real-time behavioral threat analysis to detect online attacks.
BitLocker, which secures files in an encrypted container, has been around since Windows Vista and is better than ever in Windows 10. With Anniversary Update, the encryption tool is available for Pro, Enterprise, and Education editions. Much like Windows Hello, BitLocker works best if TPM is used to protect the encryption keys, but it can also use software-based key protection if TPM does not exist or is not configured. Protecting BitLocker with a password provides the most basic defense, but a better method is to use a smartcard or the Encrypting File System to create a file encryption certificate to protect associated files and folders.
When BitLocker is enabled on the system drive and brute-force protection is enabled, Windows 10 can restart the PC and lock access to the hard drive after a specified number of incorrect password attempts. Users would have to type the 48-character BitLocker recovery key to start the device and access the disk. To enable this feature, the system would need to have UEFI firmware version 2.3.1 or later.
Windows Information Protection, formerly Enterprise Data Protection (EDP), is available only for Windows 10 Pro, Enterprise, or Education editions. It provides persistent file-level encryption and basic rights management, while also integrating with Azure Active Directory and Rights Management services. Information Protection requires some kind of mobile device management -- Microsoft Intune or a third-party platform such as VMware’s AirWatch -- or System Center Configuration Manager (SCCM) to manage the settings. An admin can define a list of Windows Store or desktop applications that can access work data, or block them entirely. Windows Information Protection helps control who can access data to prevent accidental information leakage. Active Directory helps ease management but is not required to use Information Protection, according to Microsoft.
Virtualizing security defenses
Credential Guard, available only for Windows 10 Enterprise and Education, can isolate “secrets” using virtualization-based security (VBS) and restrict access to privileged system software. It helps block pass-the-hash attacks, although security researchers have recently found ways to bypass the protections. Even so, having Credential Guard is still better than not having it at all. It runs only on x64 systems and requires UEFI 2.3.1 or greater. Virtualization extensions such as Intel VT-x, AMD-V, and SLAT must be enabled, as well as IOMMU such as Intel VT-d, AMD-Vi, and BIOS Lockdown. TPM 2.0 is recommended in order to enable Device Health Attestation for Credential Guard, but if TPM is not available, software-based protections can be used instead.
Another Windows 10 Enterprise and Education feature is Virtual Secure Mode, which is a Hyper-V container that protects domain credentials saved on Windows.