Corporate customers can rest easy: Microsoft’s latest operating system puts the emphasis on security.
Released in late July, Windows 10 comes with a mix of features designed to ensure identity and data protection, as well as device security. Credential Guard and Device Guard — available only on Windows 10 Enterprise and Education — stand out as impressive defenses against malware and advanced persistent threats.
The enhanced security starts with the log-on process. While older versions of the operating system stored hashed user credentials in the Local Security Authority, Windows 10 uses Credential Guard to isolate secrets in a virtualization-based security environment.
In an article on InfoWorld, Fahmida Rashid explains that the previous setup allowed attackers to gain access to locally stored hashes; the new feature solves that issue.
“By isolating those credentials in a virtual container, Credential Guard prevents attackers from stealing the hash, restricting their ability to move around the network,” she writes.
Device Guard likewise relies on a virtualization-based container to allow only trusted applications to run. For the most part, devices are restricted to those applications with valid cryptographic signatures from Microsoft or specific software vendors, but businesses can also sign internal software to customize their list of trustworthy applications.
Device Guard’s flexibility will certainly appeal to enterprise customers who require a wide array of applications; however, Rashid offers an even more compelling reason to praise the security feature:
Under the hood, Device Guard is more than another whitelisting mechanism. It handles whitelisting in a way that is actually effective because the information is protected by the virtual machine. That is, malware or an attacker with administrator privileges cannot tamper with the policy checks.
Device Guard isolates Windows services that verify whether drivers and kernel-level code are legitimate in a virtual container. Even if malware infects the machine, it cannot access that container to bypass the checks and execute a malicious payload.
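To confirm on a given machine that these virtualization-based protections are actually running, not merely configured, an administrator can query the Win32_DeviceGuard WMI class. The following is an added example, not code from the article, Rashid or Microsoft; the function name Get-VbsProtectionStatus is hypothetical, and the numeric value meanings follow Microsoft's documentation for that class.

```powershell
# Added example (not from the article). Reports whether virtualization-based
# security (VBS), Credential Guard and hypervisor-enforced code integrity are
# running, and which required hardware properties the device lacks.
# Get-VbsProtectionStatus is a hypothetical name chosen for this example.
function Get-VbsProtectionStatus {
    [CmdletBinding()]
    param()

    # Value meanings as documented for Win32_DeviceGuard
    $vbsStates = @{ 0 = 'Not enabled'; 1 = 'Enabled but not running'; 2 = 'Enabled and running' }
    $hwProps   = @{ 1 = 'Hypervisor support'; 2 = 'Secure Boot'; 3 = 'DMA protection' }

    try {
        $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                              -ClassName 'Win32_DeviceGuard' -ErrorAction Stop
    } catch {
        # The class is absent on editions or builds that do not expose it
        Write-Warning "Win32_DeviceGuard is not available: $($_.Exception.Message)"
        return
    }

    $running    = @($dg.SecurityServicesRunning)
    $configured = @($dg.SecurityServicesConfigured)
    $available  = @($dg.AvailableSecurityProperties)

    # Required properties the hardware does not provide (0 means "none required")
    $missing = @($dg.RequiredSecurityProperties) |
        Where-Object { $_ -and ($_ -notin $available) } |
        ForEach-Object {
            if ($hwProps.ContainsKey([int]$_)) { $hwProps[[int]$_] } else { "Property $_" }
        }

    [pscustomobject]@{
        ComputerName              = $env:COMPUTERNAME
        VbsStatus                 = $vbsStates[[int]$dg.VirtualizationBasedSecurityStatus]
        CredentialGuardConfigured = $configured -contains 1   # 1 = Credential Guard
        CredentialGuardRunning    = $running -contains 1
        CodeIntegrityConfigured   = $configured -contains 2   # 2 = hypervisor-enforced code integrity
        CodeIntegrityRunning      = $running -contains 2
        MissingRequiredHardware   = @($missing) -join ', '
    }
}

Get-VbsProtectionStatus | Format-List
```

A service that shows as configured but not running, together with a non-empty MissingRequiredHardware value, points to a device that does not meet the hardware prerequisites.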
Is It Time for an Upgrade?
Both Credential Guard and Device Guard represent a continuation of Microsoft’s shift to hardware-based security. Microsoft outlines reasons for the change in a comparison chart that pits the software-based security setup of Windows 7 against the new and improved design of Windows 10:
Platform security is based entirely on what software can do on its own, and once infected there is no assurance that system [defenses] can perform their function and remain tamper free.
Malware can hide within the hardware or in the operating system itself, and there is no way to validate integrity once it has been compromised.
Microsoft’s hardware-based security features are less vulnerable but require substantial hardware investments, plus possible infrastructure and process changes, Rashid explains.
Although the financial and infrastructure requirements may slow widespread adoption of Device Guard and Credential Guard, they are unlikely to stop companies from eventually enabling the protections.
A Spiceworks survey from June shows that more than half of IT professionals include Windows 10’s enhanced security among the operating system’s most enticing features. Combined with the current threat environment, that attitude could help Microsoft convert Windows 7 holdouts and bring more enterprise customers into the fold.