News

Windows 10's ID Management and Security Controls

• By Kurt Mackie
• 10/23/2014

Microsoft outlined some of the new security features making its way to the company's next OS.

Windows 10 will include a number of features designed to protect against identity theft, inadvertent data disclosures and the installation of malware, according to an announcement today by the company. The protections will benefit both consumers and organizations. It appears from the announcement that IT pros will get some tools to help manage the complexities associated with the new security controls as well.

Jim Alkove, a lead on the Windows enterprise management team, summed up the Windows 10 improvements to come, including the addition of multifactor authentication and built-in data loss prevention for documents, in Microsoft's announcement:

With this release we will have nearly everything in place to move the world away from the use of single factor authentication options, like passwords. We are delivering robust data loss prevention right into the platform itself, and when it comes to online threats, such as malware, we'll have a range of options to help enterprises protect against common causes of malware infection on PC's.

Multifactor Authentication
Multifactor authentication will be built into the Windows 10 operating system, according to Alkove. The second authenticating factor will be either biometric, such as using a finger print, or a personal identification number can be used. Under this scheme, attackers would need to have the device physically in hand to cause a security breach, he contended. Smartphones can be used as a secondary factor for authenticating these devices.

Windows 10 will create a key pair for authentication purposes. Alternatively, organizations that use a public key infrastructure (PKI) security approach can also control device authentication by using certificates. This credentials management capability in Windows 10 will be supported through Active Directory.

"Active Directory, Azure Active Directory, and Microsoft Accounts will support our new user credentials solution right out of box, so enterprises and consumers using Microsoft online services will quickly be able to move away from passwords," Alkove contended, adding that the technology will work across other platforms.

User access tokens, which are created via the authentication process, will get protected via Hyper-V virtualization technology with Windows 10. This approach is designed to reduce identity impersonations, according to Alkove:

With Windows 10 we aim to eliminate this type of [impersonation] attack with an architectural solution that stores user access tokens within a secure container running on top of Hyper-V technology. This solution prevents the tokens from being extracted from devices even in cases where the Windows kernel itself has been compromised.

Data Loss Prevention
Microsoft is building a data loss prevention scheme into Windows 10 to reduce the risk of information disclosure for organizations. The scheme will work across personal and corporate data on a device, according to Alkove. IT pros will be able to set policies that will protect data from being copied to noncorporate documents or locations. Windows 10 will have the capability to automatically encrypt "corporate apps, data, email, website content and other sensitive information, as it arrives on the device from corporate network locations," Alkove stated.

Alkove noted that Microsoft already has a Rights Management Service as part of Microsoft Azure and an Information Rights Management capability in Microsoft Office. Both offer data loss prevention capabilities for documents. But Alkove implied that Windows 10 would have its own data loss prevention capabilities built into the platform.

Other Security Protections
Microsoft is also building in protections for Windows 10 mobile devices that access virtual private networks (VPNs). IT pros will get some "VPN control options, from constant connectivity, to specifying which particular apps may have access via VPN," Alkove explained. IT pros also will be able to specify which apps are authorized to access the VPN, and which cannot access it. In addition, they can specify restrictions on port access or put restrictions on the IP addresses that can be used for VPN access.

Microsoft has a whole mobile device management scenario that typically depends on having Windows Intune along with Windows Server 2012 R2 in place. It's not quite clear if Alkove is saying that these VPN controls will be part of Windows 10 straight out of the box or whether other software dependencies will be involved.

Microsoft is envisioning a new app "signing service" with Windows 10 as a security measure to reduce malware installation threats. Using this signing service, app installation will be limited to those apps that are trusted. It's similar to the vetting process that Microsoft carries out for the vendor-supplied apps that are lodged in Microsoft's Windows Store. In addition, original equipment manufacturers (OEMs) will be able to lock down devices against malware, according to Alkove's description.

Organizations will be able to determine the level of trust for installable Windows 10 apps, ranging from company-signed apps, to software vendor apps, to Windows Store apps or they can trust all of those apps. This capability will apply to Desktop Win32 apps, too, not just to Windows Store apps (also known as "Metro" apps).

At this point, it's not clear how much of what Alkove described applies to protections for consumers vs. organizations. It's also not clear if the security protections will be associated with particular Windows 10 editions. The new OS is scheduled to ship sometime next year, so the details are likely yet to come.

Microsoft also released a new build of the Windows 10 technical preview yesterday. It has a few new features, but it doesn't have any of the new security elements that were described by Alkove today, according to a Microsoft spokesperson.

Many of the security features Alkove described are currently available as Microsoft Azure services and available at an extra cost, but he heavily implied that a lot of these security features would be built into Windows 10. Those exact details remain to be seen. However, Wes Miller, an analyst with Directions on Microsoft, an independent consultancy, interpreted Microsoft's announcements today as likely requiring the purchase of various Azure subscriptions or other licensing, such as the Enterprise Mobility Suite:

Although there are several new security features that are not in, and do not require, Azure services, a few of these integrated features are just that, integrations of previously available functionality. To that end, no, they aren't giving these away, this is a client integration; for a customer to take advantage of it, they'll likely need to be an active Azure Active Directory subscriber, and have the organization subscribing to the Enterprise Mobility Suite in order to consume these OS-native features (or pay a premium to use them individually). In many ways, the EMS is becoming an analog to an on-premises CAL Suite (buy the bundle and save). Thus if you want to truly take advantage of enterprise features built into Windows -- and other platforms (and give your users the best experience), you will probably need to subscribe to it.

Microsoft may make some more Windows 10 announcements next week, which is when its TechEd Europe event kicks off. Miller speculated we'll hear about the naming of the next Windows Server and possibly news about "Microsoft RemoteApp."