As every IT professional knows, Microsoft has always struggled with OS security. The vulnerabilities inherent in XP, Vista and Windows 7 have led to security breaches – and embarrassing headlines – in record numbers. Keeping up with the never-ending schedule of Microsoft security updates is a full-time job for administrators, and even companies that keep up to date with the latest updates still have to worry about zero-day vulnerabilities that can be exploited before an update to address them is released.
Unsurprisingly, Microsoft has used the release of Windows 10 Enterprise as an opportunity to repair its reputation in this area. The new OS has two new security features designed to help reduce security breaches in organizations:
- Device Guard: Device Guard enables enterprises to lock down systems to prevent many forms of malware from executing. It does this by only allowing applications that are trusted by your enterprise to execute. Device Guard isn’t a replacement for traditional antivirus and malware protection, as it does not protect against exploits such as JavaScript or documents with embedded macros, but it provides another layer in your defense-in-depth strategy.
- Credential Guard: Credential Guard is a new feature in Windows 10 Enterprise that isolates secrets by creating a virtual container to keep them separate from the full operating system. In previous versions of Windows, without Credential Guard, users’ hashed credentials were stored in the Local Security Authority (LSA). Malware could access these and use them to access data as well as other systems. Credential Guard significantly reduces these types of attacks by isolating secrets in a virtual container and limiting access to them.
While these new features sound great, there’s a catch: implementing them in the enterprise is not as easy as simply checking a box. In fact, they have specific hardware requirements and configurations which, although they are available on many modern enterprise laptops and workstations, may not have been previously enabled or utilized to date. These include:
- Unified Extensible Firmware Interface (UEFI)
- Secure Boot
- Virtualization Extensions
- Trusted Platform Module (TPM)
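
The four prerequisites above can be checked per machine before a rollout is planned. The following is an added example, not part of the original article or of any Microsoft or 1E tooling; the function name `Test-GuardReadiness` is hypothetical, and it assumes an elevated PowerShell 5.1 session on the Windows 10 machine being assessed.

```powershell
#Requires -RunAsAdministrator
# Added example: read-only readiness check for the four prerequisites listed above.
# Test-GuardReadiness is a hypothetical name; nothing on the machine is changed.

function Test-GuardReadiness {
    $result = [ordered]@{ ComputerName = $env:COMPUTERNAME }

    # UEFI: Get-ComputerInfo reports the firmware type (Bios or Uefi).
    $firmware = (Get-ComputerInfo -Property BiosFirmwareType).BiosFirmwareType
    $result.Uefi = ("$firmware" -eq 'Uefi')

    # Secure Boot: the cmdlet throws on legacy BIOS systems, so an error counts as "off".
    try   { $result.SecureBoot = [bool](Confirm-SecureBootUEFI -ErrorAction Stop) }
    catch { $result.SecureBoot = $false }

    # Virtualization extensions: when a hypervisor is already running, the CPU
    # firmware flag can read False, so a present hypervisor counts as enabled.
    $cpu = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1
    $cs  = Get-CimInstance -ClassName Win32_ComputerSystem
    $result.Virtualization = [bool]($cs.HypervisorPresent -or $cpu.VirtualizationFirmwareEnabled)

    # TPM: must be present and ready for use.
    try {
        $tpm = Get-Tpm -ErrorAction Stop
        $result.Tpm = [bool]($tpm.TpmPresent -and $tpm.TpmReady)
    }
    catch { $result.Tpm = $false }

    # Ready only when all four prerequisites are met.
    $result.Ready = $result.Uefi -and $result.SecureBoot -and
                    $result.Virtualization -and $result.Tpm
    [pscustomobject]$result
}

Test-GuardReadiness | Format-List
```

A machine that reports `Uefi : False` is the case that needs the disk reformat discussed below; the other three settings are firmware switches.
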
Ensuring these settings are in place creates a huge manual workload for administrators – and a considerable overhead for the business. The conversion to UEFI, for example, requires a complete reformatting of the hard drive – something that may well prevent many organizations from taking advantage of Windows 10’s new security features for quite some time.
So how can these issues be overcome? The answer lies in abandoning the manual techniques that characterized migration to Windows 7 and XP and embracing the automated Zero Touch approach. For example, 1E’s Nomad and PXE Everywhere eliminate the need to have a server at every location or to deploy an army of technicians with USB drives. 1E Nomad utilizes peers at remote sites to share data, removing the need for local servers, while PXE Everywhere uses peers to facilitate the PXE booting needed to reformat hard drives without a technician present.
By eliminating manual configuration in this way, organizations can gain fast access to Windows 10’s security capabilities and fortify themselves against risk.