A recent survey conducted by Adaptiva1 found that 70% of Enterprise IT companies are concerned about security in their environments with the overwhelming majority of respondents planning to conduct security audits this year.
Respondents were also concerned about potential vulnerabilities in their environments but were optimistic that a move to Windows 10 could make their enterprises more secure.
Windows 10 is Microsoft's latest and most secure operating system (OS) to date. It has to be. The ever increasing complexity, adoption and use of technology enriches our lives and can make them easier, but with this comes an ever increasing spectrum of attack vectors.
Microsoft has broken these down into the following three broad categories in Windows 10:
With all these powerful new security features in Windows 10, trying to decide which features to implement and how to implement them might seem intimidating.
The purpose of this document is to provide you the reader with the Top 5 Security best practices for Windows 10 in the enterprise.
Although the term "Top Five" is used, it does not mean that any item is any more importance than any of the other items. Of course, the Top Five in your company may differ based on needs. Windows 10 also includes a host other security and non-security related features not covered by this whitepaper which you can read more about at: https://www.microsoft.com/en-US/windows/features
Few people think about what happens when they turn on their PC, they just hit the power button. Part of the boot process involves the PC looking for a bootloader which is then simply used to load the operating system. What if the bootloader has been tampered with or indeed the operating system? Without any safeguards in place the PC could be booted into an infected/rogue operating system.
To prevent this the Unified Extensible Firmware Interface (UEFI) specification was devised. It is a specification for a software program that connects a computer's firmware to its operating system (OS), which basically replaces the old Basic Input Output System (BIOS) traditionally used on PCs.
In addition to UEFI, the Secure Boot security standard was developed by members of the PC industry to help make sure that when your PC boots, it only uses software trusted by the PC manufacturer.
When the PC starts, the firmware checks the signature of each piece of boot software, including firmware drivers (Option ROMs) and the operating system. Only the hardware manufacturer has access to the digital certificate required to create a valid firmware signature. If the signatures are good, the PC boots and the firmware gives control to the operating system.
Secure Boot was originally introduced in Windows 8. If your computer did not ship with Windows 8/10 you still may be able to use it by updating the BIOS. Contact your computer manufacturer to see if a BIOS update is available that will enable this.
If you use Microsoft's System Center Configuration Manager (ConfigMgr), then take a look at Adaptiva's free ConfigMgr Community solution that will help you automate migrations from Windows 7/8 to secure Windows 10: http://www2.adaptiva.com/l/139131/2016-07-18/j7lfk
Not only does this provide you with an automated, unattended solution using ConfigMgr and freely available vendor utilities, it also handles the deployment of secure Windows 10 Enterprise with Secure Boot. It does not require any Adaptiva software to function, just straight ConfigMgr.
You may have the requirement to disable Secure Boot. For example, you might want to run an unsigned operating system, or use hardware that is incompatible with Secure Boot. All PCs certified to run with Windows 8 and later allow you to disable Secure Boot, but there a few things to bear in mind:
If you do need to disable Secure Boot, Microsoft provides details on how to do so here.
Credentials are key to controlling and gaining access to systems. However, they can also be easily compromised and once that happens you could be in big trouble. What if there were a way to better protect your credentials built-in to the operating system and to prevent operations if something untoward is detected?
Virtualization technologies such as Microsoft's Hyper-V are not new, and segregating operations to specific virtual machines is an effective way to reduce contagion. So what if we could leverage this same technology to isolate core operating system services in a similar way but in a client operating system such as Windows 10?
Well in Windows 10 you can. This is known as virtualization-based security (VBS), which means even if the kernel mode of the host operating system is compromised, the core operating system services cannot be manipulated.
This VBS environment consists of two services. The Hypervisor Code Integrity (HVCI) service determines if code executing in kernel mode is trustworthy and securely designed. The Local Security Authority (LSA) service manages authentication operations, including NT LAN Manager (NTLM) and Kerberos mechanisms.
In a nutshell Credential Guard segregates a part of the LSA service to help mitigate pass-the-hash and passthe-&cket attacks. A pass the hash attack is where an attacker uses the underlying NTLM and/or LanMan hash of a user's password to authenticate to a remote server/service instead of requiring the actual password. A pass-the-&cket a,ack is where an attacker uses the Kerberos Ticket Granting Ticket of a user recently logged into the domain to authenticate to a Windows server, gaining access to all servers and other resources for which the user has priviledges.
As Rob Lefferts, Director of Program Management, Windows Enterprise and Security states:
"Credential Guard has proven so impactful that customers have told us that it's their top-priority security feature and a benefit that is so compelling that it justifies the Windows 10 deployment all by itself. It's no wonder, since it combats one of the most prolific and critical tactics being used against organizations today: Pass the Hash (PtH)."
In order to use Credential Guard you are going to need the following combination of hardware and software:
Microsoft have released the Device Guard and Credential Guard hardware readiness tool (https://www.microsoft.com/en-us/download/details.aspx?id=53337) which you can use to check if your hardware is ready for Credential Guard (and Device Guard). The tool can enable them as well.
As Credential Guard relies on the security of the underlying hardware and firmware it is vital that you keep your firmware updated with the latest security fixes. You can use the System.Fundamentals.Firmware.UEFISecureBoot Windows Hardware Compatibility Program requirement to verify your firmware complies with the secure firmware update process.
You can use the System.Fundamentals.Firmware.CS.UEFISecureBoot.ConnectedStandby Windows Hardware Compatibility Program requirement to verify your firmware is using UEFI version 2.3.1 or higher and Secure Boot.
Historically, users have by and large been rather too trusting when running applications. If an application causes damage or allows a security breach, system administrators find out after the fact.
In Windows 10 this all changes with the Device Guard feature, the basic premise of which is to only run those applications we know about and explicitly trust. Anything else will be blocked.
Device Guard is a combination of hardware and software hardening features that utilize the new virtualization-based security (VBS) environment introduced in Windows 10 discussed in the Credential Guard section.
On the hardware side, Device Guard integrates with advanced hardware features such as CPU virtualization extensions, Input–Output Memory Management Units (IOMMUs), and 64-bit processors with Second Level Address Translation (SLAT), to leverage these hardware features inside Windows 10 itself.
As a result, in order to use Device Guard you are going to need the following combination of hardware and software:
Utilizing Device Guard, organizations can chose exactly which software (either from external suppliers or written in house), can run code on your Windows 10 clients. If it's not on the list, the machine can't run it. In this way, it protects the system core and the processes and drivers running in kernel mode.
Device Guard can be enabled and managed using the following management tools:
Device Guard is not meant to be the silver bullet to all your anti-malware issues. To get the most from it you should deploy it along with the other threat-resistance features available in Windows 10 such as AppLocker and Credential Guard. Microsoft also recommends you continue to maintain an enterprise antivirus solution as part of your enterprise security portfolio.
A lot of the security features mentioned in this whitepaper rely on the Trusted Platform Module (TPM).
You can use the table in the Dell PlaCorm Support for TPM 2.0 (Shipping as of January 2016 - Factory default is TPM 2.0 for Windows 10) section of the TPM 1.2 vs. 2.0 Features page of the Dell Wiki to verify to see which Dell systems support TPM 1.2/2.0.
For Lenovo machines they added the Device Guard feature to their 2016 ThinkPad models (T460/X260) which feature Intel's Skylake platform. They added the Secure Boot feature to their 2014 ThinkPad models (T440/X240) which feature Intel's Haswell platform.
Any data stored locally on a machine is at risk especially when that machine leaves the sanctuary of your company. There are various steps you can take to protect the machine and its data including encrypting the hard drive, which is where BitLocker comes in.
BitLocker is at its most effective when it is used on a machine with a Trusted Platform Module (TPM) chip. The chip works with BitLocker to help protect the user's data and ensure the system was not interfered with with while offline.
Enabling the TPM in earlier versions of Windows was a bit of a hassle. Thankfully in Windows 10 Microsoft now includes instrumentation that allows the operating system to fully manage the TPM. This means no more messing about in the BIOS and countless restarts.
In Windows 10 BitLocker has had a bit of an overhaul. It can now protect individual files as well as entire hard drives (both system and data). It is also now possible to pre-provision BitLocker (enabling the TPM and BitLocker), using a Task Sequence or from within the Windows Pre-installation Environment before installing Windows. If you also configure BitLocker to encrypt Used Disk Space Only this can drastically reduce the time taken to enable BitLocker compared to previously where you had to wait for the entire drive to be encrypted before BitLocker was fully enabled.
A word of warning here. If you are encrypting a drive using Used Disk Space Only on a disk that previously contained confidential data that has since been deleted, the confidential data is potentially at risk of being able to be recovered by recovery tools. This risk may remain until the space it occupies is overwritten by fresh data which will be encrypted by BitLocker.
Of course there will be a slight performance overhead of data being encrypted as it is being written to unencrypted parts of the disk.
What else can you do if someone manages to get physical access to the machine? If your machine has a
TPM and BitLocker has been enabled on the system drive, you can enforce that the user needs to type a PIN before BitLocker will unlock the drive. They then also need to have valid credentials to able to logon to the machine.
Enabling such an option is a case of balancing the risk versus the impact it is going to have on the user who has to remember and type the PIN each time they want to use their machine. Users can now manage their PINs and passwords in Windows 10 themselves rather than having to contact a system administrator or use an administrative account.
There are a whole raft of other improvements to BitLocker in Windows 10 such as support for SelfEncrypting Drives (SEDs) and Network Unlock. These capabilities are a bit beyond the scope of this paper, but worth checking out if interested.
With BitLocker enabled to protect the system drive, consider tying your users credentials to TPM. This way, if someone enters them incorrectly a set number of times (such as during a brute-force attack), Windows will automatically restart the device and put it in BitLocker recovery mode where it will stay until someone enters a valid 48-character recovery key. Obviously, make sure you have copies of your Recovery keys.
To establish how many incorrect guesses you want to allow, run gpedit.msc to open the Local Group Policy Editor. Then navigate to:
Computer Configuration\Windows SeOngs\Security SeOngs\Security Options.
Open the Interactive Login: Machine Account Lockout Threshold and set the number of invalid logon aVempts to the required value.
If you already have BitLocker enabled on Windows 7/8 machines you don't need to decrypt the drive (i.e., completely remove BitLocker protection and fully decrypt the drive), in order to upgrade the machine to Windows 10.
Instead, open the BitLocker Drive Encryption Control Panel. Then click Manage BitLocker and click Suspend which simply disables BitLocker authentication and instead uses a clear key on the drive to enable access (the drive is not decrypt).
Once you have completed the upgrade to Windows 10 open Windows Explorer, right-click the relevant drive and click Resume Protection to reapply the BitLocker authentication methods and delete the clear key.
To verify if a computer has a TPM chip simply open the Trusted PlaCorm Module (TPM) Management Console
(run tpm.msc) and look under the Status heading. It will state The TPM is ready for use if the computer has a TPM and it has been prepared.
Even given the long history of the PC and Windows, there are still several missing pieces of the security jigsaw including:
However, it is not all about restriction. Many businesses rely on being able to share business information securely both inside their organization and outside.
Up until now none of the required functionality to tackle these issues has been built into the Windows operating system out-the-box. Sure Microsoft provides some tools to address some of these areas but not all of them.
However, now with the advent of the Windows 10 Anniversary Edition Microsoft provides these capabilities and more in the Windows Information Protection (WIP), feature formerly known as Enterprise Data Protection.
Specifically designed to work with Office 365 ProPlus and Azure Rights Management, WIP can distinguish between corporate and personal data. Then it can restrict what happens to corporate data when it leaves the device. For example a user can be prevented from forwarding an email containing business data to an unapproved recipient. At an even more basic level, WIP can control which applications have access to corporate data and what those applications can do with it. For example, WIP can prevent the copy and pasting or printing of corporate data in unapproved applications or to unapproved locations. If a user tries to perform an action that is not permitted, the action can be blocked and audited. This auditing can highlight potential issues that may need further attention, such as education on corporate policy.
Traditionally, solutions to issues such as these have required compromising the user experience at the expense of securing the data. There are countless Mobile Device Management (MDM), solutions available, all with their nuances such as requiring the user to switch modes depending on whether they are working with corporate or personal data as these are kept in separate containers. With some solutions, the user can't use Outlook but instead has to use a specific MDM email client which is stripped down in terms of functionality for security reasons.
In the non-mobile space, things are slightly better and more integrated with the operating system. However, companies are still relying on third party add-ons which they need to purchase, learn, and maintain.
WIP on the other hand is part of the Windows OS itself so it's fully integrated. It is also incredibly easy to deploy by enabling some policies in your MDM (for example Microsoft Intune) or using System Center Configuration Manager (ConfigMgr). As WIP is fully integrated into the OS there is no need to switch modes to work with different data types, or to use feature-limited versions of applications. Users just carry on doing what they do using the applications they know. WIP can even continue to protect your data when it is copied off to USB drives or other removable data.
Microsoft's goal when designing WIP was to come up with something that everyone could and would deploy regardless of company size. As it works in conjunction with Office 365 and Azure Rights Management this is one Windows 10 feature you definitely want to look at to take your data leak prevention to the next level.
If you want to be able to use WIP with Office, ensure you are using the Office 2016 Universal Windows apps as these are ready to go and fully support WIP.
Microsoft publishes a whole host of information about WIP, including how to set it up. Here are a couple of links to get you started:
Create a Windows Information Protection (WIP) policy: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/overview-create-wip-policy
General guidance and best practices for Windows Information Protection (WIP): https://technet.microsoft.com/en-us/itpro/windows/keep-secure/guidance-and-best-practices-wip
Although it may seem like you need the Enterprise version of Windows 10 in order to get access to Windows Information Protection (WIP), that is not the case.
WIP is available in the Windows 10 Professional SKU and upwards as detailed under the Security section of the Compare Windows 10 Editions page on the Microsoft website.
In addition to the Top Five Security features we've already looked at in this document, Windows 10 includes a plethora of other security-related features some of which are summarized below:
As with any migration, when considering migrating to Windows 10 you need to plan your migration carefully to avoid as many potential issues as possible.
Of course Microsoft's recommend tool of choice when it comes to deploying/migrating to Windows 10 is System Center Configuration Manager (ConfigMgr) Current Branch which includes a raft of functionality.
But in addition to ConfigMgr, you may also wish to take a look at Adaptiva's OneSite product, which includes features such as the following to bolster and improve on the ConfigMgr out-the-box experience in three key areas:
This is all about achieving secure content delivery, anytime, anywhere. It shouldn't matter what you need to deliver, to where, or when; OneSite can deliver content promptly, securely and without adversely affecting the core purpose of your network – your business.
It is all very well being able to deliver content efficiently, but if the content is not secure and is open to tampering either in transit or at its destination then you have big problems. OneSite can drastically reduce your ConfigMgr infrastructure requirements and thus your potential attack surface and the headaches of monitoring and maintenance. Not only is all content sent by OneSite encrypted during transmission, it's also securely encrypted on the disk.
Couple this with the use of 512-bit Secure Hash Algorithm (SHA-512) to prevent tampering, and OneSite meeting all the requirements for the Federal Information Processing Standard (FIPS) Publication 140-2 (amongst others), means OneSite delivers the highest security compliance of any content distribution technology in market.
Should the worst happen and you find yourself with a security breach you want a solution that is "ready to go" with the most secure configurations (that can be customized). You also want the ability to remediate the breach as soon as possible by pushing the required fix out once to all affected endpoints without waiting for each individual client to reach it's polling cycle. With OneSite, you can also use the Workflow Designer to enforce security policies and lock down errant systems automatically.
This report was written by Cliff Hobbs. Cliff is a 13 times Microsoft Most Valuable Professional (MVP), the first to be awarded in the UK for Microsoft System Center Configuration Manager (ConfigMgr/SCCM) and Systems Management Server (SMS).
He has worked as a Consultant with the product since 1998, during which time he has gained extensive experience of designing, deploying, supporting, and documenting enterprise-wide Configuration Manager implementations on behalf of many companies such as Microsoft, HP, EDS, Getronics, 1E and Abbey (now Santander), across multiple industry sectors.
Since 1998 Cliff has been writing Frequently Asked Questions (FAQs) related to ConfigMgr and its related products. In 2003 he founded http://faqshop.com which is one of the most popular websites for ConfigMgr-related information.
Adaptiva is a leading, global provider of IT systems management solutions that advance the power of Microsoft System Center Configuration Manager. Founded in 2004 by the lead architect of Microsoft SMS 2003, Adaptiva enables IT professionals to securely speed enterprise-wide software deployments without adding costly servers or throttling network bandwidth. The company's breakthrough peer-to-peer systems management technology uses intelligence, automation, and bandwidth optimization techniques to distribute content faster than any other systems management solution available today. Adaptiva's suite of smart scaling systems management products includes OneSite™ for rapid content distribution and management, Client Health™ for endpoint security, troubleshooting, and remediation, and Green Planet™ for energy-efficient power management and patching. The company's software is used by Fortune 500 companies and deployed on millions of devices in over 100 countries. Learn more at adaptiva.com.