March 8, 2018

Infographic: Windows 10 Security Primer


IT pros worldwide agree that Microsoft Windows 10 is a security must-have for enterprises. In an Enterprise Endpoint Security Survey, respondents ranked security capabilities highest amongst features compelling them to move to Windows 10.

Many people, however, are unsure exactly what features and capabilities Windows 10 offers. To that end, with help from my colleagues Ami Casto and Chaz Spahn, I have created this Windows 10 Security Primer Infographic.

The infographic organizes security features and capabilities by operating phase (offline, boot, logon, running).

Windows 10 Security Primer Infographic


Offline

Encrypt Fixed Drives

BitLocker is robust encryption technology from Microsoft that can encrypt an entire disk, including boot disks.

Encrypt Removable Drives

BitLocker to Go secures removable media such as USB drives.

Boot

Maximize Firmware-based Security

Windows 10 includes capabilities that help enterprises secure systems by leveraging capabilities now available in endpoint firmware.

On-Chip Cryptography and Security

Windows 10 can use a Trusted Platform Module (TPM) to enhance security. A TPM is hardware-based security consisting of a separate processing module with shielded memory. It can authenticate a unique physical device, and generate and store encryption keys. It can also take and store security measurements.

Authenticate Devices

TPM Attestation verifies that a device has an operational TPM chip, and further verifies that the TPM is trusted. Once a device is known to have a valid TPM, the authenticity of the device can be validated (this actually is Kelly Mason’s laptop and not an imposter).

Migrate from BIOS to UEFI

Secure 10 is a solution provided by Adaptiva to automate and speed the process of migrating large numbers of endpoints from using legacy BIOS to booting with UEFI. The solution includes a set of documentation and Microsoft System Center Configuration Manager task sequences. Contact us to learn more.

Control the Boot Process

Windows 10 leverages UEFI, advanced firmware that provides a number of hardware-based security capabilities that are available throughout the boot process.

Protect Against Rootkits and Bootkits

Windows 10 includes a series of features to prevent malicious code from infecting an operating system at the lowest levels including the boot loader, the OS kernel, and boot drivers.

Prevent Windows Bootloader Tampering

Secure Boot ensures that boot software has a valid signature. This prevents tampering with software that loads the Windows 10 kernel.

Prevent Tampering with Windows Kernel and Components

Trusted Boot verifies that the Windows 10 kernel itself has not been tampered with.

Early Launch Anti-Malware (ELAM)

ELAM prevents malware from infecting a system at the boot driver level by allowing only trusted drivers to load during Windows 10 boot.

Measured Boot

Measured Boot will log all boot activities to a server, where they can be analyzed for signs of infection or tampering.

Resolve Encryption Lockouts

Access PC/Disk When Locked Out

BitLocker Recovery allows access to a hard disk when the user is locked out. A recovery key may be generated in different ways, depending on how BitLocker was set up.

Logon

Replace Passwords with Biometric or PIN

Windows Hello for Business replaces traditional passwords with biometrics—thumbprint readers, facial recognition, etc.—and PINs.

Lock User Per Policy

Windows 10 can automatically lock users out when security is in question. This can be as simple as locking out an account after a set number of failed password entries, or more complex.

In addition to account lockout, Windows 10 can increment a TPM counter (an on-chip counter that is incremented each time a suspicious activity occurs). A TPM lockout occurs when the counter on a TPM chip exceeds a threshold. While in effect, the TPM will refuse authorizations by returning an error in response to command requests.

Protect Tokens During Exchange

Kerberos Armoring secures communication between a domain-joined client and its domain controller to prevent spoofing that could allow password-based attacks.

Authenticate Both User and Device

Compound Authentication ensures that the unique combination of user and device is authenticated, not just user or device.

Deny Access to Insecure Systems

Windows Device Health Attestation allows administrators to allow or deny access to corporate resources based on device health. Systems are checked at run time, and can only access corporate resources if they are correctly running key security components (e.g., ELAM, BitLocker, Secure Boot, and code integrity).
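As an added example (not part of the infographic or of any Adaptiva tool), the following PowerShell reports on the local device the same components that Device Health Attestation evaluates, plus the TPM lockout counters and account lockout threshold described under Logon. The cmdlets are standard Windows ones; the ELAM check assumes the Microsoft Defender ELAM driver, whose service name is WdBoot.

```powershell
# Read-only posture check for the boot- and logon-phase features in this primer.
# Run from an elevated PowerShell prompt on Windows 10. Each probe is wrapped so a
# missing module or legacy-BIOS firmware is reported instead of aborting the run.
function Get-Win10SecurityPosture {
    $result = [ordered]@{}

    # TPM presence, readiness and lockout state (TrustedPlatformModule module)
    try {
        $tpm = Get-Tpm
        $result['TpmPresent']   = [bool]$tpm.TpmPresent
        $result['TpmReady']     = [bool]$tpm.TpmReady
        $result['TpmLockedOut'] = [bool]$tpm.LockedOut
        $result['TpmLockout']   = "$($tpm.LockoutCount) of $($tpm.LockoutMax) failures"
    } catch { $result['TpmPresent'] = "unknown ($($_.Exception.Message))" }

    # Secure Boot: Confirm-SecureBootUEFI throws on legacy BIOS systems
    try   { $result['SecureBoot'] = [bool](Confirm-SecureBootUEFI) }
    catch { $result['SecureBoot'] = 'not available (legacy BIOS or no UEFI access)' }

    # BitLocker on the OS volume; ProtectionStatus 'On' means encryption is enforced
    try {
        $os = Get-BitLockerVolume -MountPoint $env:SystemDrive
        $result['BitLockerOsVolume'] = "$($os.VolumeStatus) / protection $($os.ProtectionStatus)"
    } catch { $result['BitLockerOsVolume'] = 'unknown (BitLocker module unavailable)' }

    # ELAM drivers unload once boot completes, so the check is that the Defender
    # ELAM driver (WdBoot) is registered as a boot-start driver, not that it is running.
    $elam = Get-CimInstance Win32_SystemDriver -Filter "Name='WdBoot'" -ErrorAction SilentlyContinue
    $result['ElamDriverRegistered'] = ($null -ne $elam -and $elam.StartMode -eq 'Boot')

    # Virtualization-based security: SecurityServicesRunning 1 = Credential Guard,
    # 2 = HVCI (hypervisor-enforced code integrity); VBS status 2 = running
    $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $running = @($dg.SecurityServicesRunning)
    $result['VbsRunning']        = ($dg.VirtualizationBasedSecurityStatus -eq 2)
    $result['CredentialGuard']   = ($running -contains 1)
    $result['HvciCodeIntegrity'] = ($running -contains 2)

    # Account lockout threshold from the effective local policy ('net accounts')
    $line = (net accounts) | Where-Object { $_ -match 'Lockout threshold' }
    $result['AccountLockoutThreshold'] = ($line -split ':\s*')[-1]

    return [pscustomobject]$result
}

Get-Win10SecurityPosture | Format-List
```

A device reporting SecureBoot true, BitLocker protection On, the ELAM driver registered and HVCI running is in the state the Device Health Attestation paragraph describes; any field reading unknown or false is the component to investigate.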

Running

Software

Prevent Unauthorized Changes

User Account Control (UAC) ensures that only administrators can install applications.

Allow/Deny Running Applications

AppLocker whitelists applications so only approved applications can run on an endpoint.

Block Known-Dangerous Content

Windows Defender SmartScreen connects to a service to make sure that software you have downloaded and are about to run is not malicious. It does this by checking it against a database of known-good software.

Isolate Threats via Virtualization

Windows Defender Application Guard can protect your system by isolating applications in their own virtualized environment.

Allow/Deny Running Applications Based on Cloud Reputation

Windows Defender Application Control intelligently restricts which applications, scripts, plug-ins, etc., can run on a system.

Apply Security Patches and Updates

Adaptiva OneSite Anywhere, working with Configuration Manager, protects endpoints by keeping software up to date. OneSite rapidly deploys and applies patches at scale using a secure peer-to-peer model.

Devices

Protect System and User Accounts Against Threats

Windows Defender Credential Guard protects passwords using virtualization-assisted security.

Harden Endpoints Against Malware

Windows Defender Device Guard prevents malware from running on a system using a variety of techniques.

Apply Security Configuration via Group Policy/MDM

Microsoft empowers systems administrators to apply device restriction policies via group policy or MDM. For enterprises using group policies, a Security Compliance Toolkit is available to help test and customize Microsoft-recommended configurations.

Data

Separate Business Data from Personal Data

Windows Information Protection allows enterprises to separate corporate and personal data and set restrictions for each. For example, a user may not be able to share, copy, or print corporate data while being given free rein with their cat pictures.

Control File Access Based on User and Device Attributes

Dynamic Access Control is the ability to change file-system permissions on different systems throughout the enterprise on the fly, in real time.

Cyber Defense

Protect PCs from Viruses, Malware and Ransomware

Windows Defender protects PCs from viruses, malware, and ransomware. Windows Defender has been improved in Windows 10 to the point where many security experts suggest using it over traditional third-party antivirus solutions.

Restrict Inbound/Outbound Network Traffic

Windows Defender Firewall with Advanced Security provides two-way traffic filtering for a device. The software is intelligent, meaning it will do basic configuration automatically. It works with other Microsoft network security technologies, managed through the Windows Defender Firewall interface.

Protect Web Activity with Browser Virtualization

Microsoft Edge runs each instance of the browser in its own virtual machine to limit the damage attackers can do. Internet-acquired malicious software cannot access the Windows 10 operating system or file system, just what is exposed to Edge’s virtual machine.

Simulate a Physical Smart Card

In a two-factor authentication scenario that would normally require a physical smart card, a virtual smart card can be used instead. This Windows 10 technology requires use of a system’s TPM chip.

Automate Security Configuration Management

Adaptiva Endpoint Health allows automation of security configuration management, including identification and remediation in the event of deviations from corporate policy.

Summary

While keeping your company safe in today’s environment is challenging, it’s also possible. Windows 10 is revolutionizing endpoint security in enterprises. It offers capabilities that help administrators stay ahead of cyberattackers in every phase of operation.

Mastering Windows 10 security is a huge step in your security success as you deploy and use the OS. I wish you the best as you fight the dark side!
