Free Republic

Microsoft reveals audacious plans to tighten security with Windows 10
ZDNet ^ | 10/22/2014 | Ed Bott

Posted on 10/22/2014 2:02:45 PM PDT by SeekAndFind

Summary: Windows 10 will build in standards-based two-factor authentication to every device, effectively neutering most phishing attacks and password database breaches. The company also announced new features aimed at securing corporate machines from malware attacks and data leaks.

Most of the early coverage of the Windows 10 Technical Preview has focused on the new Start menu, virtual desktops, and other highly visible parts of the user experience. But even in these early builds there are hints of much more momentous changes to come, especially in the crucial realm of security.

The most tantalizing hint so far has been a new service called Next Generation Credentials, which is installed but not started in the most recent preview builds.

Today, Microsoft revealed more details about its plans to "move the world away from the use of single factor authentication options, like passwords." The feature, which isn't currently enabled in Windows 10 Technical Preview builds, will allow the owner of a Windows 10 device (PC, tablet, or phone) to enroll that device as trusted for the purposes of authentication. In combination with a PIN or biometric proof, such as a fingerprint, the user will be able to sign in to any supported mobile service.

The PIN, Microsoft says, can be any combination of alphanumeric characters; it doesn't have to be restricted to a short numeric code. If that PIN is stolen in a database breach or phishing attack, the thief will be unable to access any services, because the hardware part of the two-factor authentication requirement isn't present. Likewise, a stolen device without the necessary PIN will be useless.

The authentication scheme isn't proprietary. Instead, it's based on standards from the FIDO Alliance, whose membership includes a who's who of computing giants (Google, Microsoft, Lenovo, and more), banking and payments companies (BofA, PayPal, Visa and MasterCard), and established security firms like RSA and IdentityX.

On the device itself, the required public and private keys can be issued by an enterprise using its existing PKI infrastructure, or for consumer devices they can be generated and securely stored by Windows 10 itself.

According to Microsoft, Windows 10 users will be able to enroll any or all of their devices with these new credentials. As an alternative, they can choose to enroll a single device, which then serves as a virtual smart card. A mobile phone, for example, can offer two-factor authentication using Bluetooth or WiFi for signing in on local devices or accessing remote resources.
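As an added example (not from the article, and not Microsoft's implementation), this Go program models the scheme described above: the enrolled device holds a private key that only the PIN unlocks, while the service stores just the public key and issues a fresh challenge at each sign-in, so a phished PIN or a leaked service database is useless without the device, and a stolen device is useless without the PIN. The Device and RelyingParty types, the Ed25519 key choice and the SHA-256 PIN check are constructed assumptions, not FIDO protocol details.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// Device models the enrolled Windows 10 device (constructed): the private key is used only after the correct PIN is presented.
type Device struct {
	priv    ed25519.PrivateKey
	pinHash [32]byte
}

// RelyingParty models the service; it stores only the public key, so a breached database yields no replayable login.
type RelyingParty struct{ pub ed25519.PublicKey }

// Enroll generates the device-bound key pair and registers its public half.
func Enroll(pin string) (*Device, *RelyingParty, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	d := &Device{priv: priv, pinHash: sha256.Sum256([]byte(pin))}
	return d, &RelyingParty{pub: pub}, nil
}

// Sign signs the challenge only if the PIN unlocks the key; a stolen device without the PIN yields nothing.
func (d *Device) Sign(pin string, challenge []byte) ([]byte, bool) {
	h := sha256.Sum256([]byte(pin))
	if subtle.ConstantTimeCompare(h[:], d.pinHash[:]) != 1 {
		return nil, false
	}
	return ed25519.Sign(d.priv, challenge), true
}

// Authenticate: fresh service challenge, device signature, verification against the enrolled public key.
func Authenticate(d *Device, rp *RelyingParty, pin string) bool {
	challenge := make([]byte, 32)
	rand.Read(challenge) // fresh nonce: a PIN phished elsewhere cannot answer it
	sig, ok := d.Sign(pin, challenge)
	return ok && ed25519.Verify(rp.pub, challenge, sig)
}

func main() {
	dev, rp, _ := Enroll("correct-horse") // constructed PIN
	fmt.Println(Authenticate(dev, rp, "correct-horse"), Authenticate(dev, rp, "wrong")) // true false
}
```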

The user access tokens themselves will be stored in a virtualized secure container (running on top of Hyper-V technology), eliminating the effectiveness of common attacks such as Pass The Hash.

In today's announcements, Microsoft also laid out two new features in Windows 10 that will tighten security for its enterprise customers.

The first is a set of information-protection capabilities that make it possible to protect corporate data even on employee-owned devices. Windows 10, the company says, will allow network administrators to define policies that automatically encrypt sensitive information, including corporate apps, data, email, and the contents of intranet sites.

Because support for this encryption will be built into the APIs for common Windows controls, such as Open and Save dialog boxes, it will be available to all Windows apps that use those controls. For tighter security, administrators can create lists of apps that are allowed to access encrypted data as well as those that are denied access—a network administrator might choose to deny access to cloud services such as Dropbox, for example.

A final security measure is potentially a big winner for organizations with high-security needs, such as banks and other regulated industries as well as defense contractors and government agencies concerned about online espionage. With Windows 10 Enterprise edition and specially configured OEM hardware, administrators will be able to completely lock down devices so that they're unable to run untrusted code.

In this configuration, the only apps that will be allowed to run are those signed by a Microsoft-issued code-signing certificate. That includes any app from the Windows Store as well as desktop apps that have been submitted for approval through Microsoft. Enterprises with internal line-of-business apps can get their own key generator, which will allow those apps to run on their network but won't work outside the network.

For more details on the changes, see this blog post from Microsoft.



TOPICS: Business/Economy; Computers/Internet
KEYWORDS: microsoft; security; windows10
To: catnipman
if Microsoft quits automatically giving superuser privilege to ALL user accounts by default

Is there a way to configure a W7 or W8 account like that?

21 posted on 10/22/2014 3:10:26 PM PDT by Jeff Chandler (Conservatism is the political disposition of grown-ups.)
[ Post Reply | Private Reply | To 5 | View Replies]

To: zeugma
Some folks set their sights pretty low I guess.

Not all of us are gamers, use their computers as music stations, or worship the Apple God.

I use my desktop for basic computer functions and applications, and XP fitted the bill. IMO, it was the best OS Microsoft has ever developed.

That's fine that Microsoft is developing new OSs, but XP should have been sold as a second-tier or budget OS.

22 posted on 10/22/2014 3:14:11 PM PDT by Extremely Extreme Extremist (15 years of FReeping! Congratulations EEE!)
[ Post Reply | Private Reply | To 19 | View Replies]

To: SeekAndFind

Is Window 10 being marketed for home use as well? All that security mumbo-jumbo sounds too complicated for the average person to use, much less to configure. Will an on-site IT person be included with every purchase?


23 posted on 10/22/2014 3:22:22 PM PDT by TexasRepublic (Socialism is the gospel of envy and the religion of thieves)
[ Post Reply | Private Reply | To 1 | View Replies]

To: catnipman; SeekAndFind
"Furthermore, my experience with those piles of security band-aids is that malware finds a way around them every time, and then those “security” band-aids turn into major impediments for removing the malware. In other words, the security measures don’t block the malware, but do block the sys admin efforts."

Yup!

24 posted on 10/22/2014 3:23:56 PM PDT by haywoodwebb (Telling people the truth about Jesus is all that really matters now...)
[ Post Reply | Private Reply | To 5 | View Replies]

To: ken in texas
Many applications contain code to check the version number of Windows, and assume Windows 95 or 98 if the version number starts with 9.

Rather than break all that old code they went to 10.


That so? Thanks for this explanation, Ken.
25 posted on 10/22/2014 3:25:22 PM PDT by Resettozero
[ Post Reply | Private Reply | To 16 | View Replies]

To: SeekAndFind

Looks like they’re going at it from the wrong side. Windows doesn’t need more front end security with more fancy ways to log in. It needs to separate administrator from root.


26 posted on 10/22/2014 3:32:03 PM PDT by discostu (YAHTZEE!)
[ Post Reply | Private Reply | To 1 | View Replies]

To: SeekAndFind

Has it been tested by a gaggle of hackurz?


27 posted on 10/22/2014 4:12:47 PM PDT by Jack Hydrazine (Pubbies = national collectivists; Dems = international collectivists; We need a second party!)
[ Post Reply | Private Reply | To 1 | View Replies]

To: Resettozero

At least I think that’s the explanation... have run across it in several other places. I understand the desire to not break something that works — spent many years of my life digging through old code to fix problems introduced by other software changes.


28 posted on 10/22/2014 4:29:18 PM PDT by ken in texas
[ Post Reply | Private Reply | To 25 | View Replies]

To: Jeff Chandler

“Is there a way to configure a W7 or W8 account like that?”

Indeed there is, via control panel User Accounts -> manage other accounts -> create new account.

For existing computers, the best bet is to create a new account called Admin and, after logging on to Admin, convert your old account to a limited user account, again via manage other account -> change account type.

Put a password on Admin (say “password”) to neutralize accidentally clicking yes to any UAC popups on the limited account without first wondering why you got a UAC popup (usually a virus trying to install).


29 posted on 10/22/2014 5:45:27 PM PDT by catnipman (Cat Nipman: Vote Republican in 2012 and only be called racist one more time!)
[ Post Reply | Private Reply | To 21 | View Replies]

To: Extremely Extreme Extremist
I use my desktop for basic computer functions and applications, and XP fitted the bill. IMO, it was the best OS Microsoft has ever developed.

True enough, but the big problem with XP was always that it was a single-user, mostly non-networked OS with a decade's worth of bolt-ons and duct tape that would hold the whole mess together for a while, but ultimately was undermined by the fundamental weakness of the structure underneath it all.

I'm not a gamer either, nor do I personally own any apple products with the exception of a hand-me-down iphone 4, twice removed from its original owner.

I use computers to get jobs done, and occasionally to learn with. I want something designed to be multi-user from the ground up because we have more folks here than just me. I also want the OS to not get in the way or self-destruct on me over time. For me, the answer has been Linux. Some folks are apparently willing to accept the headaches and hassles of running Windows (i.e., registry cleaners, virus scanners, malware scanners, having to reload every year to keep any kind of appreciable performance); I'm not.

I've used many different kinds of computers, and have supported everything from IBM mainframes, to HP and DEC minicomputers, to small LANs of workstations. I have a lot of experience with different types of computers, and how they work and manage information. My rather lengthy experience with XP is that it's "OK", but a kludge. Using a "registry" the way that Microsoft does is pretty much broken as far as I'm concerned, for many reasons. People forget how utterly bad it was when it first came out. Most folks don't remember that it was pretty unusable until SP2.

However, because it was around long enough, and eventually became stable enough for most people who didn't know any better, it became familiar. It is the familiarity that people are so attached to IMO.

Personally, I'll never own a Microsoft operating system until two things happen.

1) A file should not be executable based on its name.

2) The registry really has to go.

My 2 cents. YMMV


30 posted on 10/23/2014 7:05:33 AM PDT by zeugma (The act of observing disturbs the observed.)
[ Post Reply | Private Reply | To 22 | View Replies]

To: catnipman

I think you’ve misunderstood me. I’m talking about the user accounts, not the users themselves. Of course the owner of the computer has to have admin privileges by default, every operating system in existence is set up the same way.


31 posted on 10/23/2014 7:36:05 AM PDT by Boogieman
[ Post Reply | Private Reply | To 20 | View Replies]

To: Boogieman

“I think you’ve misunderstood me. I’m talking about the user accounts”

I did misunderstand you. But in response, almost ALL modern software from all but the one-off, rinky-dink software companies works just fine in limited-user accounts when installed system-wide. Very old software can be problematic too, but the big boys, like Intuit, Adobe, etc., have long since fixed those issues in newer versions.

For 99.99% of home users, limited-user accounts pose little, if any, problems. I’ve set up hundreds of computers this way for business and home and it works just fine, and their instance of malware attack has dropped to nil. Even if malware gets into a limited account, it can’t infect the system, so it’s easy to log off the limited account, go to the Admin account and delete the malware files by hand or have a program like Malwarebytes do it for you.


32 posted on 10/23/2014 9:01:43 AM PDT by catnipman (Cat Nipman: Vote Republican in 2012 and only be called racist one more time!)
[ Post Reply | Private Reply | To 31 | View Replies]

To: SeekAndFind

This adds outrage to the already pathetic state of affairs. They can’t secure our passwords, or our personal machines in our homes and offices, but now they will insist on our biometric data and make it insecure as well.

A simple fact that remains is that it would be quite easy for MS to secure our machines. They choose not to.


33 posted on 10/23/2014 9:30:20 AM PDT by stevestras
[ Post Reply | Private Reply | To 1 | View Replies]

