Microsoft reveals audacious plans to tighten security with Windows 10
ZDNet | 10/22/2014 | Ed Bott
Posted on 10/22/2014 2:02:45 PM PDT by SeekAndFind
Summary: Windows 10 will build in standards-based two-factor authentication to every device, effectively neutering most phishing attacks and password database breaches. The company also announced new features aimed at securing corporate machines from malware attacks and data leaks.
Most of the early coverage of the Windows 10 Technical Preview has focused on the new Start menu, virtual desktops, and other highly visible parts of the user experience. But even in these early builds there are hints of much more momentous changes to come, especially in the crucial realm of security.
The most tantalizing hint so far has been a new service called Next Generation Credentials, which is installed but not started in the most recent preview builds.
Today, Microsoft revealed more details about its plans to "move the world away from the use of single factor authentication options, like passwords." The feature, which isn't currently enabled in Windows 10 Technical Preview builds, will allow the owner of a Windows 10 device (PC, tablet, or phone) to enroll that device as trusted for the purposes of authentication. In combination with a PIN or biometric proof, such as a fingerprint, the user will be able to sign in to any supported mobile service.
The PIN, Microsoft says, can be any combination of alphanumeric characters; it doesn't have to be restricted to a short numeric code. The PIN is checked on the device itself, to unlock the key stored there, and is never sent to the service. So a PIN captured by phishing or exposed in a database breach gets a thief nothing, because the hardware half of the two-factor requirement isn't present. Likewise, a stolen device without the PIN is useless.
The authentication scheme isn't proprietary. Instead, it's based on standards from the FIDO Alliance, whose membership includes a who's who of computing giants (Google, Microsoft, Lenovo, and more), banking and payments companies (BofA, PayPal, Visa and MasterCard), and established security firms like RSA and IdentityX.
On the device itself, the required public and private keys can be issued by an enterprise using its existing PKI, or, for consumer devices, generated and securely stored by Windows 10 itself.
According to Microsoft, Windows 10 users will be able to enroll any or all of their devices with these new credentials. As an alternative, they can choose to enroll a single device, which then serves as a virtual smart card. A mobile phone, for example, can offer two-factor authentication using Bluetooth or WiFi for signing in on local devices or accessing remote resources.
The user access tokens themselves will be stored in a virtualized secure container (running on top of Hyper-V technology), isolated from the rest of the operating system. That blunts common credential-theft attacks such as Pass the Hash, which work by reading those secrets out of the normal system's memory.
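The following is an added example, not code from the article or from Microsoft: a Go sketch of the public-key challenge and response that the FIDO design rests on, showing why the stolen-PIN and stolen-device cases described above both fail. The type names, the example origins, the user name and the PIN are invented for illustration, and a SHA-256 of the PIN stands in for the hardware-backed, rate-limited PIN check a real authenticator performs; real FIDO messages carry more fields, but the checks are the same.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// Authenticator stands in for the enrolled device. The private key never leaves it
// and the PIN is checked here, locally, to unlock that key; it is never sent to any
// service. (A SHA-256 of the PIN is only a stand-in for a hardware-backed check.)
type Authenticator struct {
	pinHash [32]byte
	pub     ed25519.PublicKey
	priv    ed25519.PrivateKey
}

// RelyingParty stands in for the service. Its user table holds only public keys, so
// a breach of it yields nothing an attacker can sign in with.
type RelyingParty struct {
	Origin string
	users  map[string]ed25519.PublicKey
}

func NewAuthenticator(pin string) *Authenticator {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Authenticator{pinHash: sha256.Sum256([]byte(pin)), pub: pub, priv: priv}
}

// signedMessage binds a signature to the origin the user is really talking to and to
// the server's one-time challenge; the length prefix keeps the two from being re-split.
func signedMessage(origin string, challenge []byte) []byte {
	msg := append([]byte{byte(len(origin))}, origin...)
	return append(msg, challenge...)
}

// Sign refuses without the right PIN (so a stolen device alone is useless) and signs
// the origin the client actually sees, so a phishing page ends up with a signature
// the genuine site will not accept.
func (a *Authenticator) Sign(pin, origin string, challenge []byte) ([]byte, error) {
	h := sha256.Sum256([]byte(pin))
	if subtle.ConstantTimeCompare(h[:], a.pinHash[:]) != 1 {
		return nil, errors.New("authenticator: wrong PIN, key stays locked")
	}
	return ed25519.Sign(a.priv, signedMessage(origin, challenge)), nil
}

// Challenge issues a fresh random nonce per sign-in; because the signature covers it,
// a captured signature cannot be replayed later.
func (rp *RelyingParty) Challenge() []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	return c
}

// Verify checks the signature under the user's enrolled key, over the RP's own origin
// and the challenge it issued. Another origin, challenge or key all fail the same way.
func (rp *RelyingParty) Verify(user string, issued, sig []byte) error {
	pub, ok := rp.users[user]
	if !ok {
		return errors.New("unknown user")
	}
	if !ed25519.Verify(pub, signedMessage(rp.Origin, issued), sig) {
		return errors.New("signature does not verify for this origin, challenge and enrolled key")
	}
	return nil
}

// Outcome records whether each sign-in attempt was accepted.
type Outcome struct{ CorrectPIN, WrongPIN, PhishedOrigin, StolenPINNoDevice bool }

// RunScenarios plays out the cases the article describes against one enrolled device.
func RunScenarios() Outcome {
	const pin = "correct horse battery staple" // any alphanumeric string, not just digits
	rp := &RelyingParty{Origin: "https://mail.example.com", users: map[string]ed25519.PublicKey{}}
	device := NewAuthenticator(pin)
	rp.users["alice"] = device.pub // enrollment: only the public key crosses the wire
	attempt := func(dev *Authenticator, usePIN, origin string) bool {
		ch := rp.Challenge()
		sig, err := dev.Sign(usePIN, origin, ch)
		return err == nil && rp.Verify("alice", ch, sig) == nil
	}
	return Outcome{
		CorrectPIN:        attempt(device, pin, rp.Origin),
		WrongPIN:          attempt(device, "1234", rp.Origin),                        // device, no PIN
		PhishedOrigin:     attempt(device, pin, "https://mail.example.com.evil.test"), // PIN typed on a lookalike
		StolenPINNoDevice: attempt(NewAuthenticator(pin), pin, rp.Origin),            // PIN, no enrolled device
	}
}

func main() { fmt.Printf("%+v\n", RunScenarios()) }
```

Only the first attempt succeeds. The wrong-PIN case never produces a signature; the phished case produces one over the lookalike origin, which the real site's Verify rejects; and the attacker who knows the PIN but holds a different device signs with a key the service never enrolled. Note what the service never stores: no PIN, no password hash, nothing that a breach of its user table would let an attacker replay.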
In today's announcements, Microsoft also laid out two new features in Windows 10 that will tighten security for its enterprise customers.
The first is a set of information-protection capabilities that make it possible to protect corporate data even on employee-owned devices. Windows 10, the company says, will allow network administrators to define policies that automatically encrypt sensitive information, including corporate apps, data, email, and the contents of intranet sites.
Because support for this encryption will be built into the APIs for common Windows controls, such as Open and Save dialog boxes, it will be available to all Windows apps that use those controls. For tighter security, administrators can create lists of apps that are allowed to access encrypted data as well as those that are denied access. A network administrator might choose to deny access to cloud services such as Dropbox, for example.
A final security measure is potentially a big winner for organizations with high-security needs, such as banks and other regulated industries as well as defense contractors and government agencies concerned about online espionage. With Windows 10 Enterprise edition and specially configured OEM hardware, administrators will be able to completely lock down devices so that they're unable to run untrusted code.
In this configuration, the only apps that will be allowed to run are those signed by a Microsoft-issued code-signing certificate. That includes any app from the Windows Store as well as desktop apps that have been submitted for approval through Microsoft. Enterprises with internal line of business apps can get their own key generator, which will allow those apps to run on their network but won't work outside the network.
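The following is an added example, not code from the article or from Microsoft: a Go sketch of the lock-down rule just described, in which a loader runs an image only if its signature verifies under a key listed in that device's policy. The signer names, file names and image bytes are constructed for illustration, and raw Ed25519 keys stand in for the Authenticode signatures and certificate chains Windows actually uses; the policy decision has the same shape. The consumer policy, which lists only the vendor key, is how "won't work outside the network" falls out: the enterprise's key is simply absent from other devices' policies.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Signer is a code-signing authority: the platform vendor's key, which every locked-
// down device trusts, or an enterprise key that only that enterprise's policy lists.
type Signer struct {
	Name string
	pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewSigner(name string) *Signer {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Signer{Name: name, pub: pub, priv: priv}
}

// SignedBinary is an executable image with a detached signature over its SHA-256.
// SignerName is only a claim made by the file; the policy trusts the key, not the name.
type SignedBinary struct {
	Name, SignerName string
	Image, Signature []byte
}

func (s *Signer) Sign(name string, image []byte) SignedBinary {
	digest := sha256.Sum256(image)
	return SignedBinary{Name: name, SignerName: s.Name, Image: image, Signature: ed25519.Sign(s.priv, digest[:])}
}

// Policy is the lock-down rule set: an image runs only if its signature verifies under
// one of the listed keys. Unsigned, tampered and unknown-signer images are blocked.
type Policy struct{ Trusted map[string]ed25519.PublicKey }

func NewPolicy(signers ...*Signer) Policy {
	p := Policy{Trusted: map[string]ed25519.PublicKey{}}
	for _, s := range signers {
		p.Trusted[s.Name] = s.pub
	}
	return p
}

// MayRun is the check a loader makes before mapping the image.
func (p Policy) MayRun(b SignedBinary) error {
	pub, ok := p.Trusted[b.SignerName]
	if !ok {
		return fmt.Errorf("%s: signer %q is not in this device's policy", b.Name, b.SignerName)
	}
	digest := sha256.Sum256(b.Image)
	if !ed25519.Verify(pub, digest[:], b.Signature) {
		return fmt.Errorf("%s: signature does not verify (tampered image or forged signer)", b.Name)
	}
	return nil
}

// Verdicts records which images each policy lets run.
type Verdicts struct{ StoreAppOnEnterprise, LOBAppOnEnterprise, LOBAppOnConsumer, Tampered, Unsigned, Impostor bool }

// RunPolicyScenarios plays out the article's cases against two devices' policies.
func RunPolicyScenarios() Verdicts {
	vendor := NewSigner("Microsoft")         // trusted on every locked-down device
	contoso := NewSigner("Contoso LOB")      // enterprise's own code-signing key
	enterprise := NewPolicy(vendor, contoso) // policy on the enterprise's own machines
	consumer := NewPolicy(vendor)            // policy anywhere else: no Contoso key

	storeApp := vendor.Sign("calc.exe", []byte("constructed Store app image"))
	lobApp := contoso.Sign("payroll.exe", []byte("constructed internal payroll image"))
	unsigned := SignedBinary{Name: "dropper.exe", Image: []byte("constructed unsigned image")}

	tampered := storeApp // same signature, one byte of the image flipped after signing
	tampered.Image = append([]byte{}, storeApp.Image...)
	tampered.Image[0] ^= 0xff

	rogue := NewSigner("Microsoft") // attacker's own key claiming the vendor's name
	impostor := rogue.Sign("update.exe", []byte("constructed lookalike image"))

	allowed := func(p Policy, b SignedBinary) bool { return p.MayRun(b) == nil }
	return Verdicts{
		StoreAppOnEnterprise: allowed(enterprise, storeApp),
		LOBAppOnEnterprise:   allowed(enterprise, lobApp),
		LOBAppOnConsumer:     allowed(consumer, lobApp),
		Tampered:             allowed(enterprise, tampered),
		Unsigned:             allowed(enterprise, unsigned),
		Impostor:             allowed(enterprise, impostor),
	}
}

func main() { fmt.Printf("%+v\n", RunPolicyScenarios()) }
```

The vendor-signed and enterprise-signed images run on the enterprise device; the same enterprise-signed image is blocked on the consumer device, as are the unsigned image, the image modified after signing, and the image whose signer merely claims the vendor's name. The default is deny: nothing runs because of what it says about itself, only because of a key the policy already trusts.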
For more details on the changes, see this blog post from Microsoft.
To: SeekAndFind
Finally they focus on something important instead of dicking around with stupid GUIs.
2 posted on 10/22/2014 2:07:23 PM PDT by Jeff Chandler (Conservatism is the political disposition of grown-ups.)
To: SeekAndFind
I do not believe it. The test version has you being recorded. I do not think Microsoft will give up the NSA version.
To: Jeff Chandler
+1 I might have to upgrade my win7 when 10 becomes available.
4 posted on 10/22/2014 2:24:39 PM PDT by MulberryDraw (Repeal it.)
To: SeekAndFind
The only way any Windows OS will ever be even close to secure is if Microsoft quits automatically giving superuser privilege to ALL user accounts by default, and instead makes all new installation instances of Windows OS default to having an Admin account with superuser privilege and one or more limited-privilege accounts for the user(s) to do their daily work.
In addition, by default, NO .exe or .dll or other binary program should be executable in the context of any limited-privilege account, meaning that all binary software MUST first be installed from a superuser account for the system to use as a whole. It will also most likely be necessary to prevent even non-binary programs from running in the user context without explicitly granting them permission.
That would solve about 99.999% of the malware problems, and until that is done everything else is just adding additional ineffective security band-aids on top of a whole pile of other, older, ineffective security band-aids.
Furthermore, my experience with those piles of security band-aids is that malware finds a way around them every time, and then those “security” band-aids turn into major impediments to removing the malware. In other words, the security measures don’t block the malware, but do block the sysadmin’s efforts.
5 posted on 10/22/2014 2:28:32 PM PDT by catnipman (Cat Nipman: Vote Republican in 2012 and only be called racist one more time!)
To: SeekAndFind
This is the second time an article about the next version of Windows calls it version 10.x. What happened to version 9?
6 posted on 10/22/2014 2:30:37 PM PDT by Lx (Do you like it? Do you like it, Scott? I call it, "Mr. & Mrs. Tenorman Chili.")
To: SeekAndFind
When I worked there as a contractor not too many years ago they were yapping about making Windows more secure. Wished I had saved the propaganda posters. Like most things at MS, it's more marketing and hype than actual working product. I really don't know why they're taking security on yet again. Third parties do a much better job... until MS buys them out.
7 posted on 10/22/2014 2:33:00 PM PDT by 556x45
To: SeekAndFind
If I had to guess, somewhere in all this users will have to connect to Microsoft’s servers, give Microsoft their credit card details and be pushed to buy apps from Microsoft.
To: Lx
9 posted on 10/22/2014 2:34:52 PM PDT by antidisestablishment (When the passion of your convictions surpass those of your leader, it's past time for a change.)
To: SeekAndFind
Bring back Windows XP, or at least rebrand it as a budget OS for those who don’t want the bells and whistles. XP was the greatest OS of all time. (Muhammad Ali voice) - “OF ALL TIME!”
To: SeekAndFind
Don’t worry. The next version of Windows, Windows 15 will correct that. Mostly. Somewhat.
11 posted on 10/22/2014 2:47:08 PM PDT by SkyDancer (I Was Told Nobody Is Perfect But Yet, Here I Am)
To: catnipman
“The only way any OS Windows will ever be even close to secure is if Microsoft quits automatically giving superuser privilege to ALL user accounts by default, and instead making all new installation instances of Windows OS default to having an Admin account with superuser privilege and one or more limited-privilege accounts for the user(s) to do their daily work.”
It doesn’t do that. It only forces you to set up one admin account when you first set up the machine. Any other users you add after that, whether they are manually added, or simply logged in through a network domain, default to standard users unless upgraded to an admin by another admin user.
The reason every user ends up an admin is because the standard users can’t do much of anything. They can’t install a printer, for example, or install an ActiveX control that you might need to work on some web app. So, people end up upgrading all users to admins just to avoid the hassles.
To: catnipman
They need to stop having every program be required to be installed, and most should not even be allowed. Nor should any program be able to go modify settings for Windows and everything else willy-nilly. Right now every piece of crapware installs itself, adds a stupid toolbar, redirects all your web use, and throws in some popups for a bonus. Plus it can decide to start itself when you turn on your computer, and often even override being disabled or removed.
It ought to be forbidden unless you click a lot of checkboxes from Windows authorizing stuff to mess with other programs’ private data and settings. If normal programs had no power to change settings or modify data except for their own, it wouldn’t be necessary to click through authorizing the install of everything with your admin password, which gets so common and routine that anyone could get tricked into allowing it, as is common now.
13 posted on 10/22/2014 2:56:40 PM PDT by Hardslab
To: SeekAndFind
Well, it's only taken them 35 years.
14 posted on 10/22/2014 2:57:25 PM PDT by KosmicKitty (Liberals claim to want to hear other views, but then are shocked to discover there are other views)
To: SeekAndFind
The NSA will not allow it.
15 posted on 10/22/2014 2:58:33 PM PDT by uncitizen (Buckle up! We're on the Fascism Fast Track!)
To: Lx
"What happened to version 9?"
They skipped it. Many applications contain code to check the version number of Windows, and assume Windows 95 or 98 if the version number starts with 9.
Rather than break all that old code they went to 10.
To: ken in texas
What if it assumes Windows 1.0?
17 posted on 10/22/2014 3:00:09 PM PDT by dfwgator (The "Fire Muschamp" tagline is back!)
To: dfwgator
LOL. If I had an app that old I might try it out if I ever get Windows 10.
To: Extremely Extreme Extremist
"Bring back Windows XP, or at least rebrand it as a budget OS for those who don't want the bells and whistles. XP was the greatest OS of all time. (Muhammad Ali voice) - OF ALL TIME!"
Really?
Some folks set their sights pretty low I guess.
19 posted on 10/22/2014 3:03:52 PM PDT by zeugma (The act of observing disturbs the observed.)
To: Boogieman
“The reason every user ends up an admin is because the standard users can’t do much of anything.”
Exactly my point. And yet the default installation gives these clueless users superuser privilege by default.
20 posted on 10/22/2014 3:06:04 PM PDT by catnipman (Cat Nipman: Vote Republican in 2012 and only be called racist one more time!)