In my last post, we covered all the good things Microsoft has done to improve the ITPro's life from a deployment and administration tools point of view. In Part 2 of this blog, we cover the new security features.
Note: Windows security features have been rebranded as Windows Defender security features, including Windows Defender Device Guard, Windows Defender Credential Guard, and Windows Defender Firewall.
Introducing New Security Features of Windows 10
One of the first things to note is that the Windows security baselines have been updated for Windows 10 (1709). These baselines are a group of Microsoft-recommended configuration settings.
Windows Defender Advanced Threat Protection has been expanded with powerful analytics, security stack integration, and centralized management for better detection, prevention, investigation, response, and management.
Windows Defender ATP is agentless and built right into the OS. It is deeply analytics-driven and learns as it identifies new threats.
Windows Defender Application Guard
Windows Defender Application Guard hardens a favorite attacker entry-point by isolating malware and other threats away from your data, apps, and infrastructure. Designed for Windows 10 and Microsoft Edge, Windows Defender Application Guard helps to isolate enterprise-defined untrusted sites, protecting your company while your employees browse the Internet. As an enterprise administrator, you can define trusted websites, cloud resources, and internal networks. Everything else is considered untrusted by default.
If you go to one of these untrusted sites through either Microsoft Edge or Internet Explorer, the site then opens in an isolated Hyper-V-enabled container, which is separate from the host operating system. This container isolation means that if the untrusted site turns out to be malicious, the host PC is protected, and the attacker can’t get to your enterprise data.
Windows Defender Exploit Guard
Windows Defender Exploit Guard provides intrusion prevention capabilities to reduce the attack and exploit surface of applications. Exploit Guard has many of the threat mitigations that were once available in the Enhanced Mitigation Experience Toolkit (EMET), a deprecated security download. These mitigations are now built into Windows and configurable with Exploit Guard.
There are four features in Windows Defender EG:
- Exploit protection can apply exploit mitigation techniques to apps your organization uses, both individually and to all apps
- Attack surface reduction rules can reduce the attack surface of your applications with intelligent rules that stop the vectors used by Office-, script- and email-based malware
- Network protection extends the malware and social engineering protection offered by Windows Defender SmartScreen in Microsoft Edge to cover network traffic and connectivity on your organization’s devices
- Controlled folder access helps protect files in key system folders from changes made by malicious and suspicious apps, including file-encrypting ransomware
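A read-only way to check how the four features listed above are set on a machine, as an added PowerShell example that is not from the original post. It assumes Windows 10 1709 or later; the function names ConvertTo-GuardMode and Get-ExploitGuardStatus are made up for this example, while Get-MpPreference and Get-ProcessMitigation are the built-in cmdlets.

```powershell
# Added example: read-only audit of the four Exploit Guard features.
# Assumes Windows 10 1709+ with the Defender and ProcessMitigations modules.

function ConvertTo-GuardMode {
    param([int]$Value)
    switch ($Value) {
        0 { 'Disabled' }
        1 { 'Enabled (block)' }
        2 { 'Audit' }
        default { "Other ($Value)" }
    }
}

function Get-ExploitGuardStatus {
    $pref = Get-MpPreference
    $sys  = Get-ProcessMitigation -System

    # ASR rule IDs and their actions are stored as parallel arrays.
    $asrRules = @()
    if ($null -ne $pref.AttackSurfaceReductionRules_Ids) {
        $ids     = @($pref.AttackSurfaceReductionRules_Ids)
        $actions = @($pref.AttackSurfaceReductionRules_Actions)
        for ($i = 0; $i -lt $ids.Count; $i++) {
            $asrRules += [pscustomobject]@{
                RuleId = $ids[$i]
                Mode   = ConvertTo-GuardMode $actions[$i]
            }
        }
    }

    [pscustomobject]@{
        # System-wide exploit protection defaults (ON, OFF or NOTSET).
        ExploitProtection = [pscustomobject]@{
            DEP        = $sys.DEP.Enable
            ASLRForced = $sys.ASLR.ForceRelocateImages
            ASLRBottom = $sys.ASLR.BottomUp
            CFG        = $sys.CFG.Enable
        }
        AttackSurfaceReduction = $asrRules
        NetworkProtection      = ConvertTo-GuardMode $pref.EnableNetworkProtection
        ControlledFolderAccess = ConvertTo-GuardMode $pref.EnableControlledFolderAccess
    }
}

$status = Get-ExploitGuardStatus
$status | Format-List
$status.AttackSurfaceReduction | Format-Table -AutoSize
```

An empty AttackSurfaceReduction list means no rules are configured on the device, which is different from rules that are present but set to Disabled or Audit.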
Windows Defender Device Guard
Configurable code integrity has been rebranded and is now known as Windows Defender Application Control. This is to help distinguish it as a standalone feature to control the execution of applications. Windows Defender Device Guard is a combination of enterprise-related hardware and software security features that run on Windows 10 Enterprise edition and Windows Server. When these features are configured together, Windows Defender Device Guard will lock a device down so that it can only run trusted applications, defined in your code integrity policies. If the app isn’t trusted, it can’t run, period.
Windows Information Protection
Windows Information Protection is now designed to work with Microsoft Office and Azure Information Protection. WIP gives you a new way to manage data policy enforcement for apps and documents. You also now have the ability to remove access to enterprise data from both enterprise and personal devices (after enrollment in an enterprise management solution, like Intune).
This integration will help ITPros change the way they think about data policy enforcement. As an enterprise admin, you need to maintain compliance in your data policy and data access. WIP ensures that your enterprise data is protected on both corporate and employee-owned devices, even when the employee isn’t using the device. When employees create content on an enterprise-protected device, they can choose to save it as a working document. If it’s a working document, it becomes locally-maintained as enterprise data.
New features in Windows Hello enable a better device lock experience, using multi-factor unlock with the new location and user proximity signals. Using Bluetooth signals, you can configure your Windows 10 device to automatically lock when you walk away from it, or to prevent others from accessing the device when you are not present. More details about this feature will be available from Microsoft soon, as this is still an emerging technology.
The minimum PIN length is being changed from 6 to 4, with a default of 6. While not a major change, this small adjustment makes life for the end user so much better.