Windows has evolved with time, and Windows 10 is one of the most secure systems right now, especially for Enterprise. It’s ranked highest when it comes to security capabilities highest amongst features. That said, the system needs, or rather an IT person needs to make sure to set it up properly in terms of security, and in different phases. Right from being in offline mode to boot to log in to run.
Windows 10 security features and capabilities
Below are the details from the Infographic created by Bill Bernat, Ami Casto, and Chaz Spahn to give a clear idea of what can be used, and set up in Windows 10 from a security perspective.
When in Offline Mode
Before setting up a Windows 10 PC, IT pros can encrypt fixed devices using BitLocker. Its an encryption technology from Microsoft which can encrypt an entire disk, including boot disks. You might need TPM module to get this done in some cases.
The same can be applied to USB device or any removable devices which are used on the go. Its pretty clear that no company wants their data to get out of their premises, and have their IP get into wrong hands.
How to secure PC Boot
The best way to secure a Windows 10 PC during boot is to by maximizing its firmware-based security. You can use a Trusted Platform Module (TPM) to enhance security. As TPM is hardware-based with module separated from other components it makes sure nothing gets into the system during that time. You can add TPM Attestation to this to further verify TPM chip.
Upgrading from BIOS to UEFI is another way to secure. It’s an advanced firmware which offers a number of hardware-based security features. Using both of them makes sure that no malicious code infects an operating system at the lowest levels including the bootloader, the OS kernel, and boot drivers.
Secure Boot, Trusted Boot, Measured Boot and more should be followed to make sure the boot software has a valid signature that ultimately loads Windows 10 Kernel.
Windows 10 also offers ELAM which prevents malware from infecting a system at the boot driver level by allowing only trusted drivers to load during Windows 10 boot. This was first introduced in Windows 8.
In case a user or the PC is locked out, it is possible to recover the data using BitLocker Recovery.
How to secure PC during Logon
We all secure our phones with PIN and Password, and not with Fingerprint and Face Unlock. Similar support is available with Windows. IT companies can implement Windows Hello and Fingerprint based (biometric) authentication.
Post this, IT admins can set up Lock User Per Policy which will come into action when there is a suspicion of security. It can lockout an account after a set number of failed password entries or more. To make it even secure, IT Pros can use both as a combination to super secure your account including TPM counters, Kerberos Armoring secures communication between a domain-joined client and its domain controller.
Many IT companies believe in In Bring Your Own Device (BYOD) scenarios, where employees bring commercially available devices to access both work-related resources and their personal data. In this case, administrators can use Windows Device Health Attestation to make sure the PC isn’t compromised, and infect other systems in the network.
How to secure PC when in use
On a Software level, you can prevent Unauthorized Changes using UAC, Applocker to only allow applications that are authorized by the organization. Then comes the Windows Defender Security System which has native integration in Windows 10. WDSS makes sure to check for malicious software when installing from the internet. It further secures in following ways:
- Protects system by isolating applications in their own virtualized environment.
- Intelligently restricts which applications, scripts, plug-ins, etc., can run on a system
- Protects password using virtualization-assisted security
- Protection against Ransomware.
- Make sure to monitor the inbound and outbound network traffic using Firewall Interface which is also a part of Windows Defender.
- A company can encourage employees to use Microsoft Edge which runs each instance of the browser in its own virtual machine to limit the damage attackers can do.
On a hardware level:
- Windows Defender Credential Guard protects the password using virtualization-assisted security.
- Windows Defender comes with Device Guard as well which prevents malware from running on a system using a variety of techniques.
It is actually a brilliant infographic which explains so many features an enterprise can use to secure companies data and keep all of the employees secure, including their own devices which become a part of the enterprise. It is impressive to see how Windows 10 has revolutionizing endpoint security in enterprises, especially from cyber attacks.
Check out the infographic here.