What's new in Windows 10
Because the bad guys are always upping their game, a hallmark of each new version of Windows is a number of new and improved security features. Windows 10 is no exception. Here we enumerate changes available in Windows 10 Home and Windows 10 Pro; several additional features are included with Windows 10 Enterprise on a managed network.
Securing devices
Security features in Windows 10 begin with support for modern hardware designs. Although Windows 10 continues to support legacy hardware, some security features require two elements built in to most newer computers:
- Unified Extensible Firmware Interface (UEFI):
UEFI is a firmware interface that replaces the BIOS, which has been a part of every PC since the beginning of personal computing. Among other improvements, UEFI enables Secure Boot and Device Encryption, features that are described in the following pages. PCs designed for Windows 8 and later must use UEFI.
- Trusted Platform Module (TPM):
A TPM is a hardware chip that facilitates encryption and prevents altering or exporting encryption keys and certificates. With a TPM, BitLocker Drive Encryption (described later in this tutorial) is more convenient to use as well as more secure. Other security features in Windows 10, such as Measured Boot and Device Guard, require the presence of a TPM.
With UEFI and TPM in place, Windows 10 is able to secure the boot process. (Many recent malware attacks take control of the system early in the boot process, before Windows is fully running and before antimalware programs spring into action. This type of malware is called a rootkit.) The Windows 10 boot process steps through the following features:
- Secure Boot:
Secure Boot, a basic feature of UEFI, prevents the use of any alternative operating system (OS) loader. Only an OS loader that is digitally signed using a certificate stored by UEFI is allowed to run. (A conventional BIOS allows interruption of the boot process to use any OS loader, including one that's been corrupted.)
- Early Launch Antimalware (ELAM):
Antimalware software (including compatible third-party programs as well as Windows Defender) that has been certified and signed by Microsoft loads its drivers before any other third-party drivers or programs. This allows the antimalware software to detect and block attempts to load malicious code.
- Measured Boot:
Measurements of the UEFI firmware and each Windows component are taken as they load. The measurements are then digitally signed and stored in the TPM, where they can't be changed. During subsequent boots, measurements are compared against the stored measurements.
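The following PowerShell script is an added example, not code from the book, that models the core of Measured Boot: each component's measurement is folded into a TPM Platform Configuration Register (PCR) by hashing, so the final value depends on every component and on the order in which they loaded. The component names and contents are constructed sample data; the PCR extend rule shown (SHA-256 of the old value concatenated with the new digest) is the standard TPM 2.0 scheme.

```powershell
# Added example (not from the book): a model of how Measured Boot chains
# measurements into a TPM PCR. A PCR cannot be written directly; it can only
# be "extended":  PCR_new = SHA256( PCR_old || SHA256(component) )
# Component names and bytes below are constructed sample data.

function Get-Sha256 {
    param([byte[]]$Data)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try { return $sha.ComputeHash($Data) } finally { $sha.Dispose() }
}

function Invoke-PcrExtend {
    param([byte[]]$Pcr, [byte[]]$Component)
    # Measure the component, then hash the old PCR value together with that digest.
    $digest = Get-Sha256 -Data $Component
    return Get-Sha256 -Data ([byte[]]($Pcr + $digest))
}

function Measure-BootChain {
    param([object[]]$Components)
    $pcr = New-Object byte[] 32        # PCRs start at all zeros at power-on
    foreach ($c in $Components) { $pcr = Invoke-PcrExtend -Pcr $pcr -Component $c }
    return ($pcr | ForEach-Object { $_.ToString('x2') }) -join ''
}

$enc = [System.Text.Encoding]::UTF8
$goodChain = @(
    $enc.GetBytes('UEFI firmware v1.0'),
    $enc.GetBytes('bootmgfw.efi (signed)'),
    $enc.GetBytes('winload.efi (signed)'),
    $enc.GetBytes('ELAM driver')
)

# Reference value recorded on a known-good boot (what the TPM-stored measurement represents).
$expected = Measure-BootChain -Components $goodChain

# Case 2: the boot manager was altered (what a rootkit would have to do) -> mismatch.
$tampered = $goodChain.Clone()
$tampered[1] = $enc.GetBytes('bootmgfw.efi (patched)')
# Case 3: same components, but the ELAM driver loaded after winload -> mismatch.
$reordered = $goodChain[0], $goodChain[1], $goodChain[3], $goodChain[2]

$cases = [ordered]@{ clean = $goodChain; tampered = $tampered; reordered = $reordered }
foreach ($case in $cases.GetEnumerator()) {
    $actual  = Measure-BootChain -Components $case.Value
    $verdict = if ($actual -eq $expected) { 'matches stored measurement' } else { 'DOES NOT MATCH' }
    '{0,-9} {1}' -f $case.Key, $verdict
}
```

Only the first case reproduces the stored value; a one-byte change or a reordered load produces an entirely different PCR, which is what lets a later boot (or a remote attestation service) detect tampering it cannot see directly.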
Securing data
The increased mobility of PCs also increases the risk of theft. Losing a computer is bad enough, but handing over all the data you've stored on the computer is by far the greater loss. Windows 10 includes new features to ensure the thief can't get your data.
- Device encryption:
On devices that support InstantGo, data on the operating system volume is encrypted by default. (Formerly called Connected Standby, InstantGo is a Microsoft hardware specification that enables advanced power-management capabilities. Among other requirements, InstantGo devices must boot from a solid state drive.) The encryption initially uses a clear key, but when a local administrator first signs in with a Microsoft account, the volume is automatically encrypted. A recovery key is stored at onedrive.com/recoverykey; you'll need it if you reinstall the operating system or move the drive to a new PC.
- BitLocker Drive Encryption:
BitLocker Drive Encryption offers similar (but stronger) whole-volume encryption, and on corporate networks it allows centralized management. In Windows 10, BitLocker encrypts drives more quickly than in previous Windows versions; additional speed comes from the new ability to encrypt only the part of a volume in use.
Securing identities
It seems like every week we hear about another data breach where millions of user names and passwords have been stolen. There's a thriving market for this type of information because it enables the thieves to sign in anywhere using your credentials. Furthermore, because many people use the same password for different accounts, criminals can often use the stolen information to hack into a theft victim's other accounts. Windows 10 marks the beginning of the end of passwords.
- Windows Hello:
With Windows 10, enterprise-grade two-factor authentication is built in. After enrolling a device with an authentication service, the device itself becomes one factor; the second factor is a PIN or a biometric, such as a fingerprint, facial recognition, or an iris scan.
- Microsoft Passport:
After Windows Hello signs you in, Microsoft Passport enables sign-in to networks and web services. Your biometric data remains securely stored in your computer's TPM; it's not sent over the network.
With this combination of authentication methods, an attacker who has a trove of user names and passwords is stymied. To unlock Microsoft Passport (and, by extension, gain the ability to sign in to your web services), he needs the enrolled device. And a thief who steals your computer needs your PIN or biometric data. Active Directory, Azure Active Directory, and Microsoft Accounts support this new form of credentials; other services are sure to follow.
Blocking malware
Since the days of Windows 7, several features that block malicious software have been beefed up:
- Address Space Layout Randomization (ASLR):
ASLR is a feature that randomizes the location of program code and other data in memory, making it difficult to execute attacks that write directly to system memory because the malware can't find the memory location it needs. In Windows 10, memory locations are scrambled even more. And because the randomization is unique to each device, a successful attack on one device won't work on another.
- Data Execution Prevention (DEP):
DEP is a hardware feature that marks blocks of memory so that they can store data but not execute program instructions. Windows 10 can't be installed on a system that doesn't support DEP.
- Windows Defender:
In Windows 7, Windows Defender is a lightweight antispyware program. But starting with Windows 8 and continuing in Windows 10, Windows Defender includes the well-regarded antimalware capabilities of Windows Security Essentials, a free add-on for Windows 7. Windows Defender supports ELAM, described earlier in this tutorial, which means that it can defend against rootkits that attempt to co-opt the boot process. For more information, see "Using Windows Defender to block malware" later in this tutorial.
- SmartScreen:
The goal of SmartScreen, introduced in Windows 7, is similar to that of Windows Defender: stop malicious code from running, which is much better than trying to clean up the damage after the fact. But SmartScreen takes a completely different approach: instead of looking for signatures of known bad programs, it checks a hash of each executable downloaded from an online source against Microsoft's application-reputation database. Files that have established a positive reputation are deemed safe and are allowed to run, whereas files with a negative reputation are blocked.
In Windows 7, SmartScreen is a feature of Internet Explorer and checks files as they are downloaded. Beginning with Windows 8, SmartScreen is an integral part of Windows (and continues to be a feature of Internet Explorer and, in Windows 10, Microsoft Edge). Therefore, it blocks execution of unknown programs not just as you download them in a browser but any time you attempt to run a program from an online source, including those downloaded with a non-Microsoft browser.
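As an added example (not from the book), the following PowerShell script checks whether the protections described in this chapter, from Secure Boot and the TPM through BitLocker, DEP, Windows Defender with its ELAM driver, and SmartScreen, are actually enabled on the machine it runs on. It uses the standard SecureBoot, TrustedPlatformModule, BitLocker and Defender cmdlets; the ELAM driver name WdBoot and the SmartScreenEnabled registry value are assumed from Windows 8/10 installations and should be confirmed on your build. Run it from an elevated session; every check is read-only.

```powershell
# Added example (not from the book): read-only audit of the Windows 10
# protections described above. Run elevated; cmdlets that are unavailable
# (e.g. BitLocker on Home) are reported rather than treated as failures.

$report = [ordered]@{}

# Secure Boot (UEFI). Confirm-SecureBootUEFI throws on legacy-BIOS machines.
try   { $report['Secure Boot'] = [bool](Confirm-SecureBootUEFI) }
catch { $report['Secure Boot'] = 'not supported (legacy BIOS?)' }

# TPM presence and readiness (needed by Measured Boot, BitLocker, Windows Hello/Passport).
$tpm = Get-Tpm -ErrorAction SilentlyContinue
$report['TPM present'] = if ($tpm) { $tpm.TpmPresent } else { 'Get-Tpm unavailable or access denied' }
$report['TPM ready']   = if ($tpm) { $tpm.TpmReady }   else { 'Get-Tpm unavailable or access denied' }

# BitLocker / device encryption state of the OS volume.
$bl = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
$report['OS volume protection'] = if ($bl) { "$($bl.ProtectionStatus) / $($bl.VolumeStatus)" } else { 'BitLocker cmdlets unavailable' }

# DEP support policy: 0 = AlwaysOff, 1 = AlwaysOn, 2 = OptIn (default), 3 = OptOut.
$os = Get-CimInstance Win32_OperatingSystem
$report['DEP available'] = $os.DataExecutionPrevention_Available
$report['DEP policy']    = @('AlwaysOff', 'AlwaysOn', 'OptIn', 'OptOut')[$os.DataExecutionPrevention_SupportPolicy]

# Windows Defender antimalware engine and real-time protection.
$mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
$report['Defender real-time'] = if ($mp) { $mp.RealTimeProtectionEnabled } else { 'Defender cmdlets unavailable' }

# Defender's ELAM boot driver (name WdBoot assumed) should be a Boot-start driver and running.
$elam = Get-CimInstance Win32_SystemDriver -Filter "Name='WdBoot'"
$report['Defender ELAM driver'] = if ($elam) { "$($elam.StartMode) / $($elam.State)" } else { 'not registered' }

# SmartScreen for apps run from the shell (registry value name assumed; 'Off' disables it).
$ss = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer' -Name SmartScreenEnabled -ErrorAction SilentlyContinue
$report['SmartScreen (apps)'] = if ($ss) { $ss.SmartScreenEnabled } else { 'value absent' }

# Print the findings; anything reading $false, 'Off', 'AlwaysOff' or 'not registered' deserves a look.
$report.GetEnumerator() | ForEach-Object { '{0,-24} {1}' -f $_.Key, $_.Value }
```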