Windows 10's security features worthy of attention

  

Microsoft's next-generation operating system, Windows 10, will be available for free to existing Windows 7 and Windows 8.1 users on July 29 this year. However, Windows Enterprise customers will have to wait until later this year to come up with their own solutions.

Two themes stand out among the major new security features of Microsoft's next-generation Windows 10 operating system: application review and biometrics. The software giant pointed out in today's announcement that all of this will be delivered to existing Windows 7 and Windows 8 users with the free release of the new version of Windows on July 29 this year.

The advent of Windows 10 has made all the talk of Windows dying (especially given that Microsoft arbitrarily launched the tile interface and removed the Start menu in Windows 8) vanish, or at least subside for now. In addition to the strong return of our favorite Start menu, the arrival of the Cortana personal assistant (nicknamed "Little Na"), and a newer, faster, more personalized browser called Edge, Microsoft will also bring a new set of security features to Windows 10, and most of them will go directly into the first release of Windows 10.

Windows security expert Marc Maiffret pointed out that by combining the Windows 10 security features with application authentication and review in the new Windows Store, Microsoft is embarking on a new direction similar to that of smartphones, which is definitely good news for security work. “There are a lot of interesting security mechanisms that we can use to better control the applications and code in the environment in security work,” he explained.

1. Device Guard

Microsoft's new Device Guard is designed to completely block applications that attempt to access Windows 10 devices and their network architecture, thus completely blocking the emergence of zero-day attacks. It basically blocks all applications by default, except those approved by a specific software vendor, the Windows app store, or the enterprise.

Acer, Fujitsu, Hewlett-Packard, NCR, Lenovo, PAR and Toshiba have already reached an agreement with Microsoft to introduce Device Guard into their Windows devices. It can support sales systems, ATMs, and other Internet of Things devices running Windows systems.

“To help protect users from malware, when an application starts executing, Windows first checks if the application is trusted and notifies the user when it finds it is not trusted. Device Guard can use hardware technology and virtualization mechanisms to isolate this additional licensing feature from other components in the Windows operating system, which helps protect users from harassment by attackers or malware that have gained overall system privileges,” Microsoft's Chris Hallum wrote in a recent blog post introducing the feature.

Hallum also pointed out that, unlike with other anti-virus and whitelisting software, even malware that can tamper with system certificates or that is of an unknown type will find it difficult to escape Device Guard, and that Device Guard can work together with anti-virus, whitelisting, and even other application control products.

“Traditional anti-virus solutions and application control technologies can be based on the Device Guard mechanism to block malware based on executables and scripts, and anti-virus tools will continue to cover Device Guard. The JIT application (such as Java) and the macros in the file, etc.,” Hallum added.

Interestingly, Device Guard can also be virtualized, which means that if the Windows kernel is breached, Device Guard will still not be affected, Microsoft said. It will still review whether the software being run meets the configuration requirements set forth by the management policy.

2. Windows Hello

Windows Hello has been promoted by Microsoft as a password-killer feature that uses biometrics (the user's face, iris, or fingerprint) to unlock Windows 10 devices, instead of relying only on annoying and less secure passwords as in the past.

Joe Belfiore, vice president of operations for Microsoft's operating system division, points out that Hello is more secure because it allows users to authenticate to applications, enterprise content, and online experiences without any password being stored on the user's device or on a network server.

The catch is that this requires a device with a fingerprint reader, or with scanning hardware and software, because that is the only way to perform biometric verification by face or iris. In addition, the device needs to support the Windows Biometric Framework.

“We work closely with our hardware partners to provide Windows Hello with support for Windows 10 systems. We are also excited to announce that all OEM systems equipped with the Intel RealSense 3D camera (F200) will support Windows Hello's face unlocking feature, including automatic login to Windows, and support unlocking ‘Passport’ without having to enter a PIN code,” Belfiore wrote in a Windows 10 blog post published today.

Maiffret said that Microsoft is currently developing a new authentication mechanism based on the needs of enterprise customers. “This solution can significantly improve the level of security from the perspective of encryption, so it can be used in the corporate environment as a formal verification mechanism,” he said.

3. Passport

Along with the aforementioned move away from passwords, Windows 10 also brings a new feature called Passport that lets users log in to apps, websites, and networks without using passwords.

“Windows 10 will require the user to confirm ownership of the current device and then provide authentication via Windows Hello based on the device via a PIN or device equipped with a biometric sensor. After passing the ‘Passport’ certification, you will be able to immediately access more websites and services, including your favorite e-commerce sites, email and social networking services, financial institutions and business networks, etc.,” Microsoft pointed out.

According to Microsoft, Passport can also work with Microsoft's Azure Active Directory service. The user's biometric authentication and signature are stored securely on the local user device and are used only to unlock the device and Passport; in other words, this information is not transmitted over the network.

However, although it has become a member of the FIDO Alliance and is trying to consign password mechanisms to the garbage heap of history, Microsoft does not intend to announce the demise of passwords in Windows 10. Users or corporate customers can therefore continue to use traditional passwords and password management schemes in Windows 10 if they are unwilling or unable to bear the cost of deploying devices that support Windows Hello and Passport.

At the same time, Microsoft has introduced some preliminary but very critical changes within Windows 10, including the use of container technology and virtual sandboxing mechanisms to improve the security of desktop systems, Maiffret said. “But I'm sure that at next year's Black Hat conference or other similar events, someone will claim to have successfully cracked the Windows 10 sandbox solution, which is an inevitable result. Despite this, Microsoft has introduced it to the Windows system as a major improvement to the game rules,” he said.
