

Key native features for Windows 10 security and maintenance

Desktop administrators should look to Windows 10's native security features and architecture to establish a baseline of desktop security before turning to alternative tools.

If desktop administrators properly configure and maintain a Windows 10 system and its native security features, users will have a safe and secure desktop computing experience.

Microsoft has gone out of its way to bolster the Windows 10 system against attack and compromise. IT can support key infrastructure elements to further secure desktops against unwanted access or disclosure.

Microsoft Defender: A security cornerstone

From the desktop perspective, the Windows Security tab is the control center for security matters related to Windows 10. Administrators can access it by navigating to Start > Settings > Update & Security > Windows Security, which opens the Windows Security dashboard.

Key elements in the Windows Security dashboard include at-a-glance status indicators for virus and threat protection, account protection, firewall and network protection, app and browser controls, and device security. A green checkmark indicates good health and security status.

Figure: The Windows Security dashboard, which provides a desktop-centric view of Windows Defender's security controls

Under the hood, administrators can use Group Policy Objects (GPOs) to enforce many security management settings and requirements. These enable desktop administrators to simplify Windows 10 security and maintenance with straightforward and automated functionality.

IT administrators can address key Windows security elements outside the realm of virus and threat protection via Microsoft Defender for Endpoint or security offerings from various third-party vendors. Some alternatives come from vendors such as Avast, Bitdefender, Webroot and Sophos. These outside functions include the following:

  • Account protection
    • dual-factor authentication for Microsoft accounts;
    • Windows Hello-supported biometric logins; and
    • dynamic lock for locking the PC screen when a linked smartphone is absent.
  • Firewall & network protection
    • domain network features for single sign-on, authentication and access controls
  • App & browser control
    • reputation-based protection to block malicious content and messages;
    • isolated browsing, enabling Microsoft Edge to run sandboxed to protect against malware; and
    • exploit protection supporting control flow guard, data execution prevention, mandatory address space layout randomization, validated exception chains and validated heap integrity to block attack vectors.
  • Device security
    • core isolation to prevent attacks from inserting code into high-security processes

Basic Windows Defender security measures provide a solid foundation for Windows 10 systems in any setting. This makes Windows 10 security and maintenance easy, fast and well suited for automation. However, there is always room for additional controls from more comprehensive platforms.
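The dashboard indicators and the exploit protection settings listed above can also be read from PowerShell, which suits the automation the article mentions. This is an added example, not code from the original article; the function names, the three-day signature-age threshold and the choice to flag only an explicit OFF are assumptions.

```powershell
# Added example: read-only audit of the settings behind the Windows Security dashboard.
# Assumes an elevated session on Windows 10 1709 or later (needed for Get-ProcessMitigation).

# Hypothetical helper: one row per checked setting
function New-Check($Area, $Setting, $Value, [bool]$Ok) {
    [pscustomobject]@{ Area = $Area; Setting = $Setting; Value = "$Value"; Ok = $Ok }
}

function Get-SecurityBaselineReport {
    # Virus & threat protection: engine state and signature freshness
    $mp = Get-MpComputerStatus
    New-Check 'Virus & threat' 'Antivirus enabled'    $mp.AntivirusEnabled          $mp.AntivirusEnabled
    New-Check 'Virus & threat' 'Real-time protection' $mp.RealTimeProtectionEnabled $mp.RealTimeProtectionEnabled
    # Assumed threshold: signatures older than 3 days are flagged
    New-Check 'Virus & threat' 'Signature age (days)' $mp.AntivirusSignatureAge     ($mp.AntivirusSignatureAge -le 3)

    # Firewall & network protection: Domain, Private and Public profiles
    foreach ($p in Get-NetFirewallProfile) {
        New-Check 'Firewall' "$($p.Name) profile enabled" $p.Enabled ("$($p.Enabled)" -eq 'True')
    }

    # Exploit protection: system-wide values for the five mitigations in the list above
    $m = Get-ProcessMitigation -System
    $settings = [ordered]@{
        'Control flow guard'        = $m.CFG.Enable
        'Data execution prevention' = $m.DEP.Enable
        'Mandatory ASLR'            = $m.ASLR.ForceRelocateImages
        'Validate exception chains' = $m.SEHOP.Enable
        'Validate heap integrity'   = $m.Heap.TerminateOnError
    }
    foreach ($name in $settings.Keys) {
        # NOTSET means the Windows default applies; only an explicit OFF is flagged here
        New-Check 'Exploit protection' $name $settings[$name] ("$($settings[$name])" -ne 'OFF')
    }
}

# Failing checks sort to the top
Get-SecurityBaselineReport | Sort-Object Ok | Format-Table -AutoSize
```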

Microsoft's Windows 10 security infrastructures for business

Configurable Windows 10 mitigations include the following:

  • Windows Defender SmartScreen checks the reputation of downloaded apps using a Microsoft service and reacts when it identifies unrecognized or bad-reputation items.
  • Credential Guard employs virtualization-based security to protect secrets, including password hashes and Kerberos Ticket Granting Tickets, so only privileged system software gains access.
  • Enterprise certificate pinning protects internal domain names from chaining to suspect external or fraudulent certificates and pins X.509 certificates and public keys to Certification Authorities.

In addition, Windows 10 provides support for Unified Extensible Firmware Interface, BIOS-level firmware designed to protect itself, other system firmware and the boot process against tampering or attack. It also supports Early Launch Antimalware (ELAM), so antimalware protection comes into play before non-Microsoft drivers and apps load and start up. If malware modifies a boot-related driver, ELAM detects that change and blocks the driver from loading, thereby fending off rootkit attacks.

Windows 10 also offers extensive protection against memory exploits, and that protection requires no explicit configuration. Desktop admins also have free access to Microsoft Enhanced Mitigation Experience Toolkit (EMET) to configure a broad range of exploit mitigations. These include memory and addressing checks, null page checks and a variety of Control Flow Guard checks. EMET also explains how to convert EMET XML settings files into Windows 10 mitigation policies via GPOs. Admins should consult Microsoft's documentation on Security and Assurance, Microsoft Defender for Endpoint and Exchange Online Advanced Threat Protection.
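To confirm that Credential Guard, Secure Boot and the ELAM driver policy are actually in effect on a device, and to convert an existing EMET settings file, an administrator can use the checks below. This is an added example, not code from the original article; the function names are hypothetical and the file paths passed to the conversion function are placeholders the administrator supplies.

```powershell
# Added example: read-only checks for the boot and virtualization protections described above.
# Assumes an elevated session on a Windows 10 device.
function Get-PlatformHardeningReport {
    # The Device Guard WMI class reports VBS state and the services running on top of it
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    $vbsState = @('Off', 'Enabled, not running', 'Running')[[int]$dg.VirtualizationBasedSecurityStatus]

    # Secure Boot: the cmdlet throws on legacy BIOS firmware or without elevation
    try   { $secureBoot = [string](Confirm-SecureBootUEFI -ErrorAction Stop) }
    catch { $secureBoot = "Unknown: $($_.Exception.Message)" }

    # ELAM boot-start driver policy; an absent value means the Windows default applies
    $elamKey = 'HKLM:\SYSTEM\CurrentControlSet\Policies\EarlyLaunch'
    $elamRaw = (Get-ItemProperty -Path $elamKey -Name DriverLoadPolicy -ErrorAction SilentlyContinue).DriverLoadPolicy
    $elamMap = @{ 8 = 'Good only'; 1 = 'Good and unknown'; 3 = 'Good, unknown and bad but critical'; 7 = 'All' }
    $elam = if ($null -eq $elamRaw) { 'Not configured (Windows default)' } else { $elamMap[[int]$elamRaw] }

    [pscustomobject]@{
        VirtualizationBasedSecurity = $vbsState
        CredentialGuardRunning      = $dg.SecurityServicesRunning -contains 1
        MemoryIntegrityRunning      = $dg.SecurityServicesRunning -contains 2   # core isolation
        SecureBoot                  = $secureBoot
        ElamDriverLoadPolicy        = $elam
    }
}

# Convert an EMET settings file into a Windows 10 exploit protection policy XML,
# which can then be distributed through a GPO. Both paths are caller-supplied placeholders.
function Convert-EmetSettings {
    param(
        [Parameter(Mandatory)][string]$EmetXml,
        [Parameter(Mandatory)][string]$PolicyXml
    )
    ConvertTo-ProcessMitigationPolicy -EMETFilePath $EmetXml -OutputFilePath $PolicyXml
    Get-Item -Path $PolicyXml
}

Get-PlatformHardeningReport | Format-List
```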
