Introduction

Alexander Benoit, senior consultant and head of Competence Center Microsoft, said during a Microsoft event in Orlando in September 2017: “Because the threat landscape we’re facing today is so diverse, there cannot be one tool or feature that we just enable and then we’re secure.”

We can observe that willingness to stop diverse threats in all parts of the industry today. It’s especially clear in the fact that Microsoft decided to design Windows 10 to offer five levels of security configuration:

  1. Enterprise basic security
  2. Enterprise enhanced security
  3. Enterprise high security
  4. Specialized workstation
  5. Administrator workstation

Let’s look at some of the most prominent security features of Windows 10.

Windows Update

Windows Update is there, as usual, to fix past bugs and introduce new functions. This is the most important security setting for any Windows 10 device. Keeping all software up to date at all times is of paramount importance.

Windows Defender Antivirus (WDA)

WDA’s UI is more user-friendly than what most other antivirus programs have to offer. But what is particularly good about WDA is that it does not require any manual configuration or any support whatsoever (other than the automatic updates). 

For example, WDA comes with a built-in firewall and a safe browsing environment that will protect you from the most common threats. The firewall supports three different network configurations (Domain, Private and Public); however, this feature is enabled by default (in compliance with the “security by default” rule) and does not need any adjustments to be effective.

WDA automatically scans each newly downloaded file once you proceed to open it as part of the real-time protection defense posture. A deep scan for rootkits once or twice a month is always a good idea.
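The defaults described above can be verified rather than assumed. The following is an added example, not code from the original article: a read-only PowerShell check of the three firewall profiles, real-time protection and the age of the last full scan. The function name `Test-DefenderBaseline` and both age thresholds are assumptions chosen for illustration.

```powershell
# Added example: read-only baseline check. Run in an elevated PowerShell session.
# The age thresholds are assumptions for illustration, not Microsoft defaults.
function Test-DefenderBaseline {
    param(
        [int]$MaxSignatureAgeDays = 7,
        [int]$MaxFullScanAgeDays  = 30
    )
    $findings = @()

    # The firewall has three profiles (Domain, Private, Public); each should be on.
    foreach ($fwProfile in Get-NetFirewallProfile) {
        if ($fwProfile.Enabled -ne 'True') {
            $findings += "Firewall profile '$($fwProfile.Name)' is not enabled"
        }
    }

    # Get-MpComputerStatus can fail, for example when the Defender service is not running.
    try {
        $status = Get-MpComputerStatus -ErrorAction Stop
    } catch {
        $findings += "Defender status unavailable: $($_.Exception.Message)"
        return $findings
    }

    if (-not $status.RealTimeProtectionEnabled) {
        $findings += 'Real-time protection is disabled'
    }
    if ($status.AntivirusSignatureAge -gt $MaxSignatureAgeDays) {
        $findings += "Antivirus signatures are $($status.AntivirusSignatureAge) days old"
    }
    # FullScanAge is the number of days since the last completed full scan;
    # it is a very large number when no full scan has ever run.
    if ($status.FullScanAge -gt $MaxFullScanAgeDays) {
        $findings += "No full scan within the last $MaxFullScanAgeDays days"
    }
    return $findings
}

$result = @(Test-DefenderBaseline)
if ($result.Count -eq 0) { 'Baseline OK' } else { $result }
```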

Microsoft SmartScreen

SmartScreen is a built-in feature that scans for and blocks execution of known malicious programs. In addition, it can notify Windows 10 users when they are about to open suspicious websites and emails, because it compares their reliability against a Microsoft blacklist. Consequently, this cloud-based tool can provide an extra level of protection against both phishing and malware attacks in addition to the traditional cybersecurity awareness training of staff.

Windows Defender Application Guard

Windows Defender Application Guard raises your level of protection considerably, as it protects against advanced, targeted threats. This functionality works either by designating a list of trusted websites (the so-called “whitelisting”) or opening untrusted websites in a container that has no connection to corporate network endpoints, installed applications, memory, local storage or any other resources that may come under cyberattack. 

Windows Sandbox

Windows Sandbox is a great solution if administrators decide to allow considerable freedom concerning application permissions, because it enables new apps to operate in isolated virtual silos in order to prevent full threat exposure.

Windows Defender Device Guard

Device Guard is part of the Microsoft Defender tools suite. Equipped with enterprise-grade application whitelisting, this tool protects kernel processes and drivers from dangerous threats like zero-day attacks. 

Since signature-based detection often cannot cope with the heterogeneous nature of malware, Device Guard switches the OS to a mode in which it trusts only apps authorized by the administrator, locking down the device in the situations predetermined in code integrity policies. This feature is dependent on virtualization-based security (VBS).

Windows Credential Guard

Credential Guard better protects derived domain credentials by leaning on other security features such as Secure Boot and virtualization. Because of that, it in turn increases the overall security against advanced persistent threats. In essence, VBS can isolate secret data from any other software except for privileged system software.
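Because both Device Guard and Credential Guard depend on VBS, it is worth confirming that VBS is actually running and not merely configured. The following is an added example, not code from the original article: it reads the `Win32_DeviceGuard` CIM class and the Secure Boot state. The function name `Get-VbsPosture` and the output property names are assumptions.

```powershell
# Added example: read-only query of VBS state. Run in an elevated PowerShell session.
function Get-VbsPosture {
    $dg = Get-CimInstance -ClassName Win32_DeviceGuard `
        -Namespace 'root\Microsoft\Windows\DeviceGuard' -ErrorAction Stop

    # Status codes as documented for the Win32_DeviceGuard class.
    $vbsState = @{ 0 = 'Not enabled'; 1 = 'Enabled, not running'; 2 = 'Running' }
    $ciState  = @{ 0 = 'Off'; 1 = 'Audit'; 2 = 'Enforced' }

    # Confirm-SecureBootUEFI throws on legacy BIOS systems or without elevation.
    try   { $secureBoot = [bool](Confirm-SecureBootUEFI -ErrorAction Stop) }
    catch { $secureBoot = $null }

    [pscustomobject]@{
        VbsStatus             = $vbsState[[int]$dg.VirtualizationBasedSecurityStatus]
        # SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI (memory integrity).
        CredentialGuardActive = $dg.SecurityServicesRunning -contains 1
        HvciActive            = $dg.SecurityServicesRunning -contains 2
        CodeIntegrityPolicy   = $ciState[[int]$dg.CodeIntegrityPolicyEnforcementStatus]
        SecureBootEnabled     = $secureBoot   # $null = could not be determined
    }
}

$posture = Get-VbsPosture
$posture | Format-List
if ($posture.VbsStatus -ne 'Running') {
    Write-Warning 'VBS is not running, so Credential Guard and HVCI cannot be active.'
}
```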

Windows Defender Exploit Guard

Exploit Guard is a tool designed to cover a broad range of security tasks: network protection, controlled folder access, blocking untrusted fonts, blocking low-integrity images, address filtering and more.

Secure Boot

A feature called Secure Boot provides excellent protection from ransomware by safeguarding the UEFI/BIOS. Windows 10 users can set up the Secure Boot feature to require that any code that runs immediately after the start of the OS be signed by Microsoft or the hardware maker.

In addition, UEFI Secure Boot can create a Windows 10 save point. While Secure Boot prevents hardware-based malware installations, save points provide a safety net in case something goes wrong with new application installations.

Controlled Folder Access

CFA is another excellent measure at your disposal to limit the potential damage caused by ransomware. This feature is available in all editions of Windows 10.

Microsoft Defender Advanced Threat Protection

Using Microsoft Defender Advanced Threat Protection to monitor endpoints via behavioral sensors in combination with cloud-based analytics can ensure that suspicious behavior is spotted on sight.

User Account Control

User Account Control is an important Windows 10 security tool for keeping unauthorized changes at bay, because it asks for administrator-level permission in the event of important changes such as removing an application or installing a program.

According to a survey done by Snow Software, 76% of employees are accessing business resources through work devices without IT permission. With a functionality called Windows 10 S Mode, businesses can solve the problem of shadow IT by limiting indiscriminate installation of applications.

Windows Hello

Multi-factor authentication is the gold standard for safe logins. Windows Hello is a multi-factor authentication platform that can work with biometric data (e.g., fingerprints or facial recognition), as well as be paired with “companion devices” (smart phones, smart watches, etc.) to ensure only authorized users can have access to the computer on which Windows 10 is installed. Note that passwords are more likely to be stolen or hacked compared to fingerprint and facial data.

Other tools such as Microsoft Passport and Microsoft Azure Active Directory can be combined with Windows Hello. Microsoft Passport is a good multi-factor password alternative and Active Directory moves identity and access management to the cloud environment. In fact, leveraging Windows 10 security features that implement least-privilege protocols would confound most cybercriminal attacks, since bad guys cannot do much without credentials.

Find My Device

The Find My Device feature can help you locate your stolen device when connected to the internet, and even lock it down.

BitLocker

Easy to use and already integrated into Windows OS, BitLocker encrypts your entire drive with a standard dubbed XTS-AES, whose default encryption strength is 128-bit (but Windows 10 users can increase it to 256-bit). This makes it impossible for malicious actors to steal your information.

Probably the best part is how unobtrusive and easy to use this feature is — you will usually not notice any difference in system performance and you will not need anything other than a Windows user account password to start it.

It may be advisable to not store your BitLocker recovery key in your Microsoft account. Save it rather to an external drive, store it in a password manager (e.g., LastPass) or print it on paper and lock it away somewhere safe. When coupled with the Trusted Platform Module (TPM), BitLocker’s encryption key can be safely stored on the TPM instead of the hard disk.

Windows 10 offers another, simpler form of encryption called BitLocker Device encryption.
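The points above (XTS-AES at 128 or 256 bits, a recovery key you can back up offline, and a TPM-held key) can be audited per volume. The following is an added example, not code from the original article: the function name `Get-BitLockerFinding` and the `-Require256` switch are hypothetical, and the script reports protector types only, never the recovery password itself.

```powershell
# Added example: read-only BitLocker audit. Run in an elevated PowerShell session.
# -Require256 is a hypothetical switch for sites whose policy demands XTS-AES 256.
function Get-BitLockerFinding {
    param([switch]$Require256)

    foreach ($vol in Get-BitLockerVolume) {
        $method     = "$($vol.EncryptionMethod)"
        # Only protector *types* are read; recovery passwords are never output.
        $protectors = @($vol.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })
        $issues     = @()

        if ("$($vol.ProtectionStatus)" -ne 'On') { $issues += 'protection is off' }
        if ($method -notlike 'XtsAes*')          { $issues += "method is $method, not XTS-AES" }
        if ($Require256 -and $method -eq 'XtsAes128') {
            $issues += 'XTS-AES 128 in use, policy requires 256'
        }
        if ($protectors -notcontains 'RecoveryPassword') {
            $issues += 'no recovery password protector to back up offline'
        }
        if ("$($vol.VolumeType)" -eq 'OperatingSystem' -and -not ($protectors -like 'Tpm*')) {
            $issues += 'OS volume key is not protected by the TPM'
        }

        [pscustomobject]@{
            MountPoint = $vol.MountPoint
            Method     = $method
            Protectors = $protectors -join ', '
            Issues     = $issues -join '; '
        }
    }
}

Get-BitLockerFinding | Format-Table -AutoSize -Wrap
```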

Conclusion

Statistics show that Microsoft Windows is the chosen operating system for the majority of desktop and laptop users in the United States (65%) and in the world (77%). That is a lot of Windows-driven devices! Many people’s personal data is there, so Microsoft bears the enormous responsibility of providing their clients with a product that will meet all modern standards from a cybersecurity point of view.

All things considered, with its new security features that further operational best practices, Windows 10 seems to fortify and streamline cybersecurity.

Nick Cavalancia, Microsoft MVP and founder of Techvangelism, put it this way: “Windows 10 security features are laser-focused on protecting and preventing current, specific forms of cyberattack.”

Dimitar Kostadinov