Windows 10 Gets Thumbs Up From Security Experts

Security experts have given a cautious welcome to enhancements in Windows 10, including improved access controls, data loss prevention, and app whitelisting for consumers and businesses.

Microsoft’s new operating system is available free to Windows 7 and 8 customers from today, with a raft of new features including the Siri-like Cortana personal assistant and a new browser to replace the increasingly buggy Internet Explorer.

It has also been given a major makeover when it comes to security.

This includes Device Guard, a whitelisting feature designed to vet and block any app trying to download to a Windows 10 machine that hasn’t been signed by a software vendor, the Windows Store, or the enterprise itself.

Then there’s Windows Hello, Microsoft’s attempt at two-factor biometric authentication supporting facial- and fingerprint-based access systems.

On a similar password-killing theme, Passport is designed to let users access apps, networks and websites without the need for passwords.

Other features include improved file-level encryption and data loss prevention (DLP).

“Microsoft has clearly considered the rise in BYOD by introducing the DLP feature,” argued Webroot solutions architect, Matthew Aldridge.

“Through enabling the containerization of applications and encryption of corporate data as soon as it arrives on the device, it is far harder for sensitive company information to fall into the wrong hands, whether this is by accident or through a targeted attack. Application-specific VPN connectivity is also a huge step forward in reducing risk exposure on compromised devices.”

Steve Allen, senior security consultant at Capgemini, argued that some of the less well publicized changes may end up having the greatest long-term benefits for enterprises.

“Perhaps the most significant security improvement is Microsoft replacing Internet Explorer with a new browser, Edge. This is good news for the user community as IE has unfortunately been quite buggy and a target for exploitation by criminals to attack users as they shop or bank online,” he claimed.

“Having a consistent operating system across multiple devices – PCs and mobiles – combined with Microsoft’s change to patch updating, should make it easier to deploy and manage applications which is always good for security.”

However, the new operating system is far from bulletproof, F-Secure security adviser Tom Gaffney told Infosecurity by email.

For one, Windows 10 still hides double extensions by default, which is a major error, he argued.

“Consider a file named doubleclick.pdf.bat. If ‘hide extensions’ is enabled, then this will be shown in File Explorer as ‘doubleclick.pdf’. You, the user, might go ahead and double-click on it, because it’s just a PDF, right?” he explained.

“In truth, it’s a batch file, and whatever commands it contains will run when you double-click on it.”
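A defender's check for the double-extension problem described above, as an added example that is not part of the original article: it flags filenames whose real extension is executable while the name shown with extensions hidden still ends in a document-like extension. The extension lists and function names are illustrative assumptions, not an exhaustive policy.

```python
import os

# Illustrative, non-exhaustive lists (assumptions for this example).
EXECUTABLE_EXTS = {".bat", ".cmd", ".exe", ".com", ".scr", ".vbs", ".js", ".ps1"}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}


def displayed_name(filename):
    """Name as a file manager shows it when the final extension is hidden.

    Assumes the final extension is a registered type and therefore hidden.
    """
    stem, ext = os.path.splitext(filename)
    return stem if ext else filename


def is_masquerading(filename):
    """True if the file would run as a script or program while its
    displayed name still ends in a document-like extension."""
    name = filename.lower()                 # Windows extensions are case-insensitive
    stem, real_ext = os.path.splitext(name)
    _, shown_ext = os.path.splitext(stem)   # extension the user actually sees
    return real_ext in EXECUTABLE_EXTS and shown_ext in DOCUMENT_EXTS


def scan(root):
    """Walk a directory tree and return (full_path, displayed_name) pairs
    for every file whose visible name hides an executable extension."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in sorted(files):
            if is_masquerading(fname):
                hits.append((os.path.join(dirpath, fname), displayed_name(fname)))
    return hits


if __name__ == "__main__":
    # Constructed sample names; the first is the one quoted in the article.
    samples = ["doubleclick.pdf.bat", "report.pdf", "build.bat", "archive.tar.gz"]
    for s in samples:
        flag = "SUSPICIOUS" if is_masquerading(s) else "ok"
        print(f"{s!r:28} shown as {displayed_name(s)!r:20} {flag}")
```

Running `scan()` over download and e-mail attachment folders gives a list to review; turning off the "hide extensions" option in File Explorer removes the mismatch between what is shown and what runs.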

Other potential security holes include the open Wi-Fi access feature, which allows Windows 10 users to share Wi-Fi passwords with their friends.

This is “open to accidental and deliberate misuse,” Gaffney claimed.

However, there were caveats.

“The system is not live yet and Microsoft will continue to make changes, so expect the landscape to change,” said Gaffney.

“You would think it would be fairly locked down given the launch is today, but to give them their due, issuing a new OS is not easy. Expect lots of hotfixes and security patches to continue being issued over the coming months.”
