Scalable security via Microsoft Windows 10 Enterprise E3 just became available this month from Microsoft partners through the Cloud Solution Provider channel. Let’s take a look at three enterprise security capabilities that organizations can now tap into on a per-user, per-month basis — no matter their size: Credential Guard, Device Guard and Windows Information Protection.
These sophisticated security features in Windows 10 help organizations secure sensitive data and identities, protect devices from cyberthreats and let an increasingly mobile workforce safely access sensitive data on a variety of devices.
Credential Guard is a new feature that can secure user identities, but organizations need to understand its function to take advantage of its capabilities. Credential Guard takes each user’s access token and secures it in a hardware-isolated container that runs on Microsoft Hyper-V.
The access token — which contains the security credentials for a login session and identifies the user, the user’s group policy settings, the user’s privileges and, in some cases, applications — is completely removed from the device itself.
The benefit here is that if a device is compromised, a cybercriminal can’t get to the actual user token, which is essentially a user’s identity. This is incredibly strong protection. If a hacker were to get hold of your token, he or she could access resources by impersonating you.
By removing the token from the device and hiding it in Hyper-V, even if the device is compromised, the credentials aren’t available to the unauthorized user. This helps to protect against common “pass-the-hash” attacks, in which the attacker compromises enterprise endpoints and uses them to dig deep into an enterprise network.
Device Guard, a feature that protects the Windows core, is another worthwhile capability. It employs hardware-based isolation and virtualization to protect devices and their operating system core, while preventing malicious or unapproved applications from running.
The IT team can identify the applications — from trusted sources — that each core will be able to access. Then Device Guard will only allow access based on those core settings.
It’s a way for your IT department to say, “This is the suite of applications we have endorsed; we know they are from trusted sources.” It puts an organization in control of its environment at the OS layer.
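Windows reports the state of both features through the `Win32_DeviceGuard` CIM class, so an administrator can confirm that they are actually running rather than only configured. The PowerShell below is an added example, not part of the original article; the function name `Get-VbsFeatureStatus` and the sample object are assumptions made for illustration.

```powershell
# Added example; Get-VbsFeatureStatus is a hypothetical helper name.
# Value meanings follow Microsoft's documentation for Win32_DeviceGuard.
function Get-VbsFeatureStatus {
    param(
        # Defaults to the live instance; pass an object to test off-box.
        $DeviceGuard = (Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                            -ClassName 'Win32_DeviceGuard' -ErrorAction Stop)
    )

    $vbsState = @{ 0 = 'Not enabled'; 1 = 'Enabled, not running'; 2 = 'Running' }
    $ciState  = @{ 0 = 'Off'; 1 = 'Audit'; 2 = 'Enforced' }

    # Older builds do not expose every property, so keep "absent" distinct from 0.
    function Resolve-State($Map, $Value) {
        if ($null -eq $Value) { return 'Not reported' }
        $name = $Map[[int]$Value]
        if ($name) { $name } else { "Unknown ($Value)" }
    }

    # In both service arrays, 1 = Credential Guard and
    # 2 = hypervisor-protected code integrity (HVCI).
    $cgConfigured = @($DeviceGuard.SecurityServicesConfigured) -contains 1
    $cgRunning    = @($DeviceGuard.SecurityServicesRunning) -contains 1

    [pscustomobject]@{
        VirtualizationBasedSecurity = Resolve-State $vbsState $DeviceGuard.VirtualizationBasedSecurityStatus
        CredentialGuardConfigured   = $cgConfigured
        CredentialGuardRunning      = $cgRunning
        HvciRunning                 = @($DeviceGuard.SecurityServicesRunning) -contains 2
        KernelCodeIntegrityPolicy   = Resolve-State $ciState $DeviceGuard.CodeIntegrityPolicyEnforcementStatus
        UserModeCodeIntegrityPolicy = Resolve-State $ciState $DeviceGuard.UsermodeCodeIntegrityPolicyEnforcementStatus
        # Configured but not running is the case worth investigating.
        NeedsAttention              = ($cgConfigured -and -not $cgRunning)
    }
}

# Constructed sample (not real output): Credential Guard and HVCI are both
# configured, only Credential Guard is running, code integrity is in audit mode.
$sample = [pscustomobject]@{
    VirtualizationBasedSecurityStatus            = 2
    SecurityServicesConfigured                   = @(1, 2)
    SecurityServicesRunning                      = @(1)
    CodeIntegrityPolicyEnforcementStatus         = 1
    UsermodeCodeIntegrityPolicyEnforcementStatus = $null
}
Get-VbsFeatureStatus -DeviceGuard $sample
```

Calling `Get-VbsFeatureStatus` with no argument on a Windows 10 Enterprise device queries the live class instead of the sample.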
Windows 10 can also help an organization keep its mobile users safe on the go. There’s an additional layer of security in this latest iteration of the OS that gives users the freedom to tap into enterprise resources from different devices (company-owned or personal) without compromising data assets. This Windows Information Protection feature has data leak prevention capability built in.
Now, the IT team can set policies to encrypt individual files or entire data sets automatically, regardless of whether the device containing the data is itself encrypted. This clearly lessens concerns about data leakage in environments where team members need to share and collaborate easily but wield multiple devices.