Why you Still Need a Commercial Least Privilege Solution with Windows 10

At BeyondTrust we see a lot of trends in the industry. We see commercial software that has been on the market for some time suddenly become popular, or a recent update cause unforeseen issues in an environment. We see new software hit the market and gain immediate recognition and customers understandably like to confirm everything will continue to play nice together. One of the more notable trends is when Microsoft releases a new OS. Windows 7 was massively popular with our customers; Windows 8 not so much. As we approach the one-year mark for the Windows 10 release we are beginning to see adoption in production networks; and rightfully so. Windows 10 is, in my and many others’ opinions, a huge leap forward for the Microsoft platform. It is clear security was a keystone while developing this latest OS. When a major new release of the Windows operating system ships, we inevitably hear the question, “Do I still need PowerBroker for Windows if I’m running Windows X?” Let’s take a look at some of the security features available in Windows 10, what they are intended to do, and why the answer to that question is wholeheartedly, Yes!

Security features in Windows 10

Some of the top security capabilities in Windows 10 include the following. Device Guard

• Designed to allow only trusted applications to run
• Applications must be signed by a trusted signature, but businesses can sign their own software or software purchased from third parties
• Key services are isolated in a virtual container to prevent spoofing legitimate signatures

Credential Guard

• Stores domain credentials in a virtual container
• Aims at protecting against Pass-the-Hash attacks

Windows Hello

• Provides a two factor authentication mechanism to log into the OS
• Can use biometric or facial recognition

Windows Defender Advanced Threat Protection

• Additional functionality to Defender’s AV/AM software
• Designed to help see threats across an organization
• Every Windows 10 machine running AT Protection becomes an additional tracking node
• Provides actionable intelligence as part of the OS

(And some old favorites too, including Bit Locker and the Windows Firewall.) Where these new features might be most attractive for customers These are good features to implement if you do not already have an alternative in place. Why?

• These features are free with Windows 10
• Updates are included as part of standard OS update procedures
• By collecting data from all Windows 10 machines running these features, they can react to threats and provides updates quickly

Requirements Consider the following requirements for these new features:

• Some of these features require Secure Boot, 64bit virtualization support, Unified Extensible Firmware Interface (UEFI) firmware, and the Trusted Platform Module (TPM) chip
• “Standard” technology often do not meet these requirements, (for example older hardware or “light weight” laptops)
• Implementing these features will likely affect existing workflows

Is there room for a commercial least privilege solution?

And as we dig in a bit deeper we must take other factors into account where a commercial solution like PowerBroker for Windows is still required. Consider the following:

• REGARDLESS OF HOW MANY LAYERS YOU PUT IN FRONT OF A MAL-INTENTED USER, HAVING ADMIN RIGHTS REMAINS THE ACHILLES HEEL OF COMPUTER SECURITY
• PowerBroker for Windows is still required for true Application Rights Management for security and operations teams
• Most of these features are new. We don’t yet know all the limitations, effects to the enterprise, and the real security of those features. Microsoft has never created an un-breachable feature after all
• Historically, Microsoft features embedded into the OS have lacked true enterprise functionality
• A full upgrade to Windows 10 will take time, and PowerBroker for Windows works across multiple operating systems, as well as with the BeyondTrust PAM/VMS suite

While I continue to be impressed by the work being done at Microsoft, and while it is obvious from this latest OS they understand their market and are doing their part for security, there remain gaps in protecting and managing networks an OS just isn’t intended to close. For this, you still need a commercial Windows least privilege solution like PowerBroker for Windows. If you would like to see how PowerBroker for Windows can help you enforce least privilege, sign up for a no-risk free trial today!