Free Privileged Account Discovery Tool: Identify & secure credentials to stop lateral movement. Download Free

BeyondTrust
  • Products
    Privileged Password Management
    Discover, manage, audit, and monitor privileged accounts
    Password Safe DevOps Secrets Safe
    Endpoint Privilege Management
    Manage privileges on Windows, Mac, Linux, and Unix endpoints
    Windows and Mac Unix and Linux Active Directory Bridge
    Secure Remote Access
    Centrally manage and secure remote access for service desks and vendors
    Remote Support Privileged Remote Access
    BeyondInsight Analytics
    See All Solutions
  • Resources

    Universal Privilege Management

    Our innovative Universal Privilege Management approach secures every user, asset, and session across your entire enterprise.

    Watch Video

    Learn

    Case Studies
    Competitor Comparisons
    Datasheets
    Glossary
    Product Demos
    Whitepapers

    Attend

    Events
    Go Beyond
    Training
    Webinars

    Support

    Changelog
    Professional Services
    Technical Documentation
  • Blog
  • Partners
  • Contact
  • Support
  • Services
  • Training
  • Events
  • Company

Why you Still Need a Commercial Least Privilege Solution with Windows 10

April 19, 2016

  • Blog
  • Archive
blog-pbw-windows-10 At BeyondTrust we see a lot of trends in the industry. We see commercial software that has been on the market for some time suddenly become popular, or a recent update cause unforeseen issues in an environment. We see new software hit the market and gain immediate recognition and customers understandably like to confirm everything will continue to play nice together. One of the more notable trends is when Microsoft releases a new OS. Windows 7 was massively popular with our customers; Windows 8 not so much. As we approach the one-year mark for the Windows 10 release we are beginning to see adoption in production networks; and rightfully so. Windows 10 is, in my and many others’ opinions, a huge leap forward for the Microsoft platform. It is clear security was a keystone while developing this latest OS. When a major new release of the Windows operating system ships, we inevitably hear the question, “Do I still need PowerBroker for Windows if I’m running Windows X?” Let’s take a look at some of the security features available in Windows 10, what they are intended to do, and why the answer to that question is wholeheartedly, Yes!

Security features in Windows 10

Some of the top security capabilities in Windows 10 include the following. Device Guard
  • Designed to allow only trusted applications to run
  • Applications must be signed by a trusted signature, but businesses can sign their own software or software purchased from third parties
  • Key services are isolated in a virtual container to prevent spoofing legitimate signatures
Credential Guard
  • Stores domain credentials in a virtual container
  • Aims at protecting against Pass-the-Hash attacks
Windows Hello
  • Provides a two factor authentication mechanism to log into the OS
  • Can use biometric or facial recognition
Windows Defender Advanced Threat Protection
  • Additional functionality to Defender’s AV/AM software
  • Designed to help see threats across an organization
  • Every Windows 10 machine running AT Protection becomes an additional tracking node
  • Provides actionable intelligence as part of the OS
(And some old favorites too, including Bit Locker and the Windows Firewall.) Where these new features might be most attractive for customers These are good features to implement if you do not already have an alternative in place. Why?
  • These features are free with Windows 10
  • Updates are included as part of standard OS update procedures
  • By collecting data from all Windows 10 machines running these features, they can react to threats and provides updates quickly
Requirements Consider the following requirements for these new features:
  • Some of these features require Secure Boot, 64bit virtualization support, Unified Extensible Firmware Interface (UEFI) firmware, and the Trusted Platform Module (TPM) chip
  • “Standard” technology often do not meet these requirements, (for example older hardware or “light weight” laptops)
  • Implementing these features will likely affect existing workflows

Is there room for a commercial least privilege solution?

And as we dig in a bit deeper we must take other factors into account where a commercial solution like PowerBroker for Windows is still required. Consider the following:
  • REGARDLESS OF HOW MANY LAYERS YOU PUT IN FRONT OF A MAL-INTENTED USER, HAVING ADMIN RIGHTS REMAINS THE ACHILLES HEEL OF COMPUTER SECURITY
  • PowerBroker for Windows is still required for true Application Rights Management for security and operations teams
  • Most of these features are new. We don’t yet know all the limitations, effects to the enterprise, and the real security of those features. Microsoft has never created an un-breachable feature after all
  • Historically, Microsoft features embedded into the OS have lacked true enterprise functionality
  • A full upgrade to Windows 10 will take time, and PowerBroker for Windows works across multiple operating systems, as well as with the BeyondTrust PAM/VMS suite
While I continue to be impressed by the work being done at Microsoft, and while it is obvious from this latest OS they understand their market and are doing their part for security, there remain gaps in protecting and managing networks an OS just isn’t intended to close. For this, you still need a commercial Windows least privilege solution like PowerBroker for Windows. If you would like to see how PowerBroker for Windows can help you enforce least privilege, sign up for a no-risk free trial today!

Jason Silva, Sr. Solutions Engineer, BeyondTrust

Jason Silva brings over 25 years of solutions and management experience to the industry. Currently serving as Senior Solutions Engineer for BeyondTrusts' Universal Privilege Management Platform, he uses this knowledge to help customers realize the value of our solutions throughout the product lifecycle. Earlier in his career, he found success as a software developer in a global consulting company and spent over four years managing IT and Regulatory Compliance in the banking industry.

Specialties: Microsoft Active Directory, Microsoft Group Policy, Pre and Post Sales Training, Sales Engineering, Enterprise Security Tools, Privileged Access Management

Stay Up To Date

Get the latest news, ideas, and tactics from BeyondTrust. You may unsubscribe at any time.

I agree to receive product related communications from BeyondTrust as detailed in the Privacy Policy, and I may manage my preferences or withdraw my consent at any time.

You May Also Be Interested In:

Whitepapers

A Zero Trust Approach to Secure Access

Webcasts

Rising CISOs: Ransomware, Cyber Extortion, Cloud Compromise, oh my!

Whitepapers

A Zero Trust Approach to Windows & Mac Endpoint Security

BeyondTrust Logo
  • Facebook
  • Twitter
  • LinkedIn

Keep up with BeyondTrust

I agree to receive product related communications from BeyondTrust as detailed in the Privacy Policy, and I may manage my preferences or withdraw my consent at any time.

Customer Support
Contact Sales

Products

  • Endpoint Privilege Management
  • Password Management
  • Privileged Remote Access
  • DevOps Secrets Safe
  • Remote Support

Resources

  • Blog
  • Case Studies
  • Competitor Comparisons
  • Datasheets
  • Glossary
  • Videos
  • Webcasts
  • Whitepapers

About

  • Company
  • Careers
  • Contact
  • Events
  • Leadership Team
  • Partner Program
  • Press

Languages

  • English
  • German
  • French
  • Spanish
  • Korean
  • Portuguese
  • Japanese
  • Privacy
  • Security
  • Manage Cookies
  • WEEE Compliance

Copyright © 1999 — 2020 BeyondTrust Corporation. All rights reserved. Other trademarks identified on this page are owned by their respective owners. BeyondTrust Corporation is not a chartered bank or trust company, or depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.