Microsoft is on the verge of releasing its latest operating system, Windows 10. It has taken several nontraditional strides for this release including being free Microsoft 10 for one year for all Windows 7 and Windows 8 users (a play from Apple’s OS X playbook). Additionally, Windows 10 will allow upgrades for unlicensed copies of previous versions (this will not provide a valid license, just allow for the upgrade). Based on our understanding of the beta releases and what is currently published, several key components will be worth watching as we near the imminent release:
Microsoft Windows Hello – The concept of Hello is based on Microsoft Kinect and Passport technology. Hello provides a credential to a system that can’t be stolen or copied by another user (theoretically). Since it is based on advanced biometrics, and not simply face recognition from a photo, it would be difficult or near impossible to impersonate a user. Since the various methods (facial, iris, fingerprint, etc.) require special hardware (and not a common camera built into a laptop or tablet today), it is yet to be seen how this equipment will be adopted and the cost it will add to systems.
Providing a unique credential to a user that can only be associated with them is a great way to ensure passwords are not shared and are unique per individual. There is one potential draw back that could circumvent this system – the password can never be changed. You cannot change your face, infrared heat patterns of your skin, iris blood vessels, or even your fingerprint. If a database was stolen that keeps this PII, it is just a matter of time before someone could technically own your likeness forever.
Project Spartan – Whatever the final name will be, I am certain it will be a safer browser than Internet Explorer. Microsoft has completely rewritten the rendering engine and certainly had security in mind when doing so. In order to keep up with the other players, Spartan will have to adopt features found in Safari, Chrome, and Firefox and do them better – like iCloud Password KeyChains and Session passing. It is yet to be seen how it will support Active X controls and other plug-ins like browser bars that have traditionally caused security holes.
Windows 10 will improve on the concepts of least privilege. Modern applications should be designed and complied to fully operate as standard user and Microsoft has embraced the need to change the OS in order to do so. New programs will be able to launch processes for auto update, etc. without the need for administrator credentials. While this is a huge improvement, it does not dissolve the need for tools that support legacy applications, all operating system functions, and vendors that truly need administrator access like VMware workstation. In addition, application allow listing with a focus on least privilege is still void in this latest release. This means, that there are little provisions to “absolutely” control what executes, is installed, and what permissions are used when a user interacts with a system.
For all of these solutions, BeyondTrust tests beta builds from Microsoft to determine scope, effort, and timelines for support of these new solutions. Whether this is just basic compatibility or support with new features, BeyondTrust strives to meet compatibility within 3 months of GA by Microsoft. We are looking forward to supporting Microsoft with our upcoming Privilege Account Management and Vulnerability Management releases.
Will you be at Microsoft Ignite next week in Chicago? Stop by booth #308 to learn more about how BeyondTrust proactively eliminates data breaches from insider privilege abuse and external hacking attacks.
Morey J. Haber, Chief Security Officer at BeyondTrust
Morey J. Haber is the Chief Security Officer at BeyondTrust. He has more than 25 years of IT industry experience and has authored three books: Privileged Attack Vectors, Asset Attack Vectors, and Identity Attack Vectors. He is a founding member of the industry group Transparency in Cyber, and in 2020 was elected to the Identity Defined Security Alliance (IDSA) Executive Advisory Board. Morey currently oversees BeyondTrust security and governance for corporate and cloud based solutions and regularly consults for global periodicals and media. He originally joined BeyondTrust in 2012 as a part of the eEye Digital Security acquisition where he served as a Product Owner and Solutions Engineer since 2004. Prior to eEye, he was Beta Development Manager for Computer Associates, Inc. He began his career as Reliability and Maintainability Engineer for a government contractor building flight and training simulators. He earned a Bachelor of Science degree in Electrical Engineering from the State University of New York at Stony Brook.