It’s only been one month since Microsoft unveiled Windows 10 to great fanfare and high expectations for a world of new and better user experiences. And while the initial focus was on the deep integration between the operating system and the Internet, much of that attention has now turned to security.
And the timing couldn’t be better. Microsoft plans to release an enterprise version of Windows 10 this Fall, when the trained eyes of thousands of chief information security officers will pull apart every feature in the hope of uncovering hidden threats to data security and privacy. But one expert has already taken a look at a few of Windows 10’s more compelling features and found that understanding the operating system’s security and privacy features is sometimes a matter of reading the fine print.
In a blog post for the Dell Insight Partners Program, Eric Vanderburg, director of information systems security at JURINNOV, said while Windows 10 offers many significant improvements in security there are a number of less obvous features that some users may not be comfortable with from a security and privacy standpoint.
Passive Data Collection
For example, Windows 10 collects information from your microphone, location, camera, handwriting and searches by default, according to Vanderburg. That information is used by the operating system’s integrated personal digital assistant, known as Cortana, to provide intelligent information users. But that’s not all it does, says Vanderburg.
“The information is also used to send product and service information, distribute security notices and display advertisements. Information is shared with Microsoft affiliates, subsidiaries and vendors. This is a common practice for many companies, and Microsoft explicitly states that it does not collect information from email, chat, video calls, voice mails, and personal files for advertisement targeting,” said Vanderburg. “However, unlike the web, your operating system is resident on your machine, potentially collecting information even when you are not actively using the computer.”
Fortunately, all of the privacy settings for the microphone, camera and location data can be changed in Windows 10 and through the new Edge broswer’s privacy settings.
Windows 10 also continues Microsoft’s integration of online accounts with local accounts — something the company started when it released Windows 8. The feature allows users to link data from multiple computers that are linked to a Microsoft account. It’s a handy feature, but one users should be aware of, said Vanderburg.
“Using a local account will disable some application downloads and synchronization features, but it will limit the data collected to that machine so it is not integrated with usage on other platforms or the Microsoft online community,” he said. “This also prevents someone who compromises your online account from remotely accessing your computer using that account or vice versa.”
Another interesting feature of Windows 10 is something called Wi-Fi Sense, which is designed to allow access to a user’s wireless network by anybody in their contact list. The feature has received tons of negative press coverage, but Vanderburg says the concerns are overblown.
“Wi-Fi Sense is not turned on for all your contacts automatically,” he said. “Contacts are not granted access to your network unless access has been assigned, and this is only available after you make a wireless network available for sharing. This feature makes it easier to allow friends to connect to your network without providing the wireless password to them, and the feature can be disabled if and when it is not needed.”
Windows 10 does come with some rock-solid security improvements.
Windows Hello is software that is built into the operating system that will allow enterprises to incorprate biometric devices into their identity management processes. According to Vanderburg, Windows Hello supports face, eye and fingerprint biometrics.
Microsoft has also introduced Device Guard, which prevents unsigned applications from running on your system. The developers of third party software must digitally sign the installer file of their apps so that Windows 10 can confirm that the file is actually from the developer and not a hacker trying to execute malicious code on your computer. Likewise, the new Edge browser introduces several new security protections to screen for phishing sites and prevent web sites from stealing credentials.
“In the end, I think Windows 10 is a good step forward in both features and security, but it can be enhanced by turning off a few features, especially if you are not using them,” Vanderburg said.
Ian Trump, security lead at LogicNow, said like anything new being deployed in the government, one of the first priorities is making sure it works with existing and legacy systems.
“Enterprise customers and government are generally fiscally challenged and the deployment of a new operating system is a massive expense measured in both software, hardware costs and IT department time,” Trump said. “Enterprises and governments have hundreds of applications, some 20 years old or older that will require testing on the new OS. Although Microsoft suggests Windows 10’s compatibility is the best ever … Microsoft’s assurance is not evidence of due diligence. That only comes from organizational testing and documentation,” he said.
“On the bright side, Windows 10 is a wonderful opportunity to boost security through introducing new security technologies at a fraction of the cost of third party applications,” Trump said. “With the right balance of compatibility testing and adoption of these new features, enterprises and governments could move the organization security posture forward. If it’s a simple matter to turn on and configure robust security on the workstations and laptops, executives will enjoy costs savings when these features arrive out of the box.”
Tom Kellermann, chief cybersecurity officer at Trend Micro, said he firmly believes Windows 10 is a significant leap forward for Windows Security. “Microsoft’s security leadership team has righted the ship and can now be proud of their masterpiece,” he said. Any of the major security and privacy concerns stemming from default features are sure to be “rectified” for business and government users before the enterprise version is released, he said.