Windows 10: Desktop management and security issues
- By Simon Townsend
- Jun 30, 2016
Although Windows 10 has taken off in the consumer market, with 350 million active devices already deployed, the real driver for the operating system’s deployment in government agencies and enterprises is its ability to improve cybersecurity.
Defense Department CIO Terry Halvorsen issued a memo directing that Windows 10 be deployed to improve cybersecurity, lower the cost of IT and streamline the operating environment. DOD was given until January 2017 for execution, a fast trajectory for the mammoth agency. Even agencies that are less in the cybersecurity spotlight are sure to follow.
IT professionals are giving Windows 10 high marks as an operating system, agreeing that it is more secure and easier to manage. However, the new Windows 10 OS will require oversight and controls to prevent risk. Here are five issues and areas of improvement agencies should be thinking about in terms of OS migration and security objectives:
Windows 10 update frequency. Microsoft is moving to a far more agile OS release process, intending to roll out new features on an incremental basis, rather than waiting for major updates. This presents a new challenge for IT, which has historically taken a slow approach to applying OS service packs. How can IT departments manage the environment when the OS updates outpace application updates? This question is driving IT towards a layered approach when it comes to applications, data and users.
The layered desktop. To enable the new rhythm of updates, forward thinkers are considering the concept of the ‘layered desktop,’ a way of abstracting users away from the OS so that they are not tethered to an OS that is frequently changing and updating. This approach should begin with the top two layers -- the data and personalized user experience -- and work down through security and application layers.
Managing user context. As agency personnel change locations and work on different devices, the risk of security breaches increases. Literally every day, a user’s context -- and risks -- may change and require a different configuration. An IT approach to mitigate these risks looks at ‘user context’ for device-based application control. In this scenario, where employees are working, how they are working and what they’re working on determines which applications they are allowed to execute.
Restricting Windows 10 OS components. IT staff must also look at Windows 10 OS components, as well as universal applications delivered from the Windows Store, with an eye toward restricting access and further securing operations. Microsoft is planning a validation process similar to the Apple App Store, but there are so many applications already written for and working on Microsoft’s OS that it will take years to validate them all. As security attacks escalate, IT must restrict access now; it can’t afford delay.
Advanced application control. ‘Trusted ownership’ application control and whitelisting based on the owner of each executable file minimizes the amount of configuration required to ensure any user-introduced software is automatically restricted, unless specifically allowed. Whitelists can also be built using metadata properties of an executable so that trusted vendors and software suites can be allowed with a single rule.
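The two rule types described above, sketched as an audit-only PowerShell check. This is an added example, not AppSense code or any product's implementation. The function name, the list of trusted owner SIDs and the publisher pattern are assumptions chosen for illustration.

```powershell
# Added illustration; not AppSense code. Names and rule values are assumptions.
# Well-known SIDs treated as trusted owners (assumed policy).
$TrustedOwnerSids = @(
    'S-1-5-18',        # NT AUTHORITY\SYSTEM
    'S-1-5-32-544',    # BUILTIN\Administrators
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # NT SERVICE\TrustedInstaller
)
# One rule per vendor, matched against the signer certificate subject (constructed value).
$TrustedPublisherPatterns = @('*O=Example Vendor Inc*')

function Test-TrustedOwnership {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)]
        [Alias('FullName')]
        [string]$Path
    )
    process {
        $decision = 'Deny'; $reason = 'Owner not trusted and no publisher rule matched'
        # Compare owners by SID, not display name, so renamed or localized accounts still match.
        $ownerSid = (Get-Acl -LiteralPath $Path).GetOwner([System.Security.Principal.SecurityIdentifier]).Value
        if ($TrustedOwnerSids -contains $ownerSid) {
            $decision = 'Allow'; $reason = 'Trusted owner'
        } else {
            # Metadata rule: a valid Authenticode signature from an allowed vendor.
            $sig = Get-AuthenticodeSignature -LiteralPath $Path
            if ($sig.Status -eq 'Valid') {
                foreach ($pattern in $TrustedPublisherPatterns) {
                    if ($sig.SignerCertificate.Subject -like $pattern) {
                        $decision = 'Allow'; $reason = "Publisher rule $pattern"; break
                    }
                }
            }
        }
        [pscustomobject]@{ Path = $Path; OwnerSid = $ownerSid; Decision = $decision; Reason = $reason }
    }
}

# Audit-only usage: list executables in a user-writable folder that the policy would block.
Get-ChildItem -LiteralPath "$env:USERPROFILE\Downloads" -Filter *.exe -File -ErrorAction SilentlyContinue |
    Test-TrustedOwnership |
    Where-Object Decision -eq 'Deny'
```

Files a standard user downloads or copies are owned by that user, so they fall to `Deny` unless a publisher rule matches, which is the default-restrict behavior the paragraph describes.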
Windows 10 is getting good marks from IT for security, management and functionality, but as one IT staffer said, “It’s like changing the wheels while driving the car.”
However, as Microsoft follows through on incremental updates -- and agencies switch over from legacy operating systems -- it’s imperative to identify where security risks may occur, such as failing to set adequate controls in user context or allowing loose privilege rights regarding executable files.
Taking a hard look at desktop management controls now and implementing as many advanced security measures as possible will offer the best protection as Microsoft rolls out updates.
Simon Townsend is chief technologist for AppSense.