Review how Windows 10 identity and access security features protect your users when they sign in, and protect access to resources.
- [Instructor] Windows 10 offers comprehensive identity and access security features, which protect your users' identity and authentication protocols from being hacked. Let's take a look at some of the built-in features within Windows 10 that protect your environment. Access Control manages the authorization of users, computers, and groups within a shared resource environment. Traditionally, this used Active Directory and NTFS, but more often, this has been provided for by Azure Active Directory, which gives Access Control to solutions such as Office 365, OneDrive for Business, and SharePoint Online.
By employing Access Control, your users and groups can be granted permissions and rights to use shared resources. These permissions include read, write, modify, and allowing full control of any resource. Additionally, a user may not be granted permissions to access a resource such as files, folders, and printers. Windows 10 uses virtual smart cards for two-factor authentication, which requires something that you have, such as your laptop or device, and something that you know, such as your username and password.
Virtual smart cards mimic legacy physical smart cards and are used as the second form of authentication during the login process. The Trusted Platform Module, or TPM chip, found on most PC motherboards, provides the storage location to the virtual smart card, and provides protection by encrypting the smart card passwords and keys. In Windows 10, Windows Hello offers secure authentication by using biometric and PIN identification methods instead of passwords.
Modern Windows 10 devices support biometric features, such as fingerprint readers and facial recognition cameras. User Account Control or UAC guards against malware which could historically take control of a PC and install malware such as ransomware. All Windows 10 applications and tasks always run at the user level and not as an administrator, unless specifically authorized to do so by an admin. If a user needs to install an application or a feature that requires UAC elevation, they'll need to request IT support, who can then connect remotely to the device and enter administrative level credentials.
UAC has been very successful in stopping malware from launching apps or starting processes using administrative privileges. Digital certificates provide the means to establish a very secure communication between clients and services. Certificates are issued by a trusted certification authority, which then vouches for the identity of the certificate holder. Windows 10 also supports S/MIME or Secure/Multipurpose Internet Mail Extensions.
This provides an encryption system for email. This allows all outgoing email messages and attachments sent to and from an Exchange ActiveSync account to be secured. S/MIME uses certificates to identify senders and ensures that only the intended recipients are able to read emails. Passwords are still the target for hackers. Windows Defender Credential Guard protects credentials used and stored on a Windows 10 device. It uses Virtual Secure Mode or VSM to protect areas of the system memory so that processes that handle password keys are isolated from regular Windows processes.
This means that regular processes are not able to read what's going on within the VSM, and not even administrators are able to do this. By using the VSM, you can protect against pass-the-hash attacks, where a hacker attempts to use the hashed version of a user password to gain access to a system.