Apr 05 2019

How a Windows 10 Migration Boosts Agencies' Cybersecurity

With extended support for Windows 7 ending in 2020, state and local officials should upgrade to the latest OS promptly.

Agencies remaining with Windows 7 past Jan. 14, 2020, will pay for security hotfixes. But upgrading to Microsoft’s Windows 10 now will strengthen an agency’s security posture quickly, and at less cost.

The security landscape has changed significantly since Windows 7 first appeared, and Windows 10 is designed to address new and emerging threats. Windows 10 offers security improvements that already have proved effective. For example, devices running Windows 10 were not infected with the WannaCry and NotPetya malware that spread quickly around the world in 2017. 

Windows Defender offers a suite of cybersecurity protections and is built into Windows 10. It includes several different technologies that deliver superior protection:

  1. System Guard
  2. Credential Guard
  3. Application Control
  4. Application Guard
  5. Exploit Guard
  6. Advanced Threat Protection

System Guard Segments OS Using Containers 

Designed to protect and maintain the integrity of Windows upon startup and to validate system integrity through local and remote attestation, System Guard uses Secure Boot to ensure malicious bootloaders can’t run before Windows starts and that only signed files and drivers are loaded. Ensuring that Windows isn’t compromised is vital for the other defenses to work properly.

Windows Defender System Guard Container uses virtualization-based security (VBS) to segregate critical parts of the OS using containers. Windows Defender Exploit Guard reduces the attack surface for malware, and Windows Defender Credential Guard protects access to sensitive processes by halting credential-stealing exploits.

Device Health Attestation (DHA) allows System Guard to take integrity measurements, protected by a Trusted Platform Module to prevent tampering with the results, and to hand the data to Intune or System Center Configuration Manager. System administrators can block network access for devices that don’t pass DHA.


Credential Guard Protects Password Hashes 

“Pass the hash” and “pass the token” attacks are common methods used to move laterally around networks and elevate privileges to gain domain administrator access to Active Directory. Credential Guard uses VBS to protect password hashes and security tokens so that only privileged system processes can access them. VBS stores Kerberos and NT LAN Manager credentials in a container that the Windows kernel cannot access directly, rendering ineffective many tools used to harvest hashes and tokens.
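The following read-only check is an added example, not part of the original article: it reports whether the boot-integrity and VBS protections described above (Secure Boot, TPM, Credential Guard, memory integrity) are actually active on a device. The function name `Get-GuardPosture` is hypothetical; the cmdlets and the `Win32_DeviceGuard` class are standard on Windows 10 and need an elevated session.

```powershell
# Added example: read-only posture check; run in an elevated PowerShell session.
function Get-GuardPosture {
    # Confirm-SecureBootUEFI throws on legacy BIOS systems, so treat an error as "off".
    try   { $secureBoot = [bool](Confirm-SecureBootUEFI -ErrorAction Stop) }
    catch { $secureBoot = $false }

    # The TPM protects the integrity measurements used for attestation.
    $tpm = Get-Tpm

    # Win32_DeviceGuard reports the state of virtualization-based security (VBS).
    $dg = Get-CimInstance -ClassName Win32_DeviceGuard `
                          -Namespace 'root\Microsoft\Windows\DeviceGuard'

    # VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but not running, 2 = running
    # SecurityServicesRunning:           1 = Credential Guard, 2 = memory integrity (HVCI)
    [pscustomobject]@{
        ComputerName           = $env:COMPUTERNAME
        SecureBoot             = $secureBoot
        TpmPresent             = [bool]$tpm.TpmPresent
        TpmReady               = [bool]$tpm.TpmReady
        VbsRunning             = ($dg.VirtualizationBasedSecurityStatus -eq 2)
        CredentialGuardRunning = ($dg.SecurityServicesRunning -contains 1)
        MemoryIntegrityRunning = ($dg.SecurityServicesRunning -contains 2)
    }
}

$posture = Get-GuardPosture
$posture | Format-List

# List every protection that is not active so the gap can be remediated.
$gaps = $posture.PSObject.Properties |
    Where-Object { $_.Value -is [bool] -and -not $_.Value } |
    Select-Object -ExpandProperty Name
if ($gaps) { Write-Warning "Not active on $($posture.ComputerName): $($gaps -join ', ')" }
```

A device can have Credential Guard configured by policy yet not running, for example when virtualization is disabled in firmware, which is why the check reads the running state rather than the policy setting.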

Application Control Restricts Access to Apps 

Windows 7 AppLocker is a basic application whitelisting solution, and it is still present in Windows 10. But because of the way it was designed, it is easy to override AppLocker once you have administrative privileges on the device. Application Control is more robust, and it optionally can be used with Exploit Guard’s Memory Integrity.


Application Guard Keeps Users Safe While Browsing 

Application Guard starts Microsoft Edge in a container that protects Windows from the user’s browser session. Application Guard may be configured to automatically provide additional protection when visiting untrusted sites. Additionally, system administrators can allow or block file downloads and copy/paste operations between the protected session and Windows. Sadly, Favorites cannot be accessed in Application Guard. Internet Explorer is included in Windows 10 for backward compatibility, but Edge promises a more secure experience by removing legacy technologies like ActiveX controls, and it blocks Adobe Flash Player by default.


The worldwide percentage of personal computers running Windows 7 as of January 2019

Source: computerworld.com, “Windows by the Numbers: January 2019,” Feb. 4, 2019

Exploit Guard Reduces the Attack Surface 

The Enhanced Mitigation Experience Toolkit for Windows 7 is now integrated into Windows 10 as Exploit Guard. Attack surface reduction rules can be applied in audit mode first and later enforced to protect against attacks on Microsoft Office and other software.
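The audit-then-enforce workflow for attack surface reduction rules, as an added example that is not part of the original article. The rule ID is Microsoft's documented identifier for "Block all Office applications from creating child processes" and does not come from the article; the function names `Get-AsrRuleState` and `Get-AsrAuditHit` are hypothetical.

```powershell
# Added example: run elevated on a Windows 10 device with Windows Defender Antivirus active.
# Rule ID (not from the article): "Block all Office applications from creating child processes".
$ruleId = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'

# 1. Put the rule in audit mode: matches are logged, nothing is blocked.
Add-MpPreference -AttackSurfaceReductionRules_Ids $ruleId `
                 -AttackSurfaceReductionRules_Actions AuditMode

# 2. Show every configured rule with its current action.
function Get-AsrRuleState {
    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids | Where-Object { $_ })
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    $name    = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }
    for ($i = 0; $i -lt $ids.Count; $i++) {
        [pscustomobject]@{
            RuleId = $ids[$i]
            Action = $name[[int]$actions[$i]]
        }
    }
}
Get-AsrRuleState | Format-Table -AutoSize

# 3. After a pilot period, review what enforcement would have blocked.
#    Event ID 1122 = rule matched in audit mode; 1121 = rule blocked the action.
function Get-AsrAuditHit {
    param([int]$Days = 14)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1122
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue
}
Get-AsrAuditHit | Select-Object TimeCreated, Message | Format-List

# 4. Once the audit hits are understood and exclusions are in place, enforce the rule:
# Add-MpPreference -AttackSurfaceReductionRules_Ids $ruleId `
#                  -AttackSurfaceReductionRules_Actions Enabled
```

Audit hits that trace back to legitimate line-of-business macros or add-ins are the ones to resolve before switching the rule to `Enabled`.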

Advanced Threat Protection Offers Even More Defenses

ATP is integrated into the Enterprise E5 edition of Windows 10, and it goes beyond the basic malware protection provided by Windows Defender. ATP can stop breaches before they take hold across a network by sharing information with the Microsoft Intelligent Security Graph, monitoring behavior, using machine learning and analyzing security metrics.


Windows 10 Has Numerous Additional Cybersecurity Features

Microsoft wants users to stop using passwords because they are not secure, and Windows Hello takes us one step closer to that reality. Using biometrics, such as facial recognition or a fingerprint, users can log in to Windows 10 without a password. 

Windows Hello for Business integrates with Azure Active Directory (AAD). Controlled Folder Access allows only whitelisted processes to gain write access to protected folders, blocking ransomware from encrypting the files in them.

And Mobile Device Management is built into Windows 10. Unlike Windows 7, it doesn’t require a separate agent. Windows 10 can join directly to AAD domains for agencies that want to use Microsoft’s modern management stack, which includes Intune, AAD and Windows Autopilot.

Windows 10 empowers modern hardware like the Dell Latitude 3590 and HP ProDesk 400 G5 to thwart ransomware and security breaches, such as “pass the hash” attacks, where one compromised device could lead to an attacker getting access to an entire network. Not only is an unpatched Windows 7 environment exposed to such threats, but agencies will have to pay extra for any fixes to the operating system next year.

Consider a speedy migration to Windows 10. Microsoft supports in-place upgrades to Windows 10 from Windows 7 and encourages this upgrade path. In the past, a wipe-and-reload approach was preferred, but improvements in the upgrade process in Windows 10 offer a more reliable experience. For agencies that can quickly redeploy apps and user settings, or those looking to move to modern management, a clean install is still a good option.

Illustrations by Rob Dobi
