Think Windows 8 was a big step forward in security? So did Microsoft – at the time. Looking back though, Chris Hallum, who manages the security features in Windows and Windows Phone, now thinks it had incremental improvements tackling a subset of the problem.
That wasn't helped by PC makers failing to put the kind of touch-sensor fingerprint readers seen on the iPhone into their devices, as he'd hoped they would.
He's still hoping to see fingerprint sensors become common, but he's also bullish about what's coming next. "In Windows 10," he says confidently, "you'll see we actually decisively address entire classifications of issues with solutions that maybe in some ways can eradicate the issue in its entirety."
The first issue to tackle is passwords. "We're no longer thinking about passwords as a problem," he admits freely. "Passwords are actually a real-time crisis. You have to move to something better."
And that would be the 'next-generation credential'. It's going to use two-factor authentication, with the second factor being either the Trusted Platform Module security chip which is in many modern PCs and will be in every single Windows device in 2015, or your phone (where the equivalent of the TPM is "pretty close to pervasive") – or, he suggests mysteriously, "devices we're not talking about yet".
When you first make your account, your PC will create a key that's stored in a secure container, protected by the TPM – you might have one key for your personal account, another for your online bank and another for your work account that has a longer PIN.
"The user unlocks their Windows container with an unlock gesture, which could be a PIN or a password or biometrics, and they get access to it," says Hallum. That PIN isn't the usual four digits – it can be up to 20 characters long and it can include numbers, symbols, spaces and upper and lower case letters.
Fingerprinting good
Or you could use a fingerprint. Hallum expects readers that can tell whether your finger is a real finger and whether it's still alive, looking not just at the pattern but "the 3D image with the peaks and valleys" which flatten out on dead fingers and fake fingerprints.
He'd like to see a 9mm sensor that doesn't have a big chrome border around it so you can just press your whole fingertip on it once instead of multiple times like the iPhone, but OEMs may pick smaller, cheaper sensors. "We're going to get the cost down to where it can go mainstream," he says with cautious optimism. "We have an OEM signalling – not committing but signalling – that they may put it across their entire consumer range. Although I hope I don't get burned again because I talked about this for Windows 8…"
With or without fingerprint readers, the new password-replacing credentials are coming – not just from Microsoft but from fellow FIDO Alliance members like Google. Google's similar secure key proposal has already been ratified and Hallum says Microsoft is committed to getting its own system ratified by FIDO too.
Hallum believes the flexibility of the Windows 10 credential is an advantage. "The differentiator for us is you will be able to use existing devices to authenticate for this; you can use your PC or your phone.
"That means your phone – including Windows Phone, Android, an iPhone with its fingerprint reader and maybe one day a BlackBerry – could store your credentials and pair to your PC via Bluetooth to sign you in. That means two-factor authentication will become ubiquitous, without people needing multiple fobs and physical tokens."
He's confident the credentials will be adopted by a range of services, and says Microsoft is evangelising it to both business and consumer services. "This is going to succeed. You're going to see a lot of consumer services like Netflix. They see how important this is for banking, for content, for consumer services." Business apps that you log into with a Windows username and password today will just work with them too. "Every app should be able to take advantage of it, unless you've done something that is not best practice."
Getting past Pass the Hash
Signing in with one of these next-generation credentials "unlocks the Windows container" because Windows 10 is made up of multiple containers. Windows is in one container, but the security token from Active Directory that lets you access resources on your company network and the LSA authentication service that issues it are in another, running on top of Hyper-V virtualisation in what Microsoft calls a Virtual Secure Mode.
Those tokens are what many attackers have been targeting when they break into companies using a technique known as Pass the Hash. "Once attackers have that token they have your identity, it's as good as having your username and password. They gain admin privileges and run a tool to extract the token and take it, and then they can move around the network and access all these servers without ever being asked for a password," explains Hallum.
"We've taken these tokens which were being protected by Windows in a software store which was susceptible to malware or to applications with a high level of privilege and we're putting them inside a container. Even the kernel doesn't have access to take information out of that container if it's compromised."
That container is the VSM. "The VSM is basically a mini OS. Think of it as a Windows core OS – it's a very small OS that will require about 1GB of memory and has just enough capability to run the LSA service that's used for all our authentication brokering."
It won't affect the performance of your PC, he says, but you will need to have Windows 10 on your PC, a CPU that supports hardware virtualisation and the next version of Windows Server on your Active Directory domain controller.
That means even if you are infected by a rootkit or bootkit that takes over the Windows kernel, your tokens would still be safe.
No cast iron guarantee
However, Hallum warns: "We can't promise Pass the Hash is not possible, there could be bugs in our implementation. But it is an architectural solution designed to prevent [this threat] rather than what we've done in the past which was just a defence that made it a little bit harder. It is one of the strongest mitigations we can do.
"We think this will be very decisive in dealing with that threat. I don't want to say we've solved identity but this is so substantial compared to anything we've done in the past. Virtual smartcards in 8 were incremental; this is virtual smart cards for the entire world."
VSMs can be used for other security features – if you run Windows 10 in a virtual machine, it can use a VSM as a virtual TPM. And if PC makers adopt the Windows 10 Enterprise Lockdown idea, the Windows code integrity service will live in another container, so even a compromised kernel can't turn off checks on the code that's allowed to run. And that code will be limited to Windows and applications that have been signed by Microsoft, apps from the Windows Store and software signed by either software vendors vetted by Microsoft or your own business (using certificates from a Certificate Authority Microsoft will run itself).
Those signed applications can be distributed through the Windows Store and there will be a way for businesses to sign apps they trust but didn't write (so you can sign software if the vendor has gone out of business and you can't be forced to upgrade to a new, signed version if you're happy with the version you have).
Trusted app ecosystem
Hallum calls it an attempt to "create a trusted app ecosystem" for PCs that protects them the way the App Store protects iOS devices, but is more suited to the way enterprises work.
Enterprise lockdown will only work with Windows Enterprise and with PCs preconfigured to support it by locking their UEFI boot systems "because if you can configure Windows for signed only [software], malware can configure it to not require signing." Microsoft is recommending that OEMs make this an option for all their business PCs and suggesting the premium they charge for it should be low, but it remains to be seen how well they'll support it.
Hallum certainly believes it can be extremely effective: "Assuming the person who owns signing applications in your business is trustworthy, we think we can all but eliminate malware." He also suggests it would have stopped the kind of PoS breaches that have happened in the last year.
Encrypted files on Windows 10 will also be stored in containers, but unlike mobile devices where all business documents are in one container – and are only protected if you choose to save them there – each file will be in its own container.
"Our container is different," Hallum explains. "It's a container at the file level so every single file – every document, any content item, the files for your app – they will be protected with an encryption container and then Windows becomes a broker of access control between them."
Windows 10 will also work out which files to encrypt, based on where the file comes from or what app you create or open it with, using policies you set.
"You'll be able to set locations on the network and say 'we consider these to be corporate – this is the corporate mail server, these are the corporate file servers on these IP address ranges, using these DNS addresses.
"When content comes from those locations, the system knows where it comes from and we can say 'let's go ahead and encrypt that at the file level'. In real time, as you're bringing content to your device, Windows knows what's corporate and what's personal, but it happens transparently behind the scenes and you don't have to think about it."
You can set policy to mark apps as business apps and all files created with them will be encrypted. You can use policy to mark some apps as personal and they won't be able to open encrypted business files. "We want to make sure apps that shouldn't have access to corporate networks can be gated," says Hallum. "These are the apps on the device I trust and will allow to connect to my VPN."
And for apps like Office that are used for both, there will be an option in the Save dialog to say whether a file saved on your PC is a business document that should be encrypted or a personal document that shouldn't.
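Hallum's policy-driven classification and access brokering, modelled as an added example that is not Microsoft's code: corporate network locations (IP ranges and DNS names) and business/personal app labels decide which files land in an encrypted container, which apps may open them, and which apps may reach the VPN. The policy values, app names and the Python API are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Policy:
    # Constructed sample policy shape; not values from any real deployment.
    corporate_networks: tuple      # CIDR ranges of corporate servers
    corporate_dns_suffixes: tuple  # DNS names/suffixes of corporate servers
    business_apps: frozenset       # apps whose output is always corporate
    personal_apps: frozenset       # apps that may never touch corporate data

def is_corporate_source(policy, host, addr):
    """True if content arrived from a configured corporate network location."""
    h = host.lower().rstrip(".")
    # Match the exact name or a subdomain; "notcorp.example" must not match "corp.example".
    if any(h == s or h.endswith("." + s) for s in policy.corporate_dns_suffixes):
        return True
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(n) for n in policy.corporate_networks)

def classify_incoming(policy, host, addr):
    """Label content as it reaches the device; corporate content gets its own encrypted container."""
    return "corporate" if is_corporate_source(policy, host, addr) else "personal"

def classify_saved(policy, app, save_dialog_choice=None):
    """Label a file an app saves locally. Dual-use apps (e.g. Office) must choose in the Save dialog."""
    if app in policy.business_apps:
        return "corporate"
    if app in policy.personal_apps:
        return "personal"
    if save_dialog_choice not in ("corporate", "personal"):
        raise ValueError(f"{app} is dual-use: Save dialog must choose corporate or personal")
    return save_dialog_choice

def may_open(policy, app, label):
    """Access broker between containers: personal apps never open corporate files."""
    return label == "personal" or app not in policy.personal_apps

def may_use_vpn(policy, app):
    """Only apps marked as trusted business apps are allowed onto the corporate VPN."""
    return app in policy.business_apps

# Constructed sample policy: one corporate subnet, one corporate DNS zone, two tagged apps.
SAMPLE_POLICY = Policy(
    corporate_networks=("10.20.0.0/16",),
    corporate_dns_suffixes=("corp.example",),
    business_apps=frozenset({"LineOfBusiness.exe"}),
    personal_apps=frozenset({"PhotoViewer.exe"}),
)
```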
Containers not constrainers
He suggests that's more convenient than the style of containers used in Samsung Knox or Good Technologies, which he calls 'constrainers'. "I'm constrained – I have to move to a secure place to access content. I need to use a specific application, maybe not the one I use on my PC, to access email. A container that contains the apps that contain the data is very effective at securing things but I have to change my behaviour, I have to stop using apps like Office.
"When we move the technology down the stack into the platform itself rather than building a protective solution that sits on top of the platform, as the others are, we can do a lot of the heavy lifting behind the scenes, where we don't have to interfere with the user experience to the same degree."
And yes, encrypted files will be usable on other devices. Hallum says OS X, iOS and Android will all be supported, either through Office or using readers. You'll be able to manage this with any MDM, not just Microsoft management tools like System Center.
There are other Windows 10 security features still in development and Hallum thinks security will make Windows 10 a compelling upgrade. "Every previous release of Windows has delivered defence in depth, but we've just made it harder. If you didn't deploy a release, you always had the excuse of plausible deniability; you could say 'it just made it harder, it wasn't the solution'. Once there's an OS available that you can deploy that will eliminate most of these attacks, there are no more excuses. You're making a choice to be vulnerable."