Rashid: Why Windows 10 is the most secure Windows ever

Topic

New Reply

There’s a new review from Fahmida Rashid — one of my favorite writers — that explains how Device Guard, Credential Guard, and Application Guard can
[See the full post at: Rashid: Why Windows 10 is the most secure Windows ever]

2 users thanked author for this post.

Elly, PhotM

Reply | Quote

Replies

The most secure Windows ever with the most vulnerabilities… ironic.

3 users thanked author for this post.

lurks about, Seff, ymo1965

Reply | Quote

If someone has good-enough hardware, and keeps it up-to-date, then it sounds to me like Windows 10 will be a lot more secure than previous versions of Windows. Therefore, this will be a winner with large corporations, and with the government.

However, this is not going to fly with small businesses, because they won’t have the money to keep their hardware up-to-date. Neither will the average consumer.

It appears to me, therefore, that Microsoft has decided to abandon all markets except large corporations. And when they try to provide desktop support for these large companies, they will fail miserably, because they have no clue what is required for providing desktop support in the corporate world.

Group "L" (Linux Mint)
with Windows 10 running in a remote session on my file server

3 users thanked author for this post.

johnf, lurks about, WildBill

Reply | Quote

Given that most current computers have more power than the average user realistically will use upgrading hardware with new is not cost effective for most. It is probably more cost effective to upgrade with the box basically dies and even then buying a good used box might be more cost effective.

The key is to have good backups of your critical stuff on external drives/cloud so when the day comes you still have your data.

Reply | Quote

Abacus.

Slide rule.

Pencil.

On permanent hiatus {with backup and coffee}
offline▸ Win10Pro 2004.19041.572 x64 i3-3220 RAM8GB HDD Firefox83.0b3 WindowsDefender
offline▸ Acer TravelMate P215-52 RAM8GB Win11Pro 22H2.22621.1265 x64 i5-10210U SSD Firefox106.0 MicrosoftDefender
online▸ Win11Pro 22H2.22621.1992 x64 i5-9400 RAM16GB HDD Firefox116.0b3 MicrosoftDefender

Reply | Quote

The most secure Windows ever with the most vulnerabilities… ironic.

I agree. It is easier to break into Windows 10 system than Windows 7. In some cases, Windows XP is more secure than Windows 10. Windows 10 is no secure. I wonder how much MS paid Fahmida to write than.

3 users thanked author for this post.

johnf, Geo, ymo1965

Reply | Quote

The irony is that MS and others thinks that Windows 10 is secure. There are more vulnerabilities not publicly disclosed in Windows 10 than previous versions.

2 users thanked author for this post.

Geo, ymo1965

Reply | Quote

If they are not publicly disclosed, how do you know about them?

Can you give an example or two of these undisclosed vulnerabilities?

Group "L" (Linux Mint)
with Windows 10 running in a remote session on my file server

2 users thanked author for this post.

LH, b

Reply | Quote

windows 10 has the potential to be more secure *as long as appLocker,least privilege access model, Zero Trust, no admin, LAPS, Device Guard, Cred Guard, Cortana Valkyrie all applied and setup using best practices.  But really I like win 10 more then 7, but i use it in the enterprise with GPOs where i setup the things that protect me. some things aren’t ready easy to setup in large corps unless you have time and resources. Some are easy just there isn’t any buy in from management.

1 user thanked author for this post.

johnf

Reply | Quote

I’ve tried using device guard but could only stand having them on for a week. There are too many incompatibilities with MS own software and updates. Maybe it’s changed since I tried it a year ago. I’ve switched to Qubes as my secure privileged access workstation and haven’t looked back since. Honestly if your a system admin that has rule over a lot of different environments that is the way to go.

Reply | Quote

If they are not publicly disclosed, how do you know about them?

Can you give an example or two of these undisclosed vulnerabilities?

They are discussed on dark net, private forums, Def con meeting, etc…

An example that was recently made public is the schedule task. If give other examples, than they will be disclosed and MS will patch them. Many people would be upset about it so can not give more than one.

Reply | Quote

anonymous wrote:

An example that was recently made public is the schedule task. If give other examples, than they will be disclosed and MS will patch them. Many people would be upset about it so can not give more than one.

What was the issue with the schedule task? I’m not familiar with that one, and I would appreciate your giving me some detail about it.

Group "L" (Linux Mint)
with Windows 10 running in a remote session on my file server

Reply | Quote

I suspect it’s this one, Jim.

“Microsoft Windows task scheduler contains a local privilege escalation vulnerability in the Advanced Local Procedure Call (ALPC) interface, which can allow a local user to obtain SYSTEM privileges.”

1 user thanked author for this post.

MrJimPhelps

Reply | Quote

Yes. It is that one that was publicly posted on Twitter.

1 user thanked author for this post.

satrow

Reply | Quote

The most secure and also the biggest pain in the b*** of all time.

2 users thanked author for this post.

ymo1965, WildBill

Reply | Quote

“Most Secure Ever” and “Most Snooping Ever” simply don’t go together no matter how many marketeers try to tell us otherwise. Let’s not lose sight of common sense here.

As a software author myself, I can appreciate their desire to gauge how well their software is running in the field. Fine. Make it configurable so that those who really don’t want things taken from them forcibly can disable it entirely.

They can potentially lose control of data they’ve collected. Someone could collect it as it goes by then later decrypt it. Then what? Well, it was the most secure Windows ever? Not good enough.

As one who has minimized software support costs to near zero myself, I’m here to tell you that a complex software package CAN still be managed on a strictly “rely on user reports if there are problems” basis, without forced telemetry!

-Noel

13 users thanked author for this post.

LH, AlexEiffel, Elly, David F, Nibbled To Death By Ducks, johnf, lurks about, wdburt1, ymo1965, FakeNinja, BobbyB, MrJimPhelps, WildBill

Reply | Quote

Some of the protections require using a MS account and signing in to the OS, which means that the snooping is even worse. This pales in comparison to something like Linux or Mac OS X which are inherently more secure, by design, regardless of whether you use an Apple ID or not.

Windows 10 is a great OS; it’s just a shame that it’s buried under so much cruft and questionable behavior and decisions. I’m starting to lose faith in the “worth it” column with it myself. You would have thought that after the 8 debacle, and the little bit of saved face with 8.1, that 10 would be knocked out of the park – but it isn’t, not by a longshot.

All people wanted was 7, refined. What we got is 7 refined, with questionable patching and a bunch of extra features no one asked for and they continue adding more questionable patching and extra features no one asked for. 3 years after release and Settings still has not replaced the Control Panel.

11 users thanked author for this post.

LH, Elly, Bill C., johnf, JSTechGeek, lurks about, wdburt1, ymo1965, FakeNinja, Cybertooth, BobbyB

Reply | Quote

woody wrote:

There’s a new review from Fahmida Rashid — one of my favorite writers — that explains how Device Guard, Credential Guard, and Application Guard can actually be useful.
Whether they’re sufficient reasons for organizations to move to Win10 — that remains debatable. But it’s important to know about the protections on offer.

I think it should be noted that, whilst Application Guard is available for Edge on Windows 10 Pro since version 1803, Device Guard and Credential Guard are only available on Windows 10 Enterprise and Education.

The quoted article doesn’t make this clear, and Microsoft in its announcements and documentation about security improvements (e.g. Windows Defender Advanced Threat Protection) rarely mentions which editions are included (hint; nearly always NOT Home/Pro.) This is also true for Office 365, where advanced security features can only added to volume-licensed (i.e. enterprise/education) plans.

11 users thanked author for this post.

mindwarp, AlexEiffel, Elly, Bill C., johnf, JSTechGeek, Seff, ymo1965, MrJimPhelps, Cybertooth, woody

Reply | Quote

Excellent points.

Also, Edge has had trouble with Application Guard in the past.

Reply | Quote

b wrote:

I think it should be noted that, whilst Application Guard is available for Edge on Windows 10 Pro since version 1803, Device Guard and Credential Guard are only available on Windows 10 Enterprise and Education.

In the case of Enterprise, the user will almost certainly have up-to-date equipment. Therefore, Device Guard and Credential Guard make sense for these users.

Group "L" (Linux Mint)
with Windows 10 running in a remote session on my file server

Reply | Quote

The article should be re-titled “Why Windows 10 Enterprise/Education is the most secure Windows ever.”

Group A | Windows 7 Pro 64-bit | Windows 10 Pro 1809 64-bit

1 user thanked author for this post.

Cybertooth

Reply | Quote

Security through marketing. What can go wrong?

Reply | Quote

They always do that. Remember when they bragged about DEP, then ASLR or the two-way firewall, Applocker, etc.

Marketing says they have a much more secure Windows for you, but the features cited as examples are either unavailable on Home/Pro version or they are disabled by default so it doesn’t break existing software or they can be so cumbersome to manage that almost nobody at home/SMB would use it.

Still, they get the message out that Windows is now the most secure Windows ever. They at least don’t go so far as to say it is the most secure OS ever (not that they need to say that).

1 user thanked author for this post.

JSTechGeek

Reply | Quote

If you have Office 365 in a corporate environment running any version of Windows, you are syncing your directory to the cloud.  Let me say it again.  You are transmitting your security information over the Internet.

3 users thanked author for this post.

wdburt1, ymo1965, Cybertooth

Reply | Quote

In industries like transportation, companies in the U.S. are required to develop security measures to prevent sensitive information from being obtained by unauthorized people.  These programs go into effect only after approval by federal regulators, who then enforce compliance.  Other industries like health care have their own regulations to guard patient  information.

For the life of me I have never been able to figure out how the purveyors of cloud-based systems convince businesses that they can comply with such regs.  My sense of it is that there is a kind of mutual agreement not to confront the issue because no one is ready to challenge Microsoft, Google, et al.  (The average federal inspector, who in my experience seldom hesitates to threaten company executives with ruinous fines that they must pay personally, is a timid mouse when it comes to confronting a big company.)  And a certain willingness to accept techno-babble as a substitute for real security.

The saying that the cloud is just someone else’s computer applies here.

9 users thanked author for this post.

mindwarp, AlexEiffel, Elly, Bill C., OscarCP, johnf, Cybertooth, lurks about, Seff

Reply | Quote

Not only that, but you don’t even know where “someone else’s computer” is located and under which national jurisdiction/regulatory system it operates. The common notion that “the Cloud” consists of a server farm in the US is a false one, the servers are typically in satellite locations which do not need to be disclosed by the service provider.

A massive Cloud security breach and resulting data loss is an inevitability waiting to happen, and nobody has any idea how they will respond to it when it happens, or what legal redress they may or may not have at that time.

2 users thanked author for this post.

Elly, wdburt1

Reply | Quote

I think a massive cloud based data breach would ultimately fall on the owner of the data not the cloud provider. Often there are important configuration settings that are skipped when setting up a cloud service.

Reply | Quote

Wonder why if these security features are so important that they are not available in all versions of Windows 10? Seems to me a lot of these features require and least Pro if not enterprise versions. Sort of feel like nothing much trickles down to Home versions.

2 users thanked author for this post.

Elly, johnf

Reply | Quote

I wonder when will Microsoft realizes that we don’t want a service, just reliable working computers for whatever we need.

Just someone who don't want Windows to mess with its computer.

3 users thanked author for this post.

RamRod, ymo1965, Cybertooth

Reply | Quote

They realize it.  They just don’t care.

Windows as a Service is their new way to monetize Windows to the highest degree possible, and naturally, the users are not in favor of being monetized.  That’s why Microsoft’s request that people use Windows 10 and abandon everything else is more of a demand… they can’t begin monetizing people until they put themselves into the line of fire.

Dell XPS 13/9310, i5-1135G7/16GB, KDE Neon 6.2
XPG Xenia 15, i7-9750H/32GB & GTX1660ti, Kubuntu 24.04
Acer Swift Go 14, i5-1335U/16GB, Kubuntu 24.04 (and Win 11)

11 users thanked author for this post.

LH, Elly, David F, Bill C., RamRod, johnf, lurks about, wdburt1, ymo1965, FakeNinja, Cybertooth

Reply | Quote

So Windows 10 Enterprise is the only Windows with a panic room. There is a high price for elaborate protection and only those with deep pockets can afford it. I just wonder why this house has so many entry points with inadequate locks on them. There is a break-in just about every week.

In 2017 Microsoft stated that Windows 7 is dangerously insecure – old tech being the reason. However, the older version is more stable than the newer and that gets glossed over in many articles about OS vulnerabilities. Stability seems so much less important to those not providing a service or running a business.

When Windows 10 is the only Microsoft attraction on the block for the hackers and rogue nation intruders, the company jewels and essential services will once again be the target. You can only say something is ‘the most secure’ if you have something to compare it too, so I guess we will be hearing that their cloud is ‘the most secure’ way to use Windows after 2020.

1 user thanked author for this post.

wdburt1

Reply | Quote

I appreciate that man may mean well…

Reply | Quote

Maybe the “most secure Windows ever”. But, I would suggest, not the most stable, and so by design.

If someone is prepared (or even in a position) to go to the lengths already pointed out by others here and move to Win 10 in order to make the most of its allegedly peerless “security”, and in the process trade off the stability of an earlier Windows version for that “security”, I’d say: go right ahead and the very best of luck to you. For my part, I think I’ll pass.

Group-B  Windows 7 Pro, x64 SP1.

Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).

MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV

2 users thanked author for this post.

Nibbled To Death By Ducks, Cybertooth

Reply | Quote

Here’s another example of something Microsoft has introduced to supposedly make life easier for users that may actually end up being detrimental because of the way it’s implemented, without warning or explanation from Microsoft:

https://www.zdnet.com/article/this-windows-file-may-be-secretly-hoarding-your-passwords-and-emails/

Talk about lacking transparency…

3 users thanked author for this post.

Elly, johnf, Cybertooth

Reply | Quote

From the linked article:

Skeggs has not contacted Microsoft about his findings, as he, himself, recognized that this was a part of an intended functionality in the Windows OS, and not a vulnerability.

I’m not sure how anyone in their right mind would not consider this a vulnerability – that is, a file which stores all of your passwords, and all of the text of every one of your documents, in text format in this file (the WaitList.dat file).

This file is actively collecting your passwords and other text that you type if Personalized Handwriting Recognition is activated on your computer.

Group "L" (Linux Mint)
with Windows 10 running in a remote session on my file server

2 users thanked author for this post.

Elly, johnf

Reply | Quote

It doesn’t store all your passwords, or any of them, unless you’re in the habit of listing them in an email or document:

“Not all users may be storing passwords in emails or text-based files on their PCs, but those who do are advised to delete the file or disable “Personalised Handwriting Recognition” feature in their operating system’s settings panel.“

Reply | Quote

In one fell swoop you grant permission to hold copies (separate from originals) of all emails and documents as if that is a normal and desired event. Meanwhile dismissing the password issue as collateral material that is the user’s fault for including in private material.

It is good to remind users that new features often have unforeseen — and unannounced, and unexplained — methods to accomplish the new featured task.

2 users thanked author for this post.

Elly, wdburt1

Reply | Quote

b wrote:

It doesn’t store all your passwords, or any of them, unless you’re in the habit of listing them in an email or document

I don’t want even that.

Group "L" (Linux Mint)
with Windows 10 running in a remote session on my file server

1 user thanked author for this post.

Elly

Reply | Quote

If anyone else can read or copy this file, they already have administrator access to everything on your computer, so they would have much easier, and certainly more universal, ways to wreak havoc than checking a complex text database just in case a user stored passwords in a text file. (There’s no hint how passwords could be identified by a search amongst many snippets of text unless labeled as such by the user.)

1 user thanked author for this post.

MrJimPhelps

Reply | Quote

I think the article should say “Why Windows 10 Enterprise is the most secure Windows ever”.  The next line says “With Device Guard, Credential Guard, and Application Guard, Windows uses …”

According to this comparison, the touted features are on Enterprise only.
https://www.microsoft.com/en-us/windowsforbusiness/compare

1 user thanked author for this post.

satrow

Reply | Quote

It is the most secure version of Windows ever, as it spends more time “bricked” than every other version of Windows.

-lehnerus2000

Reply | Quote