Microsoft unveils a bonanza of security capabilities
New features for Windows and Office 365 aim to help businesses with cybersecurity
By Blair Hanley Frank
PCWorldFeb 10, 2017 10:00 am PST
Image: Blair Hanley Frank/IDGNS
Companies concerned about cybersecurity have a fleet of new Microsoft tools coming their way. The company announced a host of new security capabilities Friday morning as part of the run-up to the massive RSA security conference next week in San Francisco.
On the Windows front, the company announced that it’s adding the ability to use on-premises Active Directory with Windows Hello, its system for allowing biometric-based logins with Windows 10. Microsoft also launched new tools to help organizations get more use out of mobile device management products by giving them tools to migrate group policy settings to cloud-managed devices.
What’s more, Microsoft has launched a new tool that’s designed to help customers configure the Surface hardware under their administration, doing things like disabling the tablets’ cameras.
Office 365 customers get a new security assessment tool and the private beta of a service aimed at showing them information about security threats.
Microsoft has been pushing advanced security capabilities like the ones announced Friday as a key part of its pitch to enterprises concerned about securing their data from a growing threat landscape. Here’s the rundown.
New Windows Capabilities
Windows Hello, Microsoft’s biometric-based authentication system, is getting two new enhancements with the forthcoming Windows 10 Creators Update. First off, Microsoft is making it possible to use its biometric Windows Hello login system solely with on-premises Active Directory servers, rather than requiring Azure Active Directory.
Microsoft is also trying to address the problem of users forgetting to lock their computers by using a new Dynamic Lock feature in Windows Hello. That will connect a user’s smartphone with their Windows 10 device, and automatically lock the device when the phone’s Bluetooth signal drifts far away.
Using it requires customers have the Microsoft Authenticator app installed on their smartphones. Once the app is connected to a PC, it uses the Windows Hello Companion Device Framework to automatically lock the computer when its user walks away.
The Surface Enterprise Management Mode (SEMM) allows enterprise customers to apply additional hardware restrictions to Microsoft’s Surface Pro 4 tablet, Surface Book laptop, and Surface Studio desktop in order to comply with security needs. That way, it’s possible for them to do things like disabling the device’s microphone.
Administrators can set policies that only kick in under a particular set of conditions, like when a Surface is connected to a specific network. Applying the policies requires that administrators have physical access to the Surfaces in question but does not require they erase them.
SEMM works at the Unified Extensible Firmware Interface level, “so a lot of the attacks you would expect attackers to use in order to just re-enable the camera without the user knowing, won’t even work, because the device is disabled at a fundamental, hardware level,” said Rob Lefferts, the director of program management for Windows Enterprise and Security.
Microsoft is also allowing mobile device management (MDM) software to apply settings and configurations from the Security Baseline Policies list. Previously, those settings were only available through Group Policy. It’s a move that’s designed to make it possible for administrators to have the same policies on devices managed using Group Policy and MDM.
The company also released a new MDM Migration Analytics Tool designed to help customers figure out migrating from Group Policy to MDM. It scans a system for all of the policies applied to it, tries to map those policies to their MDM equivalents, and spits out a report of the results.
There’s one hitch to MMAT when it comes to international users: The tool only works on the English names of Group Policy settings, which means that the system it runs on needs an English language pack. At this point, Microsoft recommends that users install English on a non-English system to work around that issue.
Windows Defender Advanced Threat Protection, which is designed to help find and contain security threats, is gaining support for custom security rules to protect against particular threats.
Organizations using Office 365 can use a new Secure Score tool to benchmark their security. It analyzes an organization’s configuration, then provides them with a score based on the security controls they have fully or partially deployed.
The feature also provides guidance on what Office 365 security features administrators could use that would improve the security of the organizations they work for. By default, the Score Analyzer first shows users features that provide the most security benefit with the least impact to users and then lets people drill down further from there.
While the score is a useful tool for giving organizations an at-a-glance view of their security practices, it will also have some practical considerations. The Hartford plans to use the Secure Score in evaluating customers that it’s considering for cybersecurity insurance, Microsoft CISO Bret Arsenault said in a blog post.
Microsoft also announced the private beta of its previously-announced Office 365 Threat Intelligence service. That allows administrators to see information about the cybersecurity threats both inside and outside an organization.
For example, admins can see who in their organization is the most targeted for attack, along with general information about security threats, like how much bitcoin attackers usually request from a ransomware attack.