Keeping Compliant with Windows 10

The latest version looks solid, but don’t be surprised by new ‘features.’

Microsoft recently rolled out Windows 10, the latest version of its popular software, and it appears to be a stable, intuitive operating system. It also works well with applications designed to run on Windows 7 and 8.

But Windows 10 comes with several features, many of them enabled by default, that could be a problem for companies in regulated industries, which must meet a higher standard for guarding their customers’ personal data.

Let’s look at some of the specific concerns.

Security and Privacy

At least at initial release, Windows 10 contains many default “features” with dubious security and poor privacy controls. Many of these capabilities were intended for home users with an interest in social networking and casual sharing of home networks. In addition, default settings permit the gathering of information to make it easier to provide directed advertising and helpful browsing and content suggestions.

None of these is appropriate in a secured environment. These features can be disabled or managed using group policies on a Microsoft Domain.

Wi-Fi Sense

One of Windows 10’s most discussed features is Wi-Fi Sense, which is intended to make it easy for friends to share each other’s Wi-Fi connections. If enabled, this “feature” stores your Wi-Fi access passwords on external, encrypted Microsoft servers and permits anyone in your various contact lists to have automatic access to your Wi-Fi bandwidth when they drop by.

There is some security involved. The actual passwords are not shared, and the shared access is “guest,” permitting only Internet access and no visibility of network resources. However, this feature can eat Internet bandwidth. This feature is turned on by default. Make sure you turn it off.

Browsing, Typing and Location

By default, Windows 10 privacy settings permit gathering of information about your browsing, typing and location to “enhance” your experience. These settings are found under Privacy/General in Settings.

Again, banks and other regulated industries should be concerned about the amount of data that flows out of the company to advertisers or other parties that could potentially be used for social engineering attempts. Cortana, Microsoft’s version of Apple’s Siri, also likes to get to know you. This can be disabled under Privacy/Speech, Inking & Typing.

Edge Browser

Windows 10 comes with a brand new Web browser, Edge. Microsoft has stated that Edge is substantially more secure than Internet Explorer, but IE 11 is still around for legacy requirements. It is important to thoroughly test Edge (and IE 11) against websites important for your company’s operations. Any improvements to browser security are often offset by delays in website compatibility.

Patch Management and Updates

Windows 10 takes some of the options away from patch management. Patching can still be managed with Windows Server Update Services and third-party management tools, but for companies that don’t have an enterprise license for Windows 10, automatic patching cannot be disabled, only delayed.

If your policy is to test critical patches before deployment, test your patch management capabilities on a test system.

Also hidden in the settings is a new setting, “Updates from more than one place.” When turned on, this permits PCs on your network to receive patches from other PCs on the network or on the Internet. It also permits your PCs to distribute patches to other PCs. Again, it is best to turn off any file-sharing options.
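
The defaults discussed above (Wi-Fi Sense, advertising and location data, Cortana, and “Updates from more than one place”) can be checked on a workstation by reading the policy registry values that group policy writes. The script below is an added example, not part of the original article; the registry paths, value names and expected values are the commonly documented policy locations and are assumptions to confirm against the ADMX templates for your Windows 10 build.

```powershell
# Added example: audit policy registry values for the features named in the article.
# Paths, names and expected values are assumptions; verify them for your build.
$checks = @(
    [pscustomobject]@{ Feature = 'Wi-Fi Sense auto-connect'
        Path = 'HKLM:\SOFTWARE\Microsoft\WcmSvc\wifinetworkmanager\config'
        Name = 'AutoConnectAllowedOEM'; Expected = 0 },
    [pscustomobject]@{ Feature = 'Advertising ID'
        Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo'
        Name = 'DisabledByGroupPolicy'; Expected = 1 },
    [pscustomobject]@{ Feature = 'Location'
        Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors'
        Name = 'DisableLocation'; Expected = 1 },
    [pscustomobject]@{ Feature = 'Cortana'
        Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search'
        Name = 'AllowCortana'; Expected = 0 },
    [pscustomobject]@{ Feature = 'Updates from more than one place'
        Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization'
        Name = 'DODownloadMode'; Expected = 0 }   # 0 = no peer-to-peer delivery
)

function Test-PolicyValue {
    param([Parameter(Mandatory)] $Check)
    $actual = $null
    # A missing key or value means no policy is set, so the Windows default applies.
    $item = Get-ItemProperty -Path $Check.Path -Name $Check.Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $actual = $item.($Check.Name) }
    [pscustomobject]@{
        Feature   = $Check.Feature
        Expected  = $Check.Expected
        Actual    = if ($null -eq $actual) { 'not set' } else { $actual }
        Compliant = ($null -ne $actual) -and ($actual -eq $Check.Expected)
    }
}

$results = $checks | ForEach-Object { Test-PolicyValue -Check $_ }
$results | Format-Table -AutoSize

# Summarize so the output can be collected by a compliance scan.
$failed = @($results | Where-Object { -not $_.Compliant })
if ($failed.Count -gt 0) {
    Write-Warning "$($failed.Count) of $($results.Count) settings are not enforced by policy."
}
```

A result of “not set” means the machine is relying on the default rather than on an enforced policy, which is the condition the article warns about.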

Legacy Applications

As with any significant update, test your existing applications thoroughly on the new operating system to ensure functionality. Check with your software and hardware vendors for compatibility, and roll out Windows 10 on a test system that has your company’s critical applications installed, before you introduce the update to your entire operation.

Also, the Windows 10 media creation tool has a compatibility checker as part of the install process. For any workstations and servers with encrypted folders or hard drives, decrypt them before upgrading. The upgrade process could potentially make files or entire hard drives unreadable.

Not sure if Windows 10 is right for you right now? Good news: Windows 7 will continue to be viable and receive security updates until January 2020. There are no compelling reasons to jump to a new desktop platform immediately, which means you have plenty of time to carefully test and evaluate Windows 10 before taking the plunge.