Thought Leadership on Managed IT Services presented by SecurElement Infrastructure Solutions.
Microsoft has recently released a new SKU to the Cloud Solution Provider family of products: Windows 10 Enterprise E3. This new OS upgrade provides enterprise-grade security capabilities for small and mid-sized businesses. Machines that are running Windows 10 Pro currently have these features included in the OS, but the features are not turned on until the E3 SKU is purchased through the monthly subscription.
Windows 10 Enterprise E3 requires a one-seat minimum purchase with a one-year commitment, and the list price is $7 per user, per month. There is no seat limit, and each user can get Enterprise E3 on up to five devices.
Let’s delve deeper into the enhanced security offered through Windows 10 Enterprise E3.
Windows 10 Pro currently includes Microsoft Passport and Windows Hello, but per the Windows IT Center, Credential Guard adds additional levels of protection including:
• Hardware security: Credential Guard increases the security of derived domain credentials by taking advantage of platform security features, including Secure Boot and virtualization.
• Virtualization-based security: Windows services that manage derived domain credentials and other secrets run in a protected environment that is isolated from the running operating system.
• Better protection against advanced persistent threats: Securing derived domain credentials using the virtualization-based security blocks the techniques and tools that are used in many targeted attacks. Malware running in the operating system with administrative privileges cannot extract secrets that are protected by virtualization-based security. While Credential Guard is a powerful mitigation, persistent attackers will likely shift to new attack techniques, so you should also incorporate Device Guard and other security strategies and architectures.
• Manageability: You can manage Credential Guard by using Group Policy, WMI, from a command prompt, and Windows PowerShell.
Device Guard adds additional protection against malware and “is a combination of enterprise-related hardware and software security features that, when configured together, will lock a device down so that it can only run trusted applications that you define in your code integrity policies. If the app isn’t trusted it can’t run, period.
With hardware that meets basic requirements, it also means that even if an attacker manages to get control of the Windows kernel, he or she will be much less likely to be able to run malicious executable code.” (Windows IT Center, 2016)
Windows 10 Enterprise E3 includes enhanced controls for administrators to determine applications that are permitted to run on devices. Windows IT Center states, “AppLocker rules are organized into collections based on file format. If no AppLocker rules for a specific rule collection exist, all files with that file format are allowed to run. However, when an AppLocker rule for a specific rule collection is created, only the files explicitly allowed in a rule are permitted to run.” (Windows IT Center, 2016)
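The rule-collection behavior quoted above can be checked against a policy export. The following PowerShell is an added example, not code from this article or from Microsoft: the function name `Get-AppLockerCollectionPosture` is hypothetical and the sample policy XML is constructed for illustration. It reports, for each collection, whether it has no rules (everything of that format runs), is audit-only, or restricts execution to explicitly allowed files.

```powershell
# Constructed sample policy (illustrative, not from the article). On a managed
# machine, use instead:  [xml]$samplePolicy = Get-AppLockerPolicy -Effective -Xml
[xml]$samplePolicy = @'
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePathRule Id="11111111-1111-1111-1111-111111111111" Name="Program Files"
                  Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
  <RuleCollection Type="Script" EnforcementMode="AuditOnly">
    <FilePathRule Id="22222222-2222-2222-2222-222222222222" Name="Windows scripts"
                  Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
  <RuleCollection Type="Msi" EnforcementMode="NotConfigured" />
</AppLockerPolicy>
'@

# Hypothetical helper: summarizes what each AppLocker rule collection permits.
function Get-AppLockerCollectionPosture {
    param([Parameter(Mandatory)][xml]$Policy)

    foreach ($type in 'Exe', 'Msi', 'Script', 'Dll', 'Appx') {
        # A collection that is absent from the XML is treated as having no rules.
        $collection = $Policy.SelectSingleNode("/AppLockerPolicy/RuleCollection[@Type='$type']")
        $ruleCount  = 0
        $mode       = 'NotConfigured'
        if ($null -ne $collection) {
            $ruleCount = $collection.SelectNodes('*').Count
            $mode      = $collection.GetAttribute('EnforcementMode')
        }

        # No rules means allow-all for that file format; once rules exist, only
        # explicitly allowed files run. AppLocker enforces rules by default when
        # the mode is NotConfigured; AuditOnly logs events without blocking.
        $effect = if ($ruleCount -eq 0) { 'No rules: every file of this format may run' }
                  elseif ($mode -eq 'AuditOnly') { 'Audit only: events logged, nothing blocked' }
                  else { 'Only files explicitly allowed by a rule may run' }

        [pscustomobject]@{ Collection = $type; Mode = $mode; Rules = $ruleCount; Effect = $effect }
    }
}

Get-AppLockerCollectionPosture -Policy $samplePolicy | Format-Table -AutoSize
```

Collections reported with zero rules are the ones to review first, since they place no restriction on that file format.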