Enterprises face phishing attacks, ransomware, spyware, keyloggers, worms, and compromised accounts every day. “Because the threat landscape we’re facing today is so diverse, there cannot be one tool or feature that we just enable and then we’re secure,” Benoit said.
Before embarking on a comprehensive security plan, organizations need to determine where the data that would be most valuable to criminals lives, and plan to focus on that area, Benoit said.
Here are seven Windows security features that can help your business defend against cyberattacks.
1. Windows Defender SmartScreen
Windows Defender SmartScreen can “block at first sight,” according to Microsoft. It helps protect employees if they try to visit sites previously reported as containing phishing or malware, and helps stop them from downloading potentially malicious files. It can also help protect against fake advertisements, scam sites, and drive-by attacks.
“This is one of multiple layers of defense in anti-phishing and malware protection strategies,” Benoit said.
2. Windows Defender Application Guard
Application Guard offers protection against advanced, targeted threats launched against Microsoft Edge using Microsoft’s Hyper-V virtualization technology. The functionality works with whitelisting: Users can designate trusted sites to browse freely. If a site is not trusted, Application Guard will open it in a container, completely blocking access to memory, local storage, other installed applications, corporate network endpoints, or any other resources of interest to the attacker.
3. User Account Control
User Account Control (UAC) protects users by preventing malware from damaging a machine, and helps organizations deploy a better-managed desktop. When this feature is enabled, apps and tasks always run in the security context of a non-administrator account, unless an administrator specifically authorizes administrator-level access to the system. It can also block the automatic installation of unauthorized apps, and prevent accidental changes to system settings.
4. Windows Defender Device Guard
Defender Device Guard involves driver and application whitelisting, Benoit said. The feature changes from a mode where apps are trusted unless blocked by an antivirus solution to a mode where the OS trusts only apps authorized by an enterprise. It has two components. The first, kernel mode code integrity (KMCI), protects kernel mode processes and drivers from zero-day attacks and other vulnerabilities by using hypervisor-protected code integrity (HVCI). The second, user mode code integrity (UMCI), is enterprise-grade application whitelisting that achieves PC lockdown for enterprises using only trusted apps.
5. Windows Defender Exploit Guard
Defender Exploit Guard includes exploit protection, attack surface reduction rules, network protection, and controlled folder access. It also provides legacy app protection including arbitrary code guard, blocking low-integrity images, blocking untrusted fonts, and export address filtering.
“This helps you audit, configure, and manage Windows systems and application exploit mitigations,” Benoit said. “It also delivers a new class of capabilities for intrusion prevention.”
6. Microsoft BitLocker
BitLocker is a full-drive encryption solution provided natively within Windows 10 Professional and Enterprise, Benoit said. It helps mitigate unauthorized data access by enhancing file and system protections, and renders data inaccessible if the computers are decommissioned or recycled.
“This is so important—you don’t want to be the guy who got blamed after the CEO’s device was lost or stolen and all the data was found on the world wide web,” he added.
7. Windows Defender Credential Guard
Defender Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them, which protects against credential theft attacks. Enabling this feature offers hardware security and better protection against advanced persistent threats.
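To verify that the virtualization-based protections described under Device Guard and Credential Guard are actually running rather than only configured, an administrator can decode the Win32_DeviceGuard WMI class. The following is an added example, not code from the article or from Microsoft; the function name ConvertTo-DeviceGuardReport is hypothetical, and the fallback sample values are constructed for illustration.

```powershell
# Added example: turn the numeric Win32_DeviceGuard fields into a readable report.
function ConvertTo-DeviceGuardReport {
    param([Parameter(Mandatory)] $DeviceGuard)

    # Value meanings as documented for the Win32_DeviceGuard class.
    $vbsStates = @{ 0 = 'Not enabled'; 1 = 'Enabled, not running'; 2 = 'Enabled and running' }
    $ciStates  = @{ 0 = 'Off'; 1 = 'Audit'; 2 = 'Enforced' }

    # Service IDs: 1 = Credential Guard, 2 = HVCI (memory integrity).
    $configured = @($DeviceGuard.SecurityServicesConfigured)
    $running    = @($DeviceGuard.SecurityServicesRunning)

    [pscustomobject]@{
        VbsStatus              = $vbsStates[[int]$DeviceGuard.VirtualizationBasedSecurityStatus]
        CredentialGuardRunning = $running -contains 1
        # Configured by policy but not active: usually a pending reboot or unmet hardware requirement.
        CredentialGuardPending = ($configured -contains 1) -and ($running -notcontains 1)
        HvciRunning            = $running -contains 2
        HvciPending            = ($configured -contains 2) -and ($running -notcontains 2)
        KernelModeCodeIntegrity = $ciStates[[int]$DeviceGuard.CodeIntegrityPolicyEnforcementStatus]
        UserModeCodeIntegrity   = $ciStates[[int]$DeviceGuard.UsermodeCodeIntegrityPolicyEnforcementStatus]
    }
}

# Query the live machine; fall back to a constructed sample when the class is unavailable.
try {
    $dg = Get-CimInstance -ClassName Win32_DeviceGuard `
        -Namespace 'root\Microsoft\Windows\DeviceGuard' -ErrorAction Stop
} catch {
    Write-Warning 'Win32_DeviceGuard not available; using constructed sample data.'
    $dg = [pscustomobject]@{   # constructed sample, not real output
        VirtualizationBasedSecurityStatus            = 2
        SecurityServicesConfigured                   = @(1, 2)
        SecurityServicesRunning                      = @(2)
        CodeIntegrityPolicyEnforcementStatus         = 2
        UsermodeCodeIntegrityPolicyEnforcementStatus = 1
    }
}

$report = ConvertTo-DeviceGuardReport -DeviceGuard $dg
$report | Format-List

# Flag the gaps a defender would want to follow up on.
if (-not $report.CredentialGuardRunning) { Write-Warning 'Credential Guard is not running.' }
if ($report.UserModeCodeIntegrity -ne 'Enforced') { Write-Warning 'User mode code integrity is not enforced.' }
```

With the constructed sample, the report shows HVCI running, Credential Guard configured but not yet running, and user mode code integrity in audit mode, so both warnings fire.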
The overall best security practice? “Educate your users,” Benoit said. “They are the ones who click on the things and execute the files. It’s the toughest thing to do, but in the very end that’s the thing you have to do.”