Well, since no one has brought this up yet, I'll post here what is, to me, one of the most interesting ones.
Identity Protection and Access Control
To start, I want to talk about a solution that provides a very modern approach to identity and user credentials, something that represents the next generation of identity protection. I touched on it a little in my blog post on September 30th. With this solution, Windows 10 protects user credentials when breaches occur in the data center. It protects users from theft when devices are compromised and it renders phishing attacks for identities almost completely ineffective. It’s a solution that offers benefits for both businesses and consumers, and one that provides all of the convenience of a password along with security that is truly enterprise-grade. It represents the destination in our journey to eliminate the use of single-factor identity options like passwords. We believe this solution brings identity protection to a new level as it takes multi-factor security, which today is limited to solutions such as smartcards, and builds it right into the operating system and device itself, eliminating the need for additional hardware security peripherals.
Once enrolled, devices themselves become one of two factors that are required for authentication. The second factor will be a PIN or biometric, such as a fingerprint. From a security standpoint, this means that an attacker would need to have a user’s physical device – in addition to the means to use the user’s credential – which would require access to the user’s PIN or biometric information. Users will be able to enroll each of their devices with these new credentials, or they can enroll a single device, such as a mobile phone, which will effectively become their mobile credential. It will enable them to sign in to all of their PCs, networks, and web services as long as their mobile phone is nearby. In this case, the phone, using Bluetooth or Wi-Fi communication, will behave like a remote smartcard and it will offer two-factor authentication for both local sign-in and remote access.
If we drill a bit deeper into this component of Windows 10 and look under the hood, IT and security teams would find that things look quite familiar. The credential itself can be one of two things. It can be a cryptographically generated key pair (private and public keys) generated by Windows itself or it can be a certificate provisioned to the device from existing PKI infrastructures. Providing both of these options makes Windows 10 great for organizations with existing PKI investments and it makes it viable for the web and consumer scenarios where PKI-backed identity isn’t practical. Active Directory, Azure Active Directory, and Microsoft Accounts will support our new user credentials solution right out of the box, so enterprises and consumers using Microsoft online services will quickly be able to move away from passwords. This technology is intentionally being designed so that it can be adopted broadly across other platforms, the web, and other infrastructures.
Protecting user identities is just one part of our identity protection approach. The next part is to protect the user access tokens that are generated once your users have been authenticated. Today, these access tokens are increasingly under attack using techniques such as Pass the Hash, Pass the Ticket, etc. Once an attacker has these tokens they can access resources by effectively impersonating the user’s identity without needing the user’s actual credentials. The technique is frequently coupled with advanced persistent threats (APT) and thus it’s a technique that we eagerly want to eliminate from the attacker’s playbook. With Windows 10 we aim to eliminate this type of attack with an architectural solution that stores user access tokens within a secure container running on top of Hyper-V technology. This solution prevents the tokens from being extracted from devices even in cases where the Windows kernel itself has been compromised.
-------------
Threat Resistance
Windows 10 also provides organizations with the ability to lock down devices, enabling additional threat and malware resistance. Because malware is often inadvertently installed onto devices by users, Windows 10 addresses this threat by only allowing trusted apps, meaning apps that are signed using a Microsoft-provided signing service, to be run on specially configured devices. Access to the signing service will be controlled using a vetting process similar to how we control ISV publishing access to the Windows Store, and the devices themselves will be locked down by the OEM. The lockdown process OEMs will use is similar to what we do with Windows Phone devices. Organizations will have the flexibility to choose what apps are trustworthy – just apps that are signed by themselves, specially signed apps from ISVs, apps from the Windows Store, or all of the above. Unlike Windows Phone, these apps can also include desktop (Win32) apps – meaning that anything that can run on the Windows desktop can also run on these devices. Ultimately, this lockdown capability in Windows 10 provides businesses with an effective tool in the fight against modern threats, and with it comes the flexibility to make it work within most environments.
-------
sources:
http://www.windowscentral.com/microsoft-outlines-security-improvements-planned-windows-10
http://blogs.windows.com/business/2...and-identity-protection-for-the-modern-world/
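To make the "Identity Protection" section concrete, here is an added example (my own illustration, not Microsoft's code and not how Windows 10 implements it) of the key-pair credential it describes: the device generates a key pair, only the public key is enrolled at the identity provider, and each sign-in is a signed challenge over a fresh nonce plus the origin the device is actually talking to. The IdP name, the user "alice", the PIN "1234", the use of Ed25519, and the SHA-256 PIN gate (a stand-in for a hardware-backed key release; real devices enforce this in the TPM with anti-hammering) are all assumptions made for the example. The scenario function walks through the three properties the quoted text claims: a dumped IdP database yields no usable secret, a look-alike origin cannot relay a signature, and a stolen device is inert without the PIN; replaying an old signature also fails because the nonce is single-use.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// IdP holds only public keys: a breach of this store leaks nothing an attacker can sign with.
type IdP struct {
	origin  string
	keys    map[string]ed25519.PublicKey // user -> enrolled device public key
	pending map[string][]byte            // user -> outstanding single-use nonce
}

func NewIdP(origin string) *IdP {
	return &IdP{origin: origin, keys: map[string]ed25519.PublicKey{}, pending: map[string][]byte{}}
}

// Enroll registers a device-generated public key for a user (a PKI-issued certificate would be handled the same way).
func (s *IdP) Enroll(user string, pub ed25519.PublicKey) { s.keys[user] = pub }

// Challenge issues a fresh random nonce for the user.
func (s *IdP) Challenge(user string) ([]byte, error) {
	if _, ok := s.keys[user]; !ok {
		return nil, errors.New("unknown user")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.pending[user] = nonce
	return nonce, nil
}

// Verify checks the signature over (origin, nonce) and consumes the nonce so it cannot be replayed.
func (s *IdP) Verify(user string, sig []byte) bool {
	nonce, ok := s.pending[user]
	if !ok {
		return false
	}
	delete(s.pending, user)
	return ed25519.Verify(s.keys[user], challengeMsg(s.origin, nonce), sig)
}

// challengeMsg binds the signature to the origin, which is what defeats a relaying phishing site.
func challengeMsg(origin string, nonce []byte) []byte {
	h := sha256.New()
	h.Write([]byte(origin))
	h.Write([]byte{0}) // separator between origin and nonce
	h.Write(nonce)
	return h.Sum(nil)
}

// Device keeps the private key and releases a signature only after the local PIN gesture succeeds.
type Device struct {
	priv    ed25519.PrivateKey
	pinHash [32]byte // constructed stand-in for a TPM-gated key release
}

func NewDevice(pin string) (*Device, ed25519.PublicKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Device{priv: priv, pinHash: sha256.Sum256([]byte(pin))}, pub
}

// Sign produces one signature for one challenge from the origin the user is actually connected to.
func (d *Device) Sign(pin, origin string, nonce []byte) ([]byte, error) {
	if sha256.Sum256([]byte(pin)) != d.pinHash {
		return nil, errors.New("wrong PIN: key not released")
	}
	return ed25519.Sign(d.priv, challengeMsg(origin, nonce)), nil
}

// Outcome records whether each scenario resulted in a successful sign-in.
type Outcome struct{ Legit, Replay, LeakedDB, Phish, WrongPIN bool }

// Scenario runs the legitimate flow and the failure modes the text says this design resists.
func Scenario() Outcome {
	const realOrigin = "https://login.example.test" // constructed IdP origin
	idp := NewIdP(realOrigin)
	dev, pub := NewDevice("1234")
	idp.Enroll("alice", pub)
	var o Outcome

	// Legitimate sign-in: device with correct PIN signs the IdP's nonce for the real origin.
	n, _ := idp.Challenge("alice")
	sig, _ := dev.Sign("1234", realOrigin, n)
	o.Legit = idp.Verify("alice", sig)
	o.Replay = idp.Verify("alice", sig) // same signature again: nonce already consumed

	// Data-center breach: the store held only a public key, so a different key cannot satisfy the check.
	n, _ = idp.Challenge("alice")
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	o.LeakedDB = idp.Verify("alice", ed25519.Sign(otherPriv, challengeMsg(realOrigin, n)))

	// Phishing: a look-alike origin relays the real nonce, but the device binds its signature to the origin it saw.
	n, _ = idp.Challenge("alice")
	sig, _ = dev.Sign("1234", "https://login-example.test", n)
	o.Phish = idp.Verify("alice", sig)

	// Stolen device: without the PIN the key is never released.
	n, _ = idp.Challenge("alice")
	_, err := dev.Sign("0000", realOrigin, n)
	o.WrongPIN = err == nil
	return o
}

func main() { fmt.Printf("%+v\n", Scenario()) }
```

Only the legitimate flow should succeed; the other four fields stay false, which is exactly the set of outcomes (breached store, phishing, device theft, token replay) the quoted post says the device-bound credential is meant to rule out.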