After January 14, 2020, Microsoft will no longer provide free security updates or support for PCs running Windows 7. That means that known security holes will no longer be updated by Microsoft free of charge and networks that contain Windows 7 PC’s will be vulnerable to hacking, malware and viruses if not updated.
The time to start planning these upgrades should begin now to phase in new PC’s running Windows 10 or begin an upgrade of existing PC’s to Windows 10. LCC recommends any new systems utilize Windows 10 Enterprise to maximize the built in security features.
Here are some noteworthy configurable security upgrades in Windows 10 (some, as noted, only in Windows 10 Enterprise):
Windows Defender SmartScreen helps prevent malicious applications from being downloaded.
Credential Guard helps keep attackers from gaining access through Pass-the-Hash or Pass-the-Ticket attack so that only privileged system software can access the systems. Credential Guard is included in Windows 10 Enterprise and Windows Server 2016.
Enterprise certificate pinning helps prevent man-in-the-middle attacks. This enables you to protect your internal domain names.
Device Guard helps keep a device from running malware or other untrusted apps.
Device Guard: allows you to create a whitelist of trusted apps—the only apps allowed to run in your organization. Device Guard is included in Windows 10 Enterprise and Windows Server 2016.
Windows Defender Antivirus, which helps keep devices free of viruses and other malware.
Windows 10 includes Windows Defender Antivirus, a robust inbox antimalware solution. Windows Defender Antivirus has been significantly improved since it was introduced in Windows 8.
Blocking of untrusted fonts helps prevent fonts utilized in certain “elevation-of-privilege” attacks.
Block Untrusted Fonts is a setting that allows you to prevent users from loading fonts that are “untrusted” onto your network, which can mitigate these types of attacks.
Memory protections help prevent malware from using memory manipulation attacks. This feature helps to protect against memory-based attacks, where malware or other code manipulates memory to gain control of a system.
UEFI Secure Boot helps protect the platform from bootkits and rootkits malware . Unified Extensible Firmware Interface (UEFI) Secure Boot is a security standard for firmware built in to PCs by manufacturers beginning with Windows 8. It helps to protect the boot process and firmware against tampering, such as from a physically present attacker or from forms of malware that run early in the boot process or in kernel after startup.
Early Launch Antimalware (ELAM) helps protect the platform from rootkit malware disguised as drivers.
Device Health Attestation (DHA) helps prevent compromised devices from accessing an organization’s assets. Device Health Attestation (DHA) provides a way to confirm that devices attempting to connect to an organization’s network are in a healthy state, not compromised with malware. When DHA has been configured, a device’s actual boot data measurements can be checked against the expected “healthy” boot data. If the check indicates a device is unhealthy, the device can be prevented from accessing the network.