Windows: security made easy

You might think that, with a multitude of business and personal devices now being used to access company data in even the smallest of businesses, IT security is a bigger headache than ever before. However, with the Windows tools on offer to both users and IT administrators, securing devices, whether smartphones, hybrid tablets, slates or laptops and whichever operating system they run, is easier than it has ever been.

Device management

The latest tools in Windows 8.1, Windows Server 2012 R2 and Windows Intune make it simple for both employees and IT managers to ensure their devices are being used securely.

Workplace Join, for example, lets users register a device by entering their regular business email address and password in the Windows 8.1 PC settings, after which they can gain access to corporate applications and data. IT departments can require two-factor authentication for Workplace Join, so that employees must also respond to a message on their mobile phone to complete the initial registration.


Once a device is joined, whether it is business-owned or personal, the IT department has the option to control its security settings, Wi-Fi network settings and the business apps available to the user on it. If the device is lost or stolen, the IT department can selectively wipe the business apps and data stored on the device, protecting business assets even on employees' own hardware.

Everything is made as simple as possible for the user. On a Windows 8.1 device, users can click on a company app on the Windows Start screen, and enter a portal showing what business applications are available to install on their device: a company expenses manager, for example, or Microsoft applications such as Skype or OneNote. The company app may also, for instance, provide secure, one-click remote desktop access to the employee's PC in the office, allowing workers to access apps that they don't have installed on a Windows 8.1 tablet with limited storage.

Remote workers can be given secure, seamless access to files they have stored on the company servers through a new feature called Work Folders. Once signed in, Work Folders appear in Windows Explorer, just like local documents folders or OneDrive (previously known as SkyDrive) files. Employees create and edit files in a local copy, so they can keep working offline, and every change is synchronised back to the company file server, which always holds the master copy; IT can additionally require that the local copies are encrypted.

IT departments can even apply rules to documents saved in Work Folders to ensure that sensitive company information isn't leaked. It's possible, for example, to automatically apply rights management to any document containing the word "confidential", so that the file is encrypted and can only be opened by the people and permissions the policy names: a copy that does end up in an email or in an external cloud service such as Dropbox is useless to anyone outside that list. It's reassuring for the user that Windows is watching their back and preventing them from doing anything that could compromise security and, ultimately, result in disciplinary action.
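The "tag anything containing the word confidential and protect it" rule described above is built from two Windows Server 2012 R2 pieces: a File Server Resource Manager (FSRM) content classification rule that sets a property on matching files, and an FSRM file management task that applies an AD RMS template to files carrying that property. The following is an added example, not code from the article or from Microsoft, showing one way to wire the two together on the file server that hosts the Work Folders share. The share path and RMS template name are placeholders, and the parameter names should be checked against `Get-Help New-FsrmClassificationRule -Full` on the server it is run on.

```powershell
# Added example (not from the article): classify files whose content matches
# "confidential" and protect them with an AD RMS template via FSRM.
# Run elevated on the Windows Server 2012 R2 file server with the FSRM role
# service and the AD RMS client installed.
# Assumptions (not in the article): $syncShare and $rmsTemplate are placeholders.

Import-Module FileServerResourceManager

$syncShare   = 'D:\SyncShares\Staff'      # hypothetical Work Folders sync share path
$rmsTemplate = 'Contoso Confidential'     # hypothetical AD RMS rights policy template

# 1. A classification property the rule will set and the job will test.
if (-not (Get-FsrmClassificationPropertyDefinition -Name 'Confidentiality' -ErrorAction SilentlyContinue)) {
    $high = New-FsrmClassificationPropertyValue -Name 'High'
    $low  = New-FsrmClassificationPropertyValue -Name 'Low'
    New-FsrmClassificationPropertyDefinition -Name 'Confidentiality' -Type SingleChoice `
        -PossibleValue $high, $low | Out-Null
}

# 2. Content classifier: a .NET regex over the file body. (?i) makes it
#    case-insensitive; \b stops e.g. "confidentiality" in a boilerplate footer
#    from matching. Overwrite means a file edited to drop the word is
#    re-evaluated on the next pass instead of staying tagged for ever.
New-FsrmClassificationRule -Name 'Flag confidential content' `
    -Property 'Confidentiality' -PropertyValue 'High' `
    -Namespace @($syncShare) `
    -ClassificationMechanism 'Content Classifier' `
    -ContentRegularExpression @('(?i)\bconfidential\b') `
    -ReevaluateProperty Overwrite | Out-Null

# 3. File management task: when Confidentiality = High, wrap the file in the
#    RMS template. Continuous mode protects new and changed files as they
#    arrive rather than waiting for the scheduled run.
$condition = New-FsrmFmjCondition -Property 'Confidentiality' -Condition Equal -Value 'High'
$action    = New-FsrmFmjAction -Type Rms -RmsTemplate $rmsTemplate
New-FsrmFileManagementJob -Name 'Protect confidential files' `
    -Namespace @($syncShare) -Condition @($condition) -Action $action -Continuous | Out-Null

# 4. Classify and protect what is already on the share.
Start-FsrmClassification
Start-FsrmFileManagementJob -Name 'Protect confidential files'
```

Two caveats a practitioner would want: the content classifier can only read formats for which an IFilter is installed (Office documents, plain text, PDF once its IFilter is present), so an unreadable format is never tagged; and even in continuous mode there is a short window between a file being written and the task protecting it. The protection itself is what makes the article's claim true: an RMS-protected file is encrypted, so copying it to email or Dropbox moves ciphertext that only the users the template names can open.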

If an employee who uses Work Folders on a personal PC leaves the company, the IT department can revoke their access and remotely wipe the Work Folders data, ensuring that company data is protected while leaving the employee's personal data intact.

And it's not only Windows 8.1 PCs that can be managed with the combination of System Center 2012 R2 Configuration Manager and Windows Intune: Windows RT 8.1*, Windows Phone 8, Apple iOS and Android devices are all covered from a single management console.

Secure sign-in

With Windows 8.1, there are more options than ever to ensure that you're signing into your work device with something more secure than a simple password.


Windows 8 introduced the concept of virtual smart cards. Instead of carrying around a physical card that you insert into a reader to gain access to your PC, a virtual smart card's private key is generated inside, and never leaves, the Trusted Platform Module (TPM) chip built into the laptop or tablet. Now there's no fear of leaving your smart card on your office desk or waiting for IT to replace a lost one before you can get into the PC: the smart card is contained within the PC itself. Users still have to enter a PIN, just as they would with a separate smart card, and the TPM's anti-hammering lockout limits how many wrong guesses a thief gets before the card locks.

While virtual smart cards may raise the risk of an attacker gaining access to an unattended PC, since the card can no longer be carried away from the machine, the other security benefits outweigh that threat. For instance, you're far more likely to notice that your laptop has been stolen than your work smart card, and you're much less likely to leave your laptop in a coffee shop or on your canteen tray than a plastic card. IT departments can still instantly revoke virtual smart cards in the same way they can physical passes, and of course the cost of issuing new cards is dramatically reduced.

Windows 8.1 also offers other biometric authentication options, allowing you to sign in to the PC, initiate a remote desktop session or approve User Account Control prompts via a fingerprint reader, for example. The already small risk of thieves fooling readers with silicone copies of your fingerprint has been reduced further by modern "touch" readers with liveness detection, which can check, for example, whether the "finger" has a pulse.

Once you're signed in, DirectAccess will give you seamless access to the company network, provided the Remote Access role is configured on Windows Server 2012 and the client is a domain-joined PC running Windows 8.1 Enterprise. No more fiddling with VPN clients or entering additional logins: you'll have access to the company's assets the moment you're logged into Windows.

Encrypted data

Even if thieves cannot get past Windows' many authentication options to log in to a stolen PC, they might try and remove a laptop's hard disk to access sensitive data. Again, Windows 8.1 brings down the shutters.

BitLocker full-volume encryption ensures that thieves cannot simply remove a hard disk and read its contents from a different PC, nor boot a secondary operating system and access files that way. The key that unlocks the volume is sealed by the TPM and released only to an untampered boot of the original installation; the only other way in is the recovery key, which the IT department can escrow to Active Directory so that it is never stored with the laptop.

For an extra layer of security, IT departments can require pre-boot authentication on top of the TPM: you may have to enter a PIN before Windows starts, for example, or insert a special USB startup key. With TPM-only protection the disk is unlocked automatically as the machine boots; adding a PIN or startup key means it stays locked until someone who holds that second factor is present.

And it's not only internal disk drives that can be protected. External disk drives and USB thumb sticks can also be encrypted with BitLocker To Go. Using Group Policy, IT departments can even mandate that files cannot be written to removable drives unless those drives are BitLocker-encrypted first, preventing potentially costly and embarrassing data loss.
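The three BitLocker controls just described (TPM-sealed OS volume with an escrowed recovery key, a PIN required before boot, and a Group Policy that refuses writes to unencrypted removable drives) can all be driven and checked from the BitLocker PowerShell module that ships with Windows 8.1. The script below is an added example, not from the article or from Microsoft. It assumes an elevated session on a domain-joined Windows 8.1 Pro or Enterprise PC with a TPM, that the "Store BitLocker recovery information in Active Directory Domain Services" policy is enabled (otherwise the escrow step fails), and that the Group Policy values it reads have been delivered by GPO; the PIN is a placeholder supplied by the caller.

```powershell
# Added example (not from the article): enable BitLocker on the OS drive with a
# recovery password escrowed to AD DS, add a TPM+PIN pre-boot protector, and
# read the policy values behind "TPM+PIN allowed" and "deny writes to
# unencrypted removable drives".
# Assumptions (not in the article): domain-joined Windows 8.1 Pro/Enterprise,
# TPM present, recovery-key escrow policy enabled, PIN supplied by the caller.

$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'   # where BitLocker GPO settings land

function Get-BitLockerPolicyState {
    # Values written by "Require additional authentication at startup":
    # 0 = Do not allow, 1 = Require, 2 = Allow.
    $p = Get-ItemProperty -Path $fve -ErrorAction SilentlyContinue
    [pscustomobject]@{
        AdvancedStartupEnabled    = ($p.UseAdvancedStartup -eq 1)
        TpmPinAllowed             = ($p.UseTPMPIN -in 1, 2)
        DenyWriteToPlainRemovable = ($p.RDVDenyWriteAccess -eq 1)
    }
}

function Enable-OsDriveWithTpmPin {
    param([Parameter(Mandatory)][securestring]$Pin)

    $state = Get-BitLockerPolicyState
    if (-not ($state.AdvancedStartupEnabled -and $state.TpmPinAllowed)) {
        throw 'Policy does not allow TPM+PIN; enable "Require additional authentication at startup" first.'
    }
    if ((Get-Tpm).TpmReady -ne $true) { throw 'TPM is not ready; initialise it before enabling BitLocker.' }

    $vol = Get-BitLockerVolume -MountPoint 'C:'
    if ($vol.ProtectionStatus -eq 'On') {
        Write-Warning 'C: is already protected; leaving existing protectors alone.'
        return $vol
    }

    # Recovery password first, so a forgotten PIN can never strand the data,
    # and escrow it to AD before the machine depends on the TPM.
    Enable-BitLocker -MountPoint 'C:' -EncryptionMethod Aes256 -UsedSpaceOnly `
        -RecoveryPasswordProtector -SkipHardwareTest | Out-Null
    $rpId = (Get-BitLockerVolume -MountPoint 'C:').KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword' |
        Select-Object -First 1 -ExpandProperty KeyProtectorId
    Backup-BitLockerKeyProtector -MountPoint 'C:' -KeyProtectorId $rpId | Out-Null

    # The everyday unlock path: TPM seals the volume key, PIN is demanded at boot.
    Add-BitLockerKeyProtector -MountPoint 'C:' -TpmAndPinProtector -Pin $Pin | Out-Null
    Get-BitLockerVolume -MountPoint 'C:'
}

# The article's "cannot write to removable drives unless encrypted" rule is the
# "Deny write access to removable drives not protected by BitLocker" policy.
# In a domain deliver it by GPO; the registry write below is what that GPO
# sets, and is handy on a lab machine to see the effect immediately.
function Set-DenyWriteToUnencryptedRemovable {
    if (-not (Test-Path $fve)) { New-Item -Path $fve -Force | Out-Null }
    Set-ItemProperty -Path $fve -Name RDVDenyWriteAccess -Value 1 -Type DWord
}

# Usage:
# $pin = Read-Host -AsSecureString 'BitLocker PIN'   # at least the policy's minimum length
# Enable-OsDriveWithTpmPin -Pin $pin
# Set-DenyWriteToUnencryptedRemovable
# Get-BitLockerPolicyState
```

Order matters in that function: the recovery password is created and escrowed before the TPM+PIN protector is added, so there is never a moment when the only way past a mistyped or forgotten PIN is a key that exists nowhere but on the laptop. Once the PIN protector is in place, `manage-bde -status C:` (or `Get-BitLockerVolume`) should list both a `TpmPin` and a `RecoveryPassword` protector.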

Reinforced Windows

Combine all these enterprise security measures with the other safeguards already built into Windows 8.1 (the built-in firewall, the antivirus protection offered by Windows Defender and the SmartScreen Filter integrated into Internet Explorer, to name but three) and it's clear that businesses have never been so well protected from threats to their data.

Whether the risk comes from accidental loss, employee carelessness or deliberate attack, Microsoft offers tools that make it far harder for your critical data to leave the business, no matter what device it's stored on.

(*Windows RT 8.1 is the version of Windows for devices running ARM-based processors. It's predominantly deployed on compact tablet or hybrid devices.)

Barry Collins

Barry Collins is an experienced IT journalist who specialises in Windows, Mac, broadband and more. He's a former editor of PC Pro magazine, and has contributed to many national newspapers, magazines and websites in a career that has spanned over 20 years. You may have seen Barry as a tech pundit on television and radio, including BBC Newsnight, the Chris Evans Show and ITN News at Ten.