Windows 10 Enterprise E3 for CSP
by Kate Smith, Director, Sales & Marketing
Microsoft has recently released a new SKU in the Cloud Solution Provider family of products: Windows 10 Enterprise E3. This OS upgrade provides enterprise-grade security capabilities for small and mid-sized businesses. Machines running Windows 10 Pro already have these features included in the OS, but the features are not turned on until the E3 SKU is purchased through the monthly subscription.
Windows 10 Enterprise E3 requires a 1 seat minimum purchase with a 1 year commitment, and the list price is $7 per user per month. There is no seat limit and each user can get Enterprise E3 on up to 5 devices.
Let’s delve deeper into the enhanced security offered through Windows 10 Enterprise E3.
Windows 10 Pro currently includes Microsoft Passport and Windows Hello, but per the Windows IT Center, Credential Guard adds further levels of protection, including:
• Hardware security – Credential Guard increases the security of derived domain credentials by taking advantage of platform security features including Secure Boot and virtualization.
• Virtualization based security – Windows services that manage derived domain credentials and other secrets run in a protected environment that is isolated from the running operating system.
• Better protection against advanced persistent threats – Securing derived domain credentials using the virtualization-based security blocks the credential theft attack techniques and tools used in many targeted attacks. Malware running in the operating system with administrative privileges cannot extract secrets that are protected by virtualization-based security. While Credential Guard is a powerful mitigation, persistent threat attacks will likely shift to new attack techniques and you should also incorporate Device Guard and other security strategies and architectures.
• Manageability – You can manage Credential Guard by using Group Policy, WMI, from a command prompt, and Windows PowerShell.
Device Guard adds additional protection against malware and “is a combination of enterprise-related hardware and software security features that, when configured together, will lock a device down so that it can only run trusted applications that you define in your code integrity policies. If the app isn’t trusted it can’t run, period.
With hardware that meets basic requirements, it also means that even if an attacker manages to get control of the Windows kernel, he or she will be much less likely to be able to run malicious executable code.” (Windows IT Center, 2016)
Windows 10 Enterprise E3 includes enhanced controls for administrators to determine applications that are permitted to run on devices. Windows IT Center states, “AppLocker rules are organized into collections based on file format. If no AppLocker rules for a specific rule collection exist, all files with that file format are allowed to run. However, when an AppLocker rule for a specific rule collection is created, only the files explicitly allowed in a rule are permitted to run.” (Windows IT Center, 2016)
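The per-collection behavior quoted above can be checked offline against an exported policy. The following is an added example, not code from the original article or from Microsoft: it parses AppLocker policy XML and reports which rule collections still allow every file of their format. The sample policy is constructed, the function names are hypothetical, and the handling of `AuditOnly` (rules logged but not enforced) comes from AppLocker's documented enforcement modes rather than from this page.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of an exported AppLocker policy XML
# (for instance from Get-AppLockerPolicy -Effective -Xml); not from a real machine.
SAMPLE_POLICY = """\
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePathRule Id="00000000-0000-0000-0000-000000000001" Name="Program Files"
                  Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\\*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
  <RuleCollection Type="Msi" EnforcementMode="AuditOnly">
    <FilePathRule Id="00000000-0000-0000-0000-000000000002" Name="Installer cache"
                  Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\\Installer\\*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
  <RuleCollection Type="Script" EnforcementMode="NotConfigured" />
</AppLockerPolicy>
"""

RULE_TAGS = {"FilePublisherRule", "FilePathRule", "FileHashRule"}
ALL_TYPES = ("Exe", "Msi", "Script", "Dll", "Appx")

def audit_collections(policy_xml):
    """Map each rule collection type to 'allowlist', 'audit-only' or 'open'."""
    root = ET.fromstring(policy_xml)
    result = {t: "open" for t in ALL_TYPES}  # a missing collection has no rules
    for coll in root.findall("RuleCollection"):
        rules = [r for r in coll if r.tag in RULE_TAGS]
        if not rules:
            state = "open"        # no rules: every file of this format may run
        elif coll.get("EnforcementMode") == "AuditOnly":
            state = "audit-only"  # rules are logged only, nothing is blocked
        else:
            state = "allowlist"   # only files matched by an allow rule may run
        result[coll.get("Type")] = state
    return result

def unrestricted(policy_xml):
    """Collection types where nothing is actually being blocked."""
    return sorted(t for t, s in audit_collections(policy_xml).items() if s != "allowlist")

if __name__ == "__main__":
    print(unrestricted(SAMPLE_POLICY))
```
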
App-V for Windows 10 Enterprise E3 allows users to access applications without having to install them on individual devices. “Virtual applications are installed on centrally managed servers and delivered to users as a service – in real time and on an as-needed basis. Users launch virtual applications from familiar access points and interact with them as if they were installed locally.” (Windows IT Center, 2016)
Managed User Experience
Managed User Experience controls user experience on specific devices, and additionally, “helps customize and lock down a Windows device’s user interface to restrict it to a specific task. For example, you can configure a device for a controlled scenario such as a kiosk or classroom device. The user experience would be automatically reset once a user signs off. You can also restrict access to services including Cortana or the Windows Store, and manage Start layout options.” (Windows IT Center, 2016)
Windows IT Center. (2016, August 10). Device Guard deployment guide. Retrieved from Microsoft Tech Net: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/device-guard-deployment-guide
Windows IT Center. (2016, August 19). Getting Started with App-V for Windows 10. Retrieved from Microsoft Tech Net: https://technet.microsoft.com/en-us/itpro/windows/manage/appv-getting-started
Windows IT Center. (2016, September 28). Lock down Windows 10 to specific apps. Retrieved from Microsoft Tech Net: https://technet.microsoft.com/en-us/itpro/windows/manage/lock-down-windows-10-to-specific-apps
Windows IT Center. (2016, September 13). Windows 10 Enterprise E3 in CSP Overview. Retrieved from Microsoft Tech Net: https://technet.microsoft.com/en-us/itpro/windows/deploy/windows-10-enterprise-e3-overview
Windows IT Center. (2017, January 3). Protect derived domain credentials with Credential Guard. Retrieved from Microsoft Tech Net: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/credential-guard
About the Author
Kate Smith, SecurElement’s Director, Sales & Marketing, is responsible for SecurElement’s overall sales and marketing strategy as well as ongoing partner relationships with organizations such as Microsoft, Cisco, Barracuda and many others.