Horse Sense #131

Windows 10 (In-)Security, Part 2

[For Horse Sense 129, Windows 10 (In-)Security, Part 1 and Horse Sense 130, Feeling More Secure in Windows 10, please visit the newsletter section of our web site. The specific instructions in Horse Sense 130 will help you make your Windows 10 machine more secure. Most Horse Sense articles are intended to be useful reads for many years.]

You Are Not In Control Any More

Windows 10 Home installs updates as soon as Microsoft releases them, and the user is given no way to decline or defer them. Microsoft is no longer committed to holding patches back for Patch Tuesday (the 2nd Tuesday of the month); a fix can ship the day it is ready. Service packs, which bundled a mass of patches together for the operating system and were meant to install as a group to bring you to a specific level in Windows XP/Vista/7, no longer exist. When you install the base operating system, it pulls its updates from the Internet afterwards. A newly installed Windows 10 machine will need to download and install lots of large updates, perhaps over many days, until it becomes fully patched.

Businesses using Windows 10 Pro may be able to delay patch installations, but only for a while. While many people may not like the forced updates, IT professionals who maintain systems, and security people, will breathe a small sigh of relief, because fully patched systems perform better, are more reliable, are easier to manage and support, and are more secure. That relief is tempered by the knowledge that although Microsoft tests its patches, some have not worked as intended once they reached real machines.
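The deferral the paragraph above refers to is set through policy, not through the Settings app toggle alone. The following is an added example, not code from the Horse Sense article: it reads and sets the Windows Update for Business deferral values. These registry values (DeferQualityUpdates, DeferQualityUpdatesPeriodInDays, DeferFeatureUpdates, DeferFeatureUpdatesPeriodInDays) arrived in Windows 10 version 1607; the 1507 build the article describes only offered a single "Defer upgrades" switch, and Windows 10 Home ignores these values entirely. The function names and the day limits in ValidateRange are this example's own assumptions. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the Horse Sense article): inspect and set the
# Windows Update for Business deferral policy on Windows 10 Pro/Enterprise.
# Assumptions: the policy values below exist from Windows 10 1607 onward;
# Home edition ignores them; quality (security) updates can be deferred at
# most 30 days and feature upgrades at most 365 days. Run as Administrator.

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

function Get-UpdateDeferral {
    # Returns the deferral settings currently in force, or zeros if none are set.
    $p = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        QualityDeferred     = [bool]($p.DeferQualityUpdates)
        QualityDeferralDays = [int]($p.DeferQualityUpdatesPeriodInDays)
        FeatureDeferred     = [bool]($p.DeferFeatureUpdates)
        FeatureDeferralDays = [int]($p.DeferFeatureUpdatesPeriodInDays)
    }
}

function Set-UpdateDeferral {
    param(
        [ValidateRange(0,30)]  [int]$QualityDays,   # monthly security/quality updates
        [ValidateRange(0,365)] [int]$FeatureDays    # twice-yearly feature upgrades
    )
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }

    # A zero-day deferral means "do not defer", so the enable flag follows the day count.
    New-ItemProperty -Path $PolicyKey -Name DeferQualityUpdates -PropertyType DWord `
        -Value ([int]($QualityDays -gt 0)) -Force | Out-Null
    New-ItemProperty -Path $PolicyKey -Name DeferQualityUpdatesPeriodInDays -PropertyType DWord `
        -Value $QualityDays -Force | Out-Null
    New-ItemProperty -Path $PolicyKey -Name DeferFeatureUpdates -PropertyType DWord `
        -Value ([int]($FeatureDays -gt 0)) -Force | Out-Null
    New-ItemProperty -Path $PolicyKey -Name DeferFeatureUpdatesPeriodInDays -PropertyType DWord `
        -Value $FeatureDays -Force | Out-Null

    Get-UpdateDeferral   # confirm what is now in force
}

# Usage: hold security updates 7 days (long enough to hear about a bad patch
# from the Home users who get it first) and feature upgrades 180 days.
Set-UpdateDeferral -QualityDays 7 -FeatureDays 180
```

Seven days of quality-update deferral is the trade-off the article describes: it buys time to see whether a patch misbehaves on consumer machines, at the cost of a week during which the fixed vulnerability is public and your systems are still exposed. Do not set the quality deferral to its maximum as a habit; use it as a short quarantine.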

You May Be an Unpaid Beta Tester

Windows 10 Home (consumer) users will be the guinea pigs. This is not really a bad compromise: it has been common industry practice for years to test new or patched software on consumers first. Windows 10 Home users will get the latest patches containing feature enhancements, security updates, and performance enhancements first. Consumers are also quite likely to do some dangerous things on their home computers that they would not do at work, so early patching can make them safer. If there is a problem with a patch, a few isolated consumers will experience it and be aggravated. A glitchy business patch could mess things up for thousands of users and cost millions to fix. Even if a patch works fine for consumers, though, a delayed business patch might still cause problems, because businesses run software that consumers do not.

Information is Lacking in the New World Order

Since the Windows 10 release, I have not seen notices that an update is scheduled to install, either from Microsoft or from the non-Microsoft sources I have used for some years. Such a heads-up is appreciated by those who track whether a patch is successful or not.

Whether the patch is brand new or has been out for a while, I have so far seen very little detail on what a Windows 10 patch was for and why it is being installed. For example, when a recent update replaced well over 100 files on one of my machines, the referenced information listed the files being replaced, but not why.

Although Microsoft says I can hold off installing an update on business systems, I would need a lot more information to know whether doing so would be appropriate. Microsoft might be comfortable with the way it currently handles patching because not many people actually take the time to look at this information, but security professionals do need a heads-up, transparency, and better documentation.
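What Windows does keep, even if the Settings app shows little of it, is the Windows Update Agent's own history: title, KB number, outcome and Microsoft's support page for each install. The following is an added example, not code from the Horse Sense article, that pulls that record out through the Windows Update Agent COM API (Microsoft.Update.Session), which exists on Windows 7 and later. The function name, the regular expression used to extract the KB number, and the column layout are this example's own choices.

```powershell
# Added example (not from the Horse Sense article): list what Windows Update
# actually installed, with KB number, result and Microsoft's support page,
# using the Windows Update Agent COM API. Works on Windows 7 and later.
# The OperationResultCode and UpdateOperation values are the documented
# WUA enumerations; the KB regex and output fields are this example's own.

function Get-UpdateHistoryReport {
    param([int]$Last = 50)   # most recent N history entries to examine

    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $total    = $searcher.GetTotalHistoryCount()
    $count    = [Math]::Min($Last, $total)
    if ($count -eq 0) { return @() }

    # OperationResultCode: 0 NotStarted, 1 InProgress, 2 Succeeded,
    # 3 SucceededWithErrors, 4 Failed, 5 Aborted.
    $resultName = @{ 0 = 'NotStarted'; 1 = 'InProgress'; 2 = 'Succeeded'
                     3 = 'SucceededWithErrors'; 4 = 'Failed'; 5 = 'Aborted' }

    # UpdateOperation: 1 = installation, 2 = uninstallation. Keep installs only.
    $searcher.QueryHistory(0, $count) | Where-Object { $_.Operation -eq 1 } |
        ForEach-Object {
            $kb = if ($_.Title -match 'KB(\d{6,7})') { "KB$($Matches[1])" } else { '' }
            [pscustomobject]@{
                Date       = $_.Date
                KB         = $kb
                Result     = $resultName[[int]$_.ResultCode]
                HResult    = ('0x{0:X8}' -f $_.HResult)   # non-zero explains a failure
                Title      = $_.Title
                SupportUrl = $_.SupportUrl                # where the "why" should be
            }
        }
}

# Usage: the last 25 installs; anything not 'Succeeded' is what you chase first.
Get-UpdateHistoryReport -Last 25 | Format-Table Date, KB, Result, HResult, Title -AutoSize

# Keep your own record, since the article's point is that Microsoft's is thin:
# Get-UpdateHistoryReport -Last 200 | Export-Csv .\update-history.csv -NoTypeInformation
```

The SupportUrl column is usually a Microsoft Knowledge Base link for the KB in the title; it is the closest thing to "why" that the update itself carries, and the CSV export gives you the before/after record that the paragraph above says is otherwise missing.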

Better Security Microsoft Has But Did Not Use in Windows 10

Microsoft could have improved security, manageability, performance, reliability, and the user experience by doing what Windows Server has done for years: introducing the concept of roles. When you load up a Windows Server, it is a very basic affair. Only then do you tell it what roles you expect it to play on your network. Will it just serve up files? How about authenticating users? Will it be a web or e-mail server? And so on. Windows 10 makes the same invalid assumption as Windows 8.x: because it is supposed to run and look the same on phones, tablets, and PCs, everything should be on and enabled, right? Wrong. You want your software to fit the role assigned to it; every service and feature left enabled on a device that does not need it is attack surface that still has to be patched and watched. This is perhaps the greatest failing of Windows 10. It could adjust itself not only to the device it is running on, but to the person and organization using it. Windows 10, sadly, has no concept of roles.
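Windows 10 has no server-style role installer, but an administrator can approximate one by defining a role as the list of optional features it does not need and switching those off. The following is an added example, not code from the Horse Sense article and not a Microsoft feature: the role names ("Kiosk", "Workstation") and their feature lists are this example's own choices, and the feature identifiers are the ones DISM and Get-WindowsOptionalFeature use (confirm them on your build with Get-WindowsOptionalFeature -Online before relying on them). Run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the Horse Sense article): a poor man's "role" for
# Windows 10. A role is defined here as the optional features a machine in
# that role should NOT have. Role names and feature lists are this example's
# assumptions; feature identifiers are those used by DISM. Run as Administrator.

$RoleProfiles = @{
    # Kiosk or lab PC: no legacy SMB1 file sharing, no old PowerShell 2 engine
    # (bypasses newer script logging), no Telnet/TFTP clients, no Work Folders.
    Kiosk       = @('SMB1Protocol', 'MicrosoftWindowsPowerShellV2Root',
                    'TelnetClient', 'TFTP', 'WorkFolders-Client')
    # Office workstation: keeps Work Folders, loses the rest.
    Workstation = @('SMB1Protocol', 'MicrosoftWindowsPowerShellV2Root',
                    'TelnetClient', 'TFTP')
}

function Get-RoleCompliance {
    # Report which of the role's unwanted features are still enabled.
    param([Parameter(Mandatory)][ValidateSet('Kiosk','Workstation')][string]$Role)
    foreach ($name in $RoleProfiles[$Role]) {
        $f = Get-WindowsOptionalFeature -Online -FeatureName $name -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Role    = $Role
            Feature = $name
            State   = if ($f) { $f.State } else { 'NotPresent' }   # unknown on this build
            Action  = if ($f -and $f.State -eq 'Enabled') { 'Disable' } else { 'None' }
        }
    }
}

function Set-RoleProfile {
    # Disable every feature the compliance report marks for removal.
    # Supports -WhatIf so the change can be previewed before it is made.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][ValidateSet('Kiosk','Workstation')][string]$Role)
    Get-RoleCompliance -Role $Role | Where-Object Action -eq 'Disable' | ForEach-Object {
        if ($PSCmdlet.ShouldProcess($_.Feature, 'Disable-WindowsOptionalFeature')) {
            Disable-WindowsOptionalFeature -Online -FeatureName $_.Feature -NoRestart | Out-Null
        }
    }
    Get-RoleCompliance -Role $Role   # re-check; a reboot may be needed before State changes
}

# Usage: see what the Kiosk role would remove, preview the change, then apply it.
Get-RoleCompliance -Role Kiosk | Format-Table -AutoSize
Set-RoleProfile -Role Kiosk -WhatIf
# Set-RoleProfile -Role Kiosk
```

This only covers optional Windows features; services and store apps are separate surfaces and would need their own per-role lists. The point it demonstrates is the one the paragraph above makes: the role should decide what is enabled, rather than the installer enabling everything and leaving the administrator to find out what to turn off.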

©2015 Tony Stirk, Iron Horse