How to protect your business

It is tempting to think that the process of securing a device under Windows 10 can be reduced to that: install security software, adjust some parameters, organize a training session or two, and you can move to the next element from your list of things to do. Alas, the real world is much more complicated than that.

There is no quick fix, and your initial setup simply establishes a basic level of security. Once this initial configuration is complete, the respect of security requires vigilance and continuous efforts. Because much of the work of securing a Windows 10 device is done outside the device itself. A well-planned security policy considers network traffic, email accounts, authentication mechanisms, server management, and other external connections.

This guide covers a wide range of business use cases, each topic dealing with an issue that decision-makers need to consider when deploying Windows 10 PCs. And while it covers many of the available options, it does not a practical guide. In a large organization, your IT staff should include security specialists who can handle these steps. In a small business with no dedicated IT staff, outsourcing these responsibilities to a consultant with the necessary expertise might be the best approach.

Before touching a single parameter of Windows, take the time to evaluate the threat. In particular, be aware of your legal and regulatory responsibilities in the event of a breach of data protection or any other security-related event. For companies subject to compliance requirements, you may need to hire a specialist who is familiar with your industry and can ensure that your systems meet all applicable requirements.

The following categories apply to businesses of all sizes.

Update Management

The most important security setting for any Windows 10 PC is to ensure that updates are installed on a regular and predictable schedule. This is true for all modern computing devices, of course, but the “Windows as a service” model that Microsoft introduced with Windows 10 changes the way you manage updates.

Before you start, though, it’s important to understand the different types of Windows 10 updates and how they work.

  • So-called quality updates are provided monthly by Windows Update. They deal with security and reliability issues and do not include new features. (These updates also include fixes for microcode defects in Intel processors.)
  • All quality updates are cumulative, so you do not need to download dozens or even hundreds of updates after performing a clean install of Windows 10. Instead, you can install the latest update. Cumulative and you will be completely up to date.
  • Feature updates are the equivalent of what was previously known as versioning updates. They include new features and require a gigabyte download and full configuration. Windows 10 feature updates are released twice a year, in April and October, and are also provided by Windows Update.

By default, Windows 10 devices download and install updates as they become available on Microsoft Update Servers. On devices running Windows 10 Home, there is no way to control when updates are installed. However, administrators can have some control over when updates are installed on PCs running the Windows 10 Professional versions.

As with all security decisions, when should you install updates? involves a compromise. Installing updates immediately after they are released provides the best protection; Postponing updates helps minimize unplanned downtime associated with these updates.

With Windows Update for Business features built into Windows 10 Pro, Enterprise, and Education, you can defer the installation of up to 30 days of quality updates. You can also delay feature updates for up to two years, depending on the edition.

Postpone quality updates from 7 to 15 days is a low-risk way to avoid the risk of a faulty update that can cause stability or compatibility issues. You can adjust Windows Update settings for enterprises on individual PCs by using the controls in Settings> Update & Security> Advanced Options.

In large organizations, administrators can apply Windows Update for Business settings by using Group Policy or Mobile Device Management (MDM) software. You can also administer updates centrally using a management tool such as System Center Configuration Manager or Windows Server Update Services.

Finally, your software update policy should not stop at Windows itself. Make sure that Windows application updates, including Microsoft Office and Adobe applications, are installed automatically.

Identity and user account management

Each PC running Windows 10 requires at least one user account, itself protected by a password and optional authentication mechanisms. The way you set up this account (and any secondary account) greatly contributes to the security of the device.

Devices that run a professional version of Windows 10 (Pro, Enterprise, or Education) can be associated with a Windows domain. In this configuration, domain administrators have access to Active Directory features and can allow users, groups, and computers to access local and network resources. If you are a domain administrator, you can manage Windows 10 PCs by using the set of server-based Active Directory tools.

For Windows 10 PCs that are not connected to a domain, as is the case in most small businesses, you have the choice of three types of accounts:

  • Local accounts use credentials that are stored only on the device.
  • Microsoft accounts are free for mainstream customers and allow synchronization of data and settings between PCs and devices; they also support two-factor authentication and password recovery options.
  • Azure Active Directory accounts (Azure AD) are associated with a custom domain and can be managed centrally. The basic features of Azure AD are free and are included in Office 365 Business and Enterprise subscriptions; other features of Azure AD are available as paid upgrades.

The first account on a Windows 10 PC is part of the Administrators group and has the right to install software and change the system configuration. Secondary accounts can and should be configured as standard users to prevent untrained users from inadvertently damaging the system or installing unwanted software.

Requiring a strong password is an essential step, regardless of the type of account. On managed networks, administrators can use Group Policy or MDM software to enforce an enterprise password policy.

To increase the security of the connection process on a specific device, you can use a Windows 10 function called Windows Hello. Windows Hello requires a two-step verification process to register the device with a Microsoft account, an Active Directory account, an Azure AD account, or a third-party identity provider that supports the FIDO version 2.0 feature.

Once registration is complete, the user can log in using a PIN or, if the hardware allows it, biometric authentication, such as a fingerprint or facial recognition. Biometric data is only stored on the device and prevents a variety of common password-stealing attacks. On devices connected to business accounts, administrators can use Windows Hello for Business to specify PIN complexity requirements.