Is Windows 10 S more secure?
MICROSOFT’S ANSWER TO CHROME OS LOOKS AND SMELLS LIKE REGULAR WINDOWS BUT CLAIMS TO BE THE FRIENDLIER VERSION FOR NON-TECHNICAL USERS.
BACK IN 2011, Google did something unexpected: it announced a new operating system that wasn’t a version of Android. Chrome OS was, like Android, built on Linux but far simpler. The OS was pretty much the Chrome browser and that’s all. You could install add-ons from the Chrome Web Store, and you could, of course, access web-based application through the browser. But that’s it.
Unless you have kids or are in education, there’s a decent chance that you’ve never used a Chromebook, but for that particular market, Chrome OS has been reasonably successful. Its locked down, limited nature means that it’s very hard to mess up, meaning that maintenance is much easier. It can’t run games or desktop apps (although some Chromebooks can run Android apps now through the App Runtime for Chrome), so the amount of potentially dangerous stuff that can be installed on it is limited.
We’re finally seeing Microsoft’s answer to Chrome OS. Earlier this year, Microsoft announced Windows 10 S, which would first appear in Microsoft’s own Surface Laptop but is also now available from other manufacturers including those from Acer and HP.
Although it’s often seen as a educationcentric alternative to Chrome OS, it could well be that Microsoft has bigger plans for Windows 10 S, perhaps making it a model for its OS going forward — a way to provide a secure and “non-scary” version of Windows to non-technical users. Indeed, the price of the Surface Laptop — it starts at $1,500 — indicates that Microsoft views this as not just a tool for schoolies, but a platform for the rest of us. Ultimately, it looks and works just like the Windows 10 that we’re used to, but it locks you out from doing certain things that might damage the PC.
WINDOWS 10 S APPS
Windows 10 has a number of features, but perhaps its most significant are securityrelated. This being our Privacy and Security column, we’re going to focus on those, starting with the biggest one.
The headline feature for Windows 10 S is that it only runs apps downloaded from the Microsoft Store. Much like Apple in iOS, Microsoft will be your sole source of apps for Windows 10 S. If it’s not in the Store, you can’t have it.
What that means for app security has been the source of some confusion. The best part about it is that it will work like Google Play and iTunes — only apps that are ratified will make it to the Store, and Microsoft will remove any that are found to have malware or insecure code. That doesn’t mean that malicious apps might not slip the net — they have, after all, infiltrated Google Play and iTunes on a number of occasions — but there is a much higher degree of certainty that the apps you’re downloading are the official apps.
That said, it’s now the case that not all apps in the app store are WinRT apps, which has caused some confusion about the security of such apps.
WinRT was introduced in Windows 8, and originally all Microsoft Store apps had to be WinRT. It’s an application architecture that replaced the old Win32 Windows API (application programming interface). It has a number of advantages, the most significant from a security point of view is that apps written for WinRT are sandboxed. That means that their ability to access other applications or operate outside their allotted memory space is limited. They can only write to a limited set of directories like the User directory without explicit user permission, so they can’t change core system files, and they install into a single directory, so that uninstall should be clean.
The problem was that most existing apps were and still are written for Win32. So the Store was (and still is, for now) a wasteland. But when Windows 10 came along, Microsoft changed its policy. It now offers a tool to developers called Desktop Bridge that packages Win32 ‘Desktop’ apps into the APPX applications that are supported by Microsoft Store and the Universal Windows Platform.
The upshot is that you can now find converted Win32 apps in the Store, which will vastly increase what you’ll find there going forward but also opens up new security threats. Or to put it more simply, you can
absolutely download insecure apps from the Microsoft Store.
That said, it does still have the advantage that we noted earlier — Microsoft will remove most malware before it even hits the store. Like Google Play and iTunes, it also has an integrated update system, so that app updates are downloaded and installed automatically, which is a major plus.
BROWSERS AND WEB SEARCH
The application support is not the only notable security change in Windows 10 S. Come hell or high water, Microsoft will make us use Bing and Edge. Microsoft has officially said that it will not block other browsers from the Store (and Monument Browser and Sidekick can already be found there), but neither Chrome or Firefox have made moves into the store. What’s more, all the system hooks and tools point to Edge and Bing, and some of those are unchangeable. You can go to google.com or startpage.com in Edge on Windows 10 S, but you can’t change the default search engine. You also can’t change the default browser from Edge. This could be a deal breaker for a lot of users. From a security standpoint, Edge doesn’t have nearly as many tools as Firefox and Chrome for dealing with online nasties. Command line and shell tools are gone in Windows 10 S. For power users, this could be another deal breaker, but it’s also a good move from a security perspective. A number of attacks use command scripts or macros, and in Windows 10 S, those attacks will no longer work. You also can’t use the command line to sideload and run apps that are not in the Microsoft Store.
BUSINESS TOOLS
There are some other positive tweaks to the security of Windows 10 S. Rather than basing it on Windows 10 Home, Microsoft actually built it around Windows 10 Pro, and some of the tools that you only find in the Pro version of Windows made it across. This includes: BitLocker support for drive encryption. Support for Windows Update for Business, which provides tools to better manage update rollouts across a network of devices. Mobile device management (MDM) support. Azure AD domains support. Simplified USB-based setup up and distribution.
WRAP UP
Windows 10 S can best be summarised as “Windows 10 Pro, with most of the ways you might mess it up ripped out”. It’s not a bad solution for schools, and if you’re the designated tech support guy or gal for your circle of family and friends, it’s not a bad way of keeping them from calling you as often.
Power users, of course, will find very little use for it. There’s nothing S can do that Windows 10 Pro can’t, and there’s quite a bit that Pro can do that S can’t.
Perhaps the biggest immediate problem with it is that, right now, the number of security apps available in the store is very limited. Some suites have made the leap, including Norton and McAfee, but most VPNs and other tools have not. Secure browser add-ons are also extremely limited. You’re virtually forced to use Bing and Edge, and there’s no Disconnect, no Tor Browser and no Signal. There is Ghostery and LastPass at least, and much more may appear in the store in the future. But right now, it’s a rough ask to sacrifice so much functionality in exchange for being locked down.
PERHAPS THE BIGGEST IMMEDIATE PROBLEM WITH IT IS THAT, RIGHT NOW, THE NUMBER OF SECURITY APPS AVAILABLE IN THE STORE IS VERY LIMITED.