Windows 7 enters its final year of free support

Up to three years of paid support will be available after the cut-off.

Licensing and support lifecycles are not really the easiest topics to illustrate.

Enlarge / Licensing and support lifecycles are not really the easiest topics to illustrate. (credit: Peter Bright)

Windows 7's five years of extended support will expire on January 14, 2020—exactly one year from today. After this date, security fixes will no longer be freely available for the operating system that's still widely used.

As always, the end of free support does not mean the end of support entirely. Microsoft has long offered paid support options for its operating systems beyond their normal lifetime, and Windows 7 is no different. What is different is the way that paid support will be offered. For previous versions of Windows, companies had to enter into a support contract of some kind to continue to receive patches. For Windows 7, however, the extra patches will simply be an optional extra that can be added to an existing volume license subscription—no separate support contract needed—on a per-device basis.

These Extended Security Updates (ESU) will be available for three years after the 2020 cut-off, with prices escalating each year.

Read 3 remaining paragraphs | Comments

Microsoft offers completely passwordless authentication for online apps

Phone-based authentication is the way forward instead.

Article intro image

Applications using Azure Active Directory (AD) to authenticate—a category that includes Office 365, among other things—will soon be able to stop using passwords entirely.

Azure AD accounts can already use the Microsoft Authenticator app for two factor authentication, combining a password with a one-time code. With the new passwordless support, authentication is handled entirely by the app; the app itself represents "something you have," and this is combined with either biometric authentication or a PIN. Passwords have a long, problematic history; while they can be very strong, if suitably long and suitably random, human passwords are often short, non-random, and reused across multiple sites. App-based authentication avoids this long-standing weakness.

Enabling two-factor authentication is just one of the things that organizations can do to improve their security. To that end, Microsoft has extended "Microsoft Security Score," a tool used to assess organizational policy and provide guidance on measures that can be taken to harden an organization against attack. Secure Score already spans Office 365 and Windows security features; to these, Microsoft has added Azure AD, Azure Security Center, and Enterprise Mobility Suite, covering a wider range of settings and options.

Read 2 remaining paragraphs | Comments

Windows Defender Advanced Threat Protection coming to Windows 7 and 8.1

(credit: Jerry Raia)
Windows Defender Advanced Threat Protection (ATP), Microsoft’s security software that combines end-point security and data collection with cloud analytics, has hitherto been unique to Windows 10. But no longer; Microsoft announc…

(credit: Jerry Raia)

Windows Defender Advanced Threat Protection (ATP), Microsoft's security software that combines end-point security and data collection with cloud analytics, has hitherto been unique to Windows 10. But no longer; Microsoft announced today that it's bringing the same features to Windows 7 and Windows 8.1.

Coming this summer, the Endpoint Data and Response (EDR) portions of ATP will be available for these older operating systems, allowing their health and status to be managed through the cloud interface. This will be paired with either third-party anti-virus for endpoint protection or Windows Defender/System Center Endpoint Protection.

This move shows the contradictory position Microsoft finds itself in. On the one hand, Microsoft wants enterprises to deploy and use ATP, as it continues to build its cloud-based device management and monitoring software. On the other hand, Redmond wants those same companies to upgrade to Windows 10. This creates a tension: having ATP as a Windows 10 exclusive feature makes Windows 10 more attractive—Microsoft says that security is one of the major reasons enterprises cite for moving to the new operating system—but with many organizations still having Windows 7 and Windows 8.1 systems that they need to support, the inability to monitor those machines makes ATP less attractive.

Read 1 remaining paragraphs | Comments

Azure Confidential Computing will keep data secret, even from Microsoft

Enlarge / The Trusted Execution Environment means that, even if the application and operating system are compromised, the green code and data can’t be accessed. (credit: Microsoft)
Microsoft announced today a new feature coming to its Azure cloud pl…

Enlarge / The Trusted Execution Environment means that, even if the application and operating system are compromised, the green code and data can't be accessed. (credit: Microsoft)

Microsoft announced today a new feature coming to its Azure cloud platform named "Confidential Compute." The feature will allow applications running on Azure to keep data encrypted not only when it's at rest (in storage) or in transit (over a network) but when it's being computed on in-memory. This ability to encrypt data when it's in-use means that it can be kept secure even from Microsoft's administrators, government warrants, and hackers.

Confidential Computing will have two modes: one is built on virtual machines, while the other uses the SGX ("Software Guard Extensions") feature found in Intel's recently introduced Skylake-SP Xeon processors. Both modes will allow applications to ringfence certain parts of their code and data so that they operate in a "trusted execution environment" (TEE). Code and data that are inside a TEE cannot be inspected from outside the TEE.

The virtual machine mode uses the Virtual Secure Mode (VSM) functionality of Hyper-V that was introduced in Windows 10 and Windows Server 2016. With VSM, most parts of an application will run in a regular virtual machine atop a regular operating system. The protected, TEE parts will run in a separate virtual machine containing only a basic stub operating system (enough that it can communicate with the regular VM) and only those parts of the application code that need to handle the sensitive data.

Read 4 remaining paragraphs | Comments