Operating system security

Data Security in Windows 10

Dimitar Kostadinov
July 28, 2020 by
Dimitar Kostadinov


By design, Windows 10 is more secure than its predecessors Windows 7 and Windows 8.1. That’s what the people from Microsoft say, anyway.

One excellent measuring tool regarding security is how well an OS can protect data. This article examines the subject matter in question from three perspectives:

  1. Data backup
  2. Data encryption
  3. Additional data security measures

Learn Windows 10 Host Security

Learn Windows 10 Host Security

Build your Windows skills with 13 courses covering Windows registry, services, processes, toolset and more.

Data backup

Before you even proceed to encrypt your data, you should first make a secure copy of it and store it in a safe and trusted place. A clean installation restore point for your Windows 10 can spare you much time. If things go wrong, you can use the save point to restore your OS with a fresh install and start with a clean slate.

Malicious software and online threats can always creep in, but you should also consider the probability of hardware issues that could endanger your data. To make sure your data is safe, use a twofold backup strategy that combines external hard drive storage with an online backup service. Users of Windows 10, for example, can rely on the Windows’ File History feature to easily back up their data to an external drive.

Last but not least, by turning on encryption during a backup, one can double protect valuable data.

Data encryption

 When BitLocker — a Windows 10 built-in tool for a full-volume encryption — is enabled, encryption standards called XTS-AES or AES-CBC encrypt every bit of data within an entire drive. The default encryption strength is 128-bit, but Windows 10 users can increase it to 256-bit. Military-grade encryption is a welcome feature — an indispensable safety net of sorts against data loss or theft.

Several prerequisites for enabling BitLocker are:

  • Having a device that comes with a Trusted Platform Module (TPM) chip — a hardware-based method of storing encryption keys. Otherwise, you may have to store the encryption keys on the hard drives, which is not recommended because hackers will likely be able to decrypt your data if they can get their hands on your hard disk
  • Business edition of Windows 10, since the Home editions requires a Microsoft account and does not allow management of the BitLocker device

Do not also forget to encrypt portable storage devices like USB flash drives or MicroSD cards with the password-based solution BitLocker To Go.

While BitDefender is best suited for encrypting entire drives, Windows 10 also offers a feature called Encrypted File System (EFS) that can encrypt one by one individual files and directories. However, the strength of the BitLocker’s full-disk encryption is just superior to what the EFS has to offer. Furthermore, to optimally defend data at scale, Windows Information Protection (WIP) tools have the capacity to complement the file-level encryption by allowing for integrated data separation and containerization.

Azure Information Protection and Azure Rights Management services are Windows 10 features that can secure the contents of stored files and messages based on the premise that administrators can, independently of the local encryption status, classify and restrict access to files created via applications such as Office.

Additional data security measures

Perhaps the most dangerous threats to sensitive data lurk in the unprotected wireless networks. For that reason, additional measures are never enough. Here are some ideas on how to mitigate this issue:

  • Sizeable organizations should import the 802.1x standard to improve security of wireless connections, as it relies on access controls instead of shared passwords
  • Windows domain-based networks could count on the DirectAccess feature in order to allow secure remote access
  • A virtual private network (VPN) is still the best option when you cannot avoid using an untrusted wireless network

As a rule of thumb, regularly delete apps you do not need because it decreases your potential attack surface, among other things. The smaller the attack surface is, the lower the chance is for initial compromise of your system that may lead attackers to your data.

Do you know that corporate attack surfaces expand as staff use more and more unauthorized apps and even personal devices (think of BYOD threats) while they are on a company’s premises? One survey states that 76% of employees regularly access personal stuff on work devices even without the IT department’s permission. 

Fortunately, Windows 10 has the remedy to cure that prevalent shadow IT sprawl. Windows Defender Application Guard is a tool that makes visiting untrusted websites possible via an isolated virtual container, as it blocks the access to vital system resources. In addition, a feature named S mode can limit the installation of apps to those available on the Microsoft Store.

Controlled Folder Access is one more item from the “toolshed” of Windows 10 that protects data by disallowing unauthorized apps, including malicious executable files, scripts and DLLs, to access files. In essence, this application locks down folders, giving file access only to authorized apps. Like Secure Boot (whose purpose is to safeguard the UEFI/BIOS), Controlled Folder Access is just another excellent measure at your disposal to limit the potential damage caused by ransomware. This feature is available in all editions of Windows 10.

According to Microsoft, "[a]ttackers use data corruption techniques to target system security policy, escalate privileges, tamper with security attestation, modify “initialize once” data structures, among others." 

That might be the reason why the tech giant is developing a new feature that will improve Windows 10 system security. Kernel Data Protection (KDP) will prevent data corruption by enhancing security at particular kernel points as well as some Windows 10 drivers in read-only memory. Note that KDP is part of the virtualization-based security, as it functions through isolating, inside a virtual secure mode, a secure region of memory from the normal OS to create read-only sections of the kernel memory, the effect of which is that the data within can be accessed but not modified.


It seems that Windows 10 offers data protection that is comprehensive enough to meet all compliance requirements and maintain user productivity at the same time.

No matter how secure Windows 10 is claimed to be, however, it would be unrealistic to not expect some vulnerabilities to emerge throughout its field application; that is, unless you have the National Security Agency at your side to tip you off before things go south for real.

Nevertheless, if you apply what Windows 10 offers to their clients even only in terms of backing up data and data encryption, you should do just fine against almost every threat that comes after your precious data resources.


  1. 6 steps to secure your Windows 10 machine, because security defaults aren't enough, CNET
  2. 7 Windows 10 security features that could help prevent cyberattacks against your business, TechRepublic
  3. 18 Reasons You Should Upgrade to Windows 10, PC Magazine
  4. A guide to Windows 10’s security features, IT Pro
  5. Fixed: "Encrypt Contents to Secure Data" Greyed Out Windows 10, AOMEI
  6. Here Are Some Windows 10 Security Guides to Safeguard Your PC!, MiniTool
  7. How to secure your PC after a fresh Windows installation, Heimdal Security
  8. How to Secure Windows 10, Online Tech Tips
  9. How To Secure Microsoft Windows 10 In Eight Easy Steps, Forbes
  10. Introducing the security configuration framework: A prioritized guide to hardening Windows 10, Microsoft
  11. Kernel Data Protection (KDP), the new feature that makes Windows 10 more secure, Information Security Newspaper
  12. NSA finds major security flaw in Windows 10, free fix issued, ABC News
  13. The Windows 10 Security Features to Consider in Cybersecurity Strategy, BizTech Magazine
  14. The Windows 10 security guide: How to protect your business, ZDNet
  15. Windows Defender vs Avast – Which is Best in 2020?, Showbox
  16. Windows 10 Security And Privacy Guide 2020, DefendingDigital
  17. Windows 10 improves security and data protection, Microsoft
Dimitar Kostadinov
Dimitar Kostadinov

Dimitar Kostadinov applied for a 6-year Master’s program in Bulgarian and European Law at the University of Ruse, and was enrolled in 2002 following high school. He obtained a Master degree in 2009. From 2008-2012, Dimitar held a job as data entry & research for the American company Law Seminars International and its Bulgarian-Slovenian business partner DATA LAB. In 2011, he was admitted Law and Politics of International Security to Vrije Universiteit Amsterdam, the Netherlands, graduating in August of 2012. Dimitar also holds an LL.M. diploma in Intellectual Property Rights & ICT Law from KU Leuven (Brussels, Belgium). Besides legal studies, he is particularly interested in Internet of Things, Big Data, privacy & data protection, electronic contracts, electronic business, electronic media, telecoms, and cybercrime. Dimitar attended the 6th Annual Internet of Things European summit organized by Forum Europe in Brussels.