In Windows 8, Microsoft expanded its support for embedded hardware security, bundled a full-blown security suite into the operating system, introduced Secure Boot and signed applications, and enabled alternate authentication schemes, to name a few measures. Some of the latest innovations are aimed specifically at enterprises, but there are plenty of improvements that end-users will notice right off the bat, too.
“After reviewing the layers of technologies used by Microsoft to protect Windows 8, it is our opinion that it is the most secure version of Microsoft Windows to date,” Aryeh Goretsky, a researcher at ESET, wrote in a whitepaper examining security technologies in Windows 8 released earlier this month.
Microsoft is offering three main versions of the new operating system. Windows 8 is the vanilla “home” edition, Windows 8 Pro includes features for businesses, such as support for Hyper-V, BitLocker, a virtual private network client and group policy support, and finally Windows RT is for ARM-powered devices.
Microsoft designed Secure Boot to protect the computer from low-level threats such as rootkits and malicious bootloaders. A security process shared between the operating system and the Unified Extensible Firmware Interface (UEFI, the replacement for the BIOS), Secure Boot requires every component that runs during the boot process to be pre-signed with a valid digital certificate. This way, the system knows that none of the files loaded before Windows 8 fires up have been tampered with.
If a malicious bootloader has infected your computer and tries to load during the boot-up sequence, Secure Boot will be able to undo all the changes and thwart the attack. Having Secure Boot means it is that much harder for attackers to compromise your PC’s start-up sequence.
While PC makers must have Secure Boot enabled in the UEFI firmware by default if they want to be able to slap the Windows logo on their box, the feature can be disabled within the UEFI interface. Anyone who wants to install a non-Windows operating system on Windows 8-certified hardware would first have to manually disable Secure Boot.
Microsoft decided to release Windows 8 with built-in antivirus. This is a much more robust application than Microsoft Security Essentials, the free anti-malware software that users could download and install manually in previous versions of the OS.
Windows Defender (Microsoft repurposed the name for the anti-malware product) is enabled by default, right out of the box, which means users have some form of security protection as soon as they turn on the machine. While it can’t be uninstalled, it can be disabled if the user wants to install a different security product from another vendor. In fact, Windows Defender must be disabled if you want to install a third-party security suite.
Loading the AV first
Regardless of whether you are using Windows Defender or a different anti-malware product, Windows 8 has tweaked its load process so that security software runs first. Early Launch Anti-Malware (ELAM) ensures that the first software driver loaded into Windows 8 is a driver from the user’s anti-malware software.
In previous versions, if the malware executed and was loaded into system memory before the operating system and the antivirus, it was difficult to detect and remove. Secure Boot prevents rootkits from interfering with the OS, and ELAM ensures that pre-approved anti-malware software drivers are loaded before any other application.
For now, whether or not it is effective is unknown, but Goretsky noted in the aforementioned whitepaper that the concept was “fundamentally sound.”
SmartScreen, originally an Internet Explorer security feature, is now built into Windows 8. When a user downloads a program or a file from the Internet, the SmartScreen filter checks whether other people have downloaded the same file. If so, the file has a rating based on its popularity and on whether it was considered malicious.
Users trying to download something with a low rating while SmartScreen is enabled will see a warning message. This can be good for detecting fake antivirus and other rogueware programs.
Since SmartScreen is now part of Windows 8, the filter will kick in regardless of what browser the user is running, not just Internet Explorer.
Picture Password is one of my favourite bits of Windows 8. The idea is that instead of relying on alphanumeric passwords, you can use pictures. When this feature is enabled, you select a photo from your image library and then define three gestures on the photo using any combination of circles, straight lines, and taps (using either touch or the mouse). It is also possible to switch to PIN-based authentication instead.
Apparently, the alternate authentication methods still need some tweaking, though. Earlier this month, password experts Passcape Software claimed that it was possible to recover passwords from Windows 8 systems with Picture Password enabled.
The problem was related to the fact that users need to have an account with a regular password before switching to the alternate authentication scheme. It turned out that when the switch was made, the regular password remained in the system and what’s more, it could easily be decoded to the original plaintext form by a user with administrator-level privileges who could access the Vault where the information is stored. Here’s hoping that Microsoft has fixed this issue, or a fix is imminent, as this seems a rare misstep for the new operating system’s across-the-board security improvements.
One of the invisible-to-the-user changes in Windows 8 is AppContainer, the more secure application sandbox environment where Windows 8 apps will reside. Designed to prevent apps from disrupting the operating system, AppContainer decides which actions are available to which apps.
Following the same logic, all Internet Explorer plugins run in their own sandboxes under Windows 8.
Apps will also be available through the new Windows 8 app store, which means Microsoft will be able to check beforehand for malicious applications. Only time will tell whether Microsoft will manage to successfully keep dodgy apps out of its store. The restore feature will at least make it easier to return to a previous safe state if malware does somehow manage to infect the machine.
Enterprise-specific security improvements
Samara Lynn, our networking expert, pointed out some of the enterprise-specific features in Server 2012 that would flow into Windows 8 and Windows 7 systems. Dynamic Access Control (DAC), which expands access control to cover a wider list of attributes, is one of them.
In previous versions, administrators could define who had access to files and folders on a per-user basis, or by creating groups and assigning permissions specific to those groups. In Windows 8, DAC allows administrators to use any of the data stored in Active Directory, such as personal information, device ID, logon method, or even location, to define access control rules.
Here is an example: Documents marked “confidential” or “private” are only accessible to members of the Human Resources division. In this case, in Server 2012, the administrator would create a claim that “confidential” and “private” would be accessible to people with the “Human Resources” attribute. There is no need to create a specific group for HR and add individual users to it. So long as the user in the Active Directory is defined as being part of HR, the access control rule would apply.
This definitely makes managing users and permissions much easier within the enterprise.
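The HR example above, expressed as a Dynamic Access Control configuration with the ActiveDirectory PowerShell module on Windows Server 2012. This is an added illustration, not configuration from the article or from Microsoft's documentation; it assumes users carry their division in the AD "department" attribute, and the claim, property, rule and policy names (and the claim/property IDs referenced inside the condition expressions) are assumptions to check against your own forest.

```powershell
# Added example (not from the article): the "only HR can read confidential or
# private documents" rule from the text as a DAC central access rule.
# Assumptions: the user's division lives in the AD "department" attribute; all
# display names and the claim/property IDs used in the conditions are illustrative.
Import-Module ActiveDirectory

# 1. User claim: the KDC issues a "Department" claim sourced from the department
#    attribute, so no dedicated HR group has to be created and maintained.
New-ADClaimType -DisplayName "Department" -SourceAttribute department -Enabled $true

# 2. Resource property: a secured, single-valued classification that file servers
#    stamp onto documents ("Confidential" / "Private" / "Public").
$vals = @("Confidential", "Private", "Public") | ForEach-Object {
    New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry($_, $_, "$_ document")
}
New-ADResourceProperty -DisplayName "Sensitivity" -IsSecured $true `
    -ResourcePropertyValueType MS-DS-SinglevaluedChoice -SuggestedValues $vals
Add-ADResourcePropertyListMember "Global Resource Property List" -Members "Sensitivity"

# 3. Central access rule. The resource condition selects documents marked
#    Confidential or Private. In the SDDL, owners (OW) and administrators (BA)
#    keep full control; the conditional ACE (XA ...) grants read/execute (0x1200a9)
#    to Authenticated Users only when the caller's Department claim is "Human Resources".
#    Confirm the IDs with Get-ADClaimType / Get-ADResourceProperty; generated IDs may
#    differ from the plain names assumed here.
$resourceCondition = '((@RESOURCE.Sensitivity_MS == "Confidential") || (@RESOURCE.Sensitivity_MS == "Private"))'
$acl = 'O:SYG:SYD:AR(A;;FA;;;OW)(A;;FA;;;BA)' +
       '(XA;;0x1200a9;;;AU;(@USER.Department == "Human Resources"))'
New-ADCentralAccessRule -Name "HR Confidential Documents" `
    -ResourceCondition $resourceCondition -CurrentAcl $acl

# 4. Wrap the rule in a central access policy. The policy is then pushed to file
#    servers through Group Policy and applied to folders from the Security tab;
#    adding a user to HR in AD is all it takes for the rule to cover them.
New-ADCentralAccessPolicy -Name "HR Documents Policy"
Add-ADCentralAccessPolicyMember -Identity "HR Documents Policy" -Members "HR Confidential Documents"
```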
Microsoft also added a few new Group Policy settings in Windows Server 2012. The settings could prevent new accounts from being created on the computer or lock a session if the machine is inactive for a specified period of time. Another policy automatically locks out users from accessing volumes that use BitLocker encryption after a certain number of failed login attempts.
Windows 8 will really push the hardware-based authentication capabilities of the Trusted Platform Module (TPM) to the forefront, Steven Sprague, the CEO of Wave Systems, noted. TPM makes a lot of sense if you stop to consider the increase in sophisticated rootkits and other malware that increasingly targets the hardware layer such as the Master Boot Record. TPM stores sensitive configuration data and credentials, making it possible to implement single sign-on and access to VPN. Device-based security could be used to log in users to the network, Sprague said. No passwords required.
Windows 8 machines can optionally ship with self-encrypting drives (SEDs), which provide businesses and security-minded end-users with hardware-based encryption that can never be turned off. SEDs are ready to go out of the box, protecting data right from the start. Hardware-based encryption also has less of an impact on performance.
Speaking of encryption, BitLocker also has a new feature that will allow users to encrypt only the parts of the disk that are in use, instead of encrypting the whole volume at once.
And there you have it – these are just some of the more obvious security changes Microsoft has made in Windows 8. There is plenty more under the hood that we will never notice, but that’s the way it should be, with these features chugging away in the background keeping users safe from attackers.