We're preparing for Windows 8, and specifically Windows 8 BYOD endpoints. Do you have any sense of what to expect security-wise from Windows 8 tablets? We're trying to get out in front of them and make an "allow all" policy decision before they become the latest bring-your-own-device appliances we see on the network.
Windows 8, the upcoming version of Microsoft Windows, will work on touchscreen tablets as well as traditional desktop and laptop PCs. All of the management and security features from Windows 7 will still be available, but there are additional security features and changes in this version to appeal to enterprises looking for suitable Windows 8 BYOD devices to allow on the network.
Windows Defender will incorporate the antivirus features from Microsoft Security Essentials, including an expanded set of malware signatures, so a full anti-malware package now comes as standard. Another anti-malware and antivirus control is the support for the secure boot feature of the Unified Extensible Firmware Interface (UEFI). The digital signatures of all boot components up to the anti-malware driver are validated when a device starts up to ensure they haven't been altered. If this check fails, the Windows Recovery Environment attempts to fix the operating system. This provides protection during the system startup process to prevent low-level malware such as rootkits from loading.
There are also improvements to Address Space Layout Randomization (ASLR) and the SmartScreen URL reputation technology. Microsoft sees SmartScreen as an effective control to protect users against phishing and socially engineered attacks. The file-reputation system tracks file downloads and verifies their respective reputations. Administrative controls can ensure users cannot ignore warnings when opening suspicious files. Together, these two controls make it more difficult for software exploits to gain a foothold on a system.
Ask a question
SearchSecurity.com expert Michael Cobb is standing by to answer your questions about enterprise application security and platform security. Submit your question via email: firstname.lastname@example.org.
Picture password is a new touch-based security logon feature that requires a user to select a picture and then make three touch gestures on top of the image. The system saves the sequence of gestures as the user's password; it's a similar concept to Android’s pattern-screen lock. I am particularly interested in seeing the integrated document reader, called Modern Reader, which is potentially a more secure alternative to Adobe PDF readers. It may remove the need for Adobe's stand-alone patching process, as it will become part of Windows Update patching. As Adobe Reader has been a security headache for enterprises for years, Modern Reader could prove a positive step for security.
Pro and Enterprise versions of Windows 8 include full-disk and removable drive encryption provided by BitLocker and BitLocker To Go, and those with Software Assurance agreements will also have access to AppLocker. In Windows 8, AppLocker can manage both traditional desktop applications and the new Windows 8 apps, formerly called Metro. AppLocker can control which apps a user can run and which files those apps can access. For enterprises preparing for Windows 8 tablets to show up on networks as BYOD appliances, Windows 8 does include remote wipe functionality and Windows To Go, which gives administrators the ability to create a full, managed corporate Windows 8 image, along with users' business apps, data and settings, on a USB device. End users can then plug that USB stick into their own device to run a corporate Windows 8 desktop.
Although Windows 8 has now been finalized, the global launch date is not until Oct. 26, and Microsoft has said it may still make changes depending on test user feedback. Enterprises will need to review the full specs of any Windows 8 devices they plan to buy, as different vendors will provide varying device specs. Dell, for example, is tipped to include a TPM security chip and a lock slot, as well as an optional fingerprint or smart card reader, BitLocker support, and Dell Data Protection, to appeal to enterprise buyers.
This was first published in September 2012