Microsoft released the Windows 8.1 Enterprise preview. Is there anything noteworthy about Windows 8.1 security?
Ask the Expert
Do you have an application security question for Michael Cobb? Email it now! (All questions are anonymous
Windows 8.1 Enterprise reflects Microsoft's continued efforts to provide the security features and tools corporate IT managers need to effectively manage today's diverse network endpoints, users and devices. Many of the enhanced or new Windows 8.1 security capabilities focus on supporting bring your own device (BYOD) scenarios. The most notable new data security features aim to simplify the tasks of data encryption and remote data removal from employee-owned devices. In addition, Window 8.1 security includes biometric and multifactor authentication support for improved access control.
Although password-based authentication has been broken for some time, finding an alternative that's acceptable to users has proved elusive. In an attempt to make two-factor authentication less frustrating, Windows 8.1 security supports virtual smartcards, turning a device into the second security factor. By employing two-factor authentication, Windows 8.1 devices -- including Windows RT tablets -- can take advantage of a feature called Workplace Join. This removes the need for users to fully join a domain and cede control of their device to the IT department while it allows Windows Server R2 to ensure that only registered and trusted devices access secured enterprise data. Windows 8.1 Enterprise also offers improved support for biometric authorization, enabling more affordable fingerprint sensors to be embedded in a keyboard, notebook casing or tablet bezel, which greatly reduces reliance on passwords. Users should appreciate being able to use biometric-based authentication whenever they encounter a Windows credential prompt.
Windows 8.1 Enterprise also makes it easier to manage users who connect to enterprise resources via a VPN. Microsoft's DirectAccess technology ensures that attempts to access corporate resources can be set to automatically trigger a VPN connection if they require one. DirectAccess also keeps track of security policies and automatically updates remote computers with current security software and policy updates.
Malware resistance has also improved in Windows 8.1 Enterprise. Windows Defender now supports network behavior monitoring, which actively scans for malware and hostile behaviors in memory, the registry or the file system before potentially harmful code can execute. Internet Explorer 11 can also have binary extensions, such as ActiveX, scanned for malware before code is executed. Selective Wipe, a remote data removal management component, purges corporate data from employee-owned devices while leaving personal data intact. Administrators can also revoke encryption keys on specific files or remotely revoke all keys to block access if a device is lost or a user leaves the company.
Another plus: Windows 8.1 security features give IT departments a lot more control over OS appearance on user devices. It also strengthens application security: Device Lockdown limits access in the Windows Store to only approved apps while Assigned Access limits access to a particular app for a set period of time (a one-off sales campaign app, for example). Additionally, Start Screen lockdown allows administrators to turn Windows 8.1 devices into kiosks, booting into specific Metro apps. These controls limit device customization, which helps reduce the number of user-initiated infections. Open Mobile Alliance Device Management, or OMA-DM, capabilities have been built into version 8.1 so devices can be managed by both Microsoft and third-party management tools, such as MobileIron or AirWatch, without the need for an additional client agent.
Microsoft-based infrastructure administrators will definitely want to look at this version of Windows, particularly if they are struggling with BYOD and secure access to internal networks. The Windows 8.1 Enterprise Preview is available for enterprise customers to begin deploying on test machines. It's important to note that by 2015 machines will need to support TPM 2.0, an update to the Trusted Platform Module security specification, to be Windows 8.1 certified.
This was first published in January 2014