What is the difference between Windows RT and Windows 8 security? Can we generally make the same preparations for both versions of the Windows OS to arrive on the network, or are there platform-specific security concerns that we should prepare for?
SearchSecurity.com expert Michael Cobb is standing by to answer your questions about enterprise application security and platform security. Submit your question via email at firstname.lastname@example.org.
There certainly are some key differences between Windows RT and Windows 8, and some dictate how best to protect each type of device. Although Windows RT looks and feels just like Windows 8, it is designed specifically for mobile devices running ARM processors, such as the Microsoft Surface tablet, and administrators need to be aware of some significant security differences.
Unlike users of other versions of Windows, Windows RT users can only run software that is certified by Microsoft and downloaded from the Windows Store. Users cannot install code from any other source, apart from their own company store, which should improve security by preventing users from downloading, installing or running malicious applications. However, because apps have to be specifically compiled to run on Windows RT, existing apps must be updated. There isn't an emulation layer that allows an organization to run legacy code.
Windows RT includes a free copy of Office for Windows RT. However, Windows RT licensing is for home and student use only, so businesses must buy a commercial license to use Windows RT's Office apps. While supporting most of the functionality found in standard versions of Office, RT doesn't support macros or tools that rely on ActiveX controls. This is good from a security standpoint. Another security plus is that Flash only runs on sites approved by Microsoft. Also, users do not have the option to disable Unified Extensible Firmware Interface (UEFI) Secure Boot on Windows RT systems. This means that only digitally signed UEFI bootloaders can be executed at system boot, which prevents bootkits from being able to take over the device.
Although Windows RT devices do have Virtual Desktop Access rights, they lack support for Group Policy and domain membership. Combine this with the fact that the pre-installed Office 2013 RT doesn't include Outlook, and organizations are faced with a complex task of trying to enforce security and acceptable usage policies while managing access to enterprise email and calendars.
Don't overlook the advantage of having a single business OS for both tablets and PCs, but if you want to deploy Microsoft's Surface tablet, consider the Surface Pro tablet instead. The Surface Pro runs the full version of Windows 8 Pro on a traditional Intel CPU and is far more appealing to administrators who want to more easily enforce a BYOD policy, because these devices can join a domain and participate in Group Policy-enforced settings.
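The three properties the answer uses to separate the platforms (ARM processor, UEFI Secure Boot state and domain membership) can be read from a device with built-in cmdlets. The following is an added example, not part of the original article; the function name `Get-DevicePosture` and the wording of its output fields are hypothetical, and it assumes PowerShell 3.0 or later run from an elevated prompt.

```powershell
# Added example (not from the original article): report the properties the
# answer above uses to distinguish Windows RT from Windows 8 Pro devices.
function Get-DevicePosture {
    $cpu = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1
    $cs  = Get-CimInstance -ClassName Win32_ComputerSystem
    $os  = Get-CimInstance -ClassName Win32_OperatingSystem

    # Win32_Processor.Architecture codes: 0 = x86, 5 = ARM, 9 = x64
    $arch = switch ($cpu.Architecture) {
        0       { 'x86' }
        5       { 'ARM' }
        9       { 'x64' }
        default { "other ($($cpu.Architecture))" }
    }

    # Confirm-SecureBootUEFI returns $true or $false on UEFI firmware.
    # It throws on legacy BIOS systems and when run without elevation,
    # so record the error text instead of assuming a state.
    try {
        $secureBoot = [string](Confirm-SecureBootUEFI -ErrorAction Stop)
    }
    catch {
        $secureBoot = "Undetermined: $($_.Exception.Message)"
    }

    # Domain Group Policy only reaches domain-joined machines.
    $joined = [bool]$cs.PartOfDomain
    $management = if ($joined) {
        'Domain-joined: domain Group Policy can apply'
    } else {
        'Not domain-joined: policy must be enforced another way'
    }

    [pscustomobject]@{
        ComputerName = $cs.Name
        OS           = $os.Caption
        Architecture = $arch
        SecureBoot   = $secureBoot
        DomainJoined = $joined
        Domain       = $cs.Domain   # workgroup name when not joined
        Management   = $management
    }
}

Get-DevicePosture | Format-List
```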
This was first published in February 2013