With the first wave of highly anticipated Windows 8 devices now landing on retailers' shelves, it's time for enterprises to think about the security implications of switching to Microsoft's new OS, as well as supporting consumer devices that use it.
Windows 8 has new security features and changes to some of those introduced in Windows 7 with the goal of further improving user protection and the OS's resistance to attack. In this tip, we'll analyze the most notable security features of Windows 8, including its antimalware capabilities and the Windows Store, and discuss how Microsoft's latest OS affects enterprise desktop and BYOD security.
Key security features in Windows 8
Windows 8 includes its own antimalware package, Windows Defender, which has been beefed up to incorporate the antivirus features from Microsoft Security Essentials, including an expanded set of malware signatures. Defender will only turn itself off if it detects an active third-party antivirus program that's receiving signature updates. While Windows Defender is fine for home users, most enterprises will want to continue using their own more robust and more familiar antivirus gateways or other antimalware systems, and in most cases that is indeed the recommended course of action.
Another slightly controversial antimalware control is Windows 8's Secure Boot, which provides protection during the system startup process to prevent low-level malware such as rootkits from loading. As part of the Secure Boot process, an Early Launch Anti Malware (ELAM) driver ensures that only known, digitally signed antimalware programs can load, preventing fake antivirus programs from executing during the startup process. Some antimalware vendors have complained that the ELAM driver doesn't allow them to integrate their full set of security features with Windows 8. However, if security software "rootkits" won't work, neither will malicious ones. In this expert's opinion, that's a good thing.
Other security features that have been upgraded in Windows 8 include Address Space Layout Randomization (ASLR) and SmartScreen Filter. ASLR's protection has been extended to cover legacy DLLs and offer increased randomization to eliminate predictable memory regions. SmartScreen Filter technology was introduced in Internet Explorer 8 as an extension of IE 7's phishing filter. It is enabled by default.
Microsoft's SmartScreen servers check each URL that is requested, and if the servers recognize it as being malicious, a warning message is displayed and access to the Web page is blocked. To offer the same level of protection throughout the operating system, Microsoft has integrated this technology into Windows 8, where it is called Windows SmartScreen. The first time a user runs any downloaded executable on Windows 8, its name and a hash of its contents are checked against a database of known malicious code. Windows then displays a warning if the file is deemed malicious. Tests have shown this to be an effective way to prevent users from downloading malware. Administrators can adjust the administrative controls so that users cannot ignore warnings and open suspicious files.
The Windows Store and application security
Microsoft has taken several steps to ensure tighter application security in Windows 8. For starters, Windows Sidebar and Gadgets, which contained serious security flaws, are not supported. Microsoft also uses sandboxing to isolate applications from each other, making it more difficult for an attacker to use a flaw or exploit against one application to attack others.
The creation of the Windows Store enables Microsoft to better control the legitimacy of applications users can install. Much like Apple's App Store, all applications in the Windows Store are reviewed prior to approval. While this whitelisting of apps makes it harder for attackers to get new malware onto users' machines, Windows 8 still supports legacy applications, with both the good and bad implications that entails. Enterprises should put policies in place that cover access to and use of the Windows Store. Employees should also be trained on policy updates and the new interface and features they will encounter once their desktops are upgraded.
While not all Windows 8 security features are embraced as warmly as others, administrators will welcome the arrival of Microsoft's integrated document reader, Modern Reader. Adobe Reader has been a huge hole in enterprise defenses, and Modern Reader is potentially a more secure alternative to Adobe's PDF reader. As it will be included in Windows Update patch cycles going forward, using Modern Reader in place of Adobe Reader may unburden some organizations that need to deal with Adobe's standalone patching process.
Pro and Enterprise versions of Windows 8 support full-disk and removable drive encryption by BitLocker and BitLocker To Go, and organizations with Software Assurance agreements gain AppLocker access. In Windows 8, AppLocker manages both traditional desktop applications and the new Windows 8 apps, controlling which apps a user can run and the files those apps can access. Administrators can create a full, managed corporate Windows 8 image, along with a user's business apps, data and settings, on a USB device. Users can then plug the USB stick into their machine to run an enterprise-configured Windows 8 desktop.
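To confirm that the controls described above are actually active on a given endpoint, the following read-only check (an added example, not part of the original article) reports Secure Boot, BitLocker, registered antimalware products, and whether AppLocker has rules for both desktop executables and Windows 8 apps. The function name Get-Win8SecurityPosture is hypothetical; the cmdlets it calls ship with Windows PowerShell on Windows 8, and it assumes an elevated session.

```powershell
# Added example: read-only posture check for the features discussed in this article.
# Assumes Windows PowerShell 3.0+ (the version shipped with Windows 8), run elevated.
function Get-Win8SecurityPosture {   # hypothetical helper name
    $r = [ordered]@{}

    # Secure Boot: the cmdlet throws on legacy BIOS systems or without elevation.
    try   { $r.SecureBoot = [string](Confirm-SecureBootUEFI -ErrorAction Stop) }
    catch { $r.SecureBoot = 'Not supported on this platform or access denied' }

    # BitLocker: protection state of the operating system volume.
    try {
        $v = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop
        $r.BitLocker = "$($v.ProtectionStatus), $($v.EncryptionPercentage)% encrypted"
    } catch { $r.BitLocker = 'BitLocker cmdlets unavailable or access denied' }

    # Antimalware: products registered with Security Center. Shows whether
    # Windows Defender or a third-party product is the registered scanner.
    try {
        $av = Get-WmiObject -Namespace 'root\SecurityCenter2' `
                            -Class AntiVirusProduct -ErrorAction Stop
        $r.Antimalware = ($av | ForEach-Object { $_.displayName }) -join '; '
    } catch { $r.Antimalware = 'Security Center not queryable' }

    # AppLocker: the effective policy should carry rules for desktop
    # executables (Exe) and for Windows 8 apps (Appx), not just one of them.
    try {
        [xml]$policy = Get-AppLockerPolicy -Effective -Xml -ErrorAction Stop
        foreach ($type in 'Exe', 'Appx') {
            $c = $policy.AppLockerPolicy.RuleCollection |
                 Where-Object { $_.Type -eq $type }
            $r["AppLocker$type"] = if ($c) {
                "$($c.EnforcementMode), $($c.ChildNodes.Count) rule(s)"
            } else { 'No rule collection configured' }
        }
    } catch { $r.AppLocker = 'Effective policy could not be read' }

    [pscustomobject]$r
}

Get-Win8SecurityPosture | Format-List
```

An AppLocker collection reported as AuditOnly or NotConfigured logs or ignores launches rather than blocking them, so an "Enabled" Exe collection alongside a missing Appx collection leaves Windows 8 apps unmanaged.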
Final verdict on Windows 8 security
According to the philosophy behind Microsoft's Trustworthy Computing Security Development Lifecycle, each new release of Windows should be more robust than the last. Microsoft has again achieved that goal with the release of Windows 8. Security controls also make it a suitable OS for BYOD devices; Windows 8 works on both touchscreen tablets and traditional desktops. It's an OS for mobile devices with which administrators are familiar.
This may well accelerate calls for its deployment as enterprises can leverage their existing knowledge of Windows-based security systems and resources to enforce better data security. Regardless of an enterprise's stance on BYOD devices, though, the security essentials behind Windows 8, if harnessed properly, should improve enterprise desktop security.
About the author:
Michael Cobb, CISSP-ISSAP, is a renowned security author with more than 15 years of experience in the IT industry and another 16 years of experience in finance. He is the founder and managing director of Cobweb Applications Ltd., a consultancy that helps companies to secure their networks and websites, and also helps them achieve ISO 27001 certification. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications. Michael is also a Microsoft Certified Database Administrator and a Microsoft Certified Professional.