Windows 8

What Windows 8 has done to improve security

Windows 8 is getting mixed reviews but there's no doubt that Microsoft has taken significant steps to improve security. Patrick Lambert describes the new features.

Windows 8 is coming, there's no question about that. A lot of people dislike it already, even though it just got released to manufacturers, and won't be available to new PC buyers for months. But so far, most of the reviews have centered around the user interface, or the new "Metro" screen. What about security, or more precisely, the security enhancements it brings that could be helpful to your business? If you work as an IT pro or a manager, then obviously the main thing you want to think about when considering an upgrade is how the new software will impact your users, which goes much deeper than what the start screen looks like. So now might be a good time to go over all the new security features that this OS provides, and how it differs from Windows 7 and the previous versions.

Windows 8 is similar to Windows 7 in many ways, but thanks to the new interface, and the need to redo a lot of the old code that used to be inside of the OS, Microsoft also took the time to improve security. When going from Vista to 7, or from 2000 to XP, there was only so much the company could do to improve the internal processes inside the OS, because it needed to keep everything as backward compatible as it could. But with a big leap, we see much bigger improvements under the hood. This happened when we went from XP to Vista, and it seems Windows 8 now has a lot of improvements as well. In fact, Windows 8 is one of the many things hackers at the latest Black Hat and DEF CON conferences went against, trying to break the OS open, and this latest Windows version came out on top.

Windows 8 improvements

The first one is Secure Boot, which helps protect against low-level exploits and rootkits. Basically, Secure Boot is a security process shared between the OS and the UEFI firmware (the replacement for the BIOS), where PC makers will be adding verification code that requires the whole boot sequence to be signed with digital certificates. From the moment you press the power button, all the way to the login screen, you will be certain that everything is being loaded as it should be. One of the more malicious types of malware is the rootkit, because it can place itself deep inside your system and get loaded during the boot process before Windows has a chance to load -- never mind any of the antivirus programs you may be running. Secure Boot prevents this type of exploit. In a corporate environment, there's no question that this will help and should be turned on everywhere. Some people have complained about Secure Boot, because it will be mandatory for all PC makers that want the Windows logo on their machines, and when turned on, it prevents any other OS from being installed, such as Linux or FreeBSD. However, PC makers have made it clear that users will be able to turn it on or off inside the UEFI options, just not on ARM-based machines.
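A simplified model of the verified boot chain described above, as an added example that is not from the original article or from Microsoft: it checks SHA-256 image hashes against an allow list (db) and a revocation list (dbx), which UEFI supports alongside certificates, in place of real certificate signature checks. The class, function and image names are hypothetical, the images are constructed, and the revocation case goes slightly beyond what the article covers.

```python
import hashlib
from dataclasses import dataclass, field

def sha256_hex(image: bytes) -> str:
    return hashlib.sha256(image).hexdigest()

@dataclass
class Firmware:
    """Hypothetical model of the UEFI signature databases."""
    db: set = field(default_factory=set)    # allowed image hashes
    dbx: set = field(default_factory=set)   # revoked image hashes
    secure_boot: bool = True

    def verify(self, image: bytes) -> bool:
        if not self.secure_boot:
            return True                      # nothing is checked
        h = sha256_hex(image)
        return h not in self.dbx and h in self.db   # dbx wins over db

def boot(fw: Firmware, chain: list) -> tuple:
    """Load stages in order; stop at the first image that fails verification."""
    loaded = []
    for name, image in chain:
        if not fw.verify(image):
            return False, loaded, name       # boot halts; name is the rejected stage
        loaded.append(name)
    return True, loaded, None

# Constructed sample images standing in for real boot binaries.
BOOTMGR = b"constructed boot manager v2"
OLD_BOOTMGR = b"constructed boot manager v1 (known vulnerable)"
LOADER = b"constructed OS loader"
KERNEL = b"constructed kernel"
BOOTKIT = b"constructed rootkit stage"

def make_firmware(secure_boot: bool = True) -> Firmware:
    fw = Firmware(secure_boot=secure_boot)
    fw.db = {sha256_hex(i) for i in (BOOTMGR, OLD_BOOTMGR, LOADER, KERNEL)}
    fw.dbx = {sha256_hex(OLD_BOOTMGR)}       # revoked after a fixed version shipped
    return fw

CLEAN = [("bootmgr", BOOTMGR), ("loader", LOADER), ("kernel", KERNEL)]
INFECTED = [("bootmgr", BOOTMGR), ("bootkit", BOOTKIT), ("loader", LOADER), ("kernel", KERNEL)]
ROLLBACK = [("bootmgr", OLD_BOOTMGR), ("loader", LOADER), ("kernel", KERNEL)]

if __name__ == "__main__":
    for label, chain in (("clean", CLEAN), ("infected", INFECTED), ("rollback", ROLLBACK)):
        print(label, boot(make_firmware(), chain))
    print("infected, Secure Boot off", boot(make_firmware(False), INFECTED))
```

With Secure Boot on, the chain halts at the first image that is unknown or revoked; with it off, the same infected chain loads in full.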

Another security improvement in Windows 8 and Internet Explorer 10 is called SmartScreen. This is a new system where Microsoft will be keeping track of all downloads from the Internet. When you go and get a program online, the SmartScreen filter will look at it, and see if others have downloaded it as well. Then, the rating it gives will be based on how popular that particular piece of software is, and whether any malware was detected in it. If SmartScreen is turned on, and you download something that has a low rating, a message will appear, warning you of the dangers. This can be very good to prevent phishing attacks, where a user may think he's downloading a certain popular program, but instead has been duped into downloading something else. SmartScreen will help stop that. Again, there are complaints about this feature as well. If you're a small, independent developer, you won't have a high rating for your new updates. The way to make sure your users don't get a scary warning when downloading them is to get an approved digital certificate and get your apps signed. However, this is one more step required for developers in order to make Windows-approved software.

Metro apps are also safer than traditional Windows apps because, like apps on any modern smartphone, each one runs inside its own sandbox. That means these apps cannot access the whole system like traditional apps could, and there are more checks being done against them. Also, because Metro apps will all be sold exclusively through the Microsoft store, the company will be able to check them before they get onto users' machines.

Windows 8 also includes an easy-to-use option to restore your entire system to a previous, safe state. While there have always been ways to do that in the past, Windows 8 makes it a lot easier for the user. If something does infect your system, you can reinstall a clean OS in just a few clicks.

Finally, Internet Explorer 10 also has increased security by running plugins in their own sandboxes, and breaking tabs into different processes as well.

Overall, Windows 8 is shaping up to be a good improvement on the security landscape. Does this mean it will be foolproof, or that you should upgrade all your corporate systems right away? Obviously not. It takes time for malware authors to poke at any new software and find holes. Also, upgrading to a new OS, especially one that has such a drastically different user interface, is about more than just looking at the security model. If users are confused as to how to do common tasks using the new Metro interface, that could cause a lot more nightmares for the support staff than having to deal with malware. But at least for now, we know that Microsoft is doing the right thing when it comes to security under the hood of Windows 8.

About

Patrick Lambert has been working in the tech industry for over 15 years, both as an online freelancer and in companies around Montreal, Canada. A fan of Star Wars, gaming, technology, and art, he writes for several sites including the art news commun...

17 comments
Nebbie2

The isolation of "apps" is good (one step closer to Linux security), but I get the feeling that it's gonna be just like Win 7: everything wants to mess with stuff outside the allowed areas and I have to click a message that comes up. Secure boot goes about things in a way that leaves alternative OSes to rely on Microsoft, or removing a security layer (you can't get more FUD than making your average computer user have to decide to disable security they didn't know about). The rest of this is IE10 stuff. While IE is integrated into Windows, we can use alternatives and IE can be used on previous Windows versions. Its security shouldn't be counted among Windows 8 improvements. Also, Avast! Antivirus already has that popularity/safety rating thing as a plugin, tho it does it for the site. It's not a revolutionary feature.

viProCon

I'm sorry but did I miss something? SmartScreen filter has been kicking around forever. I know IE8 has it, can't remember if IE 7 did. Not once in several years has it ever flagged a file. Also on that note, the Malicious Software Removal Tool has never flagged anything either. I work in IT, have seen a variety of viruses on systems, and never once has any Microsoft filter or tool found any of them. And I fully agree with the statements that Windows would need a ground-up reinvention towards security. Secure Boot using certificates is a very neat concept but doesn't the Flame example highlight how this isn't so powerful? Of course perhaps if everybody would stop using SHA1 in their certificates and move onto something the NSA has not discontinued perhaps keys and signatures would be stronger. By the way, I'm no expert on BIOS and hardly know anything about UEFI design but I thought viruses could infiltrate BIOS code? What's to stop an in-OS exploit from updating the UEFI to hook in some rootkit that subverts Secure Boot after POST?

pbug56

It's so nice that Win 8 will be more secure. But outside of touchscreen systems for idiots and for POS, and for pads and supposed smart phones, no one has any good reason to go to Win 8, and many new PC buyers will only want Win 7.

Deadly Ernest

Back in the mid 1990s Microsoft announced a whole raft of security measures to make your computing experience more secure and safe, but it also ensured that ALL users had vendor lock-in with Microsoft software as it would only talk to other such secure Microsoft systems - they called it Palladium, and it got shot down in flames on many issues. Part of that is what is now being called Secure Boot and is just another part of Palladium by stealth. The worst aspect of all this is the majority of the security issues they claim to be trying to protect you from via this are ones that will NEVER be fixed until Microsoft go back to their core code and rewrite Windows from the core out with security in mind and NOT incorporate back-doors for their own applications or embed applications within the core kernel such as GUI and browser apps. When that happens, then you can say Microsoft are getting serious about providing some security. All Secure Boot does is set up the system so you cannot load another OS onto it at any time.

Rexxrally

Don't call them "Metro Apps", you'll get your hand slapped by Microsoft. You have to call them "The Apps Formerly Known As Metro". ;-)

andrew232006

Windows didn't need more security features/checks for viruses or post infection fixes. It needs a complete re-design of how it handles security from the core. It's not something that can be tacked on after they program their shiny new features. Ok, so it limits the permissions of third party software. But what about the monthly security vulnerabilities in Windows/IE that allow a remote attacker to take complete control of my system?

Joe_Wulf

When the preponderance of patches/updates for every OS found via Windows/Microsoft Update, for 3 solid years are NOT security related, then Microsoft can be determined to have 'gotten it right' for OS security. That is a simple 51% margin.

Craig_B

SmartScreen Filter is already built into IE9. This feature is OK but not great. I think many people will end up running IE10 in desktop mode which does not have as much isolation as Metro based IE/apps. I wonder how many vendors will rewrite apps as Metro apps, especially as that means Microsoft will take a cut of their profits.

mark

You said it correctly, you don't know much about UEFI. The encryption key protects the BIOS from malicious activity. That is the main purpose for the cert, to provide a secure process where w/o a key not only can the application not inject the BIOS with nasties but it can't even run on the OS. I applaud boot signing as it has protected Unix systems for many years and it does work just like millions and millions of SSL and SSH keys on mission critical servers worldwide.

eaglewolf

I had a laptop on order - ultrabook - and it was being customized (improved). I was getting Windows 7 on a clean install. And this was ordered and paid for a week in advance of the release of Win8. The company advised me today that the manufacturer was ONLY sending out machines with Win8 - and it was locked in. There was no option to 'retro' to Win7. Yes, while many new PC/laptop buyers may want Win7, between the manufacturer and Microsoft, you're plain out of luck. I don't like that one bit - it's manipulating usage stats so Microsoft can say how 'wonderful Win8 is' and how 'everybody wants it.'

mark

Unless the system is a very low cost netbook you will be able to turn off UEFI and install any OS just like you do today. People demanded that MS secure their systems and then people cry that it is too secure. LOL

Deadly Ernest

Have them cancel the order and shop around more. I'm sure once the vendors get enough cancelled orders they'll act on it, they did that with the Win Vista to XP problem. Yes Win 8 has UEFI on it and it can be locked down, it's supposed to be unlockable on all versions of Win 8 except Win 8 RT, thus it should be possible to blow it away and load what you want.

Deadly Ernest

First - Secure boot is NOT about making the computer secure against a virus or a trojan, it's about locking the boot sector down so nothing else can be loaded on.

Second, security in Windows will only come about when the operating system itself is made secure, not the hardware. A trojan that takes over control of the software will still work with Secure Boot running.

Third, what I said about Microsoft's intentions is true. Here's what the wiki UEFI article has to say on this part of the issue with Win 8:

quote

In December 2011, Microsoft released a document about hardware certification of OEM products: Windows Hardware Certification Requirements, [41] confirming significantly different requirements regarding secure boot for the x86/x86-64 architecture and the ARM architecture. It has been revised several times since being issued. As of July 30 2012, the document requires that x86 and x86-64 devices have "secure boot" enabled by default. However, it requires that the firmware include an option to disable secure boot, and also a custom secure boot mode that provides the ability to add cryptographic signatures from vendors other than Microsoft. ARM devices are required to have secure boot enabled by default, and are required not to provide either an option to disable it, nor a custom mode that allows the user to add alternate signatures.

end quote

source is http://en.wikipedia.org/wiki/Uefi

Microsoft requires that ALL devices be supplied with Secure Boot installed and activated by default, that ARM devices have it so it can NOT be deactivated at all. As we all know the average user doesn't know what a BIOS is let alone how to work with it, so they'll never be able to go into the BIOS to deactivate it. So it effectively becomes a permanent activation except for the few cases where a knowledgeable tech gets involved and turns it off, which will be very rare.

In short, it does NOT make Windows 8 safe against most trojan or virus attacks, while it does restrict the ability of loading other software. By promoting it as making Windows 8 more secure the way they are, the average user will think it provides protection against most trojans and virus attacks.

Deadly Ernest

You may have to end up buying something on-line, what breed is it? I'd also have the store jump on the manufacturer as they have no legal right to deny you access to make legitimate changes to the system. If the vendor refuses to provide what's ordered or the code to allow it to be set up right, I'd not be dealing with them any more and make it public why - big sign in shop front window. The HP website still has a bunch of notebooks etc with Win 7 on them - their website allows you to select the OS up front. http://www.hp.com/united-states/campaigns/envy14-spectre/index.html

eaglewolf

Where I was buying from was the only place that offered hardware/software improvements - and no bloat. That had value to me. They indicated the manufacturer would not release the key to unlock the o/s install - they tried already. Most places I've been to - brick and mortar - have sold down all their stock that still had Win7 on it. And no company would ship them any stock with Win7. You were left with what hadn't sold yet and that was generally low-end product. I haven't specifically asked 'in-store' if a unit could be retro-ed. I'll try that this weekend just out of curiosity.
