Windows

What you should know about Windows 8 security features

Alfonso Barreiro takes a detailed look at all the security features available in each edition of Windows 8, including what's brand new, improved, and carried over from previous versions.

This post was originally published in May 2012.

Ever since Microsoft committed itself to its Trustworthy Computing program, each new version of Windows has introduced new security features and significantly improved its security posture. Windows 8 is no different, but this fact appears to be lost in the coverage it has received, due mostly to the criticism aimed at its new UI and the polarizing effect it has. Here, we will take a look at some of the different security features it will offer and in which of its editions you will find them.

Please note that Windows 8 is still in development and the features described here could be subject to change by the time it's released.

Windows 8 base security features

These features will be available to all versions of Windows, regardless if it's the home-oriented Windows 8 or the business-oriented Pro and Enterprise:

UEFI Secure Boot support

Despite some controversy regarding this feature because of potential problems it can cause in some scenarios, Secure Boot is a very important new security characteristic included in this version of Windows. UEFI (Unified Extensible Firmware Interface - currently in version 2.3.1) is intended to replace the traditional BIOS (Basic Input Output System) as the next-generation firmware interface for PCs. When Secure Boot is enabled, it can make Windows 8 very resistant to low-level malware such as rootkits. With Secure Boot the operating system will validate the digital signature of all boot components up to the antimalware driver to detect any tampering. If a component is not signed correctly (it's been tampered with), the Windows  Recovery Environment will start and attempt to fix the operating system. A rootkit usually tampers key operating system files and becomes active during the boot process, before many anti-malware defenses are enabled. Secure Boot will detect any type of tampering and prevent the rootkit from loading. Organizations that deploy Windows 8 will probably want this feature enabled and prevent users from disabling the feature.

SmartScreen filter

The SmartScreen technology debuted in Internet Explorer, and it is now being extended to the operating system itself. In tests from NSS Labs, this feature has been shown to be the best among modern browsers for detecting and blocking socially-engineered malware. SmartScreen has an URL reputation system and a file/application reputation system. The URL reputation system is intended to protect the user against phishing and socially engineered attacks. The file reputation system tracks file downloads and verifies their respective reputations. If a file has been previously identified as malicious, it's blocked, showing messages such as these:

Figure A

Click to enlarge.

If it's a new file, or the system doesn't recognize it, it shows a warning similar to this:

Figure B

Click to enlarge.

For unknown files, it's possible at this point for users to bypass these warnings and open suspicious files anyway, but there will be administrative controls available so these warnings cannot be ignored.

Integrated anti-malware/Windows Defender

Windows 8 will include a full anti-malware solution, as Windows Defender will now incorporate the antivirus features from the Microsoft Security Essentials solution. This version of Windows Defender will also have improved performance and a smaller memory/CPU footprint. Organizations will probably want to replace it with their selected anti-malware product though. Organizations should start asking their incumbent anti-malware vendors about their plans to support Windows 8 because compatible anti-malware solutions, when combined with Secure Boot, will be able to start actively defending the system from a known good environment faster, reducing potential blind spots in their coverage.

Picture Password

Picture Password is a new touch-based security login where the user selects a picture and then makes three touch gestures on top of it. The system will save the sequence of gestures as the user's "password" and then the user would repeat that sequence to log in. The gesture sequence is tied to the image to increase login security. For example, a user could select an image of two people and draw a smile in the face of one and touch each eye of the second. It sounds like an interesting alternative to traditional passwords, however, the robustness of the system remains to be seen.

Windows Reader

An interesting new security feature could be hidden in the Windows Reader, the new integrated document reader for Windows 8. This reader supports PDF documents, a format that has become very popular as an attack vector. Including a lightweight reader within the OS that would be patched using the regular Windows Update process could potentially increase the default security of the platform, by reducing the need of potentially insecure applications or plug-ins.

ASLR and exploit mitigations

Address Space Layout Randomization (ASLR) was introduced in Windows Vista and is essentially a technique to mitigate the infamous "Buffer Overrun" vulnerabilities by randomly moving the location of code and data in memory. In Windows 8 randomization is increased in order to foil known techniques for bypassing ASLR. Other mitigations include changes to the Windows kernel and heap, including new integrity checks and randomization using a similar approach to ASLR. Internet Explorer 10 will also benefit from these changes: besides including an "Enhanced Protected Mode" sandbox, there will be a "ForceASLR" option in IE10 that can randomize all modules loaded into memory by the browser, regardless if those modules did not opt in to use ASLR protection (developers can create modules that take advantage of ASLR protection by using the optional /DYNAMICBASE flag).

Windows 8 Pro security features

These following features will only be available to the business-oriented Pro and Enterprise versions of Windows 8:

Bitlocker and Bitlocker To Go

Bitlocker is the full-disk encryption solution Microsoft introduced in Windows Vista and then extended to removable drives with Bitlocker To Go in Windows 7. Not much has changed from the previous version, but it will now include the option of backing up the encryption key of Bitlocker To Go to a SkyDrive Account.

Encrypting File System

EFS is Microsoft's original solution for encrypting individual drives, folders or files. It was originally introduced nearly twenty years ago in the Windows NT family of products, but now it's been largely overshadowed by Bitlocker, Bitlocker To Go, and a number of free encryption alternatives.

Domain membership and Group Policy Objects

As usual, these two features are the ones that mostly differentiate the consumer version of Windows from the business-oriented version. The ability to become a member of an Active Directory domain is critical for a centralized managed environment. Once joined, administrators can create and apply Group Policy Objects to members of the domain and control many aspects of their operation, including security. Windows 8 introduces new policies specific to the new OS:

Figure C

Windows 8 Enterprise security features

Finally, organizations with Software Assurance agreements will have access to Windows 8 Enterprise, which includes the following security features:

Applocker

Applocker is Microsoft's solution for application control. This solution was introduced in Windows 7 and works with either blacklists or whitelists of applications. With Applocker, an administrator can create policies that restrict or allow specific applications from being installed or run by users. In Windows 8 Applocker evolves in order to manage both traditional desktop applications and the new Metro apps.

DirectAccess

Microsoft introduced DirectAccess as an alternative to VPNs for securely connecting PCs to corporate networks. DirectAccess connections don't require launching an additional application to connect and can help organizations maintain compliance on remote or mobile computers by applying policies and patches seamlessly. This feature doesn't appear to have changed much from the previous version introduced in Windows 7.

Windows To Go

With the rise of the "Bring Your Own Device" movement, Microsoft announced Windows To Go, a fully managed Windows 8 corporate image that administrators can provision on an external USB drive and can be booted from any x64 PC at any location, regardless of connectivity. As a fully corporate PC image, it can include management features such as Windows Update policies, corporate anti-malware solutions and Bitlocker. Currently, Windows To Go requires USB drives with at least 32GB and can only be booted from an x64 machine. Despite these limitations it can be a very useful feature for multiple scenarios, including organizations concerned with the security risks of BYOD initiatives and for disaster recovery scenarios.

About

I am a technology specialist with over 10 years of experience performing a variety of corporate IT functions, including desktop and server operations, application development, and database administration. My latest role is in information security, fo...

7 comments
cwarner7_11
cwarner7_11

What effects are these new security features going to have on those of us who have a need for dual boot configurations with multiple OS's?

Deadly Ernest
Deadly Ernest

all part of the Microsoft Total Vendor Lock-in Plan set out in Palladium about 15 years ago that got howled down by the tech community and now some have fallen prey to the PR that it's needed. I don't think the frogs have noticed the water warming up at all.

WIDW
WIDW

It is too early to comment on Windows 8 and it's security features. I saw a lot of articles about Windows 8 Defender and its features. I think this will really become a threat to other Virus Guard Developers and vendors. I like the feature they use when booting the OS (saw an article at vpswebserver http://www.vpswebserver.com/windows-vps/is-windows-8-secure?). But my concern is will this slow the PC? I like Windows 7 a lot since it is faster and user friendly. Windows 8 is targeting both Tablets and PCs (but in my opinion more into tablets). So people get a chance to use the same OS on both systems.

stubucks
stubucks

So how does UEFI handle VMs like VMWare? If VMWare, VirtualBox, etc. is installed first, then Windows 8, does the Secure Boot try to disable the VMWare? Is Secure Boot built into Window's hypervisor?

mperata
mperata

I have my network at Win 7 Pro/Ult and SBS 2011. The security updates available in Win 8 seem practical. Why not just sell me a package of security upgrades and forgot trying to get me to use a new UI paradigm.

spdragoo
spdragoo

The SecureBoot feature is included in the UEFI structure provided on the motherboard in place of old-style BIOS; Windows 8 has a product key that allows it to use the feature, but it's not exclusive to Windows 8. I would imagine, though, that if you're loading Windows 8 through a VM, then Windows 8 will load the same way as if you have it installed in a non-UEFI machine.

Editor's Picks