This post was originally published in May 2012.
Ever since Microsoft committed itself to its Trustworthy Computing program, each new version of Windows has introduced new security features and significantly improved its security posture. Windows 8 is no different, but this fact appears to be lost in the coverage it has received, due mostly to the criticism aimed at its new UI and the polarizing effect it has. Here, we will take a look at some of the different security features it will offer and in which of its editions you will find them.
Please note that Windows 8 is still in development and the features described here could be subject to change by the time it’s released.
Windows 8 base security features
These features will be available to all versions of Windows, regardless if it’s the home-oriented Windows 8 or the business-oriented Pro and Enterprise:
UEFI Secure Boot support
Despite some controversy regarding this feature because of potential problems it can cause in some scenarios, Secure Boot is a very important new security characteristic included in this version of Windows. UEFI (Unified Extensible Firmware Interface - currently in version 2.3.1) is intended to replace the traditional BIOS (Basic Input Output System) as the next-generation firmware interface for PCs. When Secure Boot is enabled, it can make Windows 8 very resistant to low-level malware such as rootkits. With Secure Boot the operating system will validate the digital signature of all boot components up to the antimalware driver to detect any tampering. If a component is not signed correctly (it’s been tampered with), the Windows Recovery Environment will start and attempt to fix the operating system. A rootkit usually tampers key operating system files and becomes active during the boot process, before many anti-malware defenses are enabled. Secure Boot will detect any type of tampering and prevent the rootkit from loading. Organizations that deploy Windows 8 will probably want this feature enabled and prevent users from disabling the feature.
The SmartScreen technology debuted in Internet Explorer, and it is now being extended to the operating system itself. In tests from NSS Labs, this feature has been shown to be the best among modern browsers for detecting and blocking socially-engineered malware. SmartScreen has an URL reputation system and a file/application reputation system. The URL reputation system is intended to protect the user against phishing and socially engineered attacks. The file reputation system tracks file downloads and verifies their respective reputations. If a file has been previously identified as malicious, it’s blocked, showing messages such as these:
Click to enlarge.
If it’s a new file, or the system doesn’t recognize it, it shows a warning similar to this:
Click to enlarge.
For unknown files, it’s possible at this point for users to bypass these warnings and open suspicious files anyway, but there will be administrative controls available so these warnings cannot be ignored.
Integrated anti-malware/Windows Defender
Windows 8 will include a full anti-malware solution, as Windows Defender will now incorporate the antivirus features from the Microsoft Security Essentials solution. This version of Windows Defender will also have improved performance and a smaller memory/CPU footprint. Organizations will probably want to replace it with their selected anti-malware product though. Organizations should start asking their incumbent anti-malware vendors about their plans to support Windows 8 because compatible anti-malware solutions, when combined with Secure Boot, will be able to start actively defending the system from a known good environment faster, reducing potential blind spots in their coverage.
Picture Password is a new touch-based security login where the user selects a picture and then makes three touch gestures on top of it. The system will save the sequence of gestures as the user’s “password” and then the user would repeat that sequence to log in. The gesture sequence is tied to the image to increase login security. For example, a user could select an image of two people and draw a smile in the face of one and touch each eye of the second. It sounds like an interesting alternative to traditional passwords, however, the robustness of the system remains to be seen.
An interesting new security feature could be hidden in the Windows Reader, the new integrated document reader for Windows 8. This reader supports PDF documents, a format that has become very popular as an attack vector. Including a lightweight reader within the OS that would be patched using the regular Windows Update process could potentially increase the default security of the platform, by reducing the need of potentially insecure applications or plug-ins.
ASLR and exploit mitigations
Address Space Layout Randomization (ASLR) was introduced in Windows Vista and is essentially a technique to mitigate the infamous “Buffer Overrun” vulnerabilities by randomly moving the location of code and data in memory. In Windows 8 randomization is increased in order to foil known techniques for bypassing ASLR. Other mitigations include changes to the Windows kernel and heap, including new integrity checks and randomization using a similar approach to ASLR. Internet Explorer 10 will also benefit from these changes: besides including an “Enhanced Protected Mode” sandbox, there will be a “ForceASLR” option in IE10 that can randomize all modules loaded into memory by the browser, regardless if those modules did not opt in to use ASLR protection (developers can create modules that take advantage of ASLR protection by using the optional /DYNAMICBASE flag).
Windows 8 Pro security features
These following features will only be available to the business-oriented Pro and Enterprise versions of Windows 8:
Bitlocker and Bitlocker To Go
Bitlocker is the full-disk encryption solution Microsoft introduced in Windows Vista and then extended to removable drives with Bitlocker To Go in Windows 7. Not much has changed from the previous version, but it will now include the option of backing up the encryption key of Bitlocker To Go to a SkyDrive Account.
Encrypting File System
EFS is Microsoft’s original solution for encrypting individual drives, folders or files. It was originally introduced nearly twenty years ago in the Windows NT family of products, but now it’s been largely overshadowed by Bitlocker, Bitlocker To Go, and a number of free encryption alternatives.
Domain membership and Group Policy Objects
As usual, these two features are the ones that mostly differentiate the consumer version of Windows from the business-oriented version. The ability to become a member of an Active Directory domain is critical for a centralized managed environment. Once joined, administrators can create and apply Group Policy Objects to members of the domain and control many aspects of their operation, including security. Windows 8 introduces new policies specific to the new OS:
Windows 8 Enterprise security features
Finally, organizations with Software Assurance agreements will have access to Windows 8 Enterprise, which includes the following security features:
Applocker is Microsoft’s solution for application control. This solution was introduced in Windows 7 and works with either blacklists or whitelists of applications. With Applocker, an administrator can create policies that restrict or allow specific applications from being installed or run by users. In Windows 8 Applocker evolves in order to manage both traditional desktop applications and the new Metro apps.
Microsoft introduced DirectAccess as an alternative to VPNs for securely connecting PCs to corporate networks. DirectAccess connections don’t require launching an additional application to connect and can help organizations maintain compliance on remote or mobile computers by applying policies and patches seamlessly. This feature doesn’t appear to have changed much from the previous version introduced in Windows 7.
Windows To Go
With the rise of the “Bring Your Own Device” movement, Microsoft announced Windows To Go, a fully managed Windows 8 corporate image that administrators can provision on an external USB drive and can be booted from any x64 PC at any location, regardless of connectivity. As a fully corporate PC image, it can include management features such as Windows Update policies, corporate anti-malware solutions and Bitlocker. Currently, Windows To Go requires USB drives with at least 32GB and can only be booted from an x64 machine. Despite these limitations it can be a very useful feature for multiple scenarios, including organizations concerned with the security risks of BYOD initiatives and for disaster recovery scenarios.