Windows 8 is getting mixed reviews but there's no doubt that Microsoft has taken significant steps to improve security. Patrick Lambert describes the new features.
Windows 8 is coming, there's no question about that. A lot of people dislike it already, even though it just got released to manufacturers, and won't be available to new PC buyers for months. But so far, most of the reviews have centered around the user interface, or the new "Metro" screen. What about security, or more precisely, the security enhancements it brings that could be helpful to your business? If you work as an IT pro or a manager, then obviously the main thing you want to think about when considering an upgrade is how the new software will impact your users, which goes much deeper than what the start screen looks like. So now might be a good time to go over all the new security features that this OS provides, and how it differs from Windows 7 and the previous versions.
Windows 8 is similar to Windows 7 in many ways, but thanks to the new interface, and the need to redo a lot of the old code that used to be inside of the OS, Microsoft also took the time to improve security as well. When going from Vista to 7, or from 2000 to XP, there were only so many things they could do to improve the internal processes inside the OS, because they needed to keep everything as backward compatible as they could. But making a big leap, we're seeing much bigger improvements under the hood. This happened when we went from XP to Vista, and it seems Windows 8 now has a lot of improvements as well. In fact, Windows 8 is one of the many things hackers at the latest Black Hat and DEF CON conferences went against, trying to break the OS open, and this latest Windows version came out on top.
Windows 8 improvements
The first one is Secure Boot, which helps protect against low-level exploits and rootkits. Basically, Secure Boot is a security process shared between the OS and the UEFI (the BIOS), where PC makers will be adding a special detection code that will require the whole booting sequence to be signed with digital certificates. From the moment you press the power button, all the way to the login screen, you will be certain that everything is being loaded as it should be. One of the more malicious types of malware are rootkits, because they can place themselves deep inside your system, and get loaded during the boot process before Windows has a chance to load up -- never mind any of the antivirus programs you may be running. Secure Boot prevents this type of exploit. In a corporate environment, there's no question that this will help and should be turned on everywhere. Some people have complained about Secure Boot, because it will be mandated by all PC makers if they want the Windows logo on their machines, and when turned on, it prevents any other OS from being installed, such as Linux or FreeBSD. However, PC makers have made it clear that users will be able to turn it on or off inside the UEFI options, just not on ARM-based machines.
Another security improvement in Windows 8 and Internet Explorer 10 is called SmartScreen. This is a new system where Microsoft will be keeping track of all downloads from the Internet. When you go and get a program online, the SmartScreen filter will look at it, and see if others have downloaded it as well. Then, the rating it gives will be based on how popular that particular piece of software is, and whether any malware was detected in it. If SmartScreen is turned on, and you download something that has a low rating, a warning message will appear, warning you of the dangers. This can be very good to prevent phishing attacks, where a user may think he's downloading a certain popular program, but instead has been duped into downloading something else. SmartScreen will help stop that. Again, there are complaints about this feature as well. If you're a small, independent developer, you won't have a high rating for your new updates. The way to make sure your users don't get a scary warning when downloading them is to get an approved digital certificate and get your apps signed. However this is one more step required for developers in order to make Windows-approved software.
Metro apps are also safer than traditional Windows apps, because like any modern smartphone, they are each run inside their own sandbox. That means these apps cannot access the whole system like traditional apps could, and there are more checks being done against them. Also because Metro apps will all be sold exclusively through the Microsoft store, the company will be able to check them before they get onto users' machines. Windows 8 also includes an easy-to-use option to restore your entire system to a previous, safe state. While there have always been ways to do that in the past, Windows 8 makes it a lot easier for the user. If something does infect your system, you can reinstall a clean OS in just a few clicks. Finally, Internet Explorer 10 also has increased security by running plugins in their own sandboxes, and breaking tabs into different processes as well.
Overall, Windows 8 is shaping up to be a good improvement on the security landscape. Does this mean it will be foolproof, or that you should upgrade all your corporate systems right away? Obviously, not. Any new software takes time for malware authors to poke at it and find holes. Also, upgrading to a new OS, especially one that has such a drastically different user interface, is more than just looking at the security model. If users are confused as to how to do common tasks using the new Metro interface, that could cause a lot more nightmares for the support staff than having to deal with malware. But at least for now, we know that Microsoft is doing the right thing when it comes to security under the hood of Windows 8.