Effectively securing Windows 8.x, ten things you need to know
Windows 8.x has many features that enhance the security of the operating system and protect both the device and data.
We delve a little deeper into Windows 8 and consider 10 features that heighten the operating system for both the individual and the enterprise, when considering security and the OS.
Ten security features you need to know about Windows 8.x
Windows 8 boasts an array of security enhancements. Security is a continuous challenge for individual and enterprise alike so any enhancement in security is eagerly awaited by all. Windows 8 seems to have accomplished a broad range of beneficial security features, which address the main security challenges we face on a daily basis.
Windows 8 has taken into consideration the importance of securing mobile devices and enterprise data. Some features are particularly important as enterprises move towards BYOD, and will assist in securing enterprise data on those personal devices.
1. WIFI is more secure
The WIFI managed through Windows 8 is a lot safer than when utilised with previous versions. Windows 8 extends support to many wireless and Mobile Extensible Authentication Protocol standards allowing for easy and secure connection to secure networks. You no longer need to rely on obtaining certificates or roaming between varying mobile and wireless networks.
2. Device Drive Encryption
Windows mobile devices are automatically encrypted when a Microsoft account is used for login.
With Windows 8 Pro addition for enterprises, when a device is on standby but still connected to the internet, the feature to encrypt data while the device is at rest is an enhancement. However hibernation does not always work well with encryption (and when tested in the lab by our team has led to data recovery issues) so for increased security it’s probably best to disable the hibernation option in Windows 8 for now to ensure stability.
The enterprise version of Windows 8.x has also extended encryption to mobile devices, and the encryption key can be backed up to SkyDrive. It’s strongly advised that encryption keys be stored on premise when in a corporate environment. This will ensure more security than storing it on SkyDrive or OneDrive.
With many forms of encryption commercially available the one offered by Windows 8.x is still considerably weaker in comparison to many other commercial grade alternatives. It also tends to be quite cumbersome and a further drawback being that it is only deployable on MS platforms, with the keys badly managed. It is critical to note keys = data, so key management is something that needs to be streamlined.
3. Remote Data Removal
This feature allows for partial wipe of a device. If organisations are participating in a BYOD program, data on the device can be categorised as ‘personal’ or ‘corporate’ and any corporate categorised data can be wiped or made inaccessible if necessary. This a great feature and can be used to keep corporate data safe in the event of compromise or data loss. It is highly recommended that this feature be used in conjunction with device and hard drive encryption.
4. Access Control
Many features have been included or enhanced in Windows 8 and Windows 8 Enterprise to facilitate secure access control. Some of the features include:
- Dynamic access control: Access is based on dynamic rules based policies and access can be allowed or denied based on a combination of user, device and data characteristics. Access can be restricted to certain departments or users allowing for greater controlled authorisation. This feature allows for the rule of least privilege to be implemented and supports more modern security zoning techniques.
- Direct Access: This feature, part of Windows 8 Enterprise, enables a secure direct connection with the organisation's internal network, as long as the user has an internet connection, simplifying the access to data on the network. This alternative to VPN’s can assist organisations to maintain compliance through the seamless application of policies and patches to remote and mobile devices. It’s great to be able to extend the network to your home or anywhere else you might be working from (this is one of the best features of the platform and has slowly been enhanced for the past few years and has matured properly to a reliable and secure solution).
- Biometric Folder and Authentication Security: Access is controlled through a fingerprint reader (swipe or touch readers). This feature can be folder specific and based on the fingerprint can grant or deny access to a folder (this feature is truly impressive and is what we should have had from the beginning).
Within an organisation this feature can extend to access control of the windows store as well, as a way to authenticate certificates for transactions. Thus fingerprint authentication would be required prior to access.
- Virtual Smart Cards: Multifactor authentication combining smart card and PIN for authentication. Windows 8 conveniently and securely stores the smart card certificate in the PC thus removing the necessity for the user to physically keep the smart card and reader with them at all times, all that is required is the PIN. This is an effective form of remote access. This feature should always be used together with drive encryption and with corporate remote wipe to ensure better levels of security.
- Picture Password: An alternative means of login through a touch-base system. A secure form of login is achieved through a sequence of gestures being locked to any chosen image. This picture password is then used as an alternative to the traditional password.
5. BIOS to EFI to UEFI
Windows 8 offers UEFI (Unified Extensible Firmware Interface), a step forward from EFI (Extensible Firmware Interface). This is an interface between the OS and the firmware which improves the security when compared to that of the original BIOS. UEFI makes it more challenging to maliciously manipulate the firmware and also prevents scenarios such as bricking, eavesdropping and boot changes. This in combination with Secure Boot make the OS very resistant to low-level Malware like rootkit (it is vital to keep the “BIOS” UEFI updated…).
- Memory Allocation:
Memory allocation is not a new feature for windows 8 as it is a feature of window 7 too. However the feature has been improved and enhanced for windows 8. Previously the memory could already be allocated to applications so as to assist in the prevention of malware attack. The disadvantage was that it was not a default setting but had to be manually switched on. Windows 8 however won’t run on CPU’s that fail to have the hardware to allocate memory as non-executable and unlike previous versions of the OS, the feature’s default setting is always ‘on’.
- Randomising Memory:
Windows 8 utilises randomising memory to aid in the prevention of malicious attack from Malware. This is made possible through Windows accumulating a random combination of data when booting from various sources which is then combined to form a new random number seed, differing each time. This makes it very challenging for malware interference.
- Enabling and disabling secure boot:
With Windows 8 this enhancement achieves the ability to block the use of memory that is no longer in use. Memory is less vulnerable to malicious attack. Organisations that deploy Windows 8 will probably want the secure boot feature enabled, to prevent any tampering through malware.
7. Integrated Anti-malware
Windows 8 incorporates the antivirus features from Microsoft Security Essentials solution, namely Windows Defender. Integrated anti-malware has enhanced performance and decreased memory/CPU footprint and is enabled by default.
Although this solution comes built in to Windows 8 many organisations will probably prefer to use an alternate commercial product as a lot of the alternatives available surpass the integrated solution.
8. SmartScreen Filter
The SmartScreen Filter is now part of the Windows 8 OS. It enhances socially-engineered malware detection and blocking significantly. The combination of URL reputation system and file or application reputation system protects the user against phishing and socially-engineered attacks.
9. ASLR and Kernel Enhancements
The combination of the features below aid to eliminate methods that malware has previously used to gain access to PC’s advanced privileges.
The enhancement is achieved in Windows 8 through the improvement of ASLR (Address Space Layout Randomisation). This feature was available in Windows Vista as a means to lessen buffer overflow exposures however has been improved in Windows 8 by increased randomisation.
Other developments include changes to the Windows kernel and heap. In Windows 8 the heap has added reliability checks. The kernel has more stringent limits on the amount of memory that can be allocated, so any possible attack through buffer overflow would have to be extremely precise to be effective.
The more accessible DEP (Data Execution Prevention) is now a requirement under Windows 8.
Windows 8 offers integrated cloud based services, a cloud based Windows. Although features like SkyDrive / OneDrive were offered in the previous version of Windows, the storage solution has become easier to use through its integration into the Windows 8 OS. SkyDrive is more prevalent, with it set as the default location for certain libraries.
SkyDrive / OneDrive offers cloud storage with a similar experience achievable from other commercial cloud storage providers/services.
The Microsoft Account Integration, whereby you are able to sign into Windows with your Microsoft Account credentials allowing your settings to sync from machine to machine is also a new development.
Cloud features are enhancement but this in turn provides security challenges that need to be met.
Windows 8 seems to have more security features than the previous versions of Windows, however by introducing many cloud elements this has in turn introduced some security challenges that are slowly being addressed by native Microsoft technical controls. The tools are still being worked on and completed to offer fully fledged enterprise grade security and we look forward to the next release of these tools in Windows 9.
Further enhancements of Windows have improved the OS for enterprises through the additional enterprise version features mentioned above and in addition to those, features like Application control through Applocker, Windows To Go and Group Policies for centralised management enhance the enterprise user experience.