Windows 8 and 8.1 Security at Different Operating System Layers
Microsoft has been working on improving security for end-user computing by introducing new security features in its Windows Operating Systems, and over time we have seen massive security improvements as a result. Windows 8 and 8.1 introduced many new security features, which this article discusses.
Windows Operating System is modular in design. Several layers operate together in a Windows Operating System, and two important layers that control all the others are the Kernel Mode and User Mode Layers. The Kernel Mode Layer, which operates directly on top of the hardware, implements several components to provide an execution environment for the applications installed in the User Mode Layer. In earlier versions of Windows, users had to depend on third-party products/tools to secure their Windows computers. That is still the case to some extent, but the dependency has been reduced dramatically in newer versions such as Windows 8 and Windows 8.1. It is important to understand that most third-party security products/tools can only protect the applications running in the User Mode Layer; they fail to protect the Kernel Mode Layer. Starting with Windows 8, Microsoft's primary focus has been on securing the components running in the Kernel Mode Layer. The security enhancements in Windows 8 and 8.1 range from securing the boot process to securing the execution environment in the User Mode Layer. These security features can be categorized into two groups: Windows OS-Controlled security features and Windows User-Controlled security features.
Windows 8 and 8.1 OS-Controlled Security Features
Windows 8 and 8.1 OS-Controlled security features help prevent the boot environment from executing infected code. Windows 8 denies malicious code access to Kernel Mode Layer components by implementing the security features listed below:
- Windows 8/8.1 Boot Process is Secure By Design: Both the Secure Boot and Trusted Boot security features of Windows 8 play a major role in booting a clean environment. The Secure Boot feature, first introduced in Windows 8, is enabled by default and prevents unauthorized or malicious code from executing during the Windows boot. The Trusted Boot feature of Windows 8 performs a check on the Windows startup files such as Winload.exe (Windows Boot Manager) to make sure they are intact and have not been tampered with by malware. This integrity check is performed during each boot.
- Enabling Anti-Malware During Boot: Early Launch AntiMalware, sometimes referred to as ELAM, provides the ability to launch an anti-malware application before any third-party software is allowed to execute. Launching an anti-malware application before any third-party drivers/applications run is a major change, which helps prevent malware from executing and inserting itself into the Kernel Mode Layer. You can use Group Policy settings to configure how ELAM responds to malicious boot drivers during the boot. The ELAM Group Policy settings can be found by navigating to the "Computer Configuration\Administrative Templates\System\Early Launch AntiMalware" node, as shown in the screenshot below:
- Storing Vital System Data at a Randomized Place in Memory: Windows 8 and later Operating Systems implement the Address Space Layout Randomization (ASLR) feature. The Windows Kernel Mode keeps vital system data at a randomized location in memory, which is not known to malware or any other application running in the User Mode Layer.
- Measured Boot: Windows 8 introduced the Measured Boot feature, which uses the TPM hardware built into the PC to securely record the sizes of every boot driver and then send the logs to a trusted server connected to your network. The trusted server can then verify the log and determine whether the client is healthy or not. Based on the result, the client can be allowed either limited network access or full network access.
Windows 8 and 8.1 User-Controlled Security Features
While the Windows 8 and 8.1 OS-Controlled security features help you boot a clean environment, the Windows User-Controlled security features allow you to control the behaviour of the security features provided to protect the execution environment in the User Mode Layer. The User-Controlled security features are explained below:
- SmartScreen Filtering: Although SmartScreen Filtering is not new to Windows 8, it could previously only be used to screen websites in Internet Explorer. In Windows 8, the SmartScreen feature is integrated with the Operating System. This integration with the base Operating System prevents the execution of applications that the Windows OS considers unsafe. The SmartScreen feature warns you if it does not recognize a website or an application. Whether you copy an application from another PC or download it from a website, the SmartScreen mechanism now verifies the digital signature of the file. If the file is known malicious code, SmartScreen warns the user or blocks the execution of the application. If you work with many third-party tools/applications, you might in some cases want to disable or control the behaviour of the SmartScreen feature.
- Automatic BitLocker Encryption: Unlike previous versions of Windows, BitLocker encryption is automatically enabled on Windows 8.1 for existing devices such as fixed hard drives and for devices you attach to the PC later. If you do not want Windows 8.1 to enable BitLocker encryption automatically for devices, you can create a registry entry called PreventDeviceEncryption at the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\BitLocker registry location and set its value to 1.
- Windows Update and Automatic Restart: Most users are in the habit of ignoring Windows Update restart alerts, but this might not be acceptable in an organization where security is the major concern and all Windows computers need to comply with the corporate IT security policies. Windows 8.1 mitigates the risk of a computer becoming non-compliant by applying the important updates and restarting the Windows PC automatically without disturbing the applications. The applications that were running before the restart are launched again and the user desktop is locked. If you need to control this behaviour, you can do so through the Group Policy settings for Windows Update. A quick way to disable this behaviour is to create a registry entry on the local Windows computer: create the NoAutoRebootWithLoggedOnUsers registry entry at the HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU registry location and set its value to 1.
- Use Windows Store Apps: You may not want to take the risk of being infected with malware by downloading applications from the Internet, or applications that are not approved by an enterprise administrator. Any application downloaded from the Windows Store is secure by default, because all apps have to go through a careful screening process before they are made available in the Windows Store.
This article explained the new security features introduced in Windows 8 and Windows 8.1. These security features let you spend more time being productive and less time working out how to keep your Windows PC secure.
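As an added example (not part of the original article), the following PowerShell audit reads back the OS-controlled settings described earlier (Secure Boot, TPM, Measured Boot logs, ELAM policy) together with the user-controlled registry entries listed above, and reports which of them are in their protective state. The ELAM DriverLoadPolicy value, the SmartScreenEnabled value and the MeasuredBoot log folder are not quoted in the article and are assumptions taken from Microsoft's documentation; the helper function names are mine.

```powershell
# Added audit script, not from the article: reads the Windows 8/8.1 security settings
# the article describes and reports whether each one is in its protective state.
# Run in an elevated PowerShell 3.0+ session; the UEFI/TPM checks degrade to "not
# available" on legacy-BIOS or TPM-less machines instead of aborting the audit.

function Get-RegValue {
    # Returns $null when the key or value is absent, i.e. the Windows default applies.
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Add-Check([string]$Name, [bool]$Hardened, $Value) {
    [pscustomobject]@{ Check = $Name; Hardened = $Hardened; Value = $Value }
}

function Get-Win8SecurityReport {
    # --- OS-controlled features: Secure Boot, TPM-backed Measured Boot, ELAM ---
    try { $sb = Confirm-SecureBootUEFI } catch { $sb = $false }   # throws on legacy BIOS
    Add-Check 'Secure Boot enabled' $sb $sb

    $tpm = try { Get-Tpm -ErrorAction Stop } catch { $null }       # cmdlet absent without a TPM
    Add-Check 'TPM present and ready' ($null -ne $tpm -and $tpm.TpmReady) $tpm.TpmReady

    # Measured Boot writes one TCG log per boot here; none means nothing was measured.
    $logs = @(Get-ChildItem "$env:SystemRoot\Logs\MeasuredBoot" -Filter *.log -ErrorAction SilentlyContinue)
    Add-Check 'Measured Boot logs recorded' ($logs.Count -gt 0) $logs.Count

    # ELAM policy value (assumed key, not quoted in the article); 7 = load all drivers,
    # anything else (or no policy at all) still blocks drivers the ELAM driver rates as bad.
    $elam = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EarlyLaunch' 'DriverLoadPolicy'
    Add-Check 'ELAM blocks known-bad boot drivers' ($elam -ne 7) $elam

    # --- User-controlled features: the registry entries the article names ---
    $bl = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\BitLocker' 'PreventDeviceEncryption'
    Add-Check 'Automatic device encryption allowed' ($bl -ne 1) $bl

    $wu = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' 'NoAutoRebootWithLoggedOnUsers'
    Add-Check 'Windows Update may restart to apply updates' ($wu -ne 1) $wu

    # SmartScreen for files/apps (assumed value name): RequireAdmin, Prompt, or Off.
    $ss = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer' 'SmartScreenEnabled'
    Add-Check 'SmartScreen for apps enabled' ($ss -ne 'Off') $ss
}

Get-Win8SecurityReport | Format-Table -AutoSize
```

A row with Hardened = False and a Value of 1 (or Off) shows where one of the opt-out entries from the article has been applied on that machine.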