
Windows 8 Security: What's New?

While the most obvious change in Windows 8 is the interface, Microsoft has made plenty of under-the-hood changes too, including some significant security updates.

October 30, 2012

Microsoft has been adding and improving advanced security features and capabilities in its Windows operating system and other applications over the past few years. Each iteration of Windows has featured improved security—necessary to withstand the constant barrage of attacks—and Windows 8 is no exception.

In Windows 8, Microsoft expanded its support for embedded hardware security, bundled a full-blown security suite into the operating system, introduced secure boot and signed applications, and enabled alternate authentication schemes, to name a few. Some of the latest innovations are aimed specifically at enterprise users and meet business needs, but there are plenty of improvements that end-users will notice right off the bat, too.

"After reviewing the layers of technologies used by Microsoft to protect Windows 8, it is our opinion that it is the most secure version of Microsoft Windows to date," Aryeh Goretsky, a distinguished researcher at ESET, wrote in a whitepaper examining security technologies in Windows 8 released earlier this month.

Microsoft is offering three main versions of the new operating system. Windows 8 is the "home" edition; Windows 8 Pro includes features for enterprises, such as support for Hyper-V, BitLocker, a virtual private network client and group policy support; and Windows RT is for ARM-powered devices.

Secure Boot
Microsoft designed Secure Boot to protect the computer from low-level exploits, rootkits and malicious bootloaders. A security process shared between the operating system and the Unified Extensible Firmware Interface (UEFI, which replaces the BIOS), Secure Boot requires all the applications that run during the boot process to be pre-signed with valid digital certificates. This way, the system knows that none of the files loaded before Windows 8 reaches the login screen have been tampered with.

If a bootloader has infected your computer and it tries to load during the boot-up sequence, Secure Boot will be able to undo all the changes and thwart the attack. Having Secure Boot means it is that much harder for attackers to try to compromise the startup sequence.

PC makers have to ship with Secure Boot enabled in the UEFI firmware by default if they want to be able to slap the Windows logo on the box, but the feature can be disabled within the UEFI interface. Anyone who wants to install a non-Windows operating system on Windows 8-certified hardware would first have to manually disable Secure Boot.

Windows Defender


As PCMag's lead analyst for security Neil Rubenking noted a few weeks ago, Microsoft decided to release Windows 8 with built-in antivirus. This is a much more robust application than the free anti-malware software that users could download and install manually in previous versions.

Windows Defender (Microsoft repurposed the name for the anti-malware product) is enabled by default, right out of the box, which means users have some form of security protection as soon as they turn on the machine. While it can't be uninstalled, it can be disabled if the user wants to install a different security product from another vendor (AV-Test has certified several as being Windows-8-ready). In fact, Windows Defender must be disabled if you want to install a third-party security suite.

Loading the AV First
Regardless of whether you are using Windows Defender or a different anti-malware product, Windows 8 has tweaked its load process so that security software runs first. Early Launch Anti-Malware (ELAM) ensures that the first software driver loaded into Windows 8 is a driver from the user's anti-malware software.

In previous versions, if malware executed and was loaded into system memory before the operating system and the antivirus, it was difficult to detect and remove. Secure Boot prevents rootkits from interfering with the OS, and ELAM ensures that pre-approved anti-malware software drivers are loaded before any other application.

Whether or not it is effective is unknown, but Goretsky noted in the whitepaper that the concept was "fundamentally sound."

SmartScreen


Originally an Internet Explorer security feature, SmartScreen is now part of Windows 8. When a user downloads a program or a file from the Internet, the SmartScreen filter checks to see if other people have downloaded the same file as well. If so, there is a rating for the file based on its popularity and whether it was considered malicious. Users trying to download something with a low rating while SmartScreen is enabled will see a warning message. This can be good for detecting fake antivirus and other rogueware programs.

Since SmartScreen is now part of Windows 8, the filter will kick in regardless of what browser the user is running, not just Internet Explorer.

Alternate Passwords


Picture passwords are one of my favorite bits of Windows 8. The idea is that instead of relying on alphanumeric passwords, users can use pictures. When this feature is enabled, you select a photo from your image library and then define three gestures on the photo using any combination of circles, straight lines, and taps (using either touch or the mouse). It's possible to switch to PIN-based authentication.

There still need to be some tweaks to the alternate authentication methods, though. Earlier this month, password experts Passcape Software found that it was possible to recover passwords from Windows 8 systems with Picture Password enabled. The problem was related to the fact that users needed to have an account with a regular password before switching to the alternate authentication scheme. It turned out that when the switch was made, the regular password remained in the system and (shockingly!) was stored as plain text.

Passcape claimed that users with administrator-level privileges can access the Vault where the information is stored and see the text passwords, but it's not clear how big a problem it would turn out to be. If the person snooping through has administrator rights, that person really wouldn't need to harvest the passwords in the first place, right?

Regardless, here's hoping Microsoft has at least fixed that scenario by encrypting the text password before storing it.

AppContainer
One of the invisible-to-the-user changes in Windows 8 is AppContainer, the more secure application-sandbox environment where Windows 8 applications will reside. Designed to prevent apps from disrupting the operating system, AppContainer decides which actions are available to which apps.

Following the same logic, all Internet Explorer plugins run in their own sandboxes under Windows 8.

The apps will also be available through the new Windows 8 app store, which means Microsoft will be able to check beforehand for malicious applications. Only time will tell whether Microsoft will successfully keep out the dodgy apps from its store. The restore feature will at least make it easier to return to a previous safe state if malware does somehow manage to infect the machine.

Enterprise Specific Security Improvements


Samara Lynn, PCMag's lead analyst for networking, pointed out some of the enterprise-specific features in Server 2012 which would flow into Windows 8 and Windows 7 systems. Dynamic Access Control (DAC), which expands access control to include a wider list of attributes, is one of them.

In previous versions, administrators could define who had access to files and folders on a per-user basis or by creating groups and assigning permissions specific to those groups. In Windows 8, DAC allows administrators to use any of the data stored in Active Directory, such as personal information, device ID, logon method, or even location, to define access control rules.

Here is an example: documents marked "confidential" or "private" are accessible to only members of the Human Resources division. In this case, in Server 2012, the administrator would create a claim that "confidential" and "private" would be accessible to people with the "Human Resources" attribute. There is no need to create a specific group for HR and add individual users to it. So long as the user in the Active Directory is defined as being part of HR, the access control rule would apply.

This definitely makes managing users and permissions much easier within the enterprise.
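A simplified model of the Human Resources rule described above, as an added example that is not code from the article or from Microsoft: it contrasts a group-only ACL check with a claim rule layered on top of it. The user names, file paths, the `department` claim key, and the choice to require both the ACL and the rule to allow access are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class User:
    name: str
    groups: set = field(default_factory=set)
    claims: dict = field(default_factory=dict)   # attributes read from the directory

@dataclass
class Document:
    path: str
    classification: str   # resource property set on the file
    acl_groups: set       # groups granted access by the file's own ACL

PROTECTED = {"confidential", "private"}   # classifications from the article's example

def group_based_allows(user, doc):
    """Group-only model: access if the user is in a group listed on the ACL."""
    return bool(user.groups & doc.acl_groups)

def claim_rule_allows(user, doc):
    """Claim rule: protected documents require department == Human Resources."""
    if doc.classification not in PROTECTED:
        return True                        # rule does not target this document
    # A user with no department attribute never satisfies the rule.
    return user.claims.get("department") == "Human Resources"

def dac_allows(user, doc):
    """Assumed model: the rule is an extra gate, so ACL and rule must both allow."""
    return group_based_allows(user, doc) and claim_rule_allows(user, doc)

def demo():
    # Constructed sample data: hypothetical server, paths and users.
    review = Document(r"\\fs01\hr\review.docx", "confidential", {"Domain Users"})
    menu = Document(r"\\fs01\public\menu.docx", "public", {"Domain Users"})
    alice = User("alice", {"Domain Users"}, {"department": "Human Resources"})
    bob = User("bob", {"Domain Users"}, {"department": "Engineering"})
    carol = User("carol", {"Domain Users"})   # directory entry has no department
    results = {
        "alice/review": dac_allows(alice, review),
        "bob/review": dac_allows(bob, review),
        "carol/review": dac_allows(carol, review),
        "bob/menu": dac_allows(bob, menu),
        "bob/review, ACL only": group_based_allows(bob, review),
    }
    bob.claims["department"] = "Human Resources"   # transfer: one attribute edit
    results["bob/review after transfer"] = dac_allows(bob, review)
    return results

if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case:28} {'allow' if allowed else 'deny'}")
```

The "ACL only" case shows what a broad group grant would expose without the claim rule, and the transfer case shows access following the directory attribute with no group membership change.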

Microsoft also added a few new Group Policy settings in Windows Server 2012. The settings could prevent new accounts from being created on the computer or lock a session if the machine is inactive for a specified period of time. Another policy automatically locks out users from accessing volumes that use BitLocker encryption after a certain number of failed login attempts.

Hardware-Based Security
Windows 8 will really push the hardware-based authentication capabilities of the Trusted Platform Module (TPM) to the forefront, said Steven Sprague, CEO of Wave Systems. TPM makes a lot of sense if you stop to consider the increase in sophisticated rootkits and other malware that increasingly target the hardware layer, such as the Master Boot Record. TPM stores sensitive configuration data and credentials, making it possible to implement single sign-on and access to VPN. Device-based security could be used to log in users to the network, Sprague said. No passwords required.

Windows 8 machines can optionally ship with self-encrypting drives (SEDs), which provide businesses and security-minded end-users with hardware-based encryption that can never be turned off. SEDs are ready to go out of the box, protecting data right from the start. Hardware-based encryption also has less of an impact on performance.

Speaking of encryption, BitLocker also has a new feature that will allow users to encrypt only the parts of the disk that are in use, instead of encrypting the whole volume at once.

There you have it. A sample of the more obvious security changes Microsoft has made in Windows 8. There is plenty more under the hood that we will never notice, but that's the way it should be—features chugging away in the background to keep users safe from attackers.