During the Windows 8.1: Ask Us Anything tour that we at CANITPRO recently embarked on, one question has been repeated more often than not:
“What has Microsoft done to further enable security in its new Windows offering?”
The push to migrate users off Windows XP is on as support ends on April 8th, and it is obvious that Windows 8.1 provides a vastly superior security story. The purpose of this post, however, is to provide insight into the security differences between Windows 8.1 and its predecessor, Windows 7, because companies of all sizes migrating off Windows XP are currently torn over which Windows OS to choose. While the subject of touch versus non-touch becomes less and less of an issue with Windows 8.1 and the upcoming Windows 8.1 Update due this spring, a discussion of Windows 8.1's security enhancements over Windows 7 might provide additional insight to assist your choice. The top 5 security enhancements to take into consideration include:
Maintaining system integrity – UEFI Secure Boot/Trusted Boot
UEFI’s Secure Boot feature prevents Windows 8 certified devices from starting a tampered-with or replaced Windows bootloader. Trusted Boot verifies the integrity of the remainder of the Windows boot process, its components, and the antimalware solution. Together, UEFI’s Secure Boot and Windows Trusted Boot prevent low-level malware infections from persisting on the device and protect the antimalware solution from tampering.
Safer system and apps – AppContainers and Vulnerability Mitigations
One thing that customers have enjoyed on mobile operating systems such as Windows Phone 8 is a relatively malware-free experience. There are two primary reasons driving these impressive results on mobile devices. The first is that all apps come from a centralized store that vets the apps before making them available to customers. The second is that all of these apps run inside a sandbox called the AppContainer. The AppContainer utilizes a sandboxing technology which is effective at preventing malicious apps from tampering with the system, other apps, and your data. Windows 8.1 also utilizes this technology, making the system less susceptible to attacks even in the event that vulnerabilities are discovered. Improvements to technologies like ASLR and DEP were made in Windows 8.1 to ward off attackers and close said vulnerabilities.
Secure data from unauthorized access – Device Encryption
Previously, device encryption was only made available in Windows Phone 8 and Windows RT. Windows 8.1 now automatically enables device encryption, in all editions, on the system volume of InstantGo-certified devices. This occurs when a user logs onto a device with administrative privileges for the first time and with a Microsoft Account.
IT control of corporate data – Remote Business Data Removal
IT administrators are now empowered to have additional control over corporate content on devices where content can be distinguished as corporate vs. user. Remote Business Data Removal, enabled via Windows Server 2012 R2, ensures that corporate data for supporting applications (e.g., Work Folders, Mail, etc.) is encrypted. IT managers can invoke a selective wipe of said corporate data from a device when the relationship between the device owner and the organization has ended. Ideal in a BYOD scenario, this allows the device owner’s personal information to remain unaffected when the corporate data is remotely deleted.
Modern authentication – Biometrics and Virtual Smartcards
Windows 8.1 supports advanced biometric capabilities for authenticating user identities, acquiring user consent for purchases, and confirming user presence when accessing sensitive apps and app data. This also includes a common identity enrollment experience that is compatible with new, existing and next-generation touch-based fingerprint sensors. Biometrics offers a single-factor option that is stronger than a password, but many customers are looking for two-factor options. In the past, two-factor authentication has proven challenging from a cost perspective. Windows 8.1’s Virtual Smart Cards feature offers a cost-effective and easy-to-deploy option that makes the device itself the smart card.
Remember, these are only the top 5 of many security enhancements enabled in Windows 8.1. Microsoft provides more detail on these and other security enhancements via Microsoft Virtual Academy in its newest online course offering, entitled What’s New in Windows 8.1 Security.
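
To confirm on a given PC that three of the features listed above (Secure Boot, encryption of the system volume, and DEP) are actually in effect, the following PowerShell script can be run from an elevated prompt. It is an added example, not part of the original post or of Microsoft's course material; the function name Get-SecurityPosture is hypothetical.

```powershell
# Added example (not from the original post). Run elevated on Windows 8.1 or later.
# Get-SecurityPosture is a hypothetical helper name chosen for this example.
function Get-SecurityPosture {
    # Secure Boot: Confirm-SecureBootUEFI returns $true/$false on UEFI systems
    # and throws on legacy BIOS systems or when the prompt is not elevated.
    $secureBoot = try {
        if (Confirm-SecureBootUEFI -ErrorAction Stop) { 'Enabled' } else { 'Disabled' }
    } catch {
        "Unavailable: $($_.Exception.Message)"
    }

    # Device encryption / BitLocker state of the system volume.
    # The cmdlet may be missing on some editions; that case is reported, not fatal.
    $encryption = try {
        $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop
        '{0}, protection {1}' -f $vol.VolumeStatus, $vol.ProtectionStatus
    } catch {
        "Unavailable: $($_.Exception.Message)"
    }

    # DEP policy as reported by WMI (Win32_OperatingSystem).
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $depPolicy = switch ($os.DataExecutionPrevention_SupportPolicy) {
        0 { 'AlwaysOff' }
        1 { 'AlwaysOn' }
        2 { 'OptIn (Windows system components only)' }
        3 { 'OptOut (all processes except listed exclusions)' }
        default { 'Unknown' }
    }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        SecureBoot   = $secureBoot
        SystemVolume = $encryption
        DepAvailable = $os.DataExecutionPrevention_Available
        DepPolicy    = $depPolicy
    }
}

Get-SecurityPosture | Format-List
```

A result of `SecureBoot : Disabled` or a system volume reported with protection `Off` on a device that is supposed to be Windows 8 certified or InstantGo certified is worth investigating before the machine is treated as compliant.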