More info on enhanced security in Windows 8 and trusted boot redux

By Ron Grattopp

You’ll hear us TS2 guys and others say that Windows 8 is “a better Windows 7 than Windows 7”. One of the most important aspects of this is the improvements Windows 8 has made in the area of security. I’ve made the case in other posts that Windows 7 is actually the most secure OS out there, so how did we make it even better? Well, one of the main things we did was to implement the Trusted Boot process whereby we can ensure that your Windows 8 PC will not become a bot thanks to a rootkit (or bootkit).

From one of my previous posts (Secure Boot in Windows 8, 8/1/2012) we already know that UEFI (Unified Extensible Firmware Interface) is essentially the modern-day replacement for the BIOS. The legacy BIOS is a security problem because it can't tell the difference between a legitimate boot loader and a rootkit. With UEFI, a computer will only run operating system kernels that have been digitally signed by an approved software vendor. Thus, the user is guaranteed that the operating system has not been tampered with by attackers. Windows 8 systems ship with a certificate in the UEFI that is used to check the boot loader and ensure it is both the right one and is signed by Microsoft. If you were to encounter a rootkit, the UEFI wouldn't allow it to boot. In other words, UEFI protects the pre-OS environment. Additionally, as the system boots, Windows 8 detects if any of the OS elements have been tampered with and automatically restores the unmodified versions.

As you know from that earlier post, Secure Boot is just one of the three pillars of what is called the Trusted Boot process. Besides the UEFI Secure Boot, Windows 8 institutes ELAM, or Early Load Anti-Malware, ensuring that the antimalware software, which must be certified by Microsoft, is the first third-party piece to start up. And the third pillar of this new security process, called Measured Boot, allows PCs with TPM chips to take unique “measurements” of the software components loaded during the boot process, and can use that info to “attest” to the health (or trustworthiness) of the computer. So besides continuing all the great security features in Windows 7, Windows 8 now protects your PC from the additional threat of a bootkit or rootkit.
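To make the “measure, then attest” idea concrete, here is a simplified model added for illustration (it is not Microsoft code and does not read a real TPM or the Windows boot log). It assumes a SHA-256 PCR, uses constructed component names and contents, and leaves out the step where the TPM signs the PCR value before it is sent to the verifier.

```python
import hashlib

ZERO_PCR = bytes(32)  # a PCR is all zeros at reset (SHA-256 bank assumed)


def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM-style extend: new PCR = H(old PCR || digest). Never a plain write."""
    return hashlib.sha256(pcr + digest).digest()


def measure_boot(components):
    """Client side: hash each component in load order and extend the PCR.

    Returns (final_pcr, event_log) where the log holds (name, hex digest).
    """
    pcr, log = ZERO_PCR, []
    for name, image in components:
        digest = hashlib.sha256(image).digest()
        log.append((name, digest.hex()))
        pcr = extend(pcr, digest)
    return pcr, log


def verify(reported_pcr: bytes, log, known_good):
    """Verifier side: replay the log, then compare digests with policy."""
    pcr = ZERO_PCR
    for _name, hexdigest in log:
        pcr = extend(pcr, bytes.fromhex(hexdigest))
    if pcr != reported_pcr:
        return False, "event log does not match PCR value"
    for name, hexdigest in log:
        if known_good.get(name) != hexdigest:
            return False, f"unexpected measurement for {name}"
    return True, "boot chain matches policy"


# Constructed sample boot chain; names and contents are illustrative only.
CLEAN = [("bootmgr", b"boot manager v1"), ("winload", b"os loader v1"),
         ("elam-driver", b"antimalware driver v1")]
TAMPERED = [CLEAN[0], ("winload", b"os loader v1 + extra code"), CLEAN[2]]
KNOWN_GOOD = {name: hashlib.sha256(img).hexdigest() for name, img in CLEAN}

if __name__ == "__main__":
    clean_pcr, clean_log = measure_boot(CLEAN)
    bad_pcr, bad_log = measure_boot(TAMPERED)
    print(verify(clean_pcr, clean_log, KNOWN_GOOD))  # healthy machine
    print(verify(bad_pcr, bad_log, KNOWN_GOOD))      # honest log, bad digest
    print(verify(bad_pcr, clean_log, KNOWN_GOOD))    # forged log, PCR disagrees
```

The third case is the one that matters for defenders: because a PCR can only be extended, a modified component cannot hide by presenting a clean-looking log, since replaying that log no longer reproduces the value held in the TPM.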

Along with the boot process enhancements to security, Microsoft focuses on every aspect of Windows 8 to ensure greater protection. For example, there are now two new password types: a four-digit PIN and a picture password where you use a photo and set three gestures (on touchscreen devices) that ultimately comprise your "password."  There are some excellent articles around the added security of using a picture password vs a text-based one if you have questions around that.

Although you can choose whatever antimalware vendor or app you like, note that Windows 8 has enhanced Windows Defender to now include anti-virus capability (which it previously lacked). So the new Windows Defender is now much more than just an anti-spyware solution; it’s now a more full-featured security product capable of protecting your computer from many more types of threats. You've heard me say it before - we "get" security, so I would recommend our built-in solution unless you need some additional value-add features that come from the other security vendors; otherwise the actual protection you get with our built-in solution is as effective as anyone's. And, we use Windows Update to update malware signatures, so no additional software or code needs to be installed on your system for updating. One caveat here, however: if you buy a PC with the OS already installed by an OEM or reseller, then you may be getting trial or bundled AV software instead of Defender and Defender will probably be disabled. If that’s your case, just removing the pre-installed product and rebooting your machine should reinstate Defender automatically.

I've actually done a couple of posts on the SmartScreen filter and security in our IE browser, but we have now added SmartScreen to Windows 8. Windows SmartScreen is a technology, originally developed for IE, to protect your computer from running unrecognized apps and files downloaded from the Internet. This means that whenever you launch an executable file downloaded from the internet, SmartScreen shows up and prompts you to give your approval before continuing the loading process. (In fact, I got this when I tried to run the Office 365 Demo Provisioning toolkit – not that it’s suspicious <grin>). This can be good for detecting the fake antivirus and other rogueware programs that seem to be becoming more prevalent these days. And, since SmartScreen is now part of Windows 8, the filter will kick in regardless of what browser the user is running, not just Internet Explorer.

Even memory management in Windows 8 has been enhanced, actually re-architected, to provide additional safeguards, such as comprehensive randomization and guard pages. As a result, many, if not most, of the memory exploit tactics that an attacker would use to gain control of a Windows 7 machine will now fail under Windows 8.

One of the lesser known, under-the-covers security features in Windows 8 is AppContainer, which is essentially a secure application sandbox environment where Windows 8 apps will reside. Designed to prevent apps from disrupting the operating system, AppContainer decides which actions are available to which apps.  Following the same logic, all Internet Explorer plugins run in their own sandboxes under Windows 8.

And in that vein, it is important to note, though probably not something you might think of as a security feature, that vetting apps that would be loaded in Windows 8 through the Windows App Store should have an impact on security as well. When people begin to use the App Store as their main source for applications, security in general will be enhanced because, in addition to the AppContainer functionality, it will be much harder, if not almost impossible, for an attacker to place something like a trojan horse in the store. In addition, the App Store will automatically keep applications updated with the latest security patches.

Lastly, Windows 8 machines can optionally ship with self-encrypting drives (SEDs), which provide businesses and security-minded end-users with hardware-based encryption that can never be turned off – this is how you will get the encryption for Windows RT devices I mentioned in my last post on RT even though RT doesn’t support the Encrypting File System feature like Windows 8 Pro does. SEDs are ready-to-go out of the box, protecting data right from the start. Hardware-based encryption also has less of an impact on performance.

And it’s not just me saying this: professional security researcher Aryeh Goretsky, of ESET, wrote this in a whitepaper examining security technologies in Windows 8: "After reviewing the layers of technologies used by Microsoft to protect Windows 8, it is our opinion that it is the most secure version of Microsoft Windows to date".

Btw, here’s a cool trick I got from a Softpedia article: If you want to see an overview of the security system of your Windows 8 computer, simply go to the Start Screen and type “security.” Select Settings under Search, then click the “Check security status” option, then drop down the “Security” list and take a look. Gotta admit, I knew about the Security list in Control Panel, but never thought to use it to get an idea of the layers of protection available.


Read more: Building Windows 8 Blog - Protecting you from malware and The Windows Security Blog

Well, hopefully you have a better idea now of the range of improvements we’ve made in security for Windows 8 and understand a bit more about why we say it’s a “Better Windows 7 than Windows 7”.

Cheers, as always,

Ron