Establishing Digital Trust: Don't Sacrifice Security for Convenience
The Windows OS has never been known for its security features. Microsoft hopes to change that with Windows 8.
When it comes to platform security, Microsoft is still trying to earn back the trust it so badly lost during the Windows XP era. At its worst, an unpatched Windows XP machine connected to the Internet could become infected by malware in an average time of four minutes.
Subsequent Windows releases have certainly improved on this rock-bottom situation. Windows Vista saw infection rates drop by about half compared to XP. And with Windows 7, infections dropped on average by half again compared to Vista.
Without a doubt, Windows security has been improving. But Windows still possesses the lion's share of the desktop OS market – particularly in the enterprise – and as such still remains a favored target of malware distributors.
The newly released Windows 8 features major interface changes, which have drawn the bulk of attention. But the differences between Windows 7 and 8 aren't only on the surface. A short list of new security features promise to significantly decrease the Windows 8 infection rate, even as compared to the improvements seen in Windows 7.
Here are some of the most significant security features, all of which will be available in Windows 8.1, the upcoming update of Microsoft's latest operating system, which a growing number of sources are reporting will be released in October.
Early Malware Detection
As anti-malware scanners have become the standard on many machines, malware distributors have increasingly looked for new attack vectors. One such strategy is to target malware further up the chain in the OS. Typical anti-malware software employs runtime scanners – meaning that they detect malware after the OS is already up and running.
But malware like rootkits and bootkits install themselves earlier in the OS sequence, meaning their hooks are in place before conventional anti-malware scanners are launched. Windows 8 introduces two new defenses to combat this problem; secure boot and ELAM, or "Early Launch Anti-Malware."
Windows 8 support for secure boot is one of the more controversial new security features. In brief, secure boot requires that code launched at boot possess a secure certificate verifiable by a hardware module.
The argument behind secure boot is that it will prevent infections from bootkits, which weasel their way into the boot code of the machine. Bootkits can be very difficult to remove. However, they also make up a relatively small proportion of malware infections. The secure boot feature can make it more complicated to install alternative operating systems on a machine, such as Linux. Windows 8 installed on non-certified hardware (e.g. machines which are not brand new) will likely not support secure boot anyway.
Some critics say that secure boot will make Windows machines into "closed" systems by more closely tying the hardware to the OS, while preventing a limited vector of attack. Although true, this fact is not likely to present a real practical problem for enterprise deployments where control and uniformity of workstations is generally desirable.
As with just about any security feature, though, determined hackers can find a way around it. Security researchers demonstrated two exploits of Secure Boot at the recent Black Hat security conference. It is worth noting, however, that the attacks are possible because of shortcomings in how some PC vendors implement the Unified Extensible Firmware Interface (UEFI) specification on their machines rather than weaknesses in the secure boot feature itself.
Early Detection: ELAM
With ELAM, Windows 8 essentially possesses a built-in scanner for operating system drivers. When the OS boots ELAM is launched before other drivers, so that they can be checked against a blacklist of known infection signatures.
Enterprises can use the group policy editor to configure exactly how ELAM behaves. For example, administrators can decide whether the system should be allowed to boot only when known good drivers are present or whether to also allow unknown drivers – which may be infected or may simply be installed by useful third-party products.
When the Windows 8 OS is up and running, several more security defenses have been introduced to further limit the attack surface area.
Windows Defender, which was originally included with Windows 7 as an anti-malware scanner, now runs by default and its job scope has been expanded to look for suspicious network activity as well as malware executable signatures. Note, though, that PC vendors may opt to replace Defender with third-party anti-malware solutions of their choosing, which may be limited-time trial editions.
Sandboxing with AppContainer
The biggest new security feature introduced to runtime Windows 8 is the new AppContainer. When an application runs inside a "sandbox," it is limited in how it can interact with the underlying OS. Depending on the sandbox, apps may be restricted from reading or writing files outside prescribed locations, accessing location awareness, modifying operating system files and so on.
If you've installed apps on an Android phone, you've seen the screen where it describes which privileges the app requests access to. If an app requests overly broad privileges relative to its functionality, you may decide to abandon the install. Microsoft's AppContainer roughly applies this concept to Windows 8 Metro apps. Wait – what?
A key new and/or confusing aspect of Windows 8 is that it now supports two types of applications. There are the traditional desktop applications that look and operate just like applications on Windows 7, and then there are Metro apps which are more like mobile applications. You discover and install Metro apps from a central app store, you launch them from a grid display, and each app runs full screen. In short, Metro apps are the part of Windows 8 where it behaves like a mobile OS.
AppContainer is designed to apply to these Metro apps. But wait – there's more. Microsoft extends the AppContainer feature to also apply to browser tabs inside Internet Explorer 11. Therefore, potentially malicious apps that could run inside a Web page will be isolated inside an AppContainer sandbox.
Portable Enterprise Security
Organizations that use the Windows 8 Enterprise edition can deploy an interesting new twist on platform security called Windows To Go. With WTG, a pre-configured installation of Windows 8 can be installed to and launched from an approved USB stick.
In this context, an enterprise can be assured that an employee or contractor is using a securely configured Windows 8, which for example might be set up to access the corporate VPN. Separating business and personal silos addresses the increasing trend toward BYOD, ensuring that personal devices are securely used for business work.
To further secure WTG, the USB drives can be encrypted either at creation time or after the fact using Microsoft’s Bitlocker.
Security by Default
Although a feature like Windows To Go requires active adoption by an organization, most of the new security enhancements to Windows 8 are baked in to run out of the box. This should be good news to organizations that are hesitant about adopting Windows 8.
Aaron Weiss is a technology writer and frequent contributor to eSecurity Planet and Wi-Fi Planet.