Windows 8.1 security: what's been improved
5th Jun 2013 | 12:00
Better malware scanning, encryption everywhere and cheap biometrics
In all the fuss about the Start screen, it's easy to miss that Windows 8 had major improvements to security; that was the culmination of ten years of work on defending the operating system, senior product manager Chris Hallum told us.
"Windows 7 is six times more likely to get infected than Windows 8 and Windows XP is 21 times more likely to be exploited."
But that was still all defensive reactions; for Windows 8.1, he said, Microsoft is going on the offensive with better malware protection, new ways of checking the security certificates web sites rely on - and with a plan to add encryption and biometric security to every PC.
The built-in anti-malware tool Defender will protect against more threats in the browser, including from plugins and ActiveX controls. "In Windows 8.1 we will scan those payloads before they're executed," Hallum told us.
Protecting against stolen certificates
Microsoft will also be more active about protecting the browser against stolen certificates; because the browser trusts those certificates to identify popular web sites that you log into, hackers have started targeting them (and the authorities who issue them) as a way to break into your accounts.
"Public certificates have already been hacked," Hallum points out; in a number of cases certificates for well-known companies like Yahoo and Google have been compromised and used on fake web sites to steal credentials."
For Windows 8.1, Microsoft will operate a service tracking certificates for the top million web sites. "If we see a certificate being used fraudulently or showing up on a server where it shouldn't be, we will work with the certificate authorities," Hallum said, noting that this will protect other versions of Windows and indeed other platforms too.
Windows 8.1 encryption and BitLocker
With Windows 8.1, encryption isn't just for business users any more, although Microsoft is improving BitLocker performance for business systems (up to 30 times faster than in Windows 8, Hallum claims). "We need it not just to protect your data but also the system itself; we don't want people to be able to tamper with Windows system files," he explained.
That's why all versions of Windows will now include encryption; BitLocker in the business editions and the same device encryption that's already in Windows RT and Windows Phone 8 in the home editions. "We expect encryption to be pervasive," he predicted.
There are some hardware restrictions on this; you need a PC that is capable of Connected Standby with Windows 8 or 8.1. That means the PC has a UEFI BIOS and either a separate Trusted Platform Module (TPM), ARM's Trusted Zone or Intel's Platform Trust Technology for storing information securely.
It also means there is are no Direct Memory Access connections, which includes both FireWire and the Thunderbolt technology Intel developed with Apple; Hallum says Microsoft is talking to Intel about ways of making Thunderbolt more secure but DMA connections can transfer code directly into memory, bypassing system security.
Windows 8.1 Provable PC
Microsoft will also use the information about the PC stored in the TPM to 'harden' Windows with a cloud service that's provisionally called Provable PC Health (expect the name to change, Hallow says). This will use the record of secure boot stored in the TPM to verify that your PC isn't infected. "We can remotely analyse the security state of the device and the integrity of the device." Hallum says, claiming that this will detect even sophisticated malware like Flame.
"We will inform the user if there is a problem and if there is an infection Windows can put them back in a safe state. If there is an infection that can steal their credentials we will inform them, and we will help them remediate their Microsoft account."
Once you can store information securely and prove that your PC doesn't have a rootkit or a virus that could compromise that, you can use your PC as a way to authenticate that's more secure than a password.
"Passwords are increasingly problematic," Hallum points out; "people can have them phished or they can be guessed." Windows 8 can already use the TPM as a virtual smartcard but that's not truly two-factor authentication. You need something else to prove your identity and that will be your fingerprint.
Windows 8.1 fingerprint sensors
Today's fingerprint sensors are big, clumsy (you have to swipe your finger across them carefully) and easy to fool with a fake finger. More powerful sensors can tell the difference between a real finger and a fake – they can tell if your finger has a pulse – and they can detect prints from four fingers at once, but those sensors currently cost $100 or more.
Microsoft is working with partners who can get the price down to about $4 each, so you'll get them in notebooks and tablets and even printers. And that could do way with insecure passwords entirely. "We want to make biometrics completely mainstream," says Hallum boldly.
Windows 8.1 virtual smartcards
Businesses get extra features as well. Windows 8.1 gets a way to use devices like Windows RT tablets, which can't jon a domain but do have a TPM, as virtual smartcards – as long as they use the new workplace join option so you identify to your company network which device you're using. That would mean that the files you can sync from your Windows Server file server to your RT tablet using Work Folders can be protected by Information Rights Management, which only lets authorised people open, print or copy those files.
Windows 8.1 selective wipe
Windows 8.1 will also include selective wipe for removing business files from a personal computer without deleting your personal files too. Work files will be protected by the encryption and admins will be able to send a command (using standard device management software like Mobile Iron, Airwatch or System Center) to erase just those files. That will work on both x86 and ARM devices running Windows RT.
Senior Director Stella Chernyak summed the combination up as Microsoft's answer to the BYOD trend. "As a user I can bring my personal device to work and easily join a corporate network with workplace join, and the company has a way to have my device recognised so when they expose the company data they know what device they're exposing it to. They don't manage the devices, they manage their corporate information, they control who has access - and they can remotely wipe business data and apps from that personal device if I'm leaving the company."
Now check out the other features in Windows 8.1. You can also check out the video below for a quick round-up: