Windows 8 security for business
8th Nov 2012 | 12:40
A business guide to the new security improvements in Windows 8
Hardly a week goes by without yet another data breach in the news; even if your business isn't a target for the kind of routine hacking attempts the government has been warning about, you need to care about whether your confidential information and your customer files are safe.
Additionally, you need to care about malware on your users' PCs because, at the very least, it slows them down, interferes with your productivity and clogs up your network.
So what security features can Windows 8 offer a business?
For a start, the way the Windows kernel allocates memory has been rewritten to make it harder for viruses to attack.
There are now much stricter limits on how much memory a program can ask for, so malware has to work harder to request enough memory to overflow the buffer it's supposed to fit in without getting shut down. Additionally, Windows 8 places 'guard pages' around code; if data overflows into a guard page, or if the malware hits the wrong memory while it's trying to attack, Windows can shut it down.
Memory allocations now start at random locations, rather than at predictable locations or ones derived from values that malware could change so it knows where the memory it wants to attack is. And when programs no longer need memory, Windows keeps closer track of it so viruses can't hijack it.
One reason Windows 8 won't run on some older PCs is security: if a CPU doesn't support NX (which marks memory used to store data as Non eXecutable, so code can't be run from it), it won't run Windows 8. Unlike the similar Data Execution Prevention (DEP) in Windows 7, this works whether or not software is written to use it.
New Intel Ivy Bridge CPUs also have Supervisor Mode Execution Protection (SMEP, or OS Guard as Intel calls it), which stops the CPU, while it is running kernel code, from executing anything in memory pages marked as 'user' rather than 'kernel'.
Malware protection from bootup
Having Microsoft's own anti-virus software built into Windows means PCs are protected as soon as you buy or upgrade them, and you will then have the same level of protection on all your PCs.
For a smaller office, that could be an improvement over getting an assortment of anti-virus software with each new PC you buy, especially as you don't have to worry about renewing licences at a different time for each system (or indeed, budgeting extra for PC anti-virus software).
If you choose to run different anti-virus software, make sure it supports Early Launch Anti-Malware (ELAM) as Defender does (almost all the big-name security software does, but some commercial packages haven't added this yet).
ELAM loads your anti-virus software before Windows finishes booting, so before any malware that's already on the PC can interfere with it. And if it finds malware that has tampered with the operating system, it will automatically replace the affected Windows components from the internal Side-by-Side store.
Users don't get a warning if this happens, because the principle in Windows 8 is to notify you only when there's something you can actually do; instead it records an event in the Action Centre and in the security log, so you'll see it if you're monitoring PC security remotely.
Getting malware onto a PC will be a little harder now that the SmartScreen service is built into Windows; this is the reputation checking service for executable files that's in IE 9 and 10, but it now checks files you access from a network share or USB drive as well as executables you download with a different browser.
Instead of looking for virus signatures SmartScreen checks whether the file you're looking at is frequently and safely downloaded or if it's a new file that hasn't been seen before even though it has the same filename as a commonly used program.
It doesn't replace anti-virus software, but it's a useful extra check and it might catch a new piece of malware that anti-virus software doesn't yet have a signature for.
Moving beyond password security
Forcing users to type in a complex password on a tablet isn't popular because it's just too awkward, even on a decent touchscreen keyboard. Picture password in Windows 8 lets you draw your choice of three gestures onto a picture of your own to unlock your PC.
Assuming you don't pick obvious gestures for the picture, and assuming that you touch the screen to operate Windows after you've unlocked the PC so those gestures aren't the only smears on the screen, this should be secure enough to protect your PC (and it's certainly more secure than not setting a password).
If you need a much more secure approach, Windows 8 on new hardware lets you have one without the cost and complexity of extra hardware for two-factor authentication.
New PCs that come with Windows 8 use UEFI rather than BIOS and, for the first time, they use UEFI's Secure Boot option. This ships with a database of OS signatures, so PCs can check that all the operating system components trying to load at boot are correctly signed. (If you're downgrading a PC that came with Windows 8, remember to disable Secure Boot in the UEFI settings first.) OEMs will have ways to update that database and to revoke any certificates that get compromised, and larger businesses will also be able to manage certificates themselves.
Many more PCs – including all Clover Trail Atom devices as well as Windows RT tablets – have the Trusted Platform Module (TPM) that has previously shown up only in premium business PCs. A TPM adds an extra layer of security with Measured Boot: the TPM calculates a fingerprint for all the boot components of Windows that start before your anti-malware software, and checks whether any of those components have changed the next time you boot. Combined with ELAM, that means a PC can prove it hasn't been tampered with (and that works with both BIOS and UEFI systems).
You can also use the TPM as a virtual smart card; that stores a complex key securely in the TPM's credential database that you can use to authenticate to a security system so you don't have to remember a complex password, just a PIN.
In fact, TPMs are going to be so widespread that Microsoft's Chris Hallam told us some banks are considering using Windows 8 virtual smart cards as a way of letting customers log into their bank accounts securely. A bank could also check whether your PC had passed Measured Boot to decide whether to ask you extra security questions before approving a large transaction. Microsoft is going to check employees' PCs to see if they've passed Measured Boot before giving them remote access to file shares with DirectAccess.
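To show how the Measured Boot fingerprint above is built and how a remote party (the bank or DirectAccess server just described) can check it, here is an added Python simulation; it is not code from the article or from Microsoft. Each boot component is hashed into a TPM-style Platform Configuration Register (PCR) before it runs, a baseline is recorded on a clean PC, and a later boot is compared against it; the component names and images are constructed stand-ins, and the single-PCR, SHA-256 model is a simplification of what the TPM actually records.

```python
import hashlib

# Constructed stand-ins for the boot components measured before they run. On a real PC these
# would be the firmware, boot manager, OS loader, kernel and ELAM driver images themselves.
GOOD_BOOT_CHAIN = [
    ("firmware", b"UEFI firmware build 1 (constructed)"),
    ("bootmgr", b"Windows Boot Manager (constructed)"),
    ("winload", b"winload.efi (constructed)"),
    ("kernel", b"ntoskrnl.exe (constructed)"),
    ("elam_driver", b"early launch anti-malware driver (constructed)"),
]

def pcr_extend(pcr: bytes, component_digest: bytes) -> bytes:
    """TPM PCR extend: new = SHA-256(old || digest); a PCR can only be extended, never written."""
    return hashlib.sha256(pcr + component_digest).digest()

def measured_boot(chain):
    """Simulate boot: hash each component into the PCR before it runs, keeping an event log."""
    pcr, log = bytes(32), []  # PCRs are all zeros at power-on
    for name, image in chain:
        digest = hashlib.sha256(image).digest()
        pcr = pcr_extend(pcr, digest)
        log.append((name, digest.hex()))
    return pcr, log

def attest(reported_pcr: bytes, log, known_good: dict):
    """Remote verifier: replay the log into a fresh PCR and require it to match the TPM's reported
    PCR (so a tampered boot cannot hide behind a clean-looking log), then flag changed components."""
    replayed = bytes(32)
    for _, digest_hex in log:
        replayed = pcr_extend(replayed, bytes.fromhex(digest_hex))
    if replayed != reported_pcr:
        return False, ["event log does not match PCR"]
    changed = [name for name, digest_hex in log if known_good.get(name) != digest_hex]
    return not changed, changed

def tampered_chain(chain, name: str, new_image: bytes):
    """Copy of the chain with one component replaced, e.g. a modified boot manager."""
    return [(n, new_image if n == name else img) for n, img in chain]

# Baseline digests recorded while the PC is known to be clean (the enrolment step).
KNOWN_GOOD = dict(measured_boot(GOOD_BOOT_CHAIN)[1])
if __name__ == "__main__":
    good_pcr, good_log = measured_boot(GOOD_BOOT_CHAIN)
    bad_pcr, bad_log = measured_boot(tampered_chain(GOOD_BOOT_CHAIN, "bootmgr", b"modified (constructed)"))
    print("clean boot:", attest(good_pcr, good_log, KNOWN_GOOD))
    print("modified bootmgr:", attest(bad_pcr, bad_log, KNOWN_GOOD))
    print("clean log but real PCR:", attest(bad_pcr, good_log, KNOWN_GOOD))
```

The third case is why the verifier replays the log rather than trusting it: a changed component alters the PCR, and the PCR is the only value the TPM itself vouches for.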
A TPM also makes BitLocker full disk encryption (which is now included in Windows 8 Pro as well as Enterprise) more secure.
Easier Wi-Fi authentication
Better mobile broadband support in Windows 8 is great if you have built-in 3G or you want to pull out a dongle and pay for data, but Wi-Fi is nearly always faster and cheaper – it's just hard to find hotspots that you can connect to easily when you travel.
This will get easier with new standards, currently on the way, for roaming automatically onto Wi-Fi hotspots; Next Generation Hotspot and Passpoint are the two main programs. With these, you'll automatically get logged onto a hotspot that you can use, based on the credentials from your SIM but without using mobile broadband (and there will be options for doing Wi-Fi roaming on laptops without SIM slots).
Currently, if you use a Wi-Fi roaming service you have to install software to get connected; Windows 8 has the important mobile authentication protocols built in (WISPr, Wireless Internet Service Provider roaming, and three mobile EAP (Extensible Authentication Protocol) standards), so you'll be able to use new Wi-Fi roaming services without needing to install extra utilities.
The same goes for connecting to secure 802.1X Wi-Fi services that use EAP with certificates today; Windows 8 adds EAP-TTLS, which offers the same level of security but doesn't require you to distribute certificates or third-party software to every PC you want to connect. That adds convenience without compromising security.