While not an all-encompassing review of the security features available in Windows 8, in this slideshow, Paul Henry, security and forensic analyst at Lumension, takes a quick look at some of the more noteworthy capabilities in this latest iteration from Microsoft.
Windows Defender has evolved from an anti-spyware product into a reasonably capable anti-malware product. Predictably, a commercial AV vendor recently tried to take Windows Defender to task, claiming that in its testing Windows Defender allowed 16 percent of malware samples to infect a Windows 8 PC. According to Henry, signature-based AV is obsolete, so he looked instead at the AV-Comparatives testing of heuristic (proactive) detection, which goes well beyond traditional signature matching, and found several commercial products that fell well below Windows Defender's effectiveness: 13 of the 17 products tested only equaled or fell below Windows Defender's heuristic detection rate. Even with behavioral protection added to the mix, Windows Defender still beat four of the 17 well-established commercial products tested. For a new offering right out of the gate, Windows Defender is sure to raise the bar for AV products.
With that being said, Henry says you really need to look at the bigger picture. Even a solution that blocks 99 percent of malware is not an effective sole defense in an environment where we are seeing 75,000 new malicious programs every day and a database of known unique malware instances that has now exceeded 90,000,000. Do the math: at 99 percent effectiveness, 750 pieces of malware (one percent of 75,000) get through undetected every day, and you remain potentially exposed to 900,000 unique instances of malware (one percent of 90,000,000) that are already known.
Bottom line: Windows Defender, as a free product from Microsoft, is poised to offer better protection than many commercial AV products, but it shouldn’t be your only defense.
Windows 8 is built for UEFI, the Unified Extensible Firmware Interface, rather than the traditional BIOS (it still installs on legacy BIOS machines, but the boot protection described here requires UEFI firmware). UEFI itself is not controversial; one of its features, “Secure Boot,” certainly is. With Secure Boot enabled, the firmware refuses to hand control to a boot loader unless the loader carries a digital signature that chains to a certificate in the firmware's signature database (“db”) and is not listed in its forbidden-signature database (“dbx”). The firmware verifies that signature on the boot loader code it reads from disk into memory before it lets the processor execute it, which mitigates the risk of a malicious “boot-kit” running at boot to establish persistent malware. In weighing Secure Boot's benefits, you must consider that attackers have stolen code-signing certificates in the past and used them to sign malware; a loader signed with a stolen key that chains to a trusted certificate would pass the firmware's check until that key is revoked through an update to dbx. With that line of thinking, the jury is still out on the UEFI Secure Boot benefits.
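The practical check on the caveat above is to look at what the firmware actually trusts and what it has revoked. The following script is an added example, not part of Henry's slideshow or any Microsoft documentation; it uses the SecureBoot cmdlets that ship with Windows 8 and parses the EFI_SIGNATURE_LIST structures that db and dbx contain. The two signature-type GUIDs are the UEFI specification's constants; everything else is assumed to run from an elevated PowerShell session on UEFI firmware.

```powershell
# Added example: report Secure Boot state, the signers the firmware trusts (db)
# and the entries it has revoked (dbx). Run elevated on a Windows 8 UEFI machine.
$X509Guid   = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'   # EFI_CERT_X509_GUID
$Sha256Guid = [guid]'c1c41626-504c-4092-aca9-41f936934328'   # EFI_CERT_SHA256_GUID

function Read-EfiSignatureLists {
    # Walks the EFI_SIGNATURE_LIST structures packed back-to-back in a db/dbx value.
    param([byte[]]$Bytes)
    $pos = 0
    while ($pos + 28 -le $Bytes.Length) {
        $type       = New-Object guid -ArgumentList (,[byte[]]$Bytes[$pos..($pos + 15)])
        $listSize   = [int][BitConverter]::ToUInt32($Bytes, $pos + 16)
        $headerSize = [int][BitConverter]::ToUInt32($Bytes, $pos + 20)
        $sigSize    = [int][BitConverter]::ToUInt32($Bytes, $pos + 24)
        if ($listSize -le 0 -or $sigSize -le 16) { break }     # malformed list; stop rather than spin
        $cursor = $pos + 28 + $headerSize
        $end    = $pos + $listSize
        while ($cursor + $sigSize -le $end) {
            # EFI_SIGNATURE_DATA = 16-byte SignatureOwner GUID followed by SignatureData
            $data = [byte[]]$Bytes[($cursor + 16)..($cursor + $sigSize - 1)]
            if ($type -eq $X509Guid) {
                $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$data)
                [pscustomobject]@{ Kind = 'X509'; Value = $cert.Subject; Expires = $cert.NotAfter }
            } elseif ($type -eq $Sha256Guid) {
                $hex = ($data | ForEach-Object { $_.ToString('x2') }) -join ''
                [pscustomobject]@{ Kind = 'SHA256'; Value = $hex; Expires = $null }
            } else {
                [pscustomobject]@{ Kind = $type.ToString(); Value = "$sigSize bytes"; Expires = $null }
            }
            $cursor += $sigSize
        }
        $pos = $end
    }
}

if (-not (Confirm-SecureBootUEFI)) {
    Write-Warning 'Secure Boot is OFF: the firmware will execute an unsigned boot loader.'
}
$db  = Get-SecureBootUEFI -Name db
$dbx = Get-SecureBootUEFI -Name dbx
'Trusted signers (db):'
Read-EfiSignatureLists $db.Bytes  | Format-Table Kind, Value, Expires -AutoSize
'Revoked entries (dbx), by type:'
Read-EfiSignatureLists $dbx.Bytes | Group-Object Kind | Select-Object Name, Count
```

On a typical Windows 8 PC the db listing shows the Microsoft Windows Production PCA and the Microsoft UEFI CA (the latter is what signs third-party loaders), and the dbx count tells you whether revocations have ever been applied. A machine with an empty dbx is one where a stolen-key loader would never be blocked, which is exactly the scenario the paragraph above worries about.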
Windows 8 also includes improvements to Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP). ASLR randomizes the layout of a process's address space so an attacker cannot reliably predict where code and data sit in memory, while DEP marks pages that hold data as non-executable so that shellcode injected onto the stack or heap cannot run. Windows 8 extends ASLR with randomization of bottom-up and top-down allocations, high-entropy randomization for 64-bit images, and a Force ASLR option that randomizes images not built with ASLR support. These improvements are combined with the new Windows 8 application sandbox (the AppContainer in which Windows Store apps run), which limits what a compromised application can reach. Together they mean the bad guys will be fighting an uphill battle to deliver reliable exploits for Windows 8.
It is also worth noting that there are other new mitigations in the kernel that go well beyond the ASLR and DEP work: integrity checks in the kernel pool allocator that catch corrupted allocation lists, randomization of the kernel's own address space along the same lines as the user-mode improvements, and a block on mapping the first 64 KB of a process's address space so that a kernel NULL-pointer dereference can no longer be turned into code execution.
One of the weaknesses of ASLR and DEP has been that they rely on the programmer opting in: an executable is only randomized if it was linked with /DYNAMICBASE, and under the default “OptIn” DEP policy a 32-bit application only gets DEP if it was linked with /NXCOMPAT (Force ASLR and the system-wide “AlwaysOn” DEP policy can override these choices). Marking data in memory as non-executable is not itself new; hardware DEP has used the CPU's “NX” (no-execute) bit since Windows XP SP2. What is new in Windows 8 is that an NX-capable CPU is a hard installation requirement, so DEP is always available on every Windows 8 machine. The trade-off is that Windows 8 will not run on older CPUs that lack the NX capability.
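Because the opt-in problem lives in the binary, the way to audit it is to read the system DEP policy and then inspect the PE header of each application you care about. The script below is an added example, not from the slideshow; the file paths it checks are assumptions. It reads the `DllCharacteristics` field of the PE optional header, which sits at the same offset (70) in both PE32 and PE32+ images, and decodes the three mitigation flags the linker sets.

```powershell
# Added example: audit DEP and ASLR opt-in on Windows 8. Part 1 reads the system-wide DEP
# policy from WMI; part 2 parses a PE file's optional header for the /NXCOMPAT, /DYNAMICBASE
# and /HIGHENTROPYVA flags. File paths below are assumptions.

function Get-DepPolicy {
    # DataExecutionPrevention_SupportPolicy: 0 = AlwaysOff, 1 = AlwaysOn, 2 = OptIn (default), 3 = OptOut
    $os    = Get-WmiObject -Class Win32_OperatingSystem
    $names = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }
    [pscustomobject]@{
        HardwareDepAvailable = $os.DataExecutionPrevention_Available
        Policy               = $names[[int]$os.DataExecutionPrevention_SupportPolicy]
        Covers32BitApps      = $os.DataExecutionPrevention_32BitApplications
    }
}

function Get-PeMitigationFlags {
    param([Parameter(Mandatory)][string]$Path)
    $b = [System.IO.File]::ReadAllBytes($Path)
    if ($b.Length -lt 0x40 -or $b[0] -ne 0x4D -or $b[1] -ne 0x5A) { throw "$Path is not an MZ executable" }
    $peOffset = [BitConverter]::ToInt32($b, 0x3C)                       # e_lfanew
    if ([BitConverter]::ToUInt32($b, $peOffset) -ne 0x00004550) { throw "$Path has no PE signature" }
    $optHdr = $peOffset + 4 + 20                                          # skip "PE\0\0" and the COFF header
    $magic  = [BitConverter]::ToUInt16($b, $optHdr)                       # 0x10B = PE32, 0x20B = PE32+
    $dllChars = [BitConverter]::ToUInt16($b, $optHdr + 70)                # DllCharacteristics, same offset in both
    [pscustomobject]@{
        File          = Split-Path -Leaf $Path
        Is64Bit       = ($magic -eq 0x20B)
        DynamicBase   = [bool]($dllChars -band 0x0040)   # IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE (/DYNAMICBASE)
        HighEntropyVA = [bool]($dllChars -band 0x0020)   # IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA (64-bit only)
        NxCompat      = [bool]($dllChars -band 0x0100)   # IMAGE_DLLCHARACTERISTICS_NX_COMPAT (/NXCOMPAT)
    }
}

Get-DepPolicy
Get-PeMitigationFlags "$env:SystemRoot\System32\notepad.exe"
Get-PeMitigationFlags 'C:\LegacyApp\oldtool.exe'    # assumed path: a third-party binary you are vetting
```

A binary that reports `DynamicBase = False` is the case the paragraph describes: on Windows 8 it will only be randomized if Force ASLR is applied to it, and a 32-bit binary with `NxCompat = False` runs without DEP unless the policy returned by `Get-DepPolicy` is `AlwaysOn` or `OptOut`.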
Another interesting new security feature built into Windows 8 is support for “Supervisor Mode Execution Protection” (SMEP), available on today's Intel Ivy Bridge CPUs. When the kernel enables SMEP, the CPU raises a fault if code running in supervisor (kernel) mode attempts to execute instructions from a page marked as ‘user’ rather than ‘kernel.’ Since the kernel never legitimately executes code from user pages, this shuts down the common kernel exploit technique of placing shellcode in user-mode memory and redirecting a kernel pointer to it. This is another security feature that will complicate the development of reliable and repeatable kernel exploits.
BitLocker To Go, the removable-drive encryption introduced in Windows 7, carries over to Windows 8. What is new is where the recovery key can go: on a PC that is not domain-joined, a user can back up the BitLocker recovery key to the SkyDrive account tied to his Microsoft account, so a forgotten password no longer means a lost drive. On domain-joined machines the recovery information should still be escrowed to Active Directory under Group Policy rather than to a personal cloud account.
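Windows 8 also adds a BitLocker PowerShell module, which makes the recovery-key decision explicit rather than something the wizard chooses for the user. The script below is an added example, not from the slideshow or from Microsoft; the drive letter and output path are assumptions. It encrypts a removable drive with BitLocker To Go, adds a recovery password as a second protector, and escrows that password to Active Directory on a domain member or writes it to a file elsewhere on a stand-alone machine.

```powershell
# Added example: protect a removable drive with BitLocker To Go and control where the
# recovery password is escrowed. Run elevated; $Drive and the output path are assumptions.
$Drive = 'E:'                                                     # assumed: the USB drive to protect
$pw = Read-Host -AsSecureString 'Password to unlock the drive'

# Start encryption with a password protector. UsedSpaceOnly (new in Windows 8) finishes
# quickly on a fresh drive; drop it for a drive that has held data before.
Enable-BitLocker -MountPoint $Drive -PasswordProtector -Password $pw -EncryptionMethod Aes256 -UsedSpaceOnly

# Add a 48-digit recovery password as a second protector and read it back.
Add-BitLockerKeyProtector -MountPoint $Drive -RecoveryPasswordProtector | Out-Null
$vol = Get-BitLockerVolume -MountPoint $Drive
$rp  = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }

if ((Get-WmiObject -Class Win32_ComputerSystem).PartOfDomain) {
    # Domain member: escrow to AD DS (needs the "Store BitLocker recovery information
    # in Active Directory Domain Services" policy), not to a personal SkyDrive account.
    Backup-BitLockerKeyProtector -MountPoint $Drive -KeyProtectorId $rp.KeyProtectorId
} else {
    # Stand-alone: keep the recovery password somewhere other than the drive it unlocks.
    "Recovery ID $($rp.KeyProtectorId): $($rp.RecoveryPassword)" |
        Out-File -FilePath 'C:\Secure\bitlocker-recovery.txt'       # assumed path
}
$vol | Select-Object MountPoint, VolumeStatus, EncryptionPercentage, ProtectionStatus
```

`Enable-BitLocker` returns as soon as encryption starts, so `EncryptionPercentage` will climb over subsequent calls to `Get-BitLockerVolume`; the drive is not fully protected until it reaches 100 and `ProtectionStatus` reads `On`.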
You need the Pro version of Windows 8 to join a domain and take advantage of Group Policy Objects; this is the big differentiator between the basic consumer edition and the business-oriented Pro edition. Windows 8 introduces a number of new policies, most of them around the new sign-in and lock screen experience. Here is a sampling of the policies Henry highlights (a few, such as the run-list and classic logon policies, predate Windows 8 but remain relevant to locking down the logon path):
- Assign default domain for login
- Turn off PIN login and picture password login
- Exclude external credential providers
- Do not process the legacy run list
- Do not process the run once list
- Turn off App Notifications on the lock screen
- Turn off Windows Startup Sound
- Do not enumerate connected users on domain joined computers
- Enumerate local users on domain joined computers
- Hide entry points for Fast User Switching
- Always use classic login
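Several of the policies above are plain registry-backed settings, which means they can be scripted into a GPO with the GroupPolicy module instead of being clicked through the editor. The script below is an added example, not from the slideshow or from Microsoft. The GPO name, the target OU and the report path are assumptions; the registry value names are the ones the corresponding ADMX policies write, so confirm them against the System.admx and WinLogon.admx shipped with your Windows 8 templates before relying on them.

```powershell
# Added example: build a GPO for the Windows 8 logon and lock screen policies and link it
# to a workstation OU. Needs the GroupPolicy module (RSAT or a domain controller).
Import-Module GroupPolicy
$GpoName = 'Win8 Logon Hardening'                          # assumed
$Target  = 'OU=Workstations,DC=corp,DC=example,DC=com'     # assumed
$Report  = 'C:\Reports\win8-logon.html'                    # assumed

$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $GpoName -Comment 'Windows 8 sign-in and lock screen policies' }

$System  = 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$Logon   = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\System'
$settings = @(
    # "Do not enumerate connected users on domain joined computers"
    @{ Key = $System; Name = 'DontEnumerateConnectedUsers';       Value = 1 },
    # "Enumerate local users on domain joined computers" (0 keeps local accounts off the logon screen)
    @{ Key = $System; Name = 'EnumerateLocalUsers';               Value = 0 },
    # "Turn off app notifications on the lock screen"
    @{ Key = $System; Name = 'DisableLockScreenAppNotifications'; Value = 1 },
    # "Hide entry points for Fast User Switching"
    @{ Key = $System; Name = 'HideFastUserSwitching';             Value = 1 },
    # "Turn off picture password sign-in" for domain accounts
    @{ Key = $Logon;  Name = 'BlockDomainPicturePassword';        Value = 1 },
    # "Turn on PIN sign-in" left disabled for domain accounts
    @{ Key = $Logon;  Name = 'AllowDomainPINLogon';               Value = 0 }
)
foreach ($s in $settings) {
    Set-GPRegistryValue -Name $GpoName -Key $s.Key -ValueName $s.Name -Type DWord -Value $s.Value | Out-Null
}

# Link it (errors harmlessly if a link already exists) and keep an HTML record of what was set.
New-GPLink -Name $GpoName -Target $Target -LinkEnabled Yes -ErrorAction SilentlyContinue
Get-GPOReport -Name $GpoName -ReportType Html -Path $Report
```

The enumeration settings are the ones worth getting right first: leaving connected and local users listed on the logon screen hands an attacker with physical access a ready-made list of valid account names.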
First introduced in Windows 7, AppLocker is Microsoft's application control solution. It works with either blacklists (deny rules) or whitelists (allow rules); once an allow rule exists for a file type, anything of that type not covered by a rule is denied. With AppLocker, an administrator can create policies that restrict or allow specific applications from being installed or run by users, matching on publisher signature, file hash or path. In the Windows 8 version, AppLocker has evolved to manage both traditional desktop applications and the new packaged (Metro) apps. While it is perhaps not as comprehensive as other whitelisting/application control solutions, it is a step in the right direction. The most glaring differentiator between AppLocker and current-generation whitelisting/application control products is the lack of a trust model, under which software introduced by a trusted updater or installer is admitted to the whitelist automatically. Such a model is important for reducing the administrative burden of both implementing and maintaining an effective enterprise-wide whitelisting/application control solution.
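The whole lifecycle described above (build rules from what is installed, test, then enforce) can be driven from the AppLocker PowerShell module. The script below is an added example, not from the slideshow or from Microsoft; the policy path and the candidate file are assumptions. One caveat the page does not mention: Windows 8 only enforces AppLocker rules on the Enterprise edition, so a policy authored on Pro is a dry run until it reaches an Enterprise machine.

```powershell
# Added example: author an AppLocker policy covering desktop and packaged apps, dry-run it
# against a file, then apply it in audit mode. Paths are assumptions; run elevated.
Import-Module AppLocker

$policyPath = 'C:\Policies\applocker.xml'            # assumed
$candidate  = 'C:\Users\alice\Downloads\tool.exe'    # assumed: an unknown binary to check

# Desktop binaries: publisher rules where signed (they survive vendor updates),
# hash rules for the rest (they break on every update, which is the maintenance burden).
$desktop = Get-AppLockerFileInformation -Directory 'C:\Program Files' -Recurse -FileType Exe, Dll, Script |
    New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Optimize

# Packaged (Metro) apps are always signed, so only publisher rules apply to them.
$packaged = Get-AppxPackage -AllUsers | Get-AppLockerFileInformation |
    New-AppLockerPolicy -RuleType Publisher -User Everyone -Optimize
$desktop.Merge($packaged)

# Start every rule collection in audit mode; would-be blocks are logged under
# Applications and Services Logs > Microsoft > Windows > AppLocker instead of enforced.
$xml = [xml]$desktop.ToXml()
foreach ($rc in $xml.AppLockerPolicy.RuleCollection) { $rc.EnforcementMode = 'AuditOnly' }
$xml.Save($policyPath)

# Dry-run the policy against a file before anyone has to live with it.
Test-AppLockerPolicy -XmlPolicy $policyPath -Path $candidate -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Apply locally (use -Ldap instead to write into a GPO) and make sure the enforcing service runs.
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc
```

Once the audit log has been quiet for a representative period, change `AuditOnly` to `Enabled` in the XML and re-apply. The `Test-AppLockerPolicy` step is also the cheapest way to see the missing trust model at work: every new version of a hash-ruled binary comes back as `Denied` until someone regenerates the rule.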
Not to be left out of the ongoing bring your own device (BYOD) wave, Windows 8 supports “Windows To Go.” Administrators can build a corporate image of Windows 8 and provision it onto a 32 GB (or larger) USB stick, which can then be booted on any x64 PC at any location, whether or not that PC is connected to the enterprise network. Because it is a corporate-defined image, it can include the full complement of Windows 8 security features (BitLocker, AppLocker, Group Policy), so the administrator effectively has full control of the user's USB-booted endpoint even though the hardware is the user's own. Windows To Go is a Windows 8 Enterprise feature, so it is not part of the Pro edition discussed above.
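The workspace can be built with the in-box tools rather than the Control Panel wizard, which is useful when the build needs to be repeatable. The script below is an added example, not from the slideshow or from Microsoft; the disk number and the WIM path are assumptions, and the diskpart section wipes whatever disk it is pointed at, so the script refuses to proceed unless that disk reports a USB bus type.

```powershell
# Added example: provision a Windows To Go workspace with diskpart, DISM and bcdboot.
# Requires Windows 8 Enterprise media. WARNING: "clean" wipes the selected disk.
$DiskNumber = 2                           # assumed: confirm with Get-Disk before running
$Wim        = 'D:\sources\install.wim'    # assumed: mounted Windows 8 Enterprise media
$Index      = 1                           # assumed: image index inside the WIM

$usb = Get-Disk -Number $DiskNumber
if ($usb.BusType -ne 'USB') { throw "Disk $DiskNumber is on a $($usb.BusType) bus, not USB; refusing to wipe it." }

# 350 MB FAT32 system partition (S:) for boot files, NTFS partition (W:) for Windows itself.
@"
select disk $DiskNumber
clean
create partition primary size=350
format fs=fat32 quick
active
assign letter=S
create partition primary
format fs=ntfs quick
assign letter=W
exit
"@ | diskpart

# Lay down the corporate image.
dism /Apply-Image /ImageFile:$Wim /Index:$Index /ApplyDir:W:\

# SAN policy 4 (OfflineInternal) keeps the host PC's internal disks offline when the
# workspace boots, so corporate data is not written to, and cannot be read from, the host.
$sanPolicy = "$env:TEMP\san_policy.xml"
@"
<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="offlineServicing">
    <component name="Microsoft-Windows-PartitionManager" processorArchitecture="amd64"
               publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
      <SanPolicy>4</SanPolicy>
    </component>
  </settings>
</unattend>
"@ | Set-Content -Path $sanPolicy -Encoding UTF8
dism /Image:W:\ /Apply-Unattend:$sanPolicy

# Write both BIOS and UEFI boot files so the stick boots on either firmware type.
bcdboot W:\Windows /s S: /f ALL
```

After the stick boots for the first time, the same BitLocker and AppLocker steps shown earlier apply to it as to any other endpoint; the OfflineInternal SAN policy is what keeps the borrowed host's disk from becoming an unmanaged side channel for corporate data.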