Risk
11/5/2012
04:48 PM
Connect Directly
RSS
E-Mail
50%
50%

Windows 8 Security Improvements Carry Caveats

Many new Windows 8 security features were previously available standalone, or require businesses to buy in to Microsoft's server and cloud vision.

6 Reasons To Want Windows 8 Ultrabooks
6 Reasons To Want Windows 8 Ultrabooks
(click image for larger view and for slideshow)
Should businesses upgrade to Windows 8?

The benefits on offer include a raft of security improvements, such as Secure Boot, which uses the BIOS replacement known as Unified Extensible Firmware Interface (UEFI) to make it difficult for rootkits to gain a foothold. In addition, anti-malware software comes built in and loads early, and improvements to ASLR and DEP mitigation technologies help block more types of exploits.

But the Windows 8 security improvements carry caveats. For starters, some remain relatively untested. Others, such as improved access controls, require using Windows Server 2012 as well, or else Microsoft's own cloud-based storage system. As that suggests, realizing all of the advertised security benefits might require additional investments.

[ Read Windows 8: Why I Won't Upgrade. ]

Here are five related facts to help businesses weigh a move to Windows 8:

1. DirectAccess VPN Now IPv4-Compatible.

Hands down, one of the biggest security improvements is DirectAccess VPN, which can be configured to force a Windows 8 system to use a VPN whenever it's not connected to a corporate network; for example, when a user is logging on via a cafe, airport lounge, or hotel, said Chester Wisniewski, a senior security advisor at Sophos Canada, speaking by phone.

When initially launched with Windows 7, DirectAccess only worked with IPv6. Now, however, it's been made to work with IPv4 too. "The idea of DirectAccess being automatic no matter what you're doing -- if you're not connecting to the corporate network -- is brilliant, it's what every VPN for the last 20 years should have been doing, but nobody ... has done that," he said.

2. Bevy Of Minor Improvements.

Overall, however, few of the security improvements in Windows 8 are game changing. "Secure Boot is the biggest change, that took a big move, and is the standout thing they've done," said Wisniewski. Still, it only works with latest-generation PC hardware that has UEFI built in, meaning that any business that upgrades its operating system, but not its hardware, won't yet benefit.

Beyond Secure Boot, "the rest of it is pretty iterative," Wisniewski said, pointing in particular to the built-in anti-malware and better BitLocker.

3. Modern UI Loses Important Security Cues.

Windows 8 also sports a new, tablet-focused user interface. "With the radical user interface changes, you may lose, or you may gain," said Wisniewski. Notably, the interface can omit key details that help keep users secure, for example in Internet Explorer. "With IE10, in the Modern user interface--or Metro UI, as it was called--you don't see the location bar or padlock when you're surfing. By default, your browsing is in full-screen mode," he said. "So you lose that context; you no longer have an idea that you're being phished, because you can no longer see that the URL is badguy.ru."

This issue isn't limited to Windows 8. "If you're on an iPad, you can't see the link you're going to until you click on it," he said. "To me, with phones and tablets, you lose some of the context that's important, and unfortunately Windows 8 has undone that as well."

4. Windows To Go, With Cloud Support.

Windows 8 -- enterprise edition only -- adds the ability to store a whole, bootable version of a user's Windows 8 environment on a USB key. "The cool part of it is that it blocks access to all the local media. So if you had an infected machine at a library, airport, or hotel, and plugged in your Windows 8 media stick and turned it on, even if you're infected to tarnation [on the machine], you're good to go," said Wisniewski.

But there's a caveat: Users either need to have updated their USB stick immediately before using it, or else store any documents they want to retrieve on Microsoft SkyDrive. "To make Windows To Go useful, you have to embrace the whole Microsoft cloud model," said Wisniewski.

5. SmartScreen Borrows Apple Business Plan.

Microsoft has extended the SmartScreen technology it introduced with IE9 -- to check online file downloads against a known-bad list of malicious files, and offer related warnings -- to the operating system. Now, Windows 8 checks any application a user wants to install to see if it's been digitally signed and can be trusted.

Although this can have security upsides, it's also a business play: Like Apple, Microsoft would prefer that users purchase approved -- and theoretically, trustworthy -- applications via its Windows Store, or else from the employee's corporate app store.

"What Microsoft wants is [for] you to buy everything from the Microsoft Store," said Wisniewski. "The only prompt is, do you want to pay $3.99?" The question, accordingly, is whether Microsoft can offer an app store that's as secure as the one Apple provides, while simultaneously blocking malware from pretending to be the app store. "I think [Microsoft] will probably do a pretty darn good job of it, but it's going to be six months before we can really judge that," he said.

Upgrading isn't the easy decision that Win 7 was. We take a close look at Server 2012, changes to mobility and security, and more in the new Here Comes Windows 8 issue of InformationWeek. Also in this issue: Why you should have the difficult conversations about the value of OS and PC upgrades before discussing Windows 8. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
moarsauce123
50%
50%
moarsauce123,
User Rank: Apprentice
11/10/2012 | 2:35:14 PM
re: Windows 8 Security Improvements Carry Caveats
Requiring Server 2012 deployment is hardly 'minor'.
RobMark
50%
50%
RobMark,
User Rank: Apprentice
11/6/2012 | 7:14:27 PM
re: Windows 8 Security Improvements Carry Caveats
Most of the "caveats" are minor.
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-6335
Published: 2014-08-26
The Backup-Archive client in IBM Tivoli Storage Manager (TSM) for Space Management 5.x and 6.x before 6.2.5.3, 6.3.x before 6.3.2, 6.4.x before 6.4.2, and 7.1.x before 7.1.0.3 on Linux and AIX, and 5.x and 6.x before 6.1.5.6 on Solaris and HP-UX, does not preserve file permissions across backup and ...

CVE-2014-0480
Published: 2014-08-26
The core.urlresolvers.reverse function in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 does not properly validate URLs, which allows remote attackers to conduct phishing attacks via a // (slash slash) in a URL, which triggers a scheme-relative URL ...

CVE-2014-0481
Published: 2014-08-26
The default configuration for the file upload handling system in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 uses a sequential file name generation process when a file with a conflicting name is uploaded, which allows remote attackers to cause a d...

CVE-2014-0482
Published: 2014-08-26
The contrib.auth.middleware.RemoteUserMiddleware middleware in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3, when using the contrib.auth.backends.RemoteUserBackend backend, allows remote authenticated users to hijack web sessions via vectors relate...

CVE-2014-0483
Published: 2014-08-26
The administrative interface (contrib.admin) in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 does not check if a field represents a relationship between models, which allows remote authenticated users to obtain sensitive information via a to_field ...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
This episode of Dark Reading Radio looks at infosec security from the big enterprise POV with interviews featuring Ron Plesco, Cyber Investigations, Intelligence & Analytics at KPMG; and Chris Inglis & Chris Bell of Securonix.