Risk
11/5/2012
04:48 PM
Connect Directly
RSS
E-Mail
50%
50%

Windows 8 Security Improvements Carry Caveats

Many new Windows 8 security features were previously available standalone, or require businesses to buy in to Microsoft's server and cloud vision.

6 Reasons To Want Windows 8 Ultrabooks
6 Reasons To Want Windows 8 Ultrabooks
(click image for larger view and for slideshow)
Should businesses upgrade to Windows 8?

The benefits on offer include a raft of security improvements, such as Secure Boot, which uses the BIOS replacement known as Unified Extensible Firmware Interface (UEFI) to make it difficult for rootkits to gain a foothold. In addition, anti-malware software comes built in and loads early, and improvements to ASLR and DEP mitigation technologies help block more types of exploits.

But the Windows 8 security improvements carry caveats. For starters, some remain relatively untested. Others, such as improved access controls, require using Windows Server 2012 as well, or else Microsoft's own cloud-based storage system. As that suggests, realizing all of the advertised security benefits might require additional investments.

[ Read Windows 8: Why I Won't Upgrade. ]

Here are five related facts to help businesses weigh a move to Windows 8:

1. DirectAccess VPN Now IPv4-Compatible.

Hands down, one of the biggest security improvements is DirectAccess VPN, which can be configured to force a Windows 8 system to use a VPN whenever it's not connected to a corporate network; for example, when a user is logging on via a cafe, airport lounge, or hotel, said Chester Wisniewski, a senior security advisor at Sophos Canada, speaking by phone.

When initially launched with Windows 7, DirectAccess only worked with IPv6. Now, however, it's been made to work with IPv4 too. "The idea of DirectAccess being automatic no matter what you're doing -- if you're not connecting to the corporate network -- is brilliant, it's what every VPN for the last 20 years should have been doing, but nobody ... has done that," he said.

2. Bevy Of Minor Improvements.

Overall, however, few of the security improvements in Windows 8 are game changing. "Secure Boot is the biggest change, that took a big move, and is the standout thing they've done," said Wisniewski. Still, it only works with latest-generation PC hardware that has UEFI built in, meaning that any business that upgrades its operating system, but not its hardware, won't yet benefit.

Beyond Secure Boot, "the rest of it is pretty iterative," Wisniewski said, pointing in particular to the built-in anti-malware and better BitLocker.

3. Modern UI Loses Important Security Cues.

Windows 8 also sports a new, tablet-focused user interface. "With the radical user interface changes, you may lose, or you may gain," said Wisniewski. Notably, the interface can omit key details that help keep users secure, for example in Internet Explorer. "With IE10, in the Modern user interface--or Metro UI, as it was called--you don't see the location bar or padlock when you're surfing. By default, your browsing is in full-screen mode," he said. "So you lose that context; you no longer have an idea that you're being phished, because you can no longer see that the URL is badguy.ru."

This issue isn't limited to Windows 8. "If you're on an iPad, you can't see the link you're going to until you click on it," he said. "To me, with phones and tablets, you lose some of the context that's important, and unfortunately Windows 8 has undone that as well."

4. Windows To Go, With Cloud Support.

Windows 8 -- enterprise edition only -- adds the ability to store a whole, bootable version of a user's Windows 8 environment on a USB key. "The cool part of it is that it blocks access to all the local media. So if you had an infected machine at a library, airport, or hotel, and plugged in your Windows 8 media stick and turned it on, even if you're infected to tarnation [on the machine], you're good to go," said Wisniewski.

But there's a caveat: Users either need to have updated their USB stick immediately before using it, or else store any documents they want to retrieve on Microsoft SkyDrive. "To make Windows To Go useful, you have to embrace the whole Microsoft cloud model," said Wisniewski.

5. SmartScreen Borrows Apple Business Plan.

Microsoft has extended the SmartScreen technology it introduced with IE9 -- to check online file downloads against a known-bad list of malicious files, and offer related warnings -- to the operating system. Now, Windows 8 checks any application a user wants to install to see if it's been digitally signed and can be trusted.

Although this can have security upsides, it's also a business play: Like Apple, Microsoft would prefer that users purchase approved -- and theoretically, trustworthy -- applications via its Windows Store, or else from the employee's corporate app store.

"What Microsoft wants is [for] you to buy everything from the Microsoft Store," said Wisniewski. "The only prompt is, do you want to pay $3.99?" The question, accordingly, is whether Microsoft can offer an app store that's as secure as the one Apple provides, while simultaneously blocking malware from pretending to be the app store. "I think [Microsoft] will probably do a pretty darn good job of it, but it's going to be six months before we can really judge that," he said.

Upgrading isn't the easy decision that Win 7 was. We take a close look at Server 2012, changes to mobility and security, and more in the new Here Comes Windows 8 issue of InformationWeek. Also in this issue: Why you should have the difficult conversations about the value of OS and PC upgrades before discussing Windows 8. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
moarsauce123
50%
50%
moarsauce123,
User Rank: Apprentice
11/10/2012 | 2:35:14 PM
re: Windows 8 Security Improvements Carry Caveats
Requiring Server 2012 deployment is hardly 'minor'.
RobMark
50%
50%
RobMark,
User Rank: Apprentice
11/6/2012 | 7:14:27 PM
re: Windows 8 Security Improvements Carry Caveats
Most of the "caveats" are minor.
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-2963
Published: 2014-07-10
Multiple cross-site scripting (XSS) vulnerabilities in group/control_panel/manage in Liferay Portal 6.1.2 CE GA3, 6.1.X EE, and 6.2.X EE allow remote attackers to inject arbitrary web script or HTML via the (1) _2_firstName, (2) _2_lastName, or (3) _2_middleName parameter.

CVE-2014-3310
Published: 2014-07-10
The File Transfer feature in WebEx Meetings Client in Cisco WebEx Meetings Server and WebEx Meeting Center does not verify that a requested file was an offered file, which allows remote attackers to read arbitrary files via a modified request, aka Bug IDs CSCup62442 and CSCup58463.

CVE-2014-3311
Published: 2014-07-10
Heap-based buffer overflow in the file-sharing feature in WebEx Meetings Client in Cisco WebEx Meetings Server and WebEx Meeting Center allows remote attackers to execute arbitrary code via crafted data, aka Bug IDs CSCup62463 and CSCup58467.

CVE-2014-3315
Published: 2014-07-10
Cross-site scripting (XSS) vulnerability in viewfilecontents.do in the Dialed Number Analyzer (DNA) component in Cisco Unified Communications Manager allows remote attackers to inject arbitrary web script or HTML via an unspecified parameter, aka Bug ID CSCup76308.

CVE-2014-3316
Published: 2014-07-10
The Multiple Analyzer in the Dialed Number Analyzer (DNA) component in Cisco Unified Communications Manager allows remote authenticated users to bypass intended upload restrictions via a crafted parameter, aka Bug ID CSCup76297.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Marilyn Cohodas and her guests look at the evolving nature of the relationship between CIO and CSO.