Risk
11/5/2012
04:48 PM
Connect Directly
RSS
E-Mail
50%
50%
Repost This

Windows 8 Security Improvements Carry Caveats

Many new Windows 8 security features were previously available standalone, or require businesses to buy in to Microsoft's server and cloud vision.

6 Reasons To Want Windows 8 Ultrabooks
6 Reasons To Want Windows 8 Ultrabooks
(click image for larger view and for slideshow)
Should businesses upgrade to Windows 8?

The benefits on offer include a raft of security improvements, such as Secure Boot, which uses the BIOS replacement known as Unified Extensible Firmware Interface (UEFI) to make it difficult for rootkits to gain a foothold. In addition, anti-malware software comes built in and loads early, and improvements to ASLR and DEP mitigation technologies help block more types of exploits.

But the Windows 8 security improvements carry caveats. For starters, some remain relatively untested. Others, such as improved access controls, require using Windows Server 2012 as well, or else Microsoft's own cloud-based storage system. As that suggests, realizing all of the advertised security benefits might require additional investments.

[ Read Windows 8: Why I Won't Upgrade. ]

Here are five related facts to help businesses weigh a move to Windows 8:

1. DirectAccess VPN Now IPv4-Compatible.

Hands down, one of the biggest security improvements is DirectAccess VPN, which can be configured to force a Windows 8 system to use a VPN whenever it's not connected to a corporate network; for example, when a user is logging on via a cafe, airport lounge, or hotel, said Chester Wisniewski, a senior security advisor at Sophos Canada, speaking by phone.

When initially launched with Windows 7, DirectAccess only worked with IPv6. Now, however, it's been made to work with IPv4 too. "The idea of DirectAccess being automatic no matter what you're doing -- if you're not connecting to the corporate network -- is brilliant, it's what every VPN for the last 20 years should have been doing, but nobody ... has done that," he said.

2. Bevy Of Minor Improvements.

Overall, however, few of the security improvements in Windows 8 are game changing. "Secure Boot is the biggest change, that took a big move, and is the standout thing they've done," said Wisniewski. Still, it only works with latest-generation PC hardware that has UEFI built in, meaning that any business that upgrades its operating system, but not its hardware, won't yet benefit.

Beyond Secure Boot, "the rest of it is pretty iterative," Wisniewski said, pointing in particular to the built-in anti-malware and better BitLocker.

3. Modern UI Loses Important Security Cues.

Windows 8 also sports a new, tablet-focused user interface. "With the radical user interface changes, you may lose, or you may gain," said Wisniewski. Notably, the interface can omit key details that help keep users secure, for example in Internet Explorer. "With IE10, in the Modern user interface--or Metro UI, as it was called--you don't see the location bar or padlock when you're surfing. By default, your browsing is in full-screen mode," he said. "So you lose that context; you no longer have an idea that you're being phished, because you can no longer see that the URL is badguy.ru."

This issue isn't limited to Windows 8. "If you're on an iPad, you can't see the link you're going to until you click on it," he said. "To me, with phones and tablets, you lose some of the context that's important, and unfortunately Windows 8 has undone that as well."

4. Windows To Go, With Cloud Support.

Windows 8 -- enterprise edition only -- adds the ability to store a whole, bootable version of a user's Windows 8 environment on a USB key. "The cool part of it is that it blocks access to all the local media. So if you had an infected machine at a library, airport, or hotel, and plugged in your Windows 8 media stick and turned it on, even if you're infected to tarnation [on the machine], you're good to go," said Wisniewski.

But there's a caveat: Users either need to have updated their USB stick immediately before using it, or else store any documents they want to retrieve on Microsoft SkyDrive. "To make Windows To Go useful, you have to embrace the whole Microsoft cloud model," said Wisniewski.

5. SmartScreen Borrows Apple Business Plan.

Microsoft has extended the SmartScreen technology it introduced with IE9 -- to check online file downloads against a known-bad list of malicious files, and offer related warnings -- to the operating system. Now, Windows 8 checks any application a user wants to install to see if it's been digitally signed and can be trusted.

Although this can have security upsides, it's also a business play: Like Apple, Microsoft would prefer that users purchase approved -- and theoretically, trustworthy -- applications via its Windows Store, or else from the employee's corporate app store.

"What Microsoft wants is [for] you to buy everything from the Microsoft Store," said Wisniewski. "The only prompt is, do you want to pay $3.99?" The question, accordingly, is whether Microsoft can offer an app store that's as secure as the one Apple provides, while simultaneously blocking malware from pretending to be the app store. "I think [Microsoft] will probably do a pretty darn good job of it, but it's going to be six months before we can really judge that," he said.

Upgrading isn't the easy decision that Win 7 was. We take a close look at Server 2012, changes to mobility and security, and more in the new Here Comes Windows 8 issue of InformationWeek. Also in this issue: Why you should have the difficult conversations about the value of OS and PC upgrades before discussing Windows 8. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
moarsauce123
50%
50%
moarsauce123,
User Rank: Apprentice
11/10/2012 | 2:35:14 PM
re: Windows 8 Security Improvements Carry Caveats
Requiring Server 2012 deployment is hardly 'minor'.
RobMark
50%
50%
RobMark,
User Rank: Apprentice
11/6/2012 | 7:14:27 PM
re: Windows 8 Security Improvements Carry Caveats
Most of the "caveats" are minor.
Register for Dark Reading Newsletters
White Papers
Cartoon
Latest Comment: LOL.
Current Issue
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2011-3154
Published: 2014-04-17
DistUpgrade/DistUpgradeViewKDE.py in Update Manager before 1:0.87.31.1, 1:0.134.x before 1:0.134.11.1, 1:0.142.x before 1:0.142.23.1, 1:0.150.x before 1:0.150.5.1, and 1:0.152.x before 1:0.152.25.5 does not properly create temporary files, which allows local users to obtain the XAUTHORITY file conte...

CVE-2013-2143
Published: 2014-04-17
The users controller in Katello 1.5.0-14 and earlier, and Red Hat Satellite, does not check authorization for the update_roles action, which allows remote authenticated users to gain privileges by setting a user account to an administrator account.

CVE-2014-0036
Published: 2014-04-17
The rbovirt gem before 0.0.24 for Ruby uses the rest-client gem with SSL verification disabled, which allows remote attackers to conduct man-in-the-middle attacks via unspecified vectors.

CVE-2014-0054
Published: 2014-04-17
The Jaxb2RootElementHttpMessageConverter in Spring MVC in Spring Framework before 3.2.8 and 4.0.0 before 4.0.2 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External ...

CVE-2014-0071
Published: 2014-04-17
PackStack in Red Hat OpenStack 4.0 does not enforce the default security groups when deployed to Neutron, which allows remote attackers to bypass intended access restrictions and make unauthorized connections.

Best of the Web