Risk
11/5/2012
04:48 PM
Connect Directly
RSS
E-Mail
50%
50%

Windows 8 Security Improvements Carry Caveats

Many new Windows 8 security features were previously available standalone, or require businesses to buy in to Microsoft's server and cloud vision.

6 Reasons To Want Windows 8 Ultrabooks
6 Reasons To Want Windows 8 Ultrabooks
(click image for larger view and for slideshow)
Should businesses upgrade to Windows 8?

The benefits on offer include a raft of security improvements, such as Secure Boot, which uses the BIOS replacement known as Unified Extensible Firmware Interface (UEFI) to make it difficult for rootkits to gain a foothold. In addition, anti-malware software comes built in and loads early, and improvements to ASLR and DEP mitigation technologies help block more types of exploits.

But the Windows 8 security improvements carry caveats. For starters, some remain relatively untested. Others, such as improved access controls, require using Windows Server 2012 as well, or else Microsoft's own cloud-based storage system. As that suggests, realizing all of the advertised security benefits might require additional investments.

[ Read Windows 8: Why I Won't Upgrade. ]

Here are five related facts to help businesses weigh a move to Windows 8:

1. DirectAccess VPN Now IPv4-Compatible.

Hands down, one of the biggest security improvements is DirectAccess VPN, which can be configured to force a Windows 8 system to use a VPN whenever it's not connected to a corporate network; for example, when a user is logging on via a cafe, airport lounge, or hotel, said Chester Wisniewski, a senior security advisor at Sophos Canada, speaking by phone.

When initially launched with Windows 7, DirectAccess only worked with IPv6. Now, however, it's been made to work with IPv4 too. "The idea of DirectAccess being automatic no matter what you're doing -- if you're not connecting to the corporate network -- is brilliant, it's what every VPN for the last 20 years should have been doing, but nobody ... has done that," he said.

2. Bevy Of Minor Improvements.

Overall, however, few of the security improvements in Windows 8 are game changing. "Secure Boot is the biggest change, that took a big move, and is the standout thing they've done," said Wisniewski. Still, it only works with latest-generation PC hardware that has UEFI built in, meaning that any business that upgrades its operating system, but not its hardware, won't yet benefit.

Beyond Secure Boot, "the rest of it is pretty iterative," Wisniewski said, pointing in particular to the built-in anti-malware and better BitLocker.

3. Modern UI Loses Important Security Cues.

Windows 8 also sports a new, tablet-focused user interface. "With the radical user interface changes, you may lose, or you may gain," said Wisniewski. Notably, the interface can omit key details that help keep users secure, for example in Internet Explorer. "With IE10, in the Modern user interface--or Metro UI, as it was called--you don't see the location bar or padlock when you're surfing. By default, your browsing is in full-screen mode," he said. "So you lose that context; you no longer have an idea that you're being phished, because you can no longer see that the URL is badguy.ru."

This issue isn't limited to Windows 8. "If you're on an iPad, you can't see the link you're going to until you click on it," he said. "To me, with phones and tablets, you lose some of the context that's important, and unfortunately Windows 8 has undone that as well."

4. Windows To Go, With Cloud Support.

Windows 8 -- enterprise edition only -- adds the ability to store a whole, bootable version of a user's Windows 8 environment on a USB key. "The cool part of it is that it blocks access to all the local media. So if you had an infected machine at a library, airport, or hotel, and plugged in your Windows 8 media stick and turned it on, even if you're infected to tarnation [on the machine], you're good to go," said Wisniewski.

But there's a caveat: Users either need to have updated their USB stick immediately before using it, or else store any documents they want to retrieve on Microsoft SkyDrive. "To make Windows To Go useful, you have to embrace the whole Microsoft cloud model," said Wisniewski.

5. SmartScreen Borrows Apple Business Plan.

Microsoft has extended the SmartScreen technology it introduced with IE9 -- to check online file downloads against a known-bad list of malicious files, and offer related warnings -- to the operating system. Now, Windows 8 checks any application a user wants to install to see if it's been digitally signed and can be trusted.

Although this can have security upsides, it's also a business play: Like Apple, Microsoft would prefer that users purchase approved -- and theoretically, trustworthy -- applications via its Windows Store, or else from the employee's corporate app store.

"What Microsoft wants is [for] you to buy everything from the Microsoft Store," said Wisniewski. "The only prompt is, do you want to pay $3.99?" The question, accordingly, is whether Microsoft can offer an app store that's as secure as the one Apple provides, while simultaneously blocking malware from pretending to be the app store. "I think [Microsoft] will probably do a pretty darn good job of it, but it's going to be six months before we can really judge that," he said.

Upgrading isn't the easy decision that Win 7 was. We take a close look at Server 2012, changes to mobility and security, and more in the new Here Comes Windows 8 issue of InformationWeek. Also in this issue: Why you should have the difficult conversations about the value of OS and PC upgrades before discussing Windows 8. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
RobMark
50%
50%
RobMark,
User Rank: Apprentice
11/6/2012 | 7:14:27 PM
re: Windows 8 Security Improvements Carry Caveats
Most of the "caveats" are minor.
moarsauce123
50%
50%
moarsauce123,
User Rank: Apprentice
11/10/2012 | 2:35:14 PM
re: Windows 8 Security Improvements Carry Caveats
Requiring Server 2012 deployment is hardly 'minor'.
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading, September 16, 2014
Malicious software is morphing to be more targeted, stealthy, and destructive. Are you prepared to stop it?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-0993
Published: 2014-09-15
Buffer overflow in the Vcl.Graphics.TPicture.Bitmap implementation in the Visual Component Library (VCL) in Embarcadero Delphi XE6 20.0.15596.9843 and C++ Builder XE6 20.0.15596.9843 allows remote attackers to execute arbitrary code via a crafted BMP file.

CVE-2014-2375
Published: 2014-09-15
Ecava IntegraXor SCADA Server Stable 4.1.4360 and earlier and Beta 4.1.4392 and earlier allows remote attackers to read or write to arbitrary files, and obtain sensitive information or cause a denial of service (disk consumption), via the CSV export feature.

CVE-2014-2376
Published: 2014-09-15
SQL injection vulnerability in Ecava IntegraXor SCADA Server Stable 4.1.4360 and earlier and Beta 4.1.4392 and earlier allows remote attackers to execute arbitrary SQL commands via unspecified vectors.

CVE-2014-2377
Published: 2014-09-15
Ecava IntegraXor SCADA Server Stable 4.1.4360 and earlier and Beta 4.1.4392 and earlier allows remote attackers to discover full pathnames via an application tag.

CVE-2014-3077
Published: 2014-09-15
IBM SONAS and System Storage Storwize V7000 Unified (aka V7000U) 1.3.x and 1.4.x before 1.4.3.4 store the chkauth password in the audit log, which allows local users to obtain sensitive information by reading this log file.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
CISO Insider: An Interview with James Christiansen, Vice President, Information Risk Management, Office of the CISO, Accuvant