Windows 8 makes securing enterprise PCs and tablets easier--and shows that the future of enterprise Windows security is proper control of applications.
For years, the Windows platform has built an amazing security feature into the core of the operating system, one that has been both a bane and benefit to security professionals everywhere, Group Policy. The newest edition of Windows extends these capabilities, while also providing new enhancements to address the biggest threat in the enterprise: the browser. These features make Windows 8 a no-brainer upgrade for the enterprise.
Microsoft's App Mindset
The most significant change in Windows 8 security is not so much the actual features, but Microsoft's architecture and mindset. Windows 8's new security paradigms focus on the apps. Everything--the new AppContainer, Advanced ASLR, and even the Windows Store--indicates that the future of Windows security for the enterprise is about properly controlling applications.
This security mindshift is critical to the future of security professionals tasked with budget-friendly enterprise security. The growth of BYOD has many organizations rethinking how employees access corporate data. Microsoft's focus on application security within Windows 8 and Windows 2012 is a massive step forward in centralizing management of application security settings for enterprises (without having to purchase an additional product) under the familiar Group Policy interface. Oh, and the Surface tablet supports these features, too, so the new tablet, from day one, has centralized security and management capabilities.
There are some other new security features that have both utility and a cool factor for everyday users of Windows 8. A feature called Picture Password, which is similar to the Android Password Lock Pattern screen, where the user connects a set of dots with a finger, instead of typing in a password, is bundled with Windows 8. With Picture Password, the user draws a pattern made up of three gestures on a picture or photo that he or she provides. The gestures use points, lines, and circles. For example, you could choose a picture of your kids and draw a smiley face on your youngest child's face. Whenever you want to log in to your Windows 8 device, you simply draw the same smiley face on the proper child and you are logged in.
While this is mostly targeted as a tablet feature for consumers, it can also be used on PCs with a mouse, which gives companies a security option besides passwords for logins. The problem is that, according to our Windows 8 security survey, 21% of respondents with Windows 8 migration plans say they won't use Picture Password. Another 56% say maybe, but they will investigate its security first. We think it isn't ready for primetime yet, but is very promising.
Internet Explorer Enhanced Security
Five or six years ago, the operating system itself was most targeted by attackers, but now it's the browser. Drive-by downloads, malicious websites, etc., are the fastest-growing security vector and one that most security professionals deal with every day. Microsoft has listened and improved the Internet Explorer security model, too.
IE10 also has a much more aggressive application permission configuration. Named AppContainer, this operating system enhancement gives developers the ability to apply finely grained application access control. This feature can outright prevent Web-based exploits, or at least limit the extent of an exploit.
AppContainer is similar to application sandboxing on mobile operating systems such as iOS and Android. Under AppContainer, a developer must produce a manifest file that is linked directly to the application. This manifest file defines what the application can and cannot do. For instance, a developer might indicate on a manifest that an application can initiate outbound connections to the Internet, but cannot receive an incoming connection. If that application is subsequently exploited, and the exploit instructs the application to open a port for an inbound communication, the Windows 8 kernel will prevent the port from opening, thus limiting the potential damage that an exploit can inflict.
These new browser improvements don't come cheap. You'll need all of your systems to run the 64-bit version of Windows 8, as all of the features within IE10's new security model (named Enhanced Protection Mode) only work on 64-bit architectures for Windows 8. Microsoft has not provided guidance on whether it will back-port these features to IE10 on Windows 7 64-bit.
The Bottom Line
Microsoft has made some significant investments in security for Windows 8 that are applicable to desktops, tablets, and servers. While they are not revolutionary steps, and build on what Microsoft started with Windows 7, they are significant and can reduce risks for companies. Additionally, they don't incur additional costs (beyond the Windows 8 upgrade) and integrate with the existing Group Policy frameworks used by security professionals everywhere.
Our take: Don't simply ignore Windows 8 because of the odd new interface. It is worth your time to look under the hood and see how these new security features can help your company.
Upgrading isn't the easy decision that Win 7 was. We take a close look at Server 2012, changes to mobility and security, and more in the new Here Comes Windows 8 issue of InformationWeek. Also in this issue: Why you should have the difficult conversations about the value of OS and PC upgrades before discussing Windows 8. (Free registration required.)
InformationWeek Tech Digest, Nov. 10, 2014Just 30% of respondents to our new survey say their companies are very or extremely effective at identifying critical data and analyzing it to make decisions, down from 42% in 2013. What gives?