Windows 8: A Win For Enterprise Security

Windows 8 makes securing enterprise PCs and tablets easier--and shows that the future of enterprise Windows security is proper control of applications.

Michael A. Davis, CTO of CounterTack

October 24, 2012

5 Min Read

For years, the Windows platform has built an amazing security feature into the core of the operating system, one that has been both a bane and benefit to security professionals everywhere, Group Policy. The newest edition of Windows extends these capabilities, while also providing new enhancements to address the biggest threat in the enterprise: the browser. These features make Windows 8 a no-brainer upgrade for the enterprise.

Microsoft's App Mindset

The most significant change in Windows 8 security is not so much the actual features, but Microsoft's architecture and mindset. Windows 8's new security paradigms focus on the apps. Everything--the new AppContainer, Advanced ASLR, and even the Windows Store--indicates that the future of Windows security for the enterprise is about properly controlling applications.

This security mindshift is critical to the future of security professionals tasked with budget-friendly enterprise security. The growth of BYOD has many organizations rethinking how employees access corporate data. Microsoft's focus on application security within Windows 8 and Windows 2012 is a massive step forward in centralizing management of application security settings for enterprises (without having to purchase an additional product) under the familiar Group Policy interface. Oh, and the Surface tablet supports these features, too, so the new tablet, from day one, has centralized security and management capabilities.

[ For a deeper dive into Win8 security, see Want Better Security? Get Windows 8. ]

Picture Passwords

There are some other new security features that have both utility and a cool factor for everyday users of Windows 8. A feature called Picture Password, which is similar to the Android Password Lock Pattern screen, where the user connects a set of dots with a finger, instead of typing in a password, is bundled with Windows 8. With Picture Password, the user draws a pattern made up of three gestures on a picture or photo that he or she provides. The gestures use points, lines, and circles. For example, you could choose a picture of your kids and draw a smiley face on your youngest child's face. Whenever you want to log in to your Windows 8 device, you simply draw the same smiley face on the proper child and you are logged in.

While this is mostly targeted as a tablet feature for consumers, it can also be used on PCs with a mouse, which gives companies a security option besides passwords for logins. The problem is that, according to our Windows 8 security survey, 21% of respondents with Windows 8 migration plans say they won't use Picture Password. Another 56% say maybe, but they will investigate its security first. We think it isn't ready for primetime yet, but is very promising.

Internet Explorer Enhanced Security

Five or six years ago, the operating system itself was most targeted by attackers, but now it's the browser. Drive-by downloads, malicious websites, etc., are the fastest-growing security vector and one that most security professionals deal with every day. Microsoft has listened and improved the Internet Explorer security model, too.

IE10 also has a much more aggressive application permission configuration. Named AppContainer, this operating system enhancement gives developers the ability to apply finely grained application access control. This feature can outright prevent Web-based exploits, or at least limit the extent of an exploit.

AppContainer is similar to application sandboxing on mobile operating systems such as iOS and Android. Under AppContainer, a developer must produce a manifest file that is linked directly to the application. This manifest file defines what the application can and cannot do. For instance, a developer might indicate on a manifest that an application can initiate outbound connections to the Internet, but cannot receive an incoming connection. If that application is subsequently exploited, and the exploit instructs the application to open a port for an inbound communication, the Windows 8 kernel will prevent the port from opening, thus limiting the potential damage that an exploit can inflict.

These new browser improvements don't come cheap. You'll need all of your systems to run the 64-bit version of Windows 8, as all of the features within IE10's new security model (named Enhanced Protection Mode) only work on 64-bit architectures for Windows 8. Microsoft has not provided guidance on whether it will back-port these features to IE10 on Windows 7 64-bit.

The Bottom Line

Microsoft has made some significant investments in security for Windows 8 that are applicable to desktops, tablets, and servers. While they are not revolutionary steps, and build on what Microsoft started with Windows 7, they are significant and can reduce risks for companies. Additionally, they don't incur additional costs (beyond the Windows 8 upgrade) and integrate with the existing Group Policy frameworks used by security professionals everywhere.

Our take: Don't simply ignore Windows 8 because of the odd new interface. It is worth your time to look under the hood and see how these new security features can help your company.

Upgrading isn't the easy decision that Win 7 was. We take a close look at Server 2012, changes to mobility and security, and more in the new Here Comes Windows 8 issue of InformationWeek. Also in this issue: Why you should have the difficult conversations about the value of OS and PC upgrades before discussing Windows 8. (Free registration required.)

About the Author(s)

Michael A. Davis

CTO of CounterTack

Michael A. Davis has been privileged to help shape and educate the globalcommunity on the evolution of IT security. His portfolio of clients includes international corporations such as AT&T, Sears, and Exelon as well as the U.S. Department of Defense. Davis's early embrace of entrepreneurship earned him a spot on BusinessWeek's "Top 25 Under 25"
list, recognizing his launch of IT security consulting firm Savid Technologies, one of the fastest-growing companies of its decade. He has a passion for educating others and, as a contributing author for the *Hacking Exposed* books, has become a keynote speaker at dozens of conferences and symposiums worldwide.

Davis serves as CTO of CounterTack, provider of an endpoint security platform delivering real-time cyberthreat detection and forensics. He joined the company because he recognized that the battle is moving to the endpoint and that conventional IT security technologies can't protect enterprises. Rather, he saw a need to deliver to the community continuous attack monitoring backed by automated threat analysis.

Davis brings a solid background in IT threat assessment and protection to his latest posting, having been Senior Manager Global Threats for McAfee prior to launching Savid, which was acquired by External IT. Aside from his work advancing cybersecurity, Davis writes for industry publications including InformationWeek and Dark Reading. Additionally, he has been a partner in a number of diverse entrepreneurial startups; held a leadership position at 3Com; managed two Internet service providers; and recently served as President/CEO of the InClaro Group, a firm providing information security advisory and consulting services based on a unique risk assessment methodology.

Never Miss a Beat: Get a snapshot of the issues affecting the IT industry straight to your inbox.

You May Also Like

More Insights