Windows 8 Security Overview
Applies To: Windows 8
The Windows 8 operating system was built to protect against emerging security threats. The improvements fall into three broad categories:
Groundbreaking malware resistance. Windows 8 can eliminate bootkits and rootkits and drastically reduce the impact of user-level malware such as viruses, worms, Trojan horses, and spyware.
Modern access control for flexible work styles. Security is nothing without usability. Windows 8 gives you instant and automatic connectivity so your users can work flexibly while still meeting your access control requirements.
Pervasive device encryption. Windows 8 protects your data by using a suite of new and improved features to authorize, audit, and encrypt data without inconveniencing users or systems administrators.
With an unprecedented level of investment across each category, Microsoft has been able to deliver malware resistance capacities that literally start from the moment users turn on their PC and continue to protect the device and software until they turn it off. Microsoft has leveraged the Windows 8 device certification process as a tool to drive important changes in devices, such as requiring all certified PCs to support new hardware technologies like UEFI, and has worked with industry to help put security technologies like TPM on a course to become standard equipment in the future. With these investments and Windows technologies such as Trusted Boot, ELAM, and Measured Boot, Windows 8 has made it possible to virtually eliminate the possibility of bootkits and rootkits from starting. Improvements to the Windows core and Internet Explorer reduce the risk of a variety of attacks that malware has used to gain elevated privileges and attack the system and data. It’s now much more difficult to exploit and compromise Windows.
Windows 8 offers several critical improvements to BitLocker, Microsoft’s hard drive encryption technology, to improve data protection. Used Disk Space Only encryption and BitLocker preprovisioning now reduce encryption time for new drives to seconds. If you’re looking for the benefits of an on-drive encryption solution, Windows 8 supports encrypted hard drives that can do all of the heavy lifting while freeing up the system CPU for the user. BitLocker is more convenient for users, too: Network Unlock now allows PCs protected with a PIN at startup to start automatically when physically connected to the internal network, and users can change their own PIN or password with standard user privileges.
As work styles change, security must keep up. Passwords simply are not the right solution for many mobile tablet PC users, so Microsoft introduced picture passwords to provide a high level of security with touch-friendly convenience. The latest-generation lightweight tablets and Ultrabook devices simply are not large enough to have a built-in smart card reader, and external readers are cumbersome. So, Windows 8 introduces virtual smart cards, which provide multifactor authentication with nothing extra for the user to carry. Brute force protection uses BitLocker’s complex, 48-character recovery key as an additional layer of security when a brute force password-guessing attack is detected. Combined with a Windows Server 2012 infrastructure, Windows 8 also supports DirectAccess to keep users constantly connected and up to date with the latest security policies and updates, and Dynamic Access Control provides flexible policies that define file authorization and auditing in a way that can keep up with a constantly changing organization.
This document provides a detailed description of the most important security improvements in Windows 8, along with links to more detailed articles about specific features.
In this document:
Malware resistance
Data protection
Access control
Malware resistance
In movies, security threats always seem to be initiated by a malicious user sitting in front of a monitor with green text scrolling across it. In the real world, the vast majority of security threats occur without any human interaction at all. Just as software has automated so much of our lives, malware has automated attacks on our PCs. Those attacks are relentless. Malware is constantly changing, and once it infects a PC, in some cases it can be almost impossible detect and remove.
Prevention is the best bet, and Windows 8 provides strong malware resistance by taking advantage of secure hardware, securing the boot process, securing the core operating system architecture, and securing the desktop.
The following table lists specific malware threats and compares the mitigations that the Windows 7 operating system and Windows 8 provide.
Table 1. Malware threats and Windows 8 and Windows 7 mitigations
Threat | Windows 7 mitigation | Windows 8 mitigation |
---|---|---|
Firmware rootkits replace the firmware with malware. |
A small subset of PCs supports Unified Extensible Firmware Interface (UEFI). |
All certified PCs must support UEFI. |
Bootkits start malware before Windows starts. |
Some protection when BitLocker Drive Encryption was implemented with a Trusted Platform Module (TPM). |
Secure Boot verifies bootloader integrity, and Measured Boot makes information available that a remote server could use to verify integrity. |
Driver rootkits start kernel-level malware while Windows is starting, before antimalware can start. |
Windows verifies Microsoft-signed drivers but not non-Microsoft drivers. |
Trusted Boot verifies Microsoft drivers, Early Launch Anti-Malware (ELAM) verifies non-Microsoft drivers, and Measured Boot allows a remote server to verify integrity and detect untrusted boot components. |
User-level malware exploits a vulnerability in the system or an application and owns the device. |
There is some support for Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP). |
Improvements to ASLR, DEP, the heap architecture, and memory-management algorithms reduce the likelihood of vulnerabilities enabling successful exploits. |
Users download dangerous software (for example, seemingly legitimate application with an embedded Trojan horse) and run it without knowledge of the risk. |
Internet Explorer’s SmartScreen Application Reputation feature warns users or blocks the download when they contact potentially malicious software. |
The SmartScreen Application Reputation feature has been moved into the core operating system and either warns users or blocks the download when they use any browser to download potentially malicious software. |
Malware exploits a vulnerability in a browser add-on. |
ASLR and Internet Explorer Protected Mode help to reduce the risk of the attack. |
The Windows Store version of Internet Explorer does not run add-ons, eliminating this risk. |
A website with malicious code exploits a vulnerability in Internet Explorer to run malware on the client PC. |
ASLR and Internet Explorer Protected Mode help to reduce the risk of the attack. |
Enhanced Protected Mode (enabled by default in the Windows Store version of Internet Explorer) and improved memory protection further reduce the risk of these attacks. |
The following sections describe these improvements in more detail:
Secure hardware
Securing Windows startup
Securing the desktop
Secure hardware
Windows 8 is designed to run on almost any hardware capable of running the Windows 7, Windows Vista, or Windows XP operating system. However, Windows 8 is also designed to take advantage of modern advancements in hardware security, including UEFI firmware, TPM security chips, and Secure Boot technology. Although many PCs designed for older versions of the Windows operating system support these features, all PCs certified for Windows 8 support them, allowing IT to better maintain the integrity of their devices’ operating systems and applications and virtually eliminating the risk of some of the most dangerous threats, such as bootkits and rootkits.
UEFI
UEFI is a standards-based solution that offers a modern-day replacement for the BIOS that provides the same functionality as BIOS while adding security features and other advanced capabilities. Like BIOS, PCs start UEFI before any other software, and UEFI then starts the operating system’s bootloader.
Recent implementations of UEFI are able to run internal integrity checks that verify the firmware’s digital signature before running it. Because only the PC’s hardware manufacturer has access to the digital certificate required to create a valid firmware signature, UEFI has protection from firmware rootkits. Thus, UEFI is the first link in the chain of trust.
UEFI is required for Secure Boot and Measured Boot, described later in this document.
TPM
A TPM is a tamper-resistant security processor capable of storing cryptographic keys and hashes. Besides storing data, a TPM can digitally sign data using a private key that software cannot access. Among other functions, Windows uses the TPM for cryptographic calculations and to store the keys for BitLocker volumes, virtual smart cards, and other public key certificates.
Basically, the TPM is a secure storage place that both UEFI and the operating system can use to store hashes (which verify that a file has not been changed) and keys (which verify that a digital signature is genuine).
Secure Boot
When a PC starts, it starts the process of loading the operating system by locating the bootloader on the PC’s hard drive. If a PC doesn’t support Secure Boot (as is the case with most PCs released prior to Windows 8), the PC simply hands control over to the bootloader, without even determining whether it is a trusted operating system or malware.
When a PC with UEFI and Secure Boot starts, the firmware starts the bootloader only if the bootloader’s signature has maintained integrity and if one of the following conditions is true:
The bootloader was signed by a trusted authority that is registered in the UEFI database. In the case of PCs certified for Windows 8, Microsoft’s signature is trusted.
The user has added the bootloader’s digital signature to the UEFI database. This allows the user to load non-Microsoft operating systems.
All x86-based Certified For Windows 8 PCs must meet several requirements related to Secure Boot:
They must have Secure Boot enabled by default.
They must trust Microsoft’s certification authority (CA; and thus any bootloader Microsoft has signed).
They must allow the user to add signatures and hashes to the UEFI database.
They must allow the user to completely disable Secure Boot.
Secure Boot does not limit the choice of operating system. In fact, users have three options for running non-Microsoft operating systems:
Use an operating system with a Microsoft-signed bootloader Because all Certified For Windows 8 PCs must trust Microsoft’s CA, Microsoft offers a service to analyze and sign any non-Microsoft bootloader so that it will be trusted by all Certified For Windows 8 PCs. Several different non-Microsoft operating systems, including several varieties of Linux, have certified bootloaders.
Configure UEFI to trust a non–Microsoft-signed bootloader or hashes All Certified For Windows 8 PCs allow users to add non-certified bootloaders by adding a signature or hashes to the UEFI database, allowing them to run any operating system without acquiring a certificate, including homemade operating systems.
Turn off Secure Boot All Certified For Windows 8 PCs allow users to turn off Secure Boot so they can run any software. This behavior is identical to PCs with BIOS: The PC simply runs the bootloader without any verification. Turning off Secure Boot does not help protect against bootkits, and Microsoft recommends that Secure Boot be enabled whenever the device starts Windows.
Malware cannot change these options: The UEFI firmware does not allow software to make changes. Instead, users must manually configure the firmware settings to trust a non-certified bootloader, or they must turn off Secure Boot. For more information about Secure Boot, read Protecting the pre-operating system environment with UEFI.
Like most mobile devices, ARM-based Certified For Windows 8 devices, such as the Microsoft Surface RT device, are designed to run only Windows 8. Therefore, Secure Boot cannot be turned off, and users cannot load a different operating system. Fortunately, there is a large market of ARM devices designed to run other operating systems.
Securing Windows startup
Secure Boot uses hardware technologies to help protect users from rootkits. Secure Boot can only guarantee the integrity of the bootloader, however. After the bootloader launches, users must rely on the operating system to provide the security they need.
Windows 8 includes a series of new features that have the potential to completely eliminate these types of threats. With Windows 8, users can finally trust their PCs.
Trusted Boot
Secure Boot verifies that the bootloader is trusted, and then Trusted Boot protects the rest of the boot process by verifying that all Windows boot components have integrity and can be trusted. The bootloader verifies the digital signature of the Windows 8 kernel before loading it. The Windows 8 kernel, in turn, verifies every other component of the Windows startup process, including the boot drivers, startup files, and the ELAM component.
If a file has been modified (for example, if malware has modified the file to launch malicious code), Trusted Boot will detect the problem and automatically repair the corrupted component. When repaired, Windows will start normally after only a brief delay.
Early Launch Anti-Malware
Malware on previous versions of Windows often attempted to start before the antimalware solution. To do this, some types of malware would update or replace a non-Microsoft–related driver that starts during the Windows boot process. The malicious driver would then use its kernel-level privileges to modify critical parts of the system and disguise its presence so it could not be detected when the antimalware solution later starts.
ELAM starts before the all non-Microsoft drivers and checks their integrity to determine whether the driver is trustworthy. Because Windows needs to start as fast as possible, ELAM cannot be a complicated process of checking the driver files against known malware signatures; doing so would delay startup too much. Instead, ELAM has the simple task of examining every boot driver and determining whether it is on the list of trusted drivers. If malware modifies a boot driver, ELAM will detect the change and Windows will not load it, thus blocking driver-based bootkits.
The design is simple but effective. ELAM does not replace a full-featured antimalware solution: That starts later in the boot process. Indeed, ELAM is only used for a few seconds each time a PC starts. Windows Defender in Windows 8 supports ELAM, as does Microsoft System Center 2012 Endpoint Protection and several non-Microsoft antimalware apps.
If you’re interested in learning how to configure ELAM, you can use Group Policy settings to configure how ELAM responds to potentially malicious boot drivers. In the Group Policy Management Editor, go to Computer Configuration\Administrative Templates\System\Early Launch Antimalware, and enable the Boot-Start Driver Initialization Policy setting. Now, you can select which driver classifications ELAM loads. Selecting Good Only provides the highest level of security, but test it thoroughly to ensure that it does not prevent users with healthy PCs from starting (see Figure 1).
Figure 1. Select which drivers ELAM loads.
Measured Boot
The biggest challenge with rootkits and bootkits on earlier versions of Windows is that they can be undetectable to the client. Because they start before antimalware and they have system-level privileges, they can completely disguise themselves while continuing to access system resources. As a result, PCs infected with rootkits appear to be healthy, even with antimalware running.
If rootkits and bootkits can hide themselves so effectively, how can IT ever be sure that the PCs in the organization are not infected? Without Windows 8, IT cannot be sure.
Windows 8 adds the Measured Boot feature, which uses the TPM hardware component built into newer PCs to securely record a measurements of every boot-related component, including firmware, Windows, and even the ELAM driver. Because Measured Boot leverages the hardware-based security capabilities of TPM, the log of all measured components remains out of the reach of any malware.
Remote Attestation
Measured Boot itself does not prevent malware from loading during the startup process: That is the job of Secure Boot, Trusted Boot, and ELAM. Instead, Measured Boot provides a secure audit log that allows a trusted remote attestation server on the network to evaluate the PC’s startup components. If the remote attestation server detects that the PC loaded an untrusted component, the server could potentially block the PC’s access to network resources or even the network itself. A remote attestation service can even be implemented to initiate the quarantine and remediation processes to fix an infected PC. Measured Boot uses the following process:
The PC uses the TPM to store measurements of the boot loader, boot drivers, and ELAM driver. The TPM prevents the log from being tampered with, so even if malware is successfully loaded, it will not be able to modify the log.
When the remote attestation client starts, it can contact a remote attestation server. The server provides it with a unique key. The key is different every time, preventing the client from simply sending back a previously recorded health report.
The remote attestation client submits the key to the TPM, and the TPM itself digitally signs the log. Because the TPM hardware has signed the log, malware cannot modify it without being detected.
The remote attestation client sends the signed log back to the attestation server, which can verify that the PC loaded only trusted software.
Because the attestation server requires non-Microsoft software, the software vendor and the administrator’s configuration choices determine the exact process. However, depending on the implementation and configuration, the server can now determine whether the client is healthy and grant the client access to either a limited quarantine network or to the full network. Individual network resources, such as servers, could also grant or deny access based on whether the remote attestation client was able to retrieve a valid health certification from the remote attestation server.
Figure 2 illustrates the Measured Boot and remote attestation process.
Figure 2. The Measured Boot process proves the PC’s health to a remote server.
Windows 8 includes the application programming interfaces to support Measured Boot, but administrators will need non-Microsoft tools to implement a remote attestation client and server to take advantage of it. For an example of such a tool, download the TPM Platform Crypto-Provider Toolkit from Microsoft Research or Microsoft Enterprise Security MVP Dan Griffin’s Measured Boot Tool. Measured Boot uses the power of TPM and Windows 8 to give IT a way to confidently assess the trustworthiness of a client PC across the network.
Securing the core
Although applications built for Windows are designed to be secure and free of defects, the reality is that as long as human beings are writing code, we’re likely to see vulnerabilities discovered in the future. When identified, malicious users and software may attempt to exploit vulnerabilities by manipulating data in memory in the hopes that a successful exploit can be bootstrapped.
To mitigate these risks, Windows 8 includes core improvements to make it more difficult for malware to perform buffer overflow and other low-level attacks. In addition, these improvements dramatically reduce the likelihood that newly discovered vulnerabilities result in a successful exploit. It takes a detailed knowledge of operating system architecture and malware exploit techniques to fully appreciate the impact of these improvements, but the sections that follow explain them at a high level.
Microsoft security development life cycle
Windows 8 is the culmination of many years of effort from Microsoft. Many of us still remember the years of Windows XP, when the attacks on the Windows operating system, applications, and data increased in volume and matured into serious threats. Those days are largely past, and we see evidence of this in Kaspersky’s third-quarter 2012 IT Threat Evolution report where, for the first time, Microsoft software avoided being named on the top-10 vulnerability list. This achievement is particularly interesting when you compare the total surface area and complexity of the code in products like Windows and Microsoft Office compared to others on the list.
Attackers have discovered vulnerabilities in previous version of Windows, and there is no doubt they will discover more in the future. Microsoft acknowledges this and has designed the Windows 8 architecture to have multiple levels of protection against vulnerabilities. Even if an attacker discovers a vulnerability and creates a successful exploit, the defense-in-depth design of Windows 8 security can still mitigate the risks by eliminating or at least limiting the damage that can be done.
Address space layout randomization
One of the most common techniques used to gain access to the system is to find a vulnerability in a privileged process that is already running, guess or find a location in memory where important system code and data have been placed, and then overwrite that information with a malicious payload. In the early days of operating systems, this could be done by any malware that could write directly to the system memory; the malware would simply overwrite system memory within well-known and predictable locations.
Address space layout randomization (ASLR) makes that type of attack much more difficult by randomizing how and where important data is stored in memory. With ASLR, it is more difficult for malware to find the specific location it needs to attack. Figure 3 illustrates this by showing how the locations of different critical Windows components can change in memory between restarts.
Figure 3. ASLR randomizes the location of critical components.
Although the ASLR implementation in Windows 7 was effective, it wasn’t applied holistically across the Windows system, and the level of entropy (cryptographic randomization) wasn’t always at the highest possible level. To decrease the likelihood that sophisticated attacks such as heap spraying could succeed, Microsoft applied ASLR holistically across the system and increased the level of entropy many times.
The ASLR implementation in Windows 8 is greatly improved over Windows 7, especially with 64-bit system and application processes that can take advantage of a vastly increased memory space, making it even more difficult for malware to predict where Windows 8 stores vital data. When used on systems with TPMs, ASLR memory randomization will be increasingly unique across devices, making it even more difficult for a successful exploit that works on one system to work reliably on another.
Data execution prevention
Malware depends on its ability to put a malicious payload into memory with the hope that it will be executed later, and ASLR is going to make that much more difficult. Wouldn’t it be great if we could make sure that malware could be prevented from running if it writes to an area that has been allocated solely for the storage of information?
Data execution prevention (DEP) does exactly that and substantially reduces the range of memory that malicious code can use for its benefit. DEP uses the No eXecute (NX) bit on modern CPUs to mark blocks of memory as data that should never be executed as code. Therefore, even if an attacker succeeds in loading the malware code into memory, they will not be able to execute it.
Because of the importance of DEP, Windows 8 is the first version of Windows that requires a processor that includes hardware-based DEP support. Users cannot install Windows 8 on a computer that does not have DEP enabled. Fortunately, most processors released since the mid-2000s support DEP.
In addition, Windows 8 makes using DEP easier for developers, so more apps can take advantage of the security benefits. If you’re interested in seeing which apps use DEP, complete these steps:
Open Task Manager by pressing Ctrl+Alt+Esc or by searching the Start screen.
Click More Details (if necessary), and then click the Details tab.
Right-click any column heading, and then click Select Columns.
In the Select Columns dialog box, select the last Data Execution Prevention check box.
Click OK.
Now, you can see which processes have DEP enabled. Figure 4 shows the processes running on a Windows 8 PC with a single process that does not support DEP.
Figure 4. DEP helps reduce the risk of successful attacks against an app.
Windows heap
The heap is a location in memory that Windows uses to store dynamic application data. Windows 8 improves on the Windows 7 heap design by mitigating the risk of heap exploits that could be used as part of an attack to successfully compromise Windows 7.
Windows 8 has several important improvements to the heap, including:
Internal data structures used by the heap are now better protected against memory corruption.
Heap memory allocations now have randomized locations and sizes, making it more difficult for an attacker to predict the location of critical memory to overwrite. Specifically, Windows 8 adds a random offset to the address of a newly allocated heap, making the allocation much less predictable.
Windows 8 adds “guard pages” before and after blocks of memory. If an attacker attempts to write past a block of memory (a common technique known as a buffer overflow), the attacker will have to overwrite a guard page. Any attempt to modify a guard page is considered a memory corruption, and Windows 8 responds by instantly terminating the app
Windows 8 resolves known heap attacks that could be used to compromise a PC running Windows Vista or Windows 7.Windows 8 resolves known heap attacks that could be used to compromise a PC running Windows Vista or Windows 7.
Memory reservations
The lowest 64 KB of process memory is now reserved for the system. Apps are no longer allowed to allocate that portion of the memory, which makes it more difficult for malware to overwrite critical system data structures in memory.
Securing the desktop
Windows 8 includes critical improvements to user-level malware protection. The familiar desktop environment is now more resistant to malware, thanks to improvements to Windows Defender, Internet Explorer, and SmartScreen. The new Windows Store has the potential to further reduce the likelihood that malware will infect devices through the careful review of all Windows Store app submissions. Even if malware managed to slip past the review process, Windows mitigates the risks and impact by running all Windows Store apps a tightly restricted operating environment.
The sections that follow describe Windows 8 improvements to application security in more detail.
Windows Defender
In Windows 8, Windows Defender has been upgraded from antispyware to a full-featured antimalware solution capable of detecting and stopping a wider range of potentially malicious software, including viruses. Windows 8 users no longer need Microsoft Security Essentials, because Windows Defender is now just as powerful. Windows Defender supports Windows 8’s ELAM feature, which makes it capable of detecting rootkits that infect non-Microsoft drivers. If Windows Defender detects an infected driver, it will prevent the driver from starting.
Windows Defender is primarily intended for consumer and unmanaged PCs scenarios, and thus most large organizations will want an enterprise antimalware solution such as System Center 2012 Endpoint Protection, which can offer advanced centralized management capabilities such as monitoring and reporting. Like Windows Defender, System Center 2012 Endpoint Protection includes support for ELAM. Regardless, with more and more people using unmanaged personal PCs for work, it is good to know that Windows 8 includes powerful and free antimalware that is enabled by default.
For more information about Windows Defender, visit Protect your PC.
The SmartScreen filter
Recent versions of Windows have many effective techniques for preventing malware from installing itself without the user’s knowledge. To work around those restrictions, malware attacks often use social engineering techniques to trick users into running software. For example, malware known as a Trojan horse pretends to be something useful, such as a game or a utility, but it carries an additional, malicious payload.
Starting with Windows Internet Explorer 8, SmartScreen has helped protect users from both malicious applications and websites by using SmartScreen’s application and URL reputation services. SmartScreen in Internet Explorer would check URLs and newly downloaded apps against a list that Microsoft maintained. If the app or URL was not known to be safe, SmartScreen would warn the user or even block the app or URL, depending on how systems administrators had configured Group Policy settings.
In Windows 8, SmartScreen is integrated into the operating system, allowing SmartScreen’s application reputation services to protect users regardless of the web browser they are using. The first time a user runs an app that originates from the Internet, even if the user copied it from another PC, SmartScreen checks the reputation of the application using digital signatures and other factors against a service that Microsoft maintains. If the app lacks a reputation or is known to be malicious, SmartScreen warns the user (as shown in Figure 5) or blocks execution entirely, depending on how the administrator has configured Group Policy.
Figure 5. SmartScreen can warn users before allowing them to run potentially malicious apps, regardless of how they download the app.
By default, users have the option of bypassing SmartScreen protection, so it will never prevent a user from running a legitimate app. You can use Group Policy settings to disable SmartScreen or to completely prevent users from running apps that SmartScreen does not recognize.
For more information about SmartScreen, see SmartScreen Application Reputation.
If you’re interested in trying out SmartScreen, use Windows 7 or an earlier version of Windows to download this simulated (but not dangerous) malware file: freevideo.exe. Save it to your computer, and then run it from Windows Explorer. As shown in Figure 6, Windows runs the app without much warning. In Windows 7, you might get a warning about the app not having a certificate, but it is easily bypassed.
Figure 6. Earlier versions of Windows do little to warn users before allowing them to run unknown apps.
Now, repeat the test on Windows 8 by copying the file to a Windows 8 PC or by re-downloading it and saving the file to your local computer. Run the file directly from File Explorer, and SmartScreen will warn you before allowing it to run. For many users, that extra warning will be enough to save them from a malware infection.
Internet Explorer 10
Internet Explorer 10 on Windows 8 includes two experiences: a full-screen, touch-friendly browser interface (launched from the Start screen) and the traditional desktop browser (launched from the desktop). Both experiences of Internet Explorer 10 use the same iexplore.exe process and include numerous security improvements, such as:
Enhanced Protected Mode. The improved version of this feature enhances security in several ways. On 64-bit versions of Windows 8, Internet Explorer 10 now randomly allocates the entire address space—about a terabyte of addressable space—making heap spray attacks that malicious code on a website might use to elevate privileges impractical. Internet Explorer 10 now uses a broker process when users access files (for example, when uploading an attachment to a browser-based email app such as Hotmail). The brokering happens automatically when the user clicks Open in the file upload dialog box, increasing security without inconveniencing the user. Enhanced Protected Mode also prevents tabs accessing the public Internet from accessing the user’s domain credentials, acting as a local web server (reducing the risk that malicious website code could impersonate an intranet site) and connecting to intranet servers. Enhanced Protected Mode is enabled by default in the Windows Store version of Internet Explorer 10 but is disabled by default in the desktop version, because some add-ons are not yet compatible. For more information, read the Internet Explorer blog entry, Enhanced Protected Mode.
Improved memory protection. In the past, it has been possible for a website with malicious code embedded within it to exploit a vulnerability in a web browser to run malware on a client PC. Often, the user simply visited a trusted website that had been compromised, and the malware installed itself without the user’s permission or knowledge. Internet Explorer 10 offers improved protection against these types of attacks, drastically reducing the likelihood that an exploit can elevate privileges to run code, even if a vulnerability in Internet Explorer 10 is discovered. Of particular note, Internet Explorer 10 randomizes the location of all modules, making them more difficult to attack. For more information, read the Internet Explorer blog entry, Enhanced Memory Protections in IE10.
Improved cross-site scripting (XSS) filter. XSS attacks can add malicious content to a trusted website without the user’s knowledge. Internet Explorer 10 includes an XSS filter to help protect users from such attacks.
In addition, the Windows Store version of Internet Explorer 10 includes a drastic security improvement: It does not run add-ons. Gone are the days of annoying toolbars and plug-ins that slow performance. Internet Explorer 10 does, however, include increased support for modern standards like HTML5 and CSS3, allowing it to display the latest generation of rich and interactive websites (without the security risks and annoyances of unnecessary add-ons).
As the Web continues to evolve, Microsoft expects that website owners will create versions of their websites that do not rely on potentially dangerous plug-ins, and Internet Explorer users can enjoy the Web without these associated risks.
Note that the Windows Store version of Internet Explorer 10 does support Adobe Flash for a limited number of trusted websites.
Windows Store apps
SmartScreen helps to reduce the risk of users downloading malware from the Internet, but the reality is that the Internet offers such tremendous freedom of choice that there is always some risk. In the past, even websites that users trust have been attacked and distributed malware without the knowledge of the website administrators and users. When downloading apps from the Internet, users simply can never be sure whether an app contains malware.
The good news is that downloading and using apps from the Windows Store will dramatically reduce the likelihood that you will encounter malware to your PC, as all apps go through a careful screening process before being made available in the store. Windows Store apps built by organizations and distributed through sideloading processes will need to be reviewed internally to help ensure they meet organizational security requirements.
Regardless of how Windows Store apps are acquired, users can use them with increased confidence. Unlike desktop apps that can run with elevated privileges and have potentially sweeping access to the system and data, Windows Store apps run in an AppContainer sandbox that runs the application with limited privileges and capabilities. For example, Windows Store apps have no system-level access, have tightly controlled interactions between other apps, and have no access to data unless the user explicitly grants the application permission.
In addition, all Windows Store apps follow the security principal of least privilege. Apps receive only the minimal privileges they need to perform their legitimate tasks, so even if an attacker exploits an app, the damage the exploit can do is severely limited and should be contained within the sandbox. The Windows Store displays the exact permissions that the app requires, along with the app’s age rating and publisher, as shown in Figure 7.
Figure 7. The Windows Store’s architecture reduces the risk of malware and provides detailed and trustworthy information about the app’s permissions and rating.
In the end, the Windows Store app distribution process and the app sandboxing capabilities of Windows 8 will dramatically reduce the likelihood that users will encounter malicious apps on the system.
AppLocker
As with earlier versions of Windows, Windows 8 supports AppLocker to give you complete and centralized control over the apps users are allowed to run. With AppLocker and Group Policy settings in an Active Directory Domain Services (AD DS) environment, you can create a list of every app users can run, specify which publishers they trust, or simply block apps that might not help the company’s productivity, like Solitaire.
Windows 8 extends AppLocker support to Windows Store apps and simplifies AppLocker rules, making them easier to implement and more reliable. AppLocker rules for Windows Store apps automatically apply to the app installer and all files included with the app. Because all Windows Store apps are signed by the publisher, administrators create only simple publisher rules and never need to use error-prone hash- or path-based rules. In addition, a single AppLocker rule can contain rule collections for both desktop apps and Windows Store apps, making it easy to manage new packaged apps alongside existing apps.
Although AppLocker was primarily designed to give IT tight control over the non-malicious applications that their users may choose to use, that same functionality also can be used to reduce malware risks within your organization. Many organizations use it solely with that purpose in mind.
If you are interested trying an AppLocker configuration on Windows 8, complete these steps:
On a test PC running Windows 8, launch the Local Group Policy Editor by running gpedit.msc.
Right-click the Computer Configuration\Windows Settings\Security Settings\Application Control Policies\AppLocker\Packaged App Rules node, and then click Automatically Generate Rules.
Follow the prompts that appear, and accept the default settings.
This procedure automatically creates AppLocker rules that allow users to run all the currently installed apps as well as any future versions of the same apps. Follow this same procedure in an AD DS domain to apply the same rules to every Windows 8 PC in your organization. With just a few clicks, you can also create a default rule that prevents users from running other packaged apps, instantly giving you complete control over the packaged apps users in the organization can run.
Figure 8 shows the extremely simple publisher rule for allowing a packaged app to run. In contrast, creating rules for desktop apps could be extremely complex, requiring you to configure a combination of hashes, file paths, and digital signatures. Because the configuration was so complex, it was also error-prone, often resulting in inconvenienced users (when legitimate apps were accidentally blocked) or potential security vulnerability (when unwanted apps were not blocked).
Figure 8. AppLocker apps for Windows 8 are straightforward and reliable.
For more information about AppLocker improvements, visit AppLocker Technical Overview.
Data protection
Where users travel, so does their organization’s confidential data. Since Windows Vista, BitLocker has provided full drive encryption capable of protecting both confidential data and system integrity. Windows 8 improves BitLocker by making it easy and faster to deploy, more convenient, and more manageable.
Table 2 lists specific data-protection challenges in Windows 7 and the Windows 8 solution.
Table 2. Windows 8 solutions to Windows 7 data-protection challenges
Windows 7 challenge | Windows 8 challenge |
---|---|
When BitLocker is used with a PIN to protect startup, PCs such as servers and kiosks cannot be restarted remotely. |
Network Unlock allows PCs to start automatically when connected to the internal network. |
Users must contact IT to change their BitLocker PIN or password. |
Windows 8 allows users with standard privileges to change their BitLocker PIN or password. |
Enabling BitLocker can make the provisioning process take several hours. |
BitLocker preprovisioning and Used Space Only encryption allow BitLocker to be quickly enabled on new computers. |
No support for using BitLocker with Self-Encrypting Drives (SEDs). |
BitLocker supports offloading encryption to encrypted hard drives. |
Administrators have to use separate tools to manage encrypted hard drives. |
BitLocker supports encrypted hard drives with onboard encryption hardware built in, allowing administrators to use the familiar BitLocker administrative tools to manage them. |
Encrypting a new flash drive can take more than 20 minutes. |
BitLocker To Go’s Used Space Only encryption allows users to encrypt drives in seconds. |
BitLocker could require users to enter a recovery key when system configuration changes occur. |
BitLocker requires the user to enter a recovery key only when disk corruption occurs or when the user loses their PIN or password. |
The sections that follow describe these improvements in more detail.
TPM preprovisioning
In Windows 7, preparing the TPM for use offered a couple of challenges:
The TPM can be turned off in BIOS, requiring someone to either go into the BIOS settings to turn it on or to install a driver to turn it on from within Windows.
Enabling the TPM may require one or more restarts.
Basically, it was a big hassle. If IT is provisioning new PCs, they can handle all of this, but if you want to add BitLocker to devices that are already in users’ hands, they will probably struggle with the technical challenges and either call IT for support or simply leave BitLocker disabled.
With Windows 8, Microsoft has added instrumentation that enables the operating system to fully manage the TPM. There is no need to go into the BIOS, and all scenarios that required a restart have been eliminated.
BitLocker preprovisioning
BitLocker is capable of encrypting entire hard drives, including both system and data drives. Although Windows 7 and Windows Vista both supported BitLocker, Windows 8 adds several key improvements.
BitLocker preprovisioning can drastically reduce the time required to provision new PCs with BitLocker enabled. With Windows 8, administrators can now turn on BitLocker and the TPM from within the Windows Preinstallation Environment before installing Windows, without any user interaction. Combined with Used Disk Space Only encryption and a mostly empty drive (because Windows is not yet installed), enabling BitLocker takes only a few seconds.
With earlier versions of Windows, administrators had to enable BitLocker after Windows was installed. Although this process could be automated, BitLocker would need to encrypt the entire drive, a process that could take anywhere from several hours to more than a day depending on the drive size and performance, significantly delaying deployment.
Used Disk Space Only encryption
BitLocker in earlier Windows versions could take a long time to encrypt a drive, because it encrypted every byte on the volume (including parts that did not have data). That is still the most secure way to encrypt a drive, especially if a drive has previously contained confidential data that has since been moved or deleted, in which case traces of the confidential data could remain on portions of the drive marked as unused.
But why encrypt a new drive when you can simply encrypt the data as it’s being written? To reduce encryption time, BitLocker in Windows 8 lets users choose to encrypt just their data. Depending on the amount of data on the drive, this can reduce encryption time by more than 99 percent.
If you’re interested in running your own tests to compare Used Disk Space Only encryption and full disk encryption, read Try It Out: Encrypt Used Space Only.
Encrypted hard drive support
SEDs have been available for years. However, Microsoft couldn’t support the use of SEDs with Windows 7, because they lacked important key management features. Microsoft worked with storage vendors to improve the hardware capabilities, and now BitLocker in Windows 8 supports the next-generation encrypted hard drives. These drives provide onboard cryptographic capabilities to encrypt data on drives, thus offloading cryptographic calculations from the PC’s processor to the drive itself and instantly encrypting the drive.
Standard user PIN and password change
When BitLocker is enabled on a system drive and the PC has a TPM, administrators can choose to require the user to type a PIN before BitLocker will unlocks the drive. Requiring a PIN can prevent an attacker with physical access to a PC from even getting to the Windows login, making it virtually impossible for the attacker to access or modify user data and system files.
Requiring a PIN at startup is a tremendously useful security feature, but it comes with some costs. One of the most significant is the need to change the PIN regularly. In enterprises using BitLocker with Windows 7 and Windows Vista, users must contact systems administrators to update their BitLocker PIN or password. This requirement not only increased management costs but made users less willing to change their BitLocker PIN or password on a regular basis.
With Windows 8, users can update their BitLocker PINs and passwords themselves, without administrator credentials. Not only will this reduce support costs, but it could improve security, too, by enabling users to change their PINs and passwords more often.
Network Unlock
Requiring a user to type a PIN to start a BitLocker-protected PC helps ensure that the PC is in the hands of an authorized user. However, it prevents PCs from restarting automatically, which is a problem when installing apps and updates after hours, because PCs restart automatically but wait for a user to type a PIN before starting Windows. This makes the PIN option a non-starter for protecting volumes on servers and shared devices such as kiosks and problematic for desktops that may need to be accessible remotely.
Network Unlock solves this problem by allowing BitLocker-protected PCs to start automatically when connected to a wired corporate network that has a Windows Deployment Server present. Anytime the PC is not connected to the corporate network, a user must type a PIN to unlock the drive. For more information, see BitLocker: How to enable Network Unlock.
Network Unlock requires the following infrastructure:
Client PCs must have UEFI firmware that supports a Dynamic Host Configuration Protocol (DHCP) driver
A server running Windows Server 2012 with the optional BitLocker Network Unlock feature
A separate server running Windows Server 2012 with the Windows Deployment Services role
A separate DHCP server
Microsoft BitLocker Administration and Monitoring 2.0
Part of the Microsoft Desktop Optimization Pack, Microsoft BitLocker Administration and Monitoring (MBAM) makes it simple to manage and support BitLocker and BitLocker To Go. MBAM 2.0 adds several features that address top feedback from the previous release and includes features like self-service key recovery for users, better compliance management, integration of MBAM with existing management tools such as Microsoft System Center Configuration Manager, and of course support for Windows 8 and Windows to Go. For more information about MBAM, see Microsoft BitLocker Administration and Monitoring.
Access control
Pervasive Internet access and the latest generation of lightweight tablets and Ultrabook devices have changed the way users work. They are not sitting at a desk with a mouse and keyboard anymore; they are using touch interfaces, travelling around the world, and working from untrusted networks. Let’s explore the different ways Windows 8 meets these modern work styles.
Besides providing new defenses, Windows 8 refines many Windows 7 defenses, reducing their cost and improving usability. For organizations that had not deployed the features in Windows 7, these refinements will make deployment more practical. For organizations that had deployed the Windows 7 feature, Windows 8 will reduce the associated costs.
Table 3 lists specific access control challenges in Windows 7 and the Windows 8 solution.
Table 3. Windows 8 solutions to Windows 7 access control challenges
Windows 7 challenge | Windows 8 challenge |
---|---|
Organizations must purchase and manage smart card readers, smart cards, and management software. Mobile users must carry a smart card reader and smart card for authentication. Mailing smart cards to remote offices could delay productivity by several days. |
Virtual smart cards store the smart card in the PC itself. |
Tablet users must type their password on a touch screen, which is error prone and less efficient than a keyboard. |
Picture passwords provide convenient and intuitive authentication for touch interfaces. |
IT must purchase and manage non-Microsoft tools to meet regulatory requirements for access control and auditing. |
Combined with the Windows Server 2012 operating system, Dynamic Access Control provides flexible access control and auditing designed to meet many government security and regulatory requirements. |
Configuring Microsoft DirectAccess is complex and often requires additional infrastructure. |
Combined with Windows Server 2012, you can configure DirectAccess with as few as three clicks, providing users with automatic and continuous access to internal resources. |
Users hate typing their passwords. |
Single sign-on allows Windows Store apps to automatically authenticate the user with shared credentials. |
Creating AppLocker rules to control which apps users can run is complex and error-prone. |
AppLocker rules for Windows Store apps are straightforward and simple for administrators to configure. |
Administrators have to use separate tools to manage encrypted hard drives. |
BitLocker supports encrypted hard drives with onboard encryption hardware built in, allowing administrators to use the familiar BitLocker administrative tools to manage them. |
Windows adds increasing delays between login attempts and can lock out a user account when brute force attacks are detected. |
When BitLocker is enabled on the system drive and brute force protection is enabled, Windows can restart the PC after a specified number of incorrect password entries, lock access to the hard drive, and require the user to type the 48-character BitLocker recovery key to start the device and access the disk. |
The sections that follow describe these improvements in more detail.
Picture Passwords
Security must be convenient for it to be effective. For a user with a keyboard, a password is extremely convenient to type; therefore, passwords have remained an effective form of authentication for decades.
Although passwords remain as the most frequently used mean to sign in to a device, they are simply not convenient for tablet users, because typing is less precise. To address these challenges, Windows 8 introduces picture passwords to allow users to authenticate themselves using a series of touch gestures instead of a traditional password. After selecting their user name at Windows sign-in, the user draws a combination of three gestures on a picture of their choosing. The gestures can be any of the following:
A tap
A small clockwise circle
A large clockwise circle
A small counterclockwise circle
A large counterclockwise circle
That might sound too simple to be effective, but a picture with 10 points of interest has 2,744,000 possible combinations of gestures. By default, Windows 8 locks out attackers after five incorrect guesses, meaning that on average, an attacker would need about a quarter of a million separate attempts (without repeating gestures) to guess a password.
If users forget their picture password, they can always type their conventional password to log on to their PC. Of course, if picture passwords do not meet security requirements, you can use Group Policy settings to disable their use in the organization. See the blog post, Signing in with a picture password, to learn more about picture passwords.
If you’re interested in trying out picture passwords, from PC Settings on a computer running Windows 8, select the Users page, and then click Create A Picture Password. As shown in Figure 9, Windows 8 prompts you to set up three gestures for your favorite picture. Next, log in a few times to be sure you remember your gestures. If you are concerned about security, show friends how picture passwords work, and ask them to try and guess your picture password.
Figure 9. Picture passwords provide great convenience with excellent security.
Brute force protection
A brute force attack is the process used to break into a device by simply guessing a user’s password over and over until the attacker gets it right. Windows 7 and previous versions defended against brute force attacks in a straightforward way—by slowing or preventing additional guesses after multiple mistakes. For example, Windows 8 limits the number of times a user can attempt a picture password or PIN authentication. When using a full password to log in, Windows forces the user to wait several seconds between attempts if they type their password incorrectly multiple times. You can even choose to have Windows lock out an account for a period of time when a brute force attack is detected.
Windows 8 adds an even more powerful—but optional—form of brute force protection. If a brute force attack is detected against any authentication method and BitLocker is used to protect the system drive, Windows 8 will automatically restart the device and put it in BitLocker recovery mode unless a recovery key password is entered. This password is a virtually unguessable 48-character recovery code that must be used before Windows will be able to start normally.
If you’re interested in learning how to configure brute force protection, use a test Windows 8 PC with BitLocker protection enabled for the system drive, and print out the BitLocker recovery key to ensure that you have it available. Then, open the Local Group Policy Editor by running gpedit.msc and go to Computer Configuration\Windows Settings\Security Settings\Security Options. Open the policy Interactive Login: Machine Account Lockout Threshold, and set the value to 5, as shown in Figure 10.
Figure 10. Brute force protection uses BitLocker security to make it almost mathematically impossible to guess most passwords.
Now, your PC is configured with brute force protection. Restart your PC. When prompted to log in, mistype your password until the PC restarts. Now, try to guess the 48-character recovery key. You will probably be glad you printed it out beforehand.
Virtual smart cards
For many enterprises, a user name and password, which offer single-factor authentication, are increasingly not good enough to secure organization networks, resources, and data. Smart cards have become one of the most common methods of providing multifactor authentication. In the case of smart cards, users need to provide the card itself (something they have) and a PIN (something they know). This prevents an attacker who guesses a user’s password from successfully impersonating that user; they’ll need to steal their smart card, as well.
Smart cards are not particularly convenient for users, especially mobile users. Imagine an employee travelling on business with their Windows 8 tablet who wants to check their email while waiting for their flight at a crowded terminal. First, they need to start their Windows 8 tablet, which is easy enough. Next, they would need to connect an external USB smart card reader (most tablet PCs do not have internal smart card readers). Then, they would need to dig through their bag to find their smart card, insert it into the smart card reader, and log in—all with other waiting passengers pushing past them to find a seat.
The fact is, if it is that difficult to check their email, most employees simply will not bother. Instead, they will stay out of touch, or they will choose a less secure means of communication that does not require a smart card login, such as personal email, defeating the purpose of the smart card.
Virtual smart cards offer multifactor authentication and compatibility with many smart card infrastructures. Most importantly, virtual smart cards offer users the convenience of not having to carry anything extra, making users more likely to follow their organization’s security guidelines rather than working around them.
With virtual smart cards, Windows 8 stores the smart card’s certificate in the PC, and then protects it using the device’s tamper-proof TPM security chip. In this way, the PC actually becomes the smart card. The user can only access the virtual smart card from PCs that their administrators configure, fulfilling the “something they have” requirement. The user still needs to type a PIN, fulfilling the “something they know” requirement. However, users no longer need to physically connect a smart card or carry a smart card reader, meaning that they can now check their internal email while standing in line waiting to check in—without digging through their bag for a smart card reader. There is also one less item for users to lose or forget, reducing the lost productivity associated with damaged and lost cards.
Of course, enterprises need an efficient way to manage hundreds or thousands of virtual smart cards. Although Microsoft expects several non-Microsoft vendors to offer virtual smart card management solutions, the first available is Intercede’s MyID. For more information about MyID, visit Intercede’s website. For more information about virtual smart cards, see Understanding and Evaluating Virtual Smart Cards.
If you currently use smart cards, you might choose to use virtual smart cards for specific scenarios. For example, you could allow multifactor authentication using virtual smart cards when connecting remotely to your network but still require a physical smart card to access classified file servers. If you haven’t used multifactor authentication before, virtual smart cards are an easy and inexpensive way to get started.
DirectAccess
DirectAccess transparently establishes connections between corporate networks and users any time their PC has an Internet connection. What users will notice is they can access internal resources anytime they have Internet access, without a special login and without starting a virtual private network (VPN) connection. If a user with mobile broadband checks their email and clicks a link to a document on the internal network, the link simply works. If a travelling user connected to an airport Wi-Fi hotspot wants to update internal customer data with information from their latest meeting, it works exactly like it does when the user is sitting at their own desk.
As shown in Figure 11, DirectAccess provides automatic, transparent, encrypted, and authenticated connectivity to the internal network. In some ways, DirectAccess works like a VPN, although DirectAccess does not require the user to log in. Figure 11 shows DirectAccess being used in split tunneling mode, which is just one configuration option.
Figure 11. DirectAccess keeps users constantly and automatically connected.
DirectAccess was introduced in the Windows 7 and Windows Server 2008 R2 operating systems but has been improved for Windows 8 and Windows Server 2012. With Windows Server 2012 and Windows 8 Enterprise, you can deploy a DirectAccess infrastructure with a few clicks, even if the network uses Network Address Translation and Internet Protocol version 4 (IPv4). Using more advanced configurations, DirectAccess with Windows Server 2012 can support clients running Windows 8 and Windows 7.
In addition to providing transparent connectivity, DirectAccess also simplifies management of remote PCs by connecting them to the internal network more often and keeping them connected for longer periods of time. For more information about DirectAccess, see Work Smart: Connecting Remotely Using Windows 8 DirectAccess.
Dynamic Access Control
Every systems administrator knows how permissions work: You take the object that you want to secure, give a user or a security group permissions to it, and then you try to keep the user list and security groups up to the date with the correct set of users. It is pretty simple.
This model doesn’t scale well; nor does it work for every situation. In the case of file permissions, it does not take into account the content within the files, so a classified document is treated exactly like an unclassified document. File permissions also do not factor in whether the user accessing a file is connected to a secure network or sitting in a coffee shop. Consequently, for many organizations, file permissions just are not flexible enough to protect their data.
With Windows Server 2012 and Windows 8, administrators can solve this problem using a new technology called Dynamic Access Control, which uses dynamic rules-based policies to protect shares, folders, and files. These policies can allow or deny access based on combinations of user, device, and data properties rather than statically maintained user lists and security groups.
The protection capabilities of Dynamic Access Control go beyond simple access control scenarios and can be used to provide persistent protection to data that will continue to protect it even when it is moved off of the original file servers. This is possible when using Dynamic Access Control in combination with Active Directory Rights Management Services (AD RMS), which can encrypt sensitive Microsoft Office documents so that only authorized users can access them. AD RMS also allows administrators to specify whether users can copy, print, forward, and edit documents. For more information about AD RMS, visit Active Directory Rights Management Services on Microsoft TechNet.
Besides authorization, security-focused organizations need detailed information about who accesses confidential files. Using Dynamic Access Control, administrators can also create detail audit policies, potentially documenting who accesses highly sensitive information and meeting compliance reporting and forensic analysis requirements. Unlike traditional auditing capabilities where an ocean of prioritized audit data is collected, Dynamic Access Control and its rules-based policies enable you to either collect everything or, if you choose, target specific data and types of data for auditing.
To compare the two access control methods, imagine how an administrator might restrict access to confidential personnel records:
File permissions. Restrict files and folders so that only members of the Human Resources security group can access them. IT manually adds members of the Human Resources organization to the appropriate groups and manages the group memberships over time.
Dynamic Access Control. Create a policy that allows only members of the Human Resources organization with classified security clearance to access confidential personnel records with personally identifiable information from on-premises PCs configured to meet the organization’s security requirements. IT maintains each the user account’s properties in AD DS rather than maintaining the users’ many group memberships.
Clearly, Dynamic Access Control policies are a more powerful and flexible way to control authorization, and they are particularly useful for meeting regulatory requirements. For more information about Dynamic Access Control, see the blog post, Introduction to Windows Server 2012 Dynamic Access Control.