What's Changed in Security Technologies in Windows 8
Published: April 12, 2013
Updated: April 12, 2013
Applies To: Windows 8
This evaluation topic describes the security features in Windows 8 and provides links to additional content about the features for the IT professional.
The Windows 8 operating system provides enterprise-grade security features that can protect devices and data from unauthorized access and threats such as malware. Windows 8 builds on the strong security foundation in Windows 7 to provide improved malware resistance that can protect the client, data, and network by making the computer less vulnerable to attacks.
Windows 8 simplifies the provisioning process and user experience for encrypted devices on a variety of computer form factors and storage technologies, so all organizations can encrypt every drive. It also modernizes access control and data management while increasing data security in the enterprise.
Enhancements in security auditing in Windows 8 can improve your ability to monitor and manage security in your environment, and improvements in authentication and access control gives you better ability to protect your organization’s resources.
This topic contains information about:
Windows 8 helps keep your computers and data safe by making them more resistant to all forms of malware, including those that use phishing attacks and rootkits. Malware risks are dramatically reduced by eliminating known exploit techniques and making it more difficult to create new ones. In the event of a malware intrusion, Windows is more capable to detect and remove bootkits and rootkits.
Bootkits are the most dangerous form of malware. They start before Windows starts, and they hide between the hardware and operating system where they are virtually undetectable and have unlimited access to system resources. With Secure Boot, the computer’s UEFI verifies that the Windows bootloader is secure before loading it. If the bootloader has been modified (for example, if a bootkit is installed) or replaced, Secure Boot will prevent running it.
For more information, see Secure Boot Overview.
Windows continues the chain of trust that begins with Secure Boot by verifying the integrity of Windows startup files. Trusted Boot also includes an early launch antimalware (ELAM) capability that enables the antimalware software to start before any non-Microsoft software. By starting the antimalware solution early and within the protected boot process, the operation and integrity of the antimalware solution can be better guaranteed.
As part of the boot process, Windows also runs Measured Boot, which allows non-Microsoft software on a remote server to securely verify the security of every startup component in a way that would be very difficult for malware to forge. If any tampering with the Windows boot process or the antimalware’s ELAM driver is detected, Trusted Boot repairs the system by restoring the original files.
Windows Store apps dramatically reduce the risk of malware. Users can install only Windows Store apps that have been approved by Microsoft or your organization, reducing the risk that an app will have malware hidden within it. Windows 8 runs Windows Store apps with very limited privileges and no system-level access, reducing the ability of malware to exploit vulnerability in an app.
For more information, see Manage Client Access to the Windows Store.
AppLocker in Windows 8 gives IT pros complete control over which desktop and Windows Store apps users can run. Windows Store apps are easier to manage than desktop apps. AppLocker rules for Windows Store apps automatically apply to the app installer and all files included with the app. You create only simple publisher rules, instead of error-prone hash- or path-based rules. Additionally, a single AppLocker rule can contain rule collections for desktop apps and packaged apps, which makes it easy to manage your new packaged apps alongside your existing apps. You can use AppLocker to reduce the risk of malware by allowing users to run only approved apps.
For more information, see AppLocker Technical Overview.
Introduced in Internet Explorer 8, SmartScreen helps protect you from malicious websites and applications that come from the web by using URL reputation services. To help protect people who use several types of web browsers, Windows 8 extends the reputation services in SmartScreen to the operating system. The first time you run an app that originates from the Internet, no matter how it was copied to the computer, SmartScreen checks the reputation of the application, based on digital signatures and other factors. If the app lacks a reputation, or it is known to be malicious, SmartScreen warns you or blocks it entirely. Optionally, if you trust the app, you can choose to run it.
In Windows 8, Windows Defender has been upgraded from antispyware to a full-featured antimalware solution that is capable of detecting and stopping a wider range of potentially malicious software, including viruses. Windows 8 users no longer need Microsoft Security Essentials, because Windows Defender fulfills the antimalware functions.
Windows 8 includes low-level improvements to make it more difficult for malware to gain unauthorized access to system resources. An improved version of Address Space Layout Randomization (ASLR) makes it more difficult for malware to predict where Windows 8 stores vital data.
Apps are no longer allowed to allocate the lowest 64 K of process memory. The Windows heap (which stores some app data) has additional integrity checks. Data Execution Prevention (DEP) is required and the feature is more accessible to app developers. Each of these low-level changes eliminate exploit techniques that malware has used in the past to gain higher privileges to computers. These improvements can dramatically reduce the likelihood that newly discovered vulnerabilities will result in a successful exploit.
When users and their computers are mobile, they take your organization’s confidential data with them. In Windows 8, The following features in BitLocker simplify provisioning and compliance management for encrypted devices on a variety of computer form factors and storage technologies.
BitLocker in Windows 8 provides a new type of hard drive called Encrypted Hard Drive. When a computer is equipped with Encrypted Hard Drive, BitLocker offloads the cryptography to the processor in Encrypted Hard Drive. This instantly encrypts the drive and improves desktop performance by decreasing the computer’s processor utilization. Security can be stronger because the drive uses the highly regarded Opal Storage Specification standards.
With Windows 8, you can turn on BitLocker and the Trusted Platform Module (TPM) from within Windows Preinstallation Environment (WinPE) before installing Windows, without any end-user interaction. Because Windows is not installed yet and the drive is nearly empty, enabling BitLocker takes only a few seconds.
For more information, see BitLocker provisioning.
BitLocker in earlier versions of Windows could take a long time to encrypt a drive because it encrypted every byte on the volume (including parts that didn’t have data). For new computers, it is a waste of time to encrypt the unused portions of a disk, so BitLocker in Windows 8 lets you choose to encrypt only your data. This can reduce the encryption time and provisioning time by several hours.
For more information, see Used Disk Space Only encryption.
With Windows 8, users can update their BitLocker PINs and passwords without opening a Help Desk ticket. This reduces your support costs, and it can improve your security by enabling users to change their PINs and passwords more often.
For more information, see Standard User PIN and password change.
Requiring a user to type a PIN to start a computer that is protected with BitLocker helps ensure the computer is in the hands of an authorized user. However, it prevents computers from restarting automatically—a problem when you install apps and updates after hours because computers restart automatically but then wait for a user to type a PIN before starting Windows. Network Unlock allows computers that are protected with BitLocker to start automatically if they are connected to your local network. When the computer is disconnected from the network, a user must type a PIN to unlock the drive.
For more information, see Network Unlock.
Trusted Platform Module (TPM) technology is designed to provide hardware-based, security-related functions. During the boot process of a system, the boot code that is loaded (including firmware and the operating system components) can be measured and recorded in the TPM. The integrity measurements can be used as evidence for how a system started and to make sure that a TPM-based key was used only when the correct software was used to boot the system. New functionality in Windows 8 includes:
Automated provisioning and management of the TPM
Measured Boot with support for attestation
A TPM-based virtual smart card
A TPM owner authentication value, which is stored separately
TPM-based certificate storage
For more information, see Trusted Platform Module Technology Overview.
Access to resources in your organization becomes complicated when your users are mobile. Windows 8 provides improved controls and technologies to address productivity and security.
Smart cards provide more secure, strong multifactor authentication by requiring users to authenticate by using a smart card (something they have) and a PIN (something they know). With virtual smart cards, Windows 8 stores the smart card certificate in the computer, and the TPM protects it. In this way, the computer actually becomes the smart card. The user still needs to type a PIN, but they no longer need to physically connect a smart card or carry a smart card reader. Without a physical smart card, there’s also one less item for users to lose or forget. Because users still need a computer with their stored certificate and a PIN, virtual smart cards can fulfill two-factor authentication requirements for some scenarios including remote access.
For more information, see Understanding and Evaluating Virtual Smart Cards.
It can be difficult to type a password on a touch screen because you can’t see the letters as you type them. In Windows 8, picture passwords provide a touch-friendly way to sign in to a device. Instead of typing a password, users draw a combination of three gestures, which can include dots, lines, or circles; and they apply them to points of interest on the picture. Most pictures have the potential for millions of picture passwords, making the authentication technique secure for most organizations. If users forget their picture passwords, they can type their conventional password to sign in to their computers.
For more information, see the following articles:
DirectAccess keeps your users securely connected to your internal network any time they have an Internet connection. If they have Internet access, they can access internal email, files, and apps, and an IT profressional can manage their computers. In Windows Server 2012 and Windows 8 Enterprise, you can configure a DirectAccess infrastructure, even if your network uses Network Address Translation (NAT) and IPv4. With additional configuration, DirectAccess can support client computers running Windows 7.
For more information, see Remote Access.
In Windows Server 2012 and Windows 8, you can use Dynamic Access Control to provide access control to folders, files, and shared resources based on dynamic rules-based policies, rather than static user lists and security groups. You can create policies that allow or deny access, based on combinations of user, device, and data properties.
The ACL Editor has been redesigned in Windows Server 2012 and Windows 8 to more clearly present the key information needed to assess and manage access control, including support for Dynamic Access Control.
For more information, see Enhanced ACL Editor.
Windows Firewall with Advanced Security provides host-based, two-way network traffic filtering for a computer. Windows Firewall with Advanced Security blocks unauthorized network traffic that flows into or out of the local computer. It works with Network Awareness so that it can apply security settings that are appropriate to the type of network to which the computer is connected. Improvements include Internet Key Exchange version 2 (IKEv2) for IPsec transport mode, Windows Store app network isolation, and Windows PowerShell cmdlets for Windows Firewall management.
For more information, see Windows Firewall with Advanced Security Overview.
Because the increased use of personal devices and the possible use of the Microsoft account in your enterprise, establishing the authentic identity of a user or device has become more important. Windows 8 includes the following authentication features:
Credential Locker is a service that creates and maintains a secure storage area on the local computer, which stores user names and passwords that the user saved from websites and Windows 8 apps. New functionality and defaults include:
Apps in Windows 8 can be programmed to leverage Credential Locker.
Credential roaming is accomplished by synchronizing a user’s profile, which uses a Microsoft account. (This was formerly known as the Windows Live ID.)
Credential roaming is enabled by default on non-domain-joined computers, and it is disabled on domain-joined computers.
For more information, see Credential Locker Overview.
Smart cards together with personal identification numbers (PINs) are an increasingly popular, reliable, and cost-effective form of two-factor authentication. With the right controls in place, a user must have the smart card and know the PIN to gain access to network resources. New and improved features include:
Changes to the smart card sign-in experience
Smart Card Service start and stop behavior
Smart card transactions
Smart card support on Windows RT
Smart card support in Windows 8 applications
For more information, see What's New in Smart Cards.
The Windows Server operating systems implement the Kerberos version 5 authentication protocol and extensions for public key and password-based authentication. Many improvements have been implemented to support features in Windows Server 2012 and Windows 8, in addition to improvements to core Kerberos authentication performance.
For more information, see What's New in Kerberos Authentication.
Schannel is a Security Support Provider (SSP) that implements the SSL, TLS, and DTLS Internet standard authentication protocols. The following capabilities have been added in Windows Server 2012 and Windows 8:
TLS support for Server Name Indicator extensions
Addition of the Datagram Transport Layer Security protocol
For more information, see What's New in TLS/SSL (Schannel SSP)
Windows 8 provides improvements to existing tools that are used to monitor and manage security.
Security audits help detect anomalous behavior, identify and mitigate gaps in security policy, and deter irresponsible behavior. Audits create a record of user activity that can be used for forensic analysis. Although security auditing is typically performed at the domain level, improvements in Windows Server 2012 and Windows 8 impact auditing in:
Enhanced user logon
New types of securable objects
Removable storage devices
For more information, see What's New in Security Auditing.
Security settings that are incorporated into policies are rules that administrators configure on a computer or multiple computers for the purpose of protecting resources on a computer or network. The Security Settings extension in the Local Group Policy Editor allows you to define security configurations as part of a Group Policy Object (GPO). Four new security policy settings have been introduced in Windows 8:
Accounts: Block Microsoft accounts
Interactive logon: Machine account threshold
Interactive logon: Machine inactivity limit
Microsoft network server: Attempt S4U2Self to obtain claim information
For more information, see Security Policy Settings Overview.