Windows 8 Ecosystem Security at Microsoft IT
Published: July 2013
Learn how Microsoft Information Technology (Microsoft IT) deployed Windows 8, Windows Phone 8, and Windows RT to meet the evolving needs of the Microsoft enterprise. This article discusses the commitment of Microsoft IT to deploy and support an operating system that provides improved performance and increased productivity, while delivering a more secure environment.
|Intended Audience||Products & Technologies|
Article, 580 KB, Microsoft Word file
The Microsoft Information Technology (Microsoft IT) organization is committed to creating a secure, productive, and collaborative environment by implementing products and services that address evolving business requirements. Microsoft IT used the deployment of Windows 8 to balance an unwavering focus on security and performance with the need for flexibility as employees' work styles change to include working remotely with multiple devices.
When implementing new systems and technologies, companies want to make sure that their intellectual property is protected and secure. At the same time, employees want and expect the ability to access corporate resources and work with important, sometimes sensitive content across multiple devices and from a wide variety of locations. Although Windows 7 is one of the most advanced and secure operating systems in the market today, with Microsoft’s recent release of Windows 8, Windows Phone 8 and Windows RT, improvements to security and performance are exceeding customer expectations.
Enhancing Security at Microsoft
With every release of Windows, improving security through innovation is one of Microsoft IT's primary goals. The release of Windows 8 includes significant enhancements and upgrades that secure the environment, protect users, and safeguard valuable intellectual property better than ever before. Several new features in Windows 8 provide users with more flexibility over where they work, which device they use, and how quickly they can access corporate resources.
Enhanced Strong Authentication Services with Virtual Smart Card
Microsoft IT is deploying Virtual Smart Cards, which are a new feature for Windows 8. A Virtual Smart Card (VSC) enables user authentication with a variety of devices and without the need for a physical smart card. This improves users’ experience when required to use two-factor authentication for scenarios such as remote access.
Similar to physical smart cards, the VSC uses hardware to protect the security token’s secrets. The VSC leverages the Trusted Platform Module (TPM) chip in the user's computer to provide strong authentication ensuring secure access to corporate resources regardless of their location.
With Windows 8, the VSC eliminates the potential of users misplacing their smart card when they need it. More importantly, for companies using devices with Trusted Platform Modules (TPM), the Windows 8 VSC provides the benefits of two-factor authentication while reducing the cost of token devices and readers as well as the investments in hardware and infrastructure necessary for physical smartcards. Additionally, Microsoft Windows 8 logo devices have TPM as part of their required specifications so companies investing in new Windows 8 devices can benefit from the capabilities associated with Virtual Smart Cards.
Note: While convenient, Virtual Smart Cards are not portable between devices, so users must enroll for a new virtual smart card for each device.
Security from the Start with Windows 8 Secure Boot
If a user inadvertently downloads a program or driver that contains a malware Operating System loader, the next time the user boots their device, the malware is initiated, loading during the boot process. Because the malware typically becomes active before Windows starts, the antivirus programs and other security features are unable to detect and stop the malware from modifying key operating system files, and users may never know their system has been compromised.
To address this, Microsoft IT delivered Secure Boot, a new security feature that makes Windows 8 very resistant to malware that attacks the boot process and earliest loading OS components (i.e., Rootkits or Boot kits). Windows 8 leverages new updates to the Unified Extensible Firmware Interface (UEFI - version 2.3.1 standard) to check the digital signature on the OS loader when any Windows 8 device is started, comparing it to a list of approved digital signatures stored within the UEFI chip. If the OS loader digital signature doesn't match one of the approved signatures (if it's been tampered with), the device firmware will not allow that malware to load.
Secure Boot ensures that only approved, valid, and signed operating system files are loaded onto the user's device ensuring the kernel, system files, boot-critical drivers, and antimalware software are protected.
Note: Secure Boot requires hardware that conforms to Windows 8 Hardware Certification Requirements.
Safeguarding Critical Data with Microsoft BitLocker
Sensitive corporate data is protected by encrypting the data with Microsoft BitLocker. For Windows 8, Microsoft IT updated BitLocker to make it easier to manage and to improve the user experience.
One of the improvements is an option to encrypt only the portion of the drive that contains the data or the used space of the drive. This means that users no longer need to wait for the entire drive to be encrypted. This is especially useful for a brand new drive where no previous data has been stored or for removable drives where encryption has to be complete in order to remove the drive. This means that data is protected much more quickly while meeting security requirements. BitLocker for Windows 8 is also easier to suspend, and more resilient with automatic re-enable at next system restart.
In addition, there is added support for new technology called Encrypted Drive. This is hardware-based encryption requiring Windows 8 Hardware Certification and to natively boot from UEFI where the drive (not the processor) encrypts data as it is written. One advantage of Windows 8 support of BitLocker, administrators who previously invested in using BitLocker can now use encryption technology that allows the drive to do the encryption while the management and recovery of keys works the same way as the previous BitLocker version. Administrators don't need to use different processes and recovery procedures.
Another new feature with Windows 8 BitLocker is the ability to pre-provision BitLocker, encrypting the drive at the same time the OS is installed. By using this feature in the new BitLocker, the rollout across an enterprise will be easier, faster, and a much better user experience.
Network Unlock devised is a new feature that allows IT administrators to push important security updates to a user's machine when it's connected to the corporate network even when unattended. In addition, they no longer need to be concerned with a PC hanging after reboot waiting for the BitLocker PIN to be entered. For a machine that requires the user to enter a PIN at startup, Network Unlock allows the user's system to securely access a second authentication factor (different from the user's PIN) from a server on the corporate network. This second authentication factor allows IT to restart and complete the update process while bypassing the re-entry of a PIN.
If the computer is lost or stolen, it can't be started without the user's PIN, and the secondary authentication isn't available without a corporate network connection. The unauthorized user cannot override the two safeguards to access the computer.
Note: Network Unlock requires a Windows Server 2012 with Windows Deployment Services (WDS) installed and Windows 8 Certified hardware clients.
For Windows Phone 8 and Windows RT the first time a user logs on to a Windows 8 device with a Microsoft account, BitLocker is turned on automatically by default. This is another example of how security has been improved while making it easier and more efficient for users to comply with security requirements across all of their devices.
Note: For enterprise customers, Microsoft IT recommends Microsoft BitLocker Administration and Monitoring (MBAM) 2.0, which provides a simplified administrative interface to BitLocker drive encryption. To learn more about MBAM 2.0 visit: http://technet.microsoft.com/library/dn145063.aspx
Secure and Trusted Modern and Line-of-Business Applications
Windows 8 provides a great platform for building useful apps that can be made available through the Windows Store. Windows Store apps are built based on the new Windows UI, which emphasizes content quality. To ensure that all Modern and Line-of-Business (LOB) applications available meet Microsoft's high quality and security standards, Windows apps:
- Must depend on software listed in the Windows Store or identified as Windows 8 compatible
- Are easily identified and understood
- Behave predictably and are fully functional
- Must provide value to the customer
- Put the customer in control by complying with privacy requirements
- Are appropriate for a global audience
LOB apps designed for enterprise customers are typically aimed at users involved with that specific business. Examples of LOB apps might include dashboards, sales apps, or apps that monitor processes within the enterprise. These apps tend to access and work with sensitive corporate data and specific processes within the business. Because of this, security for LOB apps is critical. With Windows Store apps, including LOB apps, any number of authentication capabilities can be used including domain sign-in, multi-factor authentication using smart cards, or Microsoft accounts, etc. to ensure security.
Improved Access with EAS Policy
Exchange ActiveSync® (EAS) is a protocol developed by Microsoft specifically for mobile devices and enables users to access email, calendar, contacts, and tasks from the Microsoft Exchange server. EAS is more efficient with network and battery usage. And by automatically synchronizing with the mail server, EAS provides near real-time mail delivery improving the user experience.
EAS allows the system to enforce policy settings such as requiring a password on your Windows Phone 8, maximum number of password retries, privacy screen lock after a certain amount of time, etc. With the Modern Mail application, for a user to access their corporate Exchange mailbox, an opt-in notification is sent to the user's device that requires the addition of a compliance policy to their device. With this compliance in place, the device then allows secure access to corporate calendar and email. EAS makes it easier to use both personal and work devices to access corporate resources while applying the required security controls.
Note: To learn more about Exchange ActiveSync and EAS policy management, additional information is available in the following articles:
"Managing Exchange ActiveSync Devices"
Microsoft IT's Commitment to Improving Performance and Productivity
With the deployment of Windows 8, Microsoft IT has demonstrated a keen focus on improving security. At the same time, development of new and enhanced tools and processes that increase productivity and performance throughout the enterprise is a top priority for the Microsoft IT team.
Automatic updates and improved countdown process
New for Windows 8, automatic update is turned on as part of the initial setup process so that as soon as important updates or patches are available, the device is automatically updated. This ensures devices are secure and current and potentially reduces the time it takes to install updates. The settings for this feature are based on rules defined by the enterprise administrator.
Note: Windows Update will not add any applications to a user's computer without asking for permission.
Another improvement for Windows 8 is the pending restart and countdown notices. After important updates are installed, a restart notice indicates that the computer must be restarted within three days to complete the installation. This gives users the ability to postpone restarting their computer to when it's convenient and won't interfere with deadlines.
The notices continue at regular intervals reminding the user to restart their computer. If the restart doesn't occur in three days, a 15-minute countdown timer displays and at the end of 15 minutes, the computer restarts automatically. If the computer is locked, the automatic restart is delayed until the next time the user signs in and then the 15-minute countdown begins.
Additionally, users can force automatic restarts to install important updates whether or not they are at their computer. This restart behavior is a new feature that can be modified through the registry. To learn more about this new feature, visit: http://support.microsoft.com/kb/2835627
Increasing Security and Performance
Increasing security in the enterprise while optimizing performance have been concurrent efforts for Microsoft IT for quite some time. Windows 8 provided the opportunity to collect and manage a broad spectrum of performance measurements. Microsoft IT employed the built-in assessment tools from Windows Assessment and Deployment Kit (ADK) for Windows 8* to analyze boot time—both the standard, full boot time as well as the optimized Fast Startup, which is new with Windows 8. By conducting assessments on real-world systems as well as lab systems to establish baselines and comparative measurements, Microsoft IT was able to make continuous performance improvements.
By June 2012, Windows 7 boot time had been cut by almost 60% (from 195 sec to 80 sec). In FY13, boot time was reduced by an additional 41.7% (from 80 sec to 46.39 sec).
For Windows 7, the time from boot to the desktop improved across the
corporate forest by over an additional 17% on top of the 2012 numbers (from
79.67 seconds to 65.97 seconds). For Windows 8, the time from boot to the
desktop improved from 64.27 seconds to 29.87 seconds across the corporate
forest—an over 50% boot improvement from October 2012 to June 2013—just the
last eight months.
Additional key improvement measures:
- Boot time improved by 40 seconds for customers in the Redmond domain. This was done by remediation of Application Publishing GPOs (Group Policy Objects) in the Redmond domain caused by incorrect registry CSE GUID. This issue was identified through the Remote Boot Performance Measurement and Assessment Platform.
- Through Folder Redirection GPO remediation across all of the corporate domains, boot times were improved by 40 seconds for all Microsoft IntelliMirror® users. This was done though a split of registry Client Side Extension (CSE) setting(s) and Folder Redirection settings reducing the number of synchronous logons.
- Reduced number on synchronous logons by retiring Application Publishing GPOs across all corporate domains resulting in 40 seconds of boot time improvement for all customers. This change also improves overall boot performance baseline.
As a result of the work with Group Policy optimization, Microsoft IT reduced synchronous logons across the enterprise from 40.70% in January to 2.63% at the end of May—a 93.5% improvement.
By focusing on boot performance optimization, boot time was reduced across the Microsoft Enterprise by roughly 42%, delivering 33 seconds in boot time reduction in FY13. Getting users to the useable desktop more quickly resulted in over $3.3 million in increased user productivity.
Through Microsoft IT's partnership with the Premier Field Engineering (PFE) organization, PFE is hoping to deliver similar benefits to enterprise customers through use of the Microsoft IT Boot Performance Assessment Platform—a customized Microsoft IT tool built in partnership with PFE using components of the Windows Assessment and Deployment Kit (ADK) for Windows 8.
Figure 1. Client Health, represents overall boot time improvement; both in reduction of the time it takes for users to get to the productive desktop as well as the reduction of the number of synchronous policies across Microsoft.
These efficiencies and improvements were made without diluting foundational security policies and procedures; password age and complexity, the use of BitLocker as well as patching and compliance are still enforced through Group Policy, which runs continuously in the background. By making improvements to the Windows 8 infrastructure and how Windows 8 processes Group Policy, Microsoft is now more secure while impacting the users less than before, improving their overall experience when using this new operating system, Windows 8.
Figure 1. Client Health
*Designed to work with Windows 8, the Windows
Assessment and Deployment Kit (Windows ADK) is a set of tools that enterprise
customers can use to customize, assess, and deploy Windows operating systems to
new computers. In this scenario, Microsoft IT used the assessment to measure
boot performance with Windows 8. Windows 8 Enterprise customers can download
the ADK at Microsoft.com http://www.microsoft.com/en-us/download/details.aspx?id=30652
Note: The measurements and outcomes defined in Figure 1 are specific to Microsoft IT and improvement efforts within their organization. These results are not meant to be used as targets or recommendations. Improvement results may vary and enterprise IT teams must define targets and measurements specific to their business needs.
Microsoft IT has built an infrastructure that includes comprehensive support, allowing Windows 8, Windows Phone 8 and Windows RT devices to securely share internal only information and resources as well as external content across the devices and experiences throughout the enterprise.
This infrastructure ensures users can work from almost any location, using any of their Windows 8 devices to leverage the productivity and security tools and services they need, such as:
- SkyDrive Pro: A library that synchronizes files and folders across multiple devices and securely stores files in the cloud. Microsoft SkyDrive® Pro makes it very easy to collaborate on shared documents. A simple link in an email can provide access and permission allowing teammates to review and edit documents without emailing the file back and forth. This is especially useful when working or collaborating on large files.
- Exchange ActiveSync on the Windows Phone 8: Automatically configures SkyDrive Pro. From the Office Hub on the Windows Phone 8, users are able to conveniently link to their SkyDrive Pro location without having to remember the address.
- Information Rights Management (IRM): Windows Phone 8 provides support for IRM Mail through Exchange ActiveSync.
- Improvements to Office applications: Users can make updates to documents, spreadsheets, or presentations, provide comments and feedback and send the documents back to the people who need them, quickly and securely from almost any location using their Windows Phone 8.
- Document Rights Management DRM: Similar to IRM, Windows Phone 8 supports reading DRM documents from Office. (Note: You cannot create DRM documents on the phone.)
- BitLocker Support: Enterprise-grade encryption enabled automatically on the Windows Phone 8 and Windows RT through Exchange ActiveSync the first time a user links to the Exchange server, ensuring data is secure.
- Lync and Skype: Collaboration tools that provide connectivity as well as conferencing, instant messaging, and calling features when working remotely. With Microsoft Lync® 2013, a new add-on app allows Windows Phone 8 users to attend meetings, view slides, etc.
By continuing to assess the end-to-end security story, Microsoft IT used the deployment of Microsoft Windows 8, Windows Phone 8, and Windows RT as an important opportunity to provide significant advancements in securing the enterprise while increasing performance and improving employee productivity. By incorporating new policies, systems, and tools that are designed to support convenience and flexibility, Microsoft IT created a better user experience for everyone in the enterprise using a device running Microsoft Windows 8.
For More Information
For more information about Microsoft products or services, call the Microsoft Sales Information Center at (800) 426-9400. In Canada, call the Microsoft Canada information Centre at (800) 563-9048. Outside the 50 United States and Canada, please contact your local Microsoft subsidiary. To access information through the World Wide Web, go to:
© 2013 Microsoft Corporation. All rights reserved.
This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY. Microsoft, ActiveSync, BitLocker, IntelliMirror, Lync, SkyDrive, Windows, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.