Windows 8.1 security improvements
Applies to: Windows 8, Windows 8.1, Windows Server 2012, Windows Server 2012 R2
The Windows 8.1 operating system provides enterprise-grade security features that protect devices and data from unauthorized access and from threats such as malware. Windows 8.1 builds on the security foundation in Windows 7 with boot-time and runtime defenses that protect the client, its data, and the network by making the PC harder to compromise in the first place.
Additionally, Windows 8.1 simplifies provisioning and the user experience for encrypted devices across PC form factors and storage technologies, so that organizations of any size can encrypt every drive. It also modernizes access control and data management while raising data security in the enterprise.
This article describes noteworthy improvements to the security features in Windows 8.1 and includes links to more detailed information for each.
Groundbreaking malware resistance
Windows 8.1 keeps PCs and data safer by making them more resistant to all forms of malware, including malware delivered through phishing and rootkits that hide from the operating system. To help resist malware, Windows 8.1 provides the following features:
Secure Boot
Bootkits are among the most dangerous forms of malware: they run before Windows starts and insert themselves between the firmware and the operating system, where they are very hard to detect and have full control of the hardware. With Secure Boot, the PC's UEFI firmware checks the digital signature on the Windows boot manager against the keys in its signature database before transferring control to it. If the boot manager has been modified (for example, by a bootkit) or replaced with an unsigned or revoked binary, the firmware refuses to run it. Secure Boot requires UEFI firmware (not a legacy BIOS) and a GPT-partitioned system disk. For more information about Secure Boot, see the article Secure Boot Overview.
Trusted Boot
Windows continues the chain of trust started by Secure Boot: the boot manager verifies the signature on the Windows kernel, and the kernel verifies every boot-start driver and system file that loads after it. Trusted Boot also includes Early Launch AntiMalware (ELAM), which loads a Microsoft-signed antimalware driver before any third-party boot driver and lets it classify each subsequent driver as good, bad, or unknown; the kernel then applies a policy that decides which of those classes are allowed to load. Because the antimalware component starts early, inside the protected boot sequence, its own integrity is much harder for malware to undermine. As part of the same process, Windows also performs Measured Boot: it records a hash of every boot component in the TPM's Platform Configuration Registers (PCRs) and writes a matching log, so that attestation software on a remote server can check the health of each startup component in a way that malware on the client cannot forge, because the measurements are signed by the TPM rather than reported by the operating system. If tampering with the boot process or with the ELAM driver is detected, Trusted Boot repairs the system by restoring the original files.
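The state of all three boot protections can be read from Windows itself. The following script is an added example, not code from the original article; it assumes the SecureBoot and TrustedPlatformModule modules that ship with Windows 8.1, that Windows Defender's ELAM driver is registered as the WdBoot driver, and that the Measured Boot log folder is the default one under the Windows directory. Run it in an elevated session.

```powershell
# Added example: inspect the Secure Boot / Trusted Boot / Measured Boot state of a
# Windows 8.1 PC. Not part of the original article. Assumptions: SecureBoot and
# TrustedPlatformModule modules present; Defender ELAM driver named WdBoot;
# Measured Boot logs under $env:SystemRoot\Logs\MeasuredBoot.

function Get-BootChainStatus {
    $result = [ordered]@{}

    # Secure Boot: Confirm-SecureBootUEFI throws on legacy-BIOS machines, so
    # treat an exception as "not protected" rather than as a script failure.
    try   { $result.SecureBootEnabled = Confirm-SecureBootUEFI }
    catch { $result.SecureBootEnabled = $false; $result.SecureBootError = $_.Exception.Message }

    # TPM presence/readiness: Measured Boot (and BitLocker TPM protectors) need it.
    $tpm = Get-Tpm
    $result.TpmPresent = $tpm.TpmPresent
    $result.TpmReady   = $tpm.TpmReady

    # ELAM policy: which driver classes the kernel allows to start.
    # 0 = good only, 1 = good and unknown, 3 = good, unknown and bad-but-critical
    # (the default when no policy is set), 7 = all drivers including known bad.
    $elam = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\EarlyLaunch' -ErrorAction SilentlyContinue
    $result.ElamDriverLoadPolicy = if ($elam -and $elam.PSObject.Properties['DriverLoadPolicy']) { $elam.DriverLoadPolicy } else { 3 }

    # Defender's ELAM driver must be present for Defender to act as the early-launch scanner.
    $wdboot = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='WdBoot'"
    $result.DefenderElamDriver = if ($wdboot) { $wdboot.State } else { 'missing' }

    # Measured Boot: one TCG event log per boot; the newest file describes the current boot.
    $logs = Get-ChildItem -Path "$env:SystemRoot\Logs\MeasuredBoot" -Filter '*.log' -ErrorAction SilentlyContinue |
            Sort-Object LastWriteTime -Descending
    $result.MeasuredBootLog = if ($logs) { $logs[0].FullName } else { 'none' }

    [pscustomobject]$result
}

$status = Get-BootChainStatus
$status | Format-List

# Flag the two settings a hardened build should never have.
if (-not $status.SecureBootEnabled) { Write-Warning 'Secure Boot is off: the firmware will run an unsigned boot manager.' }
if ($status.ElamDriverLoadPolicy -eq 7) { Write-Warning 'ELAM policy allows known-bad boot drivers to load.' }
```

The Measured Boot log file is what a remote attestation service would parse alongside a TPM quote of the PCRs; reading it locally only tells you that measurements are being taken, not that they are trustworthy, because a compromised OS could edit the file. The PCR values and the TPM's signature over them are the evidence.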
Windows 8.1 apps
Windows Store apps dramatically reduce the risk of malware. Users can install only Windows Store apps that have been approved by Microsoft or by your organization, which reduces the risk that an app has malware hidden within it. Windows 8.1 runs Windows Store apps in a sandbox (AppContainer) with limited privileges and no system-level access, so a vulnerability in an app gives an attacker far less to work with.
AppLocker
AppLocker in Windows 8.1 gives IT control over which desktop and Windows Store apps users can run, and Windows Store apps are even easier to manage than desktop apps. AppLocker rules for Windows Store apps automatically apply to the app installer and to all files included with the app, and you create only simple publisher rules instead of error-prone hash- or path-based rules. Additionally, a single AppLocker policy can contain rule collections for both desktop apps and packaged apps, so you can manage new packaged apps alongside your existing apps. You can use AppLocker to reduce the risk of malware by allowing users to run only approved apps. Rules are enforced only while the Application Identity service is running, so make sure it starts automatically on managed PCs. For more information about AppLocker improvements, visit AppLocker Technical Overview.
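Building the publisher rules for packaged apps and checking a decision before users see it can be done entirely from PowerShell. The following is an added example and not code from the original article; it assumes the AppLocker and Appx modules on Windows 8.1 Enterprise, an elevated session, and a folder C:\Policies that you have created for the policy files.

```powershell
# Added example (not from the original article): publisher rules for installed
# packaged apps, merged into the local AppLocker policy, then a dry-run decision.
# Assumptions: AppLocker and Appx modules available; C:\Policies exists.

Import-Module AppLocker

# 1. Collect file information for every installed packaged app (all users).
$pkgInfo = Get-AppxPackage -AllUsers | Get-AppLockerFileInformation

# 2. Turn that into publisher rules allowed for Everyone. Publisher rules keep
#    working across app updates; hash rules break on every new version.
$policy = New-AppLockerPolicy -FileInformation $pkgInfo -RuleType Publisher -User Everyone -Xml
$policy | Out-File -FilePath 'C:\Policies\packaged-apps.xml' -Encoding UTF8

# 3. Merge into the local policy instead of replacing it, so existing
#    desktop-app rule collections stay in place.
Set-AppLockerPolicy -XmlPolicy 'C:\Policies\packaged-apps.xml' -Merge

# 4. AppLocker enforces nothing while the Application Identity service is
#    stopped; a policy on a PC with AppIDSvc disabled is silently ignored.
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc

# 5. Test a decision against the effective policy before rolling it out:
#    would Everyone be allowed to run this path?
Get-AppLockerPolicy -Effective -Xml | Out-File 'C:\Policies\effective.xml' -Encoding UTF8
Test-AppLockerPolicy -XmlPolicy 'C:\Policies\effective.xml' -Path 'C:\Windows\System32\notepad.exe' -User Everyone
```

Before switching the packaged-app collection from audit to enforce, review the AppLocker event log (Microsoft-Windows-AppLocker/Packaged app-Execution): once any rule exists in a collection that is set to enforce, everything not explicitly allowed in that collection is blocked.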
SmartScreen
Starting with Internet Explorer 8, SmartScreen has helped protect you from malicious websites and from applications downloaded from the web, using SmartScreen's URL and application reputation services. To help protect people who use other web browsers, Windows 8.1 extends SmartScreen's application reputation service to the operating system itself. The first time you run an app that came from the Internet, regardless of which browser or mail client downloaded it, SmartScreen checks the application's reputation based on its digital signature, its hash, and other factors. Windows recognizes such files by the Zone.Identifier mark that the downloading program attaches; a file that arrives without that mark (for example, copied from a USB drive) is not checked. If the app lacks a reputation, or is known to be malicious, SmartScreen warns you or blocks execution entirely. If you trust the app, you can choose to run it anyway. For more information about SmartScreen, see SmartScreen Application Reputation.
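The following script, an added example rather than code from the original article, shows the two things that decide whether SmartScreen will look at a file on a Windows 8.1 PC: the machine-wide setting, and the Zone.Identifier mark on the file. The download path used at the end is hypothetical.

```powershell
# Added example (not from the original article): read the SmartScreen setting and
# the mark-of-the-web zone on a downloaded file. The sample path is hypothetical.

function Get-SmartScreenMode {
    # Windows 8.1 keeps the Explorer-level SmartScreen setting here:
    # RequireAdmin = warn and require admin approval, Prompt = warn only, Off = disabled.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer'
    (Get-ItemProperty -Path $key -Name SmartScreenEnabled -ErrorAction SilentlyContinue).SmartScreenEnabled
}

function Get-MarkOfTheWeb {
    param([Parameter(Mandatory)][string]$Path)
    # The Zone.Identifier alternate data stream exists only if the program that
    # saved the file wrote it. No stream means no SmartScreen check on first run.
    $stream = Get-Item -Path $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if (-not $stream) { return $null }
    # Zone IDs: 0 local machine, 1 intranet, 2 trusted sites, 3 Internet, 4 restricted sites
    Get-Content -Path $Path -Stream Zone.Identifier |
        Where-Object { $_ -match '^ZoneId=(\d)' } |
        ForEach-Object { [int]$Matches[1] } |
        Select-Object -First 1
}

$mode = Get-SmartScreenMode
if ($mode -eq 'Off') { Write-Warning 'SmartScreen application reputation is disabled on this PC.' }
else { "SmartScreen mode: $mode" }

$sample = "$env:USERPROFILE\Downloads\installer.exe"   # hypothetical downloaded file
$zone = Get-MarkOfTheWeb -Path $sample
if ($null -eq $zone) {
    "$sample has no mark of the web: SmartScreen will not evaluate it."
} elseif ($zone -ge 3) {
    "$sample came from zone $zone (Internet or restricted): SmartScreen checks its reputation on first run."
} else {
    "$sample came from zone $zone: treated as local or intranet content."
}

# The Authenticode signature is one of the reputation inputs; an unsigned
# binary can never inherit a publisher's reputation.
Get-AuthenticodeSignature -FilePath $sample |
    Select-Object Status, @{n='Signer'; e={ $_.SignerCertificate.Subject }}
```

Unblock-File removes the Zone.Identifier stream, which is exactly why it should be used only for files whose origin you have verified: it is the same as clicking through the SmartScreen warning for everyone who later runs that copy.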
Windows Defender
In Windows 8.1, Windows Defender has been upgraded from an antispyware tool to a full antimalware solution that detects and stops a wider range of malicious software, including viruses. It uses the same engine and signatures as Microsoft Security Essentials, so Windows 8.1 users no longer need that separate product. Although Windows Defender is intended mainly for unmanaged PCs, more and more people use their home PCs for work and to connect to the internal network, so it matters that Windows 8.1 ships with capable, free antimalware that is enabled by default. Installing a third-party antimalware product turns Windows Defender off so that the two do not conflict. For more information about Windows Defender, visit Protect your PC.
Low-level exploit mitigations
Windows 8.1 includes low-level improvements that make it harder for malware to gain unauthorized access to system resources. An improved Address Space Layout Randomization (ASLR) randomizes more regions (including heap and stack placement and, on 64-bit systems, a much larger address range), so an exploit cannot predict where Windows 8.1 or an app keeps its code and data. Apps are no longer allowed to map the lowest 64 KB of process memory, which defeats the classic technique of turning a NULL-pointer dereference into code execution. The Windows heap (which stores app data) has additional integrity checks on its metadata, so corrupting a heap block no longer reliably yields control of execution. Data Execution Prevention (DEP) is now required, since Windows 8.1 only installs on processors with hardware no-execute support, and the feature is easier for app developers to opt in to. Each of these low-level changes eliminates exploit techniques that malware has used in the past to gain higher privileges on PCs, and together they dramatically reduce the likelihood that a newly discovered vulnerability results in a working exploit.
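ASLR and DEP protect a process only if every module in it opted in at link time; one legacy DLL without the dynamic-base flag gives an exploit writer fixed addresses to work with. The following is an added example, not code from the original article, that reads the relevant PE optional-header flags directly so you can audit a vendor's binaries before deploying them on Windows 8.1. The folder it scans is hypothetical; the flag values are the published IMAGE_DLLCHARACTERISTICS_* constants.

```powershell
# Added example (not from the original article): report ASLR / DEP / high-entropy
# opt-in for PE files by parsing the optional header. Scanned folder is hypothetical.

function Get-PeMitigations {
    param([Parameter(Mandatory)][string]$Path)

    $bytes = [System.IO.File]::ReadAllBytes($Path)
    if ($bytes.Length -lt 0x40 -or $bytes[0] -ne 0x4D -or $bytes[1] -ne 0x5A) {
        throw "$Path is not a PE file (no MZ header)"
    }

    # e_lfanew at 0x3C points at "PE\0\0"; the 20-byte COFF header follows, then the optional header.
    $peOffset = [BitConverter]::ToInt32($bytes, 0x3C)
    if ([BitConverter]::ToUInt32($bytes, $peOffset) -ne 0x00004550) { throw "$Path has no PE signature" }
    $optHeader = $peOffset + 4 + 20

    $magic    = [BitConverter]::ToUInt16($bytes, $optHeader)        # 0x10B = PE32, 0x20B = PE32+
    $dllChars = [BitConverter]::ToUInt16($bytes, $optHeader + 70)   # DllCharacteristics: same offset in both layouts

    [pscustomobject]@{
        Path          = $Path
        Is64Bit       = ($magic -eq 0x20B)
        ASLR          = [bool]($dllChars -band 0x0040)   # IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE (/DYNAMICBASE)
        HighEntropyVA = [bool]($dllChars -band 0x0020)   # IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA (64-bit, Windows 8+)
        DEP           = [bool]($dllChars -band 0x0100)   # IMAGE_DLLCHARACTERISTICS_NX_COMPAT (/NXCOMPAT)
    }
}

# Audit a folder and list only the binaries that would weaken ASLR or DEP for any
# process that loads them. 64-bit binaries without HighEntropyVA get only the
# weaker 32-bit-style randomization even on Windows 8.1.
Get-ChildItem -Path 'C:\Program Files\Contoso' -Include *.exe, *.dll -Recurse |   # hypothetical vendor folder
    ForEach-Object { Get-PeMitigations -Path $_.FullName } |
    Where-Object { -not $_.ASLR -or -not $_.DEP -or ($_.Is64Bit -and -not $_.HighEntropyVA) } |
    Format-Table Path, Is64Bit, ASLR, HighEntropyVA, DEP -AutoSize
```

A binary that fails this check is a candidate for the vendor to relink with /DYNAMICBASE and /NXCOMPAT (and /HIGHENTROPYVA for 64-bit builds); on a Windows 8.1 PC you can also force ASLR for non-opted-in images through the mitigation policy, at the cost of breaking modules that assume a fixed load address.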
Windows 8.1 gives you control over the software that runs on your PCs. Malware risk drops sharply because known exploit techniques have been eliminated and new ones are harder to develop. Bootkits and rootkits are far harder to install and far easier to detect, and in the increasingly unlikely event of a malware intrusion, Windows is better able to detect and remove it. For your organization, this means improved client uptime, reduced support costs, and reduced security risk.
Pervasive device encryption
When users go mobile, they take your organization’s confidential data with them. BitLocker has been your solution for encrypting that confidential data, and Windows 8.1 improves BitLocker by simplifying provisioning and compliance management of encrypted devices on a variety of PC form factors and storage technologies. See What's New in BitLocker for more detailed information about the following improvements that Windows 8.1 makes to BitLocker:
Encrypted hard drive support
BitLocker in Windows 8.1 supports a new type of hard drive: the Encrypted Hard Drive, a self-encrypting drive built on the TCG Opal storage specification. When a PC is equipped with an Encrypted Hard Drive, BitLocker offloads the cryptography to the drive's own controller. The media is already encrypted in hardware, so turning on BitLocker only provisions the key and takes effect immediately, and desktop performance improves because the PC's processor no longer does the encryption. Security can be stronger, too, because the media encryption key never leaves the drive. In short, Windows 8.1 PCs with an Encrypted Hard Drive give you drive encryption without a performance penalty or extra management overhead.
Deploy with Windows Preinstallation Environment (WinPE)
With Windows 8.1, you can turn on BitLocker and initialize the TPM from within the Windows Preinstallation Environment (WinPE) before installing Windows, without any end-user interaction. Because Windows is not installed yet and the drive is nearly empty, enabling BitLocker takes only a few seconds. A volume pre-provisioned this way is protected only by a clear key, so add a TPM or TPM-and-PIN protector once Windows is installed; until then the drive is encrypted but does not require authentication to unlock.
Used disk space only encryption
BitLocker in earlier Windows versions could take a long time to encrypt a drive, because it encrypted every byte on the volume, including space that held no data. For new PCs, encrypting the unused portion of a disk is wasted time, so BitLocker in Windows 8.1 lets you choose to encrypt only the used space. This can reduce encryption and provisioning time by several hours. Use this option only on new or freshly wiped drives: on a drive that previously held data, free space can still contain recoverable remnants of deleted files, and used-space-only encryption leaves those in plaintext.
Standard user PIN and password change
With Windows 8.1, standard users can change their own BitLocker PINs and passwords without opening a help-desk ticket (unless you enable the Group Policy setting "Disallow standard users from changing the PIN or password"). Not only does this reduce support costs, it can improve security too, because users can change their PINs and passwords more often.
Network Unlock
Requiring a user to type a PIN to start a BitLocker-protected PC helps ensure that the PC is in the hands of an authorized user. However, it prevents PCs from restarting unattended, which is a problem when you install apps and updates after hours: the PCs restart automatically but then wait at the pre-boot prompt for someone to type the PIN. Network Unlock lets BitLocker-protected PCs start automatically when connected to your wired corporate network, where a Windows Deployment Services server with the Network Unlock feature answers the firmware's request with the key material. It requires UEFI firmware with a DHCP-capable network driver, a TPM-and-PIN protector on the client, and the Network Unlock certificate distributed by Group Policy. Whenever the PC is not on that network, a user must still type the PIN to unlock the drive. For more information, see BitLocker: How to enable Network Unlock.
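The BitLocker improvements above fit together into one provisioning sequence. The following is an added example, not code from the original article, that enables BitLocker on the OS drive with used-space-only encryption and a TPM-and-PIN protector, escrows the recovery password to Active Directory first, and leaves the standard-user PIN change policy explicit. It assumes the BitLocker module cmdlets from Windows 8.1, a domain-joined PC with a ready TPM, a Group Policy that permits backing up recovery information to AD DS, and that the registry value name used for the PIN-change policy is the one that Group Policy setting writes. Run it in an elevated session.

```powershell
# Added example (not from the original article): Windows 8.1 BitLocker provisioning.
# Assumptions: BitLocker module cmdlets, domain-joined PC, ready TPM, AD DS backup
# of recovery information allowed by policy, DisallowStandardUserPINReset is the
# registry value behind "Disallow standard users from changing the PIN or password".

Import-Module BitLocker

$os = Get-BitLockerVolume -MountPoint 'C:'
if ($os.VolumeStatus -ne 'FullyDecrypted') { throw "C: is already $($os.VolumeStatus); nothing to do." }

$tpm = Get-Tpm
if (-not $tpm.TpmReady) { throw 'TPM is not ready; run Initialize-Tpm before adding a TPM protector.' }

# 1. Recovery password first and escrowed to AD, so a forgotten PIN never means a lost disk.
Add-BitLockerKeyProtector -MountPoint 'C:' -RecoveryPasswordProtector | Out-Null
$recovery = (Get-BitLockerVolume -MountPoint 'C:').KeyProtector |
            Where-Object KeyProtectorType -eq 'RecoveryPassword'
Backup-BitLockerKeyProtector -MountPoint 'C:' -KeyProtectorId $recovery.KeyProtectorId

# 2. TPM+PIN and used-space-only. The TPM seals the volume key to the measured boot
#    state; the PIN stops someone who has the PC from simply booting it. Network
#    Unlock can later add an automatic unlock path on the wired corporate network.
$pin = Read-Host -Prompt 'Initial PIN (the user can change it later)' -AsSecureString
Enable-BitLocker -MountPoint 'C:' -EncryptionMethod Aes256 -UsedSpaceOnly `
    -TpmAndPinProtector -Pin $pin -SkipHardwareTest

# 3. Standard users may change their own PIN (0 is the default; 1 forces a help-desk call).
#    Written explicitly so the setting is visible in audits.
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
if (-not (Test-Path $fve)) { New-Item -Path $fve -Force | Out-Null }
Set-ItemProperty -Path $fve -Name DisallowStandardUserPINReset -Value 0 -Type DWord

# 4. Verify: protectors present, encryption in progress, protection on.
Get-BitLockerVolume -MountPoint 'C:' |
    Select-Object MountPoint, VolumeStatus, EncryptionPercentage, ProtectionStatus,
                  @{n='Protectors'; e={ ($_.KeyProtector | ForEach-Object KeyProtectorType) -join ', ' }}
```

For the WinPE pre-provisioning case described above, the equivalent step inside WinPE is manage-bde -on C: -used, which creates the clear-key protector; the TPM-and-PIN protector and the AD escrow from this script are then applied in the first boot of the installed OS.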
Each Windows version has improved on BitLocker, and Windows 8.1 is no exception. As a result of these improvements, you can more easily provision and manage BitLocker on your Windows 8.1 PCs.
Note: Part of the Microsoft Desktop Optimization Pack, Microsoft BitLocker Administration and Monitoring (MBAM) makes it simple to manage and support BitLocker and BitLocker To Go. MBAM 2.0 adds several features that take advantage of the new Windows 8.1 BitLocker features, provide self-service to users, maintain compliance, and integrate MBAM with your existing management tools, such as System Center Configuration Manager. For more information about MBAM, see Microsoft BitLocker Administration and Monitoring.
Modern access control
Modern users aren’t tied to a desk. They are mobile, and their mobility helps them be responsive and productive. However, modern users need modern access control, which Windows 8.1 provides while increasing data security within the enterprise. In particular, we recommend you explore the following:
Virtual smart cards
Smart cards provide strong multifactor authentication by requiring users to authenticate with a smart card (something they have) and a PIN (something they know). With virtual smart cards, Windows 8.1 generates the smart card's private key inside the PC's TPM, where it is protected and from which it never leaves; in effect the PC becomes the smart card. The user still needs to type a PIN, but no longer needs to insert a physical card or carry a reader, and there is one less item to lose or forget. The TPM also enforces anti-hammering, so repeated wrong PINs lock the virtual card rather than allowing a guessing attack. Because users still need the specific PC that holds their key (something they have) and a PIN (something they know), virtual smart cards can satisfy two-factor authentication requirements for some scenarios, including remote access. For more information about virtual smart cards, see Understanding and Evaluating Virtual Smart Cards.
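Creating a virtual smart card and enrolling a logon certificate on it takes a few commands. The following is an added example, not code from the original article; it assumes an enterprise CA that publishes a smart-card logon template named ContosoSmartcardLogon (a hypothetical name), an elevated session on the Windows 8.1 PC, and that the user sets the PIN interactively.

```powershell
# Added example (not from the original article): create a TPM virtual smart card,
# confirm Windows sees it as a smart card, enroll a logon certificate on it.
# Assumptions: elevated session; hypothetical CA template "ContosoSmartcardLogon".

# 1. Create the card. Keys generated on it live inside the TPM. The admin key is
#    what permits a later PIN unblock: RANDOM means nobody can reset this card,
#    which is fine for a lab but not for a fleet; use /adminkey PROMPT and escrow
#    the value if the help desk must be able to unblock users.
tpmvscmgr.exe create /name "Contoso VSC" /pin PROMPT /adminkey RANDOM /generate
if ($LASTEXITCODE -ne 0) { throw "tpmvscmgr failed with exit code $LASTEXITCODE" }

# 2. To Windows it now looks like a physical card sitting in a reader.
certutil.exe -scinfo -silent | Select-String -Pattern 'Provider|Card|Reader'

# 3. Request a certificate from the smart-card logon template. The key pair is
#    created on the virtual card, so the CA sees an ordinary smart-card request.
certreq.exe -enroll -user -q ContosoSmartcardLogon
if ($LASTEXITCODE -ne 0) { throw "Enrollment failed with exit code $LASTEXITCODE" }

# 4. Verify the logon certificate is present with a private key; the Certificate
#    Propagation service copies card certificates into the user's My store.
Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.HasPrivateKey -and $_.EnhancedKeyUsageList.FriendlyName -contains 'Smart Card Logon' } |
    Select-Object Subject, NotAfter, Thumbprint
```

A virtual smart card is bound to one TPM, so a user with two PCs needs two cards and two certificates, and a replaced motherboard means re-enrollment; plan the certificate lifecycle around that rather than around a single physical token.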
Picture password
It can be hard to type a password on a touch screen because you cannot see the characters as you type them. In Windows 8.1, picture passwords provide a touch-friendly way to sign in to your device. Instead of typing a password, users draw a combination of three gestures (taps, lines, or circles) on points of interest in a picture of their choice; the position, direction, and order of the gestures all have to match. Most pictures allow millions of distinct gesture combinations, which makes the technique secure enough for many organizations, although a picture password is easier to shoulder-surf than a typed one and you can disable it for domain accounts with the "Turn off picture password sign-in" Group Policy setting. If users forget their picture password, they can type their conventional password to sign in instead. See the blog post Signing in with a picture password to learn more about picture passwords.
DirectAccess
DirectAccess keeps your users securely connected to your internal network whenever they have an Internet connection. If they have Internet access, they can reach internal email, files, and apps, and IT can manage their PCs, without the user starting a VPN. With Windows Server 2012 and Windows 8.1 Enterprise, it is almost that simple for IT: the Getting Started Wizard configures a DirectAccess infrastructure in a few steps, even if your network uses Network Address Translation (NAT) and IPv4 only. With additional configuration, DirectAccess can also support clients running Windows 7. For more information about DirectAccess, see Work Smart: Connecting Remotely Using Windows 8 DirectAccess.
Dynamic Access Control
With Windows Server 2012 and Windows 8.1, you can use Dynamic Access Control to control access to shares, folders, and files based on policy rules rather than on static user lists and security groups. You can create policies that allow or deny access based on combinations of user claims, device claims, and file classification properties. To compare the two access control methods, imagine how you might restrict access to confidential personnel records:
- File permissions. You restrict files and folders so that only members of the Human Resources security group can access them. IT needs to maintain the group membership over time.
- Dynamic Access Control. You create a policy that allows only members of the Human Resources organization with the required security clearance to access confidential personnel records containing Personally Identifiable Information (PII), and only from secured, on-premises PCs. IT maintains the Active Directory attributes of users and computers (department, clearance, device properties) and the classification of the files, which most organizations already do; the rule itself does not change as people move between teams.
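The Dynamic Access Control version of that personnel-records policy looks like this in PowerShell. It is an added example, not code from the original article. Steps 1 to 4 run on a Windows Server 2012 domain controller with the ActiveDirectory module; step 5 runs on the file server. The claim and resource-property IDs are chosen here, "HR" is assumed to be the value of the department attribute for HR staff, D:\PersonnelRecords is a hypothetical share path, and the way a claim is referenced inside the conditional ACE follows the documented @USER.<claim ID> form and should be checked against the claim IDs in your forest before you rely on it.

```powershell
# Added example (not from the original article): DAC policy for HR personnel records.
# Assumptions: Server 2012 DC with ActiveDirectory module; claim/property IDs chosen
# here; department attribute holds "HR"; D:\PersonnelRecords is hypothetical;
# conditional-ACE claim syntax verified against your own claim IDs.

Import-Module ActiveDirectory

# 1. A user claim sourced from the "department" attribute. (A device claim for
#    "secured, on-premises PC" is built the same way against computer objects.)
New-ADClaimType -DisplayName 'Department' -SourceAttribute 'department' `
    -ID 'ad://ext/Department' -AppliesToClasses @('user')

# 2. A resource property that classifies files as containing PII or not.
$yes = New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry('Yes', 'Yes', 'Contains PII')
$no  = New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry('No',  'No',  'No PII')
New-ADResourceProperty -DisplayName 'PII' -ID 'PII_Contoso' -IsSecured $true `
    -ResourcePropertyValueType 'MS-DS-SinglevaluedChoice' -SuggestedValues $yes, $no
Add-ADResourcePropertyListMember -Identity 'Global Resource Property List' -Members 'PII_Contoso'

# 3. The central access rule: targets files classified PII=Yes; owner, admins and
#    SYSTEM keep full control; Authenticated Users get read (0x1200a9) only when
#    their Department claim equals "HR". The claim is referenced by its ID.
$acl = 'O:SYG:SYD:AR(A;;FA;;;OW)(A;;FA;;;BA)(A;;FA;;;SY)' +
       '(XA;;0x1200a9;;;AU;(@USER.ad://ext/Department == "HR"))'
New-ADCentralAccessRule -Name 'HR records: PII' `
    -ResourceCondition '(@RESOURCE.PII_Contoso == "Yes")' -CurrentAcl $acl

# 4. Wrap the rule in a central access policy. Publish the policy to file servers
#    through Group Policy (Computer Configuration > Windows Settings > Security
#    Settings > File System > Central Access Policy).
New-ADCentralAccessPolicy -Name 'Personnel Records Policy'
Add-ADCentralAccessPolicyMember -Identity 'Personnel Records Policy' -Members 'HR records: PII'

# 5. On the file server, after the GPO has applied: pull the property definition
#    down from AD and bind the policy to the share folder. Files still need to be
#    classified PII=Yes (manually or by an FSRM classification rule) to match.
Update-FSRMClassificationPropertyDefinition
$folder = 'D:\PersonnelRecords'
$aclObj = Get-Acl -Path $folder
Set-Acl -Path $folder -AclObject $aclObj -CentralAccessPolicy 'Personnel Records Policy'
```

Two prerequisites are easy to miss: the domain controllers must have the "KDC support for claims, compound authentication and Kerberos armoring" policy enabled so that claims are issued in Kerberos tickets, and if the rule also uses device claims, the Windows 8.1 clients need the matching Kerberos client policy so that they present compound (user plus device) identity. Without them the conditional ACE silently evaluates as not matching and users are denied.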
To recap, Windows 8.1 modernizes access control to help you provision strong multifactor authentication and manage access to resources with less cost and less impact on end users. Virtual smart cards make multifactor authentication easier to use and deploy. PCs can be secure, always connected, and always managed from anywhere with the DirectAccess improvements in Windows 8.1 and Windows Server 2012. Finally, Dynamic Access Control in Windows 8.1 and Windows Server 2012 provides an access control option that adapts automatically to changing environments.
Security is a top feature area in every Windows release, and Windows 8.1 is no exception. The improvements to malware resistance in Windows 8.1 are substantial and provide protection right out of the box. Modern access control helps you manage resource access and provide always-on access to healthy, secure PCs in changing environments. Last, the improvements Windows 8.1 makes to BitLocker help you provision drive encryption across the enterprise more easily and quickly. Are you interested in learning more about how Windows 8.1 can help improve security in your enterprise? See Secure Windows 8.1 in the TechNet Library.
Additional resources
- Windows 8 Enterprise Evaluation
- Windows 8 security solutions
- BitLocker FAQ
- Try it out: encrypting used space only
- AppLocker step-by-step guide
- MBAM resource zone
- Windows 8 Remote Access overview
- Understanding and evaluating virtual smart cards