December 19, 2012 11:09 am

The Unsung Hero: Windows 8 Security

We’ve shared a lot on this blog about the business features and value of Windows 8, including stories from some of the early adopters who are taking advantage of Windows 8 in a lot of ways, from tablets to apps, to Windows To Go. Security has been mentioned in almost every one of these instances, but we haven’t gone into great detail; so today I’d like to provide you with a deeper dive on the investments we’ve made in Windows 8 security. In the weeks and months to come, I’ll continue to share more information on the features within these investment areas as well, so stay tuned!

For several generations of Windows, we’ve made security a top priority, and while Windows 7 represented our most secure version of Windows at the time, there were still more improvements that could be made. We had to improve on what we’d delivered in the past and we needed to innovate to address new and emerging threats. With Windows 8, security remains a high priority investment area and with it we’ve delivered a broad range of new capabilities that address the top security needs and threats that you’re facing today, including:

  • Malware’s ability to compromise core operating system and antimalware components.
  • Complexities related to efficiently protecting corporate data with encryption.
  • High cost of deploying, using, and managing strong multifactor authentication.
  • Challenges of managing access control in dynamic and constantly changing environments.

Malware Resistance

Delivering products that are resistant to malware requires the use of a process such as the Security Development Lifecycle (SDL), which helps ensure that the best security design, development, and testing practices are used. All software that ships from Microsoft uses this process, and we’re proud of the impact that it’s made, which can be seen in Kaspersky Lab’s recent Q3 2012 IT threat report detailing how Microsoft products are not listed amongst the top 10 products with vulnerabilities. We think this is a remarkable achievement given the broad customer base of a product like Windows.

We’ve made significant investments in Windows 8 to make sure that even if a vulnerability is discovered, the likelihood of a successful attack will have been minimized, if not eliminated. Security researchers who evaluated the Windows 8 Release Preview and spoke at Black Hat in July had some pretty impressive things to say about the progress that we’ve made in Windows 8. For instance, one senior researcher stated that the improvements made between Windows 7 and Windows 8 are as significant as those made between Windows XP and Windows 7.

In addition to making the system less vulnerable to exploitation, we’ve also redesigned some aspects of Windows 8 to be completely immune to malware. Bootkits and rootkits, notorious types of malware that have the ability to take over a PC while remaining hidden from the system and the antimalware solution, have literally been designed out of the architecture with Windows 8 features like Secure and Trusted Boot.

While Secure and Trusted Boot eliminate some of the most dangerous types of malware, they aren’t meant to provide comprehensive protection and thus need to be paired with a high-quality antimalware software solution. We believe in this so strongly that we’ve included a significantly improved version of Windows Defender in every edition of Windows 8. Windows Defender will help protect you from all types of malware, including viruses, worms, bots and rootkits, by using the complete set of malware signatures from the Microsoft Malware Protection Center.

Protecting Corporate Data

Protecting corporate data is a top concern for customers, and many of you know that provisioning and managing encryption on devices, regardless of vendor, is a huge challenge. One of the biggest challenges is the sheer amount of time it takes to provision encryption on the device. It can take hours, and in the case of some third-party solutions, it can even block end user productivity while the encryption process is taking place.

In Windows 8, we wanted to make sure that our encryption solutions, including BitLocker and BitLocker to Go, are the fastest options to provision and that they never get in the way of the end user. To enable this, Windows 8 includes Data Only Encryption, which allows BitLocker to encrypt just the portions of the disk that contain data. This can reduce encryption times from hours to minutes in many cases. Data Only Encryption is a great enhancement, but wouldn’t it be great if provisioning encryption didn’t take any time? Encrypted Hard Drives, a new type of Self-Encrypting Drive (SED), will do just that. In this case, the drive provides onboard hardware assisted encryption and protecting the drive with BitLocker takes just a few seconds, if that.
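As an added illustration (not code from the original post), the following elevated PowerShell session provisions BitLocker on the operating system drive using the used-space-only mode the post calls Data Only Encryption, driven by the Windows 8 `manage-bde` tool and the `Get-Tpm` cmdlet. The drive letter is a placeholder; the sequence assumes a machine with a ready TPM and no existing BitLocker protectors on the volume.

```powershell
# Added example, not part of the original post. Run from an elevated PowerShell
# prompt on Windows 8. C: is a placeholder for the operating system volume.

# 1. The TPM must be present and ready; the TPM protector added below fails otherwise.
Get-Tpm

# 2. Add key protectors before turning encryption on. The TPM unseals the volume
#    key at boot; the recovery password is the fallback if TPM measurements change
#    (firmware update, boot order change), so escrow it (AD or a password vault).
manage-bde -protectors -add C: -TPM
manage-bde -protectors -add C: -RecoveryPassword

# 3. Encrypt only the sectors currently holding data. Free space is skipped, which
#    is what turns an hours-long conversion into minutes on a fresh install.
manage-bde -on C: -UsedSpaceOnly

# 4. Track progress. "Conversion Status" and "Percentage Encrypted" report how far
#    along the volume is; "Protection Status" flips to On once conversion starts.
manage-bde -status C:
```

One caveat worth knowing before choosing this mode: used-space-only encryption leaves free space untouched, so on a drive that previously held data, remnants of deleted files in unallocated sectors remain in cleartext. It is the right choice for new deployments; for a drive with history, omit `-UsedSpaceOnly` and accept the longer full-volume conversion.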

Modernizing Authentication and Access Control

Deploying strong multi-factor authentication in organizations is either perpetually on the wish list or, if it’s deployed, it’s used in limited scenarios. Customers face many challenges when deploying strong multi-factor authentication today, including the provisioning process, its cost, and support. To address these challenges, we’ve delivered a new authentication form factor that we call the Virtual Smart Card. Virtual Smart Cards literally turn your TPM-enabled PC into a smart card, and because it’s all implemented in software it’s easy to deploy and manage. This technology is going to make strong multi-factor authentication cheap and mainstream rather than an expensive luxury!

The model for access control has been the same for as long as anyone can remember. You have an object that you want to secure and a list of users that should have access to it. The challenge with this model is that it’s based on static lists that need to be managed, and with dynamic organizations that are constantly changing, keeping up to date with the changes is a near impossible task. With Windows 8 and Server 2012, we wanted to create the conditions where access control can automatically stay up to date with organizational changes. To do this, we’ve delivered a new feature called Dynamic Access Control (DAC), which lets access to resources be controlled through rules that operate on user and device properties (e.g. department, location, title, access level, etc.). Imagine easily creating a rule that indicates that all users from the United States Finance department who are Directors have access to quarterly progress reports. You can do that with DAC!
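To show what the Finance Directors rule above looks like in practice, here is an added example (not from the original post) that expresses it as a Central Access Rule using the Windows Server 2012 ActiveDirectory PowerShell module. The claim type IDs, rule and policy names are illustrative placeholders chosen for readability; the `Department_MS` resource property is the built-in one shipped with Server 2012.

```powershell
# Added example, not part of the original post. Assumes Windows Server 2012 with the
# ActiveDirectory module, run by a domain administrator. Claim type IDs and names
# below are placeholders.
Import-Module ActiveDirectory

# 1. Publish the user attributes the rule depends on as claim types so the KDC can
#    place them in the user's Kerberos ticket. Without -ID, AD generates one of the
#    form ad://ext/<name>:<random>; fixed IDs keep the SDDL below readable.
New-ADClaimType -DisplayName 'Department' -SourceAttribute 'department' -ID 'ad://ext/Department' -Enabled $true
New-ADClaimType -DisplayName 'Title'      -SourceAttribute 'title'      -ID 'ad://ext/Title'      -Enabled $true
New-ADClaimType -DisplayName 'Country'    -SourceAttribute 'c'          -ID 'ad://ext/Country'    -Enabled $true

# 2. The access rule itself is a conditional ACE in SDDL. 'XA' is the conditional
#    (callback) allow ACE type, 'FR' is FILE_GENERIC_READ and 'AU' is Authenticated
#    Users; the trailing expression narrows that grant to the claims we care about,
#    so nobody maintains a "US Finance Directors" group by hand.
$condition = '(@USER.ad://ext/Department == "Finance") && ' +
             '(@USER.ad://ext/Title == "Director") && ' +
             '(@USER.ad://ext/Country == "US")'
$currentAcl = "D:(XA;;FR;;;AU;($condition))"

# 3. Scope the rule to resources classified as Finance data. The folder holding the
#    quarterly reports must be classified with Department = Finance for this to match.
New-ADCentralAccessRule -Name 'Finance Directors - Quarterly Reports' `
    -Description 'US Finance Directors may read Finance-classified reports' `
    -ResourceCondition '(@RESOURCE.Department_MS == "Finance")' `
    -CurrentAcl $currentAcl

# 4. Bundle the rule into a Central Access Policy that Group Policy delivers to
#    file servers; the policy is then selected per folder in Advanced Security Settings.
New-ADCentralAccessPolicy -Name 'Finance Reports Policy' `
    -Description 'Central access policy for Finance report shares'
Add-ADCentralAccessPolicyMember -Identity 'Finance Reports Policy' `
    -Members 'Finance Directors - Quarterly Reports'
```

Two points a practitioner should keep in mind. A central access policy is an additional gate, not a replacement: effective access is the intersection of the share permissions, the NTFS ACL and the central policy, so the folder's own ACL still has to allow Finance users in. And because a rule change can lock people out across every server the policy reaches, stage it first by supplying the new ACE through `-ProposedAcl` and reviewing the resulting audit events before promoting it to the current ACL.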

I hope that these details on the three key investment areas for Windows 8 security are in alignment with some of the top security needs that you have within your organization. Stay tuned for more info on the security features within these areas. In the meantime, I recommend you download and begin your evaluation of Windows 8 if you haven’t done so already. I think you’ll enjoy experiencing Windows reimagined and appreciate the great security improvements that we’ve delivered.

Updated November 8, 2014 1:17 am