Initial Thoughts on Windows 8 Security
Paul Henry - November 19th, 2012
While not an all-encompassing review of the security features available in Windows 8, this post takes a quick look at some of the more noteworthy capabilities in this latest iteration from Microsoft.
Windows 8 Base Security Features
Windows Defender has evolved from a spyware product to a relatively good malware defense product. Naturally, a commercial AV vendor recently tried to take Windows Defender to task. They claimed in their testing Windows Defender allowed 16% of malware to infect a Windows 8 PC. We all know that signature-based AV is obsolete so I took a quick look at the AV Comparatives testing on AV for heuristic detection, which goes well beyond traditional signature-based AV, and found several commercial product vendors that fell well below the effectiveness of Windows Defender. In fact 13 out of 17 products tested only equaled or were below the protections for heuristic detection of Windows Defender. Even when adding behavioral protection into the mix, Windows Defender still beat the performance of 4 of the 17 well-established commercial products tested. For a new offering right out of the gate, Windows Defender is sure to raise the bar in AV product offerings.
With that being said though, you really need to look at the bigger picture – even a solution that affords the capability to block 99% of malware is still not an effective solution in an environment where we are seeing 75,000 new malicious programs every day and a database of known unique instances of malware that has now exceeded 90,000,000 malware instances. Do the math. Even with 99% effectiveness, 750 pieces of malware (1% of 75,000) will get through undetected every day and you are still potentially exposed to the 900,000 unique instances of malware (1% of 90,000,000).
Bottom line: Windows Defender, as a free product from Microsoft, is poised to offer better protection than many commercial AV products but it shouldn’t be your only defense.
UEFI – Secure Boot
In Windows 8, your traditional BIOS has now been replaced with UEFI, the Unified Extensible Firmware Interface. While UEFI alone is not controversial, one of its features called “Secure Boot” certainly is. Secure Boot prevents a computer from booting into an operating system unless the boot loader code is digitally signed with a certificate derived from a key stored in the UEFI firmware. This digital signature allows the UEFI firmware to verify that the boot loader code it reads from the disk into memory is in fact from a trusted source before allowing the processor to execute it. This effectively mitigates the risk of a malicious “boot-kit” being run on boot to facilitate persistent malware. In considering the security aspects of Secure Boot you must consider that hackers have stolen digital certificates in the past and those certificates have been used to successfully sign malware. So with that line of thinking, the jury is still out on the UEFI Secure Boot benefits.
Improvements to ASLR & DEP and an introduction to App Sandboxing and SMEP
Windows 8 also includes improvements to Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP). ASLR ensures that the address space of a process is randomized, thereby making it more difficult to predict the location of code within memory while DEP prevents data from being executed. The improvements to ASLR & DEP are combined with the new Windows 8 application sandboxing capability that effectively limits the access of a compromised application. This feature means the bad guys will be fighting an uphill battle to deliver effective exploits for Windows 8.
It is also worth noting there are other new mitigations in the kernel that go well beyond just improvements to ASLR & DEP. New integrity checks in the kernel and improvements with randomization using a similar approach are also new mitigations in Windows 8.
One of the issues with ASLR & DEP of course is that you have to rely on the programmer writing an application to actually turn them on. In Windows 8, the capability to literally mark data in memory as “non-executable” is a great step forward. However, it means Windows 8 can run only on a CPU that supports this “NX” capability to mark data in memory as non-executable.
Another interesting new security feature built into Windows 8 is support for “Supervisor Mode Execution Protection” (SMEP). It is supported on today’s Intel Ivy Bridge CPUs and because, from the kernel’s point of view, user pages are only for data, it can effectively stop an Ivy Bridge CPU running Windows 8 from executing, while in supervisor mode, any memory pages that are marked as ‘user’ rather than ‘kernel’. This is another security feature that will likely complicate the development of reliable and repeatable malware.
Windows 8 Pro Version Security Features
BitLocker has a new BitLocker To Go capability that allows the encryption key for BitLocker to be saved in the user’s SkyDrive account.
Domain membership and Group Policy Objects
You need to have the Pro version of Windows 8 to join a domain and take advantage of Group Policy Objects. This is the big differentiator between the basic consumer version of Windows 8 and the business-oriented Pro version of Windows 8. There are several new policies that have been introduced in Windows 8 Pro. Here is a sampling of some of the newly introduced policies:
- Assign default domain for login
- Turn off PIN login and picture password login
- Exclude external credential providers
- Do not process the legacy run list
- Do not process the run once list
- Turn off App Notifications on the lock screen
- Turn off Windows Startup Sound
- Do not enumerate connected users on domain joined computers
- Enumerate local users on domain joined computers
- Hide entry points for Fast User Switching
- Always use classic login
First introduced in Windows 7, AppLocker is Microsoft’s application control solution. It works with either blacklists or whitelists of applications. With AppLocker, an administrator can create policies that restrict or allow specific applications from being installed or run by users. In the Windows 8 version, AppLocker has now evolved to manage both the traditional desktop applications and the new Metro apps. While it is perhaps not as comprehensive as other Whitelisting / Application Control solutions, it is a step in the right direction. One of the biggest and most glaring differentiators between the Microsoft AppLocker solution and other current generation Whitelisting / Application controls is the lack of support for a Trust Model for their products or third-party applications. This is important to help reduce the administrative burden of both the implementation and ongoing maintenance of an effective Whitelisting / Application Control solution enterprise wide.
Windows To Go
Not to be left out of the current wave in the ongoing Bring Your Own Device (BYOD) mania, Windows 8 supports “Windows To Go”. Administrators can now build a corporate image of Windows 8 that can be provisioned on a 32 GB USB stick. The Windows To Go USB stick can then be booted from any x64 PC at any location whether the PC is connected to the enterprise network or not. Again this is a corporate defined image that can include the full complement of Windows 8 security features so the administrator effectively has full control of the user’s USB-booted endpoint device.
Clearly the security enhancements in Windows 8 will make life more difficult for malware writers. More importantly – it does so without the many issues users faced in the initial roll-out of Windows Vista. Moving to a common “Look & Feel” for the Microsoft Phone, Tablets and PC operating systems is a smart move for Microsoft and potentially will result in fewer user (mistake) related issues.
Combining this latest OS release from Microsoft with current generation whitelisting & application control will provide unprecedented risk mitigation across the enterprise.