According to Microsoft product documentation, Windows 8 and Windows 8.1 are more secure than their predecessors and significantly more effective at preventing malware infections.
The question is: how are Windows 8 and Windows 8.1 more secure than their predecessors?
The answer is that Windows 8.1 enables crucial protection features in different forms and layers, such as hardware-based and network-based protection. Typically the layers can be categorized as:
Hardware based – (UEFI, TPM, biometrics)
Secure boot process – (Secure Boot, ELAM, Trusted Boot and Measured Boot)
Secure sign-in process – (biometrics and VSC)
Malware protection – (ASLR and DEP)
Internet Explorer – (EPM, SmartScreen and phishing protection)
Data security on devices – (Device Encryption, BitLocker and remote business data removal)
Hardware based protection:
One of the most basic protections starts with the hardware itself. Hardware-based security has three main features:
Unified Extensible Firmware Interface (UEFI): UEFI offers the Secure Boot capability and provides support for self-encrypting drives.
Trusted Platform Module (TPM): The TPM is a hardware chip that supports high-level encryption and prevents tampering with, or unauthorised export of, certificates and encryption keys. The TPM can perform cryptographic operations and store keys for BitLocker volumes and virtual smart cards. The TPM by itself does not provide maximum security for a Windows 8.1 system, but its presence enables several key Windows 8.1 features, including BitLocker Drive Encryption, virtual smart cards and Measured Boot.
Extended support for biometric devices: One way of overcoming the weaknesses of passwords is to use biometric information, typically from a fingerprint reader. Even though Windows has had biometric support since Windows XP, this feature has improved in Windows 8.1.
Secure boot process:
In Windows 8.1, security starts at the very beginning of the boot process. The most aggressive forms of malware try to compromise the system as early as possible in the boot process so that they can take control of the system before antimalware software starts. The best way to avoid this type of compromise is to secure the boot process so that it is protected from the very start. Windows 8.1 supports multiple layers of boot protection, depending on the hardware type and the features it offers.
Some of the key features of the Windows 8.1 secure boot process are:
Secure Boot: This is a basic protection that is a standard part of the UEFI architecture. Where UEFI-capable hardware is available and Secure Boot is enabled, the system can boot using only an OS loader that is signed with a certificate stored in the UEFI firmware.
Early Launch Antimalware (ELAM): Antimalware software that is compatible with the advanced security features in Windows 8 and 8.1 can be certified and signed by Microsoft so that it can be launched early in the boot process. Windows Defender (now part of Windows 8.1) supports this feature.
Trusted Boot: The Trusted Boot feature verifies that all Windows boot components have integrity and can be trusted. The boot loader verifies the digital signature of the kernel before loading it.
Measured Boot: This feature requires the presence of a TPM on the Windows 8.1 device. Measured Boot takes measurements of the UEFI firmware and of each of the Windows and antimalware components as they load during the boot process. When these measurements are complete, their values are digitally signed and stored securely in the TPM, and cannot be changed unless the system is reset. During each subsequent boot the same components are measured, allowing the current values to be compared with those held in the TPM.
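The hardware and boot-chain protections described in the two sections above (Secure Boot, TPM, Measured Boot and ELAM) can be checked from PowerShell. This is an added example, not code from the original post; it assumes a Windows 8.1 machine, an elevated prompt, and the in-box Get-Tpm and Confirm-SecureBootUEFI cmdlets.

```powershell
# Added example (not from the original post): report the hardware and boot-chain
# protections on the local Windows 8.1 machine. Run from an elevated PowerShell
# prompt; Get-Tpm and Confirm-SecureBootUEFI ship with Windows 8 and later.
function Get-BootProtectionStatus {
    $status = [ordered]@{}

    # Secure Boot exists only on UEFI firmware. Confirm-SecureBootUEFI throws on
    # legacy BIOS machines (and when not elevated), so record that instead of guessing.
    try {
        $status.Firmware   = 'UEFI'
        $status.SecureBoot = Confirm-SecureBootUEFI
    } catch {
        $status.Firmware   = 'Legacy BIOS or unknown'
        $status.SecureBoot = "unavailable ($($_.Exception.Message))"
    }

    # TPM presence and readiness: Measured Boot, BitLocker TPM protectors and
    # virtual smart cards all depend on an initialised TPM.
    $tpm = Get-Tpm
    $status.TpmPresent = $tpm.TpmPresent
    $status.TpmReady   = $tpm.TpmReady

    # Measured Boot stores the TCG event log of each boot here when a TPM is present;
    # an empty or missing folder means nothing was measured.
    $logDir = Join-Path $env:SystemRoot 'Logs\MeasuredBoot'
    $logs   = Get-ChildItem $logDir -Filter '*.log' -ErrorAction SilentlyContinue
    $status.MeasuredBootLogs = @($logs).Count

    # ELAM: Windows Defender's early-launch driver (WdBoot) is a boot-start driver
    # that loads ahead of third-party drivers.
    $elam = Get-CimInstance Win32_SystemDriver -Filter "Name='WdBoot'"
    $status.ElamDriver = if ($elam) {
        "$($elam.Name) start=$($elam.StartMode) state=$($elam.State)"
    } else { 'not found' }

    return [pscustomobject]$status
}

Get-BootProtectionStatus | Format-List
```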
Securing the sign-in process:
Previously, all (or at least most) Windows logon authentication was based on usernames and passwords. Usernames and passwords are sometimes ineffective and can be easily stolen. Considering these issues, there is a need for a second, physical factor for authentication. In Windows 8.1 this requirement has been met by adding a second form of authentication that is hardware based.
The fingerprint reader is one of the most widely used hardware-based authentication devices. Windows offered support for fingerprint readers in previous versions, but the overall experience for crucial activities such as enrolling fingerprints has historically required third-party software with its own user experience. Windows 8.1, for the first time, manages the fingerprint-authentication process from end to end with a consistent enrolment process.
Another built-in, hardware-based authentication option is the Virtual Smart Card (VSC), which was introduced in Windows 8 and receives some improvements in Windows 8.1. The idea behind a VSC is to require two-factor authentication, with an authorized device and a PIN (or biometric authentication), to access specific resources.
Malware protection:
Windows 8.1 uses Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP) to protect systems from malware and phishing attacks. These two features are designed to protect against exploits that use vulnerabilities such as buffer overruns in the operating system and in applications:
Address Space Layout Randomization (ASLR): This feature randomizes how and where important data is stored in memory, making it more likely that attacks that try to write directly to system memory will fail because the malware cannot find the specific location it needs to attack. ASLR is unique across devices, making it more difficult for an exploit that works on one device to also work on another.
Data Execution Prevention (DEP): This feature substantially reduces the range of memory in which code (including malicious code) can run. Windows 8 and 8.1 require hardware-based DEP support and will not install on a device that lacks this feature.
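DEP and ASLR are enforced by the operating system, but each executable also declares whether it opts in, through the DllCharacteristics field of its PE optional header. The following added example (not from the original post) reads those flags from any .exe or .dll and reports the machine's DEP policy; it assumes only a Windows host and the Win32_OperatingSystem CIM class, and the flag values come from the PE/COFF specification.

```powershell
# Added example (not from the original post): read the ASLR/DEP opt-in flags from a
# PE image and report the system-wide DEP policy. Flag values per the PE/COFF spec.
function Get-PEMitigationFlags {
    param([Parameter(Mandatory)][string]$Path)

    $bytes = [System.IO.File]::ReadAllBytes($Path)
    if ($bytes[0] -ne 0x4D -or $bytes[1] -ne 0x5A) { throw "$Path is not an MZ executable" }

    # e_lfanew at offset 0x3C points at the 4-byte "PE\0\0" signature.
    $peOffset = [BitConverter]::ToInt32($bytes, 0x3C)
    if ([BitConverter]::ToUInt32($bytes, $peOffset) -ne 0x00004550) { throw "$Path has no PE signature" }

    # The optional header follows the signature and the 20-byte COFF header. Magic says
    # PE32 (0x10B) or PE32+ (0x20B); DllCharacteristics is at offset 70 in both layouts.
    $optHeader = $peOffset + 4 + 20
    $magic     = [BitConverter]::ToUInt16($bytes, $optHeader)
    $dllChars  = [BitConverter]::ToUInt16($bytes, $optHeader + 70)

    [pscustomobject]@{
        File           = [System.IO.Path]::GetFileName($Path)
        Is64Bit        = ($magic -eq 0x20B)
        DynamicBase    = [bool]($dllChars -band 0x0040)  # ASLR opt-in
        HighEntropyVA  = [bool]($dllChars -band 0x0020)  # 64-bit high-entropy ASLR, new in Windows 8
        NxCompat       = [bool]($dllChars -band 0x0100)  # DEP opt-in
        ForceIntegrity = [bool]($dllChars -band 0x0080)  # valid signature required to load
    }
}

function Get-DepPolicy {
    # Win32_OperatingSystem reports the system-wide DEP policy:
    # 0 = AlwaysOff, 1 = AlwaysOn, 2 = OptIn (client default), 3 = OptOut.
    $os    = Get-CimInstance Win32_OperatingSystem
    $names = 'AlwaysOff', 'AlwaysOn', 'OptIn', 'OptOut'
    [pscustomobject]@{
        HardwareDepAvailable = $os.DataExecutionPrevention_Available
        Policy               = $names[$os.DataExecutionPrevention_SupportPolicy]
    }
}

Get-DepPolicy
# Check a couple of in-box binaries; every Windows 8.1 system binary should opt in to both.
"$env:SystemRoot\System32\notepad.exe", "$env:SystemRoot\explorer.exe" |
    ForEach-Object { Get-PEMitigationFlags -Path $_ } | Format-Table -AutoSize
```

A third-party application that reports DynamicBase or NxCompat as False is one the system-wide mitigations cannot fully protect, which is where the OptOut DEP policy and EMET-style enforcement come in.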
Internet Explorer 11:
Windows 8.1 includes Internet Explorer 11 as part of a default installation. The most notable change in Internet Explorer 11 is that Enhanced Protected Mode (EPM) is enabled in the desktop browser by default. This feature was available in Internet Explorer 10 on Windows 8, but was disabled by default.
Windows 8.1 adds further security to online activity with features called SmartScreen and phishing protection.
SmartScreen and phishing protection:
SmartScreen checks any executable file when it is run. Based on the Microsoft reputation database, applications with a positive reputation are allowed to execute and applications with a negative reputation are blocked. Windows SmartScreen technology is particularly effective at preventing untrained users from running files of unknown provenance that have a greater-than-normal chance of being malicious.
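The SmartScreen and Enhanced Protected Mode settings described above live in the registry, so their state can be audited and enforced from PowerShell. This is an added example, not code from the original post; the registry paths and values are assumed from the Windows 8.1 / IE 11 settings (the Policies keys exist only when Group Policy has set them), and the Enable-BrowserProtection helper is a hypothetical name chosen here.

```powershell
# Added example (not from the original post): audit, and optionally enforce, the
# Windows SmartScreen and IE Enhanced Protected Mode settings. Registry locations
# are assumed from the Windows 8.1 / IE 11 settings; run elevated to change HKLM.
function Read-RegValue($Path, $Name) {
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

function Get-BrowserProtectionStatus {
    # Windows SmartScreen app reputation: RequireAdmin, Prompt or Off (user setting),
    # overridden by the EnableSmartScreen policy value when present (0 = off).
    $ss       = Read-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer' 'SmartScreenEnabled'
    $ssPolicy = Read-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System' 'EnableSmartScreen'
    $ssOn     = if ($null -ne $ssPolicy) { $ssPolicy -ne 0 } else { $ss -ne 'Off' }

    # IE Enhanced Protected Mode: Isolation = "PMEM" turns EPM on; Isolation64Bit = 1 also
    # runs tab processes as 64-bit, which lets them use high-entropy ASLR.
    $ieMain    = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
    $epm       = Read-RegValue $ieMain 'Isolation'
    $epm64     = Read-RegValue $ieMain 'Isolation64Bit'
    $epmPolicy = Read-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Main' 'Isolation'

    [pscustomobject]@{
        SmartScreenSetting   = $ss
        SmartScreenPolicy    = $ssPolicy
        SmartScreenEffective = $ssOn
        EpmSetting           = $epm
        EpmPolicy            = $epmPolicy
        EpmEffective         = ($epmPolicy -eq 'PMEM') -or ($epm -eq 'PMEM')
        Epm64BitTabs         = ($epm64 -eq 1)
    }
}

# Hardening for a standalone machine (hypothetical helper, run elevated): block
# unrecognised downloads unless an administrator approves, and turn EPM on for this user.
function Enable-BrowserProtection {
    Set-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer' -Name SmartScreenEnabled -Value 'RequireAdmin'
    Set-ItemProperty 'HKCU:\Software\Microsoft\Internet Explorer\Main' -Name Isolation -Value 'PMEM'
    Set-ItemProperty 'HKCU:\Software\Microsoft\Internet Explorer\Main' -Name Isolation64Bit -Value 1 -Type DWord
}

Get-BrowserProtectionStatus | Format-List
```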
Data security:
Windows 8.1 incorporates robust data-encryption options that cover a full range of devices, using Device Encryption and BitLocker.
Device Encryption:
On any device that supports the InstantGo standard and is running Windows 8.1, data is encrypted by default. This encryption is automatically enabled for the operating-system volume during setup.
BitLocker Drive Encryption:
From a technological point of view, Device Encryption and BitLocker are identical. Both default to 128-bit Advanced Encryption Standard (AES), but BitLocker can be configured to use AES-256.
BitLocker comes with a long list of features appropriate for enterprise-class data protection, including the ability to use a TPM plus a PIN for encryption, as well as Network Unlock, which allows management of BitLocker-enabled devices in a domain environment by automatically unlocking operating-system volumes at system reboot when connected to a trusted wired corporate network.
Remote business data removal:
In Windows 8.1, system administrators can mark and encrypt corporate content to distinguish it from ordinary user data. When the relationship between the organization and the user ends, the encrypted corporate data can be wiped on command using Exchange. This capability requires implementation in the client application (Mail, for example) and in the server application (Exchange Server). The client application determines whether the wipe simply makes the data inaccessible or actually deletes it. This feature includes support for an API that allows third-party apps to adopt the remote-wipe capability.
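The BitLocker options above (AES-256 rather than the 128-bit default, and a TPM plus PIN protector) can be applied with the BitLocker PowerShell module that ships with Windows 8 and later. This is an added example, not code from the original post; it assumes an elevated prompt, an initialised TPM, and the Enable-OsVolumeBitLocker wrapper name chosen here. Network Unlock is configured server-side (WDS plus Group Policy), so it is not shown.

```powershell
# Added example (not from the original post): enable BitLocker on the OS volume with
# AES-256, a TPM + PIN protector and a recovery password to escrow. Run elevated.
function Enable-OsVolumeBitLocker {
    param(
        [string]$MountPoint = $env:SystemDrive,
        [Parameter(Mandatory)][SecureString]$Pin   # numeric, 4-20 digits under default policy
    )

    # A TPM+PIN protector cannot be created without an initialised TPM, so fail early.
    $tpm = Get-Tpm
    if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
        throw 'TPM is missing or not initialised; a TPM+PIN protector is not possible.'
    }

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.ProtectionStatus -eq 'On') {
        Write-Warning "$MountPoint is already protected with $($vol.EncryptionMethod)."
        return $vol
    }

    # Add the recovery password first so the volume is recoverable from the outset.
    # Show it once for escrow; in a domain, Group Policy normally backs it up to AD DS.
    $vol = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
    $rp  = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
    Write-Host "Recovery password (escrow this now): $($rp.RecoveryPassword)"

    # -UsedSpaceOnly is fine for a freshly provisioned drive; drop it for drives that
    # already held data so the free space is encrypted as well.
    Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod Aes256 `
        -TpmAndPinProtector -Pin $Pin -UsedSpaceOnly -SkipHardwareTest | Out-Null

    Get-BitLockerVolume -MountPoint $MountPoint
}

# Usage: prompt for the PIN rather than hard-coding it, then summarise the result.
$pin = Read-Host -AsSecureString -Prompt 'BitLocker PIN'
Enable-OsVolumeBitLocker -Pin $pin |
    Select-Object MountPoint, EncryptionMethod, VolumeStatus, ProtectionStatus,
        @{ n = 'Protectors'; e = { ($_.KeyProtector | ForEach-Object KeyProtectorType) -join ', ' } }
```

Get-BitLockerVolume is also the quick way to confirm the post's claim about defaults: a Device Encryption volume reports EncryptionMethod Aes128, while the volume above reports Aes256 with Tpm, TpmPin and RecoveryPassword protectors.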