Saturday, November 30, 2013

Security in Windows 8.1, or how secure is Windows 8.1?

According to Microsoft product documentation, Windows 8 and Windows 8.1 are more secure than their predecessors and significantly more effective in preventing malware infections.

The question is, how are Windows 8 and Windows 8.1 more secure than their predecessors?
The answer is that Windows 8.1 enables crucial features in different forms and layers, such as hardware-based and network-based.

Typically the layers can be categorized as:
Hardware based – (UEFI, TPM, Biometrics)
Secure boot process – (Secure Boot, ELAM, Trusted Boot and Measured Boot)
Secure sign-in process – (Biometrics and VSC)
Malware protection – (ASLR and DEP)
Internet Explorer – (EPM, SmartScreen and phishing protection)
Data security on devices – (Device encryption, BitLocker and Remote business data removal)

Hardware based protection:
Basic protection starts with the hardware itself. Hardware-based security has 3 main features:

Unified Extensible Firmware Interface (UEFI): UEFI offers the secure boot capability and it provides support for self-encrypted drives.

Trusted Platform Module (TPM): A TPM is a hardware chip that supports high-level encryption and prevents tampering with or unauthorised export of certificates and encryption keys. The TPM can perform cryptographic operations and store keys for BitLocker volumes and virtual smartcards. A TPM by itself won’t provide maximum security to a Windows 8.1 system, but the presence of a TPM enables several key Windows 8.1 features, including BitLocker drive encryption, virtual smartcards, and Measured Boot.

Extended support for biometric devices: One way to overcome the flaws of passwords is to use biometric information, typically with a fingerprint reader. Although biometric technology has been available since Windows XP, this feature has been improved in Windows 8.1.

Secure boot process:
In Windows 8.1, security starts at the very beginning of the boot process. Most aggressive forms of malware try to compromise a system through the boot process, as early as possible, so that they can take control of the system early and block antimalware. The best way to avoid this type of security breach is to secure the boot process so that it’s protected from the very start. Windows 8.1 supports multiple layers of boot protection, based on the hardware type and available features.
Some of the key features of the Windows 8.1 secure boot process are:

Secure Boot: This basic protection is a standard part of the UEFI architecture. On hardware that supports UEFI, when Secure Boot is enabled, the device can boot using only an OS loader that’s signed using a certificate stored in the UEFI firmware.

Early Launch Antimalware (ELAM): Antimalware software that’s compatible with the advanced security features in Windows 8 and 8.1 can be certified and signed by Microsoft. Windows Defender (now part of Windows 8.1) supports this feature.

Trusted Boot: The Trusted Boot feature verifies that all Windows boot components have integrity and can be trusted. The boot loader verifies the digital signature of the kernel before loading it.

Measured Boot: This feature requires the presence of a TPM on the Windows 8.1 device. Measured Boot takes measurements of the UEFI firmware and each of the Windows and antimalware components as they load during the boot process. When these measurements are complete, their values are digitally signed and stored securely in the TPM and cannot be changed unless the system is reset. During each subsequent boot, the same components are measured, allowing the current values to be compared with those in the TPM.
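The measure-and-compare cycle described above, as an added Python sketch that is not from the original post or from Microsoft: it models the TPM register as a running hash, so a change to any component, or to the load order, changes the final value. The use of SHA-256 and the component names and contents are assumptions made for the example.

```python
import hashlib

def extend(pcr: bytes, component: bytes) -> bytes:
    """Model of a PCR extend: new = SHA-256(old || SHA-256(component))."""
    return hashlib.sha256(pcr + hashlib.sha256(component).digest()).digest()

def measure_boot(chain):
    """Measure each (name, blob) in load order; return (final PCR, event log)."""
    pcr = bytes(32)  # the register holds all zeros after a platform reset
    log = []
    for name, blob in chain:
        log.append((name, hashlib.sha256(blob).hexdigest()))
        pcr = extend(pcr, blob)
    return pcr, log

def first_divergence(baseline_log, current_log):
    """Return the first component whose measurement differs, or None."""
    for good, seen in zip(baseline_log, current_log):
        if good != seen:
            return seen[0]
    if len(baseline_log) != len(current_log):
        return "<component added or removed>"
    return None

# Constructed sample boot chain; names and contents are illustrative only.
KNOWN_GOOD = [
    ("uefi-firmware", b"firmware image 1.0"),
    ("os-loader", b"signed loader 6.3"),
    ("kernel", b"kernel 6.3"),
    ("elam-driver", b"antimalware driver 4.3"),
]
# Same chain with one component altered before the next boot.
ALTERED = [(n, b + b" (modified)" if n == "kernel" else b) for n, b in KNOWN_GOOD]

if __name__ == "__main__":
    base_pcr, base_log = measure_boot(KNOWN_GOOD)
    pcr, log = measure_boot(ALTERED)
    print("baseline PCR:", base_pcr.hex())
    print("current  PCR:", pcr.hex())
    print("match:", pcr == base_pcr)
    print("first differing component:", first_divergence(base_log, log))
```

Because each value is folded into the previous one, the final register value alone says only that something changed; the per-component log is what identifies which component.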

Securing the sign-in process:
Previously, most Windows sign-ins were authenticated with usernames and passwords. These credentials are sometimes ineffective and can be easily stolen, so there is a requirement for a second, physical factor for authentication. Windows 8.1 fulfils this requirement by adding a second, hardware-based form of authentication. A fingerprint reader is one widely used form of hardware-based authentication. Previous versions of Windows offered support for fingerprint readers, but crucial activities such as enrolling fingerprints have historically required third-party software with its own user experience. Windows 8.1, for the first time, manages the fingerprint-authentication process from end to end with a consistent enrolment process.

Another built-in, hardware-based authentication option is the Virtual Smart Card (VSC), which was introduced in Windows 8 and gets some improvements in Windows 8.1. The idea behind a VSC is to require two-factor authentication, with an authorized device and a PIN (or biometric authentication), to access specific resources.

Malware Protection:
Windows 8.1 uses Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP) to protect systems from malware and phishing attacks. These two features are designed to protect against exploits that use vulnerabilities such as buffer overruns in the operating system and in applications:
               
Address Space Layout Randomization (ASLR): This feature randomizes how and where important data is stored in memory, making it more likely that attacks that try to write directly to system memory will fail because the malware can’t find the specific location it needs to attack. ASLR is unique across devices, making it more difficult for an exploit that works on one device to also work on another.
               
Data Execution Prevention (DEP): This feature substantially reduces the range of memory that code (including malicious code) can run in. Windows 8 and 8.1 require hardware-based DEP support and will not install on a device that lacks this feature.

Internet Explorer 11:
Windows 8.1 includes Internet Explorer 11 as part of a default installation. The most notable change in Internet Explorer 11 is that Enhanced Protected Mode (EPM) is enabled in the desktop browser by default. This feature was available in Internet Explorer 10 in Windows 8 but was disabled by default.

Windows 8.1 adds further security to online activity with new features called SmartScreen and phishing protection.

SmartScreen and phishing protection:
SmartScreen checks any executable file when it’s run. Based on the Microsoft reputation database, applications with a positive reputation are allowed to run and applications with a negative reputation are blocked. Windows SmartScreen technology is particularly effective at preventing untrained users from running files of unknown provenance that have a greater-than-normal chance of being malicious.

Data Security:
Windows 8.1 incorporates robust data-encryption options that encompass a full range of devices using Device encryption and BitLocker.

Device encryption:
On any device that supports the InstantGo standard and is running Windows 8.1, data is encrypted by default. This encryption is automatically enabled for the operating-system volume during setup.

BitLocker Drive Encryption:
From a technological point of view Device Encryption and BitLocker are identical. Both device encryption and BitLocker default to 128-bit Advanced Encryption Standard (AES), but BitLocker can be configured to use AES-256.
BitLocker comes with a long list of features that are appropriate for enterprise-class data protection, including the capability to use a TPM plus a PIN for encryption as well as Network Unlock, which allows management of BitLocker-enabled devices in a domain environment by providing automatic unlocking of operating-system volumes at system reboot when connected to a trusted wired corporate network.

Remote business data removal:
In Windows 8.1, system admins can mark and encrypt corporate content to distinguish it from ordinary user data. When the relationship between the organization and the user ends, the encrypted corporate data can be wiped on command using Exchange. This capability requires implementation in the client application (Mail, for example) and in the server application (Exchange Server). The client application determines whether the wipe simply makes the data inaccessible or actually deletes it. This feature includes support for an API that allows third-party apps to adopt the remote-wipe capability.
