Windows 8.1 Security - ESET


Windows 8.1 Security—New and Improved

Contents

Introduction
Putting a finger (print) on it
InstantGoing where no version of Windows has gone before
Evolutionary encryption
Defender of the realm, revisited
New features, yes, but new risks as well?
Should I stay or should I go?
Windows 8.1's curious processor affinity
The hard truth about operating system upgrades
A double-edged sword
Conclusion
References

Introduction

The release of Windows 8.1 may have been more eagerly anticipated for the changes it makes to the Start Screen than for the security improvements it brings, but despite being “just a point release” there are quite a few under-the-hood improvements [1,2,3] to Microsoft's flagship desktop operating system.

If you have not done so already, you may wish to review our earlier articles, Windows 8's Security Features and Six Months with Windows 8, to familiarize yourself with what was new in Windows 8.0.

At the time of ESET's last paper on Windows 8 [4], nearly half a year ago, it was in use by about 3% of our customers, compared with 49% running Windows 7 and 44% running Windows XP. How has Windows 8 fared since then? The following pie chart shows current Microsoft Windows desktop operating system percentages based on telemetry provided by ESET Live Grid as of mid-November, 2013:

[Pie chart, Windows desktop OS share from ESET Live Grid, mid-November 2013: Windows 7 53.84%, Windows XP 36.77%, Windows 8/8.1 5.73%, Windows Vista 3.51%, with Windows 2000 and NT 4.0 making up the small remainder (the one legible small-segment label reads 0.15%).]

In the past six months, Windows 8 usage has doubled to nearly 6% (note that this covers both Windows 8 and 8.1). Windows 7 remains the top operating system, having increased to a 54% share. Windows XP continues to hold on to second place, despite a seven-point drop in usage to 37%. As Windows XP's end of life approaches in April 2014, we can expect these trends to accelerate.

But for now, let's return our focus to Windows 8.1 and peel the wrapping off the box to take a look at some of the most important features for both businesses and consumers in this latest iteration of Microsoft's flagship desktop operating system.

Putting a finger (print) on it

One of the biggest changes in Windows 8.1 is its improved support for reading fingerprints [5,6]. While fingerprint readers have been a staple of business laptops for over a decade, they have never been used to the same extent in the consumer space. This is probably due to the increased device cost in the more price-sensitive consumer market, as well as the additional complexity of integrating them into the user experience, not just with the operating system but with third-party software [7] such as web browsers. In Windows 7, Microsoft introduced the Windows Biometric Framework application programming interface (API) to simplify development of such technologies, but Windows 8.1 has made it much easier for developers to take advantage of fingerprint reading technology. By handling the scanning of fingerprints to register them within the system, as well as extending their management within the operating system, Microsoft has made it easier for both hardware manufacturers and third-party software developers to build usage scenarios and applications around fingerprint registration that go beyond simply authenticating a person at login.

Another advantage of fingerprint readers is that as Windows spreads to more kinds of devices, such as tablets and smartphones, fingerprint scanning becomes an easier way to identify a user, especially where typing a complex password is made harder by the lack of a traditional keyboard.

It should be noted, though, that for high-security applications and environments, no single form of authentication, no matter how secure, should be relied on to grant access. A fingerprint is also not a secret: it can be lifted from surfaces and, unlike a password, cannot be changed once it has been copied. A fingerprint scan should therefore be coupled with a password or passphrase, or with another access device such as a smartcard or access token, in order to obtain authentication.

InstantGoing where no version of Windows has gone before

Another area in which Microsoft has improved upon Windows 8.0 is that of Connected Standby. First introduced in Windows 8, this feature has been renamed InstantGo [8] in Windows 8.1. While InstantGo is not a security feature per se, it does have important implications for device manageability and integrity, which are security concerns.

So, what exactly is InstantGo? Simply put, InstantGo is a new ultra-low-power “sleep” mode built into new PCs, which allows the CPU, storage, network adapter and motherboard to continue to operate when a computer is asleep, but in a greatly reduced power mode that consumes a fraction of the electricity that more traditional “doze” states require. PCs have had sleep (S3) and hibernate (S4) states for nearly twenty years using the Advanced Configuration and Power Interface (ACPI) standard, but in those modes all programs were suspended. With InstantGo, the PC remains connected to the Internet, and modern Windows apps continue to receive updates even in this new low-power state. Windows 8.1 also has the ability to suspend and pause applications in order to reduce energy use even further.

As InstantGo is a new technology (or at least a refinement of one about a year old), we have not had a chance to do an exhaustive study of applications and services that make use of it. However, it sounds like InstantGo will allow developers to provide some interesting new features in several areas. Here are a few scenarios we envision:

- Additional remote device management
- Updates to software (including downloading anti-malware signature updates)
- Improvements to anti-theft tracking and reporting

It's important to bear in mind that conventional activities that require a fully powered system can't be performed while a system is in low-power mode. So (for example) don't expect to install software or run an on-demand scan for malware on a PC while it is asleep, but it should eventually be possible to push updates and new configurations to devices, and have those install or come into effect when the device returns to full-power mode. The flip side is that a machine which stays reachable over the network while it appears to be off keeps its listening services exposed for that whole time, so host firewall rules and patch levels matter just as much in InstantGo as when the lid is open.

It should also be noted that while the system requirements for InstantGo are modest, it only works on the latest hardware, so organizations wishing to take advantage of it will need to upgrade their fleet of computers in order to realize any of its benefits.

Evolutionary encryption

Filesystem-level encryption is not a new feature in Windows. Microsoft introduced the Encrypting File System (EFS) [9] almost fifteen years ago, a feature that allows the operating system to encrypt individual files and directories. It was not until the release of Windows Vista in 2006 that full disk encryption (FDE) was added, in the form of BitLocker Drive Encryption [10,11]. Since then, BitLocker has been updated in each subsequent version of Windows, adding improved functionality and even providing limited support under Windows XP for reading (but not writing to) BitLocker-encrypted removable drives. Regardless of which encryption technology or technologies are being used, though, one thing has always remained the same: the encryption has always had to be enabled by the person managing the computer.

With Windows 8.1, Microsoft has introduced pervasive Device Encryption [12]. And what exactly does that mean? It means that if the PC's hardware supports it, the disks are automatically encrypted. To simplify key management, a backup copy of the recovery key for the system is stored either in Active Directory Domain Services, if the user account is a domain account, or “in the cloud” on SkyDrive, if the user account is a Microsoft account. Note that the protection is only armed once that backup has succeeded: until a Microsoft account or domain account signs in and the recovery key is uploaded, the volume is encrypted with a clear key and is not yet actually protected. With device theft a continuing issue for businesses, institutions and any organization with portable devices, encryption has become a topic at the forefront of most IT departments' radar (and budgets). Having FDE integrated at the operating system level and managed using familiar existing tools will greatly reduce the administrative overhead for IT managers. However, like the aforementioned InstantGo technology, only the newest systems are capable of taking advantage of it.

Defender of the realm, revisited

For Windows 8.0, Microsoft re-badged its Microsoft Security Essentials product, renaming it Windows Defender, creating a new modern user interface, introducing drivers for Early Launch Anti-Malware (ELAM) support and bundling it into the operating system. While Windows 8.1's Windows Defender does not have as many changes as its predecessor, it does contain some new and improved functionality [13,14]:

- Windows 8.1's Windows Defender now implements an intrusion detection system (IDS) at the network level to continuously monitor connections and identify potentially malicious behavior patterns. In this respect, the software is behaving like a classic virus scanner, except that instead of scanning files it is scanning network traffic.
- Similarly, Windows Defender in Windows 8.1 adds another technology at the operating system level: its host intrusion prevention system (HIPS) allows it to monitor system memory, the registry and the file system for malicious activity.
- Another new addition is that ActiveX controls downloaded by Internet Explorer are now scanned automatically before execution.
- Microsoft also mentions unspecified improvements to cloud-based detection.

While none of these announcements cover novel technologies (in particular, IDS technology first appeared in third-party Windows programs in the Windows 95 era), all of these steps add layers of protection for users of Windows 8.1, and that kind of defense in depth is definitely good practice from a security perspective.

New features, yes, but new risks as well?

Microsoft classifies some of these improvements, such as biometric authentication, TPM 2.0 and virtual smart cards, under the umbrella term “Microsoft User and Device Authentication” [15]. These technologies are designed to make mobile devices more secure and manageable, but do improvements in user authentication have further implications for security and privacy as well?
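Before turning to that question, the following script, added here as an example and not part of the ESET paper, checks on a Windows 8.1 machine the features discussed in the InstantGo, Evolutionary encryption and Defender sections above: whether the hardware offers connected standby and a TPM, whether each volume is encrypted and how many recovery passwords it holds, escrow of the recovery password to Active Directory for domain members, and which Windows Defender components are active. It assumes Windows PowerShell 4.0 with the in-box BitLocker and Defender modules and an elevated prompt; the "Standby (Connected)" label printed by powercfg, and the mapping of the paper's IDS/HIPS wording onto Defender's NIS and behaviour-monitoring settings, are my assumptions rather than anything the paper states.

```powershell
# Added example, not code from the ESET paper: a post-upgrade check of the
# Windows 8.1 features discussed above (InstantGo, Device Encryption/BitLocker,
# Windows Defender) plus the recovery-key escrow caveat. Run from an elevated
# Windows PowerShell 4.0 prompt on Windows 8.1. Module and property names are
# those of the in-box BitLocker and Defender modules; the mapping of the paper's
# "IDS"/"HIPS" wording onto NIS and behaviour monitoring is my assumption.
#Requires -RunAsAdministrator

$report = [ordered]@{}

# 1. InstantGo: powercfg lists the sleep states the firmware supports. An
#    InstantGo-capable machine reports "Standby (Connected)" instead of the
#    classic "Standby (S3)" (label text as printed by Windows 8.1; assumed).
$sleepStates = powercfg /a
$report.InstantGoCapable = [bool]($sleepStates -match 'Standby \(Connected\)')

# 2. TPM: Device Encryption only switches itself on with a TPM present
#    (TPM 2.0 on new hardware, per Microsoft's requirements as I understand them).
$tpm = Get-CimInstance -Namespace root\cimv2\Security\MicrosoftTpm -ClassName Win32_Tpm -ErrorAction SilentlyContinue
$report.TpmPresent     = [bool]$tpm
$report.TpmSpecVersion = if ($tpm) { $tpm.SpecVersion } else { 'none' }

# 3. Encryption state per volume and where the recovery password lives.
$isDomainMember = (Get-CimInstance -ClassName Win32_ComputerSystem).PartOfDomain
if (Get-Module -ListAvailable BitLocker) {
    Import-Module BitLocker
    foreach ($vol in Get-BitLockerVolume) {
        $recovery = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
        $report["Volume $($vol.MountPoint)"] = '{0}; protection {1}; {2} recovery password(s)' -f `
            $vol.VolumeStatus, $vol.ProtectionStatus, $recovery.Count

        # On a domain machine, escrow the recovery password in AD DS (the domain
        # needs the BitLocker recovery schema and GPO) so that nothing has to
        # live in a personal SkyDrive account.
        if ($isDomainMember -and $recovery.Count -gt 0) {
            Backup-BitLockerKeyProtector -MountPoint $vol.MountPoint -KeyProtectorId $recovery[0].KeyProtectorId
        }
    }
    # If a recovery password was already uploaded to a Microsoft account and that
    # copy should stop working, rotate it. Only do this after confirming a TPM
    # protector exists, otherwise the volume is unrecoverable after a TPM change:
    #   Remove-BitLockerKeyProtector -MountPoint C: -KeyProtectorId <old id>
    #   Add-BitLockerKeyProtector   -MountPoint C: -RecoveryPasswordProtector
    # and then check where Windows backed up the new one.
} else {
    $report.BitLocker = 'BitLocker module not available on this edition'
}

# 4. Windows Defender: the paper's network-level IDS is the Network Inspection
#    System (NISEnabled); its host-side monitoring of memory/registry/files is
#    taken to be behaviour monitoring; IOAV covers scanning of downloads.
if (Get-Module -ListAvailable Defender) {
    Import-Module Defender
    $mp   = Get-MpComputerStatus
    $pref = Get-MpPreference
    $report.DefenderRealTime  = $mp.RealTimeProtectionEnabled
    $report.DefenderNIS       = $mp.NISEnabled -and -not $pref.DisableIntrusionPreventionSystem
    $report.DefenderBehaviour = $mp.BehaviorMonitorEnabled
    $report.DefenderIOAV      = $mp.IoavProtectionEnabled
    $report.SignatureAgeHours = [int]((Get-Date) - $mp.AntivirusSignatureLastUpdated).TotalHours
} else {
    $report.Defender = 'Defender module not available (a third-party AV may have disabled it)'
}

[pscustomobject]$report | Format-List

# Anything that should be on but is off, one line each for a ticket:
$report.GetEnumerator() | Where-Object { $_.Value -is [bool] -and -not $_.Value } |
    ForEach-Object { "WARNING: $($_.Key) is off" }
```

The rotation commands are left as comments on purpose: removing the only recovery protector on a TPM-protected volume cannot be undone if the TPM state later changes, so run them deliberately and then verify where Windows backed up the replacement password.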

As noted above, Microsoft's pervasive drive encryption technology will potentially store the recovery keys for users' drives, which are sufficient to unlock them, in their SkyDrive accounts. This brings up some potential risks for people such as investigative reporters, whistleblowers and peaceful activists if their computers are seized by a government. Microsoft, like other businesses, has to respond to legal requests from law enforcement agencies for access to things like user accounts. Does this include the recovery keys for the computers' hard disk drives? The same question applies to anyone who compromises the Microsoft account itself: the escrowed key is only as safe as that account's password and recovery options. If so, it may be better for those with privacy requirements to rely on third-party disk encryption technologies for which decryption keys cannot be obtained through legal mechanisms, or, on managed machines, to escrow recovery keys in Active Directory and rotate any copy that was uploaded.

Should I stay or should I go?

These are not the only enhancements to Windows 8.1's security: Internet Explorer 11 now defaults to Enhanced Protected Mode (EPM) on the desktop [16]; Windows 8.1 contains mitigations for a type of “pass the hash” (PtH) attack (for example, Restricted Admin mode for Remote Desktop, which keeps the administrator's credentials off the remote host), at least when used in conjunction with Windows Server 2012 R2 [17]; Assigned Access allows certain versions of Windows 8.1 to be locked down to running a single modern Windows app [18,19]; and there are additional improvements to security and usability throughout the operating system as well. These, along with other features, mean that Windows 8.1 is more than a service pack when it comes to improving security, while the incremental nature of many improvements means Windows 8.1 is less than a brand-new operating system version.

That does not, however, answer the question of whether all users of Windows 8.0 should adopt Windows 8.1. From strictly a security perspective, the answer is yes, you should upgrade; however, there are also some important factors to consider, which means a “probably” has to be thrown in somewhere.

Windows 8.1's curious processor affinity

First, there are some additional hardware requirements in Windows 8.1 over the previous Windows 8.0. In particular, if you wish to install a 64-bit version of Windows 8.1, both the CPU and the motherboard's chipset must support three particular processor features: CMPXCHG16B [20], PrefetchW [21] and LAHF/SAHF [22].

- The first instruction, CMPXCHG16B, atomically compares and exchanges a 16-byte value in memory; it is the primitive behind many lock-free data structures.
- The second instruction, PrefetchW, hints to the processor that a cache line should be fetched into cache in anticipation of a write.
- The third pair of instructions, LAHF/SAHF, copies the low byte of the flags register to and from the AH register; they were missing from the earliest 64-bit processors and are relied on by some virtualization and floating-point code.

Now, all of these processor instructions have been in use by various AMD and Intel processors and their accompanying motherboard chipsets for at least the last six to eight years. If you are still using a computer that is this old, it may be time to purchase a new computer, as opposed to trying to run Windows 8.1 on it. There are a few alternatives available, though. You can (1) remain on Windows 8.0, which will be supported until 2015; (2) install the 32-bit version of Windows 8.1, which does not have these requirements; or (3) downgrade to Windows 7, which will be supported until 2020.

To check whether your computer's CPU is compatible with Windows 8.1, you should check with the manufacturer, run a program like Microsoft Sysinternals' Coreinfo, or even run a third-party program such as AIDA64, CPU-Z or HWiNFO. I would be remiss, though, if I did not note that ESET is not in a position to endorse these programs or guarantee their accuracy, and therefore cannot accept responsibility for any problems they might cause with your system.

The hard truth about operating system upgrades

Somewhat related, although definitely less esoteric than processor instruction sets, are concerns about software compatibility. Most software that is written for Windows 8.0 should work under Windows 8.1 without adjustment.
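As an added example that is not from the paper, the Coreinfo check recommended in the processor-affinity section above can be scripted rather than read by eye. The script and its constructed sample output are mine; the Coreinfo row labels CX16, PREFETCHW and LAHF-SAHF are what the tool prints on my systems, so treat them as an assumption to verify against your copy.

```powershell
# Added example, not code from the ESET paper: check the three CPU features that
# 64-bit Windows 8.1 Setup insists on by parsing Sysinternals Coreinfo output.
# Coreinfo's feature table prints one flag per line as NAME, then '*' (supported)
# or '-' (not), then a description; the three row labels below are what my copy
# of Coreinfo prints and should be treated as an assumption.
# For reference, the raw CPUID bits are: CMPXCHG16B = CPUID.01H:ECX[13],
# LAHF/SAHF in 64-bit mode = CPUID.80000001H:ECX[0], PREFETCHW = CPUID.80000001H:ECX[8].

$Win81x64Required = [ordered]@{
    'CX16'      = 'CMPXCHG16B, 16-byte atomic compare-and-exchange'
    'PREFETCHW' = 'PREFETCHW, prefetch a cache line for writing'
    'LAHF-SAHF' = 'LAHF/SAHF in 64-bit mode'
}

function Test-Win81CpuFeatures {
    param([Parameter(Mandatory)][string[]]$CoreinfoOutput)
    $result = [ordered]@{}
    foreach ($flag in $Win81x64Required.Keys) {
        $pattern = '^\s*' + [regex]::Escape($flag) + '\s+([*-])'
        $line = $CoreinfoOutput | Where-Object { $_ -match $pattern } | Select-Object -First 1
        # Re-run the match on the selected line so $Matches refers to that line.
        $result[$flag] = [bool]($line -and ($line -match $pattern) -and $Matches[1] -eq '*')
    }
    $result
}

function Show-Win81CpuVerdict {
    param([System.Collections.IDictionary]$Features)
    foreach ($flag in $Features.Keys) {
        '{0,-10} {1,-5} {2}' -f $flag, $Features[$flag], $Win81x64Required[$flag]
    }
    if ($Features.Values -contains $false) {
        'VERDICT: 64-bit Windows 8.1 Setup will refuse this CPU; use the 32-bit edition or other hardware.'
    } else {
        'VERDICT: CPU meets the 64-bit Windows 8.1 instruction requirements.'
    }
}

# Live run, if coreinfo.exe is on the PATH (-accepteula suppresses the licence dialog).
if (Get-Command coreinfo.exe -ErrorAction SilentlyContinue) {
    Show-Win81CpuVerdict (Test-Win81CpuFeatures (coreinfo.exe -accepteula 2>$null))
}

# Constructed sample (not real machine output) so the parser can be exercised
# offline; it models an older CPU that lacks PREFETCHW.
$sample = @'
Coreinfo - Dump information on system CPU and memory topology
CX16            *       Supports CMPXCHG16B instruction
PREFETCHW       -       Supports PREFETCHW instruction
LAHF-SAHF       *       Supports LAHF/SAHF instructions in 64-bit mode
NX              *       Supports no-execute page protection
'@ -split "`r?`n"

Show-Win81CpuVerdict (Test-Win81CpuFeatures $sample)
```

The sample run reports CX16 and LAHF-SAHF as supported and PREFETCHW as missing, which is exactly the case in which the 64-bit installer stops and the 32-bit edition is the remaining option on that hardware.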
But there are certain classes of software that may themselves need an update for Windows 8.1 compatibility. In particular:

- Security software, which not only inclu
