Apr 09 2013

Windows 8 Is Worth Trying for the Security Features Alone

Windows To Go and a secure boot process make the operating system attractive for IT workers.

If it’s not already there, Windows 8 is probably coming to your network in the near future.

Although some companies are delaying the official adoption of Microsoft’s new operating system, manufacturers are shipping devices with the operating system preinstalled. And if your company allows any form of bring-your-own-device (BYOD) program, it has even less say in the matter. In fact, it’s quite difficult for a consumer to walk into a store and purchase a system running the now “outdated” Windows 7 OS.

When it comes to new operating systems, IT workers are usually interested in hearing about security improvements first. Fortunately, Windows 8 is strong on that front.

Windows 8 Secures the Boot Process

Rootkits are some of the most insidious forms of malware circulating today. These packages gain privileged access and reach into the lowest levels of an operating system and undermine traditional antimalware controls that run at the application level.

The rootkits often function by replacing critical components of the operating system that facilitate the boot process, allowing them to gain a foothold in the system when it boots, before antimalware software is able to load.

Windows 8 adds two features to the boot process that greatly enhance security by protecting against rootkit infections: Secured Boot, with Early Launch Antimalware (ELAM); and Measured Boot. Together, these technologies combat rootkits by minimizing the likelihood of their successful launch and by using remote trusted systems to identify the presence of untrusted software that bypassed antimalware controls.

Secured Boot’s ELAM capability loads during the very early stages of the boot process, before the kernel is given the opportunity to load other hardware drivers. ELAM then monitors the other drivers that the kernel attempts to load and verifies their digital signatures, classifying each driver as “good,” “bad” or “unknown.”

The kernel then uses this information to implement an administrator-defined policy. In most cases, especially until ELAM technology is widely adopted by hardware vendors, administrators should follow the default policy: allow the loading of both “good” and “unknown” drivers while preventing the loading of known malicious drivers.

It is important to understand that ELAM is not a replacement for antivirus software. It merely complements existing packages by adding security to a phase of the boot process that is inaccessible to traditional antimalware packages.

Once Windows 8 finishes loading boot drivers, ELAM terminates and the system’s other antimalware software assumes control. ELAM can, however, perform a seamless transfer of status information to the system’s runtime antimalware software.

While Secured Boot takes an active approach to securing the boot process, Measured Boot combines passive monitoring with remote attestation to provide administrators with assurance about the integrity of the boot process.

Measured Boot monitors the launch of all system components that load prior to the launch of antimalware software. It records this information in a tamper-proof fashion using the Trusted Platform Module (TPM), a secured piece of hardware attached to the motherboard. When antimalware software loads, it may access (but not modify) the information stored in the TPM to verify the steps that occurred on the system before the activation of antimalware software.

The remote-attestation feature of Measured Boot is also a promising development that administrators should keep an eye on. It facilitates the use of a remote server to verify that systems on the network are booting into a known trusted state.

With remote attestation, Measured Boot sends a securely encrypted copy of the TPM data to the remote-attestation server. The server then verifies that the values recorded in the TPM match previously known secure states for that specific system. If the values do not match, the remote attestation server may alert the administrator or trigger corrective action. Full implementation of remote-attestation will require the cooperation of third-party software vendors, so stay tuned.

Security on the Run: Windows To Go

The new Windows To Go feature provided with Windows 8 Enterprise edition offers administrators a solution to a problem that has plagued them for years: how to provide remote users with access to enterprise data in a secured environment. While VPNs and other remote-access technologies have long offered a means to protect sensitive information transferred over the Internet, administrators were still left to worry about the security of the systems used to access that data from home, hotel business centers and similar environments outside the protection of enterprise security controls.

Windows To Go allows administrators to provide users with a complete Windows 8 image on a supported USB drive. Users simply insert the drive into any hardware that supports Windows 7 or Windows 8, boot the system and find themselves up and running in the familiar corporate computing environment.

When they are finished, they just remove the drive and reboot the computer; the system will return to its normal use, with no trace of the user’s computing activity left behind.

Windows To Go also protects against a user accidentally leaving a session open after stepping away from the computer. If the USB drive is removed, Windows To Go pauses for one minute to allow reinsertion of the drive. If the drive is not reinserted, the machine shuts down. To protect against the risk of loss, Windows To Go is also compatible with BitLocker drive encryption.

The downside? Currently, there are only a small number of USB drives certified by Microsoft as compatible with Windows To Go. These include:

  • IronKey Workspace W300
  • Kingston DataTraveler Workspace for Windows To Go
  • Spyrus Portable Workplace
  • Spyrus Secure Portable Workplace
  • Western Digital My Passport Enterprise

Watch for additional products to support this technology as its adoption grows.

Regardless of when Windows 8 makes its way to your enterprise, the additional security provided by ELAM, Measured Boot and Windows To Go makes it an attractive OS for IT workers.

A recent Spiceworks survey found that 69 percent of small and medium-size businesses were currently testing Windows 8, so if you don’t want to roll the new OS out to the whole company, it’s worth conducting pilot evaluations to assess potential future uses.


aaa 1