Sep 04 2014

How to Make the Most of the Surface Pro 3's Security Features

Microsoft's latest tablet comes with a full suite of tools to keep your data secure.

Although the Surface Pro 3 is designed to be easy to use, that doesn’t mean that security has been compromised. In fact, business users will find that the new tablet has quite a few features designed to keep it — and its data — secure. Some of these features are disabled by default, but activating them takes only a few seconds.

The Surface Pro 3 boots from Unified Extensible Firmware Interface (UEFI) firmware, which replaced the aging BIOS and works in conjunction with a Trusted Platform Module (TPM) chip. The TPM creates a hash value for every component in the system and allows the device to boot up only if all of the components match, ensuring that nothing has been modified since the last power-up.

The Surface Pro 3 also is designed to work with Microsoft BitLocker, which coordinates its activities with the TPM chip. BitLocker uses the TPM to lock down unique encryption keys. The entire hard drive and all its contents remain encrypted until the TPM verifies that the tablet hasn’t been tampered with. This prevents someone from stealing data by removing the hard drive, which would remain encrypted and locked.
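The hash-and-match check and the key lock-down described in the two paragraphs above can be modelled in a few lines. This is an added illustration, not code from Microsoft or from this article: it assumes SHA-256, a single measurement register, a toy PIN check and constructed component names, and a real TPM performs the comparison and key release in hardware.

```python
from __future__ import annotations
import hashlib
import hmac


def extend(pcr: bytes, component: bytes) -> bytes:
    """TPM-style extend: new register = H(old register || H(component))."""
    return hashlib.sha256(pcr + hashlib.sha256(component).digest()).digest()


def measure_boot(components: list[bytes]) -> bytes:
    """Fold each boot component, in order, into one register (starts all-zero)."""
    pcr = bytes(32)
    for blob in components:
        pcr = extend(pcr, blob)
    return pcr


class SealedKey:
    """Toy model of a disk key sealed to a known-good measurement plus a PIN."""

    def __init__(self, key: bytes, expected_pcr: bytes, pin: str | None = None):
        self._key = key
        self._expected_pcr = expected_pcr
        self._pin_hash = hashlib.sha256(pin.encode()).digest() if pin else None

    def unseal(self, current_pcr: bytes, pin: str | None = None) -> bytes | None:
        # Release only if this boot measured the same as when the key was sealed.
        if not hmac.compare_digest(current_pcr, self._expected_pcr):
            return None
        # Optional pre-boot PIN: a second check on top of the measurements.
        if self._pin_hash is not None:
            supplied = hashlib.sha256((pin or "").encode()).digest()
            if not hmac.compare_digest(supplied, self._pin_hash):
                return None
        return self._key


# Constructed sample boot chains (placeholder names, not real Surface images).
GOOD_CHAIN = [b"uefi-firmware-v1", b"boot-manager-v1", b"os-loader-v1"]
TAMPERED_CHAIN = [b"uefi-firmware-v1", b"boot-manager-modified", b"os-loader-v1"]
REORDERED_CHAIN = [GOOD_CHAIN[1], GOOD_CHAIN[0], GOOD_CHAIN[2]]
DISK_KEY = b"constructed-volume-key"
sealed = SealedKey(DISK_KEY, measure_boot(GOOD_CHAIN), pin="4821")

if __name__ == "__main__":
    print("clean boot + PIN:", sealed.unseal(measure_boot(GOOD_CHAIN), "4821"))
    print("modified loader :", sealed.unseal(measure_boot(TAMPERED_CHAIN), "4821"))
    print("wrong PIN       :", sealed.unseal(measure_boot(GOOD_CHAIN), "0000"))
```

Because each value is chained into the next, a change to any component, or to the order in which components load, yields a different final register and the key stays sealed.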

An additional, optional security feature displays an onscreen keyboard as part of the Surface Pro 3’s boot-up process. This can be used in conjunction with a PIN-based security program that will keep the device in a locked state until the proper number or password is typed, adding a second layer of authentication beyond the standard user name and password setup.

A couple of easy-to-activate options in the UEFI settings can enhance security even further. Disabling the ability to boot from the USB port is one of the most important ones. Although a full USB 3.0 port is a great feature, it adds vulnerability; a hacker could potentially bypass some security by booting from a portable drive. Disabling this feature still allows full use of the USB port for everything except booting; if preferred, both the USB port and microSD reader can be disabled completely.

Finally, the Surface Pro 3 comes with native Absolute Computrace support; if the Computrace app is removed, it will reinstall itself. IT staff still must activate and purchase accounts for the software, which tracks lost or (more likely) stolen devices using location-based services. But the Surface Pro 3 is ready to go if needed.