How secure is Windows 8?

The latest addition to the Windows operating system family has been out for a while now, but is it secure enough for business users? Davey Winder investigates...

Windows 8 has been around long enough now for any small business considering the upgrade to know if it's a good fit for them.

However, one question should always be at the forefront of any IT pro’s mind when planning a move to the new operating system (OS) but, unfortunately, often isn't: just how secure is Windows 8?

Security assessment

Sarah Shields, executive director of consumer and small business at Microsoft OEM partner Dell UK & Ireland, said Windows 8’s new features should make the product more secure than previous versions of the OS.

One of the new security features Shields rates is the ‘Refresh’ application, which restores Windows in minutes while keeping all personal data and vital settings secure.

She also told IT Pro that Windows 8 should “automatically improve” network connectivity for users.

“It will give employees enhanced mobile broadband when working away from a PC, with the benefit of the system checking across the available Wi-Fi connections and automatically connecting the user to the one providing the best bandwidth,” she claimed.

Mark Austin, chief technology officer of Windows security software firm Avecto, said he is a fan of the new ‘Trusted Boot’ feature on Windows 8, which protects a PC’s boot-up process from malware attacks.

“As malware gets more sophisticated, rootkits have become more prevalent, as they can bury themselves deep in the operating system and cloak themselves from detection, often hijacking the boot process itself by overwriting the master boot record,” Austin explained.

The hardware view

Joseph Souren, vice president of hardware security vendor Wave Systems, is a self-confessed fan of Windows 8 security.

“Windows 8 represents a powerful endorsement of open industry standard for hardware embedded security,” he said.

“It comes in response to a constantly evolving cyber landscape, epitomised by the threat of sophisticated boot sector viruses, compliance with data protection laws, an increasingly mobile workforce and porous network perimeters.

“The new OS also brings fresh capability for the management of virtual smart cards and DirectAccess, allowing enterprise users to establish their identity using the machine as a token-for-network logon, negating the need for tens of passwords which fail to live up to the current threats we face,” he added.

The Trusted Boot technology comprises three components – UEFI Secure Boot, Early-launch Anti-Malware (ELAM) and Measured Boot – that ensure that Windows only boots up if it is free from rootkits and other malware, Austin explained.

“It does this by only allowing trusted software to execute during the boot process and ensuring that anti-malware software loads much earlier [and] before other components and drivers,” he said.

“The boot process is also validated through measurements, which are stored on the TPM chip.”
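
The measurement step Austin describes can be sketched as a hash chain. The following is an added example, not code from the article or from Microsoft: it models a single SHA-256 register extended once per boot stage, then shows how a verifier replays the event log to spot a modified stage. The stage names and image bytes are constructed, and real systems use several PCRs and a binary event log format.

```python
import hashlib

def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM-style extend: new PCR = SHA-256(old PCR || measurement digest)."""
    return hashlib.sha256(pcr + digest).digest()

def measure_boot(stages):
    """Hash each boot stage in order; return (final PCR, event log)."""
    pcr, log = bytes(32), []  # the register starts as 32 zero bytes
    for name, image in stages:
        digest = hashlib.sha256(image).digest()
        log.append((name, digest))
        pcr = extend(pcr, digest)
    return pcr, log

def replay(log):
    """Recompute the PCR a given event log should have produced."""
    pcr = bytes(32)
    for _name, digest in log:
        pcr = extend(pcr, digest)
    return pcr

def attest(pcr, log, known_good):
    """Verifier side: the log must replay to the reported PCR, and every
    entry must equal the known-good measurement at the same position."""
    if replay(log) != pcr:
        return "log does not match PCR"
    if len(log) != len(known_good):
        return "unexpected number of measurements"
    for got, want in zip(log, known_good):
        if got != want:
            return f"unexpected measurement: {got[0]}"
    return "trusted"

# Constructed sample data: stage names and contents are illustrative only.
GOOD_BOOT = [("bootmgr", b"bootmgr v1"), ("winload", b"winload v1"),
             ("elam-driver", b"elam v1"), ("kernel", b"kernel v1")]
TAMPERED_BOOT = [("bootmgr", b"bootmgr v1"), ("winload", b"winload v1 modified"),
                 ("elam-driver", b"elam v1"), ("kernel", b"kernel v1")]

if __name__ == "__main__":
    _, reference = measure_boot(GOOD_BOOT)
    for label, stages in (("clean", GOOD_BOOT), ("tampered", TAMPERED_BOOT)):
        pcr, log = measure_boot(stages)
        print(label, pcr.hex()[:16], attest(pcr, log, reference))
```

Because each extend folds the previous value into the next hash, a changed stage alters the final register value, and a log edited to hide the change no longer replays to it.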

Wolfgang Kandek, chief technical officer at IT security vendor Qualys, also flagged up the changes Microsoft has made to Windows Defender.

“Defender is now more comprehensive and the formerly separate Microsoft product, Security Essentials, an anti-virus package, has been integrated,” he said.

“This package is included on Windows 8 by default, offering a more secure solution out of the box for end-users and SMB organisations.”

However, firms that need management capabilities, such as reports on machine update statuses and alerts about neutralised malware, will need to procure an enterprise malware solution, advised Kandek.

“A number of internal features in Windows 8 security have been improved. Its memory management has added randomisation, making the writing of exploit code harder,” he added.

“There are also the new Windows Runtime (RT) applications that will benefit from a default Sandboxing technology, providing another layer of security against exploits by attackers.”

And the downsides?

Avecto’s Austin contradicts Kandek by citing the inclusion of the enhanced version of Windows Defender as a potential downside.

“Although [it] is a positive step in some respects, it has the danger of giving organisations a false sense of security, as it shouldn’t be relied upon to protect against malware threats,” he said.

“The nature of malware attacks has changed and more sophisticated security technology and proactive measures are required to protect against these threats.

“It is important to always take a defence-in-depth strategy to security, and to not rely solely on the built-in features of the operating system,” he warned.

Kandek also sounded a cautious note about how the newness of Windows 8 could leave users exposed to security risks, as businesses tend to opt for products that are mature, stable and well-supported.

“The radical change that Windows has undergone means that small businesses will be taking more of a plunge if they move to Windows 8,” he said.

“The architecture of Windows RT systems is completely different and will need different processes and tools to be secured.”

He also claimed some of the new security capabilities that Windows 8 offers will require certified hardware, which means older units may be unable to support improvements.