Microsoft's best improvement to Windows is under the hood, and it should drive fast adoption by smart companies

This fall, new computers will be sold with Windows 8. Desktops, laptops, Ultrabooks, and so on will have the latest OS from Microsoft, and people will slowly adapt. They may not like the Metro UI, but it won’t kill them; they will adjust. But as we’ve learned from the “Save XP” days, if the enterprise doesn’t see the value in switching to the next OS, it won’t bother. We see many organizations — most, in fact — remain entrenched with a decade-old OS rather than budge. Only now are many of these holdouts moving to Windows 7 (finally!).

Does Windows 8 have a prayer in the enterprise space?

A week ago, I would have said no. After a day at Microsoft’s TechEd user conference and two keynotes that were less than stellar, I noted no developments that would warrant a dip into the IT budget. In fact, I would have told most folks to upgrade to Windows 7 now — which may still be the best advice.

However, Microsoft gave me and other journalists and columnists some deep time with Windows 8, and we saw features like Windows to Go, VDI improvements, networking enhancements, and security features up close and personal. That’s where I found the compelling enterprise motivation to consider Windows 8: security.

Security enhancements in Windows 8 boot process

One of the more controversial features of the new Windows release is called Secure Boot. The hubbub doesn’t have anything to do with the technology itself but with the drama surrounding Microsoft’s mandates for its implementation on Intel and ARM systems.
Essentially, it takes advantage of UEFI (Unified Extensible Firmware Interface), the modern-day replacement for the BIOS. The problem with the BIOS is that it can’t tell the difference between the legitimate boot loader and a rootkit. That’s why Windows 8 systems will ship with a certificate in the UEFI firmware, which checks the boot loader to ensure it is both the right one and signed by Microsoft. If your system is infected with a rootkit, the UEFI won’t boot. In other words, UEFI protects the pre-OS environment. To me, this is essential to avoid the horrible scenarios described by Mark Russinovich in his book “Zero Day” — these kinds of attacks can harm us in many ways.

Secure Boot is the first part of what Microsoft calls the Trusted Boot process. The second part is a new security feature where Windows can protect the integrity of the kernel, system files, boot-critical drivers, and even the antimalware software (which is the first third-party piece to start up). As the system is booting, Windows 8 detects if any of these elements have been tampered with and automatically restores the unmodified versions. I don’t know why this wasn’t implemented long ago, but I’m happy to see it now.

Another security capability available for systems using a Trusted Platform Module (TPM) is called Measured Boot. Microsoft has supported TPM for years, mainly for access and encryption management, but it is not widely adopted. It should be. As enhanced in Windows 8, this feature lets Windows measure every component from firmware through the boot drivers and store these measurements in the TPM on the system. This log is considered trusted (it’s spoof- and tamper-resistant), so the antimalware tool can use it to ensure the system is not running any malware. The antimalware tool can send this log to a remote system to have it evaluated, and the remote system may initiate corrective measures. Although this feature requires systems with the TPM built in, it brings greater security.
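The Measured Boot flow described above, sketched as an added example that is not Microsoft's code and not part of the original article: each stage is hashed and extended into a TPM register (PCR), and a remote verifier replays the log against that register. It assumes a single SHA-256 PCR, omits checking the TPM's signature over the quoted value, and uses hypothetical component names and contents.

```python
import hashlib

PCR_RESET = bytes(32)  # a SHA-256 PCR is all zeros after reset (assumed bank)

def measure(blob: bytes) -> bytes:
    return hashlib.sha256(blob).digest()

def extend(pcr: bytes, digest: bytes) -> bytes:
    # TPM extend: new = H(old || digest). A PCR cannot be set directly,
    # so its value commits to every measurement and to their order.
    return hashlib.sha256(pcr + digest).digest()

def boot(chain):
    """Client: measure each stage before it runs; return (event log, PCR)."""
    pcr, log = PCR_RESET, []
    for name, blob in chain:
        digest = measure(blob)
        log.append((name, digest))
        pcr = extend(pcr, digest)
    return log, pcr

def verify(log, quoted_pcr, known_good):
    """Remote verifier: replay the log, then judge each entry.
    quoted_pcr would arrive in a TPM-signed quote; that check is omitted."""
    pcr = PCR_RESET
    for _, digest in log:
        pcr = extend(pcr, digest)
    if pcr != quoted_pcr:
        return "log-does-not-match-pcr", []
    bad = [name for name, digest in log if known_good.get(name) != digest]
    return ("unexpected-component" if bad else "healthy"), bad

# Constructed sample boot chain; names and contents are placeholders.
CLEAN = [("firmware", b"fw-1.0"), ("boot-loader", b"loader-1.0"),
         ("kernel", b"kernel-1.0"), ("antimalware-driver", b"am-1.0")]
KNOWN_GOOD = {name: measure(blob) for name, blob in CLEAN}

def demo():
    results = {}
    log, pcr = boot(CLEAN)
    results["clean"] = verify(log, pcr, KNOWN_GOOD)
    # Modified boot loader: the earlier stage measures it before running it.
    tampered = [CLEAN[0], ("boot-loader", b"loader-1.0+implant")] + CLEAN[2:]
    log, pcr = boot(tampered)
    results["tampered"] = verify(log, pcr, KNOWN_GOOD)
    # Software rewrites the log afterwards; the PCR still holds the truth.
    forged = [(n, KNOWN_GOOD[n]) for n, _ in log]
    results["forged-log"] = verify(forged, pcr, KNOWN_GOOD)
    return results

if __name__ == "__main__":
    for case, outcome in demo().items():
        print(case, outcome)
```

The third case is why the log counts as tamper-resistant: software can rewrite the log, but it cannot make the rewritten log replay to the value the TPM holds.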
Additional security features in Windows 8

Along with the boot process enhancements to security, Microsoft focuses on every aspect of Windows 8 to ensure greater protection. For example, there are two new password types: a four-digit PIN and a picture password where you use a photo and set three gestures (on touchscreen devices) that ultimately comprise your “password.”

Although you can choose your antimalware tool, Windows 8 comes with Microsoft’s Windows Defender, beefed up to protect your system from all forms of malware. It uses Windows Update to update its malware signatures.

If you’ve played around with Internet Explorer, you know the SmartScreen filter protects your system from phishing attacks and harmful sites on the Internet. In IE9, Microsoft added a new feature called application reputation to help shield users from downloading applications that may be harmful. In Windows 7, Microsoft expanded the SmartScreen technology, URL reputation system, and file/application system to work across the entire OS — you’re protected no matter what browsers you use. The version in Windows 8 is a bit stronger.

Windows to Go is another interesting capability that will appeal to IT: It lets you put a fully functional copy of Windows 8 on a USB drive that can boot from systems at work, at home, or anywhere that supports USB boot. Employees can carry a secure corporate PC in their pockets.

Microsoft has also enhanced security features such as BitLocker (which now supports drives that come encrypted from the manufacturer), AppLocker (which lets you control which applications can be run), and DirectAccess (which manages VPN connections).

Time to get past the Start button

I’m tired of arguing about the lack of a Start button or the pros and cons of the dual Windows 7/Metro UI. Now that I’ve seen Windows 8 in action, I am impressed — not with the UI per se (I’m still not there) but with the security value under the hood.
In a world of increasing danger, it’s nice to know Microsoft knows how to provide a locked door so that we can be safe while looking out the, er, window.

This story, “Windows 8’s stealth advantage: Better security,” was originally published at InfoWorld.com.