Windows 8 is the technological equivalent of Marmite. Whilst the system is not as universally hated as Windows Vista, the latest Microsoft operating system certainly polarises opinion. Critics say the modern UI lacks important functionality, the experience of switching between the desktop and the modern apps is jarring, and the lack of a genuine Start button is confusing.
On the other hand, its supporters say that the faster start-up, excellent OneDrive (formerly SkyDrive) integration, and the ever-growing app store more than make up for its deficiencies elsewhere.
One factor is frequently overlooked though – Windows 8 is unquestionably Microsoft’s most secure version of Windows to date. After being regularly criticised for poor levels of security in past operating systems, Microsoft deserves credit for the wholesale changes made to their latest release.
MakeUseOf investigates the features that make Windows 8 the most secure Windows version yet…
Windows 8 Secure Boot
Secure Boot is a security standard developed by members of the PC industry to help make sure that your PC only boots an operating system that is trusted by your PC manufacturer. You will find it on all new logo-certified Windows machines.
PCs which have Secure Boot use UEFI firmware instead of the traditional BIOS. By default, the machine’s UEFI firmware will only boot software signed by a key embedded in the UEFI firmware. If the software is not trusted, the PC will initiate an OEM-specific recovery sequence to restore the original trusted software.
On older, non-Windows 8 PCs, a rootkit can install itself and become the boot loader. An infected computer’s BIOS would load the rootkit at boot time, which would then help intruders gain access to systems while avoiding detection. Secure Boot prevents this from happening.
If you find the concept of UEFI confusing, try reading our recent article which explains more about UEFI and how it works.
Early Launch Anti Malware (ELAM)
A sub-component of Secure Boot, ELAM is designed to enable security vendors to validate non-Windows components that are loaded during start-up.
When your system starts, the kernel will launch ELAM first, thus ensuring that it is launched before any other third-party software. This allows it to detect malware in the boot process itself and prevent the malicious code from loading or initialising.
Once it has scanned all third-party applications and drivers, it sends the system kernel a report. The apps and drivers are classified as ‘good’, ‘bad’, ‘bad but boot critical’ or ‘unknown’. All drivers will be loaded, with the exception of bad drivers.
SmartScreen
SmartScreen was a technology Microsoft introduced in Internet Explorer 9 which has now been expanded to cover all EXE files downloaded onto Windows 8 systems. We were so impressed with this expansion that we included it as one of our five surprising facts about Windows 8 back in 2012.
It helps to protect you against online security threats by using three key features. Firstly, it has anti-phishing protection which will screen threats from imposter websites that seek to acquire your personal information such as user names, passwords, and billing data. Secondly, it aims to remove all unnecessary warnings for well-known files while showing you severe warnings for high-risk downloads. Finally, it helps to prevent potentially harmful software from infiltrating your computer.
It works by taking a checksum of an EXE file and comparing it to Microsoft’s cloud database of known good and bad application checksums. If the result is unknown, Microsoft will warn you before you open the file that the program could be malicious and is of unknown provenance.
If you are a confident Internet user you might find that SmartScreen’s continuous warnings become tedious. Luckily, Microsoft has allowed users to disable the feature – just head to the ‘Control Panel’, click on ‘Action Centre’, then choose ‘Change Windows SmartScreen settings’ in the left pane. On the menu that appears you need to check the box next to ‘Don’t do anything (turn off Windows SmartScreen)’ and click ‘OK’.
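The script below is an added example, not part of the original article: it reports whether Secure Boot, the ELAM driver load policy and SmartScreen are in the state described in the sections above, which makes it easy to spot a machine where SmartScreen has been switched off. The registry locations and the helper function names are not taken from the article; the registry values are those Windows 8 uses for these settings, and the script assumes an elevated PowerShell prompt.

```powershell
# Added example: audit Secure Boot, ELAM policy and SmartScreen on Windows 8+.
# Function names are illustrative; run from an elevated PowerShell prompt.

function Get-RegistryValueOrNull {
    param([string]$Path, [string]$Name)
    try   { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # key or value absent: the OS default applies
}

function Resolve-Setting {
    # Translate a raw registry value into a readable label.
    param($Raw, [hashtable]$Labels, [string]$WhenMissing)
    if ($null -eq $Raw)            { return $WhenMissing }
    if ($Labels.ContainsKey($Raw)) { return $Labels[$Raw] }
    "Unrecognised value '$Raw'"
}

function Get-SecureBootState {
    try {
        if (Confirm-SecureBootUEFI -ErrorAction Stop) { 'Enabled' } else { 'Disabled' }
    } catch [System.PlatformNotSupportedException] {
        'Not supported (firmware is not booting in UEFI mode)'
    } catch {
        "Unknown: $($_.Exception.Message)"   # for example, prompt not elevated
    }
}

function Get-ElamDriverLoadPolicy {
    # Decides which ELAM classifications are still allowed to load at boot.
    $raw = Get-RegistryValueOrNull 'HKLM:\SYSTEM\CurrentControlSet\Policies\EarlyLaunch' 'DriverLoadPolicy'
    if ($null -ne $raw) { $raw = [int]$raw }
    Resolve-Setting $raw @{ 8 = 'Good only'; 1 = 'Good and unknown'
        3 = 'Good, unknown, bad but boot critical'; 7 = 'All, including bad' } `
        'Not configured (default: everything except bad drivers)'
}

function Get-SmartScreenState {
    $raw = Get-RegistryValueOrNull 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer' 'SmartScreenEnabled'
    Resolve-Setting $raw @{ 'RequireAdmin' = 'On: administrator approval for unrecognised apps'
        'Prompt' = 'On: warn before running unrecognised apps'
        'Off'    = 'OFF: downloaded programs are not checked' } 'Not set (OS default applies)'
}

[pscustomobject]@{
    SecureBoot       = Get-SecureBootState
    ElamDriverPolicy = Get-ElamDriverLoadPolicy
    SmartScreen      = Get-SmartScreenState
}
```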
Windows Defender
In Windows 8, Microsoft has enhanced its own built-in Windows Defender software by adding anti-virus and anti-malware features. In previous versions of the OS, Windows Defender was exclusively an anti-spyware tool and only offered three ways to protect your PC – there was no protection against other threats.
While these new features are welcomed, you need to be aware that Windows Defender is still not as robust as third-party software. Independent testing suggests it offers a good baseline protection, but little else. If you are a very light Internet user it may be enough, but regular users and most businesses will require more comprehensive protection.
Dynamic Access Control
Dynamic Access Control (DAC) is a data governance tool in Windows Server 2012 and Windows 8 that lets administrators control access settings based on parameters such as the sensitivity of the resources, the job or role of the user, and the configuration of the device that is being used to access the resources.
In practical terms, this means an organisation could allow access to a given folder as long as an individual is using an authorised company-issued device, but prevent that same individual from accessing the folder from their own personal device. Consequently, this reduces the likelihood of security breaches and diminishes the risk around data theft.
Remember, DAC is not supported in Windows operating systems prior to Windows Server 2012 and Windows 8. When DAC is configured in environments with supported and non-supported versions of Windows, only the supported versions will implement the changes.
DirectAccess
DirectAccess provides intranet connectivity to client computers whenever they are connected to the Internet. It works similarly to a regular VPN, with the difference being that DirectAccess connections are designed to connect automatically as soon as the computer goes online, without any user input.
DirectAccess is more secure than a traditional VPN. Typical VPN-based remote client computers might not connect to the internal network for weeks at a time, preventing them from downloading Group Policy objects and software updates. During these periods they are at a greater risk of being compromised by malware or other attacks, which could then spread inside the corporate network through e-mail, shared folders, or automated network attacks.
The result is that IT departments are reliant on users performing certain actions to keep their computers secure. DirectAccess removes this reliance by letting an IT team continuously manage and update remote computers whenever they are connected to the Internet.
Unlike a regular VPN, DirectAccess also supports selected server access and IPsec authentication with a network server, along with end-to-end authentication and encryption – both of which enhance the overall security of Windows 8.
Windows To Go
Windows To Go is a feature in Windows 8 Enterprise that allows users to boot and run from mass storage devices such as USB flash drives and external hard disk drives.
The feature is perfect for companies who operate a ‘Bring Your Own Device’ (BYOD) policy because it enables a complete, managed Windows 8 desktop to be booted from a company-issued USB flash drive directly onto any laptop that an employee owns. Access to hard disks and other potentially dangerous peripherals is disabled when using Windows To Go, but files, preferences and programs are there for your convenience. It is unquestionably a safer option for companies who want employees to be able to connect from home PCs without opening up VPN access to untrusted home computers.
Microsoft have undeniably taken huge steps forward with the enhanced security features in Windows 8, though some users may argue that it still lags behind Apple’s and Linux’s offerings.
What do you think? Are you impressed with the new features or are Microsoft simply implementing ideas that should have existed five years ago? Are the new features enough to make you consider upgrading from an old version of Windows – or perhaps even making the jump over from an alternative operating system?
Let us know in the comments below.