Microsoft today outlined some of the security improvements coming with Windows 8.1, broken down into four areas: trustworthy hardware, modern access control, protecting sensitive data, and malware resistance. The company’s Trustworthy Computing team announced the enhancements at Black Hat 2013 yesterday, and now today they’re sharing them with everyone.
Trustworthy Hardware
This is mainly aimed at bring your own device (BYOD) scenarios:
- The Trusted Platform Module: TPM is a hardware security device or chip that provides a number of crypto functions, including securely storing keys and performing cryptographic measurements. It’s a great tool for the enterprise, but has been an optional piece of technology for consumer devices.
- TPM 2.0 is required for all InstantGo (Connected Standby) devices, and Microsoft wants TPM 2.0 to be a requirement for all devices by January 2015. Features include key attestation, which lets a relying party verify that a private key is bound to the hardware rather than being held by software (and therefore exposed to malware), and virtual smartcard management WinRT APIs that enable Windows Store apps to set up and manage virtual smartcards.
Modern Access Control
The controls that IT departments can place on devices to restrict who can physically access a device:
- First Class Biometrics: Microsoft believes that biometrics is the solution to replace passwords over time. Biometrics goes beyond swipe to capacitive full fingerprint and can be set up on any Windows 8.1 device through Modern Settings using a standard, consistent Windows experience. Any time a user sees a Windows credential prompt, he or she can use biometrics, effectively eliminating the password for logging into secure sites and in-app user account validations. There are also new APIs to support biometrics on the WinRT platform.
- Multifactor Authentication for BYOD: Microsoft has added support for enrollment and management via WinRT APIs so all of these scenarios can be supported through a modern app experience, letting businesses control how devices connect to internal networks.
- Trustworthy Identities and Devices: The trustworthiness of the PKI has been increased by helping manage and drive certificate best practices and adherence to standards within the ecosystem. A service now scans the top 2 million SSL/TLS sites on the Web daily to look for anomalies or bad practices and will quickly notify partners (certificate authorities, or companies that had a fraudulent certificate issued in their name) when there are issues. A server or service can also require proof (attestation) that private certificates and keys are protected by hardware; if not, access is denied.
Protecting Sensitive Data
Businesses can protect their data even when it resides on employees’ personal devices:
- Pervasive Device Encryption: Device encryption is available on all editions of Windows for devices that support InstantGo. If the device supports InstantGo, device encryption can be automatically enabled.
- Selective Wipe of Corporate Data: Remote Data Removal allows an IT department to wipe corporate data (e.g. emails, attachments, corporate data that came from Work Folders) off a BYOD device without affecting personal data.
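The TPM 2.0 requirement and the pervasive device encryption described above are the kind of thing an IT department will want to verify on enrolled devices rather than take on faith. The following is an added example, not Microsoft's code and not part of the original article: a read-only PowerShell compliance check that reports whether a TPM is present and ready, whether it reports spec version 2.0, and whether the OS volume is fully encrypted with protection switched on. It uses the `Get-Tpm` and `Get-BitLockerVolume` cmdlets and the `Win32_Tpm` WMI class, which ship with Windows 8.1; the function name `Test-DeviceSecurityBaseline`, the `C:` drive assumption, and the `Compliant` property are my own choices. It must run in an elevated PowerShell session.

```powershell
# Added example (not from the article): read-only check of TPM and device
# encryption state. Assumes an elevated PowerShell on Windows 8.1 or later.
function Test-DeviceSecurityBaseline {
    [CmdletBinding()]
    param(
        # Drive whose encryption state is checked; 'C:' is an assumption.
        [string]$OsDrive = 'C:'
    )

    # TrustedPlatformModule module: presence and provisioning state of the TPM.
    $tpm = Get-Tpm -ErrorAction SilentlyContinue

    # Win32_Tpm.SpecVersion looks like "2.0, 0, 1.16"; the first field is the
    # TPM specification version, which is what the 2.0 requirement refers to.
    $tpmWmi = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
        -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $specVersion = if ($tpmWmi -and $tpmWmi.SpecVersion) {
        ($tpmWmi.SpecVersion -split ',')[0].Trim()
    } else { $null }

    # BitLocker module: device encryption is exposed as a BitLocker volume.
    $vol = Get-BitLockerVolume -MountPoint $OsDrive -ErrorAction SilentlyContinue

    $result = [pscustomobject]@{
        TpmPresent       = [bool]($tpm -and $tpm.TpmPresent)
        TpmReady         = [bool]($tpm -and $tpm.TpmReady)
        TpmSpecVersion   = $specVersion
        TpmIs20          = ($specVersion -eq '2.0')
        OsDriveEncrypted = [bool]($vol -and $vol.VolumeStatus -eq 'FullyEncrypted')
        ProtectionOn     = [bool]($vol -and $vol.ProtectionStatus -eq 'On')
        # Which protectors guard the volume key (e.g. Tpm, RecoveryPassword).
        KeyProtectors    = if ($vol) {
            ($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ','
        } else { '' }
    }

    # A device passes only if every individual check passes.
    $compliant = $result.TpmPresent -and $result.TpmReady -and $result.TpmIs20 -and
                 $result.OsDriveEncrypted -and $result.ProtectionOn
    $result | Add-Member -NotePropertyName Compliant -NotePropertyValue $compliant -PassThru
}

Test-DeviceSecurityBaseline | Format-List
```

A device that reports `TpmPresent` but not `TpmReady` has a chip that is not yet provisioned, and a volume that is `FullyEncrypted` with `ProtectionOn` set to false still has its key exposed (protection suspended), so both halves of each pair are checked separately before the overall verdict is computed.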
Malware Resistance
Microsoft is beefing up its built-in malware resistance measures:
- Improved Windows Defender: High-performance behavior monitoring detects certain bad behaviors in memory, the registry, or the file system, even before signatures have been created.
- Enhancements to Internet Explorer: A new API enables anti-malware solutions to make a security determination before a binary extension is loaded. In addition, Enhanced Protection Mode is on by default in Internet Explorer 11.
“Security continues to be a top priority for Microsoft, from secure development practices, to addressing any emerging vulnerabilities, to collaborating with others in the industry to protect our customers,” Dustin Ingalls, the Group Program Manager for Windows Security & Identity, said in a statement. The above certainly makes the case that Windows 8.1 will be worth upgrading to for the security improvements alone.
See also – Microsoft’s security team is killing it: Not one product on Kaspersky’s top 10 vulnerabilities list and Microsoft now gives developers 180 days to plug security holes in Windows, Windows Phone, Office, and Azure apps