by Constantine von Hoffman

Enterprise Version of Windows 8 Focuses on Security

Mar 08, 2012 | 3 mins
Data and Information Security, Encryption, Malware

If it works as promised, you may want to skip 7 altogether

Although many companies are only now upgrading to Windows 7, if Windows 8 does all it claims, CIOs and CISOs may want to head straight to the new version.

Number 8 has clearly been designed with an eye toward the security features essential for enterprise-level use.

Windows To Go gives freelance workers and contractors access to the OS and apps but not the full server permissions that full-time employees have. It also lets users boot a preconfigured, IT-certified Windows 8 image onto any laptop from a USB drive and boot up a Windows 8 image on a Windows 7 PC.

Secure Boot aims to prevent malware from infecting computers during startup — before Windows and its built-in safety features kick in. It does this by confirming all components contain appropriate security certificates before letting them launch. To meet those certification requirements, PCs and tablets must ship with Secure Boot enabled. While it can be turned off by the end user in PCs, this can’t be done on tablets. Secure Boot requires unified extensible firmware interface (UEFI) BIOS to run — something only found on the newest PCs.

This has prompted criticism from some in the open source community, who see it as a stealth attack against installing open source operating systems on Windows-branded PCs. InformationWeek’s Mathew J. Schwartz reports:

Open source advocates are warning that the Microsoft move to UEFI could disenfranchise people who use PCs to run non-Windows operating systems. “As things stand, Windows 8 certified systems will make it either more difficult or impossible to install alternative operating systems,” said Matthew Garrett, who works on power management and mobile development for Linux distributor Red Hat.

As Schwartz points out, this is because UEFI will only hand off to an operating system environment using digital certificates that the PC firmware recognizes. That certification program won’t require manufacturers to include certificates that authenticate non-Windows operating systems. Because Windows 8 machines are shipped with Secure Boot on, people who install other operating systems on “Windows 8 certified” machines may not be able to get their PCs to boot.

BitLocker drive encryption is a holdover from Windows Vista, but the new version is supposed to encrypt drives more quickly than before. It will do this in part by only encrypting those parts of the disk drive actually being used. Why encrypt what you aren’t using yet? It will run best on PCs equipped with the Trusted Platform Module, which may need to be enabled in the BIOS settings.

SmartScreen Application Reputation Service is designed to let employees know if they are in danger of downloading applications that are unsafe or are out-and-out malware. It does this by comparing the app to known reputation data and then warning users if it has a bad rep. So programs from trusted vendors will get a green light, but lesser-known software triggers a warning. Of course, this won’t protect against corrupted versions of otherwise OK software.