Now that all the hype over Windows XP's end of life is simmering down, many enterprises are making the move to Windows 8.1. That's not surprising to me because Microsoft's latest operating system is superfast, has some nice workflow improvements for IT professionals and is considerably more secure out of the box.
People are still wary of Windows 8. Much of the initially negative reaction to the OS has been around its Start screen and touch-centric user interface, which users can ignore thanks to third-party tools. So, given everything you have going on in IT right now, is the upgrade to Windows 8.1 worth the security trade-out? Will the benefits outweigh the potential user backlash? What does upgrading really deliver in terms of managing enterprise desktop risks? Here are some assumptions to be aware of (and avoid) when it comes to Windows 8.1 security.
The newest version with the latest security updates is better. We live and work in an expedient society. It's human nature to want the latest and greatest. Sometimes that's a smart move, but other times it's unnecessary. If you upgrade to Windows 8.1, you'll no doubt have the latest and greatest technologies and updates, but it doesn't mean that desktop security will automatically improve. In fact, you could theoretically create a well-managed Windows XP environment that's more secure than an average Windows 8.1 environment.
BitLocker's improvements will keep my information secure. I wasn't a big fan of BitLocker early on with Windows Vista and Windows 7. However, starting in Windows 8, Microsoft made numerous improvements in its full disk encryption technology such as preventing data from being written to non-BitLocker-protected drives, enhanced management of users' own PINs/passphrases, and preboot authentication for unattended patch deployment.
What I've discovered, however, is you can have all the encryption in the world, but all it takes is a system with a weak password or insufficient screensaver timeout to completely negate the benefits of full disk encryption. BitLocker looks good on paper, even compared with the commercial alternatives, but it's easily circumvented because of these common weaknesses.
More about Windows 8.1 features and security
Review: Goverlan RAS may help centralize Windows desktop control
Will Windows 8.1 security and management enhancements entice enterprise IT?
Windows 8.1 includes five new security features
Find enterprise-class tools in the Windows 8 app store
Windows 8 features might be reason enough to upgrade
Windows 8.1's malware protection out of the box will finally provide a means for ensuring endpoint security. The integrated Windows Defender and SmartScreen technologies are nice features to help protect the OS from targeted attacks. However, they're not going to protect desktops from the enormous amount of threats targeting third-party software such as Java, Adobe Reader and other programs users are installing.
In fact, a recent study found that 76% of vulnerabilities are not Microsoft problems but instead everything else running on top of the OS. I can't imagine that this imbalance of desktop vulnerabilities will change anytime soon.
The Group Policy Objects (GPOs) now available for managing Windows 8.1 will provide the essentials necessary for maintaining desktop oversight. Microsoft made huge strides in this area with Windows 8 and Server 2012. But GPOs are not everything. Policy doesn't have a one-to-one relationship with risk.
There are numerous other potential "gotchas" with Windows 8.1 -- really, any version of Windows -- including security risks from data leakage, click-happy users, the creation of vulnerable network shares and the general lack of threat/event correlation when bad things happen.
If you're trying to make the case for Windows 8.1 security, just make sure you properly set the expectations of executives, auditors, compliance officers and even the security manager that moving to the OS is not going to fix all of the organization's vulnerabilities. Sure, it can help, but the onus is on desktop admins and everyone using Windows 8.1 to ensure that the rest of the desktop security story is known and taken seriously.
This was first published in July 2014