As expected, there has been a lot of hype over the forthcoming Windows 8 operating system. Will it be good for the enterprise? Well, that's sort of a personal preference. I'm certainly not in love with the new Windows 8 interface, formerly known as Metro. Windows 8, however, has some new controls that can help enterprises minimize the impact of malware -- at least for now.
In addition to address space layout randomization (ASLR) and the Data Execution Prevention feature, Windows 8 handles memory allocation differently. The kernel has been hardened, as outlined recently at a Black Hat event. These are definitely nice to have, since the last thing any enterprise needs is a desktop OS that merely facilitates the gullibility of users and the advanced attack vectors of today's malware.
Malware aside, I believe that, like any other OS, Microsoft Windows 8 security is susceptible to some commonly overlooked flaws. If you deploy Windows 8 in the enterprise, you're still going to have some work to do. Numerous flaws can put your business into a bind as quickly and easily as any niche malware or technical exploit ever could.
Some vulnerabilities don't get the respect they deserve, including accounts with non-expiring passwords and logon auditing that is not enabled. These are things that the Microsoft Baseline Security Analyzer found on an out-of-the-box setup of Windows 8 Release Preview.
More about Microsoft Windows 8
What IT can expect from Windows 8
A look at alternatives to Windows 8
Windows migrations move ahead, despite BYOD and the cloud
Windows 8's new user interface may not be good for all users
Microsoft focuses on security for Windows 8 on tablets
Exchange shops get ActiveSync support in Windows 8 for BYOD control
Oh, and what about no full disk encryption being enabled by default? This is one of the greatest vulnerabilities among mobile computers and even certain desktops. Microsoft BitLocker may not be the best control for Windows 8 security because it can be cracked using a tool such as Passware Kit Forensic. But even if it's not enabled by default, BitLocker is a great defense against certain attacks.
A further look at Windows 8 security using GFI's LanGuard 2012 revealed even more vulnerabilities, such as unnecessary shares being enabled, cached logon credentials and the ability for a user (or attacker) to shut down the system without logging on. These may or may not affect your organization, but they're still good to know.
LanGuard also reported that no supported firewall product was found, even though Windows Firewall was indeed enabled by default. That could just be an incompatibility between LanGuard and Windows 8 Release Preview, but you need to decide if Windows Firewall is sufficient for your enterprise desktop security needs.
Digging in further, what about all those logs you need to enable and be monitoring? And what about the baseline security configurations put out by standards bodies and even Microsoft itself through its Security Compliance Manager toolkit? Even something as seemingly pointless as a Group Policy Object (or a local policy for standalone Windows workstations) that manages screensaver timeouts can come in handy. Screensaver timeouts aren't enabled by default -- at least in Windows 8 Release Preview. Who's going to do that for you when your users procure their own systems and never connect to your domain? Yet another line item on your Windows hardening to-do list.
Speaking of full disk encryption, the general lack of screensaver timeouts (and user discipline) to lock screens when systems are left alone is arguably the best way to negate any disk protection. What if a bad guy wants what's on someone's encrypted Windows 8 machine? No problem; just wait for the user to walk away without locking the screen. All security controls are out the door starting at that moment.
My point about Windows 8 security is simple: Don't buy into the headlines and marketing trickery. Microsoft Windows 8 is sure to be the most secure enterprise-ready OS we've ever seen. Big deal. Based on what I see in my work, it's not the niche and nuanced security holes that'll get you but rather the Windows security best practices around account administration, patching and system hardening that some in IT continue to ignore. You have to focus on what counts the most if you're going to gain control of your desktops.
Don't get me wrong; the malware threat is real, especially given the advanced attacks taking place today. The stronger memory allocation and kernel controls will no doubt help for Windows 8 security. But as I found, even the world's "most secure" OS can actually be vulnerable out of the box. In bring your own device (BYOD) environments, everyday users with Windows 8 tablets can make systems even more vulnerable. Proceed with optimistic caution with Windows 8. Just be smart with your approach.
This was first published in October 2012