Windows 7 has a strong enterprise user base, and Windows 10 is just around the corner, but where does that leave Windows 8.x? Microsoft's operating system that everyone loves to hate has a mere 15% market share. That's still enough to keep IT administrators thinking about how to best lock down Windows 8.1 security for the foreseeable future.
The good news is that Windows 8 and Windows 8.1 are Microsoft's most secure OSes to date. They're not without weaknesses, however. Desktop admins should be familiar with Windows 8 security, understand lingering vulnerabilities, and perform the proper ongoing maintenance and vulnerability testing of these systems.
Even if you have Windows 8.x installed on a relatively small number of desktops, laptops or tablets, you still have to factor in what's required to keep them locked down. After all, it just takes one overlooked or undersecured device for criminal hackers to harm your business.
As far as features go, Windows 8 and 8.1 have a lot to offer in terms of enterprise security out of the box:
- A hardened kernel and Windows Defender enabled by default to help fight off malware attacks
- Workplace Join for a quasi-domain-connected experience offering better IT control
- Open mobile device management, or MDM, for third-party product integration to improve bring your own device (BYOD) controls
- Much-improved BitLocker, especially when combined with Microsoft BitLocker Administration and Monitoring, or MBAM, including preboot authentication and user-administered PIN and passphrase resets
- New Group Policy Objects (GPOs) for Internet Explorer 11 that can help in the fight against malware and improve user privacy
Make sure you're using these security features to your advantage on Windows 8.x systems. Windows admins and users often take built-in security controls for granted. The last thing you want is management -- or a plaintiff's attorneys -- discovering that you overlooked Windows security controls that could have helped prevent a breach. In many situations, you can use what Microsoft has provided and not have to spend an extra penny on third-party security products.
Given the nature of Microsoft's OS architecture and security management in general, you should still be aware of some security vulnerabilities in Windows 8.x.
- Full-disk encryption is not enabled by default. This is something that should be on every laptop and desktop, period.
- Screensaver timeouts are not enabled by default, a vulnerability that can negate many security controls, including full-disk encryption.
- Local users can set a blank or weak password.
- Users can still have administrator privileges -- arguably one of the greatest vulnerabilities in any enterprise.
- Software patches for the OS, applications such as Microsoft Office, and third-party programs such as Java and Adobe Reader can still be installed at the discretion of the user.
- Windows Defender has been found to be less than adequate in protecting against malware.
None of these vulnerabilities should come as a surprise, since all modern operating systems are susceptible to them. Microsoft can build a super-resilient OS, but it can't make Windows completely secure if you want to get anything done on it. It's also easy to get caught up in the day-to-day operations and complexity of your environment and forget some of these basics.
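A read-only audit of the settings listed above can be scripted per machine. The following PowerShell is an added example, not part of the original article; the thresholds, the admin allow-list, and the English-language `net accounts` output and `Administrators` group name are assumptions.

```powershell
# Added example: read-only audit of the local settings listed above.
# Assumptions: English-language Windows 8.1, PowerShell 4.0, elevated prompt.
$MaxIdleSeconds = 900                                  # assumed policy limit
$MinPwdLength   = 8                                    # assumed policy minimum
$AllowedAdmins  = @('Administrator', 'Domain Admins')  # assumed allow-list
$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding($Check, $Ok, $Detail) {
    $findings.Add([pscustomobject]@{ Check = $Check; Ok = [bool]$Ok; Detail = "$Detail" })
}

# 1. Full-disk encryption on the system drive
try {
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop
    Add-Finding 'BitLocker' ($vol.ProtectionStatus -eq 'On') "$($vol.VolumeStatus), protection $($vol.ProtectionStatus)"
} catch {
    Add-Finding 'BitLocker' $false "status unavailable: $($_.Exception.Message)"
}

# 2. Password-protected screensaver for the current user (GPO value wins if set)
$ss = Get-ItemProperty 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop' -ErrorAction SilentlyContinue
if (-not $ss -or $null -eq $ss.ScreenSaveTimeOut) {
    $ss = Get-ItemProperty 'HKCU:\Control Panel\Desktop'
}
$idle = [int]$ss.ScreenSaveTimeOut
$ok   = $ss.ScreenSaveActive -eq '1' -and $ss.ScreenSaverIsSecure -eq '1' -and $idle -gt 0 -and $idle -le $MaxIdleSeconds
Add-Finding 'Screen lock' $ok "timeout=${idle}s secure=$($ss.ScreenSaverIsSecure)"

# 3. Minimum password length (0 means blank passwords are accepted)
$minLen = 0
if ((net accounts | Out-String) -match 'Minimum password length\D*(\d+)') { $minLen = [int]$Matches[1] }
Add-Finding 'Password length' ($minLen -ge $MinPwdLength) "minimum=$minLen"

# 4. Local Administrators membership beyond the allow-list
$group  = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
$admins = @($group.Invoke('Members') | ForEach-Object {
    $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null) })
$extra  = @($admins | Where-Object { $AllowedAdmins -notcontains $_ })
Add-Finding 'Local admins' ($extra.Count -eq 0) ("unexpected: " + ($extra -join ', '))

# 5. Automatic Updates enforced by policy rather than left to the user
$au = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' -ErrorAction SilentlyContinue
$ok = $au -and $au.NoAutoUpdate -ne 1 -and $au.AUOptions -eq 4
Add-Finding 'Auto-update policy' $ok "AUOptions=$($au.AUOptions) NoAutoUpdate=$($au.NoAutoUpdate)"

$findings | Sort-Object Ok | Format-Table -AutoSize
```

Rows with `Ok = False` sort to the top. The script changes nothing on the machine, so it can run from a logon script or a remote session and feed the results into the maintenance steps that follow.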
Here are several steps you need to take to ensure that your desktop systems are properly maintained and to minimize Windows 8.1 security risks:
Step 1: Get a current inventory of your Windows 8- and Windows 8.1-based systems in Active Directory, using Windows Server Update Services (WSUS) or via a simple vulnerability scan using a scanner such as LanGuard or Nexpose. Even if you believe you know where Windows 8.x is installed, you may be overlooking some key systems. Many Windows 8 and Windows 8.1 devices may fly under the radar. Whether it's related to the challenges associated with BYOD or just the fact that you (like many others) are trying to forget Windows 8, you can't afford to miss the enterprise security risks associated with the OS.
Step 2: Make sure that Windows 8.x systems are current on patches and do not have any outstanding vulnerabilities. Even if you're using WSUS, Windows 8.x systems may appear to be current but can still be missing key updates.
Step 3: Include Windows 8.x systems in any security policies, procedures and documented standards. This should include -- at a minimum -- malware protection, passwords, patching, system hardening and incident response. Also, ensure that any Windows 8.x desktops and laptops that connect to your network and/or domain fall within the scope of your GPOs.
Step 4: Stay current with information that Microsoft provides on keeping Windows 8.x-based systems locked down, such as the security baselines that are part of its Security Compliance Manager tool. Third-party resources such as the Center for Internet Security's Microsoft Windows 8 Benchmark can be great resources as well.
Step 5: Run periodic vulnerability scans on all Windows systems, both with and without user authentication. Looking at endpoint devices from both perspectives will show you the extent of any Windows 8.x vulnerabilities and how they can be exploited. Regardless of what Microsoft or others are saying, only you will truly know which threats and associated business risks Windows 8.x systems are introducing into your IT environment.
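Steps 1 and 2 can be combined into a single report. The following PowerShell is an added example, not part of the original article; it assumes the RSAT ActiveDirectory module, rights to query hotfixes remotely, and illustrative thresholds and output path.

```powershell
# Added example: inventory Windows 8.x machines from AD and check patch recency.
# Assumptions: RSAT ActiveDirectory module, remote WMI access, values below.
Import-Module ActiveDirectory
$StaleDays = 90      # assumed: no AD logon in this many days = stale record
$PatchDays = 45      # assumed: newest hotfix older than this = behind
$now = Get-Date

$computers = Get-ADComputer -Filter 'OperatingSystem -like "Windows 8*"' `
    -Properties OperatingSystem, OperatingSystemVersion, LastLogonDate

$report = foreach ($c in $computers) {
    $row = [ordered]@{
        Name        = $c.Name
        OS          = $c.OperatingSystem
        Version     = $c.OperatingSystemVersion   # 6.2 = Windows 8, 6.3 = Windows 8.1
        LastLogon   = $c.LastLogonDate
        StaleInAD   = (-not $c.LastLogonDate) -or ($c.LastLogonDate -lt $now.AddDays(-$StaleDays))
        LastHotfix  = $null
        PatchStatus = 'Unreachable'
    }
    $reachable = $c.DNSHostName -and (Test-Connection -ComputerName $c.DNSHostName -Count 1 -Quiet)
    if (-not $row.StaleInAD -and $reachable) {
        try {
            # Newest update the machine itself reports, independent of WSUS status
            $latest = Get-HotFix -ComputerName $c.DNSHostName -ErrorAction Stop |
                Where-Object { $_.InstalledOn } | Sort-Object InstalledOn | Select-Object -Last 1
            $row.LastHotfix  = $latest.InstalledOn
            $row.PatchStatus = if ($latest -and $latest.InstalledOn -ge $now.AddDays(-$PatchDays)) { 'Recent' } else { 'Behind' }
        } catch {
            $row.PatchStatus = "Query failed: $($_.Exception.Message)"
        }
    }
    New-Object PSObject -Property $row
}
$report | Sort-Object PatchStatus, Name | Export-Csv .\win8x-inventory.csv -NoTypeInformation
```

Hotfix recency is a coarse signal and does not replace the authenticated scans in Step 5. Devices that never joined the domain, such as BYOD tablets, will not appear in this report and still need to be found by a network scan.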
These steps incorporate the core principles of information security management: Know what you've got, understand how it's at risk, and then do something about it -- again and again. It's up to you to maintain Windows 8.1 security for as long as such systems are still in use. They'll likely be around for a while, so why not formalize your approach?