ISO Consensus Papers
ISO Consensus Paper: Windows 8
Windows 8 is due to officially be released on October 26, 2012. It represents a shift in strategy for Microsoft in that it is a unification of their desktop and handheld operating system platforms. Many parts of the operating system, especially focusing on the user interface, have been significantly changed from Windows 7 as a result. User education may therefore be more of a requirement for user adoption and acceptance than recent versions.
Higher education networks often contain a mixture of managed and unmanaged Windows workstations. Managed Windows workstations are usually under the control of an administrative authority through Active Directory; are updated and managed using a central utility, such as SCCM or Absolute Manage; and use an enterprise-wide anti-malware solution. On unmanaged Windows workstations, the typical user has administrator access and relies on automated updates from Microsoft and anti-malware companies.
The purpose of this paper is to provide guidance regarding the security of Windows 8. Where applicable, we include notes on differences in recommendations between unmanaged and managed workstations. Although there are several editions of Windows 8, for the purposes of this paper, we evaluated Windows 8 Enterprise only.
Pay attention to what you're purchasing: There will be five versions of Windows 8, down from six of Windows 7. These are: Windows 8, the basic consumer edition targeted at home users; Windows 8 Pro, targeted to enthusiasts and business users with features such as BitLocker, EFS, and Hyper-V support; Windows 8 Enterprise, similar to the Pro version but for enterprise customers; Windows 8 RT, for ARMbased handheld devices; and Windows 8 "N" versions, for the European market. As was the case with Windows 7, the security and IT management features available to you will depend upon which edition of the operating system you are using, with the basic version missing many of them. Security features such as BitLocker, BitLocker To Go, and EFS are only available in the Pro and Enterprise editions, for example. Many business-oriented features, such as the ability to be an Active Directory member, are not available in the basic edition. A detailed comparison of the features available in each edition of Windows 8 is available at: https://en.wikipedia.org/wiki/Windows_8_editions. In addition to the differences between editions, OEM computer makers may preinstall Windows 8 with a different set of security defaults, or include third-party security packages.
Your upgrade path depends on what you're currently using: As with Windows 7, upgrades are only allowed to the same or higher edition of the version currently installed. So, if you have Windows 7 Professional or Ultimate, you may only upgrade to Windows 8 Pro. Additionally, 32-bit and 64-bit versions of Windows 7 may only be upgraded to the equivalent version of Windows 8 (i.e. a 32-bit version of Windows 7 cannot be upgraded to a 64-bit version of Windows 8). Upgrades to any edition of Windows 8 are allowed from Windows XP with SP 3 and Windows Vista clients. However, the actual upgrade process itself may require a complete re-install; in-place upgrades from Windows XP and Windows Vista without SP 1 are not supported.
The security features are useful only if used: Many of the enhanced security features of Windows 8 are always on and do not need to be enabled. Our concerns from Windows 7 regarding user acceptance of the Firewall, User Account Control, and Action Center remain, however. If users feel that these services are interfering with their activities or simply too noisy, they may disable them if they have administrative rights, reducing the overall security of their systems. User education and restricting administrator access reduces the likelihood of this. The ISO continues to strongly recommend that managed users not have administrative access to their workstations and unmanaged users run under normal user accounts and elevate to administrative accounts only when necessary (e.g. to install drivers). The ISO has published a guide to running as a normal user account for Windows computers at https://wikis.utexas.edu/display/ISO/How+to+Not+Login+as+Administrator+%28and+still+get+your+jo b+done%29.
Consider using centralized management to enforce security: Many of the security controls in Windows 8 can be managed, or at least enabled, centrally. This allows you to force a system to be compliant with your policies. Consider using Active Directory group policies and other management tools. An Absolute Manage environment is also available from ITS, which can be used to streamline configuration and enforcement of many security setting as well as facilitate deployment of applications and patches to large numbers of computers. Documentation for this service is at https://www.utexas.edu/its/products/absolutemanage/.
Don't get a false sense of security: Although Windows 8 has added several new security features and includes many tweaks under the hood to be more resistant to compromise, it is still important to be vigilant and maintain a layered approach to security. An additional security layers that should be considered include a perimeter firewall, host/network intrusion detection, and third-party auditing tools. Even operating systems that have a better security history than Windows, and have implemented some of the same security features (such as privilege separation) for a much longer period of time, occasionally get compromised.
Upgrading from Windows XP and Vista clients should be prioritized: There is unfortunately still a significant portion of campus users on Windows XP. While extended support is not ending until 2014, this only covers critical security updates. Security features and tools present in newer versions of Windows are not being made available for or patched into Windows XP. The latest versions of Internet Explorer, which also contain security enhancements and bug fixes, will not be compatible with Windows XP. At this point, we feel that Windows 7 and 8 offer substantial and compelling security benefits over Windows XP and strongly recommend that Windows XP users upgrade to Windows 7 or 8 as soon as is feasible. Departments should phase Windows XP out of their environment as resources become available.
Support for Windows Vista is ending this year, although extended support will exist until 2017. Still, given the enhanced security, performance, and reliability features present in newer versions, we recommend upgrading.
You can afford to wait to upgrade if you are already on Windows 7: For Windows 7 users, as long as your current systems are up-to-date and have the appropriate security controls in place for your environment, the improvements and new features offered in Windows 8 may not be enough to warrant an immediate upgrade. We recommend a wait-and-see approach for departments that have already migrated to Windows 7.
Windows 8 now comes with Windows Defender, which acts as both an anti-virus and anti-spyware application, installed by default. For campus users, the ISO still recommends the use of Microsoft Forefront, available through Bevoware. Installing another anti-virus product will cause Windows Defender to disable itself, although it is worth noting that if you do not keep the third-party anti-virus up to date, Windows Defender will once again take over.
Download screening via SmartScreen Filter
The SmartScreen Filter was introduced with Internet Explorer 9 and its purpose is to detect and block known malware from being downloaded and executed. With Windows 8, this functionality has been separated from IE and added directly to Windows so that it now works with all browsers. Additionally, instead of prompting users every time a new application downloaded from the Internet is executed via a Security Warning dialog, Windows 8 only prompts users when they execute applications that are unknown to SmartScreen, and thus may be dangerous to run. This should cut down on the number of alerts users experience and help to identify suspicious applications.
PIN and Picture Password options for accounts
Windows 8 introduces two new account authentication methods to make it easier for users to log in: PIN and Picture Password. The PIN is simply a 4-digit number and a Picture Password is a series of movements, clicks, and gestures captured over a user-selected image. Users must still set a regular password, which will be required to perform any tasks that need administrative rights. These new password types are primarily intended for users of handheld devices. The use of these methods with desktops or laptops should be discouraged, as we would not consider either to comply with the Information Resources Use and Security Policy.
Managed environment notes: Group policy can be used to disallow both PIN and Picture Password for account authentication. High security areas should continue to use long passphrases for account security wherever possible. PINs and Picture Passwords are not compliant with the Minimum Security Standards for Systems.
With Windows 8, Microsoft is starting to push the use of UEFI as a replacement to the BIOS boot system used on the vast majority of PCs today. Secure Boot is a new component of the UEFI boot system that is designed to prevent boot loader attacks and other advanced malware that attempts to interfere with the operation of Windows. This is accomplished by having authorized signing keys installed into the system firmware. Once enabled, any executables or drivers must be signed by one of these keys in order to then be loaded.
While this does enhance security, it will make it more difficult to install an alternate operating system onto a Windows 8 certified computer. The Microsoft Windows Certification Program will require all Windows 8 systems have Secure Boot enabled by default. Vendors are allowed by Microsoft to provide options in the UEFI to customize the signature databases and platform keys or even disable Secure Boot entirely, but they are not required to do so. Thus vendor support and implementation of tools to modify Secure Boot for use with operating systems besides Windows 8 will vary widely. Linux users are recommended to avoid Windows 8 certified computers or do research prior to purchasing to make sure the system allows customization of Secure Boot or that their desired distribution supports Secure Boot systems.
SkyDrive, Microsoft Accounts, and cloud service integration
Windows 8 now allows users to use their Microsoft Accounts to login. In fact, this behavior is recommended by many of the new applications, such as the Windows Store and Skydrive. When using a Microsoft Account, many user settings, application settings, IE favorites and history, and web sign-ins are synchronized to Microsoft's cloud. Microsoft Accounts can also be associated with domain user accounts. This is not recommended.
Managed environment notes: Group policy may be configured to block the use of Microsoft Accounts.
The Windows Store offers an online marketplace for applications and is the only place to obtain Metro style apps for Windows 8. Applications purchased through this store may only be installed on five devices concurrently.
Managed environment notes: Group policy can be used to restrict which third party applications may be installed through the Windows Store or disable access to the Windows Store entirely. Additionally group policy can control privacy settings for Metro style applications.
Send computing questions to the ITS Help Desk or call (512) 475-9400.