During the development of Windows 8 and following the OS's release in fourth quarter 2012, the media focused largely on the new Windows 8 Modern UI (previously known as Metro), which was primarily designed for touch-enabled PCs, laptops, and tablets.Less attention has been given to Windows 8 security, but there's much more on the table than you might have imagined.
Windows 8 UI Applications
Microsoft sees the future in Windows 8 applications—and the new programming model that enables developers to quickly provision apps. This model is based on JavaScript with HTML5 and CSS3 as the presentation layer (or alternatively, Visual Basic, C++, or C# and Extensible Application Markup Language—XAML).
This new development environment has givenMicrosoft the ability to integrate security from the get-go as opposed to bolting on security measures, as we see in traditional desktop applications. As such, low-level changes in Windows 8 are designed to make Modern UI apps more secure than their desktop counterparts.
Application Sandboxing
Prior to Windows Vista, access control lists (ACLs) determined which user or users could access files and other system objects, such as registry entries. Integrity levels were introduced in Windows Vista, partly to help implement Internet Explorer (IE) Protected Mode, which restricts websites from modifying objects that have medium or high integrity. Integrity levels add another dimension to Windows security, so that processes and objects that are accessible to a user can also be marked with a level of trust. For example, applications or files that are deemed to be a risk to system security, such as IE or files downloaded from the Internet, run with low integrity and can't modify objects that are marked with a higher integrity level.
AppContainer is a new security mechanism for Windows 8 Modern UI applications. AppContainer is enabled by a new integrity level that blocks Read and Write access to items with higher integrity. This approach differs from Windows Vista and Windows 7, in which applications that run with low integrity can read objects with medium or high integrity. All Windows 8 Modern UI applications run with the AppContainer integrity level, except for Internet Explorer 10 (IE10), which runs with medium integrity.
When users log on to Windows 7, each user session is assigned a separate kernel namespace to prevent conflicts. The Windows kernel uses namespaces to hierarchically organize Windows resources (or objects). In Windows 8, apps with the AppContainer integrity level create named kernel objects in a separate namespace from the user session. Unlike other integrity levels in Windows 8, AppContainers can be fine-tuned to suit individual applications. A set of defined capabilities allow the apps to access areas of the OS that are denied by default.
Declarations
By default, Windows 8 Modern UI applications can access only their own storage areas. To get access to a user library, the network, or a hardware device, an app must declare this intention in its manifest file. When you install an app from the Windows Store, the declarations about the kind of access the app needs to run are displayed. The user can decide whether to allow this access. These 10 capabilities can be declared:
- internetClient
- internetClientServer
- privateNetworkClientServer
- documentsLibrary
- picturesLibrary
- videosLibrary
- musicLibrary
- enterpriseAuthentication
- sharedUserCertificates
- removableStorage
The enterpriseAuthentication capability allows apps to impersonate the credentials of the logged-in user on the network. All the other capabilities are self-explanatory, but note that apps can access files on removable storage only when the file type is specifically declared in the manifest. Files on HomeGroup network shares aren't accessible. At the time of writing, Windows 8 Modern UI apps can't access SQL Server for local data storage, but Microsoft is expected to introduce more capabilities in future Windows releases. For more information on declaring capabilities for Modern UI applications, see the Capabilities topic in the Windows Dev Center.
IE Enhanced Protected Mode
Tabs in the desktop version of IE10 also run in an AppContainer sandbox when Enhanced Protected Mode (EPM) is enabled. Protected Mode uses Mandatory Integrity Control to help prevent the installation of malicious code or changes to system files if the browser is exploited. EPM builds on Protected Mode by adding a series of new security features.
If you've loaded Windows 8 and started IE, you might have noticed that IE10 runs in mixed 32-bit/64-bit mode by default. The window borders and menus run in 64-bit processes and the tabs run in 32-bit processes.
Whenever possible, run 64-bit processes to take advantage of advanced security features, such as Address Space Layout Randomization (ASLR)—more on ASLR later in this article. Some toolbars and plug-ins are incompatible with 64-bit IE, so EPM is disabled by default in desktop IE. Because the Windows 8 Modern UI app version of IE has a no-plug-in architecture, EPM is unlikely to cause any compatibility problems and is enabled by default. If desktop IE comes across a plug-in that's incompatible with EPM, then the plug-in is automatically disabled. You can then choose whether to disable EPM specifically for the website in question.
To give extra protection to personal data, EPM uses a broker process when a user tries to upload a document to a website. This process gives IE access to the document only when the user clicks Open in the File Upload dialog box. When EPM is enabled, IE has access to user documents only when necessary, rather than all the time. Tabs are also restricted from accessing local sites running on the corporate Intranet and from accessing users' domain-login credentials. Finally, EPM tabs can't run as a local webserver. EPM can be switched on from the Advanced tab in the Internet Settings applet in Control Panel or by using Group Policy, as Figure 1 shows.
SmartScreen
First introduced to check the integrity of websites that are loaded in IE, the SmartScreen filter has been expanded in Windows 8. The filter now also checks all files that are downloaded from the Internet against the Microsoft reputation service.
In Windows 8, SmartScreen is configured by default to require administrator approval before a file with no reputation can be run. You can change SmartScreen settings in the Action Center or via Group Policy under Computer Configuration, Administrative Templates, Windows Components, File Explorer, as Figure 2 shows.
The SmartScreen filter can also be controlled via Group Policy for IE security zones.
Platform Integrity Architecture: Measured and Secured Boot
Hardware-based security has been beefed up in Windows 8. It now supports several new features that are enabled by Unified Extensible Firmware Interface (UEFI) firmware and the Trusted Platform Module (TPM), which can also been used by BitLocker in Windows Vista or later. The Measured Boot and Secure Boot protocols help identify rootkits and prevent malicious code from hiding from the OS. Measured Boot requires TPM but will work with conventional BIOS.
Secure Boot. Windows 8 supports the UEFI Secure Boot protocol, as part of the Windows 8 secured boot architecture. Secure Boot is designed to work with hardware devices that run a UEFI-compatible BIOS, to verify the integrity of the pre-Windows environment and stop malware from modifying the firmware and injecting itself pre-boot. An independent forum is developingUEFI to use the capabilities of modern hardware so that the pre-OS environment can communicate directly with the hardware, using fast block I/O instead of legacy software interrupts. The Trusted Computing Group (TCG) defines the UEFI specifications.
Secure Boot prevents the device firmware from booting malicious OS loaders, which can remain undetected by Windows. Windows 8 platform integrity architecture also includes Early Launch Anti-Malware (ELAM) and the ability to verify client health by comparing the system start state, as recorded in the device's TPM, with data held in a remote verifier.
Public Key Infrastructure (PKI) is used to establish a chain of trust. During manufacture, OEMs install a platform key that protects firmware from malicious changes. When a computer with UEFI Secure Boot starts, the firmware verifies the state of boot-loader files and the firmware on devices such as network and video cards, before handoff. Verification occurs by comparing the signatures stored in the various firmwares against databases of allowed and disallowed signatures. Your motherboard must support UEFI, which must be enabled in the firmware before Windows 8 is installed. After UEFI is enabled, Windows 8 can be installed from DVD media or from a bootable FAT32 USB stick. UEFI requires that Windows be installed on a GUID Partition Table (GPT) disk partition; if you have a previous installation of Windows on a Master Boot Record (MBR) partition, you'll need to wipe it and convert to GPT. You can do this by using the Diskpart command from Windows Preinstallation Environment (Windows PE), if necessary.
|
Partition |
Size |
|---|---|
|
Windows Recovery Environment (RE) tools |
300MB |
|
System |
100MB |
|
Microsoft Reserved Partition (MSR) |
128MB |
|
Windows |
Remaining disk space |
After the boot partition is prepared, you can start installing Windows 8. To install Windows 8 in UEFI mode and not BIOS mode, make sure that you boot from a designated Extensible Firmware Interface (EFI) drive when you boot from DVD or USB to install Windows. The simplest way to ensure this is to set the boot drive specifically in the firmware. You'll then be able to see drives marked as EFI.
UEFI Secure Boot requires four partitions, but the install process does all the necessary configuration for you. Table 1 shows the required partitions.
After Windows 8 is installed, you can check that UEFI Secure Boot is enabled by running the following PowerShell command:
confirm-SecureBootUEFI
The command returns a value of True if Windows 8 is running in UEFI mode.
Measured Boot. Measured Boot is a new feature, available to antivirus software and building on UEFI's Secure Boot. It confirms the health of a machine by using a log file, stored on the TPM chip, that's generated every time the system boots. This log contains a list of hashes that are used to confirm the integrity of the drivers and components that are loaded during the boot process, before antivirus is started. The log file can also be protected by a cryptographic key that's issued to the TPM. When fully loaded, antivirus software running in Windows can inspect the hashes to check for any unauthorized changes to boot components and drivers.
Remote attestation allows the antivirus software running on the client to send the Measured Boot log file to a server for verification. In this way, the client PC doesn't rely on itself to determine its own health. Servers are deemed to have a higher level of assurance than PCs, so confirming the claims made by client PCs in this way is preferable.
ELAM System
If enabled, the Windows ELAM system driver is the first to load. It allows an ELAM driver, provided by antivirus software, to categorize drivers as good or bad (see Table 2 for classifications).
|
Classification |
Description |
|---|---|
|
Good |
The driver has been signed and has not been tampered with. |
|
Bad |
The driver has been identified as malware. You should not allow known bad drivers to be initialized. |
|
Bad, but required for boot |
The driver has been identified as malware, but the computer cannot successfully boot without loading this driver. |
|
Unknown |
This driver has not been attested to by your malware detection application and has not been classified by the Early Launch Anti-Malware Boot-Start Driver. |
This information is then passed back to the Windows ELAM driver, which determines whether successive boot drivers should be initialized, based on a driver initialization policy. The ELAM Boot-Start Driver Initialization Policy can be found in Group Policy under Computer Configuration, Administrative Templates, System, Early Launch Anti-Malware.
When enabled, the Boot-Start Driver Initialization Policy can be set to initialize only good drivers; good and unknown; good, unknown, and bad but critical; or all drivers. Assuming that your hardware has a TPM, Windows Defender supports ELAM out of the box.
Advanced Exploit Mitigations
ASLR, which has been part of Windows since Windows Vista, randomizes the location of system libraries in memory to make exploits more difficult. ForceASLR in Windows 8 has been improved to randomize the location of DLLs that don't declare themselves compatible with ASLR. ForceASLR is also available for Windows 7 and Windows Server 2008 R2 as an optional download.
Also new to Windows 8 is High Entropy ASLR (HEASLR), which brings a greater level of randomization to ASLR but requires DLLs to opt in before it's applied. If you run devices with Intel's new Ivy Bridge processor architecture, then Windows 8 uses the new random number generator (Intel Secure Key Technology), providing a greater level of randomization than when relying on the system clock. Windows 8 randomizes some low-level memory-allocation functions, randomizing not only system libraries but also standard Windows applications. IE10 uses the full set of ASLR functions. Windows 8 UI apps and Windows Services always opt in for HEASLR.
Windows 8 can't be installed on hardware that doesn't support an Intel NX (No eXecute) bit or its equivalent. Hardware data execution prevention (DEP), which is designed to prevent applications from executing code in non-executable areas of memory, is a system requirement. The Windows 8 kernel now runs in and allocates non-executable memory, making it more difficult to attack. Supervisor Mode Execution Prevention (SMEP) in Intel Ivy Bridge processors helps prevent attackers from exploiting bugs in the system kernel. SMEP works by not allowing the kernel to execute attack code residing in memory that's allocated to a malicious process. For more information on DEP and ASLR, see "Vista and Server 2008 Malware Protection Gems."
Access Control and Data Management
Dynamic Access Control (DAC) is new in Windows Server 2012. It promises to change the way organizations manage access to corporate data. The traditional NTFS-based system of ACLs is too unwieldy to manage on a large scale, partly because it doesn't offer any form of centralized management. Windows 8 is the only Microsoft OS to support claims-based authorization, which is a requirement for working with DAC in Windows Server. Compound claims (user and device claims) also require Windows 8. Changes to DirectAccess and the ability to manage virtual smart cards give Windows 8 users the ability to use the device as a network access token, negating the need for a physical smart card. For more information on DAC, see the Windows Server Blog post "Introduction to Windows Server 2012 Dynamic Access Control" or go to "Understanding and Evaluating Virtual Smart Cards" for a white paper on virtual smart cards.
Windows Defender
Now incorporating functionality that was available separately as Microsoft Security Essentials, Windows 8 computers have antivirus and spyware out of the box via Windows Defender, as Figure 3 shows.
Although Windows Defender is likely to appeal mostly to consumers, small businesses, or those who simply don't want to spend money on security software, providing Windows with basic antivirus capabilities can only be good for the overall security landscape. Windows Defender can't be managed centrally, so large organizations will still need to pay for antivirus to get full management and monitoring functionality.
Boost Hardware-Based Security and More
Windows 8 offers much more than just a shiny new interface. Some (but not all) security improvements rely on new hardware developed by Microsoft and Intel. Although there's no such thing as 100-percent secure, Windows 8 makes it significantly more costly for an attacker to penetrate systems that are properly configured with security in mind.