Group Program Manager for Windows Security and Identity Dustin Ingalls recently posted an interesting item to the Windows for your Business blog, in the wake of his attendance at the Black Hat security conference. Entitled “Black Hat 2013: Windows 8.1 Helps Keep Data Secure in a Modern Environment,” it walks readers through a list of changes and enhancements to Windows 8.1 explicitly added or beefed up to improve the new operating system’s security capabilities.
Following Black Hat 2013, MS opens up further on new or extended Win8.1 security stuff.
Here’s a list of topics with some detail summarized from that blog post:
- Trustworthy Hardware: MS is moving toward requiring support for a Trusted Platform Module (TPM), circuitry that provides enhanced cryptography, on-board secure storage for keys and certificates, and other strong security functions in future hardware (“We are working towards requiring TPM 2.0 on all devices by January 2015.”). This provides the foundation for improved security in BYOD situations.
- Modern Access Control: ways that IT can restrict access to devices. Biometrics will gain capacitive full-fingerprint support on touchscreen devices, configured through the app-based Settings widget, with biometrics now usable at any Windows credential prompt (instead of at login only). Improved APIs for biometric support in Windows Apps, including WinRT.
- Multifactor Authentication for BYOD: Continued streamlining for managing Virtual Smart Cards (VSC), including support for enrollment and management in WinRT, with more controls over how devices connect to internal networks, and secure access controls for personal devices in BYOD situations.
- Trustworthy Identities and Devices: MS will seek to “increase the trustworthiness of the PKI by help manage and drive certificate best practices and adherence to standards…” This will include a daily scanning service for the top 2,000,000 SSL/TLS sites to look for anomalies or bad practices, and the ability for servers or services to require attestation that private certificates and keys are protected by hardware (if not, access is denied — see the first bullet point above).
- Data Protection: In Windows 8.1, device encryption is available in all editions on devices that support InstantGo, while Windows 8.1 Pro and Enterprise also get the benefits of BitLocker, including BitLocker To Go, a network key protector, and automatic recovery key escrow in AD, plus a “remote wipe” capability that enables IT to delete sensitive data if a machine gets lost or stolen, or on BYOD machines (without affecting personal data).
- Malware Resistance: Windows Defender gains heuristics to monitor “bad behaviors” in memory, the registry, or the file system (before malware signatures get created or become available), and Internet Explorer gains the ability to screen binary extensions before they get loaded, along with default use of Enhanced Protected Mode in IE11.
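The TPM and BitLocker items above translate into something an administrator can actually check. The following PowerShell readiness check is an added example, not code from Ingalls’ post or from Microsoft; it assumes an elevated session on Windows 8.1 or later (for the TrustedPlatformModule and BitLocker modules) and a domain-joined machine for the AD escrow step.

```powershell
# Added example (not from the blog post): checks whether a device meets the TPM and
# BitLocker expectations described above and escrows the recovery password to AD.
# Assumes an elevated PowerShell session on Windows 8.1+ and a domain-joined machine.

function Get-TpmSpecVersion {
    # Win32_Tpm reports SpecVersion as e.g. "2.0, 0, 1.16" or "1.2, 2, 3";
    # the first field is the TPM specification level.
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                           -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    if (-not $tpm) { return $null }
    return ($tpm.SpecVersion -split ',')[0].Trim()
}

function Test-Win81SecurityReadiness {
    param([string]$MountPoint = 'C:')

    $result = [ordered]@{}

    # 1. TPM present and ready, and at the 2.0 level MS says it is moving toward
    $tpmInfo = Get-Tpm
    $result.TpmPresent = $tpmInfo.TpmPresent
    $result.TpmReady   = $tpmInfo.TpmReady
    $result.TpmSpec    = Get-TpmSpecVersion
    $result.Tpm20      = ($result.TpmSpec -eq '2.0')

    # 2. BitLocker on the OS volume with protection active and a TPM-bound protector
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $result.VolumeStatus    = $vol.VolumeStatus
    $result.ProtectionOn    = ($vol.ProtectionStatus -eq 'On')
    $result.HasTpmProtector = [bool]($vol.KeyProtector | Where-Object KeyProtectorType -eq 'Tpm')

    # 3. Recovery password protector present and escrowed to AD DS
    $recovery = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
    $result.HasRecoveryPassword = [bool]$recovery
    $result.EscrowedToAD = $false
    if ($recovery) {
        try {
            Backup-BitLockerKeyProtector -MountPoint $MountPoint `
                -KeyProtectorId $recovery[0].KeyProtectorId -ErrorAction Stop | Out-Null
            $result.EscrowedToAD = $true
        } catch {
            Write-Warning "AD escrow failed: $($_.Exception.Message)"
        }
    }

    return [pscustomobject]$result
}

Test-Win81SecurityReadiness | Format-List
```

A device where `Tpm20`, `ProtectionOn`, `HasTpmProtector` and `EscrowedToAD` are all `True` matches the hardware-rooted, recoverable configuration the post describes; any `False` is a concrete gap to fix before relying on the BYOD and remote-wipe features.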
It will be interesting to see how all this plays out, and how well the TPM requirements perform on systems that include such circuitry.