End-to-End Security Features in Windows 8

Trusted boot

Some malware programs target the boot process and insert themselves into the system before Windows or antimalware software is able to start. Because of this, the ability of Windows or the antimalware software to protect the system might be compromised. With UEFI 2.3.1 equipped devices, the UEFI Secure Boot feature helps to ensure that malware is not able to start before Windows 8.

The Windows 8 Trusted boot feature protects the integrity of the remainder of the boot process, including the kernel, system files, boot critical drivers, and even the antimalware software itself. The system’s antimalware software is the first third-party application or driver to start. Moving antimalware into the Trusted boot process prevents it from being tampered with. In the event that malware is able to successfully tamper with the boot process, Windows can automatically detect and repair the system.


Measured boot

On Trusted Platform Module (TPM)–based systems, Windows 8 can perform a comprehensive chain of measurements during the boot process that can be used to further validate the boot process beyond Trusted boot. The Measured boot process enables all aspects of the boot process to be measured, signed, and stored in a TPM chip. This information can be evaluated by a remote service to further validate a computer’s integrity before granting it access to resources. This process is called Remote Attestation.
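
The measure, extend and verify flow described above, as an added example that is not part of the original article and is not Microsoft's implementation. It assumes a SHA-256 PCR bank and that the signature on the TPM quote has already been verified; the component names, PCR indices and contents are constructed for illustration.

```python
import hashlib

PCR_SIZE = 32  # SHA-256 bank; a PCR is all zeros at platform reset

def measure(component: bytes) -> bytes:
    return hashlib.sha256(component).digest()

def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM extend: new PCR = SHA-256(old PCR || measurement digest)."""
    return hashlib.sha256(pcr + digest).digest()

def replay(event_log):
    """Recompute PCR values from a boot log of (pcr_index, name, digest)."""
    pcrs = {}
    for index, _name, digest in event_log:
        pcrs[index] = extend(pcrs.get(index, bytes(PCR_SIZE)), digest)
    return pcrs

def attest(event_log, quoted_pcrs, known_good):
    """Remote-service check: the log must reproduce the quoted PCRs, and
    every logged digest must match the allow list. Returns findings."""
    findings = []
    if replay(event_log) != quoted_pcrs:
        findings.append("event log does not match quoted PCR values")
    for index, name, digest in event_log:
        if known_good.get(name) != digest:
            findings.append(f"unexpected measurement for {name} (PCR {index})")
    return findings

# Constructed sample data: names, indices and contents are illustrative only.
COMPONENTS = [(4, "bootmgr", b"boot manager image"),
              (4, "winload", b"os loader image"),
              (12, "elam_driver", b"antimalware early-launch driver")]
KNOWN_GOOD = {name: measure(blob) for _, name, blob in COMPONENTS}

def boot(components):
    """Simulate the client: measure each component, return (log, final PCRs)."""
    log = [(i, n, measure(b)) for i, n, b in components]
    return log, replay(log)

if __name__ == "__main__":
    log, pcrs = boot(COMPONENTS)
    print(attest(log, pcrs, KNOWN_GOOD))  # clean boot: no findings
```

Because each PCR value depends on every earlier measurement and their order, a client that booted a modified component cannot present a clean log that still matches the PCR values the TPM signed.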

BitLocker Drive Encryption

BitLocker Drive Encryption is a data protection feature in Windows 8 Pro and Windows 8 Enterprise editions that helps protect against data theft from lost, stolen, or inappropriately decommissioned computers. BitLocker now encrypts hard drives more quickly, helping to keep data safe without significantly interrupting worker productivity.

BitLocker now supports encrypted drives, which are hard drives that come pre-encrypted from the manufacturer. BitLocker offloads the cryptographic operations to hardware, increasing overall encryption performance and decreasing CPU and power consumption.


On devices without hardware encryption, BitLocker encrypts data more quickly. BitLocker allows you to choose to encrypt the used space on a disk instead of the entire disk. As free space is used, it will be encrypted. This results in a faster, less disruptive encryption of a hard drive, so that enterprises can more easily provision BitLocker, and they can do it with little time impact. In addition, the user experience is improved by allowing a standard user, one without administrative privileges, to reset the BitLocker PIN.

AppLocker

AppLocker is a simple and flexible mechanism that allows you to specify exactly which apps are allowed to run on users’ PCs. Traditional access control technologies such as Active Directory Rights Management Services and Access Control Lists (ACLs) help control the data users are allowed to access. However, these technologies can’t prevent users from installing or using non-standard software.


In Windows 8 Enterprise editions, AppLocker enables you to create security policies through Group Policy to prevent potentially harmful or other non-approved apps from running. With AppLocker, you can set rules based on a number of properties, including the signature of the application’s package or the app’s package installer, and can more effectively control apps with less management.

Windows SmartScreen

Windows SmartScreen app reputation is a safety feature in Windows 8. This service provides application reputation-based technologies to help protect users from malicious software that they may encounter on the Internet. This technology checks the reputation of any new application, helping to keep users safe no matter what browser they use in Windows 8.


This helps to prevent malware and other viruses from infiltrating your organization. The Windows SmartScreen app reputation feature works with the SmartScreen feature in Internet Explorer, which also protects users from websites seeking to acquire personal information such as usernames, passwords, and billing data.

Claim-based access control

Claim-based access control enables you to set up and manage usage policies for files, folders, and shared resources.


With Windows 8, you can dynamically allow users access to the data they need based on the user’s role in the company. Unlike previous statically-controlled security groups, Claim-based access control allows you to dynamically control access to corporate resources based on the user and device properties that are stored in Active Directory. For example, a policy can be created that enables individuals in the finance group to have access to specific budget and forecast data, and the human resources group to have access to personnel files.
© 2013 Updated Tech News Results and Reviews