By Onuora Amobi, Editor, Windows8update.com
A Comprehensive Overview of Security in Microsoft’s Newest OS
The following was excerpted from Onuora Amobi’s eBook “Windows 8 Security – A comprehensive Overview of security in Microsoft’s newest Operating System.” For more information, and to read the full eBook, go to: http://www.windows8enterprise.com/new-windows-8-ebookwindows-8-security-a-comprehensive-overview/.
Enterprise Security: UEFI – Secure Boot
With Windows 8, Microsoft now requires adoption of a boot solution called Unified Extensible Firmware Interface (UEFI). UEFI changes the start-up procedure for a computer system, known as a boot or booting, and is required on all PCs using the Windows 8 operating system.
UEFI replaces the traditional BIOS system used by PCs. UEFI helps productivity by creating much faster boot times. The handoff from power on to operating system is somewhere around 8 seconds. UEFI also aids productivity by requiring fewer restarts. This keeps your office staff working and saves IT time when applying upgrades or installing software. At least this is the promise.
The most important benefit of UEFI for your organization is security. UEFI is effective at battling rootkits, a class of malware frequently used by hackers to open a backdoor and allow criminals to control a PC.
A rootkit replaces the code used to start a computer with itself and disables antivirus software. UEFI makes loading rootkits difficult by requiring the initial boot-up code to be digitally signed with a certificate derived from a key in the UEFI firmware. This feature, known as Secure Boot, ensures that code is from a trusted source prior to loading.
UEFI then leverages Early Launch Anti-Malware (ELAM) to protect against boot loader attacks. ELAM allows anti-virus software to start up prior to other forms of programming. This ensures programs are scanned for viruses prior to start up.
Secure Boot uses three databases. The signature database contains signatures and hashes of images for UEFI applications and operating system loaders. The revoked signatures database contains images that are revoked or have been marked as untrusted by the system. The Key Enrollment Key database contains keys that can be used to sign updates to the signature and revoked signatures databases.
These databases are put in place when the computer is manufactured. Changes to them are prevented unless the change is signed with the correct signature. In the UEFI Secure Boot process, these databases are used to keep nontrusted software from taking control of the boot process.
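The following sketch models how the three databases interact. It is an added example, not code from the eBook or from Microsoft: the class and function names are hypothetical, the sample images and key are constructed, and an HMAC stands in for the certificate-based signature that real firmware verifies.

```python
import hashlib
import hmac


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def authenticate(key: bytes, database: str, entry: str) -> str:
    # HMAC is a stand-in for the certificate-based signature firmware checks.
    return hmac.new(key, f"{database}:{entry}".encode(), hashlib.sha256).hexdigest()


class SecureBootPolicy:
    def __init__(self, kek: dict, db: set):
        self.kek = dict(kek)   # Key Enrollment Key database: key id -> key
        self.db = set(db)      # signature database: trusted image hashes
        self.dbx = set()       # revoked signatures database

    def may_load(self, image: bytes) -> bool:
        digest = sha256_hex(image)
        if digest in self.dbx:      # revocation wins over any db entry
            return False
        return digest in self.db    # anything unknown is refused

    def update(self, database: str, entry: str, key_id: str, tag: str) -> bool:
        key = self.kek.get(key_id)
        if key is None or database not in ("db", "dbx"):
            return False
        if not hmac.compare_digest(authenticate(key, database, entry), tag):
            return False            # not authorised by a KEK key: no change
        getattr(self, database).add(entry)
        return True


def demo() -> dict:
    loader = b"constructed-os-loader"          # constructed sample images
    tampered = b"constructed-tampered-loader"
    kek_key = b"constructed-kek-key"
    policy = SecureBootPolicy({"oem-kek": kek_key}, {sha256_hex(loader)})
    results = {"loader_ok": policy.may_load(loader),
               "tampered_ok": policy.may_load(tampered)}
    # An update to db that was not produced with a KEK key is rejected.
    forged = authenticate(b"not-a-kek-key", "db", sha256_hex(tampered))
    results["forged_update"] = policy.update("db", sha256_hex(tampered), "oem-kek", forged)
    results["tampered_after_forgery"] = policy.may_load(tampered)
    # A KEK-authorised revocation blocks the loader although db still lists it.
    good = authenticate(kek_key, "dbx", sha256_hex(loader))
    results["revocation"] = policy.update("dbx", sha256_hex(loader), "oem-kek", good)
    results["loader_after_revocation"] = policy.may_load(loader)
    return results
```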
These improvements increase the operating system’s ability to detect malware before it has a chance to load and run. They also make it difficult for users to unknowingly install malware in the first place. So UEFI will add a level of protection to your organization, right? Maybe.
Critics and analysts feel that the UEFI platform is still vulnerable to attack. If the Secure Boot technology is turned off, which it must be to allow partitioning and running other operating systems such as Linux alongside Windows 8, then the system is just as vulnerable as BIOS or maybe more so.
Malware is not a stagnant threat. Eventually malware writers will overcome UEFI technology. At this time, however, Windows 8 offers the highest level of security for your organization.
One of the drawbacks of the UEFI or Secure Boot feature is the limitation it presents when you want to install an operating system other than Windows 8 or create partitions within your system. In the past, operating systems have included information on how to disable Secure Boot. This information is not included in Windows 8, although disabling Secure Boot is possible.
Dynamic Access Control
Tired of maintaining groups in Microsoft Active Directory? If you aren’t now, you may soon be with the movement of many organizations to enact BYOD (Bring Your Own Device) policies and use cloud services as a part of their business plan. How do you give everyone access where they need it while making sure sensitive information stays protected? Securing files using folders or shares governed by group policy within the file server is an increasingly complex process.
Dynamic Access Control is Microsoft’s answer to this need in the IT world. The idea behind DAC is integrating claims-based authentication using tokens. Users are described by attributes such as department, location, role, title, and security clearance rather than by the security groups they are assigned to. This is a powerful new way to control access and allows flexibility in an increasingly complex data management environment.
Dynamic Access Control works by using a concept of central access rules and central access policies along with claims. Claims are the unique data points that describe the users, devices, or resources involved in the request. For example, a user might have access to a certain file when in the office. That same access may be restricted, however, when the user is traveling due to the sensitive nature of the data or lack of security availability on the user’s mobile device.
DAC includes Rights Management Services (RMS) allowing files that are defined as sensitive to be encrypted when they are moved from the file server. You can, for example, encrypt all documents that contain HIPAA information, vital organizational secrets, or other sensitive data just by applying RMS to documents of that kind.
The power of DAC is the ability to tag data, classify it, and apply access control to the data along with automatic encryption when the data is defined as sensitive. It reduces the constraints on IT and allows application of dynamic policies at the resource level. You can make decisions without dealing with a static system of protections that limit your flexibility.
Basically, DAC allows you to reduce the need for extra Active Directory groups. It accomplishes this by allowing an “and” function rather than just an “or” function. Here’s an example. If a manager in your remote office needs access to a group of files for another remote office, you can simply allow them permission by adding them to the group for those files. They can be in both their current group and have access to the new group. You no longer need to create a third group that allows access to both. As user roles change within the organization, it’s much easier to adjust AD tokens and make sure proper access controls remain in place.
DAC also makes it easier to control file access at a more granular level. You can assign policies to files and shares by allowing conditional control such as read-write access to some documents and read-only to others. You can also set conditions based on the device being used to access the data. Full access, for instance, might be restricted when using a tablet or smartphone but full access is allowed on company administered hardware.
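The “and” function and the device condition described above can be modelled in a few lines. This is an added example, not code from the eBook or from Microsoft: the rule functions, claim names and sample file are hypothetical and constructed, and the model combines rules by intersecting the permissions each applicable rule grants.

```python
READ, WRITE = "read", "write"


def claim_is(claims: dict, name: str, expected) -> bool:
    # A claim that is absent never satisfies a condition (fail closed).
    return name in claims and expected is not None and claims[name] == expected


def department_rule(user, device, resource):
    """Hypothetical rule: the user's department must match the file's."""
    if "department" not in resource:
        return None                  # rule does not target this file
    ok = claim_is(user, "department", resource["department"])
    return {READ, WRITE} if ok else set()


def device_rule(user, device, resource):
    """Hypothetical rule: sensitive files are read-only off managed devices."""
    if resource.get("classification") != "Sensitive":
        return None
    return {READ, WRITE} if claim_is(device, "managed", True) else {READ}


def effective_access(acl: set, rules, user, device, resource) -> set:
    # Every applicable rule must allow a permission, so the rules combine as
    # AND and no extra group is needed for "Finance AND managed device".
    allowed = set(acl)
    for rule in rules:
        granted = rule(user, device, resource)
        if granted is not None:
            allowed &= granted
    return allowed


RULES = [department_rule, device_rule]
PAYROLL = {"department": "Finance", "classification": "Sensitive"}  # constructed


def demo() -> dict:
    acl = {READ, WRITE}              # permissions from the file's own ACL
    finance = {"department": "Finance", "title": "Manager"}
    return {
        "office_pc": effective_access(acl, RULES, finance, {"managed": True}, PAYROLL),
        "own_tablet": effective_access(acl, RULES, finance, {"managed": False}, PAYROLL),
        "other_dept": effective_access(acl, RULES, {"department": "Sales"}, {"managed": True}, PAYROLL),
        "no_claims": effective_access(acl, RULES, {}, {}, PAYROLL),
    }
```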
Where is Dynamic Access Control most appealing? Clearly organizations with a high degree of sensitive information, such as government contractors, agencies or healthcare organizations, will benefit from locking down files through DAC. Even the smallest organizations, however, may rest easier knowing their most sensitive documents are safely protected and encrypted.
Onuora Amobi is the Founder and Executive Editor of Windows8update.com (http://www.windows8update.com). A former Microsoft MVP for Windows Desktop, Onuora has more than a decade of information security, project management and management consulting experience. He has specialized in the management and deployment of large scale ERP client/server systems.