Microsoft Corporation has been adding more features and capabilities to its operating systems (OS) over the years. Massive improvements can be seen from one version of Windows to the next. With each version, Microsoft delivers a new operating system with significant improvements to its look and feel, its normal operational features and, most importantly, its security features. These are software changes that ensure that the operating system runs more efficiently, is more secure, and supports and utilises the hardware more efficiently and effectively in terms of speed, memory management and security.
One of the biggest drawbacks of this operating system is the new user interface, which comes complete with a Start menu that is very different from the normal (or classic) Windows Start menu. Because of this, the OS has received a lot of criticism. The user interface introduced in Windows 8/8.1 was aimed at Microsoft's vision of a single operating system spanning from one device to another, from traditional PCs to tablets and more. Paul (2012) discussed that 'The operating system includes fundamental enhancements, such as better multiple-monitor setups, an overhauled Windows Explorer, cloud-based account syncing, and new ways to personalize your desktop'. But again, the most essential upgrades to the system are the security updates, which I shall discuss in the next sections.
Windows 8 Security Features
With the introduction to the proposed operations out of the way, we can now ask the question of interest: how secure is Windows 8? Microsoft (2012), in their product guide, state that Windows 8's new security features should make it the most secure product so far. This makes Windows 8 more secure than its predecessors. Microsoft has improved a number of internal security features in Windows 8, making it more secure and worth considering for businesses. This section looks at the key security features that come with Windows 8. With this operating system, Microsoft has broadened its support for on-board hardware security, included a fully functional security suite in the operating system, and enabled alternative authentication schemes, amongst many other things. Some of these new security innovations offer special support for, and are aimed at, enterprise customers (users) by meeting their business needs. The following subsections discuss these features.
2.1 Secure boot feature
The secure boot feature prevents operating systems and software which are not authorized from loading or running when the computer starts up. During the startup process, unauthorized software and processes are prevented from loading. Microsoft (2014) state that 'Secure Boot is a security standard developed by members of the PC industry to help make sure that your PC boots using only software that is trusted by the PC manufacturer.' So whether or not people plan to use Windows 8, they will still use secure boot enabled machines in the future. So far, any computer that bears the Windows 8 logo has this feature enabled. Secure boot was designed to protect computers from low-level threats and exploits and from rootkits. A rootkit is a type of malicious software which is activated when a computer system starts (boots up). Rootkits are difficult to detect because they are activated before the operating system has fully booted. They can perform malicious operations such as installing new hidden files and processes, and can also monitor and intercept network and input (keyboard) data.
This new feature is enabled by UEFI (Unified Extensible Firmware Interface), which is a replacement for BIOS. BIOS is the computer's Basic Input-Output System, which is software stored on a chip on the motherboard (Winder, 2012). During startup, the BIOS initialises various components and makes sure they are working, then lets the operating system take over. With the traditional BIOS, it is possible for malware such as rootkits to replace the boot loader (Sinofsky, 2011). After the rootkit takes over, it can load the operating system with no signs of anything wrong, and stay concealed and undetectable on the computer. The BIOS does not distinguish between the malware and the trusted bootloader, so it allows both to boot. Sinofsky (2011) discusses that UEFI, on startup, will first check the bootloader before it even launches it, and makes sure it is signed by Microsoft. If a rootkit or any other malware has replaced the bootloader, then UEFI won't permit it to boot, which prevents the hijacking of the boot process by the rootkit or other malware program. Figure 2.1.1 depicts the process of booting with secure boot.
Figure 2.1.1 - Secure boot in Windows 8 (Microsoft-MSDN, 2011)
Windows secure boot can be made available by installing Windows 8, and can be enabled and disabled, but as I discussed above, it is recommended that secure boot be enabled.
2.2 Early Launch Anti-Malware
As an extension of the previous sub-section, I shall further discuss another early detection feature called Early Launch Anti-Malware. As anti-malware software advances and improves, cyber criminals (attackers) are also improving their skills and the sophistication of their rootkits, making them harder to detect. Anti-malware vendors are diligently improving their software in the area of detecting malware during booting. Regardless of what anti-malware product you use, this feature makes sure that the anti-malware software runs first, ensuring that the first software driver loaded into the operating system is the anti-malware software's driver.
2.3 Windows 8 Access Control
Windows 8 reflects Microsoft's continued efforts to provide users with security features that can be used personally and for corporate purposes. These features and tools are needed by managers in corporate environments. Windows 8 security includes biometric and multifactor (to be discussed) authentication support for more secure and improved access control. Windows 8 does not rely solely on password-based authentication, but offers alternatives such as support for virtual smartcards and picture password authentication.
2.3.1 Local and Microsoft Accounts
On setup (after installation), Windows 8 gives the user an option to create a new user or to sync a Microsoft password. Microsoft uses two kinds of account: Local accounts and Microsoft accounts. A Local account is one that is created remotely on the computer during setup or in Control Panel, and a Microsoft account is one created on one of Microsoft's services, e.g. a Hotmail account. Windows 8 allows users to optionally sign in to Windows using that email address. This is an account that allows the user to use many of Microsoft's services via one account. The account stores the user's personal Windows settings and data. This also includes preferences, passwords, history, favourites and many services on Microsoft's servers. This account can be used across all devices that have Windows 8, from a desktop machine to a phone. When the user logs on using their Windows 8 account on a Windows device, all the data is automatically synced with the device. This feature allows for data backup and remote access to data.
2.3.2 Picture Password Authentication
Another convenient, secure and 'cool' feature of Windows 8 is the picture password feature. Picture password is a new secure login which is touch-based and allows the user to select a picture and make three (pre-set) touch gestures on top of the picture. These gestures can be performed with fingers on multi-touch devices, or with mouse rolls and clicks on non-touch PCs. Windows 8 gives you a choice to use a picture from Microsoft's database, or to choose your own personal picture and select the gesture pattern you prefer. For example, a user can draw a smile over a face in a picture, or they can place dots and lines on objects or points in the picture and make that a password. This is secure because it eliminates the idea of phrase (word) passwords, which are not that easy to think up when considering how safe they must be. So it eliminates the usage of passwords such as '1234me' or 'qwerty'. The addition of these picture passwords offers more sophistication and complexity to password-generation algorithms. This makes the feature very easy to use, and it does not require the user to write anything down or try to memorise hard passwords. Windows also allows you to use traditional text passwords, as long as the user chooses passwords that are not simple and easy to guess.
2.3.3 Windows 8 Biometrics support
Microsoft has taken a leap forward in its commitment to biometrics with the release of Windows 8, and an even further step with Windows 8.1. Microsoft has made changes to the Windows Biometric Framework, which have resulted in the biometric functionality being more integrated into the operating system. The changes have been made mainly around finger-based authentication. The Windows Biometric Framework (WBF) also provides a means of integration with Windows Store app purchasing and running. Of course, fingerprint scanners are needed to take advantage of these biometric features, but with Windows 8/8.1 this has been made easy to implement.
To improve the authentication process and security in Windows 8, Microsoft has put quite an effort into biometrics. This technology identifies (and authenticates) people by checking their unique physical traits. This puts a secure barrier around sensitive information and resources when they are accessed. The operating system comes with the necessary software for the registration and management of fingerprint-based authentication. This relieves hardware manufacturers from providing their own applications, which eliminates the problems that come with third-party software. It is now easier to set up fingerprint-scanning devices and to use fingerprint-based authentication with Windows 8's Biometric Framework. Users only need to scan and register their fingerprints, then scan them to authenticate when they log in. The Biometric Framework also allows users to use fingerprint-based authentication for various types of software and services, e.g. Remote Device Connection.
Fingerprint-based authentication is also extended to the Windows Store and apps. Fingerprints can be used to purchase apps, provided the user's Microsoft account used in the transaction is associated with the computer on which the transaction is being conducted, and the account must be registered for fingerprint authorization as well. The Biometric Framework in Windows 8 also provides APIs for developers, which can be used in their Windows Store apps for authentication. An app using these APIs uses the fingerprint scan technology to verify whether the signed-in user matches the fingerprint. With biometric authentication becoming more common, it is easier for businesses to integrate this technology into their Windows security strategies.
2.3.4 Multifactor Authentication
Multifactor authentication is a method for securing online accounts. It is an important feature for Windows 8 accounts, and it works by validating the identity of a user. After the initial validation, a secondary authentication process is initiated via mobile, prompting for a password. According to Microsoft (2013), 'Two-step (multifactor) verification uses two ways to verify your identity whenever you sign in to your Microsoft account', the first being an initial password and the second being an extra code which the user enters via a mobile device. This type of verification protects a user's account by making it more difficult for unauthorised users (or hackers) to sign in even when they have the user's password. The multifactor authentication in Windows 8 works with cloud services from Microsoft and other supported cloud services. Microsoft also offers a Microsoft Authentication App for devices running Windows Phone OS.
There are a few options for Microsoft's Multi-Factor Authentication, which provide flexibility for users and a backup option should the user fail to authenticate using their preferred method. Microsoft provides three ways (or options) in which the user can use this type of authentication: Multi-Factor Authentication apps, automated phone calls and text messages. Taking a closer look at these methods shows us how effective and secure they are, and how they assure users of the need for multifactor authentication:
- Multi-Factor Authentication apps: These apps are available for a variety of mobile devices and platforms such as Windows Phone, Android and iOS devices. The app is free for users to download onto their mobile device and it requires activation using the code provided during the app's setup. During a prompt for authentication, the user selects whether to approve or deny the request. The app provides two different modes of operation:
  - Notification: When this mode is used, the Multi-Factor Authentication app prevents unauthorised access to the user's accounts and stops any transactions provided by the account. This method works by using a push notification, sent to the user's registered mobile device. The user views the notification and approves it if it is genuine or rejects it if it is not. In the event of a rejection, a fraud notification will be sent to report the fraudulent access attempt.
  - One-Time Passcode: In this mode, the Multi-Factor Authentication app can be used as a software token that generates an OATH passcode. OATH is a standardized open source algorithm used to generate a series of one-time passwords from a secret shared key. These passcodes are unguessable and are unique with each generation.
- Automated phone calls: When using this method, automated phone calls can be made to a landline or device by the service running Multi-Factor Authentication. When a call is placed, the user answers the call and presses the hash (#) key to complete their sign-in, or rejects the call if they are not the one trying to access the service.
- Text messages: When this method is used, the Multi-Factor Authentication service sends a text message to the user's phone (mobile or landline). The text message contains a one-time passcode, and the user is prompted either to reply to the message with the passcode or to type the passcode into the active authorization (sign-in) screen.
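The One-Time Passcode mode described above, as an added example (not code from Microsoft or from the original essay): OATH passcodes are specified as HOTP (RFC 4226) and its time-based variant TOTP (RFC 6238), and this sketch shows how a shared secret yields a series of codes and how a service can check one. The secret is the RFC test key; the drift window and the `last_used` replay check are assumptions about how a verifying service might be set up.

```python
import hashlib
import hmac
import struct
import time

# RFC 4226 test secret, used here only as sample input (never a real key).
SECRET = b"12345678901234567890"

def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then truncate."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # low nibble of the last byte selects 4 bytes
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def totp(secret, now=None, step=30, digits=6):
    """RFC 6238: HOTP where the counter is the number of elapsed time steps."""
    now = time.time() if now is None else now
    return hotp(secret, int(now) // step, digits)

def verify_totp(secret, candidate, now=None, step=30, drift=1, last_used=-1):
    """Return the matching time step, or None if the code is rejected.

    Accepts codes up to `drift` steps either side of the current step to
    tolerate clock skew, and refuses any step <= last_used so a captured
    code cannot be replayed. The caller stores the returned step.
    """
    now = time.time() if now is None else now
    current = int(now) // step
    matched = None
    for counter in range(max(0, current - drift), current + drift + 1):
        expected = hotp(secret, counter, len(candidate))
        # Constant-time comparison; keep looping so timing does not reveal
        # which step matched.
        if hmac.compare_digest(expected.encode(), candidate.encode()):
            if counter > last_used:
                matched = counter
    return matched

if __name__ == "__main__":
    code = totp(SECRET)
    step = verify_totp(SECRET, code)
    print("code", code, "accepted at step", step)
    print("replay accepted:", verify_totp(SECRET, code, last_used=step) is not None)
```

A wider `drift` tolerates more clock skew on the phone but also lengthens the time a stolen code stays valid.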