Windows RT: Fortified against malware

Windows RT devices and their apps set new high-water mark for Windows security. But without support for Active Directory, their enterprise use is limited

Page 2 of 2

The AppContainer, which all Windows RT applications will run in by default, has sandbox security features. While I'm not a huge fan of security sandboxes over the long term, there's no denying they make the attacker's job more difficult in certain circumstances. In Windows RT, Windows Store applications will have a hard time reading and writing outside of the AppContainer, creating new network connections, or accepting new inbound connections. If the Windows Store app needs that sort of access, it will be declared and transparent to the user.

Note, however, that this sort of declarative need for features outside the security sandbox has been a default feature in other languages, such as Java, for more than a decade. It hasn't, by itself, resulted in better security.

Where the security sandbox features of the AppContainer will be especially useful is in blocking the sharing of browser cookies and files with other applications. This new boundary will block a ton of malicious apps that prey upon cookie stealing or using out-of-boundary attacks to launch files previously stored as temporary Internet files and the like.

More lines of defense
Better, the Metro version of Internet Explorer 10 -- the only version allowed on Windows RT -- will not load add-ons. Considering that the majority of today's successful attacks launch from third-party add-ons, this is a huge security improvement.

Suppose the bad guy gets around all the previous protections we've discussed. They still have one huge hurdle to overcome: Windows RT runs on ARM processors. Ninety-nine percent of today's malware runs for x86 processors and will not run on ARM processors. That means hundreds of millions of malicious programs that exist today will not work on Windows RT. That's huge!

Yes, you can expect malware writers to become ARM-educated and to produce malware capable of doing bad things on Windows RT. But Windows RT immediately means over two decades of malware education and skills are no longer relevant.

What's missing in RT
Windows RT will offer significantly lower security risk than its Windows 8 counterpart, thanks primarily to a new processor model and fewer attack vectors. But what will Windows RT users have to give up?

The biggest and most notable missing feature is the inability to join Windows RT devices to an Active Directory domain. This will be a showstopper in numerous environments because Windows RT users will not be subject to the group policies many enterprises rely upon. Eventually, you can expect MDM vendors to offer some sort of management control. Microsoft itself has announced coming improvements in Microsoft SCCM and Windows Intune that will be directed toward Windows RT devices.

Another missing feature is BitLocker Drive Encryption. Windows RT devices will support their own full-disk encryption enabled by default. It goes without saying that Microsoft will not support Encrypting File System (EFS) in Windows RT, but with full-disk encryption, you don't need it.

The bottom line is that the inherent security of Windows RT devices -- in terms of vulnerability to attack -- is pretty much ironclad. But the lack of support for Active Directory will limit the use of Windows RT devices in the enterprise.

This article, "Windows RT: Fortified against malware," was originally published at Get the first word on what the important tech news really means with the InfoWorld Tech Watch blog. For the latest business technology news, follow on Twitter.

| 1 2 Page 2