Windows 8's stealth advantage: Better security

Microsoft's best improvement to Windows is under the hood, and it should drive fast adoption by smart companies

This fall, new computers will be sold with Windows 8. Desktops, laptops, Ultrabooks, and so on will have the latest OS from Microsoft, and people will slowly adapt. They may not like the Metro UI, but it won't kill them; they will adjust. But as we've learned from the "Save XP" days, if the enterprise doesn't see the value in switching to the next OS, it won't bother. We see many organizations -- most, in fact -- remain entrenched with a decade-old OS rather than budge. Only now are many of these holdouts moving to Windows 7 (finally!).

Does Windows 8 have a prayer in the enterprise space?

[ Windows 8 is coming, and InfoWorld can help you get ready with the Windows 8 Deep Dive PDF special report, which explains Microsoft's bold new direction for Windows, the new Metro interface for tablet and desktop apps, the transition from Windows 7, and more. | Stay abreast of key Microsoft technologies in our Technology: Microsoft newsletter. ]

A week ago, I would have said no. After a day at Microsoft's TechEd user conference and two keynotes that were less than stellar, I noted no developments that would warrant a dip into the IT budget. In fact, I would have told most folks to upgrade to Windows 7 now -- which may still be the best advice.

However, Microsoft gave me and other journalists and columnists some deep time with Windows 8, and we saw features like Windows to Go, VDI improvements, networking enhancements, and security features up close and personal. That's where I found the compelling enterprise motivation to consider Windows 8: security.

Security enhancements in Windows 8 boot process
One of the more controversial features to the new Windows release is called Secure Boot. The hubbub doesn't have anything to do with the technology itself but with the drama surrounding Microsoft's mandates for its implementation on Intel and ARM systems. Essentially, it takes advantage of UEFI (Unified Extensible Firmware Interface), the modern-day replacement to the BIOS.

The problem with the BIOS is that it can't tell the difference between the legitimate boot loader and a rootkit. That's why Windows 8 systems will ship with a certificate in the UEFI that analyzes the boot loader to ensure it is both the right one and is signed by Microsoft. If your system were infected with a rootkit, the UEFI won't boot. In other words, UEFI protects the pre-OS environment. To me, this is essential to avoid the horrible scenarios described by Mark Russinovich in his book "Zero Day" -- these kinds of attacks can harm us in many ways.

Secure Boot is the first part of what Microsoft calls the Trusted Boot process. The second part is a new security feature where Windows can protect the integrity of the kernel, system files, boot-critical drivers, and even the antimalware software (which is the first third-party piece to start up). As the system is booting, Windows 8 detects if any of these elements have been tampered with and automatically restores the unmodified versions. I don't know why this wasn't implemented long ago, but I'm happy to see it now.

1 2 Page
Mobile Security Insider: iOS vs. Android vs. BlackBerry vs. Windows Phone
Recommended
Join the discussion
Be the first to comment on this article. Our Commenting Policies