Windows 8.1: The key security improvements

Although users may prefer the comfort of Windows 7, Windows 8.1's security advantages should pique IT's interest

It's no secret that Windows XP is nearly six months away from its formal end-of-life support from Microsoft. Although many IT organizations have begun the migration to Windows 7 and some are testing Windows 8, a very large percentage of companies have made little effort to move from XP.

I believe users will prefer Window 7 because it's more familiar and has fewer big changes to stress about compared to Windows 8 or its newly released update, Windows 8.1. Plus, few PCs have touch capability, which is important because using Windows 8 on nontouch PCs is awkward. But there's an important reason to consider moving to Windows 8.1 despite the greater comfort of using Windows 7: Windows 8.1's better security.

[ Woody Leonhard says Windows 8.1 is a new version but the same mess. | Galen Gruman compares Windows 8.1 to OS X Mavericks. | Roger Grimes explains how Windows 8.1 stops pass-the-hash attacks. | Stay abreast of key Microsoft technologies in our Technology: Microsoft newsletter. ]

According to Dustin Ingalls, group program manager at Microsoft for Windows security and identity, one of the major problems enterprises face today is the hit-or-miss security functionality seen in users' PCs. For example, many PCs don't have a Trusted Platform Module (TPM) chip, which is required to encrypt a Windows 8 PC's contents via Microsoft's BitLocker encryption technology. A TPM is also required to support InstantGo (previously called Connected Standby), which keeps Metro data, apps, and tiles updated with current information through a network connection that allows automatic syncing. Microsoft is pushing for TPM 2.0 to be required on all devices by January 2015, but there's no such requirement for today's devices.

All editions of Windows 8.1 (including the RT version) now support BitLocker encryption using both TPMs and the hardware-level UEFI protection approach. The trick is to make sure your PCs are InstantGo-certified so that you can take advantage of the encryption. Microsoft is also working on biometrics for both touch and swipe readers. "The goal is to move toward biometrics for everything from the Windows Store app to logging into secure sites, as well as your OS itself," Ingalls says.

Multifactor authentication is also enhanced in Windows 8.1 with virtual smart cards (VSCs), which uses the TPM to provides two-factor authentication, just like a physical smart card does. One is factor is the password or PIN, the other is VSC, with the private key stored on the system's hard drive.

Windows Defender has been enhanced with network behavior monitoring to help stop the execution of malware. Sometimes malware is known, other times it isn't, so Defender now looks at "bad behaviors in memory, the registry, or the file system, even before signatures have been created," Ingalls says. In addition, Internet Explorer 11 scans binary extensions (ActiveX, for example) in use before potentially harmful code runs. In contrast, pre-Windows 8.1 systems may allow malicious sites to exploit vulnerabilities in binary extensions like ActiveX controls. Additionally, IE's Enhanced Protection Mode is now enabled by default in the Windows Desktop version of IE. (It was autoenabled in the Metro edition in Windows 8.0, as it still is in Windows 8.1.)

Windows 8.1 introduces Remote Data Removal, which allows organizations to remove company data (email, attachments, and orporate data that came from Work Folders) without completely wiping the personal user's data in the process. Note that this capability requires Windows Server 2012 R2 to support Work Place Join and Work Folders.

Security is always going to be a concern for both the home and corporate user, even more so when you consider many users work from home PCs and other personal devices. As an IT admin looking to ensure the greatest level of security, you should give serious consideration to adopting Windows 8.1 instead of Windows 7.

This story, "Windows 8.1: The key security improvements," was originally published at Read more of J. Peter Bruzzese's Enterprise Windows blog and follow the latest developments in Windows at For the latest business technology news, follow on Twitter.


Copyright © 2013 IDG Communications, Inc.