Security and Windows 8

While Mac partisans and tech pundits like to present a tortured view of how difficult it is to secure a Windows PC, the truth is far less dramatic. Before Windows 8, there were a few simple steps you could take to technically secure your PC (enabling automatic updates and installing an antivirus solution), and that, combined with some good old-fashioned common sense, was all that was required.

In Windows 8, you'll be ecstatic to know, it's even easier.

Under the hood, of course, Microsoft's decades-long commitment to system security continues. This version of Windows includes the same anti-malware technology, firewall, User Account Control, and other security features that made Windows 7 the most secure version of Windows yet. And then they turned it up a notch by adding two crucial new features: Antivirus is now included in the OS, finally, so you won't need to add that separately. And the SmartScreen protection feature that the company debuted in Internet Explorer 9 is now part of Windows, so you're protected even if you use competing browsers.

Windows Defender

Microsoft has included an integrated anti-spyware and anti-malware solution called Windows Defender since Windows Vista. Defender was good at what it did (in fact, most Windows users simply aren't even aware of its existence, which is proof of its efficiency), but it's always been lacking one crucial feature: It didn't include antivirus functionality. So we recommended an external and free utility called Microsoft Security Essentials (MSE) for this purpose: MSE looked and worked just like Defender, but it added that one crucial feature, completing the Windows security picture.

Now, Windows Defender includes the same antivirus functionality that used to be part of Microsoft Security Essentials. It's built into Windows 8, it's enabled by default, and you get it for free, just for buying into Windows 8.

This is exciting because both of us have used MSE for years, and we trust it to protect not only our own PCs, but more crucially those of our families and friends. And we've experienced no major issues yet. Not once.

So our advice is simple. Assuming you're not spending your time in the nether regions of the web, downloading illegal software and goodness knows what else, Windows Defender is enough. It's lightweight and quiet, and it won't bother you with annoying pop-up dialogs. You won't need other security applications or even more expensive security suites. You know, assuming that common sense is employed.

Tip: There is one more thing you can continue doing from time to time: Use a second anti-malware utility. (You should never use two antivirus solutions, however, because they will interfere with each other.) It's not necessary to leave the second anti-malware utility running in real time, but it's a good idea to run it once in a while, just to make sure something hasn't slipped by.

But we know you want to know a bit more about Windows Defender.

Windows Defender has a simple interface. From here, you can trigger a malware and virus scan, check for updates, view the history of Defender's activities, or access various options. It works just as Defender did in Windows 7, except that it's now checking, in real time, for viruses as well as spyware and other malware.

There's not a heck of a lot to do here. Configured properly, Defender's real-time protection against viruses and malware will be enabled, and its virus and malware definitions (part of its ability to detect errant software) should be up to date. You can manually update the definitions from the Update tab, but it's unlikely there's an issue here unless the PC has been offline for weeks or longer.

Potentially harmful items that have been found are cataloged on the History tab. Here, you'll see different buckets for quarantined, allowed, and all detected items. If there are any items here, you can further remediate them if you'd like, perhaps by removing them entirely, but there's usually no reason to bother.

The Settings tab has, as expected, a number of configuration options and is worth looking at. For example, you can configure Defender to scan removable drives during a full scan. This is desirable if you regularly use an external disk, like a USB hard drive, when you're home. You can also configure Defender to automatically remove quarantined items after a set time period (by default it does nothing) and determine whether to participate in Microsoft's Active Protection Service, or MAPS, which is used to make Defender more effective for everyone. Do your part: We recommend at least a basic membership.
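The settings walked through in this section can also be read from PowerShell. The following is an added example, not part of the original text; it assumes the Defender PowerShell module (`Get-MpComputerStatus`, `Get-MpPreference`) that ships with Windows 8.1 and later, and `Test-DefenderBaseline` and its seven-day threshold are hypothetical choices.

```powershell
# Added example: compare Defender's state with the settings discussed above.
# Assumes the Defender module from Windows 8.1 or later is present.
# Test-DefenderBaseline and $MaxSignatureAgeDays are hypothetical names.
function Test-DefenderBaseline {
    param([int]$MaxSignatureAgeDays = 7)   # assumed threshold, adjust as needed

    $status = Get-MpComputerStatus -ErrorAction Stop
    $prefs  = Get-MpPreference -ErrorAction Stop
    $findings = @()

    if (-not $status.RealTimeProtectionEnabled) {
        $findings += 'Real-time protection is off'
    }
    if ($status.AntivirusSignatureAge -gt $MaxSignatureAgeDays) {
        $findings += "Virus definitions are $($status.AntivirusSignatureAge) days old"
    }
    # MAPSReporting: 0 = not participating, 1 = basic, 2 = advanced
    if ($prefs.MAPSReporting -eq 0) {
        $findings += 'MAPS membership is disabled'
    }
    # Informational: these two reflect choices on the Settings tab.
    if ($prefs.DisableRemovableDriveScanning) {
        $findings += 'Removable drives are skipped during full scans'
    }
    if ($prefs.QuarantinePurgeItemsAfterDelay -eq 0) {
        $findings += 'Quarantined items are never removed automatically'
    }
    $findings
}

# @() keeps the result an array even when there is one finding or none.
$result = @(Test-DefenderBaseline)
if ($result.Count -eq 0) {
    'Defender matches the settings discussed above.'
} else {
    $result | ForEach-Object { "CHECK: $_" }
}
```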

Boot-Time Security

Windows Defender, like its predecessor, is great at what it does. But there's one problem with an integrated antivirus and anti-malware solution like Defender, and that is that Windows 8 must be running for it to work. There are certain situations in which you may wish to secure your PC's hard disk, such as when it's booting, or need to run a security scan against the hard disk when Windows isn't running. And while one might argue that these capabilities aren't technically Windows 8 features per se, you need to know about them.

First, as PCs have become more sophisticated, the architecture on which Windows runs has evolved. And one of the biggest changes that Windows 8 has been designed to accommodate is the long overdue switch from the primitive BIOS (basic input/output system) environments that have graced (disgraced?) PCs since the 1980s. BIOS is a type of firmware, a tiny bit of software that runs before Windows when the PC first powers on. And while it's possible to run Windows 8 on a BIOS-based computer (basically every single PC made before 2012), a new generation of more sophisticated PCs and devices is instead using BIOS's replacement. It's called UEFI, or the Unified Extensible Firmware Interface.

UEFI provides many advantages over BIOS, but from a security perspective the big deal is that PCs based on this firmware type can support a new technology called Secure Boot. Based on industry standards, Secure Boot ensures that a system hasn't been tampered with while offline. (That is, while Windows isn't running.)

It sounds Orwellian but the purpose of Secure Boot is valid: It targets a growing class of electronic attacks that insert code before Windows boots and try to prevent the OS from loading security software like Windows Defender at boot time, leaving the system vulnerable to further attack. Secure Boot ensures that only properly authorized components are allowed to execute at boot time. It is literally a more secure form of booting.

All Windows 8 PCs and devices will be configured from the factory to support Secure Boot and have this firmware feature enabled. But if you are going to install Windows 8 on a previous PC, you can check to see whether this feature is supported and then enable it before installing the OS.
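Once Windows 8 is running, the firmware's Secure Boot state can be verified from PowerShell. The following is an added example, not part of the original text; `Get-SecureBootState` is a hypothetical helper name, while `Confirm-SecureBootUEFI` and the registry value used as a fallback are standard on Windows 8 and later.

```powershell
# Added example: report whether Secure Boot is on, off, or unavailable.
# Get-SecureBootState is a hypothetical helper, not a built-in cmdlet.
function Get-SecureBootState {
    try {
        # Confirm-SecureBootUEFI needs an elevated (administrator) prompt.
        if (Confirm-SecureBootUEFI -ErrorAction Stop) { return 'Enabled' }
        return 'Disabled'        # UEFI firmware present, feature switched off
    }
    catch [System.PlatformNotSupportedException] {
        return 'Unsupported'     # legacy BIOS, or firmware without Secure Boot
    }
    catch [System.UnauthorizedAccessException] {
        # Not elevated: fall back to the state Windows records in the registry.
        $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\State'
        $val = Get-ItemProperty -Path $key -Name UEFISecureBootEnabled `
                                -ErrorAction SilentlyContinue
        if ($null -eq $val) { return 'Unknown' }
        if ($val.UEFISecureBootEnabled -eq 1) { return 'Enabled' }
        return 'Disabled'
    }
    catch {
        return 'Unknown'         # any other failure: do not guess
    }
}

switch (Get-SecureBootState) {
    'Enabled'     { 'Secure Boot is active.' }
    'Disabled'    { 'Firmware supports Secure Boot, but it is turned off.' }
    'Unsupported' { 'This PC boots via legacy BIOS or lacks Secure Boot.' }
    default       { 'State could not be determined; rerun elevated.' }
}
```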

As a feature of the PC firmware, Secure Boot isn't configured in Windows; it's configured in the UEFI firmware interface. This interface will vary from PC to PC, but it's generally available via a Boot or Security screen in the firmware and is toggled via an option that will be labeled UEFI Boot. This can be set to Enabled or Disabled.

The other security issue that arises at boot time occasionally is the need to scan an offline system. That is, you may want to run a Windows Defender security scan against a Windows 8 hard disk, but when Windows isn't running. This can be a vital capability if your system is infested with a bootkit or rootkit, malicious forms of software that are both hard to detect and almost impossible to remove . . . when Windows is running. But if you can attack bootkits and rootkits while Windows is offline, problem solved.

Fortunately, Microsoft makes a standalone version of Windows Defender called Windows Defender Offline. As you might expect, it is based on Windows Defender, and looks almost identical to that tool. But you install it to a bootable optical disc or USB memory stick and then boot the PC from that. Windows Defender Offline is shown.

Strictly speaking, there's no reason to run Windows Defender Offline unless you know you have a problem. But don't wait to create a bootable Windows Defender Offline disc or USB key until you have a problem: This is a tool you should have at the ready, just in case. You can download Windows Defender Offline from the Microsoft website at tinyurl.com/defenderoffline.

Windows SmartScreen

Microsoft added an interesting and useful security feature to Internet Explorer 9 called SmartScreen that helps guard your PC against malicious software downloads. IE 9's SmartScreen feature works very well, but of course it can't help you if you use a different browser, such as Google Chrome or Mozilla Firefox, or if you download a malicious file through another means, such as an e-mail application or USB storage device.

SmartScreen uses a Microsoft hosted "reputation" service that uses actual user feedback to help determine whether files are trustworthy. So that means you can help make the service more useful for everyone simply by using this feature.

To help protect you against malicious software more globally, Windows 8 includes a special version of SmartScreen, called Windows SmartScreen, which protects the filesystem against malicious files, no matter where they come from. Windows SmartScreen works exactly like IE 9's SmartScreen feature, meaning it utilizes both holistic sensing technologies and an Internet-hosted service to determine whether files are malicious or at least suspected of being so.

Configuring Windows SmartScreen

To configure Windows SmartScreen, you'll need to launch Action Center, which is available via the system tray (it's the icon that resembles a cute little white flag) or through Start Search.

Using the Action Center route, you'll see an option on the left of the window called Change Windows SmartScreen settings. Click this option to display the window.

We recommend using the default setting, which is "Get administrator approval before running an unrecognized app from the Internet." Unless you're regularly hanging out in torrent sites or other gray areas of the Interwebs, you'll find this isn't too annoying.

Using Windows SmartScreen

When Windows SmartScreen fires up, you'll know it: The full-screen notification displays, interrupting whatever you were doing.

As with any full-screen notification, you'll want to deal with this before proceeding. And while SmartScreen can certainly suffer from false positives, our advice is to think very carefully before just dismissing this. It's warning you for a reason.

Action Center Improvements

If you're familiar with Action Center from Windows 7, you know that it's an improved version of the Security Center that dates all the way back to Windows XP with Service Pack 2. In Windows 8, Action Center carries forward largely unchanged in that it still performs the same function of tracking security and troubleshooting items in the OS and popping up notifications when something goes wrong.

What's changed is that Action Center now tracks far more items than it did in Windows 7. And while many of the items it tracks are, as you might expect, related to new features in Windows 8, some aren't. It's just fleshed out better.

In Windows 8, Action Center now tracks these additional items:

  • Windows SmartScreen: This security feature, described earlier, debuted in Windows 8 and provides anti-malware protection directly through the Windows filesystem.
  • Windows activation: While activation is hardly new to Windows 8, Microsoft has created an Action Center experience in this release that tracks whether your copy of Windows is activated, and thus valid.
  • Microsoft Account: The ability to sign in to Windows 8 with a Microsoft account is obviously new to this version of the OS, but the underlying technology that Action Center is actually tracking here is whether your account is working properly and syncing settings from the PC to SkyDrive (and thus to other PCs) and vice versa.
  • Automatic maintenance: Like previous Windows versions, Windows 8 will automatically run a scheduled maintenance routine at a set time, 3:00 a.m. What's changed in Windows 8 is that this activity is now tracked by Action Center to ensure that it completes successfully. But you can use the Start maintenance link to run a manual check or Change maintenance settings to configure a new time.
  • HomeGroup: Action Center now checks to see whether you're part of a homegroup. This is important because signing in with a Microsoft account breaks the normal workgroup-style home network sharing we used to use.
  • File History: The new File History feature works with the Push Button Reset functionality in Windows 8 to create a more flexible way of restoring lost data than the old method, a combination of Previous Files (which no one even knew existed) and Windows Backup (which was ponderous and slow).
  • Drive status: Action Center now checks to see whether all of the fixed disks attached to your computer are working properly.

When Action Center detects an issue, it provides notifications via its system tray icon. Clicking these, or the associated warnings that appear in the Action Center control panel, brings you to the user interface you need to mitigate the issue. For example, as part of its overall system performance and reliability tracking, Action Center could eventually warn you to disable app[lication]s to help improve performance. This slightly off-base recommendation (it really means, "disable startup applications to improve boot-time performance" and has nothing to do with Metro-style apps) links to the Task Manager. In Windows 8, the Task Manager now provides a Startup tab that lets you enable and disable applications (but not Metro-style apps) that are configured to run at boot time.

In addition to the features discussed previously, Microsoft has improved a number of security features that debuted in previous Windows versions, too. Most of the features don't require any user interaction. They simply work in the background, ensuring that Windows 8 is as secure as it can be.

A small sampling includes the following:

  • Credential Manager: Windows has long included a Credential Manager interface (previously called Windows Vault) that helps you combine the usernames and passwords for the local network and for websites with your Windows user account. New to this release is that you can now tie these other sign-ins with your Microsoft account for the first time, since most people will be signing in to Windows 8 with that account type.
  • Windows kernel: The innermost part of Windows has been shored up with protection technologies that were curiously available only to other Windows components in previous OS versions.
  • ASLR: Since Windows Vista, Windows has employed a technique called address space layout randomization (ASLR) to randomly load code and data into different memory addresses at run time, cutting down on an entire class of memory-based attacks. In Windows 8, ASLR has been improved with even more randomness. And it's been extended to even more Windows components.
  • Memory: Modern Windows versions have of course always included various forms of protection against memory-based attacks, and the move to isolated Metro-style apps will help in this and other regards. But Windows 8 also includes new protections against "use after free" vulnerabilities, where rogue or malicious applications are able to examine and exploit freed up memory that still includes valuable data or other code.

There's still more, but you get the idea. While many Windows 8 security features are in your face when required, some simply work behind the scenes, tirelessly keeping you safe without you doing a thing. What's missing is the "security theater" that used to dog older Windows versions, where the security features were purposefully made to be overly chatty and interruptive, providing you with a sense that something good was happening.