Windows 8 security for business

A business guide to the new security improvements in Windows 8

It doesn't replace anti-virus software, but it's a useful extra check and it might catch a new piece of malware that anti-virus software doesn't yet have a signature for.

Moving beyond password security

Forcing users to type in a complex password on a tablet isn't popular because it's just too awkward, even on a decent touchscreen keyboard. Picture password in Windows 8 lets you draw your choice of three gestures onto a picture of your own to unlock your PC.

Assuming you don't pick obvious gestures for the picture, and assuming you touch the screen to operate Windows after you've unlocked the PC so those gestures aren't the only smears on the screen, this should be secure enough to protect your PC (and it's certainly more secure than not setting a password at all).

If you need something much stronger, Windows 8 on new hardware can use the PC's built-in TPM as a virtual smart card, which gives you two-factor authentication (something you have, the TPM in that particular PC, plus something you know, a PIN) without the cost and complexity of buying and managing separate smart cards and readers.


Secure Boot needs UEFI; Measured Boot just needs a TPM

New PCs that come with Windows 8 use UEFI firmware rather than a BIOS and, for the first time, they use UEFI's Secure Boot option. The firmware ships with a database of trusted signing certificates (plus a forbidden list for revoked ones) and refuses to run any boot loader or firmware driver whose signature doesn't check out against it; Windows then carries the chain on by verifying the signatures of the kernel and boot drivers it loads. (If you're downgrading a PC that came with Windows 8, remember to disable Secure Boot in the UEFI settings first.) OEMs will have ways to update that database and to revoke any certificates that get compromised, and larger businesses will also be able to manage the certificates themselves.

Many more PCs – including all Clover Trail Atom devices as well as Windows RT tablets – have the Trusted Platform Modules that have previously shown up only in premium business PCs. A TPM adds an extra layer of security with Measured Boot: the firmware and boot loader hash every component of Windows that starts before your anti-malware software and extend those hashes into the TPM's platform configuration registers, which can only be added to (never written directly) and reset on every reboot, so a component that has been modified produces a different register value. Windows also keeps a log of what was measured. Combined with ELAM (Early Launch Anti-Malware, which starts your security software's driver before other boot drivers), that means a PC can prove it hasn't been tampered with (and that works with both BIOS and UEFI systems). The check isn't made on the PC itself: the TPM signs the register values and a remote attestation service compares them with the values it expects.

You can also use the TPM as a virtual smart card: the private key is generated inside the TPM and never leaves it, so it can't be copied off the PC, and you unlock it with a PIN instead of remembering a complex password. The TPM's built-in anti-hammering protection also makes guessing the PIN impractical, which a password on its own can't offer.

In fact TPMs are going to be so widespread that Microsoft's Chris Hallam told us some banks are considering using Windows 8 virtual smart cards as a way of letting customers log into their bank accounts securely. A bank could also check whether your PC had passed Measured Boot to decide whether to ask you extra security questions before approving a large transaction. Microsoft is going to check employees' PCs to see if they've passed Measured Boot before giving them remote access to file shares with DirectAccess.
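What "passed Measured Boot" means on the server side is worth seeing in code. The following is an added example and not Microsoft's or any bank's code: it replays a boot log the way an attestation service does, assuming TPM 1.2 semantics (20-byte SHA-1 registers, extended as SHA1(old register || component digest)); the component digests and the baseline are constructed for the illustration, and checking the TPM's signature on the quoted value is left out.

```powershell
# Added example, not Microsoft's code: how an attestation server decides whether a PC
# "passed" Measured Boot. Assumes TPM 1.2 semantics (20-byte SHA-1 PCRs,
# extend = SHA1(old PCR || measurement digest)). All digests below are constructed.

function ConvertFrom-Hex([string]$Hex) {
    [byte[]]$bytes = for ($i = 0; $i -lt $Hex.Length; $i += 2) {
        [Convert]::ToByte($Hex.Substring($i, 2), 16)
    }
    return $bytes
}

function ConvertTo-Hex([byte[]]$Bytes) {
    return ($Bytes | ForEach-Object { $_.ToString('x2') }) -join ''
}

function Invoke-PcrExtend([byte[]]$Pcr, [byte[]]$Digest) {
    # TPM_Extend: the TPM never stores a measurement directly, it folds it into the
    # register, so a value can only be reproduced by replaying the same sequence.
    $sha1 = [System.Security.Cryptography.SHA1]::Create()
    try     { return ,$sha1.ComputeHash([byte[]]($Pcr + $Digest)) }
    finally { $sha1.Dispose() }
}

function Get-ReplayedPcr([string[]]$EventLog) {
    # Replay the boot log: the register is all zeros at power-on, then each logged
    # component digest is extended into it in order.
    [byte[]]$pcr = New-Object byte[] 20
    foreach ($entry in $EventLog) {
        $pcr = Invoke-PcrExtend $pcr (ConvertFrom-Hex $entry)
    }
    return ConvertTo-Hex $pcr
}

function Test-MeasuredBoot([string]$QuotedPcr, [string[]]$EventLog, [string]$BaselinePcr) {
    # $QuotedPcr stands in for the register value the TPM signs with its attestation
    # key; verifying that signature is omitted here.
    $replayed = Get-ReplayedPcr $EventLog
    if ($replayed -ne $QuotedPcr)   { return 'log inconsistent with TPM quote' }
    if ($replayed -ne $BaselinePcr) { return 'boot components changed' }
    return 'passed'
}

# Constructed known-good log: one digest per component measured before ELAM runs
# (firmware, Windows Boot Manager, winload and the kernel would be the real entries).
$goodLog = @(
    '0123456789abcdef0123456789abcdef01234567',
    'fedcba9876543210fedcba9876543210fedcba98',
    'a1b2c3d4e5f60718293a4b5c6d7e8f9012345678'
)
$baseline = Get-ReplayedPcr $goodLog          # recorded when the PC was enrolled

# 1. Honest PC: the TPM's quote and the submitted log both reproduce the baseline.
Test-MeasuredBoot $baseline $goodLog $baseline

# 2. Boot loader replaced: the log is honest, so the replay matches the quote,
#    but neither matches the baseline.
$changedLog = $goodLog.Clone()
$changedLog[1] = 'deadbeefdeadbeefdeadbeefdeadbeefdeadbeef'
Test-MeasuredBoot (Get-ReplayedPcr $changedLog) $changedLog $baseline

# 3. Doctored log: the attacker submits the original log to look clean, but the TPM
#    will only quote the register it actually holds, so the replay gives it away.
Test-MeasuredBoot (Get-ReplayedPcr $changedLog) $goodLog $baseline
```

The two comparisons are deliberately separate: a mismatch between the log and the quote means the evidence itself is untrustworthy, while a mismatch against the baseline just means something in the boot chain changed (which could be a legitimate update), so a bank or a DirectAccess server can treat the two cases differently.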

A TPM also makes BitLocker full-disk encryption (which is now included in Windows 8 Pro as well as Enterprise) more secure: the TPM releases the key that unlocks the drive only if the boot components measured into it match the values recorded when BitLocker was turned on, so a tampered boot loader, or booting the PC from another operating system, never gets the key. Adding a PIN on top of the TPM means a stolen laptop can't even begin to boot Windows without it.
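To see where a given PC stands on the features in this section, the following added example (not from the article or from Microsoft) reports Secure Boot, TPM, Measured Boot log and BitLocker state. It assumes Windows 8 or later with the SecureBoot, TrustedPlatformModule and BitLocker cmdlets available (the BitLocker cmdlets need the Pro or Enterprise edition) and an elevated PowerShell prompt; the `Get-BootSecurityState` function name is ours.

```powershell
# Added example (not from the article or Microsoft): report the state of the
# boot-integrity features discussed above. Assumes Windows 8 or later with the
# SecureBoot, TrustedPlatformModule and BitLocker cmdlets, run from an elevated prompt.
function Get-BootSecurityState {
    $state = [ordered]@{}

    # Secure Boot is UEFI-only: the cmdlet throws on legacy BIOS firmware or when the
    # platform doesn't support it, which is itself a useful answer.
    try   { $state.SecureBoot = Confirm-SecureBootUEFI }
    catch { $state.SecureBoot = 'unsupported (BIOS or no UEFI Secure Boot support)' }

    # Measured Boot, virtual smart cards and BitLocker's TPM protector all need a
    # TPM that is present and provisioned for Windows to use.
    $tpm = Get-Tpm
    $state.TpmPresent = $tpm.TpmPresent
    $state.TpmReady   = $tpm.TpmReady

    # Windows writes one TCG-format measurement log per boot here when a TPM is in
    # use; an attestation service replays these to validate the values the TPM quotes.
    $logDir = Join-Path $env:SystemRoot 'Logs\MeasuredBoot'
    $state.MeasuredBootLogs = @(Get-ChildItem -Path $logDir -Filter '*.log' -ErrorAction SilentlyContinue).Count

    # BitLocker on the OS drive: protection must be on, and the key should be sealed
    # to the TPM (a Tpm, TpmPin or TpmStartupKey protector) rather than only a password.
    $os = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $state.BitLockerProtection = [string]$os.ProtectionStatus
    $state.TpmProtector = @($os.KeyProtector | Where-Object { $_.KeyProtectorType -like 'Tpm*' }).Count -gt 0

    # Overall verdict: the chain the article describes is only as good as its weakest link.
    $state.BootChainProtected = ($state.SecureBoot -eq $true) -and $state.TpmReady -and
                                ($state.BitLockerProtection -eq 'On') -and $state.TpmProtector
    return [pscustomobject]$state
}

Get-BootSecurityState | Format-List
```

A PC with a TPM but `SecureBoot` reported as `False` is the case to look for on machines that have been reimaged or had firmware settings changed: Measured Boot will still record what ran, but nothing stopped an unsigned boot loader from running in the first place.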

Easier Wi-Fi authentication

Better mobile broadband support in Windows 8 is great if you have built-in 3G or you want to pull out a dongle and pay for data, but Wi-Fi is nearly always faster and cheaper – it's just hard to find hotspots that you can connect to easily when you travel.

New standards that are on the way for roaming automatically onto Wi-Fi hotspots will make this easier; Next Generation Hotspot and Passpoint are the two main programs. With these, you'll automatically get logged onto a hotspot that you're entitled to use, based on the credentials from your SIM but without using mobile broadband (and there will be options for Wi-Fi roaming on laptops without SIM slots).

Currently, if you use a Wi-Fi roaming service you have to install software to get connected. Windows 8 has the important mobile authentication protocols built in: WISPr (Wireless Internet Service Provider roaming) and the three SIM-based EAP (Extensible Authentication Protocol) methods, EAP-SIM, EAP-AKA and EAP-AKA', so you'll be able to use new Wi-Fi roaming services without needing to install extra utilities.

The same goes for connecting to secure 802.1X Wi-Fi networks that use EAP with certificates today. Windows 8 adds EAP-TTLS, which sends the user's name and password inside a TLS tunnel, so the password never crosses the air in the clear, without you having to issue a client certificate (or third-party supplicant software) to every PC you want to connect. The network still needs a server certificate, and the one thing to get right is making clients validate it: a client that skips that check will happily hand its password to a rogue access point broadcasting the same network name. With that set, EAP-TTLS adds convenience without compromising security.