Windows 8 security for business

Hardly a week goes by without yet another data breach in the news; even if your business isn't a target for the kind of routine hacking attempts the government has been warning about, you need to care about whether your confidential information and your customer files are safe.

Additionally you need to care about malware on your users' PCs because at the very least it slows them down, interferes with your productivity and clogs up your network.

So what can security features can Windows 8 offer a business?

For a start, the way the Windows kernel allocates memory has been rewritten to make it harder for viruses to attack.

There are now much stricter limits on how much memory a program can ask for, malware has to work harder to request enough memory to overflow the buffer it's supposed to fit in without getting shut down. Additionally Windows 8 implements 'guard pages' around code, and if data overflows into the guard pages, or if the malware targets the wrong memory while it's trying to attack, then Windows can shut it down.

Memory allocations now start in random locations, rather than based on predictable locations or values that malware could change so it knows where the memory it wants to attack is. And when programs no longer need memory, Windows is more careful about keeping track of it so viruses can't hijack it.

One reason Windows 8 won't run on some older PCs is security; if a CPU doesn't support NX instructions (which mark memory used to store data as Non eXecutable so you can't run code from it), it won't run Windows 8. Unlike the similar Data Execution Prevention (DEP) in Windows 7, that works whether software is written to use it or not.

New Intel Ivy Bridge CPUs also have Supervisor Mode Execution Protection (SMEP or OS Guard as Intel calls it) to stop the CPU running any memory pages that are marked as 'user' (so just for data) rather than 'kernel'.

Malware protection from bootup

Having Microsoft's own anti-virus software built into Windows means PCs are protected as soon as you buy or upgrade them, and you will then have the same level of protection on all your PCs.

For a smaller office, that could be an improvement over getting an assortment of anti-virus software with each new PC you buy, especially as you don't have to worry about renewing licences at a different time for each system (or indeed, budgeting extra for PC anti-virus software).

If you choose to run different anti-virus software make sure it has the same Early Load Anti Malware as Defender (almost all the big name security software does but some commercial packages haven't added this yet).

ELAM loads your anti-virus software before Windows finishes booting, so before any malware that's already on the PC can interfere with it. And if it finds malware trying to interfere with the operating system it will automatically replace the Windows components from the internal Side by Side store.

Users don't get a warning is this happens, because the principle in Windows 8 is to only notify you when there's something you can actually do; instead it enters an event in the Action Centre and in the security log so you'll see it if you're monitoring PC security remotely.

Getting malware onto a PC will be a little harder now that the SmartScreen service is built into Windows; this is the reputation checking service for executable files that's in IE 9 and 10, but it now checks files you access from a network share or USB drive as well as executables you download with a different browser.

Instead of looking for virus signatures SmartScreen checks whether the file you're looking at is frequently and safely downloaded or if it's a new file that hasn't been seen before even though it has the same filename as a commonly used program.