Below is Part 1 of the Article “Windows 8 Security in Action” featured in this month’s issue of Hakin9 Exploiting Software:
Is Windows 8 the next operating system for your enterprise? In this article, we will take a quick look at Microsoft’s new OS – Windows 8. We will see some of the new security features that make it more secure than its predecessor, Windows 7. We will also put the security through its paces and see some of the possible issues that are new to the OS and some that have carried over from previous versions of Windows. From the Backtrack 5 r3 security testing platform, the author uses the Metasploit Framework and Social Engineering Toolkit to see how Windows 8 stands up to the most common internet-based threats.
The much anticipated (and debated) next version of Windows software is set to be released on October 26, 2012. Several pre-release versions were made available, and just recently Microsoft released a 90 Day Windows 8 Enterprise RTM (Release to Manufacturer) evaluation copy.
In this article we briefly cover the new look of Windows 8, which has caused some complaints from Enterprise entities and the media alike. We will then highlight some of the new security features, and finally, put them to the test.
From the Backtrack 5 r3 security testing platform, I use the Metasploit Framework and Social Engineering Toolkit to see how Windows 8 stands up to the most common internet-based threats. I also cover credential harvesting, Man-in-the-Middle and physical attacks against Microsoft’s latest OS.
So let’s get to it!
Windows 8 Overview
Figure 1 – The new, no longer called “Metro”, desktop
The first thing you will notice is the desktop change (Figure 1): you’re not in Kansas anymore, Dorothy. Catering to mobile touchscreen users, Microsoft has switched the desktop to this new tiled interface. This has caused a split amongst enterprise users; some seem to really like it, others want the standard desktop back.
Don’t get me wrong, the desktop we know and love is still there (Figure 2):
Figure 2 – The “classic” Windows 8 desktop
But if you look closely, the Start button is gone. If you move the cursor to the side of the screen, the new “start menu” will appear (Figure 3):
Figure 3 – The new “Start” bar
Yes, I know, it looks different, doesn’t it? Clicking the Start button on this menu takes you back to the Metro interface. Apparently Microsoft wanted a consistent look across their product platform: phones, tablets and desktops would all have the same “Metro” interface.
It is nice to know though that some things still look the same in Windows 8. The Control Panel looks pretty familiar (Figure 4):
Figure 4 – The Control Panel menu
Changes have been made on the server side also. The new Server 2012 has a GUI interface, but Microsoft is really pushing the use of the Server Core edition, which is configured from the command line only. So if you do server work, it is time to brush up on your PowerShell.
In essence, Windows 8 really seems to be an enhanced Windows 7, with a new interface. Everything that you could do in Windows 7 is there, somewhere, it is just a matter of finding its new location.
The New Security Features
Several security improvements have been made to Windows 8; a brief list of some of the new features includes:
- Windows Defender comes pre-installed
- Application download screening with SmartScreen
- Protection against buffer overflow and memory corruption/modification attacks
- UEFI / secure boot to help prevent rootkits and bootkits
- New password options
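Several of the features in that list are configurable, so a defender’s first question is whether they are actually switched on for a given machine. The following PowerShell audit is an added example written for this post, not code from the article; it assumes the SmartScreen setting is stored as the `SmartScreenEnabled` value under the Explorer registry key, that antivirus status is exposed through the `root\SecurityCenter2` WMI namespace, and that the commonly documented `productState` bitmask (bit 0x1000 = real-time protection on) holds.

```powershell
# Added example (not from the original article): report the state of the
# Windows 8 protections listed above. Run from an elevated PowerShell prompt.
# Assumptions: SmartScreenEnabled registry value, SecurityCenter2 namespace,
# and the productState bitmask interpretation are documented conventions,
# not an official API; treat them as assumptions on a given build.

function Test-SecureBoot {
    # Confirm-SecureBootUEFI throws on legacy BIOS / non-UEFI firmware,
    # which we report as "not enabled" rather than as an error.
    try { return [bool](Confirm-SecureBootUEFI -ErrorAction Stop) }
    catch { return $false }
}

function Get-DepPolicy {
    # DEP policy: 0 = AlwaysOff, 1 = AlwaysOn, 2 = OptIn (client default), 3 = OptOut
    $os = Get-WmiObject -Class Win32_OperatingSystem
    switch ($os.DataExecutionPrevention_SupportPolicy) {
        0 { 'AlwaysOff' } 1 { 'AlwaysOn' } 2 { 'OptIn' } 3 { 'OptOut' }
        default { 'Unknown' }
    }
}

function Get-SmartScreenSetting {
    # Assumed location of the SmartScreen setting (RequireAdmin / Prompt / Off)
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer'
    $value = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).SmartScreenEnabled
    if ($value) { return $value } else { return 'NotSet' }
}

function Get-AntivirusStatus {
    # Windows Defender (and any third-party AV) registers with Security Center.
    # Assumption: bit 0x1000 of productState set means real-time protection is on.
    Get-WmiObject -Namespace 'root\SecurityCenter2' -Class AntiVirusProduct |
        ForEach-Object {
            [pscustomobject]@{
                Product = $_.displayName
                Enabled = (($_.productState -band 0x1000) -ne 0)
            }
        }
}

$report = [ordered]@{
    SecureBoot  = Test-SecureBoot
    DEP         = Get-DepPolicy
    SmartScreen = Get-SmartScreenSetting
    Antivirus   = (Get-AntivirusStatus |
        ForEach-Object { "$($_.Product) (realtime=$($_.Enabled))" }) -join '; '
}
$report | Format-Table -AutoSize
```

A machine that reports `SecureBoot False`, `DEP AlwaysOff` or `SmartScreen Off` has lost the corresponding protection from the list above, whatever the OS version.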
Let’s take a closer look at the password options and some changes in the way Microsoft handles passwords.
You now have a couple of choices for login security options (Figure 5). You can use a password as always, but there are two new options: PIN and picture password.
Figure 5 – Windows 8 Account Sign-in options
The PIN option is not new to some users; just select a four-digit PIN and that’s it. The next time you go to log in, you will have a choice to log in via PIN (Figure 6) or your password:
Figure 6 – Login Prompt asking for PIN
The interesting one is the Picture Password (Figure 7). It requires a touchscreen interface, but with it you get to pick a picture and create a special password all your own. Once you choose the picture you want, you then record a series of finger swipes, circles and taps that make the final password.
Figure 7 – Picture Password Creation
How cool is that?