Windows 8.1 Security Improvements
Although it can be difficult to quantify the benefit of upgrading to the latest version of an operating system, one of the few things we universally agree on is improved security.
I know a lot of people are interested in that sort of thing, but unfortunately much of the security work goes under the radar in the general news outlets. Since it will undoubtedly form the basis of questions between now and launch, I thought I'd give a quick, distilled summary of what's new in Windows 8.1 and some of the objectives Microsoft claim to be heading toward.
We have of course the usual ASLR and DEP improvements that seem to come with every new release these days. This has the advantage of a) breaking lots of existing malware and b) raising the bar for new malware.
We also have a few more tangible talking points which I summarize below. The list isn't exhaustive but contains the bread and butter of what I think most people will find interesting.
TPMs, PTT & Device Encryption as standard
Microsoft are moving towards making TPM a Windows certification requirement for 2015, with a longer term view of making Device Encryption standard on all Windows computers.
People familiar with Device Encryption will know that it is unmanaged, so the recovery key has to live somewhere: it is stored in the user's SkyDrive, and protection is enabled as soon as an administrator on the device signs in with a Microsoft Account.
The new Haswell CPUs and some of the Atoms available currently have PTT (Platform Trust Technology) enabled, which is a firmware-based implementation of TPM. Microsoft are encouraging Intel to make this standard across all their processors.
Windows Defender
Microsoft have added network behaviour monitoring to Windows Defender in 8.1. This improves the heuristic detection of new malware for which signatures aren't yet available. An emphasis is being placed on a 'conservative' approach to reduce the likelihood of false positives.
Internet Explorer
For binary extensions (ActiveX etc.) it is common for malicious websites to send a payload that exploits a vulnerability in the control. Today these payloads are not scanned before being executed. In Windows 8.1, Internet Explorer is able to hand the file to the AV solution (Windows Defender or third-party products) for inspection before it is executed.
Biometrics
A long-term Microsoft goal is to eradicate traditional passwords. One of the first steps in achieving this goal is to incorporate native biometric authentication. The plan is to make this authentication method a 'first class' experience, which will hopefully make it the preferred method for users and thus drive OEMs to adopt the technology in more and more of their products (instead of limiting it to their higher-end business models).
By making this an option native to Windows, Microsoft can give users a consistent enrollment process instead of the current situation whereby third-party companies provide the drivers and the enrollment frameworks.
This will allow not only basic log-on scenarios in 8.1, but also UAC approval, and 'touch to purchase' options in the Windows store. App-specific security is now enabled, for example requiring biometric authentication to use certain features within the app, or even to launch the app itself.
Microsoft aren't alone in taking this path (Apple buying AuthenTec is not unrelated), so it's conceivable that it could be adopted more quickly than you think.
Remote PC Health Attestation
Or, in other words, remote analysis of system information to confirm the integrity of the system. Measured boot data, Action Centre status (anti-malware, firewall etc.) and hashes of third-party kernel-mode drivers are periodically sent to the cloud service for inspection.
If suspicious results are detected, Microsoft will notify the client with recommendations. If it is suspected that your Microsoft Account has been compromised, appropriate remediation notifications will be sent via alternative email, SMS etc.
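As an added example, not the page's or Microsoft's code, the following Windows PowerShell 4.0 script (Windows 8.1, run elevated) gathers the local equivalents of the evidence described in the Device Encryption and Remote PC Health Attestation sections: TPM readiness, whether the OS volume is protected and carries a recovery-password protector, and SHA-256 hashes of running non-Microsoft kernel drivers. It assumes the TrustedPlatformModule and BitLocker cmdlets are available, and its "is this a Microsoft driver" test (signer subject or file CompanyName) is a heuristic of this example, not how the cloud service classifies drivers.

```powershell
# Added example, not Microsoft's attestation code: gather the local evidence the
# page says Remote PC Health Attestation reports (TPM state, Device Encryption
# state, hashes of non-Microsoft kernel drivers). Elevated Windows PowerShell 4.0.
function Resolve-DriverPath {
    param([string]$PathName)
    # Win32_SystemDriver.PathName comes in several shapes; normalise to a real path.
    $p = $PathName -replace '^\\\?\?\\', ''            # \??\C:\... -> C:\...
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot   # \SystemRoot\... -> C:\Windows\...
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }  # system32\drivers\x.sys
    return $p
}

function Get-ThirdPartyDriverHashes {
    Get-CimInstance Win32_SystemDriver |
        Where-Object { $_.PathName -and $_.State -eq 'Running' } |
        ForEach-Object {
            $path = Resolve-DriverPath $_.PathName
            if (-not (Test-Path -LiteralPath $path)) { return }
            $sig     = Get-AuthenticodeSignature -FilePath $path
            $signer  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
            $company = (Get-Item -LiteralPath $path).VersionInfo.CompanyName
            # Inbox drivers are often catalog-signed and may show as NotSigned here,
            # so CompanyName is used as a second (heuristic) test for "Microsoft's own".
            if ($signer -match 'O=Microsoft Corporation' -or $company -match 'Microsoft') { return }
            [pscustomobject]@{
                Driver = $_.Name
                Signer = $signer
                Status = $sig.Status          # Valid / NotSigned / HashMismatch ...
                SHA256 = (Get-FileHash -Algorithm SHA256 -LiteralPath $path).Hash
            }
        }
}

function Get-HealthSnapshot {
    try { $tpm = Get-Tpm } catch { $tpm = $null }                                      # TrustedPlatformModule module
    try { $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive } catch { $vol = $null }  # BitLocker module
    # RecoveryPassword protectors are the ones the page says are backed up to SkyDrive.
    $recovery = if ($vol) { @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword').Count } else { 'unknown' }
    [pscustomobject]@{
        TpmPresent         = if ($tpm) { $tpm.TpmPresent } else { 'unknown' }
        TpmReady           = if ($tpm) { $tpm.TpmReady }   else { 'unknown' }
        OsVolumeProtection = if ($vol) { $vol.ProtectionStatus } else { 'unknown' }
        RecoveryProtectors = $recovery
        ThirdPartyDrivers  = @(Get-ThirdPartyDriverHashes)
    }
}
$snapshot = Get-HealthSnapshot
$snapshot | Select-Object TpmPresent, TpmReady, OsVolumeProtection, RecoveryProtectors | Format-List
$snapshot.ThirdPartyDrivers | Format-Table Driver, Signer, Status, SHA256 -AutoSize
```

Comparing the driver hash list against a known-good baseline taken from the same machine is the local analogue of what the attestation service does server-side.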
Cloud-based Certificate Crawler
Although not strictly an 8.1 feature, it's worthy of mention.
It's quite clear that Microsoft took the Flame attack very, very seriously. At the time they overhauled Windows Update within a few days, and almost certainly set to work immediately on technologies to help combat the threat going forward.
A lot of modern security systems are based on a tentative mixture of encryption and trust. The problem is, not all encryption is created equally, and chains of trust introduce weak links into the system.
Microsoft have created what I can probably best describe as a certificate 'watchdog', which crawls the web collecting certificates and analysing them for signs of suspicious activity and/or forgery. If a problem is detected, Microsoft will notify the owner of the certificate, who can then take appropriate action. This is platform agnostic and is a win for everybody, as we will all benefit from a more trustworthy certificate ecosystem.
So, that's a quick overview of the improvements. There is a bunch of other stuff relating to work folders and remote wiping, but if you're into that sort of thing you're going to want to do your own research.