Windows Security Deep-Dive for Tablets and 2-in-1s

Posted on 08 March 2014, Last updated on 02 February 2020 by

Computer and digital security has changed a lot since I left my job as a security architect for a major ISP many years ago. At that time we were adding very expensive intrusion prevention technology into server farms and now the same technology is being used in consumer security software built into low-cost operating systems. The knowledge, tools and methods available to the consumer are vastly improved and a lot easier but, as always, the hacking techniques are more complex, the potential for vulnerabilities is greater and the rewards for the attacker increase as consumers move more information and financial transactions online.

As users we need to become more aware of the risks but even more accepting of the new ways to increase our personal data and identity security. Some of the tools are easy to use, others require more effort, and all of them require the end user to trust a third party.

In this report I take a look at security on consumer-focused Windows mobile PC products and I compare the features available to common security requirements for individuals.

For author background and audience notes, see footnote. A consumer-focused summary is provided.

Contents

  • Consumer Summary
  • Overview of Consumer Computer Security
  • Elements of Consumer Computer Security
  • Consumer PC and Data Security Checklist
  • What’s NOT available in Baytrail-T tablets with Windows 8.1?
  • Windows 8.1 on Baytrail-T: Security Highlights.
  • Windows Defender. A Good Anti-Virus Solution?
  • Microsoft Live Account comes with Ease of Use, Increased Security Features…and Risk.
  • Top Three Windows 8 Tablet Security Tips
  • Summary
  • Windows 8 Security Resources

Consumer Summary

Windows 8.1 improves on Windows 7 security and on an InstantGo-enabled PC (more on InstantGo below) includes disk encryption. The features cover a good range of security but the consumer must trust Microsoft with personal data and keys in order to use the full range of features. Full disk encryption has never been seen on Windows at such a low price point and secure boot, online account tracking, built-in Trusted Platform Manager (TPM, and off-disk, off-memory secure storage chip,)  two-stage authentication with application passwords, built-in anti-virus, network activity detection, URL screening and firewall add to the package. Windows 8 Modern applications have a more secure ‘fenced’ space to run in and memory ‘locking’ features prevent many common exploits. Out-of-the box Windows 8.1 gives the average user a strong set of preconfigured tools and assuming the end user configures a strong password, the solution is acceptable.

A complete security package also includes post-hack/theft/loss-recovery tools and some of these are missing. Remote device tracking for cellular-data-enabled devices including management and lockdown is something that can be added via Windows 8 Pro and third party tools but consumers are starting to expect these solution through experiences in the smartphone world. Two simple features which we would have expected are missing: A locally encrypted password / personal data ‘locker’ and a secure file delete function.  Again, 3rd party software can add these features but these should really be part of the Microsoft package.

We tested McAfee Live Safe as an additional security tool and while the anti-virus is said to be much better than the built-in Microsoft Defender tool, the penalty in terms of load makes this a non-transparent solution on the Baytrail-T platform. Considering this is an Intel-owned company it’s surprising that there doesn’t seem to be a McAfee product that fits on this platform. For conusmers using more powerful platforms (for example Intel Core processors) the solution offers a good range of features and for those operating many personal computing devices, including smartphones, it offers useful device management tools.

If you are happy with trusting Microsoft with your data then we recommend Windows 8.1 on an InstantGo tablet (Baytrail-T / Atom Z-series is the main processor platform that provides this right now – products here.) and using the Microsoft Live account features to provide what we believe is one of easiest and transparent ways to achieve a very good level of online security. Disk encryption helps to secure data in case of device theft or loss.

If you don’t trust Microsoft and don’t use an online Live account, a large number of features are not available but even without disk encryption and the online account features, great advances have been made over Windows 7. When considering the risk associated with trusting a third party, also consider the risks associated with personal data and identity management.

Our tip for the next generation of Windows tablets is facial movement recognition (or some other ‘I am here’ authentication) as a second-stage login method. Advances in the detection of social engineering attacks will also be a big boost.

Top three security tips for Windows 8.1 users.

  • Ensure Microsoft Defender is enabled and Windows Firewall is enabled. It usually is on a new Windows 8.1 PC.
  • Use a Live account. Enable two-stage authentication and configure a strong Live account password. Enjoy full disk encryption, logging, application passwords and many other security enhancements and ease-of-use features.
  • Set up your Microsoft user account as a standard account, not an Administrator account. Configure a separate admin account (local, not Live) and when admin rights are needed, use these credentials.

The sections below provide much more detail on the above topics. Notes on McAfee Live Safe testing and further reading can be found at the base of this article.

Overview of Consumer Computer Security

Data, resource and identity security is important to all consumers. They want their private content to remain private, their identity to be used only by themselves and they want their resources (internet connection, hardware, electricity usage) to remain under their exclusive control. Of critical importance in the consumer security arena is simplicity but even more important is acceptance that consumers are very bad at being gatekeepers. In most cases the user is the weakest link in any security strategy and some elements of consumer security should be trusted to third parties. This does not remove risk, of course, but it can reduce risk if a trusted and expert third-party is involved. In addition to protection the consumer needs alerting and a lock-down/recovery procedure.

Elements of Consumer Computer Security

Expanding on the simple requirements laid out above we can create a list of consumer security requirements.

  • Personal data, key and ID management (Stored data protection. Including documents, passwords, personal identity information.)
  • Protection of remotely stored information (cloud docs, information stored by third parties, information stored on local network devices.)
  • Resource management (network misuse, CPU misuse, storage misuse)
  • Reduction of blackmail and social engineering threats.
  • Reducing the need for (often weak) passwords by using personal biometric identification (voice, finger, face, personal knowledge, personal presence.)
  • Protecting channels used to transfer data (screen scraping, keyboard logging, data transmission channels.)
  • Protection from snooping (web cam, mic, keyboard logging.)
  • Alerts for suspicious activity.
  • Provide ability to ‘lock down’ when compromised.
  • Recovery of data after lock-down.

..and one element of policing that could help – Remote identification and reporting of new threats and identification, logging and reporting of criminals to assist in prosecution.

Consumer PC and Data Security. (A Checklist)

Anti-virus is obviously the first on the list of security topics for most consumers. They are generally aware of what a virus is and anti-virus software is well-marketed but it’s a small element in the overall security ‘package’ that most consumers must deploy. A strong local password is of major importance and remember, if your PC is only used at home it’s less risky to create a long complex password and write it down than it is to have a short but memorable password. Ultimately consumers should be implementing two-stage authentication that includes an ‘I am here’ tool.

Consider the following tools and methods (which are in no particular order) in the consumer security architecture.

  • Disk encryption helps to avoid access to data without encryption keys or login details but remember that trojan software generally works behind a login and in a pre-authenticated environment. Disk encryption is of most use when a device is lost or stolen.
  • Secure Boot check and UEFI password. Stop people booting a PC with an unauthorized OS or installing boot-loader software.
  • Login password.
  • Authorization of removable devices and applications.
  • Automated system updates (security patching.) Microsoft have now been doing this for 10 years.
  • Per-application ‘child’ passwords with remote password reset. Microsoft uses this for a growing number of Windows 8 applications.
  • Cloud-stored password (and ability to change via another PC.) When devices are connected to the internet the password is checked against a central store. You have the ability to change to central store and lock out devices (assuming they are connected to the Internet.) On this note it is arguable that you should have a 3G/4G-connected device with a SIM card that remains connected to the Internet after being stolen. Wifi-only devices will not remain connected to the internet after being stolen.
  • Account use logging (time, location, device, reviewable off-device at a central location.) Allows IP and location tracking. GPS in a device would allow fine control of tracking. 3G/4G is generally not good for IP location tracking and should be combined with GPS (as it often is on Windows PCs.)
  • Alert via SMS /email if the provider is able to detect unexpected behavior. (This is included in Microsoft Live account features.)
  • Remote kill or remote wipe (when a device has been compromised or is being attacked.) Windows 8 Pro has a concept of ‘wipe important data only’ and anti-tamper measured but that is beyond the scope of this article.
  • Anti-Virus / Anti spyware (scanning of existing files on disk)
  • Anti-virus / Anti spyware of files being downloaded or copied. (scan / check against blacklist or sandbox activity testing before making available to consumer.)
  • Firewall (basic port blocking in/out)
  • File archiving. See File History on Windows 8 which continuously archives (not backup-overwrite) copies of local documents on a removable or network drive.
  • Encrypted password storage (local or cloud-based) for non-PC pin numbers and account numbers, personal ID information.
  • Secure document storage (local or cloud access) with transport security. Client-side encryption helps. E.g.  Wuala.com, and local-country (or remote country, depending on requirements and laws) storage might be something to consider.
  • Website blacklist check. File blacklist check. (E.g. Smartscreen on IE11 and in Windows 8 core.)
  • Browser activity monitoring. E.g. Alerting when data sent data over non-encrypted channels or when man-in-middle attack possibility is detected. (No forward-security.)
  • Memory locking and random memory usage. (Windows DEP and Windows ASLR)
  • User account permissions. (Users should run as a Standard user, not with elevated Admin privileges.)
  • Secure Browser form data storage and retrieval (reduces use of keyboard and risk of keystroke logging. Reduces possibility of screen buffer snooping in some cases.)
  • Automatic update (patching vulnerability) NEVER turn this off! (You can mark a network interface as  a ‘Metered Connection’ to prevent updates affecting experience or costs; For example, 3G/4G data links.)
  • Per application peripheral access. E.g. Can an app access network, webcam, mic, be a background task?
  • Resource monitoring and alert  (high CPU, startup programs, memory usage, network usage.)
  • Online content safety (E.g. child-protection /parental control. Similar to URL screening.)
  • Secure file delete.
  • Reducing 3rd party application usage. Example: Use IE11 Modern app to reduce risk of infection through plugins like Java. Use Microsoft Reader which is auto-updated by Windows Update. Windows has a huge suite of built-in apps. Consider testing these before jumping to an over-complex solution.
  • Auto-Sandboxing applications either before deployment or during runtime.

Advanced methods starting to appear in consumer solutions.

  • Intrusion prevention (network packet vulnerability analysis.)
  • Biometric access

Windows 8.1 Consumer Products: Security Highlights

There’s a very rich set of security tools in the basic Windows 8.1 build (not the Pro or Enterprise versions.) These features are all free.

  • Secure boot and boot configuration (UEFI configuration) password protection on new Windows 8.1 products.
  • Soldered (non-removable) eMMC storage (disk) on some devices (mostly Baytrail-T products)
  • TPM2.0 for secure on-device (off-memory, off-disk) storage of some system keys, certificates and passwords. (Not for general use by the user.)
  • Cloud-based central authentication, logging, location logging when using a Microsoft Live account.
  • Windows Live 3rd-party account management. E.g. Facebook, Twitter, Flickr, Google. This reduces per-app 3rd-party account management and provides a central way to disconnect all apps from all applications on all devices in a quick and efficient way. It also means that when changing a service password (.e.g Twitter.) only the connection at the Live account needs to be re-authorized thus making it easier to manage.
  • Two-stage app and Live.com authentication via SMS, email or authenticator app.
  • Generate separate app ‘child’ passwords and provide control under Live.com (to avoid using main account password with applications.)
  • Windows 8 Modern Apps and IE11 Browser tabs are sandboxed. (For more info search for: AppContainer)
  • Firewall – application and port-based filtering. Network packet analysis. Logging. On by default unless OEM has installed third party alternative.
  • Windows Defender Anti-Virus solution.
  • User account control and account access levels.
  • Save documents and images to OneDrive (was SkyDrive) by default. (A backup and remote availability feature. Arguably less secure due to multiple copies of files being stored and distributed.)
  • Random memory writing and ‘No Execution’ memory locking.
  • File History (archiving and backup .)
  • Secure data wipe. (Windows 8.1 full restore.)
  • Simple password store (User Credential Manager or ‘Windows Vault’) that is synchronized across devices using the same live account. (This is for desktop only and not accessible or available for modification in a Live account.

InstantGo and Disk Encryption

InstantGo (which used to be called Connected Standby or Always-On Always-Connected) is a feature that allows Windows 8 Modern applications and services to run when the PC is ‘off.’ It removes the need for traditional PC ‘sleep’ and works in a way similar to a smartphone when the screen is off. A very low power state can keep the PC connected to a WiFi or 3G for many days at a time and administer strict control on an applications ability to use PC resources in that mode. It also enables an additional security feature: Full disk encryption (based on Bitlocker AES encryption) when used in combination with a Microsoft Live account.

Bitlocker can be a complex beast on Windows professional products but what Microsoft have done with Windows 8.1 is to make it simple. If you have an InstantGo / Connected Standby capable device with UEFI Secure Boot enabled and you use a Microsoft Live account to log in the drive is automatically encrypted. Disk encryption brings advantages when PCs are lost or stolen as, assuming you didn’t configure the screen to remain unlocked for hours, your data is safe. Many of the InstantGo tablets targeted at consumers have soldered disks so there’s little risk of the disk being removed but even when the PC is booted into a recovery mode the recovery keys are needed to unlock the drive. We’ve tested that and it works.

Recovery keys are stored in your Microsoft Live account so you’ll need to be happy about that before you use Bitlocker and as we pointed out in our Top Three security tips it makes sense to be using two-stage authentication on your account.

A secondary advantage of an encrypted drive is that even if a drive is restored, using the recovery key, to an unencrypted original state without a sanitizing data-wipe, there will be no usable data on the drive. We tried to perform what you might call an ‘emergency wipe’ by clearing keys and clearing the TPM but standard tools didn’t work. If your aim is to prevent authorities accessing your data though, remember that there is often a legal process for authorities to be able to get copies of recovery keys. It is possible to delete the recovery keys in your live account as as the encryption process never reveals them to the user or gives an offline backup option there’s an interesting case where one could say “Sorry, I can’t remember the 42 character key I’ve seen. I deleted the online version out of fear.”

Disk encryption doesn’t add any noticeable drain on the PC or slow it down as the encryption and decryption is done in dedicated hardware so as long as you’re happy with Microsoft being the gatekeeper, it’s an advantage.

Note: You might want to add a password to the UEFI interface for additional security so that Secure Boot can’t be turned off.

List of InstantGo-enabled Windows 8.1 devices.

All Windows-on-Baytrail-T (Atom Z-Series) devices are InstantGo enabled with UEFO and Secure Boot. Some Ultrabooks (Haswell Core i3, i5, i7) too. As yet there aren’t any AMD-platforms that support this and we’ve yet to see any Baytrail-M (Celeron, Pentium) based products.

What’s NOT available in Baytrail-T tablets with Windows 8.1?

Here’s a list of features that aren’t supported well, or not supported at all on the consumer-focused Windows 8.1 tablets and 2-in-1s

  • Cloud-based storage (One Drive) does not perform client-side encryption. Files are stored encrypted in the cloud but can be accessed through legal process. (Actually, the same applies in some countries if you control your own encryption keys but there may be a time-delay or level of difficulty that is in the users favor. This topic goes beyond consumer security though. )
  • No 2-stage Windows 8.1 user login. (Authenticator app, face, voice could be useful, even when offline.) In my opinion this is one of the weak points in Windows security for consumers considering the weak passwords that are often used. We hope to see future Windows tablets coming with biometric-enhanced login or some other ‘physical presence’ login features. Tip: Yubico is interesting. $25 for a key. Free Windows s/w for two-stage login.
  • No Identity Protection Hardware on low-end Windows 8.1 PCs to prevent screen-buffer grabbing. (Intel IPT is a Core CPU feature and it is arguable that this is beyond consumer requirements.
  • No remote access (Remote Desktop is only on Windows 8 Pro. VPro tools are a high-end Core-CPU feature.) Remote assistance is available. [This is a management feature rather than security feature and in some cases could be a security risk if it was enabled and a users password was compromised.]
  • No remote kill / disable. Remote kill generally only works when a device is stolen and still connected to the internet, which requires login first or auto-connect to open WiFi (itself a security risk.) Two-stage authentication can help and you should untrust all your devices first from your Microsoft Live account. Clear guidelines from Microsoft on how to force logout or lock a device (assuming it’s connected to the internet) would be helpful along with advice on how TPM implments ‘anti-knocking’ lockout features or ‘max failed passwords – remove encryption keys’ feature. 3G data module would help with remote kill.
  • No device-based tracking (only account login tracking.) Login tracking only uses IP for location tracking. (Useless when 3G/4G module is in use.)
  • No ability to reset application passwords. (Although a full password reset might do this. The information on this topic is not clear.)
  • No secure Recycle Bin or file deletion. (Although this is an option on full device reset via Windows 8 Restore.)

Windows Defender. A Good Anti-Virus Solution?

My opinion: There are two trains of thought with Microsoft Defender. On one hand it’s a reasonable (but not generally accepted to be ‘good’) anti virus solution that is on by default (assuming an OEM has not installed AV trialware – a security risk when the trialware runs out) and is transparent to the end user. The other train of though is that it’s not the best A/V solution and may leave the user more open to attack than on other A/V solutions. Again, my opinion: On Windows 8.1 tablets with Baytrail-T the high-end A/V solutions may not be transparent and could affect the user experience. (Memory usage, CPU usage, battery life impact.) Defender is getting better too. V4.3 now includes network traffic analysis as well as file analysis for example. I am personally happy with Defender being able to reduce much of the risk through virus attack while leaving me with a usable tablet experience. AV-Test.org is a good place to get information. Currently Bitdefender and Kaspersky solutions are listed as offering efficient high-grade protection but these have not been tested by us.

Microsoft Live Account comes with Ease of Use, Increased Security Features…and Risk

Personal opinion and experience from Chippy:

Do you want to manage your own security or do you want to choose a trusted partner to do that? In general we, as consumers, are terrible at security. I have proven to myself, a security-aware person, many times that I am more of a risk to myself than if I was to trust a third party who’s business it is to manage security. With managed security comes ease-of-use, continuous improvement and, sometimes, a service level agreement [Not in the consumer space though.] What I do risk is placing my data with an entity that could be a target. There is no doubt that MS is a target. Microsoft is also, however, an entity that must adhere to US business security requirements and legal requests for release of data. Microsoft is also storing my data in another country which could (but I don’t know for sure) be a security risk. On a personal level, the theft of personal data is important but in a mass data theft there is often time before your data is used, quicker alerts on the theft of data and automated processes that take place to reduce the risk after the theft. Example: Chase implemented credit card restrictions after a recent data theft at Target.  Personal data theft is often quick, requires a user to notice and also requires a user to have a quick process to lock-down after theft. That lockdown ‘process’ is, in my opinion, not something a consumer has knowledge of and because of that I am happy to give Microsoft control via the Live account and two-stage authentication to reduce my overall risk.

On the question of NSA data access: While this is worrying on a global level, on a personal level, I don’t rate NSA’s possible data access as a risk to my normal daily life. I don’t associate it with theft of financial data or of identity theft or of profit-by-sale and therefore government access to my data is considered by me to be low risk.

Top Three Windows 8.1 Security Tips for Consumers

  • Ensure Microsoft Defender is enabled (Firewall is less important if you are on a trusted home hotspot but there’s no disadvantage in enabling it.)
  • Use a Live account. Enable two-stage authentication and configure a strong Live account password. Enjoy full disk encryption, logging, application passwords and many other security enhancements and ease-of-use features.
  • Set up your Microsoft user account as a standard account, not an Administrator account. Configure a separate admin account (local, not Live) and when admin rights are needed, use these credentials.

Best efforts have been made in the creation of this document but please be aware that there’s a risk of errors. If you see an error, experience an issue or have additional information you think might be useful to users, please add it in the comments below and it will be considered as an update to this report.

Final Tips for security on Windows Tablets

  • Don’t use public, open WiFi hotspots. Windows tablets with 3G are great at mimicking a hotspot while collecting all the data that passes through them!
  • Reduce the number of devices and amount of 3rd-party software you use.
  • If you are thinking of upgrading to Windows 8 from Windows 7, consider buying a new device with UEFI and InstantGo support. You’ll get Secure Boot and free Hard Disk Encryption.

If you use an authenticator app for two-stage authentication, ensure that you can remote-wipe your phone if it gets stolen or lost.

Windows 8 Security Resources / Further Reading.

Note: This article is focused on security for consumers and independent professionals although it is not necessarily written for that target group to read. (A Consumer Summary is available in the article.)  I am not a certified Windows security professional although I am certified in some other areas of security and have worked in various IT security positions. This article has not been peer-reviewed. Product mentions and links in this article are not endorsements. This article is not sponsored. Only Windows 8.1-based PC products are considered in this document. This is not a comparison of Windows 8.1 security against other vendors offerings.

5 Comments For This Post

  1. Peprita A. Heart says:

    Thanks for assembling all the data and making it available.

  2. dizi says:

    I prefer to run a 3rd party security suite but sometimes it can be impossible to switch vendors when the one you’re using has gone down in tests (ie. MSE used to be one of the best but now it’s one of the worst) or another suite has significantly beat it. These suites are so embedded into your system, uninstalling them can cause a lot of damage. I experienced this with McAfee, Symantec, Kaspersky and others.

    Sometimes, they can cause problems with legitimate software. I experienced this with McAfee.

    Oh well, these are just the trade-offs trying to secure your PC when common sense wasn’t enough (ie. browser/OS exploits spread by website ads).

  3. ravellar says:

    Hi Chippy , any news on this device Zlate 11 ? I received some info from friends that it looks good and I have visited their website and looks quite impressive . Any advice on it ?

  4. Rex says:

    Anyone know a good malware file scanner for Linux? Something that can detect malware for multiple platforms.

    Thanks!

  5. peanuts says:

    I run Windows 7 virtual machines and used MSE and MalwareBytes Pro (only because I got a $10 lifetime license) ever since MSE used to be considered one of the top (too bad it supposedly has fallen to the bottom now). Currently, if I get hit, I figured I’ll just restore a known good backup of the VM. Although, not being a security expert, I’d probably not know if I’ve been infected. Sometimes, malware doesn’t consume lots of CPU, memory, internet bandwidth, etc. to be noticeable by non-experts. Maybe that’s why I haven’t needed to restore from a backup.

    I plan on getting an 8″ Windows 8 tablet with an active digitizer and deciding on changing the security software I use for it and my VMs. Out of the top suites from AV-Test and AV-Comparatives for performance and protection (like Bitdefender, Kaspersky, Avira, F-Secure, etc.), which ones have a better track record of not breaking your system when uninstalled?

    Like another commenter, I’ve seen security suites mess up a system when uninstalled to switch to a different vendor. In particular, I’ve seen this with people using Symantec Norton 360 and Internet Security. After uninstallation and a reboot, one or more of the following occurred: the Ethernet connection won’t connect, DNS settings won’t get updated by DHCP, DHCP just doesn’t work, blue screens, crashes, non-booting OS, the other anti-malware software won’t install, etc. Symantec even has a removal tool but that didn’t work. These PCs were working fine before the uninstall.

    For cloud backup, what are people’s thoughts on using Amazon S3? I’ve been using OpenSSL to encrypt my local backup files and upload them to Amazon S3. The large backups get automatically transitioned to Amazon Glacier for cheaper storage but slow and possibly expensive recovery.

Search UMPCPortal

Find ultra mobile PCs, Ultrabooks, Netbooks and handhelds PCs quickly using the following links:

Acer C740
11.6" Intel Celeron 3205U
Acer Aspire Switch 10
10.1" Intel Atom Z3745
Acer Aspire E11 ES1
11.6" Intel Celeron N2840
Dell Latitude E7440
14.0" Intel Core i5-4200U
Acer TravelMate B113
11.6" Intel Core i3
Lenovo Ideapad Flex 10
10.1" Intel Celeron N2806
ASUS Zenbook UX305
13.3" Intel Core M 5Y10a
HP Elitebook 820 G2
12.5" Intel Core i5 5300U
Dell Chromebook 11
11.6" Intel Celeron 2955U
WiBrain B1H
4.8" VIA C7-M