It's no secret that Windows XP is nearly six months away from its formal end-of-life support from Microsoft. Although many IT organizations have begun the migration to Windows 7 and some are testing Windows 8, a very large percentage of companies have made little effort to move from XP.
I believe users will prefer Windows 7 because it's more familiar and has fewer big changes to stress about compared to Windows 8 or its newly released update, Windows 8.1. Plus, few PCs have touch capability, which is important because using Windows 8 on nontouch PCs is awkward. But there's an important reason to consider moving to Windows 8.1 despite the greater comfort of using Windows 7: Windows 8.1's better security.
According to Dustin Ingalls, group program manager at Microsoft for Windows security and identity, one of the major problems enterprises face today is the hit-or-miss security functionality seen in users' PCs. For example, many PCs don't have a Trusted Platform Module (TPM) chip, which is required to encrypt a Windows 8 PC's contents via Microsoft's BitLocker encryption technology. A TPM is also required to support InstantGo (previously called Connected Standby), which keeps Metro data, apps, and tiles updated with current information through a network connection that allows automatic syncing. Microsoft is pushing for TPM 2.0 to be required on all devices by January 2015, but there's no such requirement for today's devices.
All editions of Windows 8.1 (including the RT version) now support BitLocker encryption using both TPMs and the hardware-level UEFI protection approach. The trick is to make sure your PCs are InstantGo-certified so that you can take advantage of the encryption. Microsoft is also working on biometrics for both touch and swipe readers. "The goal is to move toward biometrics for everything from the Windows Store app to logging into secure sites, as well as your OS itself," Ingalls says.
Multifactor authentication is also enhanced in Windows 8.1 with virtual smart cards (VSCs), which use the TPM to provide two-factor authentication, just like a physical smart card does. One factor is the password or PIN; the other is the VSC, with the private key stored on the system's hard drive.
Windows Defender has been enhanced with network behavior monitoring to help stop the execution of malware. Sometimes malware is known, other times it isn't, so Defender now looks at "bad behaviors in memory, the registry, or the file system, even before signatures have been created," Ingalls says. In addition, Internet Explorer 11 scans binary extensions (ActiveX, for example) in use before potentially harmful code runs. In contrast, pre-Windows 8.1 systems may allow malicious sites to exploit vulnerabilities in binary extensions like ActiveX controls. Additionally, IE's Enhanced Protection Mode is now enabled by default in the Windows Desktop version of IE. (It was autoenabled in the Metro edition in Windows 8.0, as it still is in Windows 8.1.)