Companies deploying cloud-based services have discovered how complicated authentication can be. Each cloud service
requires a different username and password combination along with multiple types of secondary authentication options, including tokens and certificates. This complexity can create other security risks as users implement common workarounds such as Post-it Notes stuck to monitors and underneath keyboards.
Security technologies have been evolving to provide simplified authentication methods for cloud services. Security Assertion Markup Language (SAML), OAuth and OpenID are some of the leading standards that provide single sign on capabilities for cloud-based applications. Google, Facebook and Microsoft all offer these open-standard APIs that allow authentication to third-party websites utilizing their accounts, for example. These systems have been very successful in creating simple, user-controlled authentication for Web-based applications and services. However, these authentication methods have seen much slower adoption in the enterprise than in consumer services.
Microsoft has been enviously observing the changes in the way people authenticate to services in the cloud with their Google or Facebook account. The company released a second preview of the latest version of its flagship Windows operating system on Feb. 29 that includes an interesting new Windows 8 authentication feature to help steer users back into the Microsoft ecosystem. It’s easy to miss the fact that Microsoft included the ability to authenticate to Windows using a Web-based Microsoft ID because most of the news about Windows 8 has been focused on the new Metro user interface. However, the ability to login to Windows 8 with a Hotmail account could be considered just as revolutionary as the polarizing Metro UI changes.
The idea of using an account from a Web-based service to login to a device is not new. Google used this same model to authenticate to Chromebooks since their launch, and Apple recently integrated its iCloud accounts into OS X Lion, and even allows the ability to reset local Macintosh account passwords. However, Microsoft’s approach is even more daring than Apple’s or Google’s because of the compatibility requirements inherent with such an enormous ecosystem like Windows. Microsoft has been developing and marketing Active Directory-based authentication to businesses since Windows 2000. It’s safe to assume Microsoft wants to preserve its market share in these business-owned, private clouds while expanding into the hybrid and commercial cloud markets. Success with Windows 8 will be largely based on how well Microsoft can balance the legacy Active Directory model with the new cloud-based authentication model. Let’s look at how the new Windows 8 authentication feature works and the potential risks enterprises will need to consider.
Windows 8 authentication evaluation
The best way to evaluate how Microsoft is progressing in building this new authentication model was to get hands-on with Windows 8. This evaluation was based on Windows 8 Consumer Preview Build 8250, so features and functionality could still change before the final release. The Windows 8 test PC was added to a Windows 2008R2 domain to evaluate interactions with Active Directory.
Windows 8 asked for a Microsoft ID during the first boot while setting up initial user identification; this account can be any of the @hotmail, @live or other Microsoft online properties. Microsoft has accomplished this by adding the @hotmail account as what was traditionally referred to as a local user account. This account was added automatically to the local administrators group, giving it full control over both hardware and software on the machine. This type of user account will look familiar to any experienced Windows desktop technician. At this point, the security/usability balance Microsoft needs to maintain between the new and old authentication models looks achievable.
The next part of the test was to add the PC to the Windows 2008R2 domain and evaluate how these two different security realms were kept separate from each other. This is certainly a risk that enterprises are going to be interested in understanding: Can a Hotmail account access company resources on an Active Directory domain? The answer is clear based on the fact that these Microsoft IDs are handled like standard Windows local user accounts; Local accounts cannot access Active Directory resources so network-based company
assets are safe.
Windows 8 authentication cloud model risks
It’s still important to consider the inherent risk when the local account is configured as an administrator over the local machine, which is still the default. This would allow the Microsoft ID to access files that exist in other users’ directories on the machine and also have access to the offline hashes of the Active Directory accounts cached on the machine. This level of access would allow the Microsoft ID to run various types of password-cracking utilities against these accounts. This is not a new risk as local administrators have always had this capability; the Microsoft ID just adds another variable that will be important for enterprise customers to consider during Windows 8 deployment.
Another risk that will be important to companies to think about when rolling out Windows 8 is the way settings can be synchronized to the Microsoft ID account. Active Directory accounts can be connected to a Microsoft ID, which allows certain settings to be synchronized regardless of the PC the user logs into. These settings only contain desktop customizations, browser settings and other preferences, but the risk would involve potential loss of confidential company information through synchronizing browser favorites or other metadata. The Microsoft Live ID also has access to Microsoft SkyDrive, which could allow employees to leak company data if not configured properly through policies.
There is a new feature that has been added to Windows 8 that could help consolidate credentials to other cloud-based services and boost security. The Credential Manager is located in the Control Panel and allows users to store their external usernames and accounts, which includes multiple Windows-based credentials and certificates. This feature is similar to the Keychain function in Apple OS X and would be a vast improvement over the Post-it Note solution in place in so many organizations. Credential Manager could potentially make Windows 8 the preferred operating system for accessing cloud-based applications.
Windows 8 authentication complications
Ultimately, there is a downside to Microsoft attempting to maintain the legacy Windows authentication model with the cloud-based authentication model: Configuring and maintaining both systems is extremely complex. Windows 8 has multiple locations where the overlapping configuration options are located for both authentication models. This complexity could cause misconfigurations that lead to users or devices with inappropriate levels of security. This complexity is especially obvious when Windows 8 is compared to the newer authentication models used by Google and Apple. It’s clear from testing Windows 8 that the future of authentication will be cloud-based. Microsoft has tried to leapfrog competitors by bolting on cloud-based authentication to its flagship Windows operating system. There is still the need for the creation of more controls and management tools for companies to fully adopt cloud-based authentication. Microsoft is in a unique position to offer these types of tools, which would allow companies to fully embrace the new model. It would also provide a gateway from which users could easily migrate to Microsoft’s cloud-based services such as Windows Azure and Office 365. It’s still early in the Windows 8 development cycle with a release rumored for October. Time will tell if Microsoft takes the lead in cloud-based authentication.
About the author:
Joseph Granneman, CISSP, has over 20 years in information technology and security with experience in both healthcare and financial services. He has been involved in the Health Information Security and Privacy Working Group for Illinois, the Certification Commission for Health Information Technology (CCHIT) Security Working Group, and is an active InfraGard member.