Stuart Aston is the Chief Security Advisor for Microsoft in the UK and runs the Government Security Programme and the Security Co-operation Programme.
Late last week CESG replaced their guidance on the use of Windows 8 with guidance on Windows 8.1, available here. The update is significant, partly because of the changes, but mostly because of how quickly the update was issued. Under previous guidance processes, it was unlikely that an interim release would have been published at all.
The new guidance itself retains the same crisp, lightweight approach. So what has changed?
The new guidance allows customers to evaluate the risks of an operating system in line with the system’s ability to support organisational requirements. The customer can make their own decisions about what risks they care about, in line with the business functionality they want to deliver. So we could say that we have fewer serious risks than other desktop operating systems, with Windows 8.1 Enterprise -- and we do. But that statement on its own is meaningless. Security in the abstract is redundant without an organisational context.
An office’s organisational context is an assessment of the capabilities an office needs to function, balanced against its tolerance for security risks. Out of the box we deliver all the functions needed to run your office securely, letting you run legacy and modern applications with minimal effort. You can also store data securely on your device, communicate with your infrastructure securely and be protected from malware using Secure Boot (requires UEFI-compatible hardware) and AppLocker.
We think all of those features make Windows 8.1 the best choice for your organisation’s security. But you don’t have to take our word for it. Check out the guidance, consider your organisation’s application and security needs – and then decide for yourself.
The use of a Foundation grade VPN together with the firewall policies suggested within the guidance will render an end user device unable to use internet connections which feature a 'landing page' (Captive Portal). These landing pages require some information (acceptance of Ts&Cs, credentials or payment) to unlock access.
In addition, most organisations will use content management and web proxying to ensure corporate web browsing policies are adhered to on corporate devices. This too could interfere with access to a landing page.
Fortunately, COTS solutions to this issue exist which enable the captive portal to be handled on a smartphone or tablet and the 'unlocked' internet connection to be used to establish a secure connection.