2014-03-08

Computer and digital security has changed a lot since I left my job as a security architect for a major ISP 8 years ago. At that time we were adding very expensive intrusion prevention technology into server farms and now the same technology is being used in consumer security software built into low-cost operating systems. The knowledge, tools and methods available to the consumer are vastly improved and a lot easier but, as always, the hacking techniques are getting more complex, the potential for vulnerabilities is greater and the rewards for the attacker increase as consumers move more information and financial transactions online.

As users we need to become more aware of the risks but even more accepting of the new ways to increase our personal data and identity security. Some of the tools are easy to use, others require a little bit more effort an all of them require the end user to trust a third party.

In this report I take a look at security on the latest consumer-focused Windows 8.1 mobile PC products and I compare the features available to common security requirements for individuals. I also take a look at a commercial solution from McAfee that is designed to improve on the standard Windows 8.1 offering.

For author background and audience notes, see footnote. A consumer-focused summary is provided.

Contents:

Consumer Summary

Overview of Consumer Computer Security

Elements of Consumer Computer Security

Consumer PC and Data Security Checklist

What’s NOT available in Baytrail-T tablets with Windows 8.1?

Windows 8.1 on Baytrail-T: Security Highlights.

Windows Defender. A Good Anti-Virus Solution?

Microsoft Live Account comes with Ease of Use, Increased Security Features…and Risk.

Top Three Windows 8 Tablet Security Tips

Supplementing Windows 8.1 Security With McAfee Live Secure.

Summary

Windows 8 Security Resources.

Consumer Summary.

Windows 8.1 improves on Windows 7 security and on an InstantGo-enabled PC (more on InstantGo below) includes disk encryption. The features cover a good range of security but the consumer must trust Microsoft with personal data and keys in order to use the full range of features. Full disk encryption has never been seen on Windows at such a low price point and secure boot, online account tracking, built-in Trusted Platform Manager (TPM, and off-disk, off-memory secure storage chip,)  two-stage authentication with application passwords, built-in anti-virus, network activity detection, URL screening and firewall add to the package. Windows 8 Modern applications have a more secure ‘fenced’ space to run in and memory ‘locking’ features prevent many common exploits. Out-of-the box Windows 8.1 gives the average user a strong set of preconfigured tools and assuming the end user configures a strong password, the solution is acceptable.

A complete security package also includes post-hack/theft/loss-recovery tools and some of these are missing. Remote device tracking for cellular-data-enabled devices including management and lockdown is something that can be added via Windows 8 Pro and third party tools but consumers are starting to expect these solution through experiences in the smartphone world. Two simple features which we would have expected are missing: A locally encrypted password / personal data ‘locker’ and a secure file delete function.  Again, 3rd party software can add these features but these should really be part of the Microsoft package.

We tested McAfee Live Safe as an additional security tool and while the anti-virus is said to be much better than the built-in Microsoft Defender tool, the penalty in terms of load makes this a non-transparent solution on the Baytrail-T platform. Considering this is an Intel-owned company it’s surprising that there doesn’t seem to be a McAfee product that fits on this platform. For conusmers using more powerful platforms (for example Intel Core processors) the solution offers a good range of features and for those operating many personal computing devices, including smartphones, it offers useful device management tools.

If you are happy with trusting Microsoft with your data then we recommend Windows 8.1 on an InstantGo tablet (Baytrail-T / Atom Z-series is the main processor platform that provides this right now – products here.) and using the Microsoft Live account features to provide what we believe is one of easiest and transparent ways to achieve a very good level of online security. Disk encryption helps to secure data in case of device theft or loss.

If you don’t trust Microsoft and don’t use an online Live account, a large number of features are not available but even without disk encryption and the online account features, great advances have been made over Windows 7. When considering the risk associated with trusting a third party, also consider the risks associated with personal data and identity management.

Our tip for the next generation of Windows tablets is facial movement recognition (or some other ‘I am here’ authentication) as a second-stage login method. Advances in the detection of social engineering attacks will also be a big boost.

Top three security tips for Windows 8.1 users.

Ensure Microsoft Defender is enabled and Windows Firewall is enabled. It usually is on a new Windows 8.1 PC.

Use a Live account. Enable two-stage authentication and configure a strong Live account password. Enjoy full disk encryption, logging, application passwords and many other security enhancements and ease-of-use features.

Set up your Microsoft user account as a standard account, not an Administrator account. Configure a separate admin account (local, not Live) and when admin rights are needed, use these credentials.

 

The sections below provide much more detail on the above topics. Notes on McAfee Live Safe testing and further reading can be found at the base of this article.

Overview of Consumer Computer Security

Data, resource and identity security is important to all consumers. They want their private content to remain private, their identity to be used only by themselves and they want their resources (internet connection, hardware, electricity usage) to remain under their exclusive control. Of critical importance in the consumer security arena is simplicity but even more important is acceptance that consumers are very bad at being gatekeepers. In most cases the user is the weakest link in any security strategy and some elements of consumer security should be trusted to third parties. This does not remove risk, of course, but it can reduce risk if a trusted and expert third-party is involved. In addition to protection the consumer needs alerting and a lock-down/recovery procedure.

Elements of Consumer Computer Security

Expanding on the simple requirements laid out above we can create a list of consumer security requirements.

Personal data, key and ID management (Stored data protection. Including documents, passwords, personal identity information.)

Protection of remotely stored information (cloud docs, information stored by third parties, information stored on local network devices.)

Resource management (network misuse, CPU misuse, storage misuse)

Reduction of blackmail and social engineering threats.

Reducing the need for (often weak) passwords by using personal biometric identification (voice, finger, face, personal knowledge, personal presence.)

Protecting channels used to transfer data (screen scraping, keyboard logging, data transmission channels.)

Protection from snooping (web cam, mic, keyboard logging.)

Alerts for suspicious activity.

Provide ability to ‘lock down’ when compromised.

Recovery of data after lock-down.

..and one element of policing that could help – Remote identification and reporting of new threats and identification, logging and reporting of criminals to assist in prosecution.

 

Consumer PC and Data Security. (A Checklist)

Anti-virus is obviously the first on the list of security topics for most consumers. They are generally aware of what a virus is and anti-virus software is well-marketed but it’s a small element in the overall security ‘package’ that most consumers must deploy. A strong local password is of major importance and remember, if your PC is only used at home it’s less risky to create a long complex password and write it down than it is to have a short but memorable password. Ultimately consumers should be implementing two-stage authentication that includes an ‘I am here’ tool.

Consider the following tools and methods (which are in no particular order) in the consumer security architecture.

Disk encryption helps to avoid access to data without encryption keys or login details but remember that trojan software generally works behind a login and in a pre-authenticated environment. Disk encryption is of most use when a device is lost or stolen.

Secure Boot check and UEFI password. Stop people booting a PC with an unauthorized OS or installing boot-loader software.

Login password.

Authorization of removable devices and applications.

Automated system updates (security patching.) Microsoft have now been doing this for 10 years.

Per-application ‘child’ passwords with remote password reset. Microsoft uses this for a growing number of Windows 8 applications.

Cloud-stored password (and ability to change via another PC.) When devices are connected to the internet the password is checked against a central store. You have the ability to change to central store and lock out devices (assuming they are connected to the Internet.) On this note it is arguable that you should have a 3G/4G-connected device with a SIM card that remains connected to the Internet after being stolen. Wifi-only devices will not remain connected to the internet after being stolen.

Account use logging (time, location, device, reviewable off-device at a central location.) Allows IP and location tracking. GPS in a device would allow fine control of tracking. 3G/4G is generally not good for IP location tracking and should be combined with GPS (as it often is on Windows PCs.)

Alert via SMS /email if the provider is able to detect unexpected behavior. (This is included in Microsoft Live account features.)

Remote kill or remote wipe (when a device has been compromised or is being attacked.) Windows 8 Pro has a concept of ‘wipe important data only’ and anti-tamper measured but that is beyond the scope of this article.

Anti-Virus / Anti spyware (scanning of existing files on disk)

Anti-virus / Anti spyware of files being downloaded or copied. (scan / check against blacklist or sandbox activity testing before making available to consumer.)

Firewall (basic port blocking in/out)

File archiving. See File History on Windows 8 which continuously archives (not backup-overwrite) copies of local documents on a removable or network drive.

Encrypted password storage (local or cloud-based) for non-PC pin numbers and account numbers, personal ID information.

Secure document storage (local or cloud access) with transport security. Client-side encryption helps. E.g.  Wuala.com, and local-country (or remote country, depending on requirements and laws) storage might be something to consider.

Website blacklist check. File blacklist check. (E.g. Smartscreen on IE11 and in Windows 8 core.)

Browser activity monitoring. E.g. Alerting when data sent data over non-encrypted channels or when man-in-middle attack possibility is detected. (No forward-security.)

Memory locking and random memory usage. (Windows DEP and Windows ASLR)

User account permissions. (Users should run as a Standard user, not with elevated Admin privileges.)

Secure Browser form data storage and retrieval (reduces use of keyboard and risk of keystroke logging. Reduces possibility of screen buffer snooping in some cases.)

Automatic update (patching vulnerability) NEVER turn this off! (You can mark a network interface as  a ‘Metered Connection’ to prevent updates affecting experience or costs; For example, 3G/4G data links.)

Per application peripheral access. E.g. Can an app access network, webcam, mic, be a background task?

Resource monitoring and alert  (high CPU, startup programs, memory usage, network usage.)

Online content safety (E.g. child-protection /parental control. Similar to URL screening.)

Secure file delete.

Reducing 3rd party application usage. Example: Use IE11 Modern app to reduce risk of infection through plugins like Java. Use Microsoft Reader which is auto-updated by Windows Update. Windows has a huge suite of built-in apps. Consider testing these before jumping to an over-complex solution.

Auto-Sandboxing applications either before deployment or during runtime.

Advanced methods starting to appear in consumer solutions.

Intrusion prevention (network packet vulnerability analysis.)

Biometric access

 

Windows 8.1 Consumer Products: Security Highlights.

There’s a very rich set of security tools in the basic Windows 8.1 build (not the Pro or Enterprise versions.) These features are all free.

 

Secure boot and boot configuration (UEFI configuration) password protection on new Windows 8.1 products.

Soldered (non-removable) eMMC storage (disk) on some devices (mostly Baytrail-T products)

TPM2.0 for secure on-device (off-memory, off-disk) storage of some system keys, certificates and passwords. (Not for general use by the user.)

Cloud-based central authentication, logging, location logging when using a Microsoft Live account.

Windows Live 3rd-party account management. E.g. Facebook, Twitter, Flickr, Google. This reduces per-app 3rd-party account management and provides a central way to disconnect all apps from all applications on all devices in a quick and efficient way. It also means that when changing a service password (.e.g Twitter.) only the connection at the Live account needs to be re-authorized thus making it easier to manage.

Two-stage app and Live.com authentication via SMS, email or authenticator app.

Generate separate app ‘child’ passwords and provide control under Live.com (to avoid using main account password with applications.)

Windows 8 Modern Apps and IE11 Browser tabs are sandboxed. (For more info search for: AppContainer)

Firewall – application and port-based filtering. Network packet analysis. Logging. On by default unless OEM has installed third party alternative.

Windows Defender Anti-Virus solution.

User account control and account access levels.

Save documents and images to OneDrive (was SkyDrive) by default. (A backup and remote availability feature. Arguably less secure due to multiple copies of files being stored and distributed.)

Random memory writing and ‘No Execution’ memory locking.

File History (archiving and backup .)

Secure data wipe. (Windows 8.1 full restore.)

Simple password store (User Credential Manager or ‘Windows Vault’) that is synchronized across devices using the same live account. (This is for desktop only and not accessible or available for modification in a Live account.

InstantGo and Disk Encryption.

InstantGo (which used to be called Connected Standby or Always-On Always-Connected) is a feature that allows Windows 8 Modern applications and services to run when the PC is ‘off.’ It removes the need for traditional PC ‘sleep’ and works in a way similar to a smartphone when the screen is off. A very low power state can keep the PC connected to a WiFi or 3G for many days at a time and administer strict control on an applications ability to use PC resources in that mode. It also enables an additional security feature: Full disk encryption (based on Bitlocker AES encryption) when used in combination with a Microsoft Live account.

Bitlocker can be a complex beast on Windows professional products but what Microsoft have done with Windows 8.1 is to make it simple. If you have an InstantGo / Connected Standby capable device with UEFI Secure Boot enabled and you use a Microsoft Live account to log in the drive is automatically encrypted. Disk encryption brings advantages when PCs are lost or stolen as, assuming you didn’t configure the screen to remain unlocked for hours, your data is safe. Many of the InstantGo tablets targeted at consumers have soldered disks so there’s little risk of the disk being removed but even when the PC is booted into a recovery mode the recovery keys are needed to unlock the drive. We’ve tested that and it works.

Recovery keys are stored in your Microsoft Live account so you’ll need to be happy about that before you use Bitlocker and as we pointed out in our Top Three security tips it makes sense to be using two-stage authentication on your account.

A secondary advantage of an encrypted drive is that even if a drive is restored, using the recovery key, to an unencrypted original state without a sanitizing data-wipe, there will be no usable data on the drive. We tried to perform what you might call an ‘emergency wipe’ by clearing keys and clearing the TPM but standard tools didn’t work. If your aim is to prevent authorities accessing your data though, remember that there is often a legal process for authorities to be able to get copies of recovery keys. It is possible to delete the recovery keys in your live account as as the encryption process never reveals them to the user or gives an offline backup option there’s an interesting case where one could say “Sorry, I can’t remember the 42 character key I’ve seen. I deleted the online version out of fear.”

Disk encryption doesn’t add any noticeable drain on the PC or slow it down as the encryption and decryption is done in dedicated hardware so as long as you’re happy with Microsoft being the gatekeeper, it’s an advantage.

Note: You might want to add a password to the UEFI interface for additional security so that Secure Boot can’t be turned off.

List of InstantGo-enabled Windows 8.1 devices.

All Windows-on-Baytrail-T (Atom Z-Series) devices are InstantGo enabled with UEFO and Secure Boot. Some Ultrabooks (Haswell Core i3, i5, i7) too. As yet there aren’t any AMD-platforms that support this and we’ve yet to see any Baytrail-M (Celeron, Pentium) based products.

You can find a list of Baytrail PCs here.

All Ultrabooks are listed here.

What’s NOT available in Baytrail-T tablets with Windows 8.1?

Here’s a list of features that aren’t supported well, or not supported at all on the consumer-focused Windows 8.1 tablets and 2-in-1s

Cloud-based storage (One Drive) does not perform client-side encryption. Files are stored encrypted in the cloud but can be accessed through legal process. (Actually, the same applies in some countries if you control your own encryption keys but there may be a time-delay or level of difficulty that is in the users favor. This topic goes beyond consumer security though. )

No 2-stage Windows 8.1 user login. (Authenticator app, face, voice could be useful, even when offline.) In my opinion this is one of the weak points in Windows security for consumers considering the weak passwords that are often used. We hope to see future Windows tablets coming with biometric-enhanced login or some other ‘physical presence’ login features. Tip: Yubico is interesting. $25 for a key. Free Windows s/w for two-stage login.

No Identity Protection Hardware on low-end Windows 8.1 PCs to prevent screen-buffer grabbing. (Intel IPT is a Core CPU feature and it is arguable that this is beyond consumer requirements.

No remote access (Remote Desktop is only on Windows 8 Pro. VPro tools are a high-end Core-CPU feature.) Remote assistance is available. [This is a management feature rather than security feature and in some cases could be a security risk if it was enabled and a users password was compromised.]

No remote kill / disable. Remote kill generally only works when a device is stolen and still connected to the internet, which requires login first or auto-connect to open WiFi (itself a security risk.) Two-stage authentication can help and you should untrust all your devices first from your Microsoft Live account. Clear guidelines from Microsoft on how to force logout or lock a device (assuming it’s connected to the internet) would be helpful along with advice on how TPM implments ‘anti-knocking’ lockout features or ‘max failed passwords – remove encryption keys’ feature. 3G data module would help with remote kill.

No device-based tracking (only account login tracking.) Login tracking only uses IP for location tracking. (Useless when 3G/4G module is in use.)

No ability to reset application passwords. (Although a full password reset might do this. The information on this topic is not clear.)

No secure Recycle Bin or file deletion. (Although this is an option on full device reset via Windows 8 Restore.)

 

Windows Defender. A Good Anti-Virus Solution?

My opinion: There are two trains of thought with Microsoft Defender. On one hand it’s a reasonable (but not generally accepted to be ‘good’) anti virus solution that is on by default (assuming an OEM has not installed AV trialware – a security risk when the trialware runs out) and is transparent to the end user. The other train of though is that it’s not the best A/V solution and may leave the user more open to attack than on other A/V solutions. Again, my opinion: On Windows 8.1 tablets with Baytrail-T the high-end A/V solutions may not be transparent and could affect the user experience. (Memory usage, CPU usage, battery life impact.) Defender is getting better too. V4.3 now includes network traffic analysis as well as file analysis for example. I am personally happy with Defender being able to reduce much of the risk through virus attack while leaving me with a usable tablet experience. AV-Test.org is a good place to get information. Currently Bitdefender and Kaspersky solutions are listed as offering efficient high-grade protection but these have not been tested by us.

Microsoft Live Account comes with Ease of Use, Increased Security Features…and Risk.

Personal opinion and experience from Chippy:

Do you want to manage your own security or do you want to choose a trusted partner to do that? In general we, as consumers, are terrible at security. I have proven to myself, a security-aware person, many times that I am more of a risk to myself than if I was to trust a third party who’s business it is to manage security. With managed security comes ease-of-use, continuous improvement and, sometimes, a service level agreement [Not in the consumer space though.] What I do risk is placing my data with an entity that could be a target. There is no doubt that MS is a target. Microsoft is also, however, an entity that must adhere to US business security requirements and legal requests for release of data. Microsoft is also storing my data in another country which could (but I don’t know for sure) be a security risk. On a personal level, the theft of personal data is important but in a mass data theft there is often time before your data is used, quicker alerts on the theft of data and automated processes that take place to reduce the risk after the theft. Example: Chase implemented credit card restrictions after a recent data theft at Target.  Personal data theft is often quick, requires a user to notice and also requires a user to have a quick process to lock-down after theft. That lockdown ‘process’ is, in my opinion, not something a consumer has knowledge of and because of that I am happy to give Microsoft control via the Live account and two-stage authentication to reduce my overall risk.

On the question of NSA data access: While this is worrying on a global level, on a personal level, I don’t rate NSA’s possible data access as a risk to my normal daily life. I don’t associate it with theft of financial data or of identity theft or of profit-by-sale and therefore government access to my data is considered by me to be low risk.

 

Top Three Windows 8.1 Security Tips for Consumers

Ensure Microsoft Defender is enabled (Firewall is less important if you are on a trusted home hotspot but there’s no disadvantage in enabling it.)

Use a Live account. Enable two-stage authentication and configure a strong Live account password. Enjoy full disk encryption, logging, application passwords and many other security enhancements and ease-of-use features.

Set up your Microsoft user account as a standard account, not an Administrator account. Configure a separate admin account (local, not Live) and when admin rights are needed, use these credentials.

Help Improve this reference document.

Best efforts have been made in the creation of this document but please be aware that there’s a risk of errors. If you see an error, experience an issue or have additional information you think might be useful to users, please add it in the comments below and We’ll consider transferring it to the main article. Thanks!

 

Supplementing Windows 8.1 Security With McAfee Live Secure.

McAfee Live Secure is a windows desktop application, Windows 8 Modern app and an online service that provides many of the services mentioned above. In many cases, e.g. Anti Virus, Firewall and Intrusion Prevention, the McAfee solution should provide a better service than the built-in solutions in Windows 8.1. Certainly in online reviews it consistently beats the built-in Defender application. AV-Test.org recently completed a round of Anti-Virus tests and Defender was considered the worst solution for AV protection. Despite that it was able to protect against 81% of day-zero attacks and detect 99% of recent malware and scored a perfect 6 on ‘false positives.’  Full report here.  Disclosure: I was given one year of McAfee Live Safe for free. Note: I am not planning to test other A/V packages at this time.

Important Features of McAfee Live Safe

LiveSafe offers a number of features that aren’t well supported in Windows 8.1. The SafeKey (multi-device synchronized password vault) and the Personal Locker (secure access to secure online storage) are features you won’t find in Windows 8.1. (the McAfee password vault goes way beyond the simple web-password-focused three-field-per-entry Credentials Manager.)

A ‘Shredder’ tool adds secure delete, a file cleaning tool frees up space due to temporary files (although the built-in Windows Disk Cleanup can do a similar function) and an application vulnerability scanner guides the user through 3rd-party app updates.

A browser plugin for Chrome helps to manage passwords across browsers and to filter sites and activity. Note that Windows SmartScreen does monitor links and downloads accessed through Chrome and other browsers.

Email filtering of common protocols (presumably unencrypted channels) and of some webmail channels is provided. Your email connections should already be set up to use encrypted channels so this feature, hopefully, is of no advantage.

Logging of activity goes beyond what Windows 8.1 offers.

For Intel platforms that have IPT (Identity Protection Technology) this is used to hide passwords from screen-scraping tools.

Integrates with devices and operating systems other than Windows 8.

Features Not provided with McAfee Live Safe

There is no device track and lock feature. (Intel Anti-Theft is supported but this service is being closed down.)

As with Windows 8.1 security there’s no special SLA or guarantee of security. It covers all ‘personal’ devices and extends to Mac, Android and other platforms. “The Software is not fault-tolerant and is not designed or intended for high-risk activities such as use in hazardous environments requiring failsafe performance.”

Live Safe is not free. (Around $80 for ‘unlimited’ personal computers, tablets and phones.)

Performance Impact

The performance impact on the Windows 8.1 device under test (ASUS Vivotab Note 8 with disk encryption disabled) was noticeable. Applications took longer to load, CPU load was obvious and memory usage was significant. Remember that we are talking about a low-power PC here with a limited 2GB of RAM and an important requirement for low-power idle.

Some examples of CPU and memory usage are shown below.

Memory usage after 5 days: 150-170MB (The Defender Antimalware Service Executable process uses around a third of that on my laptop PCs)

Additional CPU usage on Chrome start 4-10%

Additional CPU usage on boot: 5 mins: 10-20% CPU usage.

Trade-Off. Better Protection vs Performance Impact.

The performance impact of McAfee Live Safe is significant on these low-power devices and is at odds with the way these mobile, long-battery life devices are used. Where users require mobility and additional anti-virus / intrusion detection quality but may be happy with the performance and potential battery life impact a trail of the software is suggested. For that average consumer using the consumer focused (mainly Baytrail-T platform) Windows 8.1 tablets and 2-in-1’s the McAfee Live Safe software is not recommended.

 

Windows 8.1 Consumer PC Security Summary

With a fully-encrypted, secure-boot Windows 8.1 tablet and a Live account with two-stage authentication you get a very good computing security solution. A lot of trust needs to be placed in Microsoft but in many consumer cases the advantages outweigh the disadvantages. A cloud-synchronized password management tool is one of the most obvious omissions from the Windows 8.1 security suite and an ‘I am present’ authentication for Windows 8 login is something we would like to see in the next major version of Windows. Windows Defender anti-virus is potentially a weak point but covers a very large percentage of attack vectors while remaining transparent. Better device tracking in the Live account could be useful for devices with 3G/4G modems.

After testing Live Safe and seeing it in action on at least 5 devices as a pre-installed trial we don’t consider it  to be of significant value to Windows 8.1 PCs using the Baytrail platform. We have not tested other A/V solutions at this time.

 

Final tips:

Don’t use public, open WiFi hotspots. Windows tablets with 3G are great at mimicking a hotspot while collecting all the data that passes through them!

Reduce the number of devices and amount of 3rd-party software you use.

If you are thinking of upgrading to Windows 8 from Windows 7, consider buying a new device with UEFI and InstantGo support. You’ll get Secure Boot and free Hard Disk Encryption.

If you use an authenticator app for two-stage authentication, ensure that you can remote-wipe your phone if it gets stolen or lost.

 

Windows 8 Security Resources / Further Reading.

Microsoft Security Center (latest updates.)

Windows 8.1 Vulnerabilities (CVEDetails.com).

A reported Secure Boot / UEFI vulnerability (ITWorld.com.)

Critical Security Controls (advanced) by SANS.

If you are worried about the NSA. (Schneier)

Security Now Podcast. Can get detailed but it’s not a boring sec. podcast.

Microsoft Security for Home Users

Microsoft Technet Windows 8.1 Security (Advanced)

Microsoft Windows Security Checklist. 

Free PDF version of this document? Coming soon.

Note: This article is focused on security for consumers and independent professionals although it is not necessarily written for that target group to read. (A Consumer Summary is available in the article.)  I am not a certified Windows security professional although I am certified in some other areas of security and have worked in various IT security positions. This article has not been peer-reviewed. Product mentions and links in this article are not endorsements. This article is not sponsored. Only Windows 8.1-based PC products are considered in this document. This is not a comparison of Windows 8.1 security against other vendors offerings. Updates to this document will be marked “[Update]”.

 

Show more