I’m confident that everyone reading this has received spam from a friend’s Hotmail account and then got the apologetic “sorry my account was hacked” email. Or worse, had it happen to them.

If you thought compromising Windows Live IDs was attractive before, it just got a whole lot more attractive for hackers to phish for, now that a Live ID will get you to a person’s SkyDrive, browsing history, Wi-Fi and browser-stored passwords, etc. I predict a substantial increase in Windows Live ID phishing.

Now, Microsoft has made some efforts to increase security around your Live ID. Someone logging in from an untrusted machine (as defined by you) does have some extra hoops to jump through. What gets synchronized and how it is protected is described in the following blog post by the Windows 8 engineering team: http://blogs.msdn.com/b/b8/archive/2011/09/26/signing-in-to-windows-8-with-a-windows-live-id.aspx

What business needs to do

If you’re a corporation and your enterprise is allowing Windows 8 based devices to attach, even the odd one, I suggest you look at creating both a policy and some user education. Yes, all of these settings can be controlled by Group Policy; you’ll find them in the GPO Editor under Computer Configuration -> Administrative Templates -> Windows Components -> Settings Sync.

I’m sure I’ll get some of you commenting “this is not new, Dropbox and similar services have existed for a long time”. I’ll argue that any of these services requires a fair bit of user intention and knowledge. A user needs to want a file sharing and synchronization solution, then they need to sign up and install it. With Windows Live and SkyDrive it just happens as they log on to their PC for the first time. With Office 2013 integration to SkyDrive, users will instinctively start saving corporate data off into their personal SkyDrive.

At this point, Microsoft is not providing functionality for corporations to manage user SkyDrives. There is no functionality similar to the “Dropbox for Teams” service. SkyDrive Pro does provide corporate administration functionality with the Office 365 offering, but it runs alongside SkyDrive and synchronizes SharePoint libraries; it is not a similar service to SkyDrive at all.

Make decisions on security

As a user, take a few extra moments to review your security settings for your Windows Live ID. You can do this at https://account.live.com/ – make sure your primary mobile and trusted computer list are correct. If you ever find yourself logging in with your Live ID from any dodgy machines such as an Internet café, take advantage of Microsoft’s “Sign in with a single-use code”. They’ll SMS your mobile with a one-time password. Be extra vigilant about signing in to a phishing site.

As a business, you’ll need to immediately give some thought to whether you’re OK with things like Wi-Fi passwords, browser saved passwords, company documents and the like being saved to the Microsoft online services.  If you’re OK with it, help your users do it securely.  If you want to disable it, hurry up and set those group policy items.
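To check whether the Settings Sync policies mentioned above have actually reached a machine, the following PowerShell audit is an added example, not code from the original article or from Microsoft. The registry path and value names are assumptions taken from the Settings Sync administrative template as commonly deployed; the article does not list them, so verify them against the template in your own environment.

```powershell
# Added example (not from the article): audit Settings Sync policy on one PC.
# Assumption: the value names below are those written by the Settings Sync
# administrative template; the article itself does not list them.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\SettingSync'

# Policy value name -> what stops roaming when the policy is enabled.
$Groups = [ordered]@{
    DisableSettingSync                = 'All settings sync'
    DisableCredentialsSettingSync     = 'Passwords'
    DisableWebBrowserSettingSync      = 'Browser settings'
    DisableApplicationSettingSync     = 'App settings'
    DisableWindowsSettingSync         = 'Other Windows settings'
    DisablePersonalizationSettingSync = 'Personalization'
    DisableDesktopThemeSettingSync    = 'Desktop personalization'
}

function Get-SettingSyncPolicy {
    param([string]$Path = $PolicyKey)

    # No key at all means no policy is applied and the user decides.
    $props = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue

    foreach ($name in $Groups.Keys) {
        $value = if ($props) { $props.$name } else { $null }
        [pscustomobject]@{
            Group    = $Groups[$name]
            Policy   = $name
            RawValue = $value
            # 2 is the value the template writes when the policy is enabled.
            State    = if ($value -eq 2) { 'SyncDisabled' } else { 'SyncAllowed' }
        }
    }
}

$report = Get-SettingSyncPolicy
$report | Format-Table -AutoSize

# The master switch covers every group; otherwise list what can still roam.
$master = $report | Where-Object Policy -eq 'DisableSettingSync'
if ($master.State -ne 'SyncDisabled') {
    $open = $report | Where-Object { $_.State -eq 'SyncAllowed' -and $_.Policy -ne 'DisableSettingSync' }
    Write-Warning ("Groups still allowed to sync: " + (($open.Group) -join ', '))
}
```

Run it on a sample of domain-joined Windows 8 machines after the GPO has been linked; a warning that lists "Passwords" means stored credentials can still roam with the user's personal account.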

 


  • gisabun

    Bigger question is why an enterprise would allow SkyDrive anyways. It’s an open way for people to dump company data outside of the network [whether for actual use for work or for illegal activity].
    Plus you have no control over what passwords they use. At work you can force harder passwords but on something you have no control, forget it. That’s why many users have their account hacked [if not data breaches from the hosting company].