The enterprise headache with Windows Live ID and SkyDrive

I’m confident that everyone reading this has received spam from a friend’s Hotmail account and then got the apologetic “sorry my account was hacked” email. Or worse, had it happen to them.

If you thought compromising Windows Live IDs was attractive before, now that it will get you to a person’s SkyDrive, browsing history, Wi-Fi and browser stored passwords, etc., it just got a whole lot more attractive to hackers to phish for. I predict a substantial increase in Windows Live ID phishing.

Now Microsoft has made some efforts to increase security around your Live ID. Someone logging in from an untrusted machine (as defined by you) does have some extra hoops to jump through. What gets synchronized and how it is protected is described in the following blog post by the Windows 8 engineering team.

What business needs to do

If you’re a corporation and your enterprise is allowing Windows 8 based devices to attach, even the odd one, I suggest you look at creating both a policy and some user education. Yes, all of these settings can be controlled by Group Policy; you’ll find them in the GPO Editor under Computer Configuration -> Administrative Templates -> Windows Components -> Settings Sync.

I’m sure I’ll get some of you commenting “this is not new, Dropbox and similar services have existed for a long time”. I’ll argue that any of these services require a fair bit of user intention and knowledge. A user needs to want a file sharing and synchronization solution, then they need to sign up and install it. With Windows Live and SkyDrive it just happens as they log on to their PC for the first time. With Office 2013 integration to SkyDrive, users will instinctively start saving corporate data off into their personal SkyDrive.

At this point, Microsoft is not providing functionality for corporations to manage user SkyDrives. There is no functionality similar to the “Dropbox for Teams” service. SkyDrive Pro does provide corporate administration functionality with the Office 365 offering, but it runs alongside SkyDrive and synchronizes SharePoint libraries; it is not a service similar to SkyDrive at all.

Make decisions on security

As a user, take a few extra moments to review your security settings for your Windows Live ID. You can do this at – make sure your primary mobile and trusted computer list are correct. If you ever find yourself logging in with your Live ID from any dodgy machines such as an Internet café, take advantage of Microsoft’s “Sign in with a single-use code”. They’ll SMS your mobile with a one-time password. Be extra vigilant about signing in to a phishing site.

As a business, you’ll need to immediately give some thought to whether you’re OK with things like Wi-Fi passwords, browser saved passwords, company documents and the like being saved to the Microsoft online services.  If you’re OK with it, help your users do it securely.  If you want to disable it, hurry up and set those group policy items.
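One way to confirm on a given Windows 8 machine that the Settings Sync policies mentioned above have actually landed, as an added example that is not part of the original article. The registry key and value names are assumptions taken from the Settings Sync administrative template; confirm them against the ADMX in your own environment before relying on the result.

```powershell
# Added example: report the Settings Sync policy state on the local machine.
# Assumption: Group Policy writes these values under the key below, where
# 2 means the policy is enabled (that sync category is turned off) and a
# "<name>UserOverride" value of 1 means the user cannot turn sync back on.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\SettingSync'

$Checks = [ordered]@{
    'DisableSettingSync'            = 'All settings sync (master switch)'
    'DisableCredentialsSettingSync' = 'Passwords (Wi-Fi, saved credentials)'
    'DisableWebBrowserSettingSync'  = 'Browser settings and history'
    'DisableApplicationSettingSync' = 'App settings'
}

function Get-SettingSyncAudit {
    param([string]$Key = $PolicyKey)

    # A missing key means no Settings Sync policy has been applied at all.
    $values = $null
    if (Test-Path -LiteralPath $Key) {
        $values = Get-ItemProperty -LiteralPath $Key
    }

    foreach ($name in $Checks.Keys) {
        $raw      = if ($values) { $values.$name } else { $null }
        $override = if ($values) { $values."${name}UserOverride" } else { $null }

        $state = if ($null -eq $raw) { 'NotConfigured' }
                 elseif ($raw -eq 2)  { 'SyncBlocked' }
                 else                 { 'SyncAllowed' }

        [pscustomobject]@{
            Category        = $Checks[$name]
            ValueName       = $name
            State           = $state
            # Only meaningful when sync is blocked by policy.
            UserCanOverride = ($state -eq 'SyncBlocked' -and $override -ne 1)
        }
    }
}

$audit = Get-SettingSyncAudit
$audit | Format-Table -AutoSize

# Flag anything that still lets data leave the machine via a personal account.
$gaps = $audit | Where-Object { $_.State -ne 'SyncBlocked' -or $_.UserCanOverride }
if ($gaps -and ($audit[0].State -ne 'SyncBlocked' -or $audit[0].UserCanOverride)) {
    Write-Warning "Settings Sync is not fully blocked by policy on $env:COMPUTERNAME."
}
```

Run it from an elevated prompt on a sample of domain-joined and unmanaged devices; a row showing `NotConfigured` on a machine that should be in scope usually means the GPO is not linked or filtered to that device.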


Brian Bourne
Brian Bourne started his career back in 1992 working on large, complex infrastructure for one of the big Canadian banks. Today he provides leadership to 3 separate companies, a professional services firm, CMS Consulting Inc., a managed services firm, Infrastructure Guardian Inc., and what has become the largest security event in Canada, the Security Education Conference in Toronto (SecTor), operated by Black Arts Illuminated Inc. Brian is also the co-founder and sits on the current executive of TASK, a Toronto based security user group with over 3100 members. When he’s not working or triathlon training, he’s spending time with his amazingly supportive wife and kids or wrenching in the garage.
