sbradley
Contributing Writer

Windows 11’s best security features

Feature
Jul 12, 2021 | 6 mins
Windows Security

Windows 11 uses some of the best security features of Windows 10. The big difference is that many are now required.

Despite the hype and gnashing of teeth over its hardware requirements, Windows 11 fundamentally shifts how Microsoft approaches both consumer and enterprise security. Even though the upgrade process from Windows 10 will be minor and more like a feature release of Windows 10, the hardware requirements draw lines in the sand to make Windows more secure. The decision to move to Windows 11 will be different for each organization. It might be one person making a hard decision, a natural evolution of Windows security, or a bit premature for ecosystems not ready for the mandates.

At the same time Microsoft is taking a step back from possibly its most secure operating system, Windows S, which forces users to obtain software through the vetted Microsoft Store. Windows 11 Enterprise will no longer support this method, which will be allowed only on consumer versions. It appears that Microsoft realized what I had long thought: The Windows ecosystem is not ready for the Windows S mode process of whitelisting applications even though that’s ultimately where we need to be. Rather, Microsoft is focusing on security features and mandates that will ensure a secure ecosystem, as they call it, from silicon all the way to the cloud.

Why hardware is important to Windows 11 Security

Windows secured-core computers are the foundation of Windows 11 requirements, but they are not new. It starts with a mandated Trusted Platform Module (TPM) 2.0 that ensures a hardware root of trust, secure boot, and BitLocker drive encryption. The next mandate is virtualization-based security (VBS) enabled in the motherboard. This ensures that the computer system can leverage virtualization capabilities as well as allow the hypervisor to provide additional protection for critical systems. This isolation allows browsers to be separated from Office processes and other features on the machine.

The processor is defined as “secured-core”, which allows the system to provide protection from firmware attacks. These mandates demand a higher level of system performance. Microsoft is stating that processors need to be Generation 8 or higher, but they may lower it to certain Generation 7 processors if performance won’t be impacted.

TPM 2.0 or higher and VBS enabled by default allow Microsoft to mandate a “hardware root of trust.” VBS creates and isolates a secure region of memory from the normal operating system. It requires a 64-bit processor. The processor must also support second level address translation (SLAT), either Intel VT-X2 with Extended Page Tables (EPT), or AMD-v with Rapid Virtualization Indexing (RVI). Privilege escalation attacks are attempted every day. In fact, the recent PrintNightmare vulnerability in Windows Print Spooler code, which allowed attackers to gain rights on a domain controller, was one such privilege escalation attack that a hardware root of trust should prevent.

Isolation helps mitigate common threats

Microsoft developed VBS and Hypervisor-Protected Code Integrity (HVCI), commonly referred to as memory integrity, to provide better protection against common and sophisticated malware by performing sensitive security operations in an isolated environment. HVCI can mitigate malware like Trickbot that deploys kernel drivers. You can see the impact of HVCI already in Surface computers that are shipping with this feature.

Secure Boot protects firmware

Next, Microsoft wants to mandate Secure Boot by default to ensure that the firmware has not been tampered with since the computer was manufactured. As the system boots, System Guard checks that the device integrity is maintained. If the system lacks integrity, a management system such as Intune or Microsoft Endpoint Configuration Manager can take action and even deny the device access to the network.
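The hardware section, the VBS/HVCI paragraph and the Secure Boot paragraph above all describe state that can be read from an existing Windows 10 or 11 machine. The following script is an added example, not part of the article; it assumes an elevated PowerShell session and uses only the built-in Get-Tpm and Confirm-SecureBootUEFI cmdlets plus the Win32_Tpm, Win32_DeviceGuard and Win32_Processor WMI classes.

```powershell
# Added example (not from the article): report whether this machine already has
# the Windows 11 security foundations the article describes switched on.
# Assumes an elevated PowerShell 5.1+ session on Windows 10/11.
function Get-Win11SecurityReadiness {
    [CmdletBinding()]
    param()

    # TPM presence/readiness comes from the TrustedPlatformModule module (needs elevation).
    $tpm = Get-Tpm
    # The spec version (e.g. "2.0, 0, 1.59") is exposed by the WMI TPM class.
    $tpmInfo = Get-CimInstance -Namespace root\cimv2\Security\MicrosoftTpm -ClassName Win32_Tpm
    $tpm2 = $tpmInfo.SpecVersion -like '2.0*'

    # Secure Boot: the cmdlet throws on legacy BIOS systems, so treat that as "off".
    try { $secureBoot = Confirm-SecureBootUEFI } catch { $secureBoot = $false }

    # VBS / HVCI / Credential Guard state from the Device Guard WMI provider.
    # VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but not running, 2 = running.
    # SecurityServicesRunning contains 1 for Credential Guard and 2 for HVCI (memory integrity).
    $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
    $vbsRunning       = $dg.VirtualizationBasedSecurityStatus -eq 2
    $hvciRunning      = $dg.SecurityServicesRunning -contains 2
    $credGuardRunning = $dg.SecurityServicesRunning -contains 1

    # The 64-bit and SLAT requirements the article lists for VBS.
    $cpu  = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1
    $slat = [bool]$cpu.SecondLevelAddressTranslationExtensions
    $is64 = $cpu.AddressWidth -eq 64

    [pscustomobject]@{
        TpmPresent        = $tpm.TpmPresent
        TpmReady          = $tpm.TpmReady
        Tpm20             = $tpm2
        SecureBootOn      = $secureBoot
        Cpu64Bit          = $is64
        SlatSupported     = $slat
        VbsRunning        = $vbsRunning
        HvciRunning       = $hvciRunning
        CredentialGuardOn = $credGuardRunning
    }
}

Get-Win11SecurityReadiness | Format-List
```

Any row that comes back False is a gap between this machine and the defaults the article says Windows 11 will mandate, which is useful input when deciding how soon to migrate.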

Improved identity management and access control

Microsoft is planning to mandate that Windows 10 Home version installs use a Microsoft account when logging into the operating system. Furthermore, there will be improvements to the onboarding process when starting the computer to connect to two-factor platforms. It appears that they are including more of a framework for federated sign-in providers such as ADFS, Okta and Ping. Credential Guard BIOS prerequisites (including VBS) ensure that identities and secrets are protected from external threats.

[Figure: More sign-in options (Susan Bradley)]

Virtualization enables security features

Several features can be enabled when a computer supports virtualization security. For example, Windows Subsystem for Linux 2 allows you to run a Linux kernel inside of a lightweight utility virtual machine. It is faster than WSLv1 and allows for full system calls. Windows Defender Application Guard (WDAG) can now run by default since VBS is enabled by default. To include all the defensive features of WDAG you will need to properly license Windows and Office. For example, to fully enable Application Guard for Office, you will need a Microsoft 365 E5 or Microsoft 365 E5 Security license. When you open an untrusted file from the internet, Application Guard for Office will open the file in a sandbox. You can open it once the file has been fully scanned and evaluated.

One trade-off: When virtualization security is on by default, it affects performance, causing the age-old problem of balancing security and usability.

Windows Sandbox is also not a new feature but will now be mandated in Windows 11. It builds on the technologies used within Windows containers to allow you to open files and websites isolated from your machine. This ensures that you can safely open a potentially damaging file or link inside the sandbox without impacting your machine. Once you shut down the Windows Sandbox, the virtual machine is shut down and all artifacts are discarded in the process.
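Windows Sandbox reads an optional .wsb configuration file that controls how isolated the disposable VM is. The function below is an added example, not from the article; it writes a hardened configuration for examining one suspect file (network off, host folder mapped read-only, Protected Client on). The host folder path is a placeholder.

```powershell
# Added example (not from the article): generate a Windows Sandbox .wsb file for
# looking at an untrusted file. The element names are the ones Windows Sandbox
# documents; the folder path passed in is a placeholder for your own quarantine folder.
function New-UntrustedFileSandbox {
    param(
        [Parameter(Mandatory)] [string] $HostFolder,            # folder holding the suspect file
        [string] $OutFile = "$env:TEMP\untrusted.wsb"
    )
    # Hardened choices, each closing a path the default sandbox leaves open:
    #  - Networking off: the file cannot beacon out or pull a second stage.
    #  - ReadOnly mapping: the sandbox cannot alter the host's copy of the folder.
    #  - Clipboard redirection off: nothing copied inside leaks back to the host.
    #  - vGPU off: shrinks the virtual hardware exposed to the guest.
    #  - ProtectedClient on: extra AppContainer isolation for the sandbox process.
    $wsb = @"
<Configuration>
  <VGpu>Disable</VGpu>
  <Networking>Disable</Networking>
  <ClipboardRedirection>Disable</ClipboardRedirection>
  <ProtectedClient>Enable</ProtectedClient>
  <MappedFolders>
    <MappedFolder>
      <HostFolder>$HostFolder</HostFolder>
      <SandboxFolder>C:\Untrusted</SandboxFolder>
      <ReadOnly>true</ReadOnly>
    </MappedFolder>
  </MappedFolders>
  <LogonCommand>
    <Command>explorer.exe C:\Untrusted</Command>
  </LogonCommand>
</Configuration>
"@
    Set-Content -Path $OutFile -Value $wsb -Encoding UTF8
    return $OutFile
}

# Launching the .wsb starts the sandbox; closing its window discards everything
# that happened inside, as the article notes.
$config = New-UntrustedFileSandbox -HostFolder 'C:\Quarantine'   # placeholder path
Start-Process -FilePath $config
```

Compare this with the default of networking enabled and a writable mapped folder: the same file opened under the default configuration could still reach the internet and modify the shared folder on the host.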

[Figure: Windows Sandbox (Susan Bradley)]

Windows 11 will also provide support for third-party virtualization software and allow developers and scripters to quickly build custom tools, utilities, and enhancements for the virtualization platform. These improvements are inspired by enhancements in Azure. Ransomware attacks have used driver vulnerabilities to launch RobbinHood, Uroburos, Derusbi, GrayFish, and Sauron. So have campaigns by the threat actor Strontium to gain kernel privileges and disable security programs on compromised machines.

Protection against threats from unverified code

Arbitrary Code Generation (ACG), Control Flow Guard (CFG), and Code Integrity Guard (CIG) can keep systems from executing unverified code. Microsoft’s case study on secured-core computers points out the features that were optional with Windows 10 and are mandated in Windows 11. Secured-core PCs have Kernel Data Protection (KDP) enabled by default.

What Windows 11 brings to the table isn’t necessarily new security features. Rather, it’s drawing the line in the sand to enforce the features that Microsoft has been bringing to the marketplace over the last year. Security admins will have to decide how soon to join in that journey to better secure networks.

Susan Bradley has been patching since before the Code Red/Nimda days and remembers exactly where she was when SQL slammer hit (trying to buy something on eBay and wondering why the Internet was so slow). She writes the Patch Watch column for Askwoody.com, is a moderator on the PatchManagement.org listserve, and writes a column of Windows security tips for CSOonline.com. In real life, she’s the IT wrangler at her firm, Tamiyasu, Smith, Horn and Braun, where she manages a fleet of Windows servers, Microsoft 365 deployments, Azure instances, desktops, a few Macs, several iPads, a few Surface devices, several iPhones and tries to keep patches up to date on all of them. In addition, she provides forensic computer investigations for the litigation consulting arm of the firm. She blogs at https://www.askwoody.com/tag/patch-lady-posts/ and is on twitter at @sbsdiva. She lurks on Twitter and Facebook, so if you are on Facebook with her, she really did read what you posted. She has a SANS/GSEC certification in security and prefers Heavy Duty Reynolds wrap for her tinfoil hat.