ChrisOnSecurity

Windows 11 security – a first look

Posted on 15. July 2021 (updated 11. November 2021)

“Windows 10 will be the last Windows version.” Yeah, not really. Microsoft recently announced Windows 11 being in development with a targeted release in late 2021. Even more than Windows 10, it focuses on a secure hardware root of trust as a foundation for the operating system’s overall security posture. So let’s have a look at Windows 11 security.

New hardware requirements

A hardware root of trust requires – you’ve guessed it – certain hardware and firmware features to be enabled on the device. Why is that necessary? Microsoft relies on Virtualization-Based Security (VBS) to encapsulate parts of the operating system into separate, so-called enclaves. This helps to maintain system integrity even when malware is running on the device. What do we need for that?

  • A trusted platform module (TPM) in version 2.0
  • Secure Boot (as part of UEFI)
  • Certain CPU-side functionality like
    • Intel Mode-based execute control for EPT (MBEC): Windows Processor Requirements Windows 11 Supported Intel Processors | Microsoft Docs
    • AMD Guest-mode execute trap for NPT (GMET): Windows Processor Requirements Windows 11 Supported AMD Processors | Microsoft Docs
    • ARM Translation table stage 2 Unprivileged Execute-never (TTSUXN): Windows Processor Requirements Windows 11 Supported Qualcomm Processors | Microsoft Docs
    • For all manufacturers: support for the Windows Drivers model

You probably won’t need to memorize the latter, but it is important to understand that the desired level of protection can’t be implemented by software alone. Features that build on this hardware foundation include:

  • System Guard for low level system integrity
  • Device Guard for kernel level code integrity
  • Application Guard for user level code integrity
  • Credential Guard for securely storing account credentials
  • BitLocker
  • Windows Hello for Business
  • Windows Sandbox

Microsoft also provides a full table for most of those features:

Windows Feature                                    | TPM required | TPM 1.2 support | TPM 2.0 support
Secure Boot                                        | No           | Yes             | Yes
Measured Boot                                      | Yes          | Yes             | Yes
System Guard                                       | Yes          | No              | Yes
Device Health Attestation                          | Yes          | Yes             | Yes
Autopilot                                          | No           | N/A             | Yes
BitLocker                                          | No           | Yes             | Yes
Device Encryption                                  | Yes          | N/A             | Yes
Credential Guard                                   | No           | Yes             | Yes
Windows Defender Application Control               | No           | Yes             | Yes
Windows Hello / Windows Hello for Business         | No           | Yes             | Yes
TPM Platform Crypto Provider Key Storage Provider  | Yes          | Yes             | Yes
Virtual Smart Card                                 | Yes          | Yes             | Yes
Certificate storage                                | No           | Yes             | Yes

Source: https://docs.microsoft.com/en-us/windows/security/information-protection/tpm/tpm-recommendations#tpm-and-windows-features

What really changes

All features discussed above are already present in Windows 10. What Microsoft will now enable by default is memory integrity as part of Hypervisor-protected Code Integrity (HVCI). This has been part of Windows 10 for quite some time, but as an optional feature. It still is optional, but depending on the device hardware and the OEM image it will now be enabled by default. The requirements for that can be found here: https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-hvci-enablement#hardware-features-for-automatic-enablement
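To verify the hardware requirements listed above (TPM 2.0, Secure Boot, MBEC/GMET availability) and to see whether VBS and memory integrity (HVCI) are actually running on a given device, here is an added PowerShell example; it is not from the original post. It assumes an elevated session on Windows 10/11 and uses only the documented Win32_Tpm and Win32_DeviceGuard CIM classes plus the memory integrity registry toggle; the name of the function and the property names of the returned object are this example's own.

```powershell
# Added example (not from the original post): report Windows 11 hardware
# root-of-trust readiness and the current VBS / HVCI state of this device.
# Run in an elevated PowerShell session. Function and output property names
# are assumptions of this example; CIM classes and values are the documented ones.

function Get-Win11SecurityReadiness {
    [CmdletBinding()]
    param()

    $result = [ordered]@{}

    # TPM: Win32_Tpm.SpecVersion reads e.g. "2.0, 0, 1.38"; the first field is the spec level.
    $tpm = Get-CimInstance -Namespace 'root/cimv2/Security/MicrosoftTpm' -ClassName 'Win32_Tpm' -ErrorAction SilentlyContinue
    $result.TpmPresent     = [bool]$tpm
    $result.TpmSpecVersion = if ($tpm) { ($tpm.SpecVersion -split ',')[0].Trim() } else { $null }
    $result.Tpm20          = ($result.TpmSpecVersion -eq '2.0')

    # Secure Boot: Confirm-SecureBootUEFI throws on legacy BIOS systems, so treat an error as "not available".
    try   { $result.SecureBoot = [bool](Confirm-SecureBootUEFI) }
    catch { $result.SecureBoot = $false }

    # VBS / HVCI state from the Device Guard CIM class.
    # VirtualizationBasedSecurityStatus: 0 = not enabled, 1 = enabled but not running, 2 = running
    # SecurityServicesRunning:           1 = Credential Guard, 2 = HVCI (memory integrity)
    # AvailableSecurityProperties:       2 = Secure Boot, 7 = MBEC / GMET (the CPU feature listed above)
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName 'Win32_DeviceGuard' -ErrorAction SilentlyContinue
    $result.VbsRunning        = ($dg.VirtualizationBasedSecurityStatus -eq 2)
    $result.HvciRunning       = ($dg.SecurityServicesRunning -contains 2)
    $result.CredGuardRunning  = ($dg.SecurityServicesRunning -contains 1)
    $result.MbecGmetAvailable = ($dg.AvailableSecurityProperties -contains 7)

    # Memory integrity toggle that the Windows Security app and policy both write.
    $hvciKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity'
    $hvciEnabled = (Get-ItemProperty -Path $hvciKey -Name Enabled -ErrorAction SilentlyContinue).Enabled
    $result.HvciConfigured = ($hvciEnabled -eq 1)

    # Summary: the three hardware prerequisites from the list above.
    $result.MeetsHardwareRequirements = $result.Tpm20 -and $result.SecureBoot -and $result.MbecGmetAvailable

    [pscustomobject]$result
}

Get-Win11SecurityReadiness | Format-List
```

A device can report MeetsHardwareRequirements = True while HvciRunning is still False: that is exactly the gap the OEM default enablement closes, and on existing Windows 10 installations it has to be closed by policy or by the Windows Security app.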

Apart from that, not much changes. Windows 11 will enforce certain requirements like a TPM, but the functionality that builds upon it must in part still be configured on the administrative side. Here, Windows 10 is already quite secure and offers many options to protect the operating system against threats.

In my opinion, what Microsoft really wants to achieve here is to make sure that any Windows 11 installation already fulfills the hardware requirements for enhanced security, so any admin can just go ahead and be more secure if required.

Windows 11 security

It was already possible with Windows 10, but Windows 11 now is the opportunity to deploy more secure baseline configurations to clients. Windows 10 will still be supported until 2025, so there is time to move. How can we use that time? Well, let’s have a look at a more secure client design (no guarantee to be complete) with Windows 11 security features:

  • BitLocker: For years one of the most reliable and manageable volume encryption solutions for Windows. Mandatory for mobile devices, recommended for all. Self service is available with Azure AD.
  • SmartScreen / Network Protection: two features that are simple to deploy and still a huge benefit. Windows 10 will go ahead and check for malicious files and web traffic in Microsoft Edge and Explorer (SmartScreen) or at the network level, independent of the client application (Network Protection). This way malicious entities as identified by the Microsoft Intelligent Security Graph will be audited or blocked on the client.
  • User Account Control: yes, it can be bypassed. Please use it nevertheless. You don’t want your local admin access token present in the session all the time.
  • Microsoft Defender Antivirus / Microsoft Defender for Endpoint: Microsoft Defender Antivirus and Defender for Endpoint are a great combination for client-side antimalware plus EDR / EPP.
  • Safe Documents as part of Defender for Office 365: Microsoft Defender for Endpoint scans any office file from an external source and only allows enabling the editing mode if it was determined to be clean. This is a significant protection against malicious macros or other prepared office files.
  • Attack Surface Reduction: ASR is part of the EPP approach in Windows. It provides protection capabilities against the most common threats, like macros dropping code or unknown executables from external devices, and many more.
  • Credential Guard: isolates (domain) credentials and prevents extracting them. Not a perfect protection, but still a valuable component.
  • Windows Defender Firewall: Isolate devices on the network to prevent lateral movement. With Intune, it is very easy to set the Firewall to stealth / shielded mode to completely prohibit incoming connections and probing. This must of course fit your helpdesk scenarios.
  • Application Control / AppLocker: both features can be used to define an allow list of applications. AppLocker does the job but has been around since Windows 7. Application Control is more advanced and allows more granular identification of applications, plus the option to sign policies to prevent modifications. In combination with HVCI (previously known as Device Guard, which, as a product name, included both HVCI and Application Control), Application Control can govern kernel mode and user mode binaries.
  • Application Guard: Hardware based isolation of Microsoft Edge and Microsoft Office to keep any potential infection to the container instead of letting it spread to the whole system.
  • LAPS: use random local administrator passwords to prevent lateral movement to other systems with the same password.
  • Passwordless authentication: Use Windows Hello for Business for single-user devices or FIDO2 security keys for shop floors / production systems.
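To see where a client stands against the design above, here is an added PowerShell audit example; it is not from the original post and is not a Microsoft baseline. It assumes an elevated session on a domain- or Intune-managed Windows 10/11 client, uses the documented Defender, BitLocker, firewall, AppLocker and Device Guard cmdlets and policy registry paths, and checks LAPS via the legacy LAPS (AdmPwd) policy key that was current when the post was written. The "compliant" conditions encode this example's own reading of the list above and should be adjusted to your baseline; the function name and output layout are this example's own.

```powershell
# Added example (not from the original post): audit the client hardening
# features from the list above and report which are in their recommended state.
# Run in an elevated PowerShell session. Function name, output layout and the
# "compliant" thresholds are assumptions of this example.

function Get-ClientBaselineState {
    [CmdletBinding()]
    param()
    $checks = New-Object System.Collections.Generic.List[object]
    function Add-Check([string]$Name, [bool]$Ok, [string]$Detail) {
        $checks.Add([pscustomobject]@{ Feature = $Name; Compliant = $Ok; Detail = $Detail })
    }

    # BitLocker: the operating system volume should report ProtectionStatus 'On'.
    $vols = Get-BitLockerVolume -ErrorAction SilentlyContinue
    $unprotected = @($vols | Where-Object { $_.VolumeType -eq 'OperatingSystem' -and $_.ProtectionStatus -ne 'On' })
    $volDetail = ($vols | ForEach-Object { "$($_.MountPoint)=$($_.ProtectionStatus)" }) -join ', '
    Add-Check 'BitLocker (OS volume)' ($vols -and $unprotected.Count -eq 0) "volumes: $volDetail"

    # SmartScreen (policy value) and Network Protection (0 = off, 1 = block, 2 = audit).
    $ss = (Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System' -Name EnableSmartScreen -ErrorAction SilentlyContinue).EnableSmartScreen
    Add-Check 'SmartScreen (policy)' ($ss -eq 1) "EnableSmartScreen=$ss"
    $mp = Get-MpPreference -ErrorAction SilentlyContinue
    Add-Check 'Network Protection' ($mp.EnableNetworkProtection -eq 1) "EnableNetworkProtection=$($mp.EnableNetworkProtection)"

    # Attack Surface Reduction: rule ids and actions are parallel arrays; action 1 = block, 2 = audit, 0 = off.
    $asr = @{}
    if ($mp.AttackSurfaceReductionRules_Ids) {
        for ($i = 0; $i -lt $mp.AttackSurfaceReductionRules_Ids.Count; $i++) {
            $asr[$mp.AttackSurfaceReductionRules_Ids[$i]] = $mp.AttackSurfaceReductionRules_Actions[$i]
        }
    }
    $blocked = @($asr.Values | Where-Object { $_ -eq 1 }).Count
    Add-Check 'Attack Surface Reduction' ($blocked -gt 0) "$blocked of $($asr.Count) configured rules in block mode"

    # User Account Control: EnableLUA must be 1; the prompt behaviour is reported for review.
    $pol = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -ErrorAction SilentlyContinue
    Add-Check 'User Account Control' ($pol.EnableLUA -eq 1) "EnableLUA=$($pol.EnableLUA), ConsentPromptBehaviorAdmin=$($pol.ConsentPromptBehaviorAdmin)"

    # Credential Guard (service 1) and WDAC enforcement from the Device Guard CIM class
    # (CodeIntegrityPolicyEnforcementStatus: 0 = off, 1 = audit, 2 = enforced).
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    Add-Check 'Credential Guard' ($dg.SecurityServicesRunning -contains 1) "SecurityServicesRunning=$($dg.SecurityServicesRunning -join ',')"
    Add-Check 'Application Control (WDAC kernel policy)' ($dg.CodeIntegrityPolicyEnforcementStatus -eq 2) "CodeIntegrityPolicyEnforcementStatus=$($dg.CodeIntegrityPolicyEnforcementStatus)"

    # Defender Firewall: every profile enabled with default inbound action Block.
    $fw = Get-NetFirewallProfile -ErrorAction SilentlyContinue
    $bad = @($fw | Where-Object { $_.Enabled -ne 'True' -or $_.DefaultInboundAction -ne 'Block' })
    $fwDetail = ($fw | ForEach-Object { "$($_.Name):Enabled=$($_.Enabled),In=$($_.DefaultInboundAction)" }) -join '; '
    Add-Check 'Defender Firewall' ($fw -and $bad.Count -eq 0) $fwDetail

    # AppLocker: any effective rules at all (a zero count means no allow list is applied).
    $al = Get-AppLockerPolicy -Effective -ErrorAction SilentlyContinue
    $ruleCount = if ($al) { ($al.RuleCollections | ForEach-Object { $_.Count } | Measure-Object -Sum).Sum } else { 0 }
    Add-Check 'AppLocker (effective rules)' ($ruleCount -gt 0) "$ruleCount rules"

    # Application Guard optional feature.
    $wdag = Get-WindowsOptionalFeature -Online -FeatureName 'Windows-Defender-ApplicationGuard' -ErrorAction SilentlyContinue
    Add-Check 'Application Guard' ($wdag.State -eq 'Enabled') "State=$($wdag.State)"

    # LAPS (legacy AdmPwd policy) and Windows Hello for Business policy.
    $laps = (Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd' -Name AdmPwdEnabled -ErrorAction SilentlyContinue).AdmPwdEnabled
    Add-Check 'LAPS (legacy policy)' ($laps -eq 1) "AdmPwdEnabled=$laps"
    $whfb = (Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork' -Name Enabled -ErrorAction SilentlyContinue).Enabled
    Add-Check 'Windows Hello for Business (policy)' ($whfb -eq 1) "Enabled=$whfb"

    $checks
}

Get-ClientBaselineState | Format-Table -AutoSize
```

Run it on a reference client before and after rolling out a baseline, and diff the two tables; a feature that is "configured" in Intune or Group Policy but still reports Compliant = False on the device usually points at a missing hardware prerequisite (Credential Guard, Application Guard) or at a policy that has not yet applied.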

Thanks for reading!

Chris

Note

Please note that all content on this blog is provided ‘as is’ without any warranty.
