Windows 11: Is it the most secure version of Windows yet ?
Much has already been written about Windows 11, the latest operating system from Microsoft, which the software giant is calling “the most secure Windows yet.” However, as many in the tech world have been quick to point out, most PCs currently running Windows don’t support the advanced system requirements for the new operating system (OS).
System requirements for Windows 11
To take full advantage of Windows 11 security enhancements, PCs must be equipped with an ultra-modern CPU with virtualization extensions, Secure Boot-capable UEFI firmware, and an advanced TPM 2.0-compatible security chip. These and other restrictions ensure support for a plethora of cybersecurity features that make Windows 11 much more resilient than its predecessors. However, they also ensure that most organizations will take their time upgrading their systems.
To effectively analyze the pros and cons of upgrading to Windows 11, you’ll need to understand what security features are included and available; how these features are facilitated by the new hardware and software requirements; and just how much impact the upgrade is expected to have on your overall cybersecurity posture.
CPU requirements and virtualization-based security
Among the more onerous mandates for upgrading to Windows 11 are the CPU requirements. Windows 11 requires an advanced 64-bit, 1 GHz processor with virtualization extensions and two or more cores (e.g., 8th generation Intel processor, AMD Zen 2, or Qualcomm 7 or 8 Series). These specs enable Windows 11 to take full advantage of a feature known as virtualization-based security (VBS).
Using hardware virtualization features, VBS creates and isolates a secure petition of memory from the rest of the OS to manage sensitive data or processes. This isolation limits the degree to which a given hack or exploit can compromise the system’s security.
According to a statement by the Windows Team in August, 2021:
“While we are not requiring VBS when upgrading to Windows 11, we believe the security benefits it offers are so important that we wanted the minimum system requirements to ensure that every PC running Windows 11 can meet the same security the United States Department of Defense (DoD) relies on. In partnership with our OEM and silicon partners, we will be enabling VBS and HVCI on most new PCs over this next year. And we will continue to seek opportunities to expand VBS across more systems over time.”
Several different security features in Windows 11 rely on VBS for implementation:
- Kernel Data Protection (KDP), for example, uses VBS to mark parts of the Windows kernel as read only, ensuring that drivers and software running in the Windows kernel (i.e., the OS code itself) cannot be tampered with.
- Application Guard uses VBS to create disposable virtual environments (containers) in which users can interact with websites or Microsoft Office files that have not been explicitly whitelisted. This ensures that untrusted content loaded via Microsoft Edge, Internet Explorer, or Microsoft Office remains isolated from the host operating system and enterprise data, limiting the damage that any infected content can cause.
- Credential Guard is an operating system security feature that isolates Windows NTLM, Kerberos credentials, and other secrets in a VBS-protected environment, ensuring that only privileged system software can gain access. This feature helps protect your system from credential theft attacks like pass the ticket (PtT) and pass the Hash (PtH).
- Similarly, Windows Hello Enhanced Sign-In Security uses VBS to isolate and protect the authentication data (including biometrics) used to sign in to a given device, ensuring that the data can only be accessed through secure processes running in the VBS environment. It also supports the creation of secure pathways for authentication data that is provided via external components (e.g., a fingerprint sensor or camera).
Trusted Platform Module (TPM) 2.0
In addition to processor requirements, Windows 11 requires a TPM chip for managing cryptographic keys as well as protecting the firmware and OS of your personal computer. The Trusted Platform Module (TPM) provides hardware-level anti-tamper protection for sensitive operations such as key generation, encryption, and system boot. The TPM specification 2.0 version is embedded in all Windows 11 supported CPUs and features some important enhancements.
United Extensible Firmware Interface (UEFI) and Secure Boot
United Extensible Firmware Interface (UEFI) comes in place of the traditional Legacy BIOS. This programmable boot environment initializes devices and starts the OS bootloader. PCs with UEFI 2.3.1 and a TPM chip also support Secure Boot, a feature that checks all code that runs before the operating system is loaded, as well as the OS bootloader’s digital signature. All Windows 11 machines come with UEFI Secure Boot fully enabled from the get-go, ensuring that authorized firmware and software with trusted digital signatures alone can execute during the boot process, and protecting the system against both boot kits and rootkits.
Windows 11 is the first OS to support Microsoft Pluton, the new Microsoft-designed and updated security processor that will be embedded in future Intel, AMD, and Qualcomm CPUs for Windows PCs. Pluton implements end-to-end security that is authored, maintained, and updated by Microsoft, and will be integrated with the standard Windows Update process, providing tighter and more secure integration with the OS at the hardware level. This integration helps remediate a physical vulnerability of current TPM implementations, wherein attackers in possession of a device can still target the communication channel between the CPU and TPM to steal or modify information in transit.
Secure by design
These Windows 11 requirements ensure support for a number of advanced security technologies. Some, like UEFI Secure Boot, are enabled by default in any Windows 11 installation, facilitating out-of-the-box Zero Trust protection.
Hardware-enforced stack protection
Hardware-enforced stack protection (HSP) is a feature that helps identify and shut down exploits that work by hijacking an application’s code execution flow. HSP allows applications to use the local CPU hardware to protect the (memory) stack — where the code is stored in runtime — against modification. This is accomplished by comparing the application’s call stack against a shadow stack (a hardware-secured record of the app’s normal code execution flow). If stack integrity has been compromised, the process will be terminated.
While this feature has been available since March of 2020 (at least in developer builds), the shadow stack mechanism is available only on certain advanced chipsets, such as those required by Windows 11, ensuring more widespread adoption on the new OS.
Microsoft Azure Attestation
Device health is assured with Windows 11, thanks to features such as UEFI Secure Boot and Kernel Data Protection. As such, the OS also ensures out-of-the-box support for remote device attestation; that is, remote verification that any Windows devices connecting to your network are indeed trustworthy. Attestation establishes trust by validating the identity and integrity of essential hardware and software components. The remote attestation method provides relying parties with a verifiable, unbiased, and tamper-resilient device report about a remote peer.
Microsoft Azure Attestation (MAA) is a prime example of a remote attestation service that can be used to review Windows device health comprehensively, and use this information to enforce conditional access to cloud-based applications and data via Azure Active Directory.
So, can Windows 11 keep hackers at bay?
ImageMicrosoft has taken great strides to ensure that its new OS is secure out of the box. The necessary security-focused hardware, supporting features such as VBS and UEFI Secure Boot, may yet enable Windows 11 to totally neutralize entire classes of malware attacks such as rootkits and return-oriented programming (ROP) attacks.
However, most Windows users continue to work with older machines. Many of those users are already eager to try out the new operating system and may not fully understand that the new Windows 11 security enhancements go hand in hand with the new hardware restrictions. Some may even be considering bypassing the system requirements. Yet users (or IT admins) who install Windows 11 while bypassing the hardware requirements or otherwise disabling important security features are consequently losing out on many of the platform’s security benefits.
Moreover, keep in mind that many of the attack vectors addressed by your current cybersecurity strategy are not specifically addressed by the new security features in Windows 11. Cybercriminals are constantly seeking out new vulnerabilities and creating new malware and other exploits, some of which will still work fine on TPM protected systems, such as phishing. This becomes even more apparent when you consider that — notwithstanding the influx of new technologies implemented in Windows 11 — Microsoft is still obligated to continue supporting numerous legacy applications and provide backwards compatibility. Consequently, it’s reasonable to expect that many previously unreported vulnerabilities affecting Windows 10 may also apply to Windows 11 (as was in fact revealed in one recent patch update).
Cyber Aeronautycs Ltd. offers winning cybersecurity for Windows 11
When all is said and done, the new security features in Windows 11 are absolutely a step in the right direction. Moreover, Microsoft seems to be addressing newly reported issues fairly quickly. That said, individuals, organizations and managed service providers (MSPs) will discover that they can achieve efficient security and protection only with solutions that are developed by cybersecurity vendors like Cyber Aeronautycs Ltd. Focused on integrating data protection, cybersecurity, and workload management, CAL solutions prevent modern cyberthreats, including zero-day attacks and enable security administrators to recover data, applications, and systems via a single platform.
Whether you are an at-home user, business, or a service provider, Cyber Aeronautycs Ltd. offers the best cybersecurity protection on the market today. Its solutions include:
For at-home users: CAL Defense for Home Users offers everything an at-home user needs to safeguard their PC or Mac and backup data, making it more resilient to today’s threats — from disk failures to ransomware attacks. Thanks to its unique integration of backup and cybersecurity in one, it saves time and reduces the cost, complexity, and risk caused by managing multiple point solutions.
For businesses: CAL Defense offers businesses a cyber protection solution that natively integrates cybersecurity, business data backup, and workload management to protect endpoints, systems, and data. By integrating data protection with cybersecurity, your business can eliminate complexity, deliver better protection against today’s threats, and maximize efficiency by saving time and money.
For service providers: CAL Defense unites cloud backup and recovery, next-generation anti-malware and workload management in one solution. Integration and automation provide unmatched ease for MSPs — reducing complexity while increasing productivity and decreasing operating costs.
Wanna say Hi to me ? Here is my linkedin .
Did you find this article valuable?
Support Cyber Aeronautycs Ltd. Blog by becoming a sponsor. Any amount is appreciated!