Introduction to Windows 11 (beta) security

Tim

15th September 2021

5 min read

Windows 11, coming October 5th 2021, is expected to become the new operating system of choice for most home, business and enterprise users. With a long history of poor backward compatibility, unintelligible configuration options and confusing support lifecycles, IT professionals around the world are holding their breath, waiting to see if Microsoft has hit the sweet spot with its latest release.

The new Operating System from Microsoft comes with promises to provide “advanced security from the chip to the cloud”, but what does that mean for users who prefer technical specifications over the brochure? The strict new hardware requirements are certainly causing a ruckus. However, Windows security is a complex topic that goes far beyond the Trusted Platform Module (TPM) and Microsoft’s Zero Trust Model.

Here are six observations we have made so far from the preview builds of Windows 11:


1. Hardware

Windows 11 is intended to require TPM 2.0, but bypasses exist for older hardware. It is currently unclear whether Microsoft intends to block bypass techniques as they arise.

The requirement to use TPM 2.0 also means that UEFI is the only supported firmware for Windows 11, and Secure Boot must be enabled. Together, these features provide a strong baseline for protecting the physical device: the boot chain becomes very difficult to tamper with, during and after a restart, and the core components of the operating system and processor are protected.
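A readiness check for the three requirements named above (TPM 2.0, UEFI firmware, Secure Boot), written as an added example for this article rather than anything shipped by Microsoft. It relies only on built-in Windows tooling: the Win32_Tpm WMI class, the firmware_type environment variable and the Confirm-SecureBootUEFI cmdlet. The function name is our own.

```powershell
# Added example (not from the original article): report whether this device meets
# the firmware requirements Windows 11 enforces. Run from an elevated prompt, because
# both Win32_Tpm and Confirm-SecureBootUEFI need administrator rights.
function Get-Win11FirmwareReadiness {
    [CmdletBinding()]
    param()

    # Win32_Tpm exposes the TPM specification version as a string such as "2.0, 0, 1.38";
    # the first comma-separated field is the spec family we care about.
    $tpm = Get-CimInstance -Namespace 'root/cimv2/Security/MicrosoftTpm' `
                           -ClassName 'Win32_Tpm' -ErrorAction SilentlyContinue
    $tpmSpec = if ($tpm) { ($tpm.SpecVersion -split ',')[0].Trim() } else { $null }

    # Windows sets $env:firmware_type to 'UEFI' or 'Legacy' at boot.
    $firmware = $env:firmware_type

    # Confirm-SecureBootUEFI throws on legacy BIOS systems, so treat an error as "not enabled".
    $secureBoot = $false
    try { $secureBoot = [bool](Confirm-SecureBootUEFI) } catch { $secureBoot = $false }

    [pscustomobject]@{
        TpmPresent        = [bool]$tpm
        TpmSpecVersion    = $tpmSpec
        TpmEnabled        = if ($tpm) { [bool]$tpm.IsEnabled_InitialValue } else { $false }
        FirmwareType      = $firmware
        SecureBootEnabled = $secureBoot
        MeetsRequirements = ([bool]$tpm -and $tpmSpec -eq '2.0' -and
                             $firmware -eq 'UEFI' -and $secureBoot)
    }
}

Get-Win11FirmwareReadiness | Format-List
```

MeetsRequirements is false whenever any one of the three controls is missing, so the object doubles as a compliance record when collected from a fleet before an upgrade.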


2. Browsers

Microsoft is finally doing away with Internet Explorer, which has been on life support for the best part of a decade. Whilst the quiet passing of a legacy browser may be considered a conservative victory for most, there are many organisations with users still reliant on Internet Explorer for compatibility with their 20th Century enterprise applications, which are sometimes mission-critical. Could this be the push needed for certain industry sectors to overhaul their remaining legacy technologies? We are afraid not. Microsoft Edge now contains a feature called IE Mode.

The latest Windows release is packaged with the fairly new Chromium-based Microsoft Edge browser, as opposed to the earlier versions that use Microsoft’s proprietary browser engine. Because Windows Update often pushed Microsoft Edge (Chromium) to Windows 10 as an additional package rather than replacing the proprietary version, organisations frequently have many versions of Microsoft Edge across their environments. Windows 11 will provide an opportunity to start fresh, using a clean baseline build containing non-legacy browsers (providing there is a way to disable IE Mode in Edge via policy).
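On the question of disabling IE Mode via policy: Microsoft Edge does expose a machine policy for this, InternetExplorerIntegrationLevel (0 = None, 1 = IEMode, 2 = NeedIE), which is documented Edge policy rather than something taken from this article. The helper below, added here as an example and not part of the original post, writes that policy to the registry location Edge reads it from and reports the effective state; the function names are our own.

```powershell
# Added example (not from the original article): enforce and audit the Edge policy
# that controls IE Mode. Policy-backed settings live under HKLM\SOFTWARE\Policies and
# cannot be overridden by users from the Edge settings page. Run elevated.
$edgePolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'

function Set-EdgeIeModePolicy {
    param(
        [ValidateSet('None', 'IEMode', 'NeedIE')]
        [string]$Level = 'None'   # 'None' disables IE Mode entirely
    )
    $map = @{ None = 0; IEMode = 1; NeedIE = 2 }
    if (-not (Test-Path $edgePolicyKey)) { New-Item -Path $edgePolicyKey -Force | Out-Null }
    New-ItemProperty -Path $edgePolicyKey -Name 'InternetExplorerIntegrationLevel' `
                     -PropertyType DWord -Value $map[$Level] -Force | Out-Null
}

function Get-EdgeIeModePolicy {
    $value = (Get-ItemProperty -Path $edgePolicyKey -Name 'InternetExplorerIntegrationLevel' `
                               -ErrorAction SilentlyContinue).InternetExplorerIntegrationLevel
    switch ($value) {
        0       { 'None: IE Mode disabled by policy' }
        1       { 'IEMode: sites in the configured site list open in IE Mode' }
        2       { 'NeedIE: sites in the configured site list open in standalone IE11' }
        default { 'Not configured: users may enable IE Mode themselves' }
    }
}

Set-EdgeIeModePolicy -Level 'None'
Get-EdgeIeModePolicy
```

In a managed estate the same value is normally delivered through the Edge ADMX templates in Group Policy or Intune; the registry write above is the equivalent for a standalone gold image or a lab build.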

Of course, it is not all good news. We are talking about Microsoft browsers here. Windows 11 makes it even harder to change your default browser from Edge to a 3rd party product like Google Chrome. With the new operating system, you have to go through the Settings app to set the default application for each file type that you want to open in a browser.


3. Microsoft Store

The Store app is getting some attention, with Microsoft acknowledging developers’ complaints that the technical and policy constraints have previously made it too difficult to get apps published. The new Microsoft Store has been “redesigned from the ground up” and promises that “all content is tested for security, family safety and compatibility”.

Developers can now publish apps using different frameworks and packaging technologies, including Win32, .NET, UWP, Xamarin, Electron, React Native and Java. If developers adopt the Microsoft Store on a wider scale, installing applications from the web may become a less common occurrence. This would limit the use cases for installing apps downloaded from an untrusted source. Organisations may then be able to block the execution of web-downloaded executable files entirely, something many IT departments currently cannot do because of complex operational needs.
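Before an organisation can block web-downloaded executables, it needs to know how many of them are in use. Windows marks browser downloads with a Zone.Identifier alternate data stream (the Mark of the Web), and the script below, an added example rather than code from the article, inventories executable files in a folder that carry that marker. The function name and the default extension list are our own choices; the folder path is a placeholder.

```powershell
# Added example (not from the original article): list executable files that Windows
# has marked as downloaded from the Internet zone, using the Zone.Identifier stream.
function Get-WebDownloadedExecutables {
    param(
        [string]$Path = "$env:USERPROFILE\Downloads",   # placeholder: any folder to audit
        [string[]]$Extensions = @('.exe', '.msi', '.dll', '.ps1', '.bat', '.cmd', '.js', '.vbs', '.hta')
    )

    Get-ChildItem -Path $Path -File -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $Extensions -contains $_.Extension.ToLower() } |
        ForEach-Object {
            # Locally created files have no Zone.Identifier stream, so Get-Content
            # returns nothing for them and they are skipped.
            $zone = Get-Content -LiteralPath $_.FullName -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue
            if (-not $zone) { return }

            $zoneId   = $null
            $referrer = $null
            foreach ($line in $zone) {
                if ($line -match '^ZoneId=(\d+)')      { $zoneId   = [int]$Matches[1] }
                if ($line -match '^ReferrerUrl=(.+)$') { $referrer = $Matches[1] }
            }

            [pscustomobject]@{
                File        = $_.FullName
                ZoneId      = $zoneId          # 3 = Internet, 4 = Restricted sites
                ReferrerUrl = $referrer        # present only when the browser recorded it
                LastWrite   = $_.LastWriteTime
            }
        }
}

# Only files from the Internet (3) or Restricted (4) zones are relevant to a download-blocking policy.
Get-WebDownloadedExecutables | Where-Object { $_.ZoneId -ge 3 } | Format-Table -AutoSize
```

Running this against user profiles before rolling out an application-control policy shows which downloaded binaries people actually depend on, which is the operational data a blanket block tends to founder on.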


4. DNS over HTTPS

Networking in Windows 11 provides a native feature to force the use of DNS-over-HTTPS (DoH). This is a big step towards overcoming international censorship and privacy challenges, as certain organisations (such as ISPs and governments) are known to snoop on users via their DNS activity and, in some cases, block sites that do not align with political or ethical motives. DoH encrypts all DNS traffic between the operating system and the DNS server, which increases users’ privacy because this traffic cannot be monitored as easily.
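The native DoH support is exposed through the DnsClient PowerShell module that ships with Windows 11 (Add-, Get- and Set-DnsClientDohServerAddress). The function below is an added example, not code from the article, that registers a resolver's DoH template and refuses to fall back to plaintext UDP; the function name is ours, and the Quad9 address and template are a constructed sample of a public resolver that publishes a DoH endpoint.

```powershell
# Added example (not from the original article): register a DoH template for a resolver
# and point active adapters at it, so queries are upgraded to HTTPS with no UDP fallback.
# Requires administrator rights.
function Set-EncryptedDnsResolver {
    param(
        [Parameter(Mandatory)][string]$ServerAddress,
        [Parameter(Mandatory)][string]$DohTemplate
    )

    # Windows keeps a table of known DoH servers; update the entry if present, add it otherwise.
    $existing = Get-DnsClientDohServerAddress -ErrorAction SilentlyContinue |
                Where-Object ServerAddress -eq $ServerAddress
    $params = @{
        ServerAddress      = $ServerAddress
        DohTemplate        = $DohTemplate
        AllowFallbackToUdp = $false   # never downgrade to plaintext DNS if HTTPS fails
        AutoUpgrade        = $true    # upgrade to DoH automatically when this IP is configured
    }
    if ($existing) { Set-DnsClientDohServerAddress @params } else { Add-DnsClientDohServerAddress @params }

    # AutoUpgrade only applies once an adapter actually uses this server address.
    Get-NetAdapter | Where-Object Status -eq 'Up' | ForEach-Object {
        Set-DnsClientServerAddress -InterfaceIndex $_.ifIndex -ServerAddresses $ServerAddress
    }
}

# Constructed sample values: Quad9's public resolver and its published DoH template.
Set-EncryptedDnsResolver -ServerAddress '9.9.9.9' -DohTemplate 'https://dns.quad9.net/dns-query'
Get-DnsClientDohServerAddress | Format-Table ServerAddress, DohTemplate, AllowFallbackToUdp, AutoUpgrade
```

Setting AllowFallbackToUdp to false is what turns "prefer encryption" into "require encryption"; with fallback allowed, a blocked HTTPS endpoint silently returns the device to plaintext DNS. Note also that DoH protects only the hop between the device and the resolver, so the resolver operator still sees every query.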


5. Group Policy, Local Policy and Security Baselines

Group and Local Policy editors look very similar to those of Windows 10. Configuring secure base builds has been a challenge for a long time, and it looks like Windows 11 will follow its predecessors in this department. With so many configuration options showing “Not Configured”, it remains unclear what the effective default of each setting is until Microsoft releases documentation, or until 3rd parties gradually publish this information from their own testing.

Building a comprehensive security baseline will likely require a collaborative and substantial effort from multiple organisations such as NIST, CIS and NCSC. Microsoft is yet to release a Security Baseline for Windows 11. On this basis, it is unlikely that organisations will be able to build and deploy an “out-of-the-box” gold build for Windows 11 for the foreseeable future.
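Until an official baseline exists, one practical way to learn where Windows 11 defaults differ from Windows 10 is to export the effective local security policy from a clean build of each with the built-in secedit tool and diff the two exports. The functions below are an added example, not part of the article; the function names and the two file paths are our own placeholders.

```powershell
# Added example (not from the original article): export the local security policy
# as an INF file on each build, then compare the exports setting by setting.
function Export-LocalSecurityPolicy {
    param([Parameter(Mandatory)][string]$OutFile)
    # secedit /export writes the current effective local policy; it needs an elevated prompt.
    secedit /export /cfg $OutFile /quiet | Out-Null
    if (-not (Test-Path $OutFile)) { throw "secedit export failed: $OutFile was not written" }
    $OutFile
}

function Compare-SecurityPolicyExports {
    param(
        [Parameter(Mandatory)][string]$Reference,   # e.g. a Windows 10 default build
        [Parameter(Mandatory)][string]$Candidate    # e.g. a Windows 11 preview build
    )

    # Parse "[Section]" headers and "Name = Value" lines into a flat Section/Name table.
    function Read-Inf([string]$path) {
        $section = ''
        $table = @{}
        foreach ($line in Get-Content -LiteralPath $path) {
            if ($line -match '^\[(.+)\]\s*$') { $section = $Matches[1]; continue }
            if ($line -match '^\s*([^=]+?)\s*=\s*(.*?)\s*$') { $table["$section/$($Matches[1])"] = $Matches[2] }
        }
        $table
    }

    $ref  = Read-Inf $Reference
    $cand = Read-Inf $Candidate
    foreach ($key in (@($ref.Keys) + @($cand.Keys) | Sort-Object -Unique)) {
        # A setting missing from one export shows as $null on that side.
        if ($ref[$key] -ne $cand[$key]) {
            [pscustomobject]@{ Setting = $key; Reference = $ref[$key]; Candidate = $cand[$key] }
        }
    }
}

# Placeholder paths: run Export-LocalSecurityPolicy on each build, copy both files to one machine.
Compare-SecurityPolicyExports -Reference 'C:\Baselines\win10-default.inf' `
                              -Candidate 'C:\Baselines\win11-preview.inf' | Format-Table -AutoSize
```

The export covers account, audit and user-rights policy plus registry-backed security options; settings that only surface in Group Policy ADMX templates are not included, so this is a starting point for a baseline rather than the whole of one.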


6. Privacy

As Microsoft continues to avoid privacy improvements, Windows 11 ships with Microsoft’s default privacy and telemetry options, home users are required to sign in with a Microsoft account, and Android apps are being brought to Windows via the Amazon App Store (with an Amazon account, of course). Whilst DNS-over-HTTPS is a big privacy addition to Windows 11, it does not prevent these services from collecting your personal data whilst you are signed in, and neither can a 3rd party VPN service.
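The telemetry level itself is one default an administrator can override. The AllowTelemetry policy value under the DataCollection policy key is Microsoft's documented control for diagnostic data, and DiagTrack is the service that uploads it; neither comes from this article. The helper below is an added example, not the article's code, with function names of our own.

```powershell
# Added example (not from the original article): set and audit the diagnostic data
# policy that governs Windows telemetry. Run from an elevated prompt.
$dataCollectionKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection'

# Labels follow Microsoft's documented AllowTelemetry values.
$telemetryLevels = @{
    0 = 'Security (honoured only on Enterprise, Education and Server editions; others treat it as 1)'
    1 = 'Required (Basic)'
    2 = 'Enhanced'
    3 = 'Optional (Full)'
}

function Set-DiagnosticDataPolicy {
    param([ValidateRange(0, 3)][int]$Level = 1)
    if (-not (Test-Path $dataCollectionKey)) { New-Item -Path $dataCollectionKey -Force | Out-Null }
    New-ItemProperty -Path $dataCollectionKey -Name 'AllowTelemetry' `
                     -PropertyType DWord -Value $Level -Force | Out-Null
}

function Get-DiagnosticDataPolicy {
    $value = (Get-ItemProperty -Path $dataCollectionKey -Name 'AllowTelemetry' `
                               -ErrorAction SilentlyContinue).AllowTelemetry
    # DiagTrack ("Connected User Experiences and Telemetry") performs the upload.
    $svc = Get-Service -Name 'DiagTrack' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        PolicyValue   = $value
        PolicyMeaning = if ($null -ne $value) { $telemetryLevels[[int]$value] }
                        else { 'Not configured (the Windows default for this edition applies)' }
        DiagTrack     = if ($svc) { "$($svc.Status) / $($svc.StartType)" } else { 'not present' }
    }
}

Set-DiagnosticDataPolicy -Level 1
Get-DiagnosticDataPolicy
```

The policy limits what the operating system itself reports; as the paragraph above notes, it does nothing about data collected by the Microsoft or Amazon account you are signed in to, which is governed by those services rather than by local configuration.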


In summary, Windows 11 is taking steps towards security at the expense of compatibility. Perhaps this is an acceptable trade-off given that Windows 10 is expected to be supported until the 14th October 2025, which gives home and enterprise users time to ditch the legacy technologies that still litter the digital age.

Microsoft is clearly building Windows 11 to complement its Zero Trust Model, pushing business users towards Microsoft 365 and doubling down on security features like Windows Hello for Business. Time will tell how successfully Microsoft has developed Windows 11 to meet the needs of a cyber-scared world as more information arises. We will be keeping our eyes on this narrative as it continues to unfold.
