Introduction to Windows 11 (beta) security

Tim

15th September 2021

5 min read

Windows 11, coming October 5th 2021, is expected to become the new operating system of choice for most home, business and enterprise users. With a long history of poor backward compatibility, unintelligible configuration options and confusing support lifecycles, IT professionals around the world are holding their breath, waiting to see if Microsoft has hit the sweet spot with its latest release.

The new operating system from Microsoft comes with promises to provide “advanced security from the chip to the cloud”, but what does that mean for users who prefer technical specifications over the brochure? The strict new hardware requirements are certainly causing a ruckus. However, Windows security is a complex topic that goes far beyond the Trusted Platform Module (TPM) and Microsoft’s Zero Trust Model.

Here are six observations from our review of the Windows 11 preview builds so far:

1. Hardware

Windows 11 is intended to require TPM 2.0, but bypasses exist for older hardware. It is currently unclear whether Microsoft intends to block bypass techniques as they arise.

The requirement to use TPM 2.0 also means that UEFI is the only supported firmware for Windows 11, and Secure Boot must be enabled. Together, these features form a strong baseline for protecting the physical device: they make the boot chain difficult to tamper with, both during and after restarts, and protect the core features of the operating system and processor.
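As an added example (not code from the original article), the following PowerShell function reports the three hardware properties discussed above on the machine it runs on: firmware type, Secure Boot state and TPM specification version. It uses only built-in Windows cmdlets and the `Win32_Tpm` WMI class, and is meant to be run from an elevated prompt.

```powershell
# Added example: report the Windows 11 hardware security baseline described above
# (UEFI firmware, Secure Boot enabled, TPM 2.0). Run from an elevated PowerShell prompt.
function Get-Win11SecurityBaseline {
    $result = [ordered]@{}

    # Windows exposes the firmware type in an environment variable: "UEFI" or "Legacy".
    $result.FirmwareType = $env:firmware_type

    # Secure Boot can only be queried on UEFI systems; Confirm-SecureBootUEFI throws on
    # legacy BIOS, which is reported here instead of aborting the whole check.
    try {
        $result.SecureBoot = Confirm-SecureBootUEFI
    } catch {
        $result.SecureBoot = 'Not supported (legacy BIOS or no UEFI access)'
    }

    # Win32_Tpm exposes the spec version as a string such as "2.0, 0, 1.38";
    # the first comma-separated field is the TPM specification level.
    $tpm = Get-CimInstance -Namespace 'root/cimv2/Security/MicrosoftTpm' `
                           -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    if ($null -eq $tpm) {
        $result.TpmPresent     = $false
        $result.TpmSpecVersion = 'None'
    } else {
        $result.TpmPresent     = $true
        $result.TpmEnabled     = $tpm.IsEnabled_InitialValue
        $result.TpmActivated   = $tpm.IsActivated_InitialValue
        $result.TpmSpecVersion = ($tpm.SpecVersion -split ',')[0].Trim()
    }

    # The stated Windows 11 requirements: UEFI firmware, Secure Boot on, TPM spec 2.0.
    # A TPM that is present but disabled or deactivated in firmware also fails the check.
    $result.MeetsWin11Baseline = ($result.FirmwareType -eq 'UEFI') -and
                                 ($result.SecureBoot -eq $true) -and
                                 ($result.TpmSpecVersion -eq '2.0') -and
                                 ($result.TpmEnabled -eq $true) -and
                                 ($result.TpmActivated -eq $true)
    [pscustomobject]$result
}

Get-Win11SecurityBaseline | Format-List
```

A machine installed through one of the bypasses mentioned above will show `MeetsWin11Baseline : False`, which makes this a useful inventory check for fleets where the requirement is expected to have been met.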

2. Browsers

Microsoft is finally doing away with Internet Explorer, which has been on life support for the best part of a decade. Whilst the quiet passing of a legacy browser may be considered a conservative victory for most, there are many organisations with users still reliant on Internet Explorer for compatibility with their 20th Century enterprise applications, which are sometimes mission-critical. Could this be the push needed for certain industry sectors to overhaul their remaining legacy technologies? We are afraid not. Microsoft Edge now contains a feature called IE Mode.

The latest Windows release is packaged with the fairly new Chromium-based Microsoft Edge browser, as opposed to earlier versions that used Microsoft’s proprietary browser engine. Because Windows Update often pushed Microsoft Edge (Chromium) to Windows 10 as an additional package rather than replacing the proprietary version, organisations frequently have many versions of Microsoft Edge across their environments. Windows 11 will provide an opportunity to start fresh, using a clean baseline build containing non-legacy browsers (providing there is a way to disable IE Mode in Edge via policy).

Of course, it is not all good news. We are talking about Microsoft browsers here. Windows 11 makes it even harder to change your default browser from Edge to a third-party product like Google Chrome. With the new operating system, you have to go through the Settings app and set the default application for each file type that you want to open in a browser.

3. Microsoft Store

The Store app is getting some attention, with Microsoft acknowledging developers’ complaints that the technical and policy constraints have previously made it too difficult to get apps published. The new Microsoft Store has been “redesigned from the ground up” and promises that “all content is tested for security, family safety and compatibility”.

Developers can now publish apps using different frameworks and packaging technologies, including Win32, .NET, UWP, Xamarin, Electron, React Native and Java. If developers adopt the Microsoft Store on a wider scale, installing applications from the web may become less common. This would reduce the legitimate use cases for installing apps downloaded from an untrusted source, and organisations may then be able to block the execution of web-downloaded executables entirely, something many IT departments currently struggle to do because of complex operational needs.

4. DNS over HTTPS

Networking in Windows 11 provides a native feature to force the use of DNS-over-HTTPS (DoH). This is a big step towards overcoming international censorship and privacy challenges, as certain organisations (such as ISPs and governments) are known to snoop on users via their DNS activity, and in some cases, block sites that do not align with political or ethical motives. DoH encrypts all DNS traffic between the operating system and the DNS server, which increases users’ privacy as this traffic cannot be monitored as easily.
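Enabling DoH is only half of the story: if a resolver is allowed to fall back to plaintext UDP, or is never upgraded to its DoH template, DNS queries still leave the host unencrypted. As an added example (not code from the original article), the following PowerShell function audits every resolver in use and reports whether DoH is genuinely enforced for it, using the `DnsClient` module cmdlets that ship with Windows 11; the resolver address and template in the commented `Add-DnsClientDohServerAddress` call are placeholders, not recommendations.

```powershell
# Added example: audit whether DNS-over-HTTPS is actually enforced on a Windows 11
# host. Uses the DnsClient module cmdlets built into Windows 11; run elevated.
function Get-DohEnforcementReport {
    # Global table of resolvers for which the stub resolver knows a DoH template.
    $dohServers = Get-DnsClientDohServerAddress

    # Resolvers actually configured on interfaces (loopback excluded), de-duplicated.
    $activeServers = Get-DnsClientServerAddress -AddressFamily IPv4 |
        Where-Object { $_.ServerAddresses.Count -gt 0 -and $_.InterfaceAlias -notmatch 'Loopback' } |
        ForEach-Object { $_.ServerAddresses } |
        Sort-Object -Unique

    foreach ($ip in $activeServers) {
        $doh = $dohServers | Where-Object { $_.ServerAddress -eq $ip }
        $hasTemplate = $null -ne $doh

        # "Enforced" means all three hold: a DoH template is registered for the
        # resolver, the OS upgrades queries to it automatically, and it will NOT
        # fall back to plaintext UDP/53 when the DoH endpoint is unavailable.
        $enforced = $hasTemplate -and $doh.AutoUpgrade -and (-not $doh.AllowFallbackToUdp)

        [pscustomobject]@{
            Server      = $ip
            DohTemplate = if ($hasTemplate) { $doh.DohTemplate } else { '(none: plaintext DNS)' }
            AutoUpgrade = $hasTemplate -and $doh.AutoUpgrade
            UdpFallback = (-not $hasTemplate) -or $doh.AllowFallbackToUdp
            Enforced    = $enforced
        }
    }
}

# To register a resolver with fallback disabled, substitute your organisation's
# resolver for the placeholders below (placeholder values, not a recommendation):
# Add-DnsClientDohServerAddress -ServerAddress '<resolver-ip>' `
#     -DohTemplate 'https://<resolver-hostname>/dns-query' `
#     -AllowFallbackToUdp $false -AutoUpgrade $true

Get-DohEnforcementReport | Format-Table -AutoSize
```

Any row with `Enforced : False` is a resolver whose queries can still be observed on the wire; note also that DoH hides queries from the network path, not from the operator of the DoH resolver itself, who still sees every lookup.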

5. Group Policy, Local Policy and Security Baselines

Group and Local Policy editors look very similar to those of Windows 10. Configuring secure base builds has been a challenge for a long time, and it looks like Windows 11 will follow its predecessors in this department. With so many configuration options set to “Not Configured”, it remains unclear what the effective defaults are until Microsoft releases documentation, or until third parties gradually publish this information from their testing.

Building a comprehensive security baseline will likely require a collaborative and substantial effort from multiple organisations such as NIST, CIS and NCSC. Microsoft has yet to release a Security Baseline for Windows 11. On this basis, it is unlikely that organisations will be able to build and deploy an “out-of-the-box” gold build for Windows 11 for the foreseeable future.

6. Privacy

Microsoft continues to avoid privacy improvements: Windows 11 ships with the familiar default privacy and telemetry options, home users are forced to have a Microsoft account, and Android apps are being brought to Windows via the Amazon App Store (with an Amazon account, of course). Whilst DNS-over-HTTPS is a big privacy addition to Windows 11, it does not prevent these services from collecting your personal data whilst you are signed in, and neither can a third-party VPN service.

In summary, Windows 11 is taking steps towards security at the expense of compatibility. Perhaps this is an acceptable trade-off given that Windows 10 is expected to be supported until the 14th October 2025, which gives home and enterprise users time to ditch the legacy technologies that still litter the digital age.

Microsoft is clearly building Windows 11 to complement its Zero Trust Model, pushing business users towards Microsoft 365 and doubling down on security features like Windows Hello for Business. As more information arises, time will tell how successfully Microsoft has developed Windows 11 to meet the needs of a cyber-scared world. We will be keeping our eyes on this narrative as it continues to unfold.

Sentrium can assist with your security needs: view our penetration testing services for more details, or contact us today.
