Windows 11, coming October 5th 2021, is expected to become the new operating system of choice for most home, business and enterprise users. With a long history of poor backward compatibility, unintelligible configuration options and confusing support lifecycles, IT professionals around the world are holding their breath, waiting to see if Microsoft has hit the sweet spot with its latest release.
The new operating system from Microsoft comes with promises to provide “advanced security from the chip to the cloud”, but what does that mean for users who prefer technical specifications over the brochure? The strict new hardware requirements are certainly causing a ruckus. However, Windows security is a complex topic that goes far beyond the Trusted Platform Module (TPM) and Microsoft’s Zero Trust Model.
Here are 6 considerations from our review of the preview builds of Windows 11 so far:
Hardware
Windows 11 is intended to require TPM 2.0, but bypasses exist for older hardware. It is currently unclear whether Microsoft intends to block bypass techniques as they arise.
The requirement to use TPM 2.0 also means that UEFI is the only supported firmware for Windows 11, and Secure Boot must be enabled. Together, these features provide a strong baseline to protect the physical device. This makes the hardware incredibly difficult to tamper with during and after restarts, and protects the core features of the operating system and processor.
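To see whether a given device actually meets the baseline described above (UEFI firmware, Secure Boot on, TPM 2.0 enabled), the following PowerShell check can be run from an elevated prompt. It is an added example, not part of the original article or Microsoft's own tooling; the function name `Get-HardwareBaseline` and the output field names are assumptions made for illustration.

```powershell
#Requires -RunAsAdministrator
# Added example: report the firmware, Secure Boot and TPM state of this device.
function Get-HardwareBaseline {
    # Firmware type as reported by Windows: 'Uefi' or 'Bios' (legacy)
    $firmware = "$((Get-ComputerInfo -Property BiosFirmwareType).BiosFirmwareType)"

    # Confirm-SecureBootUEFI throws on legacy BIOS systems, so an error means "off"
    $secureBoot = $false
    try { $secureBoot = [bool](Confirm-SecureBootUEFI -ErrorAction Stop) } catch { }

    # The Win32_Tpm class is unavailable when no TPM is exposed to the OS
    $tpm = $null
    try {
        $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                               -ClassName Win32_Tpm -ErrorAction Stop
    } catch { }

    # SpecVersion looks like "2.0, 0, 1.38"; the first field is the spec family.
    # '-as' yields $null instead of throwing if the field is not a version string.
    $spec = $null
    if ($tpm -and $tpm.SpecVersion) {
        $spec = ($tpm.SpecVersion -split ',')[0].Trim() -as [version]
    }
    $tpmEnabled = [bool]($tpm -and $tpm.IsEnabled_InitialValue)

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        FirmwareType   = $firmware
        SecureBootOn   = $secureBoot
        TpmPresent     = [bool]$tpm
        TpmEnabled     = $tpmEnabled
        TpmSpecVersion = $spec
        # All three conditions from the section above must hold
        MeetsBaseline  = ($firmware -eq 'Uefi') -and $secureBoot -and
                         $tpmEnabled -and ($spec -and $spec.Major -ge 2)
    }
}

Get-HardwareBaseline | Format-List
```

A device that runs Windows 11 but reports `MeetsBaseline : False` was most likely installed through one of the bypasses mentioned above and does not get the protections this section describes.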
Browsers
Microsoft is finally doing away with Internet Explorer, which has been on life support for the best part of a decade. Whilst the quiet passing of a legacy browser may be considered a conservative victory for most, there are many organisations with users still reliant on Internet Explorer for compatibility with their 20th Century enterprise applications, which are sometimes mission-critical. Could this be the push needed for certain industry sectors to overhaul their remaining legacy technologies? We are afraid not. Microsoft Edge now contains a feature called IE Mode.
The latest Windows release is packaged with the fairly new Chromium-based Microsoft Edge browser, as opposed to the earlier versions that use Microsoft’s proprietary browser engine. Because Windows Update has in many cases pushed Microsoft Edge (Chromium) to Windows 10 as an additional package rather than replacing the proprietary version, organisations often have many versions of Microsoft Edge across their environments. Windows 11 will provide an opportunity to start fresh, using a clean baseline build containing non-legacy browsers (providing there is a way to disable IE Mode in Edge via policy).
Of course, it is not all good news. We are talking about Microsoft browsers here. Windows 11 makes it even harder to change your default browser from Edge to a 3rd party product like Google Chrome. With the new operating system, you have to go through the Settings app to set the default application for each file type that you want to open in a browser.
Microsoft Store
The Store app is getting some attention, with Microsoft acknowledging developers’ complaints that the technical and policy constraints have previously made it too difficult to get apps published. The new Microsoft Store has been “redesigned from the ground up” and promises that “all content is tested for security, family safety and compatibility”.
Developers can now publish apps using different frameworks and packaging technologies, including Win32, .NET, UWP, Xamarin, Electron, React Native and Java. If developers adopt the Microsoft Store on a wider scale, installing applications from the web may become a less common occurrence. This would limit the use cases for installing apps downloaded from an untrusted source. Organisations may be able to block web-downloaded executable files from running entirely, which is a challenge many IT departments currently face due to complex operational needs.
DNS over HTTPS
Networking in Windows 11 provides a native feature to force the use of DNS-over-HTTPS (DoH). This is a big step towards overcoming international censorship and privacy challenges, as certain organisations (such as ISPs and governments) are known to snoop on users via their DNS activity, and in some cases, block sites that do not align with political or ethical motives. DoH encrypts all DNS traffic between the operating system and the DNS server, which increases users’ privacy as this traffic cannot be monitored as easily.
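The check below lists every DNS resolver configured on the device and reports whether Windows has a DoH template for it and whether plaintext fallback is allowed. It is an added example, not part of the original article; the function name `Get-DohCoverage`, the status labels and the sample addresses are assumptions, and it only inspects the system-wide DoH server table exposed by `Get-DnsClientDohServerAddress`.

```powershell
# Added example: which configured resolvers would still be queried in plaintext?
function Get-DohCoverage {
    param(
        # Defaults read the live system; pass constructed objects to test offline
        [object[]]$Resolver  = (Get-DnsClientServerAddress | Where-Object ServerAddresses),
        [object[]]$DohServer = (Get-DnsClientDohServerAddress)
    )
    # Index the DoH server table by resolver IP address
    $known = @{}
    foreach ($d in $DohServer) { $known[$d.ServerAddress] = $d }

    foreach ($r in $Resolver) {
        foreach ($ip in $r.ServerAddresses) {
            $d = $known[$ip]
            $status =
                if (-not $d)                 { 'Plaintext: no DoH template registered' }
                elseif ($d.AllowFallbackToUdp) { 'DoH, but plaintext fallback allowed' }
                elseif (-not $d.AutoUpgrade) { 'DoH template known, not auto-upgraded' }
                else                         { 'DoH, no fallback' }
            [pscustomobject]@{
                Interface   = $r.InterfaceAlias
                Resolver    = $ip
                DohTemplate = if ($d) { $d.DohTemplate } else { $null }
                Status      = $status
            }
        }
    }
}

# Constructed sample input (documentation-range addresses, not real resolvers)
$sampleResolvers = @(
    [pscustomobject]@{ InterfaceAlias = 'Ethernet'; ServerAddresses = @('192.0.2.53', '198.51.100.53') }
)
$sampleDoh = @(
    [pscustomobject]@{ ServerAddress = '192.0.2.53'; AllowFallbackToUdp = $false
                       AutoUpgrade = $true; DohTemplate = 'https://doh.example/dns-query' }
)
Get-DohCoverage -Resolver $sampleResolvers -DohServer $sampleDoh | Format-Table -AutoSize

# On a Windows 11 device, call it without arguments to audit the live configuration:
# Get-DohCoverage | Format-Table -AutoSize
```

With the constructed sample, `192.0.2.53` is reported as `DoH, no fallback` and `198.51.100.53` as `Plaintext: no DoH template registered`.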
Group Policy, Local Policy and Security Baselines
Group and Local Policy editors look very similar to those of Windows 10. Configuring secure base builds has been a challenge for a long time and it looks like Windows 11 will follow its predecessors in this department. From the variety of configuration options set to “Not Configured”, it remains unclear which settings are defaults until Microsoft releases documentation, or until 3rd parties gradually release this information from their testing.
Building a comprehensive security baseline will likely require a collaborative and substantial effort from multiple organisations such as NIST, CIS and NCSC. Microsoft is yet to release a Security Baseline for Windows 11. On this basis, it is unlikely that organisations will be able to build and deploy an “out-of-the-box” gold build for Windows 11 for the foreseeable future.
Privacy
Microsoft continues to avoid privacy improvements: Windows 11 is configured with default privacy and telemetry options, home users are forced to have a Microsoft account, and Android apps are being brought to Windows via the Amazon App Store (with an Amazon account, of course). Whilst DNS-over-HTTPS is a big privacy addition to Windows 11, it does not prevent these services from collecting your personal data whilst you are signed in, nor can a 3rd party VPN service.
In summary, Windows 11 is taking steps towards security at the expense of compatibility. Perhaps this is an acceptable trade-off given that Windows 10 is expected to be supported until the 14th October 2025, which gives home and enterprise users time to ditch the legacy technologies that still litter the digital age.
Microsoft is clearly building Windows 11 to complement its Zero Trust Model, pushing business users towards Microsoft 365 and doubling down on security features like Windows Hello for Business. Time will tell how successfully Microsoft has developed Windows 11 to meet the needs of a cyber-scared world as more information arises. We will be keeping our eyes on this narrative as it continues to unfold.
Sentrium can assist with your security needs. View our penetration testing services for more details, or contact us today.