
Introduction to Windows 11 (beta) security

Tim Reed


Windows 11, coming October 5th 2021, is expected to become the new operating system of choice for most home, business and enterprise users. With a long history of poor backward compatibility, unintelligible configuration options and confusing support lifecycles, IT professionals around the world are holding their breath, waiting to see if Microsoft has hit the sweet spot with its latest release.

The new Operating System from Microsoft comes with promises to provide “advanced security from the chip to the cloud”, but what does that mean for users who prefer technical specifications over the brochure? The strict new hardware requirements are certainly causing a ruckus. However, Windows security is a complex topic that goes far beyond the Trusted Platform Module (TPM) and Microsoft’s Zero Trust Model.

Here are 6 observations we have made in the preview builds of Windows 11 so far:

Hardware

Windows 11 is intended to require TPM 2.0, but bypasses exist for older hardware. It is currently unclear whether Microsoft intends to block bypass techniques as they arise.

The requirement to use TPM 2.0 also means that UEFI is the only supported firmware for Windows 11, and Secure Boot must be enabled. Together, these features provide a strong baseline to protect the physical device. This makes the hardware incredibly difficult to tamper with during and after restarts, and protects the core features of the operating system and processor.
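Because bypasses exist, a Windows 11 install does not prove the baseline is met; the following added example (not from the original article) checks the three requirements directly on a device. The function name `Get-Win11HardwareBaseline` is hypothetical, and the script assumes an elevated PowerShell session.

```powershell
# Added example: report whether this device meets the TPM 2.0 / UEFI / Secure Boot
# baseline described above. Get-Win11HardwareBaseline is a hypothetical name.
function Get-Win11HardwareBaseline {
    [CmdletBinding()]
    param()

    # Firmware type as a string: 'Uefi' or 'Bios' (legacy or CSM boot).
    $firmware = "$((Get-ComputerInfo -Property BiosFirmwareType).BiosFirmwareType)"

    # Win32_Tpm reports SpecVersion as e.g. "2.0, 0, 1.38"; the first field is the TPM family.
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                           -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $tpmFamily = $null
    if ($tpm -and $tpm.SpecVersion) {
        $tpmFamily = ($tpm.SpecVersion -split ',')[0].Trim()
    }
    $tpmEnabled = [bool]($tpm -and $tpm.IsEnabled_InitialValue -and $tpm.IsActivated_InitialValue)

    # Confirm-SecureBootUEFI throws on legacy BIOS systems, so an exception means "not enabled".
    try   { $secureBoot = [bool](Confirm-SecureBootUEFI -ErrorAction Stop) }
    catch { $secureBoot = $false }

    $isUefi = ($firmware -eq 'Uefi')
    $isTpm2 = ($tpmFamily -eq '2.0')

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        FirmwareType      = $firmware
        SecureBootEnabled = $secureBoot
        TpmPresent        = [bool]$tpm
        TpmFamily         = $tpmFamily
        TpmEnabled        = $tpmEnabled
        # All three requirements must hold; a device installed via a bypass fails here.
        MeetsBaseline     = ($isUefi -and $secureBoot -and $isTpm2 -and $tpmEnabled)
    }
}

Get-Win11HardwareBaseline | Format-List
```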

Browsers

Microsoft is finally doing away with Internet Explorer, which has been on life support for the best part of a decade. Whilst the quiet passing of a legacy browser may be considered a conservative victory for most, there are many organisations with users still reliant on Internet Explorer for compatibility with their 20th Century enterprise applications, which are sometimes mission-critical. Could this be the push needed for certain industry sectors to overhaul their remaining legacy technologies? We are afraid not. Microsoft Edge now contains a feature called IE Mode.

The latest Windows release is packaged with the fairly new Chromium-based Microsoft Edge browser, as opposed to the earlier versions that use Microsoft’s proprietary browser engine. In many cases, Windows Update pushed Microsoft Edge (Chromium) to Windows 10 as an additional package rather than replacing the proprietary version, so organisations often have many versions of Microsoft Edge across their environments. Windows 11 will provide an opportunity to start fresh, using a clean baseline build containing non-legacy browsers (providing there is a way to disable IE Mode in Edge via policy).

Of course, it is not all good news. We are talking about Microsoft browsers here. Windows 11 makes it even harder to change your default browser from Edge to a 3rd party product like Google Chrome. With the new operating system, you have to go through the Settings app to set the default application for each file type that you want to open in a browser.

Microsoft Store

The Store app is getting some attention, with Microsoft acknowledging developers’ complaints that the technical and policy constraints have previously made it too difficult to get apps published. The new Microsoft Store has been “redesigned from the ground up” and promises that “all content is tested for security, family safety and compatibility”.

Developers can now publish apps using different frameworks and packaging technologies, including Win32, .NET, UWP, Xamarin, Electron, React Native and Java. If developers adopt the Microsoft Store on a wider scale, installing applications from the web may become a less common occurrence. This would limit the use cases for installing apps downloaded from an untrusted source. Organisations may be able to block web-downloaded executable files from running entirely, which is a challenge many IT departments currently face due to complex operational needs.

DNS over HTTPS

Networking in Windows 11 provides a native feature to force the use of DNS-over-HTTPS (DoH). This is a big step towards overcoming international censorship and privacy challenges, as certain organisations (such as ISPs and governments) are known to snoop on users via their DNS activity, and in some cases, block sites that do not align with political or ethical motives. DoH encrypts all DNS traffic between the operating system and the DNS server, which increases users’ privacy as this traffic cannot be monitored as easily.
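To see how far a given machine is from "forced" DoH, the following added example (not from the original article) lists each configured resolver alongside its DoH template, plaintext-fallback setting and the machine-wide DoH policy value. The function name `Get-DohCoverage` is hypothetical; it reads only the machine-wide known-resolver list and policy, not per-adapter choices made in the Settings app.

```powershell
# Added example: show which configured DNS resolvers have a DoH template and
# whether plaintext fallback is still allowed. Get-DohCoverage is a hypothetical name.
function Get-DohCoverage {
    [CmdletBinding()]
    param()

    # Known DoH resolvers registered on this machine, keyed by IP address.
    $known = @{}
    foreach ($d in Get-DnsClientDohServerAddress) { $known[$d.ServerAddress] = $d }

    # Group Policy "Configure DNS over HTTPS (DoH) name resolution":
    # 1 = prohibit, 2 = allow, 3 = require. $null means the policy is not configured.
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
    $policy = (Get-ItemProperty -Path $policyKey -Name DoHPolicy `
                                -ErrorAction SilentlyContinue).DoHPolicy

    Get-DnsClientServerAddress | Where-Object ServerAddresses | ForEach-Object {
        foreach ($ip in $_.ServerAddresses) {
            $entry = $known[$ip]
            $template = $null; $autoUpgrade = $false; $fallback = $true
            if ($entry) {
                $template    = $entry.DohTemplate
                $autoUpgrade = $entry.AutoUpgrade
                $fallback    = $entry.AllowFallbackToUdp
            }
            [pscustomobject]@{
                Interface          = $_.InterfaceAlias
                Resolver           = $ip
                DohTemplate        = $template
                AutoUpgrade        = $autoUpgrade
                AllowFallbackToUdp = $fallback
                DohPolicy          = $policy
                # Flag resolvers with no DoH template, or that may fall back to plaintext DNS.
                NeedsReview        = (-not $template) -or $fallback
            }
        }
    }
}

Get-DohCoverage | Sort-Object Interface, Resolver | Format-Table -AutoSize
```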

Group Policy, Local Policy and Security Baselines

Group and Local Policy editors look very similar to those of Windows 10. Configuring secure base builds has been a challenge for a long time and it looks like Windows 11 will follow its predecessors in this department. From the variety of configuration options set to “Not Configured”, it remains unclear which settings are defaults until Microsoft releases documentation, or until 3rd parties gradually release this information from their testing.

Building a comprehensive security baseline will likely require a collaborative and substantial effort from multiple organisations such as NIST, CIS and NCSC. Microsoft is yet to release a Security Baseline for Windows 11. On this basis, it is unlikely that organisations will be able to build and deploy an “out-of-the-box” gold build for Windows 11 for the foreseeable future.

Privacy

Microsoft continues to avoid privacy improvements: Windows 11 is configured with default privacy and telemetry options, home users are forced to have a Microsoft account, and Android apps are being brought to Windows via the Amazon App Store (with an Amazon account, of course). Whilst DNS-over-HTTPS is a big privacy addition to Windows 11, it does not prevent these services from collecting your personal data whilst you are signed in, nor can a 3rd party VPN service.

In summary, Windows 11 is taking steps towards security at the expense of compatibility. Perhaps this is an acceptable trade-off given that Windows 10 is expected to be supported until 14th October 2025, which gives home and enterprise users time to ditch the legacy technologies that still litter the digital age.

Microsoft is clearly building Windows 11 to complement its Zero Trust Model, pushing business users towards Microsoft 365 and doubling down on security features like Windows Hello for Business. Time will tell how successfully Microsoft has developed Windows 11 to meet the needs of a cyber-scared world as more information arises. We will be keeping our eyes on this narrative as it continues to unfold.
