Microsoft answers some Windows 11 security questions
Microsoft’s upcoming Windows 11 security enhancements, announced last week, may also be available for Windows 10 machines.
That notion came from David Weston, vice president of enterprise and operating system security at Microsoft, who led a Thursday “Windows Security AMA” Q&A session (now available on demand) with members of the Microsoft security teams. The talk featured five panelists and covered security topics, including Windows 11 security.
With Windows 11, Microsoft is simply making it easier to access operating system security features such as Windows Defender Application Control, BitLocker Drive Encryption and Driver Lockdown, Weston said.
“I would say that the vast majority of the security features that we’re talking about in Windows 11 can also be implemented in Windows 10, and sometimes in a different way,” Weston said. “A big part of our goal in Windows 11 is to make it easier, better, and faster at home by default.”
In its announcement last week, Microsoft highlighted new Windows 11 features to come, such as Pluton security processors in PCs, personal data encryption tied to Windows Hello biometric logins, driver block lists, and Smart App Control for application control. However, the arrival dates of these new functions were not specified.
Smart App Control and WDAC
One Windows 11 security feature that won’t be in Windows 10 is the upcoming Smart App Control, which blocks untrusted or unsigned apps from running.
Additionally, Microsoft had previously explained that Smart App Control, when available, will appear on new Windows 11 PCs. Smart App Control would only be available for existing Windows 11 PCs if a “clean install” OS upgrade was performed.
However, Windows 10 users can still get similar app protections using Microsoft’s Windows Defender Application Control (WDAC) solution to block untrusted applications from running. Jordan Geurten, a Microsoft program manager on the OS security team, explained this point as follows:
Smart App Control is limited to Windows 11. Smart App Control runs on a feature called WDAC or Windows Application Control. Application Control essentially allows a user or IT administrator to specify a policy for which applications and essentially all code running on the system, both in kernel mode and in user mode. So even though Smart App Control is not necessarily available in Windows 10, you can make use of the great app control features from Windows 10. Therefore, WDAC or App Control is available in Windows 10 and above. There are no hardware or SKU limitations and it also ties in with Defender’s reputation AI in the cloud.
Geurten built Microsoft’s open source WDAC Policy Wizard tool, which provides a graphical user interface for configuring WDAC policies, rather than having to use XML or PowerShell.
WDAC used to be called “Configurable Code Integrity” and was part of Microsoft’s “Device Guard” operating system feature (which is now a defunct name), according to this Microsoft document. Basically, WDAC is replacing AppLocker, another application control solution, which was first introduced with Windows 7.
Microsoft explained why it is favoring WDAC over AppLocker as follows, according to the document:
In general, it is recommended that customers who can implement application control using WDAC instead of AppLocker do so. WDAC is undergoing continuous enhancements and will gain additional support from Microsoft management platforms. Although AppLocker will continue to receive security fixes, it will not experience new feature enhancements.
However, there is still a case for using AppLocker, for organizations that have “a mixed Windows operating system (OS) environment” or that have shared computers, the document explains.
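The WDAC workflow Geurten describes (a policy that names which code may run, applied in audit mode first, with Defender cloud reputation as an allow signal) can be driven entirely from the built-in ConfigCI PowerShell module on Windows 10 and later. The script below is an added example written for this page, not code from the article, from the Policy Wizard or from Microsoft’s documentation; the working folder, policy name and scan path are assumptions chosen for the example.

```powershell
# Added example (not from the article or Microsoft's documentation): build a
# Windows Defender Application Control (WDAC) policy in audit mode with the
# ConfigCI cmdlets that ship in Windows 10 1903+ and Windows 11, then review
# what the policy would have blocked. Run from an elevated PowerShell session.
#Requires -RunAsAdministrator
Import-Module ConfigCI

$WorkDir   = 'C:\WDAC'                      # assumed working folder
$Template  = "$env:windir\schemas\CodeIntegrity\ExamplePolicies\DefaultWindows_Audit.xml"
$PolicyXml = Join-Path $WorkDir 'ExamplePolicy.xml'
$ScanXml   = Join-Path $WorkDir 'ProgramFilesScan.xml'
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null

# Start from the shipped "DefaultWindows" template: Windows components and
# Microsoft-signed code are allowed, everything else is untrusted by default.
Copy-Item -Path $Template -Destination $PolicyXml -Force

# Add rules for software already installed under Program Files (assumed scan
# path). Publisher-level rules survive updates of signed software; unsigned
# binaries fall back to a file hash, which must be refreshed when they change.
New-CIPolicy -FilePath $ScanXml -Level Publisher -Fallback Hash -UserPEs `
             -ScanPath 'C:\Program Files' -MultiplePolicyFormat
Merge-CIPolicy -OutputFilePath $PolicyXml -PolicyPaths $PolicyXml, $ScanXml | Out-Null

# Give the merged policy its own identity so it can coexist with other policies
# (multiple-policy format), and a version so later updates supersede it.
Set-CIPolicyIdInfo -FilePath $PolicyXml -PolicyName 'Example-Audit' -ResetPolicyID | Out-Null
Set-CIPolicyVersion -FilePath $PolicyXml -Version '1.0.0.0'

# Rule options by ConfigCI option ID:
#   0  Enabled:UMCI                        govern user-mode code, not only drivers
#   3  Enabled:Audit Mode                  log violations instead of blocking while tuning
#  14  Enabled:Intelligent Security Graph  allow files with good Defender cloud reputation
#  16  Enabled:Update Policy No Reboot     later policy updates apply without a reboot
foreach ($opt in 0, 3, 14, 16) { Set-RuleOption -FilePath $PolicyXml -Option $opt }

# Compile the XML into the binary the Code Integrity engine loads. In the
# multiple-policy format the file must be named {PolicyID}.cip.
$PolicyId  = ([xml](Get-Content -Path $PolicyXml)).SiPolicy.PolicyID
$PolicyBin = Join-Path $WorkDir "$PolicyId.cip"
ConvertFrom-CIPolicy -XmlFilePath $PolicyXml -BinaryFilePath $PolicyBin | Out-Null
Write-Host "Audit-mode policy compiled to $PolicyBin"

# To activate: copy the .cip into the active policy store and reboot, e.g.
#   Copy-Item $PolicyBin "$env:windir\System32\CodeIntegrity\CiPolicies\Active\"
# To move from audit to enforcement once the log below is quiet:
#   Set-RuleOption -FilePath $PolicyXml -Option 3 -Delete   (then recompile and redeploy)

# Review audit results. Event 3076 = would have been blocked (audit mode);
# event 3077 = actually blocked (enforced policy).
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3076, 3077 } `
             -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message |
    Format-Table -AutoSize -Wrap
```

Keeping the policy in audit mode until the 3076 events stop surfacing legitimate software is what separates a deployable WDAC policy from one that breaks line-of-business applications; option 14 is the hook into the Defender cloud reputation that Geurten refers to, and it only helps for files that have a reputation, so unsigned in-house tools still need explicit hash or publisher rules.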
Driver Block List
Microsoft will bring a Driver Block List feature to Windows 11, which will block vulnerable drivers by default when Hypervisor-Protected Code Integrity (HVCI) protections are activated. Various members of the security team update the block list, according to Geurten.
“The way we really bring it up to date is that we have a virtual team of people on our security teams: enterprise security, Defender, Defender for Endpoint, MSRC. [and] we work closely to classify and investigate drivers that are reported,” Geurten said.
Microsoft uses static analysis and reverse engineering to figure out what drivers are doing and then coordinates with driver publishers, Geurten added.
Microsoft has a portal for reporting suspicious drivers, called the “Microsoft Vulnerable and Malicious Driver Reporting Center,” but it is not tied to a bug bounty program. Microsoft is also working on a Windows enhancement that will limit what the Windows kernel will trust.
“We are evaluating a new feature shortly that will help limit the scope of what Windows relies on in the kernel, but will also keep compatibility and performance at the forefront,” Geurten said.
Weston noted that groups such as the Confidential Computing Consortium have been looking to create “transparent ledgers or viewpoints on the security and integrity of binary files,” which could hold promise for operating system kernel security.
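Because the vulnerable driver block list only takes effect when HVCI is running, the first thing an administrator wants is a quick way to confirm that HVCI is actually enforcing on a machine and to see whether any driver loads have been refused. The script below is an added example, not code from the article or from Microsoft; it reads the Win32_DeviceGuard WMI class and the Code Integrity event log, and the registry value it probes is the one Microsoft later documented as the blocklist toggle on Windows 11 22H2, so it is simply absent on earlier builds.

```powershell
# Added example (not from the article or Microsoft): report whether HVCI is
# running, whether the vulnerable driver blocklist toggle is set, and which
# drivers Code Integrity has refused to load recently.
function Get-HvciDriverProtectionStatus {
    [CmdletBinding()]
    param([int]$MaxEvents = 25)

    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard

    # SecurityServicesRunning is an array of service IDs; 2 means HVCI
    # (Hypervisor-Protected Code Integrity) is running. VirtualizationBasedSecurityStatus
    # 2 means VBS itself is running (0 = off, 1 = enabled but not yet running).
    $hvciRunning = [bool]($dg.SecurityServicesRunning -contains 2)
    $vbsRunning  = ($dg.VirtualizationBasedSecurityStatus -eq 2)

    # Blocklist toggle documented for Windows 11 22H2 (assumption: absent on older builds,
    # where the blocklist is applied only through HVCI/WDAC without a separate switch).
    $ciConfig  = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
    $blocklist = (Get-ItemProperty -Path $ciConfig -Name 'VulnerableDriverBlocklistEnable' `
                                   -ErrorAction SilentlyContinue).VulnerableDriverBlocklistEnable

    # Event 3077 = a policy (including the Microsoft driver blocklist) blocked a load;
    # event 3033 = a driver failed the Microsoft signing-level requirement under HVCI.
    $blocked = Get-WinEvent -FilterHashtable @{
                   LogName = 'Microsoft-Windows-CodeIntegrity/Operational'
                   Id      = 3077, 3033
               } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
               Select-Object TimeCreated, Id, Message

    [pscustomobject]@{
        VbsRunning               = $vbsRunning
        HvciRunning              = $hvciRunning
        DriverBlocklistToggle    = if ($null -eq $blocklist) { 'not present (pre-22H2)' } else { $blocklist }
        BlockedDriverLoadEvents  = $blocked
    }
}

$status = Get-HvciDriverProtectionStatus
$status | Select-Object VbsRunning, HvciRunning, DriverBlocklistToggle | Format-List
if (-not $status.HvciRunning) {
    Write-Warning 'HVCI is not running: the vulnerable driver blocklist is not being enforced on this machine.'
}
$status.BlockedDriverLoadEvents | Format-Table -AutoSize -Wrap
```

A fleet-wide version of this check is a useful detection baseline: a machine where HVCI has silently stopped running (for example after a firmware or hypervisor change) is one where a known-vulnerable driver can load again even though the block list itself is current.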
Pluton
Pluton is Microsoft’s security processor, already used in Xbox gaming systems and Azure Sphere chips for Internet of Things devices. Pluton is also expected to appear on some new Windows 11 PCs this year.
The Windows Security team was asked if Microsoft’s Pluton security component uses any new way of talking to a machine’s CPU. Instead, Weston described Pluton as an approach to reducing the attack surface along the CPU’s “trust path.”
“Basically, the concept of Pluton is to integrate what we call the trust path or the security processor into the CPU package or die,” Weston said. “And that’s going to be very architectural, depending on how the CPU vendor does it.”
The more tightly this trust path is integrated into the CPU, the smaller the physical attack surface on the device. Weston also clarified later during the talk that the physical side-channel attack he had performed in a demo to leak processor information from a machine would fail not only on Pluton-based PCs, but also on a machine with a Trusted Platform Module, or even in BitLocker-plus-PIN authentication scenarios.
Windows Hello
The Windows Security team was asked how to make it easier to implement multi-factor authentication with Windows Hello. Weston suggested that it was an easy matter for Windows 11 users.
“You can, from a Windows 11 machine, use Windows Hello, enroll in Windows Hello for Business, and have multi-factor authentication without logging into the phone or making any kind of push request, which can be challenging from a deployment perspective,” Weston said.
For organizations that need more fine-grained control over multi-factor authentication, Microsoft has a configuration capability called “Multifactor Unlock,” which allows IT professionals to specify “a combination of trusted factors and tokens” that users must present to unlock their devices, according to the Microsoft document “Multi-factor unlock.”
The hour-long Q&A was filled with many other insights shared by members of the Windows security team, including pro tips for getting into the security field. Technical questions were also answered.