Why new Windows 11 security features will support hybrid work
/At GDK Network Systems we are always seeking out the best in innovation so we can bring it to our clients.
The new Windows 11 security features are the perfect solution for hybrid work as they provide additional protection for all the team. We are very excited about this and want to share with you information about these new features.
David Weston Vice President, Enterprise and OS Security Microsoft introduces the new features to us in this article:
Attackers are constantly evolving, becoming increasingly sophisticated and destructive—the median time for an attacker to access your private data if you fall victim to a phishing email is 1 hour, 12 minutes.
Microsoft tracks more than 35 ransomware families and more than 250 unique nation-state attackers, cybercriminals, and other actors. We have unparalleled threat intelligence—processing more than 43 trillion signals per day, including 2.5 billion daily endpoint queries and 921 password attacks blocked every second. We work alongside more than 15,000 partners in our security ecosystem and we have more than 8,500 engineers, researchers, data scientists, cybersecurity experts, threat hunters, geopolitical analysts, investigators, and frontline responders across 77 countries. We combine human and machine intelligence with built-in AI to continuously learn from the attack landscape, and we have a dedicated team, the Microsoft Offensive Research and Security Engineering (MORSE), that works to stop threats before they reach your device. All of this goes into the design process to deliver a more secure Windows with every release.
Protection that evolves with the threat landscape
Today, we’re proud to announce that the security features you heard about in April 2022 are now available on Windows 11.
Application Control
We’ve added features that give people the flexibility to choose their own applications, while still maintaining tight security. Smart App Control is a new feature for individuals or small businesses designed to help prevent scripting attacks and protect users from running untrusted or unsigned applications often associated with malware or attack tools. This feature creates an AI model using intelligence, based on the 43 trillion security signals gathered daily, to predict if an app is safe. App control is known to be one of the most effective approaches to protecting against malware but can be complex to deploy. Windows 11 uses the power of AI to generate a continually updated app control policy that allows common and known safe apps to run while blocking unknown apps often associated with new malware. Our customers have asked us to make this simpler and we have responded.
The Smart App Control approach achieves the goal of making advanced app control protection widely available. Smart App Control is built on the same same OS core capabilities used in Windows Defender Application Control. Smart App Control is provided on all Windows client editions with clean installations of Windows 11 2022 Update. Alternatively, for enterprises, your IT team can use Microsoft Intune with Windows Defender Application Control to remotely apply policies to control what apps run on workplace devices.
Vulnerable driver protection
Malware increasingly targets drivers to exploit vulnerabilities, disable security agents, and compromise systems. Window 11 uses virtualization-based security (VBS) for enhanced kernel protection against potential threats.
Hypervisor-protected code integrity (HVCI), also called memory integrity, will be enabled by default on all new Windows 11 devices. HVCI uses VBS to run kernel mode code integrity (KMCI) inside the secure VBS environment instead of the main Windows kernel. This helps prevent attacks that attempt to modify kernel mode code such as drivers. The KMCI role is to check that all kernel code is properly signed and hasn’t been tampered with before it is allowed to run.
HVCI ensures that only validated code can be executed in kernel mode. The hypervisor leverages processor virtualization extensions to enforce memory protections that prevent kernel-mode software from executing code that has not been first validated by the code integrity subsystem. HVCI protects against common attacks like WannaCry that rely on the ability to inject malicious code into the kernel. HVCI can help prevent the injection of malicious kernel-mode code even when drivers and other kernel-mode software have bugs.
The Microsoft vulnerable driver block list is another important safeguard against advanced persistent threats and ransomware attacks that exploit known vulnerable drivers. Beginning with the 2022 Update, the block policy is now on by default for all new Windows computers, and users can opt in to enforce the policy from the Windows Security app.
The Windows kernel is the most privileged software and is therefore a compelling target for malware authors. Since Windows has strict requirements for code running in the kernel, cybercriminals commonly exploit vulnerabilities in kernel drivers to get access. Taking advantage of Windows Defender Application Control, the kernel blocklisting feature prevents vulnerable versions of drivers from running. Microsoft works with ecosystem partners to constantly identify and respond to potentially vulnerable kernel drivers. Users who want the highest level of protection can still specify an allow list to implement driver control.
Enhanced identity protection and simplified password management
With Windows 11, you can protect your valuable data and enable secure hybrid work with the latest advanced security that small or medium-sized businesses say results in 2.8 times fewer instances of identity theft.
Here are a few enhancements that can help you stay secure now and in the future:
Windows Defender Credential Guard is enabled by default with Windows 11 Enterprise. Credential Guard uses hardware-backed, virtualization security to help protect against credential theft techniques such as pass-the-hash or pass-the-ticket. In addition, this feature helps prevent malware from accessing system secrets even if the process is running with admin privileges.
Credential isolation with Local Security Authority (LSA) protection enabled by default provides extra protection to new, enterprise-joined Windows 11 devices. LSA is one of the critical processes that verify a user’s identity. With LSA protection, Windows will load only trusted, signed code, making it significantly more difficult for attackers to steal credentials.
Enhanced phishing protection in Microsoft Defender Smartscreen can detect and warn you when you’re entering your password into a known compromised app or website. It also promotes good credential hygiene by warning users when they try to re-use passwords or store them in an unsafe location such as a text file. This goes beyond browser-based protection to build advanced phishing protection into the operating system itself, empowering users to take proactive action before passwords can be used against them or their organization. IT admins can customize alerts using a mobile device management (MDM) solution like Microsoft Intune.
Go Passwordless with Windows Hello for Business. With built-in protection already enabled, Windows 11 helps block software and firmware attack from the moment you turn on your device. And for secure, convenient single sign-on (SSO), you can take advantage of the protection and convenience of passwordless authentication using Windows Hello for Business and a unique identifier such as your face, fingerprint, or PIN. These unique identifiers are bound to your device and can only be used by you from that device for secure, convenient SSO across your computer and cloud services.
We’ve also made Windows Hello for Business much easier to deploy. For example, we’ve removed requirements for public key infrastructure (PKI). Look into this deployment model for an easy, secure way to set up a modern, passwordless sign-in experience.
And if you’re going passwordless, you’ll be able to take advantage of presence sensing for hands-free secure sign-in. Presence detection sensors work with Windows Hello to sign you in when you approach, and lock when you leave. The feature is optional and can be easily enabled on devices equipped with presence sensors.
Locking down IT policy and compliance
Config lock, available only on Secured-core PCs that are designed for added security, helps prevent the configuration drift that occurs when users with local admin rights change settings and put devices out-of-sync with IT security policies. With config lock, Windows 11 monitors the registry keys that configure each feature even when the device isn’t connected to the internet. When a drift is detected, the device immediately reverts to the IT-desired Secured-core computer state.
Config lock builds on the security fundamentals of Windows 11 and is, in part, secured by specific hardware features. The feature monitors a pre-configured set of configuration service providers (CSPs) and policies. If you assign any of these policies to devices in your tenant, enabling config lock will maintain your defined settings.
For more information on these additional security features, or for any query relating to your IT requirements please get in contact with the expert team at GDK Network Systems.