With ransomware, sophisticated hacking attacks, and phishing threats showing no sign of abating, Microsoft has rethought security in Windows 11 with the aim of blocking more threats by default.
Windows 10 had loads of core security features, but Microsoft left it up to the user to enable and configure based on their own preferred trade-offs with performance and compatibility, David Weston, Microsoft’s vice president of Enterprise and Operating System Security, told ZDNET.
“We’ve really inverted that philosophy. We found a very low percentage of folks could really understand what trade-offs they’re making and were really looking to Microsoft to figure it out. We’ve taken that feedback and integrated it into Windows 11. We’re heavily focused on preventing attacks,” said Weston.
“With Windows 11, we’re focused on the threat landscape and what are the biggest attack vectors — phishing, malware through attachments or downloads, and data protection attacks. We are centered on solving those widespread attacks at the prevention level.”
Windows 11 22H2 — aka Windows 11 Update 2022 — includes many enhancements that offer protection against attacks on the Windows kernel through vulnerable drivers, with more protections for credentials, better defenses against evil-maid attacks, and easier authentication without passwords.
But, according to Weston, the headline security feature of Windows 11 22H2 is Smart App Control, which enables application control by default.
Microsoft tried an allow-list approach in locked-down Windows 10 S in “tens of millions of devices” and saw “no malware” on them thanks to it, says Weston. The problem was that it used a blunt policy instrument: app installs were restricted to the Microsoft Store.
This time, application control relies on artificial intelligence to define the allow-list. Microsoft tested this with Windows 11 Insiders this year via the Smart App Control feature.
The allow-list only permits a set of applications to run on Windows 11. Smart App Control relies on the same Windows features as Windows Defender Application Control, which allows policies to be manually defined.
“Application control is one of the most effective things and also hard to do traditionally,” Weston said.
So, when users get an application that millions of others are using — regardless of whether it’s from the Store or a website — it will “work like normal,” Weston said. But if someone sends an application as an attachment that they recently generated to bypass antivirus protection, that won’t run because it’s not on the allow-list.
“Most of the applications we use today are used by millions of other people. Most malware is seen on only a couple of machines. We plumbed into the core of the operating system [with] this enforcement mechanism. Prior to Windows 11 22H2, this was a policy you had to write up yourself in an XML file. You can imagine, that’s pretty tricky in the enterprise knowing which applications everyone needs to run,” Weston said.
Windows 11 22H2 also blocks “most of the script vectors from the internet.” It’s partly informed by the Office team’s decision to block untrusted macros from the internet by default.
“Windows 11 22H2 took that idea further. We said no PowerShell, no LNK files, no Visual Basic from the internet. Anyone with an eye on the threat landscape knows that these are some of the favorites. Windows 11 in Smart App Control mode blocks those threats,” he said.
Microsoft will roll out the security feature gradually to users. There will be a one-click option for users to turn Smart App Control off, although a reboot is required to exit it. Over time Microsoft will release more granular policies, for example, to allow a nominated app to run while the feature otherwise remains enabled.
“For the folks who can stay in this mode, based on our data from things like Defender, this will be one of the most important security features out there and it will block scripting and most malware vectors,” Weston predicted.
Smart App Control is aimed at Windows 11 for consumers and small businesses. It will be on by default for Windows 11 in enterprises, but Microsoft doesn’t expect them to deploy it because many enterprises have their own line-of-business apps. Microsoft expects them to use Windows Defender Application Control instead, Weston said.
More security enhancements for protecting credentials
In the first Windows 11 release, Microsoft turned on virtualization-based security (VBS) only for the latest AMD, Intel, and Qualcomm processors. Weston said he sees Windows making more use of VBS in future.
Also, for Enterprise editions of Windows 11 22H2, Microsoft is turning on Credential Guard by default. In Windows 10, Credential Guard moved NTLM credentials outside of Windows and into VBS in order to defeat credential-dumping tools like Mimikatz.
Microsoft has now turned on protected processes for Local Security Authority Subsystem Service (LSASS) for new enterprise-joined Windows 11 devices. LSA stores Microsoft and third-party credentials. With this protection, Windows will load only trusted, signed code, making it more difficult for attackers to steal credentials.
“What we said is, ‘No process, including administrators, can read or write from LSA.’ That defeats a lot of common credential theft and lateral movement tools. It’s not as strong as VBS and we want to eventually move everything into VBS, but this is an excellent bridging technology that will have a real impact. Jumping into LSA and dumping credentials is one of the most common attack vectors. That’s not going to happen again,” Weston said.
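A read-only audit of whether the three protections discussed above (Smart App Control, protected-process LSASS, and Credential Guard under VBS) are actually active on a device, useful for confirming the 22H2 defaults on a fleet. This is an added example, not Microsoft's or ZDNET's code; the registry value names, the Wininit event ID and the Win32_DeviceGuard fields are assumed from Microsoft's public documentation rather than taken from this article, and the function names are my own.

```powershell
# Added example (not from the article). Run in an elevated PowerShell on the device.
# Registry paths, event IDs and CIM fields below are assumptions from Microsoft docs.

function Get-SmartAppControlState {
    # Assumed: VerifiedAndReputablePolicyState 0 = Off, 1 = Enforced, 2 = Evaluation.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Policy'
    $v = (Get-ItemProperty -Path $key -Name VerifiedAndReputablePolicyState `
            -ErrorAction SilentlyContinue).VerifiedAndReputablePolicyState
    $names = @{ 0 = 'Off'; 1 = 'Enforced'; 2 = 'Evaluation' }
    if ($null -eq $v) { return 'Not present (older build or unsupported SKU)' }
    if ($names.ContainsKey([int]$v)) { return $names[[int]$v] }
    return "Unknown value $v"
}

function Get-LsaProtectionState {
    # Assumed: RunAsPPL = 1 (or 2 with UEFI lock) configures LSASS as a protected process.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $cfg = (Get-ItemProperty -Path $key -Name RunAsPPL -ErrorAction SilentlyContinue).RunAsPPL
    # Assumed: Wininit event 12 in the System log records that LSASS started protected
    # at the last boot, which is stronger evidence than the registry value alone.
    $evt = Get-WinEvent -FilterHashtable @{
        LogName = 'System'; ProviderName = 'Microsoft-Windows-Wininit'; Id = 12
    } -MaxEvents 1 -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Configured       = ($null -ne $cfg -and $cfg -ge 1)
        RunningProtected = ($null -ne $evt)
    }
}

function Get-VbsState {
    # Assumed: Win32_DeviceGuard.VirtualizationBasedSecurityStatus 2 = running;
    # SecurityServicesRunning contains 1 for Credential Guard and 2 for HVCI.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
            -ClassName Win32_DeviceGuard -ErrorAction Stop
    [pscustomobject]@{
        VbsRunning      = ($dg.VirtualizationBasedSecurityStatus -eq 2)
        CredentialGuard = (@($dg.SecurityServicesRunning) -contains 1)
        Hvci            = (@($dg.SecurityServicesRunning) -contains 2)
    }
}

# Summarise so the result can be collected centrally (e.g. exported to CSV or JSON).
$lsa = Get-LsaProtectionState
$vbs = Get-VbsState
[pscustomobject]@{
    Computer            = $env:COMPUTERNAME
    SmartAppControl     = Get-SmartAppControlState
    LsaPplConfigured    = $lsa.Configured
    LsaRunningProtected = $lsa.RunningProtected
    VbsRunning          = $vbs.VbsRunning
    CredentialGuard     = $vbs.CredentialGuard
    Hvci                = $vbs.Hvci
} | Format-List
```

A device where LsaPplConfigured is true but LsaRunningProtected is false has usually not rebooted since the setting was applied, or the setting was blocked by an unsigned LSA plug-in; a Hvci value of false alongside CredentialGuard true is still a valid configuration, since the two VBS services are enabled independently.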
For its Secured-core PCs and laptops, Microsoft has also introduced new encryption technology as a second layer to BitLocker called Personal Data Encryption (PDE).
If you lose a laptop and the attacker boots it to the login screen, BitLocker has already unlocked the disk. If the attacker attaches a special device or bypasses the lock screen to access data or get code running, they can slurp up the data.
While Secured-core PCs address this threat by locking down the ports, PDE offers a way to enable file-specific encryption beyond BitLocker, so that even if attackers had a way of bypassing BitLocker they would still be confronted with an encrypted file, effectively creating a second safety net.