What's Microsoft been up to? A quick tour of Windows 11 22H2's security features
And some requirements to be aware of
In brief As it rolled out a laundry list of features in the latest version of Windows 11, namely version 22H2, this month, Microsoft has also detailed some of the added security mechanisms.
These changes touch on a range of areas, including hardware, drivers, and printers as well as protections against credential theft and account lookout.
Included among the features is Kernel Mode Hardware Enforced Stack Protection, with Rick Munck, cloud security solution architect at Microsoft, stressing its dependency on hypervisor-protected code integrity (HVCI). HVCI enables Kernel Mode Code Integrity (KMCI) – a feature introduced with Vista that ensures low-level, highly privileged code, such as drivers and parts of the OS, are suitably signed before they are run. This code integrity check happens in a virtualization-protected space in the system.
Munck wrote in a blog post – which handily summarizes 22H2's security measures – that the hardware-enforced stack protection, which can be used with Windows 11 version 22H2 and above, provides additional security to kernel-level software, by hampering exploitation of certain code-execution vulnerabilities.
Along with HVCI, the feature requires shadow stack functionality in either Intel's Tiger Lake series of CPUs – first launched in 2020 – or AMD's Zen 3 family, or later chips.
"There shouldn't be any issues as long as enterprises are following the baselines but, if the organization deviates from HVCI, then Kernel Mode Hardware Enforced Stack Protection cannot be enabled," Munck wrote. "If the hardware platform does not support it, then no enforcements are enabled. While compatibility concerns are unlikely, customers are encouraged to test compatibility to ensure an incompatible driver doesn't lead to instability."
Software alone won't cut it
The feature is part of a larger push Microsoft has been making for several years to more tightly integrate hardware and software security capabilities. In a lengthy Windows 11 security guide issued last year, and updated in time for the release of version 22H2, Microsoft highlighted the work it has done with chipmakers and system builders to improve its operating system's security.
"Today's ever-evolving threats require strong alignment between hardware and software technologies to keep users, data, and devices protected," the report's authors wrote. "The operating system alone cannot protect from the wide range of tools and techniques cybercriminals use to compromise a computer."
In a tweet, David Weston, vice president of enterprise and OS security at Microsoft, pointed to updates in the guide, including the inclusion of support for Pluton, a coprocessor designed by Microsoft with chip makers to provide strong protection for encryption keys and system integrity, among other duties, in PCs and is integrated with the host processor. It provides a Trusted Platform Module (TPM) and leaves room for other features to be added via updates. Pluton is available with select Windows 11 PCs, though for now it isn't mandatory.
A hardware and software approach to security is important for any company, but particularly Microsoft, according to Darryl MacLeod, vCISO at Lares Consulting.
"Their products are used by billions of people around the world, making them a prime target for attackers," MacLeod told The Register. "By offering both hardware and software security solutions, Microsoft can provide a more comprehensive level of protection for its customers by minimizing the overall attack surface."
- Microsoft debuts Windows 11 2022 Update – now with features added monthly
- Check out this Android spyware, says Microsoft, the home of a gazillion Windows flaws
- Admins run into Group Policy problems after Win10 update
- Microsoft Outlook sends users back to 1930 with (very) mini-Millennium-Bug glitch
Microsoft has also added settings to protect printers used by enterprises, such as RedirectionGuard to protect against unauthorized redirection primitives from being followed, and the ability to configure remote procedure calls (RPC) over a TCP port to ensure incoming and outgoing connections default to a dynamic TCP port.
In addition, other features have been designed to protect enterprises that continue to lean on usernames and passwords for Windows authentication. This functionality aims to keep enterprise credentials from being used for unintended or malicious purposes and log related user activity in the Microsoft Defender for Endpoint portal.
"Because this is an end-user option, the security baseline enforces enablement of the service (the Service Enabled setting) to ensure that the enterprise credentials used in the system are appropriately monitored and audited," Munck wrote. "Based on Microsoft Defender SmartScreen's robust security infrastructure, when a user enters their credentials into a known phishing or malicious site, the service alerts the user as illustrated below. In this scenario, the setting Notify Malicious is set to Enabled."
Organizations can use the Microsoft Security Compliance Kit to manage and test their configurations in light of the updated operating system – and see the above blog post for more details. ®