New security features for Windows 11 will help protect hybrid work

Attackers haven’t wasted any time capitalizing on the rapid move to hybrid work. Every day cybercriminals and nation-states alike have improved their targeting, speed, and accuracy as the world adapted to working outside the office. These changes have put “cybersecurity issues and risks” at the top of the list when it comes to worries or concerns for business decision-makers in the year ahead, as shown in new data from Microsoft’s 2022 Work Trend Index [1]. Malware, stolen credentials, phishing attacks, devices that lack security updates, user error, and physical attacks on lost or stolen devices are major concerns for security and IT teams as they try to protect their workforce.

In 2021, protections built into Windows, Azure, Microsoft 365, and Microsoft Defender for Office 365 have blocked more than 9.6 billion malware threats, more than 35.7 billion phishing and other malicious emails, and 25.6 billion attempts to hijack our enterprise customers by brute-forcing stolen passwords—that’s more than 800 password attacks per second. The intelligence we get from this, combined with the 8,500 security professionals we have and 24 trillion security signals processed by our cloud every 24 hours, gives us a unique view into what our customers need to protect themselves from threats now and in the future. The combination of modern hardware and software required for Windows 11, delivered alongside our ecosystem partners, is what will enable us to help protect our customers from wherever and however they choose to work.

Security designed for hybrid work

In a future release of Windows 11, you’re going to see significant security updates that add even more protection from the chip to the cloud by combining modern hardware and software. Microsoft has made groundbreaking investments to help secure our Windows customers with hardware security innovations like Secured-core PCs. Our data shows that these devices are 60 percent more resilient to malware than PCs that don’t meet the Secured-core specifications. The stronger protection these devices provide helped build the foundation that the Windows 11 hardware baselines were designed upon. In upcoming releases of Windows, we are advancing security even further with built-in protections to help defend from advanced and targeted phishing attacks. We’re also adding more protection for your applications, personal data, and devices and empowering IT with the ability to lock security configurations as more enterprise devices are sent directly to users. Here’s a look at what’s coming to Windows 11 to help our customers combat the biggest security challenges of distributed work scenarios and the threat landscape of the future.

Zero Trust security, from the chip to the cloud, rooted in hardware

  • Microsoft Pluton: Built on the principles of Zero Trust, the hardware and silicon-assisted security features in Windows 11—including the TPM 2.0, firmware and identity protection, Direct Memory Access, and Memory Integrity protection—help protect core parts of the OS as well as the user’s credentials as soon as the device powers on. While those features provide protection from many attack patterns we see today, we know that attackers have shifted their sights to hardware, which is why we’re looking ahead to the Microsoft Pluton Security Processor as an innovative solution to securing that critical layer of computing.
  • Microsoft Pluton has several key capabilities that stem from its direct integration into the CPU and the OS. First, Pluton is the only security processor which is kept regularly up to date with key security and functionality updates coming through Windows Update, just like any other Windows component. This means that Pluton does not require enterprises to take the traditional manual steps to update firmware, making it much easier to stay secure. In addition, the Pluton firmware is developed by the same Windows team that builds the features that use it, like Windows Hello and BitLocker. This means Pluton is optimized for the best performance and reliability in Windows 11. Pluton also undergoes world-class penetration testing along with external bug bounties to ensure it remains secure. Pluton offers more than just optimized firmware; it also offers protection against physical attacks through its direct integration into the CPU. This avoids any additional attack surface, increasing security and simplifying additional configuration traditionally needed to address physical attacks. Pluton is a testament to the investment in our chip-to-the-cloud security strategy and the success of Secured-core PCs.
“While the industry has made great strides in defending against increasingly sophisticated attacks, there’s always more to be done in the realm of hardware and software protection. The best way to propel the ecosystem forward and raise the bar for platform integrity is to leverage open standards; the Pluton security processor does exactly that.”—Michael Mattioli, Co-chair, Supply Chain Security Work Group at Trusted Computing Group, Vice President of Hardware Security, Goldman Sachs.

App security without the app store from Smart App Control

  • Smart App Control is a major enhancement to the Windows 11 security model that prevents users from running malicious applications on Windows devices by blocking, by default, untrusted or unsigned applications. Smart App Control goes beyond previous built-in browser protections and is woven directly into the core of the OS at the process level. Using code signing along with AI, our new Smart App Control only allows processes to run that are predicted to be safe based on either code certificates or an AI model for application trust within the Microsoft cloud. Model inference occurs 24 hours a day on the latest threat intelligence that provides trillions of signals. When a new application is run on Windows 11, its core signing and core features are checked against this model, ensuring only known safe applications are allowed to run. This means Windows 11 users can be confident they are using only safe and reliable applications on their new Windows devices. Smart App Control will ship on new devices with Windows 11 installed. Devices running previous versions of Windows 11 will have to be reset and have a clean installation of Windows 11 to take advantage of this feature.

Increased account and credential security

  • Enhanced phishing detection and protection with Microsoft Defender SmartScreen: In the last year, we’ve blocked more than 25.6 billion Microsoft Azure Active Directory (Azure AD) brute force authentication attacks and intercepted 35.7 billion phishing emails with Microsoft Defender for Office 365. The enhanced phishing detection and protection built into Windows with Microsoft Defender SmartScreen will help protect users from phishing attacks by identifying and alerting users when they are entering their Microsoft credentials into a malicious application or hacked website. These enhancements will make Windows the world’s first operating system with phishing safeguards built directly into the platform and shipped out-of-box to help users stay productive and secure without having to learn to be their own IT department.

  • Credential Guard by default: Windows 11 makes use of hardware-backed, virtualization-based security capabilities to help protect systems from credential theft attack techniques like pass-the-hash or pass-the-ticket. It also helps prevent malware from accessing system secrets even if the process is running with admin privileges. In the future, Credential Guard will be enabled by default for organizations using the Enterprise edition of Windows 11.
  • Additional protection for Local Security Authority (LSA) by default: Windows has several critical processes to verify a user’s identity. The LSA is one of those processes, responsible for authenticating users and verifying Windows logins. It is responsible for handling user credentials, like passwords, and tokens used to provide single sign-on to Microsoft accounts and Azure services. Attackers have developed tools and have abused Microsoft tools to take advantage of this process to steal credentials. To combat this, additional LSA protection will be enabled by default in the future for new, enterprise-joined Windows 11 devices, making it significantly more difficult for attackers to steal credentials by ensuring LSA loads only trusted, signed code.

Personal Data Encryption adds a second layer of security for personal data

  • Forty percent of respondents in Verizon’s 2021 Mobile Security Index said mobile devices are the biggest IT security threat, 97 percent consider remote workers to be at more risk than office workers, and 56 percent were worried about device loss or theft. No matter where users are working, the new Personal Data Encryption coming to Windows 11 provides a platform, available for use by applications and IT, to protect user files and data when the user is not signed into the device. To access the data, the user must first authenticate with Windows Hello for Business, linking data encryption keys with the user’s passwordless credentials so that even if a device is lost or stolen, data is more resistant to attack and sensitive data has another layer of protection built-in.

Protect users from themselves with Config Lock

  • More than 60 percent of security decision-makers reported that they’re challenged when it comes to implementing security solutions and a big reason for that is the limited control they have once the device is in the hands of the user. Config Lock changes that. This feature, already in Windows 11, monitors registry keys through mobile device management (MDM) policies to help ensure devices in your ecosystem comply with industrial and company security baselines. If Config Lock detects a change in registry keys, it will automatically revert the impacted system to the IT-desired state in seconds. With Config Lock, IT administrators can be confident that devices in their organization are protected, and users have not changed critical security settings.

Block vulnerable drivers by default with HVCI

  • Hypervisor-Protected Code Integrity (HVCI) default enhancements: Malware attacks over the last few years (RobbinHood, Uroburos, Derusbi, GrayFish, and Sauron) [2] have increasingly leveraged driver vulnerabilities to compromise systems. In the next Windows 11 release, HVCI will be enabled by default on a broader set of devices running Windows 11. This feature prevents attackers from injecting their own malicious code (for example, WannaCry) [3] and helps ensure that all drivers loaded onto the OS are signed and trustworthy. Using data from the broader security community, the Microsoft Vulnerable and Malicious Driver Reporting Center helps enable Windows to automatically block known vulnerable drivers.
  • The Microsoft vulnerable driver blocklist leverages Windows Defender Application Control (WDAC) to help prevent advanced persistent threats (APTs) and ransomware attacks abusing and exploiting known vulnerable drivers. The kernel blocklisting feature mitigates these threats by preventing these drivers from being exploited by blocking their load in the Windows kernel. Devices running HVCI or Windows SE have the blocklist enabled by default. Additionally, the feature can be enabled by the new experience in the Core isolation page within the Windows Security App.
[Image: The Microsoft vulnerable driver blocklist feature enabled in the Core isolation page within the Windows Security app.]

Redesigning security from the chip to the cloud

Microsoft is continuously investing in improving the default security baseline for Windows and is focused on closing gaps on top attack vectors like those we shared here today. Those investments are designed to help simplify and deepen the security experience for Windows customers by default. With built-in chip to the cloud protection and layers of security, Windows 11 helps organizations meet the new security challenges of the hybrid workplace, now and in the future. With every release, we are making Windows more secure by default, designing new protections as we continue to power the future of business.

Check out our breakout security session to see how these upcoming Windows Security features help protect you from real-world attacks. And learn more about Windows 11 security in our Windows 11 Security Book.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

Brink


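Added example, not code from the Microsoft post or from anyone in this thread: the post says Credential Guard, additional LSA protection, HVCI and the vulnerable driver blocklist will be on by default in future builds, but an administrator still has to verify the state of the machines already in the fleet. The read-only PowerShell checks below query the DeviceGuard WMI class for the virtualization-based security services and the documented registry values for LSA protection (RunAsPPL) and the driver blocklist. Assumptions: Windows 10 or 11, an elevated PowerShell session, and the `root\Microsoft\Windows\DeviceGuard` namespace present (it is on all supported builds); the function names are the example's own.

```powershell
# Added example (not from the Microsoft post or this thread): read-only checks for whether the
# protections described in the post are actually active on this machine.
# Assumptions: Windows 10/11, elevated PowerShell session, DeviceGuard WMI namespace present.

function Get-VbsStatus {
    # Win32_DeviceGuard exposes which virtualization-based security services are running.
    # SecurityServicesRunning codes: 1 = Credential Guard, 2 = Hypervisor-enforced Code Integrity.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName 'Win32_DeviceGuard' -ErrorAction Stop
    $running = @($dg.SecurityServicesRunning)
    [pscustomobject]@{
        # VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but not running, 2 = running
        VbsRunning      = ($dg.VirtualizationBasedSecurityStatus -eq 2)
        CredentialGuard = ($running -contains 1)
        Hvci            = ($running -contains 2)
    }
}

function Get-LsaProtectionStatus {
    # RunAsPPL under the Lsa key runs LSASS as a protected process, so only signed, trusted code
    # can load into it. 1 = enabled (UEFI-locked), 2 = enabled without the UEFI lock;
    # a missing or zero value means the protection is off.
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction Stop
    [pscustomobject]@{
        RunAsPPL = $lsa.RunAsPPL
        Enabled  = ($null -ne $lsa.RunAsPPL -and $lsa.RunAsPPL -ne 0)
    }
}

function Get-DriverBlocklistStatus {
    # Documented value name for the Microsoft vulnerable driver blocklist. Devices running HVCI
    # enforce the blocklist regardless of this flag, so it is combined with HVCI below.
    $ci = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        VulnerableDriverBlocklistEnable = $ci.VulnerableDriverBlocklistEnable
        ExplicitlyEnabled               = ($ci.VulnerableDriverBlocklistEnable -eq 1)
    }
}

function Test-Win11Protections {
    # One row per protection named in the post, $true when it is active on this device.
    $vbs = Get-VbsStatus
    $lsa = Get-LsaProtectionStatus
    $blk = Get-DriverBlocklistStatus
    [pscustomobject]@{
        VbsRunning            = $vbs.VbsRunning
        CredentialGuard       = $vbs.CredentialGuard
        HVCI                  = $vbs.Hvci
        LsaProtection         = $lsa.Enabled
        VulnerableDriverBlock = ($vbs.Hvci -or $blk.ExplicitlyEnabled)
    }
}

Test-Win11Protections | Format-List
```

Run it on a handful of representative devices before and after the relevant Windows update; any row that stays `False` on a device that should be covered is the one to investigate in your MDM or Group Policy settings rather than assuming the default took effect.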

magilla

I read that in order to enable it you must do a ‘refresh’ - i.e. reinstall - of Windows 11, and that means all friggin apps.