Sizing Up the Security Features Slated for Windows 11
Microsoft Promises Better 'Zero Trust' Capability, Passwordless Access
Security specialists are offering preliminary feedback on Microsoft's sneak peek at the new security measures to be included in the Windows 11 operating system, which is slated for release in December.
The operating system, which is essentially an upgraded version of Windows 10, will include "zero trust" capability, hardware-based isolation, encryption and malware prevention turned on by default. The OS also will be designed to make it easier for users to have the option to go passwordless, the company says.
"The new security features in Windows 11 are absolutely a step in the right direction," says Mike Fleck, senior director of engineering with the cloud security firm Cyren. "However, it will be a while before most businesses can adopt these features. Like Formula One racing technology or haute couture fashion, I think it's a signal of things to come more than solutions that can be immediately implemented."
David Weston, Microsoft's director of enterprise and operating system security, says: "This next generation of Windows will raise the security baseline by requiring more modern CPUs, with protections like virtualization-based security, hypervisor-protected code integrity and Secure Boot built-in and enabled by default to protect from both common malware, ransomware and more sophisticated attacks."
In its Thursday announcement about Windows 11, Microsoft did not offer granular details on the new security features. It also did not offer a timeline for when support for Windows 10 might end. The company ceased supporting Windows 7 in January 2020.
"We have worked closely with our manufacturer and silicon partners to raise security baselines to meet the needs of the evolving threat landscape and the new world of hybrid work and learning," Microsoft says in its Windows 11 announcement. "The new set of hardware security requirements that comes with Windows 11 is designed to build a foundation that is even stronger and more resilient to attacks."
Microsoft says Windows 11 will have improved capability to deliver chip-to-cloud zero trust protection by requiring Trusted Platform Module version 2.0. Windows 11 also will offer, by default, support for Microsoft Azure Attestation, which is designed to enable users to enforce zero trust policies when accessing sensitive resources in the cloud with supported mobile device management systems.
Weston notes the Windows Hello password manager, which allows sign-in using facial or fingerprint recognition or a PIN, will be upgraded in Windows 11 for business use.
"Windows Hello for Business supports simplified passwordless deployment models for achieving a deploy-to-run state within a few minutes," Weston says. "This includes granular control of authentication methods by IT admins while securing communication between cloud tools to better protect corporate data and identity. And for consumers, new Windows 11 devices will be passwordless by default from day one."
To run Windows 11, computers must run at least an eighth-generation or newer Intel Core processor or an AMD Ryzen 2000 or newer processor, have 4GB of RAM, a minimum of 64GB of storage and be compatible with DirectX 12 or later with a WDDM 2.0 driver.
To access Windows 11 security upgrades, users must have a computer with a TPM 2.0 security chip.
A TPM chip is a secure crypto-processor that carries out cryptographic operations. The chip includes physical security mechanisms to make it tamper-resistant, and malicious software is unable to tamper with the security functions of the TPM, Microsoft says.
Cybersecurity Experts React
Microsoft's decision to offload more security requirements onto hardware is the right move, some security experts say. But they add that many companies running older gear could have a hard time taking advantage of what Windows 11 has to offer.
"Much of the security will be offloaded to dedicated hardware, aka the TPM [chip]. Its job is to perform more robust encryption to secure Windows Hello, PINs, encrypt passwords and enable advanced features like Windows Defender System Guard," says Fleck of Cyren.
Bert Kashyap, CEO and co-founder of the certificate management firm SecureW2, notes: "Forcing users to login to a Microsoft account instead of just a local account is definitely better for login security. Plus it registers the user with the device's TPM/certificate, which can be used for device trust."
Because Windows 11 requires use of the TPM 2.0 chip, many organizations will need to upgrade or replace devices, Fleck says. Passwordless authentication and the underlying standard for it - FIDO - are not compatible with many legacy systems, he points out. And many enterprises have made massive investments in third-party multifactor authentication/single sign-on solutions, which they won't replace until those contracts expire, he adds.
"Until then, we'll continue to have passwords, password managers, account takeover, vulnerabilities and exploits," Fleck says. "We might even have all those things after we have solved the management challenges of zero trust and passwordless. After all, there are no such things as software with zero bugs or humans with zero faults."
Dirk Schrader, global vice president for security research at the security firm New Net Technologies, says building adequate security protections into Windows is difficult.
Microsoft's promise that key security features, such as hardware-based isolation, encryption and malware prevention, will be turned on by default may sound like "problem solved," he says. "Quite likely, it isn't solved, as the operating system Windows is a complex behemoth, with many non-Microsoft developers doing development their way regardless of any recommendation by Microsoft."