Microsoft amps up focus on Windows 11 security to address evolving cyberthreats
Ahead of its Build conference this week, Microsoft announced a series of enhancements to Windows 11 aimed at making it more secure against a more intimidating, varied, and AI-enabled threat landscape.

In a blog post detailing the enhancements, David Weston, Microsoft’s vice president of enterprise and OS security, pointed out that in 2015, the company detected around 115 password attacks per second. Today, there are more than 4,000.

“This landscape requires stronger and more comprehensive security approaches than ever before, across all devices and technologies we use in our lives, both at home and at work,” he wrote.

Here is a look at some of the new and upcoming ways Microsoft is helping IT organizations combat those threats.

Security in Copilot+ PCs

On Monday the company announced that its new Copilot+ PCs will be secure-cored PCs, providing firmware protection and dynamic root-of-trust measurement. The Microsoft Pluton security processor, which stores sensitive data such as encryption keys in isolation from the rest of the system, will be enabled by default.

The Copilot+ PCs will also ship with Windows Hello Enhanced Sign-in Security, announced last October, which uses specialized hardware and software to better protect users’ authentication data.

Mark Tauschek, vice president of research fellowships and distinguished analyst at Info-Tech Research Group, sees the new class of Windows computers leveraging Copilot as a logical next step for Microsoft, especially given the rise of AI-enabled attacks.

“The only way to defend against AI-enabled attacks is with AI-enabled defenses,” he said. “Leveraging OpenAI in Azure and now Copilot, it’s only logical that Microsoft scales this to the edge using Copilot and task-specific small language models (SLMs) paired with the plethora of incredibly powerful ARM, x86, and GPU processors.”

But the proof will be in Microsoft’s execution — and iteration — of its Copilot+ strategy, Tauschek said, and CISOs would be wise to introduce the PCs gradually.

“IT security leaders will undoubtedly need to evaluate the Copilot+ PCs,” he said. “They will be manageable using existing Windows management tools, but until they are used and tested in the organization’s environment, the magnitude of benefits will be unclear. I would expect rapid iterations and improvements on the software and OS side in order to leverage the power of the hardware. Nobody will be going all-in on these PCs out of the gate, but I expect a lot of interest in proof of concept and small-scale test deployments. Over time, it will likely become the standard as PC refresh cycles allow.”

Software and OS protection

Removing legacy weaknesses is another way in which Microsoft is improving security with its latest round of announcements. For example, NT LAN Manager (NTLM), a network authentication and security protocol dating from 1993 that still ships in Windows, will be deprecated later this year. In addition, Transport Layer Security (TLS) server authentication certificates, which verify a server’s identity, will no longer be trusted by the Microsoft Trusted Root Program if the RSA keys in their chain to a root are shorter than 2048 bits.
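A check an administrator might run ahead of that change, added here and not part of the article or of Microsoft’s own tooling: it walks every certificate in a store up to its root and reports any RSA key in the chain below the 2048-bit threshold. The store path and threshold are assumptions exposed as parameters.

```powershell
# Added example: find RSA keys shorter than 2048 bits anywhere in the chain of
# each certificate in a store. Defaults assume the machine's personal store,
# where TLS server certificates are usually installed.
function Get-WeakRsaChainLinks {
    param(
        [string]$StorePath = 'Cert:\LocalMachine\My',
        [int]$MinimumBits  = 2048
    )
    foreach ($leaf in Get-ChildItem -Path $StorePath) {
        $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
        # We want the chain contents even when revocation checks cannot complete offline.
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        [void]$chain.Build($leaf)
        foreach ($element in $chain.ChainElements) {
            $cert = $element.Certificate
            # GetRSAPublicKey returns $null for non-RSA keys (e.g. ECDSA), which are out of scope.
            $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
            if ($null -ne $rsa -and $rsa.KeySize -lt $MinimumBits) {
                [pscustomobject]@{
                    LeafSubject = $leaf.Subject
                    WeakSubject = $cert.Subject
                    KeyBits     = $rsa.KeySize
                    NotAfter    = $cert.NotAfter
                    Thumbprint  = $cert.Thumbprint
                }
            }
        }
        $chain.Dispose()
    }
}

$weak = Get-WeakRsaChainLinks
if ($weak) {
    $weak | Sort-Object LeafSubject, KeyBits | Format-Table -AutoSize
} else {
    Write-Output 'No RSA key shorter than 2048 bits found in any certificate chain.'
}
```

Run it against `Cert:\LocalMachine\Root` and `Cert:\LocalMachine\CA` as well to catch weak roots and intermediates that no installed leaf currently chains through.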

For services requiring high security, reliability, and performance, Microsoft is adding virtualization-based security (VBS) to create an isolated secure environment to protect keys; the feature is now in preview. VBS is also used to isolate Windows credentials if a device doesn’t have built-in biometrics. VBS enclaves are now available to third-party developers.

Malicious applications are a perpetual threat to Windows systems, so Microsoft has introduced additional features to help users avoid them. Smart App Control has been enhanced with AI learning to predict whether an app is safe. “The policy keeps common, known-to-be-safe apps running while unknown, malware-connected apps are blocked,” Weston wrote in his blog.

Because a great deal of malware arrives in unsigned apps, Microsoft has also developed Trusted Signing, now in public preview. The feature manages all aspects of the app certificate lifecycle, and integrates with GitHub and Azure DevOps.

Also in preview is Win32 app isolation, a new feature that, according to Weston, “makes it easier for Windows app developers to contain damage and safeguard user privacy choices in the event of an application compromise. Win32 app isolation is built on the foundation of AppContainers, which offer a security boundary, and components that virtualize resources and provide brokered access to other resources — like printer, registry, and file access.”

Enterprise security enhancements

Microsoft is adjusting how admin users are managed as well. Because most Windows users have full administration rights, everything they do has access to the kernel and other critical services, allowing malware to do its worst. Microsoft is updating Windows to offer administrative access to critical services only just in time, when it is needed. If an app needs special advanced permissions, Windows will ask the user whether to grant those rights, and Windows Hello will let them approve or deny the request. The change is currently in private preview, and will soon be available in public preview.

Finally, Microsoft is adding a series of features specifically designed for commercial customers.

  • Config Refresh automatically reapplies policy settings every 90 minutes by default, or can be set to do so as frequently as every 30 minutes.
  • The Firewall Configuration Service Provider (CSP) has been altered to enforce an all-or-nothing approach to firewall rules. If an issue with a rule in an atomic block prevents its execution, the CSP won’t process subsequent rules in that block, and will roll back all rules from the block. Previously, a failed rule would cause CSP to just bypass subsequent rules in the block, leaving it partially deployed and potentially creating a security gap.
  • Personal Data Encryption (PDE) complements BitLocker’s volume level protection, encrypting data while a PC is locked, and only decrypting it when the machine is unlocked using Windows Hello for Business. Developers can use its API to protect app content. It is currently in preview.
  • Zero Trust DNS will only allow Windows devices to connect to approved network destinations by domain name. Outbound IPv4 and IPv6 traffic will be blocked unless a trusted, protected DNS server has resolved it, or an IT admin has created an exception. This feature is now in private preview. Weston’s advice to admins: “Plan now to avoid blocking issues by configuring apps and services to use the system DNS resolver.”

Info-Tech’s Tauschek noted that all this is likely just the beginning.

“In the blog post announcement, Microsoft has a large section entitled, ‘Stay ahead of evolving threats with Windows,’ where it discusses evolutionary upgrades and advancements on the security front,” he said. “While expected, Microsoft will have to stay ahead of the revolutionary threat landscape. What I mean is that there will be revolutionary advances by the bad guys, so the good guys need to be prepared with revolutionary threat mitigation advances.”

According to Tauschek, much of that will depend on what Copilot and enhanced PC hardware can do together to anticipate and mitigate those threats.

“I think we’ll see the most interesting features in the coming months, just as we did with Copilot in the months following its launch,” he said.
