Windows 11: why new security features are enabled by default – ZDNET

On Monday, alongside the launch of many new Copilot+ computers, Microsoft announced new security features for Windows 11.

“We didn’t just integrate new security features into Windows 11, we have also strengthened the security features that will be enabled by default,” the company explained in a blog post.

This is based on Microsoft’s own research: the number of password attacks has increased by 3,378% since 2015, to more than 4,000 per second.

Hardware improvements

That’s why Microsoft is improving hardware security “out of the box” by ensuring that all Copilot+ computers are Secured-core PCs, according to the press release. “Secured-core PCs offer advanced firmware protection and a dynamic root of trust for chip-to-cloud protection.”

Return of Pluton

New computers will also ship as standard with Pluton, the security processor aimed at Zero Trust enterprises. Pluton protects identities, personal data and encryption keys, which, according to Microsoft, “makes it significantly more difficult to remove, even if a cyber attacker installs malware or physically owns the PC.”

Windows Hello Enhanced Sign-in Security replaces passwords with biometrics

In addition, new Copilot+ computers will ship with Windows Hello Enhanced Sign-in Security (ESS), which replaces passwords with biometrics. It does so with the help of specialized hardware and software, such as:

  • Virtualization-Based Security (VBS) – an isolated virtual environment that protects security solutions from operating system vulnerabilities
  • The Trusted Platform Module 2.0

If you don’t plan to get a Copilot+ PC, ESS is also available on other Windows 11 devices.

Software update

Microsoft is enabling several new Windows 11 features by default, rather than leaving each user to take their own security initiatives. These include anti-malware protections, credential protection, and application protection, which Microsoft says reduced incidents by 58%, according to a 2022 report.

Multi-factor authentication is no longer enough to defeat cyber attackers

According to the announcement, multi-factor authentication is no longer enough to defeat cyber attackers. Microsoft is addressing this issue with several updates, including Local Security Authority (LSA) protection. LSA authenticates users and manages single sign-on (SSO) credentials. LSA protection “prevents LSA from loading untrusted code and prevents untrusted processes from accessing LSA memory.” In addition:

  • LSA protection, previously only enabled by default for professional devices, is now enabled by default for consumer devices.
  • Microsoft will also remove NT LAN Manager (NTLM), an outdated authentication protocol known for its vulnerabilities, later this year.
  • In addition, the company uses VBS to improve key protection and strengthen Windows Hello.

Windows Hello can now protect keys and isolate credentials from “administrator-level attacks” for devices that don’t have built-in biometrics.

Key Protection is now available in public preview for Windows Insiders.

Improved application controls

Microsoft also announced new features to improve application security for Windows developers. Smart App Control uses an artificial intelligence model trained on 78 trillion security signals to predict whether an app is safe. Available on some systems and enabled by default, this feature allows apps to run while blocking those linked to malware.

Another feature, Trusted Signing, allows an app to stay in good standing with Smart App Control through updates by “managing all aspects of the certificate’s lifecycle,” the release explains. Recently released to public preview, this feature also integrates with Azure DevOps and GitHub.

Win32 Application Isolation is also available in preview. It allows app developers to limit damage and protect privacy. This feature can now be used with Visual Studio.

In addition, Microsoft is improving administrator protection by reducing the scope of administrator rights granted on devices. If an app requires certain permissions, for example, this feature will ask the user for specific approval, and Windows Hello makes it easy to approve or deny requests.

“Windows is being updated to require administrative access to the kernel and other critical services as needed, not all the time, and certainly not by default,” the company said in a statement. This feature is in private preview, but Microsoft says it will soon be expanded to public preview.

The company also announced that VBS Enclaves, which help protect sensitive workloads, are now available to third-party application developers, who can try them out via the Enclave API.

Reinforced code

Microsoft also announced that it is hardening Windows code. WPP – Windows Protected Print mode – which prevents third parties from loading printer drivers, will now be the default mode on devices.

The company is also improving tooltips. “Responsibility for managing the tooltip lifecycle has been transferred to the application in use,” the statement said. “The kernel now monitors cursor activity and starts a countdown to show and hide tooltip windows. At the end of these countdowns, the kernel notifies the user environment to generate or remove a tooltip window.”

Microsoft also announced that TLS (Transport Layer Security) server authentication, which confirms the server’s identity to the client, will be strengthened. Windows will now only trust TLS certificates with RSA keys of 2048 bits or higher, as opposed to the weaker 1024-bit RSA keys that the software previously accepted by default.

Improvements for business customers

The company has also made updates specifically for business users, in particular:

New: Config Refresh

Config Refresh allows administrators to “set a schedule for devices to reapply policy settings without needing Microsoft Intune or other mobile device management vendors, ensuring that settings remain as configured by the administrator,” the blog post reads.

By default the refresh runs every 90 minutes, but it can be set to 30-minute intervals, and it can be paused during maintenance or troubleshooting periods.

All or nothing firewall access

The Windows Firewall Configuration Service Provider (CSP) now enforces rule blocks using an all-or-nothing approach.

“If the CSP previously encountered a problem applying a rule in a block, it would not only stop that rule, but also stop processing subsequent rules, leaving a potential security hole with partially deployed rule blocks,” the blog explains. “Now, if a rule in a block cannot be successfully applied to a device, CSP will stop processing subsequent rules and all rules in the same block will be rolled back, eliminating the ambiguity of deployed rule blocks.”
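To make the difference concrete, here is an added example (not Microsoft's code, and not the CSP's real implementation) that models both behaviours described in the quote: the legacy path stops at the first failing rule and keeps whatever was already applied, while the atomic path rolls the whole block back. The rule names, the "invalid port" failure condition and the sample block are constructed for illustration; the point is that a half-applied block can leave the allow rules in place while the block rules that were meant to accompany them never land.

```python
"""
Added example (not Microsoft's or the Firewall CSP's code): models legacy
partial application of a firewall rule block versus the new all-or-nothing
application with rollback. Rule names and failure condition are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    name: str
    direction: str          # "in" or "out"
    action: str             # "allow" or "block"
    port: Optional[int]     # constructed: an out-of-range port makes the rule fail to apply


class Device:
    """Toy stand-in for the device's active firewall rule set."""

    def __init__(self) -> None:
        self.active: List[Rule] = []

    def apply(self, rule: Rule) -> None:
        # Constructed failure condition: a rule with an invalid port cannot be applied.
        if rule.port is None or not 0 < rule.port < 65536:
            raise ValueError(f"{rule.name}: invalid port {rule.port}")
        self.active.append(rule)

    def remove(self, rule: Rule) -> None:
        self.active.remove(rule)

    def active_names(self) -> List[str]:
        return [r.name for r in self.active]


def apply_block_legacy(device: Device, block: List[Rule]) -> List[str]:
    """Old behaviour: stop at the first failure but keep the rules already applied."""
    applied: List[str] = []
    for rule in block:
        try:
            device.apply(rule)
            applied.append(rule.name)
        except ValueError:
            break               # subsequent rules are never processed
    return applied


def apply_block_atomic(device: Device, block: List[Rule]) -> List[str]:
    """New behaviour: any failure rolls back every rule of this block."""
    applied: List[Rule] = []
    for rule in block:
        try:
            device.apply(rule)
            applied.append(rule)
        except ValueError:
            for done in reversed(applied):
                device.remove(done)
            return []           # nothing from this block remains on the device
    return [r.name for r in applied]


# Constructed sample block: two allow rules, a mistyped block rule (port 445000),
# and a block rule that the legacy path never reaches.
SAMPLE_BLOCK: List[Rule] = [
    Rule("allow-https-out", "out", "allow", 443),
    Rule("allow-dns-out", "out", "allow", 53),
    Rule("block-smb-out", "out", "block", 445000),   # typo in the port, fails to apply
    Rule("block-rdp-in", "in", "block", 3389),
]


if __name__ == "__main__":
    legacy = Device()
    print("legacy applied:", apply_block_legacy(legacy, SAMPLE_BLOCK))
    print("legacy device state:", legacy.active_names())
    atomic = Device()
    print("atomic applied:", apply_block_atomic(atomic, SAMPLE_BLOCK))
    print("atomic device state:", atomic.active_names())
```

Run as a script, the legacy path leaves the two allow rules active and silently drops both block rules, which is the "partially deployed rule block" the quote refers to; the atomic path leaves the device exactly as it was, so an administrator sees a clear failure rather than an ambiguous half-state.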

New for personal data encryption

Finally, Personal Data Encryption (PDE) only decrypts data when the computer is unlocked using Windows Hello for Business. Currently in preview, this feature maintains two levels of data protection and works alongside BitLocker.

Zero Trust DNS, currently in private preview, ensures that Windows devices only connect to approved network destinations and blocks other outgoing IPv4 and IPv6 traffic.
