Analysis

As it rolled out the laundry list of new features in Windows 11, version 22H2 this week, Microsoft also unveiled the configuration baseline that systems will have to meet to take advantage of the latest security capabilities.
The changes in the latest release of the security configuration baseline touch on a range of areas: hardware, which Microsoft has increasingly emphasized in recent years; drivers and printers; and protections against credential theft and account lockout.
Included among the new features is Kernel Mode Hardware Enforced Stack Protection, which uses the CPU's shadow-stack support to keep return addresses on kernel stacks from being tampered with. Rick Munck, cloud security solution architect at Microsoft, stressed its dependency on hypervisor-protected code integrity (HVCI), also known as memory integrity. HVCI takes Kernel Mode Code Integrity (KMCI), a feature introduced with Vista that ensures drivers, OS files, and similar code have been signed and are trusted, and runs it inside the isolated Virtualization-based Security (VBS) environment instead of inside the Windows kernel.
This protects the kernel from attacks that target components such as drivers: KMCI checks that kernel code hasn't been tampered with before it runs, and because that check now lives outside the kernel, HVCI ensures that only validated code is executed in kernel mode even if the kernel itself is under attack.
Munck wrote in a blog post that Kernel Mode Hardware Enforced Stack Protection, which can be used with Windows 11 version 22H2 and above, provides additional security to the kernel code.
Along with HVCI, the feature also requires a CPU with hardware shadow-stack support: Intel's “Tiger Lake” (11th-generation Core, first launched in 2020) or later, or AMD's Zen 3 or later chips.
“There shouldn’t be any issues as long as enterprises are following the baselines but, if the organization deviates from HVCI, then Kernel Mode Hardware Enforced Stack Protection cannot be enabled,” Munck wrote. “If the hardware platform does not support it, then no enforcements are enabled. While compatibility concerns are unlikely, customers are encouraged to test compatibility to ensure an incompatible driver doesn’t lead to instability.”
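The dependency chain Munck describes (VBS running, then HVCI running, then Kernel Mode Hardware Enforced Stack Protection running) can be checked from an elevated PowerShell session. The following is an added example, not code from the article or from Microsoft's baseline tooling. It assumes the `Win32_DeviceGuard` CIM class and its documented `SecurityServicesRunning` codes (2 for HVCI; the code 6 for kernel shadow stacks is assumed from Microsoft's documentation for 22H2), the policy value name `ConfigureKernelShadowStacksLaunch` written by the "Turn On Virtualization Based Security" policy, and the `KernelShadowStacks` scenario key the OS populates when the feature is enabled; confirm all three against your build before relying on them.

```powershell
# Added example (not from the article or Microsoft's tooling): report where a Windows 11 22H2
# host sits on the VBS -> HVCI -> Kernel-mode Hardware-enforced Stack Protection chain.
# Assumptions: Win32_DeviceGuard code 2 = HVCI, code 6 = kernel shadow stacks;
# policy value ConfigureKernelShadowStacksLaunch (1 = on with UEFI lock, 2 = on without lock);
# scenario key ...\DeviceGuard\Scenarios\KernelShadowStacks with DWORD Enabled.
# Run from an elevated PowerShell prompt.

function Get-KernelStackProtectionStatus {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard

    # VirtualizationBasedSecurityStatus: 0 = not enabled, 1 = enabled but not running, 2 = running
    $vbsRunning  = ($dg.VirtualizationBasedSecurityStatus -eq 2)
    $hvciRunning = ($dg.SecurityServicesRunning -contains 2)
    $kssRunning  = ($dg.SecurityServicesRunning -contains 6)   # assumption: 6 = kernel shadow stacks

    # What the baseline GPO asked for (assumed value name, see lead-in)
    $policy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard' `
                               -ErrorAction SilentlyContinue
    $policyValue = $policy.ConfigureKernelShadowStacksLaunch

    # What the OS actually enabled at boot (assumed scenario key, see lead-in)
    $scenario = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\KernelShadowStacks' `
                                 -ErrorAction SilentlyContinue

    # Mirrors Munck's point: without HVCI the feature cannot be enabled at all; with HVCI
    # but no running protection, the likely causes are a CPU without shadow-stack support
    # or an incompatible driver that kept the feature from starting.
    $verdict = if (-not $hvciRunning)  { 'HVCI not running: stack protection cannot be enabled' }
               elseif ($kssRunning)    { 'Kernel-mode Hardware-enforced Stack Protection active' }
               elseif ($policyValue)   { 'Policy set but not running: check CPU support and driver compatibility' }
               else                    { 'Not configured' }

    [pscustomobject]@{
        VbsRunning                = $vbsRunning
        HvciRunning               = $hvciRunning
        KernelShadowStacksPolicy  = $policyValue
        KernelShadowStacksEnabled = [bool]$scenario.Enabled
        KernelShadowStacksRunning = $kssRunning
        Verdict                   = $verdict
    }
}

Get-KernelStackProtectionStatus | Format-List
```

Running this before and after applying the baseline is a cheap way to spot the case Munck warns about: a fleet that looks compliant at the policy layer but on which the protection never actually started on older hardware.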
Software alone won’t cut it
The feature is part of a larger push Microsoft has been making for several years to more tightly integrate hardware and software security capabilities. In a lengthy report on Windows 11 security features, first issued last year and updated this week to coincide with the 22H2 release, Microsoft highlighted the work it has done with chipmakers and system makers to drive Windows 11 security in such areas as root of trust, silicon-assisted security, and Secured-core PCs.
“Today’s ever-evolving threats require strong alignment between hardware and software technologies to keep users, data, and devices protected,” the report’s authors wrote. “The operating system alone cannot protect from the wide range of tools and techniques cybercriminals use to compromise a computer.”
In a tweet, David Weston, vice president of enterprise and OS security at Microsoft, pointed to a number of security updates in the report, including Pluton, a security processor designed with chip makers and integrated into the CPU itself, which provides greater protection for encryption keys than a discrete chip. It provides the functions of a Trusted Platform Module (TPM) and leaves room for further Pluton firmware and OS features to be added via updates. Pluton is available with select Windows 11 PCs.
A hardware and software approach to security is important for any company, but particularly Microsoft, according to Darryl MacLeod, vCISO at Lares Consulting.
“Their products are used by billions of people around the world, making them a prime target for attackers,” MacLeod told The Register. “By offering both hardware and software security solutions, Microsoft can provide a more comprehensive level of protection for its customers by minimizing the overall attack surface.”
Time to get on base
For the security configuration baseline, Microsoft also included new settings to protect printers used by enterprises, such as Redirection Guard, which stops the print spooler from following file-system redirections (such as junctions) it has not authorized, and the ability to configure the spooler's remote procedure calls (RPC) over TCP so that incoming and outgoing connections default to a dynamic TCP port.
In addition, other new features are designed to protect enterprises that continue to lean on usernames and passwords for Windows authentication. The features aim to keep enterprise credentials from being used for unintended or malicious purposes and log related user activity in the Microsoft Defender for Endpoint portal.
“Because this is an end-user option, the security baseline enforces enablement of the service (the Service Enabled setting) to ensure that the enterprise credentials used in the system are appropriately monitored and audited,” Munck wrote. “Based on Microsoft Defender SmartScreen’s robust security infrastructure, when a user enters their credentials into a known phishing or malicious site, the service alerts the user as illustrated below. In this scenario, the setting Notify Malicious is set to Enabled.”
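The print and credential-protection settings described above are ordinary policy values, so a host can be audited (and, if you choose, brought into line) without waiting for a full baseline import. The following is an added example, not code from the article or from the Security Compliance Toolkit. The registry paths and value names are assumptions taken from the corresponding Group Policy settings (Printers: "Configure Redirection Guard" and "Configure RPC over TCP port"; Windows Defender SmartScreen: Enhanced Phishing Protection "Service Enabled" and "Notify Malicious"); confirm them against the toolkit's own policy reports before enforcing them.

```powershell
# Added example (not part of the article or Microsoft's toolkit): audit the baseline
# print and Enhanced Phishing Protection settings on a Windows 11 22H2 host, and
# optionally write the expected values. Paths and value names are assumptions
# derived from the Group Policy settings named in the lead-in. Run elevated.

$BaselineChecks = @(
    @{ Name     = 'Print: Redirection Guard enabled'
       Path     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
       Value    = 'RedirectionguardPolicy'; Expected = 1 }   # assumed: 0 off, 1 enforce, 2 audit
    @{ Name     = 'Print: RPC over TCP uses a dynamic port'
       Path     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\RPC'
       Value    = 'RpcTcpPort'; Expected = 0 }               # assumed: 0 = dynamic port
    @{ Name     = 'Phishing protection: service enabled'
       Path     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WTDS\Components'
       Value    = 'ServiceEnabled'; Expected = 1 }
    @{ Name     = 'Phishing protection: notify on malicious site'
       Path     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WTDS\Components'
       Value    = 'NotifyMalicious'; Expected = 1 }
)

function Test-BaselineSetting {
    param([hashtable]$Check, [switch]$Remediate)

    $item   = Get-ItemProperty -Path $Check.Path -Name $Check.Value -ErrorAction SilentlyContinue
    $actual = if ($null -ne $item) { $item.($Check.Value) } else { $null }   # $null = not configured
    $ok     = ($actual -eq $Check.Expected)

    if (-not $ok -and $Remediate) {
        if (-not (Test-Path $Check.Path)) { New-Item -Path $Check.Path -Force | Out-Null }
        New-ItemProperty -Path $Check.Path -Name $Check.Value -PropertyType DWord `
                         -Value $Check.Expected -Force | Out-Null
        $actual = $Check.Expected
        $ok     = $true
    }

    [pscustomobject]@{
        Setting   = $Check.Name
        Expected  = $Check.Expected
        Actual    = $actual
        Compliant = $ok
    }
}

# Audit only; add -Remediate to the call inside ForEach-Object to enforce the values.
$results = $BaselineChecks | ForEach-Object { Test-BaselineSetting -Check $_ }
$results | Format-Table -AutoSize

if ($results.Compliant -contains $false) {
    Write-Warning 'Host deviates from the baseline for one or more of the settings above.'
}
```

Writing the values directly is fine for a lab box; on managed fleets prefer the baseline's GPO or Intune profile so that the setting is reapplied if a local administrator changes it, and check the Defender for Endpoint portal to confirm that phishing-protection events are actually arriving once `ServiceEnabled` is on.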
Organizations can download the Microsoft Security Compliance Toolkit to test the configurations and customize them as needed. ®