As Microsoft rolled out a list of the latest features in Windows 11 version 22H2 this week, it also unveiled a baseline of configurations that systems should meet to benefit from the latest security features.
In addition to credential theft protection and account lockout protection, the new version's security configuration baselines cover changes in several areas, including hardware, which Microsoft has been focusing on increasingly of late, as well as drivers and printers.
New features include kernel-mode hardware-enforced stack protection, and Microsoft cloud security architect Rick Munck emphasized its reliance on Hypervisor-Protected Code Integrity (HVCI), also known as memory integrity. HVCI runs Kernel Mode Code Integrity (KMCI), a feature introduced in Vista that ensures drivers, operating system files and similar code are signed and trusted, inside a secure virtualization-based environment rather than in the Windows kernel itself.
This protects the kernel from attacks that target components such as drivers: KMCI checks that every piece of kernel-mode code has not been tampered with before it executes, and HVCI ensures that only verified code runs in kernel mode.
Kernel-mode hardware-enforced stack protection is available for Windows 11 version 22H2 and later and provides additional protection for kernel code, Munck wrote in a blog post.
In addition to HVCI, the feature requires systems to run on Intel's "Tiger Lake" CPUs (first introduced in 2020) or AMD's Zen 3 or newer chips.
"As long as the organization adheres to the baseline, there should be no issues, but when an organization deviates from HVCI, kernel-mode hardware-enforced stack protection will not be enabled," Munck wrote. "If the hardware platform doesn't support this, enforcement will not be enabled. While compatibility issues are unlikely, customers are encouraged to check compatibility to ensure that incompatible drivers don't cause instability."
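To make the dependency Munck describes concrete, here is an added PowerShell check (not from Microsoft's post or from the baseline itself) that reads the Win32_DeviceGuard WMI class to see whether VBS and HVCI are running, and reads the kernel shadow-stack policy value; the registry path used for that value is an assumption, as is the interpretation that the setting is only effective when HVCI is running.

```powershell
# Added check script (not Microsoft's code). Reports whether the prerequisites
# the baseline describes are met on this host: HVCI (memory integrity) running
# and kernel-mode hardware-enforced stack protection configured.
# Run in an elevated PowerShell on Windows 11 22H2 or later.

$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                      -ClassName Win32_DeviceGuard

# SecurityServicesRunning / SecurityServicesConfigured:
# 1 = Credential Guard, 2 = HVCI (memory integrity).
$hvciConfigured = $dg.SecurityServicesConfigured -contains 2
$hvciRunning    = $dg.SecurityServicesRunning    -contains 2
# VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but not running, 2 = running.
$vbsRunning     = $dg.VirtualizationBasedSecurityStatus -eq 2

# ASSUMPTION: policy location for kernel-mode hardware-enforced stack protection.
$ksPath    = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\KernelShadowStacks'
$ksValue   = Get-ItemProperty -Path $ksPath -Name Enabled -ErrorAction SilentlyContinue
$ksEnabled = ($null -ne $ksValue) -and ($ksValue.Enabled -eq 1)

# The CPU generation is a requirement too (Tiger Lake / Zen 3 or newer per the
# article); the script only reports the model so an admin can compare it.
$cpu = (Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1).Name

[pscustomobject]@{
    Processor                    = $cpu
    VbsRunning                   = $vbsRunning
    HvciConfigured               = $hvciConfigured
    HvciRunning                  = $hvciRunning
    KernelShadowStacksConfigured = $ksEnabled
    # The dependency Munck describes: without HVCI the shadow-stack
    # setting is present but has no effect.
    ShadowStackEffective         = ($hvciRunning -and $ksEnabled)
} | Format-List
```

A host reporting HvciRunning as False with KernelShadowStacksConfigured as True is exactly the deviation the baseline author warns about: the setting is deployed but not enforced.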
Software alone won't work
The feature is part of a larger effort Microsoft has been working on for years to integrate hardware and software security features more tightly. In a lengthy report published over the past year discussing the security features of Windows 11 22H2, updated this week to coincide with the release of the new version, Microsoft highlighted how it is working with chipmakers and system makers to improve Windows 11 security in areas such as hardware root of trust, silicon-assisted security, and secured-core PCs.
"At this juncture, evolving threats require tight integration between hardware and software to protect customers, data and devices," the report's authors wrote. "Operating systems alone cannot defend against cybercriminals and the number of tools and techniques used to break into computers."
In a tweet, David Weston, vice president of enterprise and OS security at Microsoft, pointed to several of the security updates in the report, including Pluton, a security processor developed with chipmakers that provides stronger protection for encryption keys by keeping them on the chip. It integrates the features of Microsoft's Trusted Platform Module (TPM) while leaving room to add other Pluton firmware and operating system features via updates. The Pluton chip ships with select Windows 11 PCs.
According to Darryl MacLeod, vCISO at Lares Consulting, hardware and software security policies are critical for any organization, but especially for Microsoft.
"Their products are used by billions of people around the world, making them prime targets for attackers," MacLeod told The Register. "By providing security features for both hardware and software, Microsoft is able to give its customers more comprehensive protection by minimizing the overall attack surface."
Time to baseline
For the security configuration baseline, Microsoft has also added new settings to protect printers used by companies, such as connections that use dynamic TCP ports by default.
In addition, other new features have been developed to protect organizations that continue to rely on usernames and passwords for Windows authentication. These features are designed to prevent corporate credentials from being used for accidental or malicious purposes, and they log related user activity in the Microsoft Defender for Endpoint portal.
"As this is the end user's choice, the security baseline enforces activation of the service (the 'Service Enabled' setting) to ensure that corporate credentials used on the system are properly monitored and audited," Munck wrote. "The service is based on the robust security infrastructure of Microsoft Defender SmartScreen, which alerts users when they enter their credentials on a known phishing or malicious website, as shown below. In this case, the Notify Malicious option will be enabled as well."
Organizations can download the baseline files from the Microsoft Security Compliance Toolkit to review the configurations and make changes as needed.
Microsoft relies on hardware/software duo to keep Windows 11 secure