Windows 11 security improves and joins Zero Trust

Sergio de los Santos    18 April, 2022
Person working on Windows 11 computer

Windows 11 has just announced, despite already being on the market since October 2021, its improvements in cybersecurity. We are going to analyse the new functionalities, some of them old and even known, but applied by default or substantially improved.

Of course, the overall strategy had to be based on the fashionable concept of Zero Trust and hybrid work in several layers, and this is how they have organised it. Let’s analyse them roughly as there are not yet too many technical details known.

Screenshot - Image: Zero Trust Approach in Windows 11
Image: Zero Trust Approach in Windows 11

Hardware: Pluto

Pluto is a processor solely dedicated to security and is embedded in Qualcomm and AMD Ryzen versions. That is, a TPM directly in the processor that stores e.g., BitLocker or Hello ID keys. What is it for and how does it improve on current TPMs? The fact that it is embedded prevents someone from physically opening the device and “sniffing” from the bus the information that travels from the TPM to the processor.

After all, as complicated as it sounds, it is possible to trap BitLocker passwords by connecting a piece of hardware to the processor and reading this traffic with a certain program. In fact, during the official presentation of the functionality, there is a quite practical demonstration of the attack process.

Computer hack - The attack to get the BitLocker password of a computer to which you have physical Access
The attack to get the BitLocker password of a computer to which you have physical Access

Windows 11 does not work without TPM devices, but now it can also benefit from that TPM on the processor itself. In addition, Pluto’s firmware will be controlled by Windows’ own updates. Indeed, it will be made open source so that it can be used by other operating systems.

Config Lock

Config Lock is simple to explain. In MDM-managed systems, there was already Secured-Core PC (SCPC), a configuration that allowed the device to be controlled and managed by administrators in companies. Using Config Lock, there will be no window of opportunity between the time of a user-perpetrated change to a security setting and the enforcement of the security policy imposed by the administration.

If the user disables any security system, it will immediately revert back to the site as configured by the policy designer. The configuration is thus “locked” and does not need to wait even minutes for it to be reversed.

Personal Data Encryption

An interesting new feature. It basically encrypts files over BitLocker, with a layer of encryption that is also invisible to the user. But the user does not have to remember or execute anything to decrypt his data but can access the data without any problems when logging in with Hello in Windows. If the user has not logged into Windows with Hello, the files will be encrypted and cannot be accessed. What is this for?

As the example in the presentation says, it prevents attacks that bypass the lock screen through direct access attacks to unprotected DMA memory. An attacker who has not authenticated to the system through the “usual” channels, but has bypassed the lock screen, will not be able to access the files thanks to PDE.

One layer above BitLocker’s cold encryption is PDE for hot encryption. The PDE password is not known to the user, it is simply erased from memory when the system is locked and decrypted when unlocked with the usual login. It would also serve as additional security if the attacker bypasses BitLocker. It seems to clash or overlap somewhat with the EFS functionality.

How is this implemented? If the attacker tries to log in without being authenticated as a user (by bypassing the lock screen or mounting the disk on another computer), a closed lock would appear on the files and a message prohibiting access would appear.

Screenshot - File cannot be accessed thanks to PED
File cannot be accessed thanks to PED

Smart App Control

SAC seems very much oriented towards checking the signature and certificates of the manufacturer of the binaries. It will try to determine if it is correct (with its valid and correct certificate), before even going through Windows Defender to add an extra layer of security. SAC is AI-based, which implies telemetry. Microsoft seems to be moving towards requiring by default that programs are signed or downloaded from a trusted repository, as MacOS or Android already do.

It improves the usual SmartScreen where Windows, thanks to its telemetry, tells you whether an app is legitimate or not. It also improves AppLocker which is more static. SAC will be based on AI hosted in the cloud, learning from the user. In fact, for those who want to activate it, it requires a reinstallation of the system so that it can learn from the beginning what programs are common on that computer.

Screenshot - Smart App Control -- Smart App thinks the application is untrustworthy and sends you to the official Store
Smart App thinks the application is untrustworthy and sends you to the official Store

Enhanced phishing protection for Microsoft Defender

This is perhaps one of the most interesting measures. SmartScreen has so far, via the browser (or in professional versions, by other means) protected the system from a malicious URL, or a suspicious domain. Just for the sake of comparison. Now it goes further, and Windows protects passwords on several levels, always watching where they are used or sent. Whether it is a visible URL, an internal URL (to which URL they travel) or even if they are stored insecurely.

On the one hand, it observes the network connections in any application (including Teams) and if it concludes that the password travels to a domain that it should not, it alerts the user, even if it is not the main URL of the domain being visited. The image shows how a page pretending to be the Office login embedded in TEAMS is actually (the connection is highlighted in the Fiddler sniffer) carrying the Office password to another domain.

Screenshot - Process of detecting that the password travels somewhere else it shouldn't
Process of detecting that the password travels somewhere else it shouldn’t

However, it goes further. If you happen to store passwords in a TXT file in Notepad, you will be alerted to the error. Even worse, if you reuse a password known to the operating system (in the picture, for example, on LinkedIn), it will also alert you to the problem it could pose.

This way, Windows as an operating system does not treat the password as just another string but knows it at all levels and monitors it throughout its use within the operating system. Could it lead to false positives with password storage apps?

SCreenshot - Alerts when reusing the password on Linkedin and when storing it in a TXT
Alerts when reusing the password on Linkedin and when storing it in a TXT

All these options can be disabled by the user.

Screenshot Windows 11 phishing protection (options)
How to activate or deactivate these functions

Windows 11 also enables by default VBS, or virtualisation as a security feature. Since the inclusion in 2008 of Hiper-V, Microsoft’s software that takes advantage of the native virtualisation capabilities of Intel and AMD processors, this functionality has been targeted to improve security. In fact, this strategy is called Virtualization-Based Security or VBS. It focuses on virtualising memory to isolate processes from each other as much as possible.

If an attacker tries to exploit a flaw in the kernel and is operating from there, an even higher (or lower, depending on how you look at it) abstraction with even more power than the kernel would be available, which would allow preventing processes or access to certain resources even when the attacker already has powers in the ring0. Hence its usefulness. This is implemented with hypervisor-protected code integrity (HVCI) which would prevent injecting dynamic code into the kernel (as Wannacry did).

In turn, this will allow the Credential Guard (not new, but underutilised) and LSASS protection to work directly, so that it does not load unsigned code into this crucial process, which is also an old acquaintance (RunAsPPL in the registry, basically a protection against Mimikatz). All of these, despite being already known, will be enabled as standard in Windows 11.

Leave a Reply

Your email address will not be published.