In today's rapidly evolving digital landscape, the emergence of new security risks requires organizations to adopt robust security measures. One model gaining importance is the zero-trust security model, based on the principle that no person or device is granted access until its safety and integrity have been verified. Windows 11 is built on the principles of zero trust, offering a platform that enables hybrid productivity and new types of experiences without compromising security. This article delves into the built-in security features of Windows 11, explaining how they can enhance organizational security at no additional cost. The article has 2 parts: in the first part we dive into application, identity, and password security features, and in the second part we look at hardware and memory protections.
Windows Hello for Business
Phishing is still the most popular attack method, alongside stolen credentials. This is one of the reasons phishing-resistant authentication had to be developed. An example is Windows Hello for Business, which provides enhanced security through phish-resistant two-factor authentication and built-in brute-force protection, as well as certificate-based authentication, conditional access policies, and enterprise-grade security and management. Windows Hello for Business can also be used to sign in to supported websites, which reduces the need to remember multiple complex passwords.
Windows Hello for Business is considered two-factor authentication based on the authentication factors: something you have, something you know, and something you are.
The two-factor authentication of Windows Hello for Business is created by combining a device-specific credential with a biometric or PIN gesture. This credential is tied to your identity provider, such as Entra ID or Active Directory, and can be used to access apps, websites, and services.
Smart App Control
Supply chain attacks or ordinary software downloads can introduce malware to devices, which can circumvent traditional security solutions such as signature-based anti-malware. Microsoft introduced a feature which analyses each application and compares it against a cloud database to determine its reputation. If an application is known to be safe, it is allowed to run. If the application is considered unsafe or malicious, Windows prevents it from running. If the application is not in the cloud database, or the device is offline and cannot reach the cloud database, Windows uses the application's signature as a secondary means of validation: if the signature is valid, the application is allowed to run; if the application is unsigned or the signature is not valid, the application is prevented from running.
Smart App Control has 3 operational modes: On, Off and Evaluation. Smart App Control can only be turned On on a fresh installation of Windows 11. If Smart App Control is turned Off, the only way to turn it on again is by reinstalling Windows 11. When Windows 11 is freshly installed, Smart App Control runs in Evaluation mode to determine whether the device is a good fit for it, based on the applications in use. If Windows determines that Smart App Control would interfere with regular use, it automatically turns the feature off; otherwise it is eventually enabled automatically.
There is one important downside to Smart App Control, apart from the fact that it only works on fresh installations of Windows 11: there is no override. If Windows determines that an application is malicious and blocks it, the block cannot be removed.
Turning Smart App Control off is a permanent action which cannot be reversed without resetting or reinstalling Windows 11.
Although Smart App Control takes Windows security to the next level, I would still recommend that enterprise environments use AppLocker or Windows Defender Application Control policies, which give administrators more freedom. For enterprise-managed devices, Smart App Control is automatically turned off unless the user has turned it on first.
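Because the three modes above matter for whether any of the cloud or signature checks actually apply, an administrator will want to read the current mode before relying on it. The following PowerShell is an added example, not code from the article or from Microsoft; it assumes the mode is exposed by the registry value VerifiedAndReputablePolicyState under HKLM\SYSTEM\CurrentControlSet\Control\CI\Policy, with 0 = Off, 1 = On and 2 = Evaluation, which you should confirm on your own build.

```powershell
# Added example: report the Smart App Control mode of the local Windows 11 device.
# Assumption: the mode lives in the registry value below (0 = Off, 1 = On, 2 = Evaluation).
function Get-SmartAppControlState {
    [CmdletBinding()]
    param()

    $keyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Policy'
    $valueName = 'VerifiedAndReputablePolicyState'

    $item = Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # Builds that never ran Evaluation mode (e.g. upgraded installs) may lack the value.
        return [pscustomobject]@{ RawValue = $null; Mode = 'Unknown'; Enforcing = $false }
    }

    $raw  = [int]$item.$valueName
    $mode = switch ($raw) {
        0       { 'Off' }
        1       { 'On' }
        2       { 'Evaluation' }
        default { "Unrecognized ($raw)" }
    }

    [pscustomobject]@{
        RawValue  = $raw
        Mode      = $mode
        Enforcing = ($raw -eq 1)   # only mode 1 actually blocks untrusted apps
    }
}

$state = Get-SmartAppControlState
$state | Format-List

# Off is permanent: the article notes it cannot be re-enabled without a reset or reinstall.
if ($state.Mode -eq 'Off') {
    Write-Warning 'Smart App Control is Off on this device and cannot be re-enabled in place.'
}
```

Run it in an elevated or standard PowerShell session on the device; reading the key does not require administrator rights.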
Microsoft Defender SmartScreen
Earlier we saw how endpoint devices are protected when applications are run. Now let's look at how endpoint devices can be protected from malware downloaded from the internet, and how users can be protected from being tricked by phishing attacks into visiting malicious websites.
Microsoft Defender SmartScreen can protect users from accessing potentially malicious websites. This is done in 2 steps, depending on the level of confidence:
First, a website is analyzed for indications of suspicious behavior. If the website is determined to be suspicious, Microsoft Defender SmartScreen shows a warning page advising caution.
Second, the website is checked against a dynamic list of phishing sites and malicious software sites. If a match is found, Microsoft Defender SmartScreen shows a warning informing the user that the site might be malicious.
Similar protective measures are taken for file downloads, before the download starts:
First, the file is checked against a list of reported malicious software sites and unsafe programs. If a match is found, a warning is shown informing the user that the site might be malicious.
Second, the file is checked against a list of files that are well known and frequently downloaded. If the file is not on the list, a warning advising caution is shown.
Microsoft Defender SmartScreen is a very good out-of-the-box solution for all Windows 11 devices, as it adequately protects devices and users from phishing attacks, malware and potentially unwanted applications (PUAs) by analyzing files before they are downloaded and URLs before they are accessed.
Microsoft Defender SmartScreen also supports enterprise management, either via GPO or MEM. Company administrators can configure the settings more strictly so that users cannot bypass Microsoft Defender SmartScreen warnings, further enhancing the security of the organization.
Phishing Protection
Passwords are still the weakest link in identity security, as they can be phished. Another superb feature of Microsoft Defender SmartScreen is Enhanced Phishing Protection, which prevents you from entering your work or school account password (credentials) into a malicious site. If such an action occurs, it will also ask you to change the password, as it was potentially compromised.
If you reuse your credentials on other sites or apps, Enhanced Phishing Protection will warn you and prompt you to change your password.
A similar warning, as seen in the photo below, is shown if you type your credentials into an application such as Notepad or a Microsoft 365 Office application.
Enhanced Phishing Protection adds an additional layer of protection to Windows identities, making it more difficult for them to be phished or compromised.
The solution can be managed both via GPO and MEM.
In today's fast-changing digital world, keeping our data safe from new online dangers is extremely important. Windows 11 is all about making sure our computers stay safe while we work and play. We've covered the first part of how Windows 11 keeps us safe, looking at things like keeping bad applications out and making sure that our identities are not compromised. Next up, we'll dig into how Windows 11 protects our computer's insides, like its hardware and memory. Stick around to learn more about how Windows 11 keeps us safe from cyber trouble while we use our computers every day.
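The two "can be managed via GPO and MEM" statements above (SmartScreen bypass prevention and Enhanced Phishing Protection) are easier to act on with a concrete check. The following PowerShell is an added example, not the article's or Microsoft's code; it assumes the GPO-backed registry locations under HKLM\SOFTWARE\Policies\Microsoft\Windows\System (SmartScreen for Explorer) and HKLM\SOFTWARE\Policies\Microsoft\Windows\WTDS\Components (Enhanced Phishing Protection), and the value names listed in the baseline, which you should confirm against the ADMX templates on your build.

```powershell
# Added example: audit a device against a "users cannot bypass" SmartScreen / EPP baseline
# and optionally enforce it. Paths and value names are assumptions; verify them in your ADMX.
$Baseline = @(
    [pscustomobject]@{ Path='HKLM:\SOFTWARE\Policies\Microsoft\Windows\System';          Name='EnableSmartScreen';     Expected=1 },
    [pscustomobject]@{ Path='HKLM:\SOFTWARE\Policies\Microsoft\Windows\System';          Name='ShellSmartScreenLevel'; Expected='Block' },  # Block removes "Run anyway"
    [pscustomobject]@{ Path='HKLM:\SOFTWARE\Policies\Microsoft\Windows\WTDS\Components'; Name='ServiceEnabled';        Expected=1 },        # EPP on
    [pscustomobject]@{ Path='HKLM:\SOFTWARE\Policies\Microsoft\Windows\WTDS\Components'; Name='NotifyMalicious';       Expected=1 },        # password typed into malicious site
    [pscustomobject]@{ Path='HKLM:\SOFTWARE\Policies\Microsoft\Windows\WTDS\Components'; Name='NotifyPasswordReuse';   Expected=1 },        # password reused elsewhere
    [pscustomobject]@{ Path='HKLM:\SOFTWARE\Policies\Microsoft\Windows\WTDS\Components'; Name='NotifyUnsafeApp';       Expected=1 }         # password typed into Notepad/Office
)

function Test-PhishingProtectionBaseline {
    param([array]$Rules = $Baseline)
    foreach ($rule in $Rules) {
        $actual = (Get-ItemProperty -Path $rule.Path -Name $rule.Name -ErrorAction SilentlyContinue).($rule.Name)
        $status = if ($null -eq $actual)                        { 'NotConfigured' }   # policy absent: user can bypass
                  elseif ("$actual" -eq "$($rule.Expected)")    { 'Compliant' }
                  else                                          { 'Weak' }            # e.g. Warn instead of Block, or 0
        [pscustomobject]@{ Setting = $rule.Name; Expected = $rule.Expected; Actual = $actual; Status = $status }
    }
}

$report = Test-PhishingProtectionBaseline
$report | Format-Table -AutoSize

# Enforce: write every non-compliant value. Requires elevation; remove -WhatIf to apply for real.
foreach ($row in ($report | Where-Object Status -ne 'Compliant')) {
    $rule = $Baseline | Where-Object Name -eq $row.Setting
    if (-not (Test-Path $rule.Path)) { New-Item -Path $rule.Path -Force -WhatIf }
    $type = if ($rule.Expected -is [int]) { 'DWord' } else { 'String' }
    New-ItemProperty -Path $rule.Path -Name $rule.Name -Value $rule.Expected -PropertyType $type -Force -WhatIf
}
```

On domain- or Intune-managed devices the Policies hive is re-applied by GPO/MEM, so make the baseline change there rather than relying on the local write to persist.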