Let Windows 11 excel for IT Security

August 9

Lennert Hut

Online Marketer

When it comes to ease of use, Windows 11 appears to be a bull's eye for Microsoft. But in 2022 it also has to hold its own against all threats in the field of IT Security. For this, Windows 11 works in partnership with your hardware. What does it get you and what do you need? We figured it out with our Solution Partner Acronis.

Windows 11 focuses more than ever on working and communicating securely via the operating system. Will it succeed? The answer to that question is not a simple one. We'll give it to you in advance: provided that Windows 11 has been professionally installed in the right environment and with the right specifications, this new operating system provides you with a good basis for IT Security. That is easy to say, but more difficult to achieve. Take the following advice to heart, and Windows 11 becomes a dependable factor in the security of your company network.

Contemporary software, contemporary hardware

Windows 11 can be secure in itself, but if it's installed in an insecure environment, you get nowhere. It's like buying new batteries for a broken flashlight: you have spent more money, but you are no better off. And Windows 11 has quite a few hardware requirements to keep IT Security in order. For example, you need a new CPU with virtualization extension, Secure Boot-capable UEFI firmware and a TPM 2.0 security chip. That is a whole laundry list of technical terms, with one important message: current, updated software alone will not help you without secure hardware.

In the Center: The CPU for Windows 11

The most important requirements for Windows 11 to function safely are placed on the CPU. Windows requires at least an advanced 64-bit processor with 1 GHz speed and at least two extra cores. Good examples today are an Intel processor of the 8th generation and AMD Zen 2 or a Qualcomm 7 or 8 series.

With this hardware you can work securely in the cloud without any hiccups or showstoppers. But above all, it reserves some of the memory, separate from the operating system. If you are attacked, this reduces the chance that malicious parties can immediately break into your operating system. In IT this is called Virtualization-based Security (VBS). In collaboration with Windows 11, you can count on the following measures for extra IT Security:

Kernel Data Protection (KDP): With VBS, a portion of the kernel in your PC is marked as read-only. The kernel is an essential part of your device; it manages applications and controls data processing at the hardware level. Examples are disk management, load balancing and memory management. So it is indispensable, and essential to keep out of the line of fire.

Application Guard uses VBS to create temporary virtual environments, so that you can use important files from Office in online tools and on websites, and vice versa without risk. In the event that you load untrusted content into your system at an unguarded moment, the damage can be limited.

Credential Guard is an operating system feature that restricts all personal information to system software with appropriate permissions. It prevents theft of this data and identity theft.

Finally, Windows Hello Enhanced Sign-in Security uses VBS to protect credentials and restrict them from other devices. For example, to prevent your fingerprint from being stolen for misuse by others.

Is that it? Certainly not. Outside of VBS, you can count on the following collaborations between Windows 11 and your hardware:

TPM – Trusted Platform Module 2.0

Windows 11 also requires hardware that works with Trusted Platform Module 2.0, which is responsible for encryption. A demanding job that requires a lot of capacity and also a safe, secluded environment. Furthermore, it calls for Unified Extensible Firmware Interface (UEFI) to replace the old BIOS.

The TPM boots your device and prepares the operating system for you. TPM ensures that this is done as safely as possible and that you only use authorized firmware and software. Untrusted copies from shady downloads are asking for trouble, also at startup.

In this regard it is also good to mention Microsoft Pluton. This security processor comes exclusively from Microsoft, but will appear in all kinds of places in the future. Pluton, for example, will be fitted to CPUs from Intel, AMD and Qualcomm. This gives it a wide reach. The security processor is designed for trouble-free operation with Microsoft software and provides security between the hardware and Microsoft software.
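The hardware prerequisites discussed so far (virtualization support for VBS, Secure Boot-capable UEFI and a TPM 2.0 chip) can be verified on a device from an elevated PowerShell prompt. The script below is an added example, not part of the original article or of any vendor tooling; the function name `Get-Win11SecurityBaseline` and the report field names are assumptions chosen for illustration.

```powershell
# Added example: audits the hardware-backed security prerequisites named in this article.
# Run elevated: Get-Tpm and the TPM WMI class require administrator rights.

function Get-Win11SecurityBaseline {          # hypothetical helper name
    $report = [ordered]@{}

    # TPM: presence and readiness from Get-Tpm, spec version from Win32_Tpm.
    $tpm = Get-Tpm
    $report.TpmPresent = $tpm.TpmPresent
    $report.TpmReady   = $tpm.TpmReady
    $spec = (Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                 -ClassName Win32_Tpm -ErrorAction SilentlyContinue).SpecVersion
    # SpecVersion is a comma-separated string; the first field is the spec family.
    $report.TpmSpec20 = [bool]($spec -and ($spec -split ',')[0].Trim() -eq '2.0')

    # Secure Boot: the cmdlet throws on legacy BIOS systems, so an error counts as "off".
    try   { $report.SecureBoot = [bool](Confirm-SecureBootUEFI -ErrorAction Stop) }
    catch { $report.SecureBoot = $false }

    # VBS and the services built on it, from the Device Guard WMI class.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
              -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    # AvailableSecurityProperties: 1 = hypervisor support available on this hardware.
    $report.HypervisorSupport = ($dg.AvailableSecurityProperties -contains 1)
    # VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but not running, 2 = running.
    $report.VbsRunning = ($dg.VirtualizationBasedSecurityStatus -eq 2)
    # SecurityServicesRunning: 1 = Credential Guard.
    $report.CredentialGuardRunning = ($dg.SecurityServicesRunning -contains 1)

    [pscustomobject]$report
}

$baseline = Get-Win11SecurityBaseline
$baseline | Format-List

# List every check that came back false so it can be followed up.
$failed = $baseline.PSObject.Properties |
    Where-Object { -not $_.Value } | ForEach-Object Name
if ($failed) { Write-Warning "Not satisfied: $($failed -join ', ')" }
```

A device can report `HypervisorSupport` as true while `VbsRunning` is false; that means the hardware is capable but VBS has not been switched on in policy or firmware.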

With all this hardware and Windows 11 you are in possession of adequate Zero Trust security. But that does not guarantee that malicious parties will not invade your system after all. More measures have been taken to prevent intrusion into the entire company network. One of them is worth mentioning.

Hardware-enforced stack protection (HSP)

Hardware-enforced stack protection recognizes and stops attacks that use code execution. Code that is executed in the memory stack - the current command list - is given a green or red signal by HSP. Is the output different than expected? Then it is very possible that the code has been hijacked, and its execution is blocked.

Finally, Windows 11 builds in Microsoft Azure Attestation (MAA). The platform for seamless and secure working in the cloud uses Azure Attestation to authorize devices to use Azure online.

The most important question: do these modern measures keep malicious parties out of Windows 11? In part, for sure. For the full 100%? We have yet to meet the first software producer who claims that. You can get close, under these conditions:

  • Are you updating your operating system? Include your hardware as well and have an IT partner check whether you are fully up to date under the hood.
  • It concerns hardware and software on your device. But your device is in turn connected to a (company) network. You may have put hardware and software in order. But what about the IT Security of the entire company network? IT Security stands or falls with the strength of the weakest link.
  • Windows 11 and the right hardware are just the starting point. Is the environment in order today? Then tomorrow it will no longer be 100% protected against all spam, phishing and viruses that are not yet known but have just been put online. IT Security partners such as Acronis are closely monitoring all these new threats online.
  • Closing gaps sometimes also has to be done retroactively. Even in Windows 11! That's because during its development, vulnerabilities from Windows 10 were sometimes transferred one-to-one to Windows 11. You have to know how to find them in order to close them.
  • If things go wrong, you will also need a solution for, for example, data backup. In addition, you do not want IT Security measures to make your company network unwieldy and unworkable. You can also contact Aumatics for this. We combine IT Security, for example, with workload management from our solution partner Acronis.