Windows 11 security: Is it good enough?

Are Windows 11’s security and antivirus tools good enough to safeguard you from all of today’s threats? “I don't think so,” say the experts in IT security. Windows 11 antivirus will not protect your devices from all potential threats and unexpected events. It may be the most secure version of the Windows Security app, but it is not capable to protect you from all threats. Luckily, we have the best solutions available on the market for solving this problem 

Acronis Cyber Protect Home Office is the ultimate threat protection for your business. With its countless security tools, safety features and innovations that not only protects you from malicious software, but also gives you full threat protection, because threats are real and they are waiting just behind the corner — preparing for the right moment to strike.

A lot has already been written about Windows 11, the latest operating system from Microsoft, which the software giant is calling “the most secure Windows yet.” However, as many in the tech world have been quick to point out, most PCs currently running Windows don't support the advanced system requirements for the new operating system (OS). As per latest surveys, the number of threats continues to rise on a daily basis, which is a concern for everyone using Windows 11, where they don’t feel protected enough by the provided Windows security settings. Despite the fact that Microsoft releases constant updates for their Windows security software — like implementing exploit protection and a TPM chart for preventing unauthorized users from accessing your encryption keys — the same way Windows device security should constantly update and develop increasingly better protection services, so that users can feel protected and confident about their most precious asset — their data. Because, we all know that the basic protection Windows security already features is not enough to cover all risks and potential threats.

To take full advantage of Windows security enhancements, PCs must be equipped with an ultra-modern CPU with virtualization extensions, Secure Boot-capable UEFI firmware, and an advanced TPM 2.0-compatible security chip. These and other restrictions ensure support for a plethora of cybersecurity features that make Windows 11 much more resilient than its predecessors. However, they also ensure that most organizations will take their time upgrading their systems.

To effectively analyze the pros and cons of upgrading to Windows 11, you'll need to understand what Windows security software is included and available. How are these Windows security features facilitated by the new hardware and software requirements? And what will be the impact of the updated security and firewall settings to ensure protection — not only from malicious code, but full protection from all the constant, unwanted and unpredictable threats waiting to strike.

Among the more onerous mandates for upgrading to Windows 11 are the CPU requirements. Windows 11 requires an advanced 64-bit, 1 GHz processor with virtualization extensions and two or more cores (e.g., 8th generation Intel processor, AMD Zen 2, or Qualcomm 7 or 8 Series). These specs enable Windows 11 to take full advantage of the Windows security feature known as virtualization-based security (VBS).

Using hardware virtualization Windows features, VBS creates a virtual machine and isolates a secure petition of memory from the rest of the system settings of the OS to manage sensitive data or processes. This isolation limits the degree to which a given hack or exploit can compromise the system's other security settings.

“While we are not requiring VBS when upgrading to Windows 11, we believe the security benefits it offers are so important that we wanted the minimum system requirements to ensure that every PC running Windows security software can meet the same security the United States Department of Defense (DoD) relies on. In partnership with our OEM and silicon partners, we will be enabling VBS and HVCI on most new PCs over this next year. And we will continue to seek opportunities to expand VBS across more systems over time.”

• Kernel Data Protection (KDP), for example, uses VBS to mark parts of the Windows kernel as read only, ensuring that drivers and software running in the Windows kernel (i.e., the OS code itself) cannot be tampered with.
• Application Guard uses VBS to create disposable virtual environments (containers) in which users can interact with websites or Microsoft Office apps and files that have not been explicitly whitelisted. This ensures that untrusted content loaded via Microsoft Edge, Internet Explorer or Microsoft Office remains isolated from the host operating system and enterprise data — limiting the damage that any infected content can cause while surfing or using your online accounts.
• Credential Guard is a Windows security system feature that isolates Windows NTLM, Kerberos credentials, and other secrets in a VBS-protected environment, ensuring that only privileged system software can gain access. This feature helps protect your system from credential theft attacks like pass the ticket (PtT) and pass the Hash (PtH).
• Similarly, Windows Hello Enhanced Sign-In Security uses VBS to isolate and protect the authentication data (including biometrics) used to sign in to a given device — ensuring that the data can only be accessed through Windows security processes running in the VBS environment. It also supports the creation of secure pathways for authentication data that is provided via external components (e.g., a fingerprint sensor or camera).

In addition to processor requirements, Windows 11 requires a TPM chip for managing cryptographic keys as well as protecting the firmware and OS of your personal computer. The Trusted Platform Module (TPM) provides hardware-level anti-tamper protection for sensitive operations such as key generation, encryption, and system boot. The TPM specification 2.0 version is embedded in all Windows 11 supported CPUs and features some important enhancements for Windows security.

United Extensible Firmware Interface (UEFI) comes in place of the traditional Legacy BIOS. This programmable boot environment initializes devices and starts the OS bootloader. PCs with UEFI 2.3.1 and a TPM chip also support Secure Boot, a feature that checks all code that runs before the operating system is loaded, as well as the OS bootloader's digital signature. All Windows 11 machines come with UEFI Secure Boot fully enabled from the get go — ensuring that authorized firmware and software with trusted digital signatures alone can execute during the boot process, and can protect the system against both boot kits and rootkits.

Windows 11 is the first OS to support Microsoft Pluton, the new Microsoft-designed and updated security processor that will be embedded in future Intel, AMD and Qualcomm CPUs for Windows PCs. Pluton implements end-to-end Windows security that is authored, maintained and updated by Microsoft, and will be integrated with the standard Windows Update process, providing tighter and more secure integration with the OS at the hardware level. This integration helps remediate a physical vulnerability of current TPM implementations, wherein attackers in possession of a device can still target the communication channel between the CPU and TPM to steal or modify information in transit.

These Windows 11 requirements ensure support for a number of advanced Windows security technologies like device encryption. Some, like UEFI Secure Boot, are enabled by default in any Windows 11 installation, facilitating out-of-the-box zero trust protection

Hardware-enforced stack protection (HSP) is a feature that helps identify and shut down exploits that work by hijacking an application's code execution flow. HSP allows applications to use the local CPU hardware to protect the (memory) stack — where the code is stored in runtime — against modification. This is accomplished by comparing the application's call stack against a shadow stack (a hardware-secured record of the app's normal code execution flow). If stack integrity has been compromised, the process will be terminated.

While this feature has been available since March 2020 (at least in developer builds), the shadow stack mechanism is available only on certain advanced chipsets, such as those required by Windows 11, ensuring better Windows security and more widespread adoption on the new OS.

Device health and network protection is assured with Windows 11, thanks to features such as UEFI Secure Boot and Kernel Data Protection. As such, the OS also ensures out-of-the-box support for remote device attestation; that is, remote verification that any Windows devices connecting to your network are indeed trustworthy, so you need the best network protection and Windows security out there. Attestation establishes trust by validating the identity and integrity of essential hardware and software components. The remote attestation method provides relying parties with a verifiable, unbiased and tamper-resilient device report about a remote peer.

Microsoft Azure Attestation (MAA) is a prime example of a remote attestation service that can be used to review Windows device health comprehensively, which can be executed and scanned offline. And you can use this information to enforce conditional access to cloud-based application location services and data via Azure Active Directory.

Microsoft has taken great strides to ensure that its new OS is secure out of the box, by the Windows Security software. The necessary security-focused hardware, supporting features such as VBS and UEFI Secure Boot, may yet enable built-in antivirus in Windows 11 to totally neutralize entire classes of malware attacks and ensure full ransomware protection against rootkits and return-oriented programming (ROP) attacks. Another useful application of the Windows Security app is Defender SmartScreen, which protects also against phishing and malware websites for potentially malicious files.

However, most Windows users continue to work with older machines. Some of them use a virtual private network as a guarantee for stronger protection when connecting a device and the internet. Many of those users are already eager to try out Windows security features of the new operating system and may not fully understand that the new Windows 11 security enhancements go hand in hand with the new hardware restrictions, so the chance for malicious apps and malware attacks increases greatly. Some may even be considering bypassing the system requirements, as in this way, they will not receive even the basic virus threat protection, which can lead to catastrophic consequences. Yet users (or IT admins) who install Windows 11 while bypassing the hardware requirements or otherwise disabling important Windows security features are consequently losing out on many of the platform's security benefits and antivirus tools.

Moreover, keep in mind that many of the attack vectors addressed by your current cybersecurity strategy are not specifically addressed by the Microsoft services new security features in Windows 11. Cybercriminals are constantly seeking out new vulnerabilities and creating new malware and other exploits, some of which will still work fine on TPM protected systems, such as phishing. Despite the fact that Windows 11 has a virus and thread protection software that executes periodically deep scans that will detect threats automatically, it is not a bad idea to execute a manual scan once in a while. This becomes even more important when you consider that — notwithstanding the influx of new technologies implemented in Windows 11 — Microsoft is still obligated to continue supporting numerous legacy applications in Windows security, like Security Boot listed on the device security page, which has been created to prevent malware from attacking the boot process. All you have to do is to enable secure boot and execute it safely. Windows 11 also provides backwards compatibility and improved security. Consequently, it's reasonable to expect that many previously unreported vulnerabilities affecting Windows 10 may also apply to Windows 11 (as was in fact revealed in one recent patch update).

There’s a survey that 80% of Windows users are still using only passwords, instead of using much safer biometric authentication like fingerprint and facial recognition in their Microsoft account, where you can also find and enable dynamic locks used to automatically lock your PC when you leave with your smartphone in hand. Also, if you want to connect any bluetooth device to your PC, you can still use the dynamic lock for all connected devices. All these useful applications of Windows security can be found in the sign-in options settings of your administrator account, where you can manage and change system settings, if needed, by your choice. There is another great application for browser control, if you want to stay safeguarded by the Windows Security app while online, storing files, and browsing the internet. On the other hand, it is very important to use password manager when you need to log into an existing or new account. Thus, you will generate unique and strong passwords for every website you log into.

Windows security is not enough to keep hackers at bay, despite the reputation-based protection, and that is a concern, because thus you can experience software or hardware failure at any moment. IT experts advise everyone to change your account password at least twice a year, and always have a special symbol in all your passwords, for increased sign-in security.

Another great bit of advice is to open the Windows Security app and carefully browse the settings app, and look at the encryption mode, in case you want to encrypt your most precious data with a password. In case you forget your password, it’s important to create a recovery key. You can also see detailed information about other useful tools and choosing where to give app permissions, for the best possible security of your primary account or standard account.

When all is said and done, the new Windows security features are absolutely a step in the right direction. Moreover, Microsoft seems to be addressing newly reported issues fairly quickly. That said, individuals, organizations and managed service providers (MSPs) will discover that they can achieve efficient Windows security and virus threat protection only with solutions that are developed by cybersecurity vendors like Acronis, because the Microsoft Defender antivirus cannot cover all the threats out there. Focused on integrating data protection, cybersecurity and workload management, Acronis' solutions prevent modern cyberthreats — including zero-day attacks — and enable Windows security administrators to recover data, applications and systems via a single platform. So, you can be completely confident about all your online accounts and devices being secured continuously.

Whether you are an at-home user, business or a service provider, Acronis offers the best cybersecurity protection on the market today. Its solutions include:

For at-home users: Acronis Cyber Protect Home Office offers everything an at-home user needs to safeguard their PC or Mac and backup data, making it more resilient to today's threats — from disk failures to ransomware attacks, and thus will make your operating systems safeguarded from these unexpected events. Thanks to its unique integration of backup and cybersecurity in one, it saves time and reduces the cost, complexity and risk caused by managing multiple point solutions.

For businesses: Acronis Cyber Protect offers businesses a cyber protection solution that natively integrates cybersecurity, business data backup and workload management to protect endpoints, systems and data. By integrating data protection with cybersecurity, your business can eliminate complexity, deliver better protection against today's threats, and maximize efficiency by saving time and money.

For service providers: Acronis Cyber Protect Cloud unites cloud backup and recovery, next-generation anti-malware and workload management in one solution. Integration and automation provide unmatched ease for MSPs — reducing complexity while increasing productivity and decreasing operating costs.