Remember back in 2015 when Microsoft ‘developer evangelist’ Jerry Nixon now famously stated that “Windows 10 is the last version of Windows” at the Microsoft Ignite conference that year? If not, maybe you recall how the company called it “the most secure Windows ever” just before it launched that same year? Guess what? The first statement hasn’t aged well, with Windows 11 now looking likely for release in October.
Microsoft is also beating the Windows 11 security drum and beating it hard by talking up how it features the strongest protection against malware yet. However, it’s the claim that Windows 11 will “raise the security baseline” to protect against ransomware that has got many infosecurity professionals scratching their collective heads.
The great Windows 11 TPM kerfuffle
Before we get to the Windows 11 ransomware red herring, let’s deal with the security stink that has been wafting around social media and tech forums since the hardware requirements for running the next-generation Windows operating system were revealed, shall we?
Yes, I’m talking about the great TPM kerfuffle. The Trusted Platform Module (TPM) is a hardware requirement for running Windows 11, specifically TPM 2.0, which replaced the previous TPM 1.2 standard in 2019, hence the online anger over needing to upgrade your computer to upgrade the OS.
An uproar that isn’t totally justified, as Chester Wisniewski, a principal research scientist at Sophos, says: “TPM 2.0 is available to almost all hardware at no real cost these days as it has been built into nearly all Intel and AMD processors for many years now.”
What’s more, if you have a TPM 1.2 chip, this can likely be upgraded to TPM 2.0 by way of a firmware update from the computer vendor at no cost, rather than requiring a new hardware module to be purchased and installed.
Although Microsoft has, for the moment, withdrawn its Windows 11 compatibility checker, which proved somewhat controversial because of the lack of detailed information it gave users, it’s easy enough to find out whether you have the TPM 2.0 component required to run Windows 11. Open Device Manager, expand the ‘Security devices’ category and you’ll see a TPM entry if you have one.
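For readers who would rather script the check than click through Device Manager, here is an added example (not from the article) that reports the pieces discussed on this page: TPM presence and spec version, Secure Boot state and whether the OS drive is BitLocker-protected. It assumes an elevated PowerShell session on Windows 10 or 11 and the built-in TrustedPlatformModule, SecureBoot and BitLocker modules; the 2.0 spec-version string and the edition-dependent availability of BitLocker are the only assumptions beyond what the page states.

```powershell
# Added example, not code from the article. Reports the hardware root-of-trust
# state that Windows 11 relies on. Run from an elevated PowerShell prompt.

function Get-RootOfTrustReport {
    $report = [ordered]@{}

    # TPM presence and readiness as seen by the TPM driver stack (Get-Tpm).
    try   { $tpm = Get-Tpm -ErrorAction Stop } catch { $tpm = $null }
    $report.TpmPresent = [bool]($tpm -and $tpm.TpmPresent)
    $report.TpmReady   = [bool]($tpm -and $tpm.TpmReady)

    # Win32_Tpm exposes SpecVersion as a comma-separated string whose first
    # field is the TPM specification family, e.g. "2.0, 0, 1.38" or "1.2, 2, 3".
    # Only a leading "2.0" meets the Windows 11 requirement the article describes.
    try {
        $wmiTpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                                  -ClassName Win32_Tpm -ErrorAction Stop
    } catch { $wmiTpm = $null }
    $specVersion = if ($wmiTpm) { ($wmiTpm.SpecVersion -split ',')[0].Trim() } else { $null }
    $report.TpmSpecVersion = $specVersion
    $report.TpmIs20        = ($specVersion -eq '2.0')

    # Secure Boot: Confirm-SecureBootUEFI throws on legacy BIOS machines,
    # which is itself the answer (no UEFI, so no Secure Boot).
    try   { $report.SecureBoot = [bool](Confirm-SecureBootUEFI -ErrorAction Stop) }
    catch { $report.SecureBoot = $false }

    # BitLocker status of the OS volume. The BitLocker module is absent on
    # Windows Home editions (the gap the article quotes Wisniewski on), so a
    # missing cmdlet is reported as "not encrypted" rather than as an error.
    try {
        $osVol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop
        $report.OsDriveEncrypted = ($osVol.ProtectionStatus -eq 'On')
    } catch { $report.OsDriveEncrypted = $false }

    [pscustomobject]$report
}

$r = Get-RootOfTrustReport
$r | Format-List
if (-not $r.TpmIs20) {
    Write-Warning 'No TPM 2.0 reported: the Windows 11 hardware requirement is not met.'
}
if (-not $r.SecureBoot) {
    Write-Warning 'Secure Boot is off or unavailable: boot-time integrity checks are not enforced.'
}
if (-not $r.OsDriveEncrypted) {
    Write-Warning 'OS drive is not BitLocker-protected: data on lost or discarded hardware is readable.'
}
```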
What does a TPM do?
As to what it does, here’s how David Weston, the director of enterprise and OS security at Microsoft, described TPM, “Its purpose is to help protect encryption keys, user credentials, and other sensitive data behind a hardware barrier so that malware and attackers can’t access or tamper with that data.” This is something already available to Windows 10 Professional users, of course, with the TPM being required to use BitLocker for full disk encryption.
“On the assumption that Windows 11 will be using full disk encryption by default utilizing the TPM,” Wisniewski says, “this is important for security as used, discarded or stolen hardware is largely unencrypted due to Microsoft not including BitLocker in Windows Home.” Wisniewski sees this as a giant win. Corey Nachreiner, the chief security officer at WatchGuard Technologies, agrees. “TPM use benefits home users, and overall improves their device security,” he says, “by providing a secure enclave for lots of private info like security keys and certificates. This provides a way to create a hardware boot process that is secure from the start, making sure to validate the integrity of the operating system as it loads.”
Secure Boot and other security use cases TPMs offer restrict what types of attacks might work and, Nachreiner says, “will make things harder for the cybercriminal adversary.” However, he also points out that it is not a panacea. “While it improves the security of a device, some attacks and malware still work fine on TPM protected systems.”
The Windows 11 ransomware red herring
This is where the ransomware red herring enters stage left. As Nachreiner says, Secure Boot makes it harder for an attacker to modify the OS or tamper with specific system files. However, it certainly doesn’t prevent all malware or ransomware from getting on your computer and working.
“It does make certain malicious persistence techniques harder,” Nachreiner confirms, “preventing some, but I think it would be false to say TPMs prevent all malware and ransomware.”
While Microsoft’s David Weston didn’t claim as much, he did write that “PCs of the future need this modern hardware root-of-trust to help protect from both common and sophisticated attacks like ransomware and more sophisticated attacks from nation-states.”
This has, perhaps predictably, set the infosec cats amongst the marketing pigeons. “Microsoft’s public justification for the move to TPM 2.0 is a distraction,” says Mario Santana, a security fellow for threat research at Appgate. TPM is, Santana insists, a very poor fix for the ransomware threat.
“I can’t think of a single ransomware attack that would have been prevented by today’s common use cases for TPM,” Santana says, concluding that “there’s an argument to be made that a vendor-controlled desktop experience could reduce some ransomware, but ransomware isn’t a very big problem at the consumer level where this kind of vendor-controlled experience is more palatable.”
Martin Jartelius, the chief security officer at Outpost24, told me that Microsoft would not be limiting their potential install base unless they had good reasons for their decision. “It’s more likely associated with the licensing bits than the security bits at this point,” Jartelius argues, adding that “a hardware-based root of trust versus the existing PKI infrastructure with certification would not add to the ransomware solution in a significant manner.”
Sure, detecting when system integrity has been compromised and booting into a quarantined state triggered by the TPM can possibly help mitigate some ransomware. But, as Michael Barragry, operations lead at Edgescan, says, “while this example describes how TPM might help against ransomware in a booting up scenario, it’s unclear if there’s any TPM-dependent defensive process that will kick in during a live scenario such as where the user has just inadvertently downloaded malware.”
More a marketing pitch than a ransomware panacea?
Aaron Cockerill, chief strategy officer at Lookout, calls it more of a blue goldfish than a red herring. “Hardware Root of Trust can ensure the integrity of the operating system and a secure boot process,” Cockerill says, “this prevents some ways that ransomware could attack a machine, but not all. TPMs are a ‘necessary but not sufficient’ measure that removes some attack surfaces for ransomware, but it’s not a complete guarantee against any particular form of attack, including ransomware.”
What it will do, of course, is help with the Windows 11 marketing effort. “The mention of ransomware protection in today’s climate is certainly going to capture users’ attention and be a significant selling point for businesses already fearing the crippling threat of ransomware against their organization,” says Natalie Page, threat intelligence analyst at Talion.
When it comes to ransomware protection, the Windows 11 TPM argument would require levels of adoption that are not, in my never humble opinion, realistic. Robert Golladay, a director at Illusive, agrees. “If Windows 11 and TPM adoption rates are similar to Windows 10 adoption from Windows 7,” Golladay says, “it will take years for sufficient coverage to drive improved security posture.” In the meantime, security teams must continue to improve their security processes and controls to mitigate the impact of human-operated ransomware attacks, he insists.
As John Bambenek, a threat intelligence advisor at Netenrich, concludes, “Microsoft is trying to use ransomware, a threat this defense won’t stop, as a way to justify what probably is a good security move generally; but one everyone else but Microsoft is going to have to pay for. The move, however, isn’t really going to stop the most relevant attacks for most consumers or enterprises. TPM 2.0 isn’t going to stop the frequent malicious use of PowerShell that is killing us all right now…” Dirk Schrader, global vice-president of security research at New Net Technologies (NNT), says that “pushing this ‘security story’ is, at least in parts, a deviation from other security issues still lurking in Microsoft’s family of products and an attempt to convince consumers to upgrade fast.”
Windows 11 is incrementally upping the security game for all
Look, I’m all in favor of incrementally upping the security game, and Microsoft is doing that here. What’s more, these security measures aren’t just for the enterprise but will benefit home users as well. That’s all a very good thing. Will Windows 11 be the end of malware, ransomware and the rest? Hell no, but it is another move in the right direction. Just don’t think that ‘the most secure Windows yet’ will be a panacea to all security woes; the vulnerabilities will keep coming just as they did when the last ‘most secure Windows yet’ was launched. As Sgt. Phil Erasmus used to say in Hill Street Blues (am I showing my age here?), “let’s be careful out there.”