Windows 11 22H2 adds kernel exploit protection to security baseline

Windows 11


Microsoft has released the final version of security configuration baseline settings for Windows 11, version 22H2, downloadable today using the Microsoft Security Compliance Toolkit.


"This release includes numerous changes to further assist in the security of enterprise customers," Microsoft security consultant Rick Munck said.


"Changes have been made for additional protections around hardware and driver security, credential theft, printers, DNS, and account lockout."


Protection against control-flow hijacking attacks


While the new baseline adds extra defenses focusing on multiple areas, the highlight of the latest Windows 11 security baseline is the addition of Kernel Mode Hardware-enforced Stack Protection that provides additional hardware-level protection for kernel code against malware threats.


It works on systems featuring chipsets that support hardware shadow stacks like Intel's Control-flow Enforcement Technology (CET) or AMD shadow stacks.


It secures the kernel from common exploit techniques, including Return-Oriented Programming (ROP) and Jump Oriented Programming (JOP), by automatically triggering exceptions when it detects that a process' natural flow has been modified.


Attackers regularly use such exploitation tactics to hijack a program's intended control flow, for instance, attempting to execute malicious code to escape a web browser's sandbox or remotely running code when visiting maliciously crafted web pages.


"A new feature has been added to the setting located in SystemDevice GuardTurn On Virtualization Based Security called Kernel Mode Hardware Enforced Stack Protection," Munck added.


"There is a hardware dependency for this new feature that requires Intel Tiger Lake and beyond or AMD Zen3 and beyond.


"This setting has a dependency on HVCI (Virtualization Based Protection of Code Integrity). There shouldn't be any issues as long as enterprises are following the baselines but, if the organization deviates from HVCI, then Kernel Mode Hardware Enforced Stack Protection cannot be enabled."


Further Windows 11 security protection improvements


The new baseline adds protection against phishing attacks with the addition of Windows Defender SmartScreen Enhanced Phishing Protection for users still relying on username and password Windows authentication.


"These new features, located in Windows ComponentsWindows Defender SmartScreenEnhanced Phishing Protection, ensure that enterprise credentials cannot be used for malicious or unintended purposes," Munck explained.


"Because this is an end-user option, the security baseline enforces enablement of the service (the Service Enabled setting) to ensure that the enterprise credentials used in the system are appropriately monitored and audited."


Several new settings are enabled under Administrative TemplatesPrinters to protect enterprises, including 'Configure RPC over TCP port,' support for 'RedirectionGuard,' the enforcement of TCP for the 'Configure RPC connection' and 'Configure RPC listener settings.'


The Windows 11 22H2 security baseline also includes credential theft protection via the 'Allow Custom SSPs and APs to be loaded into LSASS,' 'Configure LSASS to run as a protected process,' and 'Enable MPR notifications for the system' to restrict the loading of custom security packages and block password disclosure to providers.


The operating system baseline reduces attack surface through the new 'Block abuse of exploited vulnerable signed drivers' rule, which helps prevent apps from writing vulnerable signed drivers to disk, and brute-force authentication attack mitigation via the new 'Allow Administrator account lockout' rule.


Microsoft also recommends enabling 'Configure DNS over HTTPS (DoH) name resolution' under Administrative TemplatesNetworkDNS Client. While not yet in the baseline, enterprises who wish to use encrypted DNS can enable it manually.


Download and implement the security baseline


The Windows security baseline enables enterprise security admins to use Microsoft-recommended Group Policy Object (GPO) baselines to reduce the attack surface and to improve the security posture of Windows enterprise endpoints.


"A security baseline is a group of Microsoft-recommended configuration settings that explains their security impact," Microsoft explains. "These settings are based on feedback from Microsoft security engineering teams, product groups, partners, and customers."


The Windows 11 22H2 security baseline is now available via the Microsoft Security Compliance Toolkit. It includes Group Policy Object (GPO) backups and reports, scripts to apply settings to the local GPO, and Policy Analyzer rules files.


"Please download the content from the Microsoft Security Compliance Toolkit, test the recommended configurations, and customize / implement as appropriate," Munck added.


You can find additional details on the changes implemented in the new Windows 11 in the Microsoft Security Baselines blog post announcing this release.