From Windows 9x to 11: Tracing Microsoft’s security evolution
Over its journey from Windows 9x to Windows 11, Microsoft has implemented multiple security overhauls, each addressing the challenges of its time and setting the stage for future developments.
In this Help Net Security interview, we feature security researcher Alex Ionescu, the co-author of Windows Internals, one of the founding employees of CrowdStrike, now running his consulting company, Winsider Seminars & Solutions, where he continues to do security research focusing on platform security.
Ionescu evaluates the strides Microsoft has made, the criticisms it has faced, and what the future might hold for Windows security. From the early adoption of a modern 32-bit kernel to the secure-by-default model of Windows 11, we explore the decisions that have defined Microsoft’s security trajectory and what it means for the digital ecosystem.
How would you evaluate the evolution of Microsoft Windows security from the early days to Windows 11?
Windows security took, I would say, four large leaps across its history:
1. From 9x to Windows NT, which saw the move away from 16-bit DOS (and a lack of process and meaningful user/kernel protections) to a modern 32-bit kernel, with appropriate hardware-based security (ring levels, protected virtual memory & padding, etc).
2. The introduction of Windows XP SP2 coincides with the Bill Gates Memo and the Security Development Lifecycle (SDL) throughout Microsoft’s code base.
3. The introduction of Windows Vista added many new platform security mitigations for the first time since stack canaries and DEP. Innovations such as ASLR, the User Mode Driver Framework, BitLocker, Windows Advanced Firewall, integration of Windows Defender, UAC were all added to Windows Vista. Additionally, Vista was the first time that x64 architecture systems became pervasive, which increased security through a larger address space and enabled x64-specific features such as PatchGuard.
4. The introduction of Windows 10, which took several Windows 8.1 features (SecureBoot, Protected Processes, Kernel ASLR, Hyper-V Integration, Control Flow Guard) and made them mainstream, and then introduced the new Virtualization Based Security features such as Hypervisor-Protected Code Integrity and Credential Guard, while adding new code signing restrictions for Windows Kernel Drivers.
With Windows 11, Microsoft is taking Windows 10 innovations and aggressively turning them on by default on new clean installs (HVCI, LSASS Protection, Kernel Driver Signatures, etc.), taking a decade of security innovation that was hidden behind registry settings, and promoting a secure-by-default model.
Given the historical context, how do you think Microsoft has prioritized security in its more recent iterations, particularly Windows 11? Some critics argue that Microsoft has compromised security for innovation and speed. What’s your take?
Microsoft has added several security improvements in Windows 8.1, and Windows 10, and enabling them in Windows 11 by default continues to show their commitment to security. That being said, it’s true that security is always a compromise between performance, compatibility, and features (innovation/speed). If we look at today’s major platform operating systems, iOS and Windows are the best blend of all 4 (with Windows winning on compatibility at the cost of some security). macOS and Linux, the other 2 dominant desktop operating systems, provide less security than Windows, and Linux certainly does so while offering worse compatibility and features simultaneously.
Could Microsoft do better? Certainly. Have they potentially gone too far in one direction in their cloud-based services (Azure & others)? One could argue this point (equally, they’ve gone a lot further in security on Xbox, a system that has, to this day, not been broken, at the cost of compatibility and control).
I’m not trying to sound like a Microsoft apologist (and I’m often known for the opposite), but it’s hard to point to a vendor with a better job while solving for the same parameters.
Tenable CEO Amit Yoran recently pointed out Microsoft’s “negligent cybersecurity practices.” How do you perceive Microsoft’s response and transparency regarding breaches and vulnerabilities?
Microsoft is acting in the best interest of its shareholders, which is what a company in a capitalistic economic environment should be acting like. As is Amit.
If we (society) want to change that, we have laws, regulations, compliance, fines, etc., which we should push our governments to apply, leverage, and use. Companies will not behave transparently and ethically when it gets in the way of business without a system of penalties and responsibilities – which does not exist in our field outside of highly regulated industries such as banking or healthcare.
Thankfully, this is starting to change in some regions, but we have a long way to go. Otherwise, the other way companies change their behaviors is when market dynamics shift so that their behavior hurts the bottom line. So as companies such as Tenable, Wiz, and CrowdStrike start taking Microsoft’s lunch money away because companies no longer trust the latter, this can also incentivize better behavior.
Has Microsoft been transparent enough about its security practices, vulnerabilities, and breaches to maintain the trust of professionals and large enterprises?
My answer above partially covers this already, but to put a point on it, my personal belief is that they need to do better from an ethical and moral standpoint. However, they have little to no competitors in domains like Azure AD, so while they may anger the industry (which will go off and buy third party products to mitigate), there’s no alternative, and hence, again, from a capitalistic public company perspective, they’re maintaining shareholder value.
If you could give one piece of advice to Microsoft to improve its security posture and public perception, what would it be?
Become part of the conversation that government agencies are having regarding regulation and compliance of the cyber sector, instead of being a passerby and then falling victim to them – because governments often don’t get regulation right either. And, to Microsoft’s credit, their work with CISA, for example, already shows that they’re willing to do this.
Are there other tech giants or operating systems you believe are setting the gold standard for security, and what can Microsoft learn from them?
I alluded to this in my earlier answer – for better or worse, Microsoft is the gold standard for what they’re solving for. I do believe iOS has the most robust platform security of any consumer device (and, we’ve seen with Pegasus and other attacks, it’s not immune either), but that comes at a very high usability cost – the iPhone is not a general computing device with compatibility back to 1986, nor should it be. Life would be different if iPhone 15 could run MacOS System 6.8 software and I could play Escape Velocity or Bubble Trouble on it.
Given the increasing complexities of digital threats and the growing interconnectedness of devices, how do you foresee the future of Microsoft Windows security?
Windows security is in a good place, and we’ll continue to enable the technologies Microsoft has poured resources into. I’m much more concerned about the cloud world and the lack of logging, visibility, security plugins/interfaces/APIs, extensibility, vendor lock-in… all of which contribute to a black box computing environment where information asymmetry will result in very successful outcomes for advanced attackers. If Azure (or AWS) were fully open source, I think some of us would be having at least a couple of heart attacks.