Article Details
Scrape Timestamp (UTC): 2024-11-25 19:18:28.710
Source: https://www.theregister.com/2024/11/25/microsoft_talks_up_beefier_windows/
Original Article Text
Security? We've heard of it: How Microsoft plans to better defend Windows

Did we say CrowdStrike? We meant, er, The July Incident....

IGNITE The sound of cyber security professionals spraying their screens with coffee could be heard this week as Microsoft claimed "security is our top priority" as it talked up its Secure Future Initiative (SFI) once again and explained how Windows could be secured.

In a post that did not mention the word "CrowdStrike" and instead referred to "learnings from the incident we saw in July," Microsoft introduced the "Windows Resiliency Initiative" or, as administrators still in therapy after that particular July incident might describe it, "nailing jelly to a wall."

As well as taking lessons from the CrowdStrike incident, in which millions of Windows devices were left hopelessly broken by a malformed update from a security vendor, Microsoft has said areas of focus include enabling more apps and users to run without administrative privileges, stronger controls for what apps and drivers are allowed to run, and improved identity protection to prevent phishing attacks.

It's all laudable stuff, although much of it feels like it could have happened earlier. SFI is already more than a year old. In September 2024, Microsoft boasted of the 34,000 full-time engineers it had dedicated to SFI. If that many engineers are needed, the company should probably take a look at the surface area available for attack. And then there are the incidents, such as July's, that have only highlighted architectural weaknesses. The reliance by some cybersecurity vendors on kernel-mode code has been an accident waiting to happen and lay at the heart of the CrowdStrike problem.

To help administrators recover machines unable to boot without having to get hands-on with the hardware, Microsoft has announced Quick Machine Recovery, due to roll out to Windows Insiders in the early part of 2025.
The trick is, however, not to get an enterprise's Windows devices to that stage. To that end, Microsoft repeated its vow to open up more of Windows so that vendors can run their solutions in user mode rather than dive down to the potentially riskier kernel level.

The company also talked about adopting Safe Deployment Practices, "which means that all security product updates must be gradual, leverage deployment rings, as well as monitoring to ensure any negative impact from updates is kept to a minimum."

It will take until July 2025, a year after CrowdStrike's update took down a large chunk of the Windows ecosystem, before Microsoft will make a private preview of the new capabilities available.

Other changes in preview now include Administrator protection, where users have standard permissions, but temporary rights can be granted if needed, and Hotpatch in Windows, a "revolutionary" feature that allows critical security updates to be applied without requiring a restart.
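The Safe Deployment Practices quoted above boil down to one mechanism: push an update to a small ring first, watch telemetry from that ring, and only promote to the next (larger) ring if the damage stays under a threshold. The following Python sketch is an added illustration of that mechanism, not code from Microsoft, CrowdStrike or the article. Every host name, ring size, threshold and the "every other host crashes" fault model are constructed for the example; the function names (deploy_with_rings, simulate, hosts_hit_by_big_bang) are likewise the example's own.

```python
"""Deployment rings with a health gate: an added illustration (not Microsoft's
or any security vendor's code) of the Safe Deployment Practices idea, where a
content update goes out gradually and telemetry from each ring decides whether
the next ring receives it. The fleet, ring sizes, thresholds and the fault
model below are all constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Ring:
    name: str
    hosts: List[str]
    max_failure_rate: float  # fraction of the ring allowed to fail before we stop


@dataclass
class RolloutResult:
    status: str = "completed"                 # "completed" or "halted"
    rings_deployed: List[str] = field(default_factory=list)
    halted_at: Optional[str] = None
    failure_rate: Dict[str, float] = field(default_factory=dict)


def deploy_with_rings(
    rings: List[Ring],
    apply_update: Callable[[str], None],
    collect_health: Callable[[List[str]], Dict[str, bool]],
    roll_back: Callable[[str], None],
) -> RolloutResult:
    """Push the update one ring at a time. After each ring, read that ring's
    health telemetry; a host missing from the telemetry counts as failed
    (a crash-looping machine cannot report in). If the failure rate exceeds
    the ring's threshold, roll the ring back and stop, so later rings never
    receive the update."""
    result = RolloutResult()
    for ring in rings:
        for host in ring.hosts:
            apply_update(host)
        result.rings_deployed.append(ring.name)
        health = collect_health(ring.hosts)  # host -> True if healthy after update
        failed = [h for h in ring.hosts if not health.get(h, False)]
        rate = len(failed) / len(ring.hosts)
        result.failure_rate[ring.name] = rate
        if rate > ring.max_failure_rate:
            for host in ring.hosts:
                roll_back(host)
            result.status = "halted"
            result.halted_at = ring.name
            break
    return result


# --- constructed simulation of a fleet and a malformed update ---------------

def build_fleet() -> List[Ring]:
    """Three rings: a handful of canaries, a pilot group, then the broad fleet.
    Thresholds tighten as the ring grows."""
    return [
        Ring("canary", [f"canary-{i:02d}" for i in range(1, 5)], max_failure_rate=0.10),
        Ring("pilot", [f"pilot-{i:02d}" for i in range(1, 21)], max_failure_rate=0.05),
        Ring("broad", [f"broad-{i:03d}" for i in range(1, 201)], max_failure_rate=0.02),
    ]


def crashes_on_bad_update(host: str) -> bool:
    """Constructed fault model: the malformed update breaks every other host."""
    return int(host.rsplit("-", 1)[1]) % 2 == 0


def simulate(bad_update: bool) -> Tuple[RolloutResult, List[str]]:
    """Run the ringed rollout against the sample fleet. Returns the rollout
    result and the hosts still running the update when it ends."""
    rings = build_fleet()
    running_update: List[str] = []

    def apply_update(host: str) -> None:
        running_update.append(host)

    def roll_back(host: str) -> None:
        running_update.remove(host)

    def collect_health(hosts: List[str]) -> Dict[str, bool]:
        # A crashed host never reports; model that as an absent/False entry.
        return {h: not (bad_update and crashes_on_bad_update(h)) for h in hosts}

    return deploy_with_rings(rings, apply_update, collect_health, roll_back), running_update


def hosts_hit_by_big_bang(bad_update: bool) -> int:
    """For comparison: hosts that would crash if the update went everywhere at once."""
    return sum(1 for ring in build_fleet() for h in ring.hosts
               if bad_update and crashes_on_bad_update(h))


if __name__ == "__main__":
    result, still_running = simulate(bad_update=True)
    print(f"bad update: {result.status} at ring {result.halted_at}, "
          f"failure rates {result.failure_rate}, hosts left on it: {len(still_running)}")
    print(f"same update pushed everywhere at once would have hit "
          f"{hosts_hit_by_big_bang(True)} hosts")
    result, still_running = simulate(bad_update=False)
    print(f"good update: {result.status}, rings {result.rings_deployed}, "
          f"hosts on it: {len(still_running)}")
```

With the constructed fault model the bad update is stopped at the four-host canary ring (failure rate 0.5, well over the 0.10 threshold) and rolled back, whereas pushing the same update to every host at once would have taken down 112 of the 224 sample hosts. Two design points carry over to real deployments: the gate must treat silence as failure, because a machine stuck in a boot loop cannot send telemetry, and the check must actually block promotion rather than merely alert, otherwise the ring structure is decorative.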
Daily Brief Summary
Microsoft aims to prioritize security, introducing the Windows Resiliency Initiative following lessons learned from a significant incident in July involving a harmful security update from CrowdStrike.
The new initiatives include enabling more applications and users to operate without administrative privileges, enforcing stricter controls on permissible apps and drivers, and bolstering identity protection to combat phishing.
In response to previous vulnerabilities, Microsoft plans to reduce reliance on kernel-mode code which was central to the CrowdStrike incident, opting instead to allow vendors to operate more at the user mode level.
A newly announced feature, Quick Machine Recovery, is set to be available for testing in early 2025, designed to aid administrators in reviving non-booting machines remotely.
Microsoft commits to Safe Deployment Practices for security updates, ensuring they are deployed gradually and monitored to minimize negative impacts, set to start a private preview by July 2025.
Another upcoming feature, Hotpatch in Windows, will enable critical security updates to be applied without the need for system restarts, improving the efficiency of security management.
Despite these advancements, some industry professionals believe these security improvements by Microsoft are overdue, highlighting past incidents that have exposed significant architectural weaknesses in Windows security management.