Search icon Close icon
Search icon
Subscription
0
Cart icon
Close icon
You have no products in your basket yet
Arrow left icon
All Products
Best Sellers
New Releases
Books
Videos
Audiobooks
Learning Hub
Newsletters
Free Learning
Arrow right icon
Windows 11 for Enterprise Administrators - Second Edition

You're reading from  Windows 11 for Enterprise Administrators - Second Edition

Product type Book
Published in Oct 2023
Publisher Packt
ISBN-13 9781804618592
Pages 286 pages
Edition 2nd Edition
Languages
Concepts
Authors (5):
Manuel Singer Manuel Singer
Profile icon Manuel Singer
LinkedIn
Manuel Singer works as a Senior Premier Field Engineer for Windows Client at Microsoft and is based in Germany. He has more than 10 years of experience in system management and deployment using Microsoft technologies. He specializes in client enterprise design, deployment, performance, reliability, and Microsoft devices. Manuel works with local and international top customers from the private and public sector to provide professional technical and technological support.
See other products by Manuel Singer
Jeff Stokes Jeff Stokes
Profile icon Jeff Stokes
LinkedIn
Jeff Stokes is a Windows / Microsoft Engineer currently employed at Microsoft. He specializes in Operating System Health, Reliability, and Performance. He is skilled in Windows Deployment with MDT (Microsoft Deployment Toolkit) and has exceptional skills in VDI (Virtual Desktop) and performance analysis. He is an active writer and blogger and loves technology.
See other products by Jeff Stokes
Steve Miles Steve Miles
Profile icon Steve Miles
LinkedIn
Steve Miles is a Microsoft security and Azure/hybrid MVP and MCT with over 20 years of experience in security, networking, storage, end user computing, and cloud solutions. His current focus is on securing, protecting, and managing identities, Windows clients, and Windows server workloads in hybrid and multi-cloud platform environments. His first Microsoft certification was on Windows NT and he is an MCP, MCITP, MCSA, and MCSE for Windows and many other Microsoft products. He also holds multiple Microsoft Fundamentals, Associate, Expert, and Specialty certifications in Azure security, identity, network, M365, and D365. He also holds multiple security, networking vendor, and other public cloud provider certifications.
See other products by Steve Miles
Thomas Lee Thomas Lee
Profile icon Thomas Lee
LinkedIn
Thomas Lee is a consultant/trainer/writer based in the UK and has been in the IT business since the late 1960s. After graduating from Carnegie Mellon University, Thomas joined ComShare where he was a systems programmer building the Commander II time-sharing operating system, a forerunner of today's cloud computing paradigm. In the mid-1970s, he moved to ICL to work on the VME/K operating system. After a sabbatical in 1980/81, he joined Accenture, leaving in 1988 to run his own consulting and training business, which is still active today. Thomas holds numerous Microsoft certifications, including MCSE (one of the first in the world) and later versions, MCT (25 years), and was awarded Microsoft's MVP award 17 times.
See other products by Thomas Lee
Richard Diver Richard Diver
Profile icon Richard Diver
LinkedIn
Richard Diver is a senior technical business strategy manager for the Microsoft Security Solutions group, focused on developing security partners. Based in Chicago, Richard works with advanced security and compliance partners to help them build solutions across the entire Microsoft platform, including Microsoft Sentinel, Microsoft Defender, Microsoft 365 security solutions, and many more. Prior to Microsoft, Richard worked in multiple industries and for several Microsoft partners to architect and implement cloud security solutions for a wide variety of customers around the world. Any spare time he gets is usually spent with his family.
See other products by Richard Diver
View More author details

Table of Contents (13) Chapters

Preface 1. Chapter 1: Windows 11 – Installation and Upgrading 2. Chapter 2: Introduction to PowerShell 3. Chapter 3: Configuration and Customization 4. Chapter 4: User Account Administration 5. Chapter 5: Tools to Manage Windows 11 6. Chapter 6: Device Management 7. Chapter 7: Accessing Enterprise Data in BYOD and CYOD Scenarios 8. Chapter 8: Windows 11 Security 9. Chapter 9: Advanced Configurations 10. Chapter 10: Windows 11 21H2 and 22H2 Changes (versus Windows 10) 11. Index 12. Other Books You May Enjoy

Windows 11 Security

This chapter covers all aspects of Windows 11 security. While we have covered some aspects of security in some of the previous chapters of this book, we will look at them collectively and in more detail in this single security-focused chapter. If you are a security professional, this chapter is dedicated to your role and responsibilities in securing Windows 11 in a company.

The attacker’s chain of events can be prevented and disrupted through a zero-trust and defense-in-depth approach. We need to put multiple obstacles in the attacker’s way and increase their attack costs so that they will move on to launching an easier attack elsewhere that offers the least resistance. We will look at both of these approaches in subsequent sections of this chapter and understand why it is important to implement a good security posture to address these threats.

In this chapter, we’ll learn about the following:

  • Introducing security posture
  • Zero...

Introducing security posture

A security strategy must start from an inward look at a company’s current security position and secure score. A secure score is like a credit-rating score, but it looks at your positioning on the attack vulnerability scale of 1 to 10.

A security posture refers to an organization’s current threat-protection and threat-response capabilities. This ensures that an organization has the ability for systems, data, and identities to be recoverable and operational should an attack be successful.

It is critical to understand that we cannot prevent or eliminate threats and attacks, and the fact is that an attacker only has to be successful once, while you must protect everything all the time.

A security posture’s goal should be to reduce exposure to threats, shrinking attack surface areas and vectors while building resilience to attacks, as they cannot be eliminated.

A security strategy and security posture should use the guiding principles...

Zero trust

With many companies embracing a hybrid workforce, a new security model mindset is required more than ever. We need to adopt a holistic approach to security, a model that thinks beyond traditional network-perimeter-based security. The traditional firewalls and security-service-controlled network perimeters have vanished due to this hybrid workforce.

Zero trust, which uses the never trust, always verify approach, is not a service or solution but a wider security strategy and framework to be adopted. It ensures compliance and securing of access to the resources rather than the location or network it is on. We must not assume trust because of the device or resource’s network or location. We can no longer assume trust based on identity or self-attestation.

The zero-trust framework is built upon the following foundational principles:

  • Assume breach: From the start, we must adopt the mindset that there is a breach; it is all about damage limitation. As it is...

Defense in depth

When considering securing Windows 11 in our enterprises, we should take a defense-in-depth (DiD) approach. This means we should not rely on a single security layer solution.

Adopting a DiD strategy allows an organization to adopt a strong security posture and helps ensure that all systems, data, and users are better protected from threats and compromise. A DiD strategy means no single layer of protection or security service is solely responsible for protecting resources. Still, you can slow down an attack path by implementing many different types of defense at individual layers. It may successfully breach one defensive layer but be halted by subsequent protection layers, preventing the protected resource from being exposed. The following figure shows that DiD as a concept is nothing new as a strategy; it can be considered the medieval castle concept of protecting resources:

Figure 8.2 – Medieval castle defense approach

Figure 8.2 – Medieval castle defense approach

The medieval...

Ensuring hardware security

We need to secure our hardware through device protection. Hackers have historically easily compromised a device before it is booted by dropping in rootkit malware without it even being noticed. It remains undetected after the device starts.

Trusted Platform Module (TPM), the Microsoft Pluton security processor, Hypervisor-Protected Code Integrity, and Windows Defender System Guard are all measures that can be used to provide the integrity of the device and OS before it even starts up. We will look at these measures in detail in the following sections.

TPM

TPM is a hardware-based security measure that provides tampering protection and can provide device health attestation. At the heart of TPM is a secure crypto-processor chip used for actions such as cryptographic key generation, storing, and use limitation.

Device health attestation enables trust to be established for a managed device based on the hardware and software components under the control...

Ensuring that we operate system security

As a part of our defense-in-depth look at securing Windows 11 systems, this section looks at the security measures we can take to protect the OS. These include Secure Boot and Trusted Boot, the Windows Security app, encryption, security baselines, and Defender, which we will discuss in the following sections.

Introducing Secure Boot and Trusted Boot

Secure Boot and Trusted Boot work together to provide OS-level protection of a Windows device during startup, preventing the loading of malware and corrupted components.

The initial boot-up protection is carried out by Secure Boot. The firmware is verified that it is digitally signed, and then all code that runs before the OS is checked by Secure Boot.

The digital signature of the OS bootloader is then checked to ensure the Secure Boot policy will trust it and that there has been no tampering.

Trusted Boot then picks up the process. The digital signal of the Windows kernel is verified...

Ensuring user identity security

In our defense-in-depth look at securing Windows 11 systems, this section looks at the security measures we can take to protect user identity security. This section will cover Windows Hello for Business and Microsoft Defender Credential Guard.

Windows Hello for Business

Windows Hello for Business is a secure authentication solution that uses two-factor authentication on devices to replace passwords. The two factors used for authentication are a device-tied user credential and a biometric or PIN. A PIN is more secure than a password as it is tied to the device.

The following problems with passwords are addressed with Windows Hello:

  • It’s difficult to remember strong passwords, leading to reuse across sites
  • Passwords can be exposed upon breach/phishing attacks
  • Replay attacks on passwords

Windows Hello authenticates user identities to allow them access to the following:

  • Microsoft Account
  • Microsoft Active...

Summary

We should reiterate the relevance of what has been learned in this chapter by understanding that an attack chain of events can be prevented and disrupted through a zero-trust and defense-in-depth approach. We covered various aspects of hardware security and OS security, particularly Windows 11 security. We concluded the chapter with a section on user identity security, where we looked at Windows Hello for Business and Microsoft Defender Credential Guard.

By implementing these measures and adopting security posture management, we can make an attacker consider an easier attack elsewhere that offers the least resistance by putting multiple obstacles in the attacker’s way and increasing their attack costs.

In the next chapter, we will cover advanced topics of configuration for use cases in the enterprise.

lock icon The rest of the chapter is locked
arrow left Previous Chapter
Chapter 1 of 13
Next Chapter arrow right
You have been reading a chapter from
Windows 11 for Enterprise Administrators - Second Edition
Published in: Oct 2023 Publisher: Packt ISBN-13: 9781804618592
© 2023 Packt Publishing Limited All Rights Reserved
Register for a free Packt account to unlock a world of extra content!
A free Packt account unlocks extra newsletters, articles, discounted offers, and much more. Start advancing your knowledge today.
Sign up now
Unlock this book and the full library FREE for 7 days
Get unlimited access to 7000+ expert-authored eBooks and videos courses covering every tech area you can think of
Start free trial
Renews at €14.99/month. Cancel anytime}

Authors (5)

Left arrow icon
Profile icon Manuel Singer
LinkedIn
Manuel Singer works as a Senior Premier Field Engineer for Windows Client at Microsoft and is based in Germany. He has more than 10 years of experience in system management and deployment using Microsoft technologies. He specializes in client enterprise design, deployment, performance, reliability, and Microsoft devices. Manuel works with local and international top customers from the private and public sector to provide professional technical and technological support.
See other products by Manuel Singer
Profile icon Jeff Stokes
LinkedIn
Jeff Stokes is a Windows / Microsoft Engineer currently employed at Microsoft. He specializes in Operating System Health, Reliability, and Performance. He is skilled in Windows Deployment with MDT (Microsoft Deployment Toolkit) and has exceptional skills in VDI (Virtual Desktop) and performance analysis. He is an active writer and blogger and loves technology.
See other products by Jeff Stokes
Profile icon Steve Miles
LinkedIn
Steve Miles is a Microsoft security and Azure/hybrid MVP and MCT with over 20 years of experience in security, networking, storage, end user computing, and cloud solutions. His current focus is on securing, protecting, and managing identities, Windows clients, and Windows server workloads in hybrid and multi-cloud platform environments. His first Microsoft certification was on Windows NT and he is an MCP, MCITP, MCSA, and MCSE for Windows and many other Microsoft products. He also holds multiple Microsoft Fundamentals, Associate, Expert, and Specialty certifications in Azure security, identity, network, M365, and D365. He also holds multiple security, networking vendor, and other public cloud provider certifications.
Read more
See other products by Steve Miles
Profile icon Thomas Lee
LinkedIn
Thomas Lee is a consultant/trainer/writer based in the UK and has been in the IT business since the late 1960s. After graduating from Carnegie Mellon University, Thomas joined ComShare where he was a systems programmer building the Commander II time-sharing operating system, a forerunner of today's cloud computing paradigm. In the mid-1970s, he moved to ICL to work on the VME/K operating system. After a sabbatical in 1980/81, he joined Accenture, leaving in 1988 to run his own consulting and training business, which is still active today. Thomas holds numerous Microsoft certifications, including MCSE (one of the first in the world) and later versions, MCT (25 years), and was awarded Microsoft's MVP award 17 times.
Read more
See other products by Thomas Lee
Profile icon Richard Diver
LinkedIn
Richard Diver is a senior technical business strategy manager for the Microsoft Security Solutions group, focused on developing security partners. Based in Chicago, Richard works with advanced security and compliance partners to help them build solutions across the entire Microsoft platform, including Microsoft Sentinel, Microsoft Defender, Microsoft 365 security solutions, and many more. Prior to Microsoft, Richard worked in multiple industries and for several Microsoft partners to architect and implement cloud security solutions for a wide variety of customers around the world. Any spare time he gets is usually spent with his family.
Read more
See other products by Richard Diver
Right arrow icon

Personalised recommendations for you

Based on your interests and search pattern
Left arrow icon
Designing and Implementing Microsoft Azure Networking Solutions
Designing and Implementing Microsoft Azure Networking Solutions
Designing and Implementing Microsoft Azure Networking Solutions Exam Ref AZ-700 is an all-encompassing guide to the AZ-700 exam and contains all the information you need to succeed in the world of virtual networking with Azure. With this book, you will be fully prepared for the exam and the world of cloud networking.
Aug 2023 17 hours 28 minutes
Microsoft 365 Security, Compliance, and Identity Administration
Microsoft 365 Security, Compliance, and Identity Administration
The Microsoft 365 Security, Compliance, and Identity Administration is a comprehensive guide that helps you employ Microsoft 365's robust suite of features and empowers you to optimize your administrative tasks.
Aug 2023 21 hours 0 minutes
Zero Trust Overview and Playbook Introduction
Zero Trust Overview and Playbook Introduction
Get started on Zero Trust with this step-by-step playbook and learn everything you need to know for a successful Zero Trust journey with tailored guidance for every role, covering strategy, operations, architecture, implementation, and measuring success. This book will become an indispensable reference for everyone in your organization.
Oct 2023 8 hours 0 minutes
The Self-Taught Cloud Computing Engineer
The Self-Taught Cloud Computing Engineer
This self-study book helps you master multiple clouds, including AWS, Azure, and GCP, and serves as a roadmap to becoming a certified cloud computing expert. The book will guide you to develop a professional cloud career by helping you build a broad cloud knowledge base, developing hands-on cloud computing skills, and getting cloud certified.
Sep 2023 15 hours 44 minutes
Technology Operating Models for Cloud and Edge
Technology Operating Models for Cloud and Edge
This book will help you build and create ownership of a technology operating model, as well as connect your leadership with engineering and operations, keeping your internal and external customers in mind. It provides practical tips on why, where, and how to make the cloud and edge platform paradigm sing for you, your team, and your organization.
Aug 2023 7 hours 36 minutes
Azure Architecture Explained
Azure Architecture Explained
Azure is the preferred platform to build mission-critical and secure apps. This book provides comprehensive coverage of essential Azure products, services, and solutions vital for every solution architect's success. Elevate your knowledge and master the critical components of Azure to excel in your role with Azure Architecture Explained.
Sep 2023 14 hours 52 minutes
Pentesting Active Directory and Windows-based Infrastructure
Pentesting Active Directory and Windows-based Infrastructure
This practical guide helps you explore the pentesting of Microsoft infrastructure in detail, and enhances your offensive skillset by showing you the different ways to perform security assessment. This book will help blue teamers and IT engineers get up to speed with possible security issues they may encounter in their Windows environments.
Nov 2023 12 hours 0 minutes
Practical Ansible
Practical Ansible
In Practical Ansible, you'll work with the latest release of Ansible and learn to solve complex issues quickly with the help of task-oriented scenarios. You'll start by installing and configuring Ansible to automate monotonous and repetitive IT tasks and get to grips with concepts such as playbooks, inventories, plugins, collections, and network modules.
Sep 2023 14 hours 0 minutes
Windows 11 for Enterprise Administrators
Windows 11 for Enterprise Administrators
Microsoft’s launch of Windows 11 is a step toward satisfying the enterprise administrator’s needs for better management and enhanced user experience customization. This book provides the enterprise administrator with the knowledge needed to fully utilize the advanced feature set of Windows 11 Enterprise.
Oct 2023 9 hours 32 minutes
The Linux DevOps Handbook
The Linux DevOps Handbook
This book is for software and IT professionals seeking knowledge on Linux systems and DevOps practices. This book will provide you with guidance and tools to learn and gain proficiency in managing Linux-based infrastructures and knowledge of DevOps.
Nov 2023 14 hours 16 minutes
Right arrow icon