Are Zero Trust Features Practical for Endpoint Security?
Zero Trust features in endpoint security can be effective in controlled environments like kiosks, where interactions are limited and predictable. However, for everyday workstations, the administrative burden, performance issues, and user disruptions often outweigh the benefits.
In recent years, Zero Trust has become a key principle in endpoint security, aiming to eliminate the implicit trust granted to users or devices within a network. Every request is treated as untrustworthy until verified, enhancing protection against insider threats and lateral movement. Several enterprise products now include some form of Zero Trust features, such as application control, network segmentation, identity verification, etc. However, implementing these features—especially in dynamic environments like workstations—presents challenges. Continuous verification processes can introduce performance overhead, affecting user experience and daily operations if not carefully managed.
Zero Trust and Workstations: Too Much Overhead for Everyday Use
On workstations, where employees perform dynamic tasks and frequently install software, implementing Zero Trust can introduce significant challenges. Frequent changes in usage patterns make the product's learning (training) phase lengthy and complex, even with cloud-based assistance. Moreover, the highly restrictive nature of Zero Trust can lead to excessive alerts and blocks during normal operations. The constant need for authorization, even for legitimate tasks, interrupts workflows, frustrates users, and burdens IT teams with the continuous task of approving or denying activities. In addition, features like continuous verification and real-time checks may negatively affect system performance, causing slower response times and reducing overall productivity. As a result, maintaining such a system is resource-intensive, with diminishing returns in terms of improved security. The overall user experience and operational efficiency are significantly impacted, making Zero Trust features impractical for most workstation environments. This is why these features are often disabled by default.
Zero Trust and Kiosk Computers: A Suitable Match
Kiosk computers, often used in public settings or tightly controlled environments, are designed for limited interaction, with users restricted from installing software or making system changes. In such cases, Zero Trust can be particularly beneficial. Its restrictive approach suits the limited and predictable usage patterns of kiosks—nothing is installed, executed, or modified without explicit authorization. This minimizes the attack surface while maintaining a high level of security with minimal user friction.
Since kiosks operate in a highly predictable and stable manner, the learning phase of Zero Trust systems is less burdensome. Administrators can pre-approve the necessary applications and workflows, resulting in fewer alerts and reduced maintenance requirements. As a result, Zero Trust can effectively enhance kiosk security by preventing unauthorized actions with minimal ongoing adjustments.
Where Zero Trust Makes Sense
Given these challenges, most organizations find Zero Trust more suitable for specialized systems like kiosks, while it is often disabled on workstations. Therefore, it’s crucial to assess the performance and security efficacy of endpoint protection products under “normal” conditions—without Zero Trust enabled. This helps determine the true value of the security solution for day-to-day operations, where a balance between security and usability is essential.
Built-in Windows Protections: Easier Alternatives
Windows 10 and 11 Pro editions offer built-in security features that can achieve similar levels of protection with significantly less complexity than Zero Trust models. Key features include:
- Attack Surface Reduction (ASR) Rules: ASR rules help reduce the attack surface by blocking potentially malicious behaviours, such as preventing Office macros from executing content downloaded from the web, blocking executable files running from email attachments, and more. These rules are flexible and can be tailored to different risk profiles, allowing for fine-grained control without overwhelming users with alerts.
- Controlled Folder Access: This feature protects critical system files and user data by preventing unauthorized applications from making changes. It’s particularly effective against ransomware and other malware that targets sensitive data.
- AppLocker: Another valuable feature in Windows, AppLocker allows administrators to control which applications and files users can run. By creating policies that restrict unauthorized executables, scripts, and installers, AppLocker helps reduce exposure to malicious software. AppLocker is particularly useful in environments where maintaining tight control over executable permissions is crucial, offering a more straightforward alternative to Zero Trust for controlling application execution.
Collectively, these built-in features can provide strong protection, especially when configured correctly, making them viable alternatives to more expensive and operationally demanding Zero Trust implementations.
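The practical way to get value from Controlled Folder Access and AppLocker without the alert storm described for Zero Trust is to deploy both in audit mode first, read what they would have blocked, and only then enforce. The following is an added example (it is not part of the original article and not AV-Comparatives' or Microsoft's code) showing that staged rollout on a single Windows 10/11 Pro machine with Microsoft Defender, run from an elevated PowerShell session. The folder and application paths are placeholders; the event IDs (1123/1124 for Controlled Folder Access, 8003 for AppLocker audit) and cmdlets are the documented Windows ones.

```powershell
# Added example: audit-first rollout of Controlled Folder Access and AppLocker.
# Not from the original article. Run elevated on Windows 10/11 Pro.
# All file and folder paths below are placeholders.
#Requires -RunAsAdministrator

# --- Controlled Folder Access -------------------------------------------------
# AuditMode blocks nothing but logs every write that *would* have been blocked
# (event ID 1124). Switch to Enabled only once the audit log is quiet for the
# applications users actually rely on.
Set-MpPreference -EnableControlledFolderAccess AuditMode

# Protect a line-of-business data folder in addition to the default user
# folders (Documents, Pictures, ...). Placeholder path.
Add-MpPreference -ControlledFolderAccessProtectedFolders 'D:\LOB-Data'

# Allow a known-good application that legitimately writes to protected folders
# (placeholder path; most Microsoft-signed apps are already trusted).
Add-MpPreference -ControlledFolderAccessAllowedApplications 'C:\Program Files\ExampleVendor\backup.exe'

# Review what audit mode caught before enforcing. 1123 = blocked, 1124 = audited.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1123, 1124
} -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message

# --- AppLocker ----------------------------------------------------------------
# Generate publisher/hash rules from what is already installed, so the policy
# reflects the real software baseline rather than a hand-written allow list.
$policyXml = Get-AppLockerFileInformation -Directory 'C:\Program Files' -Recurse `
        -FileType Exe, Dll, Script, WindowsInstaller |
    New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Optimize -Xml

# Before applying, set EnforcementMode="AuditOnly" on every RuleCollection so
# violations are logged (AppLocker EXE and DLL log, event ID 8003) rather than
# blocked. The generated XML carries Enabled or NotConfigured; rewrite both.
$policyPath = Join-Path $env:TEMP 'applocker-audit.xml'
$policyXml -replace 'EnforcementMode="(Enabled|NotConfigured)"', 'EnforcementMode="AuditOnly"' |
    Set-Content -Path $policyPath -Encoding UTF8

# Dry run: would a given file be allowed under this policy? (placeholder path)
Test-AppLockerPolicy -XmlPolicy $policyPath -Path 'C:\Users\Public\unknown-tool.exe' -User Everyone

# AppLocker only evaluates rules while the Application Identity service runs.
# The service is protected, so configure it with sc.exe rather than Set-Service.
sc.exe config appidsvc start= auto | Out-Null
Start-Service -Name AppIDSvc

# Apply locally in audit mode, merging with any existing local policy.
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge
```

Once the 1124 and 8003 events stop showing legitimate business applications, the same two cmdlets are rerun with `Enabled` and `EnforcementMode="Enabled"` respectively; exceptions are added per application, rather than by relaxing the whole control, which keeps the alert volume at the level the article contrasts with Zero Trust products.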
Key ASR Rules and Effectiveness
One of the most powerful sets of these features is Microsoft Defender’s Attack Surface Reduction (ASR) rules. These rules are configurable controls that block or limit specific behaviours often associated with malware and other malicious activities.
ASR Rules Examples:
- Block executable files from running unless they meet a prevalence, age, or trusted list criterion: This rule prevents new or low-reputation executables from running, reducing the risk of zero-day attacks or novel malware. It assesses whether an executable is widely used, has been around long enough, or is from a known trusted source before allowing it to execute.
- Block Office applications from creating child processes: Many attacks exploit Office applications (like Word or Excel) to launch malicious scripts or executables.
- Block executable content from email and webmail clients: This rule blocks users from running executable files or scripts directly from email attachments or web-based email clients, a frequent entry point for malware.
- Block Office applications from injecting code into other processes: Some sophisticated attacks involve injecting malicious code into trusted processes, making them harder to detect.
- Use advanced protection against credential theft: Credential-stealing malware is a serious threat, and this rule blocks unauthorized processes from accessing sensitive credential stores or memory locations where authentication data is held.
- Block untrusted and unsigned processes that run from USB: Removable media like USB drives can introduce malware into networks. This prevents untrusted and unsigned software from launching directly from USB devices, reducing exposure to risks.
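The rules listed above are each identified by a GUID and can be set to audit, warn or block independently, which is what makes tuning them far cheaper than tuning a full Zero Trust agent. The block below is an added example (not from the original article, and not AV-Comparatives' or Microsoft's code) that enables exactly these six rules on a Microsoft Defender endpoint in audit mode, summarises the resulting audit events per rule, and then enforces a subset. It assumes an elevated PowerShell session on Windows 10/11; the rule IDs are transcribed from Microsoft's ASR rules reference and should be checked against the current documentation before deployment, the exclusion path is a placeholder, and the event-data field names used when parsing are those seen in Defender's 1121/1122 event XML (treat them as an assumption to verify on your build).

```powershell
# Added example: staged deployment of the ASR rules discussed above.
# Not from the original article. Run elevated on a Defender-protected endpoint.
#Requires -RunAsAdministrator

# Rule IDs transcribed from Microsoft's ASR reference; verify before deploying.
$asrRules = [ordered]@{
    # Block executable files unless they meet a prevalence, age, or trusted list criterion
    '01443614-cd74-433a-b99e-2ecdc07bfc25' = 'Exe prevalence/age/trusted-list'
    # Block all Office applications from creating child processes
    'd4f940ab-401b-4efc-aadc-ad5f3c50688a' = 'Office child processes'
    # Block executable content from email client and webmail
    'be9ba2d9-53ea-4cdc-84e5-9b1eeee46550' = 'Executable content from email'
    # Block Office applications from injecting code into other processes
    '75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84' = 'Office code injection'
    # Credential-theft protection: documented as "Block credential stealing from
    # the Windows local security authority subsystem (lsass.exe)"
    '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2' = 'Credential theft (LSASS)'
    # Block untrusted and unsigned processes that run from USB
    'b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4' = 'Untrusted/unsigned from USB'
}

function Set-AsrRuleMode {
    param(
        [Parameter(Mandatory)][string[]]$Ids,
        [Parameter(Mandatory)][ValidateSet('Enabled', 'AuditMode', 'Disabled', 'Warn')][string]$Mode
    )
    # Add-MpPreference adds or updates one rule at a time; Set-MpPreference with
    # the same parameters would replace the whole list.
    foreach ($id in $Ids) {
        Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions $Mode
    }
}

# Phase 1: audit everything. Nothing is blocked; would-be blocks are logged as event 1122.
Set-AsrRuleMode -Ids @($asrRules.Keys) -Mode AuditMode

# Phase 2 (after a representative period): count audit hits per rule so the rules
# that would interrupt real work are visible before anything is switched to Enabled.
function Get-AsrAuditSummary {
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Windows Defender/Operational'
        Id      = 1121, 1122   # 1121 = blocked, 1122 = audited
    } -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $xml  = [xml]$e.ToXml()
        $data = @{}
        # Field names ('ID', 'Process Name', 'Path') as seen in Defender's event XML; assumption to verify.
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time    = $e.TimeCreated
            Mode    = if ($e.Id -eq 1121) { 'Blocked' } else { 'Audited' }
            RuleId  = $data['ID']
            Rule    = $asrRules["$($data['ID'])"]
            Process = $data['Process Name']
            Target  = $data['Path']
        }
    }
}
Get-AsrAuditSummary | Group-Object Rule, Mode | Sort-Object Count -Descending |
    Select-Object Count, Name

# Phase 3: enforce only the rules that stayed quiet in audit (placeholder selection).
Set-AsrRuleMode -Ids 'be9ba2d9-53ea-4cdc-84e5-9b1eeee46550', '75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84' -Mode Enabled

# Exclude one known-good application from ASR rather than disabling a rule (placeholder path).
Add-MpPreference -AttackSurfaceReductionOnlyExclusions 'C:\Program Files\ExampleVendor\macrotool.exe'

# Verify the resulting per-rule state.
$pref = Get-MpPreference
for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    '{0}  {1}' -f $pref.AttackSurfaceReductionRules_Ids[$i], $pref.AttackSurfaceReductionRules_Actions[$i]
}
```

The audit summary is the step that distinguishes this from the Zero Trust experience the article criticises: each rule is promoted to block on its own evidence, and a noisy rule can be left in audit or warn mode without giving up the others.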
Conclusion
Zero Trust features in endpoint security products can be highly effective in environments like kiosks, where interactions are limited and predictable. However, for workstations used in everyday operations, the administrative burden, performance degradation, and user disruptions they introduce often make them impractical. While a very strict Zero Trust approach could potentially block 100% of malware, it would also overwhelm users and administrators with excessive false positives and maintenance requirements, making it less practical for day-to-day use.
Organizations should carefully evaluate whether the increased security provided by Zero Trust justifies the impact on productivity and maintenance. Using a reliable product that can block most attacks with minimal false positives, as verified by independent evaluations by organizations like AV-Comparatives, even without applying Zero Trust features, is ultimately more cost-effective and flexible across different environments. Built-in Windows security features such as ASR rules, AppLocker, and Controlled Folder Access offer strong protection with less complexity, providing cost-effective, easier-to-manage alternatives that deliver robust security.
By taking a balanced approach, organizations can secure their endpoints effectively while minimizing the operational challenges associated with Zero Trust deployments.