Microsoft might kick security vendors out of the Windows kernel
Reducing kernel-level access could undermine security vendors’ ability to protect systems effectively.
In response to the CrowdStrike incident, Microsoft invited a group of endpoint security vendors and government officials from the US and Europe to discuss performance needs and the challenges security vendors face when operating outside of kernel mode.
The summit, hosted on Tuesday, Sept. 10, saw partner companies such as CrowdStrike and ESET discuss the complexity of the modern security landscape, including the extent to which security software should interact directly with the Windows kernel.
Weeks prior, Microsoft told the Financial Times it “had not ruled out completely blocking access to the Windows kernel” in considering options to make its systems more stable.
Granting kernel-level access to vendors carries significant risk: code running in the kernel is not isolated the way a user-mode process is, so a bug or bad update in a single driver can crash the whole operating system rather than just one application. The CrowdStrike incident showed this at scale, when a faulty update to its kernel-mode sensor left large numbers of Windows hosts crashing at boot.
Yet limiting kernel access could come at the cost of effectiveness. Tools like TDSSKiller need deep system access to detect and remove rootkits, which hook or patch kernel structures so that the system's own APIs report a clean machine; a scanner confined to user mode sees only what a compromised kernel chooses to show it. Reducing this access could undermine security vendors' ability to protect systems effectively.
Microsoft must also be careful not to create a monopoly by giving its own security products exclusive access to kernel-level functions while blocking competitors from the same critical system resources.
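Before this debate can be applied to a fleet, an administrator needs to know which third-party code is actually running in the kernel today. The following script is an added example and is not part of the original article or of any vendor's tooling. It assumes an elevated PowerShell session on Windows. Because third-party kernel drivers are routinely signed through Microsoft's attestation process, the Authenticode signer alone does not identify the vendor, so the script reports the driver's self-declared CompanyName version resource alongside the signer and filters on that; the "Microsoft" match pattern is an assumption you may want to tighten.

```powershell
# Added example (not from the original article): inventory running kernel-mode
# drivers that are not Microsoft's own, so you can see which third-party vendors
# currently execute in kernel mode and which of them load at boot.
# Assumptions: elevated PowerShell 5.1+ on Windows; CompanyName is self-reported
# metadata from the driver binary, not a trust decision.

function Get-ThirdPartyKernelDriver {
    [CmdletBinding()]
    param(
        # Assumption: Microsoft's own drivers report a CompanyName containing this text.
        [string]$MicrosoftPattern = 'Microsoft'
    )

    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName } |
        ForEach-Object {
            # WMI reports NT-style paths (\??\C:\..., \SystemRoot\..., or a path
            # relative to the Windows directory); normalise to a filesystem path.
            $path = $_.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
            if (-not [System.IO.Path]::IsPathRooted($path)) {
                $path = Join-Path $env:SystemRoot $path
            }
            if (-not (Test-Path -LiteralPath $path)) { return }

            $file = Get-Item -LiteralPath $path
            $sig  = Get-AuthenticodeSignature -LiteralPath $path
            $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }

            [pscustomobject]@{
                Name        = $_.Name
                DisplayName = $_.DisplayName
                StartMode   = $_.StartMode      # 'Boot' drivers load before any user-mode recovery tooling
                CompanyName = $file.VersionInfo.CompanyName
                Signer      = $signer
                SigStatus   = $sig.Status
                Path        = $path
            }
        } |
        Where-Object { -not $_.CompanyName -or $_.CompanyName -notmatch $MicrosoftPattern }
}

# Usage: boot-start drivers first, since a crash there is the hardest to recover from remotely.
Get-ThirdPartyKernelDriver | Sort-Object StartMode, Name | Format-Table -AutoSize
```

Drivers with an empty CompanyName are kept in the output deliberately; a kernel-mode binary with no vendor metadata is worth a closer look rather than a silent exclusion.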
Even so, the idea of restricting kernel access isn't new. Apple made a similar change in October 2019 with the release of macOS Catalina 10.15, which introduced system extensions and deprecated kernel extensions (kexts). System extensions let software such as network filters and endpoint security agents run in user space, with the kernel exposing the events and hooks they need through Apple-controlled frameworks. This reduced the attack surface and the blast radius of a vendor bug by limiting direct kernel interaction, but it also required security vendors to rewrite their tools against the new interfaces.
Understanding how Apple's restrictions on kernel access affected security operations could offer valuable insight as Microsoft considers similar changes. However, while improving kernel-level security is critical, I believe it's also essential to address the broader implications of incidents like the CrowdStrike outage.
In my opinion, the real issues with the CrowdStrike incident weren't just the kernel-level access or the incident itself, but the sheer number of affected systems, the difficulty of recovering machines stuck in a blue screen of death (BSOD) loop, and the unpreparedness of many organizations to function without access to their computer systems. These factors should be the primary focus of future remediation efforts.
Microsoft’s article about the Windows Endpoint Security Ecosystem Summit can be found on the Windows blog.