Enhanced foundational security for Windows Server 2022 and Azure Stack HCI

Looking to the future, two clear trends are emerging. First, organizations around the world are building technologies, deploying applications and deploying services across the cloud and the edge. Many customers have similar goals: to thrive through improved information collection, more accurate decision making and more responsive services.  Associated with this, we see a tremendous investment in the infrastructure that ensures that these services are scalable and available.  Unfortunately, attackers are evolving to target this high value infrastructure with advanced technical capabilities. One example are marketplaces such as the MagBo portal.  This website provides access for a price to over 43,000 hacked servers, lowering the bar for entry to attack servers while providing attackers additional monetary incentives. Compromised servers are being used to mine cryptocurrency and also targeted for phishing and/or ransomware attacks.

Given the many incentives motivating these attacks, raising the bar for attackers is a clear and urgent need for Windows Server and Azure Stack HCI. Using our learnings from the Secured-core PC initiative, we are now bringing these innovations to Windows Server and Azure Stack HCI. In collaboration with our OEM partners and hardware ecosystem, we expect this effort to bring your devices advanced hardware-based protection, while maintaining ease of management.

Secured-core server

Like PCs, Secured-core server is built on three key pillars:

• Simplified security
• Advanced protection
• Preventative defense

Simplified security

When customers acquire a Secured-core server, there is an assurance that the OEM has provided a set of hardware, firmware and drivers that satisfy the Secured-core promise.  Windows Server and Azure Stack HCI systems will have easy configuration experiences in the Windows Admin Center to enable the security features of Secured-core. With Integrated Azure Stack HCI systems, OEMs will also enable the operating system features by default, further simplifying the configuration for end customers.

Advanced protection

Secured-core servers use hardware, firmware and operating system capabilities to the fullest extent to provide protection against current and future threats. The protections enabled by a Secured-core server are targeted to create a secure platform for critical applications and data used on that server. The Secured-core functionality spans the following areas:

• Hardware-based root of trust: Trusted Platform Module 2.0s (TPM 2.0) come standard with Secured-core servers. TPM 2.0 provides a secure store for sensitive keys and data, such as measurements of the components loaded during boot. This hardware-based root of trust raises the protection provided by capabilities like BitLocker which uses the TPM 2.0 and facilitates creating attestation-based workflows that can be incorporated into zero-trust security strategies.
• Firmware protection: There is a clear rise in security vulnerabilities being reported in the firmware space given the high privileges that firmware runs with and the relative opacity of what happens in firmware to traditional anti-virus solutions. Recent reports show that malware and ransomware platforms like Trickbot are adding firmware capabilities raising the risk of firmware attacks. Trickbot has already been seen targeting enterprise resources like Active Directory domain controllers. Using processor support for Dynamic Root of Trust of Measurement (DRTM) technology, along with DMA protection, Secured-core systems isolate the security critical hypervisor from attacks such as this.
• Virtualization-based security (VBS): Secured-core servers support VBS and hypervisor-based code integrity (HVCI). The cryptocurrency mining attack mentioned above leverages the EternalBlue exploit. VBS and HVCI protects against this entire class of vulnerabilities given the isolation VBS provides between the privileged parts of the operating system such as the kernel and the rest of the system. VBS also provides additional capabilities that customers can enable like Credential Guard which better protects domain credentials.

Preventative defense

Enabling Secured-core functionality helps proactively defend against and disrupt many of the paths attackers may use to exploit a system.  This set of defenses also enables IT and SecOps teams better leverage their time across the many areas that need their attention.    

Management made easy with the Windows Admin Center

Windows Admin Center now has capabilities to both report on the current state of Secured-core features and where applicable, allow customers to enable the features.

The Windows Admin Center security tool is currently available as a preview and can be accessed by the insider extensions feed. Navigate to aka.ms/WindowsAdminCenter to download the latest version of Windows Admin Center, and add aka.ms/wac-insiders-feed to your extension feed. Feedback can be shared through the Windows Admin Center User Voice: http://aka.ms/wacfeedback.

Windows Admin Center Security extension makes management easy

End-to-end security

Secured-core servers complement other security capabilities in Windows Server 2022 across multiple areas. Taken together, Secured-core and Windows Server 2022 provide the comprehensive protection that servers need today.

• Enhanced exploit protection: Hardware innovations allow for robust and performant implementations of exploit mitigations. Hardware-enforced Stack Protection will take advantage of the latest chipset security extension, Control flow Enforcement Technology. Windows Server 2022 and protected applications will be secured from a common exploit technique, return oriented programming (ROP), often used to hijack intended control flow of a program.
• Connection security: Secure connections are at the heart of today’s interconnected systems. Transport Layer Security (TLS) 1.3 is the latest version of the internet’s most deployed security protocol, which encrypts data to provide a secure communication channel between two endpoints. TLS 1.3 eliminates obsolete cryptographic algorithms, enhances security over older versions, and aims to encrypt as much of the handshake as possible. Windows Server 2022 includes TLS 1.3 enabled by default, protecting the data of clients connecting to the server.
• Improved account support for containers: Containers are being embraced by many customers as a preferred building block for their applications and services. Customers use group Managed Service Accounts (gMSA) as the recommended Active Directory identity solution for running a service across a server farm. Today, anyone trying to containerize their Windows services and applications that use gMSA is required to domain join their container host to enable gMSA functionality. This can cause scalability and management issues. Windows Server 2022 supports improvements to gMSA for Windows Containers that allow you to enable support for gMSA without domain joining the host.

For customers deploying Windows Server 2022 in Azure, the Azure Marketplace will have Windows Server 2022 virtual machine images available that have the Azure Security baselines configured by default, making it easier for customers to use Windows Server 2022 securely in Azure. More information on image configuration will be available through the Azure Security blog. 

Coming soon, with the support of the ecosystem

Secured-core servers across Windows Server 2022 and Azure Stack HCI will help customers stay ahead of attackers and protect their infrastructure across hardware, firmware, drivers and the operating system. Supported hardware will be available in future product generations from Intel, AMD and our vibrant OEM ecosystem.