With the release of Windows Server 2022, Microsoft has placed an emphasis on its Secured-core server functionality to thwart malicious actors who target on-premises workloads.
Virtualized Windows Server workloads often come from a cloud provider model that is typically configured with custom baseline security settings. In contrast, Windows Server deployments that run in on-premises environments might not have the same security configuration, making them attractive targets. Microsoft introduced the concept of the Secured-core server in Windows Server 2022 to counter hacking and ransomware attempts. Secured-core servers use the Trusted Platform Module (TPM) and other hardware features to prevent an attacker from compromising the integrity of the Windows Server operating system. With Windows Admin Center, administrators can adjust and verify Secured-core settings to simplify the rollout of these features.
Several features combine to form a Secured-core server
Microsoft's Secured-core server feature follows a defense-in-depth strategy in which, if an attacker evades one defensive measure, several others remain to stop the attacker from going deeper into the infrastructure. This Windows Server 2022 security feature verifies that the operating system has not been modified and protects data in memory to prevent the leakage of sensitive information.
A Secured-core system combines the software protections of the operating system with the hardware defenses of the server to prevent intruders from launching various attacks. A Secured-core server consists of several features that can be enabled individually or together.
Hypervisor-protected Code Integrity (HVCI). HVCI does three things. First, it prevents modifications of the Control Flow Guard bitmap to stop memory-based attacks. Second, it checks for valid certificates on trusted processes, such as Credential Guard, before they are loaded into system memory. Finally, modern device drivers must both support HVCI and have an extended validation certificate. Incompatible drivers or applications can potentially cause the server to crash with a blue screen.
Boot Direct Memory Access (DMA) protection. This feature protects the system against DMA attacks from connected devices, such as a USB drive, during the boot process and while the operating system is running by blocking their access to system memory.
System Guard. This feature uses attestation to prevent tampering with operating system files. It detects operating system files that have been modified or replaced with counterfeit files.
Secure Boot. This feature checks the integrity of low-level components used in the boot process, including Unified Extensible Firmware Interface (UEFI) firmware drivers, UEFI applications, and the operating system.
Virtualization-based Security (VBS). This feature uses hardware virtualization to store security-sensitive information in an isolated region of memory that running processes cannot access.
Trusted Platform Module. This hardware component is part of what Microsoft calls the hardware root of trust. The TPM can be a chip on the motherboard or part of the firmware that the operating system or applications cannot access. Microsoft requires version 2.0 of the TPM specification on server hardware. The TPM 2.0 chip verifies the authenticity of firmware and other software before allowing the operating system to boot. The TPM also stores cryptographic keys used with BitLocker.
How to configure a Secured-core server
Cybercriminals often target Windows Server workloads running in the data center because these deployments may not have the strictest security settings. A common problem for Windows Server administrators is the difficulty of working through security configuration. Windows Admin Center attempts to reduce the technical barriers associated with configuring and monitoring Secured-core settings.
Using Windows Admin Center to configure the Secured-core settings for Windows Server 2022 requires enabling what Microsoft calls the "insider feed" extension. Open Windows Admin Center, click Settings, then click Extensions on the left side of the screen. Next, click Feed and then click Add. When prompted, enter the https://aka.ms/wac-insiders-feed URL as shown in Figure 1. Click the Add button at the bottom right to complete the process.
After adding the extension, you can enable the Secured-core functionality if the system supports TPM 2.0. If you are running Windows Server in a virtual machine, you will need to enable a virtual TPM for that virtual machine. Virtual TPM is supported on both Hyper-V and VMware. You can see the Hyper-V virtual TPM settings in Figure 2.
Next, connect to the server to enable the Secured-core features. Click the Security option on the left side of the screen, then click the Secured-core tab near the top of the screen. Check the boxes for the desired security features. Not all systems support every Secured-core feature. For example, Figure 3 shows that this server cannot use Boot DMA Protection or System Guard. After making the selections, click the Activate option and restart the server to complete the process.
After the server is restarted, Windows Admin Center should display the selected security features that have been enabled, as shown in Figure 4.
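The script below is an added example, not part of the original article and not Windows Admin Center's own code. It reads the same platform state that the Secured-core tab reports, so the post-reboot result in Figure 4 can be confirmed from an elevated PowerShell session on the server and fed into a configuration-drift check; it assumes the SecureBoot module is present and uses the Win32_Tpm and Win32_DeviceGuard CIM classes.

```powershell
# Added verification script (example, not from the article or from Microsoft).
# Assumes an elevated PowerShell session on the Windows Server 2022 host after the reboot.

# Win32_DeviceGuard.SecurityServicesRunning values, per the documented class definition.
$RunningSvcs = @{ 1 = 'Credential Guard'; 2 = 'HVCI'; 3 = 'System Guard Secure Launch';
                  4 = 'SMM Firmware Measurement' }

$results = [ordered]@{}

# Secure Boot: Confirm-SecureBootUEFI throws on legacy-BIOS systems, which counts as "off".
try   { $results['Secure Boot'] = [bool](Confirm-SecureBootUEFI) }
catch { $results['Secure Boot'] = $false }

# TPM 2.0: SpecVersion reads like "2.0, 0, 1.38"; the Secured-core bar is the 2.0 spec.
$tpm = Get-CimInstance -Namespace root\cimv2\Security\MicrosoftTpm -ClassName Win32_Tpm `
                       -ErrorAction SilentlyContinue
$results['TPM present']  = ($null -ne $tpm)
$results['TPM 2.0 spec'] = ($null -ne $tpm) -and ($tpm.SpecVersion -like '2.0*')

# VBS, HVCI, System Guard and DMA protection come from the Device Guard CIM class.
$dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
# VirtualizationBasedSecurityStatus: 0 = off, 1 = configured but not running, 2 = running.
$results['VBS running'] = ($dg.VirtualizationBasedSecurityStatus -eq 2)
foreach ($id in $RunningSvcs.Keys) {
    $results["$($RunningSvcs[$id]) running"] = ($dg.SecurityServicesRunning -contains $id)
}
# AvailableSecurityProperties value 3 means the platform exposes DMA protection.
$results['DMA protection available'] = ($dg.AvailableSecurityProperties -contains 3)

# Report one line per feature; exit non-zero if any feature is off so a scheduled job
# or monitoring agent can flag the server for review.
$failed = 0
foreach ($name in $results.Keys) {
    if ($results[$name]) { $state = 'OK ' } else { $state = 'OFF'; $failed++ }
    '{0} {1}' -f $state, $name
}
exit $failed
```

Features the hardware cannot support (as with Boot DMA Protection and System Guard in Figure 3) will report OFF, so compare the output against the boxes you actually checked rather than expecting every line to pass.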
New Windows Server 2022 security features, combined with easier access to their setup from Windows Admin Center, are part of Microsoft's efforts to prevent malicious actors from causing disruption and launching ransomware attacks. Server hardware certified with the required firmware and running Windows Server 2022 can help organizations improve their defensive posture and avoid becoming a security statistic.