Microsoft announces Windows Server 2022 with new security features

Microsoft says Windows Server 2022 will come with security improvements and bring Secured-core to the Windows Server platform.

Windows Server 2022 is now in preview and “provides secure connectivity enabled by industry-standard AES 256 encryption,” as Microsoft announced today.

The next release of Windows Server will also improve hybrid server management by improving performance monitoring and event alerts in the Windows Admin Center.

“In addition, this release includes significant improvements to the Windows container runtime, such as virtualized time zones and IPv6 support for globally scalable applications, as well as container tools for .NET, ASP.NET and IIS applications,” Microsoft added at Microsoft Ignite 2021.

Windows Server 2022 also brings Secured-core to Windows Server for additional protection against a wide range of threats.

Secured-core servers with integrated threat protection

Secured-core PCs are a response to the growing number of firmware vulnerabilities that attackers can exploit to bypass Secure Boot on a Windows machine, and to the lack of firmware-level visibility in today’s endpoint security solutions.

Integrated protection features designed to protect users from threats (state-sponsored hacker attacks and common malware) that abuse driver and firmware security holes have been included on all Secured-core PCs since October 2019.

They can defend users against malware designed to take advantage of driver security holes to disable security solutions.

Secured-core PCs, developed by Microsoft in collaboration with OEM partners and silicon vendors, protect users against such attacks by meeting these requirements:

  • Securely loading Windows: With Hypervisor-Enforced Code Integrity (HVCI) enabled, a Secured-core PC starts only executables signed by known and approved authorities. In addition, the hypervisor sets and enforces memory permissions to stop malware from modifying memory and then making it executable
  • Firmware protection: System Guard Secure Launch uses the CPU to validate that the device booted securely, preventing advanced firmware attacks
  • Identity protection: Windows Hello lets you sign in without a password, and Credential Guard uses virtualization-based security (VBS) to prevent identity attacks
  • Secure and isolated hardware operating environment: Uses Trusted Platform Module 2.0 and a modern CPU with dynamic root of trust for measurement (DRTM) to boot the PC securely and minimize exposure to firmware vulnerabilities

Secured-core servers now follow the same requirements to boot securely, protect themselves from firmware security bugs, protect the operating system from attack, prevent unauthorized access, and protect users’ identities and domain credentials.

Together, Windows Server 2022 and Secured-core add the following preventive defense capabilities to servers:

  • Enhanced exploit protection: Hardware innovations enable robust, high-performance implementations of exploit mitigations. Hardware-enforced stack protection takes advantage of the latest chipset security extension, Control-flow Enforcement Technology (CET). Windows Server 2022 and protected applications are thereby defended against a common exploitation technique, return-oriented programming (ROP), which is often used to hijack a program’s intended flow of control.
  • Connection security: Secure connections are at the heart of today’s interconnected systems. Transport Layer Security (TLS) 1.3 is the latest version of the most widely deployed security protocol on the Internet, which encrypts data to provide a secure communication channel between two endpoints. TLS 1.3 removes obsolete cryptographic algorithms, improves security over older versions and aims to encrypt as much of the handshake as possible. Windows Server 2022 ships with TLS 1.3 enabled by default, protecting the data of clients connecting to the server.
  • Enhanced account support for containers: Containers are being adopted by many customers as a preferred building block for their applications and services. Customers use group managed service accounts (gMSA) as the recommended Active Directory identity solution to run a service on a server farm. Today, anyone trying to containerize their Windows services and applications with gMSA must domain-join the container host to enable gMSA functionality, which causes scalability and management problems. Windows Server 2022 brings gMSA improvements for Windows containers that let you enable gMSA support without domain-joining the host.
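As an added example (not from the article or from Microsoft), the following PowerShell script audits a Windows Server 2022 host for the Secured-core protections listed above: VBS, HVCI, Credential Guard and System Guard Secure Launch via the documented Win32_DeviceGuard class, TPM 2.0 readiness, the CET user shadow stack setting, and whether TLS 1.3 has been switched off in SCHANNEL. It assumes an elevated session on a Windows Server 2022 build, and the SCHANNEL key path is the standard protocol-override location rather than something the article states.

```powershell
# Added example: audit Secured-core protections on Windows Server 2022.
# Run in an elevated PowerShell session. Bit values for SecurityServicesRunning
# follow the Win32_DeviceGuard class documentation:
#   1 = Credential Guard, 2 = HVCI, 3 = System Guard Secure Launch, 4 = SMM firmware measurement
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
$running = @($dg.SecurityServicesRunning)

$report = [ordered]@{
    'VBS running'                = ($dg.VirtualizationBasedSecurityStatus -eq 2)
    'Credential Guard running'   = ($running -contains 1)
    'HVCI running'               = ($running -contains 2)
    'System Guard Secure Launch' = ($running -contains 3)
}

# Secured-core requires TPM 2.0; Get-Tpm comes from the built-in TrustedPlatformModule module.
$tpm = Get-Tpm
$report['TPM present and ready'] = [bool]($tpm.TpmPresent -and $tpm.TpmReady)

# Hardware-enforced stack protection (CET). The UserShadowStack entry is reported by
# Get-ProcessMitigation on builds that support it; absence is reported as "unknown".
$sysMit = Get-ProcessMitigation -System
$report['User shadow stack (CET)'] = if ($null -ne $sysMit.UserShadowStack) {
    ($sysMit.UserShadowStack | Format-List | Out-String).Trim()
} else { 'unknown' }

# TLS 1.3 is on by default in Server 2022. An explicit Enabled=0 under the SCHANNEL
# protocol key (assumed standard override location) disables it, so flag that case.
$tlsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server'
$tlsEnabled = (Get-ItemProperty -Path $tlsKey -Name Enabled -ErrorAction SilentlyContinue).Enabled
$report['TLS 1.3 server'] = if ($null -eq $tlsEnabled) { 'default (enabled)' }
                            elseif ($tlsEnabled -ne 0) { 'enabled' }
                            else { 'DISABLED by registry override' }

# Print the audit table; any $false or DISABLED line is a gap against the Secured-core baseline.
$report.GetEnumerator() | ForEach-Object { '{0,-28} {1}' -f $_.Key, $_.Value }
```

A host that reports VBS, HVCI, Secure Launch and TPM all true, with TLS 1.3 at its default, matches the server-side posture the article describes; anything else is a configuration or hardware gap to investigate.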
[Image: Secured-core server overview (source: Microsoft)]

Secured-core for Azure IoT Edge devices

Microsoft also introduced the Edge Secured-core device label at Microsoft Ignite 2021 to identify Azure IoT Edge devices that meet Secured-core specifications.

The new device label is now publicly visible in the Azure Certified Device program, after having previously been announced for Windows Enterprise devices.

“Enterprise customers looking for Internet of Things (IoT) devices that meet the security bar defined by Azure can now easily identify device models that bear the Edge Secured-core label in the Azure Device Catalog,” said Microsoft. “As part of this requirement, devices will have Azure Defender for IoT integrated.”
