This Windows Server 2022 release is in our Long-Term Servicing Channel (LTSC). It builds on Windows Server 2019, our fastest adopted Windows Server ever. This release includes advanced multi-layer security, hybrid capabilities with Azure, and a flexible platform to modernize applications with containers.
As an LTSC release, Windows Server 2022 includes the Desktop Experience and Server Core installation options for the Datacenter and Standard editions. Security features that are part of the current Windows 10 release (20H2) are now included in Windows Server 2022, such as tamper protection and reputation-based protection.
Security in Windows Server 2022
It’s no secret that most businesses worldwide are struggling with IT security. As organizations and society become more and more reliant on digital systems, there are just too many avenues for increasingly sophisticated attackers to find a way in. Compromising systems before they start up, through bootkits or rootkits, is becoming more popular, and building on the work Microsoft has done for Secured-core PCs, Windows Server 2022 brings Secured-core Servers.
If you haven’t heard of Secured-core, think of it as marrying a Trusted Platform Module (TPM) 2.0 chip for securely storing secrets, BitLocker for full volume drive encryption and Virtualization Based Security (VBS) to protect credentials while the system is running. In other words, all the optional Microsoft security features that you could turn on for a normal PC, but enabled out of the box. First out of the gate was Surface Pro X (which I’m writing this article on), but Secured-core PCs are available from Lenovo, Dell, Panasonic, HP and others.
For servers this means that when you purchase a system with this label, the OEM will have provided secure firmware and drivers and will have enabled all these security features out of the box. You can also check on the status of your servers, and enable security features, using the new add-in for Windows Admin Center (WAC).
Note that Secured-core servers lay the foundation for the forthcoming generation of processors from Intel, AMD and Qualcomm that will include the Pluton security processor, built on security features first seen in Xbox One. TPM has been very successful over the last 10 years as the first broadly available hardware security root of trust, but because it is a separate chip, advanced attacks target the connection between the TPM chip and the main CPU to gain access to secure information or tamper with the data. Because Pluton is built into the processor itself, it will mitigate this vector.
Trusted Platform Module
TPM provides storage for security information such as BitLocker keys, while Secure Boot checks the signatures of all boot software (UEFI firmware, EFI applications and the OS itself) to ensure that they haven’t been subverted by a rootkit.
Virtualization-based Security (VBS) uses hardware virtualization (based on Hyper-V technology, but don’t think of this as a separate VM, just an isolated part of the memory space in the OS) to stop attacks against credentials (Pass-the-Hash or Mimikatz, for example). VBS is also the platform for Hypervisor-Enforced Code Integrity (HVCI), which protects the Control Flow Guard (CFG) bitmap from modification, provides a valid certificate for Credential Guard and checks that device drivers have an EV certificate.
Control Flow and System Guard
Control Flow Guard is a way that Windows protects against malicious applications corrupting the memory of legitimate applications. System Guard is the umbrella term for taking the above technologies and providing these security guarantees for Windows: protect the integrity of the system as it starts up, and validate this through local and remote attestation. It uses Static Root of Trust for Measurement (SRTM), Dynamic Root of Trust for Measurement (DRTM) and System Management Mode (SMM) protection to achieve this.
Boot Direct Memory Access (DMA) protection is part of Kernel DMA Protection, which can stop attacks against BitLocker and other security technologies that rely on storing secrets in memory while the system is running. Plug a drive with malicious software into a port that supports DMA mapping for fast transfers and hey presto, it just read your BitLocker key; with DMA protection this isn’t possible.
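As an added example that is not from the article or from Microsoft, the following PowerShell (run elevated on the server being checked) reads the building blocks the section above describes, TPM 2.0, Secure Boot, BitLocker, VBS, HVCI, Credential Guard and System Guard Secure Launch (DRTM), and lists which ones a Secured-core baseline would expect but are missing. The cmdlets, CIM classes and status codes are the in-box ones; the function names and the baseline list are my own assumptions.

```powershell
# Added example, not the article's or Microsoft's code. Audits the Secured-core
# building blocks on the local server. Run from an elevated PowerShell session.
# Function names (Get-SecuredCoreStatus, Test-SecuredCoreBaseline) are my own.

function Get-SecuredCoreStatus {
    $s = [ordered]@{}

    # TPM: Get-Tpm is in the in-box TrustedPlatformModule module; Win32_Tpm
    # carries the spec version so a TPM 1.2 part is not mistaken for TPM 2.0.
    $tpm = Get-Tpm
    $s.TpmPresent     = $tpm.TpmPresent
    $s.TpmReady       = $tpm.TpmReady
    $s.TpmSpecVersion = (Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                                         -ClassName Win32_Tpm).SpecVersion

    # Secure Boot: Confirm-SecureBootUEFI throws on a legacy-BIOS machine.
    try   { $s.SecureBoot = Confirm-SecureBootUEFI -ErrorAction Stop }
    catch { $s.SecureBoot = $false }

    # BitLocker on the OS volume. The BitLocker cmdlets only exist once the
    # BitLocker feature is installed, so treat their absence as "not protected".
    if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
        $osVol = Get-BitLockerVolume -MountPoint $env:SystemDrive
        $s.OsVolumeProtection = [string]$osVol.ProtectionStatus   # On / Off
        $s.OsVolumeCipher     = [string]$osVol.EncryptionMethod   # e.g. XtsAes256
    } else {
        $s.OsVolumeProtection = 'BitLockerNotInstalled'
        $s.OsVolumeCipher     = ''
    }

    # VBS and the services running on it, from the Win32_DeviceGuard class.
    #   VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but not running, 2 = running
    #   SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI,
    #                            3 = System Guard Secure Launch (DRTM), 4 = SMM firmware measurement
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    $vbsText = @{ 0 = 'Off'; 1 = 'EnabledNotRunning'; 2 = 'Running' }
    $svcText = @{ 1 = 'CredentialGuard'; 2 = 'HVCI'; 3 = 'SystemGuardSecureLaunch'; 4 = 'SmmFirmwareMeasurement' }
    $s.VBS = $vbsText[[int]$dg.VirtualizationBasedSecurityStatus]
    $s.SecurityServicesRunning = @($dg.SecurityServicesRunning | ForEach-Object {
        if ($svcText.ContainsKey([int]$_)) { $svcText[[int]$_] }
    })

    [pscustomobject]$s
}

function Test-SecuredCoreBaseline {
    $s = Get-SecuredCoreStatus
    $gaps = [System.Collections.Generic.List[string]]::new()

    if (-not $s.TpmReady)                  { $gaps.Add('TPM not present or not ready') }
    if ($s.TpmSpecVersion -notlike '2.0*') { $gaps.Add("TPM spec is '$($s.TpmSpecVersion)', not 2.0") }
    if (-not $s.SecureBoot)                { $gaps.Add('Secure Boot is off or unsupported') }
    if ($s.OsVolumeProtection -ne 'On')    { $gaps.Add('OS volume is not BitLocker-protected') }
    if ($s.VBS -ne 'Running')              { $gaps.Add('VBS is not running') }
    foreach ($svc in 'HVCI', 'CredentialGuard', 'SystemGuardSecureLaunch') {
        if ($s.SecurityServicesRunning -notcontains $svc) { $gaps.Add("$svc is not running") }
    }
    # Kernel DMA Protection is not exposed by Win32_DeviceGuard; read it from
    # msinfo32 ("Kernel DMA Protection") or the WAC add-in the article mentions.

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Compliant    = ($gaps.Count -eq 0)
        Gaps         = $gaps.ToArray()
        Status       = $s
    }
}

Test-SecuredCoreBaseline | Format-List
```

A host that the OEM shipped as Secured-core should report `Compliant = True`; on a machine where VBS is enabled in the registry but the hypervisor never started (old firmware, IOMMU off), `VBS` shows `EnabledNotRunning` and the services list is empty, which is the case worth catching before relying on Credential Guard.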
Other security enhancements
Windows Server 2022 will have the latest version of Transport Layer Security (TLS), 1.3, enabled by default, but this version will be available across earlier Windows Server versions as well. When managing lots of Windows or Hyper-V containers across a server farm, the preferred approach is to give them an identity in Active Directory using group Managed Service Accounts (gMSA), but today that requires you to domain-join the container host; in 2022 this won’t be necessary. And if you’re encrypting your SMB (file server) traffic, you can now use AES-256 encryption.
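The SMB and TLS points above, as an added example that is not from the article or from Microsoft: the first function sets the cipher preference on a Windows Server 2022 file server so that AES-256 is negotiated wherever the client supports it, optionally requiring encryption for every share; the second reads the Schannel registry keys that decide whether TLS 1.3 is enabled for the client and server sides. The `-EncryptionCiphers` parameter exists only on Windows Server 2022 and later; the function names are my own.

```powershell
# Added example, not the article's or Microsoft's code. Run elevated on a
# Windows Server 2022 file server; the -EncryptionCiphers parameter is new in
# that release and Set-SmbServerConfiguration on older versions rejects it.
# Function names (Set-SmbAes256Preferred, Get-TlsProtocolState) are my own.

function Set-SmbAes256Preferred {
    param(
        # Also encrypt every share and refuse clients that cannot encrypt.
        [switch]$RequireEncryption,
        # Drop AES-128 entirely. Only safe once every client is Windows 11 /
        # Server 2022 or later, because older SMB 3 clients only speak AES-128.
        [switch]$Aes256Only
    )

    $before = (Get-SmbServerConfiguration).EncryptionCiphers

    # The list is in preference order: AES-256 first, AES-128 kept as the fallback.
    $ciphers = if ($Aes256Only) { 'AES_256_GCM,AES_256_CCM' }
               else             { 'AES_256_GCM,AES_256_CCM,AES_128_GCM,AES_128_CCM' }
    Set-SmbServerConfiguration -EncryptionCiphers $ciphers -Force

    if ($RequireEncryption) {
        # EncryptData: encrypt all shares. RejectUnencryptedAccess: no unencrypted fallback.
        Set-SmbServerConfiguration -EncryptData $true -RejectUnencryptedAccess $true -Force
    }

    $after = Get-SmbServerConfiguration
    [pscustomobject]@{
        CiphersBefore           = $before
        CiphersAfter            = $after.EncryptionCiphers
        EncryptAllShares        = $after.EncryptData
        RejectUnencryptedAccess = $after.RejectUnencryptedAccess
    }
}

function Get-TlsProtocolState {
    param([string]$Protocol = 'TLS 1.3')

    # Schannel reads a per-protocol, per-side key. An absent key or value means
    # "use the OS default", which for TLS 1.3 on Server 2022 is enabled.
    $base = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\$Protocol"
    foreach ($side in 'Client', 'Server') {
        $p = Get-ItemProperty -Path (Join-Path $base $side) -ErrorAction SilentlyContinue
        $enabled  = if ($null -eq $p -or $null -eq $p.Enabled)           { 'OSDefault' } else { $p.Enabled }
        $disabled = if ($null -eq $p -or $null -eq $p.DisabledByDefault) { 'OSDefault' } else { $p.DisabledByDefault }
        [pscustomobject]@{
            Protocol          = $Protocol
            Side              = $side
            Enabled           = $enabled
            DisabledByDefault = $disabled
            # Someone has switched the protocol off if Enabled is 0 or DisabledByDefault is 1.
            ExplicitlyOff     = ($enabled -eq 0) -or ($disabled -eq 1)
        }
    }
}

Set-SmbAes256Preferred -RequireEncryption | Format-List
Get-TlsProtocolState | Format-Table -AutoSize
```

Out of the box the server lists the AES-128 ciphers first, so AES-256 is only used if you reorder the list as above; `-RequireEncryption` is the setting that actually stops clear-text SMB on the wire, and `Get-TlsProtocolState` returning `OSDefault` on both sides is the expected result on a fresh Windows Server 2022 install.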
Windows Server 2022 Scalability
Another headline in the announcement is the increase in scalability: a physical server can now have 48 TB of RAM and 64 sockets with 2048 logical processors (cores, or hyperthreaded cores). While these figures are incredible (VMware vSphere 7 Update 1 supports 24 TB and 768 CPUs per host), they matter to exactly 0.000001% of Windows Server customers. And mostly that customer is Microsoft itself, where in Azure the benefit of humongous machines is the ability to provide gigantic VMs for SAP and other huge database workloads for enterprises with very deep pockets. On the other end of the spectrum, the Server Core container image for Windows Server 2022 is 1 GB (20%) smaller than in previous versions, shaving start-up and transfer times for containers running the Windows Server 2022 container image.
Other Enhancements in Windows Server 2022
Windows Server 2022 will also bring (in the right context; details are scant at the moment) another feature that’s been forged in the fire of Azure’s hosts: reboot-less patching. Here patches are applied to a running OS without requiring a restart, improving uptime. If you’re running a mix of Windows and Linux containers in Kubernetes, you can use Calico to manage networking across the entire cluster. If you’re running globally distributed applications, managing time zones in containers has been difficult (it’s based on the host’s time zone, making it difficult to move containers around); virtualized time zones in Windows Server 2022 will take care of this. Speaking of Linux, Microsoft is aiming to bring the improved boot security to Linux as well, just as they’re doing in Azure.
Windows Server 2022 and the Hybrid World
Most of the presentation at Ignite on Windows Server 2022 was taken up by talking about features around, not in, the product itself, such as the ones recently released in the GA 2103 version of Windows Admin Center. Windows Admin Center can now be run in the Azure portal, can automatically update your extensions, supports outbound proxy configuration, lets you pop out tools into separate browser windows, brings a revamped Event Viewer UI (the first update since 1993, believe it or not) and lets you reassign virtual switches when moving a VM from one host or cluster to another. WAC also supports HTTP/2, which means faster performance.