Windows Server 2022 is coming! – Virtualization review



The big theme of Windows Server 2022 is security – primarily bringing the concept of Secure Core from the Windows client to the server world with Secure Core Servers.

The next version of Windows Server will be known as 2022 and has been in public preview since Ignite in March 2021. The Long-Term Servicing Channel release (LTSC = five years mainstream + five years extended support) is scheduled for later in 2021.

There was a time when this would have been huge news, with (almost) every IT shop on the planet scouring the list of new features that would make their life easier and planning how to get the boss to approve the upgrade. This is no longer really the case.

The preview had a single 30-minute session dedicated to it, and half of that session covered updates to Azure and Windows Admin Center that are only tangentially connected to Windows Server.

That’s not to say that there aren’t some cool things to come that will likely make your life easier, but it sends a clear message: Windows Server is not the priority at Microsoft that it was a few years ago. We have two sources for the new features we can expect: the Ignite session, and the Semi-Annual Channel (SAC) releases of Windows Server. If you have Software Assurance for your Windows Server licenses and want to use the latest from the server team, there are actually two releases of Windows Server with new features each year, as long as you don’t mind running Server Core only and upgrading at least every 18 months. This blog post from August 2020 and this one from September 2020 are further sources for what’s to come.

A strong emphasis on security
The big theme of Windows Server 2022 is security – primarily bringing the concept of Secured-core from the Windows client to the server world with Secured-core Servers. A Secured-core PC is a type of PC you can buy from Microsoft, Lenovo, Dell, Panasonic, HP and others that has a Trusted Platform Module (TPM) 2.0 chip, BitLocker enabled, and Virtualization-Based Security (VBS) to protect credentials while the system is running. Instead of you activating these security features (and others) after taking delivery, everything is enabled right out of the box.

On servers, this protects against bootkits and rootkits: malware designed to compromise the system before it boots, thereby bypassing any defenses running in the operating system. To carry the Secured-core Server label, an OEM must ship secure firmware and drivers and enable these features by default.

To be able to audit this across a fleet of servers, there is a new extension for Windows Admin Center that lists which of the six requirements a server meets. Here’s a one-year-old Dell Hyper-V host with quite a few missing pieces.

Secured-core functionality in Windows Admin Center (source: Microsoft).

There has been some interesting work in the security community over the past few years demonstrating issues with discrete TPMs: the TPM is a separate component on the motherboard, and traffic between it and the rest of the system can be manipulated. The new Secured-core Server platform lays the foundation for the future Pluton security processor, built on technology first introduced in the Xbox One. Pluton differs from a TPM in that it is part of the processor itself; the three major vendors, Qualcomm, Intel and AMD, are integrating Pluton.

Each of the six areas pictured above protects a different part of the boot process and operating system, so let’s look at them in detail. The TPM stores BitLocker keys and other secrets and key material, while Secure Boot checks the signatures on the boot software (UEFI firmware, EFI applications, and the operating system itself) to ensure it has not been subverted by a rootkit.

Virtualization-Based Security (VBS) uses hardware virtualization (based on Hyper-V technology, but don’t think of it as a separate virtual machine, just an isolated part of the operating system’s memory space) to stop credential theft attacks such as Pass-the-Hash via Mimikatz. On top of VBS sits Hypervisor-protected Code Integrity (HVCI), which protects the Control Flow Guard (CFG) bitmap from modification, provides a valid certificate for Credential Guard, and verifies that device drivers carry an EV certificate. Control Flow Guard helps Windows protect against malicious applications that corrupt the memory of legitimate applications.

System Guard builds on these features and provides the following security guarantees for Windows: it protects the integrity of the system as it starts up and validates it through local and remote attestation using Static Root of Trust for Measurement (SRTM), Dynamic Root of Trust for Measurement (DRTM) and System Management Mode (SMM) protection.

Boot Direct Memory Access (DMA) protection is part of Kernel DMA Protection, which protects BitLocker keys and other secrets stored in memory while the operating system is running. The classic attack here is to plug a device carrying malware into a DMA-capable port on a running PC and read the BitLocker keys from memory. DMA offers fast data transfer, directly to memory (as the name says), but comes with this risk as well; boot DMA protection mitigates it. These improvements are not just for Windows: Microsoft also wants to bring improved boot security to Linux, as it does in Azure.
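As an added example (not code from the article or from Microsoft’s Windows Admin Center extension), here is a PowerShell audit that checks the six areas just described on a server and reports which are missing. It assumes the documented meanings of the Win32_DeviceGuard status codes and the Win32_Tpm SpecVersion string; the function name Get-SecuredCoreStatus and the hosts.txt file are names chosen here.

```powershell
# Added example, not from the article or the Windows Admin Center extension:
# a read-only audit of the six Secured-core areas described above, using the
# Win32_Tpm and Win32_DeviceGuard CIM classes and Confirm-SecureBootUEFI.
# Assumption: the numeric codes follow Microsoft's documented meanings
# (VirtualizationBasedSecurityStatus 2 = running; SecurityServicesRunning
# 1 = Credential Guard, 2 = HVCI, 3 = System Guard Secure Launch,
# 4 = SMM Firmware Measurement; AvailableSecurityProperties 3 = DMA protection).
# Run in an elevated PowerShell session on the server being audited.
function Get-SecuredCoreStatus {
    $status = [ordered]@{ ComputerName = $env:COMPUTERNAME }

    # 1. TPM: present, enabled, and reporting a 2.0 spec version
    $tpm = Get-CimInstance -Namespace 'root/cimv2/Security/MicrosoftTpm' `
                           -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $status['TPM2'] = [bool]($tpm -and $tpm.IsEnabled_InitialValue -and
                             $tpm.SpecVersion -like '2.0*')

    # 2. Secure Boot: the cmdlet throws on legacy BIOS systems, treat that as off
    try   { $status['SecureBoot'] = [bool](Confirm-SecureBootUEFI) }
    catch { $status['SecureBoot'] = $false }

    # 3-6. VBS, HVCI, System Guard and DMA protection are reported by Win32_DeviceGuard
    $dg = Get-CimInstance -Namespace 'root/Microsoft/Windows/DeviceGuard' `
                          -ClassName Win32_DeviceGuard
    $status['VBS']             = ($dg.VirtualizationBasedSecurityStatus -eq 2)
    $status['HVCI']            = ($dg.SecurityServicesRunning -contains 2)
    $status['CredentialGuard'] = ($dg.SecurityServicesRunning -contains 1)
    $status['SystemGuard']     = ($dg.SecurityServicesRunning -contains 3)
    $status['SMMProtection']   = ($dg.SecurityServicesRunning -contains 4)
    # "Available" means the platform exposes an IOMMU for DMA protection;
    # msinfo32's "Kernel DMA Protection" line shows whether it is enforced.
    $status['DMAProtection']   = ($dg.AvailableSecurityProperties -contains 3)

    # Summarise the gaps the same way the WAC extension does: which of the six are off
    $obj = [pscustomobject]$status
    $checks = 'TPM2','SecureBoot','VBS','HVCI','SystemGuard','DMAProtection'
    $missing = @($checks | Where-Object { -not $obj.$_ }) -join ','
    $obj | Add-Member -NotePropertyName Missing -NotePropertyValue $missing
    $obj
}

# Local run; for a fleet, push the same function over PowerShell remoting:
# Invoke-Command -ComputerName (Get-Content .\hosts.txt) -ScriptBlock ${function:Get-SecuredCoreStatus}
Get-SecuredCoreStatus | Format-List
```

Several of these values only change after a reboot (VBS, HVCI and Secure Launch are evaluated at boot), so a host that reports "enabled but not running" in VirtualizationBasedSecurityStatus (value 1) is configured but not yet protected.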

In addition to the Secured-core Server features, Windows Server 2022 will ship with the latest version of Transport Layer Security (TLS), 1.3, enabled by default, and will offer AES-256 encryption for SMB traffic.

Windows Server 2022 will also allow containers to authenticate to Active Directory using group Managed Service Accounts (gMSA), which today requires joining the container host to the domain; in 2022 this will no longer be required.

Windows Server 2022 preview 20317.1 – it looks like Windows Server 2016/2019 (source: Microsoft).

Networking improvements
There’s one upcoming feature that I think any IT professional dealing with deployments and on-premises access will love, and that’s MsQuic. This implements the QUIC protocol, and Microsoft has open-sourced its implementation.
