Windows Server 2022 Security Hardening Guide for Administrators
As with all recent versions of Windows Server, Microsoft has enhanced the security capabilities of Windows Server 2022 to protect this important infrastructure component.
The release of Windows Server 2022 introduced several important security enhancements. While there is no requirement for states to upgrade to Windows Server 2022 before support for older versions of Windows Server ends, it is a good idea to consider migrating to Windows Server 2022, especially for critical infrastructures such as domain controllers. An upgrade from Windows Server 2022 brings the benefit of security features not found in earlier versions of Windows Server. Given the sensitive nature of domain controllers and other data center infrastructure components, it makes sense to harden these servers as much as possible using Microsoft’s latest server operating system.
Windows Server Core Security Improvements
One tool offered to administrators to harden the Windows environment is the Microsoft Security Compliance Toolkit, which contains Windows Server 2022’s security foundation, consisting of Group Policy Objects (GPOs) configured according to Microsoft’s recommended best practices. The toolkit includes a Policy Viewer utility to compare a system’s configuration to baseline security settings.
The Microsoft Security Compliance Toolkit is not a new tool, but Microsoft has made some changes to the baselines for Windows Server 2022. For example, the domain controller browser restrictions list shows Internet Explorer, because Edge is the browser recommended by Microsoft. Similarly, the Windows Server 2022 security baseline now treats script scanning as a security best practice. Microsoft has also made it a good practice that only administrators can install print drivers.
Get started with Windows Server 2022 security baselines
To get started, you will need to visit the Microsoft Security Compliance Toolkit page and download the Windows Server 2022 Security Baseline and Policy Analyzer as .zip files that you will need to extract.
To compare a Windows Server 2022 system to the security baseline, run the PolicyAnalyzer.exe file. Once the interface is open, click on the Add then follow the prompts to open the policy file importer. Now select the Add files from GPOs option in the File menu, as shown in Figure 1.
The Policy File Importer now displays available GPOs, as shown in Figure 2. GPOs are role-specific. For example, there are general-purpose GPOs, but there are different GPOs for domain controllers, which need to be hardened more than basic servers.
Choose the policy file to use, then click the Import button. When prompted, save the imported GPO as a policy rules file. If you want to compare the baseline to the current state of a server, click the button View/Compare button. This opens the Policy Viewer to compare the baseline to the actual system state, as shown in Figure 3.
During its comparison test, the Policy Analyzer will highlight the differences between the security baseline and the current system GPOs. The tool will also check for unnecessary or conflicting settings. Admins can export their results to Excel and create a snapshot to review changes at another time.
You can find more details about the Windows Server 2022 security baselines at the following link.
What tools can help harden Windows Server 2022 security?
Microsoft introduced several security features in Windows Server 2022, including:
- Secure server. Windows Server 2022 supports the use of secure hardware, which stores cryptographic keys inside the processor rather than in a separate Trusted Platform Module (TPM) chip. This greatly improves the security of the keys by making them much harder to access, even if an attacker has physical possession of the machine.
- Material root of trust. Windows Server 2022 uses TPM 2.0 on the motherboard or newer processors to implement its Secure Boot feature to check for unauthorized code before loading the operating system.
- Firmware protection. Traditionally, anti-malware software cannot scan system firmware. If a server is equipped with a secure-core processor, it can verify the boot process through a dynamic root of trust for measurement technology. It is also possible to isolate the drivers using direct memory access protection.
- UEFI Secure Boot. With this feature, the system will only boot firmware and operating system files that the server manufacturer trusts to protect against rootkit attacks.
- Virtualization-based security. This security feature stores credentials and keys in a secure container that the operating system cannot directly access to prevent breach in the event of a malware attack.
- HTTPS and Transport Layer Security (TLS) 1.3 enabled by default. Microsoft enabled HTTPS and TLS 1.3 by default in Windows Server 2022 to replace older, less secure protocols. Administrators may need to configure applications or services to use it.
- Secure DNS. This feature, also known as DNS-over-HTTPS, encrypts DNS queries to improve privacy by securing traffic to prevent network eavesdropping.
- SMB East-West encryption. This feature scrambles communications within Storage Spaces Direct clusters to protect data transfer between servers.
- SMB Direct and RDMA encryption. The SMB Direct feature for high-speed transfers in file servers now supports encryption. Windows Server 2022 performs encryption before data placement for much better performance compared to earlier manifestations of this technology.
- SMB over QUIC. This feature, combined with TLS 1.3, uses a relatively new transport protocol so data can be accessed securely without the need for a VPN. This feature is only available in Windows Server 2022 Datacenter Azure Edition.
Windows Server 2022 Security Hardening Best Practices
When securing a Windows server, it is important to remember to practice defense in depth. The idea behind this concept is that no security mechanism is without its weaknesses, so it’s best to create a layered approach that uses a variety of security features.
The Security Compliance Toolkit helps verify system settings, but there are other actions administrators should consider to enhance server security. For example, you might consider using Just Enough Administration and domain isolation policies. Whenever possible, it’s also a good idea to configure Windows servers to run in primary server mode.
Finally, each Windows server should be dedicated to a specific purpose. Running multiple roles or applications on a single server can lead to unintended permissions elevations that could compromise your security.