Windows Server 2022 Is Coming! — Virtualization Review


Windows Server 2022 Is Coming!

The big theme of Windows Server 2022 is security, primarily bringing the Secured-core concept from Windows client to the server world with Secured-core Server.

The next version of Windows Server will be known as Windows Server 2022 and has been in public preview since Ignite in March 2021. The Long-Term Servicing Channel (LTSC: five years of mainstream plus five years of extended support) release is planned for later in 2021.

There was a time when this would have been huge news, with (nearly) every IT shop on the planet looking for new features that were going to make their life easier and planning how to convince bosses to approve the upgrade. That’s not really the case anymore.

The preview news had a single 30-minute presentation devoted to it, and half that presentation covered updates to Azure and Windows Admin Center, tangentially connected to Windows Server.

This isn’t to say that there aren’t some interesting things coming that will probably make your life easier, but it sends a clear message: Windows Server isn’t the priority at Microsoft that it was some years ago. We have two sources for what new features we can expect: the presentation at Ignite and the Semi-Annual Channel (SAC) releases of Windows Server. If you have Software Assurance for your Windows Server licenses and want the latest from the server team, there are actually two releases of Windows Server with new features each year, as long as you don’t mind running Server Core only and upgrading at least every 18 months (each SAC release is supported for 18 months). This blog post from August 2020 and this one from September 2020 are further sources for what’s coming.

A Strong Focus on Security
Security is the big theme of Windows Server 2022, and the centerpiece is bringing the Secured-core concept from Windows client to the server world. Secured-core PCs are a class of machine you can buy from Microsoft, Lenovo, Dell, Panasonic, HP and others that ship with a Trusted Platform Module (TPM) 2.0, BitLocker turned on and Virtualization-Based Security (VBS) isolating credentials while the system is running. Instead of you enabling these (and other) security features after taking delivery, they are all turned on out of the box. Secured-core Server applies the same requirements to server hardware.

On servers this protects against bootkits and rootkits, malware designed to compromise the system before the OS starts and thereby bypass any defenses running inside it. To carry the Secured-core Server label the OEM must ship firmware and drivers that meet the Secured-core requirements and enable these features by default.

To audit this across a fleet of servers, there’s a new extension for Windows Admin Center that lists which of the six requirements each server meets. Here’s a one-year-old Dell Hyper-V host with quite a few missing.

[Image] Windows Admin Center Secured-core features (source: Microsoft).

There’s been some interesting work in the security community over the last few years demonstrating issues with discrete TPMs: because the TPM is a separate chip on the motherboard, the traffic between it and the CPU can be sniffed or manipulated on the bus. The new Secured-core Server platform lays the foundation for the forthcoming Pluton security processor, built on technology first shipped in the Xbox One. Pluton differs from a discrete TPM in that it is part of the CPU itself, so there is no external bus to tap; all three main CPU vendors, Qualcomm, Intel and AMD, are on board with Pluton.

Each of the six areas shown above protects a different part of the boot process and the OS, so let’s look at them in detail. The TPM holds BitLocker keys and other secrets and key material, sealed to measurements of the boot chain so they are only released when the system booted as expected, while Secure Boot verifies signatures on boot software (UEFI drivers and option ROMs, EFI applications and the Windows boot manager) to ensure that they haven’t been replaced by a bootkit.

Virtualization-Based Security (VBS) uses hardware virtualization (Hyper-V technology, but don’t think of it as a separate VM; it’s an isolated region of memory that the hypervisor keeps the normal Windows kernel from reading) to stop credential theft attacks like Pass-the-Hash via Mimikatz, because with Credential Guard the LSASS secrets live inside that isolated region. Also built on VBS is Hypervisor-Enforced Code Integrity (HVCI), which runs kernel-mode code integrity checks inside the isolated environment so that only signed, allowed code can execute in the kernel; it protects the Control Flow Guard (CFG) bitmap from modification, provides a valid certificate for Credential Guard and checks that device drivers are signed with an Extended Validation (EV) certificate. Control Flow Guard is a compiler and runtime mitigation that restricts where an indirect call can land, which lets Windows defend against exploits that corrupt the memory of legitimate applications to hijack their control flow.

System Guard sits on top of these features and provides the following guarantees for Windows: it protects the integrity of the system as it starts up and lets you validate this through local and remote attestation, using a Static Root of Trust for Measurement (SRTM), a Dynamic Root of Trust for Measurement (DRTM, surfaced as System Guard Secure Launch) and System Management Mode (SMM) protection.

Boot Direct Memory Access (DMA) protection is part of Kernel DMA Protection, which guards BitLocker keys and other secrets held in memory while the OS is running, and during startup before the OS’s own drivers have loaded. The classic attack is to plug a malicious device into a port that offers DMA (Thunderbolt, for example) on a running, locked machine and read the BitLocker key straight out of memory. DMA gives devices fast transfers directly into memory (as it says on the tin), and that is exactly the risk; Kernel DMA Protection mitigates it by putting the IOMMU between such devices and system memory so they can only reach memory the OS has mapped for them. These improvements aren’t just for Windows: Microsoft wants to bring the improved boot security to Linux as well, just as it is doing in Azure.
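The Windows Admin Center extension gives you the six-item checklist in a GUI, but a practitioner usually wants the same data from PowerShell so it can be scripted across a fleet. The script below is an added example, not code from the article, Microsoft or the WAC extension. It reads the TPM spec version, Secure Boot state and the Win32_DeviceGuard class over WinRM and maps them onto the six requirements discussed above. The numeric codes follow Microsoft’s documented meanings for that class; the host names in the usage lines are made up, and treating “DMA protection available” as the Boot DMA requirement being met is an assumption noted in the code.

```powershell
# Added example: audit the six Secured-core Server requirements over WinRM.
# Not from the article or Microsoft. Run from an elevated session on a machine
# that can reach the targets with PowerShell remoting.

function Get-SecuredCoreStatus {
    [CmdletBinding()]
    param(
        [Parameter(ValueFromPipeline)]
        [string[]] $ComputerName = @($env:COMPUTERNAME)
    )
    process {
        Invoke-Command -ComputerName $ComputerName -ScriptBlock {
            # TPM: the spec version is a string such as "2.0, 0, 1.38" on the Win32_Tpm class.
            $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                                   -ClassName Win32_Tpm -ErrorAction SilentlyContinue
            $tpmSpec = if ($tpm) { ($tpm.SpecVersion -split ',')[0].Trim() } else { 'none' }

            # Secure Boot: the cmdlet throws on a legacy BIOS system, which counts as "not met".
            $secureBoot = $false
            try { $secureBoot = [bool](Confirm-SecureBootUEFI) } catch { }

            # VBS, HVCI, System Guard and DMA protection all come from Win32_DeviceGuard.
            #   VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but not running, 2 = running
            #   SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI,
            #                            3 = System Guard Secure Launch (DRTM), 4 = SMM firmware measurement
            #   AvailableSecurityProperties: 3 = DMA protection is available (IOMMU present and usable)
            $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                                  -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
            $running   = @($dg.SecurityServicesRunning)
            $available = @($dg.AvailableSecurityProperties)

            $result = [ordered]@{
                ComputerName      = $env:COMPUTERNAME
                Tpm20             = ($tpmSpec -eq '2.0')
                SecureBoot        = $secureBoot
                VbsRunning        = ($dg.VirtualizationBasedSecurityStatus -eq 2)
                HvciRunning       = ($running -contains 2)
                CredentialGuard   = ($running -contains 1)
                SystemGuardLaunch = ($running -contains 3)
                # Assumption: "available" is used as a proxy for "enforced". msinfo32's
                # "Kernel DMA Protection" line is the authoritative on/off view.
                BootDmaProtection = ($available -contains 3)
            }
            $required = 'Tpm20','SecureBoot','VbsRunning','HvciRunning',
                        'SystemGuardLaunch','BootDmaProtection'
            $result.Missing     = @($required | Where-Object { -not $result[$_] }) -join ','
            $result.SecuredCore = ($result.Missing -eq '')
            [pscustomobject]$result
        }
    }
}

# Usage (host names are constructed for the example):
#   Get-SecuredCoreStatus -ComputerName 'hv01','hv02' | Format-Table -AutoSize
#   Get-SecuredCoreStatus -ComputerName 'hv01','hv02' | Where-Object { -not $_.SecuredCore }
```

Credential Guard is reported alongside the six required items because it is the feature that actually puts VBS to work on credentials; a host can have VBS running with Credential Guard off, which the WAC checklist alone will not tell you.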

Apart from the Secured-core Server features, Windows Server 2022 ships with the newest version of Transport Layer Security (TLS), 1.3, enabled by default, and offers AES-256 encryption (AES-256-GCM and AES-256-CCM) for SMB traffic.
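Neither of those two changes is enforced by default: SMB encryption is still opt-in per server or per share, and the new AES-256 suites are only used if the negotiation order favours them. The snippet below is an added example, not from the article or Microsoft, showing how to require SMB encryption with AES-256 preferred on a Windows Server 2022 host and how to confirm that Schannel has TLS 1.3 suites available and not disabled by policy. It assumes Windows Server 2022 (the EncryptionCiphers parameter does not exist on 2019) and an elevated session.

```powershell
# Added example, not from the article: SMB encryption with AES-256 first, plus a
# TLS 1.3 readiness check. Assumes Windows Server 2022 and an elevated session.

function Set-SmbAes256Encryption {
    # Require encryption on every share and reject clients that cannot encrypt,
    # so there is no silent fallback to cleartext for older SMB dialects.
    Set-SmbServerConfiguration -EncryptData $true -RejectUnencryptedAccess $true -Force

    # Put the AES-256 suites first in the negotiation order; AES-128 remains as a
    # fallback for clients that do not yet support AES-256 (pre-2022 Windows).
    Set-SmbServerConfiguration -EncryptionCiphers 'AES_256_GCM, AES_256_CCM, AES_128_GCM, AES_128_CCM' -Force

    Get-SmbServerConfiguration |
        Select-Object EncryptData, RejectUnencryptedAccess, EncryptionCiphers
}

function Test-Tls13Ready {
    # TLS 1.3 suites carry no key-exchange prefix, which is how they are told apart here.
    $tls13Names = 'TLS_AES_256_GCM_SHA384', 'TLS_AES_128_GCM_SHA256', 'TLS_CHACHA20_POLY1305_SHA256'
    $present = @(Get-TlsCipherSuite | Select-Object -ExpandProperty Name |
                 Where-Object { $_ -in $tls13Names })

    # Absence of the Schannel key means the built-in default (enabled on 2022) applies;
    # an explicit Enabled=0 under the TLS 1.3 server key disables it.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server'
    $value = Get-ItemProperty -Path $key -Name Enabled -ErrorAction SilentlyContinue
    $disabledByPolicy = ($null -ne $value -and $value.Enabled -eq 0)

    [pscustomobject]@{
        Tls13Suites      = $present
        DisabledByPolicy = $disabledByPolicy
        Tls13Ready       = ($present.Count -gt 0 -and -not $disabledByPolicy)
    }
}

# Usage:
#   Set-SmbAes256Encryption
#   Test-Tls13Ready
#   Get-SmbShare | Select-Object Name, EncryptData     # per-share view after the change
```

Note that RejectUnencryptedAccess is the setting that turns encryption from a preference into a requirement; with EncryptData alone, a share-level or client-side mismatch can still yield an unencrypted session.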

Windows Server 2022 also makes it possible to give containers an identity in Active Directory using group Managed Service Accounts (gMSAs) without domain-joining the container host, which is the only supported way to do it today.

[Image] Windows Server 2022 preview build 20317.1; it looks like Windows Server 2016/2019 (source: Microsoft).

Networking Improvements
There is one feature coming that I think any IT pro dealing with on-premises deployments and remote access will love, and that’s MsQuic. This is Microsoft’s implementation of the QUIC protocol, and Microsoft has open sourced it.
