Photo by Matthew Henry on Unsplash

Security features in Windows Server 2022

Fine Tuning

Article from ADMIN 69/2022
By
The release of Windows Server 2022 adds some new security features to its server operating system that might not be earth-shattering; however, you will find Secured-core, DNS over HTTPS, TLS 1.3, and Azure Stack HCI genuinely useful in your constant fight to harden server operations.

Compared with Windows Server 2019, spectacular changes in Windows Server 2022 are few and far between. However, the sum total of improvements makes the latest version a more secure option than its predecessors. For example, the 2022 release supports Group Managed Service Accounts (gMSAs) for Windows containers without having to add the container host to the domain. This change enhances security for container hosts that you do not want to be part of your Active Directory.

If you deploy Windows Server 2022 on Microsoft Azure, you can select the images on which Azure security policies are automatically enabled, which is clear evidence of Microsoft's focus on security with its new operating system. Another factor is replacing the aging Internet Explorer on servers. Windows Server 2022 comes with the state-of-the-art Edge browser preinstalled by default in the core.

Beyond these changes, Microsoft's new Security Baseline for Windows Server 2022 ensures superior protection with additional security settings and recommendations delivered by group policies. In combination with Windows 11, Windows Server 2022 offers greater security than the combination of Windows 10 and Windows Server 2019, which makes it worth your while to take a closer look at the opportunities these innovations present.

Secured Core

Windows Server 2022 also sees Microsoft introduce the Secured-core server, which, in simple terms, is a security standard for a Windows Server: the operating system uses the hardware's security functions where they are available, and conversely, the server hardware is designed specifically for Windows Server 2022. Secured-core server gives the enterprise a coherent combination of hardware, drivers, software, and Windows Server 2022.

Secured-core uses hypervisor-protected code integrity (HVCI), kernel direct memory access (DMA) protection, SystemGuard, Secure Boot, virtualization-based security (VBS), and Trusted Platform Module (TPM) 2.0 security features. These technologies must be present and enabled on the server. Customers who purchase a Secured-core server in cooperation with a hardware manufacturer are sure to receive server hardware capable of handling the required feature set.

If Windows Server 2022 is not yet configured to support the Secured-core features, the features can be set up centrally in the Windows Admin Center (WAC). You can see the individual mandatory items for Windows Server 2022 as a Secured-core server and enable the security features there.

The new version of the WAC Security extension is essential for admins wanting to manage the hardware aspects of the Secured-core. It comes with a new Secured-core menu item (Figure 1) that you use to determine whether your hardware supports the individual features and whether they are enabled on your Windows Server 2022. To unhide the extension, type the feed address https://aka.ms/wac-insiders-feed under Extensions | Feeds in the Admin Center settings. After doing so, the extensions will be updated to give you the new version of Security.

Figure 1: Secured-core functions can be managed in the Windows Admin Center.

If your server hardware does not support individual parts of Secured-core or if they are not enabled in the Unified Extensible Firmware Interface (UEFI)/BIOS, the Windows Admin Center displays a Not supported message. If the hardware supports the Secured-core feature in question, Not configured is displayed for features that are installed on the server but not enabled. You can then use Windows Admin Center to enable these functions and proceed to configure them as needed. Conveniently, tool tips display when you mouse over the various security features.
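For a server that is not yet onboarded to Windows Admin Center, the same building blocks can be inventoried locally. The following script is an added example, not code from the article or from Microsoft; it reads the Win32_DeviceGuard and Win32_Tpm CIM classes and the Secure Boot state, and it deliberately does not guess at kernel DMA protection, which these classes do not expose (msinfo32 reports it).

```powershell
# Added example (not from the article): read-only inventory of the Secured-core
# building blocks on the local server. Kernel DMA protection is not exposed through
# these CIM classes, so it is reported as "check msinfo32" rather than guessed.
function Get-SecuredCoreStatus {
    $dg  = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm -ErrorAction SilentlyContinue

    # SecurityServicesRunning codes: 1 = Credential Guard, 2 = HVCI,
    # 3 = System Guard Secure Launch, 4 = SMM firmware measurement
    $running = @($dg.SecurityServicesRunning)

    # Confirm-SecureBootUEFI throws on a legacy-BIOS system; treat that as "not enabled"
    $secureBoot = $(try { Confirm-SecureBootUEFI } catch { $false })

    $status = [pscustomobject]@{
        SecureBoot          = $secureBoot
        Tpm2Present         = ($null -ne $tpm) -and ("$($tpm.SpecVersion)" -like '2.0*')
        # VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but not running, 2 = running
        VbsRunning          = ($dg.VirtualizationBasedSecurityStatus -eq 2)
        HvciRunning         = ($running -contains 2)
        SystemGuardRunning  = ($running -contains 3)
        KernelDmaProtection = 'check msinfo32'
    }

    # A server only qualifies as Secured-core when every checked item is true
    $status | Add-Member -NotePropertyName AllChecksPassed -NotePropertyValue (
        $status.SecureBoot -and $status.Tpm2Present -and $status.VbsRunning -and
        $status.HvciRunning -and $status.SystemGuardRunning) -PassThru
}

Get-SecuredCoreStatus | Format-List
```

A false value in the report corresponds to what the Admin Center shows as Not supported or Not configured: either the firmware lacks the feature, it is switched off in UEFI, or Windows has the component installed but not enabled. Run the script elevated; the DeviceGuard namespace is readable by administrators only.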

DNS over HTTPS

Client-side support for secure name resolution – DNS over HTTPS (DoH) – is another innovation in Windows Server 2022, and you will find it in Windows 11, too. You can configure this in Windows Server 2022 and Windows 11 under Settings | Network & Internet | Ethernet. The options DNS settings and Edit are found in the network adapter settings.

You can also use group policies to define the settings, configured under Computer configuration | Administrative templates | Network | DNS Client | Configure DNS over HTTPS (DoH) name resolution. A word of warning: If you use group policies to enable DoH in Windows Server 2022, but the DNS servers you use do not support DoH, name resolution will stop working.

The encrypted connection between the DNS client and DNS server protects queries against attacks. That said, both Windows Server 2022 and Windows 11 only support DoH as clients. In other words, you cannot use Windows Server 2022 as a secure DoH server. You have three options in the settings for connecting clients to DNS servers (Figure 2):

Figure 2: DNS over HTTPS in Windows Server 2022 secures name resolution, although it must be supported by the DNS server.
  • Unencrypted only: The client with Windows 11 and Windows Server 2022 does not use DoH encryption for DNS queries.
  • Encrypted only (DNS over HTTPS): The client exclusively uses encrypted connections for resolution with DNS. If no secure connection to the DNS server is available, no name resolution takes place.
  • Encrypted preferred, unencrypted allowed: The client allows the use of encrypted connections but also uses unencrypted connections, if required.

The options are only available if the specified DNS server supports the functions and is stored as such on Windows Server (e.g., servers with IP addresses 1.1.1.1 (Cloudflare) and 8.8.8.8 (Google)). In Windows Server 2022 and Windows 11 PowerShell, you can use the Get-DNSClientDohServerAddress cmdlet to view the currently supported DNS servers. To add new servers, use:

Add-DnsClientDohServerAddress -ServerAddress <IP address> -DohTemplate <template> -AllowFallbackToUdp $False -AutoUpgrade $True

You can also use the name resolution policy table (NRPT) at this point to configure queries to a DNS namespace for use of a static DNS server. In this case, encrypted DNS connections can be used for certain queries.
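The warning above (DoH enforced against resolvers that do not speak DoH breaks name resolution) is worth checking for before you switch to Encrypted only. The script below is an added example, not code from the article: it registers the two public resolvers the text names with their documented DoH templates, builds an RFC 8484 GET query by hand to prove each template actually answers, lists every adapter whose DNS servers lack a working template, and pins one internal zone to an internal resolver through the NRPT. The zone '.corp.example' and the resolver 10.0.0.53 are constructed placeholders.

```powershell
# Added example (not from the article): DoH readiness check before enforcing "Encrypted only".
# Templates for 1.1.1.1 and 8.8.8.8 are the documented public ones; '.corp.example' and
# 10.0.0.53 are constructed placeholders.
$DohTemplates = @{
    '1.1.1.1' = 'https://cloudflare-dns.com/dns-query'
    '8.8.8.8' = 'https://dns.google/dns-query'
}

function Register-DohResolver {
    param([string]$Address, [string]$Template)
    # -AllowFallbackToUdp $false: never silently downgrade to plaintext UDP if DoH fails
    # -AutoUpgrade $true: use DoH automatically wherever this address is an adapter's DNS server
    $params = @{ ServerAddress = $Address; DohTemplate = $Template; AllowFallbackToUdp = $false; AutoUpgrade = $true }
    if (Get-DnsClientDohServerAddress -ServerAddress $Address -ErrorAction SilentlyContinue) {
        Set-DnsClientDohServerAddress @params
    } else {
        Add-DnsClientDohServerAddress @params
    }
}

function New-DnsWireQuery {
    param([string]$Name)
    # Minimal RFC 1035 query: ID 0 (RFC 8484 recommends it for cacheability), RD set, one question
    $b = [System.Collections.Generic.List[byte]]::new()
    $b.AddRange([byte[]](0,0, 1,0, 0,1, 0,0, 0,0, 0,0))
    foreach ($label in $Name.TrimEnd('.').Split('.')) {
        $lb = [System.Text.Encoding]::ASCII.GetBytes($label)
        $b.Add([byte]$lb.Length)
        $b.AddRange($lb)
    }
    $b.Add([byte]0)                     # root label terminates QNAME
    $b.AddRange([byte[]](0,1, 0,1))     # QTYPE = A, QCLASS = IN
    return ,$b.ToArray()                # unary comma keeps the byte[] intact
}

function Test-DohTemplate {
    param([string]$Template, [string]$Name = 'www.microsoft.com')
    # RFC 8484 GET form: base64url-encoded wire query without padding
    $q   = New-DnsWireQuery -Name $Name
    $dns = [Convert]::ToBase64String($q).TrimEnd('=').Replace('+','-').Replace('/','_')
    try {
        $r = Invoke-WebRequest -Uri "${Template}?dns=$dns" -Headers @{ Accept = 'application/dns-message' } -UseBasicParsing -TimeoutSec 5
        $body  = $r.RawContentStream.ToArray()
        $ctype = "$($r.Headers['Content-Type'])"
        # A usable resolver returns 200, the DoH media type, and RCODE 0 (low nibble of header byte 3)
        return ($r.StatusCode -eq 200) -and ($ctype -like 'application/dns-message*') -and (($body[3] -band 0x0F) -eq 0)
    } catch { return $false }
}

function Test-DohReadiness {
    # One row per (adapter, DNS server). Only when every row shows DohWorks = True
    # is "Encrypted only" safe to enforce on this machine.
    $known = @{}
    Get-DnsClientDohServerAddress | ForEach-Object { $known[$_.ServerAddress] = $_.DohTemplate }
    foreach ($cfg in (Get-DnsClientServerAddress -AddressFamily IPv4)) {
        foreach ($addr in $cfg.ServerAddresses) {
            $tpl = $known[$addr]
            [pscustomobject]@{
                Interface   = $cfg.InterfaceAlias
                DnsServer   = $addr
                DohTemplate = $tpl
                DohWorks    = $(if ($tpl) { Test-DohTemplate -Template $tpl } else { $false })
            }
        }
    }
}

# Usage (elevated prompt required for the Add/Set/NRPT calls)
foreach ($ip in $DohTemplates.Keys) { Register-DohResolver -Address $ip -Template $DohTemplates[$ip] }
# Keep the internal zone on the internal resolver; these queries bypass the public DoH servers
Add-DnsClientNrptRule -Namespace '.corp.example' -NameServers '10.0.0.53' -Comment 'internal zone stays on internal resolver'
Test-DohReadiness | Format-Table -AutoSize
```

Test-DohTemplate talks to the template over HTTPS directly, so it tells you whether the resolver works before Windows is told to rely on it; a row with an empty DohTemplate is exactly the configuration that the group policy warning describes. The NRPT rule leaves the internal namespace on an internal resolver that will usually not offer DoH, which is the case where the Encrypted preferred, unencrypted allowed option is the realistic choice.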

Protected Data Transfer

Windows Server 2022 supports Server Message Block (SMB) protocol encryption with AES-256-GCM (Galois/counter mode) and AES-256-CCM (counter mode with cipher block chaining message authentication code). HTTPS and TLS 1.3 are the defaults in Windows Server 2022. When clients connect to the server, the server tries to use HTTPS and TLS 1.3, if possible.

Cluster nodes in Windows Server 2022 also support encryption for internal communication, as is the case for access to Cluster Shared Volumes (CSVs) and for communication in Storage Spaces Direct. Encryption technologies also take effect in Remote Direct Memory Access (RDMA) and SMB Direct. Windows Server 2022 uses AES 128 and AES 256, and the connection variants and encryption technologies that offer maximum security are always enabled by default. This setup is intended to improve security for network traffic. The use of Windows 11 or at least Windows 10 21H2 is ideal in this scenario.
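The AES-256 SMB ciphers are negotiated automatically, but whether a session is encrypted at all is still a configuration decision on the file server. The following is an added example, not code from the article: it retires SMB1, requires encryption server-wide, sets the cipher preference so that AES-256 is used with Windows 11 / Windows 10 21H2 / Windows Server 2022 clients while older SMB 3.1.1 clients still get AES-128, and reports any non-administrative share left unencrypted. The -EncryptionCiphers parameter and its AES_* names are the Windows Server 2022 additions to Set-SmbServerConfiguration; 'Finance' is a constructed share name.

```powershell
# Added example (not from the article): enforce and report SMB encryption on a
# Windows Server 2022 file server. 'Finance' is a constructed share name.
function Set-SmbEncryptionHardening {
    param([string[]]$ShareName)

    # SMB1 has no encryption at all; remove it from the negotiation entirely
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force

    # Encrypt every session and refuse clients that cannot negotiate encryption (SMB 3.0 or later)
    Set-SmbServerConfiguration -EncryptData $true -RejectUnencryptedAccess $true -Force

    # Cipher preference, most preferred first: AES-256 GCM/CCM for current clients,
    # AES-128 retained so older SMB 3.1.1 clients connect encrypted rather than not at all
    Set-SmbServerConfiguration -EncryptionCiphers 'AES_256_GCM,AES_256_CCM,AES_128_GCM,AES_128_CCM' -Force

    # Per-share flag is redundant while the server-wide switch is on, but survives a later global rollback
    foreach ($s in $ShareName) { Set-SmbShare -Name $s -EncryptData $true -Force }
}

function Get-SmbEncryptionReport {
    $srv = Get-SmbServerConfiguration
    [pscustomobject]@{
        Smb1Enabled             = $srv.EnableSMB1Protocol
        EncryptAllSessions      = $srv.EncryptData
        RejectUnencryptedAccess = $srv.RejectUnencryptedAccess
        CipherOrder             = $srv.EncryptionCiphers
        # Administrative shares (C$, IPC$) are excluded via the Special flag
        UnencryptedShares       = @(Get-SmbShare | Where-Object { -not $_.EncryptData -and -not $_.Special } |
                                    Select-Object -ExpandProperty Name)
    }
}

Set-SmbEncryptionHardening -ShareName 'Finance'
Get-SmbEncryptionReport | Format-List
```

RejectUnencryptedAccess is the setting that bites: any SMB 2.x client, including older appliances and scanners, loses access the moment it is enabled, so run the report first and pilot the change on one file server before rolling it into the cluster.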
