Six new security features for Windows Server 2022
Windows Admin Center Control
Microsoft has been promoting the web-based Windows Admin Center (WAC) as a modern alternative to the outdated Server Manager for quite some time. If you have not used WAC before, now is a good time to do so. WAC gives you an overview of the status of all the Secured-core server components, and you can enable functions that have not yet been configured (Figure 1).
You can download the latest version [8] for free and install it on a Windows server; it does not need to be one of the machines you want to configure as a Secured-core server. In production, issue a TLS certificate for the fully qualified DNS name of the WAC server from an Active Directory (AD)-integrated or external PKI before the install; all management traffic, including administrator credentials, passes through this HTTPS endpoint.
The setup takes just a few steps. WAC sends diagnostic data to Microsoft; the installer only lets you choose between the required data and additional optional data. You can also decide whether WAC should use Microsoft Update to update itself. The wizard defaults to TCP port 443 for the web front end. At this point you can also specify the thumbprint (fingerprint) of your own certificate, if you have one. Otherwise, the setup generates a self-signed certificate that is only valid for 60 days and that browsers will not trust; that is fine for a test installation, but not for production use.
The last dialog of the wizard shows the URL, which has the form https://<fully qualified domain name of server>:<port>; click it or paste it into your browser. WAC then prompts you to log in. The server on which WAC is installed acts as a gateway through which all other systems are connected to and managed. With the All Connections button in the window header, you can add further servers, client computers, and clusters. Navigate to All connections | Server Manager and use the + Add button to set up connections to your instances of Windows Server 2022.
If you now click on one of the server connections, WAC prompts you to authenticate again. To avoid this in the future, set up Kerberos constrained delegation from the WAC gateway to the respective target server, which you can do in PowerShell on a domain controller or on a server with the AD PowerShell module and snap-ins [9] installed. In the detailed view of the respective server, select Security in the vertical navigation bar. In the main area of the page, open the Secured-core tab to view the status of the six security features.
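The installation and delegation steps above, as an added PowerShell example that is not part of the original article or of WAC itself. The first part runs on the future gateway and installs WAC silently with a certificate from the machine store, using the MSI property names Microsoft documents for the installer (SME_PORT, SME_THUMBPRINT, SSL_CERTIFICATE_OPTION); the second part runs where the ActiveDirectory module is available and grants resource-based Kerberos constrained delegation from the gateway to each managed server, then verifies and audits it. The hostnames, the MSI path, and the log path are assumptions.

```powershell
# Added example (not the article's own steps). Hostnames and paths are assumptions.

# ---- Part 1: on the gateway, as administrator ----
$gatewayFqdn = 'wac01.corp.example'                # assumed gateway FQDN
$msi         = 'C:\Install\WindowsAdminCenter.msi'  # assumed installer location

# Pick a currently valid certificate with a private key issued for the gateway name,
# so the installer uses it instead of generating the 60-day self-signed one.
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and $_.Subject -like "CN=$gatewayFqdn*" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No valid certificate with private key for $gatewayFqdn in LocalMachine\My" }

# Silent install on TCP 443 with the existing certificate (documented MSI properties).
Start-Process -FilePath msiexec.exe -Wait -ArgumentList @(
    '/i', "`"$msi`"", '/qn', '/L*v', 'C:\Install\wac-install.log',
    'SME_PORT=443', "SME_THUMBPRINT=$($cert.Thumbprint)", 'SSL_CERTIFICATE_OPTION=installed'
)

# ---- Part 2: on a DC or a host with the ActiveDirectory module ----
Import-Module ActiveDirectory
$gateway = 'wac01'                          # assumed gateway computer account
$targets = 'srv2022-01', 'srv2022-02'       # assumed managed Windows Server 2022 hosts

$gatewayObject = Get-ADComputer -Identity $gateway
foreach ($target in $targets) {
    $targetObject = Get-ADComputer -Identity $target

    # Writes msDS-AllowedToActOnBehalfOfOtherIdentity on the TARGET object: the target
    # trusts the gateway to present users' Kerberos identities to it. Note that this
    # REPLACES any principals already listed on the target.
    Set-ADComputer -Identity $targetObject -PrincipalsAllowedToDelegateToAccount $gatewayObject

    # Read back and verify; the attribute holds distinguished names.
    $allowed = (Get-ADComputer -Identity $targetObject -Properties PrincipalsAllowedToDelegateToAccount).PrincipalsAllowedToDelegateToAccount
    if ($allowed -contains $gatewayObject.DistinguishedName) {
        Write-Output "$target`: delegation to $gateway configured"
    } else {
        Write-Warning "$target`: delegation to $gateway NOT configured"
    }
}

# Audit: every computer in the domain that accepts delegated identities, and from whom.
# Normally only the WAC gateway should show up here; this attribute is a well-known
# lateral-movement path, so unexpected entries deserve a closer look.
Get-ADComputer -LDAPFilter '(msDS-AllowedToActOnBehalfOfOtherIdentity=*)' -Properties PrincipalsAllowedToDelegateToAccount |
    Select-Object Name, @{ Name = 'AllowedPrincipals'; Expression = { $_.PrincipalsAllowedToDelegateToAccount -join '; ' } }
```

To withdraw the delegation again, run Set-ADComputer with -PrincipalsAllowedToDelegateToAccount $null against the target computer object; because the attribute lives on the target, it is the target's administrators, not the gateway's, who control it.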
TPM 2.0 and Secure Boot
You cannot influence Secure Boot and TPM from within WAC. If WAC shows Not supported for the two functions, your system either lacks the appropriate hardware or the functions are simply not enabled in the UEFI firmware or in the properties of the VM (on Hyper-V, Secure Boot and a virtual TPM require a Generation 2 VM). As soon as you enable Secure Boot and TPM in the firmware of a physical system or in the settings of the VM, the status in WAC changes to On. The two functions are enabled automatically and have no further configuration options.
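For the VM case, here is an added example, run on the Hyper-V host rather than in WAC, that switches on Secure Boot and a virtual TPM for a Generation 2 VM and reads the settings back. It is not code from the article; the VM name is an assumption, and it uses a local key protector, which is sufficient for a vTPM on a stand-alone host without a Host Guardian Service.

```powershell
# Added example, run on the Hyper-V host with the Hyper-V PowerShell module.
$vmName = 'srv2022-01'   # assumed name of a Generation 2 VM

$vm = Get-VM -Name $vmName
if ($vm.Generation -ne 2) {
    throw "$vmName is Generation $($vm.Generation); Secure Boot and a vTPM require a Generation 2 VM"
}
# Firmware and security settings can only be changed while the VM is off.
if ($vm.State -ne 'Off') { Stop-VM -Name $vmName }

# Secure Boot with the Windows certificate template (not the Linux/shielded templates).
Set-VMFirmware -VMName $vmName -EnableSecureBoot On -SecureBootTemplate 'MicrosoftWindows'

# A vTPM needs a key protector to encrypt its state; without an HGS a local one is used.
if (-not (Get-VMSecurity -VMName $vmName).TpmEnabled) {
    Set-VMKeyProtector -VMName $vmName -NewLocalKeyProtector
    Enable-VMTPM -VMName $vmName
}

# Read back what the guest (and therefore WAC) will see as Secure Boot and TPM.
Get-VMFirmware -VMName $vmName | Select-Object VMName, SecureBoot, SecureBootTemplate
Get-VMSecurity -VMName $vmName | Select-Object VMName, TpmEnabled

Start-VM -Name $vmName
```

A local key protector ties the vTPM state to this host; if the VM is to migrate between hosts or be shielded, the key protector has to come from a Host Guardian Service instead, which is a separate setup not covered here.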
Enabling Functions with WAC
Assuming your machine meets the requirements, WAC displays Not configured for the other functions. In each case, check the box in the first column and click Enable; the status of the component changes to Enabled but not running, and WAC requests a server restart, which you can trigger immediately from the interface or schedule for a suitable time. After the restart, the status of the functions changes to On.
Virtual instances of Windows Server 2022 have to do without boot-time DMA protection and System Guard; with four of the six Secured-core functions they have reached their highest possible protection level. Physical machines can also enable the remaining two options, provided the firmware supports them and all device drivers are compliant.
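What WAC shows on the Secured-core tab can also be read and set on the server itself. The following added example, not code from the article or from WAC, runs in an elevated PowerShell on the Windows Server 2022 machine: Get-SecuredCoreStatus reads the sources WAC reports on (the Win32_DeviceGuard and Win32_Tpm classes, Confirm-SecureBootUEFI) and maps them to the same On / Enabled but not running / Off wording, and Enable-SecuredCoreFeatures writes the documented DeviceGuard registry values for VBS, HVCI and System Guard that take effect after the restart. Both function names are my own.

```powershell
# Added example, run as administrator on the server being configured.

function Get-SecuredCoreStatus {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard

    # Confirm-SecureBootUEFI throws on legacy-BIOS systems, which counts as "off".
    $secureBoot = $false
    try { $secureBoot = Confirm-SecureBootUEFI } catch { }

    $tpm     = Get-Tpm
    $tpmSpec = (Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm).SpecVersion  # e.g. "2.0, 0, 1.38"

    # VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but not running, 2 = running
    $vbs = switch ($dg.VirtualizationBasedSecurityStatus) {
        0 { 'Off' } 1 { 'Enabled but not running' } 2 { 'On' } default { 'Unknown' }
    }

    [pscustomobject]@{
        SecureBoot = $secureBoot
        Tpm20      = [bool]($tpm.TpmPresent -and $tpm.TpmReady -and $tpmSpec -like '2.0*')
        VBS        = $vbs
        # SecurityServicesRunning codes: 1 Credential Guard, 2 HVCI, 3 System Guard Secure Launch, 4 SMM firmware measurement
        HVCI        = [bool]($dg.SecurityServicesRunning -contains 2)
        SystemGuard = [bool]($dg.SecurityServicesRunning -contains 3)
        # AvailableSecurityProperties code 3 = DMA protection; a VM never reports it,
        # which is why a VM tops out at four of the six features.
        BootDmaProtectionAvailable = [bool]($dg.AvailableSecurityProperties -contains 3)
    }
}

function Enable-SecuredCoreFeatures {
    param(
        # Scenarios to switch on; System Guard has no effect on hardware without DRTM support (and on VMs).
        [string[]]$Scenarios = @('HypervisorEnforcedCodeIntegrity', 'SystemGuard')
    )
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
    if (-not (Test-Path $base)) { New-Item -Path $base -Force | Out-Null }

    # RequirePlatformSecurityFeatures: 1 = Secure Boot, 3 = Secure Boot + DMA protection.
    # Requiring DMA protection where the platform has none leaves VBS "enabled but not running".
    $require = if ((Get-SecuredCoreStatus).BootDmaProtectionAvailable) { 3 } else { 1 }
    Set-ItemProperty -Path $base -Name 'EnableVirtualizationBasedSecurity' -Value 1 -Type DWord
    Set-ItemProperty -Path $base -Name 'RequirePlatformSecurityFeatures' -Value $require -Type DWord

    foreach ($scenario in $Scenarios) {
        $path = Join-Path $base "Scenarios\$scenario"
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        Set-ItemProperty -Path $path -Name 'Enabled' -Value 1 -Type DWord
    }
    Write-Output "VBS, $($Scenarios -join ', ') configured; restart the server for them to start."
}

# Usage: look before and after the restart.
Get-SecuredCoreStatus
Enable-SecuredCoreFeatures
# Restart-Computer   # then run Get-SecuredCoreStatus again: VBS should read 'On'
```

Before enabling HVCI on a physical server, run the same status function after the restart and check the HVCI field: if it stays $false while VBS reads On, a non-compliant driver is usually the cause, and the code integrity events in the Microsoft-Windows-CodeIntegrity/Operational log name it.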