Microsoft has recently focused on hardware-based security, as Windows 11 requires the use of TPMs and other security systems to help ensure that your software is secure, and that your operating system has not been compromised. This hardware-based approach to security isn’t just for desktop and personal systems; Windows Server 2022 brings many of these tools to your data center.
be seen: Software installation policy (TechRepublic)
Hardware-based security is key to securing modern systems, as technologies like containers and virtualization strip your workloads away from the primary host operating system. The more we ignore the host OS, the more it needs to be secure, because it’s the console for all your apps and services. They may all be isolated from each other, but they are all visible to the host. Compromising at this level doesn’t risk a single app, it just risks running everything on the server, especially if you’re running a private or hybrid cloud.
What is Secured-Core in Windows Servers?
This is where Secure Core Server comes in, using hardware-based security tools to protect your servers from the moment they boot up. The goal is to defend your systems by preventing malicious code from running, either by checking the code while it’s running or using digital signatures to authenticate apps and drivers. Secured-Core builds on hardware security features built into modern processors, such as the AMD Secure ASP processor, which helps manage and secure the trusted execution environment used for secure booting.
Microsoft is focused on using a hardware root of trust to manage its secure platform, starting with familiar TPM-based systems. The TPM is either hardware or firmware-based, providing a secure environment for storing cryptographic keys, certificates, other digital signatures, checksums, and hashes. It does not have to be particularly large; It just has to be safe. Secure platforms need the second generation of TPM.
The first and most obvious task is to use the TPM to ensure the integrity of the server’s BIOS and firmware, using pre-loaded signatures. They are configured when the device is built and depend on the server manufacturer. Having this in place even before the operating system is installed gives you a way to verify that your server hasn’t been tampered with before it starts to boot. This then results in a secure boot service similar to the one used by Windows.
With a TPM to manage signatures, we can use it as part of what Microsoft describes as a dynamic root of trust for scaling. The way systems boot changes over time, as software updates and new services are installed. This means measuring how different components are loaded and stored and examining these measurements. DRTM gives you another way to ensure your environment runs properly, reducing the risk of rootkits and other low-level malware on your servers.
Use of virtualization-based security
An important aspect of a secure kernel is virtualization-based security. Here Windows Server takes advantage of the hypervisor functionality built into modern processors to isolate key processes from the rest of Windows. So, for example, a tightly focused environment running during login helps protect administrator credentials. Applications running in the background cannot interact with the default login environment, so malware cannot spy on keystrokes and capture passwords and IDs.
VBS supports much more than Windows login services. It provides an isolated and secure partition of memory that can be used by Windows to manage various security tools, protecting them from vulnerabilities. With this virtual safe mode, it is possible to check code before running it, manage how Windows creates new memory pages, and check them before allowing them to execute. Since additional backup code cannot write to an executable page, which greatly reduces the risk of buffer overflow.
Likewise, code integration protected by Hypervisor adds another layer of protection to the Windows Kernel. Referred to in Windows security settings as Memory Integrity, this is used to check all kernel mode codes, such as drivers, before it runs, allowing Windows to block unsigned drivers. Even if malware reaches the kernel, the different levels of VBS reduce the risk that it will be able to access data or the Windows platform. This feature is at the heart of Microsoft’s signature launch tools, as well as the recently announced Smart App Control service.
One of the advantages of these methods is that not only do they protect systems from malware, but they can also reduce the risk of errors affecting your servers. It is a useful coincidence that many of the techniques used by malware are very similar to common drivers and kernel mode failures. Maintaining systems reliability is a beneficial side effect of tools like HVCI and VBS.
Secure Kernel Management
You can manage basic locked functionality from the Windows Admin Center, and enable them on supported devices without having to manage devices individually. While most of the benefits come from running basic secure server tools from the first boot on a new server, where everything can be scaled on a clean system, there is still value in running services like memory integration. This is because even though there is malware lurking in your servers, as part of an advanced persistent threat, these technologies provide a better level of protection than an unsecured server.
Microsoft provides other management tools for secure platforms, for example using them with MDM policies to secure configurations. It’s very easy for someone with admin permissions to accidentally turn off a secured core service, and so we need extra protection that rolls back changes as soon as they’re made. So, for example, if HVCI is required and it is turned off, it will restart automatically, keeping the servers centrally applied security baseline.
This is only the first generation of Microsoft’s secure core policy. The second generation is based on technologies such as the Pluton security coprocessor, providing a more proactive protection model from a relatively passive TPM. One of the advantages of Pluton is that it’s easy to keep the security subsystem up to date, with the same tools Microsoft uses for its secure IoT platform Azure Sphere, updates are pushed regularly, like Patch Tuesday, but on a hardware level. Therefore, you will always be running the latest version of processor security firmware, without the need to manage updates across an entire data center of servers.
It is important to remember that a secure kernel is only a tool to help make your systems more secure. Even with it turned on, you shouldn’t give up your existing security models and tools. The dedicated striker still had chances; It’s just that they now have to run at a higher level than the Windows kernel, and attack parts of the stack.
However, this is no reason to ignore the implementation of secure central servers in your network of course. A secure position may not be a universal defense, but it greatly reduces risk with very little work required on your part. And that will always be a win.