Microsoft has recently focused on hardware-based security, with Windows 11 requiring the use of TPMs and other security systems to ensure your software is safe and your operating system has not been compromised. This hardware-based approach to security isn’t just for desktops and personal systems; Windows Server 2022 brings many of these tools to your data center.
TO SEE: Software Installation Policy (TechRepublic)
Hardware security is an essential part of securing modern systems, as technologies such as containers and virtualization move your workloads away from the underlying host operating system. The more we ignore the host operating system, the more secure it needs to be, as it is the controller of all your applications and services. They may all be isolated from each other, but they are all visible to the host. A compromise at this level does not endanger an application, but everything running on the server, especially if you are using a private or hybrid cloud.
What is Secure Core in Windows Servers?
That’s where Secure Server comes in, which uses hardware-based security tools to protect your servers from the moment they start up. The intention is to defend your systems by preventing the execution of malicious code, either by verifying running code or by using digital signatures to authenticate applications and drivers. Secured-core builds on the hardware security features built into modern processors, such as AMD’s ASP Secure Processor, which helps manage and lock down the trusted execution environment used for Secure Boot.
Microsoft is focused on using a hardware root of trust to manage its secure platform, starting with familiar TPM-based systems. The Trusted Platform Module is hardware- or firmware-based, providing a secure environment for storing encryption keys, certificates, and other digital signatures, as well as checksums and hashes. It doesn’t have to be particularly tall; it just needs to be secure. Secure-core systems require a second-generation TPM.
The first and most obvious task is to use the TPM to ensure the integrity of a server’s BIOS and firmware, using pro-loaded signatures. These are configured when building the hardware and depend on the server manufacturer. Having it in place before the operating system is even installed allows you to verify that your server has not been tampered with before it begins to boot. This then leads to a Secure Boot service similar to that used by Windows.
By using the TPM to manage signatures, we can use it as part of what Microsoft describes as a dynamic root of trust for measurement. The way systems boot changes over time as software updates and new services are installed. This means measuring the load of different components and storing and verifying these measurements. DRTM gives you another way to make sure your environment boots properly, reducing the risk to your servers from root kits and other low-level malware.
Using virtualization-based security
An important aspect of the secure core is virtualization-based security. Here, Windows Server takes advantage of the hypervisor functionality built into modern processors to isolate key processes from the rest of Windows. So, for example, it runs a tightly targeted environment on login that helps protect your admin credentials. Apps running in the background can’t interact with the virtualized login environment, so malware can’t spy on your keystrokes and capture passwords and credentials.
VBS supports much more than Windows login services. It provides an isolated and secure section of memory that can be used by Windows to manage various security tools, protecting them against exploits. Using this virtual safe mode, it is possible to verify code before it is run, managing how Windows creates new memory pages, verifying them before they are allowed to run. As an added precaution, code cannot write to an executable page, greatly reducing the risk of buffer overflow.
Similarly, hypervisor-protected code integrity adds another layer of protection to the Windows kernel. Referred to in Windows Security Settings as Memory Integrity, it is used to check all kernel mode code, such as drivers, before it runs, allowing Windows to block unsigned drivers. Even if malware enters the kernel, the different levels of VBS reduce the risk that it can access data or the underlying Windows platform. This functionality is at the heart of Microsoft’s signed driver tools, as well as its recently announced Intelligent Application Control Service.
One of the benefits of these techniques is that they not only protect systems against malware, they can also reduce the risk of bugs affecting your servers. It’s a useful coincidence that many of the techniques used by malware are very similar to common driver and kernel mode failures. System reliability is a useful side effect of tools like HVCI and VBS.
Secure core management
You can manage secure core functionality from Windows Admin Center, enabling it on supported hardware without having to manage individual machines. While the main benefits come from running secure server tools on first boot on a new server, where everything can be measured on a clean system, it is still useful to enable services such as memory integrity. Indeed, although malware may be hiding in your servers, as part of an advanced persistent threat, these techniques offer a better level of protection than an unsecured server.
Microsoft provides other management tools for secure-core systems, such as using it with MDM-provided policies to lock down configurations. It is very easy for anyone with administrator permissions to accidentally disable a secure service. So we need to have additional safeguards that roll back changes as soon as they are made. So, for example, if HVCI is required and is disabled, it will automatically be re-enabled, keeping the servers in compliance with your centrally enforced security baseline.
This is only the first generation of Microsoft’s secure core approach. The second generation relies on technologies such as its Pluto security co-processor, offering a more proactive protection model than the relatively passive TPM. One of the benefits of Pluto is that it’s simple to keep the security subsystem up to date, using the same tools Microsoft uses for its Azure Sphere Internet of Things secure platform, updates are pushed regularly, much like Patch Tuesday, but at the hardware level. This way, you’ll always be running the latest version of your processor’s security firmware, without having to manage updates across an entire data center of servers.
It is important to remember that the Secure Kernel is only a tool to help make your systems more secure. Even running, you should not abandon your existing security models and tools. A dedicated striker always has opportunities; it’s just that they now have to operate above the Windows kernel, attacking parts of the stack.
Even so, that’s no reason to skip implementing secure servers in your network, of course. Secure Core may not be a universal defense, but it significantly reduces risk with very little work required on your part. And it will always be a victory.
