How Microsoft tightened basic security in Windows Server 2022

The release of Windows Server 2022 brought several important security improvements. While there is no requirement for businesses to upgrade to Windows Server 2022 before support for older versions of Windows Server ends, it is a good idea to consider migrating to Windows Server 2022, especially for critical infrastructures such as domain controllers.

An upgrade to Windows Server 2022 brings the benefit of security features not found in earlier versions of Windows Server. Given the sensitive nature of domain controllers and other infrastructure components in the data center, it makes sense to harden these servers as much as possible using the latest server operating system from Microsoft.

Basic security improvements

One of the tools offered to administrators to harden the Windows environment against security vulnerabilities is the Microsoft Security Compliance Toolkit. This is the module that identifies all policies relating to basic security in Windows Server 2022. This module consists of Group Policy Objects (GPOs) configured in accordance with best practices recommended by Microsoft . The toolkit includes a Policy Viewer utility for comparing a system’s configuration against basic security best practices.

By “basic” security, Microsoft means that of Windows and its services at the technical level. Higher level security concerns additional tools and specific uses on a server.

The Microsoft Security Compliance Toolkit is not a new tool, but Microsoft has made some changes to the basic security rules for Windows Server 2022. For example, Internet Explorer software is found among the list of domain controller restrictions, because Microsoft recommends using the Edge browser. Similarly, Windows Server 2022 core security policies now include script scanning, as it is a best practice and no longer an ancillary activity. Another new best practice: installing print drivers should only be done by administrators.

Use Windows Server 2022 basic security rules

To get started, you need to go to the Microsoft Security Compliance Toolkit page and download the Policy Analyzer, as well as the set of Windows Server 2022 security baselines. Both come under the form of .zip files you will need to extract.

To compare a Windows Server 2022 system with security best practices, run the PolicyAnalyzer.exe file. Once the interface is open, click the Add button and follow the instructions to open the Policy File Importer. Then select the Add Files from GPOs option from the File menu, as shown in Figure 1.

Figure 1.

The Policy File Importer now displays available GPOs, as shown in Figure 2. GPOs are role-specific. For example, there are GPOs for general use, as well as dedicated GPOs for domain controllers, which need to be hardened to a higher degree than basic servers.

Screenshot: import GPOs for inspection
Picture 2.

Choose the rules file to use, then click the Import button. When prompted, save the imported GPO as a policy rules file. If you want to compare the baseline to the current state of a server, click the View/Compare button. This opens the Policy Viewer to compare the baseline to the actual system state, as shown in Figure 3.

Screenshot: check the security baseline
Picture 3.

During its comparison test, the Policy Analyzer will highlight the differences between the security baseline and the current system’s GPOs. The tool also checks for unnecessary or conflicting settings. Administrators can export their results in Excel format and take a snapshot to check the changes at another time.

You can find more details about Windows Server 2022 security baselines on this page.

What tools to strengthen the security of Windows Server 2022?

Microsoft introduced several security features in Windows Server 2022, including the following:

  • Secured-core Server (secure kernel server). Windows Server 2022 supports the use of a “secured-core” physical server, which stores cryptographic keys inside the processor rather than in a separate Trusted Platform Module (TPM) chip. This greatly improves the security of the keys by making them much more difficult to access, even when an attacker is in physical possession of the machine.
  • Hardware root-of-trust (material trust basis). Windows Server 2022 uses the TPM 2.0 system present on the motherboard or in the most recent processors to implement its Secure Boot function. This allows it to check for unauthorized code before loading the operating system.
  • Firmware Protection (firmware protection). Traditionally, anti-malware software cannot scan a server’s firmware. If a server is equipped with a secure core processor, it can verify the boot process by comparing it to a trusted database. It is also possible to isolate drivers using DMA protection.
  • UEFI Secure Boot (UEFI secure boot). With this feature, the system will only boot firmware and operating system files that the server manufacturer trusts. This helps protect against rootkit attacks.
  • Virtualization-based security (virtualization-based security). This security feature stores credentials and keys in a secure container that the operating system cannot directly access. This helps to prevent any breach in the event of a malware attack.
  • HTTPS and Transport Layer Security (TLS) 1.3 enabled by default. Microsoft enabled HTTPS and TLS 1.3 by default in Windows Server 2022 to replace older, less secure protocols. Administrators may need to configure applications or services to use them.
  • Secure-DNS (secure DNS). This feature, also known as DNS-over-HTTPS, encrypts DNS queries to prevent network eavesdropping.
  • SMB East-West Encryption (SMB east-west encryption). This feature scrambles communications within Storage Spaces Direct clusters to protect data transfer between servers.
  • SMB Direct and RDMA Encryption (SMB Direct and RDMA encryption). The SMB Direct feature for high-speed transfers in file servers now supports encryption. Windows Server 2022 performs encryption before data placement for much better performance compared to previous versions of this technology.
  • SMB Over QUIC. This feature, along with TLS 1.3, uses a relatively new transport protocol to enable secure data access without the need for a VPN. This feature is only available in the Azure edition of Windows Server 2022 Datacenter.

Best practices for hardening Windows Server 2022 security

When securing a Windows server, it is important to apply rules for defense in depth. The idea behind this concept is that no security mechanism has any flaws. The right approach is to work in successive layers, each with a variety of security features.

The Security Compliance Toolkit helps verify system settings, but there are other actions that administrators should consider to enhance server security. Examples include “Just Enough” administration policies and domain isolation policies. Whenever possible, it is also a good idea to configure Windows servers to operate in Server core mode, ie with the minimum necessary.

Finally, each Windows server must be dedicated to a specific use. Running multiple roles or applications on a single server can lead to unintended permission elevations that can compromise its security.

Leave a Comment