Windows Server is one of the most widely used operating systems for servers. It provides a variety of features and options that allow businesses to tailor their servers to match their specific needs. But with emerging threats continuing to target Windows-based systems, it's more important than ever for businesses to harden their security so they don't fall victim to malicious hack attempts.
Each new release of Microsoft Windows represents a milestone of new features, capabilities, and technologies that organizations can use to solve the present challenges they face. Windows Server 2022 is the latest release and builds on previous improvements with Windows Server 2019 hybrid features and security innovations. This version of Windows Server was released in September 2021.
Other main releases of Windows Server include:
- Windows Server 2016 - with support until 2027
- Windows Server 2012 - with support until 2023
- Windows Server 2008 - with support until 2020
Between 2015 and 2021, Microsoft referred to these releases as long-term support releases to set them apart from semi-annual releases.
Windows Server 2022 Security Checklist
The new security features in Windows Server 2022 merge other security capabilities in Windows Server across multiple areas to offer defense-in-depth (DiD) protection against advanced threats. It offers a comprehensive set of built-in security capabilities and tools that help organizations secure their hybrid environments.
- Secured-core server: Secured-core server uses firmware, hardware, and driver capabilities to enable the latest Windows Server security features. The hardware adds an extra security layer of protection against complex attacks, which is critical for data-sensitive industries handling mission-critical data.
- Hardware root-of-trust: The Trusted Platform Module 2.0 (TPM 2.0) provides a hardware-based key store that can be used to protect server secrets and keys. It is an important part of the Windows Server 2022 security model and helps to ensure that only trusted code and components are allowed to run on the server platform. TPM 2.0 is used by features like BitLocker drive encryption.
- Firmware Protection: Traditional anti-virus solutions cannot protect a system's firmware from attacks. Secured-core server processors can use Dynamic Root of Trust for Measurement (DRTM) to measure and verify the authenticity of firmware components during boot-up so that only authorized and unmodified code can run. It also uses Direct Memory Access (DMA) protection to isolate driver access to memory.
- UEFI secure boot: Windows Server 2022 uses Unified Extensible Firmware Interface (UEFI) secure boot to ensure that only digitally signed code can run on the server. This helps to prevent malicious code, such as bootkits and rootkits, from running on the server.
- Virtualization-based security (VBS): VBS uses hardware virtualization features to create an isolated, highly secure area on the server. This can be used to run critical workloads, and to store encryption keys that the OS cannot access directly. VBS also helps to prevent malicious code from running on the server by using hypervisor-enforced code integrity (HVCI) to verify the digital signature of code running in a guest virtual machine.
- Transport Layer Security (TLS) 1.3: TLS 1.3 is the latest version of the TLS protocol and offers significant security improvements over previous versions. It uses cryptographic algorithms that are more resistant to attack and offers better performance by reducing the number of round trips needed to establish a connection. TLS 1.3 is enabled by default on Windows Server 2022, but applications and services need to actively support it.
- DNS-over-HTTPS (DoH): DoH encrypts DNS traffic between clients and servers so that it cannot be eavesdropped on or tampered with. It helps to prevent DNS hijacking and can be used to bypass DNS filtering and censoring. DoH is not enabled by default on Windows Server 2022 but can be enabled through Group Policy or the registry.
- East-West SMB encryption: SMB encryption can be used to encrypt traffic between servers, and between clients and servers. It helps to prevent eavesdropping and data tampering and is transparent to applications that use the SMB protocol.
- SMB Direct and RDMA encryption: SMB Direct and RDMA offer high-performance, low-latency connectivity for Scale-out File servers, Storage Replica, Storage Spaces Direct, Hyper-V, SQL Servers, and other workloads that require fast data transfers.
- Windows Admin Center: While not a security feature, Windows Admin Center in Windows Server 2022 can report on the latest Secured-core features discussed above.
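To confirm from the command line which of the features above are actually active on a given server, the following read-only PowerShell report can be used. It is an added example, not part of the original article; it relies on built-in cmdlets and CIM classes, and the function name Get-PlatformSecurityReport is hypothetical.

```powershell
# Added example: read-only report on the platform security features listed above.
# Run elevated on the server being checked; nothing is changed.
function Get-PlatformSecurityReport {
    $r = [ordered]@{}

    # UEFI Secure Boot: the cmdlet throws on legacy-BIOS systems.
    try   { $r.SecureBoot = [bool](Confirm-SecureBootUEFI -ErrorAction Stop) }
    catch { $r.SecureBoot = 'not supported on this platform' }

    # TPM presence, readiness and specification version (2.0 expected).
    try {
        $tpm = Get-Tpm -ErrorAction Stop
        $r.TpmPresent = $tpm.TpmPresent
        $r.TpmReady   = $tpm.TpmReady
        $w = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                 -ClassName Win32_Tpm -ErrorAction Stop
        if ($w) { $r.TpmSpecVersion = ($w.SpecVersion -split ',')[0].Trim() }
    } catch { $r.TpmError = $_.Exception.Message }

    # VBS state from Win32_DeviceGuard. VirtualizationBasedSecurityStatus 2 = running.
    # SecurityServicesRunning: 2 = HVCI, 3 = System Guard Secure Launch (DRTM).
    # AvailableSecurityProperties: 3 = DMA protection available.
    try {
        $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                  -ClassName Win32_DeviceGuard -ErrorAction Stop
        $r.VbsRunning             = $dg.VirtualizationBasedSecurityStatus -eq 2
        $r.HvciRunning            = $dg.SecurityServicesRunning -contains 2
        $r.SecureLaunchRunning    = $dg.SecurityServicesRunning -contains 3
        $r.DmaProtectionAvailable = $dg.AvailableSecurityProperties -contains 3
    } catch { $r.DeviceGuardError = $_.Exception.Message }

    # SMB server encryption: EncryptData turns it on server-wide;
    # RejectUnencryptedAccess refuses clients that cannot encrypt.
    $smb = Get-SmbServerConfiguration
    $r.SmbEncryptData       = $smb.EncryptData
    $r.SmbRejectUnencrypted = $smb.RejectUnencryptedAccess

    # DoH: which of the configured resolvers have a DoH template registered.
    $doh = @(Get-DnsClientDohServerAddress -ErrorAction SilentlyContinue).ServerAddress
    $dns = @(Get-DnsClientServerAddress).ServerAddresses | Sort-Object -Unique
    $r.ResolversWithDohTemplate = @($dns | Where-Object { $_ -in $doh }) -join ', '

    [pscustomobject]$r
}

Get-PlatformSecurityReport | Format-List
```

An empty ResolversWithDohTemplate value means none of the server's configured DNS resolvers has a DoH template registered, so queries to them cannot be upgraded to DoH.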
Tips for Securing Windows Server
Windows Server 2022 has advanced security features that can help to protect your server and data. However, no security system is perfect, and there are always ways that attackers can bypass security measures. As such, organizations should take steps to further secure their servers, even if they are using the latest version of Windows Server. Some tips for securing Windows Server include:
Practice Defense in Depth
Windows Server 2022 is a secure platform, but no server is entirely immune to attack. It is important to practice defense in depth, by implementing multiple layers of security. This could include:
- Using a firewall
- Deploying intrusion detection/prevention systems
- Using encryption to protect data in transit
- Configuring servers to sync time with Network Time Protocol (NTP)
- Protecting the admin account by using strong passwords, or renaming it to something else. You should also not put administrative account names or passwords on Active Server Pages.
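Three of the items above (firewall, time synchronization, and the built-in admin account) can be checked with the short read-only report below. It is an added example, not from the original article; the function name Get-BaselineHardeningReport is hypothetical, and it assumes a member or standalone server, since Get-LocalUser does not apply to domain controllers.

```powershell
# Added example: read-only check of firewall, time source and built-in admin account.
# Assumes a member or standalone server (local accounts exist).
function Get-BaselineHardeningReport {
    # Firewall: every profile (Domain, Private, Public) should be enabled.
    $fw = Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction
    $disabled = @($fw | Where-Object { $_.Enabled -ne 'True' }).Name -join ', '

    # Time sync: a source of "Local CMOS Clock" or "Free-running System Clock"
    # means the server is not synchronizing with an NTP server.
    $timeSource = (& w32tm.exe /query /source 2>&1 | Out-String).Trim()

    # The built-in Administrator always has RID 500, so it is found here
    # whether or not it has been renamed.
    $admin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }

    [pscustomobject]@{
        FirewallProfilesDisabled = $disabled
        FirewallInboundDefaults  = ($fw | ForEach-Object { "$($_.Name)=$($_.DefaultInboundAction)" }) -join '; '
        TimeSource               = $timeSource
        BuiltinAdminName         = $admin.Name
        BuiltinAdminRenamed      = $admin.Name -ne 'Administrator'
        BuiltinAdminEnabled      = $admin.Enabled
        BuiltinAdminPasswordSet  = $admin.PasswordLastSet
    }
}

Get-BaselineHardeningReport | Format-List
```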
Keep Your Windows Server Up To Date
It is important to keep your Windows Server up to date with the latest security patches and updates. Failing to update can expose your server to known security vulnerabilities that could be exploited by attackers. Microsoft releases regular updates for Windows Server, and these can be downloaded and installed through the Windows Update feature.
Install Only Essential OS Components via Windows Server Core
Windows Server 2022 uses the OS in its Core mode. This means that it is not necessary to install extra software components, which can be a security risk. Windows Server Core can be used to install only the essential components needed to run a specific workload. This reduces the server's attack surface and helps to improve security.
Use Microsoft Baseline Security Analyzer
The Microsoft Security Compliance Toolkit (SCT) is a powerful tool that can help organizations secure their Windows Server deployments. The SCT contains the Windows Server 2022 security baseline, featuring Group Policy Objects (GPOs) that can be deployed to servers to help harden them against attack. It also includes a Policy Viewer utility, which allows administrators to view and compare the security settings in different GPOs. This can help troubleshoot security issues or determine which settings need to be tweaked to achieve the desired level of security.
Dedicate Each Windows Server to a Specific Purpose
When possible, it is best to dedicate each Windows Server to a specific purpose. This helps to minimize the server's attack surface and improve security.
Windows Server Hardening Can Reduce the Risk of Cyber-Attacks
Organizations that rely on Windows Server to host critical applications and data can take steps to harden their servers and reduce the risk of cyber-attacks. By following best practices for security, and using tools like the Microsoft Security Compliance Toolkit, organizations can help to ensure that their Windows Server deployments are as secure as possible.
At MyChoiceSoftware, we provide a range of solutions to help organizations deploy and secure their Windows Server deployments. We have the expertise to ensure that your servers are compliant with the latest security standards, and that they are configured correctly for optimal performance. Contact us today to see how we can help you get the most out of your Windows Server 2022 deployment.