At the recent Ignite 2021 conference Microsoft announced the preview of the next version of Windows Server, Windows Server 2022. This is not huge news, as we can follow the direction Windows Server is heading through the Semi-Annual Channel (SAC) releases that come out twice a year. However, there are some interesting features of note, and in this article we'll take a look at them.
Security in Windows Server 2022
It's no secret that most businesses worldwide are struggling with IT security. As organizations and society become more and more reliant on digital systems, there are simply too many avenues for increasingly sophisticated attackers to find a way in. Compromising systems before they even start up, through bootkits or rootkits, is becoming more popular, and building on the work Microsoft has done for Secured-core PCs, Windows Server 2022 brings Secured-core Servers.
If you haven't heard of Secured-core, think of it as marrying a Trusted Platform Module (TPM) 2.0 chip for securely storing secrets, BitLocker for full volume drive encryption and Virtualization-based Security (VBS) to protect credentials while the system is running. In other words, all the optional Microsoft security features that you could turn on for a normal PC, but enabled out of the box. First out of the gate was the Surface Pro X (which I'm writing this article on), but Secured-core PCs are available from Lenovo, Dell, Panasonic, HP and others.
For servers this means that when you purchase a system with this label, the OEM will have provided secure firmware and drivers and will also have enabled all these security features out of the box. You can also check the status of your servers, and enable the security features, using the new add-in for Windows Admin Center (WAC).
Secured-core features in Windows Admin Center
Note that Secured-core servers lay the foundation for the forthcoming generation of processors from Intel, AMD and Qualcomm that will include the Pluton security processor, built on security features first seen in the Xbox One. TPM has been very successful over the last 10 years as the first broadly available hardware security root of trust, but because it's a separate chip, advanced attacks leverage the connection between the TPM chip and the main CPU to gain access to secure information or tamper with the data. Because Pluton is built into the processor itself, it mitigates this vector.
Let's look at each of the Secured-core features in detail.
Trusted Platform Module
The TPM provides storage for security information such as BitLocker keys, while Secure Boot checks the signatures of all boot software (UEFI firmware, EFI applications and the OS itself) to ensure that none of it has been subverted by a rootkit.
Virtualization-based Security (VBS) uses hardware virtualization (based on Hyper-V technology, but don't think of this as a separate VM, just an isolated part of the memory space in the OS) to stop attacks against credentials (Pass-the-Hash or Mimikatz, for example). VBS is also the platform for Hypervisor-Enforced Code Integrity (HVCI), which protects the Control Flow Guard (CFG) bitmap from modification, provides a valid certificate for Credential Guard and checks that device drivers have an EV certificate.
Control Flow and System Guard
Control Flow Guard is a way that Windows protects against malicious applications corrupting memory of legitimate applications.
System Guard is the umbrella term for taking the above technologies and providing these security guarantees for Windows: protect the integrity of the system as it starts up and validate this through local and remote attestation. It uses Static Root of Trust for Measurement (SRTM), Dynamic Root of Trust for Measurement (DRTM) and System Management Mode (SMM) protection to achieve this.
Boot Direct Memory Access (DMA) protection is part of Kernel DMA Protection, which can stop attacks against BitLocker and other security technologies that rely on storing secrets in memory while the system is running. Plug a drive with malicious software into a port that supports DMA mapping for fast transfers and, hey presto, it has just read your BitLocker key. With DMA protection this isn't possible.
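The WAC add-in gives you this view in a GUI, but the same Secured-core building blocks described above (TPM 2.0, Secure Boot, VBS/HVCI, Credential Guard and BitLocker) can be checked from an elevated PowerShell session. The script below is an added example, not part of the article or of Microsoft's tooling; it is read-only and assumes the TrustedPlatformModule, SecureBoot and BitLocker PowerShell modules are installed on the host (Kernel DMA Protection is not exposed through these cmdlets, so it is not covered here).

```powershell
# Added example (not from the article): read-only Secured-core posture check
# for a Windows Server host, run from an elevated PowerShell session.
$results = [ordered]@{}

# TPM presence/readiness (TrustedPlatformModule module) and spec version
# from the Win32_Tpm WMI class; Secured-core requires TPM 2.0.
$tpm        = Get-Tpm
$tpmVersion = (Get-CimInstance -Namespace root\cimv2\Security\MicrosoftTpm `
                               -ClassName Win32_Tpm).SpecVersion
$results['TPM present and ready'] = [bool]($tpm.TpmPresent -and $tpm.TpmReady)
$results['TPM 2.0']               = $tpmVersion -like '2.0*'

# Secure Boot state as reported by UEFI; the cmdlet throws on legacy BIOS
# systems, which we treat as "not protected".
try   { $results['Secure Boot'] = [bool](Confirm-SecureBootUEFI) }
catch { $results['Secure Boot'] = $false }

# VBS, HVCI and Credential Guard via the Win32_DeviceGuard class.
#   VirtualizationBasedSecurityStatus: 2 = VBS running
#   SecurityServicesRunning:           1 = Credential Guard, 2 = HVCI
$dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard `
                      -ClassName Win32_DeviceGuard
$results['VBS running']      = $dg.VirtualizationBasedSecurityStatus -eq 2
$results['HVCI running']     = $dg.SecurityServicesRunning -contains 2
$results['Credential Guard'] = $dg.SecurityServicesRunning -contains 1

# BitLocker on the OS volume: encrypted AND protectors active. A volume that
# is encrypted but has protection suspended still exposes the key.
$osVol = Get-BitLockerVolume -MountPoint $env:SystemDrive
$results['BitLocker (OS volume)'] = ($osVol.VolumeStatus -eq 'FullyEncrypted') -and
                                    ($osVol.ProtectionStatus -eq 'On')

# Compact report: anything reported as MISSING is a gap to close before
# relying on the host for credential protection.
$results.GetEnumerator() | ForEach-Object {
    '{0,-24} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'MISSING' })
}
```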
Other security enhancements
Windows Server 2022 will have the latest version of Transport Layer Security, TLS 1.3, enabled by default, though this version will also be made available for earlier Windows Server versions.
When managing lots of Windows or Hyper-V containers across a server farm, the preferred approach is to give them an identity in Active Directory using group Managed Service Accounts (gMSA), but today that requires you to domain-join the container host. In Windows Server 2022 this won't be necessary. And if you're encrypting your SMB (file server) traffic, you can now use AES-256 encryption.
Windows Server 2022 Scalability
Another headline in the preview announcement is the increase in scalability: a physical server can now have 48 TB of RAM and 64 sockets with 2048 logical processors (cores, or hyperthreaded cores). While these figures are incredible (VMware vSphere 7 Update 1 supports 24 TB and 768 CPUs per host), they matter to exactly 0.000001% of Windows Server customers. And mostly that customer is Microsoft itself, where in Azure the benefit of humongous machines is the ability to provide gigantic VMs for SAP and other huge database workloads for enterprises with very deep pockets.
On the other end of the spectrum, the Server Core container image for Windows Server 2022 is 1 GB (20%) smaller than in previous versions, shaving start-up and transfer times for containers running the Windows Server 2022 container image.
Windows Server 2022 build 20303.120329
Other Enhancements in Windows Server 2022
Windows Server 2022 will also bring (in the right context; details are scant at the moment) another feature that's been forged in the fire of Azure's hosts: reboot-less patching. Here patches are applied to a running OS without requiring a restart, improving uptime.
If you're running a mix of Windows and Linux containers in Kubernetes, you can use Calico to manage networking across the entire cluster. If you're running globally distributed applications, managing time zones in containers has been difficult (the zone is inherited from the host, making it hard to move containers around); virtualized time zones in Windows Server 2022 will take care of this.
Speaking of Linux, Microsoft is aiming to bring the improved boot security to Linux as well, just as they’re doing in Azure.
Windows Server 2022 and the Hybrid World
Most of the presentation at Ignite on Windows Server 2022 was taken up by talking about features around, not in, the product itself, such as the ones recently released in the GA 2103 version of Windows Admin Center. Windows Admin Center can now be run in the Azure portal, can automatically update your extensions, supports outbound proxy configuration, lets you pop out tools into separate browser windows, brings a revamped Event Viewer UI (the first update since 1993, believe it or not) and lets you reassign virtual switches when moving a VM from one host or cluster to another. WAC also supports HTTP/2, which means faster performance.
Windows Server 2022 will also be a first-class citizen in Azure, will power Azure Stack HCI and can be managed by Azure Arc. When it's available in Azure you can use Automanage to ease your administrative burden in running VMs, but like so many features mentioned in the announcement, none of these are unique to Windows Server 2022.
A one-year-old Dell system without full support for Secured-core Servers
In case you weren't aware, Microsoft actually releases two versions of Windows Server per year in the Semi-Annual Channel (SAC). These versions are only supported for 18 months after release, are only available to Software Assurance customers and only come in the Server Core flavor. Nevertheless, they point the way to where Windows Server is heading, and Windows Server 2022 will be the next Long-Term Servicing Channel (LTSC) release, with five years of mainstream and five years of extended support.
Windows Server 2022 Networking Improvements
Fortunately, the 100-level session at Ignite isn't the only source of information on what's new in the Windows Server 2022 preview; this blog article from August 2020 provides some more technical details.
MsQuic is probably the enhancement that's going to impact IT Pros the most in the future. It's Microsoft's (open-sourced) implementation of the QUIC protocol, which will power the HTTP/3 implementation as well as provide improvements in SMB file transfers. The most interesting part for SMB is that it'll be possible to set up file shares to be accessed securely over the internet with no VPN required. Read about it and watch Ned Pyle's video for more info.
UDP will get a speed boost as well, similar to TCP offload, from NICs that support UDP Segmentation Offload (USO). TCP will benefit from support for TCP HyStart++, while packet capturing will see deeper into TCP/IP using PktMon.
Adding features in Windows Server 2022
Hyper-V networking isn't left out in the cold either. Receive Segment Coalescing (RSC) was introduced in Server 2019 and brings packets together to be processed as one larger segment in the virtual switch, lowering CPU load. In Server 2019 the traffic is re-segmented as it's transferred to the VMBus, whereas in Server 2022 it'll remain coalesced all the way to the application.
Containers and Kubernetes will benefit from Direct Server Return, where request and response traffic can use different paths.
Hyper-V Enhancements in Windows Server 2022
Managing which VMs should be kept on the same host and which should be kept apart (virtualized Domain Controllers, for instance) has been possible for a few versions using Affinity/AntiAffinity rules. However, they weren't site aware; if you have stretched clusters there are now PowerShell cmdlets to configure rules for this, as well as better management of affinity/anti-affinity through rules overall.
In Failover Clusters, if you wanted to use BitLocker on the nodes they all had to be in the same domain; now you can use local encrypted storage for key safekeeping in workgroup and cross-domain clusters.
Comparing Windows Server 2019 and 2022
| Feature | Windows Server 2019 | Windows Server 2022 |
|---|---|---|
| Max host memory | 24 TB | 48 TB |
| Max logical CPUs (cores / hyperthreaded cores) | 512 | 2048 |
| Max VM memory | 12 TB | ?? (24 TB)* |
| Max virtual CPUs in a VM | 240 | ?? (960)* |
| AES-256 encryption for SMB traffic | | Yes |
| 20% smaller Windows Server containers | | Yes |
| TLS 1.3 enabled by default | | Yes |
| Virtualized time zones for containers | | Yes |
| MsQuic (no VPN for on-prem file share access) | | Yes |
| BitLocker local key storage | | Yes |

*Microsoft hasn't published scalability figures for VMs in Windows Server 2022 yet, which makes sense as testing and optimizing performance happens late in an operating system's development. However, if the scalability increases on bare metal carry over to VMs, the amount of supported memory should double and the number of virtual CPUs should quadruple.
As you can tell from the screenshot above, the preview version doesn't have any visible details distinguishing it from Windows Server 2019 (or 2016). However, it looks like there are some exciting features under the hood, both for Hyper-V and networking, and my suspicion is that there will be more news coming throughout 2021 as we head for a release late in the year.