Secure-core Windows Servers: Why are they so important

Photo of author
Written By JasonWashington

Lorem ipsum dolor sit amet consectetur pulvinar ligula augue quis venenatis. 

Microsoft has recently been focusing on hardware security. Windows 11 requires the use of TPMs (or other security systems) to ensure your software is secure and that your operating system is not compromised. This hardware-based security approach is not limited to personal and desktop systems. Windows Server 2022 provides many of these tools for your data center.

Must Read: jl audio subwoofer

What is secure-core in Windows Servers?

Secured-core server is a hardware-based security tool that protects your servers from the moment they boot. Your systems will be protected by stopping malicious code running by using either digital signatures or checking the code as it runs to authenticate drivers and applications. Secured-core is built on modern processors’ hardware security features, such as AMD’s ASP secure processor which helps to manage and lock down the trusted execution environments used for secure boot.

Microsoft will use a hardware root of trust to manage its secure-core platform. It is starting with TPM-based systems. The Trusted Platform module can be either firmware- or hardware-based. It provides a secure environment for digital signatures, encryption keys, checksums, hashes, and certificates. It doesn’t have to be large; it just needs to be secure. Secure-core systems require a second generation TPM.

First and foremost, the TPM is used to verify the integrity of the BIOS and firmware of a server. It uses pro-loaded signatures. These signatures are set up when the hardware is manufactured and will depend on the manufacturer. This allows you to check that the OS has not been installed before your server starts to boot. This creates a secure boot service similar to Windows.

We can use the TPM to manage signed documents as part of what Microsoft calls a dynamic root trust for measurement. As software updates are made and new services installed, the way that systems boot can change. This involves measuring the load of various components and then storing these measurements and verifying them. DRTM is a way to verify that your environment boots correctly. This reduces the risk of rootkits and other low-level malware infecting your servers.

Never Miss: camera hard case

Virtualization-based security

Virtualization-based security is an important part of secured-core. Windows Server uses the hypervisor functionality in modern processors to isolate critical processes from the rest. It creates a restricted environment for admin logins, which helps to protect your credentials. The virtualized log-on environment is protected from background applications. This means that malware cannot steal passwords or IDs by monitoring your keystrokes.

VBS supports more than Windows’ log-on services. This secure section of memory can be used by Windows to manage security tools and protect them from attacks. This virtual secure mode allows code to be checked before execution. It also controls how Windows creates new pages of memory and checks them before they are allowed to execute. This extra precaution code cannot write to executable pages, significantly reducing the chance of buffer overflow.

Hypervisor-protected Code Integrity also adds an additional layer of protection to Windows Kernel. This is known in Windows security settings as Memory Integrity. It checks all kernel mode code before it runs. Windows can block unsigned drivers. The VBS levels reduce the chance of malware infecting the kernel. This feature is part of the Microsoft signed driver tools, and the recently announced smart app control service.

These techniques have the advantage of protecting your systems from malware and reducing the chance of bugs infecting your servers. It is a good coincidence that many malware techniques are similar to common kernel mode and driver failures. Tools like HVCI or VBS can help keep systems reliable.

Also Read: illinois hunting license

Secured-core management

Secure-core functionality can be managed from Windows Admin Center. This allows you to enable it on supported hardware and without the need to manually manage each machine. Although the best way to get security-core functionality working is from the first boot of a server, as it is possible to test everything on a clean system with no downtime, you can still use services such as Memory integrity. These techniques offer a higher level of protection than an unprotected server, even if malware is lurking on your servers.

Microsoft offers other management tools to secure-core systems. For example, you can use it with MDM delivered policies to lock down configurations. Anyone with admin rights can accidentally turn off a secured core service. We need additional protections that reverse any changes made. For example, HVCI will automatically be turned on if it is needed and turned off. This ensures that servers are following your centrally applied security guidelines.

Most Popular: solve a rubiks cube

This is just the first generation Microsoft’s secure core approach. The second generation uses technologies such as its Pluton security processor, which provides a proactive protection model that is more effective than the passive TPM. Pluton’s advantage is its ability to update the security subsystem using the same tooling Microsoft uses for Azure Sphere secure Internet of Things platform. Updates are pushed out regularly, similar to Patch Tuesday but at a hardware-level level. You’ll always have the most recent version of your processor’s security firmware. There’s no need to maintain updates across multiple data centers.

Secured core is a tool that can help you make your systems safer. You shouldn’t abandon your existing security tools and models even though secured core is running. An attacker with a dedicated goal can still have opportunities. They just need to work at a higher level than the Windows kernel and attack parts of the stack.

It’s still a good idea to implement secured-core servers within your network. Although secured core is not a perfect defense, it can significantly reduce your risk and require very little effort on your part. That is always a win.