Windows Server 2022 Gets Hotpatching Support, and Much More
Microsoft announced that Windows Server 2022 was released to OEMs for testing earlier this month. And in a presentation last week, we got more detailed information about the features included in this release.
Best on Azure
Microsoft is pushing Azure as the best platform for hosting Windows Server 2022. And for the first time, there will be an ‘Azure Edition’ of Windows Server connected to the 2022 release, which offers features not available outside of the Azure public cloud and Azure Stack.
Microsoft’s presentation highlighted close integration with cloud services like Azure App Service for building fully managed .NET apps, Azure Automanage for simplifying operations for Windows Server virtual machines (VM), Windows Admin Center (WAC) in the Azure portal, and Azure Kubernetes Service (AKS) on Azure Stack HCI.
Windows Server 2022 will be part of Microsoft’s Secured-Core program. Initially launched with hardware partners for PCs, the Secured-Core program brings secure hardware, firmware, and OS features to help protect servers against advanced threats.
Using a combination of identity, virtualization, OS, and hardware defenses, Secured-Core servers are protected at both the hardware and software layers. Together with Windows Defender System Guard, which is built into Windows Server 2022, Secured-Core servers give organizations assurances of OS integrity and verifiable boot measurements that help prevent firmware attacks. Microsoft says:
This release brings Secured-core to Windows Server to help secure the systems that would run workloads on Windows Server 2022. Secured-core builds on technologies such as System Guard and Windows Server Virtualization-based Security to minimize risk from firmware vulnerabilities and advanced malware.
Once servers have been hardened by enabling the Secured-Core features in Windows Admin Center, organizations can further protect them with Azure Defender. In WAC, administrators can onboard servers into Azure Security Center. Azure Security Center requires the Azure Defender plan to be enabled on your Azure subscription and its associated Log Analytics workspace.
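Before onboarding, it is worth confirming what the host actually has running. The following is an added example, not code from the article or from Microsoft: it reports the Secured-Core building blocks (UEFI Secure Boot, TPM 2.0, virtualization-based security, HVCI, and System Guard Secure Launch) on the local host. The Win32_DeviceGuard status codes are Microsoft's documented values; run it in an elevated session on Windows Server 2022.

```powershell
# Added example, not from the article or from Microsoft: report the Secured-Core
# building blocks on the local host. Run elevated on Windows Server 2022.
function Get-SecuredCoreStatus {
    # Win32_DeviceGuard exposes VBS state; the numeric codes are Microsoft's documented values.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard

    $vbsStates = @{ 0 = 'NotEnabled'; 1 = 'EnabledNotRunning'; 2 = 'Running' }
    $services  = @{ 1 = 'CredentialGuard'; 2 = 'HVCI'; 3 = 'SystemGuardSecureLaunch'; 4 = 'SmmFirmwareMeasurement' }

    # SecurityServicesRunning is an array of codes; map each to a name and drop unknowns.
    $running = @($dg.SecurityServicesRunning | ForEach-Object { $services[[int]$_] } | Where-Object { $_ })

    # Confirm-SecureBootUEFI throws on BIOS/CSM systems; treat that as "no Secure Boot".
    try { $secureBoot = [bool](Confirm-SecureBootUEFI) } catch { $secureBoot = $false }
    $tpm = Get-Tpm

    [pscustomobject]@{
        SecureBoot          = $secureBoot
        TpmPresentAndReady  = [bool]($tpm.TpmPresent -and $tpm.TpmReady)
        VbsStatus           = $vbsStates[[int]$dg.VirtualizationBasedSecurityStatus]
        ServicesRunning     = ($running -join ', ')
        HvciRunning         = ($running -contains 'HVCI')
        SecureLaunchRunning = ($running -contains 'SystemGuardSecureLaunch')
    }
}

Get-SecuredCoreStatus | Format-List
```

`SecureLaunchRunning = True` is the direct evidence that System Guard's DRTM-based launch is active; `VbsStatus = Running` with HVCI is the virtualization-based security layer the Secured-Core description refers to. The script reads state only and changes nothing, so it is safe to run as a pre-onboarding inventory across a fleet.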
For more information on Windows Server 2022 and Secured-Core Server, check out Windows Server 2022 Secured-Core and Azure Hybrid Services Block Kernel Level Attacks on Petri.
Windows Server 2022 enables TLS 1.3 by default in Schannel, so HTTPS and any other Schannel-based service gets the faster handshake and loses the legacy cipher suites that TLS 1.3 drops. Server 2022 also gets Secure DNS: the DNS client can resolve names over HTTPS (DoH) against a resolver that supports it.
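Two checks a practitioner will want after deploying: that TLS 1.3 has not been disabled by a Schannel registry override, and that a given endpoint really negotiates it; plus the client-side DoH registration. The block below is an added example, not from the article or from Microsoft. It uses .NET's `SslStream` for the probe (needs .NET 4.8 or PowerShell 7) and the DnsClient module's DoH cmdlets; the resolver address `10.0.0.53` and template `https://dns.corp.example/dns-query` are placeholders.

```powershell
# Added example, not from the article. Placeholders: 10.0.0.53, https://dns.corp.example/dns-query.

function Get-SchannelTls13Override {
    # An absent Enabled value means the OS default, which on Windows Server 2022 is "on".
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3'
    foreach ($role in 'Server', 'Client') {
        $value = Get-ItemProperty -Path "$base\$role" -Name Enabled -ErrorAction SilentlyContinue
        $state = if ($null -eq $value) { 'default (on)' } else { [bool]$value.Enabled }
        [pscustomobject]@{ Role = $role; Enabled = $state }
    }
}

function Test-Tls13 {
    param([Parameter(Mandatory)][string]$HostName, [int]$Port = 443)
    $client = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    try {
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false)
        # Offer TLS 1.3 only, so a peer limited to TLS 1.2 fails the handshake instead of downgrading.
        $ssl.AuthenticateAsClient($HostName, $null, [System.Security.Authentication.SslProtocols]::Tls13, $true)
        [pscustomobject]@{ Host = $HostName; Tls13 = $true; Protocol = $ssl.SslProtocol.ToString(); Error = $null }
    } catch {
        [pscustomobject]@{ Host = $HostName; Tls13 = $false; Protocol = $null; Error = $_.Exception.Message }
    } finally {
        $client.Dispose()
    }
}

Get-SchannelTls13Override
Test-Tls13 -HostName 'localhost'   # run against your own IIS/HTTPS endpoint

# DNS over HTTPS on the client: register the resolver's DoH template, then make it the
# adapter's DNS server. DoH is only used when the configured server address matches a
# registered entry. AllowFallbackToUdp $false fails closed if the DoH endpoint is unreachable.
Add-DnsClientDohServerAddress -ServerAddress '10.0.0.53' -DohTemplate 'https://dns.corp.example/dns-query' -AllowFallbackToUdp $false -AutoUpgrade $true
Set-DnsClientServerAddress -InterfaceAlias 'Ethernet' -ServerAddresses '10.0.0.53'
Get-DnsClientDohServerAddress
```

Because the probe offers only TLS 1.3, a `Tls13 = False` result with an authentication error tells you the peer (or a middlebox) cannot do 1.3, which is the failure mode you want to catch before enforcing it. Keep `AllowFallbackToUdp` false only where the DoH resolver is highly available; otherwise name resolution stops when it is down.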
File server features also improve, with SMB AES-256 encryption (AES-256-GCM and AES-256-CCM) for organizations that want the strongest available cipher; AES-128 remains supported for older clients. East-West SMB encryption controls cover internal cluster communications. And in this release, organizations can enable encryption for SMB Direct (RDMA) traffic without giving up RDMA performance; previously, turning on SMB encryption forced that traffic to fall back to TCP.
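Putting the AES-256 option to use means setting the server's cipher preference order, requiring encryption where it matters, and verifying. The block below is an added example, not from the article or from Microsoft; `Finance` is a placeholder share name and `-Force` only suppresses the confirmation prompts.

```powershell
# Added example, not from the article. 'Finance' is a placeholder share name.

# Cipher preference order: AES-256-GCM first, AES-128 kept for clients that cannot do AES-256.
Set-SmbServerConfiguration -EncryptionCiphers 'AES_256_GCM,AES_256_CCM,AES_128_GCM,AES_128_CCM' -Force

# Encrypt one share (alternatively, -EncryptData $true on the server config covers every share).
Set-SmbShare -Name 'Finance' -EncryptData $true -Force

# RejectUnencryptedAccess $true (the default) turns away clients that cannot negotiate encryption,
# which in practice means anything older than SMB 3.0. Keep it unless legacy clients must connect.
Set-SmbServerConfiguration -RejectUnencryptedAccess $true -Force

function Get-SmbEncryptionReport {
    $cfg = Get-SmbServerConfiguration
    [pscustomobject]@{
        ServerWideEncryption    = $cfg.EncryptData
        RejectUnencryptedAccess = $cfg.RejectUnencryptedAccess
        CipherOrder             = $cfg.EncryptionCiphers
        EncryptedShares         = (Get-SmbShare | Where-Object EncryptData | Select-Object -ExpandProperty Name) -join ', '
    }
}

Get-SmbEncryptionReport | Format-List
```

The cipher is negotiated per session, so a Windows Server 2022 or Windows 11 client gets AES-256-GCM while an older SMB 3.1.1 client still lands on AES-128-GCM; the share stays encrypted either way. Encryption also implies signing and integrity, so there is no need to enable `RequireSecuritySignature` separately for encrypted shares.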
SMB Compression in Windows Server 2022 lowers bandwidth and decreases operation times when copying large files like VM disks, uncompressed graphics and video, scientific data, and other large file types that cause network congestion.
SMB Compression compresses data inline as it crosses the network, so the benefit depends on how compressible the files are: VM disks and raw scientific data shrink a lot, already-compressed formats barely at all. The one caveat is that SMB Compression does not work on RDMA network cards in SMB Direct mode, although Microsoft says it is looking to support that scenario in the future.
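Compression is opt-in on both ends: the share must allow it and the client must request it, either for a mapping or for a single copy job. The block below is an added example, not from the article or from Microsoft; `fs01` and `VMImages` are placeholders.

```powershell
# Added example, not from the article. 'fs01' and 'VMImages' are placeholders.

# Server: allow compression on the share. Compression can also be switched off server-wide
# with Set-SmbServerConfiguration -DisableCompression $true.
Set-SmbShare -Name 'VMImages' -CompressData $true -Force

# Client, option 1: map the share with compression requested for every operation on it.
New-SmbMapping -LocalPath 'V:' -RemotePath '\\fs01\VMImages' -CompressNetworkTraffic $true

# Client, option 2: request compression only for one copy job (robocopy ships with Server 2022).
robocopy C:\Exports V:\ *.vhdx /compress

# Verify the server side. Compression is negotiated per session, gives little on
# already-compressed data (zip, media) and is not used on SMB Direct (RDMA) sessions.
Get-SmbShare -Name 'VMImages' | Select-Object Name, CompressData
Get-SmbServerConfiguration | Select-Object DisableCompression
```

A quick way to see whether it is worth enabling for a given data set is to copy the same file with and without `/compress` and compare the wall-clock time; uncompressible inputs will show no gain and simply cost CPU on both sides.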
Azure Automanage (Hotpatching)
Hotpatching has been available for a while, but only for Windows Server Azure Edition. Microsoft announced that hotpatching will also be available for Windows Server 2022 Server Core, with support for the Desktop Experience installation planned for a future release.
Hotpatching is a new way of installing updates on Windows Server VMs. Azure Automanage orchestrates the installation of security patches on top of a baseline cumulative update, which is released every three months. The baseline update still requires a reboot. But the security patches issued between baselines patch the code of running processes in memory, so they install without a reboot and without the maintenance window that normally comes with it.
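Hotpatching is not a property of the patch alone; the VM has to be created from an Azure Edition Server Core image with platform-managed patch orchestration. The block below is an added example, not from the article or from Microsoft, showing that configuration with the Az PowerShell module; the resource group, region, VM name and NIC are placeholders, and the NIC is assumed to exist already.

```powershell
# Added example, not from the article. Resource names, region and the pre-created NIC are placeholders.
$rg     = 'rg-hotpatch-demo'
$loc    = 'westeurope'
$vmName = 'hp-core-01'
$cred   = Get-Credential -Message 'Local administrator for the VM'

$vm = New-AzVMConfig -VMName $vmName -VMSize 'Standard_D2s_v3'

# Hotpatching requires the AutomaticByPlatform patch mode; the platform then applies the
# quarterly baseline (reboot) and the in-between security hotpatches (no reboot).
$vm = Set-AzVMOperatingSystem -VM $vm -Windows -ComputerName $vmName -Credential $cred `
        -PatchMode 'AutomaticByPlatform' -EnableHotpatching

# Only the Azure Edition Server Core image supports hotpatching.
$vm = Set-AzVMSourceImage -VM $vm -PublisherName 'MicrosoftWindowsServer' -Offer 'WindowsServer' `
        -Skus '2022-datacenter-azure-edition-core' -Version 'latest'

$nic = Get-AzNetworkInterface -ResourceGroupName $rg -Name "$vmName-nic"   # assumed to exist
$vm  = Add-AzVMNetworkInterface -VM $vm -Id $nic.Id

New-AzVM -ResourceGroupName $rg -Location $loc -VM $vm

# Confirm the patch settings the platform recorded for the VM.
(Get-AzVM -ResourceGroupName $rg -Name $vmName).OSProfile.WindowsConfiguration.PatchSettings
```

Inside the guest, `Get-HotFix` lists the hotpatch KBs alongside the baseline cumulative update, which is the simplest way to show an auditor that a given fix is applied even though the last reboot predates it.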
Windows Server 2022 with Azure
Microsoft is also promoting Windows Server 2022 Datacenter – Azure Edition.
Azure Edition offers the latest hybrid and compute features, and it works in the Azure public cloud and on Azure Stack HCI 21H2. This edition gets hotpatching, SMB over QUIC, and Azure Extended Networking.
“SMB VPN” for remote workers
SMB over QUIC acts as an SMB Virtual Private Network (VPN), designed for mobile users and high-security organizations. It carries SMB inside a TLS 1.3 encrypted QUIC tunnel over UDP port 443, so TCP port 445 never has to be exposed to the Internet. Microsoft says:
All SMB traffic, including authentication and authorization within the tunnel is never exposed to the network. Inside that tunnel, SMB behaves totally normally with all its usual capabilities.
QUIC is an IETF standard transport protocol (RFC 9000) designed to provide a more reliable connection over untrusted networks, like the public Internet. It runs over UDP and brings the following benefits:
- All packets are always encrypted and the handshake is authenticated with TLS 1.3
- Parallel streams of reliable and unreliable application data
- Exchanges application data in the first round trip (0-RTT)
- Improved congestion control and loss recovery
- Survives a change in the client's IP address or port
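The server side needs a certificate whose name matches the public name clients will use, plus the UDP 443 opening; the client then asks for the QUIC transport explicitly. The block below is an added example, not from the article or from Microsoft, covering both ends; `fs.corp.example` and the `Projects` share are placeholders, the server is assumed to be Windows Server 2022 Datacenter: Azure Edition and the client Windows 11 or Windows Server 2022, and the client is assumed to trust the certificate's issuing CA.

```powershell
# Added example, not from the article. 'fs.corp.example' and 'Projects' are placeholders.

# --- Server (Windows Server 2022 Datacenter: Azure Edition) ---
# Pick a server-authentication certificate whose SAN carries the public name.
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.DnsNameList.Unicode -contains 'fs.corp.example' } |
        Select-Object -First 1

# Bind the certificate to the SMB over QUIC listener for that name.
New-SmbServerCertificateMapping -Name 'fs.corp.example' -Thumbprint $cert.Thumbprint -StoreName 'My'
Get-SmbServerCertificateMapping

# QUIC rides on UDP 443; TCP 445 stays closed on the Internet-facing interface.
New-NetFirewallRule -DisplayName 'SMB over QUIC' -Direction Inbound -Protocol UDP -LocalPort 443 -Action Allow

# --- Client (Windows 11 or Windows Server 2022) ---
# Request the QUIC transport explicitly; the client validates the server certificate
# against its trusted CAs, so an untrusted issuer fails the mapping rather than downgrading.
New-SmbMapping -LocalPath 'Z:' -RemotePath '\\fs.corp.example\Projects' -TransportType QUIC
Get-SmbConnection -ServerName 'fs.corp.example' | Select-Object ServerName, ShareName, Dialect
```

Because the tunnel is authenticated by the server certificate before any SMB bytes flow, the name in the mapping must be the one in the certificate's SAN; connecting by IP address will fail the TLS check. Note that SMB authentication (Kerberos or NTLM) still happens inside the tunnel, so this does not remove the need to harden the account side.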
Windows Server is already a mature platform, and the updates in this release are evolutionary. Nevertheless, there are enough benefits for organizations to consider upgrading, especially those deploying Windows Server in Azure.