Windows Server 2022 Secured-Core and Azure Hybrid Services Block Kernel Level Attacks

Microsoft announced at its Ignite conference earlier this year that it is extending its Secured-Core initiative to Windows Server 2022. Currently available for selected Windows 10 devices, Secured-Core requires hardware to meet new standards that follow isolation best practices and to have minimal trust of firmware. Microsoft says that Secured-Core devices are intended for industries that handle intellectual property, customer, or personal data, including Personally Identifiable Information (PII). Secured-Core servers are designed to prevent firmware attacks.

Using a combination of identity, virtualization, OS, and hardware defenses, Secured-Core servers have protection at both the hardware and software layers. Along with Windows Defender System Guard, which is built into Windows Server 2022, Secured-Core servers provide organizations with assurances of OS integrity and verifiable measurements to help prevent firmware attacks. Microsoft says:

This release brings Secured-core to Windows Server to help secure the systems that would run workloads on Windows Server 2022. Secured-core builds on technologies such as System Guard and Windows Server Virtualization-based Security to minimize risk from firmware vulnerabilities and advanced malware.

Microsoft acknowledges that securing servers is one of today’s hardest tasks for IT departments. With Secured-Core, customers get simplified security because much of the hard work has already been done by Microsoft and its silicon partners.

Enabling Windows Server 2022 protections in Windows Admin Center

Windows Server 2022 devices are protected against firmware attacks with Windows Defender System Guard. Once a server has booted and the CPU has initialized safely, Windows takes control and uses Virtualization-Based Security (VBS) to isolate critical parts of the system and protect them from malware, even malware running with elevated privileges.

During Ignite, Microsoft demonstrated the inbox Secured-Core capabilities of Windows Server 2022 to block and detect advanced kernel attacks. An advanced kernel attack might involve a hacker loading malicious or vulnerable kernel drivers to corrupt or change workloads. Using the Windows Admin Center (WAC) Secured-Core snap-in, administrators can enable Hypervisor-Protected Code Integrity (HVCI) to secure servers. Using Windows Admin Center, administrators can enable Secured-Core features like HVCI, Boot DMA Protection, System Guard, Secure Boot, VBS, and TPM 2.0, without having to use PowerShell or run any complex commands.

Threat detection using Azure hybrid services

Once devices have been protected by enabling Secured-Core features in Windows Admin Center, organizations can further protect servers using Azure Defender. In WAC, administrators can onboard servers into Azure Security Center. Azure Security Center requires your Azure subscription, and associated Log Analytics Workspace, to have an Azure Defender license.

Azure Defender is a cloud workload protection platform that brings advanced protection to Azure and hybrid workloads. It can be used to protect servers, regardless of their location, IoT, SQL, container workloads, Kubernetes, and more. Microsoft Defender for Endpoint, Microsoft’s endpoint detection and response (EDR) product, is included with Azure Defender for servers.

Figure 1: Windows Server 2022 Secured-Core and Azure Hybrid Services Block Kernel Level Attacks (Image Credit: Microsoft)

Azure Defender generates alerts when threats are detected on protected workloads. Alerts can then be exported to Security Information and Event Management (SIEM) solutions, like Azure Sentinel. Azure Defender also has vulnerability scanning of virtual machines (VMs) and container registries.

For more information on Azure Defender pricing, check out Microsoft’s website here.

Using the logs in Azure Monitor, administrators can look for events that indicate malicious activity, such as a driver being blocked by Windows Code Integrity. With that event data loaded into Log Analytics, they can then create a new alert from a simple search query. Starting from WAC, administrators can in a few minutes build a complete workflow that protects Windows Server 2022 with Secured-Core and detects the threat in Azure.
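As an added example (not from the article and not Microsoft's own tooling), the following PowerShell verifies on the server itself the Secured-Core features the WAC snap-in toggles, and pulls the Code Integrity driver-block events that the Azure Monitor alert described above keys on. The Win32_DeviceGuard property values and the Code Integrity event IDs 3033 and 3077 are assumptions based on the documented DeviceGuard WMI class and the Microsoft-Windows-CodeIntegrity/Operational log; the Log Analytics `Event` table columns are likewise assumed.

```powershell
# Added example: check Secured-Core posture and surface blocked-driver events.
# Assumption: run elevated on a Windows Server 2022 host with UEFI firmware.

function Get-SecuredCorePosture {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    $secureBoot = try { Confirm-SecureBootUEFI } catch { $false }   # throws on legacy BIOS
    $tpm = Get-Tpm
    [pscustomobject]@{
        VbsRunning    = ($dg.VirtualizationBasedSecurityStatus -eq 2) # assumed: 2 = enabled and running
        HvciRunning   = ($dg.SecurityServicesRunning -contains 2)     # assumed: 2 = HVCI, 1 = Credential Guard
        DmaProtection = ($dg.AvailableSecurityProperties -contains 3) # assumed: 3 = DMA protection
        SecureBoot    = [bool]$secureBoot
        Tpm20Ready    = ($tpm.TpmPresent -and $tpm.TpmReady)
    }
}

function Get-BlockedDriverEvents {
    param([int]$Hours = 24)
    # Assumed event IDs: 3033 and 3077 are the Code Integrity "did not meet
    # signing level requirements" block events raised when a driver is refused.
    $filter = @{
        LogName   = 'Microsoft-Windows-CodeIntegrity/Operational'
        Id        = 3033, 3077
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                EventId = $_.Id
                Message = $_.Message
            }
        }
}

$posture = Get-SecuredCorePosture
$posture | Format-List
if (-not ($posture.VbsRunning -and $posture.HvciRunning)) {
    Write-Warning 'VBS/HVCI not running: kernel driver blocking is not enforced on this host.'
}
Get-BlockedDriverEvents -Hours 24 | Format-Table -AutoSize

# The same signal as a Log Analytics search query for the Azure Monitor alert
# (assumes the agent collects this event log into the Event table):
#   Event
#   | where EventLog == "Microsoft-Windows-CodeIntegrity/Operational"
#   | where EventID in (3033, 3077)
#   | project TimeGenerated, Computer, EventID, RenderedDescription
```

An alert rule built on the query above fires on the first blocked driver rather than relying on someone reading the local event log.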

Windows Server 2022 Secured-Core Server Hardware

Microsoft says that new Secured-Core hardware that supports Windows Server 2022 is coming from Dell EMC, HP Enterprise, Lenovo, and other OEM partners later in 2021. Whether organizations are using Windows Server 2022 to containerize legacy apps or maintain and develop current line-of-business applications, Windows Server 2022 and Microsoft’s hybrid cloud services will make it easier for organizations to secure Windows Server, whether running in an organization’s own datacenter, the Azure cloud, or Amazon Web Services (AWS).