Professional Documents
Culture Documents
PowerPoint Secure-Core Server 2022 Technology
PowerPoint Secure-Core Server 2022 Technology
PowerPoint Secure-Core Server 2022 Technology
Technology
Review
Secure-core
Servers
Windows Server 2022 Technology
2
Information Technology Ecosystem is
constantly moving forward
• SNIA Storage Networking Industry Association
• IETF Internet Engineering Task Force
• IEEE Institute of Electrical and Electronics Engineers
• Linux Foundation
• DTMF Distributed Management Task Force
• W3C World Wide Web Consortium (W3C)
• OASIS Standard Generalized Markup Language (SGML)
3
Secure-core
servers
• Certified OEM hardware
for Secured-core server
4
Intel secure-core server motherboard
5
Firmware Attack
Surface Reduction
(FASR)
• Firmware is becoming an
attractive attack vector due to
firmware running in Ring –2
• Outside the scope of the
operating system
• Most vendors are using S-RTM
6
Intel CPU design
• Ring 0: Kernel (Highest Privilege)
• Ring 1: Virtual Box's Guest Kernel
• Ring 2: Unused
• Ring 3: Windows' User Mode
7
Negative Ring
• Ring -1: Hypervisor
• Ring 0: Kernel (Highest Privilege)
• Ring 1: Virtual Box's Guest Kernel
• Ring 2: unused
• Ring 3: User Applications (Lowest
Privilege)
8
Negative Rings
• Ring -3: Management Engine (ME)
{Highest Privilege}
• Ring -2: System Management Mode
(SMM)
Negative Rings
• Silicon
• Microcode
• Ring -3: Management Engine (ME) {Highest
Privilege}
• Ring -2: System Management Mode (SMM)
• Ring -1: Hypervisor
• Ring 0: Kernel (Highest Privilege)
• Ring 1: Device Drivers
• Ring 2: Device Drivers
• Ring 3: User Applications (Lowest Privilege)
10
Security from chip to cloud
11
S-RTM early method of protecting the boot process
13
Dynamic Root of Trust for
Measurement (DRTM)
14
Protects both boot and runtime firmware code
15
What is the requirement for secure-core?
16
system requirements:
• x64 CPU
• SLAT or Second Level Address Translation
• Intel VT-D or AMD-Vi
• Trusted Platform Module 2.0
• SMM protection supported firmware
• UEFI memory reporting
• Security MOR 2 (Memory Overwrite Request)
• HVCI or Hypervisor Code Integrity
17
Secure-core servers
You can enable these capabilities easily in the Windows Admin Center
18
WAC has this feature in preview
19
Microsoft long list of security features
• Different hardware requirements
System
Guard
• Different versions of Windows
• Different methods of enabling
• Confusing and frustrating to
understand
Application
Guard
20
Lack of simple
methods of
enabling security
• Enterprises struggle to implement
the vast array of security features
• Windows Hello
• FIDO2
• BitLocker
• Microsoft Defender
Application Guard (protected
browser)
• TPM
• Secure Boot
• Kernel DMA Protection
• Device health attestation
• SMB encryption
21
Virtualization-based security (VBS)
22
HVCI is referred
to as Memory
Integrity
• Hypervisor-Enforced Code
Integrity (HVCI), commonly
referred to as Memory
integrity, which uses VBS to
significantly strengthen code
integrity policy enforcement.
• Kernel mode code integrity
checks all kernel mode
drivers and binaries before
they're started, and prevents
unsigned drivers or system
files from being loaded into
system memory.
23
Test your system: DG_readiness script
24
DG_Readiness PowerShell
script
• To Validate: DG_Readiness.ps1 –Capable –
[DG/CG/HVCI] -AutoReboot
• To Enable: DG_Readiness.ps1 –Enable –[DG/CG]
–AutoReboot
• To Disable: DG_Readiness.ps1 –Disable –
[DG/CG] -AutoReboot
25
Test your system: DG_readiness tool
26
Use script to enable features
27
DGreadiness tool log file
28
msinfo32.exe
29
Virtualization-based security (VBS)
30
VBS system requirements:
• x64 CPU
• SLAT or Second Level Address Translation
• Intel VT-D or AMD-Vi
• Trusted Platform Module 2.0
• SMM protection supported firmware
• UEFI memory reporting
• Security MOR 2
• HVCI or Hypervisor Code Integrity
31
How to
enable • Mobile Device Management (MDM)
System • Group Policy
Guard • Windows Security app
• Registry
Secure
Launch
32
Enable via GPO
33
34
Enable:
VBS and hypervisor-
based code integrity
(HVCI)
35
VBS and HVCI requires restart
36
CONTACT US
mrvanderpool@techsavvyproductions.com
SOCIAL MEDIA
• YouTube:
https://www.youtube.com/user/vanderl2796/featured
• Twitter: @_TechSavvyTeam
CREDITS
• Facebook: https://www.facebook.com/Tech-Savvy-
Productions-105287381500897 • Social media logos and “Tech Savvy
• Follow on Instagram: techsavvyproductions Productions” teaser created by The 11th Hour:
• https://www.instagram.com/techsavvyproductions/ https://www.youtube.com/user/The11thH...
• Mr.V: https://www.linkedin.com/in/lowell-
vanderpool-57970623/
37
Become
a
member
38
Check out our website:
https://www.techsavvyproductions.com
39
Want an easy and free way
to support this Channel?
Please Subscribe!
80% of the individuals who watch our content do not
subscribe.
40
We have subtitles for
in many languages:
41
A BIG THANK YOU
TO ALL OF OUR
VIEWERS AND
SUBSCRIBERS!
42