PowerPoint Secure-Core Server 2022 Technology


Windows Server 2022 Technology Review
Secure-core Servers

2
Information Technology ecosystem is constantly moving forward
• SNIA Storage Networking Industry Association
• IETF Internet Engineering Task Force
• IEEE Institute of Electrical and Electronics Engineers
• Linux Foundation
• DMTF Distributed Management Task Force
• W3C World Wide Web Consortium
• OASIS Standard Generalized Markup Language (SGML)

3
Secure-core servers
• Certified OEM hardware for Secured-core server

4
Intel secure-core server motherboard

5
Firmware Attack Surface Reduction (FASR)

• Firmware is becoming an attractive attack vector because it runs in Ring -2
• Outside the scope of the operating system
• Most vendors are using S-RTM

6
Intel CPU design
• Ring 0: Kernel (Highest Privilege)
• Ring 1: VirtualBox's Guest Kernel
• Ring 2: Unused
• Ring 3: Windows' User Mode

7
Negative Ring
• Ring -1: Hypervisor
• Ring 0: Kernel (Highest Privilege)
• Ring 1: VirtualBox's Guest Kernel
• Ring 2: Unused
• Ring 3: User Applications (Lowest Privilege)

8
Negative Rings
• Ring -3: Management Engine (ME) {Highest Privilege}
• Ring -2: System Management Mode (SMM)

9
Negative Rings
• Silicon
• Microcode
• Ring -3: Management Engine (ME) {Highest Privilege}
• Ring -2: System Management Mode (SMM)
• Ring -1: Hypervisor
• Ring 0: Kernel (Highest Privilege)
• Ring 1: Device Drivers
• Ring 2: Device Drivers
• Ring 3: User Applications (Lowest Privilege)

10
Security from chip to cloud

11
S-RTM: early method of protecting the boot process

A Static Root of Trust for Measurement (S-RTM) establishes trust at system reset and requires that trust be maintained throughout the entire boot process.

If trust is compromised at any point in the boot process, it is irrecoverable until system reset.

12
S-RTM: problem
• As there are thousands of PC vendors that produce many models with different UEFI BIOS versions, there is an incredibly large number of possible S-RTM measurements at boot.
• Time to move to D-RTM

13
Dynamic Root of Trust for Measurement (DRTM)

• Windows Defender System Guard Secure Launch leverages Dynamic Root of Trust for Measurement (DRTM).
• As Windows 10/11/Server 2016-2019-2022 boots, a series of integrity measurements is taken by Windows Defender System Guard using the device's Trusted Platform Module 2.0 (TPM 2.0)

14
Protects both boot and runtime firmware code

• After the system boots, Windows Defender System Guard signs and seals these measurements using the TPM
• All of this security technology is now under "Windows Secure Boot"

15
What is the requirement for secure-core?

• A secure supply chain for OEM manufacturers' chips and components
• TPM 2.0: Hardware root-of-trust
• Secure Boot with D-RTM
• System Guard with Kernel Direct Memory Access (DMA) protection
• Kernel DMA protection uses the Input/Output Memory Management Unit (IOMMU)
• Virtualization-based security (VBS)
• Hypervisor-based code integrity (HVCI)

16
System requirements:

• x64 CPU
• SLAT or Second Level Address Translation
• Intel VT-D or AMD-Vi
• Trusted Platform Module 2.0
• SMM protection supported firmware
• UEFI memory reporting
• Security MOR 2 (Memory Overwrite Request)
• HVCI or Hypervisor Code Integrity

17
Secure-core servers
You can enable these capabilities easily in the Windows Admin Center

18
WAC has this feature in preview

19
Microsoft's long list of security features
• Different hardware requirements
• Different versions of Windows
• Different methods of enabling
• Confusing and frustrating to understand

(Slide graphics: System Guard, Application Guard)

20
Lack of simple methods of enabling security
• Enterprises struggle to implement the vast array of security features
• Windows Hello
• FIDO2
• BitLocker
• Microsoft Defender Application Guard (protected browser)
• TPM
• Secure Boot
• Kernel DMA Protection
• Device health attestation
• SMB encryption

21
Virtualization-based security (VBS)

VBS uses hardware virtualization features to create and isolate a secure region of memory from the normal operating system

22
HVCI is referred to as Memory Integrity
• Hypervisor-Enforced Code Integrity (HVCI), commonly referred to as Memory integrity, uses VBS to significantly strengthen code integrity policy enforcement.
• Kernel mode code integrity checks all kernel mode drivers and binaries before they're started, and prevents unsigned drivers or system files from being loaded into system memory.

23
Test your system: DG_readiness script

24
DG_Readiness PowerShell script
• To validate: DG_Readiness.ps1 -Capable -[DG/CG/HVCI] -AutoReboot
• To enable: DG_Readiness.ps1 -Enable -[DG/CG] -AutoReboot
• To disable: DG_Readiness.ps1 -Disable -[DG/CG] -AutoReboot
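An added example, not part of the deck or of the DG_Readiness script: a readiness check in the spirit of the -Capable run, built only on the Win32_DeviceGuard WMI class that ships with Windows. It maps the class's documented status codes to the Secured-core requirements listed earlier (Secure Boot, IOMMU/DMA protection, MOR, SMM protection) and reports which are missing.

```powershell
# Added example (not from the deck). Run from an elevated PowerShell prompt on
# Windows 10/11 or Windows Server 2016 and later.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard

# Code meanings as documented for Win32_DeviceGuard; codes not listed are printed raw.
$platformProps = @{
    0 = 'none'
    1 = 'Base virtualization support (SLAT)'
    2 = 'Secure Boot'
    3 = 'DMA protection (IOMMU / Kernel DMA Protection)'
    4 = 'Secure Memory Overwrite (MOR)'
    5 = 'NX protections'
    6 = 'SMM mitigations'
}
$services = @{
    0 = 'none'
    1 = 'Credential Guard'
    2 = 'HVCI (Memory integrity)'
    3 = 'System Guard Secure Launch'
    4 = 'SMM Firmware Measurement'
}
$vbsStates = @{ 0 = 'not enabled'; 1 = 'enabled but not running'; 2 = 'enabled and running' }

# Hashtable keys are Int32; WMI returns UInt32, so cast before lookup.
function Describe($table, $code) {
    $c = [int]$code
    if ($table.ContainsKey($c)) { "$c - $($table[$c])" } else { "$c - (see Win32_DeviceGuard docs)" }
}

"VBS status: " + (Describe $vbsStates $dg.VirtualizationBasedSecurityStatus)
"Platform security properties available:"
$dg.AvailableSecurityProperties | ForEach-Object { "  " + (Describe $platformProps $_) }
"Security services running:"
$dg.SecurityServicesRunning     | ForEach-Object { "  " + (Describe $services $_) }

# Requirements from the deck that this class can confirm: Secure Boot, DMA protection,
# MOR and SMM mitigations. Report whichever are absent.
$required = 2, 3, 4, 6
$present  = @($dg.AvailableSecurityProperties | ForEach-Object { [int]$_ })
$missing  = $required | Where-Object { $present -notcontains $_ }
if ($missing) {
    "NOT Secured-core ready, missing: " + (($missing | ForEach-Object { $platformProps[$_] }) -join ', ')
} else {
    "Platform properties required for Secured-core are present."
}
```

The same class backs the Device Guard section of msinfo32.exe shown on a later slide, so the two views should agree.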

25
Test your system: DG_readiness tool

26
Use script to enable features

27
DGreadiness tool log file

28
msinfo32.exe

29
Virtualization-based security (VBS)

30
VBS system requirements:

• x64 CPU
• SLAT or Second Level Address Translation
• Intel VT-D or AMD-Vi
• Trusted Platform Module 2.0
• SMM protection supported firmware
• UEFI memory reporting
• Security MOR 2
• HVCI or Hypervisor Code Integrity

31
How to enable System Guard Secure Launch
• Mobile Device Management (MDM)
• Group Policy
• Windows Security app
• Registry

32
Enable via GPO

33

34
Enable: VBS and hypervisor-based code integrity (HVCI)
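An added example, not from the deck: the "Registry" route from the enabling-methods slide, wrapped in a function. The keys and value names are the DeviceGuard policy locations Microsoft documents for VBS, HVCI and System Guard Secure Launch; the function name and its switches are this example's own. Hardware prerequisites from the requirements slides must already be met, and nothing takes effect until the restart the next slide mentions.

```powershell
# Added example (not from the deck). Run from an elevated PowerShell prompt.
function Enable-SecuredCoreVbs {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [switch]$SecureLaunch,   # also turn on System Guard Secure Launch (needs D-RTM-capable firmware)
        [switch]$Restart         # reboot immediately so the settings apply
    )
    $dgKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
    $hvciKey = "$dgKey\Scenarios\HypervisorEnforcedCodeIntegrity"
    $sgKey   = "$dgKey\Scenarios\SystemGuard"

    foreach ($k in @($dgKey, $hvciKey, $sgKey)) {
        if (-not (Test-Path $k)) { New-Item -Path $k -Force | Out-Null }
    }

    if ($PSCmdlet.ShouldProcess('VBS + HVCI', 'Enable')) {
        # VBS on. RequirePlatformSecurityFeatures: 1 = Secure Boot only,
        # 3 = Secure Boot plus DMA protection (the IOMMU requirement from the deck).
        Set-ItemProperty -Path $dgKey -Name EnableVirtualizationBasedSecurity -Value 1 -Type DWord
        Set-ItemProperty -Path $dgKey -Name RequirePlatformSecurityFeatures  -Value 3 -Type DWord
        # HVCI (Memory integrity) on. Locked=0 leaves it switchable by an admin;
        # Locked=1 would apply the UEFI lock, which needs physical presence to undo.
        Set-ItemProperty -Path $hvciKey -Name Enabled -Value 1 -Type DWord
        Set-ItemProperty -Path $hvciKey -Name Locked  -Value 0 -Type DWord
        if ($SecureLaunch) {
            Set-ItemProperty -Path $sgKey -Name Enabled -Value 1 -Type DWord
        }
    }

    # Read back what was written so the caller can verify before rebooting.
    [pscustomobject]@{
        VBS          = (Get-ItemProperty $dgKey).EnableVirtualizationBasedSecurity
        HVCI         = (Get-ItemProperty $hvciKey).Enabled
        SecureLaunch = (Get-ItemProperty $sgKey -ErrorAction SilentlyContinue).Enabled
    }
    if ($Restart) { Restart-Computer -Force }
}

# Dry run first, then for real:
Enable-SecuredCoreVbs -SecureLaunch -WhatIf
# Enable-SecuredCoreVbs -SecureLaunch -Restart
```

After the reboot, the Win32_DeviceGuard check from the DG_Readiness slide (or msinfo32.exe) should show VBS as "enabled and running" with HVCI among the running services.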

35
VBS and HVCI require a restart

36
CONTACT US
mrvanderpool@techsavvyproductions.com

SOCIAL MEDIA
• YouTube: https://www.youtube.com/user/vanderl2796/featured
• Twitter: @_TechSavvyTeam
• Facebook: https://www.facebook.com/Tech-Savvy-Productions-105287381500897
• Follow on Instagram: techsavvyproductions
• https://www.instagram.com/techsavvyproductions/
• Mr.V: https://www.linkedin.com/in/lowell-vanderpool-57970623/

CREDITS
• Social media logos and "Tech Savvy Productions" teaser created by The 11th Hour: https://www.youtube.com/user/The11thH...

37
Become a member

38
Check out our website:
https://www.techsavvyproductions.com

39
Want an easy and free way to support this Channel? Please Subscribe!
80% of the individuals who watch our content do not subscribe.

40
We have subtitles in many languages:

We provide subtitles on our videos in many languages:

41
A BIG THANK YOU TO ALL OF OUR VIEWERS AND SUBSCRIBERS!

42