Microsoft Announces Secured-Core Hardware for Windows Server 2022 and Azure Stack HCI
Certified Secured-core server hardware products are now available for running Azure Stack HCI and Windows Server 2022 software implementations, according to an announcement on Tuesday.
The announcement pointed to Hewlett Packard Enterprise Gen 10 Plus server hardware with Secured-core server support for Azure Stack HCI. On the Windows Server 2022 side, Secured-core server products are available from Dell, Hewlett Packard Enterprise, NEC and Lenovo, per this Windows Server Catalog page. Windows Server 2022 reached "general availability" (commercial release) status back in September.
Microsoft touted its browser-based Windows Admin Center as enabling easy management of various Secured-core server capabilities.
"The Windows Admin Center UI allows you to easily configure the six features that encompass Secured-core server: Hypervisor Enforced Code Integrity, Boot Direct Memory Access (DMA) Protection, System Guard, Secure Boot, Virtualization-based security, and Trusted Platform Module 2.0."
Microsoft began requiring the use of Trusted Platform Module 2.0 chips and Secure Boot protections in new Windows Server hardware in 2021, as announced a year-and-a-half ago. Secure boot and TPM 2.0 chips ensure that boot loaders are properly signed via a hardware root of trust.
However, in late 2018, researchers found that Secure Boot alone wasn't wholly adequate, which led to the Secured-core products. Secured-core systems add other protections on top of Secure Boot.
Secured-core products add Dynamic Root of Trust for Measurement, which is software that assures that the boot process hasn't been tampered with. Also added is Kernel Direct Memory Access, which ensures memory isolation is supported by PCI devices before running them. The addition of Virtualization-Based Security protects credentials by creating a secure memory region away from the operating system. Also, Hypervisor-Based Code Integrity in Secured-core systems works with Virtualization-Based Security to "check the integrity of kernel mode drivers and binaries before they are started," explained Sonia Cuff of Microsoft, in this "Introduction to Secured-core computing" post.
Secured-core PC products also exist. They've been available for a couple of years.
Windows 11 ups the processor requirements for secured-core machines. Microsoft's rationale for making that change can be found in this talk between Scott Hanselman, partner program manager at Microsoft, and David Weston, director of enterprise and OS security for Windows at Microsoft.
Back in March, Weston indicated that the certified Secured-core approach would also be coming for edge devices or Internet of Things machines at some point.
Kurt Mackie is senior news producer for 1105 Media's Converge360 group.