Windows Server 2022 has arrived.
Microsoft recently held a virtual Windows Server Summit to launch it, with a two-hour livestream featuring different presenters covering different aspects of new features, plus some on-demand video content. The three main areas are Secure Core Server, SMB, and Storage Migration Service.
Secure Core Server
As the name implies, Microsoft is taking the tech incorporated into newer PC devices to protect against firmware attacks and expanding it to the server platform. This is timely as firmware attacks are on the rise and having a strong guarantee that the underlying hardware is secure is important.
Secure Core Servers from the major server manufacturers come with a Trusted Platform Module (TPM) 2.0 chip, BitLocker and Virtualization Based Security (VBS) enabled straight out of the box. The six areas that make up Secure Core are:
Trusted Platform Module (TPM) 2.0
Secure Boot
Virtualization Based Security (VBS)
Hypervisor-based Code Integrity (HVCI)
Boot DMA Protection
System Guard
Each of these contributes to a trusted hardware platform: the TPM stores BitLocker keys and other secrets securely; VBS uses hardware virtualization to stop credential attacks; and Secure Boot verifies the signatures on the boot software.
HVCI builds on VBS to protect the Control Flow Guard (CFG) bitmap from modification and to check that device drivers are signed with EV certificates. CFG is the part of Windows that stops malicious applications from corrupting the memory of benign applications. System Guard builds on these lower-level features and validates the whole boot chain using Static Root of Trust for Measurement (SRTM), Dynamic Root of Trust for Measurement (DRTM) and System Management Mode (SMM) protection.
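As an added example (not from the post), the PowerShell below reports the state of the Secure Core building blocks just described on a single host. It assumes an elevated session on Windows Server 2022; the System Guard registry location is an assumption to verify on your build.

```powershell
# Added example (not from the post): audit the Secure Core building blocks on a
# Windows Server 2022 host. Run in an elevated session.
# Property codes below are the documented ones for Win32_DeviceGuard.

$dg  = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
$tpm = Get-CimInstance -Namespace root\cimv2\Security\MicrosoftTpm -ClassName Win32_Tpm

# Confirm-SecureBootUEFI throws on legacy BIOS hosts; treat that as "not enabled".
$secureBoot = try { Confirm-SecureBootUEFI -ErrorAction Stop } catch { $false }

# BitLocker state of the OS volume (needs the BitLocker feature installed).
$osVol = try {
    (Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop).ProtectionStatus -eq 'On'
} catch { $false }

# System Guard Secure Launch policy (ASSUMED registry location; verify on your build).
$sgKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\SystemGuard'
$systemGuard = (Get-ItemProperty -Path $sgKey -Name Enabled -ErrorAction SilentlyContinue).Enabled -eq 1

$checks = [ordered]@{
    'TPM 2.0 present'             = ($null -ne $tpm -and $tpm.SpecVersion -like '2.0*')
    'Secure Boot enabled'         = $secureBoot
    # VirtualizationBasedSecurityStatus: 2 = enabled and running
    'VBS running'                 = ($dg.VirtualizationBasedSecurityStatus -eq 2)
    # SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI
    'HVCI running'                = ($dg.SecurityServicesRunning -contains 2)
    'Credential Guard running'    = ($dg.SecurityServicesRunning -contains 1)
    # AvailableSecurityProperties: 3 = DMA protection, 6 = SMM mitigations
    'Boot DMA protection'         = ($dg.AvailableSecurityProperties -contains 3)
    'SMM mitigations available'   = ($dg.AvailableSecurityProperties -contains 6)
    'System Guard policy enabled' = $systemGuard
    'OS volume BitLocker on'      = $osVol
}

$checks.GetEnumerator() |
    ForEach-Object { [pscustomobject]@{ Check = $_.Key; Pass = [bool]$_.Value } } |
    Format-Table -AutoSize

# Non-zero exit lets a build pipeline or monitoring job gate on the result.
if ($checks.Values -contains $false) { exit 1 }
```

A virtual machine will typically fail the TPM, DMA protection and SMM rows, which is the gap the next paragraph describes.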
If you run your domain controllers virtualized, or run Windows VMs on VMware, Secure Core Server will bring few if any benefits. That is not to say none of these features are available for VMs running on top of Hyper-V or as IaaS VMs in Azure (some already are, and more will be), but such VMs are not protected to the same degree as Secure Core servers.
SMB
If you use Remote Direct Memory Access (RDMA) to speed up your Hyper-V nodes' access to Storage Spaces Direct, for instance with SMB Direct, you can now encrypt that traffic. You also get granular control over encryption between nodes in a cluster, as well as over inbound and outbound traffic to the cluster.
Note that all of these features only work between Windows Server 2022 nodes, or when they communicate with Windows 11 clients. The encryption features, for instance, negotiate what each end supports and fall back to unencrypted traffic, so to ensure that all traffic is protected at the highest level you need to upgrade ALL servers and clients.
Windows Server 2022 comes in the familiar Standard and Datacenter editions (with Desktop Experience or Core), plus a new one, Datacenter: Azure Edition. This new edition is the only one that supports SMB over QUIC. As the name implies, Azure Edition only runs in Azure, or on Azure Stack HCI. That last name is confusing in itself: it implies the product runs in Azure (it doesn't; you run it on-premises) and that it has something to do with Azure Stack Hub (it doesn't; Hub is an integrated system you purchase from a vendor that runs the same software as Azure, just a few versions behind). Azure Stack HCI is a version of Windows Server that you run on your own hardware as Hyper-Converged Infrastructure (HCI), so storage is shared between the nodes using Storage Spaces Direct (S2D). It is a subscription version that you pay for monthly, and in turn it receives regular updates.
The bottom line: SMB over QUIC is only available on a new file server that you run in Azure or on Azure Stack HCI in your datacenter, and only when you connect from a Windows 11 client. This artificial limitation, not offering SMB over QUIC in Windows Server 2022 Standard or Datacenter, is particularly disappointing. Note that SMB over QUIC is currently in preview, but it is supported by Microsoft.
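The encryption controls and the QUIC transport discussed above, as an added example that is not from the post. It assumes a Windows Server 2022 file server and a Windows 11 client; the share name, host name and certificate thumbprint are placeholders.

```powershell
# Added example (not from the post): enforce SMB encryption on a Windows Server 2022
# file server and verify what clients actually negotiate. Run in an elevated session.
# 'Finance', 'fs1.corp.example' and the thumbprint are placeholders.

# --- Server: encrypt every share and refuse clients that cannot encrypt.
# RejectUnencryptedAccess turns the "fall back to unencrypted" behaviour into a hard
# failure for clients without SMB 3 encryption, so inventory old clients first.
Set-SmbServerConfiguration -EncryptData $true -RejectUnencryptedAccess $true -Force

# Server 2022 / Windows 11 add AES-256; list ciphers in preferred order and drop the
# AES-128 entries once every peer is Server 2022 or Windows 11.
Set-SmbServerConfiguration -EncryptionCiphers 'AES_256_GCM,AES_256_CCM,AES_128_GCM,AES_128_CCM' -Force

# Per-share alternative when the whole server cannot be switched at once.
Set-SmbShare -Name 'Finance' -EncryptData $true -Force

# Confirm the server-side settings took effect.
Get-SmbServerConfiguration |
    Select-Object EncryptData, RejectUnencryptedAccess, EncryptionCiphers

# --- Client (Windows 11 or Server 2022): which connections ended up encrypted?
# A row with Encrypted = False against a server that should enforce it means the
# global or per-share setting is not applied there.
Get-SmbConnection |
    Select-Object ServerName, ShareName, Dialect, Encrypted, Signed |
    Format-Table -AutoSize

# --- SMB over QUIC (server must be Datacenter: Azure Edition, client Windows 11).
# Bind the server's TLS certificate (local machine 'My' store) to the name clients use.
New-SmbServerCertificateMapping -Name 'fs1.corp.example' `
    -Thumbprint '<CERT-THUMBPRINT>' -StoreName My

# On the Windows 11 client, use the QUIC transport (UDP 443) instead of TCP 445.
New-SmbMapping -LocalPath 'Z:' -RemotePath '\\fs1.corp.example\Finance' -TransportType QUIC
```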
Storage Migration Service
Storage Migration Service has been in Windows for a few versions now, enabling seamless migration of file servers from legacy OS versions to modern ones. You point a destination server at an existing file server (or, if you have a fleet of them, have a Storage Migration Service orchestrator drive migrations from multiple source servers to multiple destination servers); it copies the data until both are in sync, and then you cut over to the new server. Server names, share names, permissions, everything is migrated, and your users will notice very little impact. The service now supports Linux Samba servers and NetApp file shares, and continues to support Windows file servers, including clustered ones.
Windows Server with Lighthouse Technology Partners
Lighthouse Technology Partners is an award-winning, strategic IT Provider delivering managed IT services, cyber security and cloud consulting for the modern workplace. We have over 35 years dedicated to bringing enterprise-ready solutions and security to small and mid-sized businesses across North America.
Have questions? Feel free to contact Lighthouse Technology Partners today for a free consultation.