The new security features in Windows Server 2022. This is what we're going to cover: Secured-core servers, which offer a hardware solution to security; virtualization-based security, or VBS; and what secure connectivity features are new to Windows Server 2022.

Let's begin by looking at a Secured-core server.

Secured-core servers in Windows Server 2022. Secured-core servers are basically where you have your OEM partner certify their hardware in order to meet the criteria to be a Secured-core server. These servers use the hardware, firmware, and driver capabilities to enable the advanced Windows Server security features. This is very useful against sophisticated attacks. A lot of the attacks these days are coming in on the firmware and on the kernel, which the operating system can't necessarily get to, so all of the software that you have on the operating system can't really see the firmware and can't really see the kernel. So this is a protection against that.

Some more details. This involves something called the hardware-based root of trust. This is the reason you need the TPM and Windows Server 2022. This provides a secure store for the sensitive keys and the sensitive data that you have on your machine. Basically, if you're familiar with BitLocker, this uses the same capabilities that BitLocker uses. We're trying to achieve something called attestation, meaning that something is accountable all the way from the launch of the machine to the launch of the hypervisor and secure kernel. The operating system, hypervisor, and secure kernel binaries have to be signed by Microsoft. And what we're trying to do here is verify the trustworthiness of a platform and the integrity of the binaries. This will enable security paradigms such as Azure confidential computing and intelligent edge protection, all in order to protect the firmware. This can use the Dynamic Root of Trust for Measurement technology. And what you're doing here is measuring all the different things that went in as the kernel is loading. And it can check that to make sure that, wow, something got loaded that you didn't want to get loaded, which would probably be some kind of attack on your firmware. This also protects the dynamic memory access from an invasive installation of a virus, and it isolates the security-critical hypervisor from attacks.

So with all these protections, what we're looking at is to certify the hardware, the firmware, and the kernel in order to have it certified as a Secured-core server. So that's a look at Secured-core server in Windows Server 2022. Up next, we'll examine another security feature called virtualization-based security.