In the evolving landscape of data centers, edge computing, and cloud environments, the importance of server security and platform integrity cannot be overstated. Windows Server customers have long depended on built-in security features such as Secure Boot and BitLocker to safeguard their infrastructure. These features become even more robust when paired with appropriate server hardware, including the Trusted Platform Module (TPM) and adequate support for Unified Extensible Firmware Interface (UEFI). However, while these hardware capabilities are prevalent in x64 servers, they remain optional in the current server offerings.
Enhancing Security Standards
In a significant move, Microsoft plans to elevate the security standards for Windows Server hardware certification in its next major release. This initiative aims to ensure that these essential security features are included by default, thereby instilling greater confidence in customers deploying Windows Server on platforms that prioritize integrity. Notably, the new certification will mandate that TPM 2.0 is installed and enabled by default. Furthermore, systems pre-installed with the upcoming Windows Server will have Secure Boot activated by default. These requirements will extend to all servers running Windows Server, encompassing bare metal setups, virtual machines operating on Hyper-V, and third-party hypervisors approved through the Server Virtualization Validation Program (SVVP).
These enhancements are set to automate and strengthen the built-in security features of the forthcoming Windows Server release.
Secure Boot plays a pivotal role in maintaining system integrity by ensuring that only trusted operating systems are loaded during the boot process. This mechanism is crucial in preventing malware, such as rootkits, from compromising the boot sequence. Given that the code executed during boot has privileged access to system resources and is responsible for critical security initialization, any malicious interference can have dire consequences. Numerous articles have highlighted the serious risks associated with vulnerabilities in this area. By permitting only code signed by trusted authorities to run during the boot process, Secure Boot significantly mitigates these risks and lays a solid foundation for the operating system’s security framework.
TPM 2.0 enhances security further by providing hardware support for secure measurements and key storage. The Secure Boot process can utilize TPM 2.0 to securely capture and store each step of the boot sequence. This capability allows system operators to request a tamper-evident report from the TPM, verifying whether the system booted as intended. Additionally, BitLocker, a native volume encryption solution for Windows Server, leverages TPM 2.0 to bolster security. By ensuring that volumes are decrypted only if the system booted correctly, as validated by TPM measurements, BitLocker, in conjunction with Network Unlock, offers a scalable and secure management solution for encryption, thereby safeguarding sensitive data more effectively.
Looking to the future, Secure Boot and TPM 2.0 will serve as foundational elements of Windows Server security, providing customers with a fortified baseline for systems available in the ecosystem. The enforcement of these requirements will apply to new server platforms introduced after January 1, 2021. Existing server platforms will receive Additional Qualification certification, assisting customers in identifying systems that comply with these standards, akin to the current Assurance AQ for Windows Server 2019.
