Cyberattacks come from every conceivable angle in the data center, but several improved and new network security features in Windows Server 2022 aim to thwart these breach attempts.
The past few years have seen numerous data breaches in organizations of all sizes, highlighting the need for better network security. Because Windows Server is a key component of most enterprise infrastructures, it is essential to use every control the operating system gives the administrator to reduce the risk of falling victim to an intrusion. For organizations that want to improve their defensive posture, the enhanced network security features in Windows Server 2022 can limit their exposure to a wide range of attacks, provided they are actually switched on and verified.
Transport Layer Security 1.3
One of the biggest security enhancements that Microsoft added to Windows Server 2022 is native support for Transport Layer Security (TLS) 1.3, the protocol version published as RFC 8446 in 2018. TLS 1.3 is the latest version of the protocol used to encrypt most application traffic. Rather than patching individual bugs, it removes the weak and obsolete options that were behind many attacks on TLS 1.2 deployments (RSA key transport without forward secrecy, static Diffie-Hellman, CBC-mode and RC4 ciphers, SHA-1, compression and renegotiation) and completes the handshake in one round trip instead of two, so connections are set up faster.
Microsoft enabled TLS 1.3 by default in Windows Server 2022, but Schannel still negotiates earlier versions to support clients that cannot use it. TLS 1.0 and 1.1 remain enabled by default on Windows Server 2022, so an administrator who wants to retire them has to disable them explicitly in the Schannel protocol settings, after confirming that no dependent client or service still needs them.
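The following PowerShell is an added example, not code from the original article or from Microsoft: it inventories the Schannel protocol versions on a Windows Server 2022 host, disables the legacy ones, and confirms from a live handshake that TLS 1.3 is negotiated. The host name files.corp.example is a placeholder; the registry paths and cmdlets are the standard Schannel locations and built-in TLS module. Run it in an elevated session and reboot before trusting the result.

```powershell
# Added example (not from the original article): audit and harden Schannel protocol
# versions on Windows Server 2022, then confirm TLS 1.3 is what gets negotiated.
# Placeholder host name: files.corp.example

$protocols = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Get-SchannelProtocolState {
    # Report the server-side Enabled / DisabledByDefault values for each protocol.
    # An absent key means "OS default"; on Server 2022 that default still allows TLS 1.0/1.1.
    foreach ($name in 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2', 'TLS 1.3') {
        $key   = Join-Path $protocols "$name\Server"
        $props = if (Test-Path $key) { Get-ItemProperty -Path $key } else { $null }
        [pscustomobject]@{
            Protocol          = $name
            Enabled           = if ($null -ne $props) { $props.Enabled } else { 'default' }
            DisabledByDefault = if ($null -ne $props) { $props.DisabledByDefault } else { 'default' }
        }
    }
}

function Disable-LegacySchannelProtocol {
    # Disable the named protocols for both inbound (Server) and outbound (Client) use.
    # Disabling the Client side also stops this host talking to legacy services, so
    # check outbound dependencies before running it.
    param([Parameter(Mandatory)][string[]]$Name)
    foreach ($n in $Name) {
        foreach ($side in 'Server', 'Client') {
            $key = Join-Path $protocols "$n\$side"
            New-Item -Path $key -Force | Out-Null
            Set-ItemProperty -Path $key -Name 'Enabled'           -Value 0 -Type DWord
            Set-ItemProperty -Path $key -Name 'DisabledByDefault' -Value 1 -Type DWord
        }
    }
}

function Test-TlsVersion {
    # Open a TLS session with the OS defaults and report the version Schannel negotiated.
    param([Parameter(Mandatory)][string]$ComputerName, [int]$Port = 443)
    $tcp = [System.Net.Sockets.TcpClient]::new($ComputerName, $Port)
    try {
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false)
        $ssl.AuthenticateAsClient($ComputerName)   # offers TLS 1.3 on Server 2022 / .NET 4.8
        [pscustomobject]@{
            Host     = $ComputerName
            Protocol = $ssl.SslProtocol        # expect Tls13 against a TLS 1.3 listener
            Cipher   = $ssl.CipherAlgorithm
        }
    } finally { $tcp.Close() }
}

# 1. Inventory before touching anything.
Get-SchannelProtocolState | Format-Table -AutoSize

# 2. Retire SSL 3.0, TLS 1.0 and TLS 1.1 once no dependent clients remain. A reboot is
#    needed before listeners pick up the change.
Disable-LegacySchannelProtocol -Name 'SSL 3.0', 'TLS 1.0', 'TLS 1.1'

# 3. Confirm the TLS 1.3 suites are enabled and that a real handshake lands on TLS 1.3.
Get-TlsCipherSuite | Where-Object Name -like 'TLS_AES*' | Select-Object Name
Test-TlsVersion -ComputerName 'files.corp.example'
```

Test-TlsVersion deliberately does not pin the protocol on the client side: the point is to see what the server and the OS defaults agree on, which is what real clients will get.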
HTTP/3
HTTP dates back to 1989. Developed to transfer content from the World Wide Web to clients, its creators may not have anticipated the rapid pace of its adoption. The previous major revision, HTTP/2 in 2015, addressed performance and some security issues, and Windows Server 2022 now implements the third revision, HTTP/3, in HTTP.sys.
HTTP/3, finalized by the IETF as RFC 9114 in 2022, was already in production use by Google and Facebook before it was standardized. It replaces TCP with QUIC, a transport protocol built on the User Datagram Protocol (UDP). Beyond better performance, HTTP/3 is encrypted by design: QUIC integrates TLS 1.3 into the transport itself, so there is no unencrypted mode of HTTP/3 the way there is for HTTP/1.1 and HTTP/2.
Enabling HTTP/3 in HTTP.sys requires adding the following registry value (the key path is HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\HTTP\Parameters):
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\HTTP\Parameters" /v EnableHttp3 /t REG_DWORD /d 1 /f
Microsoft also recommends that administrators configure HTTP.sys to advertise HTTP/3 availability. With this value set, responses sent over HTTP/1.1 or HTTP/2 carry an Alt-Svc header; clients that understand it switch to HTTP/3 over UDP for subsequent connections. To enable the Alt-Svc advertisement, add the following registry value:
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\HTTP\Parameters" /v EnableAltSvc /t REG_DWORD /d 1 /f
Restart the server for the registry values to take effect. HTTP/3 only works on a site that already has an HTTPS binding, and because QUIC runs over UDP, the firewall must allow inbound UDP on the HTTPS port (443 by default) in addition to the TCP rule that IIS normally creates.
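The following PowerShell is an added example, not code from the original article or from Microsoft: it performs the two registry changes above through the registry provider, adds the UDP firewall rule that QUIC needs, and checks after the reboot that the site really advertises HTTP/3. The site name www.corp.example and the rule name are placeholders.

```powershell
# Added example (not from the original article): enable HTTP/3 in HTTP.sys on
# Windows Server 2022, open the UDP port QUIC listens on, and verify the Alt-Svc
# advertisement. Run elevated. Placeholder site: https://www.corp.example/

$httpParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'

function Enable-Http3Listener {
    # EnableHttp3 turns on the QUIC listener; EnableAltSvc makes HTTP/1.1 and HTTP/2
    # responses carry an Alt-Svc header that points clients at HTTP/3.
    Set-ItemProperty -Path $httpParams -Name 'EnableHttp3' -Value 1 -Type DWord
    Set-ItemProperty -Path $httpParams -Name 'EnableAltSvc' -Value 1 -Type DWord
    Get-ItemProperty -Path $httpParams | Select-Object EnableHttp3, EnableAltSvc
}

function Open-QuicFirewallPort {
    # QUIC runs over UDP. The default IIS rule only allows TCP 443, so add a UDP rule.
    param([int]$Port = 443)
    $name = "HTTP/3 (QUIC) UDP $Port inbound"      # placeholder rule name
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol UDP `
            -LocalPort $Port -Action Allow -Profile Domain, Private | Out-Null
    }
    Get-NetFirewallRule -DisplayName $name | Select-Object DisplayName, Enabled, Action
}

function Test-Http3Advertised {
    # Fetch the site over HTTP/1.1 (what Invoke-WebRequest speaks) and look for an
    # Alt-Svc header naming h3. Only meaningful after the reboot.
    param([Parameter(Mandatory)][string]$Uri)
    $resp   = Invoke-WebRequest -Uri $Uri -UseBasicParsing
    $altSvc = [string]$resp.Headers['Alt-Svc']
    [pscustomobject]@{
        Uri          = $Uri
        AltSvc       = $altSvc                       # e.g. h3=":443"; ma=86400
        AdvertisesH3 = [bool]($altSvc -match '\bh3\b')
    }
}

Enable-Http3Listener
Open-QuicFirewallPort
# Restart-Computer                                    # HTTP.sys reads these values at start
# Test-Http3Advertised -Uri 'https://www.corp.example/'  # run after the reboot
```

If AdvertisesH3 comes back false after the reboot, check that the site's binding uses a TLS 1.3-capable certificate and that nothing upstream (a load balancer or WAF) is dropping UDP 443, since clients fall back silently to HTTP/2 in either case.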
Secure DNS
Microsoft has enhanced Windows Server 2022 network security with support for DNS-over-HTTPS (DoH), one of the protocols usually grouped under the label "secure DNS" alongside DNS-over-TLS. Instead of sending queries in cleartext UDP or TCP port 53 packets, the DNS client wraps them in an HTTPS session to the resolver. This is client-side support: the Windows DNS Server role still answers classic DNS only, so the DoH endpoint has to be a resolver that offers one.
DoH keeps DNS queries private on the wire. Someone monitoring the network will see an HTTPS session to the resolver, but not the names being looked up or the answers returned. Some organizations use it to keep their browsing patterns from their ISP. Because the answers arrive inside an authenticated TLS session, DoH also defeats on-path tampering between the client and the resolver, such as spoofed responses or hijacking of the query on the way. It does nothing against a resolver that is itself malicious or compromised.
Organizations need to decide whether secure DNS is in their best interest. Although it has security benefits, it can make malicious activity harder to detect from the network, because the DNS queries that malware generates (for command-and-control domains, for example) are hidden from passive monitoring along with everyone else's. The usual compromise is to point clients only at a DoH-capable resolver the organization controls and logs, and to block DoH to unapproved public resolvers at the perimeter, so that privacy from outsiders does not turn into blindness for the defenders.
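The following PowerShell is an added example, not code from the original article or from Microsoft: it registers an internal DoH resolver with the Windows Server 2022 DNS client using the built-in DnsClient cmdlets, makes it the interface's resolver with fallback to plaintext disabled, and reports, per interface, which resolvers are in use, whether they are DoH-capable and whether they would silently fall back to UDP/53. The resolver address 10.0.0.53, the template URL, the interface alias and the approved-resolver list are placeholders.

```powershell
# Added example (not from the original article): configure and audit DNS-over-HTTPS on
# the Windows Server 2022 DNS client. Placeholders: 10.0.0.53, dns.corp.example, 'Ethernet'.

$resolverIp        = '10.0.0.53'
$dohTemplate       = 'https://dns.corp.example/dns-query'
$interfaceAlias    = 'Ethernet'
$approvedResolvers = @('10.0.0.53', '10.0.1.53')   # resolvers the security team logs

function Set-InternalDohResolver {
    # Register the resolver's DoH template. AutoUpgrade makes the client use DoH whenever
    # this address is the configured resolver; AllowFallbackToUdp $false refuses to send
    # plaintext port-53 queries if the HTTPS channel is down (fail closed, by design).
    if (-not (Get-DnsClientDohServerAddress -ServerAddress $resolverIp -ErrorAction SilentlyContinue)) {
        Add-DnsClientDohServerAddress -ServerAddress $resolverIp -DohTemplate $dohTemplate `
            -AllowFallbackToUdp $false -AutoUpgrade $true
    }
    # The template only applies when this address is actually the interface's DNS server.
    Set-DnsClientServerAddress -InterfaceAlias $interfaceAlias -ServerAddresses $resolverIp
    Get-DnsClientDohServerAddress -ServerAddress $resolverIp
}

function Get-DnsPrivacyPosture {
    # One row per (interface, resolver): is it DoH-capable, will it fall back to cleartext,
    # and is it one of ours? Rows with Approved=False are the monitoring gap to close.
    $doh = Get-DnsClientDohServerAddress
    foreach ($cfg in Get-DnsClientServerAddress -AddressFamily IPv4) {
        foreach ($srv in $cfg.ServerAddresses) {
            $entry = $doh | Where-Object ServerAddress -eq $srv
            [pscustomobject]@{
                Interface      = $cfg.InterfaceAlias
                Resolver       = $srv
                DohTemplate    = if ($entry) { $entry.DohTemplate } else { $null }
                AutoUpgrade    = if ($entry) { [bool]$entry.AutoUpgrade } else { $false }
                FallsBackToUdp = if ($entry) { [bool]$entry.AllowFallbackToUdp } else { $true }
                Approved       = $srv -in $approvedResolvers
            }
        }
    }
}

Set-InternalDohResolver
Get-DnsPrivacyPosture | Format-Table -AutoSize
# Quick functional check: a lookup that succeeds with FallsBackToUdp=False proves the
# HTTPS path to the resolver is working rather than being silently bypassed.
Resolve-DnsName -Name 'www.corp.example' -Server $resolverIp -Type A
```

The posture report is the part worth scheduling: a resolver that appears with AutoUpgrade false or FallsBackToUdp true is sending cleartext DNS, and one with Approved false is a resolver whose logs the security team cannot see. Blocking outbound port 53 to anything but the approved resolvers at the perimeter complements this host-side configuration.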
SMB AES-256 encryption
SMB encryption encrypts Server Message Block (SMB) traffic on the network. SMB is the protocol used by Windows devices to access Windows file shares. SMB is also commonly used for connectivity to NAS appliances and other storage arrays.
Microsoft added SMB encryption to Windows Server 2012 and enhanced it in Windows Server 2022 by adding support for AES-256-GCM and AES-256-CCM encryption.
Administrators enable SMB encryption from the Windows Admin Center by connecting to the server hosting an SMB share, clicking Files and File Sharing, then the File Shares tab. From there, select the share to encrypt and check Enable SMB encryption.
The same setting can be applied from PowerShell with the EncryptData parameter of the Set-SmbShare cmdlet, which flags a single share for encryption, or of Set-SmbServerConfiguration, which applies it to every share on the server.
When using SMB encryption, understand the difference between enabling and requiring it. Setting EncryptData on a share or on the server tells SMB 3.x clients to encrypt their sessions. Whether clients that cannot encrypt at all (SMB 1 and SMB 2.x) are still admitted in cleartext is governed by the separate RejectUnencryptedAccess server setting, which is $true by default: with it left at $true, encryption is effectively required and unencrypted connections are refused; setting it to $false downgrades encryption to "use it if the client can."
Windows Server 2022 and Windows 11 are currently the only Windows operating systems that support AES-256 SMB encryption. Legacy Windows clients connecting to an SMB share hosted on Windows Server 2022 negotiate down to an older cipher: AES-128-GCM for SMB 3.1.1 clients (Windows 10 and Windows Server 2016 and later) and AES-128-CCM for SMB 3.0 and 3.02 clients (Windows 8 and Windows Server 2012 era). Mandating AES-256 therefore locks those clients out of encrypted shares.
Windows Server 2022 also supports SMB encryption for east-west traffic, meaning the SMB traffic that flows between Windows failover cluster nodes for Cluster Shared Volumes. If the failover cluster uses Storage Spaces Direct, this option encrypts the intra-cluster storage traffic between nodes as well, which otherwise crosses the storage network in cleartext.
The easiest way to force a cluster node to encrypt all SMB traffic it serves is to enter the following command in PowerShell on each node (-Force suppresses the confirmation prompt):
Set-SmbServerConfiguration -EncryptData $True -Force
Verify that the operation was successful by running Get-SmbServerConfiguration and checking that EncryptData reports True; while there, confirm that RejectUnencryptedAccess is still True, otherwise encryption is enabled but not enforced.
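The following PowerShell is an added example, not code from the original article or from Microsoft, covering the whole procedure above: encrypt one share, then encrypt everything the server (or cluster node) serves, optionally restrict the negotiated ciphers to AES-256, and produce a report that shows what is actually enforced. It uses the built-in SmbShare cmdlets; the EncryptionCiphers parameter is the Windows Server 2022 / Windows 11 addition that controls cipher negotiation. The share name Finance is a placeholder.

```powershell
# Added example (not from the original article): enable, require and verify SMB
# encryption on a Windows Server 2022 file server or cluster node. Run elevated.
# Placeholder share name: Finance

function Enable-ShareEncryption {
    # Per-share: only sessions to this share are encrypted; other shares are untouched.
    param([Parameter(Mandatory)][string]$ShareName)
    Set-SmbShare -Name $ShareName -EncryptData $true -Force
    Get-SmbShare -Name $ShareName | Select-Object Name, Path, EncryptData
}

function Enable-ServerWideEncryption {
    # Server-wide: every share, including cluster east-west traffic on a node.
    # RejectUnencryptedAccess ($true by default) is what turns "enabled" into "required":
    # SMB 1 and 2.x clients that cannot encrypt are refused instead of admitted in cleartext.
    param([bool]$RejectUnencryptedAccess = $true)
    Set-SmbServerConfiguration -EncryptData $true `
        -RejectUnencryptedAccess $RejectUnencryptedAccess -Force
    Get-SmbServerConfiguration | Select-Object EncryptData, RejectUnencryptedAccess
}

function Restrict-SmbCiphersToAes256 {
    # Windows Server 2022 / Windows 11 only: set the ciphers the server will negotiate,
    # most preferred first. Dropping the AES-128 suites locks out Windows 10 / Server 2019
    # and older clients, which cannot do AES-256.
    param([switch]$KeepAes128ForLegacyClients)
    $ciphers = if ($KeepAes128ForLegacyClients) {
        'AES_256_GCM,AES_256_CCM,AES_128_GCM,AES_128_CCM'
    } else {
        'AES_256_GCM,AES_256_CCM'
    }
    Set-SmbServerConfiguration -EncryptionCiphers $ciphers -Force
    (Get-SmbServerConfiguration).EncryptionCiphers
}

function Get-SmbEncryptionReport {
    # Snapshot of what is actually enforced; suitable for a scheduled compliance check.
    $cfg = Get-SmbServerConfiguration
    [pscustomobject]@{
        ServerEncryptsAll       = $cfg.EncryptData
        RejectsUnencrypted      = $cfg.RejectUnencryptedAccess
        Ciphers                 = $cfg.EncryptionCiphers
        # Non-special (non-admin) shares that neither the server setting nor a
        # per-share setting covers.
        UnencryptedShares       = (Get-SmbShare |
            Where-Object { -not $_.EncryptData -and -not $_.Special -and -not $cfg.EncryptData }).Name
        ActiveSessionsByDialect = Get-SmbSession | Group-Object Dialect | Select-Object Name, Count
    }
}

Enable-ShareEncryption -ShareName 'Finance'
Enable-ServerWideEncryption
Restrict-SmbCiphersToAes256 -KeepAes128ForLegacyClients
Get-SmbEncryptionReport
```

ActiveSessionsByDialect is the early-warning signal before tightening ciphers: any session on a dialect below 3.1.1 belongs to a client that cannot negotiate AES-256, and any below 3.0 to one that cannot encrypt at all and will be rejected once RejectUnencryptedAccess is enforced.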
SMB Direct and RDMA encryption
Microsoft has expanded support for encryption with SMB Direct in Windows Server 2022. SMB Direct uses Remote Direct Memory Access (RDMA), over RDMA-capable network adapters (iWARP, RoCE or InfiniBand), to move large amounts of data between hosts without the CPU overhead these transfers normally require.
In previous versions of Windows Server, enabling SMB encryption disabled direct data placement, which dropped SMB Direct's throughput to roughly that of a normal SMB session and left administrators choosing between speed and confidentiality. Windows Server 2022 addresses this by encrypting the data before it is placed, so organizations get encrypted transfers at close to RDMA speed. The encryption still costs some CPU, but the impact is usually minor compared with losing RDMA altogether.
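The following PowerShell is an added example, not code from the original article or from Microsoft: it checks, on the server and on a client, that SMB encryption is on and that the RDMA path is still the one SMB multichannel has selected, which is the practical test that the Windows Server 2022 behaviour described above is what you are getting. It uses the built-in NetAdapter and SmbShare cmdlets; the server name fs01 is a placeholder.

```powershell
# Added example (not from the original article): confirm that SMB encryption and
# SMB Direct (RDMA) are in use at the same time. Placeholder server name: fs01

function Get-SmbDirectServerStatus {
    # Run on the file server: RDMA must be enabled on the NIC and the SMB server must
    # see the interface as RDMA-capable, or clients will fall back to TCP.
    [pscustomobject]@{
        EncryptData       = (Get-SmbServerConfiguration).EncryptData
        RdmaEnabledNics   = (Get-NetAdapterRdma | Where-Object Enabled).Name
        SmbRdmaInterfaces = Get-SmbServerNetworkInterface |
                                Where-Object RdmaCapable |
                                Select-Object IpAddress, Speed
    }
}

function Test-SmbDirectInUse {
    # Run on a Windows Server 2022 client with a share open on $ServerName.
    # 'Selected' marks the interface pairs multichannel is actually using; SMB Direct is
    # in play only if a selected pair is RDMA-capable on both ends.
    param([Parameter(Mandatory)][string]$ServerName)
    $conns = Get-SmbMultichannelConnection -ServerName $ServerName
    [pscustomobject]@{
        Server         = $ServerName
        Dialect        = (Get-SmbConnection -ServerName $ServerName | Select-Object -First 1).Dialect
        SelectedPaths  = $conns | Where-Object Selected |
                             Select-Object ClientIpAddress, ServerIpAddress,
                                           ClientRdmaCapable, ServerRdmaCapable
        UsingSmbDirect = [bool]($conns | Where-Object {
                             $_.Selected -and $_.ClientRdmaCapable -and $_.ServerRdmaCapable })
    }
}

Get-SmbDirectServerStatus
Test-SmbDirectInUse -ServerName 'fs01'
```

If EncryptData is True but UsingSmbDirect is False, the pre-2022 behaviour is what you are seeing: check that both ends are Windows Server 2022 and that the RDMA NICs appear in both RdmaEnabledNics and SmbRdmaInterfaces.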
Microsoft covers these SMB enhancements at the following link.