Microsoft is continually adding new features to Windows Admin Center. It is steadily becoming a tremendously powerful tool for Windows admins to use for Windows administration across the board and is increasingly gaining in popularity and adoption. The latest version available for download is Windows Admin Center Preview 2012. In this release, Microsoft has added some exciting new features and capabilities.
One of the new features is a Preview release of the security extension available for download, called the Secured-core extension. What is the Secured-core extension? How do you enable it? What does it do, and how can Windows administrators use it to ensure their Windows Server is secure?
Enabling the Insider Preview Extensions feed in WAC
A great feature Microsoft has enabled with Windows Admin Center is pulling down Insider Previews of the default extensions available for download. However, this functionality is not enabled by default. You must add a new feed from which to pull the Windows Admin Center extensions. How do you enable the Windows Admin Center Preview feed?
To enable the Insider Preview feed, click the settings icon in the upper right-hand corner. Click the Feeds tab. Then click the Add button. Enter the feed URL: https://aka.ms/wac-insiders-feed.
Now you can download the latest Security extension to view the new Secured-core feature. As you can see below, there are two Security Preview extensions listed. However, the Security Preview 0.13.0 release is the version you get when you enable the Insider Preview feed in Windows Admin Center. It is this release that contains the new Secured-core feature.
What is the Windows Admin Center Secured-core extension?
The new Secured-core extension provides a high-level view of the core security features that are enabled. After installing the new Security Preview 0.13.0 extension, you will see the Secured-core tab available. This tab is not contained in the 0.9.4 non-Insider release. As you can see below, the server only meets two of the Secured-core checks.
What is Microsoft checking for in the Secured-core check? As shown, there are six areas the Secured-core assessment validates for your Windows machine. These include:
- HVCI (Hypervisor-protected code integrity)
- Boot DMA protection
- System guard
- Secure boot
- VBS (Virtualization-based security)
- TPM 2.0
What are each of these areas?
HVCI (Hypervisor-protected Code Integrity)
HVCI stands for hypervisor-protected code integrity. The HVCI feature provides the following protections to your Windows node:
- It prevents modification of the Control Flow Guard (CFG) settings.
- It ensures that other security processes, such as Credential Guard, have a valid certificate.
- Device drivers must also make use of an extended validation (EV) certificate and support HVCI.
There are various ways to enable the HVCI feature. You can enable HVCI manually by navigating to Settings > Update & Security > Windows Security > Device security > Core isolation details > Memory integrity.
To enable HVCI using Group Policy, configure the setting under the Turn On Virtualization Based Security policy. The Virtualization Based Protection of Code Integrity setting turns on HVCI.
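The Settings and Group Policy paths above are the interactive routes. As an added example (not code from the article or from Windows Admin Center), the following PowerShell reads the same VBS/HVCI state the Secured-core check reports, via the Win32_DeviceGuard WMI class, and writes the registry values that Microsoft documents as the equivalent of the "Virtualization Based Protection of Code Integrity" policy setting. The function names and the "Pass" interpretation of the status codes are this example's own; the class, namespace and registry paths are the documented ones. Run it from an elevated prompt; a reboot is needed before HVCI starts.

```powershell
# Added example: query and enable HVCI on the local machine.
# Function names (Get-HvciState, Enable-Hvci) are this example's own.

function Get-HvciState {
    # Win32_DeviceGuard exposes the VBS/HVCI state that Windows Admin Center displays.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName 'Win32_DeviceGuard'

    # VirtualizationBasedSecurityStatus: 0 = not enabled, 1 = enabled but not running, 2 = running
    $vbsStatus = switch ($dg.VirtualizationBasedSecurityStatus) {
        0 { 'NotEnabled' }
        1 { 'EnabledNotRunning' }
        2 { 'Running' }
        default { 'Unknown' }
    }

    # SecurityServicesConfigured / SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI
    # AvailableSecurityProperties: 2 = Secure Boot, 3 = DMA protection (platform features VBS can use)
    [pscustomobject]@{
        VbsStatus              = $vbsStatus
        HvciConfigured         = [bool]($dg.SecurityServicesConfigured -contains 2)
        HvciRunning            = [bool]($dg.SecurityServicesRunning -contains 2)
        SecureBootAvailable    = [bool]($dg.AvailableSecurityProperties -contains 2)
        DmaProtectionAvailable = [bool]($dg.AvailableSecurityProperties -contains 3)
    }
}

function Enable-Hvci {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Also require DMA protection (RequirePlatformSecurityFeatures = 3 instead of 1).
        [switch]$RequireDmaProtection,
        # Write the UEFI lock so HVCI cannot be switched off by a remote change alone.
        [switch]$UefiLock
    )
    $dgKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
    $hvciKey = Join-Path $dgKey 'Scenarios\HypervisorEnforcedCodeIntegrity'

    if ($PSCmdlet.ShouldProcess($hvciKey, 'Enable HVCI')) {
        New-Item -Path $hvciKey -Force | Out-Null

        # Turn on VBS and state which platform features it must have (1 = Secure Boot, 3 = Secure Boot + DMA).
        $platform = if ($RequireDmaProtection) { 3 } else { 1 }
        Set-ItemProperty -Path $dgKey -Name 'EnableVirtualizationBasedSecurity' -Value 1 -Type DWord
        Set-ItemProperty -Path $dgKey -Name 'RequirePlatformSecurityFeatures' -Value $platform -Type DWord

        # Enable the HVCI scenario itself; Locked = 1 applies the UEFI lock.
        $locked = if ($UefiLock) { 1 } else { 0 }
        Set-ItemProperty -Path $hvciKey -Name 'Enabled' -Value 1 -Type DWord
        Set-ItemProperty -Path $hvciKey -Name 'Locked' -Value $locked -Type DWord

        Write-Warning 'Reboot required before HVCI starts. Re-run Get-HvciState afterwards to confirm HvciRunning.'
    }
}

# Example session: report the current state and show what Enable-Hvci would change.
$state = Get-HvciState
$state
if (-not $state.HvciRunning) {
    Enable-Hvci -WhatIf   # drop -WhatIf to apply the change
}
```

Check `SecureBootAvailable` and `DmaProtectionAvailable` before enabling with `-RequireDmaProtection`: if the platform cannot satisfy the requirement, VBS stays in the "enabled but not running" state after the reboot, which is also how the Secured-core tab will continue to report it.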
Boot DMA Protection
The next setting is Boot DMA Protection. Starting with Windows 10 version 1803, Microsoft introduced a new security feature dubbed Kernel DMA Protection. This new security feature protects against drive-by direct memory access (DMA) attacks using hot-plug devices connected to ports such as Thunderbolt and CFexpress, which are externally accessible PCIe ports.
Note that there are system compatibility issues to be considered regarding the Kernel DMA protection capability. Kernel DMA protection requires new UEFI firmware support and is anticipated only on newly introduced Intel-based systems shipping with Windows 10 version 1803 and higher. You can use MSINFO32.EXE to verify whether kernel DMA protection is enabled for your Windows system.
System Guard
Windows Defender System Guard allows managing existing Windows 10 system integrity features under a single pane of glass. It is designed to protect and maintain system integrity as the system boots. It helps to validate that system integrity has been maintained through both local and remote attestation.
With Windows 10 installed on modern hardware platforms, the system uses hardware-based trust that guarantees the firmware and other software are authorized. It is a component of the Secure Boot feature, which leverages UEFI to measure the system's boot phase for integrity. It leverages a Dynamic Root of Trust for Measurement (DRTM) boot flow to securely launch the hypervisor.
Secure Boot
The Secure Boot mechanism is a newer standard that ensures a device boots using only software trusted by the OEM. At boot time, Secure Boot checks that each software component, including UEFI firmware drivers, EFI apps, and the operating system, carries the expected signature. If not, this may indicate that the system has been compromised.
VBS (Virtualization-based Security)
Virtualization-based security (VBS) uses hardware virtualization technology to isolate secure areas of memory from the normal operating system. This virtual secure mode can serve as the host of other security solutions to protect them from operating system vulnerabilities or malicious exploits. An example of a security solution that can take advantage of virtualization-based security is the aforementioned hypervisor-enforced code integrity (HVCI).
TPM 2.0
Trusted Platform Module (TPM) 2.0 is a technology designed to provide hardware-based security functions. The TPM chip is a specially designed cryptoprocessor that allows generating, storing, and limiting access to keys. TPM chips have traditionally been discrete hardware devices that are part of the motherboard. TPM has even evolved into a virtualized solution, such as the one now found in VMware vSphere, to allow for a virtual trusted platform module or vTPM. The vTPM allows cryptographic capabilities to be performed in the software layer, extending the hardware TPM chip's benefits into the software layer.
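Since the Secured-core tab only displays the result of the six checks, it helps to know where each one can be read on the server itself. The following PowerShell is an added example, not the extension's own code, that reports the same six areas in read-only fashion: HVCI, VBS and System Guard Secure Launch from the Win32_DeviceGuard class, Kernel DMA Protection from an msinfo32 report (the tool the Boot DMA section above points to), Secure Boot from the Confirm-SecureBootUEFI cmdlet, and the TPM specification version from the Win32_Tpm class. The function name and the pass/fail criteria are this example's assumptions; the classes, cmdlets and the msinfo32 /report switch are documented. Run it from an elevated prompt.

```powershell
# Added example: a read-only local equivalent of the six Secured-core checks.
# Get-SecuredCoreAssessment is this example's own name; pass criteria are assumptions.

function Get-SecuredCoreAssessment {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName 'Win32_DeviceGuard'

    # 1. HVCI: SecurityServicesRunning value 2 = hypervisor-protected code integrity is running.
    $hvci = [bool]($dg.SecurityServicesRunning -contains 2)

    # 2. Boot DMA protection: msinfo32 lists "Kernel DMA Protection", so export its report and parse that line.
    $report = Join-Path $env:TEMP 'msinfo32-securedcore.txt'
    Start-Process -FilePath 'msinfo32.exe' -ArgumentList "/report `"$report`"" -Wait
    $dmaValue = 'Unknown'
    $dmaLine = Get-Content -Path $report -ErrorAction SilentlyContinue |
        Where-Object { $_ -match '^\s*Kernel DMA Protection\s+\S' } |
        Select-Object -First 1
    if ($dmaLine) { $dmaValue = ($dmaLine -replace '^\s*Kernel DMA Protection\s+', '').Trim() }
    Remove-Item -Path $report -ErrorAction SilentlyContinue
    $dma = ($dmaValue -eq 'On')

    # 3. System Guard: SecurityServicesRunning value 3 = System Guard Secure Launch is running.
    $systemGuard = [bool]($dg.SecurityServicesRunning -contains 3)

    # 4. Secure Boot: Confirm-SecureBootUEFI throws on legacy BIOS systems, which counts as not enabled.
    $secureBoot = $false
    try { $secureBoot = [bool](Confirm-SecureBootUEFI) } catch { }

    # 5. VBS: VirtualizationBasedSecurityStatus 2 = running (1 = enabled but not running).
    $vbs = ($dg.VirtualizationBasedSecurityStatus -eq 2)

    # 6. TPM 2.0: Win32_Tpm.SpecVersion reads like "2.0, 0, 1.38"; require it to be enabled as well.
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName 'Win32_Tpm' -ErrorAction SilentlyContinue
    $tpm20 = [bool]($tpm -and $tpm.IsEnabled_InitialValue -and ($tpm.SpecVersion -like '2.0*'))

    $running = ($dg.SecurityServicesRunning -join ',')
    foreach ($check in @(
        [ordered]@{ Name = 'HVCI';                Pass = $hvci;        Detail = "SecurityServicesRunning=$running" }
        [ordered]@{ Name = 'Boot DMA protection'; Pass = $dma;         Detail = "Kernel DMA Protection: $dmaValue" }
        [ordered]@{ Name = 'System Guard';        Pass = $systemGuard; Detail = "SecurityServicesRunning=$running" }
        [ordered]@{ Name = 'Secure boot';         Pass = $secureBoot;  Detail = 'Confirm-SecureBootUEFI' }
        [ordered]@{ Name = 'VBS';                 Pass = $vbs;         Detail = "VirtualizationBasedSecurityStatus=$($dg.VirtualizationBasedSecurityStatus)" }
        [ordered]@{ Name = 'TPM 2.0';             Pass = $tpm20;       Detail = "SpecVersion=$($tpm.SpecVersion)" }
    )) {
        [pscustomobject]$check
    }
}

# Example session: table of the six checks plus the "n of 6" summary the Secured-core tab shows.
$results = Get-SecuredCoreAssessment
$results | Format-Table Name, Pass, Detail -AutoSize
'{0} of {1} Secured-core checks met' -f @($results | Where-Object Pass).Count, $results.Count
```

The Detail column is there so a failed check points at the raw value to investigate: a VBS status of 1 with HVCI configured but not running, for example, usually means a platform requirement (Secure Boot or DMA protection) is not met rather than that the setting is missing.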
The new Windows Admin Center Secured-core functionality allows admins to view what Microsoft refers to as the Secured-core or core recommended Windows security features. There are six areas checked as part of the Secured-core assessment. These include HVCI, Boot DMA Protection, System Guard, Secure Boot, VBS, and TPM 2.0. Using and configuring systems capable of enabling all six security features provides for drastically increased security compared to systems running without these features enabled. As a note, the Secured-core feature is view-only at this point. In other words, you can only see the security settings configured or not configured. It would be nice to see Microsoft provide an "easy button" with each of the Secured-core dashboard features to enable them.