
How to Prevent Firmware Attacks with Windows Server 2022 and Dell EMC PowerEdge

Learn how to harden business-critical workloads with a more secure hardware, firmware and operating system environment.


Firmware attacks can be a particularly dangerous threat for organizations, because an attack on firmware can implant malware before the operating system (OS) – and the software-based security running on the OS – has even started. Yet fewer than half of organizations have taken steps to harden their systems against firmware attacks, even though such attacks have become five times more frequent in the last five years, according to Microsoft. At the end of the day, workloads are only as secure as the entire stack that they run on.

The good news is that a combination of next-generation Dell EMC™ PowerEdge™ servers and Windows Server® 2022 can help you secure your environment. Secured-core server is a new feature in Windows Server 2022 that uses hardware, firmware and OS capabilities to provide protection against current and future threats.

The combination of Windows Server 2022 Secured-core server software running on next-generation PowerEdge server hardware provides three substantial benefits for businesses, which we will examine:

  • Advanced protection
  • Preventative defence
  • Simplified security

Advanced protection: Create a secure platform for critical workloads and data

Secured-core servers use processor support for Dynamic Root of Trust for Measurement (DRTM) technology to put firmware in a hardware-based sandbox. This isolation helps to limit the impact of vulnerabilities in millions of lines of highly privileged firmware code.

In addition to firmware isolation, virtualization-based security (VBS) isolates critical parts of the OS – such as the kernel – from the rest of the system. This helps to ensure that servers remain devoted to running critical workloads and helps protect related applications and data from attack and exfiltration.

To further harden the firmware in PowerEdge servers from attack, Dell Technologies helps secure the supply chain for PowerEdge servers to ensure that no one has tampered with the server while in transit from the factory to the customer site.

Preventative defence: Proactively defend against exploits

Secured-core functionality helps proactively defend against and disrupt many paths that attackers might use to exploit your systems. Hypervisor-protected code integrity (HVCI) in VBS isolates the code integrity (CI) decision-making function from the rest of the Windows OS, which helps ensure that the only way kernel memory can become executable is through a CI verification. VBS also enables the use of Windows Defender Credential Guard, in which user credentials and secrets are stored in a virtual container that the OS cannot access directly.

Trusted Platform Module 2.0 (TPM 2.0), which comes standard with Secured-core servers, provides a protected store for sensitive keys and data, such as measurements of the components loaded during boot. Being able to verify that the firmware that runs during boot is validly signed by the expected author and has not been tampered with helps improve security.

This hardware root-of-trust also elevates the protection provided by capabilities like BitLocker Drive Encryption, which uses TPM 2.0 and facilitates the creation of attestation-based workflows that can be incorporated into zero-trust security strategies. Taken together, these defences can enable your IT and SecOps teams to better manage their time.

Next-generation PowerEdge servers support industry-standard Unified Extensible Firmware Interface (UEFI) Secure Boot. UEFI Secure Boot checks the cryptographic signatures of UEFI drivers and other code loaded prior to the OS running to help ensure that malware has not tampered with the firmware. Moreover, PowerEdge servers support TPM 2.0 to elevate security for firmware and the OS.

Simplified security: Advanced security features with a click of a button

Microsoft collaborates closely with Dell Technologies to simplify security enablement on PowerEdge servers. This means when you acquire a Secured-core PowerEdge server, you can be assured that Dell Technologies has provided a set of hardware, firmware and drivers that satisfy the Secured-core promise.

New functionality in Windows Admin Center allows administrators to enable advanced security with a click of a button. Windows Admin Center presents the status of all required security features for Windows Server 2022 Secured-core servers and enables administrators to turn on features as necessary from a single location.
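The state of the features named in this article can also be read locally with PowerShell, which is useful for scripted audits across many hosts. The following is an added example, not code from the original article or from Microsoft or Dell; the function name `Get-SecuredCoreStatus` and the feature labels are chosen here for illustration, and it assumes an elevated session on the server being checked.

```powershell
#Requires -RunAsAdministrator
# Added example: report the state of the security features named in this article.
function Get-SecuredCoreStatus {
    # Win32_DeviceGuard exposes VBS state and the security services running on top of it.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName 'Win32_DeviceGuard' -ErrorAction Stop

    # SecurityServicesRunning values: 1 = Credential Guard, 2 = HVCI,
    # 3 = System Guard Secure Launch (the DRTM-based launch).
    $running = @($dg.SecurityServicesRunning)

    # Confirm-SecureBootUEFI throws on legacy BIOS systems or without elevation;
    # either case is reported here as "not enabled".
    try   { $secureBoot = [bool](Confirm-SecureBootUEFI -ErrorAction Stop) }
    catch { $secureBoot = $false }

    # Win32_Tpm.SpecVersion begins with the TPM specification version, e.g. "2.0, ...".
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                           -ClassName 'Win32_Tpm' -ErrorAction SilentlyContinue
    $tpm20 = [bool]($tpm -and $tpm.SpecVersion -like '2.0*')

    $checks = [ordered]@{
        'UEFI Secure Boot'             = $secureBoot
        'TPM 2.0'                      = $tpm20
        'VBS running'                  = ($dg.VirtualizationBasedSecurityStatus -eq 2)
        'HVCI running'                 = ($running -contains 2)
        'Credential Guard running'     = ($running -contains 1)
        'Secure Launch (DRTM) running' = ($running -contains 3)
    }

    # Emit one object per feature so the result can be filtered or exported.
    foreach ($name in $checks.Keys) {
        [pscustomobject]@{ Feature = $name; Enabled = $checks[$name] }
    }
}

$report = Get-SecuredCoreStatus
$report | Format-Table -AutoSize

# Surface drift clearly when the script runs unattended.
if ($report.Enabled -contains $false) {
    Write-Warning 'One or more of the checked features are not active on this host.'
}
```

A feature can be configured but not running until the next reboot, so a host that was just changed may still report `False` for the VBS-based checks.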

Dell EMC™ OpenManage™ Integration with Windows Admin Center is an extension for Windows Admin Center that further simplifies management of Secured-core servers. This Windows Admin Center extension simplifies the security tasks (among others) of IT administrators by remotely managing PowerEdge servers. For Windows Server 2022 Secured-core servers, the OpenManage Integration with Windows Admin Center extension enables you to view your inventory of PowerEdge servers from within Windows Admin Center, including health, hardware and firmware inventory information for the PowerEdge server components.

Why it’s time to consider upgrading to Windows Server 2022

If you’re running an older version of Windows Server, upgrading to 2022 makes more sense now than ever. The Secured-core server feature in Windows Server 2022 can help you counter threats to hardware, firmware and the OS.

With the hardware- and software-integrity protections of Dell Technologies, next-generation Dell EMC PowerEdge servers running Windows Server 2022 can provide modern security to the entire stack. The secure connectivity features in Windows Server 2022, supported in next-generation PowerEdge servers, extend this security beyond individual servers to entire clusters within your data centre.

Moreover, support for Windows Server 2012 ends in October 2023, which means it’s a pivotal time to upgrade.