In February 2022, CIS (Center for Internet Security) released the Microsoft Windows Server 2022 Benchmark v1.0.0 that includes 50+ new features, GPOs (Group Policy Objects), capabilities and services. The document offers a comparison between Server 2019 vs. Server 2022 for similarities and differences as well as similarities and differences of Windows 11 vs Windows 10.
With the benchmark being so new to the public, companies will need to locate a remediation and hardening solution such as CalCom’s Hardening Suite that enforces CIS' most recent Microsoft Windows Server 2022 Benchmark.
Windows Server 2022 update
Microsoft has long provided both Standard and Datacenter editions of its Windows Server operating systems, a tradition that persists with the release of Windows Server 2022. However they have included a new feature and improvement with their Windows Server 2022 Datacenter Azure edition. As the moniker suggests, this edition aligns server workloads more intricately with the Microsoft cloud ecosystem and presents distinctive functionalities aimed at enticing customers seeking streamlined patch management and other advantageous incentives.
Windows Server 2019 vs 2022 difference
Windows Server 2022 offers enhanced security, increased flexibility, and improved support for hybrid deployments compared to its Windows Server 2019 predecessor.
The three main differences include updated security features and advanced threat protection:
In the context of security, there are notable distinctions between Windows Server 2019 and Windows Server 2022. Windows Server 2019 provides security features such as Defender Advanced Threat Protection, Exploit Guard, and Attack Surface Reduction. In contrast, Windows Server 2022 introduces a layered security approach, enhancing cryptographic key protection, firmware security, and the security of virtualization environments.
Regarding connectivity, Windows Server 2022 brings advancements with features like Transport Layer 1.3 security, Secure DNS, Server Message Block (SMB), and SMB over QUIC. In contrast, Windows Server 2019 includes Software-Defined Network (SDN) Security.
Recognizing the increasing importance of the cloud in modern IT infrastructure, Microsoft made strides in both versions. In Windows Server 2019, they introduced a hybrid cloud service that maintains compatibility with the server’s core applications. However, Windows Server 2022 takes a step further by integrating Azure Arc technology, enabling centralized management of multiple cloud environments through the Azure platform. This evolution aligns with the evolving needs of cloud-centric IT strategies.
Windows Server 2022 comparison to Windows Server 2019
Windows Server 2022 represents a significant advancement in security compared to its predecessors. It introduces the Secured-Core Server feature, which safeguards not only the operating system but also the hardware and firmware against various threats. Furthermore, the default encryption of the Server Message Block (SMB) network file-sharing protocol enhances security for all users, further bolstering the overall protection of the system. Let’s look at some of the changes in the key features:
| Key Features | Windows Server 2019 | Windows Server 2022 |
| Automatic Windows Admin Center Updates | No | Yes |
| Customizable Columns for VM Information | No | Yes |
| Detachable Events Overview Screen | Configurable | Built-in |
| Configurable Destination Virtual Switch | No | Yes |
| Event Workspace to track data | No | Yes |
| Automated Extension Lifecycle Management | No | Yes |
| Enhanced Security | ||
| Hardware-enforced Stack Protection | No | Yes |
| TLS | Supports 1.2 | 1.3 Is Enabled by Default |
| Secured-core server | No | Yes |
| Hypervisor-based code integrity | No | Yes |
| Hybrid Cloud Capabilities | ||
| Azure Arc | supported | 1.3 Is Enabled by Default |
| Storage Migration Service | Supported | Deployment and Management Is Simplified |
| Improved Platform Flexibility | ||
| Uncompressed Image Size | Approx. 3.7 GB | Approx. 2.7 GB |
| Virtualized Time Zone | Mirrors Host Timezone | Configurable Within Container |
| Group Managed Service Accounts (gMSA) Requires Domain Joining | Yes | No |
| DSR Routing | No | Yes |
| Better Kubernetes Experience | ||
| HostProcess containers | No | Yes |
| Multiple Subnets Per Windows Worker Node | No | Yes |
| Upgraded Hyper V Manager | ||
| Action Bar | No | Yes |
| New Partitioning Tool | No | Yes |
| Live Storage Migration | No | Yes |
| Running Workloads Between Server | No | Yes |
| Affinity and Anti-Affinity Rules | No | Yes |
| VM Clones | No | Yes |
(Source: Accuwebhosting blog ‘Windows Server 2022 vs Windows Server 2019 - Feature Comparison‘)
Windows Server 2022 CIS Benchmark guidelines
CIS benchmarks can be regarded as the dedicated set of the best practices and configuration settings for organizations to 'harden' the security of their digital assets. Currently, around 100 benchmarks are made available in around 14 technology groups – including IBM, Microsoft, AWS, and Cisco.
Some ways in which CIS benchmarks tend to be distinct from other security standards are:
- While CIS benchmarks are not regulatory requirements, most important compliance frameworks highlight CIS benchmarks according to the industry standards.
- CIS benchmarks are developed by consensus between industry experts -including security vendors, SMEs, the benchmarking team, and the global security community through the CIS Workbench.
- CIS benchmarks tend to relate particularly to the configuration of the existing assets. They are not known for covering security defenses like EDRs (Endpoint Detection and Response) and firewalls.
CIS Levels
Based on the compliance and security needs of the organization, there are two distinct levels of CIS benchmarks:
- Level 1: It is designed for rapidly minimizing the existing attack surface of the organization without affecting business functionality or usability. These CIS standards offer the base level of compliance and security that organizations are expected to meet.
- Level 2: It offers access to a highly stringent standard designed for maximizing the security posture of the organization with the help of 'defense in depth.' These security standards are aimed for environments wherein security might be crucial.
Implementing CIS Benchmarks
As far as the implementation of CIS benchmarks is concerned, there are some options:
- Downloading the CIS benchmarking documents and implementing the suggestions manually -The approach will deliver the benefit of being independent to start. However, it turns into a highly labor-intensive task especially when organizations upgrade, and assets are added.
- Using an automated solution for identifying and resolving areas of non-compliance: While it is not possible to implement relevant CIS benchmarks on a manual basis, most companies make use of an automated tool for CIS benchmarks. An automated solution will make it quicker and simpler to implement as well as ensure compliance with the respective CIS benchmarks.
It is important to make use of compliance, security, and integrity tools in the IT departments to quickly reach and maintain compliance with the respective CIS benchmarks. Reliable solutions usually involve scanning functionality for quickly identifying areas of non-compliance, but they are unable to do the remediation.
CalCom's automated hardening solution, CalCom Hardening Suite (CHS) enforces CIS' most recent Microsoft Windows Server 2022 Benchmark v1.0.0. CHS eliminates outages and reduces hardening costs by indicating the impact of a security hardening change on the production services. CalCom's CHS is a must-have solution for any enterprise seeking to quickly and cost-effectively implement CIS benchmarks and maintain extensive, robust server security policies.
