Windows Server 2022 Benchmark v1.0.0 update

 

In February 2022, the Center for Internet Security (CIS) released the Microsoft Windows Server 2022 Benchmark v1.0.0, which includes over 50 new features, Group Policy Objects (GPOs), capabilities, and services. The document compares Server 2019 and Server 2022 for their similarities and differences, as well as Windows 11 and Windows 10.

 

Microsoft continues to provide both Standard and Datacenter editions of its Windows Server operating systems, a tradition that persists with the release of Windows Server 2022. As the name suggests, this edition aligns server workloads more closely with the Microsoft cloud ecosystem and offers distinctive functionalities designed to entice customers seeking streamlined patch management and other advantageous incentives.

 

With the benchmark being new to the public, companies need to find a remediation and hardening solution, such as CalCom’s Hardening Suite, which enforces CIS' latest Microsoft Windows Server 2022 Benchmark.

 

Windows Server 2019 vs 2022 difference

 

Windows Server 2022 offers enhanced security, increased flexibility, and improved support for hybrid deployments compared to its Windows Server 2019 predecessor.

 

There are three main differences between Windows Server 2019 and Windows Server 2022, including security features and advanced threat protection:

 

In the context of security, there are notable distinctions between Windows Server 2019 and Windows Server 2022. Windows Server 2019 provides security features such as Defender Advanced Threat Protection, Exploit Guard, and Attack Surface Reduction. In contrast, Windows Server 2022 introduces a layered security approach, enhancing cryptographic key protection, firmware security, and the security of virtualization environments.

 

Regarding connectivity, Windows Server 2022 brings advancements with features like Transport Layer Security (TLS) 1.3, Secure DNS, Server Message Block (SMB), and SMB over QUIC. In contrast, Windows Server 2019 includes Software-Defined Network (SDN) Security.

 

Recognizing the increasing importance of the cloud in modern IT infrastructure, Microsoft made strides in both versions. In Windows Server 2019, they introduced a hybrid cloud service that maintains compatibility with the server’s core applications. However, Windows Server 2022 takes a step further by integrating Azure Arc technology, enabling centralized management of multiple cloud environments through the Azure platform. This evolution aligns with the evolving needs of cloud-centric IT strategies.

Windows Server 2022 comparison to Windows Server 2019

 

Windows Server 2022 represents a significant advancement in security compared to its predecessors. It introduces the Secured-Core Server feature, which safeguards not only the operating system but also the hardware and firmware against various threats. Furthermore, the default encryption of the Server Message Block (SMB) network file-sharing protocol enhances security for all users, further bolstering the overall protection of the system. Let’s look at some of the changes in the key features:

 

| Key Features | Windows Server 2019 | Windows Server 2022 |
|---|---|---|
| Automatic Windows Admin Center Updates | No | Yes |
| Customizable Columns for VM Information | No | Yes |
| Detachable Events Overview Screen | Configurable | Built-in |
| Configurable Destination Virtual Switch | No | Yes |
| Event Workspace to track data | No | Yes |
| Automated Extension Lifecycle Management | No | Yes |
| Enhanced Security | | |
| Hardware-enforced Stack Protection | No | Yes |
| TLS | Supports 1.2 | 1.3 Is Enabled by Default |
| Secured-core server | No | Yes |
| Hypervisor-based code integrity | No | Yes |
| Hybrid Cloud Capabilities | | |
| Azure Arc | supported | 1.3 Is Enabled by Default |
| Storage Migration Service | Supported | Deployment and Management Is Simplified |
| Improved Platform Flexibility | | |
| Uncompressed Image Size | Approx. 3.7 GB | Approx. 2.7 GB |
| Virtualized Time Zone | Mirrors Host Timezone | Configurable Within Container |
| Group Managed Service Accounts (gMSA) Requires Domain Joining | Yes | No |
| DSR Routing | No | Yes |
| Better Kubernetes Experience | | |
| HostProcess containers | No | Yes |
| Multiple Subnets Per Windows Worker Node | No | Yes |
| Upgraded Hyper V Manager | | |
| Action Bar | No | Yes |
| New Partitioning Tool | No | Yes |
| Live Storage Migration | No | Yes |
| Running Workloads Between Server | No | Yes |
| Affinity and Anti-Affinity Rules | No | Yes |
| VM Clones | No | Yes |

(Source: Accuwebhosting blog ‘Windows Server 2022 vs Windows Server 2019 - Feature Comparison‘)


Windows Server 2022 CIS Benchmark guidelines

 

CIS benchmarks are sets of best practices and configuration settings that organizations use to 'harden' the security of their digital assets. Currently, around 100 benchmarks are available across around 14 technology groups, including IBM, Microsoft, AWS, and Cisco.

 

Some ways in which CIS benchmarks tend to be distinct from other security standards are:

 

  • While CIS benchmarks are not regulatory requirements, most major compliance frameworks point to CIS benchmarks as the industry standard.
  • CIS benchmarks are developed by consensus among industry experts, including security vendors, SMEs, the benchmarking team, and the global security community, through the CIS Workbench.
  • CIS benchmarks relate specifically to the configuration of existing assets. They do not cover security defenses such as EDRs (Endpoint Detection and Response) and firewalls.

 

CIS Levels

 

Based on the compliance and security needs of the organization, there are two distinct levels of CIS benchmarks:

 

  • Level 1: Designed to rapidly reduce the organization's existing attack surface without affecting business functionality or usability. These CIS standards offer the base level of compliance and security that organizations are expected to meet.

 

  • Level 2: A highly stringent standard designed to maximize the organization's security posture through 'defense in depth.' These security standards are aimed at environments where security is crucial.

 

Implementing CIS Benchmarks

 

As far as the implementation of CIS benchmarks is concerned, there are some options: companies can use a Windows Server 2022 CIS hardening script or solutions like CalCom’s Hardening Suite to enforce the latest Microsoft Windows Server 2022 Benchmark.

 

  • Downloading the CIS benchmark documents and implementing the recommendations manually: This approach has the benefit of letting you start independently. However, it becomes a highly labor-intensive task, especially when organizations upgrade and assets are added.

 

  • Using an automated solution to identify and resolve areas of non-compliance: Since it is not feasible to implement the relevant CIS benchmarks manually, most companies use an automated tool for CIS benchmarks. An automated solution makes implementation quicker and simpler and helps ensure compliance with the respective CIS benchmarks.

 

IT departments should use compliance, security, and integrity tools to quickly reach and maintain compliance with the respective CIS benchmarks. Reliable solutions usually include scanning functionality that quickly identifies areas of non-compliance, but they are unable to perform the remediation.
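The scan-only approach and the two profile levels described above can be illustrated with a short Python example, added here and not taken from CIS or CalCom. It audits the [System Access] section of a `secedit /export /cfg` file against a small baseline. The sample export, the expected values and the Level 1/Level 2 tags are constructed for the demonstration; the authoritative ones are in the benchmark document.

```python
import configparser

# Constructed sample of what `secedit /export /cfg` writes (trimmed to the
# sections used here); a real export is UTF-16 and must be decoded first.
SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 1
PasswordHistorySize = 24
LockoutBadCount = 0
ClearTextPassword = 0
[Version]
signature="$CHICAGO$"
"""

# (setting, profile level, predicate, requirement). The expected values and
# level tags are assumptions for this demonstration, not benchmark text.
BASELINE = [
    ("MinimumPasswordLength", 1, lambda v: v >= 14, ">= 14"),
    ("PasswordComplexity", 1, lambda v: v == 1, "== 1 (enabled)"),
    ("ClearTextPassword", 1, lambda v: v == 0, "== 0 (disabled)"),
    ("LockoutBadCount", 1, lambda v: 1 <= v <= 5, "1 to 5"),
    ("PasswordHistorySize", 1, lambda v: v >= 24, ">= 24"),
    ("MaximumPasswordAge", 2, lambda v: 1 <= v <= 60, "1 to 60"),
]

def audit(export_text, profile_level):
    """Audit only: return (setting, level, observed, requirement) per failed check."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep the export's key casing
    parser.read_string(export_text)
    observed = parser["System Access"] if parser.has_section("System Access") else {}
    findings = []
    for name, level, check, requirement in BASELINE:
        if level > profile_level:  # Level 2 builds on Level 1, so 2 runs both
            continue
        raw = observed.get(name)
        if raw is None:  # absent from the export: report, do not assume compliant
            findings.append((name, level, "missing", requirement))
        elif not raw.isdigit() or not check(int(raw)):  # e.g. "-1" also fails
            findings.append((name, level, raw, requirement))
    return findings

if __name__ == "__main__":
    for name, level, value, requirement in audit(SAMPLE_EXPORT, profile_level=2):
        print(f"FAIL L{level} {name}: observed {value}, required {requirement}")
```

The function reports findings and changes nothing on the host, which matches the scanning-without-remediation behaviour described above.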

 

CalCom's automated hardening solution, CalCom Hardening Suite (CHS), enforces CIS' most recent Microsoft Windows Server 2022 Benchmark v1.0.0. CHS eliminates outages and reduces hardening costs by indicating the impact of a security hardening change on the production services.