Network security gets a boost in Windows Server 2022

Transport Layer Security 1.3

In addition to its secured-core server defensive measures, one of the biggest security improvements Microsoft added to Windows Server 2022 is native support for Transport Layer Security (TLS) 1.3, which was released in 2018. This latest version of the protocol used to encrypt network traffic addresses the vulnerabilities found in TLS 1.2 and provides better performance, particularly during the handshake process.

Microsoft enabled TLS 1.3 by default in Windows Server 2022, but the operating system can still use earlier TLS versions to accommodate incompatible clients.

HTTP/3

HTTP has been around since 1989. Developed to transfer content from the World Wide Web to clients, its creators might not have foreseen the rapid pace of its adoption. The last major update to HTTP in 2016 addressed security and performance concerns and now the third revision HTTP/3 has been implemented in Windows Server 2022.

HTTP/3 is currently in development but is already in use by Google and Facebook. HTTP/3 uses the QUIC transport protocol based on the User Datagram Protocol. In addition to better performance, HTTP/3 uses encryption by default to maintain a secure connection.

Enabling HTTP/3 requires adding the following registry key:

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\HTTP\Parameters" /v EnableHttp3 /t REG_DWORD /d 1 /f

Microsoft recommends administrators configure the Windows Web service to advertise the availability of the service via HTTP/3. Clients that connect with an older protocol will be notified of HTTP/3 support and switch to the more secure protocol. To enable HTTP/3 advertisement, add the following registry key:

"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\HTTP\Parameters" /v EnableAltSvc /t REG_DWORD /d 1 /f

Reboot the server to make the registry keys take effect.

Secure DNS

Microsoft enhanced Windows Server 2022 network security with support for Secure DNS, which is an industry standard that goes by a variety of other names such as DNS-over-HTTPS (DoH).

DoH keeps DNS queries private. If someone monitors network traffic, they will see DNS queries being made, but the contents of those queries will be hidden. Some organizations use Secure DNS to conceal their online activities from the ISP. Secure DNS can also help to prevent DNS manipulation attacks.

Organizations should consider whether it is in their best interest to use Secure DNS. While there are security benefits, Secure DNS can also make it more difficult to detect malicious activity from the network because it will mask DNS queries generated by those attacks.

SMB AES-256 Encryption

SMB encryption encrypts Server Message Block (SMB) traffic across the network. SMB is the protocol that Windows devices use to access Windows file shares. SMB is also commonly used for connectivity to NAS appliances and other storage arrays.

Microsoft added SMB encryption to Windows Server 2012 and enhanced it in Windows Server 2022 by adding support for both AES-256-GCM and AES-256-CCM encryption.

Admins turn on SMB encryption from the Windows Admin Center by connecting to the server hosting an SMB share, clicking on Files and File Sharing, followed by the File Shares tab. From there, select the share to encrypt and check Enable SMB encryption.

To do the same procedure but from PowerShell, enter the following command to use SMB encryption on a Windows file share:

Set-SmbShare –Name <sharename> -EncryptData $true

When using SMB encryption, understand the difference between enabling and requiring SMB encryption. Enabling means clients that connect to an SMB share will use encryption if possible while requiring SMB encryption will reject any non-encrypted connections.

Windows Server 2022 and Windows 11 are currently the only Windows operating systems that support AES-256 encryption. Older Windows clients that connect to an SMB share hosted on a Windows Server 2022 host will revert to an older encryption standard, such as AES-128.

Windows Server 2022 also supports SMB encryption for east-west traffic, which refers to the SMB traffic that flows between Windows failover cluster nodes and a cluster shared volume. If the failover cluster uses Storage Spaces Direct, then this option allows the encryption of cluster communications for better overall security.

The easiest way to force a cluster node to encrypt all SMB traffic is to enter the following command into PowerShell:

Set-SMBServerConfiguration -EncryptData $True -Force

Verify the operation was successful by checking the EncryptData value after running the Get-SMBServerConfiguration command.

SMB Direct and RDMA encryption

Microsoft developed support for encryption with SMB Direct in Windows Server 2022. This protocol uses Remote Data Memory Access (RDMA) to transfer large amounts of data without the CPU overhead normally required for these types of operations.

In previous Windows Server versions, enabling SMB encryption disabled direct data placement, which resulted in significantly slower SMB Direct performance making it on par with a normal SMB session. Microsoft addressed this issue in Windows Server 2022 to give organizations high-speed encrypted transfers by encrypting the data prior to placement. While the encryption process does require some CPU resources, the performance impact is typically very minor.

Microsoft covers these SMB improvements at the following link.