By Mary Branscombe and Azure Security News
With regular updates to Windows Admin Center and the Semi-Annual Channel, plus Azure Stack HCI and Arc positioned as key tools for hybrid infrastructure, where does a new Windows Server release fit in?
Windows Server 2022, the next Long Term Servicing Channel (LTSC) release, will be generally available before the end of 2021. It combines the Windows Containers improvements that early adopters have been getting in the Semi-Annual Channel (SAC) with security improvements such as secured-core from the Windows client, alongside low-level developments in networking.
There’s also more integration with Azure for both management and security monitoring, including new features in Windows Admin Center for containerising apps to ‘lift and shift’ to the cloud — whether that’s Azure, where Automanage can handle VM lifecycle management and hot patching, or Azure Stack HCI on your own infrastructure.
Infrastructure and server roles
But with so much emphasis on hybrid and migration strategies, where does that leave the server OS? (While there is still comprehensive information available for Windows Server on Microsoft Learn, there’s no longer an official Microsoft certification for the server product outside Azure.)
“Windows Server is a highly versatile, multi-purpose operating system, with dozens of roles and hundreds of features, including guest rights,” Vijay Kumar, director of Windows Server and Azure product marketing at Microsoft, told TechRepublic. “Windows Server includes Software-Defined Data Center (SDDC) features which customers can use for multi-purpose, for example running file services, SQL Server, or custom apps on Software-defined Storage with Storage Spaces Direct.”
Azure Stack HCI is “for running virtual machines on-premises with connections to Azure hybrid services,” Kumar said. It’s also the way to get Azure Kubernetes Service on your own hardware — that’s still very much about infrastructure rather than being an application server or a storage server. Windows Server 2022 scales to even larger applications than previous releases, supporting up to 48 terabytes of memory, up to 64 sockets, and 2,048 logical processors. It also supports confidential computing with Intel SGX on Ice Lake CPUs.
Windows Server Azure Edition is a new option for virtual machines on Azure, but it’s not a new SKU, Kumar told TechRepublic — just a new Windows Server OS image that enables new lifecycle management. “We recently introduced Azure Automanage for Windows Server that enables customers to apply rebootless security patching for their new Windows Server virtual machines. To use rebootless security patching, customers will require the new OS image.” As Automanage gets new capabilities in the future, the Azure Edition image will get updated to make them work.
Regular insider builds for Windows Server allow admins to try out options like the in-place upgrade from Server 2016 and 2019, which Microsoft expects to work for major roles like DNS, DHCP, File and Storage Services, Hyper-V, and IIS. While there will be the usual laundry list of small improvements in the next version — like command-line options for Robocopy and Xcopy to improve file copy performance over SMB by compressing the files, or cluster validation tests that cover more complex network configuration options — the big improvements are in security, Windows Admin Center and containers.
Secured-core, secure connectivity
Secured-core server and secured connectivity add layers of protection from the hardware up, without much extra work. “Secured-core server builds on technologies such as Windows Defender System Guard and Virtualization-based Security to minimize risk from firmware vulnerabilities and advanced malware,” Kumar said. This is the same secured-core option already available for Windows 10 devices: the operating system uses virtualisation-based security to isolate critical parts of the system from malware, including advanced kernel attacks, and validates the boot chain (Secure Boot) rather than simply trusting the firmware. That makes it much harder for an attacker who has compromised one device to move on to servers elsewhere on your network.
There’s also a new secured-core snap-in for Windows Admin Center. Integration with Azure Security Center means admins can get alerts about events associated with malicious drivers that indicate an attacker is targeting a server.
Secured-core will need new server hardware for the firmware security protection, Kumar confirmed, but it also enables options that are already in Windows Server like HVCI, which admins can also turn on from Windows Admin Center — and even remotely — if they see alerts about an attack.
“Other capabilities like virtualization-based security, hypervisor-based code integrity, secure boot and TPM are available on current hardware. The Windows Admin Center Security extension will report on these capabilities on current hardware and operating system platforms.”
Windows Server 2022 also does more to secure network connections: TLS 1.3 is enabled by default, the DNS client supports DNS over HTTPS, and SMB gains protocol hardening such as AES-256 encryption. Microsoft calls this ‘secured connectivity’, and Kumar suggested that adoption should be straightforward for organisations. “SMB’s new AES-256 encryption is completely abstracted in the SMB 3 protocol to mitigate compatibility concerns. SMB Direct also now supports encryption over RDMA networks, both with AES-128 and AES-256.” As well as improving network performance by supporting compression over SMB, there is better performance for SMB encryption and signing when using SMB Direct on RDMA-enabled network cards.
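The secured-core and secured-connectivity features above are mostly things an admin verifies and switches on rather than writes code for. The following PowerShell is an added example (not from the article and not Microsoft's own tooling) showing how to audit the secured-core prerequisites on a host and apply the SMB hardening settings discussed. It assumes an elevated session on Windows Server 2022; the `EncryptionCiphers` setting on `Set-SmbServerConfiguration` is assumed to be present on that build, and the function names are this example's own.

```powershell
# Added example, not from the article: audit secured-core prerequisites and
# enforce secure-connectivity settings on a single Windows Server 2022 host.
# Assumes an elevated session; -EncryptionCiphers is assumed to exist on 2022.
#Requires -RunAsAdministrator

function Get-SecuredCoreStatus {
    # Win32_DeviceGuard reports VBS state. SecurityServicesRunning holds
    # 1 when Credential Guard is running and 2 when HVCI is running.
    $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
    # Confirm-SecureBootUEFI throws on legacy BIOS systems, so treat that as "off".
    $secureBoot = $false
    try { $secureBoot = Confirm-SecureBootUEFI } catch { $secureBoot = $false }
    [pscustomobject]@{
        SecureBoot      = $secureBoot
        TpmReady        = (Get-Tpm).TpmReady                       # TPM present and provisioned
        VbsRunning      = ($dg.VirtualizationBasedSecurityStatus -eq 2)
        HvciRunning     = ($dg.SecurityServicesRunning -contains 2)
        CredGuardRunning = ($dg.SecurityServicesRunning -contains 1)
    }
}

function Get-SmbHardeningStatus {
    # Snapshot of the server-side SMB settings that matter for signing/encryption.
    $srv = Get-SmbServerConfiguration
    [pscustomobject]@{
        EncryptData              = $srv.EncryptData               # encrypt every share by default
        RequireSecuritySignature = $srv.RequireSecuritySignature  # refuse unsigned sessions
        EnableSMB1Protocol       = $srv.EnableSMB1Protocol        # should be $false
        EncryptionCiphers        = $srv.EncryptionCiphers         # preferred cipher order (assumed on 2022)
    }
}

function Set-SmbHardening {
    # Require signing and encryption, disable SMB1, and prefer AES-256 GCM/CCM.
    # Clients that cannot negotiate SMB 3 encryption will be refused once
    # EncryptData is on, so review Get-SmbSession on a busy server first.
    Set-SmbServerConfiguration -EncryptData $true -RequireSecuritySignature $true -EnableSMB1Protocol $false -Force
    Set-SmbServerConfiguration -EncryptionCiphers "AES_256_GCM, AES_256_CCM, AES_128_GCM, AES_128_CCM" -Force
}

function Test-Tls13ServerEnabled {
    # Schannel reads per-protocol toggles from this key; when the value is
    # absent the OS default applies, which on Windows Server 2022 is enabled.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server'
    if (-not (Test-Path $key)) { return 'default (enabled)' }
    $v = Get-ItemProperty -Path $key -Name Enabled -ErrorAction SilentlyContinue
    if ($null -eq $v)      { 'default (enabled)' }
    elseif ($v.Enabled -ne 0) { 'enabled' }
    else                   { 'disabled by policy' }
}

# Report first; enforcement is a deliberate second step.
Get-SecuredCoreStatus
Get-SmbHardeningStatus
"TLS 1.3 server: $(Test-Tls13ServerEnabled)"

# Uncomment to enforce on this host, then confirm sessions are encrypted:
# Set-SmbHardening
# Get-SmbSession | Select-Object ClientComputerName, Dialect, EncryptData
```

Run the report section on a fleet before flipping `EncryptData`: any session still showing an SMB 2.x dialect belongs to a client that will be locked out when encryption becomes mandatory, which is exactly the compatibility concern Kumar says the AES-256 abstraction is meant to avoid for SMB 3 clients.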
Microsoft’s open-source implementation of the QUIC protocol, which will form the basis of HTTP/3, will be in Windows Server 2022. It’s being used for SMB over QUIC, a more secure replacement for WebDAV that delivers SMB access without the expense and complexity of a VPN. This uses QUIC as the transport for SMB instead of TCP/IP or RDMA; because the QUIC tunnel is itself encrypted, SMB traffic is protected in transit even if SMB encryption isn’t enabled. “SMB over QUIC will be available with Azure Automanage and Windows Server 2022,” Kumar told TechRepublic. “It will also be supported as a client in Windows 10 and on third-party platforms like Android and others.”
It’s possible, but not yet decided, that SMB over QUIC might also come to Windows Server 2019, because Azure Files will be using it, and several vendors whose products use SMB are working on adopting QUIC transport.
QUIC uses UDP rather than TCP as its transport protocol, and to improve UDP performance Windows Server 2022 offloads UDP send and receive processing from the CPU to the NIC, using UDP Segmentation Offload and Receive Side Coalescing. There are also TCP performance improvements that reduce packet loss when starting connections and reduce retransmission time-outs.
Improving app modernisation with containers
Windows Admin Center isn’t tied to any release of Windows Server, although v2103 did come out at the same time as the preview of Windows Server 2022, and Kumar noted that “we have packed in a number of enhancements that we anticipate admins would love to get their hands on.”
That includes the Containers extension that makes it easier to package existing ASP.NET, WebDeploy, .NET and MSI server apps into containers. There are other improvements to Windows Containers (some of which SAC customers have already been getting, others that are new), Kumar said: “Smaller image size for faster download, simplified network policy implementation, containerization tools for .NET applications and improvements to group Managed Service Accounts [gMSA] for Windows Containers that allow customers to enable support for gMSA without domain joining the host.” That makes it easier to run apps that depend on Active Directory (AD) without making changes to the container host machine. An AD identity protected in a secret store can be used by the unjoined host to retrieve the gMSA password, which makes it much easier to use gMSA with Kubernetes.
You can also virtualise time zones, so you can run globally scalable applications without needing to consider (or have access to) the time zone of the host.
The container image is about 1GB smaller than before, so it’s small to download and faster to start up. All of the scale and performance improvements to overlay network support from the SAC releases are included. IPv6 support is coming to Kubernetes on Windows, although that will need Kubernetes 1.20 for full end-to-end IPv6 support.
There’s a new HostProcess container type coming in a future Kubernetes release that will arrive with Windows Server 2022 (it will also be available for Windows Server 2019), which allows more kinds of application to run in Windows containers. HostProcess containers run directly on the host and can be created in the host’s network namespace instead of their own. This means cluster operators won’t have to log in and individually configure each Windows node for administrative tasks and Windows servicing: they can deploy management policy to clusters like any other container policy.
“HostProcess containers are enabled with similar access to the host as processes that run on the host directly,” Kumar explained. “With HostProcess containers, users can package and distribute management operations and functionalities that require host access while retaining versioning and deployment methods provided by containers. This allows Windows containers to be used for a variety of device plugin, storage, and networking management scenarios in Kubernetes. HostProcess containers can be built on top of existing Windows Server 2019 (or later) base OS images, managed through the Windows container runtime, and run as any user that is available on or in the domain of the host machine.”
WSL 2 has been available in insider builds of Windows Server but as an SAC rather than an LTSC feature, and it’s currently not working. Kumar didn’t confirm whether it would be available on Server 2022, saying that it’s “technically not part of Windows Server” but added that “customers using Windows Subsystem for Linux version 1 on previous versions of Windows Server can continue to use it”.
For customers specifically interested in running Linux containers on Windows (known as LCOW), Kumar suggested that Azure Stack HCI will be the best option. “As we talked to customers interested in using the LCOW technology on Windows Server, it was evident that they also required a robust container orchestration experience along with supported storage and networking technology. This was one of the factors in our introduction of Azure Kubernetes Service (AKS) on Azure Stack HCI for customers wanting to run containerized Linux and Windows applications on-premises and at the edge. Secondly, .NET Core can run in Windows containers (Nano or Server Core) on AKS, AKS on Azure Stack HCI, and Windows Server 2022.”
Customers using Nano Server inside containers now get a longer support lifecycle that matches the mainstream support of Windows Server 2022 (until 2026). “Nano is targeted at being the premium container runtime, this does not change,” Kumar told TechRepublic.
The long support for Windows Server LTSC is why it’s the version that most customers are using, Kumar explained. “We expect this as many customers use Windows Server for running business-critical applications and services. They love the fact that we support LTSC for five-plus years and we do roll up all the Semi-Annual Channel (SAC) features and capabilities into the next LTSC, such as Windows Server 2022.”