Last Updated on 09/12/2021 by Nidhi Khandelwal
Microsoft has announced the availability of the first Secured-core certified Windows Server and Microsoft Azure Stack HCI devices to safeguard customers’ networks from security threats such as ransomware.
Secured-core devices are marketed as an answer to two problems: the growing number of firmware vulnerabilities that attackers can use to bypass Secure Boot on Windows workstations, and the lack of firmware-level visibility in today’s endpoint security solutions.
Since October 2019, all Secured-core devices have had built-in protection against threats that exploit firmware and driver security issues. They can help guard against malware that tries to disable security solutions by exploiting driver security holes.
Secure boot and the Trusted Platform Module 2.0 are used by the newly certified Secured-core servers to ensure that only trusted applications can load on boot.
They also use Dynamic Root of Trust Measurement (DRTM) to put the operating system in a trustworthy state, which prevents malware from interfering with it.
Hypervisor-Protected Code Integrity (HVCI) is also used by Secured-core servers to prevent all executables and drivers (such as Mimikatz) from launching unless they are signed by known and permitted authorities.
“In addition, because Virtualization-based security (VBS) is enabled out of the box, IT managers can easily enable features like Credential Guard, which safeguards credentials in an isolated environment that is invisible to attackers,” according to Microsoft.
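As an added example (not from the article, and not Microsoft's own tooling), the following PowerShell snippet reports which of the building blocks named above are actually active on a Windows Server host, using the Win32_DeviceGuard WMI class together with the SecureBoot and TrustedPlatformModule cmdlets that ship with Windows; the numeric codes are the ones documented for that class, and the script assumes an elevated session.

```powershell
# Added example: audit the Secured-core building blocks on the local host.
# Assumes an elevated PowerShell session on Windows Server / Windows 10+.

# Numeric codes as documented for the Win32_DeviceGuard WMI class.
$vbsStatus = @{ 0 = 'Not enabled'; 1 = 'Enabled, not running'; 2 = 'Running' }
$services  = @{
    1 = 'Credential Guard'
    2 = 'HVCI (memory integrity)'
    3 = 'System Guard Secure Launch (DRTM)'
    4 = 'SMM Firmware Measurement'
}

$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                      -ClassName Win32_DeviceGuard

$report = [ordered]@{}

# Secure Boot: the cmdlet throws on legacy-BIOS systems, so treat that as "off".
try   { $report['Secure Boot'] = [bool](Confirm-SecureBootUEFI) }
catch { $report['Secure Boot'] = $false }

# TPM 2.0: SpecVersion is a string such as "2.0, 0, 1.38".
$tpm = Get-Tpm
$report['TPM 2.0 ready'] = $tpm.TpmPresent -and $tpm.TpmReady -and
                           ($tpm.SpecVersion -like '2.0*')

# VBS itself, then each service the article lists on top of it.
$report['VBS'] = $vbsStatus[[int]$dg.VirtualizationBasedSecurityStatus]
foreach ($code in ($services.Keys | Sort-Object)) {
    $report[$services[$code]] = ([int[]]$dg.SecurityServicesRunning) -contains $code
}

# Anything reported as $false or "Not enabled" is a gap the article's
# protections (driver abuse, credential theft) depend on being closed.
$report.GetEnumerator() | ForEach-Object { '{0,-36} {1}' -f $_.Key, $_.Value }
```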
Secured-core servers can help make it considerably tougher for threat actors (particularly ransomware gangs such as REvil) to move laterally through the network by blocking credential theft attempts, effectively stopping their attacks before they can achieve persistence and release their payloads.
Secured-core servers, for example, would have prevented RobbinHood Ransomware operators from elevating privileges and installing malicious unregistered Windows drivers by leveraging a vulnerable GIGABYTE driver.
This allowed attackers to overcome anti-ransomware defences and spread their payloads across the victim’s network by terminating antivirus and security software processes on compromised systems.