Dynamic Partitioning (DP) Some high-end highly-scalable server systems contain
partition units of memory, processors, and IO which can be grouped together by the
server's management console into partitions. Each partition is, in effect, an independent
server, and the system is capable of hosting several such partitions, each running
an independent operating system. Such servers are referred to as partitionable.
Some partitionable servers are dynamically partitionable, which means partition
units can be re-assigned to various partitions without requiring a system shutdown.
Windows Server 2008 R2 Datacenter and Windows Server 2008 R2 for Itanium-Based Systems
support both hot-add for processors, memory, and IO partition units, and hot-replace
of such units on supporting hardware. Hot-add allows for increasing the resources
available to a partition facing increasing resource demands. Hot-replace allows
for supporting systems to swap-out partition units (memory and processor units only)
in the event of hardware failure, while the system stays up and running, and providing
services to users. All current editions of Windows Server support Hot Add of memory
and processors, if the underlying system hardware and firmware supports that functionality.
Enhanced Platform Integrity This is sometimes referred to as "Assurance".
A system that has this Additional Qualification supports all the hardware and firmware
technologies required to support a higher level of security. Those technologies
are:
-
Inclusion of a Trusted Platform Module, version 2.0 or later. Note that systems
equipped with Trusted Cryptographic Module (TCM) do NOT meet the requirements for
this AQ.
- UEFI version 2.31c or higher firmware support
- SecureBoot
- IO Memory Management Unit (IOMMU)
Enhanced Power Management The Enhanced Power Management feature identifies
servers which support the next generation power management technology available
with Windows Server 2008 R2 and later versions of the Windows Server operating system.
The software infrastructure and management interfaces in Windows Server 2008 R2
and later versions of the Windows Server operating system that help improve the
power efficiency of the server platform and enable remote monitoring of power consumption
and remote control of the power profile. There are three major requirements for
a system to qualify for this Additional Feature;
-
The server system provides a system power meter and system power budget capability
in hardware
-
The server system supports the new power metering and budgeting ACPI interface (ACPI
V4.0) specification (Windows Server 2012 only)
-
The server system enables control of processor performance states by the Operating
System
These features in Windows Server 2008 R2 and later versions will provide cost-savings
associated with reducing power consumption on each server. They will also help with
capacity planning by making power consumption and power budget information available
to administrators. This helps enable more efficient allocation of power and cooling
infrastructure in the data center. System Center Operations Manager (SCOM) provides
a Management Pack that takes advantage of all of these new features in Windows Server.
Any server that qualifies for the Enhanced Power Management qualifier has native
support for the features in this Management Pack.
Fault Tolerance (FT) Fault tolerant hardware contains redundant components
such as extra power supplies, fans, and even memory and processors which can take
over in the event of a hardware failure. These features can help improve the server
reliability.
Hardware Assurance Windows Server systems that are awarded the Hardware Assurance Additional Qualification include the critical hardware and firmware features needed to support the most important Security features of Windows Server, starting with Windows Server 2016. The server systems are UEFI-based, with a minimum UEFI version of 2.3.1c, and additionally support both Secure Boot and
BitLocker. The system supports
Hyper-V virtualization and includes
IOMMU that allows hardware assisted protection of processes memory and input/output. Finally, the server system must also include support for
TPM2.0 that further protects the operating system, drivers, applications and user information.
The technical requirements are:
- The system must support for UEFI 2.3.1c or later, including Secure Boot and BitLocker support, and all the components in the system provided by the OEM (network adapters with or without PXE boot support, storage adapters, graphics chips or adapters, etc.) must also support Secure Boot.
- The UEFI configuration must support remote management out of the box.
- UEFI Data pages must be separate from Code pages and aligned at page level granularity. The same page may not contain both data (read or write) and executable Code.
- System and processors support IOMMU and require signed processor microcode updates.
- TPM 2.0 is fully supported.
- The platform implements the Microsoft defined Hardware Security Test Interface, see https://msdn.microsoft.com/en-us/library/windows/hardware/dn879006.aspx.
NV-DIMM-N Capable and NV-DIMM-I Capable Non-Volatile Memory used in computers is known by several phrases, acronyms and brand names.Examples of phrases and acronyms:
- Storage Class Memory (SCM)
- Direct Access Storage (DAS)
- Byte Addressable Storage (BAS)
- Persistent Memory (PM)
- Non-Volatile Memory (NVM)
Non-Volatile Memory can provide higher application and workload performance through improved storage latency and response times.
Windows Server 2016 and later versions, and Windows 10 Pro for Workstation, both support Non-Volatile (NV) Memory. Any Windows Server system listed in the Windows Server Catalog which has been awarded the “NV-DIMM Capable” Additional Qualification supports one of the implementations which Microsoft Windows can utilize. See these links for more information:
https://docs.microsoft.com/en-us/windows/desktop/persistent-memory-programming-in-windows---nvml-integration
https://www.microsoft.com/en-us/microsoft-365/blog/2017/08/10/microsoft-announces-windows-10-pro-workstations
There are different physical implementations of Non-Volatile Memory. The system OEM can provide information on the specific implementation their system supports, what capabilities it provides, and so on. The details of the implementation are abstracted by the Device Specific Module (DSM) that the system OEM provides, and which the Windows operating system uses to manage the NV memory. The DSM provides a common basis of reporting device functions & capabilities, so that Windows can interact with various NV Memory implementations through the same mechanisms. Further, the DSM allows support for vendor-specific functionality, information on which the system vendor can provide.
Notes:
- Not all Windows file systems may support NV Memory. See this link for more information
- Not all functionality of the Windows file systems that do support NV Memory has been implemented or is possible. Examples includes; encryption, compression, etc.
- Not all 3rd Party File System and Storage Filter drivers, such as those for; Anti-Virus, Replication, Hierarchical Storage Management, Encryption, Compression, Monitor, Quota, etc., may work, or the filter driver vendor may be required to modify their product in order to work as expected.
Secured-core Server The Secured-core functionality spans the following areas:
Hardware root-of-trust: Trusted Platform Module 2.0 (TPM 2.0) come standard with Secured-core servers. TPM 2.0 provides a secure store for sensitive keys and data, such as measurements of the components loaded during boot. This hardware root-of-trust raises the protection provided by capabilities like BitLocker which uses the TPM 2.0 and facilitates creating attestation-based workflows that can be incorporated into zero-trust security strategies.
Firmware protection: There is a clear rise in security vulnerabilities being reported in the firmware space given the high privileges that firmware runs with and the relative opacity of what happens in firmware to traditional anti-virus solutions. Using processor support for Dynamic Root of Trust of Measurement (DRTM) technology, along with DMA protection, Secured-core systems isolate the security critical hypervisor from attacks such as this.
Virtualization-based security (VBS): Secured-core servers support VBS and hypervisor-based code integrity (HVCI). VBS and HVCI protects against this entire class of vulnerabilities given the isolation VBS provides between the privileged parts of the operating system such as the kernel and the rest of the system. VBS also provides additional capabilities that customers can enable like Credential Guard which better protects domain credentials.
Out Of Band Manageability AQ?