Guide to Running Amazon WorkSpaces with Windows Server 2022


Introduction

Amazon WorkSpaces is a cloud-based virtual desktop service that allows users to access their applications and data from any supported device. With the recent addition of support for Windows Server 2022, WorkSpaces users can now take advantage of the latest features and security enhancements offered by this new operating system. In this guide, we will explore the process of running Amazon WorkSpaces with Windows Server 2022, highlighting key features and providing step-by-step instructions for setup and configuration.

Table of Contents

  1. Introduction
  2. Table of Contents
  3. Benefits of Windows Server 2022 for Amazon WorkSpaces
  4. Getting Started with Windows Server 2022 WorkSpaces
  5. Creating a Custom Windows Server 2022 WorkSpaces Bundle
  6. Configuring Trusted Platform Module 2.0 (TPM 2.0)
  7. Enabling Unified Extensible Firmware Interface (UEFI) Secure Boot
  8. Securing WorkSpaces with Secured-core Server
  9. Utilizing Credential Guard
  10. Implementing Hypervisor-protected Code Integrity (HVCI)
  11. Enhancing DNS Security with DNS-over-HTTPS
  12. Best Practices for Windows Server 2022 WorkSpaces
  13. Conclusion
  14. References

Benefits of Windows Server 2022 for Amazon WorkSpaces

With the availability of Windows Server 2022 bundles for Amazon WorkSpaces, users can harness a range of new features and improvements that enhance performance, security, and manageability. Some of the key benefits include:

  1. Trusted Platform Module 2.0 (TPM 2.0): Windows Server 2022 supports TPM 2.0, which provides enhanced hardware security for encryption keys and sensitive data.

  2. Unified Extensible Firmware Interface (UEFI) Secure Boot: UEFI Secure Boot ensures that only trusted operating system components are loaded during boot, protecting against malware and unauthorized modifications.

  3. Secured-core server: Windows Server 2022 offers Secured-core server capabilities, providing a comprehensive security foundation that combines hardware and software security features to protect against advanced threats.

  4. Credential Guard: Protect sensitive credentials with Credential Guard, a feature that utilizes virtualization-based security to isolate sensitive data from potential attackers.

  5. Hypervisor-protected Code Integrity (HVCI): HVCI helps prevent attacks by ensuring that only signed, trusted code can be executed in the hypervisor.

  6. DNS-over-HTTPS: Windows Server 2022 introduces support for DNS-over-HTTPS (DoH), encrypting DNS traffic to enhance privacy and security.

Getting Started with Windows Server 2022 WorkSpaces

To get started with Amazon WorkSpaces powered by Windows Server 2022, follow these steps:

  1. Sign in to the Amazon WorkSpaces console using your AWS credentials.

  2. Navigate to the “WorkSpaces” section and click on “Directories” in the left menu.

  3. Select the desired directory and click on “Actions” > “Update Directory Details”.

  4. In the “Images” tab, select “Add Bundle” and choose “Windows Server 2022” as the operating system.

  5. Customize the bundle by selecting the desired hardware specifications, storage size, and other configuration options.

  6. Save the changes and return to the main WorkSpaces console.

  7. Click on “Launch WorkSpaces” and select the Windows Server 2022 bundle you just created.

  8. Follow the on-screen instructions to complete the WorkSpaces provisioning process.

Congratulations! You have now successfully provisioned an Amazon WorkSpace powered by Windows Server 2022.

Creating a Custom Windows Server 2022 WorkSpaces Bundle

While the managed Windows Server 2022 WorkSpaces bundle provides a convenient out-of-the-box solution, you may have specific requirements or preferences that necessitate creating a custom bundle. Here’s how you can create a custom Windows Server 2022 WorkSpaces bundle:

  1. Navigate to the Amazon WorkSpaces console and click on “Bundles” in the left menu.

  2. Select “Create Bundle” and choose “Custom Bundle” as the bundle type.

  3. Specify the operating system as “Windows Server 2022” and configure the hardware, storage, and other settings according to your requirements.

  4. Choose the desired license type and review the pricing information.

  5. Save the changes and click on “Create Bundle” to begin the creation process.

  6. Once the bundle is created, it will be available for selection when launching new WorkSpaces.

Creating a custom Windows Server 2022 WorkSpaces bundle allows you to tailor the virtual desktop environment to your specific needs, ensuring optimal performance and resource utilization.

Configuring Trusted Platform Module 2.0 (TPM 2.0)

One of the notable security features of Windows Server 2022 is the support for Trusted Platform Module 2.0 (TPM 2.0). To configure TPM 2.0 for Amazon WorkSpaces, follow these steps:

  1. Launch a WorkSpace powered by Windows Server 2022.

  2. Connect to the WorkSpace using a remote desktop client.

  3. Open the “TPM Management Console” by searching for it in the Start menu.

  4. Follow the on-screen instructions to initialize the TPM and create a TPM owner password.

  5. Once the TPM is initialized, you can enable features such as Secure Boot and BitLocker encryption.

Enabling Unified Extensible Firmware Interface (UEFI) Secure Boot

UEFI Secure Boot adds another layer of protection against malicious software by ensuring that only trusted components are loaded during system boot. Here’s how you can enable UEFI Secure Boot for Amazon WorkSpaces powered by Windows Server 2022:

  1. Launch a WorkSpace powered by Windows Server 2022.

  2. Open the WorkSpace console and navigate to the “Actions” menu.

  3. Select “Update Directory Details” and click on the “Images” tab.

  4. Edit the Windows Server 2022 bundle properties and enable UEFI Secure Boot.

  5. Save the changes and relaunch the WorkSpace for the new settings to take effect.

UEFI Secure Boot helps protect against unauthorized modifications and malware infections during the boot process, enhancing the security posture of your WorkSpaces.
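Before relying on BitLocker or the virtualization-based features covered later, it is worth confirming from inside the WorkSpace that the TPM 2.0 and Secure Boot steps in the two sections above actually took effect. The following PowerShell check is an added example, not part of the original guide or any AWS tooling; it uses only cmdlets and WMI classes that ship with Windows Server 2022 and must be run in an elevated session.

```powershell
# Added example: report TPM 2.0 readiness and UEFI Secure Boot state on a Windows Server 2022 WorkSpace.
# Run in an elevated PowerShell session inside the WorkSpace (Get-Tpm and
# Confirm-SecureBootUEFI both require administrator rights).

function Test-PlatformSecurity {
    $result = [ordered]@{}

    # TPM presence and readiness (TrustedPlatformModule module, built into Windows).
    $tpm = Get-Tpm
    $result.TpmPresent = $tpm.TpmPresent
    $result.TpmReady   = $tpm.TpmReady

    # The TPM spec version comes from the Win32_Tpm WMI class, e.g. "2.0, 0, 1.38".
    # Only a 2.0 device satisfies the requirement described in the guide.
    $wmiTpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                              -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $result.TpmSpecVersion = if ($wmiTpm) { $wmiTpm.SpecVersion } else { 'n/a' }
    $result.TpmIs20 = [bool]($wmiTpm -and $wmiTpm.SpecVersion -like '2.0*')

    # Confirm-SecureBootUEFI throws on legacy BIOS boot and on platforms where the
    # firmware does not expose the Secure Boot variable, so treat an exception as "not enabled".
    try {
        $result.SecureBoot = Confirm-SecureBootUEFI
    } catch {
        $result.SecureBoot     = $false
        $result.SecureBootNote = $_.Exception.Message
    }

    $result.Compliant = $result.TpmPresent -and $result.TpmReady -and $result.TpmIs20 -and $result.SecureBoot
    return [pscustomobject]$result
}

$state = Test-PlatformSecurity
$state | Format-List

if (-not $state.Compliant) {
    Write-Warning 'WorkSpace does not meet the TPM 2.0 + Secure Boot baseline; do not assume BitLocker or VBS features will work.'
    exit 1
}
```

A non-zero exit code makes the check usable from a login script or a fleet-wide remote invocation, so a WorkSpace that silently lost Secure Boot after a bundle change is flagged rather than assumed compliant.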

Securing WorkSpaces with Secured-core Server

Windows Server 2022 introduces the concept of Secured-core server, which combines hardware and software security features to provide advanced protection against sophisticated attacks. To secure your WorkSpaces with Secured-core server capabilities, consider implementing the following measures:

  1. Ensure that the underlying hardware meets the requirements for Secured-core server. This may include using trusted platform modules (TPMs), hardware-based root of trust, and secure boot capabilities.

  2. Enable Secure Boot for all WorkSpaces to ensure that only trusted and signed operating system components are loaded.

  3. Implement strong access controls and enforce least privilege principles for user accounts.

  4. Regularly update and patch the operating system and installed applications.

  5. Utilize built-in security features such as Windows Defender Antivirus and Windows Defender Firewall.

By leveraging the Secured-core server capabilities of Windows Server 2022, you can significantly enhance the security posture of your Amazon WorkSpaces environment.

Utilizing Credential Guard

Credential Guard is a virtualization-based security feature in Windows Server 2022 that helps protect sensitive credentials from potential attackers. To utilize Credential Guard on your WorkSpaces powered by Windows Server 2022, follow these steps:

  1. Launch a WorkSpace powered by Windows Server 2022.

  2. Connect to the WorkSpace using a remote desktop client.

  3. Open the Group Policy Editor by searching for “gpedit.msc” in the Start menu.

  4. Navigate to “Computer Configuration” > “Administrative Templates” > “System” > “Device Guard” > “Credential Guard”.

  5. Enable the “Turn On Credential Guard” policy setting.

  6. Save the changes and restart the WorkSpace for the policy to take effect.

Credential Guard isolates sensitive credentials in a secure container, preventing unauthorized access and reducing the risk of credential theft.

Implementing Hypervisor-protected Code Integrity (HVCI)

Hypervisor-protected Code Integrity (HVCI) is a security feature in Windows Server 2022 that helps prevent attacks by enforcing strict execution policies for code running in the hypervisor. To implement HVCI for your WorkSpaces powered by Windows Server 2022, follow these steps:

  1. Launch a WorkSpace powered by Windows Server 2022.

  2. Connect to the WorkSpace using a remote desktop client.

  3. Open the Group Policy Editor by searching for “gpedit.msc” in the Start menu.

  4. Navigate to “Computer Configuration” > “Administrative Templates” > “System” > “Device Guard” > “HVCI”.

  5. Enable the “Enable Hypervisor-protected Code Integrity” policy setting.

  6. Save the changes and restart the WorkSpace for the policy to take effect.

By implementing HVCI, you can protect against code execution attacks and ensure that only signed and trusted code can be executed in the hypervisor.
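The Group Policy steps in the Credential Guard and HVCI sections above both end with "restart and assume it worked". The script below is an added example, not code from the guide, that writes the registry values those policies set and then reads back the Win32_DeviceGuard class, which distinguishes between a feature being configured and actually running. That distinction matters on a virtual desktop, where virtualization-based security only starts if the platform exposes the hypervisor and firmware features it needs.

```powershell
# Added example: set the registry backing of the Credential Guard and HVCI policies,
# then report configured vs. running state. Run elevated inside the WorkSpace;
# a restart is required before any of the "running" values change.

$dg   = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
$hvci = "$dg\Scenarios\HypervisorEnforcedCodeIntegrity"
$lsa  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Enable-VbsFeatures {
    # Turn on virtualization-based security and require Secure Boot as the platform security level.
    New-Item -Path $dg -Force | Out-Null
    Set-ItemProperty -Path $dg -Name EnableVirtualizationBasedSecurity -Type DWord -Value 1
    Set-ItemProperty -Path $dg -Name RequirePlatformSecurityFeatures   -Type DWord -Value 1

    # Credential Guard: LsaCfgFlags 2 = enabled without UEFI lock (can still be turned off by policy),
    # 1 = enabled with UEFI lock (needs console access to clear). 2 is the safer choice on a virtual desktop.
    Set-ItemProperty -Path $lsa -Name LsaCfgFlags -Type DWord -Value 2

    # HVCI: Enabled = 1, Locked = 0 so the setting stays manageable through policy.
    New-Item -Path $hvci -Force | Out-Null
    Set-ItemProperty -Path $hvci -Name Enabled -Type DWord -Value 1
    Set-ItemProperty -Path $hvci -Name Locked  -Type DWord -Value 0
}

function Get-VbsStatus {
    # Win32_DeviceGuard: SecurityServicesConfigured lists what policy asked for,
    # SecurityServicesRunning lists what the hypervisor actually started (1 = Credential Guard, 2 = HVCI).
    $s = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    $names = @{ 1 = 'CredentialGuard'; 2 = 'HVCI' }
    $label = { if ($names.ContainsKey([int]$_)) { $names[[int]$_] } else { "Service$_" } }
    [pscustomobject]@{
        VbsStatus          = @('Off', 'Configured, not running', 'Running')[$s.VirtualizationBasedSecurityStatus]
        ServicesConfigured = ($s.SecurityServicesConfigured | ForEach-Object $label) -join ','
        ServicesRunning    = ($s.SecurityServicesRunning    | ForEach-Object $label) -join ','
    }
}

Enable-VbsFeatures
Get-VbsStatus | Format-List
Write-Host 'Restart the WorkSpace, then run Get-VbsStatus again; CredentialGuard and HVCI should both appear under ServicesRunning.'
```

If ServicesConfigured lists both features after the restart but ServicesRunning stays empty, the policy is correct and the platform is the problem; that state should be treated as "not protected" in any compliance report rather than as a pass.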

Enhancing DNS Security with DNS-over-HTTPS

DNS-over-HTTPS (DoH) is a new feature introduced in Windows Server 2022 that encrypts DNS traffic, enhancing privacy and security. To enhance DNS security for your WorkSpaces powered by Windows Server 2022, consider implementing DNS-over-HTTPS:

  1. Launch a WorkSpace powered by Windows Server 2022.

  2. Connect to the WorkSpace using a remote desktop client.

  3. Open the Group Policy Editor by searching for “gpedit.msc” in the Start menu.

  4. Navigate to “Computer Configuration” > “Administrative Templates” > “Network” > “DNS Client”.

  5. Enable the “Use DNS-over-HTTPS” policy setting and specify the desired DoH server.

  6. Save the changes and restart the WorkSpace for the policy to take effect.

Encrypting DNS traffic with DNS-over-HTTPS helps protect the privacy and integrity of DNS queries, mitigating the risk of eavesdropping and spoofing attacks.
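The policy step above only tells the DNS client that DoH is wanted; the client will still send plaintext UDP queries to any resolver it does not know a DoH template for. The following PowerShell is an added example, not part of the guide, showing how to register the WorkSpace's own resolver with its DoH endpoint and how to refuse plaintext fallback so a broken DoH endpoint fails visibly instead of silently downgrading. The resolver IP and template URL are placeholders for your environment.

```powershell
# Added example: register a DoH template for the resolver the WorkSpace already uses and
# require DoH for it. Run elevated inside the WorkSpace. Both values below are placeholders.

$ResolverIp  = '10.0.0.2'                                 # placeholder: the resolver IP set on the adapter
$DohTemplate = 'https://dns.example.internal/dns-query'   # placeholder: that resolver's DoH endpoint

function Enable-DohForResolver {
    param([string]$Ip, [string]$Template)

    # Windows keeps a built-in list of well-known public DoH resolvers; any other address must
    # be registered explicitly before the DNS client will upgrade queries to it to HTTPS.
    $existing = Get-DnsClientDohServerAddress -ServerAddress $Ip -ErrorAction SilentlyContinue
    if ($existing) { Remove-DnsClientDohServerAddress -ServerAddress $Ip }

    # AllowFallbackToUdp $false: if the HTTPS endpoint is unreachable, queries fail rather than
    # quietly reverting to plaintext, which is the failure mode an encrypted-DNS rollout should surface.
    Add-DnsClientDohServerAddress -ServerAddress $Ip -DohTemplate $Template `
                                  -AllowFallbackToUdp $false -AutoUpgrade $true

    # Registry backing of the "DNS Client" DoH policy: DoHPolicy 3 = Require, 2 = Allow, 1 = Prohibit.
    $pol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
    New-Item -Path $pol -Force | Out-Null
    Set-ItemProperty -Path $pol -Name DoHPolicy -Type DWord -Value 3
}

function Test-DohConfigured {
    param([string]$Ip)
    $entry = Get-DnsClientDohServerAddress -ServerAddress $Ip -ErrorAction SilentlyContinue
    return [bool]($entry -and -not $entry.AllowFallbackToUdp -and $entry.AutoUpgrade)
}

Enable-DohForResolver -Ip $ResolverIp -Template $DohTemplate
if (Test-DohConfigured -Ip $ResolverIp) {
    Write-Host "DoH required for $ResolverIp via $DohTemplate"
} else {
    Write-Warning "DoH entry for $ResolverIp is missing or still allows plaintext fallback"
}
```

The template host must present a certificate the WorkSpace trusts and the IP must match what the network adapter actually uses as its DNS server, otherwise name resolution stops working once fallback is disabled; test on one WorkSpace before pushing the setting through policy.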

Best Practices for Windows Server 2022 WorkSpaces

Here are some best practices to consider when running Amazon WorkSpaces with Windows Server 2022:

  1. Regularly update and patch the operating system and installed applications to ensure the latest security fixes and feature enhancements are applied.

  2. Implement multi-factor authentication (MFA) for user accounts to add an extra layer of security.

  3. Enable auditing and monitoring features to detect and respond to security incidents.

  4. Implement network segmentation and access control to limit lateral movement and unauthorized access.

  5. Regularly back up user data and configure disaster recovery measures to minimize data loss in the event of a failure.

  6. Monitor and analyze logs and events to proactively identify and mitigate security risks.

By following these best practices, you can maximize the security and performance of your Windows Server 2022 WorkSpaces environment.

Conclusion

In this guide, we have explored the process of running Amazon WorkSpaces with Windows Server 2022, highlighting the benefits, features, and security enhancements offered by this new operating system. By leveraging these new capabilities, WorkSpaces users can enhance the security, performance, and manageability of their virtual desktop environment. Whether utilizing the managed Windows Server 2022 bundle or creating a custom image, the integration of WorkSpaces and Windows Server 2022 provides a powerful and secure solution for remote desktop access. By following the step-by-step instructions and best practices outlined in this guide, users can confidently deploy and manage their Windows Server 2022 WorkSpaces environment.
