At Dell, hardware devices and drivers are tested as part of the Windows Hardware Compatibility Program using the Microsoft test framework known as the Windows Hardware Lab Kit (Windows HLK). This testing ensures that the system being developed is certified as compatible with Windows Server operating systems from Windows Server 2016 onward.
Industry-standard UEFI (Unified Extensible Firmware Interface) Secure Boot checks the cryptographic signatures of UEFI drivers and other code loaded before the operating system runs, ensuring that only authorized firmware and operating system boot loaders are executed during the boot process.
The TPM can be used to perform public key cryptographic functions, compute hash functions, generate, manage, and securely store keys, and perform attestation. Attestation and remote attestation solutions can use the TPM to take measurements at boot time of a server's hardware, hypervisor, BIOS, and operating system, and compare them in a cryptographically secure manner against baseline measurements stored in the TPM. If the measurements are not identical, the server identity may have been compromised, and system administrators can disable and disconnect the server either locally or remotely.
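The comparison described above relies on the way a TPM accumulates measurements: each boot component is hashed, and the hash is folded into a Platform Configuration Register (PCR) with an extend operation, so the final PCR value depends on every component and on the order in which they ran. The following Python script is an added illustration of that verifier-side logic and is not code from Dell or from the Azure Stack HCI product; the boot chain, the component images, and the function names are constructed for the example, and it omits the signed TPM quote that a real remote attestation protocol uses to authenticate the reported values.

```python
import hashlib
import hmac

PCR_SIZE = 32  # one register in a SHA-256 PCR bank

# Constructed sample boot chain for a hypothetical node. The byte strings stand in for
# the firmware, BIOS configuration, hypervisor, and boot loader images a TPM would measure.
GOLDEN_BOOT_CHAIN = [
    ("uefi_firmware", b"constructed: UEFI firmware image"),
    ("bios_config", b"constructed: SecureBoot=on, TPM=on"),
    ("hypervisor", b"constructed: Hyper-V hypervisor image"),
    ("os_loader", b"constructed: Windows boot loader"),
]


def pcr_extend(pcr, digest):
    """TPM-style extend: the new PCR value is H(old PCR || measurement digest)."""
    return hashlib.sha256(pcr + digest).digest()


def measure_chain(chain):
    """Measure each component in boot order; return the final PCR and the event log."""
    pcr = bytes(PCR_SIZE)  # PCRs start at zero on power-on
    log = []
    for name, image in chain:
        digest = hashlib.sha256(image).digest()
        pcr = pcr_extend(pcr, digest)
        log.append((name, digest))
    return pcr, log


def make_baseline(chain):
    """Record the golden PCR value and per-component digests that the verifier keeps."""
    pcr, log = measure_chain(chain)
    return {"pcr": pcr, "log": log}


def verify_attestation(baseline, reported_pcr, reported_log):
    """Verifier-side check. Returns (trusted, reason).

    1. Replay the reported event log and confirm it reproduces the reported PCR;
       a log that does not match the register is rejected outright.
    2. Compare the PCR against the baseline in constant time.
    3. On mismatch, name the first component whose digest diverges so the operator
       knows which stage of the boot was altered before isolating the node.
    """
    replayed = bytes(PCR_SIZE)
    for _, digest in reported_log:
        replayed = pcr_extend(replayed, digest)
    if not hmac.compare_digest(replayed, reported_pcr):
        return False, "event log does not reproduce reported PCR"
    if hmac.compare_digest(reported_pcr, baseline["pcr"]):
        return True, "measurements match baseline"
    for (bname, bdigest), (rname, rdigest) in zip(baseline["log"], reported_log):
        if bname != rname or bdigest != rdigest:
            return False, f"first divergence at {rname!r} (expected {bname!r})"
    return False, "boot chain length differs from baseline"


if __name__ == "__main__":
    baseline = make_baseline(GOLDEN_BOOT_CHAIN)
    # A node whose hypervisor image was altered reports a different PCR.
    tampered = list(GOLDEN_BOOT_CHAIN)
    tampered[2] = ("hypervisor", b"constructed: modified hypervisor image")
    pcr, log = measure_chain(tampered)
    print(verify_attestation(baseline, pcr, log))
```

Because the register is extended rather than overwritten, the same components booted in a different order also produce a different PCR value, which is why the verifier can detect a changed boot path and not only a changed image.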
Virtualization-based security (VBS) and the Windows Hypervisor-protected Code Integrity (HVCI) service create a secure, hardware-isolated environment that isolates memory and critical components to prevent attacks on, and unauthorized access to, critical parts of the operating system.
DRTM (Dynamic Root of Trust for Measurement) is a technology that lets the server boot initially into untrusted code but, shortly afterward, launches the system into a trusted state by taking control of all CPUs and forcing them down a well-known and measured code path. This allows untrusted early UEFI code to boot the hypervisor while still transitioning securely into a trusted and measured state. AX nodes based on Intel processors provide Intel® Trusted Execution Technology (Intel® TXT), whereas the AMD-based platforms use the SKINIT (Secure Init and Jump with Attestation) instruction.
Through the DMA Protection feature (also known as Direct Memory Access Protection), the operating system and the system firmware are protected against malicious and unintended Direct Memory Access (DMA) attacks from all DMA-capable devices (including M.2 PCIe slots), both during the boot process and at operating system runtime.
The AX nodes ship with a unique, factory-generated iDRAC password to provide additional security. The password is printed on the pull-out Service Tag on the front of the chassis, adjacent to the server asset label. Users who keep this default option must note this password and can use it to log in to iDRAC for the first time, rather than relying on a universal default password. For security purposes, Dell Technologies strongly recommends changing the default password.
The Networking Topologies for Azure Stack HCI Solutions chapter covers the various configurations of AX nodes that form the primary compute cluster deployed as HCI.