Blue gradient Windows Server background image Blue gradient Windows Server background image
4 min read

Ten reasons you’ll love Windows Server 2016 #8: Security

This post, authored by Matt McSpirit, Technical Evangelist at Microsoft, is #8 in the “Ten reasons you’ll love Windows Server 2016” series.

In this episode Matt interviews Nir Ben-Zvi, a principal program manager in the Windows Server product group. Nir and his team are one of many within Microsoft working to improve and provide additional layers of security for the datacenter, virtual machines and hosting environments – basically wherever servers are running. Nir’s team collaborates closely with the Windows 10 security and Azure security teams to provide end-to-end coverage across all your devices and environments that run your infrastructure and applications. check it out below.

During the last several years, cybersecurity has consistently rated as a top priority for IT. This is no surprise as major companies and government agencies are publically criticized for being hacked and failing to protect themselves and their customer and employee personal information.

At the same time, attackers are using readily available tools to infiltrate large organizations and remain undetected for a long period of time while conducting exfiltration of secrets or attacking the infrastructure and making ransom demands.
Windows Server 2016 delivers new layers of protection that help address these emerging threats so that the server becomes an active component in your security defenses. These security protections were built with the mindset of how we deal with the overall threat of ongoing attacks inside the datacenter environment and range from threat resistance and enhanced detection to managing privileged identity and protecting virtual machines from a compromised fabric.

When you step back to look at the threat profile in your environment with the assumption that the attackers found their way inside, through phishing or compromised credentials, it can get very overwhelming to think about how many ways there are for the attacker to quickly gain control over your systems (reported average is 24-48 hours).

With that mindset, privileged identity becomes the new security boundary and there is a need to protect and monitor privileged access. Using Just In Time administration enables you to assign, monitor and limit the timespan that people have administrator privilege and Just Enough Administration limits what administrators can do. Even if an attacker infiltrated a server, Credential Guard prevents the attacker from gaining credentials that can be used to attack other systems. Finally, to help you with securing privileged access end-to-end, we have published the Securing Privileged Access step-by-step plan that guides you through best practices and deployment steps.

When an attacker gains access to your environment, running your applications and infrastructure on Windows Server 2016 provide layers of protection against internal attacks using threat resistance technologies such as: Control Flow Guard to block common attack vectors, Code Integrity to control what can run on the server and the built in Windows Defender to detect, protect and report on malware. In addition, to better detect threats, Windows Server 2016 includes enhanced security auditing that can help your security experts detect and investigate threats in your environment.

Virtualization is another major area where new thinking was required. While there are protections from a virtual machine attacking the host or other virtual machines, there is no protection from a compromised host attacking the virtual machines that are running on it. In fact, since a virtual machine is just a file, it is not protected on the storage, the network, backups and so on. This is a fundamental issue present on every virtualization platform today whether it’s Hyper-V, VMware or any other. Quite simply, if a virtual machine gets out of an organization (either maliciously or accidentally) that virtual machine can be run on any other system. Think about high value assets in your organization such as your domain controllers, sensitive file servers, HR systems…

Wouldn’t it be great if you could create a virtual machine that can only run on fabric you designate? What if you could protect these virtual machines even from the underlying fabric administrators? Interested?

We think so too. To help protect against compromised fabric, Windows Server 2016 Hyper-V introduces Shielded VMs. A Shielded VM is a generation 2 VM (supports Windows Server 2012 and later) that has a virtual TPM, is encrypted using BitLocker and can only run on healthy and approved hosts in the fabric. If security is on your mind, you should definitely take a look at Shielded VMs.

Last, a shout out to developers that are using or experimenting with containers. We are thrilled to deliver this technology to help streamline the development process and increase efficiency. Windows Server Containers (like Linux Containers) share the underlying kernel and thus are fine for development hosts and test environments. However, for folks who work in market segments with strict regulatory and compliance requirements especially with regard to isolation, we have created a second type of container for you – Hyper-V Containers. Hyper-V containers are created and developed exactly the same way as Windows Server Containers; however, at runtime if you specify run as a Hyper-V container, then we will add Hyper-V isolation so that you can run the same container that you developed and tested on your production environment with the appropriate isolation to achieve the IT security goals. It’s really cool. If you haven’t tried Windows Containers, now’s a great time!

You can download the latest technical preview of Windows Server 2016 to try out these new security scenarios for yourself. Check out the TechNet security page and the Datacenter and Private Cloud Security Blog to double-click on any of the topics in the video.

Get more updates on Windows Server 2016 by following the Windows Server team @WindowsServer and Matt @mattmcspirit on Twitter.

Check out the other posts in this series: