 

Windows Server 2016: Best Security Features


In keeping with modern security threats and countermeasures, Microsoft has introduced some great new security features in Windows Server 2016. Check out the top 5 you need to know.

Microsoft is expected to release Windows Server 2016 at the Ignite conference in Atlanta (Sept. 26 to 30, 2016). This evolutionary upgrade to the server operating system adds significant new security features to the platform. Let's have a closer look at our top five:

Nano Server

Windows Server 2008 introduced the Server Core installation option, which represented a minimalist approach to Windows Server. Most server systems don't need a heavy and potentially vulnerable graphical user interface (GUI).


Windows Server 2016 takes that idea one step further with the Nano Server installation option. Nano Server is an ultra-compact Windows Server version that has no GUI and contains only the bare minimum of operating system files, leaving the system's attack surface exceedingly small.

Nano Server can be managed locally only in the most threadbare way, typically for initial setup. The following screenshot depicts the Nano Server Recovery Console.

[Screenshot: Nano Server is the smallest Windows Server yet.]

Nano Server requires far less disk space, less patching and far fewer reboots than the full Windows Server 2016 installation option. Although Nano doesn't run all server roles, it can handle some workhorse scenarios such as Hyper-V hosting, IIS web hosting and Scale-Out File Server (SoFS).

Shielded Virtual Machines

Shielded Hyper-V virtual machines address the administration scenario in which not all systems administrators should be allowed to manage all virtual machines (VMs) residing on a Hyper-V hardware host.

Windows Server 2016 supports a virtual Trusted Platform Module (TPM), which unlocks (pun intended) high-security scenarios for UEFI Secure Boot and BitLocker Drive Encryption inside the guest.

Essentially, a shielded virtual machine is a VM with an encrypted virtual hard disk (VHD) file. Depending on how you've configured the new Host Guardian Service in your Hyper-V cluster, any administrator action on protected VMs is screened, and access is either granted or denied.
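To make the vTPM point concrete, here is an added example (not from the article) that enables a virtual TPM on an existing Generation 2 Hyper-V VM and encrypts its saved state and live-migration traffic. The VM name app01 is an assumption. It uses a local key protector, which is the lab path; the Host Guardian Service supplies the key protector in a real shielded-VM deployment, and the Shielded property reported at the end stays False until that is in place.

```powershell
# Added example: vTPM for a Generation 2 VM with a local (non-HGS) key protector.
# Assumed VM name; adjust to your environment.
$vmName = 'app01'
$vm = Get-VM -Name $vmName

if ($vm.Generation -ne 2) { throw "A virtual TPM requires a Generation 2 VM." }
if ($vm.State -ne 'Off')  { Stop-VM -Name $vmName }

# Secure Boot in the guest UEFI firmware.
Set-VMFirmware -VMName $vmName -EnableSecureBoot On

# Local key protector: fine for a lab host, not a substitute for the Host Guardian Service.
Set-VMKeyProtector -VMName $vmName -NewLocalKeyProtector
Enable-VMTPM -VMName $vmName

# Encrypt saved state and migration traffic, so memory contents don't cross the wire in clear text.
Set-VMSecurity -VMName $vmName -EncryptStateAndVmMigrationTraffic $true

# Verify: TpmEnabled should now be True; Shielded remains False without an HGS-issued key protector.
Get-VMSecurity -VMName $vmName |
    Select-Object TpmEnabled, EncryptStateAndVmMigrationTraffic, Shielded
```

Inside the guest, BitLocker can then protect the OS volume with the vTPM as its key protector exactly as it would on physical hardware.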


Just Enough Administration (JEA)

Just Enough Administration (JEA) is Microsoft's application of "least privilege" security in the Windows PowerShell remoting context. As we saw with shielded virtual machines, we're past the days of giving systems administrators the figurative "keys to the kingdom." Admin1 may require full privileges on server01, server04 and server05, but she doesn't and shouldn't have full control of server02, server03 and server06.

The following schematic diagram outlines how JEA works at a high level:

[Diagram: JEA conceptual diagram.]

In keeping with IT security best practice, the domain administrator in the previous diagram operates his Windows client workstation as a standard user. He uses Windows PowerShell remoting to establish a connection to a JEA endpoint advertised on a target server.

Notice that the JEA endpoint constrains precisely which PowerShell cmdlets are allowed in the JEA session. Moreover, the user's context is temporarily shifted to that of a local administrator to give him the ability to do his remote administration work. Once the session closes, the administrator is back to being a limited user. Pretty clever, eh?
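The following is an added example (not code from the article) of registering such a JEA endpoint. The module name ServiceOps, the role ServiceRestarter, the group CONTOSO\ServiceOperators, the service names and the transcript path are assumptions. The role capability limits the operator to Get-Service and to Restart-Service on two named services; the session configuration runs the session as a virtual account (the temporary local administrator the text describes) and records a transcript of every command.

```powershell
# Added example: a constrained JEA endpoint for service restarts.
# Assumed names: module 'ServiceOps', role 'ServiceRestarter', group 'CONTOSO\ServiceOperators'.
$moduleRoot = Join-Path $env:ProgramFiles 'WindowsPowerShell\Modules\ServiceOps'
$rcDir      = Join-Path $moduleRoot 'RoleCapabilities'
New-Item -Path $rcDir -ItemType Directory -Force | Out-Null
New-ModuleManifest -Path (Join-Path $moduleRoot 'ServiceOps.psd1')

# Role capability: only these cmdlets are visible, and Restart-Service only accepts the listed names.
New-PSRoleCapabilityFile -Path (Join-Path $rcDir 'ServiceRestarter.psrc') `
    -VisibleCmdlets 'Get-Service',
        @{ Name = 'Restart-Service'
           Parameters = @{ Name = 'Name'; ValidateSet = 'Spooler', 'W3SVC' } }

# Session configuration: restricted session, virtual account, transcripts, group-to-role mapping.
$sessionConfigPath = Join-Path $env:TEMP 'ServiceOps.pssc'
New-PSSessionConfigurationFile -Path $sessionConfigPath `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory 'C:\JEATranscripts' `
    -RoleDefinitions @{ 'CONTOSO\ServiceOperators' = @{ RoleCapabilities = 'ServiceRestarter' } }

# Validate the file before registering it; registration restarts the WinRM service.
if (-not (Test-PSSessionConfigurationFile -Path $sessionConfigPath)) {
    throw "Session configuration file failed validation."
}
Register-PSSessionConfiguration -Name 'ServiceOps' -Path $sessionConfigPath -Force

# From the admin workstation, as a standard user who belongs to ServiceOperators:
#   Enter-PSSession -ComputerName server01 -ConfigurationName ServiceOps
#   Get-Command        # shows only Get-Service, Restart-Service and the default JEA cmdlets
#   Restart-Service -Name Spooler
```

The transcript directory gives the security operations team a per-session record of who ran which command through the endpoint, which is the audit trail that makes delegating a local-administrator context acceptable.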

"Headless" Windows Defender

Windows Defender is the built-in antimalware software in Windows Server and Windows client operating systems. What's cool about Windows Server 2016 is that the underlying antimalware service now runs "headless," without a graphical user interface.

Why all the focus on GUIs on server systems? It comes down to two points:

  • A GUI consumes system resources that the server can apply in other areas to much greater effect
  • A GUI represents extraneous OS bits that may contain security vulnerabilities and thereby reduce the overall security posture of the server

If Windows Defender has no GUI, you may ask, then how the heck are administrators supposed to manage the software? Windows PowerShell, of course.

For example, we can run the following to list the Windows Defender components programmatically:

Get-WindowsFeature -Name *defender* | Format-Table -AutoSize

Display Name                      Name                            Install State
------------                       ----                           -------------
[X] Windows Defender Features      Windows-Defender-Features      Installed
    [X] Windows Defender           Windows-Defender               Installed
    [X] GUI for Windows Defender   Windows-Defender-Gui           Installed

We use Install-WindowsFeature to install server features, and Uninstall-WindowsFeature to remove them. Finally, we can use the next PowerShell "one-liner" to list available Windows Defender configuration commands:

Get-Command -Module Defender | Select-Object -Property Name | Format-Wide -Column 2

Add-MpPreference                      Get-MpComputerStatus
Get-MpPreference                      Get-MpThreat
Get-MpThreatCatalog                   Get-MpThreatDetection
Remove-MpPreference                   Remove-MpThreat
Set-MpPreference                      Start-MpScan
Start-MpWDOScan                       Update-MpSignature
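Putting those cmdlets to work, here is an added example (not from the article) of the day-to-day Defender administration an admin would do on a headless server: remove the optional GUI feature, confirm the engine and signatures are healthy, set a baseline configuration, update and scan, and pull the last week's detections. All cmdlets are from the Defender and ServerManager modules listed above; the seven-day window is a choice made for this example.

```powershell
# Added example: managing headless Windows Defender on Windows Server 2016.

# 1. Drop the GUI feature so only the antimalware service remains installed.
if ((Get-WindowsFeature -Name Windows-Defender-Gui).Installed) {
    Uninstall-WindowsFeature -Name Windows-Defender-Gui
}

# 2. Health check: service enabled, real-time protection on, signatures current.
Get-MpComputerStatus |
    Select-Object AMServiceEnabled, RealTimeProtectionEnabled,
                  AntivirusSignatureVersion, AntivirusSignatureLastUpdated

# 3. Baseline configuration: real-time protection on, cloud-delivered protection and safe sample submission.
Set-MpPreference -DisableRealtimeMonitoring $false `
                 -MAPSReporting Advanced `
                 -SubmitSamplesConsent SendSafeSamples

# 4. Refresh signatures and run a quick scan.
Update-MpSignature
Start-MpScan -ScanType QuickScan

# 5. Detections from the last seven days, newest first, for follow-up or SIEM forwarding.
Get-MpThreatDetection |
    Where-Object { $_.InitialDetectionTime -gt (Get-Date).AddDays(-7) } |
    Sort-Object InitialDetectionTime -Descending |
    Select-Object InitialDetectionTime, ThreatID, ProcessName, ActionSuccess
```

Because every step is a cmdlet, the same script runs unchanged against Nano Server or Server Core through PowerShell remoting, which is exactly why the GUI is dispensable.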

Device Guard/Credential Guard

Nowadays you should never purchase a physical server or client machine without the following hardware features:

  • Hardware-assisted CPU virtualization extensions
  • UEFI firmware
  • TPM chip

Assuming that your server meets the physical requirements, you can consider employing application whitelisting in the form of Device Guard. It will lock down the system such that it can run only software applications that (a) have been digitally signed; and (b) are allowed in your security policy.

Device Guard is tough — if the app isn't allowed, it simply will not run, nor can you even install it in the first place. This is a technology that will likely make your user base go bananas, especially if they've been allowed to install their own software on company-owned systems in the past.

On the other hand, Device Guard protects the integrity of the system at a fundamental level. Digitally signed code means that if a single bit changes in that software — for instance, if malware attempted to replace or modify a file — then Device Guard raises an alarm.

If a violation of the boot environment is detected, then the system won't start up. If a violation occurs in a piece of system or user-mode software, then that software won't function unless and until the original, signed code is restored.

Credential Guard uses Hyper-V virtualization to protect in-memory credentials. Think of it this way: if you're logged onto your administrative workstation with domain administrator credentials, then those NTLM hashes and/or Kerberos tickets reside in unprotected Local Security Authority (LSA) memory space.

It's very possible for an attacker to tap into that unprotected memory from across the network, or possibly the Internet, and steal those secrets. Credential Guard uses a protected, isolated LSA process to store the cached creds, keeping them out of the reach of malicious code and attackers.
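Before rolling out Device Guard or Credential Guard, an admin needs to know whether the hardware prerequisites listed above are met and whether virtualization-based security is actually running rather than merely configured. The following added example (not from the article) gathers that in one report from built-in cmdlets and the Win32_DeviceGuard WMI class; the function name Test-VbsReadiness is an assumption, and the numeric status codes in the comments are the documented values of that class.

```powershell
# Added example: hardware prerequisites and VBS / Credential Guard / Device Guard status on one host.
function Test-VbsReadiness {
    $result = [ordered]@{}

    # UEFI firmware with Secure Boot. Confirm-SecureBootUEFI throws on legacy BIOS systems.
    try   { $result.SecureBootUEFI = Confirm-SecureBootUEFI }
    catch { $result.SecureBootUEFI = $false }

    # TPM chip present and initialized (TrustedPlatformModule module).
    $tpm = Get-Tpm -ErrorAction SilentlyContinue
    $result.TpmPresent = [bool]($tpm -and $tpm.TpmPresent)
    $result.TpmReady   = [bool]($tpm -and $tpm.TpmReady)

    # CPU virtualization extensions and SLAT as the OS sees them (firmware may have them disabled).
    $cpu = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1
    $result.VirtualizationFirmwareEnabled = [bool]$cpu.VirtualizationFirmwareEnabled
    $result.SecondLevelAddressTranslation = [bool]$cpu.SecondLevelAddressTranslationExtensions

    # Device Guard class: configured state versus running state.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard

    # VirtualizationBasedSecurityStatus: 0 = not enabled, 1 = enabled but not running, 2 = running
    $result.VbsStatus = $dg.VirtualizationBasedSecurityStatus

    # SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI (hypervisor-enforced code integrity)
    $result.CredentialGuardRunning = [bool]($dg.SecurityServicesRunning -contains 1)
    $result.HvciRunning            = [bool]($dg.SecurityServicesRunning -contains 2)

    # Code integrity policy enforcement: 0 = off, 1 = audit mode, 2 = enforced
    $result.UserModeCodeIntegrityPolicy = $dg.UsermodeCodeIntegrityPolicyEnforcementStatus

    [pscustomobject]$result
}

$readiness = Test-VbsReadiness
$readiness | Format-List

if (-not $readiness.CredentialGuardRunning) {
    Write-Warning 'Credential Guard is not running: cached domain credentials remain in the unprotected LSA process.'
}
if ($readiness.UserModeCodeIntegrityPolicy -eq 1) {
    Write-Warning 'Code integrity policy is in audit mode only; unsigned or unapproved code still runs.'
}
```

Audit mode (status 1) is the sensible first step for Device Guard: it logs what a policy would have blocked without yet enforcing it, so you can tune the policy before users hit the wall the article describes.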

Bottom Line

The Windows Server development team puts a strong focus on system security. In fact, their mantra nowadays is "assume breach." This methodology involves assuming that our system has been compromised, and developing countermeasures based on that scary assumption.

Some of the aforementioned ideas, especially running as a standard user and employing Windows PowerShell more intensely, take some getting used to. However, it's the way of the future, and these are required skills for the modern Windows systems administrator.