Here are my biggest and best Windows Server 2016 security improvements in order of importance.
1. Shielded Virtual Machines
Shielded Virtual Machines protect virtual machines against malicious Hyper-V admins and malware attacks in both public and private clouds. They are encrypted using BitLocker, which prevents an attacker from getting access to the virtual machine's data. They also help protect virtual machines from a compromised fabric and improve compliance.
2. Credential Guard and Remote Credential Guard
These help protect administrator credentials from Pass-the-Hash attacks. A Pass-the-Hash attack is a technique used to harvest credentials as they move from one machine to another. It also provides two different administration levels:
Just Enough Administration: Granular rights for the job in hand
Just-In-Time Administration: Rights granted only when needed
3. Windows Nano Server
Nano Server is a tiny version of Windows Server with just the minimum number of operating system files. Its tiny size means that the attack surface is also tiny. To install Windows Nano Server, you need just 130MB of RAM and 600MB on your C drive.
4. Windows Defender
Windows Defender is optimised for server roles, helps protect against known malware and runs without a GUI. This means it uses fewer resources and therefore reduces the area open to vulnerabilities.
5. Device Guard helps ensure only trusted software runs on the server.
6. Control Flow Guard helps protect against memory corruption attacks.
7. Advanced auditing capabilities detect suspicious behaviour in the kernel or other sensitive processes.
8. Hyper-V containers. Use the distributed firewall, a software-defined networking capability, to control internal and external network traffic to virtual machines.
9. Set up alerts and reporting using Microsoft Operations Management Suite Insights & Analytics tools.
These 9 form the basis of what we at Trilogy believe to be the key Windows Server 2016 security improvements and complete our Windows Server 2016 blog trilogy. Read the first, "Why you should deploy it now", and the second, "6 best new features".