What’s New With Windows Server 2016?

Windows Server 2016 became commercially available on Oct. 12, 2016. The new operating system includes a few noteworthy and important security features, such as a bare-bones Nano Server to reduce the potential attack surface, a more protected hypervisor that can run encrypted virtual disks, minimal administration to bring the principle of least privilege to remote PowerShell environments and more.

Stripped-Down Nano Server

Since 2008, Windows Server featured a more austere core installation feature. Server 2016, however, achieves a new level of minimalism with its Nano Server. This is a very compact version that eliminates the graphical interface and just about everything else to give you the smallest possible attack surface. According to InfoWorld, you can run Nano on 512 MB of disk space and less than 300 MB of memory. Boot time takes only nine seconds, compared to the two minutes it takes to boot up the full desktop server.

Nano supports some server roles, such as application servers like Hyper-V and Internet Information Services (IIS) web hosting. You will need to manage it with either PowerShell or new Remote Server Administration Tools (RSAT).

Just Enough Administration (JEA)

Speaking of admin tools, Microsoft has adopted the notion of least privilege with PowerShell. This approach, called Just Enough Administration (JEA), is part of the Windows Management Framework 5.0. Basically, there are more granular roles that can be restricted to specific instances, providing more ways to reduce admin access than previously possible. For example, an admin might need read access to server logs, but he or she can’t make changes to them or reconfigure a particular server. This way, auditors can’t inadvertently alter logs.

It’s important to note, however, that cybercriminals can break JEA by exploiting vulnerabilities found in role capabilities. JEA should not be viewed as a security barrier. Rather, it should be controlled and monitored like regular admin access.

JEA sample documents and resources are available on GitHub.

Windows Defender: Headless Version

Windows Defender has been beefed up with the latest version of Windows 10, which is managed with this version of Server 2016. The new wrinkle is the lack of a graphical interface — all management is done with PowerShell command line prompts.

Leverage the Latest Hardware Extensions

PCs have come with UEFI firmware, trusted platform module (TPM) chips and hardware-assisted central processing unit (CPU) virtual extensions for years. Server 2016 is finally leveraging them with a new feature called Device Guard.

This will lock down your servers to only run digitally signed applications permitted by particular security policies. The idea is to protect the integrity of your servers so that any malware can be better contained.

VM Encryption

One of the biggest flaws in using virtual machines (VMs) is that those with admin access to the hypervisor can wreak havoc on your virtual infrastructure. However, a new feature in Windows Server 2016 allows VMs to run from encrypted hard drive files, which in turn makes it more difficult to make changes. Each VM uses a virtual TPM to enable disk encryption with BitLocker.

New Identity Management Services

There is a whole collection of identity management services that leverage hardware extensions, making certificates and Active Directory domains more secure. This introduces the idea of a bastion forest, also known as a red forest, where administrative accounts live. Bastion forests can be isolated to protect accounts.

The bottom line is that Windows Server 2016 assumes you are going to be attacked and provides better ways to defend your critical servers with its new features.

More from Identity & Access

Cybersecurity in the Next-Generation Space Age, Pt. 3: Securing the New Space

View Part 1, Introduction to New Space, and Part 2, Cybersecurity Threats in New Space, in this series. As we see in the previous article of this series discussing the cybersecurity threats in the New Space, space technology is advancing at an unprecedented rate — with new technologies being launched into orbit at an increasingly rapid pace. The need to ensure the security and safety of these technologies has never been more pressing. So, let’s discover a range of measures…

Backdoor Deployment and Ransomware: Top Threats Identified in X-Force Threat Intelligence Index 2023

Deployment of backdoors was the number one action on objective taken by threat actors last year, according to the 2023 IBM Security X-Force Threat Intelligence Index — a comprehensive analysis of our research data collected throughout the year. Backdoor access is now among the hottest commodities on the dark web and can sell for thousands of dollars, compared to credit card data — which can go for as low as $10. On the dark web — a veritable eBay for…

Kronos Malware Reemerges with Increased Functionality

The Evolution of Kronos Malware The Kronos malware is believed to have originated from the leaked source code of the Zeus malware, which was sold on the Russian underground in 2011. Kronos continued to evolve and a new variant of Kronos emerged in 2014 and was reportedly sold on the darknet for approximately $7,000. Kronos is typically used to download other malware and has historically been used by threat actors to deliver different types of malware to victims. After remaining…

An IBM Hacker Breaks Down High-Profile Attacks

On September 19, 2022, an 18-year-old cyberattacker known as "teapotuberhacker" (aka TeaPot) allegedly breached the Slack messages of game developer Rockstar Games. Using this access, they pilfered over 90 videos of the upcoming Grand Theft Auto VI game. They then posted those videos on the fan website GTAForums.com. Gamers got an unsanctioned sneak peek of game footage, characters, plot points and other critical details. It was a game developer's worst nightmare. In addition, the malicious actor claimed responsibility for a…