What’s New With Windows Server 2016?
Windows Server 2016 became commercially available on Oct. 12, 2016. The new operating system includes a few noteworthy and important security features, such as a bare-bones Nano Server to reduce the potential attack surface, a more protected hypervisor that can run encrypted virtual disks, minimal administration to bring the principle of least privilege to remote PowerShell environments and more.
Stripped-Down Nano Server
Since 2008, Windows Server featured a more austere core installation feature. Server 2016, however, achieves a new level of minimalism with its Nano Server. This is a very compact version that eliminates the graphical interface and just about everything else to give you the smallest possible attack surface. According to InfoWorld, you can run Nano on 512 MB of disk space and less than 300 MB of memory. Boot time takes only nine seconds, compared to the two minutes it takes to boot up the full desktop server.
Nano supports some server roles, such as application servers like Hyper-V and Internet Information Services (IIS) web hosting. You will need to manage it with either PowerShell or new Remote Server Administration Tools (RSAT).
Just Enough Administration (JEA)
Speaking of admin tools, Microsoft has adopted the notion of least privilege with PowerShell. This approach, called Just Enough Administration (JEA), is part of the Windows Management Framework 5.0. Basically, there are more granular roles that can be restricted to specific instances, providing more ways to reduce admin access than previously possible. For example, an admin might need read access to server logs, but he or she can’t make changes to them or reconfigure a particular server. This way, auditors can’t inadvertently alter logs.
It’s important to note, however, that cybercriminals can break JEA by exploiting vulnerabilities found in role capabilities. JEA should not be viewed as a security barrier. Rather, it should be controlled and monitored like regular admin access.
JEA sample documents and resources are available on GitHub.
Windows Defender: Headless Version
Windows Defender has been beefed up with the latest version of Windows 10, which is managed with this version of Server 2016. The new wrinkle is the lack of a graphical interface — all management is done with PowerShell command line prompts.
Leverage the Latest Hardware Extensions
PCs have come with UEFI firmware, trusted platform module (TPM) chips and hardware-assisted central processing unit (CPU) virtual extensions for years. Server 2016 is finally leveraging them with a new feature called Device Guard.
This will lock down your servers to only run digitally signed applications permitted by particular security policies. The idea is to protect the integrity of your servers so that any malware can be better contained.
One of the biggest flaws in using virtual machines (VMs) is that those with admin access to the hypervisor can wreak havoc on your virtual infrastructure. However, a new feature in Windows Server 2016 allows VMs to run from encrypted hard drive files, which in turn makes it more difficult to make changes. Each VM uses a virtual TPM to enable disk encryption with BitLocker.
New Identity Management Services
There is a whole collection of identity management services that leverage hardware extensions, making certificates and Active Directory domains more secure. This introduces the idea of a bastion forest, also known as a red forest, where administrative accounts live. Bastion forests can be isolated to protect accounts.
The bottom line is that Windows Server 2016 assumes you are going to be attacked and provides better ways to defend your critical servers with its new features.