What’s New With Windows Server 2016?

Windows Server 2016 became commercially available on Oct. 12, 2016. The new operating system includes a few noteworthy and important security features, such as a bare-bones Nano Server to reduce the potential attack surface, a more protected hypervisor that can run encrypted virtual disks, minimal administration to bring the principle of least privilege to remote PowerShell environments and more.

Stripped-Down Nano Server

Since 2008, Windows Server featured a more austere core installation feature. Server 2016, however, achieves a new level of minimalism with its Nano Server. This is a very compact version that eliminates the graphical interface and just about everything else to give you the smallest possible attack surface. According to InfoWorld, you can run Nano on 512 MB of disk space and less than 300 MB of memory. Boot time takes only nine seconds, compared to the two minutes it takes to boot up the full desktop server.

Nano supports some server roles, such as application servers like Hyper-V and Internet Information Services (IIS) web hosting. You will need to manage it with either PowerShell or new Remote Server Administration Tools (RSAT).

Just Enough Administration (JEA)

Speaking of admin tools, Microsoft has adopted the notion of least privilege with PowerShell. This approach, called Just Enough Administration (JEA), is part of the Windows Management Framework 5.0. Basically, there are more granular roles that can be restricted to specific instances, providing more ways to reduce admin access than previously possible. For example, an admin might need read access to server logs, but he or she can’t make changes to them or reconfigure a particular server. This way, auditors can’t inadvertently alter logs.

It’s important to note, however, that cybercriminals can break JEA by exploiting vulnerabilities found in role capabilities. JEA should not be viewed as a security barrier. Rather, it should be controlled and monitored like regular admin access.

JEA sample documents and resources are available on GitHub.

Windows Defender: Headless Version

Windows Defender has been beefed up with the latest version of Windows 10, which is managed with this version of Server 2016. The new wrinkle is the lack of a graphical interface — all management is done with PowerShell command line prompts.

Leverage the Latest Hardware Extensions

PCs have come with UEFI firmware, trusted platform module (TPM) chips and hardware-assisted central processing unit (CPU) virtual extensions for years. Server 2016 is finally leveraging them with a new feature called Device Guard.

This will lock down your servers to only run digitally signed applications permitted by particular security policies. The idea is to protect the integrity of your servers so that any malware can be better contained.

VM Encryption

One of the biggest flaws in using virtual machines (VMs) is that those with admin access to the hypervisor can wreak havoc on your virtual infrastructure. However, a new feature in Windows Server 2016 allows VMs to run from encrypted hard drive files, which in turn makes it more difficult to make changes. Each VM uses a virtual TPM to enable disk encryption with BitLocker.

New Identity Management Services

There is a whole collection of identity management services that leverage hardware extensions, making certificates and Active Directory domains more secure. This introduces the idea of a bastion forest, also known as a red forest, where administrative accounts live. Bastion forests can be isolated to protect accounts.

The bottom line is that Windows Server 2016 assumes you are going to be attacked and provides better ways to defend your critical servers with its new features.

More from Risk Management

Operationalize cyber risk quantification for smart security

4 min read - Organizations constantly face new tactics from cyber criminals who aim to compromise their most valuable assets. Yet despite evolving techniques, many security leaders still rely on subjective terms, such as low, medium and high, to communicate and manage cyber risk. These vague terms do not convey the necessary detail or insight to produce actionable outcomes that accurately identify, measure, manage and communicate cyber risks. As a result, executives and board members remain uninformed and ill-prepared to manage organizational risk effectively.…

The evolution of ransomware: Lessons for the future

5 min read - Ransomware has been part of the cyber crime ecosystem since the late 1980s and remains a major threat in the cyber landscape today. Evolving ransomware attacks are becoming increasingly more sophisticated as threat actors leverage vulnerabilities, social engineering and insider threats. While the future of ransomware is full of unknown threats, we can look to the past and recent trends to predict the future. 2005 to 2020: A rapidly changing landscape While the first ransomware incident was observed in 1989,…

Defense in depth: Layering your security coverage

2 min read - The more valuable a possession, the more steps you take to protect it. A home, for example, is protected by the lock systems on doors and windows, but the valuable or sensitive items that a criminal might steal are stored with even more security — in a locked filing cabinet or a safe. This provides layers of protection for the things you really don’t want a thief to get their hands on. You tailor each item’s protection accordingly, depending on…

The evolution of 20 years of cybersecurity awareness

3 min read - Since 2004, the White House and Congress have designated October National Cybersecurity Awareness Month. This year marks the 20th anniversary of this effort to raise awareness about the importance of cybersecurity and online safety. How have cybersecurity and malware evolved over the last two decades? What types of threat management tools surfaced and when? The Cybersecurity Awareness Month themes over the years give us a clue. 2004 - 2009: Inaugural year and beyond This early period emphasized general cybersecurity hygiene,…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today