3 ways Windows Server 2016 is tackling security

Windows Server 2016 could be a generational shift in security on par with Bill Gates’ introduction of Trustworthy Computing in 2002.


Device Guard is a new type of code integrity that limits what binaries can run. “It’s no longer just applying to the user, it can now protect itself against admin abuse,” explains Wells. If an admin tampers with code integrity policy and reboots a server, it will deliberately blue screen. That’s based on customer feedback, he says. “They’re making the call that a box contains sensitive workloads or data [and] would rather lose the workload than potentially lose the data.” Wells recommends deploying Device Guard in audit mode to see what will be affected.

Control Flow Guard also restricts what application code can be executed to protect against memory-corruption attacks and return-oriented programming. It’s a technology from Windows 10, and Windows Server 2016 adds another client feature — Windows Defender anti-malware.

“The problem is when you install anti-malware on a server, there are some additional optimizations needed for Hyper-V that [third-party tools] don't do,” explains Woolsey. “That leads to some weird technology support calls and really weird performance. They didn't take into account roles and services. Now you get anti-malware out of the box; it understands server workloads and it’s optimized for the scale-out file server role.”

Software-defined networking in Windows Server 2016 includes network security groups and a distributed firewall that can put virtual security appliances inside the network. “If I have a firewall blocking access into my data center, it’s simply too far away from the mission-critical workloads,” says Microsoft principal lead program manager Ravi Rao.

“Once the attackers get in, they wreak havoc. Now I can restrict security on my front end servers, so only the internet can talk to the front tier and it can’t talk to any other tiers, and the other tiers can only talk to each other and not to the internet,” Rao says. “Even if someone attacks your front end and even takes it out with a vulnerability, they can’t perform lateral attacks. And you can dynamically segment your network to meet changing security needs.”

The new Nano Server deployment option for Windows Server 2016 also improves security; with no graphical interface and fewer components and services, it has a much smaller attack surface than even Server Core. Snover calls it “just enough OS.”

Switching to Nano Server to run Hyper-V, clustering, IIS, DNS, scale-out file servers and any workloads that run in .NET Core and ASP.NET Core will reduce the number of vulnerabilities that will affect your servers — and the amount of patching you have to do. Given how many successful attacks use vulnerabilities for which there are patches, patching continues to be an issue.

Nano Server will also be the logical way to switch to containers and cloud-style app development, and it’s the basis of Microsoft’s hybrid cloud Azure Stack offering. If you’re ready to move to this new way of working, Nano Server gives you a secure basis. But even for the way businesses use servers today, Windows Server 2016 has so many security improvements addressing the key methods of attack businesses face that it’s a significant upgrade.


Copyright © 2016 IDG Communications, Inc.
