In the first post of this series I highlighted that with Windows Server 2016 there are some feature differences between the Standard and the Enterprise Editions that might get lost in some of the messaging, so in this series of posts I’m going to be highlighting the feature set of Windows Server 2016, and will include information from a few different resources, but the primary one is the Windows Server 2016 Technical Preview 5 Feature Comparison. As mentioned in the first post of the series, these will focus on what’s new from a Windows Server 2012 R2 perspective, rather than Windows Server 2008 R2 or Windows Server 2012 perspective, I will focus on those later if needed.
Following on from the previous post in the series, which was on Identity, Today’s topic is Security, and following you will find the information from the Feature Comparison Guide.
Unlike the last post, security is one of the areas where there are additional features and capabilities in Datacenter edition, including technologies such as the new Shielded VM solution, but Standard edition still includes extensive threat resistance components built into the Windows Server 2016 operating system and enhanced auditing events that will help security systems detect malicious activity.
Please note that these are subject to change and are based on Windows Server 2016 Technical Preview 5. If any adjustments need to be made, please leave a comment.
Windows Server 2016 delivers layers of protection that help address emerging threats and make Windows Server 2016 an active participant in your security defenses.
Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. Credential Guard offers better protection against advanced persistent threats by protecting credentials on the system from being stolen by a compromised administrator or malware.
Code Integrity (Device Guard)
Code Integrity uses Virtualization Based Security to ensure that only allowed binaries can be run on the system. If the app or driver isn’t trusted, it can’t run. It also means that even if an attacker manages to get control of the Windows kernel, they will be much less likely to be able to run malicious executable code.
Control Flow Guard
Control Flow Guard (CFG) is a highly-optimized platform security feature that was created to combat memory corruption vulnerabilities. By placing tight restrictions on where an application can execute code from, it makes it much harder for exploits to execute arbitrary code through vulnerabilities such as buffer overflows. Windows user mode components are created with Control Flow Guard built-in and vendors can also include Control Flow Guard in their binaries using Visual Studio 2015
In-Box Windows Defender: Antimalware Windows Defender is malware protection that actively protects Windows Server 2016 against known malware and can regularly update antimalware definitions through Windows Update. Windows Defender is optimized to run on Windows Server supporting the various server roles and is integrated with PowerShell for malware scanning.
Device Health Attestation
For Windows 10-based devices, Microsoft introduces a new public API that will allow Mobile Device Management (MDM) software to access a remote attestation service called Windows Health Attestation Service. A health attestation result, in addition to other elements, can be used to allow or deny access to networks, apps, or services, based on whether devices prove to be healthy.
Privileged Access: Just Enough Administration (JEA)
Administrators should only be able to perform their role and nothing more. For example: A File Server administrator can restart services, but should not be able to browse the data on the server.
Just Enough Administration provides a role based access platform through Windows PowerShell. It allows specific users to perform specific adminstrative tasks on servers without giving them administrator rights.
JEA is built into Windows Server 2016 and you can also use WMF 5.0 to take advantage of JEA on Windows Server 2008 R2 and higher.
SMB 3.1.1 Security Improvements
Security improvements to SMB 3.1.1 include Pre-Authentication Integrity and SMB Encryption Improvements.
Pre-authentication integrity provides improved protection from a man-in-the-middle attacker tampering with SMB’s connection establishment and authentication messages. Pre-Auth integrity verifies all the “negotiate” and “session setup” exchanges used by SMB with a strong cryptographic hash (SHA-512). If your client and your server establish an SMB 3.1.1 session, you can be sure that no one has tampered with the connection and session properties.
SMB 3.1.1 offers a mechanism to negotiate the crypto algorithm per connection, with options for AES-128-CCM and AES128-GCM.
PowerShell 5.0 Security Features
There are several new security features included in PowerShell 5.0. These include: Script block logging, Antimalware Integration, Constrained PowerShell and transcript logging.
PowerShell 5.0 is also available for install on previous operating systems starting from Windows Server 2008 R2 and on.