In the first post of this series, I provided an introduction to some of the top-level ways that Windows Server 2016 and Windows 10 provide a better-together story, and in today's post I'll focus on some of the security enhancements that both operating systems provide.
Let's start with the items listed in the PDF referenced in the first post.

| Enterprises need to: | Example scenario: | How Windows Server 2016 + Windows 10 help: |
|---|---|---|
| Protect users, apps, servers, and devices against cyber attacks | Attacker uses a Pass-the-Hash attack on a laptop and a server to steal administrator credentials. | Credential Guard isolates credentials on both client and server so only privileged system software can access them, making Pass-the-Hash or Pass-the-Ticket attacks ineffective. Remote Credential Guard, which requires both Windows Server 2016 and Windows 10, delivers Single Sign-On (SSO) for RDP sessions, meaning credentials aren’t passed to the RDP host and cannot be intercepted by attackers. |
| | User clicks on a malicious URL, which installs ransomware on all corporate clients and servers. | Device Guard ensures that only trusted software can be run on a server or device, preventing malicious code – like ransomware – from executing. |

One important thing to understand from the start is that on Windows 10 these technologies are only available in the Enterprise (and Education) SKUs. What does this mean if you sell systems with Pro? You've got several options for upgrading to Enterprise, including the traditional volume licensing options Microsoft has had available for a long time, as well as Microsoft's Cloud Solution Provider (CSP) program. Under CSP, you license the same way that you would for Office 365 or Enterprise Mobility + Security, for example: it is a per-user subscription, with upgrade rights from Pro to Enterprise included for five devices for that user. You assign the license via PowerShell or the Office 365 portal, and that user's copy of Windows 10 Pro will automatically be upgraded to Enterprise.
If you aren't overly familiar with Azure Active Directory (AAD, which is the identity service used for Office 365, EMS, and other Microsoft Online Services), we can choose to have cloud-only identities, that is, identities that we aren't synchronising to an existing Active Directory environment. For those looking to extend their on-premises Active Directory users and groups into Azure Active Directory, Azure Active Directory Connect is Microsoft's recommended synchronisation tool. For smaller organisations using Windows Server Essentials 2016 or the Windows Server Essentials role, you don't get all of the capabilities of AAD Connect, but it's a great starting point if you don't need everything that AAD Connect provides.
Anyway, back to the technologies referenced above... here are some links to get you started on these security technologies.
- Protect derived domain credentials with Credential Guard
- Protect Remote Desktop credentials with Remote Credential Guard
- Device Guard deployment guide
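
Because these protections depend on the edition and on the features actually being switched on, it is worth checking both on each machine. The following is an added example, not code from the original post: it reads the `EditionID` registry value and the `Win32_DeviceGuard` WMI class. The function name `Get-GuardStatus` is hypothetical, and the edition pattern is an assumption based on the Enterprise/Education requirement described above plus Windows Server editions.

```powershell
# Added example (not from the original post): report edition eligibility and the
# running state of Credential Guard / Device Guard on the local machine.
function Get-GuardStatus {
    [CmdletBinding()]
    param()

    # Edition check. The pattern is an assumption: Enterprise/Education per the
    # article, plus Server editions (ServerStandard, ServerDatacenter, ...).
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $eligible = $cv.EditionID -match '^(Enterprise|Education|Server)'

    # Win32_DeviceGuard exists on Windows 10 / Windows Server 2016 and later.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName 'Win32_DeviceGuard' -ErrorAction SilentlyContinue

    # VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled, 2 = running.
    $vbs = switch ($dg.VirtualizationBasedSecurityStatus) {
        2       { 'Running' }
        1       { 'EnabledNotRunning' }
        0       { 'Off' }
        default { 'Unknown' }   # class missing or property not populated
    }

    # CodeIntegrityPolicyEnforcementStatus: 0 = off, 1 = audit, 2 = enforced.
    $ci = switch ($dg.CodeIntegrityPolicyEnforcementStatus) {
        2       { 'Enforced' }
        1       { 'Audit' }
        0       { 'Off' }
        default { 'Unknown' }
    }

    [pscustomobject]@{
        ComputerName              = $env:COMPUTERNAME
        EditionID                 = $cv.EditionID
        EditionEligible           = [bool]$eligible
        VbsStatus                 = $vbs
        # In SecurityServices* arrays, 1 = Credential Guard, 2 = HVCI.
        CredentialGuardConfigured = [bool]($dg.SecurityServicesConfigured -contains 1)
        CredentialGuardRunning    = [bool]($dg.SecurityServicesRunning -contains 1)
        CodeIntegrityPolicy       = $ci
    }
}

Get-GuardStatus | Format-List
```

A machine that shows `CredentialGuardConfigured` as true but `CredentialGuardRunning` as false has the policy applied without the protection being active, which usually points to a missing hardware or firmware prerequisite or a pending reboot.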