Windows Server 2016 Security: Better protection begins at the OS
Contents
Getting out in front of cyber attacks
How attacks work
Windows Server 2016: Active defense and compliance
Protect credentials and limit administrator privileges
Credential Guard
Remote Credential Guard
Just Enough and Just-in-Time Administration
Secure OS to run your applications and infrastructure
Device Guard
Control Flow Guard
Windows Defender
Enhanced security auditing
Secure virtualization
Shielded Virtual Machines
Host Guardian Service
In today’s business environment, cyber attacks have become a normal occurrence for companies of all sizes, across all industries. The attacker profile has grown beyond independent actors, and now includes organized crime, nation states, and terror groups. These groups not only go after the biggest companies to steal information for the biggest payoff, they are also focused on interrupting businesses for profit or other malicious intent.
Windows Server 2016 was designed to defend server infrastructures against the methods attackers use to compromise data and interrupt business: stealing credentials, inserting malware into servers and applications, and targeting virtualization vulnerabilities. New protections at the identity, OS, and virtualization layers work to disrupt standard attacker toolkits and isolate vulnerable targets, making the server OS an active participant in its own defense.
Because attackers typically access sensitive data through compromised administrator credentials, securing administrator identities is key to blocking attacks. In many ways, identity has become the new perimeter when it comes to defending infrastructure and data. If your privileged credentials are secure, then you can keep attackers at bay – even if they are inside your network.
identity before granting the requested privileges. Once granted, those DNS privileges provide access to the PowerShell role for DNS for a specific time span. Imagine this scenario if the DNS admin’s credentials were stolen. First, since the credentials have no admin privileges attached to them, the attacker wouldn’t be able to gain access to the DNS server – or any other systems – to make any changes.
Preventing cyber threats also requires finding and blocking malware and attacks that seek to gain control by subverting the standard operating practices of your infrastructure. If attackers can get an operating system or application to run in a non-predetermined, non-viable way, they are likely using that system to take malicious actions. Windows Server 2016 provides layers of protection that block external attackers running malicious software or exploiting vulnerabilities.
Windows Server 2016 includes the industry-leading, active detection capabilities of Windows Defender to block known malware. Windows Defender works hand-in-hand with Device Guard and Control Flow Guard to prevent malicious code of any kind from being installed on your servers. It is turned on by default – the administrator does not need to take any action for it to start working. Windows Defender is also optimized to support the various server roles in Windows Server 2016.
the VM will run only on approved hosts in the virtualization fabric. This means that even if an attacker compromises the host, as in the case of a malicious administrator, the attacker wouldn’t be able to access the data in any individual VM. This protection – combined with the Host Guardian Service – brings VMs a level of protection never before available. Only the designated VM administrator has access to a Shielded Virtual Machine, preventing access by hackers with administrator credentials.
Alongside Shielded VMs, the Host Guardian Service is an essential component for creating a secure virtualization fabric. Its job is to attest to the health of a Hyper-V host before it will allow a Shielded Virtual Machine to boot or to migrate to that host.
using Admin-trusted attestation, which may be desirable if TPM 2.0 hardware is not in use in your organization. This attestation model is easy to deploy. Hosts are simply placed into a security group and the Host Guardian
In addition to protecting your infrastructure, Windows Server 2016 also helps developers incorporate security into their application development process in ways that were not previously possible. There are many technologies that developers use today to ensure that they can deliver
Hyper-V containers
Containers are great for streamlining development and increasing application efficiency. Unlike VMs, however, typical containers are not fully isolated.
IT organizations and developers alike can benefit from Nano Server, a lightweight installation option that minimizes the attack surface area. It can be used with physical servers, virtual machines, and containers but has no local login and supports only 64-bit applications, tools, and agents. Since supported server roles and optional features live outside Nano Server, organizations don’t expend resources on what they don’t install.