Best security features of Windows Server 2016

Because of the growing threats of a cybersecurity breach, Microsoft has consistently attempted to make its products more secure at each update. While it is clearly still an issue, Windows Server 2016 has a number of new features that attempt to bring its overall security to a higher standard.

If you’re planning on upgrading to Windows Server 2016, here are the most important aspects you need to understand before you make the change. Additionally, Microsoft announced a partnership with Dockers containers on Windows Server 2016 that all admins should read up about.

After that, read on to understand the best security features of Windows Server 2016.

Nano Server

According to Microsoft, Nano Server is the “new headless deployment option for Windows Server 2016.” The purpose of Nano Server is to give you the “lightest and fastest server OS configuration.” A few benefits Microsoft lists for its Nano Server include fewer patches and update events, faster restarts, better resource utilization, and tighter security.

This server offers a very small initial footprint and is easily customized by sourcing packages from repositories either on a local path or from the cloud.

Essentially, Nano Server is another step forward from Microsoft’s Server Core installation option available on Windows Server 2008. Server Core was also made to take up minimal resources and not require heavy graphical user interface (GUI).

Nano Server, then, builds on this server that was previously introduced. Nano Server has no GUI as well as “bare minimum operating system files, rendering the system’s attack surface exceedingly small.” It is important to note that a Nano server must be managed remotely and can only run 64-bit applications.

By running Nano Server, then, a user can take up less disk space as well as need fewer patches and reboots. Nano cannot run all roles that the full version of Windows Server 2016 can, but it is no slouch. It can run some heavy-duty server platforms including Hyper-V hosting and IIS web hosting.

Just Enough Administration and PowerShell 5.0

Just Enough Administration (JEA) is security technology included with the Windows Management Framework 5.0. This technology “helps organizations enforce information security by restricting IT administrative rights,” according to Microsoft.

“JEA provides a practical, role-based approach to set up and automate restrictions for IT personnel,” explains Microsoft more thoroughly, “and reduces the risks associated with providing users full administrative rights.”


Essentially, one admin might be able to control some servers but not others. The domain administrator can use Windows PowerShell to establish a connection to a JEA endpoint on a specific server or set of servers.

Users can access only certain PowerShell cmdlets depending on the JEA endpoint. Also, a user can temporarily be given the power of a local administrator. However, after the session has ended, the administrator can once again become a limited user.

PowerShell has been given a number of new features in Windows Server 2016, such as allowing PS5 to run in Nano Server directly, making the administration of this platform simpler.

Additionally, according to Microsoft, Windows PowerShell 5.0 is backward-compatible. “Cmdlets, providers, modules, snap-ins, scripts, functions, and profiles that were designed for Windows PowerShell 4.0, Windows PowerShell 3.0, and Windows PowerShell 2.0 generally work in Windows PowerShell 5.0 without changes,” Microsoft says on its blog post.

Credential Guard and Device Guard

Credential Guard and Device Guard run on virtual secure mode, a place where sensitive “operations can be securely performed … without being exposed to the host operating system.”

As you can understand from the name, Credential Guard works against in-memory user credentials being compromised in any way by utilizing Hyper-V virtualization. Credential Guard keeps this information secure by using a protected Local Security Authority (LSA) process to store any cached credentials.

To protect the LSA, which provides authentication services, generates security tokens, and more, Credential Guard moves it into Isolated User Mode. So, the LSA’s memory becomes isolated like a virtual machine’s memory. Also, other code, such as drivers, is stopped from running in Isolated User Mode, among other things.

Device Guard, instead, works by very strictly monitoring software application downloads. Under Device Guard, only software applications that have both been digitally signed and are allowed in your security policy will be able to be downloaded.

Device Guard is made up of three individual security features: Configurable Code Integrity, VSM Protected Code Integrity, and Platform and UEFI Secure Boot.

Because not all applications are signed, Microsoft offers a tool called SignTool.exe that allows you to create a signature for applications that need it. Only allowing signed code helps continuously protect your computer, because if some type of malware attempts to replace or modify a file, Device Guard will see that that code is not signed, and thus, alarm the administrator.

Essentially, if the app is not allowed for any number of reasons, it will not be downloaded; if it has already been installed, it will not run. “If a violation occurs in a piece of system or user-mode software,” explains Tom’s IT Pro, “then that software won’t function unless and until the original, signed code is restored.”

Put simply in the words of Ash de Zylva on Microsoft’s blog, “Device Guard is a group of key features designed to harden a computer system against malware. Its focus is preventing malicious code from running.”

Likewise, Credential Guard “aims to isolate and harden key system and user secrets against compromise, helping to minimize the impact and breadth of a Pass the Hash style attack in the event that malicious code is already running.”

Is it enough security?

Overall, Microsoft has really stepped up to the plate on Windows Server 2016’s security. They’ve attempted to fix their previous vulnerabilities and plan ahead for future breaches. In today’s cyber environment, some sort of attack will almost certainly be attempted.

Windows Server 2016 attempts to block out malware from invading sensitive material and protect the integrity of its users, both by strengthening initial security and planning counterattacks against those that get through.

While nothing is foolproof, Windows Server 2016 is certainly ahead of its 2012 counterpart.

Leave a Comment

Your email address will not be published.

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top