Windows Server 2016 Alive (Part 2)

By /

If you would like to read the first part of this article series please go to Windows Server 2016 Alive (Part 1).

In Part 1 of this two-part article series, I began a discussion about what’s new in Windows Server 2016, which was officially launched in September at this year’s Microsoft Ignite conference. This is Microsoft’s attempt to bridge the gap with a “cloud-ready” server operating system that also provides an updated, feature-laden on-premises data center solution for those organizations that aren’t ready to move to the cloud yet, while making it easier for them to make that transition when the time is right.

We briefly looked at some of the ways Server 2016 improves the virtualized experience with the latest additions to Hyper-V, including the new Hyper-V Manager tool, the WS-MAN protocol, discrete device assignment, host resource protection, on-the-fly configuration changes and nested virtual machines.

Containerization comes home

In our new DevOps-centric IT world, containerization is the hot tech topic of the day. Containers provide a new type of virtualized environment that isolates applications and makes them easy to deploy because all of the app’s dependencies are contained in one package. Unlike traditional VMs, containers share the underlying operating system, which conserves resources. Docker made Linux-based containers a household word, and now Microsoft has introduced two types of containers for Windows Server 2016 users: Windows Containers and Hyper-V Containers.

Windows Containers work very much like Linux containers, with isolated apps running in user mode on a shared host OS. Hyper-V containers provide greater isolation because the Windows containers run inside of Hyper-V VMs with their own OS binaries – in other words, like a traditional VM, but able to be managed as a container. Windows containers give you better performance, whereas Hyper-V containers give you better security. Windows Server 2016 gives you the choice so you can use the solution that’s most appropriate for your purposes.

More virtualization goodness

Other new virtualization-related features in Windows Server 2016 include:

  • Production checkpoints – These are “point in time” images (snapshots) of a virtual machine based on backups in the guest OS instead of a saved state like the traditional standard checkpoints. In Server 2016 and Windows 10 Hyper-V, new VMs that you create use production checkpoints by default, but you can still use standard checkpoints if you wish.
  • Hyper-V cluster upgrade “on the fly” – This new feature, also called rolling Hyper-V cluster upgrade, lets you upgrade a cluster’s functional level with Windows PowerShell without incurring downtime. All nodes have to run Server 2016 to use the new Hyper-V features.
  • Linux Secure Boot – You can now boot popular distros of Linux operating systems that are running on Hyper-V gen 2 VMs with Secure Boot enabled, after configuring the VMs to use the Microsoft UEFI Certification Authority.
  • Start order priority for clustered VMs – This is another feature that’s new to Server 2016. It lets you specify the order in which your clustered VMs are started (or restarted). To do this, you create sets of VMs and place your VMs into those sets.
  • Windows PowerShell Direct – With this new feature, you can easily run PowerShell commands in a VM from the host machine, without worrying about remote management configuration or firewall settings. This makes it easier to automate commands.

New storage options and features

Although many organizations are putting some or all of their data in the cloud, there will always be a place for on-premises storage of data that’s sensitive or confidential, or for some other reason deemed inappropriate for offloading to a cloud storage service. Windows Server 2016 offers new functionalities for storage of data, including data deduplication and Storage Spaces Direct.

Data deduplication

The purpose of this new feature in Server 2016 help conserve storage space by optimizing redundant data. The duplicate data is identified by an examination of the data on a volume, and then that data is stored once and can also be compressed for further savings in space. It works on file servers, where multiple users often have many copies of the same file, and also in VDI (Virtual Desktop Infrastructure) environments, where the virtual hard disks for users’ remote desktops are generally identical. Data dedupe is also useful for backup applications, where many of the backup snapshots are the same.

Storage Spaces Direct

Storage Spaces Direct is an outgrowth of Storage Spaces and is Microsoft’s means of deploying Software Defined Storage. It is a feature of Windows Server 2016 Datacenter Edition (only) that can be deployed in a converged or hyper-converged architecture, and it helps enterprises to reduce the cost of storage in comparison to traditional SAN and NAS solutions.

Security matters

In today’s threat-laden networking environment, security matters more than ever, and Microsoft recognizes this and builds new security mechanisms into Server 2016 to help organizations keep their on-premises servers and data centers safer from intruders, attacks and malware.

Security begins with identity and access management and a large percentage of attacks are accomplished by compromised legitimate user credentials. The holy grail for attackers and the most dangerous user accounts that can be compromised are those with administrative privileges, so Server 2016 introduces Privileged Access Management (PAM), which does for Windows Server 2016 Active Directory Domain Services the same thing Privileged Identity Management (PIM) does for Azure Active Directory.

PAM uses Just in Time administration (JIT) and Just Enough Administration (JEA) to restrict the time duration and the scope, respectively, of the administrative privileges an individual user has. PAM leverages Microsoft Identity Manager (MIM) to do this, and works by creating a bastion administrative forest to isolate privileged accounts and reduce the risk associated with stolen admin credentials.

Microsoft has also added a number of features to Active Directory Federation Services (AD FS), including expanded functionality with multi-factor authentication (MFA). MFA setup is simplified with the addition of a built-in Azure MFA adapter. Other improvements and additions are better device registration capabilities, Windows Hello and Microsoft Passport integration, more streamlined auditing, AD FS app customized sign-in, simpler management of passwords for federated Office 365 users, easier configuration of access control policies, and easier migration from Server 2012 R2 AD FS to Server 2016 AD FS.

Threat management is a big challenge and an important part of any organization’s security strategy, and one of the ways that Microsoft is helping customers keep attackers from accessing their networks and resources – including the internal attackers who are often overlooked – is with new features Control Flow Guard and Code Integrity, also called Device Guard.

  • Control Flow Guard specifically targets memory corruption vulnerabilities. Any glance at any month’s slate of Patch Tuesday security updates will reveal that memory corruption issues are at the center of a large proportion of the vulnerabilities and more important, they are responsible for more of the critical vulnerabilities that can be exploited by attackers to run remote code on a system. Control Flow Guard restricts the locations from which an application can execute code.
  • Device Guard (Code Integrity) is a feature that protects against malware by essentially changing from a model that blocks applications that are known to be malicious (using signatures) to a more “whitelist” type of model that only allows those applications that have been specified as trusted. It works with both user-mode and kernel-mode software. In the latter case, you can either allow software based on signature or block all drivers that aren’t explicitly whitelisted. You can create code integrity policies that are for general usage servers or to lock down servers that need to be high security (e.g., domain controllers). Software that doesn’t meet the policy requirements will show the attempt to run in the event log if you deploy Code Integrity in audit mode.

In addition, security auditing overall has been improved in Server 2016, and Windows Defender is installed by default, both of which help to protect against malware.

One of the most interesting and important new security features in Server 2016 brings us back to virtualization, because one of the downsides of VMs was that virtual machines were not protected from a compromised host machine. In fact, if an unauthorized person gets access to the VM file, it could be run on another system. If that VM is running a critical highly sensitive server, such as a domain controller or a file server with confidential information stored on it, this could be disastrous.

That’s where the new Shielded VMs feature in Windows Server 2016 Hyper-V comes in. Shielded VMs are encrypted with BitLocker, using a virtual Trusted Platform Module (vTPM). This means these VMs can only run on authorized host machines. Shielded VMs run on a guarded fabric deployment, using the Host Guardian Service, and help to protect against both untrusted software running on the host and compromised fabric administrators. Deployment of shielded VMs is a complicated procedure; you can download the Guarded Fabric Deployment Guide for Windows Server 2016 from TechNet for much more detailed information about this feature.

Less is More

Finally, Server 2016 brings us Nano Server, which takes the server core installation concept even further. The Nano Server installation option reduces the server’s disk space usage even more and operates only in “headless” mode – it’s remotely managed and has no local logon capability at all. This makes it both faster in performance and more secure due to the decreased attack surface. Nano Server is installed by configuring a VHD; there is no migration from Server 2012 R2 or previous server operating systems to Nano Server.

Final Thought

In this two-part series, we have very briefly introduced some (not all) of the new features that are included in Windows Server 2016, which was launched in September at Microsoft’s Ignite conference (which replaced TechEd). To dig deeper into all of these, check out What’s New in Windows Server 2016 on the TechNet web site, and/or come back to this site for more in-depth articles on individual new and improved features.

If you would like to read the first part of this article series please go to Windows Server 2016 Alive (Part 1).

About The Author

Debra Littlejohn Shinder is a technology and security analyst and author specializing in identity, security and cybercrime, utilizing her past experience as a police officer and police academy/criminal justice instructor. She has written numerous books and articles for web and print publications and has been awarded the Microsoft MVP designation for fourteen years in a row.

Read Next

Static vs Dynamic IP Address

Static vs Dynamic IP Address

Most people are familiar with Internet Protocol (IP) Addresses, but many people don’t know you have 2 types. In this article, you’ll learn about static…

Read More »

Leave a Comment

Your email address will not be published. Required fields are marked *

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top