In-Depth

Microsoft Makes the Case for Windows Server 2016

The company showcased the latest Windows Server improvements in security, cost savings and cloud-based app management.

• By Kurt Mackie
• 10/18/2016

Microsoft largely skipped outlining Windows Server 2016 during its September Ignite keynote talk, but it did offer a broad outline this month.

The details were spelled out in a talk by Jeffrey Snover, a Microsoft technical fellow and chief architect, Jeff Woolsey, a principal program manager for Windows Server, and Erin Chapple, a partner director of program management. Chapple offered high-level views of Windows Server 2016, while Woolsey offered technical details. Snover added overall perspective, including some possible "Snoverisms."

The full hour-long talk can be found in a Microsoft-produced "Introducing Windows Server 2016" webinar, originally aired on Oct. 13. It's available on demand here.

Snover said that Microsoft's Windows Server customers were primarily seeking help in three areas: addressing security threats, datacenter costs and application innovation. Microsoft's Windows Server 2016 developments were influenced by technologies used to run Microsoft Azure, the company's worldwide datacenter services operations, he added.

Security Perks
The starting point of the presentation was the security benefits of Windows Server 2016. Chapple said Microsoft added "layers of security" in Windows Server 2016. The idea is to shorten the time between attacks and detecting security breaches.

"From the time between the first host is compromised, it really is only between 24 and 48 hours between that and when the main admin is compromised," Chapple said. Breaches typically go undetected for an average of 200 days, she added. Microsoft sees protecting identity as key, along with protecting the operating system and assuring that it's running what you want it to run.

Woolsey warned IT pros to be on guard against phishing attacks. Attackers use org charts to try to divert end users toward malicious Web sites to gain access to corporate sites. Next, given a foothold, an attacker might conduct pass-the-hash exploit attempts to escalate privileges on a network. Woolsey asserted that administrative credentials are provided far more than necessary on networks. IT pros should enforce login policies that keep users with standard user access privileges 99 percent of the time, he added.

Microsoft added technologies in Windows Server 2016 to provide such protections. For instance, Credential Guard is designed prevents pass-the-hash and pass-the-ticket attacks. There's also Remote Credential Guard, which mitigates those threats when logging in remotely. There also are some constraints on administrator access privileges using PowerShell with Just Enough Administration and Just-in-Time Administration. A temporary account is provided with access to just the privileges needed to complete the task. These measures can be used to "guard-rail new administrators," Woolsey added. And it's audited, so it's possible to see who made network changes and when.

"Admins are an attack surface," Snover commented, regarding those security measures. Chapple explained that Microsoft was adding best practices on the back end with those security additions.

Here's Microsoft's slide on the credential protections enabled in Windows Server 2016:

Another security feature is the ability to set code integrity policy with Device Guard. It assures that the only thing that can run on Windows Server 2016 is what has been white listed. Only the permitted binaries can run at bootup.

"Most importantly, it [Device Guard] protects an admin from another admin installing something later that they shouldn't be running," Woolsey said.

Windows Server 2016 also includes Windows Defender. As with the client operating system, Windows Defender in Windows Server 2016 protects against known malware. However, it's also possible to use third-party antimalware solutions as well with Windows Defender on Windows Server 2016.

Windows Server 2016 also has Control Flow Guard. It's a security feature designed to deter unknown exploits that was introduced in Windows 8.1 and Windows Server 2012. Control Flow Guard protects against classes of memory corruption attacks.

Microsoft also added Shielded Virtual Machines to Windows Server 2016. It guards against security breaches that can happen internally when a virtual machine (VM) gets copied. Woolsey explained that once an infiltrator gets into a host, essentially the whole virtualization fabric has been compromised. An attacker can own your entire VM infrastructure by simply copying the VM.

"That's another thing about virtualization -- we made it really easy to steal workloads," Woolsey said.

A VM is literally a couple of files, he added. With Microsoft's Shielded Virtual Machines feature, a stolen VM can't be run it because it's an encrypted Blob.

Shielded Virtual Machines represents a "whole new world of protection for virtualization that doesn't exist on any platform in the world, quite simply," Woolsey claimed.

"Yeah, this is a game changer," Snover agreed.

Chapple stated that Shielded Virtual Machines also provides defense in depth within an enterprise because it can protect an organization's Active Directory.

"If you have a mission-critical workload -- your domain controller, your PKI server, your search servers, all of these things -- there is absolutely no better way to run it than to virtualize it using shielded Virtual Machines," Woolsey added.

The Host Guardian Service role in Windows Server 2016 is part of the Shielded Virtual Machines protection scheme, Woolsey said. It's used as an attestation service for the host. It only runs healthy workloads.

"The Guardian Service is actually running in a separate domain of the infrastructure," Woolsey said. "It actually attests to the fabric. So it makes sure that when a Hyper-V Server booted up, it actually went though the boot process; it actually tested and attested and measured the boot process. When it actually booted, it then checked the code integrity policy. Are you running only things that are allowed via the code integrity? Does code integrity pass? And then finally we can also check for things like debuggers. If we see a debugger on one of these, we know that perhaps someone is trying to do something they shouldn't be doing, like trying to inspect memory or something like that. If it doesn't pass the test, then the Shielded VM cannot start on that server."

Shielded Virtual Machines each have an encrypted virtual TPM, which protects the key for each virtual disk. They're a black box for fabric admins and are controlled by the admin of the guest OS, Woolsey said.

Microsoft illustrated the Shielded Virtual Machines and Host Guardian Service features in this slide.

Networking Benefits
Next, the Webinar focused on Windows Server 2016's networking benefits.

Chapple said that Windows Server 2016 includes datacenter efficiency technologies. It has enterprise-class virtualization, software-defined storage and software-defined networking capabilities.

Woolsey noted that Microsoft took learnings from running its Azure datacenters and added it to Windows Server 2016. The Windows Server Hyper-V hypervisor is an example, as it's used for Azure virtualization, too.

Microsoft, in devising Windows Server 2016, found that its customers were looking at running large-scale workloads. In Windows Server 2016, Microsoft added up to 24TB of RAM per physical server and 512 Logical Processors. The VM memory was boosted to 12TB in a VM. Windows Server 2016 supports up to 240 virtual processors in a VM, and that's true for both the Standard and Datacenter editions, Woolsey said.

Microsoft showed the following slide, comparing the Hyper-V scalability stats between Windows Server 2016 and its predecessor:

Microsoft also did some work in clustering and resiliency in Windows Server 2016. The new server has a cluster OS rolling upgrade feature without downtime. It also supports interoperability with Windows Server 2012 R2 cluster nodes. For cloud environments, Microsoft is promising VM resiliency during network or storage disruptions. Windows Server 2016 also has "fault domain-aware clusters," per Microsoft's slide:

Also, load balancing is built into Windows Server 2016 now. In the past, it was a feature of System Center. Now it's in there and it's on by default in Windows Server 2016, Woolsey said.

"We are designing the drama out of your server," Snover commented.

Storage Improvements
Windows Server 2016 has a Storage Replica feature that "allows us to create stretched clusters," Woolsey said. It creates "affordable business continuity and disaster recovery in the box for the first time," Woolsey said.