Windows 2016 Server New Security Features
What are some of the new security features in Windows 2016?
Windows 2016 is the soon-to-be-released version of the Windows Server software. The Server version of Windows is designed to power business, engineering, and other applications; it is not for desktop users. Prior to Windows 2016 there was Windows 2012 and Windows 2008, so it looks like Microsoft releases a new version about every 4 years.
The changes in Windows 2016 this time can be said to be incremental rather than wholesale. The basic architecture is the same.
One addition to Windows is containers. These have gained a wide following on Linux servers. A container lets a user download and start running application software in just a few minutes or seconds, as opposed to the hours, days, or weeks it takes to install that software by hand. It is like a virtual machine, but it is much smaller since it is not a full operating system.
The Nano Server is something in between the container and hypervisor.
Now you can install Windows as a Nano server. This is a small operating system that lacks, for example, a graphical interface. A Nano server would be used to run databases and other applications on the cloud. The idea is that if it is small then there are fewer components to attack. For example, there are fewer security updates to install. It is the minimum OS needed to run applications. The Nano server is stripped of many Windows features, thus making it suitable for doing just one task.
A container could pose security issues, although no vulnerabilities have been discovered so far. This is because the container shares resources with the host operating system. One of the features of virtual machines is that they cannot share memory or disk space with other virtual machines and are blocked from direct access to physical devices and the host OS’s memory. This is why multiple companies can run their applications on, for example, Amazon’s EC2 cloud and not have to worry about another company gaining access to their data.
Virtual machines on Windows are called Hyper-V.
Credential Guard is a feature that has been added to Windows 10 as well. The idea is to prevent a hacker from reading a hashed password or Kerberos session ticket from the machine.
When a user logs in to Windows, the operating system issues a session ticket and stores a hashed value of the password in memory. Using a hacking technique called Pass-the-Hash, a hacker can present the hashed value of a password to a program and thus log in that way. The same is true of the session ticket.
Credential Guard takes all of that and runs it in a mini-virtual machine that only certain processes can access. So a request for the hashed password or session ticket would have to pass through that protected process.
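A check an administrator can run to confirm that this isolation is actually in effect on a machine, given here as an added example rather than code from the original article. It assumes a local, elevated PowerShell session on Windows 10 or Windows Server 2016; the function name and output property names are made up for this illustration.

```powershell
# Added example (not from the original article): report whether Credential Guard
# is configured and actually running on the local machine.
function Get-CredentialGuardState {
    [CmdletBinding()]
    param()

    # Win32_DeviceGuard is the WMI class that exposes virtualization-based security state.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName 'Win32_DeviceGuard' -ErrorAction Stop

    # VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but not running, 2 = running.
    $vbs = switch ($dg.VirtualizationBasedSecurityStatus) {
        0       { 'Disabled' }
        1       { 'Enabled, not running' }
        2       { 'Running' }
        default { 'Unknown' }
    }

    # In both SecurityServices* arrays the value 1 stands for Credential Guard.
    $configured = $dg.SecurityServicesConfigured -contains 1
    $running    = $dg.SecurityServicesRunning    -contains 1

    # LsaIso.exe is the isolated process that holds the secrets when the feature is active.
    $lsaIso = [bool](Get-Process -Name 'LsaIso' -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        ComputerName              = $env:COMPUTERNAME
        VbsStatus                 = $vbs
        CredentialGuardConfigured = $configured
        CredentialGuardRunning    = $running
        LsaIsoProcessPresent      = $lsaIso
        # True when policy asked for the feature but it did not start.
        NeedsAttention            = ($configured -and -not $running)
    }
}

Get-CredentialGuardState | Format-List
```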
Device Guard is also a Windows 2016 feature that is included with Windows 10.
You can think of Device Guard the same way you think of whitelisting email. To whitelist an email address means you list that address in anti-spam software so that the anti-spam software will not mark mail from it as spam. Anti-virus software takes the approach of a blacklist. That means if a program is blacklisted then it is blocked from running.
Device Guard turns that model around by only allowing software to run that has been specifically signed by Microsoft with a digital certificate. That is, it has been whitelisted.
A logical question at this point would be: how does the user whitelist software? For business users that is done with a tool called Package Inspector. It lets companies write Device Guard security policies and then push those out to desktop and laptop PCs, thus controlling what can run on employee machines. So if the user downloads malware or attempts to install any program that is not whitelisted, that software will not run.
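One way to build such a whitelist and trial it before anything is blocked, using the ConfigCI PowerShell cmdlets that ship with Windows 10 and Windows Server 2016. This is an added example, not code from the original article; the folder and file names and the function name are assumptions, and it is meant to be run elevated on a clean reference machine that holds only approved software.

```powershell
# Added example (not from the original article). Paths below are hypothetical.
$policyXml = 'C:\DGPolicy\ReferencePolicy.xml'
$policyBin = 'C:\DGPolicy\ReferencePolicy.bin'
New-Item -ItemType Directory -Path (Split-Path $policyXml) -Force | Out-Null

# 1. Scan the reference machine and whitelist what is installed: trust signed files
#    by publisher certificate and fall back to a file hash for unsigned ones.
#    -UserPEs includes user-mode programs, not only kernel drivers.
New-CIPolicy -FilePath $policyXml -Level Publisher -Fallback Hash `
             -ScanPath 'C:\' -UserPEs

# 2. Make sure the policy is in audit mode (rule option 3): violations are logged,
#    nothing is blocked yet.
Set-RuleOption -FilePath $policyXml -Option 3

# 3. Convert the XML into the binary form that is pushed out to PCs.
ConvertFrom-CIPolicy -XmlFilePath $policyXml -BinaryFilePath $policyBin

# 4. After the policy has been deployed in audit mode for a while, list what it
#    would have blocked. Event ID 3076 is the Code Integrity audit event.
function Get-DeviceGuardAuditHit {
    param([int]$MaxEvents = 200)

    Get-WinEvent -FilterHashtable @{
            LogName = 'Microsoft-Windows-CodeIntegrity/Operational'
            Id      = 3076
        } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Message
}

Get-DeviceGuardAuditHit | Format-List
```

Once the audit log shows no legitimate software, the audit option is removed with `Set-RuleOption -FilePath $policyXml -Option 3 -Delete` and the policy is converted and deployed again so that it enforces.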
Windows Defender is Microsoft’s anti-virus software. The only change here is that Microsoft has removed the graphical interface. Now users can only update policies using Windows PowerShell. That is a command line tool in Windows designed for advanced users. So the idea is that only advanced users can change the settings there.
Shielded Virtual Machines and PowerShell
This adds security policies so that only certain administrators can take actions on virtual machines. This takes away the long-standing practice of giving people with the Administrator password free rein to do what they want on the machine. It also changes virtual machines so that they cannot be copied to and run on another host. (That is counterintuitive. One of the reasons people have virtual machines is to allow precisely that. It makes it easy to spin up copies of a system for other users and applications.) A virtual machine is just a file, so it can be copied. Obviously, if a hacker can steal this file they can walk right out the door with an entire system.
This principle of Just Enough Administration (JEA) is also pushed out to PowerShell. PowerShell lets users write scripts to make changes to the system.
Users in an office or data center usually log in to Windows with Active Directory (AD). That is the system that stores user IDs and passwords. Windows 2016 adds new features to AD. One is TPM key attestation. This is useful, for example, for storing the private key for a user account on a smart card. The user can use the physical smart card to log in. In that case their password login is disabled, so they cannot log in using the keyboard. So a hacker cannot use that account since they do not have the physical smart card. This feature has existed before. What is different now is new protection for the private key.
Windows 2016 also adds further support for LDAP. LDAP is what many businesses use to store user IDs and passwords. It is used in heterogeneous environments, meaning those that mix Linux and Windows. Plus, there are free versions of it.
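What a JEA restriction looks like in practice, as an added example that is not part of the original article: a PowerShell endpoint through which a group of operators can list virtual machines and restart only some of them, without holding the Administrator password. The group `CONTOSO\VmOperators`, the module name `VmOperatorJEA`, the endpoint name and the `WEB-nn` naming scheme are hypothetical.

```powershell
# Added example (not from the original article). Run elevated on the Hyper-V host.
# Group, module, endpoint and VM naming scheme are hypothetical.
$module = Join-Path $env:ProgramFiles 'WindowsPowerShell\Modules\VmOperatorJEA'
$jeaDir = Join-Path $env:ProgramData 'JEA'
New-Item -ItemType Directory -Force -Path "$module\RoleCapabilities",
                                          "$jeaDir\Transcripts" | Out-Null

# Role capability files are looked up inside a module, so create an empty one.
New-ModuleManifest -Path "$module\VmOperatorJEA.psd1"

# Role capability: the only commands a connected operator can see.
# Restart-VM is limited to VMs whose name matches the pattern.
New-PSRoleCapabilityFile -Path "$module\RoleCapabilities\VmOperator.psrc" `
    -VisibleCmdlets @(
        'Get-VM',
        @{ Name       = 'Restart-VM'
           Parameters = @{ Name = 'Name'; ValidatePattern = '^WEB-\d{2}$' },
                        @{ Name = 'Force' } }
    )

# Session configuration: who may connect, which role they get, and how it runs.
$pssc = Join-Path $jeaDir 'VmOperator.pssc'
New-PSSessionConfigurationFile -Path $pssc `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory "$jeaDir\Transcripts" `
    -RoleDefinitions @{
        'CONTOSO\VmOperators' = @{ RoleCapabilities = 'VmOperator' }
    }

# Register the endpoint only if the file validates (this restarts WinRM).
if (Test-PSSessionConfigurationFile -Path $pssc) {
    Register-PSSessionConfiguration -Name 'VmOperator' -Path $pssc -Force
}
```

Members of the group then connect with `Enter-PSSession -ComputerName <host> -ConfigurationName VmOperator`. The commands run under a temporary virtual account, and every session is recorded in the transcript directory.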