Security has been a key topic at Microsoft for some time, and its new Windows Server operating system is at the very heart of this strategy, bringing some brand new and some improved security features.

In case you missed it, Windows Server 2016 has now reached General Availability, which means customers can now purchase, download and install the full RTM version of Microsoft’s latest server operating system. We’ve talked about the new Windows Server already on the TalkTechToMe blog, covering the most important new feature improvements, and in this post we’re going to look more closely at the new and improved security features of Windows Server 2016.

Device Guard is taking care of app and driver integrity

Device Guard leverages server hardware, including UEFI firmware and TPM, to protect system integrity by blocking the install or running of any application or device driver not on an approved list. Using signed apps and WHQL drivers, even if a malicious user alters an approved app or renames malware to something permitted, the install or execution is blocked because the signature has changed, making it very difficult for any malware to run.

Of course, you’ll have to develop your own list of approved and signed applications, but given the level of protection this would bring, it is well worth the effort. There is a great blog post on TechNet where you can learn more about this rock-solid new security feature.
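
One way to build that approved list is to scan a clean reference server and run the resulting policy in audit mode first. This is an added example, not code from the original post; it uses the ConfigCI cmdlets that ship with Windows Server 2016, and the `C:\CIPolicy` paths are assumptions.

```powershell
# Added example: build a code integrity policy from a reference server and
# deploy it in audit mode. Run elevated. The C:\CIPolicy paths are assumed.
$xml = 'C:\CIPolicy\Baseline.xml'
$bin = 'C:\CIPolicy\SIPolicy.p7b'
New-Item -ItemType Directory -Path (Split-Path $xml) -Force | Out-Null

# Scan the clean reference machine. Files are trusted by their signing
# certificate; unsigned files fall back to a hash rule. -UserPEs includes
# user-mode executables, not only kernel drivers.
New-CIPolicy -Level PcaCertificate -Fallback Hash -ScanPath 'C:\' -UserPEs -FilePath $xml

# Rule option 3 is "Enabled:Audit Mode": log what would be blocked, block nothing.
Set-RuleOption -FilePath $xml -Option 3

# Convert to the binary form the OS loads and put it in place (applies after reboot).
ConvertFrom-CIPolicy -XmlFilePath $xml -BinaryFilePath $bin
Copy-Item -Path $bin -Destination "$env:windir\System32\CodeIntegrity\SIPolicy.p7b"

# After a representative period of normal use, review what enforcement would
# have blocked. Event ID 3076 is the audit-mode "would have been blocked" event.
Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName = 'Microsoft-Windows-CodeIntegrity/Operational'
    Id      = 3076
} | Select-Object TimeCreated, Message | Format-List

# Once the audit log is clean, remove the audit option, then convert and
# deploy the policy again to enforce it:
# Set-RuleOption -FilePath $xml -Option 3 -Delete
```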

More secure logins with Credential Guard

You’ve no doubt heard of Pass the Hash attacks, Golden Tickets, and all the rest of those attacks that allow a malicious user to steal credentials from a system. Credential Guard uses virtualization-based technologies to protect both NTLM hashes and Kerberos TGTs from unauthorized access, effectively blocking even software installed on a local machine running as admin or system from being able to steal or derive those credentials. An isolated Local Security Authority (LSA) process is run in an isolated memory space, inaccessible from the rest of the operating system. The LSA makes API calls when it needs authentication, but nothing else can.

There are some tradeoffs with this, since unconstrained delegation cannot be used, nor can weaker Kerberos algorithms, but that should not be an issue for most people today anyway, and if it is, you probably want this to be an excuse to stop doing either of those things. It requires 64-bit systems that have both UEFI and TPM, as well as a CPU that supports virtualization and extended page tables, like an Intel VT-x or AMD-V, so you won’t be able to use this on lower end machines. You’ll find more details on this on TechNet.
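
To check whether a server meets these requirements, and whether Credential Guard or a Device Guard code integrity policy is actually running, you can query the `Win32_DeviceGuard` CIM class. This is an added example, not code from the original post; the helper name `Resolve-Code` is hypothetical.

```powershell
# Added example: hardware readiness and runtime status for Credential Guard
# and Device Guard. Run elevated on the server being checked.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                      -ClassName Win32_DeviceGuard -ErrorAction Stop

# Documented value meanings for the Win32_DeviceGuard properties used below
$hardware = @{ 0 = 'none'; 1 = 'Hypervisor support'; 2 = 'Secure Boot'; 3 = 'DMA protection' }
$services = @{ 0 = 'none'; 1 = 'Credential Guard'; 2 = 'HVCI' }
$vbs      = @{ 0 = 'Off'; 1 = 'Enabled, not running'; 2 = 'Running' }
$ciPolicy = @{ 0 = 'Off'; 1 = 'Audit'; 2 = 'Enforced' }

# Hypothetical helper: translate numeric codes to names, keep unknown codes visible
function Resolve-Code($Map, $Codes) {
    $names = foreach ($c in @($Codes)) {
        if ($Map.ContainsKey([int]$c)) { $Map[[int]$c] } else { "code $c" }
    }
    if ($names) { $names -join ', ' } else { 'none' }
}

# Confirm-SecureBootUEFI throws on legacy BIOS systems, so treat that as "no UEFI"
try   { $secureBoot = Confirm-SecureBootUEFI }
catch { $secureBoot = $false }
$tpm = Get-Tpm

[pscustomobject]@{
    Is64BitOS           = [Environment]::Is64BitOperatingSystem
    SecureBootEnabled   = $secureBoot
    TpmPresent          = $tpm.TpmPresent
    TpmReady            = $tpm.TpmReady
    AvailableHardware   = Resolve-Code $hardware $dg.AvailableSecurityProperties
    VbsStatus           = Resolve-Code $vbs      $dg.VirtualizationBasedSecurityStatus
    ServicesConfigured  = Resolve-Code $services $dg.SecurityServicesConfigured
    ServicesRunning     = Resolve-Code $services $dg.SecurityServicesRunning
    CodeIntegrityPolicy = Resolve-Code $ciPolicy $dg.CodeIntegrityPolicyEnforcementStatus
} | Format-List
```

A server where `ServicesConfigured` lists Credential Guard but `ServicesRunning` does not is configured without being protected, which usually points back to one of the hardware rows above.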

Is Just Enough Administration really enough?

This feature is taking the concept of “least privilege” to the next level: Just Enough Administration, or JEA, can restrict admins to the specific PowerShell cmdlets necessary based on role, and per server. You can set up a single user to be a full admin on server 1, have only networking administrative privileges on server 2, only be able to review the event logs on server 3, do only a set of queries on server 4… and in all cases that user is only ever logged on as a regular user.

When they connect to the JEA endpoint on the target system, their privileges to only that target system are elevated to only the cmdlets needed to get their job done. They won’t have any more administrative privileges interactively, or to other network endpoints, and closing the session reduces that user to their regular, unprivileged state. While this feature is not unique to WS2016, its functionality has improved significantly over previous versions, and it comes included as a part of the Windows Management Framework 5.0.
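
The "review the event logs on server 3" case above could be set up as follows. This is an added example, not code from the original post; the module name `ContosoJEA`, the group `CONTOSO\EventLogReviewers`, the endpoint name `EventLogReview` and the host name `server3` are assumptions.

```powershell
# Added example: JEA endpoint that lets a regular user read event logs only.
# Run elevated on the target server. All names below are assumed.
$module  = Join-Path $env:ProgramFiles 'WindowsPowerShell\Modules\ContosoJEA'
$roleDir = Join-Path $module 'RoleCapabilities'
$jeaDir  = Join-Path $env:ProgramData 'JEA'
$logDir  = Join-Path $jeaDir 'Transcripts'
New-Item -ItemType Directory -Path $roleDir, $logDir -Force | Out-Null

# JEA looks up role capabilities by name inside a valid module's
# RoleCapabilities folder, so the module needs a manifest.
New-ModuleManifest -Path (Join-Path $module 'ContosoJEA.psd1')

# Role capability: the only cmdlets this role can see are read-only log queries.
New-PSRoleCapabilityFile -Path (Join-Path $roleDir 'EventLogReviewer.psrc') `
    -VisibleCmdlets 'Get-WinEvent', 'Get-EventLog'

# Session configuration:
#  - RestrictedRemoteServer gives a locked-down session with no language access
#  - the session runs as a temporary virtual account, not as the caller
#  - that account is limited to "Event Log Readers" instead of the default
#    local Administrators membership
#  - every session is transcribed for later review
$pssc = Join-Path $jeaDir 'EventLogReview.pssc'
New-PSSessionConfigurationFile -Path $pssc `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -RunAsVirtualAccountGroups 'Event Log Readers' `
    -TranscriptDirectory $logDir `
    -RoleDefinitions @{
        'CONTOSO\EventLogReviewers' = @{ RoleCapabilities = 'EventLogReviewer' }
    }

# Validate the file, then publish the endpoint (this restarts WinRM).
if (Test-PSSessionConfigurationFile -Path $pssc) {
    Register-PSSessionConfiguration -Name 'EventLogReview' -Path $pssc -Force
}

# From the user's workstation, logged on as a regular member of the group:
#   Enter-PSSession -ComputerName server3 -ConfigurationName EventLogReview
#   Get-Command    # shows only the cmdlets this role is allowed to run
```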

Simpler use of AD FS

The most immediate improvement to Active Directory Federation Services in Server 2016 is that you can install Server 2016 AD FS servers into an existing 2012 R2 farm as part of an upgrade. This beats the heck out of the prior approach, which was to build a new farm when going from 2008 to 2012 and cutover. You can see a practical guide on TechNet on how to create a “mixed mode farm”, but that’s not all.

AD FS on Server 2016 is more compatible now with other LDAP sources, like AD LDS, Novell Identity Management, OpenLDAP, and more. For Office 365 customers, AD FS on 2016 supports more conditional access scenarios, which is great for those who moved to the cloud but want to pretend they still have a closed datacenter. Visit TechNet for more details on how to perform this operation.

Host Guardian and Shielded VMs

Have you ever wanted to host virtual machines in your own environment, or in a hosted or cloud-based environment, but didn’t want to risk the infrastructure admins having access to the guests? Then shielded VMs are just what you are looking for. Using the Host Guardian Service (HGS) and TPMs in the physical host, shielded VMs are protected from even the local admins of the host, so that whether a rogue admin, a curious file browser, or a malicious user who steals a copy of a VHD tries to access a VM or its virtual hard drive, they cannot gain access to the data.

Shielded VMs protect VM data and state by supporting a virtual TPM (vTPM) device, allowing BitLocker encryption of the VM’s disks and bringing additional protection. More information on how to install, initialize and configure the HGS server can be found in this TechNet article.

Control Flow Guard against common vulnerabilities

Built to combat memory corruption vulnerabilities like buffer overflows, and first included in Windows 8.1, Control Flow Guard is an option that must be compiled into programs. This is made very easy when using Visual Studio and, once implemented, it prevents programs from executing code outside of their own memory space. This extends the protections first offered in DEP, and takes advantage of features in CFG-aware operating systems.

When code compiled with CFG is run on non-aware systems, it runs just fine, so this is fully backward compatible and a great way to reduce the attack surface of any apps. Read more about CFG at

While there are more security improvements in Windows Server 2016 than in this list, including enhanced logging and auditing, Hyper-V containers, and Windows Defender ATP to name a few, the above are the most significant and should offer new and improved capabilities to customers of any size.

Which one appeals the most to you, or solves a particular problem you have been facing? Leave a comment below and let us know!
