WINDOWS SERVER 2016: WHAT'S NEW WITH SECURITY?

Rich Lilly
Cloud & Datacenter Evangelist
Netrix LLC

Twitter: @RichLilly
http://www.acloudabove.com
https://www.linkedin.com/in/rich04

AGENDA

• Security
• Nano Server
• Containers
• Storage
• Networking
• Clustering
• Hyper-V
• Remote Desktop Services
• PowerShell
• Active Directory

PRICING/SKUS

• Core-based licensing model (no longer Proc)
• Differences between Standard/Datacenter

Locks and Limits | Windows Server 2016 Standard | Windows Server 2016 Datacenter
Can be used as virtualization guest | Yes; 2 virtual machines, plus one Hyper-V host per license | Yes; unlimited virtual machines, plus one Hyper-V host per license

Windows Server roles available | Windows Server 2016 Standard | Windows Server 2016 Datacenter
Hyper-V | Yes | Yes; including Shielded Virtual Machines
Network Controller | No | Yes

Windows Server Features installable with Server Manager (or PowerShell) | Windows Server 2016 Standard | Windows Server 2016 Datacenter
Containers | Yes (Windows containers unlimited; Hyper-V containers up to 2) | Yes (all container types unlimited)
Host Guardian Hyper-V Support | No | Yes
Storage Replica | No | Yes

Features available generally | Windows Server 2016 Standard | Windows Server 2016 Datacenter
Software-defined Networking | No | Yes
Storage Spaces Direct | No | Yes

CYBER THREATS ARE A MATERIAL RISK TO YOUR BUSINESS

• $3.0 TRILLION: Impact of lost productivity and growth
• $4 MILLION: Average cost of a data breach (15% YoY increase)
• $500 MILLION: Corporate liability coverage

Source: McKinsey, Ponemon Institute, Verizon

WANNACRY

Well, does it?

In the case of WannaCry, disabling SMB v1 (Server Message Block) is key to preventing or stopping the spread. SMB1 is a 30-year-old protocol that is enabled on every version of Windows Server and should not be used by any application or service.

If you still have applications using SMB1, our strong recommendation is to work towards deprecating its use in your environment. Think of using automation to help here! Think PowerShell, DSC, Azure Automation, Chef, etc.
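One way to automate the SMB1 retirement described above, as an added example that is not from the original deck: audit which servers still receive SMB1 traffic, disable the protocol where nothing depends on it, and pin that state with DSC. The server names in `$Servers` are constructed placeholders, and the script assumes Windows Server 2016 targets with PowerShell remoting enabled.

```powershell
# Added example. $Servers is a constructed placeholder list; use your own inventory.
$Servers = @('FS01', 'FS02')

# 1. Record the current state and switch on SMB1 access auditing.
$before = Invoke-Command -ComputerName $Servers -ScriptBlock {
    Set-SmbServerConfiguration -AuditSmb1Access $true -Force
    Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol, AuditSmb1Access
}
$before | Format-Table PSComputerName, EnableSMB1Protocol, AuditSmb1Access

# 2. After an observation window, collect SMB1 access events (event ID 3000 in
#    the SMBServer audit log). Each event identifies a client that still used SMB1.
$smb1Use = Invoke-Command -ComputerName $Servers -ScriptBlock {
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-SMBServer/Audit'
        Id      = 3000
    } -ErrorAction SilentlyContinue | Select-Object TimeCreated, Message
}
$byServer = $smb1Use | Group-Object PSComputerName
$byServer | Select-Object Name, Count

# 3. Disable SMB1 only where no SMB1 client was seen. Servers that did log
#    SMB1 access need their dependent applications fixed first.
$busy  = @($byServer.Name)
$clean = @($Servers | Where-Object { $_ -notin $busy })

if ($clean) {
    Invoke-Command -ComputerName $clean -ScriptBlock {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        # Removing the feature completes after a restart.
        Uninstall-WindowsFeature -Name FS-SMB1
    }

    # 4. Keep it off with DSC so a rebuilt or drifted server does not bring SMB1 back.
    Configuration RemoveSmb1 {
        param([string[]]$NodeName)
        Import-DscResource -ModuleName PSDesiredStateConfiguration
        Node $NodeName {
            WindowsFeature Smb1 {
                Name   = 'FS-SMB1'
                Ensure = 'Absent'
            }
        }
    }
    RemoveSmb1 -NodeName $clean -OutputPath .\RemoveSmb1
    Start-DscConfiguration -Path .\RemoveSmb1 -Wait -Verbose
}
```

Servers left in `$busy` stay untouched; the `Message` field of their audit events shows which clients to chase before repeating step 3.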

Breaches cost a lot of money (Average $4M based on Ponemon Institute)
• Customers pay for your service
• You pay customers compensation to keep them using your service

Productivity
• Employees efficiently perform the majority of work activities using a desktop computer
• Employees waste hours a day running back and forth to a fax machine (assuming you still have one)

Overspending Reflex
• Appropriately sized & dedicated IT Security team
• IT Security team exponentially increases in size and remediation efforts require new and expensive products

Industry Reputation
• Industry credibility, positive reputation, customer confidence
• Loss of credibility, embarrassing information exposed, customers lose faith
• Corporate secrets are secret
• Corporate secrets are public knowledge; potential loss of competitive advantage

Ransomware
• HBI/MBI assets available for day-to-day business operations
• Assets encrypted and key business IT services rendered useless

Customer trust
• Customers happy to trust you with their PII
• Customers reluctant to share information with you

SUMMARY OF THE HIGH-LEVEL ATTACK TYPES

Attack applications and infrastructure

Attack the virtualization fabric itself


ATTACK TIMELINE

• Milestones: First host compromised; Domain admin compromised; Attack discovered
• Intervals: 24–48 hours; mean dwell time 150+ days (varies by industry)

WHAT DO MOST ATTACKS HAVE IN COMMON?

• Insider attacks
• Phishing attacks
• Fabric attacks
• Pass-the-hash (PtH) attacks
• Stolen credentials

• Stolen admin credentials
• Insider attacks
• Phishing attacks
• Fabric attacks

These privileged accounts have the keys to the kingdom; we gave them those keys decades ago

But now, those administrators’ privileges are being compromised through social engineering, bribery, coercion, private initiatives, etc.

Administrative Privileges

CENTRAL RISK: ADMINISTRATOR PRIVILEGES

PATH: 1. ENTRY 2. LATERAL TRAVERSAL 3. ELEVATION 4. EXPLOITATION

• PERSONAL COMPUTER: admin privileges in a single system can compromise all assets within it
• VIRTUALIZATION: admin on the host can compromise all guests
• PRIVATE/PUBLIC CLOUD: admin in the fabric can compromise all guests

HELPING PREVENT ABUSE OF PRIVILEGED CREDS
HTTP://AKA.MS/PRIVSEC

• Privileged credentials must be controlled/managed
• Use of privileged credentials requires approval; approval supports extensible workflows
• Grant privilege as needed and for a limited time
• Limit the value of credentials (constrain use of privileges in time and space)
• Bind credentials to specific devices
• Protect credential artifacts to limit replay attacks

HARD LESSONS…

• The network is no longer the security perimeter (it hasn’t been for some time)
  – Identity is the (new) security perimeter
• Entry—we can’t stop this from happening
  – People will be fooled, bribed, blackmailed, etc.
• Eliminating human error isn’t possible
  – Phishing works and will continue to do so
• Insider attacks are a big problem
  – Anomalous activity monitoring helps in detection; limit access through identity management & isolation
• Compliance is very important
  – But compliance and security are not the same thing: compliant != secure
• Prevention methods aren’t always technical or architectural
  – Many will be operational and that will impose some level of additional operational friction—security has a price $$$

SECURITY

• This is at the core of everything in Windows Server 2016
• “Assume breach” is a fundamental tenet in today’s IT world
• Technologies for both personas of Windows Server 2016
  – Shielded VMs and Host Guardian Service
  – VM Security
  – Virtualization Based Security (code integrity, credential guard)
  – Hyper-V Containers
  – Nano
  – Control Flow Guard
  – Device Guard
  – Credential Guard and Remote Credential Guard
  – Privileged Identity Management, JEA and JIT
  – Enhanced Logging
  – Built-in Anti-Malware
  – Nano

Security Posture

1. Protect: Ongoing focus & innovation on preventative measures; block known attacks & known malware
2. Detect: Comprehensive monitoring tools to help you spot abnormalities and respond to attacks faster
3. Respond: Leading response and recovery technologies plus deep consulting expertise
4. Isolate: Isolate OS components & secrets; limit admin. privileges; rigorously measure host health

– Security isn’t a bolt-on;

4 CORE PRINCIPLES; 3 BROAD BUCKETS

• Principles: Protect, Detect, Respond, Isolate
• Buckets:
  1. Managed privileged identities
  2. Secure the OS
  3. Secure virtualization

WHAT DO WE NEED TO SECURE AND HOW?
4 CORE PRINCIPLES; 3 BROAD BUCKETS

• Principles: Protect, Detect, Respond, Isolate
• Buckets:
  1. Managed privileged identities

INITIATIVES TO ADDRESS EMERGING THREATS WITH WINDOWS SERVER 2016 AND/OR WINDOWS 10

• Manage privileged identities
• Prevent credential theft

WHAT DO WE NEED TO SECURE AND HOW?
4 CORE PRINCIPLES; 3 BROAD BUCKETS

• Principles: Protect, Detect, Respond, Isolate
• Buckets:
  1. Managed privileged identities
  2. Secure the OS

INITIATIVES TO ADDRESS EMERGING THREATS WITH WINDOWS SERVER 2016 AND/OR WINDOWS 10

• Secure the OS: host & guest
  – Host Integrity
  – Guest Integrity
• Manage privileged identities
• Prevent credential theft

WHAT DO WE NEED TO SECURE AND HOW?
4 CORE PRINCIPLES; 3 BROAD BUCKETS

• Principles: Protect, Detect, Respond, Isolate
• Buckets:
  1. Managed privileged identities
  2. Secure the OS
  3. Secure virtualization

INITIATIVES TO ADDRESS EMERGING THREATS WITH WINDOWS SERVER 2016 AND/OR WINDOWS 10

• Secure the OS: host & guest
  – Host Integrity
  – Guest Integrity
• Manage privileged identities
• Prevent credential theft
• Secure virtualization

MONITORING/DETECTION THROUGH ENHANCED AUDITING + LOG & BEHAVIORAL ANALYSIS

• Secure the OS: host & guest
  – Host Integrity
  – Guest Integrity
• Manage privileged identities
• Prevent credential theft
• Secure virtualization
• Monitoring/Detection

CONFIGURATION LEVELS

Diagram labels: Desktop Experience; Graphical Shell; Management Tools; MinShell; Windows Server with Desktop Experience; MinShell; Windows Server Core; Minimal OS; Nano Server

NANO SERVER

• Smallest ever footprint
  – 93 percent lower VHD size
  – Very fast deployment and reboots
• Focus on two key scenarios
  – Born-in-the-cloud applications
  – Cloud platform - Hyper-V and Scale-out File Servers
• Not installed in traditional manner
• Enables the new cloud era!
• Managed through familiar and new ways

CUMULATIVE UPDATES AND WINDOWS

• Windows Server 2016 utilizes Cumulative Updates like Windows 10
• Only need the latest Cumulative Update to bring an install to the latest patch version
• Removes the challenge of every customer deploying their own combinations of patches that were not tested
• Security updates will still be delivered on an “as needed” basis

CONTAINERS

• Most people have struggled to deploy a custom application to a production environment. Why?
• Containers solve this by enabling applications and libraries to run in their own containers, which include their dependencies
• Very fast deployment and high density
• Share an OS instance with user mode isolation
• Can be managed with Docker CLI or PowerShell (uses Docker REST API)

CONTAINERS

Diagram labels: Host OS; Host OS Kernel; User Mode; Binaries/Libraries (Container App 1, Container App 2); Binaries/Libraries (Container App 3, Container App 4, Container App 5); Docker Pull App 1; App 1; Host OS; Bins/Libs; Dependency; Dependency

WINDOWS VS HYPER-V CONTAINERS

Diagram labels, Windows Containers: Host OS; Host OS Kernel; User Mode; Binaries/Libraries (Container App 1, Container App 2); Binaries/Libraries (Container App 3, Container App 4, Container App 5)

Diagram labels, Hyper-V Containers: Hyper-V VM with Base Image 1 Kernel, User Mode, Bins/Libs, Container App 6; Hyper-V VM with Base Image 2 Kernel, User Mode, Bins/Libs, Container App 7

STORAGE

• Focus on two features
  – Storage Spaces Direct
  – Storage Replica
• Features in Datacenter SKU only
• Other improvements include storage QoS, deduplication and more ReFS

STORAGE SPACES DIRECT

• Aggregates internal disks or connected via external storage enclosure
• Creates a storage pool used by cluster as CSV
• Formatted with ReFS for mixed resiliency and can house Hyper-V or used as SoFS
• Can mix NVMe, SSD and HDD to enable tiering
• Resiliency across nodes

Diagram labels: SAS; SAS; SAS; SAS; Cluster; SMB3

STORAGE REPLICA

• Block-level replication between stand-alone or clustered servers
• Synchronous (preferred) or asynchronous
• Replication via SMB 3
• Features such as BitLocker, deduplication continue to work since this is block-level
• Example scenarios:
  – Stretched cluster, cluster-to-cluster replication, server-to-server replication

Diagram labels: Data; Log; Data; Log

NETWORKING

• Major changes with Network Virtualization
  – Network Controller part of Windows Server now and Azure inspired
  – Network function virtualization to hold various feature capabilities
    • Multi-tenant Gateway
    • Software Load Balancer and separate MUX to handle incoming requests to better scale
    • Multi-tenant firewall
• Enables network virtualization without SCVMM
• Manageable via PowerShell, Azure Stack or SCVMM
• Broad SDN support

SDN CAN HELP INCREASE SECURITY

Diagram labels: Physical Network; DDoS Protection; Firewall ACLs; VM Firewall; VM Guest; Virtual Network Isolation; DFW & NSG; Virtual Appliances; SDN

CLUSTERING

• The assumption that clustering would be built on quality hardware is not applicable in many deployments today
• Windows Server 2016 takes steps to protect against transitory network, storage and compute problems
• Domain boundaries gone
• Easier to get to 2016
  – Node removed from cluster
  – Installed with 2016 and added back into mixed mode cluster
  – Once all nodes are 2016 flip a switch to move to 2016 native

TO THE CLOUD

• Enables an Azure Storage account to be used as the witness
• Enables stretched clusters without requiring a 3rd site
• Create clusters in Azure
• Means witness can be:
  – Disk
  – File share
  – Azure storage account

COMPUTE AND STORAGE RESILIENCY

• New Compute Resiliency enables VMs to continue running even if a node falls out of cluster membership
• Customizable tolerance
• VM moves to a Paused-Critical state and waits for storage to recover without losing any session state if storage lost
• Less flapping for nodes falling in and out of cluster
• If a node ungracefully leaves 3 times in an hour the VMs are drained and it is quarantined
• Can rejoin after 2 hours

HYPER-V

• Nested virtualization
• New Hyper-V VMCX binary format
• Production checkpoints that leverage backup technologies for app-consistent
• Hot-add/remove memory to Gen 1/2 and NICs to Generation 2 VMs
• PowerShell Direct
• Linux Secure Boot
• Virtualized TPM (vTPM) for Generation 2 VMs
• Management Improvements
• Hyper-V ICs updated via Windows Update
• Discrete Device Assignment

SHIELDED VMS

• Provides protection for shielded VMs from all levels of administrator (datacenter, storage, network etc.)
• Uses TPM 2.0 or AD attestation used by attestation service
• Hyper-V host requests a key from the Host Guardian Service and only if healthy will get the key and store in the VSM to access the VM
• Requirements:
  – Generation 2 VMs (UEFI firmware, Secure Boot, vTPM 2.0)
  – Windows Server 2012 and above guest OS

WHAT DOES SHIELDED VMS GIVE US?

• BitLocker encrypted disks
• Live Migration traffic encrypted
• Hardened VMWP
• Existing Windows Server 2012 and above workloads can be used
• Only real usability difference is no console access
• Provides compliance for environments requiring machines to be encrypted

REMOTE DESKTOP SERVICES

• OpenGL 4.4 and OpenCL 1.1 RemoteFX support
• RemoteFX support in Windows Server 2016 guest
• Larger amounts of dedicated memory per VM (1 GB from 256 MB in 2012 R2)
• Generation 2 VM support for VDI
• Personal session desktops, i.e. specific RDSH per user
• MultiPoint a role of Windows Server 2016
• Pen remoting support (instead of pen acting like a mouse)
• Remote Credential Guard

POWERSHELL PROGRESSION

Version | Server | Key Feature
Monad Manifesto | Server 2000 | Vision and prototype
PowerShell 1.0 | Server 2008 | .Net Cmdlets
PowerShell 2.0 | Server 2008 R2 | Remoting
PowerShell 3.0 | Server 2012 | Coverage
PowerShell 4.0 | Server 2012 R2 | Desired State Config
PowerShell 5.0 | Server 2016 | DevOps

POWERSHELL 5

• PowerShell is at the center of management and interfacing with Windows and the entire IT ecosystem
• PowerShell has continued to evolve with huge numbers of cmdlets, workflows, desired state configuration and more
• PowerShell 5 continues this constant innovation with:
  – Huge number of new cmdlets across entire range of actions
  – Integration with Internet based software packages with PackageManagement module
  – New DSC capabilities including running as set of credentials, just enough administration
  – ISE color coding extends to PowerShell console

ACTIVE DIRECTORY

• Privileged identity management (PIM) to mitigate credential theft using a bastion forest
  – Utilizes Microsoft Identity Manager (MIM)
  – New workflows for administrative privilege access
• Time-bound memberships
  – Kerberos ticket lifetimes restricted to time of lowest time-bound membership
• Remember Azure AD Join for Windows 10 corp devices
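The time-bound membership bullet above, shown with the ActiveDirectory module as an added example that is not from the original deck. The account name `jdoe-adm` and the 60-minute window are constructed placeholders; it assumes a forest at the Windows Server 2016 functional level and covers only the membership TTL, not the MIM bastion-forest workflow.

```powershell
# Added example. Account name and duration are constructed placeholders.
Import-Module ActiveDirectory

$Group = 'Domain Admins'
$Admin = 'jdoe-adm'                   # hypothetical admin account
$Ttl   = New-TimeSpan -Minutes 60     # how long the membership should last

# Time-bound membership needs the Privileged Access Management optional
# feature, which requires the Windows Server 2016 forest functional level.
$forest   = Get-ADForest
$required = [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2016Forest
if ($forest.ForestMode -lt $required) {
    throw "Forest functional level is $($forest.ForestMode); Windows2016Forest or later is required."
}

$pam = Get-ADOptionalFeature -Identity 'Privileged Access Management Feature'
if (-not $pam.EnabledScopes) {
    # Enabling this optional feature cannot be undone.
    Enable-ADOptionalFeature -Identity $pam `
        -Scope ForestOrConfigurationSet -Target $forest.Name
}

# Grant the privilege for a limited time; the membership link expires
# on its own when the TTL runs out.
Add-ADGroupMember -Identity $Group -Members $Admin -MemberTimeToLive $Ttl

# Read the group back with remaining TTLs. Time-bound members are returned
# as "<TTL=seconds>,distinguishedName"; permanent members have no TTL prefix.
$members = (Get-ADGroup -Identity $Group -Properties member -ShowMemberTimeToLive).member
$report = foreach ($m in $members) {
    if ($m -match '^<TTL=(\d+)>,(.+)$') {
        [pscustomobject]@{ Member = $Matches[2]; SecondsLeft = [int]$Matches[1] }
    } else {
        [pscustomobject]@{ Member = $m; SecondsLeft = $null }   # permanent member
    }
}
$report | Sort-Object SecondsLeft | Format-Table -AutoSize
```

Rows with an empty `SecondsLeft` are standing memberships, which are the ones a review of privileged groups should question first.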


PIM EXAMPLE
