Every version of Windows, client and server, has promised improved security. But with Windows 10 and Windows Server 2016, Microsoft is going beyond the usual incremental improvements and closing of loopholes, and giving you tools to reduce the dangers of phished credentials, over-privileged admins and untrustworthy binaries.

“In the past, security was always something that was part of another technology,” says Jeff Woolsey, principal group program manager at Microsoft. “We needed to pull it out.”

Security, and protecting identity in particular, comes up in every conversation Microsoft has with customers, he says. And the scale of attacks means that security isn’t just something for the IT team to worry about any more, adds Jeffrey Snover, lead architect for the enterprise cloud group and the Microsoft Azure stack. “When we asked customers ‘what are your IT concerns?’ there were some messages we heard consistently. There were too many stories about getting hacked and not knowing for months.”

Security, Snover says, has become a CEO issue since the CEO of Target was sacked over security issues. “Target was using IT as the core of its business value proposition. When that got hacked it threatened the business value and that’s why it was such an issue.”

Windows Server 2016 aims to offer better security in three main areas: protecting identity and credentials, securing virtual machines, and protecting the operating system on your own servers and in the cloud.

Protect admin accounts

The way into organizations today is nearly always through the people who work there, with credentials stolen through social engineering and phishing attacks.

“We’re seeing a massive rise in what the bad guys are doing. They’re attacking from overseas in their pyjamas because they’re not worried they’re going to get extradited. Historically, the network was seen as the primary attack surface.”
“Really, identity is the new attack surface; this is how people are getting in the infrastructure. Getting malware into an infrastructure is not hard; getting you to click on something isn’t as hard as people think.”

That’s not to say that you should forget about zero-day vulnerabilities and advanced attacks altogether. As Snover points out, “if nation states can do it today, it’s only a matter of time before the bad guys and the script kiddies can do it.” But, by and large, attackers will take the easiest route, and currently that’s identity.

Once they have one login, attackers can use it to move sideways to other systems in your business using techniques like ‘pass the hash’ and ‘pass the ticket’. If the first account they get into doesn’t have much access, Snover says, “they will initiate a problem on the machine to get the helpdesk to log in to fix it, and often they have admin credentials.” Stealing those credentials gives them more access, and it usually takes only 24 to 48 hours before attackers get into the domain admin account. That’s a big problem when attacks can remain undetected for up to 200 days. “A domain admin can do anything, for an unlimited amount of time,” he points out.

“With Windows Server 2016, we’ve made a big dent in the problem. For a start, the hash is encrypted. Credential Guard uses modern hardware — and it’s not even that modern, it’s a few years old; it leverages virtualization technology to protect the secrets on a machine against pass the hash and pass the ticket attacks. We also have remote Credential Guard: when you log in to RDP, we don’t send the credentials — instead we use single sign-on.”

In practice, Credential Guard moves the LSA secrets (NTLM hashes and Kerberos tickets) into an isolated, virtualization-based process that the normal kernel cannot read. It needs UEFI Secure Boot and hardware virtualization extensions on the machine, and it cannot protect a plaintext password that a user types into a phishing page.

Windows Server 2016 also includes defenses previously shipped as a PowerShell option.
Just Enough Administration (JEA) and Just in Time (JIT) privileged access reduce the usual unlimited admin privileges to “a bare minimum set of actions, which go through a workflow that’s both audited and limited in time,” Snover says. “With JEA when you connect to a machine as admin, it logs you in with a virtual shadow account that’s created on the fly, given limited privileges and locked down through PowerShell. With JIT, we have a model where the process grants you a secure token that’s valid for a limited set of machines for a limited amount of time.”

“Part of the challenge is that there’s security and then there’s operational security. This is security you can operationalize. Operationally, you can set this up so you can get access during working hours, but not at times when admins aren’t working. Next, you have to say what you’re working on, so you could set that up through your trouble ticketing system. Then you think about what the workflow is for the different admin tasks, so you can assign a set of privileges on a set of machines for a duration.”

Woolsey explains what that might look like: “Say I’m the network admin and my job is to manage the network firewall. Ninety-nine percent of the time I should never be logged in as admin, but people still log in and do email and browse the web as network admin. If I need to make a change on the firewall, maybe a majority of three people have got to vote yes to that and I have an hour to make those changes. If I come back after an hour and say I didn’t get things done, now there’s an auditing process. People can say ‘are you having a problem? Do we need to look into this?’”

“We’ve upped our logging and auditing game,” adds Snover. “The new mentality is ‘assume breach’ — assume the bad guys are going to be there. So now everything is logged so you can find it.”
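What that workflow looks like on a real server, as an added example (this is not code from the article, nor Microsoft’s own sample): a JEA endpoint for the firewall operator Woolsey describes, combined with a one-hour Active Directory group membership for the “just in time” part. The domain CONTOSO, the group Firewall-Operators, the user jdoe, the host name FW01 and the file paths are all assumptions. The time-bound membership relies on the Privileged Access Management optional feature, which needs a Windows Server 2016 forest functional level.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the article. Assumed names: domain CONTOSO, AD group
# Firewall-Operators, user jdoe, managed host FW01. Steps 1-3 run on FW01, step 4 on a DC.

# 1. Role capability: the only commands a firewall operator gets, with parameter-level
#    limits. No Remove-NetFirewallRule, no arbitrary cmdlets, no full shell.
$moduleRoot = Join-Path $env:ProgramFiles 'WindowsPowerShell\Modules\FirewallOperator'
New-Item -ItemType Directory -Path (Join-Path $moduleRoot 'RoleCapabilities') -Force | Out-Null
New-ModuleManifest -Path (Join-Path $moduleRoot 'FirewallOperator.psd1')

New-PSRoleCapabilityFile -Path (Join-Path $moduleRoot 'RoleCapabilities\FirewallOperator.psrc') `
    -VisibleCmdlets @(
        'Get-NetFirewallRule',
        'Get-NetFirewallPortFilter',
        @{ Name = 'Set-NetFirewallRule'
           Parameters = @(
               @{ Name = 'DisplayName' },
               @{ Name = 'Enabled'; ValidateSet = 'True', 'False' },
               @{ Name = 'Action';  ValidateSet = 'Allow', 'Block' }
           ) }
    ) `
    -VisibleExternalCommands 'C:\Windows\System32\whoami.exe'

# 2. Session configuration: restricted endpoint, run as a virtual account (the
#    "shadow account created on the fly"), with every session transcribed.
$transcripts = 'C:\ProgramData\JEATranscripts'
New-Item -ItemType Directory -Path $transcripts -Force | Out-Null
$pssc = Join-Path $env:TEMP 'FirewallOperator.pssc'
New-PSSessionConfigurationFile -Path $pssc `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory $transcripts `
    -RoleDefinitions @{ 'CONTOSO\Firewall-Operators' = @{ RoleCapabilities = 'FirewallOperator' } }

if (-not (Test-PSSessionConfigurationFile -Path $pssc)) { throw 'Invalid session configuration file' }
Register-PSSessionConfiguration -Name 'FirewallOperator' -Path $pssc -Force | Out-Null

# 3. Preview exactly what jdoe will be able to run before granting anything.
Get-PSSessionCapability -ConfigurationName 'FirewallOperator' -Username 'CONTOSO\jdoe' |
    Select-Object Name, CommandType

# 4. Just in time: membership that expires after one hour (run on a domain controller).
#    Requires the Privileged Access Management Feature to have been enabled once with
#    Enable-ADOptionalFeature ... -Scope ForestOrConfigurationSet.
Add-ADGroupMember -Identity 'Firewall-Operators' -Members 'jdoe' -MemberTimeToLive (New-TimeSpan -Hours 1)
Get-ADGroup -Identity 'Firewall-Operators' -Properties member -ShowMemberTimeToLive |
    Select-Object -ExpandProperty member   # entries show the remaining TTL

# The operator connects to the restricted endpoint, never to a full admin shell:
#   Enter-PSSession -ComputerName FW01 -ConfigurationName FirewallOperator
# Inside it, whoami reports a "WinRM Virtual Users\WinRM VA_..." account, and once the
# TTL has expired jdoe no longer maps to any role, so new connections are refused.
```

The transcript directory is what gives you the “over-the-shoulder” record: each connection writes the user, the virtual account and every command typed, which is worth forwarding to a log collector the operator cannot reach.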
“We’ve got over-the-shoulder and deep engine-level logging of all the content,” Snover says.

Microsoft is also working on templates to help you assign JEA privileges to different roles, and developing a tool to help you scan your domain servers to see how many admins you have. “One customer had 2,000 domain admins; they’d wanted to have 20. Another found one machine that had 187,000 unintentional admins,” principal program manager Dean Wells told CIO.com.

Currently, JEA works for Windows Server workloads. “This works in a Windows environment but when you need credentials to go outside that environment, you still have problems,” Snover admits. But JEA is a PowerShell tool, and that’s one reason why Microsoft is bringing PowerShell to Linux. The intent is to support this in PowerShell on other platforms. “Security on Linux is different, but we’re convinced we can do this.”

Shielding your virtual machines

For all its advantages, virtualization has also created some big problems, Woolsey points out. One of the most notable is that it’s a single point of failure.

“No one has done squat about the problem that it’s a single point of attack, even though we’ve known about this for decades. If I get into your virtualization host, I have access to all 50 or more VMs that you’re running; it’s a catastrophe. It’s a whole bunch of systems that are encapsulated in a nice easy file for me to steal. I can copy a VM onto a USB stick and run it anywhere, because the VM doesn’t know what is valid hardware and fabric and what is not. And any local admin can undo anything the guest can do to protect itself. Anything you do to encrypt the VM, I can undo, by definition. Any seized or infected host, or host admin, can access guest VMs.”
“If I can get your credentials, if I can harvest your virtual domain controller, then we’re done; I own the keys to your kingdom.”

“Virtual machines,” Snover says, “are awesome in terms of agility, but not so much in terms of the security profile. In the original model with physical servers, who had access to that? The answer was the server admins; the storage admin didn’t, the network admin didn’t. But with VMs, all of a sudden a lot more people in a lot more different roles have access to the device and are able to copy it and look at the data. This is a real challenge, especially in hosting environments where a bunch of those people are from different companies. We designed shielded VMs with this in mind, so now only the virtual machine admin has access to it, and shielded VMs can be run by hosters you don’t necessarily trust.”

The new shielded VMs in Windows Server 2016 are encrypted with BitLocker, and only run on a hardware fabric where the new Host Guardian Service (HGS) attests to the health of the host before it releases the keys you need to run (or migrate) the VMs. “The aim is to give a virtual machine the ability to defend itself from admins and hosts, from online and offline inspections, because the data is encrypted both at rest and in flight,” says Woolsey. “And they can only run on a host whose binaries, boot path and kernel all measure as healthy.”

“The data and the state of shielded VMs is protected against inspection, theft and tampering from malware and data center admins, fabric admins, storage admins, virtualization admins. You can separate the domain admins from the IaaS admins. Shielded VMs can only run on attested fabrics that are designated as the owners of shielded virtual machines, which protects against rogue local admins.”

“We’re making sure if a VM walks out the door, even if you’re a full admin, it’s an encrypted blob.”
“If I’m a shielded VM, if this is not my fabric, I don’t turn on, I can’t be live migrated. And the admin can’t view memory contents when the VM is running; they can’t fire up a debugger because the Host Guardian Service would see it.”

Woolsey says that shielded VMs are useful in a range of scenarios: “Hosters can leverage this for their tenants. Enterprises finally get strong separation of duty. It’s also useful in the branch office. Today, if you want to run sensitive workloads in a branch office you just don’t, because the server is going to be sitting under the receptionist’s desk; now you could.”

Encrypting VMs could also help with inadvertent data leakage when server drives are removed. “They’re supposed to be recycled or destroyed but very often it doesn’t happen. If those drives are going out the side door, you want to make sure the data is protected.”

There are three parts to shielded VMs.

Virtual Secure Mode uses hardware virtualization to protect the VM from the local admin (that’s the same technology Windows 10 and Windows Server 2016 use to protect login credentials). “If I’m the local admin, I can look at everything in memory,” says Woolsey. “With Virtual Secure Mode we create a tiny enclave off to the side of the Windows kernel and the only thing it does is talk to the Host Guardian Service, so you can’t see it in the context of the kernel or the local admin.” That means the local admin can’t snoop through memory to find the credentials for encrypted VMs.

The Host Guardian Service “is a critical piece of infrastructure that you run in a locked cage with two padlocks and a camera pointing at it. It runs in a separate domain and it doesn’t share trust with anything else inside your infrastructure,” says Woolsey. All it does is attest to the physical fabric your VMs run on. “It measures the boot process for the servers in the fabric, making sure no malware has got in and nothing has been contaminated in the boot process. It also monitors code integrity so that only processes that have been allowed can run.”

A virtual trusted platform module (vTPM) is used by the VMs. It is not tied to the physical TPM of the server, because that would stop you migrating the VM, but you do need TPMs in your servers to make this work. “I’ve been very pointed with our server partners for some time that they need to be shipping servers with TPMs,” says Snover. “We’re going to be very hard core on that.”

Strictly, the Windows Server 2016 HGS also offers an ‘admin-trusted’ attestation mode that approves hosts by Active Directory group membership and needs no TPM, but in that mode nothing about the host’s boot chain or code integrity policy is measured. The protections described here assume TPM-trusted attestation, which requires a TPM 2.0 and UEFI Secure Boot on every host in the fabric.

You also need to be using ‘generation 2’ VMs, and you can currently only shield virtual machines whose guest operating system is Windows 8, Windows Server 2012 or newer. Windows 7 and Windows Server 2008 R2 can’t be shielded. Microsoft is working with the Linux community to shield Linux VMs; that might become possible by the middle of 2017, Wells suggests.

Attackers and insiders

Woolsey adds that government agencies like the U.S. departments of State and Defense and the U.K. Ministry of Defence are planning to adopt shielded VMs. “When we do Common Criteria, one of the questions we always get asked is ‘what have you done about the rogue admin?’ We’ve always said that we know about the issue but it’s hard to address. We’ve been looking at it for both Azure and Windows Server, and this is how we’re solving the rogue admin problem.”

Attackers target administrators in phishing attacks to get access, and without shielded VMs they can extract VMs and run them on their own hardware. But equally, an unhappy employee with admin access might take a copy of a VM.
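To make those requirements concrete, here is an added example (not code from the article or from Microsoft’s documentation) that checks a Hyper-V host’s attestation state against HGS and then converts an existing Generation 2 VM into a shielded VM. The HGS URL hgs.bastion.local, the exported guardian metadata file, the guardian names and the VM name DC01 are assumptions, and the HGS cluster itself is assumed to be deployed already.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the article. Assumptions: HGS reachable at hgs.bastion.local,
# its guardian metadata exported to C:\HGS\HgsGuardian.xml, target VM named DC01.
$hgs = 'http://hgs.bastion.local'

# --- On the Hyper-V host: register with HGS and verify that it is a guarded host ---
Set-HgsClientConfiguration -AttestationServerUrl "$hgs/Attestation" `
                           -KeyProtectionServerUrl "$hgs/KeyProtection"
$cfg = Get-HgsClientConfiguration
if (-not $cfg.IsHostGuarded) {
    # AttestationSubstatus names the failing measurement (boot, code integrity policy, ...)
    throw "Host failed attestation: $($cfg.AttestationStatus) / $($cfg.AttestationSubstatus)"
}

# --- Shield an existing VM (run where the VM owner's key material is kept) ---
$vm = Get-VM -Name 'DC01'
if ($vm.Generation -ne 2) { throw 'Only Generation 2 VMs can be shielded (UEFI + vTPM)' }
Stop-VM -VM $vm -Force

# Owner guardian: the tenant's own certificates, created once and kept off the fabric.
$owner = Get-HgsGuardian -Name 'Tenant-Owner' -ErrorAction SilentlyContinue
if (-not $owner) { $owner = New-HgsGuardian -Name 'Tenant-Owner' -GenerateCertificates }

# Fabric guardian: HGS's public keys. Only a host that HGS attests as healthy can
# have the VM key released to it; the fabric admin never holds the key in the clear.
$fabric = Get-HgsGuardian -Name 'Prod-Fabric' -ErrorAction SilentlyContinue
if (-not $fabric) {
    $fabric = Import-HgsGuardian -Path 'C:\HGS\HgsGuardian.xml' -Name 'Prod-Fabric' -AllowUntrustedRoot
}

# Key protector = the VM's key wrapped for the owner and for the fabric guardian.
# (For a single-host lab without HGS, Set-VMKeyProtector -NewLocalKeyProtector instead.)
$kp = New-HgsKeyProtector -Owner $owner -Guardian $fabric -AllowUntrustedRoot
Set-VMKeyProtector   -VM $vm -KeyProtector $kp.RawData
Enable-VMTPM         -VM $vm                  # vTPM that BitLocker in the guest will use
Set-VMSecurityPolicy -VM $vm -Shielded $true  # no console, no debugger, no PowerShell Direct

Start-VM -VM $vm
Get-VMSecurity -VM $vm | Select-Object TpmEnabled, Shielded, EncryptStateAndVmMigrationTraffic
```

Shielding an existing VM this way protects its saved state and migration traffic and makes it start only on attested hosts; the OS disk is not encrypted until BitLocker is turned on inside the guest, using the vTPM as its key protector, so do that before treating the VM as protected at rest.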
“This is the Snowden mitigation,” Woolsey suggests.

There are other security improvements in Windows Server 2016, from Active Directory support for containers so you don’t have to manage certificates for them independently, to restrictions on what code can be run. “It’s about protecting the host OS, so I can be sure that what it’s running is what I intended it to,” says Snover.

Device Guard is a new type of code integrity that limits what binaries can run. “It’s no longer just applying to the user, it can now protect itself against admin abuse,” explains Wells. If an admin tampers with a signed code integrity policy and reboots a server, it will deliberately blue screen. That’s based on customer feedback, he says. “They’re making the call that a box contains sensitive workloads or data [and] would rather lose the workload than potentially lose the data.” Wells recommends deploying Device Guard in audit mode first, to see what would be blocked before anything is.

Control Flow Guard also restricts what application code can be executed, to protect against memory-corruption attacks and return-oriented programming; it validates the targets of indirect calls, so it only protects binaries that were compiled with the feature. It’s a technology from Windows 10, and Windows Server 2016 adds another client feature: Windows Defender anti-malware.

“The problem is when you install anti-malware on a server, there are some additional optimizations needed for Hyper-V that [third-party tools] don’t do,” explains Woolsey. “That leads to some weird technology support calls and really weird performance. They didn’t take into account roles and services. Now you get anti-malware out of the box; it understands server workloads and it’s optimized for the scale-out file server role.”

Software-defined networking in Windows Server 2016 includes network security groups and a distributed firewall that can put virtual security appliances inside the network. “If I have a firewall blocking access into my data center, it’s simply too far away from the mission-critical workloads,” says Microsoft principal lead program manager Ravi Rao. “Once the attackers get in, they wreak havoc. Now I can restrict security on my front end servers, so only the internet can talk to the front tier and it can’t talk to any other tiers, and the other tiers can only talk to each other and not to the internet. Even if someone attacks your front end and even takes it out with a vulnerability, they can’t perform lateral attacks. And you can dynamically segment your network to meet changing security needs.”

The new Nano Server deployment option for Windows Server 2016 also improves security; with no graphical interface and fewer components and services, it has a much smaller attack surface than even Server Core. Snover calls it “just enough OS.” Switching to Nano Server to run Hyper-V, clustering, IIS, DNS, scale-out file servers and any workloads that run on .NET Core and ASP.NET Core will reduce the number of vulnerabilities that affect your servers, and the amount of patching you have to do. Given how many successful attacks use vulnerabilities for which patches already exist, patching continues to be an issue.

Nano Server will also be the logical way to switch to containers and cloud-style app development, and it’s the basis of Microsoft’s hybrid cloud Azure Stack offering. If you’re ready to move to this new way of working, Nano Server gives you a secure basis. But even for the way businesses use servers today, Windows Server 2016 addresses enough of the key methods of attack that it is a significant upgrade.
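To close, an added example (not from the article, and not Microsoft’s sample code) that ties the Credential Guard and Device Guard passages together: it reports which virtualization-based protections are configured and actually running on a host, then walks through the audit-first Device Guard rollout Wells recommends. The policy file paths are assumptions. The policy it produces is unsigned, so the deliberate blue screen on tampering that Wells describes, which applies to signed policies, does not apply to this configuration.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the article. File paths are assumptions.

# --- Which virtualization-based security services are configured vs. running? ---
function Get-VbsState {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    $svcName = @{ 1 = 'Credential Guard'; 2 = 'HVCI (kernel code integrity)' }
    $ciState = @{ 0 = 'Off'; 1 = 'Audit'; 2 = 'Enforced' }
    $vbs     = @{ 0 = 'Off'; 1 = 'Configured, not running'; 2 = 'Running' }
    [PSCustomObject]@{
        VbsStatus          = $vbs[[int]$dg.VirtualizationBasedSecurityStatus]
        ServicesConfigured = ($dg.SecurityServicesConfigured | ForEach-Object { $svcName[[int]$_] }) -join ', '
        ServicesRunning    = ($dg.SecurityServicesRunning    | ForEach-Object { $svcName[[int]$_] }) -join ', '
        KernelCIPolicy     = $ciState[[int]$dg.CodeIntegrityPolicyEnforcementStatus]
        UserModeCIPolicy   = $ciState[[int]$dg.UsermodeCodeIntegrityPolicyEnforcementStatus]
    }
}
Get-VbsState
# "Configured" without "Running" usually means a VBS prerequisite (UEFI Secure Boot,
# hardware virtualization, IOMMU) is missing or a reboot is still pending.
# Remote Credential Guard for RDP: the target needs the DWORD DisableRestrictedAdmin = 0
# under HKLM\SYSTEM\CurrentControlSet\Control\Lsa; the client connects with mstsc.exe /remoteGuard.

# --- Device Guard, step 1: build a code integrity policy from a known-good reference server ---
$xml = 'C:\CIPolicy\Server2016.xml'
$bin = 'C:\CIPolicy\SIPolicy.p7b'
New-Item -ItemType Directory -Path (Split-Path $xml) -Force | Out-Null

# Trust what is installed now by publisher certificate, falling back to a file hash for
# unsigned binaries. -UserPEs covers user-mode code as well as drivers. Scanning C:\ is slow.
New-CIPolicy -FilePath $xml -Level Publisher -Fallback Hash -UserPEs -ScanPath 'C:\'

# Rule option 3 = Enabled:Audit Mode: violations are logged (event 3076), not blocked.
# Option 6 (Enabled:Unsigned System Integrity Policy) stays set; removing it and signing
# the .p7b is what makes a tampered policy refuse to boot, as Wells describes.
Set-RuleOption -FilePath $xml -Option 3
ConvertFrom-CIPolicy -XmlFilePath $xml -BinaryFilePath $bin
Copy-Item -Path $bin -Destination "$env:windir\System32\CodeIntegrity\SIPolicy.p7b"
# Restart-Computer   # the policy is loaded at boot

# --- Step 2, after running the real workload for a while: what would enforcement have blocked? ---
function Get-CIAuditBlocks {
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3076 } `
                 -ErrorAction SilentlyContinue |
        ForEach-Object {
            # The first line of the message names the image and the process that tried to load it.
            [PSCustomObject]@{ Time = $_.TimeCreated; Detail = ($_.Message -split "`r?`n")[0] }
        }
}
Get-CIAuditBlocks | Sort-Object Time | Format-Table -AutoSize

# --- Step 3: fold the audit findings into the policy, then switch to enforcement ---
#   $audit = 'C:\CIPolicy\Audit.xml'
#   New-CIPolicy -FilePath $audit -Audit -Level Publisher -Fallback Hash -UserPEs
#   Merge-CIPolicy -OutputFilePath $xml -PolicyPaths $xml, $audit
#   Set-RuleOption -FilePath $xml -Option 3 -Delete        # leave audit mode
#   ConvertFrom-CIPolicy -XmlFilePath $xml -BinaryFilePath $bin
#   Copy-Item $bin "$env:windir\System32\CodeIntegrity\SIPolicy.p7b"; Restart-Computer
```

Run the status function on every host in the fabric, not just the reference server: a host where Credential Guard is configured but not running is one where the pass-the-hash protection described earlier is not actually in force.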