
10 top security enhancements in Windows Server 2019

Oct 23, 2018 | 7 mins
Network Security, Security, Windows Security

This new version of Windows Server offers several significant security upgrades over Server 2016, including host controls that block ransomware and other malware, and forensic tooling that records lateral movement so you can reconstruct an intrusion after the fact.


Windows Server 2019 joins Windows 10 1809 in adding several key Windows security enhancements that server administrators will quickly find they cannot live without. Windows Server 2019 with Desktop Experience is the next Long-Term Servicing Channel (LTSC, the renamed Long-Term Servicing Branch) release of the Windows Server line. For those with on-premises needs, and those not yet comfortable running roles on GUI-less servers, it will be the version you choose as the foundation for Remote Desktop Services, Exchange 2019 and whatever other roles and duties you assign to it.

Administrators who know Windows Server 2016 will find Server 2019 very familiar, but several security enhancements make it the preferred choice. Below are the most significant changes to security features, and to administrative features that ease security-related tasks.

In-place upgrades

Unlike Windows 10 feature updates, moving from Server 2016 to Server 2019 requires a Server 2019 license. In-place upgrades from Server 2016 to Server 2019 are fully supported, with one exception: the Windows Server Essentials Experience role has been removed from Server 2019, so a server running that role cannot be upgraded in place.

Patching cadence

Windows Server 2019, in both the Server Core and the Server with Desktop Experience installation options, follows the Long-Term Servicing Channel cadence of Server 2016. It does not receive the semi-annual feature updates that the Windows 10 desktop receives; it receives the monthly security and quality updates, with five years of mainstream support followed by five years of extended support. Also released in October was Windows Server, version 1809, the Semi-Annual Channel release: it is offered as Server Core only (no GUI), gets a new feature release every six months, and each release is supported for 18 months. Whichever channel you pick, it is recommended to pair Server Core with the new Windows Admin Center so the servers can be managed from a browser rather than by logging on to them.

.NET updates

Along with Windows 10 1809, Windows Server 2019 receives its .NET Framework updates as a separate package that can be installed or removed independently of the Windows operating system. As noted on the .NET blog, this gives more flexibility for installing .NET Framework updates and lets Microsoft respond to critical customer needs with standalone .NET Framework patches. You can test a .NET update separately and install it later, after confirming compatibility with Exchange 2019 or other line-of-business applications, rather than having it bundled into the monthly Windows cumulative update.

Advanced Threat Protection (ATP)

One new addition is Windows Defender ATP, the endpoint detection and response service originally offered for Windows 10, which is now supported on the Server platform. Licensed for servers through Azure Security Center (Standard tier, pay-as-you-go), it gives you forensic capability to track attackers and lateral movement on a server: process creation, network connections and PowerShell activity used to gain a toehold on the system are recorded and sent to the service for later analysis and hunting.

Windows Defender ATP Exploit Guard

Those who have already deployed Windows 10 are probably familiar with the security enhancements that Windows Defender ATP brings to the operating system. On Server 2019, the host intrusion prevention capabilities have been added to the server stack. Four parts of Windows Defender Exploit Guard lock down the device against a wide range of attack vectors and behaviors. All four require Windows Defender Antivirus to be the active antimalware engine on the server.

  • Attack Surface Reduction (ASR) is a set of rules that stop malware from getting a foothold by blocking the behaviors it relies on: specially crafted malicious Office files, script engines launching downloaded content, lateral movement via PSExec and WMI, ransomware-like activity, credential theft from LSASS, and executable content arriving from email clients and webmail. Each rule can run in audit mode before you enforce it.
  • Network protection extends SmartScreen reputation checking from the browser to the whole host: outbound connections from any process to untrusted or low-reputation hosts and IP addresses are blocked (or, in audit mode, logged).
  • Ransomware protection is provided by Controlled Folder Access, which protects sensitive data by blocking untrusted processes from writing to protected folders. The folder list can be edited to add the locations you want to protect, and applications such as backup agents can be allow-listed.
  • Exploit Protection is a set of mitigations against vulnerability exploitation (DEP, ASLR, control-flow guard and the like) that can be configured system-wide or per application. It replaces the Enhanced Mitigation Experience Toolkit (EMET), which has been deprecated, and can import an existing EMET configuration.
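
The following is an added example, not code from the article, showing how the four Exploit Guard components are switched on from an elevated PowerShell session on a Server 2019 host where Windows Defender Antivirus is active. Everything starts in audit mode so the events can be reviewed before the rules are set to block. The ASR rule GUIDs are Microsoft's published identifiers and should be checked against the current rule reference before rollout; the share path and backup agent path are hypothetical.

```powershell
# Added example (not from the article): enable Exploit Guard on Server 2019.
# Run elevated. Start in audit mode, read the events, then switch to block.

# 1. Attack Surface Reduction. GUIDs are Microsoft's published rule IDs; verify
#    against the current ASR reference before deploying.
#    Action values: 0 = Disabled, 1 = Block, 2 = Audit.
$asrRules = @{
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
    '3B576869-A4EC-4529-8536-B80A7769E899' = 'Block Office applications from creating executable content'
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' = 'Block executable content from email client and webmail'
    '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC' = 'Block execution of potentially obfuscated scripts'
    '9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2' = 'Block credential stealing from LSASS'
}
$asrAction = 2   # audit; change to 1 once the audit events show no business impact
foreach ($ruleId in $asrRules.Keys) {
    Write-Host "ASR rule '$($asrRules[$ruleId])' -> action $asrAction"
    Add-MpPreference -AttackSurfaceReductionRules_Ids $ruleId -AttackSurfaceReductionRules_Actions $asrAction
}

# 2. Network protection: SmartScreen reputation applied to outbound connections
#    from every process. Accepted values: Disabled, Enabled, AuditMode.
Set-MpPreference -EnableNetworkProtection AuditMode

# 3. Controlled folder access (ransomware protection). Protected folders admit
#    only trusted or explicitly allowed applications, so allow-list the backup
#    agent. Both paths below are hypothetical.
Set-MpPreference -EnableControlledFolderAccess AuditMode
Add-MpPreference -ControlledFolderAccessProtectedFolders 'D:\Shares\Finance'
Add-MpPreference -ControlledFolderAccessAllowedApplications 'C:\Program Files\BackupVendor\agent.exe'

# 4. Exploit protection (the EMET successor). Show the effective system-wide
#    settings, then enable a conservative baseline. Per-process settings use
#    -Name <exe> instead of -System; an EMET XML can be imported with -PolicyFilePath.
Get-ProcessMitigation -System
Set-ProcessMitigation -System -Enable DEP,SEHOP,BottomUp,HighEntropy,CFG

# Verify what each component observed. Exploit Guard writes to the Defender
# operational channel: 1121/1122 = ASR block/audit, 1123/1124 = CFA block/audit,
# 1125/1126 = network protection audit/block.
$eventIds = 1121,1122,1123,1124,1125,1126
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = $eventIds } `
             -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message |
    Format-List
```

Leave the rules in audit mode for at least one business cycle (month end, patch weekend) before setting the ASR action to 1 and the two Enable switches to Enabled; the same Get-WinEvent query then shows the block events instead of the audit ones.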

The Code Integrity policies released with Server 2016 were hard to build and deploy, so Windows Defender Application Control (WDAC) in Server 2019 now ships with default Code Integrity policies. These allow Windows itself, Microsoft applications and workloads such as SQL Server to run while blocking the known executables that can be abused to bypass code integrity, giving you a usable starting point instead of a blank allow list.
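As an added example (not the article's or Microsoft's code), here is how one of those default policies is taken into audit mode on a Server 2019 host, extended with rules for a line-of-business application, compiled and installed. It assumes the sample policies live under C:\Windows\schemas\CodeIntegrity\ExamplePolicies on your build, and the C:\Policies and D:\Apps\LOB paths are hypothetical.

```powershell
# Added example (not from the article): deploy a WDAC policy in audit mode.
# Run elevated. The ExamplePolicies path is assumed; check it on your build.
$sample = 'C:\Windows\schemas\CodeIntegrity\ExamplePolicies\DefaultWindows_Audit.xml'
$work   = 'C:\Policies\ServerCI.xml'    # hypothetical working copy
New-Item -ItemType Directory -Path (Split-Path $work) -Force | Out-Null
Copy-Item -Path $sample -Destination $work

# Rule options (Set-RuleOption numbers): 0 = Enabled:UMCI (enforce for user-mode
# code, not only drivers), 3 = Enabled:Audit Mode (log, do not block),
# 16 = Enabled:Update Policy No Reboot (later policy versions apply without reboot).
Set-RuleOption -FilePath $work -Option 0
Set-RuleOption -FilePath $work -Option 3
Set-RuleOption -FilePath $work -Option 16

# Add rules for a line-of-business application: trust its signing publisher,
# and fall back to file hashes for anything in the folder that is unsigned.
New-CIPolicy -Level Publisher -Fallback Hash -UserPEs -ScanPath 'D:\Apps\LOB' -FilePath 'C:\Policies\LOB.xml'
Merge-CIPolicy -PolicyPaths $work, 'C:\Policies\LOB.xml' -OutputFilePath 'C:\Policies\Merged.xml'

# Compile to the binary form the kernel reads and install it. The policy takes
# effect at the next boot.
ConvertFrom-CIPolicy -XmlFilePath 'C:\Policies\Merged.xml' -BinaryFilePath 'C:\Policies\SIPolicy.p7b'
Copy-Item -Path 'C:\Policies\SIPolicy.p7b' -Destination 'C:\Windows\System32\CodeIntegrity\SIPolicy.p7b'

# After the reboot, list what audit mode would have blocked (3076 = audit,
# 3077 = enforced block). Each 3076 is either a missing rule or something that
# should not be running on the server.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3076,3077 } `
             -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message |
    Format-List
```

Once the 3076 events stop showing legitimate software, remove option 3 with Set-RuleOption -FilePath $work -Option 3 -Delete, recompile and redeploy; the same policy then enforces.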

Software-defined networking security enhancements

In Windows Server 2019, software-defined networking (SDN) has been enhanced to generate firewall logs in the same format as Azure Network Watcher flow logs. The Hyper-V host writes the logs, which can then be analyzed with any of the tools that already understand that format. Windows Server 2019 builds on Server 2016's ability to lock down your virtual networks by automatically applying access control lists (ACLs) to virtual machines (VMs) connected to virtual subnets and to the fabric; Server 2019 additionally lets you restrict access by attaching ACLs to logical subnets. Server 2019 also adds virtual network encryption, which encrypts traffic between VMs on the same virtual subnet to prevent data theft and tampering while data is in transit across the fabric.

Shielded VM improvements

When running shielded VMs in a branch office, you can avoid losing access to the Host Guardian Service (HGS) by configuring a fallback HGS and offline mode. The fallback configuration gives the Hyper-V host a second set of attestation and key protection URLs to try if the primary HGS server is unreachable; offline mode lets a host that has already attested successfully keep starting its shielded VMs for a period while both HGS instances are unavailable.
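An added example (not the article's code) of the fallback configuration on a guarded Hyper-V host; the HGS host names are hypothetical, and HTTPS assumes the HGS servers were set up with a TLS certificate (the default is HTTP).

```powershell
# Added example (not from the article): register a primary and a fallback HGS
# on a guarded Hyper-V host. Run elevated on the host, not on the HGS server.
$primary  = 'hgs.bastion.local'      # hypothetical
$fallback = 'hgs-dr.branch.local'    # hypothetical

Set-HgsClientConfiguration `
    -AttestationServerUrl           "https://$primary/Attestation" `
    -KeyProtectionServerUrl         "https://$primary/KeyProtection" `
    -FallbackAttestationServerUrl   "https://$fallback/Attestation" `
    -FallbackKeyProtectionServerUrl "https://$fallback/KeyProtection"

# The host should report AttestationStatus = Passed. Test the fallback path by
# blocking the primary URL on a test firewall rule and re-running this; a host
# that still reports Passed is using the fallback.
Get-HgsClientConfiguration |
    Format-List AttestationServerUrl, FallbackAttestationServerUrl, AttestationStatus, AttestationSubstatus
```

Both HGS instances must hold the same attestation policies and the same key protection certificates, otherwise a VM that attests against the fallback will not be able to unwrap its key.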

Server 2019 adds support for VMConnect Enhanced Session Mode and PowerShell Direct to make it easier to troubleshoot shielded VMs. These features are automatically enabled when a shielded VM is placed on a Hyper-V host running Windows Server 2019 (Desktop Experience or Server Core) or Windows Server, version 1803 or later.

Linux support

In Azure, Linux is the most used platform. Windows Server 2019 fully supports running Ubuntu, Red Hat Enterprise Linux and SUSE Linux Enterprise Server inside shielded VMs. Microsoft is positioning itself as a protector of Linux, not a competitor. It recently joined the Open Invention Network (OIN), a community dedicated to protecting Linux and other open source software from patent risk; by joining, Microsoft has licensed some 60,000 of its patents to the Linux community free of charge and without risk of lawsuits.

HTTP/2 enhancements

Included in Server 2019 are enhancements for a faster and safer web. HTTP/2 is a major step up from HTTP/1.1, and Server 2019 improves server-side cipher suite negotiation so that HTTP/2 connections no longer fail because of cipher suite ordering. It also makes the modern suites HTTP/2 requires easier to deploy in your environment.

HTTP/2 multiplexes many requests to the same website over a single TCP connection. Only the first request pays the round trips needed to establish the TCP and TLS connection; subsequent requests send HTTP data immediately, with no further connection establishment.

Sites designed for HTTP/1.1 benefit as well. Connection coalescing, added to mitigate domain sharding, is enabled in both Edge and the HTTP server. With coalescing, subdomains hosted on the same server share a single TCP connection if they are covered by the same certificate. Without coalescing, two such subdomains would each require their own TCP connection.

Server 2019 also repairs connection failures caused by cipher suite negotiation. HTTP/2 over TLS requires TLS 1.2 or later and blacklists weak cipher suites (RFC 7540, Appendix A), which in practice means every suite without an ephemeral key exchange (ECDHE or DHE) or without an AEAD cipher such as AES-GCM; TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 must be supported. On Server 2016, if a blacklisted suite was ordered ahead of the allowed ones, browsers refused the connection, and the only remedy was to correct the cipher suite order. Server 2019 changes the negotiation so that the connection succeeds regardless of ordering.

Microsoft describes the problem and the fix in Server 2019 as follows:

Failure modes arise when the default SSL cipher suite ordering in Windows Server 2016 is changed incorrectly: if any of the cipher suites blacklisted by HTTP/2 appears before those allowed by HTTP/2, Firefox and Chrome abort the connection (as allowed, but not recommended by HTTP/2). Chrome shows ERR_SPDY_INADEQUATE_TRANSPORT_SECURITY, and Firefox, NS_ERROR_NET_INADEQUATE_SECURITY.

Even though correct ordering of the SSL cipher suites (as assured by the default ordering in Windows) avoids this problem, in Windows Server 2019 we have improved the robustness of the cipher suite negotiation mechanism to be impervious to the ordering of the SSL cipher suites. Of course, the list must still include cipher suites allowed by HTTP/2, but they no longer need to necessarily appear at the beginning of the list before any blacklisted ones.

This reduces the operational complexity of HTTP/2 deployment, enabling customers to more readily reap its benefits including the higher-grade cipher suites required by HTTP/2.
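The following is an added example, not code from the article or from Microsoft, that checks a server's Schannel cipher suite order for exactly the misordering Microsoft describes. It classifies suites with a name-based heuristic for RFC 7540 Appendix A (ephemeral key exchange plus an AEAD cipher; TLS 1.3 suite names are treated as allowed), runs it first over a constructed bad ordering and then over the live order from Get-TlsCipherSuite. The heuristic and the sample list are mine, not Microsoft's.

```powershell
# Added example (not from the article): detect HTTP/2-blacklisted suites ordered
# ahead of HTTP/2-compatible ones, the Server 2016 failure mode described above.

function Test-Http2CipherSuite {
    # Heuristic for RFC 7540 Appendix A: (ECDHE or DHE key exchange) AND an AEAD
    # cipher (GCM, CCM, ChaCha20-Poly1305). TLS 1.3 suites (TLS_AES_*, TLS_CHACHA20_*)
    # always use ephemeral exchange and AEAD, so they pass.
    param([Parameter(Mandatory)][string]$Name)
    if ($Name -match '^TLS_(AES|CHACHA20)_') { return $true }
    ($Name -match '^TLS_(ECDHE|DHE)_') -and ($Name -match '_(GCM|CCM|CHACHA20_POLY1305)')
}

function Get-Http2CipherOrderReport {
    # Pass a list to analyse, or omit it to read the live Schannel priority order.
    param([string[]]$Suites)
    if (-not $Suites) { $Suites = @((Get-TlsCipherSuite).Name) }

    $firstAllowed = $null
    $firstBlacklisted = $null
    for ($i = 0; $i -lt $Suites.Count; $i++) {
        if (Test-Http2CipherSuite $Suites[$i]) {
            if ($null -eq $firstAllowed) { $firstAllowed = $i }
        } elseif ($null -eq $firstBlacklisted) {
            $firstBlacklisted = $i
        }
    }
    $misordered = ($null -ne $firstBlacklisted) -and
                  (($null -eq $firstAllowed) -or ($firstBlacklisted -lt $firstAllowed))

    [pscustomobject]@{
        SuiteCount             = $Suites.Count
        HasHttp2Suite          = $null -ne $firstAllowed
        HasMandatorySuite      = $Suites -contains 'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'
        BlacklistedBeforeHttp2 = $misordered   # True = Chrome/Firefox abort on Server 2016
        FirstAllowed           = if ($null -ne $firstAllowed) { $Suites[$firstAllowed] } else { $null }
        FirstBlacklisted       = if ($null -ne $firstBlacklisted) { $Suites[$firstBlacklisted] } else { $null }
    }
}

# Constructed sample: a CBC suite placed ahead of the GCM suites. This is the
# ordering that yields ERR_SPDY_INADEQUATE_TRANSPORT_SECURITY in Chrome on 2016.
$badOrder = @(
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384',
    'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256',
    'TLS_RSA_WITH_AES_128_GCM_SHA256'
)
Get-Http2CipherOrderReport -Suites $badOrder   # BlacklistedBeforeHttp2 = True

# Live check of this server. If it reports True, move the AEAD ECDHE suites to
# the front; on Server 2016 this is required, on 2019 it is still good hygiene.
Get-Http2CipherOrderReport
# Enable-TlsCipherSuite -Name 'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256' -Position 0
```

Even though Server 2019 tolerates a bad ordering, keeping the blacklisted suites below the AEAD ones (or removing them with Disable-TlsCipherSuite) also prevents HTTP/1.1 clients from negotiating the weak suites, so the check is worth running on both server versions.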

Congestion control

Finally, Server 2019 ships the congestion control providers New Reno, Compound TCP (CTCP), CUBIC and LEDBAT, with CUBIC as the new default. CUBIC is well suited to high-bandwidth, high-latency links, where classic TCP (New Reno) performs poorly; LEDBAT is a background-transfer algorithm that yields to other traffic, useful for update downloads and replication jobs that should not starve interactive users.

All these changes add up to giving server and web administrators more options to ensure security and safe storage and serving of data.

Contributing Writer

Susan Bradley has been patching since before the Code Red/Nimda days and remembers exactly where she was when SQL slammer hit (trying to buy something on eBay and wondering why the Internet was so slow). She writes the Patch Watch column for, is a moderator on the listserve, and writes a column of Windows security tips for In real life, she’s the IT wrangler at her firm, Tamiyasu, Smith, Horn and Braun, where she manages a fleet of Windows servers, Microsoft 365 deployments, Azure instances, desktops, a few Macs, several iPads, a few Surface devices, several iPhones and tries to keep patches up to date on all of them. In addition, she provides forensic computer investigations for the litigation consulting arm of the firm. She blogs at and is on twitter at @sbsdiva. She lurks on Twitter and Facebook, so if you are on Facebook with her, she really did read what you posted. She has a SANS/GSEC certification in security and prefers Heavy Duty Reynolds wrap for her tinfoil hat.
