Windows Server 2016 is almost here. The preview, dubbed the Windows Server Technical Preview, is available now with the final release slated for early 2016. Regardless of your current plans for Windows 2016, it’s good to think about how these changes and improvements could affect security for enterprise setups.
Whenever Microsoft releases a new operating system (OS), think about how the company addresses security differently and how the new OS can be broken. Beginning with Windows Server 2008 R2, the server OS has continued to be resilient out of the box. But there are five forthcoming security changes for Windows 2016 that will interest enterprise Windows Server admins and security professionals.
1. There’s a strong authentication option through Microsoft Passport that relies on public and private key pairs in Azure, onsite public key management and Trusted Platform Module chips on the endpoints. There are also additional improvements for Active Directory Federation Services and Azure Active Directory involving Lightweight Directory Access Protocol, access control policies and single sign-on.
2. A feature called Just Enough Administration — a PowerShell tool introduced in 2014 — will also be available. JEA gives admins the option to place more granular restrictions on specific tasks to help ward off “Snowden” types of situations.
3. Windows Server 2016 supports HTTP/2 via Internet Information Server 10.0, which includes denial of service protection along with features such as header compression, protocol block sizes and flow control. This won’t fix underlying application layer flaws, such as SQL injection and weak login mechanisms, but it’s a necessary step for successful Web protection.
4. Windows Defender is installed and enabled out of the box, even in the non-graphical user interface (GUI) version of the OS. I often see servers with no antimalware protection and the negative consequences.
5. The telnet server is not included. Microsoft realized that people will still use an inherently vulnerable service because that’s what they know and it’s there. Given how prevalent telnet is across most network environments I see today, I suspect the service and its flaws won’t go away anytime soon. But at least Microsoft is doing its part to help fix the fixable issues.
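The Just Enough Administration restriction described in item 2, as an added example that is not from the original article: a JEA endpoint whose users can list services and restart only the DNS service. The module name `ExampleJea`, the group `EXAMPLE\DnsOperators`, the endpoint name and all paths are assumptions chosen for illustration.

```powershell
# Added example; run from an elevated PowerShell 5.0+ session.
# All names and paths below are hypothetical placeholders.

# Role capability files are discovered inside a module's RoleCapabilities folder.
$module = Join-Path $env:ProgramFiles 'WindowsPowerShell\Modules\ExampleJea'
New-Item -ItemType Directory -Path (Join-Path $module 'RoleCapabilities') -Force | Out-Null
New-ModuleManifest -Path (Join-Path $module 'ExampleJea.psd1')

# Role capability: the only commands a member of this role can see.
# Restart-Service is further limited to -Name DNS through ValidateSet.
$role = @{
    Path           = Join-Path $module 'RoleCapabilities\DnsOperator.psrc'
    VisibleCmdlets = @(
        'Get-Service',
        @{ Name = 'Restart-Service'; Parameters = @{ Name = 'Name'; ValidateSet = 'DNS' } }
    )
}
New-PSRoleCapabilityFile @role

# Session configuration: maps an AD group to the role, runs commands under a
# temporary virtual account instead of the caller's own rights, and writes a
# transcript of every session for later review.
$session = @{
    Path                = "$env:ProgramData\ExampleJea\DnsOperator.pssc"
    SessionType         = 'RestrictedRemoteServer'   # NoLanguage mode, minimal cmdlet set
    RunAsVirtualAccount = $true
    TranscriptDirectory = "$env:ProgramData\ExampleJea\Transcripts"
    RoleDefinitions     = @{
        'EXAMPLE\DnsOperators' = @{ RoleCapabilities = 'DnsOperator' }
    }
}
New-Item -ItemType Directory -Path $session.TranscriptDirectory -Force | Out-Null
New-PSSessionConfigurationFile @session

# Validate the file before registering the endpoint (registration restarts WinRM).
if (Test-PSSessionConfigurationFile -Path $session.Path) {
    Register-PSSessionConfiguration -Name 'ExampleDnsOperator' -Path $session.Path -Force
}

# Operators then connect with:
#   Enter-PSSession -ComputerName <server> -ConfigurationName ExampleDnsOperator
```

Members of the mapped group need no local administrator rights on the server; anything outside the visible command list fails inside the session, and the transcript directory gives a per-session audit trail.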
There are also a number of resiliency benefits outside of security in Windows Server 2016. These involve features for disaster recovery, VMs, network interface card fault tolerance and storage Quality of Service that nearly all organizations and use cases can benefit from. These features in Windows 2016 won’t make your network environment inherently compliant or secure, but they’ll certainly provide you with another leg up on achieving those goals.
Now that you have an idea about the security changes in Windows Server 2016, begin thinking about how current and future projects may benefit from using these features. I’ve only seen rare instances of Windows Server 2012 usage in the enterprise. Perhaps the stigma of the Metro GUI is passing and Windows 2016 will be the next big thing. Or, it may provide a good upgrade path for many Windows 2003 Server installations that still exist.