Review: Microsoft Windows Server 2016 steps up security, cloud support

The new OS bakes in advanced features for security and software-defined networking


Shielded virtual machines

Shielded virtual machine technology means only the VM administrator role has access to the virtual machine itself so you can upload the VM to a hosting provider you do not necessarily trust. It literally prevents VMs from walking out the door, even if you are a full administrator, because at rest, a shielded virtual machine is no more than an encrypted blob.

When Hyper-V attempts to turn on the shielded VM, the VM looks for its home fabric -- the host fabric it has been specifically configured to trust -- and if it doesn't find that trusted fabric, the blob doesn't get decrypted and the VM simply does not run. This feature requires servers with TPMs, because the TPM is where the tokens and keys that secure and unlock the VM's encryption keys are stored. TPMs are Trusted Platform Modules, small hardware modules attached to the computer's mainboard that store encryption material securely.

The shielded VM also requires a companion Host Guardian Service, which measures and hashes the entire boot process for servers to ensure it is consistent from one boot to another, preventing malware from inserting itself into a previously trusted system.

The shielded VM looks at the code integrity of the virtual machine and the fabric so that only the processes that have been whitelisted can run. The service attests to overall host fabric health, and only when it is satisfied does it release the keys required to decrypt and boot (or migrate) a shielded VM. As you can see, shielded VMs essentially solve the problem of the rogue admin in the context of virtualized infrastructure.

To create a shielded VM, you create shielding data first, which essentially is an encrypted lump of secrets created on a trusted workstation. It consists of administrative credentials, RDP credentials, and a volume signature catalog that prevents putting malware in the template disk from which future secure shielded VMs are created. This helps validate that the template has not been modified since creation.

As you would expect from Windows, there's a wizard for all of that, both the creation of the shielding data as well as the protected template disk.

Once the shielded virtual machine is created, it's protected primarily by BitLocker encryption. And with Generation 2 virtual machines -- a requirement to use the shielding technology -- Hyper-V actually carves out a virtual TPM outside of the hypervisor's accessible area in which to secure and release encryption keys. The shielded VM's virtual TPM has no relationship with the host's physical hardware TPM, since the virtual TPM has to be able to move with the virtual machine in the event of a live migration.
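As an added example that is not part of the original review, here is the template-disk and shielding-data procedure described above done from PowerShell with the cmdlets Microsoft ships in its Shielded VM tooling. The paths, the certificate subject, the guardian names and the exported HGS guardian file are assumptions chosen for the example.

```powershell
# Added example (not from the review): sign a template disk and build the shielding data
# file (.pdk) that carries the tenant's secrets. Assumes a sysprepped Generation 2 VHDX at
# C:\Templates\WS2016.vhdx, a template-signing certificate in the local machine store, the
# guardian metadata exported by the hoster's HGS administrator to C:\Shielding\HGSGuardian.xml,
# and an unattend.xml (which is where the administrator and RDP credentials live).
# Every path and name below is a placeholder chosen for this example.

# 1. Sign the template disk and export its volume signature catalog (.vsc). The catalog is
#    what lets the fabric prove the template has not been modified since it was signed.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like '*TemplateSigning*' } |
    Select-Object -First 1
Protect-TemplateDisk -Path 'C:\Templates\WS2016.vhdx' -TemplateName 'WS2016-Base' `
    -Version 1.0.0.0 -Certificate $cert
Save-VolumeSignatureCatalog -TemplateDiskPath 'C:\Templates\WS2016.vhdx' `
    -VolumeSignatureCatalogPath 'C:\Shielding\WS2016-Base.vsc'

# 2. Define who owns the VM and which fabric may run it. The owner guardian is created once
#    on the tenant's trusted workstation; the fabric guardian is imported from the hoster.
$owner = Get-HgsGuardian -Name 'TenantOwner' -ErrorAction SilentlyContinue
if (-not $owner) { $owner = New-HgsGuardian -Name 'TenantOwner' -GenerateCertificates }
$fabric = Import-HgsGuardian -Path 'C:\Shielding\HGSGuardian.xml' -Name 'HosterFabric' -AllowUntrustedRoot

# 3. Bind the shielding data to exactly this signed template version and bundle the secrets.
#    Only a VM provisioned from a disk matching the catalog will accept this .pdk.
$vsc = New-VolumeIDQualifier -VolumeSignatureCatalogFilePath 'C:\Shielding\WS2016-Base.vsc' -VersionRule Equals
New-ShieldingDataFile -ShieldingDataFilePath 'C:\Shielding\WS2016.pdk' `
    -Owner $owner -Guardian $fabric -VolumeIDQualifier $vsc `
    -WindowsUnattendFile 'C:\Shielding\unattend.xml' -Policy Shielded
```

The resulting .pdk is handed to the hoster along with the signed template; the hoster can provision from it but never sees the credentials inside, and a VM built from a tampered template will fail the volume signature check rather than boot.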

Some notes on this:

You have to use RDP to connect to a shielded VM because the shielded VM has its console support ripped out so that the fabric administrator can't access the virtual machine via the host keyboard and mouse. This means the shielded VM will need to be accessible to the network at all times. If it falls off the network for some odd reason, there is a process by which you create a nested virtual machine that is unshielded and run some scripts to "dock" the broken shielded VM so that you can connect to the unshielded VM and "tunnel" through to the shielded VM. But it's a clunky solution and needs a lot of work to make it administrator friendly.

You have to buy the Datacenter edition of Windows Server 2016 to make shielded VMs work. There is no mechanism to do this in standard edition. Further, Nano Server is supported as a shielded VM and actually is the recommended way to deploy this per Microsoft.

The only operating systems that can operate within shielded virtual machines are Windows 8, Windows Server 2012, Windows Server 2012 R2 and Windows Server 2016. This is actually because you have to have a Generation 2 virtual machine to make all of this work. Whether Microsoft plans to backport this to earlier versions of Windows is unclear.

Protecting credentials and privileged access

Windows Server 2016 introduces a number of features, aside from shielded virtual machines, that are designed to further protect identities -- especially administrative credentials. There is Credential Guard, which prevents pass-the-hash and pass-the-ticket attacks by protecting stored credentials through virtualization-based security. There is also Remote Credential Guard, which does essentially the same thing over RDP, using single sign-on. Thirdly, to protect the OS on-premises or in the cloud, Device Guard measures permitted binaries to ensure that only whitelisted executables can be run -- not just after Windows is booted, but right from the moment the OS is started.

Finally, there are features within PowerShell and supported by Windows Server 2016 called Just Enough Administration and Just in Time Administration, which narrow, operationally, who holds which privileges and for how long. The JITJEA (pronounced jit-gee-ah) combination provides privileged access through a workflow that is audited and limited in time, so it is literally enough privilege to do your job only for the time it takes to do that sensitive job. Then, you revert to being a regular user.
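As an added example that is not part of the original review, here is the Just Enough Administration half of that combination as it is actually configured: a constrained endpoint that lets a helpdesk group restart one service without ever holding an administrator credential. The group name, service, module name and paths are assumptions chosen for the example.

```powershell
# Added example (not from the review): a minimal JEA endpoint on Windows Server 2016.
# Assumes PowerShell 5.1 and a domain group CONTOSO\ServiceOperators; the module name,
# service name and directories are placeholders chosen for this example.

# Role capability files must sit in a module's RoleCapabilities folder for JEA to find them.
$modulePath = Join-Path $env:ProgramFiles 'WindowsPowerShell\Modules\SpoolerOps'
$rcPath     = Join-Path $modulePath 'RoleCapabilities'
New-Item -Path $rcPath -ItemType Directory -Force | Out-Null
New-ModuleManifest -Path (Join-Path $modulePath 'SpoolerOps.psd1')

# Whitelist only the cmdlets, and only the parameter values, this role genuinely needs.
# Restart-Service is exposed for the Spooler service alone, not for arbitrary services.
$visible = @(
    @{ Name = 'Get-Service';     Parameters = @{ Name = 'Name'; ValidateSet = 'Spooler' } },
    @{ Name = 'Restart-Service'; Parameters = @{ Name = 'Name'; ValidateSet = 'Spooler' } }
)
New-PSRoleCapabilityFile -Path (Join-Path $rcPath 'SpoolerOperator.psrc') -VisibleCmdlets $visible

# The session runs as a temporary virtual account that is an administrator only inside the
# session, so the operator's own account stays unprivileged. Every session is transcribed
# for audit, which is the "audited" part of the workflow the review describes.
New-Item -Path 'C:\JEA\Transcripts' -ItemType Directory -Force | Out-Null
New-PSSessionConfigurationFile -Path 'C:\JEA\SpoolerOperator.pssc' `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory 'C:\JEA\Transcripts' `
    -RoleDefinitions @{ 'CONTOSO\ServiceOperators' = @{ RoleCapabilities = 'SpoolerOperator' } }

# Registering the configuration restarts WinRM; -Force suppresses the confirmation prompt.
Register-PSSessionConfiguration -Name 'SpoolerOps' -Path 'C:\JEA\SpoolerOperator.pssc' -Force

# An operator then connects with:
#   Enter-PSSession -ComputerName <server> -ConfigurationName SpoolerOps
# and sees only Get-Service/Restart-Service for Spooler plus JEA's default session commands.
```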

Additionally, Microsoft finally got with the program and added anti-malware (Windows Defender) to Windows Server 2016. Instead of putting a 'dumb' program like Symantec or Trend on your servers and teaching it to stop scanning mailbox stores and so on, you can now choose to rely on Windows Defender and its preprogrammed notions of server workloads for anti-malware protection.

The verdict on breach resistance

It is clear to me that Microsoft has done a great deal of thinking and weaving together strategies for securing all layers of the Windows Server ecosystem, from the host to the identity to the network to the cloud fabric. Shielded virtual machines are a feature that will be worth the price of admission to many organizations, ignoring everything else in the product. There is some really good work here.

The last word

There is a lot in Windows Server 2016; many things have changed from Windows Server 2012, the last major refresh of the operating system. I've covered the high points in this review, but there is more I haven't discussed, including cluster improvements, Windows Server and Hyper-V containers, the improvements made so that Linux runs as a first class citizen as a Hyper-V guest, and more. They've been busy up in Redmond, and there is a ton of value in this release from a technical point of view. This is the best release of Windows Server to date, by a pretty wide margin, too, I would say.

Of course, the value proposition to you is obviously going to depend on how much it costs to get your company licensed. As I've written on Computerworld previously, Windows Server is now licensed per core and the huge price increases publicized late last year are effective today.

For big hybrid cloud shops with enterprise licensing agreements already in place, moving up to Windows Server 2016 is a no-brainer. For financial companies and those with very real and big security concerns, the shielded virtual machines feature of the operating system might make it a Must Buy, with all of the other enhancements becoming icing on the cake.

For smaller businesses, the very modest changes to the Essentials roles and the rest of the upgrades in 2016 do not represent a hugely compelling upgrade, especially for the money. For medium business, the number crunching is really important: Can you save money dumping an old storage area network and deploying Storage Spaces Direct? (Probably.) Are you moving workloads to the cloud? Do you have the resources to deploy SDN? Yes to any of those questions and you're living in a world where you would be materially better off with Windows Server 2016.

Ultimately, Microsoft has done a solid job of listening to customers, driving innovation in a product that gets torture-tested across a huge public cloud service daily, and putting that technology in a form that is flexible enough to fit a variety of operations. There are tools in this release to save you time and money and improve your security posture without a lot of work.

Windows Server 2016 is recommended.

Copyright © 2016 IDG Communications, Inc.
