Emre Aydın | Microsoft MVP | 16 Years Exp.
Senior Solution Consultant | Master Trainer | Author & Speaker
IT is being pulled in two directions:
Support business agility and innovation.
Provide secure, controlled IT resources.
*Source: Gartner Group, 2016
Top IT priorities: security threats, datacenter efficiency, supporting innovation.

Security is the top IT priority
Security threats: increasing incidents, multiple motivations, bigger risk.

Why security is a top IT priority
Attack timeline
First host compromised to domain admin compromised: 24–48 hours.
Domain admin compromised to attack discovered: more than 200 days (varies by industry).

Security threats, datacenter efficiency, supporting innovation:
Protect identity.
Help secure virtual machines.
Add built-in layers of security.
Protecting privileged credentials
Typical administrator: Ben, Mary, Jake, Admin (domain admin), holding full capability for all time.
Just Enough and Just in Time administration: only the capability and the time needed.
Credential Guard: Prevents Pass-the-Hash and Pass-the-Ticket attacks by protecting stored credentials through virtualization-based security.
Remote Credential Guard: Works in conjunction with Credential Guard for RDP sessions to deliver Single Sign-On (SSO), eliminating the need to pass credentials to the RDP host.
Just Enough Administration: Limits administrative privileges to the bare-minimum required set of actions (limited in space).
Just-in-Time Administration: Provides privileged access through a workflow that is audited and limited in time.
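The "limited in space" idea above is concrete in a JEA endpoint: a role capability file lists the only commands a role may run, and a session configuration maps an AD group to that role and runs it under a throw-away virtual account. The following is an added example, not code from the deck or from Microsoft; the module folder DnsOps, the group CONTOSO\DnsOperators and the transcript path are hypothetical names chosen for the example.

```powershell
# Added example: a Just Enough Administration endpoint that lets a DNS operator
# restart the DNS service and nothing else.
# Assumptions: the DnsOps module path, the group CONTOSO\DnsOperators and the
# transcript folder are hypothetical values for this example.

$modulePath = 'C:\Program Files\WindowsPowerShell\Modules\DnsOps'
$rcPath     = Join-Path $modulePath 'RoleCapabilities'   # JEA discovers .psrc files here
New-Item -ItemType Directory -Path $rcPath -Force | Out-Null

# Role capability: the allow list of what the role may do. Parameters are
# constrained too, so Restart-Service cannot be pointed at any other service.
New-PSRoleCapabilityFile -Path (Join-Path $rcPath 'DnsOperator.psrc') `
    -VisibleCmdlets @(
        'Get-Service',
        @{ Name = 'Restart-Service'; Parameters = @{ Name = 'Name'; ValidateSet = 'DNS' } }
    ) `
    -Description 'Restart the DNS service only'

# Session configuration: maps the AD group to the role, runs every session under
# a temporary local virtual account (the operator never holds a privileged
# credential) and records a transcript of everything typed.
$pssc = Join-Path $modulePath 'DnsOps.pssc'
New-PSSessionConfigurationFile -Path $pssc `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory 'C:\JEA\Transcripts' `
    -RoleDefinitions @{ 'CONTOSO\DnsOperators' = @{ RoleCapabilities = 'DnsOperator' } }

# Validate the file before registering; a malformed .pssc fails silently otherwise.
if (-not (Test-PSSessionConfigurationFile -Path $pssc)) {
    throw "Session configuration file $pssc is invalid"
}
Register-PSSessionConfiguration -Name 'DnsOps' -Path $pssc -Force

# Operator use (from a PAW): only Get-Service and Restart-Service -Name DNS exist
# inside the session; everything else, including cmd.exe, is absent.
#   Enter-PSSession -ComputerName dns01 -ConfigurationName DnsOps
#   Restart-Service -Name DNS
```

The transcript directory should sit on a share the operators cannot write to, so the audit trail the deck promises for privileged access cannot be edited by the people it records.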
Challenges protecting virtual machines
Virtual machines are easy to modify and copy.
Multiple fabric administrators typically have access.
Any compromised or malicious fabric administrator can access guest virtual machines.
Features to help protect virtual machines
Shielded Virtual Machines: Use BitLocker to encrypt the disk and state of virtual machines, protecting secrets from compromised admins and malware.
Host Guardian Service: Attests to host health, releasing the keys required to boot or migrate a Shielded VM only to healthy hosts.
Generation 2 VMs: Support virtualized equivalents of hardware security technologies (e.g., TPMs), enabling BitLocker encryption for Shielded Virtual Machines.
[Diagram: building perimeter, computer room, physical machine, Hyper-V, virtual machine, compared with Hyper-V running a shielded virtual machine]
Shielded Virtual Machines work with Host Guardian Service
[Diagram: cloud/datacenter with Hyper-V Host 1, Host 2 and Host 3, each running a hypervisor, a host OS and guest VMs; the Host Guardian Service provides key protection and releases keys only to hosts attested as healthy]
Key release criteria (TPM mode):
1. Known physical machines
2. Trusted Hyper-V instance
3. CI-compliant configuration
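The three TPM-mode criteria map one-to-one onto three artefacts an HGS administrator registers: the host's TPM endorsement key (known machine), a measured-boot baseline from a reference host (trusted Hyper-V instance) and the code integrity policy the host must enforce (CI-compliant configuration). The block below is an added example, not code from the deck or from Microsoft; the HGS name hgs.contoso.internal, the host name HV01 and the file paths are hypothetical values.

```powershell
# Added example: registering the three TPM-mode key release criteria with the
# Host Guardian Service, then pointing a guarded host at HGS and reading the verdict.
# Assumptions: hgs.contoso.internal, HV01 and the C:\hgs paths are hypothetical.

### Criterion 1, known physical machines: capture the host's TPM endorsement
### key (EKpub) on the host itself and copy the file to the HGS server.
Get-PlatformIdentifier -Name 'HV01' | Out-File 'C:\hgs\HV01.xml' -Encoding UTF8

### Criterion 2, trusted Hyper-V instance: capture the TCG boot log from a
### reference host configured exactly as production hosts should be
### (Secure Boot, VBS, current firmware); run on that reference host.
Get-HgsAttestationBaselinePolicy -Path 'C:\hgs\Baseline.tcglog'

### Criterion 3, CI-compliant configuration: the binary code integrity policy
### hosts must enforce (C:\hgs\Baseline.p7b, produced with New-CIPolicy and
### ConvertFrom-CIPolicy on the reference host).

### On the HGS server: register all three. A host has to match one entry of
### each kind or HGS never releases the key that unlocks a shielded VM.
Add-HgsAttestationTpmHost   -Path 'C:\hgs\HV01.xml'        -Name 'HV01'
Add-HgsAttestationTpmPolicy -Path 'C:\hgs\Baseline.tcglog' -Name 'Baseline-2016'
Add-HgsAttestationCIPolicy  -Path 'C:\hgs\Baseline.p7b'    -Name 'CI-2016'

### On the guarded host HV01: point it at HGS and check the attestation result.
$hgs = 'hgs.contoso.internal'
Set-HgsClientConfiguration `
    -AttestationServerUrl   "http://$hgs/Attestation" `
    -KeyProtectionServerUrl "http://$hgs/KeyProtection"

$cfg = Get-HgsClientConfiguration
if ($cfg.IsHostGuarded) {
    "HV01 attested ($($cfg.AttestationStatus)); shielded VMs may start or migrate here."
} else {
    # The substatus names the failing criterion: an EKpub HGS does not know,
    # boot measurements that differ from the baseline, or a CI policy that is
    # not on the HGS allow list. Fix the host, never loosen HGS to match it.
    "HV01 NOT guarded: $($cfg.AttestationStatus) / $($cfg.AttestationSubstatus)"
    Get-HgsTrace -RunDiagnostics
}
```

Because the EKpub, the boot log and the CI policy are all allow-listed on the HGS side, a fabric administrator who modifies a host (the first challenge listed above) changes its measurements and the host silently stops receiving keys; the VM data stays encrypted rather than the host being trusted by default.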
Challenges in protecting the OS
New exploits can attack the OS boot path all the way up through applications.
Known and unknown threats need to be blocked without impacting legitimate workloads.

Help protect the OS and applications, on-premises or in any cloud
Device Guard: Ensures that only permitted binaries can be executed from the moment the OS is booted.
Windows Defender: Actively protects from known malware without impacting workloads.
Control Flow Guard: Protects against unknown vulnerabilities by helping prevent memory corruption attacks.
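"Only permitted binaries" has to be defined somewhere, and the way to do it without breaking workloads is to scan a clean reference server, deploy the resulting policy in audit mode, read what would have been blocked, and only then enforce. The following is an added example, not code from the deck or from Microsoft; the C:\CI working folder is a hypothetical path.

```powershell
# Added example: build a Device Guard code integrity policy from a reference
# server, stage it in audit mode, review would-be blocks, then enforce.
# Assumption: C:\CI is a hypothetical working folder.

$xml = 'C:\CI\ServerPolicy.xml'
$bin = 'C:\Windows\System32\CodeIntegrity\SIPolicy.p7b'   # path the kernel loads at boot
New-Item -ItemType Directory -Path 'C:\CI' -Force | Out-Null

# Scan the reference image. Publisher-level rules trust signed binaries by their
# signer, so patched versions keep running; unsigned files fall back to hash
# rules. -UserPEs includes user-mode executables, not only drivers.
New-CIPolicy -Level Publisher -Fallback Hash -FilePath $xml -UserPEs

# Rule option 3 = Enabled:Audit Mode. Violations are logged but nothing is blocked,
# which is how "without impacting legitimate workloads" is verified in practice.
Set-RuleOption -FilePath $xml -Option 3

# Compile to the binary form the kernel reads and stage it; a reboot activates it.
ConvertFrom-CIPolicy -XmlFilePath $xml -BinaryFilePath $bin

# After a representative soak period, list everything audit mode would have
# blocked (event 3076 in the Code Integrity operational log). Anything legitimate
# here is a gap in the reference scan and gets merged into the policy.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3076
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message |
    Format-List

# When the audit log is clean for the workload, drop option 3 to enforce,
# recompile and reboot. From then on an unknown binary is refused at load time.
#   Set-RuleOption -FilePath $xml -Option 3 -Delete
#   ConvertFrom-CIPolicy -XmlFilePath $xml -BinaryFilePath $bin
```

The same policy, once enforced, is also what the Host Guardian Service checks as the "CI-compliant configuration" criterion on a guarded Hyper-V host, so one artefact serves both the OS-protection and the shielded-VM stories in this deck.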
Help protect Active Directory, admin privileges
First response to the most frequently used attack techniques (later roadmap stages: 1-3 months, 6+ months).
1. Separate admin account for admin tasks
2. Privileged Access Workstations (PAWs), Phase 1: Active Directory admins. http://Aka.ms/CyberPAW
3. Unique local admin passwords for workstations. http://Aka.ms/LAPS
4. Unique local admin passwords for servers. http://Aka.ms/LAPS
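Steps 3 and 4 exist because a shared local administrator password lets one compromised machine unlock every other machine with the same password. LAPS gives each computer its own randomised, rotating password stored in AD, readable only by delegated principals. The block below is an added example, not code from the deck or from Microsoft; the AdmPwd.PS module is the one that ships with LAPS, while the OU distinguished names, the group CONTOSO\HelpdeskOps and the computer name WS-0042 are hypothetical values.

```powershell
# Added example: LAPS set-up and day-to-day use for roadmap steps 3 and 4.
# Assumptions: the OUs, CONTOSO\HelpdeskOps and WS-0042 are hypothetical values.

Import-Module AdmPwd.PS

# One-time, as Schema Admin: adds ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime.
Update-AdmPwdADSchema

# Let each computer in the OU write its own password and expiry time; the LAPS
# client-side extension does this on Group Policy refresh.
Set-AdmPwdComputerSelfPermission -OrgUnit 'OU=Workstations,DC=contoso,DC=com'
Set-AdmPwdComputerSelfPermission -OrgUnit 'OU=Servers,DC=contoso,DC=com'

# Only designated operators may read or force-reset; the attribute is marked
# confidential, so generic "read all properties" delegations do not expose it.
$ou = 'OU=Workstations,DC=contoso,DC=com'
Set-AdmPwdReadPasswordPermission  -OrgUnit $ou -AllowedPrincipals 'CONTOSO\HelpdeskOps'
Set-AdmPwdResetPasswordPermission -OrgUnit $ou -AllowedPrincipals 'CONTOSO\HelpdeskOps'

# Log every read of the password attribute (Directory Service Access auditing),
# so each retrieval is attributable to a person.
Set-AdmPwdAuditing -OrgUnit $ou -AuditedPrincipals 'Everyone'

# Verification: who can actually read passwords in this OU? Unexpected entries
# here (legacy delegations, service accounts) are the finding to chase.
Find-AdmPwdExtendedRights -Identity $ou |
    Select-Object ObjectDN, ExtendedRightHolders

# Day-to-day: retrieve one machine's current password and its expiry ...
Get-AdmPwdPassword -ComputerName 'WS-0042' |
    Select-Object ComputerName, Password, ExpirationTimestamp

# ... and expire it once used, so the machine rotates it at the next refresh.
Reset-AdmPwdPassword -ComputerName 'WS-0042'
```

Rolling this out to servers (step 4) is the same set of commands against the server OU; the point of keeping the two steps separate in the roadmap is that workstations are where the first compromise in the attack timeline usually happens.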
Help protect Active Directory, admin privileges
Build visibility and control of administrator activity, increase protection against typical follow-up attacks (other roadmap stages: 2-4 weeks, 6+ months).
1. Privileged Access Workstations (PAWs), Phases 2 and 3: all admins and additional hardening (Credential Guard, RDP Restricted Admin, etc.). http://aka.ms/CyberPAW
2. Time-bound privileges (no permanent admins). http://aka.ms/PAM; http://aka.ms/AzurePIM
3. Multi-factor for elevation
4. Just Enough Admin (JEA) for DC maintenance. http://aka.ms/JEA
5. Lower attack surface of domain and DCs. http://aka.ms/HardenAD
6. Attack detection. http://aka.ms/ata
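Step 2, "no permanent admins", is the Just-in-Time half of the deck's JEA/JIT pairing. Windows Server 2016 can enforce it natively: with the Privileged Access Management optional feature enabled, a group membership carries a time-to-live and the domain controller itself removes the member when it expires. The following is an added example, not code from the deck or from Microsoft; it requires forest functional level 2016, and the forest name contoso.com and the account jake.admin are hypothetical values.

```powershell
# Added example: time-bound group membership for roadmap step 2.
# Assumptions: forest contoso.com at functional level 2016 and the account
# jake.admin are hypothetical values for this example.

Import-Module ActiveDirectory

# One-time and irreversible: enable the PAM feature in the forest.
Enable-ADOptionalFeature -Identity 'Privileged Access Management Feature' `
    -Scope ForestOrConfigurationSet -Target 'contoso.com'

# Grant Domain Admins for four hours only. The DC stores the TTL on the
# membership link and removes the member itself when it runs out; there is no
# scheduled task to forget, and the Kerberos tickets issued to the account are
# capped at the remaining TTL, so the privilege cannot outlive the grant.
$ttl = New-TimeSpan -Hours 4
Add-ADGroupMember -Identity 'Domain Admins' -Members 'jake.admin' -MemberTimeToLive $ttl

# Review: members with a TTL show as "<TTL=seconds>,CN=...", permanent ones do not.
(Get-ADGroup -Identity 'Domain Admins' -Properties member -ShowMemberTimeToLive).member

# Control check: once "no permanent admins" is the rule, any member without a
# TTL in a tier-0 group is a policy violation. Return the offenders.
function Get-PermanentTier0Members {
    param([string[]]$Groups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins'))
    foreach ($g in $Groups) {
        $members = (Get-ADGroup -Identity $g -Properties member -ShowMemberTimeToLive).member
        foreach ($m in $members) {
            if ($m -notmatch '^<TTL=\d+>,') {
                [pscustomobject]@{ Group = $g; PermanentMember = $m }
            }
        }
    }
}
Get-PermanentTier0Members | Format-Table -AutoSize
```

Running the control check from the deck's "attack detection" step (6) turns it into a standing alert: a new permanent member of a tier-0 group is either an unapproved change or a persistence attempt, and both deserve the same response.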
Help protect Active Directory, admin privileges (http://aka.ms/privsec)
Build visibility and control of administrator activity, increase protection against typical follow-up attacks (other roadmap stages: 2-4 weeks, 1-3 months).
1. Modernize roles and delegation model
2. Privileged Access Workstations (PAWs), Phases 2 and 3: all admins and additional hardening (Credential Guard, RDP Restricted Admin, etc.). http://aka.ms/CyberPAW
3. Admin forest for Active Directory administrators. http://aka.ms/ESAE
4. Device Guard policy for DCs (Server 2016)
5. Shielded VMs for virtual DCs (Server 2016 Hyper-V fabric). http://aka.ms/shieldedvms
Windows Server 2016 security summary
Virtualization fabric
  Protecting virtual machines: Shielded VMs (Server 2012, 2016 guests); Virtual TPM for Generation 2 VMs; Guarded fabric attesting to host health; Secure Boot for Windows and Linux.
  Hyper-V platform: Nano-based Hyper-V host; Virtualization-based security; Distributed networking firewall.
  Secure containers: Hyper-V containers; Containers hosted in a Shielded VM.
Infrastructure and applications
  Privileged identity: Credential Guard; Remote Credential Guard; Just In Time administration; Just Enough administration.
  Threat resistance: Control Flow Guard; Device Guard; Built-in anti-malware.
  Threat detection: Enhanced threat detection.
© 2016 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market
conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation.
MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Presentation title: Do Your Work More Securely with Windows Server 2016!
