Published on 2016/11/27 by Asitha De Silva in Tech-Tips

Windows Server 2016 - What's New

Microsoft Windows Server 2016 was released this September at the Ignite Conference in Atlanta. It is now generally available to customers; Volume Licensing customers can download it from the licensing portal. As with previous releases, Microsoft has bundled many exciting new innovations into this one. In this post, let's discuss the major changes and improvements.


Why Windows Server 2016?


With the cloud-first, mobile-first journey, Microsoft always encourages its customers to move their workloads to Azure. Then why release Server 2016? Not all environments can benefit from the public cloud. There are scenarios that still need to depend on on-premises infrastructure and private cloud environments. For these environments, Server 2016 provides cloud-inspired technologies while building in new security capabilities.



New features of Windows Server 2016


Shielded Virtual Machines

Virtualization is at its peak: whole datacenters are being virtualized and placed with service providers or in public clouds. No more servers, no more wires hanging out in workplaces. But what about the security of the VMs? The administrators who manage the hypervisor have control over the virtual machines. For example, someone can copy a virtual machine and mount it somewhere else.


The Shielded VM concept addresses these issues. A shielded VM can only run on a fabric that its owner has designated as trusted. Shielded VMs use virtual TPM technology: we can add a virtual Trusted Platform Module to a VM and then encrypt the VM using BitLocker or any other protection. Shielding comes on top of that. The Hyper-V host does not have access to the shielded VM, so it is protected from host management activities. There is also an external service called the Host Guardian Service (HGS). It monitors the health of the Hyper-V host; when some sort of malicious activity is running on the host, the Host Guardian Service will pick it up and prevent shielded VMs from starting.
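The following PowerShell is an added example (not code from the post): it checks whether a Hyper-V host is currently guarded by the Host Guardian Service and then turns an existing Generation 2 VM into a shielded VM with a virtual TPM. The VM name 'app-vm01' and the guardian name 'FabricHGS' are assumed placeholders, and the example assumes the HGS guardian metadata was already imported with Import-HgsGuardian.

```powershell
# Added example (not from the post): check whether this Hyper-V host can run
# shielded VMs, then shield an existing VM.
# Placeholder values: the VM name 'app-vm01' and the guardian name 'FabricHGS'
# (imported earlier with Import-HgsGuardian from the fabric's HGS metadata).

# 1. A host only starts shielded VMs if it passes attestation with the Host
#    Guardian Service; Get-HgsClientConfiguration (HgsClient module) reports it.
$hgs = Get-HgsClientConfiguration
if (-not $hgs.IsHostGuarded) {
    Write-Warning "Host is not guarded (attestation status: $($hgs.AttestationStatus)); shielded VMs will not start here."
}

# 2. The key protector ties the VM to the guardians allowed to release its keys:
#    an owner guardian (a local certificate pair) and the fabric's HGS guardian.
$owner = Get-HgsGuardian -Name 'Owner' -ErrorAction SilentlyContinue
if (-not $owner) { $owner = New-HgsGuardian -Name 'Owner' -GenerateCertificates }
$guardian = Get-HgsGuardian -Name 'FabricHGS'
$kp = New-HgsKeyProtector -Owner $owner -Guardian $guardian -AllowUntrustedRoot

# 3. Apply the key protector, enable the virtual TPM (needed for BitLocker in
#    the guest) and set the Shielded flag. The VM must be Generation 2 and off.
$vmName = 'app-vm01'
Stop-VM -Name $vmName -ErrorAction SilentlyContinue
Set-VMKeyProtector -VMName $vmName -KeyProtector $kp.RawData
Enable-VMTPM -VMName $vmName
Set-VMSecurity -VMName $vmName -Shielded $true

# 4. Verify. Once Shielded is true, the host admin can no longer open the VM
#    console, attach a debugger or read VM state, which is the risk the post raises.
Get-VMSecurity -VMName $vmName |
    Select-Object Shielded, TpmEnabled, EncryptStateAndVmMigrationTraffic
```

If the host is not guarded, the key protector step still succeeds but the VM will refuse to start until the host passes attestation, which is exactly the behaviour the post describes for a host that HGS considers unhealthy.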

Containers

In simple words, a container can be defined as operating system virtualization. It is not complete OS sharing: each container shares the OS kernel, but each has its own view of the file system and the registry. You can deploy applications in containers to improve process isolation, performance, security, and scalability.


Windows containers come in two different types:

  • Windows Server Containers – provide application isolation through process and namespace isolation technology. A Windows Server container shares a kernel with the container host and all containers running on the host.
  • Hyper-V Containers – expand on the isolation provided by Windows Server Containers by running each container in a highly optimized virtual machine. In this configuration the kernel of the container host is not shared with the Hyper-V Containers.

With Server 2016, Microsoft introduces Docker integration for containers. Docker is an open-source engine that automates the deployment of any application as a portable container. With Docker integration, containers can be created, packaged and managed using the Docker toolset. Containers can also be managed using PowerShell.
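The following script is an added example, not code from the post or from Microsoft: it installs the Docker engine on Windows Server 2016, runs the same image once as a Windows Server container and once as a Hyper-V container, and then confirms which isolation mode each one received. It assumes internet access to PSGallery and Docker Hub and uses the 2016-era public image name microsoft/nanoserver; the container names are constructed.

```powershell
# Added example (not from the post): Windows Server vs Hyper-V container
# isolation on Server 2016, verified through Docker itself.
# Assumptions: internet access; image name microsoft/nanoserver (2016-era image).

# 1. Install the Containers feature and the Docker engine via the
#    DockerMsftProvider package provider (the documented Server 2016 path).
#    Hyper-V containers additionally need the Hyper-V role on the host.
Install-WindowsFeature -Name Containers
Install-WindowsFeature -Name Hyper-V -IncludeManagementTools
Install-Module -Name DockerMsftProvider -Repository PSGallery -Force
Install-Package -Name docker -ProviderName DockerMsftProvider -Force
# A reboot is required before the Docker service starts; run the rest afterwards.

# 2. Pull the image once; both isolation modes use the same image.
docker pull microsoft/nanoserver

# Windows Server container: shares the host kernel (the default on Server 2016).
docker run -d --name app-process --isolation=process microsoft/nanoserver `
    cmd /c "ping -t localhost > nul"

# Hyper-V container: same image, but executed inside a small utility VM with
# its own kernel, so a kernel-level compromise in the container stays off the host.
docker run -d --name app-hyperv --isolation=hyperv microsoft/nanoserver `
    cmd /c "ping -t localhost > nul"

# 3. Verify the isolation mode Docker actually applied to each container.
foreach ($name in 'app-process', 'app-hyperv') {
    $iso = docker inspect --format '{{.HostConfig.Isolation}}' $name
    '{0,-12} isolation = {1}' -f $name, $iso
}

# 4. Clean up.
docker rm -f app-process app-hyperv
```

The isolation mode is chosen per container at run time, not per image, which is why the same image can serve both types; choose Hyper-V isolation for workloads from different trust levels that share a host.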


Security for credentials


Windows Server 2016 introduces new security features to protect administrative credentials: guarding administrator credentials from Pass-the-Hash attacks with Credential Guard and Remote Credential Guard, and limiting administrator privileges with Just-In-Time Administration and Just Enough Administration.

  • Credential Guard
    When a user logs in to a computer, a hash of that credential is stored in the memory of the OS. An attacker can use this hash to gain the privileges of that logon credential, and if it is a domain admin, the attacker has all the rights needed. With the Credential Guard service, these hash values are encrypted and protected from unauthorized use by virtualization-based security. Credential Guard can easily be enabled or deployed by Group Policy in Server 2016, either on-premises or in the cloud.

  • Remote Credential Guard
    With Remote Credential Guard, when you log in to a Remote Desktop session the credentials are not sent to the remote server, so there is no hash in its memory to exploit. It also provides a single sign-on experience for Remote Desktop sessions. If the target device is compromised, your credentials are not exposed, because neither the credential nor credential derivatives are ever sent to the target device.


  • Just-Enough and Just-In-Time Administration
    This is a role-based security feature in PowerShell that helps reduce how many administrators are in your environment and what they can do with those privileges. With JEA, a non-administrator can run specific commands, scripts, and executables as if they were an administrator on the machine, and all their actions are fully logged.


  • Device Guard
    Device Guard uses virtualization-based security to isolate the Code Integrity service from the Windows kernel. It can block any unwanted software from running on the system, and it protects software running in both kernel mode and user mode. In kernel mode, Device Guard ensures that drivers are, at the very least, signed with a known signature, or you can further restrict drivers by whitelisting them in the policy. In user mode, you can create Code Integrity (CI) policies that define what is trusted and authorized to run on individual servers.
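The following PowerShell is an added example (not code from the post) covering two of the features above: it reads the Win32_DeviceGuard WMI class to confirm that Credential Guard and Device Guard's hypervisor-enforced code integrity are actually running, and it publishes a Just Enough Administration endpoint that lets a helpdesk group restart one service without local administrator rights. The group name CONTOSO\Helpdesk, the module folder HelpdeskJea, the transcript directory and the Spooler service are assumed placeholders.

```powershell
# Added example (not from the post).
#  (a) verify Credential Guard / Device Guard (HVCI) are running on this server
#  (b) publish a JEA endpoint for a helpdesk group (assumed group CONTOSO\Helpdesk)

# ---- (a) Credential Guard / Device Guard status ------------------------------
# Win32_DeviceGuard lists the VBS services running: 1 = Credential Guard,
# 2 = hypervisor-enforced code integrity (HVCI).
function Get-VbsStatus {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    [pscustomobject]@{
        VbsStatus              = $dg.VirtualizationBasedSecurityStatus     # 0 off, 1 enabled, 2 running
        CredentialGuardRunning = 1 -in $dg.SecurityServicesRunning
        HvciRunning            = 2 -in $dg.SecurityServicesRunning
        CiPolicyEnforcement    = $dg.CodeIntegrityPolicyEnforcementStatus  # 0 off, 1 audit, 2 enforced
    }
}
Get-VbsStatus

# Remote Credential Guard is requested from the client with mstsc.exe /remoteGuard;
# the target must not have DisableRestrictedAdmin set to 1 under
# HKLM:\SYSTEM\CurrentControlSet\Control\Lsa.

# ---- (b) Just Enough Administration endpoint --------------------------------
# Role capability files must live in a module's RoleCapabilities folder.
$moduleRoot = 'C:\Program Files\WindowsPowerShell\Modules\HelpdeskJea'   # assumed path
$rcDir      = Join-Path $moduleRoot 'RoleCapabilities'
New-Item -ItemType Directory -Path $rcDir -Force | Out-Null
New-ModuleManifest -Path (Join-Path $moduleRoot 'HelpdeskJea.psd1')

# Role capability: only Restart-Service, and only for the Spooler service.
New-PSRoleCapabilityFile -Path (Join-Path $rcDir 'SpoolerOperator.psrc') `
    -VisibleCmdlets @{ Name = 'Restart-Service'; Parameters = @{ Name = 'Name'; ValidateSet = 'Spooler' } }

# Session configuration: helpdesk members get that role, commands run under a
# temporary virtual account, and every session is transcribed (the "fully
# logged" part of the post).
$sessionFile = Join-Path $env:TEMP 'HelpdeskJea.pssc'
New-PSSessionConfigurationFile -Path $sessionFile -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount -TranscriptDirectory 'C:\JeaTranscripts' `
    -RoleDefinitions @{ 'CONTOSO\Helpdesk' = @{ RoleCapabilities = 'SpoolerOperator' } }
Test-PSSessionConfigurationFile -Path $sessionFile
Register-PSSessionConfiguration -Name 'HelpdeskJea' -Path $sessionFile -Force

# A helpdesk user then connects with:
#   Enter-PSSession -ComputerName <server> -ConfigurationName HelpdeskJea
# and sees only Restart-Service -Name Spooler plus a few basic session cmdlets.
```

The ValidateSet on the Name parameter is what keeps the endpoint narrow: without it, Restart-Service would accept any service name, which is far more than the helpdesk role needs.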

Software-defined networking

Software Defined Networking (SDN) provides a method to centrally configure and manage physical and virtual network devices such as routers, switches, and gateways in your datacenter. Virtual network elements such as the Hyper-V Virtual Switch, Hyper-V Network Virtualization, and RAS Gateway are designed to be integral elements of your SDN infrastructure.


SDN allows you to dynamically manage your datacenter network to provide an automated, centralized way to meet the requirements of your applications and workloads. Software-defined networking provides the following capabilities:

  • The ability to abstract your applications and workloads from the underlying physical network.
  • The ability to centrally define and control policies that govern both physical and virtual networks, including traffic flow between these two network types.
  • The ability to implement network policies in a consistent manner at scale, even as you deploy new workloads or move workloads across virtual or physical networks.


Software-defined storage with Storage Spaces Direct

Windows Server 2016 includes new features and enhancements for software-defined storage. Storage Spaces Direct enables building highly available and scalable storage using servers with local storage. It simplifies the deployment and management of software-defined storage systems and unlocks the use of new classes of disk devices, such as SATA SSD and NVMe devices, that were previously not possible with clustered Storage Spaces using shared disks.
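As an added example (not from the post), the following PowerShell walks through the Storage Spaces Direct deployment flow on a fresh set of Windows Server 2016 nodes: validate, create a cluster with no shared storage, enable S2D so the nodes' local disks are pooled, and carve out a resilient volume. The node names, cluster name and address are placeholders, and real deployments need S2D-certified hardware.

```powershell
# Added example (not from the post): Storage Spaces Direct deployment flow.
# Placeholder values: node names s2d-node1..4, cluster S2D-CL01, address 10.0.0.50.
$nodes = 's2d-node1', 's2d-node2', 's2d-node3', 's2d-node4'

# Every node needs Failover Clustering and the file server role.
Invoke-Command -ComputerName $nodes -ScriptBlock {
    Install-WindowsFeature -Name Failover-Clustering, FS-FileServer -IncludeManagementTools
}

# Validate first. The 'Storage Spaces Direct' test checks that the local disks
# are eligible (no RAID controller in front of them, no partitions, consistent bus type).
Test-Cluster -Node $nodes -Include 'Storage Spaces Direct', 'Inventory', 'Network', 'System Configuration'

# Create the cluster without shared storage, then let S2D pool the local disks
# of all nodes and build the cache/capacity tiers automatically.
New-Cluster -Name 'S2D-CL01' -Node $nodes -NoStorage -StaticAddress '10.0.0.50'
Enable-ClusterStorageSpacesDirect -CimSession 'S2D-CL01' -Confirm:$false

# Check which local disks were pooled; SATA SSD and NVMe devices show up here,
# which is the new device class the post mentions.
Get-PhysicalDisk -CimSession 'S2D-CL01' |
    Select-Object FriendlyName, MediaType, BusType, CanPool, Usage

# Carve a ReFS volume out of the S2D pool. It becomes a Cluster Shared Volume
# visible on every node; resiliency defaults to three-way mirror on 4+ nodes.
New-Volume -CimSession 'S2D-CL01' -FriendlyName 'Volume1' -FileSystem CSVFS_ReFS `
    -StoragePoolFriendlyName 'S2D*' -Size 1TB
```

Run Test-Cluster before New-Cluster every time: a disk that fails the S2D eligibility test is silently left out of the pool otherwise, and the resulting capacity is hard to reason about after the fact.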


PowerShell 5

Server 2016 comes with PowerShell 5.0 and Windows Management Framework 5.1. PowerShell 5 includes several new features, including new cmdlets for managing local users and groups, as well as a new Get-ComputerInfo cmdlet that can dump detailed information about the system.


https://msdn.microsoft.com/en-us/powershell/scripting/whats-new/what-s-new-in-windows-powershell-50
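The following function is an added example (not from the post): it uses the PowerShell 5 local account cmdlets together with Get-ComputerInfo to produce a small audit of who sits in a server's local Administrators group and which enabled local accounts have not logged on recently. The 90-day threshold is a constructed default.

```powershell
# Added example (not from the post): audit local administrators and stale
# local accounts with the PowerShell 5 LocalAccounts cmdlets and Get-ComputerInfo.
# The 90-day threshold is a constructed default.
function Get-LocalAdminReport {
    param([int]$StaleAfterDays = 90)

    $info   = Get-ComputerInfo -Property CsName, WindowsProductName, OsVersion
    $cutoff = (Get-Date).AddDays(-$StaleAfterDays)

    # Who is in the built-in Administrators group, and is each member a local
    # account, a domain account or an Azure AD principal (PrincipalSource)?
    $admins = Get-LocalGroupMember -Group 'Administrators' |
        Select-Object Name, ObjectClass, PrincipalSource

    # Enabled local accounts that have not logged on since the cutoff, or ever.
    $stale = Get-LocalUser |
        Where-Object { $_.Enabled -and ($null -eq $_.LastLogon -or $_.LastLogon -lt $cutoff) } |
        Select-Object Name, LastLogon, PasswordLastSet

    [pscustomobject]@{
        Computer        = $info.CsName
        Product         = $info.WindowsProductName
        Version         = $info.OsVersion
        Administrators  = $admins
        StaleLocalUsers = $stale
    }
}

$report = Get-LocalAdminReport
$report | Format-List

# After review, stale accounts can be disabled with the matching new cmdlet:
#   $report.StaleLocalUsers | ForEach-Object { Disable-LocalUser -Name $_.Name }
```

Before PowerShell 5 this required net.exe or ADSI calls; the new cmdlets return typed objects, so the report can be compared across servers or fed into a scheduled check.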


Remote Desktop Services 2016

With Server 2016, Microsoft introduces Remote Desktop Services 2016, which has significant improvements in application compatibility, performance and user experience. For example, the new Connection Broker can handle a massive load of concurrent connections. Also, for high availability there is no need to use HA in SQL: now you can use an Azure SQL Database for the Remote Desktop Connection Broker, making it both easier and less expensive to set up a resilient virtual desktop environment. These are some of the new improvements:

  • Support for OpenGL applications
  • Enabling RDS in the cloud
  • Support for Gen 2 VMs
  • Windows MultiPoint Services (WMS)
  • Remote pen input enhancements
  • Performance improvements

There is a long list of improvements that come with Server 2016 which are not covered in this document, such as the Active Directory improvements, identity management, time server improvements, WAP, and ADFS. In my next posts I will go deeper into these features with real-life scenarios and how to implement Server 2016 with Microsoft best practices.


Hope this post is useful.

Cheers

Asitha De Silva

