WINDOWS SERVER 2016: WHAT'S NEW WITH SECURITY?
Rich Lilly
Cloud & Datacenter Evangelist
Netrix LLC
Twitter: @RichLilly
http://www.acloudabove.com
https://www.linkedin.com/in/rich04

AGENDA
• Security
• Nano Server
• Containers
• Storage
• Networking
• Clustering
• Hyper-V
• Remote Desktop Services
• PowerShell
• Active Directory

PRICING/SKUS
• Core-based licensing model (no longer Proc)
• Differences between Standard/Datacenter

| Locks and Limits | Windows Server 2016 Standard | Windows Server 2016 Datacenter |
| --- | --- | --- |
| Can be used as virtualization guest | Yes; 2 virtual machines, plus one Hyper-V host per license | Yes; unlimited virtual machines, plus one Hyper-V host per license |

| Windows Server roles available | Windows Server 2016 Standard | Windows Server 2016 Datacenter |
| --- | --- | --- |
| Hyper-V | Yes | Yes; including Shielded Virtual Machines |
| Network Controller | No | Yes |

| Windows Server Features installable with Server Manager (or PowerShell) | Windows Server 2016 Standard | Windows Server 2016 Datacenter |
| --- | --- | --- |
| Containers | Yes (Windows containers unlimited; Hyper-V containers up to 2) | Yes (all container types unlimited) |
| Host Guardian Hyper-V Support | No | Yes |
| Storage Replica | No | Yes |

| Features available generally | Windows Server 2016 Standard | Windows Server 2016 Datacenter |
| --- | --- | --- |
| Software-defined Networking | No | Yes |
| Storage Spaces Direct | No | Yes |

CYBER THREATS ARE A MATERIAL RISK TO YOUR BUSINESS
• $3.0 TRILLION: Impact of lost productivity and growth
• $4 MILLION: Average cost of a data breach (15% YoY increase)
• $500 MILLION: Corporate liability coverage.
Source: McKinsey, Ponemon Institute, Verizon

WANNACRY
SMB1
Well, does it?
In the case of WannaCry, disabling SMB v1 (Server Message Block) is key to preventing or stopping the spread. SMB1 is a 30-year-old protocol that is enabled on every version of Windows Server and should not be used by any application or service.
If you still have applications using SMB1, our strong recommendation is to work towards deprecating its use in your environment. Think of using automation to help here: PowerShell, DSC, Azure Automation, Chef, etc.
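One way to automate the SMB1 recommendation above, as an added example that is not from the original slides: a PowerShell function that reports whether SMB1 is enabled, turns on SMB1 access auditing so remaining clients can be found, and disables the protocol only when asked, followed by a DSC configuration that keeps the feature absent. The names `Invoke-Smb1Hardening` and `DisableSmb1` and the parameters are hypothetical; the cmdlets are the in-box SmbShare, ServerManager and PSDesiredStateConfiguration ones on Windows Server 2016.

```powershell
#Requires -RunAsAdministrator
# Added example: audit SMBv1 on a Windows Server host, then optionally disable it.
# Function, configuration and parameter names are hypothetical.

function Invoke-Smb1Hardening {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Report only by default; pass -Disable to change the host.
        [switch]$Disable,
        # How far back to look for SMB1 access audit events.
        [int]$LookbackDays = 7
    )

    $server  = Get-SmbServerConfiguration
    $feature = Get-WindowsFeature -Name FS-SMB1 -ErrorAction SilentlyContinue

    # Event ID 3000 in the SMBServer audit log records a client that connected
    # with SMB1. It is only written while AuditSmb1Access is turned on.
    $events = @()
    if ($server.AuditSmb1Access) {
        $filter = @{
            LogName   = 'Microsoft-Windows-SMBServer/Audit'
            Id        = 3000
            StartTime = (Get-Date).AddDays(-$LookbackDays)
        }
        $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)
    }

    $report = [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        Smb1ServerEnabled  = $server.EnableSMB1Protocol
        Smb1FeaturePresent = [bool]($feature -and $feature.Installed)
        Smb1AuditEnabled   = $server.AuditSmb1Access
        Smb1AccessEvents   = $events.Count
    }

    if (-not $server.AuditSmb1Access -and
        $PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Enable SMB1 access auditing')) {
        # Start collecting evidence of who still depends on SMB1.
        Set-SmbServerConfiguration -AuditSmb1Access $true -Force
    }

    if ($Disable) {
        if ($events.Count -gt 0) {
            Write-Warning ("{0} SMB1 connection(s) seen in the last {1} day(s); " +
                "review them before disabling." -f $events.Count, $LookbackDays)
        }
        if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Disable SMB1 server protocol')) {
            Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        }
        if ($feature -and $feature.Installed -and
            $PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Remove FS-SMB1 feature (reboot required)')) {
            Uninstall-WindowsFeature -Name FS-SMB1 | Out-Null
        }
    }

    $report
}

# DSC equivalent for a fleet: declare that the SMB1 feature must be absent.
Configuration DisableSmb1 {
    Import-DscResource -ModuleName PSDesiredStateConfiguration
    Node 'localhost' {
        WindowsFeature Smb1 {
            Name   = 'FS-SMB1'
            Ensure = 'Absent'
        }
    }
}

# Audit only (also switches on SMB1 access auditing if it was off):
Invoke-Smb1Hardening
# Preview the change, then apply it:
# Invoke-Smb1Hardening -Disable -WhatIf
# Invoke-Smb1Hardening -Disable
```

Run the audit for a few days before using `-Disable`, so the event count reflects real client usage.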

• Breaches cost a lot of money (Average $4M based on Ponemon Institute)
– Customers pay for your service
– You pay customers compensation to keep them using your service
• Productivity
– Employees efficiently perform the majority of work activities using a desktop computer
– Employees waste hours a day running back and forth to a fax machine (assuming you still have one)
• Overspending Reflex
– Appropriately sized & dedicated IT Security team
– IT Security team exponentially increases in size and remediation efforts require new and expensive products
• Industry Reputation
– Industry credibility, positive reputation, customer confidence
– Corporate secrets are secret
– Loss of credibility, embarrassing information exposed, customers lose faith
– Corporate secrets are public knowledge; potential loss of competitive advantage
• Ransomware
– HBI/MBI assets available for day-to-day business operations
– Assets encrypted and key business IT services rendered useless
• Customer trust
– Customers happy to trust you with their PII
– Customers reluctant to share information with you

SUMMARY OF THE HIGH-LEVEL ATTACK TYPES
• Attack applications and infrastructure
• Attack the virtualization fabric itself

ATTACK TIMELINE
• Events, in order: First host compromised → Domain admin compromised → Attack discovered
• Durations shown on the timeline: 24–48 hours; mean dwell time 150+ days (varies by industry)

WHAT DO MOST ATTACKS HAVE IN COMMON?
• Insider attacks
• Phishing attacks
• Fabric attacks
• Pass-the-hash (PtH) attacks
• Stolen credentials

Administrative Privileges
• Stolen admin credentials
• Insider attacks
• Phishing attacks
• Fabric attacks
These privileged accounts have the keys to the kingdom; we gave them those keys decades ago.
But now, those administrators’ privileges are being compromised through social engineering, bribery, coercion, private initiatives, etc.

CENTRAL RISK: ADMINISTRATOR PRIVILEGES
PATH: 1. ENTRY 2. LATERAL TRAVERSAL 3. ELEVATION 4. EXPLOITATION
• PERSONAL COMPUTER: admin privileges in a single system can compromise all assets within it
• VIRTUALIZATION: admin on the host can compromise all guests
• PRIVATE/PUBLIC CLOUD: admin in the fabric can compromise all guests

HELPING PREVENT ABUSE OF PRIVILEGED CREDS
HTTP://AKA.MS/PRIVSEC
• Privileged credentials must be controlled/managed
• Use of privileged credentials requires approval; approval supports extensible workflows
• Grant privilege as needed and for a limited time
• Limit the value of credentials (constrain use of privileges in time and space)
• Bind credentials to specific devices
• Protect credential artifacts to limit replay attacks

HARD LESSONS…
• The network is no longer the security perimeter (it hasn’t been for some time)
– Identity is the (new) security perimeter
• Entry—we can’t stop this from happening
– People will be fooled, bribed, blackmailed, etc.
• Eliminating human error isn’t possible
– Phishing works and will continue to do so
• Insider-attacks are a big problem
– Anomalous activity monitoring helps in detection; limit access through identity management & isolation
• Compliance is very important
– But compliance and security are not the same thing: compliant != secure
• Prevention methods aren’t always technical or architectural
– Many will be operational and that will impose some level of additional operational friction—security has a price $$$

SECURITY
• This is at the core of everything in Windows Server 2016
• “Assume breach” is a fundamental tenet in today’s IT world
• Technologies for both personas of Windows Server 2016
– Shielded VMs and Host Guardian Service
– VM Security
– Virtualization Based Security (code integrity, credential guard)
– Hyper-V Containers
– Nano
– Control Flow Guard
– Device Guard
– Credential Guard and Remote Credential Guard
– Privileged Identity Management, JEA and JIT
– Enhanced Logging
– Built-in Anti-Malware

Security Posture
– Security isn’t a bolt-on;
1. Protect: Ongoing focus & innovation on preventative measures; block known attacks & known malware
2. Detect: Comprehensive monitoring tools to help you spot abnormalities and respond to attacks faster
3. Respond: Leading response and recovery technologies plus deep consulting expertise
4. Isolate: Isolate OS components & secrets; limit admin. privileges; rigorously measure host health

4 CORE PRINCIPLES; 3 BROAD BUCKETS
1. Managed privileged identities
2. Secure the OS
3. Secure virtualization
Protect, Detect, Respond, Isolate

WHAT DO WE NEED TO SECURE AND HOW?
4 CORE PRINCIPLES; 3 BROAD BUCKETS
1. Managed privileged identities
Protect, Detect, Respond, Isolate

INITIATIVES TO ADDRESS EMERGING THREATS WITH WINDOWS SERVER 2016 AND/OR WINDOWS 10
• Manage privileged identities
• Prevent credential theft

WHAT DO WE NEED TO SECURE AND HOW?
4 CORE PRINCIPLES; 3 BROAD BUCKETS
1. Managed privileged identities
2. Secure the OS
Protect, Detect, Respond, Isolate

INITIATIVES TO ADDRESS EMERGING THREATS WITH WINDOWS SERVER 2016 AND/OR WINDOWS 10
• Secure the OS: host & guest
– Host Integrity
– Guest Integrity
• Manage privileged identities
• Prevent credential theft

WHAT DO WE NEED TO SECURE AND HOW?
4 CORE PRINCIPLES; 3 BROAD BUCKETS
1. Managed privileged identities
2. Secure the OS
3. Secure virtualization
Protect, Detect, Respond, Isolate

INITIATIVES TO ADDRESS EMERGING THREATS WITH WINDOWS SERVER 2016 AND/OR WINDOWS 10
• Secure the OS: host & guest
– Host Integrity
– Guest Integrity
• Manage privileged identities
• Prevent credential theft
• Secure virtualization

MONITORING/DETECTION THROUGH ENHANCED AUDITING + LOG & BEHAVIORAL ANALYSIS
• Secure the OS: host & guest
– Host Integrity
– Guest Integrity
• Manage privileged identities
• Prevent credential theft
• Secure virtualization
• Monitoring/Detection

CONFIGURATION LEVELS
[Diagram labels: Desktop Experience; Graphical Shell; Management Tools; MinShell; Windows Server with Desktop Experience; Windows Server Core; Minimal OS; Nano Server]

NANO SERVER
• Smallest ever footprint
– 93 percent lower VHD size
– Very fast deployment and reboots
• Focus on two key scenarios
– Born-in-the-cloud applications
– Cloud platform - Hyper-V and Scale-out File Servers
• Not installed in traditional manner
• Enables the new cloud era!
• Managed through familiar and new ways

CUMULATIVE UPDATES AND WINDOWS
• Windows Server 2016 utilizes Cumulative Updates like Windows 10
• Only need the latest Cumulative Update to bring an install to the latest patch version
• Removes the challenge of every customer deploying their own combinations of patches that were not tested
• Security updates will still be delivered on an “as needed” basis

CONTAINERS
• Most people have struggled to deploy a custom application to a production environment. Why?
• Containers solve this by enabling applications and libraries to run in their own containers, which include their dependencies
• Very fast deployment and high density
• Share an OS instance with user mode isolation
• Can be managed with Docker CLI or PowerShell (uses Docker REST API)

CONTAINERS
[Diagram labels: Host OS; Host OS Kernel; User Mode; Binaries/Libraries; Container App 1 to Container App 5; Docker Pull App 1; App 1; Bins/Libs; Dependency]

WINDOWS VS HYPER-V CONTAINERS
• Windows Containers: Container App 1 to Container App 5 run in User Mode with their Binaries/Libraries on the Host OS Kernel
• Hyper-V Containers: Container App 6 and Container App 7 each run in a Hyper-V VM with its own kernel (Base Image 1 Kernel, Base Image 2 Kernel), User Mode and Bins/Libs

STORAGE
• Focus on two features
– Storage Spaces Direct
– Storage Replica
• Features in Datacenter SKU only
• Other improvements include storage QoS, deduplication and more ReFS

STORAGE SPACES DIRECT
• Aggregates internal disks or connected via external storage enclosure
• Creates a storage pool used by cluster as CSV
• Formatted with ReFS for mixed resiliency and can house Hyper-V or used as SoFS
• Can mix NVMe, SSD and HDD to enable tiering
• Resiliency across nodes
[Diagram labels: Cluster; SAS (four nodes); SMB3]

STORAGE REPLICA
• Block-level replication between stand-alone or clustered servers
• Synchronous (preferred) or asynchronous
• Replication via SMB 3
• Features such as BitLocker, deduplication continue to work since this is block-level
• Example scenarios:
– Stretched cluster, cluster-to-cluster replication, server-to-server replication
[Diagram labels: Data, Log; Data, Log]

NETWORKING
• Major changes with Network Virtualization
– Network Controller part of Windows Server now and Azure inspired
– Network function virtualization to hold various feature capabilities
    • Multi-tenant Gateway
    • Software Load Balancer and separate MUX to handle incoming requests to better scale
    • Multi-tenant firewall
• Enables network virtualization without SCVMM
• Manageable via PowerShell, Azure Stack or SCVMM
• Broad SDN support

SDN CAN HELP INCREASE SECURITY
[Diagram labels: Physical Network; DDoS Protection; Firewall ACLs; VM Firewall; VM Guest; Virtual Network Isolation; DFW & NSG; Virtual Appliances; SDN]

CLUSTERING
• The assumption that clustering would be built on quality hardware is not applicable in many deployments today
• Windows Server 2016 takes steps to protect against transitory network, storage and compute problems
• Domain boundaries gone
• Easier to get to 2016
– Node removed from cluster
– Installed with 2016 and added back into mixed mode cluster
– Once all nodes are 2016 flip a switch to move to 2016 native

TO THE CLOUD
• Enables an Azure Storage account to be used as the witness
• Enables stretched clusters without requiring a 3rd site
• Create clusters in Azure
• Means witness can be:
– Disk
– File share
– Azure storage account

COMPUTE AND STORAGE RESILIENCY
• New Compute Resiliency enables VMs to continue running even if a node falls out of cluster membership
• Customizable tolerance
• VM moves to a Paused-Critical state and waits for storage to recover without losing any session state if storage lost
• Less flapping for nodes falling in and out of cluster
• If a node ungracefully leaves 3 times in an hour the VMs are drained and it is quarantined
• Can rejoin after 2 hours

HYPER-V
• Nested virtualization
• New Hyper-V VMCX binary format
• Production checkpoints that leverage backup technologies for app-consistent
• Hot-add/remove memory to Gen 1/2 and NICs to Generation 2 VMs
• PowerShell Direct
• Linux Secure Boot
• Virtualized TPM (vTPM) for Generation 2 VMs
• Management Improvements
• Hyper-V ICs updated via Windows Update
• Discrete Device Assignment

SHIELDED VMS
• Provides protection for shielded VMs from all levels of administrator (datacenter, storage, network etc.)
• Uses TPM 2.0 or AD attestation used by attestation service
• Hyper-V host requests a key from the Host Guardian Service and only if healthy will get the key and store in the VSM to access the VM
• Requirements:
– Generation 2 VMs (UEFI firmware, Secure Boot, vTPM 2.0)
– Windows Server 2012 and above guest OS

WHAT DOES SHIELDED VMS GIVE US?
• BitLocker encrypted disks
• Live Migration traffic encrypted
• Hardened VMWP
• Existing Windows Server 2012 and above workloads can be used
• Only real usability difference is no console access
• Provides compliance for environments requiring machines to be encrypted
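A host-side check of the requirements and protections listed on the two Shielded VM slides above, as an added example that is not from the original deck: it reads the host's Host Guardian Service attestation state and reports, per VM, the generation, Secure Boot, vTPM, shielding and migration-traffic encryption settings. The function name `Get-ShieldedVmPosture` and the wording of the gap labels are hypothetical; it assumes an elevated session on a Hyper-V host with the Hyper-V and HgsClient modules installed.

```powershell
#Requires -RunAsAdministrator
#Requires -Modules Hyper-V, HgsClient
# Added example: report which VMs meet the shielded VM requirements and
# whether this host is currently a healthy guarded host.

function Get-ShieldedVmPosture {
    [CmdletBinding()]
    param(
        # VM name or wildcard; defaults to every VM on the host.
        [string[]]$VMName = '*'
    )

    # Host side: HGS releases VM keys only to a host that passed attestation.
    $hgs = Get-HgsClientConfiguration
    $hostHealthy = $hgs.IsHostGuarded -and ($hgs.AttestationStatus -eq 'Passed')
    if (-not $hostHealthy) {
        Write-Warning ("Host is not a healthy guarded host (IsHostGuarded={0}, " +
            "AttestationStatus={1}, Mode={2})." -f
            $hgs.IsHostGuarded, $hgs.AttestationStatus, $hgs.AttestationOperationMode)
    }

    foreach ($vm in Get-VM -Name $VMName) {
        $sec = Get-VMSecurity -VM $vm

        # Get-VMFirmware applies to Generation 2 VMs only.
        $secureBoot = $false
        if ($vm.Generation -eq 2) {
            $secureBoot = (Get-VMFirmware -VM $vm).SecureBoot -eq 'On'
        }

        # Collect every requirement from the slide that this VM misses.
        $gaps = @()
        if ($vm.Generation -ne 2)  { $gaps += 'Not Generation 2' }
        if (-not $secureBoot)      { $gaps += 'Secure Boot off' }
        if (-not $sec.TpmEnabled)  { $gaps += 'vTPM disabled' }
        if (-not $sec.Shielded)    { $gaps += 'Not shielded' }
        if (-not $sec.EncryptStateAndVmMigrationTraffic) {
            $gaps += 'State and migration traffic not encrypted'
        }

        [pscustomobject]@{
            VMName               = $vm.Name
            Generation           = $vm.Generation
            SecureBoot           = $secureBoot
            VirtualTpm           = $sec.TpmEnabled
            Shielded             = $sec.Shielded
            EncryptedMigration   = $sec.EncryptStateAndVmMigrationTraffic
            HostAttestationOk    = $hostHealthy
            AttestationMode      = $hgs.AttestationOperationMode
            Gaps                 = $gaps -join '; '
        }
    }
}

# List only the VMs that still have gaps:
Get-ShieldedVmPosture | Where-Object Gaps | Format-Table VMName, Generation, Shielded, Gaps -AutoSize
```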

REMOTE DESKTOP SERVICES
• OpenGL 4.4 and OpenCL 1.1 RemoteFX support
• RemoteFX support in Windows Server 2016 guest
• Larger amounts of dedicated memory per VM (1 GB from 256 MB in 2012 R2)
• Generation 2 VM support for VDI
• Personal session desktops, i.e. specific RDSH per user
• MultiPoint a role of Windows Server 2016
• Pen remoting support (instead of pen acting like a mouse)
• Remote Credential Guard

POWERSHELL PROGRESSION

| Version | Server | Key Feature |
| --- | --- | --- |
| Monad Manifesto | Server 2000 | Vision and prototype |
| PowerShell 1.0 | Server 2008 | .Net Cmdlets |
| PowerShell 2.0 | Server 2008 R2 | Remoting |
| PowerShell 3.0 | Server 2012 | Coverage |
| PowerShell 4.0 | Server 2012 R2 | Desired State Config |
| PowerShell 5.0 | Server 2016 | DevOps |

POWERSHELL 5
• PowerShell is at the center of management and interfacing with Windows and the entire IT ecosystem
• PowerShell has continued to evolve with huge numbers of cmdlets, workflows, desired state configuration and more
• PowerShell 5 continues this constant innovation with:
– Huge number of new cmdlets across entire range of actions
– Integration with Internet based software packages with PackageManagement module
– New DSC capabilities including running as set of credentials, just enough administration
– ISE color coding extends to PowerShell console

ACTIVE DIRECTORY
• Privileged identity management (PIM) to mitigate credential theft using a bastion forest
– Utilizes Microsoft Identity Manager (MIM)
– New workflows for administrative privilege access
• Time-bound memberships
– Kerberos ticket lifetimes restricted to time of lowest time-bound membership
• Remember Azure AD Join for Windows 10 corp devices
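The time-bound membership bullet above, shown with the Active Directory module directly rather than through a MIM workflow; this is an added example, not part of the original deck. It grants a group membership that expires on its own and lists which members of a group are temporary and which are standing. The function names, the 480-minute ceiling and the sample group and account in the usage lines are hypothetical; it assumes the forest already has the Privileged Access Management optional feature enabled.

```powershell
#Requires -Modules ActiveDirectory
# Added example: time-bound group membership in Windows Server 2016 AD.
# Function names, the 480-minute cap and the sample names are hypothetical.

function Get-TimeBoundMember {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Group)

    # With -ShowMemberTimeToLive, an expiring member is returned as
    # "<TTL=seconds>,<distinguished name>"; permanent members have no prefix.
    $g = Get-ADGroup -Identity $Group -Properties member -ShowMemberTimeToLive
    foreach ($entry in $g.member) {
        if ($entry -match '^<TTL=(\d+)>,(.+)$') {
            [pscustomobject]@{
                Group     = $g.Name
                Member    = $Matches[2]
                Permanent = $false
                Expires   = (Get-Date).AddSeconds([int]$Matches[1])
            }
        }
        else {
            # Standing privilege: worth reviewing for privileged groups.
            [pscustomobject]@{
                Group     = $g.Name
                Member    = $entry
                Permanent = $true
                Expires   = $null
            }
        }
    }
}

function Grant-TimeBoundMembership {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Group,
        [Parameter(Mandatory)][string]$Member,
        [ValidateRange(1, 480)][int]$Minutes = 60
    )

    # Time-bound membership depends on a forest-wide optional feature.
    # Enabling it cannot be undone, so this function only checks for it.
    $pam = Get-ADOptionalFeature -Filter "Name -eq 'Privileged Access Management Feature'"
    if (-not $pam -or -not $pam.EnabledScopes) {
        throw 'Privileged Access Management Feature is not enabled in this forest.'
    }

    if ($PSCmdlet.ShouldProcess($Group, "Add $Member for $Minutes minute(s)")) {
        # The membership is removed by the directory when the TTL runs out.
        Add-ADGroupMember -Identity $Group -Members $Member `
            -MemberTimeToLive (New-TimeSpan -Minutes $Minutes)
    }

    Get-TimeBoundMember -Group $Group
}

# Usage with constructed names:
# Grant-TimeBoundMembership -Group 'Server Admins' -Member 'jdoe' -Minutes 30 -WhatIf
# Get-TimeBoundMember -Group 'Domain Admins' | Where-Object Permanent
```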
PIM EXAMPLE