Windows Server 2016 versus Previous versions - Feature Comparison: Security



This feature comparison article compares selected security features of Microsoft Windows Server 2008 R2, Windows Server 2012 R2, and Windows Server 2016.


Windows Server 2016 delivers layers of protection that help address emerging threats and meet your compliance needs, making Windows Server 2016 an active participant in your security defenses. These include the new Shielded Virtual Machine feature that protects VMs from attacks and compromised administrators in the underlying fabric, extensive threat resistance components built into the Windows Server 2016 operating system and enhanced auditing events that will help security systems detect malicious activity.


- Shielded Virtual Machines and Guarded Fabric help provide hosting service providers and private cloud operators the ability to offer their tenants a hosted environment where protection of tenant virtual machine data is strengthened against threats from compromised storage, network and host administrators, and malware.

- Credential Guard helps prevent pass-the-hash attacks by using virtualization-based security to isolate credential artifacts from administrators. Credential Guard offers better protection against advanced persistent threats by protecting credentials on the system from being stolen by a compromised administrator or malware.
Credential Guard can also be enabled on Remote Desktop Services servers and Virtual Desktop Infrastructure so that the credentials for users connecting to their sessions are protected.

- Remote Credential Guard helps you protect your credentials over a Remote Desktop connection by redirecting the Kerberos requests back to the device that's requesting the connection. It also provides a single sign-on experience for Remote Desktop sessions. If the target device is compromised, your credentials are not exposed because both credentials and credential derivatives are never sent to the target device.

- Device Guard uses Virtualization Based Security to ensure that only allowed binaries can be run on the system. If the app or driver isn’t trusted, it can’t run.
Device Guard can also help protect Remote Desktop Services to lock down what applications can run within the user sessions.

- AppLocker can help you protect the digital assets within your organization, reduce the threat of malicious software being introduced into your environment, and improve the management of application control and the maintenance of application control policies. AppLocker and Device Guard can be used in tandem to provide a wide set of software restriction policies that meets your operational needs.

- Control Flow Guard (CFG) protects against an attacker corrupting the control flow of a process by changing the addresses of indirect calls. Windows user mode components are created with Control Flow Guard built-in and vendors can also include Control Flow Guard in their binaries using Visual Studio 2015.

- Windows Defender is malware protection that actively protects Windows Server 2016 against known malware and can regularly update antimalware definitions through Windows Update. Windows Defender is optimized to run on Windows Server supporting the various server roles and is integrated with PowerShell for malware scanning.

- Distributed firewall and microsegmentation - The distributed firewall is a network layer, 5-tuple (protocol, source and destination port numbers, source and destination IP addresses), stateful, multi-tenant firewall. When deployed and offered as a service by the service provider, tenant administrators can install and configure firewall policies to help protect their virtual networks from unwanted traffic originating from Internet and intranet networks—this process is known as microsegmentation.

- Host Guardian Service is a new role in Windows Server 2016 that enables Shielded Virtual Machines and Guarded Fabric.
Guarded Fabric: Shielded VMs can only run on Guarded hosts. These hosts need to pass an attestation check to make sure they are locked down and comply with the policy that enables Shielded VMs to run on them. This functionality is implemented through a Host Guardian Service deployed in the environment which will store the keys required for approved Hyper-V hosts that can prove their health to run Shielded VMs.

- Device Health Attestation Service - For Windows 10-based devices, Microsoft introduces a new public API that will allow Mobile Device Management (MDM) software to access a remote attestation service called Windows Health Attestation Service. A health attestation result, in addition to other elements, can be used to allow or deny access to networks, apps, or services, based on whether devices prove to be healthy.

Windows Server 2016 Feature Comparison

- Privileged Access: Just Enough Administration - Administrators should only be able to perform their role and nothing more. For example: A file server administrator can restart services, but should not be able to browse the data on the server.
Just Enough Administration (JEA) provides a role-based access platform through PowerShell. It allows specific users to perform specific administrative tasks on servers without giving them administrator rights.
JEA is built into Windows Server 2016 and you can also use WMF 5.0 to take advantage of JEA on Windows Server 2008 R2 and higher.

- Privileged Access: Just-in-Time Administration - The concept of Just-in-Time Administration helps transform administration privileges from perpetual administration to time-based administration. When a user needs to be an administrator, they go through a workflow that is fully audited and provides them with administration privilege for a limited time by adding them to a time-based security group and automatically removing them after that period of time has passed.
The deployment of Just-in-Time Administration includes creating an isolated administration forest, where the controlled administrator accounts will be managed.

- Virtualization Based Security (VBS) is a new protected environment that provides isolation from the running operating system so that secrets and control can be protected from compromised administrators or malware. VBS is used by Device Guard to protect kernel code, Credential Guard for credential isolation and Shielded VMs for the virtual TPM implementation.

- Virtual TPM: Trusted Platform Module - Implemented in Windows Server 2016 Hyper-V, a Generation 2 virtual machine (Windows Server 2012 and later) can now have its own Virtual TPM so that it can use it as a secure crypto-processor chip. The virtual TPM is a new synthetic device that provides TPM 2.0 functionality.
Virtual TPM does not require a physical TPM to be available on the Hyper-V host, and its state is tied to the VM itself rather than the physical host it was first created on so that it can move with the VM. VMs with a virtual TPM can run on a guarded fabric.
The Shielded VM functionality uses the Virtual TPM for BitLocker encryption.
Client machines running on Virtual Desktop Infrastructure can now use a vTPM as well.

- Windows BitLocker drive encryption provides better data protection for your computer, by encrypting all data stored on the Windows operating system volume and/or data drives.

- Security improvements to SMB 3.1.1 include pre-authentication integrity and SMB encryption improvements.
Pre-authentication integrity provides improved protection from a man-in-the-middle attacker tampering with SMB’s connection establishment and authentication messages. Pre-Auth integrity verifies all the “negotiate” and “session setup” exchanges used by SMB with a strong cryptographic hash (SHA-512). If your client and your server establish an SMB 3.1.1 session, you can be sure that no one has tampered with the connection and session properties.
SMB 3.1.1 offers a mechanism to negotiate the crypto algorithm per connection, with options for AES-128-CCM and AES-128-GCM.
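
Added example (not from the original article and not Microsoft code): a simplified Python model of pre-authentication integrity, showing why a change to the negotiate exchange makes the signed final session setup response fail verification. The message bytes, session key and function names are constructed for illustration, and HMAC-SHA256 stands in for the AES-CMAC signature that SMB 3.1.1 uses.

```python
import hashlib
import hmac

def preauth_hash(messages):
    """H_0 = 64 zero bytes; H_i = SHA-512(H_{i-1} || message_i)."""
    h = bytes(64)
    for msg in messages:
        h = hashlib.sha512(h + msg).digest()
    return h

def derive_signing_key(session_key, preauth):
    """Simplified model: SP800-108 counter-mode KDF (HMAC-SHA256, one block,
    128-bit output) with the pre-auth hash as the KDF context."""
    data = ((1).to_bytes(4, "big") + b"SMBSigningKey\x00" + b"\x00"
            + preauth + (128).to_bytes(4, "big"))
    return hmac.new(session_key, data, hashlib.sha256).digest()[:16]

def sign(key, message):
    # Stand-in MAC (assumption): the stdlib has no AES-CMAC, so HMAC-SHA256 is used.
    return hmac.new(key, message, hashlib.sha256).digest()[:16]

# Constructed placeholder messages, not real SMB2 packets.
NEG_REQ = b"NEGOTIATE req: dialects=3.1.1 ciphers=AES-128-GCM,AES-128-CCM"
NEG_RESP = b"NEGOTIATE resp: dialect=3.1.1 cipher=AES-128-GCM"
SETUP_REQ = b"SESSION_SETUP req: <auth token>"
FINAL_RESP = b"SESSION_SETUP resp: STATUS_SUCCESS"
SESSION_KEY = bytes(range(16))  # constructed; normally the output of authentication

def run_exchange(tamper=False):
    """Server signs the final response using the hash of what it sent and
    received; the client verifies using the hash of what it saw on the wire."""
    server_view = [NEG_REQ, NEG_RESP, SETUP_REQ]
    client_view = list(server_view)
    if tamper:
        # Model an in-transit change to the negotiate response:
        # only the client's copy of the transcript differs.
        client_view[1] = NEG_RESP.replace(b"GCM", b"CCM")
    server_key = derive_signing_key(SESSION_KEY, preauth_hash(server_view))
    signature = sign(server_key, FINAL_RESP)
    client_key = derive_signing_key(SESSION_KEY, preauth_hash(client_view))
    return hmac.compare_digest(sign(client_key, FINAL_RESP), signature)

if __name__ == "__main__":
    print("untampered exchange accepted:", run_exchange())
    print("tampered exchange accepted:  ", run_exchange(tamper=True))
```

Because the hash chain covers every negotiate and session setup message, both sides derive the same signing key only when their transcripts are byte-for-byte identical.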


- Dynamic Access Control - Apply data governance across your file servers to control who can access information and to audit who has accessed information. Dynamic Access Control lets you:
• Identify data by using automatic and manual classification of files. For example, you could tag data in file servers across the organization.
• Control access to files by applying safety net policies that use central access policies. For example, you could define who can access health information within the organization.
• Audit access to files by using central audit policies for compliance reporting and forensic analysis. For example, you could identify who accessed highly sensitive information.
• Apply Rights Management Services (RMS) protection by using automatic RMS encryption for sensitive Microsoft Office documents. For example, you could configure RMS to encrypt all documents that contain Health Insurance Portability and Accountability Act (HIPAA) information.

- AD Rights Management Services - provides information protection for your sensitive information. By using Active Directory Rights Management Services (AD RMS) and the AD RMS client, you can augment an organization's security strategy by protecting information through persistent usage policies, which remain with the information, no matter where it is moved. You can use AD RMS to help prevent sensitive information—such as financial reports, product specifications, customer data, and confidential e-mail messages—from intentionally or accidentally getting into the wrong hands.


- Azure Rights Management (RMS) connector lets you quickly enable existing on-premises servers to use their Information Rights Management (IRM) functionality with the cloud-based Microsoft Rights Management service (Azure RMS).

- Enhanced auditing for threat detection - Based on the Microsoft internal security operation center, Windows Server 2016 includes targeted auditing to better detect malicious behavior. These include auditing access to kernel and sensitive processes as well as new data in the logon events. These events can then be streamed to threat detection systems such as the Microsoft Operations Management Suite to alert on malicious behavior.

- PowerShell 5.1 security features - There are several new security features included in PowerShell 5.1. These include script block logging, antimalware integration, constrained PowerShell, and transcript logging.
PowerShell 5.1 can also be installed on previous operating systems, starting from Windows Server 2008 R2.
