Windows Server 2016 Security Better protection begins at the OS
1 Contents
Getting out in front of cyber attacks 3 How attacks work 3 Windows Server 2016: Active defense and compliance 4
Protect credentials and limit administrator privileges 5 Credential Guard 5 Remote Credential Guard 5 Just Enough and Just-in-Time Administration 5
Secure OS to run your applications and infrastructure 7 Device Guard 7 Control Flow Guard 7 Windows Defender 8 Enhanced security auditing 8
Secure virtualization 8 Shielded Virtual Machines 8 Host Guardian Service 10 Distributed network firewall using software-defined networking 10
Security for developers 11 Hyper-V containers 11 Nano Server 12
Conclusion 12
Windows Server 2016 Security: Better protection begins at the OS 3 Most attackers use malware toolkits – available – available toolkits malware use Most attackers file servers or locks employees out of their systems. their of out employees locks or servers file worry need to don’t even The attackers about network.staying hidden on the and creating roadblocks that prevent attackers that prevent roadblocks and creating once inside. By making making any progress from it incredibly difficult to compromise administrator are or exploit vulnerabilities, attackers credentials to two, or day a just not weeks, spend to forced also They resources. internal access to gain broad search, noise during their extended a lot of make spotting the chance of giving IT a much better corporate before responding activity and malicious can be compromised. resources How attacks workHow attacks your gain access to – to on the internet anyone to network. attempt Once inside, they immediately which credentials, administrator compromise to that point, 48 hours. At them 24 to typically takes in hand, credentials with domain administrator insystem any nearly access to rein free have they using valid Because they are infrastructure. your for months before can operate they credentials, being discovered.
In a typical breach, attackers compromise domain admin credentials within 48 hours, giving them nearly unlimited access giving them nearly unlimited access domain admin credentials within 48 hours, compromise In a typical breach, attackers for months without discovery. and the ability to operate to internal systems Ransomware is another emerging threat used toused threat emerging another is Ransomware If we know all of this, why are attackers still so attackers this, why are know all of If we n today’s business environment, cyber attacksenvironment, business n today’s for companies occurrence become a normal have of all sizes, across all industries. The attacker profile profile attacker The industries. all across sizes, all of and now actors, independent beyond has grown and terror states, crime, nation includes organized not only go after the biggest These groups groups. for the biggest information steal to companies payoff, they are also intent. or other malicious businesses for profit focused interruptingon disrupt business for financial gain. Attackers rely swift attacks that hold create to on human error data hostage. It might start,anfor example, when email,an in URL malicious a on clicks employee traverses that quickly malware which downloads encrypts and the network the organization’s all of successful? The issue is that most organizationsmost that is issue The successful? building stresses that model security on a rely guys the bad keep defenses to infrastructure out, rather than finding them once they’re inside. devices mobile numbers of ever-growing With available along with readily workers, and remote whether of no longer a matter it’s toolkits, malware “assume but when. Adopting an be breached, you’ll spend to defense allows IT security teams breach” more time and effort on detecting breach activity
Getting out in front of cyber attacks cyber of in front out Getting I
Windows Server 2016 Security: Better protection begins at the OS 4
. FedRAMP non-security functions privileges users executing privileged functions executing functions CM-5 – Access restrictions for change CM-5 – Access restrictions access enforcement CM-5 (1) – Automated / operational CM-5 (5) – Limit production AC-2 – Account management audit actions AC-2 (4) – Automated schemes AC-2 (7) Account role-based AC-2 (12) – Account monitoring AC-3 – Access enforcement duties of AC-5 – Separation AC-6 – Least privilege security AC-6 (1) – Authorize access to AC-6 (2) – Non-privileged access for AC-6 (5) – Privileged accounts privileged functions AC-6 (9) – Auditing use of non-privileged users from AC-6 (10) – Prohibit AU-2 – Audit events privileged AU-9 (4) – Audit access by subset of AU-12 – Audit generation Improved protection of vulnerable infrastructure vulnerable of protection Improved - organi gives OS security through and credentials attackers of get out in front zations a way to It also supports they can cause damage. before and industry government with compliance - regula SOX, ISO data, such as HIPAA, tions for protecting security Using built-in 27001, PCI, and FedRAMP. Servercomponents, Windows 2016 can now for certificationrequirements address help directly access privi- such as managing these regulations, and resources, data in shared leges, protecting that given security auditing. This is not surprising, Server and Windows both these regulations 2016 that the cyber threats combat to designed are security. corporate undermine
ISO 27001:2013 provisioning privileged access rights restriction code source program networks and network networks requirement of access of requirement development, testing, and testing, development, operational environments duties services and operator logs and operator control A.12.4.1 – Event logging A.12.4.1 – Event A.12.4.3 – Administrator A.9.2.2 – User access A.9.2.3 – Management of A.9.4.1 – Information access to A.9.4.5 – Access control of A.12.1.4 – Separation A.9.1.2 – Access to A.9.1.2 – Access to A.9.1 – Business A.6.1.2 – Segregation of of A.6.1.2 – Segregation
PCI DSS 3.2 Implementing Microsoft Identity Management Features for ISO 27001, PCI, and FedRAMP Privileged Windows Server 2016 helps organizations meet many government and industry compliance regulations. For example, regulations. For example, and industry compliance government meet many 2016 helps organizations Server Windows the Just Enough and Just-in-Time Administration features in Windows Server 2016 fulfill all support, 2016 compliance Server information on Windows For detailed requirements out of the box. ofFedRAMP compliance the above PCI, ISO, and see Windows ServerWindows defend to 2016 was designed least privileges job function and classification need-to-know basis need-to-know privileges individual root between test and production and production test between needs job-based to restricted environments environments all access to data all access to function and classification access privileges accounts 6.4.2 – Separation of duties of 6.4.2 – Separation data access and cardholder 10.2.2 – Logging actions by 10.2.5 – User changes logging user 12.5.4 – Administer and control 12.5.5 – Monitor 7.1.3 – Assigning access to job 7.1.3 – Assigning access to of approval Documented – 7.1.4 on 7.2 – User access control 7.2.2 – Assigning privileges to setting“deny-all” Default – 7.2.3 7.1 – System components 7.1 – System role access needs Define – 7.1.1 on 7.1.2 – User ID access based Windows Server 2016: Active defense and compliance defense and Active 2016: Server Windows server the methods against infrastructures data and interrupt compromise use to attackers inserting credentials, business: stealing malware serversinto and targeting applications, and virtualizationat protections New vulnerabilities. OS, and virtualization layers work the identity, and isolate toolkits attacker disrupt standard to the server making targets, vulnerable OS an participant in its own defense. The securityactive Server in Windows features 2016 also help slow by the network within progress down attacker and alerting credentials administrator protecting if an So even malicious activity. to administrators environment, gains a foothold in your attacker the any further. can’t move attacker
Windows Server 2016 Security: Better protection begins at the OS 5
While protecting against Pass-the-Hash or against Pass-the-Hash protecting While accounts are many administrator too Today, Windows ServerWindows 10 Anni- and Windows 2016 Server Windows Guard, Credential Remote With Just Enough and Just-in- Time Administration attacks is important, administra- Pass-the-Ticket means,other by stolen be still can credentials tor employ- engineering, disgruntled social including in addition to Therefore, force. ees, and brute also as much as possible, you isolating credentials administrator-level of limit the reach want a way to compromised. privileges in case they are of only one area if they have even over-privileged, administrator, For example, a DNS responsibility. a very privileges to set of who requires narrow servers,manage DNS domain granted often is privileges. In addition, because theseadmin-level is no there for perpetuity, granted are credentials limit on how long they can be used. Every account with unnecessary privileges domain admin-level seeking to attackers to exposure your increases minimize the surface To credentials. compromise Remote Credential Guard Guard Credential Remote for users credentials versaryalso protect Update connections. Previously, desktop with remote Services Desktop would using Remote anyone their local machine and then be log on to to have log on again when they performed to a required Thismachine. target their to connection remote target the to credentials pass would login second or Pass-the-Hash machine, exposing them to attacks. Pass-the-Ticket for Remote 2016 implements single sign-on to sessions, eliminating the requirement Desktop it Instead, and password. username your re-enter used already that you’ve the credentials leverages yourBecause machine. local your to on log to targetthe to passed be to need not do credentials tickets hashes or Kerberos machine, the password can’t be copied.
ecause attackers typically access sensitive ecause attackers administrator compromised data through If an attacker does gain access to a system, a system, to does gain access If an attacker Credential Guard uses virtualization-baseduses Guard Credential Windows ServerWindows - 2016 includes the same tech credentials, securing administrator identities is securing administrator credentials, identity blocking attacks. In many ways, to key when it comes to perimeter has become the new - privi your If and data. defending infrastructure keep can you then secure, are credentials leged your inside if they are even – at bay attackers network. Windows Server them from prevent helps 2016 as a launching point for furtherusing that system box.that from credentials the copying by intrusions can be limited In addition, privileged credentials a compromise help prevent in time and scope to attack. a widespread into turning from system data or steal even higher privileged admin even or steal data system credentials. - pre information, credential isolate to security from tickets hashes or Kerberos password venting new isolated It uses an entirely being intercepted. iswhich process, (LSA) Authority Security Local system.operating the of rest the to accessible not signed are LSA isolated the by used binaries All with certificates that arevalidated before launch- making environment, ing them in the protected ineffective. completely attacks type Pass-the-Hash Credential Guard Guard Credential credentials protect to 10 in Windows used nology or Pass-the- via Pass-the-Hash being stolen from attacks. A common scenario for these type Ticket they who does not realize attacks is that a user, on their machine, has an issue with malware have calls the helpdesk for assistance. and their system The first thing the helpdesk admin does – either machine the into log to is – personin or remotely then copies malware The wrong. what’s see to use to tries and immediately those credentials them against any system it can find to access administrator privileges administrator Protect credentials and limit and credentials Protect B
Windows Server 2016 Security: Better protection begins at the OS 6 Time Just Enough and Just-in-Time Administration and time Just Enough and Just-in-Time Administration reduce the the reduce Just Enough and Just-in-Time Administration area for theft surface attack of admin credentials. Imagine this scenario if the DNS admin’s admin’s if the DNS Imagine this scenario
Capability Required capability identity before granting the requested privileges. the requested granting identity before provide privileges those DNS Once granted, specific a for DNS for role PowerShell the to access time span. First, credentials the since stolen. were credentials them, the attached to privileges admin no have the gain access to be able to wouldn’t attacker any serverDNS make – to – or any other systems privileges request to tried changes. If the attacker authentication second-factor server, for the DNS would ask them to confirm their identity. Since it admin’s DNS the has attacker the that likely isn’t This fail. would phone, authentication mobile and the system, out of attacker lock the would also alert that the credentials the IT organization might be compromised. Time Typical administrator While Windows Server 2016 makes it much easier to implement credential security, security, Windows Server While credential implement Note: to it much easier 2016 makes protect ServerWindows deployed to not yet steps have that organizations 2016 can take even for security improve organizations help to guidance together has put Microsoft themselves. guidance step-by-step This Server. Windows versions of on previous – even today credentials can be accessed at https://aka.ms/privsec. Admin privileges that are too broad and have no time time no have and broad too are that privileges Admin of exposure for attackers window limit create a large for credentials. searching Using Just Enough Administration and Just-in- Using Just Enough Capability area for attack,area the only provide want to you the do to needs admin an that rights of set specific to time needed of only for the window job – and it.complete can request administrators Time Administration, the specific privileges they need administrator, a DNS For time required. window of for the exact Just enable to using PowerShell for example, a limited create lets you Enough Administration for DNS available that are commands set of needs administrator management. If the DNS servers,her of one to update an she make to using DNS manage access to request would request The Manager 2016. Identity Microsoft workflow can include approval an process such which could call authentication, as two-factor the administrator’s mobile phone to confirm her
Windows Server 2016 Security: Better protection begins at the OS 7 -
Windows Server 2016 also includes built-in ServerWindows 2016 also includes built-in by JOP attacks prevents Guard Flow Control an important provides Guard Flow Control Control Flow Guard Flow Guard Control memory against some classes of protection cor servers your is important,ruption attacks. Patching could malware is always a chance that but there that has not for a vulnerability be developed yet been identified. Someof the most common are methods for exploiting these vulnerabilities a running data to unusual or extreme provide to can exploit a example, an attacker For program. bufferoverflow vulnerability providingby more the and overrun than expected a program input to hold a response. reserved to area by the program memory adjacent corrupt can This mightthat calls program the When a function pointer. hold an unin- it can then jump to this function, through tended location specified bythe attacker. These jump-orientedknown as also are attacks of type (JOP) attacks. programming on what application restrictions tight placing call indirect – especially executed can be code security checksinstructions. It adds lightweight functions in the application identifyto the set of an calls. When for indirect targets valid that are application runs, it verifies that these indirect call check Guard Flow If the Control valid. are targets Serverruntime, Windows fails at immediately 2016 thatexploit any breaking program, the terminates address. call an invalid indirectly to attempts aIf Guard. Device to protection of layer additional it application has been compromised, white-listed Guard, Device by run unchecked be able to would see would screening Guard Device the because con- is and signed been application has the that Guard Flow Control But because trusted. sidered can identify in whether the application is executing attack the non-viable order, a non-predetermined, appli- the compromised fail, preventing would these protections running. Together, cation from malware inject to attackers for difficult very it make Server running on Windows software into 2016.
reventing reventing cyber threats also requires finding seek to and attacks that and blocking malware Windows Server Windows to Guard Device includes 2016 adminis- Server, Windows In earlier versions of ensure that only trusted software can be run on the software trusted that only ensure it can Using virtualization-based security, server. based limit what binaries can run on the system If anything other policy. on the organization’s than the specified binaries triesto run,Windows Server so attempt 2016 blocks it and logs the failed has been a can see that there that administrators is also integrated Guard Device breach. potential can authorize which so that you with PowerShell system. scripts can run on your enforcement code integrity could bypass trators by simply deleting the policy from the code file. With Windows Server 2016, you can configure a so that organization policy that is signed by your only a person with access to the certificate that if Even signed the policy can change the policy. can’tthey credentials, stolen using is attacker the have unless they Guard Device around work the machine – a veryphysical access to unlikely delete manages to if the attacker scenario. Even effect. take to reboot a require would it policy, the doesit that realize would system the reboot, On not have the specifiedrequired policy andwould boot. to refuse Device Guard Device Guard
infrastructure Secure OS to run your applications and applications your run to OS Secure
gain control by subverting operatinggain control the standard can If attackers infrastructure. your practices of run application to or system get an operating they non-viable way, in a non-predetermined, malicious take to using that system likely are actions. Windows Server layers of 2016 provides running attackers that block external protection vulnerabilities. or exploiting software malicious in role an active takes The operating system by and applications infrastructure protecting alerting a activity that indicates to administrators has been breached. system P
Windows Server 2016 Security: Better protection begins at the OS 8
Audit Group Membership: toAudit Group Allows you membership in information audit the group generated are Events user’sa token. login enumerated memberships are when group login session the where or queried on the PC was created. audit to Allows you Audit PnP Activity: device external an detects when plug and play PnP events contain malware. which could – track down changes in system can be used to are IDs vendor hardware A list of hardware. included in the event. The same things that make virtualThe same things that make machines so on the fabric can administrator A compromised • • ServerWindows easily with 2016 integrates Shielded Virtual Machines also make and replicate, backup, migrate, easy to A virtual machine modifythem easier to and copy. is just a file, so it is not protected on the network, Another issue or elsewhere. in backups, in storage, a – whether they are is that fabric administrators – administrator a network or administrator storage all the virtual access to have machines. virtual data across in compromised easily result do is use the has to machines. All the attacker VM whatever copy to credentials compromised files they likeonto a USB drive and walk it outof the those where organization, VM files can be run security features in one location, making it easier location, making in one security features may what systems determine to for administrators be at risk. include: categories event New management (SIEM) security incident event Operations Manage- such as Microsoft systems, the (OMS), which can incorporate ment Suite reports intelligence on potential into information by provided information depth of The breaches. to teams the enhanced auditing enables security more breaches potential identify to respond and quickly and effectively. -
nterprises today virtualize today nterprises everything can,they - Direc Active to SQL Serverfrom SharePoint to Windows ServerWindows alerts 2016 actively administra- Windows Server Windows industry-the includes 2016 used shells such as Power attackers In the past, Windows ServerWindows 2016 fundamentally changes Secure virtualization Secure Enhanced security auditingsecurity Enhanced with enhanced attempts breach potential to tors detailed more security auditing that provides attack which can be used for faster information, from analysis. It logs events and forensic detection and other Guard, Device Guard, Flow Control Shell to launch malicious binaryShell to code. In Windows with is now integrated Server 2016, PowerShell before scan for malware to Defender Windows launching the code. Windows DefenderWindows Windows of capabilities detection leading, active Windows block known malware. to Defender Guard with Device hand-in-hand works Defender codemalicious prevent to Guard Flow Control and servers. on your being installed any kind from of does on by default – the administrator It is turned start any action for it to take working.not need to support is also optimized to Defender Windows serverthe various Server Windows in roles 2016.
tory Virtual Controllers. Domain machines (VMs) manage, service, deploy, it easier to simply make itwhen But infrastructure. your automate and virtualization compromised security, comes to that is a new attack vector become fabrics have defend against – until now. to hard virtualization. secure can enterprises how includesIt to organizations allow that technologies multiple virtualcreate machines that will run only on their the from isolated completely own fabric, which are only with thehosts they run on, and will interact that you network on your VMs or other systems define as safe. E
Windows Server 2016 Security: Better protection begins at the OS 9 * Shielded HYPER-V virtual machine Should have and don’t have access Shouldn’t have and don’t have access Shouldn’t have and have access *Configuration dependent You can shield Generation 2 virtual2 Generation shield can You Note: Servermachines, including Windows 2012 ServerR2, Windows 2012, and Windows 8 – Windows 10. the VM will run only on approved hosts in the hosts in run only on approved the VM will virtualization if an even This means that fabric. a as in the case of the host, compromises attacker be wouldn’t the attacker malicious administrator, individual VM. This access the data in any able to – combined with the Host Guardian protection never Service protection of VMs a level – brings - VM admin Only the designated available. before a Shielded Virtual has access to istrator Machine, with administrator access by hackers preventing credentials.
HYPER-V Virtual machine Physical machine COMPUTER ROOM BUILDING PERIMETER Server Administrator Storage Administrator Network Administrator Backup Operator Virtualization-host Administrator Virtual machine Administrator Should have and don’t have access Shouldn’t have and don’t have access Shouldn’t have and have access Should have and don’t have access Shouldn’t have and don’t have access Shouldn’t *Configuration dependent Shielded VMs reduce attack surface area by limiting access to designated VM administrators. limiting access area by surface attack Shielded VMs reduce Shielded Virtual Machines are created usingShielded Virtual created Machines are Windows Server Shielded 2016 introduces Virtual Machines to help protect against scenarios Virtual help protect to Machines Shielded Virtual the one just described. like a virtualMachines include which TPM device, the to apply BitLocker to organizations enables virtual only on they run and ensure machines - against compro help protect hosts to trusted network,mised storage, and host administrators. Generation 2 VMs, which support Unified- Exten sible InterfaceFirmware (UEFI) and firmware have virtualTPM. Once encrypted using BitLocker, on any other system. If any one of those stolenthose of one any If system. other any on Directory Active an controller, domain VMs were view the could easily the attacker for example, force brute available and use readily content in the Active crack the passwords to techniques giving them accessDirectory ultimately database, everythingto infrastructure. within your else
Windows Server 2016 Security: Better protection begins at the OS 10 - on hosts that are memberson hosts that are With group. the security of is no this method, there to complex measurement ensure that the host that machine ensure group and the Host Guardian Host Guardian and the group Service is configured to Shielded Virtual run Machines to allow with. hasn’t been tampered
However, you do eliminate the possibility of of possibility the do eliminate you However, Windows Windows Server 2016 software-defined net applied anywhere across your virtual your across networkapplied anywhere infrastructure, isolating VM-to-VM traffic, VM-to- neces- where traffic VM-to-Internet or traffic, host sary that may have – either for individual systems across or programmatically been compromised multiple subnets. or route to also enable you capabilities working mirror incoming traffic to non-Microsoft virtual choose to could For example, you appliances. send all of your email traffic through a Barracuda - pro filtering spam additional for virtualappliance additionalin layer easily to you allows This tection. or in the cloud. security both on-premises using Admin-trusted attestation, which may be may which attestation, using Admin-trusted your is not in use in 2.0 hardware desirable if TPM model is easy to This attestation organization. a security simply placed into Hosts are deploy. unencryptedUSBon door the out walking VMs drives, because the VM files would not designatedany machine other than those in the run on TPM 2.0 hardware, have do not yet If you group. can startyou and attestation with Admin-trusted when your attestation hardware-trusted to switch is upgraded. hardware
- until security health is until security assured. Host Guardian Service Host Guardian for holds the keys VirtualShielded Machines them and will not release One way to improve protection in highly in protection improve One way to The software-defined networking(SDN) in Alongside Shielded VMs, the Host Guardian Shielded VMs, the Alongside ways that two are There virtualized segment the network is to environments specific the to only talk to VMs allows that way a in example, if your For function. to required systems thewith connect to need doesn’t application Internet, you can partition it off, eliminating those attackers. external from as targets systems ServerWindows net- 2016 includes a distributed to dynamically create you that allows firewall work applica- your the security policies that can protect inside or outside attacks coming from tions from a network. This distributed network firewall adds isolate to security by enabling you your layers to be can applications in the network.your Policies networking Distributed network firewall using software-defined using software-defined firewall network Distributed mation required by the Host Guardian Service by the Host Guardian tomation required host has not been tampered the Hyper-V ensure of the alternative have with. IT organizations Host Guardian Service Service Guardian Host Service a component for creating is an essential virtualization tosecure attest Its job is to fabric. it will allow host before a Hyper-V the health of a Shielded Virtual Machine to that host. to migrate boot or to for Shielded It holds the keys Virtual and will not Machines them until the securityrelease health is assured. hosts Hyper-V can require you the Host Guardian to attest to Service. The first, and This solution attestation. is hardware-trusted most secure, Virtual Shielded that your are Machines requires 2.0 chips and TPM running on hosts that have provide to is required hardware 2.3.1. This UEFI infor integrity kernel OS and boot measured the
Windows Server 2016 Security: Better protection begins at the OS 11 Container Container Container Container Container Container Windows ServerWindows also enables developers and Hyper-V containers help ensure containers containers help ensure Hyper-V Hyper-V containers Isolation plus performance Windows Server containers Windows Server Maximum speed and density write once, deploy anywhere model. The only model. The anywhere deploy once, write difference is that at run time,you chooseto run This will add the Hyper-V container. as a Hyper-V container with the appropriate your isolation to IT security goals. your achieve isolation to Directory Active provide to administrators IT containers containersthat so to identity fullycan without resources network in access to participate within the or secrets credentials store needing to container itself. can’t affect the host or other containers running a in container each isolating on that host by each highly optimized virtual machine. This way, isthat kernel the of instance own its has container can run you As a result, host. with the shared not as many containers as want you without affecting the host or other containers on the same system. applications faster, cheaper, applications and cheaper, faster, more effectively. ServerWindows security of helps add a layer 2016 and developers tothat enables IT administrators identities for isolation and provide proper ensure applications.
Container Container Container Container
Container Container
Hyper-V Hyper-V encapsulates the container and OS kernel, preventing the container from affecting the host or other containers, versa. and vice Windows Windows Server 2016 is the first and only - devel for streamlining great Containers are Hyper-V containers Isolation plus performance Windows Server containers Maximum speed and density n addition to protecting your infrastructure, infrastructure, your protecting to n addition Windows Server developers 2016 also helps operating system to offer this security boundary containersbetween and hosts, enabling customers - devel application their of security the ensure to – especially infrastructure opment and production those in industries with strict regulatory and com- - news for devel great The pliance requirements. containers doesn’t opers is that using Hyper-V model at all. Hyper-V change the development in exactly the same way created containers are as Windows Server containers, using the same Hyper-V containers containers Hyper-V opment and increasing application not containers typical are however, VMs, Unlike efficiency.
fully isolated. Instead, container technology shares technology container Instead, fully isolated. containers. among all running This the host kernel another one container impacting in may result container or the host itself. Security for developers developers for Security
- devel their application security into incorporate not previously in ways that were opment process - devel that technologies many are There possible. that they can deliver ensure to opers today use I
Windows Server 2016 Security: Better protection begins at the OS 12 - - These identity, OS, and virtualizationand OS, - protec identity, These Server Windows With serverthe 2016, OS tions enable you to better protect your datacenter your protect better to tions enable you running Windows Serverany cloud, as a VM in compromise to attackers limit the ability of and unde- and remain malware, launch credentials, network. in your when deployedtected Likewise, as a Hyper-V host, Windows Server 2016 offers virtualizationsecurity assurance for your - environ Shielded Virtualments through Machines and capabilities. firewall distributed participant in its own defense. becomes an active Nano Server works great as a Hyper-V host, stor ServerNano Hyper-V a as great works age host for Scale-out file server,DNS server, or Server In addition, Nano functions server. IIS web forbeautifully as a platform modern distributed those that apps, including and cloud-based architec containers and microservices leverage that has very By using a platform tures.. few points attack, of intosecurity building developersare up. the ground their applications from
he server- a strate sits at system operating infrastructure, in an organization’s gic layer IT organizations and developers alike can can developers and alike organizations IT affording new opportunities create to layers of anddata steal could that attacks from protection help protect to business. Working your interrupt OS, and virtualization layers, Windows the identity, Server- attack vec 2016 helps block the common systems: your gain illicit access to to used tors and a compromised malware, credentials, stolen virtualization reducing addition to In fabric. business risk, the security components built into ServerWindows compliance 2016 help address industryand government for key requirements security regulations. © 2016 Microsoft Corporation. All rights reserved. This document is for informational purposes only. Microsoft makes no warranties express or makes no warranties express Microsoft Corporation. All rights reserved.© 2016 Microsoft purposes only. This document is for informational here. presented to the information implied, with respect Take the next step. Take at www.microsoft.com/windowsserver2016 more Learn Conclusion
Nano Server ServerNano benefitfrom Nano Server, a lightweightminimizes the attack surfacelation option that instal- used with physical be servers,can It virtualarea. containerslogin local has no but and machines, and supports andonly 64-bit applications, tools, agents. Since supported serveroptional and roles organizations Server, outside Nano live features install.don’t they what on resources expend don’t T