There is arguably no hotter topic in information technology today than security. Security is discussed at basically all levels of infrastructure and network topologies up the entire OSI layer stack. Vendors today are struggling to keep up with the security demands needed by customers in their environments. There is nothing more central to most infrastructure today than the operating system.
Microsoft Windows Server is a staple in the enterprise datacenter, and with the Hyper-V hypervisor gaining traction in many environments, it is becoming a major player in virtualization as well. Windows Server 2019 is set to be released later this year and contains some really great new security features that build on newer technologies Microsoft introduced in Windows Server 2016 and Windows 10.
Table of Contents
- Methods of Compromise and Attack
- New Security Features in Windows Server 2019
- New Shielded VM Improvements
- Device Guard Policy Updates without Reboot
- Kernel Control Flow Guard (CFG)
- System Guard Runtime Monitor
- Virtual Network Encryption
- Windows Defender ATP Agent Included OOB
- Concluding Thoughts
In this post, we will take a look at New Security Features found in Windows Server 2019 and how these build on top of current capabilities and take those a step further.
Methods of Compromise and Attack
There is perhaps not a more damaging event that can happen for a business today than to make headlines with having sensitive data breached. Attackers are getting more and more sophisticated in how they breach environments. However, the same old tried and true mechanisms still work too well unfortunately. These include browser scripts that can target vulnerabilities as well as the very archaic but still effective phishing emails.
While phishing is truly a traditional means of attack, it is frustratingly effective. Attackers are getting better at making phishing emails appear legitimate and from legitimate sources. All it takes is an unsuspecting user and a vulnerability to be exploited to place an organization in a severely compromised position.
One of the most common ways attackers move laterally, and even vertically, through a network is by capturing cached credentials. This is often known as the “pass-the-hash” attack, because the captured password hash itself is enough to authenticate. In legacy versions of Windows, cached credentials are stored on the system without a great deal of protection.
Using tools that are readily available on the Internet, an attacker can fairly easily dump the cached credentials from a workstation and use them to gain access to sensitive infrastructure. If an attacker happens upon a workstation that holds the cached credentials of a domain administrator or a SQL DBA, that is the “Holy Grail” of credentials: it allows unlimited access to the entire backend system, whether that is Active Directory or SQL Server.
Microsoft has increasingly recognized with each version of Windows Server that administrative privileges are the last thing an attacker should be able to take possession of, for obvious reasons. With Windows Server 2016 and Windows 10, Microsoft introduced a mechanism called Credential Guard that places these hashed credentials in a protected region of memory that is not exposed to the operating system.
It does this by leveraging Hyper-V technology: the operating system runs as a guest, and the cached credentials are kept out of that guest inside an isolated virtual security boundary, so the protected and secure processes run outside the context an attacker could reach. Microsoft also refers to this functionality as virtualization-based security. For a better understanding of this functionality, take a look at this official blog post from Microsoft.
With Windows Server 2019, Microsoft has extended the security features contained in the Windows Server operating system and the mechanisms introduced in Windows Server 2016. Let’s look specifically at these new capabilities.
New Security Features in Windows Server 2019
Microsoft has elevated the security stance even further with new mechanisms found in Windows Server 2019. Windows Server 2019 contains the following new or enhanced features when compared to Windows Server 2016.
- New Shielded VM Improvements
- Device Guard Policy Updates without Reboot
- Kernel Control Flow Guard (CFG)
- System Guard Runtime Monitor
- Virtual Network Encryption
- Windows Defender ATP Agent Included OOB
New Shielded VM Improvements
With Windows Server 2019, Shielded VMs gain a simpler host key attestation mode. Interestingly, Microsoft is deprecating Active Directory mode attestation in Windows Server 2019 in favor of the host key attestation process. The host key attestation mode provides essentially the same attestation functionality as Active Directory mode but is even simpler to configure.
Let’s outline the process to use this new method. First, create a security group and add the Hyper-V hosts that will run shielded VMs. Restart the hosts so their group membership is updated. Get the SID of the security group using PowerShell. Then, again using PowerShell, register that SID with the Host Guardian Service (HGS).
- Create a security group
- Get the SID using the Get-ADGroup cmdlet
- Register the SID with HGS using the Add-HgsAttestationHostGroup cmdlet
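The three steps above, carried out end to end in PowerShell. This is an added example and not code from the original post; it assumes the ActiveDirectory module is available on a machine joined to the fabric domain, the HgsServer module is present on the HGS server, and remoting to that server is allowed. The group name, host names and HGS server name are constructed for illustration.

```powershell
# Added example (not from the original post): registering a Hyper-V host group with HGS.
# Assumes: ActiveDirectory module on a fabric-domain admin machine, HgsServer module on
# the HGS server, and PowerShell remoting to it. Names below are constructed placeholders.

$GroupName   = 'ShieldedVMHosts'                 # constructed group name
$HyperVHosts = @('HV-HOST01', 'HV-HOST02')       # constructed Hyper-V host names
$HgsServer   = 'HGS01'                           # constructed HGS server name

Import-Module ActiveDirectory

# Step 1: create the security group if it does not already exist
$group = Get-ADGroup -Filter "Name -eq '$GroupName'"
if (-not $group) {
    $group = New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security -PassThru
}

# Add each Hyper-V host's computer account to the group
foreach ($hostName in $HyperVHosts) {
    Add-ADGroupMember -Identity $group -Members (Get-ADComputer -Identity $hostName)
}

# Restart the hosts so the new group membership is picked up
Restart-Computer -ComputerName $HyperVHosts -Force

# Step 2: get the SID of the security group
$sid = (Get-ADGroup -Identity $GroupName).SID.Value
Write-Host "Group SID: $sid"

# Step 3: register the SID with HGS (runs on the HGS server), then confirm it
Invoke-Command -ComputerName $HgsServer -ScriptBlock {
    param($Name, $Sid)
    Add-HgsAttestationHostGroup -Name $Name -Identifier $Sid
    Get-HgsAttestationHostGroup -Name $Name
} -ArgumentList $GroupName, $sid
```

Run the script from a fabric-domain admin session; the final `Get-HgsAttestationHostGroup` call echoes the registered entry so the registration can be confirmed before any shielded VM is placed on the hosts.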
Device Guard Policy Updates without Reboot
Previously, Device Guard policy updates required a reboot to take effect. With Windows Server 2019, these Device Guard policy updates are applied without a reboot, and new default policies ship out of the box.
Kernel Control Flow Guard (CFG)
You may remember that Control Flow Guard (CFG) provides built-in platform security designed to prevent the exploitation of memory corruption vulnerabilities by placing restrictions on where an application can transfer execution. This makes it much more difficult for malicious software to simply execute arbitrary code when taking advantage of a vulnerability. With Windows Server 2019, this functionality has been extended to include kernel-mode CFG as well, which further strengthens the protection CFG provides Windows Server against malicious code.
System Guard Runtime Monitor
System Guard Runtime Monitor is a “watch the watchers” mechanism of sorts: it provides a system-wide alerting process to ensure that the other security mechanisms employed on the system are running as expected. A large part of security is gaining effective visibility when something is not right. System Guard Runtime Monitor emits health assertions that third parties can also consume and act on.
Virtual Network Encryption
Microsoft has been steadily improving its SDN offering and virtual network capabilities in the Hyper-V platform. With Shielded VMs, Microsoft introduced a mechanism that allows data at rest to be secured. However, what about data in flight? Network traffic egressing from a VM host can be snooped on and/or manipulated by anyone who has access to the physical network infrastructure serving that host.
New with Windows Server 2019 is the ability to create encrypted subnets, which encrypt network traffic as it crosses the wire. This greatly bolsters the security of Microsoft’s network virtualization platform, allowing data to be encrypted across the full circle, both at rest and in flight.
Windows Defender ATP Agent Included OOB
Windows Defender Advanced Threat Protection (ATP) is Microsoft’s latest set of deep platform sensors and response actions. It gives visibility into memory- and kernel-level attacker activity and the ability to take action on compromised machines in response to incidents, such as remotely collecting additional forensic data, remediating malicious files, terminating malicious processes, and so on. With Windows Server 2019, all of this functionality is now included in the box by default.
Concluding Thoughts
Security is no longer an afterthought for organizations that want to succeed in protecting business-critical systems and data. Security has to be something organizations think about as part of the design of any system moving forward. Every aspect of infrastructure needs to be part of the overall security ecosystem, and that includes the operating system. Microsoft’s Windows Server operating system today powers the majority of enterprise datacenters. With each new Windows Server release, Microsoft has shown strong commitment to providing the capabilities and tools businesses need to bolster their overall security posture, and Windows Server 2019 is no exception.
Microsoft’s newest operating system builds on the features and functionality introduced in Windows Server 2016 and takes them several steps further. What is really great about Windows Server 2019 is that Microsoft has taken strides to make security easier, with many of the features included in the box and easily taken advantage of through simple cmdlets and more intuitive processes.