It looks like the latest version of Microsoft’s venerable Windows Server operating system has upped its game in the security department.
There’s no question that when it comes to security, Microsoft Windows Server 2019 has come a long way since the first days of this venerable platform, when my then-10-year-old daughter was able to hack the server password file. As far as I’m concerned, the most important thing that Microsoft has learned since then is that security has to be there from the very beginning; it can’t be an add-on or afterthought.
What’s equally important is that Microsoft has changed its thinking about security, realizing that there are some things you simply can’t prevent, which means you need to find other ways to stop them from becoming security holes. A good example is the company’s thinking about security perimeter and access.
Now, in a series of company publications, Microsoft’s server team admits that you can no longer think of the network as the local security perimeter. Modern networks span traditional network boundaries because they increasingly rely on hybrid technologies, like Infrastructure-as-a-Service (IaaS) and cloud application services. By realizing this, the company acknowledges that, if bad guys want to get inside your network, then they’re probably going to get in. This means you need to find new ways, such as identity, to stop them from gaining advantage with that entry.
Likewise, the company acknowledges that phishing and social engineering have become good enough that there will always be some risk of a breach from those attacks. That people will likely be fooled or otherwise compelled to give up their log-in credentials at some point means you need to design in a way to minimize damage from that vector and prevent credential reuse. That means re-thinking the concept of access and realizing that you’ll probably need to step beyond using tried-and-true methods that involve easy-to-steal credentials like usernames and passwords.
Using a Multi-Layered Security Approach
But there’s a lot more to security than credentials, which is why Microsoft designed in a multi-layered approach to security. Some of the security features that are part of Microsoft Windows Server 2019 are laid out in a “What’s New in Windows Server 2019” document. Some of the high points include Windows Defender Advanced Threat Protection (ATP), which is much more than just an anti-malware package.
While Windows Defender ATP will guard against malware, it’s also a multi-layer protection system that can stop malware in its tracks by watching for changes throughout Windows Server. This includes exploit protection, attack surface reduction, real-time monitoring, and automated responses to attacks. The server’s ATP is also capable of integrating with Azure ATP and Office 365 ATP. The result is that Windows Defender ATP provides intrusion detection and prevention capabilities in addition to basic endpoint protection and anti-malware services.
Meanwhile, knowing that you can’t always keep intruders out of your network, Windows Server 2019 also protects the data and the communications contained in the server and in the links between machines, whether they’re real or virtual. For example, Windows Server 2019 supports containers for Windows and Linux as well as shielded VMs for both OSes. There’s also a secure console connection for both.
Windows Server 2019’s support for software defined networking also brings a new security feature to the OS, encrypted subnets. Encryption can be enabled when subnets are used for communications between VMs, which prevents an intruder with access to the physical network from gaining access to the information carried on the network. This capability is built into the OS, and only needs to be enabled with a checkbox.
The software-defined networking (SDN) firewall in Windows Server 2019 now supports firewall auditing, so when you enable an SDN firewall, any flow processed by the firewall rules can have logging enabled and subsequently recorded.
Introducing Real-Time Protections
Some real-time protections include Kernel Control Flow Guard, System Guard Runtime Monitor and improved Device Guard policy updates. The Kernel Control Flow Guard helps prevent malware from executing malicious code where it can take advantage of vulnerabilities. This extends the capabilities of the previous Control Flow Guard.
The System Guard Runtime Monitor is a capability that checks the operations of other security capabilities and, among other things, can confirm that reports claiming security software is running properly are true. This helps protect against the efforts of some attackers and malware writers to subvert security software by generating health messages that aren’t actually true.
Device Guard policy updates can now take place without rebooting the server, eliminating a significant reason for postponing such updates.
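As an added example (not from the article or from Microsoft), here is how an administrator would check the state of the runtime protections just described on a Windows Server 2019 host and then apply a Device Guard (Windows Defender Application Control) policy update without a reboot. It assumes an elevated PowerShell session and that the compiled policy binary lives at the assumed path in $PolicyBinary.

```powershell
# Added example (not the article's or Microsoft's code): inspect runtime protections
# and apply a Device Guard / WDAC policy update without rebooting.
# Assumption: $PolicyBinary points at a policy you compiled with ConvertFrom-CIPolicy.
$PolicyBinary = 'C:\Policies\SiPolicy.p7b'

# 1. Virtualization-based security and code-integrity enforcement state.
#    VirtualizationBasedSecurityStatus: 0 = off, 1 = configured, 2 = running
#    SecurityServicesRunning contains 1 for Credential Guard and 2 for HVCI
#    *CodeIntegrityPolicyEnforcementStatus: 0 = off, 1 = audit mode, 2 = enforced
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
[pscustomobject]@{
    VbsRunning       = ($dg.VirtualizationBasedSecurityStatus -eq 2)
    HvciRunning      = ($dg.SecurityServicesRunning -contains 2)
    KernelCiPolicy   = $dg.CodeIntegrityPolicyEnforcementStatus
    UserModeCiPolicy = $dg.UsermodeCodeIntegrityPolicyEnforcementStatus
} | Format-List

# 2. System-wide Control Flow Guard setting (the kernel variant builds on this).
(Get-ProcessMitigation -System).CFG

# 3. Push the updated policy into the running system; no reboot is required.
if (-not (Test-Path $PolicyBinary)) { throw "Policy binary not found: $PolicyBinary" }
Invoke-CimMethod -Namespace 'root/Microsoft/Windows/CI' `
                 -ClassName PS_UpdateAndCompareCIPolicy `
                 -MethodName Update `
                 -Arguments @{ FilePath = $PolicyBinary }
```

Step 1 is the check to run first: if HVCI is not running or the policy is still in audit mode (status 1), a kernel-mode policy update changes nothing that an attacker would notice, so confirm enforcement before relying on the rebootless update path in step 3.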
An important update for using VMs is the ability to run the Host Guardian Service (HGS) on machines that are only connected to the HGS intermittently.
Managing Privileged Identities
According to Dean Wells, Principal Program Manager for Windows Server, managing privileged identities is critical to the security of Windows Server 2019. As he explains in a Windows Server Blog post, Microsoft is aiming to manage privileged identities, secure the OS, and secure fabric virtualization using virtualization-based security.
“These guiding principles and areas of focus help us ensure that we not only provide reactive mitigation to what are sadly becoming commonplace threats, but that we also build in proactive measures that prevent attacks from ever starting in the first place. Stated succinctly, security isn’t a bolt-on, it’s an architectural principle,” Wells wrote.
What’s important is that Windows Server 2019 is designed to be highly secure. This doesn’t mean that the OS won’t be attacked nor does it mean that some attacks won’t succeed. But what it does mean is that successful attacks may be limited in how successful they actually are, and that the OS provides a way to discover and stop those attacks. These are critically important capabilities in today’s security environment.