Microsoft has released Windows Server 2019 and it is now generally available, as covered in my previous blog post Windows Server 2019 Released General Availability. Every release brings new or improved security features, and Server 2019 adds built-in functionality that supports an "assume breach" model of security management: the aim is to limit what an attacker can do once inside the core of the datacenter, not only to keep them out.
Microsoft already introduced new security features with Windows Server 2016 and Windows 10, notably Credential Guard. Credential Guard uses Virtualization-Based Security (VBS), built on Hyper-V, to keep NTLM password hashes and Kerberos tickets in an isolated LSA process that runs outside the normal operating system. Even code running with kernel privileges in the normal OS cannot read that memory, so the usual trick of dumping LSASS to harvest cached credentials no longer yields the secrets.
With Windows Server 2019 Microsoft has extended and enhanced these features. Let's look at the new security features available in Server 2019.
New Security Features in Windows Server 2019
Microsoft has elevated the security stance even further with new mechanisms found in Windows Server 2019. Windows Server 2019 contains the following new or enhanced features when compared to Windows Server 2016.
- New Shielded VM Improvements
- Device Guard Policy Updates without Reboot
- Kernel Control Flow Guard (CFG)
- System Guard Runtime Monitor
- Virtual Network Encryption
- Windows Defender ATP Agent Included OOB
New Shielded VM Improvements
The Shielded VM improvements center on a simpler attestation mode, host key attestation. Microsoft is deprecating Active Directory mode attestation in Windows Server 2019 in favor of host key attestation, which gives the same level of assurance as AD mode but is simpler to configure and does not require a trust relationship between the HGS forest and the fabric forest. Keep in mind that both of these modes only establish the identity of the host: neither measures boot integrity nor enforces a code integrity policy the way TPM-based attestation does, so TPM mode remains the choice when you need the strongest guarantees.
Host key attestation works per host rather than per group. On each Hyper-V host that will run shielded VMs you generate a host key pair, export the public key, and register it with HGS. There is no security group, no SID lookup and no host restart involved; those steps belong to the deprecated Active Directory mode. In outline:
- Enable host key mode on HGS with the Set-HgsServer -TrustHostKey cmdlet
- On each host, generate a key pair with Set-HgsClientHostKey and export the public key with Get-HgsClientHostKey
- Register the exported certificate with HGS using the Add-HgsAttestationHostKey cmdlet (the AD-mode equivalent was to get the group SID with Get-ADGroup and register it with Add-HgsAttestationHostGroup)
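The procedure above, end to end, as an added example that is not part of the original post. The HGS service name hgs.contoso.com, the host name HV01 and the C:\HostKeys path are placeholders; the cmdlets are the host key attestation cmdlets that ship with Windows Server 2019.

```powershell
# Added example (not from the original post): registering a Hyper-V host with HGS
# using host key attestation on Windows Server 2019. hgs.contoso.com, HV01 and
# C:\HostKeys are placeholders.

# --- On the HGS server: switch attestation to host key mode (done once) ---
Set-HgsServer -TrustHostKey

# --- On each Hyper-V host: generate a host key and export its public part ---
# Creates the host key pair in the host's local certificate store.
Set-HgsClientHostKey

# Export the public certificate so it can be copied to HGS for registration.
New-Item -ItemType Directory -Path 'C:\HostKeys' -Force | Out-Null
Get-HgsClientHostKey -Path "C:\HostKeys\$env:COMPUTERNAME.cer"

# Point the host at the HGS attestation and key protection endpoints.
Set-HgsClientConfiguration -AttestationServerUrl   'http://hgs.contoso.com/Attestation' `
                           -KeyProtectionServerUrl 'http://hgs.contoso.com/KeyProtection'

# --- Back on HGS: register the exported certificate, one entry per host ---
# -Name is only a label; the certificate itself is what HGS trusts.
Add-HgsAttestationHostKey -Name 'HV01' -Path 'C:\HostKeys\HV01.cer'

# Check on HGS: the host key should now be listed.
Get-HgsAttestationHostKey

# Check on the host: AttestationOperationMode should read HostKey and
# AttestationStatus should be Passed before any shielded VM will start here.
Get-HgsClientConfiguration
```

If AttestationStatus reports anything other than Passed, the AttestationSubstatus field in the same output says why (for example an unregistered key), which is quicker than waiting for a shielded VM to fail to start.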
Device Guard Policy Updates without Reboot
Previously, a Device Guard (now Windows Defender Application Control, WDAC) code integrity policy update required a reboot before it took effect, which made iterating on a policy slow and made audit-to-enforce rollouts disruptive. With Windows Server 2019, an updated policy can be applied live, provided the policy already in effect carries the "Update Policy No Reboot" rule option (the very first deployment still needs one reboot), and Microsoft now ships default example policies out of the box so you do not have to build one from scratch.
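The workflow described above, as an added example that is not part of the original post: start from one of the example policies Windows ships, enable audit mode and the no-reboot option, compile it, and push it through the Code Integrity WMI provider. The C:\CIPolicy staging path is a placeholder, and the example-policy location under %windir%\schemas\CodeIntegrity\ExamplePolicies is the one I expect on Server 2019; verify it on your build.

```powershell
# Added example (not from the original post): build a WDAC code integrity policy
# from the shipped example policy, deploy it in audit mode, and apply it without
# a reboot. C:\CIPolicy is a placeholder; check the ExamplePolicies path on your build.

$ExamplePolicy = "$env:windir\schemas\CodeIntegrity\ExamplePolicies\DefaultWindows_Audit.xml"
$PolicyXml     = 'C:\CIPolicy\MyPolicy.xml'
$PolicyBin     = 'C:\CIPolicy\SiPolicy.p7b'
$Deployed      = "$env:windir\System32\CodeIntegrity\SiPolicy.p7b"

New-Item -ItemType Directory -Path (Split-Path $PolicyXml) -Force | Out-Null
Copy-Item -Path $ExamplePolicy -Destination $PolicyXml -Force

# Rule option 3  = Enabled:Audit Mode, so violations are logged, not blocked.
# Rule option 16 = Enabled:Update Policy No Reboot, so later versions of this
#                  policy can be swapped in live once this one is running.
Set-RuleOption -FilePath $PolicyXml -Option 3
Set-RuleOption -FilePath $PolicyXml -Option 16

# Compile the XML policy into the binary format the kernel consumes.
ConvertFrom-CIPolicy -XmlFilePath $PolicyXml -BinaryFilePath $PolicyBin

# Stage the binary where the Code Integrity subsystem looks for it.
Copy-Item -Path $PolicyBin -Destination $Deployed -Force

# Ask Code Integrity to load the staged policy now. This takes effect without a
# reboot only if the policy currently in force already has option 16; the first
# policy you ever deploy on a machine still needs one reboot.
Invoke-CimMethod -Namespace 'root/Microsoft/Windows/CI' `
                 -ClassName 'PS_UpdateAndCompareCIPolicy' `
                 -MethodName 'Update' `
                 -Arguments @{ FilePath = $Deployed }

# Check: in audit mode, code that the policy would have blocked shows up as
# event ID 3076 in the CodeIntegrity operational log instead of failing to run.
Get-WinEvent -LogName 'Microsoft-Windows-CodeIntegrity/Operational' -MaxEvents 50 |
    Where-Object Id -eq 3076 |
    Select-Object TimeCreated, Message
```

Run the policy in audit mode long enough to collect the 3076 events from real workloads, fold the missing publishers or paths into the XML, and only then remove option 3 and redeploy; with option 16 already in force, that switch to enforcement is itself rebootless.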
Kernel Control Flow Guard (CFG)
You may remember that Control Flow Guard (CFG) is a compiler and platform mitigation that restricts where an indirect call can land: the system keeps a bitmap of valid call targets, and an indirect call through a function pointer that has been overwritten to point somewhere else is stopped before it executes. CFG does not prevent memory corruption itself; it makes a corrupted function pointer much harder to turn into arbitrary code execution. With Windows Server 2019 this protection is extended to kernel-mode code (Kernel CFG), which takes the same technique away from kernel exploits. Kernel CFG is most effective with Hypervisor-protected Code Integrity (HVCI) enabled, since VBS then protects the CFG bitmap and kernel code pages from being tampered with by a compromised kernel.
System Guard Runtime Monitor
System Guard Runtime Monitor is a "watch the watchers" component: it checks at runtime that the security mechanisms the platform relies on (Virtualization-Based Security, HVCI and kernel integrity) are running in the expected state, and raises a system-wide alert when they are not. A large part of security is having visibility when something is not right. The runtime monitor emits health assertions about the device that third-party services, such as a management or conditional-access system, can consume and act on.
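The practical question behind both the Kernel CFG and System Guard sections is whether the VBS-backed protections are actually running on a given server. The following check script is an added example, not code from the original post; it reads the Win32_DeviceGuard WMI class, the system-wide CFG setting from the ProcessMitigations module, and the state of the SgrmBroker service that hosts the System Guard Runtime Monitor. The numeric meanings in the comments are Windows' own; nothing here changes configuration.

```powershell
# Added example (not from the original post): report the VBS-dependent
# protections on this host. Read-only; the value meanings are from the
# Win32_DeviceGuard documentation.

$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName 'Win32_DeviceGuard'

# VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but not running, 2 = running
$vbsRunning = ($dg.VirtualizationBasedSecurityStatus -eq 2)

# SecurityServicesRunning is an array of service IDs:
# 1 = Credential Guard, 2 = HVCI, 3 = System Guard Secure Launch
$serviceIds = @{ CredentialGuard = 1; HVCI = 2; SystemGuardSecureLaunch = 3 }
$running = @{}
foreach ($name in $serviceIds.Keys) {
    $running[$name] = [bool]($dg.SecurityServicesRunning -contains $serviceIds[$name])
}

# System-wide CFG default (ON / OFF / NOTSET) from the ProcessMitigations module.
$cfgDefault = (Get-ProcessMitigation -System).CFG.Enable

# System Guard Runtime Monitor runs inside the SgrmBroker service.
$sgrm = Get-Service -Name 'SgrmBroker' -ErrorAction SilentlyContinue

[PSCustomObject]@{
    VbsRunning              = $vbsRunning
    CredentialGuard         = $running.CredentialGuard
    HVCI                    = $running.HVCI
    SystemGuardSecureLaunch = $running.SystemGuardSecureLaunch
    CfgSystemDefault        = $cfgDefault
    SgrmBroker              = if ($sgrm) { $sgrm.Status } else { 'NotInstalled' }
}

# Kernel CFG is not exposed as a separate toggle here; what matters operationally
# is HVCI, because without it the kernel CFG bitmap is not hypervisor-protected.
if (-not $running.HVCI) {
    Write-Warning 'HVCI is not running: kernel code and the Kernel CFG bitmap are not hypervisor-protected.'
}
if (-not $sgrm -or $sgrm.Status -ne 'Running') {
    Write-Warning 'SgrmBroker is not running: System Guard Runtime Monitor health assertions will not be produced.'
}
```

Run it across a fleet with Invoke-Command and treat any host that reports HVCI as False or SgrmBroker as anything other than Running as a configuration finding; a server that silently lost VBS after a firmware or driver change is exactly the case the runtime monitor exists to surface.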
Virtual Network Encryption
Microsoft has been steadily improving its software-defined networking (SDN) stack and the virtual network capabilities of the Hyper-V platform. Shielded VMs protect data at rest: the VM's disks and saved state are encrypted and only an attested host can run them. But what about data in flight? Traffic leaving a VM host can be captured or manipulated by anyone with access to the physical network infrastructure between the hosts.
New in Windows Server 2019 is virtual network encryption: a virtual subnet can be marked as encrypted in the Network Controller, and traffic between VMs on that subnet is then encrypted by the hosts (using DTLS) before it crosses the physical wire, so a tap on the fabric network sees only ciphertext. Together with Shielded VMs this closes the circle, with data protected both at rest and in flight. Note that it covers VM-to-VM traffic inside subnets marked as Encryption Enabled; it is not a substitute for TLS at the application layer once traffic leaves the virtual network.
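The configuration side of this, as an added example that is not part of the original post. It uses the Network Controller REST cmdlets; the Network Controller URI, the resource IDs Tenant1-VNet and Tenant1-Subnet1, and the certificate thumbprint are placeholders, and the EncryptionEnabled and EncryptionCredential subnet properties are my reading of the Server 2019 SDN REST schema, so confirm them against the Network Controller documentation for your build before relying on this.

```powershell
# Added example (not from the original post): enable encryption on an SDN virtual
# subnet through the Network Controller. URI, resource IDs and thumbprint are
# placeholders; the subnet property names should be checked against your NC version.

$ncUri      = 'https://nc.contoso.com'
$thumbprint = '<thumbprint of the encryption certificate>'

# 1. Register the encryption certificate with the Network Controller as a credential.
#    The certificate (with private key) must already be installed in the
#    LocalMachine\My store of every SDN host that can run VMs on this subnet.
$credProps       = New-Object Microsoft.Windows.NetworkController.CredentialProperties
$credProps.Type  = 'X509Certificate'
$credProps.Value = $thumbprint
$encCred = New-NetworkControllerCredential -ConnectionUri $ncUri `
                                           -ResourceId 'EncryptionCredential' `
                                           -Properties $credProps -Force

# 2. Mark the subnet as encrypted and attach the credential.
$vnet   = Get-NetworkControllerVirtualNetwork -ConnectionUri $ncUri -ResourceId 'Tenant1-VNet'
$subnet = $vnet.Properties.Subnets | Where-Object ResourceId -eq 'Tenant1-Subnet1'
if (-not $subnet) { throw 'Subnet Tenant1-Subnet1 not found in Tenant1-VNet' }
$subnet.Properties.EncryptionEnabled    = $true
$subnet.Properties.EncryptionCredential = $encCred

# 3. Write the updated virtual network back (PUT semantics; -Force skips the prompt).
New-NetworkControllerVirtualNetwork -ConnectionUri $ncUri -ResourceId $vnet.ResourceId `
                                    -Properties $vnet.Properties -Force

# 4. Check: list every subnet in the VNet with its encryption state.
(Get-NetworkControllerVirtualNetwork -ConnectionUri $ncUri -ResourceId 'Tenant1-VNet').Properties.Subnets |
    Select-Object ResourceId, @{ n = 'Encrypted'; e = { $_.Properties.EncryptionEnabled } }
```

Because the credential is attached per subnet, a tenant's sensitive tier can be encrypted while a throughput-sensitive subnet on the same virtual network is left in the clear; the check in step 4 is what you audit to make sure the sensitive one did not silently fall back.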
Windows Defender ATP Agent Included OOB
Windows Defender Advanced Threat Protection (ATP) provides Microsoft's deep platform sensors and response actions. It gives visibility into memory- and kernel-level attacker activity and lets responders act on compromised machines: collect an investigation package of additional forensic data, quarantine malicious files, terminate malicious processes, isolate the machine from the network, and so on. With Windows Server 2019 the sensor is included in the operating system out of the box, so a server is onboarded with an onboarding package from the ATP portal rather than by installing a separate agent.
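Onboarding and verifying that built-in sensor, as an added example that is not part of the original post. The onboarding package path is a placeholder for the script downloaded from the ATP portal; the Sense service, the OnboardingState registry value and the detection test are the ones Microsoft documents for confirming a sensor is reporting.

```powershell
# Added example (not from the original post): onboard a Windows Server 2019 host to
# Windows Defender ATP with the portal's onboarding package, verify the built-in
# sensor, and trigger Microsoft's documented detection test. Path is a placeholder.

$OnboardingScript = 'C:\Onboarding\WindowsDefenderATPOnboardingScript.cmd'

# The sensor (the 'Sense' service) already ships with Server 2019; the onboarding
# script only supplies the tenant configuration and starts it.
if (-not (Test-Path $OnboardingScript)) { throw "Onboarding package not found: $OnboardingScript" }
Start-Process -FilePath 'cmd.exe' -ArgumentList "/c `"$OnboardingScript`"" -Wait -NoNewWindow

# Verify: service running and OnboardingState = 1 under the ATP status key.
$sense  = Get-Service -Name 'Sense'
$status = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
$result = [PSCustomObject]@{
    SenseService    = $sense.Status
    OnboardingState = $status.OnboardingState   # 1 = onboarded
    OrgId           = $status.OrgId             # tenant the sensor reports to
}
$result

if ($result.SenseService -ne 'Running' -or $result.OnboardingState -ne 1) {
    throw 'Sensor is not onboarded; check the onboarding script output and outbound connectivity to the ATP service.'
}

# Detection test: a harmless download-and-run from localhost that the sensor is
# built to flag. Within a few minutes an alert for this machine appears in the portal.
$TestDir = 'C:\test-WDATP-test'
New-Item -ItemType Directory -Path $TestDir -Force | Out-Null
$detectionTest = "`$ErrorActionPreference='SilentlyContinue';" +
                 "(New-Object System.Net.WebClient).DownloadFile('http://127.0.0.1/1.exe','$TestDir\invoice.exe');" +
                 "Start-Process '$TestDir\invoice.exe'"
Start-Process -FilePath 'powershell.exe' `
              -ArgumentList "-NoProfile -ExecutionPolicy Bypass -Command `"$detectionTest`"" -Wait
```

The detection test is the useful part: a green OnboardingState only proves the configuration landed, whereas an alert in the portal proves telemetry is actually flowing from this server.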
In addition to downloading the Windows Server 2019 ISO, you can also try the new features in the following ways: