Windows Server 2019 New Security Features

Microsoft has released Windows 2019 Server and it is generally available  , this has been shared on my previous blog post Windows Server 2019 Released General Availability. Microsoft is always trying to improve or introduce new security features with new releases , and with server 2019  they have included great built-in security functionality to help organizations address an “expect breach” model of security management.  Windows  server 2019 is achieving functionalities to prevent security compromises inside core of datacenter .

Windows 2019 New Security Features

Already Microsoft introduced new security features with Windows Server 2016 and Windows 10 , credential guard that allows Windows to place these hashed credentials into a protected set of memory that is not exposed to the operating system.It does this by leveraging Hyper-V technology to run the operating system and then protect the cached credentials from residing in the guest OS by forming a virtual security bubble that allows protected and secure processes to reside outside of the context that would be accessible by an attacker .

Reference :-  virtualization-based security and Credential Guard 

With Windows Server 2019 Microsoft has extended and enhanced the security features , Let’s check what are new security features available  with  Server 2019  .

New Security Features in Windows Server 2019

Microsoft has elevated the security stance even further with new mechanisms found in Windows Server 2019. Windows Server 2019 contains the following new or enhanced features when compared to Windows Server 2016.

  • New Shielded VM Improvements
  • Device Guard Policy Updates without Reboot
  • Kernel Control Flow Guard (CFG)
  • System Guard Runtime Monitor
  • Virtual Network Encryption
  • Windows Defender ATP Agent Included OOB

New Shielded VM Improvements

There are new Shielded VM improvements in relation to simpler Host Key Attestation. Interestingly, Microsoft is deprecating Active Directory mode attestation in Windows Server 2019 in favor of the host key attestation process. The host key attestation mode provides basically the same functionality in regards to attestation with Active Directory but is even simpler to configure.

To use this  first create a security group and add your Hyper-V hosts that will run shielded VMs. Restart your hosts to allow the group membership to update. Get the SID for the security group by using PowerShell. Then, again using PowerShell, register the SID of the security group with HGS.

  • Create a security group
  • Get the SID using the Get-ADGroup cmdlet
  • Register the SID with HGS – Add-HgsAttestationHostGroup cmdlet


Device Guard Policy Updates without Reboot

Previously, device guard policy updates required a reboot to take effect. However, now with Windows Server 2019, these device guard policy updates are applied without a reboot and new default policies ship out of the box.

Kernel Control Flow Guard (CFG)

You may remember that Control Flow Guard or CFG provides built-in platform security designed to prevent intentional memory corruption vulnerabilities by placing restrictions on where an application can execute code. This makes it much more difficult for malicious software to simply execute arbitrary code trying to take advantage of vulnerabilities. With Windows Server 2019, this functionality has been extended to include support for kernel-mode CFG as well, which further strengthens the capabilities of CFG protecting Windows Server against malicious code.

System Guard Runtime Monitor

System Guard Runtime Monitor is a “watch the watchers” of sorts that provides a system-wide alert process to ensure that the other security mechanisms employed on the system are running as expected. A large part of security is gaining effective visibility when something is not right. The System Guard Runtime Monitor allows emitting health assertions that can also be consumed by third-parties to act on.

Virtual Network Encryption

Microsoft has been steadily improving their SDN offering and virtual network capabilities with the Hyper-V platform. With Shielded VMs, Microsoft introduced a mechanism that allowed data at rest to be secured. However, what about data that is in-flight? Network traffic egressing from a VM host can be snooped on and/or manipulated by anyone who has access to the physical network infrastructure servicing the VM host.

New with Windows Server 2019 is the ability to have encrypted subnets that allows for encrypting network traffic as it crosses over the wire. This helps to greatly bolster security with Microsoft’s network virtualization platform, allowing data to be encrypted in the full circle, both at-rest and in-flight.

Windows Defender ATP Agent Included OOB

Windows Defender Advanced Threat Protection or ATP is the latest and greatest deep platform sensors and response actions provided by Microsoft. It gives visibility to memory and kernel level attacker activities and abilities to take actions on compromised machines in response to incidents such as remote collection of additional forensic data, remediation of malicious files, terminating malicious processes etc.

Download Windows Server 2019 Now

In addition to downloading the Windows Server 2019 ISO, you can also try the new features through the following ways:

  • Try it in Azure: Azure provides a great way to test Windows Server 2019 with pre-built images.
  • Microsoft Hands-on Labs: Skip the setup work and log into our free Hands-on Labs for a real-world environment along with step-by-step guidance to help you try the new features.