Security: The Problem

Posted April 25th, 2017 in Security

Cyber attacks are commonplace in today's business world. Learn how to improve your business' network security.

Attackers are no longer rogue individuals but include organized crime, nation states, and terror groups. These groups attack companies for profit, holding data for ransom.

Employees may unwittingly allow a breach of their company's network by opening URLs in unfamiliar emails. When an employee clicks such a URL, malware is downloaded that quickly spreads through the company's network and encrypts the organization's file servers or locks an employee out of their computer. Once the hackers are inside the network, "they immediately attempt to compromise administrator credentials, which typically takes them 24 to 48 hours." (Microsoft, 3) With those credentials the hackers can roam free for months on a company's network without being detected.

The Enhancements

New Layers of Protection Protect from Security Breaches

Adopting an "assume breach" strategy is the most effective defence. This strategy lets IT departments spend more time and effort on detecting malicious behaviour and on preventing attackers from making any progress once inside the network. The Windows Server 2016 operating system includes the following five enhancements to increase security and prevent breaches.

  • Credential Guard
  • Device Guard
  • Windows Defender
  • Shielded Virtual Machines
  • Identity Management

What is Credential Guard?

Credential Guard prevents a hacker from reading a hashed password or Kerberos session ticket from the server. When a user logs in to a Windows Server, the operating system issues a session ticket and stores a hashed value of the password in memory. Without Credential Guard, it would be possible for a hacker to present that hashed password and log in. The good news is that Credential Guard takes that session ticket and runs it in a mini-virtual machine that only certain processes can access. Therefore, any request for the hashed password or session ticket has to pass through that protected process.

What is Device Guard?

Device Guard is analogous to "whitelisting email." Whitelisting an email address means listing it in anti-spam software so that the address is marked as safe and mail from it is delivered. The opposite of this is "blacklisting": if an email address or program is blacklisted, it is blocked from sending email to an inbox or from executing. Device Guard turns that model around by allowing only software that has been specifically signed by Microsoft with a digital certificate to run, effectively whitelisting the software.
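The two sections above describe Credential Guard and Device Guard in terms of what they prevent; an administrator's first question is whether they are actually running. The script below is an added example, not code from the original post or from Microsoft, that reads the Win32_DeviceGuard CIM class and the LsaCfgFlags registry value to report that state. It assumes an elevated PowerShell session on Windows Server 2016 or later.

```powershell
# Added example, not code from the original post: report whether virtualization-
# based security (VBS), Credential Guard and Device Guard code-integrity
# enforcement are configured and actually running on this server.
# Assumes an elevated PowerShell session on Windows Server 2016 or later.
function Get-VbsPosture {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName 'Win32_DeviceGuard'

    # Service IDs in SecurityServicesConfigured / SecurityServicesRunning:
    # 1 = Credential Guard, 2 = hypervisor-enforced code integrity (HVCI)
    $cgConfigured = $dg.SecurityServicesConfigured -contains 1
    $cgRunning    = $dg.SecurityServicesRunning    -contains 1
    $hvciRunning  = $dg.SecurityServicesRunning    -contains 2

    # VirtualizationBasedSecurityStatus: 0 = off, 1 = configured but not running, 2 = running
    $vbsState = @{ 0 = 'Off'; 1 = 'ConfiguredNotRunning'; 2 = 'Running' }[[int]$dg.VirtualizationBasedSecurityStatus]

    # CodeIntegrityPolicyEnforcementStatus: 0 = off, 1 = audit mode, 2 = enforced
    $ciState = @{ 0 = 'Off'; 1 = 'Audit'; 2 = 'Enforced' }[[int]$dg.CodeIntegrityPolicyEnforcementStatus]

    # LsaCfgFlags is the switch for Credential Guard:
    # 1 = enabled with UEFI lock, 2 = enabled without lock, 0 or absent = disabled
    $lsaFlags = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                                  -Name 'LsaCfgFlags' -ErrorAction SilentlyContinue).LsaCfgFlags

    # LsaIso.exe is the isolated LSA process that holds the secrets when Credential Guard is active
    $lsaIso = [bool](Get-Process -Name 'LsaIso' -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        VbsStatus                 = $vbsState
        CredentialGuardConfigured = $cgConfigured
        CredentialGuardRunning    = ($cgRunning -and $lsaIso)
        LsaCfgFlags               = $lsaFlags
        HvciRunning               = $hvciRunning
        CodeIntegrityPolicy       = $ciState
    }
}

$posture = Get-VbsPosture
$posture | Format-List

# Flag the gap the post describes: credentials still held only by the normal LSA process
if (-not $posture.CredentialGuardRunning) {
    Write-Warning 'Credential Guard is not running; cached hashes and tickets are not isolated.'
}
if ($posture.CodeIntegrityPolicy -ne 'Enforced') {
    Write-Warning 'No enforced code-integrity policy; unsigned code is not blocked by Device Guard.'
}
```

A machine where CredentialGuardConfigured is true but CredentialGuardRunning is false has usually not been rebooted since the policy was applied, or lacks the UEFI and virtualization prerequisites.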

What is Windows Defender?

Windows Defender is Microsoft's anti-virus software. The only change here is that Microsoft has removed the graphical interface. Now users can only update policies using Windows PowerShell, a command line tool in Windows designed for advanced users. The idea is that only advanced users can change the settings of the anti-virus software.
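Since the post says PowerShell is the only way to manage Defender policy on Windows Server 2016, here is what that looks like in practice. The script is an added example, not code from the original post or from Microsoft; it assumes an elevated session with the Defender module available, and the thresholds (signature age, risky exclusion patterns) are assumptions chosen for illustration.

```powershell
# Added example, not code from the original post: audit Windows Defender from
# PowerShell and correct the settings that leave a server exposed.
# Assumes an elevated session with the Defender module available.
Import-Module Defender -ErrorAction Stop

function Get-DefenderFindings {
    $status   = Get-MpComputerStatus
    $pref     = Get-MpPreference
    $findings = @()

    if (-not $status.AntivirusEnabled)          { $findings += 'Antivirus engine is disabled' }
    if (-not $status.RealTimeProtectionEnabled) { $findings += 'Real-time protection is off' }
    if (-not $status.BehaviorMonitorEnabled)    { $findings += 'Behaviour monitoring is off' }
    # Assumed threshold: signatures older than 3 days are treated as stale
    if ($status.AntivirusSignatureAge -gt 3)    { $findings += "Signatures are $($status.AntivirusSignatureAge) days old" }
    # MAPSReporting: 0 = Disabled, 1 = Basic, 2 = Advanced
    if ($pref.MAPSReporting -eq 0)              { $findings += 'Cloud (MAPS) reporting is disabled' }

    # Overly broad exclusions are a common way real-time scanning gets silently defeated
    foreach ($path in @($pref.ExclusionPath | Where-Object { $_ })) {
        if ($path -match '^[A-Za-z]:\\?$' -or $path -match '\\Users\\|\\Temp\\') {
            $findings += "Risky exclusion: $path"
        }
    }
    return $findings
}

function Set-DefenderBaseline {
    # Re-enable the core protections and keep signatures current
    Set-MpPreference -DisableRealtimeMonitoring $false `
                     -DisableBehaviorMonitoring $false `
                     -DisableIOAVProtection     $false `
                     -MAPSReporting Advanced `
                     -SubmitSamplesConsent SendSafeSamples
    Update-MpSignature
}

$before = Get-DefenderFindings
if ($before.Count -eq 0) {
    Write-Output 'Defender baseline already in place.'
} else {
    $before | ForEach-Object { Write-Warning $_ }
    Set-DefenderBaseline
    Write-Output "Remaining findings after remediation: $((Get-DefenderFindings) -join '; ')"
}
```

Exclusions are reported rather than removed, since a legitimate application may depend on them; review each one before deleting it with Remove-MpPreference.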

What are Shielded Virtual Machines?

Microsoft has taken steps to allow only certain server administrators to take actions on virtual machines. This added security policy removes the long-standing practice of giving anyone with the Administrator password free rein to do what they want on the server. This enhancement also removes the ability to copy virtual machines and run them on another host. This is a terrific enhancement because a virtual machine is simply a file. If a hacker can copy that file, they in effect have the company's entire system. By disallowing this copy, the file becomes useless.

What is Identity Management?

Users usually log in to Windows using Active Directory (AD). AD is the system that stores user IDs and passwords. This enhancement relates both to AD and to TPM key attestation. TPM key attestation forces a user who wishes to log in to a server to prove their identity using a security certificate. This feature is useful for storing the private key for a user account on a physical smart card. If a smart card is used for login, TPM will disable the keyboard login feature. Therefore, a hacker cannot use a user's login account, since the hacker is not in possession of the physical smart card. This feature is not completely new, but the difference is the added protection for the private key. Secondly, additional support for the Lightweight Directory Access Protocol (LDAP) has been added. LDAP is an Internet protocol that email and other programs use to look up information from a server, and it is what many businesses use to store user IDs and passwords. The additional support comes via multi-factor authentication, device compliance, user identity, and group membership. These requirements can be set on a per-application basis, making it easy to require enhanced security for sensitive business applications, or to simplify requirements for applications that don't need the heightened levels of security.


Microsoft is serious about security and the enhancements in Windows Server 2016 prove that. If your organization has not considered upgrading to Windows Server 2016 because you believe that your company is not big enough, remember that cyber attacks are commonplace in today's business world. Attackers are no longer rogue individuals but include organized crime, nation states, and terror groups, any of whom could hold your company's data for ransom. With Windows Server 2016, security breaches can be prevented.
