This content is part of the Essential Guide: A guide to Microsoft Windows Server 2016

Essential Guide

Browse Sections

Five vital Windows 2016 security updates

Windows Server 2016 will include updates that will affect authentication options, account restrictions, Web protection and more.

Windows Server 2016 is almost here. The preview, dubbed the Windows Server Technical Preview, is available now with the final release slated for early next 2016. Regardless of your current plans for Windows 2016, it's good to think about how these changes and improvements could affect security for enterprise setups.

Whenever Microsoft releases a new operating system (OS), think about how the company addresses security differently and how the new OS can be broken. Beginning with Windows Server 2008 R2, the server OS has continued to be resilient out of the box. But there are five forthcoming security changes for Windows 2016 that will interest enterprise Windows Server admins and security professionals.

Windows Server 2016 security changes

  1. There's a strong authentication option through Microsoft Passport that relies on public and private key pairs in Azure, onsite public key management and Trusted Platform Module chips on the endpoints. There are also additional improvements for Active Directory Federation Services and Azure Active Directory involving Lightweight Directory Access Protocol, access control policies and single sign-on.
  2. A feature called Just Enough Administration -- a PowerShell tool introduced in 2014 -- will also be available. JEA gives admins the option to place more granular restrictions on specific tasks to help ward off "Snowden" types of situations.
  3. Windows Server 2016 supports HTTP/2 via Internet Information Server 10.0, which includes denial of service protection and includes features such as header compression, protocol block sizes and flow control. This won't fix underlying application layer flaws, such as SQL injection and weak login mechanisms, but it's a necessary step for successful Web protection.
  4. Windows Defender is installed and enabled out of the box, even in the non-graphical user interface (GUI) version of the OS. I often see servers with no antimalware protection and the negative consequences.
  5. The telnet server is not included. Microsoft realized that people will still use an inherently vulnerable service because that's what they know and it's there. Given how prevalent telnet is across most network environments I see today, I suspect the service and its flaws won't go away anytime soon. But at least Microsoft is doing its part to help fix the fixable issues.

There are also a number of resiliency benefits outside of security in Windows Server 2016. These involve features for disaster recovery, VMs, network interface card fault tolerance and storage Quality of Service nearly all organizations and use cases can benefit from. These features in Windows 2016 won't make your network environment inherently compliant or secure, but they'll certainly provide you with another leg up on achieving those goals.

Now that you have an idea about the security changes in Windows Server 2016, begin thinking about how current and future projects may benefit from using these features. I've only seen rare instances of Windows Server 2012 usage in the enterprise. Perhaps the stigma of the Metro GUI is passing and Windows 2016 will be the next big thing. Or, it may provide a good upgrade path for many Windows 2003 Server installations that still exist.

About the author:
Kevin Beaver is an information security consultant, expert witness and professional speaker with Atlanta-based Principle Logic, LLC. With over 26 years of experience in the industry, Beaver specializes in performing independent security assessments revolving around information risk management. He has authored/co-authored 12 books on information security including Hacking For Dummies and The Practical Guide to HIPAA Privacy and Security Alliance. In addition, he's the creator of the Security On Wheels information security audio booksand blog providing security learning for IT professionals on the go. Beaver can be reached at and you can follow him on Twitter, watch him on YouTube and connect with him on LinkedIn.

Next Steps

Make the case for Windows Server 2016

Windows Server 2016 Hyper-V features

No containers in Windows Server 2016 preview 2

Windows Server 2016 backup issues could impact organizations"

Dig Deeper on Windows Server troubleshooting