Windows Server 2025

Investing in your success with Windows Server

Try today

Advanced multilayered security 

In an era where cybersecurity is of utmost importance (see the Microsoft Digital Defense Report 2024 and the Microsoft Threat Intelligence Healthcare Ransomware Report), Windows Server 2025 stands out with a suite of security features designed to safeguard your data and infrastructure. Here are a few key capabilities: 

• Active Directory (AD): The gold standard for identity and authentication only gets better with new security capabilities to help fortify your environment against evolving threats with greater scalability and improvements in protocols, encryption, hardening, and new cryptographic support. 

• File services/server message block (SMB) hardening: Windows Server 2025 includes SMB over QUIC to enable secure access to file shares over the internet. SMB security also adds hardened firewall defaults, brute force attack prevention, and protections for man in the middle attacks, relay attacks, and spoofing attacks. 

• Delegate Managed Service Accounts (dMSA): Unlike traditional service accounts, dMSAs don’t require manual password management since AD automatically takes care of it. With dMSAs, specific permissions can be delegated to access resources in the domain, which reduces security risks and provides better visibility and logs of service account activity. 

These advanced security features make Windows Server 2025 a robust and secure platform for your IT infrastructure that you should begin evaluating immediately.

Cloud agility anywhere

Windows Server 2025 introduces several advanced hybrid cloud capabilities designed to enhance operational flexibility and connectivity across various environments. Key features include: 

• Hotpatching enabled by Azure Arc: Customers operating fully in the cloud have inherent modern security advantages like automatic software updates and back-up and recovery.  Now we’re bringing some of those capabilities to Windows Server 2025 for on-premises customers with a new hotpatching subscription service, enabled by Azure Arc. With hotpatching, customers will experience fewer reboots and minimal disruption to operations. Hotpatching delivers security updates for Azure Arc-enabled Windows Server 2025 Standard or Datacenter running on physical machines, virtual machines, on-premises, or multicloud servers. Hotpatching, currently in preview, will require a monthly subscription. The hotpatching feature remains no additional cost for Windows Server Datacenter Azure Edition virtual machines.

• Easy Azure Arc onboarding: Windows Server 2025 brings Azure’s powerful capabilities directly into your datacenter through Azure Arc. This integration simplifies the onboarding process to Azure’s hybrid features and enhances operational flexibility, allowing you to manage and secure your hybrid and multicloud environments more effectively. 

• Software-defined network (SDN) multisite features: The software-defined network (SDN) multisite features offer native L2 and L3 connectivity for seamless workload migration across various locations, coupled with unified network policy management. 

• Unified network policy management: This capability allows for centralized management of network policies, making it easier to maintain consistent security and performance standards across your hybrid cloud environment.

These hybrid cloud capabilities make Windows Server 2025 an ideal choice for organizations looking to optimize their IT infrastructure and leverage the benefits of both on-premises and cloud environments.

AI, performance, and scale 

Windows Server 2025 is designed to handle the most demanding workloads, including AI and machine learning. Here are some key capabilities: 

• Hyper-V, AI, and machine learning: With built-in support for GPU partitioning and the ability to process large data sets across distributed environments, Windows Server 2025 offers a high-performance platform for both traditional applications and advanced AI workloads with live migration and high availability. 

• NVMe storage performance: Windows Server 2025 delivers up to 60% more storage IOPs performance compared to Windows Server 2022 on identical systems. (Based on 4K randread using Diskpsd 2.2 with Kioxia CM7 SSd) 

• Storage Spaces Direct and storage flexibility: Windows Server supports a wide range of storage solutions such as local, NAS, and SAN for decades and continues to this day. Windows Server 2025 delivers more storage innovation with Native ReFS deduplication and compression, thinly provisioned Storage Spaces, and Storage Replica Compression now available in all editions of Windows Server 2025.

• Hyper-V performance and scale: Windows Server 2025 introduces massive performance and scalability improvements that come from Azure. Windows Server 2025 Hyper-V virtual machine maximums: 
  • Maximum memory per VM: 240 Terabytes* — (10x previous) 
  • Maximum virtual processors per VM: 2048 VPs* — (~8.5x previous) 

*Requires Generation 2 VMs

Windows Server 2025 delivers major advancements across the board for Hyper-V, GPU integration, Storage Spaces Direct (software defined storage), software-defined networking, and clustering. These improvements make Windows Server 2025 an excellent option for organizations looking for a virtualization solution and for organizations looking to leverage AI and machine learning while maintaining high performance and scalability.

System Center 2025 is available now

By delivering System Center 2025 concurrently with Windows Server 2025, management of Windows Server at scale is available immediately. This allows organizations to make the most of new Windows Server features. Designed to enhance agility, performance, and security, this release is set to enhance how organizations optimize their infrastructure and virtualized software-defined datacenters. We encourage you to visit the System Center 2025 post learn more. 

Microsoft Ignite 2024

We look forward to meeting you in person and sharing these and other Windows Server 2025 features in our sessions and at our booth at Microsoft Ignite in Chicago, November 19-21. For those of you who can’t make it, many sessions, including our Windows Server breakout titled Windows Server 2025: New Ways to gain cloud agility and security, will be available for online viewing. 

We are also excited to bring new features to customers on existing Windows Server versions like 2016, 2019, 2022, as well as 2025. Windows Server Software Assurance or active subscription customers can access Azure management tools like Azure Update Manager, Azure Policy Guest Configuration, Disaster Recovery, Change Tracking and Inventory, and more, with access to many features coming at no additional cost**. Tune into Microsoft Ignite where we will show more demos and information on how to access these new offerings.

Additional Windows Server resources

• Try Windows Server 2025 today
• Windows Server documentation
• Learn more about what’s new in Windows Server 2025
• Microsoft Certified: Windows Server Hybrid Administrator Associate 
• Administer Active Directory Domain Services

Notes

1. ** Note: compute and storage may incur additional fees. 

The post Windows Server 2025 now generally available, with advanced security, improved performance, and cloud agility  appeared first on Microsoft Windows Server Blog.

However, as many organizations like yours are eager to innovate with AI for various use cases, it is also very important, if not more, to have a solid IT foundation that can support that ambitious AI vision—from a cost, performance, and security perspective. The last thing companies want is to make a big investment in AI and machine learning initiatives too soon, without the bandwidth, guardrails, or necessary performance in place to support it.

At the heart of your IT estate lies strategic investments you have in business-critical workloads like Windows Server and SQL Server that are and have been the foundation of many organizations for more than 30 years now. The question then becomes—how do you modernize these foundational technologies to make you ready to leverage the full power of AI, that will allow you to adopt AI in a secure, responsible way and gain an edge over the competition?

Catch up on sessions from Microsoft Ignite

Whether you missed some of the sessions at Ignite or just want a recap of all things Windows Server and SQL Server, we’ve got you covered. In this blog, we’re going to showcase the main Ignite sessions for Windows Server and SQL Server, where we had various announcements, demos, and customer testimonials.

Windows Server

What’s New in Windows Server v.Next: In this session, we provide a preview of what’s coming next for Windows Server, a platform that enables IT professionals and developers to modernize their applications and enable hybrid use cases. The topics covered were Active Directory, File Server, Storage, Hyper-V, Security, and more.

Do more with Windows Server and SQL Server on Azure: This session highlights how you can reap more technical and business benefits by running Windows Server and SQL Server on Microsoft Azure. You’ll learn how Azure provides optimal cost benefits, performance, and security for these workloads. Get tips and demos on how to extend Azure innovations to your hybrid and multi-cloud environments with Azure Arc.

Migrate to Innovate: Be AI-ready, secure, and optimize operations: This is an immersive session for IT practitioners on how to migrate to Azure. We highlighted practical steps, demos, and guidance on how migrating to Azure can accelerate the impact of AI in your organization. We then highlighted how you can enhance security and optimize operations once in the cloud and take the first step into Azure with Azure Migrate.

Learn Live: Upgrade and migrate Windows Server IaaS virtual machines: In this online session, you can learn to migrate a workload running in Windows Server to an infrastructure as a service (IaaS) virtual machine and to Windows Server 2022 by using Windows Server migration tools or the Storage Migration Service.

SQL Server

Get superior price and performance with Azure cloud-scale databases: In this session, you can learn how to improve performance with the latest capabilities for Azure SQL Databases, Azure Database for PostgreSQL, and SQL Server enabled by Azure Arc for hybrid and multi-cloud. You’ll learn how customers enabled ongoing innovation by migrating to Azure Database for MySQL. This session will cover tactical ways to get the most from your applications with the databases that are easy to use, deliver unmatched price and performance, support open-source, and enable transformative AI technologies.

Accelerate your SQL migration with Azure Data Migration Service: In this demo, you’ll see how the new Azure Data Migration Service along with Azure Migrate can accelerate your SQL modernization journey. We will showcase Azure Data Migration Service streamlined capabilities for readiness assessment, SKU recommendations based on workload rightsizing, and online and offline data migration across Portal, Azure Data Studio, PowerShell, and command-line interface (CLI) experiences that you need for your SQL Server migration journey to Azure from on-premises.

Migrate to innovate: Modernize your data on Azure SQL Managed Instance: In this session, you can watch new performance enhancements in action and experience the ease of online migration to Azure SQL Managed Instance using the link feature. See how you can continue to modernize on Azure through Microsoft Fabric integration and connections to other Azure services.

Bring enhanced manageability to SQL Server anywhere with Azure Arc: Join this discussion to discover how connecting your SQL Servers to Azure can enhance your management, security, and governance capabilities with live demos. SQL Server enabled by Azure Arc is a hybrid cloud solution that allows you to manage, secure, and govern your SQL Server estate running anywhere from Azure. Our experts will also explore different options for deploying Azure Arc to your SQL Servers at scale.

Next steps to modernize Windows Server and SQL Server

Ready to take the next step in modernizing your Windows Server and SQL Server? Here are some quick resources to get started:

1. Upgrade to the latest versions of Windows Server to take advantage of the latest capabilities. Learn more about Windows Server 2022 and SQL Server 2022.
2. Looking to migrate to Azure? Take the first step with Azure Migrate and Modernize, our offering that has programs, offers, support, free tooling, and expert guidance to confidently migrate to Azure.
3. Join the discussion on our Windows Server Tech Community and SQL Server Tech Community.

¹ ITProToday, Microsoft Ignite 2023 Envisions AI as an Everyday Reality, November 16, 2023.

The post Windows Server and SQL Server at Microsoft Ignite 2023 appeared first on Microsoft Windows Server Blog.

Azure Hybrid Benefit expansion

As customers are increasing cloud adoption to run virtual machine (VM)–based and containerized applications, they also need to keep some workloads on-premises. At Microsoft, we are committed to meeting customers where they are. Azure Hybrid Benefit is a program that enables customers to reduce the costs of running workloads in the cloud. At Microsoft Ignite, we’re introducing new additions to Azure Hybrid Benefit to bring the value of Azure to where customers are.

As part of our updates, customers with Windows Server Software Assurance or a Cloud Solution Provider subscription will be able to use Azure Kubernetes Service (AKS) on Windows Server and Azure Stack HCI in their own datacenters or edge infrastructure at no additional cost. This will enable customers to containerize their applications and deploy them on Azure or on-premises consistently by maximizing business value with a managed Kubernetes service in their own environments.

For customers looking to modernize their environment, we are also introducing a new benefit for Windows Server Datacenter Software Assurance customers to use Azure Stack HCI at no additional cost.¹ With this, customers can modernize their existing datacenter and edge infrastructure to run their VM and container-based workloads on modern infrastructure with industry-leading price performance and built-in connectivity to Azure. Learn more about Azure Hybrid Benefit for AKS and Azure Stack HCI.

More flexibility to run Windows Server

On October 1, 2022, we implemented several updates to outsourcing and hosting terms for customers and partners globally. Among these is the Flexible Virtualization Benefit, which allows customers with Software Assurance or subscription licenses to run their own licensed software, including Windows Server, on other cloud providers’ infrastructure—dedicated or multitenant.² Additionally, customers can also license Windows Server on a VM basis.

Windows Server customers have been increasingly leveraging Windows containers to modernize their applications. However, we heard from a few of our customers and application vendors that needed the ability to distribute a complete containerized application directly to their end users. Starting today, customers will be able to redistribute Windows Container base images beyond their organization in accordance with the updated End-User Agreement License. Now, customers and application vendors across segments like medical, financial, manufacturing, or other air-gapped environments can more easily use Windows containers to modernize their applications. Learn more about the upcoming changes in our tech community blog.

Modernize for end of support

With all the added benefits and flexibility mentioned above, there is no better time to modernize than now. This is especially true if you are running Windows Server 2012/R2, which is reaching end of support next year on October 10, 2023. We have several options to keep your Windows Server 2012/R2 workloads protected:

• Migrate to Azure and run securely with up to three years of free Extended Security Updates. This includes all Azure destinations such as Azure Virtual Machines, Azure Dedicated Host, Azure VMware Solution, and the Azure Stack portfolio.
• Upgrade to Windows Server 2022 to get the latest innovation in security and application modernization.
• Deploy extended security updates on-premises. Customers that cannot meet the end of support deadline and have Software Assurance or subscription licenses under an enterprise agreement enrollment, and cannot migrate their Windows Server to Azure, will have the option to buy Extended Security Updates.

Start migrating and modernizing your Windows Server workloads

No matter where you are in your migration and modernization journey, we are committed to supporting you at every step. Here are some resources to get started today:  

• Learn more about the unique capabilities and cost-savings available when running Windows Server on Azure.
• Learn more about your options for Windows Server and SQL Server 2012/R2 end of support.
• Migrate and modernize with confidence through the Azure Migration and Modernization Program.

¹_{Currently only available for Windows Server Datacenter licenses with Software Assurance purchased through Enterprise Agreements. Customers can only use Windows Server or Azure Stack HCI. Customers will have 180 days of concurrent use rights to move to Azure Stack HCI.}

²_{Note that these changes exclude what we term Listed Providers: Alibaba, Amazon Web Services, Google, and Microsoft. Customers that want to use a Listed Provider for outsourcing can acquire licenses directly from the Listed Provider.}

³_{Note: In alignment with the servicing model for Windows 7 and Windows 8.1 (link to blog), the Windows Server 2012 and 2012 R2 ESU program will only include Monthly Rollup packages; Security Only update packages will not be provided.}

The post Maximize your Windows Server investments with new benefits and more flexibility appeared first on Microsoft Windows Server Blog.

Ever since its release in 2018, Windows Admin Center has become the solution for managing Windows Server infrastructure running on-premises. It has grown to provide dozens of experiences that make remote investigation and remediation of your servers as easy as possible. Today, we are extending the same tooling to your cloud infrastructure with the general availability of Windows Admin Center for Azure Virtual Machines. Let’s dive into the new features.

Why use Windows Admin Center in Azure

Simplicity and convenience

Windows Admin Center in Azure unlocks incredible capabilities for the Azure portal by providing you with an interface to manage your Windows Server Virtual Machines. By default, the Azure portal provides a singular view for virtual machine management and the essential elements to manage your infrastructure. With the addition of Windows Admin Center, we have supplemented this great experience with additional capabilities such as an enhanced view of virtual machine usage, performance monitoring, viewing of events, and much more. We expect this to reduce the need for you to remote desktop into your virtual machine for administration, simplifying your experience as you deploy and maintain virtual machines with or without a graphical user interface (GUI).

Secure, passwordless authentication

Unlike Windows Admin Center on-premises, Windows Admin Center in Azure features single sign-on using Azure Active Directory (Azure AD) authentication to bring you an end-to-end identity experience in the Azure portal. Regardless of whether your virtual machine is on-premises Active Directory joined, Azure AD joined, or not joined to any domain, Windows Admin Center and Azure AD provide a single sign-on experience. Just add your Azure AD identity to the Windows Admin Center Administrator Login Azure role-based access control (RBAC) role and get access to the full suite of management capabilities that we provide in the Azure Portal. Read more about how this exciting capability reduces the reliance on local administrator accounts when managing Windows Server machines in Azure.

Performant

Users expect a fast, reliable, and personalized experience when managing their infrastructure. Windows Admin Center in Azure leverages cloud-native services such as Azure Front Door, a content delivery network (CDN) that rapidly delivers content and brings you an unmatched server management performance in the Azure Portal. Compared to Windows Admin Center on-premises, the Azure experience is about two and a half times faster, by delivering its static content from the cloud, while keeping your server’s data secure within your network.

Get started with Windows Admin Center

Windows Admin Center in Azure is available to all Windows Server customers on Azure running Windows Server 2016 or higher in the public cloud. Create a new virtual machine today or deploy Windows Admin Center on your existing infrastructure. You can begin managing your virtual machines in Azure using Windows Admin Center by navigating to the Windows Admin Center blade under Settings in the Virtual Machine Azure portal UI.

Windows Admin Center in Azure is also available in preview for managing Windows Server Azure Arc–enabled servers and Azure Stack HCI clusters.

Follow us at Microsoft Ignite and stay tuned for more exciting capabilities coming soon to Windows Admin Center in Azure.

The post Windows Admin Center for Azure Virtual Machines is now generally available appeared first on Microsoft Windows Server Blog.

But you may ask “Why is Microsoft working with Linux and open source?”, or “What’s Microsoft’s plan going forward?”, or “What does ‘Microsoft ♥ Linux’ mean for me as a customer?”

At the core, “Microsoft ♥ Linux” is driven by what we’ve heard from you as customers.  You run workloads on Windows.  You run workloads on Linux.   You run these workloads in your on-premises datacenters, hosted at service providers, and in public clouds.  You just want it all to work, and to work together regardless of the operating system.  We hear you, and understand that your world is heterogeneous.  Bottom line, this is a business opportunity for Microsoft to offer heterogeneous support — both Windows and Linux workloads – on-premises and in a public cloud.  Microsoft can add real value in a heterogeneous cloud.

It may come as a surprise, but Microsoft has been working with Linux for a number of years.  System Center Operations Manager has offered Linux and UNIX monitoring since 2009.   Drivers for running Linux guests on Hyper-V became widely available for a number of distros in 2010, and we even have drivers for running FreeBSD guests on Hyper-V.  Microsoft Azure offered Linux VMs on “day 1” of the Azure IaaS general availability in 2013.

We’ve built a significant customer base that is using Linux with Microsoft products.  Several hundred thousand Linux and UNIX servers in production usage today are managed by System Center, with the largest customers managing nearly 10,000 Linux servers. Customers such as Ancestry.com, Equifax, the United Kingdom government FCO Services, and Europcar operate Microsoft clouds on-premises running Hyper-V and System Center with many VMs running Linux.  More than 20% of the VMs in Azure IaaS are running Linux.  Azure is offering the HDInsight (Hadoop) service running on Linux in addition to running on Windows.  And if you look more broadly, Microsoft offers key productivity software such as Office365, Skype, and RDP clients on Linux-based and BSD-based client operating systems such as iOS, Android, and Mac OS X.

What does this all add up to?  Working with Linux isn’t new at Microsoft.  In fact, Linux is already a sizable commitment for Microsoft that is now getting a higher public profile.  We see executing on that commitment as a critical part of what we offer customers.

Linux in your datacenter

Microsoft is making huge investments in the foundational cloud technologies that are described in other entries in this blog series:  Compute, Networking, and Storage.  These investments are informed by our experience with the hyper-scale Azure public cloud.  They are also independent of the guest operating system, so they work for both Windows and Linux.  Great features like storage quality-of-service, network virtualization, and super-fast live migration using RDMA work for Linux just like they work for Windows.  In the product development teams, when we envision and design new capabilities for the cloud foundation, we ask “How does this work for Windows?” and we ask “How does this work for Linux?”   As a result, the Microsoft offering for on-premises datacenters is fundamentally heterogeneous, able to run Windows and Linux guests in a unified fashion.

Of course, some capabilities require the cooperation of the guest OS.  For these capabilities, Microsoft developers write the Linux device driver code for Hyper-V and participate in the Linux community to get the code into the upstream Linux kernel at kernel.org.  Then we engage with distro vendors like Red Hat, Canonical, Oracle, and SUSE to enable full support on Hyper-V for these distros that you are probably running.  As a result, Linux runs great on Hyper-V!

We also invest in the management layer.  We are announcing that the first version of Powershell Desired State Configuration (DSC) for Linux is now available. With DSC for Linux, you can do consistent configuration management across Windows and Linux.  On Linux you can install packages, configure files, create users & groups, and set up services.   DSC for Linux is also an open source project, available on GitHub.

Our enterprise management functionality in System Center Operations Manager, Configuration Manager, Virtual Machine Manager, and Data Protection Manager manages Linux right alongside Windows so that you can have a single systems management infrastructure for your heterogeneous datacenter.   We’ve taken System Center management beyond just the Linux operating system, and into open source middleware such as Tomcat, JBoss, Apache Web Server, and MySQL.  Also, we have extended our hybrid services to include Linux — for example, Azure Site Recovery between on-premises datacenters (or service providers) and Azure.

Linux in Microsoft Azure

As we’re doing for the on-premises datacenter, Microsoft is making huge investments in the Azure public cloud.  Again, our goal is that everything in Azure works for Linux VMs just like it works for Windows VMs.  Capabilities like the huge “G” series VM sizes, Premium Storage, and Azure Backup for VMs are available for both Windows and Linux, as is a range of extensions for custom scripting, regaining access, and OS patching.  Some capabilities, such as integration with Docker, Chef, and other open source projects, are available to you on Linux before they are available on Windows.

Azure offers a range of enterprise-ready Linux distros in Azure:  SUSE Linux Enterprise Server, openSUSE, Ubuntu Linux, Oracle Linux, and Core OS, as well as community distro such as CentOS.  Or you can upload your own custom Linux image.

If you are consuming Azure services, you want flexibility to access those services from a Windows computer, or from a Linux or Mac OS X computer.  For starters, you’ve probably used the Azure portal, which is an HTML5 web application that works in browsers running on Windows as well as browsers on Linux and Mac OS X.  But as your usage progresses, you may want to integrate Azure into your operational processes.  On Windows, Powershell is the primary scripting and automation interface.   For Linux and Mac OS X (and Windows), Azure offers a node.js-based package of commands for scripting and automating the full lifecycle of Azure services.

In Azure datacenters, Microsoft personnel are now operating PaaS services based on Linux as well as services based on Windows.  The HDInsight (Hadoop) service is the first to be available on Linux, and it makes good business sense for other services using “born on Linux” open source projects to just run on Linux rather than being ported to Windows.  Internal tools for monitoring, diagnosing, patching, and meeting compliance requirements have been extended to include these Linux-based services.

Summary

Microsoft is doing a lot of work with Linux – for on-premises datacenters and services providers, as well as in the Azure public cloud.  We know you run workloads on both Windows and Linux.  We’ve made running and managing Linux workloads a fundamental part of our product offering so that the result is well integrated and just works.  Go to www.microsoft.com/open to learn more about the investments we’re making.  Remember, “Microsoft ♥ Linux”!

The post Microsoft Loves Linux appeared first on Microsoft Windows Server Blog.

The actors and their motives have changed – A few years back, the Microsoft Trustworthy Computing group published an internal position paper that predicted a shift in the security attack profile and sophistication of actors and called out the need to develop technologies and solutions to address Advanced Persistent Threats (APT) and insider attacks. This prompted major efforts across many areas in the company, ranging from the Microsoft Azure public cloud to Windows 10 and the various Server teams.

In parallel, the ongoing landscape shifts have a profound effect on security: virtualization, the large-scale cloud computing model, and the public cloud, which introduces a trust boundary between the tenant and the service provider. The security and operations of the Microsoft Azure cloud is an ongoing source of great innovations that we can draw from to help deliver security that addresses this new world.

This post is intended to provide you with insight into our efforts to improve the security in datacenters, private cloud and hosting environment.

At Ignite 2015 we have a set of sessions that will go into the details of our investments and roadmap. First and foremost: “Platform Vision & Strategy (5 of 7): Security and Assurance Overview (May. 5, 3:15pm-4:30pm)” Security and Assurance 5 minute overview by Microsoft’s Technical Fellow, Anders Vinberg

Principles for security and assurance solutions

Throughout our work in the security and assurance area we established a few key guiding principles

• Assume breach, analyze the environment to determine how an attack may propagate and make changes to contain any compromise.
• Embrace the cloud landscape shifts and cloud consistency to enable security in large scale virtualized environments.
• Protect existing environments without requiring major upgrades and re-architecture of your datacenter or hosting infrastructure.

Before moving on, a note about Compliance and Security/Assurance. Many of you reading this blog work in companies that need to adhere to one or more sets of compliance regulations. While being compliant does not mean that you’re guaranteed to be secure, adopting and implementing breach resistant security mechanisms may greatly contribute to your compliance stance.

Datacenter and cloud security

The security experts tell us that most of the recent attacks use compromised administrator credentials. We know that social engineering works, people can be fooled; and bribery works; and we have insider attacks. But there are things we can do if we adopt an “Assume Breach” mindset as we approach security controls.

Adopting this new mindset requires us to look at what a breached system or compromised account mean to the environment, how we can limit the breach impact, make it detectable and have the ability to respond. This approach works well in combination with the traditional security stance of preventing attacks and keeping the bad guys out.

Our current initiatives fall in three buckets:

• Protecting Virtual Machines (Workloads) from attacks through the private cloud or service provider fabric
• Privileged Access Management to address threats that result from compromised administrator credentials
• Threat and malicious behavior detection

Protecting Virtual Machines (Workloads) from fabric attacks

The virtualization landscape shift has a profound effect on security as it introduces a new trust boundary between the tenant and the datacenter admin/service provider (hoster)

To put it plainly, if a datacenter administrator account is compromised, then all the virtual machines (Workloads) running in that datacenter are accessible to the attacker who is then able to both access  sensitive information and inject malicious executables. This is true for anyone that has administrator access to the storage, network, backup and physical machines on the fabric as well as the fabric managers.

To protect the workload from fabric attacks, we have introduced something we call a “trust plane”. This is analogous to the management plane that is used to manage the workloads and the fabric. The trust plane is separate, it is isolated from the fabric and the management plane, and administrators do not have access to the trust plane.

At the heart of the trust plane is a new technology called: “Virtual Secure Mode” (VSM): we use the hypervisor and the hardware to create a space that is entirely separate from the rest of the system. Inside VSM there are only specific binaries and information that are not accessible or controlled by the administrator. No software can be introduced, nobody can get admin privileges and it is not connected to the network. In VSM, we can execute and store security critical operations like secure key management and protecting the integrity of the system.

With this Trust Plane, we can now use cryptographic technology to protect virtual machines and their data files and databases.

In Windows Server 2016 we are introducing “Shielded Virtual Machines” (Shielded VM) to achieve isolation between the fabric/host and the Virtual Machine. This capability will be available for on-premises private clouds and service providers (hosters).

While Shielded VMs look just like any other Virtual Machine to the fabric management tools, they are:

• Encrypted (using BitLocker) on storage and on the wire
• Can only be executed on hosts that are appropriately configured (verified by remote attestation)
• Not accessible to fabric, storage, network administrators and are hardened (based on configuration) against malicious host administrator access.

This allows you to achieve a high level of assurance for all the workloads that you’re virtualizing and in addition, enable you to virtualize sensitive workloads such as domain controllers, which were traditionally kept on physical machines.

It’s a simple concept, but we also took a lot of care to make sure we have a practical solution that does not require a re-architecture of the fabric; so we also made Shielded VMs integrate well with the current operational model of the entire lifecycle of a VM: Shielded VMs can be paused and stored and restarted and migrated, and there is disaster recovery and backup and many other things.

Ignite 2015 session: Harden the Fabric: Protecting Tenant Secrets in Hyper-V (Wednesday, May 6th 03:15PM – 04:30PM)

Privileged Access Management

Workloads are also exposed to other threats through administrator account compromise.

When analyzing the numerous breaches over the past few years, one quickly concludes that no matter what method was used to breach the environment, the attackers proceed to compromising administrator credentials so that they can integrate, control and hide inside the environment.

Privileged Access Management is another aspect of the “Assume Breach” mindset: in addition to working to prevent breach, we also contain the potential damage of a breach.

There are many benefits and aspects of Privileged Access Management but from an “Assume Breach” perspective”. Privileged Access Management enables key capabilities including:

• By default – no one has privileged access
• When someone needs to perform administrative actions, they request to be an administrator (“Check out”) for a set period of time by going through an approval process that can range from automatic, to multi-factor authentication and manual approval. We use the term “Just In Time” administration (JIT) to describe this functionality.
• When granted administrative privilege, the user can only perform certain tasks, and they are not full administrators on the server they are managing. We use the term “Just Enough Administration” (JEA) to describe this functionality.
• Everything is logged from the request workflow to the administrative operations performed on the servers, so that it is easier to monitor and detect malicious behavior.

We have been using JIT and JEA technologies in our Azure and Office 365 cloud operations and are now very excited to introduce these as public solutions targeted at protecting your existing environments.

We are releasing “Just In Time” capabilities (and much more) in the upcoming Microsoft Identity Manager (MIM) 2016 which is already available in public preview.

We have also published the xJEA PowerShell module for “Just Enough Administration” and will soon follow up with an update integrated into the Windows Management Framework.

Both the JIT and JEA solutions focus on ease of adoption so that you can plug these into your existing infrastructure to help you control and monitor privilege access.

Ignite 2015 sessions:

• Protecting Windows and Microsoft Azure Active Directory with Privileged Access Management (Thursday, May 7th, 5:00 PM – 6:15 PM)
• JEA: A PowerShell Toolkit to Secure a Post-Snowden World (May. 7, 9:00am-10:15am)

Threat detection

And this brings us to the detection and forensics. We know that the attackers are clever, and they learn and adapt. So detection is essential, and we can now use the power of the cloud to do that. We can collect information from many sources, fabrics and VMs in both private and public clouds, as well as anti-malware systems, our cyber-crime unit, industry partnerships, government sources and others.

This provides vast amounts of data, and we can put all this data in the cloud and use Big Data and Machine Learning technologies for analysis.

Again, we have been using these techniques internally for some time, but now we’ll make it available as services to our customers. This is a rapidly evolving area, we continually learn and this is one of the advantages of delivering this functionality as a service: as we learn, we can improve the service on a continual basis.

There are two very exciting offerings that we are delivering in this area in the immediate future:

The “Microsoft Advanced Threat Analytics” is an on-premises product that use Active Directory network traffic and SIEM data to discover and alert on potential threats. Since it uses targeted Active Directory data, Microsoft ATA is able to achieve high accuracy in identifying and alerting on malicious behavior as it happens and map the impact potential impact of the attacker.

The Microsoft Operations Management Suite (OMS) Security and Audit solution processes security logs and firewall events from on-premises and cloud environments to analyze and detect malicious behavior. Using this Security and Audit solution, an IT Pro is able to review suspicious behavior and decide whether further investigation is required by a security analyst. If so, the analyst can then use the query capabilities of the tool for a more thorough investigation.

Ignite 2015 sessions:

• Security Threat Analysis using Microsoft Azure Operational Insights (May. 7, 1:30pm-2:45pm)
• How to Protect Your Corporate Resources from Advanced Attacks (Tuesday, May 5th, 10:45 AM – 12:00 PM)

Don’t forget the fundamentals

The way a breach spreads is that attackers inside your network use known vulnerabilities to take control over servers and then harvest administrator credentials in order to spread across your environment.

To help you with the fundamentals, we have built “system update assessment” to discover which systems need to be patched and “malware assessment” into the Microsoft Operations Management Suite (OMS) so that you can discover and take action on patching and securing servers in your environment. We have also worked to include Windows Server Antimalware, which is enabled by default, in Windows Server 2016.

In summary

To address the evolving security threat landscape and shifts driven by cloud computing, we have combined the “Assume Breach” mindset with the experience of running a public cloud to deliver a set of solutions and technologies to provide protection for existing environments, while keeping in mind consistency across clouds.

These include protecting your virtual machines, privileged access management and detection and analysis services.

These solutions focus not only on security but also on being practical and easy to adopt into your current environment.

Security is an ongoing journey and we are committed to continuing our efforts to help customers protect their environments.

The post Protecting your datacenter and cloud from emerging threats appeared first on Microsoft Windows Server Blog.

With Windows Server 2016 there are three core areas we are focusing on in the world of cloud and virtualization:

• Providing a platform for next-gen cloud applications
• Ensuring you can protect your datacenter assets from emerging threats
• Continuing to deliver a cloud platform that is perfect for your mission critical workloads

Let’s dig into each of these areas for a moment

Providing a platform for next-gen cloud applications

Virtualization has been amazing technology for the datacenter, enabling efficiencies and cost savings through increased density and decoupling workloads from physical server hardware.   However, we believe that we have only just started on the journey of unlocking the capabilities of cloud computing.  Once you start running applications that were “designed for the cloud” on a fabric that was “designed for the cloud” you start to enable entirely new levels of efficiency and functionality.

Two big investments that we have made in this area are:

Hyper-V on Nano Server

Running Hyper-V on Nano Server, a highly focused and small footprint version of Windows Server, brings many benefits to your cloud environment.  Physical servers are quicker and easier to deploy, they need less patching and carry less configuration state.  This makes it incredibly easy to build true scalable cloud deployments.

Windows Server Containers

Containers are an exciting new technology for building, testing and deploying applications.  Applications are fueling the innovation in today’s cloud-mobile world, and developers hold the keys to the power of those applications. The more streamlined and efficient the process for developers to build and deliver their applications, the faster that more powerful applications can reach the business. This however, has to work across both the developers, and IT who hold the keys when it comes to the infrastructure that the applications will run on.

For the developers, containers unlock huge gains in productivity, and freedom – the ability to build an application, package within a container, and deploy, knowing that wherever you deploy that container, it will run without modification, whether that is on-premises, in a service provider’s datacenter, or in the public cloud, using services such as Microsoft Azure.  These containers don’t have to be deployed independently – developers can model complex multi-tier applications, with each tier packaged within a container, and these can be distributed across IaaS and PaaS models, again, increasing the overall surface area that the developer can aim for when releasing their application. This powerful abstraction of microservices provides developers with incredible potential to deliver applications more rapidly than ever before.  They can’t however, do it without the Operations’ team support.

On the Operations side, they benefit considerably by being able to gain ever higher levels of consolidation for applications and workloads than even virtualization could provide, and in addition, they can put in place a platform that can rapidly scale up and down to meet the changing needs of the business. This standardized platform is easier to manage, yet provides the developers with a consistent environment into which they can simple provide their app, and hit ‘run’.

Ensuring you can protect your datacenter assets from emerging threats

When it comes to datacenter security, one of the key design pillars of Hyper-v is to make virtual machine security on par with the physical machine security. If a physical machine is completely locked down and a hacker cannot gain access through a vulnerability, short of walking in to the datacenter and removing that physical server, it’s safe to assume that particular physical server is secure.

However, any seized or infected host that has been compromised by an attack, now puts the virtual machines at significant risk, as VMs can be copied from storage, over the network.

The flexibility of virtualization also poses a challenge in itself. For instance, without any form of hardware-based verification, which is rare in today’s x86 physical server space, there’s no way to identify legitimate hosts, which have or haven’t been compromised. This means a VM can, in essence, run anywhere.

So what is Microsoft’s approach to protecting virtual machines?

First, by utilizing the power of hardware-rooted technologies, we enable a new Virtual Secure Mode. This protects access to the processes and memory of the virtual machine, from the host itself, completely separating the guest OS, from host administrators. Host administrators cannot access guest VM secrets and can’t run arbitrary kernel mode code.

By implementing a new Windows Server role, the Host Guardian Service, it enables administrators to identify legitimate hosts, and certifies them to run protected virtual machines, known as Shielded VMs.

Finally, by integrating with the underlying hardware, we enable a new virtualized trusted platform module, or vTPM, that, when exposed inside the virtual machine, enables the guest operating system to take advantage of native encryption features such as BitLocker, protecting the valuable information within that shielded virtual machine. Features such as Live Migration still continue to work, and, the traffic is also encrypted, ensuring that even when moving virtual workloads around the environment, the data remains secure and encrypted.

Continuing to deliver a cloud platform that is perfect for your mission critical workloads

Third, and in many ways, most importantly we have been investing in continuing to improve the capabilities of Hyper-V as a great platform for your mission critical applications.  There are a number of capacities that we have focused on

Workload Availability

Across the entirety of Hyper-V we have looked for opportunities to reduce and remove times when virtualized workloads are offline, both planned and unplanned.  Here is a sample of some of the features and capabilities that increase your workload availability:

• Rolling Cluster UpgradeWith Windows Server 2016, we’re building on Cross Version Live Migration from Windows Server 2012 R2 and taking it to the next level.  You can now upgrade a Windows Server 2012 R2 cluster to Windows Server 2016 with zero downtime, zero extra hardware requirements, and guaranteed availability throughout the process.  You can read more about this technology here: https://technet.microsoft.com/en-us/library/dn850430.aspx
• Online resize of virtual machine memoryBuilding on our great feature of Dynamic Memory, you can now resize memory for virtual machines even when they are configured to use static memory.
• Hot add / remove of virtual network adaptersIt is now possible to add and remove network adapters from Generation 2 virtual machines without needing to turn them off first.
• Online resize support for Shared VHDX filesNeed to add more storage capacity to a virtualized cluster?  This is now easy to do while your critical virtualized application continues to run.
• And more…

Guaranteed Performance

In Windows Server 2012 R2, we introduced Storage Quality of Service which provided the ability to set hard caps on a per virtual disk basis per host. It’s a good solution for noisy neighbors on the same host and is dynamically configurable. This was a necessary and important step to what we’re delivering in Windows Server 2016, namely, cluster-wide Storage QoS with comprehensive monitoring and flexible and customizable policies. You can set policies at a granular level based on your business needs such as: per VM, per virtual disk, per service or per tenant. At a high level, it looks like this:

Manageable

We have also been working hard on ensuring that Hyper-V and Hyper-V virtual machines are easy to manage and troubleshoot.  Two big investments in this area are:

• Full support for alternate credentials in Hyper-V Manager and Hyper-V PowerShell.To help people manage Hyper-V in secure environments – you can now provide alternate credentials when connecting to remote servers.  This avoids the situation where administrators and needlessly using powerful credentials for non-essential tasks.
• PowerShell Direct to virtual machineYou can now run PowerShell commands directly in virtual machines from the host environment, provided you have the credentials for the guest operating system, with no need for extra configuration – or even network connectivity.  This allows for very powerful automation and orchestration of virtual machines.

As you can see, we’ve been busy and we look forward to your feedback with the Windows Server 2016 Technical Preview 2 and again, our sincere thanks.

The post Enterprise-grade virtualization and next-gen app platform appeared first on Microsoft Windows Server Blog.

Compute and Virtualization: Simplified upgrades, new installment options, and increased resilience, helping you ensure the stability of the infrastructure without limiting agility.

1. Rolling upgrades for Hyper-V and scale-out file server clusters for faster adoption of new operating systems
2. Functionality for hot add and remove memory and NIC, reducing downtime
3. Virtual machine compute resiliency, so that virtual machines continue running even if the compute cluster fabric service fails
4. Nano Server, a deeply refactored version of Windows Server with a small footprint and remotely managed installation, optimized for the cloud and a DevOps workflow

Networking: Continued investment to make networking as flexible and cost-effective as possible while ensuring high performance.

1. Converged NIC across tenant and RDMA traffic to optimize costs, enabling high performance and network fault tolerance with only 2 NICs instead of 4
2. PacketDirect on 40G to optimize performance

Storage: Expanding capabilities in software-defined storage with an emphasis on resilience, reduced cost, and increased control.

1. Virtual Machine Storage Path resiliency, enabling virtual machines to pause and restart gracefully in response to either transient or permanent storage path failures
2. Storage Spaces Direct to enable aggregation of Storage Spaces across multiple servers, pushing the cost of storage down while allowing for increased scale out
3. Storage quality of service (QoS) for more control and predictable performance
4. Storage Replica, giving you synchronous storage replication for affordable business continuity and disaster recovery strategies

Security and Assurance: Protecting against today’s threats with a “zero-trust” approach to security that is rooted in the hardware.

1. New Host Guardian Service, part of a trust and isolation boundary between the cloud infrastructure and guest OS layers
2. Just Enough Administration to reduce the risk of security breaches by allowing users to perform only specific tasks

Management: Ongoing advances to simplify server management and increase consistency in approach.

1. PowerShell Desired State Configuration (DSC) for easier, consistent and faster deployment and updates.
2. PowerShell Package Manager  for unified package management and deployment
3. Windows Management Framework 5.0 April Preview and DSC Resource Kit  (available online simultaneously with TP2)

And much more, including new features for IIS, RDS, and AD such as:

1. Conditional access control in AD FS, allows requiring a device compliant with policies to access resources
2. Support for application authentication with OpenID Connect and OAuth, making it easier to build mobile enterprise applications
3. Full OpenGL support with RDS for VDI scenarios
4. Server-side support for HTTP/2 including header compression, connection multiplexing and server push.

So what’s the next step? Check out the Windows Server 2016 Technical Preview 2 here, and start learning more about what’s new and notable.

Please note that this is pre-released software; features and functionality may differ in the final release.

The post What’s new in Windows Server 2016 Technical Preview 2 appeared first on Microsoft Windows Server Blog.