Microsoft continues to make improvements to one of its most important products: Windows Server 2016. Unlike Windows 10 which churns out updates on an aggressive schedule, Microsoft understands that server customers expect a stable product. IT won’t hesitate to delay server updates even when Microsoft bundles in new features. What this mean is that new releases of Windows Server include a long list of new features – among them, new Hyper-V Security updates.
Hyper-V Security Updates
Windows Server 2016 has been available since mid October of last year. The latest build, 1607 Windows Server 2016, arrived a few weeks ago. This release includes a number of updates to Active Directory Federation Services, Remote Desktop, and even a few PowerShell improvements. As you can imagine, virtualization in the form of Hyper-V continues to play a critical part in their server and data center strategy. It’s hard to believe that Hyper-V will turn ten years old next year. With that in mind, let’s take a look at the Hyper-V security improvements Microsoft has brought to Windows Server 2016.
Most admins think of Linux when they hear containers, especially the hot Docker-based ones. But this time around, Microsoft has worked closely with the Docker team to bring containers to Windows Server. See our article from last December for a primer on containers. In short, containers allow one to isolate applications and services in an easy-to-manage fashion. Microsoft has introduced two container implementations in Windows Server 2016:
Windows Server Container – This container may share common resources, run together on the same server and is intended for low-trust applications.
Hyper-V Container – This container is entirely isolated from other containers. It does not share resources and is intended for high-trust applications.
Another way to look at this is to consider the location where you want to deploy your container. If you deploy it in your own datacenter, Windows Server Container will work fine. But you’ll probably want to use Hyper-V container if you’re deploying your container to a public cloud. Containers are all the rage right now. Microsoft made a wise move to include these two versions. I’m sure over time we’ll see both mature and include more features.
Linux Secure Boot
Linux secure boot has been a long time coming to Windows Server, but we finally get it in 2016. Microsoft has genuinely embraced Linux since Satya Nadella took over the CEO reins. This feature is a big deal for admins spinning up Linux Gen 2 Hyper-V VMs because the Linux kernel drivers were not part of the trusted device store. This resulted in annoying firmware errors.
Secure boot is part of the Unified Firmware Interface (UEFI). Basically, it helps protect the server’s startup environment from rootkits and malware. Let’s be honest; it hasn’t always been a smooth ride. UEFI has had its share of issues and critics. But it’s made a lot of progress over the past 24 months. Admins can now deploy Linux VMs without blowing up the UEFI firmware with error messages. The only way around that until now, was to disable Secure Boot in the BIOS. Not exactly the safest option.
Windows Server 2016 still allows admins to set a min or max value for IOPS for virtual hard disks. But it also gives them the ability to create policies that manage IOPS they can then apply in aggregate across VMs or to individual VMs. The big news is that individual hosts can now set their own IOPS values. Windows Server 2016 also monitors this usage by providing details about how each application is using storage.
In practice, Storage QoS makes sure that a group of VMs is not monopolizing the available storage from other VMs that need it. QoS makes sure that each VM has the storage it needs. That will ensure better performance for all running VMs.
Storage Spaces Direct
Microsoft finally brought software-defined storage (SDS) to Windows Server 2012. Windows Server 2016 takes SDS to the next level with Storage Spaces Direct which allows you to pool all your local storage on each host and make it available as VM storage. It supports SAS, SATA, NVMe and SSDs.
This makes a lot of sense as admins add faster and more expensive NVMe and SSDs to servers. In the past, the unused capacity on these drives sat there until someone upgraded the drive. With companies like Samsung and Intel releasing larger capacity drives, the extra storage capacity can now be utilized across all VMs.
A lot of people are calling this new feature the most important one since Windows NT. Nano Server is a low resource, GUI-less, no local login server that includes only the functions you need. Microsoft claims Nano Server has a 92% smaller footprint than the GUI installation option. Here a few reasons you should consider using it:
- Fewer updates means fewer reboots
- Increased server security due to small attack surface
- Small size makes it easy to port across other servers
- Complete remote management (after initial configuration)
I’ve noticed a few reviewers getting carried away to the point of claiming that Nano Server doesn’t require any updates. While it won’t require as many as its GUI counterpart, Microsoft does release the occasional update for it. You will need to use PowerShell and WMI to install updates. See this article for more details on how to apply Windows Updates to Nano Server.
Backups and Checkpoints
By making change tracking a feature of in Hyper-V, Microsoft has made it easier for third-party backup vendors to support Hyper-V. This is a welcome change as previous versions of Windows Server relied solely on VSS. Production checkpoints in Windows Server 2016 will still use VSS inside the VM. When applied, the VM will be restored from a backup and reboot, instead of being restored to a running state. This will be a big help for production workloads that rely on frequent snapshots.
These are a few of the improvements Microsoft has made to Hyper-V security in Windows Server 2016. When I look over the list of new features, it’s clear that Microsoft put a lot of work into the virtualization, security and compute areas of Windows Server 2016. It’s not a coincidence that these features match up well with what Microsoft is doing with Azure. To be blunt, Microsoft wants Azure to be your server in the cloud. Only time will tell how Microsoft plans to differentiate each product. What we know today is that both products are essential to the success of Microsoft.