Dec 17 2016

Windows Server 2016: New Release, Expanded Feature Sets (Part 2 of 3)


In our previous post we gave you an overview of the editions of Microsoft's cloud-oriented new server OS as well as the distinct installation options that exist for varying usage scenarios. Today, we'll talk about the most innovative central features in Windows Server 2016 Standard Edition – namely, Just Enough Administration/Just-in-Time Administration, Nested Virtualization, Containers, and an upgraded Windows Defender.

Just Enough Administration (JEA) and Just-in-Time Administration (JIT Administration)
JEA and its counterpart JIT Administration are technologies that help IT departments enforce their security policies by limiting server administrators' rights. The idea is to enable organizations to proactively prevent insider attacks by ill-willed employees and to mitigate the risks of the privileged access to hardware and data that admins need to perform their tasks. To this end, JEA expands the capabilities of role-based access control models within the server OS: on any server, it implements a "management endpoint" (more precisely, a PowerShell session endpoint) that specifies who can connect to it and whether it can be managed locally or remotely. Access rights are defined in a PowerShell Session Configuration file that lets security administrators map users and user groups to specific management roles, set up virtual accounts, and establish strict logging policies for any administrative action. Likewise, they may use Role Capability files to determine what exactly certain users and user groups can do; for instance, it's possible to restrict role capabilities to a pre-defined set of cmdlets, functions and external programs, or to apply generic role definitions such as "DNS admin" or "tier 1 helpdesk" where necessary. It's even possible to enable users to perform routine tasks, e.g. starting a server pool, without giving them any other administrative rights.

JIT Administration serves as a complement to JEA and enables security administrators to assign users to privileged groups or roles for exactly the limited amount of time that is needed to perform specific tasks, thus substantially minimizing (if not eliminating) the risks connected with permanent or semi-permanent access rights.
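The JEA setup described above, as an added example that is not part of the original post: a Role Capability file for a "tier 1 helpdesk" role and a Session Configuration file that maps a group to it, runs under a virtual account and writes transcripts. The module name, file paths, the group `CONTOSO\Tier1-Helpdesk`, the user `CONTOSO\alice` and the chosen service names are assumptions.

```powershell
# Added example. Module name, paths, group and user names are assumptions.
$module  = Join-Path $env:ProgramFiles 'WindowsPowerShell\Modules\HelpdeskJEA'
$roleDir = Join-Path $module 'RoleCapabilities'   # JEA looks for .psrc files in this subfolder
$jeaDir  = Join-Path $env:ProgramData 'JEA'
$logDir  = Join-Path $jeaDir 'Transcripts'
New-Item -ItemType Directory -Path $roleDir, $logDir -Force | Out-Null
New-ModuleManifest -Path (Join-Path $module 'HelpdeskJEA.psd1')

# Role Capability file: WHAT the role may do.
# Restart-Service is exposed, but only for two named services.
$visibleCmdlets = @(
    'Get-Service'
    @{ Name       = 'Restart-Service'
       Parameters = @{ Name = 'Name'; ValidateSet = 'Spooler', 'DNS' } }
)
New-PSRoleCapabilityFile -Path (Join-Path $roleDir 'Tier1Helpdesk.psrc') `
    -VisibleCmdlets $visibleCmdlets `
    -VisibleExternalCommands 'C:\Windows\System32\whoami.exe'

# Session Configuration file: WHO may connect, under which identity, with which logging.
$pssc = Join-Path $jeaDir 'Helpdesk.pssc'
New-PSSessionConfigurationFile -Path $pssc `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory $logDir `
    -RoleDefinitions @{ 'CONTOSO\Tier1-Helpdesk' = @{ RoleCapabilities = 'Tier1Helpdesk' } }

# Validate before registering; a broken file would otherwise fail at connect time.
if (-not (Test-PSSessionConfigurationFile -Path $pssc)) {
    throw "Invalid session configuration: $pssc"
}
Register-PSSessionConfiguration -Name 'Helpdesk' -Path $pssc -Force

# Review the effective command set for a given user before handing out access.
Get-PSSessionCapability -ConfigurationName 'Helpdesk' -Username 'CONTOSO\alice'
```

Members of the mapped group then connect with `Enter-PSSession -ComputerName <server> -ConfigurationName Helpdesk` and see only the listed commands; every session is recorded in the transcript directory.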

Nested Virtualization
Nested Virtualization means that users of Windows Server 2016 can now run Hyper-V instances inside of a Hyper-V virtual machine. Effectively, this gives server admins the opportunity to virtualize one or more Hyper-V hosts. This can be helpful in test and lab environments, for example if they want to test multiple machine setups without deploying actual hardware, or if it's necessary to run Hyper-V Containers on a virtualized host. To get there, administrators first have to set up a physical Hyper-V host running Windows Server 2016, then create a virtual machine (VM) on this server, and finally install Hyper-V with configuration version 8.0 or higher within this VM. However, the use of nested virtualization is limited to very specific scenarios, because right now it does not support third-party virtualization platforms and is incompatible with the Dynamic Memory and Runtime Memory Resize features of Windows Server.
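An added example (not from the original post) of preparing a VM for nested virtualization on the physical Hyper-V host: it checks the VM's configuration version, turns off Dynamic Memory because of the incompatibility noted above, and exposes the processor's virtualization extensions to the guest. The VM name `LabHost01` is hypothetical, and the `ExposeVirtualizationExtensions` setting is not mentioned on this page.

```powershell
# Added example. 'LabHost01' is a hypothetical VM name; run on the physical Hyper-V host.
$vmName = 'LabHost01'
$vm     = Get-VM -Name $vmName

# Collect blocking conditions first so nothing is changed on an unsuitable VM.
$problems = @()
if ([version]$vm.Version -lt [version]'8.0') {
    $problems += "Configuration version $($vm.Version) is below 8.0 (see Update-VMVersion)."
}
if ($vm.State -ne 'Off') {
    $problems += "VM is $($vm.State); processor settings can only be changed while it is Off."
}
if ($problems) { $problems | Write-Warning; return }

# Dynamic Memory is incompatible with nested virtualization, so use static memory.
if ($vm.DynamicMemoryEnabled) {
    Set-VMMemory -VMName $vmName -DynamicMemoryEnabled $false
}

# Let the guest see the hardware virtualization extensions so Hyper-V can run inside it.
Set-VMProcessor -VMName $vmName -ExposeVirtualizationExtensions $true

# Confirm the resulting settings.
Get-VMProcessor -VMName $vmName | Select-Object VMName, ExposeVirtualizationExtensions
Get-VMMemory    -VMName $vmName | Select-Object VMName, DynamicMemoryEnabled, Startup
```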

Containers
To make Windows Server more cloud- and mobile-friendly, the 2016 version introduces the new concept of Windows Containers. Containers are "isolated, resource controlled, and portable operating environment[s]" that basically provide sandboxes where applications can run "without affecting the rest of the system" and, in turn, without being affected by the system. In other words, they provide runtimes that help developers and admins to swiftly roll out new applications without having to undergo massive and prolonged tests. Windows Server 2016 supports two different container types: Windows Server Containers and Hyper-V Containers. Windows Server Containers use process and namespace isolation to achieve application isolation, but share a kernel with the container host and all containers running on the host. Hyper-V Containers expand the concept of isolation by deploying containers to optimized VMs that share nothing with their host. Both types of containers can fulfill functions that are largely identical with those of VMs, but without generating the same amount of overhead and complexity. They are therefore easier to deploy, manage and integrate into existing IT environments, thus helping organizations to become more agile and quickly respond to customer/user needs. The only limitation is that with Windows Server Standard, you only have two Hyper-V Containers available. For more details, please see Jose B. Rodriguez' introduction to Windows Containers at MSDN.

Windows Defender
As noted before, Windows Defender was first included in Windows Server 2012 R2. In the 2016 version, it's turned on by default, as is the UI on some SKUs. Windows Defender can be managed via WMI, PowerShell, or Group Policies; this includes management and installation options for malware definitions, which are delivered three times a day, every day of the week. These definitions also include automatic exclusions, which are applied in accordance with the individual server roles and features installed via the default path. To preserve server performance, automatic exclusions apply only to real-time protection scans, i.e. when a process accesses certain files or folders; scheduled and full scans still access all locations and data. Users who installed roles and features via a custom path or require manual control over the exclusions may opt out of automatic exclusions. For more details, please check out the corresponding TechNet article.

For more information about Windows Server 2016 and our related offerings, please check out our Windows Server microsite. Part 3 of this blog covers the most important improvements of the Datacenter Editions.

Carolin Hausmann


About the Author:

Carolin Hausmann

Marketing Specialist

