The top 10 features of Windows Server 2016

Compared to the previous version, Windows Server 2016 focuses more on cloud and virtualization. The top 10 features of the 2016 version are as follows:

1. Windows Nano Server

Nano Server is a pared-down headless version (no local login) of Windows Server. Nano Server will have a 93% smaller VHD size, 92% fewer critical bulletins and 80% fewer required reboots. Nano Server is a Windows Server installation option and it’s completely headless – there’s no GUI and no command prompt. Nano Server is designed to run Hyper-V, Hyper-V clusters, Scale-Out File Servers (SOFSs) and cloud service applications.

2. Windows Server Containers and Hyper-V Containers

The next biggest change in Windows Server 2016 will be support for containers. Containers enable you to isolate your applications from the underlying OS, improving the deployment and reliability of those applications. Windows Server 2016 will provide two kinds of native containers: Windows Server Containers and Hyper-V Containers. Windows Server Containers are isolated from each other, but they run directly on the Windows Server 2016 OS. Hyper-V Containers provide enhanced isolation by running the containers from a Hyper-V VM.

3. Docker Support

Docker is an open-source engine that’s used for building, running and managing containers. Docker containers were originally built for Linux but the next version of Windows Server will provide built-in support for the Docker engine as well. A new open-source Docker engine project has been built for Windows Server with Microsoft participating as an active open source community member. You can use Docker to manage Windows Server and Hyper-V Containers.

4. Rolling upgrades for Hyper-V and Storage clusters

One of the biggest new changes for Hyper-V in Windows Server 2016 is rolling upgrades for Hyper-V clusters. The new rolling upgrades feature allows you to add a new Windows Server 2016 node to a Hyper-V cluster with nodes that are running Windows Server 2012 R2. The cluster will continue to run at the Windows Server 2012 R2 functional level until all of the cluster nodes have been upgraded to Windows Server 2016. When the cluster has mixed-level nodes, management must be done from Windows Server 2016 or Windows 10. New VMs on a mixed cluster will be compatible with the Windows Server 2012 R2 feature set.

5. Hot add & remove of virtual memory and network adapters

Another great new feature in Windows Server 2016 Hyper-V is the ability to add and remove virtual memory and virtual network adapters while the virtual machine is running. In previous releases, you needed to use dynamic memory to change the minimum and maximum RAM settings of a VM that is running. Windows Server 2016 enables you to change the allocated RAM while the VM is active, even if the VM is using static memory. Likewise, you can add and remove network adapters while the VM is running.

6. Nested virtualization

Added primarily for the new container support, Windows Server 2016’s nested virtualization capabilities will also be a handy addition for training and lab scenarios. With this new feature, you are no longer limited to running the Hyper-V role on a physical server. Nested virtualization enables you to run Hyper-V within a Hyper-V virtual machine.

7. PowerShell Direct

PowerShell is a great management automation tool, but it can be complicated to get it to run remotely against your VMs. You need to worry about security policies, firewall configurations, and your host networking configuration. PowerShell Direct enables you to run PowerShell commands in the guest OS of a VM without needing to go through the network layers. Like VMConnect (the remote console support provided by the Hyper-V Manager), it requires zero configuration: it connects directly to the guest VM, and all you need are authentication credentials for the VM’s guest OS.

8. Linux Secure Boot

Another new feature in Windows Server 2016 Hyper-V is the ability to enable Secure Boot for VMs with Linux guest operating systems. Secure Boot is a feature of the UEFI firmware specification incorporated in Generation 2 VMs that protects the VM’s hardware kernel mode code from being attacked by rootkits and other boot-time malware. Previously, Generation 2 VMs supported Secure Boot for Windows 8/8.1 and Windows Server 2012 VMs but not VMs running Linux.

9. New Host Guardian Service and Shielded VMs

The Host Guardian Service is a new role in Windows Server 2016 that enables shielded virtual machines and protects the data on them from unauthorized access – even from Hyper-V administrators. Shielded VMs can be created using the Azure Management Pack Portal. Standard VMs can also be converted to Shielded VMs. With Shielded VMs, Hyper-V virtual disks can be encrypted with BitLocker.

10. Storage Spaces Direct

Windows Server 2016 also has a number of storage system improvements; one of the most important is the new Storage Spaces Direct feature. Storage Spaces Direct is the evolution of the previous Storage Spaces technology found in Windows Server 2012 R2. Windows Server 2016 Storage Spaces Direct allows a cluster to access JBOD storage in an external enclosure like Windows Server 2012 R2, or it can also allow access to JBOD and SAS disks that are internal to the cluster nodes. Like the previous release, Storage Spaces form the basis for Storage Pools and they support both SSD and HDD disks and data tiering.

Source: itprotoday

Stop using the insecure SMBv1/SMB1 protocol

The recent WannaCry ransomware outbreak spread because of a vulnerability in one of the internet’s most ancient networking protocols, Server Message Block version 1 (aka SMBv1 / SMB 1).

Barry Feigenbaum originally designed SMB at IBM. Microsoft has made considerable modifications to the most commonly used version. Microsoft merged the SMB protocol with the LAN Manager product.

The original SMB1 protocol is nearly 30 years old, and like much of the software made in the 80’s, it was designed for a world that no longer exists: a world without malicious actors, without vast sets of important data, without near-universal computer usage. Frankly, its naivete is staggering when viewed through modern eyes.

The Server Message Block, or SMB, protocol is a file sharing protocol that allows operating systems and applications to read and write data to a system. It also allows a system to request services from a server.

This is the protocol mainly used for providing shared access to files, printers, and serial ports and miscellaneous communications between nodes on a network.

In computer networking, Server Message Block (SMB), one version of which was also known as Common Internet File System (CIFS), operates as an application-layer network protocol.

There have been numerous vulnerabilities tied to the use of Windows SMB v1, including remote code execution and denial-of-service exploits. These two kinds of vulnerability can leave a system crippled, or allow attackers to compromise a system that uses this vulnerable protocol.

Protocol Version    Windows OS
SMB 1               Windows 2000, Windows 2003, Windows XP
SMB 2               Windows Server 2008 and Windows Vista SP1
SMB 2.1             Windows Server 2008 R2 and Windows 7
SMB 3.0             Windows Server 2012 and Windows 8
SMB 3.0.2           Windows Server 2012 R2 and Windows 8.1
SMB 3.1.1           Windows Server 2016 and Windows 10

SMB 1 protocol permits man-in-the-middle exploits and it “isn’t safe” to use. An attacker can use SMB 2 to pull information from the insecure SMB 1 protocol if it exists in a network.

The nasty bit is that no matter how you secure all these things if 
your clients use SMB1, then a man-in-the-middle can tell your client
to ignore all the above. All they need to do is block SMB2+ on 
themselves and answer to your server's name or IP. Your client will 
happily derp away on SMB1 and share all its darkest secrets unless
you required encryption on that share to prevent SMB1 in the first 
place. This is not theoretical-- we've seen it.

                 ~ Ned Pyle, a Principal Program Manager, Microsoft

 

How to remove SMBv1/SMB1 in Windows OS?

Windows 8.1 and Windows 10:

Method-1: Open Control Panel (just start typing Control in the search box to find its shortcut quickly). Click Programs, and then click Turn Windows features on or off (under the Programs heading). Or

Start –> Run –> Type appwiz.cpl –> press enter –> Click Turn Windows features on or off

Clear the check box for SMB 1.0/CIFS File Sharing Support. That’s it; you’re protected.

Method-2: Open a Windows PowerShell prompt with administrative privileges. (In the Windows 10 Creators Update, version 1703, right-click the Start button and choose Windows PowerShell (Admin) from the Quick Link menu. If you’re running an earlier Windows 10 version, enter Windows PowerShell in the search box, then right-click the Windows PowerShell shortcut and click Run as administrator.) From that elevated PowerShell prompt, type the following command:

Disable-WindowsOptionalFeature -Online -FeatureName smb1protocol

Press Enter and you’re done.

Note: You must restart the computer after you make these changes.

Windows Server 2012 R2 and Windows Server 2016:

Method-1: Launch Server Manager from Command Line.

Press the Windows key + R to open the Run box, or open the Command Prompt. Type ServerManager and press Enter.

Or Launch Server Manager from Taskbar

On Server, the Server Manager approach:

Method-2: On Server, the PowerShell approach (Remove-WindowsFeature FS-SMB1):

Remove-WindowsFeature -Name FS-SMB1

On legacy operating systems:

When using operating systems older than Windows 8.1 and Windows Server 2012 R2, you can’t remove SMB1 – but you can disable it.

Windows 8 and Windows Server 2012:

Windows 8 and Windows Server 2012 introduce the new Set-SMBServerConfiguration Windows PowerShell cmdlet. The cmdlet enables you to enable or disable the SMBv1, SMBv2, and SMBv3 protocols on the server component. (A cmdlet is a lightweight command that is used in the Windows PowerShell environment.)

  • To disable SMBv1 on the SMB server, run the following cmdlet:

Set-SmbServerConfiguration -EnableSMB1Protocol $false

  •  To enable SMBv1 on the SMB server, run the following cmdlet:

Set-SmbServerConfiguration -EnableSMB1Protocol $true

Windows Server 2008 R2 and Windows Server 2008:

To enable or disable SMB protocols on an SMB Server that is running Windows 7, Windows Server 2008 R2, Windows Vista, or Windows Server 2008, use Windows PowerShell or Registry Editor.

Windows PowerShell 2.0 or a later version of PowerShell

  • To disable SMBv1 on the SMB server, run the following cmdlet:

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB1 -Type DWORD -Value 0 -Force

  • To enable SMBv1 on the SMB server, run the following cmdlet:

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB1 -Type DWORD -Value 1 -Force

Note: You must restart the computer after you make these changes.

Registry Editor:

Important

This article contains information about how to modify the registry. Make sure that you back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. For more information about how to back up, restore, and modify the registry, click the following article number to view the article in the Microsoft Knowledge Base: 322756 How to back up and restore the registry in Windows

To enable or disable SMBv1 on the SMB server, configure the following registry key:

Registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
Registry entry: SMB1
REG_DWORD: 0 = Disabled
REG_DWORD: 1 = Enabled
Default: 1 = Enabled

Windows Vista, Windows 7, and Windows 8:

  • To disable SMBv1 on the SMB client, run the following commands:

sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi
sc.exe config mrxsmb10 start= disabled

  • To enable SMBv1 on the SMB client, run the following commands:

sc.exe config lanmanworkstation depend= bowser/mrxsmb10/mrxsmb20/nsi
sc.exe config mrxsmb10 start= auto
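
A read-only check to confirm the result of the steps above, added here as an example and not part of the original article: it reports the state of each setting the page changes (the SMB1Protocol optional feature, the FS-SMB1 server feature, EnableSMB1Protocol or the SMB1 registry value, and the mrxsmb10 client driver). The function name Get-Smb1Status is hypothetical, and the driver Start values (2 = auto, 4 = disabled) are the standard Windows service start types rather than something stated on the page.

```powershell
# Added example (not from the original article): read-only SMBv1 audit.
# Get-Smb1Status is a hypothetical helper name; run from an elevated prompt.
function Get-Smb1Status {
    $r = @{ ComputerName = $env:COMPUTERNAME }

    # Windows 8.1/10 and Server 2012 R2/2016: optional feature state.
    try {
        $f = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction Stop
        $r.OptionalFeature = if ($f) { [string]$f.State } else { 'n/a' }
    } catch { $r.OptionalFeature = 'n/a' }

    # Server 2012 R2/2016: FS-SMB1 feature (Installed, Available or Removed).
    try {
        $w = Get-WindowsFeature -Name FS-SMB1 -ErrorAction Stop
        $r.ServerFeature = if ($w) { [string]$w.InstallState } else { 'n/a' }
    } catch { $r.ServerFeature = 'n/a' }

    # SMB server: cmdlet on Windows 8 / Server 2012 and later, registry before that.
    try {
        $cfg = Get-SmbServerConfiguration -ErrorAction Stop
        $r.ServerSmb1Enabled = [bool]$cfg.EnableSMB1Protocol
    } catch {
        $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
        $p = Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue
        # A missing SMB1 value means the default, 1 = Enabled.
        $r.ServerSmb1Enabled = (-not $p) -or ($p.SMB1 -ne 0)
    }

    # SMB client: mrxsmb10 driver start type (2 = auto, 4 = disabled) and
    # whether LanmanWorkstation still lists it as a dependency.
    $svc = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    $d = Get-ItemProperty -Path "$svc\mrxsmb10" -Name Start -ErrorAction SilentlyContinue
    $dep = (Get-ItemProperty -Path "$svc\LanmanWorkstation").DependOnService
    $r.ClientDriverStart = if ($d) { $d.Start } else { 'absent' }
    $r.ClientDependsOnSmb1 = $dep -contains 'mrxsmb10'
    $r.ClientSmb1Enabled = [bool]$d -and ($d.Start -ne 4)

    New-Object PSObject -Property $r
}

Get-Smb1Status | Format-List
```

On a host where the steps above have been applied, ServerSmb1Enabled and ClientSmb1Enabled should both read False.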

Source: Microsoft, zdnet, technet.microsoft, redmondmag, top-password, techtarget, windowsitpro