Top Five reasons why Identity Admins should look at Windows Server Insider Preview Build 16237

Yesterday, Microsoft made Windows Server Insider Preview Build 16237 available to the Windows Insiders and Windows Insiders for Business programs. This is the first preview build of the Redstone 3 (RS3) release of Windows Server vNext.

I’ve looked at this release, and as an Identity Admin, I feel this build has a lot to offer.
I condensed a short list of the top five reasons to look at Windows Server Insider Preview Build 16237:

 

1. SMB1 is disabled by default

Disabling version 1 of the Server Message Block (SMB) protocol is good news for security, because this version relies on weak hashing algorithms and has other vulnerabilities. Recently, a couple of these vulnerabilities were successfully exploited as part of WannaCry and Petya.

Microsoft disabling SMB1 by default in Windows Server therefore helps, especially since the SMB protocol plays an important role in Active Directory.

However, it might end up being a catastrophe when you rely on certain products in your networking infrastructure. Looking at Windows Server Insider Preview Build 16237 early provides plenty of time to move away from those products, including VMware vSphere 6.0, or at least to perform an impact analysis.

Note:
aka.ms/stillneedssmb1 lists known products that use SMB1 and will be affected when SMB1 is disabled.
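One way to start the impact analysis on servers you run today is to audit which clients still connect over SMB1. The script below is an added example, not part of the original post. It assumes Windows Server 2016 or later, an elevated PowerShell session, and English-language event text for the `Client Address:` match.

```powershell
# Added example: SMB1 impact analysis on an existing file server or Domain Controller.

# 1. Show whether the SMB1 server component and SMB1 access auditing are enabled.
Get-SmbServerConfiguration |
    Select-Object EnableSMB1Protocol, AuditSmb1Access

# 2. Enable SMB1 access auditing. This only logs SMB1 connections, it does not block them.
Set-SmbServerConfiguration -AuditSmb1Access $true -Force

# 3. After a representative period (include month-end jobs, backups, scanners),
#    read the SMB1 access events (ID 3000) from the SMB server audit log.
$filter = @{
    LogName = 'Microsoft-Windows-SMBServer/Audit'
    Id      = 3000
}
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Output 'No SMB1 access events logged in the audit window.'
    return
}

# 4. Summarize per client: how often it used SMB1 and when it was last seen.
$events |
    ForEach-Object {
        # Assumption: the message contains a line "Client Address: <value>"
        if ($_.Message -match 'Client Address:\s*(\S+)') {
            [pscustomobject]@{
                Client = $Matches[1]
                Time   = $_.TimeCreated
            }
        }
    } |
    Group-Object -Property Client |
    ForEach-Object {
        [pscustomobject]@{
            Client   = $_.Name
            Count    = $_.Count
            LastSeen = $_.Group | Sort-Object Time |
                       Select-Object -Last 1 -ExpandProperty Time
        }
    } |
    Sort-Object -Property Count -Descending |
    Format-Table -AutoSize
```

Each client address in the output is a device or product to check against the aka.ms/stillneedssmb1 list before SMB1 goes away.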

 

2. Improvements in time accuracy

When you think of Active Directory and Kerberos, you think of time synchronization. In Windows Server Insider Preview 16237, Microsoft made the following improvements:

  • Pressing EU regulations in 2018 require strict time precision and traceability. Win32tm improvements in Redstone 3 (RS3) support greater time accuracy, and jitter is removed from the measurements that calibrate the service.
  • New system event logging lets you archive time service data to support traceability compliance.
  • System Center monitoring now includes a new rule that lets you detect when a device within the networking environment is out of compliance.

 

3. Improved Branch Office Connectivity

Looking at networking, Windows Server Insider Preview Build 16237 promises a 2x throughput improvement for TCP and UDP performance in low latency intra-datacenter scenarios.

Thinking of low-latency intra-datacenter connections, the need for Active Directory sites regularly pops up. With significant throughput improvements, Active Directory replication should work better with Windows Server Insider Preview Build 16237.

 

4. Shielded VMs for Linux

Shielded Virtual Machines allow Active Directory admins to retake ownership of virtual Active Directory Domain Controllers. The only way, of course, is to shut virtualization admins and storage admins out of management tasks. Except for starting and stopping your virtual Domain Controllers, this is exactly what the Shielded VM feature in Hyper-V offers in Windows Server 2016. With Windows Server Insider Preview Build 16237, the Shielded VMs functionality is expanded to Linux. Now even more services can be given back to their respective owners, like your SIEM and TSCM admins.

 

5. Continuous Innovation

This is the first public preview release of Windows Server since Microsoft announced its departure from the long-term servicing channel (LTSC) model of Windows Server 2016 towards Semi-annual Channel releases.

While this allows for Microsoft to deliver continuous innovation, I feel IT departments should look early at new releases to assess their impact and benefits offered to the business. While it might feel like a good idea to stick with an LTSC-release of Windows Server for Active Directory Domain Controllers, for most organizations it might prove that semi-annual releases of Windows Server better align with System Center Current Branch and Azure Infrastructure-as-a-Service (IaaS).

On the other hand: Microsoft does not support in-place upgrades for Azure IaaS-based Virtual Machines and we don’t have guidance yet on whether this applies to Windows Server’s Semi-annual Channel, too.

 

Concluding

Windows Server Insider Preview 16237 offers a glimpse of the future of on-premises Active Directory and security. Looking at it early makes it easier to adopt the Semi-annual Channel changes coming to Windows Server vNext.
