Windows Server 2016 delivering Secure IaaS Microsegmentation


One of the primary objectives as a hoster is to provide secure, reliable and resilient virtualization services to your customers. While Hyper-V has a proven track record of delivering on all these values at hyper-scale, in datacenters globally, Windows Server 2016 takes this technology to the next level.

As one of its primary technology investment areas, Windows Server 2016 introduces industry-standards-based virtualization and software-level control of network traffic, breaking the data center into logical elements and managing them with high-level IT security policies. This helps to isolate access and limit the lateral movement of malicious activity if traditional perimeter security is breached. Microsegmentation is a security technology for which, in some ways, the keys are the same as for any data center network strategy, such as understanding traffic flow; but its policy-based nature adds further considerations for a manageable deployment.

The following sections explain these capabilities and also enumerate considerations that the Hosting Service Provider (HSP) Operations Administrator has to keep in mind while implementing this offer.

Operational Overview

A Microsegmented fabric consists of 'Network Controller' (NC), which is also a Windows 2016 Server role that is installed on one or more hosts within your fabric. The Network Controller provides a centralized, programmable point of automation to manage, configure, monitor, and troubleshoot virtual and physical network infrastructure in your datacenter. Using Network Controller, you can automate the configuration of network infrastructure instead of performing manual configuration of network devices and services.

The second element of the Microsegmented fabric is the set of Hyper-V hosts that are to be enabled with Software Defined Networking (SDN) functions. Using a networking filter in the Hyper-V Virtual Switch, all traffic passing from the virtual machines can be processed as normal transit traffic or exposed to software-based techniques that encapsulate the traffic to establish segmentation and enable a number of enhanced network capabilities, including filtering (firewalling), resulting in a very granular, yet centrally controlled, experience.

Operational Considerations

Start by implementing security rules and policies using a zero-trust approach (a complete lockdown of communications). Zero-trust principles should be followed throughout the microsegmentation deployment, so that communication across the network is only allowed selectively. This is the best practice to ensure both application connectivity and security.

As data centers are transforming from islands of hardware, each serving one business application, to a flat, shared grid of compute resources, the networks connecting them are also changing. This leads to the loss of the natural network segments that protected systems from lateral movement of threats inside the data center. So it should be no surprise that microsegmentation is no less necessary than before. With microsegmentation you're not only able to segment a network, but you're able to segment within a segment of your network, down to the individual system level – think of it like an Inception version of segmentation. Here an administrator can logically carve the network to control the traffic and assets within these smaller boundaries.

Tackling this challenge has usually involved sizeable investments in network virtualization infrastructure. In Windows Server 2016, the Software Defined Networking stack handles this right out of the box, permitting you to manage and orchestrate logical server groupings, combined with automating firewall changes on protected systems, delivering microsegmentation within your network without purchasing any additional hardware.

This implies:

  • You don't have to make coarse-grained network changes, install additional firewalls, or make an additional capital expenditure to achieve microsegmentation within your network.
  • The architecture of your network doesn't change and you won't need additional resources to manage the devices.
  • You get the flexibility and agility to make changes that isolate your network into zones that would previously require a network device to complete.

Because you are now able to dramatically reduce the network attack surface of your systems by taking segmentation to a level of granularity not feasible before, you can achieve deeper and improved security within your network. This technology also helps with passing your compliance audits from a network standpoint. When security is done right, compliance comes naturally.

With microsegmentation you'll be able to define zones in your network that follow best practices and assist with keeping the standards of the compliance you're regulated against. If there's an audit finding due to segmentation in your network, you'll be able to quickly adjust the rule sets by applying microsegmentation to the issue. Here you won't need to make a major network change, buy new hardware, re-IP your assets, or create outages due to segmentation occurring on your network gear.

Microsegmentation is a shift in thinking when it comes to segmentation. It creates opportunities for better security, compliance and improved flexibility in your network.

  1. Windows 2016 Network Controller

The diagram below depicts the Network Controller hosted as a highly available and scalable server role, providing one application programming interface (API) that allows Network Controller to communicate with the network, and a second API that allows you to communicate with Network Controller.

The role of each API from the Network Controller communication perspective is as follows:

  • Southbound API: With the Southbound API, Network Controller can discover network devices, detect service configurations, and gather all the information you need about the network. In addition, the Southbound API gives Network Controller a pathway to send information to the network infrastructure, such as configuration changes that you have made.
  • Northbound API: Allows you to configure, monitor, troubleshoot, and deploy new devices on the network by using Windows PowerShell, the Representational State Transfer (REST) API, or a management application with a graphical user interface, such as System Center Virtual Machine Manager and Open vSwitch.

You can deploy Network Controller in both domain and non-domain environments. In domain environments, Network Controller authenticates users and network devices by using Kerberos; in non-domain environments, you must deploy certificates for authentication.

Using Windows PowerShell, the Representational State Transfer (REST) API, or a management application, you can use Network Controller to manage the following physical and virtual network infrastructure:

  • Hyper-V VMs and virtual switches
  • Physical network switches
  • Physical network routers
  • Firewall software
  • VPN Gateways, including Remote Access Service (RAS) Multitenant Gateways
  • Load Balancers

Virtual Machine Workload Protection

When using microsegmentation for security you're able to reduce the attack surface within your network and limit what attackers can exploit. Using software-based segmentation as an overlay, on top of your current network, allows for a more flexible design with segmentation being used across the datacenter. This also allows for workload segmentation within layer 2 that would normally take a choke point to have filtered. Using segmentation that doesn't require static IP addresses allows for automation of security with the added benefit of allowing your architecture to continue being scalable and flexible.

Zero Trust Zones

Security is normally laid out to achieve filtering at choke points placed strategically throughout the network generally forcing traffic northbound for security filtering. This approach typically results in additional routing hops, the potential for a traffic bottleneck and scenarios of missed traffic that isn't within range of filtering by devices placed further north in your network stack. Normally, this segmentation is accomplished by layer 2 VLANs, with potentially large numbers of devices connected to any single segment.

Using software-based microsegmentation allows administrators to orchestrate the native firewalls already built in to all the servers and cloud workloads they're looking to add security and segmentation to, without being held back by old-school networking architecture. The Windows Server 2016 Virtual Network Filter, deployed by default to every host, is ready to protect all workloads; it is centrally configured through the Southbound API of the Network Controller, based solely on requests issued by administrators, who create custom filtering policies at a granular level through the Network Controller's Northbound API. No longer do you need a choke-point device to send traffic towards so that it can make these security decisions for you. As the firewalling is done on the workload itself, filtering can be as granular and as close to the target system as possible.

With these policies in place we have an opportunity to protect against malicious traffic hidden in the east-west traffic passing through the network. Currently, unless you have implemented SPAN (port mirroring) sessions gathering data from the layer 2 VLANs that segment this traffic, or have a filter passing traffic to a dedicated inspection device, this potentially malicious traffic would be invisible.

The objective we now strive to implement is the creation of zero-trust zones, which Forrester describes as zones that are "never trusted, always verified", meaning that today any traffic in your network has the potential to be malicious. Creating these zones in your network means that you must restrict your traffic to only what's needed between hosts. This also means that what is allowed through the policy should be filtered in case the traffic is malicious in nature. As an example, application servers on a VLAN typically have no need to speak to each other. In many cases these systems are speaking directly to the web tier, the database tier and potentially backup servers. In today's network, if all these application servers are on the same VLAN they have the unfettered ability to communicate with each other, even if they don't have a need to. This is how attackers can pivot through a network after compromising one host. With zero-trust zones an administrator can lock down how these application servers communicate and push policy to enforce it. When this is done, even though servers are on the same VLAN they won't be able to speak to each other. This is creating zero trust in your network.
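The application-tier zone described above, expressed as a Datacenter Firewall access control list pushed through the Network Controller's Northbound API with the NetworkController PowerShell module. This is an added example and not part of the original document; the REST endpoint name, the tier subnets and the service ports are assumed values, and the Datacenter Firewall is stateful, so return traffic for allowed flows needs no separate rule.

```powershell
# Added example: zero-trust ACL for an application tier using the Windows Server 2016
# Datacenter Firewall cmdlets of the NetworkController module.
# Assumed values: REST endpoint, tier subnets and service ports.
$ncUri   = "https://networkcontroller.contoso.com"   # assumed REST endpoint
$webTier = "10.10.1.0/24"                             # assumed web tier subnet
$appTier = "10.10.2.0/24"                             # assumed application tier subnet
$dbTier  = "10.10.3.0/24"                             # assumed database tier subnet

# Build one AclRule object. Rules are evaluated in ascending Priority order.
function New-AclRule {
    param(
        [string]$Id, [string]$Type, [string]$Action, [string]$Protocol,
        [string]$Source, [string]$Destination, [string]$DestPorts, [int]$Priority
    )
    $p = New-Object Microsoft.Windows.NetworkController.AclRuleProperties
    $p.Type                     = $Type        # Inbound or Outbound (relative to the VM NIC)
    $p.Action                   = $Action      # Allow or Deny
    $p.Protocol                 = $Protocol    # TCP, UDP or All
    $p.SourceAddressPrefix      = $Source
    $p.DestinationAddressPrefix = $Destination
    $p.SourcePortRange          = "0-65535"
    $p.DestinationPortRange     = $DestPorts
    $p.Priority                 = "$Priority"
    $p.Logging                  = "Enabled"    # log hits so allowed flows remain visible
    $rule = New-Object Microsoft.Windows.NetworkController.AclRule
    $rule.ResourceId = $Id
    $rule.Properties = $p
    return $rule
}

$rules = @(
    # Only the web tier may reach the app tier, and only on the service port (assumed 8080).
    (New-AclRule -Id "AllowWebToApp"   -Type Inbound  -Action Allow -Protocol TCP -Source $webTier -Destination $appTier -DestPorts "8080"    -Priority 1000),
    # App servers may open SQL connections to the database tier (assumed TCP 1433).
    (New-AclRule -Id "AllowAppToDb"    -Type Outbound -Action Allow -Protocol TCP -Source $appTier -Destination $dbTier  -DestPorts "1433"    -Priority 1100),
    # App servers on the same subnet/VLAN must not talk to each other. The default deny below
    # would catch this too; an explicit rule makes the intent visible and gives it its own log entries.
    (New-AclRule -Id "DenyAppToApp"    -Type Inbound  -Action Deny  -Protocol All -Source $appTier -Destination $appTier -DestPorts "0-65535" -Priority 2000),
    # Default deny in both directions: anything not listed above is dropped and logged.
    (New-AclRule -Id "DenyAllInbound"  -Type Inbound  -Action Deny  -Protocol All -Source "*"      -Destination "*"      -DestPorts "0-65535" -Priority 60000),
    (New-AclRule -Id "DenyAllOutbound" -Type Outbound -Action Deny  -Protocol All -Source "*"      -Destination "*"      -DestPorts "0-65535" -Priority 60001)
)

$aclProps = New-Object Microsoft.Windows.NetworkController.AccessControlListProperties
$aclProps.AclRules = $rules

# Publish the ACL through the Northbound API. It is then referenced from the
# application-tier virtual subnet or from individual network interfaces.
New-NetworkControllerAccessControlList -ConnectionUri $ncUri -ResourceId "AppTier-ZeroTrust" -Properties $aclProps

# Read the ACL back and confirm the controller stores what was sent.
$acl = Get-NetworkControllerAccessControlList -ConnectionUri $ncUri -ResourceId "AppTier-ZeroTrust"
$acl.Properties.AclRules |
    Select-Object ResourceId,
        @{ n = 'Type';     e = { $_.Properties.Type } },
        @{ n = 'Action';   e = { $_.Properties.Action } },
        @{ n = 'Priority'; e = { $_.Properties.Priority } }
```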

Example Scenario

Contoso Inc. is looking to deliver secure IaaS services to its customer base, enabling new offerings for customers where data security and regulatory restrictions are of paramount importance.

The new offering will complement the existing IaaS options by adding two additional classes of protection, Encryption and Shielding.

The solution will support the following capabilities:

  • Familiar IaaS Deployment experience
  • Protection Information will be provided by the tenant as an encrypted file
  • Tenant can select the protection level for their Virtual Machines
  • Existing Virtual Machines can be 'Protected'

Deployment configurations

The following configurations will be deployed using Windows Server 2016 to provision the Secure IaaS example environment:

  • Hyper-V Host
  • Guest Workload

Lab Requirements

To successfully execute the scenarios in the next sections, the following requirements need to be met:

  • Virtual or Physical Servers; for High Availability, a 3-node physical cluster is recommended.
  • Windows Server 2016 Datacenter

Setup Microsegmented Fabric

Install the Network Controller server role

You can use this procedure to install the Network Controller server role on a physical or virtual machine. Membership in Administrators, or equivalent, is the minimum required to perform this procedure.

To install Network Controller by using Windows PowerShell, type the following commands at a Windows PowerShell prompt.

Install-WindowsFeature -Name NetworkController -IncludeManagementTools

Installation of Network Controller requires that you restart the computer. To do so, type the following command, and then press ENTER.


Configure the Network Controller cluster

The Network Controller cluster provides high availability and scalability to the Network Controller application, which you can configure after creating the cluster, and which is hosted on top of the cluster.

You can create a Network Controller cluster by creating a node object and then configuring the cluster.

Create a node object

You need to create a node object for each computer or VM that is a member of the Network Controller cluster.

As we consider the configuration, we should pay attention to identifying the fault domain of each server that we add to the cluster. This permits us to identify the servers that might experience failure at the same time within the cluster, possibly due to shared physical dependencies such as power and networking sources. Fault domains typically represent hierarchies that are related to these shared dependencies, with more servers likely to fail together from a higher point in the fault domain tree. During runtime, Network Controller considers the fault domains in the cluster and attempts to spread out the Network Controller services so that they are in separate fault domains. This process helps ensure that, in case of failure of any one fault domain, the availability of each service and its state is not compromised.

To create a node object, we will use the New-NetworkControllerNodeObject command, and provide a subset of parameters to define our configuration as follows:

  • Name: Specifies the friendly name of the server that you want to add to the cluster.
  • Server: Specifies the host name, Fully Qualified Domain Name (FQDN), or IP address of the server that you want to add to the cluster. For domain-joined computers, FQDN is required.
  • FaultDomain: Specified in a hierarchical format. For example "Fd:/DC1/Rack1/Host1", where DC1 is the datacenter name, Rack1 is the rack name and Host1 is the name of the host where the node is placed.
  • RestInterface: Specifies the name of the interface on the node where the Representational State Transfer (REST) communication is terminated. This Network Controller interface receives Northbound API requests from the network's management layer.
  • NodeCertificate: Identifies the certificate that Network Controller uses for computer authentication. The certificate is required if you use certificate-based authentication for communication within the cluster; the certificate is also used for encryption of traffic between Network Controller services. The certificate subject name must be same as the DNS name of the node.

New-NetworkControllerNodeObject -Name <string> -Server <String> -FaultDomain <string> -RestInterface <string> [-NodeCertificate <X509Certificate2>]

Configure the cluster

To configure the cluster, we will leverage the Install-NetworkControllerCluster command, and a set of parameters defining our environment.

Prior to executing this command, especially in a production environment we should deploy a certificate to each of the nodes which will be participating in the cluster, with the purpose of encrypting passwords. Each of these appropriate nodes will require that the same certificate is present to be successfully utilized. Without this certificate, credentials will be stored in clear text.

The following table provides descriptions for each parameter of the Install-NetworkControllerCluster command.

  • ClusterAuthentication: This parameter specifies the authentication type that is used for securing the communication between nodes and is also used for encryption of traffic between Network Controller services. The supported values are 'Kerberos', 'X509' and 'None'.
    • Kerberos authentication uses domain accounts and can only be used if the Network Controller nodes are domain joined.
    • For X509-based authentication, you must provide a certificate in the NetworkControllerNode object. In addition, you must manually provision the certificate before you run this command.
  • ManagementSecurityGroup: Specifies the name of the security group that contains users that are allowed to run the management cmdlets from a remote computer. This is only applicable if ClusterAuthentication is 'Kerberos'. You must specify a domain security group and not a security group on the local computer.
  • Node: The list of Network Controller nodes that you created by using the New-NetworkControllerNodeObject command.
  • DiagnosticLogLocation: The share location where the diagnostic logs are periodically uploaded. If you do not specify a value for this parameter, the logs are stored locally on each node.
  • LogLocationCredential: Specifies the credentials that are required for accessing the share location where the logs are stored.
  • CredentialEncryptionCertificate: Identifies the certificate that Network Controller uses to encrypt the credentials that are used to access Network Controller binaries and the 'LogLocationCredential', if specified.

Install-NetworkControllerCluster -Node <NetworkControllerNode[]> -ClusterAuthentication <ClusterAuthentication> [-ManagementSecurityGroup <string>] [-DiagnosticLogLocation <string>] [-LogLocationCredential <PSCredential>] [-CredentialEncryptionCertificate <X509Certificate2>] [-Credential <PSCredential>] [-CertificateThumbprint <String>] [-UseSSL] [-ComputerName <string>]

Configure the Network Controller application

To configure the Network Controller application, the Install-NetworkController command will be utilized. Again, depending on our implementation, we must ensure that we identify the parameters that are appropriate for our deployment.

  • ClientAuthentication: Specifies the authentication type that is used for securing the communication between REST and Network Controller. The supported values are 'Kerberos', 'X509' and 'None'.
    • Kerberos authentication uses domain accounts and can only be used if the Network Controller nodes are domain joined.
    • For X509-based authentication, you must provide a certificate in the NetworkControllerNode object. In addition, you must manually provision the certificate before you run this command.
  • Node: The Node parameter specifies the list of Network Controller nodes that you created by using the New-NetworkControllerNodeObject command.
  • ClientCertificateThumbprint: This parameter is required only when you are using certificate-based authentication for Network Controller clients. The ClientCertificateThumbprint parameter specifies the thumbprint of the certificate that is enrolled to clients on the Northbound layer.
  • ServerCertificate: Specifies the certificate that Network Controller uses to prove its identity to clients. The server certificate must include the Server Authentication purpose in Enhanced Key Usage extensions, and must be issued to Network Controller by a CA that is trusted by clients.
  • RESTIPAddress: This parameter must be specified for all multiple-node Network Controller deployments when all of the nodes are on the same subnet. If nodes are on different subnets, you must use the RestName parameter instead of RESTIPAddress. Single-node deployments do not require this parameter.
    • You do not need to specify a value for RESTIPAddress with a single node deployment of Network Controller.
    • For multiple-node deployments, the RESTIPAddress parameter specifies the IP address of the REST endpoint in CIDR notation. For example,
    • The Subject Name value of ServerCertificate must resolve to the value of the RESTIPAddress parameter.
  • RestName: Used only for multiple-node deployments which have nodes that are on different subnets. The RestName parameter specifies the FQDN for the Network Controller cluster.
  • ClientSecurityGroup: Specifies the name of the Active Directory security group whose members are Network Controller clients. This parameter is required only if you use Kerberos authentication for ClientAuthentication. The security group must contain the accounts from which the REST APIs are accessed, and you must create the security group and add members before running this command.

Install-NetworkController -Node <NetworkControllerNode[]> -ClientAuthentication <ClientAuthentication> [-ClientCertificateThumbprint <string[]>] [-ClientSecurityGroup <string>] -ServerCertificate <X509Certificate2> [-RESTIPAddress <String>] [-RESTName <String>] [-Credential <PSCredential>] [-CertificateThumbprint <String>] [-UseSSL]

After you complete the configuration of the Network Controller application, your deployment of Network Controller is complete.
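The certificate and naming requirements listed in the cluster and application steps above (node certificate subject equal to the node DNS name, Server Authentication EKU on the server certificate, a trusted issuer, a private key on the node, and a ServerCertificate subject that resolves to the RESTIPAddress) can be checked on a node before running Install-NetworkController. The following is an added example and not part of the original document; the node name, REST name and REST IP address are assumed values.

```powershell
# Added example: pre-flight checks for the Network Controller certificate requirements
# described above. Run on a Network Controller node before Install-NetworkController.
# Assumed values: node name, REST name and REST IP address.
function Test-NcCertificate {
    param(
        [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [Parameter(Mandatory)][string]$ExpectedName,  # node DNS name (NodeCertificate) or REST name (ServerCertificate)
        [switch]$RequireServerAuth                     # ServerCertificate must carry the Server Authentication EKU
    )
    $findings = @()

    # Subject name must equal the DNS name the certificate is presented for.
    $dnsName = $Certificate.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
    if ($dnsName -ne $ExpectedName) { $findings += "subject name '$dnsName' does not match '$ExpectedName'" }

    # Enhanced Key Usage must contain Server Authentication (OID 1.3.6.1.5.5.7.3.1).
    if ($RequireServerAuth) {
        $eku = $Certificate.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        $hasServerAuth = $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' })
        if (-not $hasServerAuth) { $findings += "missing Server Authentication EKU" }
    }

    # Without the private key the node cannot use the certificate for TLS or credential encryption.
    if (-not $Certificate.HasPrivateKey) { $findings += "no private key for this certificate on this node" }

    # Validity window and chain: clients only trust a certificate issued by a CA they trust.
    if ($Certificate.NotAfter -lt (Get-Date)) { $findings += "certificate expired on $($Certificate.NotAfter)" }
    if (-not $Certificate.Verify()) { $findings += "certificate chain does not validate on this node" }

    return $findings
}

# Assumed deployment values
$nodeName = "nc01.contoso.com"
$restName = "networkcontroller.contoso.com"
$restIp   = "10.0.0.50"

$nodeCert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -eq "CN=$nodeName" } | Select-Object -First 1
$restCert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -eq "CN=$restName" } | Select-Object -First 1

$problems = @()
if ($nodeCert) { $problems += Test-NcCertificate -Certificate $nodeCert -ExpectedName $nodeName }
else           { $problems += "no certificate with subject CN=$nodeName in LocalMachine\My" }

if ($restCert) { $problems += Test-NcCertificate -Certificate $restCert -ExpectedName $restName -RequireServerAuth }
else           { $problems += "no certificate with subject CN=$restName in LocalMachine\My" }

# The ServerCertificate subject name must resolve to the RESTIPAddress value.
$resolved = @(Resolve-DnsName -Name $restName -Type A -ErrorAction SilentlyContinue | ForEach-Object { $_.IPAddress })
if ($resolved -notcontains $restIp) { $problems += "$restName resolves to '$($resolved -join ',')', not to $restIp" }

if ($problems) { $problems | ForEach-Object { Write-Warning $_ } }
else           { Write-Host "Certificate and name checks passed for $nodeName / $restName" }
```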

Network Controller deployment validation

To validate your Network Controller deployment, you can add a credential to the Network Controller and then retrieve the credential.

If you are using Kerberos as the ClientAuthentication mechanism, membership in the ClientSecurityGroup that you created is the minimum required to perform this procedure.

To validate deployment of Network Controller

On a client computer, if you are using Kerberos as the ClientAuthentication mechanism, log on with a user account that is a member of your ClientSecurityGroup.

Open Windows PowerShell and type the following commands to add a credential to Network Controller.

$cred=New-Object Microsoft.Windows.Networkcontroller.credentialproperties




New-NetworkControllerCredential -ConnectionUri https://networkcontroller -Properties $cred -ResourceId cred1

To retrieve the credential that you added to Network Controller.

$netProperties = Get-NetworkControllerCredential -ConnectionUri https://networkcontroller -ResourceId cred1

Review the command output, which should be similar to the following example output.


Tags :

ResourceRef : /credentials/cred1

CreatedTime : 1/1/0001 12:00:00 AM

InstanceId : e16ffe62-a701-4d31-915e-7234d4bc5a18

Etag : W/"1ec59631-607f-4d3e-ac78-94b0822f3a9d"

ResourceMetadata :

ResourceId : cred1

Properties : Microsoft.Windows.NetworkController.CredentialProperties

We can also inspect the output of the command by using the dot operator to list the properties of the credential.


Additional Windows PowerShell commands for Network Controller

After you deploy Network Controller, you can use Windows PowerShell commands to manage and modify your deployment.


PowerShell Command Structure

Modify Network Controller cluster settings

Set-NetworkControllerCluster [-ManagementSecurityGroup <string>] [-Credential <PSCredential>] [-ComputerName <string>] [-CertificateThumbprint <String>] [-UseSSL]

Modify Network Controller application settings

Set-NetworkController [-ClientAuthentication <ClientAuthentication>] [-Credential <PSCredential>] [-ClientCertificateThumbprint <string[]>] [-ClientSecurityGroup <string>] [-ServerCertificate <X509Certificate2>] [-RestIPAddress <String>] [-ComputerName <String>] [-CertificateThumbprint <String>] [-UseSSL]

Modify Network Controller node settings

Set-NetworkControllerNode -Name <string> [-RestInterface <string>] [-NodeCertificate <X509Certificate2>] [-Credential <PSCredential>] [-ComputerName <string>] [-CertificateThumbprint <String>] [-UseSSL]

Modify Network Controller diagnostic settings

Set-NetworkControllerDiagnostic [-LogScope <string>] [-DiagnosticLogLocation <string>] [-LogLocationCredential <PSCredential>] [-UseLocalLogLocation] [-LogLevel <loglevel>] [-LogSizeLimitInMBs <uint32>] [-LogTimeLimitInDays <uint32>] [-Credential <PSCredential>] [-ComputerName <string>] [-CertificateThumbprint <String>] [-UseSSL]

Remove the Network Controller application

Uninstall-NetworkController [-Credential <PSCredential>] [-ComputerName <string>] [-CertificateThumbprint <String>] [-UseSSL]

Remove the Network Controller cluster

Uninstall-NetworkControllerCluster [-Credential <PSCredential>] [-ComputerName <string>] [-CertificateThumbprint <String>] [-UseSSL]

Add a node to the Network Controller cluster

Add-NetworkControllerNode -FaultDomain <String> -Name <String> -RestInterface <String> -Server <String> [-CertificateThumbprint <String>] [-ComputerName <String>] [-Credential <PSCredential>] [-Force] [-NodeCertificate <X509Certificate2>] [-PassThru] [-UseSsl]

Disable a Network Controller cluster node

Disable-NetworkControllerNode -Name <String> [-CertificateThumbprint <String>] [-ComputerName <String>] [-Credential <PSCredential>] [-PassThru] [-UseSsl]

Enable a Network Controller cluster node

Enable-NetworkControllerNode -Name <String> [-CertificateThumbprint <String>] [-ComputerName <String>] [-Credential <PSCredential>] [-PassThru] [-UseSsl]

Remove a Network Controller node from a cluster

Remove-NetworkControllerNode [-CertificateThumbprint <String>] [-ComputerName <String>] [-Credential <PSCredential>] [-Force] [-Name <String>] [-PassThru] [-UseSsl]

Sample Network Controller configuration script

The following sample configuration script shows how to create a multi-node Network Controller cluster and install the Network Controller application. In addition, the $cert variable selects a certificate from the local computer certificate store that matches the subject name string "".

$a = New-NetworkControllerNodeObject -Name Node1 -Server -FaultDomain fd:/rack1/host1 -RestInterface Internal

$b = New-NetworkControllerNodeObject -Name Node2 -Server -FaultDomain fd:/rack1/host2 -RestInterface Internal

$c = New-NetworkControllerNodeObject -Name Node3 -Server -FaultDomain fd:/rack1/host3 -RestInterface Internal

$cert = Get-Item Cert:\LocalMachine\My | Get-ChildItem | Where-Object { $_.Subject -imatch "" }

Install-NetworkControllerCluster -Node @($a,$b,$c) -ClusterAuthentication Kerberos -DiagnosticLogLocation \\share\Diagnostics -ManagementSecurityGroup Contoso\NCManagementAdmins -CredentialEncryptionCertificate $cert

Install-NetworkController -Node @($a,$b,$c) -ClientAuthentication Kerberos -ClientSecurityGroup Contoso\NCRESTClients -ServerCertificate $cert -RestIpAddress