Select Page

Azure Cloud Security

Built-in Security Technologies

Secure fabric to protect your virtual machines and improve compliance.

Enhanced Security and Management Features

Secure your workloads with Windows Server 2016 and its enhanced security and management features in the fabric.

Use Shielded Virtual Machines to help secure applications only run on trusted fabrics. Limit administrator access to specific tasks with Just Enough Administration and specific time limits with Just-in-Time Administration.

Security technologies are built into the virtualization platform securing the basic building block of virtualized computing—the VM. Convert existing VMs to shielded VMs, including automated disk encryption.

Authorization & Authentication

  • Credential Guard uses virtualization-based security to help secure credential information.
  • Remote Credential Guard works in conjunction with Credential Guard for Remote Desktop Protocol (RDP) sessions to deliver Single Sign-On, eliminating the need to pass credentials to the RDP host.
  • Admins must create roles from outside the system, greatly reduced attack surface when compared to GUI Windows Server.
  • Hypervisor Manager communicates with remote hosts using the WS-MAN protocol, supporting CredSSP, Kerberos or NTLM authentication. Isolated secrets so only privileged system software can access them.


  • BitLocker uses a hardware or virtual Trusted Platform Module (TPM) chip to provide disk encryption for data and system volumes.
  • SMB encryption and signing protects against an attacker tampering with or eavesdropping on any packets.
  • Encryption for data at rest and in motion.
  • AES-128-GCM for twice the security and performance as AES-128-CCM.

Malware Protection

  • Isolate secrets so only privileged system software can access them.
  • Protection from malicious parties using a pass the hash attack for user credentials stored in memory.
  • Protection from a man-in-the-middle attack tampering with SMB’s connection establishment and authentication messages.
  • Windows Defender Antivirus on Windows Server 2016 automatically helps protect machines from malware while allowing legitimate applications to run.

Access Control

  • Dynamic Access Control enables administrators to apply access-control permissions and restrictions based on well-defined rules.
  • AppLocker provides policy-based access control management for applications.

Secure Boot

Protection From a Compromised Fabric

  • Shielded Virtual Machines make it harder for administrators and malware on the host to inspect, tamper with, or steal data from the state of a VM.
  • Include domain controllers and certificate servers in the shielded VM.
  • Securely troubleshoot and repair shielded VMs within a recovery environment on the fabric they normally run.
  • Uses BitLocker to encrypt disk and state of virtual machines.


  • Host Guardian Service helps ensure Hyper-V hosts running Shielded Virtual Machines are allowed and healthy hosts.
  • Shielded VMs run only on known, healthy hosts and data remains encrypted, even if a VM is accidentally leaked or stolen by a rogue administrator.
  • Device Guard helps ensure only authorized executables run on the machine.
  • Control Flow Guard helps protect against classes of memory corruption attacks.
  • Code integrity with Kernel Mode Code Integrity (KMCI) and User Mode Code Integrity (UMCI).

Code Signing

  • Restriction for drivers signed by a known signature (WHQL signed) and by whitelisting.
  • Ensure only trusted software runs on the server.
  • Encryption and virtual Trusted Platform Modules to ensure VMs only run on approved hosts and accessed only by authorized users.

Network Security

  • Dynamically segment network based on workload needs using distributed firewall and network security groups to apply rich policies within and across segments.
  • Windows Firewall Advanced Security allows granular firewall configuration
  • Layer enforcement by routing traffic to virtualized firewall appliances for even greater levels of security.


  • Built-in security components to help meet certification requirements, including SOX, ISO 27001, PCI DSS 3.2, and FedRAMP.
  • Enhanced auditing for threat detection provides better log information.