Overview of Changes and New Security Features in Windows Server 2025

The release of Windows Server 2025 marks a significant milestone in Microsoft's server operating system evolution. Launched on November 1, 2024, this Long-Term Servicing Channel (LTSC) release brings a comprehensive suite of security enhancements, improved hybrid cloud capabilities, and notable performance optimizations. Whether you're a seasoned IT administrator or planning your organization's infrastructure upgrade, the new features in this release deserve your attention.

TL;DR: Key takeaways

  • Security first: Major security improvements include built-in OpenSSH support, enhanced Active Directory protection with mandatory LDAP encryption, and Credential Guard enabled by default.
  • Modern management: The new Windows Terminal integration and enhanced OpenSSH support make remote server management more efficient and secure than ever.
  • Better protection: Advanced security features like VBS Enclaves, Hypervisor-Enforced Paging Translation, and improved LAPS functionality provide multiple layers of defense against modern threats.
  • Performance boost: Significant improvements in networking, storage, and GPU virtualization enhance overall system performance and resource utilization.
  • Cloud-ready: Built-in Azure Arc integration and enhanced Software-Defined Networking make hybrid cloud deployment more straightforward.
  • Extended support: With support until October 10, 2034, organizations can confidently plan their long-term infrastructure strategy around this release.

The emphasis on security, along with meaningful performance improvements and cloud integration capabilities, makes Windows Server 2025 a compelling upgrade for organizations of all sizes.

OpenSSH: A secure alternative to WinRM

Traditionally, WinRM (Windows Remote Management) has been used for remote management in Windows environments. However, WinRM relies on proprietary protocols and often requires complex configuration for secure communication.

OpenSSH (Open Secure Shell) is an open-source suite of tools that provides secure encrypted communication over a network, making it a robust alternative to WinRM. In earlier versions of Windows Server, OpenSSH required manual installation.

Windows Server 2025 now includes the OpenSSH server-side component by default, simplifying deployment and management. This means that administrators can easily enable secure remote access to servers without additional configuration steps.

The Server Manager UI in Windows Server 2025 also offers a straightforward, one-click option to enable or disable the sshd.exe service, further simplifying OpenSSH management. Additionally, administrators can control access by adding users to the "OpenSSH Users" group, ensuring that only authorized personnel can remotely manage the servers

Windows Terminal: A powerful tool for remote management

The Windows Terminal application, a modern and versatile command-line interface, is now available in Windows Server 2025. This powerful tool enhances the remote management experience by providing a unified interface for interacting with various command-line shells and tools, including PowerShell, CMD, and WSL (Windows Subsystem for Linux).

The Windows Terminal offers a number of features that improve productivity and efficiency, including:

  • Multiple tabs and panes: Users can open multiple command-line sessions in separate tabs or panes within a single window, streamlining multitasking and improving workflow.
  • Customizable themes and profiles:  The Windows Terminal allows users to customize the appearance of the interface by choosing from various themes and creating profiles for different shells and tools, enhancing usability and personalization.

Security improvements

Here is an overview of key changes with a focus on the latest security features:

  • Enhanced Active Directory security: Windows Server 2025 introduces several updates to Active Directory that enhance security:
    • LDAP encryption: All LDAP connections are now encrypted by default, protecting sensitive directory data from eavesdropping and tampering during transmission.
    • TLS 1.3 support: LDAP over TLS connections now support TLS 1.3, the latest and most secure version of the TLS protocol.
    • Stronger default machine account passwords: Active Directory now uses randomly generated passwords for machine accounts, improving security by making brute-force attacks more difficult.
    • Protecting confidential attributes: DCs now require encrypted connections when handling operations involving confidential attributes, adding an extra layer of protection for this sensitive data.
    • Kerberos PKINIT cryptographic agility: It now supports more algorithms for enhanced security.
    • Legacy SAM RPC password change behavior: Secure protocols are preferred, with legacy methods blocked for remote calls.
  • SMB security enhancements: Several significant security improvements have been made to Server Message Block (SMB) in Windows Server 2025:
    • SMB signing required by default: SMB signing is now mandatory for all outbound connections, protecting data integrity and preventing man-in-the-middle attacks.
    • NTLM blocking: The SMB client now supports NTLM blocking for outbound connections, preventing the use of this older, less secure authentication protocol.
    • SMB authentication rate limiter: This feature limits the number of authentication attempts within a given time period, helping to prevent brute-force attacks against SMB servers.
  • Windows Local Administrator Password Solution (LAPS) enhancements: Several improvements have shipped:
    • Automatic account management: Simplifies creation and management of local administrator accounts, including options for randomized account names
    • Image rollback detection: New system to detect and fix password mismatches caused by image rollbacks using a GUID-based verification system
    • Passphrase support: Introduces more memorable passphrases (like "EatYummyCaramelCandy") instead of complex passwords, with built-in word lists and configurable length
    • Improved password readability: New complexity setting excludes commonly confused characters (like "1" and "I") while maintaining security requirements
    • Process termination support: New ability to automatically terminate processes running under the LAPS-managed account after password resets
  • Credential Guard enabled by default: Credential Guard provides significantly better protection against credential theft attacks, such as Pass-the-Hash or Pass-the-Ticket, by isolating secrets in a virtualized container that the OS itself can't access. With Windows Server 2025, Credential Guard is enabled by default on compatible hardware. This reinforces a critical security layer for protecting sensitive credentials within your server environment.
  • Hypervisor-Enforced Paging Translation (HVPT): HVPT is a powerful hardware-assisted security feature that enforces the integrity of linear address translations. This technology acts as a safeguard against write-what-where attacks (a type of attack in which malicious code attempts to write arbitrary data to arbitrary memory locations), which can be leveraged to compromise system security. By ensuring that only authorized memory modifications occur, HVPT helps prevent privilege escalation and data corruption, bolstering the overall security posture of Windows Server 2025.
  • VBS enclaves: VBS enclaves take advantage of virtualization-based security to create isolated execution environments within the server's memory space. This isolation prevents untrusted code from accessing sensitive data or interfering with the operation of security-critical applications. Even if an attacker gains control of the host application or the operating system, the sensitive data within the VBS enclave remains protected, significantly reducing the impact of potential security breaches.
  • VBS key protection: This feature employs VBS to provide enhanced protection for cryptographic keys. Sensitive cryptographic keys used for encryption, authentication, and other security-sensitive operations are stored and used within the secure, isolated environment provided by VBS. This isolation prevents malicious software or unauthorized users from accessing or compromising these keys, ensuring the confidentiality and integrity of sensitive data.

Find and fix the security risks that pose the biggest threat to your business.

Other notable improvements in Windows Server 2025:

  • Performance Enhancements:
    • Networking: Accelerated Networking simplifies SR-IOV management for VMs, using a high-performance data path to reduce latency and CPU utilization.
    • Dev drive: Optimized storage volume for developer workloads using ReFS.
    • NVMe optimization: Improved NVMe performance for SSDs, increasing IOPS and decreasing CPU utilization.
    • GPU virtualization: GPU Partitioning allows sharing physical GPUs with multiple VMs.
  • Hybrid cloud integration:
    • Azure Arc integration: The Azure Arc setup is installed by default, simplifying the process of adding servers to Azure for hybrid management.
    • Software-Defined Networking (SDN): The new server includes enhancements to SDN capabilities.
  • Active Directory enhancements:
    • 32k database page size improves scalability and performance.
    • NUMA support improves performance by utilizing CPUs in all processor groups.

The future of Windows Server on ARM

While the official sources don't offer a definitive outlook on the future of Windows Server on ARM, they do provide glimpses into its potential and some of the challenges it faces:

  • Availability of ARM64 builds: Microsoft has released preview builds of Windows Server 2025 for ARM64 architecture. This demonstrates Microsoft's commitment to exploring and developing the ARM platform for server applications.
  • Performance reports: Users report positive experiences with the performance of the ARM64 version of Windows Server 2025, even in virtualized environments on Apple Silicon Macs. This suggests that ARM-based servers could potentially offer competitive performance levels.
  • Potential benefits: The inherent advantages of ARM architecture, such as energy efficiency and lower heat output, align well with the growing demand for sustainable and cost-effective server solutions. These benefits could make ARM-based servers attractive for specific use cases, such as edge computing or high-density deployments.

Challenges and uncertainties:

  • Limited hardware availability: A significant barrier to widespread adoption of Windows Server on ARM is the lack of readily available server-grade hardware. It's still early days, and broader hardware ecosystem development is crucial.
  • Software compatibility: The x86/x64 architecture has dominated the server market for decades, resulting in a vast ecosystem of server applications optimized for those platforms.  While Windows Server on ARM can utilize x86 emulation, native ARM support for critical server applications will be essential for seamless adoption.
  • Market acceptance: The success of Windows Server on ARM will depend on market acceptance from businesses and organizations.  Factors like cost, performance, reliability, and the availability of skilled IT professionals familiar with ARM-based server environments will influence adoption rates.

The outlook for running Windows Server on ARM is optimistic. While challenges exist, the potential benefits and Microsoft's commitment to the platform suggest that ARM-based servers could become a more significant part of the server landscape in the future. However, it's too early to definitively say when or if Windows Server on ARM will reach mainstream adoption.

Secure Windows Server 2025 with Mondoo

Mondoo continuously evaluates the security of your business-critical assets, including the new Windows Server 2025.

  • Configure wisely: Identify Windows Server 2025 misconfigurations
  • Beat the bad guys: Learn about and fix vulnerabilities in your Windows servers before attackers take advantage
  • Be confident: Always know the security posture of your Windows servers

Mondoo is a unified platform that prioritizes the security issues that are most important to fix. Instead of drowning you in a fire-hose stream of low-risk and irrelevant findings, Mondoo reveals the security problems that are most critical within the context of your unique infrastructure. Mondoo integrates with your project management or ticketing system to seamlessly track security fixes with your everyday workflow.

Identify your most important security issues. Fix them. Get started right now.

Christoph Hartmann

Christoph Hartmann, co-founder and CTO at Mondoo, wants to make the world more secure. He’s long been a leader in security engineering and DevOps, creating widely adopted solutions like Dev-Sec.io and InSpec. For fun, he builds everything from custom operating systems to autonomous Lego Mindstorm robots.

You might also like

Releases
Mondoo November 2024 Release Highlights
Releases
Mondoo October 2024 Release Highlights
Releases
Mondoo September 2024 Release Highlights