How and where do you evaluate Windows Server vNext?

Due to feedback from @dhessel in another thread, the question of this topic came to my mind.

Would you like to talk and share details of how you evaluate Windows Server?

Here's my part.

Security:

I never considered security issues in Windows Server vNext, since this is a preview and not for production. As it's preview code, there could be security issues that don't get discovered and published as CVEs, even though the base might be quite similar to the Windows 11 preview.

How I do it:

I personally evaluate it on my PC, not server hardware, with the OS installed on a separate NVMe next to my Windows Pro W11 23H2 and Insider Windows builds at home. So I am using the multi-boot ability of Windows bootmgr.

Two more NVMe drives provide the storage for Hyper-V. I used to do Storage Spaces, but this wasn't stable due to (ReFS) changes in preview in the last years, so I use them single again.

Before I upgraded my mainboard I didn't have enough NVMe ports, but then I found a great solution: a Sabrent NVMe PCI-E card, which offers at least one NVMe port in a PCI-E x16 slot.

I am using Hyper-V and mslab / Dell GEOS as the foundation for Azure Stack HCI, and our Microsoft Partner Visual Studio subscription licenses.

Windows Server vNext is the Hyper-V base for the nested environment, with guest VMs using a mix of Windows Server 2022, Windows Server 2022 Azure Edition, and Windows Server vNext.

Older for testing Edge scenarios or Migration, ESU etc.

How about you? 

1 Reply

quote: "I never considered security issues in Windows Server vNext, since this is a preview and not for production. As it's preview code, there could be security issues that don't get discovered and published as CVEs, even though the base might be quite similar to the Windows 11 preview."

This is a double-edged sword; you can argue that using test builds of any software or OS can make you safer than others, given that you know what you're doing, because mainstream exploits from APTs are developed for versions that most users are on. This is also amplified by security fixes usually being sent to test version users, to be softly tested or just due to it being in master of its codebase early, ahead of the vulnerability disclosure and patch. Or when security improvements are long lead, by putting a wrench in the foundation of some components, for example to secure against entire classes of attacks.

Of course, some individuals and corporations can also be specifically targeted, for which their environment and versions of whatever is to be attacked are mapped out, but it's not like the attacker has access to Windows OS source code to easily spot newly added shortcomings anyways; more likely than the test build being of any help to their attack is that they are in a knowledge debt towards the things changed in said build, having to put in more effort or having to make changes to un-break their method of attack, as it wasn't seen in the mainstream targeted crowds yet.

As with any deployment of Windows Server, main or preview, it's crucial to harden the system for its specific role and scenarios, so that automated bots and exploit scanners/pentest before hack attempt will reach the lowest amount of services possible, as each one may have recently incorporated a design flaw leading to vulnerabilities. The danger from known insecure protocols and that Windows is never secure out of the box is higher than any flaky code added here. All around, as long as the sysop knows what they are doing, they should be safe, and for the reasons I mentioned may even be safer than without Insider.

Final thing I'd like to mention is that as long as a new build arrives on the Thursday or Friday after the Microsoft monthly Patch Tuesday (second Tuesday of any month), it should incorporate all CVE vulnerability patches and security fixes that MS released to main versions of either Windows Server or Windows 11, because Insider Preview builds are known to be based off of the master branch, as Microsoft words it "The latest code from our engineers". So, as long as builds are on time, Insider Preview users, whether it be Server or Win11, should be able to keep themselves safe in regards to known and patched vulnerabilities, as long as the user also understands that with this timing of Patch Tuesday it's more critical to decide on updating their OS than on other weekly build dates.
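
One way to check the exposure the reply above describes, as an added example that is not part of either post: a PowerShell inventory of listening TCP endpoints, mapped to their processes and services and compared against a role allowlist. The `$AllowedPorts` values are a constructed sample for a Hyper-V lab host and are an assumption, not something stated in the thread.

```powershell
# Added example: list what a remote scanner could reach on this host and flag
# listeners that are not expected for the server's role.
# $AllowedPorts is a constructed sample (RPC, SMB, Hyper-V VMMS, RDP, WinRM);
# replace it with the ports your own role actually needs.
$AllowedPorts = @(135, 445, 2179, 3389, 5985)

# Map each process ID to the running Windows services it hosts
# (a single svchost.exe process can host several services).
$servicesByPid = @{}
Get-CimInstance -ClassName Win32_Service -Filter "State = 'Running'" | ForEach-Object {
    $procId = [int]$_.ProcessId
    if (-not $servicesByPid.ContainsKey($procId)) { $servicesByPid[$procId] = @() }
    $servicesByPid[$procId] += $_.Name
}

# Collect listening sockets, skipping loopback-only listeners because they
# are not reachable from the network.
$report = Get-NetTCPConnection -State Listen |
    Where-Object { $_.LocalAddress -notin @('127.0.0.1', '::1') } |
    Sort-Object LocalPort, LocalAddress -Unique |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            LocalAddress = $_.LocalAddress
            Port         = $_.LocalPort
            Process      = if ($proc) { $proc.ProcessName } else { 'unknown' }
            Services     = ($servicesByPid[[int]$_.OwningProcess] -join ',')
            Allowed      = $_.LocalPort -in $AllowedPorts
        }
    }

# Unexpected listeners sort first so they are the first rows reviewed.
$report | Sort-Object Allowed, Port | Format-Table -AutoSize

$unexpected = @($report | Where-Object { -not $_.Allowed })
Write-Output ("{0} listening endpoint(s) outside the allowlist" -f $unexpected.Count)
```

Dynamic RPC ports (49152 and above) will appear as unexpected with this sample allowlist; running the script before and after installing a new preview build shows whether the build changed the set of listeners.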