Windows Server 2022 Security Guide

The document discusses various methods for securing credentials and privileged access in Windows Server 2022. It covers using the Protected Users group, account preferences, credential guard, LAPS, and ADAC to protect credentials. It also discusses auditing with event logs and policies, privileged access management tools like delegation wizard and PAW, and securing data, virtualization, applications, and network connections. The document is a comprehensive guide to hardening security in Windows Server 2022.

Windows Server

2022 Security
Table of contents

1. Protecting Credentials in Windows Server 5

1.1 Using the Protected Users Group 5

1.2 Using Account Preferences 6

1.3 Using Windows Defender Credential Guard 9

1.4 Using Local Administrator Password Solution (LAPS) 9

1.5 Using Active Directory Administrative Center (ADAC) 10

2. Auditing Windows Server 11

2.1. Event Logs 11

2.2. Audit Policy 12

2.3. Audit Collection Services (ACS) 14

2.4. Windows PowerShell Logging 14

3. Privileged Access Management in Windows Server 15

3.1. Delegation of Control Wizard 15

3.2. Privileged Access Workstation (PAW) 16

3.3. Just Enough Administration (JEA) 17

3.4. Strategies for Securing Domain Controllers 18

3.5. ESAE Forests 19

3.6. Just-in-Time (JIT) Administration 19

3.7. Microsoft Identity Manager (MIM) 20

3.8. Third-Party PAM Solutions 21


4. Protecting Data in Windows Server 22

4.1. File Server Resource Manager (FSRM) 22

4.2. Encrypting File System (EFS) 23

4.3. BitLocker 24

4.4. Server Message Block (SMB) 25

4.5. Failover Clustering 26

5. Mitigating Malware and Other Threats in Windows Server 27

5.1. Windows Security App 27

5.2. Device Guard 28

5.3. Control Flow Guard (CFG) 29

5.4. Secured-Core Server 29

5.5. Group Policy Software Restriction Policies (SRPs) 30

5.6. AppLocker 30

5.7. Security Compliance Toolkit (SCT) 31

5.8. Windows Update 31

5.9. Microsoft Defender for Servers 32

6. Securing Virtualization Environments in Windows Server 33

6.1. Guarded Fabric 33

6.2. Shielded VMs 35

7. Securing Application Development in Windows Server 36

7.1. Containers 36

7.2. Docker 37

7.3. Nano Server 37

8. Securing Network Connections in Windows Server 38

8.1. Windows Firewall with Advanced Security 38

8.2. IPsec 39

8.3. Message Analyzer 40

8.4. HTTPS and TLS 1.3 40

8.5. DNS over HTTPS 41

8.6. Encrypted Networks 41

9. How Netwrix Can Help with Windows Server Hardening 42

About Netwrix 44
1. Protecting Credentials in Windows Server
Credentials are the keys to an account. By harvesting credentials, attackers can enter your network, move laterally
and escalate their privileges to steal your data. Windows Server has several features for minimizing the chance
that attackers will be able to harvest credentials, including using the following:

▪ Protected Users group
▪ Account preferences
▪ Windows Defender Credential Guard
▪ Local Administrator Password Solution (LAPS)
▪ Active Directory Administrative Center (ADAC)

1.1 Using the Protected Users Group

Introduced with Windows Server 2012 R2, the Protected Users group enhances security for highly privileged
accounts. Note that this group is available only in Active Directory Domain Services (AD DS). Windows does not
cache the credentials of members of this group locally, so they are never left on workstations or servers for
attackers to harvest. In addition, less-secure authentication methods are disabled for group members, which helps
to block attackers from making use of credentials they do manage to compromise. One downside from the admin
usability perspective is that RDP sessions are limited to 4 hours.

User accounts that are members of the Protected Users group cannot:

▪ Use default credentials delegation
▪ Use Windows Digest
▪ Use NT LAN Manager (NTLM) for authentication
▪ Use Kerberos long-term keys
▪ Sign on offline
▪ Use DES for Kerberos pre-authentication
▪ Use RC4 cipher suites for Kerberos pre-authentication
▪ Be delegated using constrained delegation
▪ Be delegated using unconstrained delegation
▪ Renew user ticket-granting tickets (TGTs) past the initial 240-minute lifetime
1.2 Using Account Preferences

For user accounts that need less stringent protection, you can use the following security options, which are
available for any AD account:

▪ Logon Hours — Specifies when users can use an account.

▪ Logon Workstations — Limits the computers that the account can sign in to.

▪ Smart card is required for interactive logon — Requires a smart card to be presented for the account to
sign in.

▪ Password Never Expires — Absolves the account from the “Maximum password age” policy setting; don’t
configure this option for privileged accounts.

▪ Account is sensitive and cannot be delegated — Ensures that trusted applications cannot forward the
account’s credentials to other services or computers on the network.

▪ This account supports Kerberos AES 128-bit encryption — Allows Kerberos AES 128-bit encryption.

▪ This account supports Kerberos AES 256-bit encryption — Allows Kerberos AES 256-bit encryption. Use
this option for privileged accounts.

▪ Account expires — Specifies the end date for the account.
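The following script is an added example, not part of the Netwrix guide: it applies the Protected Users membership from section 1.1 together with the account preferences from section 1.2 (sensitive/cannot be delegated, AES-only Kerberos, password expiry enforced) to one privileged user account. It assumes the ActiveDirectory PowerShell module (RSAT) and rights to modify the account; the account name `adm-jdoe` is a constructed sample.

```powershell
# Added example (not from the guide): harden one privileged user account by
# applying the Protected Users membership from 1.1 together with the account
# preferences from 1.2. Requires the ActiveDirectory module and rights to
# modify the account; 'adm-jdoe' is a constructed sample name.
Import-Module ActiveDirectory

function Protect-PrivilegedAccount {
    param([Parameter(Mandatory)] [string] $SamAccountName)

    $props = 'MemberOf', 'PasswordNeverExpires', 'AccountNotDelegated',
             'KerberosEncryptionType', 'ServicePrincipalName'
    $user = Get-ADUser -Identity $SamAccountName -Properties $props

    # Protected Users is for human admin accounts only: service accounts and the
    # built-in Administrator (RID 500) break or lose emergency access, so refuse them.
    if ($user.ServicePrincipalName.Count -gt 0 -or $user.SID.Value.EndsWith('-500')) {
        throw "$SamAccountName looks like a service or built-in account; do not add it to Protected Users."
    }

    # 1.1: membership stops local credential caching and disables NTLM, DES/RC4
    # Kerberos and delegation for this account. Checked first so re-runs are no-ops.
    $protectedUsers = Get-ADGroup -Identity 'Protected Users'
    if ($user.MemberOf -notcontains $protectedUsers.DistinguishedName) {
        Add-ADGroupMember -Identity $protectedUsers -Members $user
    }

    # 1.2: set the same restrictions on the object itself, so they survive an
    # accidental removal from the group, and make sure the password does expire.
    Set-ADUser -Identity $user -KerberosEncryptionType AES256
    Set-ADAccountControl -Identity $user -AccountNotDelegated $true -PasswordNeverExpires $false

    # Return the resulting state for review.
    Get-ADUser -Identity $SamAccountName -Properties $props |
        Select-Object SamAccountName, PasswordNeverExpires, AccountNotDelegated, KerberosEncryptionType,
            @{ n = 'ProtectedUser'; e = { $_.MemberOf -contains $protectedUsers.DistinguishedName } }
}

Protect-PrivilegedAccount -SamAccountName 'adm-jdoe'
```

The guard against service accounts matters: Protected Users blocks NTLM and long-lived tickets, which breaks most service logons, and the built-in Administrator is deliberately kept out so that an emergency sign-in still works when the KDC is unreachable.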

Computer Accounts

You also need to understand and manage the reach of computer accounts. When you join a computer to the
domain for the first time, Windows creates a computer account in Active Directory in the Computers container and
automatically assigns it a password. AD manages these passwords and updates them automatically every 30 days.

To manage the permissions of computer accounts and control which Group Policy objects (GPOs) are applied to
them, you can add them to groups and move them to different OUs.

You can also disable and reset computer accounts:

▪ Disabling a computer account means that the computer cannot connect to the domain anymore. If you
disable a computer account and the computer is still operational, you’ll need to rejoin the computer to the
domain if you want the computer to regain domain membership.

▪ Resetting a computer account removes the connection between the computer and the domain and then
re-adds it.

Predefined Local Accounts

Predefined local accounts are a special type of account that Windows services use to interact with the operating
system and resources on the network. These are sometimes used to run services.

There are three types of built-in local accounts:

▪ Local system — The NT AUTHORITY\SYSTEM account has privileges equivalent to the local Administrators
group on the computer.

▪ Local service — The NT AUTHORITY\LocalService account has privileges equivalent to the local Users group
on the computer.

▪ Network service — The NT AUTHORITY\NetworkService account has privileges equivalent to the local Users
group on the computer.

To protect these accounts, update their passwords on a regular basis. This is a manual process if you use native tools.

Service Accounts and Related Non-Human Accounts

Most organizations use service accounts to run services or scheduled tasks. Many organizations also need
non-human accounts, such as test, automation or emergency access accounts, that require elevated access to
servers, usually local administrative access.

A Group Managed Service Account (GMSA) is a special type of service account. A virtual account is the computer-
specific local equivalent of a GMSA. Active Directory automatically manages the passwords of these accounts, which
reduces risks to your organization, so they should be the preferred option when a service account is required.

All these accounts require protection similar to a privileged account. Recommendations include:

▪ Use a long and complex password. Because the passwords are rarely, if ever, manually entered, you should
use a very long password, such as 30 characters, with complexity.

▪ Vault the password in a secure location, such as a password vault.

▪ Limit the accounts so that they can log on to only the specific servers they need to. For example, if you have
a service account for your database servers, then limit logons to the database servers only.

▪ Always use constrained delegation if you need to use delegation with these accounts. Additionally, set up
monitoring and alerting to look for accounts with unconstrained delegation.

▪ Use a naming convention and/or Active Directory attributes to ensure that you can identify all service
accounts and non-human accounts.

▪ Track all non-human accounts in a central location, including details about account usage and account
owner with contact information.

▪ Periodically have owners confirm that their accounts are still required and have the correct rights. In
addition, regularly find accounts that haven’t logged on for a long time, such as more than 90 days. However,
be aware that some accounts might be used less often, such as for annual disaster recovery testing.
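As an added example (not from the guide), the script below creates a Group Managed Service Account for a database tier, so that AD rotates the password and only the listed hosts can retrieve it, and then builds the inventory the recommendations above ask for. It assumes the ActiveDirectory module, rights to create accounts, and constructed names: hosts `SQL01`/`SQL02`, group `gMSA-SQL-Hosts`, account `gmsa-sql`, DNS suffix `corp.example`.

```powershell
# Added example (not from the guide): create a gMSA whose password only the
# listed hosts can retrieve, then inventory every gMSA. Names are constructed.
Import-Module ActiveDirectory

# A KDS root key must exist once per forest before any gMSA can be created.
if (-not (Get-KdsRootKey)) {
    # Normal deployments let the key become usable after the 10-hour replication
    # window; -EffectiveImmediately is for single-DC labs only.
    Add-KdsRootKey -EffectiveImmediately
}

# Only computers in this group may retrieve the password (the "limit the
# accounts to the servers they need" recommendation, enforced at the KDC).
$hostGroup = 'gMSA-SQL-Hosts'
if (-not (Get-ADGroup -Filter "Name -eq '$hostGroup'")) {
    New-ADGroup -Name $hostGroup -GroupScope Global -GroupCategory Security `
        -Description 'Computers allowed to retrieve the gmsa-sql password'
}
Add-ADGroupMember -Identity $hostGroup -Members (Get-ADComputer SQL01), (Get-ADComputer SQL02)

# The account itself: AES-only Kerberos, 30-day rotation (AD's default, fixed at
# creation time), and an owner recorded in Description for the inventory below.
if (-not (Get-ADServiceAccount -Filter "Name -eq 'gmsa-sql'")) {
    New-ADServiceAccount -Name 'gmsa-sql' -DNSHostName 'gmsa-sql.corp.example' `
        -PrincipalsAllowedToRetrieveManagedPassword $hostGroup `
        -KerberosEncryptionType AES256 `
        -ManagedPasswordIntervalInDays 30 `
        -Description 'Owner: DBA team <dba@corp.example>; runs SQL Server on SQL01/SQL02'
}

# On each host (after a reboot, so its Kerberos ticket reflects the new group):
#   Install-ADServiceAccount gmsa-sql; Test-ADServiceAccount gmsa-sql   # expect True

# Inventory: every gMSA (naming convention 'gmsa-*'), its owner, allowed hosts
# and last use, flagging accounts with no logon in 90 days for the owner review.
Get-ADServiceAccount -Filter "Name -like 'gmsa-*'" `
        -Properties Description, LastLogonDate, PrincipalsAllowedToRetrieveManagedPassword |
    Select-Object Name, Description, LastLogonDate,
        @{ n = 'AllowedHosts'; e = { $_.PrincipalsAllowedToRetrieveManagedPassword -join ';' } },
        @{ n = 'Stale90d';     e = { -not $_.LastLogonDate -or $_.LastLogonDate -lt (Get-Date).AddDays(-90) } } |
    Format-Table -AutoSize
```

Because the password is never known to a person, the vaulting and long-password recommendations are met automatically; what remains for the owner review is the `Stale90d` column, which should be read with the guide's caveat that some accounts (disaster-recovery testing, for instance) are legitimately used only occasionally.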

1.3 Using Windows Defender Credential Guard

Introduced in Windows 10 and Windows Server 2016, Windows Defender Credential Guard helps protect
credentials from being harvested by malware. It uses two security methods:

▪ Virtualization-based security allows you to isolate secrets, such as cached credentials, so that only privileged
software can access them. Processes that use these secrets, along with the memory associated with those
processes, run in a separate operating system that is parallel to but independent of the host operating system.
This virtual operating system protects processes from attempts by any external software to read the data that
those processes store and use.

▪ Windows Defender Credential Guard also takes advantage of hardware security, including secure boot and
virtualization.

You can manage Windows Defender Credential Guard using Group Policy, Windows Management
Instrumentation (WMI) or Windows PowerShell.

Windows Defender Credential Guard does not allow the use of the following authentication methods:

▪ Unconstrained Kerberos delegation
▪ NT LAN Manager version 1 (NTLMv1)
▪ Microsoft Challenge Handshake Authentication Protocol (MS-CHAPv2)
▪ Digest
▪ Credential Security Support Provider (CredSSP)
▪ Kerberos DES encryption
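The function below is an added example (not from the guide) of the WMI/PowerShell management path mentioned above: it reports whether Credential Guard is configured and actually running on the local host, using the `Win32_DeviceGuard` CIM class and the `LsaCfgFlags` registry value that Group Policy writes. It assumes an elevated PowerShell session on Windows Server 2016 or later.

```powershell
# Added example (not from the guide): report the Credential Guard state of this
# host. Run in an elevated PowerShell session.
function Get-CredentialGuardState {
    # Win32_DeviceGuard lives in the root\Microsoft\Windows\DeviceGuard namespace.
    # SecurityServicesConfigured / SecurityServicesRunning contain 1 for Credential
    # Guard and 2 for HVCI (memory integrity). VirtualizationBasedSecurityStatus is
    # 0 = disabled, 1 = enabled but not running, 2 = running.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard

    $vbs = switch ($dg.VirtualizationBasedSecurityStatus) {
        0 { 'Disabled' } 1 { 'EnabledNotRunning' } 2 { 'Running' } default { 'Unknown' }
    }

    # LsaCfgFlags is the switch Group Policy sets: 1 = on with UEFI lock,
    # 2 = on without lock, 0 or absent = off.
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                            -Name LsaCfgFlags -ErrorAction SilentlyContinue
    $flags = if ($lsa) { $lsa.LsaCfgFlags } else { 0 }

    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        VbsStatus           = $vbs
        CredGuardConfigured = [bool]($dg.SecurityServicesConfigured -contains 1)
        CredGuardRunning    = [bool]($dg.SecurityServicesRunning -contains 1)
        HvciRunning         = [bool]($dg.SecurityServicesRunning -contains 2)
        UefiLocked          = ($flags -eq 1)
        LsaCfgFlags         = $flags
    }
}

$state = Get-CredentialGuardState
$state | Format-List
if ($state.CredGuardConfigured -and -not $state.CredGuardRunning) {
    # Typical causes: VBS prerequisites (UEFI, Secure Boot, virtualization
    # extensions) not met, or a pending reboot after the policy was applied.
    Write-Warning "Credential Guard is configured but not running on $($state.ComputerName)."
}
```

The distinction between configured and running is the point of the check: a policy can be in place while the service never started, in which case cached secrets are still in the normal LSASS process. Run the function over a fleet (for example through `Invoke-Command`) to find those hosts.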

1.4 Using Local Administrator Password Solution (LAPS)

Microsoft LAPS provides a secure central repository for the passwords of all built-in local Administrator accounts
and automates proper management of those passwords. In particular, LAPS:

▪ Ensures that local Administrator passwords are unique on each computer
▪ Automatically changes all local Administrator passwords every 30 days
▪ Provides configurable permissions to control access to passwords
▪ Transmits passwords to the client in a secure, encrypted manner
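LAPS only protects computers on which the client is actually rotating the password. The report below is an added example (not from the guide) that finds domain computers where LAPS is not managing the local Administrator password. It assumes the Microsoft LAPS schema extension attribute `ms-Mcs-AdmPwdExpirationTime` is present and readable by the caller (reading the password itself needs the separate LAPS permission and is not done here), plus the ActiveDirectory module.

```powershell
# Added example (not from the guide): LAPS coverage report based on the
# ms-Mcs-AdmPwdExpirationTime attribute the LAPS client maintains.
Import-Module ActiveDirectory

function Get-LapsCoverageReport {
    param([string] $SearchBase = (Get-ADDomain).DistinguishedName)

    $nowFileTime = (Get-Date).ToFileTimeUtc()

    Get-ADComputer -Filter { Enabled -eq $true } -SearchBase $SearchBase `
            -Properties 'ms-Mcs-AdmPwdExpirationTime', OperatingSystem, LastLogonDate |
        ForEach-Object {
            # The attribute is a Windows FILETIME (Int64); absent means LAPS has
            # never set a password on this computer.
            $exp = $_.'ms-Mcs-AdmPwdExpirationTime'
            $status = if (-not $exp) { 'NoLapsPassword' } elseif ([int64]$exp -lt $nowFileTime) { 'Expired' } else { 'Managed' }

            [pscustomobject]@{
                Name            = $_.Name
                OperatingSystem = $_.OperatingSystem
                LastLogonDate   = $_.LastLogonDate
                PasswordExpires = if ($exp) { [datetime]::FromFileTimeUtc([int64]$exp) } else { $null }
                LapsStatus      = $status
            }
        }
}

# Computers without a LAPS-managed password are the ones most likely to still
# share a common local Administrator password; review them first. An 'Expired'
# entry on a recently active computer means the client is not running or cannot
# write to AD.
Get-LapsCoverageReport |
    Where-Object LapsStatus -ne 'Managed' |
    Sort-Object LapsStatus, Name |
    Format-Table -AutoSize
```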
1.5 Using Active Directory Administrative Center (ADAC)

ADAC enables you to search for Active Directory accounts that are ripe for takeover by attackers. You should
regularly look for the following types of accounts:

▪ User accounts with the “Password never expires” flag — The configuration of accounts with this setting
requires careful consideration. According to NIST recommendations, it can be acceptable to set passwords
to not expire, especially when Multi-Factor Authentication (MFA) is in place, aligning with broader Zero Trust
principles. Security measures often involve a balancing act. Note that the reason behind considering this
approach is to encourage users to choose strong and memorable passwords, which they can keep for an
extended period. Requiring frequent password changes can sometimes lead to users selecting weaker
passwords, as they struggle to remember them, ultimately reducing security.

▪ Inactive user accounts — Inactive user accounts usually belong to a person who has left the organization.
The ADAC console enables you to find accounts that haven’t signed in for a specified number of days.

Deleting or disabling these user accounts prevents them from being misused by outside attackers or malicious insiders.
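The searches described in section 1.5, plus the unconstrained-delegation check recommended for service accounts in section 1.2, can be scripted instead of run from the ADAC console. The function below is an added example (not from the guide): it lists enabled users whose password never expires, enabled users inactive for more than 90 days (the guide's figure), and non-DC accounts trusted for unconstrained delegation. It assumes the ActiveDirectory module and read access to the domain.

```powershell
# Added example (not from the guide): find the account types the guide says to
# review regularly. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

function Find-RiskyAdAccounts {
    param([int] $InactiveDays = 90)

    # Helper that normalises every hit to the same shape.
    function New-Finding($Account, [string] $Reason) {
        [pscustomobject]@{
            SamAccountName = $Account.SamAccountName
            ObjectClass    = $Account.ObjectClass
            LastLogonDate  = $Account.LastLogonDate
            Reason         = $Reason
        }
    }

    # 1.5: "Password never expires" on enabled user accounts. Acceptable with MFA
    # per the guide, but each one should be a conscious decision, so list them.
    Get-ADUser -Filter { Enabled -eq $true -and PasswordNeverExpires -eq $true } -Properties LastLogonDate |
        ForEach-Object { New-Finding $_ 'PasswordNeverExpires' }

    # 1.5: enabled users with no sign-in for $InactiveDays. Search-ADAccount uses
    # lastLogonTimestamp, which replicates between DCs but can lag a real logon by
    # up to 14 days, so treat the cut-off as approximate.
    Search-ADAccount -AccountInactive -TimeSpan (New-TimeSpan -Days $InactiveDays) -UsersOnly |
        Where-Object Enabled |
        ForEach-Object { New-Finding $_ 'Inactive' }

    # 1.2: unconstrained delegation on users and computers. Domain controllers
    # (primaryGroupID 516) are excluded because they have it by design.
    $delegating = @(Get-ADUser     -Filter { TrustedForDelegation -eq $true } -Properties LastLogonDate) +
                  @(Get-ADComputer -Filter { TrustedForDelegation -eq $true } -Properties LastLogonDate, PrimaryGroupID)
    foreach ($acct in $delegating) {
        if ($acct.PrimaryGroupID -ne 516) { New-Finding $acct 'UnconstrainedDelegation' }
    }
}

Find-RiskyAdAccounts | Sort-Object Reason, SamAccountName | Format-Table -AutoSize
```

Run it on a schedule and diff the output against the previous run: a new `UnconstrainedDelegation` hit on a member server, or a service account that suddenly shows as `Inactive`, is worth a ticket even when the absolute numbers look small.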

2. Auditing Windows Server
Continuously auditing the activity in your network is one of the most critical security best practices, since it helps
you notice potentially malicious activity early enough to take action to prevent data breaches, system downtime
and compliance failures.

2.1. Event Logs

Event logs record the activity on a particular computer. When you configure auditing properly, almost all events
that have security significance are logged. This makes event logs the first thing to look at during IT security
investigations.
Here are two important tips:

▪ Configure the event log size to the maximum (4GB) to minimize the chance that events will be overwritten
because the log becomes full.

▪ Archive your event logs so if you do detect an attack, you can look at older event logs to find out exactly
when and how attackers were able
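Both tips can be applied with `wevtutil`, as in this added example (not from the guide). It raises the Security log to its maximum size, keeps events rather than overwriting them, and exports the last 24 hours to an archive file. It assumes an elevated session and a constructed archive path `C:\EventArchive`; the size value is an assumption explained in the comment.

```powershell
# Added example (not from the guide): maximum Security log size plus a daily
# archive export. Run elevated; C:\EventArchive is a constructed path.
$log        = 'Security'
$archiveDir = 'C:\EventArchive'

# MaxSize is stored as a 32-bit DWORD in the registry, so exactly 4 GB cannot be
# represented; 4 GB minus 64 KB is the largest value that fits (assumption).
$maxBytes = 4GB - 64KB

# /ms = maximum size in bytes, /rt:true = retain (never overwrite old events),
# /ab:true = back the log up automatically when it is full. Retain without
# auto-backup would stop logging when full, which is worse than overwriting.
wevtutil set-log $log /ms:$maxBytes /rt:true /ab:true
wevtutil get-log $log   # print the resulting configuration for review

# Export events newer than 24 hours (86,400,000 ms) to a timestamped .evtx file.
New-Item -ItemType Directory -Path $archiveDir -Force | Out-Null
$stamp = Get-Date -Format 'yyyyMMdd-HHmm'
$file  = Join-Path $archiveDir "$env:COMPUTERNAME-$log-$stamp.evtx"
$query = '*[System[TimeCreated[timediff(@SystemTime) <= 86400000]]]'
wevtutil export-log $log $file "/q:$query"

# Verify the archive opens and contains events before trusting it.
$check = Get-WinEvent -Path $file -MaxEvents 1 -ErrorAction SilentlyContinue
if (-not $check) { Write-Warning "Archive $file is empty or unreadable" }
```

Schedule the export as a task and copy the files off the host; a local archive protects against a full log, not against an attacker with administrative rights on the same machine, which is what the forwarding section that follows addresses.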

Event Log Forwarding

You should also move event logs off your computers regularly because attackers often scrub event logs to escape
detection. Windows Server’s event log forwarding feature enables you to automatically forward events logs from
all your computers to a designated machine (the event collector) that stores them all securely.

There are two types of event subscriptions:

▪ Source-initiated subscriptions allow you to define an event subscription on the event collector computer
without defining the source computers. Then you use Group Policy to control which source computers
forward events to the event collector.

▪ Collector-initiated subscriptions allow you to create an event subscription that specifies the source
computers that will forward event logs.
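The collector side of a source-initiated subscription, as an added example (not from the guide): the script writes a subscription definition and registers it with `wecutil`. Source computers are then pointed at the collector through Group Policy (Computer Configuration > Administrative Templates > Windows Components > Event Forwarding > Configure target Subscription Manager). It assumes an elevated session on the collector; the subscription name, description and the SDDL that admits Domain Computers (`DC`) and Domain Controllers (`DD`) are constructed for the example.

```powershell
# Added example (not from the guide): register a source-initiated subscription
# that collects every Security event into the ForwardedEvents log.
$subscriptionXml = @'
<Subscription xmlns="http://schemas.microsoft.com/2004/08/Windows/EventLog/Subscription">
  <SubscriptionId>Security-To-Collector</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Forward the Security log from all domain members (added example)</Description>
  <Enabled>true</Enabled>
  <ConfigurationMode>MinLatency</ConfigurationMode>
  <Query>
    <![CDATA[
      <QueryList>
        <Query Id="0" Path="Security">
          <Select Path="Security">*</Select>
        </Query>
      </QueryList>
    ]]>
  </Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <AllowedSourceNonDomainComputers></AllowedSourceNonDomainComputers>
  <AllowedSourceDomainComputers>O:NSG:BAD:P(A;;GA;;;DC)(A;;GA;;;DD)</AllowedSourceDomainComputers>
</Subscription>
'@

# Configure the Windows Event Collector service (start type, WinRM listener).
wecutil qc /q

$path = Join-Path $env:TEMP 'security-subscription.xml'
Set-Content -Path $path -Value $subscriptionXml -Encoding UTF8
wecutil create-subscription $path

# Confirm the subscription exists; once sources check in, the runtime status
# lists each forwarding computer and its last heartbeat.
wecutil enum-subscription
wecutil get-subscription-runtime-status Security-To-Collector
```

Two points that are easy to miss: on each source, the `NETWORK SERVICE` account must be able to read the Security log (membership in the local `Event Log Readers` group is the usual fix), and a source that stops appearing in the runtime status is itself a signal worth alerting on, since a silenced forwarder is exactly what log scrubbing looks like from the collector.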

2.2. Audit Policy

Audit policies enable you to record a variety of activities to the Windows security log. You then can examine
these auditing logs to identify issues that need further investigation. Auditing successful activities provides
documentation of changes so you can troubleshoot which changes led to a failure or a breach. Logging failed
attempts can spot malicious efforts to access enterprise resources.

Your auditing policy specifies the categories of security-related events that you want to audit. You can choose
either Basic or Advanced policy settings.

Basic Audit Policy

Here are the basic policy settings you can configure and what happens if you turn them on:

▪ Audit account logon events — Creates an event when a user or computer attempts to use a Windows Server
Active Directory account to authenticate.

▪ Audit account management — Audits events such as the creation, deletion or modification of a user, group
or computer account and the resetting of user passwords.

▪ Audit directory service access — Audits events that are specified in the system access control list, such as
changes to permissions.

▪ Audit logon events — Creates an event when a user logs on to a computer interactively (locally) or over the
network (remotely).

▪ Audit object access — Audits access to objects that have their own SACLs such as files, folders, registry keys
and printers.

▪ Audit policy change — Audits changes to user rights assignment policies, audit policies and trust policies.

▪ Audit privilege use — Audits attempts to use privilege. You can choose whether to audit successful attempts,
failed attempts or both.

▪ Audit process tracking — Audits process-related events, such as process creation, process termination,
handle duplication and indirect object access.

▪ Audit system events — Audits system restarts and shutdowns, as well as changes that affect the system or
security logs.

Advanced Audit Policy

Since Windows Server 2008 R2, administrators can audit more specific events using advanced audit policy settings
in the following categories:

▪ Account Logon — Audits the validation of credentials and other Kerberos-specific authentication and ticket
operation events.

▪ Account Management — Audits the modification of user accounts, computer accounts, group membership
changes, as well as password change events.

▪ Detailed Tracking — Audits encryption events, Windows process creation and termination events, and
remote procedure call (RPC) events.

▪ DS Access — Tracks access to AD, AD changes and replication.

▪ Logon/Logoff — Audits standard logon and logoff events.

▪ Object Access — Audits access to AD, the registry, applications and file storage.

▪ Policy Change — Tracks changes to policy settings.


▪ Privilege Use — Audits privilege use attempts.

▪ System — Audits changes to the state of the security subsystem.

▪ Global Object Access Auditing — Controls the SACL settings for all objects on one or more computers.

To learn more, read these Windows audit policy best practices.
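The following is an added example (not from the guide) of applying a small advanced audit policy with `auditpol.exe` and making sure it takes precedence over the basic settings. The subcategory names are the English display names `auditpol` accepts. It assumes an elevated session; in production the same settings belong in a Group Policy object so they cannot be reverted locally.

```powershell
# Added example (not from the guide): a starting advanced audit policy for a
# member server, applied locally with auditpol. Run elevated.

# "Audit: Force audit policy subcategory settings to override audit policy
# category settings", stored as SCENoApplyLegacyAuditPolicy. Without it the
# basic categories can silently replace the subcategory configuration.
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
    -Name SCENoApplyLegacyAuditPolicy -Value 1 -Type DWord

$policy = @(
    # Account Logon / Logon/Logoff: who authenticated, and from where.
    @{ Sub = 'Credential Validation';           Success = 'enable'; Failure = 'enable' },
    @{ Sub = 'Kerberos Authentication Service'; Success = 'enable'; Failure = 'enable' },
    @{ Sub = 'Logon';                           Success = 'enable'; Failure = 'enable' },
    @{ Sub = 'Special Logon';                   Success = 'enable'; Failure = 'disable' },
    # Account Management: changes to users and to privileged groups.
    @{ Sub = 'User Account Management';         Success = 'enable'; Failure = 'enable' },
    @{ Sub = 'Security Group Management';       Success = 'enable'; Failure = 'enable' },
    # Detailed Tracking: process creation (event 4688) underpins most detections.
    @{ Sub = 'Process Creation';                Success = 'enable'; Failure = 'disable' },
    # Policy Change / System: tampering with the audit configuration itself.
    @{ Sub = 'Audit Policy Change';             Success = 'enable'; Failure = 'enable' },
    @{ Sub = 'Security State Change';           Success = 'enable'; Failure = 'enable' }
)

foreach ($p in $policy) {
    auditpol.exe /set /subcategory:"$($p.Sub)" /success:$($p.Success) /failure:$($p.Failure)
}

# 4688 events are of little use without the command line; this is the
# "Include command line in process creation events" policy value.
$auditKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
New-Item -Path $auditKey -Force | Out-Null
Set-ItemProperty -Path $auditKey -Name ProcessCreationIncludeCmdLine_Enabled -Value 1 -Type DWord

# Show the effective policy so the change can be verified.
auditpol.exe /get /category:*
```

Keep the list short and grow it deliberately: every subcategory turned on, especially under Object Access, adds volume that has to be stored and forwarded, and an over-full log defeats the size and archiving advice in section 2.1.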

2.3. Audit Collection Services (ACS)

Audit Collection Services is an agent-based utility in Windows Server that simplifies security auditing and log
analysis. By default, when an audit policy is implemented on a Windows-based computer, that computer
automatically saves all events generated by the audit policy to its local security log. Using ACS, organizations can
consolidate all those individual security logs to a central database, and then filter and analyze the events using the
data analysis and reporting tools in SQL Server.

2.4. Windows PowerShell Logging

Administrators can use Windows PowerShell to enable or disable logging at the Windows PowerShell
module level. By default, all logging in Windows PowerShell is disabled. You can enable it by setting the
LogPipelineExecutionDetails property to $true; to disable it again, set the property back to $false. To handle this
in an automated way, configure this logging using Group Policy and target all Windows computers, including client
computers and domain controllers.

You can also enable detailed tracking and analysis of the use of Windows PowerShell scripting on a system by
enabling detailed script tracing. In that case, Windows PowerShell logs all script blocks to the Event Tracing for
Windows (ETW) event log in the “Microsoft-Windows-PowerShell/Operational” path. Windows PowerShell logging
can often help find indicators of compromise (IOCs). Many organizations send their Windows event logs to third-
party solutions for reporting, analysis and alerting.
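An added example (not from the guide) of turning on module logging and script block logging and reading the results. It writes the same registry values the Group Policy settings use, then applies the per-module `LogPipelineExecutionDetails` property described above to one module, and finally queries the `Microsoft-Windows-PowerShell/Operational` log. It assumes an elevated session; a GPO that manages these settings will override the local values.

```powershell
# Added example (not from the guide): enable PowerShell logging locally and
# read back the script blocks that were recorded. Run elevated.
$psPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

# Module logging (event 4103): equivalent to LogPipelineExecutionDetails = $true
# for every module; "*" under ModuleNames means all modules.
New-Item -Path "$psPolicy\ModuleLogging\ModuleNames" -Force | Out-Null
Set-ItemProperty -Path "$psPolicy\ModuleLogging" -Name EnableModuleLogging -Value 1 -Type DWord
New-ItemProperty -Path "$psPolicy\ModuleLogging\ModuleNames" -Name '*' -Value '*' -PropertyType String -Force | Out-Null

# Script block logging (event 4104): records each script block as it is compiled,
# after any string-building or encoding the script did, so obfuscated content is
# logged in the form that actually ran.
New-Item -Path "$psPolicy\ScriptBlockLogging" -Force | Out-Null
Set-ItemProperty -Path "$psPolicy\ScriptBlockLogging" -Name EnableScriptBlockLogging -Value 1 -Type DWord

# The per-session form the guide describes, for a single module.
Import-Module ActiveDirectory -ErrorAction SilentlyContinue
if ($m = Get-Module ActiveDirectory) { $m.LogPipelineExecutionDetails = $true }

function Get-RecentScriptBlocks {
    param([int] $Max = 20)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } -MaxEvents $Max |
        ForEach-Object {
            # Event 4104 properties: [0] fragment number, [1] fragment total,
            # [2] script block text, [3] script block id, [4] path (if from a file).
            [pscustomobject]@{
                Time      = $_.TimeCreated
                UserSid   = $_.UserId
                Path      = $_.Properties[4].Value
                FirstLine = ($_.Properties[2].Value -split "`n")[0]
            }
        }
}

Get-RecentScriptBlocks | Format-Table -AutoSize
```

Large scripts arrive as several 4104 fragments sharing one script block id; a collector or SIEM should reassemble on that id before running content matches. Note also that the Operational log is small by default, so apply the sizing advice from section 2.1 to it as well.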

3. Privileged Access Management in Windows Server
Access management involves assigning rights to accounts in accordance with the principle of least privilege; this
limits the damage the account owner can do, either intentionally or accidentally, and minimizes the reach of an
attacker who gains control of an account. It also involves monitoring those accounts for suspicious activity that
could indicate a threat.

Access management is important for all user accounts, but privileged accounts require special attention. Because
they are granted high levels of access to sensitive data and systems, they can do a great deal of damage if they
are compromised or misused. In addition, many compliance standards require organizations to maintain control
over privileged access.

Trying to provision and track these accounts manually is fraught with risk, so organizations need effective
privileged access management (PAM) tools.

3.1. Delegation of Control Wizard

One way to manage privileged access is to enable certain users to perform specific administrative tasks without
giving them full administrative privileges. For instance, helpdesk personnel might be delegated the power to reset
user passwords but not create or delete accounts.

To help, the Delegation of Control wizard enables you to delegate the following privileges:

▪ Create, delete and manage user accounts

▪ Reset user passwords and force password change at next logon

▪ Read all user information

▪ Create, delete and manage groups

▪ Change group membership

▪ Manage Group Policy links

▪ Generate Resultant Set of Policy (Planning) reports

▪ Generate Resultant Set of Policy (Logging) reports

▪ Create, delete and manage inetOrgPerson accounts

▪ Reset inetOrgPerson passwords and force password change at next logon

▪ Read all inetOrgPerson information

To learn more, read “Active Directory Delegated Permissions Best Practices.”

3.2. Privileged Access Workstation (PAW)

Another PAM best practice is to ensure that IT admins use their administrative accounts only on special secure
computers, called privileged access workstations (or secure administrative hosts). That way, their privileged
credentials are never left in memory on user machines, where they could be stolen by adversaries. They should
use their regular user credentials on other machines for tasks like browsing the internet and responding to email,
which increase the risk of a host being compromised.

Strictly speaking, a PAW does not have to be a separate physical device; for example, it is possible to use a laptop
as a PAW and run a virtual machine (VM) in the laptop’s hypervisor to be used for non-administrative tasks.

To secure a computer as a PAW, you should:

▪ Ensure that only authorized users can sign into the host.

▪ Use Device Guard and AppLocker policies to restrict application execution to trusted tools required for
administrative tasks.

▪ Enable Windows Defender Credential Guard to help protect against credential theft.

▪ Enable BitLocker to help protect the boot environment and the hard disk drives from tampering.

▪ Ensure that the PAW is blocked from accessing all external sites by the perimeter network firewall.

▪ Configure sign-in restrictions for accounts that are used to perform administrative actions.

In addition, block Remote Desktop Protocol (RDP), Windows PowerShell and management console connections
from any computer that is not a PAW.
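The "block RDP, PowerShell and management connections from anything that is not a PAW" rule, expressed as Windows Defender Firewall rules on a managed server, is shown below as an added example (not from the guide). The PAW subnet `10.10.50.0/24` is a constructed value; in production the same rules are deployed through Group Policy rather than run by hand.

```powershell
# Added example (not from the guide): allow inbound RDP and WinRM only from the
# PAW / jump-server subnet, and disable the permissive built-in rules.
$pawSubnets = @('10.10.50.0/24')   # constructed PAW address range

$rules = @(
    @{ Name = 'Allow RDP from PAW only';         Port = 3389 },
    @{ Name = 'Allow WinRM HTTP from PAW only';  Port = 5985 },
    @{ Name = 'Allow WinRM HTTPS from PAW only'; Port = 5986 }
)

foreach ($r in $rules) {
    # Remove any earlier copy so the script can be re-run safely.
    Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue | Remove-NetFirewallRule
    New-NetFirewallRule -DisplayName $r.Name -Direction Inbound -Action Allow `
        -Protocol TCP -LocalPort $r.Port -RemoteAddress $pawSubnets -Profile Domain | Out-Null
}

# The built-in rule groups allow these services from any address; disable them
# so the scoped rules above are the only way in.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop'             | Disable-NetFirewallRule
Get-NetFirewallRule -DisplayGroup 'Windows Remote Management'  | Disable-NetFirewallRule

# Scoping only matters if the default inbound action is Block.
Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultInboundAction Block

# Review: every enabled inbound allow rule that still accepts connections from anywhere.
Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow |
    Where-Object { ($_ | Get-NetFirewallAddressFilter).RemoteAddress -eq 'Any' } |
    Select-Object DisplayName, Profile, Group
```

The closing query is the useful part to keep: run it periodically, because software installers routinely add their own wide-open inbound rules and quietly undo the scoping.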

Jump Servers

You can use jump servers in conjunction with PAWs. A jump server is a special server that privileged users connect
to using Remote Desktop (rather than signing in locally to a PAW) when they need to perform administrative tasks.
You should configure jump servers in a manner similar to PAWs.

The key drawback of jump servers is that the computer that makes the connection to a jump server might be
compromised by malware because it is used to browse the internet, read email, open files and so on.

3.3. Just Enough Administration (JEA)

Microsoft JEA enables you to apply role-based access control (RBAC) principles through Windows PowerShell
remote sessions. Instead of using general roles that often grant users more permissions than they need to do
their jobs, you can use JEA to configure special Windows PowerShell endpoints that provide the functionality
necessary to perform a specific task: An authorized user can connect to the endpoint and use a specific set of
Windows PowerShell cmdlets, parameters and parameter values. The tasks are performed by a privileged virtual
account, rather than the user’s account.

Benefits of this approach include the following:

▪ The user’s credentials are not stored on the remote system.

▪ The user account used to connect to the endpoint does not need to be privileged.

▪ The virtual account is limited to the system on which it is hosted.

▪ The virtual account has local administrator privileges but can perform only the activities defined by JEA.
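A complete JEA endpoint, as an added example (not from the guide): members of a helpdesk group may restart one service and read its log, and nothing else, while the work is done by a virtual account. The group name `CORP\Helpdesk-Tier1`, the Spooler service and the role name are constructed; the script assumes an elevated session on the server that will host the endpoint.

```powershell
# Added example (not from the guide): a JEA endpoint with one role capability.
# Run elevated on the target server; names are constructed.
$moduleDir = Join-Path $env:ProgramFiles 'WindowsPowerShell\Modules\JeaHelpdesk'
$roleDir   = Join-Path $moduleDir 'RoleCapabilities'
New-Item -ItemType Directory -Path $roleDir -Force | Out-Null
# Role capability files must live under a module's RoleCapabilities folder.
New-ModuleManifest -Path (Join-Path $moduleDir 'JeaHelpdesk.psd1')

# Role capability: the visible cmdlets and the parameter values they may take.
# ValidateSet on -Name means the user cannot touch any other service or log.
New-PSRoleCapabilityFile -Path (Join-Path $roleDir 'SpoolerOperator.psrc') `
    -Description 'Restart the print spooler and read its log' `
    -VisibleCmdlets @(
        @{ Name = 'Get-Service';     Parameters = @{ Name = 'Name'; ValidateSet = 'Spooler' } },
        @{ Name = 'Restart-Service'; Parameters = @{ Name = 'Name'; ValidateSet = 'Spooler' } },
        @{ Name = 'Get-WinEvent';    Parameters = @(
            @{ Name = 'LogName'; ValidateSet = 'Microsoft-Windows-PrintService/Operational' },
            @{ Name = 'MaxEvents' }) }
    )

# Session configuration: RestrictedRemoteServer hides everything not listed,
# RunAsVirtualAccount performs the work as a temporary local-admin identity so
# the connecting user's credentials never reach the server, and every command
# is written to a transcript for audit.
$sessionFile = Join-Path $env:TEMP 'JeaHelpdesk.pssc'
New-PSSessionConfigurationFile -Path $sessionFile `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory 'C:\ProgramData\JEATranscripts' `
    -RoleDefinitions @{ 'CORP\Helpdesk-Tier1' = @{ RoleCapabilities = 'SpoolerOperator' } }

# Returns $true when the file is valid; Register restarts WinRM.
Test-PSSessionConfigurationFile -Path $sessionFile
Register-PSSessionConfiguration -Name 'Helpdesk' -Path $sessionFile -Force | Out-Null

# A helpdesk user then connects with:
#   Enter-PSSession -ComputerName <server> -ConfigurationName Helpdesk
# and sees only the three cmdlets above plus the default JEA proxies (Get-Command, Exit-PSSession, ...).
```

The `ValidateSet` entries are what make the endpoint safe: exposing `Restart-Service` without them would let the role restart any service, and exposing a cmdlet that can execute arbitrary code (`Invoke-Expression`, `Start-Process`) would hand the caller the virtual account's local-admin rights outright.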

3.4. Strategies for Securing Domain Controllers

Domain controllers (DCs) are one of the most valuable targets on a network; an attacker who compromises a DC
has control of all domain identities. To secure your DCs, consider taking the following steps:

▪ Deploy DCs on hardware that includes a Trusted Platform Module (TPM) chip, and configure all volumes with
BitLocker Drive Encryption.

▪ Ensure that all DCs run the most recent version of the Windows Server operating system and have current
security updates.

▪ Deploy DCs using the “Server Core” installation option rather than the “Server with a Desktop” option.

▪ Keep physical DCs in dedicated secure racks that are separate from other servers.

▪ For physical DCs, use Secured-core server (new in Windows Server 2022) to further enhance hardware security.

▪ Run virtualized DCs either on separate virtualization hosts or as shielded virtual machines on a guarded fabric.

▪ Apply secure baseline configurations to all DCs using a tool like the Microsoft Security Compliance Toolkit.

▪ Control the execution of executables and scripts on your DCs using tools like AppLocker and Device Guard.

▪ Use the Group Policy assigned to the Domain Controllers OU to ensure that RDP connections can be made
only from jump servers and other PAWs.

▪ Configure the perimeter firewall to block outbound connections from domain controllers to the internet.

▪ For DCs deployed in Microsoft Azure IaaS, use a Windows Server Azure Edition image to enable hot patching
(installing patches without requiring a reboot).

3.5. ESAE Forests

Enhanced Security Administrative Environment (ESAE) is a legacy security strategy that recommended placing
privileged accounts in a special forest (often called a “red forest”) in order to make it easier to apply more
restrictive policies to protect them. For example, the accounts can be permitted to sign in only to specific hosts in
the production forest and required to use multifactor authentication (MFA).

Microsoft now recommends ESAE only for certain specific scenarios. Instead, most organizations are advised to
use Microsoft’s rapid modernization plan (RaMP), which provides guidance for implementing a modern Zero Trust
security strategy.

3.6. Just-in-Time (JIT) Administration

JIT administration is the strategy of granting privileges to users at the point when they need them to do a particular
task, and only for a limited amount of time, rather than permanently. One option for JIT administration is Azure
Active Directory (Azure AD) Privileged Identity Management (PIM), but many vendors have similar solutions.

JIT can be implemented either by granting the user’s existing account temporary membership in a security group
that has the required privileges, or by creating an ephemeral account with the necessary rights.

This approach can provide the following security benefits:

▪ All accounts used by the IT team are standard user accounts.

▪ All requests for privileged access are logged, which can reduce the likelihood of privilege misuse.

▪ Privileges are temporary, which virtually eliminates the opportunity for account takeover.

▪ Requests for access can be routed through an approval workflow to ensure privileged activity is authorized.
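The first JIT variant above (temporary membership in a privileged group) can be done with on-premises AD alone, using the Privileged Access Management optional feature, which gives group memberships a time-to-live that AD enforces. The script below is an added example (not from the guide); it assumes a Windows Server 2016 or later forest functional level, the ActiveDirectory module, and the constructed names `adm-jdoe` and `ServerAdmins-Tier1`. The approval workflow the last bullet mentions is outside the script: the `-TicketReference` parameter is only a hook for recording it.

```powershell
# Added example (not from the guide): time-limited group membership with the AD
# Privileged Access Management feature. Names are constructed.
Import-Module ActiveDirectory

# Enabling the feature is a one-time, irreversible forest change; check first.
$pam = Get-ADOptionalFeature -Filter "Name -eq 'Privileged Access Management Feature'"
if (-not $pam.EnabledScopes) {
    Enable-ADOptionalFeature -Identity $pam -Scope ForestOrConfigurationSet `
        -Target (Get-ADForest).Name -Confirm:$false
}

function Grant-TemporaryMembership {
    param(
        [Parameter(Mandatory)] [string] $User,
        [Parameter(Mandatory)] [string] $Group,
        [Parameter(Mandatory)] [string] $TicketReference,   # approval/change id for the audit trail
        [int] $Hours = 2
    )
    # AD removes the membership link when the TTL expires, and Kerberos tickets
    # issued while it is active carry a lifetime no longer than the remaining TTL,
    # so the elevation really does end without anyone having to revoke it.
    Add-ADGroupMember -Identity $Group -Members $User -MemberTimeToLive (New-TimeSpan -Hours $Hours)
    # The 4728/4732 group-change events record who made the change; keep the
    # business reason alongside them in the ticketing system.
    Write-Verbose "Granted $User membership of $Group for $Hours h (ref $TicketReference)" -Verbose
}

function Get-TemporaryMemberships {
    param([Parameter(Mandatory)] [string] $Group)
    # -ShowMemberTimeToLive prefixes each timed member with its remaining TTL in seconds.
    Get-ADGroup -Identity $Group -Properties member -ShowMemberTimeToLive |
        Select-Object -ExpandProperty member
}

Grant-TemporaryMembership -User 'adm-jdoe' -Group 'ServerAdmins-Tier1' -Hours 2 -TicketReference 'CHG-0001'
Get-TemporaryMemberships -Group 'ServerAdmins-Tier1'
```

A membership in the listing that has no `<TTL=...>` prefix is a standing (permanent) one; periodically listing the privileged groups this way is a quick check that JIT has not quietly been bypassed.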

3.7. Microsoft Identity Manager (MIM)

Active Directory Domain Services (AD DS) allows you to create, modify and delete user accounts, but it provides
very few tools to automate lifecycle management of those accounts. MIM is an on-premises identity and access
management solution that helps fill that gap. It helps you manage users, credentials, policies and access. Note
that Microsoft is positioning Azure AD (now called Microsoft Entra ID) as a cloud-based identity provider that can
handle many of the same tasks as MIM.

MIM offers the following functionality:

▪ Self-service password reset — Users can reset their own passwords after they verify their identity.

▪ Self-service account lockout remediation — Users can unlock their accounts by answering questions to
verify their identity.

▪ Self-service user attribute management — Users can update certain of their own Active Directory attributes,
such as their phone numbers.

▪ Active Directory user and group lifecycle management — MIM provides tools for managing groups and
users that go beyond the creation, modification and deletion functionality of AD DS.

▪ Smart card and certificate lifecycle management — MIM provides tools for managing smart cards and
certificates, including certificate provisioning and renewal.

▪ Role management and assignment — MIM helps you manage RBAC functionality.

▪ Password synchronization across directories — You can synchronize passwords to other directories,
including Azure AD.

▪ Privileged account management (PAM) — Admins can be assigned privileges on a temporary, rather than
permanent, basis.

▪ Analytics and compliance reporting — You can analyze and report on all activity that MIM performs.

3.8. Third-Party PAM Solutions

Netwrix Privilege Secure is a comprehensive PAM solution that can complement or supplant Microsoft solutions
like MIM and LAPS. It empowers you to:

▪ Replace risky standing privileged accounts with JIT, ephemeral accounts for specific tasks.

▪ Alternatively, centralize access management for privileged accounts through integration with LAPS.

▪ Discover and manage service accounts and other non-human accounts.

▪ Enforce and audit the use of PAWs.

▪ Secure domain controllers with granular access control.

▪ Manage and audit access to jump servers.

▪ Monitor and analyze privileged activity.

▪ Manage access to multiple ESAE forests or dynamically adapt privileges.

4. Protecting Data in Windows Server
To ensure security, compliance and business continuity, organizations need to tightly control access to their data,
including data stored on file servers and user devices like workstations and laptops.

4.1. File Server Resource Manager (FSRM)

File servers often host a great deal of critical data. FSRM is a set of tools that help you understand, control and
manage that data. It offers:

▪ Quota management — You can set storage limits on volumes or folders.

▪ File screening — You can prevent specific file types from being stored on a volume or folder, or be notified
when users store certain types of files.

▪ Storage reporting — You can report on information such as:

    ▪ Quota usage
    ▪ File screening activity
    ▪ Large, duplicate and unused files
    ▪ Files by owner, file group or specific file property

▪ Data classification — You can identify, categorize and manage files using a wide array of properties.

▪ File management — You can delete old files or move files to a specific location based on criteria like filename
or file type.

4.2. Encrypting File System (EFS)

EFS helps protect data from unauthorized access. For example, if an attacker steals a laptop that is not protected
by EFS, they may be able to bypass file security and access the data. But if a file is protected with EFS, they
cannot view its content unless they have the user’s credentials (name and password). Note that EFS is an older
file encryption solution, so it should be paired with additional security measures, such as smart card or biometric
authentication.

Here are the key facts to understand about EFS:

▪ Only authorized users can access encrypted files.

▪ EFS works at the file or folder level, so you can have encrypted and unencrypted files on the same volume.

▪ EFS is transparent to users and applications. When an authorized user opens an encrypted file, EFS decrypts
the content in the background and provides an unencrypted copy to the user, who can view or modify the file;
EFS saves any changes as encrypted data.

▪ You can use EFS to encrypt files locally or across the network.

▪ EFS can encrypt data at rest only; it does not encrypt data while it is being transmitted over the network.

▪ If your EFS private key is lost, you can use data recovery agents to recover data that was encrypted by any user.

▪ In File Explorer, encrypted files and folders appear by default in a different color than unencrypted files.

4.3. BitLocker

Like EFS, BitLocker helps protect data stored on devices that are lost or stolen. But while EFS encrypts data at the
file or folder level, BitLocker encrypts at the volume level. You can use the two technologies together.

BitLocker has the following features:

▪ BitLocker can be used for physical computers or virtual machines.

▪ BitLocker can encrypt an entire volume (whether it contains the Windows operating system or is a data
volume) or only the used parts of a volume.

▪ BitLocker can use a Trusted Platform Module (TPM) to protect the integrity of the Windows startup process.
In fact, enterprises often mandate the use of a TPM with BitLocker. You can do this by using Group Policy.

▪ BitLocker verifies that the required boot files have not been tampered with or modified.

▪ BitLocker can require additional authentication, such as a PIN or a USB startup key.

▪ You can configure a BitLocker-protected device to start automatically when it is connected to a trusted
company network, and to require a startup PIN otherwise.

▪ If a TPM fails or the password is lost, BitLocker provides a recovery mechanism (a 48-digit recovery key or
a recovery agent) to access the data. This recovery information can be stored in Active Directory, which is a
good practice to ensure recoverability.

▪ BitLocker protects the whole volume from offline attacks.

▪ BitLocker offers secure data disposal when you decommission a device.
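The recovery-key and TPM points above, as an added example that is not the guide's own code: it enables BitLocker on the OS volume with a TPM-plus-PIN protector, used-space-only encryption and XTS-AES-256, and escrows the recovery password to Active Directory before encryption starts. It assumes a ready TPM, a domain-joined server whose AD is prepared to store BitLocker recovery information, and Group Policy that permits a startup PIN with the TPM.

```powershell
# Added example: enable BitLocker on the OS volume (TPM + PIN) and escrow the
# recovery password in AD first, so the volume is recoverable before it is encrypted.
# Assumes a ready TPM, AD prepared for BitLocker recovery data, and a GPO allowing a startup PIN.
#Requires -RunAsAdministrator

function Enable-OsVolumeBitLocker {
    param(
        [string]$MountPoint = 'C:',
        [Parameter(Mandatory)][SecureString]$StartupPin
    )

    # Enterprises commonly mandate a TPM; refuse to continue without a usable one
    $tpm = Get-Tpm
    if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
        throw 'A present and ready TPM is required for this configuration'
    }

    $vol = Get-BitLockerVolume -MountPoint $MountPoint

    # 1. Recovery password protector (the 48-digit key) if none exists yet
    if (-not ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
        Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
        $vol = Get-BitLockerVolume -MountPoint $MountPoint
    }

    # 2. Escrow every recovery password to the computer object in Active Directory
    foreach ($kp in ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
        Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $kp.KeyProtectorId | Out-Null
    }

    # 3. Encrypt only the used space, XTS-AES-256, unlocked at boot by TPM + PIN
    if ($vol.ProtectionStatus -ne 'On') {
        Enable-BitLocker -MountPoint $MountPoint `
            -EncryptionMethod XtsAes256 `
            -UsedSpaceOnly `
            -TpmAndPinProtector -Pin $StartupPin `
            -SkipHardwareTest | Out-Null
    }

    Get-BitLockerVolume -MountPoint $MountPoint |
        Select-Object MountPoint, VolumeStatus, EncryptionMethod, ProtectionStatus, EncryptionPercentage
}

function Test-RecoveryKeyEscrowed {
    # Verifies that at least one recovery password exists locally; AD-side presence
    # should additionally be confirmed with the BitLocker Recovery tab in ADUC.
    param([string]$MountPoint = 'C:')
    $rp = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword'
    [bool]$rp
}

# Prompt for the PIN interactively so it never lands in a script file or history
$pin = Read-Host -Prompt 'Startup PIN' -AsSecureString
Enable-OsVolumeBitLocker -MountPoint 'C:' -StartupPin $pin
Test-RecoveryKeyEscrowed -MountPoint 'C:'
```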

4.4. Server Message Block (SMB)

Server Message Block (SMB) is a protocol for sharing files and folders. Because SMB is commonly abused to exfiltrate
data, it’s important to follow security best practices for all servers that use SMB, including any Windows Server
machines being used as file servers.

These best practices include the following:

▪ Turn off file and folder sharing when not in use.

▪ Disable the SMB Server service when not in use.

▪ Disable old SMB protocol versions, such as 1.0 and 2.0.

▪ Block all inbound SMB traffic from the internet. This is often in place for organizations that block all traffic by
default; other organizations might need to specifically configure it. For sharing of files and folders over the
internet, you should use a file sharing service such as Dropbox or OneDrive.

▪ Block all outbound SMB traffic to the internet. While this best practice is less obvious than blocking inbound
SMB traffic, it is necessary to prevent users from connecting to file servers on the internet.

▪ Enforce least privilege on NTFS permissions. Users should not have “Full Control” and should not be able to
modify share permissions or NTFS permissions.

▪ Enforce least privilege on share permissions. Share permissions should match NTFS permissions or be more
restrictive.

▪ Use SMB encryption whenever all the clients support it. This gives you both encryption and SMB signing.

▪ Use the latest encryption available for your environment. Today, that is SMB AES-256 encryption using AES-
256-GCM and AES-256-CCM cryptographic suites. You can use Group Policy to configure the encryption
enterprise-wide.

▪ For Windows Server clusters, you can encrypt internal cluster communications when using Storage Spaces Direct.
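The best practices above, turned into an audit-and-remediate script as an added example (not code from the guide): it reports SMB 1.0, signing, encryption, broad "Full Control" share grants and the missing outbound-445 block, and can apply the server-side fixes. The firewall rule name is a constructed value, and the AES-256 cipher preference applies to Windows Server 2022 and later.

```powershell
# Added example: audit a Windows Server file server against the SMB guidance above,
# then optionally apply the server-side fixes. Rule name is constructed.
#Requires -RunAsAdministrator

$BlockRuleName = 'Block outbound SMB to Internet'   # constructed rule name

function Test-SmbHardening {
    # Returns one string per finding; an empty result means nothing was flagged.
    $findings = @()
    $cfg = Get-SmbServerConfiguration

    # SMB 1.0: both the protocol switch and the optional feature should be off
    if ($cfg.EnableSMB1Protocol) { $findings += 'SMB1 protocol is enabled' }
    if ((Get-WindowsFeature -Name FS-SMB1).Installed) { $findings += 'FS-SMB1 feature is installed' }

    # Signing and encryption; encrypted SMB 3.x sessions are integrity-protected as well
    if (-not $cfg.RequireSecuritySignature) { $findings += 'SMB signing is not required' }
    if (-not $cfg.EncryptData) { $findings += 'SMB encryption is not enabled server-wide' }
    if (-not $cfg.RejectUnencryptedAccess) { $findings += 'Unencrypted clients are still accepted' }

    # Least privilege on share permissions: broad principals must not hold Full control
    $broad = 'Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users'
    foreach ($share in (Get-SmbShare | Where-Object { -not $_.Special })) {
        Get-SmbShareAccess -Name $share.Name |
            Where-Object { $_.AccessControlType -eq 'Allow' -and $_.AccessRight -eq 'Full' -and $_.AccountName -in $broad } |
            ForEach-Object { $findings += "Share '$($share.Name)': $($_.AccountName) has Full control" }
    }

    # Outbound SMB to the Internet should be blocked by a host firewall rule
    if (-not (Get-NetFirewallRule -DisplayName $BlockRuleName -ErrorAction SilentlyContinue)) {
        $findings += 'No firewall rule blocks outbound TCP 445 to the Internet'
    }
    return $findings
}

function Invoke-SmbHardening {
    # Applies the server-side settings; share ACL findings are left for manual review.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -RequireSecuritySignature $true `
        -EncryptData $true -RejectUnencryptedAccess $true -Force

    # Cipher order expresses preference: AES-256 first, AES-128 kept for clients that
    # cannot negotiate it (Windows Server 2022 / Windows 11 and later honour this list).
    Set-SmbServerConfiguration -EncryptionCiphers 'AES_256_GCM, AES_256_CCM, AES_128_GCM, AES_128_CCM' -Force

    if ((Get-WindowsFeature -Name FS-SMB1).Installed) {
        Uninstall-WindowsFeature -Name FS-SMB1 | Out-Null   # may require a reboot to finish
    }

    if (-not (Get-NetFirewallRule -DisplayName $BlockRuleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $BlockRuleName -Direction Outbound -Protocol TCP `
            -RemotePort 445 -RemoteAddress Internet -Action Block -Profile Any | Out-Null
    }
}

# Audit first; review the findings before changing anything
Test-SmbHardening | ForEach-Object { Write-Warning $_ }

# Invoke-SmbHardening   # uncomment to remediate after review
```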

4.5. Failover Clustering

When it comes to security, many administrators think about authentication, authorization, encryption and related
areas. But availability is a function of security too. Failover clustering, a feature of Windows Server, provides high
availability across a variety of workloads to maximize uptime. You can create a cluster of database servers or print
servers, as well as a variety of other services. However, some services, such as Active Directory Domain Services,
are not suited for failover clustering and instead rely on other methods for high availability.

Organizations often combine high availability within a site with site resiliency across sites, usually by locating the
sites in different regions to ensure that they are not susceptible to the same hurricane, earthquake or other disaster.

In Windows Server 2019, Microsoft introduced several features to enhance clustering and/or security:

▪ Azure-aware clusters — This feature includes automatic detection of deployment in Azure IaaS and can do
proactive failover.

▪ File share witness enhancements — This feature extends the use of a file share witness for scenarios with
poor internet access, no line of sight to a domain controller or no shared drives.

▪ Removal of NTLM authentication — Instead of the older and weaker NTLM protocol, clusters now use
Kerberos and certificate-based authentication.

5. Mitigating Malware and Other Threats in Windows Server
Malware — computer viruses, worms, Trojan horses, ransomware, spyware and so on — is a serious threat to
organizations because it can damage devices and enable unauthorized parties to access the network remotely to
steal or encrypt sensitive information. Other threats include firmware attacks and exploiting vulnerabilities like
buffer overflows.

5.1. Windows Security App

The Windows Security app can help you identify and remove malware from a computer. Here is some of the
information and functionality it provides:

▪ Virus & threat protection — The app provides information about and access to antivirus settings and the
“Controlled folder access” feature of Windows Defender Exploit Guard.

▪ Device performance & health — The app provides information about drivers, storage space and Windows
Update.

▪ Firewall & network protection — It provides information about and access to firewall settings, including
Windows Defender Firewall settings.

▪ App & browser control — The app provides exploit-protection mitigations and access to Windows Defender
SmartScreen settings.

▪ Family options — The app provides access to parental controls and family settings.

5.2. Device Guard

Device Guard is a suite of security features introduced in Windows Server 2016. When you turn it on, the operating
system will run only the applications on a whitelist your organization defines, instead of trusting all apps except
those blocked by an antivirus or other security solution.

Device Guard uses virtualization-based security to isolate the code-integrity service from the Windows kernel.
Device Guard can block any software, even if an unauthorized user manages to take control of the operating
system. You can choose exactly what can run inside your environment by using a code-integrity policy to protect
your environment.

Device Guard is not a single feature. It’s a combination of several features, such as:

▪ Virtual Secure Mode — A virtual shell that isolates the LSASS.exe process from the operating system, which
reduces the risk that malicious users will compromise your users’ domain credentials.

▪ Windows Defender Application Control — A Windows component that provides a rules engine to help
ensure executable security. This feature was improved in Windows Server 2019 by providing default policies
that allow all Windows native files and Microsoft apps, simplifying the initial deployment.

▪ Virtual Secure Mode Protected Code Integrity — Moves the Kernel Mode Code Integrity (KMCI) and
Hypervisor Code Integrity (HVCI) components into virtual secure mode to harden them from attack.

▪ Platform and UEFI Secure Boot — Improves security by using signatures and measurements to help protect
boot-loader code and firmware from tampering.

5.3. Control Flow Guard (CFG)

CFG is a Windows Server feature that helps prevent memory corruption. It restricts where an application can execute
code, which makes it harder for hackers to execute their code by exploiting common vulnerabilities like buffer
overflows. It also monitors certain aspects of a program’s control flow to ensure that all indirect calls result in a jump
to legal targets, since hackers will supply uncommon input to a running program to make it perform unexpectedly.

5.4. Secured-Core Server

Modern sophisticated attacks are targeting the boot process and firmware because operating system protection
is getting more difficult to bypass. However, typical anti-virus and anti-malware solutions have little or no visibility
into firmware, which leaves your systems vulnerable to firmware-level attacks.

To help, Microsoft introduced secured-core server in Windows Server 2022. Machines certified as secured-core
servers come with security mitigations built into their hardware, firmware and operating system. For example,
they must have Boot DMA protection and the System Guard Secure Launch boot process.

A secured-core server must have a Trusted Platform Module (TPM) 2.0 chip, which facilitates strong security controls,
such as attestation-based workflows as part of a Zero Trust security strategy. This and other features make
secured-core servers especially helpful for organizations with high security needs, such as financial organizations
and government agencies.

5.5. Group Policy Software Restriction Policies (SRPs)

One of the best ways to block malware is by implementing a software whitelist. Group Policy enables you to apply
software restriction policies across your environment.

To define which applications are permitted to run on client devices or servers, administrators create rules using the
following criteria:

▪ Hash — The cryptographic fingerprint of the file.

▪ Certificate — A software publisher certificate that signs a file digitally.

▪ Path — The local or Universal Naming Convention (UNC) path to where the file is stored.

▪ Zone — The security zone assigned to a network location that you specify, such as the Internet zone.

5.6. AppLocker

AppLocker is another way to control which applications can run. You can apply AppLocker through Group Policy
to computer objects in an organizational unit (OU). You also can apply individual AppLocker rules to specific users
or groups, and monitor the application of those rules.

For example, you can leverage AppLocker to both whitelist and blacklist applications within an organization. This
means you can prevent anyone in the organization from running specific software, such as applications deemed
dangerous, distracting, or replaced by newer versions, by adding them to the blacklist. You can also limit the use
of certain applications to only the specific departments that need them.

You can configure AppLocker in GPMC at “Computer Configuration\Policies\Windows Settings\Security Settings\
Application Control Policies”.

5.7. Security Compliance Toolkit (SCT)

SCT is a set of free Microsoft tools that help administrators establish secure baseline configurations for their
servers and apply them to all applicable machines, such as all application servers or all file servers. You can
download Microsoft-recommended security configuration baselines; test, edit and store them; and apply them to
your servers, regardless of whether they are local, remote or in the cloud.

The main features of SCT include:

▪ Policy Analyzer — Enables you to analyze and compare sets of Group Policy objects.

▪ Local Group Policy Object (LGPO) — Helps automate management of local Group Policy, including importing
settings from Group Policy backups, registry policy files, security templates and advanced-auditing backup
CSV files that the Policy Analyzer generates.

5.8. Windows Update

Studies show that one of the best ways to protect your servers from threats is to simply apply software and
hardware updates promptly using Windows Update. One key reason is that when a patch is released, malicious
actors often reverse-engineer it to find the vulnerability it addresses, and then use that knowledge to attack
organizations that have yet to apply the patch.

Here are the key best practices for patching:

▪ High-security organizations should install patches the same day they come out for critical systems or systems
exposed to the internet.

▪ Automate patch management to simplify the process of installing patches across your entire environment.

▪ Ensure you can find unpatched systems.

▪ Consider using the “Server Core” installation option to reduce the number of patches and be able to take
advantage of improvements to Windows Update rollback.

▪ Consider using Azure Automanage, which helps you deploy patches sooner by enabling patching of VMs
without a reboot.
5.9. Microsoft Defender for Servers

Microsoft has been expanding its Defender product across a variety of workloads. Specific to Windows Server is
Microsoft Defender for Servers, which is part of the Microsoft Defender for Cloud offering. This tool is quite useful
for hybrid organizations because it offers a single pane to manage your entire IT environment.

There are two primary plans: Plan 1 is the base offering; Plan 2 offers everything that Plan 1 does and more.

Key security features of Microsoft Defender for Servers include:

▪ Anti-malware

▪ Anti-virus

▪ Reporting

▪ Threat analytics (Plan 2 only)

▪ Advanced hunting (Plan 2 only)

6. Securing Virtualization Environments in Windows Server
Administrator accounts work differently in virtualized environments than they do in physical ones. In a physical
environment, administrative roles (such as storage administrator, network administrator, backup operator and
virtualization-host administrator) have limited or isolated rights. In contrast, in a virtual infrastructure, each of
these roles with permissions to manage the physical infrastructure might have an inappropriate level of access
to the virtual infrastructure. For example, in physical environments, Windows administrators often don’t have
access to domain controllers. In a virtual environment, if the Windows administrators manage the virtualization
environment, they might have access to the backend disks of the DCs, which increases risk.

6.1. Guarded Fabric

In Windows Server 2016, Microsoft introduced an improved Hyper-V security model designed to help protect
hosts and their VMs from malicious software that might be inside them. Because a VM is just a file, you need to
protect it from attacks from the storage system or network while it is being backed up.

Fabric is the infrastructure elements that enable the creation and management of VMs and associated services.
These elements can include software, servers, network and storage components, host groups, the VMM library,
networking, and even non-Hyper-V virtual hosts.

Guarded fabric is a fabric that can manage and run shielded VMs (explained below). In fact, guarded fabrics can
run three types of VMs:

▪ A normal VM that offers no protection beyond that of earlier versions of Hyper-V

▪ An encryption-supported VM whose protections can be configured by a fabric admin

▪ A shielded VM whose protections are switched on and cannot be disabled by a fabric admin

Host Guardian Service (HGS)

HGS is the centerpiece of the guarded fabric solution. It is responsible for ensuring that Hyper-V hosts in the fabric
are known to the hoster or enterprise and that they run trusted software.

Specifically, HGS is a server role introduced in Windows Server 2016 that provides the Attestation Service and Key
Protection Service (KPS) that enable Hyper-V to run shielded VMs. A Hyper-V host becomes a guarded host as soon
as the Attestation Service affirmatively validates its identity and configuration. KPS provides the transport key that
is needed to unlock and run shielded VMs.

HGS supports two different attestation modes for a guarded fabric:

▪ Admin-trusted attestation (Active Directory based) — Admin-trusted attestation is intended to support
existing host hardware where TPM 2.0 is not available. It requires relatively few configuration steps and is
compatible with common server hardware.

▪ TPM-trusted attestation (hardware based) — TPM-trusted attestation offers stronger protection but
requires more configuration steps. The host’s hardware and firmware must include TPM 2.0 and UEFI 2.3.1
with Secure Boot enabled. This mode is recommended in high-security environments.

6.2. Shielded VMs

To help protect a fabric against compromise, you can deploy shielded virtual machines. A shielded VM is a
generation 2 VM that has a virtual TPM, is encrypted by using BitLocker Drive Encryption, and can run only on
healthy and approved hosts in the fabric.

HGS manages the keys used to start up shielded VMs. Without HGS, a Hyper-V host cannot power on a shielded
VM because it cannot decrypt it. HGS will not provide the keys to a Hyper-V host until that host has been measured
and is considered healthy. New in Windows Server 2019 is the ability to run shielded VMs on hosts that have only
intermittent connectivity to the Host Guardian Service.

Here are three examples that illustrate how shielded VMs help protect against attacks:

▪ There is less risk if a malicious employee steals a shielded VM’s .vhd files because those files are encrypted.

▪ HGS will not release keys to hosts with debuggers attached.

▪ A malicious employee who attempts to move a shielded VM to an untrusted host will discover that the new
host will not be recognized. Trusted hosts are added to HGS by means of identifiers unique to their TPMs and
are protected even if they are moved to another HGS.

7. Securing Application Development in Windows Server
You can improve the security of your application development infrastructure by reducing the size and scope of
application and compute resources. One way to do this is to containerize workloads.

7.1. Containers

Containers enable you to isolate workloads from each other and the OS. From the app’s perspective, a container
appears to be a complete, isolated Windows OS with its own file system, devices and configuration. Containers
are like VMs in that they run an OS, they support a file system, and you can access them across a network similar
to any other physical machine or VM. However, containers do not need all the processes and services that an OS
on a VM might use.

Because containers are virtual environments that share the kernel of the host OS but provide user space isolation,
they provide an ideal environment in which an app can run without affecting the rest of the user mode components
of the OS and without the other user mode components affecting the app.

Containers also provide a standardized environment for development, test and production teams. Using containers,
developers can create and test apps quickly in an isolated environment while using only a few OS resources.

Windows Server supports two types of containers:

▪ Windows Server containers — These containers provide app isolation through the process and namespace
isolation technology. Windows Server containers share the OS kernel with the container host and with all
other containers that run on the host.

▪ Hyper-V containers — These containers expand on the isolation that Windows Server containers provide by
running each container in a highly optimized VM.

Using containers has multiple benefits. Even if a container is compromised by an attacker, it will be difficult for
the attacker to access the host OS. The reduced OS size means that you must maintain fewer operating-system
components, which results in fewer security risks. The reduced OS size also helps improve scalability.
7.2. Docker

To run an application workload in a container, you must use Docker. Docker is a collection of open-source tools and
cloud-based services that provide a common model for packaging (containerizing) app code into a standardized
unit for software development. This standardized unit, or Docker container, is software that is wrapped in a
complete file system that includes everything it needs to run, which can include code, runtime, system tools,
system libraries and anything else you can install on a server.

You must download Docker separately; it is not part of the Windows Server installation media.

7.3. Nano Server

An installation option introduced in Windows Server 2016, Microsoft Nano Server is a lightweight operating system
tailored for use with virtualized container instances. There is no UI; you must manage Nano Server remotely
using PowerShell, but this PowerShell differs from the standard one. As of Windows Server 2019, Nano Server
is available only as a container-based OS image, and you must run it as a container in a container host such as
Docker. You can troubleshoot Nano containers using Docker and run them in IoT Core.

A Nano Server instance cannot function as an Active Directory domain controller. It does not support the following
features:

▪ Group Policy
▪ Network interface card teaming
▪ Virtual host bus adapters
▪ Proxy server access to the internet
▪ System Center Configuration Manager
▪ System Center Data Protection Manager

Nano Server supports the following roles:

▪ File Services
▪ Hyper-V
▪ IIS
▪ DNS Server

8. Securing Network Connections in Windows Server
Securing your IT infrastructure also requires protecting against network-related security threats. Windows Server
offers several network security features to help.

8.1. Windows Firewall with Advanced Security

Windows Firewall with Advanced Security blocks unauthorized network traffic flowing into or out of a local device
by providing host-based, two-way network traffic filtering. You can either manually configure Windows Firewall
with Advanced Security on each server or use Group Policy to centrally configure the firewall rules.

While the old Windows Firewall allowed you to configure only a single set of inbound and outbound rules (a
profile), Windows Firewall with Advanced Security includes three profiles (Domain, Private and Public), so you
can apply the appropriate rules to each server based on its connection to the network. These profiles are tightly
connected to three network profiles in the Network and Sharing Center:

▪ Domain networks — Networks at a workplace that are attached to a domain.

▪ Private networks — Networks at home or at work where you trust the people and devices on the network.
When private networks are selected, network discovery is turned on but file and printer sharing is turned off.

▪ Guest or public networks — Networks in public places. Network discovery, file sharing and printer sharing
are all turned off.

You can configure the following options for each of the three network profiles:

▪ Firewall State — You can turn the firewall on or off independently for each profile.

▪ Inbound Connections — You can block connections that do not match any active firewall rules (this is the
default), block all connections regardless of inbound rule specifications, or allow inbound connections that do
not match an active firewall rule.

▪ Outbound Connections — You can allow connections that do not match any active firewall rules (this is the
default) or block outbound connections that do not match an active firewall rule.

▪ Protected Network Connections — You can select the connections (for example, the Local Area Connection)
that you want Windows Firewall to help protect.

▪ Settings — You can configure display notifications and unicast responses, and merge rules that are distributed
through Group Policy.

▪ Logging — You can configure and enable logging.

▪ IPsec Settings — You can configure the default values for IPsec configuration (described below).
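The per-profile options above (firewall state, default inbound/outbound action, logging), as an added example that is not the guide's own code: the first function applies the same hardened defaults to all three profiles and turns on logging of dropped packets; the second summarizes inbound drops from a log in the default pfirewall.log format. The sample log lines are constructed.

```powershell
# Added example: harden all three Windows Firewall profiles, enable drop logging,
# and summarize inbound drops from the log. Sample log content is constructed.
#Requires -RunAsAdministrator

function Set-HardenedFirewallProfiles {
    # Firewall on; unsolicited inbound blocked; outbound allowed; drops logged per profile
    foreach ($name in 'Domain', 'Private', 'Public') {
        Set-NetFirewallProfile -Name $name `
            -Enabled True `
            -DefaultInboundAction Block `
            -DefaultOutboundAction Allow `
            -LogBlocked True `
            -LogAllowed False `
            -LogFileName "%SystemRoot%\System32\LogFiles\Firewall\pfirewall_$name.log" `
            -LogMaxSizeKilobytes 32767
    }
    Get-NetFirewallProfile |
        Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction, LogBlocked, LogFileName
}

function Get-FirewallDropSummary {
    # Parses pfirewall.log text (W3C-style header) and counts inbound DROP entries
    # by destination port/protocol and source address, busiest first.
    param([Parameter(Mandatory)][string[]]$Lines)

    $fields = $null
    $drops = foreach ($line in $Lines) {
        if ($line -like '#Fields:*') {
            $fields = ($line -replace '^#Fields:\s*') -split '\s+'
            continue
        }
        if ($null -eq $fields -or $line -like '#*' -or [string]::IsNullOrWhiteSpace($line)) { continue }

        $values = $line -split '\s+'
        $rec = @{}
        for ($i = 0; $i -lt [Math]::Min($fields.Count, $values.Count); $i++) {
            $rec[$fields[$i]] = $values[$i]
        }
        # 'path' is RECEIVE for inbound and SEND for outbound traffic
        if ($rec['action'] -eq 'DROP' -and $rec['path'] -eq 'RECEIVE') { [pscustomobject]$rec }
    }

    $drops |
        Group-Object { "$($_.'dst-port')/$($_.protocol) from $($_.'src-ip')" } |
        Sort-Object Count -Descending |
        Select-Object Count, Name
}

# Constructed sample in the default Windows Firewall log format
$sampleLog = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2024-01-15 10:00:01 DROP TCP 203.0.113.10 10.0.0.5 51234 445 52 S 0 0 0 - - - RECEIVE
2024-01-15 10:00:02 DROP TCP 203.0.113.10 10.0.0.5 51235 445 52 S 0 0 0 - - - RECEIVE
2024-01-15 10:00:03 ALLOW TCP 10.0.0.7 10.0.0.5 50000 3389 52 S 0 0 0 - - - RECEIVE
2024-01-15 10:00:04 DROP TCP 203.0.113.10 10.0.0.5 51236 3389 52 S 0 0 0 - - - RECEIVE
2024-01-15 10:00:05 DROP UDP 10.0.0.5 198.51.100.9 5353 5353 60 - - - - - - - SEND
'@ -split "`r?`n"

# Expected: 2 x "445/TCP from 203.0.113.10", 1 x "3389/TCP from 203.0.113.10"; the SEND line is ignored
Get-FirewallDropSummary -Lines $sampleLog

# Against the live Domain-profile log after Set-HardenedFirewallProfiles has run:
# Get-FirewallDropSummary -Lines (Get-Content "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall_Domain.log")
```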

8.2. IPsec

Connecting to the internet exposes an organization to many types of security threats, from malware to drive-by
downloads to social engineering attacks. IPsec is a set of industry-standard, cryptography-based services and
protocols that can help to protect data in transit through a network by providing authentication, integrity checking
and encryption. IPsec protects all protocols in the TCP/IP protocol suite except Address Resolution Protocol (ARP).

The design of IPsec helps it provide much better security than protection methods such as Transport Layer
Security (TLS) and Secure Shell (SSH), which provide only partial protection. Network administrators who use IPsec
do not have to configure security for individual programs because all network traffic between the specified hosts
is protected when they use IPsec. One of the most common uses of IPsec is a site-to-site VPN.

Key facts to know include the following:

▪ IPsec offers mutual authentication before and during communications.

▪ IPsec forces both parties to identify themselves during the communication process.

▪ IPsec enables confidentiality through IP traffic encryption and digital packet authentication.

8.3. Message Analyzer

You can use Message Analyzer to capture, display and analyze protocol messaging traffic, events and other system
or application messages. Message Analyzer enables you to save and reload captures, aggregate saved captures,
and analyze data from current and saved trace files. When Message Analyzer performs network captures, it limits
irrelevant data, and exposes issues and hidden information that is critical for quick analysis. It accomplishes this
by enabling you to remove lower-level details so you can perform analysis on higher-layer data of interest.

You can use Message Analyzer in a variety of scenarios:

▪ Capturing network traffic for security review

▪ Troubleshooting application issues

▪ Troubleshooting network and firewall configuration issues

8.4. HTTPS and TLS 1.3

As of Windows Server 2022, HTTPS and TLS 1.3 are enabled by default. This is a big deal because administrators
have had to manually deal with older HTTPS and TLS settings as new versions were introduced. Accordingly,
moving to Windows Server 2022 as your server OS standard brings significant security benefits.

8.5. DNS over HTTPS

Starting with Windows Server 2022, the built-in DNS client supports DNS over HTTPS (DoH). This means that your
DNS queries are encrypted and sent over HTTPS, which protects them from being visible to anything between
your network and the authoritative DNS server. For example, your internet service provider (ISP) sits between
your network and the authoritative DNS server and can capture (and even record) all your standard DNS queries.
To avoid this, you can configure the client to support only DoH.

However, there is a downside: If the DNS server you are communicating with doesn’t support DoH, then name
resolution won’t function. Accordingly, as part of your planning, you should check whether your upstream
DNS provider (such as your ISP) supports DNS over HTTPS. In a less demanding security environment, you can
alternatively configure a “best effort” approach whereby your server will prefer DoH but will fall back to standard
and unencrypted DNS queries if necessary.
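The strict versus "best effort" choice above, as an added example that is not the guide's own code: it registers a DoH resolver with the Windows Server 2022 DNS client, points the active interfaces at it, and uses the fallback setting to select either mode. The resolver address and template URL are placeholders to be replaced with your provider's published values.

```powershell
# Added example: configure the DNS client for DoH in strict or best-effort mode.
# Resolver IP and template are placeholders (RFC 5737 / example.net), not real values.
#Requires -RunAsAdministrator

$DohServerIp = '192.0.2.53'                          # placeholder resolver address
$DohTemplate = 'https://doh.example.net/dns-query'   # placeholder DoH template URL

function Set-DohResolver {
    param(
        [Parameter(Mandatory)][string]$ServerIp,
        [Parameter(Mandatory)][string]$Template,
        [ValidateSet('Strict', 'BestEffort')][string]$Mode = 'Strict'
    )
    # Strict: no UDP fallback, so a resolver without DoH means resolution fails
    # rather than plaintext queries leaking. BestEffort: prefer DoH, fall back to port 53.
    $fallback = ($Mode -eq 'BestEffort')

    $existing = Get-DnsClientDohServerAddress -ServerAddress $ServerIp -ErrorAction SilentlyContinue
    if ($existing) {
        Set-DnsClientDohServerAddress -ServerAddress $ServerIp -DnsOverHttpsTemplate $Template `
            -AllowFallbackToUdp $fallback -AutoUpgrade $true
    } else {
        Add-DnsClientDohServerAddress -ServerAddress $ServerIp -DnsOverHttpsTemplate $Template `
            -AllowFallbackToUdp $fallback -AutoUpgrade $true
    }

    # The DoH entry only takes effect on interfaces that actually use that resolver
    foreach ($nic in (Get-NetAdapter | Where-Object Status -eq 'Up')) {
        Set-DnsClientServerAddress -InterfaceIndex $nic.InterfaceIndex -ServerAddresses $ServerIp
    }
    Get-DnsClientDohServerAddress -ServerAddress $ServerIp
}

function Test-DohResolution {
    # Sanity check after the change: in strict mode against a resolver without DoH,
    # this is expected to report Resolved = False (the downside the guide describes).
    param([string]$Name = 'www.example.com')   # documentation domain
    try {
        $answer = Resolve-DnsName -Name $Name -Type A -ErrorAction Stop
        [pscustomobject]@{
            Name      = $Name
            Resolved  = $true
            Addresses = @(($answer | Where-Object Type -eq 'A').IPAddress)
        }
    } catch {
        [pscustomobject]@{ Name = $Name; Resolved = $false; Addresses = @(); Error = $_.Exception.Message }
    }
}

# Strict mode as the guide recommends; use -Mode BestEffort where the upstream resolver may lack DoH.
# Left commented because the placeholder resolver would break name resolution on a live server.
# Set-DohResolver -ServerIp $DohServerIp -Template $DohTemplate -Mode Strict
# Test-DohResolution
```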

8.6. Encrypted Networks

Starting with Windows Server 2019, you can configure subnets for encryption; then, all VMs within the subnet will
have network traffic encrypted while communicating within the subnet. This is specific to the Software Defined
Networking (SDN) for Windows Server, which you must deploy to get this feature. If you have a large Hyper-V
environment, you should consider this.

Alternatively, you can encrypt traffic using IPsec without needing Windows Server 2019.

9. How Netwrix Can Help with Windows Server Hardening
Netwrix Change Tracker simplifies Windows Server hardening and configuration management. It provides detailed
guidance for establishing a hardened baseline configuration, and uses system and file integrity monitoring (FIM)
technology to analyze configuration settings and pinpoint vulnerabilities and errors.

Then it helps you maintain those secure configurations by monitoring and alerting on suspicious changes to:

▪ Filesystem
▪ Registry
▪ Windows Security and Audit policy
▪ Installed software
▪ Local user groups and accounts
▪ Open network ports
▪ Service states and running processes

Any drift from the hardened configuration can be corrected immediately, while any unexpected change can be
promptly investigated to prevent security breaches and downtime. Integration with your overall security system
can be provided, either as a component of a third-party managed security service or using an in-house approach.

Conclusion

Windows Server offers a lot of functionality to help you protect your IT environment. You can use some or all of
them. In particular, it’s smart to take advantage of Group Managed Service Accounts, Windows Defender, LAPS,
privileged access workstations, BitLocker, shielded VMs, Windows Firewall and IPsec because they can improve IT
security dramatically with relatively little effort. Using these Windows Server features can greatly enhance security
during network communications and help you block man-in-the-middle (MITM), replay, hijacking, distributed
denial-of-service (DDoS) and other attacks.

Harden Windows Server Configurations with Netwrix Change Tracker

▪ Quickly establish strong Windows Server configurations with hardened configuration templates.

▪ Promptly spot and correct configuration drift.

▪ Avoid breaches and downtime with targeted alerts on risky changes to server configurations.

▪ Increase confidence in your security posture with comprehensive information on security status.

▪ Pass compliance audits with ease using 250+ CIS certified reports covering NIST, PCI DSS, CMMC, STIG
and NERC CIP.

Download Free 20-Day Trial


About Netwrix
Netwrix makes data security easy. Since 2006, Netwrix solutions have been simplifying the lives of security
professionals by enabling them to identify and protect sensitive data to reduce the risk of a breach, and to detect,
respond to and recover from attacks, limiting their impact. More than 13,000 organizations worldwide rely on
Netwrix solutions to strengthen their security and compliance posture across all three primary attack vectors:
data, identity and infrastructure.

For more information, visit www.netwrix.com

Next Steps

Free trial — Set up Netwrix in your own test environment: netwrix.com/freetrial

In-Browser Demo — Take an interactive product demo in your browser: netwrix.com/browser_demo

Live Demo — Take a product tour with a Netwrix expert: netwrix.com/livedemo

Request Quote — Receive pricing information: netwrix.com/buy

CORPORATE HEADQUARTERS: 6160 Warren Parkway, Suite 100, Frisco, TX, US 75034; 5 New Street Square, London EC4A 3TW

PHONES: 1-949-407-5125; Toll-free (USA): 888-638-9749; +44 (0) 203 588 3023

OTHER LOCATIONS: Spain: +34 911 982608; Netherlands: +31 858 887 804; Sweden: +46 8 525 03487;
Switzerland: +41 43 508 3472; France: +33 9 75 18 11 19; Germany: +49 711 899 89 187;
Hong Kong: +852 5808 1306; Italy: +39 02 947 53539

SOCIAL: netwrix.com/social
