WS-011 Windows

Server 2019
Administration

© Copyright Microsoft Corporation. All rights reserved.

Module 8: Windows Server
security
Module overview

This module describes how securing your servers is the key to securing your entire on-premises

environment
 Lessons:
o Credentials and privileged access protection in Windows Server

o Hardening Windows Server

o JEA in Windows Server

o Securing and analyzing SMB traffic
o Windows Server update management
Lesson 1: Credentials and
privileged access protection
in Windows Server
Lesson 1 overview

This lesson describes how to secure Windows Server. It includes properly configurating user accounts and

ensuring accounts have only the privileges needed to perform necessary tasks
 Topics:
o Configure user rights

o Protected Users group, authentication policies, and authentication-policy silos

o What is Windows Defender Credential Guard?

o Windows Defender Credential Guard requirements
o Configure Windows Defender Credential Guard
o NTLM blocking
o Locate problematic accounts
o Demonstration: Locate problematic accounts
Configure user rights (1 of 3)

 Follow principle of least privilege

 Use separate user accounts for daily tasks and administrative tasks
 Assign user rights to the account in Active Directory or with Group Policy Object (GPO)
Configure user rights (2 of 3)

User rights assignment policy Function

Access Credential Manager as a trusted caller Used by Credential Manager during backup and restore. You should not assign this privilege to user accounts.

Access this computer from the network Determines which users and groups can connect to the computer from the network. This does not affect RDS.

Act as part of the operating system Allows a process to impersonate a user without authentication. You typically would assign the LocalSystem
account to processes that require this privilege.
Add workstations to domain Allows you to join workstations to the domain.

Adjust memory quotas for a process Determines which security principals can adjust the maximum amount of memory assigned to a process.

Allow log on locally Determines which users can sign in locally to a computer. Alter this policy on privileged access workstations to
remove members of the Users group as a way of limiting which accounts can sign into a computer. By default,
any authenticated user can sign in to any workstation or server except for a domain controller, which is limited
to members of certain groups.
Allow log on through Remote Desktop Services Determines which users and groups can sign in remotely by using Microsoft Remote Desktop.

Back up files and directories Gives permission to back up files, directories, registry, and other objects to which the user normally would not
have permission. Assigning this right gives indirect access to all data on a computer. This is because the
person that has the right can back that data up, and then recover it in an environment over which they have
complete control.
Configure user rights (3 of 3)

Configure additional settings to increase privileged account security:

 Logon Hours
 Logon Workstations
 Smart card is required for interactive logon
 Account is sensitive and cannot be delegated
 Account Expires
Do not enable the following settings, as these decrease security:
 Do not require Kerberos preauthentication
 Password Never Expires
 Use only Kerberos Data Encryption Standard (DES) encryption types for this account
Protected Users group, authentication policies, and authentication-policy silos
(1 of 3)
 Provides a method of protecting highly privileged accounts
 Authentication policies specify settings that mitigate exposure to credential theft
 Authentication policy silos allow administrators to define a relationship between the User, Computer, and
managed service accounts
Protected Users group, authentication policies, and authentication-policy silos
(2 of 3)
Workstation protections:
 User credentials are not cached locally
 Credential Security Support Provider protocol (CredSSP) will not cache user credentials
 Windows Digest will not cache user credentials
 NTLM will not cache user credentials
 Kerberos will not create Data Encryption Standard (DES) or RC4 keys, or cache credentials or long-term
keys
 The user can no longer sign in offline
Domain controllers have additional protections
Protected Users group, authentication policies, and authentication-policy silos
(3 of 3)
Authentication policies:
 Configure user’s TGT lifetime
 Restrict which devices the user can sign in to
 Set criteria that the devices need to meet for signing in
Authentication policy silos:
 Adds configuration restrictions to Protected Users group
 Each account belongs to only one Authentication policy silo
 Used to restrict access to servers and other claims-aware resources
What is Windows Defender Credential Guard?

 Windows Defender Credential Guard uses virtualization-based security to isolate secrets such as cached
credentials
 Mitigates Pass-the-Hash or Pass-the-Ticket attacks
 Utilizes hardware security, including secure boot and virtualization
 Isolates credentials within a virtualized container
Windows Defender Credential Guard requirements

Windows Defender Credential Guard requires:

 Windows 10 Enterprise, Windows 10 Education, Windows 10 IoT Enterprise, or Windows Server 2016 or
later
 64-bit CPU
 CPU virtualization extensions plus extended page tables (Intel VT-x or AMD-V)
 Trusted Platform Module (TPM) 1.2 or 2.0
 Unified Extensible Firmware Interface (UEFI) firmware version 2.3.1.c or later
 UEFI secure boot
 UEFI secure firmware update
Supports Hyper-V VMs on:
 Windows Server 2016 or later Microsoft Hyper-V host with IOMMU
 Gen 2 VM with TPM enabled and running supported OS
Configure Windows Defender Credential Guard

Enable Credential Guard:

 Using Group Policy
 Enable virtualization-based security and update the registry
 Use the Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness
tool:
DG_Readiness_Tool.ps1 -Enable -AutoReboot
Disable Credential Guard:
 Disable Group Policy (if enabled without UEFI Lock)
 Update registry (and delete Extensible Firmware Interface (EFI) variables if needed)
 Use the Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness
tool
 Disable Hyper-V
NTLM blocking

Use Group Policy

Prior to blocking the use of NTLM, audit how it is currently being used
Block NTLM by configuring Network security:
 Restrict under NTLM authentication under
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
Locate problematic accounts

Where possible, organizations should avoid accounts with passwords that never expire
Organizations should disable accounts where no sign in has occurred for more than 90 days
Using PowerShell:
 Get-ADUser -Filter {Enabled -eq $true -and PasswordNeverExpires -eq $true}
 Get-ADUser -Filter {LastLogonTimeStamp -lt (Get-Date).Adddays(-(90))-and enabled
-eq $true} -Properties LastLogonTimeStamp
Demonstration:
Locate problematic
accounts
 Use PowerShell to locate problematic
accounts
Lesson 1: Test your knowledge

Refer to the Student Guide for lesson-review questions

Lesson 2: Hardening
Windows Server
Lesson 2 overview

This lesson describes how making the servers and devices secure, or hardened, is another integral part of
securing your Windows Server environment
 Topics:
 What is Local Administrator Password Solution?
 How LAPS works
 Configure and manage passwords using LAPS
o Demonstration: Configure and deploy LAPS
o Limit administrative access to secure hosts
o Secure domain controllers
o Overview of the Security Compliance Toolkit
What is Local Administrator Password Solution? (1 of 2)

Local Administrator Password Solution (LAPS) is a tool that helps secure servers by:
 Ensuring local Administrator passwords are unique on each computer that LAPS manages
 Changing local Administrator passwords regularly to a random value
 Storing local administrator passwords and secrets securely within Active Directory Domain Services
(AD DS)
 Controlling access to passwords and secrets with configurable permissions
 Transmitting LAPS-retrieved passwords to the client in a secure encrypted manner
What is Local Administrator Password Solution? (2 of 2)

LAPS prerequisites:
 LAPS works with any domain-member x86 or x64 Windows client or Windows Server computer
 Requires Windows Server 2003 or later Active Directory Domain functional level
 You must extend the Active Directory schema to use LAPS
 Install LAPS client on managed computers
 Requires Microsoft .NET Framework 4.0 and Windows PowerShell 2.0 or later
How LAPS works

LAPS determines if the password of the local Administrator account has expired
If the password has expired, LAPS performs the following steps:
 Changes the local Administrator password to a new random value
 Transmits the new password and expiration date to AD DS, where it is stored in a special confidential
attribute associated with the computer account of the computer
Configure and manage passwords by using LAPS

Add computer accounts to an organizational unit (OU) and enable the OU to use LAPS by using Windows
PowerShell
Configure password properties using Group Policy:
 Password complexity
 Password length
 Password expiration
View passwords by using Windows PowerShell, Active Directory Users and Computers, or the LAPS UI app
Demonstration:
Configure and
deploy LAPS
 Learn how to configure and deploy LAPS
Limit administrative access to secure hosts (1 of 3)

Do not use a computer that is used for daily tasks such as internet browsing and answering email, for
administrative tasks
Perform administrative tasks only on secure hosts (privileged access workstations):
 Minimize the chance of a compromised workstation being used for administrative tasks
 Limit the possibility of lateral movement through credential harvesting
Limit administrative access to secure hosts (2 of 3)

Privileged access workstations (PAWs) configuration:

 Only authorized users can sign in
 Credential Guard is enabled
 BitLocker Drive Encryption is enabled
 Application execution is restricted by using Device Guard policies
 Access to all external sites is blocked by the perimeter network firewall
 Includes all the tools needed for administrative tasks
 Limits physical access
Limit administrative access to secure hosts (3 of 3)

Jump servers:
 Are also known as bastion hosts
 Are configured similarly to a PAW
 Are only accessed remotely
 Do not guarantee the security of the workstation used to connect from
Secure domain controllers

 Run the most recent version of Windows Server and apply all security updates
 Use the Server Core installation option
 Keep in dedicated, secure racks
 Deploy physical domain controllers on hardware with Trusted Platform Module (TPM), and use BitLocker
 Use read-only domain controllers (RODCs) where security is not assured
 Run virtualized domain controllers as shielded virtual machines (VMs)
 Use AppLocker and Device Guard to control the execution of executables and scripts
 Limit inbound Remote Desktop Protocol (RDP) connections to jump servers and PAWs
 Configure the perimeter firewall to block traffic from domain controllers
Overview of the Security Compliance Toolkit

The SCT helps you:

 Analyze your current security configuration against security configuration baselines
 Compare GPO settings to settings that Microsoft recommends
The SCT consists of:
 Security baselines
 Policy Analyzer tool
 Local Group Policy Object tool
Security baselines align closely to Center for Internet Security Level 1 benchmark
Lesson 2: Test your knowledge

Refer to the Student Guide for lesson-review questions

Lesson 3: JEA in Windows
Server
Lesson 3 overview

This lesson describes JEA. It allows you to apply RBAC and the least privilege principle to Windows
PowerShell remote sessions
 Topics:
o What is JEA?

o JEA limitations

o Role capability files

o Session configuration files
o JEA endpoints
o Connect to a JEA endpoint
o Demonstration: Connect to a JEA endpoint
What is JEA?

JEA:
 Provides RBAC to Windows PowerShell remoting
 Specially configured endpoints limit access so that a user can only use a defined set of Windows
PowerShell cmdlets, parameters, and parameter values
 Performs actions by using a special local virtual account
 Supported natively on Windows Server 2016 and later and Windows 10 version 1511 and later
JEA limitations

Not suitable for tasks where the problem and solution are not clearly defined:
 Setup requires understanding precisely which cmdlets, parameters, aliases, and values are needed in
order to perform specific tasks
JEA only works with Windows PowerShell sessions, and does not work with management consoles or other
remote administration tools
Role capability files

 Role capability files allow you to specify what administrators can do in a Windows PowerShell session
 Anything that is not explicitly allowed in a role capability file or a session configuration file is not allowed
 You can create a new blank role capability file by using the New-PSRoleCapabilityFile cmdlet
 Role capability files use the .psrc extension
Session configuration files

 Session configuration files determine which actions can be performed in a JEA session and which security
principals perform those actions
 Create new session configuration files by using the New-PSSessionConfigurationFile cmdlet
 Use the .pssc file extension
JEA endpoints

 Connect to JEA endpoints to perform administrative tasks

 Configuration is determined by a session configuration file that links security groups
and role capability files  
 A server can have multiple JEA endpoints
 Create JEA endpoints by using the Register-PSSessionConfiguration cmdlet:
Register-PSSessionConfiguration -Name DNSOps -Path DNSOps.pssc
Connect to a JEA endpoint

Interactive connection:
Enter-PSSession -ComputerName <computername>
-ConfigurationName <endpoint name>
Implicit remoting:
$DNSOpssession = New-PSSession -ComputerName 'MyServer' -ConfigurationName
'DNSOps’
Import-PSSession -Session $DNSOpssession -Prefix 'DNSOps’
Get-DNSOpsCommand
Programmatic:
 Same as for other PowerShell endpoints
Demonstration:
Connect to a JEA
endpoint
 Review a connection made to a JEA endpoint
 Verify that the session is limited to specific
commands
Lesson 3: Test your knowledge

Refer to the Student Guide for lesson-review questions

Lesson 4: Securing and
analyzing SMB traffic
Lesson 4 overview

This lesson describes SMB protocol. It is a network protocol primarily used for file sharing. Whenever
sensitive data is moved by using the SMB protocol, encryption is important.

 Topics:
 What is SMB 3.1.1 protocol security?
 SMB 3.1.1 encryption requirements
 Configure SMB encryption on SMB shares
 Disable SMB 1.0
o Demonstration: Disable SMB 1.0, and configure SMB encryption on shares
What is SMB 3.1.1 protocol security?

SMB 3.0 provides for encryption of Server Message Block (SMB) traffic
SMB 3.1.1 adds:
 Preauthentication integrity
 Preauthentication that digitally hashes and signs the negotiate and session setup messages. Tampering
with messages results in a failed connection
 Additional security improvements such as AES-GCM-128 encryption
SMB 3.1.1.c adds:
 Even more security improvements, including support for write-through to disk
SMB 3.1.1 encryption requirements

Both host and client must support SMB 3.1.1

Preauthentication is not compatible with some older network equipment
Communication with an older OS will use an earlier version of SMB:
 SMB 3.02: Windows 8.1 and Windows Server 2012 R2
 SMB 3.0: Windows 8 and Windows Server 2012
Configure SMB encryption on SMB shares

Use Windows PowerShell to enable encrypted SMB:

 For an existing file share:
Set-SmbShare –Name <sharename> -EncryptData $true
 To encrypt all sharing on a file server:
Set-SmbServerConfiguration –EncryptData $true
 To create a new SMB file share and enable SMB encryption simultaneously:
New-SmbShare –Name <sharename> -Path <pathname> –EncryptData $true
Disable SMB 1.0

You can disable SMB 1.0 support by using Windows PowerShell:

 To disable SMB 1.0:
Set-SmbServerConfiguration –EnableSMB1Protocol $false
 To uninstall SMB 1.0:
Remove-WindowsFeature FS-SMB1
Demonstration:
Disable SMB 1.0,
and configure SMB
encryption on
shares
 Disable SMB 1.x on Windows Server
 Configure a share for SMB encryption
Lesson 4: Test your knowledge

Refer to the Student Guide for lesson-review questions

Lesson 5: Windows Server
update management
Lesson 5 overview

This lesson describes WSUS. It provides infrastructure to download, test, and approve updates

which help block attacks
 Topics:
o Overview of Windows Update
o What is WSUS?
o WSUS server deployment options
o The WSUS update management process
o Azure Update Management
Overview of Windows Update

 Windows Update is a Microsoft service that provides updates for Microsoft software
 Orchestrator on devices scans for and downloads updates
 Clients and servers can be configured to get updates from the Windows Update Services server
What is WSUS? (1 of 2)

WSUS provides an infrastructure for managing updates for Windows devices

WSUS allows you to:
 Choose the updates you want to download
 Test updates before broad deployment
 Choose which devices get updates and when they receive them
 Track status of updates
What is WSUS? (2 of 2)

Prerequisites:
 1.4 gigahertz (GHz) or faster x64 processor
 2 gigabytes (GB) of random-access memory (RAM) or greater (above that needed for other roles)
 10 GB or greater
 100 megabits per second (Mbps) or greater network adapter
 .NET Framework 4.0
 Access to Temp folders
 Local Administrator group member
 Microsoft Report Viewer Runtime 2012
 Windows Internal Database or Microsoft SQL Server
WSUS server deployment options

WSUS implementation:
 Single server
 Multiple servers
 Disconnected servers
WSUS hierarchies:
 Autonomous mode
 Replica mode
WSUS database:
 Windows Internal Database
 SQL Server database
The WSUS update management process

Four phases:
1. Assess
o Choose topology

o Choose type of updates to deploy

2. Identify
o Choose specific updates
3. Evaluate and plan
o Test updates before broad deployment

4. Deploy
o Deploy the updates

o Track status
Azure Update Management

 Part of Azure Automation

 Free cloud-based service
 Can manage updates on Azure and non-Azure servers, including those on premises
 Requires download of Log Analytics agent
Lesson 5: Test your knowledge

Refer to the Student Guide for lesson-review questions

Instructor-led lab:
Configuring
security in Windows
Server
 Configuring Windows Defender Credential
Guard
 Locating problematic accounts
 Implementing LAPS
Lab: Monitoring and troubleshooting Windows Server

 Exercise 1: Configuring Windows Defender Credential Guard

 Exercise 2: Locating problematic accounts
 Exercise 3: Implementing LAPS
Sign-in information for the exercises:
 Virtual machines:
o WS-011T00A-SEA-DC1

o WS-011T00A-SEA-ADM1
o WS-011T00A-SEA-SVR1

 User name: Contoso\Administrator

 Password: Pa55w.rd
Lab Scenario

Contoso Pharmaceuticals is a medical research company with about 5,000 employees worldwide. It has
specific needs for ensuring that their medical data and records remain private. The company has a
headquarters location and multiple worldwide sites. Contoso has recently deployed a Windows Server and
Windows client infrastructure.

You have been asked to implement improvements in the server security configuration.
Lab-review questions

1. How do you manage local administrator account passwords in your organization?

2. What is the name of the tool that you can use to enable Credential Guard?
3. When a computer is configured to use LAPS, Which Windows PowerShell cmdlet do you use to retrieve
the local Administrator password from AD DS?
Lab-review answers

1. How do you manage local administrator account passwords in your organization?

 Answers will vary. Some students will indicate that their organizations have no technology in 
place. Other students will have a solution, including some who use LAPS.
2. What is the name of the tool that you can use to enable Credential Guard?
 The tool that you can use to enable Credential Guard is called the Hypervisor-
Protected Code Integrity and Windows Defender Credential Guard hardware readiness 
tool.
3. Which Windows PowerShell cmdlet do you use to retrieve the local Administrator password from
AD DS when a computer is configured to use LAPS?
 You use the Get-AdmPwdPasswordcmdlet to retrieve the local Administrator password 
from AD DS when a computer is configured to use LAPS.
Module-review questions (slide 1 of 2)

1. What should an organization do before it institutes NTLM blocking?

a. Audit NTLM usage
b. Configure the Restrict NTLM: NTLM Authentication Group Policy
c. Enable Kerberos authentication
2. Which Windows PowerShell cmdlet do you use to configure a specific OU so that computers within that
OU can use LAPS?
a. Disable-ADAccount
b. Update-AdmPwdADSchema
c. Get-AdmPwdPassword
d. Set-AdmPwdComputerSelfPermission
Module-review questions (slide 2 of 2)

3. Which SMB version is negotiated by Windows Server 2019 when communicating with Windows Server
2012 R2?
a. SMB 1.0
b. SMB 2.0
c. SMB 3.02
d. SMB 3.1.1
Module-review answers

1. What should an organization do before it institutes NTLM blocking?

a. Audit NTLM usage

2. Which Windows PowerShell cmdlet do you use to configure a specific OU so that computers within that
OU can use LAPS?
d. Set-AdmPwdComputerSelfPermission

3.Which SMB version is negotiated by Windows Server 2019 when communicating with Windows Server
2012 R2?
c. SMB 3.02 
References

For more information, refer to the following links:

 Implementing Least-Privilege Administrative Models
 Security considerations
 Securing Domain Controllers Against Attack
 Protected Users Security Group
 System Guard Secure Launch and SMM protection
 Overview of file sharing using the SMB 3 protocol in Windows Server
 Center for Internet Security (CIS) Benchmarks
Thank you.

© Copyright Microsoft Corporation. All rights reserved.