WS-011 Windows Server 2019 Administration


WS-011 Windows Server 2019 Administration

© Copyright Microsoft Corporation. All rights reserved.


Module 8: Windows Server security
Module Overview

This module describes how securing your servers is the key to securing your entire on-premises environment.
 Lessons:
o Lesson 1: Credentials and privileged access protection in Windows Server

o Lesson 2: Hardening Windows Server

o Lesson 3: JEA in Windows Server

o Lesson 4: Securing and analyzing SMB traffic

o Lesson 5: Windows Server update management


Lesson 1: Credentials and privileged access protection in Windows Server
Lesson 1 overview

This lesson describes how to secure Windows Server by properly configuring user accounts and ensuring that accounts have only the privileges needed to perform necessary tasks.
 Topics:
o Configure user rights

o Protected users and groups, authentication policies, and authentication-policy silos

o What is Windows Defender Credential Guard?

o Windows Defender Credential Guard requirements

o Configure Windows Defender Credential Guard

o NTLM blocking

o Locate problematic accounts

o Demonstration: Locate problematic accounts


Configure user rights (1 of 3)

 Follow the principle of least privilege
 Use separate user accounts for daily tasks and administrative tasks
 Assign user rights through the User Rights Assignment settings of a Group Policy Object (GPO), targeting the accounts or groups in Active Directory that need them
Configure user rights (2 of 3)

User rights assignment policy: function

Access Credential Manager as a trusted caller: Used by Credential Manager during backup and restore. You should not assign this privilege to user accounts.
Access this computer from the network: Determines which users and groups can connect to the computer from the network. This does not affect Remote Desktop Services (RDS).
Act as part of the operating system: Allows a process to impersonate a user without authentication. You typically would assign the LocalSystem account to processes that require this privilege.
Add workstations to domain: Allows you to join workstations to the domain.
Adjust memory quotas for a process: Determines which security principals can adjust the maximum amount of memory assigned to a process.
Allow log on locally: Determines which users can sign in locally to a computer. Alter this policy on privileged access workstations to remove members of the Users group as a way of limiting which accounts can sign in to a computer. By default, any authenticated user can sign in to any workstation or server except for a domain controller, which is limited to members of certain groups.
Allow log on through Remote Desktop Services: Determines which users and groups can sign in remotely by using Microsoft Remote Desktop.
Back up files and directories: Gives permission to back up files, directories, the registry, and other objects to which the user normally would not have permission. Assigning this right gives indirect access to all data on a computer, because the person who has the right can back that data up and then recover it in an environment over which they have complete control.
Configure user rights (3 of 3)

Configure additional settings to increase privileged account security:


 Logon Hours
 Logon Workstations
 Smart card is required for interactive logon
 Account is sensitive and cannot be delegated
 Account Expires

Do not enable the following settings, as these decrease security:


 Do not require Kerberos preauthentication
 Password Never Expires
 Use only Kerberos Data Encryption Standard (DES) encryption types for this account
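The settings on this slide are exposed through Set-ADUser and Set-ADAccountControl. The following is an added example, not code from the course, that applies all of them to one privileged account and then reads them back; the ActiveDirectory module is assumed, and the account 'adm-jdoe' and the workstations 'SEA-PAW1' and 'SEA-PAW2' are hypothetical names. The logonHours attribute has no cmdlet parameter, so it is built by hand: 21 bytes, one bit per hour of the week starting Sunday 00:00, low bit first within each byte, interpreted in UTC (so adjust for your time zone).

```powershell
# Added example (not from the course deck): harden one privileged account with
# the settings listed above and verify the result.
# Assumptions: ActiveDirectory module; 'adm-jdoe', 'SEA-PAW1' and 'SEA-PAW2'
# are hypothetical names.
Import-Module ActiveDirectory

$Account = 'adm-jdoe'

# logonHours: 21 bytes = 168 hour bits, starting Sunday 00:00 UTC; bit 0 of a
# byte is the first hour of that 8-hour block. Default: 08:00-17:59 Mon-Fri.
function New-LogonHours {
    param([int]$StartHour = 8, [int]$EndHour = 18, [int[]]$Days = (1..5))   # 0 = Sunday
    $bytes = New-Object byte[] 21
    foreach ($day in $Days) {
        for ($h = $StartHour; $h -lt $EndHour; $h++) {
            $bit = $day * 24 + $h
            $idx = [int][math]::Floor($bit / 8)
            $bytes[$idx] = [byte]($bytes[$idx] -bor (1 -shl ($bit % 8)))
        }
    }
    return ,$bytes    # keep the byte[] intact instead of unrolling it
}

# Settings that increase security: where, when and how the account can be used
Set-ADUser -Identity $Account `
    -LogonWorkstations 'SEA-PAW1,SEA-PAW2' `
    -SmartcardLogonRequired $true `
    -AccountExpirationDate (Get-Date).AddDays(90) `
    -Replace @{ logonHours = (New-LogonHours) }

# userAccountControl flags: set the protective one, clear the three weak ones
Set-ADAccountControl -Identity $Account `
    -AccountNotDelegated $true `
    -PasswordNeverExpires $false `
    -DoesNotRequirePreAuth $false `
    -UseDESKeyOnly $false

# Verify
Get-ADUser -Identity $Account -Properties LogonWorkstations, SmartcardLogonRequired,
    AccountNotDelegated, AccountExpirationDate, PasswordNeverExpires,
    DoesNotRequirePreAuth, UseDESKeyOnly, logonHours |
    Select-Object SamAccountName, LogonWorkstations, SmartcardLogonRequired,
        AccountNotDelegated, AccountExpirationDate, PasswordNeverExpires,
        DoesNotRequirePreAuth, UseDESKeyOnly,
        @{ n = 'LogonHoursHex'; e = { ($_.logonHours | ForEach-Object { $_.ToString('x2') }) -join '' } }
```

Set-ADUser has no parameters for the pre-authentication and DES flags, which is why the second call uses Set-ADAccountControl; both cmdlets write the same userAccountControl attribute.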
Protected users, authentication policies, and authentication-policy silos (1 of 3)
 The Protected Users group provides a method of protecting highly privileged accounts
 Authentication policies specify settings that mitigate exposure to credential theft
 Authentication policy silos allow administrators to define a relationship between user, computer, and managed service accounts
Protected users, authentication policies, and authentication-policy silos (2 of 3)
Workstation protections for members of the Protected Users group:
 User credentials are not cached locally
 Credential Security Support Provider protocol (CredSSP) will not cache user credentials
 Windows Digest will not cache user credentials
 NTLM will not cache user credentials
 Kerberos will not create Data Encryption Standard (DES) or RC4 keys, or cache credentials or long-term keys
 The user can no longer sign in offline

Domain controllers add further protections: NTLM, Digest, and CredSSP authentication fail for these accounts, Kerberos cannot use DES or RC4, the accounts cannot be delegated, and the ticket-granting ticket (TGT) lifetime is limited to four hours


Protected users, authentication policies, and authentication-policy silos (3 of 3)
Authentication policies:
 Configure the user's TGT lifetime
 Restrict which devices the user can sign in to
 Set criteria that the devices need to meet for signing in

Authentication policy silos:
 Add configuration restrictions on top of Protected Users group membership
 Each account belongs to only one authentication policy silo
 Used to restrict access to servers and other claims-aware resources
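The three mechanisms on these slides are usually deployed together. The block below is an added example, not part of the course material, that puts an admin account in Protected Users, creates a user policy (four-hour TGT, sign-in only from silo members) and a device policy, ties them together in a silo, and assigns the account and a PAW to it. The ActiveDirectory module is assumed; 'adm-jdoe', 'SEA-PAW1' and the policy and silo names are hypothetical. Authentication policies need a Windows Server 2012 R2 or later domain functional level and the "KDC support for claims, compound authentication and Kerberos armoring" policy enabled on the domain controllers; leave out -Enforce on the first run to audit instead of block.

```powershell
# Added example (not from the course deck): Protected Users + authentication
# policy + silo for one admin account and one PAW.
# Assumptions: ActiveDirectory module; 'adm-jdoe', 'SEA-PAW1', policy and silo
# names are hypothetical.
Import-Module ActiveDirectory

$AdminUser = 'adm-jdoe'
$Paw       = Get-ADComputer -Identity 'SEA-PAW1'
$SiloName  = 'PAW-Silo'

# 1. Protected Users membership (no NTLM, Digest, CredSSP, DES/RC4, no delegation)
Add-ADGroupMember -Identity 'Protected Users' -Members $AdminUser

# 2. Authentication policies. The user policy shortens the TGT to four hours and
#    allows authentication only from devices that belong to the silo; the
#    condition is an SDDL string carrying a claims expression.
$fromSilo = "O:SYG:SYD:(XA;OICI;CR;;;WD;(@USER.ad://ext/AuthenticationSilo == `"$SiloName`"))"
New-ADAuthenticationPolicy -Name 'PAW-UserPolicy' -UserTGTLifetimeMins 240 `
    -UserAllowedToAuthenticateFrom $fromSilo -Enforce
New-ADAuthenticationPolicy -Name 'PAW-DevicePolicy' -ComputerTGTLifetimeMins 240 -Enforce

# 3. The silo links the user, computer and service policies
New-ADAuthenticationPolicySilo -Name $SiloName `
    -UserAuthenticationPolicy 'PAW-UserPolicy' `
    -ComputerAuthenticationPolicy 'PAW-DevicePolicy' `
    -ServiceAuthenticationPolicy 'PAW-DevicePolicy' `
    -Enforce

# 4. Each member must be granted access to the silo and then assigned to it;
#    an account can belong to only one silo
foreach ($acct in @((Get-ADUser -Identity $AdminUser), $Paw)) {
    Grant-ADAuthenticationPolicySiloAccess -Identity $SiloName -Account $acct
    Set-ADAccountAuthenticationPolicySilo -Identity $acct -AuthenticationPolicySilo $SiloName
}

# Verify from the account's point of view
Get-ADUser -Identity $AdminUser -Properties AuthenticationPolicySilo, MemberOf |
    Select-Object SamAccountName, AuthenticationPolicySilo,
        @{ n = 'ProtectedUser'; e = { [bool]($_.MemberOf -match '^CN=Protected Users,') } }
```

After the change, a sign-in attempt with 'adm-jdoe' from a device outside the silo fails at the KDC, which is the behaviour the "restrict which devices the user can sign in to" bullet describes.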
What is Windows Defender Credential Guard?

 Windows Defender Credential Guard uses virtualization-based security to isolate secrets such as cached credentials
 Mitigates Pass-the-Hash and Pass-the-Ticket attacks
 Utilizes hardware security, including secure boot and virtualization
 Isolates credentials in an isolated LSA process (LsaIso.exe) that the normal operating system, even with kernel privileges, cannot read
Windows Defender Credential Guard requirements

Windows Defender Credential Guard requires:


 Windows 10 Enterprise, Windows 10 Education, Windows 10 IoT Enterprise, or Windows
Server 2016 or later
 64-bit CPU
 CPU virtualization extensions plus extended page tables (Intel VT-x or AMD-V)
 Trusted Platform Module (TPM) 1.2 or 2.0
 Unified Extensible Firmware Interface (UEFI) firmware version 2.3.1.c or later
 UEFI secure boot
 UEFI secure firmware update

Supports Hyper-V VMs on:


 Windows Server 2016 or later Microsoft Hyper-V host with IOMMU
 Gen 2 VM with TPM enabled and running supported OS
Configure Windows Defender Credential Guard

Enable Credential Guard:


 Using Group Policy
 Enable virtualization-based security and update the registry
 Use the Windows Defender Device Guard and Windows Defender Credential Guard
hardware readiness tool:
DG_Readiness_Tool.ps1 -Enable -AutoReboot
Disable Credential Guard:
 Disable Group Policy (if enabled without UEFI Lock)
 Update registry (and delete Extensible Firmware Interface (EFI) variables if needed)
 Use the Windows Defender Device Guard and Windows Defender Credential Guard
hardware readiness tool
 Disable Hyper-V
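The Group Policy route on this slide writes a handful of registry values, and the readiness tool writes the same ones. The block below is an added example, not the course's or Microsoft's code, that sets those values directly and then reports what Win32_DeviceGuard says is configured and actually running after the reboot. Run it elevated on the target server; the hypervisor and UEFI prerequisites from the previous slide still apply. Note the UEFI lock choice: with LsaCfgFlags set to 1, Credential Guard cannot later be turned off by policy alone, which is the case the "delete EFI variables" bullet refers to.

```powershell
# Added example (not from the course deck): enable Credential Guard through the
# registry values behind 'Turn On Virtualization Based Security', then verify.
$DeviceGuardKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
$LsaKey         = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Enable-CredentialGuard {
    param(
        # 1 = enabled with UEFI lock (survives policy removal), 2 = enabled without lock
        [ValidateSet(1, 2)] [int]$LsaCfgFlags = 1,
        # 1 = require Secure Boot, 3 = require Secure Boot and DMA protection
        [ValidateSet(1, 3)] [int]$PlatformSecurityFeatures = 1
    )
    if (-not (Test-Path $DeviceGuardKey)) { New-Item -Path $DeviceGuardKey -Force | Out-Null }
    Set-ItemProperty -Path $DeviceGuardKey -Name EnableVirtualizationBasedSecurity -Value 1 -Type DWord
    Set-ItemProperty -Path $DeviceGuardKey -Name RequirePlatformSecurityFeatures -Value $PlatformSecurityFeatures -Type DWord
    Set-ItemProperty -Path $LsaKey -Name LsaCfgFlags -Value $LsaCfgFlags -Type DWord
}

function Get-CredentialGuardStatus {
    # Win32_DeviceGuard distinguishes configured from running;
    # service id 1 = Credential Guard, 2 = hypervisor-enforced code integrity (HVCI)
    $dg = Get-CimInstance -ClassName Win32_DeviceGuard -Namespace 'root\Microsoft\Windows\DeviceGuard'
    [pscustomobject]@{
        VbsStatus                 = @('Off', 'Configured', 'Running')[$dg.VirtualizationBasedSecurityStatus]
        CredentialGuardConfigured = [bool]($dg.SecurityServicesConfigured -contains 1)
        CredentialGuardRunning    = [bool]($dg.SecurityServicesRunning -contains 1)
        HvciRunning               = [bool]($dg.SecurityServicesRunning -contains 2)
        IsolatedLsaProcess        = [bool](Get-Process -Name LsaIso -ErrorAction SilentlyContinue)
        UefiLock                  = ((Get-ItemProperty -Path $LsaKey -Name LsaCfgFlags -ErrorAction SilentlyContinue).LsaCfgFlags -eq 1)
    }
}

Enable-CredentialGuard -LsaCfgFlags 1
# Restart-Computer   # required: CredentialGuardRunning stays $false until the next boot
Get-CredentialGuardStatus
```

A healthy result shows VbsStatus 'Running', CredentialGuardRunning and IsolatedLsaProcess both true. If VbsStatus is 'Configured' after the reboot, the platform requirements on the previous slide (UEFI, Secure Boot, virtualization extensions) are the first thing to check.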
NTLM blocking

Use Group Policy

Prior to blocking the use of NTLM, audit how it is currently being used (the Network security: Restrict NTLM: Audit settings together with the Microsoft-Windows-NTLM/Operational event log)
Block NTLM by configuring the Network security: Restrict NTLM: Incoming NTLM traffic, Outgoing NTLM traffic to remote servers, and NTLM authentication in this domain settings under
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
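The audit-then-block sequence on this slide, as an added example that is not part of the course material. The registry values are the ones the Restrict NTLM policies write on a member server (MSV1_0 key); the event IDs come from the Microsoft-Windows-NTLM/Operational log. The server name 'LEGACY-NAS' is a hypothetical exception. Run elevated; on a domain controller the domain-wide settings live under Netlogon\Parameters instead and are not covered here.

```powershell
# Added example (not from the course deck): audit NTLM usage, summarize the
# events, and only then switch to blocking. Registry values mirror the
# 'Network security: Restrict NTLM' Group Policy settings on a member server.
$Msv1 = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'

function Set-NtlmAuditMode {
    # Incoming: 2 = audit all; Outgoing: 1 = audit all
    Set-ItemProperty -Path $Msv1 -Name AuditReceivingNTLMTraffic -Value 2 -Type DWord
    Set-ItemProperty -Path $Msv1 -Name RestrictSendingNTLMTraffic -Value 1 -Type DWord
}

function Get-NtlmUsageSummary {
    param([int]$Days = 14)
    # 8001 outgoing (client side), 8002 incoming (server side), 8003/8004 domain (DC side)
    $filter = @{ LogName = 'Microsoft-Windows-NTLM/Operational'; Id = 8001, 8002, 8003, 8004
                 StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $row = [ordered]@{ Time = $_.TimeCreated; Id = $_.Id }
        # EventData field names differ per event id, so copy whatever is present
        foreach ($d in ([xml]($_.ToXml())).Event.EventData.Data) {
            if ($d.Name) { $row[$d.Name] = $d.'#text' }
        }
        [pscustomobject]$row
    }
}

function Set-NtlmBlockMode {
    param([string[]]$AllowedServers = @())   # remote servers that still legitimately need NTLM
    Set-ItemProperty -Path $Msv1 -Name RestrictReceivingNTLMTraffic -Value 2 -Type DWord   # deny all incoming
    Set-ItemProperty -Path $Msv1 -Name RestrictSendingNTLMTraffic   -Value 2 -Type DWord   # deny all outgoing
    if ($AllowedServers.Count -gt 0) {
        # 'Add remote server exceptions for NTLM authentication'
        Set-ItemProperty -Path $Msv1 -Name ClientAllowedNTLMServers -Value $AllowedServers -Type MultiString
    }
}

Set-NtlmAuditMode
# ... wait for a representative period (month-end jobs included), then:
Get-NtlmUsageSummary -Days 14 | Group-Object Id | Select-Object Name, Count
Get-NtlmUsageSummary -Days 14 | Format-Table -AutoSize
# Set-NtlmBlockMode -AllowedServers 'LEGACY-NAS'   # only once every remaining hit is explained
```

Group the summary by the process and target fields the events carry (the names vary by event ID, which is why the function copies every field) to find the applications and hosts that still negotiate NTLM; each one is either fixed (Kerberos, SPN, FQDN instead of IP address) or listed as an exception before blocking is enabled.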
Locate problematic accounts

Where possible, organizations should avoid accounts with passwords that never expire
Organizations should disable accounts where no sign in has occurred for more than 90 days
Using PowerShell:
 Get-ADUser -Filter {Enabled -eq $true -and PasswordNeverExpires -eq $true}
 $Threshold = (Get-Date).AddDays(-90)
Get-ADUser -Filter {LastLogonTimeStamp -lt $Threshold -and Enabled -eq $true} -Properties LastLogonTimeStamp
(the -Filter parser resolves variables but does not evaluate method calls such as (Get-Date).AddDays(), so compute the date first)
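The 90-day query on this slide needs two refinements before its output is acted on, and the block below is an added example, not course code, that includes them: lastLogonTimestamp is replicated to every domain controller but is only refreshed when the stored value is older than msDS-LogonTimeSyncInterval (14 days by default), so a value up to 14 days behind the true last sign-in is normal; and accounts that were created recently or have never signed in have no value at all and must be handled explicitly. The ActiveDirectory module is assumed; the disable step runs with -WhatIf.

```powershell
# Added example (not from the course deck): find enabled accounts with no sign-in
# for 90 days, including never-used accounts, while skipping accounts too new to
# have a logon, then disable them as a dry run.
Import-Module ActiveDirectory

function Get-StaleEnabledUser {
    param([int]$InactiveDays = 90)
    $threshold = (Get-Date).AddDays(-$InactiveDays)
    # lastLogonTimestamp may lag the real last logon by up to 14 days (replication
    # sync interval), so 90 days here means "at least 76 days, probably more".
    $filter = 'Enabled -eq $true -and whenCreated -lt $threshold -and ' +
              '(LastLogonTimeStamp -lt $threshold -or -not (LastLogonTimeStamp -like "*"))'
    Get-ADUser -Filter $filter -Properties LastLogonTimeStamp, whenCreated, PasswordNeverExpires |
        ForEach-Object {
            [pscustomobject]@{
                SamAccountName       = $_.SamAccountName
                Created              = $_.whenCreated
                LastLogonTimestamp   = if ($_.LastLogonTimeStamp) { [DateTime]::FromFileTime($_.LastLogonTimeStamp) } else { $null }
                PasswordNeverExpires = $_.PasswordNeverExpires
                DistinguishedName    = $_.DistinguishedName
            }
        }
}

$stale = Get-StaleEnabledUser -InactiveDays 90
$stale | Sort-Object LastLogonTimestamp |
    Format-Table SamAccountName, Created, LastLogonTimestamp, PasswordNeverExpires -AutoSize

# Dry run; remove -WhatIf to disable. Keep $stale as the audit record of what changed.
$stale | ForEach-Object { Disable-ADAccount -Identity $_.DistinguishedName -WhatIf }
```

The -Filter string is single-quoted on purpose: the AD filter parser substitutes $threshold itself and converts the DateTime to the attribute's FILETIME form, whereas a method call inside the filter would not be evaluated.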
Demonstration: Locate problematic accounts
 Use PowerShell to locate problematic accounts
Lesson 1: Test your knowledge

Refer to the Student Guide for lesson-review questions


Lesson 2: Hardening Windows Server
Lesson 2 overview

This lesson describes how making the servers and devices secure, or hardened, is another integral part of securing your Windows Server environment
 Topics:
o What is Local Administrator Password Solution?
o How LAPS works
o Configure and manage passwords using LAPS
o Demonstration: Configure and deploy LAPS
o Limit administrative access to secure hosts
o Secure domain controllers
o Overview of the Security Compliance Toolkit


What is Local Administrator Password Solution? (1 of 2)

Local Administrator Password Solution (LAPS) is a tool that helps secure servers by:
 Ensuring local Administrator passwords are unique on each computer that LAPS
manages
 Changing local Administrator passwords regularly to a random value
 Storing local administrator passwords and secrets securely within Active Directory
Domain Services (AD DS)
 Controlling access to passwords and secrets with configurable permissions
 Transmitting LAPS-retrieved passwords to the client in a secure encrypted manner
What is Local Administrator Password Solution? (2 of 2)

LAPS prerequisites:
 LAPS works with any domain-member x86 or x64 Windows client or Windows Server
computer
 Requires Windows Server 2003 or later Active Directory Domain functional level
 You must extend the Active Directory schema to use LAPS
 Install LAPS client on managed computers
 Requires Microsoft .NET Framework 4.0 and Windows PowerShell 2.0 or later
How LAPS works

LAPS determines if the password of the local Administrator account has expired
If the password has expired, LAPS performs the following steps:
 Changes the local Administrator password to a new random value
 Transmits the new password and expiration date to AD DS, where it is stored in a special
confidential attribute associated with the computer account of the computer
Configure and manage passwords by using LAPS

Add computer accounts to an organizational unit (OU) and enable the OU to use LAPS by
using Windows PowerShell
Configure password properties using Group Policy:
 Password complexity
 Password length
 Password expiration

View passwords by using Windows PowerShell, Active Directory Users and Computers, or the
LAPS UI app
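The schema extension, OU delegation, client policy and password retrieval described on the last three slides, as an added example that is not part of the course material. It assumes the AdmPwd.PS module that ships with the LAPS management tools; the OU 'OU=Servers,DC=contoso,DC=com', the group 'CONTOSO\ServerAdmins' and the computer 'SEA-SVR1' are hypothetical. The policy values in step 5 are what the LAPS Group Policy template writes; in production they are delivered by a GPO linked to the OU, not set locally as here.

```powershell
# Added example (not from the course deck): prepare AD DS for LAPS, delegate
# rights on an OU, set the client policy, and retrieve/rotate a password.
# Assumptions: AdmPwd.PS module; OU, group and computer names are hypothetical.
Import-Module AdmPwd.PS

$Ou        = 'OU=Servers,DC=contoso,DC=com'
$ReadGroup = 'CONTOSO\ServerAdmins'

# 1. Once per forest (Schema Admins): adds ms-Mcs-AdmPwd (confidential) and
#    ms-Mcs-AdmPwdExpirationTime to the computer class
Update-AdmPwdADSchema

# 2. Let computers in the OU write their own password and expiration time
Set-AdmPwdComputerSelfPermission -OrgUnit $Ou

# 3. Delegate read and expiration-reset rights to the admin group only
Set-AdmPwdReadPasswordPermission  -OrgUnit $Ou -AllowedPrincipals $ReadGroup
Set-AdmPwdResetPasswordPermission -OrgUnit $Ou -AllowedPrincipals $ReadGroup

# 4. Anyone holding 'All extended rights' on the OU can read the confidential
#    attribute as well; review and remove what is not intended
Find-AdmPwdExtendedRights -Identity $Ou | Select-Object ObjectDN, ExtendedRightHolders

# 5. Client policy, as the registry values the LAPS GPO template writes
$Pol = 'HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd'
New-Item -Path $Pol -Force | Out-Null
Set-ItemProperty -Path $Pol -Name AdmPwdEnabled                  -Value 1  -Type DWord
Set-ItemProperty -Path $Pol -Name PasswordComplexity             -Value 4  -Type DWord   # upper, lower, digits, specials
Set-ItemProperty -Path $Pol -Name PasswordLength                 -Value 20 -Type DWord
Set-ItemProperty -Path $Pol -Name PasswordAgeDays                -Value 30 -Type DWord
Set-ItemProperty -Path $Pol -Name PwdExpirationProtectionEnabled -Value 1  -Type DWord   # ignore expiration dates longer than the policy allows

# 6. Use: read the current password, then force rotation when the task is done
Get-AdmPwdPassword -ComputerName 'SEA-SVR1' | Select-Object ComputerName, Password, ExpirationTimestamp
Reset-AdmPwdPassword -ComputerName 'SEA-SVR1' -WhenEffective (Get-Date)
```

Reset-AdmPwdPassword only sets the expiration time in AD DS; the client changes the password at its next Group Policy refresh, so the old value stays valid until then.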
Demonstration: Configure and deploy LAPS
 Learn how to configure and deploy LAPS
Limit administrative access to secure hosts (1 of 3)

Do not use a computer that is used for daily tasks, such as internet browsing and answering email, for administrative tasks
Perform administrative tasks only on secure hosts (privileged access workstations):
 Minimize the chance of a compromised workstation being used for administrative tasks
 Limit the possibility of lateral movement through credential harvesting
Limit administrative access to secure hosts (2 of 3)

Privileged access workstations (PAWs) configuration:


 Only authorized users can sign in
 Credential Guard is enabled
 BitLocker Drive Encryption is enabled
 Application execution is restricted by using Device Guard policies
 Access to all external sites is blocked by the perimeter network firewall
 Includes all the tools needed for administrative tasks
 Limits physical access
Limit administrative access to secure hosts (3 of 3)

Jump servers:
 Are also known as bastion hosts
 Are configured similarly to a PAW
 Are only accessed remotely
 Do not guarantee the security of the workstation used to connect from
Secure domain controllers

 Run the most recent version of Windows Server and apply all security updates
 Use the Server Core installation option
 Keep in dedicated, secure racks
 Deploy physical domain controllers on hardware with a Trusted Platform Module (TPM), and use BitLocker
 Use read-only domain controllers (RODCs) where physical security is not assured
 Run virtualized domain controllers as shielded virtual machines (VMs)
 Use AppLocker and Device Guard to control the execution of executables and scripts
 Limit inbound Remote Desktop Protocol (RDP) connections to those coming from jump servers and PAWs
 Configure the perimeter firewall to block internet-bound traffic from domain controllers
Overview of the Security Compliance Toolkit

The Security Compliance Toolkit (SCT) helps you:
 Analyze your current security configuration against Microsoft security configuration baselines
 Compare GPO settings to the settings that Microsoft recommends

The SCT consists of:
 Security baselines
 Policy Analyzer tool
 Local Group Policy Object (LGPO) tool

Security baselines align closely to the Center for Internet Security (CIS) Level 1 benchmark
Lesson 2: Test your knowledge

Refer to the Student Guide for lesson-review questions


Lesson 3: JEA in Windows Server
Lesson 3 overview

This lesson describes Just Enough Administration (JEA). It allows you to apply role-based access control (RBAC) and the least privilege principle to Windows PowerShell remote sessions
 Topics:
o What is JEA?

o JEA limitations

o Role capability files

o Session configuration files

o JEA endpoints

o Connect to a JEA endpoint

o Demonstration: Connect to a JEA endpoint


What is JEA?

JEA:
 Provides RBAC to Windows PowerShell remoting
 Specially configured endpoints limit access so that a user can only use a defined set of
Windows PowerShell cmdlets, parameters, and parameter values
 Performs actions by using a special local virtual account
 Supported natively on Windows Server 2016 and later and Windows 10 version 1511
and later
JEA limitations

Not suitable for tasks where the problem and solution are not clearly defined:
 Setup requires understanding precisely which cmdlets, parameters, aliases, and values are
needed in order to perform specific tasks
JEA only works with Windows PowerShell sessions, and does not work with management
consoles or other remote administration tools
Role capability files

 Role capability files allow you to specify what administrators can do in a Windows
PowerShell session
 Anything that is not explicitly allowed in a role capability file or a session configuration file is
not allowed
 You can create a new blank role capability file by using the New-PSRoleCapabilityFile
cmdlet
 Role capability files use the .psrc extension
Session configuration files

 Session configuration files determine which actions can be performed in a JEA session and
which security principals perform those actions
 Create new session configuration files by using the New-PSSessionConfigurationFile
cmdlet
 Use the .pssc file extension
JEA endpoints

 Connect to JEA endpoints to perform administrative tasks


 Configuration is determined by a session configuration file that links security groups
and role capability files
 A server can have multiple JEA endpoints
 Create JEA endpoints by using the Register-PSSessionConfiguration cmdlet:
Register-PSSessionConfiguration -Name DNSOps -Path DNSOps.pssc
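The role capability file, session configuration file and endpoint from the last three slides, built end to end on the server as an added example that is not part of the course material. It assumes the DNS Server role is installed; the group 'CONTOSO\DNSOperators', the module name 'DNSOpsRoles' and the transcript folder are hypothetical. The part worth noticing is the Restart-Service entry: the cmdlet is exposed, but only with -Name DNS, and the final Invoke-Command shows the endpoint rejecting any other value before anything runs.

```powershell
# Added example (not from the course deck): create the DNSOps role capability,
# session configuration and endpoint, then verify the restriction.
# Assumptions: DNS Server role present; 'CONTOSO\DNSOperators', 'DNSOpsRoles'
# and the transcript path are hypothetical.
$ModuleRoot = Join-Path $env:ProgramFiles 'WindowsPowerShell\Modules\DNSOpsRoles'
$RoleDir    = Join-Path $ModuleRoot 'RoleCapabilities'
New-Item -ItemType Directory -Path $RoleDir -Force | Out-Null
# Role capability files are only discovered inside a module's RoleCapabilities folder
New-ModuleManifest -Path (Join-Path $ModuleRoot 'DNSOpsRoles.psd1')

# 1. Role capability (.psrc): what a DNS operator may run. Restart-Service is
#    visible only with -Name DNS; everything not listed stays hidden.
New-PSRoleCapabilityFile -Path (Join-Path $RoleDir 'DNSOps.psrc') `
    -VisibleCmdlets @(
        'Get-DnsServerZone', 'Get-DnsServerResourceRecord', 'Clear-DnsServerCache',
        @{ Name = 'Restart-Service'; Parameters = @{ Name = 'Name'; ValidateSet = 'DNS' } }
    ) `
    -VisibleFunctions 'Get-DnsOpsHealth' `
    -FunctionDefinitions @{
        Name        = 'Get-DnsOpsHealth'
        ScriptBlock = { Get-Service -Name DNS | Select-Object Name, Status }
    }

# 2. Session configuration (.pssc): which group gets which role, the identity
#    the commands run as, and where transcripts go
$Pssc = Join-Path $env:TEMP 'DNSOps.pssc'
New-PSSessionConfigurationFile -Path $Pssc `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory 'C:\ProgramData\JEATranscripts' `
    -RoleDefinitions @{ 'CONTOSO\DNSOperators' = @{ RoleCapabilities = 'DNSOps' } }
if (-not (Test-PSSessionConfigurationFile -Path $Pssc)) { throw 'invalid session configuration file' }

# 3. Register the endpoint (restarts the WinRM service)
Register-PSSessionConfiguration -Name DNSOps -Path $Pssc -Force | Out-Null

# 4. Verify as a member of DNSOperators: the command list is short, and a
#    parameter value outside the ValidateSet is rejected before anything runs
$s = New-PSSession -ComputerName localhost -ConfigurationName DNSOps
Invoke-Command -Session $s -ScriptBlock { Get-Command | Select-Object -ExpandProperty Name }
Invoke-Command -Session $s -ScriptBlock { Restart-Service -Name Spooler }   # error: 'Spooler' not in ValidateSet
Remove-PSSession -Session $s
```

The virtual account created by -RunAsVirtualAccount is a local administrator on a member server, so the role capability file is the only thing standing between the operator and full control; keep VisibleCmdlets tight, avoid wildcards that expose Invoke-Expression-style cmdlets, and use -RunAsVirtualAccountGroups where the task does not need administrator rights.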
Connect to a JEA endpoint

Interactive connection:
Enter-PSSession -ComputerName <computername> -ConfigurationName <endpoint name>
Implicit remoting:
$DNSOpsSession = New-PSSession -ComputerName 'MyServer' -ConfigurationName 'DNSOps'
Import-PSSession -Session $DNSOpsSession -Prefix 'DNSOps'
Get-DNSOpsCommand
Programmatic:
 Same as for other PowerShell endpoints
Demonstration: Connect to a JEA endpoint
 Review a connection made to a JEA endpoint
 Verify that the session is limited to specific commands
Lesson 3: Test your knowledge

Refer to the Student Guide for lesson-review questions


Lesson 4: Securing and analyzing SMB traffic
Lesson 4 overview

This lesson describes the Server Message Block (SMB) protocol, a network protocol primarily used for file sharing. Whenever sensitive data is moved by using SMB, encryption is important.

 Topics:
o What is SMB 3.1.1 protocol security?
o SMB 3.1.1 encryption requirements
o Configure SMB encryption on SMB shares
o Disable SMB 1.0
o Demonstration: Disable SMB 1.0 and configure SMB encryption on shares
What is SMB 3.1.1 protocol security?

SMB 3.0 introduced encryption of SMB traffic (AES-128-CCM)
SMB 3.1.1 adds:
 Preauthentication integrity: a SHA-512 hash of the negotiate and session setup messages is bound into the session keys, so tampering with those messages results in a failed connection
 Additional security improvements, such as AES-128-GCM encryption

Later revisions of SMB 3.1.1 add:
 Further improvements, including support for write-through to disk
SMB 3.1.1 encryption requirements

Both server and client must support SMB 3.1.1 to get the 3.1.1 protections (preauthentication integrity and AES-128-GCM)

Preauthentication integrity is not compatible with some older network equipment that modifies SMB traffic in transit
Communication with an older OS negotiates down to an earlier version of SMB:
 SMB 3.02: Windows 8.1 and Windows Server 2012 R2
 SMB 3.0: Windows 8 and Windows Server 2012
Configure SMB encryption on SMB shares

Use Windows PowerShell to enable encrypted SMB:

 For an existing file share:
Set-SmbShare -Name <sharename> -EncryptData $true
 To encrypt all sharing on a file server:
Set-SmbServerConfiguration -EncryptData $true
 To create a new SMB file share and enable SMB encryption simultaneously:
New-SmbShare -Name <sharename> -Path <pathname> -EncryptData $true
Disable SMB 1.0

You can disable SMB 1.0 support by using Windows PowerShell:

 To disable SMB 1.0:
Set-SmbServerConfiguration -EnableSMB1Protocol $false
 To uninstall SMB 1.0 (Remove-WindowsFeature is an alias of this cmdlet):
Uninstall-WindowsFeature -Name FS-SMB1
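The commands on these two slides are the last step; the practitioner's question is what breaks when SMB1 goes away. The block below is an added example, not course code, that first lists the dialect each connected client is using, turns on the SMB1 access audit that Windows Server 2016 and later provide, summarizes the audited clients, and only then disables and uninstalls SMB1 and encrypts a share. Run it elevated on the file server; the share name 'Research' is hypothetical.

```powershell
# Added example (not from the course deck): audit SMB1 clients and dialects in
# use before turning SMB1 off, then disable, uninstall, encrypt and verify.

# 1. Which dialect is each connected client using right now?
Get-SmbSession | Select-Object ClientComputerName, ClientUserName, Dialect |
    Sort-Object Dialect | Format-Table -AutoSize

# 2. Audit SMB1 connections for a while: event 3000 in the SMBServer/Audit log
#    names each client that negotiated SMB1
Set-SmbServerConfiguration -AuditSmb1Access $true -Force

function Get-Smb1Client {
    param([int]$Days = 14)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-SMBServer/Audit'; Id = 3000
                                     StartTime = (Get-Date).AddDays(-$Days) } -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Message reads 'SMB1 access ... Client Address: <ip>'; keep the address
            if ($_.Message -match 'Client Address:\s*(\S+)') { $Matches[1] }
        } | Group-Object | Select-Object Name, Count
}
Get-Smb1Client -Days 14

# 3. Only when step 2 returns nothing, or every hit is explained: disable and remove
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
Uninstall-WindowsFeature -Name FS-SMB1

# 4. Encrypt one share; optionally refuse unencrypted access server-wide
Set-SmbShare -Name 'Research' -EncryptData $true -Force
# Set-SmbServerConfiguration -EncryptData $true -RejectUnencryptedAccess $true -Force   # locks out SMB 2.x clients

# 5. Verify the resulting server posture
Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol, EncryptData,
    RejectUnencryptedAccess, RequireSecuritySignature
Get-SmbShare -Name 'Research' | Select-Object Name, Path, EncryptData
```

RejectUnencryptedAccess is the setting that turns share encryption from "encrypt when the client can" into "refuse otherwise"; leave it at its default while SMB 2.x clients from the previous slide's list are still connecting.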
Demonstration: Disable SMB 1.0, and configure SMB encryption on shares
 Disable SMB 1.x on Windows Server
 Configure a share for SMB encryption
Lesson 4: Test your knowledge

Refer to the Student Guide for lesson-review questions


Lesson 5: Windows Server update management
Lesson 5 overview

This lesson describes Windows Server Update Services (WSUS). It provides an infrastructure to download, test, and approve updates, which helps block attacks against unpatched vulnerabilities
 Topics:
o Overview of Windows Update

o What is WSUS?

o WSUS server deployment options

o The WSUS update management process

o Azure Update Management


Overview of Windows Update

 Windows Update is a Microsoft service that provides updates for Microsoft software
 The update orchestrator on each device scans for and downloads updates
 Clients and servers can be configured to get updates from a Windows Server Update Services (WSUS) server instead of directly from Microsoft
What is WSUS? (1 of 2)

WSUS provides an infrastructure for managing updates for Windows devices


WSUS allows you to:
 Choose the updates you want to download
 Test updates before broad deployment
 Choose which devices get updates and when they receive them
 Track status of updates
What is WSUS? (2 of 2)

Prerequisites:
 1.4 gigahertz (GHz) or faster x64 processor
 2 gigabytes (GB) of random-access memory (RAM) or greater (above that needed for other roles)
 10 GB or greater of available disk space (more if update content is stored locally)
 100 megabits per second (Mbps) or greater network adapter
 .NET Framework 4.0
 Access to the Temp folders
 The installing account must be a member of the local Administrators group
 Microsoft Report Viewer Runtime 2012
 Windows Internal Database or Microsoft SQL Server
WSUS server deployment options

WSUS implementation:
 Single server
 Multiple servers
 Disconnected servers

WSUS hierarchies:
 Autonomous mode
 Replica mode

WSUS database:
 Windows Internal Database
 SQL Server database
The WSUS update management process

Four phases:
1. Assess
o Choose topology

o Choose type of updates to deploy

2. Identify
o Choose specific updates

3. Evaluate and plan


o Test updates before broad deployment

4. Deploy
o Deploy the updates

o Track status
Azure Update Management

 Part of Azure Automation
 Free cloud-based service
 Can manage updates on Azure and non-Azure servers, including those on premises
 Requires the Log Analytics agent on each managed server
Lesson 5: Test your knowledge

Refer to the Student Guide for lesson-review questions


Instructor-led lab: Configuring security in Windows Server
 Configuring Windows Defender Credential Guard
 Locating problematic accounts
 Implementing LAPS
Lab: Configuring security in Windows Server

 Exercise 1: Configuring Windows Defender Credential Guard
 Exercise 2: Locating problematic accounts
 Exercise 3: Implementing LAPS

Sign-in information for the exercises:


 Virtual machines:
o WS-011T00A-SEA-DC1

o WS-011T00A-SEA-ADM1

o WS-011T00A-SEA-SVR1

 User name: Contoso\Administrator


 Password: Pa55w.rd
Lab Scenario

Contoso Corporation is a medical research company with about 5,000 employees worldwide. It has specific needs for ensuring that its medical data and records remain private. The company has a headquarters location and multiple worldwide sites. Contoso has recently deployed a Windows Server and Windows client infrastructure.

You have been asked to implement improvements in the server security configuration.
Lab-review questions

1. How do you manage local administrator account passwords in your organization?
2. What is the name of the tool that you can use to enable Credential Guard?
3. When a computer is configured to use LAPS, which Windows PowerShell cmdlet do you use to retrieve the local Administrator password from AD DS?
Lab-review answers

1. How do you manage local administrator account passwords in your organization?
 Answers will vary. Some students will indicate that their organizations have no technology in place. Other students will have a solution, including some who use LAPS.
2. What is the name of the tool that you can use to enable Credential Guard?
 The tool that you can use to enable Credential Guard is called the Hypervisor-Protected Code Integrity and Windows Defender Credential Guard hardware readiness tool.
3. Which Windows PowerShell cmdlet do you use to retrieve the local Administrator password from AD DS when a computer is configured to use LAPS?
 You use the Get-AdmPwdPassword cmdlet to retrieve the local Administrator password from AD DS when a computer is configured to use LAPS.
Module-review questions

1. What should an organization do before it institutes NTLM blocking?


2. Which Windows PowerShell cmdlet do you use to configure a specific OU so that
computers within that OU can use LAPS?
3. Which SMB version is negotiated by Windows Server 2019 when communicating with
Windows Server 2012 R2?
Module-review answers

1. What should an organization do before it institutes NTLM blocking?
o Audit NTLM usage
o Configure the Restrict NTLM: NTLM authentication Group Policy settings
o Enable Kerberos authentication

2. Which Windows PowerShell cmdlet do you use to configure a specific OU so that


computers within that OU can use LAPS?
Set-AdmPwdComputerSelfPermission

3. Which SMB version is negotiated by Windows Server 2019 when communicating with
Windows Server 2012 R2?
SMB 3.02
Thank you.
