How to boost your Windows Server 2016 security
As the threat of cyber crime to UK businesses continues to rise, now’s the time to take advantage of Windows Server 2016’s new security features.
By Alex Bennett, Firebrand Training
Alex works for Firebrand Training, a Microsoft Gold Learning Partner. He has worked in the IT training and certification industry for the past 3 years. He writes regularly about Windows Server, Microsoft Azure and IT security.
In 2015, CEO of IBM Ginni Rometty said that ‘Cyber crime is the greatest threat to every company in the world’. Two years later and it’s hard to doubt her view. Cyber crime continues its terrifying growth in 2017, with costs for businesses hurtling towards £4.9 trillion a year.
Security has always stood at the centre of Windows Server. With the release of Windows Server 2016, users now have access to a host of new cyber security features, giving you a head start in protecting your business.
So, if you’re already working on boosting your Windows Server 2016 security – or haven’t started yet – now’s the time. Here’s how to make the most of these powerful new features and prevent your business from becoming the next Tesco Bank.
1. Secure your servers against phishing
Networks are historically seen as the primary attack surface. Today, the route into organisations is nearly always through their staff.
Hackers are getting more effective at using stolen credentials, logins and information acquired through phishing and social engineering to infiltrate UK businesses.
Attackers won’t just target your administrator account. Any login can be used to move sideways through your systems with techniques like ‘pass the ticket’ or ‘pass the hash’ – used extensively in the largest data breach in history.
Credential Guard on Windows Server 2016 uses virtualisation-based security to isolate secrets so that only privileged system software can access them. Credential Guard works to prevent these attacks by protecting NLTM password hashes and Kerberos Ticket-Granting-Tickets (TGTs).
Your computers will need to meet hardware, firmware and software requirements before you can deploy Credential Guard. If some of your older machines aren’t compliant, you can still roll Credential Guard out in phases, planned alongside any upcoming hardware purchases.
More information - including detailed hardware and software requirements - can be found here.
2. Detect and defeat ongoing attacks
Two thirds of UK businesses were targeted by cyber criminals in 2016. This means that for the majority of us, getting hacked is a matter of ‘when’ not ‘if’. If attackers have infiltrated your systems, you can now make it more difficult for them to abuse admin privileges.
Make the most of Just In Time and Just Enough administrationtools to reduce the risk of attacks targeting users with perpetual admin rights. By monitoring privileged groups and restricting the time users have admin privileges, these features will allow you to restrict the potentially unlimited admin privileges to a set of minimum actions. Find out how to implement them here.
Windows Server 2016 users can also implement Advanced Threat Analytics (ATA) to help defend against ongoing and future attacks. ATA tracks information from multiple data sources to follow the behaviour of users and entities in your organisation whilst creating a behavioural profile about them.
ATA can receive events and logs from:
- SIEM Integration
- Windows Event Forwarding (WEF)
ATA will enable you to detect suspicious activities on your network across the three different phases of an attack:
- Reconnaissance – attackers gather information on how the environment is built, including assets and entities
- Lateral Movement Cycle – an attacker spreads their attack surface inside a network
- Domain dominance (persistence) – an attacker captures information that enables them to continue their hack using various sets of entry points, credentials, and techniques
ATA detects these activities and displays the information in the ATA Console. You’ll see actionable information on a simple attack timeline, which gives you and your team the time you need to respond.
For more information on Advanced Threat Analytics, take a look at this documentation.
3. Deploy shielded virtual machines
Virtual machines have made it easier to deploy, manage, service and automate infrastructure. But, as Jeff Woolsey - Principal Program Manager for Windows Server – states: ‘virtualisation also requires us to think differently about the security of our virtualised infrastructure and applications.’
Virtualisation means your applications and its dependencies are now encapsulated into a few files running across multiple virtual machines.
‘They’re easier to live migrate, backup, replicate, but it also means that we’ve made it easier to modify or even copy entire workloads off the network or onto a USB stick and walk out the door with your crown jewel’ writes Woolsey.
If you’re responsible for virtualisation, you need to protect your VMs from compromised administrator accounts.
And with the addition of Shielded VMs in Windows Server 2016, you can do just that. This is achieved by encrypting disk and state of virtual machines, meaning only VM or tenant admins can access them.
Get more information on Shielded VMs for Windows Server 2016, including how to deploy them, on the TechNet library.
4. Achieve a Windows Server 2016 certification
Microsoft courses - and their accompanying certifications - are invaluable for upskilling you or your team. To get the most out of new technology like Windows Server 2016, you’ll need to learn how to use it effectively.
For those experienced with networking, servers and virtualisation, the MCSA: Windows Server 2016 certification is a good place to start. It’s designed for IT professionals who administer Windows Server 2016 and work with networks that are configured as Windows Server domain-based environments.
To achieve the MCSA: Windows Server 2016 certification, you’ll need to pass three exams:
- Exam 70-740: Installation, Storage, and Compute with Windows Server 2016
- Exam 70-741: Networking with Windows Server 2016
- Exam 70-742: Identity with Windows Server 2016
Microsoft recommend you prepare for the exams by completing the relevant MOC (Microsoft Official Curriculum) courses:
- MOC 20740: Installation, Storage, and Compute with Windows Server 2016
- MOC 20741: Networking with Windows Server 2016
- MOC 20742: Identity with Windows Server 2016
If you already hold an MCSA: Windows Server 2012 or MCSA: Windows Server 2008 certification you can upgrade by passing just one exam - 70-743: Upgrade Your Skills to MCSA: Windows Server 2016.
Or if you’re already a seasoned Windows Server 2016 administrator, kick-start your security initiatives with the new Securing Windows Server 2016 course.
You’ll be taught methods and technologies for hardening server environments and securing your infrastructure. You’ll also learn how to protect your organisation’s valuable administrative credentials and rights by:
- Mitigating malware threats
- Securing your virtualisation platform
- Using new deployment options like Nano Server and containers
- Boosting network security
This course also covers the aforementioned security features: Credential Guard, Just In Time/Just Enough Administration and Advanced Threat Analytics.
Get tangible proof of your Windows Server 2016 security knowledge by taking exam 70-744 Securing Windows Server 2016 (currently in beta). Pass it now you and you’ll receive full credit 8-12 weeks after the beta period has ended.
5. Make the most of the TechNet library
Familiarise yourself with Windows Server 2016’s comprehensive security features without leaving the office.
TechNet is one of the best free resources, acting as a central portal for everything Microsoft. As well as a comprehensive introduction to the technology, you also have access to a technical documentation library, the latest software patches and system updates, forums and blogs (like this one!).
Access the Windows Server 2016 directory here.