Security-hardening Windows Server


This topic contains 3 replies, has 4 voices, and was last updated by Brad Sams 1 day, 10 hours ago.

  • Mary Jo Foley
    Moderator
    #620543

    Our next MJFChat, scheduled for Monday, August 19, is between me and Orin Thomas, Microsoft Principal Cloud Operations Advocate. We’re going to talk all about ways IT pros can security-harden Windows Server.

    What questions do you have for Orin about security-hardening Windows Server? Any issues you’ve hit in trying to do this inside your own organization? No question is too big or too trivial. I’ll be chatting with him on August 19, and will ask some of your best questions directly to him. Just add your questions below and maybe you’ll be mentioned during our next audio chat.

    morbrosit
    Participant
    #620577

    Best practice to allow for remote access (PowerShell/PSExec)?

    Ivan
    Participant
    #620659

    Q1. Security hardening implies it is done at inception of a server. Other than DSC (which is difficult to implement and maintain), how else should we look at maintaining the security configuration throughout its lifetime?

    Q2. Are there guides or baselines that should be applied to the majority of servers?

    Q3. Security hardening is difficult to maintain operationally, as it really should be done at the application, OS, network and identity layer. This complexity can lead to potentials for misconfiguration. Do you have any suggestions or practices to help streamline this process?

    Regards, Ivan, Sydney Australia.

    Brad Sams
    Keymaster
    #620769

    You can find an audio version of the conversation, here.

    Mary Jo Foley:                 00:00                   Hi, you’re listening to Petri.com MJFChat show. I am Mary Jo Foley, aka your Petri.com community magnet. I’m here to interview industry experts about various topics that you, our readers and listeners want to know about. Today’s MJFChat is going to be about security hardening Windows Server. My guest today is Orin Thomas, Microsoft Principal Cloud Operations Advocate. Thanks for joining us Orin.

    Orin Thomas:                   00:36                   Yeah. It’s great to be here.

    Mary Jo Foley:                 00:36                   It’s bright and early for you and it’s the end of our day here. Where are you located again?

    Orin Thomas:                   00:44                   I live in Melbourne, Australia. So at the moment it’s winter, not that we get really big winters in Australia. No, I’m about half a day ahead or 18 hours or something like that of the US so we get Monday morning earlier, but we get Friday afternoon faster as well.

    Orin Thomas:                   01:04                   Nice. I think I would go with your way of doing it. I really do. So we’re going to talk about Windows Server and as you noted, Windows Server ships in a mostly “mostly” secure configuration, but Microsoft does have to balance security with backwards compatibility. You have a bunch of ideas about things IT Pros can do to tighten the security of Windows Server deployment, things like hardening accounts and authorizations, secure administration and hardening Windows Server from its default deployment configuration.

    That was hard to say. But first before we get into all your good ideas, we asked some of the Petri.com readers if they thought Windows Server was secure from the get go. I want to read to you some of the things that we heard back through Twitter and various social channels. So Brian Reed said, is it secure out of the box? Yes, if it’s deployed standalone. Maybe, if it’s deployed in AD with careful GPO settings. No, where domain and other GPO settings are a mess. Then somebody else, Paul Pryor, said if you throw in some AppLocker rules and control user right assignments with GPO, and lock down unused services, it’s ready to rock. But also be sure to use Windows Server Core. What do you think of these kinds of comments? Do you agree that this is the way IT Pros should be thinking about Windows Server?

    Orin Thomas:                   02:40                   Yes and no. I think that one of the key things is with anything, how you configure something will determine how secure it is. Now when I agree with that statement that it’s mostly secure out of the box. There’s always a balance between backwards compatibility and compatibility with people’s environments and compatibility with people’s applications.

    You can actually take Windows Server far, far further. So there is two sets of third party guidance that are really worth looking at if you’re really into locking down Windows Server. So one of them is STIG, which is a Security Technical Implementation Guide, which I think is published by the US military. And that’s basically a set of recommendations where they go through almost every setting that you can go and configure. And then also there’s the Center for Internet Security, which has also got a security hardening set of guidelines for Windows Server.

    Orin Thomas:                   03:45                   So coming back to those comments, you can make Windows Server very hard when it comes to a domain deployment or a standalone deployment and there is much further that you can go than just, for example, AppLocker rules. AppLocker is actually an older technology and we’ve actually got better technologies that are available for Windows Server for that sort of application whitelisting. Application whitelisting is an awesome way of approaching security.

    It is enforced more at the hardware layer and that you’re verifying, you know, the integrity of the application, how you’re identifying the application at something a bit. AppLocker is sort of an older technology. I think it’s almost a decade old or a bit older now, but you know, if you go with Windows Defender Application Control, you’ll actually get a much more robust control over what runs. But the, the trick with any hardening is I say it’s no point protecting a $1,000 diamond with a $20,000 safe. So you always have to be commensurate with how you harden your environment and you can go all out and go and apply every security recommendation that might be sitting in the STIG or in the Center for Internet Security benchmark.

    But it might be that nothing can run on your server. So you have to balance what your threat is against how locked down do you want to make the server. Windows Server can be very, very, very, very tightened and locked down. It’s very difficult to compromise if appropriately configured.

    Mary Jo Foley:                 05:25                   Hm. Do you think everybody should think of this, that way? In other words, do you think, you brought up the dollar analogy, but like should everyone want to lock it down to its maximum point or how do you gauge whether you should or shouldn’t do that?

    Orin Thomas:                   05:40                   One of the things that we see is a big challenge and we can see that just with the number of computer servers out there that are still running 2008 or 2008 R2. Take a lot of simple things that people can do, that they’re not doing before we start worrying about some of these really complicated things. Some of which I’ll talk about with you today.

    I mean the best thing that people can do for example, for their domain environment is just make sure that they’re running Windows Server 2019 on their domain controllers. You always want your domain controllers to be the most recent version of the operating system. And then you know, as a general guide, you want everything to be the most recent version. There’s going to be scenarios where you can’t do it for application compatibility reasons, but we also know that the vast majority of Windows Server workloads have file servers and then domain controllers and then infrastructure servers.

    Orin Thomas:                   06:38                   And then when it comes to application servers, they’re a bit further down the list in terms of common workloads. So if people just went and upgraded their domain controllers and file servers, that’s a really simple thing without worrying about going into a whole set of checklists. And you know, let’s start with the, the easy, the low hanging fruit before we get to, you know, the more challenging bit of doing our application whitelisting where you have to know everything that’s running, which is a really great thing to do. But again, in terms of bang for your buck, you get on the latest version.

    Mary Jo Foley:                 07:17                   Yup. Yup. That’s just like the get go, right? Like start there, move from there.

    Orin Thomas:                   07:22                   One thing that, um, you know, there is always a security argument, uh, for running the latest version. Why? Because it’s got all of, you know, the wisdom or everything that’s, you know, been dealt with before in theory. By the time the new version is released, all of that is sort of baked into the operating system. You’re not sitting there going, well, I’ve got to go and apply all of these updates and that’ll certainly harden the server, but we know much more when we are releasing a product today than we knew when we released an earlier version of a product.

    Mary Jo Foley:                 07:52                   Yep, that’s right. One of the readers on Petri, Ivan, asked whether these kind of guides or baselines should be applied to the majority of servers and then also asked about security hardening. Here’s what he said. Security hardening is difficult to maintain operationally as it really should be done at the application, OS, network and identity layer. And this makes it very complex and leads to pitfalls of misconfiguration. So he’s asking are there actually practices to streamline this process? So I think these two things are related basically.

    Orin Thomas:                   08:34                   When you’re looking at a file server, that’s generally a bit easier. So if you can categorize servers or if you can categorize workloads, you’ve probably then got a general set of things that you can do. But depending on how far that you want to go on, again, this comes back to this thing I was saying. If people wanted to just do the basics, that’s not particularly complicated. You can go in and handcraft a security configuration, which is obviously fairly time-intensive, but most people aren’t anywhere near that. I mean most people’s security posture isn’t that great. I was once teaching some people that were responsible for information security for the Australian government and they were going out to government departments and they had a set of guidelines for how things should be configured.

    Orin Thomas:                   09:34                   And things were so far from where they were that even if they just got the basics right, they’d be doing a lot better than where you’re getting all the complex things right. There’s a tendency when we’re thinking about security for people to try and get everything perfect. It would be great if we were in that position, but most people actually need to get themselves just up to scratch before they start worrying about getting perfect. So it is difficult to maintain operationally. It’s a matter of making sure that you document everything, you work out what works. And one of the other things that you should never do is you should never start with one of these baselines.

    The security hardening guides and then turn everything on at once because you’ll do that. And what you’ll find is that suddenly things won’t work and you won’t know which particular security control you’ve implemented that might’ve caused the compatibility issue. So you need to be incremental about it. And obviously if you’re being incremental about it, you’re actually taking more time. Time is money, then you’ve got to come back to that. I’ve got to harden commensurate with what my threat is. If you’re running the local kindergarten’s file server, that’s a very different threat model to if you’re running, you know, authentication for a bank or something like that.

    Mary Jo Foley:                 10:55                   Yeah, for sure. So do you actually advocate that people do things like you do with Windows updates, in other words have rings and pilot testing the same way they do? Or is there another approach to doing that?

    Orin Thomas:                   11:10                   You should always test an update before you put it into production. I was teaching some students once and one worked at an international merchant bank and he came back with something that I found to be completely fascinating and I don’t advocate this at all, but it’s a funny story. He said that they didn’t test updates before they put them into production.

    And I went, what’s the logic in that? And he said, well we worked out the number of personnel hours we were spending each month testing updates before putting them into production. But we also then worked out that with our ability to roll back, we’re going to spend less hours rolling back a problematic update than we were actually spending testing updates in production. So they worked out some sort of cost benefit analysis and said it’s costing us x dollars to test updates every month, given the lack of, you know, absolutely show stopping updates that there are, it’s going to cost us a fraction of x to not test them. I don’t recommend that, but it is an interesting view on the process.

    Mary Jo Foley:                 12:23                   It is. That’s kind of a weird way of thinking, but I see where he’s coming from and thinking that.

    Orin Thomas:                   12:34                   I wouldn’t do it, but it’s what you’d get from a bunch of accountants who said, well, it’s costing us x dollars to test. We’re just better off having the occasional disaster because it will be cheaper than all of the testing.

    Mary Jo Foley:                 12:50                   Yikes. Yeah, exactly.

    Orin Thomas:                   12:52                   But again, different horses for different courses.

    Mary Jo Foley:                 12:55                   Exactly. I like that. W start when you’re advising IT pros, how do you actually start talking to them about this beyond what we’ve already said here? I mean, do you actually have a checklist to say, go down the checklist, here’s what you should do, A, B, C, D, and what, what are those? If you have those points?

    Orin Thomas:                   13:17                   So where I usually start is I’ll start with a set of easy wins and my, my first one is the, just make sure that you’ve upgraded your domain controllers and things like that. Then I start talking about, okay, let’s look at your virtualization fabric because this is one that people don’t think about so much. And with Windows Server 2016 and 2019, there’s a really cool thing called guarded fabrics and shielded VMs because what people haven’t sort of sat there and thought about is they’re sitting there worrying about domain dominance.

    When someone gets to mine, I’d be nexus in the mind, but they don’t think about virtualization dominance where someone actually gets control of the virtualization fabric. Because if you’re controlling all of your virtualization servers, you can just pick up any VM that’s running on that, export it, and then you’ve got access to the entire box.

    Orin Thomas:                   14:03                   It’s the ability of basically being able to steal, you know, in the old days of walking into a server room and taking a server out, if you can steal a VM, it’s sort of the same. So with Windows Server 2016 and 2019 you have the ability to really lock down that virtualization fabric so that each virtualization host is running in a known, protected configuration. And then each virtual machine that’s running on that host is fully encrypted. So that if someone did try to export it, all of that is protected data that they can’t read. Cause one of the attacks that’s happened is that people have sort of gone, oh, I’m gonna go and mount the hard drive or the virtual hard disk of that domain controller, get access to the Active Directory database, run an offline attack against it. Then I’ve got complete access to the environment.

    Orin Thomas:                   14:51                   So one thing I talk to people about is think about the security of the virtualization fabric. Cause a lot of people are running everything virtualized. You’ve got to make sure that that’s hardened. The next one I talk about is obviously application whitelisting. Go and look at what applications you’re allowing to run on a server and then make sure that you’re only allowing a known set of applications to run. For the most part, you’re only running a limited sort of workloads. And if you think about for example, we see all the time in the news ransomware problems where a file server has had a cryptolocker infection on it. Well there’s things such as Windows Defender Application Guard, which will provide controlled folder access, which you can turn on and it won’t allow unauthorized processes to go and run on specific folders.

    Orin Thomas:                   15:44                   For example, a cryptolocker infection running against a path that hosts all of an organization’s files. So again, you could turn something like that on. And again, that requires that you have a more recent version of the operating system. Then things like securing your administration. A big recommendation is that you use what’s called a privileged access workstation.

    Now a privileged access workstation is a specially configured computer that you only perform administration tasks from, and the things are locked down so that you can only do what you’re meant to do on it. It’s not your sort of daily driver computer where you’re reading your email and surfing the web. It’s a completely locked down environment that’s got its own application whitelisting rules applied and then you configure your servers so that they can only be managed from one of these hardened workstations.

    Orin Thomas:                   16:40                   So what you’re trying to do is you’re trying to avoid this sort of attack or the sort of compromise where someone compromises an administrator workstation. And through compromising that workstation, they then gain access to, you know, the production servers. And one of the things I tell people at conferences is you shouldn’t be doing admin tasks from the laptop that you take to a conference. You should actually be doing that from a very specifically hardened workstation, a privileged access workstation.

    Mary Jo Foley:                 17:09                   So this is a perfect time, I think, to interrupt you for a moment with a question from another reader. Morbrosit asked about best practices for allowing remote access using PowerShell/PSExec.

    Orin Thomas:                   17:25                   So part of that would be to make sure that you’re locking down all of your servers, so that they can only be accessed from known hosts. You shouldn’t have it so that you can remotely PowerShell to your domain controllers from any computer on your network, you should say.

    Orin Thomas:                   17:44                   Right? I can only get in from the specifically hardened workstations and that will improve security. Security is about improvement. There’s no perfect solution. But what you can do is you can make it increasingly difficult for an attacker, for example, if they’ve compromised your network, to move about that network.

    There’s a thing called assume breach, which is that you design your security around the idea that you’ve already been compromised and so that you’re trying to limit what an attacker could do if they, for example, compromised a specific machine. Okay. If they’ve compromised that machine, how would we limit what they could do from that machine that they’ve compromised?

    Mary Jo Foley:                 18:25                   That’s interesting. One other thing that may be partially related from Ivan. He was saying other than DSC, which I’m assuming is desired state configuration, which is difficult to implement and maintain. How else can we look at maintaining the security configuration throughout its lifetime?

    Orin Thomas:                   18:49                   So there is, I’m trying to remember, a Security Compliance Toolkit. Now the Security Compliance Toolkit is sort of the newer version of an older tool that allows you to sort of go and check the security configuration of a server against a specific baseline. So one of the things that you can do is you can come up with these baselines and then run these tools to check how well a particular server meets that baseline. Now there’s a certain amount that you can do with DSC.

    There’s a certain amount that you can do with Puppet and Chef, but there’s sometimes there’s a lot of getting out and you know, walking when it comes to doing bits and pieces of this, of this configuration, and because each workload may be slightly different in what its requirements are, it may be that you have to handcraft a few of these things. So there’s no simple solution where you can just point a product at any workload and it’ll automatically configure. Understanding the workload and the requirements of that workload in terms of what you can and you can’t do.

    Mary Jo Foley:                 19:52                   Okay. Sorry, I interrupted you. Go forward. Go forward.

    Orin Thomas:                   19:58                   Okay. One of the other ones I was going to bring up one more when we were talking about PowerShell. Of course there’s Just Enough Administration, which is a technology that really limits what can be done within a PowerShell session. So not only would you turn around and say, I’m going to limit where this session can come from, I can limit what can be done within the session. So for example, someone would log in with an account that has DNS permissions and only DNS permissions.

    And one of the other things you want to do is you sort of want to de-leverage administrator accounts. One of the other things that occurs out there is that people have these accounts that can go and do everything. And of course, if an account that can go into everything is compromised, that means that the attacker can go into everything.

    Orin Thomas:                   20:43                   Whereas if you have an account that’s really limited in what it can do, maybe all it can do is, you know, add some DNS records. If that account’s compromised, it really limits the scope of what an attacker can do. Locking down admin accounts within Windows Server 2016 and 2019, for example, a little thing that you can do is there’s a group called the Protected Users group and if you add an account to this user group, it lights up all of these little security features. It just disables cached logins.

    It disables NTLM for that account and it’ll improve the security of that account in a little way. More broadly, you might want to disable NTLM on your network if you can. Then you’ve got features like Credential Guard, which again, is sort of a mitigation to sort of pass-the-hash attacks, to those attacks that might work with Mimikatz, which is a way of sort of going in and attacking cached credentials.

    Orin Thomas:                   21:49                   And then another one that’s a really easy win is a thing called Local Administrator Password Solution. And what LAPS does is it makes sure that there’s a unique local administrator account password on each computer that is enrolled within LAPS. One of the things that happens in a lot of environments is that there’s a common local admin password on every computer in the environment.

    And an attacker only needs to get that password once and then they can log on to any computer as an admin. And I’ve seen out in the real world where even people who are just standard normal, like accountants, have you know, shoulder surfed when the IT person’s come to do some work and logged in with the local admin account and they’ve written that account password down and then shared it so that when the IT people aren’t around and they want to do something to their machines, they just log in with a local admin account because it’s using a common password right across the organization. So if you’re using a local administrator password solution, you’ve got a unique password on each machine so that sort of thing cannot occur.

    Mary Jo Foley:                 23:02                   That’s a good one for sure. Okay. Let’s see. Any other kinda checklist items you think, you’ve already brought up a bunch of good ones, but any other checklist items that might not readily occur to some people or things that sound really simple, but you see many people not doing them.

    Orin Thomas:                   23:23                   Network isolation’s fairly good. Again, that comes down to that idea I was talking about where you’re limiting who can or which hosts can open an admin connection. One of the ones that is commonly recommended is for example, blocking critical servers from communicating in any way with the Internet. The question is why does your domain controller need to be able to get to the Internet?

    And it probably doesn’t because if you’ve got your update process so that you’re deploying updates through something like Windows Server Update Services, then you’re deploying updates locally and there’s no need for that server to go and communicate directly with the Internet. Now again, it’s not a perfect solution, but what you’re doing is you’re stopping someone from signing onto that server and then maybe accessing tools or downloading tools from the internet that they shouldn’t.

    Orin Thomas:                   24:18                   And again that is sort of one way of sort of minimizing problems that can occur. So isolate things from communicating with things that they simply do not need to communicate with and you generally, your domain controllers are not going to need to communicate with the Internet. There’s a lot of organizations that are just like, oh, I’m not worried about anything occurring in terms of where someone might use a domain controller to access something remotely.

    Well generally they’re not going to need to. As someone, one of the readers, suggested, running Server Core. And it’s really surprising when I go and ask people at conferences, I say how many people are running Server Core? And you’ll only see a fraction of the hands go up. And there’s still a perception that Server Core is a difficult thing to use. With the new Windows Admin Center and the functionality that’s coming into Windows Admin Center, Server Core is a much more easy thing to administer.

    Orin Thomas:                   25:21                   And for the most part, if you think again of what roles do servers generally host, things like domain controllers and file servers. They certainly don’t need a GUI on them. By putting Server Core on, you’re reducing your attack footprint. It’s very difficult for someone who gets onto that server to open a browser and download something. They can still do stuff through PowerShell and obviously the command line environment. But again, Server Core first in terms of deploying a server and then only not deploy Server Core if there’s a really, really good reason not to. And if you’re installing Windows Server, you already know that by default it tells you to go and deploy Server Core.

    Mary Jo Foley:                 26:04                   Right. I’m glad you brought up Windows Admin Center, known also as Project Honolulu, because I think we should talk a little bit about that more because I feel like people have heard about it but maybe don’t quite understand how much that’s gonna make their life easier.

    Orin Thomas:                   26:23                   It is. One of the things is anybody who’s obviously running around on servers knows that the vast majority of the admin tools that you use to manage a server, in some cases 20 years old consoles that have been around in some form or another since sort of windows 2000.

    And we’ve seen things such as um, sort of some of the newer consoles like Active Directory Administrative Center, which probably came around in about Windows Server 2012-ish type timeframe, we’ve seen some consoles that have attempted to do something, but what Windows Admin Center represents is it represents a concerted effort to put all of the graphical administration tools that you need for a server into sort of an easily updatable web interface. So any new feature of Windows Server isn’t going to get its own sort of MMC or Microsoft Management Console snap-in anymore.

    Orin Thomas:                   27:23                   It’s all going to be anything new. Any new functionality is going to be surfaced in Windows Admin Center or PowerShell. One of the nice things about Windows Admin Center is when you do something, there is often a “show me the PowerShell that does this” button that’ll actually give you the code that you could, if you just wanted to run the code, you could go and use it.

    So it’s got add-ins, it will automatically update the add-ins. So for example, there’s a feature in Windows Server 2019 called Storage Migration Service, which our good friend Ned Pyle is responsible for. When you install Windows Admin Center to manage Storage Migration Service, cause that’s the way that you manage it. If there’s any updates to Storage Migration Service’s functionality, Windows Admin Center will automatically say, oh by the way, this module has got updated. You click on the update and then it’ll improve your console for you.

    Orin Thomas:                   28:17                   So going forward, at the moment Windows Admin Center is, in certain areas, an excellent tool, like Storage Migration Service. That’s obviously how you go and manage it. There’s other things that you’d still go back in, for example with Active Directory you’d go back and use Active Directory Users and Computers.

    Cause you can only do basic tasks in Windows Admin Center at the moment. However, given the rapid iterations that are going on with it, it’s not unreasonable to assume that in a couple of years you will have moved away completely from using those Microsoft Management Consoles because all of the functionality that you need will be within Windows Admin Center and that you can use that to centrally manage a lot of servers in the way that it’s really difficult to do with some of those older tools.

    Mary Jo Foley:                 29:05                   Okay. That’s good. Thanks for the shout out on that. I feel like we haven’t talked about that a lot on these MJFChats, but whenever I bring it up on Twitter, people are super excited like you said, because it’s revving all the time and there’s always new features being added.

    Orin Thomas:                   29:21                   It is. It’s one of those things that like when I’m doing Ignite Tour, it’s one of those, I do a little theater session on what’s new in Windows Server and it’s one of the things that I bring up and it’s like, you really should go and look at this. It’s really cool and it’s getting cooler all the time. I mean, I know now that I’m a Microsoft employee that’s a bit like blowing our own trumpet, but, even when an MVP, it’s a really, really, really cool feature. And I know that there’s a lot of people out there that are always sort of sitting there going, look, I can probably figure out the PowerShell to do this, but it’s going to take me a while and I’ve only got a certain amount of time, so I’m just going to default to using a GUI tool.

    Orin Thomas:                   30:03                   This helps you in both ways. It allows you to do something through the Gooey so that you’ve still got those guard rails and stopping you from doing, you know, there’s also the worry when you’re using powershell that you might accidentally summon a demon or something like that by using the one command. So this is giving you the guard rails, but it’ll also show you the powershell so that if you did want to go in and script something, you’re going, oh, okay, well that’s what that looks like. I can then again, make that transition and start to do it from the command line. Should I say oh neat. But it’s, it can be installed just on your, on your workstation at, it has its own little mini web server. You can install it, you can use it to manage the stuff that’s running in the cloud or you can use it to manage a whole collection of servers.

    Orin Thomas:                   30:48                   So you only need to install it once or you can have different instances of it and then you just go and connect through. And the other thing it’s got is it’s got really good integration with Azure so that for example, things such as as your file sync, which is a really cool technology that allows you to basically start tearing your file servers and putting old data up to the cloud. Again, you can set all of that up from windows admin center just for with a couple of clicks because it goes and connects your Azure account to this particular instance. And then you can go and hook that in very easily.

    Mary Jo Foley:                 31:27                   Cool. Very cool. Sorry, I think I got a little off topic there, but still related. So before we close out, just to reiterate, any resources that you want to call out for people on the topic of hardening Windows Server.

    Orin Thomas:                   31:45                   So the big one I would call out is I recommend that people go and look at the Center for Internet Security baseline and also go and look for the Security Technical Implementation Guide or the STIGs. It’s worth reading through them. Now, some of them are very long, very complicated documents, but what you’ll see is you’ll see in some cases discussions about here’s a particular feature you might not have thought of or a registry setting that you might not have thought of.

    This is what it does. And then you can figure out whether or not that’s appropriate for you. Going through and looking at all of the features and all of the things and all the recommendations that exist within those baselines. And then thinking about them, you’ll actually learn a lot about the process rather than, you know, just looking at someone’s, this is the top 10 list of things that you can do. I mean it’d be great you did the top 10 but you probably want to go further. And I know that in my own education about all of the security features that are available, going through those very extensive baselines, I went, Oh wow, okay. I didn’t know that I could do that. Or oh okay, I understand why I could do that. Or I can understand what that, that would stop me from doing if I did it, I could turn that feature on. But it would cause all of these problems.

    Mary Jo Foley:                 33:06                   Hmm. Any Microsoft Learn courses or anything? Or any course that you would recommend and you can even include your own if you would like.

    Orin Thomas:                   33:16                   Well. So there is a Microsoft official curriculum course, which is I think it’s 744 which is hardening. I think it’s hardening a Windows Server Environment. And in my current, which is a Windows Server 2016 Inside Out and in the updated Windows Server 2019 Inside Out, which comes out early next year in the updated version, I’ve actually added an additional chapter on just hardening Windows Server so that one doesn’t come out until early next year. But again, this is a topic that people are really interested in. So it’s one of those ones that I’m covering there at the moment. We don’t at the moment have something on Microsoft Learn specifically about hardening Windows Server, but our hope is, especially with the team on part of that, we’ll be able to get that sort of content in there at some stage.

    Mary Jo Foley:                 34:08                   Nice. All right, well we are out of time, but I just want to say thanks again for coming on and talking about this topic. I know it’s something a lot of our listeners and readers care a lot about, so thanks Orin for that. Thank you very much, and for all of you other regular listeners out there, we’re going to be back in a couple of weeks with our next guest, so be sure to watch for that. I’ll be posting the information on petri.com and that will be your signal listeners to send in some questions. All you have to do is go to the MJF chat area in the forums on Petri and submit questions right there and in regards to this chat with Orin, look for the audio and the full transcript of it as with all of our chats in the next few days. Thanks again.

    • This reply was modified 1 day, 9 hours ago by Brad Sams.