Security by Design is increasingly becoming the mainstream development approach to ensure security of software systems. Security architectural design decisions are based on well-known security tactics, and patterns defined as reusable techniques for achieving specific quality concerns. In the following steps we will make a security baseline for Windows Servers with different tools.
1.Microsoft Security Compliance Toolkit
The Microsoft Security Configuration Toolkit enables enterprise security administrators to effectively manage their enterprise’s Group Policy Objects (GPOs). Using the toolkit, administrators can compare their current GPOs with Microsoft-recommended GPO baselines or other baselines, edit them, store them in GPO backup file format, and apply them via a domain controller or inject them directly into testbed hosts to test their effects. A security baseline is a group of Microsoft-recommended configuration settings that explains their security impact. These settings are based on feedback from Microsoft security engineering teams, product groups, partners, and customers. A lot of hacks are based on registry settings, so that’s why Windows Server Security Baseline is important.
You can download the Microsoft Security Compliance Toolkit here
2. Windows Defender Firewall with Advanced Security
Windows Defender Firewall with Advanced Security is an important part of a layered security model. By providing host-based, two-way network traffic filtering for a device, Windows Defender Firewall blocks unauthorized network traffic flowing into or out of the local device. Windows Defender Firewall also works with Network Awareness so that it can apply security settings appropriate to the types of networks to which the device is connected. Windows Defender Firewall and Internet Protocol Security (IPsec) configuration settings are integrated into a single Microsoft Management Console (MMC) named Windows Defender Firewall, so Windows Defender Firewall is also an important part of your network’s isolation strategy. So set only the firewall ports you need end to end.
Windows Security Setting Firewall & Network Protection
Select Advanced settings
Windows Defender Firewall Advanced settings
Set only active what you need!
3. Windows Defender Security Virus & Threat Protection
Schedule a Full Scan in the Night for Threats
and Set the Windows Security options.
Keep your Defender and Virus definition files up-to-date.
4. Windows Updates
When your Windows Server is ready for production, you have to keep it Up-to-Date with Windows Updates. It’s not only the Windows Security patches, but all the software that’s running on your Server. One software leak is enough for a hacker to compromise your Server.
Have a look at the Microsoft Update Catalog
Lot of Companies are using Microsoft WSUS Services or Microsoft Endpoint Configuration Manager to deploy the software Life cycle Management Security updates to Servers to keep them secure as possible. These are not only Microsoft Security Updates but also from third party Software vendors, like adobe, Google, etc.
5. Security Monitoring and Remediation
This Cycle is important for Security!
IT departments have multiple teams with different disciplines, so when the Windows Server is ready
for the Administrator it goes to the Application Admin in a different IT Team. They will install the Application software and maybe
some software connections with other Servers by a third IT Team. To get in control of those security steps is important, because when a IT Consultant of a third party vendor is installing old legacy software you will have hacker leaks again and that’s making your Server vulnerable. Here is where Azure Security Center and Azure Defender will support you in monitoring and remediation of security issues.
It doesn’t matter where your Windows Server is installed, in Azure Cloud or On-premises in your datacenter, it can connect securely via internet for monitoring the Server. When it’s on-premises you can install the Microsoft Arc agent
Microsoft Azure Arc Connected Machine Agent.
Azure Arc enabled Server from On-premises
When the Microsoft Azure Arc Agent is installed on the Server, you can use these Azure Services for example :
- Azure Update Management
- Azure Monitoring
- Azure Security Center with Azure Defender
- Azure Policies for Compliance
- Change Tracking and Inventory
- Automation of Tasks
These Microsoft Azure features are supporting you to keep your Server as safe as possible and your security Up-to-Date.
From here you can add the Windows Server to Microsoft Azure Security Center with the right log analytics workspace.
Microsoft Azure Security Center Recommendations
Remediate Security Configurations on the Arc enabled Server
Remediation of Vulnerabilities on your Windows Server (Arc Enabled)
Azure Defender is a built-in tool that provides threat protection for workloads running in Azure, on premises, and in other clouds. Integrated with Azure Security Center, Azure Defender protects your hybrid data, cloud-native services, and servers and integrates with your existing security workflows, such as SIEM solutions and vast Microsoft threat intelligence, to streamline threat mitigation.
Workflow of Azure Defender for Vulnerability Scanning.
When Azure Security Center and Azure Defender are installed, you can do a Vulnerability Assessment on your Azure Arc enabled Server which is on-premises datacenter before your Windows Server is going in Production.
Vulnerabilities after Assessment on Windows Server with Arc enabled with remediation
This happens a lot when there is third party software installed on the Server.
To get a list of your high security vulnerabilities, you can use the Azure Resource Graph explorer.
Azure Resource Graph Explorer
Here you can download your high risks into a CSV or Pin to a Dashboard.
6. Compliance and Security Policies
Learn how Microsoft products and services help your organization meet regulatory compliance standards.
When you have to manage a lot of Windows Servers or Linux Servers, you want them compliant with the right security policies.
Here you find all the Microsoft Compliance Offerings
Regulatory Compliance of your environment.
With Azure Security Policy you can configure your Compliance.
in the following steps you will see an Sample alert :
Sample Alerts with Mitre ATT&CK Tactics
Take Action on the Security Alert.
Mitigate the Threat
Prevent future attacks
Trigger automated response
Suppress similar Alerts.
Security by Design Conclusion
Before you begin with deploying Windows Servers in your datacenter or in the Azure Cloud, it’s good to make a High Level design with your security set for the right compliance of your new Windows Server. You can use all the security On-Premises for Windows Server but with Azure Security Center, Azure Monitor, Azure Arc Services, Azure Defender you get all the security Insights and remediation options when a vulnerability is discovered. Windows Server and Azure Security Center is better together for Security Management.
If you want to keep your Windows Servers secure as possible, you need to keep doing these steps above. Continuous Monitoring and remediate vulnerabilities is a on-going process for SecOps and Administrators. Make it hackers difficult to add ransomware on your Servers. One more important IT Service, is your Backup / Disaster Recovery solution. This should be secure from hackers and from ransomware encryption. I always say think of this rule :
Microsoft Azure Security Center on GitHub
Overview of the Azure Security Benchmark (V2)
Become an Azure Security Center Ninja
Azure Security Center in the Field by Yuri Diogenes
Introduction to Azure Defender
Join the Microsoft Azure Monitor & Security for Hybrid IT Community Group on LinkedIn