This Microsoft E-Book gives you an overview about security in Windows 11 with in different layers of security.
Different Security Layers in Windows 11
Be aware of all the Microsoft security features in Windows 11 and download the free Microsoft Windows 11 Security Book here
Windows Admin Center is a customer-deployed, browser-based app for managing servers, clusters, hyper-converged infrastructure, and Windows PCs. It comes at no additional cost beyond Windows and is ready to use in production. Learn more aboutĀ Windows Admin Center.
Benefits
Languages
Chinese (Simplified), Chinese (Traditional), Czech, Dutch (Netherlands), English, French, German, Hungarian, Italian, Japanese, Korean, Polish, Portuguese (Brazil), Portuguese (Portugal), Russian, Spanish, Swedish (Sweden), Turkish
In the following step-by-step guide I will deploy Windows Server 2022 Insider Build 25099 Core Edition with Windows Admin Center tool together with some great features for managing Windows Servers in a secure hybrid way with Microsoft Azure Cloud services. Like Azure Defender for Cloud, Azure Backup Vault, Azure Monitor, Security and more.
So I have Windows Admin Center 2110.2 installed and I have a Windows Server 2022 Hyper-V Server for my Virtual Machines in my MVPLAB Domain.
Now we will deploy the new Windows Server 2022 Insider Preview Build 25099.
In WAC on my Hypervisor in Virtual Machines
When you explore and open your Hyper-V Host and go to Virtual Machines, you can Click on Add and then on New for Creating your Windows Server Insider VM.
Create a New Windows Server Insider VM called StormTrooper01
Here you can configure your new Windows Server 2022 Insider VM with the following :
I Created a New 70GB OS Disk
and I want to Install the New Windows Server Insider OS from ISO.
Click on Browse
Here you Browse Default on your Hyper-V Host and select the ISO.
When the Windows Server ISO is selected you can hit Create
We get the Notification that the virtual machine is successfully created.
Only the Virtual Machine is now made with your specs and visible on the Hyper-V Host.
Select the New Virtual Machine (StormTrooper01) click on Power and hit Start.
After you started the VM, you can double click on it and go to Connect.
Click on Connect to the Virtual Machine.
Now you are on the console via VM Connect.
Click on Install Now
We are installing Windows Server 2022 Insider Core edition, because we have WAC š
Installing Windows Server 2022 Insider Core Preview Build 25099 via Windows Admin Center
Create New Administrator Password.
And here we have Sconfig of the Windows Server 2022 Core.
via Virtual Machine Connect.
Now we can add and connect the New Virtual Machine with Windows Server 2022 Insider Preview Build in Windows Admin Center via IP-Address.
The Next step is to join the Windows Server 2022 Insider to my Domain MVPLAB.
Click on the Top on Edit Computer ID
Click on Domain and type your domain name.
Click op Next
Add your administrator account for joining the server
Reboot the VM.
Windows Server 2022 Insider Preview Core edition is domain joined.
Now we have the New Microsoft Windows Server 2022 Insider Preview Build 25099 running in Windows Admin Center, we can use all the tooling provided by WAC also in a Azure Hybrid way. Think about Azure Defender for Cloud, Azure Monitor. In Microsoft Windows Admin Center we also have a topic Azure Hybrid Center :
Here you see all the Azure Hybrid benefit features for your Windows Server 2022 Insider.
Microsoft Azure and the Windows Admin Center Team made the wizards customer friendly and easy to get those Azure Hybrid services for your Windows Server.
When you have your Server running, you want to make backups and Monitoring your Server for management. And after that you want to be in control of your security of your new Server. In the following steps you see some examples on the same Windows Server 2022 Insider Preview Build:
Click on Azure Backup
Select your Azure Subscription and the Azure Backup Vault.
Select your data and make the schedule.
Enter the Encryption passphrase and Apply.
Here you have Azure Backup Vault working together with WAC.
Click op Microsoft Defender for Cloud
Click on Setup
Add the right Azure Subscription and Workspace
Click on Setup.
Configuring Azure Defender for Cloud agent and Subscription.
Azure Defender for Cloud in Windows Admin Center on your Windows Server 2022 Insider Preview Build.
In Windows Admin Center there is also a Security tab for the Windows Server.
Here you can see your Secured-Core status
Here you can see if your system is supported for this security features š
Enable the supported features and Restart de Virtual Machine.
And here you see my status overview.
Further more you can manage RBAC in Windows Admin Center when you have to work with different kind of users.
You can find RBAC in settings.
Windows Server Insider Core edition and Windows Admin Center are working better together! You have all the tools you need to startup your Windows Server and
manage it with WAC. Windows Admin Center is getting better and better to manage your Hybrid Datacenter and keep you as an Administrator in Control!
So is how I manage my MVPLAB but also for Production workloads I use Windows Admin Center and the Azure Portal together. With Microsoft Azure Arc Services
Azure Hybrid becomes your solution where Windows Admin Center can Support you with making Azure Stack HCI Clusters with Azure Kubernetes for your DevOps environment.
Azure Arc for Hybrid Cloud Management.
In my last blogpost I wrote about Azure Arc enabled Kubernetes and Container Insights with Alerting and Actions
In the following steps I will install some containers (Pods) on my Azure Arc enabled Kubernetes so I have some data to work with in my MVP LAB. I did that with Microsoft Visual Studio Code and with Helm predefined templates. Install the VSCode and install the Kubernetes extension, more information here
In the following steps we install DAPR and Redis on the Azure Arc enabled Kubernetes.
When you open your Kubernetes Cluster
Click then on Helm Repos
There you see Dapr repo.
Click on version 1.6.0.
Right click on version 1.6.0
Click on Install.
Dapr is installed by default on the Azure Arc enabled Kubernetes.
Type in Powershell :
dapr status -k
You will see the running pods of Dapr.
Dapr Dashboard is running
Important: This is running in a test environment and is now http.
For production you have to make it save!
Azure Arc Services and Azure Defender for Containers will help you with that.
Installing Redis in the same way.
Kubectl get pods
You will see the running Dapr and Redis pods.
Now we have installed two products on the Azure Arc enabled Kubernetes Cluster by default, but security is not in place based on best practices. For Dapr you have security best practices to follow andĀ Security for Redis.
But next to these security best practices from the software vendor, we also have Microsoft Azure Arc Security (Preview) on this kubernetes Cluster active. In the following steps you will see Security rules, Fixes and Azure Policies for Azure Arc Kubernetes to make your environment more secure and compliant.
Click on your Azure Arc enabled Kubernetes Cluster
This is my Dockkube.
Click then on Security (preview)
Here you see that I don’t have Azure Policy active to be compliant
on my Azure Arc enabled Kubernetes Cluster.
A lot of security issues are managed by policies.
Click on View Additional recommendations in Defender for Cloud
See Related recommendation (17)
Here you see all the dependent policies for your Azure Arc enabled Kubernetes Cluster.
Select your Azure Arc Enabled Kubernetes Cluster (Dockkube)
Click on Fix
Confirm and click on Fix 1 resource.
Remediation in progress.
Remediation Successful.
It can take some minutes to see your resources in the Healthy state.
Just refresh š
In Azure Policy you will see how Compliant you are with your
Azure Arc enabled Kubernetes.
Click on the ASC compliance.
Here you see the 10 Policies that are not Compliant.
Select a policy which is not compliant like here
Kubernetes Cluster containers should only use allowed images
Click on Details
Here you see the Component ID’s on my Azure Arc enabled Kubernetes Cluster
which are not compliant on this policy š
See the Tab bar, you are now on Component Compliance
Click on Policies tab
Dubbel click on the policy.
From here you can Assign the policy to your Azure Arc enabled Kubernetes Cluster.
See the TAB bar for deploying this policy.
Set your Managed Identity for deploying your policy.
Here you can read more how Remediation security works
Enable Microsoft Defender for Containers
Azure Policy built-in definitions for Azure Arc-enabled Kubernetes
Understand Azure Policy for Kubernetes clusters
Overview of Microsoft Defender for Containers
Defender Plans for Azure Arc Enabled Kubernetes Clusters (Preview)
I have set these.
(Security Recommendations can take some time)
Security (preview) on your Azure Arc enabled Kubernetes Cluster
Here you get the Remediation steps to do and the Information.
There is information link to Mitre ATT&CK site.
And more information via a link to the Kubernetes site:
Resource Management for Pods and Containers
A New example and you can see the Affected Components
on my Azure Arc enabled Kubernetes Cluster Dockkube.
When you work in a DevOps way with Kubernetes containers and microservices, you want them as secure as possible. With application security and best practices from the software vendors. Security monitoring and compliance are important to keep you in control and to keep your environment safe. With Azure Arc enabled Kubernetes you get Azure Defender for Containers and Azure policy for security compliance to your Kubernetes Cluster.
Important: This is still in preview and should not be used in production environment yet until Microsoft makes it General Available for the world. Now you can test it in your test environment like me in my MVPLAB.
The Server Message Block (SMB) Protocol is a network file sharing protocol, and as implemented in Microsoft Windows is known as Microsoft SMB Protocol. The set of message packets that defines a particular version of the protocol is called a dialect. The Common Internet File System (CIFS) Protocol is a dialect of SMB. Both SMB and CIFS are also available on VMS, several versions of Unix, and other operating systems.
Here you can see the versions of MS-CIFS and download free white papers
Today SMBv1 is a not save protocol and will be used by hackers for man in the middle attacks to compromise your data and systems. SMBv1 is a weak protocol and should not be used in your environment. There are still a lot of Windows Servers 2012 R2 in the world running in datacenters with SMBv1 by Default enabled. To make your Windows Server more secure, you can disable SMBv1 protocol via a Group Policy Object (GPO).
In the following steps we will disable SMBv1 on Windows Servers via GPO.
Open Group Policy Management in your Domain.
Click on Group Policy Object with your right mouse button.
Click on New.
Give your policy a Name.
I made also an temporary Exception policy.
Right click on your new Policy Object.
Click on Edit.
Go to Computer Configuration => Preferences => Windows Settings
Click on Registry.
Click on New and then on Registry Item.
Here you have to add the following Registry Properties:
Set these settings.
Set Path: HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
Click on Apply for these Registry settings.
SMBv1 Disable setting is set in the Policy Object.
This is the path where we push the policy via GPO.
Here we Link the Existing GPO to the OU with the Windows Server 2012 R2
to disable SMBv1 Protocol.
Select your new Policy to disable SMBv1 Protocol.
We have now Linked the new GPO to Disable SMBv1
GPUpdate /force on your Server to disable SMBv1
To get the new GPO active on your Server.
Policy Update successfully.
GPResult /r to see the results.
Get-SmbServerConfiguration | Select EnableSMB1Protocol
or
Get-SmbServerConfiguration
You can still as a administrator enable SMBv1 on your Server with :
Set-SmbServerConfiguration -EnableSMB1Protocol $true
When the Server gets a reboot, SMBv1 will be disabled by GPO again.
When you have maintenance window for updates for example, you can un-install the SMBv1 Feature in Server Manager. This procedure needs a restart of the Windows Server.
Go to Server Manager remove features.
Click on Remove Roles and Features.
Remove the mark at SMB 1.0/CIFS File Sharing Support Feature.
Click on Remove.
Click on Close and Reboot the Server
Now SMBv1 protocol on the Windows Server is disabled and will use a higher version of SMB like version 2.x or 3.x.
More Microsoft information can be found here on Docs.
SMB over QUIC introduces an alternative to the TCP network transport, providing secure, reliable connectivity to edge file servers over untrusted networks like the Internet. QUIC is an IETF-standardized protocol with many benefits when compared with TCP:
SMB over QUIC offers an “SMB VPN” for telecommuters, mobile device users, and high security organizations. The server certificate creates a TLS 1.3-encrypted tunnel over the internet-friendly UDP port 443 instead of the legacy TCP port 445. All SMB traffic, including authentication and authorization within the tunnel is never exposed to the underlying network. SMB behaves normally within the QUIC tunnel, meaning the user experience doesn’t change. SMB features like multichannel, signing, compression, continuous availability, directory leasing, and so on, work normally.
Client Server Handshake and Data transfer differences.
Here you find a Great blogpost of Ned Pyle
SMB over QUIC: Files Without the VPN
When you still have Windows Servers running with SMBv1 by default enabled, for security you should disable SMBv1 protocol as soon as possible! Otherwise you make it easy for hackers to compromise your data with man in the middle attacks. In Windows Server 2019 and higher SMBv1 is disabled by default. Have a look at SMB over QUIC in your test environment and learn how secure it is and how it works for your security and data.
Hope you started year 2022 in Good Health in a difficult pandemic time.
Starting 2022 by asking yourself, how is your Security by Design doing in 2022
Your Security is one of the most important aspects of any architecture for your Business.
It provides confidentiality, integrity, and availability assurances against attacks and abuse of your valuable data and systems. Losing these assurances can negatively impact your business operations and revenue, and your organization’s reputation.
Here you find Awesome information about Applying security principles to your architecture to protect against attacks on your data and systems:
Microsoft Architecture and Security Docs
Here you find more information about NIST Cybersecurity Framework
The Microsoft Cybersecurity Reference Architectures (MCRA) describe Microsoftās cybersecurity capabilities. These References and diagrams can support you with implementing Security by design.
Microsoft Defender for Cloud
Microsoft Defender for Cloud (formerly known as Azure Security Center) community repository. This repository contains:
Security and Learning is a ongoing process, I always say Learning on the Job š is important to keep Up-to-Date every day of the week. Microsoft Tech Community platform and Microsoft Learning can support you to get the knowledge.
Become a Microsoft Defender for Cloud Ninja here
Microsoft and the community has a lot of good security information to start with for your Data and Systems to keep your business solution as save as possible. Here they write New blogposts for the community about Defender for Cloud
Keep in Mind “Security is only as strong as the weakest component in the Chain”
So keep your Security up-to-date and do assessments on vulnerabilities to keep your data and systems secure. Monitoring => Alerting => Remediation is 24/7/365 Process with Security people in the business.
Secured-core ā recommended for the most sensitive systems and industries like financial, healthcare, and government agencies. Builds on the previous layers and leverages advanced processor capabilities to provide protection from firmware attacks.
In Windows Admin Center Security you can Configure Secured-Core :
Secured-Core in Windows Admin Center 21.10
You can activate 6 secured-Core feature :
You now can simply activate the Security Feature.
Needs a Reboot
Hypervisor Enforced Code Integrity (HVCI) is enabled.
More information about Secured-Core Features
The Microsoft Security Configuration Toolkit enables enterprise security administrators to effectively manage their enterpriseās Group Policy Objects (GPOs).Ā Using the toolkit, administrators can compare their current GPOs with Microsoft-recommended GPO baselines or other baselines, edit them, store them in GPO backup file format, and apply them via a domain controller or inject them directly into testbed hosts to test their effects.Ā For more information, seeĀ Windows Security Baselines.
Baseline security policies for Windows Server 2022.
Here we have some new Windows Server 2022 security features :
You can read more information on these topics on Microsoft Docs
In the following steps you will see some of the security features of Microsoft Windows Server 2022.
When your Windows Server 2022 is running on a Hypervisor like Hyper-V, you can set Memory integrity under Windows Security to ON.
This prevents attacks from inserting malicious code into high security processes. When you set this security feature on, the Server needs a reboot to activate.
Memory Integrity needs a reboot.
Windows Security Notifications.
By default Virus & Threat protection notification is active, when you want notifications about Microsoft defender firewall blocking a new application, you have to turn this feature on and select the firewalls.
In Windows security we have also ransomware protection.Ā
Protect your files against threats like ransomware, and see how to restore files in case of an attack.
You can do this by Controlled folder access.
Protect files, folders and memory on your Server from unauthorized changes by software.
Protected folders.
New in Windows Server 2022 is Tamper protection in Windows Security.
This Prevents others from tampering with important security features.
This was all Microsoft Windows Server 2022 security in the VM, but how about your Windows Server 2022 Hyper-V Hypervisors?
Hypervisor-protected Code Integrity (HVCI) is aĀ virtualization based securityĀ (VBS) feature available in Windows. In the Windows Device Security settings, HVCI is referred to as Memory Integrity.
HVCI and VBS improve the threat model of Windows and provide stronger protections against malware trying to exploit the Windows Kernel. VBS leverages the Windows Hypervisor to create an isolated virtual environment that becomes the root of trust of the OS that assumes the kernel can be compromised. HVCI is a critical component that protects and hardens this virtual environment by running kernel mode code integrity within it and restricting kernel memory allocations that could be used to compromise the system.
SeeĀ Virtualization Based Security System Resource ProtectionsĀ for more details on these protections.
Here you find a great video with a session of Jeff Woolsey Principal Program Manager at Microsoft. It’s all about What’s new in Windows Server 2022.
Start with Microsoft Windows Server 2022 today and make your test environment to play with Windows Server 2022 and Security.
Make your core business application solution more secure then ever, and let a ethical hacker do pen tests on your solution.
When you have security by default in your architectural designs, and test your Windows Server 2022 for production workloads it makes a big different to keep your environment and solution safe. And when you monitor your Windows Server 2022 solution pro-active with Azure Monitor, Azure Security Center, Azure Defender like this with Azure Arc enabled Servers
This keeps you in Control on Security by design for your business.
Join Microsoft and the Community November 2ā4, 2021 to explore the latest tools, training sessions, technical expertise, networking opportunities, and more. You can register here
Here you find some great MSIgnite guidance on Microsoft Tech Community :
Of course you can make your own schedule from the session catalog here
Microsoft Build 2021 Global virtual event
I Hope everyone had a Great Microsoft Build 2021 Online Conference this week. Microsoft announced a lot of new features and Hybrid Cloud Solutions at Build 2021 š If you missed this Awesome Build 2021 event, you can watch the highlights on demand here.
Microsoft also launched MSBuild Book of News 2021
Build 2021 Resources: Build consistent hybrid and multicloud applications with Azure Arc
DevOps and developers are increasingly using microservices-based architectures with containerized applications for agility and flexibility. Azure Arc extends the single control plane from Azure to enable you to build apps consistently across hybrid and multi-cloud environments. With this information I was thinking, can I connect Microsoft Azure Arc Services to my Surface Book 3 with Windows 10 Preview Insiders Build 21390 and Docker for Windows with Kubernetes Cluster 1.19.7 active?
IMPORTANT: The following step-by-step guide is for testing purpose only.
First you need to have Docker for Windows 10.
Your Windows machine must meet the following requirements to successfully install Docker Desktop.
Here you can download Docker Desktop for Windows
With docker desktop for Windows you can switch between Windows Containers and Linux Containers. When you want to have a Kubernetes Cluster on your Windows 10 device active you have to switch to Linux Containers in the taskbar like this :
It’s now active for Linux Containers. (Default)
Right Click on the Docker tray icon and go to Settings.
Then go to Kubernetes to enable your Cluster locally on your Windows 10 Device.
When you apply it take some minutes for the installation.
When you see the Kubernetes icon on green, then your Cluster is running.
When you do a lot of DevOps work you use Microsoft Visual Studio Code for Free, because here you can see your Kubernetes Cluster and try your own code or Apps.
Kubernetes Cluster is running locally on your Windows 10 device.
The next step is to install the Microsoft Azure Arc agent on your Windows 10 device.
Login in your Azure Subscription, if you don’t have one you can start here
Search for Azure Arc in your subscription.
Click on Servers and Click on Add.
Click on add a Single Server.
Click on Generate Script.
Prerequisites for the Azure Arc Agent.
Select your Azure Subscription and Resource Group
Choose your Region.
Operating System is Windows. ( your Windows10 device)
Click on Next.
You can add your TAG here.
More information about Azure Tags
Here you can download the Installation script or do a Copy of the Azure Arc Agent.
Open PowerShell ISE in Administrator mode.
Paste the Azure Arc Agent PowerShell Script.
Click on run.
When you see this message open your browser and go to
https://microsoft.com/devicelogin
Copy the Code in the last rule of PowerShell here and click on Next.
Enter your Azure Subscription account here and click on Next.
Connection is made with Azure you can close this screen.
Azure Arc Agent is connect with your Windows 10 Device.
Here you see my Azure Arc Enabled Machine.
Now your Windows 10 device, my Surface Book 3 is connected with Microsoft Azure Arc Services.
The last step is to register your kubernetes Cluster with Microsoft Azure Arc Services.
Click on kubernetes Clusters on the left.
Click on Register a Kubernetes Cluster with Azure Arc.
The prerequisites to add your Kubernetes Cluster to Azure Arc
Select your Azure Subscription
Select your Resource Group
Give your Cluster a Name in Azure
Select Region.
Are you behind a Proxy Server? Yes or No
Here you can add your TAG to the Kubernetes Cluster.
The Next step is to run the Script, you can do that with PowerShell or Bash. I Did this via Azure CLI and with Helm 3.
Microsoft Azure CLI active with Helm 3
Copy the Bash commando into your Azure CLI like here.
This operation might take a couple of minutes.
Done, the Kubernetes Cluster is added to Azure Arc.
Dockkube was successfully connected to Azure.
Kubernetes Cluster with Azure Arc
Now you Have connected your Kubernetes Cluster to Azure Arc Services, you can start exploring the extensions :
Kubernetes Cluster – Azure Arc extensions
You can work with GitOps on your Kubernetes Cluster via Azure Arc Services
More Features like Security, Monitoring, Automation :
Features for Kubernetes in Azure Arc Services.
Here you see in Visual Studio Code your Azure-Arc Helm Release.
“Learn how to write once and run anywhere using your preferred cloud-native application services. Ensure governance, compliance and security for your deployments, all through a single pane of glass management experience in Azure.”
With Microsoft Azure Arc Services you bring Azure Cloud Technology anywhere for your Apps, Containers, microservices.
I Hope this is a first start for exploring and testing your Hybrid Cloud solution. Wish you a lot of fun and happy coding š
Cloud and Datacenter Management Blog 