Security for the Windows Server Admin

1/20/2021

It seems like I write a lot about security for LRS Education Services. Some of the topics have been the release of our updated NIST Cybersecurity Framework classes, security in technology trends, having fun using Kali Linux to play with hacker tools, assessing your cybersecurity, and dealing with the idea that antivirus might finally be dead.

But in this post, I’d like to talk about a class we offer that can help the Windows Server administrators. Many of you work in an environment where the majority, or at least a significant percentage, of your servers are running Windows.

When we talk about securing data, or access to that data, we need to consider where the data is stored and how it is accessed. Breaking it down, data is generally stored or a storage device (such as a SAN or NAS), on a server, or in the cloud. Much of the time the data on the SAN or NAS is accessed through a server, and the same is true of data in the cloud. The server may be physical or virtual, but it’s commonly part of the infrastructure for storing and or accessing the data.

Enter MS-20744

This class covers a broad range of security topics that apply to Windows Servers and, in some cases, to Windows 10. To start out we discuss the Assume Breach concept, which every sys admin, network admin, and security admin should make their default premise. From there we analyze different types of attacks, vectors, attack timeline, resource identification, and incident response. That’s just the first lesson! The goal is an initial flyover of security in general before digging into the Windows Server specifics.

Next, we move into using Windows Server tools and methods to detect breaches, and spend some time learning about, and playing with, some sweet tools from Sysinternals.com. You remember Sysinternals, right? They’re the company that Mark Russinovich and Bryce Cogswell started. Mark discovered back in 1996 that you could change two registry values in Windows NT 4.0 workstation, and it would act like Windows NT Server and allow Microsoft BackOffice products to be installed. Microsoft didn’t love him for that, but they could not deny that his company was creating dozens of free tools that system administrators used a LOT. Eventually Microsoft and Mark made up, and in 2006 Microsoft bought his company and brought him on board. He’s still there, updating and cranking out the tools, and they’re still free.

What Else Will You Learn?

Let me hit some highlights of other great content in the MS-20744 class.

  • How to automate the process of having unique and regularly expiring local administrator passwords
  • Protecting credentials
  • Using Privileged-Access-Workstations and Jump Servers
  • Securing PowerShell sessions and incorporating the principle of least privilege in PowerShell using Just Enough Administration (JEA)
  • Using MIM, JIT, and PAM (Don’t you know those acronyms? You can, they’re in Module 4.)
  • Advanced auditing
  • Advanced Threat Analytics (ATA)
  • Securing virtualization (this section is VERY cool if you have any interest in Hyper-V)
  • Understanding containers
  • BitLocker, IPSec, and other types of encryption in Windows
  • Network security threats
  • Windows Firewall with Advanced Security
  • Securing DNS and SMB
  • Updating Windows using WSUS

If you’re serious about some of the features, capabilities, tools, and techniques used to secure Windows Servers and Windows 10, I highly recommend checking out MS-20744 - Securing Windows Server 2016.

Just a note, what you learn in this class will also apply if you are migrating to Windows Server 2019 or using the Semi-Annual Channel versions of Windows Server. Speaking of Windows Server 2019, we recently started offering the class MS-WS-011T00 - Windows Server 2019 Administration for those who are already using Windows Server 2019 or looking to move in that direction. It’s a class that has received great ratings from students!

Troy Stoneking
Microsoft Certified Technical Trainer, Cybersecurity Assessor