My earlier AppLocker article focused on how to restrict application execution based on a defined set of rules. While writing that post, it struck me that AppLocker is just one of a whole plethora of security features available in Windows Server. There's a lot more to security than that, so I figured that limiting myself to a single post covering a single feature wouldn't do justice to the other, equally good or even better, features that we may have overlooked.
There is a very popular saying that goes like this: "You're only as strong as your weakest link." This axiom fits security perfectly. It doesn't matter how secure the rest of your infrastructure is: if even one part is not on par with the security standards, chances are that it is the part that will be exploited.
Having a holistic picture of all the available security features is therefore essential for connecting the dots and designing an environment with the lowest practical risk of penetration. We all know that no system can be 100% secure; the goal is to make it as secure as possible.
A well-established method in the IT industry for planning a strategic approach to security is threat modeling. This involves thinking like an attacker, evaluating the different ways an attacker could break in, and then fixing those weaknesses to reduce the attack surface to the smallest possible amount.
Although an IT infrastructure encompasses a whole range of devices, our focus for now will be security from a server OS perspective. In this post you'll get an overview of my favorite picks among the security features in Windows Server 2012 R2 and a few popular Microsoft tools. Where applicable, I've also linked to relevant articles on the Petri IT Knowledgebase that dive into those features in greater detail.
Several of these features provide more than one type of security benefit, but for simplicity I'll group each feature under the category that its primary capability serves.
Authentication and Authorization
Active Directory Domain Services
This is the most popular and well-known identity and access control mechanism, based on LDAP, used across Microsoft infrastructures. It centralizes the administration of all user accounts instead of requiring them to be managed individually on each machine, and it uses the Kerberos v5 protocol for authentication.
Group Policy
This is used for policy-based management of the users and computers in your environment: policies for both users and computers are configured centrally and applied across the domain.
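As an added example of the centralized policy management described above (not code from the original article), the following script creates a GPO that hardens LAN Manager authentication on member servers, links it to an OU, and reads the settings back for verification. It assumes the GroupPolicy RSAT module is installed, that it runs with domain admin rights, and that the OU distinguished name and GPO name are placeholders you would replace with your own.

```powershell
# Added example (not from the original article): create and link a GPO that hardens
# LAN Manager authentication on the domain's member servers.
# Assumptions: the GroupPolicy RSAT module is installed, this runs as a domain admin,
# and the OU "OU=Servers,DC=corp,DC=example" is a placeholder that exists in your domain.
Import-Module GroupPolicy

$gpoName  = "Server Hardening - LM Authentication"   # constructed name
$targetOu = "OU=Servers,DC=corp,DC=example"           # placeholder OU
$lsaKey   = "HKLM\SYSTEM\CurrentControlSet\Control\Lsa"

# Create the GPO only if it does not already exist, so the script is safe to re-run.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName -Comment "Send NTLMv2 only and stop storing LM hashes"
}

# LmCompatibilityLevel 5 = send NTLMv2 responses only; refuse LM and NTLMv1.
Set-GPRegistryValue -Name $gpoName -Key $lsaKey -ValueName "LmCompatibilityLevel" `
    -Type DWord -Value 5 | Out-Null
# NoLMHash 1 = do not store the weak LAN Manager hash at the next password change.
Set-GPRegistryValue -Name $gpoName -Key $lsaKey -ValueName "NoLMHash" `
    -Type DWord -Value 1 | Out-Null

# Link the GPO to the servers OU and enforce it so a child OU cannot override it.
$existingLink = (Get-GPInheritance -Target $targetOu).GpoLinks |
    Where-Object { $_.DisplayName -eq $gpoName }
if (-not $existingLink) {
    New-GPLink -Name $gpoName -Target $targetOu -LinkEnabled Yes -Enforced Yes | Out-Null
}

# Read the settings back so the change is verified (and auditable) rather than assumed.
Get-GPRegistryValue -Name $gpoName -Key $lsaKey |
    Select-Object ValueName, Type, Value |
    Format-Table -AutoSize

# Export an HTML report of the GPO for the change record.
$reportPath = Join-Path $env:TEMP (($gpoName -replace ' ', '_') + ".html")
Get-GPOReport -Name $gpoName -ReportType Html -Path $reportPath
```

The settings take effect on member servers at the next Group Policy refresh (or after `gpupdate /force`); keep the HTML report with the change ticket so a later configuration drift can be compared against what was approved.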
Active Directory Certificate Services
This provides internal, certificate-based authentication of servers and clients and encryption of data moving over the network. It is typically used when you want to avoid spending money on certificates purchased from external CAs, because the services run within the organization and are not exposed to outside customers, or when you want to set up your own PKI.
Active Directory Rights Management Services
This is Microsoft's Information Rights Management (IRM) solution for enterprises that want to keep tight control over what can be done with their data. Users cannot access protected content unless a connection to the RMS server is established and an end-user license associated with that content is obtained, so only authorized users can open it.
Smart Cards
These apply to scenarios where a single form of authentication, such as an ID and password, is not enough. Using a smart card in combination with an ID and password provides two-factor authentication for added security, provided the hardware supports it.
Network Policy Server
This is Microsoft's implementation of a RADIUS server and proxy. It authenticates clients before they connect to the network, enforces policies on connection requests, and implements client health enforcement through Network Access Protection. It can also auto-remediate a client that does not comply with the security standards.
Windows Firewall with Advanced Security
This is the built-in firewall that ships with all Windows operating systems. Whether you need to open port 1433 for SQL Server or block an application from reaching network resources, this is where you do it if you aren't using a third-party firewall.
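As an added example of the two tasks just mentioned (not code from the original article), the following script uses the NetSecurity module to open port 1433 only to a specific application subnet, block one program's outbound traffic, verify the filters actually attached to the rule, and turn on logging of dropped packets. The subnet, program path, and rule names are constructed placeholders; it assumes an elevated PowerShell prompt on Windows Server 2012 R2 or later.

```powershell
# Added example (not from the original article): scoped firewall rules via the
# NetSecurity module, run from an elevated PowerShell prompt.
# Assumptions: SQL Server listens on TCP 1433; the subnet, program path and
# rule names below are constructed placeholders.
Import-Module NetSecurity

$sqlRule   = "SQL Server 1433 - app tier only"   # constructed rule name
$blockRule = "Block legacy tool outbound"        # constructed rule name
$appSubnet = "10.20.0.0/24"                      # placeholder application subnet
$legacyExe = "C:\LegacyApp\legacytool.exe"       # placeholder program path

# Make sure the default posture is deny-inbound on every profile before adding allows.
Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultInboundAction Block

# Allow inbound SQL only from the application subnet and only on the Domain profile.
# Scoping by remote address keeps "open port 1433" from meaning "open to everyone".
if (-not (Get-NetFirewallRule -DisplayName $sqlRule -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $sqlRule -Direction Inbound -Protocol TCP `
        -LocalPort 1433 -RemoteAddress $appSubnet -Profile Domain `
        -Action Allow -Enabled True | Out-Null
}

# Block a specific program from reaching the network at all (outbound).
if (-not (Get-NetFirewallRule -DisplayName $blockRule -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $blockRule -Direction Outbound -Program $legacyExe `
        -Action Block -Enabled True | Out-Null
}

# Verify: show the port and address filters actually attached to the SQL rule,
# because a typo in -RemoteAddress silently widens the exposure.
$rule = Get-NetFirewallRule -DisplayName $sqlRule
$rule | Get-NetFirewallPortFilter    | Select-Object Protocol, LocalPort
$rule | Get-NetFirewallAddressFilter | Select-Object RemoteAddress

# Log dropped packets so blocked connection attempts are visible to monitoring.
Set-NetFirewallProfile -Profile Domain, Private, Public -LogBlocked True `
    -LogFileName "%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log"
```

The log file is plain text and can be forwarded to a SIEM; repeated DROP entries against port 1433 from addresses outside the application subnet are exactly the signal a scoped rule is meant to surface.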
Dynamic Access Control
This is one of the newest features and a really handy one. It dynamically applies security permissions to files depending on how sensitive or critical each file is, which is especially helpful where a confidential document has ended up mixed in with other files in a folder that many people can access.
NTFS Permissions
This is probably the most common and widely used method of controlling a user's access to file and folder resources on the file system.
Encrypting File System (EFS): This is an encryption method for individual files and folders. Unlike NTFS permissions, it is not governed by administrative privilege levels; it works on an ownership basis, so if a user has encrypted a file, an administrator cannot access it, even with higher privileges, unless the user explicitly grants permission.
BitLocker
This is also an encryption technology, but unlike the file- and folder-based EFS, BitLocker encrypts the entire volume. Enterprises use MBAM (Microsoft BitLocker Administration and Monitoring) to keep data on roaming devices secure and BitLocker To Go to keep data on removable devices secure.
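As an added example that ties the three data-protection layers above together (NTFS permissions, EFS, and BitLocker), the following script is not from the original article. It locks down a folder's ACL, marks it for EFS encryption, and enables BitLocker on the OS volume with a TPM protector and a recovery password escrowed to AD DS. The folder path and group name are placeholders; it assumes a domain-joined server with a TPM, the BitLocker feature installed, and Group Policy already permitting recovery-password backup to Active Directory.

```powershell
# Added example (not from the original article): layered data protection on a file
# server. Assumptions: "D:\Finance" and "CORP\Finance-Users" are placeholders; the
# machine has a TPM, is domain joined, and policy allows AD backup of recovery keys.
$folder = "D:\Finance"
$group  = "CORP\Finance-Users"
New-Item -ItemType Directory -Path $folder -Force | Out-Null

# 1. NTFS permissions: stop inheriting from the parent (keeping copies of the inherited
#    entries), drop the broad BUILTIN\Users entries, then grant the finance group Modify.
$acl = Get-Acl -Path $folder
$acl.SetAccessRuleProtection($true, $true)      # isProtected, preserveInheritance
$acl.Access |
    Where-Object { $_.IdentityReference.Value -eq "BUILTIN\Users" } |
    ForEach-Object { [void]$acl.RemoveAccessRule($_) }
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $group, "Modify", "ContainerInherit,ObjectInherit", "None", "Allow")
$acl.AddAccessRule($rule)
Set-Acl -Path $folder -AclObject $acl

# 2. EFS: mark the folder (and subfolders) encrypted so new files inside are encrypted
#    with the calling user's EFS key. Run this step as the data owner, not as an admin,
#    because EFS access follows the user who holds the key.
cipher.exe /e /s:"$folder" | Out-Null
$efsOn = ((Get-Item $folder).Attributes -band [IO.FileAttributes]::Encrypted) -ne 0
Write-Output "EFS attribute set on ${folder}: $efsOn"

# 3. BitLocker on the OS volume: add a recovery password first, escrow it to AD DS,
#    then bind the volume to the TPM. AES-256 is used because this targets 2012 R2.
$os = "C:"
$vol = Get-BitLockerVolume -MountPoint $os
if ($vol.ProtectionStatus -eq 'Off') {
    Add-BitLockerKeyProtector -MountPoint $os -RecoveryPasswordProtector | Out-Null
    $rp = (Get-BitLockerVolume -MountPoint $os).KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } |
        Select-Object -First 1
    # Escrow before encrypting: a lost recovery password is a lost volume.
    Backup-BitLockerKeyProtector -MountPoint $os -KeyProtectorId $rp.KeyProtectorId
    Enable-BitLocker -MountPoint $os -EncryptionMethod Aes256 -TpmProtector `
        -UsedSpaceOnly -SkipHardwareTest
}

# Verify the final state of all three layers.
(Get-Acl $folder).Access | Select-Object IdentityReference, FileSystemRights, AccessControlType
Get-BitLockerVolume -MountPoint $os |
    Select-Object MountPoint, VolumeStatus, EncryptionPercentage, ProtectionStatus
```

The recovery password object (`KeyProtectorId` and the password itself) should never be left in a script log; the `Backup-BitLockerKeyProtector` call places it in the computer object in AD DS, where it can be read back later with the BitLocker Recovery Password Viewer.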
Microsoft Security Tools
Security Configuration Wizard
This wizard streamlines security-related configuration across the various components of the operating system. It can create, edit, apply, or roll back security policies covering server roles, services, network configuration, the registry, and security auditing. The result is a server that exposes only the endpoints it needs in order to function, which reduces its attack surface. It is not a separate download; it is built into the operating system.
Enhanced Mitigation Experience Toolkit (EMET)
This tool is used to discover and mitigate common software vulnerabilities and exploit techniques. It is easy to deploy, and it can protect legacy as well as new software without access to the application's source code. It also offers granular configuration options and can apply mitigations to an exploitable process.
IT administrators are often a bit lax when it comes to disposing of old hardware. The hardware may be of no use anymore, but the data on its disks might still be. This tool securely deletes data on a disk by performing multiple overwrite passes, rendering the existing data irrecoverable under any circumstances.
Security Compliance Manager (SCM)
This is perhaps the most sophisticated tool in this category. It ships with built-in policies and configuration baselines based on industry best practices, and those baselines help IT pros manage configuration drift and reduce the security threats in the environment.