
SysAdmin Magazine #39, August 2018

Hardening Windows Server Security

Contents

03  Hackers, Go Away! 5 Ways to Protect User and Admin Credentials in Windows Server
06  3 Key Hyper-V Security Features in Windows Server
08  Top 5 Auditing Techniques for Windows Server You Should Start Using Now
11  Securing Privileged Access with ESAE Model
14  Free Tool of the Month: Netwrix Auditor for Windows Server
15  [How-to]: How to Get Local Users

SysAdmin Magazine is a free source of knowledge for IT Pros who are eager to keep a tight grip on network security and do the job faster.

The Sysadmin Magazine team
sysadmin.magazine@netwrix.com
Hackers, Go Away! 5 Ways to Protect User and Admin Credentials in Windows Server

Jeff Melnick, IT Security Expert, Blogger

Credentials are the keys to an account. By harvesting credentials, attackers can enter your network, move laterally and escalate their privileges to steal your data. Windows Server 2016 has several features for minimizing the chance that attackers will be able to harvest credentials.

Using the Protected Users Group

Putting users, especially highly privileged users, in the "Protected Users" group helps you protect against compromise of their credentials by disabling authentication options that are less secure. For example, Windows does not cache the credentials of members of this group locally, so they are never left on workstations for attackers to harvest. In addition, user accounts that are members of this group cannot:

- Use default credentials delegation
- Use Windows Digest
- Use NTLM
- Use Kerberos long-term keys
- Sign on offline
- Use NT LAN Manager (NTLM) for authentication
- Use DES for Kerberos pre-authentication
- Use RC4 cipher suites for Kerberos pre-authentication
- Be delegated privileges using constrained delegation
- Be delegated privileges using unconstrained delegation
- Renew user ticket-granting tickets (TGTs) past the initial 240-minute lifetime

Using Account Preferences

USER ACCOUNTS

- Logon Hours — Enables you to specify when users can use an account.
- Logon Workstations — Enables you to limit the computers the account can sign in to.
- Password Never Expires — Absolves the account from the "Maximum password age" policy setting; don't configure this option for privileged accounts.
- Smart card is required for interactive logon — Requires a smart card to be presented for the account to sign in.
- Account is sensitive and cannot be delegated — Ensures that trusted applications cannot forward the account's credentials to other services or computers on the network.
- This account supports Kerberos AES 128-bit encryption — Allows Kerberos AES 128-bit encryption.
- This account supports Kerberos AES 256-bit encryption — Allows Kerberos AES 256-bit encryption.
- Account expires — Enables you to specify an end date for the account.

COMPUTER ACCOUNTS

In addition to controlling user accounts, you also need to understand and manage the reach of computer and service accounts. When you join a computer to the domain for the first time, Windows creates a computer account in Active Directory in the "Computers" container and automatically assigns it a password. AD manages these passwords and updates them automatically every 30 days.

To manage the permissions of computer accounts and control which Group Policies are applied to them, you can add them to groups and move them to different OUs. You can also disable and reset computer accounts:

- Disabling a computer account means that the computer cannot connect to the domain anymore. If you delete a computer account and the computer is still operational, you'll need to rejoin the computer to the domain if you want it to regain domain membership.
- Resetting a computer account removes the connection between the computer and the domain.

SERVICE ACCOUNTS

Service accounts are a special type of account that Windows services use to interact with the operating system and resources on the network. (It's also possible to create user accounts and configure them to run as service accounts, but that is not convenient.)

There are three types of built-in service accounts:

- Local system — The NT AUTHORITY\SYSTEM account has privileges equivalent to the local Administrators group on the computer.
- Local service — The NT AUTHORITY\LocalService account has privileges equivalent to the local Users group on the computer.
- Network service — The NT AUTHORITY\NetworkService account has privileges equivalent to the local Users group on the computer.

To protect these accounts, ensure a sysadmin updates their passwords on a regular basis. This is a manual process if you use native tools.

GROUP MANAGED SERVICE ACCOUNTS AND VIRTUAL ACCOUNTS

A Group Managed Service Account is a special type of service account; AD automatically updates the passwords of these accounts. A virtual account is the computer-specific local equivalent of a Group Managed Service Account.
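As an added example (this code is not from the article), the following PowerShell applies the Protected Users and account-preference controls from the two sections above to a single privileged account with the ActiveDirectory module. The account name adm-jsmith, the PAW01/PAW02 workstation names and the 90-day expiry are assumptions; Logon Hours is left out because it is a raw logonHours bitmap rather than a simple flag.

```powershell
# Added example (not from the article): apply the Protected Users and account-preference
# controls described above to one privileged account with the ActiveDirectory module.
# 'adm-jsmith', the PAW host names and the 90-day expiry are constructed placeholders.
# Protected Users needs Windows Server 2012 R2 or later domain controllers.
Import-Module ActiveDirectory

$account   = 'adm-jsmith'                 # assumed privileged account
$expiresOn = (Get-Date).AddDays(90)       # assumed end date for the account

# Protected Users: no NTLM, no DES/RC4, no delegation, no locally cached credentials,
# TGT lifetime capped at 240 minutes. The DCs enforce this; nothing is set on the client.
Add-ADGroupMember -Identity 'Protected Users' -Members $account

# "Account is sensitive and cannot be delegated", "Password Never Expires" (off) and
# "Smart card is required for interactive logon" are userAccountControl bits.
Set-ADAccountControl -Identity $account `
    -AccountNotDelegated $true `
    -PasswordNeverExpires $false `
    -SmartcardLogonRequired $true

# "This account supports Kerberos AES 128-bit / 256-bit encryption"
# (msDS-SupportedEncryptionTypes); listing only AES leaves RC4 and DES unsupported.
Set-ADUser -Identity $account -KerberosEncryptionType AES128, AES256

# "Account expires"
Set-ADAccountExpiration -Identity $account -DateTime $expiresOn

# "Logon Workstations": the NetBIOS names the account may sign in to (userWorkstations).
Set-ADUser -Identity $account -LogonWorkstations 'PAW01,PAW02'

# Read everything back so the change can be checked (or exported for a change record).
function Get-PrivilegedAccountHardening {
    param([string] $Identity)
    Get-ADUser -Identity $Identity -Properties MemberOf, AccountNotDelegated, PasswordNeverExpires,
        SmartcardLogonRequired, KerberosEncryptionType, AccountExpirationDate, LogonWorkstations |
    Select-Object SamAccountName, AccountNotDelegated, PasswordNeverExpires, SmartcardLogonRequired,
        KerberosEncryptionType, AccountExpirationDate, LogonWorkstations,
        @{ n = 'InProtectedUsers'; e = { [bool]($_.MemberOf -match '^CN=Protected Users,') } }
}
Get-PrivilegedAccountHardening -Identity $account
```

Run it from a workstation with RSAT and rights to modify the account; the final function gives a one-line record of the resulting state that can be kept with the change ticket.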
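A gMSA is the practical answer to the manual password rotation the service-accounts section describes. The script below is an added example, not from the article; the names svc-web, WebServers, WEB01/WEB02 and corp.example are placeholders, and it assumes a Windows Server 2012 or later domain with the ActiveDirectory module installed.

```powershell
# Added example (not from the article): replace a manually managed service account with a
# Group Managed Service Account (gMSA) so that AD rotates the password automatically.
# Names (svc-web, WebServers, WEB01/WEB02, corp.example) are constructed placeholders.
Import-Module ActiveDirectory

# One-time, per forest: the KDS root key from which gMSA passwords are derived.
# -EffectiveImmediately skips the 10-hour replication safety wait and is fine in a lab;
# in production use -EffectiveTime ((Get-Date).AddHours(10)) so every DC has the key.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveImmediately
}

# Group whose members (the hosts that run the service) may retrieve the password.
$hostGroup = 'WebServers'
if (-not (Get-ADGroup -Filter "Name -eq '$hostGroup'")) {
    New-ADGroup -Name $hostGroup -GroupScope Global -GroupCategory Security
}
Add-ADGroupMember -Identity $hostGroup -Members 'WEB01$', 'WEB02$'   # computer accounts

# Create the gMSA. AD rotates the password every 30 days (ManagedPasswordIntervalInDays)
# and only the principals listed can read it, so there is nothing for an admin to remember.
New-ADServiceAccount -Name 'svc-web' `
    -DNSHostName 'svc-web.corp.example' `
    -PrincipalsAllowedToRetrieveManagedPassword $hostGroup `
    -ManagedPasswordIntervalInDays 30 `
    -KerberosEncryptionType AES128, AES256

# On each host in $hostGroup (after a reboot, so the new group membership is in its token):
#   Install-ADServiceAccount -Identity 'svc-web'
#   Test-ADServiceAccount -Identity 'svc-web'   # True when the host can retrieve the password
# Then configure the service to run as CORP\svc-web$ with an empty password.

# Review: which managed service accounts exist and who may read their passwords.
function Get-ManagedServiceAccountReport {
    Get-ADServiceAccount -Filter * -Properties PrincipalsAllowedToRetrieveManagedPassword,
        ManagedPasswordIntervalInDays |
    Select-Object Name, DNSHostName, ManagedPasswordIntervalInDays,
        @{ n = 'AllowedPrincipals'; e = { $_.PrincipalsAllowedToRetrieveManagedPassword -join ';' } }
}
Get-ManagedServiceAccountReport | Format-Table -AutoSize
```

The review function at the end is worth scheduling: a gMSA whose retrieval principals have grown beyond the hosts that need it is a quiet way for the "only the service host knows the password" guarantee to erode.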
Using Windows Defender Credential Guard

Windows Defender Credential Guard is a new technology in Windows 10 and Windows Server 2016 that helps to protect credentials from attackers who try to harvest them by using malware. Windows Defender Credential Guard uses virtualization-based security that allows you to isolate secrets, such as cached credentials, so that only privileged software can access them.

In virtualization-based security, the specific processes that use credentials or data, and the memory associated with those processes, run in a separate operating system parallel with, but independent of, the host operating system. This virtual operating system protects processes from attempts by any external software to read the data that those processes store and use. Windows Defender Credential Guard takes advantage of hardware security, including secure boot and virtualization.

You can manage Windows Defender Credential Guard using Group Policy, Windows Management Instrumentation (WMI), or Windows PowerShell.

Windows Defender Credential Guard does not allow the use of:

- Unconstrained Kerberos delegation
- NT LAN Manager version 1 (NTLMv1)
- Microsoft Challenge Handshake Authentication Protocol (MS-CHAPv2)
- Digest
- Credential Security Support Provider (CredSSP)
- Kerberos DES encryption

Using the Active Directory Administrative Center

The Active Directory Administrative Center enables you to search your Active Directory for accounts that are ripe for takeover by attackers. In particular, you should regularly look for the following types of accounts:

- User accounts whose passwords never expire — You should avoid configuring accounts with fixed passwords because they are less secure than accounts with passwords that users have to update periodically.
- Inactive user accounts — Inactive user accounts usually belong to a person who has left the organization. The Active Directory Administrative Center console enables you to find accounts that haven't signed in for a specified number of days. Deleting or disabling these user accounts prevents them from being misused by outside attackers or malicious insiders.

As you can see, Windows Server 2016 offers a lot of features to help you protect credentials in your environment. You can use some or all of them.
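Because the article says Credential Guard can be managed via WMI or PowerShell, here is an added example (not from the article) that does both: it reads the Win32_DeviceGuard class to report whether Credential Guard is configured and running, and enables it by writing the same registry values the Group Policy setting writes. It assumes a Windows Server 2016 or Windows 10 host with Secure Boot; the class, property and value meanings are Microsoft's documented ones.

```powershell
# Added example (not from the article): query Windows Defender Credential Guard state through
# WMI and enable it with the registry values the Group Policy setting writes. Class, property
# and value meanings are from Microsoft's Device Guard documentation; run elevated.
function Get-CredentialGuardState {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    # VirtualizationBasedSecurityStatus: 0 = disabled, 1 = enabled but not running, 2 = running.
    $vbs = switch ($dg.VirtualizationBasedSecurityStatus) {
        0 { 'Disabled' } 1 { 'Enabled, not running' } 2 { 'Running' } default { 'Unknown' }
    }
    # SecurityServicesConfigured / SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI.
    [pscustomobject]@{
        VirtualizationBasedSecurity = $vbs
        CredentialGuardConfigured   = [bool]($dg.SecurityServicesConfigured -contains 1)
        CredentialGuardRunning      = [bool]($dg.SecurityServicesRunning -contains 1)
        # RequiredSecurityProperties: 1 = Secure Boot, 2 = DMA protection (what policy demands);
        # AvailableSecurityProperties lists what the hardware and firmware actually offer.
        RequiredSecurityProperties  = ($dg.RequiredSecurityProperties -join ',')
        AvailableSecurityProperties = ($dg.AvailableSecurityProperties -join ',')
    }
}

function Enable-CredentialGuard {
    param([switch] $UefiLock)   # with the lock, it can only be turned off at the console
    $dgKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
    $lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    New-Item -Path $dgKey -Force | Out-Null
    # Turn on virtualization-based security and require Secure Boot (1; 3 = Secure Boot + DMA).
    Set-ItemProperty -Path $dgKey  -Name EnableVirtualizationBasedSecurity -Value 1 -Type DWord
    Set-ItemProperty -Path $dgKey  -Name RequirePlatformSecurityFeatures  -Value 1 -Type DWord
    # LsaCfgFlags: 0 = disabled, 1 = enabled with UEFI lock, 2 = enabled without lock.
    Set-ItemProperty -Path $lsaKey -Name LsaCfgFlags -Value $(if ($UefiLock) { 1 } else { 2 }) -Type DWord
    'Credential Guard configured; reboot, then re-run Get-CredentialGuardState to confirm it is running.'
}

Get-CredentialGuardState
# Enable-CredentialGuard -UefiLock    # uncomment to apply on a host with Secure Boot and a TPM
```

The distinction between "configured" and "running" matters in a fleet report: a host where the policy is set but virtualization-based security never started (missing Secure Boot, no hypervisor support, or a pending reboot) still keeps its secrets in the normal LSASS process.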
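The Active Directory Administrative Center searches above can be scripted so they run on a schedule. The following is an added example, not from the article; it uses the ActiveDirectory module, a 90-day inactivity threshold chosen here as an assumption, and adds a third check that ties back to the Protected Users section.

```powershell
# Added example (not from the article): the two Active Directory Administrative Center searches
# above, scripted with the ActiveDirectory module so they can run on a schedule, plus a check
# that ties back to the Protected Users section. The 90-day threshold is an assumption.
Import-Module ActiveDirectory

function Find-RiskyAccounts {
    param([int] $InactiveDays = 90)

    # 1. Enabled users whose passwords never expire (adminCount=1 marks protected admin objects).
    $neverExpires = Get-ADUser -Filter { Enabled -eq $true -and PasswordNeverExpires -eq $true } `
        -Properties PasswordLastSet, AdminCount |
        Select-Object SamAccountName, PasswordLastSet, AdminCount

    # 2. Enabled users with no logon for $InactiveDays days. Search-ADAccount reads
    #    lastLogonTimestamp, which replicates with up to 14 days of lag, so treat it as a floor.
    $inactive = Search-ADAccount -AccountInactive -TimeSpan ([timespan]::FromDays($InactiveDays)) -UsersOnly |
        Where-Object { $_.Enabled } |
        Select-Object SamAccountName, LastLogonDate, DistinguishedName

    # 3. Enabled admin accounts that are not in Protected Users.
    $protected = (Get-ADGroupMember -Identity 'Protected Users' -Recursive).DistinguishedName
    $unprotectedAdmins = Get-ADUser -Filter { AdminCount -eq 1 -and Enabled -eq $true } |
        Where-Object { $_.DistinguishedName -notin @($protected) } |
        Select-Object SamAccountName, DistinguishedName

    [pscustomobject]@{
        PasswordNeverExpires = @($neverExpires)
        Inactive             = @($inactive)
        AdminsNotProtected   = @($unprotectedAdmins)
    }
}

$report = Find-RiskyAccounts -InactiveDays 90
$report.PasswordNeverExpires | Format-Table -AutoSize
$report.Inactive             | Format-Table -AutoSize
$report.AdminsNotProtected   | Format-Table -AutoSize

# Remediation: disable rather than delete, so the SID and its history survive an investigation.
$report.Inactive | ForEach-Object {
    Disable-ADAccount -Identity $_.DistinguishedName -WhatIf    # drop -WhatIf to apply
}
```

Keep the disable step behind -WhatIf until the output has been reviewed once; service accounts that log on by other means than an interactive session are the usual false positives in the inactive list.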
3 Key Hyper-V Security Features in Windows Server

Ryan Brooks, Product Evangelist

Administrator accounts work differently in virtualized environments than they do in physical ones. In particular, in a physical environment, administrative roles, such as storage administrator, network administrator, backup operator, and virtualization-host administrator, have limited or isolated rights. In contrast, in a virtual infrastructure, each of these roles with permissions to manage the physical infrastructure might have an inappropriate level of access to the virtual infrastructure.

You can mitigate this risk by using a guarded fabric. Guarded fabric is a collective term used to describe a fabric of Microsoft Hyper-V hosts and their Host Guardian Service (HGS) that can manage and run shielded virtual machines (VMs).

Guarded Fabric

In Windows Server 2016, Microsoft introduced an improved Hyper-V security model designed to help protect hosts and their VMs from malicious software that might be inside them. Because a VM is just a file, you need to protect it from attacks from the storage system or network while it is being backed up.

Guarded fabrics can run three types of VMs:

- A normal VM that offers no protection above and beyond that of earlier versions of Hyper-V
- An encryption-supported VM whose protections can be configured by a fabric admin
- A shielded VM whose protections are switched on and cannot be disabled by a fabric admin

Host Guardian Service

HGS is the centerpiece of the guarded fabric solution. It is responsible for ensuring that Hyper-V hosts in the fabric are known to the hoster or enterprise and running trusted software.

Specifically, HGS is a new server role introduced in Windows Server 2016 that provides the Attestation Service and Key Protection Service (KPS) that enable Hyper-V to run shielded VMs. A Hyper-V host becomes a guarded host as soon as the Attestation Service affirmatively validates its identity and configuration. KPS provides the transport key that is needed to unlock and run shielded VMs.

HGS supports two different attestation modes for a guarded fabric:

- Admin-trusted attestation (Active Directory based). Admin-trusted attestation is intended to support existing host hardware where TPM 2.0 is not available. It requires relatively few configuration steps and is compatible with commonplace server hardware.
- TPM-trusted attestation (hardware based). TPM-trusted attestation offers the strongest possible protection, but also requires more configuration steps. The host's hardware and firmware must include TPM 2.0 and UEFI 2.3.1 with Secure Boot enabled.

Shielded VMs

To help protect a fabric against compromise, Windows Server 2016 with Hyper-V introduced shielded virtual machines. A shielded VM is a generation 2 VM that has a virtual TPM, is encrypted by using BitLocker Drive Encryption, and can run only on healthy and approved hosts in the fabric.

HGS manages the keys used to start up shielded VMs. Without HGS, a Hyper-V host cannot power on a shielded VM because it cannot decrypt it. HGS will not provide the keys to a Hyper-V host until that host has been measured and is considered healthy.

Here are three examples that illustrate how shielded VMs help protect against attacks:

- There is less risk if a malicious employee steals a shielded VM's .vhd files because those files are encrypted.
- A malicious employee who attempts to move a shielded VM to an untrusted host will discover that the new host will not be recognized. Trusted hosts are added to HGS by means of identifiers unique to their TPMs and are protected even if they are moved to another HGS.
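As an added example (not from the article), the script below shows the host side of what the article describes: configuring a Hyper-V host as an HGS client, checking whether attestation succeeded so that the host is guarded, and sorting its VMs into the three types listed earlier. It uses cmdlets from the HgsClient and Hyper-V modules of Windows Server 2016; the HGS URLs under hgs.bastion.example are placeholders.

```powershell
# Added example (not from the article): configure a Hyper-V host as an HGS client, confirm it
# attested and became a guarded host, and sort its VMs into the three types listed above.
# Cmdlets come from the HgsClient and Hyper-V modules in Windows Server 2016; the HGS URLs
# (hgs.bastion.example) are constructed placeholders. Run on the Hyper-V host, elevated.

# 1. Point the host at the Attestation Service and the Key Protection Service.
Set-HgsClientConfiguration `
    -AttestationServerUrl   'http://hgs.bastion.example/Attestation' `
    -KeyProtectionServerUrl 'http://hgs.bastion.example/KeyProtection'

# 2. Attestation result. IsHostGuarded is True only after HGS validated the host's identity and
#    configuration (TPM identity, boot measurements and CI policy in TPM mode; AD group in
#    admin-trusted mode). Until then KPS will not release keys and no shielded VM will start.
function Get-GuardedHostStatus {
    $cfg = Get-HgsClientConfiguration
    [pscustomobject]@{
        IsHostGuarded        = $cfg.IsHostGuarded
        AttestationMode      = $cfg.AttestationOperationMode   # Tpm or ActiveDirectory
        AttestationStatus    = $cfg.AttestationStatus
        AttestationSubstatus = $cfg.AttestationSubstatus
    }
}
$status = Get-GuardedHostStatus
$status
if (-not $status.IsHostGuarded) {
    # Explains why attestation failed (no TPM 2.0, Secure Boot off, CI policy mismatch, ...).
    Get-HgsTrace -RunDiagnostics -Detailed
}

# 3. Classify the VMs on this host. A shielded VM has its protections locked against the fabric
#    admin; an encryption-supported VM has a vTPM or encrypted state/migration traffic but
#    remains configurable; anything else is a normal VM.
function Get-VMProtectionType {
    Get-VM | ForEach-Object {
        $sec = Get-VMSecurity -VM $_
        $type = if ($sec.Shielded) { 'Shielded' }
                elseif ($sec.TpmEnabled -or $sec.EncryptStateAndVmMigrationTraffic) { 'Encryption-supported' }
                else { 'Normal' }
        [pscustomobject]@{ VM = $_.Name; Generation = $_.Generation; Type = $type; State = $_.State }
    }
}
Get-VMProtectionType | Format-Table -AutoSize
```

A host that reports IsHostGuarded as False with a shielded VM in the Off state is the expected picture after a move to an untrusted host: the VM's files are intact but cannot be decrypted, which is the behaviour the second bullet above describes.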
Top 5 Auditing Techniques for Windows Server You Should Start Using Now

Adam Stetson, Systems Engineer, Security Expert

Continuously auditing the activity in your network is one of the most critical security best practices, since it helps you notice potentially malicious activity early enough to take action and prevent data breaches, system downtime and compliance failures. Here are the top ways to audit activity in Windows Server 2016.

Event Logs and Event Log Forwarding

Event logs record the activity on a particular computer. When you configure auditing properly, almost all events that have security significance are logged. This makes event logs the first thing to look at during IT security investigations. Here are two important tips:

- Configure the event log size to the maximum (4GB) to minimize the chance that events will be overwritten because the log becomes full.
- Archive your event logs, so if you do detect an attack, you can look at older event logs to find out exactly when and how attackers were able to compromise the system.

You should also move event logs off your computers regularly, because attackers often scrub event logs to escape detection. Windows Server's event log forwarding feature enables you to automatically forward event logs from all your computers to a designated machine (the event collector) that stores them all securely. There are two types of event subscriptions:

- Source-initiated subscriptions allow you to define an event subscription on the event collector computer without defining the source computers. Then you use Group Policy to control which source computers forward events to the event collector.
- Collector-initiated subscriptions allow you to create an event subscription that specifies the source computers that will forward event logs.
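An added example (not from the article) that carries out the two tips and sets up a source-initiated subscription. The collector name collector.corp.example, the archive path and the selected event IDs are assumptions; the size ceiling follows the 4 GB limit quoted above. The collector portion runs on the collector, the last lines on each source computer (normally pushed by Group Policy rather than typed).

```powershell
# Added example (not from the article): the two event-log tips and a source-initiated
# forwarding subscription. Collector name, archive path and event IDs are constructed
# placeholders; the size ceiling follows the 4 GB figure in the text. Run elevated.

# Tip 1: maximum Security log size. Group Policy caps it at 4194240 KB (about 4 GB);
# retention:false means the oldest events are overwritten once the ceiling is reached.
wevtutil set-log Security /maxsize:4294901760 /retention:false

# Tip 2: archive before anything is overwritten (schedule this and ship the file off-host).
$archive = "C:\LogArchive\Security-$(Get-Date -Format yyyyMMdd-HHmm).evtx"   # assumed path
New-Item -ItemType Directory -Path (Split-Path $archive) -Force | Out-Null
wevtutil export-log Security $archive

# --- Event collector ---
wecutil quick-config /quiet    # starts the Windows Event Collector service, enables ForwardedEvents

# Source-initiated subscription: the collector names no sources; Group Policy decides who sends.
# AllowedSourceDomainComputers is an SDDL; DC = Domain Computers (every domain-joined host).
# 1102 (audit log cleared) and 4719 (audit policy changed) are the "scrubbing" signals.
$subscription = @'
<Subscription xmlns="http://schemas.microsoft.com/2004/08/CIS/Subscription">
  <SubscriptionId>SecurityBaseline</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Logons, failed logons, account/group changes, audit policy changes, log clears</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>MinLatency</ConfigurationMode>
  <Query><![CDATA[
    <QueryList>
      <Query Id="0" Path="Security">
        <Select Path="Security">*[System[(EventID=4624 or EventID=4625 or EventID=4720 or EventID=4728 or EventID=4719 or EventID=1102)]]</Select>
      </Query>
    </QueryList>
  ]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <AllowedSourceDomainComputers>O:NSG:NSD:(A;;GA;;;DC)</AllowedSourceDomainComputers>
</Subscription>
'@
Set-Content -Path "$env:TEMP\SecurityBaseline.xml" -Value $subscription -Encoding UTF8
wecutil create-subscription "$env:TEMP\SecurityBaseline.xml"
wecutil get-subscriptionruntimestatus SecurityBaseline   # each source and its last heartbeat

# --- Source computers ---
# Group Policy (Computer Configuration > Administrative Templates > Windows Components >
# Event Forwarding > Configure target Subscription Manager) writes exactly this value.
# NETWORK SERVICE must also be allowed to read the Security log (Event Log Readers group).
$collector = 'http://collector.corp.example:5985/wsman/SubscriptionManager/WEC,Refresh=60'   # assumed
$smKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'
New-Item -Path $smKey -Force | Out-Null
Set-ItemProperty -Path $smKey -Name 1 -Value $collector
winrm quickconfig -q
```

The runtime-status query is the check to keep: a source that stops appearing there has either lost WinRM connectivity or has been taken off the network, and both are worth a look before its local log fills and wraps.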
Auditing and Advanced Auditing

Auditing policies enable you to record a variety of activities to the Windows security log. You then can examine these auditing logs to identify issues that need further investigation. Auditing successful activities provides documentation of changes so you can troubleshoot which changes led to a failure or a breach. Logging failed attempts can spot malicious hackers or unauthorized users attempting to access enterprise resources.

Your auditing policy specifies the categories of security-related events that you want to audit. Here are the basic policy settings you can configure and what happens if you turn them on:

- Audit account logon events — Creates an event when a user or computer attempts to use a Windows Server Active Directory account to authenticate.
- Audit account management — Audits events such as the creation, deletion or modification of a user, group or computer account and the resetting of user passwords.
- Audit directory service access — Audits events that are specified in the system access control list, such as permissions.
- Audit logon events — Creates an event when a user logs on to a computer interactively (locally) or over the network (remotely).
- Audit object access — Audits access to objects such as files, folders, registry keys and printers that have their own SACLs.
- Audit policy change — Audits changes to user rights assignment policies, audit policies and trust policies.
- Audit privilege use — Audits attempts to use permissions or user rights. You can choose whether to audit successful attempts, failed attempts or both.
- Audit process tracking — Audits process-related events, such as process creation, process termination, handle duplication and indirect object access.
- Audit system events — Audits system restarts and shutdowns, and changes that affect the system or security logs.

Advanced Audit Policy

Since Windows Server 2008 R2, administrators can audit more specific events using advanced audit policy settings in the following categories:

- Account Logon — These settings control auditing of the validation of credentials and other Kerberos-specific authentication and ticket operation events.
- Account Management — These policy settings are related to the modification of user accounts, computer accounts and groups, and the logging of password change events.
- Detailed Tracking — These settings control the auditing of encryption events, Windows process creation and termination events, and remote procedure call (RPC) events.
- DS Access — These policy settings determine whether to track access to AD, AD changes and replication.
- Logon/Logoff — This group of settings controls auditing of standard logon and logoff events.
- Object Access — These settings cover access to AD, the registry, applications and file storage.
- Policy Change — These settings control tracking of changes to policy settings.
- Privilege Use — These settings determine whether to audit privilege use attempts within the Windows environment.
- System — These settings are used to audit changes to the state of the security subsystem.
- Global Object Access Auditing — These settings are for controlling the SACL settings for all objects on one or more computers.

Windows PowerShell Logging

Administrators can use Windows PowerShell to enable or disable logging at the Windows PowerShell module level. By default, all logging in Windows PowerShell is disabled. You can enable it by setting the "LogPipelineExecutionDetails" property to "$true"; to disable it again, set the property back to "$false".

Windows PowerShell also offers a detailed script tracing feature that makes it possible to enable detailed tracking and analysis of the use of Windows PowerShell scripting on a system. If you enable detailed script tracing, Windows PowerShell logs all script blocks to the Event Tracing for Windows (ETW) event log in the "Microsoft-Windows-PowerShell/Operational" path.

Audit Collection Services

Windows Server provides a tool for pulling security logs from servers running Windows Server to a centralized location in order to simplify security auditing and log analysis — Audit Collection Services (ACS). ACS is an agent-based utility that aggregates the logs into a Microsoft SQL Server database.

By default, when an audit policy is implemented on a Windows-based computer, that computer automatically saves all events generated by the audit policy to its local security log. Using ACS, organizations can consolidate all those individual security logs into a centrally managed database, and then filter and analyze the events using the data analysis and reporting tools in Microsoft SQL Server.

Summary

Enabling auditing in Windows Server 2016 is critical for investigating security incidents, troubleshooting issues and optimizing the IT environment.
 Be sure to configure it according to best practices to reduce the volume of useless log data.

You can learn how to properly configure Windows Server auditing by reading the Windows Server Auditing Quick Reference Guide.

Third-party tools can improve the quality of auditing and automate many auditing tasks. For example, Netwrix Auditor for Windows Server delivers complete visibility into what's going on in your Windows Server environment.
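An added example, not from the article, that enables a representative set of advanced audit subcategories and the two PowerShell logging features described above, then reads the resulting events from the Security and Microsoft-Windows-PowerShell/Operational logs. The subcategory selection is an assumption about what a practitioner would turn on first; the subcategory names, registry policy paths and event IDs are the documented ones.

```powershell
# Added example (not from the article): turn on advanced audit subcategories and PowerShell
# logging, then read the resulting events back. auditpol subcategory names and the registry
# policy paths are the documented ones; run elevated. Check the event volume on a few hosts
# before applying the same selection fleet-wide.

# --- Advanced audit policy ---
# Make Windows honour subcategory settings and ignore the nine legacy categories, so the two
# cannot overwrite each other (Group Policy: "Audit: Force audit policy subcategory settings").
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
    -Name SCENoApplyLegacyAuditPolicy -Value 1 -Type DWord

auditpol /set /subcategory:"Credential Validation"     /success:enable /failure:enable   # Account Logon
auditpol /set /subcategory:"User Account Management"   /success:enable /failure:enable   # Account Management
auditpol /set /subcategory:"Security Group Management" /success:enable /failure:enable
auditpol /set /subcategory:"Logon"                     /success:enable /failure:enable   # Logon/Logoff
auditpol /set /subcategory:"Audit Policy Change"       /success:enable /failure:enable   # Policy Change
auditpol /set /subcategory:"Process Creation"          /success:enable /failure:disable  # Detailed Tracking
# Put the command line into event 4688; it is omitted by default.
$auditKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
New-Item -Path $auditKey -Force | Out-Null
Set-ItemProperty -Path $auditKey -Name ProcessCreationIncludeCmdLine_Enabled -Value 1 -Type DWord
auditpol /get /category:*      # show the effective policy

# --- PowerShell logging ---
# (a) Per session, for one module: the LogPipelineExecutionDetails property named in the text.
$module = Import-Module Microsoft.PowerShell.Management -PassThru
$module.LogPipelineExecutionDetails = $true      # pipeline details are written as event 4103

# (b) Persistent policy: module logging for every module and script block logging (event 4104).
$psPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
New-Item -Path "$psPolicy\ModuleLogging\ModuleNames" -Force | Out-Null
Set-ItemProperty -Path "$psPolicy\ModuleLogging" -Name EnableModuleLogging -Value 1 -Type DWord
Set-ItemProperty -Path "$psPolicy\ModuleLogging\ModuleNames" -Name '*' -Value '*'
New-Item -Path "$psPolicy\ScriptBlockLogging" -Force | Out-Null
Set-ItemProperty -Path "$psPolicy\ScriptBlockLogging" -Name EnableScriptBlockLogging -Value 1 -Type DWord

# --- Reading the events back ---
# Last 20 logged script blocks (Properties[2] is ScriptBlockText in event 4104).
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } `
    -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, @{ n = 'ScriptBlock'; e = { $_.Properties[2].Value } }

# Accounts with the most failed logons (event 4625) in the last 24 hours;
# Properties[5] is TargetUserName.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-24) } `
    -ErrorAction SilentlyContinue |
    Group-Object { $_.Properties[5].Value } |
    Sort-Object Count -Descending |
    Select-Object Count, Name -First 10
```

Script block logging is the one setting here that an attacker's tooling cannot silence from inside PowerShell, which is why it belongs in policy rather than in the per-session property; the per-session form is still useful when you want to watch one module in a troubleshooting session.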
Secure Privileged Access with ESAE Model

Russell Smith, Security Expert, IT consultant

Ensuring that systems are patched and that defense-in-depth security protections are working effectively tops the list of concerns for IT departments. But despite these efforts, security breaches are still on the rise because operational issues are commonly ignored.

Best practice dictates that privileged AD groups should remain empty most of the time. In practice, that means groups like Domain Administrators, BUILT-IN\Administrators, and Enterprise Administrators should only be populated when an approved change is being applied to Active Directory. But the reality is that many organizations issue IT staff with accounts that are members of one of the above groups, or members of other privileged AD groups.

In this blog post, we'll talk about the tiered administration model which ESAE is based on, and how to use it to restructure the way privileged access is assigned in your organization.

Analyzing Security Dependencies

But failing to grant privileges just before access is required, and for a limited time, isn't the only misdemeanor. The clean source principle states that a system can be dependent on a higher trust system but not on a lower trust system. If IT staff log in to their notebooks, which they use for everyday tasks like browsing the Internet and reading email, with domain admin rights, then the clean source principle has been broken because the security of users' accounts relies on the security of the devices they log in to.

Compromised devices put the accounts of users that log in at risk. Hackers often target user workstations with the aim of getting access to privileged Active Directory accounts. Once a hacker has access to a domain-joined device, credentials can be harvested to get access to other devices on the network, eventually leading to a domain controller.

Separation of Administration

Because security dependencies can endanger the domain, domain admin accounts should be used only to log in to domain controllers or devices that are configured to the same level of trust as domain controllers. To achieve this goal, set up PCs that are specially configured for the purposes of managing domain controllers. Jump servers also break the clean source principle because they are dependent on the security of the device from where remote desktop sessions are initiated.

If budgets are tight or you don't want to deploy devices specifically for managing domain controllers, another option is to configure IT staffers' PCs to the same level as your domain controllers and deploy guest virtual machines (VMs) on the PCs. The VMs can be used to perform everyday computing tasks. But deploying VMs for managing domain controllers breaks the clean source principle because the security of the VMs is dependent on the host.

According to the ESAE Microsoft Model

As part of the Active Directory Enhanced Security Administrative Environment (ESAE) model or the so-called Red Forest in Active Directory, Microsoft recommends using tiered administration to create zones that separate administration of high-risk end-user devices and critical business systems. AD objects, including user accounts and computers, should be categorized into three tiers, with tier 0 representing the highest level of trust, and tier 2 the lowest.

Domain administrator accounts, privileged AD groups, domain controllers, and domains that have direct or indirect administrative control of the AD forest, should be categorized as tier 0. These objects can manage assets across all three tiers but can only log in interactively to tier 0 assets, which again means that domain administrators should never log in interactively to end-user devices.

Domain member servers, applications, systems that host sensitive business data, and accounts used to manage these systems, are categorized as tier 1 objects. Tier 1 user accounts can access and manage tier 1 objects. Tier 1 user accounts can access tier 0 objects using the network logon type but cannot log in to tier 0 devices interactively. They can manage tier 1 and tier 2 objects but can only log in interactively to tier 1 devices.

Figure 1 (Image Credit: Microsoft). The tiered administration model. Tier 0: Forest/Domain Admins, Admin Workstation, Domain Controllers. Tier 1: Server Admins, Admin Workstation, Servers. Tier 2: Workstation Admins, Admin Workstation, Workstations by role. Legend: Same Tier Logon, Higher Tier Logon, Lower Tier Logon, Blocked, Only as required.

Tier 2 is reserved for end-user PCs and notebooks. In addition to end-users, IT helpdesk staff are also categorized as tier 2 objects and can perform network logons to devices in all tiers but are limited to managing tier 2 devices. Similarly, tier 2 users can also log in interactively to tier 2 devices.

To help enforce the tiered model, security controls like the Protected Users group can be used to prevent users with domain admin privileges logging in to tier 0 devices. Other security controls, like authentication policies and silos, can provide more granular control. For more information on how to use the Protected Users group, see Add Sensitive User Accounts to the Active Directory Protected Users Group on the Netwrix blog.

Privileged Access Management

Organizations need to be much more stringent with how administrative privileges are assigned to users, where those privileges are used, and what they are used for. Lateral movement across networks can be prevented by implementing security best practices, such as not using the same local administrator password on every device, not using domain admin accounts to log in to end-user devices, and categorizing assets using a tiered administration model.

ESAE, based on the tiered administration model, isn't difficult to implement with some planning. It's not only important to consider the privileges assigned to users, but also whether they are using those privileges to access or manage resources. And if you can't implement automated JIT administration, set up a manual process for managing access to privileged AD groups.
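The text names authentication policies and silos as the finer-grained control. The following added example (not from the article) builds a tier 0 silo so that tier 0 accounts can obtain a TGT only from tier 0 hosts, which is the "never log in interactively to end-user devices" rule enforced by the KDC instead of by procedure. It assumes Windows Server 2012 R2 or later domain controllers with Kerberos armoring (the KDC claims/compound-authentication policy) enabled; the names Tier0-Silo, adm-jsmith, DC01, DC02 and PAW01 are placeholders.

```powershell
# Added example (not from the article): enforce "tier 0 admins authenticate only from tier 0
# hosts" with an authentication policy and silo, the finer-grained control the text names
# alongside Protected Users. Requires Windows Server 2012 R2+ DCs and the "KDC support for
# claims, compound authentication and Kerberos armoring" policy. Names are placeholders.
Import-Module ActiveDirectory

$siloName   = 'Tier0-Silo'
$tier0Users = @('adm-jsmith')                      # assumed tier 0 admin accounts
$tier0Hosts = @('DC01$', 'DC02$', 'PAW01$')        # domain controllers and the admin workstation

# Condition evaluated by the KDC: the user may authenticate only from a computer that is
# itself a member of the same silo (the computer's silo claim must match).
$fromSiloOnly = 'O:SYG:SYD:(XA;OICI;CR;;;WD;(@USER.ad://ext/AuthenticationSilo == "' + $siloName + '"))'

# The user policy also caps the TGT at 240 minutes, the same limit Protected Users applies.
New-ADAuthenticationPolicy -Name 'Tier0-UserPolicy' -Enforce `
    -UserTGTLifetimeMins 240 `
    -UserAllowedToAuthenticateFrom $fromSiloOnly
New-ADAuthenticationPolicy -Name 'Tier0-ComputerPolicy' -Enforce -ComputerTGTLifetimeMins 240

New-ADAuthenticationPolicySilo -Name $siloName -Enforce `
    -UserAuthenticationPolicy     'Tier0-UserPolicy' `
    -ComputerAuthenticationPolicy 'Tier0-ComputerPolicy' `
    -ServiceAuthenticationPolicy  'Tier0-UserPolicy'

# Both sides must opt in: the silo lists the account, and the account is assigned to the silo.
foreach ($principal in $tier0Users + $tier0Hosts) {
    Grant-ADAuthenticationPolicySiloAccess -Identity $siloName -Account $principal
    Set-ADAccountAuthenticationPolicySilo -Identity $principal -AuthenticationPolicySilo $siloName
}

# Verify: the silo's members and policies, and which accounts are actually assigned to a silo.
function Get-SiloAssignmentReport {
    Get-ADAuthenticationPolicySilo -Identity $siloName -Properties Members |
        Select-Object Name, Enforce, UserAuthenticationPolicy, ComputerAuthenticationPolicy, Members
    Get-ADUser -Filter { 'msDS-AssignedAuthNPolicySilo' -like '*' } -Properties AuthenticationPolicySilo |
        Select-Object SamAccountName, AuthenticationPolicySilo
}
Get-SiloAssignmentReport
```

Start with the policies created without -Enforce: the DCs then log event 105 (user) and 305 (computer) in the Microsoft-Windows-Authentication log for requests that would have been rejected, which shows which tier 0 accounts still sign in from the wrong tier before anyone is locked out.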
Free Tool of the Month: Netwrix Auditor for Windows Server (Free Community Edition)

The free edition of Netwrix Auditor for Windows Server delivers visibility into what's happening in your Windows-based server infrastructure. It tracks changes to your Windows Server configuration, such as the installation of software and hardware, and changes to services, network settings and scheduled tasks.

Download Free Tool

Sample report: Netwrix Auditor Activity Summary (Added 1, Removed 1, Modified 1)

Action: Modified | Object type: Local Audit Policy | What: Local Audit Policies\Object Access\File System (Failure audit disabled) | Item: ws1 | Where: ws1 | When: 4/17/2017 4:37:32 AM
Action: Removed | Object type: Logical Disk | What: System Information\Components\Storage\Logical Disks\A: | Item: ws1 | Where: ws1 | When: 4/17/2017 4:38:59 AM
Action: Added | Object type: Network Adapter | What: System Information\Components\Network\Adapter Configuration\[00000013] vmxnet3 Ethernet Adapter (DHCP Enabled: "Yes"; DHCP Server: "255.255.255.255"; IP Address: "169.254.78.14, fe80::c04b:977a:6237:4e0e"; MAC Address: "00:0C:29:16:86:A0") | Item: ws1 | Where: ws1 | When: 4/17/2017 4:41:54 AM

This message was sent by Netwrix Auditor from au-srv-fin.enterprise.com.
How-to for IT Pro: How to Get Local Users

1. Create a file containing the computer list.

2. Open the PowerShell ISE and run the following script, adjusting the file name and path for the export:

    # Read the list of computers, query each one's local accounts over WMI and export to CSV.
    $computers = Get-Content -Path C:\data\computers.txt
    Get-WmiObject -ComputerName $computers -Class Win32_UserAccount -Filter "LocalAccount='True'" |
        Select-Object PSComputerName, Name, Status, Disabled, AccountType, Lockout, PasswordRequired, PasswordChangeable, SID |
        Export-Csv -Path C:\data\local_users.csv -NoTypeInformation

3. Open the file produced by the script in MS Excel.

Learn an alternative way to get local users
[Recorded Webinar] Top 12 Events to Monitor in the Windows Server Security Log

In this webinar Randy Franklin Smith, an internationally recognized expert on the security and control of Windows, highlights the 12 most important things to monitor in the Security Log of your Windows servers:

- Audit policy changes
- User right assignments
- Local account authentication policy changes
- Local user account changes
- Local account enumeration
- Logon right changes
- Local group membership changes
- New software installed
- New device attached
- Failed logon attempts
- Any attempt to logon as local Administrator
- Firewall policy change

Watch Now

Corporate Headquarters: 300 Spectrum Center Drive, Suite 200, Irvine, CA 92618
Phone: 1-949-407-5125 | Toll-free: 888-638-9749 | EMEA: +44 (0) 203-318-02
Copyright © Netwrix Corporation. All rights reserved. Netwrix is a trademark of Netwrix Corporation and/or one or more of its subsidiaries and may be registered in the U.S. Patent and Trademark Office and in other countries. All other trademarks and registered trademarks are the property of their respective owners.
