Why you should not enable Credential Guard on Domain Controllers?

Credential Guard protects credential derivatives such as NTLM hashes and Kerberos tickets; this TechNet article has a very detailed explanation as well as deployment guidelines. A recent change to that article calls out the following: "Warning: Enabling Credential Guard on domain controllers is not supported. The domain controller hosts authentication services which…"


Use Windows Server 2016 to secure a jump server

When talking to customers about the security features in Windows Server 2016, a common question keeps coming up: how do I secure my jump server? Recently, I worked with a Microsoft internal team to deploy Windows Server 2016 on their jump server; I thought it was a good use case to share. Why is it…


Windows Server 2016 security auditing

Windows Server 2016 includes new audit events to help with early detection of malicious activity in your datacenter. You can find the complete list of events in this reference paper, and the events new in Windows Server 2016 here, under the Security auditing section. In this blog post, I would like to highlight a few…


Windows Server 2016 security sessions at Microsoft Ignite 2016

If you’re going to Ignite next week, you don’t want to miss the Windows Server 2016 security sessions we prepared for you! Check out this blog post on the Hybrid Cloud blog, which also features some great videos created by our Program Managers! In addition, check out this webpage on which you can list all…


Overview of Device Guard in Windows Server 2016

With thousands of new malware samples released every day, signature-based detection alone may not be sufficient to fight malware. Device Guard on Windows Server 2016 changes from a mode where apps are trusted unless blocked by an antivirus or other security solution, to a mode where the operating system trusts only apps…


Step by Step: Shielding existing VMs without VMM

Continuing on the topic of Shielded VMs from my last blog post on creating shielded VMs, this blog post will share my learnings from validating the scenario. This blog post doesn’t dive deep into terminology, which is fully explained in the Shielded VM deployment guide. A side note: System Center VMM has built-in functionality to support shielding existing VMs to make the process…


Reduce the number of admins on your servers with Just Enough Administration

Least Privilege. As part of your information security strategy, you are probably familiar with the principle of least privilege. The concept itself is simple — give your IT staff and end-users as few permissions as necessary to get their jobs done. This helps shrink your attack surface and limit exposure when attackers compromise user credentials through phishing, key logging, or…


Host Guardian Service – AD-based vs. TPM-based attestation

[This post is authored by Dean Wells, Principal Program Manager for the Windows Server Security Product Team] Overview: The Host Guardian Service (HGS) is a new role in Windows Server 2016 that provides health attestation and key protection/release services for Hyper-V hosts running Shielded VMs. This blog describes the differences between HGS’ two mutually exclusive attestation…


Step-by-step: Quick reference guide to deploying guarded hosts

My original blog post on the topic of deploying Shielded VMs without VMM included the instructions to deploy guarded hosts. Based on feedback around keeping the blog posts short and scenario-focused, I split the content in two. This blog serves as a quick reference to deploy guarded hosts. Once again, I highly recommend you read…


Step by Step – Shielded VM Recovery

Shielded VMs protect the data and state of a Virtual Machine against inspection, theft and tampering by malware and datacenter administrators, and they do so both at rest and in flight. One of the ways we achieve this is to block the features in Hyper-V that are there for an administrator’s convenience, e.g. we block console access…