Credential Guard lab companion

If you have heard about Credential Guard in Windows Server 2016 (and in Windows 10), but do not have an environment to try it out, here is a lab environment we built for you to play with.

Lab access: The link will lead you to a sign-up page; after that, you will see the following…


Leverage PowerShell Just Enough Administration for your Helpdesk

[Today’s guest post was authored by Dan Cuomo based on a real-world application of JEA] Hi Folks — Platforms PFE Dan Cuomo here to talk about one method to enable the use of Just Enough Administration for your helpdesk administrators. If you’re security conscious, you’re no doubt in a constant struggle to try and lower the…

Rest easy with regulatory compliance in Windows Server 2016

[This blog post was originally published at: https://blogs.technet.microsoft.com/hybridcloud/2017/04/11/rest-easy-with-regulatory-compliance-in-windows-server-2016/] Last month we learned that Windows Server 2016 has achieved Common Criteria certification for the General Purpose OS protection profile. This international standard is especially important for our customers in the public sector, where Common Criteria certification is highly recommended or even required. That’s why Microsoft has…


Shielded VMs – additional considerations when running a guarded fabric

So you’ve deployed a guarded fabric and your VMs are running happily. Having now reached that perfect steady state, let’s have a look at the operational and administrative differences relative to a regular fabric. The purpose of this blog isn’t to exhaustively walk you through some mundane day-to-day set of administrative or operational duties, rather, I…

Shielded VMs: A conceptual review of the components and steps necessary to deploy a guarded fabric

[This post was authored by Dean Wells, Principal Program Manager on the Windows Server team] If you’re anything like me, you probably find it immensely helpful having an end-to-end conceptual view of what you’re doing before actually doing it–that’s the purpose of this blog. Deploying a guarded fabric involves several new concepts so, in this…

Step by Step: Creating a JEA endpoint for DNS management

Just Enough Administration (JEA) provides a way for administrators to delegate certain admin tasks to non-administrators using PowerShell. Unlike some of the other built-in delegation solutions in Windows, JEA is not tied to a particular product or service. You can create custom roles in JEA that allow users to manage any software on the system….

Join Host Guardian Servers to an existing bastion forest

Shielded VMs prevent unauthorized access from the host. To achieve this security assurance, there must be a role separation between the fabric admins (who manage the Guarded Hosts) and the HGS admins (who manage the Host Guardian Servers). By default, when you install the first HGS server, it will create its own forest; this will…


Why you should not enable Credential Guard on Domain Controllers?

Credential Guard protects credential derivatives such as NTLM hashes and Kerberos tickets; this TechNet article has a very detailed explanation as well as deployment guidelines. There was a recent change in this article to call out the following:

Warning: Enabling Credential Guard on domain controllers is not supported. The domain controller hosts authentication services which…


Use Windows Server 2016 to secure a jump server

When talking to customers about the security features in Windows Server 2016, a common question keeps coming up: how do I secure my jump server? Recently, I worked with a Microsoft internal team to deploy Windows Server 2016 on their jump server; I thought it was a good use case to share. Why is it…


Windows Server 2016 security auditing for enhanced threat detection

Windows Server 2016 includes new audit events to help with early detection of malicious activity in your datacenter. You can find the complete list of the events from this reference paper, and new events in Windows Server 2016 here under the Security auditing section. In this blog post, I would like to highlight a few…