This year on the Microsoft Ignite conference Microsoft announced the modern
replacement for MMC and ServerManager.
It is called Honolulu: https://docs.microsoft.com/en-us/windows-server/manage/honolulu/honolulu
Also Microsoft ranted about Admins using RDP for Administration. "It was never designed for it. Those admins should read the documentation. It states, it allows two channels only for emergency administration. But that problem will fix itself, as we discontinue the gui on servers. Also if you want to Administer GPOs for Windows 10 clients you have to do that form a Windows 10 client, as some settings are not available on a Server-Type OS."
Also Microsoft once again urges Admins not to use Jump hosts, but instead Implement PAW (aka. SAW).
PAW (Privileged Admin Workstation) or SAW (Secure Admin Workstation) is an advanced security concept for admins.
It's key features are:
- Isolated Environments, day-to-day stuff like e-mail or webbrowser don't have access to privileged sessions or applications. In fact they don't know that those exist at all.
- Does not need special hardware, it only needs a Computer with an TPM and uefi (and even those are not mandatory, but highly recommended)
At minimum two OSes running in parallel, recommended is one per tier.
Credential Guard enabled
- Windows Defender Application Guard enabled
Other things to consider:
- Tier 0 Admins should be blocked access to Tier 1 and Tier 2 *¹
- Tier 1 Admins should be blocked access to Tier 0 and Tier 2 *¹
- Tier 2 (Workstation) Admins should be blocked access to Tier 0 and Tier 1 *¹
- Only PAW/SAW allow local logon for Admins, but Applocker blocks Windows Logon for admins, so only UAC elevation works (windows hello with fingerprint for elevation, recommended).
- LAPS should be installed everywhere
- Recommended Applocker Rules Video 01:15:40 (only about 12 Rules)
Use IPSec, every client and every server should communicate over IPSec, so
having physical access to the network is non compromising (works for
everything after Windows 2000).
Use Exploit Guard (former EMET)
- IPSec with ESP and AH (IPv6) and IPSec with ESP for IPv4 if there is (or could be) a NAT
- Use Device Guard for single purpose machines like ATMs, except if admins are bored (as high administrative effort is required)
- Look at ESAE
- Look at Protected Accounts
- Disable RDP. Only use Remote Administration through WinRM (PowerShell), as that does not allow Credential Theft
- Disable NTLM authentication for Shared folders (access by IP-Address), as NTLM makes Credential Theft easy.
- Enable SMB Encryption (or IPSec), as requests can be intercepted otherwise.
- Maybe add PIN auth to bitlocker in addition to TPM
- Restrict outgoing Connections (also the destinations) using Windows Firewall (through GPO recommended)
- Use Kerberos
Block Internet Access from Secure context, that requires:
- Having an internal WSUS
- Having an KMS for Windows (Re-)Aktivaton
- Having an internal PowerShell Help-Server, to update PowerShell command help *²
- Having an internal PowerShell Script and Modules repository *²
- Use TOTP (RFC6238) for your APS.NET Core stuff 2nd video at 17:31
- Don't use SMS or E-Mail for Two Factor auth
Summary Talk about Security concerns
- Mastering the lions PAW: How to build a privileged access workstation | BRK3286
- Security and identity in ASP.NET Core | BRK3283
*¹: (Deny: "Access to computer from the network", "logon as a batch job", "log on as a service", "log on locally", "log on through terminal services")
*²: Recommended for administrative support, by me.