Despite the efforts of IT administrators, security vendors, and even the mainstream media, computer security’s weakest link remains the person sitting in front of the console. The daily reports on malware and ransomware attacks all make it clear that there remains a major problem in securing your IT infrastructure: The end user.

Phishing attacks and spearphishing have become more sophisticated, with attackers focusing on targets that have elevated privileges on corporate networks, carefully preparing fake emails after studying their target business and determining the best way to get their targeted individual to allow them access. These are now the preferred attack vector for sophisticated attackers. Combining these social engineering attacks with common security flaws in devices, services, and unpatched servers gives the well prepared attacker plenty of avenues for their nefarious activities.

phish web 357x681
– DCD / Fay Marney

Sneaky attackers

These attackers are nothing if not patient; research from Microsoft showed that the average network penetration lasted for more than 200 days before it was discovered by the victim, yet the timeline from the first host being compromised to a domain admin being compromised was no more than 48 hours.

Most commonly, the compromise is done using a Pass the Hash attack, a technique discovered in 1997 and which can be used against any system that uses Lan Manager (LM) or NT Lan Manager (NTLM) authentication, regardless of the operating system using them.

Attempts by system vendors to remove LM and NTLM authentication from their operating systems have failed because of the large number of applications and services that require its availability for proper operation. Pass-the-ticket attacks, discovered in 2014, allow similar types of compromises using a forged Kerebos key distribution center and work on Windows Server 2000 and newer. 

Once an attacker has gotten administrative credentials, they retain them for as long as that account exists, and since admin account routines have far more access than necessary for the user to do their job, attackers get elevated levels of access for as long as necessary to move up the chain or find valuable information to steal.

New defenses

Windows Server 2016, recently delivered by Microsoft, represents a bid to gain more share from Linux in the data center, with improvements to security, including shielded virtual machines.

Microsoft has taken the approach that security is not an add-on. It needs to be built into the operating system from the ground up and should be the default configuration.

The new OS includes four technologies designed to prevent compromised credentials giving an attacker unlimited access. Credential Guard, Remote Credential Guard, Just Enough Administration and Just-in-time Administration (see box) combine to provide privilege access management (PAM), which limits the ability of as attacker to compromise a Windows Server environment. It makes use of capabilities added to the Active Directory Domain Services and the Microsoft Identity Manager. Along with protecting AD environments from attack it can also be used to regain control overt a compromised directory service.

Finally, and while it might seem a bit belated, Windows Server 2016 also adds the Windows Defender antivirus / anti-malware protection that has long been available in Windows client software. When directly asked why it took so long for Defender to make its way to the server platform Microsoft’s response was a simple - “customers weren’t asking for it.”


Most enterprises have made major investments in enterprise-wide anti-virus/malware solutions, so the absence of a built in feature to provide this protection was rarely missed. However, it is now available by default and provides instant protection against potential threats, limiting yet another potential window of vulnerability.

Windows Defender generally runs headless, and should the administrator choose to use and administer the software it requires management via Windows PowerShell, Group Policy, or WMI. Some specific SKUs of Server 2016 will include the interface. To disable Windows Defender, in order to install the corporate standard AV/AM software or for any other reason, it is necessary to uninstall the application which can be done by using the Remove Roles and Features Wizard.

Microsoft has taken the approach that security is not an add-on. It needs to be built into the operating system from the ground up and should be the default configuration. Rather than IT administrators needing to enable security capabilities, those services need to always be present. Some, like Credential Guard, need to be the standard mode of operation for both client and server, while other capabilities need to be easily accessible and available to IT to implement so the IT department can be assured that these enhanced security features don’t make line-of-business applications run slowly or cause problems.

phish web 357x681
– DCD / Fay Marney

Be consistent

Server administration policies need to present a consistent model that prevents any administrator from being able to infect, crash, or destroy corporate servers or data. By maintaining a very granular level of control across all common server administration activities a combination of the latest technologies and up to date administrative polices can prevent or mitigated the vast majority of security problems that plague the corporate world today.

All of these technologies can be remotely deployed and managed on all of the appropriate servers in your data centers and clients in your enterprise. Properly implementing the technology along with making sure the correct security policies are in place will provide the strongest defense against the huge number of malicious threats against your enterprise.

This article appeared in the November issue of DatacenterDynamics magazine