Netherlands: Software

Introductie Windows Server 2016

Issue link:

Contents of this Issue


Page 121 of 173

112 C H A P T E R 5 | Security Windows Defender Windows Defender is included (and running) by default when you install Windows Server 2016 Technical Preview. Depending on the SKU of Windows Server 2016 Technical Preview that you choose to install, it might or might not have the GUI tools. If it doesn't have the GUI tools, you can install them via Windows PowerShell, as follows: Install-WindowsFeature -Name Windows-Defender-GUI If your organization has a company standard for malware technology, you can uninstall it by using Windows PowerShell, as well: Uninstall-WindowsFeature -Name Windows-Server-Antimalware Windows Defender receives updates via Windows Update. If your organization manages Windows Update via an update deployment tool, you need to ensure that you are downloading the updates to keep Windows Defender up to date with its definitions. You also can configure Windows Defender via Group Policy for central control and administration. Threat detection technologies No matter how much you try to secure an environment, you still need to perform audits to validate whether those measures are effective. In Windows Server 2016 Technical Preview, two new audit subcategories have been added to give greater insight into the events: Audit Group Membership This is part of the Logon/Logoff event category. The events in this subcategory are generated when group memberships are enumerated or queried on the PC where the sign-in session was created. Audit PNP Activity Found in the Detailed Tracking category, you can use the Audit PNP Activity subcategory to audit when plug-and-play detects an external device. Only Success audits are recorded for this category. Additional changes have been made in Windows Server 2016 Technical Preview that expose more information to help you identify and address threats quickly. The following table provides more information: Area Improvements Kernel Default Audit Policy In previous releases, the kernel depended on the LSA to retrieve information in some of its events. In Windows 10, the process creation events audit policy is automatically turned on until an actual audit policy is received from LSA. This results in better auditing of services that might start before LSA starts Default process Security ACL (SACL) to LSASS.exe A default process SACL was added to LSASS.exe to log processes attempting to access LSASS.exe. The SACL is L"S:(AU;SAFA;0x0010;;;WD)". You can turn this on under Advanced Audit Policy Configuration\Object Access\Audit Kernel Object. New fields in the sign-in event The sign-in event ID 4624 has been updated to include more verbose information to make them easier to analyze. The following fields have been added to event 4624: MachineLogon String: yes or no If the account that signed in to the PC is a computer account, this field will be yes; otherwise, the field is no.

Articles in this issue

Archives of this issue

view archives of Netherlands: Software - Introductie Windows Server 2016