Netherlands: Software

Introductie Windows Server 2016

Issue link: http://hub-nl.insight.com/i/692748


119 CHAPTER 5 | Security

Figure 5-4: Medium-term goal plan

The figure shows six separate areas:

1. Extend PAWs to all administrators and provide additional hardening such as Credential Guard and RDP Restricted Admin. For more information, go to http://aka.ms/CyberPAW, where this is shown in Phases 2 and 3.
2. Establish time-bound privileges (no permanent administrators). For more information, go to http://aka.ms/AzurePIM.
3. Create multifactor elevation. For more information, go to http://aka.ms/PAM.
4. Provide JEA for domain controller maintenance. For more information, go to http://aka.ms/JEA.
5. Lower the attack surface of domains and domain controllers. For more information, go to http://aka.ms/HardenAD.
6. Implement Attack Detection for your servers and domain controllers. For more information, go to http://aka.ms/ata.

Long-term plan

The long-term goals (see Figure 5-5) detail the final parts to date in an ever-evolving strategy. Securing your environment never stops. Therefore, this strategy will need to be reviewed and adapted over time, but it will provide you with a basis to begin and grow.

As with software development, you should apply a lifecycle with regard to how you control access to resources. Your approach should be based on the latest principles and JEA. Following on from this, all administrators should be issued strong authentication mechanisms such as SmartCard or Passport Authentication.

To really enhance protection, you can implement a secure forest that is isolated from a traditional user forest. Here, you can store the most secure systems in the environment and keep them fully isolated from the production network.

The next section is to implement code integrity, which will ensure that only authorized code can be run on the systems.

Finally, you can use Shielded VMs. In this case, you can begin by focusing on domain controllers so that an attacker can't inspect a VM and copy it from the drives, or carry out a host attack to gain access to the VM.
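A sketch of what "JEA for domain controller maintenance" (area 4 above) can look like in practice. This is an added example, not taken from the book; the module name, endpoint name, file paths, the CONTOSO\DC-Maintenance-Operators group and the choice of permitted commands are all assumptions to adapt.

```powershell
# Added example: JEA endpoint for routine domain controller maintenance.
# Names, paths and the AD group below are hypothetical placeholders.
$moduleName = 'DCMaintenanceJEA'
$modulePath = Join-Path $env:ProgramFiles "WindowsPowerShell\Modules\$moduleName"
$rolePath   = Join-Path $modulePath 'RoleCapabilities'
New-Item -ItemType Directory -Path $rolePath -Force | Out-Null
New-ModuleManifest -Path (Join-Path $modulePath "$moduleName.psd1")

# Role capability: only the commands an operator needs, nothing else.
# Restart-Service is limited to a fixed set of service names.
New-PSRoleCapabilityFile -Path (Join-Path $rolePath 'DCMaintenance.psrc') `
    -VisibleCmdlets @(
        'Get-Service',
        'Get-WinEvent',
        @{ Name       = 'Restart-Service'
           Parameters = @{ Name = 'Name'; ValidateSet = 'DNS', 'Netlogon', 'W32Time' } }
    ) `
    -VisibleExternalCommands 'C:\Windows\System32\dcdiag.exe'

# Every session is transcribed so maintenance actions can be reviewed.
$jeaRoot     = Join-Path $env:ProgramData 'JEA'
$transcripts = Join-Path $jeaRoot 'Transcripts'
New-Item -ItemType Directory -Path $transcripts -Force | Out-Null

# Session configuration: restricted language and command set, mapped to one group.
# Caveat: on a domain controller the virtual account is a member of Domain Admins,
# so the visible command list above is the real security boundary. A group managed
# service account (-GroupManagedServiceAccount) is the alternative to evaluate.
$pssc = Join-Path $jeaRoot 'DCMaintenance.pssc'
New-PSSessionConfigurationFile -Path $pssc `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory $transcripts `
    -RoleDefinitions @{
        'CONTOSO\DC-Maintenance-Operators' = @{ RoleCapabilities = 'DCMaintenance' }
    }

# Validate the file before registering the endpoint.
if (-not (Test-PSSessionConfigurationFile -Path $pssc)) {
    throw "Session configuration file failed validation: $pssc"
}
Register-PSSessionConfiguration -Name 'DCMaintenance' -Path $pssc -Force
```

Operators then connect with `Enter-PSSession -ComputerName <dc> -ConfigurationName DCMaintenance` using an ordinary account, so no standing domain administrator credential is needed for these tasks.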
