From the course: Windows Server 2025 - Security Features
Security baseline concepts - Windows Server Tutorial
Security baseline concepts
- [Instructor] Let's talk about the Windows Server 2025 Security Baseline. So what is a security baseline? A security baseline is a predefined set of configurations that are applied specifically for security. So these are scenario-based. So for example, if your server is a domain controller, there are specific sets of configurations that you need to apply to secure your domain controller. So for example, you need to limit the access from the network. You need to limit the users who can access the domain controller or the files that are stored in the domain controller, who can actually remotely connect to a domain controller, and so forth. And again, these settings will be somewhat different than for a member server and also for a server which is not part of the domain, but rather a workgroup. That is why these baseline security settings are scenario-based. So these security settings also basically enable us to apply a lot of the compliance-related settings that are set forth by the CIS Benchmark or NIST guidelines. This is important because depending on your organization and its compliance requirements, it is possible that you have to abide by one of these guidelines. It is also possible that this is not imposed on the organization, but just to maintain a cohesive, secure environment, these are adopted by the organization. Nevertheless, it enables us to stay within compliance as far as security configuration is concerned. Last but not least, having all these security configurations in a baseline format enables us to automate the settings. So for example, it can be applied using the PowerShell module called OSConfig. So you can have a PowerShell script that you run on every domain controller or every member server. If you want to take it a step further, you can have a group policy that runs this OSConfig PowerShell script on all the servers and any other devices that you're trying to apply settings to using the baseline.
Last but not least, if you are basically Azure Arc enabled or if you have set up your virtual servers in Azure, you can use Azure Policy to apply this security baseline. So the biggest benefit of having a security baseline is that you can apply all these major security settings at once. So just to give you an example, something that we'll see in our demo is that actually a member server, for example, has over 300 security settings that it needs to have for it to be secure and compliant. So just imagine going into 300 different settings to apply those settings. Instead, what you have to do is just apply the baseline and all of your settings are in place. Now, you can have the same baseline that you're going to apply to all your member servers or all your domain controllers. This way, you don't really have to keep track of, okay, these member servers are, you know, in this location, what were the security settings? Or if this is in a different application environment, should it have different security settings? No, you can maintain just one cohesive standard for all your member servers, or it can be other devices as well, as a security baseline is available for your workstations as well. It also enables you to be compliant with Microsoft recommendations, as well as the industry standards that we talked about, and it can be implemented in a scalable manner. That is the best part of having a security baseline. As you include more and more servers in your environment, you just apply the security baseline to make sure that it is secure. Now keep in mind that you might be thinking that, well, I have certain applications that require specific security settings, or I want to test my application in a test environment. I do not want to apply all these security settings that are going to interfere with my test. These security settings can be modified. So you can apply all the security settings and then go to specific settings to modify depending on your application requirements.
We will take a look at how to modify settings in our demo, but keep in mind, don't modify settings to the extent that it puts your server security in jeopardy. So what is new about the Windows Server 2025 baseline? So here are a few highlights of the 2025 baseline. So the 2025 baseline has a scenario called Secured-Core. So this is basically for Secured-Core servers. Using this baseline, you can enforce Secure Boot, a signed boot chain, as well as UEFI MAT settings. So we will talk a little bit more about Secured-Core server, but I would also encourage you to go to learn.microsoft.com to read the details about it. The baseline also basically enforces TLS 1.2 or above, SMB 3.0 or above, and Kerberos AES encryption. There's also credential protection, such as LSASS protection, using these baseline settings. And also last but not least, all the account and password-related policies that are recommended by Microsoft are basically enforced by this baseline. So how does it all work? We will take a look at it in the demo, but it utilizes the OSConfig PowerShell module to enforce this baseline. So there are a couple of different additional baseline scenarios that we haven't talked about. First is Windows Defender Antivirus. So for the Windows Defender Antivirus scenario, when you apply this, all the settings related to Windows Defender will be applied. So what you'll do in a normal situation is that, let's just say you have a member server. First, you're going to apply the baseline for the member server, and then you're going to apply the Windows Defender one just to make sure that all the Windows Defender settings are applied. There's also another scenario called Secured-Core. So let's talk about what Secured-Core is. Secured-Core is a specific type of server which has a collection of capabilities that are built into the hardware or firmware or the drivers. So basically these types of servers are secured from the hardware perspective.
Oftentimes, when we are thinking about securing a server or a device, we are thinking about how to secure the device from someone signing in or someone executing code that they're not supposed to execute. These are all software-based security settings. Even though these are all software-based security settings, these are critical and important, and that is what we do with our baseline and also other different security protocols. However, one of the more secure ways of securing a server will be hardware-based, and that is where Secured-Core comes into play. It has a hardware-based trusted root that uses UEFI Secure Boot, and that actually makes this server secure at a kernel level. So basically what that really means is that oftentimes you also hear about, you know, rootkit types of server hijacking; a Secured-Core server actually protects from that. And what the Windows Server 2025 baseline has is that when you have a Secured-Core server and you run the baseline for Secured-Core with a scenario called Secured-Core, those settings basically are applied all at once. In conclusion, this was a brief introduction to the Windows Server 2025 Security Baseline. We'll go more in depth in our detailed demo. I'll show you how to install OSConfig. And using the OSConfig commands from PowerShell, we'll apply the security baseline. And then I'll also show you how to review the security settings before and after applying the baseline so that you can see for yourself what the security baseline has done.
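The workflow the instructor outlines (install OSConfig, apply a scenario baseline, layer the Defender Antivirus scenario on top, tailor an individual setting, and compare the settings before and after) can be scripted as follows. This is an added example, not the course's demo script and not code from Microsoft. It assumes the scenario identifiers follow the published OSConfig naming (`SecurityBaseline/WS2025/MemberServer`, `Defender/Antivirus`, `SecuredCore`), that `Get-OSConfigDesiredConfiguration` reports a per-setting `Compliance.Status` for a scenario even before that scenario has been applied, and that the session is an elevated PowerShell on the target server. `<SettingName>` and `<Value>` are placeholders for whatever setting your application actually requires.

```powershell
# Added example (not from the course): apply and review the Windows Server 2025
# security baseline with the Microsoft.OSConfig PowerShell module.
# Assumptions: scenario names follow the published OSConfig naming; the Get-
# cmdlet reports compliance per setting; run from an elevated session.

# 1. Install and load the module (one-time install from the PowerShell Gallery).
Install-Module -Name Microsoft.OSConfig -Scope AllUsers -Repository PSGallery -Force
Import-Module Microsoft.OSConfig

# Pick the scenario that matches the server's role (scenario-based, as the
# instructor explains): MemberServer, DomainController, or WorkgroupMember.
$Scenario = 'SecurityBaseline/WS2025/MemberServer'

# Helper: flatten each setting of a scenario to name, configured value and
# compliance state so the before/after snapshots can be compared.
function Get-BaselineReport {
    param([Parameter(Mandatory)][string]$Scenario)
    Get-OSConfigDesiredConfiguration -Scenario $Scenario |
        Select-Object Name,
            @{ Name = 'Value';      Expression = { $_.Value.Value } },
            @{ Name = 'Compliance'; Expression = { $_.Compliance.Status } },
            @{ Name = 'Reason';     Expression = { $_.Compliance.Reason } }
}

# 2. "Before" snapshot: how many of the 300+ settings are already compliant?
$before = Get-BaselineReport -Scenario $Scenario
$before | Group-Object Compliance | Select-Object Name, Count

# 3. Apply the role baseline, then layer the Defender Antivirus scenario on top,
#    in the order the instructor describes. Add SecuredCore only on Secured-Core hardware.
Set-OSConfigDesiredConfiguration -Scenario $Scenario -Default
Set-OSConfigDesiredConfiguration -Scenario 'Defender/Antivirus' -Default
# Set-OSConfigDesiredConfiguration -Scenario 'SecuredCore' -Default

# 4. "After" snapshot, and a diff showing exactly which settings the baseline changed.
$after = Get-BaselineReport -Scenario $Scenario
Compare-Object -ReferenceObject $before -DifferenceObject $after -Property Name, Compliance -PassThru |
    Sort-Object Name |
    Format-Table Name, Value, Compliance, Reason -AutoSize

# 5. Tailor a single setting for an application that needs it (placeholders);
#    every other setting in the scenario stays enforced.
# Set-OSConfigDesiredConfiguration -Scenario $Scenario -Setting '<SettingName>' -Value '<Value>'

# 6. Drift check suitable for a scheduled task or Azure Policy compliance run:
#    anything that is no longer compliant is what an operator should look at first.
Get-BaselineReport -Scenario $Scenario |
    Where-Object { $_.Compliance -ne 'Compliant' } |
    Format-Table Name, Value, Compliance, Reason -AutoSize
```

Step 4 is the "before and after" review the instructor promises for the demo: because OSConfig reports compliance per setting, the diff is the audit trail of what the baseline actually changed on that host, and step 6 turns the same report into a recurring drift check rather than a one-time apply.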