back to article Azure security boss tells sysadmins to harden up and properly harden Windows Server

Windows Server admins keep making mistakes that let criminals into their boxes, according to Microsoft's lead security architect for Azure management Lee Holmes. Redmond therefore wants you to harden up by using PowerShell's Just Enough Administration. “In running Just Enough Administration, the idea is that admins are your …

  1. Your alien overlord - fear me

    If stuff *should* be off then why the fuck isn't that the default then Microsoft?

    1. Adam 1

      I can't comment on all the mentioned features, but I know for example telnet (mentioned) isn't installed by default (even the client isn't available). Rdp I'm guessing requires the Terminal services role which you are only going to enable if you need it. A lot of these things get switched on in initial configuration and then gets forgotten about or even finds its way onto the master vm image until something gets pwned. That said, whilst we're on the topic of leaving unnecessary software not running, can you have a chat with your buddies working in telemetry?

      1. Anonymous Coward
        Anonymous Coward

        You may also find that the staff member setting up the base server will be different to the one which comes along putting additional components on for whatever system is being used e.g. IIS.

        Honestly having reviewed what happened within our own organisation I doubt it would have mattered what server they were setting up, they'd have botched something up anyway as they simply don't communicate effectively and it would eventually have become frustration as Admin A enabled tons of shit to get Admin B to stop hassling him/her.

    2. LDS Silver badge
      Devil

      Because they don't know what will stop working if they disable them by default... so they let you enjoy it.

    3. Hans 1
      Joke

      If stuff *should* be off then why the fuck isn't that the default then Microsoft?

      Because hunting down the name of a service, setting it to Manual or Automatic, and then starting it is too hard for the average Windows Cleaner and Surface Expert? Apparently, according to no other than Slurp!

      1. AMBxx Silver badge

        We've come a long way though. Remember when IIS was introduced - it was enabled by default, with no security and a web interface for admin.

        Then there was SQL Server listening on Port 80.

    4. Anonymous Coward
      Anonymous Coward

      If stuff *should* be off then why the fuck isn't that the default then Microsoft?

      I'd take one step back and ask why Microsoft itself is a default. Yes, I know it will prompt all the usual statements that "if X was as popular it would have as many issues" (long disproved by statistics, and certainly by Linux server deployment at such trivially sized outfits as Google), but the fact remains - the common element between world's longest list of security problems is Microsoft, closely followed by Adobe.

      But hey, we won't talk about that, because that would actually address the core issue instead of making more and more budget available to IT..

      I know this will give the Redmond marketing team some work in getting everyone to downvote me (I hope we can hit triple digits), but it doesn't change the facts. Microsoft software is still not suitable for an online world.

    5. TheVogon

      "If stuff *should* be off then why the fuck isn't that the default then Microsoft?"

      It is.

  2. bombastic bob Silver badge
    Devil

    Captain Obvious says...

    "Windows Server admins keep making mistakes that let criminals target the OS"

    Ya think? Of course, they're less to blame than HAVING! THEM! ENABLED! BY! DEFAULT! IN! THE! FIRST! PLACE! but at least someone's paying attention now... we hope.

  3. mr_splodge

    Rich

    This is rich coming from the company that puts 2x Xbox related services, downloaded maps broker, geolocation service to name a few, on by default in a standard server 2016 build, then publish articles saying you should disable them.

    They really need to start practicing what they preach.

    It would be great if the reality of just in time and just enough administration was workable in anything below megacorp enterprise. Not sure many of my customers will pay for another couple of server licenses or Azure VMs or whatever for a pair of administrative domain controllers, plus the cost of managing them, protecting them, backing them up etc.

    Anyway, just about any MS article you read with instructions to perform some administrative task, such as migrating a server role, they tell you you need domain admin.

    1. Liamkemp

      Re: Rich

      Mr Splodge, you do understand that Just Enough Administration and JIT require no additional hardware, software or licencing on Server 2016, right? You also understand that on Server 2008R2 through 2012R2, the only additional requirement is PowerShell Version 5... Which you should have already. If you don't, it's part of the windows management framework 5.

      1. mr_splodge

        Re: Rich

        Really, explain this then https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privileged-access-reference-material#ESAE_BM

        1. TheVogon

          Re: Rich

          "explain this then"

          That's an advanced AD forest design. And nothing much to do with JEA or JIT.

    2. TheVogon

      Re: Rich

      "2x Xbox related services, downloaded maps broker, geolocation service to name a few, on by default in a standard server 2016 build"

      None of those are enabled or even installed on a default install.

  4. FlamingDeath Silver badge

    Die Microsoft!

    Die Microsoft! fucking DIE

    1. phuzz Silver badge

      Re: Die Microsoft!

      You could have gone for a joke along the lines of "You know what you should turn off to secure Windows? The server", but no, you went straight for the swearing.

  5. Sil

    Do you really think admins for other OSes are magically better and do less security-related mistakes ?

  6. wyatt

    I'm sorry, leaving Telnet available? Wow.. they must be poor administrators if they're doing that. As @Adam 1 says, it isn't installed as default so that's something that has been done on purpose.

  7. Anonymous Coward
    Facepalm

    PowerShell and NoLanguage mode

    'Language modes are also a big issue. NoLanguage mode is the only safe language mode'

    So, PowerShell is safe as long as you disable all its functions.

    What is a language mode?

  8. jMcPhee

    Tough Balance

    Windows is using the AOL business model of dumbing down its product to get wider appeal, at least for the home user product base. (Fortunately, they aren't carpet bombing us with CD's)

    Is this carrying over to the commercial product side? Or, do they undumb server and other non-residential products?

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021