Azure security boss tells sysadmins to harden up and properly harden Windows Server

Windows Server admins keep making mistakes that let criminals into their boxes, according to Microsoft's lead security architect for Azure management Lee Holmes. Redmond therefore wants you to harden up by using PowerShell's Just Enough Administration. “In running Just Enough Administration, the idea is that admins are your …

  1. Your alien overlord - fear me

    If stuff *should* be off then why the fuck isn't that the default then Microsoft?

    1. Adam 1

      I can't comment on all the mentioned features, but I know for example telnet (mentioned) isn't installed by default (even the client isn't available). RDP I'm guessing requires the Terminal Services role, which you are only going to enable if you need it. A lot of these things get switched on in initial configuration and then get forgotten about, or even find their way onto the master VM image until something gets pwned. That said, whilst we're on the topic of leaving unnecessary software not running, can you have a chat with your buddies working in telemetry?

      1. Anonymous Coward

        You may also find that the staff member setting up the base server will be different to the one which comes along putting additional components on for whatever system is being used e.g. IIS.

        Honestly having reviewed what happened within our own organisation I doubt it would have mattered what server they were setting up, they'd have botched something up anyway as they simply don't communicate effectively and it would eventually have become frustration as Admin A enabled tons of shit to get Admin B to stop hassling him/her.

    2. Anonymous Coward
      Devil

      Because they don't know what will stop working if they disable them by default... so they let you enjoy it.

    3. Hans 1
      Joke

      If stuff *should* be off then why the fuck isn't that the default then Microsoft?

      Because hunting down the name of a service, setting it to Manual or Automatic, and then starting it is too hard for the average Windows Cleaner and Surface Expert? Apparently, according to no other than Slurp!

      1. AMBxx Silver badge

        We've come a long way though. Remember when IIS was introduced - it was enabled by default, with no security and a web interface for admin.

        Then there was SQL Server listening on Port 80.

    4. Anonymous Coward

      If stuff *should* be off then why the fuck isn't that the default then Microsoft?

      I'd take one step back and ask why Microsoft itself is a default. Yes, I know it will prompt all the usual statements that "if X was as popular it would have as many issues" (long disproved by statistics, and certainly by Linux server deployment at such trivially sized outfits as Google), but the fact remains: the common element in the world's longest list of security problems is Microsoft, closely followed by Adobe.

      But hey, we won't talk about that, because that would actually address the core issue instead of making more and more budget available to IT.

      I know this will give the Redmond marketing team some work in getting everyone to downvote me (I hope we can hit triple digits), but it doesn't change the facts. Microsoft software is still not suitable for an online world.

    5. TheVogon

      "If stuff *should* be off then why the fuck isn't that the default then Microsoft?"

      It is.

  2. bombastic bob Silver badge
    Devil

    Captain Obvious says...

    "Windows Server admins keep making mistakes that let criminals target the OS"

    Ya think? Of course, they're less to blame than HAVING! THEM! ENABLED! BY! DEFAULT! IN! THE! FIRST! PLACE! but at least someone's paying attention now... we hope.

  3. mr_splodge

    Rich

    This is rich coming from the company that puts 2x Xbox related services, Downloaded Maps Broker and the Geolocation service, to name a few, on by default in a standard Server 2016 build, then publishes articles saying you should disable them.

    They really need to start practicing what they preach.

    It would be great if the reality of just in time and just enough administration was workable in anything below megacorp enterprise. Not sure many of my customers will pay for another couple of server licenses or Azure VMs or whatever for a pair of administrative domain controllers, plus the cost of managing them, protecting them, backing them up etc.

    Anyway, just about any MS article you read with instructions to perform some administrative task, such as migrating a server role, they tell you you need domain admin.

    1. Liamkemp

      Re: Rich

      Mr Splodge, you do understand that Just Enough Administration and JIT require no additional hardware, software or licencing on Server 2016, right? You also understand that on Server 2008 R2 through 2012 R2, the only additional requirement is PowerShell version 5... which you should have already. If you don't, it's part of the Windows Management Framework 5.

      1. mr_splodge

        Re: Rich

        Really, explain this then https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privileged-access-reference-material#ESAE_BM

        1. TheVogon

          Re: Rich

          "explain this then"

          That's an advanced AD forest design. And nothing much to do with JEA or JIT.

    2. TheVogon

      Re: Rich

      "2x Xbox related services, downloaded maps broker, geolocation service to name a few, on by default in a standard server 2016 build"

      None of those are enabled or even installed on a default install.
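To settle the "on by default" argument on your own build rather than by assertion, here is an added audit script (my own, not from the article or any commenter) that reports the state of the services and features named in this thread. The service names (XblAuthManager, XblGameSave, MapsBroker, lfsvc, TlntSvr, TermService) and feature names are the standard Windows ones as I know them; the registry value is the one that controls whether RDP accepts connections.

```powershell
# Added example: report what is actually installed/enabled on this host.
# Run in an elevated PowerShell on the server being checked.
$Suspect = [ordered]@{
    XblAuthManager = 'Xbox Live Auth Manager'
    XblGameSave    = 'Xbox Live Game Save'
    MapsBroker     = 'Downloaded Maps Manager'
    lfsvc          = 'Geolocation Service'
    TlntSvr        = 'Telnet Server (feature, removed in newer releases)'
    TermService    = 'Remote Desktop Services (always present; see RDP check)'
}

function Get-SuspectServiceReport {
    foreach ($name in $Suspect.Keys) {
        # Absent services simply return nothing; do not treat that as an error
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Service   = $name
            Purpose   = $Suspect[$name]
            Installed = [bool]$svc
            StartType = if ($svc) { $svc.StartType } else { '-' }
            Status    = if ($svc) { $svc.Status }    else { '-' }
        }
    }
}

function Get-RdpState {
    # fDenyTSConnections = 1 means RDP is switched off regardless of any role
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $v = (Get-ItemProperty -Path $key -Name fDenyTSConnections).fDenyTSConnections
    if ($v -eq 1) { 'RDP disabled' } else { 'RDP enabled' }
}

Get-SuspectServiceReport | Format-Table -AutoSize
Get-RdpState

# The Telnet client is an optional feature, not a service (Get-WindowsFeature is
# server-only). Unknown feature names error, so suppress that and show what exists.
Get-WindowsFeature -Name 'Telnet-Client','Telnet-Server' -ErrorAction SilentlyContinue |
    Select-Object Name, InstallState

# Example remediation, commented out on purpose: disable what the build does not need,
# then fold the same change into the master image so it is not forgotten.
# Get-SuspectServiceReport | Where-Object { $_.Installed -and $_.Service -like 'Xbl*' } |
#     ForEach-Object { Set-Service -Name $_.Service -StartupType Disabled }
```

Run it against a freshly installed VM and against an image that has been through a few hands; the difference is usually the point the Adam 1 and Anonymous Coward comments above are making.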

  4. FlamingDeath Silver badge

    Die Microsoft!

    Die Microsoft! fucking DIE

    1. phuzz Silver badge

      Re: Die Microsoft!

      You could have gone for a joke along the lines of "You know what you should turn off to secure Windows? The server", but no, you went straight for the swearing.

  5. Sil

    Do you really think admins for other OSes are magically better and make fewer security-related mistakes?

  6. wyatt

    I'm sorry, leaving Telnet available? Wow. They must be poor administrators if they're doing that. As @Adam 1 says, it isn't installed by default, so that's something that has been done on purpose.

  7. Anonymous Coward
    Facepalm

    PowerShell and NoLanguage mode

    'Language modes are also a big issue. NoLanguage mode is the only safe language mode'

    So, PowerShell is safe as long as you disable all its functions.

    What is a language mode?
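For the "what is a language mode" question above, and for Liamkemp's point earlier that JEA needs nothing beyond PowerShell 5 on the box, here is an added walkthrough (mine, not from the article, Lee Holmes or any commenter) that builds a minimal JEA endpoint on a server and then connects to it. A language mode is a per-session setting that limits which script elements PowerShell will execute; a JEA endpoint created with RestrictedRemoteServer runs in NoLanguage, which means the connecting user can only invoke the commands you expose, not write script. The module name, role name, group CONTOSO\ServiceOperators, hostname srv01 and the allowed service names are my own placeholders.

```powershell
# --- Server side (elevated, PowerShell 5.1 / WMF 5 or later) ---
$ModulePath = Join-Path $env:ProgramFiles 'WindowsPowerShell\Modules\ServiceOps'
New-Item -ItemType Directory -Path "$ModulePath\RoleCapabilities" -Force | Out-Null

# 1. Role capability: the complete list of what an operator may run.
#    Restart-Service is exposed, but only for the two named services.
New-PSRoleCapabilityFile -Path "$ModulePath\RoleCapabilities\ServiceOperator.psrc" `
    -VisibleCmdlets @(
        'Get-Service',
        @{ Name = 'Restart-Service'
           Parameters = @{ Name = 'Name'; ValidateSet = 'Spooler', 'W3SVC' } }
    )

# 2. Session configuration: RestrictedRemoteServer implies NoLanguage mode.
#    RunAsVirtualAccount means the operator's own account needs no admin rights;
#    the endpoint runs as a temporary local admin only while the session lives.
#    Transcripts give you an audit trail of every command issued through it.
New-PSSessionConfigurationFile -Path "$ModulePath\ServiceOps.pssc" `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory 'C:\JEA\Transcripts' `
    -RoleDefinitions @{
        'CONTOSO\ServiceOperators' = @{ RoleCapabilities = 'ServiceOperator' }
    }

# Sanity-check the file before registering; it should report LanguageMode NoLanguage.
Test-PSSessionConfigurationFile -Path "$ModulePath\ServiceOps.pssc"
Register-PSSessionConfiguration -Name 'ServiceOps' -Path "$ModulePath\ServiceOps.pssc" -Force

# --- Client side, as a member of CONTOSO\ServiceOperators (no domain admin needed) ---
$s = New-PSSession -ComputerName 'srv01' -ConfigurationName 'ServiceOps'

# In the local shell the mode is FullLanguage; the remote endpoint is NoLanguage.
$ExecutionContext.SessionState.LanguageMode

Invoke-Command -Session $s -ScriptBlock { Get-Command }                 # only the exposed commands
Invoke-Command -Session $s -ScriptBlock { Restart-Service -Name Spooler } # allowed by ValidateSet
Invoke-Command -Session $s -ScriptBlock { Restart-Service -Name WinRM }   # rejected: not in the set
Invoke-Command -Session $s -ScriptBlock { 1 + 1 }                        # rejected: script, not a command
Remove-PSSession $s
```

"Safe as long as you disable all its functions" is close: the endpoint has no language, but it still has exactly the commands you chose to hand out, with the parameter values you chose to allow.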

  8. jMcPhee

    Tough Balance

    Windows is using the AOL business model of dumbing down its product to get wider appeal, at least for the home user product base. (Fortunately, they aren't carpet bombing us with CDs.)

    Is this carrying over to the commercial product side? Or, do they undumb server and other non-residential products?
