Securing Your Servers with Windows Defender, AppLocker, SCT and More

Malware — computer viruses, worms, Trojan horses, ransomware, spyware and so on — is a continuous threat to organizations because it can damage devices and enable unauthorized parties to access the network remotely to collect and transmit sensitive information. Windows Server 2016 includes the following tools and features to help mitigate the threat of malware:

  • Windows Defender Security Center App
  • Windows Defender Device Guard
  • Control Flow Guard
  • Software Restriction Policies (SRPs)
  • AppLocker
  • Security Compliance Toolkit

Windows Defender Security Center App

The Windows Defender Security Center app in Windows Server 2016 can help you identify and remove malware from computers and other devices in your environment. Here is some of the information and functionality it provides:

  • Virus & threat protection. Includes information about and access to antivirus settings and the Controlled folder access feature of Windows Defender Exploit Guard.
  • Device performance & health. Provides information about drivers, storage space and Windows Update.
  • Firewall & network protection. Includes information about and access to firewall settings, including Windows Defender Firewall settings.
  • App & browser control. Includes exploit-protection mitigations and Windows Defender SmartScreen settings.
  • Family options. Includes access to parental controls and family settings.

Windows Defender Device Guard

Windows Defender Device Guard is a suite of security features introduced in Windows Server 2016. When you turn it on, instead of trusting all apps except those blocked by an antivirus or other security solution, the operating system will run only the applications on a whitelist your organization defines.

Windows Defender Device Guard uses virtualization-based security to isolate the code-integrity service from the Windows kernel. Windows Defender Device Guard can block any software, even if an unauthorized user manages to take control of the operating system. You can choose exactly what can run inside your environment by using a code-integrity policy to protect your environment.

Windows Defender Device Guard is not a single feature. It’s a combination of several features, such as:

  • Virtual Secure Mode. A virtual shell that isolates the LSASS.exe process from the operating system, which reduces the risk that malicious users will compromise your users’ domain credentials.
  • Windows Defender Application Control. A Windows component that provides a rules engine to help ensure executable security.
  • Virtual Secure Mode Protected Code Integrity. Moves the Kernel Mode Code Integrity (KMCI) and Hypervisor Code Integrity (HVCI) components into virtual secure mode to harden them from attack.
  • Platform and UEFI Secure Boot. Secure Boot provides a high-value security benefit by using signatures and measurements to help protect boot-loader code and firmware from tampering.
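The following PowerShell session is an added example, not code from the original article: it checks whether virtualization-based security and HVCI are running, then builds a code-integrity policy from a reference server and deploys it in audit mode so violations are logged rather than blocked. The output folder C:\CIPolicy is an assumption; the cmdlets come from the built-in ConfigCI module.

```powershell
# Added example (not from the original article). Run elevated on a
# reference server that has only the approved software installed.
# Assumed working folder: C:\CIPolicy

# 1. Report the virtualization-based security state from WMI.
#    VirtualizationBasedSecurityStatus: 0 = not enabled, 1 = enabled but not running, 2 = running
#    SecurityServicesRunning:           1 = Credential Guard, 2 = HVCI
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
"VBS status       : $($dg.VirtualizationBasedSecurityStatus)"
"Services running : $($dg.SecurityServicesRunning -join ',')"

# 2. Scan the reference install and create rules at the Publisher level,
#    falling back to file hashes for unsigned binaries. -UserPEs includes
#    user-mode executables, not only kernel-mode code. A full C:\ scan is slow.
New-Item -ItemType Directory -Path 'C:\CIPolicy' -Force | Out-Null
New-CIPolicy -Level Publisher -Fallback Hash -UserPEs `
    -ScanPath 'C:\' -FilePath 'C:\CIPolicy\Policy.xml'

# 3. Rule option 3 is "Enabled:Audit Mode": code that the policy would block
#    is allowed to run but an event is written to
#    Microsoft-Windows-CodeIntegrity/Operational. Review those events before
#    removing the option to enforce.
Set-RuleOption -FilePath 'C:\CIPolicy\Policy.xml' -Option 3

# 4. Convert the XML to the binary form Windows enforces and place it in the
#    location Windows Server 2016 reads at boot; a reboot activates it.
ConvertFrom-CIPolicy -XmlFilePath 'C:\CIPolicy\Policy.xml' `
    -BinaryFilePath 'C:\CIPolicy\SIPolicy.p7b'
Copy-Item -Path 'C:\CIPolicy\SIPolicy.p7b' `
    -Destination "$env:windir\System32\CodeIntegrity\SIPolicy.p7b"

# 5. After the reboot, list anything the policy would have blocked.
Get-WinEvent -LogName 'Microsoft-Windows-CodeIntegrity/Operational' -MaxEvents 50 |
    Where-Object { $_.Id -eq 3076 } |
    Select-Object TimeCreated, Message
```

Event 3076 is the audit-mode "would have blocked" event; removing option 3 with Remove-RuleOption and redeploying switches the same policy to enforcement.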

Control Flow Guard

CFG is a platform security feature that helps mitigate memory-corruption vulnerabilities. CFG places restrictions on where an application can execute code, which makes it harder for malicious hackers to execute arbitrary code through common vulnerabilities, such as buffer overflows. Malicious hackers will supply uncommon input to a running program to make it perform unexpectedly; CFG monitors and checks certain aspects of a program’s control flow, including the points where execution departs from straight sequential instruction flow. The technology that supports CFG ensures that all indirect calls result in a jump to legal targets.

Software Restriction Policies (SRPs)

One of the best ways to help block malicious software and other cyber threats is to limit or restrict the software that can run in an enterprise environment.

One option is to use SRPs, which enable administrators to create rules that specify which applications can run on client devices. Rules are based on one of the following criteria:

  • Hash. The cryptographic fingerprint of the file
  • Certificate. A software publisher certificate that signs a file digitally
  • Path. The local or Universal Naming Convention (UNC) path to where the file is stored
  • Zone. The internet zone

AppLocker

AppLocker is another way to control which applications users can run. You can apply AppLocker through Group Policy to computer objects within an organizational unit (OU). You also can apply individual AppLocker rules to individual Active Directory Domain Services (AD DS) users or groups. AppLocker also contains options that you can use to monitor or audit the application of rules.

For example, you can use AppLocker to restrict software that:

  • You do not want anyone to use in your company.
  • Employees don’t use or that you have replaced with a newer version.
  • Your company no longer supports.
  • Only specific departments should use.

You can configure the settings for AppLocker at the following location in GPMC: “Computer Configuration\Policies\Windows Settings\Security Settings\Application Control Policies”.
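The following is an added example, not code from the original article: it uses the AppLocker PowerShell module to build publisher and hash rules from a reference install, switches every rule collection to audit-only so rule hits are logged instead of blocked, applies the policy locally and then tests files against it. The folder C:\Program Files as the reference set, C:\Temp as the output location, CONTOSO\alice as the test user and C:\Users\Public\Downloads as the test directory are all assumptions.

```powershell
# Added example (not from the original article). Run elevated on a
# reference computer whose installed software is the approved set.
Import-Module AppLocker

# 1. Inventory the executables under the reference directory (assumed path).
$files = Get-AppLockerFileInformation -Directory 'C:\Program Files' -Recurse -FileType Exe

# 2. Build rules for Everyone: publisher rules where files are signed,
#    hash rules as the fallback. -Optimize merges rules that share a publisher.
[xml]$doc = New-AppLockerPolicy -FileInformation $files -RuleType Publisher, Hash `
    -User Everyone -RuleNamePrefix 'Baseline' -Optimize -Xml

# 3. Set every rule collection to AuditOnly. Hits are written to
#    Applications and Services Logs\Microsoft\Windows\AppLocker, nothing is blocked.
foreach ($collection in $doc.AppLockerPolicy.RuleCollection) {
    $collection.SetAttribute('EnforcementMode', 'AuditOnly')
}

# 4. Save the XML for review and apply it to the local computer
#    (the same file can be imported into a GPO under the GPMC path given above).
New-Item -ItemType Directory -Path 'C:\Temp' -Force | Out-Null
$policyPath = 'C:\Temp\AppLocker-Audit.xml'
$doc.Save($policyPath)
Set-AppLockerPolicy -XmlPolicy $policyPath

# 5. Evaluate files in an assumed download folder as an assumed user and
#    list only those the policy would not allow, with the rule that decided.
Get-ChildItem -Path 'C:\Users\Public\Downloads' -Filter *.exe -Recurse |
    Convert-Path |
    Test-AppLockerPolicy -XmlPolicy $policyPath -User 'CONTOSO\alice' |
    Where-Object { $_.PolicyDecision -ne 'Allowed' } |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
```

Once the audit log shows no unexpected hits, change the EnforcementMode attribute to Enabled and reapply the same XML.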

Security Compliance Toolkit (SCT)

To help protect against security threats, organizations must have well-designed security policies that cover most organizational and IT-related components. Security policies should establish a baseline for a server’s fundamental security and then ensure that baseline is applied to all servers.

SCT is a set of free Microsoft tools that administrators can use to help secure the computers in their environment, regardless of whether the computers reside locally, remotely or in the cloud. You can download Microsoft-recommended security configuration baselines; test, edit and store them; and apply them to your servers. You can also compare your current GPOs with the baselines.

The main features of SCT include:

  • Policy Analyzer. Enables you to analyze and compare sets of Group Policy objects (GPOs)
  • Local Group Policy Object Utility. Helps automate management of local Group Policy, including importing settings from Group Policy backups, registry policy files, security templates, and advanced-auditing backup CSV files that the Policy Analyzer generates