security
Free Windows Server 2025 Security Advice Book
Windows Server 2025 introduces a suite of new and enhanced security features tailored to modern threats across on-premises, hybrid, and cloud environments. Microsoft has just published a Windows Server 2025 Security Advice book that is worth downloading and reading. For those responsible for Windows Server security in enterprise environments, it is a technical roadmap to the protection now built into Windows Server. Here is an overview of what the document covers:

System Hardening and Baselines
A detailed breakdown of the security baselines in Windows Server 2025 explains how to align with standards such as the CIS Benchmark and DISA STIG. It walks through deploying the baseline across the system lifecycle with tools such as PowerShell and OSConfig. This section is invaluable for those who need to balance security requirements with system performance and compatibility.

Credential Protection and Application Control
The document gives a technical overview of how virtualization-based security (VBS) isolates sensitive credentials (Credential Guard), along with application control using Windows Defender Application Control (WDAC). Advanced application control policies are discussed in a way that shows how to tailor security to specific organizational needs, which is especially useful where sensitive data and high trust levels are involved.

Silicon-Assisted Security Innovations
An explanation of Secured-core server, which leverages hardware-based protections such as TPM 2.0, Dynamic Root of Trust for Measurement (DRTM), and memory integrity (hypervisor-protected code integrity). The document explains how these components protect against increasingly sophisticated firmware and supply chain attacks.

Operational Security and Continuous Monitoring
The document demonstrates how to set up continuous monitoring, drift protection, and hybrid infrastructure management.
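As an added example (not taken from Microsoft's document), this is what the baseline deployment and drift check described above look like in practice with the Microsoft.OSConfig PowerShell module on a Windows Server 2025 member server. The scenario name, the elevated session and the placeholder setting name in the commented line are assumptions of the example; the real setting names come out of the Get-OSConfigDesiredConfiguration report.

```powershell
# Added example, not from the Windows Server 2025 Security Advice book.
# Applies the Windows Server 2025 member-server security baseline with OSConfig and
# reports every setting that currently deviates from it.
# Assumptions: Windows Server 2025, an elevated PowerShell session, PSGallery reachable.
# Other scenarios: SecurityBaseline/WS2025/DomainController, SecurityBaseline/WS2025/WorkgroupMember.

if (-not (Get-Module -ListAvailable -Name Microsoft.OSConfig)) {
    Install-Module -Name Microsoft.OSConfig -Scope AllUsers -Force
}
Import-Module Microsoft.OSConfig

$scenario = "SecurityBaseline/WS2025/MemberServer"

# Apply the baseline with Microsoft's default values. OSConfig keeps enforcing it afterwards:
# a setting changed outside OSConfig is put back at the next refresh (drift protection).
Set-OSConfigDesiredConfiguration -Scenario $scenario -Default

# Per-setting compliance report: Name, Status (Compliant / NotCompliant) and the reason.
$report = Get-OSConfigDesiredConfiguration -Scenario $scenario |
    Select-Object Name,
        @{ Name = "Status"; Expression = { $_.Compliance.Status } },
        @{ Name = "Reason"; Expression = { $_.Compliance.Reason } }

$drifted = $report | Where-Object { $_.Status -ne "Compliant" }
if ($drifted) {
    "Settings not compliant with $scenario :"
    $drifted | Format-Table -AutoSize
} else {
    "All settings in $scenario are compliant."
}

# When the baseline conflicts with a compatibility requirement, override a single setting
# instead of abandoning the baseline. <SettingName>/<Value> are placeholders: take the
# exact name from the report above.
# Set-OSConfigDesiredConfiguration -Scenario $scenario -Setting <SettingName> -Value <Value>

# Stop enforcing the baseline (this removes enforcement, it does not restore prior values).
# Remove-OSConfigDesiredConfiguration -Scenario $scenario
```

Run the report part on a schedule (or feed it to your monitoring) and a non-empty `$drifted` list is the drift alert the document talks about; the enforcement itself is handled by OSConfig.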
IT professionals will appreciate the step-by-step guidance on implementing real-time security baselines and alerts, which matter in environments that require high availability and fast incident response.

Workload Security for Virtual Machines and Containers
The document covers security enhancements specifically for virtualized environments. Virtual machine options such as Secure Boot on Generation 2 VMs and workload monitoring through Microsoft Defender for Cloud are explained in detail, helping admins understand how these features support integrity and compliance in virtualized setups.

Enhanced Network Security with Micro-Segmentation
A thorough section on Software Defined Networking (SDN) and Network Security Groups (NSGs) details how to implement micro-segmentation and enforce network isolation policies, which reduces the risk of lateral movement.

Advanced Compliance and Threat Detection
The document covers **Microsoft Sentinel** integration, showing how security alerts from Defender for Cloud can feed into Sentinel for unified threat detection and incident management.

Access the Windows Server 2025 Security Advice book. [Link fixed, 5 Feb 2025]

Step-by-Step Guide: How to use Temporary Access Pass (TAP) with internal guest users
Passwords are fundamentally weak and vulnerable to compromise. Strengthening a password only delays an attack; it does not make the password unbreakable. Multi-Factor Authentication (MFA) adds security but still depends on a password. This is why passwordless authentication is a more secure and more convenient alternative.

Source: https://learn.microsoft.com/entra/identity/authentication/media/concept-authentication-passwordless/passwordless-convenience-security.png

Microsoft Entra ID supports passwordless authentication natively, with six options:

- Windows Hello for Business
- Platform Credential for macOS
- Platform single sign-on (PSSO) for macOS with smart card authentication
- Microsoft Authenticator
- Passkeys (FIDO2)
- Certificate-based authentication

An organisation can select the options that suit its requirements. However, the initial setup requires a way to authenticate the user before other passwordless methods are onboarded. For this, we can use:

1) Existing Microsoft MFA methods
2) Temporary Access Pass (TAP)

A Temporary Access Pass (TAP) is a time-limited passcode that can be configured for single use or for multiple sign-ins. Organisations have not only internal users to manage but also guest users. Until now, TAP was only available for member (non-guest) users; guest users were not permitted to use it. This makes sense, because if guest users also need passwordless authentication, it should be set up in their home tenant. But Entra ID now supports TAP for "internal guest" users.

Internal Guests
Guest users are typically user accounts that exist in a remote tenant. However, some organisations prefer to create user accounts in their own directory but with guest-level access, typically for contractors, suppliers, vendors, and so on. These are known as 'internal guest accounts'.
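As an added example that is not part of the original post, the same result as the portal walkthrough in this post can be reached with Microsoft Graph PowerShell: confirm that TAP is enabled in the authentication methods policy, list the internal guest accounts, and issue a pass for one of them. The way internal guests are picked out (user type Guest, but a UPN in one of the tenant's own verified domains rather than a B2B #EXT# UPN) is an assumed heuristic, and the UPN contractor@contoso.com is a placeholder.

```powershell
# Added example, not from the original post. Needs the Microsoft.Graph modules and an
# account holding Authentication Policy Administrator (or higher).
Connect-MgGraph -Scopes "User.Read.All", "Policy.Read.All", "UserAuthenticationMethod.ReadWrite.All"

# 1) TAP must be enabled in Protection > Authentication methods > Policies, otherwise the
#    per-user creation below fails. Check the policy object rather than guessing.
$tapPolicy = Get-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration `
    -AuthenticationMethodConfigurationId "TemporaryAccessPass"
if ($tapPolicy.State -ne "enabled") {
    throw "Temporary Access Pass is not enabled in the tenant authentication methods policy."
}

# 2) Internal guests: userType is Guest but the account lives in this directory, so the UPN is
#    in one of the tenant's verified domains and has no '#EXT#' marker (assumed heuristic;
#    B2B collaboration guests redeemed from another tenant carry '#EXT#').
$tenantDomains = (Get-MgDomain).Id
$internalGuests = Get-MgUser -Filter "userType eq 'Guest'" -All `
        -Property Id, DisplayName, UserPrincipalName, UserType |
    Where-Object {
        $_.UserPrincipalName -notlike "*#EXT#*" -and
        $tenantDomains -contains $_.UserPrincipalName.Split('@')[-1]
    }
$internalGuests | Format-Table DisplayName, UserPrincipalName, UserType -AutoSize

# 3) Issue a TAP for one internal guest. A user can hold only one TAP at a time, and the
#    lifetime must sit inside the policy's minimum/maximum (defaults: 60 to 480 minutes).
#    Multi-use for 60 minutes gives the user room to sign in and register a passwordless method.
$upn = "contractor@contoso.com"   # placeholder internal guest UPN
$tap = New-MgUserAuthenticationTemporaryAccessPassMethod -UserId $upn `
    -LifetimeInMinutes 60 -IsUsableOnce:$false

# The pass value is returned only at creation time; deliver it out-of-band, never by e-mail
# to the same account it unlocks.
"TAP for {0}: {1} (valid {2} min from {3}, single use: {4})" -f `
    $upn, $tap.TemporaryAccessPass, $tap.LifetimeInMinutes, $tap.StartDateTime, $tap.IsUsableOnce

# 4) Confirm the method is registered (the pass value itself is not readable after creation).
Get-MgUserAuthenticationTemporaryAccessPassMethod -UserId $upn |
    Format-Table Id, StartDateTime, LifetimeInMinutes, IsUsableOnce, MethodUsabilityReason

# Revoke early if the user no longer needs it:
# Remove-MgUserAuthenticationTemporaryAccessPassMethod -UserId $upn -TemporaryAccessPassAuthenticationMethodId $tap.Id
```

The Graph route is useful when onboarding contractors in bulk: loop step 3 over `$internalGuests` and hand each pass to its owner through a channel that is not the account being bootstrapped.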
Internal guest accounts were also used for guest users in the past, before B2B collaboration was available. In this demo I am going to demonstrate how to use TAP with an internal guest user.

Enable TAP as an authentication method
Before we configure TAP for a user, we need to make sure TAP is enabled as an authentication method. To do that:

1) Log in to the Entra portal as an Authentication Policy Administrator or higher.
2) Navigate to Protection > Authentication methods > Policies.
3) Click Temporary Access Pass.
4) Ensure it is enabled and the target is defined. If not, make the necessary changes and click Save.

Create a TAP for the internal guest user
I already have an internal guest user for this task. As you can see below, the user type is Guest, but the user still belongs to the same tenant. To create the TAP:

1) In the Entra ID users list, click the selected user to open the user's properties.
2) Click Authentication methods.
3) Click + Add authentication method.
4) From the drop-down, select Temporary Access Pass.
5) In the settings window, make the adjustments required and click Add.

It creates the TAP as expected.

Testing
To verify the configuration, I am attempting to log in as the test user. This is the user's very first login. As expected, the initial login prompts for the TAP. After a successful login, it allows me to configure the account with passwordless authentication. As we can see, TAP for internal guests is working as expected.

Step-By-Step: Enabling Advanced Security Audit Policy via Directory Services Access
Active Directory is one of the most impactful services in an organization. Even small changes in an organization's AD can cause a major business impact. Preventing unauthorized access and unplanned changes in an AD environment should be top of mind for any system administrator. If changes or unauthorized access did happen in your AD environment, would you have enough information to answer questions such as what has changed?