Windows Server 2019 Inside Out

Fair Use Commentary Text of Windows Server 2019 Inside Out Chapter 1

Chapter 1

Administration tools

Remote not local

Privileged Access Workstations

Windows Admin Center

Remote Server Administration Tools

PowerShell

Remote Desktop

SSH

You can use a variety of tools to manage Windows Server 2019. Some, such as PowerShell, the Microsoft Management Consoles, and Server Manager, are built into the operating system. Others, such as Windows Admin Center, you’ll need to download for free from Microsoft’s website.

Microsoft’s general systems administration philosophy is that while you can do almost everything with a graphical console such as Windows Admin Center, Active Directory Administrative Center, or the Server Manager console, any task that you do repeatedly should be automated using Windows PowerShell. Microsoft best practice is that almost all administration tasks should be performed remotely rather than by signing in directly to the server and performing them locally.

In this chapter, we’ll look at how you can perform administration tasks remotely, what to consider when putting together your remote administration toolkit, and the various tools that you can use to remotely administer Windows Server 2019.

Remote not local

Windows Server is designed to be administered remotely rather than locally. This “remote first” philosophy shouldn’t come as a surprise to experienced administrators. The vast majority of Windows Server instances run as virtual machines, either in datacenters or in the cloud, and we are long past the days when switching between the servers you were working on meant selecting a different port on a KVM switch.

You need to be familiar with how to use your tools remotely. You should avoid signing in to each server individually using Remote Desktop and firing up the console that is relevant to the role or feature that you want to manage. You should also avoid using Remote Desktop to connect to a server just to run a PowerShell script.

The main reason you should avoid Remote Desktop is that it only allows you to interact with one server at a time. Consider the amount of time that it takes to perform a task, such as resetting the password of an unprivileged local user account on 100 different servers. If you were doing it using Remote Desktop, you’d have to connect to each server individually, change the password, sign off, and move on to the next server. If you were doing it by leveraging PowerShell’s remote functionality, you might be able to accomplish the same goal with a single script that you could write and execute in a fraction of the time.
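The password-reset scenario above, written out as an added PowerShell example (this is not code from the book). It assumes WinRM is enabled on the target servers, that you run it from a PAW with an account that is a local administrator on each server, and that the server list file and the account name are constructed for illustration. It deliberately refuses to touch accounts that are members of the local Administrators group, since the scenario is about unprivileged accounts.

```powershell
# Added example: reset one unprivileged local account's password on many servers
# with PowerShell remoting instead of an RDP session per server.
# Assumptions (constructed for this example): C:\Admin\servers.txt lists one hostname
# per line, and 'svc-monitor' is the unprivileged local account to reset.
$servers = Get-Content -Path 'C:\Admin\servers.txt'
$account = 'svc-monitor'

# Prompt once; the password never appears in the script file or the command history.
$newPassword = Read-Host -Prompt "New password for $account" -AsSecureString

# One remoting fan-out; failures on individual hosts are reported, not fatal.
$results = Invoke-Command -ComputerName $servers -ThrottleLimit 32 -ErrorAction Continue -ScriptBlock {
    param($name, $password)

    $user = Get-LocalUser -Name $name -ErrorAction SilentlyContinue
    if (-not $user) {
        return [pscustomobject]@{ Server = $env:COMPUTERNAME; Status = 'AccountNotFound' }
    }

    # Safety check: skip the account if it is a local administrator on this server.
    $admins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue
    if ($admins.Name -contains "$env:COMPUTERNAME\$name") {
        return [pscustomobject]@{ Server = $env:COMPUTERNAME; Status = 'SkippedPrivileged' }
    }

    Set-LocalUser -Name $name -Password $password
    [pscustomobject]@{ Server = $env:COMPUTERNAME; Status = 'Changed' }
} -ArgumentList $account, $newPassword

# Summary table: which servers changed, which were skipped, which lacked the account.
$results | Sort-Object Server | Format-Table Server, Status -AutoSize
```

The SecureString is passed through -ArgumentList rather than converted to plain text; PowerShell remoting protects it with the session key in transit. Servers that do not answer show up as Invoke-Command errors rather than rows in the table, so compare the row count against the input list before declaring the job done.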

Inside OUT

Automate where possible

Automate your tasks where possible and when it makes sense. Understand that you won’t be able to automate everything. Concentrate on automating what you can. In the long run, automation will reduce the amount of time that you spend on tasks that you know how to do. It will also allow you to spend more time figuring out how to perform those complex tasks you don’t know how to do or that resist automation.

Privileged Access Workstations

Servers are only as secure as the computers that you use to manage them. An increasing number of security incidents have occurred because a privileged user’s computer was infected with malware and that computer was then used to perform server administration tasks. Privileged Access Workstations (PAW) are specially configured computers that you use to perform remote administration tasks. The idea of a PAW is that you have a computer with a locked-down configuration that you only use to perform server administration tasks. You don’t use this computer to read your email or browse the Internet; you just use it to perform server administration tasks.

Consider configuring a PAW in the following way:

Configure Windows Defender Application Control (Device Guard) to allow only specifically authorized and digitally signed software to run on the computer.

Configure Credential Guard to protect credentials stored on the computer.

Use BitLocker to encrypt the computer’s storage and protect the boot environment.

The computer should not be used to browse the Internet or to check email. Server administrators should have completely separate computers to perform their other daily job tasks. Block Internet browsing on the PAW both locally and on the perimeter network firewall.

Block the PAW from accessing the Internet. Software updates should be obtained from a dedicated secure update server on the local network. External tools should be obtained from another computer and transferred to the PAW.

Server administrators should not sign in to the PAW using an account that has administrative privileges on the PAW. In Chapter 19, “Hardening Windows Server and Active Directory,” you’ll learn about using secure account forests to improve account security.

Only specific user accounts used by server administrators should be able to sign in to the PAW. Consider additional restrictions such as sign-in hours. Block privileged accounts from signing in to computers that are not PAWs or servers to be managed, such as the IT staff’s everyday work computers.

Configure servers to only accept administrator connections from PAWs. This can be done through Windows Defender Firewall with Advanced Security.

Use configuration-management tools to monitor the configuration of the PAW. Some organizations rebuild PAWs entirely every 24 hours to ensure that configurations are not altered. Use these tools to restrict local group membership and ensure that the PAW has all appropriate recent software updates applied.

Ensure that audit logs from PAWs are forwarded to a separate secure location.

Disable the use of unauthorized storage devices. For example, you can configure policies so that only USB storage devices that have a specific BitLocker organizational ID can be used with the computer.
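Two of the recommendations above can be put into practice directly from PowerShell: scoping a server’s management ports so that only PAWs can reach them, and checking that a PAW actually has Credential Guard, BitLocker and Internet blocking in place. The following is an added example, not code from the book; the PAW addresses, the egress probe host and the function names are constructed for this illustration. Restrict-ManagementPortsToPaws runs on a managed server; Test-PawBaseline runs on the PAW itself.

```powershell
# Added example (not from the book). Constructed PAW addresses for illustration.
$pawAddresses = @('10.10.50.10', '10.10.50.11')

function Restrict-ManagementPortsToPaws {
    # Run on a managed server: only the PAWs may reach WinRM and Remote Desktop.
    param([string[]]$PawAddresses)

    # Default-deny inbound on the domain profile, then re-scope the built-in
    # management rule groups from "Any" remote address to the PAW list.
    Set-NetFirewallProfile -Profile Domain -DefaultInboundAction Block

    Get-NetFirewallRule -DisplayGroup 'Windows Remote Management' |
        Set-NetFirewallRule -RemoteAddress $PawAddresses

    Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
        Set-NetFirewallRule -RemoteAddress $PawAddresses

    # Return the effective scope so the change can be reviewed or logged.
    Get-NetFirewallRule -DisplayGroup 'Windows Remote Management', 'Remote Desktop' |
        Get-NetFirewallAddressFilter |
        Select-Object InstanceID, RemoteAddress
}

function Test-PawBaseline {
    # Run on the PAW: report the state of three controls from the list above.

    # Credential Guard: Win32_DeviceGuard lists running security services;
    # the value 1 means Credential Guard is running.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    $credGuardRunning = $dg.SecurityServicesRunning -contains 1

    # BitLocker on the operating system volume.
    $osVolume = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $bitLockerOn = $osVolume.ProtectionStatus -eq 'On'

    # A PAW should not reach the Internet; a successful connection is a finding.
    # The probe host is constructed for this example.
    $egressReachable = Test-NetConnection -ComputerName 'www.example.com' -Port 443 `
        -InformationLevel Quiet -WarningAction SilentlyContinue

    [pscustomobject]@{
        CredentialGuardRunning = $credGuardRunning
        BitLockerOnOsVolume    = $bitLockerOn
        InternetEgressBlocked  = -not $egressReachable
    }
}

# On a managed server:
# Restrict-ManagementPortsToPaws -PawAddresses $pawAddresses
# On the PAW:
# Test-PawBaseline
```

Apply the firewall change through a configuration-management tool or Group Policy rather than by hand so that a rebuilt server comes up already scoped; the point of the list above is that the PAW set is small and known, so the allow-list stays short. The baseline check is intentionally read-only and returns an object, which makes it easy to run on a schedule and forward the result to the same separate log location as the PAW’s audit logs.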

fair_use_commentary_text_of_windows_server_2019_inside_out_chapter_1.txt · Last modified: 2024/04/28 03:23 (external edit)