We are still in an on-premises world, as Microsoft has recently acknowledged. The company announced an increase in its security bug bounty for on-premises Exchange, SharePoint, and other Office servers. Some of the most concerning recent attacks to on-premises servers have not been against Windows or web servers but rather SharePoint and especially Exchange servers.
Security researchers have long complained that Exchange on-premises servers received too little financial award to find security issues. This came to a head in March 2021 when the Hafnium attack targeted Exchange on-premises servers. The attack was so impactful that even the U.S. federal government reached out and “patched” impacted Exchange servers.
ProxyLogon and ProxyShell were discovered by Orange Tsai, who presented on the Exchange bugs at BlackHat. He said that Microsoft was not incentivizing researchers to look into these important legacy products. Clearly, Microsoft got the message as they are now including these products in their bug bounty program.
Many legacy servers are still in the mix, including Windows Server 2012 R2 and Windows Server 2016. They may not be all physical machines. If you are like me, most of your servers are HyperV servers of various roles and ages. For Server 2012 R2, you need to be planning now for its ultimate demise on October 10, 2023. Plan now for upgrading to either a newer operating system or converting the services and roles on that server to something on a cloud platform. Always keep in mind that a platform’s services and roles may make sense in a location other than where it’s at now.
On-premises features of Microsoft Defender for Servers
Microsoft also knows that we still have quite a few resources still on traditional servers and not in Azure or other cloud services. Case in point is Microsoft Defender for Servers, which just went to general availability as of April 11, 2022. It brings the Microsoft Defender for Endpoint on Windows Server 2019 down to these older platforms of Server 2012 R2 and Server 2016. The deployment allows you to use Group Policy, PowerShell commands and Microsoft Endpoint Configuration Manager to manage the deployment.
If you use Microsoft Defender for Endpoint, you may already have seen alerts in its console that those machines that are not protected.
Susan BradleyDefender for Servers identifies those areas that may be at risk for attack. It is designed to identify the following risks and improve recommendations:
- Initial access: Servers are often the first point of entry for motivated attackers. The ability to monitor signs of entry via publicly facing, vulnerable services is critical.
- Credential access: Servers often contain sensitive credentials in memory from administrator maintenance or other activities. Enhanced memory protections help identify potential credential theft activities.
- Lateral movement: Improved user logon activity allows better mapping of attempted movement across the network to or from servers.
- Defense evasion: Improved hardening via tampering protection provides security controls the best chance of preventing ransomware’s most harmful effects on high value assets, such as servers.
If you currently use a third-party antivirus solution, you may need to take additional actions to integrate Defender for Servers. Defender is typically disabled when a third-party antivirus is installed.
Two new licenses are offered for Defender for Servers. Microsoft Defender for Servers Plan 2, formerly Defender for Servers, and Microsoft Defender for Servers Plan 1, including support for Defender for Endpoint only. As Microsoft notes, “Microsoft Defender for Servers Plan 2 continues to provide, complete protections from threats and vulnerabilities to your cloud and on-premises workloads, Microsoft Defender for Servers Plan 1 provides endpoint protection only, powered by Microsoft Defender for Endpoint and natively integrated with Defender for Cloud.”
One thing you will note when you onboard servers to the service is that servers are often just as “chatty” as workstations. One of the features of Defender is a “timeline” that showcases what is going on with the system. Often it can showcase unusual actions before they start.
Susan BradleyMicrosoft Defender for Servers on AWS and GCP
If you deploy servers in Amazon Web Services (AWS) or Google Cloud Platform (GCP), you can use Defender for Servers to protect and analyze servers anywhere and monitor the servers from the same console. It also provides recommendations to better harden and and defend servers. For example, in the recommendations section it identifies recommendations that each platform can support.
The recommendations are often ones that we overlook on older devices—for example, setting Remote Desktop security level to TLS. This provides more protection to the remote connection. To follow the recommended changes, set the following adjustments in the registry:
Option 1
Set the following Group Policy to the value: SSL (TLS 1.0):
Computer ConfigurationAdministrative TemplatesWindows ComponentsRemote Desktop ServicesRemote Desktop Session HostSecurityRequire use of specific security layer for remote (RDP) connections
Option 2
Set the following registry value to the REG_DWORD value of “2”:
HKLMSYSTEMCurrentControlSetControlTerminal ServerWinStationsRDP-TcpSecurityLayer
Another Defender recommendation is a setting to Enable Local Security Authority protection. Set the following registry value to “1”:
HKLMSYSTEMCurrentControlSetControlLsaRunAsPPL
Server message block (SMB) file sharing is an older platform that exposes the network to attackers using known collision attacks to gain access. Defender for Servers flags those servers that are still using insecure and legacy communication profiles.
The recommendation is to disable SMBv1 support, which may prevent access to file or print sharing resources with systems or devices that only support SMBv1. SMBv1 is a legacy protocol that uses the MD5 algorithm as part of SMB. MD5 is known to be vulnerable to attacks such as collision and pre-image attacks as well as not being FIPS compliant.
We will have on-premises for quite a few years in the future. Use these resources to better protect yourself and your network to ensure you are protected from attackers that know we have these servers as well.
Copyright © 2022 IDG Communications, Inc.
