Understanding Windows Server management tools

There are many tools available for Windows Server that are useful for both managing and securing the infrastructure. Management technologies were traditionally developed for on-premises deployments, but now, with cloud-based SaaS offerings, it seems the available solutions are growing exponentially. Microsoft offers solutions for enterprise-grade management through its System Center suite of tools such as Operations Manager (SCOM) and Configuration Manager (SCCM). There are also third-party paid solutions from companies such as ConnectWise, SolarWinds, and CA Technologies, to name a few. Each offers a different feature set, depending on your management needs and varying price points. In this section, we will review the more common built-in tools available in Windows Server, including Server Manager, Event Viewer, and Windows Server update services for patch management. Then, we will discuss Windows Admin Center and how it can be used to help transition workloads into the Azure cloud.

Introducing Server Manager

Server Manager was introduced in Server 2008. It provides a centralized management tool for servers and can support up to 100 remote servers. The number of remote servers will vary, depending on their workload system performance of the server running it. Server Manager can also be installed on a workstation computer with Remote Server Administration Tools (RSAT). To remotely manage servers, remote management must be enabled through Server Manager or with PowerShell. This is enabled by default in Windows 2012 and later. A list of tasks that can be completed through Server Manager include the following:

• Create, edit, or add custom server groups or pools of servers and clusters.
• Install, uninstall, or make changes to roles and features on both the local and remote servers.
• Open management tools such as Computer Management, Windows PowerShell, Registry Editor, and other MMC tools.
• Start and stop services, identify events, and collect performance data for analysis.
• Restart servers.
• Export settings to be imported on another system.

To add remote servers to Server Manager from the Dashboard view, right-click All Servers and choose Add Servers. Once servers have been added, all the roles that are capable of being managed will be added to the left-hand column. These roles are now available for management from a centralized point. Creating a server group will create a link on the left column for quick access to different sets of servers. The following screenshot shows the MyServers server group:

Figure 3.7 – A custom server group named MyServers, useful for quick access

Server Manager is a great place to view events, services, and performance from a single application. Events can be viewed and configured from every page except the dashboard. Certain event logs such as application logs are selected by default and include Critical, Error, and Warning severity levels, but they can be customized to fit your needs. The thumbnail alerts can be configured to include other events, and different severities can be included in alert highlighting. Only critical events are highlighted by default.

Using the Best Practices Analyzer (BPA)

The Best Practices Analyzer (BPA) tool is used to help reduce vulnerabilities by scanning the configured roles and comparing your configurations to what experts believe to be best practice guidelines. BPA can be executed from Server Manager as well as through Windows PowerShell. After the scan completes, the results can be viewed. These show whether a role is compliant with these best practices. The summary outlines the problem in detail, as well as list the impact and resolution steps. This can be seen in the following screenshot:

Fig 3.8 – Results from a BPA scan on Windows Server 2016 showing misconfigurations

For more information, please go to https://docs.microsoft.com/en-us/windows-server/administration/server-manager/run-best-practices-analyzer-scans-and-manage-scan-results.

Next, we'll look at using Event Viewer and examine common event IDs.

Looking at Event Viewer

Event Viewer is used to view log files from applications, including security and system-related events. Events are separated into error, warning, and informational events, which can also be useful for troubleshooting performance issues. PowerShell can be used to query events and Event Viewer can be used to view logs from remote computers. Event Viewer can be opened by using Windows Search and typing in Event Viewer. Once opened, to view logs from a remote computer, right-click on Event Viewer (local) at the top of the tree and choose Connect to Another Computer….

Event Viewer can also be used for automating actions. Using Attach a Task to this Event action, a basic scheduled task can be created and run based on a specific event.

Tip

Event Viewer is very important for monitoring Windows events from a security perspective. Security professionals should pay close attention to sources from login activities, application crashes, network firewall rule changes, clearing of event logs, audit policy changes, and group policy changes.

Security-specific logs can be found in Windows Logs > Security. The following screenshot shows Event ID 4624, which indicates a successful logon. This Event ID contains a lot of information, including the Logon Type, account information, and network information about the user who has logged on:

Figure 3.9 – Event 4624, successful logon in Event Viewer

There are common security events to look for under Windows Logs > Security that could indicate an attacker attempting to grant access rights or access the system. While these event IDs are normal and typically do not indicate an attack, in the event a compromise was recognized, they are useful to mention and can help build a picture around the attack's timing and provide additional details during analysis:

• 4625: Audit Failure Logon
• 4624: Audit Success Logon
• 4648: Login with explicit credentials
• 4735: Security-Enabled local group was changed
• 4728, 4732, and 4756: Member added to a security group
• 4740: Account Lockout
• 1102:Log Clear may indicate an evasive tactic by an attacker

Event ID 4624 includes a logon type field, which is useful for identifying how an account has logged into the system. The following table demonstrates the different logon types that are associated with Event ID 4624:

Figure 3.10 – Logon types for Event ID 4624

Windows Defender Event Viewer logs are useful for security monitoring and can be found under Applications and Services Log > Microsoft > Windows > Windows Defender. Interesting event IDs, including those for canceling or pausing malware protection scans, could indicate a malicious actor, prevalence of malware, or warrant further investigation.

Important note

Further reading on Windows Defender antivirus event IDs can be found at https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus.

From an operational perspective, especially when a security operations center (SOC) needs to monitor many systems, looking at Event IDs on servers inpidually isn't the most effective method. It is recommended to incorporate a security information and event management (SIEM) solution to better track and analyze event logs. Examples of a SIEM solution include Microsoft's security monitoring tools such as Azure Sentinel, Defender Advanced Threat Protection, Cloud App Security, and Azure Security Center or third-party tools such as Splunk, which can be used for log repositories and analysis. We'll cover SIEM tools and security monitoring in more detail in Chapter 11, Security Monitoring and Reporting, and Chapter 12, Security Operations.

Next, let's look at how to leverage Windows Server Update Services to manage security updates and patch vulnerabilities in the operating system.

Using Windows Server Update Services

Windows Server Update Services (WSUS) is used to keep standard security patch levels across your servers. In some instances, maintaining the same patch level is critical for applications to run, and relying on the standalone Windows Updates service doesn't suffice for this level of control. WSUS allows you to approve updates and choose when to deploy them. In a simple WSUS architecture, the WSUS downstream server talks to the Microsoft Update upstream server to act as the intermediary. Using a centralized console allows administrators to download critical updates, security patches, rollups, service packs, feature packs, Microsoft product updates, and antivirus definition files. Computers can be grouped together and targeted for a deployment.

For most deployments, WSUS requires minimal processing power on the host computer to operate and a single WSUS instance can host upward of 100,000 clients. For environments greater than 100,000 clients, multiple WSUS servers can be deployed by using a load balancer frontend. A single SQL server database will need to be deployed and shared by each WSUS instance if you're using a single centralized WSUS management solution to serve multiple locations and branch offices.

From a firewall perspective, clients connect to WSUS over HTTP/TCP port 8530. It is recommended to secure communications by deploying a custom SSL for clients to connect HTTPS/TCP over port 8531. IIS is required if you wish to use WSUS in both scenarios:

Figure 3.11 – List of security updates available for approval in the WSUS management console

Windows Defender Antivirus is the AV solution built into Windows 10 and Windows Server 2016 and later. If you're using WSUS, definition updates need to be scoped and downloaded from Microsoft Updates. Administering definition updates works similarly to Windows Updates and will require approval before your endpoints receive them. Consider creating automatic approvals for antivirus definition updates to ease the administrative overhead required to manage WSUS. Automatic Approvals allow you to automatically approve the installation for new updates for specified groups of systems.

WSUS can also deploy third-party updates for commonly used software such as Adobe Reader. Combining WSUS with a Configuration Manager software update point allows you to create a third-party software update catalog. Here, you can subscribe to a partner catalog that's connected to various software vendors that have partnered with Microsoft for releasing updates to their products. We will cover Configuration Manager in more detail in Chapter 4, End User Device Management, and Chapter 8, Administration and Remote Management. WSUS can be enhanced further by leveraging a cloud solution called Azure Automation Update Management. Update Management can manage updates for Windows and Linux systems hosted in Azure and on-premises directly with the Azure portal. This service supports Windows server downward to 2008 R2 and will be covered in more detail later in this chapter and in Chapter 10, Keeping Your Windows Server Secure.

As discussed in Chapter 1, Fundamentals of Windows Security, here are some helpful links for staying up to date on security updates:

• Microsoft Security Update Guide: https://portal.msrc.microsoft.com/en-us/security-guidance.

  Patch Tuesday Dashboard: https://patchtuesdaydashboard.com/.

• Information about CVE: https://cve.mitre.org/about/index.html.

In the next section, we will look at Windows Admin Center, a recently released tool that can help manage your servers.

Introducing Windows Admin Center

Windows Admin Center was released in April 2018 and provides an alternative to classic MMC and other remote management tools. Windows Admin Center is a browser-based tool that can be installed on Windows 10 or Windows Server 2016+. It supports the management of servers down to 2008R2 but may have limited functionality. No agents are required, and the UI frontend is fully built on WMI with PowerShell over WinRM to execute operations. To support down-level servers, Windows Management Framework (WMF) 5.1 is required. More information, including how to install MSI, can be downloaded from https://aka.ms/WindowsAdminCenter.

Tip

Windows Admin Center runs in HTML 5 and requires Microsoft Edge or Google Chrome browser to run on Windows Server. It cannot be installed directly on a domain controller.

Windows Admin Center's tools include Active Directory, DHCP, DNS, Firewall, Remote Desktop, Roles and Features, Scheduled Tasks, and Updates, to name a few. Many more features are available through extensions, including support for third-party developers.

Windows Admin Center can be used to manage on-premises and IaaS servers. It is included for free with your Windows Server license. A real piece of added value is that it allows you to shift on-premises workloads to Azure directly from the UI. With the appropriate tenant details and permissions, you can deploy and configure the Azure services directly through Windows Admin Center without having to open the Azure portal.

The Azure services available through Windows Admin Center include the following:

• Azure Site Recovery
• Azure Backup
• Azure File Sync
• Azure Monitor
• Azure Update Management
• Azure Active Directory Authentication

Windows Admin Center can be fully integrated with Azure Active Directory for authentication and supports MFA. The following screenshot shows the overview pane of Windows Admin Center:

Fig 3.12 – Overview page of Windows Admin Center in Google Chrome

Next, let's look at Azure services that are useful for managing Windows Server environments.