Archive for the ‘Preview’ Category

Windows Server 2025 Security Baseline Preview

September 30, 2024

With Windows Server 2025 getting closer to GA, Microsoft recently announced the Windows Server 2025 Security Baseline Preview (beginning with build 26296 -> register as insider -> download).

With the new security baseline for Windows Server we get some major changes in security management:

  • apply baselines for individual machines:
    • PowerShell cmdlets (available in Microsoft.OSConfig)
    • Windows Admin Center (WAC)
  • apply and monitor baselines at-scale:
    • Azure Policy and Azure Automanage Machine Configuration

The WAC, Azure Policy and Azure Automanage Machine Configuration experiences will be released soon to the Windows Insider Program and will work only with Windows Server 2025.

At the core of the new security baseline is the Microsoft.OSConfig PowerShell Desired State Configuration (DSC) module. (There is also a Linux version with a similar name and capabilities: Azure OSConfig.) Because we are going to use DSC to apply the security defaults, the settings that we want to enforce are automatically protected from drift. DSC also lets us use a declarative model for system configuration management: we define the end state and the DSC module knows how to get there.

The current version (0.1.201) of the Microsoft.OSConfig DSC module has four functions that we can use:

  • Get-OSConfigMetadata
  • Get-OSConfigDesiredConfiguration
  • Remove-OSConfigDesiredConfiguration
  • Set-OSConfigDesiredConfiguration

and three aliases (that we probably shouldn’t be using):

  • osc-get
  • osc-remove
  • osc-set

To apply security defaults, we choose from four baseline scenarios:

  • AppControl
  • Defender\Antivirus (48 settings)
  • SecuredCore (3 settings -> UEFI MAT, Secure Boot, Signed Boot Chain)
  • SecurityBaseline (329 settings -> Account and password policies, Credentials Protections, Protocol defaults, Security Policies and Security Options, …)

CSV files (reports) with details for the above scenarios are available on GitHub.

Peeking into the SD subfolder of the current version of the Microsoft.OSConfig DSC module reveals a few more details about the supported scenarios:

  • AppControl
  • AppControl_AzureStackHCI_DefaultPolicy_Audit
  • AppControl_AzureStackHCI_DefaultPolicy_Enforce
  • AppControl_WS2025_AppBlockList_Audit
  • AppControl_WS2025_AppBlockList_Enforce
  • AppControl_WS2025_DefaultPolicy_Audit
  • AppControl_WS2025_DefaultPolicy_Enforce
  • Defender_Antivirus
  • SecuredCore
  • SecuredCoreState
  • SecurityBaseline_AzureStackHCI
  • SecurityBaseline_AzureWindowsBaseline
  • SecurityBaseline_WS2025_DomainController
  • SecurityBaseline_WS2025_MemberServer
  • SecurityBaseline_WS2025_WorkgroupMember

After we install the prerequisites:
Install-PackageProvider NuGet, PowerShellGet -Force
we can install OSConfig module:
Install-Module -Name Microsoft.OSConfig -AllowPrerelease -Scope AllUsers -Repository PSGallery -Force
Get-Module -ListAvailable -Name Microsoft.OSConfig

To apply the Security Baseline via PowerShell cmdlets we run Set-OSConfigDesiredConfiguration (for the new configuration to take effect, we then have to restart the device):

  • On domain-joined device:
    Set-OSConfigDesiredConfiguration -Scenario SecurityBaseline\WS2025\MemberServer -Default
  • On workgroup device:
    Set-OSConfigDesiredConfiguration -Scenario SecurityBaseline\WS2025\WorkgroupMember -Default
  • On domain controller device:
    Set-OSConfigDesiredConfiguration -Scenario SecurityBaseline/WS2025/DomainController -Default
  • For Secured-core configuration:
    Set-OSConfigDesiredConfiguration -Scenario SecuredCore -Default
  • For Defender Antivirus configuration:
    Set-OSConfigDesiredConfiguration -Scenario Defender\Antivirus -Default

The Set-OSConfigDesiredConfiguration cmdlet includes a few additional nice-to-have parameters that we can use when we apply a security baseline:

  • Name & Value -> custom value for a specific setting
  • Name & Default -> use the default value of the setting
  • Version -> apply a specific version (the current module has one version per scenario)

If we want to customize a specific setting in the baseline, we can run:
Set-OSConfigDesiredConfiguration -Scenario SecurityBaseline\WS2025\MemberServer -Name AuditDetailedFileShare -Value 3
or
Set-OSConfigDesiredConfiguration -Scenario SecurityBaseline\WS2025\MemberServer -Name RemoteDesktopServicesDoNotAllowDriveRedirection -Value 0

Verify the custom setting:
Get-OSConfigDesiredConfiguration -Scenario SecurityBaseline\WS2025\MemberServer -Name AuditDetailedFileShare
or
Get-OSConfigDesiredConfiguration -Scenario SecurityBaseline\WS2025\MemberServer -Name RemoteDesktopServicesDoNotAllowDriveRedirection

To view the compliance of the applied Security Baseline we can use:
Get-OSConfigDesiredConfiguration -Scenario SecuredCoreState
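The whole procedure above (prerequisites, module install, baseline per machine role, the two custom settings, read-back and the compliance view) as one script. This is an added example, not code from the original post or from the Microsoft.OSConfig module; it assumes a Windows Server 2025 preview build, an elevated session, the preview module from the PSGallery, and it uses the Win32_ComputerSystem DomainRole value to pick the scenario (that role lookup is my addition, not something the post describes).

```powershell
# Added example: roll out the Windows Server 2025 security baseline with
# Microsoft.OSConfig, choosing the scenario from the machine's domain role and
# applying the same two overrides the post customizes. Requires a restart
# afterwards, as the post notes.
#Requires -RunAsAdministrator

function Install-OSConfigModule {
    # Prerequisites and module install, as in the post.
    Install-PackageProvider -Name NuGet, PowerShellGet -Force | Out-Null
    Install-Module -Name Microsoft.OSConfig -AllowPrerelease -Scope AllUsers -Repository PSGallery -Force
    Import-Module -Name Microsoft.OSConfig
    Get-Module -ListAvailable -Name Microsoft.OSConfig
}

function Get-BaselineScenario {
    # Win32_ComputerSystem.DomainRole: 0/1 workstation, 2 standalone server,
    # 3 member server, 4 backup DC, 5 primary DC (assumed mapping to scenarios).
    $role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
    switch ($role) {
        { $_ -in 4, 5 } { 'SecurityBaseline\WS2025\DomainController' }
        3               { 'SecurityBaseline\WS2025\MemberServer' }
        default         { 'SecurityBaseline\WS2025\WorkgroupMember' }
    }
}

function Invoke-BaselineRollout {
    param(
        [string]$Scenario = (Get-BaselineScenario),
        # Per-setting overrides; these two are the ones the post customizes.
        [hashtable]$Overrides = @{
            AuditDetailedFileShare                          = 3
            RemoteDesktopServicesDoNotAllowDriveRedirection = 0
        },
        [switch]$IncludeSecuredCore,
        [switch]$IncludeDefender
    )

    Write-Host "Applying $Scenario with default values"
    Set-OSConfigDesiredConfiguration -Scenario $Scenario -Default

    foreach ($name in $Overrides.Keys) {
        Write-Host "Overriding $name = $($Overrides[$name])"
        Set-OSConfigDesiredConfiguration -Scenario $Scenario -Name $name -Value $Overrides[$name]
    }

    if ($IncludeSecuredCore) { Set-OSConfigDesiredConfiguration -Scenario SecuredCore -Default }
    if ($IncludeDefender)    { Set-OSConfigDesiredConfiguration -Scenario Defender\Antivirus -Default }

    # Read each override back so the change is confirmed before the reboot.
    foreach ($name in $Overrides.Keys) {
        Get-OSConfigDesiredConfiguration -Scenario $Scenario -Name $name
    }

    # Secured-core compliance view from the post. The output's property names
    # depend on the module version, so it is displayed rather than filtered.
    if ($IncludeSecuredCore) {
        Get-OSConfigDesiredConfiguration -Scenario SecuredCoreState | Format-Table -AutoSize
    }

    Write-Warning 'Restart the server for the desired configuration to take effect.'
}

# Usage (elevated PowerShell on Windows Server 2025):
# Install-OSConfigModule
# Invoke-BaselineRollout -IncludeSecuredCore -IncludeDefender
```

The scenario names use backslashes throughout, matching the member-server and workgroup commands in the post; the overrides are applied after the baseline so that a later `-Default` run does not silently revert them without the read-back showing it.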

More info, including impact and some known issues, is available in the official announcement.

Windows Server 2025 – preview build 26080

March 18, 2024

Last week, on the 13th of March, Microsoft announced (RSS) a new preview release of Windows Server 2025 (Windows Server Long-Term Servicing Channel (LTSC), build 26080). This preview build contains both the Desktop Experience and Server Core installation options for the Datacenter and Standard editions, plus the Annual Channel for Container Host and Azure Edition (for VM evaluation only):

To download the evaluation version (build 26080 will expire after September 15, 2024) of the new Windows Server 2025, go to Windows Insider Preview Downloads. To download preview Server versions, you need to be a member of the Windows Insider program. If you are not yet an insider, you can register for free here.

Besides the English (US) version, you can also test the server in a few other languages:

Two of the most interesting changes in this new release are:

  • the Win32-OpenSSH server component is now installed by default,
  • winget in Windows Server with Desktop Experience.

Starting in Windows Server 2025, the Win32-OpenSSH server-side component (SSHD) ships installed by default; when needed, it just has to be enabled or disabled:

By default, when SSH is enabled, it allows inbound connections on private networks only, on the default TCP port 22. The new local group “OpenSSH Users” can be used to allow remote connectivity for non-admin users.

The enable command that is executed in the background:
Get-Service -Name sshd | Set-Service -StartupType Automatic -PassThru | Start-Service

The disable command that is executed in the background:
Get-Service -Name sshd | Set-Service -StartupType Manual -PassThru | Stop-Service -Force

To customize default SSH config, you can edit file “C:\ProgramData\ssh\sshd_config”.

Some of the defaults:
AllowGroups administrators "openssh users"
HostKey __PROGRAMDATA__/ssh/ssh_host…
AuthorizedKeysFile .ssh/authorized_keys
Match Group administrators
       AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys
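To check that an enabled server still has the defaults described above (admins and “OpenSSH Users” only, administrators' keys in the shared administrators_authorized_keys file, and inbound TCP 22 open on the Private profile only), here is an added example script; it is not code from the original post or from the Win32-OpenSSH project. It wraps the two background commands from the post, adds a small sshd_config reader, and assumes the in-box firewall rule is named 'OpenSSH SSH Server (sshd)' (an assumption, not something the post states). The sample config at the bottom is constructed from the defaults quoted in the post so the reader can be tried without a server.

```powershell
# Added example: enable/disable the in-box sshd (the post's background commands)
# and audit the defaults the post lists. Assumes Windows Server 2025 preview
# with Win32-OpenSSH; the firewall rule display name is assumed.
$SshdConfigPath = 'C:\ProgramData\ssh\sshd_config'

function Enable-InboxSshd {
    Get-Service -Name sshd | Set-Service -StartupType Automatic -PassThru | Start-Service
}

function Disable-InboxSshd {
    Get-Service -Name sshd | Set-Service -StartupType Manual -PassThru | Stop-Service -Force
}

function ConvertFrom-SshdConfig {
    # Minimal sshd_config reader: keyword/value pairs, with directives that follow
    # a 'Match' line collected under that Match condition. Comments and blank
    # lines are skipped; keywords are case-insensitive, as in sshd.
    param([string[]]$Lines)
    $result  = @{ Global = @{}; Match = @() }
    $current = $result.Global
    foreach ($raw in $Lines) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith('#')) { continue }
        $parts = $line -split '\s+', 2
        $key   = $parts[0].ToLowerInvariant()
        $value = if ($parts.Count -gt 1) { $parts[1] } else { '' }
        if ($key -eq 'match') {
            $block = @{ Condition = $value; Settings = @{} }
            $result.Match += $block
            $current = $block.Settings
            continue
        }
        # sshd keeps the first occurrence of a keyword; mirror that here.
        if (-not $current.ContainsKey($key)) { $current[$key] = $value }
    }
    return $result
}

function Test-SshdDefaults {
    param([string[]]$ConfigLines = (Get-Content -Path $SshdConfigPath))
    $cfg = ConvertFrom-SshdConfig -Lines $ConfigLines
    $findings = [ordered]@{}

    # Only administrators and members of "OpenSSH Users" should be able to log in.
    $allowGroups = $cfg.Global['allowgroups']
    $findings['AllowGroups'] = $allowGroups
    $findings['AllowGroupsRestricted'] = (($allowGroups -match 'administrators') -and ($allowGroups -match 'openssh users'))

    # Administrators' keys come from the shared administrators_authorized_keys file.
    $adminMatch = $cfg.Match | Where-Object { $_.Condition -match '^Group\s+administrators$' }
    $findings['AdminKeysFile'] = $adminMatch.Settings['authorizedkeysfile']
    $findings['AdminKeysCentralised'] = ($findings['AdminKeysFile'] -match 'administrators_authorized_keys')

    # Who has been granted non-admin SSH access via the new local group.
    $findings['OpenSSHUsers'] = (Get-LocalGroupMember -Group 'OpenSSH Users' -ErrorAction SilentlyContinue).Name

    # Firewall: inbound TCP 22 should be open on the Private profile only.
    $rule = Get-NetFirewallRule -DisplayName 'OpenSSH SSH Server (sshd)' -ErrorAction SilentlyContinue
    if ($rule) {
        $port = $rule | Get-NetFirewallPortFilter
        $findings['FirewallProfile']     = "$($rule.Profile)"
        $findings['FirewallPort']        = "$($port.Protocol)/$($port.LocalPort)"
        $findings['FirewallPrivateOnly'] = ("$($rule.Profile)" -eq 'Private')
    }
    return [pscustomobject]$findings
}

# Constructed sample mirroring the defaults quoted in the post (HostKey line left out),
# so the reader can be exercised without a server:
$SampleConfig = @'
AllowGroups administrators "openssh users"
AuthorizedKeysFile .ssh/authorized_keys
Match Group administrators
       AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys
'@ -split "`r?`n"

# Usage:
# Test-SshdDefaults -ConfigLines $SampleConfig | Format-List   # offline, parser only
# Enable-InboxSshd; Test-SshdDefaults | Format-List            # on the server (elevated)
```

Run the offline form first to see the expected shape of the report: AllowGroupsRestricted and AdminKeysCentralised both come back True for the quoted defaults, and any later edit to sshd_config that widens AllowGroups or moves the administrators' key file shows up as a False in the same two fields.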

Winget (Windows Package Manager) is a command-line tool originally available on Windows 11 and modern versions of Windows 10. It allows admins and users to manage (install, uninstall, upgrade, …) locally installed applications. Winget is designed to help you quickly and easily discover and install software packages (by default from two sources: winget and msstore, with support for more).
Until you start managing applications with a solution like AppLocker, you might want to use GPO to disable winget.

If you want to test the matching version of the Windows client, you can also download Windows 11 Insider Preview Build 26080:

Since Windows 11 Insider Preview Build 26052 you can natively run sudo on Windows 11; you just need to enable it:

Unlike winget, for this one I do hope it gets added to Windows Server at some point…

More info:
Announcing Windows Server Preview Build 26080
Introducing Sudo for Windows