Access-denied remediation, also known as access-denied assistance, allows us to set a predefined error message to be provided to a user that attempts to access a file or folder that they do not have permissions to. Rather than receiving a generic permission denied error, an administrator can instead customize the error message. We can perform access-denied remediation by both setting it up manually on a file server, or automatically for many file servers through group policy.
We can configure file access auditing in Windows Server 2016 so that events are logged every time a specified user or group successfully accesses or attempts and fails to access a specified file or folder. This post will show you how to configure file access auditing in Windows Server 2016.
We can configure file classification infrastructure (FCI) using File Server Resource Manager (FSRM) in Windows to classify different files based on various attributes. While files have the usual properties on them such as creation date and owner for example, we can use FCI to add our own custom properties to a file. This allows us to classify files in our environment automatically based on the contents of the file.
We can deploy security baseline configurations to domain and non-domain joined servers with Security Compliance Manager (SCM). This is done by first exporting the security baseline as a GPO, and then importing it either as group policy or local policy depending on whether or not the client is a member of an active directory domain.
We can configure file management tasks with File Server Resource Manager (FSRM) in Windows Server 2016 to perform various tasks on the file server for us.
For example we can configure scheduled tasks to to complete specific actions, such as expire files older than a certain date automatically and archive them, or encrypt files that match a specific criteria. We can also run custom scripts on a specific set of files to perform arbitrary actions as required.
In this example we’ll show you how to configure file management tasks in Windows Server 2016, however the steps are very similar to older versions of the Windows operating system.
Read more »
SMB 3.1.1 was added with Windows Server 2016 and Windows 10 operating systems. This post will cover the SMB 3.1.1 protocol security features that have been introduced, outlining why you would want to use them.
NT Lan Manager (NTLM) is a proprietary Microsoft security protocol for providing authentication in the Windows operating system. It’s quite old, and we can implement NTLM blocking to disable it, allowing us to increase overall security by instead moving to another protocol such as Kerberos. We’ll see how to do this in Windows Server 2016 using group policy in the examples here.
BitLocker and Secure Boot are important features for a secured Windows operating system to defend against boot and offline attacks. This post will show you how to enable BitLocker to use secure boot for platform and BCD integrity validation.
During the boot process BitLocker will check that the security sensitive boot configuration data (BCD) settings have not been changed since BitLocker was enabled, recovered, or resumed.
This post is part of our Microsoft 70-744 Securing Windows Server 2016 exam study guide series. For more related posts and information check out our full 70-744 study guide.
Instead of manually configuring the same Windows Firewall rules on many different servers, we can import and export Windows firewall settings to transfer them between different servers.
We can also import the firewall rule policy file into a Group Policy Object (GPO) to apply it automatically throughout a whole domain.
Security baselines are used as templates to control the security settings that apply to the Windows operating system or piece of Microsoft software. We can create, view, and import security baselines with Security Compliance Manager (SCM), allowing us to quickly modify various security specific settings which is what we’ll cover here.