Windows | Active Directory Security 101

Ali Sefer
26 min read · Apr 5, 2024


As Windows operating system users, we understand the importance of keeping our computers safe and secure. In this blog post, we will discuss various security topics related to Windows and explore the best practices for securing your computer.

First, we will focus on “Active Directory Security”. Active Directory plays a crucial role in enterprise networks, and we will examine security strategies and best practices in this area.

We will then address fundamental network security topics such as “Windows DNS Security” and “Windows DHCP Security”. Ensuring the security of DNS and DHCP services is an important part of maintaining your network’s security.

Following that, we will delve into topics like “Windows Local Security Policy”, “Group Policy and UAC” focusing on local security policies and user access control. Well-configured security policies and access controls play a significant role in enhancing your computer’s security.

Additionally, we will discuss “Authentication and Authorization on Windows” helping you understand the authentication and authorization processes and their importance in computer security.

Our blog will also cover “Windows Update and Patch Management”. Managing Windows updates and patches is crucial for keeping your computer up-to-date and addressing security vulnerabilities.

Finally, we will explore topics like “Antivirus, Malware, and Threat Protection” and “Windows Event Viewer,” providing strategies for protecting your computer from viruses, malware, and other threats. You will also learn how to utilize the Windows log engine and analyze these logs.

In this blog post, we aim to provide a comprehensive overview of Windows security. Understanding and implementing these topics are essential for ensuring the security of your computer. Keep reading to learn more about Windows security!

Active Directory Security

Active Directory (AD) is a database-based directory service by Microsoft that simplifies the management of users, computers, and other network resources in large-scale networks. However, the security of these critical systems can be targeted by hackers and malicious software. Therefore, Active Directory Security encompasses measures taken to secure computer networks and protect the security of AD.

Some key points to consider in AD Security include:

  1. Login Controls: Strong login controls should be used for authenticating and authorizing users within AD. This includes password policies, two-factor authentication, and access controls.
  2. Authorization and Access Controls: It’s important to accurately define and control the levels of access users and groups have to resources within AD. The principle of least privilege applies here as well.
  3. Security Policies: Establishing and enforcing strong security policies within AD is critical for preventing hackers and data breaches. These policies may include password complexity, session timeouts, and other restrictions on user accounts.
  4. Monitoring and Logging: Monitoring changes within AD and maintaining logs is crucial. This helps detect potential security breaches and enables timely responses.
  5. Update and Patch Management: Regularly updating and patching AD servers and components provides protection against known security vulnerabilities.

AD Security is a significant part of organizations’ information security strategies, and when configured correctly, it can enhance the security of your networks and prevent data breaches. For more information on this topic, seek guidance from security experts specialized in AD security.

Default Accounts

There are various user accounts that come by default with Windows and Active Directory. Because they arrive with default privileges, they often have more authority than they actually need.

Detecting these situations before a breach occurs and taking precautions is very important for system security.

Administrator and Guest Accounts

For example, the Administrator and Guest accounts exist by default in AD environments. The Administrator account is especially critical because it is the most privileged user on the system. To reduce this risk, the built-in Administrator account should be disabled as soon as the AD environment is installed.

If various policies and settings have been made with the Administrator account, disabling it afterwards can seriously disrupt system operation. In order to avoid this situation, it is recommended to do these operations at the beginning.

Passwords for such privileged accounts should be particularly COMPLEX.

This is not specific to the AD environment. The use of default accounts should be restricted in all environments, software and systems. If they must be used, this should be minimized and all forms of protection (complex passwords, MFA, etc.) should be put in place.

Security Groups

Just like with users, there are groups that come by default in the AD environment.

In an AD environment, Security Groups are special groups used to manage the access rights of users and objects (for example, resources such as file shares or printers). Security Groups facilitate access control by grouping users and objects so that they have similar privileges.

These groups have different levels of authority. The most privileged group in an AD environment is the Enterprise Admins group. Users in this group can manage all domains, change the schema, manage policies, and perform backup and recovery operations.

Enterprise Admins

As can be seen in the image above, the Administrator user is added to the Enterprise Admins group by default. As mentioned in the previous topic, this account comes by default.

Before assigning users to groups, a delegation exercise must be carried out. If the user is not an IT employee or similar, the user should be granted privileges through Delegation instead. The most important reason for this is that the privileged group (for example Domain Admins) to which the user would be assigned carries far more rights than the user needs. Since most of these rights will not be needed, a Delegation study is recommended.

As you can see in the image below, there are many groups that come by default in the AD environment. I am not going to explain what these groups do and what rights they have. For this, I have shared documentation below that you can follow for details.

AD Default Groups and Users | Domain Admins Group
AD Builtin Groups

For example, suppose you have assigned a user to the Backup Users group. If that user’s credentials are compromised, the attacker can obtain the AD database from the DC, read it on his own system, and the whole domain can be compromised.

Using Multiple Accounts

Using multiple accounts is especially vital for privileged users.

For example, there is an employee named Mike who works as a System Administrator at XYZ company. Mike should use a separate, unprivileged account for his daily tasks (checking email, browsing, etc.), since Mike could be compromised by an attacker during his daily work. It is important to minimize this possibility for all users. During system changes and critical business processes, Mike should switch to a more privileged account and perform the work there. This also greatly simplifies log tracking.

If we summarize what has been explained here briefly, in 3 points:

  1. Separation of Privileges
  2. Restricting the Attack Surface
  3. Data and System Security

Mike Paul and Mike Paul Daily Accounts

As can be seen in the image above, the user named Mike Paul is a member of the Domain Admins group, which is a privileged group. On the other hand, Mike Paul Daily is a member of the Domain Users group, which is an unprivileged group. By using the Mike Paul Daily account during his daily work, Mike greatly narrows the attack surface.

Remember that the passwords for both accounts must be COMPLEX and distinct!
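
The following script is an added example (not part of the original post) that audits the points made in the Default Accounts, Security Groups and Multiple Accounts sections: it checks the built-in Administrator and Guest accounts by their well-known RIDs and lists the recursive membership of the privileged groups named above. It assumes the ActiveDirectory RSAT module and, as a naming convention, a daily account named `<account>.daily`.

```powershell
# Added example (not from the original post): audit default accounts and
# privileged group membership. Assumes the ActiveDirectory module and a
# domain-joined host with read access to AD.
Import-Module ActiveDirectory

# Built-in accounts are identified by their well-known RIDs rather than by
# name, because the Administrator account may have been renamed.
$domainSid = (Get-ADDomain).DomainSID.Value
$builtin = [ordered]@{
    'Administrator (RID 500)' = "$domainSid-500"
    'Guest (RID 501)'         = "$domainSid-501"
}

foreach ($entry in $builtin.GetEnumerator()) {
    $acct  = Get-ADUser -Identity $entry.Value -Properties Enabled, LastLogonDate
    $state = if ($acct.Enabled) { 'ENABLED  <- should be disabled' } else { 'disabled' }
    "{0,-26} {1,-20} {2}" -f $entry.Key, $acct.SamAccountName, $state
}

# Privileged groups from the post. Membership is resolved recursively so that
# a nested group does not hide a member. Enterprise Admins exists only in the
# forest root domain; in a child domain that query will error.
$privilegedGroups = 'Enterprise Admins', 'Domain Admins', 'Administrators', 'Backup Operators'
$report = foreach ($group in $privilegedGroups) {
    Get-ADGroupMember -Identity $group -Recursive |
        Where-Object objectClass -eq 'user' |
        Get-ADUser -Properties Enabled, PasswordLastSet, LastLogonDate |
        ForEach-Object {
            # Assumed naming convention: the daily counterpart of "mike.paul"
            # is "mike.paul.daily" (the post uses "Mike Paul Daily").
            $daily = Get-ADUser -Filter "SamAccountName -eq '$($_.SamAccountName).daily'"
            [pscustomobject]@{
                Group           = $group
                Account         = $_.SamAccountName
                Enabled         = $_.Enabled
                PasswordLastSet = $_.PasswordLastSet
                LastLogonDate   = $_.LastLogonDate
                HasDailyAccount = [bool]$daily
            }
        }
}
$report | Sort-Object Group, Account | Format-Table -AutoSize

# Privileged members without a separate daily account are the ones most likely
# to be reading e-mail and browsing with Domain Admin rights.
$report | Where-Object { -not $_.HasDailyAccount } | ForEach-Object {
    Write-Warning "$($_.Account) is in $($_.Group) but has no separate daily account"
}
```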

Audit Policy

Audit Policy is a security feature used to monitor and record user and system activities occurring in computer systems. This feature is of great importance in terms of cybersecurity and includes the following features:

  1. Monitoring and Detection of Events: Audit Policy tracks and records events occurring in the system, allowing for the detection of security incidents and breaches. For example, failed login attempts, file or folder access events, and other activities can be monitored.
  2. Prevention of Security Incidents: Effective use of Audit Policy helps prevent security vulnerabilities and incidents. Through monitoring and auditing, potential threats and attacks can be detected in advance, allowing for preventive measures to be taken.
  3. Investigation and Analysis of Events: Audit Policy plays a critical role in investigating and analyzing security events. By examining the monitored events, details and impacts of attacks can be determined, leading to appropriate responses.
  4. Meeting Compliance and Audit Needs: Many organizations are required to comply with specific standards and regulations (such as PCI DSS, HIPAA, GDPR, etc.). Audit Policy helps meet these compliance requirements by providing the necessary data for audits and ensuring adherence to security policies.
  5. Enhancement of Security Awareness: Effective use of Audit Policy increases the security awareness of users and system administrators. Being informed about events occurring in computer systems enhances security awareness and measures.

Local Security Policy | Audit Policy

As can be seen in the image above, we need to go to the Local Security Policy section to activate the Audit Policy on our systems.

Group Policy Management | Audit Policy

If we want to activate Audit Policies for all servers, computers or a specific part in AD environments, we can do this through Group Policy Management.

I don’t want to make this too long for you. I have shared a general Audit Policy configuration below. You can configure Audit Policy on your systems based on these settings.

  1. Account Logon
    — Audit ‘Credential Validation’ is set to ‘Success and Failure’
  2. Account Management
    — Audit ‘Application Group Management’ is set to ‘Success and Failure’
    — Audit ‘Computer Account Management’ is set to ‘Success and Failure’
    — Audit ‘Other Account Management Events’ is set to ‘Success and Failure’
    — Audit ‘Security Group Management’ is set to ‘Success and Failure’
    — Audit ‘User Account Management’ is set to ‘Success and Failure’
  3. Detailed Tracking
    — Audit ‘PNP Activity’ is set to ‘Success’
    — Audit ‘Process Creation’ is set to ‘Success’
  4. Logon/Logoff
    — Audit ‘Account Lockout’ is set to ‘Success and Failure’
    — Audit ‘Group Membership’ is set to ‘Success’
    — Audit ‘Logoff’ is set to ‘Success’
    — Audit ‘Logon’ is set to ‘Success and Failure’
    — Audit ‘Other Logon/Logoff Events’ is set to ‘Success and Failure’
    — Audit ‘Special Logon’ is set to ‘Success’
  5. Object Access
    — Audit ‘Removable Storage’ is set to ‘Success and Failure’
  6. Policy Change
    — Audit ‘Audit Policy Change’ is set to ‘Success and Failure’
    — Audit ‘Authentication Policy Change’ is set to ‘Success’
    — Audit ‘Authorization Policy Change’ is set to ‘Success’
  7. Privilege Use
    — Audit ‘Sensitive Privilege Use’ is set to ‘Success and Failure’
  8. System
    — Audit ‘IPsec Driver’ is set to ‘Success and Failure’
    — Audit ‘Other System Events’ is set to ‘Success and Failure’
    — Audit ‘Security State Change’ is set to ‘Success’
    — Audit ‘Security System Extension’ is set to ‘Success and Failure’
    — Audit ‘System Integrity’ is set to ‘Success and Failure’
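
As an added example (not from the original post), the same configuration can be applied to a single system with `auditpol.exe` and then read back to spot drift. The subcategory names are the ones auditpol uses; mapping the list’s ‘PNP Activity’ to the auditpol subcategory ‘Plug and Play Events’ is my assumption.

```powershell
# Added example (not from the original post): apply the audit settings listed
# above with auditpol.exe from an elevated prompt, then verify them. For
# domain-wide deployment use the matching Advanced Audit Policy GPO settings.

# Subcategory names as auditpol expects them. "PNP Activity" in the list is
# assumed to be the auditpol subcategory "Plug and Play Events".
$auditSettings = @(
    # Account Logon
    @{ Sub = 'Credential Validation';           Success = $true; Failure = $true  }
    # Account Management
    @{ Sub = 'Application Group Management';    Success = $true; Failure = $true  }
    @{ Sub = 'Computer Account Management';     Success = $true; Failure = $true  }
    @{ Sub = 'Other Account Management Events'; Success = $true; Failure = $true  }
    @{ Sub = 'Security Group Management';       Success = $true; Failure = $true  }
    @{ Sub = 'User Account Management';         Success = $true; Failure = $true  }
    # Detailed Tracking
    @{ Sub = 'Plug and Play Events';            Success = $true; Failure = $false }
    @{ Sub = 'Process Creation';                Success = $true; Failure = $false }
    # Logon/Logoff
    @{ Sub = 'Account Lockout';                 Success = $true; Failure = $true  }
    @{ Sub = 'Group Membership';                Success = $true; Failure = $false }
    @{ Sub = 'Logoff';                          Success = $true; Failure = $false }
    @{ Sub = 'Logon';                           Success = $true; Failure = $true  }
    @{ Sub = 'Other Logon/Logoff Events';       Success = $true; Failure = $true  }
    @{ Sub = 'Special Logon';                   Success = $true; Failure = $false }
    # Object Access
    @{ Sub = 'Removable Storage';               Success = $true; Failure = $true  }
    # Policy Change
    @{ Sub = 'Audit Policy Change';             Success = $true; Failure = $true  }
    @{ Sub = 'Authentication Policy Change';    Success = $true; Failure = $false }
    @{ Sub = 'Authorization Policy Change';     Success = $true; Failure = $false }
    # Privilege Use
    @{ Sub = 'Sensitive Privilege Use';         Success = $true; Failure = $true  }
    # System
    @{ Sub = 'IPsec Driver';                    Success = $true; Failure = $true  }
    @{ Sub = 'Other System Events';             Success = $true; Failure = $true  }
    @{ Sub = 'Security State Change';           Success = $true; Failure = $false }
    @{ Sub = 'Security System Extension';       Success = $true; Failure = $true  }
    @{ Sub = 'System Integrity';                Success = $true; Failure = $true  }
)

foreach ($s in $auditSettings) {
    $successFlag = if ($s.Success) { 'enable' } else { 'disable' }
    $failureFlag = if ($s.Failure) { 'enable' } else { 'disable' }
    & auditpol.exe /set /subcategory:"$($s.Sub)" /success:$successFlag /failure:$failureFlag | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "auditpol failed for '$($s.Sub)'" }
}

# Read the effective policy back as CSV and show only the subcategories we set,
# so drift (for example a GPO overriding the local value) becomes visible.
$effective = & auditpol.exe /get /category:* /r | ConvertFrom-Csv
$effective |
    Where-Object { $_.Subcategory -in $auditSettings.Sub } |
    Select-Object Subcategory, 'Inclusion Setting' |
    Format-Table -AutoSize
```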

As an example, I have activated Audit Policy for Account Logon in the image below.

Audit Policy | Account Logon

After enabling the Audit Policy, please track the resulting logs in an organized way. You can do this via a Log Server, Event Viewer or a SIEM.

Audit Policy is a critical security measure for ensuring the security of computer systems and detecting security incidents. Its effective use strengthens organizations’ cybersecurity strategies and makes them more resilient against potential threats.

Local Administrator Password Solution (LAPS)

LAPS is a solution that enables automatic management of local administrator accounts for each computer in Active Directory. A client-side component installed on each computer generates a random password, updates the LAPS password in the associated Active Directory computer account, and sets the password locally. LAPS configuration is managed through Group Policy, providing values for password complexity, length, local account name for password changes, password change frequency, and more.

In scenarios where users need to log in to computers without domain credentials, password management can become complex and increase security risks. LAPS is designed to address such issues by assigning different and random passwords for each computer, reducing the risk associated with using a common local account.

While simplifying password management, LAPS strengthens organizations’ defenses against cyberattacks. In particular, it reduces the risk that comes from using the same local administrator account and password combination on many machines. LAPS stores the password of the computer’s local administrator account in a protected attribute of the corresponding Active Directory computer object; the computer itself updates that password in Active Directory, and read access is granted only to authorized users or groups, such as workstation helpdesk administrators.

For more information about LAPS, please see the related documentation.
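
As an added example (not from the original post or Microsoft’s documentation), the Windows LAPS PowerShell module can be used to set up and audit the permission model described above. It assumes the built-in `LAPS` module (Windows LAPS) plus the ActiveDirectory module; the OU, group name and the 30-day window are placeholders.

```powershell
# Added example (not from the original post): Windows LAPS setup and audit for
# one OU of workstations. The OU and group names are placeholders.
Import-Module LAPS
Import-Module ActiveDirectory

$workstationOu = 'OU=Workstations,DC=alisefer,DC=local'   # placeholder OU
$helpdeskGroup = 'Helpdesk-LAPS-Readers'                  # placeholder group

# 1. Let computers in the OU write their own rotated password to AD. Without
#    this right the client-side component cannot update the attribute.
Set-LapsADComputerSelfPermission -Identity $workstationOu

# 2. Grant read access on the password attributes to the helpdesk group only.
Set-LapsADReadPasswordPermission -Identity $workstationOu -AllowedPrincipals $helpdeskGroup

# 3. Audit who can read the passwords. Every holder of the extended right can
#    recover any local admin password in the OU, so this list should be short.
Find-LapsADExtendedRights -Identity $workstationOu |
    Select-Object ObjectDN, ExtendedRightHolders |
    Format-List

# 4. Find computers whose password expiration time is already in the past.
#    Rotation happens when the expiration passes, so an old expiration time
#    means the policy is not being applied on that machine.
$nowUtc = (Get-Date).ToUniversalTime()
$stale = Get-ADComputer -SearchBase $workstationOu -Filter * `
            -Properties 'msLAPS-PasswordExpirationTime' |
    Where-Object {
        $exp = $_.'msLAPS-PasswordExpirationTime'
        # Attribute is an Int64 FILETIME; missing means LAPS never ran here.
        (-not $exp) -or ([datetime]::FromFileTimeUtc($exp) -lt $nowUtc.AddDays(-30))
    }
$stale | Select-Object Name, DistinguishedName | Format-Table -AutoSize
```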

Password Policy

Password Policies play a crucial role in ensuring the security of digital assets and sensitive information within an organization’s IT infrastructure. These policies define the requirements and guidelines for creating, managing, and using passwords effectively. With the increasing sophistication of cyber threats and the prevalence of data breaches, implementing strong password policies has become a fundamental aspect of cybersecurity.

A well-designed Password Policy addresses various aspects such as password complexity, length, expiration and history settings. By setting robust password requirements, organizations can significantly reduce the risk of unauthorized access and strengthen their overall security posture.

Group Policy Management | Password Policy

As you can see in the image above, Group Policy Management is used to create a password policy in Active Directory environments. When we come to the Password Policy section, we can configure the various password settings on the right side.

If you want to perform these settings on a single system, you can get support from the Local Security Policy section.

I won’t belabor this point; you can find many sources on the internet. I am leaving an article for you at the bottom that you can review.

Account Lockout Policy

Account Lockout Policy is an essential setting used to enhance security in computer systems. This policy automatically locks user accounts after a certain number of incorrect password attempts within a specified time period. It helps prevent malicious login attempts and ensures the security of accounts.

Properly configuring the Account Lockout Policy reduces security vulnerabilities and makes computer systems more secure. However, it can also impact user experience due to the risk of account lockouts. Therefore, it’s important to balance the policy’s settings and communicate effectively with users about it.

Group Policy Management | Account Lockout Policy

As you can see in the image above, Group Policy Management is used to create an Account Lockout Policy in Active Directory environments. When we come to the Account Lockout Policy section, we can perform the various configurations on the right side.

If you want to perform these settings on a single system, you can get support from the Local Security Policy section.

If we list a few benefits of creating an Account Lockout Policy:

  1. Protection Against Brute Force Attacks
  2. Protection Against Pass-the-Hash Attacks
  3. Improve Account Security
  4. Account Awareness

I won’t belabor this point; you can find many sources on the internet. I am leaving an article for you at the bottom that you can review.
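
The script below is an added example (not from the original post) covering both the Password Policy and Account Lockout Policy sections: it compares the Default Domain Policy against a baseline and applies a stricter Fine-Grained Password Policy to the privileged groups discussed earlier. It assumes the ActiveDirectory module; the baseline numbers, the PSO name and the account name `mike.paul` are illustrative.

```powershell
# Added example (not from the original post): check the domain password and
# lockout policy against an assumed baseline, then give privileged accounts a
# stricter Fine-Grained Password Policy (PSO).
Import-Module ActiveDirectory

# Assumed baseline; adjust to your own standard.
$baseline = [ordered]@{
    MinPasswordLength        = 14
    ComplexityEnabled        = $true
    PasswordHistoryCount     = 24
    LockoutThreshold         = 10                      # 0 would mean "never lock out"
    LockoutDuration          = [timespan]::FromMinutes(15)
    LockoutObservationWindow = [timespan]::FromMinutes(15)
}

$policy = Get-ADDefaultDomainPasswordPolicy
$findings = foreach ($setting in $baseline.Keys) {
    $actual = $policy.$setting
    $wanted = $baseline[$setting]
    $ok = switch ($setting) {
        'ComplexityEnabled' { $actual -eq $wanted }
        # A threshold of 0 disables lockout entirely, so it must be non-zero
        # and no looser than the baseline.
        'LockoutThreshold'  { $actual -ne 0 -and $actual -le $wanted }
        default             { $actual -ge $wanted }
    }
    [pscustomobject]@{ Setting = $setting; Actual = $actual; Baseline = $wanted; Ok = $ok }
}
$findings | Format-Table -AutoSize

# Privileged accounts get a stricter PSO. The lowest Precedence wins when
# several PSOs apply to one user, so 10 beats any later policy at 100+.
$psoName = 'PSO-PrivilegedAccounts'   # hypothetical name
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$psoName'")) {
    New-ADFineGrainedPasswordPolicy -Name $psoName -Precedence 10 `
        -ComplexityEnabled $true -MinPasswordLength 20 -PasswordHistoryCount 24 `
        -MinPasswordAge '1.00:00:00' -MaxPasswordAge '90.00:00:00' `
        -LockoutThreshold 5 -LockoutDuration '00:30:00' -LockoutObservationWindow '00:30:00' `
        -ReversibleEncryptionEnabled $false
}
# Enterprise Admins exists only in the forest root domain.
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects 'Enterprise Admins', 'Domain Admins'

# Verify which policy actually applies to a privileged account
# (mike.paul is the post's example user, used here as a placeholder).
Get-ADUserResultantPasswordPolicy -Identity 'mike.paul' |
    Select-Object Name, Precedence, MinPasswordLength, LockoutThreshold, LockoutDuration
```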

Secure Admin Workstation (SAW)

Secure Admin Workstation (SAW) is a security measure designed for users in security-focused roles such as network administrators or system administrators. SAW is a concept of a computer or workstation that allows these users to perform their tasks in a more secure manner.

The primary purpose of SAW is to enable users to access and manage sensitive information or systems while performing their daily tasks securely. To achieve this, SAW typically includes the following security features:

  1. Physical Security: SAW is protected by physical access controls, meaning it is configured as an area or device accessible only by authorized users or personnel.
  2. Network Security: SAW is supported by technologies such as firewalls and Virtual Private Networks (VPNs) to secure network connections, helping prevent external attacks and threats.
  3. Application and Software Security: Applications and software running on SAW are regularly updated and monitored for security vulnerabilities and malicious software.
  4. Operating System Security: The operating system used on SAW is continuously updated with security patches and updates, and security settings are configured appropriately.
  5. Authentication and Authorization: Stronger authentication and authorization processes are implemented for SAW users, such as multi-factor authentication, to enhance security.
  6. Logging and Monitoring: All activities on SAW are constantly monitored and logged using logging and monitoring tools, enabling the detection and prevention of potential security breaches.

SAW is designed to reduce security risks and provide a secure working environment for users performing critical tasks on systems, such as system administrators or network administrators.

The most important features required for a SAW are: no internet access in an isolated environment, strong authentication, and installing only the necessary applications and keeping them up to date.

In summary, SAW is a private computer system used only to perform administrative tasks with privileged accounts and provides an isolated environment for privileged operations.

Windows DNS Security

Windows DNS (Domain Name System) is a critical component used to translate between the domain names and IP addresses of computers on a network and to locate services on the network. DNS plays a crucial role in network security because, if not configured correctly, it can become a target for malicious users and attackers.

Windows DNS Security refers to the measures taken to secure and protect DNS services on Windows operating systems. These measures are of critical importance for network security and may include:

  1. Strong Authentication and Authorization: Windows DNS Servers should use strong authentication and authorization mechanisms. This prevents unauthorized access and enhances security.
  2. Security Updates and Patches: Windows DNS Servers should be regularly updated with security updates and patches to address vulnerabilities.
  3. Access Controls and Monitoring: Access controls and monitoring mechanisms should be in place to restrict and monitor access to DNS Servers. This detects and prevents unauthorized access.
  4. Security Policies and Audits: Security policies should be defined and audited regularly for Windows DNS Servers. This ensures security standards are maintained and compliance is met.

In AD environments, DNS servers are usually the Domain Controllers themselves.

DNS Zone transfer is the process of copying all DNS records from the primary DNS server (master) to secondary DNS servers (slave or backup). This process is commonly used for DNS backup and load balancing.

Attackers attempt Zone Transfers for many reasons, such as information gathering and reconnaissance, preparing phishing campaigns, and network mapping.

Zone Transfer types:

  1. Full Zone Transfer (AXFR): This copies all the information for a zone from the primary DNS server to the backup DNS server. Such transfers usually occur when a zone is created for the first time or when the backup server is completely restarted.
  2. Incremental Zone Transfer (IXFR): This copies only changes to a zone from the primary DNS server to the backup DNS server. When a zone changes, the backup server only receives the changes, increasing efficiency and reducing network traffic.

We can make a few suggestions to avoid falling victim to Zone Transfer attacks.

Open the DNS Management Console. To do this, open “Server Manager”, then select the “Tools” menu and click on “DNS”. On the screen that opens, right-click on the relevant zone and click on “Properties”.

On the screen that opens, switch to the “Zone Transfers” tab, check “Allow zone transfers:” and choose “Only to the following servers” to allow only specific IP addresses. Then click “Edit” and enter the list of IP addresses to be allowed. (As seen in the screenshot below, only the IP address 192.168.157.6 is allowed to perform Zone Transfers.)

DNS Manager | alisefer.local Properties | Zone Transfers | Allow Zone Transfers

DNSSEC, or Domain Name System Security Extensions, is a set of Internet Engineering Task Force (IETF) standards used to verify the integrity and authenticity of DNS queries and responses. Simply put, DNSSEC helps verify that the results of a DNS query have not been manipulated or altered.

DNSSEC actually determines whether a DNS response is authentic and whether it has been altered. It does this by digitally signing DNS responses and using this digital signature in the response to each DNS query.

To set this up, open the DNS Management Console: open “Server Manager”, then select the “Tools” menu and click on “DNS”. Right-click the zone you want to sign and click “DNSSEC” -> “Sign the Zone”.

DNS Manager | DNSSEC | Sign the Zone

When you have successfully completed the DNSSEC installation, you should get an output similar to the image below.

DNS Manager | DNSSEC | Sign the Zone

We should also constantly monitor our DNS servers. You need to make sure that the log records of your DNS servers are generated successfully. As you can see in the screenshot below, we want to see the logs of all events generated by our DNS server.

DNS Manager | Event Logging
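
The same three steps (restricting zone transfers, signing the zone, and turning on event logging) can be done and verified with the `DnsServer` module. This is an added example, not from the original post; the zone name and secondary IP are the values from the screenshots and should be treated as placeholders.

```powershell
# Added example (not from the original post): audit and harden zone transfers,
# sign the zone with DNSSEC, and enable event logging on a Windows DNS server.
Import-Module DnsServer

$zoneName  = 'alisefer.local'     # zone from the post's screenshots
$secondary = '192.168.157.6'      # the only server allowed to pull transfers

# 1. List primary zones that accept transfers from any server. That setting is
#    what makes AXFR reconnaissance possible. Auto-created zones are skipped.
Get-DnsServerZone |
    Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated -and
                   $_.SecureSecondaries -eq 'TransferAnyServer' } |
    Select-Object ZoneName, SecureSecondaries, SecondaryServers |
    Format-Table -AutoSize

# 2. Restrict the zone to an explicit list ("Only to the following servers").
#    For AD-integrated zones with no standalone secondaries, NoTransfer is the
#    cleaner choice because replication already happens through AD.
Set-DnsServerPrimaryZone -Name $zoneName `
    -SecureSecondaries TransferToSecureServers -SecondaryServers $secondary

# 3. Sign the zone with the DNSSEC defaults if it is still unsigned, then show
#    the keys so algorithm and key length can be checked against your standard.
if (-not (Get-DnsServerZone -Name $zoneName).IsSigned) {
    Invoke-DnsServerZoneSign -ZoneName $zoneName -SignWithDefault -Force
}
Get-DnsServerSigningKey -ZoneName $zoneName |
    Select-Object KeyType, CryptoAlgorithm, KeyLength |
    Format-Table -AutoSize

# 4. Event logging level 4 corresponds to "All events" on the Event Logging
#    tab. Then summarise the last day of warnings and errors (levels 2 and 3)
#    from the "DNS Server" log by event ID.
Set-DnsServerDiagnostics -EventLogLevel 4
Get-WinEvent -FilterHashtable @{ LogName = 'DNS Server'; Level = 2, 3; StartTime = (Get-Date).AddDays(-1) } `
             -ErrorAction SilentlyContinue |
    Group-Object Id | Sort-Object Count -Descending |
    Select-Object Count, Name, @{ n = 'Sample'; e = { ($_.Group[0].Message -split "`n")[0] } } |
    Format-Table -AutoSize
```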

For more information about DNS and Attacks, please see the following documentation.

Windows DHCP Security

Windows DHCP (Dynamic Host Configuration Protocol) is a protocol that dynamically distributes IP addresses and other network configuration information to devices on a network. DHCP allows network administrators to manage and automate the configuration processes of network devices. However, it is important to configure and operate DHCP services securely as a misconfigured DHCP server can jeopardize network security.

Windows DHCP Security refers to the measures taken to secure and protect DHCP services on Windows operating systems. These measures are critical for network security and may include:

  1. Authentication and Authorization: DHCP servers should distribute IP addresses and network configuration information only to authorized devices using authentication and authorization mechanisms. This prevents unauthorized access.
  2. IP Address Scope Controls: DHCP servers should distribute IP addresses within defined IP address scopes and control external requests. This prevents IP address conflicts and resource depletion.
  3. Attack Prevention Policies: DHCP servers should have security policies and measures in place to prevent attacks. This enhances the security of DHCP services.
  4. Logging and Monitoring: Activities on DHCP servers should be logged and monitored using logging and monitoring tools. This is important for detecting and preventing potential security breaches.

MAC Filtering can be implemented through Media Access Control (MAC) addresses using DHCP on Windows Server. It is used to control whether devices with a specific MAC address receive an IP address.

To apply this, open “Server Manager” and select “DHCP” from the “Tools” menu. On the DHCP Management screen, expand “IPv4” -> “Filters”, right-click “Allow” or “Deny”, and select “New Filter”.

The “Allow” option in the filter type only grants IP addresses to certain MAC addresses, while the “Deny” option prevents certain MAC addresses from receiving IP addresses.

As can be seen in the image below, the MAC address AA-B3-B2-C7-38-0C has been added as Allow. This means that this DHCP server will only allocate an IP to MAC address AA-B3-B2-C7-38-0C.

DHCP | MAC Filter | Allow

As you can see in the image below, the MAC address AA-B3-B2-F2-B9-5A has been added as Deny. This means that this DHCP server will never allocate an IP to the device with MAC address AA-B3-B2-F2-B9-5A.

DHCP | MAC Filter | Deny

These configurations will not take effect unless we right-click “Allow” or “Deny” and choose “Enable”!

DHCP Server Authorization verifies that a DHCP server is registered and authorized in Active Directory. If a DHCP server is not authorized, the DHCP service is automatically stopped and this server cannot distribute IP addresses.

To authorize the DHCP server, open the DHCP console, right-click the DHCP server and click “Authorize”.

DHCP | Authorize DHCP Server

I also see the “Unauthorize” option because this server was previously authorized. If authorization did not happen automatically in your case, click “Authorize”!

The most important reason for doing this is to prevent Rogue DHCP Server attacks. For rogue DHCP detection, the DHCP server audit log events with ID 50 and above should be monitored closely.
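
As an added example (not from the original post), the script below performs the MAC filter and authorization steps with the `DhcpServer` module and includes a small parser that pulls the ID 50+ rogue-detection events out of the DHCP audit log. The MAC addresses are the ones from the screenshots; the log lines fed to the parser are constructed for illustration.

```powershell
# Added example (not from the original post): DHCP authorization check, MAC
# filters, and a parser for rogue-detection events in the DHCP audit log.
Import-Module DhcpServer

# 1. Authorization: a server missing from this list stops serving leases, and
#    a server that is serving but is NOT in this list is a rogue candidate.
$authorized = Get-DhcpServerInDC
$authorized | Select-Object DnsName, IPAddress | Format-Table -AutoSize
$me = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
if ($authorized.DnsName -notcontains $me) {
    Write-Warning "$me is not authorized in AD. Run: Add-DhcpServerInDC -DnsName $me"
}

# 2. MAC filters (values from the post's screenshots). Both lists stay inert
#    until they are enabled, which is the step the post warns about.
Add-DhcpServerv4Filter -List Allow -MacAddress 'AA-B3-B2-C7-38-0C' -Description 'Allowed workstation'
Add-DhcpServerv4Filter -List Deny  -MacAddress 'AA-B3-B2-F2-B9-5A' -Description 'Blocked device'
Set-DhcpServerv4FilterList -Allow $true -Deny $true
Get-DhcpServerv4FilterList

# 3. Rogue-detection results are written to the DHCP audit log
#    (DhcpSrvLog-<Day>.log under the path reported by Get-DhcpServerAuditLog),
#    a CSV in which IDs 50 and above describe authorization and rogue checks.
function Get-DhcpRogueEvents {
    param([string[]]$LogLines)
    # The real file starts with descriptive header text; keep the CSV header
    # row and only rows whose first field is numeric.
    $LogLines |
        Where-Object { $_ -match '^(ID,|\d+,)' } |
        ConvertFrom-Csv |
        Where-Object { [int]$_.ID -ge 50 } |
        Select-Object @{ n = 'ID'; e = { [int]$_.ID } }, Date, Time, Description, 'IP Address', 'Host Name'
}

# Constructed sample in the audit log's column layout (not a real capture).
$sampleLog = @'
ID,Date,Time,Description,IP Address,Host Name,MAC Address,User Name
10,04/05/24,09:00:01,Assign,192.168.157.20,PC01.alisefer.local,AAB3B2C7380C,
54,04/05/24,09:05:12,Authorization failed,,dc01.alisefer.local,,
62,04/05/24,09:05:13,Another server found,192.168.157.250,,,
56,04/05/24,09:05:14,Authorization failure stopped servicing,,dc01.alisefer.local,,
'@
Get-DhcpRogueEvents -LogLines ($sampleLog -split "`r?`n") | Format-Table -AutoSize

# Against the live file for today:
$logDir  = (Get-DhcpServerAuditLog).Path
$logFile = Join-Path $logDir ("DhcpSrvLog-{0}.log" -f (Get-Date).DayOfWeek.ToString().Substring(0, 3))
if (Test-Path $logFile) {
    Get-DhcpRogueEvents -LogLines (Get-Content $logFile) | Format-Table -AutoSize
}
```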

For more information about Rogue DHCP Server Attack, please see the article below.

Windows System Security

We have been covering Windows System Security since the beginning of this blog. The topics I will talk about here will be Local Security Policy, Group Policy and UAC. However, we have already mentioned the first two topics above. For this reason, I will not dwell on them too much and focus on UAC.

Local Security Policy is a tool used to manage security settings on a Windows computer. It can be accessed by typing secpol.msc. As we mentioned in the previous sections, here we can edit and apply policies such as Account Lockout and Password Policy.

Local Security Policy

Group Policy is a feature in Microsoft Windows operating systems that simplifies network and user management by providing centrally configured policies. This feature allows system administrators to define a set of policies and settings to manage the behavior of computers and users on the network. The primary purpose of Group Policy is to enhance the security, productivity, and management of computers and users on the network.

While Local Group Policy is active only on the computers where the policy is edited and applied, Group Policy Management can be accessed via DC to apply the relevant policies to users and computers in the entire domain.

We can access the Local Group Policy screen by typing gpedit.msc.

Local Group Policy Editor

From the tools in DC, we can access the Group Policy Management tab and access the screen that we will use to assign the relevant policies to users and computers in the whole domain.

Group Policy Management

UAC (User Account Control) is a security feature in Windows operating systems that allows users and applications to operate without administrator privileges. Essentially, UAC encourages users to work with standard user rights while requiring administrator approval for operations that require elevated privileges. This enhances computer security and prevents unintended changes.

Here are some key reasons why UAC is important:

  1. Protection Against Malware: UAC prevents malware from causing harm to the system because malware finds it difficult to make changes without administrator privileges.
  2. Reduced Errors and Mistakes: UAC prevents users from accidentally or unknowingly changing system settings, reducing the risk of damage to the computer.
  3. Prevention of Exploitation: Since operations requiring elevated privileges need approval, unauthorized access to the system becomes more challenging, enhancing system security.
  4. Privacy Protection: UAC prevents unauthorized access to users’ private and sensitive data, safeguarding their privacy.
  5. Operating System Security: UAC enhances overall operating system security and provides defense against cyberattacks.

As can be seen in the image below, UAC can also be configured to cover the entire domain via Group Policy.

Group Policy Management Editor | UAC Policies

User Account Control Settings can also be accessed via the Control Panel. The settings made here will only affect the computer on which the settings are made!

User Account Control Settings

In summary, UAC is an important security mechanism in Windows operating systems that enables users to use their computers more securely.

If you are wondering how to bypass UAC, you can check the article below. Bypassing UAC is quite easy and can be done in non-complex ways. The reason for this is that Windows does not actually treat UAC as a security boundary!

Authentication and Authorization on Windows

Authentication and authorization are critical security topics in Windows operating systems. Authentication involves the methods and mechanisms used to verify users’ identities, while authorization determines the access rights of authenticated users.

There are different authentication methods within Windows systems:

  • Kerberos: Kerberos is a network authentication protocol that uses tickets to authenticate users and services securely. It is widely used in Windows environments for mutual authentication and encrypted communication.
  • NTLM (NT LAN Manager): NTLM is an older authentication protocol used in Windows environments. It provides authentication based on a challenge-response mechanism but lacks some of the security features of Kerberos.
  • Digest Authentication: Digest Authentication is an HTTP authentication method that provides a more secure alternative to basic authentication by hashing the user’s credentials before sending them over the network.
  • Smart Card Authentication: Smart Card authentication involves using a physical Smart Card with an embedded chip containing user credentials for authentication. This adds an extra layer of security as it requires physical possession of the Smart Card.
  • Certificate-Based Authentication: Certificate-Based Authentication uses digital certificates to authenticate users and services. It relies on public-key infrastructure (PKI) to validate the authenticity of certificates.

There are different authorization methods within Windows systems:

  • Access Control Lists (ACLs) and Access Control Entries (ACEs): ACLs are used to define permissions on resources such as files, folders, and network shares. ACEs are individual entries within an ACL that specify permissions for specific users or groups.
  • Group Policies: Group Policies are configuration settings that allow administrators to control and manage the behavior of users and computers in a Windows environment. They are used to enforce security settings, application settings, and other policies across the network.

Kerberos Recommendations

  • Time Synchronization : Kerberos uses time-based tokens. Failure to synchronize clocks can lead to authentication failures.
  • Service Principal Names (SPN) Check : Ensure that SPNs are configured correctly and are unique.
  • Using AES Encryption : Use AES instead of older encryption algorithms.

NTLM Recommendations

  • Using NTLMv2: Force NTLMv2 instead of the old NTLMv1.
  • Migrating to Kerberos: Use Kerberos instead of NTLM by upgrading or configuring legacy systems.

Digest Authentication Recommendations

  • Strong Hash Algorithms: Choose stronger hashing algorithms instead of weak ones like MD5.
  • Use TLS: Use TLS for an extra layer of security during data transfer.

Smart Card Recommendations

  • PIN Protection: Require a PIN in addition to the smart card itself.
  • Security of Card Readers: Limit physical access to card readers.

Certificate-Based Authentication Recommendations

  • Certificate Revocation List (CRL): Update and check the CRL regularly so that invalid certificates can be detected quickly.
  • Private Key Protection: Ensure that private keys are stored securely.

Basic Authentication Recommendations

  • Using SSL/TLS: Basic authentication sends credentials in the clear (only Base64-encoded), so it should always be used over SSL/TLS.
  • Using 2FA: For more security, use two-factor authentication (2FA).

Windows Update and Patch Management

Windows Update and Patch Management is of great importance from a cybersecurity perspective. Timely updates and patches enhance the security and resilience of systems, prevent potential attacks and malware, and safeguard data privacy. Therefore, focusing on update and patch management in the Windows environment is a fundamental step in establishing a secure IT infrastructure.

Windows comes with its own Windows Update tool to manage these processes. With it you can track and install updates. The image below shows a Windows Update screen on a device where many updates and patches are pending; these should be installed promptly.

Windows Update

If you want to monitor and apply updates to your servers in real time, you can take advantage of the WSUS tool that Windows provides for free. For more information about WSUS, please see the following document.

Windows Server Update Services (WSUS)

Always review updates before applying them, because some updates can disrupt or even halt your daily workflow. It is recommended that you prepare a test environment and try the updates there first.
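To see the same information the Windows Update screen shows, but in a form you can script across servers, here is an added PowerShell example (not from the original post). It uses the Windows Update Agent COM API (`Microsoft.Update.Session`) to list updates that are applicable but not yet installed, together with their MSRC severity, and uses `Get-HotFix` to report how long it has been since anything was installed. It searches whatever update source the machine is already configured for, so it works against Microsoft Update or a WSUS server alike.

```powershell
# Added example (not from the original post): report pending updates and patch
# staleness on the local host using the Windows Update Agent COM API.

$session  = New-Object -ComObject 'Microsoft.Update.Session'
$searcher = $session.CreateUpdateSearcher()

# IsInstalled=0: applicable but not installed; IsHidden=0: not hidden by an admin.
$result = $searcher.Search('IsInstalled=0 and IsHidden=0')

$pending = foreach ($u in $result.Updates) {
    # MsrcSeverity is empty for non-security updates (feature packs, drivers).
    $severity = if ($u.MsrcSeverity) { $u.MsrcSeverity } else { 'n/a' }
    [pscustomobject]@{
        KB       = ($u.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
        Severity = $severity
        Title    = $u.Title
    }
}

$pending | Sort-Object Severity | Format-Table -AutoSize

# Staleness: when was the last hotfix installed? A large number here usually
# means the update agent is broken or the machine is not reaching its source.
$last = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
if ($last) {
    $age = (Get-Date) - $last.InstalledOn
    "Last hotfix: $($last.HotFixID) installed $([int]$age.TotalDays) days ago"
}

$critical = @($pending | Where-Object Severity -eq 'Critical').Count
"Pending updates: $(@($pending).Count) (critical: $critical)"
```

The script only reports; it does not install anything, which keeps it safe to run on production hosts and fits the advice above to review updates before applying them.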

Antivirus, Malware and Threat Protection

In general, this is a very broad topic that can be addressed for each device. However, this section will only look at the Windows side.

As you may know, Windows uses Defender to protect end devices. Defender has a broad, modular structure. If your device is not part of a corporate network, Defender can generally provide adequate protection on its own.

Windows Defender Dashboard

I don’t want to go into the individual modules that Windows Defender includes, but in general it supports many protection methods such as Virus & Threat Protection, Ransomware Protection, Application and Exploit Protection, and Isolation.

Windows Firewall is a security component included in Microsoft Windows operating systems. Essentially, it protects your computer from hostile internet and network traffic: it monitors your computer’s network connections and filters incoming and outgoing packets. Windows Firewall helps protect your computer from malicious software, hacker attacks, and other online threats, while also allowing you to configure and customize its policies.

Windows Defender Firewall

Windows Firewall can also be controlled via Group Policy and subjected to various policies. However, remember that these measures are ABSOLUTELY not enough if you are working on a corporate network!
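Whether Defender and the firewall are actually in the state you think they are is something worth checking rather than assuming, especially on a host that has been around for a while. The following PowerShell is an added example (not from the original post) that reads Defender status and preferences with the built-in Defender module and the firewall profiles and rules with the NetSecurity module, and prints a simple pass/fail posture table. The thresholds (signature age under three days, controlled folder access enforced rather than audited) are my assumptions, not settings the post prescribes.

```powershell
# Added example (not from the original post): one-shot posture check for
# Microsoft Defender Antivirus and Windows Defender Firewall on the local host.
# Uses the Defender and NetSecurity modules that ship with Windows.

$report = @()

# --- Defender ---
$mp   = Get-MpComputerStatus
$pref = Get-MpPreference

$sigAgeDays = ((Get-Date) - $mp.AntivirusSignatureLastUpdated).TotalDays

$report += [pscustomobject]@{ Check = 'Defender real-time protection'; Value = $mp.RealTimeProtectionEnabled; Pass = $mp.RealTimeProtectionEnabled }
$report += [pscustomobject]@{ Check = 'Defender tamper protection';    Value = $mp.IsTamperProtected;         Pass = $mp.IsTamperProtected }
$report += [pscustomobject]@{ Check = 'Signature age (days)';          Value = [math]::Round($sigAgeDays, 1); Pass = ($sigAgeDays -lt 3) }   # 3 days is an assumed threshold
# Controlled folder access is Defender's ransomware protection: 1 = enabled, 2 = audit only.
$report += [pscustomobject]@{ Check = 'Controlled folder access';      Value = $pref.EnableControlledFolderAccess; Pass = ($pref.EnableControlledFolderAccess -eq 1) }
# PUAProtection 1 = block potentially unwanted applications.
$report += [pscustomobject]@{ Check = 'PUA protection';                Value = $pref.PUAProtection;           Pass = ($pref.PUAProtection -eq 1) }

# --- Firewall profiles ---
# DefaultInboundAction is Block or NotConfigured (which also means block); Allow is the bad value.
foreach ($p in Get-NetFirewallProfile) {
    $report += [pscustomobject]@{
        Check = "Firewall profile '$($p.Name)'"
        Value = "Enabled=$($p.Enabled) Inbound=$($p.DefaultInboundAction) LogBlocked=$($p.LogBlocked)"
        Pass  = ($p.Enabled -and ($p.DefaultInboundAction -ne 'Allow'))
    }
}

$report | Format-Table -AutoSize

# --- Firewall rules worth a second look ---
# Enabled inbound allow rules bound to any program from any remote address. Some
# built-in rules (e.g. Core Networking) legitimately look like this, so this is a
# review list, not a pass/fail.
$wideOpen = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object {
        $addr = $_ | Get-NetFirewallAddressFilter
        $app  = $_ | Get-NetFirewallApplicationFilter
        ($addr.RemoteAddress -eq 'Any') -and ($app.Program -eq 'Any')
    }

"Inbound allow rules open to any program from any address: $(@($wideOpen).Count)"
$wideOpen | Select-Object DisplayName, Profile, Group | Format-Table -AutoSize
```

On a managed endpoint most of these values are set by Group Policy or Intune; the point of running the check locally is to confirm the policy actually landed, since a device that has not refreshed policy or has had Defender tampered with looks identical in the console until you ask.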

Microsoft Sentinel is Microsoft’s cloud-based Security Information and Event Management (SIEM) solution. Sentinel gathers information from a wide range of security data sources to help organizations detect, respond to, and learn from security threats. These sources include log files, telemetry data, application logs, and other security information. Using artificial intelligence and machine learning technologies, Sentinel can automatically detect and analyze security events, enabling organizations to respond faster and anticipate future threats.

Microsoft Sentinel | Incidents

Microsoft Sentinel is a cloud-based solution and does not come by default on Microsoft Windows systems! It is a paid solution.

For more information about Microsoft Sentinel, please see the document below.

UAC could also have been included in this section, but I left it out because we covered it above.

Windows Event Viewer

Windows Event Viewer is a tool found in Microsoft Windows operating systems used to monitor and manage system, security, and application events. This tool records events that occur on your computer and displays details about these events. System administrators and security experts can use Event Viewer to track important system events, diagnose issues, and monitor system performance. Event Viewer also provides users with the ability to filter, search, and generate reports on events based on specific criteria, allowing for more effective event management.

Event Viewer | Windows Logs | Security

Event Viewer is also of great importance during incident response. In enterprises, a SIEM is generally used instead of examining these logs on individual systems.

Event Viewer contains various logs. Essentially, Event Viewer has three main categories:

Windows Logs:

  • Application Log: Contains events related to applications. For example, application starts or stops.
  • Security Log: Contains security-related events. For instance, user logins, failed login attempts, file and folder accesses.
  • System Log: Contains events related to the system. For example, hardware errors, driver installations, system startups and shutdowns.

Applications and Services Logs:

  • Under this category, logs created by different applications and services are found. For example, logs for services like Active Directory, DNS, DHCP, etc.

Subscriptions:

  • In this section, you can create subscriptions for events and configure monitoring of events from remote computers.
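The Security log examples above (user logins, failed login attempts) are where most first-response work starts. Here is an added PowerShell example (not from the original post) that pulls failed-logon events (event ID 4625) from the Security log with `Get-WinEvent`, parses the named fields out of each event's XML, and summarises them by source address and by account/source pair. Seeing one source fail against many accounts versus one account failing many times is the quickest way to tell password spraying from brute force in Event Viewer data. The look-back window and failure threshold are assumptions.

```powershell
# Added example (not from the original post): summarise failed logons (4625)
# from the Security log. Run elevated; the Security log is admin-readable only.
param(
    [int]$Hours     = 24,   # assumed look-back window
    [int]$Threshold = 10    # assumed: failures per account/source pair worth a look
)

$filter = @{
    LogName   = 'Security'
    Id        = 4625
    StartTime = (Get-Date).AddHours(-$Hours)
}

# -ErrorAction SilentlyContinue: Get-WinEvent errors when nothing matches.
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

# 4625 is easiest to read from its XML: EventData holds named <Data> fields.
$rows = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
    [pscustomobject]@{
        Time      = $e.TimeCreated
        Account   = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
        Source    = $d['IpAddress']     # '-' for local/console failures
        LogonType = $d['LogonType']     # 3 = network, 10 = RDP, 2 = interactive
        # SubStatus explains why: 0xC000006A bad password, 0xC0000064 unknown user,
        # 0xC0000234 account locked out.
        SubStatus = $d['SubStatus']
    }
}

"Failed logons in the last $Hours h: $(@($rows).Count)"

# One source, many distinct accounts: looks like password spraying.
"`nTop sources by failure count:"
$rows | Group-Object Source | Sort-Object Count -Descending |
    Select-Object -First 10 Count, Name,
        @{ n = 'DistinctAccounts'; e = { @($_.Group.Account | Sort-Object -Unique).Count } } |
    Format-Table -AutoSize

# One account from one source, over and over: looks like brute force.
"`nAccount/source pairs at or above $Threshold failures:"
$rows | Group-Object Account, Source | Where-Object Count -ge $Threshold |
    Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

The same filter hashtable works against a collector with `-ComputerName`, or against saved `.evtx` exports via `-Path`, which is how you would apply it to logs gathered through the Subscriptions feature described above or pulled during an incident.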

For more basic information, please see the document below.

In this blog post, we’ve covered fundamental aspects of Windows and Active Directory security. We delved into the importance of Active Directory, user and group management, security policies, authentication and authorization concepts in detail. Additionally, we discussed security measures such as Windows Update and Patch Management, antivirus and threat protection in the Windows environment.

Windows and Active Directory security pose fundamental challenges for modern businesses. Having a strong foundation of knowledge in this area helps organizations better protect against cyber threats and ensure data security.

We hope the topics covered in this series have been beneficial to you. We encourage you to further explore these topics and enhance your security strategies. Remember the importance of security awareness and staying updated. Stay safe!

Written by Ali Sefer

Cyber Security Specialist | SOC Team Lead
