/Insights

Windows Server Top Security Recommendations

The prominence of cybercrime has every IT professional on alert, so keeping data safe is priority number one. IBM’s Cost of a Data Breach Report 2021 provided research into over 500 data breaches studied worldwide and found that the average cost of a data breach is $4.25 million. What’s more, the average time for respondents to identify and contain that breach is 287 days. The amount of damage possibly done within that time is staggering. Out of the 17 studied countries worldwide, the United States was monetarily most impacted — the average cost of a data breach in America was $9.05 million. So, how can you protect your business from an attack? We’ll look at some ways you can harden your security stance in Windows Server 2022.

Secured-Core Server

Secured-core server is a bundle of security measures within Server 2022 that helps to proactively disrupt and defend against ways that attackers may exploit a system. Its features work at the bottom layers of the technology stack and within a system’s most privileged areas. It is built on three key pillars:

  1. Simplified security

    Certified OEM hardware for Secured-core server is a feature that ensures that the hardware, firmware, and drivers meet the requirements for Secured-core server capabilities. Be sure to enable these capabilities by configuring Windows Server systems in the Windows Admin Center.

  2. Preventative defense

    Enabling Secured-core functionality allows you to proactively guard your system by enabling advanced security features at the lowest layers of the technology stack. This helps shield the most privileged areas of the system. A great advantage of this feature is that it occurs without the need for additional monitoring by IT and SecOps teams.

  3. Advanced protection

    This helps add more protection through hardware root-of-trust, Secure Boot with Dynamic Root of Trust for Measurement (DRTM), System Guard with Kernel Direct Memory Access (DMA) protection, virtualized-based security (VBS), and hypervisor-based code integrity (HVCI).

Implement a Privileged Access Workstation

To further strengthen your security within Server 2022, Microsoft recommends using a privileged access workstation (PAW) that is dedicated to sensitive servers. It must also not be used for reading emails, accessing the internet, or performing other everyday online tasks since these activities increase the risk of a security breach. A restricted-access PAW should enable Windows Defender Credential Guard and use BitLocker Drive Encryption. It should also block RDP, PowerShell, and other tools for management not configured as a PAW.

Download the Microsoft Security Compliance Toolkit (SCT)

The Security Compliance Toolkit (SCT) is a set of security configuration analysis tools. It includes a Policy Analyzer tool, a Local Group Policy Object (LGPO) tool, a GPO to Policy Rules tool, and a Set Object Security tool. The SCT can be downloaded from Microsoft to help system administrators better manage their Group Policy Objects (GPOs) by allowing security administrators to edit, analyze, test, and download security configuration baselines. These baselines are stored in GPO backup file format and then applied individually through local policy or broadly with Active Directory.

Secure Domain Controllers

Secure domain controllers store controls and credentials about users who may access a domain’s resources, ensuring that only authorized users can access restricted resources. Because domain controllers contain sensitive account information, they are especially attractive to hackers. To further protect domain controllers, it is recommended to use BitLocker Drive Encryption and TPM device, implement the Windows Defender Device Guard and Window Defender Guard hardware readiness tool and opt for Server Core installations instead of the Desktop Experience. In addition, if domain controllers are run as virtual machines, they should run on separate virtualized hosts.


Trusted Tech Team is an accredited Microsoft CSP Direct Bill Partner, carrying multiple Solutions Partner designations and the now-legacy Microsoft Gold Partner competency. Based in Irvine, California, we report trends affecting IT pros everywhere.

If your organization uses Microsoft 365 or Azure, you may be eligible to receive a complimentary savings report from a Trusted Tech Team Licensing Engineer. Click here to schedule a consultation with our team now to learn how much you can save today.

Subscribe to the Trusted Tech Team Blog

Get the latest posts delivered right to your inbox

Trusted Tech Team

Trusted Tech Team

Your source for all things tech

Read More