Windows Server Summit | Security

Microsoft isn't doing anything for local infrastructures anymore. Everything is supposed to be moved to the cloud.

Admittedly, classic Windows Server functions and products are gradually being phased out in favor of Azure and Microsoft 365 services. However, Microsoft now seems to have realized that the truth lies somewhere in the middle—namely, hybrid infrastructure.

Accordingly, the main focus has been on security in order to be prepared for threats in the local environment for years to come.

Harden security and build resiliency with Windows Server 2025

Integrated security baselines

Whereas previously basic security policies had to be downloaded from the Download Center and imported into Active Directory (or applied locally via LGPO), this can now be done much more quickly!

Microsoft has integrated the policies natively into the operating system and provided an additional command line tool that allows the policies to be activated quickly and easily based on categories.

The great thing about this is that reverting individual policies on standalone servers, which used to be quite difficult, is now much easier. The technology is based on the familiar MDM/CSP approach used by Intune.

Incidentally, the policies are over 90% compliant with the CIS (Center for Internet Security) recommendations. And anyone who has ever dealt with these knows that they can be very restrictive. 😇
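As an added example (not from the post), the following script applies the built-in baseline for the server's role, lists settings that have drifted from it, and shows how a single setting is reverted. It assumes the baselines are driven by the Microsoft.OSConfig PowerShell module and its `SecurityBaseline/WS2025-*` scenario names, which the post does not name; the setting name in the commented line is an assumed example.

```powershell
# Assumed tool: the Microsoft.OSConfig module that carries the Windows Server 2025 baselines
# (module, scenario and setting names are assumptions, not taken from the post).
# Run in an elevated PowerShell session on the server itself.
if (-not (Get-Module -ListAvailable -Name Microsoft.OSConfig)) {
    Install-Module -Name Microsoft.OSConfig -Scope AllUsers -Repository PSGallery -Force
}
Import-Module Microsoft.OSConfig

# Pick the baseline category that matches this server's role (Win32_ComputerSystem.DomainRole:
# 4/5 = domain controller, 1/3 = domain member, anything else = workgroup).
$scenario = switch ((Get-CimInstance Win32_ComputerSystem).DomainRole) {
    { $_ -in 4, 5 } { 'SecurityBaseline/WS2025-DomainController' }
    { $_ -in 1, 3 } { 'SecurityBaseline/WS2025-MemberServer' }
    default         { 'SecurityBaseline/WS2025-WorkgroupMember' }
}

# Apply the baseline with Microsoft's default value for every setting it contains.
Set-OSConfigDesiredConfiguration -Scenario $scenario -Default

# Re-check and list only the settings whose effective state differs from the baseline.
$drift = Get-OSConfigDesiredConfiguration -Scenario $scenario |
    Where-Object { $_.Compliance.Status -ne 'Compliant' } |
    Select-Object Name, Value,
        @{ n = 'Status'; e = { $_.Compliance.Status } },
        @{ n = 'Reason'; e = { $_.Compliance.Reason } }
$drift | Format-Table -AutoSize -Wrap

# Reverting one setting means overriding it individually instead of re-importing a whole policy
# (AuditDetailedFileShare is an assumed example of a baseline setting name):
# Set-OSConfigDesiredConfiguration -Scenario $scenario -Setting AuditDetailedFileShare -Value 0
# Removing the whole baseline from this host:
# Remove-OSConfigDesiredConfiguration -Scenario $scenario
```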

App Control for Business

App Control for Business (ACfB) was formerly known as Windows Defender Application Control (WDAC) and has been included since Windows Server 2016. This feature allows you to regulate the execution of classic and modern apps, which represents a further development compared to AppLocker. Microsoft recommends using ACfB as a rule and supplementing it with AppLocker for specific requirements as needed.

Secured-core Server

The Secured-core Server is a special offering from hardware manufacturers, similar to Azure Stack or Azure Local. The hardware manufacturer uses standard security hardware to pre-provision a hardened Windows Server installation on the hardware and keep it up to date. With this offering, the customer purchases a product that is always state-of-the-art and does not require dozens of updates.

Technologies used: Secure Boot, TPM 2.0, Boot DMA Protection, DRTM, VBS, HVCI
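An added check (not from the post) that verifies whether each technology in the list above is actually active on a given host; it reads the documented Win32_DeviceGuard and Win32_Tpm WMI classes, and the numeric codes in the comments follow the Win32_DeviceGuard documentation.

```powershell
# Verify the Secured-core building blocks on this host (added example, not from the post).
$dg  = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
$tpm = Get-CimInstance -Namespace root\cimv2\Security\MicrosoftTpm -ClassName Win32_Tpm -ErrorAction SilentlyContinue
try { $secureBoot = Confirm-SecureBootUEFI } catch { $secureBoot = $false }   # throws on legacy BIOS

$checks = [ordered]@{
    'Secure Boot'          = $secureBoot
    'TPM 2.0'              = [bool]$tpm -and $tpm.SpecVersion -like '2.0*'   # SpecVersion e.g. "2.0, 0, 1.59"
    'Boot DMA protection'  = 3 -in $dg.AvailableSecurityProperties           # 3 = DMA protection
    'VBS running'          = $dg.VirtualizationBasedSecurityStatus -eq 2     # 2 = enabled and running
    'HVCI running'         = 2 -in $dg.SecurityServicesRunning               # 2 = hypervisor-enforced code integrity
    'DRTM (Secure Launch)' = 3 -in $dg.SecurityServicesRunning               # 3 = System Guard Secure Launch
}
foreach ($c in $checks.GetEnumerator()) {
    '{0,-22} {1}' -f $c.Key, $(if ($c.Value) { 'OK' } else { 'MISSING' })
}
```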

VBS Enclave

The VBS Enclave is a function based on virtualization-based security. It allows confidential parts of an application to be isolated in a special virtualized area. This function is therefore particularly interesting for application developers.

Securing Active Directory

Windows Server 2025 also brings a number of changes in the area of Active Directory and user account management. For example, there is now an account lockout policy for local accounts that is enabled by default. This means that you can now lock yourself out of your own server if you are careless! But security clearly takes precedence here.

LDAP signing

LDAP signing is now enabled by default in Windows Server 2025. Accordingly, every company should check for itself whether LDAPS and channel binding are also enforced by default, as this also significantly improves security.
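The check suggested above, as an added example that is not part of the original post: it asks every domain controller for its LDAP signing and channel binding enforcement values and counts the unsigned binds it logged in the last 24 hours, so clients that would break under enforcement show up before the switch is made. Registry value names are the documented NTDS values; an empty value means the OS default applies.

```powershell
# Added example (not from the post): per-DC LDAP signing / channel binding status plus unsigned binds.
Import-Module ActiveDirectory
$ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS'

$report = foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
    Invoke-Command -ComputerName $dc -ArgumentList $ntds -ScriptBlock {
        param($ntds)
        $p = Get-ItemProperty "$ntds\Parameters"
        $d = Get-ItemProperty "$ntds\Diagnostics"
        # Event 2889 (Directory Service log) is written per unsigned bind only while
        # "16 LDAP Interface Events" is 2; at level 1 the DC only writes the 24-hourly summary 2887.
        $unsigned = Get-WinEvent -FilterHashtable @{
            LogName = 'Directory Service'; Id = 2889; StartTime = (Get-Date).AddDays(-1)
        } -ErrorAction SilentlyContinue
        [pscustomobject]@{
            DC                        = $env:COMPUTERNAME
            LDAPServerIntegrity       = $p.LDAPServerIntegrity        # 2 = require signing; empty = OS default
            LdapEnforceChannelBinding = $p.LdapEnforceChannelBinding  # 2 = always, 1 = when supported, 0 = never
            LdapInterfaceEvents       = $d.'16 LDAP Interface Events'
            UnsignedBinds24h          = @($unsigned).Count
        }
    }
}
$report | Sort-Object UnsignedBinds24h -Descending | Format-Table -AutoSize
```

Each 2889 event names the client address and the account that bound unsigned, so the offending systems can be fixed rather than guessed at.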

No more NetBIOS for domain controller discovery

NetBIOS is a fairly old protocol that is still partially active for compatibility reasons, but should be disabled across the board. Microsoft is taking a first step by disabling domain controller discovery via NetBIOS, so domain controller discovery now requires DNS.

LAPS

The automated management for local administrator accounts (Local Administrator Password Solution, LAPS) is getting some useful additions:

  • Automatic account management (activation/deactivation/renaming/randomization of administrator accounts)
  • Passphrase support (combining randomly selected terms to form a password instead of cryptic and difficult-to-read passwords; e.g., BicyclePrinterSession)
  • Improved readability for cryptic passwords by removing similar-looking characters (e.g., l/I/1, O/Q/0/o, etc.)
  • Image rollback protection (prevention of defective and therefore unusable passwords)

Common mistakes

Interestingly, Microsoft has also pointed out some mistakes that repeatedly occur in environments. Only a few will be highlighted here (the rest can be viewed in the video):

  • ms-DS-MachineAccountQuota = 10: by default, normal users are also allowed to add computers to the domain. This should be prevented by adjusting the Default Domain Controllers Policy on the one hand and by modifying the above setting (= 0) on the other.
  • Leaving the domain/forest functional level at an older version: there is no longer any reason to fear that raising it will irreversibly destroy anything. It is now even possible to roll back to 2008 R2 if necessary. However, you are depriving yourself of important and useful functions if you do not raise the level as part of a DC upgrade. So: raise it!
  • Rolling back group policy settings: a common practice (also used by me) is to set settings that are no longer to be applied to “Not Configured.” However, according to Microsoft, the correct way is to set the opposite (i.e., from “Enabled” to “Disabled” and vice versa). The reason for this is that with “Not Configured,” the registry value remains on the system and is simply ignored.

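For the first mistake in the list, an added example (not from the post) that reads the quota, sets it to 0, and then lists the computer objects that were joined under the quota by non-administrators. Active Directory stamps such objects with the creator's SID in mS-DS-CreatorSID, so the report shows who joined which machine and when; domain and OU names come from the environment the script runs in.

```powershell
# Added example (not from the post): check ms-DS-MachineAccountQuota, set it to 0 and audit quota joins.
Import-Module ActiveDirectory
$domain = Get-ADDomain
$quota  = (Get-ADObject -Identity $domain.DistinguishedName -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
"Current ms-DS-MachineAccountQuota: $quota"

if ($quota -ne 0) {
    # After this, only accounts with explicit delegation on the Computers container (or an OU)
    # can create computer objects. The "Add workstations to domain" user right in the Default
    # Domain Controllers Policy should be cleaned up as well, as the post notes.
    Set-ADDomain -Identity $domain.DistinguishedName -Replace @{ 'ms-DS-MachineAccountQuota' = 0 }
}

# Computer objects created through the quota carry the creator's SID; resolve it to an account name.
Get-ADComputer -Filter 'mS-DS-CreatorSID -like "*"' -Properties mS-DS-CreatorSID, whenCreated |
    ForEach-Object {
        $sid = [System.Security.Principal.SecurityIdentifier]::new($_.'mS-DS-CreatorSID', 0)
        try   { $who = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $who = $sid.Value }   # creator account may have been deleted since
        [pscustomobject]@{ Computer = $_.Name; CreatedBy = $who; WhenCreated = $_.whenCreated }
    } | Sort-Object WhenCreated -Descending | Format-Table -AutoSize
```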
Eliminate NTLM

Microsoft has been advising against the use of NTLM since 2010. As attacks on this protocol are now on the rise, Microsoft wants to actively encourage users to disable NTLM and no longer allow any exceptions. However, this may not be possible in all cases. Developers are advised to always use “Negotiate” as the authentication method in their applications so that the application can respond dynamically to relevant changes in Active Directory.
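Before NTLM can be disabled, the remaining users of it have to be found. As an added example (not from the post), this script switches on domain-wide NTLM auditing on a domain controller and summarizes the audit events by user, workstation and target server. The registry value is the backing store of the "Network security: Restrict NTLM: Audit NTLM authentication in this domain" policy (normally set via GPO); the field names parsed from the event message are taken from the text of event 8004 and are an assumption about its wording.

```powershell
# Added example (not from the post): audit NTLM use in the domain and report who still depends on it.
# Run on a domain controller. AuditNTLMInDomain 7 = audit all accounts (1/3/5 are narrower scopes).
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
Set-ItemProperty -Path $lsa -Name AuditNTLMInDomain -Value 7 -Type DWord

# Event 8004 in Microsoft-Windows-NTLM/Operational is written for each audited NTLM authentication.
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-NTLM/Operational'; Id = 8004; StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue

$events | ForEach-Object {
    # Parse the message text rather than relying on property order (field labels assumed from the event text).
    $m = $_.Message
    [pscustomobject]@{
        User        = [regex]::Match($m, 'User name:\s*(\S+)').Groups[1].Value
        Workstation = [regex]::Match($m, 'Workstation name:\s*(\S+)').Groups[1].Value
        Server      = [regex]::Match($m, 'Secure Channel name:\s*(\S+)').Groups[1].Value
    }
} | Group-Object User, Workstation, Server |
    Sort-Object Count -Descending |
    Select-Object Count, @{ n = 'User / Workstation / Server'; e = { $_.Name } } -First 25
```

Applications that show up here and cannot be changed to "Negotiate" are the exceptions that have to be decided on before the restrict policy is enabled.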

Delegated managed service accounts (dMSA)

Typically, ordinary user accounts are still used today to provide service accounts for applications and services. The disadvantages (manual password changes, including maintenance windows for this) are well known, which is why Microsoft introduced the new “(group) managed service account” or (g)MSA type with Server 2008 R2 and 2012 R2.

The advantages are obvious:

  • The password is automatically managed by Active Directory and exchanged with the user system.
  • The exchange takes place seamlessly; no restart of a service, application, etc. is necessary.

However, gMSAs have the disadvantage that they can only be used for specific purposes (services, scheduled tasks, IIS application pools), as you cannot log in interactively with such an account. In addition, the password of a gMSA can be stolen.

With the new dMSA type, Microsoft is now combining the properties of MSA and gMSA and adding further security features to ideally enable the replacement of both traditional service accounts and gMSA:

  • Use Credential Guard to bind authentication to the user system
  • dMSAs are explicitly intended for use with a specific server/application (gMSAs can be used for multiple servers/applications in parallel)

You can switch to the new account type from a traditional account (not gMSA) using PowerShell and a special migration process. However, only Windows Server 2025 can be used as the target system.
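The migration process mentioned above, as an added example that is not part of the original post: it creates a dMSA, links it to the traditional service account it supersedes, and completes (or undoes) the migration. Cmdlet and parameter names are those of the Windows Server 2025 ActiveDirectory module; the account names and OU are assumptions, and the service itself must run on a Windows Server 2025 host.

```powershell
# Added example (not from the post): migrate a traditional service account to a dMSA.
Import-Module ActiveDirectory
$legacy = 'CN=svc-app,OU=ServiceAccounts,DC=corp,DC=example'   # assumed traditional account (not a gMSA)
$dmsa   = 'dmsa-app'                                            # assumed name of the new dMSA

# 1. Create the dMSA. AES-only Kerberos keeps RC4 out of the picture from the start.
New-ADServiceAccount -Name $dmsa -DNSHostName "$dmsa.corp.example" `
    -CreateDelegatedServiceAccount -KerberosEncryptionType AES256 -Enabled $true

# 2. Link the dMSA to the account it supersedes. While the migration is in progress the old
#    account keeps working; once completed, logons with the old password are refused and the
#    service authenticates as the dMSA instead.
Start-ADServiceAccountMigration -Identity $dmsa -SupersededAccount $legacy

# 3. Check the migration state before completing it (attribute names as documented for dMSA:
#    msDS-DelegatedMSAState 1 = migration in progress, 2 = completed).
Get-ADServiceAccount -Identity $dmsa -Properties msDS-DelegatedMSAState, msDS-ManagedAccountPrecededByLink |
    Select-Object Name, msDS-DelegatedMSAState, msDS-ManagedAccountPrecededByLink

# 4. After the service on the Windows Server 2025 host has been verified to start as the dMSA:
Complete-ADServiceAccountMigration -Identity $dmsa -SupersededAccount $legacy
# Rollback while still in progress, should the service fail with the dMSA:
# Undo-ADServiceAccountMigration -Identity $dmsa -SupersededAccount $legacy
```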



Additional information

Official videos:
Harden security and build resiliency with Windows Server 2025 - Windows Server Summit
Securing Active Directory - Windows Server Summit

Overview of all articles: Windows Server Summit in a nutshell
