How to future-proof Windows networks: Take action now on planned phaseouts and changes

In January 2002, Bill Gates sent an infamous email to all of his employees indicating that Microsoft had decided to put security henceforth first and foremost after several headline events pushed the company to reconsider how it built software.

Gates told employees that Microsoft would need to develop technologies and policies to help businesses better manage ever-larger networks of PCs, servers, and other intelligent devices and reassure customers that their critical business systems were safe from harm.

“Systems will have to become self-managing and inherently resilient,” Gates wrote. “We need to prepare now for the kind of software that will make this happen, and we must be the kind of company that people can rely on to deliver it.”

Windows would add a firewall to its operating system while facing the fallout from viruses such as Code Red, Nimda, SQL Slammer, and Blaster.

Fast-forward to 2024 and current Microsoft boss Satya Nadella is facing a similar challenge. After several years of newsworthy security issues, the mandate has shifted slightly in focus. According to the head of the company whose software runs the lion’s share of business workstations globally, the choice between building security and doing anything else is clear: “Do security.”

Legacy systems will no longer be part of Microsoft’s focus

“In some cases, this will mean prioritizing security above other things we do, such as releasing new features or providing ongoing support for legacy systems,” Nadella said in a May 2024 blog post.

“This is key to advancing both our platform quality and capability such that we can protect the digital estates of our customers and build a safer world for all.”

The message is that Microsoft’s priority is no longer ensuring that legacy technology remains acceptable in a modern network. So, if you are a firm that relies on traditional Active Directory, my recommendation is to take action on planned phaseouts and changes now, so that you aren’t caught out by future Microsoft mandates.

Investigate your NTLM dependencies now

Microsoft has indicated that NTLM needs to be phased out and is beginning to communicate that the protocol needs to be disabled, because it can be abused to gain more access to a firm’s resources through several weaknesses:

NTLM relies on weak password hashing, which makes it susceptible to attacks.

NTLM uses outdated cryptography, such as the RC4 cipher, and thus can be exploited.

The protocol’s lack of salting makes it vulnerable to brute-force attacks.

Ensure you assign resources in your firm now to identify how dependent you are on NTLM. Ensure team members are aware of resources and webinars on the topic.
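Before anything can be disabled, you need to know who still speaks NTLM. The following PowerShell is an added example, not part of this article or of Microsoft’s documentation: it switches on NTLM auditing (audit only, nothing is blocked) and then summarizes the resulting events in the Microsoft-Windows-NTLM/Operational log. The registry value names correspond to the “Network security: Restrict NTLM” Group Policy settings; the event data field names (ProcessName, TargetName) are assumed from the event schema and differ slightly between event IDs, so check them against a real event on your build.

```powershell
# Added example (not from the article): enable NTLM auditing on one host and
# summarize what it reports. Run elevated. Across a domain, set the same values
# through Group Policy under Computer Configuration > Windows Settings >
# Security Settings > Local Policies > Security Options > "Network security: Restrict NTLM".

$msv = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'

# Audit only: incoming NTLM (2 = audit all accounts) and outgoing NTLM (1 = audit all).
# Neither value blocks traffic, so this is safe to deploy before any enforcement.
Set-ItemProperty -Path $msv -Name 'AuditReceivingNTLMTraffic' -Value 2 -Type DWord
Set-ItemProperty -Path $msv -Name 'RestrictSendingNTLMTraffic' -Value 1 -Type DWord

# On domain controllers only: 7 = audit all NTLM authentication in the domain.
# Set-ItemProperty -Path $msv -Name 'AuditNTLMInDomain' -Value 7 -Type DWord

# Event IDs written to Microsoft-Windows-NTLM/Operational:
#   8001 outbound NTLM to a remote server   8002 inbound NTLM from a client
#   8003 DC saw NTLM for a domain account    8004 DC blocked NTLM (enforcement only)
function Get-NtlmAuditSummary {
    param([int]$Days = 7)

    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-NTLM/Operational'
        Id        = 8001, 8002, 8003, 8004
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue

    $events | ForEach-Object {
        # Pull every <Data Name="..."> field out of the event XML into a hashtable,
        # because the field set differs per event ID.
        $xml = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Id      = $_.Id
            Process = $data['ProcessName']   # assumed field name; present on 8001/8002
            Target  = $data['TargetName']    # assumed field name; present on 8001
            User    = $data['UserName']
            Domain  = $data['DomainName']
        }
    } |
    Group-Object Id, Process, Target |
    Sort-Object Count -Descending |
    Select-Object Count, Name
}

# After the host has run through a normal business cycle, list the top NTLM users.
Get-NtlmAuditSummary -Days 7 | Format-Table -AutoSize
```

Leave the audit running for at least one full month-end or patch cycle before drawing conclusions; batch jobs and legacy appliances that only authenticate occasionally are exactly the dependencies that break when NTLM is later blocked.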

Ensure SMBv1 is disabled

For those still using traditional Active Directory, there are several technologies and protocols that need to be removed sooner rather than later. The use and support of SMB v1 is another example of this. Once again ensure that your IT staff is actively reviewing for dependencies.

If you have not already disabled SMBv1 through group policy, review the guidance to disable it in your network as soon as you can. Download the latest ADMX file to your group policy store and review the settings under Computer Configuration > Administrative Templates. These are custom templates that need to be downloaded separately and installed in the group policy store.
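For servers you can manage directly, the review-then-disable sequence looks like the following. This is an added example, not the article’s or Microsoft’s own script; it uses the SmbShare and DISM cmdlets that ship with Windows 8.1 / Server 2012 R2 and later, and assumes that SMB1 audit event 3000 carries the client address in its message text in the form “Client Address: <ip>”.

```powershell
# Added example (not from the article): check SMBv1 state, audit who still uses it,
# then disable it. Run elevated.

# 1. Current state of the server side and of the optional feature.
Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol, AuditSmb1Access
Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol |
    Select-Object FeatureName, State
# On Server SKUs the same feature is exposed as: Get-WindowsFeature FS-SMB1

# 2. Audit before disabling: with AuditSmb1Access on, the server writes event 3000
#    to Microsoft-Windows-SMBServer/Audit for every SMB1 connection it accepts.
Set-SmbServerConfiguration -AuditSmb1Access $true -Force

function Get-Smb1Clients {
    param([int]$Days = 7)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-SMBServer/Audit'
        Id        = 3000
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Assumed message layout: the client IP follows "Client Address:".
        if ($_.Message -match 'Client Address:\s*(\S+)') { $Matches[1] }
    } |
    Group-Object |
    Sort-Object Count -Descending |
    Select-Object Count, Name
}

Get-Smb1Clients -Days 7 | Format-Table -AutoSize

# 3. Once the audit shows no legitimate SMB1 clients, remove the protocol on both
#    the server side and the client (feature) side. A reboot completes the removal.
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
```

Typical entries in the audit are old multifunction printers scanning to a share and storage appliances running a dated Samba; fix those first, then apply the Group Policy template so the setting is enforced rather than set once by hand.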

Enforce LDAP signing

Next you’ll want to review and ensure that LDAP signing is mandated in your network. Requiring signed communication ensures that an Adversary-in-the-Middle (AiTM) attacker can’t read the credentials and harvest the information.
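Domain controllers can tell you which clients would break before you require signing. The PowerShell below is an added example, not the article’s or Microsoft’s own script: it raises the “LDAP Interface Events” diagnostics level so that the DC logs event 2889 for every unsigned bind, summarizes those events, and then sets the registry values behind the “LDAP server signing requirements” and “LDAP client signing requirements” policies. The positions of the client address, identity and bind type in event 2889’s properties are assumed from the event template and should be checked against one real event.

```powershell
# Added example (not from the article): find unsigned LDAP binds, then require signing.
# Run elevated on a domain controller.

$diag = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
$ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$ldap = 'HKLM:\SYSTEM\CurrentControlSet\Services\LDAP'

# 1. Log LDAP interface events at level 2: the DC then writes event 2889 to the
#    "Directory Service" log for each SASL bind without signing and each simple bind
#    that is not protected by TLS.
Set-ItemProperty -Path $diag -Name '16 LDAP Interface Events' -Value 2 -Type DWord

function Get-UnsignedLdapBinds {
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Directory Service'
        Id        = 2889
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Assumed property order for 2889: client ip:port, identity, binding type
        # (0 = unsigned SASL bind, 1 = simple bind without TLS).
        [pscustomobject]@{
            Client   = $_.Properties[0].Value
            Identity = $_.Properties[1].Value
            BindType = $_.Properties[2].Value
        }
    } |
    Group-Object Client, Identity, BindType |
    Sort-Object Count -Descending |
    Select-Object Count, Name
}

Get-UnsignedLdapBinds -Hours 24 | Format-Table -AutoSize

# 2. When the list is empty (or every entry has been remediated), require signing
#    on the DC. LDAPServerIntegrity: 1 = none, 2 = require signing.
Set-ItemProperty -Path $ntds -Name 'LDAPServerIntegrity' -Value 2 -Type DWord

# 3. Pair it with the client-side policy on members (here set locally; deploy it
#    by GPO in practice). LDAPClientIntegrity: 0 = none, 1 = negotiate, 2 = require.
Set-ItemProperty -Path $ldap -Name 'LDAPClientIntegrity' -Value 2 -Type DWord

# 4. Once 2889 no longer appears, drop the diagnostics level back to 0 to stop
#    the extra logging.
# Set-ItemProperty -Path $diag -Name '16 LDAP Interface Events' -Value 0 -Type DWord
```

The identity column is the useful part: it usually points at a service account used by a VPN concentrator, a help-desk tool or a Linux host doing LDAP authentication, which tells you which vendor to call rather than just which IP to block.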

Hardening Kerberos

Finally, you’ll want to devote resources to hardening Kerberos by enforcing AES and removing RC4 encryption from your network. Using RC4 in your network leaves it reliant on an older technology that is weak and leaves service accounts susceptible to Kerberoasting attacks.
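The attribute that controls this per account is msDS-SupportedEncryptionTypes, and the following added example (not from the article or from Microsoft) inventories it across enabled users and computers and flags principals that still negotiate RC4 or have no AES bit set. It needs the ActiveDirectory RSAT module; the bit values used are the documented ones (1 DES-CBC-CRC, 2 DES-CBC-MD5, 4 RC4-HMAC, 8 AES128, 16 AES256), and the account name in the remediation lines is a placeholder.

```powershell
# Added example (not from the article): find Kerberos principals that would still
# use RC4, starting with service accounts (objects that carry an SPN).
Import-Module ActiveDirectory

$RC4 = 4
$AES = 8 -bor 16   # AES128 | AES256

function ConvertTo-EncTypeNames {
    param([Nullable[int]]$Value)
    # An unset attribute means the DC's default applies, which historically was
    # RC4 (and depends on the DefaultDomainSupportedEncTypes setting on newer DCs).
    if (-not $Value) { return 'not set (domain default)' }
    $names = @()
    if ($Value -band 1)  { $names += 'DES-CRC' }
    if ($Value -band 2)  { $names += 'DES-MD5' }
    if ($Value -band 4)  { $names += 'RC4' }
    if ($Value -band 8)  { $names += 'AES128' }
    if ($Value -band 16) { $names += 'AES256' }
    $names -join ','
}

function Get-Rc4Principals {
    $props = 'msDS-SupportedEncryptionTypes', 'servicePrincipalName', 'PasswordLastSet'
    $users = Get-ADUser     -Filter 'Enabled -eq $true' -Properties $props
    $hosts = Get-ADComputer -Filter 'Enabled -eq $true' -Properties $props

    foreach ($p in @($users) + @($hosts)) {
        $et = $p.'msDS-SupportedEncryptionTypes'
        $lacksAes = (-not $et) -or (($et -band $AES) -eq 0)
        if ($lacksAes -or ($et -band $RC4)) {
            [pscustomobject]@{
                Name     = $p.SamAccountName
                Class    = $p.ObjectClass
                EncTypes = ConvertTo-EncTypeNames $et
                HasSPN   = [bool]$p.servicePrincipalName
                LacksAES = $lacksAes
                PwdSet   = $p.PasswordLastSet
            }
        }
    }
}

# Service accounts that cannot do AES go first: their tickets are issued under
# RC4, keyed by the account password, which is what roasting attacks rely on.
Get-Rc4Principals |
    Where-Object { $_.HasSPN -and $_.LacksAES } |
    Sort-Object PwdSet |
    Format-Table -AutoSize

# Remediation for one account (placeholder name): restrict it to AES, then reset the
# password, because AES keys are only derived when the password changes.
# Set-ADUser -Identity 'svc-placeholder' -KerberosEncryptionType AES128,AES256
# Set-ADAccountPassword -Identity 'svc-placeholder' -Reset
```

Sort by PasswordLastSet as the example does: a service account whose password predates AES support in your domain has no AES keys at all, so flipping the attribute without a password reset will simply break its logons.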

Server 2025 changes

I’d also recommend that you review the future changes coming to Server 2025. For example, Server 2025 adds the AES-SHA256 and AES-SHA384 Kerberos encryption types: the Kerberos protocol implementation is updated to support stronger encryption and signing mechanisms per RFC 8009, which adds SHA-256 and SHA-384. In Server 2025 RC4 is deprecated and moved to the do-not-use cipher list.

Server 2025 will also support a 32k database page size, increased from the 8k limit that Windows has supported since Windows 2000.

Additional security enhancements include the following:

Improved algorithms for Name/SID lookups — Local Security Authority (LSA) name and SID lookup forwarding between machine accounts no longer uses the legacy Netlogon secure channel. Kerberos authentication and the DC Locator algorithm are used instead. To maintain compatibility with legacy operating systems, it’s still possible to use the Netlogon secure channel as a fallback option.

Improved security for confidential attributes — DCs and AD LDS instances only allow LDAP add, search, and modify operations involving confidential attributes when the connection is encrypted.

Improved security for default machine account passwords — AD now uses randomly generated default computer account passwords. Windows 2025 DCs block setting computer account passwords to the default password of the computer account name.

In Server 2025, LDAP will be encrypted by default

In addition, regarding the earlier LDAP and SMB discussions, in Server 2025 LDAP will be encrypted by default. In addition, the server platform will enforce outbound SMB encryption and block NTLM. Ensure you are spending time evaluating and planning your future server structures.

Finally, if you haven’t reviewed the various resources from Microsoft to the Center for Internet Security to NIST, there are many organizations that provide guidance and security baselines to assist you in hardening and strengthening your existing network. But don’t stop with mere guidance, ensure that you are using tools such as Ping Castle or Purple Knight to review your existing network.

It’s important that you ensure your firm is using the resources you already have in place to secure your infrastructure from current threats. But looking at these lower-hanging fruit security changes should also ensure that you are one step ahead of Microsoft’s security changes and potential mandates.
