26 March 2015

Windows 8.1 / Server 2012 R2 represent a quantum leap for users and companies in terms of security. Important new security features like

• Restricted Admin mode for remote desktop connections,
• LSA Protection,
• Protected users group and
• the removal of clear text credentials from the lsass process

make an attacker’s life harder. Compared to Windows 8.1 / Server 2012 R2 the last Windows versions are inherently insecure.

Therefore it’s truely confusing when IT groups give users the advice to migrate from Windows 2003 Server to Windows 2008 Server for operational reasons. In the past weeks I often heard terrifying statements like ‘If you prefer to be the guinea pig, go for version 2012’. From a security point of view this is a catastrophe.

With update KB2871997 Microsoft backported some of the new security features to Windows 7/8/Server 2008 R2. For a very good overview please see Sean Metcalf’s report published on Active Directory Security.

Unfortunately the most important features, Restricted Admin Server mode and LSA protection, were not backported. Protection for Windows 7 is better with the update, but Windows 2008 Server is still relatively simple to attack.

With that, the recommendation is to migrate to Windows 2012 R2 Server, provided that the application vendor gives support for this version.

I strongly recommend to enforce Restricted Admin Server mode to protect the administrator credentials.

Have a good day.