Adding a Link to the Chain of Zero Trust Assurance for Enterprises Using Microsoft Server

By Matthew Vulpis, Content Contributor  |  April 15, 2021

A server operating system, also called a Server OS, is the software layer on top of which other software programs, or applications, run on server hardware. A Server OS traditionally hosts web server, mail server, file server, database server, application server, and print server roles.

There are two major types of Server OS: open source, dominated by Linux, and closed source, dominated by Microsoft and its Windows Server operating system.

Red Hat is the leading provider of open-source Linux Server OS, with steady growth over the last decade, while Microsoft remains the leader based on the number of servers running a Microsoft OS.

With the increases in digital transformation driven by applications across the board (human collaboration such as voice, messaging, video conferencing, and more), and the move to the cloud with XaaS models, Server OS is a growth market for Linux, Microsoft, and others, including products from Apple, IBM, and other tech giants.

According to T4, an analytics firm, Server OS shipments grew by 10% in 2019, to nearly 11 million units worldwide. The market was expected to reach 12 million shipments in 2020, with a steady CAGR anticipated for many years to come.

Enterprises, government agencies, and other organizations are tasked with protecting servers from adversaries who profit greatly when they successfully break into the data stored and processed on those servers, or when they tunnel into a server and shut it down or hold it for ransom.

Microsoft's guidance on securing privileged access treats the security of intermediary devices as a critical component of that effort.

As written in a Microsoft blog, "Intermediaries add links to the chain of Zero Trust assurance for the user or administrator's end-to-end session, so they must sustain (or improve) the Zero Trust security assurances in the session. Examples of intermediaries include virtual private networks (VPNs), jump servers, virtual desktop infrastructure (VDI), as well as application publishing through access proxies."

Attackers frequently target intermediaries to steal the credentials stored on them, to obtain remote access to the network, and to exploit devices that have not been fully hardened.

Intermediaries vary in purpose and technology but typically provide remote access (enabling access to systems on enterprise networks from the Internet) and session security (providing protection for individual sessions).

When IT and cybersecurity teams fail to manage each device (including employees' personal devices), or leave devices to be managed by third-party service providers or vendors without oversight, massive damage can occur: financial, reputational, and operational.

Ensuring security from the device to the network, to the cloud-based service, or other resource is high on the list of must-haves, especially given the volume and velocity of cyberattacks in 2020 during the global pandemic.

Virtual Private Networks (VPNs) and Remote Desktop services used to support work-from-home models are a playground for adversaries: they are exposed to the Internet precisely in order to provide remote access, and their maintenance is often neglected. Remember: an attacker needs only one unpatched, Internet-facing service to get in.

Third-party Privileged Access Management (PAM) services are frequently hosted on-premises or as a VM on Infrastructure as a Service (IaaS), and it has been proven over and over that a single compromised credential may allow attackers to reach services and entire systems remotely and cause havoc, including shutting operations down.

Attackers can impersonate a device identity and defeat Zero Trust mechanisms where a device is required for authentication, or use a compromised device to gather intelligence. They can steal account credentials and elevate privileges on the way to their ultimate goal, infiltrating quietly before conducting a second- or even third-stage attack.

PAM solutions often store the credentials for privileged accounts, and when those solutions are weak or weakly implemented, they ironically become the most lucrative targets, given that they hold the keys to the very data and systems privileged administrators are charged to protect.

Microsoft considers intermediaries as a link in the Zero Trust chain, "that presents an interface to users/devices and then enables access to the next interface. The security controls must address inbound connections, security of the intermediary device/application/service itself, and (if applicable) provide Zero Trust security signals for the next interface."

We asked Ali Gomulu, Solutions Architect at Ironsphere, a digital access management security company, about the integration of an intermediary or PAM provider, and he noted that "Modern PAM solutions are designed to increase security assurances for sensitive accounts that would be covered by specialized or privileged profiles, mainly senior IT administrators. Security is, of course, essential, but it is the simplification and automation within a Zero Trust approach that makes it operationally possible to manage intermediary services when protecting Microsoft servers."

Ironsphere ensures control and protection of Microsoft servers, with privileged access security capabilities based on a man-in-the-middle architecture to prevent credential theft of super-user accounts.

"Data in motion is a high-value target for professional cyber attackers," Gomulu said. "Man-in-the-middle cyberattacks allow attackers to secretly intercept communications, but with the right software, they can be prevented. Attackers use MitM attacks to steal login credentials or personal information, to steal secrets, to spy on operations, or to corrupt data. There are many flavors of these attacks, which is why it is imperative for enterprises using any Server OS to add the all-important intermediary layer."

Encryption in transit is the primary defense against MitM, but successful attackers today are more sophisticated than ever. They redirect traffic to phishing sites designed to look legitimate, or record a session and pass it on unchanged to its intended destination, so nothing visibly breaks; this partially explains why enterprises often do not learn for months that they have been victimized. An attacker who silently observes, or who re-encrypts intercepted traffic toward its intended destination after recording or editing it, is difficult to spot.

"Direct access refers to the accidental or intentional access attempts from users' computers to remote hosts/servers directly, instead of going through an intermediary, like Ironsphere," Gomulu explained.

Privileged-user direct access can be managed in four different ways:

1. Changing the owner of the privileged credentials (from users to the platform)

2. Blocking direct access at the network level

3. Detecting and responding to direct access attempts

4. Deploying access control agents on hosts/servers

"These options can be used individually or combined in a single deployment," Gomulu said. "This decision will be primarily driven by the nature of the infrastructure and the desired level of control/security. Our recommended approach is to isolate all privileged sessions and establish them through an intermediary like ours, eliminating user direct access to remote hosts/servers. If an organization has special edge cases or exceptional use cases, where direct access of privileged users cannot be monitored or eliminated, Access Control Agents can be deployed as a complementary capability to centrally manage privileged user direct access."
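As an added example (not Ironsphere's or Microsoft's code), here is what option 3, detecting direct access attempts, looks like as a detection rule run over Windows Security logon events. It assumes the events have been exported as newline-delimited JSON using the 4624 event's own field names (TargetUserName, LogonType, IpAddress, Computer), that the sanctioned intermediaries live in an assumed 10.50.0.0/24 subnet, and that the privileged account names are known; the sample events and account names are constructed for the demonstration.

```python
import ipaddress
import json
from dataclasses import dataclass

# Windows logon types that mean the session was established over the
# network. Console (2), service (5) and cached (11) logons are left out:
# they are not "direct access to a remote host" in the article's sense.
NETWORK_LOGON_TYPES = {3, 8, 10}

# Constructed sample: NDJSON export of Security events using the 4624
# event's own field names. Not real log data.
SAMPLE_EVENTS = """
{"EventID": 4624, "Computer": "SQL01", "TargetUserName": "dba_admin", "LogonType": 10, "IpAddress": "10.50.0.10"}
{"EventID": 4624, "Computer": "SQL01", "TargetUserName": "dba_admin", "LogonType": 10, "IpAddress": "192.168.7.23"}
{"EventID": 4624, "Computer": "FS02", "TargetUserName": "jsmith", "LogonType": 3, "IpAddress": "192.168.7.23"}
{"EventID": 4624, "Computer": "FS02", "TargetUserName": "svc_backup", "LogonType": 2, "IpAddress": "-"}
{"EventID": 4625, "Computer": "FS02", "TargetUserName": "svc_backup", "LogonType": 3, "IpAddress": "192.168.9.4"}
{"EventID": 4624, "Computer": "FS02", "TargetUserName": "SVC_BACKUP", "LogonType": 3, "IpAddress": "192.168.9.4"}
"""

PRIVILEGED_ACCOUNTS = {"dba_admin", "svc_backup"}   # assumed privileged profiles
INTERMEDIARY_NETWORKS = ["10.50.0.0/24"]            # assumed PAM / jump-host subnet


@dataclass(frozen=True)
class Finding:
    computer: str
    user: str
    source_ip: str
    logon_type: int


def parse_events(raw):
    """Parse an NDJSON export into a list of event dicts."""
    return [json.loads(line) for line in raw.splitlines() if line.strip()]


def from_intermediary(ip, networks):
    """True when ip falls inside one of the sanctioned intermediary networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:            # "-" or malformed: not a sanctioned source
        return False
    return any(addr in net for net in networks)


def detect_direct_access(events, privileged_accounts, intermediary_networks):
    """Return a Finding for every successful network logon by a privileged
    account whose source address is not a sanctioned intermediary."""
    networks = [ipaddress.ip_network(n) for n in intermediary_networks]
    privileged = {a.lower() for a in privileged_accounts}
    findings = []
    for ev in events:
        if ev.get("EventID") != 4624:
            continue                        # only successful logons
        logon_type = int(ev.get("LogonType", 0))
        if logon_type not in NETWORK_LOGON_TYPES:
            continue                        # console/service/cached logon
        user = ev.get("TargetUserName", "")
        if user.lower() not in privileged:
            continue                        # ordinary user, out of scope
        src = ev.get("IpAddress", "-")
        if src in ("-", "127.0.0.1", "::1"):
            continue                        # local origin, not remote access
        if from_intermediary(src, networks):
            continue                        # came through the PAM proxy
        findings.append(Finding(ev.get("Computer", "?"), user, src, logon_type))
    return findings


def run_sample():
    """Apply the detection to the constructed sample; returns the findings."""
    return detect_direct_access(parse_events(SAMPLE_EVENTS),
                                PRIVILEGED_ACCOUNTS, INTERMEDIARY_NETWORKS)


if __name__ == "__main__":
    for f in run_sample():
        print(f"DIRECT ACCESS: {f.user} -> {f.computer} from {f.source_ip} "
              f"(logon type {f.logon_type})")
```

On the sample, the RDP logon from the jump host is accepted, the console logon and the failed logon are ignored, and the two privileged sessions coming straight from workstation subnets are reported. In a real deployment the intermediary allowlist and the privileged-account set should be fed from the PAM platform's own inventory rather than hard-coded, and each finding is the trigger for the response side of option 3 (terminate the session, or fall back to option 2 or 4 for the host involved).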

Gomulu is seeing tremendous demand as more digital services are expanding, and remote working has risen to a new level. "While we are seeing a very bright light at the end of the COVID-19 tunnel, we are also seeing higher percentages of employees working full time from home or at least a few days a week from home. Whatever the mix, it is essential that every device be protected, and a Zero Trust approach, with Zero Touch features – meaning much more automation and intelligence – is a must-have."

Edited by Maurice Nagle