As cyber threats become increasingly sophisticated and the consequences of incidents more devastating, ensuring the security of network infrastructure is paramount. Microsoft offers a cutting-edge solution in the form of the Windows Server 2025 Standard operating system, which includes a comprehensive suite of advanced security features.
New Active Directory Capabilities in Windows Server 2025
The Active Directory service has received several important security updates. By default, all LDAP connections are now encrypted, providing robust protection for confidential object attributes against interception. The Kerberos authentication protocol now supports stronger encryption and signature algorithms, such as AES, SHA256, and SHA384.
Additionally, password policies for Active Directory machine accounts have been strengthened:
- Strong passwords are randomly generated by default;
- The ability to reset a machine account password to its default value is blocked;
- Outdated, insecure password change methods via SAM RPC are disabled on domain controllers.
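To confirm that a domain controller actually enforces the LDAP and Kerberos hardening described above, the following PowerShell audit script is added here as an example (it is not part of the article and not Microsoft code). It reads the documented NTDS registry values for LDAP signing and channel binding and lists computer accounts whose `msDS-SupportedEncryptionTypes` attribute still permits RC4 or is unset; the registry value names, the meaning of value 2 and the encryption-type bit flags are taken from the NTDS and Kerberos documentation and should be checked against your version.

```powershell
# Added example (not from the article): audit LDAP signing / channel binding on a DC
# and list computer accounts whose Kerberos encryption types still allow RC4.
# Run as a domain administrator on a domain controller with the AD module installed.
# Assumptions: LDAPServerIntegrity 2 = signing required; LdapEnforceChannelBinding 2 = always required.
Import-Module ActiveDirectory

$ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$ldapSigning = (Get-ItemProperty -Path $ntds -Name LDAPServerIntegrity -ErrorAction SilentlyContinue).LDAPServerIntegrity
$channelBind = (Get-ItemProperty -Path $ntds -Name LdapEnforceChannelBinding -ErrorAction SilentlyContinue).LdapEnforceChannelBinding

[pscustomobject]@{
    LDAPServerIntegrity       = $ldapSigning   # 2 = LDAP signing required
    LdapEnforceChannelBinding = $channelBind   # 2 = channel binding always required
} | Format-List

# msDS-SupportedEncryptionTypes bit flags: 0x4 = RC4, 0x8 = AES128, 0x10 = AES256.
# A null attribute means "not set"; treat it as needing review, since the legacy default allowed RC4.
$RC4 = 0x4
$AES = 0x8 -bor 0x10

Get-ADComputer -Filter * -Properties msDS-SupportedEncryptionTypes |
    ForEach-Object {
        $etypes = $_.'msDS-SupportedEncryptionTypes'
        [pscustomobject]@{
            Name      = $_.Name
            Etypes    = $etypes
            AllowsRC4 = ($null -eq $etypes) -or (($etypes -band $RC4) -ne 0)
            HasAES    = ($null -ne $etypes) -and (($etypes -band $AES) -ne 0)
        }
    } |
    Where-Object AllowsRC4 |
    Sort-Object Name |
    Format-Table -AutoSize
```

Accounts listed by the second query are the ones to migrate to AES-only encryption types before RC4 is disabled domain-wide.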
Improvements in the SMB Protocol
The Server Message Block (SMB) protocol, widely used for providing access to file resources and printers in Windows networks, has also undergone significant security enhancements in Windows Server 2025.
Group Policies for Encryption and Digital Signatures
- Mandatory encryption and signatures: Administrators can centrally require mandatory encryption and digital signatures for all SMB traffic.
- Security benefits: This ensures that data transmitted over the network using SMB is securely protected against interception, modification, and impersonation.
- Auditing tools: Windows Server 2025 provides tools to record access attempts by clients and servers that do not support SMB encryption and signing, facilitating monitoring and identification of non-compliant systems.
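The settings in this list can be applied locally before they are rolled out through Group Policy. The script below is an added example, not from the article or from Microsoft, that requires signing and encryption on both the SMB server and client stack of a Windows Server 2025 host, enables the audit for peers that cannot comply, verifies the effective configuration and reads the audit channel. The `AuditClientDoesNotSupportEncryption` and `AuditClientDoesNotSupportSigning` parameters and the `Microsoft-Windows-SMBServer/Audit` log name are assumed to exist as documented for this release.

```powershell
# Added example (not from the article): enforce SMB signing and encryption on this host,
# audit clients that cannot comply, then review the audit log. Run from an elevated prompt.
Import-Module SmbShare

# Server side: require signing and encryption for every session and reject unencrypted access.
Set-SmbServerConfiguration -RequireSecuritySignature $true `
                           -EncryptData $true `
                           -RejectUnencryptedAccess $true `
                           -Confirm:$false

# Record clients that could not meet the requirement (parameter names assumed per the 2025 documentation).
Set-SmbServerConfiguration -AuditClientDoesNotSupportEncryption $true `
                           -AuditClientDoesNotSupportSigning $true `
                           -Confirm:$false

# Client side: refuse to talk to servers that do not sign or encrypt.
Set-SmbClientConfiguration -RequireSecuritySignature $true `
                           -RequireEncryption $true `
                           -Confirm:$false

# Verify the effective settings.
Get-SmbServerConfiguration | Select-Object RequireSecuritySignature, EncryptData, RejectUnencryptedAccess
Get-SmbClientConfiguration | Select-Object RequireSecuritySignature, RequireEncryption

# Audit events from the SMB server audit channel for the last 24 hours (log name assumed).
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-SMBServer/Audit'
    StartTime = (Get-Date).AddDays(-1)
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message |
    Format-Table -Wrap
```

Running the audit step for a few days before switching on `RejectUnencryptedAccess` shows which clients will break, so they can be upgraded rather than discovered through an outage.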
Integration with the QUIC Transport Protocol
- Secure file transfer: The SMB protocol now integrates with the QUIC transport protocol, which runs over UDP.
- Port 443 usage: This enables secure and low-latency file transfer over the internet using port 443.
- Hybrid and distributed environments: This significantly simplifies access to file resources in hybrid and distributed environments.
- Preserved advantages: Maintains benefits such as resumable transfer, deduplication, and caching, with added security through encryption at the transport layer.
Firewall-Based Client Access Control Mechanism
- Access control policies: Administrators can configure policies to restrict the ability to connect to file shares and printers from specific subnets, segments, or external networks.
- Unauthorized access prevention: Helps prevent unauthorized access to sensitive data from outside the organization’s security perimeter.
Blocking of Outdated Authentication Schemes
- NTLM authentication scheme: Windows Server 2025 allows for the complete blocking of the use of outdated and insecure NTLM authentication schemes on SMB clients.
- Modern protocols recommendation: Microsoft recommends using modern protocols such as Kerberos or OAuth, which provide higher security and resilience against network-level attacks.
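The firewall-based access control and the NTLM block from the two lists above can be configured together on a file server. The following PowerShell is an added example, not the article's or Microsoft's own code: it disables the broad built-in inbound file-sharing rules, adds an allow rule for TCP 445 scoped to a single subnet, confirms that the default inbound action is Block, and then turns on NTLM blocking for the SMB client. The subnet and share path are constructed placeholders; the `File and Printer Sharing` display group name and the `BlockNTLM` parameter are assumed to match the English-language build of Windows Server 2025.

```powershell
# Added example (not from the article): limit inbound SMB to one subnet and block NTLM on the SMB client.
# Run from an elevated prompt on the file server.
$AllowedSubnet = '10.20.0.0/24'   # constructed example value; replace with your management or client subnet

# Windows Firewall evaluates block rules before allow rules, so a scoped design relies on the
# profile's default inbound action (Block) rather than on an explicit "block everything else" rule.
# Step 1: disable the built-in inbound file-sharing rules that allow any remote address.
Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' } |
    Disable-NetFirewallRule

# Step 2: allow TCP 445 only from the approved subnet, on the domain profile.
New-NetFirewallRule -DisplayName 'SMB-In (approved subnet only)' `
    -Direction Inbound -Protocol TCP -LocalPort 445 `
    -RemoteAddress $AllowedSubnet -Action Allow -Profile Domain | Out-Null

# Step 3: confirm every profile drops unsolicited inbound traffic by default.
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction

# Step 4: refuse NTLM for outbound SMB connections from this host (Kerberos only).
# The -BlockNTLM parameter is assumed to exist as documented for Windows Server 2025.
Set-SmbClientConfiguration -BlockNTLM $true -Confirm:$false
Get-SmbClientConfiguration | Select-Object BlockNTLM

# Existing connections show whether they are signed and encrypted and which dialect they negotiated.
Get-SmbConnection | Select-Object ServerName, ShareName, Dialect, Signed, Encrypted
```

If a legacy share still needs NTLM during migration, keep the host-wide block and map that one share explicitly with `New-SmbMapping` so the exception is visible in configuration rather than silently negotiated.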
The combination of these improvements enables robust protection of file resources and prevents many common attack vectors associated with misconfiguration or the use of insecure authentication and data transfer protocols.
Credential Guard and Key Protection through Virtualization (VBS)
Starting with Windows Server 2025, Credential Guard technology is enabled by default on systems that support hardware virtualization. It protects user credentials and other secrets from theft by isolating them in a secure memory partition using the hypervisor.
Virtualization is also used to protect cryptographic keys through the VBS Key Protection feature. Keys never leave the isolated VBS environment, and operations with them are performed without exposing the keys themselves. In addition, the private part of the key is encrypted using the TPM, which binds it to a specific device.
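Because Credential Guard is only "on by default" where the hardware supports it, a defender should verify that it is actually running rather than merely configured. The PowerShell below is an added example (not from the article or from Microsoft) that queries the `Win32_DeviceGuard` CIM class and the TPM; the status and service code meanings in the comments come from the Device Guard WMI documentation.

```powershell
# Added example (not from the article): report whether VBS, Credential Guard and HVCI are running,
# and whether a ready TPM is present to bind VBS-protected keys to this device.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard

# Win32_DeviceGuard codes: VirtualizationBasedSecurityStatus 2 = running;
# SecurityServicesRunning contains 1 = Credential Guard, 2 = HVCI (memory integrity).
$vbsRunning  = $dg.VirtualizationBasedSecurityStatus -eq 2
$cgRunning   = $dg.SecurityServicesRunning -contains 1
$hvciRunning = $dg.SecurityServicesRunning -contains 2

# Get-Tpm comes from the built-in TrustedPlatformModule module.
$tpm = Get-Tpm

[pscustomobject]@{
    VbsRunning                 = $vbsRunning
    CredentialGuardConfigured  = $dg.SecurityServicesConfigured -contains 1
    CredentialGuardRunning     = $cgRunning
    HvciRunning                = $hvciRunning
    TpmPresentAndReady         = ($tpm.TpmPresent -and $tpm.TpmReady)
    RequiredSecurityProperties = ($dg.RequiredSecurityProperties -join ',')
} | Format-List

if (-not $cgRunning) {
    Write-Warning 'Credential Guard is configured but not running, or not configured at all: check that virtualization extensions and Secure Boot are enabled in firmware and that no policy excludes this host.'
}
```

The distinction between `SecurityServicesConfigured` and `SecurityServicesRunning` is the one that matters for an audit: a host can carry the policy yet fall back to an unprotected LSASS when the hypervisor cannot start.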
Improvements in Windows LAPS
Microsoft’s solution for managing local administrator passwords, Windows LAPS, has received significant improvements. It now supports fully automated management of local accounts, including creation, renaming, enabling, and disabling.
The PostAuthenticationActions functionality has been expanded with the option to terminate all remaining processes after changing the local administrator password and logging out of the system.
This eliminates the possibility of access using a previously compromised password.
Furthermore, dictionaries can now be used to generate passwords and passphrases for local administrators. These allow for the creation of easily readable and memorable yet sufficiently strong secrets.
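To check how these Windows LAPS options are applied on a managed server, and to act on a managed account during an incident, the PowerShell below is added as an example; it is not from the article and not Microsoft code. It reads the effective policy values under the LAPS policy registry key, retrieves the current managed password from Active Directory and expires it so the next policy cycle rotates it. The registry value names, the `PostAuthenticationActions` and `PasswordComplexity` mappings in the comments are assumptions taken from the LAPS policy reference and should be confirmed against the documentation for your build; the computer name is a constructed placeholder.

```powershell
# Added example (not from the article): inspect the effective Windows LAPS policy and
# retrieve / expire the managed local administrator password for one server.
# Assumptions: policy values live under HKLM:\Software\Microsoft\Policies\LAPS; the value
# mappings in the comments follow the LAPS policy reference and must be verified per build.
$LapsPolicy = 'HKLM:\Software\Microsoft\Policies\LAPS'
$p = Get-ItemProperty -Path $LapsPolicy -ErrorAction SilentlyContinue

# Assumed mapping; 11 is the option described in the article that also terminates remaining processes.
$actionMap = @{
    0  = 'Disabled'
    1  = 'Reset password'
    3  = 'Reset password and log off'
    5  = 'Reset password and reboot'
    11 = 'Reset password, log off, terminate remaining processes'
}

[pscustomobject]@{
    BackupDirectory              = $p.BackupDirectory                # assumed: 2 = Active Directory, 1 = Entra ID
    PasswordComplexity           = $p.PasswordComplexity             # assumed: 6-8 = word-list based passphrase modes
    PassphraseLength             = $p.PassphraseLength               # number of words in a generated passphrase
    PostAuthenticationActions    = $actionMap[[int]$p.PostAuthenticationActions]
    PostAuthenticationResetDelay = $p.PostAuthenticationResetDelay   # hours after authentication before the action fires
    AutomaticAccountManagement   = $p.AutomaticAccountManagementEnabled   # assumed value name
} | Format-List

# Read the managed password for a server (requires read rights on the LAPS attributes).
Import-Module LAPS
$pw = Get-LapsADPassword -Identity 'SRV-FILE01' -AsPlainText   # constructed computer name
$pw | Select-Object ComputerName, Account, ExpirationTimestamp, Source

# After the password has been used (or exposed), expire it now so the next policy cycle rotates it.
Set-LapsADPasswordExpirationTime -Identity 'SRV-FILE01'
```

Pairing the expiration step with the post-authentication action gives the behaviour the article describes: the password is replaced and any session or process still using the old secret is ended.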
Other Security Innovations
The updated Windows Defender in the 2025 edition offers enhanced threat detection and response capabilities. New security policies and compliance templates have been introduced, facilitating the configuration of the operating system in accordance with standards and best practices.
Windows Server 2025 integrates closely with other Microsoft security products and services. This allows for detecting suspicious activity using Microsoft Defender for Identity, quickly responding to incidents through Microsoft Sentinel, and applying unified policies using Microsoft Intune.
Conclusion
Windows Server 2025 is a powerful platform for building a reliable and secure network infrastructure. Numerous security improvements in areas such as Active Directory, SMB, credential protection, and local administrator management enable effective defense against modern cyber threats.
However, simply installing Windows Server 2025 is not sufficient to ensure truly robust protection. A comprehensive approach is required, combining the use of modern security tools, security event monitoring, user training, and continuous improvement of applied measures and policies.