How to ensure Windows Server is GDPR-compliant

May 14, 2019 by Daniel Dimov

Introduction

The General Data Protection Regulation (GDPR), an EU law regulating the processing of personal data, came into force on May 25th, 2018. Organizations that breach the GDPR may be subject to fines of up to 20 million euros or 4% of their annual global turnover. Given the importance of the GDPR and the severity of its sanctions, Microsoft has put forth new efforts to ensure compliance with the new law.

According to Brad Smith, Microsoft's president, Microsoft used the services of more than 1,600 of its engineers to meet the requirements of the GDPR. The result of this hard work is a comprehensive portfolio of tools helping individuals and organizations to adhere to the GDPR.

In this article, we focus only on tools for Windows Server. These tools fall into two broad categories: tools that help meet the GDPR’s requirement to implement adequate information security measures, and tools that help meet the GDPR’s requirement to notify personal data breaches to the data protection authorities.

Implementing adequate information security measures

Below, we’ll briefly examine eleven tools that can be regarded as adequate information security measures within the meaning of the GDPR: Control Flow Guard, distributed network firewall relying on software-defined networking, enhanced security auditing, Host Guardian service, Just-in-Time Admin (JIT) and Just Enough Admin (JEA), Shielded Virtual Machines, Virtual Machine Trusted Platform Module, Windows Defender Antivirus, Windows Defender Credential Guard, Windows Defender Device Guard and Windows Defender Remote Credential Guard.

Control Flow Guard

Control Flow Guard mitigates jump-oriented programming (JOP) attacks by restricting where application code is allowed to transfer control. JOP attacks subvert jumps and other control-flow instructions so that the program jumps to a location chosen by the attacker.

Distributed network firewall relying on software-defined networking

The software-defined networking (SDN) in Windows Server 2016 includes a distributed network firewall, allowing system administrators to create and implement security policies protecting applications from internal and external attacks.

The distributed network firewall can be used for isolating applications in a network. For example, system administrators may decide to isolate an application from the Internet, thus reducing the chance of an external attack on that application.

Enhanced security auditing

Windows Server 2016 allows system administrators to audit information from various security tools (e.g., Control Flow Guard and Windows Defender Device Guard). The “Audit Group Membership” setting records the group membership information in a user’s logon token, while “Audit PnP Activity” lets security administrators audit cases where external devices, which may carry malware, are connected to a system.
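As an added example (not from the article), the two audit settings named above can be enabled with auditpol and the resulting Security-log events read back with Get-WinEvent. Event IDs 4627 (group membership of a new logon) and 6416 (new external device recognized) and the 6416 field names are as documented for Windows Server 2016; the 24-hour window and the 20-event limit are arbitrary choices. Run from an elevated prompt.

```powershell
# Enable success auditing for the subcategories behind the Group Policy settings
# "Audit Group Membership" and "Audit PnP Activity". The names used here are the
# auditpol subcategory names (see: auditpol /list /subcategory:*).
auditpol /set /subcategory:"Group Membership" /success:enable
auditpol /set /subcategory:"Plug and Play Events" /success:enable

# Confirm the effective policy for both subcategories
auditpol /get /subcategory:"Group Membership","Plug and Play Events"

# 4627 = group membership information for a new logon token
# 6416 = a new external device was recognized by the system
$filter = @{ LogName = 'Security'; Id = 4627, 6416; StartTime = (Get-Date).AddHours(-24) }
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize

# For 6416, pull the device description and class out of the event XML so a
# reviewer can see what was plugged in without reading the full message text
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6416 } -MaxEvents 20 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $data = ([xml]$_.ToXml()).Event.EventData.Data
        [pscustomobject]@{
            Time   = $_.TimeCreated
            Device = ($data | Where-Object Name -eq 'DeviceDescription').'#text'
            Class  = ($data | Where-Object Name -eq 'ClassName').'#text'
        }
    }
```

If no 6416 events appear, check that the subcategory is enabled (the first auditpol /get line) and that a removable device has actually been connected since it was enabled.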

Host Guardian service

The main task of the Host Guardian service is to evaluate the status of a Hyper-V host prior to enabling a Shielded Virtual Machine to migrate to that host or to boot. Hyper-V is a hypervisor that is able to create virtual machines on x86-64 Windows systems.

Just-in-Time Admin (JIT) and Just Enough Admin (JEA)

Strong passwords alone do not provide sufficient protection against cyberattacks, because attackers may use social engineering techniques to obtain them. Also, former or current employees may intentionally or unintentionally disclose passwords to third parties, putting their employers’ systems at risk. Just-in-Time Admin (JIT) and Just Enough Admin (JEA) let administrators request specific privileges for a specific period of time, so that once the privileges are no longer needed they cannot be used by malicious parties.
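The following is an added example, not code from the article, of a minimal JEA endpoint: members of a helpdesk group can list services, restart one named service and read event logs, and nothing else, with every session transcribed. The module name HelpdeskJea, the group CONTOSO\HelpdeskOps, the Spooler service and the transcript directory are placeholders; it assumes an elevated prompt on Windows Server 2016 or later.

```powershell
# Role capability files must live in a module's RoleCapabilities folder so JEA can find them
$moduleRoot = Join-Path $env:ProgramFiles 'WindowsPowerShell\Modules\HelpdeskJea'
$rcDir      = Join-Path $moduleRoot 'RoleCapabilities'
New-Item -ItemType Directory -Path $rcDir -Force | Out-Null
New-ModuleManifest -Path (Join-Path $moduleRoot 'HelpdeskJea.psd1')

# Role capability: only the listed cmdlets are visible inside the session, and
# Restart-Service is further restricted to the Spooler service via ValidateSet
New-PSRoleCapabilityFile -Path (Join-Path $rcDir 'HelpdeskOps.psrc') `
    -VisibleCmdlets @(
        'Get-Service',
        @{ Name = 'Restart-Service'; Parameters = @{ Name = 'Name'; ValidateSet = 'Spooler' } },
        @{ Name = 'Get-WinEvent';    Parameters = @{ Name = 'LogName' }, @{ Name = 'MaxEvents' } }
    )

# Session configuration: RestrictedRemoteServer removes interactive shell features,
# RunAsVirtualAccount runs commands under a temporary account that exists only for
# the session's lifetime (so no standing privilege is granted to the user), and
# TranscriptDirectory records every session for audit
$pssc = Join-Path $moduleRoot 'HelpdeskOps.pssc'
New-PSSessionConfigurationFile -Path $pssc `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory 'C:\JeaTranscripts' `
    -RoleDefinitions @{ 'CONTOSO\HelpdeskOps' = @{ RoleCapabilities = 'HelpdeskOps' } }

# Validate the file before registering it; a malformed file only fails at connect time otherwise
if (-not (Test-PSSessionConfigurationFile -Path $pssc)) { throw 'Invalid session configuration file' }

# Registering the endpoint restarts the WinRM service
Register-PSSessionConfiguration -Name 'HelpdeskOps' -Path $pssc -Force | Out-Null

# A helpdesk member then connects to the constrained endpoint. Inside it, Get-Command
# lists only the role's cmdlets, and Restart-Service -Name W32Time is rejected:
# Enter-PSSession -ComputerName localhost -ConfigurationName HelpdeskOps
```

Pairing the endpoint with a time-limited group membership (the JIT side) is a separate step; the session configuration above only constrains what can be done once connected.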

Shielded Virtual Machines

Windows Server 2016 includes the Shielded Virtual Machines functionality, which makes sure that virtual machines operate on trusted hosts. The Shielded Virtual Machines functionality is based on Generation 2 Virtual Machines which offer performance improvements (e.g., faster boot-ups) over the previous virtual machine format.

Virtual Machine Trusted Platform Module

The Trusted Platform Module (TPM) supported by Windows Server 2016 enables system administrators to support powerful security technologies (e.g., BitLocker® Drive Encryption) on virtual machines.

Windows Defender Antivirus

Windows Defender Antivirus (AV) is the antivirus functionality of Windows Server 2016 and works alongside Control Flow Guard and Windows Defender Device Guard. It is enabled automatically; the administrator does not need to activate it manually.

Windows Defender Credential Guard

Windows Defender Credential Guard isolates credential information and prevents the interception of such information. Windows Defender Credential Guard relies on virtualization-based security, secure boot and a Trusted Platform Module (TPM) 2.0.

Windows Defender Device Guard

Windows Defender Device Guard ensures the execution of trusted software only. If there is an attempt to execute software that is not trusted, Windows Defender Device Guard will block it and log the unsuccessful attempt. This allows security administrators to investigate the potential security breach.

Windows Defender Remote Credential Guard

Windows Defender Remote Credential Guard protects the credentials of users who connect over Remote Desktop. More specifically, it provides single sign-on for Remote Desktop sessions, so users do not need to re-enter their usernames and passwords.

Notifying the data protection authorities of personal data breaches

GDPR obliges entities responsible for processing personal data to inform data protection authorities about personal data breaches without undue delay and, where feasible, no later than 72 hours after having become aware of them. This obligation does not apply to cases where the personal data breaches are unlikely to pose risks to the rights and freedoms of individuals. Any notifications made after the expiration of the aforementioned 72-hour time period should be accompanied by an explanation of the reasons for the delay.

Windows Server includes tools that help organizations to detect security breaches, enabling them to comply with the GDPR’s breach notification obligations. Below, we discuss three such tools: Intelligent Security Graph, Windows Defender Advanced Threat Protection (ATP) and Microsoft Advanced Threat Analytics (ATA).

Intelligent Security Graph

Microsoft collects intelligence from billions of data points, including but not limited to 1 billion customers in both business and consumer segments, 14 billion daily authentications and 35 billion messages scanned on a monthly basis. All this information is presented to users of the Intelligent Security Graph (a part of Microsoft Graph) in an easy-to-understand way. Microsoft Graph is a developer platform connecting multiple devices and services.

By providing users of Windows Server with threat intelligence through the Intelligent Security Graph, Microsoft ensures that they will be able to quickly identify security threats and, if necessary, report them to the data protection authorities in accordance with the GDPR.

Windows Defender Advanced Threat Protection

Windows Defender Advanced Threat Protection (ATP) allows users of Windows Server to detect, investigate and respond to sophisticated attacks. It is a cloud-powered solution that requires no additional deployments or infrastructure. Furthermore, Windows Defender ATP exchanges signals with the Microsoft Intelligent Security Graph. Thus, organizations that want to comply with the GDPR can use Windows Defender ATP to quickly identify, examine and address data breaches.

Microsoft Advanced Threat Analytics (ATA)

Microsoft ATA is a security product that captures and parses network traffic and builds behavior profiles of users and other entities. These profiles surface security issues: for example, Microsoft ATA enables security administrators to detect password sharing and anomalous logins, helping them discover security threats and comply with the GDPR’s data breach notification obligations.

Conclusion

Open-source software (e.g., Linux) is considered by many to be more secure than proprietary software due to its flexibility, transparency and interoperability. This means that many security administrators believe open-source software to be better suited for ensuring GDPR compliance. However, Microsoft has made its Windows Server operating systems competitive with open-source software by implementing a large number of advanced functionalities, allowing security administrators to protect the personal data of their clients and quickly discover information security breaches.

Daniel Dimov

Dr. Daniel Dimov is the founder of Dimov Internet Law Consulting (www.dimov.pro), a legal consultancy based in Belgium. Daniel is a fellow of the Internet Corporation for Assigned Names and Numbers (ICANN) and the Internet Society (ISOC). He did traineeships with the European Commission (Brussels), European Digital Rights (Brussels), and the Institute for EU and International law “T.M.C. Asser Institute” (The Hague). Daniel received a Ph.D. in law from the Center for Law in the Information Society at Leiden University, the Netherlands. He has a Master's Degree in European law (The Netherlands), a Master's Degree in Bulgarian Law (Bulgaria), and a certificate in Public International Law from The Hague Academy of International law.