<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Microsoft Archives - InfoTech Ninja</title>
	<atom:link href="https://infotechninja.com/tag/microsoft/feed/" rel="self" type="application/rss+xml" />
	<link>https://infotechninja.com/tag/microsoft/</link>
	<description></description>
	<lastBuildDate>Tue, 17 Mar 2026 00:00:00 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	<generator>https://wordpress.org/?v=6.9.4</generator>
	<item>
		<title>Microsoft Defender for Cloud: Moving Beyond the Dashboard</title>
		<link>https://infotechninja.com/microsoft-defender-cloud/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=microsoft-defender-cloud</link>
		
		<dc:creator><![CDATA[Morris James]]></dc:creator>
		<pubDate>Tue, 17 Mar 2026 00:00:00 +0000</pubDate>
				<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Azure]]></category>
		<category><![CDATA[CloudSecurity]]></category>
		<category><![CDATA[Defender]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[SecureScore]]></category>
		<guid isPermaLink="false">https://infotechninja.com/?p=8</guid>

					<description><![CDATA[<p>Microsoft Defender for Cloud gives you a unified security management and threat protection platform for Azure, hybrid, and multi-cloud workloads. Most organizations enable it, glance at the Secure Score, and leave most of the value on the table.</p>
<p>The post <a href="https://infotechninja.com/microsoft-defender-cloud/">Microsoft Defender for Cloud: Moving Beyond the Dashboard</a> appeared first on <a href="https://infotechninja.com">InfoTech Ninja</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p class="entry-lead">Microsoft Defender for Cloud (formerly Azure Security Center and Azure Defender) gives you a unified security management and threat protection platform for Azure, hybrid, and multi-cloud workloads. Most organizations enable it, glance at the Secure Score dashboard, and then leave most of the value on the table. Here&#8217;s how to actually use it.</p>
<h2>The Secure Score Trap</h2>
<p>Secure Score is a useful starting point — it measures your security posture against Microsoft&#8217;s recommendations and gives a percentage that&#8217;s easy for leadership to latch onto. The problem is that it&#8217;s a compliance checklist, not a threat model. A subscription can have a 90% Secure Score and still have misconfigured network security groups, overprivileged managed identities, or unmonitored storage accounts full of sensitive data. Score gaming is easy; genuine security improvement takes more work.</p>
<p>Use Secure Score as a prioritization tool, not a goal. Filter recommendations by severity and impact. Focus on &#8220;High&#8221; severity findings first — these represent genuine attack vectors, not stylistic preferences. Pay particular attention to the Identity and Access recommendations: disabling legacy authentication protocols, enabling MFA for all users, and removing unused service principals are consistently high-impact, low-complexity wins that significantly reduce your real attack surface.</p>
<h2>Workload Protections That Actually Matter</h2>
<p>Defender for Cloud&#8217;s paid Workload Protection Plans extend protection to specific resource types: servers (via Defender for Servers), SQL databases, Kubernetes clusters, App Service, Storage accounts, Key Vault, and more. Defender for Servers is often the highest-value plan — it enables just-in-time VM access, adaptive application controls, file integrity monitoring, and integrates with Microsoft Defender for Endpoint for EDR capability on Azure VMs.</p>
<p>Defender for Storage is frequently overlooked but deserves attention. It monitors blob, file, and queue storage for anomalous access patterns — things like unusual geographic access, access from Tor exit nodes, or malware uploads detected via hash reputation. Defender for Key Vault detects unusual access patterns to your secrets, keys, and certificates and can alert on potentially compromised service principals trying to exfiltrate credentials.</p>
<h2>Just-in-Time VM Access</h2>
<p>Just-in-time (JIT) VM access is one of Defender for Cloud&#8217;s most practically useful features. Instead of leaving RDP (port 3389) or SSH (port 22) open to the internet or your entire corporate network, JIT locks down management ports and only opens them on demand for a specific source IP and time window. The access request goes through Azure RBAC, creates an NSG rule, and automatically reverts after the time window expires. This dramatically reduces your exposure to brute-force and credential stuffing attacks.</p>
<p>Enabling JIT is straightforward from the Defender for Cloud portal or via the Azure CLI. For organizations managing many VMs, you can deploy JIT policy via Azure Policy to ensure all new VMs automatically get the protection. Note that JIT requires Defender for Servers Plan 2. The audit trail — who requested access, from where, and when — feeds into your SIEM via Azure Monitor, giving you a complete record of privileged management access.</p>
<pre><code># Enable JIT VM access with Az PowerShell (Set-AzJitNetworkAccessPolicy, Az.Security module)
# Requires Defender for Servers Plan 2

# Define the JIT policy for one VM (RDP on 3389, SSH on 22, access windows of at most 3 hours)
# Note: allowedSourceAddressPrefix "*" lets a requester name any source IP in the request;
# narrow it to your management ranges where you can.
$vmPolicy = @{
    id    = "/subscriptions/SUB-ID/resourceGroups/RG-NAME/providers/Microsoft.Compute/virtualMachines/VM-NAME"
    ports = @(
        @{ number = 3389; protocol = "TCP"; allowedSourceAddressPrefix = @("*"); maxRequestAccessDuration = "PT3H" },
        @{ number = 22;   protocol = "TCP"; allowedSourceAddressPrefix = @("*"); maxRequestAccessDuration = "PT3H" }
    )
}

# Create (or update) the policy. The policy name is "default" and LOCATION must be the VM's region.
Set-AzJitNetworkAccessPolicy -Kind "Basic" -Location "LOCATION" -Name "default" `
    -ResourceGroupName "RG-NAME" -VirtualMachine @($vmPolicy)

# Equivalent portal path: Defender for Cloud > Workload protections > Just-in-time VM access > Configure</code></pre>
<h2>Connecting Defender to Microsoft Sentinel</h2>
<p>Defender for Cloud&#8217;s alerts become significantly more powerful when correlated with other signals in Microsoft Sentinel. Enabling the Defender for Cloud data connector in Sentinel streams all alerts, security recommendations, and regulatory compliance assessments into Sentinel&#8217;s Log Analytics workspace. From there, Sentinel&#8217;s analytics rules can correlate a Defender alert with Azure AD sign-in anomalies, network flow data, and endpoint telemetry to surface attacks that span multiple signal types.</p>
<p>Sentinel&#8217;s playbooks (Azure Logic Apps) allow automated response to Defender alerts. A common workflow: when Defender detects a brute-force attack on a VM, a playbook automatically triggers JIT to revoke current access, posts a Teams notification to the security team, creates an incident in ServiceNow, and runs a diagnostic script on the VM to capture in-memory forensics. Building these automation chains transforms Defender from a passive alert system into an active response platform.</p>
]]></content:encoded>
					
		
		
		<post-id xmlns="com-wordpress:feed-additions:1">26</post-id>	</item>
		<item>
		<title>Windows Server 2022 Core Features Every Admin Needs to Know</title>
		<link>https://infotechninja.com/windows-server-2022-features/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=windows-server-2022-features</link>
		
		<dc:creator><![CDATA[Morris James]]></dc:creator>
		<pubDate>Tue, 27 Jan 2026 00:00:00 +0000</pubDate>
				<category><![CDATA[Systems Admin]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[SecuredCore]]></category>
		<category><![CDATA[SMB]]></category>
		<category><![CDATA[SysAdmin]]></category>
		<category><![CDATA[WindowsServer]]></category>
		<guid isPermaLink="false">https://infotechninja.com/?p=12</guid>

					<description><![CDATA[<p>Windows Server 2022 packs meaningful improvements in security, performance, and storage that justify attention from administrators still running 2019. Here's what actually matters for your environment.</p>
<p>The post <a href="https://infotechninja.com/windows-server-2022-features/">Windows Server 2022 Core Features Every Admin Needs to Know</a> appeared first on <a href="https://infotechninja.com">InfoTech Ninja</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p class="entry-lead">Windows Server 2022 isn&#8217;t a flashy release, but it packs meaningful improvements in security, performance, and storage that justify attention from administrators still running 2019. Understanding what changed — and what genuinely matters for your environment — helps you make an informed upgrade decision rather than defaulting to &#8220;if it ain&#8217;t broke.&#8221;</p>
<h2>Secured-Core Server: Hardware-Backed Security</h2>
<p>Secured-core server is Microsoft&#8217;s initiative to leverage modern hardware security features for defense against firmware attacks and privileged code execution. It builds on Dynamic Root of Trust for Measurement (DRTM), which uses the CPU&#8217;s built-in security features to establish a trusted boot measurement chain independently of firmware — making it significantly harder for bootkit malware to persist across reboots. Hypervisor-Protected Code Integrity (HVCI) runs the kernel code integrity checks inside an isolated environment that Virtualization-Based Security (VBS) creates with the hypervisor, so even a compromised kernel cannot tamper with them; this protects against kernel-mode rootkits.</p>
<p>Secured-core server requires compatible hardware — processors with DRTM support (Intel TXT or AMD SKINIT), UEFI firmware, TPM 2.0, and virtualization extensions. Most server hardware shipping in the last three to four years meets these requirements. For organizations running highly sensitive workloads — financial systems, healthcare data, government infrastructure — secured-core provides a meaningful hardware-backed security baseline that software controls alone cannot replicate.</p>
<h2>SMB Compression and AES-256 Encryption</h2>
<p>Windows Server 2022 introduces SMB compression, which compresses file data in transit between client and server. For workloads transferring compressible data (log files, databases during backup, Office documents) over high-latency or bandwidth-constrained links, compression can dramatically reduce transfer time and network utilization. It&#8217;s enabled per-share or globally via PowerShell, and negotiated dynamically between client and server — if either side doesn&#8217;t support it, the transfer falls back to uncompressed without error.</p>
<p>On the encryption side, Server 2022 adds AES-256-GCM and AES-256-CCM cipher suites for SMB 3.1.1 encryption. For environments with compliance requirements mandating 256-bit encryption for data in transit, this closes a gap without requiring a third-party file transfer solution. Enable it via PowerShell: <code>Set-SmbServerConfiguration -EncryptionCiphers AES_256_GCM</code>. Note that AES-256 does carry a higher CPU overhead than AES-128 — test performance in your environment before enforcing it cluster-wide.</p>
<h2>Storage Spaces Direct: What Changed?</h2>
<p>Storage Spaces Direct (S2D) in Server 2022 brings Nested Resiliency improvements and ReFS enhancements. Nested resiliency — first introduced in 2019 — allows two-node S2D clusters to survive a full node failure plus a drive failure simultaneously, which standard two-way mirroring cannot handle. Server 2022 expands nested resiliency support and adds better tooling for managing the resiliency tier.</p>
<p>ReFS (Resilient File System) improvements in 2022 include faster mirror-accelerated parity writes and improved block cloning performance — particularly relevant for Hyper-V environments where differencing disk operations and checkpoint handling benefit significantly. For administrators running S2D-based Hyper-V clusters, upgrading the cluster OS to 2022 can deliver measurable I/O improvements for checkpoint-heavy workloads without any hardware changes.</p>
<h2>Upgrade Decision: WS2019 to WS2022</h2>
<p>Windows Server 2019 reaches end of mainstream support in January 2024 and end of extended support in January 2029 — so there&#8217;s no immediate compliance pressure driving a 2022 upgrade if you&#8217;re still on 2019. The upgrade justification comes down to whether the specific 2022 capabilities address real gaps in your environment. If you&#8217;re running secured-core-capable hardware and handle sensitive data, the firmware-level security improvements are compelling. If you run large Hyper-V S2D clusters, the ReFS and nested resiliency improvements have direct operational value.</p>
<p>In-place upgrade from Server 2019 to 2022 is supported and generally smooth for standalone servers, though Microsoft and most practitioners recommend a fresh deployment with application migration for production workloads — particularly domain controllers and SQL servers. For Hyper-V clusters, a rolling cluster upgrade (upgrading nodes one at a time while VMs continue running on remaining nodes) works well and minimizes downtime. Test your applications and roles in a non-production environment before committing production systems to the upgrade.</p>
]]></content:encoded>
					
		
		
		<post-id xmlns="com-wordpress:feed-additions:1">30</post-id>	</item>
	</channel>
</rss>
