Security and Assurance

Security and compliance in datacenters, private cloud and hosting environments.

How can we help address your security and compliance needs in your server environment?

  • RDCMan doesn't expose an option for Restricted Admin

    This might not be the most optimal place for this request, but it somewhat fits and I can't seem to find anywhere more suitable, plus RDCMan is an official Microsoft tool...

    Remote Desktop Connection Manager (RDCMan) doesn't currently seem to expose the RDP Restricted Admin option.

    This feature is great for secure remote server administration when you can't use PowerShell remoting - many such cases still exist!

    It's probably not a huge task either, the GUI just needs a checkbox for the feature which is already implemented elsewhere.

    1 vote
    0 comments  ·  Authentication
    • Allow Windows Server 2016 to support disabling SMBv1 _and_ Server SPN target name validation

      https://social.technet.microsoft.com/Forums/windowsserver/en-US/d520f2d4-4847-403d-bab6-1b33251a761c/issue-disabling-smbv1-and-windows-server-2016?forum=winserversecurity
      On Server 2016, disabling (removing) SMBv1 and having Microsoft network server: Server SPN target name validation level = Required from client (2) are currently not “working together”, yet it works on the other Windows operating systems just fine.

      To recreate this:
      1) Test with a Domain-joined Windows Server 2016 box
      2) Remove-WindowsFeature FS-SMB1 on the Windows Server 2016 box
      3) GPO set or reghack on the Windows Server 2016 box: Server SPN target name validation level = Required from client (2)
      4) Reboot the Windows Server 2016

      Domain Admins are now unable to connect to the \\Server2016\C$ default share…

      2 votes
      0 comments  ·  Authentication
      • ADFS Management Console missing from RSAT

        As Windows Server 2016 Core no longer supports Minimal UI, I set up a management server for remote management. Installed all the management tools, but now there is no MMC for ADFS.

        4 votes
        1 comment  ·  Management tools
        • import-pfxcertificate needs to support legacy private key storage format

          When using Import-PFXCertificate to import PFXs that contain a private key, the private key appears to be stored using CNG "Microsoft Software Key Storage Provider" instead of the legacy format "Microsoft Enhanced Cryptographic Provider v1.0".

          Most Microsoft products can't read this format.

          The PS-Drive Provider "Certificate" can't even read keys in this format.

          It would be helpful to update the cmdlet to support CNG, however, as pointed out in this article: https://www.sysadmins.lv/blog-en/retrieve-cng-key-container-name-and-unique-name.aspx - almost no .NET apps use CNG because it has only been accessible via native APIs.

          Without being able to force the key storage format to the older…

          2 votes
          0 comments  ·  Certificates and CA
          • Add ECDSA Platform Crypto Provider

            Now that TPM 2.0 supports EC, the Platform Crypto Provider should support it.

            1 vote
            2 comments  ·  Certificates and CA
            • Enhance the password complexity requirements

              Give the possibility for admins to increase the number of character set combinations. Currently it is 3, but we would like to make it 4 and we can't. We are "forced" to invest in an external party creating custom password filters - from what I am reading in TechNet forums.

              4 votes
              0 comments  ·  Authentication
              • Disable Insecure Cipher Suites and Protocols BY DEFAULT

                SCHannel in Windows Server 2016 TP5 still has RC4 ciphers and even SSLv3 enabled by default, which is a complete joke from a security standpoint. If Microsoft doesn't want their server to be insecure by default, disable those like every other major vendor has done.

                5 votes
                0 comments  ·  SSL/TLS/Schannel
                • Remove Windows Defender from default install

                  1) Windows Defender causes the installation of a lab setup to be 4x slower: https://github.com/Microsoft/ws2016lab/wiki

                  2) Please don't even get me started on how wrong you are doing if you need to put an antivirus solution IN A SERVER. (WTF Microsoft?!)

                  3) Obligatory xkcd reference: https://xkcd.com/463/

                  2 votes
                  2 comments  ·  Misc
                  • Add an option to require administrative password reset to honor password history

                    Windows supports two password APIs, change and reset. The change API honors password history, preventing users from re-using recent previous passwords. The reset API ignores password history and allows an administrator or e.g. help desk, to re-use a recent previous password. Add an option in Active Directory to force the reset API to also honor password history. The default should be that this option is disabled, an administrator CAN use a recent password, so it matches expected / current behavior. For Active Directory, this option should be available in the default domain policy and also in each password settings object…

                    2 votes
                    0 comments  ·  Authentication
                    • Create a Developers Built-In Group

                      Create a built-in group "Developers" on Windows Server (and domain controllers) and restrict the activity of those users to compile, debug and run their applications. If the developer's computer gets compromised then the damage is limited. Unfortunately the effort to restrict "developer" accounts is too error prone.

                      Following the convention of least privilege, application developers need not be full-blown administrators on their development machines. For example, they don't need to manage users, groups, memberships or even be able to make changes that affect everyone on the host. They do need the ability to compile and debug their software.

                      5 votes
                      0 comments  ·  Authorization
                      • Fix secedit in nano server

                        secedit is broken in nano server (checked both TP3 and TP4) and it simply doesn't work. I have asked about it @nano server forum as well without any response so far.
                        https://social.technet.microsoft.com/Forums/windowsserver/en-US/894a3a8f-64f4-4605-b1ff-9698a53814db/issues-running-secedit-on-nano-server?forum=NanoServer

                        There is absolutely no way to harden a nano server once it is deployed. Can it be fixed? Or is there a new way to work with local security policy on nano server that I am unaware of?

                        1 vote
                        3 comments  ·  Management tools
                        • PGP for Office2016/17, Exchange 2016 & Server 2016

                          MIT Key Server:
                          http://pgp.mit.edu:11371/
                          (users' public PGP database)

                          E.g.:
                          Mailvelope
                          http://www.mailvelope.com/

                          MICROSOFT
                          Please make all your Microsoft products easy to work with PGP.
                          External server to external server can use DKIM for PGP keys.
                          And allow your products to work with legit key servers like MIT. Make your own key server, if you want to, but share/sync the info back to MIT server (like PGP-DNS).
                          Allow sharing of key servers data, like mirror/sync.
                          Allow key servers to use DKIM keys to communicate to external servers.

                          Thanks.

                          6 votes
                          0 comments  ·  Misc
                          • Rebuild Certificate Authority

                            The whole CA management interface feels so overdue. I know the whole certificate thing wasn't built by Microsoft and it was pushed into the market real fast (relatively speaking), so a solution had to be realized quickly. The whole topic is very clumsy and involves so many manual steps that it gives lots of admins around the globe headaches. It is also very hard to learn and master due to the wrong tools, I think.

                            The certification management in Exchange Control Panel 2013 seems a step in the right direction. I can't really tell you what to do, but I'm sure…

                            7 votes
                            3 comments  ·  Certificates and CA
                            • Provide native PowerShell cmdlets for managing local security policy

                              There is no way to either view or manage local security policy using PowerShell. It is possible to install a utility such as secedit.exe and make calls out to it, but this should be functionality that resides within native PowerShell cmdlets.
                              This would greatly ease server management, and in particular allow for viewing settings that would otherwise not be available to people without using a GUI tool.

                              7 votes
                              1 comment  ·  Management tools
                              • Make a SUDO equivalent for elevating to an Administrator without runas.

                                Runas works OK, but SUDO on Linux works well for allowing administrators to elevate for one-time-only commands.

                                11 votes
                                4 comments  ·  Management tools
                                • Make Saved Passwords a Thing of the Past (OAuth)

                                  All throughout Windows, it is very common to have to enter and save passwords, and, what's worse, when a password is changed, you have to try to remember everywhere that it was set.

                                  A good example is inside of an Active Directory environment where you have Services that run under a specific user. If you change the user's password, then you have to go to each server and update the password.

                                  I suggest that features like this be re-architected to take advantage of OAuth (or a similar technology) very similar to how Facebook and Twitter let you Authorize Apps. I…

                                  9 votes
                                  2 comments  ·  OAUTH
                                  • IIS Remote management as current identity aka windows integrated authentication

                                    IIS Remote management currently does not allow authenticating with the "current user", which should be possible with Kerberos.
                                    This leads to the problem that we are not able to use smartcard authentication against IIS Remote management.

                                    10 votes
                                    0 comments  ·  Smartcard
                                    • Provide easy to use PowerShell cmdlets for managing File and folder permissions (ACLs)

                                      PowerShell Get-Acl and Set-Acl (to set permissions on folders/files) currently in Windows Server are extremely hard to use and do not offer nearly the same level of functionality as older commands like ICACLS.EXE. It would be great if you could manage ACLs for folders and files using an easier to use set of PowerShell cmdlets, like we can do with SMB shares. Something like Get-ItemAccess, Grant-ItemAccess, Revoke-ItemAccess, Deny-ItemAccess and Remove-ItemAccess would be great!

                                      41 votes
                                      0 comments  ·  Management tools
                                      • Enhance Dynamic Access Control (DAC)

                                        Don't let Dynamic Access Control (DAC) wither on the vine from lack of enhancements! Add a library of PowerShell classifiers in FSRM. Make the installation of PDF and Office file iFilter DLLs a feature that is easy to install with Server Manager. Get more third-party DLP vendors on board. Include DAC features in Office 365, SharePoint 2016 and Exchange. Integrate DAC and RMS into a single easy-to-manage system. At a minimum, make some public confirmations that you are not going to let DAC die a slow death!

                                        13 votes
                                        3 comments  ·  Dynamic Access Control (DAC)
                                        • Default administrator give back full control

                                          The current setting of the Default admin that can't do primary tasks is a big pain for test and web environments. I don't want an extra account just to change antimalware or test a website that is running on the server.

                                          Delegation and limiting is fine, but give the option to give the built-in administrator full control, but not as default.

                                          6 votes
                                          3 comments  ·  Authorization