Zero Trust Principles Applied to Windows Server
Zero Trust is a security model built on three core principles: verify explicitly (always authenticate and authorize based on all available data points), use least privilege access (limit user rights to the minimum required for the task), and assume breach (design as if an attacker is already inside the network). The traditional perimeter security model — where everything inside the network is trusted — fails against modern threats like insider attacks, phishing-based credential theft, and lateral movement after initial compromise.
On Windows Server 2022, Zero Trust is not a single product or setting — it is a posture achieved by layering multiple controls: a hardened OS baseline, strict firewall rules that default to deny, identity-based access with MFA enforcement, just-in-time privilege elevation, automated local credential rotation, application execution control, and continuous monitoring. This guide covers each layer in detail with specific configurations for Windows Server 2022.
Windows Server 2022 Hardening Baseline
Microsoft publishes security baselines for Windows Server via the Microsoft Security Compliance Toolkit (SCT). These baselines are pre-configured GPO backups that apply hundreds of security settings aligned with Microsoft’s recommendations and the CIS (Center for Internet Security) Benchmark for Windows Server 2022.
Download the Security Compliance Toolkit from the Microsoft Download Center. The download includes LGPO.exe (for applying policies without a domain) and a set of GPO backup folders for Windows Server 2022 Member Server and Domain Controller. Import the baseline GPO into your domain:
Import-GPO -BackupGpoName "MSFT Windows Server 2022 - Member Server" `
    -Path "C:\SCT\Windows Server 2022 Security Baseline\GPOs" `
    -TargetName "WS2022 Security Baseline" `
    -CreateIfNeeded
Link the GPO to your Servers OU:
New-GPLink -Name "WS2022 Security Baseline" -Target "OU=Servers,DC=yourdomain,DC=com" -Enforced Yes
Key settings in the baseline include: SMBv1 disabled, NTLMv1 disabled, RC4 Kerberos encryption disabled, LM hash storage disabled, anonymous enumeration blocked, WDigest authentication disabled (prevents cleartext passwords in LSASS memory), and minimum TLS version set to 1.2.
After applying the baseline, test application compatibility — some legacy applications depend on NTLMv1 or SMBv1 and will break. Identify these with:
# SMB1 access auditing is off by default; switch it on first. Each SMB1 client
# connection is then recorded as event 3000 in the SMBServer/Audit log.
Set-SmbServerConfiguration -AuditSmb1Access $true -Force
Get-WinEvent -LogName "Microsoft-Windows-SMBServer/Audit" | Where-Object { $_.Id -eq 3000 }
Micro-Segmentation with Windows Defender Firewall
Traditional network firewall rules protect the perimeter but allow unchecked lateral movement once an attacker is inside. Micro-segmentation applies firewall rules at the individual host level, restricting which servers can communicate with which other servers, even on the same VLAN. Windows Defender Firewall with Advanced Security is the mechanism for host-based micro-segmentation on Windows Server 2022.
The Zero Trust firewall stance starts with a default-deny inbound policy and then explicitly permits only required traffic. Configure this via GPO (Computer Configuration > Windows Settings > Security Settings > Windows Defender Firewall with Advanced Security) or PowerShell. Set the default inbound action to Block:
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block -DefaultOutboundAction Allow
Then create explicit allow rules for required services. For a web server that needs HTTP/HTTPS from specific source IPs only:
New-NetFirewallRule -DisplayName "Allow HTTP from Load Balancer" `
-Direction Inbound `
-Protocol TCP `
-LocalPort 80 `
-RemoteAddress "10.0.1.50" `
-Action Allow
New-NetFirewallRule -DisplayName "Allow HTTPS from Load Balancer" `
-Direction Inbound `
-Protocol TCP `
-LocalPort 443 `
-RemoteAddress "10.0.1.50" `
-Action Allow
For RDP management access, restrict it to the jump server IP only:
New-NetFirewallRule -DisplayName "Allow RDP from Jump Server Only" `
-Direction Inbound `
-Protocol TCP `
-LocalPort 3389 `
-RemoteAddress "10.0.100.10" `
-Action Allow
To deploy these firewall rules via GPO to all servers in an OU, create the rules in the GPO’s Windows Firewall section rather than via PowerShell directly on each server. Use GPO’s Computer Configuration > Windows Settings > Security Settings > Windows Defender Firewall with Advanced Security > Inbound Rules to define them centrally.
For more granular service-to-service segmentation where rules must be based on identity rather than just IP, Windows Defender Firewall supports IPsec connection security rules combined with firewall rules that allow only authenticated connections: the peer must authenticate with Kerberos or a certificate before the firewall rule permits the traffic, and the rule can additionally be scoped to specific computer or user accounts.
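An added example (not code from the original guide) of the identity-based variant described above: RDP is accepted only from peers that authenticated with IPsec computer Kerberos and whose computer account is in an assumed AD group named "JumpServers".

```powershell
# Added example: IPsec-authenticated, group-scoped RDP rule.
# Assumption (constructed): AD security group "JumpServers" holds the jump hosts'
# computer accounts. Run on the managed server (or build the same rules in a GPO).
Import-Module NetSecurity
Import-Module ActiveDirectory

# Phase 1 (IKE) authentication set: Kerberos computer authentication only.
$proposal = New-NetIPsecAuthProposal -Machine -Kerberos
$authSet  = New-NetIPsecPhase1AuthSet -DisplayName "Computer Kerberos only" -Proposal $proposal

# Connection security rule: inbound RDP must be IPsec-protected, outbound merely requests it.
New-NetIPsecRule -DisplayName "Require IPsec for inbound RDP" `
    -InboundSecurity Require -OutboundSecurity Request `
    -Phase1AuthSet $authSet.Name `
    -Protocol TCP -LocalPort 3389 -Profile Domain

# SDDL that grants access to the JumpServers group (any member computer account).
$groupSid        = (Get-ADGroup -Identity "JumpServers").SID.Value
$allowedMachines = "O:LSD:(A;;CC;;;$groupSid)"

# Firewall rule: allow RDP only when the peer authenticated via IPsec AND its computer
# account is in JumpServers. A spoofed source IP or an unjoined host never matches.
New-NetFirewallRule -DisplayName "Allow RDP from authenticated jump servers" `
    -Direction Inbound -Protocol TCP -LocalPort 3389 -Profile Domain `
    -Authentication Required -RemoteMachine $allowedMachines `
    -Action Allow

# Verification: one main-mode SA per authenticated peer, and the rule's security filter
# should show Authentication = Required with the group SID in RemoteMachine.
Get-NetIPsecMainModeSA
Get-NetFirewallRule -DisplayName "Allow RDP from authenticated jump servers" |
    Get-NetFirewallSecurityFilter
```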
Identity-Based Access and MFA Enforcement
Zero Trust requires that every access request be authenticated with strong credentials, not just a password. For administrative access to Windows Server 2022, enforce MFA through Azure AD Conditional Access (for hybrid environments) or Windows Hello for Business with a PIN/biometric factor.
For domain-joined servers managed via Windows Admin Center authenticated through Azure AD, Conditional Access policies can require MFA for all WAC sign-ins. In the Azure portal, create a Conditional Access policy targeting the Windows Admin Center application ID and requiring MFA as a grant control.
For interactive and RDP-based logins, Smart Card enforcement is the on-premises MFA equivalent. Enable Smart Card required logon for all privileged accounts:
Set-ADUser -Identity "adm0-jsmith" -SmartcardLogonRequired $true
This sets the UF_SMARTCARD_REQUIRED flag on the account in AD, requiring a smart card (or virtual smart card) for interactive logon. Password-based authentication is blocked at the DC level for these accounts.
For Windows Hello for Business as an MFA replacement for smart cards, deploy it via Intune or Group Policy and require it for all admin sign-ins on PAWs. The private key is protected by the TPM and can only be used after a PIN or biometric gesture, so the public/private key challenge-response is inherently two-factor.
Just-in-Time Access with Privileged Identity Management
Just-in-Time (JIT) access means privileged rights are not assigned permanently but are granted for a limited time window when needed and revoked automatically afterward. This minimizes the window of opportunity for attackers — even if credentials are stolen, they may have no privileges by the time the attacker uses them.
For cloud-connected environments, Azure AD Privileged Identity Management (PIM) provides JIT for Azure RBAC and Azure AD roles. On-premises, Microsoft Identity Manager (MIM) with the Privileged Access Management (PAM) feature provides JIT for Active Directory groups.
With MIM PAM, a user requests elevation to a privileged group (e.g., Domain Admins) for a specified time period. MIM adds the user’s account to the shadow group in the bastion forest for that duration, and the membership expires automatically via the Kerberos TGT TTL and shadow group membership TTL.
A simpler on-premises JIT approach without MIM uses time-limited group membership, provided by the Active Directory Privileged Access Management optional feature (requires forest functional level 2016), from a PowerShell script:
Add-ADGroupMember -Identity "Server-Admins" -Members "adm1-jsmith" `
-MemberTimeToLive (New-TimeSpan -Hours 2)
After 2 hours, AD automatically removes jsmith from Server-Admins. The domain controller must be Windows Server 2016 or later for time-limited group membership to work.
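An added example (not from the original guide) that wraps the time-limited membership above in a function: it checks that the PAM optional feature is enabled, grants the membership, and reads back the remaining TTL. The group and user names are the guide's; the function name is constructed.

```powershell
# Added example: JIT membership with prerequisite check and TTL read-back.
Import-Module ActiveDirectory

function Grant-JitGroupMembership {
    param(
        [Parameter(Mandatory)][string]$Group,
        [Parameter(Mandatory)][string]$User,
        [int]$Hours = 2
    )
    # -MemberTimeToLive only works when the PAM optional feature is enabled forest-wide
    # (Enable-ADOptionalFeature 'Privileged Access Management Feature' ...).
    $pam = Get-ADOptionalFeature -Filter { Name -like "Privileged Access Management*" }
    if (-not $pam -or -not $pam.EnabledScopes) {
        throw "PAM optional feature is not enabled in this forest; enable it before using TTL memberships."
    }

    Add-ADGroupMember -Identity $Group -Members $User -MemberTimeToLive (New-TimeSpan -Hours $Hours)

    # With -ShowMemberTimeToLive, expiring members are returned as "<TTL=seconds,DN>".
    # The KDC also caps the user's TGT lifetime at the remaining TTL, so the right really
    # lapses on time instead of living on in a 10-hour ticket.
    $userDn = (Get-ADUser -Identity $User).DistinguishedName
    $entry  = (Get-ADGroup -Identity $Group -Properties member -ShowMemberTimeToLive).member |
        Where-Object { $_ -like "*$userDn*" }

    if ($entry -match '^<TTL=(\d+),') { return [int]$Matches[1] }  # seconds remaining
    return $null   # permanent membership (no TTL) or not a member
}

# Usage: grant two hours of Server-Admins to adm1-jsmith and show the seconds left.
Grant-JitGroupMembership -Group "Server-Admins" -User "adm1-jsmith" -Hours 2
```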
Local Administrator Password Solution (LAPS)
A critical Zero Trust control is ensuring that local administrator passwords are unique per machine and rotated automatically. Without LAPS, organizations often set the same local admin password on all servers — one compromised machine exposes all others via pass-the-hash with the local admin hash.
Windows Server 2022 includes Windows LAPS (built-in, not the legacy LAPS MSI). Enable Windows LAPS via Group Policy and configure it to store passwords in Active Directory (or Azure AD for hybrid scenarios).
Enable the Windows LAPS policy via GPO: Computer Configuration > Administrative Templates > System > LAPS. Set Backup directory to Active Directory, configure the password complexity, length (minimum 14 characters), and maximum age (30 days is common).
After GPO applies, LAPS generates a random password for the built-in Administrator account and stores it as an attribute on the computer object in AD. To retrieve a server’s local admin password:
Get-LapsADPassword -Identity "SERVER01" -AsPlainText
Only accounts that have been delegated Read permission on the msLAPS-Password attribute in AD can retrieve it. Grant that permission to your Tier 1 admins only, not to all Domain Admins or help desk staff.
# Allow each computer in the OU to write its own password and expiry to its AD object
Set-LapsADComputerSelfPermission -Identity "OU=Servers,DC=yourdomain,DC=com"
# Audit successful password reads on these objects; -AllowedPrincipals is required and
# names whose reads are audited ("Everyone" = any principal)
Set-LapsADAuditing -Identity "OU=Servers,DC=yourdomain,DC=com" -AllowedPrincipals "Everyone" -AuditType Success
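An added example (not from the original guide) of the delegation the text calls for: read rights go to an assumed Tier 1 group, the resulting right holders are listed for review, and the password is expired after a checkout so the retrieved value does not stay valid.

```powershell
# Added example: LAPS read delegation, rights review, and post-checkout rotation.
# Assumption (constructed): AD group "Tier1-ServerAdmins"; OU and SERVER01 as in the guide.
Import-Module LAPS

$ou = "OU=Servers,DC=yourdomain,DC=com"

# Delegate reading of the LAPS password attributes to Tier 1 admins only.
Set-LapsADReadPasswordPermission -Identity $ou -AllowedPrincipals "Tier1-ServerAdmins"

# Review who can now read passwords under the OU. Every entry here should be justified;
# an unexpected principal is an audit finding, not something to ignore.
Find-LapsADExtendedRights -Identity $ou | Select-Object ObjectDN, ExtendedRightHolders

# Check out the password for a maintenance task.
$laps = Get-LapsADPassword -Identity "SERVER01" -AsPlainText
"Retrieved password for $($laps.ComputerName); scheduled expiry $($laps.ExpirationTimestamp)"

# After the task, expire the password now. The server rotates it on its next LAPS
# processing cycle, so the value you just retrieved stops working.
Set-LapsADPasswordExpirationTime -Identity "SERVER01"
```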
Credential Guard
Windows Defender Credential Guard uses virtualization-based security (VBS) to isolate LSASS (Local Security Authority Subsystem Service) in a separate, hardware-protected container. This prevents tools like Mimikatz from extracting NTLM password hashes and Kerberos tickets from memory, even if an attacker has SYSTEM-level access on the machine.
Enable Credential Guard on Windows Server 2022 via Group Policy: Computer Configuration > Administrative Templates > System > Device Guard > Turn On Virtualization Based Security. Set it to Enabled, with Credential Guard Configuration set to Enabled with UEFI lock (which makes it harder to disable without changing UEFI settings).
Or enable via PowerShell:
# On Windows Server 2016 and later the Hyper-V role does not need to be installed for
# VBS; setting the registry values below and rebooting is sufficient.
$dg = "HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard"
Set-ItemProperty -Path $dg -Name "EnableVirtualizationBasedSecurity" -Value 1 -Type DWord
# 1 = require Secure Boot; 3 = require Secure Boot and DMA protection
Set-ItemProperty -Path $dg -Name "RequirePlatformSecurityFeatures" -Value 1 -Type DWord
# LsaCfgFlags 1 = Credential Guard enabled with UEFI lock (2 = enabled without lock)
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name "LsaCfgFlags" -Value 1 -Type DWord
A reboot is required. Verify Credential Guard is running after reboot:
Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard | Select-Object SecurityServicesRunning
A value of 1 in SecurityServicesRunning indicates Credential Guard is active. Note: Credential Guard is not compatible with servers running Hyper-V nested virtualization, some VPN clients, or environments where NTLM to remote hosts is required from the protected machine.
Application Control with WDAC and AppLocker
Zero Trust requires that only authorized applications execute on servers. Windows Defender Application Control (WDAC) is the modern, kernel-enforced application whitelisting solution in Windows Server 2022. AppLocker is an older, user-mode alternative still supported but less tamper-resistant.
WDAC policies are XML files that define allow and deny rules based on file hash, publisher certificate, file path, or package family name. Create a base policy using the built-in wizard in the WDAC Policy Wizard tool, or generate one from PowerShell:
New-CIPolicy -Level Publisher -Fallback Hash -FilePath "C:\wdac\base-policy.xml" -UserPEs
ConvertFrom-CIPolicy -XmlFilePath "C:\wdac\base-policy.xml" -BinaryFilePath "C:\wdac\base-policy.bin"
Deploy the compiled binary policy to a server via GPO or direct copy:
Copy-Item "C:\wdac\base-policy.bin" -Destination "C:\Windows\System32\CodeIntegrity\SiPolicy.p7b"
Invoke-CimMethod -Namespace root\Microsoft\Windows\CI -ClassName PS_UpdateAndCompareCIPolicy -MethodName Update -Arguments @{ FilePath = "C:\wdac\base-policy.bin" }
Start in audit mode (the policy is evaluated and violations are logged, but nothing is blocked) before switching to enforce mode. This gives you time to identify legitimate applications that would otherwise be blocked.
Check the Code Integrity log for applications that would have been blocked (event ID 3076 in audit mode; once enforced, actual blocks are logged as 3077):
Get-WinEvent -LogName "Microsoft-Windows-CodeIntegrity/Operational" | Where-Object { $_.Id -eq 3076 }
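An added example (not from the original guide) of the audit-to-enforce transition: rules for everything audit mode flagged are generated from the 3076 events, merged into the base policy, and only then is audit mode removed. The file paths under C:\wdac are constructed.

```powershell
# Added example: fold audit findings into the policy, then switch to enforce mode.
Import-Module ConfigCI

$base   = "C:\wdac\base-policy.xml"       # policy created earlier with New-CIPolicy
$audit  = "C:\wdac\audit-findings.xml"    # constructed path for the audit-derived rules
$merged = "C:\wdac\enforced-policy.xml"
$bin    = "C:\wdac\enforced-policy.bin"

# 1. Review what audit mode would have blocked over the last two weeks.
$since = (Get-Date).AddDays(-14)
Get-WinEvent -FilterHashtable @{ LogName = "Microsoft-Windows-CodeIntegrity/Operational"; Id = 3076; StartTime = $since } |
    Select-Object TimeCreated, Message -First 20

# 2. Generate rules for exactly those binaries from the audit events
#    (publisher rule where signed, hash rule otherwise) and merge them into the base.
New-CIPolicy -Audit -Level Publisher -Fallback Hash -FilePath $audit -UserPEs
Merge-CIPolicy -PolicyPaths $base, $audit -OutputFilePath $merged

# 3. Drop option 3 (Enabled:Audit Mode) so the merged policy enforces. Option 10
#    (Enabled:Boot Audit On Failure) falls back to audit if the policy fails at boot,
#    which keeps a bad rule from making the server unbootable.
Set-RuleOption -FilePath $merged -Option 3 -Delete
Set-RuleOption -FilePath $merged -Option 10
ConvertFrom-CIPolicy -XmlFilePath $merged -BinaryFilePath $bin

# 4. Deploy the enforced policy the same way as the audit one.
Copy-Item $bin -Destination "C:\Windows\System32\CodeIntegrity\SiPolicy.p7b"
Invoke-CimMethod -Namespace root\Microsoft\Windows\CI -ClassName PS_UpdateAndCompareCIPolicy `
    -MethodName Update -Arguments @{ FilePath = $bin }

# 5. From now on, watch for real blocks (3077) rather than audit events (3076).
Get-WinEvent -FilterHashtable @{ LogName = "Microsoft-Windows-CodeIntegrity/Operational"; Id = 3077 } -MaxEvents 20
```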
Monitoring with Microsoft Defender for Servers
Microsoft Defender for Servers (part of Microsoft Defender for Cloud) provides cloud-based threat detection, vulnerability assessment, and behavioral monitoring for Windows Server 2022. When enabled, it deploys a monitoring agent (MDE — Microsoft Defender for Endpoint) to the server and streams security signals to the Microsoft cloud for analysis.
Enable Defender for Servers in the Azure portal under Microsoft Defender for Cloud > Environment Settings > your subscription. Select Defender for Servers Plan 2 for the full feature set including file integrity monitoring, just-in-time VM access, and network hardening recommendations.
After enrollment, check that the MDE sensor is active on the server:
Get-Service -Name "Sense" | Select-Object Status, StartType
Get-MpComputerStatus | Select-Object AMServiceEnabled, AntispywareEnabled, RealTimeProtectionEnabled
Defender for Servers generates security alerts in the Azure portal when it detects anomalous behavior such as unusual process creation, suspicious PowerShell execution, credential dumping attempts, lateral movement indicators, and network scanning activity. Configure alert notifications and integrate with Microsoft Sentinel for SIEM correlation.
Network Segmentation with VLANs and Firewall Rules
Beyond host-based firewall rules, network-level segmentation using VLANs and perimeter firewall rules is a complementary Zero Trust control. Place Tier 0 systems (domain controllers, AD Connect servers) in a dedicated VLAN with ACLs that block all access except from Tier 0 PAWs and required inter-DC replication traffic. Place Tier 1 servers in separate server VLANs, isolated from the workstation VLAN.
Required ports for AD communication that must be allowed between tiers (for authentication and management):
# From Servers to Domain Controllers (required for domain operations)
TCP 88 - Kerberos
TCP 135 - RPC endpoint mapper
TCP 389 - LDAP
TCP 445 - SMB (for GPO processing)
TCP 464 - Kerberos password change
TCP 636 - LDAPS
TCP 3268 - Global Catalog
TCP 49152-65535 - RPC dynamic ports (restrict with RPC static ports via registry)
Restrict RPC to a static port range to make firewall rules predictable:
# Run on every domain controller; the static ports take effect after NTDS and Netlogon restart (reboot the DC)
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters" -Name "TCP/IP Port" -Value 38901 -Type DWord
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters" -Name "DCTcpipPort" -Value 38902 -Type DWord
After setting static ports, update your perimeter firewall to allow only these specific ports between the server VLAN and the DC VLAN, rather than the full dynamic range.
Summary
Implementing Zero Trust on Windows Server 2022 is a layered effort. The foundation is a hardened OS baseline from Microsoft’s Security Compliance Toolkit. On top of that, micro-segmentation via Windows Defender Firewall restricts lateral movement. Identity controls — Smart Card/MFA enforcement, JIT access via time-limited group memberships, and LAPS for unique local credentials — eliminate the high-value credential pools attackers target. Credential Guard protects the credential material that does exist in memory. WDAC restricts execution to only authorized binaries. And Defender for Servers plus SIEM integration provides the continuous monitoring required to detect what controls may have failed. Each layer independently raises the cost of attack; together they create a posture that matches the Zero Trust principle of assuming breach while making actual breach significantly harder.