Introduction
Zero Trust Architecture on Windows Server 2016 applies the principle of “never trust, always verify” to every connection and access request: no session is trusted because of where it originates, and every request is authenticated, authorised and logged. Using native Windows capabilities (Credential Guard, Windows Firewall with Advanced Security, time-bound group membership from the Active Directory Privileged Access Management feature, and audit logging) administrators can implement the core Zero Trust controls without additional tooling. Each control is a building block; none of them verifies user and device posture on its own, so the value comes from layering them.
Enabling Credential Guard
Credential Guard isolates LSA secrets (NTLM password hashes, Kerberos TGTs and domain credentials cached by applications) in a virtualization-based security container, so even a process running as SYSTEM on the host cannot read them. It requires UEFI firmware with Secure Boot and a CPU with virtualization extensions and SLAT; on Hyper-V the guest must be a Generation 2 VM. On Windows Server 2016 no separate Windows feature has to be installed first; the registry values below are enough, and they take effect after a reboot:
$dg = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
New-Item -Path $dg -Force | Out-Null   # the key may not exist on a fresh install
Set-ItemProperty -Path $dg -Name EnableVirtualizationBasedSecurity -Value 1 -Type DWord
# 1 = require Secure Boot; 3 = require Secure Boot and DMA protection (IOMMU)
Set-ItemProperty -Path $dg -Name RequirePlatformSecurityFeatures -Value 1 -Type DWord
# LsaCfgFlags: 1 = Credential Guard on with UEFI lock (cannot be turned off remotely), 2 = on without lock
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name LsaCfgFlags -Value 1 -Type DWord
# Verify after reboot: SecurityServicesRunning contains 1 when Credential Guard is running (2 = HVCI)
(Get-CimInstance -ClassName Win32_DeviceGuard -Namespace 'root\Microsoft\Windows\DeviceGuard').SecurityServicesRunning
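The single property read above tells you whether Credential Guard is running but not why it is not. The function below is an added example (not code from the original article) that reads the full Win32_DeviceGuard class together with the LsaCfgFlags value and distinguishes "running" from "configured but waiting for a reboot or a missing platform prerequisite" from "registry set but VBS never enabled". The property codes in the comments are the documented ones for this class; the verdict strings are my own.

```powershell
function Test-CredentialGuard {
    [CmdletBinding()]
    param()
    $dg = Get-CimInstance -ClassName Win32_DeviceGuard `
        -Namespace 'root\Microsoft\Windows\DeviceGuard' -ErrorAction Stop

    # AvailableSecurityProperties codes: 1 = hypervisor support, 2 = Secure Boot, 3 = DMA protection (IOMMU)
    $avail = @($dg.AvailableSecurityProperties)
    # SecurityServicesConfigured / SecurityServicesRunning codes: 1 = Credential Guard, 2 = HVCI
    $configured = @($dg.SecurityServicesConfigured) -contains 1
    $running    = @($dg.SecurityServicesRunning)    -contains 1
    $lsaFlags   = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                    -Name LsaCfgFlags -ErrorAction SilentlyContinue).LsaCfgFlags

    # First matching condition wins; the strings are assumptions for this example
    $verdict = switch ($true) {
        ($running) { 'Running'; break }
        ($configured -and -not $running) {
            'Configured but not running: reboot pending, or a platform prerequisite (Secure Boot, hypervisor) is missing'; break
        }
        ($lsaFlags -ge 1) {
            'LsaCfgFlags set but not reported as configured: EnableVirtualizationBasedSecurity is not set'; break
        }
        default { 'Not configured' }
    }

    [pscustomobject]@{
        HypervisorAvailable = ($avail -contains 1)
        SecureBootAvailable = ($avail -contains 2)
        DmaProtection       = ($avail -contains 3)
        # VirtualizationBasedSecurityStatus: 0 = Off, 1 = Configured, 2 = Running
        VbsStatus           = @('Off', 'Configured', 'Running')[[int]$dg.VirtualizationBasedSecurityStatus]
        LsaCfgFlags         = $lsaFlags
        CredentialGuard     = $verdict
    }
}

Test-CredentialGuard
```

Run it after the reboot; a host that shows `SecureBootAvailable = False` with `VbsStatus = Configured` will never reach `Running` while RequirePlatformSecurityFeatures demands Secure Boot, which is the usual reason a "configured" server silently keeps unprotected LSA secrets.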
Network Micro-Segmentation
Set the default inbound action to Block on every profile, then add explicit allow rules scoped to the source addresses that legitimately need each service. Do this from a console session, or create the allow rule for your current management path first: the default action takes effect immediately and a remote session without a matching allow rule is dropped. Existing enabled allow rules, including the built-in ones, still match before the default action is consulted, so reviewing them is part of the change:
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Allow
# RDP only from the privileged access workstation (PAW)
New-NetFirewallRule -DisplayName 'Allow RDP from PAW only' `
    -Direction Inbound -Protocol TCP -LocalPort 3389 `
    -RemoteAddress '10.0.0.50/32' -Profile Domain -Action Allow
# WinRM over HTTP (5985) and HTTPS (5986) only from the management subnet
New-NetFirewallRule -DisplayName 'Allow WinRM from Management' `
    -Direction Inbound -Protocol TCP -LocalPort 5985,5986 `
    -RemoteAddress '10.0.0.0/24' -Profile Domain -Action Allow
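A Block default only applies to traffic no enabled allow rule matches, so a server that still carries an inbound allow rule with a remote address of Any is not segmented at all. The following is an added example (not from the original article) that lists every enabled inbound allow rule open to any source, marks the groups you intend to keep, and stages the rest for disabling. The `Core Networking` keep-list and the `-WhatIf` dry run are assumptions; drop `-WhatIf` once you have reviewed the output.

```powershell
function Get-BroadInboundAllowRule {
    [CmdletBinding()]
    param(
        # Display groups that are expected to accept traffic from anywhere (assumption for this example)
        [string[]]$KeepGroup = @('Core Networking')
    )
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True -ErrorAction Stop |
        ForEach-Object {
            $rule = $_
            $addr = $rule | Get-NetFirewallAddressFilter
            $port = $rule | Get-NetFirewallPortFilter
            # RemoteAddress is 'Any' when the rule is not scoped to a source address
            if (@($addr.RemoteAddress) -contains 'Any') {
                [pscustomobject]@{
                    Name        = $rule.Name          # unique id, safe to pass to Disable-NetFirewallRule
                    DisplayName = $rule.DisplayName
                    Group       = $rule.DisplayGroup
                    Profile     = $rule.Profile
                    Protocol    = $port.Protocol
                    LocalPort   = (@($port.LocalPort) -join ',')
                    Keep        = [bool]($KeepGroup | Where-Object { $rule.DisplayGroup -like $_ })
                }
            }
        }
}

# Review first ...
$broad = Get-BroadInboundAllowRule
$broad | Format-Table Name, DisplayName, Group, Profile, Protocol, LocalPort, Keep -AutoSize

# ... then disable everything not on the keep-list (remove -WhatIf to apply)
$broad | Where-Object { -not $_.Keep } |
    ForEach-Object { Disable-NetFirewallRule -Name $_.Name -WhatIf }
```

Rules are disabled rather than removed so that the built-in rule set stays intact and the change can be reverted with `Enable-NetFirewallRule -Name`.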
Just-In-Time Access with AD PAM
Grant privileged access for a limited time rather than permanently. The Privileged Access Management optional feature (forest functional level Windows Server 2016) lets a group membership carry a time-to-live: when the TTL expires, Active Directory removes the member automatically, and the KDC caps the lifetime of that user's TGT to the shortest remaining TTL, so the privilege does not outlive the membership. Enabling the feature is a one-way change for the forest:
# One-time and irreversible; requires forest functional level Windows Server 2016
Enable-ADOptionalFeature 'Privileged Access Management Feature' `
    -Scope ForestOrConfigurationSet -Target 'contoso.com'
# Membership is removed by AD when the TTL elapses
Add-ADGroupMember -Identity 'Server Operators' -Members 't1-jsmith' `
    -MemberTimeToLive (New-TimeSpan -Hours 1)
Write-Host "JIT access granted for 1 hour"
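If the PAM feature is not enabled, `-MemberTimeToLive` is not honoured and the grant above silently becomes permanent, which is the failure mode a JIT workflow must not have. The function below is an added example (not code from the original article) that refuses to grant unless the feature is enabled, validates the requested duration, and reads the TTL back so the caller has proof the membership is temporary. Group, user and forest names are placeholders; the 8-hour ceiling is an assumption.

```powershell
function Grant-JitGroupMembership {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Group,
        [Parameter(Mandatory)][string]$User,
        [ValidateRange(1, 8)][int]$Hours = 1      # ceiling is a policy choice for this example
    )
    Import-Module ActiveDirectory -ErrorAction Stop

    # Never fall back to a permanent grant when the feature is missing
    $pam = Get-ADOptionalFeature -Filter "Name -eq 'Privileged Access Management Feature'"
    if (-not $pam -or -not $pam.EnabledScopes) {
        throw 'PAM optional feature is not enabled; a TTL-less (permanent) membership would result.'
    }

    if ($PSCmdlet.ShouldProcess("$User -> $Group", "grant membership for $Hours hour(s)")) {
        Add-ADGroupMember -Identity $Group -Members $User -MemberTimeToLive (New-TimeSpan -Hours $Hours)
    }

    # Read back: with -ShowMemberTimeToLive, temporary members are returned as '<TTL=seconds,DN...'
    $dn    = (Get-ADUser -Identity $User).DistinguishedName
    $entry = (Get-ADGroup -Identity $Group -Properties member -ShowMemberTimeToLive).member |
        Where-Object { $_ -match "^<TTL=\d+,$([regex]::Escape($dn))" }
    if (-not $entry) {
        throw "Membership of $User in $Group carries no TTL; remove it and investigate."
    }
    $ttl = [int]($entry -replace '^<TTL=(\d+),.*$', '$1')

    [pscustomobject]@{
        User       = $User
        Group      = $Group
        TtlSeconds = $ttl
        ExpiresAt  = (Get-Date).AddSeconds($ttl)
    }
}

# Usage:
# Grant-JitGroupMembership -Group 'Server Operators' -User 't1-jsmith' -Hours 1
```

Pair the grant with the Security Group Management audit subcategory so the add and the automatic removal both appear in the Security log.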
Device Health Verification
Verify the security posture of a host before trusting it: a TPM that is present, enabled and ready; UEFI Secure Boot switched on; and BitLocker protecting the operating system volume. Windows Server 2016 has no built-in conditional-access engine, so these are checks you run on the server itself (or against remote hosts over WinRM) and feed into your own gating logic. Note that Confirm-SecureBootUEFI throws on a machine booted in legacy BIOS mode, and Get-BitLockerVolume needs the BitLocker feature installed:
Get-Tpm | Select-Object TpmPresent,TpmReady,TpmEnabled   # all three should be True
Confirm-SecureBootUEFI   # True when Secure Boot is on; throws if the host is not UEFI-booted
Get-BitLockerVolume | Select-Object MountPoint,ProtectionStatus,EncryptionPercentage   # OS volume should be On / 100
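Three separate commands are fine at a console, but a gate needs one answer plus the reasons for a failure, and it must not abort on a host where Secure Boot or BitLocker cannot be queried. The function below is an added example (not from the original article) that wraps the three checks in error handling and returns a single compliance object; the remote invocation at the end uses placeholder host names.

```powershell
function Test-DeviceHealth {
    [CmdletBinding()]
    param([string]$OsDrive = 'C:')   # volume that must be BitLocker-protected (assumption)
    $reasons = [System.Collections.Generic.List[string]]::new()

    try {
        $tpm = Get-Tpm -ErrorAction Stop
        if (-not ($tpm.TpmPresent -and $tpm.TpmEnabled -and $tpm.TpmReady)) {
            $reasons.Add('TPM is not present, enabled and ready')
        }
    } catch { $reasons.Add("TPM query failed: $($_.Exception.Message)") }

    try {
        # Throws PlatformNotSupportedException on a legacy-BIOS host
        if (-not (Confirm-SecureBootUEFI -ErrorAction Stop)) { $reasons.Add('Secure Boot is disabled') }
    } catch { $reasons.Add('Secure Boot unavailable (not booted in UEFI mode)') }

    try {
        $vol = Get-BitLockerVolume -MountPoint $OsDrive -ErrorAction Stop
        if ("$($vol.ProtectionStatus)" -ne 'On') {
            $reasons.Add("BitLocker protection is $($vol.ProtectionStatus) on $OsDrive")
        } elseif ($vol.EncryptionPercentage -lt 100) {
            $reasons.Add("BitLocker encryption of $OsDrive incomplete ($($vol.EncryptionPercentage)%)")
        }
    } catch { $reasons.Add("BitLocker check failed: $($_.Exception.Message)") }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Compliant    = ($reasons.Count -eq 0)
        Reasons      = $reasons.ToArray()
    }
}

# Local gate: only continue with a privileged task on a compliant host
$health = Test-DeviceHealth
if (-not $health.Compliant) {
    throw "Host not compliant: $($health.Reasons -join '; ')"
}

# Same check on remote hosts over WinRM; the function body travels with the script block
Invoke-Command -ComputerName 'srv01', 'srv02' -ScriptBlock ${function:Test-DeviceHealth}
```

Because each check is isolated, a host with no TPM still produces a report naming that as the reason instead of an unhandled exception, which is what you want when the result drives an automated decision.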
Continuous Audit Logging
Enable the audit subcategories that record authentication and privilege use, so every access decision leaves evidence. Note that "Account Logon" is a category, not a subcategory (its subcategories are Credential Validation, Kerberos Authentication Service, Kerberos Service Ticket Operations and Other Account Logon Events), so it is set with /category rather than /subcategory:
auditpol /set /subcategory:"Logon" /success:enable /failure:enable
auditpol /set /subcategory:"Sensitive Privilege Use" /success:enable /failure:enable
auditpol /set /category:"Account Logon" /success:enable /failure:enable
# Records the JIT grant and its automatic removal (group member add/remove events)
auditpol /set /subcategory:"Security Group Management" /success:enable /failure:enable
auditpol /get /category:"Logon/Logoff","Account Logon"   # confirm the settings took effect
# Recent failed logons. For event 4625, Properties[5] is TargetUserName,
# [10] is LogonType and [19] is IpAddress
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625} -MaxEvents 50 |
    Select-Object TimeCreated,
        @{N='User';E={$_.Properties[5].Value}},
        @{N='LogonType';E={$_.Properties[10].Value}},
        @{N='IP';E={$_.Properties[19].Value}}
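Listing the last fifty failures is a view, not a detection. The following is an added example (not from the original article) that turns the 4625 query into a rule: it flags any source IP with a threshold number of failures inside a sliding time window and labels the pattern as a spray (many users) or brute force (few users). The threshold, window and user-count cut-off are assumptions to tune, and the sample events at the bottom are constructed so the logic can be exercised without a Security log.

```powershell
function Find-LogonFailureBurst {
    [CmdletBinding()]
    param(
        # Objects with TimeCreated, User and IP properties
        [Parameter(Mandatory, ValueFromPipeline)][object[]]$Failure,
        [int]$Threshold = 10,        # failures ...
        [int]$WindowMinutes = 5      # ... within this many minutes (both assumptions)
    )
    begin   { $all = [System.Collections.Generic.List[object]]::new() }
    process { $all.AddRange($Failure) }
    end {
        $all | Group-Object IP | ForEach-Object {
            $events = @($_.Group | Sort-Object TimeCreated)
            # Sliding window: any run of $Threshold consecutive failures inside $WindowMinutes
            for ($i = 0; $i + $Threshold - 1 -lt $events.Count; $i++) {
                $span = $events[$i + $Threshold - 1].TimeCreated - $events[$i].TimeCreated
                if ($span.TotalMinutes -le $WindowMinutes) {
                    $users   = @($events.User | Sort-Object -Unique).Count
                    $pattern = 'brute-force'
                    if ($users -gt 3) { $pattern = 'spray' }   # cut-off is an assumption
                    [pscustomobject]@{
                        IP            = $_.Name
                        Failures      = $events.Count
                        DistinctUsers = $users
                        FirstSeen     = $events[0].TimeCreated
                        LastSeen      = $events[-1].TimeCreated
                        Pattern       = $pattern
                    }
                    break   # one finding per source is enough
                }
            }
        }
    }
}

function ConvertFrom-LogonFailureEvent {
    # Map live 4625 records onto the shape Find-LogonFailureBurst expects
    param([Parameter(ValueFromPipeline)]$Event)
    process {
        [pscustomobject]@{
            TimeCreated = $Event.TimeCreated
            User        = $Event.Properties[5].Value
            IP          = $Event.Properties[19].Value
        }
    }
}

# Constructed sample: 12 failures from one IP against 6 users in two minutes, plus one benign typo
$t0 = Get-Date '2024-01-01T08:00:00'
$sample = @(
    0..11 | ForEach-Object {
        [pscustomobject]@{ TimeCreated = $t0.AddSeconds($_ * 10); User = "user$($_ % 6)"; IP = '10.0.0.99' }
    }
    [pscustomobject]@{ TimeCreated = $t0.AddMinutes(30); User = 'jsmith'; IP = '10.0.0.50' }
)
$sample | Find-LogonFailureBurst -Threshold 10 -WindowMinutes 5   # flags 10.0.0.99 as 'spray'; 10.0.0.50 is silent

# Live data: last 24 hours of failed logons from the Security log
# Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625; StartTime=(Get-Date).AddDays(-1)} |
#     ConvertFrom-LogonFailureEvent | Find-LogonFailureBurst
```

Schedule the live pipeline and feed its output to whatever alerting you have; combined with the micro-segmentation rules, a burst from an address that is not on the allow list is a strong signal of lateral-movement attempts reaching the host.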
Summary
Zero Trust on Windows Server 2016 combines Credential Guard for credential isolation, host-based micro-segmentation, time-bound privileged group membership and comprehensive audit logging so that every access request is verified and recorded. These native controls form a layered defence that reduces the attack surface and makes lateral movement both harder to achieve and easier to detect, without requiring third-party tooling.