Hardening

Baselines implemented consistently

Hardening and securing Microsoft products in the cloud and on-premises. Focus: typical attack scenarios, common vulnerabilities, and an implementation-ready approach – including Microsoft tooling.

Hardening workflow

  • Baseline
    Target configuration (policies, baselines, RBAC)
  • Drift
    Detect deviations (CSPM, config audits)
  • Enforcement
    Technical enforcement (Policy/GPO/MDM)
  • Evidence
    Logging, reports, exceptions with rationale

Goal: hardening as a program with measurable security levels and usable audit evidence – not a one-time measure

  • Outcome
    Baseline + exception register + continuous compliance
  • Risk levers
    Identity/privileged access, Tier-0 protection, logging & response capability
  • Evidence
    Policies/reports/runbooks instead of PowerPoint

Cloud: tenant and Azure hardening

Control | Technical implementation | Evidence / proof
--------|--------------------------|-----------------
CA baseline (MFA, device compliant, geo/risk) | Conditional Access policies incl. named locations, risk-based CA (if licensed), break-glass accounts excluded | Policy export, sign-in logs, MFA registration reports
Phishing-resistant MFA | FIDO2/passkeys, Authenticator number matching, enable CAE | Authentication methods report, sign-in details
PIM for all privileged roles | JIT activation, approval/justification, MFA on activation, alerting | PIM audit logs, role assignments, access reviews
Disable legacy auth | Block legacy protocols, SMTP AUTH only if justified; enforce modern auth | CA policy, sign-in logs (legacy), message trace
Privileged Access Workstations | Admin access only from hardened admin devices / separate accounts | Device compliance, CA device filter, inventory
Azure Landing Zone / guardrails | Management Groups, RBAC model, network hub/spoke, Blueprint/ALZ | MG tree, RBAC exports, architecture decision records
Azure Policy (policy as code) | Baseline initiatives, Deny/DeployIfNotExists, CI/CD for policies | Policy compliance reports, repo/PR evidence
Centralized secrets & keys | Key Vault, RBAC, Private Endpoints, rotation | KV access policies/RBAC, diagnostic logs
Mandatory logging | Diagnostic settings: Entra, Azure Activity, Defender, Key Vault, Storage, Network | Log Analytics/Sentinel tables, data ingestion summary
Defender for Cloud / Defender XDR | Secure Score, vulnerability management, Attack Path Analysis (if available), alert routing | Secure Score reports, incidents, recommendation exports

Attack scenarios and vulnerabilities

Token theft / consent phishing

  • Conditional Access
    MFA/phishing-resistant, session controls, risk-based policies

Misconfiguration in Azure (CSPM findings)

  • Landing zone guardrails
    Management Groups, standard policies, naming/tagging

Insufficient logging and retention

  • Logging blueprint
    Sources, parsers, normalization, KQL standards
  • Retention tiering
    Hot/Warm/Archive, cost models

Data exfiltration via collaboration

  • External sharing "by design"
    B2B settings, access reviews, CA for guests
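The CA baseline row in the table above (MFA for all users, legacy auth blocked, break-glass accounts excluded) and the token-theft scenario both come down to reviewing the same policy set. The following PowerShell is an added example, not XELANED's code or tooling: it takes a Conditional Access policy export in the Graph JSON shape (what `GET /identity/conditionalAccess/policies` or `Get-MgIdentityConditionalAccessPolicy -All | ConvertTo-Json -Depth 10` returns) and produces pass/fail findings that can be filed as evidence. The three policies in the export are constructed sample data, and the break-glass group id is a placeholder.

```powershell
# Added example (not XELANED's code): review an exported Conditional Access policy set against
# the baseline rows above. The export below is constructed sample data; the break-glass group id
# is a placeholder for the real object id.

$BreakGlassGroupId = 'BREAKGLASS-GROUP-OBJECTID'   # placeholder: object id of the break-glass group

$ExportJson = @'
[
  { "displayName": "CA001 Require MFA for all users", "state": "enabled",
    "conditions": { "users": { "includeUsers": ["All"], "excludeUsers": [], "excludeGroups": ["BREAKGLASS-GROUP-OBJECTID"] },
                    "applications": { "includeApplications": ["All"] }, "clientAppTypes": ["all"] },
    "grantControls": { "operator": "OR", "builtInControls": ["mfa"] } },
  { "displayName": "CA002 Block legacy authentication", "state": "enabled",
    "conditions": { "users": { "includeUsers": ["All"], "excludeUsers": [], "excludeGroups": ["BREAKGLASS-GROUP-OBJECTID"] },
                    "applications": { "includeApplications": ["All"] }, "clientAppTypes": ["exchangeActiveSync", "other"] },
    "grantControls": { "operator": "OR", "builtInControls": ["block"] } },
  { "displayName": "CA003 Require compliant device", "state": "enabledForReportingButNotEnforced",
    "conditions": { "users": { "includeUsers": ["All"], "excludeUsers": [], "excludeGroups": [] },
                    "applications": { "includeApplications": ["All"] }, "clientAppTypes": ["browser", "mobileAppsAndDesktopClients"] },
    "grantControls": { "operator": "OR", "builtInControls": ["compliantDevice"] } }
]
'@

function Test-CaBaseline {
    param(
        [Parameter(Mandatory)] [object[]] $Policies,
        [Parameter(Mandatory)] [string]   $BreakGlassGroupId
    )
    $findings = New-Object System.Collections.Generic.List[object]
    function Add-Finding([string] $Policy, [string] $Check, [string] $Result, [string] $Detail) {
        $findings.Add([pscustomobject]@{ Policy = $Policy; Check = $Check; Result = $Result; Detail = $Detail })
    }

    foreach ($p in $Policies) {
        # Check 1: every policy, report-only ones included (they get enforced later), excludes break-glass.
        $excluded = @($p.conditions.users.excludeGroups) + @($p.conditions.users.excludeUsers)
        if ($excluded -contains $BreakGlassGroupId) {
            Add-Finding $p.displayName 'Break-glass excluded' 'Pass' 'break-glass group is in the exclusions'
        } else {
            Add-Finding $p.displayName 'Break-glass excluded' 'Fail' 'lockout risk: break-glass group is not excluded'
        }
        if ($p.state -eq 'enabledForReportingButNotEnforced') {
            Add-Finding $p.displayName 'State' 'Info' 'report-only: not enforced yet'
        } elseif ($p.state -eq 'disabled') {
            Add-Finding $p.displayName 'State' 'Info' 'disabled'
        }
    }

    $enabled = @($Policies | Where-Object { $_.state -eq 'enabled' })

    # Check 2: an enabled policy blocks legacy clients (Exchange ActiveSync plus "other") for all users.
    $legacyBlock = @($enabled | Where-Object {
        $clients = @($_.conditions.clientAppTypes)
        ($clients -contains 'exchangeActiveSync') -and ($clients -contains 'other') -and
        (@($_.grantControls.builtInControls) -contains 'block') -and
        (@($_.conditions.users.includeUsers) -contains 'All')
    })
    $legacyResult = if ($legacyBlock.Count -gt 0) { 'Pass' } else { 'Fail' }
    $legacyDetail = if ($legacyBlock.Count -gt 0) { $legacyBlock[0].displayName } else { 'no enabled block policy for legacy clients' }
    Add-Finding '(tenant)' 'Legacy auth blocked' $legacyResult $legacyDetail

    # Check 3: an enabled policy requires MFA or an authentication strength for all users on all apps.
    $mfaAll = @($enabled | Where-Object {
        (@($_.conditions.users.includeUsers) -contains 'All') -and
        (@($_.conditions.applications.includeApplications) -contains 'All') -and
        ((@($_.grantControls.builtInControls) -contains 'mfa') -or ($null -ne $_.grantControls.authenticationStrength))
    })
    $mfaResult = if ($mfaAll.Count -gt 0) { 'Pass' } else { 'Fail' }
    $mfaDetail = if ($mfaAll.Count -gt 0) { $mfaAll[0].displayName } else { 'no enabled MFA/authentication-strength policy for all users' }
    Add-Finding '(tenant)' 'MFA for all users' $mfaResult $mfaDetail

    return $findings
}

$policies = @($ExportJson | ConvertFrom-Json)
Test-CaBaseline -Policies $policies -BreakGlassGroupId $BreakGlassGroupId | Format-Table -AutoSize
```

Run against the sample, CA001 and CA002 pass the break-glass check, CA003 fails it and is flagged as report-only, and the tenant-level checks for legacy auth and MFA pass. Keeping the per-policy and tenant-level results in one table is deliberate: the exported findings are the "policy export" evidence the table asks for, and a failed break-glass check is the one to fix before anything else, since it is the lockout path.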

On-premises: AD, server and endpoint hardening

Control | Technical implementation | Evidence / proof
--------|--------------------------|-----------------
Tier model (0/1/2) | Separate admin accounts, jump/PAW, admin separation by criticality | AD group structure, GPO export, admin logons
LAPS / local admin controls | Windows LAPS, no identical local admin passwords, rotation | LAPS policies, event logs, compliance report
NTLM/SMB hardening | Restrict NTLM, SMB signing, disable SMBv1, prioritize Kerberos | Security baseline report, GPO export
Protected Users / authentication silos | Protection against credential delegation; restrictive logon rights | AD object configuration, DC security logs
Kerberos hardening | AES-only where possible, minimize delegation, planned krbtgt rotation | AD settings, change records
Patch and vulnerability program | Ring model, maintenance windows, EOL tracking, regular scans | Patch reports, scanner findings + remediation tickets
ASR/EDR baseline | Defender for Endpoint, ASR rules, Tamper Protection | MDE baseline compliance, alerts/incidents
WDAC / App Control (where suitable) | Allowlisting for critical systems (Tier-0/servers) | Policy deployment evidence, block events
Credential Guard / LSASS protection | Virtualization-based Security, Protected Process Light (PPL) | Device compliance, event logs
Immutable backup/recovery | Offline/immutable backups, regular restore tests, separate admins | Restore test protocols, backup logs, RTO/RPO

Attack scenarios and vulnerabilities

Credential Theft → Lateral Movement → Domain Dominance

Typical: admin credentials on workstations, missing tiering, insecure service accounts.
  • AD tiering (Tier 0/1/2), admin path strictly separated
  • PAW / Privileged Access Workstations, jump hosts, no internet use
  • LAPS/Windows LAPS, Kerberos hardening, delegation hygiene
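The Kerberos and Protected Users rows of the table above, and the delegation hygiene this scenario calls for, are things an audit script can check for directly. The following PowerShell is an added example, not XELANED's code or a Microsoft tool: it evaluates AD account objects for unconstrained or protocol-transition delegation, SPN accounts that still allow RC4/DES, an overdue krbtgt password, and Tier-0 admins missing from Protected Users. It takes the accounts as objects so it runs offline against the constructed sample at the bottom; the comment at the top shows the `Get-ADUser` call that would feed it in a live run. The krbtgt age threshold and the Tier-0 group list are assumptions made for the example.

```powershell
# Added example (not XELANED's code): audit AD accounts for the Kerberos/delegation hygiene listed above.
# Offline, it runs against the constructed sample at the bottom; live, feed it from the AD module:
#   Get-ADUser -Filter * -Properties TrustedForDelegation,TrustedToAuthForDelegation,
#       'msDS-AllowedToDelegateTo','msDS-SupportedEncryptionTypes',ServicePrincipalName,
#       MemberOf,AdminCount,PasswordLastSet | Test-KerberosHygiene
# The krbtgt age limit and the Tier-0 group list below are assumptions for this example.

$KrbtgtMaxAgeDays = 180
$Tier0Groups      = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')

# msDS-SupportedEncryptionTypes is a bitmask: 0x1/0x2 DES, 0x4 RC4, 0x8 AES128, 0x10 AES256.
$WeakEncBits = 0x7
$AesEncBits  = 0x18

function Test-InGroup([string[]] $MemberOf, [string] $GroupName) {
    # MemberOf carries DNs such as "CN=Protected Users,CN=Users,DC=corp,DC=example"
    return (@($MemberOf | Where-Object { $_ -like "CN=$GroupName,*" }).Count -gt 0)
}

function New-Finding([string] $Account, [string] $Control, [string] $Detail) {
    [pscustomobject]@{ Account = $Account; Control = $Control; Detail = $Detail }
}

function Test-KerberosHygiene {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [object] $Account,
        [datetime] $AsOf = (Get-Date)
    )
    process {
        $name = $Account.SamAccountName

        # Delegation: unconstrained delegation lets the account impersonate anyone who authenticates to it
        # (DC computer accounts carry this flag legitimately; filter them out in a live run).
        if ($Account.TrustedForDelegation) {
            New-Finding $name 'Minimize delegation' 'unconstrained delegation enabled'
        }
        if ($Account.TrustedToAuthForDelegation) {
            $targets = @($Account.'msDS-AllowedToDelegateTo') -join ', '
            New-Finding $name 'Minimize delegation' "constrained delegation with protocol transition to: $targets"
        }

        # AES-only: an SPN account with unset encryption types (RC4 default) or RC4/DES still allowed
        # gets service tickets issued with the weak type.
        if (@($Account.ServicePrincipalName).Count -gt 0 -and $name -ne 'krbtgt') {
            $enc = [int]$Account.'msDS-SupportedEncryptionTypes'
            if ($enc -eq 0 -or ($enc -band $WeakEncBits) -ne 0 -or ($enc -band $AesEncBits) -eq 0) {
                New-Finding $name 'Kerberos AES-only' ("msDS-SupportedEncryptionTypes=0x{0:x} permits RC4/DES" -f $enc)
            }
        }

        # krbtgt rotation: the ticket-granting key is rotated on a schedule, not left for years.
        if ($name -eq 'krbtgt') {
            $ageDays = [int]($AsOf - [datetime]$Account.PasswordLastSet).TotalDays
            if ($ageDays -gt $KrbtgtMaxAgeDays) {
                New-Finding $name 'krbtgt rotation' "password last set $ageDays days ago (limit $KrbtgtMaxAgeDays)"
            }
        }

        # Protected Users: Tier-0 admin accounts belong in the group so their credentials cannot be delegated
        # or cached with weaker protocols (service accounts and krbtgt are skipped).
        $isTier0 = ($Account.AdminCount -eq 1) -or
                   (@($Tier0Groups | Where-Object { Test-InGroup $Account.MemberOf $_ }).Count -gt 0)
        if ($isTier0 -and $name -ne 'krbtgt' -and @($Account.ServicePrincipalName).Count -eq 0 -and
            -not (Test-InGroup $Account.MemberOf 'Protected Users')) {
            New-Finding $name 'Protected Users' 'Tier-0 account is not a member of Protected Users'
        }
    }
}

# Constructed sample accounts (not real directory data).
$now = Get-Date
$SampleAccounts = @(
    [pscustomobject]@{ SamAccountName='krbtgt';    TrustedForDelegation=$false; TrustedToAuthForDelegation=$false; 'msDS-AllowedToDelegateTo'=@();           'msDS-SupportedEncryptionTypes'=0;    ServicePrincipalName=@('kadmin/changepw');     MemberOf=@(); AdminCount=1; PasswordLastSet=$now.AddDays(-400) }
    [pscustomobject]@{ SamAccountName='svc-sql';   TrustedForDelegation=$false; TrustedToAuthForDelegation=$true;  'msDS-AllowedToDelegateTo'=@('cifs/fs01'); 'msDS-SupportedEncryptionTypes'=0x4;  ServicePrincipalName=@('MSSQLSvc/sql01:1433'); MemberOf=@(); AdminCount=0; PasswordLastSet=$now.AddDays(-30) }
    [pscustomobject]@{ SamAccountName='svc-web';   TrustedForDelegation=$true;  TrustedToAuthForDelegation=$false; 'msDS-AllowedToDelegateTo'=@();           'msDS-SupportedEncryptionTypes'=0x18; ServicePrincipalName=@('HTTP/web01');          MemberOf=@(); AdminCount=0; PasswordLastSet=$now.AddDays(-30) }
    [pscustomobject]@{ SamAccountName='adm-alice'; TrustedForDelegation=$false; TrustedToAuthForDelegation=$false; 'msDS-AllowedToDelegateTo'=@();           'msDS-SupportedEncryptionTypes'=0x18; ServicePrincipalName=@();                      MemberOf=@('CN=Domain Admins,CN=Users,DC=corp,DC=example'); AdminCount=1; PasswordLastSet=$now.AddDays(-10) }
    [pscustomobject]@{ SamAccountName='adm-bob';   TrustedForDelegation=$false; TrustedToAuthForDelegation=$false; 'msDS-AllowedToDelegateTo'=@();           'msDS-SupportedEncryptionTypes'=0x18; ServicePrincipalName=@();                      MemberOf=@('CN=Domain Admins,CN=Users,DC=corp,DC=example','CN=Protected Users,CN=Users,DC=corp,DC=example'); AdminCount=1; PasswordLastSet=$now.AddDays(-10) }
)

$SampleAccounts | Test-KerberosHygiene | Format-Table -AutoSize
```

On the sample this yields five findings: the overdue krbtgt key, RC4 plus protocol transition on `svc-sql`, unconstrained delegation on `svc-web`, and `adm-alice` outside Protected Users, while `adm-bob` is clean. The output objects are the "AD settings / change records" evidence the table asks for: export them with the run date, and re-run after each change window to show the finding count going down.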

Insecure default configuration (servers/clients)

Missing baselines, local admin rights, excessive attack surface (macros, script hosts, SMB settings).
  • Microsoft Security Baselines / Security Compliance Toolkit
  • Attack Surface Reduction, Controlled Folder Access (where possible)
  • WDAC / App Control, PowerShell logging, TLS hardening

Patch gaps on internet-exposed systems

  • Patch runbook
    Maintenance windows, pre-checks, rollback, monitoring
  • Reduce exposure
    Reverse proxy, network segments, MFA gateways

Domain controllers & Tier-0 assets

Tier-0 must be operated as a separate security zone – including dedicated monitoring and recovery procedures.
  • DC hardening, backup/restore (System State), and regular DR tests
  • MDI sensors, event forwarding, centralized alerting
  • Separation of duties and strict change control

Hardening as a program – not a one-time project

Controls by layer

  • Identity: CA baseline, PIM/JIT, admin tiering, disable legacy auth
  • Device/server: baselines, ASR/WDAC, LAPS, Credential Guard
  • Cloud: landing zones, policy, RBAC, private endpoints, Key Vault
  • Data: labels, DLP, retention, eDiscovery/audit
  • Detection: use-case catalog, log source list, alert tuning, SOAR runbooks

Approach for exceptions

  • Exception register: rationale, risk, compensation, expiration date
  • Technical compensation: additional detection, stricter monitoring rules
  • Review: monthly exception reviews with CISO/SOC/platform
  • Evidence: decision record + ticket + relevant logs/reports

The goal is a controlled deviation – not a silent erosion of the baseline.

Example playbooks

Entra / Identity

  • CA baseline (MFA, device compliance, risk-based)
  • PIM roles + approval flow
  • Break-glass tests & alerting

Endpoint/Server

  • Security baselines + drift reports
  • ASR/Attack Surface Reduction in wave rollout
  • Local admin rights via LAPS

Cloud Governance

  • Policy initiative sets (CIS-oriented)
  • Privileged access for Azure resources
  • Log retention + cost model

Validation & Continuous Compliance

Hardening is only effective if deviations are detected and remediated. That is why a continuous “check-fix-prove” cycle is required: measure → remediate → prove.
  • Measure: Secure Score/compliance trends, policy compliance, TVM findings, coverage
  • Remediate: defined owners, change windows, rollback plan
  • Prove: evidence artifacts + review record
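The hardening workflow at the top of the page (baseline, drift, enforcement, evidence), the exception register described under "Approach for exceptions", and this measure/remediate/prove cycle are three views of one loop. The following PowerShell is an added example, not XELANED's code or a product feature, that runs one pass of that loop: it compares a configuration export against a baseline, matches each deviation against the exception register (only an unexpired exception counts as a controlled deviation), and writes a JSON evidence record. The baseline keys, the hosts, the exception entries and the export are all constructed for illustration; in practice the export comes from your config audit or baseline compliance tooling.

```powershell
# Added example (not XELANED's code): one check-fix-prove pass. Baseline keys, hosts, exceptions and
# the export are constructed for illustration; ticket ids are placeholders.

$Baseline = [ordered]@{
    SMB1Protocol      = 'Disabled'
    RequireSMBSigning = 'Enabled'
    RestrictNTLM      = 'DenyAll'
    LsaProtection     = 'Enabled'    # LSASS running as PPL
    LapsEnabled       = 'Enabled'
}

# Exception register: rationale, compensation, expiry and ticket for each approved deviation.
$Exceptions = @(
    [pscustomobject]@{ Host='APP-LEGACY01'; Setting='RestrictNTLM'; Rationale='Vendor appliance requires NTLM until replacement'; Compensation='MDI alert rule on NTLM from this host'; Expires=[datetime]'2099-12-31'; Ticket='CHG-PLACEHOLDER-1' }
    [pscustomobject]@{ Host='FS-OLD02';     Setting='SMB1Protocol'; Rationale='Scanner firmware, replacement ordered';            Compensation='Isolated VLAN, ACL to file server only'; Expires=[datetime]'2020-01-01'; Ticket='CHG-PLACEHOLDER-2' }   # expired
)

# Configuration export (constructed): current state per host as a config audit would report it.
$Export = @(
    [pscustomobject]@{ Host='SRV-DC01';     SMB1Protocol='Disabled'; RequireSMBSigning='Enabled';  RestrictNTLM='DenyAll'; LsaProtection='Enabled';  LapsEnabled='Enabled' }
    [pscustomobject]@{ Host='APP-LEGACY01'; SMB1Protocol='Disabled'; RequireSMBSigning='Enabled';  RestrictNTLM='Audit';   LsaProtection='Enabled';  LapsEnabled='Enabled' }
    [pscustomobject]@{ Host='FS-OLD02';     SMB1Protocol='Enabled';  RequireSMBSigning='Disabled'; RestrictNTLM='DenyAll'; LsaProtection='Disabled'; LapsEnabled='Enabled' }
)

function Get-ConfigDrift {
    param(
        [Parameter(Mandatory)] [System.Collections.IDictionary] $Baseline,
        [Parameter(Mandatory)] [object[]] $Export,
        [object[]] $Exceptions = @(),
        [datetime] $AsOf = (Get-Date)
    )
    foreach ($row in $Export) {
        foreach ($setting in $Baseline.Keys) {
            $expected = $Baseline[$setting]
            $actual   = $row.$setting
            if ($actual -eq $expected) { continue }

            # A deviation is only "controlled" when a matching, unexpired exception exists.
            $exc = $Exceptions | Where-Object { $_.Host -eq $row.Host -and $_.Setting -eq $setting } | Select-Object -First 1
            $status = if ($null -eq $exc)             { 'Drift' }
                      elseif ($exc.Expires -lt $AsOf) { 'ExpiredException' }
                      else                            { 'AcceptedException' }
            $ticket = if ($null -ne $exc) { $exc.Ticket } else { $null }

            [pscustomobject]@{
                Host     = $row.Host
                Setting  = $setting
                Expected = $expected
                Actual   = $actual
                Status   = $status
                Ticket   = $ticket
            }
        }
    }
}

function Write-EvidenceRecord {
    param([object[]] $Findings, [Parameter(Mandatory)] [string] $Path)
    $Findings = @($Findings)
    # The record is the "prove" step: counts for the trend report plus the raw findings for the reviewer.
    $record = [pscustomobject]@{
        GeneratedAt        = (Get-Date).ToString('o')
        Drift              = @($Findings | Where-Object { $_.Status -eq 'Drift' }).Count
        AcceptedExceptions = @($Findings | Where-Object { $_.Status -eq 'AcceptedException' }).Count
        ExpiredExceptions  = @($Findings | Where-Object { $_.Status -eq 'ExpiredException' }).Count
        Findings           = $Findings
    }
    $record | ConvertTo-Json -Depth 4 | Set-Content -Path $Path -Encoding UTF8
    return $record
}

$findings = Get-ConfigDrift -Baseline $Baseline -Export $Export -Exceptions $Exceptions
$findings | Format-Table Host, Setting, Expected, Actual, Status, Ticket -AutoSize
$record = Write-EvidenceRecord -Findings $findings -Path (Join-Path ([IO.Path]::GetTempPath()) 'hardening-evidence.json')
"Drift: $($record.Drift), accepted exceptions: $($record.AcceptedExceptions), expired exceptions: $($record.ExpiredExceptions)"
```

On the sample data this reports two uncontrolled drifts on FS-OLD02 (SMB signing and LSA protection), one accepted exception on APP-LEGACY01, and one expired exception (SMB1 on FS-OLD02) that needs a renewed decision or remediation. An expired exception is reported separately from plain drift on purpose: it is the case the monthly review is meant to catch, and folding it into either bucket would hide the erosion of the baseline the section warns about.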

What would you like to do now?

XELANED specialists are available at any time for the next steps. Together, we prioritize topics, clarify dependencies, and choose an approach that fits your environment both technically and organizationally.

Project planning

We discuss scope and dependencies and create a robust implementation plan.