How to manage Windows Server in an air-gapped environment

This guide explains the essential security practices, backup methods and configuration techniques admins can use when working in these sensitive environments.

At times, admins have unique situations that make management difficult, such as running Windows Server in an air-gapped environment.

An air-gapped environment is an isolated network with limited or no connection to the internet or any other external network. Organizations with high-security requirements, such as government, healthcare, critical infrastructure or financial institutions, often use air-gapped environments to protect sensitive data and systems from cyberattacks. It is essential to adopt best practices to harden security on and around these workloads and implement reliable backup and recovery solutions. However, an air-gapped environment also poses unique challenges and risks for securing and managing the workload and data, such as limited access, outdated patches and data transfer issues. This article covers best practices for this scenario, particularly for organizations that use Windows Server, and provides recommendations to assist IT staff with management.

Why and when to use an air-gapped environment

The air-gapped environment can be either physical or logical. Both types of air gaps provide a high level of security and isolation for the workload and data, but they also have different benefits and disadvantages.

A physical air gap completely disconnects the network from any other network by removing or disabling all physical connections, such as cables, wireless adapters or routers.

A logical air gap separates the network from any other network by using software and/or hardware devices, such as firewalls, routers or gateways, that deny or filter most of the network traffic.

A physical air gap offers the strongest protection against a range of threats, from ransomware to unintended side effects of an OS update, by preventing access to the network remotely or through the internet.

However, physical air gaps bring operational drawbacks, such as the difficulty and higher cost of maintaining and updating the network, as well as the lack of scalability and flexibility. The physical isolation does not guarantee protection from multiple threats, such as malicious insiders, environmental risks from water or fire, rogue devices or human error.

A logical air gap offers more convenience and efficiency. This arrangement allows some controlled and authorized traffic to pass through the network for patching, updating or monitoring purposes. However, logical air gaps have several shortcomings, such as the possibility of misconfiguration or bypassing of the network devices, vulnerability to sophisticated or targeted attacks, and dependence on the reliability and security of the network devices.

Organizations should consider the following factors when deciding whether and how to use an air-gapped environment for their workload and data:

  • The nature and value of the workload and data, as well as the potential impact and likelihood of a security breach.
  • The regulatory and compliance requirements and standards that apply to the workload and data, as well as the penalties and consequences of noncompliance.
  • The available resources and capabilities, such as the budget, staff, equipment and expertise, to implement and maintain the air-gapped environment.
  • The operational and business needs and objectives, such as the performance, availability, scalability and flexibility of the workload and data.

The air gap alone, however, does not ensure the security and reliability of the backup data held behind it. The immutability of the backups, meaning that the data cannot be changed or altered once written, is equally critical. Immutability preserves data integrity by preventing tampering, manipulation or corruption after the backup is created, and it makes recovery after a disaster or a data breach faster and easier because the data can be restored to its original, consistent state.

Organizations can implement immutability with write once, read many (WORM) storage devices, such as optical discs or tapes, or with software-based options, such as encryption, locking or versioning, to prevent unauthorized or unwanted changes to the data.

Hardening security on and around the air-gapped workload

The first step to secure the workload and data in an air-gapped environment is to apply the principle of least privilege, which means granting only the minimum level of access and permissions required for each user, role and resource. Start with physical security measures -- locks, cameras and biometric authentication -- to prevent unauthorized physical access to the air-gapped network.

To enforce the principle of least privilege, use tools such as identity and access management systems, role-based access control frameworks and multifactor authentication (MFA). Combining these technologies enforces this principle and manages digital user identities and access policies to protect the air-gapped environment.

When patching and upgrading the air-gapped system, use a secure offline method, such as a removable media device, to transfer the patches and updates from a trusted source. Establish a stringent change control process. After system updates, audit the environment to check for inadvertent changes, such as allowing network traffic or enabling services. Audits may also be required to ensure compliance with security standards and regulations.

For logical air gaps, restrict and secure the ports and connections used by the workload and data in the air-gapped environment. Only allow the necessary inbound and outbound traffic, and block any unnecessary or malicious traffic. Use firewalls, network security groups and VPNs to control and encrypt the network traffic and protect data in transit. Also, use encryption and key management to protect data at rest, both on-premises and on removable media devices.
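The host-level counterpart of the port restrictions described above, as an added example that is not part of the original article: the Windows firewall on the air-gapped server is switched to default-deny in both directions, and only the backup path is re-opened. The backup server address 192.0.2.10 and port 10000 are placeholders.

```powershell
$BackupServer = '192.0.2.10'   # placeholder (TEST-NET-1), the only permitted peer
$BackupPort   = 10000          # placeholder backup-agent port

# 1. Default-deny in both directions on every profile, and log dropped packets so
#    an unexpected connection attempt leaves a trace for the audit step.
Set-NetFirewallProfile -Profile Domain,Private,Public `
    -DefaultInboundAction Block -DefaultOutboundAction Block `
    -LogBlocked True -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log'

# 2. Re-open only the backup path, pinned to the backup server's address.
New-NetFirewallRule -DisplayName 'AirGap-Backup-Out' -Direction Outbound -Action Allow `
    -Protocol TCP -RemoteAddress $BackupServer -RemotePort $BackupPort -Profile Any
New-NetFirewallRule -DisplayName 'AirGap-Backup-In' -Direction Inbound -Action Allow `
    -Protocol TCP -RemoteAddress $BackupServer -LocalPort $BackupPort -Profile Any
# Domain-joined servers also need rules to their domain controller (DNS, Kerberos,
# LDAP); add them the same way rather than relaxing the default action.

# 3. Review what the built-in allow rules still let out. With the default set to
#    Block, these are the only remaining outbound paths, so each needs a justification.
Get-NetFirewallRule -Direction Outbound -Action Allow -Enabled True |
    ForEach-Object {
        $port = $_ | Get-NetFirewallPortFilter
        $addr = $_ | Get-NetFirewallAddressFilter
        [pscustomobject]@{
            Rule          = $_.DisplayName
            Protocol      = $port.Protocol
            RemotePort    = $port.RemotePort
            RemoteAddress = $addr.RemoteAddress
        }
    } | Sort-Object Rule | Format-Table -AutoSize

# 4. Confirm the profile defaults took effect.
Get-NetFirewallProfile | Select-Object Name, DefaultInboundAction, DefaultOutboundAction
```

Run step 3 before and after the change and keep the output with the change record; any rule that appears later without a ticket is exactly the inadvertent change the post-update audit is looking for.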

How to build secure air-gapped environments for Windows Server

There are several approaches for Microsoft admins tasked with implementing Windows Server for air-gapped environments.

One recommendation is to use the Server Core installation option. Server Core is considered more secure than a standard Windows Server deployment because it installs only necessary components for server functionality. This smaller codebase reduces the likelihood of vulnerabilities or exploitation.

Server Core offers the IT staff several advantages:

  • It requires minimal effort to secure and reduces the risk of misconfiguration due to human error.
  • It requires less maintenance, because fewer patches apply to it, and it performs better, because it uses fewer resources.

A Server Core deployment is relatively more secure, but it takes more time to install and configure to the point where it can run the necessary services, such as backup software.

While a standard Windows Server deployment is more user-friendly, it requires additional work to review and configure the OS using native tools and features to reach a comparable security level as Server Core.

Some examples that may help guide in building, maintaining and monitoring these systems are the following:

  • Windows Firewall with Advanced Security can be used in logically air-gapped networks to restrict all unnecessary communications. By default, Windows Firewall allows all outbound connections and blocks all inbound connections. For added security, consider blocking all outbound connections and adding rules only for required services. However, many computer protocols, such as TCP/IP, require two-way communication to function, so an outbound block can silently break services. Be cautious, and thoroughly test before enforcing outbound blocking.
  • AD can harden access requirements and reduce the number of users or services that can authenticate to these air-gapped servers. Grouping servers within organizational units enables the use of unique Group Policy Objects (GPOs) that enforce security rules, reapply the configuration baseline when settings drift and audit access. For non-domain-joined machines, properly configure local user accounts, and implement security settings through the Local Computer GPO.
  • Use Windows Defender to monitor for malware that could be introduced via removable media.
  • Use Windows Event Viewer to analyze event logs to monitor for unauthorized access attempts.
  • After establishing a secure baseline OS running state, use Desired State Configuration to save Microsoft Operations Framework (MOF) files to preserve the server configuration. The MOF files serve as a template that can be used to restore the server's secure baseline state or deploy additional servers with identical security configurations to ensure standardization across the air-gapped environment.
  • Consider using Hyper-V to virtualize servers for an additional layer of isolation by creating servers without virtual network interface cards that can only be accessed through their physical hypervisor.
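The baseline-preservation step above, as an added example that is not from the original article: a DSC configuration that encodes a hardened baseline, compiles it to a MOF file that can be archived and reused, and is re-tested later to detect drift. It assumes Windows PowerShell 5.1 with the built-in PSDesiredStateConfiguration module; the node name and the list of services to disable are placeholders to adjust per server role.

```powershell
Configuration AirGapBaseline {
    param([string[]]$NodeName = 'localhost')   # placeholder node name

    Import-DscResource -ModuleName PSDesiredStateConfiguration

    Node $NodeName {
        # Services with no role on an isolated server (placeholder list): stop and disable.
        foreach ($svc in 'RemoteRegistry', 'Spooler', 'lmhosts') {
            Service "Disable_$svc" {
                Name        = $svc
                State       = 'Stopped'
                StartupType = 'Disabled'
            }
        }

        # Turn off the SMBv1 server (LanmanServer SMB1 = 0); Ensure defaults to Present.
        Registry DisableSmb1 {
            Key       = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
            ValueName = 'SMB1'
            ValueType = 'Dword'
            ValueData = '0'
        }

        # Keep the firewall at default-deny in both directions: TestScript detects drift
        # (for example after an update) and SetScript corrects it.
        Script FirewallDefaultDeny {
            GetScript  = { @{ Result = (Get-NetFirewallProfile |
                           ForEach-Object { "$($_.Name)=$($_.DefaultOutboundAction)" }) -join ';' } }
            TestScript = { @(Get-NetFirewallProfile | Where-Object {
                           $_.DefaultInboundAction -ne 'Block' -or
                           $_.DefaultOutboundAction -ne 'Block' }).Count -eq 0 }
            SetScript  = { Set-NetFirewallProfile -Profile Domain,Private,Public `
                           -DefaultInboundAction Block -DefaultOutboundAction Block }
        }
    }
}

# Compile to .\AirGapBaseline\localhost.mof: archive this file and reuse it to
# rebuild the server or to stamp out identical ones.
AirGapBaseline -OutputPath .\AirGapBaseline

# Apply it, then re-run the test after every change window: $false means drift.
Start-DscConfiguration -Path .\AirGapBaseline -Wait -Verbose -Force
Test-DscConfiguration
```

For an inventory of which resources drifted rather than a single boolean, run `Test-DscConfiguration -Detailed` and review the ResourcesNotInDesiredState property.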

How to determine the air-gapped network configuration

Air-gapped networks are often used for server backup environments because they provide an extra layer of protection against data loss, corruption or theft. By isolating the backup data from the internet and external networks, air-gapped networks can prevent cyberattacks, malware, ransomware and other threats that could compromise the availability and integrity of the data. Air-gapped networks can also protect the backup data from accidental or intentional deletion, modification or overwriting by unauthorized or malicious users or processes.

To deploy Windows Server into an air-gapped network, an administrator needs to follow these steps:

  1. Decide whether to deploy a physical or logically air-gapped network.
  2. Choose a suitable location for the air-gapped network, such as a locked room or a secure facility, and ensure that it has limited -- or no -- wireless or physical connections to other networks.
  3. Select the hardware and software components for the air-gapped network -- servers, storage devices, routers, switches and firewalls -- and ensure all are fully patched. Be sure Windows Server and other OSes are free of malware. Disable unnecessary services and features.
  4. In logically gapped networks, use routers and firewalls to disable all unnecessary ports and traffic. In some instances, this may mean using hardware or software firewalls to block all traffic except from the IP address of a backup server.
  5. Transfer the data to be backed up to the air-gapped network using secure methods, such as removable media, and verify the integrity and authenticity of the data. Verify the integrity and authenticity of the patches and updates before applying them, using tools such as digital signatures, checksums or hashes.
  6. Monitor and maintain the air-gapped network. While physically air-gapped environments with limited services may theoretically require less frequent patching, stay on top of updates for surrounding equipment and logically gapped networks. Also, enforce access control, utilize data encryption and perform regular audits.
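The integrity and authenticity check in step 5, as an added example that is not part of the original article: the trusted staging host writes a SHA-256 manifest next to the patch files, and the air-gapped server refuses the media unless every file matches the manifest, carries a valid Authenticode signature and nothing unexpected was added. Function names and the paths are assumptions.

```powershell
function New-PatchManifest {
    # Run on the TRUSTED side: hash every file and write manifest.csv alongside them.
    param([Parameter(Mandatory)][string]$Path)
    $root = $Path.TrimEnd('\')
    Get-ChildItem -Path $root -File -Recurse |
        Where-Object Name -ne 'manifest.csv' |
        ForEach-Object {
            [pscustomobject]@{
                RelativePath = $_.FullName.Substring($root.Length + 1)
                Sha256       = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
        } | Export-Csv -Path (Join-Path $root 'manifest.csv') -NoTypeInformation
}

function Test-PatchMedia {
    # Run on the AIR-GAPPED side. The hash manifest catches transfer corruption or
    # swapped files; the Authenticode check is what ties each package to its vendor,
    # which matters because a manifest travelling on the same media is only as trusted
    # as the media itself. Returns an empty array when the media is clean.
    param([Parameter(Mandatory)][string]$Path)
    $root     = $Path.TrimEnd('\')
    $expected = @{}
    foreach ($m in Import-Csv -Path (Join-Path $root 'manifest.csv')) {
        $expected[$m.RelativePath] = $m.Sha256
    }

    $problems = @()
    $files = Get-ChildItem -Path $root -File -Recurse | Where-Object Name -ne 'manifest.csv'
    foreach ($file in $files) {
        $rel = $file.FullName.Substring($root.Length + 1)
        if (-not $expected.ContainsKey($rel)) { $problems += "unexpected file: $rel"; continue }
        $hash = (Get-FileHash -Path $file.FullName -Algorithm SHA256).Hash
        if ($hash -ne $expected[$rel]) { $problems += "hash mismatch: $rel" }
        $sig = Get-AuthenticodeSignature -FilePath $file.FullName
        if ($sig.Status -ne 'Valid') { $problems += "signature $($sig.Status): $rel" }
        $expected.Remove($rel)
    }
    foreach ($missing in $expected.Keys) { $problems += "missing file: $missing" }
    return ,$problems
}

# Usage on the air-gapped server (E:\patches is a placeholder media path):
$issues = Test-PatchMedia -Path 'E:\patches'
if ($issues.Count -gt 0) { $issues | Write-Warning; throw 'Patch media failed verification' }
```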

Options for secure backup and recovery using air-gapped networks

Even with the best security practices, the workload and data in the air-gapped environment may still be lost or damaged due to human error, hardware failure, natural disaster or cyberattack. Therefore, it is crucial to have a comprehensive backup and recovery strategy that ensures the availability and integrity of your data and systems.

Immutable backups cannot be modified, deleted or encrypted. They provide protection against ransomware attacks, accidental deletion or malicious tampering. They also help with compliance and audit requirements. However, an air-gapped environment needs a secure and offline method, such as a removable media device, to create and access these backups.

Immutability can be achieved through use of one or a combination of these methods:

  • WORM backup. This solution creates a nonerasable copy of your data on media such as CDs, DVDs or magnetic tapes. WORM is primarily used for long-term archiving of sensitive data.
  • Continuous data protection. CDP continuously backs up data to provide up-to-date restoration of data changes. It copies changes made in primary storage to backup storage automatically, ensuring the most recent state of data is always available.
  • Time-based snapshots. These are taken at specific intervals using a delta algorithm, recording only the changes that occurred since the last backup. This method is ideal for systems with many VMs and facilitates quick data restoration.
  • Use of multiple authorities. Enhance security beyond MFA by distributing authentication across multiple authorized people. This practice further reduces the risk of access due to malice or error. Implementation can consist of several hardware or software authenticators, requiring two or more keys presented in less than 30 seconds.

Best practices for air-gapped Windows Server management

The following guidelines can help organizations set up the proper foundation for an air-gapped network to keep sensitive data safe from threats, while maintaining operational efficiency:

  • Document the settings and procedures for each data source, such as the frequency, retention period and destination of the backups. This ensures consistency and compliance across the IT team and facilitates data recovery in case of a disaster.
  • Document the configuration and security policies for the Windows Server environments used in air-gapped networks, such as the firewall rules, encryption methods and user access controls. This maintains the integrity and confidentiality of the data and prevents unauthorized or malicious breach attempts.
  • Use consistent naming conventions and formats for the time-based snapshots, such as including the date, time and source of the backup. This helps to identify and locate the most relevant snapshot for data restoration and avoid confusion or duplication.
  • Use consistent naming conventions and formats for the Windows Server environments used in air-gapped networks, such as including the network name, server name and role. This distinguishes the environments and their purposes and avoids misconfiguration or misuse.
  • Define and communicate the roles and responsibilities of the multiple authorities with access to the backup storage and the authentication keys to establish accountability and trust among the IT team and prevent unauthorized or accidental access to the data. Similarly, define and communicate the roles and responsibilities of the multiple authorities with access to Windows Server deployments used in air-gapped networks, such as the network administrators, server administrators and application administrators. This helps to coordinate the tasks and operations among the IT team and prevent conflicts or errors.
