Hey Checkyourlogs Fans,

On January 8, 2026, I had the opportunity to present at the Calgary Windows Server and Azure Hybrid User Group at the Langdon Wildfire Pub, alongside Cristal Kawula, for a session titled:

“Red vs. Blue: Hardening Windows Server 2025 Through Adversarial Testing.”

This session focused on a topic that continues to matter more each year: how do we harden Windows Server environments in a way that actually withstands real-world attack pressure?

Not theoretical security. Not checklist-only security. Not “we enabled the setting, so we must be safe” security.

The goal was to look at Windows Server 2025 through both attacker and defender lenses and walk through the practical lessons that come from red and blue team engagements, including experiences working with Microsoft and enterprise environments where the stakes are high.

Why Red vs. Blue Matters

One of the key themes of the presentation was that defenders cannot rely only on best practices written in isolation. Hardening needs to be tested against the way attackers actually operate.

A red team looks for assumptions, shortcuts, gaps, misconfigurations, and weak operational habits. A blue team has to detect, contain, and respond while keeping the environment running. When those two perspectives meet, the result is a much clearer understanding of what works, what breaks, and what only looked good on paper.

Windows Server 2025 brings modern capabilities and stronger security opportunities, but the fundamentals still matter. Attackers do not always need exotic techniques. Often, they succeed by finding weak credentials, excessive permissions, poor segmentation, unmonitored administrative activity, legacy protocols, or overlooked configuration drift.

How Attackers Approach Modern Windows Server Environments

During the session, I walked through how attackers typically think when they land in or target a Windows Server environment.

They are usually looking for three things:

  1. Identity paths
    Who has access? Which accounts are overprivileged? Where are credentials stored, reused, cached, or exposed?
  2. Administrative control points
    Which systems manage other systems? Where are the management servers, jump boxes, deployment tools, backup platforms, and domain controllers?
  3. Lateral movement opportunities
    Can an attacker move from one server to another? Are there open shares, weak firewall rules, unnecessary services, or admin sessions that create a path forward?
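
As an added example (not code from the original post or the session), the following PowerShell inventories one Windows Server host along those same three axes, so a defender can see what an attacker who lands on it would see. Run it in an elevated session on the server itself; every command is read-only. The management-port list (445, 3389, 5985, 5986) and the default-share filter are this example's own choices.

```powershell
# Added example, not code from the original post: an attacker's-eye inventory of one
# Windows Server host along the three axes above (identity paths, control points,
# lateral movement). Elevated session on the host; read-only. The management-port
# list and the default-share filter below are this example's assumptions.

# 1. Identity paths: who can administer this host, and which named accounts have
#    credentials parked on it (service accounts and scheduled-task principals keep
#    their secrets on the box and are classic targets once it is compromised).
$localAdmins = Get-LocalGroupMember -Group 'Administrators' |
    Select-Object Name, ObjectClass, PrincipalSource

$serviceAccounts = Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.StartName -and
                   $_.StartName -notmatch '^(LocalSystem|NT AUTHORITY\\|NT SERVICE\\)' } |
    Select-Object Name, StartName, State, PathName

$taskPrincipals = Get-ScheduledTask |
    Where-Object { $_.Principal.UserId -and
                   $_.Principal.UserId -notmatch '^(SYSTEM|LOCAL SERVICE|NETWORK SERVICE)$' } |
    Select-Object TaskName,
                  @{ n = 'RunAs';     e = { $_.Principal.UserId } },
                  @{ n = 'LogonType'; e = { $_.Principal.LogonType } }

# 2. Administrative control points: whose sessions (and therefore tokens and cached
#    secrets) are on this host right now. A box with standing Domain Admin sessions
#    is a control point whether or not anyone labelled it one.
$loggedOn = Get-CimInstance -ClassName Win32_LoggedOnUser |
    ForEach-Object { '{0}\{1}' -f $_.Antecedent.Domain, $_.Antecedent.Name } |
    Sort-Object -Unique

# 3. Lateral movement opportunities: non-default shares, and inbound allow rules
#    that expose SMB, RDP or WinRM to any remote address.
$shares = Get-SmbShare |
    Where-Object { $_.Name -notmatch '^(ADMIN\$|[A-Z]\$|IPC\$)$' } |
    Select-Object Name, Path, Description

$mgmtPorts = @('445', '3389', '5985', '5986')   # assumption: SMB, RDP, WinRM HTTP/HTTPS
$openMgmtRules = Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow |
    ForEach-Object {
        $rule       = $_
        $portFilter = $rule | Get-NetFirewallPortFilter
        $addrFilter = $rule | Get-NetFirewallAddressFilter
        $hits = @($portFilter.LocalPort) | Where-Object { $mgmtPorts -contains $_ }
        if ($hits -and ($addrFilter.RemoteAddress -eq 'Any')) {
            [pscustomobject]@{ Rule = $rule.DisplayName; Port = ($hits -join ','); Profile = $rule.Profile }
        }
    }

'== Local Administrators =='
$localAdmins | Format-Table -AutoSize | Out-String
'== Services running as named accounts =='
$serviceAccounts | Format-Table -AutoSize | Out-String
'== Scheduled tasks running as named accounts =='
$taskPrincipals | Format-Table -AutoSize | Out-String
'== Logged-on users (sessions on this host) =='
$loggedOn
'== Non-default SMB shares =='
$shares | Format-Table -AutoSize | Out-String
'== Inbound allow rules exposing 445/3389/5985/5986 to Any =='
$openMgmtRules | Format-Table -AutoSize | Out-String
```

Read the output the way the attacker would: every named account in the first three sections is a credential that could be taken from this host, every session in the fourth is a token that is available right now, and every row in the last two is a hop to or from another machine.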

The important lesson is that attackers rarely see the environment the same way administrators do. Admins often think in terms of servers, roles, applications, and uptime. Attackers think in terms of paths, privileges, trust relationships, and control.

That difference in perspective is exactly why adversarial testing is so valuable.

What Defenders Often Miss

A major part of the discussion centred on the defensive gaps that recur in real environments.

Some of the most common misses include:

  • Local administrator accounts that are not properly managed
  • Service accounts with excessive privilege
  • Inconsistent patching across server tiers
  • Legacy protocols still enabled because “something might need them”
  • Weak separation between administrative and user activity
  • Incomplete logging or logs that are collected but never reviewed
  • Flat networks that allow unnecessary server-to-server communication
  • Backup and recovery systems that are treated as operational tools rather than high-value security targets
  • Security baselines that are applied once but not continuously validated

The recurring message was simple: hardening is not a one-time project. It is an ongoing discipline.

A server can be secure when deployed and then drift into risk months later due to troubleshooting changes, application exceptions, rushed deployments, or undocumented operational workarounds.

Defensive Techniques That Hold Up Under Pressure

The best defensive controls are those that continue to provide value even when an attacker is actively trying to bypass them.

In the session, we discussed practical hardening steps that defenders can begin applying immediately, including:

  • Enforce least privilege across administrative roles
  • Separate privileged administration from standard user activity
  • Use dedicated administrative workstations or hardened access paths
  • Reduce local administrator exposure
  • Apply and continuously validate security baselines
  • Disable unnecessary services and legacy protocols
  • Segment critical servers and restrict lateral movement paths
  • Monitor administrative activity, not just malware alerts
  • Protect domain controllers, backup systems, and management servers as Tier 0 assets
  • Enable strong auditing for identity, PowerShell, remote access, and privilege changes
  • Test recovery processes before an incident occurs
  • Review service accounts and remove unnecessary standing privileges
  • Treat hybrid identity and cloud-connected management paths as part of the server attack surface
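
As an added example (not code from the original post or the session), here is a small baseline drift check in PowerShell that covers several of the items above: legacy protocols, local administrator exposure, and auditing. The expected values are this example's own choices, not a published Microsoft or CIS baseline; substitute your organisation's baseline. It is meant to run elevated as a .ps1 on a schedule, so drift is reported continuously rather than only at deployment time.

```powershell
# Added example, not code from the original post: a baseline drift check for a few
# of the controls discussed above. The expected values are this example's own
# assumptions, not a published baseline. Run elevated, as a .ps1, on a schedule.

function Get-RegValue {
    # Returns $null when the key or value does not exist instead of throwing.
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

$checks = @(
    @{ Name = 'SMBv1 server disabled'
       Test = { (Get-SmbServerConfiguration).EnableSMB1Protocol -eq $false } }
    @{ Name = 'SMB signing required by server'
       Test = { (Get-SmbServerConfiguration).RequireSecuritySignature -eq $true } }
    @{ Name = 'LLMNR disabled (EnableMulticast = 0)'
       Test = { (Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient' 'EnableMulticast') -eq 0 } }
    @{ Name = 'WDigest cleartext caching off (UseLogonCredential absent or 0)'
       Test = { $v = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' 'UseLogonCredential'
                ($null -eq $v) -or ($v -eq 0) } }
    @{ Name = 'NTLMv2 only (LmCompatibilityLevel = 5)'
       Test = { (Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' 'LmCompatibilityLevel') -eq 5 } }
    @{ Name = 'Built-in Administrator (RID 500) disabled'
       Test = { -not (Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }).Enabled } }
    @{ Name = 'PowerShell script block logging enabled'
       Test = { (Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging' 'EnableScriptBlockLogging') -eq 1 } }
    @{ Name = 'Process Creation auditing (Success) enabled'
       Test = { $row = auditpol /get /subcategory:"Process Creation" /r | Where-Object { $_ } | ConvertFrom-Csv
                $row.'Inclusion Setting' -match 'Success' } }
)

# Each check is evaluated in isolation; a missing cmdlet or key counts as drift,
# never as a pass.
$results = foreach ($c in $checks) {
    $ok = try { [bool](& $c.Test) } catch { $false }
    [pscustomobject]@{ Check = $c.Name; Compliant = $ok }
}

$results | Format-Table -AutoSize | Out-String

$drift = @($results | Where-Object { -not $_.Compliant })
if ($drift.Count -gt 0) {
    Write-Warning ('{0} of {1} checks drifted from baseline on {2}' -f $drift.Count, $results.Count, $env:COMPUTERNAME)
    exit 1   # non-zero so a scheduled task or pipeline can flag the host
}
```

The point of the structure is the table, not the individual checks: adding a control is one more hashtable, and the script fails closed (a check that errors is reported as drift). Run it from a task on every tier, and the troubleshooting change that re-enabled SMBv1 three months after deployment shows up the next morning instead of in an incident report.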

One of the strongest takeaways was that defenders should not wait for a breach to discover whether their controls work. Test them. Challenge them. Validate them from the attacker’s perspective.

Windows Server 2025 Hardening Is About More Than Defaults

Modern Windows Server deployments provide a strong platform, but secure outcomes depend heavily on configuration, administration, monitoring, and operational discipline.

A default installation is only the starting point. Real hardening comes from asking better questions:

  • What can this server talk to?
  • Who can administer it?
  • What credentials touch it?
  • What would an attacker do after compromising it?
  • Would we see that activity?
  • Could we contain it quickly?
  • Can we recover cleanly?
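
As an added example (not code from the original post or the session), this PowerShell answers "Would we see that activity?" for a single host by pulling the last 24 hours of administrative activity from the local Security log and summarising it by account and source, which is the "monitor administrative activity, not just malware alerts" item from the defensive list in concrete form. The event IDs are the standard Windows audit IDs; the 24-hour window and the noise filters are this example's choices. It needs the Logon, Special Logon and Security System Extension audit subcategories enabled, otherwise the corresponding sections will simply be empty.

```powershell
# Added example, not code from the original post: summarise administrative activity on
# one host from the Security log. Standard Windows event IDs; the 24-hour window and
# the noise filters are this example's assumptions.

function ConvertFrom-EventData {
    # Flattens the <EventData> of a Security event into a hashtable keyed by field name.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $data = @{}
    ([xml]$Event.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
    $data
}

$since = (Get-Date).AddHours(-24)
$log   = @{ LogName = 'Security'; StartTime = $since }

# 4672: special privileges assigned to a new logon, i.e. an admin-level token was
# issued on this host. Machine accounts and NT AUTHORITY identities are filtered out.
$adminTokens = Get-WinEvent -FilterHashtable ($log + @{ Id = 4672 }) -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = ConvertFrom-EventData $_
        [pscustomobject]@{ Time = $_.TimeCreated; Account = "$($d.SubjectDomainName)\$($d.SubjectUserName)" }
    } |
    Where-Object { $_.Account -notmatch '\$$' -and $_.Account -notmatch '^NT AUTHORITY' }

# 4624 with LogonType 3 (network: SMB, WinRM, remote service control) or 10 (RDP):
# where remote administration of this host came from.
$remoteLogons = Get-WinEvent -FilterHashtable ($log + @{ Id = 4624 }) -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = ConvertFrom-EventData $_
        if ($d.LogonType -in @('3', '10')) {
            [pscustomobject]@{
                Time      = $_.TimeCreated
                Account   = "$($d.TargetDomainName)\$($d.TargetUserName)"
                LogonType = $d.LogonType
                Source    = $d.IpAddress
            }
        }
    } |
    Where-Object { $_.Account -notmatch '\$$' -and $_.Account -notmatch 'ANONYMOUS LOGON' }

# 4697: a service was installed. Normal on a deployment day, worth a question at 03:00.
$newServices = Get-WinEvent -FilterHashtable ($log + @{ Id = 4697 }) -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = ConvertFrom-EventData $_
        [pscustomobject]@{
            Time    = $_.TimeCreated
            By      = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
            Service = $d.ServiceName
            Binary  = $d.ServiceFileName
        }
    }

'== Admin-level logons per account, last 24h (4672) =='
$adminTokens | Group-Object Account | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize | Out-String

'== Remote logons by account, source and type, last 24h (4624, type 3/10) =='
$remoteLogons | Group-Object Account, Source, LogonType | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize | Out-String

'== Services installed in the window (4697) =='
$newServices | Format-Table -AutoSize | Out-String
```

If the first two sections come back empty on a server that is administered daily, the answer to "would we see it?" is no, and the fix is audit policy, not a better query. If they are populated but nobody reads them, the log is being collected and never reviewed, which is the gap called out above.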

Those questions move security from a compliance exercise to an operational reality.

The Value of Community Conversations

Presenting this topic at the Calgary Windows Server and Azure Hybrid User Group was a great reminder of how important technical communities are.

Events like this create space for honest conversations about what is actually happening in the field. They allow administrators, architects, consultants, defenders, and security practitioners to compare notes, challenge assumptions, and leave with practical ideas they can use right away.

The setting at the Langdon Wildfire Pub made it even better. It was informal, engaged, and full of the kind of real-world discussion that makes user groups so valuable.

A special thank you to Cristal Kawula for being part of the session and to everyone who attended, asked questions, and contributed to the conversation.

Final Thoughts

The biggest message from “Red vs. Blue: Hardening Windows Server 2025 Through Adversarial Testing” is this:

You cannot harden what you have not tested.

Security controls need to be challenged. Assumptions need to be validated. Administrative habits need to be reviewed. Logs need to be useful before an incident happens. Recovery plans need to be proven before they are needed.

Windows Server 2025 gives organizations a modern foundation, but the real security advantage comes from combining strong configuration, disciplined administration, continuous monitoring, and adversarial testing.

Attackers are already thinking in paths.

Defenders need to do the same.

Dave and Cristal