On-Premise Infrastructure Security Guide

Contents

On-Premise Infrastructure in 2026
Active Directory Security
Privileged Access Workstations and Jump Hosts
Patch Management for On-Premise Systems
Network Security for On-Premise
Physical Security

On-Premise Infrastructure in 2026

On-premise infrastructure is not obsolete. Many businesses have valid reasons for keeping servers on-site: latency requirements, software licensing constraints, regulated data localisation, or capital equipment already deployed.

What has changed is the attack surface. On-premise servers that are directly internet-accessible, running end-of-life software, or managed without proper privileged access controls are among the most compromised infrastructure in existence.

The most dangerous on-premise configuration in 2026: Windows Server 2008/2012 (end of support), RDP exposed to the internet, shared admin credentials, no audit logging. This combination is actively targeted 24 hours a day.

Active Directory Security

AD Tiering Model

The Tier Model separates admin accounts into three tiers to prevent credential theft from spreading:

Tier	Controls	Admin Accounts
Tier 0	Domain Controllers, AD admin tools	Tier 0 admin accounts only — no daily use
Tier 1	Member servers (file, app, email)	Tier 1 server admin accounts
Tier 2	Workstations	Tier 2 desktop support accounts

Critical AD hygiene

✓Audit Admin group membership — who is in Domain Admins? Review monthly

✓Disable and clean up stale user and computer accounts — disable accounts 30 days post-departure

✓Remove users from Domain Admins who don't require it — use delegated permissions instead

✓Enable AD audit logging — logon events, privilege use, object access

✓Protect Domain Controller tier — DCs should never browse the internet or run standard applications

Privileged Access Workstations and Jump Hosts

Admin tasks performed from a compromised workstation expose admin credentials to the attacker. Privileged Access Workstations (PAWs) or Jump Hosts create an isolated, hardened environment for admin activity.

Jump host configuration

✓Dedicated server or VM — not a general-purpose server running other workloads

✓No internet browsing from the jump host

✓Access only from within the corporate network or via VPN — not directly from the internet

✓RDP to servers only from the jump host — not from user workstations

✓MFA required to access the jump host

✓All admin sessions logged — keystroke logging or session recording for regulated environments

Local admin passwords

✓Microsoft LAPS (Local Administrator Password Solution) — randomise and manage local admin passwords on all workstations and servers

✓LAPS passwords stored in Active Directory, retrievable only by authorised accounts

✓Eliminates lateral movement via shared local admin credentials

Patch Management for On-Premise Systems

End-of-life operating systems

✓Windows Server 2008/2012 — out of mainstream support. Patch Tuesday updates no longer released. Must be migrated or isolated

✓Windows Server 2019/2022 — current, receive regular updates

✓Windows 10 — end of support October 2025. Windows 11 required for continued patch support

Patch deployment

✓WSUS (Windows Server Update Services) — for environments without Microsoft cloud integration

✓Azure Arc + Azure Update Manager — manage on-premise server patching from Azure portal

✓SCCM / Microsoft Endpoint Configuration Manager — for larger environments

✓Monthly patching schedule — test patches in staging, deploy to production within 7 days

✓Emergency patch procedure — critical vulnerabilities (CVSS 9+) patched within 48 hours

An unpatched server running an internet-accessible service is a matter of 'when', not 'if'. Attackers actively scan for known vulnerable services within hours of patch disclosure.

Network Security for On-Premise

Firewall and edge security

✓Dedicated hardware firewall (Fortinet, Palo Alto, Cisco, SonicWall) — not just Windows Firewall

✓Default deny inbound from internet — only explicitly required ports open

✓No RDP (3389) directly to the internet — use VPN or Azure Bastion

✓IDS/IPS capability — detect and block known attack patterns at the network level

✓Logging — all firewall events to SIEM

Network segmentation

✓Server VLAN isolated from user workstations

✓Management VLAN for network devices and admin access — only accessible from jump host

✓Guest Wi-Fi completely isolated — no access to internal resources

✓POS/payment systems on isolated segment if applicable

VPN for remote access

✓Site-to-site VPN for branch offices

✓User VPN with MFA for remote access — not split tunnel where possible

✓Consider migrating user remote access to Zero Trust Network Access (ZTNA) / Entra Private Access

Physical Security

✓Server room or rack access logged — badge access with audit trail

✓Server room CCTV — recorded, minimum 30-day retention

✓Environmental monitoring — temperature and humidity alerts

✓UPS (Uninterruptible Power Supply) for all servers and network gear

✓Cable management — labelled, documented, locked patch panels where possible

✓Hardware disposal — secure wipe or physical destruction of decommissioned drives

De4sec On-Premise Security Assessment

Infrastructure Audit

Physical visit and remote assessment of all on-premise infrastructure. Identify EOL systems, network gaps, AD vulnerabilities.

Remediation Implementation

Patch management, AD hardening, PAW/jump host deployment, firewall configuration.

Hybrid Management

Azure Arc integration for unified management and monitoring of on-premise and cloud systems.

// NEXT STEP

Ready to implement this?

De4sec provides hands-on implementation. Book a free discovery call — we assess your environment at no cost.

Book a Free Discovery Call →de4sec.technology

© 2026 DE4SEC TECHNOLOGY. ALL RIGHTS RESERVED.