Your organization's SIEM generates a high-priority alert: a Windows Server 2022 file server that stores customer PII suddenly begins transferring several gigabytes of data to an unknown external IP address over TCP port 22. When you remotely log in, you discover an unauthorized OpenSSH service running under a domain service account and notice that the server's sshd_config file was modified within the last hour. According to widely accepted breach-response procedures for production servers, which immediate action should the administrator take to contain the incident while still preserving evidence for later forensic analysis?
Delete the compromised service account from Active Directory and force a domain-wide password reset.
Power the server down and restore the most recent full-system backup image.
Isolate the host by disconnecting its network interfaces (physically unplug the cable or detach the NIC from the virtual switch).
Install the latest OpenSSH security patches and restart the service to close the vulnerability.
The first technical goal after confirming a breach is containment. NIST guidance notes that deciding to "disconnect [a system] from a network" is an essential containment technique because it halts further damage and data loss yet leaves the operating system, memory, and log data intact for investigators. Physically or virtually isolating the affected server stops the exfiltration channel and prevents the attacker from pivoting to other hosts without altering critical evidence.
Applying patches or deleting accounts may close one avenue of attack, but the system stays online long enough for an intruder to change tactics or erase logs-and the remediation process itself overwrites evidence. Powering the server off and restoring from backup eliminates volatile artifacts and breaks the chain of custody, hindering forensic work. Therefore, immediately disconnecting the server from the network is the best containment step that balances stopping the breach with preserving data needed for a full investigation.