TRANSCRIPT
Defend your Virtual Infrastructure with Windows Server 2016 Security
Richard Timmering, Premier Field Engineer
… perhaps it’s obvious but why does all this matter?
First: context refresher
“There are two kinds of big companies, those who’ve been hacked, and those who don’t know they’ve been hacked.”
Source: McKinsey, Ponemon Institute, Verizon
CYBER THREATS ARE A MATERIAL RISK TO YOUR BUSINESS
Impact of lost productivity and growth: $3.0 TRILLION
Average cost of a data breach (15% YoY increase): $4 MILLION
Corporate liability coverage: $500 MILLION
Breaches cost a lot of money (average $4M, based on Ponemon Institute)
Healthy state: Customers pay for your service
After a breach: You pay customers compensation to keep them using your service
Productivity
Healthy state: Employees efficiently perform the majority of work activities using a desktop computer
After a breach: Employees waste hours a day running back and forth to a fax machine (assuming you still have one)
Overspending Reflex
Healthy state: Appropriately sized & dedicated IT Security team ($)
After a breach: IT Security team exponentially increases in size and remediation efforts require new and expensive products ($$$)
Industry Reputation
Healthy state: Industry credibility, positive reputation, customer confidence; corporate secrets are secret
After a breach: Loss of credibility, embarrassing information exposed, customers lose faith; corporate secrets are public knowledge, with potential loss of competitive advantage
Ransomware
Healthy state: HBI/MBI assets available for day-to-day business operations
After a breach: Assets encrypted and key business IT services rendered useless
Customer trust
Healthy state: Customers happy to trust you with their PII
After a breach: Customers reluctant to share information with you
Attack timeline: first host compromised; domain admin compromised within 24–48 hours; attack discovered after a mean dwell time of 150+ days (varies by industry)
Attack stages: ENTER → ESTABLISH → EXPAND → ENDGAME, across the NETWORK, DEVICE and USER layers
Techniques shown: Phishing Attacks; Malicious Attachment Delivery; Browser or Doc Exploit Delivery; Malicious Attachment Execution; Browser or Doc Exploit Execution; Internet Service Compromise; Kernel Exploits; Kernel-mode Malware; Stolen Credential Use; Pass-the-Hash
Endgame: ESPIONAGE, LOSS OF IP; DATA THEFT; RANSOM; LOST PRODUCTIVITY; BUSINESS DISRUPTION
What do these have in common?
Insider attacks
Phishing attacks
Fabric attacks
Pass-the-hash (PtH) attacks
Stolen credentials
Stolen admin credentials
These privileged accounts have the keys to the kingdom; we gave them those keys decades ago
But now, those administrators’ privileges are being compromised through social engineering, bribery, coercion, private initiatives, etc.
Administrative Privileges
Attack: attack the applications and infrastructure; attack the virtualization fabric itself
Protect: ongoing focus & innovation on preventative measures; block known attacks & known malware
Detect: comprehensive monitoring tools to help you spot abnormalities and respond to attacks faster
Respond: leading response and recovery technologies plus deep consulting expertise
Isolate: isolate OS components & secrets; limit admin. privileges; rigorously measure host health
Security Posture
– Security isn’t a bolt-on;
Protect credentials and privileged access
Windows Server 2016
Chart: Capability (y-axis) over Time (x-axis) for the accounts Ben, Mary, Jake, Admin and Domain admin
Typical administrator:
Social engineering leads to credential theft
Most attacks seek out and leverage administrative credentials (PtH or Pass-the-hash)
Administrative credentials often inadvertently provide more privilege than strictly necessary… and for an unlimited time
JEA and JIT administration: capability and time limited to what is needed
Just Enough Administration (JEA)
Just in Time Administration (JIT)
Credential Guard
Remote Credential Guard
Real-world case:
Root-cause:
Post-remediation:
Protecting Active Directory http://aka.ms/privsec

2-4 weeks: First response to the most frequently used attack techniques
1. Separate Admin account for admin tasks
2. Privileged Access Workstations (PAWs) Phase 1 - Active Directory admins http://Aka.ms/CyberPAW
3. Unique Local Admin Passwords for Workstations http://Aka.ms/LAPS
4. Unique Local Admin Passwords for Servers http://Aka.ms/LAPS

1-3 months: Build visibility and control of administrator activity, increase protection against typical follow-up attacks
1. Privileged Access Workstations (PAWs) Phases 2 and 3 - All Admins and additional hardening (Credential Guard, RDP Restricted Admin, etc.) http://aka.ms/CyberPAW
2. Time-bound privileges (no permanent admins) http://aka.ms/PAM http://aka.ms/AzurePIM
3. Multi-factor for elevation
4. Just Enough Admin (JEA) for DC Maintenance http://aka.ms/JEA
5. Lower attack surface of Domain and DCs http://aka.ms/HardenAD
6. Attack Detection http://aka.ms/ata

6+ months: Move to proactive security posture
1. Modernize Roles and Delegation Model
2. Smartcard or Passport Authentication for all admins http://aka.ms/Passport
3. Admin Forest for Active Directory administrators http://aka.ms/ESAE
4. Code Integrity Policy for DCs (Server 2016)
5. Shielded VMs for virtual DCs (Server 2016 Hyper-V Fabric) http://aka.ms/shieldedvms

Summary of the same 2-4 weeks / 1-3 months / 6+ months roadmap, Attack vs. Defense:
Detect Attacks
Harden DC configuration
Reduce DC Agent attack surface
Prevent Escalation
Prevent Lateral Traversal
Increase Privilege Usage Visibility
Assign Least Privilege
Protect applications and data in any cloud
Protecting the OS: Defend against new exploits and block attacks without impacting legitimate workloads
Control Flow Guard
Windows Defender
Device Guard
Control Flow Guard (CFG)
Helps prevent attacks that use memory corruption vulnerabilities
CFG places controls on how an otherwise-trusted application executes code
Provides defenses against exploits such as buffer overflows
Helps ensure that trusted binaries execute as intended
Windows Defender
Deep integration with Windows security systems
Anti-tampering (protecting critical dependent OS Services)
Registry hardening; “file-less” malware
Actively protects against malware without impacting workloads
In-box anti-malware that is Server-workload aware
Device Guard
Windows can be locked down to run ONLY trusted binaries
Untrusted binaries, such as malware, are unable to run
Protects kernel mode processes and drivers from zero-day attacks as well as vulnerabilities through the use of HVCI
Code Integrity policies can be signed and protected against malicious administrators
Hardware Rooted Code Integrity
Respond more intelligently with log analytics integration
Operational insights
Enhanced Auditing and Event Logs
Protect applications with just enough OS
Diagram: five containers sharing one VM, contrasted with five Hyper-V Containers, each in its own VM
Protecting new apps:
Hyper-V Containers
Nano Server
Protect the virtualization fabric
Software Defined Networking (SDN) & Micro-segmentation
Phishing for secrets
The attack
Micro-segmentation
Using the distributed firewall
Virtual Appliances
Protect the virtualization fabric
Virtual machines
Contrast: feature comparison of SHIELDED VM, HOST GUARDIAN SERVICE and GENERATION 2 VM (checkmark table; row labels not captured)
Security Assurance Goals
▪ Encryption of data, both at-rest & in-flight
▪ Fabric admins locked out
▪ Attestation of host health required
NOTE: Shielding is not intended as a defense against DoS attacks
Two modes of shielding
▪ Shielded
▪ Encryption Supported
NOTE: a VM’s shielding type is dictated/configured by the Shielding Data from which the shielded VM is born
who’s it for?
As a Hoster
As a Tenant
As an Enterprise
deployment scenarios
Enterprise private cloud
Public cloud: general hoster/tenant
Branch office
Compliance
Diagram: guarded fabric
Decryption keys: controlled by external system
Host Guardian Service (HGS): Key Protection + Health Attestation
Windows Server 2016 Hyper-V hosts 1, 2 and 3 each run Virtual Secure Mode and host guest VMs; Hyper-V host 1 also runs a shielded VM
Host to HGS: “Please, guv’na, can I ‘ave some more keys?”
HGS to host: “Why certainly, I know you & I must say you’re looking very healthy today!”
Attestation Modes

TPM-trusted (RECOMMENDED STEADY-STATE)
Complex setup/configuration
▪ Register each Hyper-V host’s TPM (EKpub) with the guardian service
▪ Baseline CI policy for each different hardware SKU
▪ Optional: Deploy HSM and use HSM-backed certificates
Specific host hardware required
▪ Needs to support TPM v2.0 and UEFI 2.3.1
Highest levels of assurance
▪ Fabric-admin untrusted
▪ Trust rooted in hardware
▪ Compliance with code-integrity policy required for key-release (attestation)

Admin-trusted (INITIAL ADOPTION SIMPLIFIER)
Simplified setup/configuration
▪ Set up an Active Directory trust + register group
▪ Authorize a Hyper-V host to run shielded VMs by adding it to the Active Directory group
Leveraging existing H/W
▪ H/W needs to support Hyper-V on Windows Server 2016
Weaker levels of assurance
▪ Fabric-admin is trusted
▪ No hardware-rooted trust or measured-boot
▪ No enforced code-integrity
Diagram: TPM-trusted attestation
Guarded Host (UEFI → Trusted Boot → Code Integrity) sends its boot and CI measurements to the Host Guardian Service; HGS asks “All measurements valid?” before releasing keys for the Shielded VM
Attestation: validates the health of the host (boot and CI measurements)

Diagram: admin-trusted attestation
Guarded Host (UEFI → Trusted Boot → Code Integrity) contacts the Host Guardian Service; HGS asks only “Correct AD group?” before releasing keys for the Shielded VM
Attestation: no boot measurements or code-integrity policies are taken into account
Shielded Virtual Machines
Demonstration
A few spotlights
Generation 2 VMs only: leveraging virtual EFI, Secure Boot, virtual TPM
Hyper-V host: Windows Server 2016; guarded host requires Windows Server 2016 Datacenter edition
Shielded guest VM OS support: Windows 8 / Windows Server 2012 or newer
vTPM not tied to physical TPM: permits VM mobility, e.g. Live Migration
Restricting admin access: capabilities that might expose VM state are unavailable; several virtual devices are removed
Requirements:
Host Guardian Service
Guarded hosts
Optional: Fabric Management

PHASE 1: HOSTER / I.T. staff… Setup Guarded Fabric
a) Deploy and configure Host Guardian Service
b) Upgrade Hyper-V hosts and fabric manager
c) Configure Hyper-V hosts as guarded
   1. get TPM’s endorsement key -> add to HGS (NB: this task is performed once on each and every fabric Hyper-V host)
   2. get TPM’s baseline measurements -> add to HGS (NB: this task is performed once for each type of server hardware)
   3. create code-integrity policy -> add to HGS (NB: this task is performed once for each type of server hardware)
   4. Configure attestation and key protection endpoints
d) Run guarded fabric diagnostics

PHASE 2: HOSTER / Fabric administrators… Create shielded VM fabric artifacts
a) Prepare template disks for use by shielded VMs
b) Create shielded templates

PHASE 3: TENANT / I.T. Security staff… Create shielded VM tenant artifacts
a) Obtain guardian key(s) from guarded fabric(s)
b) Create/obtain owner keys to protect your shielded VMs
c) Obtain volume signatures for trusted template disks
d) Create shielding data and upload to guarded fabric(s)
e) Ongoing management tasks (keys and misc. artifacts):
   1. Maintain/protect owner keys
   2. Maintain trusted volume signature catalogs

PHASE 4: TENANT / VM owners… Deploy/manage/maintain shielded VMs
a) Create new shielded VMs on guarded fabric
b) Obtain/maintain BitLocker recovery keys per shielded VM
c) Troubleshoot failed shielded VMs as necessary
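Phase 1 steps c and d above, and the TPM-trusted versus admin-trusted comparison, carried through as an added example in PowerShell (not code from the deck or from Microsoft documentation). The HGS name hgs.example.com, the host name HV01, the SKU label HW-SKU1 and the folder C:\HGS-Enroll are assumptions.

```powershell
# Added example, not part of the deck: enrol one Hyper-V host (HV01) for TPM-trusted
# attestation, following Phase 1 steps c.1-c.4 and d. hgs.example.com, HV01, the
# SKU label HW-SKU1 and the folder C:\HGS-Enroll are assumed placeholders.

## --- Run on the Hyper-V host HV01 (elevated PowerShell) ---
# c.1: export the TPM endorsement key (EKpub). Once per host.
(Get-PlatformIdentifier -Name 'HV01').InnerXml |
    Out-File 'C:\HGS-Enroll\HV01.xml' -Encoding UTF8

# c.2: capture the TPM baseline (boot measurements). Once per hardware SKU,
# taken on a freshly built reference host of that SKU.
Get-HgsAttestationBaselinePolicy -Path 'C:\HGS-Enroll\HW-SKU1.tcglog'

# c.3: build an enforced code-integrity policy on the same reference host.
# Rule option 3 is "Enabled:Audit Mode"; deleting it makes the policy enforced.
New-CIPolicy -Level FilePublisher -Fallback Hash -UserPEs `
    -FilePath 'C:\HGS-Enroll\HW-SKU1-CI.xml'
Set-RuleOption -FilePath 'C:\HGS-Enroll\HW-SKU1-CI.xml' -Option 3 -Delete
ConvertFrom-CIPolicy -XmlFilePath 'C:\HGS-Enroll\HW-SKU1-CI.xml' `
    -BinaryFilePath 'C:\HGS-Enroll\HW-SKU1-CI.p7b'
# Every host of this SKU must boot with this exact policy applied
# (C:\Windows\System32\CodeIntegrity\SIPolicy.p7b, then reboot) or attestation fails.

## --- Run on the HGS server, after copying the three artifacts over ---
Add-HgsAttestationTpmHost   -Path 'C:\HGS-Enroll\HV01.xml'        -Name 'HV01'
Add-HgsAttestationTpmPolicy -Path 'C:\HGS-Enroll\HW-SKU1.tcglog'   -Name 'HW-SKU1'
Add-HgsAttestationCIPolicy  -Path 'C:\HGS-Enroll\HW-SKU1-CI.p7b'   -Name 'HW-SKU1-CI'
Get-HgsServer   # shows the Attestation and Key Protection URLs used in c.4

# Admin-trusted alternative: one AD group registration replaces all three artifacts,
# but HGS then checks no measurements and the fabric admin is trusted.
# Add-HgsAttestationHostGroup -Name 'GuardedHosts' -Identifier '<SID of the AD group>'

## --- Back on HV01: c.4 point the host at HGS, then d) run diagnostics ---
Set-HgsClientConfiguration `
    -AttestationServerUrl   'http://hgs.example.com/Attestation' `
    -KeyProtectionServerUrl 'http://hgs.example.com/KeyProtection'

# AttestationStatus must read Passed before HGS releases keys to this host;
# otherwise AttestationSubstatus names the failing check (e.g. a CI policy mismatch).
Get-HgsClientConfiguration | Select-Object AttestationStatus, AttestationSubstatus
Get-HgsTrace -RunDiagnostics -Detailed
```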
Details:
build a PoC?
Minimalist (using nested virtualization)
More representative of production deployment
Summary & Compliance Mapping
UNPARALLELED SECURITY
• least vulnerable OS 4 years in a row
Chart: Reported Vulnerabilities per year, 2012-2015, Linux Kernel vs. Windows Server (y-axis 0 to 500). Bar values as captured: Linux Kernel 221, 277, 233, 430; Windows Server 92, 73, 40, 156
our track record + 2016 innovations
Built-in security mechanisms
Virtualization-based Security (VBS)
HOST SECURITY: Hyper-V based fabric; ✓ Nano-based Hyper-V host
GUEST SECURITY: Secure on any fabric
a different pivot
• Hyper-V Shielded VMs compliance mapping whitepaper
• JEA and JIT compliance mapping whitepaper
• Device Guard compliance mapping whitepaper
• Credential Guard compliance mapping whitepaper
• Windows Defender compliance mapping whitepaper
3rd-party assessment of compliance mappings across various security-related offerings in the Windows Server 2016 wave
Shielded VM Compliance Mapping (columns: ISO 27001:2013; PCI DSS 3.2; FedRAMP / NIST 800-53 Revision 4)

Enforcing Separation of Duties
ISO 27001: A.6.1.2 – Segregation of duties
PCI DSS: 6.4.2 – Separation of duties between test and production environments
NIST 800-53: AC-5 – Separation of Duties

Implementation of Least Privilege Access and Partitioning Tenant Functionality
ISO 27001: A.9.2.3 – Management of privileged access rights; A.12.1.4 – Separation of development, testing, and operational environments
PCI DSS: 6.4.1 – Test and Production Environment Separation; 7.2 – User access control on need-to-know basis; 7.2.3 – Default “deny-all” setting
NIST 800-53: AC-6 – Least Privilege; AC-6 (10) – Prohibit Non-Privileged Users from Executing Privileged Functions; SC-2 – Application Partitioning

Protecting Information Stored in Shared Resources
ISO 27001: None
PCI DSS: 8.7 – Restricted access to databases containing cardholder data
NIST 800-53: SC-4 – Information in Shared Resources

Protection of Data at Rest
ISO 27001: A.8.2.3 – Media Access
PCI DSS: 3.4 – Verifying stored PAN is unreadable; 3.4.1 – Disk encryption usage and access control; 6.5.3 – Insecure cryptographic storage
NIST 800-53: SC-28 – Protection of Information at Rest; SC-28(1) – Protection of Information at Rest

Security Function Verification and Integrity Monitoring
ISO 27001: None
PCI DSS: 11.5 – Change-detection mechanism deployment
NIST 800-53: SI-6 – Security Function Verification; SI-7 – Software, Firmware, and Information Integrity
Resources
https://technet.microsoft.com/en-us/library/mt130644.aspx
https://youtu.be/Vp5E1-4Ks8E
https://blogs.technet.microsoft.com/datacentersecurity
http://aka.ms/privsec
https://mva.microsoft.com/
Preliminary mappings contained in this and other related decks