Windows Server 2016

Protect your infrastructure with Windows Server 2016 Security

Built-in layers of securitySoftware-defined datacenterCloud-ready application platform

Windows Server + System Center session guide: aka.ms/WS2016Ignite

BRK2146

Dean Wells Jane YanWindows Server Windows Server

Protect your infrastructure with Windows Server 2016 SecurityDean Wells Jane YanWindows Server Windows Server

BRK2146

… perhaps it’s obvious but why does all this matter?

First: context refresher

Modern Security Threats

”There are two kinds of big companies, those who’ve been hacked, and those who don’t know they’ve been hacked.”

James Comey, Director FBI

Source: McKinsey, Ponemon Institute, Verizon

CYBER THREATS ARE A MATERIAL RISK TO YOUR BUSINESS

Impact of lost productivity and

growth

Average cost of a data breach (15% YoY

increase)

$3.0 TRILLION $4 MILLIONCorporate liability

coverage.

$500 MILLION

“Cyber security is a CEO issue.” - M C K I N S E Y

Cybercrime: State of the UnionCybercrime costs US economy up to $140B annually, report saysLos Angeles Times [2014]

How hackers allegedly stole “unlimited” amounts of cash from banks in just a few hours

Ars Technica [2014]

The biggest cyberthreat to companies could come from the inside

Cnet[2015]

Cyberattacks on the rise against US corporations

New York Times [2014]

Espionage malware infects rafts of governments, industries around the worldArs Technica [2014]

Forget carjacking, soon it will be carhacking

The Sydney Morning Herald [2014]

Ransomware, 0days, malware, scams... all are up, says Symantec

The Register [April 2016]

Variety of motivations

2

Increasing incidents1

Increasing risk3

Breaches cost a lot

of money

(Average $4M based on Ponemon Institute)

Customers pay for your service

You pay customers compensation to keep them using your service

Productivity

Employees efficiently perform the majority of work activities using a desktop computer

Employees waste hours a day running back and forth to a fax machine(assuming you still have one)

Overspending Reflex

Appropriately sized & dedicated IT Security team

IT Security team exponentially increases in size and remediation efforts require new and expensive products

$$

$$

$$

$$

$$

$$

$$

$$

$$

$$

$ $$

$

$

Cyber security: hidden costs of a breachBefore After

Industry Reputation

Industry credibility, positive reputation, customer confidence

Corporate secrets are secret

Loss of credibility, embarrassing information exposed, customer’s lose faith

Corporate secrets are public knowledge; potential loss of competitive advantage

RansomwareHBI/MBI assets available forday-to-day business operations

Assets encrypted and key business IT services rendered useless

Customer trust Customers happy to trust you with their PII

Customers reluctant to share informationwith you

Before After

Cyber security: hidden costs of a breach

Attack timeline

24–48 hours

Mean dwell time 150+ days

(varies by industry)

First host compromise

d

Domain admin compromised

Attack discovere

d

Attacker undetected (data exfiltration)

Research & preparation

Attackers find any weakness &

target information on any device or

service

Attackers often target Active Directory and

admins to gain access to business

assets

You may be under attack (or

already compromised) and unaware

Anatomy of an attack

Malicious Attachment ExecutionBrowser or Doc Exploit Execution

Stolen Credential Use

Internet Service Compromise

Kernel-mode MalwareKernel Exploits

Pass-the-Hash

Malicious Attachment DeliveryBrowser or Doc Exploit

DeliveryPhishing Attacks

ATTACK

ESPIONAGE, LOSS OF IPDATA THEFT RANSOMLOST PRODUCTIVITYBUSINESS DISRUPTION

ENTER

ESTABLISH

EXPAND

ENDGAME

NETWORK

DEVICE

USER

What do most attacks have in-common?Insiderattacks

Phishing attacks

Fabricattacks

Pass-the-hash(PtH) attacks

Stolencredentials

Central risk: Administrator privilegesStolen admincredentials

Insiderattacks

Phishing attacks

Fabricattacks

These privileged accounts have the keys to the kingdom; we gave them those keys decades ago

But now, those administrators’ privileges are being compromised through social engineering, bribery, coercion, private initiatives, etc.

Most attack-types seek out & exploit privileged accounts

Administrative Privileges

1. Compromised privileged accounts

2. Unpatched vulnerabilities3. Phishing attacks4. Malware infections

5. Compromised fabric exposes guest VMs

6. Easy to modify or copy VM without notice

7. Can’t protect VMs with gates, walls, locks, etc.

8. VMs can’t leverage H/W security (e.g. TPMs)

Attack vectorsAttack the applications and infrastructure

Attack the virtualization fabric itself

Ongoing focus & innovation on preventative

measures; block known attacks & known malware

Protect

Comprehensive monitoring tools to help you spot

abnormalities and respond to attacks faster

Detect

Leading response and recovery technologies plus deep consulting expertise

Respond

Isolate OS components & secrets; limit admin. privileges; rigorously measure host health

Isolate

Windows Server Security Posture

– Security isn’t a bolt-on; it’s an architectural principle –

Protect credentials and privileged access

Windows Server 2016

Challenging to protect credentials

Ben Mary Jake Admin Domain admin

Typical administrator

Capa

bilit

y

Time

Social engineering leads to credential theftMost attacks seek out and leverage administrative credentials (PtH or Pass-the-hash)Administrative credentials often inadvertently provide more privilege than strictly necessary… and for an unlimited time

Windows Server 2016 approach

Ben Mary Jake Admin Domain admin

JEA and JIT administration

Capa

bilit

y

Time

Just Enough Administration (JEA) limits administrative privileges to the bare-minimum required set of actions (limited in space)Just in Time Administration (JIT) provides privileged access upon request through a workflow that is audited and limited in time

Capability and time

needed

JIT + JEA

Demonstrations

Windows Server 2016 approach

Ben Mary Jake Admin Domain admin

JEA and JIT administration

Capa

bilit

y

Time

Just Enough Administration (JEA) limits administrative privileges to the bare-minimum required set of actions (limited in space)Just in Time Administration (JIT) provides privileged access upon request through a workflow that is audited and limited in timeCredential Guard prevents Pass the Hash and Pass the Ticket attacks by protecting stored credentials and credential artifacts using Virtualization based Security (VBS)

Capability and time

needed

Credential Guard

Demonstration

Windows Server 2016 approach

Ben Mary Jake Admin Domain admin

JEA and JIT administration

Capa

bilit

y

Time

Just Enough Administration (JEA) limits administrative privileges to the bare-minimum required set of actions (limited in space)Just in Time Administration (JIT) provides privileged access upon request through a workflow that is audited and limited in timeCredential Guard prevents Pass the Hash and Pass the Ticket attacks by protecting stored credentials and credential artifacts using Virtualization based Security (VBS)Remote Credential Guard works in conjunction with Credential Guard for RDP sessions providing SSO over RDP while eliminating the need for credentials to be passed to the host

Capability and time

needed

Remote Credential Guard

Demonstration

Active Directory Access Path (ADAP)Scans environment and constructs a map of all administrators across all machinesEnables analysis of potential attack paths throughout entire domainReal-world case: scan revealed > 2,000 Domain Admins Root-cause: unnecessary/unknown group nestingPost-remediation: 20 domain admins

• some servers found with 187,000 unintentional administrators

• existing breach re-enabling & exploiting disabled accounts

• ADAP revealed privilege map

Protecting Active Directory and Admin privilegeshttp://aka.ms/privsec

1. Separate Admin account for admin tasks

3. Unique Local Admin Passwords for Workstationshttp://Aka.ms/LAPS

2. Privileged Access Workstations (PAWs) Phase 1 - Active Directory adminshttp://Aka.ms/CyberPAW

4. Unique Local Admin Passwords for Servershttp://Aka.ms/LAPS

2-4 weeks 1-3 months 6+ monthsFirst response to the most frequently used attack techniques

2. Time-bound privileges (no permanent admins)http://aka.ms/PAM http://aka.ms/AzurePIM

1. Privileged Access Workstations (PAWs) Phases 2 and 3 –All Admins and additional hardening (Credential Guard, RDP Restricted Admin, etc.)http://aka.ms/CyberPAW

4. Just Enough Admin (JEA) for DC Maintenancehttp://aka.ms/JEA

9872521

6. Attack Detectionhttp://aka.ms/ata

5. Lower attack surface of Domain and DCs http://aka.ms/HardenAD

Build visibility and control of administrator activity, increase protection against typical follow-up attacks

3. Multi-factor for elevation

Protecting Active Directory and Admin privilegeshttp://aka.ms/privsec

2-4 weeks 1-3 months 6+ months

2. Smartcard or Passport Authentication for all adminshttp://aka.ms/Passport

1. Modernize Roles and Delegation Model

3. Admin Forest for Active Directory administratorshttp://aka.ms/ESAE

5. Shielded VMs for virtual DCs (Server 2016 Hyper-V Fabric)http://aka.ms/shieldedvms

4. Code Integrity Policy for DCs (Server 2016)

Move to proactive security posture

Protecting Active Directory and Admin privilegeshttp://aka.ms/privsec

2-4 weeks 1-3 months 6+ months

Move to a proactive security posture2-4 weeks 1-3 months 6+ months

DC Host Attacks

Credential Theft & Abuse

Attacker Stealth

AD Attacks

Attack

Detect Attacks

Harden DC configuration

Reduce DC Agent attack surface

Prevent Escalation

Prevent Lateral Traversal

Increase Privilege Usage Visibility

Assign Least Privilege

Defense

Protect applications and data in any cloud

Windows Server 2016

Protecting the OSDefend against new exploits and block attacks without impacting legitimate

workloads

Control Flow Guard

Windows Defender

Device Guard

Control Flow Guard (CFG)

Helps prevent attacks that use memory corruption vulnerabilities CFG places controls on how an otherwise-trusted application executes codeProvides defenses against exploits such as buffer overflows

Helps ensure that trusted binaries execute as intended

Windows Defender

Deep integration with Windows security systemsAnti-tampering (protecting critical dependent OS Services)Registry hardening; “file-less” malwareActively protects against malware without impacting workloads

In-box anti-malware that is Server-workload aware

Windows Defender

Demonstration

Device Guard

Windows can be locked down to run ONLY trusted binariesUntrusted binaries, such as malware, are unable to runProtects kernel mode processes and drivers from zero-day attacks as well as vulnerabilities through the use of HVCICode Integrity policies can be signed and protected against malicious administrators

Hardware Rooted Code Integrity

Device Guard

Demonstration

Respond more intelligently with log analytics integration

Windows Server 2016

Challenge: turn log files into operational insights

In order to better detect threats the OS needs to provide additional auditing or event logging information

Security Information and Event Management (SIEM) systems are only as intelligent as the information provided from the OS

Windows Server 2016 approach

Enhanced Auditing and Event Logs Log new audit events to better detect malicious behavior by providing more detailed information to security operation centersSIEM systems such as Operations Management Suite (OMS) can take advantage of this information to provide intelligence reports on potential breaches in the datacenter environment

Protect applications with just enough OS

Windows Server 2016

CONTAINER CONTAINER CONTAINER CONTAINER CONTAINER

Developers are making use of new packaging and deployment tools such as containersContainers share the same kernel which limits isolation and exposes compliance and regulatory risksLower the risk by providing only the components required by application to run

Shared Hardware (Hypervisor Isolation)

VM VM VM VM VM

Shared Kernel (User Mode Isolation)

Challenges in protecting new apps

Hyper-V CONTAINER

Hyper-V CONTAINER

Hyper-V CONTAINER

Hyper-V CONTAINER

Hyper-V CONTAINER

Hyper-V Containers Provide hypervisor isolation for each container with no additional coding requirementsAlign with regulatory requirements for PCI and PII dataNano Server Reduce the attack surface by deploying a minimal “just enough” server footprint

Shared Hardware (Hypervisor Isolation)

VM VM VM VM VM

Shared Platform (Hypervisor Isolation)

Windows Server 2016 approach

Protect the virtualization fabric

Windows Server 2016

Software Defined Networking (SDN) & Micro-segmentation

Windows Server 2016

Virtual Network – “MyNetwork”Application at risk!Phishing for secrets

Tier 2Subnet2

192.168.2.0/24

Tier 1Subnet1

192.168.1.0/24

Tier 3Subnet3

192.168.3.0/24Active

Directory

VM

File Server

2

VM

File Server

1

VM

Outbound NAT 10.127.132.5

Internal VIP 10.127.132.4

Web

Server 1

VM Web

Server 2

VM

Public VIP 10.127.132.6

Virtual Network – “MyNetwork”Application at risk!The attack

Tier 2Subnet2

192.168.2.0/24

Tier 1Subnet1

192.168.1.0/24

Tier 3Subnet3

192.168.3.0/24Active

Directory

VM

File Server

2

VM

File Server

1

VM

Outbound NAT 10.127.132.5

Private VIP 10.127.132.4

Web

Server 1

VM Web

Server 2

VM

Public VIP 10.127.132.6N

NN

NN

Virtual Network – “MyNetwork”Dynamic SecurityMicro-segmentation

Tier 2Subnet2

192.168.2.0/24

Tier 1Subnet1

192.168.1.0/24

Tier 3Subnet3

192.168.3.0/24Active

Directory

VM

File Server

2

VM

File Server

1

VM

Outbound NAT 10.127.132.5

Internal VIP 10.127.132.4

Web

Server 1

VM Web

Server 2

VM

Public VIP 10.127.132.6

Virtual Network – “MyNetwork”Dynamic SecurityUsing the distributed firewall

Tier 2Subnet2

192.168.2.0/24

Tier 1Subnet1

192.168.1.0/24

Tier 3Subnet3

192.168.3.0/24Active

Directory

VM

File Server

2

VM

File Server

1

VM

Outbound NAT 10.127.132.5

Internal VIP 10.127.132.4

Web

Server 1

VM Web

Server 2

VM

Public VIP 10.127.132.6

NSG

Virtual Network – “MyNetwork”Dynamic SecurityVirtual Appliances

Tier 2Subnet2

192.168.2.0/24File

Server 1

VM File Server

2

VM

Tier 1Subnet1

192.168.1.0/24

Tier 3Subnet3

192.168.3.0/24Active

Directory

VM

Outbound NAT 10.127.132.5Virtual Applianc

e

VMInternal VIP 10.127.132.4

Web

Server 1

VM Web

Server 2

VM

Public VIP 10.127.132.6

NSG

Protect the virtualization fabric

Windows Server 2016

Protect the Virtualization Fabric

Windows Server 2016

Hypervisor

Fabric

Storage

Host OS CustomerGuest VM

Attackers target virtual machinesAny compromised or malicious fabric administrators can access guest virtual machinesHealth of hosts not taken into account before running VMs

Tenant’s VMs are exposed to storage and network attacks

Customer

Fabric

Hypervisor

Virtual Machines can’t take advantage of hardware-rooted security capabilities such as TPMs

Guest VM

Healthy host?

Contrast: Bare Metal vs. Regular VM vs. Shielded VMSHIELDED VMUse BitLocker to encrypt the disk and state of virtual machines protecting secrets from compromised admins & malwareHOST GUARDIAN SERVICE Attests to host health releasing the keys required to boot or migrate a Shielded VM only to healthy hostsGENERATION 2 VM Supports virtualized equivalents of hardware security technologies (e.g. TPMs) enabling BitLocker encryption for Shielded VMs

*Configuration dependent

HYPER-V

Virtual machine

HYPER-V

Shieldedvirtual machine

COMPUTER ROOMBUILDING PERIMETER

Physical machine

ServerAdministratorStorageadministratorNetworkadministratorBackupoperatorVirtualization-hostadministratorVirtual machineadministrator

ü

û ü ü

üüüüü

ûûûû û

ûûûû *

Decryption keys: controlled by external system

Guest VM ShieldedVM

H Y P E R -V H O S T 1

+ K E Y P R O T E C T I O N+ H E A LT H A T T E S TA T I O N

HOST GUARD IAN SERV ICE (HGS)W

IND

OW

S SERVER

2016 H

YPER-V H

OSTS

Guest VM

GUARDED FABRICGuest VM

Guest VM Guest VM

H Y P E R -V H O S T 2

Guest VMGuest VM

Guest VM Guest VM

H Y P E R -V H O S T 3

Guest VMGuest VM

Why certainly, I know you & I must say you’re looking very healthy today!

Virtual Secure Mode

Virtual Secure Mode

Virtual Secure Mode

Please, guv’na, can I ‘ave some more keys?

Shielded Virtual Machines

Demonstration

Summary & Compliance Mapping

Windows Server 2016

UNPARALLELED SECURITY• least vulnerable OS 4 years in

a row

2012 2013 2014 20150

50

100

150

200

250

300

350

400

450

500

221

277

233

430

9273

40

156

Linux Kernel Windows Server

Reported Vulnerabilities

Snapshot: our track record + 2016 innovationsBuilt-in security mechanismsPrivileged Identity ManagementCredential Guard / Remote Credential

GuardControl Flow GuardDefenderDevice Guard (Code Integrity +++)Enhanced auditing JEA

Virtualization-based Security (VBS)Windows Server 2016 introduces a new level of security with hardware-rooted Virtualization Based Security (VBS) that enables us to protect the OS from compromised administrators whether running on bare metal or a virtual machine.

HOST SECURITY Hyper-V based fabricProtecting virtual machines Shielded VMs (Server 2012 + R2, 2016 guests) Virtual TPM for generation 2 VMs Host Guardian Service attests to host health Secure boot for Windows and Linux

Hyper-V platform Nano-based Hyper-V host Virtualization Based Security (VBS)

Secure containers Hyper-V containers Containers hosted in a Shielded VM

GUEST SECURITY Secure on any fabricPrivileged Identity Credential Guard/Remote Credential Guard Just In Time administration (JIT) Just Enough Administration (JEA)

Threat resistance Control Flow Guard (CFG) Code Integrity (Device Guard) Built-in anti-malware Nano Server reduces attack surface

Threat detection Enhanced threat detection

Windows Server 2016: a different pivot

Hyper-V Shielded VMs compliance mapping whitepaper

JEA and JIT compliance mapping whitepaper

Device Guard compliance mapping whitepaper

Credential Guard compliance mapping whitepaper

Windows Defender compliance mapping whitepaper

Quick note on compliance: Windows Server 20163rd-party assessment of compliance mappings across various security-related offerings in the Windows Server 2016 wave

Example: Shielded VM Compliance MappingISO 27001: 2013 PCI DSS 3.2 FedRAMP; NIST 800-53 Revision

4

Enforcing Separation of Duties

A.6.1.2– Segregation of duties 

6.4.2 – Separation of duties between test and production environments

AC-5 – Separation of Duties

Implementation of Least Privilege Access

and Partitioning Tenant Functionality

A.9.2.3 – Management of privileged access rightsA.12.1.4 – Separation of development, testing, and operational environments

6.4.1 – Test and Production Environment Separation7.2 – User access control on need-to-know basis7.2.3 – Default “deny-all” setting

AC-6 – Least PrivilegeAC-6 (10) – Prohibit Non-PrivilegedUsers from Executing Privileged FunctionsSC-2 – Application Partitioning

Protecting Information Stored in Shared

ResourcesNone 

8.7 – Restricted access to databases containing cardholder data 

SC-4 – Information in Shared Resources

Protection of Data at Rest

A.8.2.3 – Media Access 

3.4 – Verifying stored PAN is unreadable 3.4.1 – Disk encryption usage and access control6.5.3 – Insecure cryptographic storage

SC-28 – Protection of Information at RestSC-28(1) – Protection of Information at Rest

Security Function Verification and

Integrity MonitoringNone 11.5 – Change-detection mechanism

deploymentSI-6 – Security Function VerificationSI-7 – Software, Firmware, and Information Integrity

Windows Server 2016 Windows Server + System Center

session guide: aka.ms/WS2016Ignite

Related sessions(some from earlier this week)

1 BRK2152: Explore Windows Server 2016 security

2 BRK2145: Secure privileged access from active attacks

3 BRK3124: Dive into Shielded VMs with Windows Server 2016 Hyper-V

4 BRK3126: Discover Shielded VMs and learn about real world deployments

A. Security and Assurance documentationhttps://technet.microsoft.com/en-us/library/mt130644.aspx

B. Demo videos, e.g. MS Mechanics on Shielded VMshttps://youtu.be/Vp5E1-4Ks8E

C. Datacenter/Private Cloud Security Bloghttps://blogs.technet.microsoft.com/datacentersecurity

D. Compliance mappingPreliminary mappings contained in this and other related decks

E. Securing Privileged Access guidancehttp://aka.ms/privsec

F. Microsoft Virtual Academy online courseshttps://mva.microsoft.com/

Resources & next steps…

From your PC or Tablet visit MyIgnite at http://myignite.microsoft.com

From your phone download and use the Ignite Mobile App by scanning the QR code above or visiting https://aka.ms/ignite.mobileapp

Please evaluate this sessionYour feedback is important to us!

If you have additional questions, please feel free to ask them now… thanks for listening!

Q&A

© 2016 Microsoft Corporation. All rights reserved.