Windows Server 2016
Protect your infrastructure with Windows Server 2016 Security
Built-in layers of security | Software-defined datacenter | Cloud-ready application platform
Windows Server + System Center session guide: aka.ms/WS2016Ignite
Session BRK2146
Speakers: Dean Wells (Windows Server), Jane Yan (Windows Server)
... perhaps it's obvious, but why does all this matter?
First: a context refresher
Modern Security Threats
"There are two kinds of big companies: those who've been hacked, and those who don't know they've been hacked."
James Comey, Director, FBI
CYBER THREATS ARE A MATERIAL RISK TO YOUR BUSINESS (source: McKinsey, Ponemon Institute, Verizon)
$3.0 trillion: impact of lost productivity and growth
$4 million: average cost of a data breach (15% year-over-year increase)
$500 million: corporate liability coverage
"Cyber security is a CEO issue." - McKinsey
Cybercrime: State of the Union
• Cybercrime costs US economy up to $140B annually, report says (Los Angeles Times, 2014)
• How hackers allegedly stole "unlimited" amounts of cash from banks in just a few hours (Ars Technica, 2014)
• The biggest cyberthreat to companies could come from the inside (CNET, 2015)
• Cyberattacks on the rise against US corporations (New York Times, 2014)
• Espionage malware infects rafts of governments, industries around the world (Ars Technica, 2014)
• Forget carjacking, soon it will be carhacking (The Sydney Morning Herald, 2014)
• Ransomware, 0days, malware, scams... all are up, says Symantec (The Register, April 2016)
Three trends: (1) increasing incidents; (2) variety of motivations; (3) increasing risk: breaches cost a lot of money (average $4M based on Ponemon Institute)
Cyber security: hidden costs of a breach (before vs. after)
Revenue
  Before: customers pay for your service
  After: you pay customers compensation to keep them using your service
Productivity
  Before: employees efficiently perform the majority of work activities using a desktop computer
  After: employees waste hours a day running back and forth to a fax machine (assuming you still have one)
Overspending reflex
  Before: appropriately sized and dedicated IT security team
  After: IT security team exponentially increases in size and remediation efforts require new and expensive products
Industry reputation
  Before: industry credibility, positive reputation, customer confidence; corporate secrets are secret
  After: loss of credibility, embarrassing information exposed, customers lose faith; corporate secrets are public knowledge, with potential loss of competitive advantage
Ransomware
  Before: HBI/MBI assets available for day-to-day business operations
  After: assets encrypted and key business IT services rendered useless
Customer trust
  Before: customers happy to trust you with their PII
  After: customers reluctant to share information with you
Attack timeline
First host compromise -> (24-48 hours) -> domain admin compromised -> attacker undetected, exfiltrating data, for a mean dwell time of 150+ days (varies by industry) -> attack discovered
Research and preparation: attackers find any weakness and target information on any device or service.
Attackers often target Active Directory and admins to gain access to business assets.
You may be under attack (or already compromised) and unaware.
Anatomy of an attack
Stages: ENTER -> ESTABLISH -> EXPAND -> ENDGAME, spanning the network, device and user layers
Enter: phishing attacks; malicious attachment delivery; browser or document exploit delivery
Establish: malicious attachment execution; browser or document exploit execution; internet service compromise
Expand: stolen credential use; pass-the-hash; kernel-mode malware; kernel exploits
Endgame: espionage, loss of IP, data theft, ransom, lost productivity, business disruption
What do most attacks have in common?
Insider attacks, phishing attacks, fabric attacks, pass-the-hash (PtH) attacks, stolen credentials
Central risk: administrator privileges. Stolen admin credentials are the common element behind insider attacks, phishing attacks and fabric attacks.
These privileged accounts have the keys to the kingdom; we gave them those keys decades ago.
But now those administrators' privileges are being compromised through social engineering, bribery, coercion, private initiatives, etc.
Most attack types seek out and exploit privileged accounts.
Attack vectors
Administrative privileges: attack the applications and infrastructure
1. Compromised privileged accounts
2. Unpatched vulnerabilities
3. Phishing attacks
4. Malware infections
Attack the virtualization fabric itself
5. Compromised fabric exposes guest VMs
6. Easy to modify or copy a VM without notice
7. Can't protect VMs with gates, walls, locks, etc.
8. VMs can't leverage hardware security (e.g. TPMs)
Windows Server Security Posture: security isn't a bolt-on; it's an architectural principle
Protect: ongoing focus and innovation on preventative measures; block known attacks and known malware
Detect: comprehensive monitoring tools to help you spot abnormalities and respond to attacks faster
Respond: leading response and recovery technologies plus deep consulting expertise
Isolate: isolate OS components and secrets; limit admin privileges; rigorously measure host health
Protect credentials and privileged access (Windows Server 2016)
Challenging to protect credentials
(Chart: administrative capability over time for the accounts Ben, Mary, Jake, Admin and Domain admin; the typical administrator holds full capability for an unlimited time.)
Social engineering leads to credential theft. Most attacks seek out and leverage administrative credentials (pass-the-hash, PtH). Administrative credentials often inadvertently provide more privilege than strictly necessary, and for an unlimited time.
Windows Server 2016 approach: JEA and JIT administration
(Chart: the same capability-over-time view for Ben, Mary, Jake, Admin and Domain admin, with each account reduced to the capability and time actually needed.)
Just Enough Administration (JEA) limits administrative privileges to the bare-minimum required set of actions (limited in space). Just in Time Administration (JIT) provides privileged access upon request, through a workflow that is audited and limited in time.
JIT + JEA: demonstrations
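The following is an added example, not code from the deck or from Microsoft: it builds the "limited in space" half of the picture above as a JEA endpoint for domain controller maintenance. The module name DCMaintenance, the group CONTOSO\DC-Maintainers, the service names and the transcript folder are assumptions; the time-bound half (JIT) is provided by MIM PAM or Azure PIM and is not scripted here.

```powershell
# Added example: a JEA endpoint that lets a DC maintenance group restart two
# services and read event logs, and nothing else. Run elevated on the DC.
$moduleRoot = Join-Path $env:ProgramFiles 'WindowsPowerShell\Modules\DCMaintenance'
$rcDir      = Join-Path $moduleRoot 'RoleCapabilities'
New-Item -Path $rcDir -ItemType Directory -Force | Out-Null
# Role capabilities must live under a valid module; an empty manifest is enough.
New-ModuleManifest -Path (Join-Path $moduleRoot 'DCMaintenance.psd1')

# 1. Role capability file: the allow-list of what the role may run ("limited in space").
#    Restart-Service is constrained to two services; every other cmdlet stays hidden.
$roleParams = @{
    Path           = Join-Path $rcDir 'DCMaintenance.psrc'
    VisibleCmdlets = @(
        'Get-Service'
        @{ Name = 'Restart-Service'; Parameters = @{ Name = 'Name'; ValidateSet = 'DNS', 'Netlogon' } }
        @{ Name = 'Get-WinEvent';    Parameters = @{ Name = 'LogName' }, @{ Name = 'MaxEvents' } }
    )
    # A purpose-built function exposes exactly one read-only health view.
    VisibleFunctions    = 'Get-DCHealth'
    FunctionDefinitions = @{
        Name        = 'Get-DCHealth'
        ScriptBlock = { Get-Service -Name DNS, Netlogon, NTDS, Kdc | Select-Object Name, Status }
    }
}
New-PSRoleCapabilityFile @roleParams

# 2. Session configuration: who gets which role, and how the session runs.
#    RunAsVirtualAccount: the operator connects with a low-privileged identity while the
#    session runs as a transient virtual account, so no reusable admin credential is ever
#    typed on (or cached by) the operator's workstation.
$sessionParams = @{
    Path                = Join-Path $moduleRoot 'DCMaintenance.pssc'
    SessionType         = 'RestrictedRemoteServer'   # no scripting language, no extra cmdlets
    RunAsVirtualAccount = $true
    TranscriptDirectory = 'C:\JEATranscripts'        # every command recorded for the SOC
    RoleDefinitions     = @{ 'CONTOSO\DC-Maintainers' = @{ RoleCapabilities = 'DCMaintenance' } }
}
New-PSSessionConfigurationFile @sessionParams
if (-not (Test-PSSessionConfigurationFile -Path $sessionParams.Path)) {
    throw 'Session configuration file failed validation'
}

# 3. Register the endpoint (WinRM is restarted). Operators then connect with
#    Enter-PSSession -ComputerName dc01 -ConfigurationName DCMaintenance
#    and Get-Command inside that session lists only what was allow-listed above.
Register-PSSessionConfiguration -Name 'DCMaintenance' -Path $sessionParams.Path -Force
```

Review the transcripts in C:\JEATranscripts the same way you review any other privileged-activity log; a hidden cmdlet never appears in them because the session cannot invoke it.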
Credential Guard prevents Pass-the-Hash and Pass-the-Ticket attacks by protecting stored credentials and credential artifacts using virtualization-based security (VBS).
Credential Guard: demonstration
Remote Credential Guard works in conjunction with Credential Guard for RDP sessions, providing SSO over RDP while eliminating the need for credentials to be passed to the remote host.
Remote Credential Guard: demonstration
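An added check covering both the Credential Guard and Remote Credential Guard slides (example code, not Microsoft's or the deck's): it reports whether Credential Guard is actually running under VBS, not merely configured, and whether the host is ready to act as a Remote Credential Guard RDP target. The function name is an assumption; the WMI class, property values and registry locations are the documented ones.

```powershell
# Added example: read the live Credential Guard / VBS state from Win32_DeviceGuard
# and the Lsa registry key. Run elevated on the Windows Server 2016 host being checked.
function Get-CredentialGuardPosture {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    # VirtualizationBasedSecurityStatus: 0 = not enabled, 1 = enabled but not running, 2 = running.
    # SecurityServicesRunning is a list: 1 = Credential Guard, 2 = HVCI.
    $vbsRunning  = ($dg.VirtualizationBasedSecurityStatus -eq 2)
    $cgRunning   = ($dg.SecurityServicesRunning -contains 1)
    $hvciRunning = ($dg.SecurityServicesRunning -contains 2)

    # LsaCfgFlags: 1 = Credential Guard on with UEFI lock, 2 = on without lock, 0/absent = off.
    $lsa   = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $flags = if ($null -eq $lsa.LsaCfgFlags) { 0 } else { [int]$lsa.LsaCfgFlags }

    # Remote Credential Guard on the RDP target rides on Restricted Admin mode, which must
    # be allowed: DisableRestrictedAdmin = 0 under the same Lsa key. The client side is
    # mstsc.exe /remoteGuard, which sends Kerberos tickets on demand instead of the password.
    $remoteOk = ($null -ne $lsa.DisableRestrictedAdmin -and [int]$lsa.DisableRestrictedAdmin -eq 0)

    # "Configured but not running" is the state to hunt for: the policy is set, yet a missing
    # VBS prerequisite (UEFI, Secure Boot, VT-x/AMD-V, IOMMU) leaves LSASS secrets in reach of
    # the pass-the-hash tooling this slide is about.
    $gap = if ($flags -eq 0) { 'Not configured' }
           elseif (-not $cgRunning) { 'Configured but not running (check VBS prerequisites)' }
           else { $null }

    [pscustomobject]@{
        ComputerName                = $env:COMPUTERNAME
        VbsRunning                  = $vbsRunning
        CredentialGuardRunning      = $cgRunning
        CredentialGuardUefiLock     = ($flags -eq 1)
        HvciRunning                 = $hvciRunning
        RemoteCredentialGuardTarget = $remoteOk
        Gap                         = $gap
    }
}

Get-CredentialGuardPosture | Format-List
```

Run it across a fleet with Invoke-Command and alert on any object whose Gap is not empty; a configured-but-not-running host looks compliant in policy reports while offering no protection.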
Active Directory Access Path (ADAP)
Scans the environment and constructs a map of all administrators across all machines, enabling analysis of potential attack paths throughout the entire domain.
Real-world case: a scan revealed more than 2,000 Domain Admins; the root cause was unnecessary/unknown group nesting; post-remediation there were 20 Domain Admins.
• some servers were found with 187,000 unintentional administrators
• an existing breach was re-enabling and exploiting disabled accounts
• ADAP revealed the privilege map
Protecting Active Directory and admin privileges (http://aka.ms/privsec)
Phase 1 (2-4 weeks): first response to the most frequently used attack techniques
1. Separate admin account for admin tasks
2. Privileged Access Workstations (PAWs), phase 1: Active Directory admins (http://Aka.ms/CyberPAW)
3. Unique local admin passwords for workstations (http://Aka.ms/LAPS)
4. Unique local admin passwords for servers (http://Aka.ms/LAPS)
Phase 2 (1-3 months): build visibility and control of administrator activity, increase protection against typical follow-up attacks
1. Privileged Access Workstations (PAWs), phases 2 and 3: all admins and additional hardening (Credential Guard, RDP Restricted Admin, etc.) (http://aka.ms/CyberPAW)
2. Time-bound privileges (no permanent admins) (http://aka.ms/PAM, http://aka.ms/AzurePIM)
3. Multi-factor for elevation
4. Just Enough Admin (JEA) for DC maintenance (http://aka.ms/JEA)
5. Lower attack surface of domain and DCs (http://aka.ms/HardenAD)
6. Attack detection (http://aka.ms/ata)
Phase 3 (6+ months): move to a proactive security posture
1. Modernize roles and delegation model
2. Smartcard or Passport authentication for all admins (http://aka.ms/Passport)
3. Admin forest for Active Directory administrators (http://aka.ms/ESAE)
4. Code Integrity policy for DCs (Server 2016)
5. Shielded VMs for virtual DCs (Server 2016 Hyper-V fabric) (http://aka.ms/shieldedvms)
Attacks: DC host attacks; credential theft and abuse; attacker stealth; AD attacks
Defenses: detect attacks; harden DC configuration; reduce DC agent attack surface; prevent escalation; prevent lateral traversal; increase privilege-usage visibility; assign least privilege
Protect applications and data in any cloud (Windows Server 2016)
Protecting the OS: defend against new exploits and block attacks without impacting legitimate workloads, with Control Flow Guard, Windows Defender and Device Guard
Control Flow Guard (CFG)
Helps prevent attacks that use memory corruption vulnerabilities. CFG places controls on how an otherwise-trusted application executes code, providing defenses against exploits such as buffer overflows. Helps ensure that trusted binaries execute as intended.
Windows Defender: in-box anti-malware that is server-workload aware
Deep integration with Windows security systems. Anti-tampering (protecting critical dependent OS services). Registry hardening; "file-less" malware. Actively protects against malware without impacting workloads.
Windows Defender: demonstration
Device Guard: hardware-rooted code integrity
Windows can be locked down to run ONLY trusted binaries; untrusted binaries, such as malware, are unable to run. Protects kernel-mode processes and drivers from zero-day attacks as well as vulnerabilities through the use of HVCI. Code Integrity policies can be signed and protected against malicious administrators.
Device Guard: demonstration
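An added walk-through of the Device Guard lockdown described above (example code, not from the deck or Microsoft's own tooling docs): a Code Integrity policy is generated from a reference server, run in audit mode, then enforced with the "unsigned policy" option removed so a malicious local administrator cannot simply swap the policy file, and HVCI is switched on. The C:\CI folder, the file names and the signing certificate path are assumptions.

```powershell
# Added example: audit-then-enforce Code Integrity policy, plus HVCI. Run elevated.
New-Item -Path 'C:\CI' -ItemType Directory -Force | Out-Null

# 1. Scan the reference image. -Level Publisher trusts binaries by their signing
#    certificate, -Fallback Hash pins unsigned files, -UserPEs covers user mode too.
New-CIPolicy -Level Publisher -Fallback Hash -FilePath 'C:\CI\CIAudit.xml' -ScanPath 'C:\' -UserPEs

# 2. Audit mode (rule option 3): violations are logged, nothing is blocked yet.
Set-RuleOption -FilePath 'C:\CI\CIAudit.xml' -Option 3
ConvertFrom-CIPolicy -XmlFilePath 'C:\CI\CIAudit.xml' -BinaryFilePath 'C:\CI\SIPolicy.p7b'
Copy-Item 'C:\CI\SIPolicy.p7b' "$env:SystemRoot\System32\CodeIntegrity\SIPolicy.p7b" -Force
# Reboot, run the real workload for a while, then list what WOULD have been blocked
# (event 3076 in the CodeIntegrity Operational log) and add rules for anything legitimate:
#   Get-WinEvent -LogName 'Microsoft-Windows-CodeIntegrity/Operational' | Where-Object Id -eq 3076

# 3. Enforce. Drop audit mode, and drop option 6 ("Enabled:Unsigned System Integrity
#    Policy") so only a policy signed by the trusted signer is accepted at boot; that is the
#    "protected against malicious administrators" property from the slide.
Copy-Item 'C:\CI\CIAudit.xml' 'C:\CI\CIEnforced.xml' -Force
Set-RuleOption -FilePath 'C:\CI\CIEnforced.xml' -Option 3 -Delete
Set-RuleOption -FilePath 'C:\CI\CIEnforced.xml' -Option 6 -Delete
# Assumed signer certificate; -Update allows that signer to publish future policy versions.
Add-SignerRule -FilePath 'C:\CI\CIEnforced.xml' -CertificatePath 'C:\CI\PolicySigner.cer' -Kernel -User -Update
ConvertFrom-CIPolicy -XmlFilePath 'C:\CI\CIEnforced.xml' -BinaryFilePath 'C:\CI\SIPolicy.p7b'
# Sign C:\CI\SIPolicy.p7b with the matching code-signing key (signtool, offline signing
# host), then copy the signed file over CodeIntegrity\SIPolicy.p7b and reboot.

# 4. HVCI: kernel-mode code integrity enforced from Virtual Secure Mode, so even a kernel
#    exploit cannot load unsigned driver code.
$hvci = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity'
New-Item -Path $hvci -Force | Out-Null
Set-ItemProperty -Path $hvci -Name 'Enabled' -Value 1 -Type DWord
```

After the enforced policy is live, blocked loads surface as event 3077 in the same log; ship both 3076 and 3077 to the SIEM so a new, unapproved binary on a DC is a detection, not just a denial.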
Respond more intelligently with log analytics integration (Windows Server 2016)
Challenge: turn log files into operational insights
In order to better detect threats, the OS needs to provide additional auditing or event-logging information. Security Information and Event Management (SIEM) systems are only as intelligent as the information provided by the OS.
Windows Server 2016 approach: enhanced auditing and event logs
New audit events are logged to better detect malicious behavior, providing more detailed information to security operations centers. SIEM systems such as Operations Management Suite (OMS) can take advantage of this information to provide intelligence reports on potential breaches in the datacenter environment.
Protect applications with just enough OS (Windows Server 2016)
Challenges in protecting new apps
(Diagram: five containers on a shared kernel (user-mode isolation) beside five VMs on shared hardware (hypervisor isolation).)
Developers are making use of new packaging and deployment tools such as containers. Containers share the same kernel, which limits isolation and exposes compliance and regulatory risks. Lower the risk by providing only the components required by the application to run.
Windows Server 2016 approach
(Diagram: five Hyper-V containers on a shared platform with hypervisor isolation, beside five VMs on shared hardware.)
Hyper-V Containers provide hypervisor isolation for each container with no additional coding requirements, aligning with regulatory requirements for PCI and PII data. Nano Server reduces the attack surface by deploying a minimal "just enough" server footprint.
Protect the virtualization fabric (Windows Server 2016)
Software Defined Networking (SDN) and micro-segmentation (Windows Server 2016)
(Diagram: virtual network "MyNetwork" with three tiers: Tier 1, Subnet1 192.168.1.0/24 (Web Server 1 VM, Web Server 2 VM); Tier 2, Subnet2 192.168.2.0/24 (File Server 1 VM, File Server 2 VM); Tier 3, Subnet3 192.168.3.0/24 (Active Directory VM). Public VIP 10.127.132.6, internal VIP 10.127.132.4, outbound NAT 10.127.132.5.)
The scenario is shown in five views of the same network:
• Application at risk: phishing for secrets
• Application at risk: the attack
• Dynamic security: micro-segmentation
• Dynamic security: using the distributed firewall (network security group, NSG)
• Dynamic security: virtual appliances (a Virtual Appliance VM added to the network)
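The "using the distributed firewall" view above, as an added example (not code from the deck): a Network Controller access control list that confines inbound traffic to the file-server tier, built with the NetworkController PowerShell module's object model. The Network Controller URI https://nc.contoso.local, the ACL name, and the assumption that the web tier only needs SMB (TCP 445) into the file tier are mine; the subnets are the ones on the slide.

```powershell
# Added example: micro-segment Tier 2 (file servers) of "MyNetwork" with the SDN
# distributed firewall. Run from a host with the NetworkController module installed.
Import-Module NetworkController
$uri = 'https://nc.contoso.local'   # assumed Network Controller REST endpoint

function New-AclRule {
    param([string]$Id, [int]$Priority, [string]$Action, [string]$Src, [string]$Dst,
          [string]$Protocol = 'All', [string]$DstPorts = '0-65535')
    $p = New-Object Microsoft.Windows.NetworkController.AclRuleProperties
    $p.Protocol             = $Protocol
    $p.SourcePortRange      = '0-65535'
    $p.DestinationPortRange = $DstPorts
    $p.Action               = $Action
    $p.SourceAddressPrefix      = $Src
    $p.DestinationAddressPrefix = $Dst
    $p.Priority = "$Priority"
    $p.Type     = 'Inbound'
    $p.Logging  = 'Enabled'        # log matches so the SOC sees attempted lateral movement
    $r = New-Object Microsoft.Windows.NetworkController.AclRule
    $r.ResourceId = $Id
    $r.Properties = $p
    return $r
}

# Lowest priority number wins. Only the explicitly needed flows are allowed; the final
# deny is what stops a phished web server from reaching the file servers or AD at will.
$rules = @(
    (New-AclRule -Id 'AllowWebToFileSmb' -Priority 100 -Action Allow -Src '192.168.1.0/24' -Dst '192.168.2.0/24' -Protocol Tcp -DstPorts '445')
    (New-AclRule -Id 'AllowTier2Internal' -Priority 110 -Action Allow -Src '192.168.2.0/24' -Dst '192.168.2.0/24')
    (New-AclRule -Id 'DenyAllInbound'     -Priority 65000 -Action Deny -Src '*' -Dst '*')
)
$aclProps = New-Object Microsoft.Windows.NetworkController.AccessControlListProperties
$aclProps.AclRules = $rules
New-NetworkControllerAccessControlList -ConnectionUri $uri -ResourceId 'FileTier-Acl' -Properties $aclProps -Force

# Bind the ACL to Subnet2 so it is enforced at every file-server vNIC on that subnet,
# including VMs created later, independent of the guest OS firewall.
$acl  = Get-NetworkControllerAccessControlList -ConnectionUri $uri -ResourceId 'FileTier-Acl'
$vnet = Get-NetworkControllerVirtualNetwork -ConnectionUri $uri -ResourceId 'MyNetwork'
$subnet = $vnet.Properties.Subnets | Where-Object { $_.ResourceId -eq 'Subnet2' }
$subnet.Properties.AccessControlList = $acl
New-NetworkControllerVirtualNetwork -ConnectionUri $uri -ResourceId 'MyNetwork' -Properties $vnet.Properties -Force
```

Give the Active Directory subnet its own ACL in the same way; a single shared "allow all between tiers" list is the configuration the attack view on the slide relies on.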
Protect the virtualization fabric (Windows Server 2016)
(Diagram: hypervisor, fabric and storage beneath the host OS, with the customer's guest VM on top; the open question is "healthy host?")
Attackers target virtual machines. Any compromised or malicious fabric administrator can access guest virtual machines. The health of hosts is not taken into account before running VMs. Tenants' VMs are exposed to storage and network attacks. Virtual machines can't take advantage of hardware-rooted security capabilities such as TPMs.
Contrast: bare metal vs. regular VM vs. Shielded VM
Shielded VM: uses BitLocker to encrypt the disk and state of virtual machines, protecting secrets from compromised admins and malware.
Host Guardian Service: attests to host health, releasing the keys required to boot or migrate a Shielded VM only to healthy hosts.
Generation 2 VM: supports virtualized equivalents of hardware security technologies (e.g. TPMs), enabling BitLocker encryption for Shielded VMs.
(Table: for a physical machine in the computer room inside the building perimeter, a regular Hyper-V virtual machine and a Hyper-V Shielded virtual machine, which roles can reach the machine's data: server administrator, storage administrator, network administrator, backup operator, virtualization-host administrator, virtual machine administrator. The regular VM is marked accessible to every role; the Shielded VM is marked denied across the fabric roles, with one entry marked * = configuration dependent.)
(Diagram: guarded fabric. The Host Guardian Service (HGS) provides key protection and health attestation; decryption keys are controlled by this external system. Windows Server 2016 Hyper-V hosts 1, 2 and 3 each run guest VMs and Shielded VMs inside Virtual Secure Mode.)
HGS to host: "Why certainly, I know you and I must say you're looking very healthy today!"
Host to HGS: "Please, guv'na, can I 'ave some more keys?"
Shielded Virtual Machines: demonstration
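An added posture check for the guarded fabric just described (example code, not from the deck): it reads the host's HGS client state, which decides whether HGS will release keys to it, and then reports for each VM whether it is actually shielded (Generation 2, vTPM, Secure Boot, encrypted state and migration traffic). The function name and the "Finding" wording are assumptions; it assumes the HgsClient and Hyper-V modules of a Windows Server 2016 host.

```powershell
# Added example: report guarded-host state and per-VM shielding on this Hyper-V host.
function Get-GuardedFabricPosture {
    # Host side: in HostGuardianService mode the host must pass attestation before the
    # key protection service hands over the keys that unlock a Shielded VM's disks.
    $hgs = Get-HgsClientConfiguration
    $hostReport = [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        Mode                = $hgs.Mode                 # Local or HostGuardianService
        IsHostGuarded       = $hgs.IsHostGuarded
        AttestationStatus   = $hgs.AttestationStatus
        AttestationServer   = $hgs.AttestationServerUrl
        KeyProtectionServer = $hgs.KeyProtectionServerUrl
    }

    # VM side: Get-VMSecurity exposes the shielding flags; Secure Boot lives in the
    # Generation 2 firmware settings.
    $vmReports = foreach ($vm in Get-VM) {
        $sec = Get-VMSecurity -VM $vm
        $fw  = if ($vm.Generation -eq 2) { Get-VMFirmware -VM $vm } else { $null }
        $finding = if (-not $sec.Shielded) {
            # Exactly the exposure from the slides: a fabric admin can copy or modify the VHDX.
            'Not shielded: disk and state readable by fabric administrators'
        } elseif (-not $sec.EncryptStateAndVmMigrationTraffic) {
            'Shielded but migration traffic not encrypted'
        } else { $null }

        [pscustomobject]@{
            VMName                     = $vm.Name
            Generation                 = $vm.Generation
            Shielded                   = $sec.Shielded
            vTPM                       = $sec.TpmEnabled
            SecureBoot                 = [bool]($fw -and $fw.SecureBoot -eq 'On')
            EncryptedStateAndMigration = $sec.EncryptStateAndVmMigrationTraffic
            Finding                    = $finding
        }
    }

    [pscustomobject]@{ Host = $hostReport; VMs = $vmReports }
}

$posture = Get-GuardedFabricPosture
$posture.Host | Format-List
$posture.VMs  | Format-Table -AutoSize
```

Any domain controller VM that shows a Finding is a candidate for the "Shielded VMs for virtual DCs" step in the 6+ month phase of the privileged-access roadmap earlier in the deck.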
Summary and compliance mapping (Windows Server 2016)
Unparalleled security: least vulnerable OS 4 years in a row
(Chart: reported vulnerabilities per year, 2012-2015, Linux kernel vs. Windows Server; values printed on the slide, as extracted: Linux kernel 221, 277, 233, 430; Windows Server 92, 73, 40, 156.)
Snapshot: our track record + 2016 innovations
Built-in security mechanisms: Privileged Identity Management; Credential Guard / Remote Credential Guard; Control Flow Guard; Defender; Device Guard (Code Integrity +++); enhanced auditing; JEA
Virtualization-based Security (VBS): Windows Server 2016 introduces a new level of security with hardware-rooted Virtualization Based Security (VBS) that enables us to protect the OS from compromised administrators, whether running on bare metal or a virtual machine.
Host security (Hyper-V based fabric)
• Protecting virtual machines: Shielded VMs (Server 2012 / 2012 R2 and 2016 guests); virtual TPM for generation 2 VMs; Host Guardian Service attests to host health; Secure Boot for Windows and Linux
• Hyper-V platform: Nano-based Hyper-V host; Virtualization Based Security (VBS)
• Secure containers: Hyper-V containers; containers hosted in a Shielded VM
Guest security (secure on any fabric)
• Privileged identity: Credential Guard / Remote Credential Guard; Just In Time administration (JIT); Just Enough Administration (JEA)
• Threat resistance: Control Flow Guard (CFG); Code Integrity (Device Guard); built-in anti-malware; Nano Server reduces attack surface
• Threat detection: enhanced threat detection
Windows Server 2016: a different pivot
Quick note on compliance: Windows Server 2016 has 3rd-party assessment of compliance mappings across various security-related offerings in the Windows Server 2016 wave, published as whitepapers for Hyper-V Shielded VMs, JEA and JIT, Device Guard, Credential Guard and Windows Defender.
Example: Shielded VM compliance mapping (ISO 27001:2013 / PCI DSS 3.2 / FedRAMP; NIST 800-53 Revision 4)
Enforcing separation of duties
  ISO 27001: A.6.1.2 – Segregation of duties
  PCI DSS: 6.4.2 – Separation of duties between test and production environments
  NIST 800-53: AC-5 – Separation of Duties
Implementation of least-privilege access and partitioning tenant functionality
  ISO 27001: A.9.2.3 – Management of privileged access rights; A.12.1.4 – Separation of development, testing, and operational environments
  PCI DSS: 6.4.1 – Test and production environment separation; 7.2 – User access control on need-to-know basis; 7.2.3 – Default "deny-all" setting
  NIST 800-53: AC-6 – Least Privilege; AC-6(10) – Prohibit Non-Privileged Users from Executing Privileged Functions; SC-2 – Application Partitioning
Protecting information stored in shared resources
  ISO 27001: none
  PCI DSS: 8.7 – Restricted access to databases containing cardholder data
  NIST 800-53: SC-4 – Information in Shared Resources
Protection of data at rest
  ISO 27001: A.8.2.3 – Media access
  PCI DSS: 3.4 – Verifying stored PAN is unreadable; 3.4.1 – Disk encryption usage and access control; 6.5.3 – Insecure cryptographic storage
  NIST 800-53: SC-28 – Protection of Information at Rest; SC-28(1) – Protection of Information at Rest
Security function verification and integrity monitoring
  ISO 27001: none
  PCI DSS: 11.5 – Change-detection mechanism deployment
  NIST 800-53: SI-6 – Security Function Verification; SI-7 – Software, Firmware, and Information Integrity
Windows Server + System Center session guide: aka.ms/WS2016Ignite
Related sessions (some from earlier this week)
1. BRK2152: Explore Windows Server 2016 security
2. BRK2145: Secure privileged access from active attacks
3. BRK3124: Dive into Shielded VMs with Windows Server 2016 Hyper-V
4. BRK3126: Discover Shielded VMs and learn about real-world deployments
Resources and next steps
A. Security and Assurance documentation: https://technet.microsoft.com/en-us/library/mt130644.aspx
B. Demo videos, e.g. MS Mechanics on Shielded VMs: https://youtu.be/Vp5E1-4Ks8E
C. Datacenter/Private Cloud Security Blog: https://blogs.technet.microsoft.com/datacentersecurity
D. Compliance mapping: preliminary mappings contained in this and other related decks
E. Securing Privileged Access guidance: http://aka.ms/privsec
F. Microsoft Virtual Academy online courses: https://mva.microsoft.com/
If you have additional questions, please feel free to ask them now… thanks for listening!
Q&A
© 2016 Microsoft Corporation. All rights reserved.