HAROLD BAELE MICROSOFT CLOUD TECHNICAL CONSULTANT MICROSOFT CERTIFIED TRAINER. New protection capabilities in Windows Server 2016

Transcription

1 HAROLD BAELE MICROSOFT CLOUD TECHNICAL CONSULTANT MICROSOFT CERTIFIED TRAINER New protection capabilities in Windows Server 2016

2 HAROLD BAELE MICROSOFT CLOUD TECHNICAL CONSULTANT AND MICROSOFT CERTIFIED Trainer since 2000 on Operating Systems, Networking, AD Exchange Office 365 PowerShell Azure IAAS Consultant since 2016 Azure IAAS Office 365 since 2015 in a Hybrid Cloud context ModernBiz - PPE s CSP Workshops

3 Security is a top priority for IT Increasing incidents Multiple motivations Bigger risk

4 Breaches cost a lot of money (Average $4M based on Ponemon Institute) Customers pay for your services Before $ $ $ $ After You pay customers compensation to keep them using your services Productivity Employees efficiently perform work activities Employees waste hours a day using manual processes $ Overspending Reflex Appropriately sized & dedicated IT Security team IT Security team exponentially increases in size and remediation efforts require new and expensive products

5 Attack timeline First host compromised Domain admin compromised Attack discovered hours Mean dwell time 150+ days (varies by industry)

6 Example attack scenario

7 Hard lessons The network is no longer the security perimeter (it hasn t been for some time) Entry we can t stop this from happening Identity is the (new) security perimeter People will be fooled, bribed, blackmailed, etc. Eliminating human error isn t possible Insider-attacks are a big problem Compliance is very important Prevention methods aren t always technical or architectural Phishing works and will continue to do so Anomalous activity monitoring helps in detection; limit access through identity management & isolation But compliance and security are not the same thing: compliant!= secure Many will be operational and that will impose some level of additional operational friction security has a price $$$

8 Managed privileged identities Secure virtualization Secure the OS

9 Help protect credentials and privileged access

10 Challenges in protecting credentials Social engineering leads to credential theft Most attacks involve gathering credentials (Pass-the-Hash attacks) Ben Mary Jake Admin Typical administrator Domain admin Administrative credentials typically provide unnecessary extra rights for unlimited time Capability Time

11 Helping protect privileged credentials Just Enough Administration (JEA) Just in Time Administration (JIT) Ben Mary Jake Admin JEA and JIT administration Domain admin Covered by Anthony Van Den Bossche in Identity: driving enterprise Mobility and Security Capability Capability and time needed Time

12 Helping protect privileged credentials Just Enough Administration (JEA) Just in Time Administration (JIT) Ben Mary Jake Admin Domain admin Credential Guard JEA and JIT administration Capability Capability and time needed Time

13 Helping protect privileged credentials Just Enough Administration (JEA) Just in Time Administration (JIT) Ben Mary Jake Admin Domain admin Credential Guard JEA and JIT administration Remote Credential Guard Capability Capability and time needed Time

14 VIRTUALISATION BASED SECURITY Credential process is doubled and running in Isolated User Mode Drivers or other kernel processes can access memory addresses where credentials hashes are stored LSALSO.exe is running in a separate zone, container based on virtualisation

15 ENABLING CREDENTIAL GUARD Using registry key Using Group Policy Using DISM (offline image servicing) 1. Add the virtualization-based security features by using Programs and Features 2. HKEY_LOCAL_MACHINE\System\ CurrentControlSet\Control\LSA\ LsaCfgFlags DWORD value = 1 (with UEFI lock) or 2 (without UEFI lock) 1. dism /image:<wim file name> /Enable- Feature /FeatureName:Microsoft-Hyper- V-Hypervisor 2. dism /image:<wim file name> /Enable- Feature /FeatureName:IsolatedUserMode

16 REQUIREMENTS WINDOWS 10 Windows 10 Enterprise Active Directory (any forest or domain level) UEFI firmware or higher Secure firmware update process Secure Boot Intel VT-x or AMD-V Intel VT-d or AMD-Vi I/O memory management unit Second Level Address Translation 64-bit CPU TPM 2.0

17 REQUIREMENTS SERVER 2016 Active Directory (any forest or domain level) UEFI firmware or higher Secure firmware update process Secure Boot Cannot be a domain controller

18 REQUIREMENTS FOR VIRTUAL MACHINES The Hyper-V host must have an IOMMU, input output memory management unit (IOMMU) is a memory management unit (MMU) that connects a direct-memory-access capable (DMA-capable) I/O bus to the main memory Host and guest must be running Windows Server 2016 or Windows 10 version The Hyper-V virtual machine must be Generation 2, have an enabled virtual TPM

19 USING HASHES & IMPLEMENTING CREDENTIAL GUARD MimiKatz Preparations: No antivirus running NewAdmin is domain administrator On Client local share with localadmin credentials created On client share for NewUser accessible only CMD with admin credentials GEN2DC NWTRADERS.LOCAL SECURESRV1 Using hash to connect to connect /24 Credential guard implemented using GPO W2016VM Win10VM

20 REMOTE CREDENTIAL GUARD No hash on remote session SSO with SSO One Identity checked at every connection aka Single Sign On Previous Identity check re-used aka Seamless Sign On

21 CONSIDERATIONS FOR REMOTE CREDENTIAL GUARD Active Directory Directory Services only. Remote Desktop Gateway is not compatible with RCG. No use of saved credentials. Needs the same domain or trusted domains. Forcing it: mstsc /remoteguard

22 LOGGING ON WITH REMOTE CREDENTIAL GUARD Preparation: GPO with remote credential guard From Gen2DC, RDP to Win10VM with current credentials

23 YOU ENABLED CREDENTIAL GUARD. WHAT CREDENTIALS ARE STILL IN THE OPEN? Software that manages credentials outside of Windows feature protection Local accounts and Microsoft Accounts The Directory database running on Windows Server 2016 domain controllers Credential input pipelines, such as Windows Server 2016 servers running Remote Desktop Gateway Key loggers Physical attacks Attacker with malware on the PC using the privileges associated with any credential Third-party security packages Digest and CredSSP credentials Supplied credentials for NTLM authentication are not protected Stored credentials

24 DISABLE CREDENTIAL (DEVICE) GUARD FROM OUTSIDE THE VM Credential guard and device guard rely on Virtualization Based Security From the host, you can disable this for a virtual machine: Set-VMSecurity -VMName <VMName> -VirtualizationBasedSecurityOptOut $true

25 Secure virtualization

26 Challenges protecting virtual machines Any compromised or malicious fabric administrators can access guest virtual machines. Health of hosts not taken into account before running VMs. Tenant s VMs are exposed to storage and network attacks. Virtual machines can t take advantage of hardwarerooted security capabilities such as TPMs.

27 Helping protect virtual machines Shielded Virtual Machines Use BitLocker to encrypt the disk and state of virtual machines protecting secrets from compromised admins and malware. Building perimeter Computer room Hyper-V Hyper-V Host Guardian Service Attests to host health releasing the keys required to boot or migrate a Shielded VM only to healthy hosts. Generation 2 VMs Supports virtualized equivalents of hardware security technologies (e.g., TPMs) enabling BitLocker encryption for Shielded Virtual Machines. Physical machine Virtual machine Shielded virtual machine ` *

28 Demonstration video Shielded VMs

29 GUARDED FABRIC Shielded VM Virtual Secure Mode HYPER- V HOST 1 Hello, I m HOST1, can I have some keys, please? HOST GUARDIAN SERVICE (HGS) WINDOWS SERVER 2016 HYPER- V HOSTS HYPER- V HOST 2 Virtual Secure Mode Virtual Secure Mode HYPER- V HOST 3 Why certainly, I know you & I must say you re looking very healthy today! + KEY PROTECTION + HEALTH ATTESTATION

30 GUARDED FABRIC Shielded VM HOST GUARDIAN SERVICE (HGS) WINDOWS SERVER 2016 HYPER- V HOSTS HYPER- V HOST 1 HYPER- V HOST 2 Virtual Secure Mode Virtual Secure Mode Virtual Secure Mode HYPER- V HOST 3 OK, so I m healthy then! Can I have the keys now? Sure, your certificate of health authorizes me to release keys to you for 8 hours + KEY PROTECTION + HEALTH ATTESTATION

31 Shielded VMs Multiple levels of security

32 Shielded VMs Host Guardian Service

33 Shielded VMs Attestation mode types Attestation mode you choose for hosts Host assurances TPM-trusted attestation: Offers the strongest possible protections but also requires more configuration steps. Host hardware and firmware must include TPM 2.0 and UEFI with secure boot enabled. Admin-trusted attestation: Intended to support existing host hardware where TPM 2.0 is not available. Requires fewer configuration steps and is compatible with commonplace server hardware. Guarded hosts that can run shielded VMs are approved based on their TPM identity, measured boot sequence and code integrity policies so that you can ensure that these hosts are only running approved code. Guarded hosts that can run shielded VMs are approved by the Host Guardian Service based on membership in a designated Active Directory Domain Services (AD DS) security group.

34 Shielded VMs Trusted apps on trusted Hosts

35 Shielded VMs Trusted hardware check

36 Shielded VMs VHD protection using trusted VHD image

37 Shielded VMs shielding data

38 Shielded VMs - guardian

39