
Do Your Work More Securely with Windows Server 2016!


Emre Aydın | Microsoft MVP | 16 Years Exp. | Senior Solution Consultant | Master Trainer | Author & Speaker

IT is being pulled in two directions

Support business agility and innovation

Provide secure, controlled IT resources

*Source: Gartner Group, 2016

Security threats

Datacenter efficiency

Supporting innovation

Security is top IT priority

Security threats

Increasing incidents

Multiple motivations

Bigger risk

Why security is a top IT priority


Attack timeline

First host compromised to domain admin compromised: 24–48 hours

Domain admin compromised to attack discovered: more than 200 days (varies by industry)


Protect identity

Help secure virtual machines

Add built-in layers of security


Typical administrator

Protecting privileged credentials

(diagram labels: Ben, Mary, Jake, Admin, Domain admin)

Just Enough and Just in Time administration

(chart axes: Capability vs. Time)

Credential Guard Prevents Pass-the-Hash and Pass-the-Ticket attacks by protecting stored credentials through virtualization-based security.

Remote Credential Guard Works in conjunction with Credential Guard for RDP sessions to deliver Single Sign-On (SSO), eliminating the need to pass credentials to the RDP host.

Just Enough Administration Limits administrative privileges to the bare-minimum required set of actions (limited in space).

Just-in-Time Administration Provides privileged access through a workflow that is audited and limited in time.

Capability and time needed
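As an added example that is not part of the deck, the PowerShell commands below register a Just Enough Administration endpoint that exposes only a handful of cmdlets, runs under a temporary virtual account and records transcripts for audit. The group name CONTOSO\DC-Maintenance, the endpoint name DCMaintenance, the folder paths and the permitted service names are assumptions.

```powershell
# Added example, not from the presentation. Assumed names: the AD group
# CONTOSO\DC-Maintenance, endpoint "DCMaintenance", the paths below and the
# two services an operator is allowed to restart.
$modulePath = Join-Path $env:ProgramFiles 'WindowsPowerShell\Modules\DCMaintenance'
New-Item -ItemType Directory -Path (Join-Path $modulePath 'RoleCapabilities') -Force | Out-Null

# A (near-empty) module manifest so JEA can discover the role capability folder.
New-ModuleManifest -Path (Join-Path $modulePath 'DCMaintenance.psd1')

# Role capability: an allow-list of cmdlets, with sensitive parameters pinned
# to fixed values ("limited in space" in the slide's words).
$roleParams = @{
    Path           = Join-Path $modulePath 'RoleCapabilities\DCMaintenance.psrc'
    VisibleCmdlets = @(
        'Get-Service',
        @{ Name = 'Restart-Service'
           Parameters = @{ Name = 'Name'; ValidateSet = 'DNS', 'Netlogon' } },
        @{ Name = 'Get-WinEvent'; Parameters = @{ Name = 'LogName' } }
    )
}
New-PSRoleCapabilityFile @roleParams

# Session configuration: RestrictedRemoteServer hides every command not listed,
# the virtual account holds local admin rights only for the life of the session,
# and every command is written to a transcript for later review.
$sessionParams = @{
    Path                = Join-Path $modulePath 'DCMaintenance.pssc'
    SessionType         = 'RestrictedRemoteServer'
    RunAsVirtualAccount = $true
    TranscriptDirectory = 'C:\ProgramData\JEATranscripts'
    RoleDefinitions     = @{
        'CONTOSO\DC-Maintenance' = @{ RoleCapabilities = 'DCMaintenance' }
    }
}
New-PSSessionConfigurationFile @sessionParams

# Validate the file before registering; returns $true when it parses cleanly.
if (-not (Test-PSSessionConfigurationFile -Path $sessionParams.Path)) {
    throw 'Session configuration file is invalid'
}
Register-PSSessionConfiguration -Name 'DCMaintenance' -Path $sessionParams.Path -Force

# Operator side (run from a PAW): only the allow-listed commands exist here.
# Enter-PSSession -ComputerName dc01 -ConfigurationName DCMaintenance
```

Because the connected user is never given a standing domain admin credential, a compromised operator workstation yields only the constrained endpoint, and the transcript directory gives the SOC a per-session record to review.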

Challenges protecting virtual machines

Virtual machines are easy to modify and copy.

Multiple fabric administrators typically have access.

Any compromised or malicious fabric administrators can access guest virtual machines.

Features to help protect virtual machines

Shielded Virtual Machines Use BitLocker to encrypt the disk and state of virtual machines protecting secrets from compromised admins and malware.

Host Guardian Service Attests to host health releasing the keys required to boot or migrate a Shielded VM only to healthy hosts.

Generation 2 VMs Supports virtualized equivalents of hardware security technologies (e.g., TPMs) enabling BitLocker encryption for Shielded Virtual Machines.

(diagram labels: Building perimeter, Computer room, Physical machine, Hyper-V, Virtual machine; Hyper-V, Shielded virtual machine)

Shielded Virtual Machines work with Host Guardian Service

(diagram: a Cloud/Datacenter with Hyper-V Host 1, Hyper-V Host 2 and Hyper-V Host 3, each running a hypervisor, a host OS and guest VMs; the Host Guardian Service provides Key Protection)


Keys are released only to hosts attested as healthy.

Key release criteria (TPM mode)

1. Known physical machines

2. Trusted Hyper-V instance

3. CI-compliant configuration

Challenges in protecting the OS

New exploits can attack the OS boot-path all the way up through applications.

Known and unknown threats need to be blocked without impacting legitimate workloads.

Help protect the OS and applications, on-premises or in any cloud

Device Guard Ensure that only permitted binaries can be executed from the moment the OS is booted.

Windows Defender Actively protects from known malware without impacting workloads.

Control Flow Guard Protects against unknown vulnerabilities by helping prevent memory corruption attacks.

Help protect Active Directory, admin privileges (roadmap timeline labels: 6+ months, 1-3 months)

First response to the most frequently used attack techniques.

Separate admin account for admin tasks

Privileged Access Workstations (PAWs) Phase 1 – Active Directory admins: http://Aka.ms/CyberPAW

Unique local admin passwords for workstations: http://Aka.ms/LAPS

Unique local admin passwords for servers: http://Aka.ms/LAPS

Help protect Active Directory, admin privileges (roadmap timeline labels: 6+ months, 2-4 weeks)

Build visibility and control of administrator activity, increase protection against typical follow-up attacks.

Privileged Access Workstations (PAWs) Phases 2 and 3 – All admins and additional hardening (Credential Guard, RDP Restricted Admin, etc.): http://aka.ms/CyberPAW

Just Enough Admin (JEA) for DC maintenance: http://aka.ms/JEA

Lower attack surface of domain and DCs: http://aka.ms/HardenAD

Time-bound privileges (no permanent admins): http://aka.ms/PAM; http://aka.ms/AzurePIM

Attack detection: http://aka.ms/ata

Multi-factor for elevation


Help protect Active Directory, admin privileges: http://aka.ms/privsec (roadmap timeline labels: 1-3 months, 2-4 weeks)


Admin Forest for Active Directory administrators: http://aka.ms/ESAE

Device Guard policy for DCs (Server 2016)

Modernize roles and delegation model

Shielded VMs for virtual DCs (Server 2016 Hyper-V fabric): http://aka.ms/shieldedvms

Windows Server 2016 security summary

Virtualization Fabric

Protecting virtual machines

Shielded VMs (Server 2012, 2016 guests)

Virtual TPM for Generation 2 VMs

Guarded fabric attesting to host health

Secure boot for Windows and Linux

Hyper-V platform

Nano based Hyper-V host

Virtualization-based security

Distributed networking firewall

Secure containers

Hyper-V containers

Containers hosted in a Shielded VM

Infrastructure and applications

Privileged identity

Credential Guard

Remote Credential Guard

Just In Time administration

Just Enough administration

Threat resistance

Control Flow Guard

Device Guard

Built in anti-malware

Threat detection

Enhanced threat detection

© 2016 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.

The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation.

MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.