Windows Server 2019 – the big change has come
Dr. Mike Jankowski-Lorek
CQURE: Cloud Solutions & Security Expert
CQURE Academy: Trainer
[email protected]
www.cqureacademy.com
www.cqure.pl
@MJL_PL @CQUREAcademy
About CQURE
• CQURE is a well-established company present on the market for 10 years!
• Each CQURE Team Member has over 10 years of experience in the field of cybersecurity, some even more than 20.
• Our Experts were granted access to Source Code of Windows – privilege given to just a few entities in the world.
• We work all over the world and cooperate with small, medium and enterprise level companies, including governmental organizations.
About CQURE
Offices: Warsaw, Zug, New York, Dubai
About CQURE – Areas of Expertise
• Knowledge Sharing (Trainings and Conferences)
• CQURE Cyber Lab (Research & Development)
• Security Services and Consulting
About CQURE – Consulting
Penetration Testing, Vulnerability Assessment, Security Consulting, Social Engineering Tests, Personal Data Protection Audits, Hardening, Reverse Engineering, Red Teaming, GDPR Audits, Implementations, Security Code Review, Migrations, Optimization, Configuration Review, Forensics and Incident Handling Services
About CQURE – CQURE Academy
Custom cybersecurity trainings for companies and teams
Delivered on-site all over the world
Pre-recorded or live webinars
Open trainings hosted by our Partners in 13 countries
About CQURE – Appearances
About Me
System, Software and Database Architect
• Systems – AD, ADFS, PKI
• Databases – MS SQL, Oracle
• .NET Developer
• Messaging and Communications – Exchange
• Secure Software Development and Integration
Deep background in designing, merging and integrating processes for Core Microsoft Infrastructure
Great experience in heterogeneous environment integrations
Data mining, Machine Learning and Artificial Intelligence enthusiast
Presentation
Please say something about yourselves:
• What do you do, and how is it related to attending this course?
• What do you want to achieve by attending this course?
• What is the most important thing for you in this course?
• What is your experience with: Active Directory Management, VPN, Group Policy Objects, IPsec, security, Azure, networking, PowerShell, PKI, Sysinternals?
Security perimeters were simpler in the old world… but now threats and security have evolved… The world’s most valuable resource is no longer oil, but data
The Economist - May 6th 2017
http://www.economist.com/news/leaders/21721656-data-economy-demands-new-approach-antitrust-rules-worlds-most-valuable-resource
Secure Modern Enterprise
• Identity – Embraces identity as primary security perimeter and protects identity systems, admins, and credentials as top priorities
• Apps and Data – Aligns security investments with business priorities including identifying and securing communications, data, and applications
• Infrastructure – Operates on a modern platform and uses cloud intelligence to detect and remediate both vulnerabilities and attacks
• Devices – Accesses assets from trusted devices with hardware security assurances, great user experience, and advanced threat detection
• Secure Platform (secure by design)
Related services (diagram): Office 365, Dynamics 365, Data Loss Protection, Data Governance, eDiscovery, SQL Encryption & Data Masking, +Monitor
Process memory: Virtual address spaces
• Each user mode process has its own private memory space
• Kernel-mode OS and kernel mode driver code share a single virtual address space
• Windows does not protect read/write memory being used by components running in kernel mode from other components running in kernel mode
• Kernel mode code has complete access to the whole system space memory
Kernel mode vs User mode
Kernel mode:
• Code has complete and unrestricted access to the underlying hardware
• Code can execute any processor instruction and reference any memory address
• Used by the most trusted functions of the operating system and hardware drivers
• A crash in kernel mode is catastrophic (“blue screen”)
User mode:
• Code has no ability to directly access hardware
• Hardware and memory access is done through the API
• Crashes in user mode are recoverable – a single process is killed
Virtual Secure Mode
Virtual Secure Mode (VSM) architecture (diagram): Hardware; Windows Hypervisor; normal Windows – Kernel, Local Security Auth Service, Code Integrity, Apps; Virtual Secure Mode – Kernel, Virtual TPM, Local Security Auth Service, Code Integrity
Pass-The-Hash Solution: Virtual Secure Mode
VSM uses a Hyper-V powered secure execution environment to protect derived credentials – you can get things in but can’t get things out
Decouples the NTLM hash from the logon secret
Fully randomizes and manages a full length NTLM hash to prevent brute force attack
Derived credentials that the VSM-protected LSA Service gives to Windows are non-replayable
Credential Guard: What is it?
Credential Guard uses virtualization-based security to isolate secrets such as cached credentials
Mitigates pass-the-hash or pass-the-ticket attacks
Takes advantage of hardware security including Secure Boot and virtualization
Credential Guard: Isolated User Mode
Once an attacker has administrative privileges on a machine, it is possible to pull secrets from the memory space of the operating system. With IUM there is a boundary:
• Drivers can’t get into the Local Security Authority
• Strict signing is enforced in the IUM
• Credentials are encrypted
Credential Guard: Hardware requirements
• Windows 10 Enterprise or Education editions
• Unified Extensible Firmware Interface (UEFI) 2.3.1 or greater
• Virtualization extensions such as Intel VT-x, AMD-V and SLAT must be enabled
• x64 version of Windows
• IOMMU, such as Intel VT-d, AMD-Vi
• TPM 2.0
• BIOS lockdown
Credential Guard: On Virtual Machine
Credential Guard can also be deployed on a virtual machine. The virtual machine must fulfill the following requirements:
• Generation 2 VM
• Enabled virtual TPM
• Running Windows 10 or Windows Server 2016
Credential Guard: Limitations
Enabling Credential Guard blocks:
• Kerberos DES encryption support
• Kerberos unconstrained delegation
• Extracting the Kerberos TGT
• NTLMv1
Applications will prompt and expose credentials to risk:
• Digest authentication
• Credential delegation
• MS-CHAPv2
Credential Guard: Without protection
Credential Guard does not protect:
• Local accounts
• Microsoft accounts
• AD database on domain controllers
• Against key loggers
• Credman
When deployed in a VM it protects against attacks inside the VM, however not against attacks originating from the host.
Demo: Credential Guard
• VSM enabled
• Credential Guard enabled
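The two demo checks above (is VSM enabled, is Credential Guard enabled) can be scripted. The following is an added example, not code from the deck: it reads the documented Win32_DeviceGuard WMI class and the LsaCfgFlags registry value, and reports whether Credential Guard is merely configured or actually running. The function name and the output shape are my own.

```powershell
# Added example (not from the original deck): report whether VBS and Credential Guard
# are configured and actually running on the local machine.
function Get-CredentialGuardState {
    [CmdletBinding()]
    param()

    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName 'Win32_DeviceGuard' -ErrorAction SilentlyContinue
    if (-not $dg) {
        throw 'Win32_DeviceGuard is not available; this Windows build does not expose VBS status.'
    }

    # VirtualizationBasedSecurityStatus: 0 = not enabled, 1 = enabled but not running, 2 = enabled and running
    $vbs = [int]$dg.VirtualizationBasedSecurityStatus
    $vbsStatus = if ($vbs -eq 2) { 'Enabled and running' }
                 elseif ($vbs -eq 1) { 'Enabled, not running' }
                 elseif ($vbs -eq 0) { 'Not enabled' }
                 else { "Unknown ($vbs)" }

    # SecurityServicesConfigured / SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI
    $cgConfigured = $dg.SecurityServicesConfigured -contains 1
    $cgRunning    = $dg.SecurityServicesRunning    -contains 1
    $hvciRunning  = $dg.SecurityServicesRunning    -contains 2

    # LsaCfgFlags: 0 = disabled, 1 = enabled with UEFI lock, 2 = enabled without UEFI lock; absent = not configured
    $lsaCfg = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name 'LsaCfgFlags' -ErrorAction SilentlyContinue).LsaCfgFlags
    $lockState = if ($null -eq $lsaCfg) { 'Not configured in registry' }
                 elseif ($lsaCfg -eq 1) { 'Enabled with UEFI lock' }
                 elseif ($lsaCfg -eq 2) { 'Enabled without UEFI lock' }
                 elseif ($lsaCfg -eq 0) { 'Disabled' }
                 else { "Unknown ($lsaCfg)" }

    # "Configured" alone is not protection: the service must be running on top of a running VBS.
    [pscustomobject]@{
        ComputerName                = $env:COMPUTERNAME
        VirtualizationBasedSecurity = $vbsStatus
        CredentialGuardConfigured   = $cgConfigured
        CredentialGuardRunning      = $cgRunning
        HvciRunning                 = $hvciRunning
        LsaCfgFlags                 = $lockState
        Protected                   = ($cgRunning -and $vbs -eq 2)
    }
}

Get-CredentialGuardState | Format-List
```

The distinction between SecurityServicesConfigured and SecurityServicesRunning is the one to watch in an audit: a machine whose policy enables Credential Guard but whose firmware lacks one of the hardware requirements listed above reports it as configured and never as running.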
Virtual smart cards: What is it?
Smart cards are physical devices which improve authentication security by requiring that users have their smart card to access the system. Smart cards have three key properties that help maintain their security:
• Non-exportability
• Isolated cryptography
• Anti-hammering
Problems with physical smart cards: cost, additional technical support, possible loss
Virtual smart cards: Versus traditional?
Virtual smart cards function like physical smart cards; the difference is in the way they protect private keys, by using the TPM instead of smart card media. Virtual smart cards have the same three key properties that help maintain their security:
• Non-exportability
• Isolated cryptography
• Anti-hammering
They reduce the problems associated with physical smart cards.
Virtual smart cards: Functionality
• A virtual smart card is always inserted
• You cannot export a virtual smart card to use it on another computer
• When a user is using multiple computers, we need to create multiple virtual cards
• They reduce the problems associated with physical smart cards
Virtual smart cards: Security risks
• A physical smart card is always near the user, thus the risk of theft is minimized
• A virtual smart card is stored on the computer, which increases the risk of theft
• Providing a faulty PIN with a virtual smart card will not block the user; it will only impose a time delay after a faulty PIN
• However, virtual smart cards are less likely to be lost
Demo: Virtual Smart Card
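The virtual smart card demo in script form, as an added example that is not part of the deck: it confirms the TPM is present and initialized (the prerequisite for the TPM-backed key store described above), then creates a card with the in-box tpmvscmgr.exe. The card name is constructed; the PIN is prompted for rather than passed on the command line, and the admin key is generated randomly so the user never holds it.

```powershell
# Added example (not from the original deck): create a TPM-backed virtual smart card.
# 'Demo-VSC' is a constructed name. Run from an elevated PowerShell session.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw "TPM is not present or not ready (Present=$($tpm.TpmPresent), Ready=$($tpm.TpmReady)); a virtual smart card needs an initialized TPM."
}

# tpmvscmgr.exe ships with Windows:
#   /pin prompt      - ask interactively instead of leaving the PIN in command history
#   /adminkey random - admin key generated and kept by the machine, not handed to the user
#   /generate        - create the card file system so certificates can be enrolled immediately
& tpmvscmgr.exe create /name 'Demo-VSC' /pin prompt /adminkey random /generate
if ($LASTEXITCODE -ne 0) { throw "tpmvscmgr failed with exit code $LASTEXITCODE" }

# The new card appears to Windows as an always-inserted reader of its own
Get-PnpDevice -Class SmartCardReader -Status OK | Select-Object FriendlyName, InstanceId
```

Because the card is bound to this TPM, repeating the command on a second computer creates a second, independent card for the same user, which is the "multiple computers, multiple cards" point from the functionality slide.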
Ransomware: Types
• Encryption – renders data unusable; can use symmetric or asymmetric encryption
• Deleting – attacker threatens to remove the data
• Locking – attacker creates a login page or HTML page with false information
Secure Boot (diagram: Standard Boot vs Secure Boot)
Application Whitelisting: Why?
Users can install and run non-standard applications. Unauthorized applications are a threat to the organization, because they can:
• contain malware
• cause problems with compliance
• increase help desk calls
• reduce productivity
Application Whitelisting: Possible solutions
Windows offers two solutions: AppLocker, Device Guard
Generally there are two ways to define allowed applications: whitelisting (recommended), blacklisting
AppLocker: AppLocker Rules
AppLocker rules can be created for: executable, installer, script, DLL
AppLocker rules can be assigned to a security group or an individual user
Rules can be defined based on: publisher name, product name, file name, file version, file path, hash
AppLocker: AppLocker Audit Mode
Test rules before enforcement. Events are written to the local audit log: Applications and Services Logs | Microsoft | Windows | AppLocker. After all information is gathered, adjust your rules and deploy in enforcing mode.
Device Guard: Code Integrity Policies (Windows Defender Application Control)
Device Guard uses Code Integrity Policies to define allowed applications. File rule policies can be defined using: Hash, File Name, Signed Version, Publisher, File Publisher, Leaf Certificate, PCA Certificate, WHQL, WHQL Publisher, WHQL File Publisher
Device Guard: What is it?
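The AppLocker audit-mode workflow from the AppLocker slides above (inventory a reference machine, generate publisher and hash rules, deploy as AuditOnly, then read what would have been blocked), as an added example that is not code from the deck. The policy path, the scanned folders and the test binary name are constructed for the example; the cmdlets and the event ID are the AppLocker module's own.

```powershell
# Added example (not from the original deck): AppLocker rules generated from a reference
# machine and deployed in audit mode. Run elevated on the reference machine.
Import-Module AppLocker

$policyXml = 'C:\AppLocker\Baseline-Audit.xml'    # constructed path
New-Item -ItemType Directory -Path (Split-Path $policyXml) -Force | Out-Null

# 1. Inventory executables and scripts from the trusted locations (constructed list)
$files = foreach ($dir in 'C:\Program Files', 'C:\Program Files (x86)', 'C:\Windows\System32') {
    Get-AppLockerFileInformation -Directory $dir -Recurse -FileType Exe, Script
}

# 2. Publisher rules survive product updates; hash rules cover unsigned files. -Optimize collapses duplicates.
$policyText = New-AppLockerPolicy -FileInformation $files -RuleType Publisher, Hash -User Everyone -RuleNamePrefix 'Baseline' -Optimize -Xml

# 3. Switch every rule collection to AuditOnly so nothing is blocked yet, only logged
$xml = [xml]$policyText
foreach ($collection in $xml.AppLockerPolicy.RuleCollection) { $collection.EnforcementMode = 'AuditOnly' }
$xml.Save($policyXml)

# 4. Apply locally (-Merge keeps existing rules). AppLocker only evaluates when the Application Identity service runs.
sc.exe config appidsvc start= auto | Out-Null
sc.exe start appidsvc | Out-Null
Set-AppLockerPolicy -XmlPolicy $policyXml -Merge

# 5. Dry-run a file against the policy before anyone executes it ('unknown-tool.exe' is a constructed path)
Test-AppLockerPolicy -XmlPolicy $policyXml -Path 'C:\Users\Public\Downloads\unknown-tool.exe' -User Everyone |
    Select-Object FilePath, PolicyDecision, MatchingRule

# 6. Read the audit trail: event 8003 = ran now, would have been blocked under enforcement
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003 } -MaxEvents 25 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, UserId, Message
```

Step 6 is the loop the slide describes: every 8003 event is either a legitimate application that needs a rule or an unauthorized one that the policy is right to stop, and only after that list is empty for a representative period should EnforcementMode be changed to Enabled.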
Device Guard is a combination of hardware and software that ensures that only trusted applications can execute. Device Guard is comprised of:
• Virtual Secure Mode
• Configurable Code Integrity
• VSM-protected Code Integrity: Kernel Mode Code Integrity, User Mode Code Integrity
• Platform and UEFI Secure Boot
Kernel mode and User mode Code Integrity
KMCI in Windows 10:
• Windows 10 drivers must be signed by Microsoft
• Strong driver publisher identity verification via Extended Validation (EV) certificates
• Enterprises can enforce Windows 10 driver requirements via Device Guard policy
Signed Device Guard CI policy protects from local admin:
• Signed policy stored in pre-OS secure variable
• Requires a newer signed policy to update – cannot be deleted by admin
• Becomes a “machine” level policy, which means boot from media must be compliant
• Measured into the TPM and part of device health attestation
Boot chain protection (diagram): UEFI Secure Boot covers ROM/fuses, bootloaders and native UEFI; KMCI covers the Windows kernel and OS loader, Windows drivers and 3rd party drivers; UMCI and AppLocker cover user mode code (apps etc.)
Device Guard: Audit Mode
• Device Guard uses Code Integrity Policies to define allowed applications
• You can generate policies from existing systems by using Windows PowerShell
• Device Guard defaults to Audit Mode
• Use Windows PowerShell cmdlets to create a policy from the audit log and merge it with your initial policy
• You should enable enforcement after you verify the audit mode
Device Guard: Beyond whitelisting
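The audit-mode lifecycle just listed (scan, audit, merge the audit-derived policy, enforce) carried through with the ConfigCI cmdlets, as an added example rather than code from the deck. The working folder is constructed; the rule option numbers (3 = Enabled:Audit Mode, 6 = Enabled:Unsigned System Integrity Policy) and the single-policy deployment path are the documented Windows Server 2016/2019 values.

```powershell
# Added example (not from the original deck): Device Guard / WDAC code integrity policy,
# first in audit mode, then enforced after merging what the audit log revealed.
$work    = 'C:\CIPolicy'                   # constructed working folder
New-Item -ItemType Directory -Path $work -Force | Out-Null
$initial = Join-Path $work 'Initial.xml'
$audit   = Join-Path $work 'FromAudit.xml'
$merged  = Join-Path $work 'Merged.xml'
$binary  = Join-Path $work 'SIPolicy.p7b'
$deploy  = 'C:\Windows\System32\CodeIntegrity\SIPolicy.p7b'   # single-policy location on WS2016/2019

# Phase 1 - scan the reference machine. PcaCertificate rules on the issuing CA so signed updates keep working,
# Hash is the fallback for unsigned files, -UserPEs includes user mode binaries (needed for UMCI).
New-CIPolicy -FilePath $initial -Level PcaCertificate -Fallback Hash -ScanPath 'C:\' -UserPEs
Set-RuleOption -FilePath $initial -Option 3     # Enabled:Audit Mode - log, do not block
Set-RuleOption -FilePath $initial -Option 6     # Enabled:Unsigned System Integrity Policy - until the policy is signed
ConvertFrom-CIPolicy -XmlFilePath $initial -BinaryFilePath $binary
Copy-Item $binary -Destination $deploy -Force
# Reboot here and run the normal workload for a while in audit mode.

# Phase 2 - turn the audit log (CodeIntegrity operational event 3076 = would have been blocked) into rules and merge.
New-CIPolicy -FilePath $audit -Audit -Level PcaCertificate -Fallback Hash -UserPEs
Merge-CIPolicy -PolicyPaths $initial, $audit -OutputFilePath $merged

# Phase 3 - remove audit mode (-Delete) so the merged policy enforces, then redeploy.
Set-RuleOption -FilePath $merged -Option 3 -Delete
ConvertFrom-CIPolicy -XmlFilePath $merged -BinaryFilePath $binary
Copy-Item $binary -Destination $deploy -Force
# Reboot again; from now on anything outside the policy is blocked rather than logged.
```

Option 6 is the one to remove last: once the enforced policy is signed, as the KMCI slide describes, deleting that option is what makes a local administrator unable to replace or remove the policy.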
Device Guard also helps with preventing other attacks:
• Malware that gains access to the kernel (through VBS)
• DMA-based attacks (through VBS)
• Exposure to boot kits (through UEFI Secure Boot)
However, you need to have supported hardware.
Demo: Application Whitelisting
Summary: Best Practices
Windows * Guards: Credential Guard, Exploit Guard (next session), Device Guard
Block unknown: AppLocker, Windows Defender Application Control
Put on the hacker’s shoes: never trust, always verify
Cloud! What’s the buzz?
Modern Solutions
On premise – Cloud only – Hybrid
IaaS environment (layers): Applications, Data, Middleware, O/S, Virtualization
PaaS environment (layers): Applications, Data
SaaS environment: SaaS provider has full responsibilities
Modifications from client:
• Configuration based customization
• SaaS customization: logic, triggers, workflows, etc.
Why do breaches occur?
Vulnerabilities:
• Configuration errors
• “Weak” defaults
• Easy passwords
• “Bugs”
• Input validation
Malware:
• Installing suspect applications
• Clicking malicious links
• Phishing emails
• Watering hole attacks
Source: IBM Security Services Cyber Security Intelligence Index
Top 10 configuration risks for cloud
1. Too much network access
2. Administrative access for SSH
3. Single factor authentication
4. Unused or unsecured access keys
5. Insufficient audits and logging
6. Open access for administrative access (RDP)
7. ICMP access
8. Open access for databases
9. Permissions assigned to users
10. Lack of encryption
Hybrid management
Windows Admin Center
Windows Admin Center complements existing cloud/hybrid management solutions and deployments:
• Remote Desktop + in-box tools
• RSAT – Remote Server Administration Tools
• Azure security and management
• System Center
Scale: large deployments to small deployments
Management before Windows Admin Center: Windows Server 2016, 2012 R2, 2012, 2008 R2; Windows Server Core SAC, 2016, 2012 R2, 2012
Management with Windows Admin Center: Modernized – Simplified – Integrated; the same Windows Server and Windows Server Core versions
Modernized – Simplified – Integrated: responsive design; all your servers & clusters; all your tools
Supported systems: Windows Server (SAC), Windows Server 2019, 2016, 2012 R2, 2012, 2008 R2, Windows 10
Tools for servers (troubleshooting, configuration, and maintenance): Overview, Apps & Features, Certificates, Devices, Events, Files, Firewall, Local Users & Groups, Network, PowerShell, Processes, Registry, Remote Desktop, Roles and Features, Scheduled Tasks, Services, Storage, Storage Migration Service, Storage Replica, System Insights, Updates, Virtual Machines, Virtual Switches, Settings
Tools for failover clusters and hyper-converged clusters: Overview / Dashboard, Servers, Disks, Drives, Volumes, Networks, Virtual Networks, Virtual Machines, Virtual Switches, SDN Monitoring, Settings
Modernized – Simplified – Integrated: Lightweight & fast deployment
Access from anywhere!
• Internet connection not required
• Publish to DNS & open the firewall to reach the gateway from the Internet
• On-premises: the client connects from a modern browser over HTTPS to the Windows Admin Center gateway (a web server; ~60 MB installer, installs in minutes)
• The gateway talks to managed nodes with PowerShell / WMI over WinRM; no agent installation required
Flexible deployment options: Windows 10 desktop; dedicated gateway server; managed node; high availability
Manage servers anywhere: Internet; on-premises
Protection at two layers
1. Secure access to Windows Admin Center
• HTTPS communication
• Active Directory & local groups
• Multi-factor authentication & conditional access with Azure Active Directory
2. Secure access to managed servers
• Role-based access control (RBAC)
• Delegation for single sign-on
• Local administrator password solution (LAPS)
Increased visibility of actions for auditing
• Who: which user took the action, from which Windows Admin Center gateway
• What: name of the PowerShell script run, from which tool
• When: time of action
• Where: event logged on the target server
• How: security features used (delegation, LAPS)
Windows Admin Center is built for hybrid
Bridge to the cloud
Embrace true hybrid infrastructure
Enhance Windows Admin Center capabilities with Azure
Intro to WSL
The reasons to use WSL
The reasons to use WSL – part 2
WSLConfig and WSL
Architecture
Limitations
Containers with Docker
Containers: A new approach to build, ship, deploy apps
Physical – Traditionally apps are built and deployed onto physical systems with a 1:1 relationship. New applications often required new physical systems for isolation of resources.
Virtual – Higher consolidation ratios and better utilization. Faster app deployment than in a physical environment. Apps benefited from key VM features, i.e. live migration, HA.
Containers – Package software into standardized units for: development, shipment, deployment
Containers: A new approach to build, ship, deploy apps
Containers package and run apps within containers:
• Further accelerate app deployment
• Reduce effort to deploy apps
• Streamline development and testing
• Lower costs associated with app deployment
• Increase server consolidation
Containerized Application (diagram: the application and its dependencies)
Containers:
• Virtualization – The container engine is a lightweight virtualization mechanism which isolates dependencies per application by packaging them into virtual containers
• Shared host OS – A container runs as an isolated process in user space on the host OS, sharing the kernel with other containers
• Flexible – Differences in underlying OS and infrastructure are abstracted away, streamlining the “deploy anywhere” approach
• Fast – Containers can be created almost instantly, enabling rapid scale-up and scale-down in response to changes in demand
Container vs VM: Process Isolation, Hyper-V Isolation
Terminology: Container Host, Container Image, Sandbox, Container OS Image, Container Repository
Container lifecycle:
• You start a container.
• That container starts a process.
• That process performs its mission.
• The process finishes its mission.
• The process terminates.
• The container stops.
Containers properties:
• Well-designed containers only use resources when they perform useful work
• Containerized applications tend to be easier to scale
• Containerizing applications separates their functions into individual compute units
• Container recycling limits exposure
Containers properties:
• Containers are tiny
• Containers start ridiculously fast
• Containers don’t (necessarily) need IT Ops to build individual instances
• Containers can be packaged and instantiated directly from developer IDEs
Containers properties – problems?
• Containers can’t be domain joined
• Containers can’t be rebooted
• Containers sometimes think about security differently
• Windows containers can’t be run with Linux containers
• Syntax for building and running containers is frustrating
• Doing containers correctly isn’t easy
Dockerfile:
  # escape=`
  FROM mcr.microsoft.com/windows/servercore:ltsc2019
  COPY scripts/installdns.ps1 c:\installdns.ps1
  # -ExecutionPolicy and its value are separate tokens; -File runs the script rather than parsing it as a command
  RUN powershell.exe -ExecutionPolicy Bypass -File c:\installdns.ps1
  # NUL is the Windows null device (a redirect to "NULL" would create a file of that name)
  ENTRYPOINT "ping -t localhost > NUL"
Containers: networking
• Bridge network: containers on the same host may communicate; IP addresses assigned to each container are not accessible from outside the host; NAT is used to provide communication beyond the host; eliminates port conflict problems
• Host network: the container shares the network with the host; possible problems with port conflicts
• Overlay network: uses networking tunnels to communicate across hosts; containers behave as if they are on the same machine by tunneling network subnets between hosts (VXLAN)
VBS: Attack applications and infrastructure
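The Dockerfile, the two isolation modes from the "Container vs VM" slide, and the bridge (nat) network behaviour, exercised together in an added example that is not part of the deck. It assumes Docker for Windows containers is installed and that the current folder holds the Dockerfile and scripts\installdns.ps1; the image and container names are constructed.

```powershell
# Added example (not from the original deck): build the image, run it under both isolation
# modes, and inspect what the nat network assigned. Run from the Dockerfile's folder.
$image = 'demo/dns:ltsc2019'    # constructed image tag

docker build -t $image .
if ($LASTEXITCODE -ne 0) { throw 'docker build failed' }

# Process isolation: shares the host kernel (fast, weaker boundary; host and image builds must match)
docker run -d --name dns-proc --isolation=process $image

# Hyper-V isolation: its own utility VM and kernel, the boundary to prefer for less trusted workloads
docker run -d --name dns-hv --isolation=hyperv $image

# Confirm which isolation mode each container actually received
foreach ($name in 'dns-proc', 'dns-hv') {
    $mode = docker inspect -f '{{.HostConfig.Isolation}}' $name
    '{0,-10} isolation={1}' -f $name, $mode
}

# Bridge (nat) network: each container gets a private address that is not reachable from outside the host;
# only ports published with -p are NATed through.
docker network inspect nat -f '{{range .Containers}}{{println .Name .IPv4Address}}{{end}}'

# Cleanup
docker rm -f dns-proc dns-hv | Out-Null
```

The inspect step matters because --isolation is advisory on some hosts: Windows 10 client builds run every Windows container under Hyper-V isolation regardless of the flag, and a server that cannot satisfy the requested mode fails at docker run rather than silently downgrading.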
Potential attack vectors:
• Compromised privileged accounts
• Unpatched vulnerabilities
• Phishing attacks
• Malware infections
VBS: Attack virtualization fabric
Potential attack vectors:
• A compromised fabric exposes guest VMs
• Easy to modify or copy a VM without notice
• Can’t protect VMs with physical security
• VMs cannot leverage hardware security (TPM)
VBS: Attack on virtual machines
• Any compromised or malicious fabric administrator can access all guest VMs
• Health of the host is not taken into account before running VMs
• Tenants’ VMs are exposed to storage and network attacks
• VMs do not use hardware security capabilities such as TPM
VBS: Attack on virtual machines
Potential attacks:
• Storage admin accesses virtual hard drives
• Potentially the attacker can access a Domain Controller
• Accessing the AD database gives access to password hashes
• Exploit the system further
Possible mitigation:
• Encrypt the storage volumes holding the VHDX files
• What if the storage admin and the virtualization admin are the same person? What if they collude? (Coffee and cakes bribery is a common attack.)
• You guessed correctly: encryption does not apply
Potential attacks 2:
• Virtualization admin exports / copies the VHDX
• The VHDX can be mounted on any computer
• We have an open path to perform offline attacks
Possible mitigation 2:
• Use BitLocker inside the VM
• Now to access the VHDX you need to provide the password
• What if the fabric admin modifies the boot loader and the VM owner provides the password willingly?
• What if the fabric admin makes a memory dump?
• Again you are correct: they have the BitLocker password
Possible mitigation 2 – Improvements:
• Move to a Generation 2 VM
• UEFI + Secure Boot prevent untrusted boot loaders
• vTPM to securely release BitLocker secrets
Potential attacks 3:
• Virtualization admin modifies a golden image
• All newly deployed machines contain malware
• It can be a very stealthy attack
Possible mitigation 3:
• Use a signed template disk
• If the signature test fails the machine cannot be run and a tamper error will be returned
VBS: Guarded fabric
Hyper-V fabric capable of protecting tenants against: inspection, theft, tampering
Protection works against: malware, malicious system admins
VBS: Machine Security
VBS: Shielded VMs
Shielded VMs – use BitLocker to encrypt the disk and state of virtual machines
Host Guardian Service – attests the host health, releasing the keys required to boot a shielded VM
Generation 2 VMs – support a virtualized TPM, which enables BitLocker encryption for shielded VMs
Shielded VMs: Compliance
Control area – ISO 27001:2013 – PCI DSS 3.2 – FedRAMP; NIST 800-53 Revision 4
Enforcing Separation of Duties – A.6.1.2 Segregation of duties – 6.4.2 Separation of duties between test and production environments – AC-5 Separation of Duties
Implementation of Least Privilege and Partitioning Tenant Functionality – A.9.2.3 Management of privileged access rights; A.12.1.4 Separation of development, testing, and operational environments – 6.4.1 Test and Production Environment Separation; 7.2 User access control on need-to-know basis; 7.2.3 Default “deny-all” setting – AC-6 Least Privilege; AC-6(10) Prohibit Non-Privileged Users from Executing Privileged Functions; SC-2 Application Partitioning
Protecting Information Stored in Shared Resources – None – 8.7 Restricted access to databases containing cardholder data – SC-4 Information in Shared Resources
Protection of Data at Rest – A.8.2.3 Media Access – 3.4 Verifying stored PAN is unreadable; 3.4.1 Disk encryption usage and access control; 6.5.3 Insecure cryptographic storage – SC-28 Protection of Information at Rest; SC-28(1) Protection of Information at Rest
Security Function Verification and Integrity Monitoring – None – 11.5 Change-detection mechanism deployment – SI-6 Security Function Verification; SI-7 Software, Firmware, and Information Integrity
Shielded VMs: Deployment
• A safe host to run virtual machines
• A way to verify that a host is healthy
• A process to release keys to healthy hosts
• Management tools
Shielded VMs: Guarded Hosts
• Windows Server 2016 Datacenter Hyper-V hosts are capable of running Shielded VMs
• Hosts must prove to an external authority that they are running in a known, trusted state
Shielded VMs: Host Guardian Service (HGS)
• An external authority in a guarded fabric that verifies the health of guarded hosts
• It controls the release of keys required to start or live migrate a Shielded VM
Shielded VMs: Host Guardian Service (HGS)
• Usually runs as a cluster of three machines
• Separate forest
• An additional set of roles is required
• Responsible for attestation and releasing the required keys
Host Guardian Service (diagram)
Shielded VMs: Tools
• Hyper-V Manager
• PowerShell
• Optional tools: System Center Virtual Machine Manager, Service Provider Foundation, Windows Azure Pack, Active Directory Bastion Forest
Guarded Fabric: Deployment
Guarded Fabric: Deployment (diagram)
• Install Hyper-V hosts on Windows Server 2016 (or later) Datacenter
• Fabric management: Microsoft SQL Server, System Center Virtual Machine Manager, Windows Azure Pack, domain controller(s) for contoso.com
Guarded Fabric: Deployment
• STEP #2: Deploy a Host Guardian Service (HGS) cluster (recommended: deploy as a cluster) in its own forest, secure.contoso.com
Guarded Fabric: Deployment
• Host Guardian Service (HGS) cluster in secure.contoso.com
• Upgrade Hyper-V hosts to Windows Server 2016 (or later) Datacenter
• Extract identity, hardware baseline and code integrity policies from the Hyper-V hosts
Shielded VMs: Security Roles
FABRIC ADMINISTRATOR – Manages the operation of the Hyper-V hosts, including Guarded Hosts. Includes storage, network, backup, and system administrators in all shapes and sizes from NOC staff to domain administrators.
HGS ADMINISTRATOR – Manages the setup and on-going maintenance of the Host Guardian Service (HGS). This should be a distinct individual or group that will act as the manager of the Guarded Fabric.
TENANT ADMINISTRATOR – An owner of virtual machines hosted on the Guarded Fabric. May be 1st or 3rd party in relation to the hosting organization or enterprise.
Attestation: TPM Trusted Mode
• Measured Boot required
• Code Integrity enforcement
• Platform identity verification
Attestation: Active Directory Trusted Mode
• Kerberos ticket
• Group membership validation for attestation
Starting Shielded VMs
Attestation: Host Key Mode
• Host key validation
• The certificate can be shared across multiple hosts
• Key stored in: TPM, HSM, certificate store
• No host health checks
Troubleshooting: Issue 1
Connectivity to the VM is failing for an unknown reason. To investigate, you need to connect to the VM’s console session. However, access to the shielded VM is blocked for security purposes.
Troubleshooting: Issue 2 & 3
• You need to determine whether a VM is shielded.
• Starting a VM results in the following error message in the Hyper-V console: An error occurred while attempting to start the selected virtual machine(s).
• Attempting to generate a new HGS key protector (by using the Windows PowerShell cmdlet New-HgsKeyProtector) fails with the following error message: New-HgsKeyProtector: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.
• Attempting to connect to the console session of a VM returns the following message: You cannot connect to a shielded virtual machine using a Virtual Machine Connect. Use a Remote Desktop Connection instead.
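The checks behind the three troubleshooting issues above, gathered into one script as an added example that is not part of the deck. It runs on the guarded Hyper-V host; the VM name, the RDP host name and the guardian file path are constructed, while Get-VMSecurity, Get-HgsClientConfiguration, Get-HgsTrace and the HGS key-protector cmdlets are the in-box ones.

```powershell
# Added example (not from the original deck): triage for a shielded VM that will not start or
# cannot be reached. 'Tenant-DC01' and the paths below are constructed.
function Test-ShieldedVmHost {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$VMName)

    # Issue 2: is the VM actually shielded? Get-VMSecurity exposes the shielding and vTPM flags.
    $sec = Get-VMSecurity -VMName $VMName
    [pscustomobject]@{
        VM                       = $VMName
        Shielded                 = $sec.Shielded
        TpmEnabled               = $sec.TpmEnabled
        EncryptStateAndMigration = $sec.EncryptStateAndVmMigrationTraffic
    } | Format-List

    # Issue 3 (VM will not start): the usual cause is a host that failed attestation, so HGS withheld the key.
    $hgs = Get-HgsClientConfiguration
    [pscustomobject]@{
        Mode                 = $hgs.Mode
        AttestationServerUrl = $hgs.AttestationServerUrl
        IsHostGuarded        = $hgs.IsHostGuarded
        AttestationStatus    = $hgs.AttestationStatus
        AttestationSubstatus = $hgs.AttestationSubstatus
    } | Format-List

    if (-not $hgs.IsHostGuarded) {
        # Host-side diagnostics: TPM, Secure Boot, CI policy, HGS reachability, with the failing check named
        Get-HgsTrace -RunDiagnostics -Detailed
    }
}

Test-ShieldedVmHost -VMName 'Tenant-DC01'

# Issue 3 (key protector fails on an untrusted root): in a lab the HGS guardian metadata is signed by a
# self-signed root, so the guardian must be imported with -AllowUntrustedRoot, and the same switch is
# needed when the key protector is built. Production HGS certificates chain to a trusted CA and need neither.
$guardian = Import-HgsGuardian -Path 'C:\HGS\HgsGuardian.xml' -Name 'LabFabric' -AllowUntrustedRoot   # constructed path/name
$owner    = New-HgsGuardian -Name 'TenantOwner' -GenerateCertificates
$kp       = New-HgsKeyProtector -Owner $owner -Guardian $guardian -AllowUntrustedRoot
Set-VMKeyProtector -VMName 'Tenant-DC01' -KeyProtector $kp.RawData

# Issue 1: the console is blocked by design for a shielded VM; reach it over its own network with RDP instead.
mstsc.exe /v:tenant-dc01.contoso.com
```

The AttestationSubstatus value is what to read first when IsHostGuarded is false: it names the failed measurement (for example an unexpected code integrity policy or a changed hardware baseline), which is exactly the protection the fabric-admin attack slides rely on.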
Commands in PowerShell
Verb-Noun (e.g. Get-Help)
The PowerShell Help System: Get-Help, Get-Help Get-Help
How to enumerate Cmdlets: Get-Command Get-*, Get-Command *-Service, Get-Command Get-Net*Ip*
Providers
The Pipeline
• PowerShell runs commands in a pipeline; even a single Cmdlet is a pipeline
• Pipelines can contain one or more commands, with multiple commands separated by a vertical pipe character (|): Get-Service | Out-File
• Commands execute from left to right, with the output of each command being piped (passed) to the command after it
Pipeline (diagram): Input -> cmdlet -> Output -> Input -> cmdlet
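The pipeline carries objects rather than text, which is what lets each stage filter and reshape what the previous one emitted. The following added example (not from the deck) chains Get-CimInstance, Where-Object, Select-Object, Sort-Object and Tee-Object, in the same left-to-right fashion as the deck's Get-Service | Out-File, to find services whose executable path is unquoted and contains spaces, a service-configuration weakness worth flagging in a review. The function name and the default report path are my own.

```powershell
# Added example (not from the original deck): a multi-stage pipeline over service objects.
function Get-UnquotedServicePath {
    [CmdletBinding()]
    param([string]$ReportPath = "$env:TEMP\unquoted-services.txt")   # constructed default

    Get-CimInstance -ClassName Win32_Service |                       # stage 1: one object per service
        Where-Object {                                                # stage 2: keep only the risky ones
            $_.PathName -and
            -not $_.PathName.StartsWith('"') -and                     #   image path not wrapped in quotes
            (($_.PathName -split '(?i)\.exe')[0] -match ' ')          #   and a space somewhere before the .exe
        } |
        Select-Object Name, StartMode, StartName, PathName |          # stage 3: reshape to the fields that matter
        Sort-Object Name |                                            # stage 4: order
        Tee-Object -FilePath $ReportPath                              # stage 5: write the report and pass objects on
}

# The objects still flow out of the function, so the caller can format or filter further
Get-UnquotedServicePath | Format-Table -AutoSize
```

Every stage receives live objects, so StartName (the account the service runs as) is still available at the end without re-parsing anything; with text output, as in a classic shell, that field would have been lost at the first step.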
PowerShell Package Repositories
Tips & Tricks
Demo: Working with PS
Just Enough Administration: What is it?
JEA provides Windows with RBAC on Windows PowerShell remoting
Limit users to a set of defined Windows PowerShell cmdlets
Actions are performed by using a special machine-local virtual account
Why should you use JEA?
Reduce the number of administrators on your machines
Limit what users can do
Better understand what your users are doing
What are the prerequisites?
Server Operating System – JEA Availability
Windows Server 2019 – Preinstalled
Windows Server 2016 – Preinstalled
Windows Server 2012 R2 – Full functionality with WMF 5.1
Windows Server 2012 – Full functionality with WMF 5.1
Windows Server 2008 R2 (1) – Reduced functionality with WMF 5.1
JEA: Limitations
JEA only works with Windows PowerShell sessions. JEA does not work with: Management Consoles, Remote Administration Tools. You need to understand the required: cmdlets, parameters, aliases
JEA: Role-capability files
Role-capability files specify what can be done in a Windows PowerShell session. Anything that is not explicitly allowed is not allowed. A new blank role-capability file can be created by using the New-PSRoleCapabilityFile cmdlet.
JEA: Session-configuration files
Session-configuration files determine: what can be done in a JEA session; which security principals can do it. A new session configuration file can be created by using the New-PSSessionConfigurationFile cmdlet.
JEA: Endpoints
Connect to a JEA endpoint to perform administrative tasks. The configuration is determined by session configuration files that link security groups and role capability files. A server can have multiple JEA endpoints. Create JEA endpoints by using Register-PSSessionConfiguration.
JEA: JEA Helper Tool
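The three JEA pieces described above (role-capability file, session-configuration file, registered endpoint) assembled into one working endpoint, as an added example that is not part of the deck. It lets members of a group restart the DNS service and read the DNS Server log and nothing else; the module name, group name, endpoint name and transcript folder are constructed, the cmdlets and file formats are JEA's own.

```powershell
# Added example (not from the original deck): a complete JEA endpoint for DNS operators.
$moduleName = 'DnsOpsJea'                                                         # constructed
$modulePath = Join-Path $env:ProgramFiles "WindowsPowerShell\Modules\$moduleName"
$rcPath     = Join-Path $modulePath 'RoleCapabilities'                            # JEA looks for .psrc files here
New-Item -ItemType Directory -Path $rcPath -Force | Out-Null
New-Item -ItemType Directory -Path 'C:\JeaTranscripts' -Force | Out-Null          # constructed transcript folder
New-ModuleManifest -Path (Join-Path $modulePath "$moduleName.psd1") -Description 'JEA role capabilities for DNS operators'

# 1. Role capability: what the role may run. Parameter validation stops Restart-Service being used on any other service.
New-PSRoleCapabilityFile -Path (Join-Path $rcPath 'DnsOperator.psrc') `
    -VisibleCmdlets @(
        @{ Name = 'Restart-Service'; Parameters = @{ Name = 'Name'; ValidateSet = 'Dns' } },
        @{ Name = 'Get-Service';     Parameters = @{ Name = 'Name'; ValidateSet = 'Dns' } },
        'Get-DnsServerZone'
    ) `
    -VisibleFunctions 'Get-DnsEventLog' `
    -FunctionDefinitions @{
        Name        = 'Get-DnsEventLog'
        ScriptBlock = { param([int]$Last = 50) Get-WinEvent -LogName 'DNS Server' -MaxEvents $Last }
    }

# 2. Session configuration: who gets which role, run under a transient virtual account, every session transcribed.
$sessionConfig = Join-Path $modulePath 'DnsOps.pssc'
New-PSSessionConfigurationFile -Path $sessionConfig `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory 'C:\JeaTranscripts' `
    -RoleDefinitions @{ 'CONTOSO\DnsOperators' = @{ RoleCapabilities = 'DnsOperator' } }   # constructed group
if (-not (Test-PSSessionConfigurationFile -Path $sessionConfig)) { throw 'Session configuration file is invalid' }

# 3. Register the endpoint (this restarts WinRM)
Register-PSSessionConfiguration -Name 'DnsOps' -Path $sessionConfig -Force

# An operator connects by endpoint name; Get-Command inside the session lists only what the role allows:
#   Enter-PSSession -ComputerName dns01 -ConfigurationName DnsOps
```

RestrictedRemoteServer is what enforces the "anything not explicitly allowed is not allowed" rule: the session starts with no language features and only the cmdlets the role exposes, and the transcript directory gives the "better understand what your users are doing" record.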
A GUI tool which helps to create the JEA configuration
Helps generate the “Security Descriptor Definition Language” (SDDL) syntax when you want to use Two-Factor Authentication
Demo: JEA
Desired State Configuration: What is it?
An extension to PowerShell
Create and manage server configuration files
Ensures that servers are always configured the way we want
Desired State Configuration: Architecture
• Push model: configuration deployed to servers; Start-DscConfiguration to deploy
• Pull model: servers pull from a central server using HTTP/HTTPS or SMB; we can use traditional load balancing techniques
Desired State Configuration: Compilation
• DSC configuration is compiled to MOF format
• Each MOF is for a single target node
• You can have only one MOF file applied to a single node at any given time
Desired State Configuration: Execution
The Local Configuration Manager (LCM) is the engine of DSC. The LCM runs on every target node. It is responsible for:
• parsing and enacting configurations
• determining the refresh mode (push or pull)
• specifying how often a node pulls and enacts configurations
• associating the node with pull servers
Desired State Configuration: Resources
DSC built-in resources:
• Enable / disable server roles and features
• Manage registry settings
• Manage files and folders
• Manage processes and services
• Manage local users and groups
• Deploy new software packages
• Manage environment variables
• Run PowerShell scripts
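The push model, the one-MOF-per-node compilation and the built-in resources above, carried through in an added example that is not part of the deck: a configuration that uses only in-box resources (WindowsFeature, Registry, Service, File, Environment, Group) to keep a web node in a hardened state, compiled to a MOF and pushed with Start-DscConfiguration. The node name, the account name and the chosen settings are constructed.

```powershell
# Added example (not from the original deck): a DSC configuration built from in-box resources,
# compiled and pushed. 'web01' and 'svc_web' are constructed names.
Configuration HardenedWebNode {
    Import-DscResource -ModuleName PSDesiredStateConfiguration

    Node 'web01' {
        # Server roles and features: IIS present, SMB1 absent
        WindowsFeature WebServer {
            Name   = 'Web-Server'
            Ensure = 'Present'
        }
        WindowsFeature Smb1 {
            Name   = 'FS-SMB1'
            Ensure = 'Absent'
        }

        # Registry: send NTLMv2 only and refuse LM/NTLMv1 (LmCompatibilityLevel 5)
        Registry LmCompat {
            Key       = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa'
            ValueName = 'LmCompatibilityLevel'
            ValueType = 'Dword'
            ValueData = '5'
            Ensure    = 'Present'
        }

        # Services: keep IIS running, keep Remote Registry off
        Service W3Svc {
            Name        = 'W3SVC'
            State       = 'Running'
            StartupType = 'Automatic'
            DependsOn   = '[WindowsFeature]WebServer'
        }
        Service RemoteRegistry {
            Name        = 'RemoteRegistry'
            State       = 'Stopped'
            StartupType = 'Disabled'
        }

        # Files and folders: log directory must exist
        File LogDir {
            DestinationPath = 'C:\Logs\web'
            Type            = 'Directory'
            Ensure          = 'Present'
        }

        # Environment variables
        Environment AppEnv {
            Name   = 'APP_ENV'
            Value  = 'production'
            Ensure = 'Present'
        }

        # Local users and groups: the service account must never sit in Administrators
        Group LocalAdmins {
            GroupName        = 'Administrators'
            MembersToExclude = 'svc_web'
        }
    }
}

# Compile: writes .\HardenedWebNode\web01.mof, exactly one MOF for the one target node
HardenedWebNode -OutputPath '.\HardenedWebNode'

# Push model: deliver the MOF and wait while the node's LCM enacts it
Start-DscConfiguration -Path '.\HardenedWebNode' -Wait -Verbose -Force

# Afterwards, ask the LCM whether the node still matches; any drift is reported per resource
Test-DscConfiguration -ComputerName 'web01' -Detailed
```

The closing Test-DscConfiguration call is the operational half of "ensures that servers are always configured the way we want": a local administrator who re-enables Remote Registry or adds svc_web to Administrators shows up as drift, and the LCM's configured refresh mode decides whether that drift is only reported or automatically corrected.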