New protection capabilities in Windows Server 2016

Harold Baele – Microsoft Cloud Technical Consultant and Microsoft Certified Trainer @RealDolmen

[email protected] - @hbaele

• Trainer since 2000 on Operating Systems, Networking, AD, Exchange, Office 365, PowerShell, Azure IaaS
• Consultant since 2016: Azure IaaS in a Hybrid Cloud context, Office 365
• Speaker @MicrosoftBE since 2015: ModernBiz, PPEs, CSP Workshops …

Security is a top priority for IT

• Increasing incidents
• Multiple motivations
• Bigger risk

Before / After

Breaches cost a lot of money
  Before: customers pay $ for your services
  After: you pay customers $$$ compensation to keep them using your services (average $4M per breach, based on Ponemon Institute)

Productivity
  Before: employees efficiently perform work activities
  After: employees waste hours a day using manual processes

Overspending reflex
  Before: appropriately sized and dedicated IT security team
  After: the IT security team grows exponentially in size and remediation efforts require new and expensive products

Attack timeline

First host compromised -> domain admin compromised: 24–48 hours -> attack discovered: mean dwell time 150+ days (varies by industry)

Example attack scenario

Hard lessons…

• The network is no longer the security perimeter (it hasn't been for some time): identity is the (new) security perimeter
• Entry: we can't stop this from happening. People will be fooled, bribed, blackmailed, etc.
• Eliminating human error isn't possible: phishing works and will continue to do so
• Insider attacks are a big problem: anomalous activity monitoring helps in detection; limit access through identity management and isolation
• Compliance is very important, but compliance and security are not the same thing: compliant != secure
• Prevention methods aren't always technical or architectural: many will be operational and will impose some level of additional operational friction. Security has a price $$$

• Managed privileged identities
• Secure virtualization
• Secure the OS

Help protect credentials and privileged access

Challenges in protecting credentials

• Social engineering leads to credential theft
• Most attacks involve gathering admin credentials (Pass-the-Hash attacks)
• Administrative credentials typically provide unnecessary extra rights for unlimited time
[Chart: capability versus time for a typical administrator; Ben, Mary and Jake hold Domain Admin rights permanently]

Helping protect privileged credentials

• Just Enough Administration (JEA)
• Just in Time Administration (JIT)
  JEA and JIT administration are covered by Anthony Van Den Bossche in 'Identity: driving Enterprise Mobility and Security'
• Credential Guard
• Remote Credential Guard
[Chart: capability and time needed, with Ben, Mary and Jake as Domain Admins, narrowed by each of the four measures]

Virtualisation Based Security

• The credential process is doubled: LSA keeps running in the normal OS, and an isolated copy (LsaIso.exe) runs in Isolated User Mode, a separate zone (container) based on virtualisation
• Drivers or other kernel processes cannot access the memory addresses where credential hashes are stored, because that memory belongs to the isolated environment and not to the normal kernel

Enabling Credential Guard

Using the registry
1. Add the virtualization-based security features by using Programs and Features (Hyper-V Hypervisor and Isolated User Mode)
2. HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\LsaCfgFlags, DWORD value = 1 (with UEFI lock) or 2 (without UEFI lock)
   Virtualization-based security itself must also be turned on under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\DeviceGuard (EnableVirtualizationBasedSecurity = 1). With the UEFI lock, Credential Guard can no longer be disabled remotely or by a later policy change, only at the console.

Using DISM (offline image servicing)
1. dism /image:<offline image path> /Enable-Feature /FeatureName:Microsoft-Hyper-V-Hypervisor
2. dism /image:<offline image path> /Enable-Feature /FeatureName:IsolatedUserMode
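The "using the registry" steps as one script, with the check you run after the reboot. This is an added example and not code from the original deck; run it elevated on the machine that should get Credential Guard (Windows 10 Enterprise or Windows Server 2016, not a domain controller). Assumptions: RequirePlatformSecurityFeatures = 3 asks for Secure Boot plus DMA protection, which needs the IOMMU from the requirements slide (use 1 on hardware without one), and the status codes of the Win32_DeviceGuard class are the documented ones.

```powershell
# Added example (not from the original deck): write the VBS + Credential Guard policy
# and verify after reboot that the isolated LSA is actually running.
param(
    [bool]$UefiLock = $true   # $false writes LsaCfgFlags = 2, so the setting can still be undone remotely
)

$deviceGuardKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
$lsaKey         = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Enable-CredentialGuardPolicy {
    param([bool]$UefiLock)

    # Step 1 of the slide: on Windows 10 1511 the Isolated User Mode feature had to be added
    # first. On 1607 / Server 2016 it is part of the hypervisor, so the call fails harmlessly.
    Enable-WindowsOptionalFeature -Online -FeatureName 'IsolatedUserMode' -NoRestart -ErrorAction SilentlyContinue | Out-Null

    # Virtualization-based security itself (Credential Guard is one VBS service).
    # RequirePlatformSecurityFeatures: 1 = Secure Boot, 3 = Secure Boot + DMA protection (assumption: IOMMU present)
    New-Item -Path $deviceGuardKey -Force | Out-Null
    Set-ItemProperty -Path $deviceGuardKey -Name 'EnableVirtualizationBasedSecurity' -Value 1 -Type DWord
    Set-ItemProperty -Path $deviceGuardKey -Name 'RequirePlatformSecurityFeatures'   -Value 3 -Type DWord

    # Step 2 of the slide: 1 = enabled with UEFI lock, 2 = enabled without UEFI lock
    $flags = if ($UefiLock) { 1 } else { 2 }
    Set-ItemProperty -Path $lsaKey -Name 'LsaCfgFlags' -Value $flags -Type DWord
}

function Test-CredentialGuard {
    # Status as reported by the Device Guard WMI provider. VirtualizationBasedSecurityStatus 2 = running;
    # in the SecurityServices* arrays 1 = Credential Guard, 2 = HVCI.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName 'Win32_DeviceGuard'
    [pscustomobject]@{
        VbsRunning                = ($dg.VirtualizationBasedSecurityStatus -eq 2)
        CredentialGuardConfigured = ($dg.SecurityServicesConfigured -contains 1)
        CredentialGuardRunning    = ($dg.SecurityServicesRunning -contains 1)
        # The isolated LSA process from the VBS slide; if it is absent, secrets live in lsass.exe only
        LsaIsoRunning             = [bool](Get-Process -Name 'LsaIso' -ErrorAction SilentlyContinue)
    }
}

Enable-CredentialGuardPolicy -UefiLock $UefiLock
Write-Host 'Policy written. Reboot, then run Test-CredentialGuard and expect CredentialGuardRunning = True.'
Test-CredentialGuard | Format-List
```

The policy only takes effect after a reboot, so CredentialGuardConfigured turning True immediately while CredentialGuardRunning stays False is the expected intermediate state; if it stays False after the reboot, the Win32_DeviceGuard instance also lists the RequiredSecurityProperties the firmware failed to provide.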

Requirements

• Windows 10 Enterprise
• Active Directory (any forest or domain level)
• UEFI firmware 2.3.1 or higher
• Secure firmware update process
• Secure Boot
• Intel VT-x or AMD-V
• Intel VT-d or AMD-Vi I/O memory management unit (for DMA protection)
• Second Level Address Translation
• 64-bit CPU
• TPM 2.0 (recommended rather than mandatory: the TPM protects the VBS encryption key; without one a software-protected key is used)

https://technet.microsoft.com/en-us/itpro/windows/keep-secure/credential-guard#requirements

Requirements Server 2016

• Active Directory (any forest or domain level)
• UEFI firmware 2.3.1 or higher
• Secure firmware update process
• Secure Boot
• Cannot be a domain controller

Requirements for virtual machines

• The Hyper-V host must have an IOMMU: an input–output memory management unit connects a DMA-capable I/O bus to the main memory and lets the hypervisor restrict which memory a device may reach, so a device cannot read the guest's isolated memory
• Host and guest must be running Windows Server 2016 or Windows 10
• The Hyper-V virtual machine must be Generation 2 and have a virtual TPM enabled

Using hashes & implementing Credential Guard

Mimikatz

Lab: domain NWTRADERS.LOCAL on 172.16.1.0/24 with GEN2DC (domain controller), SECURESRV1, Win10VM and W2016VM

• Preparations:
  • No antivirus running
  • NewAdmin is domain administrator
  • On the client, a local share with localadmin credentials created
  • On the client, a share accessible only for NewUser
  • CMD with admin credentials
• Using the hash to connect to the share (pass-the-hash)
• Credential Guard implemented using GPO; after the reboot the domain user's hash can no longer be read from LSASS

Remote Credential Guard

• Single Sign On: one identity check at every connection
• Seamless Sign On: the previous identity check is re-used
• Remote Credential Guard gives SSO with no hash on the remote session: the client device answers the authentication requests, so the remote host never holds the user's credentials

Considerations for Remote Credential Guard

• Active Directory Domain Services only (no Azure AD accounts)
• Remote Desktop Gateway is not compatible with RCG
• No use of saved credentials
• Needs the same domain or trusted domains

Forcing it: mstsc /remoteguard

Logging on with Remote Credential Guard

• Preparation: GPO with Remote Credential Guard
• From Gen2DC, RDP to Win10VM with current credentials
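The settings behind "GPO with Remote Credential Guard", written as plain registry values so they can be audited, together with the pre-flight checks from the considerations slide and the forced client launch. This is an added example, not code from the original deck. Host names (Win10VM, nwtraders.local) are taken from the lab slide; the CredentialsDelegation value names and the 1/2/3 mode codes are those written by the "Restrict delegation of credentials to remote servers" policy and are an assumption to verify against your ADMX files.

```powershell
# Added example (not from the original deck): Remote Credential Guard on both sides.

function Enable-RcgOnTarget {
    # Run on the remote host you RDP into. Remote Credential Guard and Restricted Admin
    # share this switch: the value must exist and be 0 for either mode to be accepted.
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    Set-ItemProperty -Path $lsa -Name 'DisableRestrictedAdmin' -Value 0 -Type DWord
}

function Enable-RcgOnClient {
    param(
        [ValidateSet('RequireRemoteCredentialGuard', 'RequireRestrictedAdmin', 'RestrictCredentialDelegation')]
        [string]$Mode = 'RequireRemoteCredentialGuard'
    )
    # Run on the client. Same effect as Computer Configuration > Administrative Templates >
    # System > Credentials Delegation > "Restrict delegation of credentials to remote servers".
    # Mode codes (assumption, verify against the ADMX): 1 = Require Restricted Admin,
    # 2 = Require Remote Credential Guard, 3 = Restrict credential delegation (prefer RCG, fall back).
    $key  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'
    $type = @{ RequireRestrictedAdmin = 1; RequireRemoteCredentialGuard = 2; RestrictCredentialDelegation = 3 }[$Mode]
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name 'RestrictedRemoteAdministration'     -Value 1     -Type DWord
    Set-ItemProperty -Path $key -Name 'RestrictedRemoteAdministrationType' -Value $type -Type DWord
}

function Test-RcgPrerequisites {
    param([string]$Target)
    # The considerations slide as checks: domain-joined client, resolvable target,
    # and no saved credential for the target (RCG refuses to use saved credentials).
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    [pscustomobject]@{
        ClientIsDomainJoined = $cs.PartOfDomain
        TargetResolves       = [bool](Resolve-DnsName -Name $Target -ErrorAction SilentlyContinue)
        NoSavedCredential    = -not ((cmdkey /list) -match [regex]::Escape("TERMSRV/$Target"))
    }
}

# Client usage: check, then force Remote Credential Guard for this one session
# (the /remoteGuard switch works without the policy as long as the target allows it)
$target = 'Win10VM.nwtraders.local'
Test-RcgPrerequisites -Target $target | Format-List
mstsc.exe /remoteGuard /v:$target
```

A connection through a Remote Desktop Gateway still fails with these settings in place, which is the expected behaviour rather than a misconfiguration: RD Gateway is a credential input pipeline and sits outside what Remote Credential Guard can protect.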

You enabled Credential Guard. What credentials are still in the open?

• Software that manages credentials outside of Windows feature protection
• Local accounts and Microsoft Accounts
• The directory database running on Windows Server 2016 domain controllers
• Credential input pipelines, such as Windows Server 2016 servers running Remote Desktop Gateway
• Key loggers
• Physical attacks
• An attacker with malware on the PC using the privileges associated with any credential
• Third-party security packages
• Digest and CredSSP credentials
• Supplied credentials for NTLM authentication are not protected
• Stored credentials

Disable Credential (Device) Guard from outside the VM

• Credential Guard and Device Guard rely on Virtualization Based Security…
• From the host, you can disable this for a virtual machine, so the guest's protection is only as strong as the fabric admin:

  Set-VMSecurity -VMName <VMName> -VirtualizationBasedSecurityOptOut $true
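The opt-out above seen from the other side: an audit of a Hyper-V host for guests whose virtualization-based security has been switched off from outside, which is exactly the exposure the shielded VM section addresses next. This is an added example, not code from the original deck; the VM name Win10VM comes from the lab slide and the property names are those of the Get-VMSecurity object on Windows Server 2016.

```powershell
# Added example (not from the original deck): run elevated on a Windows Server 2016 Hyper-V host.

function Get-VmSecurityReport {
    param([string[]]$Name = '*')
    Get-VM -Name $Name | ForEach-Object {
        $sec = Get-VMSecurity -VM $_
        [pscustomobject]@{
            VM           = $_.Name
            Generation   = $_.Generation
            VbsOptedOut  = $sec.VirtualizationBasedSecurityOptOut   # host has disabled VBS inside the guest
            VirtualTpm   = $sec.TpmEnabled                          # needed for Credential Guard / BitLocker in the guest
            Shielded     = $sec.Shielded                            # keys held by HGS, not by this host
            EncryptState = $sec.EncryptStateAndVmMigrationTraffic
        }
    }
}

# What a fabric admin types to knock out Credential Guard inside a guest (VM must be stopped):
# Set-VMSecurity -VMName 'Win10VM' -VirtualizationBasedSecurityOptOut $true

$report = Get-VmSecurityReport
$report | Format-Table -AutoSize

# Flag the guests a tenant would care about: VBS opted out and nothing stopping the host from doing so
$report | Where-Object { $_.VbsOptedOut -and -not $_.Shielded } | ForEach-Object {
    Write-Warning "$($_.VM): VBS opted out by the host and VM is not shielded; Credential Guard in the guest is off"
}

# Undo for one VM (stopped) and make sure the vTPM that the guest's VBS keys rely on is present
# Set-VMSecurity -VMName 'Win10VM' -VirtualizationBasedSecurityOptOut $false
# Enable-VMTPM -VMName 'Win10VM'
```

The report is only as trustworthy as the host it runs on; a compromised fabric administrator can flip the setting back and forth at will, which is why the next section moves the keys off the host and into the Host Guardian Service.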

Secure virtualization

Challenges protecting virtual machines

Any compromised or malicious fabric administrators can access guest virtual machines.

Health of hosts not taken into account before running VMs.

Tenant’s VMs are exposed to storage and network attacks.

Virtual machines can't take advantage of hardware-rooted security capabilities such as TPMs.

Helping protect virtual machines

Shielded Virtual Machines

• Use BitLocker to encrypt the disk and state of virtual machines, protecting secrets from compromised admins and malware
• Host Guardian Service: attests to host health, releasing the keys required to boot or migrate a shielded VM only to healthy hosts
• Generation 2 VMs: support virtualized equivalents of hardware security technologies (e.g., TPMs), enabling BitLocker encryption for shielded virtual machines
[Diagram: building perimeter, computer room, Hyper-V hosts; a physical machine, a virtual machine and a shielded virtual machine]

Demonstration video: Shielded VMs

Guarded fabric

Components: Hyper-V hosts 1–3 running Virtual Secure Mode, each with guest VMs and one shielded VM; the Host Guardian Service (HGS) on a Windows Server 2016 server providing key protection and health attestation.

1. HOST1 -> HGS: "Hello, I'm HOST1, can I have some keys, please?"
2. HGS -> HOST1: "Why certainly, I know you and I must say you're looking very healthy today!" (health attestation)
3. HOST1 -> HGS: "OK, so I'm healthy then! Can I have the keys now?"
4. HGS -> HOST1: "Sure, your certificate of health authorizes me to release keys to you for 8 hours" (key protection)

Shielded VMs – Multiple levels of security

https://technet.microsoft.com/en-us/windows-server-docs/security/guarded-fabric-shielded-vm/guarded-fabric-and-shielded-vms

Shielded VMs – Host Guardian Service

Shielded VMs – Attestation mode types

Attestation mode you choose for hosts / Host assurances

TPM-trusted attestation
  Guarded hosts that can run shielded VMs are approved based on their TPM identity, measured boot sequence and code integrity policies, so that you can ensure these hosts are only running approved code.
  Offers the strongest possible protections but also requires more configuration steps. Host hardware and firmware must include TPM 2.0 and UEFI 2.3.1 with Secure Boot enabled.

Admin-trusted attestation
  Guarded hosts that can run shielded VMs are approved by the Host Guardian Service based on membership in a designated Active Directory Domain Services (AD DS) security group.
  Intended to support existing host hardware where TPM 2.0 is not available. Requires fewer configuration steps and is compatible with commonplace server hardware.
  Caveat: this mode proves only that the host is a member of the group; nothing about its boot sequence or running code is measured, so a compromised member host still receives the keys.
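The two attestation modes from the table expressed as the Host Guardian Service and guarded-host commands that implement them. This is an added example, not code from the original deck or from the Microsoft documentation it links. Assumptions: the HGS service name hgs in the lab domain nwtraders.local, an AD group GuardedHosts in the fabric domain, a host named HOST1, and certificate and file paths under C:\certs and C:\attest; the HGS node has already been prepared with Install-HgsServer and rebooted, and the host-side commands run on each Hyper-V host.

```powershell
# Added example (not from the original deck): set up HGS in one of the two attestation modes
# and point a guarded host at it.

# ---- HGS side ----
$signPwd = Read-Host -AsSecureString 'Signing certificate PFX password'
$encPwd  = Read-Host -AsSecureString 'Encryption certificate PFX password'

# Option A, admin-trusted: a host is trusted because it is a member of an AD security group.
# Only identity is checked, so this gives no assurance about what the host is running.
# Initialize-HgsServer -HgsServiceName 'hgs' `
#     -SigningCertificatePath 'C:\certs\sign.pfx' -SigningCertificatePassword $signPwd `
#     -EncryptionCertificatePath 'C:\certs\enc.pfx' -EncryptionCertificatePassword $encPwd `
#     -TrustActiveDirectory
# $groupSid = (Get-ADGroup -Identity 'GuardedHosts' -Server 'gen2dc.nwtraders.local').SID.Value   # fabric domain, not the HGS forest
# Add-HgsAttestationHostGroup -Name 'GuardedHosts' -Identifier $groupSid

# Option B, TPM-trusted: a host is trusted by its TPM endorsement key, its measured-boot
# baseline and the code integrity policy it booted with (all three must match).
Initialize-HgsServer -HgsServiceName 'hgs' `
    -SigningCertificatePath 'C:\certs\sign.pfx' -SigningCertificatePassword $signPwd `
    -EncryptionCertificatePath 'C:\certs\enc.pfx' -EncryptionCertificatePassword $encPwd `
    -TrustTpm
Add-HgsAttestationTpmHost   -Path 'C:\attest\HOST1.xml'          -Name 'HOST1'          # EK export from HOST1 (see host side)
Add-HgsAttestationTpmPolicy -Path 'C:\attest\HOST1.tcglog'       -Name 'HW-Model-A'     # measured-boot baseline for this hardware model
Add-HgsAttestationCIPolicy  -Path 'C:\attest\HW-Model-A.p7b'     -Name 'HW-Model-A-CI'  # the code integrity policy the hosts boot with
Get-HgsServer   # prints the Attestation and KeyProtection URLs the hosts need

# Switching modes later is a single call: Set-HgsServer -TrustActiveDirectory  /  Set-HgsServer -TrustTpm

# ---- Guarded host side (run on HOST1) ----
# TPM-trusted only: export what HGS needs to know this host
# (Get-PlatformIdentifier -Name 'HOST1').InnerXml | Out-File 'C:\attest\HOST1.xml' -Encoding UTF8
# Get-HgsAttestationBaselinePolicy -Path 'C:\attest\HOST1.tcglog'

# Both modes: tell the host where to attest and where to fetch key protectors
Set-HgsClientConfiguration -AttestationServerUrl   'http://hgs.nwtraders.local/Attestation' `
                           -KeyProtectionServerUrl 'http://hgs.nwtraders.local/KeyProtection'
Get-HgsClientConfiguration   # AttestationStatus should read Passed; AttestationSubstatus names the failed check otherwise
```

In TPM-trusted mode a firmware update or a changed code integrity policy on a host changes its measurements and attestation fails until a new baseline or policy is registered; that is the mode doing its job, and the AttestationSubstatus field on the host tells you which of the three artifacts (EK, TCG log, CI policy) no longer matches.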

Shielded VMs – Trusted apps on trusted hosts

Shielded VMs – Trusted hardware check

Shielded VMs – VHD protection using trusted VHD image

Shielded VMs – Shielding data

Shielded VMs – Guardian

Reference for the shielded VM slides: https://technet.microsoft.com/en-us/windows-server-docs/security/guarded-fabric-shielded-vm/guarded-fabric-and-shielded-vms