GDPR
Sami Laiho
Senior Technical Fellow
Adminize.com / Win-Fu.com
Senior Advisor, Intility / Applixure
Sami Laiho
Senior Technical Fellow
adminize.com
• IT Admin since 1996
• MCT since 2001 (MCT Regional Lead – Finland → 2016)
• MVP in Windows OS since 2011
• Specializes in and trains:
• Troubleshooting
• Security
• Active Directory
• Hacking
• Penetration testing
• Social Engineering
• Trophies:
• TechDays Sweden 2016 – Best Speaker
• NIC 2016, 2017 – Best Speaker
• Ignite 2015 - #2 out of 1000+
• TechEd Europe 2014 – Best session
• TechEd North America 2014 - Best session, Best speaker
• TechEd Australia 2013 - Best session, Best speaker
• TechEd Europe 2013 - Best Session by an external speaker
@samilaiho
If you are not on Twitter – get on Twitter!
Schedule
• 09.00-10.15 Session
• 10.15-10.30 Coffee Break
• 10.30-12.00 Session
• 12.00-13.00 Lunch
• 13.00-16.00 Q&A
Agenda
• GDPR
• Server 2016
• Kernel changes
• Shielded VM’s
• Nano-server
• PowerShell 5 Security
• Containers
• Credential Guard and Device Guard
• Defender on a Server
• Data and Identity Protection on Server 2016
• General Security recommendations
GDPR
• Biggest change in 20 years
• Biggest project since Y2k
• Data Protection Officers needed a lot
GDPR
• What is the point of the new laws?
• They have been designed to give power back to citizens over how their data is
processed and used.
• Under the new rules, individuals have “the right to be forgotten”
• meaning they can request that businesses delete personal data that is no longer necessary or accurate
• The intention is to simplify the regulatory environment
GDPR
• Recommended process:
• Discover (what data do we have and where)
• Manage (who has access and from where)
• Protect (How can we protect the data)
• Report (Monitoring and auditing)
• MYTHS
• Myth 1: “The GDPR only affects companies in the European Union”
• Myth 2: “All security incidents must be reported within 72 hours”
• Myth 3: “All data must be encrypted in order to be in compliance with the
GDPR”
• Myth 4: “Kids are under 16”
MORE INFO on Windows and GDPR
• https://docs.microsoft.com/en-us/windows-server/security/gdpr/gdpr-winserver-whitepaper
• https://docs.microsoft.com/en-us/windows/configuration/gdpr-win10-whitepaper
Windows Server 2016 New Features
• Hyper-V on Nano Server
• Hyper-V Container
• Linux Secure Boot
• Discrete Device Assignment
• Host Resource Protection
• SVHDX Disk Format
• Hyper-V Replica Enhancements
• Hot add and remove for network adapters and
memory
• Switch Embedded Teaming
• Production Checkpoints
• VM configuration version
• Powershell Direct
• VM Groups
• Accelerated VHDX Operations
• Hyper-V Manager improvements
• Cross Version Management
• Nested Virtualization
• Shielded VMs
• Windows Hello for Business
• Azure AD join
• Passport Authentication
• IIS 10
• ADFS 3.1
• Nano Server
• PAM Trust
• Time limited group membership
• Time sync vNext
• Storage Replica
• Storage Spaces Direct
• Network Controller
• Docker
• Package Management
• Powershell 5
• RDS HA with Azure DB
• Multipoint Server
• Cluster Rolling Upgrade
• Workgroup Cluster
• Multi-Domain Cluster
• Site-aware Cluster
• Cluster Storage Resiliency
• Cluster Network Resiliency
• Cluster Node Quarantine
• Web Application Proxy protocol redirect
• Web Application Proxy Pre-Auth
• Device Guard
• Credential Guard
Kernel Changes
Secure Kernel
Traditional Kernel Mode vs User Mode
• Traditional design: two modes only, Kernel Mode and User Mode
Normal and Secure Mode
• With Virtual Secure Mode the Hypervisor sits underneath everything; above it run Normal Mode (Kernel, User Mode) and Secure Mode (Secure Kernel, Isolated User Mode) side by side
How does it work technically?
• Hypervisor now associates a Virtual Trust Level (VTL) with each Virtual
Processor (VP)
• Two VTLs defined today (higher → more privileged) – more are
supported
• VTL 0, which is the Normal World
• VTL 1, which is the Secure World
How does it work technically?
• Hypervisor uses Extended Page Tables (EPT, Intel’s SLAT implementation), which now
essentially have a “VTL” associated with them
• VTL 0 access to VTL 1 pages can be controlled
• Blocking +R → allows hiding cryptographic secrets (Credential Guard)
• Blocking +RX (or +RWX) → allows preventing execution of code, or modification of code
(Device Guard)
• Blocking +W → allows preventing modification of executable pages shared with VTL 1
• With VSM, the hypervisor no longer implicitly trusts the root partition
Isolated User Mode
• User Mode that is protected from the code in the normal Kernel
Mode
• Normally Kernel has full visibility to User Mode processes’ memory
Secure Kernel
• IUM is on top of Secure Kernel (Secure System)
• Known as SK, SKM, SMART (Secure Mode Application RunTime)
• Not a real Kernel but more a proxy that talks to the real Kernel but
marshalls the transactions
• Does not implement stuff that the normal kernel already does
• 300KB compared to 8MB
• SECUREKERNEL.exe
Secure Kernel
• Secure Kernel cannot be extended like the normal
• Only accessible by Microsoft not 3rd party
• All Trustlets need to be signed by Microsoft with a certain kind of certificate
• All CryptoCode, Challenge/Response is here so it stays private to the
Virtual Secure Mode
• Communication
• With other trustlets it uses Storage Blobs
• With Normal Mode (NTOSKRNL) it uses Mailboxes
Traditional Kernel Mode vs User Mode
• Kernel Mode and User Mode on one side, Secure Kernel and Isolated User Mode on the other, both on top of the Hypervisor
• The two sides only talk through a shared buffer with marshalled transactions
• How come the Kernel is not able to access the memory of the Secure Kernel?
Traditional Virtual memory
• Every process has its own page table; the same virtual address in two processes points to different physical pages with different access masks
• Page table, Process 0: V-Address 6789 → P-Address 0x7777777, access R-X
• Page table, Process 1: V-Address 6789 → P-Address 0x7778888, access RW-
Hypervisors and VMs
• With SLAT each VM gets a second-level page table that maps Guest Physical Addresses (GPA) to System Physical Addresses (SPA), again with an access mask
• SLAT, VM 1: GPA 67890 → SPA 0x7777777, access R-X
• SLAT, VM 2: GPA 67890 → SPA 0x7778888, access R-X
Kernel and Secure Kernel have their own SLATs
• The hypervisor keeps separate SLAT tables for Normal Mode (Kernel Mode / User Mode) and Secure Mode (Secure Kernel / Isolated User Mode); the only memory they share is the marshalled shared buffer
• SLAT, Kernel (VTL 0): GPA 67890 → SPA 0x7777777, access - - - (no access at all)
• SLAT, VSM / Secure Kernel (VTL 1): GPA 67890 → SPA 0x7777777, access R-X
• The same physical page is readable for the Secure Kernel but unmapped for the normal kernel; that is why the kernel cannot touch the Secure Kernel’s memory
Trustlets
• Processes running in Virtual Secure Mode
• Currently not available for developers
• In the future anything that needs Secrets to stay secret
• Currently four trustlets
• LSAISO = Credential Guard
• BIOISO = Biometrics information
• vTPM = Virtual TPM
• HVCI = Kernel Mode Code Integrity
• More are coming: Windows Defender Application Guard (codename Barcelona) runs Edge in its own container
IUM
• Isolated User Mode is now included with Hyper-V so you don't have
to install it separately
Memory
Virtual memory in Server 2016
• In 1993 computers usually had a maximum of 8MB of memory ;)
IOMMU
• I/O Memory Management Unit
• MMU for devices, as opposed to processors
• Where an MMU translates virtual to physical addresses for a CPU accessing your
system's memory, an IOMMU translates virtual to physical addresses for devices
• Hardware-based protection against DMA attacks
• Protects against buggy drivers and malicious code
• Works with SLAT
• Makes sure a device or VM won’t have access to physical memory
addresses not meant for them
• Known as: Intel VT-d / AMD-Vi
Hardware and editions
Improvements in scalability
Upgrade/Migration to Windows Server 2016
• Upgrading to Windows Server 2016:
• Upgrade from Windows Server 2008 R2 x64
• Upgrade to the same or higher version
• Requires the same processor architecture and language
• Migration to Windows Server 2016:
• Required when the source is an x86 version (no in-place upgrade path)
• Using Windows Server Migration Tools
Removed Functions
• File Server console (MMC snap-in removed)
• Security Configuration Wizard (removed)
• Software Quality Metrics (SQM removed)
• Configuration Tools (scregedit, sconfig)
• NetCfg custom APIs
• Remote management (WinRM.vbs)
• SMB 2+ over NetBT
• NAP support
Licensing
Licensing Windows Server 2016
• Licensing based on the processor cores
• Compared to processor sockets in Windows Server 2012 (R2)
• All physical cores must be licensed
• Minimum 16 cores must be licensed per server
• Minimum 8 cores must be licensed to each physical processor
• Core licenses are always sold as 2-core packs
• A server therefore needs at least eight 2-core packs
Licensing Comparison - Editions
Licensing example
Licensing - Virtualization Rights
• Standard Edition allows operation of up to two OSEs or Hyper-V
containers
• Datacenter Edition allows unrestricted virtualization rights for OSEs or
Hyper-V containers
Windows Server 2016 Servicing/Support
• Standard/Datacenter follows Long Term Service Branch (LTSB)
• 5+5 Support Model
• Nano Server follows Current Branch for Business (CBB)
• Mandatory Updates (2-3/Year)
Shielded VM’s
Good run through
• https://myignite.microsoft.com/videos/53182
Security
• “Shielded VM”
• Virtual Secure Mode
• LSAISO, vTPM
• Host Guardian Service
• Signature service for checking the host
• Bitlocker enabled VM (vTPM)
VM Protection – THE Challenge!
• Legitimate host?
Protect virtual machines – Microsoft’s approach
• Trust the host
Protect virtual machines – Virtual Secure Mode
• Protected VMs prevent access to RAM and processor from the host
• Virtual Trust Levels (VTLs): safety mechanism in addition to existing processor rings (ring 0 / ring 3)
• Memory Access Protections: VTL memory protection can only be changed by software running in a higher VTL
• Virtual Processor State: isolation of processor states between VTLs
Host Guardian Service
• Host Guardian Service stores keys of all trustworthy hosts as well as encrypted VMs
• Runs as a service to verify if the host is trustworthy
• Can also be operated as a VM
• Protects the virtual hard disk of the Shielded Virtual Machines
Shielded Virtual Machines
• Shielded Virtual Machines can only run on hosts that are marked as owners of the VM
• Must be encrypted (BitLocker or other methods) to ensure that only the OwnerHost can start the VM
• VMs can be converted to shielded VMs
Shielded VMs: Security Assurance Goals
• Encryption & data at-rest/in-flight protection
• Virtual TPM Enables Encryption of VM Disk (BitLocker)
• Both VM State and Live Migration are encrypted
• Admin-lockout
• Host administrators can not access VM directly
• Host administrators can not run any code in the kernel
• Attestation of health
• VM runs only on hosts that are considered safe
Attestation Modes: Either…Or…
Admin-trusted (Active Directory-based)
• Simplified rollout: establish an Active Directory trust and register a group, then add the authorized Hyper-V hosts to the AD group
• Existing hardware probably sufficient
• Lower confidence level: depends on the Hyper-V admin, no HW-based protection, no code integrity
H/W-trusted attestation (TPM-based)
• More complex setup / configuration: registration of each Hyper-V host TPM (EKpub) in the HGS, roll out / operate an HSM
• Current Hyper-V hardware required: support for TPM v2.0 and UEFI 2.3.1
• Highest level of trust: trust is based on the HW module, regardless of the Hyper-V admin
Spectre/Meltdown?
Nano-server
What is Nano Server?
• Reduced server version
• X64 only - no x86 subsystem!
• Very small Footprint ~ 400MB
• Headless Server - Remote Admin only (PS, WMI)
• Fast deployment
• Very few patches, very few reboots
• Standard / Datacenter License
Servicing Improvements
[Charts: Critical Bulletins, Important Bulletins and Number of Reboots, compared for Nano Server, Server Core and Full Server]
Security Improvements
[Charts: Ports open, Services running, Drivers loaded and Boot IO (MB), compared for Nano Server and Server Core]
Resource Utilization Improvements
[Charts: Process Count, Kernel memory in use (MB), Setup Time (sec) and Disk Footprint (GB), compared for Nano Server and Server Core]
Deployment Improvements
[Chart: VHD Size (GB), compared for Nano Server and Server Core]
Nano Server Workloads
• Hyper-V
• Storage Server/Scale Out File Server
• Application Server (IIS)
• DNS
• Containers
• 3rd Party Packages (Node.js, etc.)
PowerShell 5 Security
Crypto API
$cred = Get-Credential                        # prompts, returns a PSCredential
$pass = Read-Host -AsSecureString             # prompts, returns a SecureString
# single quotes: inside double quotes "$$" would be expanded as the $$ automatic variable
$secure = 'Pa$$w0rd' | ConvertTo-SecureString -AsPlainText -Force
# without -Key the output is DPAPI-protected: only this user on this machine can read it back
$secure | ConvertFrom-SecureString | Out-File -FilePath pass.txt
Crypto API
# with -Key (16, 24 or 32 bytes) the output is AES-encrypted and portable; the key file is the secret
$key = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($key)
$key | Out-File -FilePath key.txt             # Out-File takes -FilePath, not -FileName
$secure | ConvertFrom-SecureString -Key $key | Out-File -FilePath pass-aes.txt
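Added example, not from the slides: it round-trips both blob types the slide produces and shows what each one really protects, then goes one step further than the slide with a machine-scoped DPAPI secret for service accounts. The working folder under $env:TEMP and the password value are constructed for the demo.

```powershell
# Added example (not from the slides). Assumptions: throwaway folder under $env:TEMP,
# constructed password 'Pa$$w0rd'.
$work  = Join-Path $env:TEMP 'securestring-demo'
$plain = 'Pa$$w0rd'            # single quotes: "$$" would expand inside double quotes
New-Item -ItemType Directory -Path $work -Force | Out-Null
$secure = ConvertTo-SecureString -String $plain -AsPlainText -Force

# 1) DPAPI (no -Key): bound to this user on this machine. Useless to an attacker who copies
#    the file, but also useless to a scheduled task that runs as a different account.
$secure | ConvertFrom-SecureString | Out-File -FilePath (Join-Path $work 'dpapi.txt')

# 2) AES (-Key): portable, but the key file is worth exactly as much as the password.
$key = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($key)
$key | Out-File -FilePath (Join-Path $work 'key.txt')
$secure | ConvertFrom-SecureString -Key $key | Out-File -FilePath (Join-Path $work 'aes.txt')

function ConvertTo-DemoPlainText {
    # Only for the comparison below; never leave plaintext copies of a real credential around.
    param([System.Security.SecureString]$SecureString)
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($SecureString)
    try     { [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
    finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }
}

function Test-SecureStringRoundTrip {
    $fromDpapi = Get-Content (Join-Path $work 'dpapi.txt') | ConvertTo-SecureString
    $storedKey = [byte[]](Get-Content (Join-Path $work 'key.txt'))   # one byte per line
    $fromAes   = Get-Content (Join-Path $work 'aes.txt') | ConvertTo-SecureString -Key $storedKey
    [pscustomobject]@{
        DpapiMatches = (ConvertTo-DemoPlainText $fromDpapi) -eq $plain
        AesMatches   = (ConvertTo-DemoPlainText $fromAes)   -eq $plain
    }
}
Test-SecureStringRoundTrip    # both True for this user; the DPAPI line fails under another account

# 3) A service that needs a machine-bound secret instead of a user-bound one can call DPAPI
#    directly with LocalMachine scope. Caveat: every admin (and every SYSTEM process) on the
#    box can then decrypt it, so this only moves the trust boundary to the host.
Add-Type -AssemblyName System.Security
$bytes     = [Text.Encoding]::UTF8.GetBytes($plain)
$protected = [System.Security.Cryptography.ProtectedData]::Protect($bytes, $null, 'LocalMachine')
$restored  = [Text.Encoding]::UTF8.GetString(
    [System.Security.Cryptography.ProtectedData]::Unprotect($protected, $null, 'LocalMachine'))
$restored -eq $plain          # True
```

Run it once as yourself and once as a second user pointed at the same folder: the AES file opens for both, the DPAPI file only for the account that wrote it.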
Crypto CMDLets
• Based on the Cryptographic Message Syntax (CMS, RFC 5652)
Encryption and decryption using CMDLet
• Protect-CmsMessage
• Unprotect-CmsMessage
• Requires a certificate with the Document Encryption EKU (OID_DOCUMENT_ENCRYPTION, 1.3.6.1.4.1.311.80.1)
• Encryption is bound to the certificate, not to the user or machine (unlike DPAPI)
• Private/Public Key
• Public Key => Encrypt (CER)
• Private Key => Decrypt (PFX)
Constrained PowerShell
• Constrained Language Mode: integration of PowerShell with AppLocker (and Device Guard UMCI) in enforce mode
• Blocks advanced PowerShell features when enabled
• No arbitrary .NET classes, no Win32 API (Add-Type / P/Invoke), no COM, etc.
• Exceptions possible
• Signed scripts (when the AppLocker rules allow them)
• Path exceptions (scripts under an allowed path run in Full Language mode)
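Added example, not from the slides: a session can lower its own language mode but never raise it again, so the block below drops a throwaway session into Constrained Language Mode and probes what still works. In production the mode is applied automatically by AppLocker or Device Guard enforcement; setting it by hand here only reproduces the effect for a demo.

```powershell
# Added example (not from the slides). Run in a disposable session: powershell.exe -NoProfile
$ExecutionContext.SessionState.LanguageMode = 'ConstrainedLanguage'

function Test-Capability {
    # Runs one probe and reports whether the language mode allowed it.
    param([string]$Name, [scriptblock]$Action)
    try   { & $Action | Out-Null; '{0,-42} allowed' -f $Name }
    catch { '{0,-42} blocked: {1}' -f $Name, $_.FullyQualifiedErrorId }
}

Test-Capability 'Core cmdlets (Get-Process)'           { Get-Process -Id $PID }
Test-Capability 'Allowed .NET type ([Math]::Sqrt)'      { [Math]::Sqrt(16) }
Test-Capability 'Arbitrary .NET type (WebClient)'       { New-Object System.Net.WebClient }
Test-Capability 'Add-Type (compile C# in session)'       { Add-Type -TypeDefinition 'public class X {}' }
Test-Capability 'Static call on System.IO.File'          { [System.IO.File]::Exists('C:\Windows') }

# Typical result: the first two are allowed, the last three are blocked. The download
# cradle in most PowerShell malware needs exactly the blocked capabilities.
$ExecutionContext.SessionState.LanguageMode   # ConstrainedLanguage; cannot be set back to FullLanguage
```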
Protected Event Logging
• Script Block Logging logs all script blocks (event 4104 in Microsoft-Windows-PowerShell/Operational)
• Danger that sensitive information (e.g. passwords embedded in scripts) is logged ...!
• Protected Event Logging encrypts the event log entries
• Certificates required (a Document Encryption certificate; the logging host only needs the public key)
• Encryption according to the CMS standard; decryption with Unprotect-CmsMessage wherever the private key lives
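Added example, not from the slides, serving both the Crypto CMDLets slide and the Protected Event Logging slide: it creates a Document Encryption certificate, encrypts and decrypts a message with Protect-CmsMessage / Unprotect-CmsMessage, and then decrypts script block events with the same private key. The subject name, file paths and message text are made up; Protected Event Logging itself is switched on through Group Policy with the certificate’s public key and is not configured by this block.

```powershell
# Added example (not from the slides). Assumptions: subject 'CN=PowerShell CMS Demo',
# files under $env:TEMP, constructed message text.

# A CMS certificate needs the Document Encryption EKU (1.3.6.1.4.1.311.80.1).
$cert = New-SelfSignedCertificate -Subject 'CN=PowerShell CMS Demo' `
    -Type DocumentEncryptionCert -KeyUsage KeyEncipherment, DataEncipherment `
    -CertStoreLocation 'Cert:\CurrentUser\My'

# The public key alone encrypts: export the CER for hosts that only ever need to encrypt.
$cer = Join-Path $env:TEMP 'cms-demo.cer'
Export-Certificate -Cert $cert -FilePath $cer | Out-Null

function Protect-DemoSecret {
    param([string]$Text)
    # -To accepts a CER file, a thumbprint or a subject name
    Protect-CmsMessage -To $cer -Content $Text
}
function Unprotect-DemoSecret {
    param([string]$Cms)
    # Needs the private key, found in CurrentUser\My on this machine
    Unprotect-CmsMessage -Content $Cms
}

$cms = Protect-DemoSecret -Text 'db password: constructed-value'
$cms                                           # -----BEGIN CMS----- ... -----END CMS-----
(Unprotect-DemoSecret -Cms $cms) -eq 'db password: constructed-value'   # True

# Protected Event Logging encrypts the ScriptBlock text inside event 4104 with the same kind
# of certificate. On the analysis box that holds the PFX, pipe the events straight in:
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } -MaxEvents 5 |
    Unprotect-CmsMessage

# Keep the private key off the logging hosts: a host that can decrypt its own
# log would defeat the point of encrypting it.
```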
Just Enough Administration (JEA)
• Implements a Role Based Access Control model
• Users only get the cmdlets they need for their tasks
• Works only over PowerShell remoting (you connect to a registered session configuration, i.e. an endpoint)
• The endpoint’s session configuration determines the JEA session: no-language mode, a virtual or group-managed “run as” account, transcripts
• Implemented via Role Capability Files (.psrc) referenced from a Session Configuration File (.pssc)
• Defines which cmdlets, parameters, functions, etc. are visible
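Added example, not from the slides: a complete help desk endpoint built from a role capability file and a session configuration file. The group CONTOSO\HelpDesk, the module name HelpDeskJEA, the host name and the transcript folder are made up; run it as an administrator on the server that is going to be managed.

```powershell
# Added example (not from the slides). Assumptions: group CONTOSO\HelpDesk, module
# HelpDeskJEA, transcript folder C:\JEATranscripts, target host server01.
$moduleRoot = Join-Path $env:ProgramFiles 'WindowsPowerShell\Modules\HelpDeskJEA'
New-Item -ItemType Directory -Path (Join-Path $moduleRoot 'RoleCapabilities') -Force | Out-Null
New-ModuleManifest -Path (Join-Path $moduleRoot 'HelpDeskJEA.psd1')

# 1) Role capability: the allow-list. Parameters are constrained too, so Restart-Service
#    cannot be turned into "Restart-Service -Name LanmanServer".
New-PSRoleCapabilityFile -Path (Join-Path $moduleRoot 'RoleCapabilities\HelpDesk.psrc') `
    -VisibleCmdlets @(
        'Get-Service',
        @{ Name = 'Restart-Service'; Parameters = @{ Name = 'Name'; ValidateSet = 'Spooler', 'W32Time' } }
    ) `
    -VisibleFunctions 'Get-DemoUptime' `
    -FunctionDefinitions @{
        Name        = 'Get-DemoUptime'
        ScriptBlock = { (Get-Date) - (Get-CimInstance Win32_OperatingSystem).LastBootUpTime }
    }

# 2) Session configuration: no-language session, runs as a temporary virtual local admin,
#    maps the AD group to the role, records a transcript of every session.
$pssc = Join-Path $env:TEMP 'HelpDesk.pssc'
New-PSSessionConfigurationFile -Path $pssc `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory 'C:\JEATranscripts' `
    -RoleDefinitions @{ 'CONTOSO\HelpDesk' = @{ RoleCapabilities = 'HelpDesk' } }

Test-PSSessionConfigurationFile -Path $pssc        # True when the file is well-formed
Register-PSSessionConfiguration -Name 'HelpDesk' -Path $pssc -Force | Out-Null

# 3) A help desk user connects only to this endpoint; everything else stays invisible:
#    Enter-PSSession -ComputerName server01 -ConfigurationName HelpDesk
#    Get-Command inside that session lists Get-Service, Restart-Service and Get-DemoUptime
#    plus a handful of built-ins such as Get-Command and Exit-PSSession, nothing more.
```

The user’s real account never gets local admin rights; the virtual account exists only for the lifetime of the session, and the transcript in C:\JEATranscripts is the audit trail the Report step of the GDPR process asks for.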
Containers
Containers
• Containers are a new level of virtualization
• I see it like App-V for Operating Systems
• Two different levels: Server Containers and Hyper-V Containers
• More info:
• http://blogs.technet.com/b/virtualization/archive/2015/10/13/windows-insider-preview-nested-virtualization.aspx
• https://channel9.msdn.com/Events/Build/2015/2-704
CSF18 - GDPR - Sami Laiho
Expectations of Cloud Applications
• Fast Iterations
• Rapid Deployment
• Reproducibility
• Service Separation
• High Availability
• Test at Scale
• On Any Cloud
• Scalability
• Reduced Costs
• Immutability
What is a container?
• Traditional stack: Application on top of the OS on top of the Hardware
• Traditional virtual machines = hardware virtualization: every VM brings its own kernel on top of the hypervisor
• Containers = operating system virtualization: applications share one kernel but each runs in its own container
• Windows Server Containers: all containers share the host kernel – maximum speed and density
• Hyper-V Containers: each container gets its own kernel inside a small, purpose-built VM – isolation plus performance
How do containers work?
High Level Architecture
• Container Development and Management Toolset → Container Runtime → Windows Containers
• Host User Mode: Container Management next to the host’s own System Processes
• Windows Server Container: its own System Processes and Application Process(es), sharing the host kernel
• Hyper-V Container: the same container running inside a Virtual Machine Specifically Optimized To Run a Container
Startup Performance
• Windows Server Container: under 600 milliseconds / ~1 second (the two figures given on the slides)
• Hyper-V Container: ~1.75 seconds / ~3.3 seconds
• A virtual machine: ~3 seconds / ~5 seconds to over a minute
• Test hardware: HP ProLiant SL250s Gen8, E5-2600, 2 Socket, 8 Core, 128GB RAM, HP SATA SSD
Density
• Windows Server Container: first container ~120MB / ~150MB, additional containers ~75MB (the two figures given on the slides)
• Hyper-V Container: first container ~340MB / ~555MB, additional containers ~150MB / ~280MB
• Test hardware: HP ProLiant SL250s Gen8, E5-2600, 2 Socket, 8 Core, 128GB RAM, HP SATA SSD
Credential Guard and Device
Guard
Credential Guard
• Known compatibility problems with (not limited to):
• F5 Big-IP Edge Client
• Check Point Capsule
• Cylance Protect
• Aim to deploy this to all workstations!
Remote Credential Guard
• Applies to
• Windows 10
• Windows Server 2016
Remote Credential Guard
• Remote Credential Guard helps you protect your credentials over a
Remote Desktop connection by redirecting the Kerberos requests
back to the device that's requesting the connection
• It also provides single sign on experiences for Remote Desktop
sessions
• If the target device is compromised, your credentials are not exposed
because both credential and credential derivatives are never sent to
the target device.
Usage Scenarios
• Administrator credentials are highly privileged and must be
protected. By using Remote Credential Guard to connect, you can be
assured that your credentials are not passed over the network to the
target device.
• Helpdesk employees in your organization must connect to domain-
joined devices that could be compromised. With Remote Credential
Guard, the helpdesk employee can use RDP to connect to the target
device without compromising their credentials to malware.
Credential Guard vs Remote Credential Guard
Enable Remote Credential Guard
• You must enable Remote Credential Guard on the target device by using the registry.
• Open Registry Editor.
• Enable Remote Credential Guard:
• Go to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa.
• Add a new DWORD value named DisableRestrictedAdmin. Set the value of this registry setting to 0 to turn on Remote Credential Guard (the name is inverted: 0 means enabled).
• Close Registry Editor.
• You can add this by running the following from an elevated command prompt (/f overwrites an existing value without prompting):
• reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v DisableRestrictedAdmin /d 0 /t REG_DWORD /f
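Added example, not from the slides: the same target-side change done with PowerShell, a check function for it, and the client-side invocation. The host name server01 is made up.

```powershell
# Added example (not from the slides). Assumption: server01 is a made-up RDP target.

# Target (the RDP server): DisableRestrictedAdmin = 0 allows Restricted Admin and
# Remote Credential Guard connections. The value name is inverted, so 0 means "enabled".
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
New-ItemProperty -Path $lsa -Name DisableRestrictedAdmin -PropertyType DWord -Value 0 -Force | Out-Null

function Test-RemoteCredentialGuardTarget {
    # True when the target accepts Remote Credential Guard connections.
    $v = Get-ItemProperty -Path $lsa -Name DisableRestrictedAdmin -ErrorAction SilentlyContinue
    return ($null -ne $v -and $v.DisableRestrictedAdmin -eq 0)
}
Test-RemoteCredentialGuardTarget      # True after the change above

# Client: ask for Remote Credential Guard explicitly. Kerberos requests are redirected back
# to this machine, so the target never receives the password, the NT hash or a TGT:
#   mstsc.exe /remoteGuard /v:server01
#
# Caveats: Kerberos only (both sides domain-joined, no NTLM fallback), no saved credentials,
# and if the client policy "Restrict delegation of credentials to remote servers" is set to
# "Require Remote Credential Guard", connections to hosts without the value above simply fail.
```

Remote Credential Guard protects the credential in transit and on the target; it does not stop an attacker who already owns the target from acting inside the session while it is open.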
Device Guard
• Single purpose machines
• No user exceptions
• VERY HARDCORE!!
Device Guard
• Device Guard has a number of prerequisites
• Windows 10 64-bit (Enterprise, Enterprise LTSB and Education editions)
• Hyper-V and Configurable Code Integrity features enabled to provide
Virtualization-Based Security (VBS)
• UEFI firmware with GUID Partition Table (GPT) disk and Secure Boot enabled
• Processor virtualization extensions (Intel VT-x / AMD-V)
• Second Level Address Translation (SLAT)
• Input-Output Memory Management Units (IOMMU) (Intel VT-d / AMD-Vi)
• Trusted Platform Module (TPM) 1.2 or 2.0
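Added example, not from the slides: it reads the Win32_DeviceGuard WMI class and maps the numeric values to the prerequisites listed above, so you can see which of them a machine is missing before rolling out Credential Guard or HVCI. It also ties back to the Kernel Changes section: a running Credential Guard shows up as the LsaIso trustlet process.

```powershell
# Added example (not from the slides). Reads VBS state from the DeviceGuard WMI namespace.
function Get-VbsStatus {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard

    # Value meanings as documented for Win32_DeviceGuard
    $propertyNames = @{
        1 = 'Hypervisor support (VT-x/AMD-V with SLAT)'
        2 = 'Secure Boot'
        3 = 'DMA protection (IOMMU: VT-d/AMD-Vi)'
        4 = 'Secure memory overwrite'
        5 = 'NX protections'
        6 = 'SMM mitigations'
        7 = 'Mode-based execution control (MBEC)'
    }
    $serviceNames = @{ 1 = 'Credential Guard'; 2 = 'HVCI (kernel-mode code integrity)' }
    $vbsState     = @{ 0 = 'Not enabled'; 1 = 'Enabled but not running'; 2 = 'Running' }

    [pscustomobject]@{
        VbsStatus           = $vbsState[[int]$dg.VirtualizationBasedSecurityStatus]
        AvailableProperties = @($dg.AvailableSecurityProperties | ForEach-Object { $propertyNames[[int]$_] })
        RequiredProperties  = @($dg.RequiredSecurityProperties  | ForEach-Object { $propertyNames[[int]$_] })
        ServicesConfigured  = @($dg.SecurityServicesConfigured  | ForEach-Object { $serviceNames[[int]$_] })
        ServicesRunning     = @($dg.SecurityServicesRunning     | ForEach-Object { $serviceNames[[int]$_] })
        LsaIsoRunning       = [bool](Get-Process -Name LsaIso -ErrorAction SilentlyContinue)
    }
}

$status = Get-VbsStatus
$status | Format-List

# "Configured but not running" almost always means a hardware prerequisite is missing
# (typically Secure Boot or the IOMMU). Compare required against available:
$missing = $status.RequiredProperties | Where-Object { $_ -notin $status.AvailableProperties }
if ($missing) { "Missing prerequisites: $($missing -join ', ')" }
if ('Credential Guard' -in $status.ServicesConfigured -and 'Credential Guard' -notin $status.ServicesRunning) {
    'Credential Guard is configured by policy but not running on this machine'
}
```

Run this on a sample of the estate before a Device Guard or Credential Guard rollout; machines that report “Enabled but not running” are the ones that will silently stay unprotected.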
Device Guard
• You will also need:
• A file share
• A code signing certificate
• Good run through: https://www.1e.com/blogs/2016/05/03/device-guard-practice/
Signing
• 95% of Malware is not signed – just something to think about
• AppLocker + PackageInspector.exe (Windows 10) is not a bad idea at all for some
Defender (and Firewall) on a
Server
Firewall
• Set log size to max 32MB
• Log dropped packets = YES
• Log successful connections = YES
• I don’t display a notification for normal end users
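Added example, not from the slides: the firewall settings above applied to all three profiles with Set-NetFirewallProfile, plus a small reader for the resulting log that surfaces dropped inbound packets per source. The log path is the Windows default; no sample data is embedded because the log is written by the firewall itself.

```powershell
# Added example (not from the slides). Applies the logging settings and reads the log back.

# 32767 KB is the largest size the setting accepts (the "32MB" on the slide).
Set-NetFirewallProfile -All `
    -LogMaxSizeKilobytes 32767 `
    -LogBlocked True `
    -LogAllowed True `
    -LogFileName '%systemroot%\system32\LogFiles\Firewall\pfirewall.log' `
    -NotifyOnListen False

# The log is W3C extended format:
# date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
function Get-DroppedInbound {
    param([string]$Path = "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log")
    Get-Content -Path $Path |
        Where-Object { $_ -and $_ -notmatch '^#' } |      # skip header and blank lines
        ForEach-Object {
            $f = $_ -split ' '
            if ($f[2] -eq 'DROP' -and $f[-1] -eq 'RECEIVE') {
                [pscustomobject]@{
                    Time    = "$($f[0]) $($f[1])"
                    Proto   = $f[3]
                    Src     = $f[4]
                    Dst     = $f[5]
                    DstPort = $f[7]
                }
            }
        }
}

# Top talkers hitting closed ports on this server
Get-DroppedInbound | Group-Object Src | Sort-Object Count -Descending | Select-Object -First 10 Count, Name

# Confirm the settings took on every profile
Get-NetFirewallProfile | Select-Object Name, LogMaxSizeKilobytes, LogBlocked, LogAllowed, NotifyOnListen
```

Logging allowed connections as well as drops is what makes the log useful in an incident: drops show who is scanning you, allowed entries show what actually got in.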
Windows Defender
• By default, Windows Defender is installed and functional on Windows
Server 2016
• The user interface is installed by default on some SKUs
• You can manage Windows Defender by using WMI, Windows
PowerShell, or by using Group Policy
• https://technet.microsoft.com/en-us/windows-server-docs/security/windows-defender/windows-defender-overview-windows-server
Things to note about Defender
• The only things that Defender can’t do:
• Centralized Reporting
• Centralized Management
• Talk to the Firewall
• We can say that the engine of Defender is just fine
• 1% more found malware in tests currently means 3000 malware samples that were
not detected → Basically useless!
• I choose by
• The size of the wallet
• Burden on the OS
• Honestly:
• If you have System Center use SCEP
• Take a look at ATP!
Advanced Threat Protection
• Windows Defender Advanced Threat Protection (Windows Defender ATP) is
a security service that enables enterprise customers to detect, investigate,
and respond to advanced threats on their networks
• Endpoint behavioral sensors
• Cloud security analytics
• Threat intelligence
• Windows Defender ATP is available as part of Windows 10 Enterprise E5 and although its name is Windows Defender ATP it does not have to run with Windows Defender and works with other anti-malware solutions
• Hard to get prices as they are through quotes, but a guesstimate:
• a step up price from E3 to E5 for €22,95 per user per year (this was for a university)
• I call it centralized Sysmon + Knowledgepool
ATP Requirements
• SKU
• Windows 10 Enterprise
• Windows 10 Education
• Windows 10 Pro
• Windows 10 Pro Education
• Internet connectivity on endpoints is required
• SENSE can utilize up to 5MB daily
Onboarding
• Windows Defender ATP supports the following deployment tools and
methods:
• Group Policy
• System Center Configuration Manager
• Mobile Device Management (including Microsoft Intune)
• Local script
And gets better…
• Upcoming enhancements to Windows Defender ATP will take its
capabilities one step further by enabling network isolation of
compromised machines. The update will also provide an option to
quarantine and prevent subsequent execution of files
Data and Identity Protection
on Server 2016
Windows Information Protection
(WIP)
Windows Information Protection (WIP)
• With the increase of employee-owned devices in the enterprise,
there’s also an increasing risk of accidental data leak through apps
and services
• With WIP Windows now includes the functionality necessary to
identify personal and business information, determine which apps
have access to it, and provide the basic controls necessary to
determine what users are able to do with business data (e.g.: Copy
and Paste restrictions).
• Available on Pro SKU and up on Workstations
WIP
• Can work in different modes
• Block
• Override
• Silent
• Off
• Knows about Corporate vs Personal data by
• Network boundaries
• Save As –dialog
• Settings for Office365 Outlook etc.
Best Practices
• https://technet.microsoft.com/itpro/windows/keep-secure/guidance-and-best-practices-wip
Active Directory
Privileged access management
• Privileged access management (PAM) helps mitigate security concerns for Active Directory environments that are caused by credential theft techniques such as pass-the-hash, spear phishing, and similar types of attacks
• It provides a new administrative access solution that is configured by
using Microsoft Identity Manager (MIM)
• Requirements
• Microsoft Identity Manager
• Active Directory forest functional level of Windows Server 2012 R2 or higher
Bastion Forest
• A new bastion Active Directory forest, which is provisioned by MIM
• The bastion forest has a special PAM trust with an existing forest
• It provides
• a new Active Directory environment that is known to be free of any malicious
activity
• isolation from an existing forest for the use of privileged accounts
New Features
• New processes in MIM to request administrative privileges, along with new
workflows based on the approval of requests
• New shadow security principals (groups) that are provisioned in the
bastion forest by MIM in response to administrative privilege requests
• The shadow security principals have an attribute that references the SID of an
administrative group in an existing forest
• This allows the shadow group to access resources in an existing forest without
changing any access control lists (ACLs)
• An expiring links feature
• enables time-bound membership in a shadow group
• A user can be added to the group for just enough time required to perform an
administrative task
• The time-bound membership is expressed by a time-to-live (TTL) value that is propagated to a
Kerberos ticket lifetime
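Added example, not from the slides: time-bound group membership with the Privileged Access Management optional feature, plus a helper that lists who is about to expire. The forest contoso.com, the group Tier0-Admins and the user alice are made up; it needs the ActiveDirectory module against a forest at the 2016 forest functional level.

```powershell
# Added example (not from the slides). Assumptions: forest contoso.com,
# group 'Tier0-Admins', user 'alice'; ActiveDirectory module available.
Import-Module ActiveDirectory

# One-way switch: once the feature is enabled it cannot be disabled, so do it deliberately.
Enable-ADOptionalFeature -Identity 'Privileged Access Management Feature' `
    -Scope ForestOrConfigurationSet -Target 'contoso.com'

# Add alice for one hour. The KDC caps her TGT lifetime to the remaining TTL, so her
# tickets expire together with the membership instead of outliving it.
Add-ADGroupMember -Identity 'Tier0-Admins' -Members 'alice' -MemberTimeToLive (New-TimeSpan -Hours 1)

function Get-ExpiringMember {
    # With -ShowMemberTimeToLive the member attribute comes back as "<TTL=3599>,CN=alice,..."
    param([string]$Group)
    (Get-ADGroup -Identity $Group -Property member -ShowMemberTimeToLive).member |
        ForEach-Object {
            if ($_ -match '^<TTL=(\d+)>,(.+)$') {
                [pscustomobject]@{ Member = $Matches[2]; SecondsLeft = [int]$Matches[1] }
            }
            else {
                [pscustomobject]@{ Member = $_; SecondsLeft = $null }   # permanent member
            }
        }
}

Get-ExpiringMember -Group 'Tier0-Admins'   # alice with SecondsLeft <= 3600, permanent members with $null

# Members without a TTL are the ones to review: standing membership in a Tier 0 group is
# exactly what the expiring-links feature is meant to remove.
Get-ExpiringMember -Group 'Tier0-Admins' | Where-Object { $null -eq $_.SecondsLeft }
```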
New Features
• KDC enhancements are built in to Active Directory domain controllers
to restrict Kerberos ticket lifetime to the lowest possible time-to-live
(TTL) value in cases where a user has multiple time-bound
memberships in administrative groups
• For example, if you are added to a time-bound group A, then when you log
on, the Kerberos ticket-granting ticket (TGT) lifetime is equal to the time you
have remaining in group A. If you are also a member of another time-bound
group B, which has a lower TTL than group A, then the TGT lifetime is equal to
the time you have remaining in group B.
• New monitoring capabilities to help you easily identify who requested
access, what access was granted, and what activities were performed.
MS Goals
[Diagram: Traditional Applications (Physical and Virtual) and Cloud Applications (Cloud Host: Azure, Azure Stack, SDDC); labels: Sustaining Success, New Growth, Guest Business, Host Business]
Server as a Service
• “Server as a Service”
• LTSB ~ oct 2019
• Insider and TAP earlier
• Server RS3 2017 pilot, in sync with Windows 10 1709
• 3-4 months to “Broad”
• Support 18 months
• Monthly cumulative updates like now
Server RS 3 investments
• Encrypted Networks
• Fabric ACLs
• SDN validation tool
• SDN gateway improvements
• Faster failover
• Measuring outbound bandwidth
• Guest-support for RDMA
• Container-networks
• Compatibility in all directions
• TCP Fast Open (TFO)
• LEDBAT++
• Time
• Nowadays 5 minute separation allowed
• Target 1ms, to meet EU regulations
• NIC Timestamping+
• 0.1 ms target on higher levels
Windows Server v1709 Core Improvements
Nano Server, version 1709
General Security Recommendations
• Least Privilege
• Whitelisting
• BitLocker
• LAPS
• Stop re-using passwords, MFA
Contact
• sami@adminize.com
• Twitter: @samilaiho
• Blog: http://blog.win-fu.com/
• Free newsletter: http://eepurl.com/F-GOj
• Websites:
• www.adminize.com
• www.win-fu.com
• www.wioski.com
• www.samilaiho.com
• Video-based training:
• http://www.pluralsight.com/
• Email me to get free access!!
• http://dojo.win-fu.com/
David Sweigert
 
Security best practices for hyper v and server virtualisation [svr307]
Louis Göhl
 
Windows Server 2016 First Look (Part 1)
Tuan Yang
 
Tips to Remediate your Vulnerability Management Program
BeyondTrust
 
What's New in Windows Server 2012 R2
Aidan Finn
 
cybersecurityawarnessiit------------------------------.ppt
AninditaGhosh82
 
Security @ Windows 10 Partner Technical Bootcamp Microsoft Norway October 2015
Jan Ketil Skanke
 
2337610
hantfhan
 
Yashi dealer meeting settembre 2016 windows server 2016 microsoft italia
Yashi Italia
 
D1 t2 jonathan brossard - breaking virtualization by switching to virtual 8...
kbour23
 
1 introduction to windows server 2016
Hameda Hurmat
 
Trend Micro VForum Agentless Scanning Presentation
Graeme Wood
 
0828 Windows Server 2008 新安全功能探討
Timothy Chen
 
CSC_406_5_Virtualization - Case Study, it's base on virtualization
dolandarc2
 
MCSA Installing & Configuring Windows Server 2012 70-410
omardabbas
 
What's New In Windows Server 2008 R2 For IT Pros - Extended Edition
Amit Gatenyo
 
Scale17x: Thinking outside of the conceived tech comfort zone
The Linux Foundation
 
windows-server- 2019 installing and configuring
apel7
 
Dear Hacker: Infrastructure Security Reality Check
Paula Januszkiewicz
 
EXAM NOTES for DOD Standard 8570 CompTia Advanced Security Practitioner (CASP)
David Sweigert
 
Ad

More from NCCOMMS (20)

PDF
O365Con19 - UI:UX 101 Learn How to Design Custom Experiences for SharePoint -...
NCCOMMS
 
PDF
O365Con19 - Model-driven Apps or Canvas Apps? - Rick Bakker
NCCOMMS
 
PDF
O365Con19 - Office 365 Groups Surviving the Real World - Jasper Oosterveld
NCCOMMS
 
PDF
O365Con19 - Developing Timerjob and Eventhandler Equivalents - Adis Jugo
NCCOMMS
 
PDF
O365Con19 - Sharepoint with (Artificial) Intelligence - Adis Jugo
NCCOMMS
 
PDF
O365Con19 - What Do You Mean 90 days Isn't Enough - Paul Hunt
NCCOMMS
 
PDF
O365Con19 - Tips and Tricks for Complex Migrations to SharePoint Online - And...
NCCOMMS
 
PDF
O365Con19 - Start Developing Teams Tabs and SharePoint Webparts with SPFX - O...
NCCOMMS
 
PDF
O365Con19 - Start Your Journey from Skype for Business to Teams - Sasja Beere...
NCCOMMS
 
PDF
O365Con19 - Lets Get Started with Azure Container Instances - Jussi Roine
NCCOMMS
 
PDF
O365Con19 - Azure Blackbelt - Jussi Roine
NCCOMMS
 
PDF
O365Con19 - Customise the UI in Modern SharePoint Workspaces - Corinna Lins
NCCOMMS
 
PDF
O365Con19 - Be The Protagonist of Your Modern Workplace - Corinna Lins
NCCOMMS
 
PDF
O365Con19 - How to Really Manage all your Tasks Across Microsoft 365 - Luise ...
NCCOMMS
 
PDF
O365Con19 - Sharing Code Efficiently in your Organisation - Elio Struyf
NCCOMMS
 
PDF
O365Con19 - Things I've Learned While Building a Product on SharePoint Modern...
NCCOMMS
 
PDF
O365Con19 - Keep Control of Your Data with AIP and CA - Bram de Jager
NCCOMMS
 
PDF
O365Con19 - Kaizala a Dive Into the Unknown - Rick van Rousselt
NCCOMMS
 
PDF
O365Con19 - How to Inspire Users to Unstick from Email - Luise Freese
NCCOMMS
 
PDF
O365Con19 - O365 Identity Management and The Golden Config - Chris Goosen
NCCOMMS
 
O365Con19 - UI:UX 101 Learn How to Design Custom Experiences for SharePoint -...
NCCOMMS
 
O365Con19 - Model-driven Apps or Canvas Apps? - Rick Bakker
NCCOMMS
 
O365Con19 - Office 365 Groups Surviving the Real World - Jasper Oosterveld
NCCOMMS
 
O365Con19 - Developing Timerjob and Eventhandler Equivalents - Adis Jugo
NCCOMMS
 
O365Con19 - Sharepoint with (Artificial) Intelligence - Adis Jugo
NCCOMMS
 
O365Con19 - What Do You Mean 90 days Isn't Enough - Paul Hunt
NCCOMMS
 
O365Con19 - Tips and Tricks for Complex Migrations to SharePoint Online - And...
NCCOMMS
 
O365Con19 - Start Developing Teams Tabs and SharePoint Webparts with SPFX - O...
NCCOMMS
 
O365Con19 - Start Your Journey from Skype for Business to Teams - Sasja Beere...
NCCOMMS
 
O365Con19 - Lets Get Started with Azure Container Instances - Jussi Roine
NCCOMMS
 
O365Con19 - Azure Blackbelt - Jussi Roine
NCCOMMS
 
O365Con19 - Customise the UI in Modern SharePoint Workspaces - Corinna Lins
NCCOMMS
 
O365Con19 - Be The Protagonist of Your Modern Workplace - Corinna Lins
NCCOMMS
 
O365Con19 - How to Really Manage all your Tasks Across Microsoft 365 - Luise ...
NCCOMMS
 
O365Con19 - Sharing Code Efficiently in your Organisation - Elio Struyf
NCCOMMS
 
O365Con19 - Things I've Learned While Building a Product on SharePoint Modern...
NCCOMMS
 
O365Con19 - Keep Control of Your Data with AIP and CA - Bram de Jager
NCCOMMS
 
O365Con19 - Kaizala a Dive Into the Unknown - Rick van Rousselt
NCCOMMS
 
O365Con19 - How to Inspire Users to Unstick from Email - Luise Freese
NCCOMMS
 
O365Con19 - O365 Identity Management and The Golden Config - Chris Goosen
NCCOMMS
 

Recently uploaded (20)

PDF
Oracle AI Vector Search- Getting Started and what's new in 2025- AIOUG Yatra ...
Sandesh Rao
 
PPTX
What-is-the-World-Wide-Web -- Introduction
tonifi9488
 
PDF
Trying to figure out MCP by actually building an app from scratch with open s...
Julien SIMON
 
PDF
The Future of Artificial Intelligence (AI)
Mukul
 
PDF
NewMind AI Weekly Chronicles - July'25 - Week IV
NewMind AI
 
PDF
Software Development Methodologies in 2025
KodekX
 
PDF
CIFDAQ's Market Wrap : Bears Back in Control?
CIFDAQ
 
PPTX
New ThousandEyes Product Innovations: Cisco Live June 2025
ThousandEyes
 
PDF
Using Anchore and DefectDojo to Stand Up Your DevSecOps Function
Anchore
 
PDF
A Strategic Analysis of the MVNO Wave in Emerging Markets.pdf
IPLOOK Networks
 
PDF
Research-Fundamentals-and-Topic-Development.pdf
ayesha butalia
 
PPTX
The-Ethical-Hackers-Imperative-Safeguarding-the-Digital-Frontier.pptx
sujalchauhan1305
 
PDF
Presentation about Hardware and Software in Computer
snehamodhawadiya
 
PDF
Brief History of Internet - Early Days of Internet
sutharharshit158
 
PDF
Accelerating Oracle Database 23ai Troubleshooting with Oracle AHF Fleet Insig...
Sandesh Rao
 
PDF
Responsible AI and AI Ethics - By Sylvester Ebhonu
Sylvester Ebhonu
 
PPTX
Introduction to Flutter by Ayush Desai.pptx
ayushdesai204
 
PDF
MASTERDECK GRAPHSUMMIT SYDNEY (Public).pdf
Neo4j
 
PPTX
OA presentation.pptx OA presentation.pptx
pateldhruv002338
 
PDF
Unlocking the Future- AI Agents Meet Oracle Database 23ai - AIOUG Yatra 2025.pdf
Sandesh Rao
 
Oracle AI Vector Search- Getting Started and what's new in 2025- AIOUG Yatra ...
Sandesh Rao
 
What-is-the-World-Wide-Web -- Introduction
tonifi9488
 
Trying to figure out MCP by actually building an app from scratch with open s...
Julien SIMON
 
The Future of Artificial Intelligence (AI)
Mukul
 
NewMind AI Weekly Chronicles - July'25 - Week IV
NewMind AI
 
Software Development Methodologies in 2025
KodekX
 
CIFDAQ's Market Wrap : Bears Back in Control?
CIFDAQ
 
New ThousandEyes Product Innovations: Cisco Live June 2025
ThousandEyes
 
Using Anchore and DefectDojo to Stand Up Your DevSecOps Function
Anchore
 
A Strategic Analysis of the MVNO Wave in Emerging Markets.pdf
IPLOOK Networks
 
Research-Fundamentals-and-Topic-Development.pdf
ayesha butalia
 
The-Ethical-Hackers-Imperative-Safeguarding-the-Digital-Frontier.pptx
sujalchauhan1305
 
Presentation about Hardware and Software in Computer
snehamodhawadiya
 
Brief History of Internet - Early Days of Internet
sutharharshit158
 
Accelerating Oracle Database 23ai Troubleshooting with Oracle AHF Fleet Insig...
Sandesh Rao
 
Responsible AI and AI Ethics - By Sylvester Ebhonu
Sylvester Ebhonu
 
Introduction to Flutter by Ayush Desai.pptx
ayushdesai204
 
MASTERDECK GRAPHSUMMIT SYDNEY (Public).pdf
Neo4j
 
OA presentation.pptx OA presentation.pptx
pateldhruv002338
 
Unlocking the Future- AI Agents Meet Oracle Database 23ai - AIOUG Yatra 2025.pdf
Sandesh Rao
 

CSF18 - GDPR - Sami Laiho

GDPR
• Recommended process:
• Discover (what data do we have and where)
• Manage (who has access and from where)
• Protect (how can we protect the data)
• Report (monitoring and auditing)
• MYTHS
• Myth 1: “The GDPR only affects companies in the European Union”
• Myth 2: “All security incidents must be reported within 72 hours”
• Myth 3: “All data must be encrypted in order to be in compliance with the GDPR”
• Myth 4: “Kids are under 16”

MORE INFO on Windows and GDPR
• https://docs.microsoft.com/en-us/windows-server/security/gdpr/gdpr-winserver-whitepaper
• https://docs.microsoft.com/en-us/windows/configuration/gdpr-win10-whitepaper

Windows Server 2016 New Features
• Hyper-V on Nano Server
• Hyper-V Container
• Linux Secure Boot
• Discrete Device Assignment
• Host Resource Protection
• SVHDX Disk Format
• Hyper-V Replica Enhancements
• Hot add and remove for network adapters and memory
• Switch Embedded Teaming
• Production Checkpoints
• VM configuration version
• PowerShell Direct
• VM Groups
• Accelerated VHDX Operations
• Hyper-V Manager improvements
• Cross Version Management
• Nested Virtualization
• Shielded VMs
• Windows Hello for Business
• Azure AD join
• Passport Authentication
• IIS 10
• ADFS 3.1
• Nano Server
• PAM Trust
• Time limited group membership
• Time sync vNext
• Storage Replica
• Storage Spaces Direct
• Network Controller
• Docker
• Package Management
• PowerShell 5
• RDS HA with Azure DB
• Multipoint Server
• Cluster Rolling Upgrade
• Workgroup Cluster
• Multi-Domain Cluster
• Site-aware Cluster
• Cluster Storage Resiliency
• Cluster Network Resiliency
• Cluster Node Quarantine
• Web Application Proxy protocol redirect
• Web Application Proxy Pre-Auth
• Device Guard
• Credential Guard
Traditional Kernel Mode vs User Mode
[Diagram: KERNEL MODE below USER MODE]

Normal and Secure Mode
[Diagram: NORMAL MODE (KERNEL, USER MODE) and SECURE MODE (SECURE KERNEL, ISOLATED USER MODE), both running on top of the HYPERVISOR]

How does it work technically?
• The hypervisor now associates a Virtual Trust Level (VTL) with each Virtual Processor (VP)
• Two VTLs are defined today (higher → more privileged); more are supported
• VTL 0, which is the Normal World
• VTL 1, which is the Secure World

How does it work technically?
• The hypervisor uses Extended Page Tables (EPT), which now essentially have a VTL associated with them
• VTL 0 access to VTL 1 pages can be controlled
• Blocking +R → allows hiding cryptographic secrets (Credential Guard)
• Blocking +RX (or +RWX) → allows preventing execution of code, or modification of code (Device Guard)
• Blocking +W → allows preventing modification of executable pages shared with VTL 1
• With VSM, the hypervisor no longer implicitly trusts the root partition

Isolated User Mode
• A User Mode that is protected from the code in the normal Kernel Mode
• Normally the kernel has full visibility into User Mode processes’ memory

Secure Kernel
• IUM runs on top of the Secure Kernel (Secure System)
• Known as SK, SKM, SMART (Secure Mode Application RunTime)
• Not a real kernel but more a proxy that talks to the real kernel and marshals the transactions
• Does not implement what the normal kernel already does
• ~300KB compared to ~8MB
• SECUREKERNEL.exe

Secure Kernel
• The Secure Kernel cannot be extended like the normal kernel
• Only accessible by Microsoft, not third parties
• All Trustlets need to be signed by Microsoft with a certain kind of certificate
• All crypto code and challenge/response handling lives here, so it stays private to Virtual Secure Mode
• To communicate with other trustlets it uses Storage Blobs
• To communicate with Normal Mode (NTOSKRNL) it uses Mailboxes

Traditional Kernel Mode vs User Mode
[Diagram: KERNEL MODE / USER MODE on one side, SECURE KERNEL / ISOLATED USER MODE on the other, both on the HYPERVISOR, connected through a SHARED BUFFER (marshalled)]

How come the kernel is not able to access the memory of the Secure Kernel?

Traditional virtual memory
[Diagram: each process has its own page table (V-Address → P-Address + ACCESS MASK); the same virtual address 6789 maps to physical 0x7777777 (R-X) in process 0 and to physical 0x7778888 (RW-) in process 1]

Hypervisors and VMs
[Diagram: each VM has its own SLAT table (GPA → SPA + ACCESS MASK); guest physical address 67890 maps to system physical address 0x7777777 (R-X) in VM 1 and to 0x7778888 (R-X) in VM 2]

Kernel and Secure Kernel have their own SLATs
[Diagram: KERNEL MODE / USER MODE and SECURE KERNEL / ISOLATED USER MODE each sit on their own SLAT table on the HYPERVISOR, with a SHARED BUFFER (marshalled) between them]

Hypervisors and VMs
[Diagram: the same system physical address 0x7777777 (GPA 67890) is mapped with access mask - - - in the normal kernel’s SLAT and R - X in the VSM SLAT; the normal kernel therefore cannot read, write or execute the Secure Kernel’s pages even though it “owns” ring 0]
Trustlets
• Processes running in Virtual Secure Mode
• Currently not available for developers
• In the future: anything that needs secrets to stay secret
• Currently four trustlets:
• LSAISO = Credential Guard
• BIOISO = Biometrics information
• vTPM = Virtual TPM
• HVCI = Kernel Mode Code Integrity
• More are coming: Edge (“Barcelona”) will run in its own container, Windows Defender Application Guard

IUM
• Isolated User Mode is now included with Hyper-V, so you don't have to install it separately

Virtual memory in Server 2016
• In 1993 computers usually had a maximum of 8MB of memory ;)

IOMMU
• I/O Memory Management Unit
• MMU for devices, as opposed to processors
• Where an MMU translates virtual to physical addresses for a CPU accessing your system's memory, an IOMMU translates virtual to physical addresses for devices
• Hardware-based protection against DMA access
• Protects against buggy drivers and malicious code
• Works with SLAT
• Makes sure a device or VM won’t have access to physical memory addresses not meant for them
• Known as Intel VT-d / AMD-Vi
Upgrade/Migration to Windows Server 2016
• Upgrading to Windows Server 2016:
• Upgrade from Windows Server 2008 R2 x64
• Upgrade to the same or a higher edition
• Requires the same processor architecture and language
• Migration to Windows Server 2016:
• Migration must be used when coming from an x86 version
• Using Windows Server Migration Tools

Removed Functions
• File Server console (MMC snap-in removed)
• Security Configuration Wizard (removed)
• Software Quality Metrics (SQM removed)
• Configuration tools (scregedit, sconfig)
• NetCfg custom APIs
• Remote management (WinRM.vbs)
• SMB 2+ over NetBT
• NAP support

Licensing Windows Server 2016
• Licensing is based on processor cores
• Compared to processor sockets in Windows Server 2012 (R2)
• All physical cores must be licensed
• A minimum of 16 cores must be licensed per server
• A minimum of 8 cores must be licensed for each physical processor
• Core licenses are always sold as 2-core packs
• Eight 2-core packs are the minimum needed to license a server

Licensing - Virtualization Rights
• Standard Edition allows operation of up to two OSEs or Hyper-V containers
• Datacenter Edition allows unrestricted virtualization rights for OSEs or Hyper-V containers

Windows Server 2016 Servicing/Support
• Standard/Datacenter follow the Long Term Servicing Branch (LTSB)
• 5+5 support model
• Nano Server follows the Current Branch for Business (CBB)
• Mandatory updates (2-3 per year)

Good run-through
• https://myignite.microsoft.com/videos/53182
Security
• “Shielded VM”
• Virtual Secure Mode
• LSAISO, vTPM
• Host Guardian Service
• Signature service for checking the host
• BitLocker-enabled VM (vTPM)

VM Protection – THE Challenge!
• Legitimate host?

Protect virtual machines – Microsoft’s approach
• Trust the host

Protect virtual machines – Virtual Secure Mode
• Protected VMs prevent access to RAM and processor state from the host
• Virtual Trust Levels (VTLs): a safety mechanism in addition to the existing processor rings (ring 0 / ring 3)
• Memory Access Protections: VTL memory protection can only be changed by software running in a higher VTL
• Virtual Processor State: isolation of processor state between VTLs

Host Guardian Service
• The Host Guardian Service stores the keys of all trustworthy hosts as well as of the encrypted VMs
• Runs as a service to verify whether a host is trustworthy
• Can also be operated as a VM

Shielded Virtual Machines
• Shielded Virtual Machines can only run on hosts that are marked as owners of the VM
• The virtual hard disk must be encrypted (BitLocker or other methods) to ensure that only the owner host can start the VM
• VMs can be converted to shielded VMs

Shielded VMs: Security Assurance Goals
• Encryption & data at-rest/in-flight protection
• Virtual TPM enables encryption of the VM disk (BitLocker)
• Both VM state and live migration traffic are encrypted
• Admin lockout
• Host administrators cannot access the VM directly
• Host administrators cannot run any code in the VM kernel
• Attestation of health
• The VM runs only on hosts that are considered healthy

Attestation Modes: Either…Or…
Admin-trusted (Active Directory-based)
• Simplified rollout
• Establish an Active Directory trust + register a group
• Add authorized Hyper-V hosts to the AD group
• Existing hardware probably sufficient
• Lower confidence level: depends on the Hyper-V admin
• No HW-based protection
• No code integrity
H/W-trusted attestation (TPM-based)
• More complex setup / configuration
• Registration of each Hyper-V host TPM (EKpub) in the HGS
• Roll out / operate an HSM
• Current Hyper-V hardware required: support for TPM v2.0 and UEFI 2.3.1
• Highest level of trust: trust is based on the HW module, regardless of the Hyper-V admin
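The “VMs can be converted to shielded VMs” step above, as an added example (not from the deck): it takes an existing Generation 2 VM on a Server 2016 Hyper-V host, gives it a key protector, a vTPM and the Shielded policy, then reads the security state back. The VM name and guardian name are made up, the VM is assumed to be powered off, and the guest is assumed to already run a BitLocker-capable Windows. The local owner guardian is the lab shortcut: with an HGS in place the key protector would also list the HGS guardian, and only hosts that pass attestation could obtain the key.

```powershell
# Added example (not the deck's code). Assumptions: elevated PowerShell on a Server 2016
# Hyper-V host, Generation 2 VM named below, no HGS in the lab.
$vmName = 'finance-db01'   # constructed name

# Hyper-V host side support for shielded VMs (brings the HgsClient cmdlets).
Install-WindowsFeature -Name HostGuardian | Out-Null

# 1) Owner guardian: a certificate pair identifying who owns the VM. Keep the private
#    keys with the owner; the host only ever needs the public halves.
$owner = Get-HgsGuardian -Name 'LabOwner' -ErrorAction SilentlyContinue
if (-not $owner) { $owner = New-HgsGuardian -Name 'LabOwner' -GenerateCertificates }

# 2) Key protector: wraps the vTPM's key for the guardians. -AllowUntrustedRoot is needed
#    because the lab guardian certificates are self-signed; drop it with a real PKI.
$kp = New-HgsKeyProtector -Owner $owner -AllowUntrustedRoot

# 3) Attach the key protector, switch the vTPM on and mark the VM as shielded. Shielded
#    also turns on encryption of saved state and live-migration traffic, and removes the
#    host admin's console, PowerShell Direct and debugger access to the VM.
Stop-VM -Name $vmName -ErrorAction SilentlyContinue -WarningAction SilentlyContinue
Set-VMKeyProtector -VMName $vmName -KeyProtector $kp.RawData
Enable-VMTPM -VMName $vmName
Set-VMSecurityPolicy -VMName $vmName -Shielded $true

# Readback: this is what to check in an audit of "shielded" VMs.
Get-VMSecurity -VMName $vmName |
    Select-Object VMName, TpmEnabled, Shielded, EncryptStateAndVmMigrationTraffic

# Inside the guest (not shown): enable BitLocker on the OS volume; the vTPM now seals
# the volume key, so a copied VHDX is useless without the key protector being honoured.
```

With only a local owner guardian the VM starts on any host that holds the owner's private keys, which is why this is a lab shortcut. The “runs only on attested hosts” property on the previous slides comes from adding the HGS guardian (`Get-HgsGuardian` on the host after `Set-HgsClientConfiguration`) to the key protector, so that the vTPM key is released by the HGS rather than by a certificate sitting on the host.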
What is Nano Server?
• Reduced server version
• x64 only - no x86 subsystem!
• Very small footprint, ~400MB
• Headless server - remote admin only (PS, WMI)
• Fast deployment
• Very few patches, very few reboots
• Standard / Datacenter license

Servicing Improvements
[Charts comparing Nano Server, Server Core and Full Server: Critical Bulletins (values on the chart: 23, 8, 2), Important Bulletins (9, 23, 26) and Number of Reboots (6, 11, 3)]

Security Improvements
[Charts comparing Nano Server vs Server Core: Ports open 12 vs 31, Services running 22 vs 46, Drivers loaded 73 vs 98]

Resource Utilization Improvements
[Charts comparing Nano Server vs Server Core: Boot IO (MB), Process Count and Kernel memory in use (MB); values on the chart: 26, 21, 61, 139, 150, 255]

Deployment Improvements
[Charts comparing Nano Server vs Server Core: Setup Time (sec), Disk Footprint (GB) and VHD Size (GB); values on the chart: .41, 6.3, 40, 300, 4.84, .4]

Nano Server Workloads
• Hyper-V
• Storage Server / Scale-Out File Server
• Application Server (IIS)
• DNS
• Containers
• 3rd party packages (Node.js, etc.)
Crypto API
$cred = Get-Credential
$pass = Read-Host -AsSecureString
'Pa$$w0rd' | ConvertTo-SecureString -AsPlainText -Force | ConvertFrom-SecureString | Out-File pass.txt
(Single quotes: inside a double-quoted string "$$" expands to the current process ID.)

Crypto API
$key | Out-File -FilePath key.txt
$pass | ConvertFrom-SecureString -Key $key | Out-File secure.txt

Crypto CMDLets
• Based on the Cryptographic Message Syntax (CMS) standard
• Encryption and decryption using the cmdlets:
• Protect-CmsMessage
• Unprotect-CmsMessage
• Requires a certificate with the Document Encryption EKU (OID_DOCUMENT_ENCRYPTION)
• Is thus independent of the user
• Private/public key:
• Public key => encrypt (CER)
• Private key => decrypt (PFX)
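The three mechanisms from slides 60 to 62, carried through as an added example (not the deck's code) so the difference in who can decrypt is visible: `ConvertFrom-SecureString` without `-Key` is DPAPI and bound to the user and machine, with `-Key` it is AES under a key you now have to store somewhere, and CMS encrypts to a certificate. It assumes Windows PowerShell 5.x on Windows 10 / Server 2016, run as the user who later reads the files; the working directory, file names and the sample password are made up.

```powershell
# Added example (not from the deck). Assumptions: Windows PowerShell 5.x, same user for
# writing and reading; $workDir, the file names and 'Pa$$w0rd' are constructed.
$workDir = Join-Path $env:TEMP 'securestring-demo'
New-Item -ItemType Directory -Path $workDir -Force | Out-Null

# Single quotes matter: inside double quotes "$$" expands to the current process ID.
$secure = ConvertTo-SecureString -String 'Pa$$w0rd' -AsPlainText -Force

# 1) No -Key: the blob is wrapped with DPAPI and bound to this user on this machine.
#    Copied to another host, or read by another account, ConvertTo-SecureString fails.
$secure | ConvertFrom-SecureString | Out-File -FilePath "$workDir\dpapi.txt"

# 2) With -Key: AES with a key you supply. Portable, but anyone holding key.txt can
#    decrypt, so a key file next to the blob (or inside the script) protects nothing.
$key = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($key)
($key -join ',') | Out-File -FilePath "$workDir\key.txt"
$secure | ConvertFrom-SecureString -Key $key | Out-File -FilePath "$workDir\aes.txt"

function ConvertFrom-SecureStringToPlain {
    # Demo helper: a SecureString is not a one-way secret, it only keeps the text out of
    # the managed heap; any code running as the user can unwrap it like this.
    param([Security.SecureString]$Secure)
    $ptr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Secure)
    try     { [Runtime.InteropServices.Marshal]::PtrToStringBSTR($ptr) }
    finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($ptr) }
}

# Whoever has key.txt + aes.txt recovers the password on any machine; dpapi.txt needs
# this user's DPAPI master key (or the domain's DPAPI backup key for a domain account).
$keyFromDisk = [byte[]]((Get-Content -Path "$workDir\key.txt") -split ',')
$recovered   = Get-Content -Path "$workDir\aes.txt" | ConvertTo-SecureString -Key $keyFromDisk
ConvertFrom-SecureStringToPlain -Secure $recovered

# 3) CMS (slide 62): encrypt to a certificate's public key. The sender only needs the
#    .cer; decryption works only where the private key (PFX) is installed, regardless of
#    which user or machine produced the blob.
$cert = New-SelfSignedCertificate -Type DocumentEncryptionCert -Subject 'CN=CmsDemo' `
            -KeyUsage KeyEncipherment, DataEncipherment -CertStoreLocation Cert:\CurrentUser\My
Protect-CmsMessage -To $cert -Content 'db password: Pa$$w0rd' | Out-File -FilePath "$workDir\secret.cms"
Get-CmsMessage -Path "$workDir\secret.cms" | Select-Object -ExpandProperty Recipients   # who can decrypt
Unprotect-CmsMessage -Path "$workDir\secret.cms"
```

The practical rule that falls out of this: a DPAPI blob is fine for a scheduled task that runs as the same account on the same box; anything that must travel (deployment secrets, config pushed by SCCM) should be CMS-encrypted to the receiving host's certificate, and the `-Key` form is only as secret as wherever you put the key.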
Constrained PowerShell
• Integration of PowerShell with AppLocker
• Blocks advanced PowerShell features when enabled
• No .NET classes, Win32 API, etc.
• Exceptions possible:
• Signed scripts
• Path exceptions

Protected Event Logging
• Deep Script Block Logging logs all script blocks
• Danger that sensitive information is logged...!
• Protected Event Logging encrypts event log entries
• Certificates required
• Encryption according to the CMS standard
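Protected Event Logging set up by hand, as an added example (not from the deck): it creates a Document Encryption certificate, writes the same registry values the “Enable Protected Event Logging” and “Turn on PowerShell Script Block Logging” policies set, logs a script block from a fresh process and then decrypts the 4104 events with `Unprotect-CmsMessage`. It assumes an elevated Windows PowerShell 5.x session; the registry paths are the policy locations, and it assumes the `EncryptionCertificate` value accepts the PEM-encoded certificate (a thumbprint of a certificate in the machine store is the documented alternative).

```powershell
# Added example (not from the deck). Assumptions: elevated Windows PowerShell 5.x on
# Windows 10 / Server 2016; the sample secret string is constructed.
$logPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\ProtectedEventLogging'
$sblPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'

# Certificate with the Document Encryption EKU (1.3.6.1.4.1.311.80.1, OID_DOCUMENT_ENCRYPTION).
# In production: generate it on the log-reading side, deploy only the .cer to the hosts
# that log, and keep the PFX with the people allowed to read the script blocks.
$cert = New-SelfSignedCertificate -Type DocumentEncryptionCert -Subject 'CN=PowerShell Log Encryption' `
            -KeyUsage KeyEncipherment, DataEncipherment -CertStoreLocation Cert:\LocalMachine\My
$pem  = "-----BEGIN CERTIFICATE-----`n" +
        [Convert]::ToBase64String($cert.RawData, 'InsertLineBreaks') +
        "`n-----END CERTIFICATE-----"

foreach ($path in $logPolicy, $sblPolicy) {
    if (-not (Test-Path -Path $path)) { New-Item -Path $path -Force | Out-Null }
}
Set-ItemProperty -Path $sblPolicy -Name EnableScriptBlockLogging   -Value 1
Set-ItemProperty -Path $logPolicy -Name EnableProtectedEventLogging -Value 1
Set-ItemProperty -Path $logPolicy -Name EncryptionCertificate       -Value $pem

# The policy is read when a PowerShell session starts, so log from a new process.
powershell.exe -NoProfile -Command { $apiKey = 'constructed-secret-1234'; "len=$($apiKey.Length)" }

# 4104 = "Creating Scriptblock text". Encrypted entries carry a CMS blob instead of the code...
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } -MaxEvents 20
$encrypted = $events | Where-Object { $_.Message -like '*-----BEGIN CMS-----*' }
$encrypted | Select-Object -First 1 -ExpandProperty Message

# ...and only a holder of the private key turns them back into script text.
$encrypted | Unprotect-CmsMessage | Where-Object { $_ -like '*constructed-secret*' }
```

Two things worth checking after turning this on: that the SIEM forwarding the log cannot also read the private key (otherwise the encryption only protects against the local event log reader), and that the same certificate is the one referenced by the policy on every host, because a host whose policy points to a missing certificate keeps logging in clear text.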
Just Enough Administration (JEA)
• Implements a Role Based Access Control model
• Users only get the cmdlets they need for their tasks
• Works only for remote PowerShell
• Specifying the configuration name determines the JEA session
• Implemented via Role Capability Files
• Defines which cmdlets, etc. are visible
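A complete JEA endpoint following the steps above, as an added example (not from the deck): a role capability file that exposes a handful of commands with parameter validation, a session configuration that runs them as a temporary virtual account with transcription, and a check from the operator's side. It assumes an elevated Windows PowerShell 5.1 session on a domain-joined Server 2016; the module name, endpoint name and the group `CONTOSO\Helpdesk` are invented and the group must exist.

```powershell
# Added example (not from the deck). Assumptions: elevated PowerShell 5.1, domain-joined
# host, existing group CONTOSO\Helpdesk; module and endpoint names are constructed.
$moduleRoot = Join-Path $env:ProgramFiles 'WindowsPowerShell\Modules\HelpdeskJea'
$rcDir      = Join-Path $moduleRoot 'RoleCapabilities'   # JEA only looks in this subfolder
New-Item -ItemType Directory -Path $rcDir -Force | Out-Null
New-Item -ItemType Directory -Path 'C:\JeaTranscripts' -Force | Out-Null
New-ModuleManifest -Path (Join-Path $moduleRoot 'HelpdeskJea.psd1') -Description 'JEA role capabilities'

# Role capability: which commands are visible, and with which parameter values.
# Restart-Service is allowed for the Spooler only; Remove-Item is never exposed, the
# privileged clean-up is wrapped in a function whose body the operator cannot change.
New-PSRoleCapabilityFile -Path (Join-Path $rcDir 'PrinterOps.psrc') `
    -VisibleCmdlets @(
        'Get-Service',
        @{ Name = 'Restart-Service'; Parameters = @{ Name = 'Name'; ValidateSet = 'Spooler' } },
        @{ Name = 'Get-WinEvent';    Parameters = @{ Name = 'LogName'; ValidateSet = 'System', 'Application' }, @{ Name = 'MaxEvents' } }
    ) `
    -VisibleFunctions 'Clear-PrintQueue' `
    -FunctionDefinitions @{
        Name        = 'Clear-PrintQueue'
        ScriptBlock = {
            Stop-Service -Name Spooler
            Get-ChildItem -Path "$env:SystemRoot\System32\spool\PRINTERS" -File | Remove-Item -Force
            Start-Service -Name Spooler
        }
    }

# Session configuration: RestrictedRemoteServer = NoLanguage mode plus a minimal command set,
# commands run as a per-session virtual account (local admin on this host, no domain identity),
# and every session is transcribed for the audit trail.
$pssc = Join-Path $env:TEMP 'Helpdesk.pssc'
New-PSSessionConfigurationFile -Path $pssc `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory 'C:\JeaTranscripts' `
    -RoleDefinitions @{ 'CONTOSO\Helpdesk' = @{ RoleCapabilities = 'PrinterOps' } }

if (-not (Test-PSSessionConfigurationFile -Path $pssc)) { throw 'invalid session configuration file' }
Register-PSSessionConfiguration -Name 'Helpdesk' -Path $pssc -Force | Out-Null   # restarts WinRM

# Check from the operator's side: only the whitelisted commands exist in the endpoint,
# and the ValidateSet rejects the service the role is not allowed to touch.
$s = New-PSSession -ComputerName localhost -ConfigurationName 'Helpdesk'
Invoke-Command -Session $s -ScriptBlock { Get-Command | Select-Object -ExpandProperty Name }
Invoke-Command -Session $s -ScriptBlock { Restart-Service -Name LanmanServer }   # fails validation
Invoke-Command -Session $s -ScriptBlock { Clear-PrintQueue }                     # allowed
Remove-PSSession -Session $s
```

The point to review in any role capability file is the parameter constraints: `Restart-Service` without a `ValidateSet` would let the helpdesk restart domain services, and any exposed cmdlet that takes a `-ScriptBlock`, `-FilePath` or `-Command` parameter (`Invoke-Command`, `Start-Process`, `Invoke-Expression`) hands the virtual account's admin rights to the caller.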
Containers
• Containers are a new level of virtualization
• I see it like App-V for operating systems
• Two different levels: Windows Server Containers and Hyper-V Containers
• More info:
• http://blogs.technet.com/b/virtualization/archive/2015/10/13/windows-insider-preview-nested-virtualization.aspx
• https://channel9.msdn.com/Events/Build/2015/2-704

Expectations of Cloud Applications
• Fast Iterations
• Rapid Deployment
• Reproducibility
• Service Separation
• High Availability
• Test at Scale
• On Any Cloud
• Scalability
• Reduced Costs
• Immutability
What is a container?
[Diagram: Application on top of OS on top of Hardware]
• Traditional virtual machines = hardware virtualization (VM | VM | VM, each with its own kernel)
• Containers = operating system virtualization (CONTAINER | CONTAINER | CONTAINER on top of one shared kernel)
• Windows Server Containers: maximum speed and density (all containers share the host kernel)
• Hyper-V Containers: isolation plus performance (each container gets its own kernel inside a small VM)
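The isolation difference on the previous slides, made visible from the host, as an added example (not from the deck): a process-isolated container's processes are ordinary host processes that share the host kernel, while a Hyper-V container's processes live inside a utility VM and the host only sees the VM worker process. It assumes a Server 2016 host with the Containers feature and Docker installed, the Hyper-V role enabled for the second run, and a Server Core image already pulled; the image tag and container names are assumptions.

```powershell
# Added example (not from the deck). Assumptions: Docker on Server 2016 with Hyper-V,
# image already pulled; $image and the container names are constructed.
$image = 'mcr.microsoft.com/windows/servercore:ltsc2016'

docker run -d --name demo-process --isolation=process $image ping -t 127.0.0.1 | Out-Null
docker run -d --name demo-hyperv  --isolation=hyperv  $image ping -t 127.0.0.1 | Out-Null

# Shared kernel: the process-isolated container's ping.exe shows up in the host's
# process list. A kernel exploit inside that container runs against the host kernel.
$hostPings = @(Get-Process -Name ping -ErrorAction SilentlyContinue)
"ping.exe instances visible to the host: $($hostPings.Count)"   # the process-isolated one only

# Hyper-V isolation: the container runs in a utility VM, so the host sees vmwp.exe
# (the VM worker) rather than the container's processes.
$vmWorkers = @(Get-Process -Name vmwp -ErrorAction SilentlyContinue)
"vmwp.exe (VM worker) instances: $($vmWorkers.Count)"

# docker records which isolation each container actually got; check it instead of
# trusting the daemon default, which a host admin can change in daemon.json.
foreach ($name in 'demo-process', 'demo-hyperv') {
    $isolation = docker inspect --format '{{.HostConfig.Isolation}}' $name
    "$name -> $isolation"
}

docker rm -f demo-process demo-hyperv | Out-Null
```

For a multi-tenant or hostile-code scenario the Hyper-V isolation level is the one that matches the “isolation” claim on the slide; process isolation buys density, not a security boundary against a kernel bug.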
High Level Architecture
[Diagram: Container Development and Management Toolset → Container Runtime → Windows Containers]

Windows Containers
[Build-up diagram: a Windows Containers Host with Host User Mode (Container Management, System Processes); each Windows Server Container holds its own System Processes and Application Process(es) directly on the host kernel; a Hyper-V Container holds the same System Processes and Application Process(es) inside a virtual machine specifically optimized to run a container]

Startup Performance
• The slide gives two sets of measurements:
• Windows Server Container: under 600 milliseconds / ~1 second
• Hyper-V Container: ~1.75 seconds / ~3.3 seconds
• A virtual machine: ~3 seconds / ~5 seconds to over a minute
• Test hardware: HP ProLiant SL250s Gen8, E5-2600, 2 Socket, 8 Core, 128GB RAM, HP SATA SSD

Density
• The slide gives two sets of measurements:
• Windows Server Container: first container ~120MB, additional containers ~75MB / first container ~150MB, additional containers ~75MB
• Hyper-V Container: first container ~340MB, additional containers ~150MB / first container ~555MB, additional containers ~280MB
• Test hardware: HP ProLiant SL250s Gen8, E5-2600, 2 Socket, 8 Core, 128GB RAM, HP SATA SSD
Credential Guard and Device Guard

Credential Guard
• Known problems with (but not limited to):
• F5 BIG-IP Edge Client
• Check Point Capsule
• Cylance Protect
• Aim to deploy this to all workstations!

Remote Credential Guard
• Applies to:
• Windows 10
• Windows Server 2016

Remote Credential Guard
• Remote Credential Guard helps you protect your credentials over a Remote Desktop connection by redirecting the Kerberos requests back to the device that's requesting the connection
• It also provides single sign-on for Remote Desktop sessions
• If the target device is compromised, your credentials are not exposed, because neither the credential nor credential derivatives are ever sent to the target device

Usage Scenarios
• Administrator credentials are highly privileged and must be protected. By using Remote Credential Guard to connect, you can be assured that your credentials are not passed over the network to the target device.
• Helpdesk employees in your organization must connect to domain-joined devices that could be compromised. With Remote Credential Guard, the helpdesk employee can use RDP to connect to the target device without exposing their credentials to malware.

Credential Guard vs Remote Credential Guard
Enable Remote Credential Guard
• You must enable Remote Credential Guard on the target device by using the registry.
• Open Registry Editor.
• Enable Remote Credential Guard:
• Go to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa.
• Add a new DWORD value named DisableRestrictedAdmin. Set the value of this registry setting to 0 to turn on Remote Credential Guard.
• Close Registry Editor.
• You can add this by running the following from an elevated command prompt:
• reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v DisableRestrictedAdmin /d 0 /t REG_DWORD
• Note: the same value also turns on Restricted Admin mode on the target; which of the two a session uses is decided by the client (mstsc.exe /remoteGuard vs /restrictedAdmin).
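The target-side setting above applied to a list of jump targets with a readback, plus the matching client command, as an added example (not from the deck). It assumes PowerShell Remoting is reachable on the targets and that the caller is an administrator there; the host names are made up.

```powershell
# Added example (not from the deck). Assumptions: PowerShell Remoting to the targets,
# admin rights on them; the host names are constructed.
$targets = 'srv01.contoso.local', 'srv02.contoso.local'

$state = Invoke-Command -ComputerName $targets -ScriptBlock {
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    Set-ItemProperty -Path $lsa -Name DisableRestrictedAdmin -Value 0 -Type DWord
    [pscustomobject]@{
        Computer               = $env:COMPUTERNAME
        DisableRestrictedAdmin = (Get-ItemProperty -Path $lsa).DisableRestrictedAdmin   # 0 = on
        RdpEnabled             = (Get-ItemProperty -Path $ts).fDenyTSConnections -eq 0
        OS                     = (Get-CimInstance -ClassName Win32_OperatingSystem).Caption
    }
}
$state | Format-Table Computer, DisableRestrictedAdmin, RdpEnabled, OS -AutoSize

# Client side: /remoteGuard asks for Remote Credential Guard. The target never receives the
# password or an NT hash; it only gets Kerberos service tickets that the client obtains on
# its behalf, so a compromised target cannot reuse the admin's credentials elsewhere.
# The client's "Restrict delegation of credentials to remote servers" policy must not be
# set to "Require Restricted Admin", and both ends need Windows 10 / Server 2016.
mstsc.exe /remoteGuard /v:srv01.contoso.local
```

The readback matters because `DisableRestrictedAdmin` is often set to 1 by hardening baselines that predate Remote Credential Guard; a baseline re-applied by Group Policy would silently switch the protection back off, so the check belongs in the same compliance scan as the rest of the RDP settings.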
Device Guard
• Single-purpose machines
• No user exceptions
• VERY HARDCORE!!

Device Guard
• Device Guard has a number of prerequisites:
• Windows 10 64-bit (Enterprise, Enterprise LTSB and Education editions)
• Hyper-V and Configurable Code Integrity features enabled to provide Virtualization-Based Security (VBS)
• UEFI firmware with GUID Partition Table (GPT) disk and Secure Boot enabled
• Processor virtualization extensions (Intel VT-x / AMD-V)
• Second Level Address Translation (SLAT)
• Input-Output Memory Management Unit (IOMMU) (Intel VT-d / AMD-Vi)
• Trusted Platform Module (TPM) 1.2 or 2.0

Device Guard
• You will also need:
• A file share
• A code signing certificate
• Good run-through: https://www.1e.com/blogs/2016/05/03/device-guard-practice/
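A readiness check for the prerequisite list above, as an added example (not from the deck), followed by the registry values that the “Turn On Virtualization Based Security” policy writes for HVCI and Credential Guard. It assumes an elevated PowerShell 5.x session on Windows 10 / Server 2016; the code-to-name mappings are those of the `Win32_DeviceGuard` class and the function name is mine.

```powershell
# Added example (not from the deck). Assumptions: elevated PowerShell 5.x on
# Windows 10 / Server 2016. Test-VbsReadiness is a name chosen for this demo.
function Test-VbsReadiness {
    $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard

    # Code tables from the Win32_DeviceGuard class documentation.
    $props = @{ 1 = 'VBS'; 2 = 'SecureBoot'; 3 = 'DmaProtection'; 4 = 'SecureMemoryOverwrite'
                5 = 'UefiCodeReadOnly'; 6 = 'SmmMitigations'; 7 = 'ModeBasedExecutionControl' }
    $svcs  = @{ 1 = 'CredentialGuard'; 2 = 'HVCI' }
    $vbs   = @{ 0 = 'Not enabled'; 1 = 'Enabled, not running'; 2 = 'Running' }
    $ci    = @{ 0 = 'Off'; 1 = 'Audit'; 2 = 'Enforced' }

    [pscustomobject]@{
        SecureBoot          = $(try { Confirm-SecureBootUEFI } catch { $false })   # throws on legacy BIOS/CSM boot
        TpmPresent          = (Get-Tpm).TpmPresent
        AvailableFeatures   = ($dg.AvailableSecurityProperties | ForEach-Object { $props[[int]$_] }) -join ','
        RequiredFeatures    = ($dg.RequiredSecurityProperties  | ForEach-Object { $props[[int]$_] }) -join ','
        VbsStatus           = $vbs[[int]$dg.VirtualizationBasedSecurityStatus]
        ServicesConfigured  = ($dg.SecurityServicesConfigured | ForEach-Object { $svcs[[int]$_] }) -join ','
        ServicesRunning     = ($dg.SecurityServicesRunning    | ForEach-Object { $svcs[[int]$_] }) -join ','
        KernelCodeIntegrity = $ci[[int]$dg.CodeIntegrityPolicyEnforcementStatus]
    }
}

Test-VbsReadiness

# What the policy writes (reboot required). Afterwards re-run Test-VbsReadiness and compare
# ServicesRunning with ServicesConfigured: a missing prerequisite (no IOMMU, Secure Boot off,
# an incompatible driver for HVCI) leaves the service "configured" but never "running".
$dgKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
New-Item -Path "$dgKey\Scenarios\HypervisorEnforcedCodeIntegrity" -Force | Out-Null
Set-ItemProperty -Path $dgKey -Name EnableVirtualizationBasedSecurity -Value 1 -Type DWord
Set-ItemProperty -Path $dgKey -Name RequirePlatformSecurityFeatures  -Value 1 -Type DWord   # 1 = Secure Boot, 3 = Secure Boot + DMA protection
Set-ItemProperty -Path "$dgKey\Scenarios\HypervisorEnforcedCodeIntegrity" -Name Enabled -Value 1 -Type DWord
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name LsaCfgFlags -Value 1 -Type DWord   # 1 = Credential Guard with UEFI lock, 2 = without lock
```

The UEFI lock (`LsaCfgFlags = 1`, `RequirePlatformSecurityFeatures` with lock) is the setting that makes the slide's “VERY HARDCORE” remark literal: once locked, a remote attacker with admin rights cannot switch Credential Guard off by flipping the registry back, only a physically present person can, which is the intended property for the workstations the earlier Credential Guard slide wants it on.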
Signing
• 95% of malware is not signed – just something to think about
• AppLocker + PackageInspector.exe (Windows 10) is not a bad idea at all for some

Defender (and Firewall) on a Server

Firewall
• Set the log size to the maximum (32MB)
• Log dropped packets = YES
• Log successful connections = YES
• I don’t display a notification for normal end users
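The four firewall settings above as a script with a readback, and a parser for the resulting log, as an added example (not from the deck). It assumes an elevated PowerShell 5.x session with the NetSecurity module (Windows 8 / Server 2012 and later); 32767 KB is the largest value the log size accepts, which is the “max 32MB” on the slide, and the function name is mine.

```powershell
# Added example (not from the deck). Assumptions: elevated PowerShell 5.x, NetSecurity
# module present. Get-DroppedInbound is a name chosen for this demo.
$logSizeKb = 32767
$logFile   = '%systemroot%\system32\LogFiles\Firewall\pfirewall.log'   # the default location

Set-NetFirewallProfile -Profile Domain, Private, Public `
    -Enabled True `
    -DefaultInboundAction Block `
    -LogFileName $logFile `
    -LogMaxSizeKilobytes $logSizeKb `
    -LogBlocked True `
    -LogAllowed True `
    -NotifyOnListen False        # "don't display a notification" for end users

# Readback: run this in the compliance scan, a GPO or a product install can reset any of these.
Get-NetFirewallProfile |
    Select-Object Name, Enabled, DefaultInboundAction, LogMaxSizeKilobytes, LogBlocked, LogAllowed, NotifyOnListen

function Get-DroppedInbound {
    # The log is plain text with a fixed field order (see its "#Fields:" header):
    # date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack
    # tcpwin icmptype icmpcode info path
    param([string]$Path = [Environment]::ExpandEnvironmentVariables($logFile))
    Get-Content -Path $Path |
        Where-Object { $_ -and $_ -notmatch '^#' } |
        ForEach-Object {
            $f = $_ -split ' '
            [pscustomobject]@{
                Time = "$($f[0]) $($f[1])"; Action = $f[2]; Proto = $f[3]
                Src  = $f[4]; Dst = $f[5]; SrcPort = $f[6]; DstPort = $f[7]; Path = $f[-1]
            }
        } |
        Where-Object { $_.Action -eq 'DROP' -and $_.Path -eq 'RECEIVE' }
}

# Which ports are being knocked on, and from where: cheap reconnaissance detection on a server.
Get-DroppedInbound | Group-Object DstPort | Sort-Object Count -Descending | Select-Object -First 10 Count, Name
Get-DroppedInbound | Group-Object Src     | Sort-Object Count -Descending | Select-Object -First 10 Count, Name
```

Because the log wraps at the configured size, on a busy server 32MB of successful connections is minutes, not days, so the realistic setup is the two settings above plus a forwarder (Windows Event Forwarding of the Filtering Platform events, or an agent tailing `pfirewall.log`) into the central log; the local file is for the first look during incident response.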
  • 112. Windows Defender • By default, Windows Defender is installed and functional on Windows Server 2016 • The user interface is installed by default on some SKUs • You can manage Windows Defender by using WMI, Windows PowerShell, or by using Group Policy • https://technet.microsoft.com/en-us/windows-server- docs/security/windows-defender/windows-defender-overview- windows-server
• 113. Things to note about Defender • The only things that Defender can’t do: • Centralized Reporting • Centralized Management • Talk to the Firewall • We can say that the engine of Defender is just fine • 1% more malware found in tests currently means 3000 malware samples that were not detected → basically useless! • I choose by • The size of the wallet • Burden on the OS • Honestly: • If you have System Center, use SCEP • Take a look at ATP!
• 114. Advanced Threat Protection • Windows Defender Advanced Threat Protection (Windows Defender ATP) is a security service that enables enterprise customers to detect, investigate, and respond to advanced threats on their networks • Endpoint behavioral sensors • Cloud security analytics • Threat intelligence • Windows Defender ATP is available as part of Windows 10 Enterprise E5 and although its name is Windows Defender ATP it does not have to run with Windows Defender and works with other anti-malware solutions • Hard to get prices as they are through quotes, but a guesstimate: • the step-up price from E3 to E5 was €22.95 per user per year (this was for a university) • I call it centralized Sysmon + Knowledgepool
• 116. ATP Requirements • SKU • Windows 10 Enterprise • Windows 10 Education • Windows 10 Pro • Windows 10 Pro Education • Internet connectivity on endpoints is required • SENSE can utilize up to 5 MB daily
  • 117. Onboarding • Windows Defender ATP supports the following deployment tools and methods: • Group Policy • System Center Configuration Manager • Mobile Device Management (including Microsoft Intune) • Local script
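Whichever of the four deployment methods is used, onboarding either worked or it silently did not, and the portal only tells you about machines it has heard from. The following is an added PowerShell example (not from the slides or Microsoft's onboarding script) that checks the three things that have to be true on the endpoint: the onboarding state was written, the SENSE sensor service is running, and port 443 to the service is reachable. The gateway host name is one of the documented US endpoints of the time; substitute the list for your tenant's geography.

```powershell
# Added example (not from the slides): verify Windows Defender ATP onboarding on one endpoint.
# Run elevated.
function Test-AtpOnboarding {
    param([string]$Gateway = 'winatp-gw-cus.microsoft.com')   # one documented US gateway; use your geo's list

    # Written by the onboarding script / policy; 1 means the machine considers itself onboarded.
    $status = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status' -ErrorAction SilentlyContinue
    # The sensor itself. Missing entirely on builds/SKUs without the sensor.
    $svc    = Get-Service -Name Sense -ErrorAction SilentlyContinue
    # Plain TCP reachability; proxies and egress filters are the usual reason a sensor never reports.
    $net    = Test-NetConnection -ComputerName $Gateway -Port 443 -WarningAction SilentlyContinue
    # The sensor's own log; errors here explain most "onboarded but never seen" machines.
    $events = Get-WinEvent -LogName 'Microsoft-Windows-SENSE/Operational' -MaxEvents 5 -ErrorAction SilentlyContinue

    $findings = @()
    if (-not $status -or $status.OnboardingState -ne 1) { $findings += 'OnboardingState is not 1: onboarding package did not apply' }
    if (-not $svc)                               { $findings += 'Sense service not present' }
    elseif ($svc.Status -ne 'Running')           { $findings += "Sense service is $($svc.Status)" }
    elseif ($svc.StartType -ne 'Automatic')      { $findings += "Sense start type is $($svc.StartType), expected Automatic" }
    if (-not $net.TcpTestSucceeded)              { $findings += "No TCP/443 to $Gateway (proxy or egress filtering?)" }

    [pscustomobject]@{
        Computer         = $env:COMPUTERNAME
        Onboarded        = ($findings.Count -eq 0)
        Findings         = $findings
        RecentSenseEvents = $events | Select-Object TimeCreated, Id, LevelDisplayName, Message
    }
}

Test-AtpOnboarding
```

The "up to 5 MB daily" on slide 116 matters here: a TCP/443 success says nothing about an authenticating proxy or SSL inspection in the path, so if the registry and service look right but the device never shows up in the portal, the SENSE operational log is the next place to look.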
  • 122. And gets better… • Upcoming enhancements to Windows Defender ATP will take its capabilities one step further by enabling network isolation of compromised machines. The update will also provide an option to quarantine and prevent subsequent execution of files
• 123. Data and Identity Protection on Server 2016
  • 125. Windows Information Protection (WIP) • With the increase of employee-owned devices in the enterprise, there’s also an increasing risk of accidental data leak through apps and services • With WIP Windows now includes the functionality necessary to identify personal and business information, determine which apps have access to it, and provide the basic controls necessary to determine what users are able to do with business data (e.g.: Copy and Paste restrictions). • Available on Pro SKU and up on Workstations
  • 126. WIP • Can work in different modes • Block • Override • Silent • Off • Knows about Corporate vs Personal data by • Network boundaries • Save As –dialog • Settings for Office365 Outlook etc.
• 129. Privileged access management • Privileged access management (PAM) helps mitigate security concerns for Active Directory environments that are caused by credential theft techniques such as pass-the-hash, spear phishing, and similar types of attacks • It provides a new administrative access solution that is configured by using Microsoft Identity Manager (MIM) • Requirements • Microsoft Identity Manager • Active Directory forest functional level of Windows Server 2012 R2 or higher
• 130. Bastion Forest • A new bastion Active Directory forest, which is provisioned by MIM • The bastion forest has a special PAM trust with an existing forest • It provides • a new Active Directory environment that is known to be free of any malicious activity • isolation from an existing forest for the use of privileged accounts
• 131. New Features • New processes in MIM to request administrative privileges, along with new workflows based on the approval of requests • New shadow security principals (groups) that are provisioned in the bastion forest by MIM in response to administrative privilege requests • The shadow security principals have an attribute that references the SID of an administrative group in an existing forest • This allows the shadow group to access resources in an existing forest without changing any access control lists (ACLs) • An expiring links feature • enables time-bound membership in a shadow group • A user can be added to the group for just enough time required to perform an administrative task • The time-bound membership is expressed by a time-to-live (TTL) value that is propagated to a Kerberos ticket lifetime
• 132. New Features • KDC enhancements are built in to Active Directory domain controllers to restrict Kerberos ticket lifetime to the lowest possible time-to-live (TTL) value in cases where a user has multiple time-bound memberships in administrative groups • For example, if you are added to a time-bound group A, then when you log on, the Kerberos ticket-granting ticket (TGT) lifetime is equal to the time you have remaining in group A. If you are also a member of another time-bound group B, which has a lower TTL than group A, then the TGT lifetime is equal to the time you have remaining in group B. • New monitoring capabilities to help you easily identify who requested access, what access was granted, and what activities were performed.
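The expiring-links mechanism on slides 131 and 132 is an Active Directory feature that MIM drives; it can be exercised directly with the ActiveDirectory module, which is the quickest way to see the TTL and the ticket-lifetime behaviour for yourself. The following is an added PowerShell example (not from the slides) that enables the optional feature, grants a one-hour membership and reads the remaining TTL back. Group and user names are placeholders; it needs a Windows Server 2016 domain controller or RSAT and forest functional level 2012 R2 or higher.

```powershell
# Added example (not from the slides): time-bound group membership with expiring links.
# Run as an Enterprise Admin for the feature enablement step, then as a group owner.
Import-Module ActiveDirectory

# The feature is forest-wide and, once enabled, cannot be turned off again.
$forest  = (Get-ADForest).RootDomain
$feature = Get-ADOptionalFeature -Filter "Name -eq 'Privileged Access Management Feature'"
if (-not $feature.EnabledScopes) {
    Enable-ADOptionalFeature -Identity 'Privileged Access Management Feature' `
                             -Scope ForestOrConfigurationSet -Target $forest
}

# Grant membership for one hour. AD stores a TTL on the link and removes it when it expires;
# nothing has to come back later and clean up.
Add-ADGroupMember -Identity 'Tier0-DNSAdmins' -Members 'jdoe' `
                  -MemberTimeToLive (New-TimeSpan -Hours 1)    # placeholders

# Read the remaining TTL per member. Timed links are returned as '<TTL=3599>,CN=...'.
function Get-TimedMembers {
    param([string]$Group)
    (Get-ADGroup -Identity $Group -Property member -ShowMemberTimeToLive).member |
        ForEach-Object {
            if ($_ -match '^<TTL=(\d+)>,?(.+)$') {
                [pscustomobject]@{ Member = $Matches[2]; SecondsLeft = [int]$Matches[1] }
            } else {
                [pscustomobject]@{ Member = $_;          SecondsLeft = $null }   # permanent member
            }
        }
}

Get-TimedMembers -Group 'Tier0-DNSAdmins'
```

The KDC applies the TTL when it issues a TGT, so a user who already holds a ticket keeps its original lifetime until it is renewed; have the user log on (or purge tickets) after the grant, and expect the TGT lifetime to be the smallest remaining TTL across all of their timed memberships, exactly as slide 132 describes. Permanent members show no TTL in the output, which is a convenient way to spot standing privilege that should have been converted to just-in-time access.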
• 133. MS Goals • [Diagram: Traditional Applications (Physical and Virtual) → Cloud Applications; Cloud Host (Azure, Azure Stack, SDDC); Sustaining Success → New Growth; Guest Business / Host Business]
• 134. Server as a Service • “Server as a Service” • LTSB ~ Oct 2019 • Insider and TAP earlier • Server RS3 2017 pilot, in sync with Windows 10 1709 • 3-4 months to “Broad” • Support 18 months • Monthly cumulative updates like now
• 136. Server RS3 investments • Encrypted Networks • Fabric ACLs • SDN validation tool • SDN gateway improvements • Faster failover • Measuring outbound bandwidth • Guest support for RDMA • Container networks • Compatibility in all directions • TCP Fast Open (TFO) • LEDBAT++ • Time • Currently 5-minute clock skew allowed • Target 1 ms, to meet EU regulations • NIC timestamping • 0.1 ms target on higher levels
  • 137. Windows Server v1709 Core Improvements
• 139. General Security Recommendations • Least Privilege • Whitelisting • BitLocker • LAPS • Stop re-using passwords, MFA
  • 140. Contact • [email protected] • Twitter: @samilaiho • Blog: http://blog.win-fu.com/ • Free newsletter: http://eepurl.com/F-GOj • Websites: • www.adminize.com • www.win-fu.com • www.wioski.com • www.samilaiho.com • Video-based training: • http://www.pluralsight.com/ • Email me to get free access!! • http://dojo.win-fu.com/