Slide 1
How to use this presentation
Length
60 Min – can be customized based on presenter preference or industry vertical
Key Message
Security continues to be rated as a top priority for IT. This is no surprise as major companies and government agencies are publicly criticized for being hacked and failing to protect themselves and their customer and employee personal information.
At the same time, attackers are using readily available tools to infiltrate large organizations and remain undetected for a long period of time while conducting exfiltration of secrets or attacking the infrastructure and making ransom demands.
Windows Server 2016 delivers new layers of protection that help address these emerging threats so that the server becomes an active component in your security defenses. These security protections were built with the mindset of how we deal with the overall threat of ongoing attacks inside the datacenter environment and range from threat resistance and enhanced detection to managing privileged identity and protecting virtual machines from a potentially compromised virtualization fabric.
Target Audience
IT Pro, ITDM, CSO
Demos
No demos provided. Potential videos that can be used to demonstrate concepts are:
Credential Guard and Remote Guard
https://www.youtube.com/watch?v=eUpKOGSl7yk
Device Guard
https://www.youtube.com/watch?v=F-pTkesjkhI
Just Enough and Just in Time Administration
https://www.youtube.com/watch?v=xnBrbkY9P20
Shielded Virtual Machines
https://www.youtube.com/watch?v=fjLYOHZvcKc
Preparation Resources
MSDN: https://channel9.msdn.com/Blogs/windowsserver/Security
Microsoft MVA: https://mva.microsoft.com/en-US/training-courses/whats-new-in-windows-server-2016-16457?l=VQZhK7sXC_9206218965
Slide 2
Better security starts at the OS with Windows Server 2016
Name
Title

Slide 3
Security is a top priority for IT
Increasing incidents
Multiple motivations
Bigger risk
Slide 4
Evolution of attacks
Mischief: Script kiddies; unsophisticated
Fraud and theft: Organized crime; more sophisticated
Damage and disruption: Nations, terror groups, activists; very sophisticated and well resourced
Slide 5
Cyber threats are a material risk to your business
$3.0 Trillion: impact of lost productivity and growth
$4 Million: average cost of a data breach (15% YoY increase)
$500 Million: corporate liability coverage
"Cyber security is a CEO issue." - McKinsey
Source: McKinsey, Ponemon Institute, Verizon
Slide 6
Attacks ruin reputations
Before: Respected
After: Exposed

Slide 7
Attacks devastate budgets
Before: Customers buy
After: You pay up

Slide 8
Attacks on organizations hurt productivity
Before: Digital collaboration
After: Back to fax

Slide 9
Attacks hinder external communication
Before: Trusted adviser
After: Outsider

Slide 10
Attacks affect the IT security team
Before: Focused
After: Overwhelmed

Slide 11
Attacks wreck internal communication
Before: Transparency
After: Need to know

Slide 12
Attacks affect intellectual property
Before: Confident
After: Vulnerable
Slide 13
Attack timeline
Research and preparation
First host compromised
24–48 hours: Domain admin compromised
Attacker undetected (data exfiltration)
More than 200 days (varies by industry): Attack discovered
Attackers find any weakness, target information on any device or service
Attackers often target AD and IT admins to gain access to business assets
You may be under attack (or compromised) and unaware
Slide 14
Anatomy of an attack (across user, device and network)
Enter: Phishing attacks; Malicious attachment delivery; Browser or doc exploit delivery
Establish: Malicious attachment execution; Browser or doc exploit execution; Stolen credential use; Internet service compromise
Expand: Kernel-mode malware; Kernel exploits; Pass-the-Hash
Endgame: Espionage, loss of IP; Data theft; Ransom; Lost productivity; Business disruption
Slide 15
Different attack vectors
Attack the applications and infrastructure:
Compromised privileged accounts
Unpatched vulnerabilities
Phishing attacks
Malware infections
Attack the virtualization fabric:
Compromised fabric exposes guest VMs
Easy to modify or copy a VM without notice
Can't protect a VM with gates, walls, locks, etc.
VMs can't leverage hardware security (e.g., TPM)
Slide 16
Windows Server 2016: Layers of security
Help protect applications and data in any cloud (Hyper-V, Azure, other clouds, other hypervisors)
Address emerging attack vectors
Detect faster with Log Analytics integration

Slide 17
Help protect credentials and privileged access
Slide 18
Challenges in protecting credentials
[Figure: capability versus time for users Ben, Mary and Jake; a typical administrator holds Admin or Domain admin rights for unlimited time]
Social engineering leads to credential theft.
Most attacks involve gathering credentials (Pass-the-Hash attacks).
Administrative credentials typically provide unnecessary extra rights for unlimited time.
Slide 19
Helping protect privileged credentials
[Figure: the same capability versus time chart (Ben, Mary, Jake; Admin, Domain admin); with Just Enough and Just in Time administration each user gets only the capability and time needed]
Credential Guard: Prevents Pass-the-Hash and Pass-the-Ticket attacks by protecting stored credentials through virtualization-based security.
Remote Credential Guard: Works in conjunction with Credential Guard for RDP sessions to deliver Single Sign-On (SSO), eliminating the need to pass credentials to the RDP host.
Just Enough Administration: Limits administrative privileges to the bare-minimum required set of actions (limited in space).
Just-in-Time Administration: Provides privileged access through a workflow that is audited and limited in time.
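As an added example that is not part of the deck, the PowerShell below builds a Just Enough Administration endpoint of the kind described above: a role capability that exposes only a status check and a restart of the DNS service, bound to a session configuration that runs under a transient virtual account and transcribes every session. The DnsOpsJea module name, the DnsOps endpoint name, the CONTOSO\DnsOperators group, the CONTOSO\alice account and the transcript directory are assumed values.

```powershell
# Added example, not from the deck. A JEA endpoint that lets members of an assumed
# AD group inspect and restart only the DNS service. Names and paths are assumptions.

# Role capability files are discovered from a RoleCapabilities folder inside a module
# on $env:PSModulePath, so create a minimal module to hold it.
$modulePath = Join-Path $env:ProgramFiles 'WindowsPowerShell\Modules\DnsOpsJea'
$rcPath     = Join-Path $modulePath 'RoleCapabilities'
New-Item -ItemType Directory -Path $rcPath -Force | Out-Null
New-ModuleManifest -Path (Join-Path $modulePath 'DnsOpsJea.psd1') `
    -Description 'JEA role capabilities for DNS operators (assumed example module)'

# "Limited in space": only these two cmdlets are visible, and their -Name parameter is
# pinned to DNS, so an operator cannot restart or even enumerate any other service.
$visibleCmdlets = @(
    @{ Name = 'Get-Service';     Parameters = @{ Name = 'Name'; ValidateSet = 'DNS' } }
    @{ Name = 'Restart-Service'; Parameters = @{ Name = 'Name'; ValidateSet = 'DNS' } }
)
New-PSRoleCapabilityFile -Path (Join-Path $rcPath 'DnsOps.psrc') -VisibleCmdlets $visibleCmdlets

# Session configuration: a restricted endpoint (NoLanguage mode) that runs as a transient
# local virtual account, so no standing admin credential is exposed to the connecting user,
# with every session transcribed for audit.
$transcripts = 'C:\ProgramData\JeaTranscripts'
New-Item -ItemType Directory -Path $transcripts -Force | Out-Null
$sessionConfig = Join-Path $modulePath 'DnsOps.pssc'
New-PSSessionConfigurationFile -Path $sessionConfig `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory $transcripts `
    -RoleDefinitions @{ 'CONTOSO\DnsOperators' = @{ RoleCapabilities = 'DnsOps' } }

# Validate the file before registering it; a malformed .pssc fails here, not at connect time.
if (-not (Test-PSSessionConfigurationFile -Path $sessionConfig)) {
    throw "Invalid session configuration file: $sessionConfig"
}
Register-PSSessionConfiguration -Name 'DnsOps' -Path $sessionConfig -Force | Out-Null

# Check what a given operator would actually be able to run through the endpoint.
Get-PSSessionCapability -ConfigurationName 'DnsOps' -Username 'CONTOSO\alice' |
    Select-Object Name, CommandType
```

Operators then connect with Enter-PSSession -ComputerName <server> -ConfigurationName DnsOps and see only the two permitted cmdlets plus the JEA default command set.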
Slide 20
Help protect Active Directory, admin privileges
Roadmap phases: 2-4 weeks (this slide), 1-3 months, 6+ months
First response to the most frequently used attack techniques.
1. Separate admin account for admin tasks
2. Privileged Access Workstations (PAWs), Phase 1 – Active Directory admins: http://Aka.ms/CyberPAW
3. Unique local admin passwords for workstations: http://Aka.ms/LAPS
4. Unique local admin passwords for servers: http://Aka.ms/LAPS
Scope: Active Directory and Azure Active Directory
Slide 21
Help protect Active Directory, admin privileges
Roadmap phases: 2-4 weeks, 1-3 months (this slide), 6+ months
Build visibility and control of administrator activity, increase protection against typical follow-up attacks.
1. Privileged Access Workstations (PAWs), Phases 2 and 3 – all admins and additional hardening (Credential Guard, RDP Restricted Admin, etc.): http://aka.ms/CyberPAW
2. Time-bound privileges (no permanent admins): http://aka.ms/PAM; http://aka.ms/AzurePIM
3. Multi-factor for elevation
4. Just Enough Admin (JEA) for DC maintenance: http://aka.ms/JEA
5. Lower attack surface of domain and DCs: http://aka.ms/HardenAD
6. Attack detection: http://aka.ms/ata
Scope: Active Directory and Azure Active Directory
Slide 22
Help protect Active Directory, admin privileges (http://aka.ms/privsec)
Roadmap phases: 2-4 weeks, 1-3 months, 6+ months (this slide)
Build visibility and control of administrator activity, increase protection against typical follow-up attacks.
1. Modernize roles and delegation model
2. Privileged Access Workstations (PAWs), Phases 2 and 3 – all admins and additional hardening (Credential Guard, RDP Restricted Admin, etc.): http://aka.ms/CyberPAW
3. Admin forest for Active Directory administrators: http://aka.ms/ESAE
4. Device Guard policy for DCs (Server 2016)
5. Shielded VMs for virtual DCs (Server 2016 Hyper-V fabric): http://aka.ms/shieldedvms
Scope: Active Directory and Azure Active Directory
Slide 23
Help protect applications and data in any cloud

Slide 24
Challenges protecting the OS and applications
New exploits can attack the OS boot path all the way up through application operations.
Known and unknown threats need to be blocked without impacting legitimate workloads.
Slide 25
Helping protect OS and applications
Device Guard: Ensures that only permitted binaries can be executed from the moment the OS is booted.
Windows Defender: Actively protects from known malware without impacting workloads.
Control Flow Guard: Protects against unknown vulnerabilities by helping prevent memory corruption attacks.

Slide 26
Respond more intelligently with log analytics integration

Slide 27
Challenges turning log files into operational insights
In order to better detect threats, the OS needs to provide additional auditing information.
Security Information and Event Management (SIEM) systems are only as intelligent as the information provided by the OS.
Slide 28
Improved detection
Enhanced logs: Log new audit events to better detect malicious behavior by providing more detailed information to security operations centers.
Integration with systems management: Operations Management Suite (OMS) and other SIEM systems can take advantage of this information to provide intelligence reports on potential breaches in the datacenter environment.

Slide 29
Help protect the virtualization fabric
Slide 30
Challenges protecting virtual machines
[Figure: a customer's guest VM running on a fabric made up of hypervisor, host OS and storage; caption "Healthy host?"]
Any compromised or malicious fabric administrators can access guest virtual machines.
Health of hosts is not taken into account before running VMs.
Tenants' VMs are exposed to storage and network attacks.
Virtual machines can't take advantage of hardware-rooted security capabilities such as TPMs.
Slide 31
Helping protect virtual machines
Shielded Virtual Machines: Use BitLocker to encrypt the disk and state of virtual machines, protecting secrets from compromised admins and malware.
Host Guardian Service: Attests to host health, releasing the keys required to boot or migrate a Shielded VM only to healthy hosts.
Generation 2 VMs: Support virtualized equivalents of hardware security technologies (e.g., TPMs), enabling BitLocker encryption for Shielded Virtual Machines.
[Figure: access matrix comparing a physical machine (inside a building perimeter and computer room), an ordinary Hyper-V virtual machine and a shielded virtual machine against the server administrator*, storage administrator, network administrator, backup operator and virtualization-host administrator. Legend: should have access and does; should not have access and doesn't; should not have access but does. *Configuration dependent.]
Slide 32
Shielded Virtual Machines: works with Host Guardian Service
[Figure: a cloud/datacenter with a fabric controller and Hyper-V hosts 1-3 (hypervisor, host OS, guest VMs); a host asks the Host Guardian Service's Key Protection service: "Please sir, may I have some keys?"]
Slide 33
Shielded Virtual Machines: works with Host Guardian Service
[Figure: the same cloud/datacenter; the Host Guardian Service (Key Protection) answers: "Sure, I know you and you look healthy"]
Key release criteria (TPM mode):
Known physical machines
Trusted Hyper-V instance
CI-compliant configuration
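The three TPM-mode criteria above correspond to three artifacts a fabric operator captures on each host and registers with HGS. As an added example, not from the deck, the PowerShell below captures them on a Hyper-V host, registers them on the HGS server, and then checks that the host attests as healthy; the host name HV01, the C:\HgsCapture path, the policy names and the HGS URLs are assumptions, and each section is run on the machine its comment names.

```powershell
# Added example, not from the deck. Assumed: host HV01 with UEFI and TPM 2.0, files under
# C:\HgsCapture, policy names, and the HGS service URLs. HGS is assumed to run in TPM mode.

# --- On the Hyper-V host: capture one piece of evidence per key-release criterion ---
$out = 'C:\HgsCapture'
New-Item -ItemType Directory -Path $out -Force | Out-Null

# Criterion 1, known physical machine: the TPM endorsement key identifies this hardware.
(Get-PlatformIdentifier -Name 'HV01').InnerXml |
    Out-File -FilePath (Join-Path $out 'HV01.xml') -Encoding UTF8

# Criterion 2, trusted Hyper-V instance: the measured-boot (TCG) log of a known-good host
# becomes the hardware/firmware baseline that every host of this model must match.
Get-HgsAttestationBaselinePolicy -Path (Join-Path $out 'HW1-Baseline.tcglog') -SkipValidation

# Criterion 3, CI-compliant configuration: a code integrity policy describing what the
# host is allowed to execute, converted to the binary form HGS consumes.
New-CIPolicy -Level Publisher -Fallback Hash -UserPEs -FilePath (Join-Path $out 'HW1-CI.xml')
ConvertFrom-CIPolicy -XmlFilePath (Join-Path $out 'HW1-CI.xml') `
                     -BinaryFilePath (Join-Path $out 'HW1-CI.p7b')

# --- On the HGS server: register the captured evidence (files copied here, assumed path) ---
$in = 'C:\HgsCapture'
Add-HgsAttestationTpmHost   -Path (Join-Path $in 'HV01.xml')            -Name 'HV01'
Add-HgsAttestationTpmPolicy -Path (Join-Path $in 'HW1-Baseline.tcglog') -Name 'HW1-Baseline'
Add-HgsAttestationCIPolicy  -Path (Join-Path $in 'HW1-CI.p7b')          -Name 'HW1-CI'

# --- Back on the host: point it at HGS and confirm it attests as healthy ---
Set-HgsClientConfiguration -AttestationServerUrl   'http://hgs.contoso.example/Attestation' `
                           -KeyProtectionServerUrl 'http://hgs.contoso.example/KeyProtection'
# AttestationStatus should read Passed; if not, AttestationSubstatus names the failed criterion.
Get-HgsClientConfiguration
```

A host whose firmware, boot configuration or code integrity policy drifts from the registered baseline fails attestation and is refused the keys, so a shielded VM cannot be started or migrated onto it.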
Slide 34
"Shielded Virtual Machines remove a hosting obstacle and are a huge competitive differentiator. No one but Microsoft has this technology now."
Philip Moss, Chief Product Officer, Acuutech

Slide 35
Protect with just enough OS
Slide 36
Challenges in protecting new apps
Developers are increasingly adopting packaging and deployment tools such as containers.
Containers share the same kernel, which limits isolation and exposes compliance and regulatory risks.
Reduce the risk by providing only the components required by the application to run.
[Figure: VMs on shared hardware (hypervisor isolation) versus containers on a shared kernel (user-mode isolation)]
Slide 37
Windows Server 2016 approach
Hyper-V containers: Provide hypervisor isolation for each container with no additional coding requirements. Helps align with regulatory requirements for PCI and PII data.
Nano Server: Reduce the attack surface by deploying a minimal "just enough" server footprint.
[Figure: VMs on shared hardware (hypervisor isolation) versus Hyper-V containers on a shared platform (hypervisor isolation)]

Slide 38
Windows Server 2016 security summary
Slide 39
Windows Server 2016 security summary
Virtualization fabric
  Protecting virtual machines: Shielded VMs (Server 2012, 2016 guests); Virtual TPM for Generation 2 VMs; Guarded fabric attesting to host health; Secure boot for Windows and Linux
  Hyper-V platform: Nano-based Hyper-V host; Virtualization-based security; Distributed networking firewall
  Secure containers: Hyper-V containers; Containers hosted in a Shielded VM
Infrastructure and applications
  Privileged identity: Credential Guard; Remote Credential Guard; Just In Time administration; Just Enough administration
  Threat resistance: Control Flow Guard; Device Guard; Built-in anti-malware
  Threat detection: Enhanced threat detection
Slide 40
Next steps
Download Windows Server 2016 today! www.microsoft.com/WindowsServer2016
Visit the Datacenter & Private Cloud Security Blog: blogs.technet.microsoft.com/datacentersecurity/
Move to a secure virtualization infrastructure: http://www.microsoft.com/vmwareshift

Slide 42
Appendix
Slide 43
Breaches cost a lot of money (average $4M based on Ponemon Institute)
Before: Customers pay for your services.
After: You pay customers compensation to keep them using your services.
Productivity
Before: Employees efficiently perform work activities.
After: Employees waste hours a day using manual processes.
Overspending reflex
Before: Appropriately sized and dedicated IT security team.
After: IT security team exponentially increases in size and remediation efforts require new and expensive products.
Slide 44
Industry reputation
Before: Industry credibility, positive reputation, customer confidence. Corporate secrets are secret.
After: Loss of credibility, embarrassing information exposed, customers lose faith. Corporate secrets are public knowledge; potential loss of competitive advantage.
Ransomware
Before: HBI/MBI assets available for day-to-day business operations.
After: Assets encrypted and key business IT services rendered useless.
Customer trust
Before: Customers happy to trust you with their personal information.
After: Customers reluctant to share information with you.
Slide 45
How better security starts at the OS
Enterprises need to: Protect admin credentials
  Example threat: A Pass-the-Hash attack provides an attacker with admin credentials on a hospital network, which the attacker uses to access confidential patient data.
  Windows Server 2016 helps: Just Enough Administration; Just-in-Time Administration; Credential Guard; Remote Credential Guard for Remote Desktop Protocol (RDP) sessions
Enterprises need to: Protect servers, detect threats and respond in time
  Example threat: Ransomware on university servers locks users away from critical student and research data until a ransom is paid to the attacker.
  Windows Server 2016 helps: Device Guard; Control Flow Guard; Windows Defender
Enterprises need to: (row heading not captured in the extracted slide)
  Example threat: A line-of-business application developer downloads code from the public internet to integrate into her application. The downloaded code includes malware that can track activity in other containers through the shared kernel.
  Windows Server 2016 helps: Hyper-V containers; Nano Server
Enterprises need to: Quickly identify malicious behavior
  Example threat: Malware tries to access the credential manager on a Windows server to gain access to user credentials.
  Windows Server 2016 helps: Enhanced Logging; Microsoft Operations Management Suite Log Analytics
Enterprises need to: Virtualize without compromising security
  Example threat: Attacker compromises fabric admin credentials at a bank, giving him access to virtualized Active Directory Domain Controllers and SQL databases where client account information is stored.
  Windows Server 2016 helps: Shielded Virtual Machines; BitLocker; Host Guardian Service
Slide 46
Alignment with regulatory compliance
Windows Server 2016 can now directly help address certification requirements. It helps you more easily comply with government and industry regulations for protecting data, such as HIPAA, SOX, ISO 27001, PCI, and FedRAMP.
PCI DSS 3.1:
  3.4 – Verifying stored PAN is unreadable
  3.4.1 – Disk encryption usage and access control
  6.4.1 – Test and production environment separation
  6.4.2 – Separation of duties between test and production environments
  6.5.3 – Insecure cryptographic storage
  7.1 – System components and cardholder data access restricted to job-based needs
  7.1.2 – User ID access based on least privileges
  7.1.3 – Assigning access to job function and classification
  7.1.4 – Documented approval of access privileges
  7.2.2 – Assigning privileges to job function and classification
  7.2.3 – Default "deny-all" setting
  8.7 – Restricted access to databases containing cardholder data
  10.2.2 – Logging actions by individuals with root privileges
  10.2.5 – User changes logging
  11.5 – Change-detection mechanism deployment
  12.5.4 – Administer user accounts
  12.5.5 – Monitor and control all access to data
ISO 27001:2013:
  A.6.1.2 – Segregation of duties
  A.8.2.3 – Media access
  A.9.1 – Business requirement of access control
  A.9.1.2 – Access to networks and network services
  A.9.2.2 – User access provisioning
  A.9.2.3 – Management of privileged access rights
  A.9.4.1 – Information access restriction
  A.9.4.5 – Access control to program source code
  A.12.1.4 – Separation of development, testing, and operational environments
  A.12.4.1 – Event logging
  A.12.4.3 – Administrator and operator logs
FedRAMP (NIST 800-53 Revision 4):
  AC-2 – Account Management
  AC-2 (4) – Automated Audit Actions
  AC-2 (12) – Account Monitoring
  AC-3 – Access Enforcement
  AC-5 – Separation of Duties
  AC-6 – Least Privilege
  AC-6 (1) – Authorize Access to Security Functions
  AC-6 (2) – Non-Privileged Access for Non-Security Functions
  AC-6 (5) – Privileged Accounts
  AC-6 (9) – Auditing Use of Privileged Functions
  AC-6 (10) – Prohibit Non-Privileged Users from Executing Privileged Functions
  AU-2 – Audit Events
  AU-9 (4) – Audit Access by Subset of Privileged Users
  AU-12 – Audit Generation
  CM-5 – Access Restrictions for Change
  CM-5 (1) – Automated Access Enforcement
  CM-5 (5) – Limit Production / Operational Privileges
  SC-2 – Application Partitioning
  SC-4 – Information in Shared Resources
  SC-28 – Protection of Information at Rest
  SC-28 (1) – Protection of Information at Rest
  SI-6 – Security Function Verification
  SI-7 – Software, Firmware, and Information Integrity
Slide 47
Just-in-Time Administration compliance mapping
JIT security and compliance capability: Controlling logical access privileges and implementing least privilege access
  ISO 27001:2013: A.9.1 – Business requirement of access control; A.9.1.2 – Access to networks and network services; A.9.2.2 – User access provisioning; A.9.2.3 – Management of privileged access rights; A.9.4.1 – Information access restriction; A.9.4.5 – Access control to program source code
  PCI DSS 3.1: 7.1 – System components and cardholder data access restricted to job-based needs; 7.1.2 – User ID access based on least privileges; 7.1.3 – Assigning access to job function and classification; 7.1.4 – Documented approval of access privileges; 7.2.2 – Assigning privileges to job function and classification; 7.2.3 – Default "deny-all" setting; 12.5.4 – Administer user accounts; 12.5.5 – Monitor and control all access to data
  FedRAMP; NIST 800-53 Revision 4: AC-2 – Account Management; AC-3 – Access Enforcement; AC-6 – Least Privilege; AC-6 (1) – Authorize Access to Security Functions; AC-6 (2) – Non-Privileged Access for Non-Security Functions; AC-6 (5) – Privileged Accounts; AU-9 (4) – Audit Access by Subset of Privileged Users; CM-5 – Access Restrictions for Change; CM-5 (1) – Automated Access Enforcement; CM-5 (5) – Limit Production / Operational Privileges
JIT security and compliance capability: Access logging / monitoring / auditing
  ISO 27001:2013: A.12.4.1 – Event logging; A.12.4.3 – Administrator and operator logs
  PCI DSS 3.1: 10.2.2 – Logging actions by individuals with root privileges; 10.2.5 – User changes logging
  FedRAMP; NIST 800-53 Revision 4: AC-2 – Account Management; AC-2 (4) – Automated Audit Actions; AC-2 (12) – Account Monitoring; AC-6 (9) – Auditing Use of Privileged Functions; AU-2 – Audit Events; AU-12 – Audit Generation; CM-5 (1) – Automated Access Enforcement
Slide 48
Hyper-V Shielded VM compliance mapping
Hyper-V Shielded VM security and compliance capability: Enforcing separation of duties
  ISO 27001:2013: A.6.1.2 – Segregation of duties
  PCI DSS 3.1: 6.4.2 – Separation of duties between test and production environments
  FedRAMP; NIST 800-53 Revision 4: AC-5 – Separation of Duties
Hyper-V Shielded VM security and compliance capability: Implementation of least privilege access and partitioning tenant functionality
  ISO 27001:2013: A.9.2.3 – Management of privileged access rights; A.12.1.4 – Separation of development, testing, and operational environments
  PCI DSS 3.1: 6.4.1 – Test and production environment separation; 7.2 – User access control on need-to-know basis; 7.2.3 – Default "deny-all" setting
  FedRAMP; NIST 800-53 Revision 4: AC-6 – Least Privilege; AC-6 (10) – Prohibit Non-Privileged Users from Executing Privileged Functions; SC-2 – Application Partitioning
Hyper-V Shielded VM security and compliance capability: Protecting information stored in shared resources
  ISO 27001:2013: None
  PCI DSS 3.1: 8.7 – Restricted access to databases containing cardholder data
  FedRAMP; NIST 800-53 Revision 4: SC-4 – Information in Shared Resources
Hyper-V Shielded VM security and compliance capability: Protection of data at rest
  ISO 27001:2013: A.8.2.3 – Media access
  PCI DSS 3.1: 3.4 – Verifying stored PAN is unreadable; 3.4.1 – Disk encryption usage and access control; 6.5.3 – Insecure cryptographic storage
  FedRAMP; NIST 800-53 Revision 4: SC-28 – Protection of Information at Rest; SC-28 (1) – Protection of Information at Rest
Hyper-V Shielded VM security and compliance capability: Security function verification and integrity monitoring
  ISO 27001:2013: None
  PCI DSS 3.1: 11.5 – Change-detection mechanism deployment
  FedRAMP; NIST 800-53 Revision 4: SI-6 – Security Function Verification; SI-7 – Software, Firmware, and Information Integrity