How to use this presentation - PowerPoint Presentation

Uploaded by stefany-barnette
Uploaded On 2018-03-20


Presentation Transcript

Slide 1

How to use this presentation

Length: 60 Min – can be customized based on presenter preference or industry vertical

Key Message

Security continues to be rated as a top priority for IT. This is no surprise as major companies and government agencies are publicly criticized for being hacked and failing to protect themselves and their customer and employee personal information.

At the same time, attackers are using readily available tools to infiltrate large organizations and remain undetected for a long period of time while conducting exfiltration of secrets or attacking the infrastructure and making ransom demands.

Windows Server 2016 delivers new layers of protection that help address these emerging threats so that the server becomes an active component in your security defenses. These security protections were built with the mindset of how we deal with the overall threat of ongoing attacks inside the datacenter environment and range from threat resistance and enhanced detection to managing privileged identity and protecting virtual machines from a potentially compromised virtualization fabric.

Target Audience: IT Pro, ITDM, CSO

Demos

No demos provided. Potential videos that can be used to demonstrate concepts are:
Credential Guard and Remote Guard: https://www.youtube.com/watch?v=eUpKOGSl7yk
Device Guard: https://www.youtube.com/watch?v=F-pTkesjkhI
Just Enough and Just in Time Administration: https://www.youtube.com/watch?v=xnBrbkY9P20
Shielded Virtual Machines: https://www.youtube.com/watch?v=fjLYOHZvcKc

Preparation Resources

MSDN: https://channel9.msdn.com/Blogs/windowsserver/Security
Microsoft MVA: https://mva.microsoft.com/en-US/training-courses/whats-new-in-windows-server-2016-16457?l=VQZhK7sXC_9206218965

Slide 2

Better security starts at the OS with Windows Server 2016

Name
Title

Slide 3

Security is a top priority for IT

Increasing incidents
Multiple motivations
Bigger risk

Slide 4

Evolution of attacks

Mischief: Script Kiddies (unsophisticated)
Fraud and theft: Organized Crime (more sophisticated)
Damage and disruption: Nations, Terror Groups, Activists (very sophisticated and well resourced)

Slide 5

Cyber threats are a material risk to your business

$3.0 Trillion: impact of lost productivity and growth
$4 Million: average cost of a data breach (15% YoY increase)
$500 Million: corporate liability coverage

“Cyber security is a CEO issue.” – McKinsey

Source: McKinsey, Ponemon Institute, Verizon

Slide 6

Attacks ruin reputations
Before: Respected
After: Exposed

Slide 7

Attacks devastate budgets
Before: Customers buy
After: You pay up

Slide 8

Attacks on organizations hurt productivity
Before: Digital collaboration
After: Back to fax

Slide 9

Attacks hinder external communication
Before: Trusted adviser
After: Outsider

Slide 10

Attacks affect the IT security team
Before: Focused
After: Overwhelmed

Slide 11

Attacks wreck internal communication
Before: Transparency
After: Need to know

Slide 12

Attacks affect intellectual property
Before: Confident
After: Vulnerable

Slide 13

Attack timeline

Research and preparation
First host compromised
24–48 hours later: Domain admin compromised
More than 200 days later (varies by industry): Attack discovered

Attackers find any weakness, target information on any device or service
Attackers often target AD and IT Admins to gain access to business assets
Attacker undetected (data exfiltration)
You may be under attack (or compromised) and unaware

Slide 14

Anatomy of an attack

Stages: Enter, Establish, Expand, Endgame
Diagram layers: User, Device, Network

Phishing Attacks
Malicious Attachment Delivery
Malicious Attachment Execution
Browser or Doc Exploit Delivery
Browser or Doc Exploit Execution
Stolen Credential Use
Internet Service Compromise
Kernel-mode Malware
Kernel Exploits
Pass-the-Hash

Endgame: espionage, loss of IP; data theft; ransom; lost productivity; business disruption

Slide 15

Different attack vectors

Attack the applications and infrastructure:
Compromised privileged accounts
Unpatched vulnerabilities
Phishing attacks
Malware infections

Attack the virtualization fabric:
Compromised fabric exposes guest VMs
Easy to modify or copy VM without notice
Can’t protect a VM with gates, walls, locks, etc.
VMs can’t leverage hardware security (e.g., TPM)

Slide 16

Windows Server 2016: Layers of security

Help protect applications and data in any cloud (Hyper-V, Azure, Other Clouds, Other Hypervisors)
Address emerging attack vectors
Detect faster with Log Analytics integration

Slide 17

Help protect credentials and privileged access

Slide 18

Challenges in protecting credentials

Chart: capability over time for a typical administrator (Ben, Mary, Jake; Admin, Domain admin)

Social engineering leads to credential theft.
Most attacks involve gathering credentials (Pass-the-Hash attacks).
Administrative credentials typically provide unnecessary extra rights for unlimited time.

Slide 19

Helping protect privileged credentials

Chart: capability vs. time needed for a typical administrator (Ben, Mary, Jake; Admin, Domain admin), compared with Just Enough and Just in Time administration

Credential Guard
Prevents Pass-the-Hash and Pass-the-Ticket attacks by protecting stored credentials through virtualization-based security.

Remote Credential Guard
Works in conjunction with Credential Guard for RDP sessions to deliver Single Sign-On (SSO), eliminating the need to pass credentials to the RDP host.

Just Enough Administration
Limits administrative privileges to the bare-minimum required set of actions (limited in space).

Just-in-Time Administration
Provides privileged access through a workflow that is audited and limited in time.

Slide 20
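The "limited in space" property of Just Enough Administration is expressed in two PowerShell files: a role capability that lists the only commands an operator may run, and a session configuration that binds an AD group to that role. The following is an added example, not code from the deck or from Microsoft; the module path, the group CONTOSO\DnsOperators, the endpoint name DnsOps and the transcript directory are assumptions.

```powershell
# Added example: a JEA endpoint that lets a DNS operator group restart the DNS
# service and read its event log, and nothing else. All names are assumptions.

# 1. A role capability file must live in a 'RoleCapabilities' folder of a module
#    on $env:PSModulePath, because JEA resolves roles by name from there.
$modulePath = Join-Path $env:ProgramFiles 'WindowsPowerShell\Modules\DnsOpsJea'
New-Item -Path (Join-Path $modulePath 'RoleCapabilities') -ItemType Directory -Force | Out-Null
New-ModuleManifest -Path (Join-Path $modulePath 'DnsOpsJea.psd1')

# 2. Role capability: allow-list cmdlets and constrain their parameters, so the
#    operator can restart only the DNS service (ValidateSet), not any service.
New-PSRoleCapabilityFile -Path (Join-Path $modulePath 'RoleCapabilities\DnsOperator.psrc') `
    -VisibleCmdlets @(
        'Get-Service',
        @{ Name = 'Restart-Service'; Parameters = @{ Name = 'Name';    ValidateSet = 'DNS' } },
        @{ Name = 'Get-WinEvent';    Parameters = @{ Name = 'LogName'; ValidateSet = 'DNS Server' } }
    )

# 3. Session configuration: start from an empty command set
#    (RestrictedRemoteServer), run as a transient virtual account so there is
#    no standing admin credential to steal, transcribe every session for audit,
#    and map the AD group to the role defined above.
$sessionConfig = Join-Path $env:TEMP 'DnsOps.pssc'
New-PSSessionConfigurationFile -Path $sessionConfig `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory 'C:\ProgramData\JEA\Transcripts' `
    -RoleDefinitions @{ 'CONTOSO\DnsOperators' = @{ RoleCapabilities = 'DnsOperator' } }

# 4. Validate before registering: a malformed .pssc would register an endpoint
#    that nobody can connect to.
if (-not (Test-PSSessionConfigurationFile -Path $sessionConfig)) {
    throw 'Session configuration file failed validation'
}
Register-PSSessionConfiguration -Name 'DnsOps' -Path $sessionConfig -Force | Out-Null

# Check from an operator's workstation (connect to the endpoint, then Get-Command
# should list only Get-Service, Restart-Service, Get-WinEvent and the few
# cmdlets RestrictedRemoteServer always exposes):
#   Enter-PSSession -ComputerName dns01 -ConfigurationName DnsOps
```

Because the endpoint runs as a virtual account, the operator never holds a domain-admin credential on the server, which is the Pass-the-Hash exposure the previous slide describes.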

Help protect Active Directory, admin privileges

Roadmap stages: 2-4 weeks, 1-3 months, 6+ months

2-4 weeks: First response to the most frequently used attack techniques.
1. Separate Admin account for admin tasks
2. Privileged Access Workstations (PAWs), Phase 1 – Active Directory admins: http://Aka.ms/CyberPAW
3. Unique Local Admin Passwords for Workstations: http://Aka.ms/LAPS
4. Unique Local Admin Passwords for Servers: http://Aka.ms/LAPS

Diagram: Active Directory, Azure Active Directory

Slide 21

Help protect Active Directory, admin privileges

Roadmap stages: 2-4 weeks, 1-3 months, 6+ months

1-3 months: Build visibility and control of administrator activity, increase protection against typical follow-up attacks.
1. Privileged Access Workstations (PAWs), Phases 2 and 3 – All Admins and additional hardening (Credential Guard, RDP Restricted Admin, etc.): http://aka.ms/CyberPAW
2. Time-bound privileges (no permanent admins): http://aka.ms/PAM; http://aka.ms/AzurePIM
3. Multi-factor for elevation
4. Just Enough Admin (JEA) for DC Maintenance: http://aka.ms/JEA
5. Lower attack surface of Domain and DCs: http://aka.ms/HardenAD
6. Attack Detection: http://aka.ms/ata

Diagram: Active Directory, Azure Active Directory

Slide 22

Help protect Active Directory, admin privileges

http://aka.ms/privsec

Roadmap stages: 2-4 weeks, 1-3 months, 6+ months

6+ months: Build visibility and control of administrator activity, increase protection against typical follow-up attacks.
1. Modernize Roles and Delegation Model
2. Privileged Access Workstations (PAWs), Phases 2 and 3 – All Admins and additional hardening (Credential Guard, RDP Restricted Admin, etc.): http://aka.ms/CyberPAW
3. Admin Forest for Active Directory administrators: http://aka.ms/ESAE
4. Device Guard Policy for DCs (Server 2016)
5. Shielded VMs for virtual DCs (Server 2016 Hyper-V Fabric): http://aka.ms/shieldedvms

Diagram: Active Directory, Azure Active Directory

Slide 23

Help protect applications and data in any cloud

Slide 24

Challenges protecting the OS and applications

New exploits can attack the OS boot path all the way up through application operations.
Known and unknown threats need to be blocked without impacting legitimate workloads.

Slide 25

Helping protect OS and applications

Device Guard
Ensure that only permitted binaries can be executed from the moment the OS is booted.

Windows Defender
Actively protects from known malware without impacting workloads.

Control Flow Guard
Protects against unknown vulnerabilities by helping prevent memory corruption attacks.

Slide 26
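Device Guard's "only permitted binaries" guarantee is carried by a code integrity policy that the kernel loads at boot. The following is an added example, not code from the deck or from Microsoft: it builds a policy from a known-good reference server, deploys it in audit mode first so legitimate workloads can be found before anything is blocked, and shows the step that turns on enforcement. The paths under C:\Policy and the policy name are assumptions.

```powershell
# Added example: build and deploy a Device Guard code integrity policy.
# Run on a reference server that is already in a known-good state.
# Paths below are assumptions.

$policyXml = 'C:\Policy\ServerCI.xml'
$policyBin = 'C:\Policy\SIPolicy.p7b'

# 1. Scan the reference image. -Level FilePublisher trusts binaries by signer
#    plus file name/version; -Fallback Hash pins any unsigned binary by hash.
#    -UserPEs includes user-mode executables, not only kernel drivers, which
#    is what "from the moment the OS is booted up through applications" needs.
New-CIPolicy -FilePath $policyXml -Level FilePublisher -Fallback Hash `
    -ScanPath 'C:\' -UserPEs

# 2. Keep audit mode on (rule option 3) for the first deployment: violations
#    are written to the CodeIntegrity operational event log instead of being
#    blocked, so an unexpected agent or tool shows up as a log entry, not an
#    outage. Review that log before moving on.
Set-RuleOption -FilePath $policyXml -Option 3

# 3. Compile the XML to the binary form the kernel loads and install it; the
#    policy takes effect after the next reboot.
ConvertFrom-CIPolicy -XmlFilePath $policyXml -BinaryFilePath $policyBin
Copy-Item -Path $policyBin `
    -Destination "$env:SystemRoot\System32\CodeIntegrity\SIPolicy.p7b" -Force

# 4. Once the audit log is clean, remove audit mode and redeploy to enforce.
#    From then on, a binary that is not in the policy does not run, including
#    one dropped by malware that has already obtained admin rights.
# Set-RuleOption -FilePath $policyXml -Option 3 -Delete
# ConvertFrom-CIPolicy -XmlFilePath $policyXml -BinaryFilePath $policyBin
# Copy-Item -Path $policyBin `
#     -Destination "$env:SystemRoot\System32\CodeIntegrity\SIPolicy.p7b" -Force
```

Keep the XML source under change control: every patch cycle that changes signers or versions needs the policy regenerated or merged, or the enforced policy will block the update itself.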

Respond more intelligently with log analytics integration

Slide 27

Challenges turning log files into operational insights

In order to better detect threats, the OS needs to provide additional auditing information.
Security Information and Event Management (SIEM) systems are only as intelligent as the information provided from the OS.

Slide 28

Improved detection

Enhanced Logs
Log new audit events to better detect malicious behavior by providing more detailed information to security operation centers.

Integration with systems management
Operations Management Suite (OMS) and other SIEM systems can take advantage of this information to provide intelligence reports on potential breaches in the datacenter environment.

Slide 29

Help protect the virtualization fabric

Slide 30

Challenges protecting virtual machines

Diagram: the customer's guest VM runs on the fabric's host OS, hypervisor and storage; "Healthy host?"

Any compromised or malicious fabric administrators can access guest virtual machines.
Health of hosts not taken into account before running VMs.
Tenant’s VMs are exposed to storage and network attacks.
Virtual machines can’t take advantage of hardware-rooted security capabilities such as TPMs.

Slide 31

Helping protect virtual machines

Shielded Virtual Machines
Use BitLocker to encrypt the disk and state of virtual machines, protecting secrets from compromised admins and malware.

Host Guardian Service
Attests to host health, releasing the keys required to boot or migrate a Shielded VM only to healthy hosts.

Generation 2 VMs
Supports virtualized equivalents of hardware security technologies (e.g., TPMs), enabling BitLocker encryption for Shielded Virtual Machines.

Diagram: access to a physical machine (inside the building perimeter and computer room), a Hyper-V virtual machine and a Hyper-V shielded virtual machine, by role: Server Administrator*, Storage Administrator, Network Administrator, Backup operator, Virtualization-host administrator. Legend: should have access and does; should not have access and doesn’t; should not have access but does. *Configuration dependent.

Slide 32

Shielded Virtual Machines: works with Host Guardian Service

Diagram: Cloud/Datacenter with a Fabric Controller and Hyper-V Host 1, Host 2 and Host 3, each running a Hypervisor, Host OS and Guest VMs; a host asks the Host Guardian Service (Key Protection): "Please sir, may I have some keys?"

Slide 33

Shielded Virtual Machines: works with Host Guardian Service

Diagram: the same fabric as the previous slide; the Host Guardian Service (Key Protection) answers: "Sure, I know you and you look healthy."

Key release criteria (TPM-mode):
Known physical machines
Trusted Hyper-V instance
CI-compliant configuration

Slide 34
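Each of the three TPM-mode key release criteria above corresponds to one artefact the HGS administrator registers: a TPM identifier per known host, a boot-measurement baseline for the trusted Hyper-V build, and the code integrity policy the hosts must run. The following is an added example, not from the deck or from Microsoft, that enrols one guarded host and then verifies on the host that attestation succeeds; the host name host01, the HGS address hgs.bastion.local, the file paths and the property names read from Get-HgsClientConfiguration are assumptions.

```powershell
# Added example, not from the deck. TPM-mode attestation: the Host Guardian
# Service releases Shielded VM keys only to a host that matches all three
# registered artefacts. host01, hgs.bastion.local and paths are assumptions.

# --- On the known-good reference host: collect the evidence ---

# Criterion 1, known physical machine: the host's TPM endorsement key identity.
(Get-PlatformIdentifier -Name 'host01').InnerXml |
    Out-File -FilePath 'C:\HGS\host01.xml' -Encoding UTF8

# Criterion 2, trusted Hyper-V instance: the TPM boot measurement log (TCG log)
# recording firmware, boot loader, kernel and VBS state of the reference host.
Get-HgsAttestationBaselinePolicy -Path 'C:\HGS\HWConfig1.tcglog'

# Criterion 3, CI-compliant configuration: the code integrity policy binary
# the hosts run, copied from the reference host's
# C:\Windows\System32\CodeIntegrity\SIPolicy.p7b to C:\HGS\SIPolicy.p7b.

# --- On the HGS server: register what a healthy host must look like ---
Add-HgsAttestationTpmHost   -Path 'C:\HGS\host01.xml'       -Name 'host01'
Add-HgsAttestationTpmPolicy -Path 'C:\HGS\HWConfig1.tcglog' -Name 'HWConfig1'
Add-HgsAttestationCIPolicy  -Path 'C:\HGS\SIPolicy.p7b'     -Name 'ServerCI'

# --- On every guarded host: point it at HGS and verify it attests ---
Set-HgsClientConfiguration `
    -AttestationServerUrl   'http://hgs.bastion.local/Attestation' `
    -KeyProtectionServerUrl 'http://hgs.bastion.local/KeyProtection'

# The check a practitioner wants: a host whose firmware, boot chain or CI
# policy drifts from the registered baseline stops attesting, and with that
# stops being able to start or receive Shielded VMs. Surface that state rather
# than discovering it when a VM fails to boot. (Property names assumed.)
$state = Get-HgsClientConfiguration
if (-not $state.IsHostGuarded) {
    throw "host01 is not attested: $($state.AttestationStatus) / $($state.AttestationSubstatus)"
}
```

A host that fails the check after a firmware or policy update is the expected, safe outcome: re-capture the baseline or policy on a reference host and register it, rather than loosening the criteria.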

“Shielded Virtual Machines remove a hosting obstacle and are a huge competitive differentiator. No one but Microsoft has this technology now.”

Philip Moss, Chief Product Officer, Acuutech

Slide 35

Protect with just enough OS

Slide 36

Challenges in protecting new apps

Developers are making use of packaging and deployment tools such as containers.
Containers share the same kernel, which limits isolation and exposes compliance and regulatory risks.
Reduce the risk by providing only the components required by the application to run.

Diagram: Shared Hardware (Hypervisor Isolation) running VMs; Shared Kernel (User Mode Isolation) running Containers

Slide 37

Windows Server 2016 approach

Hyper-V containers
Provide hypervisor isolation for each container with no additional coding requirements. Helps align with regulatory requirements for PCI and PII data.

Nano Server
Reduce the attack surface by deploying a minimal “just enough” server footprint.

Diagram: Shared Hardware (Hypervisor Isolation) running VMs; Shared Platform (Hypervisor Isolation) running Hyper-V Containers

Slide 38

Windows Server 2016 security summary

Slide 39

Windows Server 2016 security summary

Virtualization Fabric

Protecting virtual machines
Shielded VMs (Server 2012, 2016 guests)
Virtual TPM for Generation 2 VMs
Guarded fabric attesting to host health
Secure boot for Windows and Linux

Hyper-V platform
Nano based Hyper-V host
Virtualization-based security
Distributed networking firewall

Secure containers
Hyper-V containers
Containers hosted in a Shielded VM

Infrastructure and applications

Privileged identity
Credential Guard
Remote Credential Guard
Just In Time administration
Just Enough administration

Threat resistance
Control Flow Guard
Device Guard
Built in anti-malware

Threat detection
Enhanced threat detection

Slide 40

Next steps

Download Windows Server 2016 Today! www.microsoft.com/WindowsServer2016
Visit the Datacenter & Private Cloud Security Blog: blogs.technet.microsoft.com/datacentersecurity/
Move to a secure virtualization infrastructure: http://www.microsoft.com/vmwareshift

Slide 41

Slide 42

Appendix

Slide 43

Breaches cost a lot of money (average $4M based on Ponemon Institute)

Before: Customers pay for your services.
After: You pay customers compensation to keep them using your services.

Productivity
Before: Employees efficiently perform work activities.
After: Employees waste hours a day using manual processes.

Overspending reflex
Before: Appropriately sized and dedicated IT Security team.
After: IT Security team exponentially increases in size and remediation efforts require new and expensive products.

Slide 44

Industry reputation
Before: Industry credibility, positive reputation, customer confidence.
After: Loss of credibility, embarrassing information exposed, customers lose faith.

Corporate secrets
Before: Corporate secrets are secret.
After: Corporate secrets are public knowledge; potential loss of competitive advantage.

Ransomware
Before: HBI/MBI assets available for day-to-day business operations.
After: Assets encrypted and key business IT services rendered useless.

Customer trust
Before: Customers happy to trust you with their personal information.
After: Customers reluctant to share information with you.

Slide 45

How better security starts at the OS

Enterprises need to: Protect admin credentials
Example threat: A Pass-the-Hash attack provides an attacker with admin credentials on a hospital network, which the attacker uses to access confidential patient data.
Windows Server 2016 helps: Just Enough Administration; Just-in-Time Administration; Credential Guard; Remote Credential Guard for Remote Desktop Protocol (RDP) sessions

Enterprises need to: Protect servers, detect threats and respond in time
Example threat: Ransomware on university servers locks users away from critical student and research data—until a ransom is paid to the attacker.
Windows Server 2016 helps: Device Guard; Control Flow Guard; Windows Defender

Example threat: A line-of-business application developer downloads code from the public internet to integrate into her application. The downloaded code includes malware that can track activity in other containers through the shared kernel.
Windows Server 2016 helps: Hyper-V containers; Nano Server

Enterprises need to: Quickly identify malicious behavior
Example threat: Malware tries to access the credential manager on a Windows server to gain access to user credentials.
Windows Server 2016 helps: Enhanced Logging; Microsoft Operations Management Suite Log Analytics

Enterprises need to: Virtualize without compromising security
Example threat: Attacker compromises fabric admin credentials at a bank, giving him access to virtualized Active Directory Domain Controllers and SQL databases where client account information is stored.
Windows Server 2016 helps: Shielded Virtual Machines; BitLocker; Host Guardian Service

Slide 46

Alignment with regulatory compliance

PCI DSS 3.1
3.4 – Verifying stored PAN is unreadable
3.4.1 – Disk encryption usage and access control
6.4.1 – Test and Production Environment Separation
6.4.2 – Separation of duties between test and production environments
6.5.3 – Insecure cryptographic storage
7.1 – System components and cardholder data access restricted to job-based needs
7.1.2 – User ID access based on least privileges
7.1.3 – Assigning access to job function and classification
7.1.4 – Documented approval of access privileges
7.2.2 – Assigning privileges to job function and classification
7.2.3 – Default “deny-all” setting
8.7 – Restricted access to databases containing cardholder data
10.2.2 – Logging actions by root privileges individual
10.2.5 – User changes logging
11.5 – Change-detection mechanism deployment
12.5.4 – Administer user accounts
12.5.5 – Monitor and control all access to data

ISO 27001:2013
A.6.1.2 – Segregation of duties
A.8.2.3 – Media Access
A.9.1 – Business requirement of access control
A.9.1.2 – Access to networks and network services
A.9.2.2 – User access provisioning
A.9.2.3 – Management of privileged access rights
A.9.4.1 – Information access restriction
A.9.4.5 – Access control to program source code
A.12.1.4 – Separation of development, testing, and operational environments
A.12.4.1 – Event logging
A.12.4.3 – Administrator and operator logs

FedRAMP
AC-2 – Account Management
AC-2 (4) – Automated Audit Actions
AC-2 (12) – Account Monitoring
AC-3 – Access Enforcement
AC-5 – Separation of Duties
AC-6 – Least Privilege
AC-6 (1) – Authorize Access to Security Functions
AC-6 (2) – Non-Privileged Access for Non-Security Functions
AC-6 (5) – Privileged Accounts
AC-6 (9) – Auditing Use of Privileged Functions
AC-6 (10) – Prohibit Non-Privileged Users from Executing Privileged Functions
AU-2 – Audit Events
AU-9 (4) – Audit Access by Subset of Privileged Users
AU-12 – Audit Generation
CM-5 – Access Restrictions for Change
CM-5 (1) – Automated Access Enforcement
CM-5 (5) – Limit Production / Operational Privileges
SC-2 – Application Partitioning
SC-4 – Information in Shared Resources
SC-28 – Protection of Information at Rest
SC-28 (1) – Protection of Information at Rest
SI-6 – Security Function Verification
SI-7 – Software, Firmware, and Information Integrity

Windows Server 2016 can now directly help address certification requirements. It helps you more easily comply with government and industry regulations for protecting data, such as HIPAA, SOX, ISO 27001, PCI, and FedRAMP.

Slide 47

Just-in-Time Administration compliance mapping

JIT Security and Compliance Capability: Controlling Logical Access Privileges and Implementing Least Privilege Access

ISO 27001:2013
A.9.1 – Business requirement of access control
A.9.1.2 – Access to networks and network services
A.9.2.2 – User access provisioning
A.9.2.3 – Management of privileged access rights
A.9.4.1 – Information access restriction
A.9.4.5 – Access control to program source code

PCI DSS 3.1
7.1 – System components and cardholder data access restricted to job-based needs
7.1.2 – User ID access based on least privileges
7.1.3 – Assigning access to job function and classification
7.1.4 – Documented approval of access privileges
7.2.2 – Assigning privileges to job function and classification
7.2.3 – Default “deny-all” setting
12.5.4 – Administer user accounts
12.5.5 – Monitor and control all access to data

FedRAMP; NIST 800-53 Revision 4
AC-2 – Account Management
AC-3 – Access Enforcement
AC-6 – Least Privilege
AC-6 (1) – Authorize Access to Security Functions
AC-6 (2) – Non-Privileged Access for Non-Security Functions
AC-6 (5) – Privileged Accounts
AU-9 (4) – Audit Access by Subset of Privileged Users
CM-5 – Access Restrictions for Change
CM-5 (1) – Automated Access Enforcement
CM-5 (5) – Limit Production / Operational Privileges

JIT Security and Compliance Capability: Access Logging / Monitoring / Auditing

ISO 27001:2013
A.12.4.1 – Event logging
A.12.4.3 – Administrator and operator logs

PCI DSS 3.1
10.2.2 – Logging actions by root privileges individual
10.2.5 – User changes logging

FedRAMP; NIST 800-53 Revision 4
AC-2 – Account Management
AC-2 (4) – Automated Audit Actions
AC-2 (12) – Account Monitoring
AC-6 (9) – Auditing Use of Privileged Functions
AU-2 – Audit Events
AU-12 – Audit Generation
CM-5 (1) – Automated Access Enforcement

Slide 48

Hyper-V Shielded VM compliance mapping

Hyper-V Shielded VM Security and Compliance Capability: Enforcing Separation of Duties

ISO 27001:2013
A.6.1.2 – Segregation of duties

PCI DSS 3.1
6.4.2 – Separation of duties between test and production environments

FedRAMP; NIST 800-53 Revision 4
AC-5 – Separation of Duties

Hyper-V Shielded VM Security and Compliance Capability: Implementation of Least Privilege Access and Partitioning Tenant Functionality

ISO 27001:2013
A.9.2.3 – Management of privileged access rights
A.12.1.4 – Separation of development, testing, and operational environments

PCI DSS 3.1
6.4.1 – Test and Production Environment Separation
7.2 – User access control on need-to-know basis
7.2.3 – Default “deny-all” setting

FedRAMP; NIST 800-53 Revision 4
AC-6 – Least Privilege
AC-6 (10) – Prohibit Non-Privileged Users from Executing Privileged Functions
SC-2 – Application Partitioning

Hyper-V Shielded VM Security and Compliance Capability: Protecting Information Stored in Shared Resources

ISO 27001:2013
None

PCI DSS 3.1
8.7 – Restricted access to databases containing cardholder data

FedRAMP; NIST 800-53 Revision 4
SC-4 – Information in Shared Resources

Hyper-V Shielded VM Security and Compliance Capability: Protection of Data at Rest

ISO 27001:2013
A.8.2.3 – Media Access

PCI DSS 3.1
3.4 – Verifying stored PAN is unreadable
3.4.1 – Disk encryption usage and access control
6.5.3 – Insecure cryptographic storage

FedRAMP; NIST 800-53 Revision 4
SC-28 – Protection of Information at Rest
SC-28 (1) – Protection of Information at Rest

Hyper-V Shielded VM Security and Compliance Capability: Security Function Verification and Integrity Monitoring

ISO 27001:2013
None

PCI DSS 3.1
11.5 – Change-detection mechanism deployment

FedRAMP; NIST 800-53 Revision 4
SI-6 – Security Function Verification
SI-7 – Software, Firmware, and Information Integrity