Sander Berkouwer Microsoft MVP Directory Services 2009 - 2015 Microsoft Netherlands Virtual Technical Evangelist Blogger on DirTeam.com ServerCore.Net.

Presentation transcript:

About
- Sander Berkouwer
- Microsoft MVP Directory Services
- Microsoft Netherlands Virtual Technical Evangelist
- Blogger on DirTeam.com, ServerCore.Net

Agenda
- Current Situation
- Challenges
  - Challenges when virtualizing DCs on Hyper-V
  - Challenges when virtualizing DCs on Azure IaaS
- Solutions
  - Picking the right solutions for your challenges

CURRENT SITUATION

Why do we virtualize DCs?
- Flexibility: get DCs there fast, move them without downtime
- Cost saving and cost predictability: virtualization increases hardware usage; hardware maintenance and upgrades are more predictable
- Less dependencies on hardware: quickly add/remove hardware, no outages

Sensitive Domain Controllers
- When Active Directory fails... Domain Controllers are centers of universes
- Domain Controllers are at the center of many infrastructures
- (Read-only) Domain Controllers can be distributed everywhere
- Sensitive information: DCs contain information on replication, accounts, credentials; DNS servers contain caches of queries (information on visited sites)

CHALLENGES

Challenges with DCs on Hyper-V
- Performance
- Snapshots
- Security
- Integration components
- Backup and restore
- Can you trust Hyper-V administrators?

Challenges with DCs on Azure
- Connectivity
- Knowledge of Azure taxonomy
- Knowledge of Azure topology
- Dynamic IPv4, IPv6 addressing
- Under the hood, Azure IaaS uses Hyper-V
- Can you trust the Azure administrator?

Why is this important?
- Advanced Persistent Threats: Pass the Hash (PtH) attacks, Pass the Ticket (PtT) attacks, Kerberos Golden Tickets
- Security
- Legal, organizational requirements
- Job security

A REALITY CHECK

Kerberos 5 Primer
Typical Kerberos flow:
1. During startup or logon, the client requests a Ticket Granting Ticket (TGT) from the Key Distribution Center (KDC). The TGT is then processed client-side.
2. To access a service within the Kerberos realm, the client requests a Service Ticket (TGS), based on the TGT, from any KDC.
3. The client presents the TGS to the service. Based on authorization, access is granted (or not).

The keys to your kingdom
- The KRBTGT account's password signs everything
- I don't need to ask for a TGT when I know the password
- TGTs and TGSs are processed and enforced client-side
- I don't need to play by the rules to get access permissions; I can just insert the well-known SIDs I want into my TGT
- Only restriction: maximum TGT lifetime of 10 years

DEMO KRBTGT

SOLUTIONS

Reset KRBTGT
- KRBTGT account password reset scripts
- The KRBTGT account password is used to encrypt TGTs and TGSs
- The KRBTGT account password needs to be reset twice
- Reset-KrbtgtKeyInteractive v1.4 (Reset-KrbtgtKeyInteractive.ps1), download from the TechNet Gallery
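Before scheduling the double reset described above, it helps to know how old the current KRBTGT key actually is. The following script is an added example (not part of the presentation and not part of Reset-KrbtgtKeyInteractive.ps1); it reports the key age of the domain's krbtgt account and of each RODC-specific krbtgt_<id> account, and assumes the ActiveDirectory module (RSAT) plus read access to those accounts. The 180-day threshold is an assumed value, not one from the slides.

```powershell
# Added example (not from the presentation or from Reset-KrbtgtKeyInteractive.ps1):
# report how old the KRBTGT key is for the domain's krbtgt account and for each
# RODC-specific krbtgt_<id> account, so the double reset can be scheduled.
# Assumes the ActiveDirectory module (RSAT) and read access to the accounts.
Import-Module ActiveDirectory

function Get-KrbtgtKeyAge {
    param(
        # Assumed organisational threshold; the slides give no number.
        [int]$MaxAgeDays = 180
    )
    # krbtgt = key shared by all writable DCs; krbtgt_<id> = key of one RODC,
    # whose msDS-KrbTgtLinkBl back-link names that RODC's computer object.
    $accounts = Get-ADUser -LDAPFilter '(sAMAccountName=krbtgt*)' `
                           -Properties PasswordLastSet, 'msDS-KrbTgtLinkBl'
    foreach ($acct in $accounts) {
        $link  = $acct.'msDS-KrbTgtLinkBl'
        $scope = if ($link) { ($link -split ',')[0] -replace '^CN=', '' }
                 else       { 'all writable DCs' }
        $age = (Get-Date) - $acct.PasswordLastSet
        [pscustomobject]@{
            Account         = $acct.SamAccountName
            UsedBy          = $scope
            PasswordLastSet = $acct.PasswordLastSet
            AgeDays         = [int]$age.TotalDays
            ResetNeeded     = ($age.TotalDays -gt $MaxAgeDays)
        }
    }
}

# Two resets are needed because the account keeps its current and previous key
# and tickets encrypted under the previous key stay valid until they expire;
# let the first reset replicate to every DC before performing the second one.
Get-KrbtgtKeyAge | Sort-Object AgeDays -Descending | Format-Table -AutoSize
```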

BitLocker Drive Encryption
- Support for virtualization hosts: BitLocker for boot and system volumes; BitLocker on Cluster Shared Volumes (CSVs)
- Support in virtual machines: BitLocker not supported on boot and system volumes; BitLocker on data disks, but TPM is unavailable

Encryption of backups
- Backups: treat backups like you would treat virtual Domain Controllers
- Hardware encryption: offered by all of today's backup hardware, on by default
- Software encryption: offered by many of today's backup software products, off by default
- Authorizing access based on Active Directory accounts?

Access Control Lists on VHD(X)s
- Default ACLs on VHD(X)s: Administrators – full control; SYSTEM – full control; Hyper-V Administrators – full control
- Change ACLs: Hyper-V Administrators – read and write
- Note: Administrators have Take Ownership

Server Core Virtualization Hosts
- Server Core installations: virtualization hosts without a Graphical User Interface (GUI); less susceptible to human error; less susceptible to vulnerabilities
- Installation options: 2008 (R2): choose at installation; 2012 (R2): choose at installation or add/remove after install

Hyper-V Administrators group
- New security group on Hyper-V hosts, introduced with Windows 8 and Windows Server 2012
- Principle of least administrative privilege: remove Hyper-V Administrators from Administrators
- Hyper-V Administrators have access to all Hyper-V features
- Hyper-V Administrators have full control on VHD(X)s
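The two slides above (VHD(X) ACLs and the Hyper-V Administrators group) both come down to the same audit question on a host: who holds full control on the disk files, and who is in both local groups. The script below is an added example, not code from the presentation; it is run on the Hyper-V host and assumes the Hyper-V PowerShell module (Windows Server 2012 or later) and the Get-LocalGroupMember cmdlet (Microsoft.PowerShell.LocalAccounts, PowerShell 5.1 / Windows Server 2016 or later).

```powershell
# Added example (not part of the presentation): audit the ACLs on every VM's
# VHD(X) files on this Hyper-V host and list accounts that sit in both the
# Hyper-V Administrators and the Administrators local groups. Run on the host.
# Assumes the Hyper-V module (Windows Server 2012+) and Get-LocalGroupMember
# (Microsoft.PowerShell.LocalAccounts, PowerShell 5.1 / Windows Server 2016+).
Import-Module Hyper-V

function Get-VhdAclReport {
    # One row per ACE per attached VHD(X); the owner matters because
    # Administrators can take ownership and re-grant themselves rights.
    foreach ($vm in Get-VM) {
        foreach ($drive in Get-VMHardDiskDrive -VM $vm) {
            if (-not $drive.Path) { continue }   # pass-through disks have no file path
            $acl = Get-Acl -Path $drive.Path
            foreach ($ace in $acl.Access) {
                [pscustomobject]@{
                    VM        = $vm.Name
                    Path      = $drive.Path
                    Owner     = $acl.Owner
                    Identity  = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

function Get-HyperVAdminOverlap {
    # Members of Hyper-V Administrators that are also local Administrators;
    # following the slide's least-privilege advice, this list should be empty.
    $admins = (Get-LocalGroupMember -Group 'Administrators').Name
    Get-LocalGroupMember -Group 'Hyper-V Administrators' |
        Where-Object { $admins -contains $_.Name } |
        Select-Object Name, ObjectClass, PrincipalSource
}

# Disks where Hyper-V Administrators still hold FullControl (the default ACL)
$full = [System.Security.AccessControl.FileSystemRights]::FullControl
Get-VhdAclReport |
    Where-Object { $_.Identity -like '*\Hyper-V Administrators' -and
                   ($_.Rights -band $full) -eq $full } |
    Format-Table VM, Path, Owner, Identity, Rights -AutoSize
Get-HyperVAdminOverlap | Format-Table -AutoSize
```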

Integration Components
- They're drivers and services for VMs; ICs enlighten virtual machines
- Capabilities: OS shutdown, time synchronization, data exchange, heartbeat, backup and guest services

Read-only Domain Controllers
- Read-only Domain Controllers offer: read-only Active Directory database and DNS; RODC filtered attribute set; unidirectional replication; granular credential caching; administrator role separation
- Read-only Domain Controllers offer individual KRBTGT accounts

Syskey
- System Key Protection: additional protection of secrets
- Protection methods: password startup; system generated password; store startup key on floppy disk; store startup key locally

DEMO SYSKEY

Processes
- Monitoring
- Auditing
- Backup
- Administrator role separation
- Communication
- Documentation

Sneak Preview
- Client-side encryption: available in Hyper-V in the latest TPs of Windows 10; available in Hyper-V in the upcoming TP of Windows Server vNext; currently in development for Azure Storage objects (source)
- Azure Key Vault: currently in public preview for Azure; Hardware Security Module (HSM) in the cloud

DEMO VTPMS

CONCLUDING

Concluding
- Domain Controllers contain sensitive information: DCs contain info on replication, accounts, credentials; DNS servers contain caches of queries (visited sites)
- Virtualizing Domain Controllers: virtualizing DCs safely is not an easy task; virtualizing DCs is not just a technical challenge
- Do we really want to virtualize Domain Controllers?

You are rewarded with 100 WinCoin points for attending this session. Earn an additional 100 WinCoin points if you fill in the official questionnaire. THANK YOU!

MVA
Successful professionals never stop learning. Microsoft Virtual Academy offers online Microsoft trainings led by experts to help professionals upgrade their knowledge. Trainings are prepared by leading experts from different technology areas. After you take a training, you can test your knowledge. To better understand this session, I advise you to take the following trainings: XXX1 XXX2 XXX3 Training name 1 link1 Training name 2 link1 Training name 3 link1