BRK2146: Protect your infrastructure with Windows Server 2016 Security
Dean Wells, Jane Yan (Windows Server)
2/21/2018 12:53 PM
Windows Server 2016: built-in layers of security; software-defined datacenter; cloud-ready application platform
Windows Server + System Center session guide: aka.ms/WS2016Ignite
© 2014 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

First: context refresher
… perhaps it’s obvious but why does all this matter?

Modern Security Threats
“There are two kinds of big companies, those who’ve been hacked, and those who don’t know they’ve been hacked.”
James Comey, Director, FBI

“Cyber security is a CEO issue.” - McKinsey
Cyber threats are a material risk to your business:
- Impact of lost productivity and growth: $3.0 Trillion
- Average cost of a data breach (15% YoY increase): $4 Million
- Corporate liability coverage: $500 Million
Source: McKinsey, Ponemon Institute, Verizon

Cybercrime: State of the Union
Three trends: (1) increasing incidents, (2) a variety of motivations, (3) increasing risk. Headlines:
- Cyberattacks on the rise against US corporations (New York Times, 2014)
- Espionage malware infects rafts of governments, industries around the world (Ars Technica, 2014)
- Cybercrime costs US economy up to $140B annually, report says (Los Angeles Times, 2014)
- How hackers allegedly stole “unlimited” amounts of cash from banks in just a few hours (Ars Technica, 2014)
- The biggest cyberthreat to companies could come from the inside (Cnet, 2015)
- Ransomware, 0days, malware, scams... all are up, says Symantec (The Register, April 2016)
- Forget carjacking, soon it will be carhacking (The Sydney Morning Herald, 2014)

Cyber security: hidden costs of a breach (before vs. after)
- Breaches cost a lot of money (average $4M, based on Ponemon Institute): before, customers pay for your service; after, you pay customers compensation to keep them using your service.
- Productivity: before, employees efficiently perform the majority of work activities using a desktop computer; after, employees waste hours a day running back and forth to a fax machine (assuming you still have one).
- Overspending reflex: before, an appropriately sized and dedicated IT security team; after, the IT security team increases exponentially in size and remediation efforts require new and expensive products.

Cyber security: hidden costs of a breach (before vs. after, continued)
- Industry reputation: before, industry credibility, a positive reputation and customer confidence, with corporate secrets kept secret; after, loss of credibility, embarrassing information exposed and customers lose faith, with corporate secrets public knowledge and potential loss of competitive advantage.
- Ransomware: before, HBI/MBI assets are available for day-to-day business operations; after, assets are encrypted and key business IT services are rendered useless.
- Customer trust: before, customers are happy to trust you with their PII; after, customers are reluctant to share information with you.

Attack timeline
Attackers often target Active Directory and admins to gain access to business assets.
Research & preparation → First host compromised → (24–48 hours) → Domain admin compromised → Attacker undetected (data exfiltration) → Attack discovered
Mean dwell time: 150+ days (varies by industry).
Attackers find any weakness and target information on any device or service. You may be under attack (or already compromised) and unaware.

Anatomy of an attack
- ENTER (user): browser or document exploit delivery; malicious attachment delivery; phishing attacks; internet service compromise
- ESTABLISH (device): browser or document exploit execution; malicious attachment execution; stolen credential use; kernel exploits
- EXPAND (network): kernel-mode malware; Pass-the-Hash
- ENDGAME (business): business disruption; lost productivity; data theft; espionage, loss of IP; ransom

What do most attacks have in common?
- Phishing attacks
- Stolen credentials
- Pass-the-Hash (PtH) attacks
- Insider attacks
- Fabric attacks

Central risk: administrator privileges
Stolen admin credentials, phishing attacks, insider attacks and fabric attacks all converge on administrative privileges.
- Most attack types seek out and exploit privileged accounts.
- These privileged accounts have the keys to the kingdom; we gave them those keys decades ago.
- But now, those administrators’ privileges are being compromised through social engineering, bribery, coercion, private initiatives, etc.
© 2015 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation.

Attack vectors
Attack the applications and infrastructure:
- Compromised privileged accounts
- Unpatched vulnerabilities
- Phishing attacks
- Malware infections
Attack the virtualization fabric itself:
- A compromised fabric exposes guest VMs
- Easy to modify or copy a VM without notice
- Can’t protect VMs with gates, walls, locks, etc.
- VMs can’t leverage hardware security (e.g. TPMs)

Windows Server Security Posture
- Protect: ongoing focus and innovation on preventative measures; block known attacks and known malware
- Detect: comprehensive monitoring tools to help you spot abnormalities and respond to attacks faster
- Respond: leading response and recovery technologies plus deep consulting expertise
- Isolate: isolate OS components and secrets; limit admin privileges; rigorously measure host health
Security isn’t a bolt-on; it’s an architectural principle.

Windows Server 2016: Protect credentials and privileged access

Challenging to protect credentials
- Social engineering leads to credential theft
- Most attacks seek out and leverage administrative credentials (Pass-the-Hash, PtH)
- Administrative credentials often inadvertently provide more privilege than strictly necessary… and for an unlimited time
[Chart: capability (Admin up to Domain admin) over time for a typical administrator; Ben, Mary and Jake]

Windows Server 2016 approach
- Just Enough Administration (JEA) limits administrative privileges to the bare-minimum required set of actions (limited in space)
- Just in Time Administration (JIT) provides privileged access upon request, through a workflow that is audited and limited in time
[Chart: capability over time with JEA and JIT administration; Ben, Mary and Jake receive only the capability and time needed]

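As an added example (not from the deck), the following PowerShell builds the kind of JEA endpoint the slide describes: one group may restart a single service and read service state, and nothing else is visible. The module name ContosoJEA, role PrintOps, group CONTOSO\HelpDesk, endpoint JEA-PrintOps and user CONTOSO\alice are assumed placeholders.

```powershell
# Added example (not from the deck): a JEA endpoint that lets a help-desk group
# restart one service and read service status, with nothing else exposed.
# Assumed names: module 'ContosoJEA', role 'PrintOps', group 'CONTOSO\HelpDesk',
# endpoint 'JEA-PrintOps'. Run on the managed server as an administrator.

$modulePath = Join-Path $env:ProgramFiles 'WindowsPowerShell\Modules\ContosoJEA'
$rcPath     = Join-Path $modulePath 'RoleCapabilities'
New-Item -ItemType Directory -Path $rcPath -Force | Out-Null
New-Item -ItemType Directory -Path 'C:\JEATranscripts' -Force | Out-Null
# A module manifest so PowerShell discovers the RoleCapabilities folder.
New-ModuleManifest -Path (Join-Path $modulePath 'ContosoJEA.psd1')

# 1. Role capability: the allow-list of what the role may do ("limited in space").
#    Get-Service is read-only and exposed as-is; Restart-Service is exposed only
#    with -Name Spooler, so the operator cannot restart anything else.
New-PSRoleCapabilityFile -Path (Join-Path $rcPath 'PrintOps.psrc') `
    -VisibleCmdlets @(
        'Get-Service',
        @{ Name = 'Restart-Service'; Parameters = @{ Name = 'Name'; ValidateSet = 'Spooler' } }
    )

# 2. Session configuration: which group maps to which role, plus the sandbox.
#    RestrictedRemoteServer strips the default command set; the virtual account
#    holds local admin rights on this host only, so no privileged domain credential
#    is typed into, or cached on, the server (nothing for Pass-the-Hash to steal).
#    Every session is transcribed for the SOC.
$pssc = Join-Path $env:TEMP 'JEA-PrintOps.pssc'
New-PSSessionConfigurationFile -Path $pssc `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory 'C:\JEATranscripts' `
    -RoleDefinitions @{ 'CONTOSO\HelpDesk' = @{ RoleCapabilities = 'PrintOps' } }

if (-not (Test-PSSessionConfigurationFile -Path $pssc)) { throw "Invalid session configuration: $pssc" }
Register-PSSessionConfiguration -Name 'JEA-PrintOps' -Path $pssc -Force | Out-Null

# 3. Verify the effective allow-list for a given user before handing the endpoint out.
Get-PSSessionCapability -ConfigurationName 'JEA-PrintOps' -Username 'CONTOSO\alice' |
    Select-Object Name, CommandType

# A help-desk user then connects with:
#   Enter-PSSession -ComputerName <server> -ConfigurationName JEA-PrintOps
```
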
Demonstrations: JIT + JEA

Windows Server 2016 approach (continued)
- Credential Guard prevents Pass-the-Hash and Pass-the-Ticket attacks by protecting stored credentials and credential artifacts using Virtualization-based Security (VBS)

Demonstration: Credential Guard

Windows Server 2016 approach (continued)
- Remote Credential Guard works in conjunction with Credential Guard for RDP sessions, providing SSO over RDP while eliminating the need for credentials to be passed to the host

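An added example, not the deck's own material, showing how a defender verifies that Credential Guard is actually running, turns it on, and permits Remote Credential Guard on an RDP target. The host name server01.contoso.com is a placeholder; UEFI Secure Boot and a hypervisor-capable CPU are assumed.

```powershell
# Added example (not from the deck): check and configure Credential Guard on a
# Windows Server 2016 host, then connect with Remote Credential Guard over RDP.
# Assumes UEFI + Secure Boot and a hypervisor-capable CPU; $Target is a placeholder.

# 1. Inspect the VBS/Credential Guard state. In Win32_DeviceGuard,
#    SecurityServicesRunning contains 1 when Credential Guard is running and
#    2 when HVCI is running; VirtualizationBasedSecurityStatus is 0/1/2 =
#    disabled/enabled/running.
function Get-CredentialGuardState {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName 'Win32_DeviceGuard'
    [pscustomobject]@{
        VbsStatus              = $dg.VirtualizationBasedSecurityStatus
        CredentialGuardRunning = ($dg.SecurityServicesRunning -contains 1)
        HvciRunning            = ($dg.SecurityServicesRunning -contains 2)
    }
}

# 2. Enable Credential Guard through the registry (the Group Policy equivalent is
#    Computer Configuration > Administrative Templates > System > Device Guard >
#    "Turn On Virtualization Based Security"). A reboot is required.
function Enable-CredentialGuard {
    $dgKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
    $lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    New-Item -Path $dgKey -Force | Out-Null
    Set-ItemProperty -Path $dgKey -Name 'EnableVirtualizationBasedSecurity' -Value 1 -Type DWord
    # RequirePlatformSecurityFeatures: 1 = Secure Boot, 3 = Secure Boot + DMA protection
    Set-ItemProperty -Path $dgKey -Name 'RequirePlatformSecurityFeatures' -Value 1 -Type DWord
    # LsaCfgFlags: 1 = enabled with UEFI lock (cannot be switched off remotely by an
    # attacker with admin rights), 2 = enabled without lock
    Set-ItemProperty -Path $lsaKey -Name 'LsaCfgFlags' -Value 1 -Type DWord
}

# 3. Remote Credential Guard. The RDP *target* must allow it (DisableRestrictedAdmin = 0;
#    the policy equivalent is System > Credentials Delegation > "Restrict delegation of
#    credentials to remote servers"). The *client* then answers Kerberos requests on
#    the target's behalf, so the user's credentials never reach the remote host.
function Enable-RemoteCredentialGuardTarget {
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
        -Name 'DisableRestrictedAdmin' -Value 0 -Type DWord
}

Get-CredentialGuardState
$Target = 'server01.contoso.com'   # placeholder: a domain-joined Server 2016 RDP target
# On the client, once the target is configured (Kerberos; same or trusted forest):
mstsc.exe /remoteGuard /v:$Target
```
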
Demonstration: Remote Credential Guard

Active Directory Access Path (ADAP)
- Scans the environment and constructs a map of all administrators across all machines
- Enables analysis of potential attack paths throughout the entire domain
Real-world case: the scan revealed > 2,000 Domain Admins; root cause: unnecessary/unknown group nesting; post-remediation: 20 domain admins. Some servers were found with 187,000 unintentional administrators, and an existing breach was re-enabling and exploiting disabled accounts.
[Figure: privilege map revealed by ADAP]

Protecting Active Directory and admin privileges (http://aka.ms/privsec)
Roadmap stages: 2-4 weeks, 1-3 months, 6+ months (Active Directory and Azure Active Directory).
Stage 1 (2-4 weeks): first response to the most frequently used attack techniques
1. Separate admin account for admin tasks
2. Privileged Access Workstations (PAWs), Phase 1: Active Directory admins (http://Aka.ms/CyberPAW)
3. Unique local admin passwords for workstations (http://Aka.ms/LAPS)
4. Unique local admin passwords for servers (http://Aka.ms/LAPS)

Protecting Active Directory and admin privileges (http://aka.ms/privsec)
Stage 2 (1-3 months): build visibility and control of administrator activity; increase protection against typical follow-up attacks
1. Privileged Access Workstations (PAWs), Phases 2 and 3: all admins and additional hardening (Credential Guard, RDP Restricted Admin, etc.) (http://aka.ms/CyberPAW)
2. Time-bound privileges (no permanent admins) (http://aka.ms/PAM, http://aka.ms/AzurePIM)
3. Multi-factor authentication for elevation
4. Just Enough Admin (JEA) for DC maintenance (http://aka.ms/JEA)
5. Lower attack surface of domain and DCs (http://aka.ms/HardenAD)
6. Attack detection (http://aka.ms/ata)

Protecting Active Directory and admin privileges (http://aka.ms/privsec)
Stage 3 (6+ months): move to a proactive security posture
1. Modernize roles and delegation model
2. Smartcard or Passport authentication for all admins (http://aka.ms/Passport)
3. Admin forest for Active Directory administrators (http://aka.ms/ESAE)
4. Code Integrity policy for DCs (Server 2016)
5. Shielded VMs for virtual DCs (Server 2016 Hyper-V fabric) (http://aka.ms/shieldedvms)

Move to a proactive security posture (2-4 weeks / 1-3 months / 6+ months)
Attack → Defense
- Credential theft & abuse → prevent escalation; prevent lateral traversal; increase privilege-usage visibility
- DC host attacks → harden DC configuration; reduce DC agent attack surface
- AD attacks → assign least privilege
- Attacker stealth → detect attacks

Windows Server 2016: Protect applications and data in any cloud

Protecting the OS
Defend against new exploits and block attacks without impacting legitimate workloads:
- Control Flow Guard
- Windows Defender
- Device Guard

Control Flow Guard (CFG)
- Helps ensure that trusted binaries execute as intended
- Helps prevent attacks that use memory-corruption vulnerabilities
- CFG places controls on how an otherwise-trusted application executes code
- Provides defenses against exploits such as buffer overflows

Windows Defender
In-box anti-malware that is server-workload aware:
- Deep integration with Windows security systems
- Anti-tampering (protecting critical dependent OS services)
- Registry hardening; “file-less” malware
- Actively protects against malware without impacting workloads

Demonstration: Windows Defender

Device Guard
Hardware-rooted code integrity:
- Windows can be locked down to run ONLY trusted binaries
- Untrusted binaries, such as malware, are unable to run
- Protects kernel-mode processes and drivers from zero-day attacks as well as vulnerabilities through the use of HVCI
- Code Integrity policies can be signed and protected against malicious administrators

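Added example (not from the deck): the audit-then-enforce workflow for a Device Guard code integrity policy in PowerShell, including the event-log review a SOC runs before switching to enforcement and the step that makes the policy tamper-resistant against a local administrator. The C:\CIPolicy paths are placeholders and the reference host is assumed to be clean.

```powershell
# Added example (not from the deck): build a Device Guard code integrity policy from
# a clean reference server, pilot it in audit mode, review what would have been
# blocked, then enforce it. Paths are placeholders.

$Policy = 'C:\CIPolicy\ServerPolicy.xml'
$Bin    = 'C:\CIPolicy\SIPolicy.p7b'
New-Item -ItemType Directory -Path (Split-Path $Policy) -Force | Out-Null

# 1. Scan the reference host. -Level Publisher trusts binaries signed by the same
#    publisher certificate; unsigned files fall back to per-file hashes.
#    -UserPEs includes user-mode binaries, not only drivers.
New-CIPolicy -Level Publisher -Fallback Hash -UserPEs -ScanPath 'C:\' -FilePath $Policy

# 2. Rule options are numbered; 3 = "Enabled:Audit Mode". Keep it on for the pilot so
#    violations are logged instead of blocked.
Set-RuleOption -FilePath $Policy -Option 3

# 3. Compile to the binary form the kernel consumes and stage it. A reboot applies it.
ConvertFrom-CIPolicy -XmlFilePath $Policy -BinaryFilePath $Bin
Copy-Item $Bin 'C:\Windows\System32\CodeIntegrity\SIPolicy.p7b'

# 4. After the pilot: which binaries *would* have been blocked? In the
#    Microsoft-Windows-CodeIntegrity/Operational log, 3076 = audit-mode violation,
#    3077 = enforced block. Anything legitimate here goes into a supplemental scan.
function Get-CIAuditViolations {
    Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3076
    } | ForEach-Object {
        [pscustomobject]@{ Time = $_.TimeCreated; Detail = $_.Message }
    }
}
Get-CIAuditViolations | Format-Table -AutoSize

# 5. Merge any fix-up policy produced from the audit findings, then enforce:
#    removing option 3 turns off audit mode; removing option 6
#    ("Enabled:Unsigned System Integrity Policy") means the policy must be signed,
#    which is what stops a local administrator from simply replacing or deleting it.
#    (Sign with Add-SignerRule -FilePath $Policy -CertificatePath <cer> -Update, then
#    signtool sign /p7 ... before redeploying the .p7b.)
# Merge-CIPolicy -PolicyPaths $Policy, 'C:\CIPolicy\AuditFixups.xml' -OutputFilePath $Policy
Set-RuleOption -FilePath $Policy -Option 3 -Delete
Set-RuleOption -FilePath $Policy -Option 6 -Delete
ConvertFrom-CIPolicy -XmlFilePath $Policy -BinaryFilePath $Bin
```
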
Demonstration: Device Guard

Windows Server 2016: Respond more intelligently with log analytics integration

Challenge: turn log files into operational insights
- In order to better detect threats, the OS needs to provide additional auditing or event logging information
- Security Information and Event Management (SIEM) systems are only as intelligent as the information provided from the OS

Windows Server 2016 approach: enhanced auditing and event logs
- Log new audit events to better detect malicious behavior, providing more detailed information to security operations centers
- SIEM systems such as Operations Management Suite (OMS) can take advantage of this information to provide intelligence reports on potential breaches in the datacenter environment

Windows Server 2016: Protect applications with just enough OS

Challenges in protecting new apps
- Developers are making use of new packaging and deployment tools such as containers
- Containers share the same kernel, which limits isolation and exposes compliance and regulatory risks
- Lower the risk by providing only the components required by the application to run
[Diagram: VM = shared hardware (hypervisor isolation); container = shared kernel (user-mode isolation)]

Windows Server 2016 approach
- Hyper-V Containers: provide hypervisor isolation for each container with no additional coding requirements; align with regulatory requirements for PCI and PII data
- Nano Server: reduce the attack surface by deploying a minimal “just enough” server footprint
[Diagram: VM = shared hardware (hypervisor isolation); Hyper-V container = shared platform (hypervisor isolation)]

Windows Server 2016: Protect the virtualization fabric
Software Defined Networking (SDN) & micro-segmentation

Application at risk / Dynamic Security (diagram series)
Virtual Network “MyNetwork”:
- Tier 1, Subnet1 192.168.1.0/24: Web Server 1 VM, Web Server 2 VM; Public VIP 10.127.132.6; Outbound NAT 10.127.132.5
- Tier 2, Subnet2 192.168.2.0/24: File Server 1 VM, File Server 2 VM; Internal (Private) VIP 10.127.132.4
- Tier 3, Subnet3 192.168.3.0/24: Active Directory VM
Slides in the series: “Application at risk! Phishing for secrets”; “Application at risk! The attack” (nodes marked across all three tiers); “Dynamic Security: Micro-segmentation”; “Dynamic Security: Using the distributed firewall” (an NSG appears alongside the Active Directory VM); “Dynamic Security: Virtual Appliances” (a Virtual Appliance VM is added alongside the NSG).

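As an added example that is not part of the deck, these Network Controller cmdlets express the micro-segmentation the diagram series implies for “MyNetwork” as Datacenter Firewall ACLs: web tier reachable only on 443, file tier reachable only from the web tier on SMB, and the Active Directory tier reachable only from the two application tiers. The REST endpoint https://nc.contoso.com, the virtual-network resource id MyNetwork and the subnet order Subnet1..3 are assumptions.

```powershell
# Added example (not from the deck): Datacenter Firewall ACLs for the three-tier
# "MyNetwork" shown on the slides, applied per subnet via Network Controller.
# Assumptions: NC REST endpoint $uri, virtual network resource id 'MyNetwork',
# subnets ordered Subnet1..3, NetworkController PowerShell module installed.

$uri = 'https://nc.contoso.com'   # placeholder

# One inbound rule. Priority: lower number wins; logging on so the SIEM sees denies.
function New-AclRule {
    param([string]$Id, [int]$Priority, [string]$Src, [string]$Proto, [string]$DstPorts, [string]$Action)
    $p = New-Object Microsoft.Windows.NetworkController.AclRuleProperties
    $p.Protocol = $Proto;      $p.SourcePortRange = '0-65535'; $p.DestinationPortRange = $DstPorts
    $p.SourceAddressPrefix = $Src; $p.DestinationAddressPrefix = '*'
    $p.Action = $Action;       $p.Priority = "$Priority";      $p.Type = 'Inbound'; $p.Logging = 'Enabled'
    $r = New-Object Microsoft.Windows.NetworkController.AclRule
    $r.ResourceId = $Id; $r.Properties = $p
    return $r
}

# Create (or replace) an ACL resource and return the stored object for attachment.
function New-TierAcl {
    param([string]$Id, [Microsoft.Windows.NetworkController.AclRule[]]$Rules)
    $props = New-Object Microsoft.Windows.NetworkController.AccessControlListProperties
    $props.AclRules = $Rules
    New-NetworkControllerAccessControlList -ConnectionUri $uri -ResourceId $Id -Properties $props -Force | Out-Null
    Get-NetworkControllerAccessControlList -ConnectionUri $uri -ResourceId $Id
}

# Tier 1 (web, 192.168.1.0/24): HTTPS from anywhere, everything else denied.
$web = New-TierAcl -Id 'Tier1-Web' -Rules @(
    (New-AclRule 'AllowHttps' 101   '*' 'TCP' '443'     'Allow'),
    (New-AclRule 'DenyAll'    64000 '*' 'All' '0-65535' 'Deny')
)
# Tier 2 (file servers): SMB only from the web tier. A phished web-server account
# can no longer reach the file servers from anywhere but Subnet1.
$files = New-TierAcl -Id 'Tier2-Files' -Rules @(
    (New-AclRule 'AllowSmbFromWeb' 101   '192.168.1.0/24' 'TCP' '445'     'Allow'),
    (New-AclRule 'DenyAll'         64000 '*'              'All' '0-65535' 'Deny')
)
# Tier 3 (Active Directory): domain traffic only from the two application tiers.
# The point is that the default becomes deny rather than allow.
$ad = New-TierAcl -Id 'Tier3-AD' -Rules @(
    (New-AclRule 'AllowFromWeb'   101   '192.168.1.0/24' 'All' '0-65535' 'Allow'),
    (New-AclRule 'AllowFromFiles' 102   '192.168.2.0/24' 'All' '0-65535' 'Allow'),
    (New-AclRule 'DenyAll'        64000 '*'              'All' '0-65535' 'Deny')
)

# Attach each ACL to its subnet and push the updated virtual network.
$vnet = Get-NetworkControllerVirtualNetwork -ConnectionUri $uri -ResourceId 'MyNetwork'
$vnet.Properties.Subnets[0].Properties.AccessControlList = $web
$vnet.Properties.Subnets[1].Properties.AccessControlList = $files
$vnet.Properties.Subnets[2].Properties.AccessControlList = $ad
New-NetworkControllerVirtualNetwork -ConnectionUri $uri -ResourceId 'MyNetwork' -Properties $vnet.Properties -Force
```
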
Windows Server 2016: Protect the virtualization fabric

Attackers target virtual machines
- Any compromised or malicious fabric administrator can access guest virtual machines
- The health of hosts is not taken into account before running VMs (healthy host?)
- A tenant’s VMs are exposed to storage and network attacks
- Virtual machines can’t take advantage of hardware-rooted security capabilities such as TPMs
[Diagram: hypervisor, fabric storage, host OS and customer guest VMs on the fabric]

Contrast: bare metal vs. regular VM vs. Shielded VM
- Shielded VM: uses BitLocker to encrypt the disk and state of virtual machines, protecting secrets from compromised admins and malware
- Host Guardian Service: attests to host health, releasing the keys required to boot or migrate a Shielded VM only to healthy hosts
- Generation 2 VM: supports virtualized equivalents of hardware security technologies (e.g. TPMs), enabling BitLocker encryption for Shielded VMs
Access to the machine and its data, by role (✓ = has access, ✗ = no access):
Role                               Physical machine   Virtual machine   Shielded virtual machine*
Server administrator               ✓                  ✓                 ✗
Storage administrator              ✗                  ✓                 ✗
Network administrator              ✗                  ✓                 ✗
Backup operator                    ✗                  ✓                 ✗
Virtualization-host administrator  ✗                  ✓                 ✗
Virtual machine administrator      ✗                  ✓                 ✓
*Configuration dependent
[Diagram: physical machine inside the building perimeter / computer room vs. virtual and shielded virtual machines on Hyper-V]

Decryption keys: controlled by an external system
Guarded Fabric: Windows Server 2016 Hyper-V hosts (Host 1, 2 and 3), each running Virtual Secure Mode with a mix of guest VMs and Shielded VMs.
Host Guardian Service (HGS): key protection + health attestation.
Hyper-V host: “Please, guv’na, can I ’ave some more keys?”
HGS: “Why certainly, I know you & I must say you’re looking very healthy today!”

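Added example (not from the deck): shielding an existing Generation 2 VM on an already-guarded host, starting with the check that this host actually passed HGS attestation (the "you're looking very healthy today" exchange above) and ending with a verification of the VM's security state. It assumes the host has been pointed at an HGS with Set-HgsClientConfiguration, the HGS guardian metadata has been exported to .\HgsGuardian.xml, an owner guardian named Owner exists, and FileServer1 is a placeholder VM name.

```powershell
# Added example (not from the deck): convert an existing Generation 2 VM into a
# Shielded VM on a guarded Hyper-V host. Assumes the host already trusts an HGS
# (Set-HgsClientConfiguration done), .\HgsGuardian.xml holds the HGS guardian
# metadata, and a local owner guardian 'Owner' exists. $VMName is a placeholder.

$VMName = 'FileServer1'   # placeholder

# 1. Host side: did this host pass attestation and can it fetch keys from HGS?
#    If not, HGS releases no keys and no shielded VM can start here.
$client = Get-HgsClientConfiguration
if ($client.AttestationStatus -ne 'Passed') {
    throw "Host not attested ($($client.AttestationStatus)); run Get-HgsTrace -RunDiagnostics"
}

# 2. Key protector: who may unwrap the VM's vTPM state. The owner guardian holds
#    the long-term owner keys (keep them offline); the HGS guardian is the only
#    fabric allowed to release keys, and only to hosts that pass attestation.
$owner    = Get-HgsGuardian -Name 'Owner'
$guardian = Import-HgsGuardian -Path '.\HgsGuardian.xml' -Name 'HGS' -AllowUntrustedRoot
$kp       = New-HgsKeyProtector -Owner $owner -Guardian $guardian -AllowUntrustedRoot

# 3. Apply to the VM (it must be off): key protector, then vTPM so BitLocker inside
#    the guest can seal the OS volume, then the shielding policy, which also
#    encrypts saved state and live-migration traffic and removes host-side access
#    paths such as console, PowerShell Direct and guest file copy.
Stop-VM -Name $VMName -Force
Set-VMKeyProtector  -VMName $VMName -KeyProtector $kp.RawData
Enable-VMTPM        -VMName $VMName
Set-VMSecurityPolicy -VMName $VMName -Shielded $true
Start-VM -Name $VMName

# 4. Verify from the host. Inside the guest, BitLocker (manage-bde -status) should
#    then show the OS volume protected by that vTPM.
function Get-ShieldingState {
    param([string]$Name)
    $sec = Get-VMSecurity -VMName $Name
    [pscustomobject]@{
        VM                                = $Name
        Shielded                          = $sec.Shielded
        TpmEnabled                        = $sec.TpmEnabled
        EncryptStateAndVmMigrationTraffic = $sec.EncryptStateAndVmMigrationTraffic
    }
}
Get-ShieldingState -Name $VMName
```
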
Demonstration: Shielded Virtual Machines

Windows Server 2016: Summary & compliance mapping

Snapshot: our track record + 2016 innovations
Built-in security mechanisms: Privileged Identity Management; Credential Guard / Remote Credential Guard; Control Flow Guard; Defender; Device Guard (Code Integrity +++); enhanced auditing; JEA; Virtualization-based Security (VBS).
Windows Server 2016 introduces a new level of security with hardware-rooted Virtualization Based Security (VBS) that enables us to protect the OS from compromised administrators, whether running on bare metal or a virtual machine.
[Chart: reported vulnerabilities] Unparalleled security: least vulnerable OS 4 years in a row.

Windows Server 2016: a different pivot
Host security (Hyper-V based fabric):
- Protecting virtual machines: Shielded VMs (Server 2012 + R2, 2016 guests); virtual TPM for generation 2 VMs; Host Guardian Service attests to host health; Secure Boot for Windows and Linux
- Hyper-V platform: Nano-based Hyper-V host; Virtualization Based Security (VBS)
- Secure containers: Hyper-V containers; containers hosted in a Shielded VM
Guest security (secure on any fabric):
- Privileged identity: Credential Guard / Remote Credential Guard; Just In Time administration (JIT); Just Enough Administration (JEA)
- Threat resistance: Control Flow Guard (CFG); Code Integrity (Device Guard); built-in anti-malware; Nano Server reduces attack surface
- Threat detection: enhanced threat detection

Quick note on compliance: Windows Server 2016
Third-party assessment of compliance mappings across various security-related offerings in the Windows Server 2016 wave:
- Hyper-V Shielded VMs compliance mapping whitepaper
- JEA and JIT compliance mapping whitepaper
- Device Guard compliance mapping whitepaper
- Credential Guard compliance mapping whitepaper
- Windows Defender compliance mapping whitepaper

Example: Shielded VM compliance mapping
Columns: ISO 27001:2013 | PCI DSS 3.2 | FedRAMP; NIST 800-53 Revision 4
- Enforcing separation of duties: A.6.1.2 Segregation of duties | 6.4.2 Separation of duties between test and production environments | AC-5 Separation of Duties
- Implementation of least privilege access and partitioning tenant functionality: A.9.2.3 Management of privileged access rights; A.12.1.4 Separation of development, testing, and operational environments | 6.4.1 Test and production environment separation; 7.2 User access control on need-to-know basis; 7.2.3 Default “deny-all” setting | AC-6 Least Privilege; AC-6 (10) Prohibit Non-Privileged Users from Executing Privileged Functions; SC-2 Application Partitioning
- Protecting information stored in shared resources: None | 8.7 Restricted access to databases containing cardholder data | SC-4 Information in Shared Resources
- Protection of data at rest: A.8.2.3 Media Access | 3.4 Verifying stored PAN is unreadable; 3.4.1 Disk encryption usage and access control; 6.5.3 Insecure cryptographic storage | SC-28 Protection of Information at Rest; SC-28(1) Protection of Information at Rest
- Security function verification and integrity monitoring: (not listed) | 11.5 Change-detection mechanism deployment | SI-6 Security Function Verification; SI-7 Software, Firmware, and Information Integrity

Related sessions (some from earlier this week)
1. BRK2152: Explore Windows Server 2016 security
2. BRK2145: Secure privileged access from active attacks
3. BRK3124: Dive into Shielded VMs with Windows Server 2016 Hyper-V
4. BRK3126: Discover Shielded VMs and learn about real world deployments
Windows Server + System Center session guide: aka.ms/WS2016Ignite

Resources & next steps…
- Security and Assurance documentation: https://technet.microsoft.com/en-us/library/mt130644.aspx
- Demo videos, e.g. MS Mechanics on Shielded VMs: https://youtu.be/Vp5E1-4Ks8E
- Datacenter/Private Cloud Security Blog: https://blogs.technet.microsoft.com/datacentersecurity
- Compliance mapping: preliminary mappings contained in this and other related decks
- Securing Privileged Access guidance: http://aka.ms/privsec
- Microsoft Virtual Academy online courses: https://mva.microsoft.com/

Please evaluate this session
Your feedback is important to us! From your PC or tablet, visit MyIgnite at http://myignite.microsoft.com. From your phone, download and use the Ignite Mobile App by scanning the QR code above or visiting https://aka.ms/ignite.mobileapp.

Q&A
If you have additional questions, please feel free to ask them now… thanks for listening!
