5/31/2018 3:40 PM BRK3113 How Microsoft IT builds Privileged Access Workstation using Windows 10 and Windows Server 2016 Jian (Jane) Yan Sr. Program Manager.

Presentation transcript:

BRK3113: How Microsoft IT builds Privileged Access Workstation using Windows 10 and Windows Server 2016
Jian (Jane) Yan, Sr. Program Manager; Dean Wells, Principal Program Manager
5/31/2018 3:40 PM
© Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Agenda
- Why do you need a Privileged Access Workstation (PAW)?
- Existing PAW solutions overview
- Microsoft IT PAW solution and deployment
- Would you like to try it out? A PAW for your hybrid environment

Problem - common attack scenario
Diagram components: workstations and devices; infrastructure and application servers; domain controllers; directory database(s).
1. Beachhead: compromise credentials through a phishing attack or a browser vulnerability
2. Compromised machine: harvest admin credentials
3. Privilege escalation to compromise more servers
4. Compromise the domain: steal data, destroy systems, etc.; persist presence

Protecting Active Directory and admin privileges (http://aka.ms/privsec)
Roadmap time bands: 2-4 weeks; 1-3 months; 6 months+
- 1.1 Separate admin account for admin tasks
- 1.2 Privileged Access Workstations (PAWs) Phase 1 - Active Directory admins (http://aka.ms/CyberPAW)
- 1.3 Unique local admin passwords for workstations (http://aka.ms/LAPS)
- 1.4 Unique local admin passwords for servers (http://aka.ms/LAPS)
- 2.1 Privileged Access Workstations (PAWs) Phases 2 and 3 - all admins and additional hardening (Credential Guard, RDP Restricted Admin, etc.) (http://aka.ms/CyberPAW)
- 2.2 Time-bound privileges (no permanent admins): Active Directory (http://aka.ms/PAM), Azure Active Directory (http://aka.ms/AzurePIM)
- 2.4 Just Enough Admin (JEA) for DC maintenance (http://aka.ms/JEA)
- 2.5 Lower attack surface of domain and DCs (http://aka.ms/HardenAD)
- 2.6 Attack detection (http://aka.ms/ata)

Problem: the weakest link
- Using the same machine for productivity (email, web) and secure workloads
- Inbound connections to the machine where privileged accounts are used
- Non-restrictive internet access on the machine while using a privileged account
(Diagram: corp domain)

Privileged Access Workstation (PAW)
- Account separation
- Workload isolation
- Hardening OS and network restriction

PAW - Physical machine isolation
(Diagram: PAW and Desktop as separate physical machines)
(Diagram: workstations and devices; infrastructure servers and application servers; domain controllers; directory database(s))

Microsoft IT PAW overview
- Desktop + PAW; internally referred to as "Secure Access Workstation" (SAW)
- Over 22,000 users
- Completely separate management infrastructure for services and identity
- PAW: physical host; Desktop: virtual machine

Deployment
(Diagram with numbered steps 1-9; components: Production domain servers and services; High Risk Environment (HRE); Proxy; OS; VPN; Secure Supply Chain; Desktop; PAW; TPM; Privileged User Entitlement)

Demo: Microsoft IT PAW

Microsoft PAW solution
Goals:
- Protect privileged identities
- Simple to deploy and manage
- Easy to scale
Backend deployment options:
- On-prem with full management control
- Cloud services with minimum touch

PAW solution design - SAC (Oct) release
- Desktop + PAW on a locked-down host / guarded host
- Workload isolation for multiple identities
- Network isolation
- Hardening OS
- Remote health attestation
- PAW: virtual machine; Desktop: virtual machine
- Reduces cost, improves productivity, maintains security

Remote health attestation on client
Designed to protect VM workloads from theft and tampering by malware.
Host Guardian Service (HGS) holds:
- Health attestation (using TPM)
- Known physical machines
- Trusted Hyper-V instance
- Code Integrity policy
Flow: PAW (guarded host) sends health attestation to HGS; HGS releases the key to start the VM.
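As an added example (not code from the deck or from Microsoft IT), the following PowerShell shows the TPM-mode guarded-fabric setup that the slide describes: registering the known physical machine, its hardware baseline and its Code Integrity policy with HGS, then pointing the host at HGS and checking that attestation passed so keys are released for the PAW VM. Hostnames, file paths and policy names are placeholders; the cmdlets are the standard HgsClient, HgsServer and ConfigCI cmdlets from Windows Server 2016.

```powershell
# Added example, not from the presentation. Hostnames, paths and names are placeholders.

# --- On the PAW host (the machine to be registered as a guarded host) ---
# 1. Export the TPM identifier (endorsement key public part) so HGS knows this physical machine.
(Get-PlatformIdentifier -Name 'paw-host01').InnerXml |
    Out-File 'C:\Temp\paw-host01.xml' -Encoding UTF8

# 2. Capture the TPM measured-boot baseline from a known-good build of the host.
Get-HgsAttestationBaselinePolicy -Path 'C:\Temp\paw-hw-baseline.tcglog'

# 3. Build the Code Integrity policy HGS will require the host to enforce, then compile it.
New-CIPolicy -Level FilePublisher -Fallback Hash -UserPEs -FilePath 'C:\Temp\paw-ci.xml'
ConvertFrom-CIPolicy -XmlFilePath 'C:\Temp\paw-ci.xml' -BinaryFilePath 'C:\Temp\paw-ci.p7b'

# --- On the HGS server (after copying the three files there) ---
# Register the known physical machine, the hardware baseline and the CI policy.
Add-HgsAttestationTpmHost   -Path 'C:\Temp\paw-host01.xml'         -Name 'paw-host01'
Add-HgsAttestationTpmPolicy -Path 'C:\Temp\paw-hw-baseline.tcglog' -Name 'paw-hw-baseline'
Add-HgsAttestationCIPolicy  -Path 'C:\Temp\paw-ci.p7b'             -Name 'paw-ci'

# --- Back on the PAW host ---
# Point the host at the HGS attestation and key-protection endpoints.
Set-HgsClientConfiguration `
    -AttestationServerUrl   'http://hgs.pawbastion.local/Attestation' `
    -KeyProtectionServerUrl 'http://hgs.pawbastion.local/KeyProtection'

# Verify: only a host whose TPM, boot baseline and CI policy all match
# will be reported as guarded and get keys released for shielded VMs.
$cfg = Get-HgsClientConfiguration
if ($cfg.IsHostGuarded -and "$($cfg.AttestationStatus)" -eq 'Passed') {
    'Host attested: HGS will release keys to start the PAW VM'
} else {
    "Attestation not passed: $($cfg.AttestationStatus) / $($cfg.AttestationSubstatus)"
}
```

The CI policy is scanned on the host only after it has been fully hardened, because anything present at scan time becomes allowed; a host that later drifts from the registered baseline or policy fails attestation and cannot start the VM until it is brought back into compliance.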

Locked-down PAW host
- Non-admin user logon
- Whitelisted network destinations / applications
- Remote health attestation

PAW security enablement
PAW host:
- Hardware/firmware: TPM 2.0; UEFI / Secure Boot
- Network: block inbound traffic
- Hardening the OS: Device Guard enabled; enforced CI policy, blocking apps running on the host; security baseline policy applied; BitLocker enabled; Defender Application Guard enabled; Exploit Guard enabled; remote health attestation
- Credential protection: logon user has standard user privilege; Credential Guard; strong authentication (smart card or Hello for Business)
- Monitoring: ATP
PAW VM:
- Gen2 VM with UEFI and Secure Boot; vTPM
- Network: block inbound traffic
- Hardening the OS: Device Guard enabled; enforced CI policy, blocking apps running on the host; security baseline policy applied; BitLocker enabled; Defender Application Guard enabled; Exploit Guard enabled; only browser or RDP allowed to run
- Credential protection: logon user has standard user privilege; Credential Guard
- Monitoring: ATP
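The host-side controls above can be checked from the host itself. The following read-only audit script is an added example, not the deck's or Microsoft IT's tooling; it maps each listed control to the cmdlet or WMI class that reports it and prints PASS/FAIL per control. The mapping of "Exploit Guard enabled" to attack surface reduction rules in block mode, and the use of the console logon user for the "standard user" check, are assumptions. Run it in an elevated session on a Windows 10 / Windows Server 2016 host.

```powershell
# Added example, not from the presentation: read-only audit of PAW host controls.
# Assumptions: Exploit Guard is judged by ASR rules in block mode; the "standard user"
# check looks at the interactively logged-on console user.

$findings = [ordered]@{}

# Hardware/firmware: TPM 2.0 present and ready; UEFI Secure Boot on.
$tpm = Get-Tpm
$findings['TPM present and ready'] = [bool]($tpm.TpmPresent -and $tpm.TpmReady)
try   { $findings['Secure Boot enabled'] = [bool](Confirm-SecureBootUEFI) }
catch { $findings['Secure Boot enabled'] = $false }   # throws on legacy BIOS boot

# Network: every firewall profile enabled with inbound blocked by default.
$bad = Get-NetFirewallProfile | Where-Object {
    "$($_.Enabled)" -ne 'True' -or "$($_.DefaultInboundAction)" -ne 'Block'
}
$findings['Inbound blocked on all profiles'] = (@($bad).Count -eq 0)

# Device Guard / Credential Guard state from the DeviceGuard WMI class.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
# VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled not running, 2 = running
$findings['VBS running'] = ($dg.VirtualizationBasedSecurityStatus -eq 2)
# SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI (memory integrity)
$findings['Credential Guard running'] = ($dg.SecurityServicesRunning -contains 1)
$findings['HVCI running']             = ($dg.SecurityServicesRunning -contains 2)
# CodeIntegrityPolicyEnforcementStatus: 0 = off, 1 = audit, 2 = enforced
$findings['CI policy enforced (kernel)'] = ($dg.CodeIntegrityPolicyEnforcementStatus -eq 2)
$findings['CI policy enforced (user)']   = ($dg.UsermodeCodeIntegrityPolicyEnforcementStatus -eq 2)

# BitLocker protection active on the OS volume.
$osVol = Get-BitLockerVolume -MountPoint $env:SystemDrive
$findings['BitLocker on OS volume'] = ("$($osVol.ProtectionStatus)" -eq 'On')

# Defender Application Guard feature installed.
$wdag = Get-WindowsOptionalFeature -Online -FeatureName 'Windows-Defender-ApplicationGuard'
$findings['Application Guard enabled'] = ("$($wdag.State)" -eq 'Enabled')

# Exploit Guard: at least one ASR rule set to block (action value 1).
$mp = Get-MpPreference
$findings['ASR rules in block mode'] = (@($mp.AttackSurfaceReductionRules_Actions) -contains 1)

# Credential protection: the console logon user must not be a local administrator.
$consoleUser = (Get-CimInstance -ClassName Win32_ComputerSystem).UserName
$admins = Get-LocalGroupMember -Group 'Administrators' | ForEach-Object { $_.Name }
$findings['Console user is standard user'] = [bool]($consoleUser -and ($admins -notcontains $consoleUser))

# Remote health attestation, where the HgsClient module is present.
if (Get-Command Get-HgsClientConfiguration -ErrorAction SilentlyContinue) {
    $hgs = Get-HgsClientConfiguration
    $findings['HGS attestation passed'] = ("$($hgs.AttestationStatus)" -eq 'Passed')
}

# Report.
$findings.GetEnumerator() | ForEach-Object {
    '{0,-36} {1}' -f $_.Key, $(if ($_.Value) { 'PASS' } else { 'FAIL' })
}
```

Any FAIL line is a control the host does not currently enforce; for example, "CI policy enforced (user)" reporting FAIL while the kernel-mode line passes means applications can still run on the host, which is exactly the gap the enforced CI policy on this slide is meant to close.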

Demo: PoC PAW device

PAW backend deployment options
On-prem (ESAE - Enhanced Security Administration Environment):
- AD dedicated to PAW devices and users
- Host Guardian Service (HGS)
- Windows Deployment Services (WDS)
- VPN servers
- Patch management
- Monitoring
Azure services (PoC):
- Azure PAW service
- Azure AD
- Intune
- Windows Defender ATP

Call to action
- Try it
- Share your feedback: Pawfeedback@microsoft.com
- Let's build it together

Related content
- BRK3309 - Securing virtual workloads in less than 60 minutes: A live guarded fabric deployment. Room: OCCC W307; Time: 4:00 PM - 5:15 PM, Tuesday, September 26th
- Booth: Windows Server Security and Identity

Please evaluate this session
- From your PC or tablet: visit MyIgnite, https://myignite.microsoft.com/evaluations
- From your phone: download and use the Microsoft Ignite mobile app, https://aka.ms/ignite.mobileapp
Your input is important!
