PowerShell Desired State Configuration for Securing Systems Jeffrey Snover Distinguished Engineer (MSFT) Hemant Mahawar Senior Program Manager (MSFT) #devconnections.

Typical Corporate Environment
Assets to protect:
– Personal health information (PHI)
– Personally identifiable information (PII)
– Trade secrets
– Intellectual property

"New" Threat
The same assets (PHI, PII, trade secrets, intellectual property) are the target.

Scenario Environment (diagram): the domain Corporate.Contoso.Com with a Domain Controller, a Domain Admin, a Dept. Head, a User, and servers containing critical information. The entry point is a phish sent to the User.

Side Note on Exploits
Post-exploitation toolkits (like mimikatz) let attackers harvest credentials from memory and spider their way through the network, compromising systems and users as they go. That makes it very hard to have confidence that you have remediated an attack. Consider what happens with a restore: if the backup already contains the attacker's foothold, or the credentials they stole are still valid, restoring does not evict them.

Scenario Recap
– Corporate domain with admin-rights sprawl
– Bad guys are in the environment and have compromised:
  – One or more users
  – One or more machines
  – One or more machine admin accounts
  – One or more domain admin accounts
– Business-critical information sits on file servers

One Solution
– Build a new datacenter with an air gap
– Create a new AD
– Provision new machines
– Set up the application/service
– Users go into the datacenter to use the applications

Safe Harbor Approach
Experimental PowerShell DSC module. Uses PowerShell DSC, JEA and virtualization to script a "Safe Harbor" where servers are highly isolated, locked down and tightly managed.
Benefits:
– Implementable
– Simple (once the base components are available)
– Safe and secure

Starting Environment (diagram): the domain Corporate.Contoso.Com with a Domain Controller, a Domain Admin, a Dept. Head, a User, P.A.P.A, and servers containing critical information.

Safe Harbor Configuration (diagram): the corporate domain (Domain Admin, Dept. Head, P.A.P.A, User) has a one-way trust to the Safe Harbor domain (SafeHarbor.contoso.com), which runs on Hyper-V and contains its own SH DC, a Jump Box, a DSC Pull Server and the File Servers. Requests from the corporate side are limited to two paths: ACTION (WSMAN only, through the Jump Box) and ACCESS (SMB only, to the File Servers).

Safe Harbor Scenario

Demo: Safe Harbor
– Users can access the File Servers
– Specified users are enabled for specific admin actions
– No other admin actions are allowed

Mitigations Used
– Move critical data into a protected environment
– Restrict the "Administrator" role
– Provide specific access to specific users (firewalls, lockdown policies, etc.)
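The "specific admin actions for specific users" mitigation is what JEA delivers on the jump box. The block below is an added example, not the experimental xJEA module the talk refers to: it uses the JEA that ships with WMF 5.0 and later. Everything in it is assumed for illustration: the module path, the group name SAFEHARBOR\FileServer Operators, the transcript directory, and the endpoint name SafeHarborOps. Members of that group can only run the listed cmdlets, Restart-Service only against the two named services, and every command runs under a transient virtual account rather than the user's own (or any domain admin) credential.

```powershell
# Added example: a JEA endpoint on the Safe Harbor jump box (WMF 5.0+).
# Assumed names: module path, group, transcript folder, endpoint name.
$moduleRoot = 'C:\Program Files\WindowsPowerShell\Modules\SafeHarborJea'   # assumed
New-Item -Path "$moduleRoot\RoleCapabilities" -ItemType Directory -Force | Out-Null

# A module manifest is needed so JEA can discover the role capability file
# under <module>\RoleCapabilities on the PSModulePath.
New-ModuleManifest -Path "$moduleRoot\SafeHarborJea.psd1"

# Role capability: the allow-list of what a file-server operator may do.
# Restart-Service is visible only with -Name limited to two services.
New-PSRoleCapabilityFile -Path "$moduleRoot\RoleCapabilities\FileServerOperator.psrc" `
    -VisibleCmdlets @(
        'Get-SmbShare',
        'Get-SmbSession',
        'Get-Service',
        @{ Name = 'Restart-Service'; Parameters = @{ Name = 'Name'; ValidateSet = 'LanmanServer', 'Spooler' } }
    )

# Session configuration: no default cmdlets beyond the RestrictedRemoteServer
# set, commands run as a virtual account, every session is transcribed, and
# the role is mapped to one Safe Harbor group.
New-PSSessionConfigurationFile -Path "$moduleRoot\SafeHarborOps.pssc" `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory 'C:\JeaTranscripts' `
    -RoleDefinitions @{
        'SAFEHARBOR\FileServer Operators' = @{ RoleCapabilities = 'FileServerOperator' }
    }

# Sanity-check the file before registering; a malformed .pssc registers as a
# broken endpoint rather than failing loudly.
if (-not (Test-PSSessionConfigurationFile -Path "$moduleRoot\SafeHarborOps.pssc")) {
    throw 'Session configuration file failed validation'
}

Register-PSSessionConfiguration -Name 'SafeHarborOps' -Path "$moduleRoot\SafeHarborOps.pssc" -Force

# An operator then connects with:
#   Enter-PSSession -ComputerName sh-jump01 -ConfigurationName SafeHarborOps
# and sees only the allow-listed commands (Get-Command inside the session).
```

The important design point is the combination: RestrictedRemoteServer removes the general-purpose language features, the role capability file is the only thing that adds commands back, and the virtual account means no standing admin credential exists for the operator to steal or for mimikatz to harvest on the jump box.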

How we did it

Safe Harbor Steps
– Create the protected environment
  – Separate Domain Controller
  – DSC Pull Server
  – JEA management head (Jump Box)
– Limit access
  – Domain Admins
  – Firewall ports
  – Resources
– Add servers securely
  – Never on the corp domain
  – Boot to the pull server for configuration
– Configure servers
  – Configure, then copy the critical information in
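The "limit access" step for a file server, written as a structural DSC configuration. This is an added example and not the talk's Safe Harbor module; it uses only the built-in DSC resources (WindowsFeature, Group, Script) plus the NetSecurity cmdlets on Windows Server 2012+, and needs WMF 5.0+ for `$using:` inside the Script resource. The jump box address, user subnet, group names and the corporate domain's NetBIOS name CORPORATE are all assumed values.

```powershell
# Added example: lock down a Safe Harbor file server with built-in DSC resources.
# Assumed: jump box 10.10.0.5, user subnet 10.0.0.0/16, group SAFEHARBOR\SH Admins,
# corporate domain NetBIOS name CORPORATE. Requires WMF 5.0+ and the NetSecurity module.
Configuration SafeFileServerLockdown
{
    param(
        [Parameter(Mandatory)][string[]]$NodeName,
        [string]$JumpBoxAddress = '10.10.0.5',            # assumed
        [string]$UserSubnet     = '10.0.0.0/16',          # assumed
        [string]$ShAdminGroup   = 'SAFEHARBOR\SH Admins'  # assumed
    )

    Import-DscResource -ModuleName PSDesiredStateConfiguration

    Node $NodeName
    {
        WindowsFeature FileServer
        {
            Name   = 'FS-FileServer'
            Ensure = 'Present'
        }

        # Local Administrators contains the Safe Harbor admin group and nothing
        # from the corporate side: Domain Admins of the trusted domain are
        # explicitly excluded, so the one-way trust does not leak admin rights.
        Group LocalAdministrators
        {
            GroupName        = 'Administrators'
            Ensure           = 'Present'
            MembersToInclude = @($ShAdminGroup)
            MembersToExclude = @('CORPORATE\Domain Admins')
        }

        # Host firewall: WS-Man over HTTPS (5986) only from the jump box,
        # SMB (445) only from the user subnet, all other inbound traffic blocked.
        # TestScript checks the complete desired state so Set runs only on drift.
        Script InboundFirewall
        {
            DependsOn  = '[WindowsFeature]FileServer'
            GetScript  = {
                $rules = Get-NetFirewallRule -DisplayName 'SafeHarbor *' -ErrorAction SilentlyContinue
                @{ Result = ($rules.DisplayName -join ';') }
            }
            TestScript = {
                $wsman = Get-NetFirewallRule -DisplayName 'SafeHarbor WSMan from JumpBox' -ErrorAction SilentlyContinue
                $smb   = Get-NetFirewallRule -DisplayName 'SafeHarbor SMB from Users' -ErrorAction SilentlyContinue
                $prof  = Get-NetFirewallProfile -Profile Domain
                ([bool]$wsman) -and ([bool]$smb) -and ($prof.DefaultInboundAction -eq 'Block')
            }
            SetScript  = {
                Get-NetFirewallRule -DisplayName 'SafeHarbor *' -ErrorAction SilentlyContinue | Remove-NetFirewallRule
                New-NetFirewallRule -DisplayName 'SafeHarbor WSMan from JumpBox' -Direction Inbound -Action Allow `
                    -Protocol TCP -LocalPort 5986 -RemoteAddress $using:JumpBoxAddress -Profile Domain | Out-Null
                New-NetFirewallRule -DisplayName 'SafeHarbor SMB from Users' -Direction Inbound -Action Allow `
                    -Protocol TCP -LocalPort 445 -RemoteAddress $using:UserSubnet -Profile Domain | Out-Null
                Set-NetFirewallProfile -Profile Domain -DefaultInboundAction Block
            }
        }
    }
}

# Compile to MOF and apply (or publish the MOF to the pull server instead).
SafeFileServerLockdown -NodeName 'sh-fs01' -OutputPath 'C:\DSC\Lockdown'
Start-DscConfiguration -Path 'C:\DSC\Lockdown' -Wait -Verbose
```

Because the firewall rules, the local admin membership and the role are all declared, a later run of Start-DscConfiguration or the LCM's consistency check converges the server back to exactly this state if someone opens an extra port or adds themselves to Administrators.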

Implementation Options
– GUI tools
– PowerShell scripts
– PowerShell Desired State Configuration
PowerShell DSC dramatically simplifies complex composition.

DSC Supports Composition
– Declarative approach: allows you to safely refactor and abstract to your heart's content
– Supports distributed definition of resources and nodes: DSC does the aggregation
– Couldn't I just do this with scripts? Yes, but no.

Demo: Evolution of SMBShare #devconnections

DSC Simplification (diagram)
Traditional scripts carry everything themselves: intent, logging and error handling, reboot resiliency, environmental side effects, dependency resolution and repeatable automation.
With DSC the same concerns are split:
– DSC Engine: dependency resolution, logging and error handling, reboot resiliency, repeatable automation
– Resources: technology-specific configuration
– Configuration: intent

DSC Decouples ... (diagram)
– WHAT (Structural Configuration): the intent; stays the same irrespective of the environment
– WHERE (Environmental Configuration): changes as the system goes through different environments, Dev -> Test -> Production
– HOW (DSC Resources): "make it so"; do the heavy lifting in an idempotent way

DSC and Security
The things that thwart security:
– Complexity
– Scale
– Drift
DSC is designed to address these.

Demo
DSC addresses:
– Complexity
– Scale
– Drift
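Two of the Safe Harbor steps above ("boot to the pull server for configuration") and the drift point here are both handled by the node's Local Configuration Manager settings. The meta-configuration below is an added example, not the talk's module, written in the PowerShell 4.0 LocalConfigurationManager syntax (still accepted by later versions). The pull server name, port and the ConfigurationID GUID are assumed placeholders; in a real deployment the GUID must match the name of the MOF published on the pull server.

```powershell
# Added example: point a Safe Harbor node at the pull server and make it
# self-correcting. Assumed: pull server shpull.safeharbor.contoso.com:8080,
# placeholder ConfigurationID below. PowerShell 4.0+ meta-configuration syntax.
Configuration SafeHarborPullClient
{
    param(
        [Parameter(Mandatory)][string]$NodeName,
        [Parameter(Mandatory)][string]$ConfigurationId,
        [string]$PullServerUrl = 'https://shpull.safeharbor.contoso.com:8080/PSDSCPullServer.svc'  # assumed
    )

    Node $NodeName
    {
        LocalConfigurationManager
        {
            ConfigurationID                = $ConfigurationId
            RefreshMode                    = 'Pull'
            DownloadManagerName            = 'WebDownloadManager'
            # AllowUnsecureConnection = 'false' refuses a plain-HTTP pull server,
            # so a spoofed server on the wire cannot push configuration.
            DownloadManagerCustomData      = @{
                ServerUrl               = $PullServerUrl
                AllowUnsecureConnection = 'false'
            }
            # ApplyAndAutoCorrect: the consistency check re-applies the
            # configuration, so drift is reverted, not merely logged.
            ConfigurationMode              = 'ApplyAndAutoCorrect'
            ConfigurationModeFrequencyMins = 30
            RefreshFrequencyMins           = 30
            RebootNodeIfNeeded             = $true
            AllowModuleOverwrite           = $true
        }
    }
}

# Placeholder GUID for the example; use the GUID of the MOF on the pull server.
$nodeId = '3f2a9c1e-7b4d-4e8a-9c6f-0d1e2f3a4b5c'

SafeHarborPullClient -NodeName 'sh-fs01' -ConfigurationId $nodeId -OutputPath 'C:\DSC\Meta'
Set-DscLocalConfigurationManager -Path 'C:\DSC\Meta' -Verbose

# Drift check on demand: $false means the node no longer matches its desired
# state (the next consistency run will correct it under ApplyAndAutoCorrect).
Test-DscConfiguration -Verbose
```

ApplyAndMonitor would only report the deviation in the DSC event log; for a Safe Harbor, where a changed firewall rule or an extra local administrator is exactly what an intruder would leave behind, ApplyAndAutoCorrect is the mode that turns the configuration into an enforced baseline rather than documentation.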

Remember Safe Harbor? (diagram): the corporate domain (Domain Admin, Dept. Head, P.A.P.A, User) with a one-way trust to the Safe Harbor domain (SafeHarbor.contoso.com): SH Admin, SH DC, Jump Box, DSC Pull Server, File Servers. Corporate requests split into ACTION (through the Jump Box, which runs admin tasks as M.A.T.A) and ACCESS (to the File Servers).

Configuring Safe Harbor for File Server

Components
SafeHarbor DSC resource (Assert-SafeFileServer) + Safe FileServer structural configuration + environment configuration data => a File Server in a Safe Harbor environment
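What "structural configuration + environment configuration data" looks like in practice, as an added example rather than the talk's Assert-SafeFileServer or SafeHarbor resources. The share definition (WHAT) is written once; node names, share paths and the group allowed on the share (WHERE) come from two ConfigurationData hashtables, and the same configuration compiles into a test MOF and a production MOF. Node names, paths and group names are assumed; the share is created with the SmbShare cmdlets (Windows Server 2012+) inside a Script resource, which needs WMF 5.0+ for `$using:`.

```powershell
# Added example: one structural configuration, two environments.
# Assumed names: sh-fs01-test, sh-fs01, sh-jump01, SAFEHARBOR\Test Users,
# SAFEHARBOR\Dept Head Users. Requires WMF 5.0+ and the SmbShare module.
Configuration SafeFileServerShare
{
    Import-DscResource -ModuleName PSDesiredStateConfiguration

    # WHERE: only nodes tagged FileServer in the configuration data get a share.
    Node $AllNodes.Where({ $_.Role -eq 'FileServer' }).NodeName
    {
        # Copy node data into locals so the Script blocks can capture them.
        $shareName   = $Node.ShareName
        $sharePath   = $Node.SharePath
        $readerGroup = $Node.ReaderGroup

        File DataRoot
        {
            DestinationPath = $sharePath
            Type            = 'Directory'
            Ensure          = 'Present'
        }

        # WHAT: a read-only, encrypted share granted to exactly one group.
        # TestScript compares name, path and the full share ACL; SetScript
        # rebuilds the share only when that comparison fails (idempotent).
        Script CriticalShare
        {
            DependsOn  = '[File]DataRoot'
            GetScript  = {
                $s = Get-SmbShare -Name $using:shareName -ErrorAction SilentlyContinue
                @{ Result = if ($s) { $s.Path } else { 'absent' } }
            }
            TestScript = {
                $s = Get-SmbShare -Name $using:shareName -ErrorAction SilentlyContinue
                if (-not $s -or $s.Path -ne $using:sharePath) { return $false }
                # Any extra ACE (e.g. the default Everyone entry) fails the test.
                $acl = Get-SmbShareAccess -Name $using:shareName
                (($acl.AccountName | Sort-Object) -join ',') -eq $using:readerGroup
            }
            SetScript  = {
                if (Get-SmbShare -Name $using:shareName -ErrorAction SilentlyContinue) {
                    Remove-SmbShare -Name $using:shareName -Force
                }
                # Specifying -ReadAccess suppresses the default Everyone/Read ACE.
                New-SmbShare -Name $using:shareName -Path $using:sharePath `
                    -ReadAccess $using:readerGroup -EncryptData $true | Out-Null
            }
        }
    }
}

# Environment data: the WHERE part, kept apart from the configuration.
$testData = @{
    AllNodes = @(
        @{ NodeName = 'sh-fs01-test'; Role = 'FileServer'; ShareName = 'Critical'
           SharePath = 'D:\Critical'; ReaderGroup = 'SAFEHARBOR\Test Users' }
    )
}
$prodData = @{
    AllNodes = @(
        @{ NodeName = 'sh-fs01'; Role = 'FileServer'; ShareName = 'Critical'
           SharePath = 'E:\Critical'; ReaderGroup = 'SAFEHARBOR\Dept Head Users' }
        @{ NodeName = 'sh-jump01'; Role = 'JumpBox' }   # filtered out by Role, gets no share
    )
}

# Same structural configuration, different MOFs.
SafeFileServerShare -ConfigurationData $testData -OutputPath 'C:\DSC\Test'
SafeFileServerShare -ConfigurationData $prodData -OutputPath 'C:\DSC\Prod'
```

Promoting from Dev to Test to Production changes only the hashtable passed in; the share's security properties (one group, read-only, encrypted SMB) are fixed in the configuration and cannot be loosened by an environment file.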

Summary
– Safe Harbor is an experimental PowerShell DSC module
– It addresses the problem of creating a very secure environment to run services/applications:
  – Users can access the applications
  – Specified users can use a Jump Box to perform a limited set of admin functions
  – Domain Admins can't get at these machines/resources
– Security requires large-scale deployment of complex configurations that do not drift
– PowerShell DSC dramatically simplifies configuration of complex environments
