PowerShell Desired State Configuration for Securing Systems Jeffrey Snover Distinguished Engineer (MSFT) Hemant Mahawar Senior Program Manager (MSFT) #devconnections

PowerShell DSC Shipped in WS2012-R2 Agile release approach – Resource Kit (6 waves) – WMF Previews Major investment going forward – Servers and devops focus DSC simplifies complex configurations – Useful for Security #devconnections

Typical Corporate Environment Personal health information (PHI) Personally identifiable information (PII) Trade secrets Intellectual property Hacker

“New” Threat Personal health information (PHI) Personally identifiable information (PII) Trade secrets Intellectual property Hacker

Scenario Environment Domain Controller Domain Admin Dept. Head User Domain ( Corporate.Contoso.Com ) Servers containing critical information Phish

Post exploit toolkits (like mimikatz) allow bad guys to spider their way through the network compromising systems and users Makes it very hard to have confidence that you’ve remediated an attack Consider what happens with a restore SideNote on Exploits #devconnections

Scenario Recap Corporate domain Admin rights sprawl Bad guys are in the environment and have compromised one or more : – users – machines – admin accounts – domain admin accounts Business critical information on file servers #devconnections

One Solution Build a new datacenter with an air gap Create a new AD Provision new machines Set up application/service Users go into the datacenter to use the applications #devconnections

Safe Harbor Approach Experimental PowerShell DSC module Uses PowerShell DSC, JEA and virtualization to script a “Safe Harbor” where servers are highly isolated, locked down and tightly managed Benefits – Safe and Secure – Simple (once the base resources are available) – Requires no concrete #devconnections

Starting Environment Domain Controller Domain Admin Dept. Head User P.A.P.A Domain ( Corporate.Contoso.Com ) Servers containing critical information #devconnections

Hyper-V Domain Admin Dept. Head P.A.P.A User SH DC One Way Trust Jump Box DSC Pull Server File Servers Corporate Request A C T I O N ( W S M A N O N L Y ) A C C E S S ( S M B O N L Y ) Safe Harbor ( Safe Harbor.contoso.com ) Safe Harbor Configuration #devconnections

Safe Harbor Scenario #devconnections

Demo: Safe Harbor - Users can access File Servers - Specified users enabled to for specific admin actions - No other admin actions allowed

Mitigations Used Move critical data into protected environment Restrict “Administrator” role Provide specific access to specific users (Firewalls, lockdown policies, etc.)

How we did it

Safe Harbor Steps Create Protected Environment Separate Domain Controller DSC Pull Server JEA Management head (Jump box) Limit Access Domain Admins Firewall Ports Resources Add Servers Securely Never on Corp Domain Boot to Pull Server for Configuration Configure Servers Configure and Copy Critical Information

Implementation Options GUI tools PowerShell Scripts PowerShell Desired State Configuration PowerShell DSC dramatically simplifies complex composition #devconnections

DSC Supports Composition Declarative approach – Allows you to safely refactor and abstract to your hearts content Supports distributed definition of resources and nodes – DSC does the aggregation Couldn’t I just do this with scripts? – Yes, but No #devconnections

Demo: Evolution of SMB Share

DSC Simplification Intent Logging & Error Handling Reboot Resiliency Environmental Side effects Dependency Resolution Repeatable Automation DSC Engine Dependency Resolution Logging & Error Handling Reboot Resiliency Repeatable Automation Resources Technology Specific Configuration Intent Traditional Scripts

DSC Decouples … DSC Engine Dependency Resolution Logging & Error Handling Reboot Resiliency Repeatable Automation Resources Technology Specific Configuration Intent Make It So HOW : DSC Resources Do the heavy lifting in an idempotent way Intent WHAT : Structural Configuration Stays same irrespective of the environment WHERE : Environmental Configuration Changes as system goes through different env. Dev  Test  Production

DSC and Security The things that thwart security: – Complexity – Scale – Drift DSC is designed to address these #devconnections

Demo DSC addresses: - Complexity - Scale - Drift #devconnections

Domain Admin Dept. Head P.A.P.A User SH Admin SH DC One Way Trust Jump Box DSC Pull Server File Servers Run As M.A.T.A Corporate Request A C T I O N ( W S M A N O N L Y ) A C C E S S ( S M B O N L Y ) Safe Harbor ( Safe Harbor.contoso.com ) Remember Safe Harbor? #devconnections

Configuring Safe Harbor for File Server

Recall DSC Engine Dependency Resolution Logging & Error Handling Reboot Resiliency Repeatable Automation Resources Technology Specific Configuration Intent Make It So HOW : DSC Resources Do the heavy lifting in an idempotent way Intent WHAT : Structural Configuration Stays same irrespective of the environment WHERE : Environmental Configuration Changes as system goes through different env. Dev  Test  Production

Components #devconnections Assert- SafeFileServer DSC Resource SafeHarbor Resource Safe FileServer Structural Configuration Safe FileServer Structural Configuration +  FileServer in a Safe Harbor Environment Configuration Data

Summary Security requires large scale configuration of complex configurations which don’t drift PowerShell DSC dramatically simplifies configuration of complex environments Safe Harbor is an experimental PowerShell DSC module t o create a secure environment to run services/applications – Users can access the applications – Specified users can use a JumpBox to perform a limited set of admin functions – Domain Admins can’t get at these machines/resources #devconnections

SESSION TITLE #devconnections Rate This Session Now! Rate with Mobile App: 1.Select the session from the Agenda or Speakers menus 2.Select the Actions tab 3.Click Rate Session Rate Using Our Website: 1.Register at 2.Go to 3.Select this session from the list and rate it Tell Us What You Thought of This Session Be Entered to WIN Prizes!