Published by Reynold Stokes, modified over 8 years ago
Slide 1: What is new in Security in Windows 2016 and Windows 10: Revolution or Evolution?
Ondrej Sevecek | GOPAS a.s.
MCSM: Directory Services | MVP: Enterprise Security | CISA | CEH | CHFI
ondrej@Sevecek.com | www.sevecek.com
facebook: ondrej.sevecek.official | twitter: @OndrejSevecek
GOLD PARTNER: | Main expert partner:

Slide 2: Agenda
▪ Virtual Smart Cards and TPM attestation
▪ Credential Guard (Device Guard)
▪ Shielded VMs
▪ Microsoft Passport authentication with AD DS
▪ BitLocker with XTS-AES
▪ Windows Defender on servers by default
▪ Temporary AD group membership and PAM
▪ 2003 DFL/FFL deprecated
▪ WAP reverse HTTPS publishing
▪ ADFS improvements

Slide 3: Smart Cards and Credential Guard

Slide 4: Traditional LSASS credential management and theft
Diagram: High-Level OS; Process; LSASS process holding NTLM hash, TGT and password; Attacker process reading them.

Slide 5: Why use Smart Cards
Diagram: CryptoCPU with public storage memory and protected private crypto memory; OS, firmware ROM and API calls on the PC side; PIN and master PIN; Attacker on the PC cannot reach the private memory.

Slide 6: Virtual Smart Cards on Windows 10
▪ TPM based smart card
▪ Smart Card Logon certificates
▪ User identity bound to a device
▪ Hardware attestation available with AD CS Windows 2012
TpmVscMgr create /name "SevecekTest" /generate
– AdminKey 48 digits
– PIN 8 characters
– PUK 8 characters
certutil.exe -setreg CA\EndorsementKeyListDirectories +"C:\tpmkeys"
– 6dc60500e98df104c54465638bfb529a2924d75d827b5f50f5630f177721e49e = size 0, no extension
Slide 7: Hypervisor Credential Guard
▪ Prevent LSASS credential theft
▪ Isolate User Mode (IUM)
Diagram: High-Level OS with Process and LSASS; the NTLM hash, TGT and password are held by a trustlet reached over vmbus; the Attacker process in the High-Level OS cannot reach the trustlet.

Slide 8: Credential Guard Requirements
▪ Enterprise Edition
▪ x64
▪ hardware virtualization
▪ UEFI Secure Boot
▪ and others...

Slide 9: Enabling Credential Guard
GPO: Computer Configuration ▪ Administrative Templates ▪ System ▪ Device Guard
Image
– dism /Enable-Feature /FeatureName:IsolatedUserMode
Reboot required (hypervisor installed automatically)

Slide 10: Credential Guard Events
▪ System log, source WinInit
▪ Event IDs 13, 14, 15, 16, 17
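Enabling Credential Guard through the GPO and the dism feature does not prove it is running after the reboot, so a practitioner wants a check that reads the live state and the WinInit events the slide lists. The block below is an added example, not part of the deck: it queries the documented Win32_DeviceGuard WMI class, reads the LsaCfgFlags registry value, and filters the System log for event IDs 13 to 17. The provider name "Microsoft-Windows-Wininit" is assumed to be the exact name behind the "WinInit" source shown in Event Viewer.

```powershell
# Added example (not from the slides): verify Credential Guard state and read
# its WinInit events.

function Get-CredentialGuardState {
    $dg = Get-CimInstance -ClassName Win32_DeviceGuard `
                          -Namespace root\Microsoft\Windows\DeviceGuard
    # SecurityServicesConfigured / SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI
    # VirtualizationBasedSecurityStatus: 0 = disabled, 1 = enabled, 2 = running
    $lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                            -Name LsaCfgFlags -ErrorAction SilentlyContinue
    [pscustomobject]@{
        VbsStatus                 = $dg.VirtualizationBasedSecurityStatus
        CredentialGuardConfigured = ($dg.SecurityServicesConfigured -contains 1)
        CredentialGuardRunning    = ($dg.SecurityServicesRunning    -contains 1)
        # LsaCfgFlags: 1 = enabled with UEFI lock, 2 = enabled without UEFI lock
        LsaCfgFlags               = $lsa.LsaCfgFlags
    }
}

function Get-CredentialGuardEvents {
    param([int]$MaxEvents = 20)
    # IDs 13-17 from the WinInit provider in the System log, as on the slide
    # (13 = LsaIso started, 17 = error reading the UEFI configuration).
    Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-Wininit'   # assumed exact provider name
        Id           = 13, 14, 15, 16, 17
    } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

$state = Get-CredentialGuardState
$state
if ($state.CredentialGuardConfigured -and -not $state.CredentialGuardRunning) {
    Write-Warning 'Credential Guard is configured but not running: check Secure Boot, virtualization and the reboot.'
}
Get-CredentialGuardEvents | Format-Table -AutoSize -Wrap
```

The distinction between "configured" and "running" is the point: a GPO that is applied but blocked by firmware settings shows up as configured only, and the event IDs on the slide explain why.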
Slide 11: Credential Manager and Credential Guard
Credential Manager
▪ stores per-user credentials since Vista
▪ does not work with Credential Guard
▪ you should have disabled it anyway :-)

Slide 12: Who can disable Credential Guard
without EFI lock
▪ local Administrators
– requires restart
– GPO/registry
with EFI lock
▪ local Administrators
– requires physical presence
– bcdedit loadoptions DISABLE-LSA-ISO, DISABLE-VBS

Slide 13: What attacks still avoid Credential Guard
▪ Keylogger
▪ Hardware keyloggers
▪ Extracting stored passwords
▪ DoS
▪ Script/code injections
▪ Other memory attacks

Slide 14: Shielded VMs

Slide 15: Separate host Administrators from VMs

Slide 16: Cloud identities

Slide 17
Windows 8+
▪ use Microsoft Account to log on locally
▪ maps to a local user account
Windows 10
▪ use Microsoft Passport to log on with Kerberos/NTLM tickets
▪ mapping certificate to user account in AD just like Smart Card Logon
▪ TPM Virtual Smart Card or Smart Card or Software

Slide 18: Enabling Microsoft Passport
GPO: Windows Configuration ▪ Administrative Templates ▪ Windows Components ▪ Microsoft Passport for Work
Current support requirements
– Azure subscription, Azure join, Intune, ADFS, System Center, Windows 2016
Future support requirements
– Windows 2016 RTM

Slide 19: BitLocker

Slide 20: BitLocker with XTS-AES
Windows Vista, 7, 2008, 2008 R2
▪ AES 128, AES 256
▪ AES 128 with Diffuser, AES 256 with Diffuser
Windows 8, 8.1, 2012, 2012 R2
▪ AES 128, AES 256
Windows 10, 2016
▪ AES 128, AES 256
▪ XTS-AES 128, XTS-AES 256

Slide 21: Disk de/encryption
▪ Whole disks encrypted with a single AES FVEK
▪ Every sector gets its own IV based on sector ID
▪ AES CBC sector decryption
– first block (128 bits/16 bytes) is decrypted by FVEK+sectorIV
– subsequent blocks are decrypted by FVEK+previousEncryptedBlock
▪ any sector decrypts with FVEK without knowing the IV, except for the first 128 bits/16 bytes

Slide 22: Sector switch attacks
▪ Offline switch of some sectors (512 bytes)
– will run if the first 16 bytes are not relevant
▪ AES Diffuser: proprietary MS
▪ XTS-AES: FIPS compliant
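Slides 21 and 22 make one cryptographic point: under plain AES-CBC only the first 16-byte block of a sector depends on the sector IV, so a ciphertext sector moved to another position decrypts correctly from byte 16 onward, which is why the diffuser existed and why XTS-AES (which ties every block to its position) replaces it. The PowerShell below is an added example, not from the deck, that reproduces the property with .NET AES on a constructed 512-byte sector. The FVEK value and the per-sector IV derivation (AES-encrypting the sector number under the FVEK) are a simplified model for illustration and are not claimed to be BitLocker's exact derivation.

```powershell
# Added example (not from the slides): why CBC sector encryption without a
# diffuser lets a relocated sector decrypt intact except for its first block.

function New-SectorIV {
    param([byte[]]$Key, [int]$SectorId)
    # Assumed model: IV = AES-ECB_FVEK(sector id as a 16-byte little-endian block).
    $block = New-Object byte[] 16
    [Array]::Copy([BitConverter]::GetBytes([int64]$SectorId), $block, 8)
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Mode = 'ECB'; $aes.Padding = 'None'
    $aes.CreateEncryptor($Key, (New-Object byte[] 16)).TransformFinalBlock($block, 0, 16)
}

function Protect-Sector {
    param([byte[]]$Key, [int]$SectorId, [byte[]]$Plain)
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Mode = 'CBC'; $aes.Padding = 'None'      # 512 bytes = 32 whole blocks
    $aes.CreateEncryptor($Key, (New-SectorIV $Key $SectorId)).TransformFinalBlock($Plain, 0, $Plain.Length)
}

function Unprotect-Sector {
    param([byte[]]$Key, [int]$SectorId, [byte[]]$Cipher)
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Mode = 'CBC'; $aes.Padding = 'None'
    $aes.CreateDecryptor($Key, (New-SectorIV $Key $SectorId)).TransformFinalBlock($Cipher, 0, $Cipher.Length)
}

function Test-SameBytes {
    param([byte[]]$X, [byte[]]$Y)
    [BitConverter]::ToString($X) -eq [BitConverter]::ToString($Y)
}

# Constructed sample data: a 16-byte FVEK and two recognisable 512-byte sectors.
$fvek    = [byte[]](1..16)
$sectorA = [System.Text.Encoding]::ASCII.GetBytes('A' * 512)
$sectorB = [System.Text.Encoding]::ASCII.GetBytes('B' * 512)

$encA = Protect-Sector $fvek 100 $sectorA     # sector A lives at id 100
$encB = Protect-Sector $fvek 200 $sectorB     # sector B lives at id 200

# Offline switch: sector A's ciphertext is written where sector B lives, then the
# normal read path decrypts it with sector B's IV (the reader never knows A's IV).
$swapped = Unprotect-Sector $fvek 200 $encA

$firstBlockIntact = Test-SameBytes ([byte[]]($swapped[0..15]))   ([byte[]]($sectorA[0..15]))
$restIntact       = Test-SameBytes ([byte[]]($swapped[16..511])) ([byte[]]($sectorA[16..511]))

"First 16 bytes of A survive the move:      $firstBlockIntact"   # False: only this block used the IV
"Remaining 496 bytes of A survive the move: $restIntact"         # True: CBC chains on ciphertext, not IV
```

Run against the constructed data the first line prints False and the second True, which is exactly the slide's "will run if the first 16 bytes are not relevant". Checking a volume's algorithm (Get-BitLockerVolume reports EncryptionMethod, and XtsAes128 / XtsAes256 are the Windows 10 and 2016 values) is the defender's corresponding action.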
Slide 23: Windows Defender on Servers

Slide 24: Windows 2016
▪ file and network inspections
▪ updated from Windows Update
▪ automatic exclusions
▪ events

Slide 25: Windows Defender automatic exclusions on Servers
Group Policy
– %allusersprofile%\NTUser.pol
– %SystemRoot%\System32\GroupPolicy\Machine\registry.pol
– %SystemRoot%\System32\GroupPolicy\User\registry.pol
DFSR
– %systemroot%\System32\dfsr.exe
– %systemroot%\System32\dfsrs.exe
Hyper-V
– *.vhd, *.vhdx, *.iso, ...
– %systemroot%\System32\Vmms.exe
– %systemroot%\System32\Vmwp.exe
Active Directory
– HKLM\System\CurrentControlSet\Services\NTDS\Parameters\DSA Database File
– HKLM\System\CurrentControlSet\Services\NTDS\Parameters\Database Log Files
– HKLM\System\CurrentControlSet\Services\NTDS\Parameters\DSA Working Directory
– %systemroot%\System32\ntfrs.exe
– %systemroot%\System32\lsass.exe
Web server
– %SystemRoot%\IIS Temporary Compressed Files
– %SystemDrive%\inetpub\temp\IIS Temporary Compressed Files
– %SystemDrive%\inetpub\temp\ASP Compiled Templates
– %systemDrive%\inetpub\logs
– %systemDrive%\inetpub\wwwroot
– %SystemRoot%\system32\inetsrv\w3wp.exe
– %SystemRoot%\SysWOW64\inetsrv\w3wp.exe
– %SystemDrive%\PHP5433\php-cgi.exe
...

Slide 26: Windows Defender events
Application and Service Logs – Microsoft – Windows – Windows Defender » Operational

Slide 27: Add exclusion or (un)install Windows Defender
Add-MpPreference -ExclusionPath "c:\Accounting"
Get-WindowsFeature *defender*
Get-WindowsFeature *defender | Remove-WindowsFeature   # Restart needed!
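Slides 25 to 27 describe a large automatic exclusion list plus administrator-added exclusions, and an operational log; the practical follow-up is to audit what is actually excluded on a server and to read the detections. The block below is an added example, not from the deck: it reports the configured exclusions, adds the slide's c:\Accounting exclusion, flags exclusions broad enough to blind the scanner, and reads detection events. The path c:\Accounting is from the slide; the event IDs 1116 (threat detected) and 1117 (action taken) are Defender's documented IDs; the "risky path" patterns are my own heuristic.

```powershell
# Added example (not from the slides): audit Windows Defender exclusions on a
# server, add one the way the slide does, and read the operational log.

function Get-DefenderExclusionReport {
    $p = Get-MpPreference
    [pscustomobject]@{
        Paths                 = @($p.ExclusionPath      | Where-Object { $_ })
        Extensions            = @($p.ExclusionExtension | Where-Object { $_ })
        Processes             = @($p.ExclusionProcess   | Where-Object { $_ })
        DisableAutoExclusions = $p.DisableAutoExclusions   # $true turns off the slide-25 list
    }
}

function Find-BroadExclusion {
    param([string[]]$Paths)
    # Heuristic (assumption): drive roots and user-writable locations excluded
    # from scanning are the exclusions an attacker would prefer to find.
    $Paths | Where-Object {
        $_ -match '^[A-Za-z]:\\?$' -or $_ -match '(?i)\\(temp|users|downloads)(\\|$)'
    }
}

# The administrator-defined exclusion from the slide.
Add-MpPreference -ExclusionPath 'C:\Accounting'

$report = Get-DefenderExclusionReport
"Manual path exclusions:    $($report.Paths -join ', ')"
"Process exclusions:        $($report.Processes -join ', ')"
"Automatic exclusions off:  $($report.DisableAutoExclusions)"
$broad = Find-BroadExclusion -Paths $report.Paths
if ($broad) { Write-Warning "Broad exclusions present: $($broad -join ', ')" }

# Recent detections from the channel shown on slide 26.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1116, 1117
} -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-Table -AutoSize -Wrap

# Feature state on Windows Server 2016 (installed by default per slide 23).
Get-WindowsFeature -Name Windows-Defender* | Select-Object Name, InstallState
```

Note that Get-MpPreference shows only administrator-defined exclusions; the automatic server-role exclusions of slide 25 apply silently unless DisableAutoExclusions is set, which is why the report prints that flag next to the manual list.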
Slide 28: Temporary group membership aka PAM

Slide 29: Privileged Access Management
▪ Limited access
▪ Temporary access
▪ Secure workstations
▪ Protect credentials

Slide 30: Temporary AD objects (since FFL 2003)
▪ dynamicObject class
▪ entryTTL = seconds
▪ CN=Directory Services,CN=Windows NT,CN=Services,CN=Configuration
– ms-DS-Other-Settings: DynamicObjectDefaultTTL (seconds), DynamicObjectMinTTL (seconds)

Slide 31: Temporary AD group membership (FFL 2003)
Diagram: User account is a member of a Proxy group with TTL, which is a member of the Real group; the user keeps the standard TGT lifetime.

Slide 32: Privileged Access Management feature (FFL 2016)
▪ New AD optional feature
– Privileged Access Management Feature
– Get-ADOptionalFeature
▪ Add-ADGroupMember -MemberTimeToLive
– lowest lifetime propagates to Kerberos TGT tickets
▪ LDP
– LDAP_SERVER_LINK_TTL_OID 1.2.840.113556.1.4.2309
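Slides 30 to 32 contrast the 2003-era dynamicObject proxy-group trick with the 2016 expiring-link feature. The PowerShell below is an added example, not from the deck, showing the 2016 path end to end: it checks the forest functional level, enables the Privileged Access Management Feature if needed, adds a member with -MemberTimeToLive as on the slide, and reads the remaining TTL back with Get-ADGroup -ShowMemberTimeToLive, which returns expiring links as <TTL=seconds>,<DN>. The group "Domain Admins" and the user "jdoe" are assumed sample names.

```powershell
# Added example (not from the slides): enable PAM, grant a time-limited group
# membership and read the remaining TTL.

Import-Module ActiveDirectory

function Enable-PamFeature {
    $forest  = Get-ADForest
    if ($forest.ForestMode -notmatch '2016') {
        throw "Forest functional level is $($forest.ForestMode); the PAM feature requires 2016 FFL."
    }
    $feature = Get-ADOptionalFeature -Filter { Name -eq 'Privileged Access Management Feature' }
    if ($feature.EnabledScopes.Count -eq 0) {
        # Like the Recycle Bin feature, this cannot be disabled once enabled.
        Enable-ADOptionalFeature -Identity $feature `
            -Scope ForestOrConfigurationSet -Target $forest.Name
    }
}

function Add-TemporaryGroupMember {
    param([string]$Group, [string]$Member, [timespan]$Ttl)
    # The lowest TTL among the user's expiring memberships caps the Kerberos
    # TGT lifetime, so the ticket cannot outlive the membership (slide 32).
    Add-ADGroupMember -Identity $Group -Members $Member -MemberTimeToLive $Ttl
}

function Get-GroupMembersWithTtl {
    param([string]$Group)
    (Get-ADGroup -Identity $Group -Properties member -ShowMemberTimeToLive).member |
        ForEach-Object {
            if ($_ -match '^<TTL=(\d+)>,(.+)$') {
                [pscustomobject]@{ Member = $Matches[2]; SecondsLeft = [int]$Matches[1] }
            } else {
                [pscustomobject]@{ Member = $_;          SecondsLeft = $null }   # permanent member
            }
        }
}

Enable-PamFeature
Add-TemporaryGroupMember -Group 'Domain Admins' -Member 'jdoe' -Ttl (New-TimeSpan -Hours 1)
Get-GroupMembersWithTtl -Group 'Domain Admins' | Sort-Object SecondsLeft | Format-Table -AutoSize
```

Listing permanent members with SecondsLeft empty next to the expiring ones is the useful view for a privileged-group review: every entry without a TTL is a standing privilege that PAM was supposed to remove.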
Slide 33: 2003 DFL/FFL deprecated

Slide 34
Move to 2008 DFL
– enable/enforce AES for Kerberos
– remove RC4
Move to 2012 FFL
– enable group managed service accounts
– smaller Kerberos tickets
Move to 2016 FFL
– enable temporary group membership

Slide 35: WAP reverse HTTPS publishing

Slide 36: Principal scenario (internal HTTP or HTTPS)
Diagram: Browser Client and GUI Client reach https://portal.gopas.cz on the Reverse HTTPS Proxy, which holds the Web Server TLS Certificate; the proxy forwards to the internal Web Server as https://portal or http://portal (GPS gopas.virtual); the DC authenticates users.

Slide 37: Reasons for WAP
▪ Perimeter TLS offloading
▪ Isolate TCP/IP attacks
▪ Authenticate users
– password forms
– certificates
▪ Extranet lockout

Slide 38: What is new in WAP 2016
▪ HTTP -> HTTPS redirection
▪ TLS offloading
▪ publishing RDP Web Apps
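The scenario on slide 36 (external https://portal.gopas.cz terminated on the proxy, internal http://portal behind it, users authenticated before reaching the web server) maps directly onto one WAP publishing command. The block below is an added example, not from the deck, using the WebApplicationProxy module: it picks the installed certificate for the external name, publishes the application with AD FS pre-authentication (the "authenticate users" reason on slide 37), and turns on the 2016 HTTP-to-HTTPS redirect from slide 38. Host names come from the slide; the application name, the relying-party name (which must already exist in AD FS) and the -EnableHTTPRedirect parameter as the 2016 switch for that feature are assumptions.

```powershell
# Added example (not from the slides): publish the slide-36 scenario through
# Web Application Proxy with TLS offloading and AD FS pre-authentication.

Import-Module WebApplicationProxy

$externalHost = 'portal.gopas.cz'                 # from the slide
$backendUrl   = 'http://portal/'                  # internal HTTP, TLS offloaded on the proxy
$appName      = 'GOPAS Portal'                    # assumed application / relying-party name

# Newest usable certificate for the external name in the machine store (assumed present).
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$externalHost*" -and $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No valid certificate for $externalHost in LocalMachine\My" }

# Publish: browsers hit HTTPS only, the proxy pre-authenticates via AD FS and
# forwards to the plain-HTTP backend; plain HTTP on the outside is redirected.
Add-WebApplicationProxyApplication `
    -Name                          $appName `
    -ExternalUrl                   "https://$externalHost/" `
    -BackendServerUrl              $backendUrl `
    -ExternalCertificateThumbprint $cert.Thumbprint `
    -ExternalPreauthentication     ADFS `
    -ADFSRelyingPartyName          $appName `
    -EnableHTTPRedirect:$true                     # assumed 2016 parameter for HTTP -> HTTPS redirection

# Verify the published set: every external URL should be https and pre-authenticated.
Get-WebApplicationProxyApplication |
    Select-Object Name, ExternalUrl, BackendServerUrl, ExternalPreauthentication |
    Format-Table -AutoSize
```

The verification step is where a review catches the usual weakening: an application published with -ExternalPreauthentication PassThrough exposes the backend's own login form to the internet and gives up the extranet lockout that slide 37 lists as a reason for using WAP at all.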
Slide 39: ADFS improvements

Slide 40: What is new in ADFS 2016
▪ Certification authority
▪ Administrative delegation
▪ Access rule wizards
▪ Azure MFA built-in
– on-premises to cloud | cloud to on-premises

Slide 41: Recap
▪ Virtual Smart Cards and TPM attestation
▪ Credential Guard (Device Guard)
▪ Shielded VMs
▪ Microsoft Passport authentication with AD DS
▪ BitLocker with XTS-AES
▪ Windows Defender on servers by default
▪ Temporary AD group membership and PAM
▪ 2003 DFL/FFL deprecated
▪ WAP reverse HTTPS publishing
▪ ADFS improvements

Slide 42: Thank you for your attention!
GOC173 - Enterprise PKI
GOC175 - Windows Security Internals
GOC171 - Active Directory Internals
Ondrej Sevecek | GOPAS a.s.
MCSM: Directory Services | MVP: Enterprise Security | CISA | CEH | CHFI
ondrej@Sevecek.com | www.sevecek.com
facebook: ondrej.sevecek.official | twitter: @OndrejSevecek

Slide 43
Follow current and follow-up courses at www.gopas.cz
A GIFT FOR YOU! TechEd-DevCon 2016! ...get a TechEd-DevCon 2016 T-shirt! Fill in the evaluation questionnaire and...
TechEd party! Xbowling Strašnice, 18. 5. 2016
Be The Best IT Pro or The Best Developer. COMPETITION! COMPETITION! COMPETITION!