
Microsoft Virtual Academy



Presentation on theme: "Microsoft Virtual Academy"— Presentation transcript:

1 Microsoft Virtual Academy
Free, online, technical courses. Take a free online course.

2 Module 4 Security Improvements

3 Evolving security threats

A rising number of organizations suffer from breaches.

1. Increasing incidents
- "Cyberattacks on the rise against US corporations" (New York Times, 2014)
- "Espionage malware infects rafts of governments, industries around the world" (Ars Technica, 2014)

2. Bigger motivations
- "Cybercrime costs US economy up to $140 billion annually, report says" (Los Angeles Times, 2014)
- "How hackers allegedly stole 'unlimited' amounts of cash from banks in just a few hours" (Ars Technica, 2014)

3. Bigger risk
- "The biggest cyberthreat to companies could come from the inside" (Cnet, 2015)
- "Malware burrows deep into computer BIOS to escape AV" (The Register, September 2014)
- "Forget carjacking, soon it will be carhacking" (The Sydney Morning Herald, 2014)

© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

4 Central risk: Administrator privileges
Phishing attacks, stolen admin credentials, insider attacks: each of these attacks seeks out and exploits privileged accounts.

We know that administrators have the keys to the kingdom; we gave them those keys decades ago. But those administrator privileges are being compromised through social engineering, bribery, coercion and private initiatives.

5 Conclusion: change the way we think about security (Microsoft Ignite 2015)

We have to "assume breach". This is not a position of pessimism but one of security rigor.

Problem:
- A breach will happen (or already did)
- We lack the security-analysis manpower
- We can't determine the impact of the breach
- We are unable to adequately respond to the breach

New approach (in addition to prevention):
- Limit or block the breach from spreading
- Detect the breach
- Respond to the breach

6 Protect virtual machines: challenges in protecting high-value virtual machines

- Any seized or infected host, or its host administrators, can access the guest virtual machines running on it.
- It is impossible to identify legitimate hosts without hardware-based verification ("legitimate host?").
- Tenants' VMs are exposed to storage and network attacks while they are unencrypted.

7 Protect virtual machines: Microsoft's approach

Challenge: any seized or infected host, or its host administrators, can access guest virtual machines.
Approach: hardware-rooted technologies separate the guest operating system from host administrators. Virtual Secure Mode provides process and memory access protection from the host.

Challenge: it is impossible to identify legitimate hosts without hardware-based verification.
Approach: a guarded fabric identifies legitimate hosts and certifies them to run shielded tenant VMs. The Host Guardian Service is the enabler that allows Shielded Virtual Machines to run only on a legitimate host in the fabric ("trust the host").

Challenge: tenants' VMs are exposed to storage and network attacks while unencrypted.
Approach: virtualized trusted platform module (vTPM) support to encrypt virtual machines; a shielded VM is a BitLocker-enabled VM.

8 So what is a 'Shielded VM'?

"The data and state of a shielded VM are protected against inspection, theft and tampering from both malware and datacenter administrators [1]."

[1] fabric admins, storage admins, server admins, network admins

9 Protect virtual machines: how it works with Windows Server and System Center

- Logo-certified server hardware: UEFI, TPM v2.0, virtualization extensions, IOMMU
- Secure and measured boot of the host, with Virtual Secure Mode protecting the host OS secrets
- Host Guardian Service: vTPM key management and host verification
- Trusted administrator: enables BitLocker, provisions VMs and manages the list of legitimate hosts
- Host management: SCVMM manages the encrypted (shielded) VM
- Attestation: the host sends its attestation information to the Host Guardian Service and receives a certificate
- Key management service for VM TPMs: the host presents the encrypted key together with its certificate and receives the key needed to start the shielded VM

10 Protect virtual machines: Shielded Virtual Machines

- Shielded Virtual Machines can only run in fabrics that are designated as owners of that virtual machine.
- Shielded Virtual Machines need to be encrypted (by BitLocker or other means) in order to ensure that only the designated owners can run the virtual machine.
- You can convert an existing virtual machine into a Shielded Virtual Machine.

(Diagram: the virtual hard disk sits in storage; a host without a TPM (generic host) and a host with a TPM running Shielded Virtual Machines, backed by the Host Guardian Service.)

11 Shielded VMs: Security Assurance Goals
Encryption and data at-rest/in-flight protection
- The virtual TPM enables the use of disk encryption within the VM (e.g. BitLocker)
- Both Live Migration traffic and VM state are encrypted

Admin lockout
- Host administrators cannot access guest VM secrets (e.g. they can't see disks or video)
- Host administrators cannot run arbitrary kernel-mode code

Attestation of health
- VM workloads can only run on "healthy" hosts
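The shielding flow from slides 9 to 11 (owner and fabric guardians, key protector, vTPM, BitLocker inside the guest), written out as an added PowerShell example. This is not code from the presentation; it uses the Windows Server 2016 Hyper-V and HgsClient cmdlets, and the HGS name "hgs.relecloud.com", the VM "Fin-SQL01" and the guardian name "FinanceTenant" are hypothetical:

```powershell
# Added example, not part of the original presentation. Assumes a guarded host
# that has already attested to the HGS cluster at hgs.relecloud.com (hypothetical).
#Requires -Modules Hyper-V, HgsClient
param(
    [string] $VMName    = 'Fin-SQL01',          # hypothetical Generation 2 VM
    [string] $HgsFqdn   = 'hgs.relecloud.com',  # hypothetical HGS service name
    [string] $OwnerName = 'FinanceTenant'       # hypothetical tenant/owner guardian
)

# 1. Owner guardian: created once by the tenant; it holds the private keys and is
#    the only identity that can change the key protector later.
$owner = Get-HgsGuardian -Name $OwnerName -ErrorAction SilentlyContinue
if (-not $owner) { $owner = New-HgsGuardian -Name $OwnerName -GenerateCertificates }

# 2. Fabric guardian: HGS publishes its public signing and encryption certificates
#    as metadata. Only this fabric will be able to unwrap the vTPM key.
$metadata = Join-Path $env:TEMP 'hgs-guardian.xml'
Invoke-WebRequest -Uri "http://$HgsFqdn/KeyProtection/service/metadata/2014-07/metadata.xml" -OutFile $metadata
$fabric = Get-HgsGuardian -Name $HgsFqdn -ErrorAction SilentlyContinue
if (-not $fabric) {
    # -AllowUntrustedRoot is only for a lab HGS with self-signed certificates; drop it in production.
    $fabric = Import-HgsGuardian -Path $metadata -Name $HgsFqdn -AllowUntrustedRoot
}

# 3. Key protector = owner + list of fabrics allowed to run the VM (here exactly one).
$kp = New-HgsKeyProtector -Owner $owner -Guardian $fabric -AllowUntrustedRoot

# 4. Apply it to the VM. Key protector and vTPM can only be changed while the VM is off,
#    and a vTPM needs a Generation 2 (UEFI) VM.
$vm = Get-VM -Name $VMName
if ($vm.Generation -ne 2) { throw "$VMName is Generation $($vm.Generation); shielding needs Generation 2." }
if ($vm.State -ne 'Off') { Stop-VM -Name $VMName }

Set-VMKeyProtector  -VMName $VMName -KeyProtector $kp.RawData
Enable-VMTPM        -VMName $VMName
# Shielded = $true also blocks the console, PowerShell Direct and guest file copy from the host,
# which is the "admin lockout" assurance on slide 11.
Set-VMSecurityPolicy -VMName $VMName -Shielded $true
Start-VM -Name $VMName

# 5. Inside the guest (not from the host; shielding blocks PowerShell Direct), the tenant runs:
#    Enable-BitLocker -MountPoint C: -TpmProtector
# so that the OS disk is sealed to the vTPM that only an attested host can unwrap.

# Verify the security settings the host now enforces for this VM.
Get-VMSecurity -VMName $VMName | Select-Object TpmEnabled, Shielded, EncryptStateAndVmMigrationTraffic
```

The last line is the check to keep: TpmEnabled and Shielded must both be True, and EncryptStateAndVmMigrationTraffic is what backs the "Live Migration and VM state are encrypted" goal. If the host has not attested, Start-VM fails because the Key Protection Service will not release the vTPM key.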

12 Attestation Modes (mutually exclusive)

H/W-trusted attestation (TPM-based), typical for service providers:
- More complex setup/configuration: register each Hyper-V host's TPM (EKpub) with the HGS; establish a baseline code-integrity (CI) policy for each different hardware SKU; deploy an HSM and use HSM-backed certificates
- New Hyper-V host hardware required: needs to support TPM v2.0 and UEFI 2.3.1
- Highest levels of assurance: trust rooted in hardware; compliance with the code-integrity policy is required for key release (attestation); the fabric admin is untrusted

Admin-trusted attestation (Active Directory-based), typical for enterprises:
- Simplified deployment and configuration: set up an Active Directory trust and register a group; authorize a Hyper-V host to run shielded VMs by adding it to that Active Directory group
- Existing hardware is likely to meet the requirements
- Scenarios enabled: data protection at rest and on the wire; secure DR to a hoster (VM already shielded)
- Weaker levels of assurance: the fabric admin is trusted; no hardware-rooted trust or measured boot; no enforced code integrity

13 Attestation Workflow (hardware-trusted)
1. The Shielded VM is started on the guarded host.
2. The Attestation Client on the host initiates the attestation protocol (REST API) with the Attestation Service (IIS web app) on the Host Guardian Service node.
3. The host sends its boot and code-integrity (CI) measurements.
4. The Attestation Service validates the host measurements.
5. The Attestation Service issues a signed attestation certificate, encrypted to the host, which the host presents to the Key Protection Service (IIS web app) to obtain the VM's key.

14 Attestation Workflow (admin-trusted)
1. The Shielded VM is started on the guarded host.
2. The Attestation Client on the host initiates the attestation protocol (REST API) with the Attestation Service (IIS web app) on the Host Guardian Service node.
3. The host presents a Kerberos service ticket.
4. The Attestation Service validates the host's group membership.
5. The Attestation Service issues a signed attestation certificate, encrypted to the host, which the host presents to the Key Protection Service (IIS web app) to obtain the VM's key.
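The setup behind slides 12 to 14 (and the Host Guardian Service slide that follows), as an added PowerShell example rather than code from the presentation: one function configures an HGS node for either attestation mode with the Windows Server 2016 HgsServer cmdlets, the other points a Hyper-V host at it and checks that attestation passed. The forest name relecloud.com, service name "hgs", host "hv01", fabric group "GuardedHosts" and the C:\hgs file paths are all hypothetical:

```powershell
# Added example, not part of the original presentation. All names are hypothetical.
#Requires -RunAsAdministrator

function Initialize-GuardedFabricHgs {
    # Runs on the HGS node, after the HGS forest exists, i.e. after
    #   Install-HgsServer -HgsDomainName 'relecloud.com' -SafeModeAdministratorPassword $pw -Restart
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [ValidateSet('Tpm', 'ActiveDirectory')] [string] $Mode,
        [Parameter(Mandatory)] [string] $SigningThumbprint,     # HSM-backed certs already in Cert:\LocalMachine\My
        [Parameter(Mandatory)] [string] $EncryptionThumbprint,
        [string] $HostGroupSid                                   # AD mode only: SID of the fabric host group
    )
    $common = @{
        HgsServiceName                  = 'hgs'
        SigningCertificateThumbprint    = $SigningThumbprint
        EncryptionCertificateThumbprint = $EncryptionThumbprint
    }
    if ($Mode -eq 'Tpm') {
        Initialize-HgsServer @common -TrustTpm
        # Slide 12 lists three artefacts per fabric: each host's EKpub, a TPM baseline per
        # hardware SKU and a CI policy per SKU. They are captured on the hosts and copied here:
        #   (Get-PlatformIdentifier -Name 'hv01').InnerXml | Out-File -Encoding UTF8 C:\hgs\hv01.xml
        #   Get-HgsAttestationBaselinePolicy -Path C:\hgs\sku1.tcglog
        #   New-CIPolicy -Level FilePublisher -Fallback Hash -FilePath C:\hgs\sku1.xml
        #   ConvertFrom-CIPolicy -XmlFilePath C:\hgs\sku1.xml -BinaryFilePath C:\hgs\sku1.p7b
        Add-HgsAttestationTpmHost   -Path 'C:\hgs\hv01.xml'    -Name 'hv01'
        Add-HgsAttestationTpmPolicy -Path 'C:\hgs\sku1.tcglog' -Name 'SKU1-baseline'
        Add-HgsAttestationCIPolicy  -Path 'C:\hgs\sku1.p7b'    -Name 'SKU1-CI'
    }
    else {
        if (-not $HostGroupSid) { throw 'ActiveDirectory mode needs the SID of the fabric host group.' }
        # Needs a one-way trust from the HGS forest to the fabric forest, created beforehand:
        #   netdom trust relecloud.com /domain:fabrikam.com /userD:fabrikam\Administrator /passwordD:* /add
        Initialize-HgsServer @common -TrustActiveDirectory
        # Any computer in this group attests successfully; nothing about its boot state is measured,
        # which is exactly the "fabric admin is trusted" caveat on slide 12.
        Add-HgsAttestationHostGroup -Name 'GuardedHosts' -Identifier $HostGroupSid
    }
    Get-HgsServer   # shows the AttestationUrl and KeyProtectionUrl the hosts must be pointed at
}

function Test-GuardedHost {
    # Runs on the Hyper-V host after: Install-WindowsFeature HostGuardian
    [CmdletBinding()]
    param([Parameter(Mandatory)] [string] $HgsFqdn)
    Set-HgsClientConfiguration -AttestationServerUrl   "http://$HgsFqdn/Attestation" `
                               -KeyProtectionServerUrl "http://$HgsFqdn/KeyProtection"
    $cfg = Get-HgsClientConfiguration
    if ($cfg.AttestationStatus -ne 'Passed') {
        # Typical causes: EKpub not registered, CI policy mismatch after a driver update,
        # host not in the AD group, or virtualization-based security not running on the host.
        Get-HgsTrace -RunDiagnostics -Detailed
        throw "Attestation failed: $($cfg.AttestationSubstatus)"
    }
    $cfg
}

# Usage (hardware-trusted fabric):
#   Initialize-GuardedFabricHgs -Mode Tpm -SigningThumbprint '<thumbprint>' -EncryptionThumbprint '<thumbprint>'
#   Test-GuardedHost -HgsFqdn 'hgs.relecloud.com'
```

The two modes share everything except the trust switch on Initialize-HgsServer and what gets registered afterwards; that is why the slide calls them mutually exclusive. Note that every CI policy change (new driver, new agent) on a TPM-mode host must be re-registered with Add-HgsAttestationCIPolicy or the host stops attesting, which is the operational price of the stronger assurance.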

15 Protect virtual machines: Virtual Secure Mode

Virtual Secure Mode prevents an infected host from accessing the physical memory contents and physical processor state of VSM-enabled virtual machines. Virtual Secure Mode introduces the concept of Virtual Trust Levels, which consist of memory access protections, virtual processor state and an interrupt subsystem:

- Virtual Trust Levels (VTLs): a security mechanism on top of the existing privilege enforcement (ring 0 / ring 3)
- Memory access protections: a VTL's memory access protections can only be changed by software running at a higher VTL
- Virtual processor state: isolation of processor state between VTLs
- Interrupt subsystem: interrupts are managed securely at a particular VTL, without risk of a lower VTL generating unexpected interrupts or masking interrupts

16 Host Guardian Service and Hyper-V-based code integrity

- The Host Guardian Service holds the keys of the legitimate fabrics as well as of the encrypted virtual machines.
- The Host Guardian Service runs as a service that verifies whether a host is a trusted machine: host attestation, vTPM key management and shielded VM verification.
- The Host Guardian Service can live anywhere, even as a virtual machine.

(Diagram: hosts running Hyper-V-based code integrity, verified by the Host Guardian Service; the fabric guardian roles are labelled Customer, Service provider and Microsoft.)

17 Demo: VM Security (Tech Ready 15)

18 Linux Secure Boot

Provides kernel code integrity protections for Linux guest operating systems.

Works with: Ubuntu and later; SUSE Linux Enterprise Server 12

PowerShell to enable (the VM must be a Generation 2 VM and powered off when its firmware settings are changed):

Set-VMFirmware -VMName "Ubuntu" -EnableSecureBoot On -SecureBootTemplate MicrosoftUEFICertificateAuthority
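An added PowerShell example (not from the presentation) that applies the command above to several VMs with the checks a practitioner wants first: it skips Generation 1 VMs (no UEFI, so no Secure Boot), stops a running VM because firmware settings are only writable while the VM is off, and reads the setting back with Get-VMFirmware. The VM names are hypothetical. Keep Windows guests on the default MicrosoftWindows template: the Windows boot manager is signed by the Microsoft Windows production CA, not the UEFI CA, so a Windows VM given this template fails Secure Boot.

```powershell
# Added example, not part of the original presentation. VM names are hypothetical.
#Requires -Modules Hyper-V
function Enable-LinuxSecureBoot {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory, ValueFromPipeline)] [string[]] $VMName)
    process {
        foreach ($name in $VMName) {
            $vm = Get-VM -Name $name -ErrorAction Stop
            if ($vm.Generation -ne 2) {
                Write-Warning "$name is Generation 1 (BIOS); UEFI Secure Boot needs a Generation 2 VM."
                continue
            }
            # Firmware settings cannot be changed on a running VM; shut it down cleanly first.
            $wasRunning = $vm.State -ne 'Off'
            if ($wasRunning) { Stop-VM -Name $name }

            if ($PSCmdlet.ShouldProcess($name, 'Enable Secure Boot with the MicrosoftUEFICertificateAuthority template')) {
                Set-VMFirmware -VMName $name -EnableSecureBoot On -SecureBootTemplate MicrosoftUEFICertificateAuthority
            }

            # Read the setting back from the VM configuration rather than trusting the call succeeded.
            $fw = Get-VMFirmware -VMName $name
            [pscustomobject]@{
                VM                 = $name
                SecureBoot         = $fw.SecureBoot           # expected: On
                SecureBootTemplate = $fw.SecureBootTemplate   # expected: MicrosoftUEFICertificateAuthority
            }

            if ($wasRunning) { Start-VM -Name $name }
        }
    }
}

# Usage:
#   'Ubuntu', 'SLES12' | Enable-LinuxSecureBoot
#   'Ubuntu' | Enable-LinuxSecureBoot -WhatIf    # dry run, shows what would change
```

If a Linux VM no longer boots afterwards, the distribution's shim or kernel is not signed by the Microsoft UEFI CA; the slide's list (Ubuntu and SUSE Linux Enterprise Server 12) is the set of guests whose boot loaders are, and for anything else Secure Boot has to stay off.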

19 Demo: Linux Secure Boot

20 TechNet Virtual Labs: deep technical content and free product evaluations

Free product evaluations: at the TechNet Evaluation Center you can download free trial versions of Microsoft software, with no feature limits. Dozens of trials are available, all at no cost. Try Windows Server 2012 R2 for up to 180 days. Download the Windows 8.1 Enterprise 90-day evaluation. Or try Microsoft Azure at no cost for up to 90 days. Download Microsoft software trials today: Technet.microsoft.com/evalcenter

Hands-on deep technical labs: Microsoft Hands On Labs offer virtual environments that take you through a guided, technically deep product learning experience. Learn at your own pace in labs that you can complete in 90 minutes or less. No complex setup or installation is required to use TechNet Virtual Labs. Find Hands On Labs: Technet.microsoft.com/virtuallabs

Free, online, technical courses: Microsoft Virtual Academy provides free online training on the IT scenarios that are important to your company and your career. Learn at your own pace and boost your IT skills with over 100 courses across more than 15 Microsoft technologies, including Windows Server, Windows 8, Microsoft Azure, Office 365, virtualization, Windows Phone and more. Take a free online course: microsoftvirtualacademy.com


