Protect your infrastructure with Windows Server 2016 Security

Presentation on theme: "Protect your infrastructure with Windows Server 2016 Security"— Presentation transcript:

1 Protect your infrastructure with Windows Server 2016 Security
BRK2146. Speakers: Dean Wells and Jane Yan, Windows Server.
Windows Server 2016: built-in layers of security; software-defined datacenter; cloud-ready application platform.
Windows Server + System Center session guide: aka.ms/WS2016Ignite
© 2014 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.


3 … perhaps it’s obvious but why does all this matter?
First: a context refresher. Perhaps it’s obvious, but why does all this matter?

4 Modern Security Threats
”There are two kinds of big companies, those who’ve been hacked, and those who don’t know they’ve been hacked.” James Comey, Director, FBI

5 “Cyber security is a CEO issue.”
“Cyber security is a CEO issue.” (McKinsey)
Cyber threats are a material risk to your business:
$3.0 trillion: impact of lost productivity and growth
$4 million: average cost of a data breach (15% year-over-year increase)
$500 million: corporate liability coverage
Source: McKinsey, Ponemon Institute, Verizon

6 Cybercrime: State of the Union
Three themes: 1. increasing incidents; 2. variety of motivations; 3. increasing risk.
Headlines:
"Cyberattacks on the rise against US corporations" (New York Times, 2014)
"Espionage malware infects rafts of governments, industries around the world" (Ars Technica, 2014)
"Cybercrime costs US economy up to $140B annually, report says" (Los Angeles Times, 2014)
"How hackers allegedly stole 'unlimited' amounts of cash from banks in just a few hours" (Ars Technica, 2014)
"The biggest cyberthreat to companies could come from the inside" (Cnet, 2015)
"Ransomware, 0days, malware, scams... all are up, says Symantec" (The Register, April 2016)
"Forget carjacking, soon it will be carhacking" (The Sydney Morning Herald, 2014)

7 Cyber security: hidden costs of a breach
Breaches cost a lot of money (average $4M, based on Ponemon Institute).
Customers. Before: customers pay for your service. After: you pay customers compensation to keep them using your service.
Productivity. Before: employees efficiently perform the majority of work activities using a desktop computer. After: employees waste hours a day running back and forth to a fax machine (assuming you still have one).
Overspending reflex. Before: an appropriately sized and dedicated IT security team. After: the IT security team exponentially increases in size, and remediation efforts require new and expensive products.

8 Cyber security: hidden costs of a breach
Industry reputation. Before: industry credibility, positive reputation, customer confidence. After: loss of credibility, embarrassing information exposed, customers lose faith.
Corporate secrets. Before: corporate secrets are secret. After: corporate secrets are public knowledge; potential loss of competitive advantage.
Ransomware. Before: HBI/MBI assets available for day-to-day business operations. After: assets encrypted and key business IT services rendered useless.
Customer trust. Before: customers happy to trust you with their PII. After: customers reluctant to share information with you.

9 Attack timeline
Attackers often target Active Directory and admins to gain access to business assets.
Timeline: research and preparation; first host compromised; domain admin compromised (24–48 hours later); attacker undetected (data exfiltration); attack discovered. Mean dwell time: 150+ days (varies by industry).
Attackers find any weakness and target information on any device or service. You may be under attack (or already compromised) and unaware.

10 Anatomy of an attack
ENTER (user): phishing attacks; browser or document exploit delivery; malicious attachment delivery; internet service compromise.
ESTABLISH (device): browser or document exploit execution; malicious attachment execution; stolen credential use; kernel exploits.
EXPAND (network): kernel-mode malware; pass-the-hash.
ENDGAME: business disruption; lost productivity; data theft; espionage, loss of IP; ransom.

11 What do most attacks have in-common?
Phishing attacks; stolen credentials; pass-the-hash (PtH) attacks; insider attacks; fabric attacks.

12 Central risk: Administrator privileges
Most attack types seek out and exploit privileged accounts: stolen admin credentials, phishing attacks, insider attacks, fabric attacks.
These privileged accounts have the keys to the kingdom; we gave them those keys decades ago.
But now those administrators’ privileges are being compromised through social engineering, bribery, coercion, private initiatives, etc.

13 Attack vectors Attack the applications and infrastructure
Attack the applications and infrastructure: compromised privileged accounts; unpatched vulnerabilities; phishing attacks; malware infections.
Attack the virtualization fabric itself: a compromised fabric exposes guest VMs; it is easy to modify or copy a VM without notice; VMs can’t be protected with gates, walls, locks, etc.; VMs can’t leverage hardware security (e.g. TPMs).

14 Windows Server Security Posture
Protect: ongoing focus and innovation on preventative measures; block known attacks and known malware.
Detect: comprehensive monitoring tools to help you spot abnormalities and respond to attacks faster.
Respond: leading response and recovery technologies plus deep consulting expertise.
Isolate: isolate OS components and secrets; limit admin privileges; rigorously measure host health.
Security isn’t a bolt-on; it’s an architectural principle.

15 Protect credentials and privileged access
Windows Server 2016: protect credentials and privileged access.

16 Challenging to protect credentials
Social engineering leads to credential theft.
Most attacks seek out and leverage administrative credentials (Pass-the-Hash, PtH).
Administrative credentials often inadvertently provide more privilege than strictly necessary… and for an unlimited time.
[Diagram: capability plotted against time for typical administrators (Ben, Mary, Jake) holding domain admin.]

17 Windows Server 2016 approach
Just Enough Administration (JEA) limits administrative privileges to the bare-minimum required set of actions (limited in space).
Just in Time Administration (JIT) provides privileged access upon request through a workflow that is audited and limited in time.
[Diagram: with JEA and JIT administration, Ben, Mary and Jake receive only the capability and time needed instead of standing domain admin.]
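Added example, not part of the deck: a JEA endpoint that scopes a help-desk group to restarting two named services, running under a transient virtual account with every session transcribed. The module name HelpDeskJea, the group CONTOSO\HelpDeskOps, the service names and the transcript path are assumptions.

```powershell
# Added example: JEA endpoint for a help-desk role. Module name, group name,
# service names and transcript path are assumptions, not from the deck.
$modulePath = Join-Path $env:ProgramFiles 'WindowsPowerShell\Modules\HelpDeskJea'
$rcPath     = Join-Path $modulePath 'RoleCapabilities'   # JEA discovers .psrc files here
New-Item -Path $rcPath -ItemType Directory -Force | Out-Null
New-ModuleManifest -Path (Join-Path $modulePath 'HelpDeskJea.psd1')

# Role capability: the whole surface this role can touch. Restart-Service is
# exposed only for two services, so the operator cannot restart anything else
# on the host ("limited in space").
New-PSRoleCapabilityFile -Path (Join-Path $rcPath 'HelpDeskOperator.psrc') `
    -VisibleCmdlets @(
        'Get-Service',
        @{ Name = 'Restart-Service'; Parameters = @{ Name = 'Name'; ValidateSet = 'Spooler', 'W3SVC' } }
    ) `
    -VisibleFunctions 'Get-DiskFreeSpace' `
    -FunctionDefinitions @{
        Name        = 'Get-DiskFreeSpace'
        ScriptBlock = { Get-PSDrive -PSProvider FileSystem | Select-Object Name, Free }
    }

# Session configuration: maps the AD group to the role, runs commands under a
# per-session virtual account (no standing admin credential lives on the host)
# and records every session so the activity is auditable.
$pssc = Join-Path $env:TEMP 'HelpDesk.pssc'
New-PSSessionConfigurationFile -Path $pssc `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory 'C:\JEATranscripts' `
    -RoleDefinitions @{ 'CONTOSO\HelpDeskOps' = @{ RoleCapabilities = 'HelpDeskOperator' } }

# Validate before registering; Register-PSSessionConfiguration restarts WinRM.
if (-not (Test-PSSessionConfigurationFile -Path $pssc)) { throw "Invalid .pssc: $pssc" }
Register-PSSessionConfiguration -Name 'HelpDesk' -Path $pssc -Force | Out-Null

# What the operator sees: only the listed commands exist in the session.
# Enter-PSSession -ComputerName SERVER01 -ConfigurationName HelpDesk
# [SERVER01]: PS> Restart-Service -Name W3SVC       # allowed
# [SERVER01]: PS> Restart-Service -Name Netlogon    # rejected by the ValidateSet
```

Transcripts in C:\JEATranscripts record the connecting user and the virtual account separately, which is what lets the audit trail attribute each privileged action to a person.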

18 Demonstrations: JIT + JEA

19 Windows Server 2016 approach
Builds on slide 17 (JEA and JIT), adding:
Credential Guard prevents Pass-the-Hash and Pass-the-Ticket attacks by protecting stored credentials and credential artifacts using Virtualization Based Security (VBS).

20 Demonstration: Credential Guard

21 Windows Server 2016 approach
Builds on slide 19 (JEA, JIT, Credential Guard), adding:
Remote Credential Guard works in conjunction with Credential Guard for RDP sessions, providing SSO over RDP while eliminating the need for credentials to be passed to the host.
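Added example, not part of the deck: turning on Credential Guard through the documented DeviceGuard and LSA registry values, checking after reboot that VBS is actually running with LSA isolation, and pairing it with Remote Credential Guard for RDP. SERVER01 is an assumed target name.

```powershell
# Added example, not from the deck. Needs UEFI, Secure Boot and a CPU with
# virtualization extensions; settings take effect after a reboot.
$dg  = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Enable-CredentialGuard {
    New-Item -Path $dg -Force | Out-Null
    # Turn on virtualization-based security: the hypervisor-isolated environment
    # that LSA secrets (NTLM hashes, Kerberos TGTs) are moved into
    Set-ItemProperty -Path $dg -Name EnableVirtualizationBasedSecurity -Value 1 -Type DWord
    # 1 = require Secure Boot; 3 = Secure Boot plus DMA protection
    Set-ItemProperty -Path $dg -Name RequirePlatformSecurityFeatures -Value 1 -Type DWord
    # LsaCfgFlags: 1 = Credential Guard with UEFI lock (disabling later needs
    # physical presence at boot, so a compromised admin cannot switch it off
    # remotely); 2 = enabled without the lock
    Set-ItemProperty -Path $lsa -Name LsaCfgFlags -Value 1 -Type DWord
}

function Get-VbsStatus {
    # Win32_DeviceGuard reports what is running, not merely what is configured
    $s = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    [pscustomobject]@{
        # VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but not running, 2 = running
        VbsRunning      = ($s.VirtualizationBasedSecurityStatus -eq 2)
        # SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI (Device Guard code integrity)
        CredentialGuard = ([int[]]$s.SecurityServicesRunning -contains 1)
        Hvci            = ([int[]]$s.SecurityServicesRunning -contains 2)
    }
}

Enable-CredentialGuard
# ... reboot, then verify; "configured" and "running" are different states
$status = Get-VbsStatus
if (-not $status.CredentialGuard) {
    Write-Warning 'Credential Guard is configured but not running: check UEFI, Secure Boot and Hyper-V support.'
}

# Remote Credential Guard. On the RDP target, DisableRestrictedAdmin = 0 permits
# Restricted Admin / Remote Credential Guard connections. From the client, the
# /remoteGuard switch keeps the password and hash on the client and redirects
# Kerberos requests back to it, so the target host never holds reusable credentials.
Set-ItemProperty -Path $lsa -Name DisableRestrictedAdmin -Value 0 -Type DWord   # run on SERVER01
# mstsc.exe /remoteGuard /v:SERVER01                                              # run on the client
```

Remote Credential Guard requires Kerberos between client and target; an NTLM-only path falls back to sending credentials, which is exactly what the feature is meant to avoid.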

22 Demonstration: Remote Credential Guard

23 Active Directory Access Path (ADAP)
Scans the environment and constructs a map of all administrators across all machines.
Enables analysis of potential attack paths throughout the entire domain.
Real-world case: the scan revealed more than 2,000 Domain Admins. Root cause: unnecessary/unknown group nesting. Post-remediation: 20 domain admins.
Some servers were found with 187,000 unintentional administrators.
An existing breach was re-enabling and exploiting disabled accounts.
[Diagram: privilege map revealed by ADAP.]

24 Protecting Active Directory and Admin privileges http://aka.ms/privsec
Roadmap timeline: 2-4 weeks, 1-3 months, 6+ months.
Phase 1: Active Directory admins. First response to the most frequently used attack techniques (Active Directory and Azure Active Directory):
1. Separate admin account for admin tasks
2. Privileged Access Workstations (PAWs)
3. Unique local admin passwords for workstations
4. Unique local admin passwords for servers

25 Protecting Active Directory and Admin privileges http://aka.ms/privsec
Roadmap timeline: 2-4 weeks, 1-3 months, 6+ months.
Phases 2 and 3: all admins and additional hardening (Credential Guard, RDP Restricted Admin, etc.). Build visibility and control of administrator activity; increase protection against typical follow-up attacks (Active Directory and Azure Active Directory):
1. Privileged Access Workstations (PAWs)
2. Time-bound privileges (no permanent admins)
3. Multi-factor for elevation
4. Just Enough Admin (JEA) for DC maintenance
5. Lower attack surface of domain and DCs
6. Attack detection

26 Protecting Active Directory and Admin privileges http://aka.ms/privsec
Roadmap timeline: 2-4 weeks, 1-3 months, 6+ months.
Move to a proactive security posture (Active Directory and Azure Active Directory):
1. Modernize roles and delegation model
2. Smartcard or Passport authentication for all admins
3. Admin forest for Active Directory administrators
4. Code Integrity policy for DCs (Server 2016)
5. Shielded VMs for virtual DCs (Server 2016 Hyper-V fabric)

27 Move to a proactive security posture
Roadmap timeline: 2-4 weeks, 1-3 months, 6+ months.
Attack: credential theft and abuse. Defense: prevent escalation; prevent lateral traversal; increase privilege usage visibility.
Attack: DC host attacks. Defense: harden DC configuration; reduce DC agent attack surface.
Attack: AD attacks. Defense: assign least privilege.
Attack: attacker stealth. Defense: detect attacks.

28 Protect applications and data in any cloud
Windows Server 2016: protect applications and data in any cloud.

29 Protecting the OS
Defend against new exploits and block attacks without impacting legitimate workloads: Control Flow Guard, Windows Defender, Device Guard.

30 Control Flow Guard (CFG)
Helps ensure that trusted binaries execute as intended.
Helps prevent attacks that use memory corruption vulnerabilities.
CFG places controls on how an otherwise-trusted application executes code.
Provides defenses against exploits such as buffer overflows.

31 In-box anti-malware that is Server-workload aware
Windows Defender: in-box anti-malware that is server-workload aware.
Deep integration with Windows security systems.
Anti-tampering (protecting critical dependent OS services).
Registry hardening; “file-less” malware.
Actively protects against malware without impacting workloads.

32 Demonstration: Windows Defender

33 Hardware Rooted Code Integrity
Device Guard: hardware-rooted code integrity.
Windows can be locked down to run ONLY trusted binaries.
Untrusted binaries, such as malware, are unable to run.
Protects kernel-mode processes and drivers from zero-day attacks as well as vulnerabilities through the use of HVCI.
Code Integrity policies can be signed and protected against malicious administrators.
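Added example, not part of the deck: building a Device Guard code integrity policy from a clean reference server, starting it in audit mode, and requiring that only a signed policy be accepted, which is the mechanism behind the "protected against malicious administrators" bullet. The paths under C:\CIPolicy and the signing certificate subject are assumptions.

```powershell
# Added example, not from the deck. Paths and the signing certificate subject
# are assumptions; signtool.exe comes from the Windows SDK.
Import-Module ConfigCI
$policyXml = 'C:\CIPolicy\ServerPolicy.xml'
$policyBin = 'C:\CIPolicy\SIPolicy.bin'
New-Item -Path 'C:\CIPolicy' -ItemType Directory -Force | Out-Null

# 1. Scan a clean reference host and allow what is installed, keyed on the
#    publisher certificate; unsigned binaries fall back to a per-file hash rule.
#    -UserPEs extends the policy to user-mode code, not only kernel drivers.
New-CIPolicy -Level Publisher -Fallback Hash -ScanPath 'C:\' -FilePath $policyXml -UserPEs

# 2. Start in audit mode (rule option 3): violations are written to the
#    Microsoft-Windows-CodeIntegrity/Operational log instead of being blocked,
#    so missing rules are found before a production binary is refused.
Set-RuleOption -FilePath $policyXml -Option 3

# 3. Require a signed policy: removing option 6 ("Enabled:Unsigned System
#    Integrity Policy") makes the engine reject any replacement policy that is
#    not signed by an approved signer. A local administrator without the
#    signing key therefore cannot drop in a permissive policy.
Set-RuleOption -FilePath $policyXml -Option 6 -Delete
Add-SignerRule -FilePath $policyXml -CertificatePath 'C:\CIPolicy\CIPolicySigner.cer' -Kernel -User -Update

# 4. Compile to binary and sign it (the OID marks the PKCS#7 as a CI policy).
ConvertFrom-CIPolicy -XmlFilePath $policyXml -BinaryFilePath $policyBin
& signtool.exe sign -v /n 'Contoso CI Policy Signing' -p7 'C:\CIPolicy' `
    -p7co 1.3.6.1.4.1.311.79.1 -fd sha256 $policyBin

# 5. Deploy: Windows loads SIPolicy.p7b at boot. Once the audit log is clean,
#    delete option 3 (Set-RuleOption -Option 3 -Delete), re-sign and redeploy
#    to move from audit to enforcement.
Copy-Item "$policyBin.p7" 'C:\Windows\System32\CodeIntegrity\SIPolicy.p7b'

# After reboot: 0 = off, 1 = audit, 2 = enforced
Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard |
    Select-Object UsermodeCodeIntegrityPolicyEnforcementStatus, CodeIntegrityPolicyEnforcementStatus
```

Keep the signing key off the servers being protected; the whole point of step 3 is that policy changes require something a compromised host administrator does not have.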

34 Demonstration: Device Guard

35 Respond more intelligently with log analytics integration
Windows Server 2016: respond more intelligently with log analytics integration.

36 Challenge: turn log files into operational insights
In order to better detect threats, the OS needs to provide additional auditing or event logging information.
Security Information and Event Management (SIEM) systems are only as intelligent as the information provided by the OS.

37 Windows Server 2016 approach
Enhanced auditing and event logs: log new audit events to better detect malicious behavior by providing more detailed information to security operations centers.
SIEM systems such as Operations Management Suite (OMS) can take advantage of this information to provide intelligence reports on potential breaches in the datacenter environment.

38 Protect applications with just enough OS
Windows Server 2016: protect applications with just enough OS.

39 Challenges in protecting new apps
Developers are making use of new packaging and deployment tools such as containers.
Containers share the same kernel, which limits isolation and exposes compliance and regulatory risks.
Lower the risk by providing only the components required by the application to run.
[Diagram: VM = shared hardware (hypervisor isolation); container = shared kernel (user-mode isolation).]

40 Windows Server 2016 approach
Hyper-V Containers: provide hypervisor isolation for each container with no additional coding requirements; align with regulatory requirements for PCI and PII data.
Nano Server: reduce the attack surface by deploying a minimal “just enough” server footprint.
[Diagram: VM = shared hardware (hypervisor isolation); Hyper-V container = shared platform (hypervisor isolation).]

41 Protect the virtualization fabric: Software Defined Networking (SDN) and micro-segmentation
Windows Server 2016: protect the virtualization fabric with Software Defined Networking (SDN) and micro-segmentation.

42 Application at risk! Phishing for secrets
[Diagram: virtual network “MyNetwork” with three /24 subnets. Subnet1 (Tier 1): Web Server 1 VM and Web Server 2 VM behind a public VIP, with outbound NAT. Subnet2 (Tier 2): File Server 1 VM and File Server 2 VM behind an internal VIP. Subnet3 (Tier 3): Active Directory VM. Application at risk: phishing for secrets.]

43 Application at risk! The attack
[Diagram: the same “MyNetwork” layout during the attack, with a private VIP in place of the internal VIP and markers (“N”) on Web Server 1 VM, Web Server 2 VM, File Server 1 VM and the outbound NAT.]

44 Dynamic Security Micro-segmentation
[Diagram: the same “MyNetwork” three-tier layout (web servers, file servers, Active Directory VM), now with micro-segmentation applied between the tiers.]

45 Dynamic Security Using the distributed firewall
[Diagram: the same “MyNetwork” layout with a network security group (NSG) applied through the distributed firewall, shown next to the Active Directory VM and internal VIP.]

46 Dynamic Security Virtual Appliances
[Diagram: the same “MyNetwork” layout with the NSG plus a Virtual Appliance VM inserted into the traffic path.]
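Added example, not part of the deck: a Network Controller access control list for the tiered “MyNetwork” of slides 42-46 that lets only the web tier reach the file-server tier on SMB, logs and drops every other inbound flow, and attaches the list to the subnet so the distributed firewall enforces it on whichever host the VMs run. The REST endpoint, subnet prefixes and resource IDs are constructed; the object model is the Network Controller PowerShell module's.

```powershell
# Added example, not from the deck. Constructed values: the Network Controller
# REST endpoint, the subnet prefixes and the resource IDs.
$uri      = 'https://nc.contoso.local'
$webTier  = '10.0.1.0/24'   # Subnet1, Tier 1: web servers behind the public VIP
$fileTier = '10.0.2.0/24'   # Subnet2, Tier 2: file servers

function New-SdnAclRule {
    param(
        [string]$Id, [int]$Priority, [string]$Action,
        [string]$Protocol = 'All', [string]$Source = '*', [string]$Destination = '*',
        [string]$SourcePorts = '0-65535', [string]$DestinationPorts = '0-65535'
    )
    $p = New-Object Microsoft.Windows.NetworkController.AclRuleProperties
    $p.Protocol                 = $Protocol          # All, TCP or UDP
    $p.SourcePortRange          = $SourcePorts
    $p.DestinationPortRange     = $DestinationPorts
    $p.Action                   = $Action            # Allow or Deny
    $p.SourceAddressPrefix      = $Source
    $p.DestinationAddressPrefix = $Destination
    $p.Priority                 = "$Priority"        # lower number is evaluated first
    $p.Type                     = 'Inbound'
    $p.Logging                  = 'Enabled'          # flow logs feed the SIEM/OMS side of the deck
    $r = New-Object Microsoft.Windows.NetworkController.AclRule
    $r.ResourceId = $Id
    $r.Properties = $p
    return $r
}

# Tier-2 policy: the web tier may open SMB (TCP 445) to the file servers;
# every other inbound flow, including web-server-to-file-server RDP or WinRM
# after a phished web server, is logged and dropped.
$rules = @(
    (New-SdnAclRule -Id 'AllowSmbFromWeb' -Priority 200 -Action 'Allow' -Protocol 'TCP' `
        -Source $webTier -Destination $fileTier -DestinationPorts '445'),
    (New-SdnAclRule -Id 'DenyAllInbound' -Priority 64000 -Action 'Deny')
)
$aclProps = New-Object Microsoft.Windows.NetworkController.AccessControlListProperties
$aclProps.AclRules = $rules
New-NetworkControllerAccessControlList -ConnectionUri $uri -ResourceId 'FileTierAcl' `
    -Properties $aclProps -Force | Out-Null
$acl = Get-NetworkControllerAccessControlList -ConnectionUri $uri -ResourceId 'FileTierAcl'

# Attach the list to Subnet2 of "MyNetwork". The Network Controller programs the
# rules into the virtual switch on every host, so the policy follows the VMs
# through live migration rather than living on one physical firewall.
$vnet   = Get-NetworkControllerVirtualNetwork -ConnectionUri $uri -ResourceId 'MyNetwork'
$subnet = $vnet.Properties.Subnets | Where-Object { $_.ResourceId -eq 'Subnet2' }
$subnet.Properties.AccessControlList = $acl
New-NetworkControllerVirtualNetwork -ConnectionUri $uri -ResourceId $vnet.ResourceId `
    -Properties $vnet.Properties -Force
```

Outbound rules for the file servers (for example Kerberos and LDAP to the Active Directory VM in Subnet3) are built the same way with Type set to Outbound and added to the same list.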

47 Protect the virtualization fabric
Windows Server 2016: protect the virtualization fabric.

48 Attackers target virtual machines
Any compromised or malicious fabric administrator can access guest virtual machines.
Health of hosts is not taken into account before running VMs (healthy host?).
Tenants’ VMs are exposed to storage and network attacks.
Virtual machines can’t take advantage of hardware-rooted security capabilities such as TPMs.
[Diagram: customer guest VMs running on the fabric’s hypervisor, host OS and storage.]

49 Contrast: Bare Metal vs. Regular VM vs. Shielded VM
Shielded VM: use BitLocker to encrypt the disk and state of virtual machines, protecting secrets from compromised admins and malware.
Host Guardian Service: attests to host health, releasing the keys required to boot or migrate a Shielded VM only to healthy hosts.
Generation 2 VM: supports virtualized equivalents of hardware security technologies (e.g. TPMs), enabling BitLocker encryption for Shielded VMs.
[Diagram: building perimeter and computer room around the physical Hyper-V hosts.]
Who can reach the workload’s data (yes = has access, no = blocked):
Role                               | Physical machine | Virtual machine | Shielded virtual machine*
Server administrator               | yes              | yes             | no
Storage administrator              | no               | yes             | no
Network administrator              | no               | yes             | no
Backup operator                    | no               | yes             | no
Virtualization-host administrator  | no               | yes             | no
Virtual machine administrator      | no               | yes             | yes
*Configuration dependent

50 Decryption keys: controlled by external system
[Diagram: a guarded fabric of Windows Server Hyper-V hosts (Hyper-V Host 1, 2 and 3), each running Virtual Secure Mode and hosting regular guest VMs alongside a Shielded VM. The Host Guardian Service (HGS) provides key protection plus health attestation.]
Host: “Please, guv’na, can I ‘ave some more keys?”
HGS: “Why certainly, I know you & I must say you’re looking very healthy today!”
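Added example, not part of the deck: on a guarded host, confirming that the host passed HGS attestation and then converting an existing generation 2 VM into a shielded VM whose key protector names the HGS as the guardian that releases the key. The guardian names “Owner” and “HGS”, the HGS metadata path and the VM name FileServer1 are assumptions.

```powershell
# Added example, not from the deck. Guardian names, the HGS metadata path and
# the VM name are assumptions. Runs on a Hyper-V host already registered with
# the HGS via Set-HgsClientConfiguration -AttestationServerUrl/-KeyProtectionServerUrl.
$vmName = 'FileServer1'

function Assert-GuardedHost {
    # Attestation gates key release: a host with the wrong code integrity policy,
    # Secure Boot off or an unknown TPM never receives the VM's key.
    $c = Get-HgsClientConfiguration
    if (-not $c.IsHostGuarded -or $c.AttestationStatus -ne 'Passed') {
        throw "Host is not healthy: status=$($c.AttestationStatus) substatus=$($c.AttestationSubstatus)"
    }
    return $c
}

function ConvertTo-ShieldedVm {
    param([string]$Name)
    # The owner guardian stays with the tenant; the HGS guardian was imported from
    # the service's metadata (Import-HgsGuardian -Path .\HGSGuardian.xml -Name 'HGS').
    $owner = Get-HgsGuardian -Name 'Owner'
    $hgs   = Get-HgsGuardian -Name 'HGS'
    # -AllowUntrustedRoot is only appropriate when the HGS certificates are
    # self-signed (lab builds); drop it for a production PKI.
    $kp = New-HgsKeyProtector -Owner $owner -Guardian $hgs -AllowUntrustedRoot

    Stop-VM -Name $Name -Force
    Set-VMKeyProtector -VMName $Name -KeyProtector $kp.RawData
    Enable-VMTPM -VMName $Name                           # vTPM backs BitLocker inside the guest
    Set-VMSecurityPolicy -VMName $Name -Shielded $true   # blocks console, PowerShell Direct, etc.
    Start-VM -Name $Name

    # Shielded, TpmEnabled and EncryptStateAndVmMigrationTraffic should all read True
    Get-VMSecurity -VMName $Name |
        Select-Object Shielded, TpmEnabled, EncryptStateAndVmMigrationTraffic
}

Assert-GuardedHost | Out-Null
ConvertTo-ShieldedVm -Name $vmName
```

The guest’s OS volume still has to be BitLocker-protected with the vTPM protector from inside the VM; shielding without that leaves the disk contents readable to anyone who can copy the VHDX.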

51 Demonstration: Shielded Virtual Machines

52 Summary & Compliance Mapping
Windows Server 2016: summary and compliance mapping.

53 Snapshot: our track record + 2016 innovations
Built-in security mechanisms: Privileged Identity Management; Credential Guard / Remote Credential Guard; Control Flow Guard; Defender; Device Guard (Code Integrity +++); enhanced auditing; JEA; Virtualization-based Security (VBS).
Windows Server 2016 introduces a new level of security with hardware-rooted Virtualization Based Security (VBS) that enables us to protect the OS from compromised administrators, whether running on bare metal or a virtual machine.
[Chart: reported vulnerabilities.] Unparalleled security: least vulnerable OS 4 years in a row.

54 Windows Server 2016: a different pivot
Host security (Hyper-V based fabric):
Protecting virtual machines: Shielded VMs (Server R2, 2016 guests); virtual TPM for generation 2 VMs; Host Guardian Service attests to host health; Secure Boot for Windows and Linux.
Hyper-V platform: Nano-based Hyper-V host; Virtualization Based Security (VBS).
Secure containers: Hyper-V containers; containers hosted in a Shielded VM.
Guest security (secure on any fabric):
Privileged identity: Credential Guard / Remote Credential Guard; Just In Time administration (JIT); Just Enough Administration (JEA).
Threat resistance: Control Flow Guard (CFG); Code Integrity (Device Guard); built-in anti-malware; Nano Server reduces attack surface.
Threat detection: enhanced threat detection.

55 Quick note on compliance: Windows Server 2016
Third-party assessment of compliance mappings across various security-related offerings in the Windows Server 2016 wave:
Hyper-V Shielded VMs compliance mapping whitepaper
JEA and JIT compliance mapping whitepaper
Device Guard compliance mapping whitepaper
Credential Guard compliance mapping whitepaper
Windows Defender compliance mapping whitepaper

56 Example: Shielded VM Compliance Mapping
Control area | ISO 27001:2013 | PCI DSS 3.2 | FedRAMP; NIST Revision 4
Enforcing separation of duties | A.6.1.2 Segregation of duties | 6.4.2 Separation of duties between test and production environments | AC-5 Separation of Duties
Implementation of least privilege access and partitioning tenant functionality | A – Management of privileged access rights; A – Separation of development, testing, and operational environments | 6.4.1 Test and production environment separation; 7.2 User access control on need-to-know basis; 7.2.3 Default “deny-all” setting | AC-6 Least Privilege; AC-6(10) Prohibit Non-Privileged Users from Executing Privileged Functions; SC-2 Application Partitioning
Protecting information stored in shared resources | None | 8.7 Restricted access to databases containing cardholder data | SC-4 Information in Shared Resources
Protection of data at rest | A – Media Access | 3.4 Verifying stored PAN is unreadable; 3.4.1 Disk encryption usage and access control; 6.5.3 Insecure cryptographic storage | SC-28 Protection of Information at Rest; SC-28(1) Protection of Information at Rest
Security function verification and integrity monitoring | | 11.5 Change-detection mechanism deployment | SI-6 Security Function Verification; SI-7 Software, Firmware, and Information Integrity

57 Related sessions (some from earlier this week)
1. BRK2152: Explore Windows Server security
2. BRK2145: Secure privileged access from active attacks
3. BRK3124: Dive into Shielded VMs with Windows Server 2016 Hyper-V
4. BRK3126: Discover Shielded VMs and learn about real world deployments
Windows Server + System Center session guide: aka.ms/WS2016Ignite

58 Resources & next steps…
Security and Assurance documentation
Demo videos, e.g. MS Mechanics on Shielded VMs
Datacenter/Private Cloud Security Blog
Compliance mapping: preliminary mappings contained in this and other related decks
Securing Privileged Access guidance
Microsoft Virtual Academy online courses

59 Please evaluate this session
Your feedback is important to us! From your PC or tablet, visit MyIgnite. From your phone, download and use the Ignite Mobile App by scanning the QR code on the slide.

60 Q&A
If you have additional questions, please feel free to ask them now… thanks for listening!
