Published by Dorothy Patterson. Modified over 6 years ago.
Slide 1: BRK3113 - How Microsoft IT builds Privileged Access Workstation using Windows 10 and Windows Server 2016
Speakers: Jian (Jane) Yan, Sr. Program Manager; Dean Wells, Principal Program Manager
© Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Slide 2: Agenda
- Why do you need a Privileged Access Workstation (PAW)?
- Existing PAW solutions overview
- Microsoft IT PAW solution and deployment
- Would you like to try it out? A PAW for your hybrid environment
Slide 3: Problem - common attack scenario
Diagram tiers: workstations and devices; infrastructure and application servers; domain controllers; directory database(s).
1. Beachhead to compromise credentials through a phishing attack or browser vulnerability
2. Compromise the machine and harvest admin credentials
3. Privilege escalation to compromise more servers
4. Persist presence: compromise the domain; steal data, destroy systems, etc.
Slide 4: Protecting Active Directory and admin privileges (http://aka.ms/privsec)
Roadmap staged by time to implement (2-4 weeks, 1-3 months, 6 months +), covering both Active Directory and Azure Active Directory.
2-4 weeks:
- 1.1 Separate admin account for admin tasks
- 1.2 Privileged Access Workstations (PAWs) Phase 1 - Active Directory admins
- 1.3 Unique local admin passwords for workstations
- 1.4 Unique local admin passwords for servers
1-3 months:
- 2.1 Privileged Access Workstations (PAWs) Phases 2 and 3 - all admins and additional hardening (Credential Guard, RDP Restricted Admin, etc.)
- 2.2 Time-bound privileges (no permanent admins)
- 2.4 Just Enough Admin (JEA) for DC maintenance
- 2.5 Lower attack surface of domain and DCs
- 2.6 Attack detection
Slide 5: Problem - the weakest link
In the corporate domain, the weakest link is the admin's own machine:
- Using the same machine for productivity (web, etc.) and for secure workloads
- Inbound connections to the machine on which privileged accounts are used
- Non-restrictive internet access on the machine while using a privileged account
Slide 6: Privileged Access Workstation (PAW)
- Account separation
- Workload isolation
- Hardening the OS
- Network restriction
Slide 7: PAW - physical machine isolation
Diagram: a dedicated PAW machine beside a separate Desktop machine.
Slide 8: PAW - physical machine isolation
Diagram: the PAW reaches domain controllers, directory database(s), and infrastructure and application servers; the desktop stays with ordinary workstations and devices.
Slide 9: Microsoft IT PAW overview
- Internally referred to as "Secure Access Workstation" (SAW)
- Over 22,000 users
- Completely separate management infrastructure for services and identity
- PAW: physical host; Desktop: virtual machine
Slide 10: Deployment
Diagram (components numbered 1-9): Privileged User Entitlement, Secure Supply Chain, TPM, PAW host with Desktop VM, OS, VPN, Proxy, High Risk Environment (HRE), and production domain servers and services.
Slide 11: Demo - Microsoft IT PAW
Slide 12: Microsoft PAW solution
Goals:
- Protect privileged identities
- Simple to deploy and manage
- Easy to scale
Backend deployment options:
- On-prem with full management control
- Cloud services with minimum touch
Slide 13: PAW solution design - SAC (Oct) release
- Locked-down host / guarded host
- Workload isolation for multiple identities
- Network isolation
- Hardening the OS
- Remote health attestation
- PAW: virtual machine; Desktop: virtual machine
- Reduces cost, improves productivity, maintains security
Slide 14: Remote health attestation on client
Designed to protect VM workloads from theft and from tampering by malware.
- Host Guardian Service (HGS) performs health attestation (using the TPM) against known physical machines, a trusted Hyper-V instance, and a Code Integrity policy
- The PAW guarded host passes health attestation; HGS then releases the key needed to start the VM
Slide 15: Locked-down PAW host
- Non-admin user logon
- Whitelisted network destinations and applications
- Remote health attestation
Slide 16: PAW security enablement
PAW host:
- Hardware/firmware: TPM 2.0, UEFI/Secure Boot
- Network: block inbound traffic
- Hardening the OS: Device Guard enabled; enforced CI policy, blocking apps from running on the host; security baseline policy applied; BitLocker enabled; Defender Application Guard enabled; Exploit Guard enabled; remote health attestation
- Credential protection: logon user has standard user privilege; Credential Guard; strong authentication (smartcard or Hello for Business)
- Monitoring: ATP
PAW VM:
- Gen2 VM with UEFI and Secure Boot, vTPM
- Network: block inbound traffic
- Hardening the OS: Device Guard enabled; enforced CI policy, blocking apps from running on the host; security baseline policy applied; BitLocker enabled; Defender Application Guard enabled; Exploit Guard enabled; only the browser or RDP are allowed to run
- Credential protection: logon user has standard user privilege; Credential Guard
- Monitoring: ATP
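The host-side checklist above is the state a defender wants to verify on every machine before it is trusted as a PAW. The following PowerShell audit is an added example written for this page, not code from the presentation or from Microsoft IT; it assumes an elevated session on Windows 10 / Server 2016 with the built-in TrustedPlatformModule, SecureBoot, NetSecurity, BitLocker, Defender and LocalAccounts modules, and treats the HgsClient cmdlet as optional (present only on a guarded host).

```powershell
# Added audit script (not from the presentation): checks a Windows 10 /
# Server 2016 host against the "PAW host" column of this slide.
# Run in an elevated PowerShell session on the candidate host.
$results = [ordered]@{}

# Hardware/firmware: TPM present and ready, UEFI Secure Boot on
$tpm = Get-Tpm
$results['TPM present and ready'] = $tpm.TpmPresent -and $tpm.TpmReady
# Confirm-SecureBootUEFI throws on legacy BIOS machines, so treat that as a failure
$results['Secure Boot enabled'] = $(try { Confirm-SecureBootUEFI } catch { $false })

# Network: every firewall profile enabled with default inbound action Block
$bad = Get-NetFirewallProfile |
    Where-Object { $_.Enabled -ne 'True' -or $_.DefaultInboundAction -ne 'Block' }
$results['Inbound blocked on all profiles'] = @($bad).Count -eq 0

# Device Guard state from the DeviceGuard WMI provider
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
# SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI (memory integrity)
$results['Credential Guard running'] = $dg.SecurityServicesRunning -contains 1
$results['HVCI running']             = $dg.SecurityServicesRunning -contains 2
# CodeIntegrityPolicyEnforcementStatus: 0 = off, 1 = audit only, 2 = enforced
$results['CI policy enforced (not audit)'] = $dg.CodeIntegrityPolicyEnforcementStatus -eq 2

# BitLocker on the OS volume
$results['BitLocker protection on'] =
    (Get-BitLockerVolume -MountPoint $env:SystemDrive).ProtectionStatus -eq 'On'

# Defender real-time protection (ATP onboarding is visible in the portal, not checked here)
$results['Defender real-time protection'] = (Get-MpComputerStatus).RealTimeProtectionEnabled

# Remote health attestation: meaningful only on a guarded host with the HgsClient module
try   { $results['Host attested by HGS'] = [bool](Get-HgsClientConfiguration).IsHostGuarded }
catch { $results['Host attested by HGS'] = $false }

# Credential protection: the console user must not be a direct member of Administrators
# (nested group membership is not resolved by this check)
$console = (Get-CimInstance Win32_ComputerSystem).UserName
$admins  = (Get-LocalGroupMember -Group 'Administrators').Name
$results['Console user is a standard user'] = [bool]$console -and ($admins -notcontains $console)

$results.GetEnumerator() | ForEach-Object {
    '{0,-36} {1}' -f $_.Key, $(if ($_.Value) { 'PASS' } else { 'FAIL' })
}
```

Any FAIL line is a control from the slide that is missing on that host; the PAW VM column can be audited the same way from inside the guest, minus the TPM and HGS checks.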
Slide 17: Demo - PoC PAW device
Slide 18: PAW backend deployment options
On-prem (ESAE, Enhanced Security Administration Environment):
- AD dedicated to PAW devices and users
- Host Guardian Service (HGS)
- Windows Deployment Server (WDS)
- VPN servers
- Patch management
- Monitoring
Azure services (PoC):
- Azure PAW service
- Azure AD
- Intune
- Windows Defender ATP
Slide 19: Call to action
- Try it
- Share your feedback: Pawfeedback@microsoft.com
Let's build it together.
Slide 20: Related content
Tuesday, September 26th, BRK: Securing virtual workloads in less than 60 minutes: A live guarded fabric deployment. Room: OCCC W307. Time: 4:00 PM - 5:15 PM.
Booth: Windows Server Security and Identity.
Slide 21: Please evaluate this session
From your PC or tablet: visit MyIgnite. Phone: download and use the Microsoft Ignite mobile app. Your input is important!