Ondrej Sevecek | GOPAS a.s. MCSM:Directory Services | MVP:Enteprise Security | CISA | CEH | CHFI | facebook: ondrej.sevecek.official | What is new in Security in Windows 2016 and Windows 10 Revolution or Evolution? GOLD PARTNER:Hlavní odborný partner:
Agenda Virtual Smart Cards and TPM attestation Credentials Guard (Device Guard) Shielded VMs Microsoft Passport authentication with AD DS BitLocker with XTS-AES Windows Defender on servers by default Temporary AD group membership and PAM 2003 DFL/FFL deprecated WAP reverse HTTPS publishing ADFS improvements
Smart Cards and Credential Guard
High-Level OS Process Credential Guard Traditional LSASS credential management and theft Process LSASS Process NTLM TGT password Process Attacker
Why use Smart Cards CryptoCPU public storage memory protected private crypt memory OS firmware ROM API calls PIN master PIN PC Attacker
Virtual Smart Cards on Windows 10 TPM based smart card ▪ Smart Card Logon certificates ▪ User identity bound to a device Hardware attestation available with AD CS Windows 2012 TpmVscMgr create /name "SevecekTest" /generate –AdminKey 48 digits –PIN 8 characters –PUK 8 characters certutil.exe -setreg CA\EndorsementKeyListDirectories +"C:\tpmkeys" –6dc60500e98df104c bfb529a2924d75d827b5f50f5630f177721e49e = size 0, no extension
Hypervisor Credential Guard Prevent LSASS credential theft Isolate User Mode (IUM) High-Level OS Process LSASS Process NTLM TGT password vmbus trustlet Attacker
Credential Guard Requirements Enterprise Edition x64 hardware virtualization UEFI Secure Boot and others...
Enabling Credential Guard GPO ▪ Computer Configuration ▪ Administrative Templates ▪ System ▪ Device Guard Image –dism /Enable-Feature /FeatureName:IsolatedUserMode Reboot required (hypervisor installed automatically)
Credential Guard Events System log, source WinInt ▪ 13,14,15,16,17
Credential Manager and Credential Guard Credential Manager ▪ stores per-user credentials since Vista Does not work with Credential Guard you should have disabled it at all anyway :-)
Who can disable Credential Guard without EFI lock local Adminstrators ▪ requires restart ▪ GPO/registry with EFI lock local Administrators –requires physical presence –bcdedit loadoptions DISABLE-LSA-ISO, DISABLE-VBS
What attacks still avoid Credential Guard Keylogger Hardware keyloggers Extracting stored passwords DoS Script/code injections Other memory attacks
Shielded VMs
Separate host Administrators from VMs
Cloud identities
Windows 8+ ▪ use Microsoft Account to log on locally ▪ maps to a local user account Windows 10 use Microsoft Passport to log on with Kerberos/NTLM tickets mapping certificate to user account in AD just like Smart Card Logon TPM Virtual Smart Card or Smart Card or Software
Enabling Microsoft Passport GPO ▪ Windows Configuration ▪ Administrative Templates ▪ Windows Components ▪ Microsoft Passport for Work Current support requirements –Azure subscription, Azure join, Intune, ADFS, System Center, Windows 2016 Future support requirements –Windows 2016 RTM
BitLocker
BitLocker with XTS-AES Windows Vista, 7, 2008, 2008 R2 ▪ AES 128, AES 256 ▪ AES 128 with Diffuser, AES 256 with Diffuser Windows 8, 8.1, 2012, 2012 R2 ▪ AES 128, AES 256 ▪ Windows 10, 2016 ▪ AES 128, AES 256 ▪ XTS-AES 128, XTS-AES 256
Disk de/encryption Whole disks encrypted with a single AES FVEK Every sector gets its own IV based on sector ID AES CBC sector decryption ▪ first block (128 bits/16 bytes) is decrypted by FVEK+sectorIV ▪ subsequent blocks are decrypted by FVEK+previousEncryptedBlock any sector decrypts with FVEK without knowing IV except for the first 128bits/16bytes
Sector switch attacks Offline switch some sectors (512 bytes) ▪ will run if the first 16 bytes are not relevant AES Diffuser proprietary MS XTS-AES FIPS compliant
Windows Defender on Servers
Windows 2016 file and network inspections updated from Windows Update automatic exclusions events
Windows Defender automatic exclusions on Servers Group Policy –%allusersprofile%\NTUser.pol –%SystemRoot%\System32\GroupPolicy\Machine\registry.pol –%SystemRoot%\System32\GroupPolicy\User\registry.pol DFSR –%systemroot%\System32\dfsr.exe –%systemroot%\System32\dfsrs.exe Hyper-V –*.vhd, *.vhdx, *.iso,... –%systemroot%\System32\Vmms.exe –%systemroot%\System32\Vmwp.exe Active Directory –HKLM\System\CurrentControlSet\Services\NTDS\Parameters\DSA Database File –HKLM\System\CurrentControlSet\Services\NTDS\Parameters\Database Log Files –HKLM\System\CurrentControlSet\Services\NTDS\Parameters\DSA Working Directory –%systemroot%\System32\ntfrs.exe –%systemroot%\System32\lsass.exe Web server –%SystemRoot%\IIS Temporary Compressed Files –%SystemDrive%\inetpub\temp\IIS Temporary Compressed Files –%SystemDrive%\inetpub\temp\ASP Compiled Templates –%systemDrive%\inetpub\logs –%systemDrive%\inetpub\wwwroot –%SystemRoot%\system32\inetsrv\w3wp.exe –%SystemRoot%\SysWOW64\inetsrv\w3wp.exe –%SystemDrive%\PHP5433\php-cgi.exe ...
Windows Defender events Application and Service Logs –Microsoft Windows –Windows Defender »Operational
Add exclusion or (un)install Windows Defender Add-MpPreference -ExclusionPath "c:\Accounting" Get-WindowsFeature *defender* Get-WindowsFeature *defender | Remove-WindowsFeature # Restart needed!
Temporary group membership aka PAM
Privileged Access Management Limited access Temporary access Secure workstations Protect credentials
Temporary AD objects (since FFL 2003) dynamicObject class entryTTL = seconds CN=Directory Services,CN=Windows NT,CN=Services,CN=Configuration –ms-DS-Other-Settings: DynamicObjectDefaultTTL (seconds) DynamicObjectMinTTL (seconds)
Temporary AD group membership (FFL 2003) Real group Proxy group with TTL User account standard TGT lifetime
Privileged Access Management feature (FFL 2016) New AD optional feature –Privileged Access Management Feature –Get-ADOptionalFeature Add-ADGroupMember -MemberTimeToLive –lowest lifetime propagates to Kerberos TGT tickets LDP –LDAP_SERVER_LINK_TTL_OID
2003 DFL/FFL deprecated
Move to 2008 DFL –enable/enforce AES for Kerberos –remove RC4 Move to 2012 FFL –enable group managed service accounts –smaller Kerberos tickets Move to 2016 FFL –enable temporary group membership
WAP reverse HTTPS publishing
Principal scenario (internal HTTP or HTTPS) Web Server Browser Client GUI Client Reverse HTTPS Proxy DC Web Server TLS Certificate GPS gopas.virtual
Reasons for WAP Perimeter TLS offloading Isolate TCP/IP attacks Authenticate users –password forms –certificates Extranet lockout
What is new in WAP 2016 HTTP -> HTTPS redirection TLS offloading publishing RDP Web Apps
ADFS improvements
What is new in ADFS 2016 Certification authority Administrative delegation Access rule wizards Azure MFA built-in –on-premises to cloud | cloud to on-premises
Recap Virtual Smart Cards and TPM attestation Credentials Guard (Device Guard) Shielded VMs Microsoft Passport authentication with AD DS BitLocker with XTS-AES Windows Defender on servers by default Temporary AD group membership and PAM 2003 DFL/FFL deprecated WAP reverse HTTPS publishing ADFS improvements
Děkuji za pozornost! GOC173 - Enterprise PKI GOC175 - Windows Security Internals GOC171 - Active Directory Internals Ondrej Sevecek | GOPAS a.s. MCSM:Directory Services | MVP:Enteprise Security | CISA | CEH | CHFI | facebook: ondrej.sevecek.official |
Aktuální a navazující kurzy sledujte na DÁREK PRO VÁS! TechEd-DevCon 2016! …získejte tričko TechEd-DevCon 2016!Vyplňte dotazníkové hodnocení a… TechEd party! Xbowling Strašnice, Buďte The Best IT Pro nebo The Best Developer SOUTĚŽ! SOUTĚŽ! SOUTĚŽ!