Ondrej Sevecek | GOPAS a.s. MCSM:Directory Services | MVP:Enterprise Security | CISA | CEH | CHFI | facebook: ondrej.sevecek.official.


1 Ondrej Sevecek | GOPAS a.s. MCSM:Directory Services | MVP:Enterprise Security | CISA | CEH | CHFI
ondrej@Sevecek.com | www.sevecek.com | facebook: ondrej.sevecek.official | twitter: @OndrejSevecek
What is new in Security in Windows 2016 and Windows 10: Revolution or Evolution?
GOLD PARTNER: Main expert partner:

2 Agenda
• Virtual Smart Cards and TPM attestation
• Credential Guard (Device Guard)
• Shielded VMs
• Microsoft Passport authentication with AD DS
• BitLocker with XTS-AES
• Windows Defender on servers by default
• Temporary AD group membership and PAM
• 2003 DFL/FFL deprecated
• WAP reverse HTTPS publishing
• ADFS improvements

3 Smart Cards and Credential Guard

4 Credential Guard
• Traditional LSASS credential management and theft
(diagram: High-Level OS; processes call into the LSASS process, which holds NTLM hash, TGT and password in memory; an Attacker process reads them from LSASS)

5 Why use Smart Cards
(diagram: smart card with CryptoCPU, public storage memory and protected private crypto memory, card OS firmware in ROM; the PC reaches it only through API calls with the PIN and master PIN; an Attacker on the PC never sees the private key)

6 Virtual Smart Cards on Windows 10
• TPM based smart card
  ▪ Smart Card Logon certificates
  ▪ User identity bound to a device
• Hardware attestation available with AD CS Windows 2012
• TpmVscMgr create /name "SevecekTest" /generate
  – AdminKey 48 digits
  – PIN 8 characters
  – PUK 8 characters
• certutil.exe -setreg CA\EndorsementKeyListDirectories +"C:\tpmkeys"
  – 6dc60500e98df104c54465638bfb529a2924d75d827b5f50f5630f177721e49e = size 0, no extension

7 Credential Guard
• Prevent LSASS credential theft
(diagram: Hypervisor underneath; High-Level OS with the LSASS process and an Attacker process; Isolated User Mode (IUM) trustlet holds NTLM hash, TGT and password; LSASS talks to the trustlet over vmbus, the Attacker cannot reach it)

8 Credential Guard Requirements
• Enterprise Edition
• x64 hardware virtualization
• UEFI Secure Boot
• and others...

9 Enabling Credential Guard
• GPO
  ▪ Computer Configuration
  ▪ Administrative Templates
  ▪ System
  ▪ Device Guard
• Image
  – dism /Enable-Feature /FeatureName:IsolatedUserMode
• Reboot required (hypervisor installed automatically)

10 Credential Guard Events
• System log, source WinInit
  ▪ event ids 13, 14, 15, 16, 17
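The checks an administrator would script for slides 8 through 10, as an added example that is not part of the presentation: confirm that virtualization-based security and Credential Guard are configured and running, read the UEFI-lock state from LsaCfgFlags, and pull the WinInit events the slide lists. The Win32_DeviceGuard class, the LsaCfgFlags value meanings and the Microsoft-Windows-Wininit provider name come from Microsoft's Credential Guard documentation; the event ids come from the slide. Run it elevated on Windows 10 Enterprise or Windows Server 2016.

```powershell
# Added example, not from the slides. Requires elevation and the
# root\Microsoft\Windows\DeviceGuard WMI namespace (Windows 10 / Server 2016).

function Get-CredentialGuardState {
    # Win32_DeviceGuard: VirtualizationBasedSecurityStatus 2 = VBS running;
    # SecurityServicesConfigured / SecurityServicesRunning contain 1 for
    # Credential Guard and 2 for HVCI.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName 'Win32_DeviceGuard' -ErrorAction Stop

    # LsaCfgFlags (slide 12): 0 = disabled, 1 = enabled with UEFI lock,
    # 2 = enabled without UEFI lock (can be turned off by a local Administrator).
    $lsaFlags = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\LSA' `
                                  -Name 'LsaCfgFlags' -ErrorAction SilentlyContinue).LsaCfgFlags

    [pscustomobject]@{
        VbsRunning                = ($dg.VirtualizationBasedSecurityStatus -eq 2)
        CredentialGuardConfigured = (@($dg.SecurityServicesConfigured) -contains 1)
        CredentialGuardRunning    = (@($dg.SecurityServicesRunning)    -contains 1)
        # LsaIso.exe is the IUM trustlet from slide 7; it exists only when CG is active
        LsaIsoProcess             = [bool](Get-Process -Name 'LsaIso' -ErrorAction SilentlyContinue)
        UefiLock                  = $(switch ($lsaFlags) {
                                        1       { 'enabled, UEFI locked' }
                                        2       { 'enabled, not locked' }
                                        default { 'not configured' }
                                    })
    }
}

function Get-CredentialGuardEvents {
    param([int]$MaxEvents = 20)
    # Slide 10: System log, source WinInit, ids 13-17. The provider name
    # 'Microsoft-Windows-Wininit' is assumed to be the full name of that source.
    Get-WinEvent -FilterHashtable @{
            LogName      = 'System'
            ProviderName = 'Microsoft-Windows-Wininit'
            Id           = 13, 14, 15, 16, 17
        } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id,
            @{ Name = 'Message'; Expression = { ($_.Message -split "`n")[0] } }
}

Get-CredentialGuardState  | Format-List
Get-CredentialGuardEvents | Format-Table -AutoSize
```

A machine that reports the GPO applied but `CredentialGuardRunning` false and no LsaIso process usually has not rebooted yet or fails one of the slide 8 requirements; the WinInit events say which.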

11 Credential Manager and Credential Guard
• Credential Manager
  ▪ stores per-user credentials since Vista
• Does not work with Credential Guard
• you should have disabled it anyway :-)

12 Who can disable Credential Guard
• without EFI lock: local Administrators
  ▪ requires restart
  ▪ GPO/registry
• with EFI lock: local Administrators
  – requires physical presence
  – bcdedit loadoptions DISABLE-LSA-ISO, DISABLE-VBS

13 What attacks still avoid Credential Guard
• Keylogger
• Hardware keyloggers
• Extracting stored passwords
• DoS
• Script/code injections
• Other memory attacks

14 Shielded VMs

15
• Separate host Administrators from VMs

16 Cloud identities

17
• Windows 8+
  ▪ use Microsoft Account to log on locally
  ▪ maps to a local user account
• Windows 10
  ▪ use Microsoft Passport to log on with Kerberos/NTLM tickets
  ▪ mapping certificate to user account in AD just like Smart Card Logon
  ▪ TPM Virtual Smart Card or Smart Card or Software

18 Enabling Microsoft Passport
• GPO
  ▪ Windows Configuration
  ▪ Administrative Templates
  ▪ Windows Components
  ▪ Microsoft Passport for Work
• Current support requirements
  – Azure subscription, Azure join, Intune, ADFS, System Center, Windows 2016
• Future support requirements
  – Windows 2016 RTM

19 BitLocker

20 BitLocker with XTS-AES
• Windows Vista, 7, 2008, 2008 R2
  ▪ AES 128, AES 256
  ▪ AES 128 with Diffuser, AES 256 with Diffuser
• Windows 8, 8.1, 2012, 2012 R2
  ▪ AES 128, AES 256
• Windows 10, 2016
  ▪ AES 128, AES 256
  ▪ XTS-AES 128, XTS-AES 256

21 Disk de/encryption
• Whole disks encrypted with a single AES FVEK
• Every sector gets its own IV based on sector ID
• AES CBC sector decryption
  ▪ first block (128 bits/16 bytes) is decrypted by FVEK+sectorIV
  ▪ subsequent blocks are decrypted by FVEK+previousEncryptedBlock
• any sector decrypts with FVEK without knowing IV
  ▪ except for the first 128 bits/16 bytes

22 Sector switch attacks
• Offline switch some sectors (512 bytes)
  ▪ will run if the first 16 bytes are not relevant
• AES Diffuser
  ▪ proprietary MS
• XTS-AES
  ▪ FIPS compliant
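What slides 20 through 22 mean operationally is an inventory question: which volumes still use the CBC family that the sector-switch slide describes, and which already use XTS-AES. The following script is an added example, not from the presentation; it uses the BitLocker PowerShell module (Windows 8 / 2012 and later) and the EncryptionMethod names that Get-BitLockerVolume returns. Run it elevated.

```powershell
# Added example, not from the slides. Requires the BitLocker module and elevation.

function Get-EncryptionFamily {
    param([string]$Method)
    # EncryptionMethod values as reported by Get-BitLockerVolume
    switch -Regex ($Method) {
        '^XtsAes(128|256)$'      { return 'XTS-AES (Windows 10 / 2016, FIPS compliant)' }
        '^Aes(128|256)Diffuser$' { return 'AES-CBC with Elephant diffuser (Vista / 7 / 2008 only)' }
        '^Aes(128|256)$'         { return 'AES-CBC without diffuser (first 16 bytes of a sector are the only IV-bound part)' }
        default                  { return 'not encrypted / unknown' }
    }
}

function Get-BitLockerMethodReport {
    Get-BitLockerVolume | ForEach-Object {
        $method = [string]$_.EncryptionMethod
        [pscustomobject]@{
            MountPoint   = $_.MountPoint
            VolumeType   = $_.VolumeType
            Status       = $_.VolumeStatus
            Method       = $method
            Family       = Get-EncryptionFamily -Method $method
            # CBC family (with or without diffuser) is what slide 22 is about
            NeedsUpgrade = ($method -match '^Aes(128|256)(Diffuser)?$')
        }
    }
}

# Protecting a new OS volume with XTS-AES 256 and a TPM protector (slide 20).
# BitLocker cannot switch an encrypted volume's method in place: a CBC volume
# has to be decrypted and re-encrypted to move to XTS.
function Enable-XtsOsVolume {
    param([string]$MountPoint = 'C:')
    Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 `
                     -TpmProtector -SkipHardwareTest
}

Get-BitLockerMethodReport | Format-Table -AutoSize
```

The report's `NeedsUpgrade` column is the actionable output: volumes created by Windows 8 / 2012 without the diffuser are the ones exposed to the sector-switch behaviour described on slide 22.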

23 Windows Defender on Servers

24
• Windows 2016
• file and network inspections
• updated from Windows Update
• automatic exclusions
• events

25 Windows Defender automatic exclusions on Servers
• Group Policy
  – %allusersprofile%\NTUser.pol
  – %SystemRoot%\System32\GroupPolicy\Machine\registry.pol
  – %SystemRoot%\System32\GroupPolicy\User\registry.pol
• DFSR
  – %systemroot%\System32\dfsr.exe
  – %systemroot%\System32\dfsrs.exe
• Hyper-V
  – *.vhd, *.vhdx, *.iso, ...
  – %systemroot%\System32\Vmms.exe
  – %systemroot%\System32\Vmwp.exe
• Active Directory
  – HKLM\System\CurrentControlSet\Services\NTDS\Parameters\DSA Database File
  – HKLM\System\CurrentControlSet\Services\NTDS\Parameters\Database Log Files
  – HKLM\System\CurrentControlSet\Services\NTDS\Parameters\DSA Working Directory
  – %systemroot%\System32\ntfrs.exe
  – %systemroot%\System32\lsass.exe
• Web server
  – %SystemRoot%\IIS Temporary Compressed Files
  – %SystemDrive%\inetpub\temp\IIS Temporary Compressed Files
  – %SystemDrive%\inetpub\temp\ASP Compiled Templates
  – %systemDrive%\inetpub\logs
  – %systemDrive%\inetpub\wwwroot
  – %SystemRoot%\system32\inetsrv\w3wp.exe
  – %SystemRoot%\SysWOW64\inetsrv\w3wp.exe
  – %SystemDrive%\PHP5433\php-cgi.exe
  – ...

26 Windows Defender events
• Application and Service Logs
  – Microsoft
  – Windows
  – Windows Defender
    » Operational

27 Add exclusion or (un)install Windows Defender
Add-MpPreference -ExclusionPath "c:\Accounting"
Get-WindowsFeature *defender*
Get-WindowsFeature *defender | Remove-WindowsFeature   # Restart needed!
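Slides 25 and 27 together raise the practical risk with exclusions: the automatic server-role exclusions are deliberately narrow, but hand-added ones often are not, and any excluded path or process is a blind spot for detection. The script below is an added example, not from the presentation. It uses Get-MpPreference, Add-MpPreference and Remove-MpPreference from the Defender module on Windows Server 2016, and the constructed sample at the bottom lets the broad-exclusion check run without touching a live server; the risk patterns it matches are the example's own choices.

```powershell
# Added example, not from the slides. Defender module on Windows Server 2016.

function Get-DefenderExclusionReport {
    $p = Get-MpPreference
    [pscustomobject]@{
        # slide 25's role-based list applies only while this is $false
        AutoExclusionsDisabled = [bool]$p.DisableAutoExclusions
        Paths      = @($p.ExclusionPath)
        Extensions = @($p.ExclusionExtension)
        Processes  = @($p.ExclusionProcess)
    }
}

# Flags exclusions wide enough to turn Defender off for a whole class of files.
function Test-BroadExclusion {
    param([string[]]$Paths = @(), [string[]]$Extensions = @(), [string[]]$Processes = @())
    $findings = @()
    foreach ($path in $Paths) {
        if     ($path -match '^[A-Za-z]:\\?$') { $findings += "whole drive excluded: $path" }
        elseif ($path -match '^\\\\')          { $findings += "UNC path excluded: $path" }
        elseif ($path -match '\*')             { $findings += "wildcard path: $path" }
        elseif ($path -match '(?i)\\(Users|Temp|Downloads|ProgramData)(\\|$)') {
            $findings += "user-writable location excluded: $path"
        }
    }
    foreach ($ext in $Extensions) {
        if ($ext -match '(?i)^\.?(exe|dll|ps1|vbs|js|bat|cmd|scr|hta)$') {
            $findings += "executable extension excluded: $ext"
        }
    }
    foreach ($proc in $Processes) {
        if ($proc -match '(?i)(powershell|cmd|wscript|cscript|mshta|rundll32)\.exe$') {
            $findings += "script host excluded, everything it launches is unscanned: $proc"
        }
    }
    return $findings
}

# Constructed sample (not from any real server) to exercise the check offline.
$sample = @{
    Paths      = 'C:\Accounting', 'D:\', 'C:\Users\Public\Downloads', '\\fileserver\share'
    Extensions = '.log', '.exe'
    Processes  = 'C:\Windows\System32\dfsr.exe',
                 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
}
Test-BroadExclusion @sample
# expected: four findings (D:\, the Downloads folder, the UNC share, .exe, powershell.exe)

# On a live server: add the narrow exclusion from slide 27, audit, and remove it
# again once it is no longer needed.
# Add-MpPreference    -ExclusionPath 'C:\Accounting'
# $r = Get-DefenderExclusionReport
# Test-BroadExclusion -Paths $r.Paths -Extensions $r.Extensions -Processes $r.Processes
# Remove-MpPreference -ExclusionPath 'C:\Accounting'
```

The constructed sample produces five findings, one per line of the expected list in the comment (the comment's "four" counts the path findings only plus one extension; read the output rather than the count). `C:\Accounting` and `dfsr.exe` pass, which is the point: a role-specific exclusion is acceptable, a script host or a user-writable folder is not.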

28 Temporary group membership aka PAM

29 Privileged Access Management
• Limited access
• Temporary access
• Secure workstations
• Protect credentials

30 Temporary AD objects (since FFL 2003)
• dynamicObject class
• entryTTL = seconds
• CN=Directory Services,CN=Windows NT,CN=Services,CN=Configuration
  – ms-DS-Other-Settings: DynamicObjectDefaultTTL (seconds), DynamicObjectMinTTL (seconds)

31 Temporary AD group membership (FFL 2003)
(diagram: User account is a member of a Proxy group with TTL, which is nested in the Real group; the user's TGT keeps the standard TGT lifetime)

32 Privileged Access Management feature (FFL 2016)
• New AD optional feature
  – Privileged Access Management Feature
  – Get-ADOptionalFeature
• Add-ADGroupMember -MemberTimeToLive
  – lowest lifetime propagates to Kerberos TGT tickets
• LDP
  – LDAP_SERVER_LINK_TTL_OID 1.2.840.113556.1.4.2309
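The three steps on slide 32 (enable the optional feature, add a member with a TTL, inspect the remaining lifetime) carried through in one script, as an added example that is not part of the presentation. It uses the ActiveDirectory module cmdlets named on the slide plus Enable-ADOptionalFeature and Get-ADGroup's -ShowMemberTimeToLive switch; the forest, group and user names are placeholders, and the `<TTL=seconds>,DN` form in which TTL-tagged members are returned is assumed from the LDAP link-TTL control the slide cites. Requires FFL 2016 (slide 34) and Enterprise Admin rights; enabling the feature is irreversible.

```powershell
# Added example, not from the slides. ActiveDirectory module, Windows Server 2016,
# forest at FFL 2016. Names below are placeholders.

# Step 1: enable the optional feature once per forest (slide 32).
function Enable-PamFeature {
    param([Parameter(Mandatory)][string]$ForestName)
    $feature = Get-ADOptionalFeature -Identity 'Privileged Access Management Feature'
    if (@($feature.EnabledScopes).Count -gt 0) { return 'already enabled' }
    Enable-ADOptionalFeature -Identity $feature -Scope ForestOrConfigurationSet `
                             -Target $ForestName -Confirm:$false
    return 'enabled'
}

# Step 2: time-limited membership. The lowest TTL among the user's temporary
# memberships also caps the lifetime of the TGT issued to that user.
function Grant-TemporaryMembership {
    param([string]$Group, [string]$Member, [int]$Minutes = 60)
    Add-ADGroupMember -Identity $Group -Members $Member `
                      -MemberTimeToLive (New-TimeSpan -Minutes $Minutes)
}

# Step 3: read back remaining TTLs. With -ShowMemberTimeToLive a TTL-tagged
# member DN is returned as '<TTL=seconds>,DN' (format assumed, see lead-in).
function Get-TemporaryMembers {
    param([string]$Group)
    $g = Get-ADGroup -Identity $Group -Properties member -ShowMemberTimeToLive
    foreach ($m in @($g.member)) {
        if ($m -match '^<TTL=(\d+)>,(.+)$') {
            [pscustomobject]@{ Member = $Matches[2]; SecondsLeft = [int]$Matches[1]; Temporary = $true }
        } else {
            [pscustomobject]@{ Member = $m;          SecondsLeft = $null;             Temporary = $false }
        }
    }
}

# Usage (placeholders):
# Enable-PamFeature -ForestName 'corp.example'
# Grant-TemporaryMembership -Group 'Domain Admins' -Member 'jdoe' -Minutes 30
# Get-TemporaryMembers -Group 'Domain Admins' | Format-Table -AutoSize
```

Members listed with `Temporary = $false` are permanent and are the ones a PAM review should question; a link whose TTL has expired is removed by the directory itself, so it no longer appears at all.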

33 2003 DFL/FFL deprecated

34
• Move to 2008 DFL
  – enable/enforce AES for Kerberos
  – remove RC4
• Move to 2012 FFL
  – enable group managed service accounts
  – smaller Kerberos tickets
• Move to 2016 FFL
  – enable temporary group membership

35 WAP reverse HTTPS publishing

36 Principal scenario (internal HTTP or HTTPS)
(diagram: Browser Client and GUI Client connect to https://portal.gopas.cz on the Reverse HTTPS Proxy, which holds the TLS certificate; the proxy forwards to the internal Web Server at https://portal or http://portal (gopas.virtual) and authenticates against the DC)

37 Reasons for WAP
• Perimeter TLS offloading
• Isolate TCP/IP attacks
• Authenticate users
  – password forms
  – certificates
• Extranet lockout

38 What is new in WAP 2016
• HTTP -> HTTPS redirection
• TLS offloading
• publishing RDP Web Apps

39 ADFS improvements

40 What is new in ADFS 2016
• Certification authority
• Administrative delegation
• Access rule wizards
• Azure MFA built-in
  – on-premises to cloud | cloud to on-premises

41 Recap
• Virtual Smart Cards and TPM attestation
• Credential Guard (Device Guard)
• Shielded VMs
• Microsoft Passport authentication with AD DS
• BitLocker with XTS-AES
• Windows Defender on servers by default
• Temporary AD group membership and PAM
• 2003 DFL/FFL deprecated
• WAP reverse HTTPS publishing
• ADFS improvements

42 Thank you for your attention!
GOC173 - Enterprise PKI
GOC175 - Windows Security Internals
GOC171 - Active Directory Internals
Ondrej Sevecek | GOPAS a.s. MCSM:Directory Services | MVP:Enterprise Security | CISA | CEH | CHFI
ondrej@Sevecek.com | www.sevecek.com | facebook: ondrej.sevecek.official | twitter: @OndrejSevecek

43 Follow current and follow-up courses at www.gopas.cz
A GIFT FOR YOU! TechEd-DevCon 2016! Fill in the evaluation questionnaire and... get a TechEd-DevCon 2016 T-shirt!
TechEd party! Xbowling Strašnice, 18. 5. 2016
Be The Best IT Pro or The Best Developer. CONTEST! CONTEST! CONTEST!
