Sander Berkouwer Microsoft MVP Directory Services 2009 - 2015 Microsoft Netherlands Virtual Technical Evangelist Blogger on DirTeam.com ServerCore.Net.

2 About
- Sander Berkouwer
- Microsoft MVP Directory Services 2009 - 2015
- Microsoft Netherlands Virtual Technical Evangelist
- Blogger on DirTeam.com, ServerCore.Net, 4SysOps.com
- @SanderBerkouwer

3 Agenda
- Current Situation
- Challenges
  - Challenges when virtualizing DCs on Hyper-V
  - Challenges when virtualizing DCs on Azure IaaS
- Solutions
  - Picking the right solutions for your challenges

4 CURRENT SITUATION

5 Why do we virtualize DCs?
- Flexibility
  - Get DCs there fast, move them without downtime
- Cost saving and cost predictability
  - Virtualization increases hardware utilization
  - Hardware maintenance and upgrades are more predictable
- Fewer dependencies on hardware
  - Quickly add/remove hardware, no outages

6 Sensitive Domain Controllers
- When Active Directory fails...
  - Domain Controllers are centers of universes
  - Domain Controllers are at the center of many infrastructures
  - (Read-only) Domain Controllers can be distributed everywhere
- Sensitive information
  - DCs contain information on replication, accounts, credentials
  - DNS Servers contain caches of queries (info on visited sites)

7 CHALLENGES

8 Challenges with DCs on Hyper-V
- Performance
- Snapshots
- Security
- Integration components
- Backup and restore
- Can you trust Hyper-V administrators?

9 Challenges with DCs on Azure
- Connectivity
- Knowledge of Azure taxonomy
- Knowledge of Azure topology
- Dynamic IPv4, IPv6 addressing
- Under the hood, Azure IaaS uses Hyper-V
- Can you trust the Azure administrator?

10 Why is this important?
- Advanced Persistent Threats
  - Pass the Hash (PtH) attacks
  - Pass the Ticket (PtT) attacks
  - Kerberos Golden Tickets
- Security
- Legal and organizational requirements
- Job security

11 A REALITY CHECK

12 Kerberos 5 Primer
Typical Kerberos flow:
1. During startup or logon, the client requests a Ticket Granting Ticket (TGT) from the Key Distribution Center (KDC). The TGT is then processed client-side.
2. To access a service within the Kerberos realm, the client requests a Service Ticket (TGS), based on the TGT, from any KDC.
3. The client presents the TGS to the service. Based on authorization, access is granted (or not).
[Diagram: steps 1, 2 and 3 between client, KDC and service, showing the TGT and TGS]

13 The keys to your kingdom
- The KRBTGT account's password signs everything
- I don't need to ask for a TGT when I know the password
- TGTs and TGSs are processed and enforced client-side
- I don't need to play by the rules to get access permissions
- I can just insert the well-known SIDs I want into my TGT
- Only restriction: maximum TGT lifetime of 10 years

14 DEMO KRBTGT

15 SOLUTIONS

16 Reset KRBTGT
- KRBTGT account password reset scripts
  - The KRBTGT account password is used to encrypt TGTs and TGSs
  - The KRBTGT account password needs to be reset twice
- Reset-KrbtgtKeyInteractive v1.4
  - Reset-KrbtgtKeyInteractive.ps1
  - Download from the TechNet Gallery

17 BitLocker Drive Encryption
- Support on virtualization hosts
  - BitLocker for boot and system volumes
  - BitLocker on Cluster Shared Volumes (CSVs)
- Support in virtual machines
  - BitLocker not supported on boot and system volumes
  - BitLocker on data disks, but a TPM is unavailable

18 Encryption of backups
- Backups: treat backups like you would virtual Domain Controllers
- Hardware encryption: offered by all of today's backup hardware, on by default
- Software encryption: offered by much of today's backup software, off by default
- Authorizing access based on Active Directory accounts?

19 Access Control Lists on VHD(X)s
- Default ACLs on VHD(X)s
  - Administrators: full control
  - SYSTEM: full control
  - Hyper-V Administrators: full control
- Change ACLs
  - Hyper-V Administrators: from full control to read and write
- Note: Administrators have Take Ownership

20 Server Core Virtualization Hosts
- Server Core installations
  - Virtualization hosts without a Graphical User Interface (GUI)
  - Less susceptible to human error
  - Less susceptible to vulnerabilities
- Installation options
  - 2008 (R2): choose at installation
  - 2012 (R2): choose at installation, or add/remove after installation

21 Hyper-V Administrators group
- New security group on Hyper-V hosts
  - Introduced with Windows 8 and Windows Server 2012
- Principle of least administrative privilege
  - Remove Hyper-V administrators from Administrators
  - Hyper-V Administrators have access to all Hyper-V features
  - Hyper-V Administrators have full control on VHD(X)s
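The checks behind slides 19 and 21 as an added example (not code from the presentation): find VHD/VHDX files whose ACL still grants Hyper-V Administrators full control, tighten one file to read and write, and list accounts that are members of both Hyper-V Administrators and Administrators. It assumes Windows Server 2012 or later, PowerShell 5.1 for Get-LocalGroupMember, and a storage root path that you adjust to your host.

```powershell
# Added example, not from the presentation. Assumes Windows Server 2012+ and PowerShell 5.1.
$HvAdmins = 'Hyper-V Administrators'
$Full     = [System.Security.AccessControl.FileSystemRights]::FullControl

function Get-VhdFullControlAce {
    # $Root is an assumed path; point it at your virtual hard disk storage.
    param([string]$Root = 'C:\ClusterStorage')
    Get-ChildItem -Path $Root -Recurse -Include *.vhd, *.vhdx -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $acl = Get-Acl -LiteralPath $_.FullName
            foreach ($ace in $acl.Access) {
                # Report every Allow entry that gives the group the complete FullControl mask
                if ($ace.AccessControlType -eq 'Allow' -and
                    $ace.IdentityReference.Value -like "*\$HvAdmins" -and
                    ($ace.FileSystemRights -band $Full) -eq $Full) {
                    [pscustomobject]@{ Path = $_.FullName; Owner = $acl.Owner; Rights = $ace.FileSystemRights }
                }
            }
        }
}

function Set-VhdAclReadWrite {
    # Replace the group's entries on one file with an explicit Read, Write entry.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory = $true)][string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    $id  = New-Object System.Security.Principal.NTAccount('BUILTIN', $HvAdmins)
    $acl.SetAccessRuleProtection($true, $true)   # stop inheriting, keep copies of the current ACEs
    $acl.PurgeAccessRules($id)                    # drop the FullControl entry for the group
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($id, 'Read, Write', 'Allow')
    $acl.AddAccessRule($rule)
    if ($PSCmdlet.ShouldProcess($Path, "Grant $HvAdmins Read, Write only")) {
        Set-Acl -LiteralPath $Path -AclObject $acl
    }
}

function Get-HyperVAdminOverlap {
    # Members of both groups keep full control through Administrators,
    # which defeats the purpose of the separate group.
    $admins = Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
    Get-LocalGroupMember -Group $HvAdmins | Where-Object { $admins -contains $_.Name }
}

# Usage: audit first, then dry-run the ACL change with -WhatIf before applying it.
Get-VhdFullControlAce | Format-Table -AutoSize
Get-VhdFullControlAce | ForEach-Object { Set-VhdAclReadWrite -Path $_.Path -WhatIf }
Get-HyperVAdminOverlap
```

Administrators retain Take Ownership regardless of these ACEs, so the overlap check matters as much as the file ACLs.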

22 Integration Components
- They're drivers and services for VMs
- ICs enlighten virtual machines
- Capabilities: OS shutdown, time synchronization, data exchange, heartbeat, backup and guest services

23 Read-only Domain Controllers
- Read-only Domain Controllers offer:
  - Read-only Active Directory database and DNS
  - RODC filtered attribute set
  - Unidirectional replication
  - Granular credential caching
  - Administrator role separation
- Read-only Domain Controllers have individual KRBTGT accounts
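An added example for slides 16 (Reset KRBTGT) and 23 (per-RODC KRBTGT accounts); it is not the Reset-KrbtgtKeyInteractive script the presentation refers to. It reports the age of every KRBTGT key in the domain, including the krbtgt_<number> accounts that belong to RODCs, and performs a single reset under -WhatIf/-Confirm control. It assumes the ActiveDirectory module (RSAT) and Domain Admin rights; the 180-day threshold is an assumed value.

```powershell
# Added example, not from the presentation. Assumes the ActiveDirectory module and Domain Admin rights.
Import-Module ActiveDirectory

function Get-KrbtgtKeyAge {
    # Assumed threshold: flag keys older than this many days.
    param([int]$MaxAgeDays = 180)
    # 'krbtgt' is the domain-wide account; each RODC gets its own 'krbtgt_<number>'
    # account, so one name filter covers both kinds.
    Get-ADUser -Filter 'Name -like "krbtgt*"' -Properties PasswordLastSet |
        ForEach-Object {
            $age  = if ($_.PasswordLastSet) { ((Get-Date) - $_.PasswordLastSet).Days } else { $null }
            $kind = if ($_.SamAccountName -eq 'krbtgt') { 'Domain' } else { 'RODC' }
            [pscustomobject]@{
                Account         = $_.SamAccountName
                Kind            = $kind
                PasswordLastSet = $_.PasswordLastSet
                AgeDays         = $age
                Stale           = ($null -eq $age) -or ($age -gt $MaxAgeDays)
            }
        }
}

function Invoke-KrbtgtKeyReset {
    # Why the slide says "reset twice": the KDC keeps the previous key and still accepts
    # TGTs signed with it, so a forged ticket survives the first reset. Run this once,
    # wait for replication to converge plus the maximum TGT lifetime (10 hours by
    # default), then run it again. Two resets in quick succession break valid tickets.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$Identity = 'krbtgt')
    # The password value itself is irrelevant: the KDC derives the key from it and
    # nobody logs on with this account, so a random 32-byte value is used.
    $bytes = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $secret = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
    if ($PSCmdlet.ShouldProcess($Identity, 'Reset KRBTGT key (one of two resets)')) {
        Set-ADAccountPassword -Identity $Identity -Reset -NewPassword $secret
    }
}

# Usage: report first; the reset is shown as a dry run.
Get-KrbtgtKeyAge | Format-Table -AutoSize
Invoke-KrbtgtKeyReset -WhatIf
```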

24 Syskey
- System Key Protection: additional protection of secrets
- Protection methods
  - Password startup
  - System generated password
    - Store startup key on floppy disk
    - Store startup key locally

25 DEMO SYSKEY

26 Processes
- Monitoring
- Auditing
- Backup
- Administrator role separation
- Communication
- Documentation

27 Sneak Preview
- Client-side encryption
  - Available in Hyper-V in the latest TPs of Windows 10
  - Available in Hyper-V in the upcoming TP of Windows Server vNext
  - Currently in development for Azure Storage objects (source)
- Azure Key Vault
  - Currently in public preview for Azure
  - Hardware Security Module (HSM) in the cloud

28 DEMO vTPMs

29 CONCLUDING

30 Concluding
- Domain Controllers contain sensitive information
  - DCs contain info on replication, accounts, credentials
  - DNS Servers contain caches of queries (visited sites)
- Virtualizing Domain Controllers
  - Virtualizing DCs safely is not an easy task
  - Virtualizing DCs is not just a technical challenge
- Do we really want to virtualize Domain Controllers?

32 We reward you with 100 WinCoin points for attending this lecture. Earn an additional 100 WinCoin points if you fill in the official questionnaire. THANK YOU!

33 MVA http://www.microsoftvirtualacademy.com
Successful professionals never stop learning. Microsoft Virtual Academy offers online Microsoft trainings led by experts to help professionals upgrade their knowledge. Trainings are prepared by leading experts from different technology areas. After you take a training, you can test your knowledge. To better understand this session, I advise you to take the following trainings: XXX1 XXX2 XXX3 Training name 1 link1 Training name 2 link1 Training name 3 link1
