Security in Windows Server 2016

Presentation transcript: "Security in Windows Server 2016"

1 Security in Windows Server 2016

2 Cybercrime overview
(Microsoft Build 2016)

Increasing incidents
- "Cyberattacks on the rise against US corporations", New York Times [2014]
- "Espionage malware infects rafts of governments, industries around the world", Ars Technica [2014]
- "Cybercrime costs US economy up to $140B annually, report says", Los Angeles Times [2014]

Multiple motivations
- "How hackers allegedly stole 'unlimited' amounts of cash from banks in just a few hours", Ars Technica [2014]
- "The biggest cyberthreat to companies could come from the inside", CNET [2015]
- "Ransomware, 0days, malware, scams... all are up, says Symantec", The Register [April 2016]
- "Forget carjacking, soon it will be carhacking", The Sydney Morning Herald [2014]

Bigger risk
"In the last two years, breaches have hit the White House, the State Department, the top federal intelligence agency, the largest American bank, the top hospital operator, energy companies, retailers and even the Postal Service. Companies that continue to rely on prevention and detection technologies like firewalls and antivirus products are considered sitting ducks. In nearly every case, by the time the victims noticed that hackers were inside their systems, their most sensitive government secrets, trade secrets and customer data had already left the building. 'They are looking obsessively at new penetrations,' Mr. Borg said. 'But once someone is inside, they can carry on for months unnoticed.'" The New York Times, "Hacked vs. Hackers: Game On", December 2, 2014

© 2016 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

3 Attack timeline
(Microsoft Ignite 2015)

Timeline on the slide: research and preparation; first host compromised; domain admin compromised within 24-48 hours; attacker undetected and exfiltrating data for more than 200 days (varies by industry); attack discovered.

- Attacks not detected: current detection tools miss most attacks; you may be under attack (or already compromised).
- Target AD and identities: Active Directory controls access to business assets, and attackers commonly target AD and IT admins.
- Response and recovery: response requires advanced expertise and tools; recovering successfully is expensive and challenging.
- Attack sophistication: attack operators exploit any weakness and target information on any device or service.

Notes:
Key message: Microsoft understands these attacks from first-hand experience helping customers with them.

Targeted attacks usually follow a timeline similar to this slide: (blue) research on the company, using social media, open-source intelligence and data from previous attacks, and preparation for the attack; (yellow) elevation of privilege, typically through credential theft but also through abuse of administrative/management tools and configuration weaknesses; (red) exfiltration of data for illicit purposes, going undetected for 200+ days. This is a general observation based on our incident response team's experience (which is similar to what others in the industry report). Precise numbers are difficult to produce because evidence of the initial "patient zero" host is frequently lost after such a long period of time. Because most attacks are discovered by external parties, the time to discover the attacker's presence usually depends on the organization's industry: retail finds out quickly, because stolen credit cards appear on the market, whereas the loss of other IP such as technical designs takes longer to become apparent.

Observations:
(1) Attack sophistication. Attackers are usually after your organization's data to make money (though we have also seen destructive attacks), and they will go after any device, server or service to get it. They will research you and exploit any seam, inconsistency or weakness: a slow patching process, weak configurations, old or weak passwords, and so on.
(2) Target AD and identities. In the attacks we have seen, attackers who get a "beachhead" on one of your network hosts seek out and steal Active Directory administrator credentials within hours of gaining that beachhead (often quicker). This gives them the ability to steal almost any information on any computer.
(3) Attacks not detected. Most of these attacks go undetected for many months (200+ days on average), leaving organizations vulnerable to ongoing loss and damage.
(4) Response and recovery. Investigating and cleaning up after these attacks is typically very complex, technically challenging, and requires a lot of expertise.

4 Example attack scenario
(Microsoft Ignite 2015)

1. Beachhead (phishing attack, etc.) on a Tier 2 device.
2. Privilege escalation: compromise unpatched servers, or steal higher-tier credentials exposed on lower-tier devices. Administrative control (Tier 0) is compromised within 24-48 hours.
3. Persist presence and execute the primary mission: steal data, destroy systems, etc.

Tier model used on the slide:
- Tier 0: domain and enterprise admins, directory database(s), domain controllers
- Tier 1: server admins
- Tier 2: workstation and device admins

Notes:
Key message: credential theft attacks can happen in just about any conventionally secured environment and require new types of defenses.

This is an example view of a typical attack on a typical environment. The resources are broken out by the Microsoft tiered administration model: Tier 0 has full control of identities and all assets; Tier 1 has full control of enterprise servers, applications and cloud services; Tier 2 has full control of the enterprise devices typically used by individuals.

Attacks start by gaining control of a beachhead in your network, sometimes called "patient zero". This is usually a phishing attack, but can also be done by compromising a website your users visit frequently, by delivering malware through advertising, or by other techniques.

The attackers can attempt to escalate their access by directly attacking servers. More commonly, we see privilege escalation by stealing higher-tier credentials (e.g. domain admins) where they are exposed on lower-tier devices (e.g. standard workstations). This leads to the attacker gaining full control of the environment. It is a shared state of control: it does not "kick out" the real admins. The attack is very difficult to detect with conventional means because the attackers are using real, legitimate credentials (and can then move on to creating fake accounts, installing malware on any computer, and so on).

5 Different attack vectors
(Microsoft Build 2016)

Attack the applications and infrastructure:
- Compromised privileged accounts
- Unpatched vulnerabilities
- Phishing attacks
- Malware infections

Attack the virtualization fabric:
- A compromised fabric exposes the guest VMs
- Easy to modify or copy a VM without notice
- Can't protect a VM with gates, walls, locks, etc.
- VMs can't leverage hardware security (e.g. TPM)

Notes:
The evolution of servers into virtual environments brings new challenges when trying to protect the datacenter. In addition to the regular attacks discussed on the previous slides, the virtualization fabric itself now needs to be protected, and it brings new items to consider when planning a security strategy:
- Administrators have the keys to the kingdom. For sensitive workloads such as domain controllers, virtualization admins can access the secrets inside the virtual machines. A compromised fabric administrator can be a malicious administrator or an administrative account that an attacker has compromised.
- A virtual machine is really just a set of files. Virtual disks can be copied to a USB stick or a laptop and mounted in another environment.
- In the past, to protect a server or a sensitive workload, we put it in a highly secured physical environment that only authorized people could enter and touch. For a virtual machine, anyone who has access to the virtualization host has access to the virtual machine's files, which brings us back to the first point.
- In the last few years great new capabilities have appeared, such as TPM chips, Secure Boot, UEFI 2.0 and others. The problem is that these features are tied to hardware capabilities that are not exposed to virtual machines.
None of these problems is specific to Microsoft. Other platforms, such as VMware, have the same issues; however, the solutions presented in this deck are unique to Windows Server.

6 Windows Server 2016 introduces layers of security
Address new attack vectors. Actively secure virtualization hosts and guests. Detect faster with Log Analytics integration.
(Diagram: the layers apply whether Windows Server runs on Hyper-V, Azure, other hypervisors or other clouds.)

L50 overview: The biggest problem today in protecting the environment is compromised credentials, and this will continue to be a problem, so the first thing we did in Windows Server 2016 is to severely limit the impact of compromised credentials by limiting the scope of credentials and the time for which they are active. Further into the datacenter, there is currently an issue where once you have admin credentials on a host you have free access to the VMs on it. Now you can encrypt those VMs and also prohibit them from being booted on non-trusted hosts. At the workload level, we want every Windows Server deployment to be secure even if it is running in a different cloud, such as AWS or VMware. In addition to the new built-in security features, Windows Server 2016 takes another step in protecting the environment by providing detailed and useful information to log analytics systems such as OMS and Splunk.

L150 overview: In Windows Server 2016 Microsoft adopts a new approach in which we introduce new layers of security. These layers defend the datacenter environment against multiple types of attacks and emerging threats. Examples are Pass-the-Hash and Pass-the-Ticket attacks, as well as malicious administrators or compromised privileged accounts through which an attacker could penetrate the environment without being noticed. In addition, Windows Server 2016 gives administrators new capabilities to identify and mitigate the risk from someone who has already breached the environment.

The first pillar covers the new capabilities in Windows Server 2016 that reduce the risk from compromised accounts and malicious administrators who hold privileged domain credentials such as Domain Admins. Here Windows Server 2016 introduces technologies such as:
- Just Enough Administration
- Just in Time Administration
- Credential Guard
These technologies limit the scope of actions of a legitimate administrator while still allowing the necessary tasks to be performed. In addition, common attacks such as Pass-the-Hash and Pass-the-Ticket are mitigated by the technologies in this pillar.

Preventing attacks on credentials is not enough in today's datacenter, so the second pillar covers built-in technologies that protect a virtualization environment, its hosts and VMs, as well as Windows Server 2016 deployed as a virtual machine in any cloud. At the bottom of the stack are technologies such as:
- Shielded Virtual Machines (VMs)
- Guarded Fabric
- Hyper-V Containers
- Virtual TPM
- Generation 2 VM security (Secure Boot, BitLocker)
These technologies, built into Hyper-V 2016, protect the virtualization fabric against attacks on virtual machines, such as a storage operator stealing a virtual disk because they have access to it, and many others. In addition, we measure the health of hosts and VMs to make sure no malware is running on the system.

However, Windows Server 2016 can also be deployed outside a protected Hyper-V environment, on VMware, AWS and so on. Because Microsoft wants to protect every deployment of Windows Server 2016 regardless of the cloud the customer chooses, we provide capabilities that can be leveraged regardless of the cloud or virtualization environment. This includes technologies such as:
- Code Integrity
- Control Flow Guard
- Device Guard
- Built-in anti-malware (Windows Defender)
- Enhanced logging
With these technologies Windows Server 2016 can measure the boot process up to the application level and identify abnormal behaviors such as malware infecting applications, a debugger attached to the boot process, infected code at the kernel level, and more. Most of these technologies are already known to customers, since Windows Server 2016 shares them with Windows 10.

In addition to the technologies above, which prevent someone from compromising accounts, physical and virtual machines, and the operating system, it is important to keep looking for traces of suspicious activity. With that in mind, Windows Server 2016 takes a new step in providing intelligent information to Security Information and Event Management (SIEM) systems such as OMS and Splunk. With these systems, customers can take advantage of log analysis that proactively identifies suspicious activities and suggests possible actions.

7 Protect credentials and privileged access
© 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

8 Challenges in protecting credentials
(Microsoft Build 2016)
- Social engineering leads to credential theft
- Most attacks involve gathering credentials (Pass-the-Hash)
- Administrative credentials typically provide unnecessary extra rights for unlimited time
(Diagram: capability plotted against time for the typical administrators Ben, Mary and John. Each holds permanent Domain Admin rights: far more capability, for far longer, than their tasks require.)

9 Windows Server 2016 approach
(Microsoft Build 2016)
- Credential Guard: mitigates Pass-the-Hash and Pass-the-Ticket attacks by isolating stored domain credentials (NTLM hashes, Kerberos TGTs) with virtualization-based security, so that even kernel-mode code in the normal OS cannot read them out of LSASS. It does not protect local accounts in the SAM or credentials typed into an already compromised host, so it complements the admin-account and PAW practices on the following slides rather than replacing them.
- Just Enough Administration (JEA): limits administrative privileges to the bare-minimum required set of actions (limited in capability, or "space").
- Just in Time Administration (JIT): provides privileged access through a workflow that is audited and limited in time.
- JEA + JIT = limited in time and capability.
(Diagram: the same administrators Ben, Mary and John, now granted only the capability and time their tasks need, compared with the typical permanent Domain Admin.)
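The slide names the techniques; the following is an added worked example (not code from the deck or from Microsoft) of what "limited in capability" looks like in practice: a JEA endpoint for a helpdesk group that may restart one service and read its log, and nothing else, followed by the WMI check that tells you whether Credential Guard is actually running on the host. The module name, the group CONTOSO\Helpdesk, the Spooler service, the transcript path and the host name server01 are assumptions.

```powershell
# Added example, not from the deck. Run elevated on Windows Server 2016 (PowerShell 5.1).
# Assumptions: module name JEA-Helpdesk, group CONTOSO\Helpdesk, service Spooler.

$moduleName = 'JEA-Helpdesk'
$modulePath = Join-Path $env:ProgramFiles "WindowsPowerShell\Modules\$moduleName"
$rcPath     = Join-Path $modulePath 'RoleCapabilities'

# 1. JEA only discovers role capability (.psrc) files inside a module's RoleCapabilities folder,
#    so create a minimal module to hold it.
New-Item -Path $rcPath -ItemType Directory -Force | Out-Null
New-Item -Path (Join-Path $modulePath "$moduleName.psm1") -ItemType File -Force | Out-Null
New-ModuleManifest -Path (Join-Path $modulePath "$moduleName.psd1") -RootModule "$moduleName.psm1"

# 2. Role capability: an allow-list of commands. The parameters are constrained as well, so the
#    same endpoint cannot be used to run Restart-Service -Name WinDefend.
New-PSRoleCapabilityFile -Path (Join-Path $rcPath 'SpoolerOperator.psrc') `
    -VisibleCmdlets @(
        @{ Name = 'Get-Service';     Parameters = @{ Name = 'Name'; ValidateSet = 'Spooler' } },
        @{ Name = 'Restart-Service'; Parameters = @{ Name = 'Name'; ValidateSet = 'Spooler' } }
    ) `
    -VisibleFunctions 'Get-SpoolerLog' `
    -FunctionDefinitions @{
        Name        = 'Get-SpoolerLog'
        ScriptBlock = { Get-WinEvent -LogName 'Microsoft-Windows-PrintService/Admin' -MaxEvents 50 }
    }

# 3. Session configuration. RestrictedRemoteServer gives NoLanguage mode with only the commands
#    above. RunAsVirtualAccount runs them as a temporary local Administrator that exists only for
#    the session, so the helpdesk user needs no admin rights of their own and no privileged domain
#    credential is ever cached on the box. Transcripts are the audit trail.
New-Item -Path 'C:\JEATranscripts' -ItemType Directory -Force | Out-Null
New-PSSessionConfigurationFile -Path "$env:TEMP\$moduleName.pssc" `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory 'C:\JEATranscripts' `
    -RoleDefinitions @{ 'CONTOSO\Helpdesk' = @{ RoleCapabilities = 'SpoolerOperator' } }

Test-PSSessionConfigurationFile -Path "$env:TEMP\$moduleName.pssc"   # returns $true when the file is well-formed
Register-PSSessionConfiguration -Name $moduleName -Path "$env:TEMP\$moduleName.pssc" -Force

# 4. Credential Guard check. Win32_DeviceGuard.SecurityServicesRunning contains 1 when
#    Credential Guard is running and 2 when HVCI (kernel code integrity) is running.
function Test-CredentialGuardRunning {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    return [bool]($dg.SecurityServicesRunning -contains 1)
}
Test-CredentialGuardRunning

# Verify from a helpdesk workstation (assumed host name server01):
#   Enter-PSSession -ComputerName server01 -ConfigurationName JEA-Helpdesk
#   Get-Command      # the three allowed commands plus the handful of session built-ins
#   Restart-Service -Name WinDefend   # rejected: 'WinDefend' is not in the ValidateSet
```

The design point is that capability is fenced twice: the role capability decides which commands exist in the session, and the virtual account means that whatever the operator does run executes with rights that vanish when the session ends, so there is no standing Domain Admin credential to steal from this host.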

10 Protecting Active Directory and Admin privileges http://aka.ms/privsec
(Microsoft Ignite 2015)

The roadmap has three stages (2-4 weeks, 1-3 months, 6+ months) and covers both Active Directory and Azure Active Directory.

Stage 1 (2-4 weeks): first response to the most frequently used attack techniques. Stage 1 is focused on quickly mitigating the most frequently used techniques of credential theft and abuse and is designed to be implemented in approximately 2-4 weeks.

1. Separate admin account for admin tasks
Why: Separate internet risks (phishing attacks, web browsing) from AD administrative privileges.
What: Create a dedicated account for all personnel with privileges (starting with domain administration, then server/app admins, then workstation/helpdesk admins).
How: Create the new admin account, move all privilege assignments to it, and use it only for privileged tasks.

2. Privileged Access Workstations (PAWs), phase 1: Active Directory admins
Why: Separate internet risks (phishing attacks, web browsing) from domain administrative privileges.
What: Create a dedicated workstation for all personnel with AD administrative privileges (starting with domain administration, then server/app admins, then workstation/helpdesk admins).
How: Follow the guidance published at Microsoft Services solutions: Privileged Access Workstation (PAW) and Enhanced Security Administrative Environment (ESAE).

3. Unique local admin passwords for workstations
4. Unique local admin passwords for servers
Why: Adversaries can steal and re-use password hashes for local admin accounts to take control of every machine that shares the same local account password.
What: Configure unique (random) passwords on each workstation and server and register them in Active Directory.
How: Install the Local Administrator Password Solution (LAPS) on workstations and servers. Microsoft Services solution: Proactive Operations Program - Securing Lateral Account Movement (POP SLAM).
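Items 3 and 4 are only done when every machine actually has a LAPS-managed password, and the roll-out usually leaves gaps (machines imaged before the GPO, OUs the policy never reached). The following added example (not from the deck; it uses the RSAT ActiveDirectory module and the AdmPwd.PS module that ships with LAPS) audits that coverage from the directory side, and points at the second thing to check: who has been granted the right to read the passwords. The stale-days threshold and the OU name in the comment are assumptions.

```powershell
# Added example, not from the deck: audit LAPS coverage for stage 1 items 3 and 4.
# LAPS stores the managed password in ms-Mcs-AdmPwd and its expiry (a FILETIME) in
# ms-Mcs-AdmPwdExpirationTime. A computer with no expiry has never had its local admin
# password set by LAPS, so it still shares the image password with every other such machine.
# Needs read access to the expiry attribute only (not to the password itself).
Import-Module ActiveDirectory

function Get-LapsCoverage {
    param(
        [string]$SearchBase = (Get-ADDomain).DistinguishedName,   # narrow to one OU if needed
        [int]$StaleDays = 60                                       # assumed threshold past expiry
    )
    Get-ADComputer -Filter 'Enabled -eq $true' -SearchBase $SearchBase `
        -Properties 'ms-Mcs-AdmPwdExpirationTime', OperatingSystem, LastLogonDate |
    ForEach-Object {
        $raw     = $_.'ms-Mcs-AdmPwdExpirationTime'
        $expires = if ($raw) { [datetime]::FromFileTimeUtc([int64]$raw) } else { $null }
        $state   = if (-not $expires) { 'NoLapsPassword' }
                   elseif ($expires -lt (Get-Date).ToUniversalTime().AddDays(-$StaleDays)) { 'Stale' }  # client stopped rotating
                   else { 'Managed' }
        [pscustomobject]@{
            Name            = $_.Name
            OperatingSystem = $_.OperatingSystem
            IsServer        = ($_.OperatingSystem -like '*Server*')
            LastLogonDate   = $_.LastLogonDate
            PasswordExpires = $expires
            LapsState       = $state
        }
    }
}

$report = Get-LapsCoverage

# Coverage summary per class of machine (servers and workstations are separate roadmap items).
$report | Group-Object IsServer, LapsState | Select-Object Name, Count | Sort-Object Name

# The actual work list: machines still sharing whatever password was baked into the image.
$report | Where-Object LapsState -ne 'Managed' | Sort-Object IsServer, Name | Format-Table -AutoSize

# Second check: LAPS exposes ms-Mcs-AdmPwd to any principal holding extended rights on the
# computer objects ("All extended rights" grants read access). Review those grants per OU;
# the OU path here is an assumption.
#   Find-AdmPwdExtendedRights -Identity 'OU=Workstations,DC=contoso,DC=com' | Format-Table -AutoSize
```

A "Stale" result is worth treating as a finding, not noise: the LAPS client rotates the password when the expiry passes, so an expiry weeks in the past means the client on that machine is not running, and the password recorded in AD may no longer be the one on the box.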

11 Protecting Active Directory and Admin privileges http://aka.ms/privsec
(Microsoft Ignite 2015)

Stage 2 (1-3 months): build visibility and control of administrator activity, and increase protection against typical follow-up attacks. These capabilities build on the mitigations from the 2-4 week plan and provide a broader spectrum of mitigations, including increased visibility and control of administrative rights.

1. Privileged Access Workstations (PAWs), phases 2 and 3: all admins and additional hardening (Credential Guard, RDP Restricted Admin, etc.)
Why: Separate internet risks (phishing attacks, web browsing) from all administrative privileges.
What: Build on the PAW program from stage 1 to create a dedicated workstation for all privileged access (continuing from domain administration to server/app admins, then workstation/helpdesk admins).
How: Follow the phase 2 and 3 guidance published at Microsoft Services solution: Privileged Access Workstation (PAW).

2. Time-bound privileges (no permanent administrators)
Why: Lower the exposure of privileges and increase visibility into privilege use by granting privileges to admins just in time (JIT).
What: Provide administrative rights on demand. For Active Directory Domain Services (AD DS), use the Privileged Access Management (PAM) capability of Microsoft Identity Manager (MIM); for Azure Active Directory, use Azure AD Privileged Identity Management (PIM).
How: Follow the guidance to install and configure MIM PAM, or to configure Azure AD PIM. Microsoft Services solution: Managed Access Request System (MARS).

3. Multi-factor authentication for time-bound elevation
Why: Increase the assurance level of administrator authentication before granting privileges.
What: Require Azure Multi-Factor Authentication (MFA) before administrative rights are granted to administrative accounts in AD (via MIM PAM) or in Azure AD (via Azure AD PIM).
How: Configure the MFA requirement into the privilege workflows using the product documentation.

4. Just Enough Administration (JEA) for DC maintenance
Why: Reduce the quantity and risk exposure of accounts with domain administration privileges.
What: Use the JEA feature of PowerShell to perform maintenance operations on domain controllers instead of using accounts with full administrative rights on the DC (and therefore on the domain).
How: Configure JEA endpoints on the domain controllers using the published guidance.

5. Lower the attack surface of the domain and DCs
Why: Reduce opportunities for adversaries to take control of domains.
What: Reduce the known means of gaining control of DCs and AD domains/forests.
How: Follow the published guidance to remove agents from DCs, remove service accounts from Domain Admins and equivalent groups, and harden the remaining assets that have control of DCs and the domain (virtualization fabric, management tools, etc.). Microsoft Services solution: Advanced Directory Services Hardening (ADSH).

6. Attack detection
Why: Gain visibility into credential theft and other identity attacks.
What: Deploy and configure Microsoft Advanced Threat Analytics (ATA).
How: Engage Microsoft Services to deploy ATA and help prepare you for detected incidents (Microsoft Services solution: ATA Implementation Services (ATAIS)), or follow the ATA deployment guide. IMPORTANT: ATA is designed to detect an active adversary, so we strongly recommend an ATAIS engagement to ensure your team is prepared for that incident; the engagement integrates real-world lessons learned from our incident response teams.
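Item 5 says "remove service accounts from Domain Admins and equivalent groups" but gives no way to find them. The following added example (not from the deck; RSAT ActiveDirectory module) enumerates the Tier 0 groups and flags the members that look like service accounts or have otherwise become standing risk: a servicePrincipalName (any domain user can request a Kerberos service ticket for such an account and crack its password offline), a password that never expires or has not changed in months, and disabled accounts that were never removed. It also lists the SDProp leftovers (adminCount=1 on accounts no longer in any protected group), which a plain membership audit misses. The group list and the password-age threshold are assumptions to tune.

```powershell
# Added example, not from the deck: find the members of Tier 0 groups that stage 2 item 5
# wants removed or hardened. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# Assumed list; Enterprise/Schema Admins exist only in the forest root domain.
$tier0Groups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
               'Account Operators', 'Backup Operators', 'Server Operators', 'Print Operators'

function Get-Tier0AccountRisk {
    param([int]$MaxPasswordAgeDays = 180)   # assumed threshold
    foreach ($group in $tier0Groups) {
        $grp = Get-ADGroup -Filter "Name -eq '$group'" -ErrorAction SilentlyContinue
        if (-not $grp) { continue }
        Get-ADGroupMember -Identity $grp -Recursive |
            Where-Object objectClass -eq 'user' |
            Get-ADUser -Properties ServicePrincipalName, PasswordLastSet, PasswordNeverExpires,
                                   LastLogonDate, Enabled |
            ForEach-Object {
                $ageDays = if ($_.PasswordLastSet) { ((Get-Date) - $_.PasswordLastSet).Days } else { $null }
                $reasons = @()
                if ($_.ServicePrincipalName) { $reasons += 'HasSPN (Kerberoastable service account)' }
                if ($_.PasswordNeverExpires) { $reasons += 'PasswordNeverExpires' }
                if ($null -eq $ageDays -or $ageDays -gt $MaxPasswordAgeDays) { $reasons += "PasswordOlderThan${MaxPasswordAgeDays}d" }
                if (-not $_.Enabled) { $reasons += 'DisabledButStillMember' }
                [pscustomobject]@{
                    Group           = $group
                    SamAccountName  = $_.SamAccountName
                    SPNs            = ($_.ServicePrincipalName -join ';')
                    PasswordAgeDays = $ageDays
                    LastLogonDate   = $_.LastLogonDate
                    Findings        = ($reasons -join ', ')
                }
            }
    }
}

$risk = Get-Tier0AccountRisk
$risk | Where-Object Findings | Sort-Object Group, SamAccountName | Format-Table -AutoSize

# Companion check: SDProp stamps adminCount=1 and a non-inheriting ACL on every member of a
# protected group and never clears it. Accounts that were removed from the group keep both,
# so they still carry Tier 0 ACL protection (and often Tier 0 habits) while looking ordinary.
$current = $risk.SamAccountName | Sort-Object -Unique
Get-ADUser -Filter 'adminCount -eq 1' -Properties adminCount |
    Where-Object { $current -notcontains $_.SamAccountName } |
    Select-Object SamAccountName, DistinguishedName
```

Treat a Tier 0 member with an SPN as the first thing to fix: moving the service to a group-managed service account or a dedicated, non-privileged account removes both the standing Domain Admin membership and the offline-crackable ticket in one change.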

12 Protecting Active Directory and Admin privileges http://aka.ms/privsec
(Microsoft Ignite 2015)

Stage 3 (6+ months): move to a proactive security posture. These capabilities build on the mitigations from the previous phases and move your defenses into a proactive posture. There will never be perfect security, but this represents the strongest protection against privilege attacks currently known and available.

1. Modernize the roles and delegation model
Why: Reduce security risk and operational friction.
What: Redesign the roles and delegation model to adhere to the tier model rules (aka.ms/tiermodel), manage cloud privileges, and capitalize on the JIT/JEA capabilities.
How: Do this yourself or engage Microsoft Services to scope an engagement that makes sense for your organization. Contact your account team or TAM for more information.

2. Smartcard or Passport authentication for all admins
Why: Increase the assurance level and usability of administrator authentication.
What: Require strong authentication for all admin accounts in your on-premises AD (including those federated for cloud services).
How: Follow the guidance for Microsoft Passport, virtual smartcards, or third-party multi-factor authentication.

3. Admin forest for Active Directory administrators
Why: Provide the strongest protection for domain administrators, with no security dependencies on the …
What: The strongest protection for domain administrators can …
How: Engage Microsoft Services to scope an Enhanced Security Administrative Environment (ESAE) engagement. Contact your account team or TAM for more information.

4. Code Integrity policy for DCs (Server 2016)
Why: Lock down your domain controllers so that only approved and signed applications and drivers can run on these machines.
What: Code Integrity for kernel mode (drivers) and user mode (applications) allows only authorized executables to run on the machine.
How: Create a code integrity policy from a baseline domain controller, sign it, and apply it to all domain controllers.

5. Shielded VMs for virtual DCs (Server 2016 Hyper-V fabric)
Why: Protect virtualized domain controllers from attack vectors that exploit a virtual machine's inherent loss of physical security.
What: Use this new Server 2016 Hyper-V capability to prevent the theft of Active Directory secrets from virtual DCs by fabric administrators and by attackers or malware impersonating them. Generation 2 VMs using this feature protect the data and state of a shielded VM against inspection, theft, and tampering.
How: Use the guarded fabric functionality per the published guidance.

13 Protect applications and data in any cloud

14 Challenges in protecting the OS
- New exploits can attack the OS anywhere from the boot path all the way up through application operations.
- Known and unknown threats need to be blocked without impacting legitimate workloads.

15 Windows Server 2016 approach
- Code Integrity: ensures that only permitted binaries can be executed, from the moment the OS is booted.
- Windows Defender: actively protects against known malware without impacting workloads.
- Control Flow Guard: protects against unknown vulnerabilities by blocking a common exploitation step, the indirect call or jump to an address that is not a valid function entry point.
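The Code Integrity bullet here and stage 3 item 4 of the roadmap ("create a policy from a baseline DC, sign it, apply it") describe the same procedure. The following added example (not from the deck; it uses the ConfigCI module that ships in Windows Server 2016) carries that procedure through once, in the order that avoids locking yourself out: scan a reference DC, run in audit mode, read back what audit mode would have blocked, then enforce and sign. The working folder, the soak period and the signing certificate are assumptions.

```powershell
# Added example, not from the deck. Run on a clean, fully patched reference domain controller
# that carries exactly the agents you intend to keep. Assumptions: C:\CI as the working folder,
# CIPolicySigner.cer as the signing certificate.
$work = 'C:\CI'
New-Item -Path $work -ItemType Directory -Force | Out-Null

# 1. Scan the reference machine. -Level Publisher trusts anything signed by the same publisher
#    certificate as the scanned files; -Fallback Hash pins unsigned files by hash, so an unsigned
#    agent keeps working but any modified copy of it is blocked. -UserPEs includes user-mode code,
#    which is what stops tooling an attacker drops onto the DC.
New-CIPolicy -Level Publisher -Fallback Hash -UserPEs -ScanPath 'C:\' -FilePath "$work\DCPolicy.xml"

# 2. Start in audit mode (rule option 3 = Enabled:Audit Mode). Loads the policy would deny are
#    logged to Microsoft-Windows-CodeIntegrity/Operational as event 3076 instead of being blocked.
Set-RuleOption -FilePath "$work\DCPolicy.xml" -Option 3

# 3. Compile to the binary form and stage it; the file name and location are fixed by Windows.
ConvertFrom-CIPolicy -XmlFilePath "$work\DCPolicy.xml" -BinaryFilePath "$work\SIPolicy.p7b"
Copy-Item "$work\SIPolicy.p7b" 'C:\Windows\System32\CodeIntegrity\SIPolicy.p7b' -Force
# Restart-Computer   # the policy is applied at boot

# 4. After a soak period, list what audit mode would have blocked. Anything legitimate here
#    means the baseline scan missed it; add it to the policy before enforcing.
function Get-CIAuditedFiles {
    param([int]$Days = 7)   # assumed soak period
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3076
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
    ForEach-Object {
        ([xml]$_.ToXml()).Event.EventData.Data |
            Where-Object Name -eq 'File Name' | Select-Object -ExpandProperty '#text'
    } | Sort-Object -Unique
}
Get-CIAuditedFiles

# 5. Enforce and sign. Deleting option 3 switches to enforcement; deleting option 6
#    (Enabled:Unsigned System Integrity Policy) makes Windows accept only a signed policy, so an
#    attacker with admin rights on the DC cannot just drop in a permissive SIPolicy.p7b.
#    The signer rule must be added before signing, or the signed policy rejects its own update.
Set-RuleOption -FilePath "$work\DCPolicy.xml" -Option 3 -Delete
Set-RuleOption -FilePath "$work\DCPolicy.xml" -Option 6 -Delete
Add-SignerRule -FilePath "$work\DCPolicy.xml" -CertificatePath "$work\CIPolicySigner.cer" -Update
ConvertFrom-CIPolicy -XmlFilePath "$work\DCPolicy.xml" -BinaryFilePath "$work\SIPolicy.p7b"
# Sign with the Windows SDK signtool and the code-signing certificate (the EKU OID is the one
# Windows requires for CI policy signing), then copy the signed .p7b to every DC and reboot:
#   signtool.exe sign /v /n "CI Policy Signer" /p7 $work /p7co 1.3.6.1.4.1.311.79.1 /fd sha256 "$work\SIPolicy.p7b"
```

Two cautions a practitioner would want: keep the private key of the policy signer off the DCs and out of the forest being protected, because whoever holds it can author a policy that allows anything; and keep an unsigned copy of the enforced policy in the recovery plan, since once option 6 is removed the only way to loosen a signed policy is to sign a replacement.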

16 Protect the virtualization fabric

17 Protect virtual machines
- Any compromised or malicious fabric administrator can access the guest virtual machines.
- The health of hosts is not taken into account before running VMs ("healthy host?").
- Tenants' VMs are exposed to storage and network attacks.
- Virtual machines can't take advantage of hardware-rooted security capabilities such as TPMs.
(Diagram: the fabric, hypervisor, host OS and storage are under the fabric operator's control, with the customer's guest VMs sitting on top of them.)

18 Windows Server 2016 approach
- Shielded VMs: use BitLocker to encrypt the disks and state of virtual machines, protecting secrets from compromised admins and malware.
- Host Guardian Service: attests to host health, releasing the keys required to boot or migrate a Shielded VM only to healthy hosts.
- Generation 2 VMs: support virtualized equivalents of hardware security technologies (e.g. TPMs), enabling BitLocker encryption for Shielded VMs.

Who can get at the workload? (The physical machine sits inside the building perimeter and computer room; the two VM columns run on Hyper-V.)

Role                               Physical machine   Virtual machine   Shielded virtual machine
Server administrator               yes                yes               no*
Storage administrator              no                 yes               no
Network administrator              no                 yes               no
Backup operator                    no                 yes               no
Virtualization-host administrator  no                 yes               no
Virtual machine administrator      no                 yes               yes
* Configuration dependent

19 Decryption keys controlled by external system
(Diagram: a cloud/datacenter with a fabric controller and three Hyper-V hosts, each running a host OS, a hypervisor and guest VMs. Hyper-V host 1 asks the Host Guardian Service, "Please sir, may I have some keys?" The Host Guardian Service runs the Key Protection service: the keys that decrypt a shielded VM never live on the host itself.)

20 Key release policy for trusted environment
Key release criteria (TPM mode):
- Known physical machines
- Trusted Hyper-V instance
- CI-compliant configuration
(Diagram: the same fabric; the Host Guardian Service answers Hyper-V host 1, "Sure, I know you and you look healthy", and the Key Protection service releases the keys.)
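Each of the three criteria on the slide corresponds to one artifact registered with the Host Guardian Service, and a host that fails any of them gets no key. The following added example (not from the deck; HgsServer and HgsClient modules, Windows Server 2016) shows where each artifact is collected and how it is registered in TPM mode, then checks the host's attestation result. Host names, file paths, policy names and the HGS URLs (hgs.relecloud.com) are assumptions.

```powershell
# Added example, not from the deck: register the TPM-mode key release criteria with HGS.
# Assumptions: host hv01, working folder C:\HGS on both machines, HGS at hgs.relecloud.com.

# --- On each Hyper-V host (run once; copy the outputs to the HGS server) ------------------
# 1. "Known physical machine": the TPM endorsement key identifies this exact piece of hardware.
(Get-PlatformIdentifier -Name $env:COMPUTERNAME).InnerXml |
    Out-File "C:\HGS\$env:COMPUTERNAME.xml" -Encoding UTF8
# 2. "Trusted Hyper-V instance": the TCG boot log of a known-good host becomes the baseline
#    (firmware, boot manager, hypervisor and kernel measurements). -SkipValidation lets the log be
#    captured even if this host is not yet fully configured for guarded mode.
Get-HgsAttestationBaselinePolicy -Path 'C:\HGS\Baseline.tcglog' -SkipValidation
# 3. "CI-compliant configuration": the code integrity policy the host must be running
#    (the binary form produced by ConvertFrom-CIPolicy, the same tooling used for DCs).
Copy-Item 'C:\Windows\System32\CodeIntegrity\SIPolicy.p7b' 'C:\HGS\HostCI.p7b'

# --- On the HGS server ----------------------------------------------------------------------
Add-HgsAttestationTpmHost   -Path 'C:\HGS\hv01.xml'        -Name 'hv01'
Add-HgsAttestationTpmPolicy -Path 'C:\HGS\Baseline.tcglog' -Name 'Baseline-2016-04'
Add-HgsAttestationCIPolicy  -Path 'C:\HGS\HostCI.p7b'      -Name 'HostCI-2016-04'

function Get-HgsAttestationSummary {
    # What HGS will currently release keys for: one entry per criterion.
    [pscustomobject]@{
        Hosts      = @(Get-HgsAttestationTpmHost).Name
        Baselines  = @(Get-HgsAttestationTpmPolicy).Name
        CIPolicies = @(Get-HgsAttestationCIPolicy).Name
    }
}
Get-HgsAttestationSummary

# --- Back on the host: point it at HGS and confirm it attests --------------------------------
Set-HgsClientConfiguration -AttestationServerUrl   'http://hgs.relecloud.com/Attestation' `
                           -KeyProtectionServerUrl 'http://hgs.relecloud.com/KeyProtection'
Get-HgsClientConfiguration | Select-Object AttestationMode, AttestationStatus, AttestationSubstatus
# AttestationStatus must read Passed before the host can start a shielded VM; on failure the
# substatus says which of the three criteria (host identity, TPM baseline, CI policy) was not met.
```

Operationally the baseline and CI policy entries are versioned on purpose: after a firmware or hypervisor update you capture a new baseline, register it alongside the old one, and retire the old entry only once every host has been updated, so patching never silently takes the fabric's shielded VMs offline.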

21 Shielded VMs in TP5
- New "Encryption Supported" mode: a lesser set of protections than "Shielded" but more than a regular VM. It still supports vTPM, disk encryption, Live Migration traffic encryption, etc., but permits fabric admin conveniences such as VM console connections and PowerShell Direct to be switched back on.
- Ability to switch attestation modes on a running Host Guardian Service.
- Shielded VM end-to-end diagnostics tooling.
- VMM can now view the fabrics on which a Shielded VM is authorized to run.
- Recovery environment: a means for the owner of a Shielded VM to securely troubleshoot and repair it within the fabric in which it normally runs. The repair process provides exactly the same level of protection that Shielded VMs receive.
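The difference between "Encryption Supported" and "Shielded" is a single VM security setting on top of the same key protector and vTPM, which the following added example (not from the deck; HgsClient and Hyper-V modules, Windows Server 2016 TP5 or later) makes concrete by converting an existing Generation 2 VM to either mode. The VM name, guardian names and the HGS key-protection URL are assumptions; the metadata path under /KeyProtection is the one the service publishes.

```powershell
# Added example, not from the deck. Run on the Hyper-V host (or, for the key protector steps,
# on the VM owner's admin box). Assumptions: VM tenant-dc01, guardians TenantOwner and
# RelecloudFabric, HGS at hgs.relecloud.com.
$vmName = 'tenant-dc01'

# 1. Guardians. The owner guardian is created locally; its private key is the tenant's recovery
#    key and should be backed up off the fabric. The fabric guardian is HGS's public key, imported
#    from the metadata it publishes. -AllowUntrustedRoot is for lab (self-signed) HGS only.
$owner = Get-HgsGuardian -Name 'TenantOwner' -ErrorAction SilentlyContinue
if (-not $owner) { $owner = New-HgsGuardian -Name 'TenantOwner' -GenerateCertificates }
$fabric = Get-HgsGuardian -Name 'RelecloudFabric' -ErrorAction SilentlyContinue
if (-not $fabric) {
    Invoke-WebRequest 'http://hgs.relecloud.com/KeyProtection/service/metadata/2014-07/metadata.xml' `
        -OutFile "$env:TEMP\fabric.xml"
    $fabric = Import-HgsGuardian -Path "$env:TEMP\fabric.xml" -Name 'RelecloudFabric' -AllowUntrustedRoot
}

# 2. Key protector: the vTPM's keys are wrapped so that only the owner, or a fabric host that
#    HGS has attested, can unwrap them. A copied VHDX without this is just BitLocker ciphertext.
$kp = New-HgsKeyProtector -Owner $owner -Guardian $fabric -AllowUntrustedRoot

function Set-VMProtectionMode {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [ValidateSet('EncryptionSupported', 'Shielded')] [string] $Mode
    )
    $vm = Get-VM -Name $Name
    if ($vm.Generation -ne 2) { throw "$Name is Generation $($vm.Generation); a vTPM requires Generation 2" }
    if ($vm.State -ne 'Off')  { throw "$Name must be powered off to change its security settings" }

    Set-VMKeyProtector -VMName $Name -KeyProtector $kp.RawData
    Enable-VMTPM       -VMName $Name                                          # vTPM: BitLocker inside the guest
    Set-VMSecurity     -VMName $Name -EncryptStateAndVmMigrationTraffic $true # saved state and Live Migration
    # Shielded additionally closes the host-side paths into the guest: console, PowerShell Direct,
    # KVP exchange and similar. Encryption Supported leaves those open for the fabric admin.
    Set-VMSecurityPolicy -VMName $Name -Shielded ($Mode -eq 'Shielded')
    Get-VMSecurity -VMName $Name | Select-Object TpmEnabled, Shielded, EncryptStateAndVmMigrationTraffic
}

Set-VMProtectionMode -Name $vmName -Mode EncryptionSupported   # fabric admin keeps console access
# Set-VMProtectionMode -Name $vmName -Mode Shielded            # flip once the guest volume is encrypted

# Inside the guest, with the vTPM present, encrypt the OS volume so the VHDX is unreadable off-fabric:
#   Enable-BitLocker -MountPoint 'C:' -TpmProtector -SkipHardwareTest
```

The order matters: shield the VM only after BitLocker inside the guest is enabled and sealed to the vTPM, because once it is shielded the fabric admin loses the console they would need to fix a guest that fails to boot. Encryption Supported is the natural mode for that transition and for workloads whose owner is also the fabric operator.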

22 Respond more intelligently with log analytics integration

23 Challenges turning log files into operational insights
- To detect threats better, the OS needs to provide additional auditing information.
- Security Information and Event Management (SIEM) systems are only as intelligent as the information the OS provides.

24 Windows Server 2016 approach
Enhanced Logs: log new audit events to better detect malicious behavior by providing more detailed information to security operations centers. SIEM systems such as Operations Management Suite (OMS) can use this information to produce intelligence reports on potential breaches in the datacenter environment.
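The enhanced audit events only help a SIEM if the matching audit subcategories are switched on and the events are actually collected. The script below is an added example, not code from the slides; it assumes an elevated PowerShell session on Windows Server 2016 and uses the built-in auditpol tool, the documented ProcessCreationIncludeCmdLine_Enabled policy value, and Get-WinEvent. It also illustrates the "security auditing optimized for threat detection" point in the closing summary slide (logon events carrying group membership, process creation with command lines).

```powershell
# Added example (not from the slides): enable the audit subcategories that feed
# the Windows Server 2016 detection scenarios, then pull the resulting events
# in a shape that is easy to forward to a SIEM such as OMS.
# Assumes an elevated PowerShell session on Windows Server 2016.

function Enable-DetectionAuditing {
    # Process creation (event 4688), enriched with the full command line.
    auditpol /set /subcategory:"Process Creation" /success:enable /failure:enable | Out-Null
    $auditKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
    New-Item -Path $auditKey -Force | Out-Null
    Set-ItemProperty -Path $auditKey -Name ProcessCreationIncludeCmdLine_Enabled -Value 1 -Type DWord

    # Group membership at logon (event 4627): the token's groups accompany the logon.
    auditpol /set /subcategory:"Group Membership" /success:enable /failure:enable | Out-Null

    # Plug and Play activity (event 6416): new device arrivals such as removable media.
    auditpol /set /subcategory:"Plug and Play Events" /success:enable | Out-Null

    # Handle operations on kernel objects (events 4656/4658/4663).
    auditpol /set /subcategory:"Kernel Object" /success:enable /failure:enable | Out-Null
}

function Get-DetectionEvents {
    param(
        # Look-back window in hours.
        [int]$Hours = 1
    )
    $filter = @{
        LogName   = 'Security'
        Id        = 4627, 4688, 6416
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    # -ErrorAction SilentlyContinue: Get-WinEvent throws when no event matches.
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Project a compact record that a SIEM parser can key on.
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Id      = $_.Id
                Summary = ($_.Message -split "`r?`n")[0]
            }
        }
}

Enable-DetectionAuditing
Get-DetectionEvents -Hours 24 | Format-Table -AutoSize
```

In a production fabric the same subcategories are normally set through Group Policy rather than per host; the script is a quick way to verify on one server that the events the SIEM rules expect are really being generated.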

25 Protect applications with just enough OS

26 Challenges in protecting new apps
Developers are making use of new packaging and deployment tools such as containers. Containers share the same kernel, which limits isolation and exposes compliance and regulatory risks. Lower the risk by providing only the components the application needs to run. [Diagram: a VM shares hardware (hypervisor isolation); a container shares the kernel (user-mode isolation).]

27 Windows Server 2016 approach
Hyper-V Containers: provide hypervisor isolation for each container with no additional coding requirements; align with regulatory requirements for PCI and PII data. Nano Server: reduce the attack surface by deploying a minimal "just enough" server footprint. [Diagram: a VM shares hardware (hypervisor isolation); a Hyper-V container shares only the platform (hypervisor isolation).]
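Because a Hyper-V container needs no code changes, the only thing that distinguishes it from a kernel-sharing container at runtime is the isolation mode it was started with. The script below is an added example, not code from the slides or from Docker; it assumes a Windows Server 2016 container host with the Docker CLI, and it reads each running container's HostConfig.Isolation value to flag the ones that share the host kernel.

```powershell
# Added example (not from the slides): on a Windows Server 2016 container host,
# report which running containers use Hyper-V isolation and which share the
# host kernel (process isolation). Assumes the Docker CLI is available.

function Get-ContainerIsolation {
    # 'docker ps -q' lists the IDs of running containers.
    $ids = docker ps -q
    foreach ($id in $ids) {
        $name      = docker inspect --format '{{.Name}}' $id
        $image     = docker inspect --format '{{.Config.Image}}' $id
        $isolation = docker inspect --format '{{.HostConfig.Isolation}}' $id

        # An empty or 'default' value means the daemon default, which on
        # Windows Server is process isolation unless the daemon was reconfigured.
        $effective = if ($isolation -in @('', 'default')) { 'process (daemon default)' } else { $isolation }

        [pscustomobject]@{
            Id               = $id
            Name             = $name.TrimStart('/')
            Image            = $image
            Isolation        = $effective
            SharesHostKernel = ($effective -notlike 'hyperv*')
        }
    }
}

# Usage: list the containers that share the host kernel. A workload that needs
# regulatory separation is instead started with hypervisor isolation, e.g.:
#   docker run -d --isolation=hyperv <image> <command>    (placeholders)
Get-ContainerIsolation | Where-Object SharesHostKernel | Format-Table -AutoSize
```

Run it as part of a host compliance check: any container handling PCI or PII data that shows up with SharesHostKernel = True is running outside the isolation boundary the slide describes.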

28 Windows Server 2016 Security summary

29 Windows Server 2016 Security
Hyper-V (Fabric) Security
  Protecting virtual machines: Shielded VMs (Server 2012, 2016 guests); Guarded fabric attesting to host health; Secure boot for Windows and Linux
  Hyper-V platform: Nano based Hyper-V host; Virtualization Based Security
  Secure containers: Hyper-V containers; Containers hosted in a Shielded VM
Infrastructure and application security
  Privileged Identity: Credential Guard; Just In Time administration; Just Enough administration
  Threat resistance: Control Flow Guard; Code Integrity (Device Guard); Built in anti-malware; Nano Server reduces attack surface
  Threat detection: Enhanced threat detection

Speaker notes:

During the last several years, cybersecurity has consistently been rated a top priority for IT. This is no surprise, as top companies and government agencies are publicly called out for being hacked and failing to protect themselves and their customers' and employees' personal information. At the same time, attackers are using readily available tools to infiltrate large organizations and remain undetected for long periods while exfiltrating secrets, or simply attacking the infrastructure and making ransom demands.

Windows Server 2016 delivers layers of protection that help address emerging threats and make Windows Server 2016 an active participant in your security defenses. These include the new Shielded VM solution that protects VMs from attacks and compromised administrators in the underlying fabric, extensive threat resistance components built into the Windows Server 2016 operating system, and enhanced auditing events that help security systems detect malicious activity.

Protecting virtual machines
Shielded VMs protect the data and state of the VM against inspection, theft and tampering by holders of administrator privileges. Shielded VMs work with Generation 2 VMs, which provide the required Secure Boot, UEFI firmware and virtual TPM (vTPM) 2.0 support. While the Hyper-V hosts must be running Windows Server 2016, the guest operating system in the VM can be Windows Server or above.
Guarded Fabric: Shielded VMs can only run on guarded hosts. These hosts must pass an attestation check to confirm that they are locked down and comply with the policy that allows Shielded VMs to run on them. This is implemented through a new Host Guardian Service deployed in the environment, which stores the keys and releases them only to approved Hyper-V hosts that can prove their health.
Secure boot for Linux: While Windows VMs have had Secure Boot for some time, the team focused on enabling Secure Boot for Linux so that the security of a Linux OS running on Hyper-V is increased as well.

Hyper-V platform
Nano based Hyper-V host: Nano Hyper-V hosts are optimized to run the Hyper-V workload with "just enough OS", which minimizes attack surface, increases availability and reduces resource usage.
Virtualization Based Security: Virtualization Based Security achieves isolation from administrator attacks and is the building block for the new threat resistance features and for Shielded VMs: it stores secrets and applies protections that are enforced by the hypervisor and sit outside of administrator control.

Secure containers
Hyper-V containers: To address the security risk posed by the lack of isolation between containers, and between containers and the underlying operating system they run on, Hyper-V Containers ensure that code running in one container remains completely isolated. A Hyper-V container cannot affect other containers or the host operating system, or vice versa, because it runs in its own virtualized environment.
Containers hosted in a Shielded VM: Using nested virtualization, you can further secure your containers from a compromised fabric by hosting them in a Shielded VM.

Privileged Identity
A compromised privileged identity is the most prevalent attack vector today. Microsoft provides customers with a plan for securing their privileged identities. Two major concepts have been integrated into Windows Server 2016 and are also available for down-level operating systems.
Just In Time Administration: Move from perpetual administration to time-based administration. When a user needs to be an administrator, they go through a fully audited workflow that grants them administrative privilege for a limited time, after which the privilege is revoked.
Just Enough Administration: Administrators should be able to do only their role and nothing more. For example, a file server administrator can restart services but should not be able to browse the data on the server.
Credential Guard: Based on the Windows 10 feature, Credential Guard uses Virtualization Based Security to protect credentials on the system from being stolen by a compromised administrator or by malware.

OS Threat Resistance Technologies
Windows Server 2016 includes integrated threat resistance technologies that range from blocking external attackers trying to exploit vulnerabilities (Control Flow Guard) to resisting attacks by malicious users and software that have gained administrator access to the server (Credential Guard and Code Integrity).
Control Flow Guard: Serves as a safeguard by preventing common attack vectors in case the system has unknown vulnerabilities. Control Flow Guard (CFG) is a highly optimized platform security feature created to combat memory corruption vulnerabilities. By placing tight restrictions on where an application can execute code from, it makes it much harder for exploits to execute arbitrary code through vulnerabilities such as buffer overflows.
Code Integrity (Device Guard): Uses Virtualization Based Security to ensure that only allowed binaries can run on the system.
Built in anti-malware: Windows Defender is installed and functional on Windows Server. Windows Defender has been optimized to run on servers, supports the various server roles, and is integrated with PowerShell for malware scanning.

OS Enhanced threat detection
Security auditing optimized for threat detection: Based on the experience of the Microsoft internal security operations center, Windows Server 2016 includes targeted auditing to better detect malicious behavior. This includes auditing access to the kernel and to sensitive processes, as well as new information in the logon events. These events can then be streamed to threat detection systems such as the Microsoft Operations Management Suite to alert on malicious behavior.
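The Just Enough Administration point above comes with a concrete example: a file server operator who may restart services but must not browse the data. The following endpoint definition is an added example, not code from the slides; it uses the JEA cmdlets that ship with Windows Server 2016 (New-PSRoleCapabilityFile, New-PSSessionConfigurationFile, Register-PSSessionConfiguration). The group name CONTOSO\FileServerOps, the module name and the transcript path are placeholders.

```powershell
# Added example (not from the slides): a Just Enough Administration endpoint
# for the file-server operator role. The operator may restart a fixed set of
# services and list services; no file-system cmdlets are exposed.
# CONTOSO\FileServerOps, the module name and paths are placeholders.
# Run in an elevated session on Windows Server 2016.

$moduleName = 'FileServerOpsJea'
$modulePath = Join-Path $env:ProgramFiles "WindowsPowerShell\Modules\$moduleName"
$rcPath     = Join-Path $modulePath 'RoleCapabilities'

# Role capability files must live in a module's RoleCapabilities folder.
New-Item -ItemType Directory -Path $rcPath -Force | Out-Null
New-ModuleManifest -Path (Join-Path $modulePath "$moduleName.psd1")

# Role capability: Get-Service, plus Restart-Service restricted by ValidateSet
# to the services this role is responsible for. Nothing else is visible, so
# Get-ChildItem, Get-Content and similar cannot reach the data on the server.
New-PSRoleCapabilityFile -Path (Join-Path $rcPath 'FileServerOperator.psrc') -VisibleCmdlets @(
    'Get-Service',
    @{ Name = 'Restart-Service'; Parameters = @{ Name = 'Name'; ValidateSet = 'LanmanServer', 'Spooler' } }
)

# Session configuration: restricted endpoint, commands run under a temporary
# virtual account (no standing admin credential to steal), every session
# transcribed for audit.
$psscPath = Join-Path $env:TEMP 'FileServerOps.pssc'
$roles    = @{ 'CONTOSO\FileServerOps' = @{ RoleCapabilities = 'FileServerOperator' } }
New-PSSessionConfigurationFile -Path $psscPath `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory 'C:\JeaTranscripts' `
    -RoleDefinitions $roles

# -Force restarts WinRM so the new endpoint is available immediately.
Register-PSSessionConfiguration -Name 'FileServerOps' -Path $psscPath -Force | Out-Null

# What an operator sees after connecting to the constrained endpoint:
#   Enter-PSSession -ComputerName FS01 -ConfigurationName FileServerOps
#   Restart-Service -Name Spooler     # allowed
#   Restart-Service -Name WinRM       # rejected: not in the ValidateSet
#   Get-ChildItem C:\Shares           # rejected: command not available
```

The ValidateSet is the important part: exposing Restart-Service without it would let the operator restart any service on the host, including the ones that enforce the restriction.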
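Credential Guard and Code Integrity (Device Guard) both rest on Virtualization Based Security, so a host on which VBS is not actually running has neither protection whatever its policy says. This status check is an added example, not code from the slides; it reads the Win32_DeviceGuard CIM class that Windows Server 2016 exposes and assumes nothing beyond a local PowerShell session.

```powershell
# Added example (not from the slides): report whether Virtualization Based
# Security, Credential Guard and HVCI are actually running on this host, using
# the Win32_DeviceGuard CIM class that ships with Windows Server 2016.

function Get-VbsStatus {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard

    # SecurityServicesRunning lists the VBS-backed services currently active:
    # 1 = Credential Guard, 2 = HVCI (hypervisor-enforced kernel code integrity).
    $running = @($dg.SecurityServicesRunning)

    $vbsState = switch ($dg.VirtualizationBasedSecurityStatus) {
        0       { 'Not enabled' }
        1       { 'Enabled, not running' }
        2       { 'Running' }
        default { 'Unknown' }
    }

    [pscustomobject]@{
        VirtualizationBasedSecurity = $vbsState
        CredentialGuardRunning      = ($running -contains 1)
        HvciRunning                 = ($running -contains 2)
        # Policy enforcement: 0 = off, 1 = audit (violations only logged), 2 = enforced.
        KernelCodeIntegrityPolicy   = $dg.CodeIntegrityPolicyEnforcementStatus
        UserModeCodeIntegrityPolicy = $dg.UsermodeCodeIntegrityPolicyEnforcementStatus
    }
}

$status = Get-VbsStatus
$status | Format-List
if (-not $status.CredentialGuardRunning) {
    Write-Warning 'Credential Guard is not running: LSA secrets are not isolated from an admin-level attacker.'
}
if (-not $status.HvciRunning) {
    Write-Warning 'HVCI is not running: kernel-mode code integrity is not hypervisor-enforced.'
}
```

A policy value of 1 (audit mode) is worth watching for separately: the Code Integrity policy is present and logging violations, but nothing is being blocked yet.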

30 Hyper-V Shielded VM Compliance Mapping
Hyper-V Shielded VM Security and Compliance Capability, mapped to ISO 27001: 2013, PCI DSS 3.1 and FedRAMP; NIST Revision 4:

Enforcing Separation of Duties
  ISO 27001: 2013: A.6.1.2 – Segregation of duties
  PCI DSS 3.1: 6.4.2 – Separation of duties between test and production environments
  FedRAMP; NIST Revision 4: AC-5 – Separation of Duties

Implementation of Least Privilege Access and Partitioning Tenant Functionality
  ISO 27001: 2013: A – Management of privileged access rights; A – Separation of development, testing, and operational environments
  PCI DSS 3.1: 6.4.1 – Test and Production Environment Separation; 7.2 – User access control on need-to-know basis; 7.2.3 – Default “deny-all” setting
  FedRAMP; NIST Revision 4: AC-6 – Least Privilege; AC-6 (10) – Prohibit Non-Privileged Users from Executing Privileged Functions; SC-2 – Application Partitioning

Protecting Information Stored in Shared Resources
  ISO 27001: 2013: None
  PCI DSS 3.1: 8.7 – Restricted access to databases containing cardholder data
  FedRAMP; NIST Revision 4: SC-4 – Information in Shared Resources

Protection of Data at Rest
  ISO 27001: 2013: A – Media Access
  PCI DSS 3.1: 3.4 – Verifying stored PAN is unreadable; 3.4.1 – Disk encryption usage and access control; 6.5.3 – Insecure cryptographic storage
  FedRAMP; NIST Revision 4: SC-28 – Protection of Information at Rest; SC-28(1) – Protection of Information at Rest

Security Function Verification and Integrity Monitoring
  PCI DSS 3.1: 11.5 – Change-detection mechanism deployment
  FedRAMP; NIST Revision 4: SI-6 – Security Function Verification; SI-7 – Software, Firmware, and Information Integrity

31 Just In Time Administration Compliance Mapping
JIT Security and Compliance Capability, mapped to ISO 27001: 2013, PCI DSS 3.1 and FedRAMP; NIST Revision 4:

Controlling Logical Access Privileges and Implementing Least Privilege Access
  ISO 27001: 2013: A.9.1 – Business requirement of access control; A – Access to networks and network services; A – User access provisioning; A – Management of privileged access rights; A – Information access restriction; A – Access control to program source code
  PCI DSS 3.1: 7.1 – System components and cardholder data access restricted to job-based needs; 7.1.2 – User ID access based on least privileges; 7.1.3 – Assigning access to job function and classification; 7.1.4 – Documented approval of access privileges; 7.2.2 – Assigning privileges to job function and classification; 7.2.3 – Default “deny-all” setting; – Administer user accounts; – Monitor and control all access to data
  FedRAMP; NIST Revision 4: AC-2 – Account Management; AC-3 – Access Enforcement; AC-6 – Least Privilege; AC-6 (1) – Authorize Access to Security Functions; AC-6 (2) – Non-Privileged Access for Non-Security Functions; AC-6 (5) – Privileged Accounts; AU-9 (4) – Audit Access by Subset of Privileged Users; CM-5 – Access Restrictions for Change; CM-5 (1) – Automated Access Enforcement; CM-5 (5) – Limit Production / Operational Privileges

Access Logging / Monitoring / Auditing
  ISO 27001: 2013: A – Event logging; A – Administrator and operator logs
  PCI DSS 3.1: – Logging actions by root privileges individual; – User changes logging
  FedRAMP; NIST Revision 4: AC-2 (4) – Automated Audit Actions; AC-2 (12) – Account Monitoring; AC-6 (9) – Auditing Use of Privileged Functions; AU-2 – Audit Events; AU-12 – Audit Generation

32 Next steps
Try Windows Server 2016 Technical Preview: windows-server-technical-preview
Review Security and Assurance documentation:
Visit the Datacenter & Private Cloud Security Blog:

33

