1 Secure Tier 2! Enhance Your Security Posture on End User Machines with Windows 10
5/25/2018 2:27 PM
Chris Jackson, Cybersecurity Enthusiast, Chief Awesomeologist, Microsoft
© Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

2 The Future of Security Investment
Cloud, Datacenter, Device
Security "in the box" versus the legacy environment
You always need an endpoint!

3 Tier Model for Privileged Access
Tier-0: Privileged Access Control (IPsec)
Tier-1: Data and Services; Tier 1 PAW provides Tier-1 Privileged Access
Tier-2: Access; Tier 2 PAW provides Tier-2 Privileged Access

4 Security Roadmap for Tier 2
Device Hardening
Helpdesk
High Value Assets

5 Device Scenarios
Device types: BYOD; Corporate Managed, Employee Owned; Corporate Owned Mobile Device; Domain Joined; High Security
Data sensitivity: HBI, MBI, LBI
Roles: Information Worker; Structured Task Worker; Dedicated System; High Sensitivity System; Server Admin (Tier 1 Domain)
Each scenario is marked In Scope or Not in scope for this talk

6 Iterative Device Hardening Lifecycle
Admin rights: Remove more admin rights
Modernize OS: Migrate to evergreen, modern OS
Harden OS: Leverage security baselines and modern features
Harden Software: Develop and maintain hardened software
Whitelisting: Trust code by exception, mistrust by default

7 Admin rights reduction
Application Portfolio Management
Fix Broken Applications
Software Packaging and Servicing

8 Admin rights reduction
Fixable: File, Registry, .ini, Token, Namespace, Process
Not Fixable: Privilege, Other Objects

9 Iterative Device Hardening Lifecycle

10 Modernize the OS
Defending against modern security threats: Secured Devices, Secured Identities, Threat Resistance, Information Protection

11 What Needs to Change

12 Deploying Windows in Rings
Engineering builds: broad Microsoft internal validation
Microsoft Insider Preview Branch
Broad deployment
User populations shown on the timeline: 10's of thousands, several million, hundreds of millions
Pilot (~6 months): IT Pilot Ring, QA Pilot Ring, Early Adopters Pilot Ring
Broad Deployment (16+ months): Broad Deployment Ring I, Ring II, Ring III, Ring IV

13 Risk Spectrum
Previous experience: from Windows XP – Windows 7 migrations to Windows Update
Moving to Windows 10 from: Windows XP, Windows 7, Windows 8


15 Iterative Device Hardening Lifecycle

16 Sticking with Known and Proven Solutions: Sample OU structure and GPO links
Domain Root: Domain policy
Windows 10 Client OU: Windows 10 Defender policy; Windows 10 Credential Guard policy; Windows 10 BitLocker policy; Windows 10 Computer policy; Internet Explorer Client Computer policy
Windows 10 Client Computer OU
Windows 10 User OU: Windows 10 User policy; Internet Explorer User policy

17 Safer and More Secure
Windows Hello, Windows Hello for Business, Companion Device Framework, Credential Guard: Replace passwords, protect identities; strengthen authentication with biometrics and hardware-based multi-factor
Secure Boot, Device Guard, Windows Defender: Only run software you trust; eliminate malware on corporate devices
Windows Information Protection: Protect sensitive corporate data; automatic encryption with persistent protection
Windows Defender Advanced Threat Protection: Detect compromised devices quickly; use behavioral detection, cloud, and human threat intelligence to quickly identify compromised devices

18 Microsoft Edge: Designed for Secure Browsing
Objective: Keep our customers safe when browsing the web
Strategy: Make it difficult and costly for attackers to find and exploit vulnerabilities in Microsoft Edge
Tactics: Eliminate vulnerabilities before attackers can find them; break exploitation techniques in use by attackers; contain the damage of successful exploitation; prevent navigation to known exploit sites
Microsoft Edge is the most secure browser Microsoft has ever shipped

19 Iterative Device Hardening Lifecycle

20 Embedding Security Into Development
Process
Education
Accountability

21 Windows Defender Exploit Guard
Arbitrary Code Guard
Block Untrusted Fonts
Mandatory ASLR
Bottom-Up ASLR
Code Integrity Guard
Control Flow Guard
Data Execution Protection
Disable Extension Points
Import Address Filtering
Simulate Execution
Validate API Invocation
Validate Heap Integrity
SEHOP
Validate Handle Usage
Validate Image Dependency Integrity
Validate Stack Integrity
Disable Win32K Calls
Block Child Processes
Block Remote Images
Block Low Integrity Images
Export Address Filtering

22 Iterative Device Hardening Lifecycle

23 Apps: Mistrust By Default
Today apps are trusted by default until defined as a threat
Detection-based methods alone can't keep up

24 Blacklist User Writeable Areas
Program Files
Windows
Windows System

25 Device Guard in a VBS environment: decisive mitigation
Device Hardware
Hypervisor (Hyper-V)
Windows Operating System: Kernel, Windows Platform Services, Apps
SystemContainer: Device Guard, Trustlet #2, Trustlet #3

26 Solution Offerings
Admin rights: Windows 10 Enterprise Compatibility Workshop
Modernize OS: Windows 10 Enterprise Deployment Foundations
Harden OS: Windows 10 Security Implementation Services
Harden Software: Secure Development Lifecycle Maturity Assessment
Whitelisting: AaronLocker, Windows 10 Security Implementation Services

27 Securing the Helpdesk
Step 1: Make beach head
Step 2: Make the device act up
Step 3: Wait for user to call helpdesk
Step 4: Grab helpdesk credentials
Step 5: Win

28 Helpdesk Attack Chain
Actors: User, Helpdesk Tech, Device (Physical or Virtual), Device #2 … Device #n, Bad Guy
1 Experience issues with device
2 Contact Helpdesk
3 Connect to device with admin rights
Typical Helpdesk scenario: techs added to a group which grants them admin rights across all devices

29 Helpdesk Attack Chain
Actors: User, Helpdesk Tech, Device (Physical or Virtual), Device #2 … Device #n, Bad Guy
1 Compromise device, generate issues
2 Experience issues with device
3 Contact Helpdesk
4 Connect to device with admin rights
5 Capture Helpdesk credentials
6 Compromise all other devices
7 Compromise all other devices (Device #2 … Device #n)
Capturing a single credential grants you access to all devices
Helpdesk credential is designed to connect to arbitrary devices, so keeping it secret or off of devices is not an option

30 Helpdesk Solution Concept: Restricted Admin
Connect to devices using Remote Assistance
Leverage the /restrictedadmin switch
Fatal flaw: a significant percentage of helpdesk calls involve inability to connect to the network

31 Helpdesk Solution Concept: LAPS
Connect to AD
Retrieve the LAPS password for the device
Connect with .\Administrator credentials
Fatal flaw: access to all LAPS passwords simultaneously leaves HELPDESK a high value credential

32 Helpdesk Solution Concept: Cred Vault
Connect to credential vault
Check out credentials to device
Check back in when completed
Fatal flaw: holy crap it's expensive!

33 LAPS helpdesk attack mitigation
Actors: User, Helpdesk Tech, Web Portal, JEA Script, AD LAPS Attribute, Device (Physical or Virtual), Device #2 … Device #n, Bad Guy
1 Compromise device, generate issues; user experiences issues with device
2 Contact Helpdesk
3 Helpdesk Tech requests device credentials from the Web Portal
4 Web Portal requests credentials from the JEA Script
5 JEA Script pulls credentials from the AD LAPS attribute
6 JEA Script receives device credentials
7 Web Portal receives device credentials
8 Helpdesk Tech receives device credentials
9 Connect to device with device creds; Bad Guy captures helpdesk credentials
10 Credentials are 1:1, not reusable
An adversary who has compromised the device, using this mitigation, only gains access to the device he already controls
JEA Script enforces 1:1 per technician by rolling the password before allowing second device password access
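The JEA-backed step of the LAPS mitigation above (slides 31 and 33), written out as an added example that is not the deck's or Microsoft's own script: a JEA endpoint whose only command returns one LAPS password per technician at a time, expiring the previously issued one first. It assumes the legacy LAPS module (AdmPwd.PS), a gMSA that has been granted read and reset rights on the LAPS attributes, and the module path, state folder, domain and group names shown, all of which are placeholders.

```powershell
# Added example, not from the deck. Assumes AdmPwd.PS, a gMSA with LAPS read/reset
# rights (placeholder name below) and a state folder writable only by that account.
$ModuleDir = "$env:ProgramFiles\WindowsPowerShell\Modules\HelpdeskLaps"   # assumed path

# Body of the single function exposed to technicians. $PSSenderInfo identifies the
# connecting technician, not the gMSA the function actually runs as.
$getPassword = {
    param([Parameter(Mandatory)][ValidatePattern('^[A-Za-z0-9-]{1,15}$')][string]$ComputerName)
    $stateDir  = 'C:\ProgramData\HelpdeskLaps'                               # assumed path
    $tech      = $PSSenderInfo.UserInfo.WindowsIdentity.Name -replace '[\\/:]', '_'
    $stateFile = Join-Path $stateDir "$tech.json"
    if (-not (Test-Path $stateDir)) { $null = New-Item -ItemType Directory -Path $stateDir }
    if (Test-Path $stateFile) {
        $prev = (Get-Content $stateFile -Raw | ConvertFrom-Json).ComputerName
        if ($prev -and $prev -ne $ComputerName) {
            # Roll the password issued earlier before handing out a second one, so the
            # technician never holds two live device credentials (the 1:1 rule).
            Reset-AdmPwdPassword -ComputerName $prev -WhenEffective (Get-Date)
        }
    }
    $pw = Get-AdmPwdPassword -ComputerName $ComputerName
    [pscustomobject]@{ ComputerName = $ComputerName; IssuedAt = (Get-Date).ToString('o') } |
        ConvertTo-Json | Set-Content -Path $stateFile
    [pscustomobject]@{ ComputerName = $ComputerName; Password = $pw.Password; Expires = $pw.ExpirationTimestamp }
}

# Package the function as a JEA role capability and register a restricted endpoint.
$null = New-Item -ItemType Directory -Path "$ModuleDir\RoleCapabilities" -Force
New-ModuleManifest -Path "$ModuleDir\HelpdeskLaps.psd1"
New-PSRoleCapabilityFile -Path "$ModuleDir\RoleCapabilities\HelpdeskLaps.psrc" `
    -ModulesToImport 'AdmPwd.PS' `
    -FunctionDefinitions @{ Name = 'Get-HelpdeskDevicePassword'; ScriptBlock = $getPassword }
New-PSSessionConfigurationFile -Path "$env:TEMP\HelpdeskLaps.pssc" `
    -SessionType RestrictedRemoteServer `
    -GroupManagedServiceAccount 'CONTOSO\HelpdeskLapsGmsa$' `
    -RoleDefinitions @{ 'CONTOSO\Helpdesk Techs' = @{ RoleCapabilities = 'HelpdeskLaps' } } `
    -TranscriptDirectory 'C:\ProgramData\JEATranscripts'
Register-PSSessionConfiguration -Name 'HelpdeskLaps' -Path "$env:TEMP\HelpdeskLaps.pssc" -Force

# A technician then uses only this command, never a reusable admin credential:
#   Enter-PSSession -ComputerName jeahost -ConfigurationName HelpdeskLaps
#   Get-HelpdeskDevicePassword -ComputerName WS0123
```

Reset-AdmPwdPassword only sets the expiration time; the device rotates its local Administrator password at its next Group Policy refresh, so the earlier credential stays valid until then and the JEA transcripts are the record of who was issued which device password.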

34 High Value Assets
Administrators, Mission Critical System Operators, Developers
By treating all users as special, you're treating no users as special

35 Academic Background
"A flow model FM is secure if and only if execution of a sequence of operations cannot give rise to a flow that violates the relation "→". If a value f(a1, …, an) flows to an object b that is statically bound to a security class b, then a1 ⊕ … ⊕ an → b must hold." Denning, 1976
Diagram: Trust level a, Trust level b, Trust level c

36 Device Attack Chain
Actors: Bad Guy, User, Admin's Device, Server or Service
1 Send malicious input to untrusted app
2 User interacts with untrusted input
5 Capture credentials or execute code
6 Use privilege on the server
Allowing less trusted apps and input opens threat vectors for adversaries to leverage vulnerabilities to execute code
Any available compromise on a general purpose computing stack is an opportunity for attack

37 Jump Server Attack Chain
Actors: Bad Guy, User, Admin's Device, Jump Server, Server or Service
1 Send malicious input to untrusted app
2 User interacts with untrusted input
3 Malicious input sent to jump server
5 Execute code once connected to VDI
6 Malicious input sent to server or service
Allowing less trusted apps and input opens threat vectors for adversaries to leverage vulnerabilities to execute code
Jump server implicitly trusts input from the admin's device, which may be controlled by a malicious actor

38 Gestalt of Hardened Workstations
Privileged assets will be managed by a chain of trust that extends from keyboard to managed asset, which only allows execution of applications and data that are trusted to the same degree as the asset.

39 Protections: Secure Roots of Trust
Runtime: Application whitelisting; EMET; Endpoint protection; GPO logon restrictions; Hardened MS GPO baseline; Rapid re-provisioning
OS Boot: Known good OS image; Trusted boot / ELAM
Network: Internet browsing disabled; Windows firewall restrictions; Secure remote access only
Logon: Standard User Privilege; Restricted local admin account access (LAPS); Smart Cards
Hardware: OEM hardware only; Disabled USB ports; BitLocker TPM+PIN; Virtualization-based security; Disabled DMA

40 Device Scenarios

41 Dedicated PAW
Device 1: Root VM, Privileged Access
Device 2: Root VM, Productivity

42 Hosted Productivity PAW
Device 1: Root VM, Privileged Access; Child VM, Productivity

43 VDI Productivity PAW
Device 1: Root VM, Privileged Access, with a Remote Desktop Client
Device 2: VDI VM, Productivity

44 Launch Pad
Device 1: Root VM, Launch Pad; Child VM 1 and Child VM 2 host Privileged Access and Productivity

45 Configuration Scenarios

46 Super PAW
Super PAW Software: Exchange Admin Tools, SQL Server Admin Tools, Windows Admin Tools

47 Scenario PAWs
SQL Server PAW Software: Windows Admin Tools, SQL Server Admin Tools
Exchange PAW Software: Exchange Admin Tools, Windows Admin Tools

48 Jump Servers (Per Scenario)
Jump Server Access PAW Software: Remote Desktop Client
Jump Servers (Per Scenario)

49 Security Roadmap for Tier 2
Device Hardening
Helpdesk
High Value Assets

50 Please evaluate this session
Your feedback is important to us! From your PC or Tablet visit MyIgnite; from your phone download and use the Ignite Mobile App by scanning the QR code above.
