Presentation is loading. Please wait.

Presentation is loading. Please wait.

PowerShell Desired State Configuration for Securing Systems Jeffrey Snover Distinguished Engineer (MSFT) Hemant Mahawar Senior Program Manager (MSFT) #devconnections.

Published byGeoffrey McLaughlin Modified over 8 years ago

Similar presentations

Presentation on theme: "PowerShell Desired State Configuration for Securing Systems Jeffrey Snover Distinguished Engineer (MSFT) Hemant Mahawar Senior Program Manager (MSFT) #devconnections."— Presentation transcript:

1 PowerShell Desired State Configuration for Securing Systems Jeffrey Snover Distinguished Engineer (MSFT) Hemant Mahawar Senior Program Manager (MSFT) #devconnections

2 PowerShell DSC Shipped in WS2012-R2 Agile release approach – Resource Kit (6 waves) – WMF Previews Major investment going forward – Servers and devops focus DSC simplifies complex configurations – Useful for Security #devconnections

3 Typical Corporate Environment Personal health information (PHI) Personally identifiable information (PII) Trade secrets Intellectual property Hacker

4 “New” Threat Personal health information (PHI) Personally identifiable information (PII) Trade secrets Intellectual property Hacker

5 Scenario Environment Domain Controller Domain Admin Dept. Head User Domain ( Corporate.Contoso.Com ) Servers containing critical information Phish

6 Post exploit toolkits (like mimikatz) allow bad guys to spider their way through the network compromising systems and users Makes it very hard to have confidence that you’ve remediated an attack Consider what happens with a restore SideNote on Exploits #devconnections

7 Scenario Recap Corporate domain Admin rights sprawl Bad guys are in the environment and have compromised one or more : – users – machines – admin accounts – domain admin accounts Business critical information on file servers #devconnections

8 One Solution Build a new datacenter with an air gap Create a new AD Provision new machines Set up application/service Users go into the datacenter to use the applications #devconnections

9 Safe Harbor Approach Experimental PowerShell DSC module Uses PowerShell DSC, JEA and virtualization to script a “Safe Harbor” where servers are highly isolated, locked down and tightly managed Benefits – Safe and Secure – Simple (once the base resources are available) – Requires no concrete #devconnections

10 Starting Environment Domain Controller Domain Admin Dept. Head User P.A.P.A Domain ( Corporate.Contoso.Com ) Servers containing critical information #devconnections

11 Hyper-V Domain Admin Dept. Head P.A.P.A User SH DC One Way Trust Jump Box DSC Pull Server File Servers Corporate Request A C T I O N ( W S M A N O N L Y ) A C C E S S ( S M B O N L Y ) Safe Harbor ( Safe Harbor.contoso.com ) Safe Harbor Configuration #devconnections

12 Safe Harbor Scenario #devconnections

13 Demo: Safe Harbor - Users can access File Servers - Specified users enabled to for specific admin actions - No other admin actions allowed

14 Mitigations Used Move critical data into protected environment Restrict “Administrator” role Provide specific access to specific users (Firewalls, lockdown policies, etc.)

15 How we did it

16 Safe Harbor Steps Create Protected Environment Separate Domain Controller DSC Pull Server JEA Management head (Jump box) Limit Access Domain Admins Firewall Ports Resources Add Servers Securely Never on Corp Domain Boot to Pull Server for Configuration Configure Servers Configure and Copy Critical Information

17 Implementation Options GUI tools PowerShell Scripts PowerShell Desired State Configuration PowerShell DSC dramatically simplifies complex composition #devconnections

18 DSC Supports Composition Declarative approach – Allows you to safely refactor and abstract to your hearts content Supports distributed definition of resources and nodes – DSC does the aggregation Couldn’t I just do this with scripts? – Yes, but No #devconnections

19 Demo: Evolution of SMB Share

20 DSC Simplification Intent Logging & Error Handling Reboot Resiliency Environmental Side effects Dependency Resolution Repeatable Automation DSC Engine Dependency Resolution Logging & Error Handling Reboot Resiliency Repeatable Automation Resources Technology Specific Configuration Intent Traditional Scripts

21 DSC Decouples … DSC Engine Dependency Resolution Logging & Error Handling Reboot Resiliency Repeatable Automation Resources Technology Specific Configuration Intent Make It So HOW : DSC Resources Do the heavy lifting in an idempotent way Intent WHAT : Structural Configuration Stays same irrespective of the environment WHERE : Environmental Configuration Changes as system goes through different env. Dev  Test  Production

22

23 DSC and Security The things that thwart security: – Complexity – Scale – Drift DSC is designed to address these #devconnections

24 Demo DSC addresses: - Complexity - Scale - Drift #devconnections

25 Domain Admin Dept. Head P.A.P.A User SH Admin SH DC One Way Trust Jump Box DSC Pull Server File Servers Run As M.A.T.A Corporate Request A C T I O N ( W S M A N O N L Y ) A C C E S S ( S M B O N L Y ) Safe Harbor ( Safe Harbor.contoso.com ) Remember Safe Harbor? #devconnections

26 Configuring Safe Harbor for File Server

27 Recall DSC Engine Dependency Resolution Logging & Error Handling Reboot Resiliency Repeatable Automation Resources Technology Specific Configuration Intent Make It So HOW : DSC Resources Do the heavy lifting in an idempotent way Intent WHAT : Structural Configuration Stays same irrespective of the environment WHERE : Environmental Configuration Changes as system goes through different env. Dev  Test  Production

28 Components #devconnections Assert- SafeFileServer DSC Resource SafeHarbor Resource Safe FileServer Structural Configuration Safe FileServer Structural Configuration +  FileServer in a Safe Harbor Environment Configuration Data

29 Summary Security requires large scale configuration of complex configurations which don’t drift PowerShell DSC dramatically simplifies configuration of complex environments Safe Harbor is an experimental PowerShell DSC module t o create a secure environment to run services/applications – Users can access the applications – Specified users can use a JumpBox to perform a limited set of admin functions – Domain Admins can’t get at these machines/resources #devconnections

30 SESSION TITLE #devconnections Rate This Session Now! Rate with Mobile App: 1.Select the session from the Agenda or Speakers menus 2.Select the Actions tab 3.Click Rate Session Rate Using Our Website: 1.Register at www.devconnections.com/logintoratesession 2.Go to www.devconnections.com/ratesession 3.Select this session from the list and rate it Tell Us What You Thought of This Session Be Entered to WIN Prizes!

Download ppt "PowerShell Desired State Configuration for Securing Systems Jeffrey Snover Distinguished Engineer (MSFT) Hemant Mahawar Senior Program Manager (MSFT) #devconnections."

Similar presentations

Auditing Microsoft Active Directory

Auditing Microsoft Active Directory
High Availability Deep Dive What’s New in vSphere 5 David Lane, Virtualization Engineer High Point Solutions.

High Availability Deep Dive What’s New in vSphere 5 David Lane, Virtualization Engineer High Point Solutions.
Windows Server 2003 SP1. Windows Server™ 2003 Service Pack 1 Technical Overview Jill Steinberg: Added TM Jill Steinberg: Added TM.

Windows Server 2003 SP1. Windows Server™ 2003 Service Pack 1 Technical Overview Jill Steinberg: Added TM Jill Steinberg: Added TM.
1 Objectives Configure Network Access Services in Windows Server 2008 RADIUS 1.

1 Objectives Configure Network Access Services in Windows Server 2008 RADIUS 1.
Configuring Windows Vista Security Chapter 3. IE7 Pop-up Blocker Pop-up Blocker prevents annoying and sometimes unsafe pop-ups from web sites Can block.

Configuring Windows Vista Security Chapter 3. IE7 Pop-up Blocker Pop-up Blocker prevents annoying and sometimes unsafe pop-ups from web sites Can block.
© 2009 IBM Corporation RESEARCH Peeking into Cloud for better Application Manageability Sambit Sahu IBM Research.

© 2009 IBM Corporation RESEARCH Peeking into Cloud for better Application Manageability Sambit Sahu IBM Research.
1 Version 3.0 Module 8 Virtual LANs. 2 Version 3.0.

1 Version 3.0 Module 8 Virtual LANs. 2 Version 3.0.
Security and Policy Enforcement Mark Gibson Dave Northey

Security and Policy Enforcement Mark Gibson Dave Northey
IT:Network:Applications VIRTUAL DESKTOP INFRASTRUCTURE.

IT:Network:Applications VIRTUAL DESKTOP INFRASTRUCTURE.
$$$ Idea BusinessDevelopmentOperations codeProduct.

$$$ Idea BusinessDevelopmentOperations codeProduct.
Patching MIT SUS Services IS&T Network Infrastructure Services Team.

Patching MIT SUS Services IS&T Network Infrastructure Services Team.
Cost Effort Complexity Benefit ON-PREMISES SERVICE PROVIDER MICROSOFT Azure CONSISTENT PLATFORM 1.

Cost Effort Complexity Benefit ON-PREMISES SERVICE PROVIDER MICROSOFT Azure CONSISTENT PLATFORM 1.
Streams – DataStage Integration InfoSphere Streams Version 3.0

Streams – DataStage Integration InfoSphere Streams Version 3.0
SYSTEM CENTER: ENDPOINT PROTECTION FUNDAMENTALS Howard A. Carter III Senior Consultant Microsoft Consulting Services September 21, 2013 TechGate 2013 –

SYSTEM CENTER: ENDPOINT PROTECTION FUNDAMENTALS Howard A. Carter III Senior Consultant Microsoft Consulting Services September 21, 2013 TechGate 2013 –
Using PowerShell to Configure Secure Environments and Delegated Administration.

Using PowerShell to Configure Secure Environments and Delegated Administration.
Deploying and Managing Windows Server 2012

Deploying and Managing Windows Server 2012
MCTS Guide to Microsoft Windows Server 2008 Applications Infrastructure Configuration (Exam # 70-643) Chapter Two Deploying Windows Servers.

MCTS Guide to Microsoft Windows Server 2008 Applications Infrastructure Configuration (Exam # ) Chapter Two Deploying Windows Servers.
Chapter 14: Remote Server Administration BAI617. Chapter Topics Configure Windows Server 2008 R2 servers for remote administration Remotely connect to.

Chapter 14: Remote Server Administration BAI617. Chapter Topics Configure Windows Server 2008 R2 servers for remote administration Remotely connect to.
PowerShell Desired State Configuration for Securing Systems Jeffrey Snover Distinguished Engineer (MSFT) Hemant Mahawar Senior Program Manager (MSFT) #devconnections.

PowerShell Desired State Configuration for Securing Systems Jeffrey Snover Distinguished Engineer (MSFT) Hemant Mahawar Senior Program Manager (MSFT) #devconnections.
Honeypot and Intrusion Detection System

Honeypot and Intrusion Detection System

Similar presentations

Ads by Google