Microsoft MVP (Enterprise / Azure Security 9 Years) Microsoft Certified Trainer (20 years) Founder: Cybercrime Security Forum!

Transcription

1

2 Session Overview

3 Andy Malone (Scotland, UK) Microsoft MVP (Enterprise / Azure Security 9 Years) Microsoft Certified Trainer (20 years) Founder: Cybercrime Security Forum! Worldwide Event Speaker Winner: Microsoft Speaker Idol 2006 Author off the Sc-Fi Thriller The Seventh Day

4

5

6

7 TODAY, WE RE EXPERIENCING A REVOLUTION OF CYBER-THREATS

8 THE EVOLUTION OF ATTACKS Volume and Impact Script Kiddies BLASTER, SLAMMER Motive: Mischief

9 THE EVOLUTION OF ATTACKS 2005-PRESENT Organized Crime RANSOMWARE, CLICK-FRAUD, IDENTITY THEFT Motive: Profit Script Kiddies BLASTER, SLAMMER Motive: Mischief

10 THE EVOLUTION OF ATTACKS Beyond 2005-PRESENT Organized Crime Script Kiddies BLASTER, SLAMMER Motive: Mischief RANSOMWARE, CLICK-FRAUD, IDENTITY THEFT Motive: Profit Nation States, Activists, Terror Groups BRAZEN, COMPLEX, PERSISTENT Motives: IP Theft, Damage, Disruption

11 ADDRESSING THE THREATS REQUIRES A NEW APPROACH: RUIN THE ATTACKERS ECONOMIC MODEL BREAK THE ATTACK PLAYBOOK ELIMINATE THE ACTUAL VECTORS OF ATTACK Security from the inside out beyond bigger walls

12 Windows 8.1 / Windows 10 Secure hardware UEFI (Unified Extensible Firmware Interface) UEFI is a standards-based solution that offers a modern-day replacement for the BIOS and provides the same functionality as BIOS while adding security features and other advanced capabilities TPM (Trusted Platform Module) A TPM is a tamper-resistant security processor capable of storing cryptographic keys and hashes. Besides storing data, a TPM can digitally sign data using a private key that software cannot access

13 Windows 8.1 / Windows 10 Secure startup Trusted boot Secure Boot verifies that the bootloader is trusted, and then Trusted Boot protects the rest of the boot process by verifying that all Windows boot components have integrity and can be trusted ELAM Malware on previous versions of Windows often attempted to start before the antimalware solution. To do this, some types of malware would update or replace a non-microsoft-related driver that starts during the Windows boot process. The malicious driver would then use its kernel-level privileges to modify critical parts of the system and disguise its presence so it could not be detected when the antimalware solution later starts

14 Setting ELAM with Group Policy You can use Group Policy settings to configure how ELAM responds to potentially malicious boot drivers In the Group Policy Management Editor, go to Computer Configuration\Administrative Templates\System\Early Launch Antimalware, and enable the Boot-Start Driver Initialization Policy setting

15 Windows Defender Full-featured antimalware Windows Defender has been upgraded from antispyware to a full-featured antimalware solution capable of detecting and stopping a wider range of potentially malicious software, including viruses Windows 8 and higher users no longer need Microsoft Security Essentials, because Windows Defender is now just as powerful Windows Defender supports Windows 8 and higher ELAM feature, which makes Windows Defender capable of detecting rootkits that infect non-microsoft drivers. If Windows Defender detects an infected driver, it will prevent the driver from starting

16 AppLocker Control over apps Easily create a default rule that prevents users from running any app Windows 8 and higher supports AppLocker to give you complete and centralized control over the apps users are allowed to run. With AppLocker and Group Policy settings in an Active Directory Domain Services environment, you can create a list of every app users can run and specify which publishers to trust, or simply block apps like Solitaire that might not help the company s productivity Configurable with Group Policy Computer Configuration\Windows Settings\Security Settings\Application Control Policies\AppLocker\Packaged App Rules

17 TPM provisioning Windows 7 challenges The TPM can be turned off in BIOS, requiring someone to either go into the BIOS settings to turn it on or to install a driver to turn it on from within Windows Enabling the TPM may require one or more restarts Enabling BitLocker for devices already in users hands can be cumbersome Simplified TPM provisioning in Windows 8 and higher With Windows 8 and higher, Microsoft has added instrumentation that enables the operating system to fully manage the TPM. There is no need to go into the BIOS, and all required restarts have been eliminated

18 BitLocker provisioning Encryption of hard drives since Windows Vista BitLocker is capable of encrypting entire hard drives, including both system and data drives Windows 8 improvements The time needed to provision new PCs with BitLocker enabled has been reduced Administrators can now turn on BitLocker and the TPM from within the Windows Pre-installation Environment (Win PE) Used Space Only encryption Standard PIN and password change Network Unlock Note: The most secure option is still to encrypt the entire drive during provisioning

19 BitLocker administration and monitoring MBAM 2.5 Makes it simple to manage and support BitLocker and BitLocker To Go MBAM supports the Windows 8 and higher operating systems as a target platform for the MBAM Client installation This support enables IT administrators to install the MBAM agent, to encrypt Windows 8 and higher operating system drives, and to report on the compliance of the computers MBAM uses the TPM and TPM+PIN protectors to manage the Windows 7 and higher operating systems MBAM 2.5 supports encrypting Windows To Go clients

20 Windows 10 Identity USER IDENTITY & AUTHENTICATION

21 Problems with Passwords shhh! SHARED SECRETS Easily mishandled or lost (Hint: The user is the problem)

22 Internet username and password THE SITES WE USE ARE A WEAK LINK User 1 Bank.com Social.com Network.com LOL.com 2 Bad Guy 1 Obscure.com

23 Business username and password 1 THE USER AND DEVICE ARE THE WEAK LINKS User 2 Device 3 4 IDP IDP IDP 5 Bad Guy Network Resource

24 PKI SOLUTIONS Complex, costly, and under attack

25 PKI based authentication THE CA 1 3 IS UNDER ATTACK User 2 IDP Active Directory 4 5 Bad Guy Network Resource 6 Windows 8.1

26 Typical multi-factor authentication implementations High-value assets LIMITED USE OF MFA CREATES WEAK LINKS Multi-factor VPN High Value Assets Most network resources File Servers OneDrive UN/Password User Wireless

27 Identity Choices Active Directory provides key business identity and security capabilities Azure Active Directory takes this to the cloud Both work together Windows 10 fully leverages both

28 Windows 10 Identity Choices Organization Owned Personally Owned (BYOD) Computer joins AD to establish trust User signs on using AD account Group Policy + System Center Computer joins Azure AD to establish trust User signs on using Azure AD account Intune/MDM Settings roaming Computer registers with AD or Azure AD via Device Registration to establish trust for remote resource access User signs in with a Microsoft account, associates an Azure AD account Intune/MDM Single sign-on to enterprise + cloud-based services

29 Azure Active Directory Simple connection Self-service Single sign on Windows Server Active Directory Other Directories Username Azure Intune SaaS Office 365 On-premises Microsoft Azure Active Directory Cloud

30

31 Time-limited group memberships

32 JIT forest (Just in Time) Create new Server 2016 forest No need to change existing forest Create new PIM Privileged Identity Management) trust to existing forest Add shadow principals in new forest Shadow group which is new object class created in config NC. Unlike security group, the security identifier (SID) with a domain in another forest Add shadow admin user Remove admins from existing groups PIM system manages TTL groups Workflow to add shadow user to shadow admin group

33 MICROSOFT PASSPORT USER CREDENTIAL YOUR DEVICE IS ONE OF THE FACTORS An asymmetrical key pair Provisioned via PKI or created locally via Windows 10 SECURED BY HARDWARE

34 Going beyond passwords Problems: Passwords are hard to remember Passwords are re-used -> server breach attacks Microsoft passport solution: User has to remember only one PIN or can use Windows Hello No secret is stored on servers -> Two factor authentication with asymmetric keys

35 Next Generation User Credentials Proves Identity A NEW APPROACH User Intranet Resource I trust tokens from IDP 4 1 Trust my unique key 2 Here is your authorization token 3 IDP Active Directory Azure AD Google Facebook Microsoft Account So do I Intranet Resource 4 Windows10

36 ACCESSING CREDENTIALS PIN Simplest implementation option No hardware dependencies User familiarity Windows Hello Improved security Ease of use Impossible to forget Sample design, UI not final

37 Hello Chris WINDOWS HELLO Fingerprint Iris Facial

38 Strong user authentication For everybody! Azure AD, on prem AD, and Microsoft Account are already integrated with Microsoft passport Developers have access to Microsoft Passport Microsoft is in FIDO and our Microsoft Passport will be a reference implementation for FIDO 2.0

39

40

41

42

43 How could a 4-digit PIN be more secure? Attacker needs to know both your PIN and have access to your device TPM provides anti-hammering support to help thwart offline attacks Hardware bound keys cannot be stolen or replayed PIN is never stored in the device or sent to server

44

45

46

47 Who owns this PC? This choice is important, and it isn t easy to switch later. If this machine belongs to your organization, signing in with that ID will give you access to their resources. This device belongs to my organization This device belongs to me Help me choose Next Back Next

48 Let s get you signed in Work or school account [email protected] [email protected] Password Forgot your password? Which account should I use? Sign in with the username and password you use with Office 365 (or other business services from Microsoft). Skip this step Privacy statement Back Sign in

49 Let s get you signed in Work or school account [email protected] Password Forgot your password? Need help? Contact the Contoso Help Desk at (206) This service is operated by Microsoft on behalf of Starbucks and is for the exclusive use of their employees and partners. Skip this step Privacy statement Back Sign in

50

51

52 USER ENTERPRISE IDENTITY DATA & AUTHENTICATION PROTECTION

53 Unenrollment with alerts Removal of Enterprise configuration (apps, certs, profiles, policies) and Enterprise encrypted data (with EDP) Full device wipe Remote Lock, PIN reset, Ring, & Find Enhanced inventory for compliance decisions Curated Windows Store Business Store Portal (BSP) app deployment; license reclaim Enterprise App management Simplified LOB app management Win32 (MSI) app management App inventory (LOB/store apps) App allow/deny lists via Applocker Enterprise data protection One consistent set of MDM capabilities across Mobile, Desktop, and IoT Provisioning Bulk enrollment Simple bootstrap Converged protocol Azure AD Integration Additional device inventory Extended set of policies Client certificate management Enterprise Wi-Fi VPN management provisioning MDM Push Device Update control Kiosk, Start screen, Start menu configuration and control

54

55 Before mobile devices can access Office 365 data they must be enrolled and healthy. 1. A user downloads the public OneDrive app on a personal ipad 2. The user is shown a page that directs them to enroll the ipad 3. The user steps through multiple parts to compete the enrollment process 4. The OneDrive app is now MDM enabled 5. The user is able to access their OneDrive data

56 Device Polices Control what mobile devices can connect to Office 365 Data Set device configuration policies such as pin lock Enforce data encryption on devices Admin Controls Seamless Integration with Existing Azure AD Configure device policies by groups Product level granular control Device Reporting Device compliance reports Mobile usage and trends in our organization Notifications and Alerts

57 Contoso Device Successfully Enrolled Return to

58 ACTIVATION SUCCESSFUL! Your access to and other corporate resources has been granted (this page may need additional design work)

59 TODAY S SECURITY CHALLENGE PASS THE HASH ATTACKS

60 VSM uses Hyper-V powered secure execution environment to protect derived credentials you can get things in but can t get things out SOLUTION Decouples NTLM hash from logon secret PASS THE HASH ATTACKS Fully randomizes and manages full length NTLM hash to prevent brute force attack Derived credentials that VSM protected LSA Service gives to Windows are non-replayable

61 VSM isolates sensitive Windows processes in a hardware based Hyper-V container Virtualization VIRTUAL SECURE MODE (VSM) VSM runs the Windows Kernel and a series of Trustlets (Processes) within it VSM protects VSM kernel and Trustlets even if Windows Kernel is fully compromised Requires processor virtualization extensions (e.g.: VT-X, VT-D)

62 Virtual Secure Mode Local Security Auth Service Virtual TPM Hyper-Visor Code Integrity Apps Virtual Secure Mode (VSM) Windows

63

64

65

66

67 Diagnostics Tracking Service dmwappushsvc Restart PC

68

69 Review

70

71 Andy Thank You for attending!

72