Microsoft MVP (Enterprise / Azure Security 9 Years) Microsoft Certified Trainer (20 years) Founder: Cybercrime Security Forum!


Transcription:

Session Overview

Andy Malone (Scotland, UK). Microsoft MVP (Enterprise / Azure Security, 9 years). Microsoft Certified Trainer (20 years). Founder: Cybercrime Security Forum! Worldwide event speaker. Winner: Microsoft Speaker Idol 2006. Author of the sci-fi thriller The Seventh Day.

TODAY, WE'RE EXPERIENCING A REVOLUTION OF CYBER-THREATS

THE EVOLUTION OF ATTACKS (volume and impact over time)
2003-2004: Script Kiddies. BLASTER, SLAMMER. Motive: Mischief.
2005-Present: Organized Crime. RANSOMWARE, CLICK-FRAUD, IDENTITY THEFT. Motive: Profit.
2012 and beyond: Nation States, Activists, Terror Groups. BRAZEN, COMPLEX, PERSISTENT. Motives: IP Theft, Damage, Disruption.

ADDRESSING THE THREATS REQUIRES A NEW APPROACH: RUIN THE ATTACKER'S ECONOMIC MODEL. BREAK THE ATTACK PLAYBOOK. ELIMINATE THE ACTUAL VECTORS OF ATTACK. Security from the inside out, beyond bigger walls.

Windows 8.1 / Windows 10 Secure hardware. UEFI (Unified Extensible Firmware Interface): UEFI is a standards-based solution that offers a modern-day replacement for the BIOS. It provides the same functionality as BIOS while adding security features and other advanced capabilities. TPM (Trusted Platform Module): a TPM is a tamper-resistant security processor capable of storing cryptographic keys and hashes. Besides storing data, a TPM can digitally sign data using a private key that software cannot access.

Windows 8.1 / Windows 10 Secure startup. Trusted boot: Secure Boot verifies that the bootloader is trusted, and then Trusted Boot protects the rest of the boot process by verifying that all Windows boot components have integrity and can be trusted. ELAM: malware on previous versions of Windows often attempted to start before the antimalware solution. To do this, some types of malware would update or replace a non-Microsoft driver that starts during the Windows boot process. The malicious driver would then use its kernel-level privileges to modify critical parts of the system and disguise its presence so it could not be detected when the antimalware solution later started.

Setting ELAM with Group Policy. You can use Group Policy settings to configure how ELAM responds to potentially malicious boot drivers. In the Group Policy Management Editor, go to Computer Configuration\Administrative Templates\System\Early Launch Antimalware, and enable the Boot-Start Driver Initialization Policy setting.
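As an added example (not from the slides), the script below reads the registry value that the Boot-Start Driver Initialization Policy setting writes and reports what the configured value means, so a defender can audit whether ELAM has been weakened to allow known-bad drivers.

```powershell
# Added example: audit the ELAM boot-start driver policy on the local machine.
# The GPO "Boot-Start Driver Initialization Policy" writes this DWORD:
#   HKLM\SYSTEM\CurrentControlSet\Policies\EarlyLaunch\DriverLoadPolicy
# Documented values: 1 = Good only, 3 = Good and unknown,
#                    7 = Good, unknown and bad but critical (Windows default), 8 = All
function Get-ElamDriverLoadPolicy {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Policies\EarlyLaunch'
    $meanings = @{
        1 = 'Good only'
        3 = 'Good and unknown'
        7 = 'Good, unknown and bad but critical'
        8 = 'All (drivers classified as bad are still initialized)'
    }

    $value = (Get-ItemProperty -Path $key -Name DriverLoadPolicy -ErrorAction SilentlyContinue).DriverLoadPolicy
    if ($null -eq $value) {
        # Not configured: Windows behaves as if the value were 7.
        $value  = 7
        $source = 'default (policy not configured)'
    } else {
        $source = 'Group Policy / registry'
    }

    [pscustomobject]@{
        DriverLoadPolicy = $value
        Meaning          = $meanings[[int]$value]
        Source           = $source
        # 8 defeats the purpose of ELAM: a driver the antimalware ELAM driver
        # classified as bad is loaded anyway. Flag it for follow-up.
        Weakened         = ([int]$value -eq 8)
    }
}

Get-ElamDriverLoadPolicy
```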

Windows Defender: full-featured antimalware. Windows Defender has been upgraded from antispyware to a full-featured antimalware solution capable of detecting and stopping a wider range of potentially malicious software, including viruses. Windows 8 and higher users no longer need Microsoft Security Essentials, because Windows Defender is now just as powerful. Windows Defender supports the Windows 8 and higher ELAM feature, which makes Windows Defender capable of detecting rootkits that infect non-Microsoft drivers. If Windows Defender detects an infected driver, it will prevent the driver from starting.

AppLocker: control over apps. Easily create a default rule that prevents users from running any app. Windows 8 and higher supports AppLocker to give you complete and centralized control over the apps users are allowed to run. With AppLocker and Group Policy settings in an Active Directory Domain Services environment, you can create a list of every app users can run and specify which publishers to trust, or simply block apps like Solitaire that might not help the company's productivity. Configurable with Group Policy: Computer Configuration\Windows Settings\Security Settings\Application Control Policies\AppLocker\Packaged App Rules.
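As an added example (not from the slides), the following PowerShell builds an AppLocker policy from a reference machine, switches it to audit mode, and dry-runs it against a file before applying it. The file and folder paths are placeholders chosen for illustration.

```powershell
# Added example: generate, audit and test an AppLocker policy with the AppLocker module.
Import-Module AppLocker

# 1. Executable rules from what is installed on this reference machine: trust signed
#    files by publisher, fall back to hash for unsigned ones. Once the Exe collection is
#    enforced, anything not matched by an allow rule is blocked (the default-deny the slide describes).
$exeXml = Get-AppLockerFileInformation -Directory 'C:\Program Files' -Recurse -FileType Exe |
    New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Optimize -Xml

# 2. Packaged app rules (the Group Policy path the slide points at), built from the
#    Store apps already installed for any user, keyed on publisher.
$appxXml = Get-AppxPackage -AllUsers | Get-AppLockerFileInformation |
    New-AppLockerPolicy -RuleType Publisher -User Everyone -Optimize -Xml

# 3. Start in audit mode: events are logged but nothing is blocked yet.
$exeXml  = $exeXml  -replace 'EnforcementMode="[^"]*"', 'EnforcementMode="AuditOnly"'
$appxXml = $appxXml -replace 'EnforcementMode="[^"]*"', 'EnforcementMode="AuditOnly"'

$exePath  = 'C:\Temp\AppLocker-Exe.xml'    # placeholder output locations
$appxPath = 'C:\Temp\AppLocker-Appx.xml'
Set-Content -Path $exePath  -Value $exeXml
Set-Content -Path $appxPath -Value $appxXml

# 4. Dry run: would an unknown binary in a user-writable folder be allowed?
#    (placeholder path; PolicyDecision shows Allowed / Denied / DeniedByDefault)
Test-AppLockerPolicy -XmlPolicy $exePath -Path 'C:\Users\Public\Downloads\unknown-tool.exe' -User Everyone

# 5. Apply locally, merging with any existing rules. In a domain, import the same XML
#    into the GPO at the path shown on the slide instead of setting it per machine.
Set-AppLockerPolicy -XmlPolicy $exePath  -Merge
Set-AppLockerPolicy -XmlPolicy $appxPath -Merge
```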

TPM provisioning. Windows 7 challenges: the TPM can be turned off in BIOS, requiring someone either to go into the BIOS settings to turn it on or to install a driver to turn it on from within Windows. Enabling the TPM may require one or more restarts. Enabling BitLocker for devices already in users' hands can be cumbersome. Simplified TPM provisioning in Windows 8 and higher: Microsoft has added instrumentation that enables the operating system to fully manage the TPM. There is no need to go into the BIOS, and all required restarts have been eliminated.

BitLocker provisioning. Encryption of hard drives since Windows Vista: BitLocker is capable of encrypting entire hard drives, including both system and data drives. Windows 8 improvements: the time needed to provision new PCs with BitLocker enabled has been reduced. Administrators can now turn on BitLocker and the TPM from within the Windows Pre-installation Environment (WinPE). Used Space Only encryption. Standard PIN and password change. Network Unlock. Note: the most secure option is still to encrypt the entire drive during provisioning.
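The TPM and BitLocker provisioning steps from the two slides above, as an added example (not from the slides): the TPM is readied from within Windows, the OS drive is encrypted with Used Space Only and a TPM protector, and a recovery password is escrowed to AD DS. It assumes an elevated session on Windows 8 or later with the TrustedPlatformModule and BitLocker modules available; the mount point defaults to the system drive.

```powershell
# Added example: provision TPM + BitLocker on the OS drive from within Windows.
function Enable-OsDriveBitLocker {
    param([string]$MountPoint = $env:SystemDrive)

    # Windows 8+ manages the TPM itself: no BIOS visit, no extra reboot cycle.
    $tpm = Get-Tpm
    if (-not $tpm.TpmPresent) {
        throw 'No TPM present; a password or startup-key protector would be needed instead.'
    }
    if (-not $tpm.TpmReady) {
        Initialize-Tpm | Out-Null      # take ownership and clear any pending state
    }

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.ProtectionStatus -eq 'On') {
        return $vol                     # already protected; nothing to do
    }

    # Used Space Only is quick on a freshly imaged PC. The slide's caveat applies:
    # a drive that already holds data should be fully encrypted instead.
    Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 `
        -UsedSpaceOnly -TpmProtector -SkipHardwareTest | Out-Null

    # Add a recovery password and escrow it to AD DS. The "Store BitLocker recovery
    # information in AD DS" policy must be enabled for the backup to be accepted.
    $vol = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
    $rp  = $vol.KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } |
        Select-Object -First 1
    Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $rp.KeyProtectorId | Out-Null

    Get-BitLockerVolume -MountPoint $MountPoint
}

Enable-OsDriveBitLocker |
    Format-List MountPoint, VolumeStatus, EncryptionMethod, ProtectionStatus, KeyProtector
```

XtsAes256 requires Windows 10 version 1511 or later; on Windows 8.x use Aes256.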

BitLocker administration and monitoring: MBAM 2.5. Makes it simple to manage and support BitLocker and BitLocker To Go. MBAM supports the Windows 8 and higher operating systems as a target platform for the MBAM Client installation. This support enables IT administrators to install the MBAM agent, to encrypt Windows 8 and higher operating system drives, and to report on the compliance of the computers. MBAM uses the TPM and TPM+PIN protectors to manage the Windows 7 and higher operating systems. MBAM 2.5 supports encrypting Windows To Go clients.

Windows 10 Identity USER IDENTITY & AUTHENTICATION

Problems with Passwords: shhh! SHARED SECRETS. Easily mishandled or lost (Hint: the user is the problem).

Internet username and password: THE SITES WE USE ARE A WEAK LINK. (Diagram: a user signing in to Bank.com, Social.com, Network.com, LOL.com and Obscure.com, with the Bad Guy positioned at one of the sites.)

Business username and password: THE USER AND DEVICE ARE THE WEAK LINKS. (Diagram: User, Device, several IDPs, Bad Guy, Network Resource.)

PKI SOLUTIONS Complex, costly, and under attack

PKI based authentication: THE CA IS UNDER ATTACK. (Diagram: User, IDP / Active Directory, Bad Guy, Network Resource, Windows 8.1.)

Typical multi-factor authentication implementations: LIMITED USE OF MFA CREATES WEAK LINKS. (Diagram: multi-factor authentication protects only high-value assets such as VPN access; most network resources, including file servers, OneDrive, email and wireless, still rely on username/password.)

Identity Choices. Active Directory provides key business identity and security capabilities. Azure Active Directory takes this to the cloud. Both work together, and Windows 10 fully leverages both.

Windows 10 Identity Choices
Organization Owned, joined to AD: Computer joins AD to establish trust. User signs on using AD account. Managed with Group Policy + System Center.
Organization Owned, joined to Azure AD: Computer joins Azure AD to establish trust. User signs on using Azure AD account. Managed with Intune/MDM. Settings roaming.
Personally Owned (BYOD): Computer registers with AD or Azure AD via Device Registration to establish trust for remote resource access. User signs in with a Microsoft account and associates an Azure AD account. Managed with Intune/MDM. Single sign-on to enterprise + cloud-based services.

Azure Active Directory: simple connection, self-service, single sign-on. (Diagram: on-premises Windows Server Active Directory and other directories synchronize to Microsoft Azure Active Directory in the cloud, which provides sign-on to Azure, Intune, Office 365 and other SaaS applications.)

Time-limited group memberships

JIT forest (Just in Time). Create a new Server 2016 forest; there is no need to change the existing forest. Create a new PIM (Privileged Identity Management) trust to the existing forest. Add shadow principals in the new forest. A shadow group is a new object class created in the configuration NC; unlike a security group, it carries the security identifier (SID) of a principal from a domain in another forest. Add a shadow admin user. Remove admins from the existing groups. The PIM system manages TTL groups, with a workflow to add the shadow user to the shadow admin group.
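The time-limited membership that the slide's PIM system manages, as an added example (not from the slides): Windows Server 2016 exposes it through the ActiveDirectory module once the optional feature is enabled in the new forest. The forest name bastion.local, the group Shadow-Domain-Admins and the user shadow.jsmith are placeholders.

```powershell
# Added example: grant a shadow admin a group membership that expires on its own.
Import-Module ActiveDirectory

# One-time and irreversible per forest: enable the optional feature that gives group
# memberships a time-to-live. Microsoft's object name for it is
# "Privileged Access Management Feature" (the slide calls the overall approach PIM).
Enable-ADOptionalFeature -Identity 'Privileged Access Management Feature' `
    -Scope ForestOrConfigurationSet -Target 'bastion.local' -Confirm:$false

# Membership for 60 minutes. When the TTL lapses the link is removed by the DC itself,
# and the Kerberos TGT issued while the membership is active has its lifetime capped to
# the remaining TTL, so the elevated access ends without a cleanup task.
Add-ADGroupMember -Identity 'Shadow-Domain-Admins' -Members 'shadow.jsmith' `
    -MemberTimeToLive (New-TimeSpan -Minutes 60)

# Verify: -ShowMemberTimeToLive prefixes each time-bound member with <TTL=seconds,...>.
Get-ADGroup -Identity 'Shadow-Domain-Admins' -Properties member -ShowMemberTimeToLive |
    Select-Object -ExpandProperty member
```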

MICROSOFT PASSPORT USER CREDENTIAL: YOUR DEVICE IS ONE OF THE FACTORS. An asymmetric key pair, provisioned via PKI or created locally via Windows 10, SECURED BY HARDWARE.

Going beyond passwords. Problems: passwords are hard to remember, and passwords are re-used, so a server breach leads to attacks elsewhere. Microsoft Passport solution: the user has to remember only one PIN, or can use Windows Hello. No secret is stored on servers, giving two-factor authentication with asymmetric keys.

Next Generation User Credentials: A NEW APPROACH that proves identity. (Diagram: the user's Windows 10 device asks the IDP (Active Directory, Azure AD, Google, Facebook, Microsoft Account) to trust its unique key; the IDP returns an authorization token; the intranet resource trusts tokens from the IDP.)

ACCESSING CREDENTIALS. PIN: simplest implementation option, no hardware dependencies, user familiarity. Windows Hello: improved security, ease of use, impossible to forget. (Sample design, UI not final.)

WINDOWS HELLO: Fingerprint, Iris, Facial. (Screenshot: "Hello Chris".)

Strong user authentication, for everybody! Azure AD, on-premises AD, and Microsoft Account are already integrated with Microsoft Passport. Developers have access to Microsoft Passport. Microsoft is in FIDO, and Microsoft Passport will be a reference implementation for FIDO 2.0.

How could a 4-digit PIN be more secure? The attacker needs both to know your PIN and to have access to your device. The TPM provides anti-hammering support to help thwart offline attacks. Hardware-bound keys cannot be stolen or replayed. The PIN is never stored on the device or sent to the server.
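The asymmetric-key sign-in described on the Passport slides above, as an added example (not from the slides): a software stand-in in which an in-memory RSA key plays the part of the TPM-bound key that the PIN or Windows Hello unlocks, so the two properties the slides claim (the server holds no secret, and a captured response cannot be replayed) can be checked end to end. The key id device-42 and the function names are hypothetical.

```powershell
# Added example: challenge-response with a device-held private key (software stand-in for
# the TPM-protected Passport key; in the real design the private key never leaves the TPM).

# Enrollment on the device: generate the pair, keep the private half, hand over the public half.
$deviceKey  = New-Object System.Security.Cryptography.RSACng 2048
$publicOnly = $deviceKey.ExportParameters($false)     # modulus + exponent only, no private parts

# The IDP stores nothing but public keys. Unlike a table of password hashes, a breach
# of this store gives an attacker nothing to crack or replay.
$idpKeyStore = @{ 'device-42' = $publicOnly }

function New-Challenge {
    # Fresh random nonce per sign-in; freshness is what defeats replay.
    $n = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($n)
    $n
}

function Get-ChallengeSignature([byte[]]$Nonce, [System.Security.Cryptography.RSA]$Key) {
    # Device side: the PIN or Hello gesture would unlock the TPM key before this step.
    $Key.SignData($Nonce,
        [System.Security.Cryptography.HashAlgorithmName]::SHA256,
        [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
}

function Test-Assertion([string]$KeyId, [byte[]]$Nonce, [byte[]]$Signature) {
    # IDP side: verify with the stored public key only.
    $verifier = New-Object System.Security.Cryptography.RSACng
    $verifier.ImportParameters($idpKeyStore[$KeyId])
    $verifier.VerifyData($Nonce, $Signature,
        [System.Security.Cryptography.HashAlgorithmName]::SHA256,
        [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
}

$nonce = New-Challenge
$sig   = Get-ChallengeSignature -Nonce $nonce -Key $deviceKey
"Fresh challenge verifies:    $(Test-Assertion 'device-42' $nonce $sig)"

# Replay: the same signature presented against the next challenge fails.
$nonce2 = New-Challenge
"Replayed signature verifies: $(Test-Assertion 'device-42' $nonce2 $sig)"
```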

(Screenshot: Windows 10 setup, "Who owns this PC?" This choice is important, and it isn't easy to switch later. If this machine belongs to your organization, signing in with that ID will give you access to their resources. Options: "This device belongs to my organization" / "This device belongs to me"; Help me choose; Back / Next.)

(Screenshot: "Let's get you signed in" with a Work or school account, e.g. bob@contoso.com, and Password; Forgot your password?; "Which account should I use? Sign in with the username and password you use with Office 365 (or other business services from Microsoft)."; Skip this step; Privacy statement; Back / Sign in.)

(Screenshot: the same sign-in page branded by the organization: "Need help? Contact the Contoso Help Desk at (206) 555-1234. This service is operated by Microsoft on behalf of Starbucks and is for the exclusive use of their employees and partners.")

USER ENTERPRISE IDENTITY DATA & AUTHENTICATION PROTECTION

One consistent set of MDM capabilities across Mobile, Desktop, and IoT.
Provisioning: bulk enrollment; simple bootstrap; converged protocol; Azure AD integration.
Policy and configuration: additional device inventory; extended set of policies; client certificate management; enterprise Wi-Fi; VPN management; email provisioning; MDM push; device update control; kiosk, Start screen and Start menu configuration and control.
Enterprise app management: curated Windows Store; Business Store Portal (BSP) app deployment and license reclaim; simplified LOB app management; Win32 (MSI) app management; app inventory (LOB/store apps); app allow/deny lists via AppLocker.
Enterprise data protection and compliance: enhanced inventory for compliance decisions; unenrollment with alerts; removal of enterprise configuration (apps, certs, profiles, policies) and enterprise encrypted data (with EDP); full device wipe; remote lock, PIN reset, ring and find.

Before mobile devices can access Office 365 data they must be enrolled and healthy. 1. A user downloads the public OneDrive app on a personal iPad. 2. The user is shown a page that directs them to enroll the iPad. 3. The user steps through multiple parts to complete the enrollment process. 4. The OneDrive app is now MDM enabled. 5. The user is able to access their OneDrive data.

Device Policies: control which mobile devices can connect to Office 365 data; set device configuration policies such as PIN lock; enforce data encryption on devices. Admin Controls: seamless integration with existing Azure AD; configure device policies by groups; product-level granular control. Device Reporting: device compliance reports; mobile usage and trends in our organization; notifications and alerts.

(Screenshot: "Contoso: Device Successfully Enrolled. Return to e-mail".)

(Screenshot: https://activate.aad/activate, "ACTIVATION SUCCESSFUL! Your access to email and other corporate resources has been granted". Slide note: this page may need additional design work.)

TODAY'S SECURITY CHALLENGE: PASS THE HASH ATTACKS

PASS THE HASH ATTACKS: SOLUTION. VSM uses a Hyper-V powered secure execution environment to protect derived credentials: you can get things in but can't get things out. It decouples the NTLM hash from the logon secret and fully randomizes and manages a full-length NTLM hash to prevent brute-force attacks. The derived credentials that the VSM-protected LSA service gives to Windows are non-replayable.

VIRTUAL SECURE MODE (VSM). VSM isolates sensitive Windows processes in a hardware-based Hyper-V container. VSM runs the Windows kernel and a series of Trustlets (processes) within it. VSM protects the VSM kernel and Trustlets even if the Windows kernel is fully compromised. Requires processor virtualization extensions (e.g. VT-x, VT-d).

(Diagram: Virtual Secure Mode (VSM) hosting the Local Security Authority Service, Virtual TPM and Code Integrity Trustlets on the hypervisor, alongside the normal Windows environment and its apps.)
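As an added example (not from the slides), the script below checks from a defender's side whether VSM is actually running on a machine and which of the Trustlets in the diagram it hosts, using the Win32_DeviceGuard WMI class and the LSA Credential Guard flag.

```powershell
# Added example: report VSM / Credential Guard / HVCI state on the local machine.
function Get-VsmStatus {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard

    # VirtualizationBasedSecurityStatus: 0 = not enabled, 1 = enabled but not running, 2 = running
    $vbsText = @{ 0 = 'Off'; 1 = 'Enabled, not running'; 2 = 'Running' }[[int]$dg.VirtualizationBasedSecurityStatus]

    # SecurityServicesRunning lists the Trustlets VSM is protecting right now:
    #   1 = Credential Guard (isolated LSA), 2 = HVCI (hypervisor-protected code integrity)
    $running = @($dg.SecurityServicesRunning | ForEach-Object { [int]$_ })

    # LsaCfgFlags under HKLM\SYSTEM\CurrentControlSet\Control\Lsa:
    #   1 = Credential Guard on with UEFI lock, 2 = on without lock, absent/0 = not configured
    $lsaCfg  = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                 -Name LsaCfgFlags -ErrorAction SilentlyContinue).LsaCfgFlags
    $lsaText = if ($lsaCfg -eq 1) { 'Enabled with UEFI lock' }
               elseif ($lsaCfg -eq 2) { 'Enabled without UEFI lock' }
               else { 'Not configured' }

    [pscustomobject]@{
        VsmStatus                   = $vbsText
        CredentialGuardRunning      = ($running -contains 1)
        HvciRunning                 = ($running -contains 2)
        CredentialGuardPolicy       = $lsaText
        # Platform properties VSM needs vs. what the hardware offers (virtualization
        # extensions, Secure Boot, IOMMU and similar); a gap here explains "enabled, not running".
        RequiredSecurityProperties  = @($dg.RequiredSecurityProperties)
        AvailableSecurityProperties = @($dg.AvailableSecurityProperties)
    }
}

Get-VsmStatus
```

A machine where the policy says Enabled but CredentialGuardRunning is false is the one to investigate: the derived-credential protection the slides describe is not in effect there.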

(Demo slide: Diagnostics Tracking Service, dmwappushsvc, Restart PC.)

Review

Andy Malone @AndyMalone Thank You for attending!