GOLD PARTNER: Main expert partner
What is new in Security in Windows 2016 and Windows 10: Revolution or Evolution?
Ondrej Sevecek | GOPAS a.s.
MCSM: Directory Services | MVP: Enterprise Security | CISA | CEH | CHFI
ondrej@sevecek.com | www.sevecek.com
facebook: ondrej.sevecek.official | twitter: @OndrejSevecek
Agenda
§ Virtual Smart Cards and TPM attestation
§ Credential Guard (Device Guard)
§ Shielded VMs
§ Microsoft Passport authentication with AD DS
§ BitLocker with XTS-AES
§ Windows Defender on servers by default
§ Temporary AD group membership and PAM
§ 2003 DFL/FFL deprecated
§ WAP reverse HTTPS publishing
§ ADFS improvements
Smart Cards and Credential Guard
Credential Guard
§ Traditional LSASS credential management and theft
[Diagram: processes call into LSASS, which keeps the password, NTLM hash and Kerberos TGT inside the high-level OS, where an attacker running there can read them]
Why use Smart Cards
[Diagram: the PC reaches the card only through API calls authorized by a PIN; the card's crypto CPU holds the private key in PIN-protected memory next to public storage memory, a master PIN and firmware ROM; the attacker sits in the OS and never sees the private key]
Virtual Smart Cards on Windows 10
§ TPM based smart card
▪ Smart Card Logon certificates
▪ User identity bound to a device
§ Hardware attestation available with AD CS on Windows 2012
§ TpmVscMgr create /name "SevecekTest" /generate
– AdminKey 48 digits
– PIN 8 characters
– PUK 8 characters
§ certutil.exe -setreg CA\EndorsementKeyListDirectories +"C:\tpmkeys"
– 6dc60500e98df104c54465638bfb529a2924d75d827b5f50f5630f177721e49e = file of size 0, no extension (named after the EK public key hash)
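The slide gives the TpmVscMgr and certutil commands; the following is an added PowerShell example (not from the presentation) that wraps them in a checked provisioning flow: confirm the TPM is ready before creating the virtual smart card, read the endorsement key hash with Get-TpmEndorsementKeyInfo, and create the zero-byte, extension-less file that AD CS expects in the EndorsementKeyListDirectories folder. The card name, the C:\tpmkeys path and the hypothetical trusted-EK workflow are assumptions; the TpmVscMgr switches (/pin, /puk, /adminkey, /generate) are the tool's documented options.

```powershell
# Added example, not part of the slides. Run elevated on Windows 10 (client part)
# and on the issuing CA (EK list part). Names and paths are placeholders.

function Test-TpmReady {
    # Get-Tpm ships with the TrustedPlatformModule module (Windows 8 / 2012 and later)
    $tpm = Get-Tpm
    return [bool]($tpm.TpmPresent -and $tpm.TpmReady)
}

function New-TpmVirtualSmartCard {
    param([Parameter(Mandatory)] [string] $Name)   # e.g. 'SevecekTest' as on the slide
    if (-not (Test-TpmReady)) {
        throw 'TPM is not present or not ready; a virtual smart card cannot be created.'
    }
    # PIN and PUK are prompted for interactively (8 characters each per the slide);
    # the 48-hex-digit admin key is generated at random by the tool.
    & tpmvscmgr.exe create /name $Name /pin PROMPT /puk PROMPT /adminkey RANDOM /generate
    if ($LASTEXITCODE -ne 0) { throw "tpmvscmgr.exe failed with exit code $LASTEXITCODE" }
}

function Get-EndorsementKeyHash {
    # SHA-256 over the EK public key; this is the value AD CS matches against the
    # file names in the EndorsementKeyListDirectories folder (assumption: the
    # PublicKeyHash property is used unchanged as the file name)
    $ek = Get-TpmEndorsementKeyInfo -HashAlgorithm sha256
    if (-not $ek.IsPresent) { throw 'No endorsement key available from this TPM.' }
    return $ek.PublicKeyHash
}

function Add-EndorsementKeyToCaList {
    # On the CA: after "certutil.exe -setreg CA\EndorsementKeyListDirectories +C:\tpmkeys",
    # drop an empty file named after the EK hash so the CA trusts this TPM for attestation.
    param(
        [Parameter(Mandatory)] [string] $EkListDirectory,   # e.g. 'C:\tpmkeys'
        [Parameter(Mandatory)] [string] $PublicKeyHash
    )
    if ($PublicKeyHash -notmatch '^[0-9a-fA-F]{64}$') { throw 'Expected a 64-hex-digit SHA-256 value.' }
    New-Item -ItemType Directory -Path $EkListDirectory -Force | Out-Null
    $file = Join-Path $EkListDirectory $PublicKeyHash.ToLower()   # size 0, no extension
    if (-not (Test-Path $file)) { New-Item -ItemType File -Path $file | Out-Null }
    return $file
}

# Client side:
#   New-TpmVirtualSmartCard -Name 'SevecekTest'
#   Get-EndorsementKeyHash            -> hand this value to the CA administrator
# CA side:
#   Add-EndorsementKeyToCaList -EkListDirectory 'C:\tpmkeys' -PublicKeyHash <hash from client>
```

The EK list file is what turns "a certificate from some TPM" into "a certificate from a TPM this organization enrolled"; without it, attestation only proves the key is hardware-bound, not whose hardware.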
Credential Guard
§ Prevent LSASS credential theft
[Diagram: LSASS in the high-level OS talks over vmbus to a trustlet running in Isolated User Mode (IUM) under the hypervisor; the password, NTLM hash and TGT are kept in IUM, out of the attacker's reach]
Credential Guard Requirements
§ Enterprise Edition
§ x64 hardware virtualization
§ UEFI Secure Boot
§ and others...
Enabling Credential Guard
§ GPO
▪ Computer Configuration
▪ Administrative Templates
▪ System
▪ Device Guard
§ Image
– dism /Enable-Feature /FeatureName:IsolatedUserMode
§ Reboot required (hypervisor installed automatically)
Credential Guard Events
§ System log, source WinInit
▪ event IDs 13, 14, 15, 16, 17
Credential Manager and Credential Guard
§ Credential Manager
▪ stores per-user credentials since Vista
§ Does not work with Credential Guard
§ you should have disabled it anyway :-)
Who can disable Credential Guard
§ without EFI lock: local Administrators
▪ requires restart
▪ GPO/registry
§ with EFI lock: local Administrators
– requires physical presence
– bcdedit loadoptions DISABLE-LSA-ISO, DISABLE-VBS
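The three slides above (enabling, events, who can disable) map to a small audit a defender runs on every workstation. This is an added PowerShell example, not from the presentation: it reads the Win32_DeviceGuard CIM class and the LsaCfgFlags registry value to tell whether Credential Guard is actually running and whether the UEFI lock is set, and it pulls the WinInit events 13-17 from the System log. The class, value and log names are the Windows built-ins; the one-line meanings given for the event IDs are assumptions for the reader, not quoted from the slide.

```powershell
# Added example, not part of the slides. Run elevated on Windows 10 / 2016.

function Get-CredentialGuardState {
    # VirtualizationBasedSecurityStatus: 2 = running; SecurityServicesRunning contains 1 when
    # Credential Guard is up (2 would be HVCI). Both are documented Win32_DeviceGuard values.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    # LsaCfgFlags: 1 = enabled with UEFI lock, 2 = enabled without lock, 0/absent = off.
    # This is the registry side of the GPO the slide shows and decides who can turn it off.
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name LsaCfgFlags -ErrorAction SilentlyContinue
    [pscustomobject]@{
        VbsRunning             = ($dg.VirtualizationBasedSecurityStatus -eq 2)
        CredentialGuardRunning = (@($dg.SecurityServicesRunning) -contains 1)
        LsaCfgFlags            = $lsa.LsaCfgFlags
        UefiLocked             = ($lsa.LsaCfgFlags -eq 1)   # only physical presence + bcdedit can clear it
    }
}

function Get-CredentialGuardEvents {
    param([int] $Days = 7)
    # Assumed meanings (not on the slide): 13 = LsaIso started and protects LSA secrets,
    # 14 = configuration read, 15 = configured but secure kernel not running, 16/17 = start/config errors.
    Get-WinEvent -FilterHashtable @{
        LogName   = 'System'
        Id        = 13, 14, 15, 16, 17
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.ProviderName -like '*WinInit*' } |
        Select-Object TimeCreated, Id, @{ n = 'Message'; e = { ($_.Message -replace '\s+', ' ').Trim() } }
}

function Test-CredentialGuardHealthy {
    # One verdict for inventory scripts: true only if VBS and Credential Guard are both running
    $s = Get-CredentialGuardState
    return [bool]($s.VbsRunning -and $s.CredentialGuardRunning)
}

Get-CredentialGuardState
Get-CredentialGuardEvents -Days 30
```

A machine that reports LsaCfgFlags = 2 but CredentialGuardRunning = false has the policy but not the hypervisor (typically a missing requirement from the requirements slide); the event list shows which one, and a recent event 15 or 16 on a box that previously logged 13 is worth an alert, since that is what a silent disable looks like.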
What attacks still bypass Credential Guard
§ Keyloggers
§ Hardware keyloggers
§ Extracting stored passwords
§ DoS
§ Script/code injection
§ Other memory attacks
Shielded VMs
Shielded VMs
§ Separate host Administrators from VMs
Cloud identities
Cloud identities
§ Windows 8+
▪ use Microsoft Account to log on locally
▪ maps to a local user account
§ Windows 10
▪ use Microsoft Passport to log on with Kerberos/NTLM tickets
▪ mapping certificate to user account in AD just like Smart Card Logon
▪ TPM Virtual Smart Card or Software
Enabling Microsoft Passport
§ GPO
▪ Windows Configuration
▪ Administrative Templates
▪ Windows Components
▪ Microsoft Passport for Work
§ Current support requirements
– Azure subscription, Azure join, Intune, ADFS, System Center, Windows 2016
§ Future support requirements
– Windows 2016 RTM
BitLocker
BitLocker with XTS-AES
§ Windows Vista, 7, 2008 R2
▪ AES 128, AES 256
▪ AES 128 with Diffuser, AES 256 with Diffuser
§ Windows 8, 8.1, 2012 R2
▪ AES 128, AES 256
§ Windows 10, 2016
▪ AES 128, AES 256
▪ XTS-AES 128, XTS-AES 256
Disk de/encryption
§ Whole disk encrypted with a single AES FVEK
§ Every sector gets its own IV based on the sector ID
§ AES CBC sector decryption
▪ first block (128 bits/16 bytes) is decrypted with FVEK + sector IV
▪ subsequent blocks are decrypted with FVEK + previous encrypted block
§ any sector decrypts with the FVEK alone, without knowing its IV
▪ except for the first 128 bits/16 bytes
Sector switch attacks
§ Offline: swap some sectors (512 bytes)
▪ the moved content still runs if its first 16 bytes are not relevant
§ AES Diffuser
▪ proprietary MS
§ XTS-AES
▪ FIPS compliant
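The two slides above state a property of CBC that is easy to verify and that explains why the Diffuser existed and why XTS replaced it. The following is an added PowerShell example (not from the presentation) that uses the .NET AES classes to encrypt a 512-byte sector under one key with a per-sector IV, then decrypts that ciphertext with a different sector's IV, as happens when a sector is moved on disk: only the first 16 bytes come out wrong, the remaining 496 bytes decrypt correctly. The key and sector contents are constructed, and deriving the IV as AES-ECB(FVEK, sector number) is a simplification labelled as such; the point is the CBC chaining, not BitLocker's exact IV formula. A second function shows how to read which method a volume actually uses.

```powershell
# Added example, not part of the slides. Pure .NET crypto, runs on any Windows PowerShell 3+.

function Invoke-AesCbc {
    # Raw CBC over whole blocks (no padding), the shape of a disk sector transform
    param([byte[]] $Key, [byte[]] $IV, [byte[]] $Data, [switch] $Decrypt)
    $aes = [System.Security.Cryptography.Aes]::Create()
    try {
        $aes.Mode    = [System.Security.Cryptography.CipherMode]::CBC
        $aes.Padding = [System.Security.Cryptography.PaddingMode]::None
        $aes.Key = $Key
        $aes.IV  = $IV
        $xf = if ($Decrypt) { $aes.CreateDecryptor() } else { $aes.CreateEncryptor() }
        try { return ,$xf.TransformFinalBlock($Data, 0, $Data.Length) } finally { $xf.Dispose() }
    } finally { $aes.Dispose() }
}

function Get-SectorIV {
    # Assumption for the demo: IV = AES-ECB(FVEK, 16-byte little-endian sector number).
    # Any injective per-sector derivation gives the same conclusion.
    param([byte[]] $Key, [uint64] $Sector)
    $block = New-Object byte[] 16
    [BitConverter]::GetBytes($Sector).CopyTo($block, 0)
    $aes = [System.Security.Cryptography.Aes]::Create()
    try {
        $aes.Mode    = [System.Security.Cryptography.CipherMode]::ECB
        $aes.Padding = [System.Security.Cryptography.PaddingMode]::None
        $aes.Key = $Key
        $xf = $aes.CreateEncryptor()
        try { return ,$xf.TransformFinalBlock($block, 0, 16) } finally { $xf.Dispose() }
    } finally { $aes.Dispose() }
}

function Test-SectorMoveDamage {
    $fvek    = [byte[]](1..32)                                          # constructed 256-bit key, not a real FVEK
    $sector1 = [byte[]](0..511 | ForEach-Object { ($_ * 7 + 3) % 256 }) # constructed 512-byte plaintext sector
    $iv0 = Get-SectorIV -Key $fvek -Sector 0
    $iv1 = Get-SectorIV -Key $fvek -Sector 1

    $ct1 = Invoke-AesCbc -Key $fvek -IV $iv1 -Data $sector1             # sector 1 as written to disk
    # Offline move: sector 1's ciphertext now sits at sector 0, so the OS decrypts it with IV0
    $pt  = Invoke-AesCbc -Key $fvek -IV $iv0 -Data $ct1 -Decrypt

    $wrongFirst = 0; $wrongRest = 0
    for ($i = 0; $i -lt 512; $i++) {
        if ($pt[$i] -ne $sector1[$i]) { if ($i -lt 16) { $wrongFirst++ } else { $wrongRest++ } }
    }
    [pscustomobject]@{ BytesWrongInFirstBlock = $wrongFirst; BytesWrongAfterFirstBlock = $wrongRest }
}

function Get-BitLockerMethodReport {
    # Which cipher each volume really uses (XtsAes128/XtsAes256 vs the older Aes128/Aes256 CBC modes)
    Get-BitLockerVolume | Select-Object MountPoint, EncryptionMethod, ProtectionStatus, VolumeStatus
}

Test-SectorMoveDamage
```

CBC guarantees BytesWrongAfterFirstBlock is 0: from the second block on, decryption only needs the previous ciphertext block, which moved along with the data. Only the first block depends on the IV, and that is exactly the "first 16 bytes are not relevant" condition on the slide. XTS ties every block to its sector position, so moved ciphertext decrypts to noise throughout; Get-BitLockerMethodReport tells you whether your Windows 10/2016 volumes were encrypted with XTS or were carried over with the older CBC method.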
Windows Defender on Servers
Windows Defender on Servers
§ Windows 2016
§ file and network inspections
§ updated from Windows Update
§ automatic exclusions
§ events
Windows Defender automatic exclusions on Servers
§ Group Policy
– %allusersprofile%\NTUser.pol
– %SystemRoot%\System32\GroupPolicy\Machine\registry.pol
– %SystemRoot%\System32\GroupPolicy\User\registry.pol
§ DFSR
– %systemroot%\System32\dfsr.exe
– %systemroot%\System32\dfsrs.exe
§ Hyper-V
– *.vhd, *.vhdx, *.iso, ...
– %systemroot%\System32\Vmms.exe
– %systemroot%\System32\Vmwp.exe
§ Active Directory
– HKLM\System\CurrentControlSet\Services\NTDS\Parameters\DSA Database File
– HKLM\System\CurrentControlSet\Services\NTDS\Parameters\Database Log Files
– HKLM\System\CurrentControlSet\Services\NTDS\Parameters\DSA Working Directory
– %systemroot%\System32\ntfrs.exe
– %systemroot%\System32\lsass.exe
§ Web server
– %SystemRoot%\IIS Temporary Compressed Files
– %SystemDrive%\inetpub\temp\ASP Compiled Templates
– %SystemDrive%\inetpub\logs
– %SystemDrive%\inetpub\wwwroot
– %SystemRoot%\system32\inetsrv\w3wp.exe
– %SystemRoot%\SysWOW64\inetsrv\w3wp.exe
– %SystemDrive%\PHP5433\php-cgi.exe
§ ...
Windows Defender events
§ Application and Services Logs – Microsoft – Windows – Windows Defender – Operational
Add exclusion or (un)install Windows Defender
Add-MpPreference -ExclusionPath "c:\Accounting"
Get-WindowsFeature *defender*
Get-WindowsFeature *defender* | Remove-WindowsFeature   # Restart needed!
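Every exclusion on the previous slides is a place Defender will not look, so the defensive counterpart to Add-MpPreference is a periodic review. This is an added PowerShell example, not from the presentation: it lists the explicit path, extension and process exclusions from Get-MpPreference, flags the ones that cover a whole drive, a UNC share, a scripting engine or an executable extension, reports whether real-time protection is off, and pulls the detection and "protection disabled" events from the Operational log the slide names. The "broad" watch list is constructed; the event IDs 1116, 1117 and 5001 are Defender's documented IDs for malware detected, action taken and real-time protection disabled.

```powershell
# Added example, not part of the slides. Run elevated on a 2016 server with Defender installed.
# Note: the automatic server-role exclusions are applied by Defender itself and do not
# show up in Get-MpPreference; this report covers what administrators added on top.

function Get-DefenderExclusionReport {
    $p = Get-MpPreference
    # Constructed watch list: exclusions this wide effectively switch scanning off
    $broadPaths = @('C:', 'C:\Windows', 'C:\Users', 'C:\ProgramData', 'C:\Temp', '*')
    $broadExt   = @('exe', 'dll', 'ps1', 'vbs', 'js', 'bat', 'cmd', 'scr')

    foreach ($path in @($p.ExclusionPath)) {
        if (-not $path) { continue }
        [pscustomobject]@{
            Type  = 'Path'
            Value = $path
            Broad = ($path.TrimEnd('\') -in $broadPaths) -or ($path -match '^\\\\')   # whole drive or UNC share
        }
    }
    foreach ($ext in @($p.ExclusionExtension)) {
        if (-not $ext) { continue }
        [pscustomobject]@{ Type = 'Extension'; Value = $ext; Broad = ($ext.TrimStart('.') -in $broadExt) }
    }
    foreach ($proc in @($p.ExclusionProcess)) {
        if (-not $proc) { continue }
        [pscustomobject]@{ Type = 'Process'; Value = $proc; Broad = ($proc -match 'powershell|cmd\.exe|wscript|cscript|mshta') }
    }
    if ($p.DisableRealtimeMonitoring) {
        [pscustomobject]@{ Type = 'Setting'; Value = 'DisableRealtimeMonitoring = True'; Broad = $true }
    }
}

function Get-DefenderSecurityEvents {
    param([int] $Days = 7)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1116, 1117, 5001
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } }
}

function Test-DefenderInstalled {
    # Server 2016 exposes Defender as a feature; the slide's Remove-WindowsFeature is the opposite action
    $f = Get-WindowsFeature -Name 'Windows-Defender*' -ErrorAction SilentlyContinue
    return [bool]($f | Where-Object Installed)
}

Get-DefenderExclusionReport | Where-Object Broad
Get-DefenderSecurityEvents -Days 30
```

A "Broad" row is not automatically wrong (the slide's own accounting folder is a legitimate case) but each one should be traceable to a ticket; an excluded scripting engine or an excluded .exe extension is the kind of entry that is also worth alerting on centrally, because adding it is one of the first things an intruder with admin rights does.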
Temporary group membership aka PAM
Privileged Access Management
§ Limited access
§ Temporary access
§ Secure workstations
§ Protect credentials
Temporary AD objects (since FFL 2003)
§ dynamicObject class
§ entryTTL = seconds
§ CN=Directory Services,CN=Windows NT,CN=Services,CN=Configuration
– ms-DS-Other-Settings: DynamicObjectDefaultTTL (seconds), DynamicObjectMinTTL (seconds)
Temporary AD group membership (FFL 2003)
[Diagram: user account – proxy group with TTL – real group; the membership is effective for the standard TGT lifetime]
Privileged Access Management feature (FFL 2016)
§ New AD optional feature
– Privileged Access Management Feature
– Get-ADOptionalFeature
§ Add-ADGroupMember -MemberTimeToLive
– lowest lifetime propagates to Kerberos TGT tickets
§ LDP
– LDAP_SERVER_LINK_TTL_OID 1.2.840.113556.1.4.2309
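The slide names the optional feature and the -MemberTimeToLive parameter; the following is an added PowerShell example (not from the presentation) that puts them together: enable the feature once the forest is at the 2016 level, grant a membership that expires on its own, and read the remaining TTL back from the group, which Get-ADGroup exposes as "<TTL=seconds>,<DN>" values when -ShowMemberTimeToLive is given. Domain, group and user names are constructed placeholders.

```powershell
# Added example, not part of the slides. Requires the 2016 RSAT ActiveDirectory module and a 2016 FFL forest.
Import-Module ActiveDirectory

function Enable-PamFeature {
    param([Parameter(Mandatory)] [string] $ForestRootDomain)   # e.g. 'gopas.virtual' (placeholder)
    $feature = Get-ADOptionalFeature -Filter "Name -eq 'Privileged Access Management Feature'"
    if (-not $feature) { throw 'Feature not found; the schema is older than Windows Server 2016.' }
    if (@($feature.EnabledScopes).Count -gt 0) { return $feature }   # already on; it cannot be disabled again
    if ((Get-ADForest).ForestMode -notmatch '2016') {
        throw 'Raise the forest functional level to Windows2016Forest before enabling PAM.'
    }
    Enable-ADOptionalFeature -Identity $feature -Scope ForestOrConfigurationSet -Target $ForestRootDomain -Confirm:$false
    return Get-ADOptionalFeature -Filter "Name -eq 'Privileged Access Management Feature'"
}

function Grant-TemporaryMembership {
    # The link expires by itself; the user's next TGT is issued with a lifetime no longer than the TTL
    param(
        [Parameter(Mandatory)] [string] $Group,    # e.g. 'Domain Admins'
        [Parameter(Mandatory)] [string] $User,     # e.g. 'ondrej.adm' (placeholder)
        [int] $Minutes = 30
    )
    Add-ADGroupMember -Identity $Group -Members $User -MemberTimeToLive (New-TimeSpan -Minutes $Minutes)
}

function Get-MembershipTtl {
    # Permanent members come back as plain DNs; expiring links carry a <TTL=n> prefix
    param([Parameter(Mandatory)] [string] $Group)
    $g = Get-ADGroup -Identity $Group -Properties member -ShowMemberTimeToLive
    foreach ($m in @($g.member)) {
        if ($m -match '^<TTL=(\d+)>,(.+)$') {
            [pscustomobject]@{ Member = $Matches[2]; SecondsLeft = [int]$Matches[1]; Temporary = $true }
        } else {
            [pscustomobject]@{ Member = $m; SecondsLeft = $null; Temporary = $false }
        }
    }
}

# Enable-PamFeature -ForestRootDomain 'gopas.virtual'
# Grant-TemporaryMembership -Group 'Domain Admins' -User 'ondrej.adm' -Minutes 30
# Get-MembershipTtl -Group 'Domain Admins' | Sort-Object Temporary -Descending
```

Get-MembershipTtl doubles as the audit of the slide's "Limited access" goal: any row with Temporary = false in a Tier-0 group is a standing privilege that the PAM feature was meant to remove.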
2003 DFL/FFL deprecated
2003 DFL/FFL deprecated
§ Move to 2008 DFL
– enable/enforce AES for Kerberos
– remove RC4
§ Move to 2012 FFL
– enable group managed service accounts
– smaller Kerberos tickets
§ Move to 2016 FFL
– enable temporary group membership
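Raising the level is the easy part; the slide's "enable/enforce AES, remove RC4" needs an inventory of which accounts still only offer RC4. This is an added PowerShell example (not from the presentation) that reports the current functional levels, lists user and computer accounts whose msDS-SupportedEncryptionTypes lacks an AES bit (or is unset, which falls back to RC4 unless policy says otherwise), and shows the Set-ADUser/Set-ADComputer call that switches an account to AES only. The bit values are the documented Kerberos encryption-type flags; the sample account names in the comments are placeholders.

```powershell
# Added example, not part of the slides. Requires the ActiveDirectory RSAT module.
Import-Module ActiveDirectory

# msDS-SupportedEncryptionTypes bit flags
$script:EncType = @{ DES_CBC_CRC = 1; DES_CBC_MD5 = 2; RC4_HMAC = 4; AES128 = 8; AES256 = 16 }

function Get-FunctionalLevels {
    [pscustomobject]@{
        DomainMode = (Get-ADDomain).DomainMode      # e.g. Windows2008Domain
        ForestMode = (Get-ADForest).ForestMode      # e.g. Windows2016Forest
    }
}

function ConvertTo-EncTypeNames {
    param([int] $Value)
    if (-not $Value) { return '(unset)' }
    ($script:EncType.GetEnumerator() | Where-Object { $Value -band $_.Value } | Sort-Object Value | ForEach-Object Key) -join ','
}

function Get-AccountsWithoutAes {
    # Users and computers that cannot use AES Kerberos keys yet: the ones blocking "remove RC4"
    $aesMask = $script:EncType.AES128 -bor $script:EncType.AES256
    Get-ADObject -LDAPFilter '(|(objectCategory=person)(objectCategory=computer))' `
                 -Properties 'msDS-SupportedEncryptionTypes', sAMAccountName |
        ForEach-Object {
            $v = [int]$_.'msDS-SupportedEncryptionTypes'
            if (($v -band $aesMask) -eq 0) {
                [pscustomobject]@{
                    Account  = $_.sAMAccountName
                    Class    = $_.ObjectClass
                    EncTypes = ConvertTo-EncTypeNames $v
                    Note     = $(if ($v) { 'explicit types without AES' } else { 'attribute unset: RC4 unless enforced by policy' })
                }
            }
        }
}

function Set-AesOnly {
    # Removes RC4 (and DES) from one account; the account's Kerberos keys must already include
    # AES keys, i.e. the password was set after the domain reached 2008 DFL.
    param([Parameter(Mandatory)] [string] $SamAccountName, [switch] $Computer)
    if ($Computer) { Set-ADComputer -Identity $SamAccountName -KerberosEncryptionType AES128, AES256 }
    else           { Set-ADUser     -Identity $SamAccountName -KerberosEncryptionType AES128, AES256 }
}

Get-FunctionalLevels
Get-AccountsWithoutAes | Sort-Object Class, Account
# Set-AesOnly -SamAccountName 'svc-legacy'           # placeholder user
# Set-AesOnly -SamAccountName 'APPSRV01$' -Computer  # placeholder computer
```

Run the report before flipping RC4 off domain-wide: a service account whose password predates the 2008 DFL has no AES keys at all, and forcing AES on it breaks its tickets until the password is reset.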
WAP reverse HTTPS publishing
Principal scenario (internal HTTP or HTTPS)
[Diagram: browser client and GUI client connect to the reverse HTTPS proxy at https://portal.gopas.cz (TLS certificate); the proxy forwards to the internal web server at http://portal or https://portal (TLS certificate); proxy and web server belong to the domain gopas.virtual (DC, DC, GPS)]
Reasons for WAP
§ Perimeter TLS offloading
§ Isolate TCP/IP attacks
§ Authenticate users
– password forms
– certificates
§ Extranet lockout
What is new in WAP 2016
§ HTTP -> HTTPS redirection
§ TLS offloading
§ publishing RDP Web Apps
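The diagram and the two slides above describe one deployment: the internal portal published at https://portal.gopas.cz through WAP, with HTTP-to-HTTPS redirection (new in 2016) and extranet lockout enforced by ADFS. This is an added PowerShell example (not from the presentation) showing that configuration with the WebApplicationProxy and ADFS cmdlets. The certificate thumbprint, application name and lockout thresholds are placeholders; the -EnableHTTPRedirect parameter name is the Windows Server 2016 one and is an assumption here in the sense that the slide does not name it.

```powershell
# Added example, not part of the slides. Publish-PortalThroughWap runs on the WAP server,
# Enable-AdfsExtranetLockout on the primary ADFS server.

function Publish-PortalThroughWap {
    param(
        [string] $Name        = 'Portal',
        [string] $ExternalUrl = 'https://portal.gopas.cz/',   # from the diagram
        [string] $BackendUrl  = 'http://portal/',             # internal HTTP; TLS ends at the proxy
        [Parameter(Mandatory)] [string] $CertThumbprint       # external TLS certificate in LocalMachine\My
    )
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq $CertThumbprint
    if (-not $cert) { throw "Certificate $CertThumbprint is not in LocalMachine\My on this proxy." }
    if ($cert.NotAfter -lt (Get-Date).AddDays(30)) { Write-Warning "Certificate expires $($cert.NotAfter)" }

    # PassThrough = the backend does its own forms/certificate authentication;
    # use -ExternalPreauthentication ADFS to have ADFS authenticate before the request reaches the backend.
    Add-WebApplicationProxyApplication -Name $Name `
        -ExternalUrl $ExternalUrl -BackendServerUrl $BackendUrl `
        -ExternalCertificateThumbprint $CertThumbprint `
        -ExternalPreauthentication PassThrough `
        -EnableHTTPRedirect:$true                      # 2016: plain http://portal.gopas.cz is redirected to https
    return Get-WebApplicationProxyApplication -Name $Name
}

function Enable-AdfsExtranetLockout {
    # Bad passwords arriving via WAP stop being forwarded to AD after $Threshold attempts
    # inside the observation window, so an external guessing run cannot lock the AD account.
    param([int] $Threshold = 5, [int] $ObservationMinutes = 30)
    Set-AdfsProperties -EnableExtranetLockout $true `
                       -ExtranetLockoutThreshold $Threshold `
                       -ExtranetObservationWindow (New-TimeSpan -Minutes $ObservationMinutes)
    return Get-AdfsProperties | Select-Object EnableExtranetLockout, ExtranetLockoutThreshold, ExtranetObservationWindow
}

# Publish-PortalThroughWap -CertThumbprint '<thumbprint of the portal.gopas.cz certificate>'
# Enable-AdfsExtranetLockout -Threshold 5 -ObservationMinutes 30
```

Keep the extranet threshold below the AD account lockout threshold; otherwise the slide's "Extranet lockout" benefit is lost, because AD locks the account before ADFS stops forwarding attempts.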
ADFS improvements
What is new in ADFS 2016
§ Certification authority
§ Administrative delegation
§ Access rule wizards
§ Azure MFA built-in
– on-premises to cloud | cloud to on-premises
Recap
§ Virtual Smart Cards and TPM attestation
§ Credential Guard (Device Guard)
§ Shielded VMs
§ Microsoft Passport authentication with AD DS
§ BitLocker with XTS-AES
§ Windows Defender on servers by default
§ Temporary AD group membership and PAM
§ 2003 DFL/FFL deprecated
§ WAP reverse HTTPS publishing
§ ADFS improvements
Thank you for your attention!
GOC 173 - Enterprise PKI
GOC 175 - Windows Security Internals
GOC 171 - Active Directory Internals
Follow current and follow-up courses at www.gopas.cz
A GIFT FOR YOU! Fill in the evaluation questionnaire and… …get a TechEd-DevCon 2016 T-shirt!
CONTEST! TechEd party! Xbowling Strašnice, 18. 5. 2016
Be The Best IT Pro or The Best Developer