
Microsoft Virtual Academy

Security and Authentication

Security

Emerging security threats

Rising number of organizations suffering from breaches: increasing incidents, bigger motivations, bigger risk

Headlines:
"Cyberattacks on the rise against US corporations" (New York Times, 2014)
"How hackers allegedly stole unlimited amounts of cash from banks in just a few hours" (Ars Technica, 2014)
"Espionage malware infects rafts of governments, industries around the world" (Ars Technica, 2014)
"The biggest cyberthreat to companies could come from the inside" (Cnet, 2015)
"Cybercrime costs US economy up to $140 billion annually, report says" (Los Angeles Times, 2014)
"Malware burrows deep into computer BIOS to escape AV" (The Register, September 2014)
"Forget carjacking, soon it will be carhacking" (The Sydney Morning Herald, 2014)

Built-in security

Shielded Virtual Machines
Credential Guard
Host Guardian Service
Just in Time Administration
Secure Boot for Windows & Linux
Just Enough Administration
Nano Server Hyper-V Host
Control Flow Guard
Virtualization-based Security (VBS)
Code Integrity
Hyper-V Containers
Enhanced Threat Detection
Containers in Shielded VMs
Windows Defender

Protection to credentials

Credential Guard
Prevents Pass the Hash and Pass the Ticket attacks by protecting stored credentials through Virtualization-based Security

Just Enough and Just in Time Administration

Just Enough Administration
Limits administrative privileges to the bare-minimum required set of actions (limited in space)

Just in Time Administration
Provides privileged access through a

[Diagram: capability versus time. A typical administrator is compared with Domain Admin; users Ben, John and Mary receive only the capability and the time needed.]
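The following is an added example, not a script from this Microsoft Virtual Academy deck: it builds a Just Enough Administration endpoint that exposes one restart action to a helpdesk group (limited in space) and grants that group membership with an expiry (limited in time). The module path, the FABRIKAM\Helpdesk group, the Spooler service and the user name are placeholders; the time-limited membership assumes an Active Directory forest at the Windows Server 2016 functional level with the Privileged Access Management optional feature enabled.

```powershell
# Added example (not from the deck). Placeholders: module name/path, group, user, service.

$moduleName = 'HelpdeskJea'
$modulePath = Join-Path $env:ProgramFiles "WindowsPowerShell\Modules\$moduleName"
$rcPath     = Join-Path $modulePath 'RoleCapabilities'
New-Item -Path $rcPath -ItemType Directory -Force | Out-Null
New-ModuleManifest -Path (Join-Path $modulePath "$moduleName.psd1")

# Role capability ("limited in space"): only these commands are visible, and
# Restart-Service will accept nothing but the Spooler service name.
$visible = @(
    'Get-Service',
    @{ Name = 'Restart-Service'; Parameters = @{ Name = 'Name'; ValidateSet = 'Spooler' } }
)
New-PSRoleCapabilityFile -Path (Join-Path $rcPath 'SpoolerOperator.psrc') -VisibleCmdlets $visible

# Session configuration: restricted (no full language mode), runs as a transient
# virtual account so no standing admin credential is exposed, and every session
# is transcribed for audit.
$psscPath = Join-Path $env:TEMP 'HelpdeskJea.pssc'
New-PSSessionConfigurationFile -Path $psscPath `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory 'C:\JeaTranscripts' `
    -RoleDefinitions @{ 'FABRIKAM\Helpdesk' = @{ RoleCapabilities = 'SpoolerOperator' } }

if (-not (Test-PSSessionConfigurationFile -Path $psscPath)) {
    throw "Session configuration file $psscPath is not valid"
}
Register-PSSessionConfiguration -Name 'HelpdeskJea' -Path $psscPath -Force

# Just in Time ("limited in time"): membership expires after one hour instead of
# being permanent. Requires the AD Privileged Access Management optional feature.
Add-ADGroupMember -Identity 'Helpdesk' -Members 'ben' -MemberTimeToLive (New-TimeSpan -Hours 1)

# A helpdesk member then connects to the constrained endpoint, not a full admin shell:
#   Enter-PSSession -ComputerName srv01 -ConfigurationName HelpdeskJea
```

Inside the endpoint, `Get-Command` shows only the whitelisted cmdlets, and the transcript directory records every command each virtual-account session ran, which is the evidence an auditor asks for when reviewing who did what with delegated rights.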

Protection to the OS in any cloud

Code Integrity
Ensure that only permitted binaries can be executed from the moment the OS is booted

Windows Defender
Actively protects from known malware without impacting workloads

Control Flow Guard
Protects against unknown vulnerabilities by blocking common attack vectors
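As an added example (not part of the deck), the script below shows the Code Integrity workflow the slide summarises: build a policy from a known-good reference server, deploy it in audit mode, and then read back from the platform which protections are actually running. The policy paths are assumptions; the rule-option numbers and the Win32_DeviceGuard property values are the documented ones.

```powershell
# Added example (not from the deck). Run elevated on a clean reference host. Paths are placeholders.

$policyXml = 'C:\CIPolicy\Baseline.xml'
$policyBin = 'C:\CIPolicy\SIPolicy.p7b'
New-Item -ItemType Directory -Path (Split-Path $policyXml) -Force | Out-Null

# Step 1: scan installed binaries and allow them by publisher certificate, falling
# back to a file hash for unsigned files. -UserPEs also covers user-mode code.
New-CIPolicy -Level Publisher -Fallback Hash -FilePath $policyXml -ScanPath 'C:\' -UserPEs

# Step 2: keep audit mode on (rule option 3) so violations are logged rather than
# blocked until the event log shows no legitimate binaries being flagged.
Set-RuleOption -FilePath $policyXml -Option 3
# Option 6 permits an unsigned policy; remove it once the policy is signed for production.
Set-RuleOption -FilePath $policyXml -Option 6

# Step 3: convert to the binary form the boot-time loader reads, then deploy. A reboot is required.
ConvertFrom-CIPolicy -XmlFilePath $policyXml -BinaryFilePath $policyBin
Copy-Item $policyBin -Destination 'C:\Windows\System32\CodeIntegrity\SIPolicy.p7b' -Force

# Step 4 (after reboot): what is really enforced. Win32_DeviceGuard status values:
# 0 = off, 1 = audit, 2 = enforced; SecurityServicesRunning contains 1 for
# Credential Guard and 2 for hypervisor-enforced code integrity.
function Get-CodeIntegrityState {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    [pscustomobject]@{
        VbsStatus              = $dg.VirtualizationBasedSecurityStatus   # 2 = running
        KernelModeCiPolicy     = $dg.CodeIntegrityPolicyEnforcementStatus
        UserModeCiPolicy       = $dg.UsermodeCodeIntegrityPolicyEnforcementStatus
        CredentialGuardRunning = 1 -in $dg.SecurityServicesRunning
        HvciRunning            = 2 -in $dg.SecurityServicesRunning
    }
}
Get-CodeIntegrityState

# Audit-mode findings: event 3076 records a binary that would have been blocked
# in enforced mode. Review these before switching the policy to enforcement.
Get-WinEvent -LogName 'Microsoft-Windows-CodeIntegrity/Operational' -MaxEvents 50 |
    Where-Object Id -eq 3076 |
    Select-Object TimeCreated, Message
```

Only after the 3076 events are down to zero for the expected workload should rule option 3 be deleted (`Set-RuleOption -FilePath $policyXml -Option 3 -Delete`) and the policy redeployed in enforcing mode.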

Protection to virtual machines

Shielded VMs
Use BitLocker to encrypt the disk and state of virtual machines, protecting secrets from compromised admins & malware

Host Guardian Service
Attests to host health, releasing the keys required to boot or migrate a Shielded VM only to healthy hosts

Generation 2 VMs
Supports virtualized equivalents of hardware security

[Diagram: building perimeter, computer room and Hyper-V hosts, showing a physical machine, a virtual machine and a shielded virtual machine, together with the administrators who can reach each: server administrator, storage administrator, network administrator, backup operator, virtualization-host administrator, virtual machine administrator. *Configuration dependent]

A privileged fabric

Spread of virtualization has led to unexpected security implications

1. Fabric/virtualization administrators have the highest privileges, instead of the traditional model where domain administrators are the most trusted IT staff

2. Virtualized domain controllers: "If DCs are virtualized and I'm a Hyper-V administrator, I can shut down the VM, copy the virtual disks for offline attacks, or install malware"

Public cloud: Fabric administrators could potentially have full access to tenant VMs

Shielded Virtual Machines: Strong separation between the fabric administrators and the workload administrators, implemented through encryption and protected secrets

[Diagram: fabric/virtualization administrator, Hyper-V hosts, tenant virtual machines]

So what is a Shielded Virtual Machine?

The data and state of a Shielded VM are protected against inspection, theft, and tampering from both malware and datacenter administrators¹

¹ Fabric admins, storage admins, server admins, network admins

Step 1: How things look today

[Diagram: building perimeter and computer room, with .VHDX files on Hyper-V hosts]

Who has access                      Physical machines   Virtual machines
Server administrator                Yes                 Yes
Storage administrator               No                  Yes
Network administrator               No                  Yes
Backup operator                     No                  Yes
Virtualization-host administrator   No                  Yes

Step 1: Encrypt VM state and data

[Diagram: the same perimeter and computer room, with the .VHDX files and VM state now encrypted on the Hyper-V hosts]

Who has access                      Physical machines   Virtual machines (today)   Virtual machines (encrypted)
Server administrator                Yes                 Yes                        Configuration dependent
Storage administrator               No                  Yes                        No
Network administrator               No                  Yes                        No
Backup operator                     No                  Yes                        No
Virtualization-host administrator   No                  Yes                        No

Step 2: Decryption keys controlled by external system

[Diagram: a cloud datacenter with a fabric controller and Hyper-V hosts (host 1, host 2), each running a host OS and hypervisor with several guest VMs, some of them shielded VMs. Key protection is provided by the Host Guardian Service, outside the hosts.]

Hyper-V host: "Please may I have some more keys?"
Host Guardian Service: "Sure, sir, I know you and you look healthy."

When you turn on a shielded VM

Shielded VM
- Virtual TPM enables the use of disk encryption within a VM (e.g., BitLocker)
- VM configuration files and VM state are encrypted
- All live migration traffic is also encrypted without having to implement IPsec
- The host crash dumps are encrypted
- VM crash dumps are turned off by default, and they'll also be encrypted if you enable them

Fabric administrators have no access to VMs
- Can't attach debuggers while they're running (the hardened VM worker processes that run each VM don't allow it)
- Can't access the content of BitLocker-protected VHDX files
- Can't console connect to a VM

Hyper-V host
- VMs can only run on known and healthy (safe) hosts via the Host Guardian Service
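The following added example (not a script from the deck) turns an existing Generation 2 VM into a shielded VM on a lab host that has no Host Guardian Service, using a locally generated owner guardian, and then reads back the three security properties behind the bullets above. The VM name and guardian name are placeholders, and the lab-only shortcuts are marked; in production the key protector also carries the fabric's HGS guardian so that only attested hosts can obtain the key.

```powershell
# Added example (not from the deck). Placeholders: VM name, guardian name. Lab-only settings are marked.

$vmName = 'Tenant-DC01'   # must be a Generation 2 VM, powered off

# Owner guardian: certificates that represent the tenant who owns the VM.
$owner = Get-HgsGuardian -Name 'TenantOwner' -ErrorAction SilentlyContinue
if (-not $owner) { $owner = New-HgsGuardian -Name 'TenantOwner' -GenerateCertificates }

# Key protector: who may release the vTPM key. -AllowUntrustedRoot is LAB ONLY;
# in production add -Guardian with the HGS guardian metadata from the fabric.
$kp = New-HgsKeyProtector -Owner $owner -AllowUntrustedRoot

Stop-VM -Name $vmName -Force -ErrorAction SilentlyContinue
Set-VMKeyProtector -VMName $vmName -KeyProtector $kp.RawData
Enable-VMTPM -VMName $vmName                           # vTPM, so BitLocker can run in the guest
Set-VMSecurityPolicy -VMName $vmName -Shielded $true   # encrypt state/migration, block console and debugger

# Verify that all three protections the slide lists are in place.
function Test-ShieldedVm([string]$Name) {
    $sec = Get-VMSecurity -VMName $Name
    [pscustomobject]@{
        VMName                     = $Name
        TpmEnabled                 = $sec.TpmEnabled
        StateAndMigrationEncrypted = $sec.EncryptStateAndVmMigrationTraffic
        Shielded                   = $sec.Shielded
        FullyShielded              = $sec.TpmEnabled -and
                                     $sec.EncryptStateAndVmMigrationTraffic -and
                                     $sec.Shielded
    }
}
Test-ShieldedVm -Name $vmName
```

After this, `vmconnect` to the VM is refused and the VHDX is only readable once BitLocker has been enabled inside the guest against the vTPM; the `FullyShielded` flag is a convenient thing to alert on in fleet inventory scripts, since a VM that reports `Shielded = True` but `TpmEnabled = False` has an incomplete configuration.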

Architectures

Hosting service provider infrastructure (Relecloud.com)

Host Guardian Service (Relecloud.com)
- Windows Server Technical Preview with the Host Guardian Service role: attestation server and key protection server
- HSM
- Physical or virtual server

Hoster Active Directory (Relecloud.com), which trusts the tenant domain Fabrikam.com

Virtual Machine Manager Technical Preview

Hyper-V hosts for shielded VMs and mixed Hyper-V hosts: TPM v2 + UEFI 2.3.1

Shielded VMs
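As an added example (not from the deck), the script below configures a Hyper-V host in the hoster's fabric to use the Relecloud.com Host Guardian Service from the architecture above, and checks that the host actually passes attestation before it is relied on to run shielded VMs. The HGS service name and URLs are assumptions modelled on that slide; the cmdlets and the `AttestationStatus` values are the ones the HgsClient module exposes.

```powershell
# Added example (not from the deck). Placeholder: the HGS service FQDN.

$hgsService = 'hgs.relecloud.com'

# Point the host at the attestation and key protection endpoints of the HGS.
Set-HgsClientConfiguration `
    -AttestationServerUrl   "http://$hgsService/Attestation" `
    -KeyProtectionServerUrl "http://$hgsService/KeyProtection"

# Attestation status as seen from the host. A host that is not 'Passed' is never
# handed keys, so shielded VMs cannot boot on it or be migrated to it.
function Get-GuardedHostStatus {
    $cfg = Get-HgsClientConfiguration
    [pscustomobject]@{
        Mode              = $cfg.Mode                  # HostGuardianService or Local
        IsHostGuarded     = $cfg.IsHostGuarded
        AttestationStatus = $cfg.AttestationStatus     # Passed, Expired, InsecureHostConfiguration, ...
        AttestationServer = $cfg.AttestationServerUrl
        KeyProtection     = $cfg.KeyProtectionServerUrl
    }
}
$status = Get-GuardedHostStatus
$status

# On failure, the trace tool names the health measurement that did not match
# (TPM/UEFI, Secure Boot, code integrity policy, hypervisor state).
if ($status.AttestationStatus -ne 'Passed') {
    Get-HgsTrace -RunDiagnostics -Detailed
}
```

Run the status function on a schedule and alert when `IsHostGuarded` flips to `False` or `AttestationStatus` leaves `Passed`: that is the signal that a host's measured configuration drifted (for example a changed Code Integrity policy) and the HGS has stopped releasing keys to it.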

Demo: Shielded Virtual Machines

Remote Desktop Services

INNOVATIONS IN WINDOWS SERVER 2016

© 2016 Microsoft Corporation. All rights reserved. This document is for informational purposes only. Microsoft makes no warranties, express or implied, with respect to the information presented here.

[Word cloud: Server-based computing (SBC), Hosted desktop, Remote desktop, Virtual workspace, Digital workspace, Virtual desktop, Cloud computing, Desktop-as-a-service, User virtualization, VDI, Remote Desktop Services, Desktop virtualization, Virtual work environment]

The platform for your virtual workspace strategy

Build your solution on a trusted foundation: Users, Apps, Devices, Data

Remote Desktop Services and the Microsoft Remote Desktop Protocol

Enable users, Manage access, Protect assets

Session-based desktops, Remote applications, Personal and pooled virtual desktops on-premises

Remote Desktop Services

The platform for your virtual workspace strategy

Windows apps anywhere
Enable users to access Windows applications and data from any device and any location

Deployment flexibility
On-premises, cloud-based, or hosted deployments

Cost reduction
Consolidate your infrastructure to improve efficiency

Secure extensible platform
Protect against loss and leaks of sensitive corporate data
Build customized solutions

Solutions to meet your requirements

On-premises

Session-based computing
Session-based desktops and RemoteApp
Cost-effective, easy to manage

Virtual Desktop Infrastructure
Access to pooled or personal virtual desktops running Windows Client OS
High performance, app compatibility

In cloud

Session-based computing in the cloud
Remote Desktop Session Host deployed on cloud infrastructure services
Customizable with minimum capital expenditure

Application delivery from the cloud
Windows Server session-based applications delivered from the Azure cloud
Turnkey solution; scale without large capital expenditure

RDS innovations in Windows Server 2016

Increased performance: Graphics improvements

Enhanced scale: Connection broker, shared SQL connections

Optimized for cloud: Efficient and secure architecture

INCREASED PERFORMANCE

Hyper-V graphics virtualization evolution

Windows Server 2008 R2: RemoteFX vGPU
- Hyper-V integration
- DX 9 support

Windows Server 2012: RemoteFX vGPU
- DX 11.0
- VM connect with vGPU
- Higher video memory

Windows Server 2012 R2: RemoteFX vGPU
- DX 11.1 support
- GPU management
- Up to 2560 x 1600 resolution
- Scale improvements

Windows Server 2016: RemoteFX vGPU
- OpenGL 4.4 & OpenCL 1.1
- 1GB dedicated VRAM
- Up to 4k resolution
- Server VM support
- Improved performance

Windows Server 2016: DDA
- Full API support*
- Native GPU driver support

*Verify card support for this configuration with GPU vendor

ENHANCED SCALE

High-availability connection broker
- Use existing SQL Server cluster or Azure SQL DB
- Improved connection handling performance: 10K+ concurrent connection requests supported in log-on storm situations
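An added example (not a script from the deck) of the configuration the bullet describes: moving the RD Connection Broker onto a shared database hosted on an existing SQL Server or Azure SQL Database so that a second broker can be added, then reading back the high-availability state. Server names, the client access DNS name and the connection string are placeholders; the SQL login secret is taken from an environment variable rather than written into the script.

```powershell
# Added example (not from the deck). Placeholders: broker FQDNs, DNS name, SQL server, credentials.

$broker    = 'rdcb01.fabrikam.com'                      # first (existing) connection broker
$clientDns = 'rds.fabrikam.com'                         # round-robin DNS name clients connect to
$sqlServer = 'tcp:rds-sql.database.windows.net,1433'    # Azure SQL Database logical server
$dbName    = 'RDSConnectionBroker'

# ODBC-style connection string used by the broker service. The password comes
# from the environment (populated from a vault at deployment time), never a literal.
$connString = "DRIVER=SQL Server Native Client 11.0;SERVER=$sqlServer;" +
              "DATABASE=$dbName;UID=rdcb;PWD=$env:RDCB_SQL_PASSWORD;" +
              "APP=Remote Desktop Services Connection Broker"

if (-not $env:RDCB_SQL_PASSWORD) { throw 'RDCB_SQL_PASSWORD is not set' }

# Switch the deployment to a shared database; the broker creates the schema on first use.
Set-RDConnectionBrokerHighAvailability -ConnectionBroker $broker `
    -DatabaseConnectionString $connString -ClientAccessName $clientDns

# A second broker can now join and use the same database:
#   Add-RDServer -Server 'rdcb02.fabrikam.com' -Role RDS-CONNECTION-BROKER -ConnectionBroker $broker

function Get-BrokerHaState([string]$ConnectionBroker) {
    $ha = Get-RDConnectionBrokerHighAvailability -ConnectionBroker $ConnectionBroker
    [pscustomobject]@{
        HighlyAvailable  = [bool]$ha
        ActiveBroker     = $ha.ActiveManagementServer
        ClientAccessName = $ha.ClientAccessName
    }
}
Get-BrokerHaState -ConnectionBroker $broker
```

Point the client access name at every broker's address in DNS, and give the brokers' computer accounts (or the SQL login used here) only the rights on that one database; the shared database is the single state store for all sessions, so its login is the credential to protect in this design.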

OPTIMIZED FOR CLOUD

Optimized server VM architecture for the cloud
- RDS 2012 R2 infrastructure: 7 role services, 8 VMs
- RDS 2016+: 4 role services, 2 VMs

Roles that can be deployed into one VM:
- RD Gateway
- RD Connection Broker
- RD Licensing
- RD Web Access

OPTIMIZED FOR CLOUD

Other improvements
- Support for gen 2 VMs
- Personal session desktops
- Windows MultiPoint Services is now a role

End user experience changes
- Pen remoting support
- Windows client desktop UX improvements
- New zoom functionality in MSTSC