AWS Webcast - Securing the Microsoft Windows Platform on Amazon Web Services

In this webcast, we will provide guidance and examples on how to best secure your Microsoft Windows Server-based applications on the AWS Cloud. We will discuss common principles for protecting the runtime environment of your Microsoft Windows Server applications, with a focus on risk assessment, reducing attack surface, and adhering to the principle of “least privilege” to protect your data. We will also cover design best practices and the controls and capabilities available within the AWS platform that can help protect the confidentiality, integrity, and availability of your application infrastructure and data.

Presented by Ryan Holland, Ecosystem Solutions Architect for Amazon Web Services, where he focuses on enabling security partners on the AWS Cloud. Prior to joining AWS, Ryan worked at Trend Micro, where he managed technical business development for Cloud and Data Center Security, and before that held several roles in data security and encryption technologies.


Transcript

  • 1. Securing the Microsoft Windows Platform on Amazon Web Services
    Ryan Holland, Ecosystem Solutions Architect
    © 2011 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified or distributed in whole or in part without the express consent of Amazon.com, Inc.
  • 2. Shared Responsibility Model For Infrastructure Services
  • 3. Shared Responsibility Model For Infrastructure Services
    AWS:
    • Facilities
    • Physical Security
    • Physical Infrastructure
    • Network Infrastructure
    • Virtualization Infrastructure
    Customer:
    • Operating System
    • Application
    • Security Groups
    • Network ACLs
    • Network Configuration
    • Account Management
  • 4. Risk Assessment
    It's important to understand how your application works.
    • What are the network ingress/egress points?
    • What parts of the application need to communicate with the other tiers?
    Who needs administrative access, and from where?
    • Consider both application access and infrastructure access.
    Perform data classification.
    • Define storage and access policies based on classification.
  • 5. Amazon Virtual Private Cloud (VPC)
    • Create a logically isolated environment in Amazon's highly scalable infrastructure.
    • Specify your private IP address range and divide it into one or more public or private subnets.
    • Control inbound and outbound access to and from individual subnets using stateless Network Access Control Lists.
    • Protect your instances with stateful filters for inbound and outbound traffic using Security Groups.
    • Attach an Elastic IP address to any instance in your VPC so it can be reached directly from the Internet.
    • Bridge your VPC and your onsite IT infrastructure with an industry standard encrypted VPN connection and/or AWS Direct Connect.
  • 6. Amazon Virtual Private Cloud (VPC)
    Choose the connectivity option that best fits your application:
    • Internet facing applications
    • VPN connection to on-premise datacenter
    • Direct Connect
    • Software VPN
    Leverage subnets and Network ACLs.
    • Design your network similar to on-premise deployments.
    Properly configure security groups.
    Leverage Active Directory within your VPC.
  • 7. VPC Subnets
    • Group instances by function.
    • Create isolation through use of Network ACLs.
    • Control routing for each subnet.
  • 8. Security Groups
    • Mandatory instance firewall.
    • In VPC, security groups are stateful and allow for both ingress and egress filtering.
    • Enforcement takes place below the hypervisor.
    • Security groups can be used as a source in rules.
    • Ensure the proper ports are open for Windows Active Directory.
  • 9. Security Groups Provide Instance Isolation
    (Diagram: the virtual interfaces of Customer 1, Customer 2 … Customer n on the hypervisor each pass through that customer's own Security Groups in the firewall before reaching the physical interfaces.)
  • 10. Remote Desktop Best Practices
    • The RDP port (TCP/3389) should never be open to the internet.
    • Within a VPC, use an RDP Gateway.
      • Instances should only accept RDP connections from the RDP Gateway.
      • The RDP Gateway should only accept connections from known IPs.
    • Use software VPN solutions for deployments without VPC VPN connections or where source IPs will be dynamic.
    • A walkthrough of implementing an RDP Gateway in VPC can be found on the AWS Security Blog: http://tinyurl.com/AWSRDPGW
  • 11. Example RDP Gateway Setup
    • The RD Gateway only accepts traffic from the specified internal network.
    • All other instances only accept RDP traffic from the RD Gateway, which prevents bypass attacks.
    • Use resource authorization policies (RAP) to control access to specific instances.
  • 12. RDP Gateway With High Availability
    • Deploy RDP Gateways into multiple Availability Zones.
    • Note that the security group names are the same in each AZ.
    • Use the RDP Gateway in the same AZ to reduce inter-AZ charges and latency.
  • 13. Obtaining Updates
    Applying updates to your OS and applications is a critical part of the customer's responsibility.
    Within VPC there are several methods of obtaining updates:
    • Directly from Microsoft via the Internet Gateway
    • Directly from Microsoft via Direct Connect or VPN
    • WSUS server on premise
    • WSUS server in VPC
    Periodically update your base AMIs to minimize the number of updates new instances will require.
  • 14. Using WSUS In VPC
    • Deploy a WSUS server in each AZ.
    • Use a NAT instance for internet access, or a VPN link to on-premise infrastructure.
    • Use SSL for update traffic (TCP/8531).
  • 15. Using Active Directory
    • You must use a VPN and VPC to connect your VPC to your on-premise infrastructure.
    • It is recommended that you replicate AD into the VPC rather than connect back.
    • It is recommended that AD servers be in each AZ in which you have resources deployed.
    • AD servers should have their own Security Group with the necessary rules to accept traffic from other instances.
    • Leverage Reserved Instances for your Active Directory instances.
  • 16. Active Directory Example
    • For added security you can deploy Read Only Domain Controllers (RODC) in Windows 2008 and later.
    • Change the VPC DHCP options to use your AD servers for DNS.
  • 17. Identity And Access Management (IAM)
    • Enables a customer to create multiple users and manage the permissions for each of these users.
      • Use resource level permissions to give users the least privilege required for API actions.
    • Secure by default: new users have no access to AWS until permissions are explicitly granted.
    • It is recommended that all administration be done with IAM user credentials.
      • Applications that access our API should use IAM Roles for EC2 Instances.
    • IAM is for access to the AWS console and APIs, not for applications or the operating system.
    • Identities can be federated with Active Directory.
      • New IAM SAML support allows ADFS to be a SAML identity provider.
  • 18. Multi-Factor Authentication (MFA)
    Extra level of security.
    Works with:
    • AWS root account
    • IAM users
    Multiple form factors:
    • Virtual MFA on your phone
    • Hardware MFA key fobs
    No additional cost!
    • Except for the hardware option
  • 19. Password Policy Management
    • Admins define password policies.
    • Users are then forced to comply with the policies at next login.
  • 20. Perimeter Threat Protection
    • Place the threat protection product between the ELBs and the web servers.
    • Check the AWS Marketplace for WAF and perimeter networking products.
    (Diagram: an AWS Region with two Availability Zones; in each, users enter through the Internet Gateway into a public subnet, then a private Threat Tier subnet, then a private Web Tier subnet. Availability Zone 1 uses 10.0.9.0/24 (public), 10.0.4.0/24 and 10.0.3.0/24 (private); Availability Zone 2 uses 10.0.10.0/24 (public), 10.0.8.0/24 and 10.0.7.0/24 (private).)
  • 21. Anti-Virus and Vulnerability Testing
    • It is recommended that you run up-to-date anti-virus software.
      • Our partner ecosystem has several vendors which have optimized their AV software for AWS.
      • You can find many of these in the AWS Marketplace: http://aws.amazon.com/marketplace
    • Use AMIs to quickly replace instances that you suspect are infected.
      • Suspect instances can be isolated so that an investigation can take place while new uninfected instances are created.
    • Vulnerability testing is a good security practice but must be done in accordance with the EC2 terms of service.
      • http://aws.amazon.com/security/penetration-testing/
    • Customers with Business or higher support plans can use AWS Trusted Advisor.
      • http://aws.amazon.com/premiumsupport/trustedadvisor/
  • 22. Additional Information
    AWS Security Center: http://aws.amazon.com/security
    AWS Whitepapers: http://aws.amazon.com/whitepapers
    • AWS Overview of Security Processes
    • AWS Risk and Compliance Whitepaper
    • AWS Security Best Practices
    • Secure Microsoft Applications on AWS
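Slides 5 and 7 contrast stateless Network ACLs with stateful Security Groups. The following added example (not from the webcast or AWS) models NACL evaluation in Python: rules are checked in ascending rule number, the first match wins, and anything unmatched is denied, so an inbound allow for RDP only yields a working session if the outbound list also allows the reply to the client's ephemeral port. Rule numbers and CIDRs are constructed.

```python
import ipaddress

# Constructed NACL rules (illustrative values, not from the webcast). AWS evaluates
# them in ascending rule number, the first match wins, and the implicit final
# rule ("*") denies anything unmatched. "cidr" is the peer: the source for
# inbound rules, the destination for outbound rules.
INBOUND = [
    {"rule": 100, "proto": "tcp", "ports": (3389, 3389), "cidr": "10.0.9.0/24", "action": "allow"},
    {"rule": 110, "proto": "tcp", "ports": (3389, 3389), "cidr": "0.0.0.0/0", "action": "deny"},
]
OUTBOUND_BROKEN = []  # no return path: replies to the client's ephemeral port are dropped
OUTBOUND_FIXED = [
    {"rule": 100, "proto": "tcp", "ports": (1024, 65535), "cidr": "10.0.9.0/24", "action": "allow"},
]


def nacl_decision(rules, proto, port, peer_ip):
    """Decide one packet the way a Network ACL does: the lowest-numbered rule whose
    protocol, port range and CIDR all match wins; no match means deny."""
    ip = ipaddress.ip_address(peer_ip)
    for rule in sorted(rules, key=lambda r: r["rule"]):
        low, high = rule["ports"]
        if (rule["proto"] == proto and low <= port <= high
                and ip in ipaddress.ip_network(rule["cidr"])):
            return rule["action"]
    return "deny"


def rdp_session_allowed(inbound, outbound, client_ip, client_port=50000):
    """A stateless NACL sees the two directions of one TCP session as unrelated
    packets: the client's request to 3389 and the server's reply back to the
    client's ephemeral port must each hit an allow rule. (A stateful Security
    Group would need only the inbound rule.)"""
    request = nacl_decision(inbound, "tcp", 3389, client_ip)
    reply = nacl_decision(outbound, "tcp", client_port, client_ip)
    return request == "allow" and reply == "allow"
```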
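Slides 8, 10 and 11 describe the RDP Gateway pattern: TCP/3389 never open to the internet, instances accepting RDP only from the gateway's security group, and the gateway accepting connections only from known ranges. This added audit (example code, not AWS's) checks those three rules over security-group data in the shape returned by boto3's ec2.describe_security_groups(); the group ids, CIDRs and sample groups are constructed placeholders.

```python
import ipaddress

# Constructed sample in the shape of ec2.describe_security_groups()["SecurityGroups"].
# Group ids and CIDRs are placeholders, not values from the webcast.
SAMPLE_GROUPS = [
    {"GroupId": "sg-gateway", "GroupName": "rdgw", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "10.0.9.0/24"}], "Ipv6Ranges": [], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-web", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [], "Ipv6Ranges": [], "UserIdGroupPairs": [{"GroupId": "sg-gateway"}]}]},
    {"GroupId": "sg-legacy", "GroupName": "legacy", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []}]},
]
KNOWN_CIDRS = ["10.0.9.0/24"]  # the management network the gateway may accept from

def _covers_rdp(perm):
    """True if an IpPermissions entry includes TCP/3389 ("-1" means all traffic)."""
    if perm["IpProtocol"] == "-1":
        return True
    return (perm["IpProtocol"] == "tcp"
            and perm.get("FromPort", 0) <= 3389 <= perm.get("ToPort", 65535))

def audit_rdp_exposure(groups, gateway_sg_id, known_cidrs):
    """Check the three RDP rules from the webcast. Returns (GroupId, finding)
    tuples; an empty list means every group is compliant."""
    known = [ipaddress.ip_network(c) for c in known_cidrs]
    findings = []
    for sg in groups:
        gid = sg["GroupId"]
        for perm in sg.get("IpPermissions", []):
            if not _covers_rdp(perm):
                continue
            cidrs = ([r["CidrIp"] for r in perm.get("IpRanges", [])]
                     + [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])])
            for cidr in cidrs:
                net = ipaddress.ip_network(cidr)
                if net.prefixlen == 0:  # 0.0.0.0/0 or ::/0: rule 1, never to the internet
                    findings.append((gid, f"RDP open to the internet via {cidr}"))
                elif gid != gateway_sg_id:  # rule 2: instances take RDP only from the gateway SG
                    findings.append((gid, f"RDP allowed from CIDR {cidr} instead of the gateway SG"))
                elif not any(k.version == net.version and net.subnet_of(k) for k in known):
                    findings.append((gid, f"gateway accepts RDP from unlisted range {cidr}"))  # rule 3
            if gid != gateway_sg_id:
                for pair in perm.get("UserIdGroupPairs", []):
                    if pair["GroupId"] != gateway_sg_id:
                        findings.append((gid, f"RDP allowed from non-gateway SG {pair['GroupId']}"))
    return findings
```

To run it against a live account, pass `ec2.describe_security_groups()["SecurityGroups"]` in place of the constructed sample.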