• Share
  • Email
  • Embed
  • Like
  • Save
  • Private Content
Hypervisor and VDI security

Hypervisor and VDI security






Total Views
Views on SlideShare
Embed Views



1 Embed 1

http://www.linkedin.com 1



Upload Details

Uploaded via as Microsoft PowerPoint

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
Post Comment
Edit your comment

    Hypervisor and VDI security Hypervisor and VDI security Presentation Transcript

    • WelcomeBriForum | © TechTarget
    • Do You Think Your CitrixEnvironment is Secure Enough?Ready or Not, Here I Come!Denis GundarevConsultantEntisys SolutionsBriForum | © TechTarget
    • About presenterC:>whoami /allUSER INFORMATION----------------User Name Twitter Name E-Mail============== ============ ==================ENTISYSdenisg @fdwl DenisG@entisys.comGROUP INFORMATION-----------------Group Name Type SID============================== ================ =================Citrix Technology Professional Well-known group S-1-5-32-544Citrix Certified Instructor Well-known group S-1-5-32-545Microsoft Certified Trainer Well-known group S-1-5-32-546BriForum | © TechTarget 3
    • Disclaimer● Information in this presentation is intended for educational purposes only. Some topics in this presentation may contain the information related to “Hacking Passwords” or “Elevating permissions” (Or Similar terms). Some topics will provide information about the legal ways of retrieving the passwords. You shall not misuse the information to gain unauthorized access. However you may try out these hacks on your own computer at your own risk.● Some of the stuff that you will learn is dangerous, playing with this knowledge on your production environment can make you very unhappyBriForum | © TechTarget 4
    • Agenda● Physical server security● Trusted Platform Module● Hypervisor hardening● VDI security - Microsoft installer - Password security - SQL security #BriForumBriForum | © TechTarget 5
    • ● All links from this presentation are available here: - http://bit.ly/SecureITBriForum | © TechTarget http://bit.ly/SecureIT | @fdwl 6
    • Physical Security• Why you need to secure servers? • Server can be stolen • Server can be duplicated • Seamlessly replace disk in the storage array and stole the data • Attacker can boot from CD/USB and reset the admin password• Do you need to secure your hypervisors? • Sure, hypervisor is a key to your infrastructureBriForum | © TechTarget 7
    • Get Access to the Windows Box - DemoBriForum | © TechTarget 8
    • Breaking into hypervisor● XenServer - http://bit.ly/XenServerPassword● VMware ESX - http://bit.ly/ResetESXPassword, same procedure as for XenServer● VMware ESXi – password reset not supported, but possible http://bit.ly/ResetESXiPasswordBriForum | © TechTarget 9
    • Securing Server boot● Disable boot from CD/USB/PXE - If using UEFI – change the boot order using UEFI manager - Be careful, some UEFI firmware adds removable devices as a boot option by default● Disable removable drives after installation● Set BIOS admin password - Does not prevent boot, but prevent changing the boot order● Disable intelligent provisioning available on HP G8 serversBriForum | © TechTarget 10
    • Out-of-band management (lights-outmanagement)● Implement AD integration for HP iLO, Dell iDRAC or IBM RSA (can be done with or without schema extension)● Disable default local administrator and/or change default password - root/calvin for Dell - Printed on the server label for HP - USERID/PASSW0RD for IBM● Configure SNMP and/or syslog to monitor who are using LOM● Grant permissions carefullyBriForum | © TechTarget 11
    • Out-of-band management (lights-outmanagement)● Use a separate management network● Use trusted certificates● Disable telnet (HP G8 doesn’t have it!, disabled by default on Dell/IBM)● Disable SSH if you not use it● Change SNMP community stringsBriForum | © TechTarget 12
    • Out-of-band management (lights-outmanagement)● Regularly read security guides: - Dell - http://bit.ly/DRACSecurity - HP - http://bit.ly/ILOSecurity - IBM doesn’t have one, just manual  http://bit.ly/IBMRSAGuide● Regularly update firmware● Review audit logs and configure alertsBriForum | © TechTarget 13
    • Trusted Platform Module● Smartcard-like hardware module on the motherboard - Protects secrets - Performs cryptographic functions - Can create, store and manage keys - Performs digital signature operations - Holds Platform Measurements (hashes)● Can be used to check platform integrity● Can be used to store disk encryption keysBriForum | © TechTarget 14
    • Trusted Platform Module● Disabled by default● Resets automatically during the BIOS reset by switches● Owned by OS● Change of ownership not possible without reset● Secure boot order in BIOS+TPM-aware OS+BIOS setup password makes hacker’s life harderBriForum | © TechTarget 15
    • TPMimplementationscenariosBriForum | © TechTarget 16
    • Windows (Hyper-V)● Windows server 2008 and above is a TPM-aware OS● BitLocker Full-Disk Encryption protecting the OS and data● BitLocker protects from the offline password reset (pogostik/opengate/WinRE)● BitLocker protects OS data from offline analysis (stolen or duplicated drives)BriForum | © TechTarget 17
    • BitLocker™ Drive Encryption ArchitectureStatic Root of Trust Measurement of boot components PreOS Static OS All Boot Blobs Volume Blob of Target OS unlocked unlocked TPM Init BIOS MBR BootSector BootBlock BootManager Start OS Loader OS Source: Microsoft
    • Windows disk encryption● BitLocker can be managed with GPO● Data can be recovered if needed● BitLocker can store recovery passwords in AD (schema extension is required) - Domain admins and computer itself can read recovery passwords – permissions can be changed: http://bit.ly/BitLockerAD● Whitepaper is available on Microsoft.com http://bit.ly/HyperVBitLocker● Hyper-V Clusters supported, Hotfix needed: http://support.microsoft.com/kb/2446607● In-Guest VM encryption not supported● Windows Server 2012 support BitLocker-encrypted CSV http://bit.ly/BitLockerCSV2012● HP HOWTO: http://bit.ly/HPBitLockerBriForum | © TechTarget 19
    • XenServer & TPM● No official support● Basic vTPM is in the product, but not documented yet and still not secured with physical TPM● But XenServer is just a Linux! ● TrustedGRUB, GRUB-IMA and Open Secure LOader (OSLO) are available to secure boot process● Disk encryption with dm-crypt with TPM is possible, but complicated. - Details in IBM Blueprint http://bit.ly/IBMTrustedGRUBBriForum | © TechTarget 20
    • Linux Trusted Boot Stages Operating System DB BIOS Bootloader JVM GRUB Stage2 MAC Policy ROT GRUB conf SELinux GRUB Stage1 Kernel Stage1.5 CRTM POST (MBR) TPM PCR01-07 PCR04-05 PCR08-14 Trusted Boot Source: Trent Jaeger
    • TrustedGRUB● IBM BluePrint with step-by-step instructions available http://bit.ly/IBMTrustedGRUB● GPT is not supported by TrustedGRUB, MBR is required - Modify /opt/xensource/installer/constants.py during install - step-by-step instructions from Major Hayden (@rackerhacker) on his blog http://bit.ly/XS6GPTDisable● Sirrix AG together with German Federal Office for Information Security (BSI) tested different TPM-enabled Open source solutions, review the document before implementation - http://bit.ly/TSSStudyBriForum | © TechTarget 22
    • XenServer boot hardening1. Disable boot from removable devices2. Set BIOS setup password3. Enable TPM4. Disable single user mode without password - Add the following entry into /etc/inittab file: - ~~:S:wait:/sbin/sulogin5. Install TrustedGRUB6. Enable GRUB password7. Configure additional checks on /etc/passwd, /etc/shadow, /boot/grub.lst and PAM configuration files8. Enable TrustedGRUBBriForum | © TechTarget 23
    • VMware & Support● VMware claims that TPM is supported (http://kb.vmware.com/kb/1033811)● Not configurable● Not documented● No partner solutions that use TPM● Disk encryption for vKernel is not supported (FAT16!!!)BriForum | © TechTarget 24
    • General HypervisorsecurityrecommendationsBriForum | © TechTarget 25
    • Platform-independent recommendations● Don’t store VMs on the local drive, use SAN/NAS instead● Use mutual CHAP authentication for iSCSI● Consider using Boot from SAN with storage-based encryption and Fibre channel Security Protocol (FC-SP) enabled HBAs - short overview - http://bit.ly/FC-SPOverview - Standard http://bit.ly/FC-SPStandard - HBAs available from all major vendors (Emulex, Qlogic, Cisco, Brocade, Hitachi)● Use fixed virtual disk size to avoid unexpected VMs pauseBriForum | © TechTarget 26
    • Platform-independent recommendations● Separate management network● Optionally implement IPSEC on the management network - VMware - http://bit.ly/VMwareIPsec● Change default MAC addresses to avoid use of MAC address DB by attacker: - http://www.coffer.com/mac_find - 00-15-5D – Hyper-V - 00-50-56 – VMWareBriForum | © TechTarget 27
    • Platform-independent recommendations● vCenter/SCVMM should be secured better than your DC● Configure monitoring and auditing● Use Active Directory for authentication● Disable/lock local users and/or configure Password policy● Do not use management console as a RDP replacementBriForum | © TechTarget http://bit.ly/SecureIT | @fdwl 28
    • XenServer hardening● Review XenServer User Security guide http://bit.ly/XSSecurity● Review XenServer Hardening guide (released by Positive Technologies) - http://bit.ly/XSHardening● Configure AD authentication● Disable SSH if you not using it● Install server certificates http://bit.ly/XSCertificates● Disable unencrypted XAPI access● Disable autologon to the console from XenCenter● Avoid using pool-admin privilege, any pool admin can change root password with xe user-password-changeBriForum | © TechTarget 29
    • XenServer hardening● All passwords stored on XenServer are insecure - Use dedicated user for CIFS iso repositories, limit computers where this user can logon, because passwords can be retrieved even by read-only user (xe pbd-list) - Use dedicated users for power management (any pool operator can retrieve them with xe secret-list)● Be careful with RBAC, lot of “security” implemented in XenCenter only, XAPI and xe.exe gives a lot of information even for read-only user● Be careful with XenServer monitoring, if vendor ask more permissions than read-only user – change your vendor● Avoid saving passwords in XenCenter (more information later)BriForum | © TechTarget 30
    • VMware hardening● Check VMware vSphere hardening guide http://bit.ly/vSphereHardening● Install trusted Certificates● vCenter – remove local admins● vCenter – check permissions on vCenter folders, certificates are stored there● Use remote management instead of console installed on vCenter● Change SQL account permissions after installation http://bit.ly/VMwareSQL● Disable SSH if nobody use itBriForum | © TechTarget 31
    • VMware hardening● Be careful with monitoring agents permissions● Use partner solutions for hardening and compliance management: - vGate from Security Code (http://vgate.info/en/) - HyTrust virtual Appliance (http://www.hytrust.com)BriForum | © TechTarget 32
    • Hyper-V/VMM hardening● Use server core installation● Remove local administrators from VMM● Use remote management instead of console installed on SCVMM● Implement BitLocker● Secure “HKLMSOFTWAREMicrosoftVirtual Machine” on guests● Change permissions on VHD store● Read Hyper-V security guide http://bit.ly/HyperVHardening● Download and use Microsoft Security Compliance Manager http://bit.ly/MS-SCMBriForum | © TechTarget 33
    • VDI securityBriForum | © TechTarget 34
    • VDI security best practices● In most cases – same best practices apply to XenDesktop/View/RDS/vWorkspace● Use GPO to manage VDI● Create separate OUs for different desktop groups● Don’t disable firewall, configure rules instead - http://bit.ly/WindowsFirewall● Monitor Logs● Remove Domain Users from Terminal Server Users/Users groups, use dedicated groups, configure them using GPOBriForum | © TechTarget 35
    • VDI security best practices● Use AppLocker/SRP/other application control tools to audit application usage● Don’t forget about scripting environments: - Visual Basic for applications - Browsers - HTML Applications● Even with AppLocker/AppSense/RES there is a ways to execute any application - XLSploit from Remko Weijnen (@RemkoWeijnen) - http://bit.ly/XLSploit - Application control processes can be suspended/killed from task managerBriForum | © TechTarget http://bit.ly/SecureIT | @fdwl 36
    • Windows InstallerBriForum | © TechTarget http://bit.ly/SecureIT | @fdwl 37
    • Windows Installer● Be careful with Windows Installer, ANY user can restart server● Configure MSI logging with GPO, collect MSI logs and analyze them● “AlwaysInstallElevated” is Equivalent to Granting Administrative Rights - http://bit.ly/AlwaysInstallElevated● Enforce *.MSI signing● Always check permissions on a folder with the source MSI filesBriForum | © TechTarget 38
    • Windows installerBriForum | © TechTarget http://bit.ly/SecureIT | @fdwl 39
    • Password security● Almost all passwords that you enter during the setup/configuration are stored somewhere - HKLMSoftware<VendorName> - HKLMSystemCurrentControlSetServices<ServiceName> - %ProgramFiles%<VendorName> - C:ProgramData<VendorName> - %AppData%<VendorName> - *Anywhere*● Some passwords are encrypted, some notBriForum | © TechTarget 40
    • DPAPI● Data Protection API● Introduced with Windows 2000, improved with every new version of Windows● “Secure by Design”● Simple API, CryptProtectData and CryptUnprotectData functions● Recommended as a best practiceBriForum | © TechTarget 41
    • DPAPI● Widely used: - EFS, Internet Explorer, Outlook, IIS, RMS, WiFi passwords, CredManager - Skype, Gtalk, Chrome - XenApp, AppSense, XenCenter, Acronis, vSphere● Can be “Salted”, not everyone use “salt”● Data can be encrypted with user or system keys - Data encrypted with user keys can be decrypted only by user - Data encrypted with system keys can be decrypted by *ANY* userBriForum | © TechTarget 42
    • DPAPI● Tools from Remko Weijnen (@RemkoWeijnen): - IMA Password decoder - http://bit.ly/IMAPassword - RDP Password decoder - http://bit.ly/RDPPassword● Universal password decoder from me Add-Type -AssemblyName System.Security[system.text.encoding]::Unicode.Getstring([System.Security.Cryptography.ProtectedData]::Unprotect([system.convert]::FromBase64String("Base64EncodedString"),[system.text.encoding]::Unicode.GetBytes("MagicWord:)"),LocalMachine)) - Tested with XenCenter, XenApp, AppSense● 01,00,00,00,D0,8C,9D,DF,01,15,D1,11,8C,7A,00,C0BriForum | © TechTarget 43
    • Other ways to “decrypt” passwordsBriForum | © TechTarget http://bit.ly/SecureIT | @fdwl 44
    • Password Security● Datastore access from the user-accessible desktop - In perfect situation there is no direct DB access from the desktop - Even encrypted password should be secured by ACL - Should have read-only permissions● Good examples: - Citrix IMA password – Secured by the ACL in the registry - XenCenter passwords – stored in the user profileBriForum | © TechTarget 45
    • Database security● Most of the software checking permissions on the application level, not on the database level● Direct access to the database can help to elevate permissions within the application● All tools to access the database is already on the desktop: - Microsoft Office - .NET framework - PowerShell - Scripting environmentBriForum | © TechTarget http://bit.ly/SecureIT | @fdwl 46
    • SlimJim for XenApp 6.51. delete indextable FROM KEYTABLE INNER JOIN INDEXTABLE ON KEYTABLE.nodeid = INDEXTABLE.nodeid WHERE (KEYTABLE.parentid = 42)2. go3. delete KEYTABLE from KEYTABLE where parentid=424. go● Where this “42” is coming from? - DSView from supportdebug folder on XenApp CD - Directory->ServerNeighborhoods-><FarmName>->AdminTool->Users cidBriForum | © TechTarget 47
    • SlimJim for XenApp 6.5BriForum | © TechTarget 48
    • Provisioning Services1. INSERT INTO [AuthGroup]2. ([authGroupId]3. ,[authGroupName]4. ,[authGroupGuidName]5. ,[description])6. VALUES (‘UNIQUE00-GUID-4D0D-B834-15EA4A9F41EA7. ,N‘DOMAIN.FQDN.COM/Users/Domain Users8. ,Nde56c6b1-06ef-4ed6-85b8-a130f036d0759. ,)10. GO11. INSERT INTO [AuthGroupFarm]12. ([authGroupId])13. VALUES (UNIQUE00-GUID-4D0D-B834-15EA4A9F41EA)14. GO● de56c6b1-06ef-4ed6-85b8-a130f036d075 – GUID from adsieditBriForum | © TechTarget 49
    • SQL● SQL servers should be secured even they are “not hosting important company data”  - Access to XA datastore=XA Admin rights - Access to Provisioning Server DB=Assigning of custom image - Access to VMM/vCenter DB= IDDQD  - Access to AppSense/RES/VUEM DB=Ability to bypass SRP and execute processes under another user● Use Microsoft Security Compliance Manager http://bit.ly/MS-SCM● Read SQL Security Best Practices from Microsoft - http://bit.ly/SQLSecurityBriForum | © TechTarget http://bit.ly/SecureIT | @fdwl 50
    • Questions?● http://bit.ly/SecureIT● denisg@entisys.com●@fdwlBriForum | © TechTarget http://bit.ly/SecureIT | @fdwl 51