Hypervisor and VDI security


  1. Welcome (BriForum | © TechTarget)
  2. Do You Think Your Citrix Environment is Secure Enough? Ready or Not, Here I Come!
     Denis Gundarev, Consultant, Entisys Solutions
  3. About presenter
     C:\>whoami /all

     USER INFORMATION
     ----------------
     User Name       Twitter Name  E-Mail
     ==============  ============  ==================
     ENTISYS\denisg  @fdwl         DenisG@entisys.com

     GROUP INFORMATION
     -----------------
     Group Name                      Type              SID
     ==============================  ================  =============
     Citrix Technology Professional  Well-known group  S-1-5-32-544
     Citrix Certified Instructor     Well-known group  S-1-5-32-545
     Microsoft Certified Trainer     Well-known group  S-1-5-32-546
  4. Disclaimer
     ● Information in this presentation is intended for educational purposes only. Some topics in this presentation may contain information related to “Hacking Passwords” or “Elevating permissions” (or similar terms). Some topics will provide information about the legal ways of retrieving passwords. You shall not misuse the information to gain unauthorized access. However, you may try out these hacks on your own computer at your own risk.
     ● Some of the stuff that you will learn is dangerous; playing with this knowledge on your production environment can make you very unhappy.
  5. Agenda
     ● Physical server security
     ● Trusted Platform Module
     ● Hypervisor hardening
     ● VDI security
       - Microsoft Installer
       - Password security
       - SQL security
     #BriForum
  6. ● All links from this presentation are available here:
       - http://bit.ly/SecureIT (@fdwl)
  7. Physical Security
     ● Why do you need to secure servers?
       - A server can be stolen
       - A server can be duplicated
       - A disk in the storage array can be seamlessly replaced and the data stolen
       - An attacker can boot from CD/USB and reset the admin password
     ● Do you need to secure your hypervisors?
       - Sure, the hypervisor is the key to your infrastructure
  8. Get Access to the Windows Box - Demo
  9. Breaking into the hypervisor
     ● XenServer - http://bit.ly/XenServerPassword
     ● VMware ESX - http://bit.ly/ResetESXPassword, same procedure as for XenServer
     ● VMware ESXi – password reset not supported, but possible: http://bit.ly/ResetESXiPassword
  10. Securing server boot
      ● Disable boot from CD/USB/PXE
        - If using UEFI, change the boot order using the UEFI manager
        - Be careful: some UEFI firmware adds removable devices as a boot option by default
      ● Disable removable drives after installation
      ● Set a BIOS admin password
        - Does not prevent boot, but prevents changing the boot order
      ● Disable Intelligent Provisioning, available on HP G8 servers
  11. Out-of-band management (lights-out management)
      ● Implement AD integration for HP iLO, Dell iDRAC or IBM RSA (can be done with or without schema extension)
      ● Disable the default local administrator and/or change the default password
        - root/calvin for Dell
        - Printed on the server label for HP
        - USERID/PASSW0RD for IBM
      ● Configure SNMP and/or syslog to monitor who is using LOM
      ● Grant permissions carefully
  12. Out-of-band management (lights-out management)
      ● Use a separate management network
      ● Use trusted certificates
      ● Disable telnet (HP G8 doesn’t have it; disabled by default on Dell/IBM)
      ● Disable SSH if you don’t use it
      ● Change SNMP community strings
  13. Out-of-band management (lights-out management)
      ● Regularly read security guides:
        - Dell - http://bit.ly/DRACSecurity
        - HP - http://bit.ly/ILOSecurity
        - IBM doesn’t have one, just the manual: http://bit.ly/IBMRSAGuide
      ● Regularly update firmware
      ● Review audit logs and configure alerts
  14. Trusted Platform Module
      ● Smartcard-like hardware module on the motherboard
        - Protects secrets
        - Performs cryptographic functions
        - Can create, store and manage keys
        - Performs digital signature operations
        - Holds platform measurements (hashes)
      ● Can be used to check platform integrity
      ● Can be used to store disk encryption keys
  15. Trusted Platform Module
      ● Disabled by default
      ● Resets automatically during a BIOS reset by switches
      ● Owned by the OS
      ● Change of ownership not possible without a reset
      ● Secure boot order in BIOS + TPM-aware OS + BIOS setup password makes the hacker’s life harder
  16. TPM implementation scenarios
  17. Windows (Hyper-V)
      ● Windows Server 2008 and above is a TPM-aware OS
      ● BitLocker full-disk encryption protects the OS and data
      ● BitLocker protects from offline password reset (pogostik/opengate/WinRE)
      ● BitLocker protects OS data from offline analysis (stolen or duplicated drives)
  18. BitLocker™ Drive Encryption Architecture (diagram, source: Microsoft). Static root of trust: measurement of boot components, TPM Init → BIOS → MBR → BootSector → BootBlock → BootManager → OS Loader → Start OS; all pre-OS boot blobs are unlocked first, then the volume blob of the target OS.
  19. Windows disk encryption
      ● BitLocker can be managed with GPO
      ● Data can be recovered if needed
      ● BitLocker can store recovery passwords in AD (schema extension is required)
        - Domain admins and the computer itself can read recovery passwords; permissions can be changed: http://bit.ly/BitLockerAD
      ● Whitepaper is available on Microsoft.com: http://bit.ly/HyperVBitLocker
      ● Hyper-V clusters supported, hotfix needed: http://support.microsoft.com/kb/2446607
      ● In-guest VM encryption not supported
      ● Windows Server 2012 supports BitLocker-encrypted CSV: http://bit.ly/BitLockerCSV2012
      ● HP HOWTO: http://bit.ly/HPBitLocker
  20. XenServer & TPM
      ● No official support
      ● Basic vTPM is in the product, but not documented yet and still not secured with a physical TPM
      ● But XenServer is just Linux!
        - TrustedGRUB, GRUB-IMA and Open Secure LOader (OSLO) are available to secure the boot process
        - Disk encryption with dm-crypt and TPM is possible, but complicated. Details in the IBM Blueprint: http://bit.ly/IBMTrustedGRUB
  21. Linux Trusted Boot Stages (diagram, source: Trent Jaeger). Root of trust (CRTM, POST, TPM) → BIOS → bootloader: GRUB Stage1 (MBR), Stage1.5, GRUB Stage2 with GRUB conf → kernel → operating system (SELinux MAC policy, JVM, DB); the stages are measured into TPM PCR01-07, PCR04-05 and PCR08-14.
  22. TrustedGRUB
      ● IBM Blueprint with step-by-step instructions available: http://bit.ly/IBMTrustedGRUB
      ● GPT is not supported by TrustedGRUB, MBR is required
        - Modify /opt/xensource/installer/constants.py during install
        - Step-by-step instructions from Major Hayden (@rackerhacker) on his blog: http://bit.ly/XS6GPTDisable
      ● Sirrix AG together with the German Federal Office for Information Security (BSI) tested different TPM-enabled open source solutions; review the document before implementation: http://bit.ly/TSSStudy
  23. XenServer boot hardening
      1. Disable boot from removable devices
      2. Set BIOS setup password
      3. Enable TPM
      4. Disable single user mode without password
         - Add the following entry to the /etc/inittab file:
           ~~:S:wait:/sbin/sulogin
      5. Install TrustedGRUB
      6. Enable GRUB password
      7. Configure additional checks on /etc/passwd, /etc/shadow, /boot/grub.lst and PAM configuration files
      8. Enable TrustedGRUB
  24. VMware & Support
      ● VMware claims that TPM is supported (http://kb.vmware.com/kb/1033811)
      ● Not configurable
      ● Not documented
      ● No partner solutions that use TPM
      ● Disk encryption for vKernel is not supported (FAT16!!!)
  25. General hypervisor security recommendations
  26. Platform-independent recommendations
      ● Don’t store VMs on the local drive, use SAN/NAS instead
      ● Use mutual CHAP authentication for iSCSI
      ● Consider using boot from SAN with storage-based encryption and Fibre Channel Security Protocol (FC-SP) enabled HBAs
        - Short overview: http://bit.ly/FC-SPOverview
        - Standard: http://bit.ly/FC-SPStandard
        - HBAs available from all major vendors (Emulex, QLogic, Cisco, Brocade, Hitachi)
      ● Use fixed virtual disk size to avoid unexpected VM pauses
  27. Platform-independent recommendations
      ● Separate management network
      ● Optionally implement IPsec on the management network
        - VMware: http://bit.ly/VMwareIPsec
      ● Change default MAC addresses to avoid use of the MAC address DB by an attacker:
        - http://www.coffer.com/mac_find
        - 00-15-5D – Hyper-V
        - 00-50-56 – VMware
  28. Platform-independent recommendations
      ● vCenter/SCVMM should be secured better than your DC
      ● Configure monitoring and auditing
      ● Use Active Directory for authentication
      ● Disable/lock local users and/or configure a password policy
      ● Do not use the management console as an RDP replacement
  29. XenServer hardening
      ● Review the XenServer User Security guide: http://bit.ly/XSSecurity
      ● Review the XenServer Hardening guide (released by Positive Technologies): http://bit.ly/XSHardening
      ● Configure AD authentication
      ● Disable SSH if you are not using it
      ● Install server certificates: http://bit.ly/XSCertificates
      ● Disable unencrypted XAPI access
      ● Disable autologon to the console from XenCenter
      ● Avoid using the pool-admin privilege; any pool admin can change the root password with xe user-password-change
  30. XenServer hardening
      ● All passwords stored on XenServer are insecure
        - Use a dedicated user for CIFS ISO repositories and limit the computers where this user can log on, because passwords can be retrieved even by a read-only user (xe pbd-list)
        - Use dedicated users for power management (any pool operator can retrieve them with xe secret-list)
      ● Be careful with RBAC: a lot of “security” is implemented in XenCenter only; XAPI and xe.exe give a lot of information even to a read-only user
      ● Be careful with XenServer monitoring: if a vendor asks for more permissions than a read-only user, change your vendor
      ● Avoid saving passwords in XenCenter (more information later)
  31. VMware hardening
      ● Check the VMware vSphere hardening guide: http://bit.ly/vSphereHardening
      ● Install trusted certificates
      ● vCenter – remove local admins
      ● vCenter – check permissions on vCenter folders, certificates are stored there
      ● Use remote management instead of the console installed on vCenter
      ● Change SQL account permissions after installation: http://bit.ly/VMwareSQL
      ● Disable SSH if nobody uses it
  32. VMware hardening
      ● Be careful with monitoring agents’ permissions
      ● Use partner solutions for hardening and compliance management:
        - vGate from Security Code (http://vgate.info/en/)
        - HyTrust virtual appliance (http://www.hytrust.com)
  33. Hyper-V/VMM hardening
      ● Use Server Core installation
      ● Remove local administrators from VMM
      ● Use remote management instead of the console installed on SCVMM
      ● Implement BitLocker
      ● Secure “HKLM\SOFTWARE\Microsoft\Virtual Machine” on guests
      ● Change permissions on the VHD store
      ● Read the Hyper-V security guide: http://bit.ly/HyperVHardening
      ● Download and use Microsoft Security Compliance Manager: http://bit.ly/MS-SCM
  34. VDI security
  35. VDI security best practices
      ● In most cases the same best practices apply to XenDesktop/View/RDS/vWorkspace
      ● Use GPO to manage VDI
      ● Create separate OUs for different desktop groups
      ● Don’t disable the firewall, configure rules instead: http://bit.ly/WindowsFirewall
      ● Monitor logs
      ● Remove Domain Users from the Terminal Server Users/Users groups; use dedicated groups and configure them using GPO
  36. VDI security best practices
      ● Use AppLocker/SRP/other application control tools to audit application usage
      ● Don’t forget about scripting environments:
        - Visual Basic for Applications
        - Browsers
        - HTML Applications
      ● Even with AppLocker/AppSense/RES there are ways to execute any application
        - XLSploit from Remko Weijnen (@RemkoWeijnen): http://bit.ly/XLSploit
        - Application control processes can be suspended/killed from Task Manager
  37. Windows Installer
  38. Windows Installer
      ● Be careful with Windows Installer: ANY user can restart the server
      ● Configure MSI logging with GPO, collect MSI logs and analyze them
      ● “AlwaysInstallElevated” is equivalent to granting administrative rights: http://bit.ly/AlwaysInstallElevated
      ● Enforce *.MSI signing
      ● Always check permissions on the folder with the source MSI files
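A way to check the two Windows Installer settings from slide 38 on a session host or VDI image, as an added PowerShell audit that is not part of the presentation. It assumes PowerShell 3.0 or later and reads the policy keys the AlwaysInstallElevated and MSI logging GPOs write.

```powershell
# Added audit script, not from the presentation: reports the Windows Installer
# policy values on the host it runs on. Assumes PowerShell 3.0 or later.
function Test-WindowsInstallerPolicy {
    $policyPath = 'SOFTWARE\Policies\Microsoft\Windows\Installer'
    $details = foreach ($hive in 'HKLM', 'HKCU') {
        $props = Get-ItemProperty -Path "$($hive):\$policyPath" -ErrorAction SilentlyContinue
        # AlwaysInstallElevated only takes effect when it is 1 in BOTH hives,
        # but each hive is reported so a half-configured policy is visible too.
        $elevated = 0
        if ($props -and $null -ne $props.AlwaysInstallElevated) {
            $elevated = [int]$props.AlwaysInstallElevated
        }
        [pscustomobject]@{
            Hive                  = $hive
            AlwaysInstallElevated = $elevated
        }
    }
    # The MSI logging policy (GPO "Logging") is machine-wide only: a REG_SZ such
    # as "voicewarmupx" under the HKLM key. Empty means there are no MSI logs to collect.
    $machine = Get-ItemProperty -Path "HKLM:\$policyPath" -ErrorAction SilentlyContinue
    $logging = if ($machine -and $machine.Logging) { [string]$machine.Logging } else { '' }

    [pscustomobject]@{
        AlwaysInstallElevatedActive = (@($details | Where-Object { $_.AlwaysInstallElevated -eq 1 }).Count -eq 2)
        LoggingPolicy               = $logging
        Details                     = $details
    }
}

$report = Test-WindowsInstallerPolicy
$report.Details | Format-Table -AutoSize
if ($report.AlwaysInstallElevatedActive) {
    Write-Warning 'AlwaysInstallElevated is set in HKLM and HKCU: any user can install an MSI with SYSTEM rights.'
}
if (-not $report.LoggingPolicy) {
    Write-Warning 'No Windows Installer logging policy is set, so there are no MSI logs to collect and analyze.'
}
```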
  39. Windows Installer
  40. Password security
      ● Almost all passwords that you enter during setup/configuration are stored somewhere:
        - HKLM\Software\<VendorName>
        - HKLM\System\CurrentControlSet\Services\<ServiceName>
        - %ProgramFiles%\<VendorName>
        - C:\ProgramData\<VendorName>
        - %AppData%\<VendorName>
        - *Anywhere*
      ● Some passwords are encrypted, some not
  41. DPAPI
      ● Data Protection API
      ● Introduced with Windows 2000, improved with every new version of Windows
      ● “Secure by Design”
      ● Simple API: CryptProtectData and CryptUnprotectData functions
      ● Recommended as a best practice
  42. DPAPI
      ● Widely used:
        - EFS, Internet Explorer, Outlook, IIS, RMS, WiFi passwords, CredManager
        - Skype, Gtalk, Chrome
        - XenApp, AppSense, XenCenter, Acronis, vSphere
      ● Can be “salted”, but not everyone uses “salt”
      ● Data can be encrypted with user or system keys
        - Data encrypted with user keys can be decrypted only by that user
        - Data encrypted with system keys can be decrypted by *ANY* user
  43. DPAPI
      ● Tools from Remko Weijnen (@RemkoWeijnen):
        - IMA Password decoder: http://bit.ly/IMAPassword
        - RDP Password decoder: http://bit.ly/RDPPassword
      ● Universal password decoder from me (tested with XenCenter, XenApp, AppSense):
          Add-Type -AssemblyName System.Security
          [System.Text.Encoding]::Unicode.GetString(
              [System.Security.Cryptography.ProtectedData]::Unprotect(
                  [System.Convert]::FromBase64String("Base64EncodedString"),
                  [System.Text.Encoding]::Unicode.GetBytes("MagicWord:)"),
                  'LocalMachine'))
      ● DPAPI blob header (the first bytes of any stored DPAPI blob): 01,00,00,00,D0,8C,9D,DF,01,15,D1,11,8C,7A,00,C0
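The user-key versus system-key distinction from slide 42, shown as an added PowerShell example that is not part of the presentation: the same ProtectedData class the decoder above calls, used the way an application should call it when it stores a service password. Function names and the sample strings are constructed for this example.

```powershell
# Added example, not from the presentation: how the DPAPI scope and entropy
# choices on slide 42 change who can read a stored secret. Uses the same
# System.Security.Cryptography.ProtectedData class the decoder above calls.
Add-Type -AssemblyName System.Security

function Protect-Secret {
    param(
        [Parameter(Mandatory)][string]$Secret,
        [ValidateSet('CurrentUser', 'LocalMachine')][string]$Scope = 'CurrentUser',
        [string]$Entropy = ''
    )
    $plain = [System.Text.Encoding]::Unicode.GetBytes($Secret)
    # Entropy is the "salt" from slide 42: a second value the caller must present
    # to CryptUnprotectData. Without it, any process in scope can decrypt the blob.
    $salt = if ($Entropy) { [System.Text.Encoding]::Unicode.GetBytes($Entropy) } else { $null }
    [Convert]::ToBase64String(
        [System.Security.Cryptography.ProtectedData]::Protect($plain, $salt, $Scope))
}

function Unprotect-Secret {
    param(
        [Parameter(Mandatory)][string]$Base64,
        [ValidateSet('CurrentUser', 'LocalMachine')][string]$Scope = 'CurrentUser',
        [string]$Entropy = ''
    )
    $salt = if ($Entropy) { [System.Text.Encoding]::Unicode.GetBytes($Entropy) } else { $null }
    [System.Text.Encoding]::Unicode.GetString(
        [System.Security.Cryptography.ProtectedData]::Unprotect(
            [Convert]::FromBase64String($Base64), $salt, $Scope))
}

# Weak: system (LocalMachine) key, no entropy. Every account on this host that can
# read the blob, including a read-only user on a shared VDI image, can decrypt it.
$weak = Protect-Secret -Secret 'constructed-service-password' -Scope LocalMachine
Unprotect-Secret -Base64 $weak -Scope LocalMachine        # succeeds with no secret from the caller

# Stronger: user key plus entropy. The blob is bound to the account that stored it
# (run the service under a dedicated account) and the entropy must also be known.
$entropy = 'constructed-app-entropy'
$strong  = Protect-Secret -Secret 'constructed-service-password' -Scope CurrentUser -Entropy $entropy
Unprotect-Secret -Base64 $strong -Scope CurrentUser -Entropy $entropy   # round-trips
try {
    Unprotect-Secret -Base64 $strong -Scope CurrentUser                  # missing entropy: throws
} catch {
    Write-Warning "Decryption without the entropy failed as intended: $($_.Exception.Message)"
}
```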
  44. Other ways to “decrypt” passwords
  45. Password Security
      ● Datastore access from the user-accessible desktop
        - In a perfect situation there is no direct DB access from the desktop
        - Even an encrypted password should be secured by an ACL
        - Should have read-only permissions
      ● Good examples:
        - Citrix IMA password – secured by the ACL in the registry
        - XenCenter passwords – stored in the user profile
  46. Database security
      ● Most software checks permissions at the application level, not at the database level
      ● Direct access to the database can help to elevate permissions within the application
      ● All the tools needed to access the database are already on the desktop:
        - Microsoft Office
        - .NET Framework
        - PowerShell
        - Scripting environments
  47. SlimJim for XenApp 6.5
          delete indextable FROM KEYTABLE INNER JOIN INDEXTABLE ON KEYTABLE.nodeid = INDEXTABLE.nodeid WHERE (KEYTABLE.parentid = 42)
          go
          delete KEYTABLE from KEYTABLE where parentid=42
          go
      ● Where does this “42” come from?
        - DSView from the support\debug folder on the XenApp CD
        - Directory -> ServerNeighborhoods -> <FarmName> -> AdminTool -> Users cid
  48. SlimJim for XenApp 6.5
  49. Provisioning Services
          INSERT INTO [AuthGroup]
              ([authGroupId]
              ,[authGroupName]
              ,[authGroupGuidName]
              ,[description])
          VALUES ('UNIQUE00-GUID-4D0D-B834-15EA4A9F41EA'
              ,N'DOMAIN.FQDN.COM/Users/Domain Users'
              ,N'de56c6b1-06ef-4ed6-85b8-a130f036d075'
              ,'')
          GO
          INSERT INTO [AuthGroupFarm]
              ([authGroupId])
          VALUES ('UNIQUE00-GUID-4D0D-B834-15EA4A9F41EA')
          GO
      ● de56c6b1-06ef-4ed6-85b8-a130f036d075 – GUID from adsiedit
  50. SQL
      ● SQL servers should be secured even if they are “not hosting important company data”
        - Access to the XA datastore = XA admin rights
        - Access to the Provisioning Server DB = assigning a custom image
        - Access to the VMM/vCenter DB = IDDQD
        - Access to the AppSense/RES/VUEM DB = ability to bypass SRP and execute processes under another user
      ● Use Microsoft Security Compliance Manager: http://bit.ly/MS-SCM
      ● Read SQL Security Best Practices from Microsoft: http://bit.ly/SQLSecurity
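To review who can reach one of the databases slide 50 lists, an added PowerShell/T-SQL audit that is not part of the presentation. It assumes Windows (integrated) authentication, permission to read the database's catalog views and sys.server_principals, and uses placeholder server and database names.

```powershell
# Added audit script, not from the presentation: lists every user, its server
# login and its database roles in one database, so the datastore/PVS/VMM
# databases from slide 50 can be reviewed for accounts that should not be there.
# Assumes integrated authentication and rights to read the catalog views;
# the server and database names at the bottom are placeholders.
function Get-DatabasePrincipalReport {
    param(
        [Parameter(Mandatory)][string]$ServerInstance,
        [Parameter(Mandatory)][string]$Database
    )
    $query = @"
SELECT dp.name             AS principal,
       dp.type_desc        AS principal_type,
       ISNULL(r.name, '')  AS db_role,
       ISNULL(sp.name, '') AS server_login
FROM sys.database_principals dp
LEFT JOIN sys.database_role_members rm ON rm.member_principal_id = dp.principal_id
LEFT JOIN sys.database_principals r   ON r.principal_id = rm.role_principal_id
LEFT JOIN sys.server_principals sp    ON sp.sid = dp.sid
WHERE dp.type IN ('S', 'U', 'G')   -- SQL user, Windows user, Windows group
  AND dp.name NOT IN ('dbo', 'guest', 'INFORMATION_SCHEMA', 'sys')
ORDER BY dp.name, r.name;
"@
    $conn = New-Object System.Data.SqlClient.SqlConnection(
        "Server=$ServerInstance;Database=$Database;Integrated Security=True")
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = $query
        $reader = $cmd.ExecuteReader()
        while ($reader.Read()) {
            [pscustomobject]@{
                Principal   = $reader['principal']
                Type        = $reader['principal_type']
                Role        = $reader['db_role']
                ServerLogin = $reader['server_login']
            }
        }
    } finally {
        $conn.Close()
    }
}

# A broad Windows group (e.g. Domain Users) or a db_owner member in a datastore
# is the condition slide 50 describes: database access that equals application admin.
Get-DatabasePrincipalReport -ServerInstance 'SQL01\INSTANCE' -Database 'CitrixDatastore' |
    Where-Object { $_.Type -eq 'WINDOWS_GROUP' -or $_.Role -eq 'db_owner' } |
    Format-Table -AutoSize
```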
  51. Questions?
      ● http://bit.ly/SecureIT
      ● denisg@entisys.com
      ● @fdwl