Windows 10 Defense in Depth Strategies with Server 2016. Thank you for coming to this talk. Let's get started.
Disclaimer: this talk does not necessarily reflect the views of my employer. I am not responsible for your production issues if you brick a few machines, so please don't test in prod.
This talk sets realistic expectations for organizations that are planning to move to Windows 10 and covers the caveats of implementing some of these new technologies. All the work in these slide decks was done on a virtualized test network called derbycon. This is not a Microsoft sales pitch. I apologize in advance: I skimped a little on security baselining and the Microsoft LAPS tool because I wanted to focus on Windows 10 specific defenses.
This talk is broken out into four parts: identity protection, data protection, threat resistance, and device security. Products such as Enterprise Data Protection and Device Guard require Windows 10 Enterprise. Some slides I am going to go through very quickly. I'm not a fan of regurgitating known information; I like to generate my own thoughts on implementing these products. At the end of the slides there are abstracts with the sources this information was compiled from and further in-depth analysis of the topics in this talk.
If you want to do any type of security baselining, download Microsoft Security Compliance Manager (SCM). It's free, it's fantastic to use, and it saves a lot of security build time with group policy objects.
LAPS is Microsoft's Local Administrator Password Solution: it sets a unique, randomized local administrator password on every machine and stores it in a protected Active Directory attribute. If you are not actively disabling local administrator accounts, you probably need this tool.
Microsoft Passport is designed to mitigate pass-the-hash threats. Instead of sending a password to a domain controller, the user enters a PIN on a trusted device; the PIN unlocks a device-bound key that does the authenticating, so no reusable password hash is in play. Force the use of TPM chips when setting up your Passport policies so that key is hardware-bound. Using Passport and Windows Hello may not be practical for some orgs once you look at the requirements.
So what are the Microsoft Passport requirements? That depends on how you want to roll it out and configure it. Do you want key-based or certificate-based authentication? Will you use a hybrid cloud model with Azure AD, or do everything with AD on premises? The minimum for an on-premises Active Directory rollout with key-based authentication is Server 2016, ADFS, and System Center 2012 R2 Configuration Manager SP2. So why ADFS? Some things on your network will not understand what a Passport PIN is; ADFS provides single sign-on to those systems once you have authenticated from a Windows 10 device with a PIN.
This slide is a sample group policy object configuration for Passport for Work. Notice that I am telling the GPO to use a hardware security device (the TPM). This is your second factor: when Passport provisions to a machine, the key is created in the TPM embedded in that system, so the enrolled machine itself is the "trusted" thing you have.
Flow of execution with Microsoft passport.
This example is a customized out-of-box experience for an end user with Azure Active Directory, so I select "This device belongs to my organization."
I am going to join Azure AD and type in my credentials. The credentials that exist in Azure say a lot about me; I'll get to that in the next few slides.
This enrollment flow is based on a domain join with Azure AD; it may vary slightly with on-premises AD and ADFS. Notice how I am immediately asked to create a work PIN.
Here is where I need to prove I am who I say I am. I've entered my account credentials, but that doesn't necessarily mean I am who I say I am; we need a way to further prove my identity. I am going to send this notification to my authenticator app.
My authenticator application receives the request. At this point I can approve it so I can create my PIN.
As soon as you create your PIN you can log into your system with it going forward. That is Microsoft Passport in a quick demo and how it mitigates pass-the-hash.
Let's go over some fascinating headlines when it comes to data protection.
Other articles indicate that encrypting data at rest is vital but it's not happening as often as it should. The two bottom articles highlight those risks.
Regrettably, employees are still copying PII because they need to look at it offline or review it at home when they don't have remote access. Anyone that has access to removable media should be forced to encrypt data.
Probably my favorite headline, and the most scary, is when political leaders don't understand encryption at all, even on a basic level, and what it does to protect information.
Since native solutions such as BitLocker are available with Windows 10 Pro and above, there should be very little reason not to encrypt with them. BitLocker is free in licensing terms but not free to run: it takes infrastructure and time to implement properly. If you are under a legal obligation to report on the encryption status of lost or stolen devices, you will need Microsoft BitLocker Administration and Monitoring (MBAM), which is not free.
You can push BitLocker policies down to removable media. If you get your configuration right, end users get a very simple device encryption experience. Enterprise Data Protection (EDP) for Windows 10 has not been released yet, but it is coming.
Benefits of EDP. EDP provides:
- Additional protection against enterprise data leakage, with minimal impact on employees' regular work practices.
- Obvious separation between personal and corporate data, without requiring employees to switch environments or apps.
- Additional data protection for existing line-of-business apps without a need to update the apps.
- Ability to wipe corporate data from devices while leaving personal data alone.
- Use of audit reports for tracking issues and remedial actions.
- Integration with your existing management system (Microsoft Intune, System Center 2012 R2 Configuration Manager, or your current mobile device management (MDM) system) to configure, deploy, and manage EDP for your company.
- Additional protection for your data (through RMS integration) while roaming and sharing, like when you share encrypted content through Outlook or move encrypted files to USB keys.
If you are ever stuck on which ciphers and hashing algorithms to use or roll out in your organization, I use the NSA Suite B guidelines. The upcoming slides follow those standards.
Full GPO path to publish your root CA.
This is the root CA that I've deployed in my test environment. You will notice that I am using the SHA-384 hashing algorithm and a 4096-bit RSA key. A trusted root CA is needed so you can issue and sign a BitLocker data recovery agent certificate. I'll get to that in a bit.
Rolling out full disk encryption is no different from Windows 8.1. Windows 8.1 enterprise adoption is pretty low; the general expectation is that Windows 10 will be more widely adopted in the enterprise. A few points on this. There are a lot of configuration tweaks in BitLocker and it can get a little complicated. As a security administrator, any complicated process or procedure should live on the back end; encryption needs to be easy for your end users to deploy and use. If there is one takeaway from this slide: never use the "encrypt used space only" setting unless you are confident in your internal wiping procedures, because whatever was previously written to the unused blocks stays on the disk in the clear. With the explosion of SSD disks you need to do full disk encryption; a 128 GB SSD takes around 30 minutes to encrypt. Always encrypt with AES-256. BitLocker defaults to AES-128.
BitLocker is pretty flexible. You can add mitigations for direct memory access (DMA) attacks. It supports smart cards. You can do pervasive AES-256 encryption for the OS, any secondary fixed disks, and removable media, with preboot authentication before the OS boots. I promise this is not a sales pitch.
I am going to show some threat mitigation for each of these attacks. There are several attack vectors we need to ensure are secured so we aren't leaving an opening for a BitLocker failure.
In this slide I am preventing the installation of FireWire (IEEE 1394) device drivers. Disabling FireWire helps mitigate DMA attacks, where an attacker plugs into a DMA-capable port and reads the encryption keys straight out of memory.
In this slide I am limiting interactive logon to 10 failed attempts (the "Interactive logon: Machine account lockout threshold" policy). When you are doing BitLocker with TPM chips this is a great measure to stop brute-force sign-ins.
Once the threshold is hit, BitLocker is locked out and you are forced to enter the 48-digit recovery password. This is a bad scenario to contend with if you are trying to steal data off a computer.
For memory-based attacks you want to set a few policies. Any laptop in an enterprise should have preboot authentication before the operating system starts. Always enable Secure Boot with integrity validation in your encryption policies.
Note that the selected encryption method is AES-256. Don't allow standby states on protected computers: in standby (S1-S3) the volume encryption key stays in RAM, which opens the door to DMA and cold-boot attacks. Hibernate instead, so the key leaves memory and preboot authentication is required on resume.
If you are protecting laptops, make sure you are requiring startup PINs with TPM chips. Notice that "Allow BitLocker without a compatible TPM" is not allowed. Typically enterprise business-line desktops have TPM chips built in. At the top of this, notice we allow Secure Boot for integrity validation.
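Here is an added pre-flight check (example code written for this page, not from the talk or from Microsoft) that tests the conditions the last few slides call for on the OS drive: TPM present and ready, Secure Boot on, no IEEE 1394 host controller, standby (S1-S3) disallowed, and the OS volume encrypted with AES-256 behind a TPM+PIN protector with a recovery password in reserve. It uses the BitLocker, TrustedPlatformModule, SecureBoot and PnpDevice modules that ship with Windows 10 and must run elevated. The registry path is the one the "Allow standby states (S1-S3) when sleeping" power policy writes; verify it against your ADMX before relying on it. The check logic takes its inputs as parameters so it can also be run against captured data.

```powershell
#Requires -RunAsAdministrator
# Added example: pre-flight check for the preboot/DMA policies on the OS drive.

function Get-FdeFindings {
    param(
        [Parameter(Mandatory)] $Tpm,                 # output of Get-Tpm
        [Parameter(Mandatory)] [bool] $SecureBootOn, # output of Confirm-SecureBootUEFI
        [Parameter(Mandatory)] $Volumes,             # output of Get-BitLockerVolume
        [Parameter(Mandatory)] [int] $FireWireControllers,
        $StandbyAcSetting                            # 0 = standby (S1-S3) not allowed on AC power
    )
    $findings = @()
    if (-not ($Tpm.TpmPresent -and $Tpm.TpmReady)) {
        $findings += 'TPM missing or not ready; TPM+PIN preboot authentication cannot be enforced'
    }
    if (-not $SecureBootOn) {
        $findings += 'Secure Boot is off; enable it so BitLocker can use Secure Boot for integrity validation'
    }
    if ($FireWireControllers -gt 0) {
        $findings += "$FireWireControllers IEEE 1394 host controller(s) present; block the 1394 driver class to mitigate DMA attacks"
    }
    if ($StandbyAcSetting -ne 0) {
        $findings += 'Standby (S1-S3) still allowed; the volume key stays in RAM while asleep, use hibernate instead'
    }
    foreach ($v in ($Volumes | Where-Object VolumeType -eq 'OperatingSystem')) {
        $types = @($v.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })
        if ("$($v.ProtectionStatus)" -ne 'On') {
            $findings += "$($v.MountPoint) protection is $($v.ProtectionStatus)"
        }
        if ("$($v.EncryptionMethod)" -notin 'Aes256', 'XtsAes256') {
            $findings += "$($v.MountPoint) uses $($v.EncryptionMethod); policy requires AES-256"
        }
        if ($types -notcontains 'TpmPin' -and $types -notcontains 'TpmPinStartupKey') {
            $findings += "$($v.MountPoint) has no TPM+PIN protector (has: $($types -join ', '))"
        }
        if ($types -notcontains 'RecoveryPassword') {
            $findings += "$($v.MountPoint) has no recovery password protector; a TPM lockout would be unrecoverable"
        }
    }
    return $findings
}

# Collect the live values. Confirm-SecureBootUEFI throws on legacy BIOS machines,
# which for this check is the same as Secure Boot being off.
$tpm  = Get-Tpm
$sb   = try { Confirm-SecureBootUEFI } catch { $false }
$vols = Get-BitLockerVolume
$fw   = @(Get-PnpDevice -Class '1394' -ErrorAction SilentlyContinue).Count
$standbyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Power\PowerSettings\abfc2519-3608-4c2a-94ea-171b0ed546ab'
$standby = (Get-ItemProperty -Path $standbyKey -Name ACSettingIndex -ErrorAction SilentlyContinue).ACSettingIndex

$findings = Get-FdeFindings -Tpm $tpm -SecureBootOn $sb -Volumes $vols -FireWireControllers $fw -StandbyAcSetting $standby
if ($findings.Count -eq 0) { 'OS drive meets the preboot/DMA policy' }
else { $findings | ForEach-Object { "FAIL: $_" } }
```

A missing power policy value reads back as null, which the function reports as a failure on purpose: an unset policy means the default (standby allowed) is in effect.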
This is a sample policy for basic DLP with removable storage access and device installation restrictions. Removable storage access can be set per user instead of per machine. What I would do is apply the deny GPO to all domain users, then make a second user-based GPO that doesn't deny read/write access, filter it to a specific security group and link it so it takes precedence over the deny policy. Let BitLocker do the rest of the work for those who do have access.
This example uses smart cards to allow removable device encryption. Reminder that you should enforce full encryption on removable data drives. Note how we deny write access to removable drives not protected by BitLocker.
When a USB device is inserted, this is the first thing a user sees. They get two options: either encrypt the drive, or don't encrypt it and everything is read-only. This is where you want all users that have write access to removable media.
After a user chooses to encrypt, they have to provide a password or smart card. Passwords should follow your org's password policy. The drive remains read-only until it is fully encrypted.
Always set this policy: you never want to give end users the ability to decrypt removable media. There is one con: you can't prevent someone from taking the drive home and decrypting it on a non-corporate device, since the policy only applies on managed machines and the user knows the password. Grant removable media write access sparingly, only to people who really need it.
With the command manage-bde -status I can quickly get the status of an encrypted device: what key protectors it has and what encryption method was used. Notice that one of my key protectors is a data recovery agent.
With this command I can get further information on the key protectors for the removable media. The certificate thumbprint is important in case an end user forgets the password they set on the thumb drive; it identifies which DRA certificate can unlock it.
Data recovery agents allow you to recover data on an encrypted medium using a public/private key pair. The same rule applies: use NSA Suite B standards when generating the key pair.
BitLocker data recovery agents work in tandem with BitLocker identification fields: the DRA is only applied to drives whose identification field matches one of the allowed identification fields in policy. In this example my BitLocker identification is Derbycon and my allowed BitLocker identification field is derbycon.
A data recovery agent certificate needs the following key usage: Key Encipherment.
Group Policy Object locations for data recovery agents.
This is an example of unlocking the drive with the DRA's private key, matched by the certificate thumbprint that was rolled out across the derbycon network.
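The recovery on the last slide, as an added PowerShell example (mine, not the talk's or Microsoft's code): read the DRA protector off a locked removable drive, find the matching certificate with its private key on the recovery workstation, check it against the requirements stated above (Key Encipherment key usage, SHA-384 signature, RSA 4096, not expired), and then unlock with manage-bde. The drive letter is an assumption; the Thumbprint property on the Get-BitLockerVolume protector object is assumed to carry the same value that manage-bde -protectors -get prints as "Certificate Thumbprint".

```powershell
#Requires -RunAsAdministrator
# Added example: verify the DRA certificate and unlock a removable drive with it.
$Drive = 'E:'   # assumed mount point of the locked removable drive

function Test-DraCertificate {
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2] $Cert)
    $problems = @()
    # BitLocker only accepts a DRA certificate that carries the Key Encipherment key usage
    $ku = $Cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
    $keyEnc = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::KeyEncipherment
    if (-not $ku -or -not ($ku.KeyUsages -band $keyEnc)) {
        $problems += 'missing KeyEncipherment key usage; BitLocker will not accept it as a DRA'
    }
    # Suite B style requirements from the slides: SHA-384 signature, RSA 4096 key
    if ($Cert.SignatureAlgorithm.FriendlyName -ne 'sha384RSA') {
        $problems += "signed with $($Cert.SignatureAlgorithm.FriendlyName), expected sha384RSA"
    }
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($Cert)
    if (-not $rsa -or $rsa.KeySize -lt 4096) {
        $size = if ($rsa) { $rsa.KeySize } else { 'n/a' }
        $problems += "RSA key size is $size, expected 4096"
    }
    if ($Cert.NotAfter -lt (Get-Date)) { $problems += 'certificate has expired' }
    return $problems
}

function Get-DraProtector {
    param([Parameter(Mandatory)] $Volume)   # object from Get-BitLockerVolume
    # Certificate-based protectors (the DRA among them) are reported as type PublicKey
    $Volume.KeyProtector | Where-Object { "$($_.KeyProtectorType)" -eq 'PublicKey' }
}

$vol = Get-BitLockerVolume -MountPoint $Drive
$dra = @(Get-DraProtector -Volume $vol)
if ($dra.Count -eq 0) {
    throw "$Drive has no certificate/DRA protector; only the user's password or a recovery key can unlock it"
}

foreach ($p in $dra) {
    $tp = $p.Thumbprint   # assumed to match manage-bde's "Certificate Thumbprint" line
    # The DRA private key must be on this host; the slides say never mark it exportable
    $cert = Get-ChildItem Cert:\LocalMachine\My, Cert:\CurrentUser\My |
        Where-Object Thumbprint -eq $tp | Select-Object -First 1
    if (-not $cert -or -not $cert.HasPrivateKey) {
        Write-Warning "no private key for DRA $tp on this host"
        continue
    }
    $problems = Test-DraCertificate -Cert $cert
    if ($problems) { Write-Warning ("DRA $tp does not meet policy: " + ($problems -join '; ')) }
    # Unlock with the certificate protector; the user's password protector stays in place
    manage-bde -unlock $Drive -Certificate -ct $tp
    break
}
```

Run this on the recovery workstation that holds the DRA key, not on the user's machine; the drive stays read-only until a write-capable protector (the user's password) is known again or the password is reset with manage-bde -protectors.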
I am going to step back a moment and talk about Microsoft's new browser, Edge. High-security organizations are going to have a tough time using Edge: it does not support certificate enrollment of any kind. I'll show those slides in a few. IE 11 has its own challenges. At this time I'd recommend IE 11 with EMET, or Google Chrome.
Remote code executions are still happening, even with Microsoft Edge.
I still have a tough time understanding why Microsoft wants to phase out Internet Explorer with a browser that doesn't even know how to do certificate enrollment.
A listing of sample policies for Microsoft Edge. They are a night-and-day difference from Internet Explorer, but problems are still present in Edge. PKI certificate structures are a large problem if you are doing any type of certificate-based authentication.
Telemetry problems with Windows 10 have also been dominating the headlines. Even if you set telemetry to its lowest level in Windows 10 Pro, it's not disabled: the "Security" (0) level is only honored on Enterprise, Education and Server editions, and Pro falls back to "Basic". Use the following GPO registry key if you wish to disable it as far as your edition allows.
Device Guard is going to be a big undertaking for companies. It will be great for preventing the execution of unapproved processes and apps. The largest issue I see will be independent software vendors not signing their code. Device Guard is meant more for fixed workloads: cash registers, point-of-sale systems, ATMs, etc. It will not work in BYOD environments. High-security organizations will need to look into this further.
Device Guard needs to be thought of as a holistic solution. When combined with Credential Guard and Isolated User Mode you get some quick wins right out of the gate. Credential Guard is good for mitigating pass-the-hash attacks, and IUM protects critical parts of the OS against administrative and kernel-level malware. Credential Guard and Isolated User Mode are easy to implement compared to locking down your systems with Device Guard code integrity policies.
Virtualization-based security requirements:
VBS drives the primary features in Device Guard and is crucial to the successful deployment of Device Guard in your organization.
When you consider new hardware, look for the following features so that you can take advantage of VBS:
- CPU virtualization extensions. Virtualization extensions such as Intel VT-x and AMD-V are required to run type 1 hypervisors, and Device Guard VBS requires them as well.
- SLAT memory virtualization enabled. SLAT provides hypervisors with an intermediary cache of virtual-to-physical address translation, which drastically reduces the time the hypervisor takes to service translation requests to the physical memory of the host. This feature is enabled in the BIOS of the host machine and is required to implement Windows 10 VBS.
- IOMMU. The VBS features within Device Guard require an I/O memory management unit, such as Intel VT-d or AMD-Vi. This feature is required for direct memory access (DMA) protection.
- TPM. Device Guard and configurable code integrity do not require a TPM. However, Credential Guard, which is frequently deployed in combination with Device Guard and configurable code integrity, requires a TPM to protect data at rest.
Initial setup of Device Guard. This is one of the downsides: you are locked into Hyper-V, because VBS runs on the Hyper-V hypervisor.
The following is an example set of GPOs. Before I get too deep into Device Guard, we are going to look at the benefits of deploying Credential Guard once Hyper-V and virtualization-based security have been deployed.
Code integrity (CI) policies are something you will need to roll out to machines as you decide to audit and then enforce them.
Example of the NTLM hash isolated by LSA with Credential Guard: the secrets live in the isolated LSA process (LSAIso), and a credential dumper running in the normal OS gets nothing usable back.
NTLM hash without Credential Guard. Mitigation for pass-the-hash has fully failed in this scenario: the hash is readable straight out of LSASS memory.
Windows 10 and Windows Server 2016 and later have a WMI class for Device Guard related properties and features: Win32_DeviceGuard. This class can be queried from an elevated Windows PowerShell session by using the following command:
This was done inside a VM, so Device Guard is not running on this system.
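The raw query returns numeric codes that are hard to read on a slide, so here is an added example (my code, not the talk's or Microsoft's) that queries Win32_DeviceGuard, decodes the codes with the mappings Microsoft documents for the class, and flags the gaps the talk cares about: VBS not running, no Secure Boot or DMA protection on the platform, Credential Guard or HVCI not running. The code tables include values that later Windows 10 builds added (properties 5-7, services 3-4); on a 2015 build they simply never appear. The decoding takes the instance as a parameter so it can be run against a saved object from another machine.

```powershell
#Requires -RunAsAdministrator
# Added example: decode Win32_DeviceGuard into a readable state and report gaps.

$AvailableProps = @{ 1 = 'BaseVirtualizationSupport'; 2 = 'SecureBoot'; 3 = 'DMAProtection'
                     4 = 'SecureMemoryOverwrite'; 5 = 'UEFICodeReadOnly'
                     6 = 'SMMSecurityMitigations'; 7 = 'ModeBasedExecutionControl' }
$Services  = @{ 1 = 'CredentialGuard'; 2 = 'HypervisorEnforcedCodeIntegrity'
                3 = 'SystemGuardSecureLaunch'; 4 = 'SMMFirmwareMeasurement' }
$VbsStatus = @{ 0 = 'NotEnabled'; 1 = 'EnabledNotRunning'; 2 = 'Running' }
$CiStatus  = @{ 0 = 'Off'; 1 = 'Audit'; 2 = 'Enforced' }

function ConvertFrom-DeviceGuardState {
    param([Parameter(Mandatory)] $Dg)   # a Win32_DeviceGuard instance
    # Map an array of codes to names; unknown codes are kept visible rather than dropped
    $toNames = {
        param($codes, $table)
        @($codes | ForEach-Object {
            if ($table.ContainsKey([int]$_)) { $table[[int]$_] } else { "Unknown($_)" }
        })
    }
    [pscustomobject]@{
        VirtualizationBasedSecurity = $VbsStatus[[int]$Dg.VirtualizationBasedSecurityStatus]
        AvailableSecurityProperties = & $toNames $Dg.AvailableSecurityProperties $AvailableProps
        RequiredSecurityProperties  = & $toNames $Dg.RequiredSecurityProperties $AvailableProps
        ServicesConfigured          = & $toNames $Dg.SecurityServicesConfigured $Services
        ServicesRunning             = & $toNames $Dg.SecurityServicesRunning $Services
        KernelCodeIntegrity         = $CiStatus[[int]$Dg.CodeIntegrityPolicyEnforcementStatus]
        UserModeCodeIntegrity       = $CiStatus[[int]$Dg.UsermodeCodeIntegrityPolicyEnforcementStatus]
    }
}

function Get-DeviceGuardGaps {
    param([Parameter(Mandatory)] $State)   # output of ConvertFrom-DeviceGuardState
    $gaps = @()
    if ($State.VirtualizationBasedSecurity -ne 'Running') {
        $gaps += "VBS is $($State.VirtualizationBasedSecurity): check VT-x/AMD-V, SLAT and that the Hyper-V hypervisor is enabled"
    }
    foreach ($p in 'SecureBoot', 'DMAProtection') {
        if ($State.AvailableSecurityProperties -notcontains $p) { $gaps += "platform does not offer $p" }
    }
    if ($State.ServicesRunning -notcontains 'CredentialGuard') {
        $gaps += 'Credential Guard is not running; LSA secrets are not isolated'
    }
    if ($State.ServicesRunning -notcontains 'HypervisorEnforcedCodeIntegrity') {
        $gaps += 'HVCI is not running; kernel code integrity is not hypervisor enforced'
    }
    return $gaps
}

$dg    = Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard
$state = ConvertFrom-DeviceGuardState -Dg $dg
$state | Format-List
Get-DeviceGuardGaps -State $state | ForEach-Object { "GAP: $_" }
```

Inside a guest VM without nested virtualization, as on the slide, the report shows VirtualizationBasedSecurity as NotEnabled and empty ServicesRunning, which is exactly the "Device Guard is not running" result.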
Create your Device Guard GPO policies and assign them to an OU bucket for testing with compatible devices. Then:
1. Create catalog files first. Creating catalog files is the first step to adding unsigned applications to a code integrity policy.
2. Sign your catalog files.
3. Create your CI policy from a golden image. It may be necessary to scan a shadow copy of your file volume because of file locks.
4. Deploy code integrity in audit mode before you start enforcing.
Let's take a look at TechNet for the deployment flow.
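The four steps above as one script, added here as an example of my own rather than the talk's or the TechNet guide's code. It catalogs an unsigned line-of-business installer with PackageInspector, signs the catalog, builds a CI policy from the golden image with a signer rule for the catalog certificate, deploys it in audit mode, and then merges the audit events and drops audit mode for enforcement. The working folder, catalog name, signing certificate subject and installer path are assumptions; signtool.exe comes from the Windows SDK and PackageInspector.exe ships with Windows 10 Enterprise. Run it elevated on the golden image, and stop at the reboot before running the last part.

```powershell
#Requires -RunAsAdministrator
# Added example: audit-first code integrity deployment for Device Guard.
$Work         = 'C:\DeviceGuard'                     # assumed working folder
$Initial      = "$Work\InitialScan.xml"
$AuditAdds    = "$Work\AuditEvents.xml"
$Merged       = "$Work\Merged.xml"
$Catalog      = "$Work\LOBApp.cat"
$CatSigner    = 'CN=DerbyCon Catalog Signer'         # assumed code-signing cert in Cert:\CurrentUser\My
$LobInstaller = 'C:\Installers\LOBApp-Setup.exe'     # assumed unsigned ISV installer
New-Item -ItemType Directory -Path $Work -Force | Out-Null

# 1. Catalog the unsigned app. PackageInspector records every file written to the
#    volume between Start and Stop, so only the installer should run in between.
PackageInspector.exe Start C:
Start-Process -FilePath $LobInstaller -Wait
PackageInspector.exe Stop C: -Name $Catalog -cdfpath "$Work\LOBApp.cdf"

# 2. Sign the catalog (CI only honours signed catalogs) and stage it in catroot.
signtool.exe sign /n $CatSigner /fd sha256 /v $Catalog
Copy-Item $Catalog "$env:windir\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\"

# 3. Build the policy from the golden image. New-CIPolicy scans a shadow copy by
#    default, so locked files do not break the scan; -UserPEs covers user-mode
#    binaries as well as drivers, and -Fallback Hash handles unsigned files.
New-CIPolicy -Level PcaCertificate -Fallback Hash -FilePath $Initial -UserPEs

# 4. Trust the catalog signer so everything in a catalog it signed is allowed.
$signerCert = Get-ChildItem Cert:\CurrentUser\My | Where-Object Subject -eq $CatSigner | Select-Object -First 1
Export-Certificate -Cert $signerCert -FilePath "$Work\CatSigner.cer" | Out-Null
Add-SignerRule -FilePath $Initial -CertificatePath "$Work\CatSigner.cer" -User

# 5. Audit mode first: rule option 3 turns a block into a CodeIntegrity event
#    (ID 3076) so you can see what would have been stopped. Deploy the binary
#    as SIPolicy.p7b through the GPO on the test OU, or copy it by hand here.
Set-RuleOption -FilePath $Initial -Option 3
ConvertFrom-CIPolicy -XmlFilePath $Initial -BinaryFilePath "$Work\SIPolicy.p7b"
Copy-Item "$Work\SIPolicy.p7b" "$env:windir\System32\CodeIntegrity\SIPolicy.p7b"
Write-Host 'Reboot, run the real workload for a while, then continue with step 6.'

# 6. After the soak: fold the audited binaries into the policy, remove audit
#    mode and rebuild the binary for enforcement.
New-CIPolicy -Audit -Level Hash -FilePath $AuditAdds -UserPEs
Merge-CIPolicy -OutputFilePath $Merged -PolicyPaths $Initial, $AuditAdds
Set-RuleOption -FilePath $Merged -Option 3 -Delete
ConvertFrom-CIPolicy -XmlFilePath $Merged -BinaryFilePath "$Work\SIPolicy.p7b"
```

Keep the XML files under version control: the binary policy is regenerated from them every time, and the audit-mode XML is what you diff against when an ISV ships an update that is not in any catalog.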
WINDOWS 10 DEFENSE IN DEPTH STRATEGIES (UPDATED WITH SERVER 2016 TH2)
These slides are “AS IS” without warranty. The topics expressed in this
talk may not reflect the views of my employer. I am not responsible
for your production issues if you brick a few machines. So please
don’t test in PROD.
This is not a marketing sales pitch for Microsoft.
This talk sets realistic expectations for organizations
All Group Policy Slides were taken from a test VM network called
My slide decks are probably worse than the NSA's
WINDOWS 10 DID
Sadly EDP and Device Guard are only
available in Windows 10 Enterprise
Enterprise Data Protection has not
been released to the general public
Unfortunately all these technologies
will require extra MS tech such as
ADFS and an active PKI environment
My Talk is broken up into these 4 parts
Microsoft Security Compliance Manager is free and extremely useful in
importing security baselines.
Bitlocker sections are based off of SCM
If local administrator accounts are a problem in your org,
look into LAPS. It requires an AD schema update, ACL restrictions on
who has access to see the LAPS attributes, an agent installed on each
machine and LAPS GPO policies.
Released in June of this year.
Replaces passwords with strong two factor authentication that
consists of an enrolled device and a Windows PIN
FORCE the use of a hardware security device (TPM) when setting
Passport and Windows Hello may not be practical for some orgs
after you look at the requirements
As orgs migrate to Windows 10 Pro or Enterprise, there are
very few reasons why you shouldn't encrypt with native solutions
such as BitLocker.
If you have legal obligations to report on encryption status you will need
products such as MBAM (Microsoft BitLocker Administration and Monitoring)
Legitimate companies rely on strong unbreakable encryption
technologies not just terrorists
Any talk about back dooring encryption is wrong.
REMOVABLE MEDIA ENCRYPTION
Bitlocker can be moved on down to removable media if allowed
Enterprise Data protection with Windows 10 has not been
released yet…..but it’s coming
FULL DISK ENCRYPTION
FDE in Windows 10
No difference from WIN 8.1
When in doubt on encryption methods always choose AES256
with Full disk encryption. If there is any doubt in your disk wiping
process never use “Encrypt Used Space only” method
ADDITIONAL PROTECTIONS WITH
Adds protection against direct memory access attacks (I’ll get to
this and how to mitigate in a bit)
Supports SMART CARDS
AES256 support for OS, Fixed Disks, and removable media
No this isn’t a sales pitch….
For Memory remanence attacks apply preboot authentication
before OS starts
Encrypted Laptops will get owned if you fail at DMA mitigation
Enable Secure boot
Laptops are higher value targets than desktops. Choose wisely
on what devices get preboot auth.
WHAT IS A DATA RECOVERY AGENT
FOR BITLOCKER REMOVABLE MEDIA?
Allows recovery of encrypted data by using a public/private key
Should only use Data Recovery Agents on removable media.
DON’T USE ANYTHING LESS THAN A SHA-384 HASHING ALGO AND
RSA 4096 BIT KEY (NEW NSA SUITE-B STANDARD)
DON’T MAKE THE PRIVATE KEY EXPORTABLE ON ANY ADMIN
WINDOWS 10 BROWSERS AND
Comes with Microsoft Edge/IE11
High security orgs will have a tough time using Microsoft Edge
Edge does not support certificate enrollments. So if you are
signing up for a security certificate with the browser. It will fail.
I am still suggesting orgs use IE 11 with EMET or Google Chrome
WINDOWS 10 DEVICE GUARD
Threat Resistance and Device Security
Device Guard: combines hardware and software security
features. Enables enterprises to control what is allowed to run
Great for running on fixed workloads Ex.) Cash Registers, POS,
Will run into trouble if you are trying to implement on machines
that are updated regularly outside of a Corporate fully managed
Device Guard and other parts of the solution
Utilize the following components with Device Guard: Credential
Guard, Isolated User Mode for some quick wins
Credential Guard brings virtualization based security into the
equation. Helps mitigate PTH. Coupled with IUM to protect critical
parts of the OS against admin/kernel level malware
Configurable code integrity
WINDOWS 10 DEVICE GUARD
Physical machine – VT-x,AMD-v, SLAT, IOMMU, TPM, UEFI 2.31, 2.4
TPM is Required for Credential Guard
Downside: Device Guard will not work on older machines
Downside: Locks you into Hyper-V
VALIDATE ENABLED DEVICE GUARD
HARDWARE BASED SECURITY FEATURES
DEVICE GUARD STEPS QUICK
Create Device Guard GPO policy. Assign it to an OU bucket for
testing with compatible devices
Create Catalog files and push them out to computers via
Windows Settings…File level GPO
Sign your Catalog files!!! Look at my abstract pages on how to do
Create a Code Integrity policy from a “golden image”. Do this in
audit mode first before you deploy
Implement Microsoft Passport in your organization:
Password-less Authentication with Microsoft Passport:
Deploying an ADFS Farm: https://technet.microsoft.com/en-
Device Guard Deployment Guide:
Step-By-Step Guide to Controlling Device Installation Using Group
Manage identity verification using Microsoft Passport
How to use BitLocker Data Recovery Agent to unlock BitLocker
Using Data Recovery Agents with BitLocker:
Dropping the Hammer Down on Malware Threats with Windows
10's Device Guard:
Isolated User Mode Processes and Features in Windows 10 with
Logan Gabriel: https://channel9.msdn.com/Blogs/Seth-
Create a Device Guard code signing cert:
Get apps to run on Device Guard-protected devices: