WINDOWS 10 DEFENSE IN DEPTH STRATEGIES (UPDATED WITH SERVER 2016 TH2)
Eddie David
Windows 10 Defense in depth strategy talk
1. WINDOWS 10 DEFENSE IN DEPTH STRATEGIES (UPDATED WITH SERVER 2016 TH2)
Eddie David

2. DISCLAIMER
These slides are "AS IS" without warranty. The topics expressed in this talk may not reflect the views of my employer. I am not responsible for your production issues if you brick a few machines, so please don't test in PROD.

3. WARNING......
- This is not a marketing sales pitch for Microsoft.
- This talk sets realistic expectations for organizations.
- All Group Policy slides were taken from a test VM network called derbycon.
- My slide decks are probably worse than the NSA's.

4. WINDOWS 10 DiD CATEGORIES
- Sadly, EDP and Device Guard are only available in Windows 10 Enterprise.
- Enterprise Data Protection (EDP, later shipped as Windows Information Protection) has not been released to the general public.
- Unfortunately all of these technologies require extra Microsoft infrastructure such as ADFS and an active PKI environment.
- My talk is broken up into these 4 parts.

5. SECURITY BASELINING?
- Microsoft Security Compliance Manager (SCM) is free and extremely useful for importing security baselines.
- The BitLocker sections of this talk are based on the SCM baselines.
- https://technet.microsoft.com/en-us/solutionaccelerators/cc835245.aspx

6. MICROSOFT LAPS
- If local administrator accounts are a problem in your org, look into LAPS. It gives every machine a unique, randomized local administrator password stored in AD, so one captured local admin hash no longer works across the whole fleet.
- It requires an AD schema update (the ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime attributes), an ACL restriction on who can read the LAPS attributes (the password is stored in cleartext in AD, so the read ACL is the only thing protecting it), the LAPS client-side extension installed on each machine, and the LAPS GPO settings.
- Released in 2015.
- https://www.microsoft.com/en-us/download/details.aspx?id=46899
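The LAPS prerequisites listed above (schema update, ACL restriction, GPO), as an added PowerShell example that is not part of the original slides. It uses the AdmPwd.PS module that ships with the LAPS management tools and must run as a schema/OU admin on a domain-joined box; the OU path, the helpdesk group and the computer name are placeholders for a fictional derbycon lab domain.

```powershell
# Added example (not from the slides): LAPS rollout and ACL audit with the AdmPwd.PS
# module. Run on a domain-joined admin workstation with the LAPS management tools
# installed and rights to extend the schema and change OU ACLs.
Import-Module AdmPwd.PS

$WorkstationOU = 'OU=Workstations,DC=derbycon,DC=local'   # placeholder OU
$HelpdeskGroup = 'DERBYCON\LAPS-Password-Readers'           # placeholder group

# 1. One-time schema extension: adds ms-Mcs-AdmPwd (the cleartext password, protected
#    only by the AD ACL) and ms-Mcs-AdmPwdExpirationTime to the computer class.
Update-AdmPwdADSchema

# 2. Each computer must be able to write its own password and expiry (SELF gets
#    write access to the two attributes on objects under this OU).
Set-AdmPwdComputerSelfPermission -OrgUnit $WorkstationOU

# 3. Grant read (and forced-reset) rights to the helpdesk group only.
Set-AdmPwdReadPasswordPermission  -OrgUnit $WorkstationOU -AllowedPrincipals $HelpdeskGroup
Set-AdmPwdResetPasswordPermission -OrgUnit $WorkstationOU -AllowedPrincipals $HelpdeskGroup

# 4. Audit who ELSE can read the attribute. Any principal holding "All extended
#    rights" on the OU (a common delegation leftover) can read every password, so
#    this list should contain nothing but Domain Admins and the group from step 3.
function Get-LapsReaders {
    param([string]$OrgUnit = $WorkstationOU)
    Find-AdmPwdExtendedRights -Identity $OrgUnit |
        Select-Object -ExpandProperty ExtendedRightHolders -Unique
}
Get-LapsReaders

# 5. Spot-check one machine once the LAPS GPO (AdmPwd client-side extension) has
#    applied; an empty Password means the CSE has not run yet.
Get-AdmPwdPassword -ComputerName 'WS-001' |
    Format-List ComputerName, Password, ExpirationTimestamp
```

Step 4 is the check most deployments skip: the GPO and CSE are easy to verify, but an over-broad OU delegation silently turns LAPS into a shared-password store for whoever holds it.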
7. MICROSOFT PASSPORT
- Replaces passwords with strong two-factor authentication consisting of an enrolled device (which holds a private key) and a Windows PIN or Windows Hello biometric that unlocks that key locally; the PIN never leaves the device.
- FORCE the use of a hardware security device (TPM) when setting up policy, so the key cannot be copied off the device.
- Passport and Windows Hello may not be practical for some orgs after you look at the requirements.

8. MICROSOFT PASSPORT REQUIREMENTS

9. MICROSOFT PASSPORT POLICIES

10. MICROSOFT PASSPORT

11. MICROSOFT PASSPORT FLOW WITH AZURE AD AND OOBE MODE

12. MICROSOFT PASSPORT FLOW WITH AZURE AD

13. MICROSOFT PASSPORT ENROLLMENT FLOW

14. MICROSOFT PASSPORT ENROLLMENT FLOW

15. MICROSOFT PASSPORT ENROLLMENT FLOW

16. MICROSOFT PASSPORT ENROLLMENT WORKFLOW

17. DATA PROTECTION
- Let's go over some fascinating headlines.

18. ENCRYPTION FAILURES

19. ENCRYPTING THUMB DRIVE FAILURES

20. COMMUNICATION/GOVSEC ENCRYPTION FAILURES

21. FDE ENCRYPTION
- As orgs migrate to Windows 10 Pro or Enterprise, there are very few reasons not to encrypt with native solutions such as BitLocker.
- If you have a legal obligation to report on encryption status, you will need a product such as MBAM (Microsoft BitLocker Administration and Monitoring).
- Legitimate companies rely on strong, unbreakable encryption technologies, not just terrorists.
- Any talk about backdooring encryption is wrong.

22. REMOVABLE MEDIA ENCRYPTION
- BitLocker (as BitLocker To Go) extends down to removable media if policy allows it.
- Enterprise Data Protection with Windows 10 has not been released yet... but it's coming.

23. ENCRYPTION GUIDELINES

24. PUBLISH ROOT CA

25. ENCRYPTION STARTS WITH THE ROOT CA

26. FULL DISK ENCRYPTION
- FDE in Windows 10.
- No difference from Windows 8.1 at RTM; the 1511 (TH2) update adds XTS-AES 128/256, which is preferable to AES-CBC once every machine that must read the drive is on 1511 or later.
- When in doubt on encryption methods, always choose AES-256 with full disk encryption.
- If there is any doubt in your disk wiping process, never use the "Encrypt used space only" method: it encrypts only the clusters allocated at the time, so remnants of previously deleted files in free space stay in cleartext.

27. FULL DISK ENCRYPTION

28. USED SPACE ONLY ENCRYPTION - DON'T DO IT

29. ADDITIONAL PROTECTIONS WITH BITLOCKER
- Combined with pre-boot authentication, adds protection against direct memory access (DMA) attacks (I'll get to this and how to mitigate it in a bit).
- Supports smart cards.
- AES-256 support for OS, fixed disks, and removable media.
- Pre-boot authentication.
- No, this isn't a sales pitch...

30. TYPES OF ATTACKS

31. DIRECT MEMORY ATTACK MITIGATION

32. BRUTE FORCE SIGN IN MITIGATION

33. BRUTE FORCE SIGN IN END RESULT

34. MEMORY REMANENCE (MRA) ATTACKS
- For memory remanence (cold boot) attacks, apply pre-boot authentication (TPM + PIN) before the OS starts, so the volume master key is not released into RAM until someone authenticates.
- Encrypted laptops will get owned if you fail at DMA mitigation: a TPM-only protector unlocks the disk automatically at boot, and a DMA-capable port (FireWire, Thunderbolt, ExpressCard) then lets an attacker read the key straight out of memory.
- Enable Secure Boot.
- Laptops are higher-value targets than desktops. Choose wisely which devices get pre-boot auth.
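Slides 26 through 34 together describe one OS-volume configuration: AES-256, whole-disk (not used-space-only) encryption, TPM + PIN pre-boot authentication, and a recovery password escrowed to AD. The following is an added PowerShell example that is not part of the original slides; it assumes an elevated prompt on a TPM-equipped, domain-joined Windows 10 machine, and the PIN value is a placeholder (prompt for it with Read-Host -AsSecureString in real use).

```powershell
# Added example (not from the slides): enable BitLocker on the OS volume the way the
# slides recommend and verify the result. Requires admin rights, a TPM, and the
# "Allow enhanced PINs"/"Require additional authentication at startup" policy if
# your baseline sets them. The PIN below is a placeholder.
$pin = ConvertTo-SecureString '20151105' -AsPlainText -Force   # placeholder PIN

# Full-disk encryption: Enable-BitLocker encrypts the whole volume unless you pass
# -UsedSpaceOnly, so leaving that switch out IS the "don't do used space only" rule.
# Use -EncryptionMethod XtsAes256 instead once every reader is on 1511 (TH2) or later.
Enable-BitLocker -MountPoint 'C:' -EncryptionMethod Aes256 `
                 -TpmAndPinProtector -Pin $pin -SkipHardwareTest

# Add a recovery password protector (if none exists) and escrow it to the computer
# object in AD; the "Store BitLocker recovery information in AD DS" policy must be on.
$vol = Get-BitLockerVolume -MountPoint 'C:'
if (-not ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
    Add-BitLockerKeyProtector -MountPoint 'C:' -RecoveryPasswordProtector | Out-Null
}
$rp = (Get-BitLockerVolume -MountPoint 'C:').KeyProtector |
      Where-Object KeyProtectorType -eq 'RecoveryPassword' | Select-Object -First 1
Backup-BitLockerKeyProtector -MountPoint 'C:' -KeyProtectorId $rp.KeyProtectorId

# Verification: $true only when the volume matches the slides' guidance
# (AES-256 or XTS-AES-256, a TPM+PIN protector present, protection switched on).
# Protection reports On as soon as encryption has started with -SkipHardwareTest.
function Test-OsVolumeHardened {
    param([string]$MountPoint = 'C:')
    $v = Get-BitLockerVolume -MountPoint $MountPoint
    $types     = $v.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" }
    $hasTpmPin = $types -contains 'TpmPin'
    $strong    = "$($v.EncryptionMethod)" -in @('Aes256', 'XtsAes256')
    $on        = "$($v.ProtectionStatus)" -eq 'On'
    return ($hasTpmPin -and $strong -and $on)
}
Test-OsVolumeHardened
```

A TPM-only protector (Enable-BitLocker -TpmProtector) would pass the encryption check but fail Test-OsVolumeHardened, which is the point of slide 34: without the PIN the key is in memory before anyone logs on.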
35. BITLOCKER: STARTER POLICIES

36. BITLOCKER: PROTECTING OS SYSTEMS (LAPTOPS)

37. USB DATA COPYING / OR PREVENTING

38. THE SNOWDEN SCENARIO

39. BASIC DATA LEAK PROTECTION WITH REMOVABLE MEDIA (RSA CAN BE USER BASED)

40. BITLOCKER: REMOVABLE MEDIA ENCRYPTION (USING SMART CARDS)

41. ALWAYS ENCRYPT REMOVABLE MEDIA DATA

42. ALWAYS ENCRYPT REMOVABLE MEDIA DATA

43. REMOVABLE MEDIA ENCRYPTION

44. REMOVABLE MEDIA ENCRYPTION

45. DATA RECOVERY AGENT PROTECTORS

46. WHAT IS A DATA RECOVERY AGENT FOR BITLOCKER REMOVABLE MEDIA?
- Allows recovery of encrypted data by using a public/private key pair: the DRA certificate's public key is added as a key protector on every drive the policy covers, and the matching private key unlocks them.
- Only use Data Recovery Agents on removable media.
- DON'T USE ANYTHING LESS THAN A SHA-384 HASHING ALGO AND AN RSA 4096-BIT KEY (this exceeds the NSA's 2015 CNSA Suite guidance of SHA-384 with RSA keys of at least 3072 bits).
- DON'T MAKE THE PRIVATE KEY EXPORTABLE ON ANY ADMIN SYSTEM. That one key unlocks every drive in the org, so keep it on a dedicated recovery workstation, not on day-to-day admin boxes.

47. CREATING A DATA RECOVERY AGENT REQ'S

48. CREATING A DATA RECOVERY AGENT

49. GROUP POLICY FOR DATA RECOVERY AGENTS

50. UNLOCK WITH DATA RECOVERY AGENT
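Slides 46 through 50 describe creating a DRA certificate that meets the SHA-384 / RSA-4096 / non-exportable bar, publishing it through Group Policy, and unlocking a drive with it. The following is an added PowerShell example that is not part of the original slides. It issues a self-signed certificate with certreq so it runs offline; in production you would submit the same request to the enterprise CA instead. The subject name, file paths and drive letter are placeholders.

```powershell
# Added example (not from the slides): build a DRA certificate with certreq and use it
# to unlock a BitLocker To Go drive. Run on the dedicated recovery workstation whose
# user profile will hold the private key.
$inf = @'
[NewRequest]
Subject       = "CN=BitLocker DRA, OU=Security, O=derbycon"
KeyAlgorithm  = RSA
KeyLength     = 4096
HashAlgorithm = sha384
Exportable    = FALSE
MachineKeySet = FALSE
KeySpec       = 1
KeyUsage      = 0x30
ProviderName  = "Microsoft Enhanced RSA and AES Cryptographic Provider"
RequestType   = Cert
[EnhancedKeyUsageExtension]
OID = 1.3.6.1.4.1.311.67.1.2
OID = 1.3.6.1.4.1.311.67.1.1
'@
# KeyUsage 0x30 = Key Encipherment + Data Encipherment; the two OIDs are the
# BitLocker Data Recovery Agent and BitLocker Drive Encryption EKUs.
$inf | Set-Content -Path "$env:TEMP\dra.inf" -Encoding ASCII
certreq.exe -new "$env:TEMP\dra.inf" "$env:TEMP\dra.cer"

# dra.cer (public key only) is what you publish in the GPO under Computer Configuration >
# Windows Settings > Security Settings > Public Key Policies > BitLocker Drive Encryption,
# together with "Choose how BitLocker-protected removable drives can be recovered" ->
# allow data recovery agent. New BitLocker To Go drives then get a certificate-based
# protector without any user action.

# Check the key actually meets the slide's bar before you rely on it: 4096-bit,
# SHA-384 signature, and a CSP container that refuses export.
function Test-DraCertificate {
    param([string]$Subject = 'CN=BitLocker DRA*')
    $cert = Get-ChildItem Cert:\CurrentUser\My | Where-Object Subject -like $Subject |
            Select-Object -First 1
    if (-not $cert -or -not $cert.HasPrivateKey) { return $false }
    $key = $cert.PrivateKey            # RSACryptoServiceProvider for a CSP-backed key
    return ($key.KeySize -ge 4096 -and
            $cert.SignatureAlgorithm.FriendlyName -eq 'sha384RSA' -and
            -not $key.CspKeyContainerInfo.Exportable)
}
Test-DraCertificate

# Unlock a drive from the recovery workstation. -protectors -get lists
# "Data Recovery Agent (Certificate Based)" if the GPO applied when it was encrypted.
$thumb = (Get-ChildItem Cert:\CurrentUser\My |
          Where-Object Subject -like 'CN=BitLocker DRA*' | Select-Object -First 1).Thumbprint
manage-bde.exe -protectors -get E:
manage-bde.exe -unlock E: -Certificate -ct $thumb
```

Because the private key is marked non-exportable at generation time, there is no later step where an admin can be talked into exporting a PFX; recovery has to happen on the workstation that minted the key, which is the operational control slide 46 is asking for.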
51. WINDOWS 10 BROWSERS AND ENCRYPTION FAILURES
- Comes with Microsoft Edge / IE11.
- High-security orgs will have a tough time using Microsoft Edge.
- Edge does not support certificate enrollment (it has no ActiveX, which the CA web enrollment pages depend on). So if you are signing up for a security certificate with the browser, it will fail.
- I am still suggesting orgs use IE 11 with EMET or Google Chrome.

52. MICROSOFT EDGE RCE FAIL

53. MICROSOFT EDGE CERTIFICATE FAIL

54. MICROSOFT EDGE POLICIES

55. WINDOWS 10 PRIVACY: DISABLE TELEMETRY

56. WINDOWS 10 DEVICE GUARD
- Threat resistance and device security.
- Device Guard combines hardware and software security features (virtualization-based security enforcing a code integrity policy) to let enterprises control what is allowed to run.
- Great for fixed workloads, e.g. cash registers, POS, ATMs.
- You will run into trouble if you try to implement it on machines that are updated regularly outside a fully managed corporate environment (BYOD, etc.): every new or updated binary has to be covered by the policy or by a signed catalog.

57. DEVICE GUARD
- Device Guard and other parts of the solution.
- Utilize the following components with Device Guard for some quick wins: Credential Guard and Isolated User Mode.
- Credential Guard brings virtualization-based security into the equation. It moves LSA secrets (NTLM hashes, Kerberos tickets) into an isolated process (LsaIso) that the normal OS cannot read even with kernel privileges, which helps mitigate pass-the-hash from a compromised host. Coupled with IUM it protects critical parts of the OS against admin/kernel-level malware.
- Configure a code integrity (CI) policy.

58. WINDOWS 10 DEVICE GUARD HARDWARE REQ'S
- Physical machine: VT-x/AMD-V, SLAT, IOMMU, TPM, UEFI 2.3.1 (2.4 suggested).
- TPM for Credential Guard: strongly recommended, because it protects the VBS encryption keys with hardware; without one the keys have no hardware root of trust.
- Downside: Device Guard will not work on older machines.
- Downside: locks you into Hyper-V (VBS runs on the Hyper-V hypervisor, and at the time other desktop hypervisors could not run alongside it).

59. WINDOWS 10 DEVICE GUARD CONFIGURATION

60. WINDOWS 10 DEVICE GUARD CONFIGURATION

61. CODE INTEGRITY POLICY

62. CREDENTIAL GUARD
- Credential Guard is very practical and easy to roll out.
- Con: locks you into Hyper-V.
- Caveat: it protects the secrets LSA holds; it does not protect a session an attacker already controls, or credentials typed into a compromised box.

63. NTLM WITH CREDENTIAL GUARD ENABLED

64. NTLM HASH WITHOUT CREDENTIAL GUARD (FAIL PTH)

65. VALIDATE ENABLED DEVICE GUARD HARDWARE BASED SECURITY FEATURES
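The validation on slide 65 is normally read off the System Information screen; the same data is exposed by the Win32_DeviceGuard WMI class. The following is an added PowerShell example, not part of the original slides, that decodes it into a pass/fail check for Credential Guard and HVCI. The numeric-to-name mappings are from the class documentation; run elevated on Windows 10 1511 or later.

```powershell
# Added example (not from the slides): report Device Guard / Credential Guard state
# from root\Microsoft\Windows\DeviceGuard:Win32_DeviceGuard and return a boolean a
# compliance script can act on.
function Get-VbsStatus {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard
    # SecurityServicesConfigured / SecurityServicesRunning values
    $services = @{ 1 = 'CredentialGuard'; 2 = 'HVCI' }
    # AvailableSecurityProperties / RequiredSecurityProperties values
    $props = @{ 1 = 'BaseVBS'; 2 = 'SecureBoot'; 3 = 'DmaProtection';
                4 = 'SecureMemoryOverwrite'; 5 = 'UefiCodeReadOnly'; 6 = 'SmmMitigations' }
    $name = { param($table, $values)
              @($values) | ForEach-Object { if ($table.ContainsKey([int]$_)) { $table[[int]$_] } else { "Unknown($_)" } } }

    [pscustomobject]@{
        VbsStatus          = @('Off', 'Configured', 'Running')[[int]$dg.VirtualizationBasedSecurityStatus]
        ServicesConfigured = & $name $services $dg.SecurityServicesConfigured
        ServicesRunning    = & $name $services $dg.SecurityServicesRunning
        HardwareAvailable  = & $name $props $dg.AvailableSecurityProperties
        HardwareRequired   = & $name $props $dg.RequiredSecurityProperties
        # LsaIso.exe is the isolated LSA process; if Credential Guard really runs, it exists.
        LsaIsoRunning      = [bool](Get-Process -Name LsaIso -ErrorAction SilentlyContinue)
    }
}

# "Configured" is not "Running": a GPO can set everything and the machine still
# silently falls back (no SLAT, Secure Boot off, third-party hypervisor loaded).
function Test-CredentialGuardRunning {
    $s = Get-VbsStatus
    return ($s.VbsStatus -eq 'Running' -and
            'CredentialGuard' -in @($s.ServicesRunning) -and
            $s.LsaIsoRunning)
}

Get-VbsStatus
Test-CredentialGuardRunning
```

Comparing HardwareRequired against HardwareAvailable tells you why a box is stuck at "Configured": if the policy requires Secure Boot and DMA protection (properties 2 and 3) and the firmware only reports 1 and 2, VBS never starts and the mimikatz result from slide 64 still applies.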
66. DEVICE GUARD STEPS QUICK OVERVIEW
- Create a Device Guard GPO. Assign it to an OU bucket for testing with compatible devices.
- Create catalog files and push them out to computers via Windows Settings... (file-level GPO).
- Sign your catalog files!!! Look at my abstract pages on how to do it.
- Create a code integrity policy from a "golden image". Do this in audit mode first before you deploy.
- https://technet.microsoft.com/en-us/library/mt463091(v=vs.85).aspx
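The four steps above, as an added PowerShell example that is not part of the original slides. It uses the ConfigCI cmdlets that ship with Windows 10 Enterprise and must run elevated on the "golden image" reference machine; the working directory, the catalog signing certificate and the application catalog name are placeholders.

```powershell
# Added example (not from the slides): code-integrity policy in audit mode first,
# catalog signing for awkward apps, then enforcement after the pilot.
$work = 'C:\DGPolicy'      # placeholder working directory
New-Item -ItemType Directory -Path $work -Force | Out-Null

# 1. Scan the golden image into an initial policy. PcaCertificate trusts the CA that
#    issued each binary's signing cert (far fewer rules than per-file hashes);
#    -Fallback Hash still covers unsigned files; -UserPEs includes user-mode code.
New-CIPolicy -Level PcaCertificate -Fallback Hash -UserPEs -ScanPath 'C:\' `
             -FilePath "$work\Initial.xml"

# 2. Keep rule option 3 ("Enabled:Audit Mode") for the pilot OU: nothing is blocked,
#    but each file that WOULD have been blocked logs event ID 3076 in
#    Microsoft-Windows-CodeIntegrity/Operational.
Set-RuleOption -FilePath "$work\Initial.xml" -Option 3
ConvertFrom-CIPolicy -XmlFilePath "$work\Initial.xml" -BinaryFilePath "$work\SIPolicy.bin"
# Point the Device Guard GPO ("Deploy Code Integrity Policy") at SIPolicy.bin; for a
# single test box copy it to C:\Windows\System32\CodeIntegrity\SIPolicy.p7b instead.

# 3. Catalog + signature for an app that is unsigned or updates often. PackageInspector
#    ships with Windows 10 Enterprise, signtool with the Windows SDK; the cert name
#    "DG Catalog Signing" and DGCatalogSigning.cer are placeholders.
#      PackageInspector.exe Start C:
#      ... install the application ...
#      PackageInspector.exe Stop C: -Name "$work\App.cat" -cdfpath "$work\App.cdf"
#      signtool.exe sign /n "DG Catalog Signing" /fd sha256 /v "$work\App.cat"
#    The policy must trust the catalog signer or the catalog is ignored:
Add-SignerRule -FilePath "$work\Initial.xml" -CertificatePath "$work\DGCatalogSigning.cer" -Kernel -User
#    Push signed catalogs to
#    C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\ with a file-copy GPO.

# 4. After the pilot: turn the 3076 audit events into rules, merge them into the base
#    policy, remove audit mode, and only then redeploy the binary.
function New-EnforcedPolicy {
    param([string]$WorkDir = 'C:\DGPolicy')
    New-CIPolicy -Audit -Level Hash -UserPEs -FilePath "$WorkDir\AuditRules.xml"
    Merge-CIPolicy -PolicyPaths "$WorkDir\Initial.xml", "$WorkDir\AuditRules.xml" `
                   -OutputFilePath "$WorkDir\Enforced.xml"
    Set-RuleOption -FilePath "$WorkDir\Enforced.xml" -Option 3 -Delete   # drop audit mode
    ConvertFrom-CIPolicy -XmlFilePath "$WorkDir\Enforced.xml" -BinaryFilePath "$WorkDir\SIPolicy.bin"
    return "$WorkDir\SIPolicy.bin"
}
```

Removing option 3 is the only line that changes behaviour on the endpoints, so gate New-EnforcedPolicy on an empty 3076 log for the pilot OU over a full patch cycle; anything still logging there will be blocked the moment the enforced binary lands.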
67. THANK YOU

68. ABSTRACTS
- Implement Microsoft Passport in your organization: https://technet.microsoft.com/en-us/library/mt219734(v=vs.85).aspx
- Password-less Authentication with Microsoft Passport: https://technet.microsoft.com/en-US/library/mt126165.aspx
- Deploying an ADFS Farm: https://technet.microsoft.com/en-us/library/dn486775.aspx

69. ABSTRACTS
- Device Guard Deployment Guide: https://technet.microsoft.com/en-us/library/mt463091(v=vs.85).aspx
- Step-By-Step Guide to Controlling Device Installation Using Group Policy: https://msdn.microsoft.com/en-us/library/bb530324.aspx
- Manage identity verification using Microsoft Passport: https://technet.microsoft.com/en-us/library/mt219735(v=vs.85).aspx

70. ABSTRACTS
- How to use BitLocker Data Recovery Agent to unlock BitLocker Protected Drives: http://blogs.technet.com/b/askcore/archive/2010/10/11/how-to-use-bitlocker-data-recovery-agent-to-unlock-bitlocker-protected-drives.aspx
- Using Data Recovery Agents with BitLocker: https://technet.microsoft.com/en-us/library/dd875560(v=ws.10).aspx

71. ABSTRACTS
- Dropping the Hammer Down on Malware Threats with Windows 10's Device Guard: https://channel9.msdn.com/Events/Ignite/2015/BRK2336
- Isolated User Mode Processes and Features in Windows 10 with Logan Gabriel: https://channel9.msdn.com/Blogs/Seth-Juarez/Isolated-User-Mode-Processes-and-Features-in-Windows-10-with-Logan-Gabriel
- Create a Device Guard code signing cert: https://technet.microsoft.com/en-us/library/mt463091(v=vs.85).aspx#create_DG_code

72. ABSTRACTS
- Get apps to run on Device Guard-protected devices: https://technet.microsoft.com/en-us/library/mt158214(v=vs.85).aspx