Better security starts at the OS with Windows Server 2016 Name Title

Better security starts at the OS with Windows Server 2016 Name Title

Security is a top priority for IT Increasing incidents Multiple motivation s Bigger risk

Evolution of attacks Mischief Fraud and theft Damage and disruption Script Kiddies Organized Crime Nations, Terror Groups, Activists Unsophisticated More sophisticated Very sophisticated and well resourced

“Cyber security is a CEO issue.” -McKinsey 3.0 Tr i l l i o n Impact of lost productivity and growth 4 Million Average cost of a data breach (15% YoY increase) 500 Corporate liability coverage. Cyber threats are a m a t e r i a l r i s k to your business Source: McKinsey, Ponemon Institute, Verizon Million

Attacks ruin reputations Before: Respected After: Exposed

Attacks devastate budgets Before: Customers buy After: You pay up

Attacks on organizations hurt productivity Before: Digital collaboration After: Back to fax

Attacks hinder external communication Before: Trusted adviser After: Outsider

Attacks affect the IT security team Before: Focused After: Overwhelmed

Attacks wreck internal communication Before: Transparency After: Need to know

Attacks affect intellectual property Before: Confident After: Vulnerable

Attack timeline First host Domain admin compromised compromised Research and preparation Attackers find any weakness, target information on any device or service 24–48 hours Attackers often target AD and IT Admins to gain access to business assets Attack discovered Attacker undetected (data exfiltration) More than 200 days (varies by industry) You may be under attack (or compromised) and unaware

Anatomy of an attack Attack Browser or Doc Exploit Delivery Malicious Attachment Delivery Enter User Phishing Attacks Internet Service Compromise Establish Device Browser or Doc Exploit Execution Malicious Attachment Execution Stolen Credential Use Kernel Exploits Kernel-mode Malware Expand Network Pass-the-Hash Endgame BUSINESS DISRUPTION LOST PRODUCTIVITY DATA THEFT ESPIONAGE, LOSS OF IP RANSOM

Different attack vectors Attack the applications and infrastructure Compromised privileged accounts Unpatched vulnerabilities Phishing attacks Malware infections Attack the virtualization fabric Compromised fabric exposes guest VMs Easy to modify or copy VM without notice Can’t protect a VM with gates, walls, locks, etc. VMs can’t leverage hardware security (e.g., TPM)

Windows Server 2016: Layers of security Address emerging Help protect applications Detect faster with attack vectors and data in any cloud Hyper-V Log Analytics integration Azure Other Hypervisors Other Clouds

Help protect credentials and privileged access

Challenges in protecting credentials Social engineering leads to credential theft. Administrative credentials typically provide unnecessary extra rights for unlimited time. Mary Jake Typical administrator Capability Most attacks involve gathering credentials (Passthe-Hash attacks). Ben Time Admin Domain admin

Helping protect privileged credentials Credential Guard Remote Credential Guard Works in conjunction with Credential Guard for RDP sessions to deliver Single Sign-On (SSO), eliminating the need to pass credentials to the RDP host. Just Enough Administration Limits administrative privileges to the bareminimum required set of actions (limited in space). Just-in-Time Administration Provides privileged access through a workflow Ben Mary Jake Admin Just Enough Typical administrator and Just in Time administration Capability Prevents Pass-the-Hash and Pass-the-Ticket attacks by protecting stored credentials through virtualization-based security. Capability and time needed Time Domain admin

Help protect applications and data in any cloud

New exploits can attack the OS boot-path all the way up through applications operations. Known and unknown threats need to be blocked without impacting legitimate workloads. ? ? Challenges protecting the OS and applications

Helping protect OS and applications Device Guard Ensure that only permitted binaries can be executed from the moment the OS is booted. Windows Defender Actively protects from known malware without impacting workloads. Control Flow Guard Protects against unknown vulnerabilities by helping prevent memory corruption attacks.

Respond more intelligently with log analytics integration

Challenges turning log files into operational insights In order to better detect threats the OS need to provide additional auditing information. Security Information and Event Management (SIEM) systems are only as intelligent as the information provided from the OS.

Improved detection Enhanced Logs Log new audit events to better detect malicious behavior by providing more detailed information to security operation centers. Integration with systems management Operations Management Suite (OMS) and other SIEM systems, can take advantage of this information to provide intelligence reports on potential breaches in the datacenter environment.

Help protect the virtualization fabric

Challenges protecting virtual machines Any compromised or malicious fabric administrators can access guest virtual machines. Host OS Guest VM Health of hosts not taken into account before running VMs. Tenant’s VMs are exposed to storage and network attacks. Virtual machines can’t take advantage of hardware- Customer Customer Guest VM Healthy host? Storage Hypervisor Hypervisor Fabric Fabric

Helping protect virtual machines Shielded Virtual Machines Building perimeter Use BitLocker to encrypt the disk and state of virtual machines protecting secrets from compromised admins and malware. Host Guardian Service Attests to host health releasing the keys required to boot or migrate a Shielded VM only to healthy hosts. Generation 2 VMs Supports virtualized equivalents of hardware security technologies (e.g., TPMs) enabling BitLocker encryption for Shielded Virtual Machines. Computer room Hyper-V Hyper-V Physical machine Server Administrator Storage Administrator Network Administrator Backup operator Virtualization-host administrator Virtual machine Should have access and does Should not have access and doesn’t Virtual machine Should not have access but does Shielded virtual machine * *Configuration dependent

“ “ Shielded Virtual Machines remove a hosting obstacle and are a huge competitive differentiator. No one but Microsoft has this technology now. Philip Moss Chief Product Officer Acuutech

Protect with just enough OS

Challenges in protecting new apps Developers are protecting by making use of packaging and deployment tools such as containers. Containers share the same kernel which limits isolation and exposes compliance and regulatory risks. VM VM VM VM VM Shared Hardware (Hypervisor Isolation) Container Container Container Container Reduce the risk by providing only the components required by application to run. Shared Kernel (User Mode Isolation) Container

Windows Server 2016 approach Hyper-V containers VM VM VM VM VM Provide hypervisor isolation for each container with no additional coding requirements. Helps align with regulatory requirements for PCI and PII data. Nano Server Shared Hardware (Hypervisor Isolation) Hyper-V Container Hyper-V Container Hyper-V Container Hyper-V Container Reduce the attack surface by deploying a minimal “just enough” server footprint. Shared Platform (Hypervisor Isolation) Hyper-V Container

Windows Server 2016 security summary

Windows Server 2016 security Infrastructure and applications summary Virtualization Fabric Protecting virtual machines Privileged identity Shielded VMs (Server 2012, 2016 guests) Virtual TPM for Generation 2 VMs Guarded fabric attesting to host health Secure boot for Windows and Linux Credential Guard Remote Credential Guard Just In Time administration Just Enough administration Hyper-V platform Control Flow Guard Device Guard Built in anti-malware Nano based Hyper-V host Virtualization-based security Distributed networking firewall Secure containers Hyper-V containers Containers hosted in a Shielded VM Threat resistance Threat detection Enhanced threat detection

Next steps Download Windows Server 2016 Today! www.microsoft.com/WindowsServer2016 Visit the Datacenter & Private Cloud Security Blog: blogs.technet.microsoft.com/datacentersecurity/ Move to a secure virtualization infrastructure: http://www.microsoft.com/vmwareshift

2016 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Click icon to add picture Appendix

Before Breaches cost a lot of money Customers pay for your services. After (Average 4M based on Ponemon Institute) Productivity Employees efficiently perform work activities. You pay customers compensation to keep them using your services. Employees waste hours a day using manual processes. Overspending reflex Appropriately sized and dedicated IT Security team. IT Security team exponentially increases in size and remediation efforts require new and expensive products.

Before Industry reputation Industry credibility, positive reputation, customer confidence. After Ransomware HBI/MBI assets available for day-to-day business operations. Loss of credibility, embarrassing information exposed, customer’s lose faith. Corporate secrets are public knowledge; potential loss of competitive advantage. Assets encrypted and key business IT services rendered useless. Customer trust Customers happy to trust you with their personal information. Customers reluctant to share information with you. Corporate secrets are secret.

How better security starts at the OS Enterprises need to: Example threat: Windows Server 2016 helps: Protect admin credentials A Pass-the-Hash attack provides an attacker with admin credentials on a hospital network, which the attacker uses to access confidential patient data. Just Enough Administration Just-in-Time Administration Credential Guard Remote Credential Guard for Remote Desktop Protocol (RDP) sessions Protect servers, detect threats and respond in time Ransomware on university servers locks users away from critical student and research data—until a ransom is paid to the attacker. Device Guard Control Flow Guard Windows Defender A line-of-business application developer downloads code from the public internet to integrate into her application. The downloaded code includes malware that can track activity in other containers through the shared kernel. Hyper-V containers Nano Server Quickly identify malicious behavior Malware tries to access the credential manager on a Windows server to gain access to user credentials. Enhanced Logging Microsoft Operations Management Suite Log Analytics Virtualize without compromising security Attacker compromises fabric admin credentials at a bank, giving him access to virtualized Active Directory Domain Controllers and SQL databases where client account information is stored. Shielded Virtual Machines BitLocker Host Guardian Service

Alignment with regulatory compliance Windows Server 2016 can now directly help address certification requirements Helps you more easily comply with government and industry regulations for protecting data, such as HIPPA, SOX, ISO 27001, PCI, and FedRAMP. PCI DSS 3.1 ISO 27001:2013 FEDRamp 3.4 – Verifying stored PAN is unreadable 3.4.1 – Disk encryption usage and access control 6.4.2 – Separation of duties between test and production environments 6.4.1 – Test and Production Environment Separation 6.5.3 – Insecure cryptographic storage 7.1 – System components and cardholder data access restricted to job-based needs 7.1.2 – User ID access based on least privileges 7.1.3 – Assigning access to job function and classification 7.1.4 – Documented approval of access privileges 7.2.2 – Assigning privileges to job function and classification 7.2.3 – Default “deny-all” setting 8.7 – Restricted access to databases containing cardholder data 10.2.2 – Logging actions by root privileges individual 10.2.5 – User changes logging 11.5 – Change-detection mechanism deployment 12.5.4 – Administer user accounts 12.5.5 – Monitor and control all A.6.1.2– Segregation of duties A.8.2.3 – Media Access A.9.1 – Business requirement of access control A.9.1.2 – Access to networks and network services A.9.2.2 – User access provisioning A.9.2.3 – Management of privileged access rights A.9.4.1 – Information access restriction A.9.4.5 – Access control to program source code A.12.1.4 – Separation of development, testing, and operational environments A.12.4.1 – Event logging A.12.4.3 – Administrator and operator logs AC-2 – Account Management AC-2 (4) – Automated Audit Actions AC-2 (12) – Account Monitoring AC-3 – Access Enforcement AC-5 – Separation of Duties AC-6 – Least Privilege AC-6 (1) – Authorize Access to Security Functions AC-6 (2) – Non-Privileged Access for Non-Security Functions AC-6 (5) – Privileged Accounts AC-6 (9) – Auditing Use of Privileged Functions AC-6 (10) – Prohibit Non-Privileged Users from Executing Privileged Functions AU-2 – Audit Events AU-9 (4) – Audit Access by Subset of Privileged Users AU-12 – Audit Generation CM-5 – Access Restrictions for Change CM-5 (1) – Automated Access Enforcement CM-5 (5) – Limit Production / Operational Privileges SC-2 – Application Partitioning SC-4 – Information in Shared Resources SC-28 – Protection of Information at Rest SC-28(1) – Protection of Information at Rest SI-6 – Security Function Verification

Just-in-Time Administration compliance mapping JIT Security and Compliance Capability ISO 27001: 2013 PCI DSS 3.1 FedRAMP; NIST 800-53 Revision 4 Controlling Logical Access Privileges and Implementing Least Privilege Access A.9.1 – Business requirement of access control A.9.1.2 – Access to networks and network services A.9.2.2 – User access provisioning A.9.2.3 – Management of privileged access rights A.9.4.1 – Information access restriction A.9.4.5 – Access control to program source code 7.1 – System components and cardholder data access restricted to job-based needs 7.1.2 – User ID access based on least privileges 7.1.3 – Assigning access to job function and classification 7.1.4 – Documented approval of access privileges 7.2.2 – Assigning privileges to job function and classification 7.2.3 – Default “deny-all” setting 12.5.4 – Administer user accounts 12.5.5 – Monitor and control all access to data AC-2 – Account Management AC-3 – Access Enforcement AC-6 – Least Privilege AC-6 (1) – Authorize Access to Security Functions AC-6 (2) – Non-Privileged Access for Non-Security Functions AC-6 (5) – Privileged Accounts AU-9 (4) – Audit Access by Subset of Privileged Users CM-5 – Access Restrictions for Change CM-5 (1) – Automated Access Enforcement CM-5 (5) – Limit Production / Operational Privileges Access Logging / Monitoring / Auditing A.12.4.1 – Event logging A.12.4.3 – Administrator and operator logs 10.2.2 – Logging actions by root privileges individual 10.2.5 – User changes logging AC-2 – Account Management AC-2 (4) – Automated Audit Actions AC-2 (12) – Account Monitoring AC-6 (9) – Auditing Use of Privileged Functions AU-2 – Audit Events AU-12 – Audit Generation CM-5 (1) – Automated Access Enforcement

Hyper-V Shielded VM compliance mapping Hyper-V Shielded VM Security and Compliance Capability ISO 27001: 2013 PCI DSS 3.1 FedRAMP; NIST 800-53 Revision 4 Enforcing Separation of Duties A.6.1.2– Segregation of duties 6.4.2 – Separation of duties between test and production environments AC-5 – Separation of Duties Implementation of Least Privilege Access and Partitioning Tenant Functionality A.9.2.3 – Management of privileged access rights A.12.1.4 – Separation of development, testing, and operational environments 6.4.1 – Test and Production Environment Separation 7.2 – User access control on need-toknow basis 7.2.3 – Default “deny-all” setting AC-6 – Least Privilege AC-6 (10) – Prohibit Non-Privileged Users from Executing Privileged Functions SC-2 – Application Partitioning Protecting Information Stored in Shared Resources None 8.7 – Restricted access to databases containing cardholder data SC-4 – Information in Shared Resources Protection of Data at Rest A.8.2.3 – Media Access 3.4 – Verifying stored PAN is unreadable 3.4.1 – Disk encryption usage and access control 6.5.3 – Insecure cryptographic storage SC-28 – Protection of Information at Rest SC-28(1) – Protection of Information at Rest Security Function Verification and Integrity Monitoring None 11.5 – Change-detection mechanism deployment SI-6 – Security Function Verification SI-7 – Software, Firmware, and Information Integrity