Active Directory and Virtualization
Sander Berkouwer
MCSE, MCITP, MCT, MVP
Veeam Vanguard
Dirteam.com
Agenda
Current situation
Why do we virtualize Domain Controllers?
Challenges
Challenges when virtualizing on Hyper-V
Challenges when virtualizing on Azure IaaS
Solutions
Picking the right solution(s) for your challenges
People
Processes
Technology
Current situation
Why do we virtualize Domain Controllers?
Flexibility
Get Domain Controllers fast
Move Domain Controllers without downtime
Cost saving and cost predictability
Virtualization increases hardware usage
Hardware maintenance and upgrades become more predictable
Fewer dependencies on hardware
Quickly add/remove hardware
Reduce hardware-related outages
Domain Controller Cloning
Virtualization-aware Active Directory
Windows Server 2012-based Domain Controllers detect:
When a snapshot has been applied
When a virtual hard disk is being reused
VM-GenerationID
A feature of the virtualization platform
Placed in the memory of each Virtual Machine
Not just Hyper-V
VMware vSphere 5.0 U4+
VMware Workstation 9.0+
Citrix XenServer 6.2.0+
Challenges
Challenges when using Hyper-V
Performance
Integration Components (ICs)
Security
Snapshots, backup and restore
Can you trust Hyper-V administrators?
Can you trust storage administrators?
Challenges when using Azure IaaS
Connectivity
Knowledge of Azure taxonomy and topology
Dynamic IPv4, IPv6 addressing
Azure IaaS v1 (ASM) vs. Azure IaaS v2 (ARM)
Under the hood Azure IaaS uses Hyper-V
Will you ever be able to report on a breach?
Why is this important?
Advanced Persistent Threats
Pass the Hash (PtH) attacks
Pass the Ticket (PtT) attacks
Kerberos Golden Tickets
Rogue and/or disgruntled admins
Security
Legal and organizational requirements
Job security
“If you can Ctrl-C, Ctrl-V, then you can hack VMs running on Hyper-V.” - Ben Armstrong, Microsoft
Reality Check
A bit of Kerberos
Typical Kerberos flow
1. During startup/logon, the client requests a Ticket Granting Ticket (TGT) from the Key Distribution Center (KDC). The TGT is then processed client-side.
2. To access a service within the Kerberos realm, the client requests a Service Ticket (TGS), based on the TGT, from any KDC.
3. The client presents the TGS to the service. Based on authorization, access is granted (or not).
‘The Keys to the Kingdom’
KRBTGT’s account password signs everything
I don’t need to ask for a TGT when I know the password
Mitigating risk: Read-Only DCs have their own TGTs
TGTs and TGSs are processed and enforced client-side
I don’t need to play by the rules to get access permissions
I can just insert the well-known SIDs I want into my TGT
Only restriction: maximum TGT lifetime of 10 years.
Mitigating risk: Authentication Policies can limit TGT lifetime
Ask yourself
Do you know all your Domain Controllers?
Do you still run Windows Server 2003 Domain Controllers?
Are all your organization’s Domain Controllers physically secure?
Are all their backups physically secure?
Do you know your organization’s admins?
Do you know your organization’s processes?
Do you regularly reset KRBTGT passwords?
Do you use Install from Media (IfM) to deploy DCs at branch offices?
Solutions
Reset KRBTGT Secret
KRBTGT Account Password Resets
KRBTGT account password is used to encrypt Kerberos TGTs, TGSs
KRBTGT account password needs to be reset twice
• Reset once to reset KRBTGT and make old secret secondary
• Reset twice to make old secret fall out of scope
Tip! Make sure second reset is after TGT Lifetime (default: 10 hours)
Reset-KrbtgtKeyInteractive v1.7
Available from Microsoft since February 2014
Download from the TechNet Gallery
Reset-KrbtgtKeyInteractive.ps1
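A readiness check for the double reset described above and for the “Do you regularly reset KRBTGT passwords?” question, added here as an example and not code from the presentation or from the Microsoft script: it lists the domain krbtgt account and every RODC-specific krbtgt_<id> account with the age of its current secret and whether the maximum TGT lifetime has passed since the last reset. It assumes the ActiveDirectory RSAT module, that the default 10-hour TGT lifetime still applies (pass -MaxTgtLifetimeHours otherwise), a 180-day staleness threshold, and the function and parameter names shown.

```powershell
# Added example, not the presentation's or Microsoft's code. Read-only: it only
# reports whether the second KRBTGT reset is safe; it does not reset anything.
Import-Module ActiveDirectory

function Test-KrbtgtResetReady {
    param(
        # Assumption: Kerberos policy "Maximum lifetime for user ticket" is at
        # its default of 10 hours; read the real value from the Default Domain Policy.
        [int]$MaxTgtLifetimeHours = 10,
        # Assumption: a secret older than this is considered overdue for a reset.
        [int]$StaleAfterDays = 180,
        # Query the PDC emulator so PasswordLastSet is not stale due to replication.
        [string]$Server = (Get-ADDomain).PDCEmulator
    )
    # sAMAccountName krbtgt* matches the domain krbtgt account and the
    # per-RODC krbtgt_<id> accounts, each of which has its own secret.
    $accounts = Get-ADUser -Server $Server -LDAPFilter '(sAMAccountName=krbtgt*)' `
        -Properties PasswordLastSet

    foreach ($acct in $accounts) {
        $age = (Get-Date) - $acct.PasswordLastSet
        [pscustomobject]@{
            Account         = $acct.SamAccountName
            PasswordLastSet = $acct.PasswordLastSet
            AgeDays         = [math]::Round($age.TotalDays, 1)
            # The second reset is safe once every TGT issued under the secret
            # it will discard has expired, i.e. the first reset is older than
            # the TGT lifetime.
            SecondResetSafe = $age.TotalHours -gt $MaxTgtLifetimeHours
            # A long-lived secret is what keeps a stolen database or backup usable.
            Stale           = $age.TotalDays -gt $StaleAfterDays
        }
    }
}

Test-KrbtgtResetReady | Format-Table -AutoSize
```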
Read-only Domain Controllers
Read-only Domain Controllers
Read-only Domain Controllers offer:
• Read-only Active Directory database and DNS
• RODC filtered attribute set
• Unidirectional replication
• Granular credential caching
• Administrator role separation
Read-only Domain Controllers offer individual KRBTGT accounts
One Read-only Domain Controller supported per branch network
Analytics
Identify Advanced Persistent Threats (APT) using behavioral analytics
Microsoft Advanced Threat Analytics
On-premises solution for access management analytics
Cloud-based analytics based on Machine Learning
Microsoft Identity Protection
Cloud-based solution for access management analytics
Deploy Server Core / Nano Server
Server Core installations
Virtualization hosts without a Graphical User Interface (GUI)
Less susceptible to human error and to vulnerabilities
Smaller attack surface and fewer patches
2008 (R2): Choose at installation
2012 (R2): Choose at installation or add/remove after install
2016 : Choose at installation
Nano Server installations
Even smaller disk footprint and attack surface
Unfortunately the AD DS role is currently not available for Nano Server
Available for Windows Server 2016 with Software Assurance
Access Control Lists on VHD and VHDX files
Default ACLs on VHD(X)s
Administrators – full control
SYSTEM – full control
Hyper-V Administrators – full control
<VMGUID> - Read and write
Change ACLs
Note: Administrators can take ownership
Hyper-V Administrators Group
Security group on Hyper-V hosts
Introduced with Windows 8, Windows Server 2012
Principle of least administrative privilege
Approach: remove Hyper-V Administrators from Administrators
Hyper-V Administrators have access to all Hyper-V features
Hyper-V Administrators have full control on VHD(X)s
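Two checks for the VHD(X) ACL slide and the least-privilege point above, added here as an example and not code from the presentation: the first walks a VM storage path and reports every VHD/VHDX access entry whose principal is not one of the defaults listed (Administrators, SYSTEM, Hyper-V Administrators, the per-VM <VMGUID> account), together with the file owner, since Administrators can take ownership; the second lists accounts that sit in both Hyper-V Administrators and the local Administrators group. The storage path, the expected-principal list and the function names are assumptions; it needs Windows Server 2016 / PowerShell 5.1 for Get-LocalGroupMember and must run elevated on the Hyper-V host.

```powershell
# Added example; not the presentation's code. Run elevated on the Hyper-V host.

function Get-UnexpectedVhdAccess {
    param(
        # Assumption: VM storage lives here; adjust to your host's path.
        [string]$VhdRoot = 'C:\ClusterStorage\Volume1\Hyper-V',
        # The default principals listed on the slide.
        [string[]]$ExpectedPrincipals = @(
            'BUILTIN\Administrators',
            'NT AUTHORITY\SYSTEM',
            'BUILTIN\Hyper-V Administrators'
        )
    )
    Get-ChildItem -Path $VhdRoot -Recurse -File -Include *.vhd, *.vhdx |
        ForEach-Object {
            $file = $_
            $acl  = Get-Acl -Path $file.FullName
            foreach ($ace in $acl.Access) {
                $id = $ace.IdentityReference.Value
                # Hyper-V grants each VM's worker process rights through a virtual
                # account named "NT VIRTUAL MACHINE\<VMGUID>" (the <VMGUID> entry
                # on the slide); those entries are expected.
                if ($id -like 'NT VIRTUAL MACHINE\*') { continue }
                if ($ExpectedPrincipals -contains $id) { continue }
                [pscustomobject]@{
                    File      = $file.FullName
                    Identity  = $id
                    Rights    = $ace.FileSystemRights
                    Type      = $ace.AccessControlType
                    Inherited = $ace.IsInherited
                    Owner     = $acl.Owner   # a non-default owner hints at a takeover
                }
            }
        }
}

# Least administrative privilege: Hyper-V Administrators should not also be
# members of the local Administrators group (direct membership only).
function Get-HyperVAdminsWhoAreAdministrators {
    $admins = (Get-LocalGroupMember -Group 'Administrators').Name
    Get-LocalGroupMember -Group 'Hyper-V Administrators' |
        Where-Object { $admins -contains $_.Name }
}

Get-UnexpectedVhdAccess | Format-Table -AutoSize
Get-HyperVAdminsWhoAreAdministrators | Format-Table -AutoSize
```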
Integration Components
Integration Components
They’re drivers and services for VMs
ICs enlighten Virtual Machines
Capabilities
OS shutdown, time synchronization, data exchange, heartbeat, backup and guest services
In Azure IaaS, ICs offer ability to reset local admin password, etc.
Deploy BitLocker Drive Encryption
Support for virtualization hosts
BitLocker for boot and system volumes
BitLocker on Cluster Shared Volumes (CSVs)
Support in virtual machines
Data disks supported in Hyper-V and Azure IaaS
BitLocker supported on boot and system volumes with Windows Server 2016:
• Generation 1 Virtual Machines
• Generation 2 Virtual Machines
Support in Azure IaaS coming soon
Shielded Virtual Machines
New in Windows Server 2016 Hyper-V
Separation between workload and fabric admins
Host Guardian Service, responsible for VM LCM, built upon encryption and protected secrets
Two modes:
1. Hardware Trusted Attestation, based on TPMv2 in hosts
2. Administrator Attestation, based on AD group membership
A Shielded VM doesn’t have a thumbnail in Hyper-V Manager, nor does it allow VM Connect to connect to it.
Integration components functionality is limited.
Virtualization wrapped into virtualization and identity wrapped into identity
Processes, processes, processes
Monitoring
Security Incident and Event Management
Technical State Compliance Monitoring
Vulnerability Management
Availability Monitoring
Key Management
Change Management
Auditing
Communication
Documentation
Backup and Restore
Life Cycle Management
Concluding
Domain Controllers contain sensitive information
Domain Controllers contain info on replication, accounts, credentials
DNS Servers contain caches on queries (visited sites)
Virtualizing Domain Controllers
Virtualizing Domain Controllers safely is not an easy task
Virtualizing Domain Controllers is not just a technical challenge
Ask yourself
Do you really want to virtualize Domain Controllers?
Questions?
Thank you!