Active Directory and Virtualization
Sander Berkouwer, MCSE, MCITP, MCT, MVP, Veeam Vanguard, Dirteam.com

Upload: aniket-pandey

Post on 11-Apr-2017


TRANSCRIPT

Page 1: Active Directory and Virtualization

Active Directory and Virtualization

Sander Berkouwer

MCSE, MCITP, MCT, MVP

Veeam Vanguard

Dirteam.com

Page 2: Active Directory and Virtualization

Agenda

Current Situation
Why do we virtualize Domain Controllers?

Challenges
Challenges when virtualizing on Hyper-V
Challenges when virtualizing on Azure IaaS

Solutions
Picking the right solution(s) for your challenges

Page 3: Active Directory and Virtualization

People

Processes

Technology

Page 4: Active Directory and Virtualization

Current situation

Page 5: Active Directory and Virtualization

Why do we virtualize Domain Controllers?

Flexibility
Get Domain Controllers fast

Move Domain Controllers without downtime

Cost saving and cost predictability
Virtualization increases hardware utilization
Hardware maintenance and upgrades become more predictable

Fewer dependencies on hardware
Quickly add/remove hardware

Reduce hardware-related outages

Page 6: Active Directory and Virtualization

Domain Controller Cloning

Virtualization-aware Active Directory
Windows Server 2012-based Domain Controllers detect:

When a snapshot has been applied

When a virtual hard disk is being reused

VM-GenerationID
A feature of the virtualization platform: a 128-bit identifier that the hypervisor changes whenever a snapshot is applied or a disk is reused

Placed in the memory of each Virtual Machine; a 2012+ Domain Controller stores the value it last saw in its msDS-GenerationId attribute and, on a mismatch, resets its invocation ID and discards its RID pool instead of replicating stale data

Not just Hyper-V
VMware vSphere 5.0 U4 +
VMware Workstation 9.0 +
Citrix XenServer 6.2.0 +

Page 7: Active Directory and Virtualization

Challenges

Page 8: Active Directory and Virtualization

Challenges when using Hyper-V

Performance

Integration Components (ICs)

Security

Snapshots, backup and restore

Can you trust Hyper-V administrators?

Can you trust storage administrators?

Page 9: Active Directory and Virtualization

Challenges when using Azure IaaS

Connectivity

Knowledge of Azure taxonomy and topology

Dynamic IPv4, IPv6 addressing

Azure IaaS v1 (ASM) vs. Azure IaaS v2 (ARM)

Under the hood Azure IaaS uses Hyper-V

Will you ever be able to report on a breach?

Page 10: Active Directory and Virtualization

Why is this important?

Advanced Persistent Threats
Pass the Hash (PtH) attacks
Pass the Ticket (PtT) attacks
Kerberos Golden Tickets

Rogue and/or disgruntled admins

Security, legal and organizational requirements

Job security

Page 11: Active Directory and Virtualization

“If you can Ctrl-C, Ctrl-V, then you can hack VMs running on Hyper-V.” - Ben Armstrong, Microsoft

Page 12: Active Directory and Virtualization

Reality Check

Page 13: Active Directory and Virtualization

A bit of Kerberos

Typical Kerberos flow

1. During startup or logon, the client requests a Ticket Granting Ticket (TGT) from the Key Distribution Center (KDC). The TGT is encrypted with the KRBTGT account's key and cached on the client.

2. To access a service within the Kerberos realm, the client presents its TGT to any KDC and requests a service ticket (the TGS exchange).

3. The client presents the service ticket to the service. Based on the authorization data in the ticket, access is granted (or not).

Page 14: Active Directory and Virtualization

‘The Keys to the Kingdom’

The KRBTGT account's key encrypts and signs every TGT. If I know that key, I don't need to ask a KDC for a TGT: I can forge my own.
Mitigating risk: Read-Only DCs have their own KRBTGT accounts, so a compromised branch RODC key cannot forge tickets for the whole domain.

TGTs and service tickets are accepted by whoever holds the matching key; their contents are not re-checked against the directory. I don't need to play by the rules to get access permissions:

I can just insert the well-known SIDs I want (Domain Admins, Enterprise Admins) into the PAC of my forged TGT.

Only restriction: maximum TGT lifetime of 10 years.

Mitigating risk: Authentication Policies can limit TGT lifetime.
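Two pieces of PowerShell as an added example (not part of the original deck): a check of the local Kerberos ticket cache for TGTs whose lifetime exceeds the domain maximum, which is the tell-tale of a forged TGT, and the Authentication Policy the slide names as the mitigation. The klist sample is constructed; the policy name `Tier0-ShortTGT`, the four-hour value and the assumption that the ActiveDirectory module is available are mine.

```powershell
function Get-SuspiciousTgt {
    param(
        [string[]]$KlistOutput = (klist 2>&1),                  # live cache by default
        [int]$MaxTgtLifetimeHours = 10,                         # domain default "Maximum lifetime for user ticket"
        [cultureinfo]$Culture = [cultureinfo]::CurrentCulture   # klist prints dates in the local format
    )
    # klist prints one "#<n>>" block per cached ticket; split on those markers
    $blocks = ($KlistOutput -join "`n") -split '(?m)^#\d+>' | Where-Object { $_ -match 'Server:' }
    foreach ($b in $blocks) {
        $server = [regex]::Match($b, 'Server:\s*(\S+)').Groups[1].Value
        $start  = [datetime]::Parse([regex]::Match($b, 'Start Time:\s*([^(]+)').Groups[1].Value.Trim(), $Culture)
        $end    = [datetime]::Parse([regex]::Match($b, 'End Time:\s*([^(]+)').Groups[1].Value.Trim(),   $Culture)
        $hours  = ($end - $start).TotalHours
        [pscustomobject]@{
            Server        = $server
            IsTgt         = $server -like 'krbtgt/*'
            LifetimeHours = [math]::Round($hours, 1)
            # A TGT that outlives the domain policy was not issued by this domain's KDC
            Suspicious    = ($server -like 'krbtgt/*') -and ($hours -gt $MaxTgtLifetimeHours)
        }
    }
}

# Constructed sample: a normal 10-hour TGT next to a forged one claiming 10 years
$sample = @'
Cached Tickets: (2)

#0>     Client: alice @ CORP.EXAMPLE.COM
        Server: krbtgt/CORP.EXAMPLE.COM @ CORP.EXAMPLE.COM
        Start Time: 4/11/2017 8:00:12 (local)
        End Time:   4/11/2017 18:00:12 (local)
        Renew Time: 4/18/2017 8:00:12 (local)

#1>     Client: alice @ CORP.EXAMPLE.COM
        Server: krbtgt/CORP.EXAMPLE.COM @ CORP.EXAMPLE.COM
        Start Time: 4/11/2017 8:05:00 (local)
        End Time:   4/9/2027 8:05:00 (local)
        Renew Time: 4/9/2027 8:05:00 (local)
'@ -split "`n"
Get-SuspiciousTgt -KlistOutput $sample -Culture ([cultureinfo]'en-US') | Format-Table

# Mitigation from the slide: cap the TGT lifetime of privileged accounts with an
# Authentication Policy. Needs the 2012 R2 domain functional level and "KDC support for
# claims, compound authentication and Kerberos armoring" enabled through Group Policy.
function Set-PrivilegedTgtLifetime {
    param([string]$PolicyName = 'Tier0-ShortTGT', [int]$Minutes = 240, [string[]]$Account)
    Import-Module ActiveDirectory
    $policy = Get-ADAuthenticationPolicy -Filter "Name -eq '$PolicyName'"
    if (-not $policy) {
        $policy = New-ADAuthenticationPolicy -Name $PolicyName -UserTGTLifetimeMins $Minutes -Enforce -PassThru
    }
    foreach ($a in $Account) { Set-ADUser -Identity $a -AuthenticationPolicy $policy }
    $policy
}
```

In the constructed sample only ticket #1 is flagged. Run the check with `klist -li 0x3e7` output as well to cover the machine account's cache. Note the limit of the mitigation: an Authentication Policy caps what the KDC issues, it cannot shorten a ticket that was forged with a stolen KRBTGT key, which is why the deck pairs it with the KRBTGT reset.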

Page 15: Active Directory and Virtualization

Ask yourself

Do you know all your Domain Controllers?
Do you still run Windows Server 2003 Domain Controllers?
Are all your organization’s Domain Controllers physically secure?
Are all their backups physically secure?

Do you know your organization’s admins?

Do you know your organization’s processes?
Do you regularly reset KRBTGT passwords?

Do you use Install from Media (IfM) to deploy DCs at branch offices?
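The first question on the slide can be answered with a script. The following inventory is an added example, not from the original deck: it lists every Domain Controller in the forest and flags the cases the deck cares about, pre-2012 DCs (which ignore VM-GenerationID and are therefore unsafe to snapshot or clone), Windows Server 2003, RODCs, and whether the DC has ever seen a VM-GenerationID from its hypervisor. It assumes the ActiveDirectory RSAT module and runs as an administrator, since msDS-GenerationId is assumed not to be readable by ordinary users.

```powershell
Import-Module ActiveDirectory

function Get-DcInventory {
    param([string]$Forest = (Get-ADForest).Name)

    foreach ($domain in (Get-ADForest -Identity $Forest).Domains) {
        foreach ($dc in Get-ADDomainController -Filter * -Server $domain) {
            # msDS-GenerationId is written by a 2012+ DC that sees a VM-GenerationID from its hypervisor
            $comp = Get-ADComputer -Identity $dc.ComputerObjectDN -Server $domain -Properties 'msDS-GenerationId'
            $hasGenId = [bool]$comp.'msDS-GenerationId'

            # Release year from the OS string, e.g. "Windows Server 2008 R2 Standard" -> 2008
            $m = [regex]::Match([string]$dc.OperatingSystem, '\b(20\d\d)\b')
            $year = if ($m.Success) { [int]$m.Groups[1].Value } else { 0 }

            $findings = @()
            if ($year -eq 0) {
                $findings += 'operating system not recognised'
            } elseif ($year -lt 2012) {
                $findings += 'pre-2012 OS: no VM-GenerationID safeguards, snapshot/restore causes USN rollback'
            }
            if ($year -eq 2003) { $findings += 'Windows Server 2003: out of support' }
            if ($year -ge 2012 -and -not $hasGenId) {
                $findings += 'no VM-GenerationID seen: physical, or a hypervisor without VM-GenerationID support'
            }

            [pscustomobject]@{
                Domain              = $domain
                Name                = $dc.HostName
                Site                = $dc.Site
                OperatingSystem     = $dc.OperatingSystem
                IsReadOnly          = $dc.IsReadOnly
                IsGlobalCatalog     = $dc.IsGlobalCatalog
                VirtualizationAware = $year -ge 2012
                HasVmGenerationId   = $hasGenId
                Findings            = ($findings -join '; ')
            }
        }
    }
}

# DCs with findings first
Get-DcInventory | Sort-Object { $_.Findings -eq '' }, Domain, Name | Format-Table -AutoSize -Wrap
```

A DC that reports `HasVmGenerationId = False` on a 2012+ OS is either physical or runs on a platform from before the versions listed on the VM-GenerationID slide; either way, snapshots of it must be treated as a USN-rollback risk.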

Page 16: Active Directory and Virtualization

Solutions

Page 17: Active Directory and Virtualization

Reset KRBTGT Secret

KRBTGT Account Password Resets
The KRBTGT account's key is used to encrypt and sign Kerberos TGTs
The KRBTGT account password needs to be reset twice, because the KDC accepts tickets encrypted with the current and the previous key:
• Reset once to replace the KRBTGT key and make the old secret the secondary (still accepted) key
• Reset twice to make the old secret fall out of scope
Tip! Make sure the second reset happens only after replication has converged and after the maximum TGT lifetime (default: 10 hours) has passed; otherwise every outstanding TGT is invalidated at once

Reset-KrbtgtKeyInteractive v1.7
Available from Microsoft since February 2014
Download from the TechNet Gallery: Reset-KrbtgtKeyInteractive.ps1
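The procedure above, as an added example (this is not the Microsoft script the slide refers to): one reset with the two safety checks the slide implies, that all writable DCs already agree on the current key version and that the previous reset is older than the maximum TGT lifetime. Running it twice, at least ten hours apart, completes the rotation. It assumes the ActiveDirectory module, Domain Admin rights, and a single domain; the `-Force` switch is mine, for a known-compromise emergency where invalidating every TGT is the intent.

```powershell
Import-Module ActiveDirectory

function Get-KrbtgtKeyState {
    # One row per writable DC: key version and password age as that DC currently sees them
    $domain = Get-ADDomain
    $dn = (Get-ADUser -Identity krbtgt -Server $domain.PDCEmulator).DistinguishedName
    foreach ($dc in Get-ADDomainController -Filter * -Server $domain.DNSRoot) {
        if ($dc.IsReadOnly) { continue }   # RODCs use their own krbtgt_<id> accounts
        $k = Get-ADObject -Identity $dn -Server $dc.HostName -Properties 'msDS-KeyVersionNumber', pwdLastSet
        [pscustomobject]@{
            DC              = $dc.HostName
            KeyVersion      = $k.'msDS-KeyVersionNumber'
            PasswordLastSet = [datetime]::FromFileTimeUtc($k.pwdLastSet)
        }
    }
}

function Invoke-KrbtgtReset {
    param(
        [int]$MaxTgtLifetimeHours = 10,   # domain default "Maximum lifetime for user ticket"
        [switch]$Force                    # skip the age check: only when you WANT every TGT invalidated
    )
    $state = @(Get-KrbtgtKeyState)
    if (($state.KeyVersion | Sort-Object -Unique).Count -ne 1) {
        throw "krbtgt key version differs between DCs; replication has not converged:`n$($state | Out-String)"
    }
    $lastSet = ($state | Sort-Object PasswordLastSet -Descending | Select-Object -First 1).PasswordLastSet
    $age = (Get-Date).ToUniversalTime() - $lastSet
    if (-not $Force -and $age.TotalHours -lt $MaxTgtLifetimeHours) {
        throw "Last reset was $([int]$age.TotalHours) h ago; resetting again now invalidates every TGT still encrypted with the N-1 key"
    }

    # The value itself never matters (nobody logs on as krbtgt): 48 random bytes, base64-encoded
    $bytes = New-Object byte[] 48
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $new = ConvertTo-SecureString -String ([Convert]::ToBase64String($bytes)) -AsPlainText -Force

    $pdc = (Get-ADDomain).PDCEmulator
    $dn  = (Get-ADUser -Identity krbtgt -Server $pdc).DistinguishedName
    Set-ADAccountPassword -Identity $dn -Server $pdc -Reset -NewPassword $new

    # Push the new key to every writable DC now rather than waiting for the replication schedule
    foreach ($dc in Get-ADDomainController -Filter * | Where-Object { -not $_.IsReadOnly -and $_.HostName -ne $pdc }) {
        Sync-ADObject -Object $dn -Source $pdc -Destination $dc.HostName
    }
    Get-KrbtgtKeyState
}

# First run: old key becomes N-1 and is still accepted. Second run, more than
# MaxTgtLifetimeHours later: the old key is retired.
Invoke-KrbtgtReset | Format-Table -AutoSize
```

After each run, confirm that every row shows the same `KeyVersion` before you consider the step complete; a DC that lags behind still issues and accepts tickets under the old key.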

Page 18: Active Directory and Virtualization

Read-only Domain Controllers

Read-only Domain Controllers offer:

• Read-only Active Directory database and DNS

• RODC filtered attribute set

• Unidirectional replication

• Granular credential caching

• Administrator role separation

Read-only Domain Controllers have individual KRBTGT accounts

One Read-only Domain Controller per domain is supported per branch site

Page 19: Active Directory and Virtualization

Analytics

Identify Advanced Persistent Threats (APTs) using behavioral analytics

Microsoft Advanced Threat Analytics (ATA)
On-premises solution for access management analytics, built on behavioral analytics and machine learning

Microsoft (Azure AD) Identity Protection
Cloud-based solution for access management analytics

Page 20: Active Directory and Virtualization

Deploy Server Core / Nano Server

Server Core installations
Virtualization hosts without a Graphical User Interface (GUI)
Less susceptible to human error and to vulnerabilities
Smaller attack surface and fewer patches

2008 (R2): Choose at installation

2012 (R2): Choose at installation, or add/remove the GUI after installation

2016: Choose at installation

Nano Server installations
Even smaller disk footprint and attack surface
Unfortunately the AD DS role is currently not available for Nano Server
Available for Windows Server 2016 with Software Assurance

Page 21: Active Directory and Virtualization

Access Control Lists on VHD and VHDX files

Default ACLs on VHD(X)s

• Administrators – full control

• SYSTEM – full control

• Hyper-V Administrators – full control

• NT VIRTUAL MACHINE\<VM GUID> – read and write

Change the ACLs, but note: Administrators can always take ownership, so an ACL change does not stop a host administrator

Page 22: Active Directory and Virtualization

Hyper-V Administrators Group

Security group on Hyper-V hosts
Introduced with Windows 8, Windows Server 2012

Principle of least administrative privilege
Approach: give Hyper-V admins membership of Hyper-V Administrators only, and remove them from Administrators

Hyper-V Administrators have access to all Hyper-V features

Hyper-V Administrators have full control on VHD(X)s

Page 23: Active Directory and Virtualization

Integration Components

Integration Components
They’re drivers and services for VMs

ICs enlighten Virtual Machines

Capabilities
OS shutdown, time synchronization, data exchange, heartbeat, backup and guest services

In Azure IaaS, ICs offer the ability to reset the local admin password, etc.
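The three host-side checks from the last slides (VHD(X) ACLs, the Hyper-V Administrators group, and the integration services that give the host a channel into the guest) combined in one audit, as an added example that is not from the original deck. Run it on the Hyper-V host as an administrator; it needs the Hyper-V module and, for the group check, the LocalAccounts module that ships with PowerShell 5.1. The assumption that DC virtual machines are named `DC01`, `DC02`, ... is mine; adjust the filter.

```powershell
Import-Module Hyper-V

function Get-DcVmHostFindings {
    param([string]$VMNameFilter = 'DC*')

    # Principals that legitimately appear in a VHD(X) ACL; everything else is reported.
    # The Hyper-V Administrators entry from the default ACL is reported on purpose: full
    # control on a DC's disk is the ability to copy it and extract NTDS.dit offline.
    $allowed = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')

    foreach ($vm in Get-VM -Name $VMNameFilter -ErrorAction SilentlyContinue) {
        $vmAccount = "NT VIRTUAL MACHINE\$($vm.Id)"   # virtual account Hyper-V grants read/write to
        foreach ($disk in Get-VMHardDiskDrive -VMName $vm.Name) {
            foreach ($ace in (Get-Acl -LiteralPath $disk.Path).Access) {
                $who = $ace.IdentityReference.Value
                if ($who -in $allowed -or $who -eq $vmAccount) { continue }
                [pscustomobject]@{
                    VM     = $vm.Name
                    Check  = 'VHD(X) ACL'
                    Detail = "$who has $($ace.FileSystemRights) on $($disk.Path)"
                }
            }
        }
        # Guest Service Interface lets a host admin push files into the guest with Copy-VMFile
        $gsi = Get-VMIntegrationService -VMName $vm.Name -Name 'Guest Service Interface'
        if ($gsi.Enabled) {
            [pscustomobject]@{ VM = $vm.Name; Check = 'Integration service'; Detail = 'Guest Service Interface is enabled' }
        }
    }

    # Least privilege on the host: an account belongs in Hyper-V Administrators OR Administrators,
    # never both. Local groups cannot nest on a member server, so compare the member lists.
    # Domain groups are listed as members, not expanded; check those in AD separately.
    $admins  = @(Get-LocalGroupMember -Group 'Administrators').Name
    $hvAdmin = @(Get-LocalGroupMember -Group 'Hyper-V Administrators').Name
    foreach ($both in ($hvAdmin | Where-Object { $admins -contains $_ })) {
        [pscustomobject]@{ VM = '(host)'; Check = 'Group membership'; Detail = "$both is in both Administrators and Hyper-V Administrators" }
    }
}

Get-DcVmHostFindings | Format-Table -AutoSize -Wrap
```

`Disable-VMIntegrationService -VMName DC01 -Name 'Guest Service Interface'` closes the file-copy channel. Treat the ACL findings as hygiene rather than as a boundary: as the ACL slide notes, Administrators can take ownership, so the real boundary for a DC's disk is encryption (BitLocker, Shielded VMs) on the next slides.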

Page 24: Active Directory and Virtualization

Deploy BitLocker Drive Encryption

Support for virtualization hosts
BitLocker for boot and system volumes

BitLocker on Cluster Shared Volumes (CSVs)

Support in virtual machines
Data disks supported in Hyper-V and Azure IaaS

BitLocker supported on boot and system volumes with Windows Server 2016:
• Generation 1 Virtual Machines

• Generation 2 Virtual Machines

Support in Azure IaaS coming soon

Page 25: Active Directory and Virtualization

Shielded Virtual Machines

New in Windows Server 2016 Hyper-V

Separation between workload and fabric admins
Host Guardian Service (HGS): attests hosts and releases the keys a shielded VM needs, so the VM's life cycle is built upon encryption and protected secrets rather than on trust in the host

Two attestation modes:

1. TPM-trusted attestation, based on TPM 2.0 in the hosts (hardware measures the host; a fabric admin cannot fake it)

2. Admin-trusted attestation, based on AD group membership of the hosts (whoever controls the group controls which hosts are trusted)

A Shielded VM doesn’t have a thumbnail in Hyper-V Manager, nor does it allow VM Connect to connect to it.

Integration components functionality is limited.
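A placement check for the slide above, as an added example that is not from the original deck: is this host guarded, in which attestation mode, and are the DC virtual machines actually shielded? It runs on a Windows Server 2016 Hyper-V host. The property names `IsHostGuarded`, `AttestationOperationMode` and `AttestationStatus` (from `Get-HgsClientConfiguration`) and `Shielded` and `TpmEnabled` (from `Get-VMSecurity`) are taken from the 2016 output and are assumptions to verify with `Format-List *` if your build differs; the `DC*` naming is mine.

```powershell
Import-Module HgsClient
Import-Module Hyper-V

function Test-GuardedDcPlacement {
    param([string]$VMNameFilter = 'DC*')

    $hgs = Get-HgsClientConfiguration
    # AttestationOperationMode maps to the slide's two modes:
    #   'Tpm'             = TPM-trusted (hardware) attestation
    #   'ActiveDirectory' = admin-trusted attestation (host group membership only)
    $mode = "$($hgs.AttestationOperationMode)"
    $hostFinding = ''
    if (-not $hgs.IsHostGuarded) {
        $hostFinding = 'host is not guarded: HGS will not release keys, shielded VMs cannot start here'
    } elseif ($mode -ne 'Tpm') {
        $hostFinding = 'admin-trusted attestation: whoever controls the host group is inside the trust boundary'
    }
    [pscustomobject]@{
        Object = $env:COMPUTERNAME; Kind = 'Host'; Shielded = $hgs.IsHostGuarded
        AttestationMode = $mode; Status = "$($hgs.AttestationStatus)"; Finding = $hostFinding
    }

    foreach ($vm in Get-VM -Name $VMNameFilter -ErrorAction SilentlyContinue) {
        $sec = Get-VMSecurity -VMName $vm.Name
        $f = @()
        if ($vm.Generation -ne 2) { $f += 'Generation 1 VM: cannot be shielded' }
        if (-not $sec.TpmEnabled) { $f += 'no virtual TPM: BitLocker inside the guest has no key protector' }
        if (-not $sec.Shielded)   { $f += 'not shielded: VM Connect, thumbnail and host access to VM state remain available' }
        [pscustomobject]@{
            Object = $vm.Name; Kind = 'VM'; Shielded = $sec.Shielded
            AttestationMode = $mode; Status = "vTPM=$($sec.TpmEnabled)"; Finding = ($f -join '; ')
        }
    }
}

Test-GuardedDcPlacement | Format-Table -AutoSize -Wrap
```

The host row is the one that decides whether the rest means anything: a shielded DC on an admin-trusted fabric is protected from a storage administrator who copies the VHDX, but not from the Hyper-V administrator who can also edit the host group in AD.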

Page 26: Active Directory and Virtualization

Virtualization wrapped into virtualization and identity wrapped into identity

Page 27: Active Directory and Virtualization

Processes, processes, processes

Monitoring
Security Incident and Event Management
Technical State Compliance Monitoring
Vulnerability Management
Availability Monitoring

Key Management

Change Management

Auditing

Communication

Documentation

Backup and Restore

Life Cycle Management

Page 28: Active Directory and Virtualization

Concluding

Page 29: Active Directory and Virtualization

Concluding

Domain Controllers contain sensitive information
Domain Controllers contain info on replication, accounts, credentials

DNS Servers contain caches of queries (visited sites)

Virtualizing Domain Controllers
Virtualizing Domain Controllers safely is not an easy task

Virtualizing Domain Controllers is not just a technical challenge

Ask yourself
Do you really want to virtualize Domain Controllers?

Page 30: Active Directory and Virtualization

Questions?

Page 31: Active Directory and Virtualization

Thank you!