This post was authored by the Windows Server Security and Assurance Team
Six months ago, in a previous blog post, “Protecting your datacenter and cloud from emerging threats”, we introduced our strategy and direction on how Microsoft can help customers protect their datacenter and private cloud from emerging threats.
In this post, we’ll cover the great progress that was made since May 2015 in each of the areas we were focusing on and what offerings are already available for you to better secure your environment.
Landscape shifts that affect the way we think about security
Looking at the datacenter and cloud through security lenses, there are two major aspects that we need to pay attention to.
1. Virtualization is everywhere, and an increasing number of high-value assets such as domain controllers and company-sensitive workloads are virtualized. While operationally this makes a lot of sense, from a security point of view this shift increases the attack vectors ten-fold, as anyone who has access to the storage, backup, network, hosts or fabric controller where these virtual machines are running can compromise them.
2. Gaining administrative rights is a common attack vector. We trust our administrators but when their accounts are compromised through any of the ways attackers use today (such as phishing and malware), the attackers gain unprecedented access to the environment and can then stay in the system for a long time undetected.
Principles for security and assurance solutions
We have established a few key guiding principles that drive our work in security and assurance:
• Assume breach: analyze the environment to determine how an attack may propagate and make changes to contain any compromise by preventing lateral movement of the attacker inside the environment.
• Protect existing environments without requiring major upgrades and re-architecture of your datacenter or hosting infrastructure.
• Support the extension of your datacenter into the Azure cloud while bringing the Azure security and security operations to the datacenter and private cloud.
Focus areas for datacenter and private cloud security:
Given the “Assume Breach” mindset and the desire to protect existing environments, we focused our initiatives on three main areas:
- Protecting Virtual Machines (Workloads) from attacks through the private cloud or service provider fabric
- Privileged Access Management to address threats that occur with compromised administrator credentials
- Threat detection and response
Since May 2015, we have continuously delivered security solutions in the form of cloud services, released products and technical previews so that you can start evaluating and using these solutions to protect your environment.
Protecting Virtual Machines (Workloads) from fabric attacks
With the shift to virtualization, most of us are running critical and high-value workloads as virtual machines. Consider your identity infrastructure (e.g., domain controllers) or your most sensitive business applications that have access to customer data, all running as VMs.
This leads to new attack vectors that did not exist in the past. Any administrator of the storage, network, management tools or host has access to these virtual machines. This includes not only the highly trusted administrators but also people who have access to the disks, network controllers, patching and so on.
To put it plainly, if we “assume breach” of a datacenter administrator, it can lead to a lateral movement attack, where all the virtual machines running in that datacenter are accessible to the attacker who is then able to stealthily access sensitive information and inject malicious executables.
In Windows Server 2016 Technical Preview 4 and System Center Virtual Machine Manager 2016 Technical Preview 4, we are enabling an end-to-end solution for Shielded Virtual Machines. It protects all “Generation 2” Windows virtual machines (starting from Windows Server 2012/Windows 8) on storage and on the network, and allows a virtual machine to run only on Guarded Hosts. These hosts are hardened so that even an administrator on the host where the virtual machine is running would have to break the protection techniques applied to the host in order to compromise the virtual machine's data.
In parallel, Azure customers can take advantage of the new Azure Disk Encryption that enables encryption of Windows Virtual Machines using BitLocker Drive Encryption and Linux Virtual Machines using DM-Crypt.
Privileged Access Management
Security experts tell us that compromised administrator privileges are a common attack vector. Once an attacker gains access to an administrator account, they can escalate their privilege to create backdoors and eventually control an entire Active Directory domain.
There are best practices and solutions that will considerably increase the security of your organization to avoid compromise and contain the extent of the damage in case that happens:
- There are no perpetual administrators.
- Administration accounts are separate from user accounts (the accounts used for email and web browsing, where the number of applications and attack vectors is higher).
- Administration should be done from designated hardened machines.
- Logging of administration actions helps early discovery and forensic investigations of malicious behavior.
- Usage of two-factor authentication and role-based administration significantly increases resiliency should an account or its credential be compromised.
To help customers manage and secure their privileged access, in August 2015 we released Microsoft Identity Manager 2016 (MIM 2016). This supports:
- Privileged user and account discovery
- Workflow management: elevated just-in-time administrator access including automatic authorization, Azure Multi-Factor authorization and manual authorization.
- Reporting and auditing specific to privileged access management
The focus is protecting privileged administrative access for applications in existing Windows Server environments, so that there is no need to change your groups or access control rules in order to deploy MIM 2016 Privileged Access Management in your organization.
At the same time, we also introduced the Azure AD Privileged Identity Management to apply Privileged Access Management and monitoring to Microsoft Online Services, such as Azure AD and Office 365.
These solutions enable you to control your administration workflows on-premises and in the cloud. MIM 2016 provides Windows PowerShell, SOAP and REST-based APIs so that you can call into these solutions from existing trouble ticket or service desk automation systems.
For hardened administration workstations, we highly recommend that you take a look at the Windows 10 Device Guard solution. This enables you to completely lock down machines that administrators use to access servers and sensitive workloads. Device Guard helps harden these workstations against malicious code that could execute while an administrator is accessing the most sensitive areas of your organization.
In addition, we are releasing our first version of Just Enough Administration to enable PowerShell based “Role Based Access Control”. This is released as part of the Windows Management Framework 5.0 and will be available for Windows Server 2008 R2/Windows 7 and later versions so that you can deploy it in existing environments.
Just Enough Administration (JEA) is all about removing administrative privileges from as many user accounts as possible while still allowing those users to do their job. If, for example, someone is responsible for DNS management on the domain controller, they should be able to restart the DNS services and flush the DNS, but they should not need to be a domain administrator to do so. In the first version of JEA, we provide a flexible role-based administration framework. We also provide specific guidance on how to use JEA on domain controllers and for general server maintenance.
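The DNS scenario described above, written out as a JEA endpoint definition; this is an added example, not code from the original post or from Microsoft's JEA guidance. The module name ContosoDnsJea, the group CONTOSO\DnsOperators, the endpoint name DnsMaintenance and the transcript path are assumptions.

```powershell
# Added example. ContosoDnsJea, CONTOSO\DnsOperators, DnsMaintenance and the
# transcript path are constructed placeholders, not values from the post.
$module      = Join-Path $env:ProgramFiles 'WindowsPowerShell\Modules\ContosoDnsJea'
$transcripts = 'C:\ProgramData\JEA\Transcripts'
New-Item -ItemType Directory -Path "$module\RoleCapabilities", $transcripts -Force | Out-Null
New-ModuleManifest -Path "$module\ContosoDnsJea.psd1"

# Role capability: the only commands a DNS operator can see in the session.
$role = @{
    Path           = "$module\RoleCapabilities\DnsOperator.psrc"
    VisibleCmdlets = @(
        # Restart-Service is exposed, but -Name accepts nothing except the DNS service.
        @{ Name = 'Restart-Service'; Parameters = @{ Name = 'Name'; ValidateSet = 'DNS' } },
        # "Flush the DNS": clear the DNS server cache, nothing else from the DnsServer module.
        'DnsServer\Clear-DnsServerCache'
    )
}
New-PSRoleCapabilityFile @role

# Session configuration: a restricted (NoLanguage) endpoint that maps the AD group
# to the role above. Commands run under a temporary virtual account, so the
# operator's own account needs no administrative rights on the server.
# Every session is transcribed, which gives the administration log for forensics.
$session = @{
    Path                = "$env:TEMP\DnsMaintenance.pssc"
    SessionType         = 'RestrictedRemoteServer'
    RunAsVirtualAccount = $true
    TranscriptDirectory = $transcripts
    RoleDefinitions     = @{ 'CONTOSO\DnsOperators' = @{ RoleCapabilities = 'DnsOperator' } }
}
New-PSSessionConfigurationFile @session
Register-PSSessionConfiguration -Name 'DnsMaintenance' -Path $session.Path -Force

# An operator then connects with:
#   Enter-PSSession -ComputerName <server> -ConfigurationName DnsMaintenance
# Inside that session, Restart-Service -Name DNS succeeds, while
# Restart-Service -Name Netlogon is rejected by the ValidateSet constraint.
```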
Threat detection and response
This brings us to detection and forensics. We know that attackers are clever, and that they learn and adapt. We also know that accuracy is important so that you don’t find yourself drowning in false positive investigations.
Two great offerings are now publicly available from Microsoft:
The first is Microsoft Advanced Threat Analytics. This is an on-premises platform that uses Active Directory network traffic and SIEM data to discover and alert on potential threats. ATA’s high-accuracy detection is enabled by a combination of its unique deterministic detection engine, network and entities resolution engine and world-class machine learning algorithms. This combination also allows ATA to map the potential impact of the attacker and tell the attack story in a clear and actionable Attack Timeline.
The second is Microsoft Operations Management Suite (OMS) Security and Compliance. This processes security logs and firewall events from on-premises and cloud environments to analyze and detect malicious behavior. Using this capability, an IT pro can review suspicious behavior and decide whether further investigation is required and then use deep search capabilities to track and investigate the issues. OMS Security and Compliance is a scalable cloud service that ingests and indexes multi-TB of data each day. We can use the power of the cloud to correlate this data with information such as malicious internet IP addresses from our cyber-crime unit as well as information from industry partnerships, government sources and others.
Last but not least, the upcoming Azure Security Center will enable you to fully secure your Azure properties from one portal. This will empower you to prevent, detect, and respond to threats with increased visibility into, and control over, the security of your Azure resources.
The Azure Security Center includes:
- Centralized Security Management with visibility, focused recommendations and control over the security state of cloud deployments.
- Rapid Deployment of Integrated Best-in-Class Technologies from a rich partner ecosystem.
- Effective Advanced Threat Detection using behavioral analytics, machine learning and fusion of signals from Microsoft products and services, partner solutions, and global threat intelligence.
- Guided Investigation for fast triage and shorter time to remediate by building the attack timeline and reducing noise.
Driven by the “Assume Breach” mindset, combined with the experience of running a public cloud and the need to address emerging threats in existing datacenter environments, we have been working tirelessly on a stream of security solutions that can help customers take action to increase their security stance.
Solutions that were still in development in May are now publicly available for use, and we will continue to work tirelessly to help you secure your environment in the datacenter and in the private and public cloud.
We believe that the set of solutions and capabilities that we are bringing forth clearly shows our commitment to help our customers be secure in their existing datacenter and private cloud all the way to their workloads that are running in Azure.