AWS Webcast - Securing the Microsoft Windows Platform on Amazon Web Services

© 2011 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified or distributed in whole or in part without the express consent of Amazon.com, Inc.

Securing the Microsoft Windows Platform on Amazon Web Services
Ryan Holland, Ecosystem Solutions Architect

Description

In this webcast, we will provide guidance and examples on how to best secure your Microsoft Windows Server-based applications on the AWS Cloud. We will discuss common principles for protecting the run-time environment of your Microsoft Windows Server applications, with a focus on risk assessment, reducing attack surface, and adhering to the principle of "least privilege" to protect your data. We will also cover design best practices and the controls and capabilities available within the AWS platform that can help protect the confidentiality, integrity, and availability of your application infrastructure and data. Presented by Ryan Holland, Ecosystem Solutions Architect for Amazon Web Services, where he focuses on enabling security partners on the AWS Cloud. Prior to joining AWS, Ryan worked at Trend Micro, where he managed technical business development for Cloud and Data Center Security, and before that held several roles in the areas of data security and encryption technologies.

Transcript of AWS Webcast - Securing the Microsoft Windows Platform on Amazon Web Services

Page 1: AWS Webcast - Securing the Microsoft Windows Platform on Amazon Web Services


Securing the Microsoft Windows Platform on Amazon Web Services

Ryan Holland, Ecosystem Solutions Architect

Page 2: AWS Webcast - Securing the Microsoft Windows Platform on Amazon Web Services


Shared Responsibility Model for Infrastructure Services

Page 3: AWS Webcast - Securing the Microsoft Windows Platform on Amazon Web Services


Shared Responsibility Model for Infrastructure Services

AWS is responsible for:
• Facilities
• Physical Security
• Physical Infrastructure
• Network Infrastructure
• Virtualization Infrastructure

The customer is responsible for:
• Operating System
• Application
• Security Groups
• Network ACLs
• Network Configuration
• Account Management

Page 4: AWS Webcast - Securing the Microsoft Windows Platform on Amazon Web Services


Risk Assessment

It's important to understand how your application works:
• What are the network ingress/egress points?
• Which parts of the application need to communicate with the other tiers?

Who needs administrative access, and from where?
• Consider both application access and infrastructure access.

Perform data classification.
• Define storage and access policies based on the classification.

Page 5: AWS Webcast - Securing the Microsoft Windows Platform on Amazon Web Services


Amazon Virtual Private Cloud (VPC)

Create a logically isolated environment in Amazon's highly scalable infrastructure.

Specify your private IP address range and divide it into one or more public or private subnets.

Control inbound and outbound access to and from individual subnets using stateless Network Access Control Lists.

Protect your instances with stateful filters for inbound and outbound traffic using Security Groups.

Attach an Elastic IP address to any instance in your VPC so it can be reached directly from the Internet.

Bridge your VPC and your onsite IT infrastructure with an industry-standard encrypted VPN connection and/or AWS Direct Connect.

Page 6: AWS Webcast - Securing the Microsoft Windows Platform on Amazon Web Services


Amazon Virtual Private Cloud (VPC)

Choose the connectivity option that best fits your application.

• Internet facing applications

• VPN Connection to on-premise datacenter

• Direct Connect

• Software VPN

Leverage subnets and Network ACLs

• Design your network similar to on-premise deployments

Properly configure security groups

Leverage Active Directory within your VPC

Page 7: AWS Webcast - Securing the Microsoft Windows Platform on Amazon Web Services


VPC Subnets

Group instances by function.

Create isolation through the use of Network ACLs.

Control routing for each subnet.
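The VPC slides describe Network ACLs as stateless subnet filters, in contrast to stateful security groups. The following Python example (added here; it is not code from the webcast or from AWS) models how a NACL evaluates its rules: ascending rule number, first match wins, and an implicit deny when nothing matches. Because the ACL keeps no connection state, an RDP session needs both an inbound rule for TCP/3389 and an outbound rule for the reply to the client's ephemeral port. The rule table, the corporate range 203.0.113.0/24 and the client address are constructed for the example.

```python
"""Stateless network ACL evaluation, modelled on how a VPC NACL processes
rules: lowest rule number first, first match wins, implicit deny at the end.
Added illustration, not AWS code; the rule table below is constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class NaclRule:
    number: int      # evaluation order (the implicit deny is the '*' rule)
    protocol: str    # "tcp", "udp" or "all"
    from_port: int
    to_port: int
    cidr: str
    action: str      # "allow" or "deny"


def evaluate(rules, protocol, port, remote_ip):
    """Return the action of the first matching rule (lowest number), or
    "deny" when nothing matches, which is the implicit '*' deny rule."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.protocol not in ("all", protocol):
            continue
        if not (rule.from_port <= port <= rule.to_port):
            continue
        if ip_address(remote_ip) not in ip_network(rule.cidr):
            continue
        return rule.action
    return "deny"


def rdp_session_allowed(inbound, outbound, client_ip, client_port):
    """A NACL is stateless: the RDP request to TCP/3389 must pass the inbound
    rules AND the reply to the client's ephemeral port must pass the
    outbound rules. Either missing breaks the session."""
    request_ok = evaluate(inbound, "tcp", 3389, client_ip) == "allow"
    reply_ok = evaluate(outbound, "tcp", client_port, client_ip) == "allow"
    return request_ok and reply_ok


# Constructed example: an admin subnet ACL that admits RDP from the corporate
# range but forgot the ephemeral-port return rule in the outbound direction.
CORP = "203.0.113.0/24"   # documentation range standing in for the office
INBOUND = [NaclRule(100, "tcp", 3389, 3389, CORP, "allow")]
OUTBOUND_BROKEN = [NaclRule(100, "tcp", 443, 443, "0.0.0.0/0", "allow")]
# Fixed: allow replies to the ephemeral range (1024-65535 covers the common
# client OS ranges and NAT devices in between).
OUTBOUND_FIXED = OUTBOUND_BROKEN + [NaclRule(110, "tcp", 1024, 65535, CORP, "allow")]

if __name__ == "__main__":
    for label, outbound in (("broken", OUTBOUND_BROKEN), ("fixed", OUTBOUND_FIXED)):
        ok = rdp_session_allowed(INBOUND, outbound, "203.0.113.10", 50000)
        print(f"{label} outbound ACL: RDP from 203.0.113.10 works = {ok}")
```

Running the block shows the session failing with the "broken" outbound table even though the inbound rule looks correct; the "fixed" table adds the return rule, and a client outside the corporate range is still denied in both cases.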

Page 8: AWS Webcast - Securing the Microsoft Windows Platform on Amazon Web Services


Security Groups

Mandatory instance firewall.

In VPC, security groups are stateful and allow both ingress and egress filtering.

Enforcement takes place below the hypervisor.

Security groups can be used as a source in rules.

Ensure the proper ports are open for Windows Active Directory.

Page 9: AWS Webcast - Securing the Microsoft Windows Platform on Amazon Web Services


Security Groups Provide Instance Isolation

[Diagram: physical interfaces feed the hypervisor; each customer's virtual interfaces (Customer 1, Customer 2, … Customer n) pass through the firewall, which applies that customer's own security groups.]

Page 10: AWS Webcast - Securing the Microsoft Windows Platform on Amazon Web Services


Remote Desktop Best Practices

The RDP port (TCP/3389) should never be open to the Internet.

Within a VPC, use an RDP Gateway.
• Instances should only accept RDP connections from the RDP Gateway.
• The RDP Gateway should only accept connections from known IPs.

Use software VPN solutions for deployments without VPC VPN connections or where source IPs will be dynamic.

A walkthrough of implementing an RDP Gateway in VPC can be found on the AWS Security Blog: http://tinyurl.com/AWSRDPGW

Page 11: AWS Webcast - Securing the Microsoft Windows Platform on Amazon Web Services


Example RDP Gateway Setup

The RD Gateway only accepts traffic from the specified internal network.

All other instances only accept RDP traffic from the RD Gateway, which prevents bypass attacks.

Use resource authorization policies (RAP) to control access to specific instances.
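The two preceding slides give three checkable rules: TCP/3389 is never open to the Internet, application instances accept 3389 only from the gateway's security group, and the gateway itself accepts connections only from known addresses. The Python audit below (an added example, not AWS tooling or code from the webcast) applies those rules to security-group descriptions; the descriptions are constructed in the shape returned by `describe-security-groups` (`IpPermissions`, `IpRanges`, `UserIdGroupPairs`), and the group ids, the corporate range 203.0.113.0/24 and the gateway listener on TCP/443 are assumptions for the sample data.

```python
"""Audit EC2 security groups against the RDP gateway pattern: 3389 never
reachable from the Internet, 3389 on application instances only from the
gateway's security group, and the gateway only reachable from known ranges.
Added example; sample groups are constructed, not real describe output."""
from ipaddress import ip_network

RDP_PORT = 3389
ANYWHERE = {"0.0.0.0/0", "::/0"}


def _covers_port(perm, port):
    """True when an IpPermissions entry matches TCP on the given port."""
    if perm.get("IpProtocol") == "-1":      # "-1" means all protocols/ports
        return True
    if perm.get("IpProtocol") != "tcp":
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def audit_rdp(groups, gateway_group_id, known_cidrs):
    """Return a list of findings (an empty list means compliant)."""
    findings = []
    known = [ip_network(c) for c in known_cidrs]
    for g in groups:
        gid, name = g["GroupId"], g.get("GroupName", "")
        for perm in g.get("IpPermissions", []):
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            sources = [p["GroupId"] for p in perm.get("UserIdGroupPairs", [])]
            if gid == gateway_group_id:
                # Gateway: every CIDR source must fall inside a known range.
                for c in cidrs:
                    net = ip_network(c)
                    inside = any(net.subnet_of(k) for k in known
                                 if k.version == net.version)
                    if c in ANYWHERE or not inside:
                        findings.append(f"{gid} ({name}): gateway accepts from unknown source {c}")
                continue
            if not _covers_port(perm, RDP_PORT):
                continue
            for c in cidrs:
                tag = " (Internet!)" if c in ANYWHERE else ""
                findings.append(f"{gid} ({name}): TCP/{RDP_PORT} open to CIDR {c}{tag}")
            for s in sources:
                if s != gateway_group_id:
                    findings.append(f"{gid} ({name}): TCP/{RDP_PORT} open to non-gateway group {s}")
    return findings


# Constructed sample: ids and ranges are placeholders, not real resources.
GATEWAY_SG = "sg-gateway-example"
GROUPS = [
    {"GroupId": GATEWAY_SG, "GroupName": "rdp-gateway",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                        "IpRanges": [{"CidrIp": "203.0.113.0/24"}],
                        "UserIdGroupPairs": []}]},
    {"GroupId": "sg-web-example", "GroupName": "web-tier",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
                        "IpRanges": [], "UserIdGroupPairs": [{"GroupId": GATEWAY_SG}]},
                       {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-legacy-example", "GroupName": "legacy-app",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]},
]

if __name__ == "__main__":
    for finding in audit_rdp(GROUPS, GATEWAY_SG, ["203.0.113.0/24"]):
        print(finding)
```

With real data, feed the `SecurityGroups` list from `aws ec2 describe-security-groups` to `audit_rdp`; the web tier passes because its only 3389 source is the gateway group, while the legacy group is reported for exposing 3389 to 0.0.0.0/0.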

Page 12: AWS Webcast - Securing the Microsoft Windows Platform on Amazon Web Services


RDP Gateway With High Availability

Deploy RDP Gateways into multiple Availability Zones.

Note that security group names are the same in each AZ.

Use the RDP Gateway in the same AZ to reduce inter-AZ charges and latency.

Page 13: AWS Webcast - Securing the Microsoft Windows Platform on Amazon Web Services


Obtaining Updates

Applying updates to your OS and applications is a critical part of the customer's responsibility.

Within VPC there are several methods of obtaining updates:
• Directly from Microsoft via the Internet Gateway
• Directly from Microsoft via Direct Connect or VPN
• WSUS server on premise
• WSUS server in VPC

Periodically update your base AMIs to minimize the number of updates new instances will require.

Page 14: AWS Webcast - Securing the Microsoft Windows Platform on Amazon Web Services


Using WSUS In VPC

Deploy a WSUS server in each AZ.

Use a NAT instance for Internet access, or a VPN link to on-premise infrastructure.

Use SSL for update traffic (TCP/8531).

Page 15: AWS Webcast - Securing the Microsoft Windows Platform on Amazon Web Services


Using Active Directory

You must use a VPN and VPC to connect your VPC to your on-premise infrastructure.

It is recommended that you replicate AD into the VPC rather than connect back.

It is recommended that AD servers be placed in each AZ where you have resources deployed.

AD servers should have their own Security Group with the necessary rules to accept traffic from other instances.

Leverage Reserved Instances for your Active Directory instances.

Page 16: AWS Webcast - Securing the Microsoft Windows Platform on Amazon Web Services


Active Directory Example

For added security you can deploy Read Only Domain Controllers (RODC) in Windows 2008 and later.

Change the VPC DHCP Options to use your AD servers for DNS.

Page 17: AWS Webcast - Securing the Microsoft Windows Platform on Amazon Web Services


Identity And Access Management (IAM)

Enables a customer to create multiple users and manage the permissions for each of these users.
• Use resource-level permissions to give users the least privilege required for API actions.

Secure by default: new users have no access to AWS until permissions are explicitly granted.

It is recommended that all administration be done with IAM user credentials.
• Applications that access the AWS API should use IAM Roles for EC2 Instances.

IAM is for access to the AWS console and APIs, not for applications or the operating system.

Identities can be federated with Active Directory.
• New IAM SAML support allows ADFS to be a SAML identity provider.
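The "resource-level permissions" and "least required privilege" points above are easier to see in a concrete policy document. The Python example below (added here; not AWS library code or code from the webcast) builds a policy that allows start/stop actions only on named instance ARNs, and lints any policy document for the wildcard grants that defeat resource-level scoping. The account id, region and instance ids are constructed placeholders; `ec2:DescribeInstances` is kept on `Resource: "*"` because Describe calls do not support resource-level permissions.

```python
"""Least-privilege IAM policy helpers: build a policy scoped to specific EC2
instance ARNs and lint a policy document for over-broad Allow statements.
Added example, not an AWS library; ids below are constructed placeholders."""
import json

READ_ONLY_PREFIXES = ("Describe", "List", "Get")


def instance_policy(account_id, region, instance_ids, actions):
    """Return a policy document allowing `actions` only on the named
    instances, plus a separate read-only Describe statement on "*"."""
    arns = [f"arn:aws:ec2:{region}:{account_id}:instance/{i}" for i in instance_ids]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "ManageNamedInstances", "Effect": "Allow",
             "Action": sorted(actions), "Resource": arns},
            {"Sid": "ReadOnlyDescribe", "Effect": "Allow",
             "Action": ["ec2:DescribeInstances"], "Resource": "*"},
        ],
    }


def _as_list(value):
    """IAM allows a single string or a list in Statement/Action/Resource."""
    return value if isinstance(value, list) else [value]


def lint_policy(policy):
    """Return findings for Allow statements that grant wildcard actions,
    use NotAction/NotResource, or allow mutating actions on Resource "*"."""
    findings = []
    for st in _as_list(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        sid = st.get("Sid", "<no Sid>")
        if "NotAction" in st or "NotResource" in st:
            findings.append(f"{sid}: NotAction/NotResource grants everything not listed")
        actions = _as_list(st.get("Action", []))
        resources = _as_list(st.get("Resource", []))
        for a in actions:
            if a == "*" or a.endswith(":*"):
                findings.append(f"{sid}: wildcard action {a}")
        if "*" in resources:
            # Describe/List/Get on "*" is normal; anything that changes state
            # on "*" ignores resource-level permissions entirely.
            mutating = [a for a in actions if "*" not in a
                        and not a.split(":")[-1].startswith(READ_ONLY_PREFIXES)]
            if mutating:
                findings.append(f"{sid}: mutating actions {mutating} on Resource '*'")
    return findings


if __name__ == "__main__":
    # Constructed placeholders: example account id, region and instance id.
    scoped = instance_policy("123456789012", "us-east-1", ["i-0exampleinstance"],
                             ["ec2:StartInstances", "ec2:StopInstances"])
    print(json.dumps(scoped, indent=2))
    print("findings (scoped):", lint_policy(scoped))
    broad = {"Version": "2012-10-17",
             "Statement": [{"Sid": "TooBroad", "Effect": "Allow",
                            "Action": "ec2:*", "Resource": "*"}]}
    print("findings (broad):", lint_policy(broad))
```

The scoped policy lints clean, while the one-statement `ec2:*` on `*` is reported; the same linter can be pointed at policy documents exported from an account to find users who were granted more than the API actions they need.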

Page 18: AWS Webcast - Securing the Microsoft Windows Platform on Amazon Web Services


Multi-Factor Authentication (MFA)

Extra level of security

Works with

• AWS root account

• IAM users

Multiple form factors

• Virtual MFA on your phone

• Hardware MFA key fobs

No additional cost!

• Except for the hardware option


Page 19: AWS Webcast - Securing the Microsoft Windows Platform on Amazon Web Services


Password Policy Management

Admins define password policies; users are then forced to comply with the policies at their next login.

Page 20: AWS Webcast - Securing the Microsoft Windows Platform on Amazon Web Services


Perimeter Threat Protection

Place the threat protection product between the ELBs and the web servers.

Check the AWS Marketplace for WAF and perimeter networking products.

[Diagram: one AWS Region with Availability Zone 1 and Availability Zone 2; users enter through the Internet Gateway into a public subnet, then a Threat Tier and a Web Tier in private subnets in each AZ. Subnets shown: 10.0.3.0/24, 10.0.4.0/24, 10.0.9.0/24, 10.0.7.0/24, 10.0.8.0/24, 10.0.10.0/24.]

Page 21: AWS Webcast - Securing the Microsoft Windows Platform on Amazon Web Services


Anti-Virus and Vulnerability Testing

It is recommended that you run up-to-date anti-virus software.
• Our partner ecosystem has several vendors which have optimized their AV software for AWS.
• You can find many of these in the AWS Marketplace: http://aws.amazon.com/marketplace

Use AMIs to quickly replace instances that you suspect are infected.
• Suspect instances can be isolated so that an investigation can take place while new, uninfected instances are created.

Vulnerability testing is a good security practice but must be done in accordance with the EC2 terms of service.
• http://aws.amazon.com/security/penetration-testing/

Customers with Business or higher support plans can use AWS Trusted Advisor.
• http://aws.amazon.com/premiumsupport/trustedadvisor/

Page 22: AWS Webcast - Securing the Microsoft Windows Platform on Amazon Web Services


Additional Information

AWS Security Center: http://aws.amazon.com/security

AWS Whitepapers: http://aws.amazon.com/whitepapers

• AWS Overview of Security Processes

• AWS Risk and Compliance Whitepaper

• AWS Security Best Practices

• Secure Microsoft Applications on AWS