AWS Webcast - Securing the Microsoft Windows Platform on Amazon Web Services
© 2011 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified or distributed in whole or in part without the express consent of Amazon.com, Inc.
Securing the Microsoft Windows
Platform on Amazon Web Services
Ryan Holland
Ecosystem Solutions Architect
Shared Responsibility Model For Infrastructure Services
AWS is responsible for:
• Facilities
• Physical Security
• Physical Infrastructure
• Network Infrastructure
• Virtualization Infrastructure
The customer is responsible for:
• Operating System
• Application
• Security Groups
• Network ACLs
• Network Configuration
• Account Management
Risk Assessment
It's important to understand how your application works.
• What are the network ingress/egress points?
• Which parts of the application need to communicate with the other tiers?
Who needs administrative access, and from where?
• Consider both application access and infrastructure access.
Perform data classification.
• Define storage and access policies based on the classification.
Amazon Virtual Private Cloud (VPC)
Create a logically isolated environment in Amazon's highly scalable infrastructure.
Specify your private IP address range and divide it into one or more public or private subnets.
Control inbound and outbound access to and from individual subnets using stateless Network Access Control Lists.
Protect your instances with stateful filters for inbound and outbound traffic using Security Groups.
Attach an Elastic IP address to any instance in your VPC so it can be reached directly from the Internet.
Bridge your VPC and your on-site IT infrastructure with an industry-standard encrypted VPN connection and/or AWS Direct Connect.
Amazon Virtual Private Cloud (VPC)
Choose the connectivity option that best fits your application.
• Internet-facing applications
• VPN connection to an on-premises datacenter
• Direct Connect
• Software VPN
Leverage subnets and Network ACLs.
• Design your network the way you would an on-premises deployment.
Properly configure security groups.
Leverage Active Directory within your VPC.
VPC Subnets
Group instances by function.
Create isolation through use of Network ACLs.
Control routing for each subnet.
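Because network ACLs are stateless, a connection must be allowed in both directions (the request and the reply to the client's ephemeral port), and rules are evaluated in rule-number order with the first match winning and an implicit deny at the end. The following Python model of that evaluation is an added example written for this transcript; it is not code from the webcast or from AWS, and the subnet CIDRs, rule numbers and ports are constructed assumptions for a private application subnet.

```python
import ipaddress

# Constructed NACL for a private application subnet in the example VPC.
# Rule numbers, CIDRs and ports are assumptions for this illustration.
# Tuple layout: (rule_number, action, protocol, from_port, to_port, cidr).
# Inbound rules match the destination port and the SOURCE address;
# outbound rules match the destination port and the DESTINATION address.
# 49152-65535 is the Windows Server 2008+ dynamic port range; it is used for
# the reply rules because it does not overlap 3389 or 8080. A reply rule of
# 1024-65535 would silently admit those services from anywhere.
INBOUND = [
    (100, "allow", "tcp", 3389, 3389, "10.0.1.0/24"),     # RDP only from the RD Gateway subnet
    (110, "allow", "tcp", 8080, 8080, "10.0.2.0/24"),     # application port from the web tier
    (120, "allow", "tcp", 49152, 65535, "0.0.0.0/0"),     # replies to connections this subnet opened
]
OUTBOUND = [
    (100, "allow", "tcp", 8531, 8531, "10.0.5.0/24"),     # WSUS over SSL only; plain 8530 is not listed
    (110, "allow", "tcp", 49152, 65535, "10.0.0.0/16"),   # replies to Windows peers inside the VPC
]


def evaluate(rules, protocol, port, address):
    """Evaluate one packet against one direction of a stateless NACL.

    Rules are tried in ascending rule-number order and the first match wins;
    a packet that matches nothing hits the implicit '*' deny rule.
    """
    addr = ipaddress.ip_address(address)
    for number, action, proto, low, high, cidr in sorted(rules, key=lambda r: r[0]):
        if proto == protocol and low <= port <= high and addr in ipaddress.ip_network(cidr):
            return number, action
    return "*", "deny"


def inbound_connection_ok(inbound, outbound, peer, peer_port, local_port):
    """Connection opened BY the peer: the request must pass the inbound list and
    the reply (to the peer's ephemeral port) must pass the outbound list.
    Nothing remembers the first packet, so both have to be written down."""
    request = evaluate(inbound, "tcp", local_port, peer)
    reply = evaluate(outbound, "tcp", peer_port, peer)
    return request[1] == "allow" and reply[1] == "allow"


def outbound_connection_ok(inbound, outbound, peer, local_port, peer_port):
    """Connection opened TO the peer: request outbound, reply inbound."""
    request = evaluate(outbound, "tcp", peer_port, peer)
    reply = evaluate(inbound, "tcp", local_port, peer)
    return request[1] == "allow" and reply[1] == "allow"


if __name__ == "__main__":
    # RDP is reachable only from the gateway subnet; the web tier and the
    # Internet both fall through to the implicit deny.
    print(inbound_connection_ok(INBOUND, OUTBOUND, "10.0.1.10", 51000, 3389))    # True
    print(inbound_connection_ok(INBOUND, OUTBOUND, "10.0.2.10", 51000, 3389))    # False
    print(inbound_connection_ok(INBOUND, OUTBOUND, "203.0.113.5", 51000, 3389))  # False
    # Patching: SSL to WSUS works, plain HTTP to WSUS does not.
    print(outbound_connection_ok(INBOUND, OUTBOUND, "10.0.5.20", 49200, 8531))   # True
    print(outbound_connection_ok(INBOUND, OUTBOUND, "10.0.5.20", 49200, 8530))   # False
    # The classic stateless mistake: drop the inbound reply rule and the WSUS
    # request still leaves, but the answer is discarded at the subnet boundary.
    no_reply_rule = [r for r in INBOUND if r[0] != 120]
    print(outbound_connection_ok(no_reply_rule, OUTBOUND, "10.0.5.20", 49200, 8531))  # False
```

The same six fields map one-to-one onto the EC2 CreateNetworkAclEntry call (RuleNumber, RuleAction, Protocol, PortRange, CidrBlock and the Egress flag), so a rule set that passes this kind of check can be applied as-is. If non-Windows peers live in the VPC, widen the reply rules to their ephemeral range and re-check that the widened range still does not cover any service port you meant to restrict.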
Security Groups
Mandatory instance firewall.
In VPC, security groups are stateful and allow for both ingress and egress filtering.
Enforcement takes place below the hypervisor, outside the instance, so a compromised guest cannot change its own rules.
Security groups can be used as a source in rules, so an instance can admit traffic from "whatever is in group X" instead of from a CIDR.
Make sure the ports Windows Active Directory needs are open between domain members and domain controllers.
Security Groups Provide Instance Isolation
Diagram: traffic from the physical interfaces passes through a firewall that enforces Customer 1, Customer 2 ... Customer n security groups before it reaches the hypervisor and the virtual interfaces of each customer's instances.
Remote Desktop Best Practices
The RDP port (TCP/3389) should never be open to the Internet.
Within a VPC, use an RD Gateway.
• Instances should only accept RDP connections from the RD Gateway.
• The RD Gateway should only accept connections from known IPs.
Use software VPN solutions for deployments without VPC VPN connections or where source IPs will be dynamic.
A walkthrough of implementing an RD Gateway in VPC can be found on the AWS Security Blog: http://tinyurl.com/AWSRDPGW
Example RDP Gateway Setup
The RD Gateway only accepts traffic from the specified internal network.
All other instances only accept RDP traffic from the RD Gateway.
This prevents attackers from bypassing the gateway and reaching RDP on the instances directly.
Use resource authorization policies (RAPs) on the gateway to control which users may reach which instances.
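The two security groups in this setup (the gateway admits only known addresses, every other instance admits RDP only from the gateway's group) and the separate group the Security Groups slide calls for around Active Directory, written in the IpPermissions form the EC2 API uses, together with an audit that scans DescribeSecurityGroups output for RDP reachable from anywhere other than the gateway. This is an added example for this transcript, not code from the webcast or from the linked blog post; the group IDs, CIDRs and the sample describe output are constructed, and the gateway is assumed to listen on TCP 443 (RD Gateway tunnels RDP over HTTPS).

```python
# Security-group rule sets for the RD Gateway pattern, in the IpPermissions
# shape used by the EC2 API (boto3 authorize_security_group_ingress and
# describe_security_groups). Group IDs, CIDRs and SAMPLE_DESCRIBE are
# constructed for this example.

RDP_PORT = 3389
RD_GATEWAY_PORT = 443      # RD Gateway carries RDP over HTTPS; UDP 3391 transport omitted here

# Ports a domain member needs to reach a domain controller (Windows Server
# 2008+ dynamic RPC range 49152-65535; add legacy NetBIOS 137-139 only if needed).
AD_PORTS = [
    ("tcp", 53, 53), ("udp", 53, 53),          # DNS
    ("tcp", 88, 88), ("udp", 88, 88),          # Kerberos
    ("udp", 123, 123),                         # NTP / Windows Time
    ("tcp", 135, 135),                         # RPC endpoint mapper
    ("tcp", 389, 389), ("udp", 389, 389),      # LDAP
    ("tcp", 445, 445),                         # SMB (SYSVOL, Group Policy)
    ("tcp", 464, 464), ("udp", 464, 464),      # Kerberos password change
    ("tcp", 636, 636),                         # LDAPS
    ("tcp", 3268, 3269),                       # Global Catalog (LDAP / LDAPS)
    ("tcp", 49152, 65535),                     # RPC dynamic ports (replication, SAM, DRS)
]


def _rule(proto, low=None, high=None, cidrs=(), group_ids=()):
    """Build one IpPermission entry; '-1' (all traffic) carries no port fields."""
    perm = {"IpProtocol": proto,
            "IpRanges": [{"CidrIp": c} for c in cidrs],
            "UserIdGroupPairs": [{"GroupId": g} for g in group_ids]}
    if proto != "-1":
        perm["FromPort"], perm["ToPort"] = low, high
    return perm


def gateway_ingress(known_cidrs):
    """The RD Gateway accepts HTTPS only from the known corporate or VPN ranges."""
    return [_rule("tcp", RD_GATEWAY_PORT, RD_GATEWAY_PORT, cidrs=known_cidrs)]


def member_ingress(gateway_sg):
    """Every other Windows instance accepts RDP only from the gateway's group,
    referenced as a rule source, never from a CIDR."""
    return [_rule("tcp", RDP_PORT, RDP_PORT, group_ids=[gateway_sg])]


def domain_controller_ingress(domain_members_sg):
    """Domain controllers get their own group that admits only domain members."""
    return [_rule(p, lo, hi, group_ids=[domain_members_sg]) for p, lo, hi in AD_PORTS]


def _covers_port(perm, port):
    if perm["IpProtocol"] == "-1":           # "all traffic" rules include RDP
        return True
    if perm["IpProtocol"] != "tcp":
        return False
    return perm["FromPort"] <= port <= perm["ToPort"]


def audit_rdp_exposure(describe_output, gateway_sg):
    """Scan describe_security_groups output for RDP reachable from anything
    other than the RD Gateway's group. Returns a list of (group_id, reason)."""
    findings = []
    for sg in describe_output["SecurityGroups"]:
        for perm in sg["IpPermissions"]:
            if not _covers_port(perm, RDP_PORT):
                continue
            for r in perm.get("IpRanges", []):
                kind = "open to the Internet" if r["CidrIp"] == "0.0.0.0/0" else "allowed from CIDR"
                findings.append((sg["GroupId"], f"RDP {kind} {r['CidrIp']}"))
            for r in perm.get("Ipv6Ranges", []):
                findings.append((sg["GroupId"], f"RDP allowed from IPv6 range {r['CidrIpv6']}"))
            for pair in perm.get("UserIdGroupPairs", []):
                if pair["GroupId"] != gateway_sg:
                    findings.append((sg["GroupId"], f"RDP allowed from non-gateway group {pair['GroupId']}"))
    return findings


# Constructed stand-in for a describe_security_groups response.
SAMPLE_DESCRIBE = {"SecurityGroups": [
    {"GroupId": "sg-gateway", "GroupName": "rdgw",
     "IpPermissions": gateway_ingress(["198.51.100.0/24"])},
    {"GroupId": "sg-app", "GroupName": "app-tier",
     "IpPermissions": member_ingress("sg-gateway")},
    {"GroupId": "sg-legacy", "GroupName": "legacy-web",       # the misconfiguration to catch
     "IpPermissions": [_rule("tcp", 3389, 3389, cidrs=["0.0.0.0/0"]),
                       _rule("-1", cidrs=["10.0.0.0/16"])]},
]}

if __name__ == "__main__":
    for group_id, reason in audit_rdp_exposure(SAMPLE_DESCRIBE, "sg-gateway"):
        print(group_id, reason)
```

Feeding the real describe_security_groups response (one page at a time) into audit_rdp_exposure gives a quick bypass check for the whole VPC: any group that admits 3389 from a CIDR or from an "all traffic" rule lets a client skip the gateway and its RAPs entirely, which is exactly the condition this setup is meant to rule out.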
RDP Gateway With High Availability
Deploy RD Gateways into multiple availability zones.
Note that security group names are the same in each AZ.
Use the RD Gateway in the same AZ to reduce inter-AZ charges and latency.
Obtaining Updates
Applying updates to your OS and applications is a critical part of the customer's responsibility.
Within VPC there are several methods of obtaining updates:
• Directly from Microsoft via the Internet Gateway
• Directly from Microsoft via Direct Connect or VPN
• WSUS server on premises
• WSUS server in the VPC
Periodically update your base AMIs to minimize the number of updates new instances will require.
Using WSUS In VPC
Deploy a WSUS server in each AZ.
Use a NAT instance for Internet access, or the VPN link to on-premises infrastructure, so WSUS can synchronize with Microsoft.
Use SSL for update traffic (TCP/8531) rather than plain HTTP (TCP/8530).
Using Active Directory
A VPC with a VPN connection is required to connect your AWS resources to your on-premises infrastructure.
It is recommended that you replicate AD into the VPC rather than authenticate back across the link.
It is recommended that AD servers be placed in each AZ in which you have resources deployed.
AD servers should have their own Security Group with only the rules necessary to accept traffic from other instances.
Leverage Reserved Instances for your Active Directory instances, since they run continuously.
Active Directory Example
For added security you can deploy Read Only Domain Controllers (RODCs), available in Windows Server 2008 and later.
Change the VPC DHCP options to use your AD servers for DNS.
Identity And Access Management (IAM)
Enables a customer to create multiple users and manage the permissions for each of these users.
• Use resource-level permissions to give users the least privilege required for API actions.
Secure by default: new users have no access to AWS until permissions are explicitly granted.
It is recommended that all administration be done with IAM user credentials rather than the root account.
• Applications that access our API should use IAM Roles for EC2 Instances instead of embedded access keys.
IAM is for access to the AWS console and APIs, not for applications or the operating system.
Identities can be federated with Active Directory.
• New IAM SAML support allows ADFS to act as a SAML identity provider.
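What "secure by default" and "resource-level least privilege" mean in practice: a policy that lets an operator describe instances but start, stop or reboot only one of them, with termination explicitly denied, alongside the trust policy that lets an EC2 instance role be assumed. The evaluator below reproduces the core IAM decision order (explicit deny wins, otherwise an allow is required, otherwise implicit deny). This is an added example for this transcript, not AWS code or an AWS library; the account ID and instance ID are constructed, and Condition blocks are deliberately left out of the evaluator.

```python
import fnmatch

# Constructed identifiers for this example; not from the webcast.
ACCOUNT = "123456789012"
EXAMPLE_INSTANCE_ARN = f"arn:aws:ec2:us-east-1:{ACCOUNT}:instance/i-0abc123def456"

# Least-privilege policy for an operator of one instance. EC2 Describe*
# actions do not support resource-level permissions, so they are granted on
# Resource "*"; the mutating actions are pinned to a single instance ARN and
# termination is explicitly denied everywhere.
OPS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["ec2:DescribeInstances", "ec2:DescribeSecurityGroups"],
         "Resource": "*"},
        {"Effect": "Allow",
         "Action": ["ec2:StartInstances", "ec2:StopInstances", "ec2:RebootInstances"],
         "Resource": EXAMPLE_INSTANCE_ARN},
        {"Effect": "Deny", "Action": "ec2:TerminateInstances", "Resource": "*"},
    ],
}

# Trust policy for an EC2 instance role: applications on the instance then
# receive temporary credentials instead of carrying an IAM user's access keys.
EC2_ROLE_TRUST = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"Service": "ec2.amazonaws.com"},
                   "Action": "sts:AssumeRole"}],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(pattern, value, case_sensitive):
    # IAM wildcards: '*' any run of characters, '?' one character. Action
    # names compare case-insensitively, resource ARNs case-sensitively.
    if not case_sensitive:
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)


def is_allowed(policies, action, resource):
    """Simplified IAM evaluation (no Condition handling): an explicit Deny in
    any matching statement wins; otherwise at least one matching Allow is
    required; otherwise the request is implicitly denied, which is why a new
    user with no policies attached can do nothing."""
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not any(_matches(a, action, False) for a in _as_list(stmt["Action"])):
                continue
            if not any(_matches(r, resource, True) for r in _as_list(stmt["Resource"])):
                continue
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


if __name__ == "__main__":
    other = f"arn:aws:ec2:us-east-1:{ACCOUNT}:instance/i-0ffffffffffffffff"
    print(is_allowed([], "ec2:StopInstances", EXAMPLE_INSTANCE_ARN))                # False: no policy
    print(is_allowed([OPS_POLICY], "ec2:StopInstances", EXAMPLE_INSTANCE_ARN))      # True
    print(is_allowed([OPS_POLICY], "ec2:StopInstances", other))                     # False: other instance
    print(is_allowed([OPS_POLICY], "ec2:TerminateInstances", EXAMPLE_INSTANCE_ARN)) # False: explicit deny
```

The same policy documents are what you would pass to the IAM API (or paste into the console) for the operator's user or group and for the instance role. The evaluator is only a model for reasoning about a draft policy offline; the real service also applies Condition keys, permission boundaries and resource policies on top of this order.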
Multi-Factor Authentication (MFA)
Extra level of security
Works with
• AWS root account
• IAM users
Multiple form factors
• Virtual MFA on your phone
• Hardware MFA key fobs
No additional cost!
• Except for the hardware option
Password Policy Management
Admins define password policies.
Users are then forced to comply with the policies at next login.
Perimeter Threat Protection
Place the threat protection product between the ELBs and the web servers.
Check the AWS Marketplace for WAF and perimeter networking products.
Diagram: one AWS Region with Availability Zone 1 and Availability Zone 2. Users reach the Internet Gateway, which feeds a public subnet (threat tier) in each AZ; behind it sit private subnets holding the web tier and further private subnets. Subnet CIDRs shown: 10.0.3.0/24, 10.0.4.0/24, 10.0.9.0/24, 10.0.7.0/24, 10.0.8.0/24, 10.0.10.0/24.
Anti-Virus and Vulnerability Testing
It is recommended that you run up-to-date anti-virus software.
• Our partner ecosystem has several vendors that have optimized their AV software for AWS.
• You can find many of these in the AWS Marketplace: http://aws.amazon.com/marketplace
Use AMIs to quickly replace instances that you suspect are infected.
• Suspect instances can be isolated so that an investigation can take place while new, uninfected instances are created.
Vulnerability testing is a good security practice but must be done in accordance with the EC2 terms of service.
• http://aws.amazon.com/security/penetration-testing/
Customers with Business or higher support plans can use AWS Trusted Advisor.
• http://aws.amazon.com/premiumsupport/trustedadvisor/
Additional Information
AWS Security Center: http://aws.amazon.com/security
AWS Whitepapers: http://aws.amazon.com/whitepapers
• AWS Overview of Security Processes
• AWS Risk and Compliance Whitepaper
• AWS Security Best Practices
• Secure Microsoft Applications on AWS