Security @ Windows 10 Partner Technical Bootcamp Microsoft Norway October 2015

Security For The Future @olavtwitt olavtvedt.blogspot.com @janke75 jankesblog.com


Why Should We Think About Security?

Microsoft Passport
A world without passwords
Hallo vNext

Overview: Microsoft Passport
- Microsoft reference implementation of the FIDO 2.0 implementation specs
- Aimed at replacing passwords
- Identity is proven via a one-time password (OTP), a code, or Azure Multi-Factor Authentication (phone)
- To IT it is familiar, as it is based on a certificate or an asymmetrical key pair
- To the user it is familiar: biometric or PIN
- The Identity Provider maps the public key of the NGC credential to the user account

Credential Overview: User Enrollment
Users will enroll in Microsoft Passport using:
- Existing password
- OTP
- Code (e.g. SMS)
- Existing 2FA device (e.g. smartcard)

User Credential: Microsoft Passport User Credentials
- Utilize familiar devices
- Secured by hardware
- User credential: an asymmetrical key pair, provisioned via PKI or created locally via Windows 10

User Credential: Microsoft Passport User Credential Types

Key Based
- Keys used for the credential and for authentication are generated by the device itself. Keys used for authentication only exist, and can only be used, on the user's device
- No requirement for PKI
- Easier to manage and deploy; allows for instant revocation

Certificate Based
- PKI requirement
- Required to work with some VPN solutions

Requirements by NGC type
Key Based
  Cloud Solution: AAD
  Hybrid Identity: AAD including Sync for NGC key write-back, AD Windows Server 10, ADFS Windows Server 10
  On-Premises: (none listed)
Certificate Based
  Cloud Solution: AAD, PKI, Intune (provision certificates)
  Hybrid Identity: AAD, PKI infrastructure, ConfigMgr v.Next, Windows Server 10 schema, ADFS Windows Server 10
  On-Premises: PKI, ConfigMgr v.Next

User Credential: A new approach, Key Based Authentication Walkthrough

[Diagram] Actors: User; Windows 10 device; IDP (Active Directory, Azure AD, Google, Facebook, Microsoft Account); Intranet Resource.
Callouts as labelled in the slide:
1. User to IDP: "Proves Identity" / "Trust my unique key"
4. IDP to Windows 10: "Here is your authorization token"; Intranet Resource: "I trust tokens from IDP" / "So do I"
(Steps 2 and 3 are drawn between the Windows 10 device and the IDP; their labels did not survive extraction.)
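The walkthrough above, simulated end to end as an added PowerShell example (not code from the deck or from Microsoft). The key pair is software-generated here; on a real Passport device the private key is generated and held by the TPM and released only by the PIN or biometric gesture. All function names, the user name and the token format are invented for the illustration. Requires Windows PowerShell 5.x on .NET Framework 4.6 or later.

```powershell
# Added example: key-based sign-in in the style of the Microsoft Passport walkthrough.
# Device keys live in software here (real Passport: TPM-backed). Names are invented.

$Sha256 = [System.Security.Cryptography.HashAlgorithmName]::SHA256
$Pkcs1  = [System.Security.Cryptography.RSASignaturePadding]::Pkcs1

# ---- Device (Windows 10) side -------------------------------------------
function New-DeviceKey {
    # NGC credential: an asymmetric key pair created on the device (RSA 2048).
    New-Object System.Security.Cryptography.RSACng 2048
}

function Export-DevicePublicKey([System.Security.Cryptography.RSA]$Key) {
    # Only the public half ever leaves the device.
    $Key.ExportParameters($false)
}

function Invoke-DeviceSign([System.Security.Cryptography.RSA]$Key, [byte[]]$Nonce, [bool]$GestureOk) {
    # The PIN/biometric gesture unlocks the key locally; neither gesture nor key is sent.
    if (-not $GestureOk) { throw 'User gesture failed; private key not released' }
    $Key.SignData($Nonce, $Sha256, $Pkcs1)
}

# ---- Identity provider side ----------------------------------------------
$Idp = @{ Registrations = @{}; Nonces = @{}; TokenKey = New-Object byte[] 32 }
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($Idp.TokenKey)

function Register-DeviceKey($Idp, [string]$User, $PublicKey) {
    # Enrollment (step 1): after the user proves identity with the existing password,
    # OTP, SMS code or smartcard, the IDP maps the public key to the account.
    $Idp.Registrations[$User] = $PublicKey
}

function New-SignInChallenge($Idp, [string]$User) {
    # Fresh random nonce per attempt, so a captured signature cannot be replayed.
    $nonce = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($nonce)
    $Idp.Nonces[$User] = $nonce
    $nonce
}

function Confirm-SignIn($Idp, [string]$User, [byte[]]$Nonce, [byte[]]$Signature) {
    # Returns an authorization token on success, $null otherwise.
    $pub = $Idp.Registrations[$User]
    $expected = $Idp.Nonces[$User]
    if (-not $pub -or -not $expected) { return $null }
    if ([Convert]::ToBase64String($expected) -ne [Convert]::ToBase64String($Nonce)) { return $null }
    $Idp.Nonces.Remove($User)                       # nonce is single use
    $verifier = New-Object System.Security.Cryptography.RSACng
    $verifier.ImportParameters($pub)
    if (-not $verifier.VerifyData($Nonce, $Signature, $Sha256, $Pkcs1)) { return $null }
    # Invented token format: user|expiry|HMAC, keyed so resources that trust the IDP can check it.
    $body = "$User|$([DateTimeOffset]::UtcNow.AddMinutes(10).ToUnixTimeSeconds())"
    $mac  = (New-Object System.Security.Cryptography.HMACSHA256 (,$Idp.TokenKey)).ComputeHash([Text.Encoding]::UTF8.GetBytes($body))
    "$body|$([Convert]::ToBase64String($mac))"
}

# ---- Intranet resource side ("I trust tokens from IDP") ------------------
function Test-IntranetToken([string]$Token, [byte[]]$IdpTokenKey) {
    $user, $expiry, $mac = $Token -split '\|'
    if ([DateTimeOffset]::FromUnixTimeSeconds([long]$expiry) -lt [DateTimeOffset]::UtcNow) { return $false }
    $calc = (New-Object System.Security.Cryptography.HMACSHA256 (,$IdpTokenKey)).ComputeHash([Text.Encoding]::UTF8.GetBytes("$user|$expiry"))
    [Convert]::ToBase64String($calc) -eq $mac
}

# ---- Walkthrough ----------------------------------------------------------
$device = New-DeviceKey
Register-DeviceKey $Idp 'alice@contoso.example' (Export-DevicePublicKey $device)   # step 1: "trust my unique key"
$nonce  = New-SignInChallenge $Idp 'alice@contoso.example'
$sig    = Invoke-DeviceSign $device $nonce $true                                 # device proves possession of the key
$token  = Confirm-SignIn $Idp 'alice@contoso.example' $nonce $sig                # "here is your authorization token"
"Resource accepts token: $(Test-IntranetToken $token $Idp.TokenKey)"             # step 4: resource trusts IDP tokens

# Replaying the earlier signature against a new challenge must fail
$nonce2 = New-SignInChallenge $Idp 'alice@contoso.example'
"Replay accepted: $($null -ne (Confirm-SignIn $Idp 'alice@contoso.example' $nonce2 $sig))"
```

The point the simulation makes concrete: the IDP stores only a public key, so a breach of the IDP database yields nothing reusable, and because every sign-in signs a fresh nonce, a captured signature is worthless on the next attempt.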

User Credential: Securing Credentials

Hardware secured keys: the TPM encrypts the keys.
- Default Container: Microsoft Account, Consumer IDP 1, Consumer IDP 2
- Enterprise Container: Enterprise IDP

Enterprise Data Protection
Sandboxing is so 2008.

Enterprise Data Protection: Overview
- EDP provides corporate data separation and containment in Windows 10
- Protects data at rest, wherever it rests or may roam to
- Seamless integration into the platform: no mode switching, use any app
- Corporate vs. personal data is identifiable wherever it rests on the device
- Prevents unauthorized apps from accessing business data
- IT has full control of keys and data and can remotely wipe data on demand
- Common experience across all Windows devices, with cross-platform support

Implementation
Pre-requisites: a Windows 10 device (phone, desktop, laptop, tablet) and a supported management platform are required for Enterprise Data Protection:
- Microsoft Intune
- System Center 2012 R2 Configuration Manager
Policy is configured by the System Center 2012 R2 Configuration Manager or Microsoft Intune management platform; the device receives the policy and is configured for Enterprise Data Protection.

Enterprise Data Protection: How it works
Enterprise Data Protection relies on existing OS encryption technology: EFS, as used for Work Folders in Windows 8.1. Enterprise Data Protection supports both Modern and Win32 applications.

Define Enterprise Boundaries. Enterprise boundaries are defined in one of two ways:
- The administrator defines a set of enterprise-approved applications that are allowed to access data
- Network boundaries are defined (IP ranges, cloud locations, e.g. O365); these determine whether data is coming from or going to a defined "Enterprise" location

Configure Enterprise Data Protection. Administrators can configure Enterprise Data Protection in one of three ways:
- Blocking: blocks data from being moved to non-enterprise locations
- Policy Override: provides a prompt, but allows users to confirm they want to copy to non-enterprise locations; audits the event
- Reporting Only: no blocks or roadblocks, just audits events
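The three inputs just described (approved apps, network boundaries, enforcement mode) expressed as the OMA-URI settings an MDM such as Intune pushes to the device, as an added PowerShell example that is not from the deck or from Microsoft. The CSP paths are the ones documented for the released EnterpriseDataProtection, NetworkIsolation and AppLocker CSPs, which postdate this 2015 preview, and the list separators (`|` versus `,`) follow that documentation from memory; treat both as assumptions to check against the current CSP reference. The domain, IP range, cloud resource, group name and publisher are placeholders.

```powershell
# Added example: build the MDM settings that define EDP boundaries and mode.
# CSP paths and separators are assumed from the released CSP docs; verify them.

function New-EdpPolicy {
    param(
        [ValidateSet('Block', 'Override', 'ReportOnly', 'Off')] [string]$Mode,
        [string[]]$ProtectedDomains,     # identity domains whose data counts as enterprise
        [string[]]$EnterpriseIPRanges,   # e.g. 10.0.0.0-10.255.255.255
        [string[]]$CloudResources,       # e.g. contoso.sharepoint.example
        [string[]]$NetworkDomains,       # internal DNS suffixes
        [string]$AppLockerGroup,
        [string]$AllowedPublisher        # X.500 subject of the app signing certificate
    )
    # Enforcement level: 3 = Block, 2 = Override (prompt + audit), 1 = Silent (audit only), 0 = Off
    $level = @{ Block = 3; Override = 2; ReportOnly = 1; Off = 0 }[$Mode]

    foreach ($r in $EnterpriseIPRanges) {
        if ($r -notmatch '^\d{1,3}(\.\d{1,3}){3}-\d{1,3}(\.\d{1,3}){3}$') { throw "Bad IP range: $r" }
    }

    # Enterprise-approved apps: an AppLocker publisher rule. Apps not matched are personal
    # and cannot open enterprise data.
    $appRule = @"
<RuleCollection Type="Exe" EnforcementMode="Enabled">
  <FilePublisherRule Id="$([guid]::NewGuid())" Name="Allow $AllowedPublisher" UserOrGroupSid="S-1-1-0" Action="Allow">
    <Conditions>
      <FilePublisherCondition PublisherName="$AllowedPublisher" ProductName="*" BinaryName="*">
        <BinaryVersionRange LowSection="*" HighSection="*" />
      </FilePublisherCondition>
    </Conditions>
  </FilePublisherRule>
</RuleCollection>
"@

    $edp = './Device/Vendor/MSFT/EnterpriseDataProtection/Settings'
    $ni  = './Vendor/MSFT/Policy/Config/NetworkIsolation'
    @(
        [pscustomobject]@{ OmaUri = "$edp/EDPEnforcementLevel";            Type = 'Integer'; Value = $level }
        [pscustomobject]@{ OmaUri = "$edp/EnterpriseProtectedDomainNames"; Type = 'String';  Value = ($ProtectedDomains -join '|') }
        [pscustomobject]@{ OmaUri = "$ni/EnterpriseIPRange";               Type = 'String';  Value = ($EnterpriseIPRanges -join ',') }
        [pscustomobject]@{ OmaUri = "$ni/EnterpriseCloudResources";        Type = 'String';  Value = ($CloudResources -join '|') }
        [pscustomobject]@{ OmaUri = "$ni/EnterpriseNetworkDomainNames";    Type = 'String';  Value = ($NetworkDomains -join ',') }
        [pscustomobject]@{ OmaUri = "./Vendor/MSFT/AppLocker/EnterpriseDataProtection/$AppLockerGroup/EXE/Policy"; Type = 'String'; Value = $appRule }
    )
}

# Roll out in ReportOnly first, review the audit events, then move to Override or Block.
New-EdpPolicy -Mode ReportOnly -ProtectedDomains 'contoso.example' `
    -EnterpriseIPRanges '10.0.0.0-10.255.255.255' -CloudResources 'contoso.sharepoint.example' `
    -NetworkDomains 'corp.contoso.example' -AppLockerGroup 'EdpApps' `
    -AllowedPublisher 'O=CONTOSO, L=OSLO, C=NO' | Format-Table OmaUri, Type -AutoSize
```

Each returned row maps to one custom OMA-URI setting in the MDM console. Getting the network boundary wrong is the usual failure: too narrow and enterprise data arriving from an unlisted server is treated as personal and never protected; too wide and personal data is silently encrypted and wiped along with the enterprise keys.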

Enterprise Data Protection: Data Provisioning (Keys and Policies)
1. The user enrolls with enterprise MDM or by domain join; MDM or ConfigMgr provisions policy and encryption keys
2. Policies: enterprise allowed apps, network policies, app restriction policy

Enterprise Data Protection: Data Ingress Scenario
Data coming in from an enterprise network location is encrypted on the device. Examples: OneDrive for Business, corporate Exchange mail, files, etc.

Enterprise Data Protection: Data Genesis Scenario
- Users can save to enterprise folders; encryption will be applied automatically
- Users are given an option to save data as personal or corporate
- The IT admin can configure which apps should automatically protect data

Enterprise Data Protection: Data Egress Scenario
- Enlightened applications will be able to maintain protection on egress
- Policy-based app restrictions can block app access to data, meaning it cannot egress
- Network policy enables the blocking of data moving to non-corporate locations

Enterprise Data Protection: Cross Platform App Sharing Data Scenario (iOS, Android)
- Protected data accessible on non-Windows platforms
- Readers available for cross-platform editing
- Public API for 3rd party adoption

Credential Guard
- Do not allow insecure NTLM and Kerberos-related authentication protocols (NTLMv1, MS-CHAPv2, and weaker Kerberos encryption types, such as DES)
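An added PowerShell example (not from the deck) that audits the legacy-authentication settings called out above on a Windows 10 client and hardens them. The registry values and their meanings are the documented LSA and Kerberos ones; the function names are invented. MS-CHAPv2 is an EAP/VPN setting rather than an LSA value and is not covered here. Run elevated.

```powershell
# Added example: audit and harden NTLM/Kerberos settings on a Windows 10 client.

$Lsa  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Msv  = "$Lsa\MSV1_0"
$Kerb = "$Lsa\Kerberos\Parameters"

# Targets: refuse LM/NTLMv1, demand NTLMv2 session security, AES-only Kerberos.
$Desired = @(
    @{ Path = $Lsa;  Name = 'LmCompatibilityLevel';     Value = 5;          Why = 'Send NTLMv2 only; refuse LM and NTLM' }
    @{ Path = $Lsa;  Name = 'NoLMHash';                 Value = 1;          Why = 'Never store LM hashes' }
    @{ Path = $Msv;  Name = 'NtlmMinClientSec';         Value = 0x20080000; Why = 'Require NTLMv2 session security and 128-bit encryption' }
    @{ Path = $Msv;  Name = 'NtlmMinServerSec';         Value = 0x20080000; Why = 'Same requirement for inbound NTLM' }
    @{ Path = $Kerb; Name = 'SupportedEncryptionTypes'; Value = 0x18;       Why = 'AES128 (0x8) + AES256 (0x10) only; no DES (0x1/0x2), no RC4 (0x4)' }
)

function Get-LegacyAuthState {
    # One object per setting: current value, desired value, compliance.
    foreach ($s in $Desired) {
        $cur = (Get-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue).($s.Name)
        [pscustomobject]@{
            Setting   = $s.Name
            Current   = $(if ($null -eq $cur) { '(not set: OS default)' } else { '0x{0:X}' -f $cur })
            Desired   = '0x{0:X}' -f $s.Value
            Compliant = ($cur -eq $s.Value)
            Why       = $s.Why
        }
    }
}

function Set-LegacyAuthHardening {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    foreach ($s in $Desired) {
        if (-not (Test-Path $s.Path)) { New-Item -Path $s.Path -Force | Out-Null }
        if ($PSCmdlet.ShouldProcess("$($s.Path)\$($s.Name)", "set to 0x$('{0:X}' -f $s.Value)")) {
            Set-ItemProperty -Path $s.Path -Name $s.Name -Value $s.Value -Type DWord
        }
    }
}

Get-LegacyAuthState | Format-Table -AutoSize
Set-LegacyAuthHardening -WhatIf    # drop -WhatIf to apply; LSA changes take effect after a reboot
```

Two cautions before applying this fleet-wide: restricting Kerberos to AES breaks authentication to any service account or trust that has no AES keys (check `msDS-SupportedEncryptionTypes` on those accounts first), and LmCompatibilityLevel 5 breaks any device that still only speaks NTLMv1, so audit with the first function and the NTLM audit event log before enforcing.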

Credential Guard requirements (requirement: description)
- Windows 10 Enterprise: The PC must be running Windows 10 Enterprise.
- UEFI firmware version 2.3.1 or higher and Secure Boot: To verify that the firmware is using UEFI version 2.3.1 or higher and Secure Boot, you can validate it against the System.Fundamentals.Firmware.CS.UEFISecureBoot.ConnectedStandby Windows Hardware Compatibility Program requirement.
- Virtualization extensions: The following virtualization extensions are required to support virtualization-based security: Intel VT-x or AMD-V, and Second Level Address Translation.
- x64 architecture: The features that virtualization-based security uses in the Windows hypervisor can only run on a 64-bit PC.
- A VT-d or AMD-Vi IOMMU (input/output memory management unit): In Windows 10, an IOMMU enhances system resiliency against memory attacks.
- Trusted Platform Module (TPM) 2.0: TPM 2.0 provides protection for encryption keys that are stored in the firmware. Note: TPM 1.2 is not recommended.
- Secure firmware update process: To verify that the firmware complies with the secure firmware update process, you can validate it against the System.Fundamentals.Firmware.UEFISecureBoot Windows Hardware Compatibility Program requirement.
- The firmware is updated for Secure MOR implementation: The secure MOR bit helps to prevent certain memory attacks.
- Physical PC: You cannot run Credential Guard on a virtual machine.
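An added PowerShell example (not from the deck or from Microsoft) that checks a PC against the requirements table above and then turns Credential Guard on. It reads the Win32_DeviceGuard WMI class and sets the documented DeviceGuard and Lsa registry values; the optional-feature step is what the Windows 10 builds of 2015 (1507/1511) needed, later builds fold it in. Function names are invented. Run elevated on the target PC.

```powershell
# Added example: Credential Guard readiness check and enablement for Windows 10.

function Test-CredentialGuardReadiness {
    $dg  = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
    $cs  = Get-CimInstance Win32_ComputerSystem
    $tpm = Get-CimInstance -Namespace root\cimv2\Security\MicrosoftTpm -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $os  = Get-CimInstance Win32_OperatingSystem

    # AvailableSecurityProperties: 1 = base VBS, 2 = Secure Boot, 3 = DMA protection (IOMMU), 4 = Secure MOR
    $avail = @($dg.AvailableSecurityProperties)
    [pscustomobject]@{
        'Windows 10 Enterprise'    = ($os.Caption -match 'Enterprise')
        'x64'                      = [Environment]::Is64BitOperatingSystem
        'UEFI + Secure Boot'       = $(try { Confirm-SecureBootUEFI } catch { $false })
        'VT-x/AMD-V + SLAT (VBS)'  = ($avail -contains 1)
        'IOMMU (VT-d/AMD-Vi)'      = ($avail -contains 3)
        'Secure MOR'               = ($avail -contains 4)
        'TPM 2.0'                  = ($null -ne $tpm -and $tpm.SpecVersion -like '2.0*')
        'Physical PC'              = (-not $cs.HypervisorPresent)
        # SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI
        'Credential Guard running' = (@($dg.SecurityServicesRunning) -contains 1)
    }
}

function Enable-CredentialGuard {
    param([switch]$UefiLock)   # lock the setting in UEFI so it cannot be switched off remotely
    $dgKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
    if (-not (Test-Path $dgKey)) { New-Item $dgKey -Force | Out-Null }
    # Hypervisor and isolated user mode (optional features on 1507/1511)
    Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V-Hypervisor -NoRestart | Out-Null
    Enable-WindowsOptionalFeature -Online -FeatureName IsolatedUserMode -NoRestart | Out-Null
    Set-ItemProperty $dgKey -Name EnableVirtualizationBasedSecurity -Value 1 -Type DWord
    # RequirePlatformSecurityFeatures: 1 = Secure Boot; 3 = Secure Boot and DMA protection (needs the IOMMU)
    Set-ItemProperty $dgKey -Name RequirePlatformSecurityFeatures -Value 3 -Type DWord
    # LsaCfgFlags: 1 = Credential Guard with UEFI lock, 2 = enabled without the lock
    Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name LsaCfgFlags -Value $(if ($UefiLock) { 1 } else { 2 }) -Type DWord
    Write-Warning 'Reboot required; then re-run Test-CredentialGuardReadiness to confirm the service is running'
}

Test-CredentialGuardReadiness | Format-List
# Enable-CredentialGuard -UefiLock
```

The UEFI lock is the setting to think about before deploying: with it, Credential Guard can only be disabled by someone physically present at the machine accepting a prompt during boot, which is exactly the property you want against remote tampering and exactly the property that makes a mass rollback painful.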

How Device Guard works
- User Mode Code Integrity (UMCI)
- New kernel code integrity rules (including the new Windows Hardware Quality Labs (WHQL) signing constraints)
- Secure Boot with database (db/dbx) restrictions
- Virtualization-based security to help protect system memory and kernel mode apps and drivers from possible tampering
- Optional: Trusted Platform Module (TPM) 1.2 or 2.0

Required hardware and software
- Windows 10 Enterprise
- UEFI 2.3.1 or later
- Trusted Boot
- Virtualization-based security
- Package inspector tool

Before using Device Guard in your company
Signing your apps:
- Using the Windows Store publishing process
- Using your own digital certificate or public key infrastructure (PKI)
- Using a non-Microsoft signing authority
- Using a Microsoft-provided web service (coming later this year)
Code Integrity policy
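The "Code Integrity policy" step above carried through end to end, as an added PowerShell example (not from the deck or from Microsoft) using the ConfigCI cmdlets that ship with Windows 10 Enterprise. The working directory, certificate names and the choice of a clean reference PC are placeholders; signtool.exe comes from the Windows SDK.

```powershell
# Added example: create, audit, enforce and sign a Device Guard code integrity policy.

$Work = 'C:\DeviceGuard'
New-Item $Work -ItemType Directory -Force | Out-Null

# 1. Scan a clean, fully patched reference image. -Level Publisher trusts the signers
#    found; -Fallback Hash covers unsigned binaries; -UserPEs includes user-mode code so
#    UMCI is enforced, not only kernel drivers.
New-CIPolicy -Level Publisher -Fallback Hash -UserPEs -ScanPath 'C:\' -FilePath "$Work\InitialPolicy.xml"

# 2. Start in audit mode (rule option 3): blocked binaries are only logged to
#    Microsoft-Windows-CodeIntegrity/Operational (event 3076) instead of being stopped.
Set-RuleOption -FilePath "$Work\InitialPolicy.xml" -Option 3
ConvertFrom-CIPolicy -XmlFilePath "$Work\InitialPolicy.xml" -BinaryFilePath "$Work\SIPolicy.bin"
Copy-Item "$Work\SIPolicy.bin" 'C:\Windows\System32\CodeIntegrity\SIPolicy.p7b'   # reboot to activate

# 3. After the audit period, fold what the log flagged into the policy.
function Update-CIPolicyFromAudit {
    New-CIPolicy -Audit -Level Publisher -Fallback Hash -UserPEs -FilePath "$Work\AuditPolicy.xml"
    Merge-CIPolicy -PolicyPaths "$Work\InitialPolicy.xml", "$Work\AuditPolicy.xml" -OutputFilePath "$Work\MergedPolicy.xml"
}

# 4. Enforce and sign. A signed policy can only be replaced by one signed with a certificate
#    the policy itself lists (Add-SignerRule -Update), so keep that certificate offline:
#    losing it means the policy can never be changed on those machines.
function Publish-SignedCIPolicy([string]$Xml, [string]$SignerCer, [string]$CertSubject) {
    Set-RuleOption -FilePath $Xml -Option 3 -Delete                 # leave audit mode
    Set-RuleOption -FilePath $Xml -Option 6 -Delete                 # stop accepting unsigned policies
    Add-SignerRule -FilePath $Xml -CertificatePath $SignerCer -Kernel -User -Update
    ConvertFrom-CIPolicy -XmlFilePath $Xml -BinaryFilePath "$Work\SIPolicy.bin"
    # Policy signing requires the 1.3.6.1.4.1.311.79.1 EKU on the signing certificate.
    & signtool.exe sign -v /n $CertSubject -p7 $Work -p7co 1.3.6.1.4.1.311.79.1 -fd sha256 "$Work\SIPolicy.bin"
    Copy-Item "$Work\SIPolicy.bin.p7" 'C:\Windows\System32\CodeIntegrity\SIPolicy.p7b'
}

# Update-CIPolicyFromAudit
# Publish-SignedCIPolicy "$Work\MergedPolicy.xml" "$Work\ContosoCISigning.cer" 'Contoso CI Policy Signing'
```

Keep the reference image minimal: every signer the scan finds becomes trusted, so a reference PC with stray software grants those publishers a permanent allow on the whole fleet.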

Resources
- Credential Guard: https://technet.microsoft.com/en-us/library/mt483740(v=vs.85).aspx
- Microsoft Passport: https://technet.microsoft.com/en-us/library/dn985839(v=vs.85).aspx
- Device Guard: https://technet.microsoft.com/en-us/library/dn986865(v=vs.85).aspx
- Enterprise Data Protection: https://technet.microsoft.com/en-us/library/dn985838(v=vs.85).aspx
- Windows Hello: http://windows.microsoft.com/en-us/windows-10/getstarted-what-is-hello

9/23/2015 9:14 AM. 2010 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.