
Windows Server 2008 : New features and how they help manage and secure virtualized environments

Windows Server 2008 : New features and how they help manage and secure virtualized environments. Kirk Munro, MVP Sr. Software Developer Quest Software poshoholic@hotmail.com http://poshoholic.com . Managing Windows Server 2008. Server Manager. Initial Configuration. Product Installation.





Presentation Transcript


  1. Windows Server 2008: New features and how they help manage and secure virtualized environments Kirk Munro, MVP • Sr. Software Developer • Quest Software • poshoholic@hotmail.com • http://poshoholic.com

  2. Managing Windows Server 2008 Server Manager Initial Configuration Product Installation

  3. demo • Server Manager

  4. Read-Only Domain Controller (RODC) (diagram: Main Office hub and Remote Site RODC) • Features • Read-only Active Directory database • Only allowed user passwords are stored on the RODC • Unidirectional replication • Role separation • Benefits • Increases security for remote domain controllers where physical security cannot be guaranteed • Support • ADFS, DNS, DHCP, FRS V1, DFSR (FRS V2), Group Policy, IAS/VPN, DFS, SMS, ADSI queries, MOM

  5. Why Branch Offices Asked for RODC (diagram: Branch RODC and Hub Windows Server 2008 DC, steps 1 to 6) • 1. User logs on and authenticates • 2. RODC looks in its DB: "I don't have the user's secrets" • 3. RODC forwards the request to the Windows Server 2008 DC • 4. Windows Server 2008 DC authenticates the request • 5. Returns the authentication response and TGT back to the RODC • 6. RODC gives the TGT to the user and the RODC will cache the credentials

  6. How RODC Mitigates “Stolen DC” Issues Hub Admin Perspective • Attacker Perspective
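The branch logon flow from slides 4 and 5 and the "stolen DC" exposure from slide 6, as an added toy model (not Microsoft code and not from the deck): a writable hub DC holds every secret, the RODC forwards logons it cannot satisfy locally and caches a credential only when its Password Replication Policy (PRP) allows it. Account names, secrets and the PRP sets are constructed sample data; a real RODC fills its cache through replication after the hub answers rather than by copying the secret inline.

```python
from dataclasses import dataclass, field


@dataclass
class WritableDC:
    """Hub DC: holds every account secret (constructed sample data)."""
    secrets: dict

    def authenticate(self, user: str, secret: str) -> bool:
        return self.secrets.get(user) == secret


@dataclass
class RODC:
    """Branch RODC with a Password Replication Policy; 'denied' wins over 'allowed'."""
    hub: WritableDC
    prp_allowed: set
    prp_denied: set
    cache: dict = field(default_factory=dict)      # secrets the RODC may hold locally
    forwarded: list = field(default_factory=list)  # logons sent over the WAN to the hub

    def logon(self, user: str, secret: str) -> bool:
        # Step 2: look in the local read-only DB for a cached secret.
        if user in self.cache:
            return self.cache[user] == secret
        # Steps 3-4: forward to the writable DC, which authenticates.
        self.forwarded.append(user)
        ok = self.hub.authenticate(user, secret)
        # Steps 5-6: after a successful answer, cache only PRP-allowed accounts.
        if ok and user in self.prp_allowed and user not in self.prp_denied:
            self.cache[user] = secret
        return ok

    def exposed_if_stolen(self) -> set:
        # Physical theft of the RODC exposes the cached set only, never the hub's full DB.
        return set(self.cache)


def branch_scenario() -> dict:
    """Constructed branch office: two users plus a domain admin denied by the PRP."""
    hub = WritableDC({"alice": "pw-a", "bob": "pw-b", "da-admin": "pw-d"})
    rodc = RODC(hub, prp_allowed={"alice", "da-admin"}, prp_denied={"da-admin"})
    results = {
        "alice_first": rodc.logon("alice", "pw-a"),   # forwarded, then cached
        "alice_second": rodc.logon("alice", "pw-a"),  # served from the local cache
        "bob": rodc.logon("bob", "pw-b"),             # forwarded, never cached
        "admin": rodc.logon("da-admin", "pw-d"),      # forwarded, denied from cache
        "bad_pw": rodc.logon("alice", "wrong"),       # local check fails
    }
    results["forwarded"] = list(rodc.forwarded)
    results["exposed"] = rodc.exposed_if_stolen()
    return results
```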

  7. Windows Server Core (diagram: Server Core = Security, TCP/IP, File Systems, RPC, plus other core server sub-systems; roles on top: Hyper-V, AD DS, AD LDS, DHCP, DNS, File, Print, Media, IIS7; not installed: GUI, CLR, Shell, IE, OE, etc.) • Small subset of the executable files and DLLs installed • No GUI interface, no .NET, no PowerShell • Nine available Server Roles • Managed with remote tools

  8. demo • Server Core

  9. Active Directory Improvements • Now called Active Directory Domain Services • Fine Grained Password Control • Restartable Domain Services • Improved Auditing • Improved Disaster Recovery • Server Core Role • Fully IPv6 compliant

  10. Admin Role Separation • Problem: • Too many accounts in the Domain Admins group • Most of these DAs are really server admins (patch management, etc.) • Solution: • Provides a new “local administrator” level of access per Read-Only Domain Controller • Also includes all Builtin groups (Backup Operators, etc.) • Prevents “accidental” Active Directory modifications by machine administrators • Does not prevent a “local administrator” from maliciously modifying the local DB • This is only a true security feature for a Read-Only DC

  11. BitLocker™ Drive Encryption (diagram: Full Volume Encryption Key (FVEK), Encryption Policy) • Group Policy allows a central encryption policy and provides branch office protection • Provides data protection even when the system is in unauthorized hands or is running a different or exploiting operating system • Uses a v1.2 TPM or USB flash drive for key storage

  12. Address Space Location Randomization (ASLR) • Prior to Windows Vista • Executables and DLLs load at fixed locations • Buffer overflows commonly relied on known system function addresses to cause specific code to execute • The Windows Vista loader bases modules at one of 256 random points in the address space • OS images now include relocation information • Relocation performed once per image and shared across processes • User stack locations are also randomized

  13. Malware Protection with ASLR (diagram: two address-space layouts of USER32, ntdll, kernel32, GDI32, RPCRT4, ADVAPI32 and msvcrt between 0x7d000000 and 0x73000000; in the fixed layout the ATTACK arrows land on known module addresses, in the Windows Server 2008 layout the modules are relocated and the same arrows miss)

  14. Service Hardening • System services presented a large attack target • Many were network facing and running as SYSTEM • Bugs allowed for privilege elevation attacks • Security Improvements • Concept of least privilege applied to services • Give few services full SYSTEM control • Reduce which services can use the network • Limit system exposure in case of compromise • “Sandbox” such low privileged services • Limit the damage to Windows in case of take over

  15. Service Hardening • Service-specific SIDs permit a service’s access to objects to be limited • Only required objects give SID access • Specified by most Windows 2008 services • SIDs are marked disabled until service starts • Firewall policy can be applied to service SID (and many services are now blocked at the firewall) • Write-restricted service processes further limit write access • Can only modify objects allowing WRITE for service SIDs
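Slide 15's per-service SIDs are derived from the service name, so a defender can compute them offline to recognise an S-1-5-80 SID in an ACL, audit event or firewall rule. This is an added example, not code from the deck or from Microsoft; the derivation (SHA-1 of the upper-cased UTF-16LE service name as five little-endian 32-bit sub-authorities) is the documented Windows scheme, and the candidate service names in the lookup are assumed to come from the host being investigated.

```python
import hashlib
import struct
from typing import Iterable, Optional

SERVICE_SID_PREFIX = "S-1-5-80"  # authority used for NT SERVICE\<name> accounts


def service_sid(service_name: str) -> str:
    """Derive the SID Windows assigns to NT SERVICE\\<service_name>.

    SHA-1 of the upper-cased name in UTF-16LE, split into five little-endian
    32-bit sub-authorities; the case of the service name does not matter.
    """
    digest = hashlib.sha1(service_name.upper().encode("utf-16-le")).digest()
    subs = struct.unpack("<5I", digest)  # 20-byte digest -> 5 DWORDs
    return SERVICE_SID_PREFIX + "-" + "-".join(str(s) for s in subs)


def is_service_sid(sid: str) -> bool:
    """True for a well-formed S-1-5-80 SID with exactly five sub-authorities."""
    parts = sid.split("-")
    return (sid.startswith(SERVICE_SID_PREFIX + "-")
            and len(parts) == 9
            and all(p.isdigit() for p in parts[1:]))


def resolve_service_sid(sid: str, candidate_services: Iterable[str]) -> Optional[str]:
    """Map a service SID seen in an ACL, event or firewall rule back to a service name.

    The hash is one-way, so resolution is a lookup over candidate names
    (for example the names listed by Get-Service on the host in question).
    """
    if not is_service_sid(sid):
        return None
    table = {service_sid(name): name for name in candidate_services}
    return table.get(sid)
```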

  16. Service Changes

  17. Windows PowerShell New Command-line shell & Scripting Language Improves productivity & control Accelerates automation of system admin Easy-to-use Works with existing scripts Remote server management via WMI

  18. Windows PowerShell Resources • TechNet ScriptCenter: Exchange Server 2007, Terminal Server, WMI, Registry, Hardware, etc., Community-Submitted scripts • PowerShellCommunity.org: hundreds of scripts • Books & Training Materials: Manning Publications, O’Reilly Media, Sapien Press & others… • Community Support: MS MVPs, PowerShell Team Blog, active newsgroup and user groups, Channel 9: DFO Show, IIS.net

  19. demo PowerShell

  20. Resources • Windows Server 2008: • Windows Server 2008 Administrator’s Companion by Charlie Russell • Administering Windows Server 2008 Server Core by John Paul Mueller • Core configuration commands – cscript C:\Windows\System32\SCRegEdit.wsf /cli • CoreConfigurator – user interface for key configuration items in Server Core • PowerShell: • My Blog: http://poshoholic.com • PowerShell Community Site: http://www.powershellcommunity.org • PowerGUI Community Site: http://www.powergui.org • TechNet Script Center: http://www.microsoft.com/technet/scriptcenter/default.mspx • PowerShell: TFM (2nd edition) by Don Jones (Sapien Press) • PowerShell in Action by Bruce Payette (Manning) • Key cmdlets to help you get started: Get-Help, Get-Command, Get-Alias, Get-Member, Get-PSDrive, Get-PSProvider, Get-PSSnapin • Bootcamp: • http://www.microsoft.ca/bootcamp (slide decks available June 1, 2008)

  21. Questions? Kirk Munro, MVP • Sr. Software Developer • Quest Software • poshoholic@hotmail.com • http://poshoholic.com
