DIM-B305

Dive into Shielded VMs withWindows Server 2016 Hyper-V

What’s the attack vector?

Who am I protecting against?

Why would I want to shield a VM?

Windows Server 2016 Hyper-V& Shielded VMs

attack types

Attack applications and infrastructure

Attack the virtualization fabric itself

in-common?

Insiderattacks

Phishing attacks

Fabricattacks

Pass-the-hash(PtH) attacks

Stolencredentials

Stolen admincredentials

Insiderattacks

Phishing attacks

Fabricattacks

These privileged accounts have the keys to the kingdom; we gave them those keys decades ago

But now, those administrators’ privileges are being compromised through social engineering, bribery, coercion, private initiatives, etc.

Administrative Privileges

A malicious fabric-admin up to no good…

Demonstration

A Hyper-V powered virtualization fabric capable of protectingtenant workloads from inspection, theft and tampering frommalware and system administrators both at rest as well as in-flight. These protected workloads are called “Shielded VMs”.

Shielded VM

Shielded VM

Host Guardian Service

Generation 2 VM

Security Assurance Goals

Encryption of data, both at-rest & in-flight

Fabric admins locked out

Attestation of host health required

NOTE: Shielding is not intended as a defense against DoS attacks

two modes of shielding

Shielded

Encryption Supported

NOTE: a VM’s shielding type is dictated/configured by the Shielding Data from which the shielded VM is born

who’s it for?

As a Hoster

As a Tenant

As an Enterprise

deployment scenarios

Enterprise private cloud

Public cloud: general hoster/tenant

Branch office

Compliance

Attacks are simple, sophisticated and everything in between … does that lead to a complex user-experience?

1.Convert an existing VM to a shielded VM

2.Create a new shielded VM

3.Attack a shielded VM

Demonstrations

Protect the virtualization fabric

Windows Server 2016

Demonstration of OpenStack managing a guarded fabric

3rd party fabric manager support

Protect the virtualization fabric

Windows Server 2016

Overview of the security model

Shielded VMs: A Guarded Fabric

Decryption keys: controlled by external system

Guest VM Shielded

VM

H Y P E R - V H O S T 1

+ K E Y P R O T E C T I O N

+ H E A L T H A T T E S T A T I O N

H O S T G U A R D I A N

S E R V I C E ( H G S )

WIN

DO

WS

S

ER

VE

R 2

01

6

HY

PE

R-

V H

OS

TS

Guest VM

GUARDED FABRIC

Guest VM

Guest VM Guest VM

H Y P E R - V H O S T 2

Guest VMGuest VM

Guest VM Guest VM

H Y P E R - V H O S T 3

Guest VMGuest VM

Why certainly, I know you & I must say you’re looking very healthy today!

Virtual Secure Mode

Virtual Secure Mode

Virtual Secure Mode

‘Hello, I’m HOST1, can I

have some keys, please?

Decryption keys: controlled by external system

Guest VM Shielded

VM

H Y P E R - V H O S T 1

+ K E Y P R O T E C T I O N

+ H E A L T H A T T E S T A T I O N

H O S T G U A R D I A N

S E R V I C E ( H G S )

Guest VM

GUARDED FABRIC

Guest VM

Guest VM Guest VM

H Y P E R - V H O S T 2

Guest VMGuest VM

Guest VM Guest VM

H Y P E R - V H O S T 3

Guest VMGuest VM

Sure, your certificate of

health authorizes me to release

keys to you for 8 hours

Virtual Secure Mode

Virtual Secure Mode

Virtual Secure Mode

OK, so I’m healthy then! Can I have

the keys now?

WIN

DO

WS

S

ER

VE

R 2

01

6

HY

PE

R-

V H

OS

TS

Attestation Modes

TPM-trusted

Complex setup/configuration Register each Hyper-V host’s TPM (EKpub) with the

guardian service

Baseline CI policy for each different hardware SKU

Optional: Deploy HSM and use HSM-backed certificates

Specific host hardware required Needs to support TPM v2.0 and UEFI 2.3.1

Highest levels of assurance Fabric-admin untrusted

Trust rooted in hardware

Compliance with code-integrity policy required for key-

release (attestation)

RECOMMENDED STEADY-STATE

Admin-trusted

Simplified Setup/Configuration Setup an Active Directory trust + register group

Authorize a Hyper-V host to run shielded VMs by

adding it to the Active Directory group

Leveraging Existing H/W H/W needs to support Hyper-V on Windows Server

2016

Weaker levels of assurance Fabric-admin is trusted

No hardware-rooted trust or measured-boot

No enforced code-integrity

INITIAL ADOPTION SIMPLIFIER

: TPM-trusted attestation

Trusted

Boot

Code

Integrity

Trusted

Boot

Code

IntegrityUEFI UEFI

All measurements valid?Guarded

Host

Shielded VM

Host Guardian Service

Attestation: validates the health of the host (boot and CI measurements)

: admin-trusted attestation

Trusted

Boot

Code

Integrity

Trusted

Boot

Code

IntegrityUEFI UEFI

Guarded

Host

Shielded VM

Host Guardian Service

Attestation: no boot measurements or code-integrity policies are taken into account

Correct AD group?

1. Pre-configure fabric for TPM-trusted attestation• Extract and upload baseline/TCGlog

• Generate, compile and upload CI policy

• Extract endorsement key (Ekpub) for host TPM

2. Convert fabric to TPM-trusted attestation

3. Malicious admin attacks CI policy of guarded host

Demonstrations

a few Spotlights

Generation 2 VMs onlyLeveraging virtual EFI, Secure boot, virtual TPM

Hyper-V Host: Windows Server 2016Guarded host requires Windows Server 2016 Datacenter edition

Shielded Guest VM OS supportWindows 8 / Windows Server 2012 or newer

vTPM not tied to physical TPMPermits VM mobility, e.g. Live Migration

restricting admin access

Capabilities that might expose VM state unavailable

Several virtual devices are removed

Requirements:

Host Guardian Service

Guarded hosts

Optional: Fabric Management

1. Setup Guarded Fabric…

a) Deploy and configure Host Guardian Service

b) Upgrade Hyper-V hosts and fabric manager

c) Configure Hyper-V hosts as guarded

1. get TPM’s endorsement key -> add to HGSNB: this task is performed once on each and every fabric Hyper-V host

2. get TPM’s baseline measurements -> add to HGSNB: this task is performed once for each type of server hardware

3. create code-integrity policy -> add to HGSNB: this task is performed once for each type of server hardware

4. Configure attestation and key protections endpoints

d) Run guarded fabric diagnostics

2. Create shielded VM fabric artifacts…

a) Prepare template disks for use by shielded VMs

b) Create shielded templates

4. Deploy/manage/maintain shielded VMs…

a) Create new shielded VMs on guarded fabric

b) Obtain/maintain BitLocker recovery keys per shielded VM

c) Troubleshoot failed shielded VMs as necessary

3. Create shielded VM tenant artifacts…

a) Obtain guardian key(s) from guarded fabric(s)

b) Create/obtain owner keys to protect your shielded VMs

c) Obtain volume signatures for trusted template disks

d) Create shielding data and upload to guarded fabric(s)

e) Ongoing management tasks (keys and misc. artifacts):

1. Maintain/protect owner keys

2. Maintain trusted volume signature catalogs

PHASE 1: HOSTER / I.T. staff…

PHASE 2: HOSTER / Fabric administrators…

PHASE 3: TENANT / I.T. Security staff…

PHASE 4: TENANT / VM owners…

Details:

build a PoC?

Minimalist (using nested virtualization)

More representative of production deployment

Compliance Mapping

ISO 27001: 2013 PCI DSS 3.2 FedRAMP; NIST 800-53 Revision 4

Enforcing Separation of

Duties

A.6.1.2– Segregation of duties 6.4.2 – Separation of duties between test

and production environments

AC-5 – Separation of Duties

Implementation of

Least Privilege Access

and Partitioning Tenant

Functionality

A.9.2.3 – Management of

privileged access rights

A.12.1.4 – Separation of

development, testing, and

operational environments

6.4.1 – Test and Production Environment

Separation

7.2 – User access control on need-to-

know basis

7.2.3 – Default “deny-all” setting

AC-6 – Least Privilege

AC-6 (10) – Prohibit Non-Privileged

Users from Executing Privileged

Functions

SC-2 – Application Partitioning

Protecting Information

Stored in Shared

Resources

None 8.7 – Restricted access to databases

containing cardholder data

SC-4 – Information in Shared Resources

Protection of Data at

Rest

A.8.2.3 – Media Access 3.4 – Verifying stored PAN is unreadable

3.4.1 – Disk encryption usage and access

control

6.5.3 – Insecure cryptographic storage

SC-28 – Protection of Information at Rest

SC-28(1) – Protection of Information at

Rest

Security Function

Verification and

Integrity Monitoring

None 11.5 – Change-detection mechanism

deployment

SI-6 – Security Function Verification

SI-7 – Software, Firmware, and

Information Integrity

takeaways

REMINDER: LIKELY DEPLOYMENT SCENARIOS

1. 11/30: DIM-B201 Windows Server 2016 -

通往混合云之路！

2. 11/30: DIM-B301 深入Windows Server,

Hyper-V, Storage开发与实践

3. 12/01: DIM-B303 实战：45分钟从零部署SDN

4. 12/02: DIM-B304 深入 Storage Space

Direct: 为 Hyper-V 设计的终极软件定义存储

5. 12/02: DIM-B305 深入 Windows Server

2016 Hyper-V 隔离虚拟机

www.microsoft.com/itprocareercenter

www.microsoft.com/itprocloudessentials

www.microsoft.com/mechanics

https://techcommunity.microsoft.com