
Active Directory

and Virtualization
Sander Berkouwer
Veeam Vanguard
Current Situation
Why do we virtualize Domain Controllers?

Challenges when virtualizing on Hyper-V
Challenges when virtualizing on Azure

Picking the right solution(s) for your challenges
Current situation
Why do we virtualize Domain Controllers?
Get Domain Controllers fast
Move Domain Controllers without downtime

Cost saving and cost predictability

Virtualization increases hardware usage
Hardware maintenance and upgrades become more

Less dependencies on hardware

Quickly add/remove hardware
Reduce hardware-related outages
Domain Controller Cloning
Virtualization-aware Active Directory
Windows Server 2012-based Domain Controllers detect:
When a snapshot has been applied
When a virtual hard disk is being reused

A feature of the virtualisation platform
Placed in the memory of each Virtual Machine

Not just Hyper-V

VMware vSphere 5.0 U4 +
VMware Workstation 9.0 +
Citrix Xenserver 6.2.0 +
Challenges when using Hyper-V
Integration Components (ICs)
Snapshots, backup and restore

Can you trust Hyper-V administrators?

Can you trust storage administrators?
Challenges when using Azure IaaS
Knowledge of Azure taxonomy and topology
Dynamic IPv4, IPv6 addressing
Azure IaaS v1 (ASM) vs. Azure IaaS v2 (ARM)

Under the hood Azure IaaS uses Hyper-V

Will you ever be able to report on a breach?
Why is this important?
Advanced Persistent Threats
Pass the Hash (PtH) attacks
Pass the Ticket (PtT) attacks
Kerberos Golden Tickets

Rogue and/or disgruntled admins

Legal organizational requirements
Job security
"If you can Ctrl-C, Ctrl-V, then you can hack VMs running on Hyper-V." - Ben Armstrong, Microsoft
Reality Check
A bit of Kerberos
Typical Kerberos flow
1. During startup/logon, the client requests a Ticket Granting Ticket (TGT) from the Key Distribution Center (KDC). The TGT is then processed client-side.
2. For accessing a service within the Kerberos Realm, the client requests a Service Ticket (TGS), based on the TGT, on any KDC.
3. Client presents the TGS to the
Based on authorization, access is granted (or not)
The Keys to the Kingdom
KRBTGT's account password signs everything
I don't need to ask for a TGT when I know the
Mitigating risk: Read-Only DCs have their own TGTs
TGTs and TGSs are processed and enforced client-side
I don't need to play by the rules to get access permissions
I can just insert the well-known SIDs I want into my TGT
Only restriction: maximum TGT lifetime of 10 years.
Mitigating risk: Authentication Policies can limit TGT lifetime
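A worked example of the last mitigation above, added here and not part of the presentation: a PowerShell script that creates an Authentication Policy capping the user TGT lifetime and assigns it to a privileged account. It assumes the ActiveDirectory module on a domain at Windows Server 2012 R2 functional level or later with KDC support for claims enabled; the policy name Tier0-ShortTGT and the account adm-jdoe are hypothetical.

```powershell
# Added example (not from the presentation). Assumes the ActiveDirectory module,
# Domain Functional Level 2012 R2+, and the "KDC support for claims, compound
# authentication and Kerberos armoring" setting enabled on the DCs.
# The policy name and the account name are hypothetical.
Import-Module ActiveDirectory

$policyName = 'Tier0-ShortTGT'   # hypothetical name
$account    = 'adm-jdoe'         # hypothetical privileged account

# Create an enforced policy with a 4-hour user TGT lifetime (240 minutes),
# instead of the domain-wide default of 10 hours.
New-ADAuthenticationPolicy -Name $policyName `
    -Description 'Short TGT lifetime for Tier 0 administrators' `
    -UserTGTLifetimeMins 240 `
    -Enforce `
    -ErrorAction Stop

# Assign the policy to the privileged account.
Set-ADUser -Identity $account -AuthenticationPolicy $policyName -ErrorAction Stop

# Verify the policy and list every account it applies to
# (msDS-AssignedAuthNPolicy holds the policy's distinguished name).
$policy = Get-ADAuthenticationPolicy -Identity $policyName
$policy | Select-Object Name, Enforce, UserTGTLifetimeMins
Get-ADUser -LDAPFilter "(msDS-AssignedAuthNPolicy=$($policy.DistinguishedName))" |
    Select-Object SamAccountName, DistinguishedName
```

The lifetime set this way applies only to TGTs the KDC issues for the assigned accounts, so it shortens the window in which a stolen ticket is useful; it does not change the domain Kerberos policy for everyone else. The built-in Protected Users group gives a similar effect (4-hour, non-renewable TGTs) without a custom policy.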
Ask yourself
Do you know all your Domain Controllers?
Do you still run Windows Server 2003 Domain Controllers?
Are all your organization's Domain Controllers physically secure?
Are all their backups physically secure?

Do you know your organization's admins?

Do you know your organization's processes?

Do you regularly reset KRBTGT passwords?
Do you use Install from Media (IfM) to deploy DCs at branch offices?
Reset KRBTGT Secret
KRBTGT Account Password Resets
KRBTGT account password is used to encrypt Kerberos
KRBTGT account password needs to be reset twice
Reset once to reset KRBTGT and make old secret
Reset twice to make old secret fall out of scope
Tip! Make sure the second reset is after the TGT lifetime (default: 10 hours)

Reset-KrbtgtKeyInteractive v1.7
Available from Microsoft since February 2014
Download from the TechNet Gallery
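An added example of one reset step of the procedure above, written for this page and not the Reset-KrbtgtKeyInteractive script the slide refers to. It performs a single KRBTGT password reset, but first refuses to run if the previous reset is younger than the TGT lifetime, which is the check the slide's tip asks for. It assumes the ActiveDirectory module, Domain Admin rights, an elevated session, and repadmin on the path; the 10-hour lifetime is the default the slide names and is a parameter.

```powershell
# Added example (not Microsoft's script). Run it once, wait at least the TGT
# lifetime, then run it again. Assumes ActiveDirectory module, Domain Admin
# rights and repadmin.exe available on the machine.
param(
    # Default "Maximum lifetime for user ticket"; adjust if your Kerberos policy differs.
    [int]$TgtLifetimeHours = 10
)
Import-Module ActiveDirectory

# Current state of the KRBTGT account. msDS-KeyVersionNumber goes up by one per reset.
$krbtgt  = Get-ADUser -Identity krbtgt -Properties pwdLastSet, 'msDS-KeyVersionNumber'
$lastSet = [DateTime]::FromFileTime($krbtgt.pwdLastSet)
$age     = (Get-Date) - $lastSet
"KRBTGT key version {0}, last set {1:u} ({2:N1} hours ago)" -f `
    $krbtgt.'msDS-KeyVersionNumber', $lastSet, $age.TotalHours

# Guard: the KDC keeps only the current and the previous key. A second reset inside
# the TGT lifetime pushes a key that is still in use out of scope and breaks live sessions.
if ($age.TotalHours -lt $TgtLifetimeHours) {
    throw ("Last reset was {0:N1} h ago; wait until {1} h have passed before resetting again." -f `
        $age.TotalHours, $TgtLifetimeHours)
}

# Nobody needs to know this value; use a long random one.
$bytes = New-Object byte[] 64
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$newPassword = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force

Set-ADAccountPassword -Identity krbtgt -Reset -NewPassword $newPassword -ErrorAction Stop

# Push the change to every DC right away so all KDCs know the new key.
repadmin /syncall /AdeP

$after = Get-ADUser -Identity krbtgt -Properties 'msDS-KeyVersionNumber'
"KRBTGT key version is now {0}" -f $after.'msDS-KeyVersionNumber'
```

Between the two runs, also confirm replication reached every DC (repadmin /showrepl), since a DC that still holds the old key will keep accepting tickets signed with it. Read-only Domain Controllers have their own KRBTGT accounts (krbtgt_<id>) and are not covered by this reset.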
Read-only Domain Controllers
Read-only Domain Controllers
Read-only Domain Controllers offer:
Read-only Active Directory database and DNS
RODC filtered attribute set
Unidirectional replication
Granular credential caching
Administrator role separation
Read-only Domain Controllers offer individual KRBTGT accounts
One Read-only Domain Controller supported per branch network
Identify Advanced Persistent Threats (APT) using behavioral analytics

Microsoft Advanced Threat Analytics

On-premises solution for access management
Cloud-based analytics based on Machine Learning

Microsoft Identity Protection

Cloud-based solution for access management analytics
Deploy Server Core / Nano Server
Server Core installations
Virtualization hosts without a Graphical User Interface (GUI)
Less susceptible to human error and to vulnerabilities
Smaller attack surface and fewer patches
2008 (R2): Choose at installation
2012 (R2): Choose at installation or add/remove after install
2016 : Choose at installation

Nano Server installations

Even smaller disk footprint and attack surface
Unfortunately AD DS Role is currently not available for Nano Server
Available for Windows Server 2016 with Software Assurance
Access Control Lists on VHD and VHDX files
Default ACLs on VHD(X)s
Administrators full control
SYSTEM full control
Hyper-V Administrators full control
<VMGUID> - Read and write

Change ACLs
Note: Administrators can take ownership
Hyper-V Administrators Group
Security group on Hyper-V hosts
Introduced with Windows 8, Windows Server 2012

Principle of least administrative privilege

Approach: remove Hyper-V Administrators from
Hyper-V Administrators have access to all Hyper-V
Hyper-V Administrators have full control on VHD(X)s
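An added audit script for the two previous sections, not part of the presentation: it lists who is in the host's Hyper-V Administrators group and which principals hold write rights on every VHD(X) attached to a VM, flagging the Hyper-V Administrators entries the slides call out. It assumes the Hyper-V module on a Windows Server 2016 (or Windows 10 PowerShell 5.1) host for Get-LocalGroupMember, and must run elevated on the host.

```powershell
# Added example (not from the presentation). Assumes the Hyper-V module and
# PowerShell 5.1+ (Get-LocalGroupMember); run elevated on the Hyper-V host.
Import-Module Hyper-V

# Any of the write bits; FullControl includes them all.
$writeBits = [int][System.Security.AccessControl.FileSystemRights]::Write

# 1. Who is in the built-in Hyper-V Administrators group on this host?
"== Members of BUILTIN\Hyper-V Administrators =="
Get-LocalGroupMember -Group 'Hyper-V Administrators' |
    Select-Object Name, ObjectClass, PrincipalSource

# 2. For every disk attached to a VM: which Allow ACEs grant write access?
"== VHD(X) ACL review (write-capable Allow entries) =="
foreach ($disk in Get-VM | Get-VMHardDiskDrive) {
    if (-not $disk.Path) { continue }          # pass-through disks have no file path
    $acl = Get-Acl -Path $disk.Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (([int]$ace.FileSystemRights -band $writeBits) -eq 0) { continue }

        # The slide's point: Hyper-V Administrators get full control by default.
        $flag = ''
        if ($ace.IdentityReference.Value -like '*\Hyper-V Administrators') { $flag = 'REVIEW' }

        [pscustomobject]@{
            VM       = $disk.VMName
            Path     = $disk.Path
            Identity = $ace.IdentityReference.Value
            Rights   = $ace.FileSystemRights
            Owner    = $acl.Owner
            Flag     = $flag
        }
    }
}
```

The `<VMGUID>` entry the slide lists shows up here as a virtual machine SID (S-1-5-83-...) with read and write rights; that one must stay, it is what the VM worker process uses. Removing the Hyper-V Administrators ACE only helps for accounts that are not also in Administrators, which, as the slide notes, can take ownership and re-grant themselves access.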
Integration Components
Integration Components
They're drivers and services for VMs
ICs enlighten Virtual Machines

OS shutdown, time synchronization, data exchange, heartbeat, backup and guest

In Azure IaaS, ICs offer the ability to reset the local admin password, etc.
Deploy BitLocker Drive Encryption
Support for virtualization hosts
BitLocker for boot and system volumes
BitLocker on Cluster Shared Volumes (CSVs)

Support in virtual machines

Data disks supported in Hyper-V and Azure IaaS
BitLocker supported on boot and system volumes with Windows Server 2016:
Generation 1 Virtual Machines
Generation 2 Virtual Machines

Support in Azure IaaS coming soon

Shielded Virtual Machines
New in Windows Server 2016 Hyper-V
Separation between workload and fabric admins
Host Guardian Service, responsible for VM LCM, built upon encryption and protected secrets
Two modes:
1. Hardware Trusted Attestation, based on TPMv2 in hosts
2. Administrator Attestation, based on AD group

A Shielded VM doesn't have a thumbnail in Hyper-V Manager, nor does it allow VM Connect to connect to
Integration components functionality is limited.
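A host-side check for the BitLocker and Shielded VM sections above, added here and not part of the presentation: it reports BitLocker state for the host's volumes, whether the host is a guarded host and in which attestation mode, and the per-VM shielding, vTPM and state-encryption settings, flagging VMs that are not shielded. It assumes a Windows Server 2016 Hyper-V host with the Hyper-V and BitLocker modules and the HGS client cmdlets present, run elevated.

```powershell
# Added example (not from the presentation). Assumes Windows Server 2016 Hyper-V
# with the Hyper-V, BitLocker and HgsClient modules available; run elevated on the host.
Import-Module Hyper-V
Import-Module BitLocker

# 1. BitLocker on the host's own volumes (boot/system volumes and locally mounted CSV paths).
"== Host BitLocker volumes =="
Get-BitLockerVolume |
    Select-Object MountPoint, VolumeType, VolumeStatus, ProtectionStatus, EncryptionMethod

# 2. Guarded-host status and attestation mode (TPM-trusted vs. admin-trusted is configured
#    on the HGS side; the client shows whether attestation currently passes).
"== Host Guardian Service client configuration =="
Get-HgsClientConfiguration |
    Select-Object Mode, IsHostGuarded, AttestationServerUrl, KeyProtectionServerUrl

# 3. Per-VM security settings. A vTPM is what lets a Generation 2 guest run BitLocker
#    on its system volume; Shielded adds the fabric-admin separation the slide describes.
"== VM security settings =="
foreach ($vm in Get-VM) {
    $sec  = Get-VMSecurity -VM $vm
    $flag = ''
    if (-not $sec.Shielded) { $flag = 'NOT SHIELDED' }
    [pscustomobject]@{
        VM           = $vm.Name
        Generation   = $vm.Generation
        Shielded     = $sec.Shielded
        vTPM         = $sec.TpmEnabled
        EncryptState = $sec.EncryptStateAndVmMigrationTraffic
        Flag         = $flag
    }
}
```

Run this on each host in the fabric, not just one: a Domain Controller VM that is shielded on one host but can be migrated to an unguarded host has not gained much.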
Virtualization wrapped into virtualization and identity wrapped into identity
Processes, processes, processes
Security Incident and Event Management
Technical State Compliancy Monitoring
Vulnerability Management
Availability Monitoring
Key Management
Change Management
Backup and Restore
Life Cycle Management
Domain Controllers contain sensitive information
Domain Controllers contain info on replication, accounts, credentials
DNS Servers contain caches on queries (visited sites)

Virtualizing Domain Controllers

Virtualizing Domain Controllers safely is not an easy task
Virtualizing Domain Controllers is not just a technical challenge

Ask yourself
Do you really want to virtualize Domain Controllers?
Thank you!