Website under construction



Download 13,37 Mb.
Pdf ko'rish
bet93/131
Sana27.03.2022
Hajmi13,37 Mb.
#512480
1   ...   89   90   91   92   93   94   95   96   ...   131
Bog'liq
9780735697744 Introducing Windows Server 2016 pdf

Rules for containers 
For Windows, the container image you download must be an OS image that matches the container 
host in respect of build and patch level. Table 3-1 details the support of what base image will run on 
what type of container host. 
Table 3-1:
Supported container images on container hosts 
 
Container OS runtime
 
 
Server Core 
Nano Server (AB1) 
Contai
ner
 Host
 OS
 
Deployme
nt
 
Server with UI (LTSB) Windows Server Containers 
and/or Hyper-V Containers 
Windows Server Containers 
and/or Hyper-V Containers 
Server Core (LTSB) 
Windows Server Containers 
and/or Hyper-V Containers 
Windows Server Containers 
and/or Hyper-V Containers 
Nano Server (AB1) 
Hyper-V Containers 
Windows Server Containers 
or Hyper-V Container 


105 
CHAPTER 3 | Application platform 
Patching a container host will require you to patch the container image and commit to ensure normal 
operation. 
Microsoft will provide an updated Windows Docker image on a monthly basis, which you can use to 
rebuild your container image. 
If you are planning on using Hyper-V containers inside a guest VM, you must ensure the following: 

Nested Virtualization is turned on for the container host 

There is at least 4 GB of RAM on the host 

You’re using Windows Server 2016 or Windows 10 for the host OS 

The container host guest VM needs at least two virtual processors 
There are additional images in the Docker repository that also follow the same rules. 
More info This book does not present a deep deployment guide for Windows Server containers. 
For more information, go to 
https://msdn.microsoft.com/virtualization/windowscontainers/ 
quick_start/manage_docker.
 


106 
CHAPTER 4 | Security and identity 
C H A P T E R

Security and 
identity 
Over the past several years, cybersecurity has been consistently rated as a 
top priority for IT. This is not surprising, given that top companies and 
government agencies are being publicly called out for being hacked and 
failing to protect their customers’ and employees’ personal information. 
On the other hand, with readily available tools and a lack of adequate protections, attackers are able 
to infiltrate large organizations and remain undetected for long periods of time while conducting 
exfiltration of secrets or attacking internal resources. 
In this chapter, we explore the layers of protection in Microsoft Windows Server 2016 that help 
address emerging threats and make it an active participant in your security defenses. First, we will 
describe the new shielded virtual machine solution that protects virtual machines (VMs) from attacks 
on the underlying fabric. 
Then, we introduce you to the extensive threat-resistance components built in to the Windows Server 
2016 operating system (OS) and the enhanced auditing events that can help security systems detect 
malicious activity. 
Last, we will share with you an end-to-end plan for securing privileged access based on existing and 
new capabilities in Windows Server. 


107 
CHAPTER 4 | Security and identity 
Shielded VMs 
By John Saville 
Today, in most virtual environments there are many types of administrators who have access to VM 
assets, such as storage. That includes virtualization administrators, storage administrators, network 
administrators, backup administrators, just to name just a few. Many organizations including hosting 
providers need a way to secure VMs—even from administrators—which is exactly what shielded VMs 
provides. Keep in mind that this protection from administrators is needed for a number of reasons. 
Here are just a few: 

Phishing attacks 

Stolen administrator credentials 

Insider attacks 
Shielded VMs provide protection for the data and state of the VM against inspection, theft, and 
tampering from administrator privileges. Shielded VMs work for Generation 2 VMs that provide the 
necessary secure startup, UEFI firmware, and virtual Trusted Platform Module (vTPM) 2.0 support 
required. Although the Microsoft Hyper-V hosts must be running Windows Server 2016, the guest OS 
in the VM can be Windows Server 2012 or above. 
A new Host Guardian Service instance is deployed in the environment, which stores the keys required 
for an approved Hyper-V host that can prove its health to run shielded VMs. 
A shielded VM provides the following benefits: 

BitLocker encrypted drives (utilizing its vTPM) 

A hardened VM worker process (VMWP) that encrypts live migration traffic in addition to its 
runtime state file, saved state, checkpoints, and even Hyper-V Replica files 

No console access in addition to blocking Windows PowerShell Direct, Guest File Copy Integration 
Components, and other services that provide possible paths from a user or process with 
administrative privileges to the VM 
How is this security possible? First, it’s important that the Hyper-V host has not been compromised 
before the required keys to access VM resources are released from the Host Guardian Service (HGS). 
This attestation can happen in one of two ways. The preferred way is by using the TPM 2.0 that is 
present in the Hyper-V host. Using the TPM, the boot path of the server is assured, which guarantees 
no malware or root kits are on the server that could compromise the security. The TPM secures 
communication to and from the HGS attestation service. For hosts that do not have a TPM 2.0, an 
alternate Active Directory–based attestation is possible; however, this merely checks whether the host 
is part of a configured Active Directory group. Therefore, it does not provide the same levels of 
assurance and protection from binary meddling and thus host administrator privileges for a 
sophisticated attacker. However, the same shielded VM features are available. 
After a host undergoes the attestation, it receives a health certificate from the attestation service on 
the HGS that authorizes the host to get keys released from the key protection service that also runs 
on the HGS. The keys are encrypted during transmission and can be decrypted only within a protected 
enclave that is new to Windows 10 and Windows Server 2016 (more on that later). These keys can 
then be used to decrypt the vTPM to make it possible for the VM to access its BitLocker-protected 
storage and start the VM. Therefore, only if a host is authorized and noncompromised will it be able 
to get the required key and turn on the VM’s access to the encrypted storage (not the administrator, 
though, as the virtual hard drive (VHD) remains encrypted on the drive). 


108 
CHAPTER 4 | Security and identity 
At this point, it might be self-defeating: If I am an administrator on the Hyper-V and the keys are 
released to the host to start the VM, I would be able to gain access to the memory of the host and 
get the keys, thus nullifying the very security that should protect VMs from administrative privileges. 
Fortunately, another new feature in Windows 10 and Windows Server 2016 prevents this from 
happening. This feature is the protected enclave mentioned earlier, which is known as Virtual Secure 
Mode (VSM). A number of components use this service, including Credential Guard. VSM is a secure 
execution environment in which secrets and keys are maintained and critical security processes run as 

Download 13,37 Mb.

Do'stlaringiz bilan baham:
1   ...   89   90   91   92   93   94   95   96   ...   131




Ma'lumotlar bazasi mualliflik huquqi bilan himoyalangan ©hozir.org 2024
ma'muriyatiga murojaat qiling

kiriting | ro'yxatdan o'tish
    Bosh sahifa
юртда тантана
Боғда битган
Бугун юртда
Эшитганлар жилманглар
Эшитмадим деманглар
битган бодомлар
Yangiariq tumani
qitish marakazi
Raqamli texnologiyalar
ilishida muhokamadan
tasdiqqa tavsiya
tavsiya etilgan
iqtisodiyot kafedrasi
steiermarkischen landesregierung
asarlaringizni yuboring
o'zingizning asarlaringizni
Iltimos faqat
faqat o'zingizning
steierm rkischen
landesregierung fachabteilung
rkischen landesregierung
hamshira loyihasi
loyihasi mavsum
faolyatining oqibatlari
asosiy adabiyotlar
fakulteti ahborot
ahborot havfsizligi
havfsizligi kafedrasi
fanidan bo’yicha
fakulteti iqtisodiyot
boshqaruv fakulteti
chiqarishda boshqaruv
ishlab chiqarishda
iqtisodiyot fakultet
multiservis tarmoqlari
fanidan asosiy
Uzbek fanidan
mavzulari potok
asosidagi multiservis
'aliyyil a'ziym
billahil 'aliyyil
illaa billahil
quvvata illaa
falah' deganida
Kompyuter savodxonligi
bo’yicha mustaqil
'alal falah'
Hayya 'alal
'alas soloh
Hayya 'alas
mavsum boyicha


yuklab olish