CHAPTER 3 | Application platform
Patching a container host also requires you to patch the container image and commit the result to ensure normal operation. Microsoft provides an updated Windows Docker image on a monthly basis, which you can use to rebuild your container image.
If you are planning on using Hyper-V containers inside a guest VM, you must ensure the following:
Nested Virtualization is turned on for the container host
There is at least 4 GB of RAM on the host
You’re using Windows Server 2016 or Windows 10 for the host OS
The container host guest VM needs at least two virtual processors
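As an added example (not part of the book), the following PowerShell, run on the physical Hyper-V host, applies and then verifies these prerequisites for a guest VM that will host Hyper-V containers; the VM name is an assumption. It also disables dynamic memory and turns on MAC address spoofing, which Microsoft's nested virtualization documentation requires but the list above does not mention.

```powershell
# Added example, not the book's code. Run on the PHYSICAL Hyper-V host.
$vmName = 'ContainerHostVM'   # assumed name of the guest VM that will run Hyper-V containers

# Nested virtualization can only be enabled while the VM is off.
Stop-VM -Name $vmName -ErrorAction SilentlyContinue

# Expose virtualization extensions (nested virtualization) and give the VM two virtual processors.
Set-VMProcessor -VMName $vmName -ExposeVirtualizationExtensions $true -Count 2

# Nested virtualization does not support dynamic memory; assign at least 4 GB statically.
Set-VMMemory -VMName $vmName -DynamicMemoryEnabled $false -StartupBytes 4GB

# Container networking inside the guest needs MAC address spoofing on the VM's adapter
# (a documented nested-virtualization requirement, not one of the book's four bullets).
Get-VMNetworkAdapter -VMName $vmName | Set-VMNetworkAdapter -MacAddressSpoofing On

Start-VM -Name $vmName

# Verify that the settings took effect.
$proc = Get-VMProcessor -VMName $vmName
$mem  = Get-VMMemory    -VMName $vmName
[pscustomobject]@{
    NestedVirtualization = $proc.ExposeVirtualizationExtensions   # expect True
    VirtualProcessors    = $proc.Count                            # expect 2 or more
    StartupMemoryGB      = $mem.Startup / 1GB                     # expect 4 or more
    DynamicMemory        = $mem.DynamicMemoryEnabled              # expect False
}

# Inside the guest, confirm the OS is Windows Server 2016 / Windows 10 (build 14393 or later)
# before installing the Containers feature:
#   (Get-CimInstance Win32_OperatingSystem).BuildNumber -ge 14393
#   Install-WindowsFeature Containers
```

The `Set-VM*` cmdlets are the standard Hyper-V module cmdlets; if `ExposeVirtualizationExtensions` reads `False` after the VM starts, the physical host itself lacks nested virtualization support or the VM was not fully off when the setting was applied.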
There are additional images in the Docker repository that also follow the same rules.
More info This book does not present a deep deployment guide for Windows Server containers. For more information, go to https://msdn.microsoft.com/virtualization/windowscontainers/quick_start/manage_docker.
CHAPTER 4 | Security and identity
Over the past several years, cybersecurity has been consistently rated as a top priority for IT. This is not surprising, given that top companies and government agencies are being publicly called out for being hacked and failing to protect their customers' and employees' personal information. At the same time, with readily available tools and a lack of adequate protections, attackers are able to infiltrate large organizations and remain undetected for long periods while exfiltrating secrets or attacking internal resources.
In this chapter, we explore the layers of protection in Microsoft Windows Server 2016 that help address emerging threats and make it an active participant in your security defenses. First, we describe the new shielded virtual machine solution that protects virtual machines (VMs) from attacks on the underlying fabric. Then, we introduce you to the extensive threat-resistance components built into the Windows Server 2016 operating system (OS) and the enhanced auditing events that can help security systems detect malicious activity. Last, we share an end-to-end plan for securing privileged access based on existing and new capabilities in Windows Server.
Shielded VMs
By John Saville
Today, in most virtual environments there are many types of administrators who have access to VM assets, such as storage. That includes virtualization administrators, storage administrators, network administrators, and backup administrators, to name just a few. Many organizations, including hosting providers, need a way to secure VMs even from administrators, which is exactly what shielded VMs provide. Keep in mind that this protection from administrators is needed for a number of reasons. Here are just a few:
Phishing attacks
Stolen administrator credentials
Insider attacks
Shielded VMs protect the data and state of the VM against inspection, theft, and tampering by anyone holding administrative privileges on the fabric. Shielded VMs require Generation 2 VMs, which provide the Secure Boot, UEFI firmware, and virtual Trusted Platform Module (vTPM) 2.0 support needed. Although the Microsoft Hyper-V hosts must be running Windows Server 2016, the guest OS in the VM can be Windows Server 2012 or later. A new Host Guardian Service (HGS) instance is deployed in the environment; it stores the keys required to start shielded VMs and releases them only to approved Hyper-V hosts that can prove their health.
A shielded VM provides the following benefits:
BitLocker encrypted drives (utilizing its vTPM)
A hardened VM worker process (VMWP) that encrypts live migration traffic in addition to its runtime state file, saved state, checkpoints, and even Hyper-V Replica files
No console access, in addition to blocking Windows PowerShell Direct, Guest File Copy Integration Components, and other services that provide possible paths from a user or process with administrative privileges to the VM
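As an added example (not the book's code), here is how these protections are applied to an existing Generation 2 VM on a guarded host, and how to verify them afterwards. The VM name, the guardian name, and the file paths are assumptions; the cmdlets are the Hyper-V and HgsClient cmdlets shipped with Windows Server 2016.

```powershell
# Added example, not the book's code. Run on a guarded Hyper-V host (Windows Server 2016).
$vmName       = 'Finance-SQL01'          # assumed: an existing Generation 2 VM, currently off
$guardianName = 'Relecloud-HGS'          # assumed: local name for the HGS guardian record
$hgsMetadata  = 'C:\HGS\HgsGuardian.xml' # assumed: guardian metadata downloaded from the HGS server
                                         # (documented path: http://<hgs>/KeyProtection/service/metadata/2014-07/metadata.xml)

# 1. Register the HGS key-protection "guardian" on this host once.
if (-not (Get-HgsGuardian -Name $guardianName -ErrorAction SilentlyContinue)) {
    Import-HgsGuardian -Path $hgsMetadata -Name $guardianName -AllowUntrustedRoot
}

# 2. The "owner" guardian holds the VM owner's key (tenant side). Create it once and back up its certificates.
$owner = Get-HgsGuardian -Name 'Owner' -ErrorAction SilentlyContinue
if (-not $owner) { $owner = New-HgsGuardian -Name 'Owner' -GenerateCertificates }
$guardian = Get-HgsGuardian -Name $guardianName

# 3. Build a key protector that only the HGS guardian (i.e. hosts that pass attestation) can unwrap.
$kp = New-HgsKeyProtector -Owner $owner -Guardian $guardian -AllowUntrustedRoot

# 4. Apply the key protector, enable the vTPM, and turn on the shielding policy. The VM must be off.
Stop-VM -Name $vmName -ErrorAction SilentlyContinue
Set-VMKeyProtector   -VMName $vmName -KeyProtector $kp.RawData
Enable-VMTPM         -VMName $vmName
Set-VMSecurityPolicy -VMName $vmName -Shielded $true
Start-VM -Name $vmName

# 5. Verify. Shielded = True means console, PowerShell Direct and Guest File Copy are blocked;
#    EncryptStateAndVmMigrationTraffic = True means state files, checkpoints, replica and
#    live-migration traffic are encrypted by the hardened VM worker process.
Get-VMSecurity -VMName $vmName |
    Select-Object VMName, Shielded, TpmEnabled, EncryptStateAndVmMigrationTraffic

# Guest side (run inside the VM once the vTPM is present): protect the OS volume with BitLocker
# using a TPM protector, so the VHD is unreadable if mounted on a host that cannot unlock the vTPM.
#   Enable-BitLocker -MountPoint 'C:' -TpmProtector -UsedSpaceOnly
```

Step 4 will fail if the VM is Generation 1 or if the host has not yet passed attestation against the HGS, because the key protector cannot be unwrapped to seed the vTPM.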
How is this security possible? First, it is important to establish that the Hyper-V host has not been compromised before the keys needed to access VM resources are released from the Host Guardian Service (HGS). This attestation can happen in one of two ways. The preferred way is by using the TPM 2.0 present in the Hyper-V host. With the TPM, the measured boot path of the server is checked against a known-good baseline and code-integrity policy, which gives assurance that no malware or rootkits that could compromise the security were loaded on the server. The TPM also secures communication to and from the HGS attestation service. For hosts that do not have a TPM 2.0, an alternate Active Directory-based attestation is possible; however, this merely checks whether the host is a member of a configured Active Directory group. It therefore does not provide the same level of assurance: it cannot detect tampering with the host's binaries, so a sophisticated attacker who gains host administrator privileges can defeat it. The same shielded VM features are available in either mode.
After a host passes attestation, it receives a health certificate from the attestation service on the HGS that authorizes the host to obtain keys from the key protection service, which also runs on the HGS. The keys are encrypted in transit and can be decrypted only within a protected enclave that is new to Windows 10 and Windows Server 2016 (more on that later). These keys are then used to unlock the vTPM, which in turn makes it possible for the VM to access its BitLocker-protected storage and start. Therefore, only a host that is authorized and not compromised can obtain the required key and enable the VM's access to its encrypted storage; the administrator cannot, because the virtual hard disk (VHD) remains encrypted on the drive.
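As an added example (not the book's code), the following shows the two attestation modes described above as they are configured on the HGS server, followed by the check a host administrator runs to confirm the host actually passed attestation before expecting keys to be released. The service name, host names, URLs, SID, and file paths are assumptions.

```powershell
# Added example, not the book's code.

# ---- On the HGS server, after Install-HgsServer has created the HGS forest ----

# Option A: TPM-trusted attestation (preferred). Each host must prove its TPM identity,
# its measured-boot baseline, and its code-integrity (CI) policy.
# -Http is fine for a lab; use -Https -HttpsCertificateThumbprint <thumbprint> in production.
Initialize-HgsServer -HgsServiceName 'hgs' -Http -TrustTpm

#   On each Hyper-V host, export its TPM endorsement key (assumed host name HV01) and copy the XML to HGS:
#     (Get-PlatformIdentifier -Name 'HV01').InnerXml | Out-File 'C:\HGS\HV01.xml' -Encoding UTF8
Add-HgsAttestationTpmHost   -Path 'C:\HGS\HV01.xml' -Name 'HV01'

#   Capture a boot baseline from a known-good reference host
#   (Get-HgsAttestationBaselinePolicy -Path 'C:\HGS\HV01-baseline.tcglog') and build a CI policy
#   (New-CIPolicy ... | ConvertFrom-CIPolicy ...), then register both; any host whose measured
#   boot or loaded binaries diverge from these fails attestation and receives no keys.
Add-HgsAttestationTpmPolicy -Path 'C:\HGS\HV01-baseline.tcglog' -Name 'Reference-Baseline'
Add-HgsAttestationCIPolicy  -Path 'C:\HGS\HostCIPolicy.p7b'    -Name 'Host-CI-Policy'

# Option B: Active Directory-based (admin-trusted) attestation. Only group membership is checked,
# so a host in the group attests successfully even if its binaries have been tampered with.
# Initialize-HgsServer -HgsServiceName 'hgs' -Http -TrustActiveDirectory
# Add-HgsAttestationHostGroup -Name 'GuardedHosts' -Identifier '<SID of the fabric-domain host group>'

# Confirm the mode and the registered artifacts.
Get-HgsServer                 # reports the attestation operation mode
Get-HgsAttestationTpmHost
Get-HgsAttestationTpmPolicy
Get-HgsAttestationCIPolicy

# ---- On each Hyper-V host ----
# Point the host at the HGS attestation and key-protection endpoints (assumed DNS name).
Set-HgsClientConfiguration `
    -AttestationServerUrl   'http://hgs.relecloud.com/Attestation' `
    -KeyProtectionServerUrl 'http://hgs.relecloud.com/KeyProtection'

# The key protection service only releases keys to a host whose AttestationStatus is Passed.
$client = Get-HgsClientConfiguration
$client | Select-Object IsHostGuarded, AttestationStatus, AttestationSubstatus
if ($client.AttestationStatus -ne 'Passed') {
    throw "Host failed attestation ($($client.AttestationSubstatus)); shielded VMs cannot start here."
}
```

`AttestationSubstatus` is the field to read when a TPM-mode host fails: it distinguishes an unregistered TPM, a baseline mismatch, and a CI policy mismatch, which tells you whether the host is simply not enrolled or whether something in its boot path has changed.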
At this point, it might seem self-defeating: if I am an administrator on the Hyper-V host and the keys are released to the host to start the VM, I could read the memory of the host, recover the keys, and thus nullify the very security that is supposed to protect VMs from administrative privileges. Fortunately, another new feature in Windows 10 and Windows Server 2016 prevents this from happening. This feature is the protected enclave mentioned earlier, which is known as Virtual Secure Mode (VSM). A number of components use this service, including Credential Guard. VSM is a secure execution environment in which secrets and keys are maintained and critical security processes run as