Active Directory

and Virtualization
Sander Berkouwer
MCSE, MCITP, MCT, MVP
Veeam Vanguard
Dirteam.com
Agenda
Current Situation
Why do we virtualize Domain Controllers?

Challenges
Challenges when virtualizing on Hyper-V
Challenges when virtualizing on Azure
IaaS

Solutions
Picking the right solution(s) for your challenges
 People
Processes
Technology
Current situation
Why do we virtualize Domain Controllers?
Flexibility
Get Domain Controllers fast
Move Domain Controllers without downtime

Cost saving and cost predictability

Virtualization increases hardware usage
Hardware maintenance and upgrades become more
predictable

Less dependencies on hardware

Quickly add/remove hardware
Reduce hardware-related outages
Domain Controller Cloning
Virtualization-aware Active Directory
Windows Server 2012-based Domain Controllers detect:
When a snapshot has been applied
When a virtual hard disk is being reused

VM-GenerationID
A feature of the virtualisation platform
Placed in the memory of each Virtual Machine

Not just Hyper-V

VMware vSphere 5.0 U4 +
VMware Workstation 9.0 +
Citrix Xenserver 6.2.0 +
Challenges
Challenges when using Hyper-V
Performance
Integration Components (ICs)
Security
Snapshots, backup and restore

Can you trust Hyper-V administrators?

Can you trust storage administrators?
Challenges when using Azure IaaS
Connectivity
Knowledge of Azure taxonomy and topology
Dynamic IPv4, IPv6 addressing
Azure IaaS v1 (ASM) vs. Azure IaaS v2 (ARM)

Under the hood Azure IaaS uses Hyper-V

Will you ever be able to report on a breach?
Why is this important?
Advanced Persistent Threats
Pass the Hash (PtH) attacks
Pass the Ticket (PtT) attacks
Kerberos Golden Tickets

Rogue and/or disgruntled admins

Security
Legal organizational requirements
Job security
If you can Ctrl-C, Ctrl-
V, than you can hack
VMs running on Hyper-
V. - Ben Armstrong, Microsoft
Reality Check
A bit of Kerberos
Typical Kerberos flow
TGT 1. During startup, logon the client
requests a Ticket Granting
Ticket (TGT) from the Key
TGS
1 Distribution Center (KDC). The
2 TGT is then processed clientside
2. For accessing a service within
3 the Kerberos Realm, the client
requests a Service Ticket (TGS),
based on the TGT on any KDC.
3. Client presents the TGS to the
service.
Based on authorization, access
is granted (or not)
The Keys to the Kingdom
KRBTGTs account password signs everything
I dont need to ask for a TGT when I know the
password
Mitigating risk: Read-Only DCs have their own TGTs
TGTs and TGSs are processed and enforced client-side
I dont need to play by the rules to get access permissions
I can just insert the well-known SIDs I want into my TGT
Only restriction: maximum TGT lifetime of 10 years.
Mitigating risk: Authentication Policies can limit TGT lifetime
Ask yourself
Do you know all your Domain Controllers?
Do you still run Windows Server 2003 Domain Controllers?
Are all your organizations Domain Controllers physically secure?
Are all their backups physically secure?

Do you know your organizations admins?

Do you know your organizations processes?

Do you regularly reset KRBTGT passwords?
Do you use Install from Media (IfM) to deploy DCs at branch offices
Solutions
Reset KRBTGT Secret
KRBTGT Account Password Resets
KRBTGT account password is used to encrypt Kerberos
TGTs, TGSs
KRBTGT account password needs to be reset twice
Reset once to reset KRBTGT and make old secret
secondary
Reset twice to make old secret fall out of scope
Tip! Make sure second reset is after TGT Lifetime
(default: 10 hours)

Reset-KrbtgtKeyInteractive v1.7
Available from Microsoft since Februari 2014
Download from the TechNet Gallery
Reset-KrbtgtKeyInteractive.ps1
Read-only Domain Controllers
Read-only Domain Controllers
Read-only Domain Controllers offer:
Read-only Active Directory database and DNS
RODC filtered attribute set
Unidirectional replication
Granular credential caching
Administrator role separation
Read-only Domain Controllers offer individual KRBTGT accounts
One Read-only Domain Controller supported per branch network
Analytics
Identify Advanced Persistent Threats
(APT) using behavioral analytics

Microsoft Advanced Threat Analytics

On-premises solution for access management
analytics
Cloud-based analytics based on Machine Learning

Microsoft Identity Protection

Cloud-based solution for access management analytics
Deploy Server Core / Nano Server
Server Core installations
Virtualization hosts without a Graphical User Interface (GUI)
Less susceptive to human error and to vulnerabilities
Smaller attack surface and less patches
2008 (R2): Choose at installation
2012 (R2): Choose at installation of add/remove after install
2016 : Choose at installation

Nano Server installations

Even smaller disk footprint and attack surface
Unfortunately AD DS Role is currently not available for Nano Server
Available for Windows Server 2016 with Software Assurance
Access Control Lists on VHD and VHDX files
Default ACLs on VHD(X)s
Administrators full control
SYSTEM full control
Hyper-V Administrators full control
<VMGUID> - Read and write

Change ACLs
Note: Administrators can take ownership
Hyper-V Administrators Group
Security group on Hyper-V hosts
Introduced with Windows 8, Windows Server 2012

Principle of least administrative privilege

Approach: remove Hyper-V Administrators from
Administrators
Hyper-V Administrators have access to all Hyper-V
features
Hyper-V Administrators have full control on VHD(X)s
Integration Components
Integration Components
Theyre drivers and services for VMs
ICs enlighten Virtual Machines

Capabilities
OS shutdown, time synchronization, data
exchange, heartbeat, backup and guest
services

In Azure IaaS, ICs offer ability to reset

local admin password, etc.
Deploy BitLocker Drive Encryption
Support for virtualization hosts
BitLocker for boot and system volumes
BitLocker on Cluster Shared Volumes (CSVs)

Support in virtual machines

Data disks supported in Hyper-V and Azure IaaS
BitLocker supported on boot and system volumes with
Windows Server 2016:
Generation 1 Virtual Machines
Generation 2 Virtual Machines

Support in Azure IaaS coming soon

Shielded Virtual Machines
New in Windows Server 2016 Hyper-V
Separation between workload and fabric admins
Host Guardian Service, responsible for VM LCM built upon
encryption and protected secrets
Two modes:
1. Hardware Trusted Attestation, based on TPMv2 in hosts
2. Administrator Attestation, based on AD group
membership

A Shielded VM doesnt have a thumbnail in Hyper-V

Manager, nor does it allow VM Connect to connect to
it.
Integration components functionality is limited.
Virtualization wrapped into virtualization and
identity wrapped into identity
Processes, processes, processes
Monitoring
Security Incident and Event Management
Technical State Compliancy Monitoring
Vulnerability Management
Availability Monitoring
Key Management
Change Management
Auditing
Communication
Documentation
Backup and Restore
Life Cycle Management
Concluding
Concluding
Domain Controllers contain sensitive information
Domain Controllers contain info on replication, accounts, credentials
DNS Servers contain caches on queries (visited sites)

Virtualizing Domain Controllers

Virtualizing Domain Controllers safely is not an easy task
Virtualizing Domain Controllers is not just a technical challenge

Ask yourself
Do you really want to virtualize Domain Controllers?
Questions?
Thank you!