and Virtualization
Sander Berkouwer
MCSE, MCITP, MCT, MVP
Veeam Vanguard
Dirteam.com
Agenda
Current Situation
Why do we virtualize Domain Controllers?
Challenges
Challenges when virtualizing on Hyper-V
Challenges when virtualizing on Azure IaaS
Solutions
Picking the right solution(s) for your challenges
People
Processes
Technology
Current situation
Why do we virtualize Domain Controllers?
Flexibility
Get Domain Controllers fast
Move Domain Controllers without downtime
VM-GenerationID
A feature of the virtualisation platform
Placed in the memory of each Virtual Machine
Security
Legal organizational requirements
Job security
"If you can Ctrl-C, Ctrl-V, then you can hack VMs running on Hyper-V." - Ben Armstrong, Microsoft
Reality Check
A bit of Kerberos
Typical Kerberos flow
1. During startup or logon, the client requests a Ticket Granting Ticket (TGT) from the Key Distribution Center (KDC). The TGT is then processed client-side.
2. For accessing a service within the Kerberos realm, the client requests a Service Ticket (TGS), based on the TGT, from any KDC.
3. The client presents the TGS to the service. Based on authorization, access is granted (or not).
The Keys to the Kingdom
The KRBTGT account's password signs everything
I don't need to ask for a TGT when I know the password
Mitigating risk: Read-Only DCs have their own TGTs
TGTs and TGSs are processed and enforced client-side
I don't need to play by the rules to get access permissions
I can just insert the well-known SIDs I want into my TGT
Only restriction: maximum TGT lifetime of 10 years.
Mitigating risk: Authentication Policies can limit TGT lifetime
Ask yourself
Do you know all your Domain Controllers?
Do you still run Windows Server 2003 Domain Controllers?
Are all your organization's Domain Controllers physically secure?
Are all their backups physically secure?
Reset-KrbtgtKeyInteractive v1.7
Available from Microsoft since February 2014
Download from the TechNet Gallery
Reset-KrbtgtKeyInteractive.ps1
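The two mitigations the deck names for "the keys to the kingdom" are periodic KRBTGT key resets and Authentication Policies that cap TGT lifetime. The following is an added PowerShell example, not part of the presentation or the Reset-KrbtgtKeyInteractive script; it assumes the ActiveDirectory RSAT module, a Windows Server 2012 R2 domain functional level for the policy part, and the threshold, policy name and lifetime values are assumptions to adjust to your own policy.

```powershell
# Added example: audit KRBTGT key age and cap admin TGT lifetime.
# Assumes the ActiveDirectory module (RSAT) and rights to read the
# krbtgt accounts; the policy function additionally needs domain
# admin rights and a 2012 R2 domain functional level.
Import-Module ActiveDirectory

function Get-KrbtgtPasswordAge {
    param([int]$MaxAgeDays = 180)   # assumed threshold for "needs reset"

    # Writable DCs share the single 'krbtgt' account; every RODC has its
    # own 'krbtgt_<number>' account, which is why a stolen RODC does not
    # hand out the domain-wide signing key (the deck's RODC mitigation).
    $accounts = Get-ADUser -LDAPFilter '(sAMAccountName=krbtgt*)' `
                           -Properties PasswordLastSet

    foreach ($a in $accounts) {
        $age = (Get-Date) - $a.PasswordLastSet
        [pscustomobject]@{
            Account         = $a.SamAccountName
            Scope           = if ($a.SamAccountName -eq 'krbtgt') { 'All writable DCs' } else { 'Single RODC' }
            PasswordLastSet = $a.PasswordLastSet
            AgeDays         = [int]$age.TotalDays
            NeedsReset      = $age.TotalDays -gt $MaxAgeDays
        }
    }
}

function New-ShortTgtPolicy {
    param(
        [string]$Name = 'Tier0-ShortTGT',      # assumed policy name
        [int]$TgtLifetimeMinutes = 240,        # 4 h instead of the 10 h domain default
        [string[]]$Accounts                    # sAMAccountNames of admin accounts to protect
    )
    # An Authentication Policy overrides the domain-wide TGT lifetime for the
    # accounts assigned to it, so a forged or stolen TGT for these accounts
    # expires sooner. Requires KDC support for claims and Kerberos armoring.
    $policy = New-ADAuthenticationPolicy -Name $Name `
                  -UserTGTLifetimeMins $TgtLifetimeMinutes -Enforce:$true -PassThru
    foreach ($sam in $Accounts) {
        Set-ADUser -Identity $sam -AuthenticationPolicy $policy
    }
    return $policy
}

# Read-only check; the policy function is only called deliberately.
Get-KrbtgtPasswordAge | Format-Table -AutoSize
```

Run the audit first on every domain, including RODC accounts, and only then reset keys with the script above (twice, with a replication interval in between, so tickets issued under the previous key keep working during the rollover).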
Read-only Domain Controllers
Read-only Domain Controllers offer:
Read-only Active Directory database and DNS
RODC filtered attribute set
Unidirectional replication
Granular credential caching
Administrator role separation
Read-only Domain Controllers offer individual KRBTGT accounts
One Read-only Domain Controller supported per branch network
Analytics
Identify Advanced Persistent Threats (APT) using behavioral analytics
Change ACLs
Note: Administrators can take ownership
Hyper-V Administrators Group
Security group on Hyper-V hosts
Introduced with Windows 8, Windows Server 2012
Capabilities
OS shutdown, time synchronization, data exchange, heartbeat, backup and guest services
Ask yourself
Do you really want to virtualize Domain Controllers?
Questions?
Thank you!