Tag Archives: sophisticated

Microsoft’s new approach to hybrid: Azure services when and where customers need them | Innovation Stories

As business computing needs have grown more complex and sophisticated, many enterprises have discovered they need multiple systems to meet various requirements – a mix of technology environments in multiple locations, known as hybrid IT or hybrid cloud.

Technology vendors have responded with an array of services and platforms – public clouds, private clouds and the growing edge computing model – but there hasn’t necessarily been a cohesive strategy to get them to work together.

“We got here in an ad hoc fashion,” said Erik Vogel, global vice president for customer experience for HPE GreenLake at Hewlett Packard Enterprise. Customers didn’t have a strategic model to work from.

Instead, he said, various business owners in the same company may have bought different software as a service (SaaS) applications, or developers may have independently started leveraging Amazon Web Services, Azure or Google Cloud Platform to develop a set of applications.

At its Ignite conference this week in Orlando, Florida, Microsoft announced its solution to such cloud sprawl. The company has launched a preview of Azure Arc, which offers Azure services and management to customers on other clouds or infrastructure, including those offered by Amazon and Google.

John JG Chirapurath, general manager for Azure data, blockchain and artificial intelligence at Microsoft, said the new service is both an acknowledgement of, and a response to, the reality that many companies face today. They are running various parts of their businesses on different cloud platforms, and they also have a lot of data stored on their own new or legacy systems.

In all those cases, he said, these customers are telling Microsoft they could use the benefits of Azure cloud innovation whether or not their data is stored in the cloud, and they could benefit from having the same Azure capabilities – including security safeguards – available to them across their entire portfolio.

“We are offering our customers the ability to take their services, untethered from Azure, and run them inside their own datacenter or in another cloud,” Chirapurath said.

Microsoft says Azure Arc builds on years of work the company has done to serve hybrid cloud needs. For example, Azure Resource Manager, released in 2014, was created with the vision that it would manage resources outside of Azure, including in companies’ internal servers and on other clouds.

That flexibility can help customers operate their services on a mix of clouds more efficiently, without purchasing new hardware or switching among cloud providers. Companies can use a public cloud to obtain computing power and data storage from an outside vendor, but they can also house critical applications and sensitive data on their own premises in a private cloud or server.

Then there’s edge computing, which stores data where the user is, in between the company and the public cloud: for example, on their customers’ mobile devices or on sensors in smart buildings like hospitals and factories.


That’s compelling for companies that need to run AI models on systems that aren’t reliably connected to the cloud, or to make computations more quickly than if they had to send large amounts of data to and from the cloud. But it also must work with companies’ cloud-based, internet-connected systems.

“A customer at the edge doesn’t want to use different app models for different environments,” said Mark Russinovich, Azure chief technology officer. “They need apps that span cloud and edge, leveraging the same code and same management constructs.”

Streamlining and standardizing a customer’s IT structure gives developers more time to build applications that produce value for the business instead of managing multiple operating models. And enabling Azure to integrate administrative and compliance needs across the enterprise – automating system updates and security enhancements – brings additional savings in time and money.

“You begin to free up people to go work on other projects, which means faster development time, faster time to market,” said HPE’s Vogel. HPE is working with Microsoft on offerings that will complement Azure Arc.

Arpan Shah, general manager of Azure infrastructure, said Azure Arc allows companies to use Azure’s governance tools for their virtual machines, Kubernetes clusters and data across different locations, helping ensure companywide compliance on things like regulations, security, spending policies and auditing tools.

Azure Arc is underpinned in part by Microsoft’s commitment to technologies that customers are using today, including virtual machines, containers and Kubernetes, an open source system for organizing and managing containers. That makes clusters of applications easily portable across a hybrid IT environment – to the cloud, the edge or an internal server.

“It’s easy for a customer to put that container anywhere,” Chirapurath said. “Today, you can keep it here. Tomorrow, you can move it somewhere else.”

Microsoft says these latest Azure updates reflect an ongoing effort to better understand the complex needs of customers trying to manage their Linux and Windows servers, Kubernetes clusters and data across environments.

“This is just the latest wave of this sort of innovation,” Chirapurath said. “We’re really thinking much more expansively about customer needs and meeting them according to how they’d like to run their applications and services.”

Top image: Erik Vogel, global vice president for customer experience for HPE GreenLake at Hewlett Packard Enterprise, with a prototype of memory-driven computing. HPE is working with Microsoft on offerings that will complement Azure Arc. Photo by John Brecher for Microsoft.

Author: Microsoft News Center

What is the Hyper-V Core Scheduler?

In the past few years, sophisticated attackers have targeted vulnerabilities in CPU acceleration techniques. Cache side-channel attacks represent a significant danger. They magnify on a host running multiple virtual machines. One compromised virtual machine can potentially retrieve information held in cache for a thread owned by another virtual machine. To address such concerns, Microsoft developed its new “HyperClear” technology pack. HyperClear implements multiple mitigation strategies. Most of them work behind the scenes and require no administrative effort or education. However, HyperClear also includes the new “core scheduler”, which might need you to take action.

The Classic Scheduler

Now that Hyper-V has all new schedulers, its original has earned the “classic” label. I wrote an article on that scheduler some time ago. The advanced schedulers do not replace the classic scheduler so much as they hone it. So, you need to understand the classic scheduler in order to understand the core scheduler. A brief recap of the earlier article:

  • You assign a specific number of virtual CPUs to a virtual machine. That sets the upper limit on how many threads the virtual machine can actively run.
  • When a virtual machine assigns a thread to a virtual CPU, Hyper-V finds the next available logical processor to operate it.

To keep it simple, imagine that Hyper-V assigns threads in round-robin fashion. Hyper-V does engage additional heuristics, such as trying to keep a thread with its owned memory in the same NUMA node. It also knows about simultaneous multi-threading (SMT) technologies, including Intel’s Hyper-Threading and AMD’s recent advances. That means that the classic scheduler will try to place threads where they can get the most processing power. Frequently, a thread shares a physical core with a completely unrelated thread — perhaps from a different virtual machine.

Risks with the Classic Scheduler

The classic scheduler poses a cross-virtual machine data security risk. It stems from the architectural nature of SMT: a single physical core can run two threads but has only one cache.

In my research, I discovered several attacks in which one thread reads cached information belonging to the other. I did not find any examples of one thread polluting the other’s data. I also did not see anything explicitly preventing that sort of assault.

On a physically installed operating system, you can mitigate these risks with relative ease by leveraging antimalware and following standard defensive practices. Software developers can make use of fencing techniques to protect their threads’ cached data. Virtual environments make things harder because the guest operating systems and binary instructions have no influence on where the hypervisor places threads.

The Core Scheduler

The core scheduler makes one fairly simple change to close the vulnerability of the classic scheduler: it never assigns threads from more than one virtual machine to any physical core. If it can’t assign a second thread from the same VM to the second logical processor, then the scheduler leaves it empty. Even better, it allows the virtual machine to decide which threads can run together.


We will walk through implementing the scheduler before discussing its impact.

Implementing Hyper-V’s Core Scheduler

The core scheduler has two configuration points:

  1. Configure Hyper-V to use the core scheduler
  2. Configure virtual machines to use two threads per virtual core

Many administrators miss that second step. Without it, a VM will always use only one logical processor on its assigned cores. Each virtual machine has its own independent setting.

We will start by changing the scheduler. You can change the scheduler at a command prompt (cmd or PowerShell) or by using Windows Admin Center.

How to Use the Command Prompt to Enable and Verify the Hyper-V Core Scheduler

For Windows and Hyper-V Server 2019, you do not need to do anything at the hypervisor level. You still need to set the virtual machines. For Windows and Hyper-V Server 2016, you must manually switch the scheduler type.

You can make the change at an elevated command prompt (PowerShell prompt is fine):

Note: if bcdedit does not accept the setting, ensure that you have patched the operating system.

Reboot the host to enact the change. If you want to revert to the classic scheduler, use “classic” instead of “core”. You can also select the “root” scheduler, which is intended for use with Windows 10 and will not be discussed further here.

To verify the scheduler, just run bcdedit by itself and look at the last line:

bcdedit

bcdedit will show the scheduler type by name. It will always appear, even if you disable SMT in the host’s BIOS/UEFI configuration.
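The two steps above (set the scheduler type, then read it back from the BCD store) wrapped into reusable functions, as an added example that is not part of the original article. It assumes an elevated PowerShell prompt on a Windows Server 2016 Hyper-V host and uses the `hypervisorschedulertype` BCD setting that bcdedit exposes; the function names are my own.

```powershell
# Added example (not the article's own code). Requires an elevated prompt.

function Get-HypervisorSchedulerType {
    # bcdedit with no arguments lists the boot entries; once the setting has been
    # applied, the {current} entry carries a line such as
    #   hypervisorschedulertype    Core
    # The value only takes effect after a reboot, so this reports the configured
    # type, not necessarily the one the running hypervisor is using.
    $hit = bcdedit | Select-String -Pattern '^\s*hypervisorschedulertype\s+(\S+)'
    if ($hit) {
        return $hit.Matches[0].Groups[1].Value.ToLower()
    }
    # No explicit entry: 2016 falls back to classic, 2019 to core (see the text above).
    return 'not set'
}

function Set-HypervisorSchedulerType {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('classic', 'core', 'root')]
        [string]$Type
    )
    $before = Get-HypervisorSchedulerType
    if ($before -eq $Type) {
        Write-Host "Scheduler already configured as '$Type'; nothing to do."
        return
    }
    # Same command the manual step uses; bcdedit writes to the system BCD store.
    bcdedit /set hypervisorschedulertype $Type | Out-Null
    if ($LASTEXITCODE -ne 0) {
        # Unpatched 2016 hosts do not recognise the setting at all.
        throw "bcdedit rejected hypervisorschedulertype=$Type; confirm the host is fully patched."
    }
    Write-Host "Scheduler changed from '$before' to '$Type'. Reboot the host to apply it."
}

# Usage: switch a 2016 host to the core scheduler, then confirm what the BCD store holds.
Set-HypervisorSchedulerType -Type core
Get-HypervisorSchedulerType
```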

How to Use Windows Admin Center to Enable the Hyper-V Core Scheduler

Alternatively, you can use Windows Admin Center to change the scheduler.

  1. Use Windows Admin Center to open the target Hyper-V host.
  2. At the lower left, click Settings. In most browsers, it will hide behind any URL tooltip you might have visible. Move your mouse to the lower left corner and it should reveal itself.
  3. Under Hyper-V Host Settings sub-menu, click General.
  4. Underneath the path options, you will see Hypervisor Scheduler Type. Choose your desired option. If you make a change, WAC will prompt you to reboot the host.


Note: If you do not see an option to change the scheduler, check that:

  • You have a current version of Windows Admin Center
  • The host has SMT enabled
  • The host runs at least Windows Server 2016

The scheduler type can change even if SMT is disabled on the host. However, you will need to use bcdedit to see it (see previous sub-section).

Implementing SMT on Hyper-V Virtual Machines

With the core scheduler enabled, virtual machines can no longer depend on Hyper-V to make the choice to use a core’s second logical processor. Hyper-V will expect virtual machines to decide when to use the SMT capabilities of a core. So, you must enable or disable SMT capabilities on each virtual machine just like you would for a physical host.

Because of the way this technology developed, the defaults and possible settings may seem unintuitive. New in 2019, newly-created virtual machines can automatically detect the SMT status of the host and hypervisor and use that topology. Basically, they act like a physical host that ships with Hyper-Threaded CPUs — they automatically use it. Virtual machines from previous versions need a bit more help.

Every virtual machine has a setting named “HwThreadsPerCore”. The property belongs to the Msvm_ProcessorSettingData CIM class, which connects to the virtual machine via its Msvm_Processor associated instance. You can drill down through the CIM API using the following PowerShell (don’t forget to change the virtual machine name):

The output of the cmdlet will present one line per virtual CPU. If you’re worried that you can only access them via this verbose technique, hang in there! I only wanted to show you where this information lives on the system. You have several easier ways to get to and modify the data. I want to finish the explanation first.

The HwThreadsPerCore setting can have three values:

  • 0 means inherit from the host and scheduler topology — limited applicability
  • 1 means 1 thread per core
  • 2 means 2 threads per core

The setting has no other valid values.

A setting of 0 makes everything nice and convenient, but it only works in very specific circumstances. Use the following to determine defaults and setting eligibility:

  • VM config version < 8.0
    • Setting is not present
    • Defaults to 1 if upgraded to VM version 8.x
    • Defaults to 0 if upgraded to VM version 9.0+
  • VM config version 8.x
    • Defaults to 1
    • Cannot use a 0 setting (cannot inherit)
    • Retains its setting if upgraded to VM version 9.0+
  • VM config version 9.x
    • Defaults to 0

I will go over the implications after we talk about checking and changing the setting.

You can see a VM’s configuration version in Hyper-V Manager and PowerShell’s Get-VM:


The version does affect virtual machine mobility. I will come back to that topic toward the end of the article.

How to Determine a Virtual Machine’s Threads Per Core Count

Fortunately, the built-in Hyper-V PowerShell module provides direct access to the value via the *-VMProcessor cmdlet family. As a bonus, it simplifies the input and output to a single value. Instead of the above, you can simply enter:

If you want to see the value for all VMs:

You can leverage positional parameters and aliases to simplify these for on-the-fly queries:

You can also see the setting in recent versions of Hyper-V Manager (Windows Server 2019 and current versions of Windows 10). Look on the NUMA sub-tab of the Processor tab. Find the Hardware threads per core setting:


In Windows Admin Center, access a virtual machine’s Processor tab in its settings. Look for Enable Simultaneous Multithreading (SMT).


If the setting does not appear, then the host does not have SMT enabled.

How to Set a Virtual Machine’s Threads Per Core Count

You can easily change a virtual machine’s hardware thread count. For either the GUI or the PowerShell commands, remember that the virtual machine must be off and you must use one of the following values:

  • 0 = inherit, and only works on 2019+ and current versions of Windows 10 and Windows Server SAC
  • 1 = one thread per hardware core
  • 2 = two threads per hardware core
  • All values above 2 are invalid

To change the setting in the GUI or Windows Admin Center, access the relevant tab as shown in the previous section’s screenshots and modify the setting there. Remember that Windows Admin Center will hide the setting if the host does not have SMT enabled. Windows Admin Center does not allow you to specify a numerical value. If unchecked, it will use a value of 1. If checked, it will use a value of 2 for version 8.x VMs and 0 for version 9.x VMs.

To change the setting in PowerShell:

To change the setting for all VMs in PowerShell:

Note on the cmdlet’s behavior: If the target virtual machine is off, the setting will work silently with any valid value. If the target machine is on and the setting would have no effect, the cmdlet behaves as though it made the change. If the target machine is on and the setting would have made a change, PowerShell will error. You can include the -PassThru parameter to receive the modified vCPU object:
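The per-VM procedure above (read HwThreadsPerCore, compare it against what the VM’s configuration version allows, change it only while the VM is off) as one audit-and-remediate script. This is an added example, not the article’s code; it relies only on the Get-VM, Get-VMProcessor and Set-VMProcessor cmdlets the article names, and the “recommended” value per version (2 for 8.x, which cannot inherit; 0 for 9.x) is my own mapping of the eligibility list above.

```powershell
# Added example (not the article's own code). Run on the Hyper-V host.

function Get-VmSmtReadiness {
    # One row per VM: current HwThreadsPerCore versus the value that lets the VM
    # use both logical processors of a core under the core scheduler.
    foreach ($vm in Get-VM) {
        $proc  = Get-VMProcessor -VMName $vm.Name
        $major = [int]$vm.Version.Split('.')[0]
        $recommended = switch ($major) {
            { $_ -lt 8 } { $null }   # pre-8.0: setting absent; VM gets one thread per core
            8            { 2 }       # 8.x: cannot inherit, so request two threads explicitly
            default      { 0 }       # 9.x+: inherit the host and scheduler topology
        }
        [pscustomobject]@{
            Name             = $vm.Name
            State            = $vm.State
            ConfigVersion    = $vm.Version
            HwThreadsPerCore = $proc.HwThreadsPerCore
            Recommended      = $recommended
            NeedsChange      = ($null -ne $recommended) -and
                               ($proc.HwThreadsPerCore -ne $recommended)
        }
    }
}

function Set-VmSmtReadiness {
    # Applies the recommended value, but only to VMs that are off; Set-VMProcessor
    # errors on a running VM when the value would actually change (see the note above).
    [CmdletBinding(SupportsShouldProcess)]
    param()
    foreach ($row in Get-VmSmtReadiness | Where-Object NeedsChange) {
        if ($row.State -ne 'Off') {
            Write-Warning "$($row.Name): VM is running; shut it down before changing HwThreadsPerCore"
            continue
        }
        if ($PSCmdlet.ShouldProcess($row.Name, "Set HwThreadsPerCore to $($row.Recommended)")) {
            Set-VMProcessor -VMName $row.Name -HwThreadsPerCore $row.Recommended -PassThru |
                Select-Object VMName, HwThreadsPerCore
        }
    }
}

# Usage: review the table first, dry-run the change, then apply it.
Get-VmSmtReadiness | Format-Table -AutoSize
Set-VmSmtReadiness -WhatIf
# Set-VmSmtReadiness
```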

Considerations for Hyper-V’s Core Scheduler

I recommend using the core scheduler in any situation that does not explicitly forbid it. I will not ask you to blindly take my advice, though. The core scheduler’s security implications matter, but you also need to think about scalability, performance, and compatibility.

Security Implications of the Core Scheduler

This one change instantly nullifies several exploits that could cross virtual machines, most notably in the Spectre category. Do not expect it to serve as a magic bullet, however. In particular, remember that an exploit running inside a virtual machine can still try to break other processes in the same virtual machine. By extension, the core scheduler cannot protect against threats running in the management operating system. It effectively guarantees that these exploits cannot cross partition boundaries.

For the highest level of virtual machine security, use the core scheduler in conjunction with other hardening techniques, particularly Shielded VMs.

Scalability Impact of the Core Scheduler

I have spoken with one person who was left with the impression that the core scheduler does not allow for oversubscription. They called into Microsoft support, and the engineer agreed with that assessment. I reviewed Microsoft’s public documentation as it was at the time, and I understand how they reached that conclusion. Rest assured that you can continue to oversubscribe CPU in Hyper-V. The core scheduler prevents threads owned by separate virtual machines from running simultaneously on the same core. When it starts a thread from a different virtual machine on a core, the scheduler performs a complete context switch.

You will have some reduced scalability due to the performance impact, however.

Performance Impact of the Core Scheduler

On paper, the core scheduler presents severe deleterious effects on performance. It reduces the number of possible run locations for any given thread. Synthetic benchmarks also show a noticeable performance reduction when compared to the classic scheduler. A few points:

  • Generic synthetic CPU benchmarks drive hosts to abnormal levels using atypical loads. In simpler terms, they do not predict real-world outcomes.
  • Physical hosts with low CPU utilization will experience no detectable performance hits.
  • Running the core scheduler on a system with SMT enabled will provide better performance than the classic scheduler on the same system with SMT disabled

Your mileage will vary. No one can accurately predict how a general-purpose system will perform after switching to the core scheduler. Even a heavily-laden processor might not lose anything. Remember that, even in the best case, an SMT-enabled core will not provide more than about a 25% improvement over the same core with SMT disabled. In practice, expect no more than a 10% boost. In the simplest terms: switching from the classic scheduler to the core scheduler might reduce how often you enjoy a 10% boost from SMT’s second logical processor. I expect few systems to lose much by switching to the core scheduler.

Some software vendors provide tools that can simulate a real-world load. Where possible, leverage those. However, unless you dedicate an entire host to guests that only operate that software, you still do not have a clear predictor.

Compatibility Concerns with the Core Scheduler

As you saw throughout the implementation section, a virtual machine’s ability to fully utilize the core scheduler depends on its configuration version. That impacts Hyper-V Replica, Live Migration, Quick Migration, virtual machine import, backup, disaster recovery, and anything else that potentially involves hosts with mismatched versions.

Microsoft drew a line with virtual machine version 5.0, which debuted with Windows Server 2012 R2 (and Windows 8.1). Any newer Hyper-V host can operate virtual machines of its version all the way down to version 5.0. On any system, run Get-VMHostSupportedVersion to see what it can handle. From a 2019 host:

So, you can freely move version 5.0 VMs between a 2012 R2 host and a 2016 host and a 2019 host. But, a VM must be at least version 8.0 to use the core scheduler at all. So, when a v5.0 VM lands on a host running the core scheduler, it cannot use SMT. I did not uncover any problems when testing an SMT-disabled guest on an SMT-enabled host or vice versa. I even set up two nodes in a cluster, one with Hyper-Threading on and the other with Hyper-Threading off, and moved SMT-enabled and SMT-disabled guests between them without trouble.

The final compatibility verdict: running old virtual machine versions on core-scheduled systems means that you lose a bit of density, but they will operate.

Summary of the Core Scheduler

This is a lot of information to digest, so let’s break it down to its simplest components. The core scheduler provides a strong inter-virtual machine barrier against cache side-channel attacks, such as the Spectre variants. Its implementation requires an overall reduction in the ability to use simultaneous multi-threaded (SMT) cores. Most systems will not suffer a meaningful performance penalty. Virtual machines have their own ability to enable or disable SMT when running on a core-scheduled system. All virtual machine versions prior to 8.0 (WS2016/W10 Anniversary) will only use one logical processor per core when running on a core-scheduled host.

Author: Eric Siron

Cheap 2-bay (or 4-bay) NAS without HDDs

Looking for another NAS for local media streaming duties, not needing anything sophisticated, one which isn’t forced into RAID mirroring would be good.

Location: Fareham


Educate users to avert email phishing attacks

Cybercriminals use more sophisticated and efficient email phishing methods to attack businesses, forcing IT teams to protect systems from frequent and costly data breaches and infections. But security tools aren’t enough to stop advanced threats.

Ransomware and other malicious code often slip through the IT defensive perimeter — despite IT’s best efforts. Several recent attacks occurred when unsuspecting users clicked on a link or opened an email attachment that ran malicious code and infected the computer. IT departments use several tools to reduce these threats, but attackers shift tactics constantly and not all security components can block every threat.

Don’t rely on technology; take a more human approach to defend the business and educate users. These four critical steps will build a successful security culture and awareness within an organization.

Create a human security layer


Chief information security officers recognize that no single security initiative or measure will block every threat; those tactics exist to diminish the risks associated with an attack. Even with security tools, unsuspecting users could inadvertently give away credentials and cause a data breach.

To bolster protection, train and educate employees about lurking threats, which come in different flavors and different approaches. To prepare employees, IT must teach them what to look for in phishing attempts and what to avoid in email messages. Some organizations make it mandatory or part of a yearly review to address security.

Perform regular security audits

IT performs audits to uncover security gaps within the environment. In addition to performing a technical audit, use a third-party service, such as KnowBe4, to send a fake spear phishing attempt via email to all users. The service then reports back to IT on who responded or clicked on the links. IT can give those employees additional training.

Open up feedback to collect and document new threats

With email attacks, cybercriminals pose as an employee or encourage the end user to open a document or link. As attack strategies continuously evolve, IT must keep up to date on new methods before it can devise a strategy to defend against them. Encourage users to self-report some email messages with a designated IT resource. This helps the organization catalog attack methods.

Provide frequent security reminders

Create regular reminders and routinely schedule lessons to ensure security remains top of mind for all end users. Build different security campaigns — periodically send out newsletters and post videos that warn of recent threats and provide email security tips. This reminds users to be proactive to protect themselves from attacks.

Organizations implement security awareness to mitigate the risks of infections or data breaches that come with email attacks. No single security system will block all threats that arrive via email; end users that know what to look for are less likely to fall victim to an attack.



Securing Privileged Access program builds wall against attacks

As cyberattacks become more sophisticated, Windows administrators need to work with security teams to review the infrastructure. It’s important to tighten control over credentials that, if stolen, give attackers unfettered access to the organization’s assets.

For Windows shops, the administrator account — both the local admin and the domain or forest admin — is a main target. Microsoft’s Securing Privileged Access program helps IT teams analyze and review ways to protect administrator accounts and privileges.

Phase in administrator account protection

The Securing Privileged Access program mitigates attacks that involve credential theft and abuse and that target the domain controller hosts and the Active Directory deployment. The plan minimizes the number of administrator accounts and limits the times those accounts are needed. The strategy takes more than six months to complete and consists of three phases:

  • First phase: This phase lasts two to four weeks and focuses on mitigating the easy attack vectors that take little effort and process change to turn off or fix.
  • Second phase: This phase takes one to three months and builds on the progress made in the first phase. Administrative privileges can shift from permanent to time-bound, lowering the exposure time of privileges and increasing visibility into how privileges are used. Administrative controls change how privileges are redeemed and carried out.
  • Third phase: This phase can take six months to a year and transitions the security strategy from reactive to proactive. Admins need to make systemic changes, which include software updates, to have the best possible security posture.

Follow this program at your own pace. As administrators complete each step, the quality and integrity of the defenses improve. Even if the organization does not finish the program, making just a few modifications will improve infrastructure security. The IT staff can resume the remainder of the phases at another time.

The Securing Privileged Access roadmap

Because of the complex nature of today’s data centers, which run on multiple operating systems and several identity repositories, Securing Privileged Access provides a roadmap and prescriptive strategy to manage administrative privileges. The third phase is the most complicated; it recommends the most changes to established processes for administrative tasks and requires that an organization run more recent — or current — versions of Windows Server.

Here is a more detailed outline of each phase of Securing Privileged Access:

  • Phase one directives: Mitigate the most frequent attack vectors. Make a separate administrative account just for administrative tasks and set up dedicated privileged access workstations for Active Directory administrators. Implement the Local Administrator Password Solution (LAPS) to generate unique local admin passwords for workstations and servers.
  • Phase two directives: Add visibility into administrative activity and build a wall against common follow-up attacks that target administrator accounts. Expand the privileged access workstation concept from Active Directory administrators only to all enterprise admins. Harden these workstations with additional features, such as Credential Guard and RDP Restricted Admin mode. Use time-bound privileges so there is no permanent administrator, require multifactor authentication to elevate ordinary accounts to privileged levels and enable Just Enough Administration to manage domain controllers. Lower the attack surface on domain controllers and security boundaries overall, and develop methods to detect attacks in real time.
  • Phase three directives: Move into role-based administration and implement models to delegate privilege. All administrators will use smartcard or Microsoft Passport authentication.
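The phase two directives above (Just Enough Administration for domain controller maintenance and time-bound privileges) can be expressed as an added example; this is not code from the article or from Microsoft’s roadmap. It assumes a Windows Server 2016 or later domain controller, the Privileged Access Management optional feature enabled in the forest, and the placeholder names CONTOSO, DC-Maintainers, jdoe, dc01 and DCMaintenance.

```powershell
# Added example, not part of the original article or Microsoft's Securing
# Privileged Access roadmap. Placeholders: CONTOSO (domain), DC-Maintainers
# (group), jdoe (account), dc01 (domain controller), DCMaintenance (endpoint).
#Requires -RunAsAdministrator

# 1. A JEA role capability: the complete list of what a DC maintainer may run.
#    Restart-Service is exposed only for the DNS and Netlogon services, so the
#    role cannot stop NTDS or other services even through this endpoint.
$ModulePath = Join-Path $env:ProgramFiles 'WindowsPowerShell\Modules\DCMaintenance'
New-Item -ItemType Directory -Path (Join-Path $ModulePath 'RoleCapabilities') -Force | Out-Null
New-ModuleManifest -Path (Join-Path $ModulePath 'DCMaintenance.psd1')

New-PSRoleCapabilityFile -Path (Join-Path $ModulePath 'RoleCapabilities\DCMaintainer.psrc') `
    -VisibleCmdlets @(
        'Get-Service',
        'Get-EventLog',
        @{ Name = 'Restart-Service'; Parameters = @{ Name = 'Name'; ValidateSet = 'DNS', 'Netlogon' } }
    ) `
    -VisibleFunctions 'Get-DCCoreServices' `
    -FunctionDefinitions @{
        Name        = 'Get-DCCoreServices'
        # Function bodies run inside the session, so the caller sees only the result.
        ScriptBlock = { Get-Service -Name 'NTDS', 'DNS', 'Netlogon', 'Kdc' | Select-Object Name, Status }
    }

# 2. The session configuration: a restricted endpoint that runs as a transient
#    virtual account (on a DC that account is a Domain Admin, which is why the
#    role capability above must be tight) and transcribes every session.
$ConfigFile = Join-Path $env:TEMP 'DCMaintenance.pssc'
New-PSSessionConfigurationFile -Path $ConfigFile `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory 'C:\JEATranscripts' `
    -RoleDefinitions @{ 'CONTOSO\DC-Maintainers' = @{ RoleCapabilities = 'DCMaintainer' } }

if (-not (Test-PSSessionConfigurationFile -Path $ConfigFile)) {
    throw 'Session configuration file failed validation.'
}
Register-PSSessionConfiguration -Name 'DCMaintenance' -Path $ConfigFile -Force | Out-Null

# 3. Time-bound privilege: membership in the maintainer group expires after four
#    hours instead of living on as a permanent administrator assignment.
#    Requires the Privileged Access Management feature to be enabled in the forest.
Add-ADGroupMember -Identity 'DC-Maintainers' -Members 'jdoe' -MemberTimeToLive (New-TimeSpan -Hours 4)

# Verify the remaining TTL on the membership rather than trusting the grant silently;
# members with a TTL are listed as <TTL=seconds,DN>.
Get-ADGroup -Identity 'DC-Maintainers' -Properties member -ShowMemberTimeToLive |
    Select-Object -ExpandProperty member

# 4. How the maintainer connects: only the commands named in the role are visible.
#    Enter-PSSession -ComputerName dc01 -ConfigurationName DCMaintenance
```

Pairing the two controls matters: the JEA endpoint limits what the maintainer can do, while the expiring group membership limits for how long anyone holds the right to use it, which is the "no permanent administrator" outcome the phase describes.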

Create a separate forest for Active Directory administrators to provide a second security boundary that protects the accounts with the highest privilege. Organizations on Windows Server 2016 can enable code-integrity policies for another layer of malware protection on domain controllers. Those organizations can also move virtualized workloads to shielded VMs on the Windows Server 2016 Hyper-V fabric. If a shielded VM is copied, its encryption prevents the data from being read.

Microsoft provides this roadmap and the prescriptive guidance for free. While the Securing Privileged Access program exists in several different locations on the Microsoft site, the overarching plan can be found here with links to each phase.
