Explore scenarios where shielded data is an appropriate solution.
- [Instructor] Now we're going to talk about the types of scenarios that Shielded VMs are designed to protect against, to protect our tenant data. So I'll log into my Hyper-V host, and we'll have a look at a few things here. So, one of the first channels that we're going to block for rogue administrators, and bear in mind, we're talking about TPM trusted mode here. So certainly, we're reducing our security if we use that admin trusted mode with the Active Directory security group. So the TPM trusted option in production is typically going to be where we would like to wind up.
So, one of the examples of a channel we're going to try to shut down with that TPM option is the VM Console connection. So I'm going to prevent a rogue administrator from logging on to the physical box, and then connecting directly to the console. I'm also going to prevent them from coming in and trying PowerShell Direct, where we just use Enter-PSSession, and put a VM name in there. And go directly to that virtual machine. I'm going to require them to come across the network to get to these virtual machines. So another common step we might see in a rogue scenario would be to try to change the virtual machine bootloader.
So, basically, Secure Boot is going to block a VM if the bootloader's changed. And what about an admin trying to get in and disabling Secure Boot, for example? Well, Secure Boot's the only way that virtual machine is going to come up in this scenario. And what we're effectively seeing here is the ability to block not only the boot process, but also to block the rogue administrator's capability to change that in any way.
So if I look at this from an Active Directory perspective, what we're really talking about here is virtualization-based security. So if I have a look at my Group Policy Management console here, I can have a look at what is possible with virtualization-based security in terms of locking boot. So if I just edit this policy, I'll go under Computer Configuration, Policies, and I'll look under Administrative Templates in the System area. And we'll see Device Guard. So, with Device Guard, which is part of virtualization-based security, we can turn on virtualization-based security and we can secure the boot; we can enable it with UEFI lock, which means we can't turn that setting off without physically visiting that VM.
And we can do the same with Credential Guard, which is going to encrypt credentials in memory as well, with that UEFI lock option. So we're really locking this VM down altogether. And so, if an administrator were to get frustrated and then maybe try to take the next step, so rather than messing around on the console, maybe they say, hey, I'm just going to find out where this disk is, where the VHDX file is for this virtual machine. And I'm going to copy it off. And boot it up on my laptop.
And then, you know, attack it from there. So, I can come in here and have a look at where those disks are located as an administrator. Simply go out and grab a copy of the VHDX file, and at that point, I can mount that. So, in modern versions of Windows, I can simply copy that VHDX off, and I could try to mount it to my own file system here, so I can make changes. And this is where TPM trusted mode and all of these attestations come into play.
So if I bring this virtual machine over and I try to simply mount this VHDX to Hyper-V on my personal laptop, this laptop is not a trusted host, so it's not going to boot. Perhaps I decide I'll just mount this VHDX and go in and make some changes. I'm actually looking at the VHDX I copied there. The moment I make changes here, it breaks the disk signature. So now if I mount that VHDX directly and then try to boot it on the guarded host, it's still not going to work.
And that's really preventing that theft channel where we can take that VHDX off, boot it, and mount a brute force attack. So again, we have our choice of attestation modes and the TPM trusted mode as part of a guarded fabric is really going to allow us to shut down those common threats.
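As an added example (not part of the course, and not Microsoft's own tooling): a PowerShell audit that checks the controls the instructor walks through, from the host side (shielding, virtual TPM, Secure Boot) and from inside the guest (VBS and Credential Guard with UEFI lock). The VM name is a placeholder; the CIM class and registry value used are standard Windows locations.

```powershell
# Added example, not from the course. Part 1 runs on the Hyper-V host; part 2 runs
# inside the guest over a normal network session, since the console and PowerShell
# Direct are closed off for a shielded VM. 'ShieldedVM01' is a placeholder name.
param([string]$VMName = 'ShieldedVM01')

function Test-ShieldedVMPosture {
    param([string]$Name)
    $sec = Get-VMSecurity -VMName $Name      # shielding and virtual TPM state
    $fw  = Get-VMFirmware -VMName $Name      # Secure Boot state (Generation 2 VM)
    $findings = @()
    if (-not $sec.Shielded)      { $findings += 'VM is not shielded: console and PowerShell Direct stay open' }
    if (-not $sec.TpmEnabled)    { $findings += 'No virtual TPM: the VM cannot be shielded' }
    if ($fw.SecureBoot -ne 'On') { $findings += 'Secure Boot is off: a changed bootloader would not be blocked' }
    [pscustomobject]@{
        VM = $Name; Shielded = $sec.Shielded; TpmEnabled = $sec.TpmEnabled
        SecureBoot = $fw.SecureBoot; Findings = $findings
    }
}

function Test-GuestVbsPosture {
    # Win32_DeviceGuard reports VBS state: VirtualizationBasedSecurityStatus 2 = running;
    # SecurityServicesRunning contains 1 for Credential Guard and 2 for HVCI.
    $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
    # LsaCfgFlags: 1 = Credential Guard with UEFI lock, 2 = enabled without lock, 0 = off.
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\LSA' `
                            -Name LsaCfgFlags -ErrorAction SilentlyContinue
    $findings = @()
    if ($dg.VirtualizationBasedSecurityStatus -ne 2) { $findings += 'VBS is not running in the guest' }
    if ($dg.SecurityServicesRunning -notcontains 1)  { $findings += 'Credential Guard is not running' }
    if ($lsa.LsaCfgFlags -ne 1) { $findings += 'Credential Guard is not UEFI-locked: it could be switched off with a reboot' }
    [pscustomobject]@{
        VbsStatus = $dg.VirtualizationBasedSecurityStatus; ServicesRunning = $dg.SecurityServicesRunning
        LsaCfgFlags = $lsa.LsaCfgFlags; Findings = $findings
    }
}

# Host side:
Test-ShieldedVMPosture -Name $VMName
# Guest side (run inside the VM, e.g. in a remote session over the network):
# Test-GuestVbsPosture
```

An empty Findings list on both sides means the VM matches the TPM trusted, Secure Boot, UEFI-locked configuration the instructor describes; any entry names the channel that is still open.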