Welcome

BriForum   |   © TechTarget
Do You Think Your Citrix
Environment is Secure Enough?
Ready or Not, Here I Come!

Denis Gundarev
Consultant
Entisys Solutions

About presenter


C:\>whoami /all
USER INFORMATION
----------------
User Name      Twitter Name E-Mail
============== ============ ==================
ENTISYS\denisg @fdwl        DenisG@entisys.com
GROUP INFORMATION
-----------------
Group Name                     Type             SID
============================== ================ ============
Citrix Technology Professional Well-known group S-1-5-32-544
Citrix Certified Instructor    Well-known group S-1-5-32-545
Microsoft Certified Trainer    Well-known group S-1-5-32-546



Disclaimer


● Information in this presentation is intended for
  educational purposes only. Some topics in this
  presentation may contain information related to
  “hacking passwords” or “elevating permissions” (or
  similar terms). Some topics will provide information about
  legal ways of retrieving passwords. You shall not
  misuse the information to gain unauthorized access.
  However, you may try out these hacks on your own
  computer at your own risk.
● Some of the stuff that you will learn is dangerous; playing
  with this knowledge in your production environment can
  make you very unhappy.
Agenda
● Physical server security
● Trusted Platform Module
● Hypervisor hardening
● VDI security
       - Microsoft Installer
       - Password security
       - SQL security



● All links from this presentation are available here:
       - http://bit.ly/SecureIT




Physical Security
● Why do you need to secure servers?
       - A server can be stolen
       - A server can be duplicated
       - A disk can be seamlessly replaced in the storage array and the
         data stolen
       - An attacker can boot from CD/USB and reset the admin
         password
● Do you need to secure your hypervisors?
       - Sure, the hypervisor is the key to your infrastructure




Get Access to the Windows Box - Demo




Breaking into hypervisor
● XenServer - http://bit.ly/XenServerPassword
● VMware ESX - http://bit.ly/ResetESXPassword, same
  procedure as for XenServer
● VMware ESXi – password reset not supported, but
  possible http://bit.ly/ResetESXiPassword




Securing Server boot
● Disable boot from CD/USB/PXE
       - If using UEFI, change the boot order in the UEFI manager
       - Be careful, some UEFI firmware adds removable devices
         as a boot option by default
● Disable removable drives after installation
● Set a BIOS admin password
       - Does not prevent booting, but
         prevents changing the boot order
● Disable Intelligent Provisioning,
  available on HP G8 servers



Out-of-band management (lights-out management)
● Implement AD integration for HP iLO, Dell iDRAC or IBM
  RSA (can be done with or without a schema extension)
● Disable the default local administrator and/or change the default
  password
       - root/calvin for Dell
       - Printed on the server label for HP
       - USERID/PASSW0RD for IBM
● Configure SNMP and/or syslog to monitor who is using the
  LOM
● Grant permissions carefully



Out-of-band management (lights-out management)
● Use a separate management network
● Use trusted certificates
● Disable telnet (HP G8 doesn’t have it! Disabled by default
  on Dell/IBM)
● Disable SSH if you do not use it
● Change SNMP community strings




Out-of-band management (lights-out management)
● Regularly read the security guides:
       - Dell - http://bit.ly/DRACSecurity
       - HP - http://bit.ly/ILOSecurity
       - IBM doesn’t have one, just the manual:
         http://bit.ly/IBMRSAGuide
● Regularly update firmware
● Review audit logs and configure alerts




Trusted Platform Module
● Smartcard-like hardware module on the motherboard
       - Protects secrets
       - Performs cryptographic functions
       - Can create, store and manage keys
       - Performs digital signature operations
       - Holds platform measurements (hashes)
● Can be used to check platform integrity
● Can be used to store disk encryption keys




Trusted Platform Module
● Disabled by default
● Resets automatically during a BIOS reset by switches
● Owned by the OS
● Change of ownership is not possible without a reset

● Secure boot order in BIOS + TPM-aware OS + BIOS setup
  password makes a hacker’s life harder




TPM implementation scenarios


Windows (Hyper-V)
● Windows Server 2008 and above is a TPM-aware OS
● BitLocker full-disk encryption protects the OS and data
● BitLocker protects from offline password reset
  (pogostick/opengate/WinRE)
● BitLocker protects OS data from offline analysis (stolen or
  duplicated drives)




BitLocker™ Drive Encryption Architecture
Static Root of Trust Measurement of boot components

[Figure: measured boot chain, left to right. Column headings: PreOS, Static OS,
 "All Boot Blobs unlocked", "Volume Blob of Target OS unlocked".
 Chain: TPM Init -> BIOS -> MBR -> BootSector -> BootBlock -> BootManager -> OS Loader -> Start OS]
Source: Microsoft
Windows disk encryption
● BitLocker can be managed with GPO
● Data can be recovered if needed
● BitLocker can store recovery passwords in AD (schema extension is
  required)
   - Domain admins and the computer itself can read recovery passwords;
     permissions can be changed: http://bit.ly/BitLockerAD
● Whitepaper is available on Microsoft.com: http://bit.ly/HyperVBitLocker
● Hyper-V clusters are supported, hotfix needed:
  http://support.microsoft.com/kb/2446607
● In-guest VM encryption is not supported
● Windows Server 2012 supports BitLocker-encrypted CSVs:
  http://bit.ly/BitLockerCSV2012
● HP HOWTO: http://bit.ly/HPBitLocker
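An added example, not from the deck, that turns the TPM and BitLocker slides above into a check you can run on a Hyper-V host: report the TPM state, report per volume whether protection is on, whether the OS volume is bound to the TPM and whether a recovery password protector exists, and escrow the recovery passwords to AD DS. Get-Tpm, Get-BitLockerVolume and Backup-BitLockerKeyProtector are the Microsoft cmdlets that ship with Windows Server 2012 and later (BitLocker feature installed, run elevated); the AD backup assumes the schema extension and GPO the slide mentions are already in place.

```powershell
# Added example (not from the presentation): TPM and BitLocker audit for a Hyper-V host.
# Requires the TrustedPlatformModule and BitLocker modules (Windows Server 2012+ / Windows 8+).
Import-Module TrustedPlatformModule
Import-Module BitLocker

function Get-TpmSummary {
    # The state the TPM slides talk about: present, ready, enabled, activated, owned.
    $tpm = Get-Tpm
    [pscustomobject]@{
        Present   = $tpm.TpmPresent
        Ready     = $tpm.TpmReady
        Enabled   = $tpm.TpmEnabled
        Activated = $tpm.TpmActivated
        Owned     = $tpm.TpmOwned
    }
}

function Get-BitLockerAudit {
    # One row per volume: protection on, TPM-bound (Tpm, TpmPin, TpmStartupKey, ...),
    # and whether a RecoveryPassword protector exists that can be escrowed to AD DS.
    foreach ($vol in Get-BitLockerVolume) {
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
        [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            VolumeType       = $vol.VolumeType
            ProtectionOn     = ($vol.ProtectionStatus -eq 'On')
            TpmBound         = [bool]($types | Where-Object { $_ -like 'Tpm*' })
            HasRecoveryPwd   = ($types -contains 'RecoveryPassword')
            EncryptionMethod = $vol.EncryptionMethod
        }
    }
}

function Backup-RecoveryPasswordsToAD {
    # Escrow every RecoveryPassword protector to the computer object in AD DS.
    # The recovery password itself is never written to the console, only the protector IDs.
    $backedUp = @()
    foreach ($vol in Get-BitLockerVolume) {
        $recovery = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
        foreach ($kp in $recovery) {
            Backup-BitLockerKeyProtector -MountPoint $vol.MountPoint -KeyProtectorId $kp.KeyProtectorId | Out-Null
            $backedUp += $kp.KeyProtectorId
        }
    }
    $backedUp
}

Get-TpmSummary | Format-List
Get-BitLockerAudit | Format-Table -AutoSize

# Volumes without protection are exactly the ones the offline password-reset demo works against.
$unprotected = @(Get-BitLockerAudit | Where-Object { -not $_.ProtectionOn })
if ($unprotected.Count -gt 0) {
    Write-Warning ("Volumes without BitLocker protection: " + (($unprotected | ForEach-Object { $_.MountPoint }) -join ', '))
}
```

Run Backup-RecoveryPasswordsToAD once the audit shows a recovery password protector on every volume; without the schema extension the cmdlet fails with an error from AD rather than silently skipping the backup.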



XenServer & TPM
● No official support
● Basic vTPM is in the product, but not documented yet
  and still not secured with a physical TPM
● But XenServer is just Linux!
● TrustedGRUB, GRUB-IMA and Open Secure LOader
  (OSLO) are available to secure the boot process
● Disk encryption with dm-crypt and TPM is possible, but
  complicated.
       - Details in the IBM Blueprint: http://bit.ly/IBMTrustedGRUB




Linux Trusted Boot Stages

[Figure: three stages measured into TPM PCRs.
 BIOS (CRTM, POST, ROT) -> TPM PCR01-07;
 Bootloader (GRUB Stage1 (MBR), Stage1.5, Stage2, GRUB conf) -> PCR04-05;
 Operating System (Kernel, SELinux MAC Policy, JVM, DB) -> PCR08-14.
 Labelled "Trusted Boot".]
Source: Trent Jaeger
TrustedGRUB
● IBM Blueprint with step-by-step instructions available:
  http://bit.ly/IBMTrustedGRUB
● GPT is not supported by TrustedGRUB; MBR is required
       - Modify /opt/xensource/installer/constants.py during install
       - Step-by-step instructions from Major Hayden
         (@rackerhacker) on his blog: http://bit.ly/XS6GPTDisable

● Sirrix AG, together with the German Federal Office for
  Information Security (BSI), tested different TPM-enabled
  open source solutions; review the document before
  implementation: http://bit.ly/TSSStudy


XenServer boot hardening
1. Disable boot from removable devices
2. Set a BIOS setup password
3. Enable TPM
4. Disable single-user mode without a password
       - Add the following entry to the /etc/inittab file:
         ~~:S:wait:/sbin/sulogin
5. Install TrustedGRUB
6. Enable the GRUB password
7. Configure additional checks on /etc/passwd,
   /etc/shadow, /boot/grub.lst and the PAM configuration files
8. Enable TrustedGRUB

VMware & Support
● VMware claims that TPM is supported
  (http://kb.vmware.com/kb/1033811)
● Not configurable
● Not documented
● No partner solutions that use TPM
● Disk encryption for the VMkernel is not supported (FAT16!!!)




General hypervisor security recommendations




Platform-independent recommendations
● Don’t store VMs on the local drive, use SAN/NAS instead
● Use mutual CHAP authentication for iSCSI
● Consider using boot from SAN with storage-based
  encryption and Fibre Channel Security Protocol (FC-SP)
  enabled HBAs
       - Short overview - http://bit.ly/FC-SPOverview
       - Standard - http://bit.ly/FC-SPStandard
       - HBAs available from all major vendors (Emulex, QLogic,
         Cisco, Brocade, Hitachi)
● Use a fixed virtual disk size to avoid unexpected VM
  pauses


Platform-independent recommendations
● Separate management network
● Optionally implement IPsec on the management network
       - VMware - http://bit.ly/VMwareIPsec
● Change default MAC addresses to avoid attacker use of the MAC
  address (OUI) database:
       - http://www.coffer.com/mac_find
       - 00-15-5D – Hyper-V
       - 00-50-56 – VMware




Platform-independent recommendations
● vCenter/SCVMM should be secured better than your DC
● Configure monitoring and auditing
● Use Active Directory for authentication
● Disable/lock local users and/or configure a password policy

● Do not use the management console as an RDP replacement




XenServer hardening
● Review the XenServer User Security guide:
  http://bit.ly/XSSecurity
● Review the XenServer Hardening guide (released by Positive
  Technologies) - http://bit.ly/XSHardening
● Configure AD authentication
● Disable SSH if you are not using it
● Install server certificates: http://bit.ly/XSCertificates
● Disable unencrypted XAPI access
● Disable autologon to the console from XenCenter
● Avoid using the pool-admin privilege; any pool admin can
  change the root password with xe user-password-change

XenServer hardening
● All passwords stored on XenServer are insecure
       - Use a dedicated user for CIFS ISO repositories and limit the
         computers where this user can log on, because the passwords
         can be retrieved even by a read-only user (xe pbd-list)
       - Use dedicated users for power management (any pool
         operator can retrieve them with xe secret-list)
● Be careful with RBAC: a lot of the “security” is implemented in
  XenCenter only; XAPI and xe.exe give a lot of
  information even to a read-only user
● Be careful with XenServer monitoring: if a vendor asks for more
  permissions than a read-only user, change your vendor
● Avoid saving passwords in XenCenter (more information
  later)
VMware hardening
● Check the VMware vSphere hardening guide:
  http://bit.ly/vSphereHardening
● Install trusted certificates
● vCenter – remove local admins
● vCenter – check permissions on vCenter folders;
  certificates are stored there
● Use remote management instead of the console installed on
  vCenter
● Change SQL account permissions after installation:
  http://bit.ly/VMwareSQL
● Disable SSH if nobody uses it

VMware hardening
● Be careful with monitoring agent permissions
● Use partner solutions for hardening and compliance
  management:
       - vGate from Security Code (http://vgate.info/en/)
       - HyTrust virtual appliance (http://www.hytrust.com)




Hyper-V/VMM hardening
● Use a Server Core installation
● Remove local administrators from VMM
● Use remote management instead of the console installed on
  SCVMM
● Implement BitLocker
● Secure “HKLM\SOFTWARE\Microsoft\Virtual Machine”
  on guests
● Change permissions on the VHD store
● Read the Hyper-V security guide:
  http://bit.ly/HyperVHardening
● Download and use Microsoft Security Compliance
  Manager: http://bit.ly/MS-SCM
VDI security




VDI security best practices
● In most cases the same best practices apply to
  XenDesktop/View/RDS/vWorkspace
● Use GPO to manage VDI
● Create separate OUs for different desktop groups
● Don’t disable the firewall, configure rules instead
       - http://bit.ly/WindowsFirewall
● Monitor logs
● Remove Domain Users from the Terminal Server
  Users/Users groups; use dedicated groups and configure
  them using GPO



VDI security best practices
● Use AppLocker/SRP/other application control tools to
  audit application usage
● Don’t forget about scripting environments:
       - Visual Basic for Applications
       - Browsers
       - HTML Applications
● Even with AppLocker/AppSense/RES there are ways to
  execute any application
       - XLSploit from Remko Weijnen (@RemkoWeijnen) -
         http://bit.ly/XLSploit
       - Application control processes can be suspended/killed from
         Task Manager
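An added example, not from the deck, for the "audit application usage" and "agents can be killed" points above: it summarises the AppLocker audit (8003) and block (8004) events from the "EXE and DLL" log per file path and user, which is the data you review before moving a rule collection from AuditOnly to Enforce, and it checks that the Application Identity service AppLocker depends on is still running. Get-WinEvent and the event IDs are the real Windows ones; the log name default and the 24-hour window are choices made for this example, and it assumes the AppLocker policy has already been deployed by GPO to the VDI image.

```powershell
# Added example (not from the presentation): AppLocker audit summary for a VDI image.
function Get-AppLockerExecutionSummary {
    param(
        [int]$Hours = 24,
        [string]$LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'
    )
    # 8003 = would have been blocked (AuditOnly mode), 8004 = blocked (Enforce mode).
    $filter = @{ LogName = $LogName; Id = 8003, 8004; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # AppLocker events carry their fields in UserData/RuleAndFileData, not EventData.
            $xml  = [xml]$_.ToXml()
            $data = $xml.Event.UserData.RuleAndFileData
            [pscustomobject]@{
                Time     = $_.TimeCreated
                Action   = if ($_.Id -eq 8004) { 'Blocked' } else { 'AuditOnly' }
                UserSid  = $data.TargetUser
                FilePath = $data.FilePath
                Hash     = $data.FileHash
                Policy   = $data.PolicyName
            }
        } |
        Group-Object FilePath, UserSid |
        ForEach-Object {
            $latest = $_.Group | Sort-Object Time -Descending | Select-Object -First 1
            [pscustomobject]@{
                FilePath = $_.Group[0].FilePath
                UserSid  = $_.Group[0].UserSid
                Count    = $_.Count
                Blocked  = @($_.Group | Where-Object { $_.Action -eq 'Blocked' }).Count
                LastSeen = $latest.Time
                Hash     = $latest.Hash
            }
        } |
        Sort-Object Count -Descending
}

function Test-AppIdServiceHealthy {
    # The slide notes that application-control processes can be suspended or killed.
    # For AppLocker the dependency is the Application Identity service (AppIDSvc):
    # if it is not running, rules are not evaluated at all, so alert on that state.
    $svc = Get-Service -Name AppIDSvc -ErrorAction SilentlyContinue
    ($null -ne $svc) -and ($svc.Status -eq 'Running')
}

if (-not (Test-AppIdServiceHealthy)) {
    Write-Warning 'AppIDSvc is not running: AppLocker rules are not being enforced on this image.'
}
Get-AppLockerExecutionSummary -Hours 24 | Format-Table -AutoSize
```

Run it on the master image or on a collector that receives the forwarded AppLocker log; a path that appears with a high AuditOnly count for many users is either a legitimate application that needs a publisher rule or the kind of launcher the XLSploit bullet describes, and the hash column lets you tell the two apart.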

Windows Installer




Windows Installer
● Be careful with Windows Installer: ANY user can restart the
  server
● Configure MSI logging with GPO, collect the MSI logs and
  analyze them
● “AlwaysInstallElevated” is equivalent to granting
  administrative rights - http://bit.ly/AlwaysInstallElevated
● Enforce *.MSI signing
● Always check permissions on the folder with the source
  MSI files
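An added example, not from the deck, covering two checks from the slides: the Windows Installer policy values (AlwaysInstallElevated in both the machine and the user hive, since elevation is granted only when both are set, and the MSI logging flags) and write access granted to non-administrative principals on the MSI source folder and on the guest registry key named on the Hyper-V slide. The share path is a placeholder constructed for this example; the registry policy path and the FileSystemRights/RegistryRights names are the standard Windows ones.

```powershell
# Added example (not from the presentation): Windows Installer policy and ACL audit.
$PolicyKeys = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer',
              'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer'

function Get-InstallerPolicyAudit {
    # AlwaysInstallElevated is effective only when BOTH the HKLM and the HKCU value are 1.
    # Logging holds the MSI log option letters pushed by GPO (for example "voicewarmupx").
    $result = [ordered]@{}
    foreach ($key in $PolicyKeys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        $hive  = $key.Split(':')[0]
        $result["$hive AlwaysInstallElevated"] = if ($props) { $props.AlwaysInstallElevated } else { $null }
        if ($hive -eq 'HKLM') {
            $result['MSI logging flags'] = if ($props) { $props.Logging } else { $null }
        }
    }
    $result['Elevation granted to every user'] =
        ($result['HKLM AlwaysInstallElevated'] -eq 1) -and ($result['HKCU AlwaysInstallElevated'] -eq 1)
    [pscustomobject]$result
}

function Get-WriteAccessAudit {
    param(
        [string[]]$Path,
        [string[]]$TrustedPrincipals = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM',
                                         'CREATOR OWNER', 'NT SERVICE\TrustedInstaller')
    )
    # Rights that let a principal replace an MSI or alter a key. File-system and registry
    # ACEs use different right sets, so each is tested with its own mask.
    $fsWrite  = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
    $regWrite = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'
    foreach ($p in $Path) {
        $acl = Get-Acl -Path $p -ErrorAction SilentlyContinue
        if (-not $acl) { Write-Warning "Cannot read ACL: $p"; continue }
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($TrustedPrincipals -contains $ace.IdentityReference.Value) { continue }
            $rights = if ($ace -is [System.Security.AccessControl.RegistryAccessRule]) {
                $ace.RegistryRights -band $regWrite
            } else {
                $ace.FileSystemRights -band $fsWrite
            }
            if ([int]$rights -ne 0) {
                [pscustomobject]@{
                    Path        = $p
                    Principal   = $ace.IdentityReference.Value
                    WriteRights = $rights
                    Inherited   = $ace.IsInherited
                }
            }
        }
    }
}

Get-InstallerPolicyAudit | Format-List
# '\\fileserver\software\msi' is a placeholder for the real MSI source share.
Get-WriteAccessAudit -Path '\\fileserver\software\msi', 'HKLM:\SOFTWARE\Microsoft\Virtual Machine' |
    Format-Table -AutoSize
```

Any row returned by Get-WriteAccessAudit is a principal other than the trusted set that can change what gets installed or what the guest reports to the Hyper-V host; Modify and FullControl both light up because they include the Delete and write bits in the mask, while Read and ReadAndExecute do not.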




Windows installer




Password security
● Almost all passwords that you enter during
  setup/configuration are stored somewhere:
       - HKLM\Software\<VendorName>
       - HKLM\System\CurrentControlSet\Services\<ServiceName>
       - %ProgramFiles%\<VendorName>
       - C:\ProgramData\<VendorName>
       - %AppData%\<VendorName>
       - *Anywhere*
● Some passwords are encrypted, some are not




DPAPI
● Data Protection API
● Introduced with Windows 2000, improved with every new
  version of Windows
● “Secure by Design”
● Simple API: the CryptProtectData and CryptUnprotectData
  functions
● Recommended as a best practice




DPAPI
● Widely used:
       - EFS, Internet Explorer, Outlook, IIS, RMS, WiFi passwords,
         Credential Manager
       - Skype, Gtalk, Chrome
       - XenApp, AppSense, XenCenter, Acronis, vSphere
● Can be “salted” (optional entropy), but not everyone uses “salt”
● Data can be encrypted with user or system keys
       - Data encrypted with user keys can be decrypted only by that
         user
       - Data encrypted with system keys can be decrypted by
         *ANY* user on that machine


DPAPI
● Tools from Remko Weijnen (@RemkoWeijnen):
       - IMA Password decoder - http://bit.ly/IMAPassword
       - RDP Password decoder - http://bit.ly/RDPPassword
● Universal password decoder from me:

  Add-Type -AssemblyName System.Security
  [System.Text.Encoding]::Unicode.GetString(
      [System.Security.Cryptography.ProtectedData]::Unprotect(
          [System.Convert]::FromBase64String("Base64EncodedString"),
          [System.Text.Encoding]::Unicode.GetBytes("MagicWord:)"),
          'LocalMachine'))

       - Tested with XenCenter, XenApp, AppSense
● 01,00,00,00,D0,8C,9D,DF,01,15,D1,11,8C,7A,00,C0
       - The first 16 bytes of every DPAPI blob (version 1 followed by the
         provider GUID), which identify a DPAPI-protected value
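An added example, not from the deck, that shows the two DPAPI scopes from the previous slide side by side, with the optional entropy the slides call "salt", and a check for the blob header listed above. It is written from the point of view of someone storing a secret: machine scope without entropy is what the decoder above recovers, user scope with application-specific entropy is the setting that fails for any other caller. ProtectedData.Protect/Unprotect are the .NET wrappers of CryptProtectData/CryptUnprotectData; the secret, the entropy string and the function names are constructed for this example.

```powershell
# Added example (not from the presentation): DPAPI scopes, entropy and the blob header.
Add-Type -AssemblyName System.Security

# First 16 bytes of a DPAPI blob as listed on the slide: version 1, then the provider GUID.
$DpapiHeader = [byte[]](0x01,0x00,0x00,0x00,0xD0,0x8C,0x9D,0xDF,0x01,0x15,0xD1,0x11,0x8C,0x7A,0x00,0xC0)

function Protect-Secret {
    param([string]$PlainText, [string]$Scope, [byte[]]$Entropy = $null)
    # 'LocalMachine': any process on this host can call Unprotect on the result.
    # 'CurrentUser':  tied to the calling user's DPAPI master key.
    $scopeValue = [System.Security.Cryptography.DataProtectionScope]$Scope
    $blob = [System.Security.Cryptography.ProtectedData]::Protect(
        [System.Text.Encoding]::Unicode.GetBytes($PlainText), $Entropy, $scopeValue)
    [Convert]::ToBase64String($blob)
}

function Unprotect-Secret {
    param([string]$Base64Blob, [string]$Scope, [byte[]]$Entropy = $null)
    $scopeValue = [System.Security.Cryptography.DataProtectionScope]$Scope
    $bytes = [System.Security.Cryptography.ProtectedData]::Unprotect(
        [Convert]::FromBase64String($Base64Blob), $Entropy, $scopeValue)
    [System.Text.Encoding]::Unicode.GetString($bytes)
}

function Test-DpapiBlob {
    param([byte[]]$Bytes)
    # True when the buffer starts with the DPAPI header from the slide.
    if ($Bytes.Length -lt $DpapiHeader.Length) { return $false }
    for ($i = 0; $i -lt $DpapiHeader.Length; $i++) {
        if ($Bytes[$i] -ne $DpapiHeader[$i]) { return $false }
    }
    return $true
}

$secret  = 'constructed-sample-password'                             # constructed, not a real credential
$entropy = [System.Text.Encoding]::UTF8.GetBytes('per-application-entropy')  # constructed "salt"

# Weak: machine scope, no entropy. Anyone who can read the blob on this host can decrypt it.
$weak   = Protect-Secret -PlainText $secret -Scope LocalMachine
# Stronger: user scope plus entropy. Another user, or this user without the entropy, fails.
$strong = Protect-Secret -PlainText $secret -Scope CurrentUser -Entropy $entropy

"Header check (weak blob):        " + (Test-DpapiBlob ([Convert]::FromBase64String($weak)))
"Header check (strong blob):      " + (Test-DpapiBlob ([Convert]::FromBase64String($strong)))
"Round trip (machine, no salt):   " + ((Unprotect-Secret -Base64Blob $weak -Scope LocalMachine) -eq $secret)
"Round trip (user, with salt):    " + ((Unprotect-Secret -Base64Blob $strong -Scope CurrentUser -Entropy $entropy) -eq $secret)
try {
    Unprotect-Secret -Base64Blob $strong -Scope CurrentUser | Out-Null
    "Unprotect without the entropy:   succeeded (unexpected)"
} catch {
    "Unprotect without the entropy:   failed as expected: " + $_.Exception.Message
}
```

Both blobs start with the same 16 header bytes, which is why the header alone tells you that a registry value or config file holds a DPAPI-protected secret but not which scope or entropy protects it; only the Unprotect attempt in the right security context does.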




Other ways to “decrypt” passwords




Password Security
● Datastore access from the user-accessible desktop
       - In a perfect situation there is no direct DB access from the
         desktop
       - Even encrypted passwords should be protected by an ACL
       - Users should have read-only permissions
● Good examples:
       - Citrix IMA password – secured by the ACL in the registry
       - XenCenter passwords – stored in the user profile




Database security
● Most software checks permissions at the
  application level, not at the database level
● Direct access to the database can help to elevate
  permissions within the application
● All the tools needed to access the database are already on the
  desktop:
       - Microsoft Office
       - .NET Framework
       - PowerShell
       - Scripting environments



SlimJim for XenApp 6.5
  delete indextable FROM KEYTABLE INNER JOIN
  INDEXTABLE ON KEYTABLE.nodeid = INDEXTABLE.nodeid
  WHERE (KEYTABLE.parentid = 42)
  go
  delete KEYTABLE from KEYTABLE where parentid=42
  go
● Where does this “42” come from?
       - DSView from the support\debug folder on the XenApp CD
       - Directory -> ServerNeighborhoods -> <FarmName> -> AdminTool -> Users cid




Provisioning Services
  INSERT INTO [AuthGroup]
      ([authGroupId]
      ,[authGroupName]
      ,[authGroupGuidName]
      ,[description])
  VALUES ('UNIQUE00-GUID-4D0D-B834-15EA4A9F41EA'
      ,N'DOMAIN.FQDN.COM/Users/Domain Users'
      ,N'de56c6b1-06ef-4ed6-85b8-a130f036d075'
      ,'')
  GO
  INSERT INTO [AuthGroupFarm]
      ([authGroupId])
  VALUES ('UNIQUE00-GUID-4D0D-B834-15EA4A9F41EA')
  GO

● de56c6b1-06ef-4ed6-85b8-a130f036d075 – GUID from adsiedit



SQL
● SQL servers should be secured even if they are “not
  hosting important company data”
       - Access to the XA datastore = XA admin rights
       - Access to the Provisioning Server DB = assigning a custom
         image
       - Access to the VMM/vCenter DB = IDDQD
       - Access to the AppSense/RES/VUEM DB = ability to bypass
         SRP and execute processes under another user
● Use Microsoft Security Compliance Manager:
  http://bit.ly/MS-SCM
● Read SQL Security Best Practices from Microsoft -
  http://bit.ly/SQLSecurity
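An added example, not from the deck, for the database slides above (the XenApp datastore, the Provisioning Services database and the SQL slide): it lists every user and Windows group mapped into a database together with its database roles, its server login and whether that login is a sysadmin, then filters out the principals you expect, so that a group such as Domain Users or a desktop-reachable account with write rights stands out. It uses Windows authentication through System.Data.SqlClient and the SQL Server catalog views; the instance, database and service account names are placeholders constructed for this example.

```powershell
# Added example (not from the presentation): who can reach an application database directly.
function Get-DatabaseAccessReport {
    param(
        [string]$ServerInstance = 'SQLSERVER01\CTXDB',   # placeholder
        [string]$Database       = 'CitrixDataStore'      # placeholder
    )
    # Database principals of type SQL user (S), Windows user (U) and Windows group (G),
    # joined to their database roles and to the server login behind each of them.
    $query = @"
SELECT dp.name            AS Principal,
       dp.type_desc       AS PrincipalType,
       ISNULL(r.name, '') AS DatabaseRole,
       sp.name            AS ServerLogin,
       IS_SRVROLEMEMBER('sysadmin', sp.name) AS IsSysadmin
FROM   sys.database_principals dp
LEFT JOIN sys.database_role_members rm ON rm.member_principal_id = dp.principal_id
LEFT JOIN sys.database_principals  r  ON r.principal_id = rm.role_principal_id
LEFT JOIN sys.server_principals    sp ON sp.sid = dp.sid
WHERE  dp.type IN ('S', 'U', 'G')
  AND  dp.name NOT IN ('dbo', 'guest', 'INFORMATION_SCHEMA', 'sys')
ORDER BY dp.name, r.name;
"@
    $conn  = New-Object System.Data.SqlClient.SqlConnection(
        "Server=$ServerInstance;Database=$Database;Integrated Security=True")
    $table = New-Object System.Data.DataTable
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = $query
        $table.Load($cmd.ExecuteReader())
    } finally {
        $conn.Close()
    }
    $table
}

function Get-UnexpectedDatabaseAccess {
    param([string]$ServerInstance, [string]$Database, [string[]]$ExpectedPrincipals)
    # Everything not on the expected list is a candidate for removal. A Windows group mapped
    # into the datastore is the case the SlimJim and Provisioning Services slides rely on:
    # every member of it can run those statements from Office or PowerShell on the desktop.
    Get-DatabaseAccessReport -ServerInstance $ServerInstance -Database $Database |
        Where-Object { $ExpectedPrincipals -notcontains $_.Principal } |
        Select-Object Principal, PrincipalType, DatabaseRole, ServerLogin, IsSysadmin
}

# Placeholder names: the XenApp service account is normally the only principal that belongs here.
Get-UnexpectedDatabaseAccess -ServerInstance 'SQLSERVER01\CTXDB' -Database 'CitrixDataStore' `
    -ExpectedPrincipals 'DOMAIN\svc-xenapp-datastore' | Format-Table -AutoSize
```

Run it against each of the databases named on the SQL slide (datastore, Provisioning Services, VMM/vCenter, AppSense/RES/VUEM) with that product's service account as the expected principal; a db_owner or db_datawriter row for anything else means the application-level permission checks the slide describes can be bypassed with a direct connection.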

Questions?
● http://bit.ly/SecureIT
● denisg@entisys.com
● @fdwl



 
RUCUG: 4. Brian Madden:Terminal Services или VDI, что сейчас происходит с des...
RUCUG: 4. Brian Madden:Terminal Services или VDI, что сейчас происходит с des...RUCUG: 4. Brian Madden:Terminal Services или VDI, что сейчас происходит с des...
RUCUG: 4. Brian Madden:Terminal Services или VDI, что сейчас происходит с des...
 
RUCUG: 11. Rick Dehlinger BYOC: Beware the Perimeter
RUCUG: 11. Rick Dehlinger BYOC: Beware the PerimeterRUCUG: 11. Rick Dehlinger BYOC: Beware the Perimeter
RUCUG: 11. Rick Dehlinger BYOC: Beware the Perimeter
 
RUCUG: 10. Robert Morris:Жизнь в окопах виртуализационной войны
RUCUG: 10. Robert Morris:Жизнь в окопах виртуализационной войныRUCUG: 10. Robert Morris:Жизнь в окопах виртуализационной войны
RUCUG: 10. Robert Morris:Жизнь в окопах виртуализационной войны
 
Alexander Tarasov: 5. Wyse Xenith - новейший тонкий клиент с поддержкой HDX
Alexander Tarasov: 5. Wyse Xenith - новейший тонкий клиент с поддержкой HDXAlexander Tarasov: 5. Wyse Xenith - новейший тонкий клиент с поддержкой HDX
Alexander Tarasov: 5. Wyse Xenith - новейший тонкий клиент с поддержкой HDX
 
RUCUG: 3. Vasily Malanin:Microsoft + Citrix: Обзор новых возможностей
RUCUG: 3. Vasily Malanin:Microsoft + Citrix: Обзор новых возможностейRUCUG: 3. Vasily Malanin:Microsoft + Citrix: Обзор новых возможностей
RUCUG: 3. Vasily Malanin:Microsoft + Citrix: Обзор новых возможностей
 
RUCUG: 2. Harry Labana:Keynote: Новости Citrix Synergy, технологии будущего
RUCUG: 2. Harry Labana:Keynote: Новости Citrix Synergy, технологии будущегоRUCUG: 2. Harry Labana:Keynote: Новости Citrix Synergy, технологии будущего
RUCUG: 2. Harry Labana:Keynote: Новости Citrix Synergy, технологии будущего
 

Último

Último (20)

Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu SubbuApidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdf
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
 
AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 

Hypervisor and VDI security

  • 7. Physical Security
    • Why you need to secure servers?
      • Server can be stolen
      • Server can be duplicated
      • Seamlessly replace a disk in the storage array and steal the data
      • Attacker can boot from CD/USB and reset the admin password
    • Do you need to secure your hypervisors?
      • Sure, the hypervisor is a key to your infrastructure
  • 8. Get Access to the Windows Box - Demo
  • 9. Breaking into hypervisor
    ● XenServer - http://bit.ly/XenServerPassword
    ● VMware ESX - http://bit.ly/ResetESXPassword, same procedure as for XenServer
    ● VMware ESXi – password reset not supported, but possible http://bit.ly/ResetESXiPassword
  • 10. Securing Server boot
    ● Disable boot from CD/USB/PXE
      - If using UEFI – change the boot order using the UEFI manager
      - Be careful, some UEFI firmware adds removable devices as a boot option by default
    ● Disable removable drives after installation
    ● Set BIOS admin password
      - Does not prevent boot, but prevents changing the boot order
    ● Disable Intelligent Provisioning available on HP G8 servers
  • 11. Out-of-band management (lights-out management)
    ● Implement AD integration for HP iLO, Dell iDRAC or IBM RSA (can be done with or without schema extension)
    ● Disable the default local administrator and/or change the default password
      - root/calvin for Dell
      - Printed on the server label for HP
      - USERID/PASSW0RD for IBM
    ● Configure SNMP and/or syslog to monitor who is using LOM
    ● Grant permissions carefully
  • 12. Out-of-band management (lights-out management)
    ● Use a separate management network
    ● Use trusted certificates
    ● Disable telnet (HP G8 doesn’t have it!, disabled by default on Dell/IBM)
    ● Disable SSH if you do not use it
    ● Change SNMP community strings
  • 13. Out-of-band management (lights-out management)
    ● Regularly read security guides:
      - Dell - http://bit.ly/DRACSecurity
      - HP - http://bit.ly/ILOSecurity
      - IBM doesn’t have one, just the manual: http://bit.ly/IBMRSAGuide
    ● Regularly update firmware
    ● Review audit logs and configure alerts
  • 14. Trusted Platform Module
    ● Smartcard-like hardware module on the motherboard
      - Protects secrets
      - Performs cryptographic functions
      - Can create, store and manage keys
      - Performs digital signature operations
      - Holds Platform Measurements (hashes)
    ● Can be used to check platform integrity
    ● Can be used to store disk encryption keys
  • 15. Trusted Platform Module
    ● Disabled by default
    ● Resets automatically during the BIOS reset by switches
    ● Owned by the OS
    ● Change of ownership not possible without reset
    ● Secure boot order in BIOS + TPM-aware OS + BIOS setup password makes a hacker’s life harder
  • 17. Windows (Hyper-V)
    ● Windows Server 2008 and above is a TPM-aware OS
    ● BitLocker Full-Disk Encryption protecting the OS and data
    ● BitLocker protects from the offline password reset (pogostik/opengate/WinRE)
    ● BitLocker protects OS data from offline analysis (stolen or duplicated drives)
  • 18. BitLocker™ Drive Encryption Architecture (diagram; source: Microsoft)
    ● Static Root of Trust Measurement of boot components: TPM Init → BIOS → MBR → BootSector → BootBlock → BootManager → OS Loader → Start OS
    ● PreOS stage: all boot blobs unlocked; Static OS stage: volume blob of the target OS unlocked
  • 19. Windows disk encryption
    ● BitLocker can be managed with GPO
    ● Data can be recovered if needed
    ● BitLocker can store recovery passwords in AD (schema extension is required)
      - Domain admins and the computer itself can read recovery passwords – permissions can be changed: http://bit.ly/BitLockerAD
    ● Whitepaper is available on Microsoft.com http://bit.ly/HyperVBitLocker
    ● Hyper-V Clusters supported, hotfix needed: http://support.microsoft.com/kb/2446607
    ● In-guest VM encryption not supported
    ● Windows Server 2012 supports BitLocker-encrypted CSV http://bit.ly/BitLockerCSV2012
    ● HP HOWTO: http://bit.ly/HPBitLocker
  • 20. XenServer & TPM
    ● No official support
    ● Basic vTPM is in the product, but not documented yet and still not secured with a physical TPM
    ● But XenServer is just a Linux!
    ● TrustedGRUB, GRUB-IMA and Open Secure LOader (OSLO) are available to secure the boot process
    ● Disk encryption with dm-crypt with TPM is possible, but complicated.
      - Details in IBM Blueprint http://bit.ly/IBMTrustedGRUB
  • 21. Linux Trusted Boot Stages (diagram; source: Trent Jaeger)
    ● Stages shown: BIOS (CRTM, POST) → Bootloader (GRUB Stage1 (MBR), Stage1.5, Stage2, GRUB conf) → Operating System (Kernel, SELinux MAC policy, JVM, DB)
    ● TPM PCRs measured per stage: PCR01-07 (BIOS), PCR04-05 (bootloader), PCR08-14 (OS); root of trust (ROT) is the CRTM
  • 22. TrustedGRUB
    ● IBM BluePrint with step-by-step instructions available http://bit.ly/IBMTrustedGRUB
    ● GPT is not supported by TrustedGRUB, MBR is required
      - Modify /opt/xensource/installer/constants.py during install
      - step-by-step instructions from Major Hayden (@rackerhacker) on his blog http://bit.ly/XS6GPTDisable
    ● Sirrix AG together with the German Federal Office for Information Security (BSI) tested different TPM-enabled open source solutions, review the document before implementation
      - http://bit.ly/TSSStudy
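The measurement chain of slides 14 and 21 can be seen end to end with a few lines of Python. This is an added example, not code from the deck or from any TPM stack: it models a TPM 1.2 SHA-1 PCR bank, the Extend operation, and a disk key "sealed" to PCRs 0, 4, 8 and 9. The PCR numbers and the boot components are constructed to mirror the slide's layout (BIOS into PCR 0, MBR/stage1 into PCR 4, later GRUB stages into PCR 8, kernel into PCR 9), and the sealing policy is a simplified model of the TPM's composite hash. It shows why an offline swap of the kernel image, or even measuring the same GRUB stages in a different order, leaves the PCRs in a state in which the sealed key is not released.

```python
import hashlib

PCR_SIZE = 20  # SHA-1 PCR width on TPM 1.2 hardware


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM Extend: PCR_new = SHA-1(PCR_old || SHA-1(measurement)).
    The chip exposes only Extend, never a plain write, so a PCR cannot be
    set to a chosen value and nothing already extended can be undone."""
    return hashlib.sha1(pcr + hashlib.sha1(measurement).digest()).digest()


def measure_chain(chain):
    """Replay a boot chain, a list of (pcr_index, component_bytes), from the
    all-zero reset state and return the resulting {pcr_index: value}."""
    pcrs = {}
    for index, component in chain:
        pcrs[index] = pcr_extend(pcrs.get(index, b"\x00" * PCR_SIZE), component)
    return pcrs


def seal_policy(pcrs, indices):
    """Model of sealing a key to PCRs: the digest of the selected PCR values
    at seal time. The key is released only when the same digest recurs."""
    return hashlib.sha1(b"".join(pcrs.get(i, b"\x00" * PCR_SIZE) for i in indices)).digest()


# Constructed sample chain (not real firmware or kernel images); the PCR
# assignment is an assumption mirroring slide 21.
GOOD_BOOT = [
    (0, b"BIOS firmware image v1.2"),
    (4, b"GRUB stage1 (MBR)"),
    (8, b"GRUB stage1.5"),
    (8, b"GRUB stage2 + grub conf"),
    (9, b"vmlinuz-2.6.32-xen"),
]
SEALED_TO = (0, 4, 8, 9)


def tampered_chain():
    """The kernel image was replaced on disk while the server was offline."""
    chain = list(GOOD_BOOT)
    chain[4] = (9, b"vmlinuz-2.6.32-xen (modified)")
    return chain


def reordered_chain():
    """Identical components, but the two GRUB stages measured the other way round."""
    chain = list(GOOD_BOOT)
    chain[2], chain[3] = chain[3], chain[2]
    return chain


def key_released(chain, sealed_digest):
    """Would the sealed disk-encryption key be released after this boot?"""
    return seal_policy(measure_chain(chain), SEALED_TO) == sealed_digest


def demo():
    """Returns (good boot, tampered kernel, reordered stages) -> (True, False, False)."""
    sealed = seal_policy(measure_chain(GOOD_BOOT), SEALED_TO)
    return (key_released(GOOD_BOOT, sealed),
            key_released(tampered_chain(), sealed),
            key_released(reordered_chain(), sealed))


if __name__ == "__main__":
    print(demo())
```

The reordering case is the one people miss: a TPM-sealed key does not just check that the right files are present, it checks that they were measured in the expected sequence, which is why a TrustedGRUB install has to be done once, deliberately, and the sealed key re-created afterwards.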
  • 23. XenServer boot hardening
    1. Disable boot from removable devices
    2. Set BIOS setup password
    3. Enable TPM
    4. Disable single user mode without password
       - Add the following entry into the /etc/inittab file:
         ~~:S:wait:/sbin/sulogin
    5. Install TrustedGRUB
    6. Enable GRUB password
    7. Configure additional checks on /etc/passwd, /etc/shadow, /boot/grub.lst and PAM configuration files
    8. Enable TrustedGRUB
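Steps 4 and 6 of this checklist can be verified from the configuration files alone. The following audit is an added example, not part of the deck or of XenServer: it assumes the GRUB legacy menu.lst format that TrustedGRUB uses (the file the slide calls /boot/grub.lst) and takes file contents as strings, so it runs here against constructed samples; on a host you would read /etc/inittab and the menu.lst. It also flags two mistakes the checklist does not spell out: a plaintext GRUB password, and a password line placed after the first title, which locks only that entry instead of the whole menu and command line.

```python
import re

# The exact inittab entry the slide says to add (step 4).
SULOGIN_ENTRY = "~~:S:wait:/sbin/sulogin"

# GRUB legacy password line: "password secret" (plaintext) or
# "password --md5 <hash>" / "password --encrypted <hash>".
GRUB_PASSWORD_RE = re.compile(r"^\s*password\s+(?:--(md5|encrypted)\s+)?(\S+)", re.IGNORECASE)


def single_user_requires_password(inittab: str) -> bool:
    """True if an active inittab line runs /sbin/sulogin for runlevel S,
    so a single-user boot prompts for the root password."""
    for line in inittab.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":", 3)  # id:runlevels:action:process
        if (len(fields) == 4 and "S" in fields[1].upper()
                and fields[2] == "wait" and "/sbin/sulogin" in fields[3]):
            return True
    return False


def grub_password_status(menu_lst: str) -> str:
    """'hashed', 'plaintext' or 'missing' for the global GRUB password.
    Only a password line before the first 'title' protects the menu and the
    GRUB command line; one placed after a title locks just that entry."""
    for line in menu_lst.splitlines():
        stripped = line.strip()
        if stripped.startswith("#"):
            continue
        if stripped.startswith("title"):
            break
        match = GRUB_PASSWORD_RE.match(line)
        if match:
            return "hashed" if match.group(1) else "plaintext"
    return "missing"


def audit_boot_hardening(inittab: str, menu_lst: str) -> list:
    """Return a list of findings; an empty list means steps 4 and 6 pass."""
    findings = []
    if not single_user_requires_password(inittab):
        findings.append("single-user mode needs no password: add '%s' to /etc/inittab" % SULOGIN_ENTRY)
    status = grub_password_status(menu_lst)
    if status == "missing":
        findings.append("no global GRUB password: add 'password --md5 <hash>' before the first title")
    elif status == "plaintext":
        findings.append("GRUB password stored in plaintext: use 'password --md5 <hash>' (grub-md5-crypt)")
    return findings


# Constructed sample files (not copied from a real host).
DEFAULT_INITTAB = """# constructed: stock inittab, no sulogin entry
id:3:initdefault:
si::sysinit:/etc/rc.d/rc.sysinit
l3:3:wait:/etc/rc.d/rc 3
1:2345:respawn:/sbin/mingetty tty1
"""
HARDENED_INITTAB = DEFAULT_INITTAB + SULOGIN_ENTRY + "\n"

DEFAULT_MENU_LST = """# constructed: menu.lst without a password
default 0
timeout 5
title XenServer
   root (hd0,0)
   kernel /boot/xen.gz
"""
HARDENED_MENU_LST = DEFAULT_MENU_LST.replace(
    "timeout 5", "timeout 5\npassword --md5 $1$PLACEHOLDER$notarealhash")
PLAINTEXT_MENU_LST = DEFAULT_MENU_LST.replace("timeout 5", "timeout 5\npassword secret")
LATE_PASSWORD_MENU_LST = DEFAULT_MENU_LST + "password --md5 $1$PLACEHOLDER$notarealhash\n"


if __name__ == "__main__":
    for finding in audit_boot_hardening(DEFAULT_INITTAB, DEFAULT_MENU_LST):
        print("FAIL:", finding)
    print("hardened:", audit_boot_hardening(HARDENED_INITTAB, HARDENED_MENU_LST))
```

Run this from a configuration-management job rather than once by hand: a firmware reset (slide 15) or a reinstall silently undoes steps 1 to 4, and the file checks are cheap enough to repeat on every run.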
  • 24. VMware & Support
    ● VMware claims that TPM is supported (http://kb.vmware.com/kb/1033811)
    ● Not configurable
    ● Not documented
    ● No partner solutions that use TPM
    ● Disk encryption for vKernel is not supported (FAT16!!!)
  • 26. Platform-independent recommendations
    ● Don’t store VMs on the local drive, use SAN/NAS instead
    ● Use mutual CHAP authentication for iSCSI
    ● Consider using Boot from SAN with storage-based encryption and Fibre Channel Security Protocol (FC-SP) enabled HBAs
      - short overview - http://bit.ly/FC-SPOverview
      - Standard http://bit.ly/FC-SPStandard
      - HBAs available from all major vendors (Emulex, Qlogic, Cisco, Brocade, Hitachi)
    ● Use fixed virtual disk size to avoid unexpected VM pauses
  • 27. Platform-independent recommendations
    ● Separate management network
    ● Optionally implement IPsec on the management network
      - VMware - http://bit.ly/VMwareIPsec
    ● Change default MAC addresses to avoid use of a MAC address DB by an attacker:
      - http://www.coffer.com/mac_find
      - 00-15-5D – Hyper-V
      - 00-50-56 – VMware
  • 28. Platform-independent recommendations
    ● vCenter/SCVMM should be secured better than your DC
    ● Configure monitoring and auditing
    ● Use Active Directory for authentication
    ● Disable/lock local users and/or configure a password policy
    ● Do not use the management console as an RDP replacement
  • 29. XenServer hardening
    ● Review XenServer User Security guide http://bit.ly/XSSecurity
    ● Review XenServer Hardening guide (released by Positive Technologies)
      - http://bit.ly/XSHardening
    ● Configure AD authentication
    ● Disable SSH if you are not using it
    ● Install server certificates http://bit.ly/XSCertificates
    ● Disable unencrypted XAPI access
    ● Disable autologon to the console from XenCenter
    ● Avoid using pool-admin privilege, any pool admin can change the root password with xe user-password-change
  • 30. XenServer hardening
    ● All passwords stored on XenServer are insecure
      - Use a dedicated user for CIFS ISO repositories, limit the computers where this user can log on, because passwords can be retrieved even by a read-only user (xe pbd-list)
      - Use dedicated users for power management (any pool operator can retrieve them with xe secret-list)
    ● Be careful with RBAC, a lot of “security” is implemented in XenCenter only, XAPI and xe.exe give a lot of information even to a read-only user
    ● Be careful with XenServer monitoring, if a vendor asks for more permissions than read-only user – change your vendor
    ● Avoid saving passwords in XenCenter (more information later)
  • 31. VMware hardening
    ● Check VMware vSphere hardening guide http://bit.ly/vSphereHardening
    ● Install trusted certificates
    ● vCenter – remove local admins
    ● vCenter – check permissions on vCenter folders, certificates are stored there
    ● Use remote management instead of the console installed on vCenter
    ● Change SQL account permissions after installation http://bit.ly/VMwareSQL
    ● Disable SSH if nobody uses it
  • 32. VMware hardening
    ● Be careful with monitoring agents’ permissions
    ● Use partner solutions for hardening and compliance management:
      - vGate from Security Code (http://vgate.info/en/)
      - HyTrust virtual appliance (http://www.hytrust.com)
  • 33. Hyper-V/VMM hardening
    ● Use Server Core installation
    ● Remove local administrators from VMM
    ● Use remote management instead of the console installed on SCVMM
    ● Implement BitLocker
    ● Secure “HKLM\SOFTWARE\Microsoft\Virtual Machine” on guests
    ● Change permissions on the VHD store
    ● Read Hyper-V security guide http://bit.ly/HyperVHardening
    ● Download and use Microsoft Security Compliance Manager http://bit.ly/MS-SCM
  • 34. VDI security
  • 35. VDI security best practices
    ● In most cases – the same best practices apply to XenDesktop/View/RDS/vWorkspace
    ● Use GPO to manage VDI
    ● Create separate OUs for different desktop groups
    ● Don’t disable the firewall, configure rules instead
      - http://bit.ly/WindowsFirewall
    ● Monitor logs
    ● Remove Domain Users from Terminal Server Users/Users groups, use dedicated groups, configure them using GPO
  • 36. VDI security best practices
    ● Use AppLocker/SRP/other application control tools to audit application usage
    ● Don’t forget about scripting environments:
      - Visual Basic for Applications
      - Browsers
      - HTML Applications
    ● Even with AppLocker/AppSense/RES there are ways to execute any application
      - XLSploit from Remko Weijnen (@RemkoWeijnen) - http://bit.ly/XLSploit
      - Application control processes can be suspended/killed from Task Manager
  • 37. Windows Installer
  • 38. Windows Installer
    ● Be careful with Windows Installer, ANY user can restart the server
    ● Configure MSI logging with GPO, collect MSI logs and analyze them
    ● “AlwaysInstallElevated” is equivalent to granting administrative rights
      - http://bit.ly/AlwaysInstallElevated
    ● Enforce *.MSI signing
    ● Always check permissions on the folder with the source MSI files
  • 39. Windows installer
  • 40. Password security
    ● Almost all passwords that you enter during setup/configuration are stored somewhere
      - HKLM\Software\<VendorName>
      - HKLM\System\CurrentControlSet\Services\<ServiceName>
      - %ProgramFiles%\<VendorName>
      - C:\ProgramData\<VendorName>
      - %AppData%\<VendorName>
      - *Anywhere*
    ● Some passwords are encrypted, some not
  • 41. DPAPI
    ● Data Protection API
    ● Introduced with Windows 2000, improved with every new version of Windows
    ● “Secure by Design”
    ● Simple API, CryptProtectData and CryptUnprotectData functions
    ● Recommended as a best practice
  • 42. DPAPI
    ● Widely used:
      - EFS, Internet Explorer, Outlook, IIS, RMS, WiFi passwords, CredManager
      - Skype, Gtalk, Chrome
      - XenApp, AppSense, XenCenter, Acronis, vSphere
    ● Can be “salted”, not everyone uses “salt”
    ● Data can be encrypted with user or system keys
      - Data encrypted with user keys can be decrypted only by the user
      - Data encrypted with system keys can be decrypted by *ANY* user
  • 43. DPAPI
    ● Tools from Remko Weijnen (@RemkoWeijnen):
      - IMA Password decoder - http://bit.ly/IMAPassword
      - RDP Password decoder - http://bit.ly/RDPPassword
    ● Universal password decoder from me:
      Add-Type -AssemblyName System.Security
      [System.Text.Encoding]::Unicode.GetString([System.Security.Cryptography.ProtectedData]::Unprotect([System.Convert]::FromBase64String("Base64EncodedString"), [System.Text.Encoding]::Unicode.GetBytes("MagicWord:)"), 'LocalMachine'))
      - Tested with XenCenter, XenApp, AppSense
    ● 01,00,00,00,D0,8C,9D,DF,01,15,D1,11,8C,7A,00,C0
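Two of the checks from slides 38 and 40-43 can be done against a regedit export instead of the live registry, which is how you would review a golden image or a server you do not yet trust. The scanner below is an added example, not code from the deck or from Microsoft. The .reg text is constructed; the installer policy key path is the standard Windows one rather than something on the slide; and the scanner keys on the byte sequence the slide lists (01 00 00 00 D0 8C 9D DF 01 15 D1 11 8C 7A 00 C0 ...), which is the DPAPI blob header: version 1 followed by the DPAPI provider GUID, after which the blob carries the master-key version and the GUID of the master key that protects it. The point for a defender is twofold: AlwaysInstallElevated is only effective when both the machine and the user policy value are set, and a DPAPI blob sitting under HKLM is only as private as the ACL on that key, because, as slide 42 says, machine-key data can be unprotected by any user who can read it.

```python
import uuid

# Provider GUID that every DPAPI blob carries after its 4-byte version field
# (the slide's D0,8C,9D,DF,01,15,D1,11,8C,7A,00,C0,... rendered as a GUID).
DPAPI_PROVIDER_GUID = uuid.UUID("df9d8cd0-1501-11d1-8c7a-00c04fc297eb")
# Standard Windows policy location for the Windows Installer policies.
INSTALLER_POLICY = r"SOFTWARE\POLICIES\MICROSOFT\WINDOWS\INSTALLER"


def decode_value(raw):
    """Decode the right-hand side of a .reg value line into (type, data)."""
    if raw.startswith("dword:"):
        return "REG_DWORD", int(raw[6:], 16)
    if raw.startswith("hex:"):
        return "REG_BINARY", bytes.fromhex(raw[4:].replace(",", ""))
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return "REG_SZ", raw[1:-1].replace("\\\\", "\\")
    return "UNKNOWN", raw


def parse_reg_export(text):
    """Parse a 'Windows Registry Editor Version 5.00' export into
    {KEY_PATH (upper-cased): {value_name: (type, data)}}, joining the
    backslash line continuations regedit uses for long hex values."""
    keys, current, lines, i = {}, None, text.splitlines(), 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].upper()
            keys[current] = {}
            continue
        if current is None:
            continue
        while line.endswith("\\") and i < len(lines):  # continuation line
            line = line[:-1] + lines[i].strip()
            i += 1
        name, _, raw = line.partition("=")
        keys[current][name.strip('"')] = decode_value(raw)
    return keys


def _dword(keys, key_path, name):
    vtype, data = keys.get(key_path.upper(), {}).get(name, ("REG_NONE", 0))
    return data if vtype == "REG_DWORD" else 0


def always_install_elevated(keys):
    """True only when BOTH the machine and the user policy value are 1;
    Windows Installer ignores the policy unless both halves are set."""
    return (_dword(keys, "HKEY_LOCAL_MACHINE\\" + INSTALLER_POLICY, "AlwaysInstallElevated") == 1
            and _dword(keys, "HKEY_CURRENT_USER\\" + INSTALLER_POLICY, "AlwaysInstallElevated") == 1)


def find_dpapi_blobs(keys):
    """Return REG_BINARY values that start with a DPAPI blob header, with the
    hive they live in and the master-key GUID that protects them."""
    hits = []
    for key_path, values in keys.items():
        for name, (vtype, data) in values.items():
            if vtype != "REG_BINARY" or len(data) < 40:
                continue
            version = int.from_bytes(data[0:4], "little")
            if version != 1 or uuid.UUID(bytes_le=data[4:20]) != DPAPI_PROVIDER_GUID:
                continue
            hits.append({
                "key": key_path,
                "value": name,
                "hive": key_path.split("\\", 1)[0],
                "master_key": str(uuid.UUID(bytes_le=data[24:40])),
            })
    return hits


def audit_reg_export(text):
    """Run both checks over one export and return a summary dict."""
    keys = parse_reg_export(text)
    return {"always_install_elevated": always_install_elevated(keys),
            "dpapi_blobs": find_dpapi_blobs(keys)}


# Constructed export: both policy halves set, one vendor value holding a DPAPI
# blob (master-key GUID and payload are made up), one non-DPAPI binary value.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer]
"AlwaysInstallElevated"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\Installer]
"AlwaysInstallElevated"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\ExampleVendor\Agent]
"Server"="db01.example.invalid"
"ServicePassword"=hex:01,00,00,00,d0,8c,9d,df,01,15,d1,11,8c,7a,00,c0,4f,c2,\
  97,eb,01,00,00,00,0d,1c,2a,3b,11,11,22,22,33,33,44,44,55,55,66,66,00,00,\
  00,00,de,ad,be,ef
"License"=hex:4c,49,43,45,4e,53,45
"""

if __name__ == "__main__":
    print(audit_reg_export(SAMPLE_REG))
```

Real regedit exports are UTF-16 with a BOM, so open them with encoding="utf-16" before passing the text in. Every hit under HKEY_LOCAL_MACHINE is a key whose ACL deserves a look, which is exactly the test slide 45 applies to the Citrix IMA password.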
  • 44. Other ways to “decrypt” passwords
  • 45. Password Security
    ● Datastore access from the user-accessible desktop
      - In a perfect situation there is no direct DB access from the desktop
      - Even an encrypted password should be secured by ACL
      - Should have read-only permissions
    ● Good examples:
      - Citrix IMA password – secured by the ACL in the registry
      - XenCenter passwords – stored in the user profile
  • 46. Database security
    ● Most of the software checks permissions on the application level, not on the database level
    ● Direct access to the database can help to elevate permissions within the application
    ● All tools to access the database are already on the desktop:
      - Microsoft Office
      - .NET Framework
      - PowerShell
      - Scripting environment
  • 47. SlimJim for XenApp 6.5
      delete indextable FROM KEYTABLE INNER JOIN INDEXTABLE ON KEYTABLE.nodeid = INDEXTABLE.nodeid WHERE (KEYTABLE.parentid = 42)
      go
      delete KEYTABLE from KEYTABLE where parentid=42
      go
    ● Where is this “42” coming from?
      - DSView from the support\debug folder on the XenApp CD
      - Directory->ServerNeighborhoods-><FarmName>->AdminTool->Users cid
  • 48. SlimJim for XenApp 6.5
  • 49. Provisioning Services
      INSERT INTO [AuthGroup]
        ([authGroupId]
        ,[authGroupName]
        ,[authGroupGuidName]
        ,[description])
      VALUES ('UNIQUE00-GUID-4D0D-B834-15EA4A9F41EA'
        ,N'DOMAIN.FQDN.COM/Users/Domain Users'
        ,N'de56c6b1-06ef-4ed6-85b8-a130f036d075'
        ,'')
      GO
      INSERT INTO [AuthGroupFarm]
        ([authGroupId])
      VALUES ('UNIQUE00-GUID-4D0D-B834-15EA4A9F41EA')
      GO
    ● de56c6b1-06ef-4ed6-85b8-a130f036d075 – GUID from adsiedit
  • 50. SQL
    ● SQL servers should be secured even if they are “not hosting important company data”
      - Access to XA datastore = XA Admin rights
      - Access to Provisioning Server DB = assigning of a custom image
      - Access to VMM/vCenter DB = IDDQD
      - Access to AppSense/RES/VUEM DB = ability to bypass SRP and execute processes under another user
    ● Use Microsoft Security Compliance Manager http://bit.ly/MS-SCM
    ● Read SQL Security Best Practices from Microsoft
      - http://bit.ly/SQLSecurity
  • 51. Questions?
    ● http://bit.ly/SecureIT
    ● denisg@entisys.com
    ● @fdwl