Hypervisor and VDI security
5 likes2,816 views
This document provides a summary of a presentation on securing Citrix environments. The presenter discusses securing physical servers by disabling boot from removable devices, setting BIOS passwords, and enabling the Trusted Platform Module (TPM). They also cover hypervisor hardening for XenServer, including using TrustedGRUB to secure the boot process and enable full disk encryption with TPM. For Windows hypervisors, they discuss using BitLocker encryption and storing recovery keys in Active Directory.
![DPAPI
● Tools from Remko Weijnen (@RemkoWeijnen):
- IMA Password decoder - http://bit.ly/IMAPassword
- RDP Password decoder - http://bit.ly/RDPPassword
● Universal password decoder from me
Add-Type -AssemblyName System.Security
[system.text.encoding]::Unicode.Getstring([System.Security.Cryptography.ProtectedData]::Unprotect([s
ystem.convert]::FromBase64String("Base64EncodedString"),[system.text.encoding]::Unicode.GetBytes
("MagicWord:)"),'LocalMachine'))
- Tested with XenCenter, XenApp, AppSense
● 01,00,00,00,D0,8C,9D,DF,01,15,D1,11,8C,7A,00,C0
BriForum | © TechTarget 43](https://image.slidesharecdn.com/dg-briforum2012chicago-120726092515-phpapp01/85/Hypervisor-and-VDI-security-43-320.jpg)
![Provisioning Services
1. INSERT INTO [AuthGroup]
2. ([authGroupId]
3. ,[authGroupName]
4. ,[authGroupGuidName]
5. ,[description])
6. VALUES (‘UNIQUE00-GUID-4D0D-B834-15EA4A9F41EA'
7. ,N‘DOMAIN.FQDN.COM/Users/Domain Users'
8. ,N'de56c6b1-06ef-4ed6-85b8-a130f036d075'
9. ,'')
10. GO
11. INSERT INTO [AuthGroupFarm]
12. ([authGroupId])
13. VALUES ('UNIQUE00-GUID-4D0D-B834-15EA4A9F41EA')
14. GO
● de56c6b1-06ef-4ed6-85b8-a130f036d075 – GUID from adsiedit
BriForum | © TechTarget 49](https://image.slidesharecdn.com/dg-briforum2012chicago-120726092515-phpapp01/85/Hypervisor-and-VDI-security-49-320.jpg)
Hypervisor and VDI security
- 1. Welcome BriForum | © TechTarget
- 2. Do You Think Your Citrix Environment is Secure Enough? Ready or Not, Here I Come! Denis Gundarev Consultant Entisys Solutions BriForum | © TechTarget
- 3. About presenter C:>whoami /all USER INFORMATION ---------------- User Name Twitter Name E-Mail ============== ============ ================== ENTISYSdenisg @fdwl DenisG@entisys.com GROUP INFORMATION ----------------- Group Name Type SID ============================== ================ ================= Citrix Technology Professional Well-known group S-1-5-32-544 Citrix Certified Instructor Well-known group S-1-5-32-545 Microsoft Certified Trainer Well-known group S-1-5-32-546 BriForum | © TechTarget 3
- 4. Disclaimer ● Information in this presentation is intended for educational purposes only. Some topics in this presentation may contain the information related to “Hacking Passwords” or “Elevating permissions” (Or Similar terms). Some topics will provide information about the legal ways of retrieving the passwords. You shall not misuse the information to gain unauthorized access. However you may try out these hacks on your own computer at your own risk. ● Some of the stuff that you will learn is dangerous, playing with this knowledge on your production environment can make you very unhappy BriForum | © TechTarget 4
- 5. Agenda ● Physical server security ● Trusted Platform Module ● Hypervisor hardening ● VDI security - Microsoft installer - Password security - SQL security #BriForum BriForum | © TechTarget 5
- 6. ● All links from this presentation are available here: - http://bit.ly/SecureIT BriForum | © TechTarget http://bit.ly/SecureIT | @fdwl 6
- 7. Physical Security • Why you need to secure servers? • Server can be stolen • Server can be duplicated • Seamlessly replace disk in the storage array and stole the data • Attacker can boot from CD/USB and reset the admin password • Do you need to secure your hypervisors? • Sure, hypervisor is a key to your infrastructure BriForum | © TechTarget 7
- 8. Get Access to the Windows Box - Demo BriForum | © TechTarget 8
- 9. Breaking into hypervisor ● XenServer - http://bit.ly/XenServerPassword ● VMware ESX - http://bit.ly/ResetESXPassword, same procedure as for XenServer ● VMware ESXi – password reset not supported, but possible http://bit.ly/ResetESXiPassword BriForum | © TechTarget 9
- 10. Securing Server boot ● Disable boot from CD/USB/PXE - If using UEFI – change the boot order using UEFI manager - Be careful, some UEFI firmware adds removable devices as a boot option by default ● Disable removable drives after installation ● Set BIOS admin password - Does not prevent boot, but prevent changing the boot order ● Disable intelligent provisioning available on HP G8 servers BriForum | © TechTarget 10
- 11. Out-of-band management (lights-out management) ● Implement AD integration for HP iLO, Dell iDRAC or IBM RSA (can be done with or without schema extension) ● Disable default local administrator and/or change default password - root/calvin for Dell - Printed on the server label for HP - USERID/PASSW0RD for IBM ● Configure SNMP and/or syslog to monitor who are using LOM ● Grant permissions carefully BriForum | © TechTarget 11
- 12. Out-of-band management (lights-out management) ● Use a separate management network ● Use trusted certificates ● Disable telnet (HP G8 doesn’t have it!, disabled by default on Dell/IBM) ● Disable SSH if you not use it ● Change SNMP community strings BriForum | © TechTarget 12
- 13. Out-of-band management (lights-out management) ● Regularly read security guides: - Dell - http://bit.ly/DRACSecurity - HP - http://bit.ly/ILOSecurity - IBM doesn’t have one, just manual http://bit.ly/IBMRSAGuide ● Regularly update firmware ● Review audit logs and configure alerts BriForum | © TechTarget 13
- 14. Trusted Platform Module ● Smartcard-like hardware module on the motherboard - Protects secrets - Performs cryptographic functions - Can create, store and manage keys - Performs digital signature operations - Holds Platform Measurements (hashes) ● Can be used to check platform integrity ● Can be used to store disk encryption keys BriForum | © TechTarget 14
- 15. Trusted Platform Module ● Disabled by default ● Resets automatically during the BIOS reset by switches ● Owned by OS ● Change of ownership not possible without reset ● Secure boot order in BIOS+TPM-aware OS+BIOS setup password makes hacker’s life harder BriForum | © TechTarget 15
- 16. TPM implementation scenarios BriForum | © TechTarget 16
- 17. Windows (Hyper-V) ● Windows server 2008 and above is a TPM-aware OS ● BitLocker Full-Disk Encryption protecting the OS and data ● BitLocker protects from the offline password reset (pogostik/opengate/WinRE) ● BitLocker protects OS data from offline analysis (stolen or duplicated drives) BriForum | © TechTarget 17
- 18. BitLocker™ Drive Encryption Architecture Static Root of Trust Measurement of boot components PreOS Static OS All Boot Blobs Volume Blob of Target OS unlocked unlocked TPM Init BIOS MBR BootSector BootBlock BootManager Start OS Loader OS Source: Microsoft
- 19. Windows disk encryption ● BitLocker can be managed with GPO ● Data can be recovered if needed ● BitLocker can store recovery passwords in AD (schema extension is required) - Domain admins and computer itself can read recovery passwords – permissions can be changed: http://bit.ly/BitLockerAD ● Whitepaper is available on Microsoft.com http://bit.ly/HyperVBitLocker ● Hyper-V Clusters supported, Hotfix needed: http://support.microsoft.com/kb/2446607 ● In-Guest VM encryption not supported ● Windows Server 2012 support BitLocker-encrypted CSV http://bit.ly/BitLockerCSV2012 ● HP HOWTO: http://bit.ly/HPBitLocker BriForum | © TechTarget 19
- 20. XenServer & TPM ● No official support ● Basic vTPM is in the product, but not documented yet and still not secured with physical TPM ● But XenServer is just a Linux! ● TrustedGRUB, GRUB-IMA and Open Secure LOader (OSLO) are available to secure boot process ● Disk encryption with dm-crypt with TPM is possible, but complicated. - Details in IBM Blueprint http://bit.ly/IBMTrustedGRUB BriForum | © TechTarget 20
- 21. Linux Trusted Boot Stages Operating System DB BIOS Bootloader JVM GRUB Stage2 MAC Policy ROT GRUB conf SELinux GRUB Stage1 Kernel Stage1.5 CRTM POST (MBR) TPM PCR01-07 PCR04-05 PCR08-14 Trusted Boot Source: Trent Jaeger
- 22. TrustedGRUB ● IBM BluePrint with step-by-step instructions available http://bit.ly/IBMTrustedGRUB ● GPT is not supported by TrustedGRUB, MBR is required - Modify /opt/xensource/installer/constants.py during install - step-by-step instructions from Major Hayden (@rackerhacker) on his blog http://bit.ly/XS6GPTDisable ● Sirrix AG together with German Federal Office for Information Security (BSI) tested different TPM-enabled Open source solutions, review the document before implementation - http://bit.ly/TSSStudy BriForum | © TechTarget 22
- 23. XenServer boot hardening 1. Disable boot from removable devices 2. Set BIOS setup password 3. Enable TPM 4. Disable single user mode without password - Add the following entry into /etc/inittab file: - ~~:S:wait:/sbin/sulogin 5. Install TrustedGRUB 6. Enable GRUB password 7. Configure additional checks on /etc/passwd, /etc/shadow, /boot/grub.lst and PAM configuration files 8. Enable TrustedGRUB BriForum | © TechTarget 23
- 24. VMware & Support ● VMware claims that TPM is supported (http://kb.vmware.com/kb/1033811) ● Not configurable ● Not documented ● No partner solutions that use TPM ● Disk encryption for vKernel is not supported (FAT16!!!) BriForum | © TechTarget 24
- 25. General Hypervisor security recommendations BriForum | © TechTarget 25
- 26. Platform-independent recommendations ● Don’t store VMs on the local drive, use SAN/NAS instead ● Use mutual CHAP authentication for iSCSI ● Consider using Boot from SAN with storage-based encryption and Fibre channel Security Protocol (FC-SP) enabled HBAs - short overview - http://bit.ly/FC-SPOverview - Standard http://bit.ly/FC-SPStandard - HBAs available from all major vendors (Emulex, Qlogic, Cisco, Brocade, Hitachi) ● Use fixed virtual disk size to avoid unexpected VMs pause BriForum | © TechTarget 26
- 27. Platform-independent recommendations ● Separate management network ● Optionally implement IPSEC on the management network - VMware - http://bit.ly/VMwareIPsec ● Change default MAC addresses to avoid use of MAC address DB by attacker: - http://www.coffer.com/mac_find - 00-15-5D – Hyper-V - 00-50-56 – VMWare BriForum | © TechTarget 27
- 28. Platform-independent recommendations ● vCenter/SCVMM should be secured better than your DC ● Configure monitoring and auditing ● Use Active Directory for authentication ● Disable/lock local users and/or configure Password policy ● Do not use management console as a RDP replacement BriForum | © TechTarget http://bit.ly/SecureIT | @fdwl 28
- 29. XenServer hardening ● Review XenServer User Security guide http://bit.ly/XSSecurity ● Review XenServer Hardening guide (released by Positive Technologies) - http://bit.ly/XSHardening ● Configure AD authentication ● Disable SSH if you not using it ● Install server certificates http://bit.ly/XSCertificates ● Disable unencrypted XAPI access ● Disable autologon to the console from XenCenter ● Avoid using pool-admin privilege, any pool admin can change root password with xe user-password-change BriForum | © TechTarget 29
- 30. XenServer hardening ● All passwords stored on XenServer are insecure - Use dedicated user for CIFS iso repositories, limit computers where this user can logon, because passwords can be retrieved even by read-only user (xe pbd-list) - Use dedicated users for power management (any pool operator can retrieve them with xe secret-list) ● Be careful with RBAC, lot of “security” implemented in XenCenter only, XAPI and xe.exe gives a lot of information even for read-only user ● Be careful with XenServer monitoring, if vendor ask more permissions than read-only user – change your vendor ● Avoid saving passwords in XenCenter (more information later) BriForum | © TechTarget 30
- 31. VMware hardening ● Check VMware vSphere hardening guide http://bit.ly/vSphereHardening ● Install trusted Certificates ● vCenter – remove local admins ● vCenter – check permissions on vCenter folders, certificates are stored there ● Use remote management instead of console installed on vCenter ● Change SQL account permissions after installation http://bit.ly/VMwareSQL ● Disable SSH if nobody use it BriForum | © TechTarget 31
- 32. VMware hardening ● Be careful with monitoring agents permissions ● Use partner solutions for hardening and compliance management: - vGate from Security Code (http://vgate.info/en/) - HyTrust virtual Appliance (http://www.hytrust.com) BriForum | © TechTarget 32
- 33. Hyper-V/VMM hardening ● Use server core installation ● Remove local administrators from VMM ● Use remote management instead of console installed on SCVMM ● Implement BitLocker ● Secure “HKLMSOFTWAREMicrosoftVirtual Machine” on guests ● Change permissions on VHD store ● Read Hyper-V security guide http://bit.ly/HyperVHardening ● Download and use Microsoft Security Compliance Manager http://bit.ly/MS-SCM BriForum | © TechTarget 33
- 34. VDI security BriForum | © TechTarget 34
- 35. VDI security best practices ● In most cases – same best practices apply to XenDesktop/View/RDS/vWorkspace ● Use GPO to manage VDI ● Create separate OUs for different desktop groups ● Don’t disable firewall, configure rules instead - http://bit.ly/WindowsFirewall ● Monitor Logs ● Remove Domain Users from Terminal Server Users/Users groups, use dedicated groups, configure them using GPO BriForum | © TechTarget 35
- 36. VDI security best practices ● Use AppLocker/SRP/other application control tools to audit application usage ● Don’t forget about scripting environments: - Visual Basic for applications - Browsers - HTML Applications ● Even with AppLocker/AppSense/RES there is a ways to execute any application - XLSploit from Remko Weijnen (@RemkoWeijnen) - http://bit.ly/XLSploit - Application control processes can be suspended/killed from task manager BriForum | © TechTarget http://bit.ly/SecureIT | @fdwl 36
- 37. Windows Installer BriForum | © TechTarget http://bit.ly/SecureIT | @fdwl 37
- 38. Windows Installer ● Be careful with Windows Installer, ANY user can restart server ● Configure MSI logging with GPO, collect MSI logs and analyze them ● “AlwaysInstallElevated” is Equivalent to Granting Administrative Rights - http://bit.ly/AlwaysInstallElevated ● Enforce *.MSI signing ● Always check permissions on a folder with the source MSI files BriForum | © TechTarget 38
- 39. Windows installer BriForum | © TechTarget http://bit.ly/SecureIT | @fdwl 39
- 40. Password security ● Almost all passwords that you enter during the setup/configuration are stored somewhere - HKLMSoftware<VendorName> - HKLMSystemCurrentControlSetServices<ServiceName> - %ProgramFiles%<VendorName> - C:ProgramData<VendorName> - %AppData%<VendorName> - *Anywhere* ● Some passwords are encrypted, some not BriForum | © TechTarget 40
- 41. DPAPI ● Data Protection API ● Introduced with Windows 2000, improved with every new version of Windows ● “Secure by Design” ● Simple API, CryptProtectData and CryptUnprotectData functions ● Recommended as a best practice BriForum | © TechTarget 41
- 42. DPAPI ● Widely used: - EFS, Internet Explorer, Outlook, IIS, RMS, WiFi passwords, CredManager - Skype, Gtalk, Chrome - XenApp, AppSense, XenCenter, Acronis, vSphere ● Can be “Salted”, not everyone use “salt” ● Data can be encrypted with user or system keys - Data encrypted with user keys can be decrypted only by user - Data encrypted with system keys can be decrypted by *ANY* user BriForum | © TechTarget 42
- 43. DPAPI ● Tools from Remko Weijnen (@RemkoWeijnen): - IMA Password decoder - http://bit.ly/IMAPassword - RDP Password decoder - http://bit.ly/RDPPassword ● Universal password decoder from me Add-Type -AssemblyName System.Security [system.text.encoding]::Unicode.Getstring([System.Security.Cryptography.ProtectedData]::Unprotect([s ystem.convert]::FromBase64String("Base64EncodedString"),[system.text.encoding]::Unicode.GetBytes ("MagicWord:)"),'LocalMachine')) - Tested with XenCenter, XenApp, AppSense ● 01,00,00,00,D0,8C,9D,DF,01,15,D1,11,8C,7A,00,C0 BriForum | © TechTarget 43
- 44. Other ways to “decrypt” passwords BriForum | © TechTarget http://bit.ly/SecureIT | @fdwl 44
- 45. Password Security ● Datastore access from the user-accessible desktop - In perfect situation there is no direct DB access from the desktop - Even encrypted password should be secured by ACL - Should have read-only permissions ● Good examples: - Citrix IMA password – Secured by the ACL in the registry - XenCenter passwords – stored in the user profile BriForum | © TechTarget 45
- 46. Database security ● Most of the software checking permissions on the application level, not on the database level ● Direct access to the database can help to elevate permissions within the application ● All tools to access the database is already on the desktop: - Microsoft Office - .NET framework - PowerShell - Scripting environment BriForum | © TechTarget http://bit.ly/SecureIT | @fdwl 46
- 47. SlimJim for XenApp 6.5 1. delete indextable FROM KEYTABLE INNER JOIN INDEXTABLE ON KEYTABLE.nodeid = INDEXTABLE.nodeid WHERE (KEYTABLE.parentid = 42) 2. go 3. delete KEYTABLE from KEYTABLE where parentid=42 4. go ● Where this “42” is coming from? - DSView from supportdebug folder on XenApp CD - Directory->ServerNeighborhoods-><FarmName>->AdminTool->Users cid BriForum | © TechTarget 47
- 48. SlimJim for XenApp 6.5 BriForum | © TechTarget 48
- 49. Provisioning Services 1. INSERT INTO [AuthGroup] 2. ([authGroupId] 3. ,[authGroupName] 4. ,[authGroupGuidName] 5. ,[description]) 6. VALUES (‘UNIQUE00-GUID-4D0D-B834-15EA4A9F41EA' 7. ,N‘DOMAIN.FQDN.COM/Users/Domain Users' 8. ,N'de56c6b1-06ef-4ed6-85b8-a130f036d075' 9. ,'') 10. GO 11. INSERT INTO [AuthGroupFarm] 12. ([authGroupId]) 13. VALUES ('UNIQUE00-GUID-4D0D-B834-15EA4A9F41EA') 14. GO ● de56c6b1-06ef-4ed6-85b8-a130f036d075 – GUID from adsiedit BriForum | © TechTarget 49
- 50. SQL ● SQL servers should be secured even they are “not hosting important company data” - Access to XA datastore=XA Admin rights - Access to Provisioning Server DB=Assigning of custom image - Access to VMM/vCenter DB= IDDQD - Access to AppSense/RES/VUEM DB=Ability to bypass SRP and execute processes under another user ● Use Microsoft Security Compliance Manager http://bit.ly/MS-SCM ● Read SQL Security Best Practices from Microsoft - http://bit.ly/SQLSecurity BriForum | © TechTarget http://bit.ly/SecureIT | @fdwl 50
- 51. Questions? ● http://bit.ly/SecureIT ● denisg@entisys.com ●@fdwl BriForum | © TechTarget http://bit.ly/SecureIT | @fdwl 51