SlideShare uma empresa Scribd logo
1 de 22
Baixar para ler offline
Securing the Microsoft Windows
Platform on Amazon Web Services

Ryan Holland
Ecosystem Solutions Architect
© 2011 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified or distributed in whole or in part without the express consent of Amazon.com, Inc.
Shared Responsibility Model For
Infrastructure Services

© 2011 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified or distributed in whole or in part without the express consent of Amazon.com, Inc.
Shared Responsibility Model For
Infrastructure Services

AWS
•
•
•
•
•

Facilities
Physical Security
Physical Infrastructure
Network Infrastructure
Virtualization
Infrastructure

Customer
•
•
•
•
•
•

Operating System
Application
Security Groups
Network ACLs
Network Configuration
Account Management

© 2011 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified or distributed in whole or in part without the express consent of Amazon.com, Inc.
Risk Assessment
Its important to understand how your application works
• What are the network ingress/egress points.
• What parts of the application need to communicate with the other
tiers.

Who needs administrative access and from where?
• Consider both application access as well as infrastructure.

Perform data classification
• Define storage and access policies based on classification.

© 2011 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified or distributed in whole or in part without the express consent of Amazon.com, Inc.
Amazon Virtual Private Cloud (VPC)
Create a logically isolated environment in Amazon’s highly scalable infrastructure
Specify your private IP address range into one or more public or private subnets
Control inbound and outbound access to and from individual subnets using stateless
Network Access Control Lists
Protect your Instances with stateful filters for inbound and outbound traffic using
Security Groups
Attach an Elastic IP address to any instance in your VPC so it can be reached
directly from the Internet
Bridge your VPC and your onsite IT infrastructure with an industry standard encrypted
VPN connection and/or AWS Direct Connect

© 2011 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified or distributed in whole or in part without the express consent of Amazon.com, Inc.
Amazon Virtual Private Cloud (VPC)
Choose the connectivity option that best fits your application.
•
•
•
•

Internet facing applications
VPN Connection to on-premise datacenter
Direct Connect
Software VPN

Leverage subnets and Network ACLs
• Design your network similar to on-premise deployments

Properly configure security groups
Leverage Active Directory within your VPC
© 2011 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified or distributed in whole or in part without the express consent of Amazon.com, Inc.
VPC Subnets
Group instances by
function.
Create isolation
through use of
Network ACLs.
Control routing for
each subnet

© 2011 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified or distributed in whole or in part without the express consent of Amazon.com, Inc.
Security Groups
Mandatory instance firewall.
In VPC security groups are stateful and allow for both
ingress and egress filtering.
Enforcement takes place below hypervisor
Security groups can be used as a source in rules.
Need to ensure proper ports are open for Windows
Active Directory

© 2011 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified or distributed in whole or in part without the express consent of Amazon.com, Inc.
Security Groups Provide Instance Isolation
Customer 1

Customer 2

…

Customer n

Hypervisor
Virtual Interfaces
Customer 1
Security Groups

Customer 2
Security Groups

Firewall

…

Customer n
Security Groups

Physical Interfaces

© 2011 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified or distributed in whole or in part without the express consent of Amazon.com, Inc.
Remote Desktop Best Practices
The RDP Port (TCP/3389) should never be open to the
internet.
Within a VPC use a RDP Gateway
• Instances should only accept RDP connections from the RDP
gateway.
• RDP Gateway should only accept connections from known IPs.

Use software VPN solutions for deployments without VPC
VPN connections or where source IPs will be dynamic.
Walkthrough of implanting an RDP Gateway in VPC can be
found on the AWS Security Blog:
http://tinyurl.com/AWSRDPGW
© 2011 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified or distributed in whole or in part without the express consent of Amazon.com, Inc.
Example RDP Gateway Setup
RD Gateway only
accepts traffic from
specified internal
network.
All other instances only
accept RDP traffic from
RD Gateway
Prevents Bypass Attacks
Use resource
authorization policies
(RAP) to control access
to specific instances.

© 2011 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified or distributed in whole or in part without the express consent of Amazon.com, Inc.
RDP Gateway With High Availability
Deploy RDP Gateways into
multiple availability zones
Note security group names
are the same in each AZ.
Use the RDP GW in the
same AZ to reduce inter-AZ
charges and latency.

© 2011 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified or distributed in whole or in part without the express consent of Amazon.com, Inc.
Obtaining Updates
Applying updates to your OS and applications is a critical part
of the customers responsibility.
Within VPC there are several methods of obtaining updates:
•
•
•
•

Directly from Microsoft via Internet Gateway
Directly from Microsoft via Direct Connect or VPN
WSUS Server on premise
WSUS Server in VPC

Periodically update your base AMIs to minimize the number of
updates new instances will require.
© 2011 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified or distributed in whole or in part without the express consent of Amazon.com, Inc.
Using WSUS In VPC
Deploy a WSUS in
each AZ
Use NAT instance for
internet access or
VPN link to onpremise
infrastructure.
Use SSL for update
traffic (TCP/8531)
© 2011 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified or distributed in whole or in part without the express consent of Amazon.com, Inc.
Using Active Directory
Must use a VPN and VPC to connect your VPC to your onpremise infrastructure.
Recommended that you replicate AD into VPC rather that
connect back.
Recommended that the AD servers be in each AZ you have
resources deployed.
AD servers should have their own Security Group with the
necessary rules to accept traffic from other instances.
Leverage Reserved Instances for your Active Directory
instances.
© 2011 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified or distributed in whole or in part without the express consent of Amazon.com, Inc.
Active Directory Example
For added security
you can deploy Read
Only Domain
Controllers (RODC) in
Windows 2008 and
later.
Change VPC DHCP
Options to use your
AD servers for DNS.
© 2011 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified or distributed in whole or in part without the express consent of Amazon.com, Inc.
Identity And Access Management (IAM)
Enables a customer to create multiple users and manage the
permissions for each of these users.
•

Use resource level permissions to provide users least required privilege for API
actions.

Secure by default; new users have no access to AWS until permissions
are explicitly granted.
Recommended that all administration be done with IAM user
credentials.
•

Applications that access our API should use IAM Roles for EC2 Instances.

IAM is for access to the AWS console and APIs not for applications or
the operating system.
Identities can be federated with Active Directory
•

New IAM SAML support allows ADFS to be a SAML identity provider

© 2011 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified or distributed in whole or in part without the express consent of Amazon.com, Inc.
Multi-Factor Authentication (MFA)
Extra level of security
Works with
• AWS root account
• IAM users

xxxxxxxxxxxxxxxxxxxxxxxxxxx

Multiple form factors
• Virtual MFA on your phone
• Hardware MFA key fobs

No additional cost!
•

Except for the hardware option

© 2011 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified or distributed in whole or in part without the express consent of Amazon.com, Inc.
Password Policy Management
Admins define password policies

Users are then forced to comply with
policies at next login

© 2011 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified or distributed in whole or in part without the express consent of Amazon.com, Inc.
Perimeter Threat Protection
Place threat
protection product
between ELBs and
web servers.
Check the AWS
Marketplace for WAF
and perimeter
networking products

Public
Subnet

10.0.9.0/24

Private
Subnet

Private
Sutbnet

10.0.4.0/24

10.0.3.0/24

Threat Tier

Threat Tier

Users
Interne
t
Gatew
ay

Web Tier
Availability Zone 1

Web Tier

10.0.10.0/24 10.0.8.0/24

Public
Subnet

Private
Subnet

10.0.7.0/24

Private
Subnet

Availability Zone 2

AWS Region
© 2011 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified or distributed in whole or in part without the express consent of Amazon.com, Inc.
Anti-Virus and Vulnerability Testing
Recommended you run up-to-date anti-virus software.
•
•

Our partner ecosystem has several vendors which have optimized their AV
software for AWS.
You can find many of these in the AWS Marketplace:
http://aws.amazon.com/marketplace

Use AMIs to quickly replace instances that you suspect are infected.
•

Suspect instances can be isolated and allow an investigation to take place while
new uninfected instances are created.

Vulnerability testing is a good security practice but must be done in
accordance with the EC2 terms of service.
•

http://aws.amazon.com/security/penetration-testing/

Customers with Business or higher support plans can use the AWS
Trusted Advisor
•

http://aws.amazon.com/premiumsupport/trustedadvisor/

© 2011 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified or distributed in whole or in part without the express consent of Amazon.com, Inc.
Additional Information
AWS Security Center: http://aws.amazon.com/security

AWS Whitepapers: http://aws.amazon.com/whitepapers
•
•
•
•

AWS Overview of Security Processes
AWS Risk and Compliance Whitepaper
AWS Security Best Practices
Secure Microsoft Applications on AWS

© 2011 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified or distributed in whole or in part without the express consent of Amazon.com, Inc.

Mais conteúdo relacionado

Mais de Amazon Web Services

Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Amazon Web Services
 
Esegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateEsegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateAmazon Web Services
 
Costruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSCostruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSAmazon Web Services
 
Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Amazon Web Services
 
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Amazon Web Services
 
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...Amazon Web Services
 
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsMicrosoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsAmazon Web Services
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareAmazon Web Services
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSAmazon Web Services
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAmazon Web Services
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareAmazon Web Services
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWSAmazon Web Services
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckAmazon Web Services
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without serversAmazon Web Services
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...Amazon Web Services
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceAmazon Web Services
 
Come costruire un'architettura Serverless nel Cloud AWS
Come costruire un'architettura Serverless nel Cloud AWSCome costruire un'architettura Serverless nel Cloud AWS
Come costruire un'architettura Serverless nel Cloud AWSAmazon Web Services
 

Mais de Amazon Web Services (20)

Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
 
Esegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateEsegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS Fargate
 
Costruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSCostruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWS
 
Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot
 
Open banking as a service
Open banking as a serviceOpen banking as a service
Open banking as a service
 
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
 
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
 
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsMicrosoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
 
Computer Vision con AWS
Computer Vision con AWSComputer Vision con AWS
Computer Vision con AWS
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatare
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e web
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWS
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch Deck
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without servers
 
Fundraising Essentials
Fundraising EssentialsFundraising Essentials
Fundraising Essentials
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container Service
 
Come costruire un'architettura Serverless nel Cloud AWS
Come costruire un'architettura Serverless nel Cloud AWSCome costruire un'architettura Serverless nel Cloud AWS
Come costruire un'architettura Serverless nel Cloud AWS
 

Último

9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding TeamAdam Moalla
 
Do we need a new standard for visualizing the invisible?
Do we need a new standard for visualizing the invisible?Do we need a new standard for visualizing the invisible?
Do we need a new standard for visualizing the invisible?SANGHEE SHIN
 
Videogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfVideogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfinfogdgmi
 
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfIaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfDaniel Santiago Silva Capera
 
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAAnypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAshyamraj55
 
UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8DianaGray10
 
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfUiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfDianaGray10
 
Cloud Revolution: Exploring the New Wave of Serverless Spatial Data
Cloud Revolution: Exploring the New Wave of Serverless Spatial DataCloud Revolution: Exploring the New Wave of Serverless Spatial Data
Cloud Revolution: Exploring the New Wave of Serverless Spatial DataSafe Software
 
Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Commit University
 
Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024D Cloud Solutions
 
NIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopNIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopBachir Benyammi
 
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...Aggregage
 
Cybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxCybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxGDSC PJATK
 
Babel Compiler - Transforming JavaScript for All Browsers.pptx
Babel Compiler - Transforming JavaScript for All Browsers.pptxBabel Compiler - Transforming JavaScript for All Browsers.pptx
Babel Compiler - Transforming JavaScript for All Browsers.pptxYounusS2
 
Things you didn't know you can use in your Salesforce
Things you didn't know you can use in your SalesforceThings you didn't know you can use in your Salesforce
Things you didn't know you can use in your SalesforceMartin Humpolec
 
Comparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioComparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioChristian Posta
 
GenAI and AI GCC State of AI_Object Automation Inc
GenAI and AI GCC State of AI_Object Automation IncGenAI and AI GCC State of AI_Object Automation Inc
GenAI and AI GCC State of AI_Object Automation IncObject Automation
 
OpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureOpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureEric D. Schabell
 
Computer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsComputer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsSeth Reyes
 
Introduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxIntroduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxMatsuo Lab
 

Último (20)

9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team
 
Do we need a new standard for visualizing the invisible?
Do we need a new standard for visualizing the invisible?Do we need a new standard for visualizing the invisible?
Do we need a new standard for visualizing the invisible?
 
Videogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfVideogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdf
 
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfIaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
 
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAAnypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
 
UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8
 
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfUiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
 
Cloud Revolution: Exploring the New Wave of Serverless Spatial Data
Cloud Revolution: Exploring the New Wave of Serverless Spatial DataCloud Revolution: Exploring the New Wave of Serverless Spatial Data
Cloud Revolution: Exploring the New Wave of Serverless Spatial Data
 
Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)
 
Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024
 
NIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopNIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 Workshop
 
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
 
Cybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxCybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptx
 
Babel Compiler - Transforming JavaScript for All Browsers.pptx
Babel Compiler - Transforming JavaScript for All Browsers.pptxBabel Compiler - Transforming JavaScript for All Browsers.pptx
Babel Compiler - Transforming JavaScript for All Browsers.pptx
 
Things you didn't know you can use in your Salesforce
Things you didn't know you can use in your SalesforceThings you didn't know you can use in your Salesforce
Things you didn't know you can use in your Salesforce
 
Comparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioComparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and Istio
 
GenAI and AI GCC State of AI_Object Automation Inc
GenAI and AI GCC State of AI_Object Automation IncGenAI and AI GCC State of AI_Object Automation Inc
GenAI and AI GCC State of AI_Object Automation Inc
 
OpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureOpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability Adventure
 
Computer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsComputer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and Hazards
 
Introduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxIntroduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptx
 

AWS Webcast - Securing the Microsoft Windows Platform on Amazon Web Services

  • 1. Securing the Microsoft Windows Platform on Amazon Web Services Ryan Holland Ecosystem Solutions Architect © 2011 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified or distributed in whole or in part without the express consent of Amazon.com, Inc.
  • 2. Shared Responsibility Model For Infrastructure Services © 2011 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified or distributed in whole or in part without the express consent of Amazon.com, Inc.
  • 3. Shared Responsibility Model For Infrastructure Services AWS • • • • • Facilities Physical Security Physical Infrastructure Network Infrastructure Virtualization Infrastructure Customer • • • • • • Operating System Application Security Groups Network ACLs Network Configuration Account Management © 2011 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified or distributed in whole or in part without the express consent of Amazon.com, Inc.
  • 4. Risk Assessment Its important to understand how your application works • What are the network ingress/egress points. • What parts of the application need to communicate with the other tiers. Who needs administrative access and from where? • Consider both application access as well as infrastructure. Perform data classification • Define storage and access policies based on classification. © 2011 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified or distributed in whole or in part without the express consent of Amazon.com, Inc.
  • 5. Amazon Virtual Private Cloud (VPC) Create a logically isolated environment in Amazon’s highly scalable infrastructure Specify your private IP address range into one or more public or private subnets Control inbound and outbound access to and from individual subnets using stateless Network Access Control Lists Protect your Instances with stateful filters for inbound and outbound traffic using Security Groups Attach an Elastic IP address to any instance in your VPC so it can be reached directly from the Internet Bridge your VPC and your onsite IT infrastructure with an industry standard encrypted VPN connection and/or AWS Direct Connect © 2011 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified or distributed in whole or in part without the express consent of Amazon.com, Inc.
  • 6. Amazon Virtual Private Cloud (VPC) Choose the connectivity option that best fits your application. • • • • Internet facing applications VPN Connection to on-premise datacenter Direct Connect Software VPN Leverage subnets and Network ACLs • Design your network similar to on-premise deployments Properly configure security groups Leverage Active Directory within your VPC © 2011 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified or distributed in whole or in part without the express consent of Amazon.com, Inc.
  • 7. VPC Subnets Group instances by function. Create isolation through use of Network ACLs. Control routing for each subnet © 2011 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified or distributed in whole or in part without the express consent of Amazon.com, Inc.
  • 8. Security Groups Mandatory instance firewall. In VPC security groups are stateful and allow for both ingress and egress filtering. Enforcement takes place below hypervisor Security groups can be used as a source in rules. Need to ensure proper ports are open for Windows Active Directory © 2011 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified or distributed in whole or in part without the express consent of Amazon.com, Inc.
  • 9. Security Groups Provide Instance Isolation Customer 1 Customer 2 … Customer n Hypervisor Virtual Interfaces Customer 1 Security Groups Customer 2 Security Groups Firewall … Customer n Security Groups Physical Interfaces © 2011 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified or distributed in whole or in part without the express consent of Amazon.com, Inc.
  • 10. Remote Desktop Best Practices The RDP Port (TCP/3389) should never be open to the internet. Within a VPC use a RDP Gateway • Instances should only accept RDP connections from the RDP gateway. • RDP Gateway should only accept connections from known IPs. Use software VPN solutions for deployments without VPC VPN connections or where source IPs will be dynamic. Walkthrough of implanting an RDP Gateway in VPC can be found on the AWS Security Blog: http://tinyurl.com/AWSRDPGW © 2011 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified or distributed in whole or in part without the express consent of Amazon.com, Inc.
  • 11. Example RDP Gateway Setup RD Gateway only accepts traffic from specified internal network. All other instances only accept RDP traffic from RD Gateway Prevents Bypass Attacks Use resource authorization policies (RAP) to control access to specific instances. © 2011 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified or distributed in whole or in part without the express consent of Amazon.com, Inc.
  • 12. RDP Gateway With High Availability Deploy RDP Gateways into multiple availability zones Note security group names are the same in each AZ. Use the RDP GW in the same AZ to reduce inter-AZ charges and latency. © 2011 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified or distributed in whole or in part without the express consent of Amazon.com, Inc.
  • 13. Obtaining Updates Applying updates to your OS and applications is a critical part of the customers responsibility. Within VPC there are several methods of obtaining updates: • • • • Directly from Microsoft via Internet Gateway Directly from Microsoft via Direct Connect or VPN WSUS Server on premise WSUS Server in VPC Periodically update your base AMIs to minimize the number of updates new instances will require. © 2011 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified or distributed in whole or in part without the express consent of Amazon.com, Inc.
  • 14. Using WSUS In VPC Deploy a WSUS in each AZ Use NAT instance for internet access or VPN link to onpremise infrastructure. Use SSL for update traffic (TCP/8531) © 2011 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified or distributed in whole or in part without the express consent of Amazon.com, Inc.
  • 15. Using Active Directory Must use a VPN and VPC to connect your VPC to your onpremise infrastructure. Recommended that you replicate AD into VPC rather that connect back. Recommended that the AD servers be in each AZ you have resources deployed. AD servers should have their own Security Group with the necessary rules to accept traffic from other instances. Leverage Reserved Instances for your Active Directory instances. © 2011 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified or distributed in whole or in part without the express consent of Amazon.com, Inc.
  • 16. Active Directory Example For added security you can deploy Read Only Domain Controllers (RODC) in Windows 2008 and later. Change VPC DHCP Options to use your AD servers for DNS. © 2011 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified or distributed in whole or in part without the express consent of Amazon.com, Inc.
  • 17. Identity And Access Management (IAM) Enables a customer to create multiple users and manage the permissions for each of these users. • Use resource level permissions to provide users least required privilege for API actions. Secure by default; new users have no access to AWS until permissions are explicitly granted. Recommended that all administration be done with IAM user credentials. • Applications that access our API should use IAM Roles for EC2 Instances. IAM is for access to the AWS console and APIs not for applications or the operating system. Identities can be federated with Active Directory • New IAM SAML support allows ADFS to be a SAML identity provider © 2011 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified or distributed in whole or in part without the express consent of Amazon.com, Inc.
  • 18. Multi-Factor Authentication (MFA) Extra level of security Works with • AWS root account • IAM users xxxxxxxxxxxxxxxxxxxxxxxxxxx Multiple form factors • Virtual MFA on your phone • Hardware MFA key fobs No additional cost! • Except for the hardware option © 2011 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified or distributed in whole or in part without the express consent of Amazon.com, Inc.
  • 19. Password Policy Management Admins define password policies Users are then forced to comply with policies at next login © 2011 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified or distributed in whole or in part without the express consent of Amazon.com, Inc.
  • 20. Perimeter Threat Protection Place threat protection product between ELBs and web servers. Check the AWS Marketplace for WAF and perimeter networking products Public Subnet 10.0.9.0/24 Private Subnet Private Sutbnet 10.0.4.0/24 10.0.3.0/24 Threat Tier Threat Tier Users Interne t Gatew ay Web Tier Availability Zone 1 Web Tier 10.0.10.0/24 10.0.8.0/24 Public Subnet Private Subnet 10.0.7.0/24 Private Subnet Availability Zone 2 AWS Region © 2011 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified or distributed in whole or in part without the express consent of Amazon.com, Inc.
  • 21. Anti-Virus and Vulnerability Testing Recommended you run up-to-date anti-virus software. • • Our partner ecosystem has several vendors which have optimized their AV software for AWS. You can find many of these in the AWS Marketplace: http://aws.amazon.com/marketplace Use AMIs to quickly replace instances that you suspect are infected. • Suspect instances can be isolated and allow an investigation to take place while new uninfected instances are created. Vulnerability testing is a good security practice but must be done in accordance with the EC2 terms of service. • http://aws.amazon.com/security/penetration-testing/ Customers with Business or higher support plans can use the AWS Trusted Advisor • http://aws.amazon.com/premiumsupport/trustedadvisor/ © 2011 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified or distributed in whole or in part without the express consent of Amazon.com, Inc.
  • 22. Additional Information AWS Security Center: http://aws.amazon.com/security AWS Whitepapers: http://aws.amazon.com/whitepapers • • • • AWS Overview of Security Processes AWS Risk and Compliance Whitepaper AWS Security Best Practices Secure Microsoft Applications on AWS © 2011 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified or distributed in whole or in part without the express consent of Amazon.com, Inc.