Security and Authentication

Security incidents
Bigger motivations, bigger risk
Headlines shown on the slide:

- "How hackers allegedly stole unlimited amounts of cash from banks in just a few hours" (Ars Technica, 2014)
- "infects rafts of governments, industries around the world" (Ars Technica, 2014; the start of the headline was not captured)
- "The biggest cyberthreat to companies could come from the inside" (CNET, 2015)
- "economy up to $140 billion annually, report says" (start of the headline and source not captured)
- "Malware burrows deep into computer BIOS to escape AV" (The Register, September 2014)
- "Forget carjacking, soon it will be carhacking"
Built-in security

- Shielded Virtual Machines
- Credential Guard
- Just Enough Administration
- Virtualization-based Security (VBS)
- Code Integrity
- Hyper-V Containers
- Enhanced Threat Detection
- Windows Defender
Protecting credentials: Credential Guard

Credential Guard uses virtualization-based security to isolate LSA secrets (NTLM hashes, Kerberos TGTs) in a separate, hypervisor-protected process, so that even SYSTEM-level malware on the host OS cannot read them.
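Whether VBS and Credential Guard are actually running, rather than merely configured, is the first thing to verify on a host that claims this protection. The following PowerShell is an added example, not code from the slide deck; it reads the Win32_DeviceGuard WMI class that Windows 10 and Windows Server 2016 expose, and the enabling function writes the same registry values the "Turn On Virtualization Based Security" Group Policy writes.

```powershell
# Added example, not from the slide deck: report whether virtualization-based
# security (VBS), Credential Guard and hypervisor-enforced code integrity (HVCI)
# are configured and actually running, using the Win32_DeviceGuard class.
function Get-VbsStatus {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName 'Win32_DeviceGuard'

    # Codes used by Win32_DeviceGuard for the SecurityServices* properties
    $services = @{ 1 = 'Credential Guard'; 2 = 'HVCI' }
    # Codes used for RequiredSecurityProperties / AvailableSecurityProperties
    $hw = @{ 1 = 'Base virtualization support'; 2 = 'Secure Boot'; 3 = 'DMA protection';
             4 = 'Secure memory overwrite'; 5 = 'UEFI code read-only'; 6 = 'SMM mitigations' }
    $vbs = @{ 0 = 'Disabled'; 1 = 'Enabled, not running'; 2 = 'Running' }

    # Translate an array of numeric codes into a readable list
    $decode = { param($codes, $map) ($codes | ForEach-Object { $map[[int]$_] }) -join ', ' }

    [pscustomobject]@{
        VbsStatus          = $vbs[[int]$dg.VirtualizationBasedSecurityStatus]
        ServicesConfigured = & $decode $dg.SecurityServicesConfigured $services
        ServicesRunning    = & $decode $dg.SecurityServicesRunning    $services
        HardwareRequired   = & $decode $dg.RequiredSecurityProperties  $hw
        HardwareAvailable  = & $decode $dg.AvailableSecurityProperties $hw
        # Credential Guard keeps LSA secrets in the isolated LsaIso.exe process;
        # its presence is the quickest sanity check that the service is live.
        LsaIsoRunning      = [bool](Get-Process -Name 'LsaIso' -ErrorAction SilentlyContinue)
    }
}

# Enable VBS plus Credential Guard through the registry; a reboot is required.
function Enable-CredentialGuard {
    param([switch]$WithUefiLock)   # UEFI lock: cannot be switched off remotely, needs physical presence
    $dgKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
    $lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    New-Item -Path $dgKey -Force | Out-Null
    Set-ItemProperty -Path $dgKey -Name 'EnableVirtualizationBasedSecurity' -Value 1 -Type DWord
    # 1 = require Secure Boot, 3 = require Secure Boot and DMA protection
    Set-ItemProperty -Path $dgKey -Name 'RequirePlatformSecurityFeatures' -Value 1 -Type DWord
    # LsaCfgFlags: 1 = Credential Guard with UEFI lock, 2 = without lock
    Set-ItemProperty -Path $lsaKey -Name 'LsaCfgFlags' -Value $(if ($WithUefiLock) { 1 } else { 2 }) -Type DWord
}

Get-VbsStatus | Format-List
```

A host where ServicesConfigured lists Credential Guard but ServicesRunning does not is the usual failure mode: the policy is set, but a hardware requirement in HardwareRequired (typically Secure Boot or DMA protection) is missing from HardwareAvailable, so VBS never started.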
Just Enough Administration: limits administrative privileges to the bare-minimum required set of actions (limited in space).
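What "limited in space" means in practice is a PowerShell endpoint that exposes only the handful of commands an operator's role needs and runs them under a throw-away virtual account. The script below is an added example, not from the slide deck; the group name CONTOSO\ServiceOperators, the module name ServiceOps and the transcript folder are hypothetical.

```powershell
# Added example, not from the slide deck: a JEA endpoint that lets members of
# CONTOSO\ServiceOperators restart two named services and nothing else.
$moduleName = 'ServiceOps'
$modulePath = Join-Path $env:ProgramFiles "WindowsPowerShell\Modules\$moduleName"
$rcDir      = Join-Path $modulePath 'RoleCapabilities'   # JEA looks for .psrc files here
New-Item -ItemType Directory -Path $rcDir -Force | Out-Null
New-ModuleManifest -Path (Join-Path $modulePath "$moduleName.psd1")

# Role capability: Restart-Service is visible, but -Name is pinned to a fixed set,
# so the operator cannot restart arbitrary services. Get-Service is read-only.
New-PSRoleCapabilityFile -Path (Join-Path $rcDir 'ServiceOperator.psrc') `
    -VisibleCmdlets @(
        @{ Name = 'Restart-Service'; Parameters = @{ Name = 'Name'; ValidateSet = 'Spooler', 'W32Time' } },
        'Get-Service'
    ) `
    -FunctionDefinitions @{
        # A custom function is exposed instead of Get-PSDrive itself, so only this
        # pre-shaped view of the disk is available.
        Name = 'Get-DiskFreeSpace'
        ScriptBlock = { Get-PSDrive -PSProvider FileSystem | Select-Object Name, Used, Free }
    }

# Session configuration: RestrictedRemoteServer removes everything not listed in
# a role capability; the virtual account means no standing admin credential
# exists for an attacker to steal; transcripts record every command for audit.
$transcripts = 'C:\JEATranscripts'
New-Item -ItemType Directory -Path $transcripts -Force | Out-Null
$pssc = Join-Path $modulePath 'ServiceOps.pssc'
New-PSSessionConfigurationFile -Path $pssc `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory $transcripts `
    -RoleDefinitions @{ 'CONTOSO\ServiceOperators' = @{ RoleCapabilities = 'ServiceOperator' } }

if (-not (Test-PSSessionConfigurationFile -Path $pssc)) { throw "Invalid session configuration: $pssc" }
Register-PSSessionConfiguration -Name 'ServiceOps' -Path $pssc -Force

# Operator side (run on a workstation, not as an administrator of the server):
#   Enter-PSSession -ComputerName srv01 -ConfigurationName ServiceOps
#   Restart-Service -Name Spooler        # allowed
#   Restart-Service -Name LanmanServer   # rejected by the ValidateSet
```

Inside the session the operator is a local administrator (the virtual account), which is why the role capability, not the account, is the security boundary: every visible command must be checked for ways to break out, for example a function that takes a script block or a cmdlet with an unconstrained -FilePath parameter.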
Just in Time Administration: provides privileged access that is limited in time.
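The time limit can be enforced by the directory itself: Windows Server 2016 forests with the Privileged Access Management optional feature enabled accept group memberships that carry a time-to-live, after which the domain controller removes the member on its own. The script is an added example, not from the slide deck; the forest name contoso.com, the user mary and the use of Domain Admins as the target group are hypothetical.

```powershell
# Added example, not from the slide deck: time-limited privileged group membership
# using the Privileged Access Management optional feature (Windows Server 2016 forest).
Import-Module ActiveDirectory
$forest = 'contoso.com'   # hypothetical forest name

# One-time and irreversible: enable the PAM feature at the forest level.
$feature = Get-ADOptionalFeature -Filter "Name -eq 'Privileged Access Management Feature'"
if (-not $feature.EnabledScopes) {
    Enable-ADOptionalFeature -Identity $feature -Scope ForestOrConfigurationSet -Target $forest -Confirm:$false
}

function Grant-TemporaryGroupMembership {
    param(
        [Parameter(Mandatory)][string]$Group,
        [Parameter(Mandatory)][string]$User,
        [int]$Minutes = 60
    )
    # The membership link carries a TTL. The DC deletes it when the TTL expires,
    # and Kerberos tickets issued meanwhile have a lifetime capped at the remaining TTL,
    # so the elevation really ends instead of lingering in cached tickets.
    Add-ADGroupMember -Identity $Group -Members $User -MemberTimeToLive (New-TimeSpan -Minutes $Minutes)
}

function Get-TemporaryMembers {
    param([Parameter(Mandatory)][string]$Group)
    # With -ShowMemberTimeToLive each expiring member is returned as "<TTL=seconds>,<DN>"
    (Get-ADGroup -Identity $Group -Properties member -ShowMemberTimeToLive).member |
        Where-Object { $_ -like '<TTL=*' }
}

Grant-TemporaryGroupMembership -Group 'Domain Admins' -User 'mary' -Minutes 60
Get-TemporaryMembers -Group 'Domain Admins'
```

The approval workflow that decides whether mary should get the hour at all is a separate concern (Microsoft Identity Manager's PAM role or a ticketing system); what this shows is the part of JIT that cannot be forgotten or skipped, because the directory enforces the expiry regardless of who ran the grant.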
Windows Defender: actively protects from known malware without impacting workloads.
Host Guardian Service: attests to host health, releasing the keys required to boot or migrate a Shielded VM only to healthy hosts.

Generation 2 VMs: support virtualized equivalents of hardware security features.
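From the Hyper-V host's side, the attestation relationship is a client configuration pointing at the HGS attestation and key-protection endpoints, and the result of the last attestation is readable locally. The snippet is an added example, not from the slide deck; the HGS host name hgs.relecloud.com is hypothetical and the HgsClient cmdlets it uses ship with the Hyper-V role on Windows Server 2016.

```powershell
# Added example, not from the slide deck: register a Hyper-V host with HGS and
# refuse to proceed unless the host is currently attested as guarded.
$hgs = 'hgs.relecloud.com'   # hypothetical HGS service name

Set-HgsClientConfiguration -AttestationServerUrl   "http://$hgs/Attestation" `
                           -KeyProtectionServerUrl "http://$hgs/KeyProtection"

function Test-GuardedHost {
    $cfg = Get-HgsClientConfiguration
    [pscustomobject]@{
        Mode              = $cfg.Mode                   # HostGuardianService, or Local (no attestation)
        IsHostGuarded     = $cfg.IsHostGuarded          # $true only after a successful attestation
        AttestationStatus = $cfg.AttestationStatus      # e.g. Passed, Failed, Expired
        Substatus         = $cfg.AttestationSubstatus   # the failing check when status is Failed
    }
}

$state = Test-GuardedHost
if ($state.Mode -ne 'HostGuardianService' -or -not $state.IsHostGuarded) {
    throw "Host is not guarded: mode=$($state.Mode) status=$($state.AttestationStatus) ($($state.Substatus))"
}
$state
```

A host in Local mode can still run "shielded" VMs that it protects with keys it generates itself; that is convenient for a lab and worthless against a fabric administrator, because the same host holds the keys. Production checks should fail on anything but HostGuardianService mode with IsHostGuarded true.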
Diagram: a physical machine in the building perimeter, and on Hyper-V in the computer room a virtual machine and a shielded virtual machine, with the administrator roles that can reach each: server administrator, storage administrator, network administrator, backup operator, virtualization-host administrator, virtual machine administrator (*configuration dependent).
Diagram: a public cloud with privileged fabric controllers and a fabric/virtualization administrator managing the Hyper-V hosts (1), and tenant virtual machines running on those hosts (2).
So what is a Shielded Virtual Machine?

The data and state of a Shielded VM are protected against inspection, theft, and tampering from both malware and datacenter administrators.
How things look today: who can read a machine's disk (.VHDX) and state

| Role                              | Physical machine (building perimeter) | Virtual machine (computer room, Hyper-V) |
|-----------------------------------|---------------------------------------|------------------------------------------|
| Server administrator              | Yes                                   | Yes                                      |
| Storage administrator             | No                                    | Yes                                      |
| Network administrator             | No                                    | Yes                                      |
| Backup operator                   | No                                    | Yes                                      |
| Virtualization-host administrator | No                                    | Yes                                      |

Step 1: Encrypt VM state and data

| Role                              | Physical machine (building perimeter) | Virtual machine (computer room, Hyper-V) | Shielded virtual machine |
|-----------------------------------|---------------------------------------|------------------------------------------|--------------------------|
| Server administrator              | Yes                                   | Yes                                      | Configuration dependent  |
| Storage administrator             | No                                    | Yes                                      | No                       |
| Network administrator             | No                                    | Yes                                      | No                       |
| Backup operator                   | No                                    | Yes                                      | No                       |
| Virtualization-host administrator | No                                    | Yes                                      | No                       |
Diagram: a cloud datacenter with several Hyper-V hosts, each running a host OS and guest VMs on the hypervisor.
Diagram (key protection): the Hyper-V host asks the Host Guardian Service "Please may I have some keys?"; the Host Guardian Service answers "Sure, sir, I know you and you look healthy" and releases the keys for the Shielded VM.
Shielded VMs

- VM disks are encrypted (e.g., BitLocker)
- VM configuration files and VM state are encrypted
- All live migration traffic is also encrypted, without having to implement IPsec
- Host crash dumps are encrypted
- VM crash dumps are turned off by default, and they'll also be encrypted if you enable them

Fabric administrators have no access to VMs

- Can't attach debuggers while they're running (enforced by the hardened Hyper-V host)
- VMs can only run on known and healthy (safe) hosts via the Host Guardian Service
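Tying the two halves together, an owner key held by the tenant and the HGS guardian that only healthy hosts can unlock, is what the key protector does. The following is an added example, not code from the slide deck: it converts an existing Generation 2 VM into a shielded VM on a host that already attests successfully. The VM name App01, the guardian names and the HGS host name are hypothetical.

```powershell
# Added example, not from the slide deck: shield an existing Generation 2 VM.
$vmName = 'App01'                 # hypothetical VM name
$hgs    = 'hgs.relecloud.com'     # hypothetical HGS service name

# Owner guardian: the tenant's own key pair. Its private key must stay off the fabric.
$owner = Get-HgsGuardian -Name 'TenantOwner' -ErrorAction SilentlyContinue
if (-not $owner) { $owner = New-HgsGuardian -Name 'TenantOwner' -GenerateCertificates }

# HGS guardian: the service's public keys, published as metadata by HGS itself.
$metadata = Join-Path $env:TEMP 'HgsGuardian.xml'
Invoke-WebRequest -Uri "http://$hgs/KeyProtection/service/metadata/2014-07/metadata.xml" -OutFile $metadata
$hgsGuardian = Get-HgsGuardian -Name 'RelecloudHGS' -ErrorAction SilentlyContinue
if (-not $hgsGuardian) {
    $hgsGuardian = Import-HgsGuardian -Path $metadata -Name 'RelecloudHGS' -AllowUntrustedRoot
}

# Key protector = owner plus guardians. Only a host that HGS attests as healthy can
# obtain the VM's keys; the fabric admin never holds them.
$kp = New-HgsKeyProtector -Owner $owner -Guardian $hgsGuardian -AllowUntrustedRoot

Stop-VM -Name $vmName -Force                       # the key protector can only be set while the VM is off
Set-VMKeyProtector -VMName $vmName -KeyProtector $kp.RawData
Enable-VMTPM -VMName $vmName                       # virtual TPM backs BitLocker inside the guest
Set-VMSecurity -VMName $vmName -EncryptStateAndVmMigrationTraffic $true
Set-VMSecurityPolicy -VMName $vmName -Shielded $true   # blocks console, debuggers and PowerShell Direct
Start-VM -Name $vmName

function Get-VMShieldingState {
    param([Parameter(Mandatory)][string]$Name)
    # All three should be True for a shielded VM.
    Get-VMSecurity -VMName $Name |
        Select-Object Shielded, TpmEnabled, EncryptStateAndVmMigrationTraffic
}
Get-VMShieldingState -Name $vmName
```

Setting the policy protects state, configuration and migration traffic; the disk itself is only protected once BitLocker is enabled inside the guest with the virtual TPM as its protector, which is why a shielded VM is normally created from a shielding data file and a signed template disk rather than converted in place like this.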
Architectures

Diagram: the hosting service provider's infrastructure (Relecloud.com) runs the Host Guardian Service, backed by an HSM, and Virtual Machine Manager Technical Preview; a trust relationship links Relecloud.com and the tenant domain Fabrikam.com; the tenant's Shielded VMs run on the provider's fabric.
Demo: Shielded Virtual Machines
Remote Desktop Services
Terms used for this space: server-based computing (SBC), hosted desktop, remote desktop, virtual workspace, digital workspace, virtual desktop, cloud computing, desktop-as-a-service, user virtualization, VDI foundation.
Diagram: Microsoft Remote Desktop Protocol connects users, apps, devices and data; the goals are to enable users, manage access and protect assets.
- Session-based desktops
- Remote applications
- Personal and pooled virtual desktops on-premises
- On-premises, cloud-based, or hosted deployments
Cost reduction: consolidate your infrastructure to improve efficiency.

Secure, extensible platform.
Session-based desktops and RemoteApp: cost-effective, easy to manage.

Virtual Desktop Infrastructure: access to pooled or personal virtual desktops running a Windows client OS; high performance, app compatibility.
On-premises or in the cloud: session-based computing in the cloud, application delivery from the cloud.

What's new: increased performance, enhanced scale, optimized for cloud, graphics improvements, connection broker with shared SQL connections.
INCREASED PERFORMANCE

RemoteFX vGPU, Windows Server 2012:
- Hyper-V integration
- DX 11.0
- DX 9 support

RemoteFX vGPU, Windows Server 2012 R2:
- DX 11.1 support
- VM connect with vGPU
- GPU management
- Up to 2560 x 1600 resolution
- Scale improvements

Windows Server 2016:
- RemoteFX vGPU: OpenGL 4.4 & OpenCL 1.1, 1 GB dedicated VRAM, up to 4K resolution, server VM support, improved performance
- DDA (Discrete Device Assignment): full API support*
ENHANCED SCALE

Optimized server VM architecture for the cloud:
- RDS 2012 R2 infrastructure: 7 role services, 8 VMs
- RDS 2016+: 4 role services, 2 VMs

Roles that can be deployed into one VM:
- RD Gateway
- RD Connection Broker
- RD Licensing
- RD Web Access
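The collapsed layout is a two-VM deployment: one VM carrying the four infrastructure roles and one session host. The script below is an added example, not from the slide deck, using the RemoteDesktop module cmdlets that ship with Windows Server; the host names rds-infra.contoso.com, rds-sh01.contoso.com and the gateway's external name rdg.contoso.com are hypothetical.

```powershell
# Added example, not from the slide deck: the Windows Server 2016 two-VM RDS layout,
# with broker, web access, gateway and licensing on one VM and a separate session host.
Import-Module RemoteDesktop
$infra = 'rds-infra.contoso.com'   # hypothetical: RD Connection Broker + Web Access + Gateway + Licensing
$sh    = 'rds-sh01.contoso.com'    # hypothetical: RD Session Host

New-RDSessionDeployment -ConnectionBroker $infra -WebAccessServer $infra -SessionHost $sh

# RD Gateway on the same VM: external RDP arrives over HTTPS on the gateway only,
# so session hosts never need to be reachable from outside the network.
Add-RDServer -Server $infra -Role RDS-GATEWAY -ConnectionBroker $infra -GatewayExternalFqdn 'rdg.contoso.com'
Add-RDServer -Server $infra -Role RDS-LICENSING -ConnectionBroker $infra
Set-RDLicenseConfiguration -LicenseServer $infra -Mode PerUser -ConnectionBroker $infra -Force

New-RDSessionCollection -CollectionName 'Desktops' -SessionHost $sh -ConnectionBroker $infra

function Get-RDRoleLayout {
    param([Parameter(Mandatory)][string]$Broker)
    # One row per server with the roles it carries; the infra VM should list four roles.
    Get-RDServer -ConnectionBroker $Broker | ForEach-Object {
        [pscustomobject]@{ Server = $_.Server; Roles = ($_.Roles -join ', ') }
    }
}
Get-RDRoleLayout -Broker $infra
```

Placing the gateway on the same VM as the broker and web access saves machines but also concentrates the internet-facing surface on the VM that holds the deployment's configuration; keep that VM patched first and restrict management access to it through the same JEA-style endpoints described earlier in this deck.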
Other improvements:
- Support for Gen 2 VMs
- End-user experience changes: pen remoting support, Windows client desktop UX improvements, new zoom functionality in MSTSC
- Personal session desktops
- Windows MultiPoint Services is now a role