6. What is New in Windows 10 for Securing Identities
7. How Microsoft Passport Works
8. Microsoft Passport Considerations
9. What Is Virtual Secure Mode
1. Configure Local User and Microsoft Accounts
2. Certificate-based Authentication
3. Where Certificates Come From
4. How Certificate-based Authentication Works
6. Configuration Stages for Windows Hello
7. Configure Virtual SmartCards
After completing this topic, you should be able to
If we spend five to ten minutes looking at today's headlines, no doubt you are going to run into a headline that says "such-and-such company: information breach." These types of security hacks are commonplace. So Windows 10 has a bunch of new security technologies that help address today's types of threats. So, in this section we are going to look at security technologies, both old and new really. We are going to talk about ways in which we can secure and harden Windows 10, and make it the most secure platform available to us. So let's look at protecting our systems from today's threats.
I think it's easy to say that this is one of the most important topics for us to be having right now. That's the question of: are you prepared for today's threats? Are you secure from today's threats? And, when we talk about today's threats, we're talking about the kinds of things that are happening in the headlines all the time. You see, the days of malicious script kiddies and the kind of pranks and the kind of hacking that was done in the past, well, those are gone. Today we're seeing some really scary types of attacks – attacks that are being engineered by other countries, attacks that are being used to target other companies, and acts of terror. And this isn't reserved to just a few individuals or a few agencies, this is actually happening across the board. And it's happening to organizations that we would just take for granted would be safe, like our government. And we're also seeing attacks happening to technical companies. Every technical company experiences some sort of hack. Retail, finance, healthcare, and even some – you know – dating sites have seen attacks with results that were very, very costly. So every industry is under a threat. And the types of attacks are rather scary and are becoming easier and easier to perform. So, because of this changing landscape, where we're in the middle of a revolution in cyber threats, it's very important that we're prepared – of course – to protect our systems. And so let's have a conversation about security in Windows 10.
[Today's threats include acts of terror and corporate espionage. The attacks target industries such as banks, software, defense, and insurance.]
Now here are some important security concepts – these are kind of like security 101. These are terms we often use to refer to ways that we can protect our systems and protect our networks from threats. So, for instance, attack surface. Attack surface refers to reducing the number of attack vectors. And that means if we've got systems with software that's unused or software that has default settings, well, let's reduce those, let's remove those, let's change those settings so that they are more secure. So reducing the attack surface has a lot to do with getting rid of waste and making configuration changes that follow best practices. Now another one that's important to consider here is vulnerabilities and exploits. In a similar sense, what we're doing is we're looking for areas of our system that are susceptible and where they can be easily taken advantage of. The best way to address those is through patches. And so, as a vulnerability is discovered, then we want to have a way and a system in place where our systems and our computers and devices get patched as quickly as possible.
Defense-in-depth is something many of you may have heard of before. It's the basic idea of providing multiple layers of protection. And then we have least privilege – another important concept – and that is we want to grant permissions at the minimal level. We want to grant enough permissions so that users and services can do what they are meant to do, but we don't want to grant too many permissions, so that those additional permissions can't be taken advantage of. Now these are some basic concepts, but it's surprising, even though they are basic ideas, how difficult it is to kind of stay on top of these, especially when we have a large population of users and computers.
Now, when we consider our Windows networks, one of the things we have to keep in mind is the different types of vulnerabilities that our network might be prone to. So, for example, if you look at this diagram right here – this picture of a typical Windows network – we've got our web servers, we've got our devices, we've got our wireless users, our branch office. When you look at this, what kind of vulnerabilities do you think might actually exist? Well, vulnerabilities can take all kinds of forms. It's not just software, but physical. Are our doors locked? Do we have a good physical security system? Are we auditing who is coming and going? What about the environment? What kind of concerns do we have in terms of, like, a natural disaster? Are we protected from fire? What about hardware, keeping our systems up to date in terms of firmware, making sure that the firmware has been patched and is up to date? Then there are other concerns regarding software. Are web servers patched to address the latest exploit? Are devices patched that are coming and going in and out of our system? Are users trained to follow best practices to avoid social engineering situations? So one of the things you want to evaluate when we're talking about security is you want to be sure you understand where you are vulnerable. And oftentimes it's not just dealing with the computers themselves, but you also have to deal with the human factor. You have to deal with the risk of social engineering and the risk of spoofing. These are all areas, all vectors, of attack.
Right now what I want to do is talk about different examples of an attack, starting with this one here – social engineering. And this is the one where it's the human factor, right. It's where somebody is coerced or persuaded to give up some information, maybe on the phone, maybe by someone pretending to be somebody that they are not. Or maybe they get an e-mail that says, "You won a million dollars, click here and download such and such," or "View this great picture," and so forth – right. So this is all about the human factor, and it's amazing. No matter how often we talk about this, this is probably one of the most successful vectors of attack. In fact, one of the more famous retail store attacks of recent years was the result of a password share so that a facility worker could do their job, but that password ended up affecting hundreds of thousands of customers. So this is a very real threat.
Another type of attack is ransomware. Ransomware is where...a good example of this is where data gets encrypted or hijacked, and then, in order to access that data again, you have to pay a fee to whoever is ransoming that information. This actually happened to a friend of mine who was working with some customers. And the customers didn't follow his best practices, and didn't apply some of his security recommendations. And their small business data was encrypted, and the only way for them to decrypt it was to actually pay some money to those who had performed this type of attack, which is rather inconvenient and of course expensive.
Then we've got infection and exploit kits. And this is where somebody visits a compromised web page. That web page has in it an exploit kit, which is primarily intended to propagate additional infections. So from one kit we've spawned additional kits, so the system isn't infected with just a single virus. Now it's infected with a virus that's actually depositing other viruses and taking advantage of additional exploits.
Then we've got infiltration. And this is actually a surprising attack vector to many people, and that is how easy and convenient it is. And literally there is a convenient aspect to this – once a system is actually infected, how short a time it takes an attacker to compromise a domain privileged account. So let me give you an example of this. You have a user whose machine is infected. They ask for help. The helpdesk person calls in. Then this infected machine silently attacks the helpdesk user and acquires the helpdesk user's credentials. So that gives them additional privileges. From there...and they have actually done some studies on this and they looked at the timeline. The time it takes, once they have the helpdesk credentials, to actually compromise something like domain admin credentials is within just two or three days. It's amazing how quickly they are actually able to leverage this type of attack to compromise the entire network. And what is also scary about this type of attack is it can go unobserved and undetected for weeks if not months, and so that means that you may be compromised and not even know about it.
So the next question is how do we protect our systems from these different types of attack? Well, we're going to need to recognize, of course, what our attacks are, what the threat landscape is all about, and the different vectors in which we might be attacked. But then we're going to apply this concept here – defense in depth. Defense in depth – as I mentioned earlier – is a basic security concept where we're actually applying multiple protections. And we're not relying on any one system, but we're relying on multiple systems together in aggregate. And this is a very simple concept in that, if you think about protecting your home, what are the ways in which you can protect your home? Well, of course, you can lock the door; you can have lights on; you might have a gate; you might be in a gated community; you might have a pet like a dog that can alert you; and if you're really concerned and you have some security threats that require it, an alarm system perhaps. So there are many things that you can do to actually protect your home, and all of those things together become a deterrent and become a way to prevent attacks. Now when it comes to software systems and computer systems and, more importantly – because it's not really the systems we care about – it's this guy right here in the middle, right. It's the data that we care about. So we really need to protect the data, so we want security systems that focus on limiting access to the data, requiring authorized access to the data – maybe multi-factor authentication for that data. We want to make sure the data is protected and backed up in the event that there is a physical disaster. So all of that together is going to be part of our security strategy. And this is called defense in depth.
Now I want to talk to you about Windows 10 security for a little bit. Windows 10 also adopts the model of defense in depth. Now one of the things I want to highlight for you in regards to Windows 10 security is that Windows 10 is the most secure operating system that Microsoft has developed to date. It just might be the most secure operating system that's out there in the market. And that's because they have made big investments to address a lot of the types of attacks that are occurring today. This means secure identities; it means information protection; and it means enhancements in terms of threat resistance. Now Windows 10 inherits from previous Windows generations a lot of security technologies; these are both old and improved technologies. This includes things like User Account Control, which is an important part of Windows 10 security because it prevents software and malicious users from taking advantage of administrative credentials. But we have other technologies as well that can protect data, like RMS. RMS is a huge investment area. If you're not familiar with RMS, it works like this: when you protect files with permissions – like on an NTFS drive – those files are guarded, but only as long as they stay at rest on that actual drive. The minute they get attached to an e-mail or they get moved to a USB stick, then we're at risk, right, because the permissions won't follow them. RMS provides protection no matter where that file goes. And we will see here in a moment that Windows 10 has continued and invested in this area in a big way. Then we have device encryption; we have the ability to restrict what applications can run; and we have built-in antimalware. Now these are technologies that have continued to improve and that Windows 10 also possesses, but there is more.
[Heading: Inherited or Improved Security Technologies. Windows 10 secures identities with technologies such as virtual smart cards and key attestation. Windows 10 protects information with the help of NTFS, EFS, and so on. Secure Boot, AppLocker, and Windows Defender provide threat resistance.]
Windows 10 also takes advantage of new technologies, architectural changes, and improvements even in the application model. So, for instance, one of the things that's a big deal is the fact that you can actually protect Windows 10 from a lot of common password-stealing or credential-stealing types of attacks. It's because those credentials can be isolated and locked down in new ways with the help of TPM and UEFI and technology like Microsoft Passport. Then there are improvements in terms of biometrics; improvements in terms of RMS and protecting data and preventing data from accidentally being leaked. I mean, you can prevent users from tweeting corporate information with Enterprise Data Protection. You can restrict certain applications even in BYOD types of scenarios. Then we've got things like Device Guard and Advanced Threat Analytics, and little things that add up to big things, like font blocking, because fonts were an attack vector. This is just an example of some of the technologies that are included with Windows 10. Again, adding these together, what you have is a system that's defended in depth.
Now I'll say this again – I think Windows 10 is the most secure operating system to date, and that's because of all the different security systems that, when you put them together, give you a much stronger, more resilient system – a system that can resist a lot of the kinds of attacks that are occurring today. And that doesn't exclude a lot of common sense and best practices we still need to employ – user education is still important, physical security is still going to be important. But when we look at our Windows network, we want to make sure that it's as secure as possible. And one of the ways that we can do that is to start employing and using some of the latest technologies in Windows 10, because those latest technologies in Windows 10 were designed to directly address some of the threats that are occurring today.
Strong and solid authentication is an absolute necessity when you need to grant discretionary access and when you need to grant users access to corporate resources in a secure manner. Now Windows 10 supports the strongest authentication framework yet. And today, I want to go under the hood and show you how Windows logon works. Now I love the fact that I can just walk up to my refrigerator, open the door, pull out a soda, right. And I don't have to think much about how the refrigerator actually works, how it keeps it cold. And yet, I visit the refrigerator on a daily basis. Now it's like that with the logon system, I think. You and I walk up to our Windows systems and, on a regular basis, we log on. And we don't think much about, you know, how it works. Of course, it's not magic really. It's actually the logical execution of multiple, carefully engineered components or software processes. In other words, it's a lot of things working together like – for instance – where the accounts live, and the Local Security Authority, and credential services, and even my hardware. Now what I want to do is consider exactly how these processes work together. So consider with me how these processes work together to give us secure access and that daily experience of logging in.
[Heading: Behind Login. Some of the examples of credentials services are Password, Biometrics, Smart Card, Phone Code, PIN, and Certificates.]
Now the first thing I want you to understand is that there is a difference between logging in and accessing a resource. You might call it authentication versus authorization. Authentication is all about the process of validating credentials and proving the identity of the person, or even of an object like a service. Authorization, on the other hand – well, that's about determining the level of access somebody has to a resource. So for instance, with authentication, we have – Who are you? And we have a couple of key concepts related to this, starting with the fact that we're authenticating security entities. We call those security principals or trustees, right. And authentication itself is an activity that can occur interactively – so in front of a system, interactively. Or authentication may be necessary over the network. In all of these cases, authentication is a process of validating credentials. So there is a requirement for evidence, right – evidence that says "This is who I am." And then that evidence...once it's been verified, we have successful authentication. And usually that, you know, results in a transaction where – like – a security token is given to the user as proof that they've been authenticated.
Now that brings us to this concept of authorization. Now, with authorization, we're going to take that security token – that validation that we've received from our authenticating source – and we're going to present that when we go to access resources. So authorization is about what resources, what operations, what rights, what permissions I have. And this is something that occurs after authentication, right. So you authenticate first. And then, after you authenticate, you're given your desktop. And the very fact that you're presented a desktop is a type of authorization: you've been authorized on your local system. And then, if you go across the network, right, and you go and access – like – a SharePoint site or a file share or a cloud service, then you also have another step involved with that. You have authorization at that end. If it's a different system protected by different credentials, you might be required to authenticate again using an entity or a security trustee that is valid for that particular resource – basically, a security source that's trusted by that resource. So these are two important concepts to keep in mind when we're talking about security. They're not the same thing. They're related processes. But authentication is a validation of who somebody is. And authorization is that person or that service accessing a resource, and it's the discretionary control based on who they are.
Now one of the first concepts behind the logon is the fact that we're presenting credentials, right. And those credentials are tied to a security trustee or security principal – a user account, essentially. And we're doing that on a device. So, in this next section, I want to talk about the different kinds of security principals that Windows 10 supports during logon. Now the first thing you do when you go to log in to a Windows 10 system – you are going to provide user account information, the name of your user account. Now it's a fundamental security object, right. A user account is called a trustee or sometimes called a security principal. And it's going to represent you, or you can have accounts represent services as well. And, with this account – this object – we can control access or identify levels of access. Now not all user accounts have an equal level of scope. They have kind of a different range or different territory, if you will. And their information is also stored in different places. In other words, the validating agent – you know, the database that contains the information for validating it – is in different places.
[Heading: Types of User Accounts. There are three types of users: Administrator, Standard User, and Power User. Power User has been deprecated.]
So here's a list of some different user accounts and where they're located. So we have, first of all, the local user account. Now the local user account is stored in the local system, right. And it's something that you can build. In Windows 10, it's a little hard to actually access this thing at the beginning. So, when you actually do a fresh install of Windows 10, Windows 10 setup really wants you to create a Microsoft account or join an Azure Active Directory. And so the way you actually build a local account from setup is you indicate that you're going to join a corporate domain. And then it's going to provision a local account. And then you go through and, you know, join a domain through normal processes like you've done in the past. My point is that in setup, in the past, they would just automatically create a local account for you. That was only good on the local system. Not anymore. Microsoft recognizes that you're going to be using your Windows 10 desktop or laptop to actually connect to services and resources. And, even if it's a personally owned device, there is an assumption there that you want to take advantage of all that Windows 10 has to offer in terms of synchronization and OneDrive and those cloud services. So they ask you to create a Microsoft account – an outlook.com type of account. Anyway, that was just a little tangent there in terms of where the local account went during setup. All right. Now there are other types of accounts listed here. We do have the domain account. We have a Microsoft account, which is what I was just talking to you about. That's kind of the default that's presented during a consumer setup and installation of Windows 10. And then we have this new thing here called an Azure AD account. We're going to talk about that here in a moment.
Now, when it comes to these accounts, they're stored in different places, but they also have different levels of access on the system. So, if the account is a member of the local Administrators group, then there is a high level of privileges, and things like installations of software and drivers are permitted; that user's got a high degree of rights and privileges. Whereas a standard user is going to be a limited user. They can run applications, but installing things...well, they're not going to be permitted to do so, typically, except if it's something like a Windows Store application that doesn't require administrative privileges – so a per-user type of application. So there are some restrictions. Administrators – they have the necessary rights and privileges to support the device that they're logging in to. And so you want to really limit who is going to, you know, be an administrator on your typical corporate systems, because they also have the ability to make system-wide changes. And, if that account – if an administrator account – gets compromised, well then, of course, that's going to result in the potential of malicious changes or malware being installed. So we are concerned, of course, about that. So the typical corporation is going to have most people – user devices – as standard users. The home user, though – well, they're going to want to be able to do everything. So they're going to be, you know, an administrator over their own machine. Nevertheless, we have two levels of account. Notice here, quick note, that the whole power user thing from, you know, XP days – that's gone. So these are the two levels of account.
So let's go ahead and continue talking about these user accounts. And I want to ask this question and answer it – where do these accounts live? So we've been talking about standard user accounts, we've been talking about domain accounts and Microsoft accounts. So let's talk a little bit about where those accounts live. Now local accounts live in a database on the local machine. And that database is called the SAM – the Security Accounts Manager – and it's in the registry. So this is where local accounts are going to exist. And you can actually see this if you open up the registry, but you can't read it. So you'll see that SAM is there. And the way we manage local accounts really has not changed. So you can still interact with the SAM through Computer Management, through the Control Panel, and, right, through the Settings app now.
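As an added example (not from the course), here is a PowerShell check for the least-privilege point made above: it reads the local accounts from the SAM and the local Administrators group with the `Get-LocalUser` and `Get-LocalGroupMember` cmdlets that ship with Windows 10, and flags what a corporate desktop should rarely have. The `$ApprovedAdmins` allow-list is a hypothetical default you would replace with your own names.

```powershell
# Added example, not part of the course material. Audits the local SAM
# accounts and the local Administrators group so that admin rights are held
# only by the accounts you intend. Uses the Microsoft.PowerShell.LocalAccounts
# module that ships with Windows 10 (Get-LocalUser, Get-LocalGroupMember).

function Get-LocalAdminAudit {
    [CmdletBinding()]
    param(
        # Members allowed to keep local admin rights (hypothetical allow-list;
        # adjust to your environment). Use the names Get-LocalGroupMember
        # reports, e.g. 'MYPC\Administrator' or 'CONTOSO\Workstation Admins'.
        [string[]]$ApprovedAdmins = @("$env:COMPUTERNAME\Administrator")
    )

    $findings = @()
    $members  = Get-LocalGroupMember -Group 'Administrators'

    # 1. Anyone in Administrators who is not on the allow-list. PrincipalSource
    #    says which identity store the member comes from (Local = the SAM,
    #    ActiveDirectory, AzureAD or MicrosoftAccount), i.e. the same account
    #    stores the course walks through.
    foreach ($m in $members) {
        if ($ApprovedAdmins -notcontains $m.Name) {
            $findings += [pscustomobject]@{
                Finding = 'UnapprovedAdministrator'
                Account = $m.Name
                Detail  = "$($m.ObjectClass) from $($m.PrincipalSource)"
            }
        }
    }

    # 2. SAM accounts that are enabled and hold admin rights: these are the
    #    accounts whose compromise hands out system-wide change rights.
    $localAdminNames = $members |
        Where-Object { $_.PrincipalSource -eq 'Local' -and $_.ObjectClass -eq 'User' } |
        ForEach-Object { ($_.Name -split '\\')[-1] }

    foreach ($u in Get-LocalUser) {
        if ($u.Enabled -and ($localAdminNames -contains $u.Name)) {
            $findings += [pscustomobject]@{
                Finding = 'EnabledLocalAdministrator'
                Account = $u.Name
                Detail  = "PasswordLastSet=$($u.PasswordLastSet); LastLogon=$($u.LastLogon)"
            }
        }
        # 3. Enabled accounts that do not require a password at all.
        if ($u.Enabled -and -not $u.PasswordRequired) {
            $findings += [pscustomobject]@{
                Finding = 'NoPasswordRequired'
                Account = $u.Name
                Detail  = 'Enabled local account with PasswordRequired = False'
            }
        }
    }

    return $findings
}

# Run the audit; an empty table means there is nothing to review.
Get-LocalAdminAudit | Format-Table -AutoSize
```

Pass `-ApprovedAdmins` with your own list when running it against a managed image; on a home machine the signed-in account will normally show up as an unapproved administrator, which is exactly the point the course makes about home users.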
Now over here, we've got On-Premise Accounts. What that is in reference to is on-premises Active Directory. So those domain accounts are going to live in a database over here. So, when you're providing your credentials, that username actually may not exist in the SAM. Instead, it might exist in a database on a server called the domain controller. And, in a very similar fashion, those accounts could actually live up here in the cloud. And that could be either an Azure Active Directory account or it could be a Microsoft account with a live.com or outlook.com suffix. So these accounts live in different places. And so, when I was saying earlier that accounts have kind of different territories, notice that a local account right here – if it's part of the SAM database, even if it's an administrator account – is going to be restricted in scope in terms of its authorization, what kind of resources it can access. It's going to be limited to the local machine. But, if it's an account that's stored elsewhere, right – particularly if it's an on-premises domain account or an Azure Active Directory account – then that account has additional scope and additional territory. It could be granted access more widely. And it has a lot to do with the fact that, by putting the accounts in these centralized databases, other resources can leverage that account for securing access and granting access. So, you know, we can use these accounts for network-based resources. Whereas, with the local account, we're not going to be doing that. The local account only has authorization ability on the local machine. So where the account lives has a lot to do with how we're going to use the account and with what kind of resources are going to leverage that account.
Now we've already talked a little bit about where accounts live and pointed out that you can store them in Active Directory. You could store them...you know, you could use a Microsoft account, which is stored in Microsoft's cloud, but there is this new type of account called Azure AD. You see, the local account, the AD account, and even the Microsoft account – well, those have actually been around. The Microsoft account was introduced with Windows 8, but the Azure AD account – this is new. It's new for Windows 10 in terms of being an option. So what is the Azure Active Directory account? Well, Azure Active Directory is not Active Directory on a domain controller in a virtual machine running in Azure. So let me take a step back. Let's start with what Azure is, right. If you're not familiar with what Azure is, Azure is Microsoft's public cloud service. And sometimes they call it az-YOOr, sometimes they call it AZH-uhr, maybe az-uhREE. I don't know. I've heard Microsoft pronounce it different ways. I like to say az-YOOr – so whichever way suits you. Okay. So we've got Azure Active Directory. And the idea here is Microsoft has a whole score of services and resources like Office 365, and if you're an Office 365 customer, you have Azure Active Directory. You may not even know it. Now Azure Active Directory is its own directory store. It's not the same as your on-premises Active Directory. For example, here is one big difference – no Group Policy. Azure AD isn't going to deliver Group Policy the way your on-premises directory does. Instead, Azure Active Directory is a lightweight directory store with its own kinds of services and features, including, if you have the premium edition, the ability to do multi-factor authentication.
So there are actually two variations of this. There is basic and there is premium. And with premium, you get some additional identity features. Now, when you install Windows 10, you're presented with a question that says, "Do you want to provide an Azure Active Directory account – are you going to join Azure AD, or are you going to join the domain?" So you're given two choices now during setup. Now, if you choose Azure Active Directory, they're going to ask you to supply your organizational e-mail address. And, if it's set up, you're going to be able to authenticate using your Azure Active Directory account. And this is going to enable you to access cloud-based resources like Office 365. Now the other aspect of this is that Azure Active Directory provides conditional access policies for us. And it also supports what is called Single Sign-On, which is pretty cool.
[Heading: What is an Azure AD account? Windows 10 allows users to log in to their devices with an Azure AD account, thereby granting users single sign-on with conditional access to services and applications in the cloud or on-premises. This is ideal for businesses or schools without on-premises AD.]
So the benefit of Azure Active Directory is, if you do have cloud-based services, users can access those applications and services with this Azure AD account from Windows 10. Here's the other cool thing about this: it supports Single Sign-On. So they're not having to log on to each and every one of those services. They're logging in once. Now the other cool thing about this is you can actually integrate Azure AD with your on-premises environment, or not. So Azure AD is growing in popularity because some companies and organizations are finding that it's easier to maintain their directory and identity services in the cloud than to do it on-premises with their domain controllers. I mean, domain controllers are wonderful things. And I've been working with Active Directory for my whole career. And so we've got these DCs and they've got policies and we've got schemas and we've got, you know, the various kinds of service accounts and DNS integration and such and such and such. Well, a lot of that is very powerful. It's effective; Active Directory does what it's intended to do, but there is all of that overhead in terms of maintaining it. A lot of businesses are considering and turning to Azure Active Directory. And Windows 10 is positioned to take advantage of that as a client system that can provide a way to access resources and even log on with an Azure Active Directory account. So Azure Active Directory is a new type of account in Windows 10. It allows users to access cloud-based services and also potentially access on-premises services if Azure Active Directory and the on-premises directory have a synchronization relationship – pretty cool stuff.
Now user credentials and user accounts might be the foundation of authentication, but we also have to think about the devices, because the devices that users are authenticating from and accessing resources from and on – well, those are also critical factors for the overall authentication process. Now devices can align themselves to different identity stores where the accounts live. And they can actually authenticate to account stores in a very similar fashion to user accounts – so, for example, the Domain Joined device over there. Domain-joined devices – well, what they do is they actually have a computer account that lives in Active Directory, just like the user account can live in Active Directory. And so a domain-joined device will have a shared secret between it and the servers. And so then that device actually authenticates. In fact, it changes its password on a regular basis. And all of that is transparent to the user. Another example – consider Workplace Join, which was introduced with Windows 8.1 and is also supported with Windows 10. Workplace Join relies on the user and the device. The device isn't actually joining Active Directory in the same manner that a domain-joined device does, but this device can also be used as part of multi-factor authentication. So the device can contribute to the authentication process. The same is true for these Cloud Joined types of devices. And the devices themselves actually don't have to be company-owned devices for this kind of device authentication, for them to contribute in terms of authentication.
Now then we've got these consumer devices here. And even in a HomeGroup, or I should say a Workgroup, the device plays a role in your security. So, for example, in Windows 10 you have to verify your device, and this is interesting: you have to verify your device before Windows will actually sync your settings to the cloud. So, if I sit down in front of your machine and you create an account for me to log in with, and I go in and set up my Microsoft account on your machine, then when I go back into the settings, my synchronization settings are disabled until I verify that I am who I say I am on that actual device. So the device adds an additional safeguard. These are just some examples of how the device is becoming a physical asset that participates in authentication.
Now the next thing I want to talk about is the actual credentials that a user needs in order to validate that they are who they say they are, and how the authentication process uses those credentials. And I want to talk about a new feature right here in Windows 10 called Microsoft Passport, and also Virtual Secure Mode. Cool stuff. To start things off, we need to consider credential services and the different types of credentials we can use to validate who we are. So we're providing an account. That account lives in one of these databases: a local one, one in the cloud, or one on an on-premises server. And then, of course, we need to supply proof that we are the person behind that account. What are the different types of proof? Here are the different types of evidence we can provide: passwords, biometrics, smart cards, maybe a one-time password, maybe a PIN, maybe a certificate.
So we have these different ways in which we can validate. Now these methods fall into a few categories. First there is "what you know." That, of course, would be your simple password; you know a password and you provide it. Then we have the "what you have" category, which relates to things like having a smart card or having a certificate. And these get stronger as we go up the scale here, with this one being "who you are." That is considered by many to be the stronger type of credential on its own, and it relates to your biometrics, so facial recognition and your fingerprint and such. Now you can combine these. You can combine a PIN with a certificate, or combine a smart card with a PIN, which is essentially the same thing. What you're doing then is creating multi-factor authentication. Multi-factor authentication has historically been difficult to implement, but it's becoming more critical to consider because of the kinds of security threats that are happening, the kinds of attacks that are occurring. So multi-factor authentication is a kind of defense in depth just for credentials. Microsoft is seeking to make it a whole lot easier, and we're going to learn a little bit about why that's important.
[Heading: Credential Types. Windows supports multiple credential types or identity proofs.]
All right, so here is a look at some of those technologies in Windows 10. We have Microsoft Passport. We have Windows Hello, which is a biometric credentialing technology. We have isolated LSASS secrets. These are just three of several technologies that Microsoft includes, and the focus of these is on identities: providing more robust authentication methods that go beyond just the traditional password. So let's focus in on this one right here. What is Microsoft Passport? Now I want to mention that this is not the same Passport technology that Microsoft offered in the past. There was an online sign-in and electronic wallet service, ten years back or so, that Microsoft called Passport. This is entirely different. They're reviving the word, and it now applies to something else. The idea behind Passport, and this is important, is to upset the whole password culture and replace it with something stronger. There are several reasons why this is important. Passwords are easily forgotten, they are just alphanumeric strings, and they can easily be replayed. Let's put it this way: there are essentially three key problem areas with passwords. Maybe you can come up with some more, but there are three that I can think of.
[Heading: What is Microsoft Passport? Microsoft Passport replaces passwords with a private key accessed by a "user gesture." It provides a strong two-factor authentication. It is intended to counter brute-force, replay, and phishing attacks.]
Number one: they are symmetric. The same secret is known by both sides, and that means it can be replayed. So here's one of the realities, and this is interesting. Attackers have figured out that users use the same password everywhere. We use the same password everywhere because too many passwords are just too difficult. In fact, the human brain can only comfortably hold a handful of items, something like four to seven, at a time. So here we are with these strong passwords, which are combinations of all these things: uppercase, lowercase, symbols, numbers, ten characters long. Those are really challenging for a human being. So we try to simplify, we use phrase-based passwords, we get really creative, we write it down, but even then it's complex. So we use that one password everywhere. We use it on Facebook, on Twitter, on our shopping sites, on our login sites, and on our corporate network. See where I'm going with this? If that password is compromised at Facebook, or at that greeting card web site, then now they've got a password that they can turn around and replay against the more sensitive accounts that belong to that person. So, of course, then we're looking at compromises. One of the things attackers are doing is targeting these lower-tier, small-business web sites, extracting passwords from them, and replaying them on larger sites such as banking sites. And they are discovering that they gain access and steal our resources that way. That's one of the ways they're breaching.
So passwords have a lot of vulnerabilities. That's number one: symmetric, and therefore subject to replay attacks. Number two: they're software based. And, because they're software based, they are far more vulnerable than a hardware-protected key or certificate. They're vulnerable to an offline attack, or an online attack where the attacker extracts them out of memory. So that's another concern we have about passwords. And finally, they are vulnerable to phishing, because even if you've got the greatest password, even if your passwords vary, there's still the risk of somebody calling up the user and saying, "Hey, I'm from the helpdesk. I'm trying to reset your password for you, or access this thing for you. Can you give me your password so I can help you?" That's the whole social engineering thing. There is a risk of the user giving the password up over the phone or through some other channel. And, if they do and it gets used elsewhere, then the other resources that password is protecting are also compromised. Once a password is up, everything else is up. That's a problem.
So Microsoft Passport seeks to overcome the whole password culture and replace it. And the way they replace it is with asymmetric key pairs, so now we're going to use private keys. The way these private keys are used is that the user provides a gesture. That gesture could be a PIN, it could be a biometric, or it could be something like the phone in their pocket. The user provides a gesture that unlocks the private key. And so there you have a form of multi-factor authentication right there, because the device and the user together are the authenticating components. It's not just a single software password; it's the device and the user together, so you've got a more secure environment. A much more secure environment. Now this confuses people initially, so let me explain a couple of things. When you set up Windows 10, it's going to recommend that you set up a PIN instead of a password. The initial thought I had, and many people have, is "Why would a six-, eight-, ten-character password be weaker than a four-digit PIN?"
Microsoft's point is that it's not so much the length that matters. What we're doing here is including the identity of the device as part of the authentication, alongside the PIN. So this is an important concept. Hear me on this: it's not just the PIN that authenticates you. The device is also part of the authentication. And to see why that matters, you need to understand the relationship a PIN has to a device. Say, for instance, you have a bank card, an ATM card. You go to an ATM. You can't just type your PIN into the ATM and get money, right? But that's essentially what a password is: something you can use anywhere and get access. The way a bank card works is two-factor authentication. You provide the card and the PIN. That's what we're doing here. It's like the ATM: the device and the PIN together provide our authentication. And the PIN itself never leaves the device, so unlike a password it can't be replayed somewhere else. There's another important concept here, and it's this: if you make security too difficult, it's no longer going to be secure. So one of Microsoft's goals with Passport is convenience. By making it convenient, by making it simpler, they're attempting to increase security for the vast number of Windows 10 users. And Microsoft Passport, as you dig into it, is pretty exciting in how it accomplishes that.
Now what I want to do is dig into the details of how Microsoft Passport works. So let's start with the fact that on one hand we have the user and their device, and over here we have an Identity Provider. Now a word about the Identity Provider before I go into the procedure: Microsoft is part of FIDO, the Fast IDentity Online Alliance. FIDO is a consortium, an alliance of organizations seeking to get rid of passwords. This isn't just a Microsoft thing. This is Google, Facebook, Lenovo, MasterCard, a whole group who are concerned about the vulnerability of online services at the hands of the password. It's well known in the industry that passwords are an Achilles' heel, and this group has set out to attack that problem. Microsoft Passport is FIDO compliant. There are other implications to that, by the way. Not only is it aligned with what these other organizations are seeking to do, it also means that services those organizations provide that are FIDO compliant could potentially work with Passport in a Single Sign-On situation, which means you don't have to put your password in every time you visit this site and that site and that other site. Instead, the authentication could support a Single Sign-On scenario. So theoretically, you would log on once and you wouldn't even have to enter a password at these other locations, and it would be secure. I know some of you may not be convinced of this, so let's talk a little bit more about how Passport works.
So for starters, we have the user and the device over here. The first thing we're going to do, number one here, is provision or set up the user account. This is the verification process. This happens when an account is created, or when the user decides that they want to give up their password and exchange it for a Passport and a PIN. So this initial verification occurs, and the user does supply a password here that matches the credential information in the Identity Provider's database. Once Passport is set up, though, they should not have to supply that password any longer unless they're going to register another device. So we go through this registration process, and the next thing that happens as part of it is that keys get generated. This is an important concept right here: at this point the device is creating an identity for itself. At the time of provisioning, there is a kind of marrying that happens between the user account, the Identity Provider, and the device itself, using cryptography, using asymmetric keys.
So a private key is generated. Ideally, it's generated by the hardware and bound to the hardware; a TPM supports this. The TPM can generate the keys for us. You can have software do it, but it's preferred to have the TPM do it. So the TPM generates the key pair, and the private key gets locked away and is secure. The public key, and here is the interesting thing that happens, is then sent to the Identity Provider, where it forms the other end of the marriage: it gets mapped to the identity. So we've got a strong security relationship established that goes beyond just what you know. It's also the fact that this provisioning, this exchange, occurred and a trust was established. That trust is not dependent on a single piece of information like a password that can be replayed elsewhere. It's very specific to this device. Authenticating from this device is going to require this particular key pair, and you can't use it on other devices. Moreover, the keys themselves are not going to be used for authentication until the user provides a gesture of some sort. And that's where the PIN actually comes in.
So let's go further now and talk about what happens when the user tries to access this resource down here, this application. What's going to happen next is that the user logs on. When they log on, they're not providing the password, but they are using some sort of gesture. This could be a couple of different things. It could be a PIN, it could be Windows Hello, which is biometrics: fingerprint, facial recognition. It could also be the phone they have in their pocket, something that they have. So they have some sort of gesture here that unlocks the private key. Then they take the private key that they've unlocked and use it as part of an authentication transaction between the Identity Provider and the user over here. The way that works is that the Identity Provider sends a challenge. A challenge is just a blob of data. It might have the date in it and some other information, but what's important is that the device turns around and digitally signs it with the private key. And it can't do that, of course, unless the private key has been unlocked. So the user unlocks it, the challenge is signed, and the signature is sent back to the Identity Provider. Now, because it's been signed with the private key, if you're familiar with the way asymmetric keys and certificates work,
the only way that the signature can be validated is with the matching public key. It gets validated with the public key, which is the proof, that is the magic right there, that this actually came from this user and this device. So that's the two-factor authentication: the user providing a gesture and the device proving itself to the Identity Provider. The Identity Provider can validate, without a shadow of a doubt, that this is the device they provisioned up here, because of this private/public key validation. Once that happens, the Identity Provider can send an authentication token to the user, and with that token the user can access resources. Now here's another interesting factor. Microsoft recognized that even though we've got a very secure authentication process that goes well beyond what passwords can do, an authentication token that resides in memory could still be vulnerable. If it's stolen in transit, perhaps, it could be replayed elsewhere. So the token has anti-replay protection built in: it is specifically tied to this device, and only this device can actually use it. That's an additional development in the process to frustrate certain types of attacks, things like brute-force attacks, replay attacks, and phishing attacks. A lot of those attacks have been prevented or frustrated to some level as a result of Microsoft Passport and this authentication process that's based on identifying the device as well as the user.
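Here is the provisioning and logon exchange just described, written out as a small Go program so you can see both sides talking. This is an added example for this page, not Microsoft's Passport implementation: a P-256 ECDSA key pair stands in for the TPM-held key, a PIN string stands in for the gesture, the identity provider stores nothing but public keys, and the user name, device ID, PIN and 32-byte random challenge are all constructed for illustration. The device-bound token is modelled simply as a token that names the device it was issued to.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Device keeps the private key. In Passport it sits in the TPM and is only usable after the
// user's gesture; a PIN string stands in for that gesture here.
type Device struct {
	ID   string
	pin  string
	priv *ecdsa.PrivateKey
}

// Token names the device it was issued to, so a resource can refuse it from anywhere else.
type Token struct{ User, Device, Value string }

// IdentityProvider stores only public keys, one per (user, device) pairing, plus the
// challenges it has handed out and not yet seen answered.
type IdentityProvider struct {
	keys   map[string]*ecdsa.PublicKey
	issued map[string]bool
}

func NewIdentityProvider() *IdentityProvider {
	return &IdentityProvider{keys: map[string]*ecdsa.PublicKey{}, issued: map[string]bool{}}
}

// Provision is the one-time registration. The caller is assumed to have verified the user's
// password already; only the public half of the new key pair leaves the device.
func Provision(idp *IdentityProvider, user string, dev *Device, pin string) error {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return err
	}
	dev.priv, dev.pin = priv, pin
	idp.keys[user+"|"+dev.ID] = &priv.PublicKey
	return nil
}

// Challenge is fresh random bytes: signing it proves possession of the key right now, and a
// captured signature is worthless later because the bytes are never reused.
func (idp *IdentityProvider) Challenge() ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	idp.issued[hex.EncodeToString(c)] = true
	return c, nil
}

// Sign is the device's half of the logon: the gesture unlocks the private key, which then
// signs the challenge. Wrong gesture, no signature.
func (d *Device) Sign(gesture string, challenge []byte) ([]byte, error) {
	if d.priv == nil || gesture != d.pin {
		return nil, errors.New("gesture rejected: private key stays locked")
	}
	h := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, d.priv, h[:])
}

// Verify checks the signature against the public key registered for this user on this device,
// consumes the challenge, and issues a token bound to that device.
func (idp *IdentityProvider) Verify(user, deviceID string, challenge, sig []byte) (*Token, error) {
	pub, ok := idp.keys[user+"|"+deviceID]
	if !ok {
		return nil, errors.New("no key provisioned for this user on this device")
	}
	id := hex.EncodeToString(challenge)
	if !idp.issued[id] {
		return nil, errors.New("challenge unknown or already answered (replay)")
	}
	h := sha256.Sum256(challenge)
	if !ecdsa.VerifyASN1(pub, h[:], sig) {
		return nil, errors.New("signature does not verify under the registered public key")
	}
	delete(idp.issued, id) // one challenge, one answer
	t := sha256.Sum256([]byte("token|" + user + "|" + deviceID + "|" + id))
	return &Token{User: user, Device: deviceID, Value: hex.EncodeToString(t[:])}, nil
}

// Accept is the resource's check: the token only works from the device it was issued to.
func Accept(t *Token, presentingDevice string) bool { return t != nil && t.Device == presentingDevice }

func main() {
	idp, dev := NewIdentityProvider(), &Device{ID: "laptop-01"} // constructed example device
	if err := Provision(idp, "alice", dev, "1234"); err != nil {
		panic(err)
	}
	c, _ := idp.Challenge()
	sig, _ := dev.Sign("1234", c)
	tok, err := idp.Verify("alice", dev.ID, c, sig)
	fmt.Println("logon ok:", err == nil, "| usable on laptop-01:", Accept(tok, "laptop-01"), "| on phone:", Accept(tok, "phone"))
	_, err = idp.Verify("alice", dev.ID, c, sig)
	fmt.Println("same challenge replayed, rejected:", err != nil)
}
```

Run it and you get a successful logon from laptop-01, a token the resource refuses when it is presented from a phone, and a rejection when the same challenge and signature are sent a second time. The thing to notice is what the identity provider never receives: not the PIN and not the private key, only a public key at provisioning and a signature at logon, which is exactly why there is nothing in its database worth replaying.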
All right, here are some considerations for using Microsoft Passport. As I mentioned earlier, the best implementation relies on hardware-generated keys. That's because a TPM 2.0 ships with a built-in endorsement key and a manufacturer-issued certificate for it, following the Trusted Computing Group's specification. So there is an industry-wide, industry-sponsored root of trust in the chip, and that allows a great deal more attestation to be done: the Identity Provider can get evidence that the Passport key really was generated inside that hardware. Hardware-bound keys are far less vulnerable than a software-based key pair. Another thing I want to mention is that browser support for Microsoft Passport is being developed and has been developed, so you can expect to see this implemented in a wide variety of scenarios. And another thing: there are two versions of Passport. It's not mentioned on the screen, but there are two versions, local Passport and Passport to Go. So here is another scenario where you might see Passport in use.
Let's say you come over to my house to play on my Xbox. If we had an account set up for you, you could authenticate without actually putting in your password. Instead, the infrared Kinect camera recognizes your face, and we authenticate you using biometrics, based on Passport technology. And when you leave my house, there are not going to be the kinds of artifacts left behind that a password-based logon leaves, because not only is it authenticating your face, but you also have a phone in your pocket. That's called Passport to Go: you can use your phone as an authenticator. So there is your multi-factor authentication, and that's pretty tough stuff: facial recognition plus the fact that you possess a phone. That's a Windows Hello, Microsoft Passport, and Xbox scenario put together, and it's an exciting implementation of Microsoft Passport. So here is a look at how the TPM protects those credentials on a device. One of the things I want to emphasize here is that we're not storing the PIN on our servers. Instead, we're securing the device's authentication material on the local machine, and using the TPM is the best practice. In the TPM, when you provision Passport and provide a PIN, the first thing it does is set up a default container for the secure storage of this identity provider information.
In an organization, if you want to adopt Microsoft Passport, say for Active Directory or Azure Active Directory or a hybrid approach, Microsoft has an enterprise container to keep those work credentials separate, so you have a personal PIN and a work PIN. Again, the PIN isn't being stored on the servers. Nevertheless, you can use Microsoft Passport for authenticating with domain or Azure AD credentials. Now, if you want to use this in your organization, there are some requirements. Under Azure Active Directory, which is probably the simplest approach, you just need Azure Active Directory and you can set up your keys and set up your PINs. If you want to do it with on-premises Active Directory, there are a few more requirements. For instance, you're going to have to update your schema, and you're going to need new domain controllers running the latest release of Windows Server to support this. As I understand it, Windows Server 2012 domain controllers currently don't support Microsoft Passport. You're also going to need the latest version of Active Directory Federation Services, the one that supports Windows 10.
[Heading: Microsoft Passport Requirements. A table listing, for each Microsoft Passport mode, what is needed in an Azure AD, an On-Premises AD and a Hybrid deployment. MDM can be SCCM R2 SP2, Intune, or third party.

Microsoft Passport Mode           | Azure AD            | On-Premises AD                  | Hybrid
Key-Based Authentication          | Azure AD            | W10 ADFS, W10 DCs, SCCM R2 SP2  | Azure AD, Azure AD Connect, W10 DCs, SCCM R2 SP2
Certificate-Based Authentication  | Azure AD, MDM, PKI  | W10 ADFS, W10 Schema, PKI, MDM  | Azure AD, PKI, MDM]
So earlier versions of Federation Services don't support this. Now System Center is not strictly required, but those first two, especially the domain controllers, will be. If you want to manage this, though, there is support in System Center Configuration Manager 2012 R2 Service Pack 2. So there's support for Microsoft Passport in policy, it's available through MDM, and it's available in System Center Configuration Manager. And then, if you're going to have a hybrid configuration between Azure Active Directory and on-premises Active Directory, you're going to have very similar requirements. You're going to need new domain controllers, but you're also going to need synchronization, and that's called Azure Active Directory Connect, which used to be called DirSync. So you have to have some sort of synchronization, and that might also include Federation Services. That's the hybrid approach. The key emphasis here is that this can be managed, so you've got control over it. From an IT standpoint, you can implement different requirements and decide which keys are supported. It's manageable through Group Policy, through Intune, and through System Center Configuration Manager. You just have to have the right editions and make sure you've got a supported infrastructure.
Okay, I want to talk to you now about another new technology in Windows 10. This one is intended to address a very specific attack vector: the Local Security Authority running in Virtual Secure Mode is designed to prevent credential theft, like pass-the-hash attacks. Now, if you're not familiar with the LSA, just go into Task Manager and you'll see it listed as LSASS, the Local Security Authority Subsystem Service. I think of LSASS as the credential accountant of Windows 10. It's the one that keeps the credential books, and it's the one you really want to protect, because it knows all of the secrets. So these new LSA protections in Windows 10 are really fantastic. What is Virtual Secure Mode, and what are these new protections for the LSA? Well, Windows 10 has this new feature that isolates the LSA and prevents pass-the-hash type attacks. You might also see this technology listed as Isolated User Mode; that's another name it goes by. Now the idea here is to build on technology you already have. This doesn't require exotic hardware or new infrastructure, just the processor's virtualization extensions and the hypervisor that already ships with Windows. What we're doing is maintaining the LSA's secrets in a separate environment and putting them behind a really strong barrier, and that barrier is Hyper-V.
[Heading: What is Virtual Secure Mode? Virtual Secure Mode runs kernel and trustlets inside a secure and isolated container. It requires the processor virtualization extensions.]
So here's a look at how Virtual Secure Mode works. Notice that the Local Security Authority service is running on top of a separate kernel. This is a special kernel; it's not the same kernel, doing the same kinds of work, as the one over here, which is regular Windows: my applications, my data, that kind of thing. That's where you and I live and where our applications live. But our passwords, our credentials, Kerberos, NTLM, even clear-text passwords, are all locked and secured over on the isolated side, behind this barrier. If the normal side ever needs that information, a question can be passed across through a very restricted channel, and the isolated side can provide responses, but it never sends or shares the passwords back over. We're protecting this information from the normal-world processes, and protecting the isolated processes from that world. By isolating them and creating this barrier between them, we create a very secure environment. On the isolated side there are no device drivers, there is no GUI, and there is no network access. But, as you see, the LSA isn't the only resident. There are other security technologies in there. In fact, this whole idea of Virtual Secure Mode is really the foundation for other security features as well, such as code integrity, which is part of Device Guard, and the virtual TPM. Technically, these are called trustlets. So these are little trustlets.
The main thing I want you to take from this graphic is that the LSA's secrets are now kept in this protected environment, and that addresses very specific types of attacks. There are other types of attacks, a whole range of them, and this isn't going to address all of them, but it is going to address specific ones. When you combine Local Security Authority in Virtual Secure Mode with other security features, then you're applying the strategy of defense in depth, and by combining these you're creating a system that's far more resilient. Now I, for one, don't believe in a totally perfect, bulletproof system, but I do believe that this isolation feature is an enormous step forward in making your Windows system more secure than ever.
In this next section, I want to talk about how Kerberos works. Now Kerberos, or kur-BER-uhs, depending on how you like to say it, is the primary protocol we use inside our organization to authenticate to domain controllers, to authenticate to Active Directory. So let's have a look at how it works. Kerberos is one of the authentication protocols we can use. It's not the only one. There are others that can be used in other contexts, maybe for remote access, maybe for backward compatibility, and, if I'm using smart cards, I'm going to use a certificate as well. Nevertheless, Kerberos is the one commonly used inside Active Directory, and it has a lot of key advantages. It also has some limitations. So let's talk now a little bit more about the Kerberos protocol. What exactly is Kerberos? Interestingly, it wasn't actually developed by Microsoft. It was developed at MIT, on UNIX systems. Microsoft adopted Kerberos because it supported Single Sign-On and had a strong security design: a trusted third party and symmetric keys, so you get strong, verifiable trust between parties without needing certificates. It supports Single Sign-On within your Active Directory forest. It's not a web-based technology, and that's one of the challenges with Kerberos: it's not used on the public web. It also supports mutual authentication. So those are some of the key benefits behind Kerberos and why we like it.
[Heading: Authentication Protocols. Authentication protocols are cryptographic protocols that provide a secure exchange of credentials and other security information. Windows supported authentication protocols include Kerberos v5 and EAP.]
So here is a look at how Kerberos works. We've got our client, which is a member of the domain, and over there we have a network resource the user wants to access. How does Kerberos provide access to that resource? Well, the user is going to authenticate, and to do that the client talks to the domain controller. It says KDC here because that's the Kerberos term: key distribution center. Our domain controllers are also Kerberos KDCs. Running on the KDC are two services, the authentication service and the ticket-granting service. So, when the authentication attempt occurs, the KDC's authentication service issues the client what is called a ticket-granting ticket, or TGT. The TGT is then what the client uses in order to request access to the network resource. So we have the initial authentication request, and the Kerberos client has the initial ticket it received. Then it sends a second request saying, "Hey, I need a ticket for the network resource." That request goes to the ticket-granting service, which validates the TGT the client received from the KDC a moment earlier, and comes back with a service ticket, sometimes called a session ticket, that the client can then present to the network resource.
So the key thing I want to show you here is that this is a similar experience to going to the county fair. I don't know if you have county fairs where you live, but in my hometown we have a county fair that comes every year, and when I was in high school I used to work there a lot. The way it worked is there was a main gate admission. Once you were through the main gate, there were all of these carnival rides: the Zipper, which is the one I remember best, the kiddie rides, the spinning octopus thing, and all those different fun rides you might find in an amusement park. Well, here's the interesting thing: the main gate admission was insufficient for admission to each of those individual rides.
So what would happen is you would go to the main gate and get your primary ticket there, your ticket-granting ticket, which validated that you paid for main admission. But if you wanted to access any individual ride in the park, you had to go to the ticket booth inside the fairgrounds and acquire a special ticket that allowed you to access that ride. In a very similar way, Kerberos provides access. The reason it works this way is that it keeps the network resource out of the authentication loop: the resource doesn't have to contact the KDC for every client that shows up, so there are far fewer connections for the KDC and the resource to maintain. There is a shared secret between the KDC and the network resource that only the two of them know. So the network resource trusts the KDC, and when the client presents a ticket, the resource can validate that it came from that KDC, because the ticket is encrypted with the resource's own key. The client can't forge or alter it, because the client never holds that key. There is limited replay, if any at all, because everything gets timestamped. So Kerberos is an efficient way of reducing network impact and providing the Single Sign-On experience within the domain.
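To make the three exchanges concrete, here is the fair-ticket flow as a runnable Go model. This is an added example, not Windows' Kerberos code: AES-GCM seals each ticket and authenticator, a SHA-256 of the password stands in for the real salted string-to-key function, the principal names (alice, krbtgt, cifs/fileserver) and their keys are constructed for illustration, and there is no network, just function calls between a client, a KDC that plays both the authentication service and the ticket-granting service, and a service that checks tickets with nothing but its own key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Ticket is the KDC's sealed statement "this client may use this session key with this service".
// It is encrypted with the service's long-term key (the krbtgt key for a TGT), so the client can
// carry it around but can neither read nor alter it.
type Ticket struct{ Client, Service string; SessionKey []byte }

// Authenticator proves the sender holds the session key right now; its timestamp bounds replay.
type Authenticator struct{ Client string; Time time.Time }

// keyFromPassword is a simplified string-to-key (real Kerberos uses a salted PBKDF2).
func keyFromPassword(pw string) []byte { k := sha256.Sum256([]byte(pw)); return k[:] }
func randomBytes(n int) []byte       { b := make([]byte, n); rand.Read(b); return b }
func aead(key []byte) cipher.AEAD   { b, _ := aes.NewCipher(key); g, _ := cipher.NewGCM(b); return g }

// seal and open wrap AES-GCM so every message is confidential and tamper-evident.
func seal(key []byte, v interface{}) []byte {
	pt, _ := json.Marshal(v)
	g := aead(key)
	nonce := randomBytes(g.NonceSize())
	return g.Seal(nonce, nonce, pt, nil)
}

func open(key, ct []byte, v interface{}) error {
	g := aead(key)
	if len(ct) < g.NonceSize() { return errors.New("ciphertext too short") }
	pt, err := g.Open(nil, ct[:g.NonceSize()], ct[g.NonceSize():], nil)
	if err != nil { return errors.New("cannot decrypt: wrong key or tampered data") }
	return json.Unmarshal(pt, v)
}

// KDC plays the domain controller: it holds every principal's long-term key, including krbtgt's.
type KDC struct{ Keys map[string][]byte }

// AuthService (AS exchange): the TGT is sealed under the krbtgt key; the TGT session key comes
// back sealed under the user's key, so only someone who knows the password can read it.
func (k *KDC) AuthService(user string) (tgt, reply []byte, err error) {
	ukey, ok := k.Keys[user]
	if !ok { return nil, nil, errors.New("unknown principal") }
	sk := randomBytes(32)
	return seal(k.Keys["krbtgt"], Ticket{user, "krbtgt", sk}), seal(ukey, sk), nil
}

// TicketGrantingService (TGS exchange): open the TGT with the krbtgt key, check the authenticator
// with the TGT's session key, then mint a ticket for the requested service.
func (k *KDC) TicketGrantingService(tgt, auth []byte, service string) (ticket, reply []byte, err error) {
	t, a := Ticket{}, Authenticator{}
	if err := open(k.Keys["krbtgt"], tgt, &t); err != nil { return nil, nil, err }
	if err := open(t.SessionKey, auth, &a); err != nil || a.Client != t.Client { return nil, nil, errors.New("authenticator does not match TGT") }
	skey, ok := k.Keys[service]
	if !ok { return nil, nil, errors.New("unknown service") }
	sk := randomBytes(32)
	return seal(skey, Ticket{t.Client, service, sk}), seal(t.SessionKey, sk), nil
}

// Service checks tickets with its own key alone, never calling the KDC, and keeps a replay cache
// of the authenticators it has accepted inside the five-minute clock-skew window.
type Service struct{ Name string; Key []byte; seen map[string]bool }

func (s *Service) Accept(ticket, auth []byte) (string, error) {
	t, a := Ticket{}, Authenticator{}
	if err := open(s.Key, ticket, &t); err != nil || t.Service != s.Name { return "", errors.New("ticket was not issued for this service") }
	if err := open(t.SessionKey, auth, &a); err != nil || a.Client != t.Client { return "", errors.New("authenticator does not match ticket") }
	if d := time.Since(a.Time); d > 5*time.Minute || d < -5*time.Minute { return "", errors.New("authenticator outside clock skew") }
	id := fmt.Sprintf("%s|%d", a.Client, a.Time.UnixNano())
	if s.seen[id] { return "", errors.New("replayed authenticator") }
	if s.seen == nil { s.seen = map[string]bool{} }
	s.seen[id] = true
	return t.Client, nil
}

// Login is the client side: derive the key from the password, read each KDC reply, and build a
// fresh authenticator for each ticket it presents. The TGT itself is opaque to the client.
func Login(kdc *KDC, user, password, service string) (ticket, auth []byte, err error) {
	tgt, rep, err := kdc.AuthService(user)
	if err != nil { return nil, nil, err }
	var sk, sk2 []byte
	if open(keyFromPassword(password), rep, &sk) != nil { return nil, nil, errors.New("wrong password: cannot read the AS reply") }
	st, rep2, err := kdc.TicketGrantingService(tgt, seal(sk, Authenticator{user, time.Now()}), service)
	if err != nil { return nil, nil, err }
	if err := open(sk, rep2, &sk2); err != nil { return nil, nil, err }
	return st, seal(sk2, Authenticator{user, time.Now()}), nil
}

func main() { // constructed principals and keys, for illustration only
	kdc := &KDC{Keys: map[string][]byte{"alice": keyFromPassword("pa55word"), "krbtgt": randomBytes(32), "cifs/fileserver": randomBytes(32)}}
	fs := &Service{Name: "cifs/fileserver", Key: kdc.Keys["cifs/fileserver"]}
	ticket, auth, err := Login(kdc, "alice", "pa55word", "cifs/fileserver")
	who, err2 := fs.Accept(ticket, auth)
	fmt.Println("login error:", err, "| file server accepted:", who, err2)
	_, err = fs.Accept(ticket, auth)
	fmt.Println("same authenticator presented again:", err)
}
```

Notice which key opens what: the client can read the AS reply only if it knows the password, the TGT opens only with the krbtgt key the client never has, and the service ticket opens only with the file server's key, so a ticket minted for one service is junk at another. The timestamp in each authenticator plus the service's replay cache are what keep a captured ticket from being reused.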
So we've been talking about authentication. The next thing we're going to look at is how access tokens work. A successful authentication will result in an access token. What is an access token? How does that work? Well, that's what I want to talk about next. So we've been looking at what is behind the logon process. I'm talking about some of the different components that contribute to authentication. This includes accounts, credentials, and new security features like Microsoft Passport. We also talked about the authentication protocol – Kerberos. Now, when these components are working together successfully, the user can be authenticated. Then that authentication results in an access token or a security context. The access token is an important part because this is how we go from authentication to authorization. Remember friends, authentication is about identifying and proving the user entity – the security entity – whereas authorization is all about granting access to the resource based on that authenticated entity. So, now that we have an access token, we're moving closer to authorization.
So what exactly is inside the access token? The access token contains information about who the user is. That's the user security identifier or SID in Windows terms. And then any groups the user is a member of – those are called group SIDs. So, if the user is an administrator, then it will list the Administrators group. If the user is just a standard user, well, then it will have the Users group in there. Another important part that's inside the access token are user rights and privileges. Now user rights and privileges are the ability to perform tasks and operations in the system, but permissions are not inside the access token. There are no permissions inside the access token. Instead, there are rights and privileges. The other thing that's inside the access token, which is relatively new – and that is claims. The original implementation of Kerberos in Windows didn't include claims, but now it does. In fact, they're changing Kerberos on a regular basis and adding new support for things like Microsoft Passport. Claims here support what is called Dynamic Access Control. So these are the four things that are inside your access token – your SID, your group SIDs, user rights and privileges, not permissions, and claims. All right. Now –
[Heading: Anatomy of the Access Token. An access token resides in memory and represents a logon session. The elements within an access token are used to control access to resources and system tasks.]
so what about permissions? Well, I want to take a moment and make an important distinction between rights and permissions, so you understand the role that the token plays. The token does affect permissions, but it affects them in an indirect fashion. Inside the token itself, that's where rights and privileges are stored. Now a right and a privilege are the same thing. Basically what they are, guys, is they are system tasks – the ability to perform system things like, friends, I'm shutting the system down, changing the size of the page file, changing the system time. Those are user rights, right. So these are what are going to be stored inside the token and they are pulled out of security policy. So they even come from a different location than a permission does. A permission – well, these are read, write, execute, full control, that kind of stuff. And this is actually on the resource. So the applications have permissions, files have permissions, right – share permissions, NTFS permissions. So these are enforced by an application or the file system, whereas user rights are enforced by the operating system. Nevertheless, they both are tied to the token in this sense. When I go to change the system time, I need to have that right available in my token, okay. On the other hand, if I go to access a file, well, then what happens is my username and my groups, right – the groups that I am a member of – those are listed in the token. And so my group memberships and my user account – those are compared to the access list that's found on that resource. So, when I go to access a file, it has an access control list that says who can read it, who can write to it, who can change it. And, if I match the access control list – if there are matching entries – then that's going to then be part of the calculation it goes through to determine if I have permission or not.
So for example, if I am part of the sales group, right, then my access token will say I am part of the sales group. And then I go to the sales resource. And it says "Sales group has full control." Then the security system is going to go "Oh, you've got full control because it says you're a member of the sales group in your token. Come on in." And so that's how that works. Another important point I want to make that people can misunderstand is there are different kinds of security tokens. This particular access token does not go over the network like other types of security tokens. So this one is per system. So, if I go and I want to talk to a network resource, then I am going to authenticate at that resource. So, if I go to a file server, the file server is going to use my Ticket-granting ticket from Kerberos, right. Or I should say, "I'm going to use the Ticket-granting ticket to get a session ticket and present that to the network resource." The network resource will take my session ticket and build me an access token that it will then use, as me, on that system to access resources.
That's an important clarification. The access token is not...you know, we're not flinging it around the network. Instead, we're using our network protocols like Kerberos and we're sharing credentials through the secure ticket. And then, on each individual system, I am authenticated and I have an access token residing there in memory that is then used whenever I access a resource on that system. That's where the Single Sign-On goes into effect. So, if I go and open up a folder here and then I open up another folder or application on the same resource, I can use that same exact access token that resides in memory on that remote file server. So this is the distinction between user rights and permissions. User rights really have to do with system tasks. Remember, they are generated and stored in policies. Permissions on the other hand – these, my friends, are tied to a resource – an application, a file or folder, the file system, right. The access token is used in both cases to represent the authenticated entity. And inside the access token are my rights. And then the access token also contains what groups I am a part of, which ultimately will determine my level of access. So that's how the access token works in regards to authorization.
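To make the distinction concrete, here is an added example, not part of the course material, that looks at the pieces just described on a Windows 10 machine: the Kerberos tickets held for the current logon session (the TGT and any session tickets), then the local access token's user SID, group SIDs and privileges, and finally the comparison of those SIDs against a file's ACL. The file path `C:\Temp\report.txt` is a placeholder; `Get-MatchingAces` is a helper written for this example.

```powershell
# Added example (not from the course): Kerberos tickets, the local access token,
# and the token-versus-ACL comparison described above.
# Assumes an interactive PowerShell session on Windows 10; replace the path below.

# 1. Kerberos tickets for this logon session: the TGT (krbtgt/...) first, then the
#    full list, which includes session tickets already acquired for services such as
#    cifs/<fileserver>. On a workgroup machine these lists are simply empty.
klist tgt
klist

# 2. The in-memory access token: user SID, group SIDs, privileges (user rights).
#    Note that no file or share permissions appear here.
$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
"User SID : $($identity.User.Value) ($($identity.Name))"
foreach ($sid in $identity.Groups) {
    try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $name = '(unresolved)' }        # e.g. logon-session or capability SIDs
    "Group SID: $($sid.Value) -> $name"
}
whoami /priv                                # rights such as SeChangeNotifyPrivilege

# 3. Authorization: which ACEs on a resource match SIDs carried in the token.
#    Both Allow and Deny ACEs matter; Deny entries win in the access check.
$tokenSids = @($identity.User.Value) + @($identity.Groups | ForEach-Object { $_.Value })

function Get-MatchingAces {
    param([string]$Path)
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        $aceSid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        if ($tokenSids -contains $aceSid) {
            [pscustomobject]@{
                Identity = $ace.IdentityReference.Value
                Type     = $ace.AccessControlType     # Allow or Deny
                Rights   = $ace.FileSystemRights       # e.g. FullControl, ReadAndExecute
            }
        }
    }
}

Get-MatchingAces -Path 'C:\Temp\report.txt' | Format-Table -AutoSize
```

Running `Get-MatchingAces` against a file shows exactly the calculation the text describes: only ACEs whose identity is in the token's SID list take part, and the token itself carries no permissions, just the SIDs and rights that the file system or the OS evaluates.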
Now one of the oldest types of accounts in Windows is the local account. So I want to talk about how to configure the local user account. Now there are essentially multiple ways to create a local user account. Probably the most basic way is good old-fashioned Control Panel. You can also create it from within Setup – a little difficult to get to from there. The default during setup is it wants you to make a Microsoft account, but we'll talk about that later. Nevertheless, if you were to select domain join instead, and you're running the Professional edition or Enterprise edition, well, then it's going to give you the option to create a local account with the assumption you would finish the domain join later. In addition to that, you can create a local account from Computer Management – one of my favorite tools. In fact, when I first started using Computer Management...well, those days are gone. I still use Computer Management today, but it doesn't have the same effect that it used to. Nevertheless, we've got Control Panel, we've got command line methods. So you can create user accounts using the old-fashioned net user command. But there's also PowerShell, which is really more like power thrill because you can do so much with PowerShell. So let's look at how to create some local user accounts, shall we? Now probably the primary account that a consumer is going to use on a Windows device is going to be the Microsoft account. Now this was actually introduced back with Windows 8 and it's the primary account that a consumer is going to be prompted to actually create and use during installation and setup. And there are a lot of benefits to using the Microsoft account.
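As an added example (not the course's own demo), here are the two command-line methods just mentioned, `net user` and PowerShell, creating a local standard user, followed by a check that the account ended up enabled and outside the Administrators group. The account names `labuser` and `labuser2` are assumptions; run this from an elevated prompt on Windows 10.

```powershell
# Added example (not from the course): create a local standard user two ways and
# verify the result. Account names are placeholders; requires an elevated prompt.

# 1. Classic command line. The '*' makes net user prompt for the password instead
#    of leaving it in the command history.
net user labuser * /add /fullname:"Lab User" /comment:"Local standard user"

# 2. PowerShell LocalAccounts module (Windows 10 1607 and later / PowerShell 5.1).
$password = Read-Host -AsSecureString -Prompt 'Password for labuser2'
New-LocalUser -Name 'labuser2' -Password $password -FullName 'Lab User 2' `
    -Description 'Local standard user'
Add-LocalGroupMember -Group 'Users' -Member 'labuser2'

# 3. Verify: account exists, is enabled, and is NOT a member of Administrators.
function Test-StandardUser {
    param([string]$Name)
    $user   = Get-LocalUser -Name $Name -ErrorAction Stop
    $admins = Get-LocalGroupMember -Group 'Administrators' |
              Where-Object { $_.Name -like "*\$Name" }
    [pscustomobject]@{
        Name    = $user.Name
        Enabled = $user.Enabled
        IsAdmin = [bool]$admins      # should be $false for a standard user
    }
}

Test-StandardUser -Name 'labuser'
Test-StandardUser -Name 'labuser2'
```

Both methods create the same kind of account the Control Panel or Computer Management would; the verification step is the part worth keeping, since a new local account that silently lands in Administrators is the common mistake here.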
So what exactly is the Microsoft account? Well, it's kind of Microsoft's first cloud account. And it was introduced back with Windows 8. And one of the benefits to using the Microsoft account is the whole fact that it does the synchronization. So these accounts are essentially Live accounts, or you might call them outlook.com accounts. Sometimes they'll have a suffix like hotmail.com as well. And they have the ability to give you that "wow" effect – you know, the effect that with Windows 10, you can synchronize your settings. I mean, Windows 10 still surprises me and the Microsoft account effect still surprises me in that I'll change my wallpaper on one device and I am often using more than one device. And at the same time...so I've got my tablet there, my Yoga there and maybe I'll even be at my desktop there and I'll have multiple devices and then I might change my background on one of them. And then, a few seconds later, my background changes on the other device. And it's like, "Wow, how did that happen?" And then I remember, "Oh, it's because I'm using a Microsoft account."
So the effect of those settings synchronizing is fantastic. Now the Microsoft account is actually integrated with the local account. So it really is meant to kind of simplify the way that authentication works. So users aren't going in and having to actually create a local account in Computer Management. Instead, they have kind of a basic provisioning step and they manage it all through that Settings tool. And so they just go into that new Settings application, which is kind of replacing the Control Panel. And the other great thing about it is you can actually tie it to other types of accounts. So you could potentially log in to your domain using a Microsoft account. And so you're kind of like in both worlds at the same time being able to kind of synchronize your settings, but also accessing domain-based resources. Now some organizations may not like that. There are policy ways of kind of controlling that and preventing that if, you know, domain administrators don't want that, but I really have come to be fond of the way that the Microsoft account works. It really is kind of the preferred approach to use Windows 10, especially for the consumer and small business user and students.
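The "policy ways" of preventing Microsoft accounts on managed machines come down to one security policy, "Accounts: Block Microsoft accounts". As an added example (not from the course), the functions below read and set the registry value that policy writes; in a domain you would normally deliver it through Group Policy rather than write the value directly, and changing it requires an elevated prompt. The function names are assumptions made for this example.

```powershell
# Added example (not from the course): read or set the "Accounts: Block Microsoft
# accounts" security policy. Value meanings: 1 = users cannot add Microsoft
# accounts; 3 = users cannot add or log on with Microsoft accounts.
$policyKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$policyName = 'NoConnectedUser'

function Get-MicrosoftAccountPolicy {
    $item  = Get-ItemProperty -Path $policyKey -Name $policyName -ErrorAction SilentlyContinue
    $value = if ($item) { $item.$policyName } else { $null }
    if ($null -eq $value -or $value -eq 0) {
        'Not configured: users may add and sign in with Microsoft accounts'
    } elseif ($value -eq 1) {
        'Users cannot add Microsoft accounts'
    } elseif ($value -eq 3) {
        'Users cannot add or log on with Microsoft accounts'
    } else {
        "Unexpected value $value"
    }
}

function Set-MicrosoftAccountPolicy {
    param([Parameter(Mandatory)][ValidateSet(1, 3)][int]$Mode)
    if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
    Set-ItemProperty -Path $policyKey -Name $policyName -Value $Mode -Type DWord
    Get-MicrosoftAccountPolicy
}

# Read the current state; uncomment to enforce on a managed device:
Get-MicrosoftAccountPolicy
# Set-MicrosoftAccountPolicy -Mode 3
```

Mode 1 is the gentler setting for organizations that allow existing Microsoft-account sign-ins but don't want new ones linked; mode 3 is the one to use where the device must only ever carry managed identities.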
Now I want to talk about how to configure a HomeGroup, which is one of the ways in which a device can share resources with another device and do it more securely than your conventional Workgroup configuration. Now let's be sure we understand what a HomeGroup is. You might already be familiar with this. I know I've talked about this in other places. HomeGroup is essentially a simplified, yet more secure type of Workgroup. See, back in the olden days – XP and prior – actually getting files to be shared among devices that are owned by family members was really a challenge. So Microsoft had several efforts to simplify sharing. In fact, in XP, they called it simple file sharing or something like that. Nevertheless, it still – you know – had its challenges. And it was not as secure as they needed it to be. So moving forward, we wanted to...you know, Microsoft wanted to introduce HomeGroups as a way of simplifying the sharing experience for, you know, home users as well as increasing security.
So by default, the conventional Windows system can be configured in a Workgroup setting. But you can, instead, set up a HomeGroup. And that's password based. Basically you say, "I'm going to set up a HomeGroup," using the Settings app if you want to. And there is also a Control Panel tool specifically designed for HomeGroup. That's the primary place you go. And then you give it a name and then you give it a password. And then anybody else who wants to participate with that simply needs to, you know, provide that same password. And then, when that happens, these machines can actually communicate with each other and easily share resources using the library feature. So, if you're familiar with Windows 7, you've seen libraries. Libraries are also part of Windows 10, but they're hidden by default. So you just turn those on. It's easy enough. And then what you do is...anything you put into those libraries, well, they're accessible for your neighbors. This is great for people who need to quickly and easily share files and folders at home, share – you know – music, share movies, that kind of thing. And what is great is HomeGroup is more secure than the traditional Workgroup because the data is encrypted and it actually uses IP version 6 technology. Now we're also not going through a lot of effort either. You know, we're not joining the cloud. We're not having to authenticate or join a domain. There's no server-based directory for HomeGroups. It really is kind of a peer-to-peer type of networking configuration – no organizational management involved. It's just as I described it. It's meant to be a simple way for home users to share files.
Now how many of you have Active Directory in your organization? No doubt, many of you are raising your hands right now. Some of you are raising both hands. Active Directory is probably the most popular on-premise directory service in the world. And many of us, especially those of us interested in Windows, use domains as a way to provide secure, authenticated, and managed access to resources for our businesses, for our schools, for our organizations, and some of us for home too. Anyway, so what I want to do is talk about configuring a domain account as it relates to Windows 10. And the primary point of this has to do with the device. How do we configure a Windows 10 device to participate in the domain? Now I want you to recall when you're looking at this that a Windows 10 device can participate in the domain like any other device. And I also want to remind you that it's one of many ways in which we can configure our device to participate and to align to different identity services and different management and authentication services – might be another way of putting that. So, of course our domain account – these are our domain-joined machines. And so that's the primary thing I want to focus on because – well – domain user accounts, those are created and issued through Active Directory, usually via some sort of process, right. So maybe someone gets hired and the HR people fill out a form and they submit a request and then somebody creates an account, or maybe it's automated and that creates the user account. But then that leaves the device itself that the user is going to be issued. And that device – that Windows 10 machine – needs to actually join the domain. Now, once the machine is joined to the domain, then the user can authenticate on that machine and have access to all those luscious domain resources.
Not only can they access those resources, but they'll also be subject to those domain policies and that will be a managed system from user to keyboard. Now the domain membership allows the PC to be managed in Active Directory. When a Windows PC joins a domain, a computer account is created in Active Directory. Technically, what that does is it creates a secure relationship, what they call a mini trust. Some of you may have seen this error message before when that mini trust breaks, which means the password is not synchronized between the two, and it will give you a message saying that the trust no longer exists. That's why they use the word trust. It's because that's what they technically refer to it as. So you can re-establish the trust by going through the traditional process of rejoining that machine to the domain. I'm sure many of you have done that, maybe you do it on a regular basis. And that's joining your devices to the domain. And when you do, a machine password is created and assigned and maintained and, as long as the two sides agree on that shared secret, we've got a trust between them. Now there are a couple of ways in which you can join your PC to the domain. One way is kind of a staged approach where the computer account is created first in Active Directory and then somebody with the appropriate permissions can attach to it by going through the join process. Even the user can actually do this, a standard user – doesn't have to be help desk or an administrator.
[Heading: Domain Membership. There are two ways a Windows PC is joined to a domain, manually and automatically.]
Another way that this can be done is all from the actual Windows 10 device. So the computer account and the actual join can be created at the same time. That's pretty common – also done through the same interface on Windows 10. And then there's another method to do this and that's called an offline domain join. Now an offline domain join is where the device cannot actually see the domain controller. So, in some cases, you might have some machines in a remote location, very remote, right. So they can't even find the domain controller. And so what you want them to do is connect to the domain or join the domain. So, on the DC over here, somebody runs the djoin.exe command. Djoin.exe then creates a kind of a provisioning package or blob. Then, over here, they actually finish the process. So we have to, you know, send the blob to them, mail it to them, or whatever. And so then they over here run djoin.exe again. This machine then becomes a member of the domain. So it's a two-step process. There's an administrative step over here, and then there is the finishing step over here – both using the command called djoin.exe. Now one of the things I want to point out to you is that when you do djoin.exe, what is kind of neat is you can include policies with that that might set up DirectAccess. So then it will connect using DirectAccess, or you might also include other, you know, ways for them to connect – VPN, whatever your organization uses. But needless to say, there is a way to do an offline domain join. So there are a few ways you can join the domain – you could do it manually; you can do it in kind of a staged process; potentially you could even do this from the command line as well.
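The join paths described above, plus the "trust relationship" repair that avoids a full unjoin and rejoin, as an added example (not the course's own demo). The domain name `corp.example.com`, the computer name `REMOTE-PC01` and the file paths are placeholders; `Repair-DomainTrust` is a helper written for this example. Everything here requires an elevated prompt, and the join steps restart the machine.

```powershell
# Added example (not from the course): online join, secure-channel repair, and
# the two-step offline domain join with djoin.exe. Names and paths are placeholders.

# 1. Online join from the Windows 10 device: creates the computer account and
#    establishes the machine password (the "mini trust") in one step.
$joinCred = Get-Credential -Message 'Account permitted to join computers to the domain'
Add-Computer -DomainName 'corp.example.com' -Credential $joinCred -Restart

# 2. When the "trust relationship ... failed" message appears, test the secure
#    channel and reset the machine password in place instead of rejoining.
function Repair-DomainTrust {
    param([Parameter(Mandatory)][pscredential]$Credential)
    if (Test-ComputerSecureChannel) {
        'Secure channel to the domain is healthy'
    } else {
        # -Repair resets the computer account password on both sides
        Test-ComputerSecureChannel -Repair -Credential $Credential
    }
}
# Repair-DomainTrust -Credential $joinCred

# 3. Offline domain join.
#    Step A, run by an administrator on a machine that can reach a DC: provision
#    the computer account and write the blob. Add /policynames "<GPO name>" to
#    bundle DirectAccess client policy so the remote device can connect after it joins.
djoin.exe /provision /domain corp.example.com /machine REMOTE-PC01 /savefile C:\odj\REMOTE-PC01.txt

#    Step B, run on the remote device after the blob arrives out of band:
djoin.exe /requestodj /loadfile C:\odj\REMOTE-PC01.txt /windowspath $env:SystemRoot /localos
Restart-Computer
```

The blob written in step A contains the new machine password, so it should travel over a protected channel and be deleted once step B has completed; the same caution applies to the credential object in step 1, which should not be saved to disk.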
Now I want to talk about cloud accounts, and the focus here isn't on the Microsoft account – it's a kind of cloud account – instead this is something new in Windows 10. All right, so what we are looking at here is the ability to join the cloud using an Azure Active Directory account. Did you catch that? Windows 10 devices can now join the Azure Active Directory cloud. Now it's not quite the same as a domain join. So it's more of kind of an alliance, if you will. Now I know also that the Microsoft account is kind of a cloud account. But the problem with the Microsoft account is it's unmanaged. This, my friends, is for schools and organizations, business. See the Microsoft account is more of a personal cloud account. The Azure Active Directory account, well, that's going to be a managed account. So Windows 10 devices can join Azure Active Directory. What they do is they provide credentials for your work or for your school. And, when they do, then they have access to cloud goodness – so all the cloud services. They could also have access to on-premise resources. And this creates a Single Sign-On situation. Not only that, as I've mentioned before, this is a managed account. So enrolling, or I should say joining, Azure Active Directory could also enroll you into a management service and that makes you subject to MDM policies and maybe conditional access rules.
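Whether a Windows 10 device is domain-joined, Azure AD-joined, both, or neither, and whether the join also enrolled it in MDM, is reported by the built-in `dsregcmd.exe /status` tool. As an added example (not from the course), the function below parses that output into a small object; `Get-DeviceJoinState` and the field selection are assumptions made for this example, and the output keys it reads (`AzureAdJoined`, `DomainJoined`, `TenantName`, `MdmUrl`) are the ones the tool prints.

```powershell
# Added example (not from the course): summarize the device join state from
# dsregcmd.exe /status. Works without elevation; the MDM fields are empty when
# the device is not enrolled.
function Get-DeviceJoinState {
    $state = @{}
    foreach ($line in (dsregcmd.exe /status)) {
        # Lines look like "    AzureAdJoined : YES"; banner lines don't match.
        if ($line -match '^\s*(\S+)\s*:\s*(.*?)\s*$') { $state[$Matches[1]] = $Matches[2] }
    }

    $joinType = switch ("$($state['DomainJoined'])/$($state['AzureAdJoined'])") {
        'YES/YES' { 'Hybrid Azure AD joined (domain join plus Azure AD registration)' }
        'NO/YES'  { 'Azure AD joined' }
        'YES/NO'  { 'Domain joined only' }
        default   { 'Not joined (workgroup, local or Microsoft account only)' }
    }

    [pscustomobject]@{
        JoinType      = $joinType
        AzureAdJoined = $state['AzureAdJoined']
        DomainJoined  = $state['DomainJoined']
        TenantName    = $state['TenantName']
        MdmEnrolled   = [bool]$state['MdmUrl']
        MdmUrl        = $state['MdmUrl']
    }
}

Get-DeviceJoinState | Format-List
```

This is the first check to run when a user reports that conditional access or MDM policy is not applying: a device that shows `AzureAdJoined : NO` has only a Microsoft account or a workplace registration, not the managed join the text describes.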
So that begs a question – why would I want to do Azure AD join? I mean that's interesting, Jason, but why? Well, that's a great question. There are several reasons why we want to consider Azure AD join. And that's because you might be one of those companies or schools or agencies that doesn't have an on-premise Active Directory. Maybe you don't want to have to invest or expand your infrastructure any further than it is. Maybe you have a situation where you have employees or customers who don't even have accounts in Active Directory. Maybe the devices you use are tablets and phones, and those are the primary devices you use, maybe on the factory floor or maybe in the field. And so it doesn't make sense for you to go and set up an on-premise data center with Active Directory domain controllers. Maybe furthermore your applications are all cloud-based applications that use a lot of SaaS – Software-as-a-Service. Maybe this is something where you have cloud-based apps that your users need to have access to.
You see the reason why...the answer to this question – why – is because today is different than yesterday, because Azure Active Directory is an identity service designed to serve all kinds of additional scenarios where people have a variety of different devices and need to access applications. But we might not have the infrastructure in place, or want to implement the infrastructure, to support these kinds of scenarios. We have Bring Your Own Device scenarios, users with their own personal types of devices. We have Office 365 users, people working from home, and other types of environments. But we didn't have those when we were talking in the 90's about Active Directory. So Azure Active Directory gives organizations choices. So let me say this, "This isn't so much a replacement for Active Directory." So one of the first questions that people have is "Does this mean that my Active Directory investment that I already have – that I've been maintaining for 10 years, 15 years, and so forth – does that mean that Active Directory services are out of date, so Microsoft isn't going to invest in it anymore?" Well, that's not true. The answer to that is no. What Azure Active Directory does is it recognizes the need to have an identity service that can be used on the Internet, used in the cloud. The Active Directory implementation and infrastructure that we have in our corporate world, well, that's still ideally suited for managing those domain-joined devices and continuing to support our line-of-business applications where they are. However, Azure Active Directory is yet another choice that organizations have to actually extend identity services beyond the walls of their business buildings and their data center. This is exciting.
So what I want to do now is explore some additional features around what Azure Active Directory is and what it can do for us. Now, to summarize this, remember Azure Active Directory is Microsoft's response to growing changes in the market place and growing changes in technology and growing changes in the way we use technology – mostly the whole mobile device age – and the fact we've got this cloud thing. So we need seamless access to our applications. We need simple management. We need secure access, more security, right. We're also concerned with productivity. So those are some of the guidelines or pillars behind the Azure Active Directory investment. So let's talk a little bit about some of the features that Azure Active Directory provides. So, for one, we've got self-service. So one of the benefits here is the fact that Azure Active Directory does allow users to do some of their own management. You can of course control that. Then we've got Single Sign-On. So this is important. Azure Active Directory can act as kind of a bridge into other cloud services and it can act as a bridge into on-premise – so your already existing line-of-business apps or Active Directory environment. So it can actually bridge between those and create a Single Sign-On experience with that. That's pretty exciting.
Then it also supports multi-factor authentication. So that's the more security piece, the fact that it can support additional factors of authentication. With conditional access that means we can respond to where the user is authenticating from – like for instance, is it a known device, is it a device that's authenticating from a coffee shop, or is it a device that's authenticating from an office site that we own. So we can actually change our authentication practices or requests based on some of these conditions. And that makes for a smarter and even a more convenient experience for the users. That all translates to goodness. And then we've got down here, Software-as-a-Service access. And I've mentioned that already and that's the fact that it can bridge to other cloud services as well as Azure apps, right. Now there is another one that I want to mention and that's the fact that you can connect Azure Active Directory to your on-premise environment. And the way you do that is there is a feature called Azure Active Directory Connect, or it used to be called DirSync for directory synchronization. And there are actually a couple of ways of doing this. One is you can actually synchronize accounts between the two. And, by synchronizing the accounts, the end users can basically have a Single Sign-On experience, and this includes password sync so that you have passwords in both places. And so accessing resources here, they will authenticate with the same credentials as when they're accessing resources up here. Alternatively, you can set up a Federation Service. And so you can have a Federation Service here whose job is to redirect authentication requests down here. And so all authentication actually happens down here. And then there is a...federation creates a trust. So they can still access, you know, their services up here that they want, but using these credentials down here.
And you might consider that if you don't want to do the synchronization with the passwords, right. And so there is a variation of this – kind of a hybrid approach or an exclusive approach. And folks, let me tell you, I actually recently heard of an organization who had on-premise Active Directory. But, to reduce the complexity and the cost, they removed this and they are now exclusively Azure Active Directory. So even though I said earlier, Azure Active Directory is not a replacement for on-premise Active Directory, what it does – for you and me – is it gives us an additional option when it comes to the kind of business or work that we do. So it made sense for them to move to Azure Active Directory because their primary work was through Office 365 and some other cloud-based services. So, if you are one of those types of organizations, realize that you have additional choices available to you and that Windows 10 can actually directly join Azure Active Directory and participate in the Single Sign-On and multi-factor authentication for that simple management and secured access.
So the next question I want to answer that I'm sure is on everybody's mind, how do I get Azure Active Directory? Glad you asked. Azure Active Directory – like other Azure services – is subscription based. If you have Office 365, you already have Azure Active Directory. You may not have activated it yet, but it's still yours. If you don't have Office 365, well, you can subscribe to it, like I said, like any other Azure service. Now one of the things you should know is that there are two levels of Azure Active Directory. There is the basic level and then there is premium, kind of like when you go up to a gas station – regular and premium. Now premium gives you some additional features, some scalability, and things like multi-factor authentication. But both of them are actually quite scalable. Both of them support hundreds of thousands of objects. So Azure Active Directory, you can actually try it out right now if you want to. Set up a free trial and you'll have access to basic and you can start exploring some of these features that we've been talking about.
Now I've talked at length in other videos about the different account types and how the underlying security authority performs authentication. Now, as an extension to that conversation, what I want to do now is kind of double-click into the sign-in options topic and look deeper into how that authentication works in Windows 10. Now there are both new and old features in this topic, all of which are important. So let's have a look. Now do you remember how authentication works? Remember, it's about providing evidence – proof of identity – that Windows can turn around and validate. And so we call this login, we call it sign in. Now there are different types of proof, right. We have passwords, which are probably the most common types of proofs. And then we have picture passwords – which were introduced in Windows 8 – which is the ability to touch a screen on a picture and have that translated into, you know, a unique secure pattern for authentication.
[Heading: Configure Sign-In Options. Windows 10 supports multiple sign-in options, which can be configured in Settings or via policies.]
Then biometrics; and this is a big deal in Windows 10. We have good old smart card authentication, which is basically a certificate on a card. We have the ability to use codes, right – perhaps a phone code for, you know, accessing a network service, or a PIN, which is part of some of the underlying changes with Microsoft Passport that I've talked about before, and then certificates themselves can be used. And, in fact, a lot of these other technologies are bound or combined to create multi-factor authentication and certificates are an important part of that. In fact, if we were to just summarize these again, we do want to remember that when it comes to providing proof, there are three ways in which we can describe the types of proofs. We can describe them as the "what you know" type of proofs, which would be a username and password, right. That's just your basic type of proof. But then we have the "what you have," and so that would be like a smart card. And then there is a "who you are," which would be the biometrics, all right. Now, if you again combine these, we call that two-factor authentication or multi-factor authentication. Now Windows 10 supports, you know, multiple sign-in options. And you can configure these in your Settings app – the new Settings, kind of, Control Panel area – or you can manage them through policies. Let's take a look.
So let's talk about where our credentials are stored. And so this is, you know, like where you're going to put that key. Are you going to stick it under the mat or are you going to tape it to the inside of your door? Where are you going to put that? You know, where are those credentials stored? Well, there are a couple of places where they're stored in Windows. We've got network directories, right. So we have our authenticating database. And that can be on the network in Active Directory or Azure. Or it could be in a local security database, and that would be the local Security Accounts Manager or the SAM database for local accounts. But then, after you authenticate – you provide your credentials – those credentials might be required or be used for additional sign-in activities. So, in order to enable Single Sign-On, the system has to be able to recall those credentials and use those credentials. And there are some secure ways – some places – where those credentials might be stored on the system. So for instance – storing that information, the password hashes, in memory; then we've got Kerberos tickets; and maybe, depending on the application, we might have some reversibly encrypted text that also might be in memory. So we can store credentials in memory and in cache. They could be stored potentially on the hard drive, right. Now, in these particular areas, we want to be sure that we have some good protections in place. We're going to talk about how Windows 10 actually applies additional protections for storing secrets in memory.
Another important part of this is that Microsoft offers what is called Credential Manager. Credential Manager is an alternate location to store credentials for network- and web-based locations. It's not new with Windows 10, but it's still available in Windows 10 as a way of keeping your credentials in a kind of lock box so that, if you visit a web site frequently, you can refer to the credentials stored in Credential Manager and have them recalled from there. It's a matter of convenience; that's what this is about, a secure way to provide convenient access. And that brings us to Credential Guard. Credential Guard is a way to protect some of these memory-based passwords or secrets.
This is also called virtual secure mode. It's referred to as Credential Guard in Group Policy, where you enable it. The main idea is to isolate the sensitive parts of the operating system so that these credentials are safe from certain types of attacks. There is a well-known attack called Pass-the-Hash. To address that type of attack, Credential Guard, a new feature in Windows 10, puts this memory content into a virtual secure environment, which creates a barrier between it and the rest of the operating system. The credentials aren't shared between the two parts; instead, a question can be sent to Credential Guard. And Credential Guard is not going to give up the passwords. It will not say "the password is this." Instead, Credential Guard will answer, "Yes, that is the correct password." So Credential Guard protects those credentials and doesn't share them even with the other parts of the OS, and that is essentially what addresses the Pass-the-Hash attacks. Credential Manager, remember, is a simple but very useful function. What it does for us is store credentials. Let's say there is a mapped drive or a web application that you visit frequently, but it uses alternate credentials. You can go into Control Panel and store those credentials in Credential Manager. It's a way of backing them up, but also of storing them so you can reuse them.
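As an added example (not part of the course material), here is how an administrator can check, from PowerShell, whether Credential Guard is actually running on a Windows 10 machine and what Credential Manager currently holds. It reads the DeviceGuard WMI class and calls the built-in cmdkey tool; nothing in it reveals a stored secret.

```powershell
# Added example, not from the course: report Credential Guard state and list
# what Credential Manager holds for the signed-in user. Run from an elevated
# PowerShell prompt on Windows 10.

function Get-CredentialGuardState {
    # Win32_DeviceGuard reports Credential Guard as security service id 1
    # (id 2 is HVCI). "Configured" reflects policy, "Running" the live state.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName 'Win32_DeviceGuard'
    [pscustomobject]@{
        # 0 = VBS off, 1 = enabled but not running, 2 = running
        VbsStatus                 = $dg.VirtualizationBasedSecurityStatus
        CredentialGuardConfigured = [bool]($dg.SecurityServicesConfigured -contains 1)
        CredentialGuardRunning    = [bool]($dg.SecurityServicesRunning    -contains 1)
    }
}

$state = Get-CredentialGuardState
$state | Format-List

if (-not $state.CredentialGuardRunning) {
    Write-Warning 'Credential Guard is not running: LSA secrets in memory are not isolated by virtual secure mode.'
}

# Credential Manager: cmdkey lists the stored Windows and generic (web/app)
# credentials for the current user. Only target and user names are shown;
# the secrets themselves are never printed.
cmdkey /list

# The same store is reachable through the Control Panel item:
#   control /name Microsoft.CredentialManager
```

Credential Guard is switched on through the "Turn On Virtualization Based Security" policy under Computer Configuration, Administrative Templates, System, Device Guard; the check above tells you whether that policy has taken effect on the machine (the hardware must support virtualization-based security, or the service will show as configured but not running).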
All right, now this is a high-value topic: certificate-based authentication. It's high value because certificates are used everywhere, so I want you to pay careful attention to this next section, and I really want to encourage you to look into it further. The additional study you do around certificates will pay off for you. The more you understand PKI, Public Key Infrastructure, which is what certificates relate to here, the more you understand how they work, the whole certificate life cycle, the different components, and so on, the better you'll understand the many Windows 10 security technologies that rely on certificates. Think about where certificates are used. Certificates are used to make sure an update is secure and comes from microsoft.com, so they are used for proving point of origin and for establishing trust, so we know we're receiving material that hasn't been altered and that comes from who they say they are. We use certificates for encryption, such as the Encrypting File System. We use certificates for driver signing and for signing PowerShell scripts. We use certificates for SSL communications on the Web. We use certificates for Microsoft Passport. So certificates are used in a variety of places, and what I want to do is explore certificate-based authentication. Keep in mind that I'm going to start with the primary concept, what a certificate is, so many of the things we look at here will relate to the other technologies where certificates are used as well.
So let's begin with this first question: what is a digital certificate? What you see here is really a property page of what is inside a certificate. You can see something similar yourself and follow along if you want. If you go to a web site that uses SSL (you can often tell because the address bar shows a little padlock), browsers typically have an option to view the certificate, and there are other ways of viewing it as well. When you look at it, you can explore the different fields inside the certificate. Like many technologies, this is something that has been improving, so there is versioning information and there is usage information, the intended use. There are a couple of key fields, though, so I'm not going to go through all of these here, but I do want to point out a couple of them. I'm going to start with this one right here, the subject, and this goes right to the heart of what a certificate does. The idea behind a certificate is that it takes an identity and binds it to a pair of cryptographic keys.
[Heading: What is a Digital Certificate? A Certificate page includes a Certificate Serial Number, an Issuer Unique Identifier, and a Validity Period.]
Cryptographic keys are just what they sound like. You know what a key does; in digital terms, a key is applied to information to encrypt it, to make it unreadable, and then a key is used to decrypt it, to make it readable again. There are different types of keys. There are symmetric keys, where the encrypting key and the decrypting key are the same key, like a house key: lock up the house, same key to open it. But with certificates we use what are called asymmetric keys. In an asymmetric key arrangement, we have two keys, and the operations of those two keys are related to each other, but you never do both operations with the same key. If you encrypt with one key, you decrypt with the other; and if you switch it around and encrypt with the other key, you decrypt with the first. Whichever key does the encrypting, it's the other key that does the decrypting. You cannot decrypt with the same key, because these are asymmetric keys. I think of the asymmetric keys tied to a certificate as being like a safe deposit box. One of the ways we describe these keys is as private and public keys. I'm sure you've heard of this: the private key and the public key.
The public key is advertised in here; see, it's the Subject Public Key Info field right here. It's typically advertised inside the certificate, and it's available to the public. That's kind of like the bank's master key for a safe deposit box; it's used often. Then we have the private key, and the private key belongs to the safe deposit box owner. No one else has a copy of that key; in many cases, the bank doesn't even have a copy. That private key is securely protected. It's usually stored in the system, or, when we're doing this on servers, it might even be stored on what is called a hardware security module. Now I'm getting a little off track from our main focus on Windows 10, but here is the primary point. Point number one: a certificate takes an identity, like a name, which can be a username, a computer name, or a service name, and binds it to a pair of keys. There are some other important fields in here I want to highlight. We have the validity period. Like other forms of identification in the real world, a passport, a driver's license, those all have expiration dates. We put some sort of interval on it, and that's part of the security: if it's expired, it has to be renewed. Certificates are the same way; we have a time window. And then there is the issuer, which is who created the certificate. That's also important. Think about this in terms of personal identification, like a driver's license.
If you have a driver's license and you go, say, to a liquor store here in the United States, where we have a drinking age, you might be asked to present your driver's license to prove your age, to prove you are who you say you are. When you present it, the driver's license has to follow the rules: the issuer has to appear on it. It might be laminated, it might have other security features, but there is an aspect of the presentation of the license that proves to the person reviewing it that it was issued by the government, by that particular state and that particular government agency. In other words, I can't go home, print out my own driver's license on my printer, present that to someone, and expect them to treat it the same way as one that was issued to me. See whether that makes sense: there is a difference between me presenting something that I made, where nobody really knows who I am and they are not likely to trust what is on my piece of paper, and presenting something from a trusted third party. That's where this key item, the issuer, comes in. So these are some of the key ingredients of a digital certificate. A digital certificate records an identity that's bound to a pair of keys, and those keys are used for cryptographic operations. We also have a validity period and who issued the certificate. These all come into play when we talk about digital certificates and how we use them in authentication and in other security technologies.
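To make the asymmetric-key behaviour described above concrete, here is an added example (not from the course) that generates a throwaway RSA key pair with the .NET classes available in Windows PowerShell, separates out the public half (the part a certificate carries in its Subject Public Key Info field), and shows which key can do which operation. No real certificate or stored key is touched.

```powershell
# Added example, not from the course: asymmetric keys in practice.
# The key pair is generated fresh and discarded; nothing here is a real identity.

$hash   = [System.Security.Cryptography.HashAlgorithmName]::SHA256
$sigPad = [System.Security.Cryptography.RSASignaturePadding]::Pkcs1
$encPad = [System.Security.Cryptography.RSAEncryptionPadding]::OaepSHA1   # supported by the CSP provider on Windows 10

# 1. Generate a key pair. This object holds BOTH halves, so it is the "private key".
$owner = New-Object System.Security.Cryptography.RSACryptoServiceProvider(2048)

# 2. Extract just the public half. This is what a certificate publishes and
#    what Windows keeps for each trusted Certificate Authority.
$public = New-Object System.Security.Cryptography.RSACryptoServiceProvider
$public.ImportParameters($owner.ExportParameters($false))   # $false = export public parameters only
"Public-only copy? $($public.PublicOnly)"                    # True

$message = [Text.Encoding]::UTF8.GetBytes('hello from the key owner')

# 3. Signing: only the private key can produce the signature; anyone holding the
#    public key can check it. This is how a CA signs the certificates it issues.
$signature = $owner.SignData($message, $hash, $sigPad)
"Signature verifies with the public key: $($public.VerifyData($message, $signature, $hash, $sigPad))"   # True

$tampered = [Text.Encoding]::UTF8.GetBytes('hello from the key owner!')
"Tampered message verifies:              $($public.VerifyData($tampered, $signature, $hash, $sigPad))"  # False

# 4. Confidentiality runs the other way: encrypt with the PUBLIC key, and only
#    the private key can decrypt. The public-only copy cannot decrypt at all.
$cipher = $public.Encrypt($message, $encPad)
$plain  = [Text.Encoding]::UTF8.GetString($owner.Decrypt($cipher, $encPad))
"Decrypted with the private key: $plain"

try   { $public.Decrypt($cipher, $encPad) | Out-Null; 'Decrypted with the public key (should not happen)' }
catch { 'Decrypting with the public key failed, as expected (no private key present)' }

try   { $public.SignData($message, $hash, $sigPad) | Out-Null; 'Signed with the public key (should not happen)' }
catch { 'Signing with the public key failed, as expected (no private key present)' }

$owner.Dispose(); $public.Dispose()
```

The two failing calls at the end are the whole point of the safe deposit box analogy: handing out the public key costs you nothing, because it can verify and encrypt but can never sign or decrypt on its own.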
Now I touched on this a little bit, and that is the issuer of a certificate. The question is, where do certificates come from? The first time my son asked me that question I was delighted. It's different from "where do babies come from," because that question always makes me anxious and nervous, but "where do certificates come from" is no problem. Certificates come from Certificate Authorities. What is a Certificate Authority? A Certificate Authority is anyone who issues certificates. And we should preface that by adding another word: Trusted Certificate Authority. The key idea is that Certificate Authorities issue these certificates, but what makes this work is that we trust them. You see, a Certificate Authority has a certificate of its own. A Certificate Authority is a server, a service, and when it's first installed, it generates a certificate. That's the point of origin for all the other certificates. So there is a pair of keys that belongs to that Certificate Authority, bound to that CA, and that pair of keys is then used to generate other certificates for requestors.
Typically, there are two types of CAs: internal and external. Externally, we call these Public Certificate Authorities. These are well-known Certificate Authorities that Windows 10 already trusts, organizations like VeriSign and Thawte, government agencies, and others. The idea is that these are well-known Certificate Authorities. If you wanted a certificate that you could use for e-commerce, you could go to one of these vendors and purchase a certificate from them. You might go to DigiCert, for example, and say, "Hey, I need a certificate for my web site, and I want to use it for SSL communications." They'll issue you a certificate, and it will be digitally signed by their Certificate Authority. Then, when you present it to a customer accessing your web site, they will validate the certificate you present, and they will trust it because they recognize the issuer. It's just like when you present a driver's license: the person checking it recognizes that it comes from a state agency, a government agency, and they trust the process that agency uses to generate and issue those documents.
The same holds for how a CA verifies a requestor. When you request a certificate, depending on the type, you might have to fill out a form. It might be a staged procedure where they don't generate and issue it to you right away until they first verify that you're the owner of that particular identity, so they'll check DNS records and name registration. And if it's a sensitive certificate, for secure banking or something similar, there might be additional validations that they do. Ultimately, what we're talking about is that certificates come from Certificate Authorities, and the certificate they issue is bound to the CA that issues it. So, if you trust the CA that issued a certificate, then you're going to trust the certificate itself, provided that it has not expired and provided it has not been revoked. And that brings up another point, right here: publishing revocation lists. Another function of a Certificate Authority is that if a certificate it issued goes bad, it publishes it in a revocation list. This is another part of its job. A CA's job is to issue certificates but also to maintain their life cycles: when they're no longer needed or no longer used, when maybe they've been abused, misused, or superseded. Then the CA says, "Well, I need to let everybody know that we can't use that anymore, so we're going to put it on a revocation list." That's important because, when the certificate is presented, the entity receiving it can, as part of its validation, check to see whether it has been revoked or not. So that's also something important.
One more, final thought regarding Certificate Authorities: the examples I mostly gave here relate to an external CA, a CA like VeriSign or DigiCert. You can also have Certificate Authorities internally, which means you can have your own CA. Your organization might opt to do that, and the reason it might is that you're issuing a lot of certificates. These cost money. Depending on what you're doing, they're not that expensive, but they can add up. So, if you're issuing lots of certificates for the purpose of authentication, you might start thinking about deploying your own Public Key Infrastructure, your own Certificate Authorities, because you have your own machines, your own employees' machines, and they can trust your internal Certificate Authority. You see, you don't care whether the public trusts your certificate or not. If it's a matter of the public, you really should consider an external certificate. But, if it's a matter of your users and their devices using certificate-based authentication, then all we need them to do is trust the corporation's Certificate Authority, and we can do that; we can get them to trust that certificate. So therefore we can issue certificates from our own internal CA. That's a look at the way Certificate Authorities function and some of their key contributions to Public Key Infrastructure and this whole certificate thing.
Okay, let's pull this together and look at it from the perspective of four basic questions. Think of a situation where a certificate is presented. You're going online, you're shopping, you go to Amazon.com or wherever, and they present a certificate to you so they can set up an encrypted tunnel between you and them. So, when you give them credit card information, it's protected. That's a really common example. In that situation, a certificate is presented to you and you ask these four questions; well, not you per se, but your system asks them. These four questions are very important, and you want positive answers on all of them. Otherwise, an error message will be thrown or the application just won't work. So, when we talk about certificate-based services, these four questions have to be validated in order for authentication to succeed. It starts with question number one: "Is the certificate trusted?" A certificate is trusted if the issuer is trusted. This goes back to what we were talking about earlier regarding who issues the certificate, the Certificate Authority. Inside Windows 10 are a couple of lists: trusted Certificate Authorities and trusted certificate publishers. These are entities Windows 10 already knows about. In fact, Windows 10 has their public keys; it has a copy of each Certificate Authority's certificate. That is then used to mathematically answer the question "is the certificate trusted?" When I say mathematically answer the question, here's what happens. Every certificate gets a digital signature. It's a mathematical operation, and the certificate is digitally signed by the issuer's private key. So the only entity that could actually sign it is the possessor of that private key.
So, when a certificate is presented that has been digitally signed with the private key, it can be validated with the public key. And, by the nature of the name, the public key is available to anybody. In effect your system asks the Certificate Authority, "Hey CA, I've got a certificate that you supposedly issued, and I want to validate it. Can you give me your public key so I can validate it?" That's essentially what happens. Windows 10 has a set of these Certificate Authority public keys, and you can add to this list. If you have your own internal Certificate Authority issuing certificates, you want it to give a correct answer to this question. So, if a client machine, a Windows 10 machine, presents a certificate to an authenticating service, it says, "This certificate is for the user account," and we want to authenticate the user; this might be tied to a smart card. At that point the authenticating server wants to make sure: is this certificate trusted, is this a trustworthy certificate, who issued it, and are they trusted? The digital signature plays a role in that. That brings us to the next question: if the certificate was issued by a trusted issuer, a trusted Certificate Authority, we also check the validity period, whether it has expired or not. Remember, that's an important security feature. And it's interesting: you can actually experiment with this. Change the time on your system clock and then visit a secure site that uses certificates. You'll get error messages, because the certificate's time window is current but your system time is off. If there is a mismatch and the system time falls outside the certificate's window, the system thinks, "Uh oh, the certificate has expired."
Something fun to explore when you're studying this and learning how it works. The third question is "Has the certificate been revoked?" We mentioned the revocation list. There are a couple of ways in which your system can check this. One is to use what is called the CRL, the certificate revocation list. There is also OCSP, the Online Certificate Status Protocol. The idea with OCSP is that it's an established protocol where your machine can send a query to an online certificate status server, which responds using the same protocol and says, "Yes, that certificate is good and has not been revoked." So you can have an online service validate the certificate for you, or the system might download a published certificate revocation list. The last question is "Has the client provided proof of possession?" This has to do with whether the client even has the certificate in the first place and can present proof of possession, meaning it's installed and valid and meets all four of these questions. These four essential questions are part of the examination whenever a certificate is presented, and all of them have to be validated. It has to be trusted. It has to be within its validity period. It can't be revoked. It must be in the device's possession. Otherwise, authentication will fail.
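As an added example (not from the course), here the four questions are run against a real certificate from PowerShell using the .NET X509Chain class, which drives the same Windows chain engine the system uses. It also lists the trusted root store discussed in the Certificate Authorities section and prints the certificate's CRL distribution points, which is where the revocation check goes looking. By default it picks the first certificate in the current user's Personal store; the file path in the comment is a placeholder for a certificate you were handed.

```powershell
# Added example, not from the course: the four validation questions, answered
# with System.Security.Cryptography.X509Certificates.X509Chain.

function Test-CertificateFourQuestions {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Ask the issuer's CRL/OCSP endpoints for every certificate in the chain.
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $chain.ChainPolicy.VerificationTime = Get-Date   # validity is judged against the system clock, as in the text

    $built  = $chain.Build($Certificate)
    $status = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })   # X509ChainStatusFlags names
    $now    = Get-Date

    [pscustomobject]@{
        Subject           = $Certificate.Subject
        Issuer            = $Certificate.Issuer
        NotBefore         = $Certificate.NotBefore
        NotAfter          = $Certificate.NotAfter
        # Q1: is the issuer, and every CA above it up to the root, trusted and is the signature valid?
        Trusted           = -not ($status -contains 'UntrustedRoot' -or $status -contains 'PartialChain' -or $status -contains 'NotSignatureValid')
        # Q2: does the system clock fall inside the validity window?
        InValidityWindow  = ($now -ge $Certificate.NotBefore) -and ($now -le $Certificate.NotAfter)
        # Q3: has it (or any CA above it) been revoked, and could that even be checked?
        NotRevoked        = -not ($status -contains 'Revoked')
        RevocationChecked = -not ($status -contains 'RevocationStatusUnknown' -or $status -contains 'OfflineRevocation')
        # Q4: proof of possession: does this machine hold the matching private key?
        HasPrivateKey     = $Certificate.HasPrivateKey
        ChainBuilt        = $built
        ChainStatus       = ($status -join ', ')
    }
}

# Option 1: a certificate file you were handed (placeholder path).
#   $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 'C:\temp\example.cer'
# Option 2 (default here): the first certificate in the current user's Personal store.
$cert = Get-ChildItem Cert:\CurrentUser\My | Select-Object -First 1
if ($cert) {
    Test-CertificateFourQuestions -Certificate $cert | Format-List

    # Where the revocation check goes looking: the CRL Distribution Points extension.
    $cert.Extensions |
        Where-Object { $_.Oid.FriendlyName -eq 'CRL Distribution Points' } |
        ForEach-Object { $_.Format($true) }
}

# The issuers Windows already trusts (question 1). An internal CA must appear
# here, on every client, before certificates it issues will validate.
Get-ChildItem Cert:\LocalMachine\Root | Select-Object Subject, NotAfter, Thumbprint
```

Note that ChainBuilt can be false even when the issuer is trusted and the certificate is in date, for example when the CRL endpoint is unreachable; that is why RevocationChecked is reported separately, so an "unknown" is never mistaken for a "not revoked".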
Hello, hola, ciao, bonjour, ni hao; however you like to say it, Windows Hello is an exciting new security feature in Windows 10. It's more personal than a password, and it's more secure than a password. So join me as I show you how to set it up and how it works. As a side note, if you ever want to say "hello" in Klingon, you would say "nuqneH." I'm glad it's not called Windows nuqneH, because I would lose my voice. Microsoft wants to bring an end to passwords, and that's because passwords have a reputation. There are obviously too many of them, they are too easy to forget, and if the one password we use everywhere is stolen, it's disastrous. In fact, one of the known attacks today is that a malicious user goes after small businesses that don't have the budget for a lot of high-end multi-factor security and that built their web site several years ago on a template. They attack that site and harvest passwords from it. And it just so happens, as with so many other people, that my password for that site is the same password I use for the bank. Well, now my bank account is compromised. Stealing one password from this low-level tier gives them access to attack higher-level services with more sensitive information. So it can be disastrous.
Microsoft wants to bring an end to passwords. Why? Because they're easily mishandled, they're easily lost, they're overly complex, and there are too many of them. In many cases, because they're overly complex, we try to reuse them. And they're immensely vulnerable to things like social engineering and phishing attacks. Passwords are not the ideal security option. So what we want to consider is something that goes beyond passwords, something more secure than passwords. Yet one of the things we like about passwords is that they're convenient. Another important security principle is that if it's not convenient, people will not use it. That's why we use the same password over and over again, and that's why people write passwords down: they need that convenience. So we want a security system that is both secure and convenient. That is truly the ideal. Passwords, well, they leave us at risk.
That brings us to why we have Windows Hello. Windows Hello is a biometric technology that's intended to make it easy for you and me to access Windows. This character here is called Winky. We've slowed Winky down a little bit for you, and it's Winky's job to look for you and help log you in, without passwords. The fact of the matter is that a baby can identify its mother within weeks of being born, but our computer systems can't do it at all; they have limited sensory capabilities. That's changing with a lot of new innovations in technology, and Windows Hello is an example. Windows Hello can use sight, and it can use touch, as an authentication scheme. Here are some additional details behind Windows Hello. As already stated, it's biometric technology, so this is "who you are" authentication: face, iris, fingerprint, things that are unique to you. One of the other key aspects is that this is convenient, because now I'm just looking at a camera and it's authenticating me, or I'm holding my finger over a fingerprint scanner for a brief moment. And because it's so convenient, people will actually use it, which is what makes it far more secure in practice.
[Heading: What is Windows Hello? In Windows Hello, use your face to unlock your device.]
Another key factor is support for enterprise-level security. This can be used to secure systems and protect even high business impact data. One reason that's true is that it relies on Microsoft Passport, an important certificate-based authentication component that supports multi-factor authentication. So, combined with Windows Hello, what you have is the user being recognized and the user's device, both paired together for multi-factor authentication, supported by Microsoft Passport. Really cool. Enrollment is consistent across all your Windows devices, and the UI is simple and easy to configure. It also has liveness detection and anti-spoofing. What does that mean? It means I can't take a picture of myself and hold it in front of the camera; nobody can pick up a picture of you, put it in front of the camera, and fool Windows Hello. Windows Hello doesn't store a photo of you; that's not how this works. It relies on a special camera, and that camera technology has liveness measures. In fact, Windows Hello has been tested against identical twins; some folks have tried to break it with identical twins, and Windows 10 with Hello can tell identical twins apart. A good friend of mine has twins, and we babysit them. When they come over to our house, mom and dad put bracelets on their wrists so that I can tell them apart and don't call one by the wrong name. Windows Hello, on the other hand, wouldn't need those name bracelets, because it could tell them apart. The final thing I want to mention here is that Windows Hello isn't just face recognition; it also supports iris scanners and fingerprint readers.
Here is a look at the Windows Biometric Framework. Biometrics actually aren't new to Windows 10, but they have been improved in Windows 10 with additional enhancements to the framework. This is one of those boring block diagrams, but I included it because it demonstrates the extensive support Windows 10 has for third-party devices, drivers, and sensors, and the fact that it can also be used to authenticate me to applications. For example, authenticating the user when you want to purchase an application, or when you're accessing a web site. So biometric technology is not just about unlocking a device; it can also be used for application access, and it supports a wide variety of devices.
[Heading: Windows Biometric Framework. The OS components are Enrollment and Biometric Credential Provider. The third-party applications include Win32 Apps, UAP Apps, and Windows Runtime. The third-party driver and companion components are Engine Adapter, Windows Biometric Device Interface Driver, and Sensor.]
All right, let's look now at configuring Windows Hello. There are three stages: enrollment, usage, and recovery. First things first, enrollment: this is where users introduce themselves to the device. It requires some sort of biometric hardware, and that hardware creates a vector-based map of the face, the finger, or the iris. It does not take a picture and store it, so the stuff from the movies, where they're cutting off body parts or taking pictures, isn't going to fool Windows Hello. In fact, Windows Hello supports some of the latest biometric technology, and it's extensible, so there is new stuff coming. For instance, some fingerprint scanners being built can detect a heartbeat and heat, body temperature, so thermal-mapping detection, or even ultrasound scanners for a deep-tissue kind of detection; Windows Hello would work with those. And again this is based on vector generation: it creates a pattern that can be reproduced regardless of whether I have a beard or not, or whether I'm wearing glasses or not. So it can tell I'm the same person whether I have glasses on or I shave my beard, which is pretty cool.
Here is the usage stage. This is the process that occurs when you walk up to your device and you scan your finger or the camera just sees you. It happens really quickly, especially with facial recognition. Here's the person looking at the camera, and what happens is the camera builds a vector representation of the face and then compares that representation with what it created during the enrollment phase. If the two match, if the landmarks on the person's face match what was stored, then it comes up with the same representation, that matches, and that unlocks the necessary keys stored here in Microsoft Passport. So what we're really doing is similar to entering a PIN. This is replacing the PIN entry: we're using facial recognition instead to unlock the necessary certificate information in Microsoft Passport for secure authentication of the user.
Last but not least, the recovery stage, and what this really refers to is removing credentials. The point is that the user can go in and unenroll, delete the enrollment, if they want to. Common questions for Windows Hello: does it support makeup, facial hair, and eyewear? The answer, of course, is yes; I mentioned that earlier. It also supports diverse lighting conditions, and the reason for that has to do with the next question: does it require additional hardware? That's implied, right? We've been talking about how you might need a fingerprint scanner if that's what you want to do. For the facial part, you need a special IR camera. Intel has a special camera called the RealSense camera, and, in theory, the Kinect for Xbox also has support for this kind of technology. Currently it's not supported, but it is anticipated that Kinect will eventually be supported. So check this out; this is a scenario Microsoft paints. In theory, your friend could come over to play Xbox with you, and Kinect would see their face and authenticate them without them having to store credentials on the local machine. They would have their account with Windows Hello enabled, and the Xbox would authenticate them as soon as it recognized them. The authentication part on my Xbox today is a tedious, slow process. Having facial recognition with Windows Hello built into the Xbox would be kind of cool too.
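Before walking users through the enrollment stage, an administrator usually wants to know whether a machine can actually do Windows Hello. Here is an added example (not from the course) that checks the prerequisites the three stages depend on: the Windows Biometric Service, a working biometric sensor, and the two policy values that can switch biometrics or Microsoft Passport off. The registry paths are the ones behind the "Allow the use of biometrics" and "Use Microsoft Passport for Work" Group Policy settings; the function name is my own.

```powershell
# Added example, not from the course: Windows Hello readiness check.
# Run as an administrator so the policy keys and device list are readable.

function Get-WindowsHelloReadiness {
    # WbioSrvc is the Windows Biometric Service; Hello cannot enroll without it.
    $svc = Get-Service -Name WbioSrvc -ErrorAction SilentlyContinue

    # Fingerprint, face and iris sensors enumerate under the "Biometric" setup class.
    $sensors = Get-PnpDevice -Class Biometric -ErrorAction SilentlyContinue |
               Where-Object { $_.Status -eq 'OK' }

    # Policy "Allow the use of biometrics": Enabled = 0 blocks biometrics machine-wide.
    # Absent means "not configured", which allows them.
    $bioPolicy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Biometrics' `
                                  -Name Enabled -ErrorAction SilentlyContinue
    # Policy "Use Microsoft Passport for Work": the key-based credential Hello unlocks.
    $passportPolicy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork' `
                                       -Name Enabled -ErrorAction SilentlyContinue

    [pscustomobject]@{
        BiometricServiceStatus = $(if ($svc) { $svc.Status } else { 'not installed' })
        WorkingSensors         = $(if ($sensors) { ($sensors | ForEach-Object { $_.FriendlyName }) -join '; ' } else { 'none' })
        BiometricsPolicy       = $(if ($bioPolicy) { $bioPolicy.Enabled } else { 'not configured' })
        PassportForWorkPolicy  = $(if ($passportPolicy) { $passportPolicy.Enabled } else { 'not configured' })
    }
}

$ready = Get-WindowsHelloReadiness
$ready | Format-List

if ($ready.WorkingSensors -eq 'none') {
    Write-Warning 'No working biometric sensor: Windows Hello face/fingerprint/iris enrollment will not be offered.'
}
if ($ready.BiometricsPolicy -eq 0) {
    Write-Warning 'Biometrics are disabled by policy on this machine.'
}

# Enrollment and un-enrollment (the recovery stage) both live on the same page:
#   Start-Process 'ms-settings:signinoptions'
```

If the service is running, a sensor reports OK, and neither policy is set to 0, the user will see the Windows Hello options on the sign-in settings page; the same page is where the recovery stage, removing the enrollment, is done.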
Let's configure virtual smart cards. What are virtual smart cards? Let's start by describing physical smart cards. With a physical smart card, a user has a physical card with a chip on it that stores credential information, certificates. The user presents that certificate to the system by inserting the card into a smart card reader, usually attached to a keyboard, and supplies a PIN in addition to the card. That's how they authenticate, and it's two-factor authentication: what you have, the smart card, and what you know, the PIN. We like two-factor authentication when we want additional security beyond just passwords. So what are virtual smart cards? Virtual smart cards take the same concept, or scheme, as a physical smart card and virtualize it by storing the information, the cryptographic protections, in a TPM chip. So, instead of using a chip on a physical card, we're storing them on the device itself. There are several reasons why we like to do this.
First off, it gives us the two-factor authentication. So we have two authenticating schemes. We have the user providing a PIN number, like a physical smart card arrangement. We also have the actual certificate information that's authenticating the user – the device essentially. And this is stored or protected with the TPM chip – the Trusted Platform Module. So, instead of the physical card, we're using a TPM chip. Now the applications...well, they are the same type of applications we have for physical smart cards. So this can be used for authentication or it can also be used for application authentication. It can also be used for encryption like a BitLocker and S/MIME. And it can also be used for data integrity type of scenarios. So we have a variety of different uses where cryptography is needed – additional security is needed – and we can rely on the built-in TPM chip that comes with the system to enhance that security via virtual SmartCards.
[Heading: What are virtual smart cards? "Windows To Go," "S/MIME email encryption," and "BitLocker Data volumes" are some of the virtual smart card uses.]
Now the key points here are these. Virtual SmartCards are in some ways better than physical smart cards because they don't require a smart card reader – that reduces cost – and they don't require the user to keep track of a physical smart card, so that adds additional convenience. The device itself has its TPM chip – that Trusted Platform Module chip – and that's protecting, you know, what would be stored in the smart card. It's the TPM chip that's protecting those credentials. So it's hardware-based security like a smart card. Hardware-based security, which means it prevents certain types of attacks. So, for instance, if the device was stolen and there is some sort of hardware type of attack, well, those are often thwarted because of the way TPM works. Cryptography is also isolated. So one of the benefits of the smart card is that a lot of the cryptographic operations potentially occur at the smart-card level. Well, it's the same with the TPM. Those cryptographic operations are isolated from the rest of the system, and they're performed in the TPM chip. So there is additional protection there. And TPM has an anti-hammering benefit. So, if the user puts in a bad PIN number too many times, right, it's just going to delay them entering additional PIN numbers as a way of kind of locking them out, to protect against people trying to guess what the PIN number is. All of this is built into Windows 10. And these enhancements just improve the authentication scheme when you need to have that two-factor authentication and you want to use virtual SmartCards.
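To make the virtual smart card discussion concrete, here is an added example of checking TPM readiness and creating a TPM-backed virtual smart card from an elevated PowerShell prompt. It is not from the course and not Microsoft's own script; it uses the built-in Get-Tpm and Get-PnpDevice cmdlets and the tpmvscmgr.exe tool. The card name "CorpVSC", the PIN minimum length of 8, and the "*Virtual Smart Card*" device name filter are assumptions chosen for illustration.

```powershell
# Added example (not from the course): prepare and create a TPM-backed
# virtual smart card on Windows 10. Run from an elevated PowerShell prompt.
# "CorpVSC" is an assumed placeholder name.

# 1. Confirm the TPM is present and ready; a virtual smart card needs it,
#    since the TPM is what replaces the chip on the physical card.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw "TPM is not present or not ready; cannot create a virtual smart card."
}

# 2. Create the virtual smart card.
#    /PIN PROMPT      asks the user for the PIN (the "something you know" factor).
#    /AdminKey RANDOM generates an admin key that is not retained; fine for a
#                     standalone test card, but it means the PIN cannot be
#                     unblocked later. A managed deployment keeps the admin key.
#    /pinpolicy       minlen 8 is an assumed policy value for this example.
#    /generate        formats the card's file system so it is usable at once.
& tpmvscmgr.exe create /name "CorpVSC" /AdminKey RANDOM /PIN PROMPT /pinpolicy minlen 8 /generate
if ($LASTEXITCODE -ne 0) {
    throw "tpmvscmgr.exe failed with exit code $LASTEXITCODE"
}

# 3. Verify: the new card shows up as a smart card reader device, even though
#    there is no physical reader attached (the device name filter is assumed).
Get-PnpDevice -Class SmartCardReader -PresentOnly |
    Where-Object { $_.FriendlyName -like "*Virtual Smart Card*" } |
    Select-Object FriendlyName, InstanceId, Status

# 4. Inspect the TPM's anti-hammering (lockout) state described above, so an
#    administrator can see whether repeated bad authorizations have tripped it.
Get-Tpm | Select-Object LockedOut, LockoutCount, LockoutMax, LockoutHealTime
```

After creation, the card's certificate still has to be enrolled onto it from the organization's certificate authority before it can be used for logon; that step is the same as for a physical smart card. A card created this way can be removed again with `tpmvscmgr.exe destroy /instance <instance ID>`, using the InstanceId shown in step 3.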
So let's say you've got a Microsoft account, but you've logged into this Windows 10 machine using a local account. How do I add a Microsoft account after installation? Think about that. What are the steps and procedures to do that? Now feel free to pause the recording and resume it when you're ready.
Okay, so let me show you how to add a Microsoft account after installation. So there are a couple of easy ways to do this; we need to eventually land inside the Settings application. So I'm going to choose the Start menu here and I can choose Settings from here, or I can choose my existing account and select Change account settings. It will take me to the same place, and then Add a Microsoft account. Now I need to actually put in my e-mail address and my password for this account. If I don't have one, I can create one from scratch. I have one, so I'm going to type that in. And let me supply a Password and choose Sign in, and this will just take a moment for that to complete. Now for security, Microsoft wants to do an additional validation, so we can either use A phone number or An alternate email address with the code. I'm going to choose that option and select Next. And then I'm going to get a code in a moment and put that in here. So I got my Code. Choose Next. And we'll wait a moment, and there we go. So that's the procedure to add a Microsoft account after installation. And, if I had other settings associated with that account – with synchronization on – then those settings will find their way to this machine. Pretty cool.
[The presenter opens the Start menu in the Windows 10 environment. The menu includes various options including Settings, File Explorer, and "TechAdmin." "TechAdmin" is the default user. He clicks the Settings option and the Settings window opens. The window is divided into two sections. On the left-hand side, various suboptions including "Your Account," "Sign-in options," and "Work access" are displayed. On the right-hand side, the contents of the selected suboption are displayed. The "Your Account" suboption is chosen by default and on the right-hand side, the contents include a link for "Add a Microsoft account." The presenter clicks this link and a sign-in page opens.]
© 2018 Skillsoft Ireland Limited