[personal profile] scif_yar posting in [community profile] ru_sysadmins
I recently attended a course on Windows Server 2016.

MS now has a poor imitation of something like VMware Hands on Labs:
http://labs.hol.vmware.com
https://labs.vmware.com/


- Windows Server 2016 virtual labs
https://info.microsoft.com/WindowsServer2016VirtualLabs
https://www.microsoft.com/en-us/cloud-platform/virtual-labs

The imitation regularly hangs (the timeout is one hour), complains about insufficient memory, and requires an MS ID, but it works.

It covers the following topics:
- Implementing Breach Resistance Security in Windows Server 2016
- Shielded Virtual Machines
- Building a Storage Infrastructure on Windows Server 2016
- Installing and Managing Nano Server
- Exploring Virtualization on Windows 10 and Windows Server 2016
- Failover Clustering and Rolling Cluster Upgrades
- Implementing a Software Defined Network with Windows Server 2016


Implementing Breach Resistance Security in Windows Server 2016 is an interesting topic:
In this lab, you will get hands-on experience configuring and observing the protection benefits of the following security features in Windows Server 2016:
Credential Guard
Remote Credential Guard
Device Guard
Scenario

Credential Guard helps prevent Pass-the-Hash attacks. Windows systems have long used credential derivatives like NTLM hash or Kerberos tickets so that raw passwords are never sent over the network; however, these credential derivatives are susceptible to credential theft attacks such as Pass-the-Hash or Pass-the-tickets. Credential Guard in Windows Server 2016 and Windows 10 uses virtualization-based security to isolate secrets so that only privileged system software can access them, and prevents these credential theft attacks.

Remote Credential Guard helps you protect credentials when using Remote Desktop Connection by keeping the user credential on the originating device—the RDP client—and redirecting the Kerberos requests back to the device that is requesting the connection. Remote Credential Guard also provides single sign on experiences for Remote Desktop sessions. If the target device—the RDP server—is compromised, your credentials are not exposed because both the credential and credential derivatives are never sent to the target device.

Device Guard is a combination of enterprise-related hardware and software security features that, when configured together, will lock a device so that it can only run trusted applications. One aspect of Device Guard enables you to define a code integrity policy—Whitelisting. If the app is not trusted in the policy, it cannot run. This is referred to as Config CI. Device Guard also enables Hypervisor-enforced Code Integrity (HVCI). Used in conjunction with hardware that meets basic requirements, HVCI provides stronger hypervisor-based protection against malicious executables that attempt to modify the Windows kernel.

On top of that, there is Privileged Access Workstations:
https://technet.microsoft.com/en-us/windows-server-docs/security/securing-privileged-access/privileged-access-workstations

planning a bastion environment:
https://docs.microsoft.com/ru-ru/microsoft-identity-manager/pam/planning-bastion-environment
https://docs.microsoft.com/ru-ru/microsoft-identity-manager/pam/principles-of-operation

and Credential Guard itself:
https://technet.microsoft.com/en-us/itpro/windows/keep-secure/credential-guard
https://technet.microsoft.com/ru-ru/library/mt621547(v=vs.85).aspx
https://technet.microsoft.com/ru-ru/library/mt483740(v=vs.85).aspx
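
A read-only check of whether the three features described in the lab text are actually in effect on a host, added here as an example (it is not part of the original post or of the Microsoft lab). It assumes an elevated PowerShell session on Windows Server 2016 or Windows 10 and relies on the `Win32_DeviceGuard` WMI class and the `Lsa` registry values as documented by Microsoft; the function name `ConvertTo-ServiceNames` is made up for this example.

```powershell
# Added example: reports configured vs. running state; changes nothing on the host.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                      -ClassName 'Win32_DeviceGuard' -ErrorAction Stop

# Value maps for Win32_DeviceGuard properties.
$vbsStatus = @{ 0 = 'not enabled'; 1 = 'enabled, not running'; 2 = 'enabled and running' }
$services  = @{ 1 = 'Credential Guard'; 2 = 'HVCI' }
$ciStatus  = @{ 0 = 'off'; 1 = 'audit'; 2 = 'enforced' }

function ConvertTo-ServiceNames([uint32[]]$Ids) {
    # Hashtable keys above are Int32, so cast before the lookup.
    $names = foreach ($id in $Ids) {
        if ($services.ContainsKey([int]$id)) { $services[[int]$id] }
    }
    if ($names) { $names -join ', ' } else { 'none' }
}

# Credential Guard and Remote Credential Guard settings live under the Lsa key.
# LsaCfgFlags: 0 = disabled, 1 = enabled with UEFI lock, 2 = enabled without lock.
# DisableRestrictedAdmin = 0 on the RDP server lets it accept Remote Credential Guard.
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

$report = [pscustomobject]@{
    VbsStatus               = $vbsStatus[[int]$dg.VirtualizationBasedSecurityStatus]
    ServicesConfigured      = ConvertTo-ServiceNames $dg.SecurityServicesConfigured
    ServicesRunning         = ConvertTo-ServiceNames $dg.SecurityServicesRunning
    CredentialGuardRunning  = $dg.SecurityServicesRunning -contains 1
    HvciRunning             = $dg.SecurityServicesRunning -contains 2
    CodeIntegrityPolicy     = $ciStatus[[int]$dg.CodeIntegrityPolicyEnforcementStatus]
    LsaCfgFlags             = $lsa.LsaCfgFlags
    RemoteCredGuardAccepted = ($lsa.DisableRestrictedAdmin -eq 0)
}
$report | Format-List

# A service that is configured but not running usually means a missing
# prerequisite (Secure Boot, virtualization extensions) or a pending reboot.
foreach ($id in $dg.SecurityServicesConfigured) {
    if ($id -ne 0 -and $dg.SecurityServicesRunning -notcontains $id) {
        Write-Warning "$($services[[int]$id]) is configured but not running."
    }
}
```

The distinction that matters for auditing is `ServicesConfigured` versus `ServicesRunning`: policy alone does not isolate LSA secrets until virtualization-based security has actually started.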

Date: 2017-03-24 05:11 pm (UTC)
From: [personal profile] tranquiler
Missed it... Joined the community...
