Who is restore guard
What do we actually know in scientific terms? How much of these ecosystems remain, and how likely are they to disappear? Adopting a trans-disciplinary approach for social and natural scientists, humanity scholars, managers, decision makers and society at large to learn about systemic change for sustainability. IUCN spurs restoration action and monitoring by launching a typology of restoration interventions for ALL terrestrial ecosystem types including coasts and inland waters.
Commission on Ecosystem Management. How we engage: the Commission on Ecosystem Management (CEM) promotes ecosystem-based approaches for the management of landscapes and seascapes, provides guidance and support for ecosystem-based management, and promotes resilient socio-ecological systems to address global challenges.
When patching your guarded fabric, it is strongly recommended that you first upgrade all Hyper-V hosts before upgrading HGS. This ensures that any changes to the attestation policies on HGS are made after the Hyper-V hosts have been updated to provide the information those policies need.
If an update changes the behavior of policies, the changed policies will not be enabled automatically, to avoid disrupting your fabric. Such updates require that you follow the guidance in the following section to activate the new or changed attestation policies. We encourage you to read the release notes for Windows Server and any cumulative updates you install to check whether policy updates are required.
If an update for HGS introduces or significantly changes the behavior of an attestation policy, an additional step is required to activate the changed policy. Policy changes are only enacted after exporting and importing the HGS state. You should only activate the new or changed policies after you have applied the cumulative update to all hosts and all HGS nodes in your environment. Once every machine has been updated, run the following commands on any HGS node to trigger the upgrade process. If a new policy was introduced, it will be disabled by default.
HGS maintains several attestation policies which define the minimum set of requirements a host must meet in order to be deemed "healthy" and allowed to run shielded VMs. Some of these policies are defined by Microsoft; others are added by you to define the allowable code integrity policies, TPM baselines, and hosts in your environment.
Regular maintenance of these policies is necessary to ensure hosts can continue attesting properly as you update and replace them, and to ensure any untrusted hosts or configurations are blocked from successfully attesting.
For admin-trusted attestation, there is only one policy which determines if a host is healthy: membership in a known, trusted security group. TPM attestation is more complicated, and involves various policies to measure the code and configuration of a system before determining if it is healthy. A single HGS can be configured with both Active Directory and TPM policies at once, but when a host attempts attestation the service only checks the policies for the mode it is currently configured for.
Some of these policies are "locked" -- meaning that they cannot be disabled for security reasons. The table below explains the purpose of each default policy. To authorize a new host to become a guarded host e.
The steps to authorize a new host differ based on the attestation mode for which HGS is currently configured. Windows Server Standard cannot run shielded VMs in a guarded fabric. The host may be installed with the Desktop Experience or Server Core.
To register a new host in HGS when using admin-trusted attestation, you must first add the host to a security group in the domain to which it's joined. Typically, each domain will have one security group for guarded hosts.
If you have already registered that group with HGS, the only action you need to take is to restart the host to refresh its group membership. Instructions on how to set up the trust between the host domain and HGS are available in the deployment guide.
As long as the host is running the same software and has the same code integrity policy applied and TPM baseline as another host in your environment, you will not need to add new CI policies or baselines. Be sure to specify a unique name for the host that will help you look it up on HGS.
You will need this information if you decommission the host or want to prevent it from running shielded VMs in HGS.
Adding a new TPM baseline
If the new host is running a new hardware or firmware configuration for your environment, you may need to take a new TPM baseline. To do this, run the following command on the host. If you receive an error saying your host failed validation and will not successfully attest, do not worry.
This is a prerequisite check to make sure your host can run shielded VMs, and likely means that you have not yet applied a code integrity policy or other required setting. Read the error message, make any changes suggested by it, then try again. Alternatively, you can skip the validation at this time by adding the -SkipValidation flag to the command.
We encourage you to use a naming convention that helps you understand the hardware and firmware configuration of this class of Hyper-V host.
Adding a new code integrity policy
If you have changed the code integrity policy running on your Hyper-V hosts, you will need to register the new policy with HGS before those hosts can successfully attest. On a reference host, which serves as a master image for the trusted Hyper-V machines in your environment, capture a new CI policy using the New-CIPolicy command.
You should first create a CI policy in audit mode to ensure that everything is working as expected. After validating a sample workload on the system, you can enforce the policy and copy the enforced version to HGS. For a complete list of code integrity policy configuration options, consult the Device Guard documentation. Once you have your policy created, tested and enforced, copy the binary file.
Guarded hosts will only pass attestation if they either have memory dumps disabled or are encrypting them with a key known to HGS. By default, no dump encryption keys are configured on HGS. Be sure to add each unique dump encryption key to HGS if you choose to use different keys across your guarded fabric.
Hosts that are encrypting memory dumps with a key not known to HGS will not pass attestation. Consult the Hyper-V documentation for more information about configuring dump encryption on hosts.
After registering the necessary information with HGS, you should check if the host passes attestation. If the resulting status does not indicate "IsHostGuarded : True" you will need to troubleshoot the configuration. On the host that failed attestation, run the following command to get a detailed report about issues that may help you resolve the failed attestation. If you're using Windows Server or Windows 10, version and are using code integrity policies, Get-HgsTrace may return a failure for the Code Integrity Policy Active diagnostic.
You can safely ignore this result when it is the only failing diagnostic. If you find a policy enabled that no longer meets your security requirement e. If you started your guarded fabric using admin-trusted attestation, you will likely want to upgrade to the much-stronger TPM attestation mode as soon as you have enough TPM 2.
To do this, simply follow the instructions in the authorizing a new guarded host section. Once you've added all of your policies to HGS, the next step is to run a synthetic attestation attempt on your hosts to see if they would pass attestation in TPM mode. This does not affect the current operational state of HGS. The commands below must be run on a machine that has access to all of the hosts in the environment and at least one HGS node.
If your firewall or other security policies prevent this, you can skip this step. When possible, we recommend running the synthetic attestation to give you a good indication of whether "flipping" to TPM mode will cause downtime for your VMs. After the diagnostics complete, review the output to determine if any hosts would have failed attestation in TPM mode.
Changing to TPM mode takes just a second to complete. Run the following command on any HGS node to update the attestation mode. Once you have confirmed everything is working as expected, you should remove all trusted Active Directory host groups from HGS and remove the trust between the HGS and fabric domains. If you leave the Active Directory trust in place, you risk someone re-enabling the trust and switching HGS to Active Directory mode, which could allow untrusted code to run unchecked on your guarded hosts.
The Host Guardian Service is configured with at least two certificates (with public and private keys), which are used for signing and encrypting the keys used to start up shielded VMs. Those keys must be carefully managed.
If the private key is acquired by an adversary, they will be able to unshield any VMs running on your fabric or set up an imposter HGS cluster that uses weaker attestation policies to bypass the protections you put in place. Should you lose the private keys during a disaster and not find them in a backup, you will need to set up a new pair of keys and have each VM re-keyed to authorize your new certificates.
This section covers general key management topics to help you configure your keys so they are functional and secure. The two most common reasons why you would add new keys to HGS are:
HSMs ensure use of your keys is tied to physical access to a security-sensitive device in your datacenter. The steps below are intended to provide rough guidance for using HSM-backed certificates. Consult your HSM vendor's documentation for exact steps and capabilities.
Depending on whether you have a network or local HSM device, you may need to configure the HSM to grant your machine access to its key store.
If your HSM uses granular permissions to grant specific applications or users permission to use the private key, you will need to grant your HGS group managed service account access to the certificate. Add the signing and encryption certificates to HGS by replacing the thumbprints in the following commands with those of your certificates:
If you have a software-backed certificate issued by your company's or a public certificate authority that has a non-exportable private key, you will need to add your certificate to HGS using its thumbprint.
Grant the HGS group managed service account read access to the private key of the certificate. Register the certificate with HGS using the following command, substituting in your certificate's thumbprint (change Encryption to Signing for signing certificates):
HGS cannot automatically replicate private keys for any certificate registered by its thumbprint. If you have a software-backed certificate with an exportable private key that can be stored in the PFX file format and secured with a password, HGS can automatically manage your certificates for you.
Identifying and changing the primary certificates
While HGS can support multiple signing and encryption certificates, it uses one pair as its "primary" certificates. These are the certificates that will be used if someone downloads the guardian metadata for that HGS cluster. To check which certificates are currently marked as your primary certificates, run the following command:
To set a new primary encryption or signing certificate, find the thumbprint of the desired certificate and mark it as primary using the following commands:
Index aliases are thus transparent to Search Guard. The same is true for. In practice this means that you do not need to grant permissions on index aliases in addition to granting permission on the concrete index names.
For example, if you have an index alias myalias pointing to an index myindex , you only need to configure permissions for myindex.