
Hyper-V Security Guide

Version 1.0

Published: March 2009

For the latest information, please see microsoft.com/technet/SolutionAccelerators

Copyright 2009 Microsoft Corporation. All rights reserved. Complying with the applicable copyright laws is your responsibility. By using or providing feedback on this documentation, you agree to the license agreement below. If you are using this documentation solely for non-commercial purposes internally within YOUR company or organization, then this documentation is licensed to you under the Creative Commons Attribution-NonCommercial License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc/2.5/ or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA. This documentation is provided to you for informational purposes only, and is provided to you entirely "AS IS". Your use of the documentation cannot be understood as substituting for customized service and information that might be developed by Microsoft Corporation for a particular user based upon that user's particular environment. To the extent permitted by law, MICROSOFT MAKES NO WARRANTY OF ANY KIND, DISCLAIMS ALL EXPRESS, IMPLIED AND STATUTORY WARRANTIES, AND ASSUMES NO LIABILITY TO YOU FOR ANY DAMAGES OF ANY TYPE IN CONNECTION WITH THESE MATERIALS OR ANY INTELLECTUAL PROPERTY IN THEM. Microsoft may have patents, patent applications, trademarks, or other intellectual property rights covering subject matter within this documentation. Except as provided in a separate agreement from Microsoft, your use of this document does not give you any license to these patents, trademarks or other intellectual property. Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, email addresses, logos, people, places and events depicted herein are fictitious.
Microsoft, Active Directory, BitLocker, Hyper-V, Windows, Windows Server, and Windows Vista are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners. You have no obligation to give Microsoft any suggestions, comments or other feedback ("Feedback") relating to the documentation. However, if you do provide any Feedback to Microsoft then you provide to Microsoft, without charge, the right to use, share and commercialize your Feedback in any way and for any purpose. You also give to third parties, without charge, any patent rights needed for their products, technologies and services to use or interface with any specific parts of a Microsoft software or service that includes the Feedback. You will not give Feedback that is subject to a license that requires Microsoft to license its software or documentation to third parties because we include your Feedback in them.

Solution Accelerators

microsoft.com/technet/SolutionAccelerators

Contents
Overview ........ 1
  Who Should Read This Guide ........ 1
  Skills and Readiness ........ 2
  Chapter Summaries ........ 2
  Style Conventions ........ 3
  More Information ........ 3
  Support and Feedback ........ 3
  Acknowledgements ........ 4
Chapter 1: Hardening Hyper-V ........ 7
  Attack Surface ........ 7
  Server Role Security Configuration ........ 8
  Management Operating System Security ........ 10
  Default Installation Recommendations ........ 10
  Host Network Configuration ........ 11
  Securing Dedicated Storage Devices ........ 14
  Security Setting Recommendations ........ 15
  Virtual Machine Security ........ 16
  Virtual Machine Configuration ........ 16
  More Information ........ 18
Chapter 2: Delegating Virtual Machine Management ........ 19
  Using Tools to Delegate Access ........ 19
  Delegating Access with Authorization Manager ........ 20
  System Center Virtual Machine Manager 2008 ........ 24
  Delegated Administrator Role ........ 26
  Self Service Portal ........ 27
  More Information ........ 29
Chapter 3: Protecting Virtual Machines ........ 31
  Methods for Protecting VMs ........ 31
  Hardening the Virtual Machine Operating System and Applications ........ 31
  Firewall and Antivirus Requirements ........ 31
  Group Policy Considerations ........ 31
  Using File System Security to Protect Virtual Machine Resources ........ 32
  Using Encryption to Protect Virtual Machine Resources ........ 33
  Using Auditing to Track Access to Virtual Machine Resources ........ 34
  Maintaining Virtual Machines ........ 35
  Hyper-V Security Best Practice Checklist ........ 35
  Management Operating System Configuration ........ 36
  Virtual Machine Configuration ........ 36
  More Information ........ 37


Overview
Welcome to the Hyper-V Security Guide. This guide provides instructions and recommendations to help strengthen the security of computers running the Hyper-V role on Windows Server 2008. Microsoft engineering teams, consultants, support engineers, partners, and customers have reviewed and approved this prescriptive guidance to make it:
- Proven. Based on field experience.
- Authoritative. Offers the best advice available.
- Accurate. Technically validated and tested.
- Actionable. Provides the steps to success.
- Relevant. Addresses real-world security concerns.
Microsoft has published security guides for Windows Server 2008 and Windows Server 2003. This guide references significant new capabilities and security enhancements in Windows Server 2008. The guide was developed and tested with computers running the Hyper-V role on Windows Server 2008 that were joined to a domain that uses Active Directory Domain Services (AD DS). As Hyper-V continues to evolve through future releases, you can expect updated versions of this guidance to include more security recommendations. Solution Accelerators are also available to assist you with the deployment and operation of Windows Server 2008 as well as other Microsoft technologies. For more information about all available accelerators, visit Solution Accelerators on Microsoft TechNet.

Who Should Read This Guide


The Hyper-V Security Guide is primarily for IT professionals, security professionals, systems architects, computer engineers, and other IT consultants who plan application or infrastructure development and deployments of Windows Server 2008 for servers in an enterprise environment. The guide is not intended for home users. This guide is for individuals whose jobs may include one or more of the following roles:
- Security professional. Individuals in this role focus on how to provide security across computing platforms within an organization. Security professionals require a reliable reference guide that addresses the security needs of all segments of their organizations and also offers proven methods to implement security countermeasures. They identify security features and settings, and then provide recommendations on how their customers can most effectively use them in high risk environments.
- IT operations, help desk, and deployment staff. Individuals in all of these roles troubleshoot security issues as well as application installation, configuration, usability, and manageability issues. They monitor these types of issues to define measurable security improvements with minimal impact on critical business applications. Individuals in IT operations focus on integrating security and controlling change in the deployment process, and deployment personnel focus on administering security updates quickly.
- Systems architect and planner. Individuals in this role drive the architecture efforts for computer systems in their organizations.
- Consultant. Individuals in this role are aware of security scenarios that span all the business levels of an organization. IT consultants from both Microsoft Services and partners take advantage of knowledge transfer tools for enterprise customers and partners.

Skills and Readiness


The following knowledge and skills are required for consultants, operations, help desk and deployment staff, and security professionals who develop, deploy, and secure server systems running Windows Server 2008 in an enterprise organization:
- MCSE on Microsoft Windows Server 2003 or a later certification and two or more years of security-related experience, or equivalent knowledge.
- Experience using Hyper-V Manager and System Center Virtual Machine Manager 2008 (VMM 2008).
- Detailed knowledge of the organization's domain and Active Directory environments.
- Experience in the administration of Group Policy using the Group Policy Management Console (GPMC), which provides a single solution for managing all Group Policy-related tasks.
- Experience using management tools including Microsoft Management Console (MMC), Gpupdate, and Gpresult.
- Experience using the Security Configuration Wizard (SCW).
- Experience deploying applications and server computers in enterprise environments.

Chapter Summaries
This release of the Hyper-V Security Guide consists of this Overview and three chapters that discuss methods and best practices that will help you secure your Hyper-V environment. Brief descriptions follow for each chapter.

Overview
The overview states the purpose and scope of the guide, defines the guide audience, and describes the guide's structure to help you locate the information that is relevant to you. It also describes the user prerequisites for the guidance.

Chapter 1: Hardening Hyper-V


This chapter provides prescriptive guidance for hardening the Hyper-V role. It discusses several best practices for installing and configuring Hyper-V on Windows Server 2008 server with a focus on security. These best practices include measures for reducing the attack surface of a server running Hyper-V and recommendations for properly configuring secure network and storage devices on a server running Hyper-V.


Chapter 2: Delegating Virtual Machine Management


This chapter discusses several available methods for delegating virtual machine management so that virtual machine administrators only have the minimum permissions they require. It describes common delegation scenarios, and includes detailed steps to guide you through using Authorization Manager (AzMan) and System Center VMM 2008 to separate virtual machine administrators from virtualization host administrators.

Chapter 3: Protecting Virtual Machines


This chapter provides prescriptive guidance for securing virtual machine resources. It discusses best practices and includes detailed steps for protecting virtual machines by using a combination of file system permissions, encryption, and auditing. Also included are resources for hardening and updating the operating system instances running within your virtual machines.

Style Conventions
This guidance uses the style conventions that are described in the following table.

Element          Meaning
Bold font        Signifies characters typed exactly as shown, including commands, switches, and file names. User interface elements also appear in bold.
Italic font      Titles of books and other substantial publications appear in italic.
<Italic>         Placeholders set in italic and angle brackets represent variables.
Monospace font   Defines code and script samples.
Note             Alerts the reader to supplementary information.
Important        Alerts the reader to essential supplementary information.

More Information
The following resources provide additional information about security topics and detailed discussion of the concepts and security prescriptions in this guide on Microsoft.com:
- Hyper-V Planning and Deployment Guide: Planning for Hyper-V Security
- Windows Server 2008 Security Compliance Management Toolkit
- GPOAccelerator tool and guidance
- Infrastructure Planning and Design guides
- Microsoft Deployment Toolkit 2008 page on Microsoft TechNet
- Microsoft Windows Security Resource Kit
- Security Solution Accelerator page on Microsoft TechNet


Support and Feedback


The Solution Accelerators Security and Compliance (SASC) team would appreciate your thoughts about this and other Solution Accelerators. Please contribute comments and feedback to secwish@microsoft.com. We look forward to hearing from you. Solution Accelerators provide prescriptive guidance and automation for cross-product integration. They present proven tools and content to help you plan, build, deploy, and operate information technology with confidence. To view the extensive range of Solution Accelerators and for additional information, visit the Solution Accelerators page on Microsoft TechNet. We would appreciate your taking a few moments to complete this short survey. Doing so will help us continue to improve the quality of Solution Accelerators and ensure that they address customer needs. Thank you in advance for completing the survey, and thank you for purchasing Microsoft products.


Acknowledgements
The SA-SC team would like to acknowledge and thank the team that produced the Hyper-V Security Guide. The following people were either directly responsible or made a substantial contribution to the writing, development, and testing of this solution.

Development Team
Authors: Kurt Dillard (KurtDillard.com), Richard Harrison (Content Master Ltd), Paul Henry (Wadeware LLC)
Development Lead: Jos Maldonado
Editor: Steve Wacker (Wadeware LLC)
Product Manager: Shruti Kala
Program Manager: Tom Cloward
Release Managers: Karina Larson, Shealagh Whittle (Aquent LLC)
Test Manager: Sumit Parikh
Testers: Raxit Gajjar (Infosys Technologies Ltd), Tushar Vijay Lunawat (Infosys Technologies Ltd)

Contributors and Reviewers


Kai Axford Brandon Baker Yung Chou Defense Information System Agency (DISA) Martin Herbener Kentucky Department of Education Dung K Hoang Hewlett-Packard Siegfried Jagott Siemens AG Carsten Kinder Kathy Lambert David Lef Patrick Lownds Hewlett-Packard Jason Missildine Keith Pawson Bhaskar Rastogi Enrique Saggese Tony Soper Pat Telford Elton Tucker Gary Verster Anand.V.V.N Xinfotainment Kiyoshi Watanabe


Chapter 1: Hardening Hyper-V


This chapter focuses on how to harden servers that run Microsoft Hyper-V, the hypervisor-based virtualization functionality included as a role of Windows Server 2008, in both Full and Server Core installations. The chapter includes security best practice recommendations for configuring servers running the Hyper-V role. These recommendations can help maintain your server's desired configuration, and help protect against unauthorized access and resource tampering. Significant changes were introduced with the Hyper-V role in Windows Server 2008 that enhanced the capabilities and functionality of virtualization on the Windows platform. For more information about the new features introduced in Windows Server 2008 Hyper-V, see the Windows Server 2008 Hyper-V product overview white paper. It's important to note that this guide is written for Windows Server 2008 with the Hyper-V role enabled. It is not written for the stand-alone Microsoft Hyper-V Server 2008 product, although much of the guidance here should apply to that product as well. For information about the differences between Windows Server 2008 with the Hyper-V role enabled and Hyper-V Server 2008, see the Microsoft Hyper-V Server 2008 FAQ. Similarly, although the security recommendations in this guide were tested only on the Windows Server 2008 Enterprise operating system, the recommendations should also apply to Windows Server 2008 Standard and Windows Server 2008 Datacenter. Installing the Hyper-V role and taking advantage of the virtualization capabilities requires the following:
- A server computer running a Full or Server Core installation of the 64-bit edition of Windows Server 2008 (Standard, Enterprise, or Datacenter).
- Hardware-Assisted Virtualization must be enabled on the hardware you plan to use before you install the Hyper-V role. A number of processors currently on the market include instruction sets, such as AMD-V and Intel VT, that provide the ability to load a hypervisor virtualization platform between the computer hardware and the operating system layer.
- Data Execution Prevention (DEP) must be enabled in the BIOS. DEP is a security feature that is available on all processors that support virtualization assistance. It prevents a process from executing code from a non-executable memory region. DEP is supported by processors that can mark memory pages as non-executable, such as Intel processors that support the XD (Execute Disable) bit and AMD processors that support the NX (No-Execute) bit.
Important If your server does not support hardware virtualization assistance, the Hyper-V role will not display in the list of roles you can install. For system requirements, see Windows Server 2008 Virtualization with Hyper-V: FAQ.


Attack Surface
As with other roles in Windows Server 2008, adding the Hyper-V role changes the attack surface of the computer. To determine the attack surface of this role, you need to identify the following:
- Installed files. The files that are installed as part of the Hyper-V role.
- Installed services. The services that are installed as part of the Hyper-V role.
- Firewall rules. The firewall rules that are installed or enabled as a part of the Hyper-V role.
For an up-to-date list of the files, services, and firewall rules that the Hyper-V role installs, see the Hyper-V Attack Surface Reference Workbook on the Microsoft Download Center.

Server Role Security Configuration


This section of the guide provides guidance for securing the physical Hyper-V computer (the physical server that runs one or more virtual machines). It describes the security measures that you can incorporate into your Hyper-V server configuration to help protect it against malicious attacks. This section does not provide guidance on the specific security configurations of the virtual machines that the Hyper-V server can support. For help securing the virtual operating environment that runs inside a virtual machine, consult the following Microsoft Solution Accelerator guidance:
- Windows Server 2008 Security Compliance Management Toolkit
- Windows Server 2003 Security Compliance Management Toolkit
- Windows Vista Security Compliance Management Toolkit
- Windows XP Security Compliance Management Toolkit
The Windows Server 2008 Security Compliance Management Toolkit also provides guidance about security settings for other Windows Server 2008 roles. To secure other supported guest operating systems, see the appropriate documentation from the operating system vendors. See Virtualization with Hyper-V: Supported Guest Operating Systems for an up-to-date list. A basic familiarity with the Hyper-V architecture can help you understand the kinds of countermeasures that you can implement to better secure Hyper-V. The following figure illustrates this architecture.


Figure 1.1. Basic Hyper-V virtualization technology architecture

After you install the Hyper-V role, all of the operating system instances on the physical computer run as virtual machines. Even the instance of Windows Server 2008 that you use to create and manage the virtual machines is a virtual machine; this instance is the management operating system. You use the management operating system specifically to create and manage virtual machines. Hyper-V uses a microkernelized approach in which the hypervisor is very small and allows no third-party code to run within it. The hypervisor, which is a core component of Hyper-V, is a thin layer of software between the hardware and the operating system. The hypervisor allows multiple operating systems to run unmodified on a single physical computer at the same time. Because any unknown security vulnerabilities included in Hyper-V could compromise the security of the management operating system and the virtual machines, Microsoft has carefully reviewed and tested the Hyper-V source code to minimize this risk. In addition, the hypervisor component was designed with minimal configuration requirements to reduce its complexity and attack surface. (For more information on the Hyper-V virtualization architecture, see An Introduction to Hyper-V in Windows Server 2008 on Microsoft TechNet.) The remainder of this chapter focuses on the steps you need to perform to protect the management operating system and the virtual machines. There are two categories of countermeasures:
- Management operating system security. The configuration of the physical computer itself, including discrete network interfaces for accessing the management operating system and virtual machines.
- Virtual machine security. The configuration of the virtual machines.


Management Operating System Security


When provisioning the physical computer, you can do several things to increase the overall security of the management operating system and virtual machines. For example, you can reduce the attack surface of the management operating system by installing Hyper-V on a computer running Windows Server 2008 Server Core, as explained in the following subsection. Other techniques you can use that are discussed in this section include installing separate network adapters for the management operating system and virtual machines, and using the management operating system to configure separate logical storage volumes for each virtual machine.

Default Installation Recommendations


You can install Hyper-V with either the Full or the Server Core installation options of the 64-bit editions of Windows Server 2008 (Standard, Enterprise, or Datacenter). Server Core is a minimal server installation option that provides a low-maintenance server environment with limited functionality. With a Server Core installation (as with Hyper-V Server 2008), only the minimal components that are necessary to support core functionality and key server roles are installed, including Hyper-V (if selected). Using Server Core for Hyper-V physical computers provides three main security benefits:
- A minimized attack surface for the management operating system.
- A reduced computer footprint.
- Improved system uptime because there are fewer components that require updates.
Potential drawbacks of using Server Core include the following:
- Server Core cannot be managed locally using the traditional graphical user interfaces (GUIs) such as Server Manager. Remote administration consoles and specialized WMI command-line scripts are required to manage the server, which might require additional training for administrative staff.
- Some drivers, software agents, and applications are not compatible with a Server Core management operating system. In particular, the Microsoft .NET Framework is not included with Server Core installations, so you will not be able to run any .NET applications with the management operating system. Validating all applications, drivers, and software agents is especially important when deploying a Server Core installation.
Apart from the differences between the Full and Server Core options, the attack surface for the Hyper-V component is the same in the Standard, Enterprise, and Datacenter SKUs of Windows Server 2008.

To install the Windows Server 2008 Hyper-V role using the Server Core option
1. You must perform a Server Core installation before you install the Hyper-V role. For instructions, see the Server Core Installation Option of Windows Server 2008 Step-By-Step Guide on Microsoft TechNet.
2. Install the Hyper-V update packages for Windows Server 2008 (KB950050). To view the list of software updates and check whether any are missing, enter the following command at a command prompt:
   wmic qfe list
   If you do not see kbid=950050, download the Hyper-V updates and then enter the following command at a command prompt:
   wusa.exe Windows6.0-KB950050-x64.msu /quiet
   There are three update packages. After you install the updates, you must restart the server. You must update the management operating system with the Update for Windows Server 2008 x64 Edition (KB 950050) and Language Pack for Hyper-V (KB951636). The Update for Windows Server 2008 (KB952627) is for remote management of the Server Core installation if you are managing the server from a computer running Windows Vista Service Pack 1 (SP1). It must be installed on the computer running Windows Vista SP1.
Important Before you enable the Hyper-V role, ensure that you have enabled the required hardware-assisted virtualization and hardware-enforced Data Execution Prevention (DEP) BIOS settings. Checks for these settings are performed before you enable the Hyper-V role on a full installation, but not on a Server Core installation.

After you make the BIOS configuration changes to enable the required hardware features, you might need to turn off the power to the computer and then turn it back on (because restarting the computer might not apply the changes to the settings). If you enable the Hyper-V role without modifying the BIOS settings, the Windows hypervisor might not function as expected. If the Windows hypervisor malfunctions, check the event log for details, modify the BIOS settings according to the server hardware manufacturer instructions, turn off and turn on the computer running a Server Core installation, and then install Hyper-V again. To check if your server hardware is compatible, see the Windows Server catalog. Click the list of Certified Servers, and then click By additional qualifications Hyper-V. For instructions about how to enable the BIOS settings, check with your hardware manufacturer. After you install Hyper-V, ensure that all appropriate updates are installed. A comprehensive list of Hyper-V updates is available in the Hyper-V Update List on Microsoft TechNet. The Microsoft Remote Server Administration Tools are included with Windows Server 2008; a version of the tools for Windows Vista is also available through the Microsoft Help and Support article Description of the Windows Vista Service Pack 1 Management Tools update for the release version of Hyper-V. These tools include the Hyper-V Manager console, which enables authorized administrators to manage Hyper-V servers remotely from their workstations. The console also allows administrators to manage Hyper-V on Server Core without using command-line tools. The rest of this section discusses how to configure the physical computer using the Hyper-V Manager and other GUI management tools.
Note You can perform the same tasks on the local console of Server Core using scripts for Windows Management Instrumentation (WMI). For more information, see Virtualization WMI Provider in the MSDN Library.
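The checks the procedure above leaves to the administrator on Server Core (the KB950050 update being present, hardware DEP being available, and whether the hypervisor's management service came up after the role was installed) can be scripted from the local cmd prompt. The following batch script is an added example, not part of the guide; it uses the Win32_QuickFixEngineering and Win32_OperatingSystem WMI classes that wmic exposes, and vmms is the service name of the Hyper-V Virtual Machine Management service.

```batch
@echo off
rem Added example (not from the Hyper-V Security Guide): pre- and post-install
rem checks for the Hyper-V role on a Windows Server 2008 Server Core host.
rem Run from an elevated command prompt on the management operating system.
setlocal

rem 1. Is the Hyper-V update (KB950050) installed? The guide's "wmic qfe list"
rem    prints every update; this filters on the HotFixID property instead.
wmic qfe where "HotFixID='KB950050'" get HotFixID 2>nul | find /i "KB950050" >nul
if errorlevel 1 (
    echo [MISSING] KB950050 is not installed. Install it with:
    echo           wusa.exe Windows6.0-KB950050-x64.msu /quiet
) else (
    echo [OK] KB950050 is installed
)

rem 2. Is hardware DEP available to the operating system? Server Core does not
rem    check this for you before the role is enabled, and the hypervisor
rem    requires it. The value comes back as TRUE/FALSE with a trailing CR, so
rem    only the first four characters are compared.
set "DEP="
for /f "tokens=2 delims==" %%v in ('wmic os get DataExecutionPrevention_Available /value ^| find "="') do set "DEP=%%v"
if /i "%DEP:~0,4%"=="TRUE" (
    echo [OK] Data Execution Prevention is available
) else (
    echo [CHECK] DEP not reported as available: enable NX/XD in the BIOS,
    echo         then power the server off and on as the guide describes
)

rem 3. After the role is installed, the Hyper-V Virtual Machine Management
rem    service (vmms) should be running. If it is not, the hypervisor may not
rem    have loaded; check the event log as the guide advises.
sc query vmms | find "RUNNING" >nul
if errorlevel 1 (
    echo [INFO] vmms is not running: role not installed yet, or hypervisor failed to load
) else (
    echo [OK] Hyper-V Virtual Machine Management service is running
)

endlocal
```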

Host Network Configuration


The configuration of the physical network interfaces of the computer running Hyper-V can help to improve the isolation of the management operating system from other virtual machines. Microsoft recommends that you install at least two network adapters on the computer hosting Hyper-V. Dedicate the first network adapter for the exclusive use of the management operating system, and then allow the other virtual machines to use the other network adapters. The following figure illustrates this concept.

Figure 1.2. Physical Hyper-V architecture in an enterprise network

When you install the Hyper-V role using the Add Roles Wizard on a full installation of Windows Server 2008 Enterprise, the wizard prompts you to reserve one network adapter for remote access to the management operating system, as shown in the following figure.


Figure 1.3. The Create Virtual Networks page of the Add Roles Wizard

If you leave a network adapter unselected on this page of the wizard, the network adapter will be dedicated for use by the management operating system exclusively. After installation, you can reconfigure the physical network adapters using the Hyper-V Manager.

To use the Hyper-V Manager to configure virtual networks
1. On the physical Hyper-V computer or from a remote management workstation, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In the tree pane, select the server that you want to manage.
3. In the Actions pane, click Virtual Network Manager.
4. In the Virtual Network Manager dialog box, add, modify, or remove virtual network switches to be used by the management operating system and the virtual machines.
Each virtual network you define results in the creation of a virtual network switch. You can connect the virtual network adapters inside your virtual machines to the virtual networks you create. There are three different types of virtual networks:
- External virtual networks use virtual network switches that are bound to a network adapter in the physical computer. Any virtual machines attached to an external virtual network can access the same networks to which the physical adapter is connected.
- Internal virtual networks use virtual network switches that are not bound to a network adapter in the physical computer. An internal virtual network is isolated from networks external to the physical computer. However, virtual machines connected to an internal virtual network can communicate with the management operating system.
- Private virtual networks use virtual network switches that are not bound to a network adapter in the physical computer, as with internal virtual networks. However, network traffic from virtual machines connected to a private network is completely isolated from network traffic in the management operating system and in the external networks.
These different virtual network configurations support some interesting scenarios. Consider a multi-tier application that includes Web, database, and application servers, as shown in the following figure.

Figure 1.4. Network configuration for multi-tier Web application

The physical Hyper-V computer has two network adapters. The first network adapter connects the physical computer to a physical network (labeled Management network) for management. The second network adapter connects the physical computer to a separate public network (labeled Front-end network) where the client systems and other servers are located; the Web server virtual machine is connected to this network adapter through an external virtual network. There is also a private virtual network that connects the Web server virtual machine to the applications server virtual machines and the database management system (DBMS) virtual machine. This configuration isolates all of the traffic between the Web server and the other virtual machines from the publicly accessible network, and it also provides a dedicated network connection for administration of the management operating system. Although isolating the virtual and physical networks from each other protects the virtual network from outside attacks, it also renders the virtual network segment invisible to any security tools that are deployed on the physical network, such as network intrusion detection systems (NIDS). For additional protection, deploy virtual network-capable versions of these tools on the virtual segment. For more information, see Configuring Virtual Networks on Microsoft TechNet.
Solution Accelerators
microsoft.com/technet/SolutionAccelerators

Securing Dedicated Storage Devices


Files that contain configuration information about each virtual machine are stored in the %programdata%\Microsoft\Windows\Hyper-V\ directory by default. Virtual machine configuration files stored in this directory are relatively small, and the default storage location should be acceptable for many scenarios.
Important If you specify a different storage location, ensure that both the System account and the Administrators group have Full Control permissions for the new folder, and that access by other accounts is strictly limited as appropriate.

Virtual hard disk (VHD) files can be dynamic or fixed-size. A dynamic VHD file is the size required by the data stored in it and can grow as the data changes. A fixed-size VHD file takes up the amount of space configured for the virtual disk, including any free space. For example, a dynamic VHD and a fixed-size VHD might both appear as 80 GB volumes when mounted inside a virtual machine, but the dynamic VHD only takes up as much space on the physical disk as the data stored in it requires; the fixed-size VHD always takes up about 80 GB on the physical disk. Microsoft recommends using fixed-size VHD files for best performance, and to prevent virtual machines from unexpectedly running out of storage space.

By default, new VHD files are stored in the Public profile, in the %users%\Public\Documents\Hyper-V\Virtual Hard Disks directory. You can change the default storage location for VHDs by selecting Hyper-V Settings in the Hyper-V Manager. If you specify a different storage location, assign permissions as follows for the new folder:

Table 1.1. Permission Settings for VHD Storage Folder

| Names | Permissions | Apply to |
|---|---|---|
| Administrators, System | Full Control | This folder, subfolders, and files |
| Creator Owner | Full Control | Subfolders and files only |
| Interactive, Service, Batch | Create files/write data; Create folders/append data; Delete; Delete subfolders and files; Read attributes; Read extended attributes; Read permissions; Write attributes; Write extended attributes | This folder, subfolders, and files |

To simplify management, you might want to store all of the VFD and ISO files in separate folders on the same logical volume as the VHDs. For example, a typical folder structure might be:

    W:\Virtualization Resources\Virtual Machines
    W:\Virtualization Resources\Virtual Hard Disks
    W:\Virtualization Resources\Virtual Floppy Disks
    W:\Virtualization Resources\ISO files
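The following PowerShell script is an added example and is not part of this guide: it applies the entries of Table 1.1 to a VHD storage folder with the .NET access-control classes, then lists any principal the table does not name that still has an entry on the folder. It assumes the sample Virtual Hard Disks path above; the function names are this example's own.

```powershell
# Added example, not part of the Hyper-V Security Guide: apply the Table 1.1 ACL to a VHD
# storage folder and audit the result. Run in an elevated session on the management OS.
$DefaultVhdFolder = 'W:\Virtualization Resources\Virtual Hard Disks'   # sample path from the guide

# Principals exactly as Table 1.1 lists them (well-known accounts, so they resolve on any host).
$FullControlThisFolder   = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')
$FullControlChildrenOnly = @('CREATOR OWNER')
$LimitedIdentities       = @('NT AUTHORITY\INTERACTIVE', 'NT AUTHORITY\SERVICE', 'NT AUTHORITY\BATCH')

# The nine special permissions Table 1.1 grants to Interactive, Service and Batch.
$LimitedRights = [System.Security.AccessControl.FileSystemRights](
    'CreateFiles, CreateDirectories, Delete, DeleteSubdirectoriesAndFiles, ReadAttributes, ' +
    'ReadExtendedAttributes, ReadPermissions, WriteAttributes, WriteExtendedAttributes')

function New-FolderRule {
    param(
        [string]$Identity,
        [System.Security.AccessControl.FileSystemRights]$Rights,
        [switch]$SubfoldersAndFilesOnly   # Table 1.1 "Subfolders and files only" = inherit-only ACE
    )
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    if ($SubfoldersAndFilesOnly) {
        $propagation = [System.Security.AccessControl.PropagationFlags]::InheritOnly
    } else {
        $propagation = [System.Security.AccessControl.PropagationFlags]::None
    }
    New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
        $Identity, $Rights, $inherit, $propagation,
        [System.Security.AccessControl.AccessControlType]::Allow)
}

function Get-Table11Rules {
    # Builds the six access rules that make up the ACL in Table 1.1.
    $rules = @()
    foreach ($id in $FullControlThisFolder)   { $rules += New-FolderRule -Identity $id -Rights FullControl }
    foreach ($id in $FullControlChildrenOnly) { $rules += New-FolderRule -Identity $id -Rights FullControl -SubfoldersAndFilesOnly }
    foreach ($id in $LimitedIdentities)       { $rules += New-FolderRule -Identity $id -Rights $LimitedRights }
    return $rules
}

function Set-VhdFolderAcl {
    param([string]$Path = $DefaultVhdFolder)
    if (-not (Test-Path -Path $Path)) { New-Item -ItemType Directory -Path $Path | Out-Null }
    $acl = Get-Acl -Path $Path
    # Stop inheriting from the parent and discard the inherited entries (for example the default
    # read access for Users), so that only the entries from Table 1.1 remain on the folder.
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($existing in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        $acl.RemoveAccessRule($existing) | Out-Null
    }
    foreach ($rule in Get-Table11Rules) { $acl.AddAccessRule($rule) }
    Set-Acl -Path $Path -AclObject $acl
}

function Test-VhdFolderAcl {
    # Lists every ACE on the folder held by a principal that Table 1.1 does not name.
    # An empty result means only the expected principals can reach the VHDs.
    param([string]$Path = $DefaultVhdFolder)
    $expected = $FullControlThisFolder + $FullControlChildrenOnly + $LimitedIdentities
    (Get-Acl -Path $Path).Access |
        Where-Object { $expected -notcontains $_.IdentityReference.Value } |
        Select-Object @{ n = 'Identity'; e = { $_.IdentityReference.Value } }, FileSystemRights, IsInherited
}

Set-VhdFolderAcl
Test-VhdFolderAcl | Format-Table -AutoSize   # expect no rows once the ACL has been applied
```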

When installing antivirus software in the management operating system, configure any real-time scanning components to exclude the directories where virtual machine files are stored, as well as the program files vmms.exe and vmwp.exe in C:\Windows\System32. If you do not create these exclusion rules, you might encounter errors when creating and starting virtual machines.

Security Setting Recommendations


The Windows Server 2008 Security Guide (part of the Windows Server 2008 Security Compliance Management Toolkit) includes high-level security design recommendations that you can follow to implement either the Enterprise Client (EC) baseline settings or the Specialized Security Limited Functionality (SSLF) baseline settings. To help reduce the attack surface and harden the security configuration of your servers running the Hyper-V role, Microsoft recommends applying the baseline settings described in the Windows Server 2008 Security Guide.

During the development of this guide, the security settings prescribed in the Windows Server 2008 Security Guide were tested on servers running the Hyper-V role. Servers that were configured with the settings recommended for the SSLF environment encountered errors related to VHD creation, snapshotting, and importing. Correcting these errors requires modifying the recommended settings included in the Windows Server 2008 Security Guide. Servers that were configured with the settings recommended for the EC environment encountered no issues.

The issues encountered all pertain to the configuration of the Create symbolic links user right setting. The Windows Server 2008 Security Guide recommends configuring this setting in the WS08 SSLF Member Server Baseline Policy to only include the Administrators group. However, this user right must also be granted to the Virtual Machines group. If you apply the WS08 SSLF Member Server Baseline Policy to any of your servers running the Hyper-V role, perform the steps in the following procedure to modify the baseline policy:

To modify the WS08 SSLF Member Server Baseline Policy GPO

1. Use Notepad.exe to create an .INF file that includes the following text:

    [Unicode]
    Unicode=yes
    [Version]
    signature="$CHICAGO$"
    Revision=1
    [Privilege Rights]
    ; S-1-5-32-544 is the Administrators group; S-1-5-83-0 is the Virtual Machines group
    SeCreateSymbolicLinkPrivilege = *S-1-5-32-544,*S-1-5-83-0

2. Open GPMC.msc, right-click the WS08 SSLF Member Server Baseline Policy GPO, and click Edit.
3. Under Computer Configuration, expand Policies, and then expand Windows Settings.
4. Right-click Security Settings, and click Import Policy.
5. Select the .INF file created in step 1, and click Open.

This procedure will modify the WS08 SSLF Member Server Baseline Policy as required for use with servers running Hyper-V. Note that simply adding the Virtual Machines group to the Create symbolic links Group Policy setting will not result in the required configuration.
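As an added check that is not part of this guide, the following PowerShell script exports the effective user-rights assignment with secedit.exe and confirms that SeCreateSymbolicLinkPrivilege carries both SIDs from the .INF file above, comparing SIDs rather than group names. The function names and the sample INF lines are this example's own.

```powershell
# Added example, not part of the Hyper-V Security Guide: check that the effective local policy
# grants SeCreateSymbolicLinkPrivilege to both SIDs from the .INF above. The comparison is by
# SID, so a policy that carries the wrong principal, or none, is reported. Requires an elevated session.
$RequiredSids  = @('S-1-5-32-544', 'S-1-5-83-0')   # BUILTIN\Administrators, Virtual Machines
$PrivilegeName = 'SeCreateSymbolicLinkPrivilege'

function Get-UserRightSids {
    # Parses secedit-style .INF text and returns the SIDs assigned to one privilege.
    # secedit writes each principal as "*S-1-5-..." so the leading asterisk is stripped.
    param([string[]]$InfLines, [string]$Privilege)
    foreach ($line in $InfLines) {
        if ($line -match ('^\s*' + [regex]::Escape($Privilege) + '\s*=\s*(.*)$')) {
            return @($matches[1].Split(',') |
                ForEach-Object { $_.Trim().TrimStart('*') } |
                Where-Object { $_ -ne '' })
        }
    }
    return @()   # privilege absent from the export: nobody holds it
}

function Test-SymlinkRight {
    # Reports which required SIDs are missing from the privilege assignment in $InfLines.
    param([string[]]$InfLines)
    $granted = Get-UserRightSids -InfLines $InfLines -Privilege $PrivilegeName
    $missing = @($RequiredSids | Where-Object { $granted -notcontains $_ })
    New-Object PSObject -Property @{
        Granted   = $granted
        Missing   = $missing
        Compliant = ($missing.Count -eq 0)
    }
}

function Export-LocalUserRights {
    # Exports only the user-rights area of the effective local policy (includes applied GPOs).
    $inf = Join-Path $env:TEMP 'hyperv-userrights.inf'
    & secedit.exe /export /cfg $inf /areas USER_RIGHTS /quiet | Out-Null
    $lines = Get-Content -Path $inf -Encoding Unicode   # secedit writes UTF-16 text
    Remove-Item -Path $inf -Force
    return $lines
}

# Constructed sample: a baseline that grants the right to Administrators only, as the
# unmodified WS08 SSLF Member Server Baseline Policy does.
$SampleInf = @('[Privilege Rights]', 'SeCreateSymbolicLinkPrivilege = *S-1-5-32-544')
Test-SymlinkRight -InfLines $SampleInf            # Missing = S-1-5-83-0, Compliant = False

# Live check of this server:
Test-SymlinkRight -InfLines (Export-LocalUserRights)
```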

Virtual Machine Security


Several virtual machine settings have security implications. You can configure some of these settings by using the Virtual Machine Wizard, and you can access all of the settings after creating a virtual machine through the Hyper-V Manager.

Virtual Machine Configuration


The following considerations and recommendations relate to configuring virtual machines on a computer running Windows Server 2008 Hyper-V.

- Determine where to store the virtual machine files and the VHDs. See Securing Dedicated Storage Devices earlier in this chapter for guidance.
- Decide how much memory to assign to a virtual machine. Memory on the physical computer is apportioned to all of the virtual machines on the server, including the virtual machine running the management operating system, so assigning an appropriate amount of memory to each virtual machine is important to ensure the continuing availability of all virtual machine resources. The amount of memory to assign will depend on the workload of the virtual machine, how much physical memory is available on the computer, and how much memory other virtual machines running on the same computer are using.
- Impose limits on processor usage. By default, Hyper-V does not limit the amount of processing power used by virtual machines. A compromised virtual machine that can use all of the processing power on the physical computer could cause the computer and other virtual machines running on it to become unresponsive. The precise number of logical processors to use and the limits that you should impose on them depend on the workload they perform, the number of physical processors and cores installed on the physical computer, and the amount of processor power required by other virtual machines running on the same computer. To ensure continuing availability of all VM resources, monitor processor usage and adjust the limits accordingly.
- Configure only required storage devices for a virtual machine. Give each virtual machine access to the physical hard disks, VHDs, and removable storage devices that it needs, and no others. If a virtual machine does not require access to a resource like a CD/DVD drive except when you are installing software, for example, remove the virtual drive or select None as the media when it is not in use.
- Enable support for time synchronization. Time synchronization can be important in some auditing scenarios, because the system time of virtual machines can drift out of sync with the management operating system for virtual machines that are under constant heavy load. For time synchronization to work you need to install the Hyper-V Integration Services on the virtual machines. For information about installing and using Integration Services, see the Hyper-V Getting Started Guide on Microsoft TechNet.
Note If any virtual machines on a physical computer belong to a domain but the computer itself does not, ensure that the physical computer synchronizes with the same time source used by the domain to eliminate synchronization conflicts between the physical computer and domain. For virtual machines that are configured as domain controllers, Microsoft recommends disabling time synchronization with the physical computer through Integration Services, so that domain controllers use the default Windows Time service (W32time) domain hierarchy time synchronization. If domain controllers synchronize time from their own source and also synchronize time from the physical computer, the domain controller time can change frequently. Because many domain controller tasks are tied to the system time, a jump in the system time could cause lingering objects to be left in the directory and replication to be stopped.


- Place virtual machines of a similar trust level on the same physical computer. To maintain security in your organization, deploy your virtual machines in such a way that all the VMs on a given physical computer share a similar level of trust, and then configure the computer to be at least as secure as the most secure VM. Virtual machines that are exposed to external access, such as Web servers, or that must be accessed widely require different security precautions than servers to which access is tightly controlled or limited to a small number of users.
- Delete decommissioned high-security VHDs. For high-security VMs that contain sensitive information, establish a process for securely deleting the VHD files after decommissioning. Tools such as SDelete v1.51, available for download from Microsoft TechNet, can help with this process.
- Store snapshot files securely. A snapshot is a point-in-time image of a virtual machine's state that you can return the machine to later. It is conceptually similar to the System Restore feature of Windows XP and Windows Vista, or the undo disks used by Virtual PC and Virtual Server. Store any snapshots you create together with their associated VHDs in an equally secure location.

More Information
The following resources on Microsoft.com provide more information about some of the concepts and techniques described in this chapter.

- Windows Server 2008 Security Compliance Management Toolkit
- Windows Server 2008 Hyper-V overview white paper
- Windows Server 2008 Virtualization with Hyper-V: FAQ
- Microsoft Hyper-V Server 2008 FAQ
- Hyper-V Planning and Deployment Guide
- Performance and Capacity Requirements for Hyper-V
- Performance Tuning Guidelines for Windows Server 2008
- Planning for Hyper-V Security
- Hyper-V Attack Surface Reference Workbook
- Virtualization with Hyper-V: Supported Guest Operating Systems
- Virtualization WMI Provider
- Infrastructure Planning and Design


Chapter 2: Delegating Virtual Machine Management


This chapter provides guidance to help safely and securely delegate administrative access to virtual machine (VM) resources within an organization. A number of tools are available to administer VMs, physical computers, and other aspects of a virtual machine infrastructure. This chapter explains how these tools work, and how to control administrative access to different servers and at different levels. When a single physical server is configured to support multiple operating system instances, it's important to correctly assign administrative permissions to each instance to properly secure the Hyper-V environment. The scope of operations available to an administrator account depends on where you establish administrative access for an account:

- Hyper-V administrators are administrative accounts that have full administrative access to the storage and network configuration of all the virtual machines on a physical Hyper-V computer. They can make global configuration changes that could affect all virtual machines on the physical computers.
- Virtual machine administrators are administrative accounts that only have administrative access to the virtual machine on which the account has been established.

Hyper-V creates a security boundary between the management operating system and virtual machines that prevents virtual machine administrators from administering the management operating system. Microsoft recommends that you closely control administrative access to the management operating system and only assign it to staff members with a valid business need to manage both the management operating system and all the virtual machines on a physical Hyper-V server. For typical operations, Microsoft recommends that you maintain a clear separation between those administrators who are responsible for the operation of the physical server and the management operating system, and those administrators who are responsible for managing individual virtual machines.
By default, virtual machine administrators are not granted administrative access to the management operating system and cannot log on to the management operating system to view the Hyper-V configuration or make any changes to it. Although this configuration is suitable for many situations, your organization might want to provide those administrators who are responsible for managing the virtual machines with a limited ability to manage a Hyper-V installation without actually using the management operating system to make them Hyper-V administrators. To do so, provide each affected user with an account that can log on to the management operating system, and use Authorization Manager as described in the following sections to assign appropriate permissions to the users' accounts.


Using Tools to Delegate Access


The Hyper-V Manager user interface in Windows Server 2008 Server Manager is shown in the following screen shot. It is provided as part of the Hyper-V role, and allows users designated as administrators of the management operating system to manage the virtual machines on the physical computer. Administrators can use Hyper-V Manager to perform a variety of management tasks on the physical computer, including starting and stopping VMs, importing and deploying VMs on the computer, and managing snapshots. By default, anyone who is a local administrator of the management operating system can use Hyper-V Manager on the physical computer. In addition, a user can also use Hyper-V Manager to remotely manage Hyper-V on other servers in a domain to which the user has administrative access.

Figure 2.1. The Hyper-V Manager user interface

Restricting Hyper-V management capability to server administrators can make it difficult to manage a large Hyper-V deployment efficiently and securely. Granting server administrative access to many people can put critical computing resources at risk, but limiting access can create administrative bottlenecks. Managing administrative access individually for each physical Hyper-V computer can also be time-consuming and difficult to track. Fortunately, tools such as Authorization Manager and System Center Virtual Machine Manager make it possible to securely delegate and decentralize Hyper-V administrative functions.


Delegating Access with Authorization Manager


By default, access to Hyper-V Manager on a physical computer is restricted to members of the local Administrators group on the server. The default configuration helps maintain virtual machine security by limiting control of virtual machines to the users who already have full administrative user rights on the physical computer. However, in some scenarios you might want additional trusted users to have the appropriate permissions to administer virtual machines using Hyper-V Manager. For example, you might want to delegate Hyper-V management to a group of assistants to better accommodate a large, decentralized Hyper-V deployment, but your organization might have security policies in place that discourage granting server administrative access to people outside a small group of administrators. Limiting administrative access to the management operating system also enables you to use access control lists (ACLs) to prevent unauthorized users from accessing VHDs and other critical files through the file system. You can use Authorization Manager (AzMan), a snap-in for the Microsoft Management Console (MMC), to assign selected users and groups to the Hyper-V Administrator role so they can use Hyper-V Manager without being administrators of the physical computer itself.

Authorization Manager is an administrative tool for defining and using role-based authorization in applications that are designed to support it. Role-based authorization policy specifies access in terms of user roles that reflect an application's authorization requirements. Users are assigned roles based on their job functions, and these roles are granted permissions to perform related tasks or operations. The roles and tasks for an application are defined and saved in an authorization store, which can be accessed and edited using Authorization Manager. The default authorization store included with Hyper-V defines 33 different operations and an Administrator role that can access all of them.
You can create other roles that can access a subset of allowable operations. Roles are listed in Role Assignments in Authorization Manager, and also in the Role Definitions node below the Definitions node. The following three tables categorize all of the Hyper-V operations that can be assigned to roles.

Table 2.1. Hyper-V Service Operations

| Name | Description |
|---|---|
| Read service configuration | Authorizes reading configuration of the Virtual Machine Management Service |
| Reconfigure Service | Authorizes reconfiguration of Virtual Machine Management Service |

Table 2.2. Hyper-V Network Operations

| Name | Description |
|---|---|
| Bind External Ethernet Port | Authorizes binding to an external Ethernet port |
| Connect Virtual Switch Port | Authorizes connecting to a virtual switch port |
| Create Internal Ethernet Port | Authorizes creating an internal Ethernet port |
| Create Virtual Switch | Authorizes creating a new virtual switch |
| Create Virtual Switch Port | Authorizes creating a new virtual switch port |
| Delete Internal Ethernet Port | Authorizes deleting an internal Ethernet port |
| Delete Virtual Switch | Authorizes deleting a virtual switch |
| Delete Virtual Switch Port | Authorizes deleting a virtual switch port |
| Disconnect Virtual Switch Port | Authorizes disconnecting from a virtual switch port |
| Modify Internal Ethernet Port | Authorizes modifying the internal Ethernet port settings |
| Modify Switch Port Settings | Authorizes modifying the switch port settings |
| Modify Switch Settings | Authorizes modifying the switch settings |
| Change VLAN Configuration on Port | Authorizes modifying VLAN settings |
| Unbind External Ethernet Port | Authorizes unbinding from an external Ethernet port |
| View External Ethernet Ports | Authorizes viewing the available external Ethernet ports |
| View Internal Ethernet Ports | Authorizes viewing the available internal Ethernet ports |
| View LAN Endpoints | Authorizes viewing the LAN endpoints |
| View Switch Ports | Authorizes viewing the available switch ports |
| View Switches | Authorizes viewing the available switches |
| View Virtual Switch Management Service | Authorizes viewing the Virtual Switch Management Service |
| View VLAN Settings | Authorizes viewing the VLAN settings |


Table 2.3. Hyper-V Virtual Machine Operations

| Name | Description |
|---|---|
| Allow Input to Virtual Machine | Authorizes user to give input to the virtual machine |
| Allow Output from Virtual Machine | Authorizes viewing the output from a virtual machine |
| Change Virtual Machine Authorization Scope | Authorizes changing the scope of a virtual machine |
| Create Virtual Machine | Authorizes creating a virtual machine |
| Delete Virtual Machine | Authorizes deleting a virtual machine |
| Pause and Restart Virtual Machine | Authorizes pause and restart of a virtual machine |
| Reconfigure Virtual Machine | Authorizes reconfiguring a virtual machine |
| Start Virtual Machine | Authorizes starting the virtual machine |
| Stop Virtual Machine | Authorizes stopping the virtual machine |
| View Virtual Machine Configuration | Authorizes viewing the virtual machine configuration |

Figure 2.2. Authorization Manager

Any users who are assigned the Administrator role through Authorization Manager (shown in the preceding figure) have full access to Hyper-V Manager and all of the virtual machines deployed on the physical computer, and can access all 33 of the Hyper-V operations listed in the three preceding tables.


To use Authorization Manager to assign the Administrator role to users and groups

1. From the management console of the physical computer or from a remote workstation, click Start, type azman.msc, and then press Enter. The Authorization Manager console snap-in appears.
2. Right-click Authorization Manager in the tree pane and select Open Authorization Store. The Open Authorization Store dialog box appears with XML file selected as the store type.
3. Do one of the following:
   - If you are on the physical computer being managed, specify %programdata%\Microsoft\Windows\Hyper-V\InitialStore.xml in the Store Name text box and click OK.
     Note By default, only local administrators have access to this directory.
   - If you are on a remote workstation, specify the path to the InitialStore.xml file on the physical computer in the Store Name text box and click OK. For example, if Windows Server 2008 is installed on the C: drive, you might specify \\<server name>\C$\ProgramData\Microsoft\Windows\Hyper-V\InitialStore.xml.
4. Expand Hyper-V services under InitialStore.xml, expand Role Assignments, and then click the Administrator role.
5. Click Action, point to Assign Users and Groups, and then click From Windows and Active Directory.
6. In the Select Users, Computers, or Groups dialog box, select the user accounts and groups to which you want to assign the role, and click OK.
Note These steps only work with Hyper-V physical computers that are not being managed by System Center Virtual Machine Manager 2008 (VMM 2008). The advanced delegation capabilities of VMM 2008 are described in the next section.

Users who are assigned the Administrator role can install the Hyper-V management tools on a full installation of Windows Server 2008 and on Windows Vista Service Pack 1 (SP1) and administer Hyper-V servers remotely. (Remote administration is the only way to use Authorization Manager to manage an authorization store on a Server Core installation.) See Install and Configure Hyper-V Tools for Remote Administration on Microsoft TechNet for instructions.
Note Hyper-V Remote Management Configuration Utility on the Microsoft Developer Network (MSDN) is a tool that partially automates the process of setting up Hyper-V remote management.
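As an added example that is not part of this guide, the following PowerShell script enumerates the role assignments in InitialStore.xml through the AzRoles COM interface that the Authorization Manager snap-in uses, so that you can audit who holds the Administrator role after delegating. It assumes the default store path from the procedure above; the function names and the approved-SID list are this example's own.

```powershell
# Added example, not part of the Hyper-V Security Guide: audit the role assignments in the
# Hyper-V authorization store through the AzRoles COM interface that azman.msc itself uses.
# $ApprovedAdmins is a constructed list; replace it with the SIDs your organization has approved.
$DefaultStore   = Join-Path $env:ProgramData 'Microsoft\Windows\Hyper-V\InitialStore.xml'
$ApprovedAdmins = @('S-1-5-32-544')   # BUILTIN\Administrators, the only member by default

function Resolve-Sid {
    param([string]$Sid)
    try {
        (New-Object -TypeName System.Security.Principal.SecurityIdentifier -ArgumentList $Sid).Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        $Sid   # orphaned or foreign SID: keep the raw value so that it is still reported
    }
}

function Get-HyperVRoleAssignment {
    # Returns one object per role: its members (SID and resolved name) and every operation the
    # role grants, whether linked directly or through a task definition.
    param([string]$StorePath = $DefaultStore)   # use \\server\C$\ProgramData\... for a remote host
    $store = New-Object -ComObject AzRoles.AzAuthorizationStore
    $store.Initialize(0, "msxml://$StorePath", $null)          # 0 = open the existing XML store
    $app = $store.OpenApplication('Hyper-V services', $null)    # application name shown in azman.msc
    foreach ($role in $app.Roles) {
        $sids = @($role.Members)
        $ops  = @($role.Operations)
        foreach ($taskName in @($role.Tasks)) {
            $ops += @($app.OpenTask($taskName, $null).Operations)
        }
        New-Object PSObject -Property @{
            Role       = $role.Name
            MemberSids = $sids
            Members    = @($sids | ForEach-Object { Resolve-Sid $_ })
            Operations = @($ops | Where-Object { $_ } | Sort-Object -Unique)
        }
    }
}

function Find-UnapprovedHyperVAdmin {
    # The check to run after delegating: any member of the Administrator role (all 33 operations)
    # that is not on the approved list is returned.
    param([string]$StorePath = $DefaultStore, [string[]]$Approved = $ApprovedAdmins)
    $admin = Get-HyperVRoleAssignment -StorePath $StorePath | Where-Object { $_.Role -eq 'Administrator' }
    if (-not $admin) { return }
    foreach ($sid in $admin.MemberSids) {
        if ($Approved -notcontains $sid) {
            New-Object PSObject -Property @{ Sid = $sid; Account = (Resolve-Sid $sid) }
        }
    }
}

Get-HyperVRoleAssignment | Format-List Role, Members, Operations
Find-UnapprovedHyperVAdmin | Format-Table -AutoSize   # no rows = only approved principals hold the role
```

Run it from an elevated session, since by default only local administrators can read the store directory.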

System Center Virtual Machine Manager 2008


Microsoft System Center VMM 2008, which is available as a separate product, is a comprehensive management solution for virtualized data centers. Shown in the following screen shot, VMM 2008 enables increased physical server utilization, centralized management of virtual machine infrastructure and rapid provisioning of new virtual machines by the administrator, delegated administrators, and authorized end-users. VMM 2008 supports Windows Server 2008 Hyper-V, Microsoft Virtual Server 2005, and adds support for virtual machines running on VMware ESX Server, which makes it possible to centrally manage virtual machine environments from different vendors. The new Performance and Resource Optimization (PRO) and Intelligent Placement features help you allocate your virtual computing resources more efficiently and monitor them for potentially troublesome situations.
Important To use VMM 2008, you must install the Hyper-V Update for Windows Server 2008 x64 Edition (KB 956589) and the Background Intelligent Transfer Service (BITS) update (KB 956774) on all of your Hyper-V physical computers. See VMM System Requirements on Microsoft TechNet for a full list of prerequisites.

Figure 2.3. System Center Virtual Machine Manager 2008

VMM 2008 is a comprehensive solution that offers many tools for managing virtual machine resources. In a security context, however, the most important features of VMM 2008 involve its ability to delegate virtual machine administrative permissions. VMM 2008 allows you to create groups of physical Hyper-V computers, or hosts, and manage administrative access to them individually. VMM 2008 also allows you to create libraries that can be used to store virtual machines when they are not in use, and to store resources for creating new virtual machines based on templates and standard profiles. As with host groups, you can control which users have access to different libraries, which allows you to deploy sensitive library resources in a secure manner. VMM 2008 also enables you to create self-service users who have limited, Web-based administrative access to selected virtual machines.

In VMM 2008 you can create user roles to delegate permissions for individual groups of hosts, virtual machines, and library servers. Each user role includes a profile that determines the level of access granted by the role, and one or more host groups and library servers that the role is allowed to manage. You can add Active Directory Domain Services (AD DS) user accounts and groups as members of each user role as needed. VMM 2008 defines three profiles that can be applied to user roles:
- The Administrator profile is the highest level of access available in VMM 2008. A single Administrator role is created by default when you install VMM 2008, and you cannot assign the Administrator profile to any new user roles that you create. Users who are assigned to the Administrator role have complete administrative access to all the hosts, virtual machines, and library servers in VMM 2008.
- The Delegated Administrator profile grants administrative access to a defined set of host groups and library servers. Users who belong to a Delegated Administrator role can use the VMM Administrator Console to modify the configuration of all virtual machines defined on any Hyper-V hosts that they control. It is not possible to use the Delegated Administrator role to delegate access to specific virtual machines. Delegated administrators can also be granted access to resources stored on library servers defined in VMM 2008.
- The Self-Service User profile grants administrative access to a defined set of virtual machines through the Web-based Virtual Machine Manager Self-Service Portal. Self-service users cannot use the VMM 2008 console to manage virtual machine resources. You can also limit the virtual machine management tasks that users who belong to a Self-Service User role can perform.

These profiles make it possible to deploy Hyper-V within your organization in a way that is both flexible and secure. By using VMM 2008 to define virtual machine user roles and limit their access appropriately, you can give people throughout your organization control over their own Hyper-V resources without compromising the security of any servers managed by other groups.

Delegated Administrator Role


Users who belong to a Delegated Administrator role can use the VMM Administrator Console to access all of the hosts and library servers they are entitled to manage, as determined by the role settings. Other hosts and library servers do not display in the console and cannot be managed by the user.

To add a Delegated Administrator user role in VMM 2008

1. In the User Roles view in the VMM Administrator Console, click New User Role in the Actions pane. The New User Role Wizard appears.
2. On the General page, type a User role name and Description, and then select Delegated Administrator in the User Role Profile list. Click Next.
3. On the Add Members page, click Add, and then type the names of the Active Directory users or groups you want to add to this role. Click Next.
4. As shown on the Select Scope page in the following screen shot, select the host groups and library servers that you want to enable members of the user role to manage. Click Next.

Figure 2.4. The Select Scope page of the Create User Role Wizard

5. On the Summary page, review the user role settings and click Create.

Self-Service Portal


The Virtual Machine Manager Self-Service Portal is a Web site through which self-service users can create and operate their own virtual machines within a controlled environment. Using the Self-Service Portal, self-service users can see only the virtual machines that they own, and they are allowed to perform only the actions that the user role associated with the virtual machine allows. For example, you might want to create a group of self-service users who are allowed to start, stop, pause, and resume virtual machines on a host group, but not to perform other administrative actions such as managing virtual machine checkpoints or removing virtual machines from hosts.

Figure 2.5. The Web-based Virtual Machine Manager Self-Service Portal

To add a Self-Service User role in VMM 2008

1. In the User Roles view in the VMM Administrator Console, click New User Role in the Actions pane. The New User Role Wizard appears.
2. On the General page, type a User role name and Description, and then select Self-Service User in the User Role Profile list. Click Next.
3. On the Add Members page, click Add, and then type the names of the Active Directory users or groups you want to add to this role. Click Next.
4. On the Select Scope page, select the host groups and library servers that you want to enable members of the user role to manage. Click Next.
5. As shown on the Virtual Machine Permissions page in the following screen shot, select the actions that you want to allow the members of this group to perform on virtual machines. You can select All actions, or grant a set of actions by selecting one or more of the following:
   - Start
   - Stop
   - Pause and resume
   - Checkpoint. Allows users to create and remove checkpoints, and to restore their virtual machines to a previous checkpoint. A checkpoint saves the state of each virtual hard disk that is attached to a virtual machine and all of the hard disk's contents, including application data files. Creating checkpoints for a virtual machine provides the ability to restore the virtual machine to a previous state.
     Note Assign this action with care. Creating and restoring checkpoints is a resource intensive operation that can affect the performance of a Hyper-V server. Checkpoints can consume considerable amounts of disk space, and reverting a VM to a previous state could lead to unwanted data loss.
   - Remove. Allows users to remove virtual machines, which deletes the configuration files.
   - Local Administrator. Allows users to set the local administrator password when creating a virtual machine so that they have administrator rights and permissions on the virtual machine.
   - Remote connection. Allows users to remotely control a virtual machine.
   - Shut down

Figure 2.6. Specifying permitted actions for a user role with the Self-Service User profile

6. On the Virtual Machine Creation Settings page, specify whether users are allowed to create virtual machines. You can specify the templates that users can choose from when creating their virtual machines, and set the quota for deployed virtual machines. See Working with Virtual Machine Templates on Microsoft TechNet for more information about templates.
7. On the Library Share page, specify whether users are allowed to store virtual machines in a library. You can select the library server, share, and path for the virtual machines. In addition, you can allow users to attach ISO images to their virtual machines by selecting a Library path that contains ISO images. See Configuring the VMM Library on Microsoft TechNet for more information about libraries.
8. On the Summary page, review the user role settings and click Create.

Users assigned to a Self-Service User role can visit the portal using a Web browser and perform any actions permitted by the role. They cannot access any servers to which the role has not been granted access. This feature can be used to provide an enhanced level of access control that cannot be easily configured using Authorization Manager. For example, a Hyper-V deployment might include hosts used by several different departments within an organization, some of which might be used to manage sensitive data. Delegating full administrative access to designated users
Solution Accelerators
microsoft.com/technet/SolutionAccelerators

Chapter 2: Delegating Virtual Machine Management

27

within each department would give all such users control over any VMs that belong to the other departments, including the ability to perform such operations as deleting or duplicating existing VMs. Such a configuration could risk the disclosure, alteration, or loss of sensitive data. You can mitigate this risk by using VMM 2008 to configure groups of self-service users with access to specific virtual machines. This approach makes it possible to host VMs that belong to different groups on the same physical server while minimizing risk to sensitive data.

More Information

The following resources on Microsoft.com provide more information about some of the concepts and techniques described in this chapter.
   Authorization Manager
For remote management of Hyper-V, see:
   Install and Configure Hyper-V Tools for Remote Administration
   Hyper-V Remote Management Configuration Utility
For System Center Virtual Machine Manager 2008 information, see:
   System Center Virtual Machine Manager 2008
   VMM System Requirements
   Hyper-V Update for Windows Server 2008 x64 Edition (KB 956589)
   Background Intelligent Transfer Service (BITS) update (KB 956774)
   Working with Virtual Machine Templates
   Configuring the VMM Library
   Scripting in VMM 2008 with Windows PowerShell

Chapter 3: Protecting Virtual Machines


This chapter provides guidance for securing the files that are used to create and run virtual machines (VMs), such as virtual hard disk (VHD) files and configuration files. It includes best practice recommendations for properly implementing file system permissions, encryption, and auditing that help protect your VMs and related configuration files from unauthorized access and malicious tampering. The chapter also includes best practice information and resources designed to help you safeguard the operating systems running within a VM against common threats.

Methods for Protecting VMs


A virtual machine consists of a set of files, including VHD files and files that define how the VM is configured. Some VM scenarios can include files that are not typically associated with physical computers, such as the contents of the memory of a running server stored on disk. Applications that store sensitive information such as passwords or hashes in memory but not typically to disk can therefore be more at risk if run in virtualized environments, because of the possibility of sensitive information being stored to disk as state information. As files on disk, VM resources can be secured using many of the same techniques that are commonly used to store other files in Windows Server environments, including file system security, encryption, and object access auditing.

Hardening the Virtual Machine Operating System and Applications


The same security measures and hardening you would apply to a physical computer should be applied to virtual machines. You should perform hardening steps for the virtual machine's server role as indicated in the Server Role Security Configuration section in Chapter 1, including consulting the appropriate Microsoft Solution Accelerator guidance for the specific operating system.

Firewall and Antivirus Requirements


Each operating system running on a virtual machine needs its own firewall, antivirus, and intrusion detection software as appropriate for the environment.

Group Policy Considerations


Like physical servers, virtual machines should be added to the appropriate organizational units (OUs) so that Group Policy settings apply correctly.


For more information on reducing the attack surface and hardening the security of the operating systems that run inside VMs, consult the following Microsoft Solution Accelerator guidance:
   Windows Server 2008 Security Compliance Management Toolkit
   Windows Server 2003 Security Compliance Management Toolkit
   Windows Vista Security Compliance Management Toolkit
   Windows XP Security Compliance Management Toolkit

Using File System Security to Protect Virtual Machine Resources


You can use access control lists (ACLs) to help protect VHD files and virtual machine configuration files from unauthorized file system-level access. This approach can prevent scenarios such as an unauthorized person copying a VHD from a Hyper-V computer or library server to another location, or replacing an existing virtual machine file with an altered version.

However, using ACLs to restrict access to files or folders is not an effective way to manage administrative access to VMs themselves. Each virtual machine runs in the context of a virtual machine worker process (vmwp.exe), which runs under the NETWORK SERVICE account and which is able to access the file system resources that make up the virtual machine. This functionality enables any user who has the necessary permissions to use Hyper-V Manager to stop and start virtual machines, mount virtual hard disks, and perform other management tasks regardless of whether they can access the files in the file system with their own user accounts. A comprehensive Hyper-V security plan involves a combination of ACLs and tools such as Virtual Machine Manager 2008 (VMM 2008) that can be used to restrict VM management capabilities.

If several administrators manage different virtual machines on the same physical computer, consider granting their individual accounts permissions to access the folders in which the resource files are stored. This approach allows them to perform management tasks at the level of the physical computer's file system, such as moving their virtual machines and the resource files they use to a different physical computer, or copying ISO files (CD or DVD image files that usually have the extension .iso) and virtual floppy disks to an appropriate file system location so that they can mount them within their virtual machines.
A flexible system might involve adding a layer of subdirectories to the folder structure suggested in Chapter 1, such as the following:
   W:\Virtualization Resources\Project A\Virtual Machines
   W:\Virtualization Resources\Project A\Virtual Hard Disks
   W:\Virtualization Resources\Project A\Virtual Floppy Disks
   W:\Virtualization Resources\Project A\ISO files
   W:\Virtualization Resources\Project B\Virtual Machines
   W:\Virtualization Resources\Project B\Virtual Hard Disks
   W:\Virtualization Resources\Project B\Virtual Floppy Disks
   W:\Virtualization Resources\Project B\ISO files
   W:\Virtualization Resources\Project C\Virtual Machines
   W:\Virtualization Resources\Project C\Virtual Hard Disks
   W:\Virtualization Resources\Project C\Virtual Floppy Disks
   W:\Virtualization Resources\Project C\ISO files

The ACLs for all of the folders would need to include the default permissions described in the "Securing Dedicated Storage Devices" section in Chapter 1 of this guide. In addition, if you want to allow virtual machine administrators to copy resource files to and from the physical computer, you should grant them Full Control for the subdirectories of their respective projects and create a network share that provides them with access to the parent Virtualization Resources folder. If you are running VMM 2008, consider using VMM libraries to store resources like ISO files. See Virtual Machine Manager Library on Microsoft TechNet for more information.
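The per-project layout and permissions described above, scripted as an added example that is not part of the guide. The W: drive, the CONTOSO group names, and the read/list grant on the parent folder (which the guide does not specify) are assumptions; existing permissions on the folders are left in place.

```powershell
# Added example (not from the Hyper-V Security Guide). Builds the per-project
# layout and grants each project's VM administrators Full Control on their own
# subtree only. The parent folder keeps whatever (Chapter 1 default) permissions
# it already has; AddAccessRule only appends. Group names and W: are assumed.
$root = 'W:\Virtualization Resources'
$projects = @{
    'Project A' = 'CONTOSO\ProjectA-VMAdmins'   # assumed group names
    'Project B' = 'CONTOSO\ProjectB-VMAdmins'
    'Project C' = 'CONTOSO\ProjectC-VMAdmins'
}
$subfolders = 'Virtual Machines', 'Virtual Hard Disks', 'Virtual Floppy Disks', 'ISO files'

function Add-FolderAccessRule {
    param([string]$Path, [string]$Identity,
          [System.Security.AccessControl.FileSystemRights]$Rights,
          [System.Security.AccessControl.InheritanceFlags]$Inheritance)
    $acl  = Get-Acl -Path $Path
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
        $Identity, $Rights, $Inheritance,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

foreach ($project in $projects.Keys) {
    $group       = $projects[$project]
    $projectPath = Join-Path $root $project
    foreach ($sub in $subfolders) {
        $path = Join-Path $projectPath $sub
        if (-not (Test-Path $path)) { New-Item -Path $path -ItemType Directory | Out-Null }
    }

    # Full Control on the project's subtree, inherited by the subfolders and by
    # the VHD, configuration, ISO and VFD files later placed in them.
    Add-FolderAccessRule -Path $projectPath -Identity $group `
        -Rights FullControl -Inheritance 'ContainerInherit, ObjectInherit'

    # Read/list on the parent folder itself only (no inheritance), so the group
    # can browse the share root and reach its own project folder but nothing
    # else. This grant is my assumption; the guide does not state it.
    Add-FolderAccessRule -Path $root -Identity $group `
        -Rights ReadAndExecute -Inheritance None
}

# Share the parent folder. CHANGE at the share level is sufficient: the NTFS
# DACLs set above remain the effective per-project restriction.
$grants = $projects.Values | ForEach-Object { "/GRANT:$_,CHANGE" }
& net share "Virtualization Resources=$root" $grants
```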

Using Encryption to Protect Virtual Machine Resources


Windows BitLocker Drive Encryption (BitLocker) is a data protection feature included with Windows Server 2008. BitLocker is an operating system-based software capability that works with features in server hardware and firmware to provide secure operating system boot and disk drive encryption. This encryption physically safeguards operating system integrity and data. BitLocker-based physical protection is present even when the server is not powered or operating, which means that data is protected even if a disk is stolen and mounted on another machine for data mining purposes. BitLocker also protects data if an attacker uses a different operating system or runs a software hacking tool to access a disk.
Important Use BitLocker Drive Encryption in the Hyper-V management operating system only. Do not run BitLocker Drive Encryption within a virtual machine. BitLocker Drive Encryption is not supported within virtual machines.

BitLocker helps prevent unauthorized access to data on lost or stolen computers by combining two major data-protection procedures:
   Encrypting the entire Windows operating system volume and other data volumes.
   Verifying the integrity of early boot components and boot configuration data.

In addition to protecting business-critical information and databases as well as other incidental data that is created during business transactions, BitLocker can protect virtual machine configurations and their VHDs. Any configurations and VHDs that are created and stored on a BitLocker-encrypted physical disk volume receive BitLocker protection, regardless of the operating systems that run on those virtual machines. This capability means that non-Windows and legacy Microsoft operating systems benefit from the same BitLocker protection when they run as guest operating systems of Windows Server 2008 Hyper-V.

Before you attempt to configure BitLocker and Hyper-V on the same server, however, there are a few issues you should consider. BitLocker is designed to work with a Trusted Platform Module (TPM), a hardware device that can store and process cryptographic keys to provide enhanced security through pre-startup system integrity verification. Hyper-V does not provide virtual machines with access to the TPM, so you cannot use BitLocker with TPM to encrypt virtual machines independently. However, you can use BitLocker with TPM from a physical Hyper-V computer's management operating system to encrypt an entire physical drive connected to the Hyper-V computer, including the VHD files and other configuration files used by virtual machines. This method provides all of the virtual machines on the encrypted disk with the same level of protection. However, it will not help isolate the virtual machines and their resource files from the other virtual machines running on the same physical computer.
Note Although using Hyper-V in a clustered environment is outside the scope of this guide, it is worthwhile to point out that BitLocker does not work with Windows Failover Clustering. For information on using Hyper-V and Failover Clustering see Hyper-V Step-by-Step Guide: Hyper-V and Failover Clustering on Microsoft TechNet.

For instructions about how to use BitLocker to encrypt Windows Server 2008 Hyper-V physical computers, see Windows Server 2008 Hyper-V and BitLocker Drive Encryption on the Microsoft Download Center.
Important Do not use Encrypting File System (EFS) to encrypt folders in which virtual machine files are stored. Hyper-V does not support the use of storage media if EFS has been used to encrypt the VHD file. To encrypt virtual machine files, use BitLocker.
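A pre-deployment check for the two Important notes above (BitLocker on the management operating system's volume, no EFS on virtual machine files), as an added example that is not part of the guide. The folder path is an assumption; the script reads BitLocker status through the Win32_EncryptableVolume WMI class, which is present only when the BitLocker feature is installed, and must run elevated.

```powershell
# Added example (not from the Hyper-V Security Guide). Before placing VM files
# on a volume: confirm BitLocker protection is on for that volume in the
# management operating system, and that no file under the VM folder is
# EFS-encrypted (Hyper-V cannot use EFS-encrypted VHDs). Path is assumed.
param(
    [string]$VmRoot = 'W:\Virtualization Resources'
)

function Get-BitLockerProtectionStatus {
    param([string]$DriveLetter)   # e.g. 'W:'
    # Win32_EncryptableVolume lives in the MicrosoftVolumeEncryption namespace,
    # which exists only when the BitLocker feature is installed.
    # ProtectionStatus: 0 = off, 1 = on, 2 = unknown.
    $vol = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftVolumeEncryption' `
        -Class Win32_EncryptableVolume -Filter "DriveLetter='$DriveLetter'" `
        -ErrorAction SilentlyContinue
    if ($vol -eq $null) { return 'NotAvailable' }
    switch ($vol.ProtectionStatus) {
        0       { 'Off' }
        1       { 'On' }
        default { 'Unknown' }
    }
}

function Find-EfsEncryptedFiles {
    param([string]$Path)
    # The Encrypted attribute is set on files protected by EFS.
    Get-ChildItem -Path $Path -Recurse -Force |
        Where-Object { -not $_.PSIsContainer -and
                       (($_.Attributes -band [System.IO.FileAttributes]::Encrypted) -ne 0) }
}

$drive  = Split-Path -Qualifier $VmRoot
$status = Get-BitLockerProtectionStatus -DriveLetter $drive
Write-Host "BitLocker protection on $drive : $status"
if ($status -ne 'On') {
    Write-Warning "$drive is not BitLocker-protected; VM files on it are readable if the disk is removed."
}

$efs = @(Find-EfsEncryptedFiles -Path $VmRoot)
if ($efs.Count -gt 0) {
    Write-Warning "$($efs.Count) EFS-encrypted file(s) under $VmRoot; Hyper-V does not support these:"
    $efs | ForEach-Object { Write-Host "  $($_.FullName)" }
} else {
    Write-Host "No EFS-encrypted files under $VmRoot."
}
```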

Using Auditing to Track Access to Virtual Machine Resources


File system security can prevent unauthorized access to critical virtual machine resources, such as VHD files. Object access auditing can help detect potentially harmful activity by users. Enabling object access auditing on a physical computer causes it to log every attempt by a user to access the audited files. Successful and unsuccessful access attempts can be audited. If the security or integrity of the data stored in a VHD file is breached, the audit trail will reveal who has accessed the file and when, which can be used to determine who was responsible for the breach. The following procedures describe how to configure audit rules for a file or folder, and how to test each audit rule for each object in the specified file or folder.
Note You must use Auditpol.exe to configure the File System subcategory to audit Success and Failure events. Then you can use the following procedure to log events in the Security event log.

To define an audit rule for a file or folder

1. On the physical computer, use Windows Explorer to locate and select the file or folder.
2. On the File menu, click Properties.
3. Click the Security tab, and then click the Advanced button.
4. Click the Auditing tab.
5. If prompted for administrative credentials, click Continue, type your username and password, and then press Enter.
6. Click the Add button to make the Select User, Computer, or Group dialog box display.
7. Click the Object Types button, and then in the Object Types dialog box, select the object types you want to find.
   Note The User, Group, and Built-in security principal object types are selected by default.
8. Click the Locations button, and then in the Location dialog box, select either your domain or local computer.
9. In the Select User or Group dialog box, type the name of the group or user you want to audit. Then, in the Enter the object names to select dialog box, type Authenticated Users (to audit the access of all authenticated users) and then click OK. The Auditing Entry dialog box displays.
10. Determine the type of access you want to audit on the file or folder using the Auditing Entry dialog box.
   Note Remember that each object access may generate multiple events in the event log and cause it to grow rapidly.
11. In the Auditing Entry dialog box, next to List Folder/Read Data, select Successful and Failed, and then click OK. You can view the audit entries you enabled under the Auditing tab of the Advanced Security Settings dialog box.
12. Click OK to close the Properties dialog box.

To test an audit rule for a file or folder

1. On the physical computer, in Windows Explorer, open the file or folder being audited.
2. Close the file or folder.
3. Start the Event Viewer. Several Object Access events with Event ID 4663 will appear in the Security event log.
4. Double-click the events as needed to view their details.

Microsoft recommends enabling object access auditing on VHD files for every user or group that has access to the files through the file system. This approach will ensure that every attempt by a user to open, copy, modify, or delete an audited file will be recorded, which can be useful in a number of scenarios. For example, if a malicious administrator makes an unauthorized copy of a sensitive VHD file, the audit log can be used to trace the action back to the person responsible. For additional security, a monitoring product like Microsoft System Center Operations Manager can be configured to issue alerts when access attempts are made under certain circumstances, which could help prevent security breaches.
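The two procedures above scripted end to end, as an added example that is not part of the guide: enable the File System subcategory with Auditpol.exe, add a Success and Failure audit entry for Authenticated Users on a VHD folder, then read the resulting event ID 4663 entries back from the Security log. The folder path is an assumption, and the audit entry goes a little beyond the List Folder/Read Data entry the procedure selects by also covering write and delete, so that the open, copy, modify, and delete cases in the recommendation are all recorded.

```powershell
# Added example (not from the Hyper-V Security Guide). Requires an elevated
# prompt: writing a SACL needs the "Manage auditing and security log"
# privilege. The path is assumed.
param(
    [string]$AuditPath = 'W:\Virtualization Resources\Project A\Virtual Hard Disks'
)

# 1. Prerequisite from the Note above: without the File System subcategory
#    enabled, audit entries on files never produce events.
auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null

# 2. Add the audit entry (Success and Failure, inherited by files and subfolders).
#    ReadData is the List Folder/Read Data entry from the procedure; WriteData
#    and Delete are added so modify/delete attempts are logged too.
$acl  = Get-Acl -Path $AuditPath -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule -ArgumentList @(
    'Authenticated Users',
    [System.Security.AccessControl.FileSystemRights]'ReadData, WriteData, Delete',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')
$acl.AddAuditRule($rule)
Set-Acl -Path $AuditPath -AclObject $acl

# 3. Test: access the folder, then pull the 4663 events that name it.
function Get-VhdAccessEvents {
    param([string]$Path, [int]$MaxEvents = 50)
    # Event 4663, "An attempt was made to access an object". In its event data
    # the subject user name is field 2, the object name field 7 and the
    # requested access list field 9 (zero-based 1, 6 and 8 below).
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } `
                 -MaxEvents 1000 -ErrorAction SilentlyContinue |
        Where-Object { [string]$_.Properties[6].Value -like "$Path*" } |
        Select-Object -First $MaxEvents TimeCreated,
            @{ Name = 'User';   Expression = { $_.Properties[1].Value } },
            @{ Name = 'Object'; Expression = { $_.Properties[6].Value } },
            @{ Name = 'Access'; Expression = { [string]$_.Properties[8].Value } }
}

Get-ChildItem -Path $AuditPath | Out-Null      # a List Folder/Read Data access
Get-VhdAccessEvents -Path $AuditPath | Format-Table -AutoSize
```

The Access column shows resource-string identifiers such as %%4416 (ReadData); Event Viewer resolves them to names when you double-click an event.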

Maintaining Virtual Machines


Ensuring that virtual machines are kept up to date with operating system, application, and antivirus updates can present challenges. Virtual machines might be left offline (stored in a non-operating state) for extended periods of time when not needed to free up physical computing resources for other purposes. However, if a virtual machine is offline it cannot automatically receive updates through mechanisms such as Windows Update or Windows Software Update Services (WSUS). If deployed and started, the out-of-date virtual machine might be vulnerable to attack or could be capable of attacking other network resources.

The Offline Virtual Machine Servicing Tool 2.0.1, a Solution Accelerator available for download at no cost from Microsoft, provides a way to automate the process of updating virtual machines. To use the tool, you must have VMM 2007 or 2008 and one of the following software update management systems:
   WSUS 3.0 (including WSUS 3.0 SP1)
   System Center Configuration Manager 2007, Configuration Manager 2007 SP1, or Configuration Manager 2007 R2.

The Offline Virtual Machine Servicing Tool uses servicing jobs to manage the update operations based on lists of existing virtual machines and virtual machine templates stored in VMM 2008. Using Windows Workflow Foundation technology, a servicing job runs snippets of Windows PowerShell scripts to work with virtual machines. For each virtual machine, the servicing job performs the following functions:
   Wakes the virtual machine (deploys it to a servicing host and starts it).
   Triggers the appropriate software update cycle (Configuration Manager or WSUS).
   Shuts down the updated virtual machine and returns it to the library.

The servicing hosts used for updating virtual machines reside on a dedicated private virtual network, so the VMs are protected from attacks while they are serviced. The Offline Virtual Machine Servicing Tool 2.0.1 is a free download from the Microsoft Download Center.

Hyper-V Security Best Practice Checklist


Securing Hyper-V involves all the measures that are required to safeguard any Windows Server 2008 server role, plus a few extra to help secure the VMs, configuration files, and data. The following list of recommended best practices serves as a checklist to help you enhance the security of your Hyper-V environment. These best practices summarize many of the recommendations described in this guide. Additional information on several of these best practices is available on the Planning for Hyper-V Security page on TechNet.

Management Operating System Configuration


Microsoft recommends paying close attention to the following best practices for securing Hyper-V when configuring the management operating system:
   Use a Server Core installation for the management operating system.
   Keep the management operating system up to date with the latest security updates.
   Use a separate network with a dedicated network adapter for the management operating system of the physical Hyper-V computer.
   Secure the storage devices where you keep virtual machine resource files.
   Harden the management operating system using the baseline security setting recommendations described in the Windows Server 2008 Security Compliance Management Toolkit.
   Configure any real-time scanning antivirus software components installed on the management operating system to exclude Hyper-V resources.
   Do not use the management operating system to run applications.
   Do not grant virtual machine administrators permissions on the management operating system.
   Use the security level of your virtual machines to determine the security level of your management operating system.
   Use BitLocker Drive Encryption to protect resources.

Virtual Machine Configuration


The following recommended best practices can help you enhance security when configuring virtual machines on servers running the Hyper-V role:
   Configure virtual machines to use fixed-sized virtual hard disks.
   Store virtual hard disks and snapshot files in a secure location.
   Decide how much memory to assign to a virtual machine.
   Impose limits on processor usage.
   Configure the virtual network adapters of each virtual machine to connect to the correct type of virtual network to isolate network traffic as required.
   Configure only required storage devices for a virtual machine.
   Harden the operating system running in each virtual machine according to the server role it performs using the baseline security setting recommendations described in the Windows Server 2008 Security Compliance Management Toolkit.
   Configure antivirus, firewall, and intrusion detection software within virtual machines as appropriate based on server role.
   Ensure that virtual machines have all the latest security updates before they are turned on in a production environment.
   Ensure that your virtual machines have integration services installed.


More Information
The following resources on Microsoft.com provide more information about some of the concepts and techniques described in this chapter.
   Windows Server 2008 Security Compliance Management Toolkit
   Windows Server 2003 Security Compliance Management Toolkit
   Windows Vista Security Compliance Management Toolkit
   Windows XP Security Compliance Management Toolkit
   Windows Server 2008 Hyper-V and BitLocker Drive Encryption
   Offline Virtual Machine Servicing Tool
