Version 1.0
Published: March 2009 For the latest information, please see microsoft.com/technet/SolutionAccelerators
Copyright 2009 Microsoft Corporation. All rights reserved. Complying with the applicable copyright laws is your responsibility. By using or providing feedback on this documentation, you agree to the license agreement below. If you are using this documentation solely for non-commercial purposes internally within YOUR company or organization, then this documentation is licensed to you under the Creative Commons Attribution-NonCommercial License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc/2.5/ or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA. This documentation is provided to you for informational purposes only, and is provided to you entirely "AS IS". Your use of the documentation cannot be understood as substituting for customized service and information that might be developed by Microsoft Corporation for a particular user based upon that user's particular environment. To the extent permitted by law, MICROSOFT MAKES NO WARRANTY OF ANY KIND, DISCLAIMS ALL EXPRESS, IMPLIED AND STATUTORY WARRANTIES, AND ASSUMES NO LIABILITY TO YOU FOR ANY DAMAGES OF ANY TYPE IN CONNECTION WITH THESE MATERIALS OR ANY INTELLECTUAL PROPERTY IN THEM. Microsoft may have patents, patent applications, trademarks, or other intellectual property rights covering subject matter within this documentation. Except as provided in a separate agreement from Microsoft, your use of this document does not give you any license to these patents, trademarks or other intellectual property. Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, email addresses, logos, people, places and events depicted herein are fictitious.
Microsoft, Active Directory, BitLocker, Hyper-V, Windows, Windows Server, and Windows Vista are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners. You have no obligation to give Microsoft any suggestions, comments or other feedback ("Feedback") relating to the documentation. However, if you do provide any Feedback to Microsoft then you provide to Microsoft, without charge, the right to use, share and commercialize your Feedback in any way and for any purpose. You also give to third parties, without charge, any patent rights needed for their products, technologies and services to use or interface with any specific parts of a Microsoft software or service that includes the Feedback. You will not give Feedback that is subject to a license that requires Microsoft to license its software or documentation to third parties because we include your Feedback in them.
Solution Accelerators
microsoft.com/technet/SolutionAccelerators
Contents
Overview
  Who Should Read This Guide
  Skills and Readiness
  Chapter Summaries
  Style Conventions
  More Information
  Support and Feedback
  Acknowledgements
Chapter 1: Hardening Hyper-V
  Attack Surface
  Server Role Security Configuration
  Default Installation Recommendations
  Management Operating System Security
  Host Network Configuration
  Securing Dedicated Storage Devices
  Security Setting Recommendations
  Virtual Machine Security
  Virtual Machine Configuration
  More Information
Chapter 2: Delegating Virtual Machine Management
  Using Tools to Delegate Access
  Delegating Access with Authorization Manager
  System Center Virtual Machine Manager 2008
  Delegated Administrator Role
  Self Service Portal
  More Information
Chapter 3: Protecting Virtual Machines
  Methods for Protecting VMs
  Hardening the Virtual Machine Operating System and Applications
  Firewall and Antivirus Requirements
  Group Policy Considerations
  Using File System Security to Protect Virtual Machine Resources
  Using Encryption to Protect Virtual Machine Resources
  Using Auditing to Track Access to Virtual Machine Resources
  Maintaining Virtual Machines
  Hyper-V Security Best Practice Checklist
  Management Operating System Configuration
  Virtual Machine Configuration
  More Information
Overview
Welcome to the Hyper-V Security Guide. This guide provides instructions and recommendations to help strengthen the security of computers running the Hyper-V role on Windows Server 2008. Microsoft engineering teams, consultants, support engineers, partners, and customers have reviewed and approved this prescriptive guidance to make it:
- Proven. Based on field experience.
- Authoritative. Offers the best advice available.
- Accurate. Technically validated and tested.
- Actionable. Provides the steps to success.
- Relevant. Addresses real-world security concerns.

Microsoft has published security guides for Windows Server 2008 and Windows Server 2003. This guide references significant new capabilities and security enhancements in Windows Server 2008. The guide was developed and tested with computers running the Hyper-V role on Windows Server 2008 that were joined to a domain that uses Active Directory Domain Services (AD DS). As Hyper-V continues to evolve through future releases, you can expect updated versions of this guidance to include more security recommendations.

Solution Accelerators are also available to assist you with the deployment and operation of Windows Server 2008 as well as other Microsoft technologies. For more information about all available accelerators, visit Solution Accelerators on Microsoft TechNet.
security and controlling change in the deployment process, and deployment personnel focus on administering security updates quickly.
- Systems architect and planner. Individuals in this role drive the architecture efforts for computer systems in their organizations.
- Consultant. Individuals in this role are aware of security scenarios that span all the business levels of an organization. IT consultants from both Microsoft Services and partners take advantage of knowledge transfer tools for enterprise customers and partners.
Chapter Summaries
This release of the Hyper-V Security Guide consists of this Overview and three chapters that discuss methods and best practices that will help you secure your Hyper-V environment. Brief descriptions follow for each chapter.
Overview
The overview states the purpose and scope of the guide, defines the guide audience, and describes the guide's structure to help you locate the information that is relevant to you. It also describes the user prerequisites for the guidance.
Style Conventions
This guidance uses the style conventions that are described in the following table.

Element: Meaning
Bold font: Signifies characters typed exactly as shown, including commands, switches, and file names. User interface elements also appear in bold.
Italic font: Titles of books and other substantial publications appear in italic.
<Italic>: Placeholders set in italic and angle brackets represent variables.
Monospace font: Defines code and script samples.
Note: Alerts the reader to supplementary information.
Important: Alerts the reader to essential supplementary information.
More Information
The following resources provide additional information about security topics and detailed discussion of the concepts and security prescriptions in this guide on Microsoft.com:
- Hyper-V Planning and Deployment Guide: Planning for Hyper-V Security
- Windows Server 2008 Security Compliance Management Toolkit
- GPOAccelerator tool and guidance
- Infrastructure Planning and Design guides
- Microsoft Deployment Toolkit 2008 page on Microsoft TechNet
- Microsoft Windows Security Resource Kit
- Security Solution Accelerator page on Microsoft TechNet
Acknowledgements
The SA-SC team would like to acknowledge and thank the team that produced the Hyper-V Security Guide. The following people were either directly responsible or made a substantial contribution to the writing, development, and testing of this solution.
Development Team
Authors: Kurt Dillard (KurtDillard.com), Richard Harrison (Content Master Ltd), Paul Henry (Wadeware LLC)
Development Lead: Jos Maldonado
Editor: Steve Wacker (Wadeware LLC)
Product Manager: Shruti Kala
Program Manager: Tom Cloward
Release Managers: Karina Larson, Shealagh Whittle (Aquent LLC)
Test Manager: Sumit Parikh
Testers: Raxit Gajjar (Infosys Technologies Ltd), Tushar Vijay Lunawat (Infosys Technologies Ltd)

Carsten Kinder, Kathy Lambert, David Lef, Patrick Lownds (Hewlett-Packard), Jason Missildine, Keith Pawson, Bhaskar Rastogi, Enrique Saggese, Tony Soper, Pat Telford, Elton Tucker, Gary Verster, Anand.V.V.N (Xinfotainment), Kiyoshi Watanabe
Attack Surface
As with other roles in Windows Server 2008, adding the Hyper-V role changes the attack surface of the computer. To determine the attack surface of this role, you need to identify the following:
- Installed files. The files that are installed as part of the Hyper-V role.
- Installed services. The services that are installed as part of the Hyper-V role.
- Firewall rules. The firewall rules that are installed or enabled as a part of the Hyper-V role.

For an up-to-date list of the files, services, and firewall rules that the Hyper-V role installs, see the Hyper-V Attack Surface Reference Workbook on the Microsoft Download Center.
Figure 1.1. Basic Hyper-V virtualization technology architecture

After you install the Hyper-V role, all of the operating system instances on the physical computer run as virtual machines. Even the instance of Windows Server 2008 that you use to create and manage the virtual machines is a virtual machine; this instance is the management operating system. You use the management operating system specifically to create and manage virtual machines.

Hyper-V uses a microkernelized approach in which the hypervisor is very small and allows no third-party code to run within it. The hypervisor, which is a core component of Hyper-V, is a thin layer of software between the hardware and the operating system. The hypervisor allows multiple operating systems to run unmodified on a single physical computer at the same time. Because any unknown security vulnerabilities included in Hyper-V could compromise the security of the management operating system and the virtual machines, Microsoft has carefully reviewed and tested the Hyper-V source code to minimize this risk. In addition, the hypervisor component was designed with minimal configuration requirements to reduce its complexity and attack surface. (For more information on the Hyper-V virtualization architecture, see An Introduction to Hyper-V in Windows Server 2008 on Microsoft TechNet.)

The remainder of this chapter focuses on the steps you need to perform to protect the management operating system and the virtual machines. There are two categories of countermeasures:
- Management operating system security. The configuration of the physical computer itself, including discrete network interfaces for accessing the management operating system and virtual machines.
- Virtual machine security. The configuration of the virtual machines.
If you do not see kbid=950050, download the Hyper-V updates and then enter the following command at a command prompt:

wusa.exe Windows6.0-KB950050-x64.msu /quiet

There are three update packages. After you install the updates, you must restart the server.

You must update the management operating system with the Update for Windows Server 2008 x64 Edition (KB 950050) and Language Pack for Hyper-V (KB951636). The Update for Windows Server 2008 (KB952627) is for remote management of the Server Core installation if you are managing the server from a computer running Windows Vista Service Pack 1 (SP1). It must be installed on the computer running Windows Vista SP1.
Important Before you enable the Hyper-V role, ensure that you have enabled the required hardware-assisted virtualization and hardware-enforced Data Execution Prevention (DEP) BIOS settings. Checks for these settings are performed before you enable the Hyper-V role on a full installation, but not on a Server Core installation.
After you make the BIOS configuration changes to enable the required hardware features, you might need to turn off the power to the computer and then turn it back on (because restarting the computer might not apply the changes to the settings). If you enable the Hyper-V role without modifying the BIOS settings, the Windows hypervisor might not function as expected. If the Windows hypervisor malfunctions, check the event log for details, modify the BIOS settings according to the server hardware manufacturer instructions, turn off and turn on the computer running a Server Core installation, and then install Hyper-V again.

To check if your server hardware is compatible, see the Windows Server catalog. Click the list of Certified Servers, and then click By additional qualifications Hyper-V. For instructions about how to enable the BIOS settings, check with your hardware manufacturer.

After you install Hyper-V, ensure that all appropriate updates are installed. A comprehensive list of Hyper-V updates is available in the Hyper-V Update List on Microsoft TechNet.

The Microsoft Remote Server Administration Tools are included with Windows Server 2008; a version of the tools for Windows Vista is also available through the Microsoft Help and Support article Description of the Windows Vista Service Pack 1 Management Tools update for the release version of Hyper-V. These tools include the Hyper-V Manager console, which enables authorized administrators to manage Hyper-V servers remotely from their workstations. The console also allows administrators to manage Hyper-V on Server Core without using command-line tools. The rest of this section discusses how to configure the physical computer using the Hyper-V Manager and other GUI management tools.
Note You can perform the same tasks on the local console of Server Core using scripts for Windows Management Instrumentation (WMI). For more information, see Virtualization WMI Provider in the MSDN Library.
adapter for the exclusive use of the management operating system, and then allow the other virtual machines to use the other network adapters. The following figure illustrates this concept.
Figure 1.2. Physical Hyper-V architecture in an enterprise network

When you install the Hyper-V role using the Add Roles Wizard on a full installation of Windows Server 2008 Enterprise, the wizard prompts you to reserve one network adapter for remote access to the management operating system, as shown in the following figure.
Figure 1.3. The Create Virtual Networks page of the Add Roles Wizard

If you leave a network adapter unselected on this page of the wizard, the network adapter will be dedicated for use by the management operating system exclusively. After installation, you can reconfigure the physical network adapters using the Hyper-V Manager.

To use the Hyper-V Manager to configure virtual networks
1. On the physical Hyper-V computer or from a remote management workstation, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In the tree pane, select the server that you want to manage.
3. In the Actions pane, click Virtual Network Manager.
4. In the Virtual Network Manager dialog box, add, modify, or remove virtual network switches to be used by the management operating system and the virtual machines.

Each virtual network you define results in the creation of a virtual network switch. You can connect the virtual network adapters inside your virtual machines to the virtual networks you create. There are three different types of virtual networks:
- External virtual networks use virtual network switches that are bound to a network adapter in the physical computer. Any virtual machines attached to an external virtual network can access the same networks to which the physical adapter is connected.
- Internal virtual networks use virtual network switches that are not bound to a network adapter in the physical computer. An internal virtual network is isolated from networks external to the physical computer. However, virtual machines connected to an internal virtual network can communicate with the management operating system.
- Private virtual networks use virtual network switches that are not bound to a network adapter in the physical computer, as with internal virtual networks. However, network traffic from virtual machines connected to a private network is completely isolated from network traffic in the management operating system and in the external networks.

These different virtual network configurations support some interesting scenarios. Consider a multi-tier application that includes Web, database, and application servers, as shown in the following figure.
Figure 1.4. Network configuration for multi-tier Web application

The physical Hyper-V computer has two network adapters. The first network adapter connects the physical computer to a physical network (labeled Management network) for management. The second network adapter connects the physical computer to a separate public network (labeled Front-end network) where the client systems and other servers are located; the Web server virtual machine is connected to this network adapter through an external virtual network. There is also a private virtual network that connects the Web server virtual machine to the application server virtual machines and the database management system (DBMS) virtual machine. This configuration isolates all of the traffic between the Web server and the other virtual machines from the publicly accessible network, and it also provides a dedicated network connection for administration of the management operating system.

Although isolating the virtual and physical networks from each other protects the virtual network from outside attacks, it also renders the virtual network segment invisible to any security tools that are deployed on the physical network, such as network intrusion detection systems (NIDS). For additional protection, deploy virtual network-capable versions of these tools on the virtual segment. For more information, see Configuring Virtual Networks on Microsoft TechNet.
Virtual hard disk (VHD) files can be dynamic or fixed-size. A dynamic VHD file is the size required by the data stored in it and can grow as the data changes. A fixed-size VHD file takes up the amount of space configured for the virtual disk, including any free space. For example, a dynamic VHD and a fixed-size VHD might both appear as 80 GB volumes when mounted inside a virtual machine, but the dynamic VHD only takes up as much space on the physical disk as the data stored in it requires; the fixed-size VHD always takes up about 80 GB on the physical disk. Microsoft recommends using fixed-size VHD files for best performance, and to prevent virtual machines from unexpectedly running out of storage space.

By default, new VHD files in the Public profile are stored in the %users%\Public\Documents\Hyper-V\Virtual Hard Disks directory. You can change the default storage location for VHDs by selecting Hyper-V Settings in the Hyper-V Manager. If you specify a different storage location, assign permissions as follows for the new folder:

Table 1.1. Permission Settings for VHD Storage Folder

Names | Permissions | Apply to
Administrators | Full Control | This folder, subfolders, and files
System | Full Control | This folder, subfolders, and files
Creator Owner | Full Control | Subfolders and files only
Interactive, Service, Batch | Create files/write data; Create folders/append data; Delete; Delete subfolders and files; Read attributes; Read extended attributes; Read permissions; Write attributes; Write extended attributes | This folder, subfolders, and files
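The Table 1.1 permissions applied with PowerShell, as an added example that is not from the guide; it assumes the W:\Virtualization Resources\Virtual Hard Disks path from the folder layout that follows, uses the .NET FileSystemAccessRule API, and must run elevated in the management operating system.

```powershell
# Added example, not from the Hyper-V Security Guide: apply the Table 1.1 ACL to a
# custom VHD storage folder. Assumed path; run elevated in the management OS.
$vhdPath = 'W:\Virtualization Resources\Virtual Hard Disks'
if (-not (Test-Path -Path $vhdPath)) { New-Item -ItemType Directory -Path $vhdPath | Out-Null }

# Every ACE in Table 1.1 inherits to subfolders and files; propagation decides
# whether it also applies to the folder itself.
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$none    = [System.Security.AccessControl.PropagationFlags]::None        # "This folder, subfolders, and files"
$ioOnly  = [System.Security.AccessControl.PropagationFlags]::InheritOnly # "Subfolders and files only"
$full    = [System.Security.AccessControl.FileSystemRights]::FullControl
# The special rights Table 1.1 grants to Interactive, Service, and Batch.
$special = [System.Security.AccessControl.FileSystemRights]'CreateFiles, AppendData, Delete, DeleteSubdirectoriesAndFiles, ReadAttributes, ReadExtendedAttributes, ReadPermissions, WriteAttributes, WriteExtendedAttributes'

function New-FolderAce {
    param([string]$Identity,
          [System.Security.AccessControl.FileSystemRights]$Rights,
          [System.Security.AccessControl.PropagationFlags]$Propagation)
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity, $Rights, $inherit, $Propagation, 'Allow')
}

$acl = Get-Acl -Path $vhdPath
# Break inheritance from the parent and drop any explicit ACEs, so the folder
# ends up with exactly the Table 1.1 entries and nothing inherited from the volume root.
$acl.SetAccessRuleProtection($true, $false)
$acl.Access | Where-Object { -not $_.IsInherited } | ForEach-Object { [void]$acl.RemoveAccessRule($_) }

$acl.AddAccessRule((New-FolderAce 'BUILTIN\Administrators' $full $none))
$acl.AddAccessRule((New-FolderAce 'NT AUTHORITY\SYSTEM'    $full $none))
$acl.AddAccessRule((New-FolderAce 'CREATOR OWNER'          $full $ioOnly))
foreach ($id in 'NT AUTHORITY\INTERACTIVE', 'NT AUTHORITY\SERVICE', 'NT AUTHORITY\BATCH') {
    $acl.AddAccessRule((New-FolderAce $id $special $none))
}
Set-Acl -Path $vhdPath -AclObject $acl

# Verify the result against Table 1.1 before pointing Hyper-V Settings at the folder.
(Get-Acl -Path $vhdPath).Access |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags -AutoSize
```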
To simplify management, you might want to store all of the VFD and ISO files in separate folders on the same logical volume as the VHDs. For example, a typical folder structure might be:

W:\Virtualization Resources\Virtual Machines
W:\Virtualization Resources\Virtual Hard Disks
W:\Virtualization Resources\Virtual Floppy Disks
W:\Virtualization Resources\ISO files
When installing antivirus software in the management operating system, configure any real-time scanning components to exclude the directories where virtual machine files are stored, as well as the program files vmms.exe and vmwp.exe in C:\Windows\System32. If you do not create these exclusion rules, you might encounter errors when creating and starting virtual machines.
- Place virtual machines of a similar trust level on the same physical computer. To maintain security in your organization, deploy your virtual machines in such a way that all the VMs on a given physical computer share a similar level of trust, and then configure the computer to be at least as secure as the most secure VM. Virtual machines that are exposed to external access, such as Web servers, or that must be accessed widely require different security precautions than servers to which access is tightly controlled or limited to a small number of users.
- Delete decommissioned high-security VHDs. For high-security VMs that contain sensitive information, establish a process for securely deleting the VHD files after decommissioning. Tools such as SDelete v1.51, available for download from Microsoft TechNet, can help with this process.
- Store snapshot files securely. A snapshot is a point-in-time image of a virtual machine's state that you can return the machine to later. It is conceptually similar to the System Restore feature of Windows XP and Windows Vista, or the undo disks used by Virtual PC and Virtual Server. Store any snapshots you create together with their associated VHDs in an equally secure location.
More Information
The following resources on Microsoft.com provide more information about some of the concepts and techniques described in this chapter.
- Windows Server 2008 Security Compliance Management Toolkit
- Windows Server 2008 Hyper-V overview white paper
- Windows Server 2008 Virtualization with Hyper-V: FAQ
- Microsoft Hyper-V Server 2008 FAQ
- Hyper-V Planning and Deployment Guide
- Performance and Capacity Requirements for Hyper-V
- Performance Tuning Guidelines for Windows Server 2008
- Planning for Hyper-V Security
- Hyper-V Attack Surface Reference Workbook
- Virtualization with Hyper-V: Supported Guest Operating Systems
- Virtualization WMI Provider
- Infrastructure Planning and Design
Figure 2.1. The Hyper-V Manager user interface

Restricting Hyper-V management capability to server administrators can make it difficult to manage a large Hyper-V deployment efficiently and securely. Granting server administrative access to many people can put critical computing resources at risk, but limiting access can create administrative bottlenecks. Managing administrative access individually for each physical Hyper-V computer can also be time-consuming and difficult to track. Fortunately, tools such as Authorization Manager and System Center Virtual Machine Manager make it possible to securely delegate and decentralize Hyper-V administrative functions.
Table 2.2. Hyper-V Network Operations

Name: Description
Bind External Ethernet Port: Authorizes binding to an external Ethernet port
Connect Virtual Switch Port: Authorizes connecting to a virtual switch port
Create Internal Ethernet Port: Authorizes creating an internal Ethernet port
Create Virtual Switch: Authorizes creating a new virtual switch
Create Virtual Switch Port: Authorizes creating a new virtual switch port
Delete Internal Ethernet Port: Authorizes deleting an internal Ethernet port
Delete Virtual Switch: Authorizes deleting a virtual switch
Delete Virtual Switch Port: Authorizes deleting a virtual switch port
Disconnect Virtual Switch Port: Authorizes disconnecting from a virtual switch port
Modify Internal Ethernet Port: Authorizes modifying the internal Ethernet port settings
Modify Switch Port Settings: Authorizes modifying the switch port settings
Modify Switch Settings: Authorizes modifying the switch settings
Change VLAN Configuration on Port: Authorizes modifying VLAN settings
Unbind External Ethernet Port: Authorizes unbinding from an external Ethernet port
View External Ethernet Ports: Authorizes viewing the available external Ethernet ports
View Internal Ethernet Ports: Authorizes viewing the available internal Ethernet ports
View LAN Endpoints: Authorizes viewing the LAN endpoints
View Switch Ports: Authorizes viewing the available switch ports
View Switches: Authorizes viewing the available switches
View Virtual Switch Management Service: Authorizes viewing the Virtual Switch Management Service
View VLAN Settings: Authorizes viewing the VLAN settings
Table 2.3. Hyper-V Virtual Machine Operations

Name: Description
Allow Input to Virtual Machine: Authorizes user to give input to the virtual machine
Allow Output from Virtual Machine: Authorizes viewing the output from a virtual machine
Change Virtual Machine Authorization Scope: Authorizes changing the scope of a virtual machine
Create Virtual Machine: Authorizes creating a virtual machine
Delete Virtual Machine: Authorizes deleting a virtual machine
Pause and Restart Virtual Machine: Authorizes pause and restart of a virtual machine
Reconfigure Virtual Machine: Authorizes reconfiguring a virtual machine
Start Virtual Machine: Authorizes starting the virtual machine
Stop Virtual Machine: Authorizes stopping the virtual machine
View Virtual Machine Configuration: Authorizes viewing the virtual machine configuration
Figure 2.2. Authorization Manager

Any users who are assigned the Administrator role through Authorization Manager (shown in the preceding figure) have full access to Hyper-V Manager and all of the virtual machines deployed on the physical computer, and can access all 33 of the Hyper-V operations listed in the three preceding tables.
To use Authorization Manager to assign the Administrator role to users and groups
1. From the management console of the physical computer or from a remote workstation, click Start, type azman.msc, and then press Enter. The Authorization Manager console snap-in appears.
2. Right-click Authorization Manager in the tree pane and select Open Authorization Store.
3. The Open Authorization Store dialog box appears with XML file selected as the store type.
4. Do one of the following:
   - If you are on the physical computer being managed, specify %programdata%\Microsoft\Windows\Hyper-V\InitialStore.xml in the Store Name text box and click OK.
   Note By default, only local administrators have access to this directory.
   - If you are on a remote workstation, specify the path to the InitialStore.xml file on the physical computer in the Store Name text box and click OK. For example, if Windows Server 2008 is installed on the C: drive, you might specify \\<server name>\C$\ProgramData\Microsoft\Windows\Hyper-V\InitialStore.xml.
5. Expand Hyper-V services under InitialStore.xml, expand Role Assignments, and then click the Administrator role.
6. Click Action, point to Assign Users and Groups, and then click From Windows and Active Directory.
7. In the Select Users, Computers, or Groups dialog box, select the user accounts and groups to which you want to assign the role, and click OK.
Note These steps only work with Hyper-V physical computers that are not being managed by System Center Virtual Machine Manager 2008 (VMM 2008). The advanced delegation capabilities of VMM 2008 are described in the next section.
Users who are assigned the Administrator role can install the Hyper-V management tools on a full installation of Windows Server 2008 and on Windows Vista Service Pack 1 (SP1) and administer Hyper-V servers remotely. (Remote administration is the only way to use Authorization Manager to manage an authorization store on a Server Core installation.) See Install and Configure Hyper-V Tools for Remote Administration on Microsoft TechNet for instructions.
Note Hyper-V Remote Management Configuration Utility on the Microsoft Developer Network (MSDN) is a tool that partially automates the process of setting up Hyper-V remote management.
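Because everyone in that Administrator role holds all 33 Hyper-V operations, the membership is worth auditing regularly. The following read-only check is an added example, not from the guide; it assumes the AzRoles COM API (AzRoles.AzAuthorizationStore) that azman.msc itself uses, the default InitialStore.xml location, and that an unmodified store lists only BUILTIN\Administrators in the role.

```powershell
# Added example, not from the Hyper-V Security Guide: list the accounts that hold
# the Hyper-V "Administrator" role in the Authorization Manager store. Run as a
# local administrator on the Hyper-V computer (the store directory is admin-only).
$storePath = Join-Path $env:ProgramData 'Microsoft\Windows\Hyper-V\InitialStore.xml'

function Get-HyperVAdminRoleMembers([string]$Path) {
    $store = New-Object -ComObject AzRoles.AzAuthorizationStore
    # The msxml:// prefix selects the XML store provider; flag 0 opens an existing store.
    $store.Initialize(0, "msxml://$Path", $null)
    # "Hyper-V services" is the application name shown under InitialStore.xml in azman.msc.
    $app = $store.OpenApplication('Hyper-V services', $null)
    $assignment = $app.OpenRoleAssignment('Administrator', $null)
    # Members are stored as SIDs; MembersName resolves them to account names.
    @($assignment.MembersName)
}

$members = Get-HyperVAdminRoleMembers -Path $storePath
Write-Host "Accounts holding the Hyper-V Administrator role ($storePath):"
$members | ForEach-Object { Write-Host "  $_" }

# Assumed review policy: anything beyond the default BUILTIN\Administrators entry
# is a delegation that should be documented and justified.
$extra = $members | Where-Object { $_ -ne 'BUILTIN\Administrators' }
if ($extra) {
    Write-Warning ("Additional Administrator role members to review: " + ($extra -join ', '))
}
```

Run the same check against a store opened over the administrative share when auditing remotely, as described in the procedure above.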
allocate your virtual computing resources more efficiently and to monitor them for potentially troublesome situations.
To use VMM 2008, you must install the Hyper-V Update for Windows Server 2008 x64 Edition (KB 956589) and Background Intelligent Transfer Service (BITS) update (KB 956774) on all of your Hyper-V physical computers. See VMM System Requirements on Microsoft TechNet for a full list of prerequisites.
Figure 2.3. System Center Virtual Machine Manager 2008 VMM 2008 is a comprehensive solution that offers many tools for managing virtual machine resources. In a security context, however, the most important features of VMM 2008 involve its ability to delegate virtual machine administrative permissions. VMM 2008 allows you to create groups of physical Hyper-V computers, or hosts, and manage administrative access to them individually. VMM 2008 also allows you to create libraries that can be used to store virtual machines when they are not in use, and to store resources for creating new virtual machines based on templates and standard profiles. As with host groups, you can control which users have access to different libraries, which allows you to deploy sensitive library resources in a secure manner. VMM 2008 also enables you to create self-service users who have limited, Webbased administrative access to selected virtual machines. In VMM 2008 you can create user roles to delegate permissions for individual groups of hosts, virtual machines, and library servers. Each user role includes a profile that determines the level of access granted by the role, and one or more host groups and library servers that the role is allowed to manage. You can add Active Directory Domain Services (AD DS) user accounts and groups as members of each user role as needed. VMM 2008 defines three profiles that can be applied to user roles:
Solution Accelerators
microsoft.com/technet/SolutionAccelerators
- The Administrator profile is the highest level of access available in VMM 2008. A single Administrator role is created by default when you install VMM 2008, and you cannot assign the Administrator profile to any new user roles that you create. Users who are assigned to the Administrator role have complete administrative access to all the hosts, virtual machines, and library servers in VMM 2008.
- The Delegated Administrator profile grants administrative access to a defined set of host groups and library servers. Users who belong to a Delegated Administrator role can use the VMM Administrator Console to modify the configuration of all virtual machines defined on any Hyper-V hosts that they control. It is not possible to use the Delegated Administrator role to delegate access to specific virtual machines. Delegated administrators can also be granted access to resources stored on library servers defined in VMM 2008.
- The Self-Service User profile grants administrative access to a defined set of virtual machines through the Web-based Virtual Machine Manager Self-Service Portal. Self-service users cannot use the VMM Administrator Console to manage virtual machine resources. You can also limit the virtual machine management tasks that users who belong to a Self-Service User role can perform.
These profiles make it possible to deploy Hyper-V within your organization in a way that is both flexible and secure. By using VMM 2008 to define virtual machine user roles and limit their access appropriately, you can give people throughout your organization control over their own Hyper-V resources without compromising the security of any servers managed by other groups.
Figure 2.4. The Select Scope page of the Create User Role Wizard
4. On the Summary page, review the user role settings and click Create.
Figure 2.5. The Web-based Virtual Machine Manager Self-Service Portal
To add a Self-Service User role in VMM 2008
1. In the User Roles view in the VMM Administrator Console, click New User Role in the Actions pane. The New User Role Wizard appears. On the General page, type a User role name and Description, and then select Self-Service User in the User Role Profile list. Click Next.
2. On the Add Members page, click Add, and then type the names of the Active Directory users or groups you want to add to this role. Click Next.
3. On the Select Scope page, select the host groups and library servers that you want to enable members of the user role to manage. Click Next.
4. As shown on the Virtual Machine Permissions page in the following screen shot, select the actions that you want to allow the members of this group to perform on virtual machines. You can select All actions, or grant a set of actions by selecting one or more of the following:
- Start
- Stop
- Pause and resume
- Checkpoint. Allows users to create and remove checkpoints, and to restore their virtual machines to a previous checkpoint. A checkpoint saves the state of each virtual hard disk that is attached to a virtual machine and all of the hard disk's contents, including application data files. Creating checkpoints for a virtual machine provides the ability to restore the virtual machine to a previous state.
Note Assign this action with care. Creating and restoring checkpoints is a resource intensive operation that can affect the performance of a Hyper-V server. Checkpoints can consume considerable amounts of disk space, and reverting a VM to a previous state could lead to unwanted data loss.
- Remove. Allows users to remove virtual machines, which deletes the configuration files.
- Local Administrator. Allows users to set the local administrator password when creating a virtual machine so that they have administrator rights and permissions on the virtual machine.
- Remote connection. Allows users to remotely control a virtual machine.
- Shut down
Figure 2.6. Specifying permitted actions for a user role with the Self-Service User profile
5. On the Virtual Machine Creation Settings page, specify whether users are allowed to create virtual machines. You can specify the templates that users can choose from when creating their virtual machines, and set the quota for deployed virtual machines. See Working with Virtual Machine Templates on Microsoft TechNet for more information about templates.
6. On the Library Share page, specify whether users are allowed to store virtual machines in a library. You can select the library server, share, and path for the virtual machines. In addition, you can allow users to attach ISO images to their virtual machines by selecting a Library path that contains ISO images. See Configuring the VMM Library on Microsoft TechNet for more information about libraries.
7. On the Summary page, review the user role settings and click Create.
Users assigned to a Self-Service User role can visit the portal using a Web browser and perform any actions permitted by the role. They cannot access any servers to which the role has not been granted access. This feature can be used to provide an enhanced level of access control that cannot be easily configured using Authorization Manager. For example, a Hyper-V deployment might include hosts used by several different departments within an organization, some of which might be used to manage sensitive data. Delegating full administrative access to designated users
within each department would give all such users control over any VMs that belong to the other departments, including the ability to perform such operations as deleting or duplicating existing VMs. Such a configuration could risk the disclosure, alteration, or loss of sensitive data. You can mitigate this risk by using VMM 2008 to configure groups of self-service users with access to specific virtual machines. This approach makes it possible to host VMs that belong to different groups on the same physical server while minimizing risk to sensitive data.
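The same role can be created and then reviewed from the VMM 2008 Windows PowerShell snap-in, which is useful when you need to script the delegation for many departments or audit the roles that already exist. The following is an added example, not code from this guide or from the VMM product documentation. The cmdlet and parameter names are those of the VMM 2008 snap-in as this editor recalls them and must be confirmed against Get-Help New-VMMUserRole -Full before use; the VMM server name, host group name, security group and role name are placeholders.

```powershell
# Added example (not from the guide): create a Self-Service User role scoped to one
# host group and then dump every user role for review.
# Assumption: VMM 2008 Administrator Console (with its PowerShell snap-in) is installed
# on the computer running this script, and the caller is a VMM administrator.
# Placeholders: server name, host group name, AD group name, role name.
Add-PSSnapin Microsoft.SystemCenter.VirtualMachineManager
$vmm = Get-VMMServer -ComputerName 'vmmserver.contoso.com'

# Scope the role to a single host group so that its members cannot reach hosts that
# belong to other departments (the risk described in the paragraph above).
$scope = Get-VMHostGroup -VMMServer $vmm | Where-Object { $_.Name -eq 'Project C Hosts' }
if (-not $scope) { throw 'Host group not found; refusing to create an unscoped role.' }

# Grant only the actions the users need. Checkpoint and Remove are deliberately
# left out (see the note on checkpoints above); add them only with a documented reason.
# Permission value names are assumed to mirror the wizard's check boxes; verify with Get-Help.
New-VMMUserRole -VMMServer $vmm -Name 'Project C Self-Service' `
    -Description 'Web-based self-service access to Project C virtual machines' `
    -UserRoleProfile SelfServiceUser `
    -AddMember @('CONTOSO\ProjectC-VMUsers') `
    -AddScope @($scope) `
    -VMPermission @('Start', 'Stop', 'PauseAndResume', 'Shutdown', 'RemoteConnect')

# Review pass: list every user role with all of its properties so that membership,
# scope and permitted actions can be compared against your delegation policy.
# Format-List * is used instead of named properties to avoid guessing property names.
Get-VMMUserRole -VMMServer $vmm | Format-List *
```

Run the review pass after every change to a role: a Self-Service User role whose scope silently grew to a parent host group is exactly the cross-department exposure the paragraph above warns about, and it is easier to catch in a list than in the console.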
More Information
The following resources on Microsoft.com provide more information about some of the concepts and techniques described in this chapter.
- Authorization Manager
For remote management of Hyper-V, see:
- Install and Configure Hyper-V Tools for Remote Administration
- Hyper-V Remote Management Configuration Utility
For System Center Virtual Machine Manager 2008 information, see:
- System Center Virtual Machine Manager 2008
- VMM System Requirements
- Hyper-V Update for Windows Server 2008 x64 Edition (KB 956589)
- Background Intelligent Transfer Service (BITS) update (KB 956774)
- Working with Virtual Machine Templates
- Configuring the VMM Library
- Scripting in VMM 2008 with Windows PowerShell
For more information on reducing the attack surface and hardening the security of the operating systems that run inside VMs, consult the following Microsoft Solution Accelerator guidance:
- Windows Server 2008 Security Compliance Management Toolkit
- Windows Server 2003 Security Compliance Management Toolkit
- Windows Vista Security Compliance Management Toolkit
- Windows XP Security Compliance Management Toolkit
W:\Virtualization Resources\Project C\Virtual Floppy Disks
W:\Virtualization Resources\Project C\ISO files
The ACLs for all of the folders would need to include the default permissions described in the "Securing Dedicated Storage Devices" section in Chapter 1 of this guide. In addition, if you want to allow virtual machine administrators to copy resource files to and from the physical computer, you should grant them Full Control for the subdirectories of their respective projects and create a network share that provides them with access to the parent Virtualization Resources folder.
If you are running VMM 2008, consider using VMM libraries to store resources like ISO files. See Virtual Machine Manager Library on Microsoft TechNet for more information.
BitLocker helps prevent unauthorized access to data on lost or stolen computers by combining two major data-protection procedures:
- Encrypting the entire Windows operating system volume and other data volumes.
- Verifying the integrity of early boot components and boot configuration data.
In addition to protecting business-critical information and databases as well as other incidental data that is created during business transactions, BitLocker can protect virtual machine configurations and their VHDs. Any configurations and VHDs that are created and stored on a BitLocker-encrypted physical disk volume receive BitLocker protection, regardless of the operating systems that run on those virtual machines. This capability means that non-Windows and legacy Microsoft operating systems benefit from the same BitLocker protection when they run as guest operating systems of Windows Server 2008 Hyper-V.
Before you attempt to configure BitLocker and Hyper-V on the same server, however, there are a few issues you should consider. BitLocker is designed to work with a Trusted Platform Module (TPM), a hardware device that can store and process cryptographic keys to provide enhanced security through pre-startup system integrity verification. Hyper-V does not provide virtual machines with access to the TPM, so you cannot use BitLocker with TPM to encrypt virtual machines independently. However, you can use BitLocker with TPM from a physical Hyper-V computer's management operating system to encrypt an entire physical drive connected to the Hyper-V computer, including the VHD files and
other configuration files used by virtual machines. This method provides all of the virtual machines on the encrypted disk with the same level of protection. However, it will not help isolate the virtual machines and their resource files from the other virtual machines running on the same physical computer.
Note Although using Hyper-V in a clustered environment is outside the scope of this guide, it is worthwhile to point out that BitLocker does not work with Windows Failover Clustering. For information on using Hyper-V and Failover Clustering see Hyper-V Step-by-Step Guide: Hyper-V and Failover Clustering on Microsoft TechNet.
For instructions about how to use BitLocker to encrypt Windows Server 2008 Hyper-V physical computers, see Windows Server 2008 Hyper-V and BitLocker Drive Encryption on the Microsoft Download Center.
Important Do not use Encrypting File System (EFS) to encrypt folders in which virtual machine files are stored. Hyper-V does not support the use of storage media if EFS has been used to encrypt the VHD file. To encrypt virtual machine files, use BitLocker.
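Both of the points above (VM files should live on a BitLocker-protected volume, and must never be EFS-encrypted) are easy to verify from the management operating system. The following script is an added example written for this edition; it is not part of the original guide. It assumes Windows Server 2008 with the BitLocker feature installed, Windows PowerShell 2.0, an elevated prompt, and that the two folder paths are replaced with your own VM storage roots. It uses the Win32_EncryptableVolume WMI class, which is present once the BitLocker feature is installed, and the NTFS Encrypted file attribute that EFS sets.

```powershell
# Added example (not from the guide): report BitLocker protection status for the volume
# under each VM storage root, and flag any VM file that carries the EFS Encrypted attribute.
# Assumptions: Windows Server 2008, BitLocker feature installed, PowerShell 2.0, run elevated.
# The folder list is a placeholder; replace it with your real VM storage roots.
$VmRoots = @('D:\VirtualMachines', 'W:\Virtualization Resources')

# Win32_EncryptableVolume.GetProtectionStatus() -> ProtectionStatus: 0 = off, 1 = on, 2 = unknown.
$protection = @{}
Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftVolumeEncryption' `
              -Class Win32_EncryptableVolume -ErrorAction SilentlyContinue |
    ForEach-Object { $protection[$_.DriveLetter] = $_.GetProtectionStatus().ProtectionStatus }

foreach ($root in $VmRoots) {
    if (-not (Test-Path -Path $root)) { Write-Warning "$root not found, skipping"; continue }

    # Map the folder to its volume, e.g. 'D:\VirtualMachines' -> 'D:'
    $drive = [System.IO.Path]::GetPathRoot($root).TrimEnd('\')
    switch ($protection[$drive]) {
        1       { Write-Output "$root : volume $drive is BitLocker-protected" }
        0       { Write-Warning "$root : volume $drive is NOT BitLocker-protected; VHDs on it are readable if the disk is removed" }
        default { Write-Warning "$root : BitLocker status of $drive unknown (feature not installed or not an encryptable volume)" }
    }

    # Hyper-V does not support EFS-encrypted VM files, so any hit here is a misconfiguration.
    # File types are the ones Hyper-V on Windows Server 2008 writes for a VM plus ISO/VFD media.
    Get-ChildItem -Path $root -Recurse -Include *.vhd, *.avhd, *.xml, *.bin, *.vsv, *.iso, *.vfd `
                  -ErrorAction SilentlyContinue |
        Where-Object { $_.Attributes -band [System.IO.FileAttributes]::Encrypted } |
        ForEach-Object { Write-Warning "EFS-encrypted VM file (unsupported by Hyper-V): $($_.FullName)" }
}
```

If the EFS check reports a file, decrypt it (cipher /d on the file, or clear the attribute from the file's Advanced properties) before Hyper-V tries to open it; if the BitLocker check reports status 0 for a volume that holds sensitive VHDs, enable BitLocker on that volume following the guidance linked above.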
To define an audit rule for a file or folder
1. On the physical computer, use Windows Explorer to locate and select the file or folder, and then on the File menu, click Properties.
2. Click the Security tab, and then click the Advanced button.
3. Click the Auditing tab.
4. If prompted for administrative credentials, click Continue, type your user name and password, and then press Enter.
5. Click the Add button to display the Select User, Computer, or Group dialog box.
6. Click the Object Types button, and then in the Object Types dialog box, select the object types you want to find.
Note The User, Group, and Built-in security principal object types are selected by default.
7. Click the Locations button, and then in the Locations dialog box, select either your domain or the local computer.
8. In the Select User, Computer, or Group dialog box, in the Enter the object names to select box, type the name of the group or user you want to audit, for example Authenticated Users (to audit the access of all authenticated users), and then click OK. The Auditing Entry dialog box appears.
9. Determine the type of access you want to audit on the file or folder using the Auditing Entry dialog box.
Note Remember that each object access may generate multiple events in the event log and cause it to grow rapidly.
10. In the Auditing Entry dialog box, next to List Folder/Read Data, select Successful and Failed, and then click OK. You can view the audit entries you enabled under the Auditing tab of the Advanced Security Settings dialog box.
11. Click OK to close the Properties dialog box.
To test an audit rule for a file or folder
1. On the physical computer, in Windows Explorer, open the file or folder being audited, and then close it.
2. Start the Event Viewer. Several Object Access events with Event ID 4663 will appear in the Security event log.
3. Double-click the events as needed to view their details.
Audit entries on a file or folder generate events only when the Audit object access policy (or its File System subcategory) is enabled on the physical computer; if no 4663 events appear, check that policy before checking the entries themselves.
Microsoft recommends enabling object access auditing on VHD files for every user or group that has access to the files through the file system. This approach ensures that every attempt by a user to open, copy, modify, or delete an audited file is recorded, which can be useful in a number of scenarios. For example, if a malicious administrator makes an unauthorized copy of a sensitive VHD file, the audit log can be used to trace the action back to the person responsible. Because an administrator of the physical computer can also clear its Security log, forward the events to a collector that those administrators cannot modify. For additional security, a monitoring product like Microsoft System Center Operations Manager can be configured to issue alerts when access attempts are made under certain circumstances, which could help prevent security breaches.
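The two procedures above (define an audit rule, then confirm that 4663 events are produced) can be scripted so that the same SACL is applied to every VM storage folder and the resulting events are pulled out of the Security log for review. The following is an added example written for this edition, not code from the original guide. It assumes Windows Server 2008 with Windows PowerShell 2.0 (Get-WinEvent requires 2.0; on 1.0 use Get-EventLog -LogName Security -InstanceId 4663 instead), an elevated prompt, and that the folder path is replaced with your own VM storage root. The identity, rights and file pattern are choices for the example, not values prescribed by the guide.

```powershell
# Added example (not from the guide): apply a Success+Failure audit rule for Authenticated
# Users to a Hyper-V storage folder, enable the audit subcategory that makes the rule
# produce events, then list the resulting 4663 events that touched VHD files.
# Assumptions: Windows Server 2008, PowerShell 2.0, elevated prompt. Path is a placeholder.
$VmStorage = 'D:\VirtualMachines'
$Identity  = 'Authenticated Users'

# 1. A SACL entry is inert unless the File System subcategory of Object Access auditing
#    is enabled for the outcomes you want (the GUI steps above do not cover this).
auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null

# 2. Build the audit rule: who, which accesses, inherited by subfolders and files,
#    logging both successful and failed attempts. Rights chosen for the example cover
#    open/copy (ReadData), modify (WriteData, AppendData) and delete (Delete).
$Rights      = [System.Security.AccessControl.FileSystemRights]'ReadData, WriteData, AppendData, Delete'
$Inheritance = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$Propagation = [System.Security.AccessControl.PropagationFlags]::None
$Outcome     = [System.Security.AccessControl.AuditFlags]'Success, Failure'
$Rule = New-Object -TypeName System.Security.AccessControl.FileSystemAuditRule `
                   -ArgumentList $Identity, $Rights, $Inheritance, $Propagation, $Outcome

# Get-Acl needs -Audit to read the SACL; Set-Acl needs SeSecurityPrivilege (elevated).
$Acl = Get-Acl -Path $VmStorage -Audit
$Acl.AddAuditRule($Rule)
Set-Acl -Path $VmStorage -AclObject $Acl

# 3. Show the effective audit entries so the change can be verified (same data as the
#    Auditing tab of the Advanced Security Settings dialog box).
(Get-Acl -Path $VmStorage -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, IsInherited -AutoSize

# 4. Pull recent 4663 (An attempt was made to access an object) events that name a .vhd
#    or .avhd file and summarise who did what to which file. The field names below are
#    parsed from the event message text, which is how the GUI displays them.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -MaxEvents 1000 |
    Where-Object { $_.Message -match '\.a?vhd' } |
    ForEach-Object {
        $m = $_.Message
        New-Object -TypeName PSObject -Property @{
            Time    = $_.TimeCreated
            Account = [regex]::Match($m, 'Account Name:\s+(\S+)').Groups[1].Value
            Object  = [regex]::Match($m, 'Object Name:\s+(.+)').Groups[1].Value.Trim()
            Access  = [regex]::Match($m, 'Accesses:\s+(.+)').Groups[1].Value.Trim()
        }
    } | Format-Table Time, Account, Access, Object -AutoSize
```

Run step 4 immediately after copying a test VHD with a non-administrative account: you should see that account's ReadData access on the source file. If the table is empty although the audit entry is present, the auditpol setting in step 1 is the first thing to check.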
- Wakes the virtual machine (deploys it to a servicing host and starts it).
- Triggers the appropriate software update cycle (Configuration Manager or WSUS).
- Shuts down the updated virtual machine and returns it to the library.
The servicing hosts used for updating virtual machines reside on a dedicated private virtual network, so the VMs are protected from attacks while they are serviced. The Offline Virtual Machine Servicing Tool 2.0.1 is a free download from the Microsoft Download Center.
- Decide how much memory to assign to a virtual machine.
- Impose limits on processor usage.
- Configure the virtual network adapters of each virtual machine to connect to the correct type of virtual network to isolate network traffic as required.
- Configure only required storage devices for a virtual machine.
- Harden the operating system running in each virtual machine according to the server role it performs, using the baseline security setting recommendations described in the Windows Server 2008 Security Compliance Management Toolkit.
- Configure antivirus, firewall, and intrusion detection software within virtual machines as appropriate based on server role.
- Ensure that virtual machines have all the latest security updates before they are turned on in a production environment.
- Ensure that your virtual machines have integration services installed.
More Information
The following resources on Microsoft.com provide more information about some of the concepts and techniques described in this chapter.
- Windows Server 2008 Security Compliance Management Toolkit
- Windows Server 2003 Security Compliance Management Toolkit
- Windows Vista Security Compliance Management Toolkit
- Windows XP Security Compliance Management Toolkit
- Windows Server 2008 Hyper-V and BitLocker Drive Encryption
- Offline Virtual Machine Servicing Tool