Securing virtual machines (VMs) running on Hyper-V is a critical task. This article is the second in a series on configuring and securing Hyper-V using Authorization Manager. (Part 1 can be found here.) It explains how to secure access to VMs running on Hyper-V. Authorization Manager is a component built into Windows; Hyper-V uses an Authorization Manager policy store to control access to the Hyper-V parent partition and the VMs running on it. The policy settings for Hyper-V are kept in an XML-based file. By default, the local Administrator is included in this policy and can manage every aspect of Hyper-V.
This article will focus on the following topics:
- Securing Hyper-V Resources Using Authorization Manager
- Step-by-Step using Authorization Manager
- Hyper-V Operations Tasks and Categories
- A simple example using Authorization Manager
Hyper-V uses Authorization Manager to control access to the Hyper-V parent partition and VMs. Before you work with it, you should be familiar with the basic terms used in Authorization Manager, starting with the following:
Authorization Manager RBAC Model
Authorization Manager uses a role-based access control (RBAC) model. In this model, users are assigned to roles, and roles are granted the operations (or tasks, which group operations) they are allowed to perform. Figure 1 illustrates the following terms:
Scope: A scope is the boundary within which a particular role applies. You can create a scope by right-clicking Hyper-V Services in Authorization Manager or by using a small script. Three things are associated with every scope you create in Authorization Manager, as shown in Figure 2:
- Role Assignments
- Tasks (task definitions)
- Role Definitions
(Figure 2: Authorization Manager screenshot)
Tasks and Role Definitions: A task is a collection of operations, and a role definition is the set of tasks and operations (the permissions) that a role assignment grants.
Role Assignment: A role assignment contains the users and groups to which the tasks and operations are assigned.
As Figure 1 shows, two scopes are created: SCOPE 1 and SCOPE 2. Both scopes contain operations, tasks and roles, but the permissions differ. The roles defined in SCOPE 1 are User 1 and User 2, and the operations assigned to these roles are "Start Virtual Machine" and "Stop Virtual Machine." SCOPE 2 has different roles, User 3 and User 4, and only one operation is assigned to them: "Configure Virtual Machine Settings."
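The two scopes of Figure 1 can be created with the AzRoles COM API that the Authorization Manager MMC itself uses, which is the "small script" route mentioned above. The following PowerShell is an added example and is not code from the article. It assumes the policy store is the InitialStore.XML file described in this article (pass its path in -StorePath), that the application inside the store is named "Hyper-V services", and that the operation names are the ones printed in Figure 1; the role names (VM Operator, VM Configurator) and member accounts (HV01\User1 and so on) are placeholders. Run it elevated on the parent partition.

```powershell
<#
  Added example, not from the article: recreate the two scopes of Figure 1
  through the AzRoles COM API instead of the MMC.
  Assumptions: -StorePath points at InitialStore.XML, the application is
  named "Hyper-V services", and the operation names match Figure 1.
  Substitute the exact names from the Operations list in AzMan if yours differ.
#>
param(
    [Parameter(Mandatory = $true)][string]$StorePath,
    [string]$ApplicationName = 'Hyper-V services'
)

# Scope -> role-definition name -> operations and members, as in Figure 1.
# Role names and member accounts are placeholders; use real local or domain accounts.
$scopes = @(
    @{ Name = 'SCOPE 1'; Role = 'VM Operator'
       Operations = @('Start Virtual Machine', 'Stop Virtual Machine')
       Members = @('HV01\User1', 'HV01\User2') },
    @{ Name = 'SCOPE 2'; Role = 'VM Configurator'
       Operations = @('Configure Virtual Machine Settings')
       Members = @('HV01\User3', 'HV01\User4') }
)

# Open the existing XML store (flag 0 = open, do not create) and the application.
$store = New-Object -ComObject AzRoles.AzAuthorizationStore
$store.Initialize(0, "msxml://$StorePath")
$app = $store.OpenApplication($ApplicationName)

# Refuse to reference an operation that is not defined in the application.
# AzMan would fail later anyway, but failing here avoids a half-created scope.
$known = @($app.Operations | ForEach-Object { $_.Name })
foreach ($s in $scopes) {
    foreach ($op in $s.Operations) {
        if ($known -notcontains $op) {
            throw "Operation '$op' is not defined in application '$ApplicationName'"
        }
    }
}

foreach ($s in $scopes) {
    # Scope: the boundary the role lives in. Submit it before adding children.
    $scope = $app.CreateScope($s.Name)
    $scope.Submit()

    # Role definition: in AzMan this is a task flagged IsRoleDefinition,
    # holding the operations (the permissions) the role grants.
    $def = $scope.CreateTask($s.Role)
    $def.IsRoleDefinition = $true
    foreach ($op in $s.Operations) { $def.AddOperation($op) }
    $def.Submit()

    # Role assignment: binds the role definition to the users or groups.
    $assign = $scope.CreateRole($s.Role)
    $assign.AddTask($s.Role)
    foreach ($m in $s.Members) { $assign.AddMemberName($m) }
    $assign.Submit()

    Write-Host ("Scope '{0}': role '{1}' grants {2} to {3}" -f
        $s.Name, $s.Role, ($s.Operations -join ', '), ($s.Members -join ', '))
}
```

Operation names are matched exactly, so the pre-check against `$app.Operations` is what tells you whether the names taken from Figure 1 exist in your store. A scope grants nothing on its own: it only takes effect for VMs that are placed in it, which is a separate step from creating the scope and its role assignments.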
The operations, tasks and roles are defined in an XML-based file (InitialStore.XML) stored at the following path:
Note: The ProgramData folder is hidden by default on Windows Server 2008. You may need to unhide it to browse to the path above.
Hyper-V uses this store; if the file is missing, the Hyper-V services fail to start. Hyper-V initialization includes reading this file to obtain the permissions assigned to the VMs. To locate InitialStore.XML, Hyper-V queries the registry key shown below:
This registry key holds two values: StoreLocation and ServiceApplication. StoreLocation gives the path of the InitialStore.XML file, and ServiceApplication names the application within the policy store that Hyper-V uses. For Hyper-V this is always Hyper-V Services.
Tip: The InitialStore.XML file is installed only when you enable the Hyper-V role. If the file is missing or corrupted, you have two options:
- Copy the file from a working Hyper-V server.
- Mount Install.WIM from the Windows Server 2008 ISO, search it for InitialStore.XML, and copy that file to the Hyper-V server.
The scope of this article is limited to Hyper-V security; it does not cover every feature of Authorization Manager. More information on Authorization Manager can be found here.
By default, Hyper-V defines one scope, 33 operations and a single role, all stored in the XML file mentioned above. The local Administrator on the parent partition holds that default role and is granted every permission needed to configure Hyper-V and the VMs running on it. You can view and configure these settings with the Authorization Manager MMC snap-in, AzMan.msc. You must be a member of the local Administrators group on the parent partition to use Authorization Manager.
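Before changing anything it is worth confirming that the store still matches the defaults described here (one scope, 33 operations, one role held by the local administrators) and that nobody else can rewrite it, since whoever can write InitialStore.XML can grant themselves any operation. The following read-only PowerShell report is an added example, not code from the article. It follows the lookup the article describes, reading StoreLocation and ServiceApplication from the Virtualization registry key; the key path used in the script is an assumption, not taken from this article, and can be overridden with -StorePath. It also assumes the application is named "Hyper-V services" when the registry value is not used. Run it elevated on the parent partition.

```powershell
<#
  Added example, not from the article: audit the Hyper-V AzMan policy store.
  Reports operations, role assignments and their members, flags any member of
  the default role other than the local Administrators group, and lists who
  can write the store file. Read-only.
  Assumption: the registry key below is where Hyper-V keeps StoreLocation and
  ServiceApplication; it is not reproduced from the article.
#>
param(
    [string]$StorePath,
    [string]$ApplicationName = 'Hyper-V services',
    [string]$VirtualizationKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization'
)

if ($StorePath) {
    $storeUrl = "msxml://$StorePath"
} else {
    # Same lookup Hyper-V performs: StoreLocation gives the store, ServiceApplication the application.
    $reg = Get-ItemProperty -Path $VirtualizationKey -ErrorAction Stop
    $storeUrl = $reg.StoreLocation
    if ($storeUrl -notmatch '^msxml://') { $storeUrl = "msxml://$storeUrl" }
    if ($reg.ServiceApplication) { $ApplicationName = $reg.ServiceApplication }
}

$store = New-Object -ComObject AzRoles.AzAuthorizationStore
$store.Initialize(0, $storeUrl)          # flag 0: open existing store
$app = $store.OpenApplication($ApplicationName)

$ops = @($app.Operations)
Write-Host ("Application '{0}': {1} operations, {2} scopes, {3} role assignments" -f
    $ApplicationName, $ops.Count, @($app.Scopes).Count, @($app.Roles).Count)
if ($ops.Count -ne 33) { Write-Warning "Expected 33 operations in a default Hyper-V store" }

# Operations are the atomic permissions Hyper-V checks; print them by ID.
$ops | Sort-Object OperationID | ForEach-Object { '{0,5}  {1}' -f $_.OperationID, $_.Name }

# Resolve a SID string to an account name for the report.
function Resolve-Sid([string]$Sid) {
    try {
        (New-Object Security.Principal.SecurityIdentifier $Sid).Translate(
            [Security.Principal.NTAccount]).Value
    } catch { '<unresolved>' }
}

# Application-level role assignments: who holds which role definition.
# S-1-5-32-544 is BUILTIN\Administrators, the only expected default member.
foreach ($role in $app.Roles) {
    Write-Host ("Role '{0}' -> definitions: {1}" -f $role.Name, (@($role.Tasks) -join ', '))
    foreach ($sid in @($role.Members)) {
        Write-Host ("    {0}  {1}" -f $sid, (Resolve-Sid $sid))
        if ($sid -ne 'S-1-5-32-544') {
            Write-Warning "Non-default member '$sid' in role '$($role.Name)'"
        }
    }
}

# Scoped role assignments, if any scopes have been added.
foreach ($scope in $app.Scopes) {
    foreach ($role in $scope.Roles) {
        Write-Host ("Scope '{0}' role '{1}' members: {2}" -f $scope.Name, $role.Name,
            ((@($role.Members) | ForEach-Object { Resolve-Sid $_ }) -join ', '))
    }
}

# Anyone with write access to the store file can grant themselves any operation.
$filePath = $storeUrl -replace '^msxml://', ''
$acl = Get-Acl -Path $filePath
foreach ($ace in $acl.Access) {
    if ($ace.AccessControlType -eq 'Allow' -and
        ($ace.FileSystemRights -band [Security.AccessControl.FileSystemRights]::Write)) {
        Write-Host ("Write access on store file: {0}" -f $ace.IdentityReference)
    }
}
```

The two warnings are the findings a practitioner looks for: an operation count other than 33 means the store has been edited or replaced, and any member of the default role other than BUILTIN\Administrators is a standing grant of full Hyper-V control that the default policy does not explain. The ACL listing should show only administrators and system principals with write access to the file.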