
Configuring Hyper-V Security Using Authorization Manager

Friday Nov 20th 2009 by Nirmal Sharma

When deploying virtualization technologies, key choices must be made to ensure the environment is secure. This article explains how to use Authorization Manager to make Hyper-V as secure as it can be.

If you're deploying Hyper-V and virtual machines, key choices must be made to ensure your environment is secure. This article will explain how to configure Hyper-V security using Authorization Manager, what to secure and what to look at. It will also examine Hyper-V security best practices and offer examples on how to implement Hyper-V security using Authorization Manager.

Most of this article talks about Hyper-V security. It assumes, therefore, that you have a working Hyper-V server in your environment. It does not explain how to create and configure virtual machines on Hyper-V. Instead, the article focuses on how to provide security to virtual machines running on Hyper-V and how to implement a secure Hyper-V environment and best practices.

Terms Used Throughout This Article

Parent Partition: A Windows Server 2008 system running the Hyper-V role is called the Parent Partition. The Parent Partition is responsible for creating Child Partitions and also controls communication between all the virtual machines.

Child Partition: A virtual machine running on Hyper-V Server is called the Child Partition. A Parent Partition creates the Child Partitions.

Authorization Manager: Authorization Manager provides security to the resources. Hyper-V leverages the Authorization Manager to provide security to virtual machines.

The first task of an IT administrator is to secure infrastructure servers before they are actually implemented in the production environment. Hyper-V is one of them. Most IT administrators do not know how to implement a secure Hyper-V environment. This is chiefly because Hyper-V is new to the virtualization world. On the other hand, VMware has been involved with virtualization for several years. New technology will always differ from its competitors. As an example, VMware uses Monolithic VMM Architecture, whereas Hyper-V uses Microkernelized VMM Architecture. The difference could be in security architecture as well.

That is where this article is useful for IT administrators interested in knowing how to provide security to virtual machines running on Hyper-V and to Hyper-V as a whole.

Hyper-V does not ship with a built-in tool that can be used to secure a virtual machine. Instead, it uses a Windows component called Authorization Manager to provide security for virtual machines and Hyper-V. Authorization Manager ships with Windows Server 2008 and is enabled by default. Security involves every aspect of a system. As an example, securing an operating system involves securing operating system files (e.g., DLL and OCX files). Similarly, for Hyper-V you should know what to secure: are you planning to secure the virtual machines or the overall Hyper-V environment?

Securing virtual machines does not involve much administrative overhead. You just need to know how to use Authorization Manager and perform a couple of tasks to provide security. To provide security to the overall Hyper-V environment, you must know everything about Hyper-V. You need to have an idea of where Hyper-V copies all its files, which ports are opened for the different services running on Hyper-V, and the default configuration of Hyper-V.

We will discuss the following topics in detail in this series of articles:

  • Hyper-V Default Configuration and Securing Files and Folders
  • Virtual Machine and NTFS Permissions
  • Hyper-V Services Overview & Security
  • Hyper-V Firewall Rules and Configuration
  • Securing Hyper-V & Virtual Machines using Authorization Manager
  • An example to provide Hyper-V Security using Authorization Manager
  • Hyper-V Security Best Practices

Hyper-V Default Configuration and Securing Files and Folders

It is necessary to know the default configuration of Hyper-V. First, we will look at securing the folders that contain virtual machine VHDs and the configuration files (XML).

When you initially enable the Hyper-V role on Windows Server 2008, it creates a few directories and copies many files into them. It is necessary to understand the default location for storing virtual machines and configuration files before you can tighten the security for Hyper-V.

%SystemRoot%\ProgramData\Microsoft\Windows\Hyper-V\Virtual Machines
%SystemRoot%\ProgramData\Microsoft\Windows\Hyper-V\Virtual Hard Disks
%SystemRoot%\ProgramData\Microsoft\Windows\Hyper-V\Snapshots

By default, Hyper-V uses the above directories to store the virtual machine configuration files, VHDs and the snapshots associated with the virtual machines. You must change the default location before you move Hyper-V to the production environment. It is recommended to change the default location for storing VHDs, XMLs and Snapshot files to a SAN drive.

When you install the Hyper-V Role, a special security group called "Virtual Machines" is created. This security group contains the GUIDs of all the virtual machines registered with the Hyper-V Server, and it has access to the %SystemRoot%\ProgramData\Microsoft\Windows\Hyper-V\Virtual Machines folder, which stores the configuration files (XML files) of the virtual machines. If this Security Group is removed or missing from the Security Tab of the virtual machines folder, you can't access the virtual machines running on Hyper-V. The VMMS.EXE process, which is responsible for managing access to all the virtual machines, uses the "Virtual Machines" Security Group to gain access to virtual machines on the Hyper-V Server.

By default, the Security Permissions on the Hyper-V\Virtual Machines folder look like this:

[Figure: Default Security Permissions on Hyper-V\Virtual Machines Folder]

At a minimum, keep the following Security Groups on the Security Tab of the Hyper-V\Virtual Machines folder:

SYSTEM Account - Full Control
Administrators - Full Control
Virtual Machines - Special Permissions

By default, Hyper-V does not allow anyone to access virtual machines except the SYSTEM Account and the Local Administrators Account. This is very clear from the above figure. The Local Administrators Security Group is added to the policy store of Authorization Manager, and it is given full control over Hyper-V, including the virtual machines running on it.

The same security settings, shown in the figure above, apply to the Hyper-V\Snapshots folder.

Tip: If you want to prevent users or Administrators from creating new virtual machines on the Hyper-V Server, remove the "Virtual Machines" special Security Group from the Hyper-V\Virtual Machines folder.

The next folder to secure on Hyper-V is the Hyper-V\Virtual Hard Disks folder. It's more important to secure this folder than the folder that contains the XML files because Hyper-V supports virtual machines in the VHD format. These VHDs can be used with earlier versions of virtualization software. An unauthenticated user who has read access to the VHD files can still copy the VHD file and use it with Virtual Server or Virtual PC. The default settings on Hyper-V\Virtual Hard Disks look as shown below:

[Figure: Default Security Permissions on Hyper-V\Virtual Hard Disks folder]

To make security tighter for the folder that contains VHDs, you can remove the Users Security Group which is added when you initially enable the Hyper-V Role. At a minimum, you should keep the following Security Groups on the Security Tab:

SYSTEM - Full Control
Administrators - Full Control
Authenticated Users - Read & Execute 
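
An added example, not part of the original article: a PowerShell audit that compares the Allow entries on the three Hyper-V data folders with the minimum lists given above and reports extra identities, rights above the baseline and missing baseline identities. The `$Root` parameter, the `New-Finding` helper and the English-language identity names are assumptions.

```powershell
# Added example, not from the article. Identity names assume an English-language system.
param([Parameter(Mandatory = $true)][string]$Root)   # parent of the three Hyper-V data folders

$full = 'FullControl'
$rx   = 'ReadAndExecute, Synchronize'
# identity -> highest rights the article's minimum list allows ($null = "special", not compared)
$vm = @{ 'NT AUTHORITY\SYSTEM' = $full; 'BUILTIN\Administrators' = $full
         'NT VIRTUAL MACHINE\Virtual Machines' = $null }
$baseline = @{
    'Virtual Machines'   = $vm
    'Snapshots'          = $vm
    'Virtual Hard Disks' = @{ 'NT AUTHORITY\SYSTEM' = $full; 'BUILTIN\Administrators' = $full
                              'NT AUTHORITY\Authenticated Users' = $rx }
}

# Hypothetical helper: one output object per deviation from the baseline.
function New-Finding($Folder, $Identity, $Rights, $Finding) {
    New-Object PSObject -Property @{
        Folder = $Folder; Identity = $Identity; Rights = $Rights; Finding = $Finding }
}

foreach ($name in $baseline.Keys) {
    $path = Join-Path $Root $name
    if (-not (Test-Path $path)) { Write-Warning "Folder not found: $path"; continue }
    $allowed = $baseline[$name]
    $aces = @((Get-Acl -Path $path).Access | Where-Object { $_.AccessControlType -eq 'Allow' })

    foreach ($ace in $aces) {
        $id = $ace.IdentityReference.Value
        if (-not $allowed.ContainsKey($id)) {
            # e.g. the Users group that the article suggests removing from the VHD folder
            New-Finding $name $id $ace.FileSystemRights 'identity not in baseline'
        } elseif ($allowed[$id]) {
            $max = [int][System.Security.AccessControl.FileSystemRights]($allowed[$id])
            if (([int]$ace.FileSystemRights -band (-bnot $max)) -ne 0) {
                New-Finding $name $id $ace.FileSystemRights 'rights exceed baseline'
            }
        }
    }
    # The article warns that losing the "Virtual Machines" group breaks access to the VMs.
    $present = $aces | ForEach-Object { $_.IdentityReference.Value }
    foreach ($id in $allowed.Keys) {
        if ($present -notcontains $id) { New-Finding $name $id $null 'baseline identity missing' }
    }
}
```

Run it from an elevated prompt and pipe the output to `Format-Table`; an empty result means the folders match the minimum lists.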



How to Secure Virtual Machine Access using DACLs

Authorization Manager, which will be discussed in a future article in this series, is the main tool for securing virtual machine access. You can also configure DACLs on the virtual machine folder to provide security to virtual machines running on Hyper-V. This is basically done by applying NTFS permissions.


[Figure: Securing Virtual Machine Access Using DACLs]

As you can see in the above figure, an organization has two teams: development and test. Two security groups have already been created for these teams: Dev Team and Test Team. The Development Team is responsible for writing the code and then handing it over to the Test Team for testing. The Development Team must be able to access all of the virtual machines (10 in this example). At the same time, they must make sure the Test Team does not have access to any virtual machines except TVM1 through TVM5. To achieve this, assign NTFS permissions on the virtual machine folders.

In this example, there are three virtual machine folders:

  1. X:\Virtual Machines
  2. X:\Virtual Machines\DevelopmentTeamVirtualMachines
  3. X:\Virtual Machines\TestTeamVirtualMachines

The Dev Team Security Group is assigned Full Control permissions on folders 2 and 3. The Test Team, on the other hand, is assigned Full Control permissions only on folder 3. The Test Team does not even have Read permissions on folder 2.
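
One way to apply this layout with PowerShell, as an added example that is not part of the original article. The `EXAMPLE` domain is a placeholder, the list of broad groups to strip is an assumption, and the folder and group names follow the scenario above.

```powershell
# Added example, not from the article. $Domain is a placeholder for the domain
# that holds the "Dev Team" and "Test Team" groups from the scenario.
param([string]$Domain = 'EXAMPLE')

$grants = @{
    'X:\Virtual Machines\DevelopmentTeamVirtualMachines' = @("$Domain\Dev Team")
    'X:\Virtual Machines\TestTeamVirtualMachines'        = @("$Domain\Dev Team", "$Domain\Test Team")
}
# Broad groups (assumed list) through which Test Team members could still read the dev folder.
$broad = 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone'
$teams = "$Domain\Dev Team", "$Domain\Test Team"
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$noProp  = [System.Security.AccessControl.PropagationFlags]::None

foreach ($path in $grants.Keys) {
    # Step 1: stop inheriting from X:\Virtual Machines but keep a copy of the inherited
    # entries, so SYSTEM, Administrators and "Virtual Machines" keep the rights they had.
    $acl = Get-Acl -Path $path
    $acl.SetAccessRuleProtection($true, $true)
    Set-Acl -Path $path -AclObject $acl

    # Step 2: re-read (the copied entries are explicit now), drop broad and team entries,
    # then grant Full Control only to the groups listed for this folder.
    $acl = Get-Acl -Path $path
    foreach ($id in ($broad + $teams)) {
        $acl.PurgeAccessRules((New-Object System.Security.Principal.NTAccount($id)))
    }
    foreach ($id in $grants[$path]) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $id, 'FullControl', $inherit, $noProp, 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $path -AclObject $acl

    # Show the result so the absence of Test Team on the development folder can be confirmed.
    Get-Acl -Path $path | Select-Object -ExpandProperty Access |
        Select-Object @{n = 'Folder'; e = { $path }}, IdentityReference, FileSystemRights, IsInherited
}
```

Inheritance is broken in two passes because entries copied from the parent only become removable after the protected ACL has been written and read back.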

Hyper-V Services Overview & Securing Hyper-V Services

Hyper-V is a client/server application. Hyper-V comes with three services by default, as mentioned below:

| Service Name | Functions | Security Context | Recommended Configuration |
|---|---|---|---|
| Virtual Machine Management Service | Manages overall Hyper-V environment | SYSTEM Account | Default |
| Hyper-V Image Management Service | Management of Virtual Hard Disks | Network Service | Default |
| Hyper-V Network Management Service | Management of Hyper-V Virtual Networking | SYSTEM Account | Default |

The services shown above are configured to start automatically under the security context of the SYSTEM Account. The account under which these services run has the highest privileges on the system. You should never change the account under which they run. If you do, a hacker or malicious code can cause harm to the virtual machines or the Hyper-V Parent Partition. The SYSTEM account password is not known to malicious code or a hacker. It is not safe to run these services under a domain user account, as a malicious user or hacker might try to obtain the password using brute-force applications.

Conclusion

This article explained how Hyper-V stores VHDs and XML files on the system drive. It is always recommended to change the default location for storing VHDs and XMLs to a SAN Drive and then provide the security by assigning NTFS Permissions. We also provided an example of how to secure virtual machine access using the NTFS Permissions.

The later part of this article will explore:

  • Hyper-V Firewall Rules and Configuration
  • Securing Hyper-V & Virtual Machines using Authorization Manager
  • An example to provide Hyper-V Security using Authorization Manager
  • Hyper-V Security Best Practices
