Hyper-V Security and Authorization Manager, Keys to a Successful Config

by Nirmal Sharma

Are your Hyper-V virtual machines secure? Learn how to secure them using Authorization Manager.

Securing virtual machines (VMs) running on Hyper-V is a critical task. This article is the second in a series on configuring and securing Hyper-V using Authorization Manager. (Part 1 can be found, here.) This article explains how you can secure VMs access when running on Hyper-V. Authorization Manager is a component built into Windows. Hyper-V uses its store to provide security to the Hyper-V Parent Partition and VMs running on it. The policy settings for Hyper-V are kept in a XML-based file. By default, the Local Administrator is part of this and can manage all the aspects of Hyper-V.

This article will focus on the following topics:

  • Securing Hyper-V Resources Using Authorization Manager
  • Step-by-Step using Authorization Manager
  • Hyper-V Operations Tasks and Categories
  • A simple example using Authorization Manager

Hyper-V uses Authorization Manager to provide security to the Hyper-V Parent Partition and VMs. Before you play with it, you must be familiar with the basic terms used in Authorization Manager, starting with the following:

Authorization Manager RABC Model
Figure 1
Authorization Manager RABC Model

Authorization Manager uses a role-based access control (RBAC) model. In this model, roles are granted access to the operations or tasks to perform an action listed in the operations. Figure 1 defines the following terms:

Scope: Scope is the boundary for that particular Role. You can create Scope by right-clicking on the Hyper-V Services in Authorization Manager or by using a small script. When you create a new scope, the three things are associated with every Scope you create in the Authorization Manager as shown in Figure 2:

  • Groups
  • Definitions
  • Role Assignments

Authorization Manager Screen Shot
Figure 2
Authorization Manager Screen Shot
Operation: Operation is a basic unit of permission. For example, stopping and starting the VM
Tasks and Role Definitions: Tasks are a collection of operations, and Role Definitions is actually the Permission assigned to the Role Assignment
Role Assignment: Role Assignment contains the users to which Tasks and Operators are assigned

As Figure 1 shows, two scopes are created: SCOPE 1 and SCOPE 2. Both scopes contain Operations, Tasks and Role, but the permissions are different. The Roles defined in Scope 1 are User 1 and User 2, and Operations assigned to these Roles are: "Start Virtual Machine" and "Stop Virtual Machine." Similarly, as you see in SCOPE 2, Roles are different: User 3 and User 4. Scope 2 has only one Operation defined for User 3 and User 4: "Configure Virtual Machine Settings."

The Operations, Tasks and Roles are defined in a XML-based file stored at


Note: The ProgramData folder is hidden by default on Windows Server 2008. You might need to unhide this folder to view the above path.

Hyper-V Server uses this store. If the file is missing, then Hyper-V services will fail to start. The Hyper-V initialization includes reading this file to get the permissions assigned to the VM. Hyper-V then queries a registry entry shown below to get the path of the InitialStore.XML file:

HKLMSoftwareMicrosoftWindows NTCurrentVersionVirtualization

The above registry key stores two registry entries: StoreLocation and ServiceApplication. The StoreLocation registry entry defines the path of InitialStore.XML file and ServiceApplication registry entry defines which application in the policy the InitialStore.XML file is used. In this case it is Hyper-V Services always.

Tip: The InitialStore.XML file is installed only when you enable the Hyper-V Role. If this file is missing or corrupted, you have got two options with you:

- Copy the file from a working Hyper-V Server
- Mount the Install.WIM from Windows Server 2008 ISO and then search for InitialStore.XML. Copy this file to the Hyper-V Server

The scope of this article is limited to Hyper-V Security. It doesn't explain everything about Authorization Manager and its features. More information on Authorization Manager can be found, here.

By default, Hyper-V Server defines one Scope, 33 Operations and a single Role, and this is stored in the above mentioned XML File. By default, the Local Administrator on Parent partition is configured as a Default Role and assigned all the permissions to configure Hyper-V and VMs running on it. You can view and configure these using the Authorization Manager MMC. The MMC name is AzMan.MSC. You must be a member of Local Administrators Group on Parent Partition to use Authorization Manager.

Page 2: Step-by-Step Guidelines for Authorization Manager

Follow ServerWatch on Twitter

Step-by-Step Guidelines for Authorization Manager

1. Go to Start Menu > Type "AzMan.MSC"
2. Right click the Red Cross > click "Open Authorization Store"
3. Point to the %SystemRoot%ProgramDataMicrosoftWindowsHyper-VInitialStore.XML > click Ok.
4. When you click Ok, the Authorization Manager will read the InitialStore.XML and load the contents from the file to be displayed in the snap-in as shown below:

Authorization Manager Snap-in
Figure 3
Authorization Manager Snap-in

Three major categories are defined in the Authorization Manager to control Hyper-V Server and VMs. These categories are:

  • Hyper-V Services Operations
  • Hyper-V Network Operations
  • Hyper-V Virtual Machine Operations

As stated earlier, there are 33 operations. These operations are divided into above categories. The below table shows the Operations included with these categories:

Hyper-V Operations Categories in Authorization Manager
Figure 4
Hyper-V Operations Categories in Authorization Manager

As shown in Figure 1.4, using Authorization Manager, you can delegate two types of operations for Hyper-V and VMs Configuration. These operations are: Modify or Read. These delegations are required in a large organization where one team is responsible for modifying the Hyper-V Configuration and one team is responsible for monitoring the Hyper-V VMs and other things. These are the available Operations included in Authorization Manager. You cannot get anything above 33.

The Administrator Role is the only role defined in Authorization Manager that includes all 33 operations by default. This role is complete enough to control all the aspects of Hyper-V including VMs and its configuration.

A simple example would be allowing a user other than the Local Administrator to manage Hyper-V Server and VMs.

By default, Local Administrator on Hyper-V server is allowed to control the Hyper-V Server and all the VMs running on it. You can delegate this control to a user who is member of an Active Directory Domain. This is a simple example to grant someone in your organization to control Hyper-V Server and VMs rather than using the Local Administrator account on the Hyper-V Server. You will use Local Store of Authorization Manager for this example.

  1. Open AzMan.MSC
  2. Right Click on "Open Authorization Store" > select the XML File from this location: ProgramDataMicrosoftWindowsHyper-VInitialStore.XML.
  3. Click OK to open the InitialStore.XML Policy settings in Authorization Manager.
  4. Expand Microsoft Hyper-V Services > Role Assignments.
  5. In Right Pane, right click on "Administrator" select "Assign Users and Groups" and then select "From Windows and Active Directory".
  6. Enter the name of User or Security Group you want to allow them to control the Hyper-V and VMs.
  7. Click OK and then close the Authorization Manager snap-in.

That's it. The above examples enable a user in Active Directory Domain to control the Hyper-V Server and VMs running on it.

The next article in this series will explain the more granular control over Hyper-V and VMs running on it.


This article explained Authorization Model to provide security for VMs running on Hyper-V Server. We also explored the Tasks available with Authorization Manager. We also provided a simple example on how to configure a different user other than Administrator to control Hyper-V Server and virtual machines.

Follow ServerWatch on Twitter

This article was originally published on Friday Dec 11th 2009
Mobile Site | Full Site