8/3/2019 Hyper-V Security by Kevin Lim
http://slidepdf.com/reader/full/hyper-v-security-by-kevin-lim 1/44
Windows Server 2008 R2 Hyper-V Security
Kevin Lim (CISSP; Microsoft: MCT, MCITP, MCTS; Citrix: CCA)
Enterprise Consultant, RefineNetworks
Blog: http://Kevin.RefineNetworks.com
Agenda
• Common Criteria Certification
• Hyper-V Architecture
• Implementing Hyper-V
• Security Control & Drive Encryption
• Networking
• Prevent Denial-of-Service (DoS)
• Implementing Security Policy
• Q&A
Common Criteria Certification: Hyper-V & Windows Server
• Common Criteria for IT Security Evaluation is an International Standard (ISO/IEC 15408) for computer security certification
• Windows Platform Common Criteria Certification
– Windows 7 and Windows Server 2008 R2
– Windows Vista and Windows Server 2008 at EAL4+
– Microsoft Windows Server 2008 Hyper-V Role
– Windows Vista and Windows Server 2008 at EAL1
• Windows Server 2008 R2 Hyper-V will shortly complete its EAL 4+ certification (Windows Server and Hyper-V are currently certified separately)
Hyper-V Architecture
[Architecture diagram. The Windows Hypervisor runs at Ring -1 on "Designed for Windows" server hardware. The Parent Partition (Management OS, Windows Server 2008 R2) runs the VM Service, WMI Provider, Applications and VM Worker Processes in user mode, and the Windows Kernel, VSPs and IHV Drivers in kernel mode. Child Partitions (Virtual Machines) are: Windows Server 2003, 2008, R2 with a Windows Kernel and VSC; a Non-Hypervisor Aware OS using Emulation and a Hypercall Adapter; and Linux with a Linux VSC. Each child partition connects to the parent over its own VMBus. Legend, "Provided by": Microsoft Hyper-V; ISV/IHV/OEM; OS; Microsoft / XenSource.]
Security in Hyper-V: Isolation
• No sharing of virtualized devices
• Separate VMBus instance per VM to the parent
• No sharing of memory
– Each has its own address space
• VMs cannot communicate with each other, except through traditional networking
• Guests can't perform DMA attacks because they're never mapped to physical devices
• Guests cannot write to the hypervisor
• Parent partition cannot write to the hypervisor
Implementing Hyper-V
Implementing Hyper-V Host
• Apply the Latest Service Pack & Hotfixes
• Use Server Core for the Parent Partition
– Benefits:
• Smallest attack surface; reduces the number of patches, updates, and restarts required for maintenance
• Reduced memory and disk requirements
• Performance: 20%-40% better performance than Full Installation
– Remote Administration:
• Use PowerShell or Microsoft Remote Server Administration Tools (RSAT)
• Do not run any application on the Hyper-V Parent Partition
– Benefits:
• Stability
• Performance
• More secure
• Fewer patches
• Minimum Maintenance & Less Downtime
• Have dedicated network adapter(s) for the following networks
– For Security and Performance Reasons
• Hyper-V Management
• iSCSI Traffic
• Backup & Recovery
• Live Migration
Virtual Machine
• Use an Enlightened Guest Operating System whenever possible
• Install Integration Services on the Virtual Machine
– Time
• For Computer Forensics & Compliance
– Accuracy of Timestamps
– Audit Log Entries
– Performance
– Backup / Snapshot
– Reliability / Availability
Securing Hyper-V Host
• Enforcing Security Policy
• Apply the latest service pack & hotfixes
• Remove unnecessary applications
• Disable unnecessary services
• Enable strong password policy
• Enable audit trails (file & object access, file creation, file deletion)
• Install antivirus software
• Don't use your server for web browsing
• Use a vulnerability scanner to perform security assessments on a regular basis
• Enforce File System Access Control Lists (ACLs)
• Regular backups and archiving
• Use the Microsoft Windows Server 2008 Security Guide as your baseline policy; modify the policy according to your corporate security policy
• Secure the Virtual Machine: Configuration Files, Snapshots, Virtual Hard Disks
Patch Management
• Patch the Hyper-V Host and Virtual Machines before deploying to a production environment
• Patch Regularly:
– Automatically Patch (Recommended)
• Windows Server Update Services (WSUS)
• Microsoft System Center Configuration Manager (SCCM)
• Any software distribution method
– Manually Patch
Don't forget to patch the applications on your virtual machines!
Antivirus Exclusion Policy for Hyper-V Host
• Files
– Virtual machine configuration files directory. By default, it is C:\ProgramData\Microsoft\Windows\Hyper-V.
– Virtual machine virtual hard disk files directory. By default, it is C:\Users\Public\Documents\Hyper-V\Virtual Hard Disks.
– Snapshot files directory. By default, it is %systemdrive%\ProgramData\Microsoft\Windows\Hyper-V\Snapshots.
• Processes
– Virtual Machine Worker (Vmwp.exe)
– Virtual Machine Management Service (Vmms.exe)
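The defaults listed above are only correct on a host whose VM store was never moved. The following PowerShell script is an added example, not part of the original deck, that builds the exclusion list from the paths the host is actually configured with. It assumes Windows Server 2008 R2 with the Hyper-V role, and that the registry values DefaultExternalDataRoot and DefaultVirtualHardDiskPath under the Virtualization key hold the configured directories (they fall back to the slide's defaults if absent); the output is meant to be pasted into whatever antivirus console you use.

```powershell
# Added example (not from the deck): derive the Hyper-V antivirus exclusion
# list from the host's configured VM/VHD paths rather than the defaults.
# Assumption: the DefaultExternalDataRoot / DefaultVirtualHardDiskPath values
# under the Virtualization registry key hold the configured directories.

$virtKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization'

function Get-HyperVAvExclusions {
    $cfg = Get-ItemProperty -Path $virtKey -ErrorAction SilentlyContinue

    # Fall back to the defaults from the slide when a value is not set.
    $configRoot = if ($cfg.DefaultExternalDataRoot) { $cfg.DefaultExternalDataRoot }
                  else { 'C:\ProgramData\Microsoft\Windows\Hyper-V' }
    $vhdRoot    = if ($cfg.DefaultVirtualHardDiskPath) { $cfg.DefaultVirtualHardDiskPath }
                  else { 'C:\Users\Public\Documents\Hyper-V\Virtual Hard Disks' }
    $snapRoot   = Join-Path $configRoot 'Snapshots'

    # Directory exclusions; Exists=False flags a typo or a store that was moved
    # again without the registry being updated.
    $paths = @($configRoot, $vhdRoot, $snapRoot) | ForEach-Object {
        New-Object PSObject -Property @{
            Type   = 'Path'
            Value  = $_
            Exists = Test-Path $_
        }
    }

    # Process exclusions: take the image path from the running process where
    # possible (vmwp.exe only exists while a VM is running), else System32.
    $procs = 'vmms', 'vmwp' | ForEach-Object {
        $p = Get-Process -Name $_ -ErrorAction SilentlyContinue | Select-Object -First 1
        New-Object PSObject -Property @{
            Type   = 'Process'
            Value  = if ($p -and $p.Path) { $p.Path } else { Join-Path $env:windir "System32\$_.exe" }
            Exists = [bool]$p
        }
    }

    $paths + $procs
}

# Show the list and save a copy for the AV console / change record.
$exclusions = Get-HyperVAvExclusions
$exclusions | Format-Table Type, Value, Exists -AutoSize
$exclusions | ForEach-Object { $_.Value } | Set-Content -Path "$env:TEMP\hyperv-av-exclusions.txt"
```

Because the excluded files are never scanned on the host, the antivirus that actually covers their contents is the one inside each guest (see the Securing Virtual Machine slide); the host exclusion only prevents the scanner from locking or corrupting live VHD and configuration files.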
Security Control & Disk Encryption
Security Control & Drive Encryption
• Enforcing Security Control on Hyper-V
– Role Based Access Control (RBAC)
– Authorization Manager (AzMan)
– SCVMM Self-Service Portal (SSP 2.0)
• Enable Drive Encryption
– BitLocker Drive Encryption
Access Control
• Least Privilege
– A Hyper-V administrator doesn't require Windows Administrator rights
– Use Authorization Manager policies for role-based access control
– Use SCVMM Self-Service Portal (SSP 2.0) for Business Unit IT Administrators to self-administer virtual machines for application functional testing
Authorization Manager (AzMan)
• Authorization Manager uses a role-based access control (RBAC) model
• The default authorization policy is XML-based and stored at
– Hyper-V: X:\ProgramData\Microsoft\Windows\Hyper-V\InitialStore.xml
– Hyper-V managed by SCVMM: query the registry key to find out the policy location: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization\StoreLocation
• Use azman.msc to configure the policy
• Enable Auditing on
– Authorization Manager: InitialStore.xml → Properties → Auditing → Authorization store change auditing
– Local Security Policy or Domain GPO
• Local: Local Security Policy → Audit Policy → Enable Audit Object Access (Success & Failure)
• Domain: GPO → Computer Configuration → Windows Settings → Security Settings → Local Policies → Audit Policy → Enable Audit directory service access (Success & Failure)
– Events are written to the Windows Security Log
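The two audit layers above (store change auditing in AzMan, and Object Access auditing in the local policy) can be switched on from the command line and then checked against the Security log. The script below is an added example, not from the deck; it assumes Windows Server 2008 R2, resolves the store the way the slide describes (StoreLocation registry value on an SCVMM-managed host, otherwise the default InitialStore.xml, with the StoreLocation value assumed to hold the msxml:// URL), and uses the built-in AzRoles COM object and auditpol.

```powershell
# Added example (not from the deck): enable AzMan store-change auditing and
# Object Access auditing, then read back matching Security-log events.
# Assumption: StoreLocation, when present, holds the store URL.

$virtKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization'

function Get-HyperVAzManStoreUrl {
    $loc = (Get-ItemProperty -Path $virtKey -ErrorAction SilentlyContinue).StoreLocation
    if (-not $loc) { $loc = 'C:\ProgramData\Microsoft\Windows\Hyper-V\InitialStore.xml' }
    if ($loc -notmatch '^msxml://') { $loc = "msxml://$loc" }
    return $loc
}

# Layer 1: authorization store change auditing (the Properties -> Auditing
# checkbox on InitialStore.xml in azman.msc), via the AzRoles COM API.
$store = New-Object -ComObject AzRoles.AzAuthorizationStore
$store.Initialize(0, (Get-HyperVAzManStoreUrl), $null)   # 0 = open existing store
$store.GenerateAudits = $true
$store.Submit()

# Layer 2: local audit policy, Object Access success + failure (command-line
# equivalent of Local Security Policy -> Audit Policy). On a domain-joined
# host set this through the GPO path on the slide instead, or GPO will
# overwrite it at the next refresh.
auditpol /set /category:"Object Access" /success:enable /failure:enable | Out-Null

# Read back: Security-log events from the last N hours that reference the
# authorization store, which is where a test change made in azman.msc
# should now show up.
function Get-AzManAuditEvents([int]$Hours = 24) {
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; StartTime = (Get-Date).AddHours(-$Hours) } `
                 -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'InitialStore\.xml|Authorization Manager' } |
        Select-Object TimeCreated, Id, Message
}

Get-AzManAuditEvents | Format-Table -AutoSize -Wrap
```

After running it, make one harmless change in azman.msc (for example, add and remove a task) and re-run Get-AzManAuditEvents: if nothing appears, the audit trail is not working and the policy change should be treated as unverified before it is relied on for compliance evidence.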
Steps for Setting Up Role-Based Access Control for Hyper-V
1) Define Scope according to your organization's needs. A Scope is the boundary for that particular role.
2) Define Tasks. Tasks are a collection of operations.
3) Create Roles. A Role Assignment contains the users to which Tasks and Operations are assigned.
4) Assign Users or Groups to Roles.
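The four steps can be scripted against the Authorization Manager COM API (AzRoles) so that the policy is reproducible rather than clicked through in azman.msc. The following is an added example, not from the deck or from Microsoft. It assumes a host that is not managed by SCVMM (default store path), that the Hyper-V application inside the store is named 'Hyper-V services', and that the scope, task, role and group names are invented for the example; the operation names are the ones that appear in the default Hyper-V store and should be confirmed in azman.msc before use.

```powershell
# Added example (not from the deck): steps 1-4 of the slide via the AzRoles
# COM API. Assumptions: default store path, application 'Hyper-V services',
# and the scope/task/role/group names below are invented for the example.

$storePath = 'C:\ProgramData\Microsoft\Windows\Hyper-V\InitialStore.xml'
$scopeName = 'Finance-Test-VMs'                 # assumed
$taskName  = 'Operate Finance Test VMs'         # assumed
$roleDef   = 'Finance Test VM Operator'         # assumed
$roleAssn  = 'Finance Test VM Operators'        # assumed
$group     = 'CONTOSO\Finance-Test-Operators'   # assumed AD group

$store = New-Object -ComObject AzRoles.AzAuthorizationStore
$store.Initialize(0, "msxml://$storePath", $null)   # 0 = open existing store
$app = $store.OpenApplication('Hyper-V services', $null)

# 1) Define the scope: the boundary the role applies to. VMs are placed in it
#    with the CreateVMInScope / ChangeVMScope scripts cited on a later slide.
$scope = $app.CreateScope($scopeName, $null)
$scope.Submit()

# 2) Define a task: a named collection of operations. Only start/stop and
#    read-only service configuration, so the operator cannot reconfigure the
#    host or create VMs. Operation names: verify in azman.msc.
$task = $app.CreateTask($taskName, $null)
foreach ($op in 'Read Service Configuration', 'Start Virtual Machine', 'Stop Virtual Machine') {
    $task.AddOperation($op, $null)
}
$task.Submit()

# 3) Create the role. In AzMan a role definition is a task flagged
#    IsRoleDefinition; the role assignment is created inside the scope so it
#    grants rights only over VMs that belong to that scope.
$def = $app.CreateTask($roleDef, $null)
$def.IsRoleDefinition = $true
$def.AddTask($taskName, $null)
$def.Submit()

$assignment = $scope.CreateRole($roleAssn, $null)
$assignment.AddTask($roleDef, $null)
$assignment.Submit()

# 4) Assign a group (not individual accounts, and not local Administrators)
#    to the role assignment.
$assignment.AddMemberName($group, $null)
$assignment.Submit()

# Verify what was written: role assignments in the scope with their members.
function Get-ScopeRoleAssignments {
    foreach ($r in $scope.Roles) {
        "{0}: tasks={1} members={2}" -f $r.Name, ($r.Tasks -join ','), ($r.MembersName -join ',')
    }
}
Get-ScopeRoleAssignments
```

Run it as an account that already has rights to the store (a member of the host's Administrators group) and keep the script under change control: re-running it against a fresh host is the easiest way to prove that the production role set matches the reviewed one.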
Demo #1: Authorization Manager
Assign AzMan Scopes for VMs
• Use AzMan to assign a VM to a scope
• Scripts available to assign a VM to a scope:
– CreateVMInScope
– DisplayVMScopes
– ClearVMScopes
– ChangeVMScope
Scripts can be downloaded from: http://social.technet.microsoft.com/Forums/en-US/ITCG/thread/3d0888e2-7538-4578-b16c-97b73c8e0f96/
SCVMM Self-Service Portal (SSP 2.0)
• Administrators: Full access to SCVMM for administration
• Delegated Administrators: Scope can be limited by host groups and library servers
• Self-Service Users: Limited access to a subset of actions. Scope can be limited by host groups, library shares and VM ownership
• All activities are logged for audit trails
BitLocker Drive Encryption
• Encrypt Disk Drive
– Benefits
• Protect disk content when the virtual server is not powered on
• Ensure Confidentiality & Integrity
• Encryption Algorithm
– Advanced Encryption Standard (AES) 128 or 256 bits
– Diffuser (optional)
BitLocker Drive Encryption
• Hardware Requirement
– Trusted Platform Module (TPM) version 1.2 OR
– Password and USB thumb drive
• Use Trusted Platform Module (TPM) hardware, if possible
• Use an existing Active Directory Domain Services (AD DS) infrastructure to remotely store BitLocker recovery keys
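Putting the TPM and AD DS recommendations together on a host looks like the following. It is an added example, not from the deck, using the manage-bde tool and the Win32_Tpm and Win32_EncryptableVolume WMI classes that ship with Windows Server 2008 R2; the drive letter is an assumption, and the AD DS backup only succeeds after the schema and Group Policy preparation described in the BitLocker deployment guide linked on the Resources slide.

```powershell
# Added example (not from the deck): enable BitLocker on the host OS volume
# with a TPM protector plus a recovery password escrowed to AD DS.
# Assumptions: drive letter C:, AD DS prepared for BitLocker recovery backup.

$drive = 'C:'

# Only choose the TPM protector if a TPM is present, enabled, activated and owned.
function Test-TpmReady {
    $tpm = Get-WmiObject -Namespace root\cimv2\Security\MicrosoftTpm -Class Win32_Tpm -ErrorAction SilentlyContinue
    if (-not $tpm) { return $false }
    return ($tpm.IsEnabled().IsEnabled -and $tpm.IsActivated().IsActivated -and $tpm.IsOwned().IsOwned)
}

function Get-EncryptableVolume([string]$Letter) {
    Get-WmiObject -Namespace root\cimv2\Security\MicrosoftVolumeEncryption `
        -Class Win32_EncryptableVolume -Filter "DriveLetter='$Letter'"
}

if (-not (Test-TpmReady)) {
    throw 'TPM not ready; use the password + USB startup-key option from the slide instead.'
}

# Recovery password first, so the volume is never left without a recovery
# path, then the TPM protector, then start encryption. manage-bde prints the
# recovery password to the console: record it before clearing the screen.
manage-bde -protectors -add $drive -RecoveryPassword
manage-bde -protectors -add $drive -TPM
manage-bde -on $drive

# Escrow every numerical-password (recovery) protector to AD DS.
# Key protector type 3 = numerical password in Win32_EncryptableVolume.
function Backup-RecoveryPasswordsToAd([string]$Letter) {
    $vol = Get-EncryptableVolume $Letter
    $ids = $vol.GetKeyProtectors(3).VolumeKeyProtectorID
    $failed = 0
    foreach ($id in $ids) {
        $rc = $vol.BackupRecoveryInformationToActiveDirectory($id).ReturnValue
        if ($rc -ne 0) {
            $failed++
            Write-Warning ("AD DS backup of protector {0} failed: 0x{1:X8}" -f $id, $rc)
        }
    }
    return ($failed -eq 0)
}

if (-not (Backup-RecoveryPasswordsToAd $drive)) {
    Write-Warning 'Recovery password is NOT in AD DS; do not rely on AD for recovery of this host.'
}

# Confirm protectors, protection status and encryption progress.
manage-bde -status $drive
```

The ordering matters: adding the recovery password before the TPM protector means a failed TPM step, or a later firmware update that changes the TPM measurements, never leaves the host with no way back in. The AD DS backup return value is checked explicitly because a silent failure there is exactly the case where the "remotely store recovery keys" recommendation gives false comfort.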
Demo #2: BitLocker Drive Encryption
iSCSI Storage
• Enable multi-factor authentication on iSCSI storage:
– CHAP Secret
– IP Address
– IQN
– IPSec
– RADIUS
• SAN storage should be placed on a segregated segment
– Benefits:
• Security
• Performance
• Reliability
Hyper-V Networking
Hyper-V Virtual Switch
[Diagram, same layering as the architecture slide: the Windows Hypervisor at Ring -1 on "Designed for Windows" server hardware; the Parent Partition (Hyper-V Host, Windows Server 2008 R2) with VM Service, WMI Provider, Applications and VM Worker Processes in user mode and VSPs in kernel mode; Child Partitions VM1 and VM2 (Windows Kernel / VSC) and VM3 (Linux Kernel / VSC), each with its own VMBus to the parent. The host has four physical adapters (Mgt. NIC 1, NIC 2, NIC 3, NIC 4) and three virtual switches (Vswitch 1, Vswitch 2, Vswitch 3) exposed to the child partitions through a VSP, with the management NIC kept separate from the virtual switches.]
Network Adapter Types
• Use Synthetic Network Adapters whenever possible (Enlightened OS)
– Benefits
• Ethernet Speed: 10GB Ethernet
• Use a Legacy Network Adapter when there is no supported driver
– For legacy OS & PXE boot
– Ethernet Speed: 100MB only
Hyper-V Virtual Networks
• External
– Bound to a network adapter in the physical computer
– Accessible from the physical network
• Internal
– Virtual machines can communicate with the parent partition and with virtual machines that reside on the same host
– Not bound to a network adapter in the physical computer
– Inaccessible from the physical network
• Private
– Virtual machines can communicate only with virtual machines that reside on the same host
– Not bound to a network adapter in the physical computer
– Isolated from the parent partition; inaccessible from the physical network
Securing Hyper-V Host Networking
• Use a dedicated network adapter for managing the Hyper-V host
– Benefits:
• Dedicated for management use, with no disruption of the network
• Security: Does not expose the Hyper-V host to untrusted network traffic
Securing Hyper-V Host Networking
• Enforce Security Policy Based on Segment
– DMZ segment
– Internal segment
– Extranet segment, etc.
• Virtual Machines on different segments can securely run on the same Hyper-V host
– Properly assess the risks & regulatory compliance
– Use dedicated network interfaces
– Consider using VLANs
– Use Dynamic MAC Addresses, if not used with 3rd party security controls (i.e. firewall, router, etc.)
Prevent Denial-of-Service (DoS)
Protecting Virtual Machine Workload
• Since many virtual machines reside on the same Hyper-V host, they can affect one another
• It is important to limit the resources available to each virtual machine
• When possible, use Microsoft System Center Operations Manager (SCOM) for service monitoring and Intelligent Placement of virtual machines. Various SCOM Management Packs are available for compliance monitoring as well
Boot Sequence
Processor Protection
Memory Protection
MAC Address Range
Securing Virtual Machine
• Secure your virtual machine the way you secure your physical server
• Apply the latest service pack & hotfixes
• Remove unnecessary applications
• Disable unnecessary services
• Enable strong password policy
• Enable audit trails
• Install antivirus software
• Don't use your server for web browsing
• Use a vulnerability scanner to perform security assessments on a regular basis
• Use the Microsoft Security Guides as your baseline policy; modify the policy according to your Corporate IT Security policy
Implementing Security Policy
Microsoft Security Compliance Manager
• Enforce Security Policy through Active Directory Group Policy
• Configure Security Policy on stand-alone machines
• Updated Security Guides
• Compare Policy Against Industry Best Practices
Demo #3: Security Compliance Manager
Active Directory Design for Multi-Tenancy
• Group Policy enforcement based on server roles
• Enforce through respective OUs
Questions
1) Which tool implements Role Based Access Control on Hyper-V?
2) Which tool compares security policy against industry Best Practices?
Take Away
• Apply security hotfixes regularly
• Reduce the attack surface on the Hyper-V host by not installing unnecessary applications and services
• Use Least Privilege Access
• Enable Audit Trails
• Secure VM hard disks and configuration files, including backups and archives
• Use virtual networks, VLANs and IPSec to isolate machines
• Take advantage of backups, snapshots, and redundancy to reduce the impact of host/guest maintenance
• Perform vulnerability assessments on a regular basis
Remember: Security is a journey, NOT a one-off exercise!
Resources
• My Blog: http://Kevin.RefineNetworks.com
• Facebook: MVUG and MVUGv2 (Malaysia Virtualization User Group)
• Windows Server 2008 Security Guide: http://go.microsoft.com/fwlink/?LinkId=134200
• Windows BitLocker Drive Encryption Design and Deployment Guides: http://go.microsoft.com/fwlink/?LinkId=134201
• Server Core Installation Option of Windows Server 2008 Step-By-Step Guide: http://go.microsoft.com/fwlink/?LinkId=134202
• Microsoft Security Compliance Manager: http://www.microsoft.com/download/en/details.aspx?id=16776