Hyper-V Security by Kevin Lim


8/3/2019 Hyper-V Security by Kevin Lim

http://slidepdf.com/reader/full/hyper-v-security-by-kevin-lim 1/44

Windows Server 2008 R2 Hyper-V Security

Kevin Lim (CISSP; Microsoft: MCT, MCITP, MCTS; Citrix: CCA)
Enterprise Consultant, RefineNetworks
Blog: http://Kevin.RefineNetworks.com
[email protected]


Agenda

• Common Criteria Certification
• Hyper-V Architecture
• Implementing Hyper-V
• Security Control & Drive Encryption
• Networking
• Prevent Denial-of-Service (DoS)
• Implementing Security Policy
• Q&A


Common Criteria Certification: Hyper-V & Windows Server

• Common Criteria for IT Security Evaluation is an international standard (ISO/IEC 15408) for computer security certification
• Windows Platform Common Criteria Certification
 –  Windows 7 and Windows Server 2008 R2
 –  Windows Vista and Windows Server 2008 at EAL4+
 –  Microsoft Windows Server 2008 Hyper-V Role
 –  Windows Vista and Windows Server 2008 at EAL1
• Windows Server 2008 R2 Hyper-V will shortly complete its EAL 4+ certification (Windows Server and Hyper-V are currently certified separately)


Hyper-V Architecture

[Diagram: Hyper-V architecture. Labels on the slide:
 –  Windows Hypervisor (Ring -1), running on “Designed for Windows” Server Hardware
 –  Parent Partition (Management OS), Windows Server 2008 R2: user mode – VM Service, WMI Provider, Applications, VM Worker Processes; kernel mode – Windows Kernel, VSP, IHV Drivers, VMBus
 –  Child Partitions (Virtual Machines): Windows Server 2003, 2008, R2 (Windows Kernel, VSC, VMBus); Non-Hypervisor Aware OS (Emulation); Linux (Linux VSC, Hypercall Adapter, VMBus)
 –  Legend, “Provided by”: Microsoft Hyper-V, ISV/IHV/OEM, OS, Microsoft / XenSource]


Security in Hyper-V: Isolation

• No sharing of virtualized devices
 –  Separate VMBus instance per VM to the parent
• No sharing of memory
 –  Each has its own address space
• VMs cannot communicate with each other, except through traditional networking
• Guests can’t perform DMA attacks because they’re never mapped to physical devices
• Guests cannot write to the hypervisor
• Parent partition cannot write to the hypervisor


Implementing Hyper-V


Implementing Hyper-V Host

• Apply the latest Service Pack & hotfixes
• Use Server Core for the Parent Partition
 –  Benefits:
    • Smallest attack surface; reduces the number of patches, updates, and restarts required for maintenance
    • Reduced memory and disk requirements
    • Performance: 20%-40% better performance than Full Installation
 –  Remote Administration:
    • Use PowerShell or Microsoft Remote Server Administration Tools (RSAT)
• Do not run any application on the Hyper-V Parent Partition
 –  Benefits:
    • Stability
    • Performance
    • More secure
    • Fewer patches
    • Minimum maintenance & less downtime
• Have dedicated network adapter(s) for the following networks
 –  For security and performance reasons
    • Hyper-V Management
    • iSCSI traffic
    • Backup & Recovery
    • Live Migration


Virtual Machine

• Use an Enlightened Guest Operating System whenever possible
• Install Integration Services on the Virtual Machine
 –  Time
    • For Computer Forensics & Compliance
       –  Accuracy of timestamps
       –  Audit log entries
 –  Performance
 –  Backup / Snapshot
 –  Reliability / Availability


Securing Hyper-V Host

• Enforcing Security Policy
 –  Apply the latest service pack & hotfixes
 –  Remove unnecessary applications
 –  Disable unnecessary services
 –  Enable strong password policy
 –  Enable audit trails (file & object access, file creation, file deletion)
 –  Install antivirus software
 –  Don’t use your server for web browsing
 –  Use a vulnerability scanner to perform security assessment on a regular basis
 –  Enforce File System Access Control Lists (ACLs)
 –  Regular backups and archiving
• Use the Microsoft Windows Server 2008 Security Guide as your baseline policy; modify the policy according to your corporate security policy
• Secure the Virtual Machine: configuration files, snapshots, virtual hard disks


Patch Management

• Patch the Hyper-V host and virtual machines before deploying to a production environment
• Patch regularly:
 –  Automatically patch (Recommended)
    • Windows Server Update Services (WSUS)
    • Microsoft System Center Configuration Manager (SCCM)
    • Any software distribution method
 –  Manually patch
• Don’t forget to patch the applications on your virtual machines!


Antivirus Exclusion Policy for Hyper-V Host

• Files
 –  Virtual machine configuration files directory. By default, it is C:\ProgramData\Microsoft\Windows\Hyper-V.
 –  Virtual machine virtual hard disk files directory. By default, it is C:\Users\Public\Documents\Hyper-V\Virtual Hard Disks.
 –  Snapshot files directory. By default, it is %systemdrive%\ProgramData\Microsoft\Windows\Hyper-V\Snapshots.
• Processes
 –  Virtual Machine Worker (Vmwp.exe)
 –  Virtual Machine Management Service (Vmms.exe)
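The defaults above only hold until an administrator relocates VM storage, and an exclusion list built from defaults then silently misses the real files. As an added example (not from the deck), this PowerShell, assumed to run elevated on a Windows Server 2008 R2 host, derives the exclusion list from the paths actually in use through the Hyper-V WMI provider; the class and property names are those of the v1 root\virtualization namespace as the example's author understands them.

```powershell
# Added example, not part of the deck: derive the antivirus exclusion list for
# this Hyper-V host from the paths actually in use rather than the defaults.
# Uses the Windows Server 2008 R2 Hyper-V WMI provider (root\virtualization);
# assumes it runs elevated on the host. Class and property names are those of
# the v1 WMI namespace as the author of this example understands them.

function Get-HyperVExclusionPaths {
    $ns = 'root\virtualization'
    $paths = @()

    # Host-wide defaults inherited by new VMs: configuration root and VHD folder.
    $defaults = Get-WmiObject -Namespace $ns -Class Msvm_VirtualSystemManagementServiceSettingData
    $paths += $defaults.DefaultExternalDataRoot
    # Default snapshot folder per the slide: <configuration root>\Snapshots
    $paths += (Join-Path $defaults.DefaultExternalDataRoot 'Snapshots')
    $paths += $defaults.DefaultVirtualHardDiskPath

    # Per-VM settings: a VM created with "Store the virtual machine in a different
    # location" carries its own configuration and snapshot roots.
    foreach ($g in @(Get-WmiObject -Namespace $ns -Class Msvm_VirtualSystemGlobalSettingData)) {
        if ($g.ExternalDataRoot) { $paths += $g.ExternalDataRoot }
        if ($g.SnapshotDataRoot) { $paths += $g.SnapshotDataRoot }
    }

    # Directories holding attached virtual hard disks; Connection[0] is the file path.
    $vhds = Get-WmiObject -Namespace $ns -Class Msvm_ResourceAllocationSettingData `
                -Filter "ResourceSubType='Microsoft Virtual Hard Disk'"
    foreach ($rasd in @($vhds)) {
        if ($rasd.Connection -and $rasd.Connection[0]) {
            $paths += (Split-Path -Parent $rasd.Connection[0])
        }
    }

    $paths | Where-Object { $_ } | Sort-Object -Unique
}

function Get-HyperVExclusionProcesses {
    # The two processes named on the slide; report the binaries actually running.
    Get-Process -Name vmwp, vmms -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty Path -Unique
}

"Directories to exclude from real-time scanning:"
Get-HyperVExclusionPaths | ForEach-Object { "  $_" }
"Processes to exclude:"
Get-HyperVExclusionProcesses | ForEach-Object { "  $_" }
```

Re-run it after VMs are added or moved; a directory missing from the antivirus console's exclusion list is the finding.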


Security Control & Disk Encryption


Security Control & Drive Encryption

• Enforcing Security Control on Hyper-V
 –  Role Based Access Control (RBAC)
 –  Authorization Manager (AzMan)
 –  SCVMM Self-Service Portal (SSP 2.0)
• Enable Drive Encryption
 –  BitLocker Drive Encryption


Access Control

• Least Privilege
 –  Hyper-V administrator doesn’t require Windows Administrator rights
 –  Use Authorization Manager policies for role-based access control
 –  Use SCVMM Self-Service Portal (SSP 2.0) for Business Unit IT Administrators to self-administer virtual machines for application functional testing


Authorization Manager (AzMan)

• Authorization Manager uses a role-based access control (RBAC) model
• The default authorization policy is XML-based and stored at
 –  Hyper-V: X:\ProgramData\Microsoft\Windows\Hyper-V\InitialStore.xml
 –  Hyper-V managed by SCVMM: query the registry key to find the policy location
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization\StoreLocation
• Use azman.msc to configure the policy
• Enable auditing on
 –  Authorization Manager
    • InitialStore.xml → Properties → Auditing → Authorization store change auditing
 –  Local Security Policy or Domain GPO
    • Local: Local Security Policy → Audit Policy → enable Audit Object Access (Success & Failure)
    • Domain: GPO → Computer Configuration → Windows Settings → Security Settings → Local Policies → Audit Policy → enable Audit directory service access (Success & Failure)
 –  Events are written to the Windows Security Log
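As an added example (not from the deck), this PowerShell follows the StoreLocation registry value above to the store Hyper-V actually enforces (which differs once SCVMM manages the host), lists each role with its assigned members, and checks that Object Access auditing is effective. It assumes it runs elevated on the host, and the AzRole/Member element names reflect the XML store schema as the example's author understands it.

```powershell
# Added example, not part of the deck: locate the AzMan authorization store
# Hyper-V actually uses (the StoreLocation registry value named on the slide),
# list each role with its assigned members, and confirm Object Access auditing
# is on. Assumes it runs elevated on the host; the AzRole/Member element names
# reflect the XML store schema as the author of this example understands it.

function Get-HyperVAzManStorePath {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization'
    $loc = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).StoreLocation
    if (-not $loc) {
        # Fall back to the default store named on the slide.
        return (Join-Path $env:ProgramData 'Microsoft\Windows\Hyper-V\InitialStore.xml')
    }
    # The value is a store URL such as msxml://C:\...\InitialStore.xml; strip the scheme.
    $path = $loc -replace '^msxml://', ''
    [Environment]::ExpandEnvironmentVariables($path)
}

function Get-HyperVRoleAssignments {
    param([string]$StorePath = (Get-HyperVAzManStorePath))
    $xml = New-Object System.Xml.XmlDocument
    $xml.Load($StorePath)
    # Each AzRole carries the role's Name and one <Member> element per assigned SID.
    foreach ($role in $xml.SelectNodes('//AzRole')) {
        $members = foreach ($m in $role.SelectNodes('Member')) {
            try {
                $sid = New-Object System.Security.Principal.SecurityIdentifier($m.InnerText)
                $sid.Translate([System.Security.Principal.NTAccount]).Value
            } catch { $m.InnerText }   # orphaned or unresolvable SID: show it raw
        }
        New-Object PSObject -Property @{
            Role    = $role.GetAttribute('Name')
            Members = ($members -join '; ')
        }
    }
}

function Test-ObjectAccessAuditing {
    # auditpol reports the effective setting; the slide asks for Success and Failure.
    $line = auditpol /get /subcategory:"File System" | Select-String 'File System'
    return [bool]($line -match 'Success and Failure')
}

"Store in use: $(Get-HyperVAzManStorePath)"
Get-HyperVRoleAssignments | Format-Table Role, Members -AutoSize
if (-not (Test-ObjectAccessAuditing)) {
    "Object Access / File System auditing is not set to Success and Failure"
}
```

A member resolving only to a raw SID is a deleted account still holding a Hyper-V role; the assignment should be removed in azman.msc.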


Steps for Setting Up Role-Based Access Control for Hyper-V

1) Define Scope according to your organization’s needs
   Scope is the boundary for that particular role
2) Define Tasks
   Tasks are a collection of operations
3) Create Roles
   Role Assignment contains the users to which Tasks and Operations are assigned
4) Assign Users or Groups to Roles


Demo #1: Authorization Manager


Assign AzMan Scopes for VMs

• Use AzMan to assign a VM to a scope
• Scripts available to assign a VM to a scope
 –  CreateVMInScope
 –  DisplayVMScopes
 –  ClearVMScopes
 –  ChangeVMScope
• Scripts can be downloaded from: http://social.technet.microsoft.com/Forums/en-US/ITCG/thread/3d0888e2-7538-4578-b16c-97b73c8e0f96/


SCVMM Self-Service Portal (SSP 2.0)

• Administrators: Full access to SCVMM for administration
• Delegated Administrators: Scope can be limited by host groups and library servers
• Self-Service Users: Limited access to a subset of actions. Scope can be limited by host groups, library shares and VM ownership
• All activities are logged for audit trails


BitLocker Drive Encryption

• Encrypt Disk Drive
 –  Benefits
    • Protect disk content when the virtual server is not powered on
    • Ensure Confidentiality & Integrity
 –  Encryption Algorithm
    • Advanced Encryption Standard (AES) 128 or 256 bits
    • Diffuser (optional)


BitLocker Drive Encryption

• Hardware Requirement
 –  Trusted Platform Module (TPM) version 1.2, OR
 –  Password and USB thumb drive
• Use Trusted Platform Module (TPM) hardware, if possible
• Use an existing Active Directory Domain Services (AD DS) infrastructure to remotely store BitLocker recovery keys
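As an added example (not from the deck), this PowerShell checks every BitLocker-capable volume on the host against the two slides above: protection on, AES 128 or 256 with or without Diffuser, a TPM-based protector, and a numerical recovery password that can be backed up to AD DS. It uses the Win32_EncryptableVolume WMI class, assumes it runs elevated, and the value tables are the example author's reading of that class's enumerations.

```powershell
# Added example, not part of the deck: report each BitLocker-capable volume
# against the slide's requirements (protection on, AES 128/256 with or without
# Diffuser, a TPM protector, a recovery password for AD DS backup). Uses the
# Win32_EncryptableVolume WMI class; assumes it runs elevated. The numeric
# value tables are the example author's reading of that class's enumerations.

$EncryptionMethods = @{
    0 = 'None'; 1 = 'AES 128 + Diffuser'; 2 = 'AES 256 + Diffuser'; 3 = 'AES 128'; 4 = 'AES 256'
}
$ProtectorTypes = @{
    0 = 'Unknown'; 1 = 'TPM'; 2 = 'External key'; 3 = 'Numerical password'
    4 = 'TPM + PIN'; 5 = 'TPM + startup key'; 6 = 'TPM + PIN + startup key'
    7 = 'Public key'; 8 = 'Passphrase'
}

function Get-BitLockerVolumeReport {
    $vols = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftVolumeEncryption' `
                          -Class Win32_EncryptableVolume
    foreach ($v in $vols) {
        $protection = $v.GetProtectionStatus().ProtectionStatus   # 0 off, 1 on, 2 unknown
        $method     = $v.GetEncryptionMethod().EncryptionMethod
        # KeyProtectorType 0 enumerates protectors of every type.
        $ids   = @($v.GetKeyProtectors(0).VolumeKeyProtectorID | Where-Object { $_ })
        $types = foreach ($id in $ids) { $v.GetKeyProtectorType($id).KeyProtectorType }

        $hasTpm      = @($types | Where-Object { @(1, 4, 5, 6) -contains $_ }).Count -gt 0
        $hasRecovery = @($types) -contains 3
        $problems = @()
        if ($protection -ne 1)    { $problems += 'protection is off' }
        if ($method -eq 0)        { $problems += 'not encrypted' }
        if (-not $hasTpm)         { $problems += 'no TPM protector' }
        if (-not $hasRecovery)    { $problems += 'no recovery password to back up to AD DS' }

        New-Object PSObject -Property @{
            Drive      = $v.DriveLetter
            Protected  = ($protection -eq 1)
            Method     = $EncryptionMethods[[int]$method]
            Protectors = (@($types | ForEach-Object { $ProtectorTypes[[int]$_] }) -join ', ')
            Problems   = ($problems -join '; ')
        }
    }
}

Get-BitLockerVolumeReport | Format-Table Drive, Protected, Method, Protectors, Problems -AutoSize
# To store an existing recovery password in AD DS (requires the BitLocker AD DS
# schema and the "Store BitLocker recovery information in AD DS" Group Policy):
#   manage-bde -protectors -adbackup <drive>: -id <recovery password protector ID>
```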


Demo #2: BitLocker Drive Encryption


iSCSI Storage

• Enable multi-factor authentication on iSCSI storage:
 –  CHAP Secret
 –  IP Address
 –  IQN
 –  IPSec
 –  RADIUS
• SAN storage should be placed on a segregated segment
 –  Benefits:
    • Security
    • Performance
    • Reliability


Hyper-V Networking


Hyper-V Virtual Switch

[Diagram: Hyper-V virtual switch. Labels on the slide:
 –  Windows Hypervisor (Ring -1) on “Designed for Windows” Server Hardware
 –  Parent Partition (Hyper-V Host), Windows Server 2008 R2: user mode – VM Service, WMI Provider, Applications, VM Worker Processes; kernel mode – VSP, VMBus
 –  Child Partitions (Virtual Machine): VM1 (Windows Kernel, VSC, VMBus), VM2 (Windows Kernel, VSC, VMBus), VM3 (Linux Kernel, VSC, VMBus)
 –  Physical adapters and virtual switches: Mgt. NIC 1, Vswitch 1, NIC 2, Vswitch 2, NIC 3, Vswitch 3, NIC 4]


Network Adapter Types

• Use Synthetic Network Adapters whenever possible (Enlightened OS)
 –  Benefits
    • Ethernet Speed: 10GB Ethernet
• Use Legacy Network Adapter when there is no supported driver
 –  For legacy OS & PXE boot
 –  Ethernet Speed: 100MB only


Hyper-V Virtual Networks

• External
 –  Bound to a network adapter in the physical computer
 –  Accessible from the physical network
• Internal
 –  Virtual machines can communicate with the parent partition and virtual machines that reside on the same host
 –  Not bound to a network adapter in the physical computer
 –  Inaccessible from the physical network
• Private
 –  Virtual machines can communicate with other virtual machines that reside on the same host
 –  Not bound to a network adapter in the physical computer
 –  Isolated from the parent partition; inaccessible from the physical network


Securing Hyper-V Host Networking

• Use a dedicated network adapter for managing the Hyper-V host
 –  Benefits:
    • Dedicated for management use, with no disruption of the network
    • Security: does not expose the Hyper-V host to untrusted network traffic


Securing Hyper-V Host Networking

• Enforce Security Policy based on segment
 –  DMZ segment
 –  Internal segment
 –  Extranet segment, etc.
• Virtual machines on different segments can securely run on the same Hyper-V host
 –  Properly assess the risks & regulatory compliance
 –  Use dedicated network interfaces
 –  Consider using VLANs
 –  Use Dynamic MAC Address, if not using with 3rd party security control (i.e. firewall, router, etc.)


Prevent Denial-of-Service (DoS)


Protecting Virtual Machine Workload

• Since many virtual machines reside on the same Hyper-V host, one may affect another
• It is important to limit the resources available to each virtual machine
• When possible, use Microsoft System Center Operations Manager (SCOM) for service monitoring and Intelligent Placement of virtual machines. Various SCOM Management Packs are available for compliance monitoring as well
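The resource controls Hyper-V exposes per VM are the processor Limit, Reservation and Weight and the memory allocation; a VM left at the defaults (100% limit, 0 reservation) can starve its neighbours. As an added example (not from the deck), this PowerShell, assumed to run elevated on a Windows Server 2008 R2 host, reports those settings for every VM and flags the uncapped ones; the WMI class and association names are those of the v1 root\virtualization namespace as the example's author understands them.

```powershell
# Added example, not part of the deck: report each VM's processor and memory
# controls so that machines with no cap (Limit = 100%) and no guarantee
# (Reservation = 0) are visible. Uses the Windows Server 2008 R2 Hyper-V WMI
# provider (root\virtualization); assumes it runs elevated on the host. Class
# and association names are those of the v1 namespace as the author of this
# example understands them.

function Get-VMResourceControls {
    $ns = 'root\virtualization'
    # Caption separates VMs from the parent partition ("Hosting Computer System").
    $vms = Get-WmiObject -Namespace $ns -Class Msvm_ComputerSystem -Filter "Caption='Virtual Machine'"
    foreach ($vm in @($vms)) {
        # Active (non-snapshot) settings object for this VM.
        $vssd = Get-WmiObject -Namespace $ns -Query ("ASSOCIATORS OF {$($vm.__PATH)} " +
                "WHERE AssocClass=Msvm_SettingsDefineState ResultClass=Msvm_VirtualSystemSettingData")
        $cpu = Get-WmiObject -Namespace $ns -Query ("ASSOCIATORS OF {$($vssd.__PATH)} " +
               "WHERE AssocClass=Msvm_VirtualSystemSettingDataComponent ResultClass=Msvm_ProcessorSettingData")
        $mem = Get-WmiObject -Namespace $ns -Query ("ASSOCIATORS OF {$($vssd.__PATH)} " +
               "WHERE AssocClass=Msvm_VirtualSystemSettingDataComponent ResultClass=Msvm_MemorySettingData")

        # Processor Limit and Reservation are in thousandths of a percent: 100000 = 100%.
        $cpuLimitPct = [int]($cpu.Limit / 1000)
        $cpuResPct   = [int]($cpu.Reservation / 1000)
        $flags = @()
        if ($cpuLimitPct -ge 100 -and $cpuResPct -eq 0) { $flags += 'CPU: no cap, no guarantee' }

        New-Object PSObject -Property @{
            VM            = $vm.ElementName
            vCPUs         = $cpu.VirtualQuantity
            CpuLimitPct   = $cpuLimitPct
            CpuReservePct = $cpuResPct
            CpuWeight     = $cpu.Weight          # relative share when contended, default 100
            MemoryMB      = $mem.VirtualQuantity
            Flags         = ($flags -join '; ')
        }
    }
}

Get-VMResourceControls |
    Format-Table VM, vCPUs, CpuLimitPct, CpuReservePct, CpuWeight, MemoryMB, Flags -AutoSize
```

Set a limit or reservation for each flagged VM in the Hyper-V Manager processor settings, which writes the same Limit and Reservation fields read here.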


Boot Sequence


Processor Protection


Memory Protection


MAC Address Range


Securing Virtual Machine

• Secure your virtual machine the way you secure your physical server
 –  Apply the latest service pack & hotfixes
 –  Remove unnecessary applications
 –  Disable unnecessary services
 –  Enable strong password policy
 –  Enable audit trails
 –  Install antivirus software
 –  Don’t use your server for web browsing
 –  Use a vulnerability scanner to perform security assessment on a regular basis
• Use Microsoft Security Guides as your baseline policy; modify the policy according to your Corporate IT Security policy


Implementing Security Policy


Microsoft Security Compliance Manager

• Enforce Security Policy through Active Directory Group Policy
• Configure Security Policy on stand-alone machines
• Updated Security Guides
• Compare Policy against Industry Best Practices


Demo #3: Security Compliance Manager


Active Directory Design for Multi-Tenancy

• Group Policy enforcement based on server roles
• Enforce through respective OUs


Questions

1) What tool to implement Role Based Access Control on Hyper-V?
2) What tool to compare security policy against industry Best Practices?


Take Away

• Apply security hotfixes regularly
• Reduce the attack surface on the Hyper-V host by not installing unnecessary applications and services
• Use Least Privilege Access
• Enable Audit Trails
• Secure VM hard disks and configuration files, including backups and archives
• Use virtual networks, VLANs, IPSec to isolate machines
• Take advantage of backups, snapshots, and redundancy to reduce the impact of host/guest maintenance
• Perform vulnerability assessment on a regular basis

Remember: Security is a Journey, NOT a one-off exercise!


Resources

• My Blog: http://Kevin.RefineNetworks.com
• Facebook: MVUG and MVUGv2 (Malaysia Virtualization User Group)
• Windows Server 2008 Security Guide: http://go.microsoft.com/fwlink/?LinkId=134200
• Windows BitLocker Drive Encryption Design and Deployment Guides: http://go.microsoft.com/fwlink/?LinkId=134201
• Server Core Installation Option of Windows Server 2008 Step-By-Step Guide: http://go.microsoft.com/fwlink/?LinkId=134202
• Microsoft Security Compliance Manager: http://www.microsoft.com/download/en/details.aspx?id=16776


Thank You

Q&A