Security Solutions Microsoft Virtualization Solutions Marketing 2009.


Transcript of Security Solutions Microsoft Virtualization Solutions Marketing 2009.

Page 1: Title slide

Security Solutions
Microsoft Virtualization Solutions Marketing
2009

Page 2: Microsoft Virtualization Solution Scenarios

Business Solution Scenarios: Business Critical Applications; Branch Infrastructure; Small and Mid-Sized Business (SMB); Business Continuity; IT Consolidation; Lab Automation and Stage Management

Horizontal Solution Scenarios: Security; Storage; System Management; Hosting/Cloud Computing; Networking; Centralized Desktop

Core Platform Capability Scenarios: VHD Container

Page 3: Security Solution Overview

Page 4: What is Security Virtualization?

Security virtualization refers to the following virtualized security mechanisms:

Security Solutions Specific to Virtual Systems: Secure Platform (Hypervisor, Server Core); Offline VM; Inter VM Communication; Introspection; Centralized Desktop Security

Security Solutions for Physical and Virtual Systems: Systems Management (Patching/Configuration, Policy/Compliance); Online Anti-Virus; Authentication & Authorization

1. Platform components of the virtualization stack (hypervisor, the root and child partitions) are configured optimally and have all mechanisms in place to proactively detect and mitigate security threats
2. Authentication and authorization management is in place along with role-based access control
3. Security solutions, such as anti-virus and patch updates, are in place in online and offline VMs to mitigate threats
4. Additional security mechanisms, like introspection, are available for forensic analysis and auditing

Page 5: Security Challenges in Virtualization

Scenarios in Virtualization: Capital and operational cost savings; Flexibility and cost savings; IT responsiveness; Consolidation of Server Hardware; Collapse of Switches and Servers into One Device; Faster Deployment

(Diagram: several Apps/OS stacks consolidated onto one device.)

Associated Security Challenges:
Challenge 1: Higher impact of attack and increased surface area for attack
Challenge 2: No separation-by-default of administration and elevated risk of misconfiguration
Challenge 3: Lack of adequate planning and incomplete knowledge of current state of infrastructure

Page 6: Security Challenges in Virtualization (continued)

Scenarios in Virtualization: Ease of business continuity and ability to impose restrictions on systems; Improved service levels; Mobility; Encapsulation

(Diagram: encapsulated Apps/OS stacks moving between hosts.)

Associated Security Challenges:
Challenge 4: Additional efforts to manage offline systems
Challenge 5: Identity divorced from physical location, and security policies need to move with the virtual machine

Page 7: Risk Mitigation Strategy in Virtualization

Security Challenge and Solution:

Challenge 1 (Higher impact of attack; increased surface area for attack): Isolate, non-interference between VMs; secure the Microsoft Hyper-V hypervisor and the root partition

Challenge 2 (No separation-by-default of administration; elevated risk of misconfiguration): Use tools that provide separation-of-duties; strong change controls and meticulous log and event monitoring

Challenge 3 (Lack of adequate planning; incomplete knowledge of current state of infrastructure): Centralized security management: patch and configuration management, policy and compliance management, anti-virus scan, etc.

Challenge 4 (Additional efforts to manage offline systems): Use anti-virus and patching tools that can update an offline machine

Challenge 5 (Identity divorced from physical location; security policies need to move with the virtual machine): Migrate security policies along with the virtual machine; security solutions must be virtualization aware and must work after migration

Page 8: Microsoft Virtualization Security Management

Page 9: Microsoft Virtualization Solutions: not just a product, but an end-to-end offering

• Microsoft Products and Technologies
• Microsoft Partner Hardware, Software, and Services
• Joint Reference Architecture and Deployment Resources

Page 10: Microsoft + Partner Virtualization Security Strategy and Ecosystem

Microsoft offers a fully integrated approach for virtualization security:
• Protects both virtual and physical environments with optimal ROI
• Provides an ecosystem of security solutions partners for comprehensive coverage

Security Solutions Specific to Virtual Systems (Secure Platform: Hypervisor, Server Core; Offline VM; Inter VM Communication; Introspection; Centralized Desktop Security): Microsoft Offline Virtual Machine Security Tool; partners McAfee, Symantec, Altor Networks

Security Solutions for Physical & Virtual Systems (Systems Management: Patching/Configuration, Policy/Compliance; Online Anti-Virus; Authentication & Authorization): partners McAfee, Symantec

Page 11: Secure Platform: Microsoft + Partner Solutions

Secure Platform (Hypervisor, Server Core): a secure computing platform across both physical and virtual environments. Next-generation architecture: Microsoft Windows Server 2008 Hyper-V is designed for security.

Challenge 1: Higher impact of attack; increased surface area for attack

• Micro-kernel: isolation and non-interference between VMs with a secure micro-kernel architecture
• Defense with Hyper-V: reduced risk of attack through the secure architecture

Tabs: Secure Platform | Security Solutions for Physical/Virtual System | Virtualization Specific Security

Page 12: Hypervisor: Micro-kernel vs. Monolithic

Virtualization = Hypervisor + Drivers + Virtualized Software Stack + Management Interface

Windows Server 2008 Hyper-V uses a micro-kernel hypervisor because it delivers additional security benefits:

Micro-kernel Hypervisor (Hardware; Hypervisor; VM 1 "Root" holding the virtualization stack and drivers; VM 2 "Guest"; VM 3 "Guest")
• Only partitions memory and CPU
• Increases reliability and minimizes the trusted computing base
• No third-party code in the hypervisor
• Drivers run within guests (the root partition), not in the hypervisor

Monolithic Hypervisor (Hardware; Hypervisor including drivers; VM 1 (Admin); VM 2; VM 3)
• Includes all virtualization components, including drivers
• Runs all code in the most privileged part of the processor
• Patching more likely given the amount of included code

Page 13: Comprehensive Defense from Risk of Attack

Main Targets of Attack and Secure Microsoft Hyper-V Solutions:
1. Virtual machines running on the same box: strong isolation between partitions
2. Hypervisor: separation of components by privilege
3. VSPs through the VSC-VSP communication path (Virtualization Service Providers in the root partition, reached by Virtualization Service Clients in guests over VMBus): validation and protection from untrusted requests
4. VM worker process: separation between VM worker processes (one per virtual machine)

Hyper-V provides a secure architecture:
• Separation of components by privilege and process
• Micro-kernel hypervisor with very small surface area
• Server Core: lock down the root partition and minimize its size
• Guest-to-guest isolation mitigates risks from malware

Page 14: Security Solutions for Physical and Virtual Systems (Microsoft + Partner Solutions)

Challenge 2: No separation-by-default of administration and elevated risk of misconfiguration
Challenge 3: Lack of adequate planning; incomplete knowledge of current state of infrastructure

Risk mitigation from unauthorized access and misconfiguration: defense-in-depth combining Windows Server 2008 security features with protection tools (partners: McAfee, Symantec)

• Authentication: single identity store to authenticate users
• Authorization: separation of duties through role-based authorization
• Accounting/Auditing: log all administrative activity
• VM Protection: anti-virus protection
• Patch & Configuration, Policy & Compliance

Security Solutions for Physical & Virtual Systems: Authentication; Authorization; Systems Management (Patching / Configuration; Policy / Compliance); Online Anti-Virus

Page 15: Integrated User Authentication

All Microsoft solutions for virtualization provide a single identity store to authenticate users with Microsoft Active Directory across physical and virtual systems.

(Diagram: Virtualization layers Hyper-V (Hardware), Terminal Services (Presentation), Microsoft App. Virt. (Application); Network Access Protection; Server and Domain Isolation; Forefront Security Solutions; System Center Virtual Machine Manager; Identity Lifecycle Manager 2007; all built on Active Directory.)

Active Directory
o Single identity store to authenticate users
o Support across physical and virtual systems

Microsoft Identity Lifecycle Manager 2007
o Easy user provisioning reduces high costs and risks associated with manual provisioning
o Identity synchronization
o Simplified management of new security initiatives

Page 16: Authorization: Separation of duties with Microsoft Authorization Manager

Microsoft Authorization Manager (AzMan) is part of Windows Server and provides role-based access control to give separation of duties in a virtualized environment.

• Enhance security by granting role-based access for physical and virtual systems
• Improve administration through Active Directory and Hyper-V
• Reduce the risk of misconfiguration
• Save time by delegating authority over virtual machines without giving the delegated administrator authority over the entire system

Caveat for readers of this 2009 deck: Hyper-V reads its AzMan policy from an XML store (InitialStore.xml under the Hyper-V ProgramData folder by default), and Hyper-V dropped AzMan support from Windows Server 2012 R2 onward in favor of the built-in Hyper-V Administrators group, so the delegation model described here applies to the 2008-era product.

Page 17: Solutions for Online Virtual Machine Protection (Microsoft + Partner Solutions)

Anti-Virus Online
• Anti-virus protection for online VMs
• Blocks and removes viruses

Anti-Spyware Protection
• Protection from unwanted programs
• Programs are identified and stopped before they install

Host Intrusion Prevention
• Host intrusion prevention for server monitors

Partner Products: Total Protection Service; Endpoint Protection

Page 18: Solutions for Online Virtual Machine Protection (continued)

Integrated defense-in-depth security for online VM anti-virus:
• Integration with Microsoft applications and infrastructure to protect physical/virtual assets
• Line-of-business security products for protecting clients and server applications

Client & Server OS / Server Applications:
• Real-time protection from viruses and spyware
• Simplified administration through integration with Active Directory and other Microsoft infrastructure
• Real-time reporting on both threats and vulnerabilities impacting the environment
• Integration of multiple antivirus scan engines from industry-leading security firms
• Comprehensive application-specific protection: messaging and collaboration

Page 19: Systems Management for Online Virtual Machines

Patching / Configuration: site role changes; Microsoft Windows deployment; software distribution; software update management; desired configuration management; asset intelligence; device management
Microsoft Windows Update Manager

Policy / Compliance:
• Baseline of IT controls for Microsoft platform offerings
• Support IT compliance frameworks: COBIT, ISO 17799
• Reduce the complexity of monitoring configuration changes and the problems associated with configuration drift
• Planned Desired Configuration Management (DCM) Compliance Packs: GLBA, HIPAA, SOX, EUDPD, FISMA, others

Page 20: Security Solutions Specific to Virtual Systems (Microsoft + Partner Solutions)

Challenge 4: Additional efforts to manage offline systems
Challenge 5: Identity divorced from physical location; security policies need to move with the virtual machine

Microsoft + Partner Solutions for Mitigating Security Challenges (partners: McAfee, Symantec, Altor Networks):
• Offline VM Patch Management: automate patching on offline VMs
• Protection Solution for Offline VM
• Virtual Machine Policy Migration: TBD
• Inter VM Communication/Introspection
• Solutions for offline protection of virtual machines with patches and security scans
• Enterprise-wide view of virtual assets for planning and compliance

Security Solutions Specific to Virtual Systems: Offline VM; Inter VM Communication; Introspection; Centralized Desktop Security

Page 21: Offline VM Patch Management

The Microsoft Offline Virtual Machine Servicing Tool is a freely available solution:
• Automates applying patches to virtual machines while they are offline
• Integrated with Microsoft System Center Virtual Machine Manager (VMM) 2008 and Microsoft Configuration Manager 2007

(Diagram: the Offline VM Servicing Tool takes VMs from the VMM Library (VMM 2008) to Maintenance Hosts on a Maintenance Network, where Configuration Manager 2007 or WSUS applies the updates.)

Automate servicing of dormant VMs:
o Apply service patches to the OS
o Apply service patches to applications (future)
o True-up configuration (future)

Integrate with System Center products:
o Virtual Machine Manager 2008
o Configuration Manager 2007
o Windows Server Update Services

Page 22: Protection Solutions for Offline VMs (Microsoft + Partner Solutions)

Anti-Virus for Offline VMs
• Anti-virus protection for offline VMs
• Offline images do not need to be brought online for protection

Anti-Spyware Protection for Offline VMs
• Protection from unwanted programs
• Programs are identified and stopped before they install

Host Intrusion Prevention for Offline VMs
• Host intrusion prevention for server monitors

Partner Products: Total Protection Service; Endpoint Protection

Page 23: Inter VM Communication/Introspection

Inter VM Communication

Microsoft does not support inter VM communication:
o Extending the hypervisor with such a channel adds attack surface, so there is a potential risk of attack
o Third parties who share the extended interface become a source of vulnerability

Introspection

Scanning is based on snapshots in a documented file format. Virtualization deployments can be protected and enhanced as introspection capabilities emerge in virtualization platforms.

Microsoft offers introspection by providing ISVs with a file format for the Hyper-V scanning snapshot file.

Additional virtualization security options
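As an added example (not from the deck, and not the ISV scanning interface the slide refers to), the following Python parses the footer of a Hyper-V VHD image, the public container format that the offline anti-virus and servicing tools on the preceding pages operate on, and flags the cases in which scanning the disk file by itself is not enough: a differencing disk whose content depends on a parent, a saved-state VM whose memory and device state live outside the VHD, and a footer whose checksum no longer matches. The footer layout and checksum rule follow the published VHD Image Format Specification; the sample footer is constructed in memory, and the finding names are this example's own.

```python
"""Offline inspection of a Hyper-V VHD image: parse the 512-byte footer,
verify its checksum and flag conditions that make a disk-only scan incomplete.
Constructed example; layout follows the public VHD Image Format Specification."""
import struct
import uuid

VHD_COOKIE = b"conectix"
FOOTER_SIZE = 512
CHECKSUM_OFFSET = 64
# Big-endian fields from the cookie through the saved-state byte (85 bytes);
# the remaining 427 bytes of the footer are reserved and zero.
FOOTER_FMT = ">8sIIQI4sI4sQQHBBII16sB"
NO_DATA_OFFSET = 0xFFFFFFFFFFFFFFFF  # fixed disks have no dynamic header
DISK_TYPES = {0: "none", 2: "fixed", 3: "dynamic", 4: "differencing"}


def vhd_checksum(footer: bytes) -> int:
    """One's complement of the byte sum of the footer with the checksum field zeroed."""
    total = sum(footer[:CHECKSUM_OFFSET]) + sum(footer[CHECKSUM_OFFSET + 4:])
    return (~total) & 0xFFFFFFFF


def parse_vhd_footer(footer: bytes) -> dict:
    """Decode the fields an offline scanner needs before it touches the disk data."""
    if len(footer) != FOOTER_SIZE:
        raise ValueError("VHD footer must be exactly 512 bytes")
    fields = struct.unpack(FOOTER_FMT, footer[:struct.calcsize(FOOTER_FMT)])
    (cookie, _features, _version, data_offset, _timestamp, creator_app, _creator_ver,
     _creator_os, _original_size, current_size, _cyl, _heads, _spt, disk_type,
     checksum, unique_id, saved_state) = fields
    if cookie != VHD_COOKIE:
        raise ValueError("not a VHD footer (cookie mismatch)")
    return {
        "disk_type": DISK_TYPES.get(disk_type, "unknown(%d)" % disk_type),
        "checksum_ok": checksum == vhd_checksum(footer),
        "current_size": current_size,
        "saved_state": bool(saved_state),
        "unique_id": str(uuid.UUID(bytes=unique_id)),
        "dynamic_header_offset": None if data_offset == NO_DATA_OFFSET else data_offset,
        "creator_app": creator_app.rstrip(b"\x00 ").decode("ascii", "replace"),
    }


def triage_vhd(info: dict) -> list:
    """Conditions under which scanning this VHD file alone is not enough (names are ours)."""
    findings = []
    if not info["checksum_ok"]:
        findings.append("CHECKSUM_MISMATCH")       # corrupt, or edited outside the tool chain
    if info["saved_state"]:
        findings.append("SAVED_STATE")             # memory/device state is in the .vsv/.bin files
    if info["disk_type"] == "differencing":
        findings.append("PARENT_CHAIN_REQUIRED")   # visible content depends on the parent VHD(s)
    if info["disk_type"] in ("dynamic", "differencing") and info["dynamic_header_offset"] is None:
        findings.append("MISSING_DYNAMIC_HEADER")  # sparse disk without a header offset is malformed
    return findings


def read_vhd_footer(path: str) -> bytes:
    """The footer is the last 512 bytes of the file (sparse disks also keep a copy at offset 0)."""
    with open(path, "rb") as fh:
        fh.seek(-FOOTER_SIZE, 2)
        return fh.read(FOOTER_SIZE)


def build_vhd_footer(disk_type: int, current_size: int, saved_state: int = 0,
                     data_offset: int = NO_DATA_OFFSET, unique_id: bytes = b"\x00" * 16) -> bytes:
    """Construct a valid footer in memory (test fixture; not produced by Hyper-V)."""
    body = struct.pack(FOOTER_FMT, VHD_COOKIE, 2, 0x00010000, data_offset, 0, b"win ",
                       0x00060001, b"Wi2k", current_size, current_size, 0, 0, 0,
                       disk_type, 0, unique_id, saved_state)
    footer = bytearray(body + b"\x00" * (FOOTER_SIZE - len(body)))
    struct.pack_into(">I", footer, CHECKSUM_OFFSET, vhd_checksum(bytes(footer)))
    return bytes(footer)


if __name__ == "__main__":
    # A constructed differencing disk, saved state attached, dynamic header right after the copy at offset 0.
    sample = build_vhd_footer(4, 20 * 1024 ** 3, saved_state=1, data_offset=512)
    info = parse_vhd_footer(sample)
    print(info["disk_type"], info["checksum_ok"], triage_vhd(info))
```

The checksum is a corruption check, not an integrity control: anyone who can edit the file can recompute it, so an offline scanner should treat a mismatch as "do not trust this image" but must not treat a match as proof the image is authentic. For dynamic and differencing disks the dynamic header (including the parent locators) sits at dynamic_header_offset, which is where a scanner has to go next to resolve the parent chain before it can see the guest's real file system.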

Page 24: Comparison: Virtualization Security (Microsoft vs. VMware)

Secure Platform

Hypervisor architecture
Microsoft: micro-kernel, minimal attack surface; root lockdown (WS08 Server Core); architecture SDL tested
VMware: monolithic, increases attack surface; runs all code (custom OS, drivers, extensible code) in the most privileged part of the processor

Ease of updating & management
Microsoft: micro-kernel hypervisor easy to replace; use all existing management tools and device drivers
VMware: monolithic likely requires patching; need to learn new tools; only use drivers that ship with the hypervisor

Comprehensive virtual solution
Microsoft: yes, hardware, presentation, and application
VMware: no, only hardware virtualization

Security Solutions for Physical and Virtual Systems

Common identity platform
Microsoft: yes, Active Directory for physical and virtual IT
VMware: no, requires a separate identity store

Infrastructure solutions
Microsoft: Forefront, System Center, Identity Lifecycle Manager
VMware: management only

Readily enables security ecosystem?
Microsoft: yes, add VHD context to current AV products; broad Windows security ecosystem
VMware: yes, to a degree; first set of APIs (VMsafe); requires more AV software adjustments

Security Solutions Specific to Virtual

Complementary technologies
Microsoft: NAP, Server & Domain Isolation (WS08); Offline VM Servicing Kit
VMware: acquired Determina for HIPS

Page 25: Virtualization Security Solution Evidence

Customer: Rijksmuseum Amsterdam
Company Size:
Industry: Education – Museums
Country: The Netherlands
Profile: The Rijksmuseum Amsterdam is a museum in The Netherlands. Established in 1800, the museum's collection includes paintings by Rembrandt, Vermeer, and other Dutch masters.

Benefits:
• Strengthens security
• Improves management and flexibility
• Enables growth

"Implementing Windows Server 2008 with Network Access Protection will improve my peace of mind. I will be more confident that only managed clients can get access to corporate network resources."

Paul van Kooten, Network Manager, Rijksmuseum Amsterdam

Page 26: Next Steps to Enhance Business with Microsoft Virtualization

Product Resources
o Microsoft Windows Server 2008 Hyper-V: http://www.microsoft.com/windowsserver2008/en/us/hyperv.aspx
o Microsoft System Center: http://www.microsoft.com/systemcenter/en/us/default.aspx

Virtualization Assessment and Planning
o ROI Calculator: https://roianalyst.alinean.com/msft/AutoLogin.do?d=307025591178580657
o Microsoft Assessment and Planning (MAP) Tool: http://technet.microsoft.com/en-us/library/bb977556.aspx

Microsoft Virtualization Solutions
o Microsoft Virtualization Solutions: http://www.microsoft.com/virtualization/solutions
o Microsoft Virtualization Solution Partners: http://www.microsoft.com/virtualization/partners

Page 27: Appendix

Page 28: Best Practice to Secure Windows Server Hyper-V and Root Partition

Microsoft Hyper-V provides increased security when these best practices are followed.

• Enable NX and virtualization in BIOS
• Networking
o Virtual switches
o VLANs
o Dedicated NIC for the root partition
• Storage
o BitLocker
o Storage CDB filtering
• Device lockdown
• Deployment considerations
• Patching the hypervisor
o Windows Update
• Minimize risk to the root partition
o Utilize Server Core
o Do not run arbitrary applications, no web surfing
o Run your applications and services in guests
o Use Authorization Manager (AzMan) to reduce administrative privilege
o Connect the root partition to the back-end management network
o Only expose guests to internet traffic

Page 29: Authentication: Easy User Provisioning

Identity Lifecycle Manager 2007 provides a single view of a user's identity across heterogeneous enterprises and enables the automation of common tasks.

• Easy user provisioning reduces high costs and risks associated with manual provisioning
• Simplify management of new security initiatives
• Reduce help desk costs for simple tasks like password resets

Microsoft Identity Lifecycle Manager "2" can run on Hyper-V and enables you to manage identities across both virtual and physical environments.

(Diagram: Identity Synchronization across Active Directory, Mainframe Systems, HR System, and Email System; Full Certificate and Smart Card Lifecycle Management.)