Hyper-V Security

Microsoft IT Camps - Virtualization

Hyper-V Security Overview

Microsoft Hyper-V was designed to minimize the attack surface on the virtual environment The hypervisor itself is isolated to a microkernel, independent of third-party drivers Host portions of the Hyper-V activities are isolated in a parent partition, separate from each guest The parent partition itself is a virtual machine Each guest virtual machine operates in its own child partition Use Server Core installation of Windows Server 2008 R2 for host computers

Security Best Practices - Host

Apply standard security policies to both host computers and VMs Secure VHDs and snapshots files Use BitLocker Drive Encryption to protect resources Define networks or VLANs to isolate traffic Leverage firewalls, anti-virus and intrusion protection as appropriate Firewall rules configured during Hyper-V role installation or when adding a host via VMM Consider using domain isolation with IP Security (IPSec) for both hosts and guests Secure the communications between the Hyper-V server and its administrators and users

Security Best Practices - Guest

Only add required hardware to VM Harden the OS in the VMs using security compliance toolkits Install the latest Integration Services Do not give VM administrators permissions on the management operating system Keep VMs patched
Remember VMs that are offline or templates

Role Based Security

Membership
Determines which users are part of a particular user role Members may be individual users or groups Members maybe in multiple user roles including user roles based on different profiles
Membership

Profile
Which actions are permitted Which user interface is accessible How the scope is defined

Profile

Scope

Scope
On which objects a user may take actions
Host groups, Library Servers, VMs
User Role

Role Types
Administrator
Full access to all actions and all objects Use Admin console or PowerShell interface

Delegated Administrator
Full access to most actions Scope can be limited by host groups and Library servers Can use the Admin console or PowerShell interface

Self-Service User
Limited access to a subset of actions Scope can be limited by host groups and Library share Can use the Self-Service Portal or PowerShell interface Can apply quotas, such as on the number of VMs

Authorization Manager (AzMan)

Allows Role Based Access Control (RBAC) and the delegation of access to Hyper-V
Role based access for Hyper-V enables auditing for actions performed

AzMan needs an Authorization Policy Data Store to define access to Roles, Tasks & Groups
Hyper-V xml file InitialStore.xml for defining access rights

Advanced security auditing policies available under the Group Policy Object Editor

Authorization Policy
Create Task Definitions Select operations for those tasks Authorize Roles to be able to perform those tasks Actions
Operation - Some action the user can perform Task - Grouping of operations Role - A job, position or responsibility
The only default Role that is pre-defined is Administrator

Scope - Define which objects are owned by which roles

Takeaways
Hyper-V was designed to be secure Apply standard security policies to both host computers and VMs Consider role based security to isolate access Use Authorization Manager to specify operations, tasks, roles and scope