Understanding AzMan In Hyper-V
  • 1. Understanding AzMan in Hyper-V
    Lai YoongSeng
    MVP: Virtual Machine www.ms4u.info
    Technical Consultant, Redynamics
  • 2. Agenda
    Who is AzMan?
    How AzMan Works?
    Configure AzMan
    Why use AzMan?
    Auditing
    Troubleshooting
  • 3. Who is AzMan?
    Not who but "What is AzMan?"
    AzMan is also known as "Authorization Manager"
    It is a GUI (the Azman.msc snap-in) for configuring security in Hyper-V
    It uses Role-Based Access Control (RBAC)
  • 4. How AzMan Works?
    Access to resources is based on Role Definitions, not on Access Control Lists (ACLs)
    Roles are built from a list of Tasks that are grouped in a Role Definition. The Role Definition is then associated with a Role Assignment, which names the users or groups that hold the role
    Only one default role is defined in Hyper-V:- Administrator
    The built-in local Administrators group is automatically added to the Administrator Role Assignment
  • 5. Access AzMan
    To access it:
    Start | Run | type Azman.msc
    Azman.msc is the primary method for defining and managing permissions for Hyper-V
    Open the authorization store
  • 6. Configure AzMan
    Note: back up InitialStore.xml before modifying it
    Configure a Role Assignment
    Add a non-administrator with full permission on the Hyper-V server
  • 7. Configure AzMan
    Create a Task. A task is a grouping of operations. Example: a "Control VM" task to which the Start, Stop and Restart VM operations are assigned.
  • 8. Configure AzMan
    Create a Role Definition to limit the operations allowed on the Hyper-V server. Example: an "Operator" role that is assigned the Control VM task.
  • 9. Configure AzMan
    Create a new Role Assignment to assign users to the tasks or operations of a role
  • 10. Configure AzMan
    demo
  • 11. Why use AzMan?
    More secure: it limits the operations that can be performed on Hyper-V hosts
    Secure either the entire Hyper-V host or individual Virtual Machines
    Note:-
  • 12. Secure by Virtual Machine
    Step 1: Create a Scope
    Step 2: Create a Role
    Step 3: Assign the Role within the Scope
    Step 4: Create a new VM
    Step 5: Set the scope of the VM by using the 4 scripts below – contributed by Tony Super
    GUI? Sorry, no GUI.
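    The following Python model is an added illustration of the authorization rules slides 4, 7-9 and 12 describe; it is not code from the deck or from Microsoft. Operations are grouped into tasks, tasks into role definitions, a role assignment binds a role definition to members, and an assignment made inside an AzMan scope only covers VMs whose ScopeOfResidence is that scope, while application-level assignments cover every VM. The group names, scope name and VM names are constructed; the three operation names are Hyper-V operations referred to in the deck, and the real Administrator role holds every Hyper-V operation rather than the three listed here.

```python
"""Model of how a Hyper-V AzMan store decides an access request (added illustration)."""
from dataclasses import dataclass, field

ROOT = ""  # application level; a VM with an empty ScopeOfResidence is covered only here


@dataclass(frozen=True)
class Task:
    name: str
    operations: frozenset


@dataclass(frozen=True)
class RoleDefinition:
    name: str
    tasks: tuple

    def operations(self) -> frozenset:
        """Union of every operation reachable through the role's tasks."""
        return frozenset().union(*(t.operations for t in self.tasks))


@dataclass
class RoleAssignment:
    role: RoleDefinition
    members: frozenset      # user/group names (SIDs in a real store)
    scope: str = ROOT       # "" = application level, otherwise an AzMan scope name


@dataclass
class AuthorizationStore:
    assignments: list = field(default_factory=list)

    def applicable(self, principal_groups, vm_scope):
        """Assignments that apply to this principal for a VM living in vm_scope:
        root-level ones always, scope-level ones only for that scope."""
        return [a for a in self.assignments
                if a.scope in (ROOT, vm_scope) and a.members & principal_groups]

    def effective_operations(self, principal_groups, vm_scope):
        ops = frozenset()
        for a in self.applicable(principal_groups, vm_scope):
            ops |= a.role.operations()
        return ops

    def is_allowed(self, principal_groups, operation, vm_scope):
        return operation in self.effective_operations(principal_groups, vm_scope)


# --- constructed store mirroring the deck's walkthrough ------------------------
ALL_OPS = frozenset({"Start Virtual Machine", "Stop Virtual Machine",
                     "Create Virtual Machine"})  # subset; the real role holds every operation
CONTROL_VM = Task("Control VM", frozenset({"Start Virtual Machine", "Stop Virtual Machine"}))
ADMIN_ROLE = RoleDefinition("Administrator", (Task("All operations", ALL_OPS),))
OPERATOR_ROLE = RoleDefinition("Operator", (CONTROL_VM,))

STORE = AuthorizationStore([
    # Hyper-V's only default assignment: local Administrators group, application level
    RoleAssignment(ADMIN_ROLE, frozenset({"BUILTIN\\Administrators"})),
    # added per slides 7-9 and 12: Operator role granted only inside the "Finance VMs" scope
    RoleAssignment(OPERATOR_ROLE, frozenset({"CONTOSO\\Finance-Operators"}),
                   scope="Finance VMs"),
])

# constructed VMs; the value is each VM's ScopeOfResidence (script #2 lists the real ones)
VM_SCOPE = {"fin-web01": "Finance VMs", "hr-db01": ROOT}


def check(principal_groups, operation, vm_name, store=STORE):
    """Return (allowed, reason) in the shape an audit line would need."""
    scope = VM_SCOPE[vm_name]
    groups = frozenset(principal_groups)
    allowed = store.is_allowed(groups, operation, scope)
    via = [a.role.name for a in store.applicable(groups, scope)]
    return allowed, f"{operation} on {vm_name} (scope {scope!r}) via roles {via or 'none'}"


if __name__ == "__main__":
    for groups, op, vm in [({"BUILTIN\\Administrators"}, "Create Virtual Machine", "hr-db01"),
                           ({"CONTOSO\\Finance-Operators"}, "Start Virtual Machine", "fin-web01"),
                           ({"CONTOSO\\Finance-Operators"}, "Create Virtual Machine", "fin-web01"),
                           ({"CONTOSO\\Finance-Operators"}, "Start Virtual Machine", "hr-db01")]:
        print(check(groups, op, vm))
```

    The last two checks are the point of scoping: the Finance operators can start a VM that lives in their scope but cannot create VMs there, and they get nothing at all on a VM whose ScopeOfResidence is empty, because only root-level assignments reach it. That is also why script #3 (clearing every VM's scope) widens nobody's access but narrows the scoped operators' to nothing.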
  • 13. Script #1: CreateVMInScope.vbs
    Option Explicit
    Dim WMIService
    Dim VMManagementService
    Dim VMName
    Dim VMScope
    Dim VMSystemGlobalSettingData
    Dim Result
    Dim inParameters
    VMName = InputBox("Specify the name for the new virtual machine:")
    VMScope = InputBox("Specify the scope to be used for the new virtual machine:")
    'Get an instance of the WMI Service in the virtualization namespace.
    Set WMIService = GetObject("winmgmts:\\.\root\virtualization")
    'Get a VMManagementService object
    Set VMManagementService = WMIService.ExecQuery("SELECT * FROM Msvm_VirtualSystemManagementService").ItemIndex(0)
    'Initialize the global settings for the VM
    Set VMSystemGlobalSettingData = WMIService.Get("Msvm_VirtualSystemGlobalSettingData").SpawnInstance_()
    'Set the name and scope (ScopeOfResidence is the AzMan scope the VM will be authorized in)
    VMSystemGlobalSettingData.ElementName = VMName
    VMSystemGlobalSettingData.ScopeOfResidence = VMScope
    'Create the VM
    Result = VMManagementService.DefineVirtualSystem(VMSystemGlobalSettingData.GetText_(1))
  • 14. Script #2: DisplayVMScopes.vbs
    Option Explicit
    Dim WMIService
    Dim VMList
    Dim VM
    Dim VMSystemGlobalSettingData
    Dim Message
    'Set up the start of the message string
    Message = "Virtual Machines and their scope of residence" & chr(10) _
        & "========================================"
    'Get an instance of the 'virtualization' WMI service on the local computer
    Set WMIService = GetObject("winmgmts:\\.\root\virtualization")
    'Get all the Msvm_ComputerSystem objects (the host itself is one of them)
    Set VMList = WMIService.ExecQuery("SELECT * FROM Msvm_ComputerSystem")
    For Each VM In VMList
        'Skip the host: only virtual machines carry a scope of residence
        If VM.Caption = "Virtual Machine" Then
            Set VMSystemGlobalSettingData = (VM.Associators_("MSVM_ElementSettingData", "Msvm_VirtualSystemGlobalSettingData")).ItemIndex(0)
            Message = Message & chr(10) & "VM: " & VM.ElementName
            Message = Message & chr(10) & "Scope: " & VMSystemGlobalSettingData.ScopeOfResidence
            Message = Message & chr(10)
        End If
    Next
    WScript.Echo Message
  • 15. Script #3: ClearVMScope.vbs
    Option Explicit
    Dim WMIService
    Dim VMList
    Dim VM
    Dim VMSystemGlobalSettingData
    Dim VMManagementService
    Dim Result
    'Get an instance of the 'virtualization' WMI service on the local computer
    Set WMIService = GetObject("winmgmts:\\.\root\virtualization")
    'Get a VMManagementService object
    Set VMManagementService = WMIService.ExecQuery("SELECT * FROM Msvm_VirtualSystemManagementService").ItemIndex(0)
    'Get all the Msvm_ComputerSystem objects
    Set VMList = WMIService.ExecQuery("SELECT * FROM Msvm_ComputerSystem")
    For Each VM In VMList
        'Skip the host; clear the scope of every virtual machine
        If VM.Caption = "Virtual Machine" Then
            Set VMSystemGlobalSettingData = (VM.Associators_("MSVM_ElementSettingData", "Msvm_VirtualSystemGlobalSettingData")).ItemIndex(0)
            VMSystemGlobalSettingData.ScopeOfResidence = ""
            Result = VMManagementService.ModifyVirtualSystem(VM.Path_.Path, VMSystemGlobalSettingData.GetText_(1))
        End If
    Next
  • 16. Script #4: ChangeVMScope.vbs
    Option Explicit
    Dim WMIService
    Dim VM
    Dim VMManagementService
    Dim VMSystemGlobalSettingData
    Dim VMName
    Dim VMScope
    Dim Result
    'Set up variables for the VM we are looking for, and the scope to assign it to
    VMName = InputBox("Specify the virtual machine to change scope on:")
    VMScope = InputBox("Specify the new scope to be used:")
    'Get an instance of the WMI Service in the virtualization namespace.
    Set WMIService = GetObject("winmgmts:\\.\root\virtualization")
    'Get a VMManagementService object
    Set VMManagementService = WMIService.ExecQuery("SELECT * FROM Msvm_VirtualSystemManagementService").ItemIndex(0)
    'Get the VM object that we want to modify
    Set VM = (WMIService.ExecQuery("SELECT * FROM Msvm_ComputerSystem WHERE ElementName='" & VMName & "'")).ItemIndex(0)
    'Get the Msvm_VirtualSystemGlobalSettingData of the VM we want to modify
    Set VMSystemGlobalSettingData = (VM.Associators_("MSVM_ElementSettingData", "Msvm_VirtualSystemGlobalSettingData")).ItemIndex(0)
    'Change the ScopeOfResidence property
    VMSystemGlobalSettingData.ScopeOfResidence = VMScope
    'Update the VM with ModifyVirtualSystem
    Result = VMManagementService.ModifyVirtualSystem(VM.Path_.Path, VMSystemGlobalSettingData.GetText_(1))
  • 17. Function of Each Script
  • 18. What Happens When the Host Joins a Domain?
    The Domain Admins group gets full permission to create and manage VMs on the host servers.
    The Administrator Role Assignment is set to include Domain Admins
  • 19. What Happens When the Host Is Added to VMM?
    VMM creates its own copy of the store and keeps it in ProgramData\Microsoft\Virtual Machine Manager\HyperVAuthStore.xml
    By default, VMM will:
    VMM Administrators are given full access to the VMs and Hyper-V, including console access to the VMs
    VMM Delegated Administrators have no access to the VMs or Hyper-V
    Self-Service User Role members are given console access to a VM if their User Role has this privilege defined
    This means that any privileges defined in the old AzMan file will be lost once VMM takes control of the host.
    When the Hyper-V host is removed from VMM management, authorization reverts to InitialStore.xml
  • 20. Auditing
    Auditing must be enabled in Authorization Manager (on the store's properties)
  • 21. Auditing
    On a local host: use Local Security Policy | Audit Policy and enable Audit object access.
    In a domain: in the GPO, open Computer Configuration, Windows Settings, Security Settings, Local Policies, Audit Policy, and then double-click Audit directory service access.
  • 22. Troubleshooting AzMan
    Refer to the Event Viewer.
    Open Windows Logs | Security
    Open Applications and Services Logs | Microsoft | Windows
      Hyper-V-VMMS
      Hyper-V-Worker
    More information:- http://technet.microsoft.com/en-us/library/dd581761(WS.10).aspx
  • 23. Event Viewer
  • 24. Summary
    AzMan is Role-Based Access Control (RBAC) for Hyper-V
  • 25. Security in Hyper-V
    Questions & Answers
    Post on the MVUG page @ Facebook
  • Resources
    Understand more about AzMan
    http://technet.microsoft.com/en-us/library/cc726036(WS.10).aspx
    http://blogs.technet.com/b/m2/archive/2009/01/12/azman-permissions-for-vmm-managed-hyper-v-hosts.aspx
    http://blogs.technet.com/b/jhoward/archive/2009/08/31/explaining-the-hyper-v-authorization-model-part-one.aspx
    http://blogs.technet.com/b/jhoward/archive/2009/09/02/explaining-the-hyper-v-authorization-model-part-two.aspx
    http://blogs.technet.com/b/jhoward/archive/2009/09/09/explaining-the-hyper-v-authorization-model-part-three.aspx
    http://blogs.technet.com/b/jhoward/archive/2009/09/18/explaining-the-hyper-v-authorization-model-part-four.aspx
    MVUG (Malaysia Virtualization User Group) – Join us!
    http://www.facebook.com/group.php?gid=216237734803 @ Search "MVUG" in Facebook
    Lai's Blog – Virtualization & System Center related, etc.
    http://www.ms4u.info