Understanding AzMan In Hyper-V

  1. Understanding AzMan in Hyper-V
     Lai YoongSeng
     MVP: Virtual Machine, www.ms4u.info
     Technical Consultant, Redynamics

  2. Agenda
     Who is AzMan?
     How does AzMan work?
     Configure AzMan
     Why use AzMan?
     Auditing
     Troubleshooting

  3. Who is AzMan?
     Not "who" but "what is AzMan?"
     AzMan is also known as "Authorization Manager".
     It is a GUI for configuring security in Hyper-V.
     It uses Role-Based Access Control (RBAC).

  4. How does AzMan work?
     Access to resources is based on Role Definitions, not on Access Control Lists (ACLs).
     A Role Definition is a list of Tasks (groups of operations). The Role Definition is then associated with a Role Assignment, which holds the users and groups that get those rights.
     Only one default role is defined in Hyper-V: Administrator.
     The built-in local Administrators group is automatically added to the Administrator Role Assignment.

  5. Access AzMan
     To access: Start | Run | type azman.msc
     azman.msc is the primary method for defining and managing permissions for Hyper-V.
     Open the Authorization Store.

  6. Configure AzMan
     Note: back up InitialStore.xml before modifying it.
     Configure Role Assignment.
     Example: add a non-administrator user with full permission on the Hyper-V server.

  7. Configure AzMan
     Create Task. A task is a grouping of operations. Example: a "Control VM" task containing the Start, Stop and Restart VM operations.

  8. Configure AzMan
     Create Role Definition, to limit the operations allowed on the Hyper-V server. Example: an "Operator" role definition that is assigned the Control VM task.

  9. Configure AzMan
     Create a new role (Role Assignment), to assign users to the tasks or operations.

 10. Configure AzMan
     Demo
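The following is an added example, not code from the deck or from Microsoft: a small Python resolver that walks the chain slides 4 to 9 describe (Role Assignment, Role Definition, Task, Operation) over a constructed authorization store, both at the application level and inside a scope as used on slide 12. The XML uses the element and attribute names of InitialStore.xml as I recall them (AzApplication, AzOperation, AzTask with RoleDefinition="True", AzRole, AzScope, linked by Guid); that shape, the assumption that application-level role assignments apply in every scope, and all GUIDs and S-1-5-21 SIDs are mine, not the page's.

```python
import xml.etree.ElementTree as ET
from typing import Iterable, Optional, Set

# Constructed sample store (not a real InitialStore.xml).  GUIDs and the
# S-1-5-21-... SIDs are placeholders; S-1-5-32-544 is the well-known SID of
# the built-in Administrators group that Hyper-V puts in the Administrator
# role assignment by default (slide 4).
SAMPLE_STORE = """\
<AzAdminManager MajorVersion="1" MinorVersion="0">
  <AzApplication Guid="app-0001" Name="Hyper-V services">
    <AzOperation Guid="op-read"   Name="Read Service Configuration"/>
    <AzOperation Guid="op-delete" Name="Delete Virtual Machine"/>
    <AzOperation Guid="op-start"  Name="Start Virtual Machine"/>
    <AzOperation Guid="op-stop"   Name="Stop Virtual Machine"/>
    <AzTask Guid="task-control" Name="Control VM">
      <OperationLink>op-start</OperationLink>
      <OperationLink>op-stop</OperationLink>
    </AzTask>
    <AzTask Guid="rdef-admin" Name="Administrator" RoleDefinition="True">
      <OperationLink>op-read</OperationLink>
      <OperationLink>op-delete</OperationLink>
      <TaskLink>task-control</TaskLink>
    </AzTask>
    <AzTask Guid="rdef-operator" Name="Operator" RoleDefinition="True">
      <OperationLink>op-read</OperationLink>
      <TaskLink>task-control</TaskLink>
    </AzTask>
    <AzRole Guid="role-admin" Name="Administrator">
      <TaskLink>rdef-admin</TaskLink>
      <Member>S-1-5-32-544</Member>
    </AzRole>
    <AzScope Guid="scope-fin" Name="Finance">
      <AzRole Guid="role-fin-ops" Name="Operator">
        <TaskLink>rdef-operator</TaskLink>
        <Member>S-1-5-21-1000-2000-3000-1105</Member>
      </AzRole>
    </AzScope>
  </AzApplication>
</AzAdminManager>
"""


def parse_store(xml_text: str) -> dict:
    """Index operations, tasks (role definitions are tasks too) and, per
    scope, the role assignments.  Scope "" is the application level."""
    app = ET.fromstring(xml_text).find("AzApplication")
    ops = {o.get("Guid"): o.get("Name") for o in app.findall("AzOperation")}
    tasks = {t.get("Guid"): {"ops": [e.text for e in t.findall("OperationLink")],
                             "tasks": [e.text for e in t.findall("TaskLink")]}
             for t in app.findall("AzTask")}

    def roles(container):
        return [{"name": r.get("Name"),
                 "tasks": [e.text for e in r.findall("TaskLink")],
                 "members": {m.text for m in r.findall("Member")}}
                for r in container.findall("AzRole")]

    scopes = {"": roles(app)}
    for s in app.findall("AzScope"):
        scopes[s.get("Name")] = roles(s)
    return {"ops": ops, "tasks": tasks, "scopes": scopes}


def flatten_task(store: dict, task_guid: str,
                 seen: Optional[Set[str]] = None) -> Set[str]:
    """Operation names reachable from a task, following nested TaskLinks;
    `seen` keeps a malformed (cyclic) store from recursing forever."""
    seen = set() if seen is None else seen
    if task_guid in seen or task_guid not in store["tasks"]:
        return set()
    seen.add(task_guid)
    task = store["tasks"][task_guid]
    names = {store["ops"][g] for g in task["ops"] if g in store["ops"]}
    for sub in task["tasks"]:
        names |= flatten_task(store, sub, seen)
    return names


def role_operations(store: dict, role: dict) -> Set[str]:
    """Every operation a role assignment grants via its role definitions."""
    ops: Set[str] = set()
    for t in role["tasks"]:
        ops |= flatten_task(store, t)
    return ops


def effective_operations(store: dict, sids: Iterable[str],
                         scope: str = "") -> Set[str]:
    """Operations a principal (its SID plus its group SIDs) may perform on
    VMs in `scope`.  Application-level assignments are assumed to apply in
    every scope; scope-level ones only inside that scope."""
    sids = set(sids)
    granted: Set[str] = set()
    for level in {"", scope}:
        for role in store["scopes"].get(level, []):
            if role["members"] & sids:
                granted |= role_operations(store, role)
    return granted


def who_can(store: dict, operation: str, scope: str = "") -> Set[str]:
    """Audit view: every SID granted `operation` on VMs in `scope`."""
    return {sid for level in {"", scope}
            for role in store["scopes"].get(level, [])
            if operation in role_operations(store, role)
            for sid in role["members"]}
```

Run `who_can(parse_store(SAMPLE_STORE), "Delete Virtual Machine", "Finance")` to see that only the built-in Administrators group can delete VMs in the Finance scope, while the Operator assignment inside that scope reaches only the Control VM operations plus Read Service Configuration. Pointing `parse_store` at a real InitialStore.xml (after backing it up, as slide 6 says) gives a quick review of who holds which operations before and after a change.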
 11. Why use AzMan?
     More secure: it limits the operations that can be performed on Hyper-V hosts.
     Secure either the entire Hyper-V host or individual virtual machines.
     Note:-

 12. Secure by Virtual Machine
     Step 1: Create Scope
     Step 2: Create Role
     Step 3: Assign Role
     Step 4: Create New VM
     Step 5: Set the scope of the VM by using 4 scripts (contributed by Tony Super)
     GUI? Sorry, no GUI.
 13. Script #1: CreateVMInScope.vbs

     Option Explicit
     Dim WMIService
     Dim VMManagementService
     Dim VMName
     Dim VMScope
     Dim VMSystemGlobalSettingData
     Dim Result
     Dim inParameters
     VMName = InputBox("Specify the name for the new virtual machine:")
     VMScope = InputBox("Specify the scope to be used for the new virtual machine:")
     'Get an instance of the WMI Service in the virtualization namespace.
     Set WMIService = GetObject("winmgmts:\\.\root\virtualization")
     'Get a VMManagementService object
     Set VMManagementService = WMIService.ExecQuery("SELECT * FROM Msvm_VirtualSystemManagementService").ItemIndex(0)
     'Initialize the global settings for the VM
     Set VMSystemGlobalSettingData = WMIService.Get("Msvm_VirtualSystemGlobalSettingData").SpawnInstance_()
     'Set the name and scope (ScopeOfResidence is the AzMan scope name)
     VMSystemGlobalSettingData.ElementName = VMName
     VMSystemGlobalSettingData.ScopeOfResidence = VMScope
     'Create the VM; Result holds the WMI return code (0 = success)
     Result = VMManagementService.DefineVirtualSystem(VMSystemGlobalSettingData.GetText_(1))

 14. Script #2: DisplayVMScopes.vbs

     Option Explicit
     Dim WMIService
     Dim VMList
     Dim VM
     Dim VMSystemGlobalSettingData
     Dim Message
     'Setup start of message string
     Message = "Virtual Machines and their scope of residence" & Chr(10) _
       & "========================================"
     'Get instance of 'virtualization' WMI service on the local computer
     Set WMIService = GetObject("winmgmts:\\.\root\virtualization")
     'Get all the Msvm_ComputerSystem objects (the host appears here too)
     Set VMList = WMIService.ExecQuery("SELECT * FROM Msvm_ComputerSystem")
     For Each VM In VMList
         'Skip the host: only instances captioned "Virtual Machine" are VMs
         If VM.Caption = "Virtual Machine" Then
             Set VMSystemGlobalSettingData = _
               (VM.Associators_("Msvm_ElementSettingData", _
               "Msvm_VirtualSystemGlobalSettingData")).ItemIndex(0)
             Message = Message & Chr(10) & "VM: " & VM.ElementName
             Message = Message & Chr(10) & "Scope: " & _
               VMSystemGlobalSettingData.ScopeOfResidence
             Message = Message & Chr(10)
         End If
     Next
     WScript.Echo Message

 15. Script #3: ClearVMScope.vbs

     Option Explicit
     Dim WMIService
     Dim VMList
     Dim VM
     Dim VMSystemGlobalSettingData
     Dim VMManagementService
     Dim Result
     'Get instance of 'virtualization' WMI service on the local computer
     Set WMIService = GetObject("winmgmts:\\.\root\virtualization")
     'Get a VMManagementService object
     Set VMManagementService = WMIService.ExecQuery("SELECT * FROM Msvm_VirtualSystemManagementService").ItemIndex(0)
     'Get all the Msvm_ComputerSystem objects
     Set VMList = WMIService.ExecQuery("SELECT * FROM Msvm_ComputerSystem")
     For Each VM In VMList
         If VM.Caption = "Virtual Machine" Then
             Set VMSystemGlobalSettingData = _
               (VM.Associators_("Msvm_ElementSettingData", _
               "Msvm_VirtualSystemGlobalSettingData")).ItemIndex(0)
             'An empty scope means the VM falls back to application-level role assignments
             VMSystemGlobalSettingData.ScopeOfResidence = ""
             Result = VMManagementService.ModifyVirtualSystem(VM.Path_.Path, _
               VMSystemGlobalSettingData.GetText_(1))
         End If
     Next

 16. Script #4: ChangeVMScope.vbs

     Option Explicit
     Dim WMIService
     Dim VM
     Dim VMManagementService
     Dim VMSystemGlobalSettingData
     Dim VMName
     Dim VMScope
     Dim Result
     'Setup variables for the VM we are looking for, and the scope to assign it to
     VMName = InputBox("Specify the virtual machine to change scope on:")
     VMScope = InputBox("Specify the new scope to be used:")
     'Get an instance of the WMI Service in the virtualization namespace.
     Set WMIService = GetObject("winmgmts:\\.\root\virtualization")
     'Get a VMManagementService object
     Set VMManagementService = WMIService.ExecQuery("SELECT * FROM Msvm_VirtualSystemManagementService").ItemIndex(0)
     'Get the VM object that we want to modify
     Set VM = (WMIService.ExecQuery("SELECT * FROM Msvm_ComputerSystem WHERE " & _
       "ElementName='" & VMName & "'")).ItemIndex(0)
     'Get the VirtualSystemGlobalSettingData of the VM we want to modify
     Set VMSystemGlobalSettingData = (VM.Associators_("Msvm_ElementSettingData", _
       "Msvm_VirtualSystemGlobalSettingData")).ItemIndex(0)
     'Change the ScopeOfResidence property
     VMSystemGlobalSettingData.ScopeOfResidence = VMScope
     'Update the VM with ModifyVirtualSystem; Result holds the WMI return code
     Result = VMManagementService.ModifyVirtualSystem(VM.Path_.Path, _
       VMSystemGlobalSettingData.GetText_(1))
 17. Function of Each Script

 18. What happens when the host joins a domain?
     The Domain Admins group will have full permission to create and manage VMs on the host servers.
     The Administrator Role Assignment is set to Domain Admins.

 19. What happens when the host is added to VMM?
     VMM creates a copy of the store at ProgramData\Microsoft\Virtual Machine Manager\HyperVAuthStore.xml
     By default, VMM will
     VMM Administrators are given full access to the VM/Hyper-V, including console access to the VM.
     VMM Delegated Administrators have no access to the VM or Hyper-V.
     End User Role members are given console access to the VM if their User Role has this privilege defined.
     This means that any privileges defined in the old AzMan file will be lost once VMM takes control of the host.
     When the Hyper-V host is removed from VMM management, it reverts to InitialStore.xml.
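An added example, not from the deck or from VMM: comparing the role membership of the host's original InitialStore.xml with the VMM-written store lists exactly which assignments the slide warns are lost when VMM takes control. Both stores below are constructed and cut down to AzRole/Member elements (element names follow the AzMan store format as I recall it); all S-1-5-21 SIDs are placeholders, with S-1-5-32-544 standing for the built-in Administrators group.

```python
import xml.etree.ElementTree as ET
from typing import Dict, Set

# Constructed "before" store: the host's own InitialStore.xml, with two
# extra Administrator members and a scoped Operator assignment added by hand.
BEFORE_VMM = """\
<AzAdminManager>
  <AzApplication Name="Hyper-V services">
    <AzRole Name="Administrator">
      <Member>S-1-5-32-544</Member>
      <Member>S-1-5-21-1000-2000-3000-512</Member>
      <Member>S-1-5-21-1000-2000-3000-1105</Member>
    </AzRole>
    <AzScope Name="Finance">
      <AzRole Name="Operator">
        <Member>S-1-5-21-1000-2000-3000-1220</Member>
      </AzRole>
    </AzScope>
  </AzApplication>
</AzAdminManager>
"""

# Constructed "after" store standing in for HyperVAuthStore.xml: only the
# built-in Administrators group and a placeholder VMM account remain.
AFTER_VMM = """\
<AzAdminManager>
  <AzApplication Name="Hyper-V services">
    <AzRole Name="Administrator">
      <Member>S-1-5-32-544</Member>
      <Member>S-1-5-21-1000-2000-3000-9001</Member>
    </AzRole>
  </AzApplication>
</AzAdminManager>
"""


def role_members(xml_text: str) -> Dict[str, Set[str]]:
    """Map "scope/role" to its member SIDs; "" is the application level."""
    app = ET.fromstring(xml_text).find("AzApplication")
    containers = [("", app)] + [(s.get("Name"), s) for s in app.findall("AzScope")]
    out: Dict[str, Set[str]] = {}
    for scope_name, container in containers:
        for r in container.findall("AzRole"):
            out[f"{scope_name}/{r.get('Name')}"] = {m.text for m in r.findall("Member")}
    return out


def lost_assignments(old_xml: str, new_xml: str) -> Dict[str, Set[str]]:
    """Role members present in the old store but absent from the new one.
    A role (or whole scope) missing from the new store counts as fully lost."""
    old, new = role_members(old_xml), role_members(new_xml)
    lost = {key: members - new.get(key, set()) for key, members in old.items()}
    return {key: sids for key, sids in lost.items() if sids}
```

`lost_assignments(BEFORE_VMM, AFTER_VMM)` reports the two custom Administrator members and the entire Finance/Operator assignment, which is the list you would need to recreate as VMM User Roles after onboarding the host, and again to verify after removing it when the host reverts to InitialStore.xml.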
 20. Auditing
     Must be enabled in Authorization Manager.

 21. Auditing
     On local hosts: use Local Security Policy | Audit Policy and enable "Audit object access".
     On a domain: in the GPO, open Computer Configuration | Windows Settings | Security Settings | Local Policies | Audit Policy, then double-click "Audit directory service access".

 22. Troubleshooting AzMan
     Refer to Event Viewer.
     Open Windows Logs | Security
     Open Applications and Services Logs | Microsoft | Windows:
       Hyper-V-VMMS
       Hyper-V-Worker
     More information: http://technet.microsoft.com/en-us/library/dd581761(WS.10).aspx

 23. Event Viewer

 24. Summary
     AzMan is Role-Based Access Control security in Hyper-V.

 25. Questions & Answers
     Post on the MVUG page @ Facebook

 26. Resources
     Understand more about AzMan:
     http://technet.microsoft.com/en-us/library/cc726036(WS.10).aspx
     http://blogs.technet.com/b/m2/archive/2009/01/12/azman-permissions-for-vmm-managed-hyper-v-hosts.aspx
     http://blogs.technet.com/b/jhoward/archive/2009/08/31/explaining-the-hyper-v-authorization-model-part-one.aspx
     http://blogs.technet.com/b/jhoward/archive/2009/09/02/explaining-the-hyper-v-authorization-model-part-two.aspx
     http://blogs.technet.com/b/jhoward/archive/2009/09/09/explaining-the-hyper-v-authorization-model-part-three.aspx
     http://blogs.technet.com/b/jhoward/archive/2009/09/18/explaining-the-hyper-v-authorization-model-part-four.aspx
     MVUG (Malaysia Virtualization User Group): join us!
     http://www.facebook.com/group.php?gid=216237734803 (search "MVUG" in Facebook)
     Lai's Blog: Virtualization & System Center related, etc.
     http://www.ms4u.info