Security best practices for hyper v and server virtualisation [svr307] Presentation Transcript

  • 1.
  • 2. Announcing: Microsoft Assessment & Planning Toolkit 5.0 Customer Technology Preview, http://connect.microsoft.com
  • 3. MAP: User Interface & Reports; Server Migration & Virtualization Candidates
    Windows Server 2008
    Virtualization
    Windows 7
    • Heterogeneous Server Environment Inventory: Linux, Unix & VMware
    • 4. Windows 7 & Server 2008 R2 HW & Device Compatibility Assessment
    • 5. Speed up Planning with Actionable Proposals and Assessments
    • 6. Collect Inventory of Servers, Desktops and Applications Agentlessly
    • 7. Offers Recommendations for Server/Application Virtualization
    • 8. Works with the Virtualization ROI Tool to generate ROI calculations
    • 9. More on MAP: http://www.microsoft.com/map
  • Announcing: Visual Studio Team System 2010 Lab Management Beta 2
  • 10. VSTS Lab Management Beta 2
    Scenarios
    Create and manage virtual or physical environments
    Take environment snapshots or revert to existing snapshots for virtual environments
    Interact with the virtual machines in the environments through environment viewer
    Define test settings for the environments
    New Beta 2 Features
    Simplified Environment creation & edit experience
    Full-screen environment viewer
    Out of the box template for application build-deploy-test workflow
    Network isolation with support for domain controller Virtual Machines
    “In-Use” support for shared environments
  • 11. VSTS “Environments”
    A typical multi-tier application consists of multiple roles: database server, web server, client, etc.
    An environment is a set of roles that are required to run a specific application, together with the lab machines to be used for each role.
    Managing environments for multi-tier applications is an error-prone task today. Replicating the same environment at the same or another site is an even bigger problem.
  • 12. Windows Server 2008 R2 Hyper-V Security & Best Practices
    Jeff Woolsey
    Principal Group Program Mgr
    Windows Server, Hyper-V
    SVR307
  • 13. Agenda
    Virtualization Requirements
    Hyper-V Security
    Hyper-V & Storage
    Windows Server 2008 R2: SCONFIG
    Designing a Windows Server 2008 Hyper V & System Center Infrastructure
    Deployment Considerations
    Best Practices & Tips and Tricks
    Microsoft Hyper-V Server 2008 R2
  • 14. Virtualization Requirements
    Scheduler
    Memory Management
    VM State Machine
    Virtualized Devices
    Storage Stack
    Network Stack
    Ring Compression (optional)
    Drivers
    Management API
  • 15. Hyper-V Architecture
    [Diagram of the virtualization stack, keyed by who provides each component (rest of Windows, Hyper-V, or ISV). Parent partition, Ring 3 (user mode): VM worker processes, WMI provider, VM service. Parent partition, Ring 0 (kernel mode, Server Core): Windows kernel, device drivers, Virtualization Service Providers (VSPs). Child partition, Ring 3: guest applications. Child partition, Ring 0: OS kernel, Virtualization Service Clients (VSCs), enlightenments. The VMBus connects VSPs and VSCs. The Windows hypervisor runs beneath both partitions, directly on the server hardware.]
  • 16. Virtualization Attacks
    [Same architecture diagram as the previous slide, annotated with where attackers sit: inside the child partition, at guest application (Ring 3) and OS kernel (Ring 0) level. The guest-facing interfaces reachable from there, the VSCs, the enlightenments and the VMBus, are highlighted as the attack surface towards the parent partition and the hypervisor.]
  • 17. What if there was no parent partition?
    No defense in depth
    Entire hypervisor running in the most privileged mode of the system
    [Diagram: three virtual machines, each with user mode (Ring 3) and kernel mode (Ring 0), sit on a monolithic hypervisor in Ring -1 that contains the scheduler, memory management, storage stack, network stack, VM state machine, virtualized devices, drivers and management API, directly above the hardware.]
  • 18. Hyper-V Hypervisor
    Defense in depth
    Hyper-V doesn't use ring compression; it relies on hardware virtualization (Intel VT / AMD-V) instead
    Further reduces the attack surface
    [Diagram: only the scheduler and memory management run in the hypervisor at Ring -1, above the hardware. The parent partition carries the VM state machine, virtualized devices and management API in user mode (Ring 3) and the storage stack, network stack and drivers in kernel mode (Ring 0). Each virtual machine has its own user mode (Ring 3) and kernel mode (Ring 0).]
  • 19. Hyper-V Security
  • 20. Security Assumptions
    Guests are untrusted
    Trust relationships
    Parent must be trusted by hypervisor
    Parent must be trusted by children
    Code in guests can run in all available processor modes, rings, and segments
    Hypercall interface will be well documented and widely available to attackers
    All hypercalls can be attempted by guests
    Can detect you are running on a hypervisor
    We’ll even give you the version
    The internal design of the hypervisor will be well understood
  • 21. Security Goals
    Strong isolation between partitions
    Protect confidentiality and integrity of guest data
    Separation
    Unique hypervisor resource pools per guest
    Separate worker processes per guest
    Guest-to-parent communications over unique channels
    Non-interference
    Guests cannot affect the contents of other guests, parent, hypervisor
    Guest computations protected from other guests
    Guest-to-guest communications not allowed through VM interfaces
  • 22. Hyper-V & SDL
    Hypervisor built with
    Stack guard cookies (/GS)
    Address Space Layout Randomization (ASLR)
    HW Data Execution Prevention
    No Execute (NX) AMD
    Execute Disable (XD) Intel
    Code pages marked read only
    Memory guard pages
    Hypervisor binary is signed
    Entire stack through SDL
    Threat modeling
    Static Analysis
    Fuzz testing & Penetration testing
  • 23. Hyper-V Security Model
    Uses Authorization Manager (AzMan)
    Fine grained authorization and access control
    Department and role based
    Segregate who can manage groups of VMs
    Define specific functions for individuals or roles
    Start, stop, create, add hardware, change drive image
    VM administrators don’t have to be Server 2008 administrators
    Guest resources are controlled by per VM configuration files
    Shared resources are protected
    Read-only (CD ISO file)
    Copy on write (differencing disks)
  • 24. BitLocker: Persistent Protection
    Mitigating Against External Threats…
    Very Real Threat of Data Theft When a System is Stolen, Lost, or Otherwise Compromised (Hacker Tools Exist!)
    Decommissioned Systems are not Guaranteed Clean
    Increasing Regulatory Compliance on Storage Devices Drives Safeguards (HIPAA, SBA, PIPEDA, GLBA, etc.)
    BitLocker Drive Encryption Support in Windows Server 2008/2008 R2
    Addresses Leading External Threats by Combining Drive Level Encryption with Boot Process Integrity Validation
    Leverages Trusted Platform Module (TPM) Technology (Hardware Module)
    Integrates with Enterprise Ecosystem Maintaining Keys in Active Directory
    Protects Data While a System is Offline
    Entire Windows Volume is Encrypted (Hibernation and Page Files)
    Delivers Umbrella Protection to Applications (On Encrypted Volume)
    Ensures Boot Process Integrity
    Protects Against Root Kits – Boot Sector Viruses
    Automatically Locks System when Tampering Occurs
    Simplifies Equipment Recycling
    One Step Data Wipe – Deleting Access Keys Renders Disk Drive Useless
  • 25. Physical Security
    Device installation group policies: "no removable devices allowed on this system"
    BitLocker: encrypts drives, securing
    laptops
    branch office servers
    BitLocker To Go: encrypts removable devices like USB sticks
    Includes group policies that say, "don't let the user save data onto a USB stick unless the stick's been encrypted"
  • 26. McAfee: VirusScan Enterprise for Offline Virtual Images
    Reduce IT management overhead for virtual environments: anti-malware security profiles of offline virtual machines are updated automatically without having to bring virtual machines online, reducing the risk of infecting the rest of the virtual environment.
    Ensure security for virtual machines: automatically scan, clean and update virtual machines while offline, to eliminate the risk of dormant virtual machines threatening the corporate network.
    Achieve efficiencies with security management: minimize IT efforts and reduce operating costs with common security management for both physical and virtual environments.
    Improve disaster recovery: ensure that backup virtual images are up to date with respect to malware signatures before they go into production.
  • 27. VHD Performance
  • 28. Hyper-V R1 Performance
    Focused on Fixed Disk Performance
    Why?
    Allocating storage resources upfront and prevent surprises
    Result:
    Excellent near native performance for Fixed VHDs
    Dynamic VHDs performance had room for improvement
    Let’s take a look at R2 performance…
  • 29. Fixed VHD vs Raw Disk Throughput Comparison
  • 30. Fixed VHD vs Raw Disk Latency Comparison
  • 31. WS2008 vs WS2008 R2 Dynamic VHD Throughput Comparison
    Up to 15x Performance Improvement with R2
  • 32. Dynamic VHD vs Raw Disk Throughput Comparison
  • 33. Dynamic VHD vs Raw Disk Latency Comparison
  • 34. VHD Types Throughput Comparison
  • 35. VHD Types Latency Comparison
  • 36. Hyper-V R2 Storage Key Takeaways
    Fixed Disks are on par with Native Disk Performance
    Dynamic and Differencing Disks are up to 15x faster than in Hyper-V R1, with about a 15% performance delta from native
  • 37. Multi-Path I/O (MPIO) & Adv. Storage
  • 38. Multipath I/O (MPIO)
    What is it?
    Provides logical facility for routing I/O over redundant hardware paths connecting the server to storage
    Works with a variety of storage types (iSCSI, SCSI, SAS, Fibre Channel)
    Many hardware vendors provide MPIO capable drivers
    How do I enable it?
    Windows Server 2008 Full: Server Manager -> Features
    Windows Server 2008 Core: start /w ocsetup MultipathIo
  • 39. Enabling MPIO with iSCSI
    Open iscsicpl.exe (iSCSI configuration)
    Set up (discover) two connections to the iSCSI target
    Open mpiocpl.exe (MPIO configuration)
    Discover Multi-Path tab, “Add support for iSCSI Devices”
    In iscsicpl.exe, Targets tab, Connect
    Check “Enable multi-path”
    Under Advanced, specify Target Portal IP
    Repeat, choosing other Target Portal IP
  • 40. iSCSI Quick Connect: New in Windows 7/Windows Server 2008 R2
  • 41. Advanced Storage Capabilities
    Is there a Hyper-V Storage Certification?
    What about storage De-duplication?
    What about Storage Replication?
    Hyper-V is compatible with block based de-duplication and replication solutions that are certified for Windows Server 2008/2008 R2.
    Solutions from: NetApp, HP, EMC, Hitachi, NEC, Compellent and more…
    www.windowsservercatalog.com
  • 42. Hyper-V Networking
  • 43. Hyper-V Networking
    Don’t forget the parent is a VM
    Two physical network adapters at minimum
    One for management
    One (or more) for VM networking
    Dedicated NIC(s) for iSCSI
    Connect parent to back-end management network
    Only expose guests to internet traffic
  • 44. Hyper-V Network Configurations
    Example 1:
    Physical Server has 4 network adapters
    NIC 1: Assigned to parent partition for management
    NICs 2/3/4: Assigned to virtual switches for virtual machine networking
    Storage is non-iSCSI such as:
    Direct attach
    SAS or Fibre Channel
  • 45. Hyper-V Setup & Networking 1
  • 46. Hyper-V Setup & Networking 2
  • 47. Hyper-V Setup & Networking 3
  • 48. Each VM on its own Switch…
    [Diagram: the parent partition (Windows Server 2008) runs the VM worker processes, WMI provider and VM service in user mode and the Windows kernel with the VSPs in kernel mode; three child partitions (two with a Windows kernel, one with a Linux kernel), each with its applications and a VSC, are joined to the parent over the VMBus; the Windows hypervisor (Ring -1) sits on "Designed for Windows" server hardware. NIC 1 is the management NIC; NIC 2, NIC 3 and NIC 4 are bound to VSwitch 1, VSwitch 2 and VSwitch 3 respectively.]
  • 49. Hyper-V Network Configurations
    Example 2:
    Server has 4 physical network adapters
    NIC 1: Assigned to parent partition for management
    NIC 2: Assigned to parent partition for iSCSI
    NICs 3/4: Assigned to virtual switches for virtual machine networking
  • 50. Hyper-V Setup, Networking & iSCSI
  • 51. Now with iSCSI…
    [Diagram: same layout as slide 48 (parent partition with VM worker processes, WMI provider, VM service, Windows kernel and VSPs; three child partitions with Windows or Linux kernels and their VSCs; VMBus; Windows hypervisor at Ring -1 on "Designed for Windows" server hardware), but now NIC 1 is the management NIC, NIC 2 is dedicated to iSCSI, and only NIC 3 and NIC 4 are bound to virtual switches (VSwitch 1 and VSwitch 2).]
  • 52. Legacy vs. Synthetic NIC
    Legacy Network Adapter
    Up to 4 per virtual machine
    Pros: Needed for PXE/RIS/WDS installation
    Cons: Slow
    Synthetic Network Adapter
    Up to 8 per virtual machine!
    Pros: Blazing fast
    Both:
    Support VLANs
    Dynamic or Static MAC addresses
  • 53. Hyper-V R2 Networking with VMQ
  • 54. Virtualized Network I/O Data Path Without VMQ
    [Diagram: a single physical NIC hands every packet to the miniport driver in the parent partition; the Virtual Machine Switch (VSP) does all routing, VLAN filtering and data copying in software, then delivers frames through switch ports 1 and 2 over the VM bus to VM NIC 1 and VM NIC 2, where the TCP/IP stacks of VM1 and VM2 receive them.]
  • 55. Networking Virtual Machine Queues
    Hyper-V uses virtual machine queue (VMQ) support in new NICs to offload processing to hardware
    VMQ operation:
    Each VM is assigned a hardware-managed receive queue
    Hardware performs MAC address lookup and VLAN ID validation
    Places receive packets in appropriate queue
    Queues are mapped into VM address space to avoid copy operations
  • 56. Network I/O Data Path With VMQ
    [Diagram: the NIC now contains a switch/routing unit with a hardware receive queue per VM (Q1, Q2) plus a default queue; the miniport driver in the parent partition passes each queue straight to the matching Virtual Machine Switch (VSP) port, so MAC lookup and VLAN filtering happen in hardware and the copy step is avoided on the way over the VM bus to VM NIC 1 and VM NIC 2 and the TCP/IP stacks of VM1 and VM2.]
  • 57. VMQ Partner Support
    Intel
    Gigabit ET/EF
    Dual Port ~$170
    Alacritech
    Broadcom
    Neterion
    ServerEngines
    Solarflare
    …and many more…
  • 58. Windows Server 2008 R2: SCONFIG
  • 59. Windows Server Core
    Windows Server frequently deployed for a single role
    Must deploy and service the entire OS in earlier Windows Server releases
    Server Core: minimal installation option
    Provides essential server functionality
    Command Line Interface only, no GUI Shell
    Benefits
    Less code results in fewer patches and reduced servicing burden
    Low surface area server for targeted roles
    Windows Server 2008 Feedback
    Love it, but…steep learning curve
    Windows Server 2008 R2 Introducing “SCONFIG”
  • 60. Windows Server Core
    Server Core: CLI
  • 61. Easy Server Configuration
  • 62. DEMO
  • 63. Manage Remotely…
  • 64. Hyper-V MMC for Win 7
    Install the Win 7 RSAT
    Turn Windows features on/off
    Under Remote Server Admin Tools
    Failover Clustering Tools
    Hyper-V Tools
    Go to Start Menu->Admin Tools
  • 65. Hyper-V Best Practices
  • 66. Deployment
    Minimize risk to the Parent Partition
    Use Server Core
    Don’t run arbitrary apps, no web surfing
    Run your apps and services in guests
    Two physical 1 Gb/E network adapters @minimum
    One for management (use a VLAN too)
    One (or more) for VM networking
    Dedicated NIC(s) for iSCSI
    Connect parent to back-end management network
    Only expose guests to internet traffic
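The deployment layout above (management NIC on its own VLAN, a dedicated iSCSI NIC, the remaining NICs on virtual switches, parent kept off guest networks) as an added PowerShell example that is not part of the session deck; it assumes the Hyper-V and NetAdapter modules of Windows Server 2012 or later (the 2008 R2 hosts in the deck had no in-box cmdlets), and the adapter names and VLAN ID are placeholders to be taken from Get-NetAdapter.

```powershell
# Added example (not from the deck): build the four-NIC layout and then
# check the host for drift from the isolation rules. Adapter names and the
# management VLAN are assumptions.
$MgmtNic  = 'NIC 1'
$IscsiNic = 'NIC 2'
$VmNics   = 'NIC 3', 'NIC 4'
$MgmtVlan = 100                       # placeholder management VLAN

# Management traffic tagged onto its own VLAN (slide: "use a VLAN too").
# Requires a NIC driver that exposes the VLAN ID property.
Set-NetAdapter -Name $MgmtNic -VlanID $MgmtVlan -Confirm:$false

# One external switch per VM-facing NIC. -AllowManagementOS $false means no
# host vNIC is created on the switch, so the parent partition never shares a
# segment with guest (possibly internet-facing) traffic.
$n = 1
foreach ($nic in $VmNics) {
    $name = "VSwitch $n"
    if (-not (Get-VMSwitch -Name $name -ErrorAction SilentlyContinue)) {
        New-VMSwitch -Name $name -NetAdapterName $nic `
                     -AllowManagementOS $false | Out-Null
    }
    $n++
}

# Drift check. Returns an array of findings; empty means the host matches
# the intended layout.
function Test-HyperVNicIsolation {
    param([string]$Mgmt, [string]$Iscsi, [string[]]$Vm, [int]$Vlan)
    $findings = @()

    # Physical adapters currently bound to an external switch.
    $bound = @()
    foreach ($sw in (Get-VMSwitch -SwitchType External)) {
        $bound += (Get-NetAdapter -InterfaceDescription $sw.NetAdapterInterfaceDescription).Name
    }
    foreach ($a in @($Mgmt, $Iscsi)) {
        if ($bound -contains $a) { $findings += "$a is bound to a virtual switch" }
    }
    foreach ($a in $Vm) {
        if ($bound -notcontains $a) { $findings += "$a has no virtual switch" }
    }

    # Any host vNIC on a switch puts the parent onto a VM network.
    foreach ($v in (Get-VMNetworkAdapter -ManagementOS)) {
        $findings += "parent has vNIC '$($v.Name)' on switch '$($v.SwitchName)'"
    }

    # The management NIC must carry its VLAN tag.
    if ((Get-NetAdapter -Name $Mgmt).VlanID -ne $Vlan) {
        $findings += "$Mgmt is not on VLAN $Vlan"
    }
    return ,$findings
}

Test-HyperVNicIsolation -Mgmt $MgmtNic -Iscsi $IscsiNic -Vm $VmNics -Vlan $MgmtVlan
```

Run the check function on a schedule: a non-empty result is the signal that someone has attached the parent to a VM switch or repurposed the storage NIC.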
  • 67. Windows Server 2003 Cluster Creation
  • 68. Cluster Hyper-V Servers
  • 69. Use Cluster Shared Volumes
    Hyper-V high availability and migration scenarios are supported by the new Cluster Shared Volumes in Windows Server 2008 R2
    Concurrent access to a single file system
    Technology within Failover Cluster feature
    Single consistent name space
    Compatible: NTFS volume
    Simplified LUN management
    Multiple data stores supported
    Enhanced storage availability due to built in redundancy
    Scalable as I/O is written directly by each node to the shared volume
    Transparent to the VM
    [Diagram: a single SAN volume holding several VHDs, accessed concurrently by the cluster nodes.]
  • 70. Don't forget the ICs! Emulated vs. VSC
  • 71. Installing Integration Components
  • 72. Hyper-V & Localization…
  • 73. Hyper-V/AV Software Configuration
    Host: If you are running antivirus software on the physical server, exclude from active scanning:
    the Vmms.exe and Vmwp.exe processes
    the directories that contain the virtual machine configuration files and virtual hard disks. An added benefit of using pass-through disks in your virtual machines is that the antivirus software running on the physical server can protect that virtual machine's disk
    Guest: Run AV within the guest
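The host-side exclusions from the slide, as an added PowerShell example that is not part of the deck: it assumes the Windows Defender cmdlets of Windows Server 2016 or later (third-party AV products have equivalent settings), reads the VM and VHD directories from the live Hyper-V configuration rather than hard-coding them, and then reports any path exclusion that is broader than those directories.

```powershell
# Added example (not from the deck): Hyper-V host AV exclusions plus a check
# for over-broad exclusions. Defender cmdlets are an assumption.
$vmHost = Get-VMHost
$vmDirs = @($vmHost.VirtualMachinePath, $vmHost.VirtualHardDiskPath)

# VMs can be stored outside the defaults, so add the directory of every VHD
# attached to a VM. Pass-through disks have no file path and are skipped;
# their contents are scanned by the host AV, as the slide notes.
foreach ($disk in (Get-VM | Get-VMHardDiskDrive)) {
    if ($disk.Path) { $vmDirs += Split-Path -Path $disk.Path -Parent }
}
$vmDirs = @($vmDirs | Where-Object { $_ } | Sort-Object -Unique)

# Process exclusions for the VM management service and the per-VM worker
# process, and path exclusions for configuration files and VHDs.
Add-MpPreference -ExclusionPath $vmDirs
Add-MpPreference -ExclusionProcess 'vmms.exe', 'vmwp.exe'

# An exclusion such as a drive root or a user profile silently blinds the
# host scanner, so list every path exclusion that is not one of ours.
function Get-UnexpectedAvExclusions {
    param([string[]]$Expected)
    $current = @((Get-MpPreference).ExclusionPath)
    foreach ($p in $current) {
        if ($Expected -notcontains $p) {
            [pscustomobject]@{
                Exclusion = $p
                Reason    = 'not a Hyper-V VM configuration or VHD directory'
            }
        }
    }
}

Get-UnexpectedAvExclusions -Expected $vmDirs
```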
  • 74. Storage
    BitLocker
    Great for branch office
    VHDs
    Use fixed virtual hard disks in production
    VHD Compaction/Expansion
    Run it on a non-production system
    Use .isos
    Great performance
    Can be mounted and unmounted remotely
    Physical DVD can’t be shared across multiple vms
    Having them in SCVMM Library fast & convenient
  • 75. Jumbo Frames
    Offers a significant performance gain for TCP connections, including iSCSI
    Max frame size 9K
    Reduces TCP/IP overhead by up to 84%
    Must be enabled at all end points (switches, NICs, target devices)
    Virtual switch is defined as an end point
    Virtual NIC is defined as an end point
  • 76. Jumbo Frames in Hyper-V R2
    Added support in virtual switch
    Added support in virtual NIC
    Integration components required
    How to validate that jumbo frames are configured end to end:
    ping -n 1 -l 8000 -f <hostname>
    -l (payload length in bytes)
    -f (don't fragment; fail instead of splitting the packet into multiple Ethernet frames)
    -n (count)
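The ping validation above, as an added PowerShell example that is not part of the deck: it runs the same don't-fragment ping against every end point on a jumbo-frame path (iSCSI target, another host, a guest) and classifies the reply, and reads the local adapters' jumbo setting. The hostnames are placeholders.

```powershell
# Added example (not from the deck). 8000 data bytes plus 28 bytes of IP and
# ICMP header is an 8028-byte packet; with -f (don't fragment) it only gets
# through if every hop, virtual switch and virtual NIC allows ~9K frames.
function Test-JumboFramePath {
    param(
        [Parameter(Mandatory)][string[]]$Hosts,
        [int]$PayloadBytes = 8000
    )
    foreach ($h in $Hosts) {
        $out = (& ping.exe -n 1 -l $PayloadBytes -f $h 2>&1) -join "`n"
        # Windows ping reports "Packet needs to be fragmented but DF set."
        # when some hop's MTU is too small; a TTL= line is a real reply.
        $status =
            if ($out -match 'needs to be fragmented') { 'FAIL: a hop on the path has a smaller MTU' }
            elseif ($out -match 'TTL=')                { 'OK: jumbo frame passed end to end' }
            else                                       { 'NO REPLY: host down or ICMP filtered' }
        [pscustomobject]@{ Host = $h; PayloadBytes = $PayloadBytes; Status = $status }
    }
}

# Local side: '*JumboPacket' is the standard advanced-property keyword NIC
# drivers use for the maximum frame size (DisplayValue shows the setting).
function Get-LocalJumboSetting {
    Get-NetAdapterAdvancedProperty -RegistryKeyword '*JumboPacket' -ErrorAction SilentlyContinue |
        Select-Object Name, DisplayName, DisplayValue
}

Get-LocalJumboSetting
# placeholder hostnames: iSCSI target, second Hyper-V node, a guest VM
Test-JumboFramePath -Hosts 'iscsi-target.example.test', 'hv-node2.example.test', 'vm1.example.test'
```

A FAIL on the guest but OK on the host usually means the virtual NIC inside the guest (or its integration components) is not set for jumbo frames, since the slide lists both the virtual switch and the virtual NIC as end points.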
  • 77. More Tips…
    Mitigate Bottlenecks
    Processors
    Memory
    Storage
    Networking
    Turn off screen savers in guests
    Windows Server 2003: create VMs with two virtual processors (2-way) to ensure a multiprocessor (MP) HAL is installed
  • 78. Creating Virtual Machines
    Use SCVMM Library
    Templates help standardize configurations
    Steps:
    Create virtual machine
    Install guest operating system & latest SP
    Install integration components
    Install anti-virus
    Install management agents
    SYSPREP
    Add it to the VMM Library
  • 79. Microsoft Hyper-V Server R2
  • 80. Microsoft Hyper-V Server R2: New Features
    Live Migration
    High Availability
    New Processor Support
    Second Level Address Translation
    Core Parking
    Networking Enhancements
    TCP/IP Offload Support
    VMQ & Jumbo Frame Support
    Hot Add/Remove virtual storage
    Enhanced scalability
    Free download:
    • www.microsoft.com/hvs
  • Microsoft Virtualization: Customers Win
    November 2005
    June 2008
    July 2009
    Greater Performance
    High Availability Built-In
    Live Migration Built-In
    More Capabilities
    Increased Scalability
    Ready for Next Gen Servers
  • 81. Online Resources
    Microsoft Virtualization Home/Case Studies from customers around the world:
    http://www.microsoft.com/virtualization
    Windows Server Virtualization Blog Site:
    http://blogs.technet.com/virtualization/default.aspx
    Windows Server Virtualization TechNet Site:
    http://technet2.microsoft.com/windowsserver2008/en/servermanager/virtualization.mspx
    MSDN & TechNet Powered by Hyper-V
    http://blogs.technet.com/virtualization/archive/2008/05/20/msdn-and-technet-powered-by-hyper-v.aspx
    Virtualization Solution Accelerators
    http://technet.microsoft.com/en-us/solutionaccelerators/cc197910.aspx
    How to install the Hyper-V role
    http://www.microsoft.com/windowsserver2008/en/us/hyperv-install.aspx
    Windows Server 2008 Hyper-V Performance Tuning Guide
    http://www.microsoft.com/whdc/system/sysperf/Perf_tun_srv.mspx
    Using Hyper-V & BitLocker White Paper
    http://www.microsoft.com/downloads/details.aspx?FamilyID=2c3c0615-baf4-4a9c-b613-3fda14e84545&DisplayLang=en
  • 82. Related Content
    MGT220 - Virtualization 360: Microsoft Virtualization Strategy, Products, and Solutions for the New Economy
    SVR314 - From Zero to Live Migration. How to Set Up a Live Migration
    SVR308 - Storage and Hyper-V: The Choices You Can Make and the Things You Need to Know
    SVR307 - Security Best Practices for Hyper-V and Server Virtualization
    SVR09-IS - Windows Server 2008 R2 Hyper-V Deployment Considerations
  • 83. Resources
    TechEd 2009 session recordings are available at TechEd Online (no DVD was produced)
    www.microsoft.com/teched: Sessions On-Demand & Community
    www.microsoft.com/learning: Microsoft Certification & Training Resources
    http://microsoft.com/technet: Resources for IT Professionals
    http://microsoft.com/msdn: Resources for Developers
  • 84. Complete an evaluation on CommNet and enter to win an Xbox 360 Elite!