0
Rohit Gulati | Partner Technical Consultant
               Microsoft
Agenda
 Virtualization Overview
 Hyper-V Architecture
 Hyper-V Security Overview
 Hyper-V Security Guide
 Summary!
Virtualization Today
 Machine virtualization requires control of
 privileged operations
   CPU registers and memory manage...
Virtual Machine Monitor Arrangements

 Hosted Virtualization             Hypervisor Virtualization

              Guest 1 ...
Monolithic Versus Microkernel Hypervisor

 Monolithic Hypervisor            Microkernel Hypervisor
                       ...
Agenda
 Virtualization Overview
 Hyper-V Architecture
 Hyper-V Security Overview
 Hyper-V Security Guide
 Summary!
Hyper-V Background
 Three major components
    Hypervisor
    Virtualization Stack
    Virtual Devices

 Windows based vir...
Hyper-V Architecture
           Root Partition                        Guest Partitions             Provided by:
          ...
Hypervisor
 Partitioning Kernel
   Partition is an isolation boundary
   Few virtualization functions; relies on virtualiz...
Virtualization Stack
 Runs within the root partition
 Portion of traditional hypervisor that has been pushed
 up and out t...
Agenda
 Virtualization Overview
 Hyper-V Architecture
 Hyper-V Security Overview
 Hyper-V Security Guide
 Summary!
VM “Aware” Threats
New technologies can introduce new types of attacks




       Guest OS   {            SAP             ...
Top Virtualization Security Concerns
 The loss of separation of duties for administrative tasks, which
 can lead to a brea...
Security Assumptions
 Guests are un-trusted
 Root must be trusted by hypervisor; guests
 must trust the root
 Code in gues...
Security Goals
 Strong isolation between partitions
 Protect confidentiality and integrity of guest
 data
 Separation
   U...
Hyper-V Security
 No sharing of virtualized devices
 Separate VMBus per guest to the parent
 No sharing of memory
   Each ...
Virtualization Attacks
         Root Partition                       Guest Partitions               Provided by:
Virtualiz...
Agenda
 Virtualization Overview
 Hyper-V Architecture
 Hyper-V Security Overview
 Hyper-V Security Guide
 Summary!
Hyper-V Security Guide
 Chapter 1: Hardening Hyper-V
    Attack Surface
    Server Role Security Considerations
    Virtua...
Attack Surface
 Adding the Hyper-V role service changes the
 attack surface
 The increased attack surface includes:
    In...
Server Role Security Configuration
 Two main considerations:
    Parent partition (root) security
    Child partition (gue...
Architecture of an Enterprise Network
Network Configuration for Multi-tier Web
Application
Delegating VM Management
 Hyper-V management console
    Requires admin account
    Manage VMs
 Authorization Manager (AzM...
Hyper-V Ecosystem
Delegating VM Management
What is Authorization Manager?
 A Role-Based Access Control (RBAC) framework
 composed of:
    AzMan administration tool (...
AzMan Terminology
     Scope
     • A collection of similar resources with the same authorization policy
     • Virtual ma...
Hyper-V and AzMan
 One default role defined: Administrators
 Defines specific functions for users or roles
    Start, Stop...
Hyper-V Operations at-a-Glance
VM Management Operations
Read Service                              Reconfigure Service



V...
Hyper-V Operations at-a-Glance
Networking Operations
Create virtual   Delete virtual    Create virtual   Delete virtual   ...
Hyper-V Authorization Scenarios
 Departmental or Service Administrators

    A Hyper-V server hosts virtual machines for t...
Hyper-V Authorization Scenarios
 Departmental or Service Administrators

    The help desk and, after hours, the Operation...
Using AD as an Auth Store
 AzMan supports other auth stores such as
 Active Directory and SQL Server
 Useful for creating ...
System Center Virtual Machine Manager
Delegation and Self Service
 Administrators control access
 through policies which designate
 capabilities
 Delegated Admi...
Understanding User Roles
                  Membership
     Membership      Determines which users
                     are...
Built-In Profiles
 Administrators
    Full access to all actions
    Full access to all objects
    Can use the Admin cons...
Customizing Scopes
 Administrators
   No scope customization available,
   Administrators have access to all objects

 Del...
Delegating Administration


           Virtualized Environment
                          Delegated Administration




    ...
Protecting Virtual Machines
 File system security
 Encryption
 Auditing
 Maintaining virtual machines
 Best practices
Summary
 Virtualization introduces new security concerns
 Hyper-V was designed to achieve strong security
 goals
 Use the ...
Online Resources
Virtualization Home Page: www.microsoft.com/virtualization



Virtualization Solution Accelerators: www.m...
© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be...
Security Best Practices For Hyper V And Server Virtualization
Upcoming SlideShare
Loading in...5
×

Security Best Practices For Hyper V And Server Virtualization

4,786

Published on

Published in: Technology
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
4,786
On Slideshare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
264
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide
  • AzMan is a role-based access control (RBAC) framework that provides an administrative tool to manage authorization policy and a runtime that allows applications to perform access checks against that policy. The AzMan administration tool (AzMan.msc) is supplied as a Microsoft Management Console (MMC) snap-in.Role-based authorization policy specifies access in terms of user roles that reflect an application's authorization requirements. Users are assigned to roles based on their job functions and these roles are granted permissions to perform related tasks.Authorization policy is managed separately from an application’s code. The application designer defines the set of low-level operations that are considered security sensitive and then defines a set of tasks that map onto those operations. The tasks, but not the operations, are designed to be understandable by administrators and business analysts.Administrators use the AzMan snap-in to manage which roles should have access to which tasks. As the business evolves and roles need to be modified, the administrator makes changes to the authorization policy; the underlying business application does not need to be changed. Federation-aware applications employ AzMan for access control decisions by mapping federation claims to AzMan roles.
  • By default Hyper-V is configured such that only members of the administrators group can create and control virtual machines. Hyper-V uses the new authorization management framework in Windows to allow you to configure what users can and cannot do with virtual machines.  This is very powerful and allows for some useful and interesting configuration options - but I will explore those on another day.  To set the stage I need to explain some terms from the authorization management framework world:Operation This is the basic building block of authorization manager - and represents some action that the user can perform.  Some operations that exist in our authorization store include op_Create_VM (the act of creating a new virtual machine) or op_Start_VM (the act of starting a virtual machine). TaskA task is a grouping of operations.  We do not create any tasks by default - but you could create a task that was labeled 'control_VM' and then add the operations for starting, stopping, pausing and restarting a virtual machine to that task. RoleA role defines a job / position / responsibility that is held by a user.  For instance, you might have a role called 'Virtual_Network_Admin'.  This role would have all the tasks and operations that relate to virtual networks.  Users are then assigned to roles as needed. ScopeA scope allows you to define which objects are owned by which roles.  If you had a system where you wanted to grant administrative access to a subset of the virtual machines to a specific user - you would create a scope for those virtual machines and apply your configuration change to only that scope. Default Scope The default scope is where virtual machines are stored by default.  It is the equivalent of having no scope defined. Hyper-V can be configured to store it's authorization configuration in Active Directory or in a local XML file.  After initial installation it will always be configured to use a local XML file located at \\programdata\\Microsoft\\Windows\\Hyper-V\\InitialStore.xml on the system partition.  To edit this file you will need to:
  • Transcript of "Security Best Practices For Hyper V And Server Virtualization"

    1. 1. Rohit Gulati | Partner Technical Consultant Microsoft
    2. 2. Agenda Virtualization Overview Hyper-V Architecture Hyper-V Security Overview Hyper-V Security Guide Summary!
    3. 3. Virtualization Today Machine virtualization requires control of privileged operations CPU registers and memory management hardware Hardware devices Virtualization usually means emulation, but can also mean controlled access to privileged state The core virtualization software is called a Virtual Machine Monitor (VMM) There are two approaches to machine virtualization: Hosted virtualization Hypervisor virtualization
    4. 4. Virtual Machine Monitor Arrangements Hosted Virtualization Hypervisor Virtualization Guest 1 Guest 2 Guest 1 Guest 2 Host OS VMM VMM Hardware Hardware Examples: Examples: VMware Workstation VMware ESX KVM Xen Virtual PC & Virtual Server Hyper-V
    5. 5. Monolithic Versus Microkernel Hypervisor Monolithic Hypervisor Microkernel Hypervisor VM 1 VM 1 (Parent) VM 2 VM 3 (Admin) Virtual- VM 2 VM 3 ization (Child) (Child) Virtualization Stack Stack Drivers Drivers Drivers Hypervisor Drivers Hypervisor Hardware Hardware More simple than a modern Simple partitioning functionality kernel, but still complex Increase reliability and minimizes TCB Implements a driver model No third-party code Drivers run within guests
    6. 6. Agenda Virtualization Overview Hyper-V Architecture Hyper-V Security Overview Hyper-V Security Guide Summary!
    7. 7. Hyper-V Background Three major components Hypervisor Virtualization Stack Virtual Devices Windows based virtualization platform Windows Server 2008 x64 Edition technology (32/64 bit guest support) Standard, Enterprise, and Datacenter Editions Standards based Packaged as a Server Role Requires hardware assisted virtualization AMD AMD-V Intel VT Data Execution Prevention (DEP) should be enabled
    8. 8. Hyper-V Architecture Root Partition Guest Partitions Provided by: Windows Virtualization Stack Hyper-V WMI Provider Guest Applications VM Worker ISV VM Processes Service Ring 3: User Mode Virtualization Service OS Server Core Virtualization Kernel Clients Service (VSCs) Windows Kernel Device Providers Drivers (VSPs) VMBus Enlightenments Ring 0: Kernel Mode Windows Hypervisor Server Hardware
    9. 9. Hypervisor Partitioning Kernel Partition is an isolation boundary Few virtualization functions; relies on virtualization stack Very thin layer of software Microkernel Highly reliable No device drivers Two versions, one for Intel and one for AMD Drivers run in the root partition Leverage the large base of Windows drivers Well-defined interface Allow others to create support for their OSes as guests
    10. 10. Virtualization Stack Runs within the root partition Portion of traditional hypervisor that has been pushed up and out to make a micro-hypervisor Manages guest partitions Handles intercepts Emulates devices
    11. 11. Agenda Virtualization Overview Hyper-V Architecture Hyper-V Security Overview Hyper-V Security Guide Summary!
    12. 12. VM “Aware” Threats New technologies can introduce new types of attacks Guest OS { SAP Dept File / Print VM Host Guest VMs can not see/detect threats in the VM host due to the virtualizing behavior of the host. This attack approach is similar, yet much more insidious, than the approach rootkits take to hide their presence.
    13. 13. Top Virtualization Security Concerns The loss of separation of duties for administrative tasks, which can lead to a breakdown of defense in depth Patching, signature updates, and protection from tampering for offline virtual machine and virtual machine appliance images Patching and secure confirmation management of VM appliances where the underlying OS and configuration aren’t accessible Limited visibility into the host OS and virtual network to find vulnerabilities and access correct configuration Restricted view into inter-VM traffic for inspection by intrusion- prevention systems Mobile VMs will require security policy and settings to migrate with them Immature and incomplete security and management tools
    14. 14. Security Assumptions Guests are un-trusted Root must be trusted by hypervisor; guests must trust the root Code in guests will run in all available processor modes, rings, and segments Hypercall interface will be well documented and widely available to attackers All hypercalls can be attempted by guests Can detect you are running on a hypervisor We’ll even give you the version The internal design of the hypervisor will be well understood
    15. 15. Security Goals Strong isolation between partitions Protect confidentiality and integrity of guest data Separation Unique hypervisor resource pools per guest Separate per-guest worker processes manage state Guest-to-root communications over unique channels Non-interference Guests cannot affect the contents of other guests, root, hypervisor Guest computations protected from other guests Guest-to-guest communications not allowed through VM interfaces
    16. 16. Hyper-V Security No sharing of virtualized devices Separate VMBus per guest to the parent No sharing of memory Each has its own address space Guests cannot communicate with each other, except through traditional networking Guests can’t perform DMA attacks because they’re never mapped to physical devices No partition can write into hypervisor memory
    17. 17. Virtualization Attacks Root Partition Guest Partitions Provided by: Virtualization Stack Windows WMI Provider Guest Applications Hyper-V VM Worker VM Processes ISV Service Ring 3: User Mode Malicious User Virtualization Service OS Server Core Virtualization Kernel Clients Service (VSCs) Windows Kernel Device Providers Drivers (VSPs) VMBus VMBus Enlightenments Ring 0: Kernel Mode Windows hypervisor Server Hardware
    18. 18. Agenda Virtualization Overview Hyper-V Architecture Hyper-V Security Overview Hyper-V Security Guide Summary!
    19. 19. Hyper-V Security Guide Chapter 1: Hardening Hyper-V Attack Surface Server Role Security Considerations Virtual Machine Configuration Checklist Chapter 2: Delegating Virtual Machine Management Using Tools to Delegate Access Delegating Access with Authorization Manager (AzMan) System Center Virtual Machine Manager (SCVMM) Protecting Virtual Machines Methods for Protecting Virtual Machines Maintaining Virtual Machines Best Practices
    20. 20. Attack Surface Adding the Hyper-V role service changes the attack surface The increased attack surface includes: Installed files Installed services Firewall rules The attack surface for Hyper-V is documented
    21. 21. Server Role Security Configuration Two main considerations: Parent partition (root) security Child partition (guest, VM) security Parent partition Default installation recommendations Host network configuration Secure dedicated storage devices Host management configuration (admin privileges) Virtual Machines Configuration recommendations Hardening the OS Checklist
    22. 22. Architecture of an Enterprise Network
    23. 23. Network Configuration for Multi-tier Web Application
    24. 24. Delegating VM Management Hyper-V management console Requires admin account Manage VMs Authorization Manager (AzMan) Microsoft Management Console snap-in Users assigned to roles Roles granted permissions to perform operations Hyper-V defines 33 different operations System Center Virtual Machine Manager Comprehensive management solution for data centers Manage VMware ESX Server 3 defined profiles
    25. 25. Hyper-V Ecosystem
    26. 26. Delegating VM Management
    27. 27. What is Authorization Manager? A Role-Based Access Control (RBAC) framework composed of: AzMan administration tool (AzMan.msc) Runtime that allows access checks against policy RBAC specifies access in terms of user roles, which are administrator-defined Authorization policy is managed separately from application code
    28. 28. AzMan Terminology Scope • A collection of similar resources with the same authorization policy • Virtual machines; virtual networks Role • A job category or responsibility • “Administrators” or “Self-Service Users” (in SCVMM) Task • A collection of operations or other actions • None are defined by default Operation • A specific action that a user can perform • “Start virtual machine”; “Stop virtual machine”
    29. 29. Hyper-V and AzMan One default role defined: Administrators Defines specific functions for users or roles Start, Stop, Allow Input, Allow Output, etc. 32 operations are defined in the Auth store Hyper-V admins do not need Administrator access to parent partition OS Default authorization data stored in XML: %ProgramData%MicrosoftWindowsHyper- VInitialStore.xml Authorization data can be stored in Active Directory
    30. 30. Hyper-V Operations at-a-Glance VM Management Operations Read Service Reconfigure Service Virtual Machine Operations Allow input to a Allow output Create virtual Delete virtual Change virtual virtual machine from a virtual machine machine machine machine authorization scope Stop virtual Start virtual Pause and Reconfigure View virtual machine machine restart virtual virtual machine machine machine configuration
    31. 31. Hyper-V Operations at-a-Glance Networking Operations Create virtual Delete virtual Create virtual Delete virtual Disconnect switch switch switch port switch port virtual switch port Create Delete internal Bind external Unbind external Change VLAN internal Ethernet port Ethernet port Ethernet port configuration Ethernet port on port Modify switch Modify switch View switches View switch View external settings port settings ports Ethernet ports View internal View VLAN View LAN View virtual Modify Ethernet ports settings endpoints switch internal management Ethernet port service
    32. 32. Hyper-V Authorization Scenarios Departmental or Service Administrators A Hyper-V server hosts virtual machines for two different LOB applications. Admins for each application needs to have full control over their own virtual machines, but should have no access to the other application’s virtual machines, or to Hyper-V.
    33. 33. Hyper-V Authorization Scenarios Departmental or Service Administrators The help desk and, after hours, the Operations Center, perform some first level analysis of issues that are called in by end-users. They need to be able to view virtual machine configuration information and interact virtual machines. They should not be able to start, stop or save any virtual machines or change any configuration information.
    34. 34. Using AD as an Auth Store AzMan supports other auth stores such as Active Directory and SQL Server Useful for creating standardized auth policies across several servers Use of AD requires WS 2003 domain functional level or better Auth policies cannot be created in non-domain partitions Hyper-V host computer accounts require READ access to the auth store
    35. 35. System Center Virtual Machine Manager
    36. 36. Delegation and Self Service Administrators control access through policies which designate capabilities Delegated Administrators Manage a scoped environment Self service user Web user interface Manage their own VMs Quota to limit VMs Scripting through PowerShell
    37. 37. Understanding User Roles Membership Membership Determines which users are part of a particular user role Members may be individual users or groups Members may be in multiple user roles Profile including user roles based on different profiles Profile determines Scope Which actions are permitted Which user interface is accessible How the scope is defined Scope determines User Role Which objects a user may take actions on
    38. 38. Built-In Profiles Administrators Full access to all actions Full access to all objects Can use the Admin console or PowerShell interface Delegated Administrators Full access to most actions Scope can be limited by host groups and Library servers Can use the Admin console or PowerShell interface Self-Service Users Limited access to a subset of actions Scope can be limited by host groups and Library share Can use the Self-Service Portal or PowerShell interface
    39. 39. Customizing Scopes Administrators No scope customization available, Administrators have access to all objects Delegated Administrators Can be limited to one or more host groups including all child objects Can be limited to one or more Library servers including all child objects Self-Service Users Can be limited to a single host group where new virtual machines may be created Can be limited to a single Library share where new virtual machines can be stored Can be limited to specific templates to use for new virtual machines
    40. 40. Delegating Administration Virtualized Environment Delegated Administration Seattle New York Delegated Administration Production Dev/Test Self Service Self Service Self Service Users Users Users
    41. 41. Protecting Virtual Machines File system security Encryption Auditing Maintaining virtual machines Best practices
    42. 42. Summary Virtualization introduces new security concerns Hyper-V was designed to achieve strong security goals Use the Hyper-V Security Guide to: Install and configure Hyper-V with a strong focus on security Reduce the attack surface of Hyper-V host servers Secure virtual networks and storage devices on a Hyper-V host server Delegate administrative access to virtual machine resources within an organization Protect Virtual Machines - via file system permissions, encryption, and auditing
    43. 43. Online Resources Virtualization Home Page: www.microsoft.com/virtualization Virtualization Solution Accelerators: www.microsoft.com/vsa MAP tool : http://microsoft.com/map Hyper-V Green Tool : http://hyper-green.com
    44. 44. © 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
    1. A particular slide catching your eye?

      Clipping is a handy way to collect important slides you want to go back to later.

    ×