Understanding AzMan In Hyper-V


Slide 1: Understanding AzMan in Hyper-V
Lai YoongSeng
MVP: Virtual Machine, www.ms4u.info
Technical Consultant, Redynamics
Slide 2: Agenda
Who is AzMan?
How does AzMan work?
Configure AzMan
Why use AzMan?
Auditing
Troubleshooting
Slide 3: Who is AzMan?
Not "who" but "what is AzMan?"
AzMan is short for Authorization Manager (the azman.msc MMC snap-in).
It is the GUI for editing the Hyper-V authorization store, i.e. for configuring who may perform which operations on a Hyper-V host.
The model it implements is Role Based Access Control (RBAC).
Slide 4: How AzMan Works
Access to resources is granted through role definitions, not through access control lists (ACLs).
The individual actions Hyper-V exposes are operations. Operations are grouped into tasks, tasks are collected into a role definition, and a role assignment binds users and groups to that role definition.
Hyper-V ships with only one default role: Administrator.
The built-in local Administrators group is automatically added to the Administrator role assignment.
Slide 5: Access AzMan
To access: Start | Run | type azman.msc
azman.msc is the primary method for defining and managing Hyper-V permissions.
Open the authorization store. The default Hyper-V store is the XML file %ProgramData%\Microsoft\Windows\Hyper-V\InitialStore.xml.
Slide 6: Configure AzMan
Note: back up InitialStore.xml before modifying it.
Configure a role assignment.
Example: give a non-administrator full permission on the Hyper-V server by adding that user to the Administrator role assignment.

Slide 7: Configure AzMan
Create a task. A task is a grouping of operations. Example: a "Control VM" task that contains the start, stop and restart VM operations.

Slide 8: Configure AzMan
Create a role definition to limit which operations can be performed on the Hyper-V server. Example: an "Operator" role definition that contains only the "Control VM" task.

Slide 9: Configure AzMan
Create a role assignment to bind users or groups to the role definition, and thereby to its tasks and operations.
Slide 10: Configure AzMan (demo)
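The task / role definition / role assignment procedure of slides 6 to 9, scripted against the same store with the AzRoles COM API instead of clicking through azman.msc. This is an added example, not code from the original deck or from Hyper-V; the group name and the three operation names are assumptions (the script checks the operation names against what the store actually defines before using them), and the store path and application name are the defaults of a Windows Server 2008 / 2008 R2 Hyper-V host. Run it elevated on the host.

```powershell
# Added example: slides 6-9 with the AzRoles COM API (not from the original deck).
$StorePath = 'C:\ProgramData\Microsoft\Windows\Hyper-V\InitialStore.xml'   # default Hyper-V store
$AppName   = 'Hyper-V services'        # application name Hyper-V uses inside InitialStore.xml
$Principal = 'CONTOSO\VM-Operators'    # ASSUMED domain group; replace with your own

# Slide 6's warning: back up the store before touching it.
Copy-Item -Path $StorePath -Destination ('{0}.{1}.bak' -f $StorePath, (Get-Date -Format 'yyyyMMdd-HHmmss'))

# Open the XML store read/write (flag 0 = open an existing store).
$store = New-Object -ComObject 'AzRoles.AzAuthorizationStore'
$store.Initialize(0, "msxml://$StorePath", $null)
$app = $store.OpenApplication($AppName, $null)

# Operation names must match exactly what Hyper-V registered in the store, so verify
# them instead of assuming. These three are ASSUMED to be the ones slide 7 means.
$wanted  = 'Start Virtual Machine', 'Stop Virtual Machine', 'Pause and Restart Virtual Machine'
$defined = @($app.Operations | ForEach-Object { $_.Name })
$missing = @($wanted | Where-Object { $defined -notcontains $_ })
if ($missing.Count) { throw "Store does not define operation(s): $($missing -join ', ')" }

# Slide 7: a task groups operations.
$task = $app.CreateTask('Control VM', $null)
foreach ($op in $wanted) { $task.AddOperation($op, $null) }
$task.Submit(0, $null)

# Slide 8: a role definition is stored as a task flagged IsRoleDefinition; it collects
# tasks (this is how InitialStore.xml itself represents the Administrator role).
$roleDef = $app.CreateTask('Operator', $null)
$roleDef.IsRoleDefinition = $true
$roleDef.AddTask('Control VM', $null)
$roleDef.Submit(0, $null)

# Slide 9: a role assignment binds principals to the role definition.
$role = $app.CreateRole('Hyper-V Operators', $null)
$role.AddTask('Operator', $null)          # the role definition created above
$role.AddMemberName($Principal, $null)
$role.Submit(0, $null)

# Read back what is now in the store: every role assignment and its members.
foreach ($r in $app.Roles) {
    '{0}: {1}' -f $r.Name, (@($r.MembersName) -join ', ')
}
```

The check against `$app.Operations` is the part worth keeping even if you do the rest in the GUI: a misspelled operation name is accepted silently by AzMan and simply never grants anything. If Hyper-V does not appear to honour the new assignment, restart the Virtual Machine Management service (vmms) so it reloads the store.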
Slide 11: Why use AzMan?
It is more secure: it limits which operations a given user can perform on the Hyper-V hosts.
You can secure either the entire Hyper-V host (application-level role assignments) or individual virtual machines (scopes).
Slide 12: Secure by Virtual Machine
Step 1: Create a scope in the authorization store.
Step 2: Create a role (role definition and role assignment) inside that scope.
Step 3: Assign the role to users or groups.
Step 4: Create the new VM.
Step 5: Set the scope of the VM using the four scripts below (contributed by Tony Super).
GUI? Sorry, no GUI: a VM's ScopeOfResidence can only be set through WMI.
Slide 13: Script #1: CreateVMInScope.vbs

Option Explicit
Dim WMIService
Dim VMManagementService
Dim VMName
Dim VMScope
Dim VMSystemGlobalSettingData
Dim Result

VMName = InputBox("Specify the name for the new virtual machine:")
VMScope = InputBox("Specify the scope to be used for the new virtual machine:")

' Get an instance of the WMI service in the (Server 2008 / 2008 R2) virtualization namespace.
Set WMIService = GetObject("winmgmts:\\.\root\virtualization")

' Get the VMManagementService object (there is exactly one per host).
Set VMManagementService = WMIService.ExecQuery("SELECT * FROM Msvm_VirtualSystemManagementService").ItemIndex(0)

' Initialize the global settings for the new VM.
Set VMSystemGlobalSettingData = WMIService.Get("Msvm_VirtualSystemGlobalSettingData").SpawnInstance_()

' Set the name and the AzMan scope the VM will belong to.
VMSystemGlobalSettingData.ElementName = VMName
VMSystemGlobalSettingData.ScopeOfResidence = VMScope

' Create the VM. Return value 0 = completed, 4096 = job started; anything else is an error code.
Result = VMManagementService.DefineVirtualSystem(VMSystemGlobalSettingData.GetText_(1))
WScript.Echo "DefineVirtualSystem returned " & Result
Slide 14: Script #2: DisplayVMScopes.vbs

Option Explicit
Dim WMIService
Dim VMList
Dim VM
Dim VMSystemGlobalSettingData
Dim Message

' Set up the start of the message string.
Message = "Virtual Machines and their scope of residence" & vbLf & "========================================"

' Get an instance of the virtualization WMI namespace on the local computer.
Set WMIService = GetObject("winmgmts:\\.\root\virtualization")

' Get all Msvm_ComputerSystem objects (the host itself and every VM).
Set VMList = WMIService.ExecQuery("SELECT * FROM Msvm_ComputerSystem")
For Each VM In VMList
    ' Skip the host entry, whose Caption is "Hosting Computer System".
    If VM.Caption = "Virtual Machine" Then
        Set VMSystemGlobalSettingData = VM.Associators_("Msvm_ElementSettingData", "Msvm_VirtualSystemGlobalSettingData").ItemIndex(0)
        Message = Message & vbLf & "VM: " & VM.ElementName
        Message = Message & vbLf & "Scope: " & VMSystemGlobalSettingData.ScopeOfResidence
        Message = Message & vbLf
    End If
Next
WScript.Echo Message
Slide 15: Script #3: ClearVMScope.vbs

Option Explicit
Dim WMIService
Dim VMList
Dim VM
Dim VMSystemGlobalSettingData
Dim VMManagementService
Dim Result

' Get an instance of the virtualization WMI namespace on the local computer.
Set WMIService = GetObject("winmgmts:\\.\root\virtualization")

' Get the VMManagementService object.
Set VMManagementService = WMIService.ExecQuery("SELECT * FROM Msvm_VirtualSystemManagementService").ItemIndex(0)

' Get all Msvm_ComputerSystem objects and clear the scope on every VM.
Set VMList = WMIService.ExecQuery("SELECT * FROM Msvm_ComputerSystem")
For Each VM In VMList
    If VM.Caption = "Virtual Machine" Then
        Set VMSystemGlobalSettingData = VM.Associators_("Msvm_ElementSettingData", "Msvm_VirtualSystemGlobalSettingData").ItemIndex(0)
        ' An empty ScopeOfResidence puts the VM back under the application-level role assignments only.
        VMSystemGlobalSettingData.ScopeOfResidence = ""
        Result = VMManagementService.ModifyVirtualSystem(VM.Path_.Path, VMSystemGlobalSettingData.GetText_(1))
        WScript.Echo VM.ElementName & ": ModifyVirtualSystem returned " & Result
    End If
Next
Slide 16: Script #4: ChangeVMScope.vbs

Option Explicit
Dim WMIService
Dim VM
Dim VMManagementService
Dim VMSystemGlobalSettingData
Dim VMName
Dim VMScope
Dim Result

' Set up variables for the VM we are looking for and the scope to assign it to.
VMName = InputBox("Specify the virtual machine to change scope on:")
VMScope = InputBox("Specify the new scope to be used:")

' Get an instance of the WMI service in the virtualization namespace.
Set WMIService = GetObject("winmgmts:\\.\root\virtualization")

' Get the VMManagementService object.
Set VMManagementService = WMIService.ExecQuery("SELECT * FROM Msvm_VirtualSystemManagementService").ItemIndex(0)

' Get the VM object that we want to modify (ElementName is the display name of the VM).
Set VM = WMIService.ExecQuery("SELECT * FROM Msvm_ComputerSystem WHERE ElementName='" & VMName & "'").ItemIndex(0)

' Get the Msvm_VirtualSystemGlobalSettingData of the VM we want to modify.
Set VMSystemGlobalSettingData = VM.Associators_("Msvm_ElementSettingData", "Msvm_VirtualSystemGlobalSettingData").ItemIndex(0)

' Change the ScopeOfResidence property.
VMSystemGlobalSettingData.ScopeOfResidence = VMScope

' Update the VM with ModifyVirtualSystem (0 = completed, 4096 = job started).
Result = VMManagementService.ModifyVirtualSystem(VM.Path_.Path, VMSystemGlobalSettingData.GetText_(1))
WScript.Echo "ModifyVirtualSystem returned " & Result
Slide 17: Function of Each Script (table)
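The whole slide 12 procedure in one PowerShell script: steps 1 to 3 against the authorization store with the AzRoles COM API, and step 5 through the same root\virtualization WMI namespace the four VBScripts use (Windows Server 2008 / 2008 R2). This is an added example, not from the original deck or from Tony Super's scripts. The scope name, the group and the VM name are assumptions, and an application-level role definition called "Operator" is assumed to exist already; the store path and application name are the Hyper-V defaults.

```powershell
# Added example: slide 12, steps 1-3 and 5, in PowerShell (not from the original deck).
$StorePath = 'C:\ProgramData\Microsoft\Windows\Hyper-V\InitialStore.xml'
$AppName   = 'Hyper-V services'
$ScopeName = 'Finance VMs'                      # ASSUMED scope name
$Principal = 'CONTOSO\Finance-VM-Operators'     # ASSUMED domain group
$VMName    = 'FIN-APP01'                        # ASSUMED; the VM must already exist (step 4)

$store = New-Object -ComObject 'AzRoles.AzAuthorizationStore'
$store.Initialize(0, "msxml://$StorePath", $null)
$app = $store.OpenApplication($AppName, $null)

# Step 1: create the scope if it does not exist yet (OpenScope throws when it is missing).
try   { $scope = $app.OpenScope($ScopeName, $null) }
catch { $scope = $app.CreateScope($ScopeName, $null); $scope.Submit(0, $null) }

# Steps 2-3: a role assignment INSIDE the scope. Its members get the 'Operator' role
# definition's operations only on VMs whose ScopeOfResidence equals $ScopeName.
$role = $scope.CreateRole('Finance VM Operators', $null)
$role.AddTask('Operator', $null)     # ASSUMED existing application-level role definition
$role.AddMemberName($Principal, $null)
$role.Submit(0, $null)

# Step 5: no GUI for this, so read and write ScopeOfResidence through WMI.
function Get-VMAuthorizationScope {
    Get-WmiObject -Namespace 'root\virtualization' -Class Msvm_ComputerSystem -Filter "Caption='Virtual Machine'" |
        ForEach-Object {
            $gsd = @($_.GetRelated('Msvm_VirtualSystemGlobalSettingData'))[0]
            New-Object PSObject -Property @{ VM = $_.ElementName; Scope = $gsd.ScopeOfResidence }
        }
}

function Set-VMAuthorizationScope {
    param([Parameter(Mandatory=$true)][string]$Name, [string]$Scope = '')   # '' clears the scope
    $ns   = 'root\virtualization'
    $vmms = Get-WmiObject -Namespace $ns -Class Msvm_VirtualSystemManagementService
    $vm   = Get-WmiObject -Namespace $ns -Class Msvm_ComputerSystem -Filter ("ElementName='{0}'" -f $Name.Replace("'", "\'"))
    if (-not $vm) { throw "VM '$Name' not found" }
    $gsd = @($vm.GetRelated('Msvm_VirtualSystemGlobalSettingData'))[0]
    $gsd.ScopeOfResidence = $Scope
    $res = $vmms.ModifyVirtualSystem($vm.Path.Path, $gsd.GetText([System.Management.TextFormat]::CimDtd20))
    # 0 = completed, 4096 = job started asynchronously; anything else is an error code.
    if ((0, 4096) -notcontains $res.ReturnValue) { throw "ModifyVirtualSystem returned $($res.ReturnValue)" }
}

# Refuse to stamp a scope the store does not define: a typo here silently leaves the VM
# outside every scoped role assignment you intended it to be covered by.
$definedScopes = @($app.Scopes | ForEach-Object { $_.Name })
if ($definedScopes -notcontains $ScopeName) { throw "Scope '$ScopeName' is not defined in $StorePath" }

Set-VMAuthorizationScope -Name $VMName -Scope $ScopeName
Get-VMAuthorizationScope | Format-Table VM, Scope -AutoSize
```

`Set-VMAuthorizationScope -Name FIN-APP01` with no `-Scope` does what ClearVMScope.vbs does for a single VM. The WQL filter escapes apostrophes in the VM name so a name like `O'Brien's VM` cannot break out of the query.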
Slide 18: What Happens When the Host Joins a Domain?
The Domain Admins group gets full permission to create and manage VMs on the host.
This happens because joining the domain adds Domain Admins to the local Administrators group, and that group is a member of the Administrator role assignment.
Slide 19: What Happens When the Host Is Added to VMM?
VMM creates its own copy of the store at %ProgramData%\Microsoft\Virtual Machine Manager\HyperVAuthStore.xml and points the host at it.
By default, VMM configures that store so that:
VMM Administrators are given full access to the VMs and to Hyper-V, including console access to the VMs.
VMM Delegated Administrators have no access to the VMs or to Hyper-V.
End User role members are given console access to a VM if their user role has that privilege defined.
This means that any privileges defined in the old AzMan file (InitialStore.xml) are lost once VMM takes control of the host.
When the Hyper-V host is removed from VMM management, it reverts to InitialStore.xml.
Slide 20: Auditing
Auditing must be enabled in Authorization Manager itself (on the store and the application). Both switches are needed: AzMan generates audit records only when auditing is turned on in the store, and Windows writes them to the Security log only when the matching audit policy is enabled.

Slide 21: Auditing
On a local host (XML store): use Local Security Policy | Audit Policy and enable "Audit object access".
On a domain (GPO): Computer Configuration | Windows Settings | Security Settings | Local Policies | Audit Policy, then double-click "Audit directory service access" (the category AzMan uses when the store is kept in Active Directory).
Slide 22: Troubleshooting AzMan
Refer to Event Viewer.
Open Windows Logs | Security (authorization audits).
Open Applications and Services Logs | Microsoft | Windows:
Hyper-V-VMMS (the Virtual Machine Management Service, which performs the AzMan access check)
Hyper-V-Worker (the per-VM worker process)
More information: http://technet.microsoft.com/en-us/library/dd581761(WS.10).aspx
Slide 23: Event Viewer (screenshot)
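Slides 20 to 22 as one script: turn on AzMan auditing in the store, enable the local audit category, then pull the logs the troubleshooting slide points at. This is an added example and not part of the original deck; the store path and application name are the Hyper-V defaults, the time windows are arbitrary, and it assumes a local XML store (for a store in Active Directory the audit category is "Directory Service Access" instead). Run it elevated.

```powershell
# Added example: slides 20-22 in PowerShell (not from the original deck).
$StorePath = 'C:\ProgramData\Microsoft\Windows\Hyper-V\InitialStore.xml'

# Slide 20: auditing has to be switched on inside the store, at store and application level.
$store = New-Object -ComObject 'AzRoles.AzAuthorizationStore'
$store.Initialize(0, "msxml://$StorePath", $null)
$store.GenerateAudits = $true
$store.Submit(0, $null)
$app = $store.OpenApplication('Hyper-V services', $null)
$app.GenerateAudits = $true
$app.Submit(0, $null)

# Slide 21, local host: the command-line equivalent of Local Security Policy | Audit Policy |
# Audit object access. The second call shows the resulting setting.
auditpol /set /category:"Object Access" /success:enable /failure:enable
auditpol /get /category:"Object Access"

# Slide 22: recent warnings (level 3) and errors (level 2) from the VMMS and Worker admin logs.
$logs = 'Microsoft-Windows-Hyper-V-VMMS-Admin', 'Microsoft-Windows-Hyper-V-Worker-Admin'
Get-WinEvent -FilterHashtable @{ LogName = $logs; Level = 2, 3; StartTime = (Get-Date).AddDays(-1) } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, LogName, Id, Message | Format-Table -AutoSize -Wrap

# Security log: failure audits of the last hour (keyword 0x10000000000000 is "Audit Failure").
# Access-check failures that AzMan audits land here once both switches above are on.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Keywords = 0x10000000000000; StartTime = (Get-Date).AddHours(-1) } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-Table -AutoSize -Wrap
```

The quickest sanity test is to run an operation you expect to be denied as a member of a restricted role (for example stopping a VM outside that role's scope) and confirm it shows up both as a VMMS error and as a Security failure audit; if only the VMMS entry appears, one of the two auditing switches is still off.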
Slide 24: Summary
AzMan is Role Based Access Control (RBAC) security for Hyper-V.

Slide 25: Questions & Answers
Post on the MVUG page on Facebook.

Resources
Understand more about AzMan:
http://technet.microsoft.com/en-us/library/cc726036(WS.10).aspx
http://blogs.technet.com/b/m2/archive/2009/01/12/azman-permissions-for-vmm-managed-hyper-v-hosts.aspx
http://blogs.technet.com/b/jhoward/archive/2009/08/31/explaining-the-hyper-v-authorization-model-part-one.aspx
http://blogs.technet.com/b/jhoward/archive/2009/09/02/explaining-the-hyper-v-authorization-model-part-two.aspx
http://blogs.technet.com/b/jhoward/archive/2009/09/09/explaining-the-hyper-v-authorization-model-part-three.aspx
http://blogs.technet.com/b/jhoward/archive/2009/09/18/explaining-the-hyper-v-authorization-model-part-four.aspx
MVUG (Malaysia Virtualization User Group): join us!
http://www.facebook.com/group.php?gid=216237734803 (or search "MVUG" in Facebook)
Lai's blog (virtualization, System Center and related topics):
http://www.ms4u.info
