Security best practices for hyper v and server virtualisation [svr307]



  1.

  2. Microsoft Assessment & Planning Toolkit 5.0 Customer Technology Preview (announcing)

  3. MAP: User Interface & Reports; Server Migration & Virtualization Candidates
      Windows Server 2008
      Virtualization
      Windows 7
      Heterogeneous server environment inventory: Linux, Unix & VMware

  4. Windows 7 & Server 2008 R2 HW & Device Compatibility Assessment

  5. Speed up Planning with Actionable Proposals and Assessments

  6. Collect Inventory of Servers, Desktops and Applications Agentlessly

  7. Offers Recommendations for Server/Application Virtualization

  8. Works with the Virtualization ROI Tool to generate ROI calculations

  9. More on MAP:
      Visual Studio Team System 2010 Lab Management Beta 2 (announcing)

  10. VSTS Lab Management Beta 2
      Scenarios
        Create and manage virtual or physical environments
        Take environment snapshots or revert to existing snapshots for virtual environments
        Interact with the virtual machines in the environments through the environment viewer
        Define test settings for the environments
      New Beta 2 features
        Simplified environment creation & edit experience
        Full-screen environment viewer
        Out-of-the-box template for the application build-deploy-test workflow
        Network isolation with support for domain controller virtual machines
        "In-Use" support for shared environments

  11. VSTS "Environments"
      A typical multi-tier application consists of multiple roles: database server, web server, client, etc.
      An environment is the set of roles required to run a specific application, plus the lab machines to be used for each role.
      Managing environments for multi-tier applications is an error-prone task today; replicating the same environment at the same or another site is an even bigger problem.

  12. Windows Server 2008 R2 Hyper-V Security & Best Practices
      Jeff Woolsey, Principal Group Program Mgr, Windows Server, Hyper-V
      SVR307

  13. Agenda
      Virtualization Requirements
      Hyper-V Security
      Hyper-V & Storage
      Windows Server 2008 R2: SCONFIG
      Designing a Windows Server 2008 Hyper-V & System Center Infrastructure
      Deployment Considerations
      Best Practices & Tips and Tricks
      Microsoft Hyper-V Server 2008 R2

  14. Virtualization Requirements
      Scheduler
      Memory Management
      VM State Machine
      Virtualized Devices
      Storage Stack
      Network Stack
      Ring Compression (optional)
      Drivers
      Management API

  15. Hyper-V Architecture (Virtualization Stack)
      [Architecture diagram] Ring -1: the Windows hypervisor, on server hardware. Ring 0 (kernel mode): the parent partition runs the Windows kernel, device drivers, Virtualization Service Providers (VSPs) and VMBus; each child partition runs its OS kernel, Virtualization Service Clients (VSCs), enlightenments and VMBus. Ring 3 (user mode): the parent partition runs the VM Service, VM worker processes and the WMI provider; child partitions run guest applications. Components are provided by the rest of Windows (Server Core), by Hyper-V, and by ISVs.

  16. Virtualization Attacks
      [Same architecture diagram as slide 15, annotated with attackers located in a child partition (guest applications, OS kernel, VSCs, enlightenments, VMBus), with the hypervisor, VMBus and the parent partition's VSPs, VM service and worker processes as the components they would have to go through]

  17. What if there was no parent partition?
      No defense in depth
      Entire hypervisor running in the most privileged mode of the system
      [Diagram: three virtual machines, each with user mode (ring 3) and kernel mode (ring 0), above a ring -1 hypervisor that contains the scheduler, memory management, storage stack, network stack, VM state machine, virtualized devices, drivers and management API, on top of the hardware]

  18. Hyper-V Hypervisor
      Defense in depth
      Hyper-V doesn't use ring compression; it uses hardware virtualization (Intel VT / AMD-V) instead
      Further reduces the attack surface
      [Diagram: the ring -1 hypervisor holds only the scheduler and memory management; the VM state machine, virtualized devices and management API run in the parent partition's user mode (ring 3), and the storage stack, network stack and drivers run in its kernel mode (ring 0), alongside the virtual machines, on top of the hardware]
  19. Hyper-V Security

  20. Security Assumptions
      Guests are untrusted
      Trust relationships
        The parent must be trusted by the hypervisor
        The parent must be trusted by the children
      Code in guests can run in all available processor modes, rings, and segments
      The hypercall interface will be well documented and widely available to attackers
      All hypercalls can be attempted by guests
      Guests can detect that they are running on a hypervisor
        We'll even give you the version
      The internal design of the hypervisor will be well understood

  21. Security Goals
      Strong isolation between partitions
      Protect the confidentiality and integrity of guest data
      Separation
        Unique hypervisor resource pools per guest
        Separate worker processes per guest
        Guest-to-parent communications over unique channels
      Non-interference
        Guests cannot affect the contents of other guests, the parent, or the hypervisor
        Guest computations are protected from other guests
        Guest-to-guest communications are not allowed through VM interfaces

  22. Hyper-V & SDL
      Hypervisor built with:
        Stack guard cookies (/GS)
        Address Space Layout Randomization (ASLR)
        Hardware Data Execution Prevention: No Execute (NX) on AMD, Execute Disable (XD) on Intel
        Code pages marked read-only
        Memory guard pages
        Hypervisor binary is signed
      Entire stack through SDL:
        Threat modeling
        Static analysis
        Fuzz testing & penetration testing

  23. Hyper-V Security Model
      Uses Authorization Manager (AzMan)
        Fine-grained authorization and access control
        Department- and role-based
        Segregate who can manage groups of VMs
        Define specific functions for individuals or roles: start, stop, create, add hardware, change drive image
        VM administrators don't have to be Server 2008 administrators
      Guest resources are controlled by per-VM configuration files
      Shared resources are protected
        Read-only (CD ISO file)
        Copy-on-write (differencing disks)
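The AzMan model above is only as good as the role assignments actually sitting in the store, so the first thing a reviewer wants is a dump of who holds which Hyper-V role and what each role can do. The following PowerShell script is an added example, not part of the deck and not Microsoft's code: it opens the Hyper-V authorization store through the AzMan COM interface (AzRoles.AzAuthorizationStore) and reports roles, members and operations, flagging roles assigned to broad built-in groups. It assumes a Windows Server 2008/2008 R2 Hyper-V host; the default store URL and application name ("Hyper-V services") are fallbacks used only if the StoreLocation and ServiceApplication registry values are absent, and the list of "broad" groups is an assumption you should adjust to your environment.

```powershell
# Added example (not from the deck): audit the Hyper-V AzMan authorization store.
# Assumes Windows Server 2008/2008 R2 Hyper-V; store URL and application name are
# read from the registry, falling back to the product defaults.
$virtKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization'
$reg      = Get-ItemProperty -Path $virtKey -ErrorAction SilentlyContinue
$storeUrl = 'msxml://C:\ProgramData\Microsoft\Windows\Hyper-V\InitialStore.xml'
$appName  = 'Hyper-V services'
if ($reg -and $reg.StoreLocation)      { $storeUrl = $reg.StoreLocation }
if ($reg -and $reg.ServiceApplication) { $appName  = $reg.ServiceApplication }

$store = New-Object -ComObject AzRoles.AzAuthorizationStore
$store.Initialize(0, $storeUrl, $null)          # flags 0 = open the existing store, never create one
$app = $store.OpenApplication($appName, $null)

# Assumption: groups whose membership in any Hyper-V role hands out far more control than intended
$broad = @('Everyone', 'Authenticated Users', 'Users', 'Domain Users')

foreach ($role in $app.Roles) {
    # Operations granted directly to the role, plus those granted through its tasks
    $opNames = @($role.Operations)
    foreach ($taskName in @($role.Tasks)) {
        $opNames += @($app.OpenTask($taskName, $null).Operations)
    }
    $members = @($role.MembersName)               # account names; $role.Members would give SIDs
    $note = ''
    foreach ($m in $members) {
        if ($broad -contains ($m -replace '^.*\\', '')) { $note = 'REVIEW: broad group assigned' }
    }
    New-Object PSObject -Property @{
        Role       = $role.Name
        Members    = ($members -join ', ')
        Operations = (@($opNames | Sort-Object -Unique) -join ', ')
        Note       = $note
    }
}
```

Run it from an elevated prompt on the host (the store is only readable by administrators). Pipe the output to Export-Csv and diff it against the previous run to catch role assignments that drift away from the "VM admins are not server admins" separation the slide describes.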
  24. BitLocker: Persistent Protection
      Mitigating against external threats
        Very real threat of data theft when a system is stolen, lost, or otherwise compromised (hacker tools exist!)
        Decommissioned systems are not guaranteed clean
        Increasing regulatory compliance requirements on storage devices drive safeguards (HIPAA, SBA, PIPEDA, GLBA, etc.)
      BitLocker Drive Encryption support in Windows Server 2008/2008 R2
        Addresses leading external threats by combining drive-level encryption with boot process integrity validation
        Leverages Trusted Platform Module (TPM) technology (hardware module)
        Integrates with the enterprise ecosystem, maintaining keys in Active Directory
      Protects data while a system is offline
        The entire Windows volume is encrypted (including hibernation and page files)
        Delivers umbrella protection to applications (on the encrypted volume)
      Ensures boot process integrity
        Protects against rootkits and boot sector viruses
        Automatically locks the system when tampering occurs
      Simplifies equipment recycling
        One-step data wipe: deleting the access keys renders the disk drive useless

  25. Physical Security
      Device installation group policies: "no removable devices allowed on this system"
      BitLocker: encrypts drives, securing laptops and branch office servers
      BitLocker To Go: encrypts removable devices like USB sticks
        Includes group policies that say, "don't let the user save data onto a USB stick unless the stick's been encrypted"

  26. McAfee: VirusScan Enterprise for Offline Virtual Images
      Reduce IT management overhead for virtual environments: anti-malware security profiles of offline virtual machines are updated automatically without having to bring the virtual machines online, reducing the risk of infecting the rest of the virtual environment.
      Ensure security for virtual machines: automatically scan, clean and update virtual machines while offline, to eliminate the risk of dormant virtual machines threatening the corporate network.
      Achieve efficiencies with security management: minimize IT effort and reduce operating costs with common security management for both physical and virtual environments.
      Improve disaster recovery: ensure that backup virtual images are up to date with respect to malware signatures before they go into production.
  27. VHD Performance

  28. Hyper-V R1 Performance
      Focused on fixed disk performance
      Why? Allocating storage resources up front prevents surprises
      Result:
        Excellent near-native performance for fixed VHDs
        Dynamic VHD performance had room for improvement
      Let's take a look at R2 performance...

  29. Fixed VHD vs Raw Disk Throughput Comparison

  30. Fixed VHD vs Raw Disk Latency Comparison

  31. WS2008 vs WS2008 R2 Dynamic VHD Throughput Comparison
      Up to 15x performance improvement with R2

  32. Dynamic VHD vs Raw Disk Throughput Comparison

  33. Dynamic VHD vs Raw Disk Latency Comparison

  34. VHD Types Throughput Comparison

  35. VHD Types Latency Comparison

  36. Hyper-V R2 Storage Key Takeaways
      Fixed disks are on par with native disk performance
      Dynamic and differencing disks are up to 15x faster than in Hyper-V R1, with roughly a 15% performance delta from native

  37. Multi-Path I/O (MPIO) & Advanced Storage

  38. Multipath I/O (MPIO)
      What is it?
        Provides a logical facility for routing I/O over redundant hardware paths connecting the server to storage
        Works with a variety of storage types (iSCSI, SCSI, SAS, Fibre Channel)
        Many hardware vendors provide MPIO-capable drivers
      How do I enable it?
        Windows Server 2008 Full: Server Manager -> Features
        Windows Server 2008 Core: start /w ocsetup MultipathIo

  39. Enabling MPIO with iSCSI
      Open iscsicpl.exe (iSCSI configuration)
      Set up (discover) two connections to the iSCSI target
      Open mpiocpl.exe (MPIO configuration)
      On the Discover Multi-Paths tab, check "Add support for iSCSI devices"
      In iscsicpl.exe, on the Targets tab, click Connect
      Check "Enable multi-path"
      Under Advanced, specify the Target Portal IP
      Repeat, choosing the other Target Portal IP
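The two slides above describe the MPIO-for-iSCSI setup as a sequence of control-panel clicks; on a Server Core host, or across a fleet, you want the same thing scripted and then checked. The following PowerShell is an added example, not from the deck and not Microsoft's own script: it enables the feature, registers the iSCSI bus type with MPIO (the command-line equivalent of "Add support for iSCSI devices"), discovers the target through two portals, logs in through each with the multipath login flag, and then counts sessions and MPIO disks. It assumes Windows Server 2008 R2 with the iSCSI Initiator service running; the portal addresses, target IQN and TCP port 3260 are placeholders, and the positional `PersistentLoginTarget` argument list is written from Microsoft's documented `iscsicli` syntax (`*` selects the default for each field, `0x2` is the multipath login flag), which you should confirm against `iscsicli` help on your build before relying on it.

```powershell
# Added example (not from the deck): scripted equivalent of slides 38-39 plus a
# verification step. Assumes Windows Server 2008 R2; addresses and IQN are placeholders.
Import-Module ServerManager
Add-WindowsFeature Multipath-IO | Out-Null    # Server Core equivalent: start /w ocsetup MultipathIo

# Same effect as "Add support for iSCSI Devices" on the Discover Multi-Paths tab.
# MSFT2005iSCSIBusType_0x9 is the hardware ID MPIO uses to claim iSCSI disks;
# -n suppresses the reboot that -r would trigger, so reboot before trusting the claim.
mpclaim -n -i -d "MSFT2005iSCSIBusType_0x9"

# Discover the target through both portals (placeholder addresses)
$portals = @('192.0.2.10', '192.0.2.11')
foreach ($p in $portals) { iscsicli QAddTargetPortal $p | Out-Null }
$iqn = 'iqn.2009-01.com.example:storage.target0'   # placeholder; list real ones with: iscsicli ListTargets

# One persistent login per portal with login flag 0x2 (multipath enabled), which is
# what the "Enable multi-path" checkbox sets. Field order (assumption, per Microsoft's
# iscsicli syntax): TargetName ReportToPNP PortalAddress PortalSocket InitiatorInstance
# PortNumber SecurityFlags LoginFlags HeaderDigest DataDigest MaxConnections
# DefaultTime2Wait DefaultTime2Retain Username Password AuthType Key MappingCount
foreach ($p in $portals) {
    iscsicli PersistentLoginTarget $iqn T $p 3260 * * * 0x2 * * * * * * * * * 0 | Out-Null
}

# Verify: one session per portal, and the disk must show up as an MPIO disk.
# If only one session exists, MPIO has nothing to fail over to and you have a single path.
$sessionCount = @(iscsicli SessionList | Where-Object { $_ -match 'Session Id' }).Count
"iSCSI sessions to initiator: $sessionCount (expected $($portals.Count))"
mpclaim -s -d        # summary of MPIO disks; mpclaim -s -d <n> lists the paths of disk n
```

The verification lines are the part worth keeping in a build checklist: a host that silently fell back to a single path still works, so only a session and path count tells you the redundancy the slide is after is actually present.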
  40. iSCSI Quick Connect (new in Windows 7/Windows Server 2008 R2)

  41. Advanced Storage Capabilities
      Is there a Hyper-V storage certification?
      What about storage de-duplication?
      What about storage replication?
      Hyper-V is compatible with block-based de-duplication and replication solutions that are certified for Windows Server 2008/2008 R2
      Solutions from NetApp, HP, EMC, Hitachi, NEC, Compellent and more...
  42. Hyper-V Networking

  43. Hyper-V Networking
      Don't forget the parent is a VM
      Two physical network adapters at minimum
        One for management
        One (or more) for VM networking
        Dedicated NIC(s) for iSCSI
      Connect the parent to a back-end management network
      Only expose guests to internet traffic

  44. Hyper-V Network Configurations
      Example 1: the physical server has 4 network adapters
        NIC 1: assigned to the parent partition for management
        NICs 2/3/4: assigned to virtual switches for virtual machine networking
        Storage is non-iSCSI, such as direct attach, SAS or Fibre Channel

  45. Hyper-V Setup & Networking 1

  46. Hyper-V Setup & Networking 2

  47. Hyper-V Setup & Networking 3

  48. Each VM on its own Switch...
      [Diagram of example 1: NIC 1 is the parent partition's management NIC; NICs 2, 3 and 4 each back one virtual switch (VSwitch 1, 2, 3), with one VM per switch (two Windows Server 2008 guests and one Linux guest), connected through VSC/VMBus/VSP over the Windows hypervisor (ring -1) on "Designed for Windows" server hardware]

  49. Hyper-V Network Configurations
      Example 2: the server has 4 physical network adapters
        NIC 1: assigned to the parent partition for management
        NIC 2: assigned to the parent partition for iSCSI
        NICs 3/4: assigned to virtual switches for virtual machine networking

  50. Hyper-V Setup, Networking & iSCSI

  51. Now with iSCSI...
      [Diagram of example 2: NIC 1 is the parent's management NIC and NIC 2 is dedicated to iSCSI in the parent partition; NICs 3 and 4 back VSwitch 1 and VSwitch 2 for the three VMs]

  52. Legacy vs. Synthetic NIC
      Legacy network adapter
        Up to 4 per virtual machine
        Pros: needed for PXE/RIS/WDS installation
        Cons: slow
      Synthetic network adapter
        Up to 8 per virtual machine!
        Pros: blazing fast
      Both:
        Support VLANs
        Dynamic or static MAC addresses

  53. Hyper-V R2 Networking with VMQ

  54. Virtualized Network I/O Data Path Without VMQ
      [Diagram: every received packet goes from the NIC through the miniport driver into the parent partition's virtual machine switch (VSP), which does routing, VLAN filtering and a data copy in software before delivering it over VMBus to the virtual NIC of VM1 or VM2]

  55. Networking Virtual Machine Queues
      Hyper-V uses virtual machine queue (VMQ) support in new NICs to offload processing to hardware
      VMQ operation:
        Each VM is assigned a hardware-managed receive queue
        The hardware performs the MAC address lookup and VLAN ID validation
        Received packets are placed in the appropriate queue
        Queues are mapped into the VM's address space to avoid copy operations

  56. Network I/O Data Path With VMQ
      [Diagram: the NIC's switch/routing unit places received packets into per-VM hardware queues (Q1, Q2, plus a default queue), so the routing, VLAN filtering and data copy previously done in the parent partition's virtual switch are offloaded and the queues feed the VMs' virtual NICs over VMBus]

  57. VMQ Partner Support
      Intel: Gigabit ET/EF, dual port ~$170
      Alacritech
      Broadcom
      Neterion
      ServerEngines
      Solarflare
      ...and many more...
  58. Windows Server 2008 R2: SCONFIG

  59. Windows Server Core
      Windows Server is frequently deployed for a single role
      Earlier Windows Server releases required deploying and servicing the entire OS
      Server Core: minimal installation option
        Provides essential server functionality
        Command-line interface only, no GUI shell
      Benefits
        Less code results in fewer patches and a reduced servicing burden
        Low-surface-area server for targeted roles
      Windows Server 2008 feedback: love it, but... steep learning curve
      Windows Server 2008 R2: introducing "SCONFIG"

  60. Windows Server Core
      Server Core: CLI

  61. Easy Server Configuration

  62. DEMO

  63. Manage Remotely...

  64. Hyper-V MMC for Win 7
      Install the Win 7 RSAT
      Turn Windows features on/off
        Under Remote Server Admin Tools: Failover Clustering Tools, Hyper-V Tools
      Go to Start Menu -> Admin Tools
  65. Hyper-V Best Practices

  66. Deployment
      Minimize risk to the parent partition
        Use Server Core
        Don't run arbitrary apps, no web surfing
        Run your apps and services in guests
      Two physical 1 GbE network adapters at minimum
        One for management (use a VLAN too)
        One (or more) for VM networking
        Dedicated NIC(s) for iSCSI
      Connect the parent to a back-end management network
      Only expose guests to internet traffic

  67. Windows Server 2003 Cluster Creation

  68. Cluster Hyper-V Servers

  69. Use Cluster Shared Volumes
      Hyper-V high availability and migration scenarios are supported by the new Cluster Shared Volumes in Windows Server 2008 R2
        Concurrent access to a single file system
        Technology within the Failover Cluster feature
        Single consistent namespace
        Compatible: NTFS volume
      Simplified LUN management
        Multiple data stores supported
      Enhanced storage availability due to built-in redundancy
      Scalable, as I/O is written directly by each node to the shared volume
      Transparent to the VM
      [Diagram: several VHDs on a single volume on the SAN]

  70. Don't forget the ICs! Emulated vs. VSC

  71. Installing Integration Components

  72. Hyper-V & Localization...

  73. Hyper-V/AV Software Configuration
      Host: if you are running antivirus software on the physical server, exclude from active scanning:
        the vmms.exe and vmwp.exe processes
        the directories that contain the virtual machine configuration files and virtual hard disks
      An added benefit of using pass-through disks in your virtual machines is that you can use the antivirus software running on the physical server to protect that virtual machine
      Guest: run AV within the guest
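The exclusion list on the slide is easy to state and easy to get wrong on a host where VMs were created with non-default paths, so it is worth generating from the host's actual configuration rather than typing it in. The following PowerShell is an added example, not from the deck and not Microsoft's code: it reads the Hyper-V default data and VHD paths from the registry, adds the per-VM configuration and snapshot roots and the directory of every attached VHD from the Hyper-V WMI provider, and returns the process and directory exclusions for you to apply in your AV product (applying them is product-specific and not shown). It assumes Windows Server 2008/2008 R2, where the provider lives in the root\virtualization namespace; the class and property names used are the v1 provider's.

```powershell
# Added example (not from the deck): build the host antivirus exclusion list
# from the Hyper-V configuration. Assumes Windows Server 2008/2008 R2
# (root\virtualization WMI namespace).
function Get-HyperVAvExclusions {
    $virtKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization'
    $reg  = Get-ItemProperty -Path $virtKey
    $dirs = @($reg.DefaultExternalDataRoot, $reg.DefaultVirtualHardDiskPath)

    # Per-VM configuration and snapshot roots (these can differ from the defaults)
    Get-WmiObject -Namespace root\virtualization -Class Msvm_VirtualSystemGlobalSettingData |
        ForEach-Object { $dirs += $_.ExternalDataRoot; $dirs += $_.SnapshotDataRoot }

    # Every VHD attached to a VM: for a disk resource, Connection[0] is the file path
    Get-WmiObject -Namespace root\virtualization -Class Msvm_ResourceAllocationSettingData |
        Where-Object { $_.ResourceSubType -eq 'Microsoft Virtual Hard Disk' -and $_.Connection } |
        ForEach-Object { $dirs += Split-Path -Parent $_.Connection[0] }

    New-Object PSObject -Property @{
        # VM Management Service and VM Worker Process, as on the slide
        ProcessExclusions   = @('vmms.exe', 'vmwp.exe')
        DirectoryExclusions = @($dirs | Where-Object { $_ } | Sort-Object -Unique)
    }
}

$ex = Get-HyperVAvExclusions
'Process exclusions:';   $ex.ProcessExclusions
'Directory exclusions:'; $ex.DirectoryExclusions
```

Re-run it whenever VMs are added or storage is moved, because a VHD created outside the excluded directories gets scanned (and can get locked) by the host scanner. The flip side is the slide's last line: nothing inside an excluded directory is inspected by the host, so the AV running inside each guest is the only control over the contents of those VHDs.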
  74. Storage
      BitLocker
        Great for branch office
      VHDs
        Use fixed virtual hard disks in production
        VHD compaction/expansion: run it on a non-production system
      Use .isos
        Great performance
        Can be mounted and unmounted remotely
        A physical DVD can't be shared across multiple VMs
        Having them in the SCVMM Library is fast & convenient

  75. Jumbo Frames
      Offers significant performance gains for TCP connections, including iSCSI
      Max frame size 9K
      Reduces TCP/IP overhead by up to 84%
      Must be enabled at all end points (switches, NICs, target devices)
        The virtual switch is defined as an end point
        The virtual NIC is defined as an end point

  76. Jumbo Frames in Hyper-V R2
      Added support in the virtual switch
      Added support in the virtual NIC
      Integration components required
      How to validate that jumbo frames are configured end to end:
        ping -n 1 -l 8000 -f <hostname>
        -l (length)
        -f (don't fragment the packet into multiple Ethernet frames)
        -n (count)
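The ping test above gives a yes/no answer; when it fails you usually want to know which size does pass, because that points at the hop (physical switch, virtual switch, virtual NIC or target) that was left at 1500. The following PowerShell is an added example, not from the deck: it wraps the slide's command in a function and adds a binary search for the largest payload that crosses the path with DF set. The target hostname is a placeholder, and the payload sizes exclude the 28 bytes of IP and ICMP headers, so a path with a standard 1500-byte MTU tops out at a 1472-byte payload.

```powershell
# Added example (not from the deck): validate jumbo frames end to end with the
# slide's ping test, then find the largest unfragmented payload if it fails.
function Test-PingPayload {
    param([string]$ComputerName, [int]$PayloadBytes)
    $out = & ping.exe -n 1 -l $PayloadBytes -f $ComputerName 2>&1 | Out-String
    # A reply line containing "bytes=<n>" means the frame crossed every hop unfragmented;
    # "Packet needs to be fragmented but DF set." means some hop has a smaller MTU.
    return [bool]($out -match 'bytes=\d+' -and $out -notmatch 'fragmented')
}

function Find-MaxPayload {
    param([string]$ComputerName, [int]$Low = 1400, [int]$High = 9000)
    if (Test-PingPayload $ComputerName $High) { return $High }
    if (-not (Test-PingPayload $ComputerName $Low)) { return 0 }   # basic reachability problem
    while ($High - $Low -gt 1) {                                     # invariant: Low passes, High fails
        $mid = [int][math]::Floor(($Low + $High) / 2)
        if (Test-PingPayload $ComputerName $mid) { $Low = $mid } else { $High = $mid }
    }
    return $Low
}

$target = 'iscsi-target.example.com'   # placeholder: a host on the far side of the jumbo path
if (Test-PingPayload -ComputerName $target -PayloadBytes 8000) {
    "Jumbo frames are configured end to end to ${target}: 8000-byte payload passed with DF set"
} else {
    $max = Find-MaxPayload -ComputerName $target
    "Jumbo path to $target is not end to end: largest unfragmented payload is $max bytes (+28 bytes of headers)"
}
```

Run it from the parent partition against the iSCSI target to check the storage path, and from inside a guest (integration components installed, as the slide notes) to check the virtual NIC and virtual switch; a result of 1472 from the guest but 8000 from the parent isolates the problem to the virtual side.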
  77. More Tips...
      Mitigate bottlenecks: processors, memory, storage, networking
      Turn off screen savers in guests
      Windows Server 2003: create VMs with 2 virtual processors (2-way) to ensure a multiprocessor (MP) HAL

  78. Creating Virtual Machines
      Use the SCVMM Library
      Templates help standardize configurations
      Steps:
        Create the virtual machine
        Install the guest operating system & latest SP
        Install integration components
        Install anti-virus
        Install management agents
        SYSPREP
        Add it to the VMM Library
  79. Microsoft Hyper-V Server R2

  80. Microsoft Hyper-V Server R2: New Features
      Live Migration
      High Availability
      New processor support
        Second Level Address Translation
        Core Parking
      Networking enhancements
        TCP/IP offload support
        VMQ & jumbo frame support
      Hot add/remove virtual storage
      Enhanced scalability
      Free download:
      Microsoft Virtualization: Customers Win
        Timeline: November 2005, June 2008, July 2009
        Greater performance, high availability built in, live migration built in, more capabilities, increased scalability, ready for next-gen servers

  81. Online Resources
      Microsoft Virtualization Home / Case Studies from customers around the world
      Windows Server Virtualization Blog Site
      Windows Server Virtualization TechNet Site
      MSDN & TechNet Powered by Hyper-V
      Virtualization Solution Accelerators
      How to install the Hyper-V role
      Windows Server 2008 Hyper-V Performance Tuning Guide
      Using Hyper-V & BitLocker White Paper
  82. Related Content
      MGT220 - Virtualization 360: Microsoft Virtualization Strategy, Products, and Solutions for the New Economy
      SVR314 - From Zero to Live Migration. How to Set Up a Live Migration
      SVR308 - Storage and Hyper-V: The Choices You Can Make and the Things You Need to Know
      SVR307 - Security Best Practices for Hyper-V and Server Virtualization
      SVR09-IS - Windows Server 2008 R2 Hyper-V Deployment Considerations
  83. Resources
      TechEd 2009 is not producing a DVD; attendees can access session recordings at TechEd Online.
      Sessions On-Demand & Community
      Microsoft Certification & Training Resources
      Resources for IT Professionals
      Resources for Developers
  84. Complete an evaluation on CommNet and enter to win an Xbox 360 Elite!