
Security best practices for hyper v and server virtualisation [svr307]



  2. Announcing: Microsoft Assessment & Planning Toolkit 5.0 Customer Technology Preview
  3. MAP: User Interface & Reports
      Server Migration & Virtualization Candidates: Windows Server 2008, Virtualization, Windows 7
      - Heterogeneous Server Environment Inventory: Linux, Unix & VMware
      - Windows 7 & Server 2008 R2 HW & Device Compatibility Assessment
      - Speed up Planning with Actionable Proposals and Assessments
      - Collect Inventory of Servers, Desktops and Applications Agentlessly
      - Offers Recommendations for Server/Application Virtualization
      - Works with the Virtualization ROI Tool to generate ROI calculations
      - More on MAP:
  9. Announcing: Visual Studio Team System 2010 Lab Management Beta 2
  10. VSTS Lab Management Beta 2
      Scenarios:
      - Create and manage virtual or physical environments
      - Take environment snapshots or revert to existing snapshots for virtual environments
      - Interact with the virtual machines in the environments through the environment viewer
      - Define test settings for the environments
      New Beta 2 Features:
      - Simplified environment creation & edit experience
      - Full-screen environment viewer
      - Out-of-the-box template for the application build-deploy-test workflow
      - Network isolation with support for domain controller virtual machines
      - "In-Use" support for shared environments
  11. VSTS "Environments"
      A typical multi-tier application consists of multiple roles: database server, web server, client, etc.
      An environment is a set of roles that are required to run a specific application, plus the lab machines to be used for each role.
      Managing environments for multi-tier applications is an error-prone task today; replicating the same environment at the same or another site is an even bigger problem.
  12. Windows Server 2008 R2 Hyper-V Security & Best Practices
      Jeff Woolsey, Principal Group Program Manager, Windows Server, Hyper-V
      SVR307
  13. Agenda
      - Virtualization Requirements
      - Hyper-V Security
      - Hyper-V & Storage
      - Windows Server 2008 R2: SCONFIG
      - Designing a Windows Server 2008 Hyper-V & System Center Infrastructure
      - Deployment Considerations
      - Best Practices & Tips and Tricks
      - Microsoft Hyper-V Server 2008 R2
  14. Virtualization Requirements
      - Scheduler
      - Memory Management
      - VM State Machine
      - Virtualized Devices
      - Storage Stack
      - Network Stack
      - Ring Compression (optional)
      - Drivers
      - Management API
  15. Hyper-V Architecture: Virtualization Stack
      [Architecture diagram: server hardware at the bottom, the Windows hypervisor directly above it. The parent partition (Server Core) runs the Virtualization Service Providers (VSPs), the Windows kernel and device drivers in Ring 0 (kernel mode), and the VM worker processes, WMI provider and VM Service in Ring 3 (user mode). Each child partition runs the guest OS kernel with Virtualization Service Clients (VSCs) and enlightenments in Ring 0 and guest applications in Ring 3. Parent and children communicate over VMBus. Each component is marked as provided by the rest of Windows, by Hyper-V, or by an ISV.]
  16. Virtualization Attacks
      [Same architecture diagram with a "Hackers" label placed at the child partition (guest applications and guest OS kernel); the VSCs, enlightenments and VMBus, i.e. the guest-to-parent channel, are repeated in the slide as the highlighted surface.]
  17. What if there was no parent partition?
      - No defense in depth
      - Entire hypervisor running in the most privileged mode of the system
      [Diagram: three virtual machines, each with user mode (Ring 3) and kernel mode (Ring 0); everything else, the scheduler, memory management, storage stack, network stack, VM state machine, virtualized devices, drivers and management API, lives in Ring -1 directly on the hardware.]
  18. Hyper-V Hypervisor
      - Defense in depth
      - Hyper-V doesn't use ring compression; it uses hardware (Intel VT / AMD-V) instead
      - Further reduces the attack surface
      [Diagram: only the scheduler and memory management run in Ring -1. The parent partition hosts the VM state machine, virtualized devices and management API in Ring 3 (user mode) and the storage stack, network stack and drivers in Ring 0 (kernel mode), alongside the virtual machines, each with its own Ring 3 and Ring 0.]
  19. Hyper-V Security
  20. Security Assumptions
      - Guests are untrusted
      - Trust relationships:
        - Parent must be trusted by the hypervisor
        - Parent must be trusted by children
      - Code in guests can run in all available processor modes, rings, and segments
      - The hypercall interface will be well documented and widely available to attackers
      - All hypercalls can be attempted by guests
      - Guests can detect that they are running on a hypervisor (we'll even give you the version)
      - The internal design of the hypervisor will be well understood
  21. Security Goals
      - Strong isolation between partitions
      - Protect confidentiality and integrity of guest data
      - Separation:
        - Unique hypervisor resource pools per guest
        - Separate worker processes per guest
        - Guest-to-parent communications over unique channels
      - Non-interference:
        - Guests cannot affect the contents of other guests, the parent, or the hypervisor
        - Guest computations protected from other guests
        - Guest-to-guest communications not allowed through VM interfaces
  22. Hyper-V & SDL
      Hypervisor built with:
      - Stack guard cookies (/GS)
      - Address Space Layout Randomization (ASLR)
      - Hardware Data Execution Prevention: No Execute (NX) on AMD, Execute Disable (XD) on Intel
      - Code pages marked read-only
      - Memory guard pages
      - Hypervisor binary is signed
      Entire stack through SDL:
      - Threat modeling
      - Static analysis
      - Fuzz testing & penetration testing
  23. Hyper-V Security Model
      - Uses Authorization Manager (AzMan): fine-grained authorization and access control
        - Department- and role-based
        - Segregate who can manage groups of VMs
        - Define specific functions for individuals or roles: start, stop, create, add hardware, change drive image
        - VM administrators don't have to be Server 2008 administrators
      - Guest resources are controlled by per-VM configuration files
      - Shared resources are protected: read-only (CD ISO file), copy-on-write (differencing disks)
  24. BitLocker: Persistent Protection
      Mitigating against external threats:
      - Very real threat of data theft when a system is stolen, lost, or otherwise compromised (hacker tools exist!)
      - Decommissioned systems are not guaranteed clean
      - Increasing regulatory compliance on storage devices drives safeguards (HIPAA, SBA, PIPEDA, GLBA, etc.)
      BitLocker Drive Encryption support in Windows Server 2008/2008 R2:
      - Addresses leading external threats by combining drive-level encryption with boot process integrity validation
      - Leverages Trusted Platform Module (TPM) technology (hardware module)
      - Integrates with the enterprise ecosystem, maintaining keys in Active Directory
      Protects data while a system is offline:
      - Entire Windows volume is encrypted (hibernation and page files)
      - Delivers umbrella protection to applications (on the encrypted volume)
      Ensures boot process integrity:
      - Protects against rootkits and boot sector viruses
      - Automatically locks the system when tampering occurs
      Simplifies equipment recycling:
      - One-step data wipe: deleting the access keys renders the disk drive useless
  25. Physical Security
      - Device installation group policies: "no removable devices allowed on this system"
      - BitLocker: encrypts drives, securing laptops and branch office servers
      - BitLocker To Go: encrypts removable devices like USB sticks
        - Includes group policies that say, "don't let the user save data onto a USB stick unless the stick's been encrypted"
  26. McAfee: VirusScan Enterprise for Offline Virtual Images
      - Reduce IT management overhead for virtual environments: anti-malware security profiles of offline virtual machines are updated automatically without having to bring the virtual machines online, reducing the risk of infecting the rest of the virtual environment.
      - Ensure security for virtual machines: automatically scan, clean and update virtual machines while offline, to eliminate the risk of dormant virtual machines threatening the corporate network.
      - Achieve efficiencies with security management: minimize IT effort and reduce operating costs with common security management for both physical and virtual environments.
      - Improve disaster recovery: ensure that backup virtual images are up to date with respect to malware signatures before they go into production.
  27. VHD Performance
  28. Hyper-V R1 Performance
      - Focused on fixed disk performance. Why? Allocating storage resources upfront prevents surprises.
      - Result: excellent, near-native performance for fixed VHDs; dynamic VHD performance had room for improvement.
      Let's take a look at R2 performance...
  29. Fixed VHD vs Raw Disk Throughput Comparison [chart]
  30. Fixed VHD vs Raw Disk Latency Comparison [chart]
  31. WS2008 vs WS2008 R2 Dynamic VHD Throughput Comparison [chart]: up to 15x performance improvement with R2
  32. Dynamic VHD vs Raw Disk Throughput Comparison [chart]
  33. Dynamic VHD vs Raw Disk Latency Comparison [chart]
  34. VHD Types Throughput Comparison [chart]
  35. VHD Types Latency Comparison [chart]
  36. Hyper-V R2 Storage Key Takeaways
      - Fixed disks are on par with native disk performance
      - Dynamic and differencing disks are up to 15x faster than in Hyper-V R1, with a ~15% performance delta from native
  37. Multi-Path I/O (MPIO) & Advanced Storage
  38. Multipath I/O (MPIO)
      What is it?
      - Provides a logical facility for routing I/O over redundant hardware paths connecting the server to storage
      - Works with a variety of storage types (iSCSI, SCSI, SAS, Fibre Channel)
      - Many hardware vendors provide MPIO-capable drivers
      How do I enable it?
      - Windows Server 2008 Full: Server Manager -> Features
      - Windows Server 2008 Core: start /w ocsetup MultipathIo
  39. Enabling MPIO with iSCSI
      1. Open iscsicpl.exe (iSCSI configuration)
      2. Set up (discover) two connections to the iSCSI target
      3. Open mpiocpl.exe (MPIO configuration)
      4. Discover Multi-Path tab: "Add support for iSCSI Devices"
      5. In iscsicpl.exe, Targets tab, Connect
      6. Check "Enable multi-path"
      7. Under Advanced, specify the Target Portal IP
      8. Repeat, choosing the other Target Portal IP
  40. iSCSI Quick Connect: new in Windows 7 / Windows Server 2008 R2
  41. Advanced Storage Capabilities
      - Is there a Hyper-V storage certification?
      - What about storage de-duplication?
      - What about storage replication?
      Hyper-V is compatible with block-based de-duplication and replication solutions that are certified for Windows Server 2008/2008 R2.
      Solutions from: NetApp, HP, EMC, Hitachi, NEC, Compellent and more...
  42. Hyper-V Networking
  43. Hyper-V Networking
      - Don't forget the parent is a VM
      - Two physical network adapters at minimum: one for management, one (or more) for VM networking
      - Dedicated NIC(s) for iSCSI
      - Connect the parent to a back-end management network
      - Only expose guests to internet traffic
  44. Hyper-V Network Configurations
      Example 1: physical server has 4 network adapters
      - NIC 1: assigned to the parent partition for management
      - NICs 2/3/4: assigned to virtual switches for virtual machine networking
      - Storage is non-iSCSI, such as direct attach, SAS or Fibre Channel
  45. Hyper-V Setup & Networking 1
  46. Hyper-V Setup & Networking 2
  47. Hyper-V Setup & Networking 3
  48. Each VM on its own Switch...
      [Diagram: parent partition (Windows Server 2008) with VM worker processes, WMI provider and VM Service in user mode and VSPs plus VMBus in kernel mode; three child partitions (VM 1 Windows kernel, VM 2 Linux kernel, VM 3 Windows kernel), each with its VSC and VMBus; the Windows hypervisor in Ring -1 on "Designed for Windows" server hardware. NIC 1 is the management NIC; NIC 2, NIC 3 and NIC 4 are each bound to their own virtual switch (VSwitch 1, VSwitch 2, VSwitch 3).]
  49. Hyper-V Network Configurations
      Example 2: server has 4 physical network adapters
      - NIC 1: assigned to the parent partition for management
      - NIC 2: assigned to the parent partition for iSCSI
      - NICs 3/4: assigned to virtual switches for virtual machine networking
  50. Hyper-V Setup, Networking & iSCSI
  51. Now with iSCSI...
      [Same diagram as slide 48, but NIC 1 is management, NIC 2 is the iSCSI NIC, and NIC 3 and NIC 4 carry VSwitch 1 and VSwitch 2.]
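The two-NIC rule on slides 43, 44 and 49 (management on its own physical adapter, guests on separate virtual switches, parent never reachable through a VM switch) is easy to violate later by ticking "allow management operating system to share this network adapter" when creating a switch. The audit below is an added example and not code from the deck or from Microsoft; it assumes the Hyper-V and NetAdapter PowerShell modules (Windows Server 2012 or later, not the 2008 R2 release the deck covers, where the same facts are read from Hyper-V Manager's Virtual Network Manager), and the adapter name "NIC 1" is a constructed placeholder for the management NIC.

```powershell
# Added example: audit the management/VM-traffic separation from the
# "Hyper-V Networking" slides. Assumes the Hyper-V and NetAdapter modules
# (Windows Server 2012+). The default adapter name is a constructed placeholder.
function Test-HyperVNetworkIsolation {
    [CmdletBinding()]
    param(
        # Physical adapter reserved for parent-partition management (placeholder name).
        [string]$ManagementAdapterName = 'NIC 1'
    )

    $findings = @()
    $mgmt = Get-NetAdapter -Name $ManagementAdapterName -ErrorAction Stop

    # Rule 1: no external virtual switch may be bound to the management NIC,
    # and no external switch may share its NIC back to the parent partition
    # (AllowManagementOS puts the parent's TCP/IP stack on the guest-facing switch).
    foreach ($sw in Get-VMSwitch | Where-Object SwitchType -eq 'External') {
        if ($sw.NetAdapterInterfaceDescription -eq $mgmt.InterfaceDescription) {
            $findings += "Switch '$($sw.Name)' is bound to the management NIC '$ManagementAdapterName'"
        }
        if ($sw.AllowManagementOS) {
            $findings += "Switch '$($sw.Name)' shares its NIC with the parent partition (AllowManagementOS = True)"
        }
    }

    # Rule 2: the deck's minimum is two physical adapters (one management, one or more for VMs).
    $physicalUp = @(Get-NetAdapter -Physical | Where-Object Status -eq 'Up')
    if ($physicalUp.Count -lt 2) {
        $findings += "Only $($physicalUp.Count) physical adapter(s) up; the deck calls for two at minimum"
    }

    foreach ($f in $findings) { Write-Warning $f }
    [pscustomobject]@{
        Host      = $env:COMPUTERNAME
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings
    }
}

# Usage: run in an elevated session on the Hyper-V host.
Test-HyperVNetworkIsolation -ManagementAdapterName 'NIC 1'
```

A host that passes both rules matches Example 1 on slide 44; adding a check that the iSCSI adapter is likewise not bound to any switch gives Example 2 on slide 49.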
  52. Legacy vs. Synthetic NIC
      Legacy network adapter:
      - Up to 4 per virtual machine
      - Pros: needed for PXE/RIS/WDS installation
      - Cons: slow
      Synthetic network adapter:
      - Up to 8 per virtual machine!
      - Pros: blazing fast
      Both:
      - Support VLANs
      - Dynamic or static MAC addresses
  53. Hyper-V R2 Networking with VMQ
  54. Virtualized Network I/O Data Path Without VMQ
      [Diagram: NIC -> miniport driver in the parent partition -> virtual machine switch (VSP), which performs routing, VLAN filtering and a data copy in software -> switch ports 1 and 2 -> VM BUS -> VM NIC 1 / VM NIC 2 -> TCP/IP in VM1 and VM2.]
  55. Networking Virtual Machine Queues
      Hyper-V uses virtual machine queue (VMQ) support in new NICs to offload processing to hardware.
      VMQ operation:
      - Each VM is assigned a hardware-managed receive queue
      - Hardware performs MAC address lookup and VLAN ID validation
      - Places received packets in the appropriate queue
      - Queues are mapped into VM address space to avoid copy operations
  56. Network I/O Data Path With VMQ
      [Diagram: the NIC's switch/routing unit places packets into per-VM hardware queues Q1 and Q2 (plus a default queue); the miniport driver and virtual machine switch in the parent partition hand them over VM BUS to VM NIC 1 / VM NIC 2, without the software routing, VLAN filtering and data copy of slide 54.]
  57. VMQ Partner Support
      - Intel: Gigabit ET/EF, dual port ~$170
      - Alacritech
      - Broadcom
      - Neterion
      - ServerEngines
      - Solarflare
      - ...and many more...
  58. Windows Server 2008 R2: SCONFIG
  59. Windows Server Core
      - Windows Server is frequently deployed for a single role
      - In earlier Windows Server releases you must deploy and service the entire OS
      - Server Core: minimal installation option
        - Provides essential server functionality
        - Command line interface only, no GUI shell
      Benefits:
      - Less code results in fewer patches and a reduced servicing burden
      - Low-surface-area server for targeted roles
      Windows Server 2008 feedback: love it, but... steep learning curve
      Windows Server 2008 R2: introducing "SCONFIG"
  60. Windows Server Core: Server Core CLI
  61. Easy Server Configuration
  62. DEMO
  63. Manage Remotely...
  64. Hyper-V MMC for Win 7
      - Install the Win 7 RSAT
      - Turn Windows features on/off; under Remote Server Admin Tools select Failover Clustering Tools and Hyper-V Tools
      - Go to Start Menu -> Admin Tools
  65. Hyper-V Best Practices
  66. Deployment
      Minimize risk to the parent partition:
      - Use Server Core
      - Don't run arbitrary apps, no web surfing
      - Run your apps and services in guests
      - Two physical 1 Gb/E network adapters at minimum: one for management (use a VLAN too), one (or more) for VM networking
      - Dedicated NIC(s) for iSCSI
      - Connect the parent to a back-end management network
      - Only expose guests to internet traffic
  67. Windows Server 2003 Cluster Creation
  68. Cluster Hyper-V Servers
  69. Use Cluster Shared Volumes
      Hyper-V high availability and migration scenarios are supported by the new Cluster Shared Volumes in Windows Server 2008 R2.
      - Concurrent access to a single file system
      - Technology within the Failover Cluster feature
      - Single consistent namespace
      - Compatible: NTFS volume
      - Simplified LUN management
      - Multiple data stores supported
      - Enhanced storage availability due to built-in redundancy
      - Scalable, as I/O is written directly by each node to the shared volume
      - Transparent to the VM
      [Diagram: several VHDs on a single volume on the SAN.]
  70. Don't forget the ICs! Emulated vs. VSC
  71. Installing Integration Components
  72. Hyper-V & Localization...
  73. Hyper-V/AV Software Configuration
      Host: if you are running antivirus software on the physical server, exclude from active scanning:
      - the Vmms.exe and Vmwp.exe processes
      - the directories that contain the virtual machine configuration files and virtual hard disks
      An added benefit of using pass-through disks in your virtual machines is that you can use the antivirus software running on the physical server to protect that virtual machine.
      Guest: run AV within the guest.
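The exclusion list on slide 73 is only as good as its coverage of where the VHDs and configuration files actually live, and that is easy to get wrong on a host whose VMs were created in several locations. The script below is an added example, not code from the deck or from Microsoft: it derives the path list from the host's own Hyper-V configuration and writes it into Windows Defender. It assumes the Hyper-V module plus the Defender cmdlets (Windows Server 2016 or later); on the 2008 R2 hosts the deck covers with third-party antivirus, the same list is entered in that product's exclusion settings instead.

```powershell
# Added example: build the Hyper-V antivirus exclusions of slide 73 from the
# host's real configuration. Assumes the Hyper-V module and the Windows
# Defender cmdlets (Windows Server 2016+), not the 2008 R2 era tooling.
function Get-HyperVAvExclusions {
    $vmHost = Get-VMHost
    # Host-wide defaults for new VMs and VHDs.
    $paths = @($vmHost.VirtualMachinePath, $vmHost.VirtualHardDiskPath)
    foreach ($vm in Get-VM) {
        # Per-VM configuration directory (may differ from the host default).
        $paths += $vm.ConfigurationLocation
        # Directories holding this VM's VHD/VHDX files. Pass-through disks have no
        # Path (they are physical disks); the deck's point is that host AV can scan
        # those directly, so they are intentionally not excluded.
        $paths += Get-VMHardDiskDrive -VMName $vm.Name |
                  Where-Object { $_.Path } |
                  ForEach-Object { Split-Path -Parent $_.Path }
    }
    [pscustomobject]@{
        Paths     = @($paths | Where-Object { $_ } | Sort-Object -Unique)
        # vmms.exe = Virtual Machine Management Service, vmwp.exe = per-VM worker process.
        Processes = @('vmms.exe', 'vmwp.exe')
    }
}

function Set-HyperVAvExclusions {
    param([switch]$Apply)   # without -Apply this is a dry run that only lists the exclusions
    $ex = Get-HyperVAvExclusions
    $ex.Paths     | ForEach-Object { "exclude path:    $_" }
    $ex.Processes | ForEach-Object { "exclude process: $_" }
    if ($Apply) {
        Add-MpPreference -ExclusionPath $ex.Paths -ExclusionProcess $ex.Processes
        # Read the setting back rather than trusting the call; this is what an auditor sees.
        $pref = Get-MpPreference
        [pscustomobject]@{
            ExclusionPath    = $pref.ExclusionPath
            ExclusionProcess = $pref.ExclusionProcess
        }
    }
}

Set-HyperVAvExclusions          # review the generated list
# Set-HyperVAvExclusions -Apply # then write it into Defender
```

Keep the dry run in change records: path exclusions are also what malware authors look for, so the list should be exactly the VM storage directories and nothing broader (never a whole drive letter), and it should be re-run whenever VMs are moved to new storage.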
  74. Storage
      BitLocker: great for branch office
      VHDs: use fixed virtual hard disks in production
      VHD compaction/expansion: run it on a non-production system
      Use .isos:
      - Great performance
      - Can be mounted and unmounted remotely
      - A physical DVD can't be shared across multiple VMs
      - Having them in the SCVMM Library is fast & convenient
  75. Jumbo Frames
      - Offers significant performance for TCP connections, including iSCSI
      - Max frame size 9K
      - Reduces TCP/IP overhead by up to 84%
      - Must be enabled at all end points (switches, NICs, target devices)
        - The virtual switch is defined as an end point
        - The virtual NIC is defined as an end point
  76. Jumbo Frames in Hyper-V R2
      - Added support in the virtual switch
      - Added support in the virtual NIC
      - Integration components required
      How to validate that jumbo frames are configured end to end:
        ping -n 1 -l 8000 -f <hostname>
      - -l (length)
      - -f (don't fragment the packet into multiple Ethernet frames)
      - -n (count)
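The ping on slide 76 answers the question only if you read its reply correctly: a "needs to be fragmented" message means some hop still runs a 1500-byte MTU, a normal reply means the 8000-byte payload crossed every end point whole, and a timeout means something dropped the DF packet silently. The wrapper below is an added example (not from the deck or from Microsoft) that runs the slide's command and turns the reply into a pass/fail object; it uses only the documented ping switches from the slide and `Get-NetIPInterface` (Windows 8 / Server 2012 and later) for the local MTU listing, and the target name is a constructed placeholder.

```powershell
# Added example: wrap the slide's jumbo-frame check, ping -n 1 -l 8000 -f <host>.
# -f sets Don't Fragment, -l the ICMP payload length, -n the echo count.
function Test-JumboFramePath {
    param(
        [Parameter(Mandatory)][string]$Target,
        # 8000-byte payload as on the slide: with 8 bytes ICMP + 20 bytes IPv4 header it
        # is 8028 bytes on the wire, under the 9K frame limit but far above 1500.
        [int]$PayloadBytes = 8000
    )
    $out = & ping.exe -n 1 -l $PayloadBytes -f $Target 2>&1 | Out-String

    # Check the failure text first: a router's "Reply from ...: Packet needs to be
    # fragmented but DF set." would otherwise also match the success pattern.
    if ($out -match 'needs to be fragmented') {
        $state = $false; $detail = 'DF packet rejected: a 1500-byte MTU remains on the path (local NIC, vSwitch, physical switch or target)'
    } elseif ($out -match 'Reply from') {
        $state = $true;  $detail = 'DF packet delivered unfragmented: jumbo frames are enabled end to end'
    } else {
        $state = $null;  $detail = "No verdict (timeout or name resolution failure): $($out.Trim())"
    }
    [pscustomobject]@{ Target = $Target; PayloadBytes = $PayloadBytes; JumboEndToEnd = $state; Detail = $detail }
}

# Local side of the same check: the MTU each IPv4 interface on this machine is using.
# A vNIC without Integration Components stays at 1500 here whatever the switch allows.
function Get-LocalMtu {
    Get-NetIPInterface -AddressFamily IPv4 |
        Select-Object InterfaceAlias, NlMtu, ConnectionState
}

Get-LocalMtu
Test-JumboFramePath -Target 'iscsi-target.example.invalid'   # placeholder target name
```

Run it from inside a guest toward the iSCSI target or another guest, not just from the parent: the slide's point is that the virtual switch and virtual NIC are end points too, so a host-level pass says nothing about the guest path.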
  77. More Tips...
      Mitigate bottlenecks: processors, memory, storage, networking
      Turn off screen savers in guests
      Windows Server 2003: create VMs using 2-way (two virtual processors) to ensure an MP HAL
  78. Creating Virtual Machines
      Use the SCVMM Library; templates help standardize configurations.
      Steps:
      1. Create virtual machine
      2. Install guest operating system & latest SP
      3. Install integration components
      4. Install anti-virus
      5. Install management agents
      6. SYSPREP
      7. Add it to the VMM Library
  79. Microsoft Hyper-V Server R2
  80. Microsoft Hyper-V Server R2: New Features
      - Live Migration
      - High Availability
      - New processor support: Second Level Address Translation, Core Parking
      - Networking enhancements: TCP/IP offload support, VMQ & jumbo frame support
      - Hot add/remove virtual storage
      - Enhanced scalability
      Free download:
      Microsoft Virtualization: Customers Win
      [Timeline: November 2005, June 2008, July 2009; callouts: greater performance, high availability built-in, live migration built-in, more capabilities, increased scalability, ready for next-gen servers.]
  81. Online Resources
      - Microsoft Virtualization Home / Case Studies from customers around the world
      - Windows Server Virtualization Blog Site
      - Windows Server Virtualization TechNet Site
      - MSDN & TechNet Powered by Hyper-V
      - Virtualization Solution Accelerators
      - How to install the Hyper-V role
      - Windows Server 2008 Hyper-V Performance Tuning Guide
      - Using Hyper-V & BitLocker White Paper
  82. Related Content
      - MGT220 - Virtualization 360: Microsoft Virtualization Strategy, Products, and Solutions for the New Economy
      - SVR314 - From Zero to Live Migration. How to Set Up a Live Migration
      - SVR308 - Storage and Hyper-V: The Choices You Can Make and the Things You Need to Know
      - SVR307 - Security Best Practices for Hyper-V and Server Virtualization
      - SVR09-IS - Windows Server 2008 R2 Hyper-V Deployment Considerations
  83. Resources
      TechEd 2009 is not producing a DVD; attendees can access session recordings at TechEd Online.
      - Sessions On-Demand & Community
      - Microsoft Certification & Training Resources
      - Resources for IT Professionals
      - Resources for Developers
  84. Complete an evaluation on CommNet and enter to win an Xbox 360 Elite!