
Windows Server 2008 R2 Hyper-V Security

Kevin Lim
(CISSP; Microsoft: MCT, MCITP, MCTS; Citrix: CCA)
Enterprise Consultant, RefineNetworks
Blog: http://Kevin.RefineNetworks.com
Kevin@RefineNetworks.com

Agenda
Common Criteria Certification
Hyper-V Architecture
Implementing Hyper-V
Security Control & Drive Encryption
Networking
Prevent Denial-of-Service (DoS)
Implementing Security Policy
Q&A

Common Criteria Certification: Hyper-V & Windows Server

Common Criteria for IT Security Evaluation is an international standard (ISO/IEC 15408) for computer security certification.
Windows platform Common Criteria certification:
Windows 7 and Windows Server 2008 R2
Windows Vista and Windows Server 2008 at EAL4+
Microsoft Windows Server 2008 Hyper-V Role
Windows Vista and Windows Server 2008 at EAL1

Windows Server 2008 R2 Hyper-V will shortly complete its EAL 4+ certification (Windows Server and Hyper-V are currently certified separately).

Hyper-V Architecture
[Architecture diagram] Parent partition (management OS, Windows Server 2008 R2): VM worker processes, VM service and WMI provider in user mode; Windows kernel, VSPs, IHV drivers and VMBus in kernel mode. Child partitions (virtual machines): enlightened Windows Server 2003 / 2008 / R2 guests with VSCs over VMBus; Linux guests with VSCs over VMBus plus a hypercall adapter; non-hypervisor-aware guests served through emulation. Windows Hypervisor at ring -1, designed for Windows Server hardware. Legend: components provided by the OS, by ISV/IHV/OEM, by Microsoft Hyper-V, and by Microsoft / XenSource.

Security in Hyper-V: Isolation

No sharing of virtualized devices: separate VMBus instance per VM to the parent
No sharing of memory: each partition has its own address space
VMs cannot communicate with each other, except through traditional networking
Guests can't perform DMA attacks because they are never mapped to physical devices
Guests cannot write to the hypervisor
The parent partition cannot write to the hypervisor

Implementing Hyper-V

Implementing Hyper-V Host

Apply the latest service pack and hotfixes
Use Server Core for the parent partition. Benefits:
Smallest attack surface; reduces the number of patches, updates, and restarts required for maintenance
Reduced memory and disk requirements
Performance: 20%-40% better performance than a Full installation
Remote administration: use PowerShell or Microsoft Remote Server Administration Tools (RSAT)

Do not run any application on the Hyper-V parent partition. Benefits:
Stability
Performance
More secure
Fewer patches
Minimum maintenance and less downtime

Have dedicated network adapter(s), for security and performance reasons, for the following networks:
Hyper-V management
iSCSI traffic
Backup and recovery
Live Migration

Virtual Machine
Use an enlightened guest operating system whenever possible
Install Integration Services on the virtual machine:
Time synchronization: for computer forensics and compliance (accuracy of timestamps and audit log entries)
Performance
Backup / snapshot
Reliability / availability

Securing Hyper-V Host

Enforcing security policy:
Apply the latest service pack and hotfixes
Remove unnecessary applications
Disable unnecessary services
Enable a strong password policy
Enable audit trails (file and object access, file creation, file deletion)
Install antivirus software
Don't use your server for web browsing
Use a vulnerability scanner to perform security assessments on a regular basis
Enforce file system access control lists (ACLs)
Regular backups and archiving
Use the Microsoft Windows Server 2008 Security Guide as your baseline policy and modify it according to your corporate security policy
Secure the virtual machine: configuration files, snapshots, virtual hard disks

Patch Management
Patch the Hyper-V host and virtual machines before deploying to a production environment
Patch regularly:
Automatic patching (recommended): Windows Server Update Services (WSUS), Microsoft System Center Configuration Manager (SCCM), or any software distribution method
Manual patching
Don't forget to patch the applications on your virtual machines!

Antivirus Exclusion Policy for Hyper-V Host

Files:
Virtual machine configuration files directory. By default, it is C:\ProgramData\Microsoft\Windows\Hyper-V.
Virtual machine virtual hard disk files directory. By default, it is C:\Users\Public\Documents\Hyper-V\Virtual Hard Disks.
Snapshot files directory. By default, it is %systemdrive%\ProgramData\Microsoft\Windows\Hyper-V\Snapshots.
Processes:
Virtual Machine Worker (Vmwp.exe)
Virtual Machine Management Service (Vmms.exe)
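The defaults listed above can be changed in Hyper-V Settings, and individual VHDs are often placed elsewhere, so an exclusion list copied from the defaults can miss files. The following PowerShell script is an added example (not part of the slides) that builds the exclusion list from the paths the host actually uses. It assumes the Hyper-V WMI v1 namespace root\virtualization of Windows Server 2008 R2 and the class and property names shown; verify them on your host before relying on the output.

```powershell
# Added example: derive the antivirus exclusion list for a Hyper-V host from live settings.
# Assumption: Hyper-V WMI v1 namespace (root\virtualization) on Windows Server 2008 R2.
$ns  = 'root\virtualization'
$svc = Get-WmiObject -Namespace $ns -Class Msvm_VirtualSystemManagementServiceSettingData

# Host-wide defaults: configuration files (and snapshots beneath them) and the default VHD folder
$paths = @(
    $svc.DefaultExternalDataRoot,
    $svc.DefaultVirtualHardDiskPath
)

# Per-VM virtual hard disks may live outside the defaults: collect the folder of every attached VHD
$vhds = Get-WmiObject -Namespace $ns -Class Msvm_ResourceAllocationSettingData |
    Where-Object { $_.ResourceSubType -eq 'Microsoft Virtual Hard Disk' -and $_.Connection } |
    ForEach-Object { Split-Path -Parent $_.Connection[0] }

$paths = ($paths + $vhds) | Where-Object { $_ } | Sort-Object -Unique

# Hyper-V processes that should not be scanned on access
$processes = 'vmwp.exe', 'vmms.exe'

Write-Host 'Directories to exclude from real-time scanning:'
$paths | ForEach-Object { Write-Host "  $_" }
Write-Host 'Processes to exclude:'
$processes | ForEach-Object { Write-Host "  $_" }

# Sanity check: a path that does not exist usually means a stale VM configuration
$paths | Where-Object { -not (Test-Path $_) } |
    ForEach-Object { Write-Warning "Path not found on this host: $_" }
```

Feed the printed directories and process names into whatever exclusion mechanism your antivirus product uses; re-run the script after adding VMs or moving storage, since the list changes with the host.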

Security Control & Disk Encryption

Security Control & Drive Encryption

Enforcing security control on Hyper-V:
Role-based access control (RBAC) with Authorization Manager (AzMan) or the SCVMM Self-Service Portal (SSP 2.0)
Enable drive encryption: BitLocker Drive Encryption

Access Control
Least privilege:
A Hyper-V administrator doesn't require Windows Administrator rights
Use Authorization Manager policies for role-based access control
Use the SCVMM Self-Service Portal (SSP 2.0) so that Business Unit IT administrators can self-administer virtual machines for application functional testing

Authorization Manager (AzMan)

Authorization Manager uses a role-based access control (RBAC) model.
The default authorization policy is XML-based and stored at:
Hyper-V: X:\ProgramData\Microsoft\Windows\Hyper-V\InitialStore.xml
Hyper-V managed by SCVMM: query the registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization\StoreLocation to find the policy location
Use azman.msc to configure the policy.
Enable auditing on:


Authorization Manager: InitialStore.xml > Properties > Auditing > Authorization store change auditing
Local Security Policy or domain GPO:
Local: Local Security Policy > Audit Policy > enable Audit Object Access (Success & Failure)
Domain: GPO > Computer Configuration > Windows Settings > Security Settings > Local Policies > Audit Policy > enable Audit directory service access (Success & Failure)
Events are written to the Windows Security log.
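The same audit categories can be switched on and verified from the command line, which is useful on a Server Core parent partition where the MMC snap-ins are not available locally. The script below is an added example (not from the slides); it uses auditpol.exe and Get-WinEvent, both shipped with Windows Server 2008 R2, and must run in an elevated prompt. On a domain member, a GPO that configures the same categories takes precedence over what is set here, which is why the script reads the effective policy back.

```powershell
# Added example: enable the audit categories the slides call for and confirm the effective setting.
# 'Object Access' covers the local recommendation; 'DS Access' is "Audit directory service access".
$categories = 'Object Access', 'DS Access'

foreach ($cat in $categories) {
    # Success and failure, as the slides recommend
    & auditpol.exe /set /category:"$cat" /success:enable /failure:enable | Out-Null
}

# Read back what is actually in force (a domain GPO may override the local setting)
foreach ($cat in $categories) {
    & auditpol.exe /get /category:"$cat"
}

# Authorization store changes land in the Security log once store change auditing is
# enabled on InitialStore.xml; show the newest entries so the audit trail can be checked.
Get-WinEvent -LogName Security -MaxEvents 20 |
    Select-Object TimeCreated, Id, ProviderName, Message |
    Format-Table -AutoSize -Wrap
```

Keep the Security log large enough (or forward it) that object-access auditing does not roll over the AzMan events you want to retain.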

Steps for Setting Up Role-Based Access Control for Hyper-V


1) Define Scope according to your organization needs
Scope is the boundary for that particular role

2) Define Tasks
Tasks are a collection of operations

3) Create Roles
A role assignment contains the users to which the role's tasks and operations are assigned

4) Assign Users or Groups to Roles
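The four steps above can be scripted against the AzMan COM object (AzRoles.AzAuthorizationStore), which is how you would reproduce the same policy on several hosts. The following PowerShell script is an added example and not part of the slides. It assumes the default local InitialStore.xml (not an SCVMM-managed store), that the application in that store is named "Hyper-V services", that the operation names are the ones in the default Hyper-V store (check both in azman.msc before running), and it uses CONTOSO\VM-Operators as a placeholder group to replace.

```powershell
# Added example: create a scoped, least-privilege operator role in the Hyper-V AzMan store.
# Assumptions: default local store, application name "Hyper-V services" and the operation
# names as found in the default Hyper-V InitialStore.xml; CONTOSO\VM-Operators is a placeholder.
$storePath = Join-Path $env:ProgramData 'Microsoft\Windows\Hyper-V\InitialStore.xml'
$scopeName = 'TestLab'
$taskName  = 'Operate Test VMs'
$roleName  = 'Test VM Operator'
$member    = 'CONTOSO\VM-Operators'    # placeholder, replace with your group
$ops = 'Read Service Configuration',   # needed by every role to see the service at all
       'Start Virtual Machine',
       'Stop Virtual Machine',
       'Allow Input to Virtual Machine',
       'Allow Output from Virtual Machine'

# Keep a copy of the policy before editing it
Copy-Item $storePath "$storePath.bak" -Force

$store = New-Object -ComObject AzRoles.AzAuthorizationStore
$store.Initialize(0, "msxml://$storePath")     # 0 = open an existing store
$app = $store.OpenApplication('Hyper-V services')

# 1) Scope: the boundary the role applies to. VMs are placed in it afterwards with the
#    CreateVMInScope / ChangeVMScope scripts mentioned on the next slide.
$scope = $app.CreateScope($scopeName)
$scope.Submit()

# 2) Task: a named collection of operations
$task = $app.CreateTask($taskName)
foreach ($op in $ops) { $task.AddOperation($op) }
$task.Submit()

# 3) Role: created inside the scope, so it cannot reach VMs outside it
$role = $scope.CreateRole($roleName)
$role.AddTask($taskName)

# 4) Assign the group to the role
$role.AddMemberName($member)
$role.Submit()
```

The role deliberately omits operations such as creating or deleting virtual machines and changing the service configuration, so members can operate the VMs in the TestLab scope but not alter the host.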

Demo #1: Authorization Manager

Assign AzMan Scopes for VMs

Use AzMan to assign a VM to a scope.
Scripts are available to assign a VM to a scope:
CreateVMInScope
DisplayVMScopes
ClearVMScopes
ChangeVMScope
Scripts can be downloaded from: http://social.technet.microsoft.com/Forums/enUS/ITCG/thread/3d0888e2-7538-4578-b16c97b73c8e0f96/

SCVMM Self-Service Portal (SSP 2.0)

Administrators: full access to SCVMM for administration
Delegated Administrators: scope can be limited by host groups and library servers
Self-Service Users: limited access to a subset of actions; scope can be limited by host groups, library shares and VM ownership
All activities are logged for audit trails

BitLocker Drive Encryption

Encrypt the disk drive. Benefits:
Protects disk content when the virtual server is not powered on
Ensures confidentiality and integrity
Encryption algorithm: Advanced Encryption Standard (AES), 128 or 256 bits, with an optional diffuser

BitLocker Drive Encryption

Hardware requirement: Trusted Platform Module (TPM) version 1.2, or a password and USB thumb drive
Use Trusted Platform Module (TPM) hardware, if possible
Use an existing Active Directory Domain Services (AD DS) infrastructure to remotely store BitLocker recovery keys
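Before and after enabling BitLocker it is worth checking two things on the host: whether a usable TPM is present, and whether every volume that actually holds VM files is protected (VHDs placed on a data volume are easy to forget). The script below is an added example, not from the slides. It assumes the Win32_Tpm and Win32_EncryptableVolume WMI classes and manage-bde.exe shipped with Windows Server 2008 R2, and the Hyper-V WMI v1 namespace root\virtualization for locating VM storage; UNC paths are skipped because BitLocker protects local volumes.

```powershell
# Added example: confirm TPM availability and BitLocker protection on the volumes holding VM files.
# Assumptions: Windows Server 2008 R2 WMI classes Win32_Tpm / Win32_EncryptableVolume and the
# Hyper-V WMI v1 namespace (root\virtualization).
$tpm = Get-WmiObject -Namespace 'root\cimv2\security\microsofttpm' -Class Win32_Tpm
if (-not $tpm) {
    Write-Warning 'No TPM found: BitLocker would need the password + USB startup key option'
} else {
    $enabled   = $tpm.IsEnabled().IsEnabled
    $activated = $tpm.IsActivated().IsActivated
    $owned     = $tpm.IsOwned().IsOwned
    "TPM present: enabled=$enabled activated=$activated owned=$owned"
}

# Volumes that carry VM files: host defaults plus the location of every attached VHD
$ns   = 'root\virtualization'
$svc  = Get-WmiObject -Namespace $ns -Class Msvm_VirtualSystemManagementServiceSettingData
$vhds = Get-WmiObject -Namespace $ns -Class Msvm_ResourceAllocationSettingData |
    Where-Object { $_.ResourceSubType -eq 'Microsoft Virtual Hard Disk' -and $_.Connection } |
    ForEach-Object { $_.Connection[0] }

$vmDrives = (@($svc.DefaultExternalDataRoot, $svc.DefaultVirtualHardDiskPath) + $vhds) |
    Where-Object { $_ -match '^[A-Za-z]:' } |        # local volumes only (UNC paths skipped)
    ForEach-Object { $_.Substring(0, 2).ToUpper() } |  # e.g. "C:"
    Sort-Object -Unique

# GetProtectionStatus: 0 = protection off, 1 = on, 2 = unknown
foreach ($drive in $vmDrives) {
    $vol = Get-WmiObject -Namespace 'root\cimv2\security\microsoftvolumeencryption' `
        -Class Win32_EncryptableVolume -Filter "DriveLetter='$drive'"
    $status = if ($vol) { $vol.GetProtectionStatus().ProtectionStatus } else { 2 }
    if ($status -eq 1) {
        "$drive : BitLocker protection is ON"
    } else {
        Write-Warning "$drive holds VM files but BitLocker protection is not on (status $status)"
    }
}

# Full detail per volume, including which key protectors (TPM, recovery password) exist
& manage-bde.exe -status
```

A volume reporting status 1 with only a TPM protector and no recovery password stored in AD DS is still a recovery risk; the manage-bde output shows the protector list so that gap is visible too.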

Demo #2: BitLocker Drive Encryption

iSCSI Storage
Enable multi-factor authentication on iSCSI storage: CHAP secret, IP address, IQN, IPsec, RADIUS
SAN storage should be placed on a segregated segment. Benefits:
Security
Performance
Reliability

Hyper-V Networking

Hyper-V Virtual Switch
[Diagram] Parent partition (Hyper-V host, Windows Server 2008 R2): VM worker processes, VM service and WMI provider in user mode; Windows kernel with one VSP per virtual switch in kernel mode; a dedicated management NIC (NIC 1) separate from NIC 2, NIC 3 and NIC 4, each bound to its own virtual switch (Vswitch 1, 2, 3). Child partitions VM1 and VM2 (Windows kernel) and VM3 (Linux kernel) each attach a VSC to a virtual switch over VMBus. Windows Hypervisor at ring -1, designed for Windows Server hardware.

Network Adapter Types

Use synthetic network adapters whenever possible (enlightened OS). Benefits: Ethernet speed of 10GB Ethernet
Use the legacy network adapter only when no supported driver exists: for legacy OS and PXE boot; Ethernet speed 100MB only

Hyper-V Virtual Networks

External: bound to a network adapter in the physical computer; accessible from the physical network
Internal: virtual machines can communicate with the parent partition and with virtual machines that reside on the same host; not bound to a network adapter in the physical computer; inaccessible from the physical network
Private: virtual machines can communicate only with virtual machines that reside on the same host; not bound to a network adapter in the physical computer; isolated from the parent partition; inaccessible from the physical network

Securing Hyper-V Host Networking

Use a dedicated network adapter for managing the Hyper-V host. Benefits:
Dedicated to management use, with no disruption of the VM networks
Security: does not expose the Hyper-V host to untrusted network traffic

Securing Hyper-V Host Networking

Enforce security policy based on segment: DMZ segment, internal segment, extranet segment, etc.
Virtual machines on different segments can securely run on the same Hyper-V host:
Properly assess the risks and regulatory compliance
Use dedicated network interfaces
Consider using VLANs
Use dynamic MAC addresses if the VM is not used with third-party security controls (e.g. firewall, router)

Prevent Denial-of-Service (DoS)

Protecting Virtual Machine Workload

Since many virtual machines reside on the same Hyper-V host, one can affect another. It is important to limit the resources available to each virtual machine.
When possible, use Microsoft System Center Operations Manager (SCOM) for service monitoring and Intelligent Placement of virtual machines. Various SCOM management packs are available for compliance monitoring as well.
Virtual machine settings to review: Boot Sequence, Processor Protection, Memory Protection, MAC Address Range
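To find the guests that can starve their neighbours, it helps to list every VM's processor and memory reservation, limit and weight in one table rather than opening each VM's settings. The script below is an added example (not from the slides). It assumes the Hyper-V WMI v1 namespace root\virtualization on Windows Server 2008 R2, where Msvm_ProcessorSettingData stores Reservation and Limit as percent × 1000 (100000 = 100%) and SettingType 3 on Msvm_VirtualSystemSettingData selects the VM's current (non-snapshot) settings; verify those class names on your host.

```powershell
# Added example: per-VM processor and memory reservation/limit/weight report for DoS review.
# Assumption: Hyper-V WMI v1 namespace (root\virtualization), Windows Server 2008 R2.
$ns  = 'root\virtualization'
$vms = Get-WmiObject -Namespace $ns -Class Msvm_ComputerSystem -Filter "Caption='Virtual Machine'"

$report = foreach ($vm in $vms) {
    # SettingType 3 = the VM's active settings (snapshots carry a different type)
    $vssd = $vm.GetRelated('Msvm_VirtualSystemSettingData') | Where-Object { $_.SettingType -eq 3 }
    $cpu  = $vssd.GetRelated('Msvm_ProcessorSettingData')
    $mem  = $vssd.GetRelated('Msvm_MemorySettingData')
    New-Object PSObject -Property @{
        VM         = $vm.ElementName
        vCPU       = $cpu.VirtualQuantity
        CpuReserve = $cpu.Reservation / 1000   # percent of the virtual processors
        CpuLimit   = $cpu.Limit / 1000
        CpuWeight  = $cpu.Weight               # relative weight, default 100
        MemMB      = $mem.VirtualQuantity
        MemWeight  = $mem.Weight
    }
}

$report | Sort-Object CpuLimit -Descending |
    Format-Table VM, vCPU, CpuReserve, CpuLimit, CpuWeight, MemMB, MemWeight -AutoSize

# Guests with no processor cap and the default weight compete on equal terms with
# everything else on the host; decide whether they need a limit, a reserve or a weight.
$report | Where-Object { $_.CpuLimit -eq 100 -and $_.CpuWeight -eq 100 } |
    ForEach-Object { Write-Warning "$($_.VM): no processor limit and default weight" }
```

The warnings are a starting point for the Processor Protection and Memory Protection settings above: a reserve guarantees capacity for a critical guest, a limit caps a noisy one, and weights decide who wins under contention.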

Securing Virtual Machine

Secure your virtual machine the way you secure your physical server:
Apply the latest service pack and hotfixes
Remove unnecessary applications
Disable unnecessary services
Enable a strong password policy
Enable audit trails
Install antivirus software
Don't use your server for web browsing
Use a vulnerability scanner to perform security assessments on a regular basis
Use the Microsoft Security Guides as your baseline policy and modify it according to your corporate IT security policy

Implementing Security Policy

Microsoft Security Compliance Manager

Enforce security policy through Active Directory Group Policy
Configure security policy on stand-alone machines
Updated security guides
Compare policy against industry best practices

Demo # 3: Security Compliance Manager

Active Directory Design for Multi-Tenancy
Group Policy enforcement based on server roles
Enforce through the respective OUs

Questions
1) Which tool implements role-based access control on Hyper-V?

2) Which tool compares security policy against industry best practices?

Take Away
Apply security hotfixes regularly
Reduce the attack surface of the Hyper-V host by not installing unnecessary applications and services
Use least-privilege access
Enable audit trails
Secure VM hard disks and configuration files, including backups and archives
Use virtual networks, VLANs and IPsec to isolate machines
Take advantage of backups, snapshots, and redundancy to reduce the impact of host/guest maintenance
Perform vulnerability assessments on a regular basis

Remember: security is a journey, NOT a one-off exercise!

Resources
My Blog: http://Kevin.RefineNetworks.com
Facebook: MVUG and MVUGv2 (Malaysia Virtualization User Group)
Windows Server 2008 Security Guide: http://go.microsoft.com/fwlink/?LinkId=134200
Windows BitLocker Drive Encryption Design and Deployment Guides: http://go.microsoft.com/fwlink/?LinkId=134201
Server Core Installation Option of Windows Server 2008 Step-By-Step Guide: http://go.microsoft.com/fwlink/?LinkId=134202
Microsoft Security Compliance Manager: http://www.microsoft.com/download/en/details.aspx?id=16776

Thank You
Q&A
