Kevin Lim
(CISSP; Microsoft: MCT, MCITP, MCTS; Citrix: CCA)
Enterprise Consultant, RefineNetworks
Blog: http://Kevin.RefineNetworks.com
Email: Kevin@RefineNetworks.com
Agenda
- Common Criteria Certification
- Hyper-V Architecture
- Implementing Hyper-V
- Security Control & Drive Encryption
- Networking
- Prevent Denial-of-Service (DoS)
- Implementing Security Policy
- Q&A
Windows Server 2008 R2 Hyper-V will shortly complete its EAL 4+ certification (Windows Server and Hyper-V are currently certified separately)
Hyper-V Architecture
[Diagram: Hyper-V architecture. Labels: Parent Partition (Management OS) running Windows Server 2008 R2; user mode with VM Worker Processes, WMI Provider, VM Service and Applications; kernel mode with Windows Kernel, VSP, VSC, IHV Drivers, VMBus and Hypercall Adapter; hypervisor at Ring -1. Legend: Microsoft Hyper-V, Microsoft / XenSource.]
- VMs cannot communicate with each other, except through traditional networking
- Guests can't perform DMA attacks because they're never mapped to physical devices
- Guests cannot write to the hypervisor
- Parent partition cannot write to the hypervisor
Implementing Hyper-V
Remote Administration:
Virtual Machine
- Use an enlightened guest operating system whenever possible
- Install Integration Services on the virtual machine
Time
For Computer Forensics & Compliance
- Accuracy of timestamps
- Audit log entries
- Use the Microsoft Windows Server 2008 Security Guide as your baseline policy, and modify the policy according to your corporate security policy
- Secure the virtual machine: configuration files, snapshots, virtual hard disks
Patch Management
- Patch the Hyper-V host and virtual machines before deploying to a production environment
- Patch regularly:
Automatically Patch (Recommended)
- Windows Update Services (WSUS)
- Microsoft System Center Configuration Manager (SCCM)
- Any software distribution method
Manually Patch
Don't forget to patch the applications on your virtual machines!
Processes
- Virtual Machine Worker (Vmwp.exe)
- Virtual Machine Management Service (Vmms.exe)
Access Control
Least Privilege
- A Hyper-V administrator doesn't require Windows Administrator rights
- Use Authorization Manager policies for role-based access control
- Use the SCVMM Self-Service Portal (SSP 2.0) so that Business Unit IT administrators can self-administer virtual machines for application functional testing
2) Define Tasks
Tasks are a collection of operations
3) Create Roles
A Role Assignment contains the users to which Tasks and Operations are assigned

- Use Trusted Platform Module (TPM) hardware, if possible
- Use an existing Active Directory Domain Services (AD DS) infrastructure to remotely store BitLocker recovery keys
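A read-only audit of this task and role model, as an added example that is not part of the original slides: it lists each task with its operations and each role assignment with its members, and flags assignments held by broad groups. The store path, the application name 'Hyper-V services' and the list of broad principals are assumptions (Windows Server 2008 R2 defaults and a constructed list); run it in an elevated PowerShell session on the Hyper-V host.

```powershell
# Added example: read-only audit of the Hyper-V Authorization Manager (AzMan) store.
# Assumption: default store location; change $storePath if the store was relocated.
$storePath = Join-Path $env:ProgramData 'Microsoft\Windows\Hyper-V\InitialStore.xml'
if (-not (Test-Path $storePath)) { throw "Authorization store not found: $storePath" }

# Constructed list of broad principals that defeat least privilege; extend as needed.
$broadNames = 'Everyone', 'Authenticated Users', 'Domain Users', 'Users'

$store = New-Object -ComObject AzRoles.AzAuthorizationStore
$store.Initialize(0, "msxml://$storePath")          # flags 0: open the existing store
$app = $store.OpenApplication('Hyper-V services')   # assumption: default application name

# Tasks: each task is a named collection of operations (and possibly nested tasks).
$taskReport = foreach ($task in $app.Tasks) {
    New-Object PSObject -Property @{
        Task             = $task.Name
        IsRoleDefinition = [bool]$task.IsRoleDefinition
        Operations       = (@($task.Operations) -join '; ')
        NestedTasks      = (@($task.Tasks) -join '; ')
    }
}

# Role assignments: the users and groups that tasks and operations are assigned to.
$roleReport = foreach ($role in $app.Roles) {
    $members = @($role.MembersName)
    # Compare only the account part (after DOMAIN\) against the broad-principal list.
    $broad = @($members | Where-Object { $broadNames -contains ($_ -split '\\')[-1] })
    New-Object PSObject -Property @{
        Role         = $role.Name
        Members      = ($members -join '; ')
        Tasks        = (@($role.Tasks) -join '; ')
        Operations   = (@($role.Operations) -join '; ')
        BroadMembers = ($broad -join '; ')
        Review       = ($broad.Count -gt 0)
    }
}

$taskReport | Format-List Task, IsRoleDefinition, Operations, NestedTasks
$roleReport | Format-List Role, Members, Tasks, Operations, BroadMembers, Review

# Submit() is never called, so the store on disk is left unchanged.
```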
iSCSI Storage
Enable multi-factor authentication on iSCSI storage:
- CHAP secret
- IP address
- IQN
- IPSec
- RADIUS
Hyper-V Networking
[Diagram: Hyper-V networking. Labels: parent partition with WMI Provider and VM Service; guests VM1, VM2 and VM3 with Applications in user mode and Windows or Linux kernels with VSC in kernel mode; VMBus; Windows Hypervisor at Ring -1; Mgt. NIC 1, NIC 2, NIC 3, NIC 4; Vswitch 1, Vswitch 2, Vswitch 3.]
Internal
- Virtual machines can communicate with the parent partition and with virtual machines that reside on the same host
- Not bound to a network adapter in the physical computer
- Inaccessible from the physical network
Private
- Virtual machines can communicate with other virtual machines that reside on the same host
- Not bound to a network adapter in the physical computer
- Isolated from the parent partition
- Inaccessible from the physical network

Virtual machines on different segments can securely run on the same Hyper-V host
- Properly assess the risks and regulatory compliance
- Use a dedicated network interface
- Consider using VLANs
- Use dynamic MAC addresses, if not used with a 3rd-party security control (i.e., firewall, router, etc.)
Boot Sequence
Processor Protection
Memory Protection
- Use the Microsoft Security Guides as your baseline policy, and modify the policy according to your corporate IT security policy
- Active Directory design for multi-tenancy
- Group Policy enforcement based on server roles
- Enforce through the respective OUs
Questions
1) What tool is used to implement role-based access control on Hyper-V?
Take Away
- Apply security hotfixes regularly
- Reduce the attack surface on the Hyper-V host by not installing unnecessary applications and services
- Use least-privilege access
- Enable audit trails
- Secure VM hard disks and configuration files, including backups and archives
- Use virtual networks, VLANs and IPSec to isolate machines
- Take advantage of backups, snapshots, and redundancy to reduce the impact of host/guest maintenance
- Perform vulnerability assessments on a regular basis
Resources
- My Blog: http://Kevin.RefineNetworks.com
- Facebook: MVUG and MVUGv2 (Malaysia Virtualization User Group)
- Windows Server 2008 Security Guide: http://go.microsoft.com/fwlink/?LinkId=134200
- Server Core Installation Option of Windows Server 2008 Step-By-Step Guide: http://go.microsoft.com/fwlink/?LinkId=134202
- Microsoft Security Compliance Manager: http://www.microsoft.com/download/en/details.aspx?id=16776