WMS07 - Hyper-V Security and Best Practices

Presentation on theme: "WMS07 - Hyper-V Security and Best Practices"— Presentation transcript:

1 WMS07 - Hyper-V Security and Best Practices
Windows Connections. Dan Stolts, Microsoft. Updates will be available at

2 Announcing… Microsoft Assessment and Planning Toolkit 3.1 Beta
© 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

3 MAP: User Interface & Reports
- Server migration & virtualization candidates
- New user interface (screenshot tabs: Windows Server 2008, Virtualization, Windows Vista)
- Speed up planning with actionable proposals and assessments
- Collect inventory of servers, desktops and applications agentlessly
- Offers recommendations for server/application virtualization
- Works with the Virtualization ROI Tool to generate ROI calculations

4 Agenda
- Virtualization Requirements
- Hyper-V Security
- Microsoft Secure Development Lifecycle
- Server Core
- Enabling Hyper-V with Server Core
- Designing a Windows Server 2008 Hyper-V & System Center Infrastructure
- Hyper-V Storage & Pass Through Disks
- Deployment Considerations
- Best Practices & Tips and Tricks

5 Virtualization Requirements
- Scheduler
- Memory management
- VM state machine
- Virtualized devices
- Storage stack
- Network stack
- Ring compression (optional)
- Drivers
- Management API

6 Old: Virtual Server Architecture
[Diagram] Virtual Server host and guests by ring, with components labelled as provided by Windows or by ISVs. Ring 3 (user mode): on the host, the Virtual Server Service, IIS and the Virtual Server WebApp; in the guests, guest applications. Ring 1 (guest kernel mode): Windows (NT4, 2000, 2003) guest kernels with VM Additions. Ring 0 (kernel mode): the Windows Server 2003/Windows XP kernel, the VMM kernel and device drivers, on the server hardware.

7 New: Hyper-V Architecture
[Diagram] Parent partition and child partition by ring, with components labelled as provided by Windows, by the rest of Windows or by ISVs. Ring 3 (user mode): in the parent, the Hyper-V virtualization stack (VM Service, WMI Provider, VM Worker Processes); in the child, guest applications. Ring 0 (kernel mode): in the parent, the Server Core Windows kernel, device drivers and Virtualization Service Providers (VSPs); in the child, the OS kernel, Virtualization Service Clients (VSCs) and enlightenments; the two sides are connected by the VMBus. Below both partitions: the Windows hypervisor, then the server hardware.

8 Virtualization Attacks
[Diagram] The Hyper-V architecture diagram again, with "Hackers" placed in the child partition's user mode (ring 3). The diagram highlights the child-side components an attacker in a guest reaches first: the guest OS kernel, the Virtualization Service Clients (VSCs), the enlightenments and the VMBus, which lead to the parent's Virtualization Service Providers (VSPs) and the Windows hypervisor below.

9 Why not get rid of the parent?
- No defense in depth
- Entire hypervisor running in the most privileged mode of the system
[Diagram] Monolithic hypervisor: virtual machines with user mode (ring 3) and kernel mode (ring 0) sit above a ring -1 hypervisor that contains the scheduler, memory management, storage stack, network stack, VM state machine, virtualized devices, drivers and management API, on top of the hardware.

10 Micro-kernelized Hypervisor
- Defense in depth
- Using hardware to protect
- Hyper-V doesn't use ring compression translation
- Further reduces the attack surface
[Diagram] Only the scheduler and memory management remain in the ring -1 hypervisor. The VM state machine, virtualized devices and management API run in the parent partition's user mode (ring 3), and the storage stack, network stack and drivers in its kernel mode (ring 0), alongside the virtual machines.

11 Hyper-V Security

12 Security Assumptions
- Guests are untrusted
- Trust relationships
  - Parent must be trusted by hypervisor
  - Parent must be trusted by children
- Code in guests can run in all available processor modes, rings, and segments
- Hypercall interface will be well documented and widely available to attackers
- All hypercalls can be attempted by guests
- Can detect you are running on a hypervisor
  - We'll even give you the version
- The internal design of the hypervisor will be well understood

13 Security Goals
- Strong isolation between partitions
- Protect confidentiality and integrity of guest data
- Separation
  - Unique hypervisor resource pools per guest
  - Separate worker processes per guest
  - Guest-to-parent communications over unique channels
- Non-interference
  - Guests cannot affect the contents of other guests, parent, hypervisor
  - Guest computations protected from other guests
  - Guest-to-guest communications not allowed through VM interfaces

14 Isolation
- We're serious folks
- No sharing of virtualized devices
  - Separate VMBus per VM to the parent
- No sharing of memory
  - Each has its own address space
- VMs cannot communicate with each other, except through traditional networking
- Guests can't perform DMA attacks because they're never mapped to physical devices
- Guests cannot write to the hypervisor
- Parent partition cannot write to the hypervisor

15 Microsoft Secure Development Lifecycle

16 Hyper-V & SDL
- Hypervisor built with
  - Stack guard cookies (/GS)
  - Address Space Layout Randomization (ASLR)
  - Hardware Data Execution Prevention
    - No Execute (NX), AMD
    - Execute Disable (XD), Intel
  - Code pages marked read only
  - Memory guard pages
- Hypervisor binary is signed
- Hypervisor and parent going through SDL
  - Threat modeling
  - Static analysis
  - Fuzz testing & penetration testing

17 Hyper-V Security Model
- Uses Authorization Manager (AzMan)
  - Fine grained authorization and access control
  - Department and role based
  - Segregate who can manage groups of VMs
  - Define specific functions for individuals or roles: start, stop, create, add hardware, change drive image
  - VM administrators don't have to be Server 2008 administrators
- Guest resources are controlled by per-VM configuration files
- Shared resources are protected
  - Read-only (CD ISO file)
  - Copy on write (differencing disks)

18 Server Core

19 Windows Server Core
- Windows Server frequently deployed for a single role
  - Must deploy and service the entire OS in earlier Windows Server releases
- Server Core: a new minimal installation option
  - Provides essential server functionality
  - Command line interface only, no GUI shell
- Benefits
  - Fundamentally improves availability
  - Less code results in fewer patches and reduced servicing burden
  - Low surface area server for targeted roles
  - More secure and reliable with less management

20 Windows Server Core

21 Enabling Hyper-V with Server Core
Step-by-step instructions…

22 Installing Hyper-V Role on Core
Install Windows Server 2008 and select a Server Core installation option

23 Set Admin Password
    net user administrator <new_password>
    shutdown /r /t 0

24 Rename Computer
    netdom renamecomputer %computername% /newname:<new_computername>
    shutdown /r /t 0

25 Join Domain
    netdom join %computername% /domain:<domain> /userd:<username> /passwordd:*
Enter the password when prompted, then:
    shutdown /r /t 0

26 Add domain account to local admin group
    net localgroup administrators /add <domain_account>
    logoff

27 Add Hyper-V Role
    ocsetup Microsoft-Hyper-V
Restart when prompted.

28 Connect remotely via MMC

29 Enabling Remote Desktop (OPTIONAL)
    cscript \windows\system32\scregedit.wsf /ar 0
    cscript \windows\system32\scregedit.wsf /cs 0
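The slide 23 to 29 steps collected into one cmd script, as an added example that is not from the deck: each phase ends in the reboot the slides call for, so the script is run once per phase, and it checks the Hyper-V role state before calling ocsetup and opens the firewall for remote MMC before enabling Remote Desktop. The host name HV01, domain CORP and account CORP\hvadmin are placeholder assumptions; the oclist output format ("Installed:" prefix) is also assumed.

```batch
@echo off
REM Added example (not from the presentation): prepare a Windows Server 2008
REM Server Core host for the Hyper-V role. Usage, one phase per boot:
REM   setup-core.cmd rename | join | role | rdp
setlocal
set NEWNAME=HV01
set DOMAIN=CORP
set ADMIN=CORP\hvadmin

if /i "%1"=="rename" goto rename
if /i "%1"=="join" goto join
if /i "%1"=="role" goto role
if /i "%1"=="rdp" goto rdp
echo usage: %~nx0 rename ^| join ^| role ^| rdp
exit /b 1

:rename
REM Slides 23-24: set the local admin password, then rename. The "*" form
REM prompts for the password so it never appears on the command line.
net user administrator *
netdom renamecomputer %COMPUTERNAME% /newname:%NEWNAME% /force
shutdown /r /t 0
exit /b 0

:join
REM Slides 25-26: join the domain, then give a domain account local admin
REM rights so day-to-day management does not use the built-in administrator.
netdom join %COMPUTERNAME% /domain:%DOMAIN% /userd:%ADMIN% /passwordd:*
if errorlevel 1 exit /b 1
net localgroup administrators /add %ADMIN%
shutdown /r /t 0
exit /b 0

:role
REM Slide 27: skip ocsetup if the role is already present. oclist marks
REM installed components "Installed:" and absent ones "Not Installed:"
REM (assumed format); the second findstr drops the "Not Installed" lines.
oclist | findstr /i /c:"Installed:Microsoft-Hyper-V" | findstr /v /i /c:"Not Installed" >nul
if not errorlevel 1 (echo Hyper-V role already installed & exit /b 0)
REM ocsetup returns immediately; start /w waits for it to finish.
start /w ocsetup Microsoft-Hyper-V
shutdown /r /t 0
exit /b 0

:rdp
REM Slides 28-29: allow remote MMC through the firewall, enable Remote Desktop,
REM then display the resulting setting. scregedit /cs 0 (pre-Vista RDP clients)
REM is deliberately left out; run it only if such clients must connect.
netsh advfirewall firewall set rule group="Remote Administration" new enable=yes
cscript %SystemRoot%\system32\scregedit.wsf /ar 0
cscript %SystemRoot%\system32\scregedit.wsf /ar /v
exit /b 0
```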

30 Hyper-V Networking

31 Hyper-V Networking
- Don't forget the parent is a VM
- Two physical network adapters at minimum
  - One for management
  - One (or more) for VM networking
- Dedicated NIC(s) for iSCSI
- Connect parent to back-end management network
- Only expose guests to internet traffic

32 Hyper-V Network Configurations
Example 1: Physical server has 4 network adapters
- NIC 1: Assigned to parent partition for management
- NICs 2/3/4: Assigned to virtual switches for virtual machine networking
- Storage is non-iSCSI, such as direct attach SAS or Fibre Channel

33 Hyper-V Setup & Networking 1

34 Hyper-V Setup & Networking 2

35 Hyper-V Setup & Networking 3

36 Each VM on its own Switch…
[Diagram] Parent partition (Windows Server 2008: VM Service, WMI Provider and VM Worker Processes in user mode; Windows kernel with VSP in kernel mode) and three child partitions (VM 1 and VM 2 with a Windows kernel and VSC, VM 3 with a Linux kernel and VSC), each joined to the parent over its own VMBus, above the Windows hypervisor (ring -1) and "Designed for Windows" server hardware. NIC 1 is the management NIC; NIC 2, NIC 3 and NIC 4 each back their own virtual switch (VSwitch 1, VSwitch 2, VSwitch 3).

37 Hyper-V Network Configurations
Example 2: Server has 4 physical network adapters
- NIC 1: Assigned to parent partition for management
- NIC 2: Assigned to parent partition for iSCSI
- NICs 3/4: Assigned to virtual switches for virtual machine networking

38 Hyper-V Setup, Networking & iSCSI

39 “Designed for Windows” Server Hardware: Now with iSCSI…
[Diagram] Same layout as slide 36 (parent partition with VSP, three child partitions with VSCs, one VMBus each, Windows hypervisor in ring -1), now with NIC 1 for management, NIC 2 dedicated to iSCSI in the parent partition, and NIC 3 and NIC 4 backing VSwitch 1 and VSwitch 2.

40 Networking: Parent Partition

41 Networking: Virtual Switches

42 Legacy vs. Synthetic NIC
- Legacy Network Adapter
  - Up to 4 per virtual machine
  - Pros: Needed for PXE/RIS/WDS installation
  - Cons: Slow
- Synthetic Network Adapter
  - Up to 8 per virtual machine!
  - Pros: Blazing fast
- Both:
  - Support VLANs
  - Dynamic or static MAC addresses

43 VM with Legacy & Synthetic NIC

44 Hyper-V Storage & Pass Through…
Step by Step Instructions

45 Hyper-V Storage... Performance wise, from fastest to slowest…
- Fixed disk VHDs / pass through disks
  - About the same in terms of performance
- Dynamically expanding VHDs
  - Grow as needed
- Pass through disks
  - Pro: VM writes directly to a disk/LUN without encapsulation in a VHD
  - Cons: You can't use VM snapshots; dedicates a disk to a VM

46 VM Setting No Pass Through

47 Computer Management: Disk

48 Taking a disk offline

49 Disk is offline…

50 Pass Through Configured

51 Best Practices & Tips and Tricks

52 Deployment Considerations
- Minimize risk to the parent partition
  - Use Server Core
  - Don't run arbitrary apps, no web surfing
  - Run your apps and services in guests
- Moving VMs from Virtual Server to Hyper-V
  - FIRST: Uninstall the VM Additions
- Two physical network adapters at minimum
  - One for management (use a VLAN too)
  - One (or more) for VM networking
- Dedicated NIC(s) for iSCSI
- Connect parent to back-end management network
- Only expose guests to internet traffic

53 Windows Server 2003 (today) Cluster Creation

54 Cluster Hyper-V Servers

55 Don't forget the ICs! Emulated vs. VSC

56 Anti-Virus & BitLocker…
- Parent partition
  - Run AV software and exclude .vhd
- Child partitions
  - Run AV software within each VM
- BitLocker
  - Great for branch office
  - Protects data while a system is offline

57 BitLocker – Persistent Protection
Mitigating against external threats…
- Very real threat of data theft when a system is stolen, lost, or otherwise compromised (hacker tools exist!)
- Decommissioned systems are not guaranteed clean
- Increasing regulatory compliance on storage devices drives safeguards (HIPAA, SBA, PIPEDA, GLBA, etc.)
BitLocker Drive Encryption support in Windows Server 2008
- Addresses leading external threats by combining drive level encryption with boot process integrity validation
  - Leverages Trusted Platform Module (TPM) technology (hardware module)
  - Integrates with the enterprise ecosystem, maintaining keys in Active Directory
- Protects data while a system is offline
  - Entire Windows volume is encrypted (hibernation and page files)
  - Delivers umbrella protection to applications (on the encrypted volume)
- Ensures boot process integrity
  - Protects against root kits and boot sector viruses
  - Automatically locks the system when tampering occurs
- Simplifies equipment recycling
  - One step data wipe: deleting the access keys renders the disk drive useless

58 More…
- Mitigate bottlenecks
  - Processors
  - Memory
  - Storage: don't run everything off a single spindle…
  - Networking
- VHD compaction/expansion
  - Run it on a non-production system
- Use .isos
  - Great performance
  - Can be mounted and unmounted remotely
  - Physical DVD can't be shared across multiple VMs
  - Having them in the SCVMM Library is fast & convenient

59 Creating Virtual Machines
- Use SCVMM Library
- Steps:
  1. Create virtual machine
  2. Install guest operating system & latest SP
  3. Install integration components
  4. Install anti-virus
  5. Install management agents
  6. SYSPREP
  7. Add it to the VMM Library
- Windows Server 2003: create VMs using 2-way (two virtual processors) to ensure an MP HAL

60 Online Resources
- Microsoft Virtualization Home:
- Windows Server Virtualization Blog Site:
- Windows Server Virtualization TechNet Site:
- Windows Server 2008 with Hyper-V RC1:
- Windows Hyper-V Installation Guide:

61 Q & A

62 © 2008 Microsoft Corporation. All rights reserved.

63 Your Feedback is Important
Windows Connections. Please fill out a session evaluation form and either put it in the basket near the exit or drop it off at the conference registration desk. Thank you!
WMS07 - Hyper-V Security and Best Practices. Dan Stolts, Microsoft. Updates will be available at h
