Joint Business Launch
WINDOWS SERVER 2008 R2 HYPER-V SECURITY & BEST PRACTICES
VIJAY TEWARI, PRINCIPAL PROGRAM MANAGER, WINDOWS SERVER, NOV 17, 2009
Announcing: Microsoft Assessment & Planning Toolkit 5.0 Customer Technology Preview
http://connect.microsoft.com
MAP: User Interface & Reports
Server Migration & Virtualization Candidates
Windows 7
Windows Server 2008 R2
Virtualization
• Heterogeneous Server Environment Inventory: Linux, Unix & VMware
• Windows 7 & Server 2008 R2 HW & Device Compatibility Assessment
• Speed up Planning with Actionable Proposals and Assessments
• Agentless operation
• Collect Inventory of Servers, Desktops and Applications
• Offers Recommendations for Server/Application Virtualization
• Works with the Virtualization ROI Tool to generate ROI calculations
• More on MAP: http://www.microsoft.com/map
Announcing: Visual Studio Team System 2010 Lab Management Beta 2
VSTS Lab Management Beta 2
Scenarios
Create and manage virtual or physical environments
Take environment snapshots or revert to existing snapshots for virtual environments
Interact with the virtual machines in the environments through environment viewer
Define test settings for the environments
New Beta 2 Features
Simplified Environment creation & edit experience
Full-screen environment viewer
Out of the box template for application build-deploy-test workflow
Network isolation with support for domain controller Virtual Machines
“In-Use” support for shared environments
VSTS “Environments”
A typical multi-tier application consists of multiple roles: database server, web server, client, etc. An environment is the set of roles required to run a specific application together with the lab machines used for each role. Managing environments for multi-tier applications is an error-prone task today, and replicating the same environment at the same or another site is an even bigger problem.
Agenda
Virtualization Requirements
Hyper-V Security
Hyper-V & Storage
Windows Server 2008 R2: SCONFIG
Best Practices & Tips and Tricks
Microsoft Hyper-V Server 2008 R2
Virtualization Requirements
Scheduler
Memory Management
VM State Machine
Virtualized Devices
Storage Stack
Network Stack
Ring Compression (optional)
Drivers
Management API
Hyper-V Architecture
Architecture diagram (labels recovered from the slide): the Windows hypervisor runs directly on the server hardware. Above it, the parent partition runs the virtualization stack in user mode (Ring 3): VM worker processes, the VM service and the WMI provider. In kernel mode (Ring 0) it runs the Windows kernel on Server Core, the virtualization service providers (VSPs) and the device drivers. Each child partition runs guest applications in user mode and, in kernel mode, its OS kernel, the virtualization service clients (VSCs) and enlightenments. Parent and child partitions communicate over the VMBus. Legend: components provided by Hyper-V, by the rest of Windows, and by ISVs.
Virtualization Attacks
Diagram (same architecture as above, labels recovered from the slide): attackers ("Hackers") are placed at the guest applications inside a child partition, the untrusted position from which the guest OS kernel, VSCs, enlightenments and VMBus, the parent partition (VSPs, device drivers, virtualization stack) and the Windows hypervisor are reached.
What if there was no parent partition? No defense in depth.
Entire hypervisor running in the most privileged mode of the system.
Diagram: one monolithic hypervisor in Ring -1 containing the scheduler, memory management, storage stack, network stack, VM state machine, virtualized devices, drivers and management API, with each virtual machine's kernel mode (Ring 0) and user mode (Ring 3) stacked above it, all running on the hardware.
Hyper-V Hypervisor
Defense in depth: Hyper-V doesn't use ring compression; it relies on hardware virtualization (Intel VT / AMD-V) instead.
Further reduces the attack surface.
Diagram: a small Hyper-V hypervisor in Ring -1 holds the scheduler and memory management. The VM state machine, virtualized devices and management API run in the parent partition's user mode, and the storage stack, network stack and drivers in its kernel mode, beside the virtual machines' own kernel mode (Ring 0) and user mode (Ring 3), all running on the hardware.
Hyper-V Security
EAL4+ Certification for Hyper-V
Windows Server 2008 Hyper-V is certified at Common Criteria level EAL4 augmented by ALC_FLR.3 (also known as EAL4+).
The Common Criteria certification is vital to our customers (especially government agencies) worldwide. It provides them reassurance to know that Hyper-V has gone through a rigorous and internationally accepted security review.
http://www.bsi.de/zertifiz/zert/reporte.htm#Midsize_Systems
Security Assumptions
Guests are untrusted
Trust relationships
Parent must be trusted by hypervisor
Parent must be trusted by children
Code in guests can run in all available processor modes, rings, and segments
Hypercall interface will be well documented and widely available to attackers
All hypercalls can be attempted by guests
Can detect you are running on a hypervisor
We’ll even give you the version
The internal design of the hypervisor will be well understood
Security Goals
Strong isolation between partitions
Protect confidentiality and integrity of guest data
Separation
Unique hypervisor resource pools per guest
Separate worker processes per guest
Guest-to-parent communications over unique channels
Non-interference
Guests cannot affect the contents of other guests, parent, hypervisor
Guest computations protected from other guests
Guest-to-guest communications not allowed through VM interfaces
Hyper-V & SDL
Hypervisor built with
Stack guard cookies (/GS)
Address Space Layout Randomization (ASLR)
HW Data Execution Prevention
No Execute (NX) AMD
Execute Disable (XD) Intel
Code pages marked read only
Memory guard pages
Hypervisor binary is signed
Entire stack through SDL
Threat modeling
Static Analysis
Fuzz testing & Penetration testing
Hyper-V Security Model
Uses Authorization Manager (AzMan)
Fine grained authorization and access control
Department and role based
Segregate who can manage groups of VMs
Define specific functions for individuals or roles
Start, stop, create, add hardware, change drive image
VM administrators don’t have to be Server 2008 administrators
Guest resources are controlled by per VM configuration files
Shared resources are protected
Read-only (CD ISO file)
Copy on write (differencing disks)
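The slide describes the Authorization Manager (AzMan) model in prose: operations such as start, stop and create are grouped into role definitions, roles are assigned to users or groups, and assignments can be scoped so that one team manages only its own group of VMs. The following is an added example, not code from the deck or from Hyper-V, that evaluates such a policy. The XML is constructed here with a simplified schema (element names only loosely follow AzMan's XML store, and the CONTOSO groups, scope names and operation IDs are invented); it is not Hyper-V's InitialStore.xml.

```python
"""Role-based authorization check modelled on the AzMan policy Hyper-V uses.
Simplified, constructed policy for illustration; not Hyper-V's own store."""
import xml.etree.ElementTree as ET

POLICY_XML = """
<AzAdminManager>
  <AzApplication Name="Hyper-V services">
    <AzOperation Name="Start Virtual Machine" Id="1"/>
    <AzOperation Name="Stop Virtual Machine" Id="2"/>
    <AzOperation Name="Create Virtual Machine" Id="3"/>
    <AzOperation Name="Add Hardware" Id="4"/>
    <AzOperation Name="Change Drive Image" Id="5"/>
    <AzRoleDefinition Name="VM Operator">
      <OperationLink Id="1"/><OperationLink Id="2"/>
    </AzRoleDefinition>
    <AzRoleDefinition Name="VM Administrator">
      <OperationLink Id="1"/><OperationLink Id="2"/><OperationLink Id="3"/>
      <OperationLink Id="4"/><OperationLink Id="5"/>
    </AzRoleDefinition>
    <!-- application-scope assignment: applies to every VM on the host -->
    <AzRoleAssignment Role="VM Administrator" Member="CONTOSO\\hv-admins"/>
    <!-- scoped assignments: each team only reaches its own group of VMs -->
    <AzScope Name="Finance VMs">
      <AzRoleAssignment Role="VM Operator" Member="CONTOSO\\finance-ops"/>
    </AzScope>
    <AzScope Name="HR VMs">
      <AzRoleAssignment Role="VM Administrator" Member="CONTOSO\\hr-admins"/>
    </AzScope>
  </AzApplication>
</AzAdminManager>
"""

APP_SCOPE = None  # sentinel for assignments made at the application level


class HyperVPolicy:
    def __init__(self, xml_text):
        app = ET.fromstring(xml_text).find("AzApplication")
        # operation name -> operation id
        self.operations = {o.get("Name"): o.get("Id")
                           for o in app.findall("AzOperation")}
        # role name -> set of operation ids the role grants
        self.roles = {r.get("Name"): {l.get("Id") for l in r.findall("OperationLink")}
                      for r in app.findall("AzRoleDefinition")}
        # scope name -> [(role, member)]; APP_SCOPE holds host-wide assignments
        self.assignments = {APP_SCOPE: self._assignments(app)}
        for scope in app.findall("AzScope"):
            self.assignments[scope.get("Name")] = self._assignments(scope)

    @staticmethod
    def _assignments(node):
        return [(a.get("Role"), a.get("Member"))
                for a in node.findall("AzRoleAssignment")]

    def access_check(self, member_of, operation, scope):
        """True if one of the principal's groups holds a role, assigned at the
        application level or inside `scope`, whose definition links `operation`.
        Unknown operations or scopes raise instead of silently deciding, so a
        misconfigured caller is noticed; everything else fails closed."""
        op_id = self.operations.get(operation)
        if op_id is None:
            raise ValueError("unknown operation: %s" % operation)
        if scope not in self.assignments:
            raise ValueError("unknown scope: %s" % scope)
        for sc in (APP_SCOPE, scope):
            for role, member in self.assignments[sc]:
                if member in member_of and op_id in self.roles.get(role, set()):
                    return True
        return False


POLICY = HyperVPolicy(POLICY_XML)

if __name__ == "__main__":
    checks = [({"CONTOSO\\finance-ops"}, "Start Virtual Machine", "Finance VMs"),
              ({"CONTOSO\\finance-ops"}, "Create Virtual Machine", "Finance VMs"),
              ({"CONTOSO\\finance-ops"}, "Start Virtual Machine", "HR VMs"),
              ({"CONTOSO\\hv-admins"}, "Change Drive Image", "HR VMs")]
    for groups, op, scope in checks:
        verdict = "allow" if POLICY.access_check(groups, op, scope) else "deny"
        print(sorted(groups), op, "in", scope, "->", verdict)
```

The point the slide makes about VM administrators not needing to be server administrators falls out of the model: the finance operators can start and stop their own VMs and nothing else, and only the host-wide assignment reaches every scope.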
BitLocker – Persistent Protection
Protects Data While a System is Offline
Entire Windows Volume is Encrypted (Hibernation and Page Files)
Delivers Umbrella Protection to Applications (On Encrypted Volume)
Ensures Boot Process Integrity
Protects Against Rootkits – Boot Sector Viruses
Automatically Locks System when Tampering Occurs
Simplifies Equipment Recycling
One-Step Data Wipe – Deleting Access Keys Renders Disk Drive Useless
Mitigating Against External Threats…
Very Real Threat of Data Theft When a System is Stolen, Lost, or Otherwise Compromised (Hacker Tools Exist!)
Decommissioned Systems are not Guaranteed Clean
Increasing Regulatory Compliance on Storage Devices Drives Safeguards (HIPAA, SBA, PIPEDA, GLBA, etc.)
BitLocker Drive Encryption Support in Windows Server 2008/2008 R2
Addresses Leading External Threats by Combining Drive-Level Encryption with Boot Process Integrity Validation
Leverages Trusted Platform Module (TPM) Technology (Hardware Module)
Integrates with Enterprise Ecosystem, Maintaining Keys in Active Directory
Physical Security
Device installation group policies: "no removable devices allowed on this system"
BitLocker: encrypts drives, securing laptops and branch office servers
BitLocker To Go: encrypts removable devices like USB sticks
Includes group policies that say, "don't let the user save data onto a USB stick unless the stick's been encrypted"
Windows Server 2008 R2: SCONFIG
Windows Server Core
Windows Server frequently deployed for a single role
Must deploy and service the entire OS in earlier Windows Server releases
Server Core: minimal installation option
Provides essential server functionality
Command Line Interface only, no GUI Shell
Benefits
Less code results in fewer patches and reduced servicing burden
Low surface area server for targeted roles
Windows Server 2008 Feedback
Love it, but… steep learning curve
Windows Server 2008 R2: introducing "SCONFIG"
Windows Server Core
Server Core: CLI
Easy Server Configuration
Demo: SCONFIG
Hyper-V Best Practices
Parent partition configuration
Use a Server Core installation for the management operating system
Minimize attack surface for the parent partition
Don’t run arbitrary apps, no web surfing
Run your apps and services in guests
Reduced footprint, improved system uptime because there are fewer components that require updates
Keep the management operating system up to date with the latest security updates.
Use a separate network with a dedicated network adapter for the management operating system of the physical Hyper-V computer.
Parent partition configuration (cont’d)
Harden the management operating system using the baseline security setting recommendations described in the Windows Server 2008 Security Compliance Management Toolkit.
Configure any real-time scanning antivirus software components installed on the management operating system to exclude Hyper-V resources.
Do not grant virtual machine administrators permissions on the management operating system.
Use the security level of your virtual machines to determine the security level of your management operating system.
Use BitLocker Drive Encryption to protect resources (when not using CSV).
Antivirus and Hyper-V
Exclude:
VHDs & AVHDs (or directories)
VM configuration directory
VMMS.exe and VMWP.exe
CSV directory (%systemdrive%\clusterstorage)
Run Antivirus in virtual machines as you would normally for a physical machine
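Exclusion lists are usually typed into an AV console by hand, so the practical check is whether what was entered actually covers every resource on the slide's list. The following is an added example, not code from the deck or from any AV product: it normalises Windows paths (environment-variable expansion, case, trailing separators) and reports the recommended resources that no exclusion covers. The directory paths are assumptions standing in for Hyper-V's default locations (the real VHD and configuration paths should be confirmed on each host), and EXCLUSIONS is a constructed stand-in for an AV product's exported configuration.

```python
"""Check an AV real-time-scanning exclusion list against the Hyper-V resources
the slide says to exclude.  Constructed example with assumed default paths."""
import ntpath
import re

# A directory resource is covered by a path exclusion on it or on any parent,
# or (VHD/AVHD files) by excluding both extensions; a process is matched by
# executable name, however the exclusion spells its path.
HYPERV_RESOURCES = [
    {"name": "VHD/AVHD directory", "kind": "dir",
     "path": r"%SystemDrive%\Users\Public\Documents\Hyper-V\Virtual Hard Disks",
     "extensions": {".vhd", ".avhd"}},
    {"name": "VM configuration directory", "kind": "dir",
     "path": r"%SystemDrive%\ProgramData\Microsoft\Windows\Hyper-V"},
    {"name": "CSV directory", "kind": "dir",
     "path": r"%SystemDrive%\ClusterStorage"},
    {"name": "vmms.exe", "kind": "proc"},
    {"name": "vmwp.exe", "kind": "proc"},
]


def normalize(path, env):
    """Expand %VAR% references (case-insensitively) from `env`, then canonicalise
    as a Windows path: single backslashes, no trailing separator, lower case."""
    expanded = re.sub(r"%([^%]+)%",
                      lambda m: env.get(m.group(1).lower(), m.group(0)), path)
    return ntpath.normpath(expanded).lower()


def covers(excluded_dir, resource_dir):
    """True if resource_dir is excluded_dir itself or lies beneath it."""
    return (resource_dir == excluded_dir
            or resource_dir.startswith(excluded_dir.rstrip("\\") + "\\"))


def missing_exclusions(exclusions, env):
    """Return the names of recommended resources that no exclusion covers."""
    dirs = [normalize(p, env) for p in exclusions.get("paths", [])]
    exts = {e.lower() for e in exclusions.get("extensions", [])}
    procs = {ntpath.basename(p).lower() for p in exclusions.get("processes", [])}
    missing = []
    for res in HYPERV_RESOURCES:
        if res["kind"] == "proc":
            ok = res["name"] in procs
        else:
            target = normalize(res["path"], env)
            ok = (any(covers(d, target) for d in dirs)
                  or (bool(res.get("extensions")) and res["extensions"] <= exts))
        if not ok:
            missing.append(res["name"])
    return missing


# Constructed exclusion list, as an admin might have entered it in the AV console.
EXCLUSIONS = {
    "paths": ["%systemdrive%\\clusterstorage\\",
              r"C:\ProgramData\Microsoft\Windows\Hyper-V"],
    "extensions": [".vhd"],                          # .avhd forgotten: snapshots still scanned
    "processes": [r"C:\Windows\System32\vmms.exe"],  # vmwp.exe forgotten
}
ENV = {"systemdrive": "C:"}

if __name__ == "__main__":
    print("not excluded:", missing_exclusions(EXCLUSIONS, ENV))
```

The two gaps it finds in the constructed list (snapshot .avhd files and the per-VM worker process vmwp.exe) are the ones most often missed in practice, because the slide's wording "VHDs" and "VMMS.exe" is easy to read as complete.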
Virtual Machine Configuration
Configure virtual machines to use fixed-sized virtual hard disks (preferred).
Store virtual hard disks and snapshot files in a secure location.
Decide how much memory to assign to a virtual machine.
Impose limits on processor usage.
Configure the virtual network adapters of each virtual machine to connect to the correct type of virtual network to isolate network traffic as required.
Configure only required storage devices for a virtual machine.
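The fixed-size recommendation above is easy to audit, because every VHD carries a 512-byte footer at the end of the file whose disk-type field says whether it is fixed, dynamic or differencing (a snapshot .avhd). The following is an added example, not code from the deck or from Microsoft: it parses that footer according to the published VHD format specification (big-endian fields, one's-complement checksum over the footer with the checksum field zeroed), rejects truncated or corrupted footers, and flags any disk that is not fixed-size. The sample footers are constructed in code and labelled as such; no real disk images are read, though classify_file shows how the same parser is applied to a file.

```python
"""Audit VHDs for the 'use fixed-size virtual hard disks' recommendation by
decoding the trailing footer.  Layout per the VHD format specification."""
import struct

FOOTER_SIZE = 512
COOKIE = b"conectix"
DISK_TYPES = {0: "none", 2: "fixed", 3: "dynamic", 4: "differencing"}
# Fields at offsets 8..68: features, format version, data offset, time stamp,
# creator app, creator version, creator host OS, original size, current size,
# disk geometry, disk type, checksum.
FIELDS = ">IIQI4sI4sQQIII"


def footer_checksum(footer):
    """One's complement of the sum of all footer bytes, checksum field excluded."""
    return (~(sum(footer[:64]) + sum(footer[68:]))) & 0xFFFFFFFF


def parse_footer(footer):
    """Decode a footer; raise ValueError on wrong size, bad cookie or bad checksum."""
    if len(footer) != FOOTER_SIZE:
        raise ValueError("footer must be exactly 512 bytes")
    if footer[:8] != COOKIE:
        raise ValueError("not a VHD footer: cookie mismatch")
    (_features, _version, data_offset, _timestamp, creator_app, _creator_ver,
     _creator_os, original_size, current_size, _geometry, disk_type,
     checksum) = struct.unpack(FIELDS, footer[8:68])
    if checksum != footer_checksum(footer):
        raise ValueError("footer checksum mismatch: truncated or corrupted image")
    return {
        "disk_type": DISK_TYPES.get(disk_type, "reserved(%d)" % disk_type),
        "fixed": disk_type == 2,
        "current_size": current_size,
        "original_size": original_size,
        # fixed disks have no dynamic header, so the data offset is all ones
        "data_offset": data_offset,
        "creator_app": creator_app.decode("ascii", "replace").strip(),
    }


def classify_file(path):
    """Read and parse the trailing footer of a real .vhd/.avhd file."""
    with open(path, "rb") as f:
        f.seek(-FOOTER_SIZE, 2)
        return parse_footer(f.read(FOOTER_SIZE))


def audit(disks):
    """disks: {name: footer bytes}. Return the names that are not fixed-size;
    unparseable footers are flagged too, since both need attention."""
    flagged = []
    for name, footer in disks.items():
        try:
            if not parse_footer(footer)["fixed"]:
                flagged.append(name)
        except ValueError:
            flagged.append(name)
    return flagged


def build_footer(disk_type, size_bytes):
    """Construct a minimal, checksum-valid footer (sample data for the demo)."""
    data_offset = 0xFFFFFFFFFFFFFFFF if disk_type == 2 else FOOTER_SIZE
    body = COOKIE + struct.pack(FIELDS, 2, 0x00010000, data_offset, 0, b"demo",
                                0x00010000, b"Wi2k", size_bytes, size_bytes,
                                0, disk_type, 0)
    body += bytes(16) + bytes(1) + bytes(427)  # unique id, saved state, reserved
    return body[:64] + struct.pack(">I", footer_checksum(body)) + body[68:]


if __name__ == "__main__":
    sample = {"web01.vhd": build_footer(2, 40 << 30),        # constructed
              "db01.vhd": build_footer(3, 200 << 30),        # constructed
              "web01_snap.avhd": build_footer(4, 40 << 30)}  # constructed
    print("not fixed-size:", audit(sample))
```

Verifying the checksum before trusting the disk-type field matters for the audit: a truncated copy or a half-written image would otherwise be classified from whatever bytes happen to sit at the end of the file.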
Virtual Machine Configuration (cont’d)
Harden the operating system running in each virtual machine according to the server role it performs, using the baseline security setting recommendations described in the Windows Server 2008 Security Compliance Management Toolkit.
Configure antivirus, firewall, and intrusion detection software within virtual machines as appropriate based on server role.
Ensure that virtual machines have all the latest security updates before they are turned on in a production environment.
Ensure that your virtual machines have integration services installed.
Cluster Hyper-V Servers
Diagram (labels recovered from the slide): Windows Server 2003 cluster creation; single volume VHD; SAN; concurrent access to a single file system; VHD, VHD.
Hyper-V high availability and migration scenarios are supported by the new Cluster Shared Volumes in Windows Server 2008 R2
Technology within Failover Cluster feature
Single consistent name space
Compatible: NTFS volume
Simplified LUN management
Multiple data stores supported
Enhanced storage availability due to built in redundancy
Scalable as I/O is written directly by each node to the shared volume
Transparent to the VM
Use Cluster Shared Volumes
Don't forget the ICs! Emulated vs. VSC
Installing Integration Components
Storage
BitLocker: great for branch office
VHDs: use fixed virtual hard disks in production
VHD compaction/expansion: run it on a non-production system
Use .isos: great performance; can be mounted and unmounted remotely; a physical DVD can't be shared across multiple VMs; having them in the SCVMM Library is fast & convenient
More Tips…
Mitigate bottlenecks: processors, memory, storage, networking
Turn off screen savers in guests
Windows Server 2003: create VMs as 2-way (two virtual processors) to ensure an MP HAL
Creating Virtual Machines
Use SCVMM Library: templates help standardize configurations
Steps:
1. Create virtual machine
2. Install guest operating system & latest SP
3. Install integration components
4. Install anti-virus
5. Install management agents
6. SYSPREP
7. Add it to the VMM Library
Microsoft Hyper-V Server 2008 R2
Microsoft Hyper-V Server R2: New Features
Live Migration
High Availability
New Processor Support
Second Level Address Translation
Core Parking
Networking Enhancements
TCP/IP Offload Support
VMQ & Jumbo Frame Support
Hot Add/Remove virtual storage
Enhanced scalability
Free download: www.microsoft.com/hvs
Microsoft Virtualization: Customers Win
Virtual Server 2005 R2 (November 2005)
32-bit Guests: Up to 4 GB per VM
Uni-Processor Guests
High Availability via scripts
Up to 8 Cluster Nodes
Windows Server 2008 Hyper-V R1 (June 2008)
16 LP Support / Up to 128 VMs
1 Terabyte Memory
32-bit/64-bit (Up to 64 GB per VM)
SMP Guests
High Performance I/O (VSP/VSC/VMBus)
HA Integrated/Included
Quick Migration Included
Up to 16 Cluster Nodes
Windows Server 2008 R2 Hyper-V R2 (July 2009)
64 LP Support / Up to 384 VMs / Up to 512 VPs
Live Migration
Cluster Shared Volumes
Processor Flexibility
Power Enhancements
10 Gb/E Ready
Hot Add Virtual Storage
Connection Broker for Hosted Desktops
Quick Storage Migration with SCVMM R2
Timeline progression: Greater Performance, More Capabilities; High Availability Built-In, Increased Scalability; Live Migration Built-In, Ready for Next Gen Servers
Online Resources
Microsoft Virtualization Home/Case Studies from customers around the world:
http://www.microsoft.com/virtualization
Windows Server Virtualization Blog Site:
http://blogs.technet.com/virtualization/default.aspx
Windows Server Virtualization TechNet Site:
http://technet2.microsoft.com/windowsserver2008/en/servermanager/virtualization.mspx
MSDN & TechNet Powered by Hyper-V
http://blogs.technet.com/virtualization/archive/2008/05/20/msdn-and-technet-powered-by-hyper-v.aspx
Virtualization Solution Accelerators
http://technet.microsoft.com/en-us/solutionaccelerators/cc197910.aspx
How to install the Hyper-V role
http://www.microsoft.com/windowsserver2008/en/us/hyperv-install.aspx
Windows Server 2008 Hyper-V Performance Tuning Guide
http://www.microsoft.com/whdc/system/sysperf/Perf_tun_srv.mspx
Using Hyper-V & BitLocker White Paper
http://www.microsoft.com/downloads/details.aspx?FamilyID=2c3c0615-baf4-4a9c-b613-3fda14e84545&DisplayLang=en
© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.