Getting Started with the Microsoft Forefront Code Name "Stirling" Virtual Machines in Hyper-V

Ronald BeekelaarBeekelaar ConsultancyVIR301

Objectives

Goals of this session:Using and configuring Hyper-V for testingHow to adapt the Hyper-V VMs to your network environmentHow to get started with the Forefront Stirling VMs

Forefront Stirling (beta 2) Hyper-V VMs are downloadable at www.microsoft.com/stirling

About the PresenterPresenter - Ronald Beekelaar

MVP Windows SecurityMVP Virtual Machine Technology

WorkSecurity consultancyVirtualization consultancyCreate many VM-based labs and demos

Including Forefront Stirling Lab

ContactBeekelaar Consultancyronald@beekelaar.com

Lab and VM Environment

SpecificationsTotal 7 VMsHyper-V only (x64)Need 8 GB memoryIncludes: Stirling, FCSv2, FSE, FSSP, TMG

Plus AD, NAP, Exchange, SharePoint, Outlook

Available:Download at www.microsoft.com/stirling

Hyper-V VersionsNeed:

Win2008 x64 with Hyper-VBios supports NX and hardware VT

Use securable.exe to verify

Win2008 RTM has Hyper-V betahvix64.exe - build 17101 - Jan 2008

Install Hyper-V RTM - KB 950050hvix64.exe - build 18016 - Jun 2008

Install Hyper-V 24-core update - KB 956710hvix64.exe - build 22263 - Sep 2008

Win2008 R2 beta 1hvix64.exe - build 6.1.7000 - Dec 2008

Win2008 R2 RChvix64.exe - build 6.1.7100 - Apr 2009

Install, Register and Run VMs

Run install-script to unpack and register VMsRun start-page to start VMs

SnapshotsPrinciples

Now = vhd-file in Snapshots folder When VM is running, changes go into this vhd-file

Snapshot = Point-in-time, so that you can go back laterWhile VM is off, or while VM is running (includes saved state)Snapshot files and settings will never change later

Apply = Attach new empty Now vhd-file to this snapshotDeletes contents of existing Now vhd-file

Delete = "I don't want to go back to this snapshot, please merge"Merges content into parent, and removes snapshot from UIBut when snapshot is not in Now vhd-file tree, then just delete content

Revert = Re-attach new empty Now vhd-file to current snapshotIs same as: Apply on current snapshot

Snapshots

Snapshot

Apply (= delete Now)

Delete (= merge)

Apply (create branch)

Delete (= delete)

.vhd.avhd

Delete and Merge Snapshots

When deleting a Snapshot:Is snapshot within Now-tree?

Yes - merge snapshot (A or C) with parent fileNo - delete snapshot (B or D)

When deleting a VM:Are there non-empty snapshots in Now-tree?

Yes - merge snapshots (Now+C+A) into vhd-file, before removing VMNo - delete snapshots, and remove VM

Snapshot Data InconsistencyRunning snapshotsNon-running snapshots

Problem:- When restoring snapshot for VM-1 only, VM-1 misses communication B

Solution:- Always restore related snapshots for all VMs

VM-1:

VM-2:BA

VM-1:

VM-2:BA

VM-1:

VM-2:BA C

Problem:- Even when restoring snapshots for all VMs, VM-1 misses communication B

Solution:- Pause* all VMs before taking (and restoring) snapshots

* Note: - You must temporarily un-pause (resume) each VM, when taking a snapshot

VM-1:

VM-2:A C

Hyper-V Data TransferProblem:

How to get data or files in or out of a VM?

Non-solutions: Drag-and-Drop Shared Folders Copy/Paste through VM Connection (RDP)

Solutions:A (running) Configure host - VM networkingB (offline) Use VHD mounting

Is difficult with snapshot files (avhd)Watch out for NTFS symlinks

C (Hyper-V R2) Hot add-remove vhd-filesD (in-only) Create and mount ISO-fileE (clipboard) Paste text (in), or copy screen (out)F (scripting) Use key-value-pair (KVP) exchange

Read/write VM registry keys from parentIs part of Integration Components

Hyper-V Data TransferOffline VHD Mounting

Exists in:Virtual Server - vhdmount.exeHyper-V - wmi scriptingWin7/Win2008R2 - Native VHD

Issues with offline VHD mountingFile permissions and access controlNTFS Symlink pointers to other drivesDifficult to mount snapshot files (avhd)

NetworkingPrinciples

Parent has physical network adapter(s)Each guest (and parent) has virtual network adapter(s)Each virtual network adapter is connected to a virtual switchType of virtual switch is:

External – connect to physical network adapterInternal – parent and guests connections onlyPrivate – guest connections only

ConfigurationUse Virtual Network Manager to create virtual switchesUse VM Settings to assign virtual network adapter to switch

- physical network adapter- virtual network adapter- virtual switch

NetworkingVirtual switch types

Parent

Application

GuestApp Guest

App

Parent

Application

GuestApp Guest

App

Private

Parent

Application

GuestApp Guest

App

Internal

ExternalParent

Application

GuestApp Guest

App

No IP

IP IP

IP

- physical network adapter- virtual network adapter- virtual switch

ICS

Scripting Hyper-VWMI scripting

Hyper-V uses WMI for scriptingVirtual Server uses COM objectsWMI reference: http://msdn.microsoft.com/en-us/library/aa155190.aspx

Golden tip for WMI scripting: WMI object are copies, not live objects

Difficulty with Hyper-V WMI model: Need to understand what RASDs are Many operation calls are asynchronuos

'pseudo wmi code

dim VM : set VM = wmihv.ExecQuery("select ...")VM.Start 'VM is running

Msgbox VM.Status 'status shows not-running (!)

set objOutParams = computerSystem.ExecMethod_("RequestStateChange", objInParam)if (WMIMethodStarted(objOutParams)) then if (WMIJobCompleted(objOutParams)) then WriteLog Format1("VM {0} was started successfully", computerSystem.ElementName) RequestStateChange = true end ifend if

Scripting Hyper-VExamples

VBScript - example from Ronald BeekelaarSet-known-network-ID.vbs

PowerShell - example from James O'NeillSee http://www.codeplex.com/PSHyperv

... dim i for i = 0 to adapters.Count-1 dim adapter : set adapter = adapters.ItemIndex(i) adapter.VirtualSystemIdentifiers = Array(GetKnownAdapterGuid(i+1)) ModifyRasd vm, adapter next...

..Filter Get-VMNicport{Param ($nic) if ($nic -eq $null) {$nic=$_} if ($nic -is [System.Management.ManagementObject]) { Get-WmiObject -computerName $nic.__server -NameSpace "root\virtualization" -Query "Select * From Msvm_SwitchPort where __Path='$( $nic.connection[0] )'" } $nic=$null }#Example: Get-VMNic $core -legacy -vmbus | get-vmNicPort...

Moving VMs to other computersMethod 1: Export/import

Official method: Export / ImportIssues: Base vhd-file is copied for each VM

Suggestion: delete extra copies, and relink diff-disks Requires same network (switch) name at target

computerSuggestion: use standard network name

Can only import one timeSuggestion: copy configuration file (exp-file) before import

Moving VMs to other computersMethod 2: Recreate VM configuration

Common method with Virtual PC/Virtual Server1 Take vhd-file2 Create new VM, by using vhd-file

Issues: Lose IP configuration inside VM

Due to newly detected virtual network adapterNetwork adapter (synthetic) has random hardware idin configuration xml-file

<?xml version="1.0" encoding="UTF-16" standalone="yes"?><configuration> <_09bbc919-72c8-4100-89fc-1bf856fe8090_> <ChannelInstanceGuid type="string">{07f9fba5-432a-4af3-be59-b299093e15bf}</ChannelInstanceGuid> <FriendlyName type="string">Network Adapter</FriendlyName> <MacAddress type="string">00-15-5D-00-10-00</MacAddress> <MacAddressIsStatic type="bool">False</MacAddressIsStatic> <PortName type="string">137A5DBF-2B3F-447F-BEC4-3E9A5A724D01</PortName> <SwitchName type="string">8e3a359f-559a-4b6a-98a9-1690a6100ed7</SwitchName>...

Info: NetworkingVirtual network adapter types

Two types of virtual network adapters in guestLegacy network adapter

Is common Intel 21140 PCI network adapterNetwork adapter

Is synthetic adapter for VMBusRequires Integration ComponentsUses unique hardware id in xml-file

Moving VMs to other computersMethod 2: Recreate VM configuration (cont'd)

Solution (1) to network adapter issue: Use same hardware id in xml-file

Only possible, if you know original hardware idTip: use well-known hardware id: {1111..}, {2222...}, etc

Because xml-file is locked by Hyper-V,need Hyper-V script to change hardware id in xml-file

Example: Set-known-network-ID.vbs

Solution (2) to network adapter issue: Use legacy network adapter,

instead of (synthetic) network adapter

<?xml version="1.0" encoding="UTF-16" standalone="yes"?><configuration> <_09bbc919-72c8-4100-89fc-1bf856fe8090_> <ChannelInstanceGuid type="string">{11111111-1111-1111-1111-111111111111}</Chan...> ...

Moving VMs to other computersMethod 3: Create symlink to register VM

For each VM, Hyper-V uses "shortcut" to xml-fileIn folder:C:\ProgramData\Microsoft\Windows\Hyper-V\Virtual MachinesShortcut is symbolic link to xml-file

Use mklink guid.xml D:\Lab\Virtual Machines\guid.xml

Issues: Completely unsupported Must have correct file permissions

Uses NT Virtual Machine "domain" Must have all xml-files, disk files (vhd), and snapshot files

(avhd) in correctly named folders

Permissions and AccessVM Accounts

Hyper-V assigns Read/Write permissionsTo certain special VM accountsOn vhd-files and other files and folders

VM accountsEach VM has own guid-named "user" account in"NT VIRTUAL MACHINE" domain

Example: NT VIRTUAL MACHINE\0256A619-112F-.. (guid)Similar to "BUILTIN\Administrators" and "NT AUTHORITY\System"

You can use icacls.exe to list and assign permissions to these VM accounts

Permissions and AccessDelegation of Control (Azman)

Use Azman.msc to assign roles to accountsOpenC:\ProgramData\Microsoft\Windows\Hyper-V\InitialStore.xml

Concept:Operations or Tasks > Role > User or Group account

See- http://blogs.msdn.com/virtual_pc_guy/archive/2008/01/17/allowing-non-administrators-to-control-hyper-v.aspx

Permissions and AccessRemote Management (hvremote)

Issue:Very difficult to configure remote management if not in domain

Steps1 (client/server) Create duplicate user/password

2 (server) Allow WMI through firewall3 (server) Grant DCOM permissions to user - dcomcnfg.exe4 (server) Grant WMI permissions on root\cimv2 and root\virtualization5 (server) Grant Hyper-V permissions to user - azman.msc

6 (client) Allow WMI and mmc.exe through firewall7 (client) Grant DCOM permissions to anonymous (callback) - dcomcnfg.exe 8 (client) Configure "allow default credentials" - gpedit.msc

Or run hvremote.wsf - John HowardSee http://code.msdn.microsoft.com/hvremote

Hyper-V book

Windows Server 2008 Hyper-VWritten by John Kelbley, Mike Sterling, Allen Stewart

Available in conference store

Overview of StirlingForefront Stirling

Forefront Stirling - Versions

Antigen

Client

Server

EdgeISA 2006

Forefrontfor Exchange

Others

Forefrontfor SharePoint

IAG 2007

Stirling v1Forefront

for Exchange

Forefrontfor SharePoint

TMG 2010

Stirling v2

ForefrontClient Security FCS v2

Forefrontfor OCS

Now Future

Forefrontfor OCS v2

UAG UAG v2

. . .

Stirling Integration

Desktops, Laptops and Servers

Stirling Core Server

Exchange Servers

SharePoint Servers

Threat Management

Gateway Servers

Microsoft Update

Virus &Spyware Definitions

Events

Settings

Events

Settings

Events

Settings

Stirling Console

Systems Center

Operations

Manager

Windows Server Update Services (WSUS)

Stirling Data Analysis & Collection Servers Events

Settings

Forefront Security Assessment Channel

Reports Policies

Stirling Policies

1. Define Target Groups of computersBased on queries, OU, computer name, etc

2. Centrally configure settingsFor all Forefront productsUse Policy Units within a Stirling Policy

3. Bind each Stirling Policy to a Target Group

Deployed by SCOM 2007 R2 → SCOM AgentNote: does not use Group Policy for deployment

Agents on Clients

SCOM 2007 AgentIs only the "transport" vehicle

Receives policies and tasksSends events to Stirling Server

Stirling AgentIs the "dispatcher"

Communicates with SCOM Agentand with Asset Protection Technology (APT)

APTsDo the "work"

FCS (Host Protection)Forefront for ExchangeTMGUAGWindows FirewallGroup PolicyEtc.

SCOM 2007Agent

StirlingAgent

FCS(Host Protection)

FW GPO . . .

Client

Server

EventLogs

Group Policies vs Stirling PoliciesDifferences:

FCSv1 uses GPO to deploy policiesStirling/FCSv2 use SCOM 2007 agent (management packs)

Reasons for changeSpeed of deploymentReporting successful deploymentSingle "policy unit" UI combined withremediation and network access restriction

Question:What if both Group Policies and Stirling Policies are defined forsimilar settings (example: Windows firewall configuration)?Answer:

Stirling Agent configure Local GPO,and then triggers GPO processing on client

Levels of reaction

Security State Assessment (on the client)Policy specifies "desired" settings

a) Report current setting to StirlingCollect current IE security settings

b) Change setting to desired value (remediate)When FCS service stops, start it againWhen guest is enabled, disable guest

c) Restrict network access (uses NAP)When IE setting is insecure, block network access

Assessment sharing and dynamic responseClient detects vulnerability or compromiseClient sends "assessment" to Stirling serverStirling combines assessments

d) Dynamic response send to other assetsFor currently logged-on user (user) on client computer (client),that performs suspicious port scan (TMG),block outgoing email (FSE), and trigger full AM-scan (client)

Security Assessments ChannelTMG identifies malware on VENICE computer attempting to propagate (PortScan)

Security Admin

Venice (computer) Marco (user)

Malicious Web Site

Web

Forefront TMG

Client Security

CompromisedComputer: VENICEFidelity: HighSeverity: HighExpire: Wed

CompromisedUser: MARCOFidelity: LowSeverity: HighExpire: Wed

Stirling Core

ADNAP

FCS identifies MARCO has logged on to

VENICE

Alert

Scan Computer

Block Email

Reset Account

Quarantine

Security Assessment Sharing ( )With Dynamic Response ( )Responses

Update Signatures

Signatures:FCS – antivirus, antispywareTMG – antivirus (HTTP+SMTP), NISFSE/FSSP – antivirus

Connect VMs to Internet

TMG: Outbound SSL Filtering

For Web publishing, inbound SSL Bridging iswell-known (ISA Server 2000)Issue:

Cannot inspect outbound traffic in encrypted tunnel (SSL)

Solution:Use SSL Bridging on outbound SSL connectionsDifference with Web publishing is that client can go to many different Web sites

TMG: Outbound SSL Filtering

In Web browser:https://www.fabrikam.com

www.fabrikam.com

In TMG request:https://www.fabrikam.com

www.fabrikam.com

SSL

Request

Certificate

SSL

Request

Certificate

question & answerronald@beekelaar.com

www.microsoft.com/teched

Sessions On-Demand & Community

http://microsoft.com/technet

Resources for IT Professionals

http://microsoft.com/msdn

Resources for Developers

www.microsoft.com/learningMicrosoft Certification and Training Resources

www.microsoft.com/learning

Microsoft Certification & Training Resources

Resources

ResourcesFor more information on Microsoft Virtualization including:

WhitepapersProduct DownloadsCase StudiesROI CalculatorsSolutions with Partners

Visit: www.microsoft.com/virtualization

Be sure to stop by the TLC area to speak with subject-matter-experts and see live product demos

Complete an evaluation on CommNet and enter to win!

© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS,

IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.