Getting Started with the Microsoft Forefront Code Name "Stirling" Virtual Machines in Hyper-V
Ronald Beekelaar, Beekelaar Consultancy, VIR301
Objectives
Goals of this session:
- Using and configuring Hyper-V for testing
- How to adapt the Hyper-V VMs to your network environment
- How to get started with the Forefront Stirling VMs
Forefront Stirling (beta 2) Hyper-V VMs are downloadable at www.microsoft.com/stirling
About the Presenter
Presenter - Ronald Beekelaar
- MVP Windows Security
- MVP Virtual Machine Technology
Work
- Security consultancy
- Virtualization consultancy
- Create many VM-based labs and demos
  Including Forefront Stirling Lab
Contact
Beekelaar Consultancy - [email protected]
Lab and VM Environment
Specifications
- Total 7 VMs
- Hyper-V only (x64)
- Need 8 GB memory
- Includes: Stirling, FCSv2, FSE, FSSP, TMG
  Plus AD, NAP, Exchange, SharePoint, Outlook
Available:
- Download at www.microsoft.com/stirling
Hyper-V Versions
Need:
- Win2008 x64 with Hyper-V
- BIOS supports NX and hardware VT
  Use securable.exe to verify
- Win2008 RTM has Hyper-V beta - hvix64.exe build 17101 - Jan 2008
- Install Hyper-V RTM - KB 950050 - hvix64.exe build 18016 - Jun 2008
- Install Hyper-V 24-core update - KB 956710 - hvix64.exe build 22263 - Sep 2008
- Win2008 R2 beta 1 - hvix64.exe build 6.1.7000 - Dec 2008
- Win2008 R2 RC - hvix64.exe build 6.1.7100 - Apr 2009
Install, Register and Run VMs
- Run install-script to unpack and register VMs
- Run start-page to start VMs
Snapshots
Principles
- Now = vhd-file in Snapshots folder. When VM is running, changes go into this vhd-file
- Snapshot = Point-in-time, so that you can go back later
  While VM is off, or while VM is running (includes saved state)
  Snapshot files and settings will never change later
- Apply = Attach new empty Now vhd-file to this snapshot
  Deletes contents of existing Now vhd-file
- Delete = "I don't want to go back to this snapshot, please merge"
  Merges content into parent, and removes snapshot from UI
  But when snapshot is not in Now vhd-file tree, then just delete content
- Revert = Re-attach new empty Now vhd-file to current snapshot
  Is same as: Apply on current snapshot
Snapshots
[Diagram: snapshot tree of .vhd and .avhd files, with the operations Snapshot, Apply (= delete Now), Delete (= merge), Apply (create branch) and Delete (= delete)]
Delete and Merge Snapshots
When deleting a Snapshot: Is snapshot within Now-tree?
- Yes - merge snapshot (A or C) with parent file
- No - delete snapshot (B or D)
When deleting a VM: Are there non-empty snapshots in Now-tree?
- Yes - merge snapshots (Now+C+A) into vhd-file, before removing VM
- No - delete snapshots, and remove VM
Snapshot Data Inconsistency
[Diagram: timelines of VM-1 and VM-2 with communications A, B and C between them, for running snapshots and for non-running snapshots]
Problem:
- When restoring snapshot for VM-1 only, VM-1 misses communication B
Solution:
- Always restore related snapshots for all VMs
Problem:
- Even when restoring snapshots for all VMs, VM-1 misses communication B
Solution:
- Pause* all VMs before taking (and restoring) snapshots
* Note: - You must temporarily un-pause (resume) each VM, when taking a snapshot
Hyper-V Data Transfer
Problem:
- How to get data or files in or out of a VM?
Non-solutions:
- Drag-and-Drop
- Shared Folders
- Copy/Paste through VM Connection (RDP)
Solutions:
- A (running) Configure host - VM networking
- B (offline) Use VHD mounting
  Is difficult with snapshot files (avhd)
  Watch out for NTFS symlinks
- C (Hyper-V R2) Hot add-remove vhd-files
- D (in-only) Create and mount ISO-file
- E (clipboard) Paste text (in), or copy screen (out)
- F (scripting) Use key-value-pair (KVP) exchange
  Read/write VM registry keys from parent
  Is part of Integration Components
Hyper-V Data Transfer
Offline VHD Mounting
Exists in:
- Virtual Server - vhdmount.exe
- Hyper-V - WMI scripting
- Win7/Win2008R2 - Native VHD
Issues with offline VHD mounting
- File permissions and access control
- NTFS Symlink pointers to other drives
- Difficult to mount snapshot files (avhd)
Networking
Principles
- Parent has physical network adapter(s)
- Each guest (and parent) has virtual network adapter(s)
- Each virtual network adapter is connected to a virtual switch
- Type of virtual switch is:
  External – connect to physical network adapter
  Internal – parent and guests connections only
  Private – guest connections only
Configuration
- Use Virtual Network Manager to create virtual switches
- Use VM Settings to assign virtual network adapter to switch
[Diagram legend: physical network adapter, virtual network adapter, virtual switch]
Networking
Virtual switch types
[Diagram: four Parent/Guest configurations (Private, Internal, External, and External with ICS), each showing applications in the parent and guests, with "No IP" and "IP" labels on the adapters. Legend: physical network adapter, virtual network adapter, virtual switch]
Scripting Hyper-V
WMI scripting
- Hyper-V uses WMI for scripting
- Virtual Server uses COM objects
- WMI reference: http://msdn.microsoft.com/en-us/library/aa155190.aspx
Golden tip for WMI scripting: WMI objects are copies, not live objects
Difficulty with Hyper-V WMI model:
- Need to understand what RASDs are
- Many operation calls are asynchronous

'pseudo wmi code
dim VM : set VM = wmihv.ExecQuery("select ...")
VM.Start                'VM is running
Msgbox VM.Status        'status shows not-running (!) - VM is a copy taken before Start

'RequestStateChange returns before the VM has changed state; the work runs in a job
set objOutParams = computerSystem.ExecMethod_("RequestStateChange", objInParam)
if (WMIMethodStarted(objOutParams)) then
    if (WMIJobCompleted(objOutParams)) then
        WriteLog Format1("VM {0} was started successfully", computerSystem.ElementName)
        RequestStateChange = true
    end if
end if
Scripting Hyper-V
Examples
VBScript - example from Ronald Beekelaar: Set-known-network-ID.vbs
PowerShell - example from James O'Neill: see http://www.codeplex.com/PSHyperv

...
dim i
for i = 0 to adapters.Count-1
    dim adapter : set adapter = adapters.ItemIndex(i)
    adapter.VirtualSystemIdentifiers = Array(GetKnownAdapterGuid(i+1))
    ModifyRasd vm, adapter
next
...

...
Filter Get-VMNicport
{
    Param ($nic)
    if ($nic -eq $null) {$nic=$_}
    if ($nic -is [System.Management.ManagementObject]) {
        Get-WmiObject -computerName $nic.__server -NameSpace "root\virtualization" -Query "Select * From Msvm_SwitchPort where __Path='$( $nic.connection[0] )'"
    }
    $nic=$null
}
#Example: Get-VMNic $core -legacy -vmbus | get-vmNicPort
...
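The two difficulties named on the WMI scripting slide (objects are copies, calls are asynchronous) in one working script. This is an added example, not code from the slides or from the PSHyperv project; it assumes the Hyper-V v1 namespace root\virtualization and takes the lab VM name as a parameter.

```powershell
# Added example: start a Hyper-V (v1) VM through WMI, wait for the asynchronous
# job, then re-read the VM object to see the new state.
# Assumption: namespace root\virtualization; $VMName is a lab VM name to replace.
param([string]$VMName = "Stirling")

$ns = "root\virtualization"

function Get-LabVM([string]$Name) {
    # Msvm_ComputerSystem also describes the parent partition; Caption filters it out.
    Get-WmiObject -Namespace $ns -Class Msvm_ComputerSystem `
        -Filter "ElementName='$Name' AND Caption='Virtual Machine'"
}

function Wait-WmiJob([string]$JobPath) {
    # JobState 3 = starting, 4 = running, 7 = completed; anything else is a failure.
    $job = [wmi]$JobPath
    while ($job.JobState -eq 3 -or $job.JobState -eq 4) {
        Start-Sleep -Milliseconds 500
        $job.Get()      # refresh: a WMI object is a copy, it does not update itself
    }
    if ($job.JobState -ne 7) { throw "Job failed: $($job.ErrorDescription)" }
}

$vm = Get-LabVM $VMName
if (-not $vm) { throw "VM '$VMName' not found" }

# RequestedState 2 = Enabled (start), 3 = Disabled (turn off)
$result = $vm.RequestStateChange(2)
switch ($result.ReturnValue) {
    0       { }                              # completed synchronously
    4096    { Wait-WmiJob $result.Job }      # job started, wait for it to finish
    default { throw "RequestStateChange returned $($result.ReturnValue)" }
}

# $vm still holds the copy taken before the call; query again to see
# EnabledState 2 (running) instead of the stale value.
$vm = Get-LabVM $VMName
"{0}: EnabledState={1}" -f $vm.ElementName, $vm.EnabledState
```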
Moving VMs to other computers
Method 1: Export/import
Official method: Export / Import
Issues:
- Base vhd-file is copied for each VM
  Suggestion: delete extra copies, and relink diff-disks
- Requires same network (switch) name at target computer
  Suggestion: use standard network name
- Can only import one time
  Suggestion: copy configuration file (exp-file) before import
Moving VMs to other computers
Method 2: Recreate VM configuration
Common method with Virtual PC/Virtual Server
1 Take vhd-file
2 Create new VM, by using vhd-file
Issues:
- Lose IP configuration inside VM
  Due to newly detected virtual network adapter
  Network adapter (synthetic) has random hardware id in configuration xml-file

<?xml version="1.0" encoding="UTF-16" standalone="yes"?>
<configuration>
  <_09bbc919-72c8-4100-89fc-1bf856fe8090_>
    <ChannelInstanceGuid type="string">{07f9fba5-432a-4af3-be59-b299093e15bf}</ChannelInstanceGuid>
    <FriendlyName type="string">Network Adapter</FriendlyName>
    <MacAddress type="string">00-15-5D-00-10-00</MacAddress>
    <MacAddressIsStatic type="bool">False</MacAddressIsStatic>
    <PortName type="string">137A5DBF-2B3F-447F-BEC4-3E9A5A724D01</PortName>
    <SwitchName type="string">8e3a359f-559a-4b6a-98a9-1690a6100ed7</SwitchName>
    ...
Info: Networking
Virtual network adapter types
Two types of virtual network adapters in guest
- Legacy network adapter
  Is common Intel 21140 PCI network adapter
- Network adapter
  Is synthetic adapter for VMBus
  Requires Integration Components
  Uses unique hardware id in xml-file
Moving VMs to other computers
Method 2: Recreate VM configuration (cont'd)
Solution (1) to network adapter issue: Use same hardware id in xml-file
- Only possible, if you know original hardware id
  Tip: use well-known hardware id: {1111..}, {2222...}, etc
- Because xml-file is locked by Hyper-V, need Hyper-V script to change hardware id in xml-file
  Example: Set-known-network-ID.vbs
Solution (2) to network adapter issue: Use legacy network adapter, instead of (synthetic) network adapter

<?xml version="1.0" encoding="UTF-16" standalone="yes"?>
<configuration>
  <_09bbc919-72c8-4100-89fc-1bf856fe8090_>
    <ChannelInstanceGuid type="string">{11111111-1111-1111-1111-111111111111}</Chan...>
    ...
Moving VMs to other computers
Method 3: Create symlink to register VM
- For each VM, Hyper-V uses "shortcut" to xml-file
  In folder: C:\ProgramData\Microsoft\Windows\Hyper-V\Virtual Machines
  Shortcut is symbolic link to xml-file
  Use mklink guid.xml "D:\Lab\Virtual Machines\guid.xml" (quotes needed because the path contains spaces)
Issues:
- Completely unsupported
- Must have correct file permissions
  Uses NT Virtual Machine "domain"
- Must have all xml-files, disk files (vhd), and snapshot files (avhd) in correctly named folders
Permissions and Access
VM Accounts
- Hyper-V assigns Read/Write permissions
  To certain special VM accounts
  On vhd-files and other files and folders
- VM accounts
  Each VM has own guid-named "user" account in "NT VIRTUAL MACHINE" domain
  Example: NT VIRTUAL MACHINE\0256A619-112F-.. (guid)
  Similar to "BUILTIN\Administrators" and "NT AUTHORITY\System"
- You can use icacls.exe to list and assign permissions to these VM accounts
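How to find a VM's GUID-named account and use icacls.exe on its disk files, which is also the permission fix needed after the unsupported symlink registration of Method 3. This is an added example, not from the slides; it assumes the Hyper-V v1 namespace root\virtualization, and $VMName and $DiskFolder are placeholders for the lab. The slides only say Hyper-V assigns Read/Write, so the (M) modify right used below is an assumption.

```powershell
# Added example: resolve a VM's "NT VIRTUAL MACHINE" account and list/grant
# permissions on its vhd/avhd files with icacls.exe.
# Assumptions: namespace root\virtualization; $VMName and $DiskFolder are placeholders;
# (M) modify is used as the Read/Write grant, Hyper-V's own mask may differ.
param(
    [string]$VMName = "Stirling",
    [string]$DiskFolder = "D:\Lab\Virtual Machines\Stirling"
)

# The VM's WMI Name property is the GUID that also names its account.
$vm = Get-WmiObject -Namespace "root\virtualization" -Class Msvm_ComputerSystem `
        -Filter "ElementName='$VMName' AND Caption='Virtual Machine'"
if (-not $vm) { throw "VM '$VMName' not found" }
$account = "NT VIRTUAL MACHINE\$($vm.Name)"

$disks = Get-ChildItem -Path $DiskFolder -Recurse -Include *.vhd, *.avhd

# 1. List current ACLs, to see whether the VM account is missing
#    (typical after copying disk files by hand or registering via symlink).
foreach ($d in $disks) { icacls.exe $d.FullName }

# 2. Grant the VM account modify access on each disk file.
foreach ($d in $disks) {
    icacls.exe $d.FullName /grant "${account}:(M)"
}

# 3. Verify: the account must now appear in the ACL of every disk file.
foreach ($d in $disks) {
    $acl = icacls.exe $d.FullName
    if (-not ($acl -match [regex]::Escape($account))) {
        Write-Warning "$($d.FullName): $account not found in ACL"
    }
}
```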
Permissions and Access
Delegation of Control (Azman)
- Use Azman.msc to assign roles to accounts
  Open C:\ProgramData\Microsoft\Windows\Hyper-V\InitialStore.xml
- Concept: Operations or Tasks > Role > User or Group account
- See http://blogs.msdn.com/virtual_pc_guy/archive/2008/01/17/allowing-non-administrators-to-control-hyper-v.aspx
Permissions and Access
Remote Management (hvremote)
Issue: Very difficult to configure remote management if not in domain
Steps
1 (client/server) Create duplicate user/password
2 (server) Allow WMI through firewall
3 (server) Grant DCOM permissions to user - dcomcnfg.exe
4 (server) Grant WMI permissions on root\cimv2 and root\virtualization
5 (server) Grant Hyper-V permissions to user - azman.msc
6 (client) Allow WMI and mmc.exe through firewall
7 (client) Grant DCOM permissions to anonymous (callback) - dcomcnfg.exe
8 (client) Configure "allow default credentials" - gpedit.msc
Or run hvremote.wsf - John Howard
See http://code.msdn.microsoft.com/hvremote
Hyper-V book
Windows Server 2008 Hyper-V
Written by John Kelbley, Mike Sterling, Allen Stewart
Available in conference store
Overview of Stirling
Forefront Stirling
Forefront Stirling - Versions
[Diagram: product roadmap with rows Client, Server, Edge and Others, and columns Now, Stirling v1, Stirling v2 and Future. Products shown: Antigen, Forefront Client Security / FCS v2, Forefront for Exchange, Forefront for SharePoint, Forefront for OCS / Forefront for OCS v2, ISA 2006, IAG 2007, TMG 2010, UAG / UAG v2, ...]
Stirling Integration
[Diagram: Stirling Core Server (Stirling Console, Stirling Data Analysis & Collection Servers, Reports, Policies, Forefront Security Assessment Channel) exchanging Events and Settings with Desktops, Laptops and Servers, Exchange Servers, SharePoint Servers and Threat Management Gateway Servers. Also shown: Systems Center Operations Manager, Windows Server Update Services (WSUS), Microsoft Update, and Virus & Spyware Definitions]
Stirling Policies
1. Define Target Groups of computers
   Based on queries, OU, computer name, etc
2. Centrally configure settings
   For all Forefront products
   Use Policy Units within a Stirling Policy
3. Bind each Stirling Policy to a Target Group
Deployed by SCOM 2007 R2 → SCOM Agent
Note: does not use Group Policy for deployment
Agents on Clients
- SCOM 2007 Agent
  Is only the "transport" vehicle
  Receives policies and tasks
  Sends events to Stirling Server
- Stirling Agent
  Is the "dispatcher"
  Communicates with SCOM Agent and with Asset Protection Technology (APT)
- APTs
  Do the "work"
  FCS (Host Protection), Forefront for Exchange, TMG, UAG, Windows Firewall, Group Policy, Etc.
[Diagram: on a Client or Server, the SCOM 2007 Agent, the Stirling Agent and APTs such as FCS (Host Protection), FW and GPO ..., with Event Logs]
Group Policies vs Stirling Policies
Differences:
- FCSv1 uses GPO to deploy policies
- Stirling/FCSv2 use SCOM 2007 agent (management packs)
Reasons for change
- Speed of deployment
- Reporting successful deployment
- Single "policy unit" UI combined with remediation and network access restriction
Question: What if both Group Policies and Stirling Policies are defined for similar settings (example: Windows firewall configuration)?
Answer: Stirling Agent configures Local GPO, and then triggers GPO processing on client
Levels of reaction
Security State Assessment (on the client)
Policy specifies "desired" settings
a) Report current setting to Stirling
   Collect current IE security settings
b) Change setting to desired value (remediate)
   When FCS service stops, start it again
   When guest is enabled, disable guest
c) Restrict network access (uses NAP)
   When IE setting is insecure, block network access
Assessment sharing and dynamic response
- Client detects vulnerability or compromise
- Client sends "assessment" to Stirling server
- Stirling combines assessments
d) Dynamic response sent to other assets
   For currently logged-on user (user) on client computer (client), that performs suspicious port scan (TMG), block outgoing email (FSE), and trigger full AM-scan (client)
Security Assessments Channel
[Diagram: Security Assessment Sharing with Dynamic Response. Marco (user) on Venice (computer) reaches a Malicious Web Site through Forefront TMG. TMG identifies malware on VENICE computer attempting to propagate (PortScan) and shares the assessment "Compromised - Computer: VENICE - Fidelity: High - Severity: High - Expire: Wed". FCS identifies MARCO has logged on to VENICE and shares "Compromised - User: MARCO - Fidelity: Low - Severity: High - Expire: Wed". Stirling Core, AD, NAP, Client Security and the Security Admin are shown, with the Responses: Alert, Scan Computer, Block Email, Reset Account, Quarantine]
Update Signatures
Signatures:
- FCS – antivirus, antispyware
- TMG – antivirus (HTTP+SMTP), NIS
- FSE/FSSP – antivirus
Connect VMs to Internet
TMG: Outbound SSL Filtering
For Web publishing, inbound SSL Bridging is well-known (ISA Server 2000)
Issue:
- Cannot inspect outbound traffic in encrypted tunnel (SSL)
Solution:
- Use SSL Bridging on outbound SSL connections
- Difference with Web publishing is that client can go to many different Web sites
TMG: Outbound SSL Filtering
[Diagram: two SSL legs, each with a Request and a Certificate for www.fabrikam.com: in the Web browser, https://www.fabrikam.com to TMG; in the TMG request, https://www.fabrikam.com from TMG to the Web site]
Questions & Answers: [email protected]
www.microsoft.com/teched
Sessions On-Demand & Community
http://microsoft.com/technet
Resources for IT Professionals
http://microsoft.com/msdn
Resources for Developers
www.microsoft.com/learning
Microsoft Certification & Training Resources
Resources
For more information on Microsoft Virtualization including:
- Whitepapers
- Product Downloads
- Case Studies
- ROI Calculators
- Solutions with Partners
Visit: www.microsoft.com/virtualization
Be sure to stop by the TLC area to speak with subject-matter-experts and see live product demos
Complete an evaluation on CommNet and enter to win!
© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.