Windows 7 Windows Server 2008 R2 VirtualizationVirtualization Heterogeneous Server Environment...

Joint Business Launch WINDOWS SERVER 2008 R2 HYPER-V SECURITY & BEST PRACTICES VIJAY TEWARI, PRINCIPAL PROGRAM MANAGER, WINDOWS SERVER NOV 17, 2009


Page 2:

Announcing: Microsoft Assessment & Planning Toolkit 5.0 Customer Technology Preview

http://connect.microsoft.com

Page 3:

MAP: User Interface & Reports

Server Migration & Virtualization Candidates

Windows 7

Windows Server 2008 R2

Virtualization

• Heterogeneous Server Environment Inventory Linux, Unix & VMware
• Windows 7 & Server 2008 R2 HW & Device Compatibility Assessment
• Speed up Planning with Actionable Proposals and Assessments
• Agentless operation
• Collect Inventory of Servers, Desktops and Applications
• Offers Recommendations for Server/Application Virtualization
• Works with the Virtualization ROI Tool to generate ROI calculations
• More on MAP: http://www.microsoft.com/map

Page 4:

Announcing: Visual Studio Team System 2010 Lab Management Beta 2

Page 5:

VSTS Lab Management Beta 2

Scenarios

Create and manage virtual or physical environments

Take environment snapshots or revert to existing snapshots for virtual environments

Interact with the virtual machines in the environments through environment viewer

Define test settings for the environments

New Beta 2 Features

Simplified Environment creation & edit experience

Full-screen environment viewer

Out of the box template for application build-deploy-test workflow

Network isolation with support for domain controller Virtual Machines

“In-Use” support for shared environments

Page 6:

VSTS “Environments”

A typical multi-tier application consists of multiple roles: Database Server, Web Server, Client, etc.

An environment is a set of roles that are required to run a specific application and the lab machines to be used for each role.

Managing environments for multi-tier applications is an error-prone task today.

Replicating the same environment at the same or another site is an even bigger problem.

Page 7:

Agenda

• Virtualization Requirements
• Hyper-V Security
• Hyper-V & Storage
• Windows Server 2008 R2: SCONFIG
• Best Practices & Tips and Tricks
• Microsoft Hyper-V Server 2008 R2

Page 8:

Virtualization Requirements

• Scheduler
• Memory Management
• VM State Machine
• Virtualized Devices
• Storage Stack
• Network Stack
• Ring Compression (optional)
• Drivers
• Management API

Page 9:

Hyper-V Architecture

[Diagram labels: Parent Partition (Virtualization Stack: VM Worker Processes, VM Service, WMI Provider; Virtualization Service Providers (VSPs); Windows Kernel; Server Core; Device Drivers); Child Partition (Guest Applications; Virtualization Service Clients (VSCs); OS Kernel; Enlightenments); VMBus; Windows hypervisor; Server Hardware; Ring 0: Kernel Mode; Ring 3: User Mode. Legend "Provided by": Rest of Windows, ISV, Hyper-V.]

Page 10:

Virtualization Attacks

[Diagram labels: the Hyper-V architecture diagram from the previous slide (Parent Partition, Virtualization Stack, VM Worker Processes, VM Service, WMI Provider, VSPs, Windows Kernel, Server Core, Device Drivers, Child Partition, Guest Applications, VSCs, OS Kernel, Enlightenments, VMBus, Windows hypervisor, Server Hardware, Ring 0: Kernel Mode, Ring 3: User Mode) with the added label "Hackers". Legend "Provided by": Rest of Windows, ISV, Hyper-V.]

Page 11:

What if there was no parent partition?

No defense in depth

Entire hypervisor running in the most privileged mode of the system

[Diagram labels: Ring -1, Ring 0, Ring 3; three Virtual Machines, each with User Mode and Kernel Mode; Scheduler, Memory Management, Storage Stack, Network Stack, VM State Machine, Virtualized Devices, Drivers, Management API; Hardware.]

Page 12:

Hyper-V Hypervisor

Defense in depth

Hyper-V doesn’t use ring compression; it uses hardware instead (VT/AMD-V)

Further reduces the attack surface

[Diagram labels: Ring -1, Ring 0, Ring 3; two Virtual Machines and the Parent Partition, each with User Mode and Kernel Mode; Scheduler, Memory Management, VM State Machine, Virtualized Devices, Management API; Storage Stack, Network Stack, Drivers; Hardware.]

Page 13:

Hyper-V Security

Page 14:

EAL4+ Certification for Hyper-V

Windows Server 2008 Hyper-V certified at the Common Criteria level EAL4 augmented by ALC_FLR.3 (also known as EAL4+)

The Common Criteria certification is vital to our customers (especially government agencies) worldwide. It provides them reassurance to know that Hyper-V has gone through a rigorous and internationally-accepted security review.

http://www.bsi.de/zertifiz/zert/reporte.htm#Midsize_Systems

Page 15:

Security Assumptions

Guests are untrusted

Trust relationships

Parent must be trusted by hypervisor

Parent must be trusted by children

Code in guests can run in all available processor modes, rings, and segments

Hypercall interface will be well documented and widely available to attackers

All hypercalls can be attempted by guests

Can detect you are running on a hypervisor

We’ll even give you the version

The internal design of the hypervisor will be well understood
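
The assumptions above that a guest can detect the hypervisor and read its version correspond to documented CPUID leaves. The following C program is an added example, not part of the original slides: the leaf layout follows Microsoft's published Hypervisor Top-Level Functional Specification, and the SAMPLE_* register values are constructed so the decoding can be followed on any machine.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>              /* GCC/Clang __cpuid macro */
#define HAVE_CPUID 1
#endif

struct cpuid_regs { uint32_t eax, ebx, ecx, edx; };
struct hv_version { uint32_t build, major, minor, service_pack; };

/* Constructed sample register values (not captured from a real host):
 * vendor leaf, interface leaf, and a version leaf encoding 6.1 build 7600. */
const struct cpuid_regs SAMPLE_VENDOR  = {0x40000006u, 0x7263694Du, 0x666F736Fu, 0x76482074u};
const struct cpuid_regs SAMPLE_IFACE   = {0x31237648u, 0, 0, 0};
const struct cpuid_regs SAMPLE_VERSION = {7600u, 0x00060001u, 0, 0};

/* CPUID.1:ECX bit 31 is set when a hypervisor is present. */
int hv_present(struct cpuid_regs leaf1) { return (int)((leaf1.ecx >> 31) & 1u); }

/* Leaf 0x40000000: EBX, ECX, EDX carry a 12-byte ASCII vendor ID. */
void hv_vendor(struct cpuid_regs r, char out[13]) {
    uint32_t w[3] = { r.ebx, r.ecx, r.edx };
    for (int i = 0; i < 12; i++)
        out[i] = (char)(w[i / 4] >> (8 * (i % 4)));
    out[12] = '\0';
}

/* Leaf 0x40000001: EAX == "Hv#1" means the Microsoft hypercall interface. */
int hv_is_hyperv_interface(struct cpuid_regs r) { return r.eax == 0x31237648u; }

/* Leaf 0x40000002: EAX = build, EBX = major:minor, ECX = service pack. */
struct hv_version hv_decode_version(struct cpuid_regs r) {
    struct hv_version v = { r.eax, r.ebx >> 16, r.ebx & 0xFFFFu, r.ecx };
    return v;
}

/* Execute CPUID on x86; returns 0 (and zeroed registers) elsewhere. */
int cpuid_query(uint32_t leaf, struct cpuid_regs *r) {
    memset(r, 0, sizeof *r);
#ifdef HAVE_CPUID
    __cpuid(leaf, r->eax, r->ebx, r->ecx, r->edx);
    return 1;
#else
    (void)leaf;
    return 0;
#endif
}

int main(void) {
    struct cpuid_regs vend = SAMPLE_VENDOR, ifc = SAMPLE_IFACE, ver = SAMPLE_VERSION, l1;
    char name[13];
    int live = cpuid_query(1, &l1) && hv_present(l1);
    if (live) {                      /* running as a guest: ask the hypervisor */
        cpuid_query(0x40000000u, &vend);
        cpuid_query(0x40000001u, &ifc);
        if (vend.eax >= 0x40000002u) cpuid_query(0x40000002u, &ver);
        else memset(&ver, 0, sizeof ver);
    }
    hv_vendor(vend, name);
    printf("%s: vendor \"%s\"\n", live ? "live" : "constructed sample", name);
    if (hv_is_hyperv_interface(ifc)) {
        struct hv_version v = hv_decode_version(ver);
        printf("Hyper-V interface, version %u.%u build %u SP %u\n",
               v.major, v.minor, v.build, v.service_pack);
    }
    return 0;
}
```

Because any guest can read these leaves, the isolation goals on the next slide cannot depend on hiding the hypervisor's presence or version.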

Page 16:

Security Goals

Strong isolation between partitions

Protect confidentiality and integrity of guest data

Separation

Unique hypervisor resource pools per guest

Separate worker processes per guest

Guest-to-parent communications over unique channels

Non-interference

Guests cannot affect the contents of other guests, parent, hypervisor

Guest computations protected from other guests

Guest-to-guest communications not allowed through VM interfaces

Page 17:

Hyper-V & SDL

Hypervisor built with

Stack guard cookies (/GS)

Address Space Layout Randomization (ASLR)

HW Data Execution Prevention

No Execute (NX) AMD

Execute Disable (XD) Intel

Code pages marked read only

Memory guard pages

Hypervisor binary is signed

Entire stack through SDL

Threat modeling

Static Analysis

Fuzz testing & Penetration testing

Page 18:

Hyper-V Security Model

Uses Authorization Manager (AzMan)

Fine grained authorization and access control

Department and role based

Segregate who can manage groups of VMs

Define specific functions for individuals or roles

Start, stop, create, add hardware, change drive image

VM administrators don’t have to be Server 2008 administrators

Guest resources are controlled by per VM configuration files

Shared resources are protected

Read-only (CD ISO file)

Copy on write (differencing disks)

Page 19:

BitLocker – Persistent Protection

Protects Data While a System is Offline
• Entire Windows Volume is Encrypted (Hibernation and Page Files)
• Delivers Umbrella Protection to Applications (On Encrypted Volume)

Ensures Boot Process Integrity
• Protects Against Root Kits – Boot Sector Viruses
• Automatically Locks System when Tampering Occurs

Simplifies Equipment Recycling
• One Step Data Wipe – Deleting Access Keys Renders Disk Drive Useless

Mitigating Against External Threats…
• Very Real Threat of Data Theft When a System is Stolen, Lost, or Otherwise Compromised (Hacker Tools Exist!)
• Decommissioned Systems are not Guaranteed Clean
• Increasing Regulatory Compliance on Storage Devices Drives Safeguards (HIPAA, SBA, PIPEDA, GLBA, etc…)

BitLocker Drive Encryption Support in Windows Server 2008/2008 R2
• Addresses Leading External Threats by Combining Drive Level Encryption with Boot Process Integrity Validation
• Leverages Trusted Platform Module (TPM) Technology (Hardware Module)
• Integrates with Enterprise Ecosystem Maintaining Keys in Active Directory

Page 20:

Physical Security

Device installation group policies: "no removable devices allowed on this system"

BitLocker: encrypts drives, securing
• laptops
• branch office servers

BitLocker To Go: encrypts removable devices like USB sticks

Includes group policies that say, "don't let the user save data onto a USB stick unless the stick's been encrypted"

Page 21:

Windows Server 2008 R2: SCONFIG

Page 22:

Windows Server Core

Windows Server frequently deployed for a single role

Must deploy and service the entire OS in earlier Windows Server releases

Server Core: minimal installation option

Provides essential server functionality

Command Line Interface only, no GUI Shell

Benefits

Less code results in fewer patches and reduced servicing burden

Low surface area server for targeted roles

Windows Server 2008 Feedback

Love it, but… steep learning curve

Windows Server 2008 R2

Introducing “SCONFIG”

Page 23:

Windows Server Core

Server Core: CLI

Page 24:

Easy Server Configuration

Page 25:

demo

SCONFIG

Page 26:

Hyper-V Best Practices

Page 27:

Parent partition configuration

Use a Server Core installation for the management operating system

Minimize attack surface for the parent partition

Don’t run arbitrary apps, no web surfing

Run your apps and services in guests

Reduced footprint, improved system uptime because there are fewer components that require updates

Keep the management operating system up to date with the latest security updates

Use a separate network with a dedicated network adapter for the management operating system of the physical Hyper-V computer.

Page 28:

Parent partition configuration (cont’d)

• Harden the management operating system using the baseline security setting recommendations described in the Windows Server 2008 Security Compliance Management Toolkit.
• Configure any real-time scanning antivirus software components installed on the management operating system to exclude Hyper-V resources.
• Do not grant virtual machine administrators permissions on the management operating system.
• Use the security level of your virtual machines to determine the security level of your management operating system.
• Use BitLocker Drive Encryption to protect resources (when not using CSV)

Page 29:

Antivirus and Hyper-V

Exclude
• VHDs & AVHDs (or directories)
• VM configuration directory
• VMMS.exe and VMWP.exe
• CSV directory (%systemdrive%\clusterstorage)

Run Antivirus in virtual machines as you would normally for a physical machine

Page 30:

Virtual Machine Configuration

• Configure virtual machines to use fixed-sized virtual hard disks (preferred).
• Store virtual hard disks and snapshot files in a secure location.
• Decide how much memory to assign to a virtual machine.
• Impose limits on processor usage.
• Configure the virtual network adapters of each virtual machine to connect to the correct type of virtual network to isolate network traffic as required.
• Configure only required storage devices for a virtual machine.

Page 31:

Virtual Machine Configuration (cont’d)

• Harden the operating system running in each virtual machine according to the server role it performs using the baseline security setting recommendations described in the Windows Server 2008 Security Compliance Management Toolkit.
• Configure antivirus, firewall, and intrusion detection software within virtual machines as appropriate based on server role.
• Ensure that virtual machines have all the latest security updates before they are turned on in a production environment.
• Ensure that your virtual machines have integration services installed.

Page 32:

Cluster Hyper-V Servers

Page 33:

Windows Server 2003

Cluster Creation

Page 34:

Use Cluster Shared Volumes

[Diagram labels: Single Volume; VHD, VHD, VHD; SAN; Concurrent access to a single file system.]

Hyper-V high availability and migration scenarios are supported by the new Cluster Shared Volumes in Windows Server 2008 R2

Technology within Failover Cluster feature

Single consistent name space

Compatible: NTFS volume

Simplified LUN management

Multiple data stores supported

Enhanced storage availability due to built in redundancy

Scalable as I/O is written directly by each node to the shared volume

Transparent to the VM

Page 35:

Don't forget the ICs!

Emulated vs. VSC

Page 36:

Installing Integration Components

Page 37:

Storage

BitLocker
• Great for branch office

VHDs
• Use fixed virtual hard disks in production

VHD Compaction/Expansion
• Run it on a non-production system

Use .isos
• Great performance
• Can be mounted and unmounted remotely
• Physical DVD can’t be shared across multiple vms
• Having them in SCVMM Library fast & convenient

Page 38:

Antivirus and Hyper-V

Exclude
• VHDs & AVHDs (or directories)
• VM configuration directory
• VMMS.exe and VMWP.exe
• CSV directory (%systemdrive%\clusterstorage)

Run Antivirus in virtual machines as you would normally for a physical machine

Page 39:

More Tips…

Mitigate Bottlenecks
• Processors
• Memory
• Storage
• Networking

Turn off screen savers in guests

Windows Server 2003
• Create vms using 2-way to ensure an MP HAL

Page 40:

Creating Virtual Machines

Use SCVMM Library

Templates help standardize configurations

Steps:
1. Create virtual machine
2. Install guest operating system & latest SP
3. Install integration components
4. Install anti-virus
5. Install management agents
6. SYSPREP
7. Add it to the VMM Library

Page 41:

Microsoft Hyper-V Server 2008 R2

Page 42:

Microsoft Hyper-V Server R2

New Features

Live Migration

High Availability

New Processor Support

Second Level Address Translation

Core Parking

Networking Enhancements

TCP/IP Offload Support

VMQ & Jumbo Frame Support

Hot Add/Remove virtual storage

Enhanced scalability

Free download: www.microsoft.com/hvs

Page 43:

Microsoft Virtualization: Customers Win

Virtual Server 2005 R2
• 32-bit Guests: Up to 4 GB per VM
• Uni-Processor Guests
• High Availability via scripts
• Up to 8 Cluster Nodes

Windows Server 2008 Hyper-V R1
• 16 LP Support/Up to 128 VMs
• 1 Terabyte Memory
• 32-bit/64-bit (Up to 64 GB per VM)
• SMP Guests
• High Performance I/O (VSP/VSC/VMBus)
• HA Integrated/Included
• Quick Migration Included
• Up to 16 Cluster Nodes

Windows Server 2008 R2 Hyper-V R2
• 64 LP Support/Up to 384 VMs/Up to 512 VPs
• Live Migration
• Cluster Shared Volumes
• Processor Flexibility
• Power Enhancements
• 10 Gb/E Ready
• Hot Add Virtual Storage
• Connection Broker for Hosted Desktops
• Quick Storage Migration with SCVMM R2

Callouts: Greater Performance; More Capabilities; High Availability Built-In; Increased Scalability; Live Migration Built-In; Ready for Next Gen Servers

Timeline: November 2005, June 2008, July 2009

Page 44:

Online Resources

Microsoft Virtualization Home/Case Studies from customers around the world:

http://www.microsoft.com/virtualization

Windows Server Virtualization Blog Site:

http://blogs.technet.com/virtualization/default.aspx

Windows Server Virtualization TechNet Site:

http://technet2.microsoft.com/windowsserver2008/en/servermanager/virtualization.mspx

MSDN & TechNet Powered by Hyper-V

http://blogs.technet.com/virtualization/archive/2008/05/20/msdn-and-technet-powered-by-hyper-v.aspx

Virtualization Solution Accelerators

http://technet.microsoft.com/en-us/solutionaccelerators/cc197910.aspx

How to install the Hyper-V role

http://www.microsoft.com/windowsserver2008/en/us/hyperv-install.aspx

Windows Server 2008 Hyper-V Performance Tuning Guide

http://www.microsoft.com/whdc/system/sysperf/Perf_tun_srv.mspx

Using Hyper-V & BitLocker White Paper

http://www.microsoft.com/downloads/details.aspx?FamilyID=2c3c0615-baf4-4a9c-b613-3fda14e84545&DisplayLang=en

Page 45:

© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.

The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.