WMS07 - Hyper-V Security and Best Practices (Dan Stolts, Microsoft)
WMS07 - Hyper-V Security and Best Practices
Dan Stolts
Microsoft
http://blogs.technet.com/danstolts
Microsoft Assessment and Planning Toolkit 3.1 Beta
http://www.microsoft.com/MAP
https://connect.microsoft.com/InvitationUse.aspx?ProgramID=2307&InvitationID=MP31-GT76-X98X&SiteID=297
Announcing…
MAP: User Interface & Reports; Server Migration & Virtualization Candidates
Windows Vista
Windows Server 2008
Virtualization
New User Interface
• Speed up planning with actionable proposals and assessments
• Collect inventory of servers, desktops and applications agentlessly
• Offers recommendations for server/application virtualization
• Works with the Virtualization ROI Tool to generate ROI calculations
Agenda
• Virtualization Requirements
• Hyper-V Security
• Microsoft Secure Development Lifecycle
• Server Core
• Enabling Hyper-V with Server Core
• Designing a Windows Server 2008 Hyper-V & System Center Infrastructure
• Hyper-V Storage & Pass Through Disks
• Deployment Considerations
• Best Practices & Tips and Tricks
Virtualization Requirements
• Scheduler
• Memory Management
• VM State Machine
• Virtualized Devices
• Storage Stack
• Network Stack
• Ring Compression (optional)
• Drivers
• Management API
Old: Virtual Server Architecture
[Diagram: Virtual Server on Windows Server 2003/Windows XP. Host: Windows kernel and VMM kernel in Ring 0 (kernel mode); Virtual Server service, IIS and the Virtual Server web app in Ring 3 (user mode). Guests: guest kernel (Windows NT4, 2000, 2003) with VM Additions in Ring 1 (guest kernel mode); guest applications in Ring 3. Legend "Provided by": Windows, ISV, Virtual Server. Runs on server hardware.]
New: Hyper-V Architecture
[Diagram: Windows hypervisor runs directly on server hardware. Parent partition: Server Core with Windows kernel, device drivers and Virtualization Service Providers (VSPs) in Ring 0; the virtualization stack (VM Service, WMI Provider, VM Worker Processes) in Ring 3. Child partitions: OS kernel with enlightenments and Virtualization Service Clients (VSCs) in Ring 0; guest applications in Ring 3. Parent and children communicate over VMBus. Legend "Provided by": rest of Windows, ISV, Hyper-V.]
Virtualization Attacks
[Diagram: the same Hyper-V architecture with "Hackers" placed among the guest applications of a child partition. From the untrusted guest, the layers in their path are the guest OS kernel with its enlightenments and VSCs, the VMBus into the parent partition's VSPs and virtualization stack (VM Service, WMI Provider, VM Worker Processes on Server Core), and the Windows hypervisor on the server hardware.]
Why not get rid of the parent?
• No defense in depth
• Entire hypervisor running in the most privileged mode of the system
  ● Scheduler
  ● Memory Management
  ● Storage Stack
  ● Network Stack
  ● VM State Machine
  ● Virtualized Devices
  ● Drivers
  ● Management API
[Diagram: a monolithic hypervisor in Ring -1 above the hardware containing all of the components listed; the virtual machines sit above it, each with kernel mode (Ring 0) and user mode (Ring 3).]
Micro-kernelized Hypervisor
• Defense in depth
• Using hardware to protect
• Hyper-V doesn't use ring compression translation
  ● Further reduces the attack surface
[Diagram: the hypervisor in Ring -1 holds only the scheduler and memory management; the VM state machine, virtualized devices, management API, storage stack, network stack and drivers live in the parent partition, which sits alongside the virtual machines, each with kernel mode (Ring 0) and user mode (Ring 3).]
Hyper-V Security
Security Assumptions
• Guests are untrusted
• Trust relationships
  ● Parent must be trusted by hypervisor
  ● Parent must be trusted by children
• Code in guests can run in all available processor modes, rings, and segments
• Hypercall interface will be well documented and widely available to attackers
• All hypercalls can be attempted by guests
• Can detect you are running on a hypervisor
  ● We'll even give you the version
• The internal design of the hypervisor will be well understood
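The last two assumptions (a guest can detect the hypervisor and learn its version) are exactly what the x86 CPUID hypervisor leaves expose, and guest-side inventory or hardening tools read them the same way. The program below is an added example, not part of the slide deck: it tests the hypervisor-present bit (CPUID.1:ECX[31]), decodes the vendor signature from leaf 0x40000000 and the version fields from leaf 0x40000002 as laid out in the Hyper-V Top Level Functional Specification; the struct and function names are my own, and the decoders are kept separate so they can be checked on constructed register values without a hypervisor.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Hypervisor identity as a guest sees it through the CPUID 0x4000000x leaves. */
struct hv_identity {
    char vendor[13];     /* 12-byte vendor signature, e.g. "Microsoft Hv" */
    uint32_t max_leaf;   /* highest hypervisor CPUID leaf implemented */
    uint32_t build, major, minor, service_pack;
};
/* Leaf 0x40000000: vendor signature as raw bytes in EBX, ECX, EDX, lowest byte first;
   bytes are extracted explicitly so decoding does not depend on host endianness. */
void hv_decode_vendor(uint32_t ebx, uint32_t ecx, uint32_t edx, char out[13]) {
    const uint32_t regs[3] = { ebx, ecx, edx };
    for (int i = 0; i < 3; i++)
        for (int j = 0; j < 4; j++)
            out[4 * i + j] = (char)((regs[i] >> (8 * j)) & 0xFF);
    out[12] = '\0';
}
/* Leaf 0x40000002 (system identity, Hyper-V TLFS): EAX = build, EBX = major<<16 | minor, ECX = SP. */
void hv_decode_version(uint32_t eax, uint32_t ebx, uint32_t ecx, struct hv_identity *id) {
    id->build = eax;            id->service_pack = ecx;
    id->major = ebx >> 16;      id->minor = ebx & 0xFFFFu;
}
/* x86 CPUID with ECX sub-leaf 0; the macro is only expanded on x86 builds. */
#define CPUID(leaf, a, b, c, d) \
    __asm__ volatile("cpuid" : "=a"(a), "=b"(b), "=c"(c), "=d"(d) : "a"(leaf), "c"(0))
/* True when CPUID.1:ECX[31] reports a hypervisor; *id is then filled in.
   Non-x86 builds have no CPUID, so they report "nothing detected" (false). */
bool hv_query(struct hv_identity *id) {
    memset(id, 0, sizeof *id);
#if defined(__x86_64__) || defined(__i386__)
    uint32_t a, b, c, d;
    CPUID(1, a, b, c, d);
    if (!(c & (1u << 31))) return false;
    CPUID(0x40000000u, a, b, c, d);
    id->max_leaf = a;
    hv_decode_vendor(b, c, d, id->vendor);
    if (a >= 0x40000002u) { CPUID(0x40000002u, a, b, c, d); hv_decode_version(a, b, c, id); }
    return true;
#else
    return false;
#endif
}
int main(void) {
    struct hv_identity id;
    if (!hv_query(&id)) { puts("no hypervisor advertised via CPUID"); return 0; }
    printf("vendor \"%s\" max leaf 0x%08x version %u.%u build %u SP %u\n",
           id.vendor, id.max_leaf, id.major, id.minor, id.build, id.service_pack);
}
```

Run inside a Hyper-V guest (or the parent partition, which also sits on the hypervisor) it prints the "Microsoft Hv" signature and the hypervisor version; on bare metal it reports that nothing is advertised.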
Security Goals
• Strong isolation between partitions
• Protect confidentiality and integrity of guest data
• Separation
  ● Unique hypervisor resource pools per guest
  ● Separate worker processes per guest
  ● Guest-to-parent communications over unique channels
• Non-interference
  ● Guests cannot affect the contents of other guests, parent, hypervisor
  ● Guest computations protected from other guests
  ● Guest-to-guest communications not allowed through VM interfaces
Isolation
• We're serious folks
  ● No sharing of virtualized devices
  ● Separate VMBus per VM to the parent
  ● No sharing of memory
    • Each has its own address space
  ● VMs cannot communicate with each other, except through traditional networking
  ● Guests can't perform DMA attacks because they're never mapped to physical devices
  ● Guests cannot write to the hypervisor
  ● Parent partition cannot write to the hypervisor
Microsoft Secure Development Lifecycle
Hyper-V & SDL
• Hypervisor built with
  ● Stack guard cookies (/GS)
  ● Address Space Layout Randomization (ASLR)
  ● Hardware Data Execution Prevention
    • No Execute (NX) AMD
    • Execute Disable (XD) Intel
  ● Code pages marked read only
  ● Memory guard pages
  ● Hypervisor binary is signed
• Hypervisor and Parent going through SDL
  ● Threat modeling
  ● Static analysis
  ● Fuzz testing & penetration testing
Hyper-V Security Model
• Uses Authorization Manager (AzMan)
  ● Fine grained authorization and access control
  ● Department and role based
  ● Segregate who can manage groups of VMs
• Define specific functions for individuals or roles
  ● Start, stop, create, add hardware, change drive image
• VM administrators don't have to be Server 2008 administrators
• Guest resources are controlled by per VM configuration files
• Shared resources are protected
  ● Read-only (CD ISO file)
  ● Copy on write (differencing disks)
Server Core
Windows Server Core
• Windows Server frequently deployed for a single role
  ● Must deploy and service the entire OS in earlier Windows Server releases
• Server Core: a new minimal installation option
  ● Provides essential server functionality
  ● Command line interface only, no GUI shell
• Benefits
  ● Fundamentally improves availability
  ● Less code results in fewer patches and reduced servicing burden
  ● Low surface area server for targeted roles
  ● More secure and reliable with less management
Windows Server Core
Enabling Hyper-V with Server Core
Step-by-step instructions…
Installing Hyper-V Role on Core
Install Windows Server 2008 and select a Server Core installation option
Set Admin Password
  ● net user administrator <new_password>
  ● shutdown /r /t 0
Rename Computer
  ● netdom renamecomputer %computername% /newname:<new_computername>
  ● shutdown /r /t 0
Join Domain
  ● netdom join %computername% /domain:<domain> /userd:<username> /passwordd:*
  ● Enter the password when prompted (the * keeps it off the command line)
  ● shutdown /r /t 0
Add domain account to local admin group
  ● net localgroup administrators /add <domain_account>
  ● logoff
Add Hyper-V Role
  ● ocsetup Microsoft-Hyper-V
  ● Restart when prompted
Connect remotely via MMC
Enabling Remote Desktop
• OPTIONAL
  ● cscript \windows\system32\scregedit.wsf /ar 0 (allow Remote Desktop connections)
  ● cscript \windows\system32\scregedit.wsf /cs 0 (also allow clients without Network Level Authentication; only needed for pre-Vista Remote Desktop clients)
Hyper-V Networking
Hyper-V Networking
• Don't forget the parent is a VM
• Two physical network adapters at minimum
  ● One for management
  ● One (or more) for VM networking
  ● Dedicated NIC(s) for iSCSI
  ● Connect parent to back-end management network
• Only expose guests to internet traffic
Hyper-V Network Configurations
• Example 1:
  ● Physical server has 4 network adapters
  ● NIC 1: Assigned to parent partition for management
  ● NICs 2/3/4: Assigned to virtual switches for virtual machine networking
  ● Storage is non-iSCSI such as:
    • Direct attach
    • SAS or Fibre Channel
Hyper-V Setup & Networking 1
Hyper-V Setup & Networking 2
Hyper-V Setup & Networking 3
Windows Server 2008: Each VM on its own Switch…
[Diagram: "Designed for Windows" server hardware with the Windows hypervisor in Ring -1. Parent partition: kernel mode holds the management NIC 1 plus three VSPs, each bound to its own virtual switch (VSwitch 1 on NIC 2, VSwitch 2 on NIC 3, VSwitch 3 on NIC 4); user mode holds VM Service, WMI Provider and VM Worker Processes. Child partitions VM 1 and VM 2 (Windows kernel + VSC) and VM 3 (Linux kernel + VSC) each run their applications and reach the parent over their own VMBus.]
Hyper-V Network Configurations
• Example 2:
  ● Server has 4 physical network adapters
  ● NIC 1: Assigned to parent partition for management
  ● NIC 2: Assigned to parent partition for iSCSI
  ● NICs 3/4: Assigned to virtual switches for virtual machine networking
Hyper-V Setup, Networking & iSCSI
Windows Server 2008: Now with iSCSI…
[Diagram: "Designed for Windows" server hardware with the Windows hypervisor in Ring -1. Parent partition: kernel mode keeps NIC 1 for management and NIC 2 for iSCSI, with two VSPs bound to VSwitch 1 on NIC 3 and VSwitch 2 on NIC 4; user mode holds VM Service, WMI Provider and VM Worker Processes. Child partitions VM 1 and VM 2 (Windows kernel + VSC) and VM 3 (Linux kernel + VSC) each run their applications and reach the parent over their own VMBus.]
Networking: Parent Partition
Networking: Virtual Switches
Legacy vs. Synthetic NIC
• Legacy Network Adapter
  ● Up to 4 per virtual machine
  ● Pros: Needed for PXE/RIS/WDS installation
  ● Cons: Slow
• Synthetic Network Adapter
  ● Up to 8 per virtual machine!
  ● Pros: Blazing fast
• Both:
  ● Support VLANs
  ● Dynamic or static MAC addresses
VM with Legacy & Synthetic NIC
Hyper-V Storage & Pass Through…
Step by Step Instructions
Hyper-V Storage...
• Performance wise, from fastest to slowest…
  ● Fixed Disk VHDs / Pass Through Disks
    • About the same in terms of performance
  ● Dynamically Expanding VHDs
    • Grow as needed
• Pass Through Disks
  ● Pro: VM writes directly to a disk/LUN without encapsulation in a VHD
  ● Cons:
    • You can't use VM snapshots
    • Dedicating a disk to a VM
VM Setting No Pass Through
Computer Management: Disk
Taking a disk offline
Disk is offline…
Pass Through Configured
Best Practices & Tips and Tricks
Deployment Considerations
• Minimize risk to the Parent Partition
  ● Use Server Core
  ● Don't run arbitrary apps, no web surfing
• Run your apps and services in guests
• Moving VMs from Virtual Server to Hyper-V
  ● FIRST: Uninstall the VM Additions
• Two physical network adapters at minimum
  ● One for management (use a VLAN too)
  ● One (or more) for VM networking
  ● Dedicated NIC(s) for iSCSI
  ● Connect parent to back-end management network
• Only expose guests to internet traffic
Windows Server 2003 (today): Cluster Creation
Cluster Hyper-V Servers
Don't forget the ICs! Emulated vs. VSC
Anti-Virus & BitLocker…
• Parent partition
  ● Run AV software and exclude .vhd
• Child partitions
  ● Run AV software within each VM
• BitLocker
  ● Great for branch office
  ● Protects data while a system is offline
BitLocker – Persistent Protection
• Protects data while a system is offline
  ● Entire Windows volume is encrypted (hibernation and page files)
  ● Delivers umbrella protection to applications (on encrypted volume)
• Ensures boot process integrity
  ● Protects against root kits and boot sector viruses
  ● Automatically locks system when tampering occurs
• Simplifies equipment recycling
  ● One step data wipe: deleting access keys renders disk drive useless
• Mitigating against external threats…
  ● Very real threat of data theft when a system is stolen, lost, or otherwise compromised (hacker tools exist!)
  ● Decommissioned systems are not guaranteed clean
  ● Increasing regulatory compliance on storage devices drives safeguards (HIPAA, SBA, PIPEDA, GLBA, etc.)
• BitLocker Drive Encryption support in Windows Server 2008
  ● Addresses leading external threats by combining drive level encryption with boot process integrity validation
  ● Leverages Trusted Platform Module (TPM) technology (hardware module)
  ● Integrates with the enterprise ecosystem, maintaining keys in Active Directory
More…
• Mitigate bottlenecks
  ● Processors
  ● Memory
  ● Storage
    • Don't run everything off a single spindle…
  ● Networking
• VHD compaction/expansion
  ● Run it on a non-production system
• Use .isos
  ● Great performance
  ● Can be mounted and unmounted remotely
  ● Physical DVD can't be shared across multiple VMs
  ● Having them in the SCVMM Library is fast & convenient
Creating Virtual Machines
• Use SCVMM Library
• Steps:
  1. Create virtual machine
  2. Install guest operating system & latest SP
  3. Install integration components
  4. Install anti-virus
  5. Install management agents
  6. SYSPREP
  7. Add it to the VMM Library
• Windows Server 2003
  ● Create VMs using 2-way to ensure an MP HAL
Online Resources
• Microsoft Virtualization Home:
  ● http://www.microsoft.com/virtualization
• Windows Server Virtualization Blog Site:
  ● http://blogs.technet.com/virtualization/default.aspx
• Windows Server Virtualization TechNet Site:
  ● http://technet2.microsoft.com/windowsserver2008/en/servermanager/virtualization.mspx
• Windows Server 2008 with Hyper-V RC1:
  ● http://www.microsoft.com/downloads/details.aspx?FamilyId=7EDAA89F-9F64-488D-93C0-858D2D8799DF&displaylang=en
• Windows Hyper-V Installation Guide:
  ● http://www.microsoft.com/windowsserver2008/virtualization/install.mspx
© 2008 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the
date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Your Feedback is Important
Please fill out a session evaluation form and either put them in the basket near the exit or drop them off at the conference registration desk.
Thank you!