
Hyper-V™ Security Guide

Version 1.0

Published: March 2009


For the latest information, please see
microsoft.com/technet/SolutionAccelerators
Copyright © 2009 Microsoft Corporation. All rights reserved. Complying with the applicable copyright laws is
your responsibility. By using or providing feedback on this documentation, you agree to the license agreement
below.

If you are using this documentation solely for non-commercial purposes internally within YOUR company or
organization, then this documentation is licensed to you under the Creative Commons Attribution-
NonCommercial License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc/2.5/ or
send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.

This documentation is provided to you for informational purposes only, and is provided to you entirely "AS IS".
Your use of the documentation cannot be understood as substituting for customized service and information
that might be developed by Microsoft Corporation for a particular user based upon that user’s particular
environment. To the extent permitted by law, MICROSOFT MAKES NO WARRANTY OF ANY KIND, DISCLAIMS
ALL EXPRESS, IMPLIED AND STATUTORY WARRANTIES, AND ASSUMES NO LIABILITY TO YOU FOR ANY
DAMAGES OF ANY TYPE IN CONNECTION WITH THESE MATERIALS OR ANY INTELLECTUAL PROPERTY IN THEM.

Microsoft may have patents, patent applications, trademarks, or other intellectual property rights covering
subject matter within this documentation. Except as provided in a separate agreement from Microsoft, your
use of this document does not give you any license to these patents, trademarks or other intellectual property.

Information in this document, including URL and other Internet Web site references, is subject to change
without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-
mail addresses, logos, people, places and events depicted herein are fictitious.

Microsoft, Active Directory, BitLocker, Hyper-V, Windows, Windows Server, and Windows Vista are either
registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

The names of actual companies and products mentioned herein may be the trademarks of their respective
owners.

You have no obligation to give Microsoft any suggestions, comments or other feedback ("Feedback") relating to
the documentation. However, if you do provide any Feedback to Microsoft then you provide to Microsoft,
without charge, the right to use, share and commercialize your Feedback in any way and for any purpose. You
also give to third parties, without charge, any patent rights needed for their products, technologies and
services to use or interface with any specific parts of a Microsoft software or service that includes the Feedback.
You will not give Feedback that is subject to a license that requires Microsoft to license its software or
documentation to third parties because we include your Feedback in them.

Solution Accelerators microsoft.com/technet/SolutionAccelerators


Contents
Overview
  Who Should Read This Guide
    Skills and Readiness
  Chapter Summaries
    Style Conventions
    More Information
    Support and Feedback
  Acknowledgements
Chapter 1: Hardening Hyper-V
  Attack Surface
  Server Role Security Configuration
    Management Operating System Security
      Default Installation Recommendations
      Host Network Configuration
      Securing Dedicated Storage Devices
      Security Setting Recommendations
    Virtual Machine Security
      Virtual Machine Configuration
  More Information
Chapter 2: Delegating Virtual Machine Management
  Using Tools to Delegate Access
  Delegating Access with Authorization Manager
  System Center Virtual Machine Manager 2008
    Delegated Administrator Role
    Self Service Portal
  More Information
Chapter 3: Protecting Virtual Machines
  Methods for Protecting VMs
    Hardening the Virtual Machine Operating System and Applications
      Firewall and Antivirus Requirements
      Group Policy Considerations
    Using File System Security to Protect Virtual Machine Resources
    Using Encryption to Protect Virtual Machine Resources
    Using Auditing to Track Access to Virtual Machine Resources
  Maintaining Virtual Machines
  Hyper-V Security Best Practice Checklist
    Management Operating System Configuration
    Virtual Machine Configuration
  More Information

Overview
Welcome to the Hyper-V™ Security Guide. This guide provides instructions and
recommendations to help strengthen the security of computers running the
Hyper-V role on Windows Server® 2008.
Microsoft engineering teams, consultants, support engineers, partners, and
customers have reviewed and approved this prescriptive guidance to make it:
• Proven. Based on field experience.
• Authoritative. Offers the best advice available.
• Accurate. Technically validated and tested.
• Actionable. Provides the steps to success.
• Relevant. Addresses real-world security concerns.
Microsoft has published security guides for Windows Server 2008 and Windows
Server 2003. This guide references significant new capabilities and security
enhancements in Windows Server 2008. The guide was developed and tested
with computers running the Hyper-V role on Windows Server 2008 that were
joined to a domain that uses Active Directory® Domain Services (AD DS).
As Hyper-V continues to evolve through future releases, you can expect updated
versions of this guidance to include more security recommendations. Solution
Accelerators are also available to assist you with the deployment and operation
of Windows Server 2008 as well as other Microsoft technologies. For more
information about all available accelerators, visit Solution Accelerators on
Microsoft® TechNet.

Who Should Read This Guide


The Hyper-V Security Guide is primarily for IT professionals, security professionals,
systems architects, computer engineers, and other IT consultants who plan
application or infrastructure development and deployments of Windows
Server 2008 for servers in an enterprise environment. The guide is not intended
for home users. This guide is for individuals whose jobs may include one or more
of the following roles:
• Security professional. Individuals in this role focus on how to provide
security across computing platforms within an organization. Security
professionals require a reliable reference guide that addresses the security
needs of all segments of their organizations and also offers proven methods
to implement security countermeasures. They identify security features and
settings, and then provide recommendations on how their customers can
most effectively use them in high-risk environments.
• IT operations, help desk, and deployment staff. Individuals in all of these
roles troubleshoot security issues as well as application installation,
configuration, usability, and manageability issues. They monitor these types
of issues to define measurable security improvements with minimal impact on
critical business applications. Individuals in IT operations focus on integrating
security and controlling change in the deployment process, and deployment
personnel focus on administering security updates quickly.
• Systems architect and planner. Individuals in this role drive the architecture
efforts for computer systems in their organizations.
• Consultant. Individuals in this role are aware of security scenarios that span
all the business levels of an organization. IT consultants from both Microsoft
Services and partners take advantage of knowledge transfer tools for
enterprise customers and partners.

Skills and Readiness


The following knowledge and skills are required for consultants, operations, help
desk and deployment staff, and security professionals who develop, deploy, and
secure server systems running Windows Server 2008 in an enterprise
organization:
• MCSE on Microsoft Windows Server 2003 or a later certification and two or
more years of security-related experience, or equivalent knowledge.
• Experience using Hyper-V Manager and System Center Virtual Machine
Manager 2008 (VMM 2008).
• Detailed knowledge of the organization’s domain and Active Directory
environments.
• Experience in the administration of Group Policy using the Group Policy
Management Console (GPMC), which provides a single solution for
managing all Group Policy–related tasks.
• Experience using management tools including Microsoft Management
Console (MMC), Gpupdate, and Gpresult.
• Experience using the Security Configuration Wizard (SCW).
• Experience deploying applications and server computers in enterprise
environments.

Chapter Summaries
This release of the Hyper-V Security Guide consists of this Overview and three
chapters that discuss methods and best practices that will help you secure your
Hyper-V environment. Brief descriptions follow for each chapter.

Overview
The overview states the purpose and scope of the guide, defines the guide
audience, and describes the guide's structure to help you locate the information
that is relevant to you. It also describes the user prerequisites for the guidance.

Chapter 1: Hardening Hyper-V


This chapter provides prescriptive guidance for hardening the Hyper-V role. It
discusses several best practices for installing and configuring Hyper-V on
Windows Server 2008 server with a focus on security. These best practices
include measures for reducing the attack surface of a server running Hyper-V
and recommendations for properly configuring secure network and storage
devices on a server running Hyper-V.

Chapter 2: Delegating Virtual Machine Management


This chapter discusses several available methods for delegating virtual machine
management so that virtual machine administrators only have the minimum
permissions they require. It describes common delegation scenarios, and
includes detailed steps to guide you through using Authorization Manager
(AzMan) and System Center VMM 2008 to separate virtual machine
administrators from virtualization host administrators.

Chapter 3: Protecting Virtual Machines


This chapter provides prescriptive guidance for securing virtual machine
resources. It discusses best practices and includes detailed steps for protecting
virtual machines by using a combination of file system permissions, encryption,
and auditing. Also included are resources for hardening and updating the
operating system instances running within your virtual machines.

Style Conventions
This guidance uses the style conventions that are described in the following
table.

Element           Meaning
Bold font         Signifies characters typed exactly as shown, including commands,
                  switches, and file names. User interface elements also appear in bold.
Italic font       Titles of books and other substantial publications appear in italic.
<Italic>          Placeholders set in italic and angle brackets represent variables.
Monospace font    Defines code and script samples.
Note              Alerts the reader to supplementary information.
Important         Alerts the reader to essential supplementary information.

More Information
The following resources provide additional information about security topics and
detailed discussion of the concepts and security prescriptions in this guide on
Microsoft.com:
• Hyper-V Planning and Deployment Guide: Planning for Hyper-V Security
• Windows Server 2008 Security Compliance Management Toolkit
• GPOAccelerator tool and guidance
• Infrastructure Planning and Design guides
• Microsoft Deployment Toolkit 2008 page on Microsoft TechNet
• Microsoft Windows Security Resource Kit
• Security Solution Accelerator page on Microsoft TechNet

Support and Feedback


The Solution Accelerators – Security and Compliance (SA–SC) team would
appreciate your thoughts about this and other Solution Accelerators. Please
contribute comments and feedback to secwish@microsoft.com. We look forward
to hearing from you.
Solution Accelerators provide prescriptive guidance and automation for cross-
product integration. They present proven tools and content to help you plan,
build, deploy, and operate information technology with confidence. To view the
extensive range of Solution Accelerators and for additional information, visit the
Solution Accelerators page on Microsoft TechNet.
We would appreciate your taking a few moments to complete this short survey.
Doing so will help us continue to improve the quality of Solution Accelerators and
ensure that they address customer needs. Thank you in advance for completing
the survey, and thank you for purchasing Microsoft products.


Acknowledgements
The SA-SC team would like to acknowledge and thank the team that produced
the Hyper-V Security Guide. The following people were either directly responsible
or made a substantial contribution to the writing, development, and testing of this
solution.

Development Team
Authors
Kurt Dillard KurtDillard.com
Richard Harrison Content Master Ltd
Paul Henry Wadeware LLC

Development Lead
José Maldonado

Editor
Steve Wacker Wadeware LLC

Product Manager
Shruti Kala

Program Manager
Tom Cloward

Release Managers
Karina Larson
Shealagh Whittle Aquent LLC

Test Manager
Sumit Parikh

Testers
Raxit Gajjar Infosys Technologies Ltd
Tushar Vijay Lunawat Infosys Technologies Ltd

Contributors and Reviewers


Kai Axford
Brandon Baker
Yung Chou
Defense Information System Agency (DISA)
Martin Herbener Kentucky Department of Education


Dung K Hoang Hewlett-Packard
Siegfried Jagott Siemens AG
Carsten Kinder
Kathy Lambert
David Lef
Patrick Lownds Hewlett-Packard
Jason Missildine
Keith Pawson
Bhaskar Rastogi
Enrique Saggese
Tony Soper
Pat Telford
Elton Tucker
Gary Verster
Anand.V.V.N Xinfotainment
Kiyoshi Watanabe



Chapter 1: Hardening Hyper-V
This chapter focuses on how to harden servers that run Microsoft® Hyper-V™,
the hypervisor-based virtualization functionality included as a role of Windows
Server® 2008, in both Full and Server Core installations. The chapter includes
security best practice recommendations for configuring servers running the
Hyper-V role. These recommendations can help maintain your server’s desired
configuration, and help protect against unauthorized access and resource
tampering.
Significant changes were introduced with the Hyper-V role in Windows
Server 2008 that enhanced the capabilities and functionality of virtualization on
the Windows® platform. For more information about the new features introduced
in Windows Server 2008 Hyper-V, see the Windows Server 2008 Hyper-V
product overview white paper.
It's important to note that this guide is written for Windows Server 2008 with the
Hyper-V role enabled. It is not written for the stand-alone Microsoft Hyper-V
Server 2008 product, although much of the guidance here should apply to that
product as well. For information about the differences between Windows Server
2008 with the Hyper-V role enabled and Hyper-V Server 2008, see the Microsoft
Hyper-V Server 2008 FAQ.
Similarly, although the security recommendations in this guide were tested only
on the Windows Server 2008 Enterprise operating system, the recommendations
should also apply to Windows Server 2008 Standard and Windows Server 2008
Datacenter.
To install the Hyper-V role and take advantage of the virtualization capabilities
requires the following:
• A server computer running a Full or Server Core installation of the 64-bit
edition of Windows Server 2008 (Standard, Enterprise, or Datacenter).
• Hardware-assisted virtualization must be enabled on the hardware you plan
to use before you install the Hyper-V role. A number of processors currently
on the market include instruction sets, such as AMD-V and Intel VT, that
provide the ability to load a hypervisor virtualization platform between the
computer hardware and the operating system layer.
• Data Execution Prevention (DEP) must be enabled in the BIOS. DEP is a
security feature that is available on all processors that support virtualization
assistance. It prevents a process from executing code from a non-executable
memory region. DEP is supported by processors that can mark memory
pages as non-executable, such as Intel processors that support the XD
(Execute Disable) bit and AMD processors that support the NX (No-Execute)
bit.
Important If your server does not support hardware virtualization assistance, the Hyper-V role
will not display in the list of roles you can install. For system requirements, see Windows Server
2008 Virtualization with Hyper-V: FAQ.



Attack Surface
As with other roles in Windows Server 2008, adding the Hyper-V role changes
the attack surface of the computer. To determine the attack surface of this role,
you need to identify the following:
• Installed files. The files that are installed as part of the Hyper-V role.
• Installed services. The services that are installed as part of the Hyper-V
role.
• Firewall rules. The firewall rules that are installed or enabled as a part of the
Hyper-V role.
For an up-to-date list of the files, services, and firewall rules that the Hyper-V role
installs, see the Hyper-V Attack Surface Reference Workbook on the Microsoft
Download Center.
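The Attack Surface Reference Workbook lists the delta that adding the role produces; the following PowerShell script is an added example (not part of this guide or of the workbook) that lets you measure that delta on your own hardware. It snapshots the installed services and the Windows Firewall rules before the Hyper-V role is added, snapshots them again afterwards, and prints what appeared or disappeared, which is the list you then reconcile against the workbook. It assumes a Windows Server 2008 host on which PowerShell is installed (a Full installation; Server Core in this release has no .NET Framework) and the Windows Firewall with Advanced Security COM object HNetCfg.FwPolicy2, which reads only the local firewall policy. The output file paths are placeholders.

```powershell
# Added example: snapshot services and firewall rules before and after adding
# the Hyper-V role, then diff the two snapshots. Not from the Hyper-V Security
# Guide. Assumes Windows Server 2008 with PowerShell and the local-only
# Windows Firewall with Advanced Security COM API (HNetCfg.FwPolicy2).

function Get-ServiceBaseline {
    # One line per service: name, start mode, current state and binary path.
    param([string]$ComputerName = ".")
    Get-WmiObject -Class Win32_Service -ComputerName $ComputerName |
        ForEach-Object {
            "SERVICE|{0}|{1}|{2}|{3}" -f $_.Name, $_.StartMode, $_.State, $_.PathName
        }
}

function Get-FirewallBaseline {
    # One line per firewall rule: name, group, direction, protocol, ports, enabled.
    # Direction: 1 = inbound, 2 = outbound. Protocol: 6 = TCP, 17 = UDP, 256 = any.
    # For built-in rules, Grouping may come back as an indirect resource string;
    # the diff still works because it is stable between snapshots.
    $policy = New-Object -ComObject HNetCfg.FwPolicy2
    foreach ($rule in $policy.Rules) {
        if ($rule.Direction -eq 1) { $dir = "In" } else { $dir = "Out" }
        $fields = @($rule.Name, $rule.Grouping, $dir, $rule.Protocol, $rule.LocalPorts, $rule.Enabled)
        "FWRULE|{0}|{1}|{2}|{3}|{4}|{5}" -f $fields
    }
}

function Save-Baseline {
    # Write a sorted snapshot so two snapshots can be compared line by line.
    param([string]$Path)
    @(Get-ServiceBaseline) + @(Get-FirewallBaseline) | Sort-Object | Set-Content -Path $Path
}

function Compare-Baseline {
    # Report every service or firewall rule that was added or removed between snapshots.
    param([string]$Before, [string]$After)
    Compare-Object -ReferenceObject (Get-Content $Before) -DifferenceObject (Get-Content $After) |
        ForEach-Object {
            if ($_.SideIndicator -eq "=>") { $tag = "ADDED  " } else { $tag = "REMOVED" }
            "$tag $($_.InputObject)"
        }
}

# Usage (paths are placeholders):
#   Save-Baseline C:\Baselines\before-hyperv.txt
#   ... add the Hyper-V role and restart the server ...
#   Save-Baseline C:\Baselines\after-hyperv.txt
#   Compare-Baseline C:\Baselines\before-hyperv.txt C:\Baselines\after-hyperv.txt
```

Anything that shows up as ADDED and is not in the workbook deserves a second look, because it came from something other than the role itself (a management agent, a driver package, or a change someone made during the reboot window). Keep the "before" snapshot; it is also the reference you compare against later to catch drift.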

Server Role Security Configuration


This section of the guide provides guidance for securing the physical Hyper-V
computer (the physical server that runs one or more virtual machines). It
describes the security measures that you can incorporate into your Hyper-V
server configuration to help protect it against malicious attacks.
This section does not provide guidance on the specific security configurations of
the virtual machines that the Hyper-V server can support. For help securing the
virtual operating environment that runs inside a virtual machine, consult the
following Microsoft Solution Accelerator guidance:
• Windows Server 2008 Security Compliance Management Toolkit
• Windows Server 2003 Security Compliance Management Toolkit
• Windows Vista Security Compliance Management Toolkit
• Windows XP Security Compliance Management Toolkit
The Windows Server 2008 Security Compliance Management Toolkit also
provides guidance about security settings for other Windows Server 2008 roles.
To secure other supported guest operating systems, see the appropriate
documentation from the operating system vendors. See Virtualization with Hyper-
V: Supported Guest Operating Systems for an up-to-date list.
A basic familiarity with the Hyper-V architecture can help you understand the
kinds of countermeasures that you can implement to better secure Hyper-V. The
following figure illustrates this architecture.


Figure 1.1. Basic Hyper-V virtualization technology architecture


After you install the Hyper-V role, all of the operating system instances on the
physical computer run as virtual machines. Even the instance of Windows
Server 2008 that you use to create and manage the virtual machines runs in a
partition above the hypervisor (the parent partition); this instance is the
management operating system. You use the management operating system
specifically to create and manage virtual machines.
Hyper-V uses a microkernelized approach in which the hypervisor is very small
and allows no third-party code to run within it. The hypervisor, which is a core
component of Hyper-V, is a thin layer of software between the hardware and the
operating system. The hypervisor allows multiple operating systems to run
unmodified on a single physical computer at the same time. Because any
unknown security vulnerabilities included in Hyper-V could compromise the
security of the management operating system and the virtual machines, Microsoft
has carefully reviewed and tested the Hyper-V source code to minimize this risk.
In addition, the hypervisor component was designed with minimal configuration
requirements to reduce its complexity and attack surface. (For more information
on the Hyper-V virtualization architecture, see An Introduction to Hyper-V in
Windows Server 2008 on Microsoft TechNet.)
The remainder of this chapter focuses on the steps you need to perform to
protect the management operating system and the virtual machines. There are
two categories of countermeasures:

• Management operating system security. The configuration of the physical
computer itself, including discrete network interfaces for accessing the
management operating system and virtual machines.
• Virtual machine security. The configuration of the virtual machines.

Management Operating System Security


When provisioning the physical computer, you can do several things to increase
the overall security of the management operating system and virtual machines.
For example, you can reduce the attack surface of the management operating
system by installing Hyper-V on a computer running Windows Server 2008
Server Core, as explained in the following subsection. Other techniques you can
use that are discussed in this section include installing separate network
adapters for the management operating system and virtual machines, and using
the management operating system to configure separate logical storage volumes
for each virtual machine.

Default Installation Recommendations


You can install Hyper-V with either the Full or the Server Core installation options
of the 64-bit editions of Windows Server 2008 (Standard, Enterprise, or
Datacenter). Server Core is a minimal server installation option that provides a
low-maintenance server environment with limited functionality. With a Server
Core installation (as with Hyper-V Server 2008), only the minimal components
that are necessary to support core functionality and key server roles are installed,
including Hyper-V (if selected).
Using Server Core for Hyper-V physical computers provides three main security
benefits:
• A minimized attack surface for the management operating system.
• A reduced computer footprint.
• Improved system uptime because there are fewer components that require
updates.
Potential drawbacks of using Server Core include the following:
• Server Core cannot be managed locally using the traditional graphical user
interfaces (GUIs) such as Server Manager. Remote administration consoles
and specialized WMI command-line scripts are required to manage the
server, which might require additional training for administrative staff.
• Some drivers, software agents, and applications are not compatible with a
Server Core management operating system. In particular, the Microsoft .NET
Framework is not included with Server Core installations, so you will not be
able to run any .NET applications with the management operating system.
Validating all applications, drivers, and software agents is especially
important when deploying a Server Core installation.
Apart from the differences between the Full and Server Core options, the attack
surface for the Hyper-V component is the same in the Standard, Enterprise, and
Datacenter SKUs of Windows Server 2008.


To install the Windows Server 2008 Hyper-V role using the Server Core
option
1. You must perform a Server Core installation before you install the Hyper-V
role. For instructions, see the Server Core Installation Option of Windows
Server 2008 Step-By-Step Guide on Microsoft TechNet.
2. Install the Hyper-V update packages for Windows Server 2008 (KB950050).
To view the list of software updates and check whether any are missing,
enter the following command at a command prompt:
wmic qfe list
If you do not see “kbid=950050”, download the Hyper-V updates and then
enter the following command at a command prompt:
wusa.exe Windows6.0-KB950050-x64.msu /quiet
There are three update packages. After you install the updates, you must
restart the server. You must update the management operating system with
the Update for Windows Server 2008 x64 Edition (KB 950050) and Language
Pack for Hyper-V (KB951636).
The Update for Windows Server 2008 (KB952627) is for remote management
of the Server Core installation if you are managing the server from a
computer running Windows Vista Service Pack 1 (SP1). It must be installed
on the computer running Windows Vista SP1.
Important Before you enable the Hyper-V role, ensure that you have enabled the required
hardware-assisted virtualization and hardware-enforced Data Execution Prevention (DEP)
BIOS settings. Checks for these settings are performed before you enable the Hyper-V role
on a full installation, but not on a Server Core installation.

After you make the BIOS configuration changes to enable the required
hardware features, you might need to turn off the power to the computer and
then turn it back on (because restarting the computer might not apply the
changes to the settings). If you enable the Hyper-V role without modifying the
BIOS settings, the Windows hypervisor might not function as expected. If the
Windows hypervisor malfunctions, check the event log for details, modify the
BIOS settings according to the server hardware manufacturer instructions,
turn off and turn on the computer running a Server Core installation, and then
install Hyper-V again.
To check if your server hardware is compatible, see the Windows Server
catalog. Click the list of Certified Servers, and then click By additional
qualifications – Hyper-V. For instructions about how to enable the BIOS
settings, check with your hardware manufacturer.
After you install Hyper-V, ensure that all appropriate updates are installed. A
comprehensive list of Hyper-V updates is available in the Hyper-V Update List on
Microsoft TechNet.
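Because a Server Core installation performs no pre-flight checks before the role is enabled, it helps to run the checks yourself from a management workstation. The following PowerShell script is an added example, not part of this guide. It uses the same WMI class that wmic qfe list reads (Win32_QuickFixEngineering) to report which of the host-side update packages named above are missing, and reads Win32_OperatingSystem to confirm that hardware DEP is available to the operating system, which is what the BIOS NX/XD setting controls. It assumes the hosts accept remote WMI (DCOM) connections from the workstation and that the workstation has PowerShell; the host names in the usage lines are placeholders. Hardware-assisted virtualization is not exposed through WMI on Windows Server 2008, so that BIOS setting still has to be confirmed with the hardware manufacturer's instructions and the hypervisor's event log entries, as described above.

```powershell
# Added example: report missing Hyper-V update packages and whether hardware
# DEP is available, for one or more hosts. Not from the Hyper-V Security Guide.
# Assumes remote WMI access to the hosts; the KB list defaults to the two
# host-side updates the guide names for the release version of Hyper-V.

function Get-MissingHyperVUpdates {
    param(
        [string]$ComputerName = ".",
        [string[]]$Required = @("KB950050", "KB951636")
    )
    # Same data that "wmic qfe list" prints; HotFixID has the form KBnnnnnn.
    $installed = Get-WmiObject -Class Win32_QuickFixEngineering -ComputerName $ComputerName |
        ForEach-Object { $_.HotFixID }
    $Required | Where-Object { $installed -notcontains $_ }
}

function Test-HardwareDepAvailable {
    # True when the OS reports the hardware DEP (NX/XD) feature as available,
    # which requires the corresponding BIOS setting to be enabled.
    param([string]$ComputerName = ".")
    $os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $ComputerName
    [bool]$os.DataExecutionPrevention_Available
}

function Test-HyperVHostReadiness {
    # Prints one line per host and warns about each unmet prerequisite.
    param([string[]]$ComputerNames = @("."))
    foreach ($name in $ComputerNames) {
        $missing = @(Get-MissingHyperVUpdates -ComputerName $name)
        $dep = Test-HardwareDepAvailable -ComputerName $name
        if (-not $dep) {
            Write-Warning ("{0}: hardware DEP not available; enable NX/XD in the BIOS" -f $name)
        }
        foreach ($kb in $missing) {
            Write-Warning ("{0}: {1} is not installed" -f $name, $kb)
        }
        if ($dep -and $missing.Count -eq 0) {
            "{0}: ready" -f $name
        }
    }
}

# Usage (host names are placeholders):
#   Test-HyperVHostReadiness -ComputerNames HV01, HV02
#   Get-MissingHyperVUpdates -ComputerName MGMT-WS -Required KB952627   # Vista SP1 workstation
```

The last usage line shows the same function checking the Vista SP1 management workstation for KB952627, which belongs on the workstation rather than on the host.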
The Microsoft Remote Server Administration Tools are included with Windows
Server 2008; a version of the tools for Windows Vista is also available through
the Microsoft Help and Support article Description of the Windows Vista Service
Pack 1 Management Tools update for the release version of Hyper-V. These
tools include the Hyper-V Manager console, which enables authorized
administrators to manage Hyper-V servers remotely from their workstations. The
console also allows administrators to manage Hyper-V on Server Core without
using command-line tools.
The rest of this section discusses how to configure the physical computer using
the Hyper-V Manager and other GUI management tools.
Note You can perform the same tasks on the local console of Server Core using scripts for
Windows Management Instrumentation (WMI). For more information, see Virtualization WMI
Provider in the MSDN Library.

Host Network Configuration


The configuration of the physical network interfaces of the computer running
Hyper-V can help to improve the isolation of the management operating system
from other virtual machines. Microsoft recommends that you install at least two
network adapters on the computer hosting Hyper-V. Dedicate the first network
adapter for the exclusive use of the management operating system, and then
allow the other virtual machines to use the other network adapters. The following
figure illustrates this concept.

Figure 1.2. Physical Hyper-V architecture in an enterprise network


When you install the Hyper-V role using the Add Roles Wizard on a full
installation of Windows Server 2008 Enterprise, the wizard prompts you to
reserve one network adapter for remote access to the management operating
system, as shown in the following figure.


Figure 1.3. The Create Virtual Networks page of the Add Roles Wizard
If you leave a network adapter unselected on this page of the wizard, the network
adapter will be dedicated for use by the management operating system
exclusively.
After installation, you can reconfigure the physical network adapters using the
Hyper-V Manager.
To use the Hyper-V Manager to configure virtual networks
1. On the physical Hyper-V computer or from a remote management
workstation, click Start, point to Administrative Tools, and then click Hyper-
V Manager.
2. In the tree pane, select the server that you want to manage.
3. In the Actions pane, click Virtual Network Manager.
4. In the Virtual Network Manager dialog box, add, modify, or remove virtual
network switches to be used by the management operating system and the
virtual machines.
Each virtual network you define results in the creation of a virtual network switch.
You can connect the virtual network adapters inside your virtual machines to the
virtual networks you create.
There are three different types of virtual networks:
• External virtual networks use virtual network switches that are bound to a
network adapter in the physical computer. Any virtual machines attached to
an external virtual network can access the same networks to which the
physical adapter is connected.
• Internal virtual networks use virtual network switches that are not bound to
a network adapter in the physical computer. An internal virtual network is
isolated from networks external to the physical computer. However, virtual
machines connected to an internal virtual network can communicate with the
management operating system.
• Private virtual networks use virtual network switches that are not bound to a
network adapter in the physical computer, as with internal virtual networks.
However, network traffic from virtual machines connected to a private
network is completely isolated from network traffic in the management
operating system and in the external networks.
These different virtual network configurations support some interesting scenarios.
Consider a multi-tier application that includes Web, database, and application
servers, as shown in the following figure.

Figure 1.4. Network configuration for multi-tier Web application


The physical Hyper-V computer has two network adapters. The first network
adapter connects the physical computer to a physical network (labeled
Management network) for management. The second network adapter connects
the physical computer to a separate public network (labeled Front-end network)
where the client systems and other servers are located; the Web server virtual
machine is connected to this network adapter through an external virtual network.
There is also a private virtual network that connects the Web server virtual
machine to the applications server virtual machines and the database
management system (DBMS) virtual machine.
This configuration isolates all of the traffic between the Web server and the other
virtual machines from the publicly accessible network, and it also provides a
dedicated network connection for administration of the management operating
system.
Although isolating the virtual and physical networks from each other protects the
virtual network from outside attacks, it also renders the virtual network segment
invisible to any security tools that are deployed on the physical network, such as
network intrusion detection systems (NIDS). For additional protection, deploy
virtual network-capable versions of these tools on the virtual segment.
For more information, see Configuring Virtual Networks on Microsoft TechNet.

Securing Dedicated Storage Devices


Files that contain configuration information about each virtual machine are stored
in the %programdata%\Microsoft\Windows\Hyper-V\ directory by default.
Virtual machine configuration files stored in this directory are relatively small, and
the default storage location should be acceptable for many scenarios.
Important   If you specify a different storage location, ensure that both the System account and
the Administrators group have Full Control permissions for the new folder, and that access by
other accounts is strictly limited as appropriate.

Virtual hard disk (VHD) files can be dynamic or fixed-size. A dynamic VHD file is
the size required by the data stored in it and can grow as the data changes. A
fixed-size VHD file takes up the amount of space configured for the virtual disk,
including any free space. For example, a dynamic VHD and a fixed-size VHD
might both appear as 80 GB volumes when mounted inside a virtual machine,
but the dynamic VHD only takes up as much space on the physical disk as the
data stored in it requires; the fixed-size VHD always takes up about 80 GB on the
physical disk. Microsoft recommends using fixed-size VHD files for best
performance, and to prevent virtual machines from unexpectedly running out of
storage space.
By default, new VHD files in the Public profile are stored in the
%users%\Public\Documents\Hyper-V\Virtual Hard Disks directory. You can change
the default storage location for VHDs by selecting Hyper-V Settings in the
Hyper-V Manager. If you specify a different storage location, assign permissions
as follows for the new folder:
Table 1.1. Permission Settings for VHD Storage Folder

Names                        Permissions                   Apply to
Administrators, System       Full Control                  This folder, subfolders, and files
Creator Owner                Full Control                  Subfolders and files only
Interactive, Service, Batch  Create files/write data       This folder, subfolders, and files
                             Create folders/append data
                             Delete
                             Delete subfolders and files
                             Read attributes
                             Read extended attributes
                             Read permissions
                             Write attributes
                             Write extended attributes

To simplify management, you might want to store all of the VFD and ISO files in
separate folders on the same logical volume as the VHDs. For example, a typical
folder structure might be:
• W:\Virtualization Resources\Virtual Machines
• W:\Virtualization Resources\Virtual Hard Disks
• W:\Virtualization Resources\Virtual Floppy Disks
• W:\Virtualization Resources\ISO files
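The Table 1.1 permissions applied to the custom VHD folder from the structure above, as an added PowerShell example that is not part of the guide. It assumes the W:\Virtualization Resources\Virtual Hard Disks path and an elevated prompt, and uses icacls.exe with well-known SIDs so the entries resolve regardless of the server's locale.

```powershell
# Added example, not from the Hyper-V Security Guide: apply the Table 1.1 ACL to a
# custom VHD storage folder with icacls.exe, then list the resulting ACEs for review.
$VhdRoot = 'W:\Virtualization Resources\Virtual Hard Disks'   # assumed path, adjust as needed
if (-not (Test-Path -LiteralPath $VhdRoot)) {
    New-Item -ItemType Directory -Path $VhdRoot | Out-Null
}

# icacls specific rights used below:
#   WD,AD   = Create files/write data, Create folders/append data
#   DE,DC   = Delete, Delete subfolders and files
#   RA,REA  = Read attributes, Read extended attributes
#   RC      = Read permissions (READ_CONTROL)
#   WA,WEA  = Write attributes, Write extended attributes
# Inheritance: (OI)(CI) = this folder, subfolders, and files; (OI)(CI)(IO) = subfolders and files only.
$limitedRights = 'WD,AD,DE,DC,RA,REA,RC,WA,WEA'
$grants = @(
    "*S-1-5-32-544:(OI)(CI)F",              # BUILTIN\Administrators: Full Control
    "*S-1-5-18:(OI)(CI)F",                  # NT AUTHORITY\SYSTEM: Full Control
    "*S-1-3-0:(OI)(CI)(IO)F",               # CREATOR OWNER: Full Control, subfolders and files only
    "*S-1-5-4:(OI)(CI)($limitedRights)",    # NT AUTHORITY\INTERACTIVE
    "*S-1-5-6:(OI)(CI)($limitedRights)",    # NT AUTHORITY\SERVICE
    "*S-1-5-3:(OI)(CI)($limitedRights)"     # NT AUTHORITY\BATCH
)

# /inheritance:r removes ACEs inherited from the volume (for example the default
# BUILTIN\Users read access), so only the explicit entries from the table remain.
& icacls.exe $VhdRoot /inheritance:r | Out-Null
foreach ($grant in $grants) {
    # /grant:r replaces any existing explicit rights for that SID instead of merging with them.
    & icacls.exe $VhdRoot /grant:r $grant | Out-Null
}

# Review the result: each remaining ACE should correspond to one row of Table 1.1,
# and no ACE should be marked as inherited.
(Get-Acl -LiteralPath $VhdRoot).Access |
    Select-Object IdentityReference, FileSystemRights, InheritanceFlags,
                  PropagationFlags, AccessControlType, IsInherited |
    Format-Table -AutoSize
```

Because the script strips inherited permissions, run it only against a folder dedicated to VHD storage, never against a volume root or a folder that other services depend on.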
When installing antivirus software in the management operating system,
configure any real-time scanning components to exclude the directories where
virtual machine files are stored, as well as the program files vmms.exe and
vmwp.exe in C:\Windows\System32. If you do not create these exclusion rules,
you might encounter errors when creating and starting virtual machines.

Security Setting Recommendations


The Windows Server 2008 Security Guide (part of the Windows Server 2008
Security Compliance Management Toolkit) includes high-level security design
recommendations that you can follow to implement either the Enterprise Client
(EC) baseline settings or the Specialized Security Limited Functionality (SSLF)
baseline settings. To help reduce the attack surface and harden the security
configuration of your servers running the Hyper-V role, Microsoft recommends
applying the baseline settings described in the Windows Server 2008 Security
Guide.
During the development of this guide, the security settings prescribed in the
Windows Server 2008 Security Guide were tested on servers running the Hyper-V
role. Servers that were configured with the settings recommended for the SSLF
environment encountered errors related to VHD creation, snapshotting, and
importing. Correcting these errors requires modifying the recommended settings
included in the Windows Server 2008 Security Guide. Servers that were
configured with the settings recommended for the EC environment encountered
no issues.
The issues encountered all pertain to the configuration of the Create symbolic
links user right setting. The Windows Server 2008 Security Guide recommends
configuring this setting in the WS08 SSLF Member Server Baseline Policy to only
include the Administrators group. However, this user right must also be granted
to the Virtual Machines group. If you apply the WS08 SSLF Member Server
Baseline Policy to any of your servers running the Hyper-V role, perform the
steps in the following procedure to modify the baseline policy:
To modify the WS08 SSLF Member Server Baseline Policy GPO
1. Use Notepad.exe to create an .INF file that includes the following text:
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
SeCreateSymbolicLinkPrivilege = *S-1-5-32-544,*S-1-5-83-0
2. Open GPMC.msc, right-click the WS08 SSLF Member Server Baseline
Policy GPO, and click Edit.
3. Under Computer Configuration, expand Policies, and then expand
Windows Settings.
4. Right-click Security Settings, and click Import Policy.
5. Select the .INF file created in step 1, and click Open.
This procedure will modify the WS08 SSLF Member Server Baseline Policy as
required for use with servers running Hyper-V.
Note that simply adding the Virtual Machines group to the Create symbolic
links Group Policy setting will not result in the required configuration.
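A check that the user right assigned on a host matches the .INF above, as an added PowerShell example that is not part of the guide. It exports the local security policy as currently applied on the host with secedit.exe (run from an elevated prompt after policy has refreshed); the temporary file name and the function name are assumptions.

```powershell
# Added example, not from the Hyper-V Security Guide: verify that the Create symbolic
# links user right (SeCreateSymbolicLinkPrivilege) is held by both Administrators
# (S-1-5-32-544) and the Virtual Machines group (S-1-5-83-0) on a Hyper-V host.
function Test-HyperVSymbolicLinkRight {
    $requiredSids = @('S-1-5-32-544', 'S-1-5-83-0')
    $exportFile = Join-Path $env:TEMP 'secpol-user-rights.inf'   # assumed temporary file name

    # secedit writes a Unicode .INF whose [Privilege Rights] section uses the same
    # "SeXxxPrivilege = *SID,*SID" form as the file imported in the procedure above.
    & secedit.exe /export /cfg $exportFile /areas USER_RIGHTS | Out-Null
    if (-not (Test-Path -LiteralPath $exportFile)) {
        throw 'secedit export failed; run this check from an elevated prompt.'
    }

    $line = Get-Content -LiteralPath $exportFile |
        Where-Object { $_ -match '^SeCreateSymbolicLinkPrivilege\s*=' } |
        Select-Object -First 1
    Remove-Item -LiteralPath $exportFile -ErrorAction SilentlyContinue

    # An absent line means nobody holds the right (the SSLF baseline applied unmodified).
    $granted = @()
    if ($line) {
        $granted = @(($line -split '=', 2)[1].Trim() -split ',' |
            ForEach-Object { $_.Trim().TrimStart('*') } |
            Where-Object { $_ -ne '' })
    }

    $missing = @($requiredSids | Where-Object { $granted -notcontains $_ })
    if ($missing.Count -gt 0) {
        Write-Warning ('Create symbolic links is not granted to: ' + ($missing -join ', ') +
            '. Import the .INF from the procedure above into the SSLF baseline GPO.')
        return $false
    }
    Write-Output 'Create symbolic links is granted to Administrators and Virtual Machines.'
    return $true
}

Test-HyperVSymbolicLinkRight
```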

Virtual Machine Security


Several virtual machine settings have security implications. You can configure
some of these settings by using the Virtual Machine Wizard, and you can access
all of the settings after creating a virtual machine through the Hyper-V Manager.

Virtual Machine Configuration


The following considerations and recommendations relate to configuring virtual
machines on a computer running Windows Server 2008 Hyper-V.
• Determine where to store the virtual machine files and the VHDs. See
“Securing Dedicated Storage Devices” earlier in this chapter for guidance.
• Decide how much memory to assign to a virtual machine. Memory on the
physical computer is apportioned to all of the virtual machines on the server,
including the virtual machine running the management operating system, so
assigning an appropriate amount of memory to each virtual machine is
important to ensure the continuing availability of all virtual machine resources.
The amount of memory to assign will depend on the workload of the virtual
machine, how much physical memory is available on the computer, and how
much memory other virtual machines running on the same computer are
using.
• Impose limits on processor usage. By default, Hyper-V does not limit the
amount of processing power used by virtual machines. A compromised virtual
machine that can use all of the processing power on the physical computer
could cause the computer and other virtual machines running on it to become
unresponsive. The precise number of logical processors to use and the limits
that you should impose on them depend on the workload they perform, the
number of physical processors and cores installed on the physical computer,
and the amount of processor power required by other virtual machines
running on the same computer. To ensure continuing availability of all VM
resources, monitor processor usage and adjust the limits accordingly.
• Configure only required storage devices for a virtual machine. Give each
virtual machine access to the physical hard disks, VHDs, and removable
storage devices that it needs, and no others. If a virtual machine does not
require access to a resource like a CD/DVD drive except when you are
installing software, for example, remove the virtual drive or select None as
the media when it is not in use.
• Enable support for time synchronization. Time synchronization can be
important in some auditing scenarios, because the system time of virtual
machines can drift out of sync with the management operating system for
virtual machines that are under constant heavy load. For time synchronization
to work you need to install the Hyper-V Integration Services on the virtual
machines. For information about installing and using Integration Services,
see the Hyper-V Getting Started Guide on Microsoft TechNet.
Note   If any virtual machines on a physical computer belong to a domain but the computer
itself does not, ensure that the physical computer synchronizes with the same time source
used by the domain to eliminate synchronization conflicts between the physical computer
and domain.
For virtual machines that are configured as domain controllers, Microsoft recommends
disabling time synchronization with the physical computer through Integration Services, so
that domain controllers use the default Windows Time service (W32time) domain hierarchy
time synchronization. If domain controllers synchronize time from their own source and also
synchronize time from the physical computer, the domain controller time can change
frequently. Because many domain controller tasks are tied to the system time, a jump in the
system time could cause lingering objects to be left in the directory and replication to be
stopped.
• Place virtual machines of a similar trust level on the same physical
computer. To maintain security in your organization, deploy your virtual
machines in such a way that all the VMs on a given physical computer share
a similar level of trust, and then configure the computer to be at least as
secure as the most secure VM. Virtual machines that are exposed to external
access, such as Web servers, or that must be accessed widely require
different security precautions than servers to which access is tightly
controlled or limited to a small number of users.
• Delete decommissioned high-security VHDs. For high-security VMs that
contain sensitive information, establish a process for securely deleting the
VHD files after decommissioning. Tools such as SDelete v1.51, available for
download from Microsoft TechNet, can help with this process.
• Store snapshot files securely. A snapshot is a “point in time” image of a
virtual machine’s state that you can return the machine to later. It is
conceptually similar to the System Restore feature of Windows XP and
Windows Vista, or the undo disks used by Virtual PC and Virtual Server.
Store any snapshots you create together with their associated VHDs in an
equally secure location.

More Information
The following resources on Microsoft.com provide more information about some
of the concepts and techniques described in this chapter.
• Windows Server 2008 Security Compliance Management Toolkit
• Windows Server 2008 Hyper-V overview white paper
• Windows Server 2008 Virtualization with Hyper-V: FAQ
• Microsoft Hyper-V Server 2008 FAQ
• Hyper-V Planning and Deployment Guide
• Performance and Capacity Requirements for Hyper-V
• Performance Tuning Guidelines for Windows Server 2008
• Planning for Hyper-V Security
• Hyper-V Attack Surface Reference Workbook
• Virtualization with Hyper-V: Supported Guest Operating Systems
• Virtualization WMI Provider
• Infrastructure Planning and Design

Chapter 2: Delegating Virtual Machine Management
This chapter provides guidance to help safely and securely delegate
administrative access to virtual machine (VM) resources within an organization. A
number of tools are available to administer VMs, physical computers, and other
aspects of a virtual machine infrastructure. This chapter explains how these tools
work, and how to control administrative access to different servers and at
different levels.
When a single physical server is configured to support multiple operating system
instances, it’s important to correctly assign administrative permissions to each
instance to properly secure the Hyper-V™ environment. The scope of operations
available to an administrator account depends on where you establish
administrative access for an account:
• Hyper-V administrators are administrative accounts that have full
administrative access to the storage and network configuration of all the
virtual machines on a physical Hyper-V computer. They can make global
configuration changes that could affect all virtual machines on the physical
computers.
• Virtual machine administrators are administrative accounts that only have
administrative access to the virtual machine on which the account has been
established. Hyper-V creates a security boundary between the management
operating system and virtual machines that prevents virtual machine
administrators from administering the management operating system.
Microsoft recommends that you closely control administrative access to the
management operating system and only assign it to staff members with a valid
business need to manage both the management operating system and all the
virtual machines on a physical Hyper-V server. For typical operations, Microsoft
recommends that you maintain a clear separation between those administrators
who are responsible for the operation of the physical server and the management
operating system, and those administrators who are responsible for managing
individual virtual machines.
By default, virtual machine administrators are not granted administrative access
to the management operating system and cannot log on to the management
operating system to view the Hyper-V configuration or make any changes to it.
Although this configuration is suitable for many situations, your organization
might want to give the administrators who are responsible for managing the
virtual machines a limited ability to manage a Hyper-V installation without
making them administrators of the management operating system itself. To do
so, provide each affected user with an account that can log on to the
management operating system, and use Authorization Manager as described in
the following sections to assign appropriate permissions to the users’ accounts.

Using Tools to Delegate Access


The Hyper-V Manager user interface in Windows Server® 2008 Server Manager
is shown in the following screen shot. It is provided as part of the Hyper-V role,
and allows users designated as administrators of the management operating
system to manage the virtual machines on the physical computer. Administrators
can use Hyper-V Manager to perform a variety of management tasks on the
physical computer, including starting and stopping VMs, importing and deploying
VMs on the computer, and managing snapshots. By default, anyone who is a
local administrator of the management operating system can use Hyper-V
Manager on the physical computer. In addition, a user can also use Hyper-V
Manager to remotely manage Hyper-V on other servers in a domain to which the
user has administrative access.

Figure 2.1. The Hyper-V Manager user interface

Restricting Hyper-V management capability to server administrators can make it
difficult to manage a large Hyper-V deployment efficiently and securely. Granting
server administrative access to many people can put critical computing resources
at risk, but limiting access can create administrative bottlenecks. Managing
administrative access individually for each physical Hyper-V computer can also
be time-consuming and difficult to track. Fortunately, tools such as Authorization
Manager and System Center Virtual Machine Manager make it possible to
securely delegate and decentralize Hyper-V administrative functions.

Delegating Access with Authorization Manager

By default, access to Hyper-V Manager on a physical computer is restricted to
members of the local Administrators group on the server. The default
configuration helps maintain virtual machine security by limiting control of virtual
machines to the users who already have full administrative user rights on the
physical computer. However, in some scenarios you might want additional
trusted users to have the appropriate permissions to administer virtual machines
using Hyper-V Manager.
For example, you might want to delegate Hyper-V management to a group of
assistants to better accommodate a large, decentralized Hyper-V deployment,
but your organization might have security policies in place that discourage
granting server administrative access to people outside a small group of
administrators. Limiting administrative access to the management operating
system also enables you to use access control lists (ACLs) to prevent
unauthorized users from accessing VHDs and other critical files through the file
system.
You can use Authorization Manager (AzMan), a snap-in for the Microsoft®
Management Console (MMC), to assign selected users and groups to the
Hyper-V Administrator role so they can use Hyper-V Manager without being
administrators of the physical computer itself. Authorization Manager is an
administrative tool for defining and using role-based authorization in applications
that are designed to support it. Role-based authorization policy specifies access
in terms of user roles that reflect an application's authorization requirements.
Users are assigned roles based on their job functions, and these roles are
granted permissions to perform related tasks or operations. The roles and tasks
for an application are defined and saved in an authorization store, which can be
accessed and edited using Authorization Manager.
The default authorization store included with Hyper-V defines 33 different
operations and an Administrator role that can access all of them. You can create
other roles that can access a subset of allowable operations. Roles are listed in
Role Assignments in Authorization Manager, and also in the Role Definitions
node below the Definitions node.
The following three tables categorize all of the Hyper-V operations that can be
assigned to roles.

Table 2.1. Hyper-V Service Operations

Name                                      Description
Read service configuration                Authorizes reading configuration of the Virtual Machine Management Service
Reconfigure Service                       Authorizes reconfiguration of Virtual Machine Management Service

Table 2.2. Hyper-V Network Operations

Name                                      Description
Bind External Ethernet Port               Authorizes binding to an external Ethernet port
Connect Virtual Switch Port               Authorizes connecting to a virtual switch port
Create Internal Ethernet Port             Authorizes creating an internal Ethernet port
Create Virtual Switch                     Authorizes creating a new virtual switch
Create Virtual Switch Port                Authorizes creating a new virtual switch port
Delete Internal Ethernet Port             Authorizes deleting an internal Ethernet port
Delete Virtual Switch                     Authorizes deleting a virtual switch
Delete Virtual Switch Port                Authorizes deleting a virtual switch port
Disconnect Virtual Switch Port            Authorizes disconnecting from a virtual switch port
Modify Internal Ethernet Port             Authorizes modifying the internal Ethernet port settings
Modify Switch Port Settings               Authorizes modifying the switch port settings
Modify Switch Settings                    Authorizes modifying the switch settings
Change VLAN Configuration on Port         Authorizes modifying VLAN settings
Unbind External Ethernet Port             Authorizes unbinding from an external Ethernet port
View External Ethernet Ports              Authorizes viewing the available external Ethernet ports
View Internal Ethernet Ports              Authorizes viewing the available internal Ethernet ports
View LAN Endpoints                        Authorizes viewing the LAN endpoints
View Switch Ports                         Authorizes viewing the available switch ports
View Switches                             Authorizes viewing the available switches
View Virtual Switch Management Service    Authorizes viewing the Virtual Switch Management Service
View VLAN Settings                        Authorizes viewing the VLAN settings

Table 2.3. Hyper-V Virtual Machine Operations

Name                                      Description
Allow Input to Virtual Machine            Authorizes user to give input to the virtual machine
Allow Output from Virtual Machine         Authorizes viewing the output from a virtual machine
Change Virtual Machine Authorization Scope  Authorizes changing the scope of a virtual machine
Create Virtual Machine                    Authorizes creating a virtual machine
Delete Virtual Machine                    Authorizes deleting a virtual machine
Pause and Restart Virtual Machine         Authorizes pause and restart of a virtual machine
Reconfigure Virtual Machine               Authorizes reconfiguring a virtual machine
Start Virtual Machine                     Authorizes starting the virtual machine
Stop Virtual Machine                      Authorizes stopping the virtual machine
View Virtual Machine Configuration        Authorizes viewing the virtual machine configuration

Figure 2.2. Authorization Manager

Any users who are assigned the Administrator role through Authorization
Manager (shown in the preceding figure) have full access to Hyper-V Manager
and all of the virtual machines deployed on the physical computer, and can
access all 33 of the Hyper-V operations listed in the three preceding tables.
To use Authorization Manager to assign the Administrator role to users and
groups
1. From the management console of the physical computer or from a remote
workstation, click Start, type azman.msc, and then press Enter. The
Authorization Manager console snap-in appears.
2. Right-click Authorization Manager in the tree pane and select Open
Authorization Store.
3. The Open Authorization Store dialog box appears with XML file selected as
the store type.
4. Do one of the following:
• If you are on the physical computer being managed, specify
%programdata%\Microsoft\Windows\Hyper-V\InitialStore.xml in the Store
Name text box and click OK.
Note   By default, only local administrators have access to this directory.
• If you are on a remote workstation, specify the path to the
InitialStore.xml file on the physical computer in the Store Name text box
and click OK. For example, if Windows Server 2008 is installed on the C:
drive, you might specify
\\<server name>\C$\ProgramData\Microsoft\Windows\Hyper-V\InitialStore.xml.
5. Expand Hyper-V services under InitialStore.xml, expand Role
Assignments, and then click the Administrator role.
6. Click Action, point to Assign Users and Groups, and then click From
Windows and Active Directory.
7. In the Select Users, Computers, or Groups dialog box, select the user
accounts and groups to which you want to assign the role, and click OK.


Note   These steps only work with Hyper-V physical computers that are not being managed by
System Center Virtual Machine Manager 2008 (VMM 2008). The advanced delegation capabilities
of VMM 2008 are described in the next section.

Users who are assigned the Administrator role can install the Hyper-V
management tools on a full installation of Windows Server 2008 and on Windows
Vista® Service Pack 1 (SP1) and administer Hyper-V servers remotely. (Remote
administration is the only way to use Authorization Manager to manage an
authorization store on a Server Core installation.) See Install and Configure
Hyper-V Tools for Remote Administration on Microsoft TechNet for instructions.
Note   Hyper-V Remote Management Configuration Utility on the Microsoft Developer Network
(MSDN) is a tool that partially automates the process of setting up Hyper-V remote management.

System Center Virtual Machine Manager 2008

Microsoft System Center VMM 2008, which is available as a separate product, is
a comprehensive management solution for virtualized data centers. Shown in the
following screen shot, VMM 2008 enables increased physical server utilization,
centralized management of virtual machine infrastructure and rapid provisioning
of new virtual machines by the administrator, delegated administrators, and
authorized end-users. VMM 2008 supports Windows Server 2008 Hyper-V,
Microsoft Virtual Server 2005, and adds support for virtual machines running on
VMware ESX Server, which makes it possible to centrally manage virtual
machine environments from different vendors. The new Performance and
Resource Optimization (PRO) and Intelligent Placement features help you
allocate your virtual computing resources more efficiently and to monitor them for
potentially troublesome situations.
Important   To use VMM 2008, you must install the Hyper-V Update for Windows
Server 2008 x64 Edition (KB 956589) and Background Intelligent Transfer Service (BITS)
update (KB 956774) on all of your Hyper-V physical computers. See VMM System
Requirements on Microsoft TechNet for a full list of prerequisites.


Figure 2.3. System Center Virtual Machine Manager 2008

VMM 2008 is a comprehensive solution that offers many tools for managing
virtual machine resources. In a security context, however, the most important
features of VMM 2008 involve its ability to delegate virtual machine
administrative permissions. VMM 2008 allows you to create groups of physical
Hyper-V computers, or hosts, and manage administrative access to them
individually. VMM 2008 also allows you to create libraries that can be used to
store virtual machines when they are not in use, and to store resources for
creating new virtual machines based on templates and standard profiles. As with
host groups, you can control which users have access to different libraries, which
allows you to deploy sensitive library resources in a secure manner. VMM 2008
also enables you to create self-service users who have limited, Web-based
administrative access to selected virtual machines.
In VMM 2008 you can create user roles to delegate permissions for individual
groups of hosts, virtual machines, and library servers. Each user role includes a
profile that determines the level of access granted by the role, and one or more
host groups and library servers that the role is allowed to manage. You can add
Active Directory® Domain Services (AD DS) user accounts and groups as
members of each user role as needed.
VMM 2008 defines three profiles that can be applied to user roles:
• The Administrator profile is the highest level of access available in VMM
2008. A single Administrator role is created by default when you install VMM
2008, and you cannot assign the Administrator profile to any new user roles
that you create. Users who are assigned to the Administrator role have
complete administrative access to all the hosts, virtual machines, and library
servers in VMM 2008.
• The Delegated Administrator profile grants administrative access to a defined
set of host groups and library servers. Users who belong to a Delegated
Administrator role can use the VMM Administrator Console to modify the
configuration of all virtual machines defined on any Hyper-V hosts that they
control. It is not possible to use the Delegated Administrator role to delegate
access to specific virtual machines. Delegated administrators can also be
granted access to resources stored on library servers defined in VMM 2008.
• The Self-Service User profile grants administrative access to a defined set of
virtual machines through the Web-based Virtual Machine Manager Self-
Service Portal. Self-service users cannot use the VMM 2008 console to
manage virtual machine resources. You can also limit the virtual machine
management tasks that users who belong to a Self-Service User role can
perform.
These profiles make it possible to deploy Hyper-V within your organization in a
way that is both flexible and secure. By using VMM 2008 to define virtual
machine user roles and limit their access appropriately, you can give people
throughout your organization control over their own Hyper-V resources without
compromising the security of any servers managed by other groups.

Delegated Administrator Role


Users who belong to a Delegated Administrator role can use the VMM
Administrator Console to access all of the hosts and library servers they are
entitled to manage, as determined by the role settings. Other hosts and library
servers do not display in the console and cannot be managed by the user.
To add a Delegated Administrator user role in VMM 2008
1. In the User Roles view in the VMM Administrator Console, click New User
Role in the Actions pane. The New User Role Wizard appears.
2. On the General page, type a User role name and Description, and then
select Delegated Administrator in the User Role Profile list. Click Next.
3. On the Add Members page, click Add, and then type the names of the
Active Directory users or groups you want to add to this role. Click Next.
4. As shown on the Select Scope page in the following screen shot, select the
host groups and library servers that you want to enable members of the user
role to manage. Click Next.

Solution Accelerators microsoft.com/technet/SolutionAccelerators


30 Hyper-V Security Guide

Figure 2.4. The Select Scope page of the Create User Role Wizard

5. On the Summary page, review the user role settings and click Create.

Self-Service Portal

The Virtual Machine Manager Self-Service Portal is a Web site through which
self-service users can create and operate their own virtual machines within a
controlled environment. Using the Self-Service Portal, self-service users can see
only the virtual machines that they own, and they are allowed to perform only the
actions that the user role associated with the virtual machine allows. For
example, you might want to create a group of self-service users who are allowed
to start, stop, pause, and resume virtual machines on a host group, but not to
perform other administrative actions such as managing virtual machine
checkpoints or removing virtual machines from hosts.


Figure 2.5. The Web-based Virtual Machine Manager Self-Service Portal

To add a Self-Service User role in VMM 2008
1. In the User Roles view in the VMM Administrator Console, click New User
Role in the Actions pane. The New User Role Wizard appears.
2. On the General page, type a User role name and Description, and then
select Self-Service User in the User Role Profile list. Click Next.
3. On the Add Members page, click Add, and then type the names of the
Active Directory users or groups you want to add to this role. Click Next.
4. On the Select Scope page, select the host groups and library servers that
you want to enable members of the user role to manage. Click Next.
5. As shown on the Virtual Machine Permissions page in the following screen
shot, select the actions that you want to allow the members of this group to
perform on virtual machines. You can select All actions, or grant a set of
actions by selecting one or more of the following:
• Start
• Stop
• Pause and resume
• Checkpoint. Allows users to create and remove checkpoints, and to
restore their virtual machines to a previous checkpoint. A checkpoint
saves the state of each virtual hard disk that is attached to a virtual
machine and all of the hard disk's contents, including application data
files. Creating checkpoints for a virtual machine provides the ability to
restore the virtual machine to a previous state.
Note: Assign this action with care. Creating and restoring checkpoints is a resource-
intensive operation that can affect the performance of a Hyper-V server. Checkpoints
can consume considerable amounts of disk space, and reverting a VM to a previous state
could lead to unwanted data loss.
• Remove. Allows users to remove virtual machines, which deletes the
configuration files.
• Local Administrator. Allows users to set the local administrator
password when creating a virtual machine so that they have administrator
rights and permissions on the virtual machine.
• Remote connection. Allows users to remotely control a virtual machine.
• Shut down

Figure 2.6. Specifying permitted actions for a user role with the Self-Service User profile

6. On the Virtual Machine Creation Settings page, specify whether users are
allowed to create virtual machines. You can specify the templates that users
can choose from when creating their virtual machines, and set the quota for
deployed virtual machines. See Working with Virtual Machine Templates on
Microsoft TechNet for more information about templates.
7. On the Library Share page, specify whether users are allowed to store
virtual machines in a library. You can select the library server, share, and
path for the virtual machines. In addition, you can allow users to attach ISO
images to their virtual machines by selecting a Library path that contains ISO
images. See Configuring the VMM Library on Microsoft TechNet for more
information about libraries.
8. On the Summary page, review the user role settings and click Create.
Users assigned to a Self-Service User role can visit the portal using a Web
browser and perform any actions permitted by the role. They cannot access any
servers to which the role has not been granted access. This feature can be used
to provide an enhanced level of access control that cannot be easily configured
using Authorization Manager.
For example, a Hyper-V deployment might include hosts used by several
different departments within an organization, some of which might be used to
manage sensitive data. Delegating full administrative access to designated users
within each department would give all such users control over any VMs that
belong to the other departments, including the ability to perform such operations
as deleting or duplicating existing VMs. Such a configuration could risk the
disclosure, alteration, or loss of sensitive data. You can mitigate this risk by using
VMM 2008 to configure groups of self-service users with access to specific virtual
machines. This approach makes it possible to host VMs that belong to different
groups on the same physical server while minimizing risk to sensitive data.

More Information
The following resources on Microsoft.com provide more information about some
of the concepts and techniques described in this chapter.
• Authorization Manager
• For remote management of Hyper-V, see:
  • Install and Configure Hyper-V Tools for Remote Administration
  • Hyper-V Remote Management Configuration Utility
• For System Center Virtual Machine Manager 2008 information, see:
  • System Center Virtual Machine Manager 2008
  • VMM System Requirements
  • Hyper-V Update for Windows Server 2008 x64 Edition (KB 956589)
  • Background Intelligent Transfer Service (BITS) update (KB 956774)
  • Working with Virtual Machine Templates
  • Configuring the VMM Library
  • Scripting in VMM 2008 with Windows PowerShell™

Chapter 3: Protecting Virtual Machines
This chapter provides guidance for securing the files that are used to create and
run virtual machines (VMs), such as virtual hard disk (VHD) files and
configuration files. It includes best practice recommendations for properly
implementing file system permissions, encryption, and auditing that help protect
your VMs and related configuration files from unauthorized access and malicious
tampering. The chapter also includes best practice information and resources
designed to help you safeguard the operating systems running within a VM
against common threats.

Methods for Protecting VMs
A virtual machine consists of a set of files, including VHD files and files that
define how the VM is configured. Some VM scenarios can include files that are
not typically associated with physical computers, such as the contents of the
memory of a running server stored on disk. Applications that store sensitive
information such as passwords or hashes in memory but not typically to disk can
therefore be more at risk if run in virtualized environments, because of the
possibility of sensitive information being stored to disk as state information.
As files on disk, VM resources can be secured using many of the same
techniques that are commonly used to protect other files in Windows Server®
environments, including file system security, encryption, and object access
auditing.

Hardening the Virtual Machine Operating System and Applications
The same security measures and hardening you would apply to a physical
computer should be applied to virtual machines. You should perform hardening
steps for the virtual machine's server role as indicated in the “Server Role
Security Configuration” section in chapter 1, including consulting the appropriate
Microsoft Solution Accelerator guidance for the specific operating system.

Firewall and Antivirus Requirements
Each operating system running on a virtual machine needs its own firewall,
antivirus, and intrusion detection software as appropriate for the environment.

Group Policy Considerations
Like physical servers, virtual machines should be added to the appropriate
organizational units (OUs) so that Group Policy settings apply correctly.
For more information on reducing the attack surface and hardening the security
of the operating systems that run inside VMs, consult the following Microsoft®
Solution Accelerator guidance:
• Windows Server 2008 Security Compliance Management Toolkit
• Windows Server 2003 Security Compliance Management Toolkit
• Windows Vista Security Compliance Management Toolkit
• Windows XP Security Compliance Management Toolkit

Using File System Security to Protect Virtual Machine Resources
You can use access control lists (ACLs) to help protect VHD files and virtual
machine configuration files from unauthorized file system-level access. This
approach can prevent scenarios such as an unauthorized person copying a VHD
from a Hyper-V™ computer or library server to another location, or replacing an
existing virtual machine file with an altered version. However, using ACLs to
restrict access to files or folders is not an effective way to manage administrative
access to VMs themselves.
Each virtual machine runs in the context of a virtual machine worker process
(vmwp.exe), which runs under the NETWORK SERVICE account and which is
able to access the file system resources that make up the virtual machine. This
functionality enables any user who has the necessary permissions to use Hyper-V
Manager to stop and start virtual machines, mount virtual hard disks, and
perform other management tasks regardless of whether they can access the files
in the file system with their own user accounts. A comprehensive Hyper-V
security plan involves a combination of ACLs and tools such as Virtual Machine
Manager 2008 (VMM 2008) that can be used to restrict VM management
capabilities.
If several administrators manage different virtual machines on the same physical
computer, consider granting their individual accounts permissions to access the
folders in which the resource files are stored. This approach allows them to
perform management tasks at the level of the physical computer’s file system,
such as moving their virtual machines and the resource files they use to a
different physical computer, or copying ISO files (CD or DVD image files that
usually have the extension .iso) and virtual floppy disks to an appropriate file
system location so that they can mount them within their virtual machines.
A flexible system might involve adding a layer of subdirectories to the folder
structure suggested in Chapter 1, such as the following:
W:\Virtualization Resources\Project A\Virtual Machines
W:\Virtualization Resources\Project A\Virtual Hard Disks
W:\Virtualization Resources\Project A\Virtual Floppy Disks
W:\Virtualization Resources\Project A\ISO files
W:\Virtualization Resources\Project B\Virtual Machines
W:\Virtualization Resources\Project B\Virtual Hard Disks
W:\Virtualization Resources\Project B\Virtual Floppy Disks
W:\Virtualization Resources\Project B\ISO files
W:\Virtualization Resources\Project C\Virtual Machines
W:\Virtualization Resources\Project C\Virtual Hard Disks
W:\Virtualization Resources\Project C\Virtual Floppy Disks
W:\Virtualization Resources\Project C\ISO files
The ACLs for all of the folders would need to include the default permissions
described in the "Securing Dedicated Storage Devices" section in Chapter 1 of
this guide. In addition, if you want to allow virtual machine administrators to copy
resource files to and from the physical computer, you should grant them Full
Control for the subdirectories of their respective projects and create a network
share that provides them with access to the parent Virtualization Resources
folder.
If you are running VMM 2008, consider using VMM libraries to store resources
like ISO files. See Virtual Machine Manager Library on Microsoft TechNet for
more information.
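One way to script the per-project layout and the ACL grants described above, as an added example that is not part of the Hyper-V Security Guide or of Microsoft's own tooling. It assumes Windows PowerShell 2.0 or later on the management operating system, the W: drive and folder names shown above, and invented group names (CONTOSO\ProjectA-VMAdmins and so on) standing in for each project's Active Directory group; the Chapter 1 default permissions are assumed to be already in place on the parent folder and are inherited untouched.

```powershell
# Added example (not from the Hyper-V Security Guide): build the per-project
# folder layout and grant each project's administrators Full Control only on
# their own subtree. The W: root, the subfolder names and the group names are
# assumptions for illustration. Run from an elevated prompt.
$root    = 'W:\Virtualization Resources'
$subdirs = 'Virtual Machines', 'Virtual Hard Disks', 'Virtual Floppy Disks', 'ISO files'

# Project name -> Active Directory group that administers that project's VMs (assumed names)
$projects = @{
    'Project A' = 'CONTOSO\ProjectA-VMAdmins'
    'Project B' = 'CONTOSO\ProjectB-VMAdmins'
    'Project C' = 'CONTOSO\ProjectC-VMAdmins'
}

foreach ($project in $projects.Keys) {
    $projectPath = Join-Path $root $project
    foreach ($sub in $subdirs) {
        $path = Join-Path $projectPath $sub
        if (-not (Test-Path -LiteralPath $path)) {
            New-Item -Path $path -ItemType Directory | Out-Null
        }
    }
    # (OI)(CI)F = Full Control, inherited by files and subfolders below the project folder.
    # Entries inherited from the parent (the Chapter 1 defaults) are left in place, so
    # only the project's own group gains rights, and only inside its own subtree.
    icacls $projectPath /grant ("{0}:(OI)(CI)F" -f $projects[$project]) | Out-Null
}

# Expose the parent folder as a share so administrators can copy ISO and VHD files
# in and out. The share-level grant is broad on purpose: the NTFS entries above are
# what keep one project's administrators out of another project's files.
# (net share reports an error, harmlessly, if the share already exists.)
$shareSpec = "VirtRes=$root"
net share $shareSpec /grant:"CONTOSO\VM-Admins,FULL" | Out-Null

# Print the resulting entries per project folder so the grants can be reviewed.
foreach ($project in $projects.Keys) {
    Write-Host "--- $project"
    icacls (Join-Path $root $project)
}
```

The final loop is the review step: each project folder should list the inherited defaults plus exactly one explicit Full Control entry for that project's group, and nothing for the other projects' groups.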

Using Encryption to Protect Virtual Machine Resources
Windows® BitLocker™ Drive Encryption (BitLocker) is a data protection feature
included with Windows Server 2008. BitLocker is an operating system–based
software capability that works with features in server hardware and firmware to
provide secure operating system boot and disk drive encryption. This encryption
physically safeguards operating system integrity and data. BitLocker–based
physical protection is present even when the server is not powered or operating,
which means that data is protected even if a disk is stolen and mounted on
another machine for data mining purposes. BitLocker also protects data if an
attacker uses a different operating system or runs a software hacking tool to
access a disk.
Important: Use BitLocker Drive Encryption in the Hyper-V management operating system only.
Do not run BitLocker Drive Encryption within a virtual machine. BitLocker Drive Encryption is not
supported within virtual machines.

BitLocker helps prevent unauthorized access to data on lost or stolen computers
by combining two major data-protection procedures:
• Encrypting the entire Windows operating system volume and other data
volumes.
• Verifying the integrity of early boot components and boot configuration data.
In addition to protecting business-critical information and databases as well as
other incidental data that is created during business transactions, BitLocker can
protect virtual machine configurations and their VHDs. Any configurations and
VHDs that are created and stored on a BitLocker–encrypted physical disk volume
those virtual machines. This capability means that non-Windows and legacy
Microsoft operating systems benefit from the same BitLocker protection when
they run as guest operating systems of Windows Server 2008 Hyper-V.
Before you attempt to configure BitLocker and Hyper-V on the same server,
however, there are a few issues you should consider. BitLocker is designed to
work with a Trusted Platform Module (TPM), a hardware device that can store
and process cryptographic keys to provide enhanced security through pre-startup
system integrity verification. Hyper-V does not provide virtual machines with
access to the TPM, so you cannot use BitLocker with TPM to encrypt virtual
machines independently. However, you can use BitLocker with TPM from a
physical Hyper-V computer’s management operating system to encrypt an entire
physical drive connected to the Hyper-V computer, including the VHD files and
other configuration files used by virtual machines. This method provides all of the
virtual machines on the encrypted disk with the same level of protection.
However, it will not help isolate the virtual machines and their resource files from
the other virtual machines running on the same physical computer.
Note: Although using Hyper-V in a clustered environment is outside the scope of this guide, it is
worthwhile to point out that BitLocker does not work with Windows Failover Clustering. For
information on using Hyper-V and Failover Clustering, see Hyper-V Step-by-Step Guide: Hyper-V
and Failover Clustering on Microsoft TechNet.

For instructions about how to use BitLocker to encrypt Windows Server 2008
Hyper-V physical computers, see Windows Server 2008 Hyper-V and BitLocker
Drive Encryption on the Microsoft Download Center.
Important: Do not use Encrypting File System (EFS) to encrypt folders in which virtual machine
files are stored. Hyper-V does not support the use of storage media if EFS has been used to
encrypt the VHD file. To encrypt virtual machine files, use BitLocker.
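A check that belongs alongside the BitLocker recommendation above, as an added example that is not from the guide: it asks the BitLocker WMI provider, from the management operating system, whether each volume that holds VM resource files is currently protected. It assumes Windows PowerShell 2.0 or later, that the BitLocker feature is installed (which is what registers the Win32_EncryptableVolume class), and the assumed W:\Virtualization Resources root used in this chapter; the second path is Hyper-V's default configuration folder.

```powershell
# Added example (not from the Hyper-V Security Guide): from the management
# operating system, confirm that each volume holding VM resource files is
# currently protected by BitLocker. Uses the BitLocker WMI provider
# (Win32_EncryptableVolume), available once the BitLocker feature is installed.
$resourcePaths = @(
    'W:\Virtualization Resources',               # assumed VM resource root used in this chapter
    'C:\ProgramData\Microsoft\Windows\Hyper-V'   # Hyper-V's default configuration folder
)

# ProtectionStatus values returned by GetProtectionStatus(): 0 = off, 1 = on, 2 = unknown
$statusText = @{ 0 = 'UNPROTECTED'; 1 = 'Protected'; 2 = 'Unknown' }

try {
    $volumes = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftVolumeEncryption' `
                             -Class Win32_EncryptableVolume -ErrorAction Stop
} catch {
    Write-Warning 'BitLocker WMI provider not available; is the BitLocker feature installed?'
    return
}

$problems = 0
foreach ($path in $resourcePaths) {
    $drive = (Split-Path -Path $path -Qualifier).ToUpper()   # e.g. "W:"
    $vol = $volumes | Where-Object { $_.DriveLetter -eq $drive }
    if ($vol -eq $null) {
        Write-Warning "$path : $drive has no BitLocker volume record (not an encryptable volume)"
        $problems++
        continue
    }
    # A volume that is encrypted but currently has its protectors suspended reports 0,
    # so checking ProtectionStatus (not just "is encrypted") is the meaningful test.
    $status = [int]$vol.GetProtectionStatus().ProtectionStatus
    if ($status -ne 1) { $problems++ }
    '{0,-45} {1,-4} {2}' -f $path, $drive, $statusText[$status]
}

if ($problems -gt 0) {
    Write-Warning "$problems resource location(s) are not on a BitLocker-protected volume."
}
```

Because BitLocker protects whole physical volumes, this is a per-volume rather than per-VM check, which is exactly the limitation the text describes: every VM on the volume gets the same protection, and none is isolated from the others by it.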

Using Auditing to Track Access to Virtual Machine Resources
File system security can prevent unauthorized access to critical virtual machine
resources, such as VHD files. Object access auditing can help detect potentially
harmful activity by users.
Enabling object access auditing on a physical computer causes it to log every
attempt by a user to access the audited files. Successful and unsuccessful
access attempts can be audited. If the security or integrity of the data stored in a
VHD file is breached, the audit trail will reveal who has accessed the file and
when, which can be used to determine who was responsible for the breach.
The following procedures describe how to configure audit rules for a file or folder,
and how to test each audit rule for each object in the specified file or folder.
Note: You must use Auditpol.exe to configure the File System subcategory to audit Success and
Failure events. Then you can use the following procedure to log events in the Security event log.

To define an audit rule for a file or folder

1. On the physical computer, use Windows Explorer to locate and select the file
or folder.
2. On the File menu, click Properties.
3. Click the Security tab, and then click the Advanced button.
4. Click the Auditing tab.
5. If prompted for administrative credentials, click Continue, type your
username and password, and then press Enter.
6. Click the Add button to display the Select User, Computer, or Group dialog
box.
7. Click the Object Types button, and then in the Object Types dialog box,
select the object types you want to find.
Note: The User, Group, and Built-in security principal object types are selected by
default.
8. Click the Locations button, and then in the Location dialog box, select either
your domain or local computer.
9. In the Select User or Group dialog box, type the name of the group or user
you want to audit. Then, in the Enter the object names to select dialog box,
type Authenticated Users (to audit the access of all authenticated users)
and then click OK.
The Auditing Entry dialog box displays.
10. Determine the type of access you want to audit on the file or folder using the
Auditing Entry dialog box.
Note: Remember that each object access may generate multiple events in the event log and
cause it to grow rapidly.
11. In the Auditing Entry dialog box, next to List Folder/Read Data, select
Successful and Failed, and then click OK.
You can view the audit entries you enabled under the Auditing tab of the
Advanced Security Settings dialog box.
12. Click OK to close the Properties dialog box.
To test an audit rule for a file or folder
1. On the physical computer, in Windows Explorer, open the file or folder being
audited.
2. Close the file or folder.
3. Start the Event Viewer. Several Object Access events with Event ID 4663 will
appear in the Security event log.
4. Double-click the events as needed to view their details.
Microsoft recommends enabling object access auditing on VHD files for every
user or group that has access to the files through the file system. This approach
will ensure that every attempt by a user to open, copy, modify, or delete an
audited file will be recorded, which can be useful in a number of scenarios.
For example, if a malicious administrator makes an unauthorized copy of a
sensitive VHD file, the audit log can be used to trace the action back to the
person responsible. For additional security, a monitoring product like Microsoft
System Center Operations Manager can be configured to issue alerts when
access attempts are made under certain circumstances, which could help
prevent security breaches.
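The three parts of the auditing procedure above (enable the File System subcategory with Auditpol.exe, add the audit rule, then test for Event ID 4663), scripted as an added example that is not part of the guide. It assumes Windows PowerShell 2.0 or later, an elevated prompt on the physical computer, and the assumed Project A VHD folder from the layout earlier in this chapter; the positions of the user and object name fields in the 4663 event's replacement strings follow the event template and are stated as an assumption in the code.

```powershell
# Added example (not from the Hyper-V Security Guide): script the auditing
# procedure for a VHD folder. 1) enable the File System audit subcategory;
# 2) add a SACL entry so read/list access by Authenticated Users is logged on
# success and failure; 3) access the folder and read back the 4663 events.
# Run from an elevated prompt on the physical (management) computer.
$auditPath = 'W:\Virtualization Resources\Project A\Virtual Hard Disks'   # assumed folder

# 1. Object access auditing for the File System subcategory must be on system-wide,
#    otherwise SACL entries on files never produce events.
auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null

# 2. Add the audit rule (SACL entry), inherited by files and subfolders.
$rights  = [System.Security.AccessControl.FileSystemRights]::ReadData          # = List Folder/Read Data
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$flags   = [System.Security.AccessControl.AuditFlags]'Success, Failure'
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule `
            -ArgumentList 'Authenticated Users', $rights, $inherit, 'None', $flags

$acl = Get-Acl -Path $auditPath -Audit     # -Audit is required to read and write the SACL
$acl.AddAuditRule($rule)
Set-Acl -Path $auditPath -AclObject $acl

# Show the audit entries now in effect (the same information as the Auditing tab).
(Get-Acl -Path $auditPath -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags -AutoSize

# 3. Generate an access (list the folder) and then read back the 4663 events that
#    name this folder. Field positions in ReplacementStrings are assumed from the
#    4663 template: [1] = SubjectUserName, [6] = ObjectName.
Get-ChildItem -Path $auditPath | Out-Null
Get-EventLog -LogName Security -Newest 200 |
    Where-Object { $_.EventID -eq 4663 -and $_.Message -like "*$auditPath*" } |
    Select-Object TimeGenerated,
                  @{ n = 'User';   e = { $_.ReplacementStrings[1] } },
                  @{ n = 'Object'; e = { $_.ReplacementStrings[6] } } |
    Format-Table -AutoSize
```

The last query is the scripted form of the "test an audit rule" procedure: if it returns nothing after the directory listing, either the subcategory is not enabled (check `auditpol /get /subcategory:"File System"`) or the SACL entry was not written, which Get-Acl -Audit will show. The same filter, run on a schedule or fed to a monitoring product, is what turns the audit trail into the alerting the text mentions.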

Maintaining Virtual Machines

Ensuring that virtual machines are kept up to date with operating system,
application, and antivirus updates can present challenges. Virtual machines
might be left offline (stored in a non-operating state) for extended periods of time
when not needed to free up physical computing resources for other purposes.
However, if a virtual machine is offline it cannot automatically receive updates
through mechanisms such as Windows Update or Windows Software Update
Services (WSUS). If deployed and started, the out-of-date virtual machine might
be vulnerable to attack or could be capable of attacking other network resources.
The Offline Virtual Machine Servicing Tool 2.0.1, a Solution Accelerator available
for download at no cost from Microsoft, provides a way to automate the process
of updating virtual machines. To use the tool, you must have VMM 2007 or 2008
and one of the following software update management systems:
• WSUS 3.0 (including WSUS 3.0 SP1)
• System Center Configuration Manager 2007, Configuration Manager 2007
SP1, or Configuration Manager 2007 R2.
The Offline Virtual Machine Servicing Tool uses servicing jobs to manage the
update operations based on lists of existing virtual machines and virtual machine
templates stored in VMM 2008. Using Windows Workflow Foundation
technology, a servicing job runs snippets of Windows PowerShell™ scripts to
work with virtual machines. For each virtual machine, the servicing job performs
the following functions:
• “Wakes” the virtual machine (deploys it to a servicing host and starts it).
• Triggers the appropriate software update cycle (Configuration Manager or
WSUS).
• Shuts down the updated virtual machine and returns it to the library.
The servicing hosts used for updating virtual machines reside on a dedicated
private virtual network, so the VMs are protected from attacks while they are
serviced.
The Offline Virtual Machine Servicing Tool 2.0.1 is a free download from the
Microsoft Download Center.

Hyper-V Security Best Practice Checklist
Securing Hyper-V involves all the measures that are required to safeguard any
Windows Server 2008 server role, plus a few extra to help secure the VMs,
configuration files, and data. The following list of recommended best practices
serves as a checklist to help you enhance the security of your Hyper-V
environment.
These best practices summarize many of the recommendations described in this
guide. Additional information on several of these best practices is available on
the Planning for Hyper-V Security page on TechNet.

Management Operating System Configuration
Microsoft recommends paying close attention to the following best practices for
securing Hyper-V when configuring the management operating system:
• Use a Server Core installation for the management operating system.
• Keep the management operating system up to date with the latest security
updates.
• Use a separate network with a dedicated network adapter for the
management operating system of the physical Hyper-V computer.
• Secure the storage devices where you keep virtual machine resource files.
• Harden the management operating system using the baseline security setting
recommendations described in the Windows Server 2008 Security
Compliance Management Toolkit.
• Configure any real-time scanning antivirus software components installed on
the management operating system to exclude Hyper-V resources.
• Do not use the management operating system to run applications.
• Do not grant virtual machine administrators permissions on the management
operating system.
• Use the security level of your virtual machines to determine the security level
of your management operating system.
• Use BitLocker Drive Encryption to protect resources.

Virtual Machine Configuration
The following recommended best practices can help you enhance security when
configuring virtual machines on servers running the Hyper-V role:
• Configure virtual machines to use fixed-sized virtual hard disks.
• Store virtual hard disks and snapshot files in a secure location.
• Decide how much memory to assign to a virtual machine.
• Impose limits on processor usage.
• Configure the virtual network adapters of each virtual machine to connect to
the correct type of virtual network to isolate network traffic as required.
• Configure only required storage devices for a virtual machine.
• Harden the operating system running in each virtual machine according to the
server role it performs using the baseline security setting recommendations
described in the Windows Server 2008 Security Compliance Management
Toolkit.
• Configure antivirus, firewall, and intrusion detection software within virtual
machines as appropriate based on server role.
• Ensure that virtual machines have all the latest security updates before they
are turned on in a production environment.
• Ensure that your virtual machines have integration services installed.
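An added example (not from the guide) that checks the first two checklist items above by reading the footer of every VHD under the resource root. The VHD format stores a 512-byte footer at the end of the file, beginning with the cookie "conectix" and carrying a big-endian Disk Type field at offset 60 (2 = fixed, 3 = dynamic, 4 = differencing), so the disk type can be verified without mounting the disk or querying Hyper-V. It assumes Windows PowerShell 2.0 or later and the W:\Virtualization Resources root used in this chapter; it goes slightly beyond the checklist wording by also reporting .avhd snapshot files, which are differencing disks.

```powershell
# Added example (not from the Hyper-V Security Guide): audit the "fixed-sized
# virtual hard disks" and "secure location" checklist items by reading each
# VHD footer. Footer layout (VHD format): 512 bytes at end of file, cookie
# "conectix" at offset 0, big-endian Disk Type at offset 60
# (2 = fixed, 3 = dynamic, 4 = differencing).
function Get-VhdDiskType {
    param([string]$Path)
    try {
        # Share ReadWrite so an in-use disk can still be read; a VHD that Hyper-V
        # holds exclusively is reported as Unreadable rather than aborting the run.
        $fs = [System.IO.File]::Open($Path, 'Open', 'Read', 'ReadWrite')
    } catch {
        return 'Unreadable'
    }
    try {
        if ($fs.Length -lt 512) { return 'TooSmall' }
        $footer = New-Object byte[] 512
        $fs.Seek(-512, 'End') | Out-Null
        if ($fs.Read($footer, 0, 512) -ne 512) { return 'ShortRead' }
    } finally {
        $fs.Close()
    }

    $cookie = [System.Text.Encoding]::ASCII.GetString($footer, 0, 8)
    if ($cookie -ne 'conectix') { return 'NotVhd' }

    # Disk Type is stored big-endian; reverse the four bytes for the little-endian host.
    [Array]::Reverse($footer, 60, 4)
    $type = [BitConverter]::ToUInt32($footer, 60)
    switch ($type) {
        2       { 'Fixed' }
        3       { 'Dynamic' }
        4       { 'Differencing' }
        default { "Unknown($type)" }
    }
}

$resourceRoot = 'W:\Virtualization Resources'   # assumed secure location from this chapter
Get-ChildItem -Path $resourceRoot -Recurse -Include *.vhd, *.avhd -Force |
    ForEach-Object {
        $type = Get-VhdDiskType -Path $_.FullName
        New-Object PSObject -Property @{
            File      = $_.FullName
            DiskType  = $type
            # Dynamic and differencing disks (which include .avhd snapshot files)
            # deviate from the fixed-size recommendation.
            Compliant = ($type -eq 'Fixed')
        }
    } |
    Sort-Object Compliant, File |
    Format-Table Compliant, DiskType, File -AutoSize
```

Any VHD that the host uses but that is not found under the resource root is, by construction, outside the "secure location"; comparing this listing with the disks attached in Hyper-V Manager closes that gap. A differencing or dynamic result is not itself a vulnerability, but it is where the guide's fixed-size advice (predictable space use, no expansion on a full volume) is not being followed.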

More Information
The following resources on Microsoft.com provide more information about some
of the concepts and techniques described in this chapter.
• Windows Server 2008 Security Compliance Management Toolkit
• Windows Server 2003 Security Compliance Management Toolkit
• Windows Vista Security Compliance Management Toolkit
• Windows XP Security Compliance Management Toolkit
• Windows Server 2008 Hyper-V and BitLocker Drive Encryption
• Offline Virtual Machine Servicing Tool
