Version 1.0
If you are using this documentation solely for non-commercial purposes internally within YOUR company or
organization, then this documentation is licensed to you under the Creative Commons Attribution-
NonCommercial License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc/2.5/ or
send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.
This documentation is provided to you for informational purposes only, and is provided to you entirely "AS IS".
Your use of the documentation cannot be understood as substituting for customized service and information
that might be developed by Microsoft Corporation for a particular user based upon that user’s particular
environment. To the extent permitted by law, MICROSOFT MAKES NO WARRANTY OF ANY KIND, DISCLAIMS
ALL EXPRESS, IMPLIED AND STATUTORY WARRANTIES, AND ASSUMES NO LIABILITY TO YOU FOR ANY
DAMAGES OF ANY TYPE IN CONNECTION WITH THESE MATERIALS OR ANY INTELLECTUAL PROPERTY IN THEM.
Microsoft may have patents, patent applications, trademarks, or other intellectual property rights covering
subject matter within this documentation. Except as provided in a separate agreement from Microsoft, your
use of this document does not give you any license to these patents, trademarks or other intellectual property.
Information in this document, including URL and other Internet Web site references, is subject to change
without notice. Unless otherwise noted, the example companies, organizations, products, domain names,
e-mail addresses, logos, people, places and events depicted herein are fictitious.
Microsoft, Active Directory, BitLocker, Hyper-V, Windows, Windows Server, and Windows Vista are either
registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.
The names of actual companies and products mentioned herein may be the trademarks of their respective
owners.
You have no obligation to give Microsoft any suggestions, comments or other feedback ("Feedback") relating to
the documentation. However, if you do provide any Feedback to Microsoft then you provide to Microsoft,
without charge, the right to use, share and commercialize your Feedback in any way and for any purpose. You
also give to third parties, without charge, any patent rights needed for their products, technologies and
services to use or interface with any specific parts of a Microsoft software or service that includes the Feedback.
You will not give Feedback that is subject to a license that requires Microsoft to license its software or
documentation to third parties because we include your Feedback in them.
Chapter Summaries
This release of the Hyper-V Security Guide consists of this Overview and three
chapters that discuss methods and best practices that will help you secure your
Hyper-V environment. Brief descriptions follow for each chapter.
Overview
The overview states the purpose and scope of the guide, defines the guide
audience, and describes the guide's structure to help you locate the information
that is relevant to you. It also describes the user prerequisites for the guidance.
Style Conventions
This guidance uses the style conventions that are described in the following
table.
Element Meaning
More Information
The following resources provide additional information about security topics and
detailed discussion of the concepts and security prescriptions in this guide on
Microsoft.com:
Hyper-V Planning and Deployment Guide: Planning for Hyper-V Security
Solution Accelerators microsoft.com/technet/SolutionAccelerators
4 Hyper-V Security Guide
Acknowledgements
The SA-SC team would like to acknowledge and thank the team that produced
the Hyper-V Security Guide. The following people were either directly responsible
or made a substantial contribution to the writing, development, and testing of this
solution.
Development Team
Authors
Kurt Dillard KurtDillard.com
Richard Harrison Content Master Ltd
Paul Henry Wadeware LLC
Development Lead
José Maldonado
Editor
Steve Wacker Wadeware LLC
Product Manager
Shruti Kala
Program Manager
Tom Cloward
Release Managers
Karina Larson
Shealagh Whittle Aquent LLC
Test Manager
Sumit Parikh
Testers
Raxit Gajjar Infosys Technologies Ltd
Tushar Vijay Lunawat Infosys Technologies Ltd
To install the Windows Server 2008 Hyper-V role using the Server Core
option
1. You must perform a Server Core installation before you install the Hyper-V
role. For instructions, see the Server Core Installation Option of Windows
Server 2008 Step-By-Step Guide on Microsoft TechNet.
2. Install the Hyper-V update packages for Windows Server 2008 (KB950050).
To view the list of software updates and check whether any are missing,
enter the following command at a command prompt:
wmic qfe list
If you do not see “kbid=950050”, download the Hyper-V updates and then
enter the following command at a command prompt:
wusa.exe Windows6.0-KB950050-x64.msu /quiet
There are three update packages. After you install the updates, you must
restart the server. You must update the management operating system with
the Update for Windows Server 2008 x64 Edition (KB 950050) and Language
Pack for Hyper-V (KB951636).
The Update for Windows Server 2008 (KB952627) is for remote management
of the Server Core installation if you are managing the server from a
computer running Windows Vista Service Pack 1 (SP1). It must be installed
on the computer running Windows Vista SP1.
Important Before you enable the Hyper-V role, ensure that you have enabled the required
hardware-assisted virtualization and hardware-enforced Data Execution Prevention (DEP)
BIOS settings. Checks for these settings are performed before you enable the Hyper-V role
on a full installation, but not on a Server Core installation.
After you make the BIOS configuration changes to enable the required
hardware features, you might need to turn off the power to the computer and
then turn it back on (because restarting the computer might not apply the
changes to the settings). If you enable the Hyper-V role without modifying the
BIOS settings, the Windows hypervisor might not function as expected. If the
Windows hypervisor malfunctions, check the event log for details, modify the
BIOS settings according to the server hardware manufacturer instructions,
turn off and turn on the computer running a Server Core installation, and then
install Hyper-V again.
To check if your server hardware is compatible, see the Windows Server
catalog. Click the list of Certified Servers, and then click By additional
qualifications – Hyper-V. For instructions about how to enable the BIOS
settings, check with your hardware manufacturer.
After you install Hyper-V, ensure that all appropriate updates are installed. A
comprehensive list of Hyper-V updates is available in the Hyper-V Update List on
Microsoft TechNet.
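Because the prerequisite checks are not performed on a Server Core installation, the following added example (not part of the original guide) checks the required updates and hardware-enforced DEP over WMI from a management workstation. The function name and the server name `HV-CORE-01` are hypothetical, and the example assumes remote WMI access to the server is permitted.

```powershell
# Added example, not from the guide. Run in Windows PowerShell 3.0 or later.
function Test-HyperVCorePrereq {
    param([Parameter(Mandatory = $true)][string]$ComputerName)

    # Updates the guide requires on the management operating system.
    $required = 'KB950050', 'KB951636'

    # Win32_QuickFixEngineering is the class that "wmic qfe list" reads.
    $installed = Get-WmiObject -Class Win32_QuickFixEngineering -ComputerName $ComputerName |
        Select-Object -ExpandProperty HotFixID
    $missing = @($required | Where-Object { $installed -notcontains $_ })

    # Hardware-enforced DEP as reported by the operating system.
    $os  = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $ComputerName
    $dep = [bool]$os.DataExecutionPrevention_Available

    [pscustomobject]@{
        ComputerName   = $ComputerName
        MissingUpdates = $missing
        DepAvailable   = $dep
        Ready          = ($missing.Count -eq 0) -and $dep
    }
}

# 'HV-CORE-01' is a placeholder server name.
Test-HyperVCorePrereq -ComputerName 'HV-CORE-01'
```

This check does not cover hardware-assisted virtualization, which still has to be confirmed in the BIOS setup as described above.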
The Microsoft Remote Server Administration Tools are included with Windows
Server 2008; a version of the tools for Windows Vista is also available through
the Microsoft Help and Support article Description of the Windows Vista Service
Pack 1 Management Tools update for the release version of Hyper-V. These
tools include the Hyper-V Manager console, which enables authorized
administrators to manage Hyper-V servers remotely from their workstations. The
console also allows administrators to manage Hyper-V on Server Core without
using command-line tools.
The rest of this section discusses how to configure the physical computer using
the Hyper-V Manager and other GUI management tools.
Note You can perform the same tasks on the local console of Server Core using scripts for
Windows Management Instrumentation (WMI). For more information, see Virtualization WMI
Provider in the MSDN Library.
Figure 1.3. The Create Virtual Networks page of the Add Roles Wizard
If you leave a network adapter unselected on this page of the wizard, the network
adapter will be dedicated for use by the management operating system
exclusively.
After installation, you can reconfigure the physical network adapters using the
Hyper-V Manager.
To use the Hyper-V Manager to configure virtual networks
1. On the physical Hyper-V computer or from a remote management
workstation, click Start, point to Administrative Tools, and then click
Hyper-V Manager.
2. In the tree pane, select the server that you want to manage.
3. In the Actions pane, click Virtual Network Manager.
4. In the Virtual Network Manager dialog box, add, modify, or remove virtual
network switches to be used by the management operating system and the
virtual machines.
Each virtual network you define results in the creation of a virtual network switch.
You can connect the virtual network adapters inside your virtual machines to the
virtual networks you create.
There are three different types of virtual networks:
External virtual networks use virtual network switches that are bound to a
network adapter in the physical computer. Any virtual machines attached to
an external virtual network can access the same networks to which the
physical adapter is connected.
Internal virtual networks use virtual network switches that are not bound to
a network adapter in the physical computer. An internal virtual network is
isolated from networks external to the physical computer. However, virtual
machines connected to an internal virtual network can communicate with the
management operating system.
Private virtual networks use virtual network switches that are not bound to a
network adapter in the physical computer, as with internal virtual networks.
However, network traffic from virtual machines connected to a private
network is completely isolated from network traffic in the management
operating system and in the external networks.
These different virtual network configurations support some interesting scenarios.
Consider a multi-tier application that includes Web, database, and application
servers, as shown in the following figure.
Virtual hard disk (VHD) files can be dynamic or fixed-size. A dynamic VHD file is
the size required by the data stored in it and can grow as the data changes. A
fixed-size VHD file takes up the amount of space configured for the virtual disk,
including any free space. For example, a dynamic VHD and a fixed-size VHD
might both appear as 80 GB volumes when mounted inside a virtual machine,
but the dynamic VHD only takes up as much space on the physical disk as the
data stored in it requires; the fixed-size VHD always takes up about 80 GB on the
physical disk. Microsoft recommends using fixed-sized VHD files for best
performance, and to prevent virtual machines from unexpectedly running out of
storage space.
By default, new VHD files in the Public profile are stored in the
%users%\Public\Documents\Hyper-V\Virtual Hard Disks directory. You can change
the default storage location for VHDs by selecting Hyper-V Settings in the
Hyper-V Manager. If you specify a different storage location, assign permissions
as follows for the new folder:
Table 1.1. Permission Settings for VHD Storage Folder
To simplify management, you might want to store all of the VFD and ISO files in
separate folders on the same logical volume as the VHDs. For example, a typical
folder structure might be:
W:\Virtualization Resources\Virtual Machines
W:\Virtualization Resources\Virtual Hard Disks
W:\Virtualization Resources\Virtual Floppy Disks
W:\Virtualization Resources\ISO files
When installing antivirus software in the management operating system,
configure any real-time scanning components to exclude the directories where
virtual machine files are stored, as well as the program files vmms.exe and
vmwp.exe in C:\Windows\System32. If you do not create these exclusion rules,
you might encounter errors when creating and starting virtual machines.
More Information
The following resources on Microsoft.com provide more information about some
of the concepts and techniques described in this chapter.
Windows Server 2008 Security Compliance Management Toolkit
Windows Server 2008 Hyper-V overview white paper
Windows Server 2008 Virtualization with Hyper-V: FAQ
Microsoft Hyper-V Server 2008 FAQ
Hyper-V Planning and Deployment Guide
Performance and Capacity Requirements for Hyper-V
Performance Tuning Guidelines for Windows Server 2008
Planning for Hyper-V Security
Hyper-V Attack Surface Reference Workbook
Virtualization with Hyper-V: Supported Guest Operating Systems
Virtualization WMI Provider
Infrastructure Planning and Design
Name | Description
View Switch Ports | Authorizes viewing the available switch ports
View Switches | Authorizes viewing the available switches
View Virtual Switch Management Service | Authorizes viewing the Virtual Switch Management Service
View VLAN Settings | Authorizes viewing the VLAN settings
Any users who are assigned the Administrator role through Authorization
Manager (shown in the preceding figure) have full access to Hyper-V Manager
and all of the virtual machines deployed on the physical computer, and can
access all 33 of the Hyper-V operations listed in the three preceding tables.
To use Authorization Manager to assign the Administrator role to users and
groups
1. From the management console of the physical computer or from a remote
workstation, click Start, type azman.msc, and then press Enter. The
Authorization Manager console snap-in appears.
2. Right-click Authorization Manager in the tree pane and select Open
Authorization Store.
3. The Open Authorization Store dialog box appears with XML file selected as
the store type.
4. Do one of the following:
If you are on the physical computer being managed, specify
%programdata%\Microsoft\Windows\Hyper-V\InitialStore.xml in the Store
Name text box and click OK.
Note By default, only local administrators have access to this directory.
If you are on a remote workstation, specify the path to the
InitialStore.xml file on the physical computer in the Store Name text box
and click OK. For example, if Windows Server 2008 is installed on the C:
drive, you might specify
\\<server name>\C$\ProgramData\Microsoft\Windows\Hyper-V\InitialStore.xml.
5. Expand Hyper-V services under InitialStore.xml, expand Role
Assignments, and then click the Administrator role.
6. Click Action, point to Assign Users and Groups, and then click From
Windows and Active Directory.
7. In the Select Users, Computers, or Groups dialog box, select the user
accounts and groups to which you want to assign the role, and click OK.
Note These steps only work with Hyper-V physical computers that are not being managed by
System Center Virtual Machine Manager 2008 (VMM 2008). The advanced delegation capabilities
of VMM 2008 are described in the next section.
Users who are assigned the Administrator role can install the Hyper-V
management tools on a full installation of Windows Server 2008 and on Windows
Vista® Service Pack 1 (SP1) and administer Hyper-V servers remotely. (Remote
administration is the only way to use Authorization Manager to manage an
authorization store on a Server Core installation.) See Install and Configure
Hyper-V Tools for Remote Administration on Microsoft TechNet for instructions.
Note Hyper-V Remote Management Configuration Utility on the Microsoft Developer Network
(MSDN) is a tool that partially automates the process of setting up Hyper-V remote management.
VMM 2008 is a comprehensive solution that offers many tools for managing
virtual machine resources. In a security context, however, the most important
features of VMM 2008 involve its ability to delegate virtual machine
administrative permissions. VMM 2008 allows you to create groups of physical
Hyper-V computers, or hosts, and manage administrative access to them
individually. VMM 2008 also allows you to create libraries that can be used to
store virtual machines when they are not in use, and to store resources for
creating new virtual machines based on templates and standard profiles. As with
host groups, you can control which users have access to different libraries, which
allows you to deploy sensitive library resources in a secure manner. VMM 2008
also enables you to create self-service users who have limited, Web–based
administrative access to selected virtual machines.
In VMM 2008 you can create user roles to delegate permissions for individual
groups of hosts, virtual machines, and library servers. Each user role includes a
profile that determines the level of access granted by the role, and one or more
host groups and library servers that the role is allowed to manage. You can add
Active Directory® Domain Services (AD DS) user accounts and groups as
members of each user role as needed.
VMM 2008 defines three profiles that can be applied to user roles:
The Administrator profile is the highest level of access available in VMM
2008. A single Administrator role is created by default when you install VMM
2008, and you cannot assign the Administrator profile to any new user roles
that you create. Users who are assigned to the Administrator role have
complete administrative access to all the hosts, virtual machines, and library
servers in VMM 2008.
The Delegated Administrator profile grants administrative access to a defined
set of host groups and library servers. Users who belong to a Delegated
Administrator role can use the VMM Administrator Console to modify the
configuration of all virtual machines defined on any Hyper-V hosts that they
control. It is not possible to use the Delegated Administrator role to delegate
access to specific virtual machines. Delegated administrators can also be
granted access to resources stored on library servers defined in VMM 2008.
The Self-Service User profile grants administrative access to a defined set of
virtual machines through the Web-based Virtual Machine Manager Self-
Service Portal. Self-service users cannot use the VMM 2008 console to
manage virtual machine resources. You can also limit the virtual machine
management tasks that users who belong to a Self-Service User role can
perform.
These profiles make it possible to deploy Hyper-V within your organization in a
way that is both flexible and secure. By using VMM 2008 to define virtual
machine user roles and limit their access appropriately, you can give people
throughout your organization control over their own Hyper-V resources without
compromising the security of any servers managed by other groups.
Figure 2.4. The Select Scope page of the Create User Role Wizard
15. On the Summary page, review the user role settings and click Create.
can consume considerable amounts of disk space, and reverting a VM to a previous state
could lead to unwanted data loss.
Remove. Allows users to remove virtual machines, which deletes the
configuration files.
Local Administrator. Allows users to set the local administrator
password when creating a virtual machine so that they have administrator
rights and permissions on the virtual machine.
Remote connection. Allows users to remotely control a virtual machine.
Shut down
Figure 2.6. Specifying permitted actions for a user role with the Self-
Service User profile
20. On the Virtual Machine Creation Settings page, specify whether users are
allowed to create virtual machines. You can specify the templates that users
can choose from when creating their virtual machines, and set the quota for
deployed virtual machines. See Working with Virtual Machine Templates on
Microsoft TechNet for more information about templates.
21. On the Library Share page, specify whether users are allowed to store
virtual machines in a library. You can select the library server, share, and
path for the virtual machines. In addition, you can allow users to attach ISO
images to their virtual machines by selecting a Library path that contains ISO
images. See Configuring the VMM Library on Microsoft TechNet for more
information about libraries.
22. On the Summary page, review the user role settings and click Create.
Users assigned to a Self-Service User role can visit the portal using a Web
browser and perform any actions permitted by the role. They cannot access any
servers to which the role has not been granted access. This feature can be used
More Information
The following resources on Microsoft.com provide more information about some
of the concepts and techniques described in this chapter.
Authorization Manager
For remote management of Hyper-V, see:
Install and Configure Hyper-V Tools for Remote Administration
Hyper-V Remote Management Configuration Utility
For System Center Virtual Machine Manager 2008 information, see:
System Center Virtual Machine Manager 2008
VMM System Requirements
Hyper-V Update for Windows Server 2008 x64 Edition (KB 956589)
Background Intelligent Transfer Service (BITS) update (KB 956774)
Working with Virtual Machine Templates
Configuring the VMM Library
Scripting in VMM 2008 with Windows PowerShell™
For instructions about how to use BitLocker to encrypt Windows Server 2008
Hyper-V physical computers, see Windows Server 2008 Hyper-V and BitLocker
Drive Encryption on the Microsoft Download Center.
Important Do not use Encrypting File System (EFS) to encrypt folders in which virtual machine
files are stored. Hyper-V does not support the use of storage media if EFS has been used to
encrypt the VHD file. To encrypt virtual machine files, use BitLocker.
1. On the physical computer, use Windows Explorer to locate and select the file
or folder.
2. On the File menu, click Properties.
3. Click the Security tab, and then click the Advanced button.
4. Click the Auditing tab.
5. If prompted for administrative credentials, click Continue, type your
username and password, and then press Enter.
6. Click the Add button to make the Select User, Computer, or Group dialog
box display.
7. Click the Object Types button, and then in the Object Types dialog box,
select the object types you want to find.
Note The User, Group, and Built-in security principal object types are selected by
default.
8. Click the Locations button, and then in the Location dialog box, select either
your domain or local computer.
9. In the Select User or Group dialog box, type the name of the group or user
you want to audit. Then, in the Enter the object names to select dialog box,
type Authenticated Users (to audit the access of all authenticated users)
and then click OK.
The Auditing Entry dialog box displays.
10. Determine the type of access you want to audit on the file or folder using the
Auditing Entry dialog box.
Note Remember that each object access may generate multiple events in the event log and
cause it to grow rapidly.
11. In the Auditing Entry dialog box, next to List Folder/Read Data, select
Successful and Failed, and then click OK.
You can view the audit entries you enabled under the Auditing tab of the
Advanced Security Settings dialog box.
12. Click OK to close the Properties dialog box.
To test an audit rule for a file or folder
1. On the physical computer, in Windows Explorer, open the file or folder being
audited.
2. Close the file or folder.
3. Start the Event Viewer. Several Object Access events with Event ID 4663 will
appear in the Security event log.
4. Double-click the events as needed to view their details.
Microsoft recommends enabling object access auditing on VHD files for every
user or group that has access to the files through the file system. This approach
will ensure that every attempt by a user to open, copy, modify, or delete an
audited file will be recorded, which can be useful in a number of scenarios.
For example, if a malicious administrator makes an unauthorized copy of a
sensitive VHD file, the audit log can be used to trace the action back to the
person responsible. For additional security, a monitoring product like Microsoft
System Center Operations Manager can be configured to issue alerts when
access attempts are made under certain circumstances, which could help
prevent security breaches.
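The auditing and test procedures above can also be scripted. The following added example (not part of the original guide) applies the same audit entry to a VHD folder and then lists Event ID 4663 records for .vhd files. The function names are hypothetical, the folder is the example path used earlier in this guide, and treating vmms.exe and vmwp.exe as the only expected readers is an assumption to adjust for your environment.

```powershell
# Added example, not from the guide. Run elevated in Windows PowerShell 3.0 or later
# on the management operating system. Assumes the File System audit subcategory
# is already enabled, for example with:
#   auditpol /set /subcategory:"File System" /success:enable /failure:enable
$VhdFolder = 'W:\Virtualization Resources\Virtual Hard Disks'   # example path from this guide

function Add-VhdReadAuditRule {
    param([Parameter(Mandatory = $true)][string]$Path)

    # Authenticated Users by well-known SID, so the lookup does not depend on locale.
    $who     = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-11'
    $rights  = [System.Security.AccessControl.FileSystemRights]::ReadData     # List Folder/Read Data
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $prop    = [System.Security.AccessControl.PropagationFlags]::None
    $flags   = [System.Security.AccessControl.AuditFlags]'Success, Failure'   # Successful and Failed

    $rule = New-Object System.Security.AccessControl.FileSystemAuditRule($who, $rights, $inherit, $prop, $flags)

    $acl = Get-Acl -Path $Path -Audit      # -Audit loads the SACL along with the DACL
    $acl.AddAuditRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Get-VhdAccessEvent {
    param(
        [datetime]$Since = (Get-Date).AddDays(-1),
        # Assumption: only the Hyper-V programs named in this guide should read VHDs.
        [string[]]$ExpectedProcess = @('vmms.exe', 'vmwp.exe')
    )

    $filter = @{ LogName = 'Security'; Id = 4663; StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Flatten the named <Data> fields of the event into a hashtable.
        $fields = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
            $fields[$d.Name] = $d.'#text'
        }

        $image = [System.IO.Path]::GetFileName([string]$fields['ProcessName'])
        if ($fields['ObjectName'] -like '*.vhd' -and $ExpectedProcess -notcontains $image) {
            [pscustomobject]@{
                Time       = $_.TimeCreated
                Account    = '{0}\{1}' -f $fields['SubjectDomainName'], $fields['SubjectUserName']
                Process    = $fields['ProcessName']
                File       = $fields['ObjectName']
                AccessMask = $fields['AccessMask']
            }
        }
    }
}

Add-VhdReadAuditRule -Path $VhdFolder
Get-VhdAccessEvent | Sort-Object Time | Format-Table -AutoSize
```

Each row is a read of a VHD file by a process other than the Hyper-V services, which is the kind of record that lets an unauthorized copy be traced back to an account.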
More Information
The following resources on Microsoft.com provide more information about some
of the concepts and techniques described in this chapter.
Windows Server 2008 Security Compliance Management Toolkit
Windows Server 2003 Security Compliance Management Toolkit
Windows Vista Security Compliance Management Toolkit
Windows XP Security Compliance Management Toolkit
Windows Server 2008 Hyper-V and BitLocker Drive Encryption
Offline Virtual Machine Servicing Tool