Hyper-V Security
By Eric Siron and Andy Syrewicze
About this ebook
Keeping systems safe and secure is a new challenge for Hyper-V Administrators. As critical data and systems are transitioned from traditional hardware installations into hypervisor guests, it becomes essential to know how to defend your virtual operating systems from intruders and hackers.
Hyper-V Security is a rapid guide on how to defend your virtual environment from attack.
This book takes you step by step through your architecture, showing you practical security solutions to apply in every area. After the basics, you'll learn methods to secure your hosts, delegate security through the web portal, and reduce malware threats.
Table of Contents
Hyper-V Security
Credits
About the Authors
About the Reviewers
www.PacktPub.com
Support files, eBooks, discount offers, and more
Why subscribe?
Free access for Packt account holders
Instant updates on new Packt books
Preface
What this book covers
What you need for this book
Who this book is for
Conventions
Reader feedback
Customer support
Downloading the example code
Errata
Piracy
Questions
1. Introducing Hyper-V Security
The importance of Hyper-V security
Your clients expect it
Your stakeholders expect it
Your employees and volunteers expect it
Experience has taught us that security is important
Weak points aren't always obvious
The costs of repair exceed the costs of prevention
Basic security concerns
Attack motivations
Untargeted attacks
Targeted attacks
The computing device
The network
Data-processing points
Data storage
People
A starting point to security
Hyper-V terminology
Acquiring Hyper-V
Hyper-V Server
Windows Server
Client Hyper-V
Summary
2. Securing the Host
Understanding Hyper-V's architecture
Choosing a management operating system
Hyper-V Server
Windows Server – full GUI installation
Windows Server – Core installation
Windows Server – Minimal Server Interface installation
Switching between Windows Server modes
Practical guidance to choose a deployment
Disabling unnecessary components
Using the Windows Firewall
Relying on domain security
Leveraging Group Policy
Exporting SCM baselines
Importing a policy into Group Policy Management Console
Applying SCM baselines to Local Group Policy
Enabling LocalGPO in Windows and Hyper-V Server 2012 R2
Using security software
Configuring Windows Update
Manual patching
Fully automated patching
Staggered patching
Guinea pig systems
Employing remote management tools
Following general best practices
Microsoft baseline security analyzer
Hyper-V Best Practices Analyzer
Running the Hyper-V BPA from Server Manager
Running the Hyper-V BPA from PowerShell
Other practices
Summary
3. Securing Virtual Machines from the Hypervisor
Using the Hyper-V Administrators group
Using Group Policy to control Hyper-V Administrators
Powers of Hyper-V Administrators
Leveraging PowerShell Remoting
Configuring PowerShell Remoting and its basic usage
Workgroup and inter-domain PowerShell Remoting
Certificate-based PowerShell Remoting
Configuring the Host SSL certificate
Configuring the Remote System
TrustedHosts-based PowerShell Remoting
Choosing between SSL and TrustedHosts
Example – PowerShell Remoting with Invoke-Command
Using custom PowerShell Remoting endpoints
Practical custom PowerShell Remoting endpoints
Summary
4. Securing Virtual Machines
Understanding the security environment of VMs
Process isolation
Memory isolation
Hard disk isolation
Network isolation
Other hardware
Practical approaches to isolation security
Leveraging Generation 2 virtual machines
Employing anti-malware on a virtual machine
Considering intrusion prevention and detection strategies
Using Group Policy with virtual machines
Limiting exposure with resource limitations
Virtual processor limits
Memory limits
Hard drive I/O limits
Virtual network limits
Applying general best practices
Summary
5. Securing the Network
Understanding SSL encryption
Leveraging network hardware
Hardware firewalls
Using the virtual switch's isolating technologies
Multiple switch types
Virtual LAN
Using PowerShell to control VLANs on virtual adapters
Private VLAN
Using PowerShell to configure private VLANs
Network virtualization
Employing Hyper-V virtual switch ACLs
Using basic port ACLs
Using extended port ACLs
Practical ACL usage
Configuring the Windows Firewall
Using management tools remotely
Enabling Remote Desktop
Enabling other remote management tools
Remote access for non-domain-joined machines
Using Hyper-V with IPsec
Configuring virtual network adapter protections
MAC address settings
DHCP guard
Router guard
Port mirroring
Setting Hyper-V protections using PowerShell
Encrypting cluster communications
Securing Hyper-V Replica traffic
Summary
6. Securing Hyper-V Storage
Configuring NTFS security for VM storage
Securing SMB 3.0 shares for VM storage
Administrative and hidden shares
Securing iSCSI connections
Physical and logical isolation
iSCSI security options
Using Secure Boot
Using BitLocker
Understanding the role of backup
Summary
7. Hyper-V Security and System Center VMM
Enhancing Hyper-V host security through VMM
The user role group descriptions
Run as accounts
Securing the VMM installation
VMM library shares
Anything else?
Network virtualization and multi-tenancy
Providing secure self-service with the Windows Azure Pack
DOS and DDOS attacks
Summary
8. Secure Hybrid Cloud Management through App Controller
System requirements
Installing App Controller
Connecting clouds to App Controller
App Controller's role-based security model
Summary
Index
Hyper-V Security
Copyright © 2014 Packt Publishing
All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.
Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the authors, nor Packt Publishing, and its dealers and distributors will be held liable for any damages caused or alleged to be caused directly or indirectly by this book.
Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.
First published: December 2014
Production reference: 1191214
Published by Packt Publishing Ltd.
Livery Place
35 Livery Street
Birmingham B3 2PB, UK.
ISBN 978-1-78217-549-0
www.packtpub.com
Credits
Authors
Eric Siron
Andy Syrewicze
Reviewers
Daniel Clarke
Milton Goh
Eric Mann
Lai Yoong Seng
Acquisition Editor
Sam Wood
Content Development Editor
Arwa Manasawala
Technical Editors
Shiny Poojary
Sebastian Rodrigues
Copy Editors
Pranjali Chury
Alfida Paiva
Project Coordinator
Danuta Jones
Proofreaders
Simran Bhogal
Maria Gould
Ameesha Green
Indexer
Tejal Soni
Graphics
Abhinash Sahu
Production Coordinator
Aparna Bhagat
Cover Work
Aparna Bhagat
About the Authors
Eric Siron has over 15 years of professional experience in the information technology field. He has architected solutions across the spectrum, from two-user home offices to thousand-user enterprises. He began working with Microsoft Hyper-V Server in 2010, and has focused on Microsoft Virtualization technologies ever since. He is currently employed as a senior system administrator at The University of Iowa Hospitals and Clinics in Iowa City, Iowa. He is a regular contributor to the Hyper-V Portal blog hosted by Altaro Software. In addition to this book, he is the author of Microsoft Hyper-V Cluster Design, Packt Publishing, and the creator of the screencast series, Building and Managing a Virtual Environment with Hyper-V Server 2012 R2, Packt Publishing.
My work in this book is dedicated to my wife and daughter, who sacrificed so much of their time while I was writing it. Thanks to my co-author Andrew Syrewicze for juggling this in his busy schedule. Very special thanks to Ulrike Carlson for rushing to the aid of an author in distress.
Andy Syrewicze has spent more than 11 years providing technology solutions across several industry verticals, including education, healthcare, professional services, and Fortune 500 manufacturing companies. His skills include VMware, Linux, and Network Security, but his focus over the last 7 years has been on Virtualization, Cloud Services, and the Microsoft Server Stack, with a focus on Hyper-V. That said, he has become quite involved in the Microsoft IT community over the last 2 years via a number of different mediums, such as various blogs, IT boot camps, and podcasts. He has also been named an MVP by Microsoft specifically for his contributions to the Hyper-V community. He has been featured as a co-host of the TechNet Radio shows Hyper-V from a VMware Admin's Perspective and Building your Hybrid Cloud, which have been syndicated on Microsoft's channel9.msdn.com website. His other notable skills are professional blogging and public speaking, both of which he participates in on a regular basis. He has a passion for technology, and greatly enjoys sharing his knowledge with peers, customers, and the IT community at large.
I would first like to thank my wife, son, and family, for always inspiring me to be better than what I am. I would also like to thank my co-author Eric for giving me the opportunity to work on this project, and the team at Packt Publishing, for their continuous patience with my (at times) crazy schedule.
About the Reviewers
Daniel Clarke has worked in the IT field for more than 10 years, working with various Microsoft products with a specialization in Hyper-V and System Center Virtual Machine Manager. He has designed and implemented several Microsoft Virtualization platforms, two of which have been recognized with the Management & Virtualization Partner of the Year (2012 and 2013) and Server Platform Partner of the Year (2013) awards by Microsoft, New Zealand. He currently works in New Zealand as a senior infrastructure consultant. His previous roles include that of a consulting engineer, acting as a Tech Lead for a Managed Services department, and various Systems Engineer and support-based roles. His primary work these days usually involves Hyper-V and the System Center Suite, primarily Virtual Machine Manager, Operations Manager, and Orchestrator.
I would like to thank Laura for always encouraging me and supporting me through my career.
Milton Goh started out in the IT industry in 2005, where he began as a software developer, meddling with various programming languages that range from Visual Basic to Visual C#. He has always focused on the Microsoft suite of products and technologies, and is an avid fan of Microsoft technologies. Since the start of his career, he has ventured into different roles within the industry, ranging from a developer and consultant to an architect, where he helps to resolve the pain points of his clients. He is one of the leaders for the Singapore PowerShell User Group community, where he plays an important role of spreading the word about PowerShell to everyone. He possesses a strong will to evangelize PowerShell technologies to IT professionals and developers in the industry. He spends his free time meddling with various technologies in his home lab or the lab that is built on Microsoft Azure. This is the second Hyper-V book that he has reviewed for Packt Publishing; his first book was Hyper-V Replica Essentials.
I would like to thank the team at Packt Publishing for choosing me again as a technical reviewer, which forces me to relook at the technical details that various authors have written. No one is perfect in this world; everyone is bound to make mistakes in life. Therefore, it is definitely a learning opportunity to be able to refresh my knowledge that I gained over the years in the industry. I would like to thank my family and my girlfriend Cindy Askara for being there in my life, supporting me while I was being a nerd, and spending most of my time on technical stuff.
Eric Mann is a seasoned web developer with experience in languages ranging from JavaScript and Ruby to C#. He has been building websites of all shapes and sizes for the better part of a decade and continues to experiment with new technologies and techniques. Eric is a senior web engineer at 10up (http://10up.com), where he focuses on developing high-end web solutions powered by WordPress. He also blogs frequently on software techniques, security, and development practices at https://eamann.com.
Lai Yoong Seng was awarded Microsoft Most Valuable Professional (MVP) in Hyper-V in 2010. He has more than 14 years of IT experience, and recently joined Hyper-V and System Center Specialist Infront Consulting in Malaysia. He specializes in Microsoft Virtualization, and has started blogging (www.ms4u.info) and presenting for local and regional events. He is the founder of Malaysia Virtualization User Group (MVUG), which provides a one-stop center for people to learn about Hyper-V, System Center, and Azure. Previously, he was actively engaged as a Technology Early Adopter (TAP) and a tester for System Center Virtual Machine Manager 2012, System Center 2012 SP1, Windows Server 2012 R2, System Center 2012 R2, and Azure Site Recovery. He was a technical reviewer for Windows Server 2012 Hyper-V: Deploying Hyper-V Enterprise Server Virtualization Platform, Packt Publishing, Hyper-V Network Virtualization Cookbook, Packt Publishing and for the video Building and Managing a Virtual Environment with Hyper-V Server 2012 R2, Packt Publishing.
Reviewing a book takes a lot of effort and is a difficult process. It would not have been possible without help from family, colleagues, and friends. I would like to thank my parents for being understanding and patient, and helping to keep all the other stuff together while I was reviewing a book. In addition, a very special thanks to Packt Publishing for giving me the opportunity to contribute to this book.
www.PacktPub.com
Support files, eBooks, discount offers, and more
For support files and downloads related to your book, please visit www.PacktPub.com.
Did you know that Packt offers eBook versions of every book published, with PDF and ePub files available? You can upgrade to the eBook version at www.PacktPub.com and as a print book customer, you are entitled to a discount on the eBook copy. Get in touch with us at
At www.PacktPub.com, you can also read a collection of free technical articles, sign up for a range of free newsletters and receive exclusive discounts and offers on Packt books and eBooks.
https://www2.packtpub.com/books/subscription/packtlib
Do you need instant solutions to your IT questions? PacktLib is Packt's online digital book library. Here, you can search, access, and read Packt's entire library of books.
Why subscribe?
Fully searchable across every book published by Packt
Copy and paste, print, and bookmark content
On demand and accessible via a web browser
Free access for Packt account holders
If you have an account with Packt at www.PacktPub.com, you can use this to access PacktLib today and view 9 entirely free books. Simply use your login credentials for immediate access.
Instant updates on new Packt books
Get notified! Find out when new books are published by following @PacktEnterprise on Twitter or the Packt Enterprise Facebook page.
Preface
The reality of computing in today's world is that nothing is safe. Securing a network of computer systems is a never-ending quest that involves constant vigilance. The explosion of virtualization technologies has introduced a new set of complexities for administrators to master. This book's purpose is to navigate through the tools available to lock down your Hyper-V environment. It includes high-level examinations of concepts as well as practical guidance for implementation.
What this book covers
Chapter 1, Introducing Hyper-V Security, starts by discussing the important concepts of security in a Hyper-V environment.
Chapter 2, Securing the Host, deals with securing the management operating system. A Hyper-V system runs a critical hypervisor, but it also runs a server operating system that has its own security requirements.
Chapter 3, Securing Virtual Machines from the Hypervisor, focuses on Hyper-V security from the perspective of the hypervisor.
Chapter 4, Securing Virtual Machines, turns the attention from the hypervisor to its guests. This includes not only securing them as virtual machines, but as computers that run typical operating systems and applications with security needs of their own.
Chapter 5, Securing the Network, covers a variety of methods that are at your disposal to secure network communications for both hosts and guests.
Chapter 6, Securing Hyper-V Storage, details the considerations and techniques involved for the protection of your virtual machines' data.
Chapter 7, Hyper-V Security and System Center VMM, explores System Center Virtual Machine Manager