Azman permissions for VMM-managed Hyper-V hosts

When VMM starts managing a hyper-v host, it takes full control of the Azman XML file that contains the permissions for Hyper-V. In fact, VMM will create a new copy of the file in a separate directory location and point hyper-v to that file (the file name is HyperVAuthStore.xml and is located inside the installation folder of VMM).

This, however, has some implications to 3rd party software that also want to have privileges to execute WMI calls against Hyper-V (if, however, this 3rd party software runs as local system or as a local administrator then everything works fine 🙂 ). When VMM creates this new file, the only permissions listed are the ones VMM knows about and are as follows:

  1. VMM Administrators are given full access to the VM/Hyper-V, including console access to the VM

  2. VMM Delegated administrators have no access to the VM or Hyper-V

  3. End User Role members are given console access to the VM if their User Roles has this privilege defined

This means that any privileges defined in the old Azman file will be lost once VMM takes control of the host. Every 30 minutes, VMM will also run a refresher that will update this file and ensure that the only privileges to VMs are the ones that VMM knows about. However, if any 3rd party software makes any changes to role definitions or role memberships in the root scope of the file, VMM will preserve them. So if you want to integrate with a VMM managed Hyper-V host, you can make your changes as listed above after VMM takes control of the host and VMM will preserve them.

In the next release of VMM, we are making a few changes in this area. Instead of ignoring all changes from the AZMAN XML file when we add a host in VMM, we will instead import any role definitions and role memberships from the root scope of the existing XML file (initialstore.xml) and add them to HyperVAuthStore.xml’s root scope. No other scopes will be preserved.

When you remove a hyper-v host from management, in VMM 2008 we will revert the pointer from HyperVAuthStore.xml to initialstore.xml (or whatever the previous azman store was for hyper-v). This means that any changes made to HyperVAuthStore.xml while this host was under management in VMM are lost. You will need to ensure that the proper privileges are applied after the fact.

In the next release of VMM, we will solve this problem as well, making sure that any changes made to the root scope of HyperVAuthStore.xml are preserved during the removal of a host from management. The root scope changes are the only privileges that will be left behind for Hyper-V.

To find our the current Azman file that Hyper-V uses, you can query this registry key on the Hyper-V host: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization\StoreLocation



Comments (1)

  1. Anonymous says:

    Hola La semana pasada se publicó la Hyper-V Security Guide , que complementa la información ya publicada