VDI Security - Hardening Virtual Desktops

The same security measures and hardening you would apply to a physical computer should be applied to virtual machines. You should perform hardening steps for the virtual machine's server role as indicated in the “Server Role Security Configuration” section in Chapter 1, including consulting the appropriate Microsoft Solution Accelerator guidance for the specific operating system.

Firewall and Antivirus Requirements

Each operating system running on a virtual machine needs its own firewall, antivirus, and intrusion detection software as appropriate for the environment.

Group Policy Considerations

Like physical servers, virtual machines should be added to the appropriate organizational units (OUs) so that Group Policy settings apply correctly.

For more information on reducing the attack surface and hardening the security of the operating systems that run inside VMs, consult the Windows Vista Security Compliance Management Toolkit.

Using File System Security to Protect Virtual Machine Resources

You can use access control lists (ACLs) to help protect VHD files and virtual machine configuration files from unauthorized file system-level access. This approach can prevent scenarios such as an unauthorized person copying a VHD from a Hyper-V™ computer or library server to another location, or replacing an existing virtual machine file with an altered version. However, using ACLs to restrict access to files or folders is not an effective way to manage administrative access to VMs themselves.

Each virtual machine runs in the context of a virtual machine worker process (vmwp.exe), which runs under the NETWORK SERVICE account and can access the file system resources that make up the virtual machine. As a result, any user who has the necessary permissions to use Hyper-V Manager can stop and start virtual machines, mount virtual hard disks, and perform other management tasks, regardless of whether their own user account can access the files in the file system. A comprehensive Hyper-V security plan involves a combination of ACLs and tools such as Virtual Machine Manager 2008 (VMM 2008) that can be used to restrict VM management capabilities.

If several administrators manage different virtual machines on the same physical computer, consider granting their individual accounts permissions to access the folders in which the resource files are stored. This approach allows them to perform management tasks at the level of the physical computer’s file system, such as moving their virtual machines and the resource files they use to a different physical computer, or copying ISO files (CD or DVD image files that usually have the extension .iso) and virtual floppy disks to an appropriate file system location so that they can mount them within their virtual machines.

A flexible system might involve adding a layer of subdirectories to the folder structure suggested in Chapter 1, such as the following:

W:\Virtualization Resources\Project A\Virtual Machines

W:\Virtualization Resources\Project A\Virtual Hard Disks

W:\Virtualization Resources\Project A\Virtual Floppy Disks

W:\Virtualization Resources\Project A\ISO files

W:\Virtualization Resources\Project B\Virtual Machines

W:\Virtualization Resources\Project B\Virtual Hard Disks

W:\Virtualization Resources\Project B\Virtual Floppy Disks

W:\Virtualization Resources\Project B\ISO files

W:\Virtualization Resources\Project C\Virtual Machines

W:\Virtualization Resources\Project C\Virtual Hard Disks

W:\Virtualization Resources\Project C\Virtual Floppy Disks

W:\Virtualization Resources\Project C\ISO files

The ACLs for all of the folders would need to include the default permissions described in the "Securing Dedicated Storage Devices" section in Chapter 1 of this guide. In addition, if you want to allow virtual machine administrators to copy resource files to and from the physical computer, you should grant them Full Control for the subdirectories of their respective projects and create a network share that provides them with access to the parent Virtualization Resources folder.
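The following PowerShell sketch is an added example, not part of the original guide. It builds the per-project layout shown above and grants each project's administrators Full Control on their own project folder only. The CONTOSO group names are hypothetical, the script assumes the parent folder already carries the default permissions from Chapter 1 (it adds to them and does not replace them), and Get-ChildItem -Directory requires PowerShell 3.0 or later.

```powershell
# Added example: per-project folder layout with one Full Control ACE per project.
# Assumptions (not from the guide): the group names are hypothetical, and the
# parent folder already has the default permissions described in Chapter 1.
$Root = 'W:\Virtualization Resources'
$ProjectAdmins = @{
    'Project A' = 'CONTOSO\ProjectA-VMAdmins'   # hypothetical group
    'Project B' = 'CONTOSO\ProjectB-VMAdmins'   # hypothetical group
    'Project C' = 'CONTOSO\ProjectC-VMAdmins'   # hypothetical group
}
$SubFolders = 'Virtual Machines', 'Virtual Hard Disks', 'Virtual Floppy Disks', 'ISO files'

foreach ($project in $ProjectAdmins.Keys) {
    $projectPath = Join-Path $Root $project
    foreach ($sub in $SubFolders) {
        # -Force creates missing parent folders and does not fail if the folder exists.
        New-Item -ItemType Directory -Path (Join-Path $projectPath $sub) -Force | Out-Null
    }

    # Allow Full Control on the project folder, inherited by its subfolders and files.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
        $ProjectAdmins[$project], 'FullControl',
        'ContainerInherit, ObjectInherit', 'None', 'Allow')

    $acl = Get-Acl -Path $projectPath
    $acl.AddAccessRule($rule)   # adds one ACE; existing and inherited ACEs are kept
    Set-Acl -Path $projectPath -AclObject $acl
}

# Review step: list the explicit (non-inherited) ACEs on each project folder so
# that a grant to the wrong group, or an unexpected principal, stands out.
Get-ChildItem -Path $Root -Directory | ForEach-Object {
    $folder = $_.FullName
    (Get-Acl -Path $folder).Access |
        Where-Object { -not $_.IsInherited } |
        Select-Object @{ n = 'Folder'; e = { $folder } },
                      IdentityReference, FileSystemRights, AccessControlType
}
```

These ACEs govern file system access only; they do not limit what a user with Hyper-V Manager permissions can do to the virtual machines themselves.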

If you are running VMM 2008, consider using VMM libraries to store resources like ISO files. See Virtual Machine Manager Library on Microsoft TechNet for more information.

For more information, refer to the Hyper-V Security Guide.