Virtualization Security Primer: Patch up your VMs

In this podcast, Hyper-V senior dev lead Brandon Baker discusses security best practices, including making sure that all your VMs, especially those that are “frozen”, waiting in the library, or otherwise offline, are patched before you turn them on.

Splogbane: If you are reading this on a blog other than https://blogs.technet.com/tonyso , why not stop patronizing a splog and come over to the original?

To improve security you should:

  1. Reduce your attack surface by running Hyper-V on a Windows Server 2008 Server Core installation
  2. Run your apps in a VM, not in the parent partition
  3. Use a NIC dedicated to management of the root partition (host), separate from the NIC your VMs will use
  4. Observe the principle of least privilege and do not give administrators of the VMs administrative rights on the host. Use AzMan to configure roles that grant rights to perform actions on a VM (such as start/stop/configure network settings and so on) without granting rights to perform actions on the host. This “role-based access control” lets you ensure that the administrator of one VM does not interfere with the administrator of another VM, or with the host.
  5. Consider using BitLocker on the drives that hold your VMs, so that all the VHDs are encrypted if that drive goes walkabout.
  6. Ensure that stale VMs are patched before they are brought back online.

Today (until 8/1/2008) you can use the free Offline Virtual Machine Servicing Tool (Beta) to take care of this.
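As an added example (not code from the original post, nor from the Offline Virtual Machine Servicing Tool), the following PowerShell script takes the host-side view of item 6: it lists every VM registered on a Hyper-V host that is off, paused or saved, works out how long it has been in that state, and flags anything past a staleness threshold as “service on the maintenance host before starting”. It assumes the Windows Server 2008 Hyper-V WMI namespace `root\virtualization` and its `Msvm_ComputerSystem` class; the 30-day `$StaleAfterDays` threshold is an assumed value you would set from your own patch cadence.

```powershell
# Added example, not code from the original post or the Offline VM Servicing Tool.
# Lists the VMs on this Hyper-V host that are not running, how long they have been
# off/saved, and whether they should be serviced before being started.
# Assumes the Windows Server 2008 Hyper-V WMI namespace root\virtualization
# (Msvm_ComputerSystem); $StaleAfterDays is an assumed threshold.
param([int]$StaleAfterDays = 30)

# EnabledState values documented for Msvm_ComputerSystem in the v1 namespace
$stateNames = @{ 2 = 'Running'; 3 = 'Off'; 32768 = 'Paused'; 32769 = 'Saved' }
$now = Get-Date

# Caption='Virtual Machine' excludes the host's own Msvm_ComputerSystem instance
$vms = Get-WmiObject -Namespace 'root\virtualization' -Class Msvm_ComputerSystem `
           -Filter "Caption='Virtual Machine'"

foreach ($vm in $vms) {
    # Running VMs are covered by the normal WSUS / Configuration Manager cycle
    if ($vm.EnabledState -eq 2) { continue }

    $state = $stateNames[[int]$vm.EnabledState]
    if (-not $state) { $state = "State $($vm.EnabledState)" }

    # Days since the VM last changed state; an unknown time counts as stale (fail closed)
    $offlineDays = $null
    if ($vm.TimeOfLastStateChange) {
        $changed = [System.Management.ManagementDateTimeConverter]::ToDateTime($vm.TimeOfLastStateChange)
        $offlineDays = [int](($now - $changed).TotalDays)
    }
    $stale = ($null -eq $offlineDays) -or ($offlineDays -ge $StaleAfterDays)
    if ($stale) { $action = 'Service on maintenance host before starting' } else { $action = 'OK to start' }

    New-Object PSObject -Property @{
        Name        = $vm.ElementName
        State       = $state
        OfflineDays = $offlineDays
        Stale       = $stale
        Action      = $action
    }
}
```

Run it on the Hyper-V host from an elevated PowerShell session and pipe the output to `Format-Table` or `Export-Csv`; the `Stale` column is the list to hand to whatever process moves VMs onto the maintenance host and its isolated virtual network. Note that this covers only VMs registered on a host: VMs stored in the VMM library are not visible through the host's WMI provider, which is exactly the gap the Offline Virtual Machine Servicing Tool fills.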

Offline VM Servicing Overview

This Solution Accelerator depends on other Microsoft Software:

  • Microsoft System Center Virtual Machine Manager 2007
  • Microsoft System Center Configuration Manager 2007 or Microsoft Windows Server Update Services

It also requires hardware in the form of a “maintenance host”, with the following minimum specs:

  1. CPU: 2.0 GHz dual core processor, or multiple processors
  2. Memory: 4 GB
  3. Network: 1 GB Ethernet adapter
  4. Disk space: 100 GB available

Other requirements include:

  • Active Directory® directory service domain structure configured
  • DNS infrastructure configured
  • Software update management system in place
  • Virtual Machine Manager 2007 (VMM) in place
    • Administrator Console and server component installed
    • Windows® PowerShell execution policy set to remotesigned
    • VMM Library configured
    • VMM Maintenance host groups created
    • Maintenance hosts configured to use a common virtual network
  • Virtual machines configured
  • DHCP enabled
  • VMM client agent installed
  • Virtual Machine Additions installed and registering heartbeats
  • Agent for software update management system installed
  • Windows Server Update Services (WSUS): group policy for intranet update service location defined
  • WSUS: computer groups for updates defined
  • Configuration Manager 2007: virtual machines accounted for in the Configuration Manager inventory database
  • Updates configured
    • WSUS: Update metadata downloaded, updates approved
    • Configuration Manager: Updates downloaded and packaged, collections created for virtual machines, and deployment created

Recommended

  • Fibre Channel SAN, 2GB or faster, in place
  • Isolated VLAN in place