Securing Virtual Machines in the Data Center
Gartner has estimated that 60 percent of virtualized servers are less secure than the physical servers they replace. Many of the controls used on physical servers also apply to virtualized workloads, but the hypervisor, its management operating system and the shared storage and network layers beneath the VMs need additional protection.
Securing the Host Operating System
Third-party code cannot run inside the Hyper-V hypervisor itself, but the host operating system (the parent partition) manages every VM and must be hardened against malicious code and monitored so that no single VM can starve the others of resources. Hyper-V provides basic per-VM controls for this: a fixed memory allocation and processor reserve, limit and relative-weight settings.
To keep the attack surface small, run the host as Windows Server 2008 R2 Server Core with only the Hyper-V role installed, or use the standalone Hyper-V Server 2008 R2 product, which has no GUI and no other server roles.
To keep host management traffic separate from VM traffic, the host needs at least two physical network adapters: one dedicated to the parent partition and one or more for VMs. Hyper-V’s Virtual Network Manager creates the virtual switches that VMs connect to; when you bind an external virtual network to a physical adapter, clear the option that lets the management operating system share that adapter. The type of virtual network determines what a VM can reach:
- External virtual networks are bound to a physical network adapter on the host. VMs connected to an external network can communicate with any network that adapter can reach, and are reachable from it.
- Internal virtual networks have no physical adapter; VMs can communicate only with each other and with the host OS.
- Private virtual networks are connected neither to a physical adapter nor to the host OS, so VMs can communicate only with other VMs on the same physical host. Traffic on internal and private networks never reaches a physical sensor, so if you isolate virtual from physical networks, consider placing a Network Intrusion Detection System (NIDS) inside the virtual segments, for example as a VM attached to the same virtual network.
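The following script is an added example, not code from the original article, that audits the switch layout described above: it lists every virtual switch, its type and the VMs attached to it, and flags external switches that the parent partition shares or that are bound to a host management adapter. It assumes the Hyper-V PowerShell module that ships with Windows Server 2012 and later (Windows Server 2008 R2 has no built-in module, so the same checks are made there in Virtual Network Manager or through WMI); the management adapter name is an assumption.

```powershell
# Added example (not from the original article): audit Hyper-V virtual switches for
# host/VM traffic separation. Requires the Hyper-V PowerShell module (Windows Server
# 2012 or later).
Import-Module Hyper-V

function Test-VMSwitchIsolation {
    [CmdletBinding()]
    param(
        # Physical adapters reserved for the parent partition. Any external switch
        # bound to one of these is flagged. The name is an assumption for this example.
        [string[]]$ManagementAdapters = @('Ethernet-Mgmt')
    )

    $vmAdapters = Get-VM | Get-VMNetworkAdapter

    foreach ($vmSwitch in Get-VMSwitch) {
        $findings = @()

        switch ($vmSwitch.SwitchType) {
            'External' {
                # AllowManagementOS = $true means the host also has a virtual NIC on
                # this switch, i.e. host and VM traffic share the physical adapter.
                if ($vmSwitch.AllowManagementOS) {
                    $findings += 'host OS shares the external adapter with VMs'
                }
                $nic = Get-NetAdapter | Where-Object {
                    $_.InterfaceDescription -eq $vmSwitch.NetAdapterInterfaceDescription
                }
                if ($nic -and ($ManagementAdapters -contains $nic.Name)) {
                    $findings += "bound to management adapter '$($nic.Name)'"
                }
            }
            'Internal' {
                # Not a fault by itself, but VMs here can talk to the parent partition.
                $findings += 'VMs can reach the host OS over this switch'
            }
            'Private' {
                # VM-to-VM only; nothing to flag.
            }
        }

        $attached = $vmAdapters |
            Where-Object { $_.SwitchName -eq $vmSwitch.Name } |
            Select-Object -ExpandProperty VMName -Unique

        [pscustomobject]@{
            Switch   = $vmSwitch.Name
            Type     = $vmSwitch.SwitchType
            VMs      = ($attached -join ', ')
            Findings = if ($findings.Count -gt 0) { $findings -join '; ' } else { 'ok' }
        }
    }
}

Test-VMSwitchIsolation | Format-Table -AutoSize
```

Run it from an elevated PowerShell session on the host. An external switch reported with "host OS shares the external adapter" is the case the paragraph above warns against: the parent partition's management traffic is riding the same physical NIC as guest traffic.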
To harden the host OS beyond its default settings, apply the Specialized Security Limited Functionality (SSLF) baseline, which Microsoft provides as an .inf file with the free Security Compliance Manager download. The settings can be imported into local policy or into a Group Policy Object for distribution to multiple hosts.
After loading the SSLF baseline into local policy or a Group Policy Object, import the additional .inf file that grants the Virtual Machines group the Create symbolic links right. SSLF restricts that right to Administrators, and Hyper-V relies on symbolic links to reference VM configuration files, so without it VM operations fail. Full instructions on importing security settings into Group Policy Objects are included with the Security Compliance Manager download. Test policy settings in a lab before applying them in production.
Patch the host OS just as you would any other server. Separate VM administration from host OS administration so that only a small group of administrators can log on to the Hyper-V host; day-to-day VM management can be delegated through Hyper-V’s Authorization Manager policy instead of local Administrators membership. Once the host is configured, run the Hyper-V Best Practices Analyzer from Microsoft, which has been updated to support Windows Server 2008 R2, to confirm the server is set up correctly.
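As an added example of the two host-hardening steps above (it is not the .inf file shipped with the Security Compliance Manager), the script below grants the Virtual Machines group the Create symbolic links right with secedit, keeps Administrators on the right at the same time, verifies the result, and then runs the Hyper-V Best Practices Analyzer and lists everything that is not compliant. The working directory is an assumption; S-1-5-32-544 and S-1-5-83-0 are the well-known SIDs of BUILTIN\Administrators and NT VIRTUAL MACHINE\Virtual Machines.

```powershell
# Added example (not from the article or the Security Compliance Manager download).
# Run from an elevated prompt on the Hyper-V host after the SSLF baseline is applied.
$workDir = 'C:\HyperV-Hardening'   # assumed working directory
New-Item -ItemType Directory -Path $workDir -Force | Out-Null

# A [Privilege Rights] entry in a secedit .inf REPLACES the whole assignment list for
# that privilege, so Administrators must be listed alongside the Virtual Machines group.
$infPath = Join-Path $workDir 'VirtualMachines-SymLink.inf'
@'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
SeCreateSymbolicLinkPrivilege = *S-1-5-32-544,*S-1-5-83-0
'@ | Set-Content -Path $infPath -Encoding Unicode

# Snapshot the current user-rights assignments so the change can be reversed.
secedit /export /cfg (Join-Path $workDir 'UserRights-before.inf') /areas USER_RIGHTS | Out-Null

# Apply only the USER_RIGHTS area so nothing else in local policy is touched.
secedit /configure /db (Join-Path $workDir 'hyperv.sdb') /cfg $infPath /areas USER_RIGHTS /log (Join-Path $workDir 'secedit.log')

# Verify the effective assignment now includes both SIDs.
secedit /export /cfg (Join-Path $workDir 'UserRights-after.inf') /areas USER_RIGHTS | Out-Null
Get-Content -Path (Join-Path $workDir 'UserRights-after.inf') |
    Select-String -Pattern 'SeCreateSymbolicLinkPrivilege'

# Run the Hyper-V Best Practices Analyzer and show every non-informational result.
Import-Module BestPractices
Invoke-BpaModel -ModelId 'Microsoft/Windows/Hyper-V' | Out-Null
Get-BpaResult -ModelId 'Microsoft/Windows/Hyper-V' |
    Where-Object { $_.Severity -ne 'Information' } |
    Select-Object Severity, Category, Title, Problem, Resolution |
    Format-List
```

If the SSLF baseline is delivered through a domain Group Policy Object, a local secedit change is overwritten at the next policy refresh; in that case add the Virtual Machines group to the Create symbolic links right in the same GPO (Computer Configuration, Windows Settings, Security Settings, Local Policies, User Rights Assignment) instead.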
Protecting Virtual Machine Resources
Keep VM resources on their own logical volumes, separate from the host’s system volume. BitLocker is not supported inside the VMs themselves (there is no virtual TPM), so enable it on the host OS to protect the system volume and the volumes that hold VM resources; this also keeps VHDs unreadable if a disk is removed from the server. By default, all VM configuration data and associated snapshots are stored under %programdata%\Microsoft\Windows\Hyper-V\. The local SYSTEM account and the Administrators group have Full Control over this folder, and the Virtual Machines group has a more limited subset of permissions.
The default Virtual Hard Disk (VHD) folder, C:\Users\Public\Documents\Hyper-V\Virtual Hard Disks, holds the disk images for each VM. Rather than accepting the default paths offered by the New Virtual Machine Wizard, create your own directory structure for VM resources, including configuration data, and grant different groups of administrators only the access they need, while preserving the default permissions that Hyper-V itself requires on these folders. Windows auditing can also be configured to record access to VM resources.
Exclude VM resources from on-access antivirus scanning on the host operating system: the default and any custom VM configuration directories, the default and any custom VHD directories, snapshot directories, and the vmms.exe and vmwp.exe processes. Scanning these can lock or corrupt VM files. Host-side exclusions do not protect the guests, so run antivirus inside each VM as you would on a physical server, and never exclude an entire volume.
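The script below is an added example, not code from the article, of the custom directory structure, delegated permissions and auditing described in the two paragraphs above. It creates a VM storage root with subfolders for configuration, disks and snapshots, replaces inherited permissions with explicit entries (SYSTEM and Administrators Full Control, a delegated VM-admin group Modify), adds a SACL that records writes, deletions and permission changes, and turns on object-access auditing so the SACL actually produces events. The volume letter and the CONTOSO\HyperV-Admins group are assumptions. It uses only .NET ACL classes and built-in tools, so it works on Windows Server 2008 R2.

```powershell
# Added example (not from the original article). Run elevated on the Hyper-V host.
$root     = 'V:\VMs'                  # assumed dedicated volume for VM resources
$vmAdmins = 'CONTOSO\HyperV-Admins'   # assumed delegated VM-administrator group

function New-VMStorageRoot {
    param([string]$Path, [string]$AdminGroup)

    New-Item -ItemType Directory -Path $Path -Force | Out-Null
    foreach ($sub in 'Config', 'Disks', 'Snapshots') {
        New-Item -ItemType Directory -Path (Join-Path $Path $sub) -Force | Out-Null
    }

    # -Audit is needed so the SACL section is part of the descriptor we write back.
    $acl = Get-Acl -Path $Path -Audit

    # Stop inheriting ACEs from the volume root (e.g. Users: Read) and drop them.
    $acl.SetAccessRuleProtection($true, $false)

    $inherit = 'ContainerInherit, ObjectInherit'
    $rules = @(
        # vmms.exe runs as SYSTEM and writes VM configuration here.
        (New-Object System.Security.AccessControl.FileSystemAccessRule(
            'NT AUTHORITY\SYSTEM', 'FullControl', $inherit, 'None', 'Allow')),
        (New-Object System.Security.AccessControl.FileSystemAccessRule(
            'BUILTIN\Administrators', 'FullControl', $inherit, 'None', 'Allow')),
        # Delegated VM admins get Modify, not Full Control, so they cannot rewrite the ACL.
        (New-Object System.Security.AccessControl.FileSystemAccessRule(
            $AdminGroup, 'Modify', $inherit, 'None', 'Allow'))
    )
    foreach ($rule in $rules) { $acl.AddAccessRule($rule) }

    # SACL: record successful and failed writes, deletions and ACL/owner changes by anyone.
    $audit = New-Object System.Security.AccessControl.FileSystemAuditRule(
        'Everyone',
        'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership',
        $inherit, 'None', 'Success, Failure')
    $acl.AddAuditRule($audit)

    Set-Acl -Path $Path -AclObject $acl
}

New-VMStorageRoot -Path $root -AdminGroup $vmAdmins

# The SACL never fires unless object-access auditing for the file system is enabled.
auditpol /set /subcategory:"File System" /success:enable /failure:enable

# Show what was applied.
(Get-Acl -Path $root -Audit).Access |
    Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize
(Get-Acl -Path $root -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags -AutoSize
```

When a VM is created under this tree or a VHD in it is attached, Hyper-V adds an access control entry for that individual VM’s own SID to the files it needs, so the script does not grant the Virtual Machines group access to the whole tree. Matching events appear in the Security log as event ID 4663 (object access) and can be forwarded to a collector for review.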
Updating VMs Offline
If you manage more than a handful of VMs, use System Center Virtual Machine Manager (SCVMM). The Offline Virtual Machine Servicing Tool, a free Microsoft Solution Accelerator that requires SCVMM, patches powered-off VMs stored in the SCVMM library: its PowerShell-driven workflow deploys each VM to a maintenance host on an isolated network, starts it, updates it through Windows Server Update Services (WSUS) or System Center Configuration Manager (SCCM), shuts it down and returns it to the library, so a VM is never exposed to the production network while it is missing patches. Virtual Machine Manager itself manages both Hyper-V and VMware virtual machines, provisions new VMs quickly, converts physical servers to VMs and provides centralized management.
The Future of VM Security
Microsoft Research is working on a project called Bunker-V, intended to remove the legacy emulated devices normally required to boot a VM and thereby reduce the attack surface. VMware’s VMsafe Application Programming Interface in vSphere 4 lets third parties build security products that monitor and protect the hypervisor layer and inspect network traffic passing through virtual switches.