WMS07 - Hyper-V Security and Best Practices
Dan Stolts
Microsoft
http://blogs.technet.com/danstolts
Microsoft Assessment and Planning Toolkit 3.1 Beta
http://www.microsoft.com/MAP
https://connect.microsoft.com/InvitationUse.aspx?ProgramID=2307&InvitationID=MP31-GT76-X98X&SiteID=297
Announcing…
MAP: User Interface & Reports
Server Migration & Virtualization Candidates
Windows Vista
Windows Server 2008
Virtualization
New User Interface
• Speed up Planning with Actionable Proposals and Assessments
• Collect Inventory of Servers, Desktops and Applications Agentlessly
• Offers Recommendations for Server/Application Virtualization
• Works with the Virtualization ROI Tool to generate ROI calculations
Agenda
• Virtualization Requirements
• Hyper-V Security
• Microsoft Secure Development Lifecycle
• Server Core
• Enabling Hyper-V with Server Core
• Designing a Windows Server 2008 Hyper-V & System Center Infrastructure
• Hyper-V Storage & Pass Through Disks
• Deployment Considerations
• Best Practices & Tips and Tricks
Virtualization Requirements
• Scheduler
• Memory Management
• VM State Machine
• Virtualized Devices
• Storage Stack
• Network Stack
• Ring Compression (optional)
• Drivers
• Management API
Old: Virtual Server Architecture
[Diagram labels: Host (Windows Server 2003/Windows XP; Virtual Server Service; IIS; Virtual Server WebApp; Kernel; VMM Kernel; Device Drivers); Guests (Guest Applications; Windows (NT4, 2000, 2003); VM Additions); Ring 3: User Mode; Ring 1: Guest Kernel Mode; Ring 0: Kernel Mode; Server Hardware. Legend, "Provided by": Windows, ISV, Virtual Server.]
New: Hyper-V Architecture
[Diagram labels: Parent Partition (Server Core; Windows Kernel; Device Drivers; Virtualization Service Providers (VSPs); Virtualization Stack: VM Worker Processes, VM Service, WMI Provider); Child Partition (Guest Applications; OS Kernel; Enlightenments; Virtualization Service Clients (VSCs)); VMBus; Ring 3: User Mode; Ring 0: Kernel Mode; Windows hypervisor; Server Hardware. Legend, "Provided by": Rest of Windows, ISV, Hyper-V.]
Virtualization Attacks
[Diagram labels: the Hyper-V architecture labels again (Parent Partition with Server Core, Windows Kernel, Device Drivers, VSPs and the Virtualization Stack; Child Partition with Guest Applications, OS Kernel, Enlightenments and VSCs; VMBus; Windows hypervisor; Server Hardware), plus the label "Hackers".]
Why not get rid of the parent?
• No defense in depth
• Entire hypervisor running in the most privileged mode of the system
• Scheduler
• Memory Management
• Storage Stack
• Network Stack
• VM State Machine
• Virtualized Devices
• Drivers
• Management API
[Diagram labels: Hardware; Ring -1; three Virtual Machines, each with User Mode and Kernel Mode; Ring 0; Ring 3.]
Micro-kernelized Hypervisor
• Defense in depth
• Using hardware to protect
• Hyper-V doesn’t use ring compression translation
  ● Further reduces the attack surface
[Diagram labels: Scheduler, Memory Management; VM State Machine, Virtualized Devices, Management API; Storage Stack, Network Stack; Drivers; Parent Partition; two Virtual Machines; User Mode, Kernel Mode; Ring 3; Ring 0; Ring -1; Hardware.]
Hyper-V Security
Security Assumptions
• Guests are untrusted
• Trust relationships
  ● Parent must be trusted by hypervisor
  ● Parent must be trusted by children
• Code in guests can run in all available processor modes, rings, and segments
• Hypercall interface will be well documented and widely available to attackers
• All hypercalls can be attempted by guests
• Can detect you are running on a hypervisor
  ● We’ll even give you the version
• The internal design of the hypervisor will be well understood
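How a guest sees the "detect the hypervisor, and its version" assumption, as an added example that is not part of the deck: the hypervisor-present bit in CPUID leaf 0x1 and leaves 0x40000000 to 0x40000002, laid out as in Microsoft's published Hypervisor Top-Level Functional Specification, carry the vendor, interface signature and version. The register values are constructed, and `identify` and its field names are illustrative.

```python
import struct
from typing import Dict, Optional, Tuple

Regs = Tuple[int, int, int, int]     # (EAX, EBX, ECX, EDX) returned for one CPUID leaf
HYPERVISOR_PRESENT = 1 << 31         # leaf 0x1, ECX bit 31


def _text(*regs: int) -> str:
    """Registers carry little-endian packed ASCII."""
    raw = struct.pack("<%dI" % len(regs), *regs)
    return raw.decode("ascii", "replace").rstrip("\x00")


def identify(leaves: Dict[int, Regs]) -> Optional[dict]:
    """Return what the guest can learn, or None when no hypervisor is advertised."""
    ecx1 = leaves.get(0x1, (0, 0, 0, 0))[2]
    if not (ecx1 & HYPERVISOR_PRESENT) or 0x40000000 not in leaves:
        return None
    max_leaf, ebx, ecx, edx = leaves[0x40000000]
    info = {"vendor": _text(ebx, ecx, edx), "max_leaf": max_leaf}
    if max_leaf >= 0x40000001 and 0x40000001 in leaves:
        info["interface"] = _text(leaves[0x40000001][0])
    # The version leaf is only meaningful behind the Microsoft interface signature.
    if (info.get("interface") == "Hv#1" and max_leaf >= 0x40000002
            and 0x40000002 in leaves):
        build, ver, service_pack, service = leaves[0x40000002]
        info["version"] = f"{ver >> 16}.{ver & 0xFFFF}.{build}"
        info["service_pack"] = service_pack
        info["service_branch"] = service >> 24
        info["service_number"] = service & 0xFFFFFF
    return info


# Constructed register values, not captured from a real system.
GUEST = {
    0x1:        (0x000106A5, 0x00000000, 0x80000201, 0x00000000),
    0x40000000: (0x40000005, 0x7263694D, 0x666F736F, 0x76482074),  # "Microsoft Hv"
    0x40000001: (0x31237648, 0x00000000, 0x00000000, 0x00000000),  # "Hv#1"
    0x40000002: (6001, 0x00060000, 1, 18016),
}
BARE_METAL = {0x1: (0x000106A5, 0x00000000, 0x00000201, 0x00000000)}

if __name__ == "__main__":
    print("guest:     ", identify(GUEST))
    print("bare metal:", identify(BARE_METAL))
```

Because any guest code can read these leaves, hiding the platform is not a control; the isolation properties on the following slides are what the design relies on.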
Security Goals
• Strong isolation between partitions
• Protect confidentiality and integrity of guest data
• Separation
  ● Unique hypervisor resource pools per guest
  ● Separate worker processes per guest
  ● Guest-to-parent communications over unique channels
• Non-interference
  ● Guests cannot affect the contents of other guests, parent, hypervisor
  ● Guest computations protected from other guests
  ● Guest-to-guest communications not allowed through VM interfaces
Isolation
• We’re serious folks
  ● No sharing of virtualized devices
  ● Separate VMBus per VM to the parent
  ● No sharing of memory
    • Each has its own address space
  ● VMs cannot communicate with each other, except through traditional networking
  ● Guests can’t perform DMA attacks because they’re never mapped to physical devices
  ● Guests cannot write to the hypervisor
  ● Parent partition cannot write to the hypervisor
Microsoft Secure Development Lifecycle
Hyper-V & SDL
• Hypervisor built with
  ● Stack guard cookies (/GS)
  ● Address Space Layout Randomization (ASLR)
  ● Hardware Data Execution Prevention
    • No Execute (NX) AMD
    • Execute Disable (XD) Intel
  ● Code pages marked read only
  ● Memory guard pages
  ● Hypervisor binary is signed
• Hypervisor and Parent going through SDL
  ● Threat modeling
  ● Static Analysis
  ● Fuzz testing & Penetration testing
Hyper-V Security Model
• Uses Authorization Manager (AzMan)
  ● Fine grained authorization and access control
  ● Department and role based
  ● Segregate who can manage groups of VMs
• Define specific functions for individuals or roles
  ● Start, stop, create, add hardware, change drive image
• VM administrators don’t have to be Server 2008 administrators
• Guest resources are controlled by per VM configuration files
• Shared resources are protected
  ● Read-only (CD ISO file)
  ● Copy on write (differencing disks)
Server Core
Windows Server Core
• Windows Server frequently deployed for a single role
  ● Must deploy and service the entire OS in earlier Windows Server releases
• Server Core a new minimal installation option
  ● Provides essential server functionality
  ● Command Line Interface only, no GUI Shell
• Benefits
  ● Fundamentally improves availability
  ● Less code results in fewer patches and reduced servicing burden
  ● Low surface area server for targeted roles
  ● More secure and reliable with less management
Enabling Hyper-V with Server Core
Step-by-step instructions…
Installing Hyper-V Role on Core
Install Windows Server 2008 and select a Server Core installation option
Set Admin Password
● net user administrator <new_password>
● shutdown /r /t 0
Rename Computer
● netdom renamecomputer %computername% /newname:<new_computername>
● shutdown /r /t 0
Join Domain
● netdom join %computername% /domain:<domain> /userd:<username> /passwordd:*
● enter password when prompted
● shutdown /r /t 0
Add domain account to local admin group
● net localgroup administrators /add <domain_account>
● logoff
Add Hyper-V Role
● ocsetup Microsoft-Hyper-V
● Restart when prompted
Connect remotely via MMC
Enabling Remote Desktop
• OPTIONAL
  ● cscript \windows\system32\scregedit.wsf /ar 0
  ● cscript \windows\system32\scregedit.wsf /cs 0
Hyper-V Networking
• Don’t forget the parent is a VM
• Two physical network adapters at minimum
  ● One for management
  ● One (or more) for VM networking
  ● Dedicated NIC(s) for iSCSI
  ● Connect parent to back-end management network
    • Only expose guests to internet traffic
Hyper-V Network Configurations
• Example 1:
  ● Physical Server has 4 network adapters
  ● NIC 1: Assigned to parent partition for management
  ● NICs 2/3/4: Assigned to virtual switches for virtual machine networking
  ● Storage is non-iSCSI such as:
    • Direct attach
    • SAS or Fibre Channel
Hyper-V Setup & Networking 1
Hyper-V Setup & Networking 2
Hyper-V Setup & Networking 3
Each VM on its own Switch…
[Diagram labels: Windows Server 2008; Parent Partition; Child Partitions (VM 1, VM 2, VM 3); User Mode; Kernel Mode; Applications (three); VM Service; WMI Provider; VM Worker Processes; Windows Kernel with VSC (two); Linux Kernel with VSC; VSP (three); VMBus; Mgmt NIC 1; VSwitch 1, NIC 2; VSwitch 2, NIC 3; VSwitch 3, NIC 4; Windows hypervisor (Ring -1); “Designed for Windows” Server Hardware.]
Hyper-V Network Configurations
• Example 2:
  ● Server has 4 physical network adapters
  ● NIC 1: Assigned to parent partition for management
  ● NIC 2: Assigned to parent partition for iSCSI
  ● NICs 3/4: Assigned to virtual switches for virtual machine networking
Hyper-V Setup, Networking & iSCSI
Now with iSCSI…
[Diagram labels: Windows Server 2008; Parent Partition; Child Partitions (VM 1, VM 2, VM 3); User Mode; Kernel Mode; Applications (three); VM Service; WMI Provider; VM Worker Processes; Windows Kernel with VSC (two); Linux Kernel with VSC; VSP (two); VMBus; Mgmt NIC 1; iSCSI NIC 2; VSwitch 1, NIC 3; VSwitch 2, NIC 4; Windows hypervisor (Ring -1); “Designed for Windows” Server Hardware.]
Networking: Parent Partition
Networking: Virtual Switches
Legacy vs. Synthetic NIC
• Legacy Network Adapter
  ● Up to 4 per virtual machine
  ● Pros: Needed for PXE/RIS/WDS installation
  ● Cons: Slow
• Synthetic Network Adapter
  ● Up to 8 per virtual machine!
  ● Pros: Blazing fast
• Both:
  ● Support VLANs
  ● Dynamic or Static MAC addresses
VM with Legacy & Synthetic NIC
Hyper-V Storage & Pass Through…
Step by Step Instructions
Hyper-V Storage...
• Performance wise from fastest to slowest…
  ● Fixed Disk VHDs/Pass Through Disks
    • About the same in terms of performance
  ● Dynamically Expanding VHDs
    • Grow as needed
• Pass Through Disks
  ● Pro: VM writes directly to a disk/LUN without encapsulation in a VHD
  ● Cons:
    • You can’t use VM snapshots
    • Dedicating a disk to a VM
VM Setting No Pass Through
Computer Management: Disk
Taking a disk offline
Disk is offline…
Pass Through Configured
Best Practices & Tips and Tricks
Deployment Considerations
• Minimize risk to the Parent Partition
  ● Use Server Core
  ● Don’t run arbitrary apps, no web surfing
    • Run your apps and services in guests
• Moving VMs from Virtual Server to Hyper-V
  ● FIRST: Uninstall the VM Additions
• Two physical network adapters at minimum
  ● One for management (use a VLAN too)
  ● One (or more) for VM networking
  ● Dedicated NIC(s) for iSCSI
  ● Connect parent to back-end management network
    • Only expose guests to internet traffic
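The adapter-separation rules from the Hyper-V Networking and Deployment Considerations slides, written as a check over a host inventory. This is an added example, not part of the deck: the `Nic` fields, the `audit` function and the inventories are constructed, with the first two inventories mirroring Example 1 and Example 2.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Nic:
    """One physical adapter in a host inventory (field names are illustrative)."""
    name: str
    role: str                         # "management", "iscsi" or "vm"
    vswitch: Optional[str] = None     # virtual switch this adapter backs, if any
    parent_on_vswitch: bool = False   # parent also has a virtual NIC on that switch
    internet_facing: bool = False     # adapter sits on an internet-reachable network
    vlan: Optional[int] = None


Finding = Tuple[str, str, str]        # (severity, adapter, message)


def audit(nics: List[Nic]) -> List[Finding]:
    """Check an inventory against the deck's rules; FAIL breaks a rule, WARN is advice."""
    out: List[Finding] = []
    role = {r: [n for n in nics if n.role == r] for r in ("management", "iscsi", "vm")}
    if len(nics) < 2:
        out.append(("FAIL", "host", "fewer than two physical network adapters"))
    if not role["management"]:
        out.append(("FAIL", "host", "no adapter reserved for parent management"))
    if not role["vm"]:
        out.append(("FAIL", "host", "no adapter reserved for VM networking"))
    for n in role["management"] + role["iscsi"]:
        if n.vswitch is not None:      # parent-only adapters must stay dedicated
            out.append(("FAIL", n.name, f"{n.role} adapter also backs {n.vswitch}"))
        if n.internet_facing:          # only guests may face the internet
            out.append(("FAIL", n.name, f"parent {n.role} adapter is internet-facing"))
    for n in role["management"]:
        if n.vlan is None:             # "use a VLAN too"
            out.append(("WARN", n.name, "management adapter has no VLAN assigned"))
    for n in role["vm"]:
        if n.vswitch is None:
            out.append(("WARN", n.name, "VM adapter is not bound to a virtual switch"))
        elif n.parent_on_vswitch and n.internet_facing:
            out.append(("FAIL", n.name, f"parent shares internet-facing {n.vswitch}"))
    return out


def failures(nics: List[Nic]) -> List[Finding]:
    return [f for f in audit(nics) if f[0] == "FAIL"]


# Constructed inventories. Which virtual switch faces the internet is an
# assumption made for the example; the slides do not say.
EXAMPLE_1 = [Nic("NIC 1", "management"),
             Nic("NIC 2", "vm", "VSwitch 1", internet_facing=True),
             Nic("NIC 3", "vm", "VSwitch 2"),
             Nic("NIC 4", "vm", "VSwitch 3")]
EXAMPLE_2 = [Nic("NIC 1", "management"),
             Nic("NIC 2", "iscsi"),
             Nic("NIC 3", "vm", "VSwitch 1", internet_facing=True),
             Nic("NIC 4", "vm", "VSwitch 2")]
SINGLE_NIC = [Nic("NIC 1", "vm", "VSwitch 1", parent_on_vswitch=True,
                  internet_facing=True)]

if __name__ == "__main__":
    for label, inv in (("Example 1", EXAMPLE_1), ("Example 2", EXAMPLE_2),
                       ("Single shared NIC", SINGLE_NIC)):
        print(label)
        for sev, where, msg in audit(inv) or [("OK", "host", "no findings")]:
            print(f"  {sev:4} {where}: {msg}")
```

Both slide layouts come back with no failures and only the VLAN advisory for NIC 1, while the single shared adapter fails three rules.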
Windows Server 2003 (today)
Cluster Creation
Cluster Hyper-V Servers
Don't forget the ICs!
Emulated vs. VSC
Anti-Virus & BitLocker…
• Parent partition
  ● Run AV software and exclude .vhd
• Child partitions
  ● Run AV software within each VM
• BitLocker
  ● Great for branch office
  ● Protects data while a system is offline
BitLocker – Persistent Protection
Protects Data While a System is Offline
• Entire Windows Volume is Encrypted (Hibernation and Page Files)
• Delivers Umbrella Protection to Applications (On Encrypted Volume)
Ensures Boot Process Integrity
• Protects Against Root Kits – Boot Sector Viruses
• Automatically Locks System when Tampering Occurs
Simplifies Equipment Recycling
• One Step Data Wipe – Deleting Access Keys Renders Disk Drive Useless
Mitigating Against External Threats…
• Very Real Threat of Data Theft When a System is Stolen, Lost, or Otherwise Compromised (Hacker Tools Exist!)
• Decommissioned Systems are not Guaranteed Clean
• Increasing Regulatory Compliance on Storage Devices Drives Safeguards (HIPAA, SBA, PIPEDA, GLBA, etc…)
BitLocker Drive Encryption Support in Windows Server 2008
• Addresses Leading External Threats by Combining Drive Level Encryption with Boot Process Integrity Validation
• Leverages Trusted Platform Module (TPM) Technology (Hardware Module)
• Integrates with Enterprise Ecosystem Maintaining Keys in Active Directory
More…
• Mitigate Bottlenecks
  ● Processors
  ● Memory
  ● Storage
    • Don't run everything off a single spindle…
  ● Networking
• VHD Compaction/Expansion
  ● Run it on a non-production system
• Use .isos
  ● Great performance
  ● Can be mounted and unmounted remotely
  ● Physical DVD can’t be shared across multiple VMs
  ● Having them in SCVMM Library fast & convenient
Creating Virtual Machines
• Use SCVMM Library
• Steps:
  1. Create virtual machine
  2. Install guest operating system & latest SP
  3. Install integration components
  4. Install anti-virus
  5. Install management agents
  6. SYSPREP
  7. Add it to the VMM Library
• Windows Server 2003
  ● Create VMs using 2-way to ensure an MP HAL
Online Resources
• Microsoft Virtualization Home:
http://www.microsoft.com/virtualization
• Windows Server Virtualization Blog Site:
http://blogs.technet.com/virtualization/default.aspx
• Windows Server Virtualization TechNet Site:
http://technet2.microsoft.com/windowsserver2008/en/servermanager/virtualization.mspx
• Windows Server 2008 with Hyper-V RC1:
http://www.microsoft.com/downloads/details.aspx?FamilyId=7EDAA89F-9F64-488D-93C0-858D2D8799DF&displaylang=en
• Windows Hyper-V Installation Guide:
http://www.microsoft.com/windowsserver2008/virtualization/install.mspx
© 2008 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.