Hyper-V Security and Authorization Manager, Keys to a Successful Config

By Nirmal Sharma (Send Email)
Posted Dec 11, 2009


Securing virtual machines (VMs) running on Hyper-V is a critical task. This article is the second in a series on configuring and securing Hyper-V using Authorization Manager. (Part 1 can be found here.) This article explains how you can secure access to VMs running on Hyper-V. Authorization Manager is a component built into Windows. Hyper-V uses its store to provide security to the Hyper-V Parent Partition and the VMs running on it. The policy settings for Hyper-V are kept in an XML-based file. By default, the Local Administrator is part of this policy and can manage all aspects of Hyper-V.

Are your Hyper-V virtual machines secure? Learn how to secure them using Authorization Manager.

This article will focus on the following topics:

  • Securing Hyper-V Resources Using Authorization Manager
  • Step-by-Step using Authorization Manager
  • Hyper-V Operations Tasks and Categories
  • A simple example using Authorization Manager

Hyper-V uses Authorization Manager to provide security to the Hyper-V Parent Partition and VMs. Before you play with it, you must be familiar with the basic terms used in Authorization Manager, starting with the following:


Figure 1: Authorization Manager RBAC Model

Authorization Manager uses a role-based access control (RBAC) model. In this model, a role is granted operations (or tasks, which group operations), and the members of that role may perform only the actions those operations describe. Figure 1 defines the following terms:

Scope: A Scope is the boundary for a particular Role. You can create a Scope by right-clicking Hyper-V Services in Authorization Manager or by using a small script. Every Scope you create in Authorization Manager has three things associated with it, as shown in Figure 2:

  • Groups
  • Definitions
  • Role Assignments

Figure 2: Authorization Manager Screen Shot

Operation: An Operation is the basic unit of permission, for example stopping or starting a VM.
Tasks and Role Definitions: A Task is a collection of Operations, and a Role Definition is the set of permissions assigned to a Role Assignment.
Role Assignment: A Role Assignment contains the users to which Tasks and Operations are assigned.

As Figure 1 shows, two scopes are created: SCOPE 1 and SCOPE 2. Both scopes contain Operations, Tasks and Role, but the permissions are different. The Roles defined in Scope 1 are User 1 and User 2, and Operations assigned to these Roles are: "Start Virtual Machine" and "Stop Virtual Machine." Similarly, as you see in SCOPE 2, Roles are different: User 3 and User 4. Scope 2 has only one Operation defined for User 3 and User 4: "Configure Virtual Machine Settings."

The Operations, Tasks and Roles are defined in an XML-based file stored at

%SystemRoot%\ProgramData\Microsoft\Windows\Hyper-V\InitialStore.XML

Note: The ProgramData folder is hidden by default on Windows Server 2008. You might need to unhide this folder to view the above path.

Hyper-V Server uses this store. If the file is missing, the Hyper-V services will fail to start. During initialization Hyper-V reads this file to obtain the permissions that apply to VMs, and it locates InitialStore.XML by querying the registry key shown below:

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Virtualization

The above registry key holds two registry entries: StoreLocation and ServiceApplication. StoreLocation defines the path of the InitialStore.XML file, and ServiceApplication defines which application within that policy store Hyper-V uses. In this case it is always Hyper-V Services.

Tip: The InitialStore.XML file is installed only when you enable the Hyper-V Role. If this file is missing or corrupted, you have two options:

  • Copy the file from a working Hyper-V Server, or
  • Mount Install.WIM from the Windows Server 2008 ISO, search it for InitialStore.XML, and copy that file to the Hyper-V Server.

The scope of this article is limited to Hyper-V Security. It doesn't explain everything about Authorization Manager and its features. More information on Authorization Manager can be found here.

By default, Hyper-V Server defines one Scope, 33 Operations and a single Role, all stored in the above-mentioned XML file. By default, the Local Administrator on the Parent Partition is configured as the Default Role and is assigned all the permissions needed to configure Hyper-V and the VMs running on it. You can view and configure these using the Authorization Manager MMC snap-in, AzMan.MSC. You must be a member of the Local Administrators group on the Parent Partition to use Authorization Manager.
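As an added example (not code from the article or from Microsoft), the following PowerShell script audits the store described in the last two sections: it reads StoreLocation and ServiceApplication from the registry key above, opens the store through the AzRoles COM interface, cross-checks the stated defaults (one Scope, 33 Operations, one Role), and lists every Role Assignment with its Role Definitions, Operations and members. It assumes Windows Server 2008 with the Hyper-V Role enabled and an elevated session run by a member of the Local Administrators group.

```powershell
# Added example (not from the article): audit the Hyper-V Authorization Manager store.
# Assumes Windows Server 2008 + Hyper-V Role, run elevated as a Local Administrator.
$regPath  = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Virtualization'
$virt     = Get-ItemProperty -Path $regPath
$storeUrl = $virt.StoreLocation        # msxml://...\InitialStore.xml on a default install
$appName  = $virt.ServiceApplication   # the AzMan application Hyper-V evaluates against

$store = New-Object -ComObject AzRoles.AzAuthorizationStore
$store.Initialize(0, $storeUrl, $null)          # flags 0: open the existing store only
$app = $store.OpenApplication($appName, $null)

# Cross-check the defaults stated in the text: one Scope, 33 Operations, a single Role.
"Store:       $storeUrl"
"Application: $appName"
"Operations:  $(@($app.Operations).Count)"
"Scopes:      $(@($app.Scopes).Count)"

function Get-RoleAssignment {
    param($Container, [string]$ScopeName)
    foreach ($role in $Container.Roles) {
        New-Object PSObject -Property @{
            Scope           = $ScopeName
            RoleAssignment  = $role.Name
            RoleDefinitions = (@($role.Tasks) -join ', ')       # tasks flagged IsRoleDefinition
            Operations      = (@($role.Operations) -join ', ')  # operations granted directly
            Members         = (@($role.MembersName) -join ', ') # account names; SIDs are in .Members
            AppGroups       = (@($role.AppMembers) -join ', ')  # AzMan application groups
        }
    }
}

# Application-level assignments first (the default Administrator role lives here), then each Scope.
$report = @(Get-RoleAssignment -Container $app -ScopeName '<application>')
foreach ($scope in $app.Scopes) {
    $report += Get-RoleAssignment -Container $scope -ScopeName $scope.Name
}
$report | Select-Object Scope, RoleAssignment, RoleDefinitions, Operations, Members, AppGroups |
    Format-Table -AutoSize -Wrap

# Anything beyond the documented default deserves review. Assumption: on a fresh install the
# only assignment is the application-level Administrator role held by the local Administrators
# group (BUILTIN\Administrators), so other members or per-Scope assignments are flagged.
$report | Where-Object { $_.Members -notmatch '\\Administrators$' -or $_.Scope -ne '<application>' } |
    ForEach-Object { Write-Warning "Non-default assignment: '$($_.RoleAssignment)' in scope '$($_.Scope)' -> $($_.Members)" }
```

Because the store is opened without the create or manage flags, the script only reads the policy; any change you decide on is still made in AzMan.MSC.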
