Secure Server Virtualization Using Hyper-V

This is the final installment in our series of articles about Hype-V security. Thus far, we have looked at how to configure Hyper-V security using Authorization Manager and how to use Hyper-V and Authorization Manager together for maximum security. This article will explain in greater detail how to secure Hyper-V Server and virtual machines using Authorization Manager and best practices. It will focus on Hyper-V security best practices and provide an example of Hyper-V security using Authorization Manager.

An Example of When to Provide Hyper-V Security Using Authorization Manager

Authorization Manger makes secure server virtualization more than a pipe dream. These best practices show you the two best ways to secure Hyper-V Server and virtual machines using Authorization Manager.

We will focus on two ways to use Authorization Manager to control Hyper-V resources:

  • Delegating Monitoring Operations
  • Delegating Modify Operations

In both cases, you would use Authorization Manager's default operations list. You must configure the following sets of operations for Monitoring Delegation. You can also reduce the number of Monitoring Operations dependent on your requirement. As shown in Figure 1, all of the operations starting with "Read" or "View" indicate the user or role configuration for these operations can only "Read" or "View" the Hyper-V or virtual machine configuration. They cannot change or modify anything on the Hyper-V or virtual machines.

Delegating Monitoring Operations

Monitor Scope View
Figure 1
Monitor Scope View

In this example, we will assign the following permissions to a Security Group called Monitor Group. This article assumes you have already created the security group in the Active Directory Domain.

  • View Virtual Machine Configuration
  • Read Service Configuration
  • View VLAN Settings

The Security Group Monitor Group contains two members: Jack and Smith.

  1. Open Authorization Manager
  2. Load the InitialStore.XML file for Hyper-V from the above mentioned path.
  3. Create a new Scope called Monitor Scope as shown in Figure 1:
  • Expand the Definitions; right-click on this; and click "New Role Definition." Type as shown below in the "New Role Definition" dialog box,seen in Figure 2:

    New Role Definition dialogue box
    Figure 2
    New Role Definition dialogue box
  • Click on Add and go to the "Operations" Tab and add the following operations:
    1. Read Service Configuration
    2. View Virtual Machine Configuration
    3. View VLAN Settings
  • Right-click on "Role Assignments," select "New Role Assignment" and select "Monitor Administrators," as shown below in Figure 3:

    New Role Assignments
    Figure 3
    New Role Assignments
  • Click Ok to add the “Monitor Administrators” as the Role Assignment. Now, right-click on the "Monitor Administrators," select "Assign Users and Groups" > "From Windows and Active Directory" > add "Monitor Group" security group from Active Directory, and then click OK.
  • Close the Authorization Manager Snap-in.

    Now, log on to the Hyper-V server with a user who is member of the Security Group Monitor Group. The members will have the read access on the Hyper-V Server and virtual machines. They can read, but they cannot modify anything. This is how you design the Monitoring Role in Hyper-V.

    Now, when user members of "Monitor Group" security group try to perform any modify operations on the Hyper-V Server or virtual machines, they will get the error message saying that the requested operation cannot be performed.

    Delegating Modify Operations

    The delegating example is as above except you must add the Modify Operations to the Operations list. In this example, we have created a Security Group called Hyper-V Modify Operators and added Robin and Hick as the member of this group.

    The end result would be that you will have two role assignments in the Authorization Manager to provide security to Hyper-V Server and virtual machines running on it. It should look as shown in Figure 4:

    Authorization Manager
    Figure 4
    Authorization Manager

    Note: The Operations are cumulative. A user who is member of a security group that is part of Hyper-V Modify and Monitor will have both operations assigned to him.

    The Authorization Manager can be used to provide the security to Hyper-V Server and virtual machines running on it. Authorization Manager uses the RBAC Model, which is more robust than the DACL model.

    Securing Virtual Machine Access Using DACLs

    Hyper-V uses the Authorization Manager Policy store to provide security for the Hyper-V parent partition and the virtual machines running on it. To tighten the controls, assign permissions to the virtual machine folders that contain the VHD and XML files. At a minimum, Hyper-V Server creates the following files when you create a virtual machine:

    • GUID.XML
    • Virtual Machine.VHD

    These two files are kept in separate folders. Apart from that, the following files are also created:

    GUID.AVHD Created when you take the snapshot
    GUID.VSV Created when you take the snapshot of an online virtual machine
    GUID.BIN Created when you take the snapshot of an online Virtual Machine. This file stores the contents from memory of running virtual machine

    Hyper-V Security Best Practices

    As a best practice, you should provide the security at the folder level also. This section of the article provides an example to secure Virtual Machine access using the DACLs.

    • Install Hyper-V Role on Server Core: Installing Hyper-V Role on Server Core reduces attack surface and also only required ports are opened.
    • Do not change Default Context of Hyper-V Services: Avoid changing the default security context of Hyper-V Services.
    • Default Configuration of Hyper-V: Always check the default configuration of Hyper-V before rolling it out to a production environment.
    • Block unnecessary Ports on Hyper-V Partition: Always review the ports listening on Hyper-V parent partition and block them. Installing ClientServer applications will result in listening on a static port.
    • Using Bit-Locker Encryption on Parent Partition: Always consider encrypting Hyper-V Server volumes using BitLocker Technology.
    • Avoid using Built-in Administrators account for Hyper-V Administration: By default, when you install Hyper-V role, the local administrator is given full control permissions in Authorization Manager to manage Hyper-V Server and virtual machines running on it. Avoid using this user account. Instead, use Authorization Manager Role Model to create separate security groups and then assign permissions to them.
    • Always create Groups rather than creating user accounts and assigning permissions in the Authorization Manager.


    This article explained Authorization Model to provide security for virtual machines running on Hyper-V Server. We also discussed about the best practices when securing Hyper-V Server and virtual machines running on it.

    Follow ServerWatch on Twitter

  • This article was originally published on Mar 10, 2010
    Page 1 of 1

    Thanks for your registration, follow us on our social networks to keep up-to-date