MCTS Self-Paced Training Kit (Exam 70-652): Securing Hosts and Virtual Machines
- 6/17/2009
Chapter Summary
Virtual environments need a different security approach. When you are running host servers and virtual machines that rely on the same operating system, you need to segregate the security context of the resource pool from the virtual environment.
It is important to maintain the integrity of the installed files, installed services, and firewall rules of the Windows Server 2008 installation when adding the Hyper-V role for the security implementation.
The Security Configuration Wizard in Windows Server 2008 generates security profiles based on the role a server plays within the network. It lets you configure services through predefined, role-based configurations, network security, and registry settings, and it can also implement an audit policy.
Windows Vista added a new capability for the Windows operating system—being able to configure removable device controls through the use of Group Policy. This is done through the control of device installations. To increase the security context in the resource pool, this GPO should be applied on both servers and PCs so that no unauthorized user can connect a USB drive.
BitLocker Full Drive Encryption allows you to encrypt the contents of the operating system volume. It is most often used on mobile systems, but it can also be used to protect server drives.
To be able to audit an object you need to enable the auditing policy within a Group Policy object, and you must turn on auditing for the object itself.
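The two halves of object auditing described above, as an added PowerShell example that is not part of the training kit; the folder path is an assumption, and the script must run from an elevated prompt because writing a SACL requires the security privilege.

```powershell
# Added example (not from the training kit): enabling both halves of object auditing.
# Assumption: $Target is a folder holding virtual machine files that should be audited.
$Target = 'C:\VMStore'

# 1. Policy half: turn on the Object Access category for the file system.
#    Without this, SACL entries on files and folders generate no events at all.
#    The GPO equivalent is Computer Configuration > Windows Settings > Security Settings
#    > Local Policies > Audit Policy > Audit object access (Success and Failure).
auditpol /set /subcategory:"File System" /success:enable /failure:enable

# 2. Object half: add an audit entry (SACL) to the folder itself.
#    Here every successful or failed write, delete, or permission change by anyone
#    is audited, and the entry is inherited by subfolders and files.
$identity = 'Everyone'
$rights   = [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions'
$inherit  = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propag   = [System.Security.AccessControl.PropagationFlags]::None
$flags    = [System.Security.AccessControl.AuditFlags]'Success, Failure'
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule($identity, $rights, $inherit, $propag, $flags)

$acl = Get-Acl -Path $Target -Audit     # -Audit is required to read and write the SACL
$acl.AddAuditRule($rule)
Set-Acl -Path $Target -AclObject $acl

# 3. Check: both halves must be in place before any event is written.
auditpol /get /subcategory:"File System"
(Get-Acl -Path $Target -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags -AutoSize

# After a write or delete under $Target, event ID 4663 ("An attempt was made to access
# an object") appears in the Security log. Pull the most recent entries to confirm.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -MaxEvents 10 |
    Select-Object TimeCreated, Message
```

If auditpol reports the subcategory enabled but no 4663 events ever appear, the SACL half is missing; if the SACL is present but auditpol shows "No Auditing", the policy half is missing.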
In a distributed management resource pool, you rely on Authorization Manager to manage Hyper-V hosts. In a centrally managed resource pool, you rely on a host server and virtual machine management tool—for example SCVMM—to assign least-privilege access rights.
The Hyper-V authorization stores are made up of four components: store scope, store tasks, store roles, and assigned users or groups. AzMan can operate in Administrator mode to modify an existing policy and in Developer mode to create new policies and to modify the structure of an existing policy.
Virtual Service Offering’s scope of protection depends on the size of the organization. You should rely on the various virtual networks supported by Hyper-V to segregate traffic between virtual machines of different sensitivity.
Time synchronization in virtual machines is very important when working in Active Directory forests and domains, and is also essential if you want Kerberos authentication to work properly.
The Offline Virtual Machine Servicing Tool (OVMST) is designed to automatically update all virtual machines whether they are on or off.