Securing Virtual Server

Securing Virtual Server

When securing Virtual Server 2005, you must do so in multiple areas:

Secure the file governing the configuration of the Virtual Server service.
Secure the individual configuration files and resource files associated with the Virtual Server components, such as virtual machines, virtual networks, and virtual disks.
Secure Internet Information Services (IIS) and the Administration Website.

Certain steps, described later in this topic, must also be taken when using the Virtual Machine Remote Control (VMRC) client behind a firewall.

Note
Some procedures described for Virtual Server require users to have administrative credentials. For improved security, however, it is good practice for administrators to use an account with restrictive permissions to perform routine, nonadministrative tasks, and to use an account with broader permissions only when performing specific administrative tasks. To avoid logging on and off with different accounts, you can log on with a regular user account, and then use the runas command to perform the tasks that require the broader permissions. For more information about runas, see the documentation for the Windows Server 2003 operating systems.

Note

Some procedures described for Virtual Server require users to have administrative credentials. For improved security, however, it is good practice for administrators to use an account with restrictive permissions to perform routine, nonadministrative tasks, and to use an account with broader permissions only when performing specific administrative tasks. To avoid logging on and off with different accounts, you can log on with a regular user account, and then use the runas command to perform the tasks that require the broader permissions. For more information about runas, see the documentation for the Windows Server 2003 operating systems.

Securing the Virtual Server configuration file

Virtual Server is configured to be secure by default. For example, by default only members of the local Administrators group can configure Virtual Server or create and manage its resources (virtual machines, virtual networks, and virtual disks). Security for the Virtual Server configuration options can be managed on the Virtual Server Security Properties page. This page allows you to configure permissions for managing Virtual Server. The permissions that you set on this page apply to the parent folder of the Virtual Server configuration file (Options.xml). By default, the files in the folder inherit the folder's permissions. On the Virtual Server Security Properties page you can change the owner of the folder, add a permission entry for a user account or group and configure permissions for it, or you can remove a permission entry. For more information, see Configuring Virtual Server security settings.

Note
The Administration Website uses a Common Gateway Interface (CGI) application for data transfer. This CGI application is VSWebApp.exe and is referred to as the Virtual Server "Web Application." To use the Administration Website and access the Virtual Server Security Properties page, user accounts must have Execute permissions on the folder containing the Virtual Server Web Application, VSWebApp.exe. By default, the folder is Program Files\Microsoft Virtual Server\Website\VirtualServer.

Note

The Administration Website uses a Common Gateway Interface (CGI) application for data transfer. This CGI application is VSWebApp.exe and is referred to as the Virtual Server "Web Application." To use the Administration Website and access the Virtual Server Security Properties page, user accounts must have Execute permissions on the folder containing the Virtual Server Web Application, VSWebApp.exe. By default, the folder is Program Files\Microsoft Virtual Server\Website\VirtualServer.

Securing other configuration and resource files

The configuration information for virtual machines and related components are stored in a variety of separate data files, as shown in the following table.

Data type	File name
Virtual machine general configuration	Virtual machine name.vmc
Virtual network configuration	Name.vnc
Virtual hard disk	Name.vhd

In order to turn on a virtual machine, a user must have both Read and Execute permissions and Write permissions on each of these files. By default, the local Administrators group and the creator of the virtual machine are granted full control of each file.

These files cannot be secured directly from Virtual Server, but must instead be secured by configuring the appropriate permissions on the files themselves, or on their parent directories. The way you secure these files will vary depending on the needs of your organization. Typically, the virtual machine configuration (.vmc) file and virtual hard disk (.vhd) file should be located in the same folder. The folder should have the same name as the virtual machine. That folder as a whole should be configured with the appropriate permissions. Note that the account under which a virtual machine is running (either the account of the user who started the virtual machine or the Virtual Machine Helper account) must have Read and Execute permissions on the virtual network configuration (.vnc) file.

Examples of security configurations for data files

The security configuration options of Virtual Server are designed to be flexible and to accommodate a variety of scenarios. By default, security is configured to best suit an environment in which there is one set of trusted administrators. You can, however, change this configuration to accommodate environments with multiple levels of administration.

The following figures show how security on the Virtual Server files is configured by default, followed by two examples of how you might configure the security of each of these files in two different scenarios with multiple layers of administration. These are presented as examples only. You should secure the files as appropriate for your environment.

Default security configuration

Three virtual machines have been created, each with their own folder. This figure depicts the default security configuration. The appropriate .vmc file and the related .vhd files are within each virtual machine's folder (Windows 2000 Server, Windows NT Server 4.0, and Windows 2000 Advanced Server) and these files inherit the permissions given to those folders. Administrators have full control over all folders and the files within those folders. This scenario, in which all administrators are trusted, is typically the only situation in which you would use the Shared virtual machines folder. As shown in the last two figures in this topic, the other scenarios do not use the Shared virtual machines folder and security is more closely customized to the departmental organization.

Default network security configuration

This figure depicts the default security configuration for the virtual network configuration (.vnc) files. Note that you may have to change this default configuration. The account under which a virtual machine is running (either the account of the user who started the virtual machine or the Virtual Machine Helper account) must have Read and Execute permissions on the .vnc file.

Departmental security configuration

This figure depicts the security configuration that might be used in an environment in which each department has its own virtual machine. The virtual machine folders (which contain the .vmc and .vhd files) are contained within each department's folder. Security on these folders and files is configured to restrict access to the appropriate personnel within each department. Note that the folders are configured to not inherit the permissions of their parent folder and also that they do not use the Shared virtual machines folder.

Test security configuration

This figure depicts the security configuration that might be used in an environment in which each tester and each developer has their own set of virtual machines. The folders are organized by department, and then by each individual. The virtual machine folders (which contain the .vmc and .vhd files) are contained within each department's folder. Security on these folders and files is configured to restrict access to the appropriate individual or department. Note that the folders are configured to not inherit the permissions of their parent folder and also that they do not use the Shared virtual machines folder.

In addition to securing these folders, you can also configure security on the individual files themselves. Securing the files individually is not necessary unless you want want to define access permissions more precisely than at the folder level. For more information, see Configuring virtual machine security and Configuring virtual disk security.

Securing IIS and the Administration Website

Virtual Server does not require any additional Internet Information Services (IIS) security configuration beyond the security model that you have determined appropriate for your environment. You should configure IIS to allow access to the Administration Website as is appropriate for your needs.

By default, Virtual Server uses Integrated Windows authentication with anonymous access disabled. This is the preferred method of authentication and typically you should not make changes to this setting. However, if a computer running Virtual Server is in an untrusted domain, you will not be able to access the Administration Website using Integrated Windows authentication. You instead will need to use Basic authentication. Certain risks are involved with using Basic authentication. For more information about these authentication methods, see the documentation for IIS.

Important
We strongly recommend that you implement Secure Sockets Layer (SSL) security for Administration Website and Virtual Machine Remote Control (VMRC) connections, particularly if you use Basic authentication. This is because with Basic authentication, passwords are transmitted in plaintext. You configure SSL for the Administration Website from within IIS. For instructions, see the documentation for IIS. You can configure SSL for VMRC from the Administration Website. You can also change the authentication type for VMRC connections to NTLM, Kerberos, or Automatic from within the Administration Website. For more information, see Configuring Virtual Machine Remote Control.

Important

We strongly recommend that you implement Secure Sockets Layer (SSL) security for Administration Website and Virtual Machine Remote Control (VMRC) connections, particularly if you use Basic authentication. This is because with Basic authentication, passwords are transmitted in plaintext. You configure SSL for the Administration Website from within IIS. For instructions, see the documentation for IIS. You can configure SSL for VMRC from the Administration Website. You can also change the authentication type for VMRC connections to NTLM, Kerberos, or Automatic from within the Administration Website. For more information, see Configuring Virtual Machine Remote Control.

Using VMRC behind a firewall

If you are using the VMRC client behind a firewall, you must open several ports:

Port 5900, which is the default port for the VMRC server
Port 1024, which is the default port for the Administration Website
Ports 137 and 138, the TCP and User Datagram Protocol (UDP) ports, for the Kerberos V5 ticket-granting authority

For more information, see Using the VMRC client to access virtual machines.

Note
Be aware that firewall software running on the host operating system will not protect guest operating systems. To obtain this protection, you must install firewall software directly on the guest operating systems.