Hardening VMM Library Servers
Applies To: Virtual Machine Manager 2008, Virtual Machine Manager 2008 R2, Virtual Machine Manager 2008 R2 SP1
This topic describes security requirements and security best practices for library servers that are used by System Center Virtual Machine Manager (VMM) 2008 and Virtual Machine Manager 2008 R2. VMM manages the resources that are used to create virtual machines centrally through the VMM library. The library is a catalog of resources that are stored on library servers that have been added to VMM. This topic describes the ports and protocols that VMM uses for all types of communication with library servers, explains how VMM manages access to library resources, and provides security best practices for library servers.
Connections to Library Servers
The protocols and ports described in the following table are used for communications between VMM agent on the library server and the VMM server, and for file transfers between a library server and virtual machine hosts and other library servers.
| Connection Type | Protocol | Default Port | Authentication | Encryption |
|---|---|---|---|---|
VMM agent on library server to VMM server |
WS-Management |
80 |
Kerberos |
Kerberos |
File transfers to Windows Server-based host (Hyper-V or Virtual Server) |
BITS 2.5 |
433 (Maximum value: 32768) |
Kerberos |
SSL |
File transfers to library servers |
BITS 2.5 |
443 (Maximum value: 32768) |
Kerberos |
SSL |
File transfers to VMware ESX Server 3i hosts |
HTTPS |
443 |
VMM must have virtual machine delegate credentials on the host. In secure mode, authentication requires a certificate. |
Yes |
File transfers to VMware ESX Server 3.5 and VMware ESX Server 3.0.1 hosts |
SFTP |
22 |
VMM must have virtual machine delegate credentials on the host. In secure mode, authentication requires a certificate and public key. |
Yes |
Note
While a host cluster or a highly available library server is being added to VMM 2008, port 135 (DCOM port) must be open on the target computer (that is, the cluster node that was specified in the Add Hosts or Add Library Server wizard) to enable VMM to send remote WMI calls to that computer. The port needs to be open only while the cluster is being added to VMM. For information, see Connecting to WMI Remotely Starting with Windows Vista (https://go.microsoft.com/fwlink/?LinkId=153786).
Note
Before you can add a highly available library server in a disjointed namespace to a VMM server that is not in a disjointed namespace, you must add the DNS suffix for the host cluster to the TCP/IP connection settings on the VMM server.
VMM Agent to VMM Server
For communications with the VMM agents on library servers, VMM uses WS-Management over port 80 for controls. Kerberos is used for authentication and encryption. A library server must be in an Active Directory domain that has a two-way trust relationship with the domain of the VMM server.
File Transfers to a Virtual Machine Host
File transfers to ESX Server hosts in a managed VMware environment require different ports and protocols than VMM uses for file transfers to Hyper-V or Virtual Server hosts.
Hyper-V and Virtual Server Hosts
For file transfers between a library server and a Hyper-V or Virtual Server host, VMM uses the BITS 2.5 protocol over default port 433. The port number must not exceed 32768. Encryption is performed using Secure Sockets Layer (SSL). Authentication is based on a randomly generated URL that is passed by the VMM server at the time of the communication setup. The URL incorporates a session key that is transferred in encrypted form using Windows Remote Management (WinRM).
If a library server also serves as a virtual machine host in VMM, VMM does not encrypt local file transfers from library shares to other locations on the same computer during virtual machine creation and deployment.
Note
If you have implemented another form of encryption, such as IPsec, or have otherwise secured your virtualized environment, you might want to take advantage of the new option in VMM 2008 R2 to allow unencrypted file transfers for individual library servers and individual host groups. Allowing unencrypted file transfers can improve performance during virtual machine creation and migration. For files to be transferred unencrypted, unencrypted file transfers must be allowed on both the source and destination computer. This option is available by updating the properties of a library server. For a procedure, see How to Allow Unencrypted File Transfers for a Library Server.
ESX Server Hosts
To perform file transfer operations between a Windows Server–based library server and a host that is running a non-embedded version of ESX Server (either VMware ESX Server 3.5 or VMware ESX Server 3.0.1), VMM must have virtual machine delegate credentials in ESX Server. This type of file transfer is required for operations such as creating a virtual machine with a virtual hard disk stored on a VMM library server or storing a VMware virtual machine in the VMM library. For account requirements and configuration instructions, see Configuring Security for a Managed VMware Environment in VMM.
The security configuration for file transfers is different depending on the ESX Server version and whether the VMM is managing the VMware environment in secure mode. In secure mode, VMM authenticates each ESX Server host on all protocols used for communication. The file transfer protocol, port, and authentication methods vary depending on the ESX Server version that is running on the host:
Embedded ESX Server (ESX Server 3i)—VMM uses HTTPS over default port 443 for file transfers. In secure mode, encryption using Secure Sockets Layer (SSL) requires certificate authentication.
Non-embedded ESX Server (ESX Server 3.5 and 3.0.1)—VMM uses SFTP over default port 22. In secure mode, encryption using Secure Shell (SSH) requires RSA public key authentication.
Until the required security information is entered for an ESX Server host, the host has OK (Limited) status in VMM, and no operations that require file transfers between the host and a library server are allowed.
After providing the needed security information for a VMware ESX Server host, you can import existing VMware templates into the VMM library to be used in virtual machine creation on ESX Server hosts. For instructions, in VMM 2008 Help, see How to Import VMware Templates (https://go.microsoft.com/fwlink/?LinkID=162956).
File Transfers to Library Servers
File transfers between VMM library servers use the same type of connection used for file transfers to Hyper-V and Virtual Server hosts. For more information, see File Transfers to a Virtual Machine Host.
Managing Access to Library Resources
All resources that are used to create virtual machines—including virtual hard disks, ISO image files, SysPrep answer files, and other scripts—must be stored in the VMM library. That is, the files must be added to a share that is a designated library share on a file server that has been added to VMM as a library server. VMM indexes the files stored on library shares on a periodic basis (by default, once per hour) and adds the resources to the VMM database, making them available for use during virtual machine creation.
The rights and permissions described in the following table are required for management tasks performed in the VMM library.
| Library Task | Account Requirements |
|---|---|
Add a library server to VMM |
Member of the local Administrators group on the file server and a member of the Administrator user role or a delegated administrator role in VMM |
Add or remove a library share Refresh a library share or library server Disable or enable individual resources on a library share |
Administrator role in VMM or a delegated administrator role that has the library server within its scope |
Add files to a library share |
Write access to the share, configured outside VMM |
All user roles in VMM grant Read permission for resources stored on library servers that are within the scope of the user role:
Administrator—Members of the Administrator user role can perform all VMM operations on all resources on all VMM library servers. That includes creating virtual machines, profiles, and templates based on the stored resources. The Administrator user role does not grant the Write permission required to add files to the shares. That operation is performed externally, and the permissions must be configured in the file system.
Delegated administration—To be available to delegated administrators, the resources must be stored on a library server that is within the scope of their delegated administrator role. Delegated administrators can perform all VMM operations on the resources on assigned library servers.
Self-service resources—To be available to self-service users, virtual machine templates and ISO images must be stored on a single library path that is specified in their self-service user role. The resources are visible and available only if the user role allows users to create their own virtual machines. Self-service users see only templates that have been assigned to the user role and ISO images that are stored on the designated library path. They cannot add or alter these resources. For additional security, self-service users are not aware of the physical location of the resources.
Enabling Shared ISO Image Files for Hyper-V Virtual Machines
To enable sharing of ISO image files on Hyper-V virtual machines, you must perform the following configurations:
You must specify an Active Directory domain account for the VMM Server service account.
You must store the ISO images in the VMM library. For more information, see How to Add Files to the Library (https://go.microsoft.com/fwlink/?LinkID=162799).
You must configure share permissions and NTFS permissions on the library shares. The VMM Server service account and the machine account for each server that is running Hyper-V must have Read permission on the shares.
To allow a Hyper-V virtual machine to access an ISO file on a shared folder in a domain environment, you must configure the server running Hyper-V for constrained delegation. Configure the computer account of the server running Hyper-V to present delegated credentials for the Common Internet File System (CIFS) service type.
Note
In VMM 2008, use of a shared ISO image file is not supported for self-service users. Instead, VMM attaches a copy of the ISO image file to the new virtual machine. VMM 2008 R2 supports shared ISO images for self-service.
For procedures, see How to Enable Shared ISO Images for Hyper-V Virtual Machines in VMM.
Security Best Practices for Library Servers
To help enhance security on a VMM library server, the following practices are recommended:
When you add a library server to VMM, use either SMB packet signing or IPsec to help secure the agent deployment process. When you add a library server, VMM remotely installs a VMM agent on the managed computer. The VMM agent deployment process uses both the Server Message Block (SMB) ports and the Remote Procedure Call (RPC) port (TCP port 135) and the DCOM port range. To help secure the process, you can use either SMB packet signing or IPsec.
In the file system, restrict access to library shares to VMM administrators who manage resources used in virtual machine creation.
Use delegated administration in VMM to limit VMM administrative rights on library servers to only those administrators who manage the resources on them. You can create delegated administrator roles to delegate the administration of library servers within an organization, geographical location, department, or group. The user roles will provide full administrative rights on all objects within the assigned host groups and on assigned library servers. Alternatively, you might create a delegated administrator role that allows one administrator to maintain all library servers throughout your organization.
Apply updates to the operating systems and applications on virtual hard disks, ISO image files, and virtual machines that are stored in the library with the same rigor that you do on deployed virtual machines. Because the stored images and virtual machines are not in use, automatic update utilities such as Microsoft Update do not send update notifications.
Follow security best practices for hardening Windows Server–based file servers. For security guidelines for computers that perform the File Services role in Windows Server 2008, see Hardening File Services (https://go.microsoft.com/fwlink/?LinkId=143316).
See Also
Tasks
How to Enable Shared ISO Images for Hyper-V Virtual Machines in VMM
Concepts
Configuring Security for a Managed VMware Environment in VMM
Hardening the VMM Components