Applies To: Virtual Machine Manager 2008, Virtual Machine Manager 2008 R2, Virtual Machine Manager 2008 R2 SP1
This topic explains how to configure security for the VMM server in System Center Virtual Machine Manager (VMM) 2008 and provides security best practices for hardening the VMM server. The discussion provides the following information:

- Describes the ports and protocols that VMM uses for communications with clients, virtual machine hosts, and library servers.
- Describes account requirements for the VMM service account.
- Recommends security best practices for the VMM server.
The following table provides information about the default ports used for communications between the VMM server and the components that it manages.
Important
You should decide which ports to use before you install the VMM server. The settings cannot be changed through VMM after setup.
| Connection Type | Protocol | Default Port | Configurable |
|---|---|---|---|
| VMM server to VMM agent on Windows Server–based hosts and library servers (control) | WS-Management | 80 | Yes, during VMM server installation |
| Transfer of VMM agent to Windows Server–based hosts and library servers | SMB | 445 | Yes, during VMM setup |
| File transfers between the VMM server and Windows Server–based hosts | BITS | 443 (Maximum value: 32768) | Yes, during VMM setup |
| VMM server to remote Microsoft SQL Server database | TDS | 1433 | Yes, during VMM Setup |
| VMM server to VMM agent on P2V source machines | DCOM | 135 | No |
| Clients to VMM server | WCF | 8100 | No |
| VMM server to Operations Manager (SDK) | TCP | 5724 | No |
| VMM server to Operations Manager (Connector Framework) | TCP | 51905 | No |
| VMM Administrator Console to SQL Server Reporting Services server | HTTP | 80 | Yes, by updating the VMM reporting server setting |
| VMM server to VMware VirtualCenter server (WebServices API) | TCP/IP | 443 | Yes, while adding the VMware VirtualCenter server to VMM |
| VMM server to hosts running VMware ESX Server 3.0 or VMware ESX Server 3.5 (file transfers) | SFTP | 22 | No |
| VMM server to hosts running VMware ESX Server 3i (WebServices API) (file transfers) | HTTPS | 443 | No |
Note
For communications to support Performance and Resource Optimization (PRO) and Diagram View in the VMM Administrator Console, VMM uses a software-based connection to the root management server of System Center Operations Manager 2007, which is built into the VMM server. For information about security for these communications, see Configuring Security for Operations Manager Integration and PRO in VMM.
For communications with the VMM agents on Hyper-V and Virtual Server hosts and on library servers, VMM uses the WS-Management protocol over default port 80 for controls.
For library servers and for hosts in an Active Directory domain that has a two-way trust relationship with the VMM server, Kerberos is used for authentication and encryption.
For hosts in a non-trusted Active Directory domain or on a perimeter network, VMM uses NTLM for encryption, using credentials generated during VMM agent installation. Host authentication uses credentials generated on the host computer during VMM agent installation.
Note
To implement client authentication on a perimeter network, set up Internet Protocol security (IPsec) between the intranet and the perimeter network.
To copy the VMM agent to hosts, VMM uses the Server Message Block (SMB) protocol over default port 445. Kerberos authentication is used.
For file transfers to the agents on all Hyper-V and Virtual Server hosts, VMM uses BITS 2.5 over default port 443. Data is encrypted using Secure Sockets Layer (SSL). The port number must not exceed 32768.
Port assignments on hosts and library servers must match the port assignments on the VMM server. The port assignments on the VMM server are specified during setup and are stored in the registry. When a host or library server is added to VMM, VMM configures those ports on the agent-managed computer.
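Because the agent-side ports must match what was chosen at VMM setup, a quick reachability check from the VMM server catches a firewall or mismatch before a host refresher fails. The following PowerShell script is an added example, not part of the VMM documentation; it uses the page's default ports (80, 445, 443) and constructed placeholder host names, and it deliberately takes the port values as parameters because the registry location VMM stores them in is not given on this page.

```powershell
# Added example (not from the VMM documentation): verify that the documented
# VMM control and transfer ports are reachable from the VMM server to each
# managed host or library server. Defaults are the page's default ports; pass
# the values you chose during VMM setup. Host names are constructed placeholders.
param(
    [string[]]$Hosts = @('HYPERV01.contoso.local', 'LIB01.contoso.local'),
    [int]$WsManPort = 80,    # VMM agent control (WS-Management)
    [int]$SmbPort   = 445,   # agent deployment (SMB)
    [int]$BitsPort  = 443,   # file transfers (BITS over SSL)
    [int]$TimeoutMs = 3000
)

# Plain TcpClient connect with a timeout; works on Windows Server 2008-era
# PowerShell without the newer Test-NetConnection cmdlet.
function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# The page states the BITS port must not exceed 32768; refuse anything higher.
if ($BitsPort -gt 32768) { throw "BITS port $BitsPort exceeds the VMM maximum of 32768." }

$expected = @(
    @{ Name = 'WS-Management (agent control)'; Port = $WsManPort },
    @{ Name = 'SMB (agent deployment)';        Port = $SmbPort },
    @{ Name = 'BITS/SSL (file transfer)';      Port = $BitsPort }
)

# One result object per host/port pair; an unreachable row points at a firewall
# rule or a port assignment that differs from the VMM server's setting.
foreach ($h in $Hosts) {
    foreach ($e in $expected) {
        $ok = Test-TcpPort -ComputerName $h -Port $e.Port -TimeoutMs $TimeoutMs
        New-Object PSObject -Property @{
            Host = $h; Check = $e.Name; Port = $e.Port; Reachable = $ok
        }
    }
}
```

Run it on the VMM server itself, since that is the side that initiates the connections the table describes.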
If you use a remote instance of Microsoft SQL Server for the VMM database, VMM uses the Tabular Data Stream (TDS) protocol over default port 1433 for communications with SQL Server.
Note
If you use a remote instance of SQL Server, configuration updates to SQL Server are required before you can install the VMM server. For more information, see Hardening the VMM Database Server.
For connections to the VMM server from a VMM Administrator Console, Windows PowerShell – Virtual Machine Manager command shell, or VMM Self-Service Web Portal, VMM uses Windows Communication Framework (WCF), which uses TCP internally, on default port 8100, with encryption enabled. Kerberos is used for authentication.
The client uses the user’s credentials to connect to VMM. VMM determines the type of client and any group memberships and then checks VMM user role memberships to determine the VMM operations that the user is allowed to perform and the objects on which the user can perform them. For more information about user roles, see Role-Based Security in VMM.
VMM performs most management tasks through VirtualCenter, communicating with the VirtualCenter server using the WebServices API on default port 443. Encryption is performed through HTTPS using Secure Sockets Layer (SSL).
For file transfers, VMM connects directly to the ESX Server host. The security configuration for those connections depends on the version of ESX Server and whether or not you choose to manage your VMware environment in secure mode.
In secure mode, VMM authenticates each ESX Server host on all protocols used for communication. In secure mode, SSL over HTTPS (for ESX Server 3i) requires certificate authentication, and SFTP over Secure Shell (SSH) (for ESX Server 3.5 and ESX Server 3.0.1) requires host public key authentication. VMM retrieves and verifies both.
For more information about configuring security for managed VMware components, see Configuring Security for a Managed VMware Environment in VMM.
For the VMM service account, you can use either Local System (the default) or an Active Directory domain account.
In the following environments, you must use an Active Directory domain account as the VMM service account:

- If you plan to share ISO images among Hyper-V virtual machines, you must use a domain account for the VMM service account. For additional configuration requirements, see How to Enable Shared ISO Images for Hyper-V Virtual Machines in VMM (https://go.microsoft.com/fwlink/?LinkId=161975).
- In more restrictive Active Directory environments in which a Restricted Groups group policy is in effect, you must use a domain account instead of Local System for the VMM service account. The Restricted Groups policy does not allow machine accounts to be a member of the local Administrators group. Under a Restricted Groups group policy, the VMM machine account will be removed from the computer, leaving VMM unable to communicate with the host. In that situation, VMM places the host in a Needs Attention state and places the VMM agents on hosts and library servers in Not Responding status in VMM.
- If VMM will manage hosts in a disjointed namespace environment, where the FQDN of a Windows Server–based host in Active Directory Domain Services does not match the server’s FQDN in DNS, it is recommended that you use an Active Directory domain account as the VMM service account. To be able to add hosts by using the Add Hosts Wizard in VMM, you also must add the SPNs of the DNS host FQDNs to Active Directory Domain Services.
The domain account that you use for the VMM service account should meet the following requirements:
Use a dedicated account that is not used for any other purpose. In particular, avoid using an account that is used for any other purpose on your host computers. When a host is removed from VMM, VMM removes the account that the VMM service was running under from the local Administrators group on the host. If the same account is used for other purposes on the host, unexpected results can occur.
Note
You cannot use the same domain account that is used as the VMM service account to add or remove a Hyper-V or Virtual Server host from VMM. For more information, see Hardening Virtual Machine Hosts Managed by VMM. You also should not use the VMM service account as the credentials for installing a remote instance of SQL Server during the VMM server setup. For more information, see Configuring a Remote Instance of SQL Server for VMM (https://go.microsoft.com/fwlink/?LinkID=134060).
To support Performance and Resource Optimization (PRO), the VMM service account must be a member of the Administrator role in System Center Operations Manager 2007. When you configure Operations Manager integration with VMM during setup, VMM adds the VMM service account to the local Administrators group on the Operations Manager root management server, which by default populates the Administrator role in Operations Manager. If your organization uses a different group to populate that role, you must add the VMM service account to that group on the root management server. For additional information, see Configuring Security for Operations Manager Integration and PRO in VMM. For setup procedures, see Configuring Operations Manager Integration with VMM (https://go.microsoft.com/fwlink/?LinkID=125948).
The VMM service account is specified during VMM server installation. VMM adds the account to the db_owner fixed database role for the VMM database (by default, VirtualManagerDB).
To update the password for the VMM service, use Service Manager on the VMM server and then restart the VMM service.
Warning
It is recommended that you choose a new, dedicated domain account for your VMM service account and that you not change the identity of the VMM service account after setup. When you change the identity, you lose any encrypted data that was added to the VMM database under the previous service account, which includes credential information and licensing keys. If you do change the service account, you must afterwards re-associate the VMM agents on all hosts and library servers with the VMM server. If you are using a remote instance of SQL Server for VMM, you also must manually add the new account to the db_owner role for the VMM database. For instructions for adding an account to a db_owner role in SQL Server, see either Database-Level Roles (SQL Server 2008) (https://go.microsoft.com/fwlink/?LinkId=143202) or Database-Level Roles (SQL Server 2005) (https://go.microsoft.com/fwlink/?LinkId=143203).
When a Restricted Groups group policy is causing the removal of the VMM Server machine account from the local Administrators group on the host computer, host refresher jobs fail with Error 2027 (“A Hardware Management error has occurred trying to contact server servername.domainname.com. (Unknown error (0x80338104)”).
To resolve this issue, you can make any of the following changes to the Group Policy settings:

- Disable the Restricted Groups policy setting.
- Modify the group setting to allow the VMM machine account in the local Administrators group.
- Move the VMM Server machine account to its own organizational unit (OU), and block the group policy from being applied to that OU.
If modifying the group policy is not acceptable to your IT security team, your only option is to reinstall the VMM server and specify a domain account with Administrator rights on the VMM server computer. If you choose to retain data from your previous installation when you reinstall VMM, you will need to remove and re-add all your virtual machine hosts.
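The symptom described above (Error 2027 after a Restricted Groups policy strips the VMM machine account from local Administrators) can be detected ahead of time by enumerating the Administrators group on each managed host. The following PowerShell script is an added example, not part of the VMM documentation; the host names, domain name and account name are constructed placeholders, and it assumes the WinNT ADSI provider can reach the hosts from where it runs.

```powershell
# Added example (not from the VMM documentation): report whether the VMM
# server's identity is still a member of local Administrators on each managed
# host. For Local System the identity is the machine account (<VMMSERVER>$);
# for a domain service account, pass that account name instead.
# Host, domain and account names are constructed placeholders.
param(
    [string[]]$Hosts = @('HYPERV01.contoso.local', 'LIB01.contoso.local'),
    [string]$Domain = 'CONTOSO',
    [string]$VmmAccount = 'VMMSERVER$'
)

# Enumerate members of the local Administrators group over the WinNT ADSI
# provider, which works against Windows Server 2008-era hosts without remoting.
function Get-LocalAdministrators {
    param([string]$ComputerName)
    $group = [ADSI]"WinNT://$ComputerName/Administrators,group"
    foreach ($m in $group.psbase.Invoke('Members')) {
        $path = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        # ADsPath looks like WinNT://CONTOSO/VMMSERVER$ ; normalize to DOMAIN\name
        ($path -replace '^WinNT://', '') -replace '/', '\'
    }
}

foreach ($h in $Hosts) {
    try {
        $members = @(Get-LocalAdministrators -ComputerName $h)
        $present = $members -contains "$Domain\$VmmAccount"
        New-Object PSObject -Property @{
            Host = $h
            VmmAccountIsLocalAdmin = $present
            # A missing member on a host VMM still manages is the Restricted Groups
            # condition the text describes; expect Error 2027 on the next refresh.
            Hint = $(if ($present) { '' } else { 'Check Restricted Groups policy (Error 2027)' })
        }
    } catch {
        Write-Warning "Could not enumerate Administrators on ${h}: $_"
    }
}
```

Run it periodically or after Group Policy changes; a host that flips from True to False identifies the OU or GPO that needs one of the three fixes listed above.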
To help improve security for VMM operations, the following security practices are recommended for the VMM server:

- Before you install the VMM server into a production environment, evaluate your IT security policies in Active Directory Domain Services to ensure that your VMM service account enables VMM to perform all required operations. The choice of the VMM service account affects the ability of VMM to perform operations throughout your virtualized environment. If you have a restrictive Active Directory environment in which a Restricted Groups group policy is in effect or if you are managing hosts in a disjointed namespace, you must use a domain account rather than the default Local System account as the VMM service account. For more information, see Account Requirements for the VMM Service Account, earlier in this topic.
- Enforce role separation to limit administrative exposure. Not all administrators need full administrative access to VMM. Use delegated administration in VMM to limit the Administrator role to as few people as possible. Use Delegated Administrator roles to delegate administration of specific host groups and library servers to administrators who manage a limited virtualized environment. For example, you might delegate administration for a branch office, department, project, or virtual machine self-service, or you might use a delegated administrator to maintain virtual machine templates, stored virtual machines, and other resources on all library servers within the organization.

  Delegated administrators can perform all administrative tasks on all objects within the scope of their role. However, they cannot update VMM global settings. For more information, see Role-Based Security in VMM.

  Note
  To further restrict administrative access, create self-service user roles for customers who need only to create and administer their own virtual machines. A self-service user role enables members to perform a specified set of operations on their own virtual machines by using a VMM Self-Service Portal, which provides a limited view of only the virtual machines they own, the operations they are allowed to perform, and the virtual machine resources an administrator has provided for their use.
- Consider using non-default port numbers for communications with managed VMM components. Using non-default port settings for protocols such as HTTP and HTTPS might slow down an attacker. Not all port settings in VMM are configurable. When you install the VMM server, you can configure the default ports for communications with VMM agents on Windows Server–based hosts.

  Important
  You need to decide which ports to use before you install the VMM server. The ports cannot be changed afterwards. The ports that VMM uses for communications with managed hosts and library servers must match the port settings used on those servers. VMM configures those ports automatically when you add a host or library server to VMM.
- Configuring Security for a Managed VMware Environment in VMM
- Configuring Security for Operations Manager Integration and PRO in VMM
- Hardening the VMM Database Server
- Hardening Virtual Machine Hosts Managed by VMM
- Hardening VMM Self-Service Web Servers
- Role-Based Security in VMM
- How to Enable Shared ISO Images for Hyper-V Virtual Machines in VMM