Hardening the VMM Database Server
Applies To: Virtual Machine Manager 2008, Virtual Machine Manager 2008 R2, Virtual Machine Manager 2008 R2 SP1
This topic explains security requirements and security best practices for using a remote instance of Microsoft SQL Server 2008 or Microsoft SQL Server 2005 with System Center Virtual Machine Manager (VMM). Database settings for VMM are configured when you install the VMM server. If you plan to use a remote SQL Server instance, you must perform configuration updates in SQL Server before you install the VMM server to enable remote access, enable encryption, and provide the required credentials in SQL Server.
Preparing SQL Server
If you plan to use a remote instance of SQL Server for the VMM database, you will need to update the following configurations in SQL Server before you install the VMM server.
Ensure that remote access is enabled on the remote SQL Server instance.
By default, many versions of Microsoft SQL Server 2005 and Microsoft SQL Server 2008, such as the Express Edition and the Evaluation Edition, are configured to allow only local connections.
For information about configuring remote connections for SQL Server 2008, see the following topics: Connecting to the SQL Server Database Engine (https://go.microsoft.com/fwlink/?LinkId=127719) and Configuring the Windows Firewall to Allow SQL Server Access (https://go.microsoft.com/fwlink/?LinkId=128365).
For information about configuring remote connections for SQL Server 2005, see How to configure SQL Server 2005 to allow remote connections (https://go.microsoft.com/fwlink/?LinkId=119974).
Note
If you have not yet decided which version of SQL Server to use for VMM, see System Requirements: VMM Database (https://go.microsoft.com/fwlink/?LinkID=162993) for a list of supported SQL Server versions and scaling recommendations.
Add the domain account that VMM Server Setup Wizard will use for communicating with SQL Server to the sysadmin server role in SQL Server.
Before you run the VMM Server Setup Wizard, ensure that either the user account with which you log on to run the wizard or the credentials that you will provide on the SQL Server Settings page of the wizard is a member of the sysadmin server role in the remote SQL Server instance that you will specify. This is required to enable the Setup Wizard to create the VMM database on the remote instance of SQL Server.
Note
The credentials that you provide during setup should not be the VMM service account.
For information about adding an account to the sysadmin server role, see one of the following topics:
If the remote SQL Server instance is not running under Local System, create an SPN for the SQL Server service.
If the remote SQL Server instance is running under the Network Service account or a domain account rather than the default Local System account, you must create a Service Principal Name (SPN) for the SQL Server service. For more information and configuration instructions, see Microsoft Knowledge Base article 811889 (https://go.microsoft.com/fwlink/?LinkId=88057).
Enable Secure Sockets Layer (SSL) encryption.
To enhance security, it is strongly recommended that you enable SSL encryption for communications between VMM and the remote SQL Server instance. To configure this, modify the connection string as described in Microsoft Knowledge Base article 316898 (https://go.microsoft.com/fwlink/?LinkId=89722).
Configuring a Remote Database Server in VMM
When you install the VMM server, you will specify credentials for VMM on the remote instance of SQL Server and the port to use for communications between VMM and SQL Server. For complete installation instructions, see Installing the VMM Server (https://go.microsoft.com/fwlink/?LinkID=162988).
Account requirements—As noted earlier, for a remote SQL Server instance, during setup, you must use a domain account that is a member of the sysadmin server role on the remote instance of SQL Server for communications between VMM and SQL Server. This either can be the account with which you log on to run the VMM Server Setup Wizard, or it can be the credentials that you provide on the SQL Server Settings page of the wizard. You should not use the VMM service account for this purpose.
Specifying a port—SQL Server uses the Tabular Data Stream (TDS) protocol over default port 1433 to communicate with the VMM server. To change the default port used on the VMM server, while installing the VMM server, append the port number after the SQL Server instance by using the following syntax:
instance name, port.Note
During Setup, VMM uses TCP port 445 on the remote server that is running SQL Server to populate the database instances from the remote server. If a firewall is blocking port 445, you can enter the name of the SQL Server instance manually.
Important
During VMM server installation, VMM adds the VMM service account to the db_owner fixed database role for the Virtual Machine Manager database (by default, VirtualManagerDB). If you later change the VMM service account and you are using a remote instance of SQL Server, you must add the account to the db_owner role manually. For instructions, see Database-Level Roles (SQL Server 2008) (https://go.microsoft.com/fwlink/?LinkId=143202) or Database-Level Roles (SQL Server 2005) (https://go.microsoft.com/fwlink/?LinkId=143203).
Security Best Practices for Using a Remote Instance of SQL Server
To help enhance security when you are using a remote instance of SQL Server for VMM, follow these security best practices:
Enable Single Sockets Layer (SSL) encryption for communications between VMM and the remote instance of SQL Server.
As a security best practice, do not use the default port (port 1433) for communications between VMM and the remote instance of SQL Server.
It is strongly recommended that you create a new, dedicated VMM service account that you can use for as long as the VMM server is in use, and that you not change the identity of the VMM service account after setup. If you change the identity of the VMM service account, all encrypted data in the VMM database will be lost. If you do need to change the service account, you must afterwards re-associate the VMM agents on all hosts and library servers with the VMM server. If you are using a remote instance of SQL Server for VMM, you also must manually add the new account to the db_owner role for the VMM database. For information about adding accounts to a db_owner role, see Database-Level Roles (SQL Server 2008) (https://go.microsoft.com/fwlink/?LinkId=143202).
Follow security best practices for SQL Server, as described in the following topics: