Hardening VMM Self-Service Web Servers

Applies To: Virtual Machine Manager 2008, Virtual Machine Manager 2008 R2, Virtual Machine Manager 2008 R2 SP1

In System Center Virtual Machine Manager (VMM), self-service users use the VMM Self-Service Web Portal to create, operate, and connect to their own virtual machines within a restricted environment. The Self-Service Portal can be installed on a Web server that is running either Windows Server Internet Information Services (IIS) 7.0 (on a Windows Server 2008-based computer) or IIS 6.0 (on a Windows Server 2003-based computer). This topic provides guidance to help harden the Web server that hosts the Self-Service Portal.

Note

For more information about IIS and operating system requirements, see System Requirements: VMM Self-Service Portal (https://go.microsoft.com/fwlink/?LinkID=163000).

Ports and Protocols

For connections from a self-service Web server to the VMM server, VMM uses Windows Communication Foundation (WCF) over TCP (port 8100 by default) with WCF message encryption enabled. Kerberos is used for authentication.

Communications between self-service users’ browsers and the Self-Service Portal Web site use HTTP or, once you configure SSL as described later in this topic, HTTPS, and users are authenticated against Active Directory Domain Services (AD DS). The Web server uses the self-service user’s credentials to connect to the VMM server. During authorization, VMM checks the type of client, all of the user’s AD DS group memberships, and all of the user’s VMM user role memberships. The settings in a user’s self-service user roles determine which operations VMM will perform on the user’s behalf on objects within the scope of those roles. For more information, see Role-Based Security in VMM.

On the IIS server, VMM Setup binds the VMM Self-Service Portal Web site to the default HTTP port (80). If another Web site already uses port 80, you must either assign a different dedicated port to the portal or distinguish it with a host header. For information about configuring host headers, see the IIS documentation for your version of IIS.

The following table lists the ports and protocols that VMM uses for communications during virtual machine self-service.

Connection type                                       Protocol              Default port   Where to change the setting
VMM Self-Service Portal Web server to VMM server      WCF (TCP)             8100           During VMM Setup
Self-service user’s browser to Self-Service Portal    HTTP (without SSL)    80             During VMM Setup
Web server                                            HTTPS (with SSL)      443            In IIS, after Setup (see the Important note that follows)

Important

The VMM Setup Wizard does not assign a Secure Sockets Layer (SSL) port during installation of the VMM Self-Service Portal. Instead, the SSL port on the website is left blank. You must set this port to 443. If you do not, requests for the site over SSL will be ignored.

Security Measures

To help establish a baseline of security for your self-service Web servers, follow security best practices for IIS Web servers. For guidance, see IIS 6.0 Security Best Practices (https://go.microsoft.com/fwlink/?LinkId=180412) and Security Changes in IIS 7.0 (https://go.microsoft.com/fwlink/?LinkId=180413).

The following checklist summarizes the recommended security configuration tasks for hardening IIS Web servers that host the VMM Self-Service Portal.

Security Configuration Checklist

  • Configure SSL for the Self-Service Portal

  • Enable Integrated Windows Authentication for the Self-Service Portal

  • Disable ISAPI Handlers That Are Not Needed

  • Add Self-Service User Roles

  • Enable Access to VMware Virtual Machines Through the Self-Service Portal

Configure SSL for the Self-Service Portal

To encrypt communications between self-service users and the Self-Service Portal, enable SSL on the Web site that hosts the portal. This requires a server certificate. If the portal is reachable only on your organization’s intranet, with no public access, you can obtain the certificate from your organization’s existing public key infrastructure (PKI), because intranet clients already trust that CA. If users access the portal from the Internet, Microsoft recommends that you obtain the certificate from a public certification authority that users’ browsers trust.

If you are using IIS 6.0, see Configuring SSL on a Web Server or Web Site (IIS 6.0) (https://go.microsoft.com/fwlink/?LinkId=180419) for more information. If you are using IIS 7.0, see Securing Communications with Secure Socket Layer (SSL) (https://go.microsoft.com/fwlink/?LinkId=180417) for more information.
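The Important note in the Ports and Protocols section and the SSL guidance above both come down to the same IIS task: give the portal site an HTTPS binding on 443 (which VMM Setup leaves blank), bind a certificate to that port, and verify the result. The following PowerShell script is an added example and is not part of the VMM documentation or product. It assumes IIS 7.x on Windows Server 2008 or 2008 R2, appcmd.exe at its default path, the default portal site name shown in the procedures below, and a server certificate already installed in the computer’s Personal store whose thumbprint you paste into $CertThumb. The final step, requiring SSL so that plain-HTTP requests are refused, goes one step beyond “enable SSL” and is optional.

```powershell
# Added example (not from the VMM documentation or product): add the HTTPS binding
# that VMM Setup leaves blank, bind a certificate to it in HTTP.sys, and require SSL.
# Assumptions: IIS 7.x, appcmd.exe at its default path, the default portal site name,
# and a certificate already present in the computer's Personal (My) store.

$SiteName  = "Microsoft System Center Virtual Machine Manager Self-Service Portal"
$AppCmd    = Join-Path $env:windir "system32\inetsrv\appcmd.exe"
$SslPort   = 443
$CertThumb = "REPLACE-WITH-40-HEX-CHARACTER-THUMBPRINT"   # placeholder; set before running
$IisAppId  = "{4dc3e181-e14b-4a21-b022-59fc669b0914}"     # GUID identifying IIS as owner of the SSL binding

if ($CertThumb -notmatch '^[0-9A-Fa-f]{40}$') {
    throw "Set `$CertThumb to the thumbprint of the portal's server certificate first."
}

# 1. Inspect the current bindings. Setup creates only http/*:80: for the portal.
$site = & $AppCmd list site "$SiteName"
if (-not $site) { throw "Site '$SiteName' was not found in IIS." }
Write-Host "Before: $site"

# 2. Add the https binding on 443 if it is missing (this is the blank SSL port Setup leaves).
if ($site -notmatch "https/\*:${SslPort}:") {
    & $AppCmd set site /site.name:"$SiteName" "/+bindings.[protocol='https',bindingInformation='*:${SslPort}:']"
}

# 3. Bind the certificate to port 443 in HTTP.sys if no certificate is bound there yet.
#    netsh prints "The system cannot find the file specified." when nothing is bound.
$bound = & netsh http show sslcert ipport=0.0.0.0:$SslPort
if ($bound -match "cannot find the file specified") {
    & netsh http add sslcert ipport=0.0.0.0:$SslPort certhash=$CertThumb appid=$IisAppId
}

# 4. Optional hardening: require SSL for the site so requests on port 80 get HTTP 403
#    instead of carrying credentials in clear text. Scoped to the portal site only.
& $AppCmd set config "$SiteName/" /section:system.webServer/security/access /sslFlags:Ssl /commit:apphost

# 5. Verify: the binding list must now include https/*:443: and the port must show a certificate.
Write-Host "After:  $(& $AppCmd list site "$SiteName")"
& netsh http show sslcert ipport=0.0.0.0:$SslPort
```

If the certificate came from an internal PKI, confirm that the CA chain is installed on the client computers before requiring SSL; otherwise users who previously reached the portal over HTTP will be locked out with certificate errors rather than redirected.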

Enable Integrated Windows Authentication for the Self-Service Portal

By default, the VMM Self-Service Portal Web site is configured in IIS for anonymous access, and the portal itself uses forms-based authentication, under which every user must enter credentials on a logon page to access the Portal. If users choose to store their credentials at logon, the Connect to VM action in the Portal connects them to a virtual machine without prompting again, as long as the virtual machine accepts the same credentials.

If they use the Portal’s Remote Desktop action to connect to a virtual machine, they must either confirm their stored credentials or, if they didn’t store credentials, reenter the credentials.

To minimize the security risk associated with entering credentials on the Portal and to save time for your self-service users, you can configure the following features:

  • Integrated Windows Authentication—To eliminate the logon prompt when self-service users open the Self-Service Portal and when they connect to a virtual machine that requires the same credentials, by using the Portal’s Connect to VM action or thumbnails, configure Integrated Windows Authentication for the VMM Self-Service Portal. Integrated Windows Authentication uses the current Windows user information on the client and prompts for credentials only if other credentials are needed for authorization.

    Note

    Unless the Self-Service Portal and the VMM server are on the same computer, to implement Integrated Windows Authentication for self-service, you will need to configure constrained delegation for the VMM service account in Kerberos. For instructions for configuring Integrated Windows Authentication for virtual machine self-service, see How to Configure Integrated Windows Authentication for the VMM Self-Service Portal.

  • Single sign-on for Terminal Services—As a further convenience to your self-service users, you can configure single sign-on for the Remote Desktop action in the Portal. The Remote Desktop action opens a remote session with the virtual machine by using Terminal Services. To eliminate prompts for credentials, you will need to enable single sign-on for Terminal Services on each self-service user’s client computer. For instructions for configuring single sign-on, see Single Sign-On for Terminal Services (https://go.microsoft.com/fwlink/?LinkId=143908).

Disable ISAPI Handlers That Are Not Needed

During installation of the VMM Self-Service Portal, IIS registers its default ISAPI filters and handlers for common extensions such as .soap, .xoml, and .asmx. Every mapped handler is reachable code that will process requests from untrusted clients, so to reduce the attack surface of the Web server, disable the handlers that the Web applications on the IIS server do not use.

The VMM Self-Service Portal uses the ISAPI handlers listed below. Keep these and remove the rest.

  • OPTIONSVerbHandler

  • PageHandlerFactory-ISAPI-2.0

  • PageHandlerFactory-ISAPI-2.0-64

  • TRACEVerbHandler

  • WebServiceHandlerFactory-ISAPI-2.0

  • WebServiceHandlerFactory-ISAPI-2.0-64

  • StaticFile

Note

On a 64-bit Web server, the Self-Service Portal also requires the “-64” version of each handler whose name ends in “ISAPI-2.0” (for example, PageHandlerFactory-ISAPI-2.0-64 alongside PageHandlerFactory-ISAPI-2.0).

The following procedures explain how to disable ISAPI handlers in IIS 7.0 and IIS 6.0.

Important

To avoid unintended effects in other Web sites, be careful to only update the handlers for the VMM Self-Service Portal Web site.

To disable ISAPI handlers for the Self-Service Portal in IIS 7.0

  1. In Administrative Tools, open Internet Information Services (IIS) Manager.

  2. Expand Sites, and navigate to Microsoft System Center Virtual Machine Manager Self-Service Portal.

  3. In the Features View pane, under IIS, open Handler Mappings.

  4. For each handler that is not listed in the preceding table, select the handler, click Remove, and then click Yes.
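Removing handlers one at a time in IIS Manager is error-prone, and the Important note above warns that the removal must be scoped to the portal site. The following PowerShell script is an added example, not part of the VMM documentation or product, that applies the allow list from the table above to the portal site only on IIS 7.x. It assumes appcmd.exe at its default path and the default portal site name; it runs as a dry run until you set $DryRun to $false. The “-64” handler names are included unconditionally because on a 32-bit server they are simply absent and match nothing.

```powershell
# Added example (not from the VMM documentation or product): enforce the portal's
# handler allow list on the Self-Service Portal site only, leaving other sites alone.
# Assumptions: IIS 7.x, appcmd.exe at its default path, default portal site name.

$SiteName = "Microsoft System Center Virtual Machine Manager Self-Service Portal"
$AppCmd   = Join-Path $env:windir "system32\inetsrv\appcmd.exe"
$DryRun   = $true    # set to $false to actually remove handlers

# Handlers the portal requires (from the table in this topic), including the
# "-64" variants that a 64-bit server also needs.
$Required = @(
    "OPTIONSVerbHandler",
    "PageHandlerFactory-ISAPI-2.0",
    "PageHandlerFactory-ISAPI-2.0-64",
    "TRACEVerbHandler",
    "WebServiceHandlerFactory-ISAPI-2.0",
    "WebServiceHandlerFactory-ISAPI-2.0-64",
    "StaticFile"
)

# Read the handler mappings in effect for the portal site (inherited ones included).
$xml = & $AppCmd list config "$SiteName/" /section:system.webServer/handlers
if ($LASTEXITCODE -ne 0) { throw "appcmd could not read the handlers section for '$SiteName'." }
$Present = [regex]::Matches(($xml -join "`n"), '<add\s+name="([^"]+)"') |
           ForEach-Object { $_.Groups[1].Value }

# Sanity check before removing anything: every required handler must already be present.
$Missing = $Required | Where-Object { $Present -notcontains $_ }
if ($Missing) { Write-Warning "Required handlers not present on this site: $($Missing -join ', ')" }

# Everything not on the allow list is attack surface the portal does not need.
$Extra = $Present | Where-Object { $Required -notcontains $_ }
foreach ($name in $Extra) {
    if ($DryRun) {
        Write-Host "Would remove handler: $name"
    } else {
        # /commit:apphost writes a <remove name="..."/> inside a <location path="<site>">
        # element of applicationHost.config, so the change applies to this site only.
        & $AppCmd set config "$SiteName/" /section:system.webServer/handlers "/-[name='$name']" /commit:apphost
        Write-Host "Removed handler: $name"
    }
}

# Report what remains mapped for the portal site.
& $AppCmd list config "$SiteName/" /section:system.webServer/handlers
```

Run it first with the dry run, review the list, then apply. After applying, browse the portal and exercise Connect to VM, since WebServiceHandlerFactory is what serves the portal’s .asmx calls; if you later add another application under the same site, remember that the site-level removals apply to it too.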

To disable ISAPI handlers for the Self-Service Portal in IIS 6.0

  1. In Administrative Tools, open Internet Information Services (IIS) Manager.

  2. Expand Web Sites, and navigate to Microsoft System Center Virtual Machine Manager Self-Service Portal.

  3. Right-click the Web site, and click Properties.

  4. On the ISAPI Filters tab, remove all displayed filters for the VMM Self-Service Portal.

    The list does not display the required filters for the Web site, which are implicitly included with the ASP.NET filter.

For more information about the IIS features that the VMM Self-Service Portal uses, see System Requirements: VMM Self-Service Portal (https://go.microsoft.com/fwlink/?LinkID=163000).

Add Self-Service User Roles

To give users access to the VMM Self-Service Portal, and to control which operations they can perform on their own virtual machines, which templates and ISO images they can use, and which host groups their virtual machines will be deployed to, add self-service user roles.

Each self-service user role consists of the following components:

  • A self-service user profile that specifies the operations role members can perform on their own virtual machines. The profile can grant permission for any or all of the following virtual machine operations: Create, Start, Stop, Pause and resume, Checkpoint, Remove, Local Administrator, Remote connection, Shut down, and Store in library.

  • A scope that specifies the host groups on which users’ virtual machines will be deployed and the library path in which the templates and ISO image files for creating virtual machines are stored. Members’ stored virtual machines are also kept on this path. The role also specifies the virtual machine templates that can be used to create virtual machines, and the role can set a virtual machine quota to limit the number of virtual machines that role members can have deployed at any one time.

  • A membership list that contains the user accounts and security groups that are members of the role. To enable role members to share virtual machines, add them as members of a security group rather than as individual user accounts.

For more information about defining and administering self-service user roles, see Role-Based Security in VMM.

User roles are added in Administration view of the VMM Administrator Console. For more information, see How to Create a Self-Service User Role (https://go.microsoft.com/fwlink/?LinkId=162946).

Enable Access to VMware Virtual Machines Through the Self-Service Portal

To manage VMware virtual machines through the VMM Self-Service Portal, users must download and install a VMware ActiveX control. The control is downloaded from the VMware host, and that download must take place over an SSL channel, so you must enable SSL on the VMware host computers; VMM itself already connects to the VMware host by using SSL. Alternatively, you can install the VMware Virtual Infrastructure client on each client computer, which also installs the ActiveX control and eliminates the need to download it from the host.

See Also

Concepts

How to Configure Integrated Windows Authentication for the VMM Self-Service Portal
Role-Based Security in VMM