Hardening the VMM Server

Applies To: Virtual Machine Manager 2008, Virtual Machine Manager 2008 R2, Virtual Machine Manager 2008 R2 SP1

This topic explains how to configure security for the VMM server in System Center Virtual Machine Manager (VMM) 2008 and provides security best practices for hardening the VMM server. The discussion provides the following information:

  • Describes the ports and protocols that VMM uses for communications with clients, virtual machine hosts, and library servers.

  • Describes account requirements for the VMM service account.

  • Recommends security best practices for the VMM server.

Ports and Protocols Used on the VMM Server

The following table provides information about the default ports used for communications between the VMM server and the components that it manages.

Important

You should decide which ports to use before you install the VMM server. The settings cannot be changed through VMM after setup.

Connection type | Protocol | Default port | Configurable
VMM server to VMM agent on Windows Server–based hosts and library servers (control) | WS-Management | 80 | Yes, during VMM server installation
Transfer of VMM agent to Windows Server–based hosts and library servers | SMB | 445 | Yes, during VMM setup
File transfers between the VMM server and Windows Server–based hosts | BITS | 443 (maximum value: 32768) | Yes, during VMM setup
VMM server to remote Microsoft SQL Server database | TDS | 1433 | Yes, during VMM setup
VMM server to VMM agent on P2V source machines | DCOM | 135 | No
Clients (VMM Administrator Console, Windows PowerShell – VMM command shell, VMM Self-Service Portal) to VMM server | WCF | 8100 | No
VMM server to Operations Manager (SDK) | TCP | 5724 | No
VMM server to Operations Manager (Connector Framework) | TCP | 51905 | No
VMM Administrator Console to SQL Server Reporting Services server | HTTP | 80 | Yes, by updating the VMM reporting server setting
VMM server to VMware VirtualCenter server (WebServices API) | TCP/IP | 443 | Yes, while adding the VMware VirtualCenter server to VMM
VMM server to hosts running VMware ESX Server 3.0 or VMware ESX Server 3.5 (file transfers) | SFTP | 22 | No
VMM server to hosts running VMware ESX Server 3i (WebServices API, file transfers) | HTTPS | 443 | No

Note

For communications to support Performance and Resource Optimization (PRO) and Diagram View in the VMM Administrator Console, VMM uses a software-based connection to the root management server of System Center Operations Manager 2007, which is built into the VMM server. For information about security for these communications, see Configuring Security for Operations Manager Integration and PRO in VMM.

VMM Server to VMM Agents on Hosts and Library Servers

For communications with the VMM agents on Hyper-V and Virtual Server hosts and on library servers, VMM uses the WS-Management protocol over default port 80 for control traffic.

For library servers and for hosts in an Active Directory domain that has a two-way trust relationship with the VMM server, Kerberos is used for authentication and encryption.

For hosts in a non-trusted Active Directory domain or on a perimeter network, Kerberos is not available, so VMM uses NTLM both to authenticate and to encrypt the WS-Management traffic. The credentials used for host authentication are generated on the host computer during VMM agent installation.

Note

To implement client authentication on a perimeter network, set up Internet Protocol security (IPsec) between the intranet and the perimeter network.

To copy the VMM agent to hosts, VMM uses the Server Message Block (SMB) protocol over default port 445. Kerberos authentication is used.

For file transfers to the agents on all Hyper-V and Virtual Server hosts, VMM uses BITS 2.5 over default port 443. Data is encrypted using Secure Sockets Layer (SSL). The port number must not exceed 32768.

Port assignments on hosts and library servers must match the port assignments on the VMM server. The port assignments on the VMM server are specified during setup and are stored in the registry. When a host or library server is added to VMM, VMM configures those ports on the agent-managed computer.
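The table and the paragraphs above say which ports VMM opens, but not which peers should be allowed to reach them. The following Windows PowerShell script is an added example, not part of the VMM documentation: it reads the configured ports, reports which of them are actually listening on the local computer, and emits host-firewall rules that restrict the WCF port on the VMM server to the administrator subnet and the WS-Management and BITS ports on a managed host to the VMM server only. It assumes that VMM 2008 setup stores its ports under the registry key named in the script with the value names WSManTcpPort, BITSTcpPort and IndigoTcpPort (falling back to the documented defaults when a value is absent), that netsh advfirewall is available, and that the IP addresses are placeholders for your environment.

```powershell
# Added example (not from the VMM documentation): audit the VMM ports listed above and
# emit host-firewall rules that limit them to the peers that legitimately need them.
# Assumptions, to verify on your build:
#   - VMM 2008 setup stores its ports under $regPath with the value names
#     WSManTcpPort (80), BITSTcpPort (443) and IndigoTcpPort (WCF, 8100); the
#     documented defaults are used when a value is absent (for example on a host).
#   - 'netsh advfirewall' exists (Windows Server 2008 and later).
#   - $VmmServerIp and $AdminSubnet are placeholders for your environment.
param(
    [ValidateSet('Server', 'Host')] [string]$Role = 'Server',
    [string]$VmmServerIp = '10.0.0.10',      # placeholder: the VMM server
    [string]$AdminSubnet = '10.0.5.0/24',    # placeholder: where consoles and the portal run
    [switch]$Apply                           # without -Apply the rules are only printed
)

$regPath = 'HKLM:\SOFTWARE\Microsoft\Microsoft System Center Virtual Machine Manager Server\Settings'

function Get-VmmPorts {
    $defaults = @{ WSManTcpPort = 80; BITSTcpPort = 443; IndigoTcpPort = 8100 }
    $reg = $null
    if (Test-Path $regPath) { $reg = Get-ItemProperty -Path $regPath }
    $ports = @{}
    foreach ($name in $defaults.Keys) {
        $value = $null
        if ($reg -ne $null) { $value = $reg.$name }
        if ($value) { $ports[$name] = [int]$value } else { $ports[$name] = $defaults[$name] }
    }
    return $ports
}

function Get-ListeningTcpPorts {
    # Parse netstat so the script also works on Windows Server 2008 (no Get-NetTCPConnection there).
    netstat -ano -p tcp | ForEach-Object {
        if ($_ -match '^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$') {
            New-Object PSObject -Property @{ Port = [int]$matches[1]; ProcessId = [int]$matches[2] }
        }
    }
}

function Test-VmmPortExposure {
    $ports = Get-VmmPorts
    $listening = @(Get-ListeningTcpPorts)
    foreach ($entry in $ports.GetEnumerator()) {
        $hit = $listening | Where-Object { $_.Port -eq $entry.Value } | Select-Object -First 1
        $state = if ($hit) { "LISTENING (pid $($hit.ProcessId))" } else { 'not listening' }
        # The documented upper bound for the BITS port is 32768.
        $flag = if ($entry.Key -eq 'BITSTcpPort' -and $entry.Value -gt 32768) { '  <-- exceeds 32768' } else { '' }
        '{0,-14} {1,6}  {2}{3}' -f $entry.Key, $entry.Value, $state, $flag
    }
}

function Add-RestrictedInboundRule {
    param([string]$Name, [int]$Port, [string]$RemoteIp)
    # Each token is passed as one argument, so a rule name containing spaces is quoted correctly.
    if ($Apply) {
        & netsh advfirewall firewall add rule "name=$Name" dir=in action=allow protocol=TCP "localport=$Port" "remoteip=$RemoteIp" profile=domain
    } else {
        "DRY RUN: netsh advfirewall firewall add rule name=`"$Name`" dir=in action=allow protocol=TCP localport=$Port remoteip=$RemoteIp profile=domain"
    }
}

Test-VmmPortExposure
$p = Get-VmmPorts
if ($Role -eq 'Server') {
    # Consoles, the command shell and the Self-Service Portal connect over WCF; nothing else needs 8100.
    Add-RestrictedInboundRule -Name 'VMM WCF clients' -Port $p.IndigoTcpPort -RemoteIp $AdminSubnet
} else {
    # A managed host or library server only ever talks to the VMM server on these two ports.
    Add-RestrictedInboundRule -Name 'VMM agent WS-Management' -Port $p.WSManTcpPort -RemoteIp $VmmServerIp
    Add-RestrictedInboundRule -Name 'VMM agent BITS' -Port $p.BITSTcpPort -RemoteIp $VmmServerIp
}
```

Run it without -Apply first and read the dry-run output. If the Self-Service Portal runs on a separate web server, its address must be added to the WCF rule, and if port 80 on a host is shared with other WinRM clients (for example a monitoring tool), widen the WS-Management rule accordingly rather than disabling it.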

VMM Server to a Remote Database Server

If you use a remote instance of Microsoft SQL Server for the VMM database, VMM uses the Tabular Data Stream (TDS) protocol over default port 1433 for communications with SQL Server.

Note

If you use a remote instance of SQL Server, configuration updates to SQL Server are required before you can install the VMM server. For more information, see Hardening the VMM Database Server.

Client to VMM Server

For connections to the VMM server from a VMM Administrator Console, Windows PowerShell – Virtual Machine Manager command shell, or VMM Self-Service Portal, VMM uses Windows Communication Foundation (WCF), which uses TCP internally, on default port 8100, with encryption enabled. Kerberos is used for authentication.

The client uses the user’s credentials to connect to VMM. VMM determines the type of client and any group memberships and then checks VMM user role memberships to determine the VMM operations that the user is allowed to perform and the objects on which the user can perform them. For more information about user roles, see Role-Based Security in VMM.

VMM Server to VirtualCenter Server and ESX Server Hosts

VMM performs most management tasks through VirtualCenter, communicating with the VirtualCenter server using the WebServices API on default port 443. Encryption is performed through HTTPS using Secure Sockets Layer (SSL).

For file transfers, VMM connects directly to the ESX Server host. The security configuration for those connections depends on the version of ESX Server and whether or not you choose to manage your VMware environment in secure mode.

In secure mode, VMM authenticates each ESX Server host on every protocol it uses to communicate with that host. HTTPS (HTTP over SSL), used for ESX Server 3i, requires the host's SSL certificate to be verified, and SFTP over Secure Shell (SSH), used for ESX Server 3.5 and ESX Server 3.0.1, requires the host's SSH public key to be verified. VMM retrieves and verifies both. Outside secure mode these host checks are not enforced, which is the main reason to prefer secure mode for file transfers to ESX Server hosts.

For more information about configuring security for managed VMware components, see Configuring Security for a Managed VMware Environment in VMM.

Account Requirements for the VMM Service Account

For the VMM service account, you can use either Local System (the default) or an Active Directory domain account.

When to Use a Domain Account for the VMM Service

In the following environments, you must use an Active Directory domain account as the VMM service account:

  • If you plan to share ISO images among Hyper-V virtual machines, you must use a domain account for the VMM service account. For additional configuration requirements, see How to Enable Shared ISO Images for Hyper-V Virtual Machines in VMM (https://go.microsoft.com/fwlink/?LinkId=161975).

  • In Active Directory environments in which a Restricted Groups group policy controls the membership of the local Administrators group, you must use a domain account instead of Local System for the VMM service account. A Restricted Groups policy enforces exactly the membership it defines, so the VMM server's machine account (which is how Local System appears on remote hosts) is removed from the local Administrators group on the host at the next policy refresh, and VMM can no longer communicate with the host. VMM then places the host in a Needs Attention state and marks the VMM agents on hosts and library servers as Not Responding.

  • If VMM will manage hosts in a disjoint namespace, where the fully qualified domain name (FQDN) of a Windows Server–based host in Active Directory Domain Services does not match the host's FQDN in DNS, it is recommended that you use an Active Directory domain account as the VMM service account. To be able to add hosts by using the Add Hosts Wizard in VMM, you also must add the SPNs of the DNS host FQDNs to Active Directory Domain Services.

Domain Account Requirements for the VMM Service

The domain account that you use for the VMM service account should meet the following requirements:

  • Use a dedicated account that is not used for any other purpose. In particular, avoid using an account that is used for any other purpose on your host computers. When a host is removed from VMM, VMM removes the account that the VMM service was running under from the local Administrators group on the host. If the same account is used for other purposes on the host, unexpected results can occur.

    Note

    You cannot use the same domain account that is used as the VMM service account to add or remove a Hyper-V or Virtual Server host from VMM. For more information, see Hardening Virtual Machine Hosts Managed by VMM. You also should not use the VMM service account as the credentials for installing a remote instance of SQL Server during the VMM server setup. For more information, see Configuring a Remote Instance of SQL Server for VMM (https://go.microsoft.com/fwlink/?LinkID=134060).

  • To support Performance and Resource Optimization (PRO), the VMM service account must be a member of the Administrator role in System Center Operations Manager 2007. When you configure Operations Manager integration with VMM during setup, VMM adds the VMM service account to the local Administrators group on the Operations Manager root management server, which by default populates the Administrator role in Operations Manager. If your organization uses a different group to populate that role, you must add the VMM service account to that group on the root management server. For additional information, see Configuring Security for Operations Manager Integration and PRO in VMM. For setup procedures, see Configuring Operations Manager Integration with VMM (https://go.microsoft.com/fwlink/?LinkID=125948).

Specifying the VMM Service Account

The VMM service account is specified during VMM server installation. VMM adds the account to the db_owner fixed database role for the VMM database (by default, VirtualManagerDB).

To update the password for the VMM service account, use the Services snap-in (services.msc) on the VMM server to change the password stored for the Virtual Machine Manager service, and then restart the service. Change only the password, not the account, for the reasons given in the warning below.

Warning

It is recommended that you choose a new, dedicated domain account for your VMM service account and that you not change the identity of the VMM service account after setup. When you change the identity, you lose any encrypted data that was added to the VMM database under the previous service account, which includes credential information and licensing keys. If you do change the service account, you must afterwards re-associate the VMM agents on all hosts and library servers with the VMM server. If you are using a remote instance of SQL Server for VMM, you also must manually add the new account to the db_owner role for the VMM database. For instructions for adding an account to a db_owner role in SQL Server, see either Database-Level Roles (SQL Server 2008) (https://go.microsoft.com/fwlink/?LinkId=143202) or Database-Level Roles (SQL Server 2005) (https://go.microsoft.com/fwlink/?LinkId=143203).
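If the service account has to be changed despite the warning above and the VMM database is on a remote SQL Server instance, the new account must be made db_owner of the VMM database by hand. The following Windows PowerShell script is an added example, not part of the VMM documentation: it generates the T-SQL to create the Windows login and database user if they do not exist, adds the user to db_owner, runs it through sqlcmd.exe, and then verifies the membership with a second query. It assumes sqlcmd.exe is on the PATH, that the instance, account and database names are placeholders for yours (VirtualManagerDB is the documented default), and that it is run by a SQL Server sysadmin, not by the VMM service account itself.

```powershell
# Added example (not from the VMM documentation): grant the new VMM service account db_owner on
# the VMM database on a remote SQL Server instance and verify that the grant took effect.
# Assumptions: sqlcmd.exe is on the PATH; $SqlInstance/$Account/$Database are placeholders;
# the caller is a SQL Server sysadmin (Windows authentication, -E).
param(
    [string]$SqlInstance = 'sql01\VMMINST',      # placeholder
    [string]$Account     = 'CONTOSO\svc-vmm',    # placeholder: the new VMM service account
    [string]$Database    = 'VirtualManagerDB'    # documented default VMM database name
)

# Quote values before interpolating them into T-SQL so an odd account name cannot break the batch.
function ConvertTo-SqlIdentifier { param([string]$Name) '[' + $Name.Replace(']', ']]') + ']' }
function ConvertTo-SqlString     { param([string]$Name) "N'" + $Name.Replace("'", "''") + "'" }

function Get-DbOwnerGrantScript {
    param([string]$Login, [string]$Db)
    $loginStr = ConvertTo-SqlString $Login
    $loginId  = ConvertTo-SqlIdentifier $Login
    $dbId     = ConvertTo-SqlIdentifier $Db
    @"
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = $loginStr)
    CREATE LOGIN $loginId FROM WINDOWS;
GO
USE $dbId;
GO
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = $loginStr)
    CREATE USER $loginId FOR LOGIN $loginId;
EXEC sp_addrolemember N'db_owner', $loginStr;
GO
"@
}

function Test-DbOwnerMembership {
    param([string]$Login, [string]$Db)
    $loginStr = ConvertTo-SqlString $Login
    $query = "SET NOCOUNT ON; SELECT COUNT(*) FROM sys.database_role_members rm " +
             "JOIN sys.database_principals r ON rm.role_principal_id = r.principal_id " +
             "JOIN sys.database_principals m ON rm.member_principal_id = m.principal_id " +
             "WHERE r.name = N'db_owner' AND m.name = $loginStr;"
    # -h -1 suppresses headers, -W trims padding, so the only numeric line is the count.
    $out = & sqlcmd -S $SqlInstance -E -d $Db -h -1 -W -Q $query
    $count = ($out | Where-Object { $_ -match '^\d+$' } | Select-Object -First 1)
    return ([int]$count) -gt 0
}

$tmp = [IO.Path]::GetTempFileName()
try {
    Set-Content -Path $tmp -Value (Get-DbOwnerGrantScript -Login $Account -Db $Database)
    & sqlcmd -S $SqlInstance -E -b -i $tmp        # -b: non-zero exit code on a T-SQL error
    if ($LASTEXITCODE -ne 0) { throw "sqlcmd failed with exit code $LASTEXITCODE" }
} finally {
    Remove-Item $tmp -ErrorAction SilentlyContinue
}

if (Test-DbOwnerMembership -Login $Account -Db $Database) {
    "$Account is a member of db_owner in $Database"
} else {
    throw "$Account is NOT a member of db_owner in $Database"
}
```

The grant restores database access only; the encrypted data that the warning says is lost on an identity change (stored credentials, licensing keys) is not recoverable this way and must be re-entered, and the agents on all hosts and library servers still have to be re-associated.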

Troubleshooting Issues with a Restricted Groups Group Policy

When a Restricted Groups group policy is causing the removal of the VMM Server machine account from the local Administrators group on the host computer, host refresher jobs fail with Error 2027 (“A Hardware Management error has occurred trying to contact server servername.domainname.com. (Unknown error (0x80338104)”).

To resolve this issue, you can make any of the following changes to the Group Policy settings:

  • Disable the Restricted Groups policy setting.

  • Modify the group setting to allow the VMM machine account in the local Administrators group.

  • Move the VMM Server machine account to its own organizational unit (OU), and block the group policy from being applied to that OU.

If modifying the group policy is not acceptable to your IT security team, your only option is to reinstall the VMM server and specify a domain account with Administrator rights on the VMM server computer. If you choose to retain data from your previous installation when you reinstall VMM, you will need to remove and re-add all your virtual machine hosts.
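The sections above describe the failure mode (Error 2027, hosts in Needs Attention) but give no way to check for it before the refresher jobs fail. The following Windows PowerShell script is an added example, not part of the VMM documentation: run on the VMM server, it reads the identity the VMM service runs as, works out which principal should therefore be in the local Administrators group on each host (the server's machine account for Local System, or the domain account itself), and reports any host where that principal is missing. It assumes the service is registered as vmmservice, that the host names are placeholders, that the domain's NetBIOS name is the first label of its DNS name, and that it is run under an account that can read local groups on the hosts (not the VMM service account).

```powershell
# Added example (not from the VMM documentation): verify that the principal VMM uses to reach each
# host is still a member of the host's local Administrators group, which a Restricted Groups policy
# can silently undo. Assumptions: the VMM service name is 'vmmservice'; $Hosts are placeholders;
# the domain's NetBIOS name equals the first label of its DNS name; the caller can read remote groups.
param([string[]]$Hosts = @('hyperv01', 'hyperv02'))   # placeholders

function Get-VmmServiceIdentity {
    $svc = Get-WmiObject Win32_Service -Filter "Name='vmmservice'"
    if (-not $svc) { throw "VMM service 'vmmservice' not found; adjust the service name." }
    return $svc.StartName          # 'LocalSystem' or 'DOMAIN\account'
}

function Get-ExpectedHostPrincipal {
    param([string]$StartName)
    if ($StartName -eq 'LocalSystem' -or $StartName -eq 'NT AUTHORITY\SYSTEM') {
        # Local System on the VMM server reaches hosts as the server's machine account, DOMAIN\NAME$.
        $cs = Get-WmiObject Win32_ComputerSystem
        $netbiosDomain = ($cs.Domain -split '\.')[0].ToUpper()   # assumption: NetBIOS = first DNS label
        return "$netbiosDomain\$($cs.Name.ToUpper())`$"
    }
    return $StartName                # a dedicated domain account, e.g. CONTOSO\svc-vmm
}

function Get-LocalAdministrators {
    param([string]$ComputerName)
    # ADSI WinNT provider works against Windows Server 2008 hosts without newer cmdlets.
    $group = [ADSI]"WinNT://$ComputerName/Administrators,group"
    @($group.Invoke('Members')) | ForEach-Object {
        # ADsPath looks like WinNT://CONTOSO/svc-vmm or WinNT://CONTOSO/VMMSERVER$
        $path = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
        ($path -replace '^WinNT://', '') -replace '/', '\'
    }
}

function Test-VmmHostAdminMembership {
    $identity = Get-VmmServiceIdentity
    $expected = Get-ExpectedHostPrincipal $identity
    "VMM service runs as '$identity'; expecting '$expected' in local Administrators on each host"
    foreach ($h in $Hosts) {
        try {
            $admins = @(Get-LocalAdministrators $h)
            $present = $admins -contains $expected      # -contains compares strings case-insensitively
            $verdict = if ($present) { 'OK' } else { 'MISSING (expect Error 2027 and Needs Attention; check Restricted Groups GPO)' }
            '{0,-16} {1}' -f $h, $verdict
        } catch {
            '{0,-16} error: {1}' -f $h, $_.Exception.Message
        }
    }
}

Test-VmmHostAdminMembership
```

A MISSING result on a host where the account was present when the host was added is the signature of the Restricted Groups problem described above; fixing the group policy and letting the host refresh is then cheaper than the reinstall the text describes as the last resort.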

Security Best Practices for the VMM Server

To help improve security for VMM operations, the following security practices are recommended for the VMM server:

  • Before you install the VMM server into a production environment, evaluate your IT security policies in Active Directory Domain Services to ensure that your VMM service account enables VMM to perform all required operations.   The choice of the VMM service account affects the ability of VMM to perform operations throughout your virtualized environment. If you have a restrictive Active Directory environment in which a Restricted Groups group policy is in effect, or if you are managing hosts in a disjoint namespace, you must use a domain account rather than the default Local System account as the VMM service account. For more information, see Account Requirements for the VMM Service Account, earlier in this topic.

  • Enforce role separation to limit administrative exposure.   Not all administrators need full administrative access to VMM. Use delegated administration in VMM to limit the Administrator role to as few people as possible. Use Delegated Administrator roles to delegate administration of specific host groups and library servers to administrators who manage a limited virtualized environment. For example, you might delegate administration for a branch office, department, project, or virtual machine self-service, or you might use a delegated administrator to maintain virtual machine templates, stored virtual machines, and other resources on all library servers within the organization.

    Delegated administrators can perform all administrative tasks on all objects within the scope of their role. However, they cannot update VMM global settings. For more information, see Role-Based Security in VMM.

    Note

    To further restrict administrative access, create self-service user roles for customers who need only to create and administer their own virtual machines. A self-service user role enables members to perform a specified set of operations on their own virtual machines by using a VMM Self-Service Portal, which provides a limited view of only the virtual machines they own, the operations they are allowed to perform, and the virtual machine resources an administrator has provided for their use.

  • Consider using non-default port numbers for communications with managed VMM components.   Moving well-known ports such as 80 and 443 to other numbers can slow down casual scanning, but a port scan reveals the new ports quickly, so this is not a substitute for host-firewall rules that restrict which addresses can reach them. Not all port settings in VMM are configurable. When you install the VMM server, you can configure the default ports for communications with VMM agents on Windows Server–based hosts.

    Important

    You need to decide which ports to use before you install the VMM server. The ports cannot be changed afterwards. The ports that VMM uses for communications with managed hosts and library servers must match the port settings used on those servers. VMM configures those ports automatically when you add a host or library server to VMM.
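The role-separation practice above is easiest to keep honest when it is scripted: the global Administrator role should contain few principals, and branch or project administrators should get a Delegated Administrator role scoped to their own host group. The following Windows PowerShell script is an added example, not part of the VMM documentation: it lists the members of the built-in Administrator role and creates (or updates) a Delegated Administrator role scoped to one host group with an Active Directory group as its member. It uses the VMM 2008 snap-in cmdlets Get-VMMServer, Get-VMMUserRole, New-VMMUserRole, Set-VMMUserRole and Get-VMHostGroup; the parameter names (-UserRoleProfile, -AddScope, -AddMember) and the Profile and Path property names should be checked against Get-Help on your build, and the server, host group and group names are placeholders.

```powershell
# Added example (not from the VMM documentation): report Administrator role members and create a
# Delegated Administrator role scoped to one host group. Cmdlet names are from the VMM 2008 snap-in;
# verify the parameter names (-UserRoleProfile, -AddScope, -AddMember) and the Profile/Path property
# names with Get-Help on your build. Server, host group and AD group names are placeholders.
param(
    [string]$VmmServer     = 'vmm01.contoso.com',
    [string]$HostGroupPath = 'All Hosts\Branch Offices\Seattle',
    [string]$AdGroup       = 'CONTOSO\VMM-Seattle-Admins',
    [string]$RoleName      = 'Seattle Delegated Admin'
)
Add-PSSnapin Microsoft.SystemCenter.VirtualMachineManager -ErrorAction SilentlyContinue
Get-VMMServer -ComputerName $VmmServer | Out-Null

function Get-VmmAdministratorMembers {
    # The Administrator role is global and unscoped; every member listed here can do anything in VMM.
    $admin = Get-VMMUserRole | Where-Object { $_.Profile -eq 'Administrator' }
    @($admin.Members) | ForEach-Object { $_.ToString() }
}

function New-ScopedDelegatedAdmin {
    param([string]$Name, [string]$Member, [string]$HostGroup)
    $hg = Get-VMHostGroup | Where-Object { $_.Path -eq $HostGroup }
    if (-not $hg) { throw "Host group '$HostGroup' not found" }
    $role = Get-VMMUserRole -Name $Name -ErrorAction SilentlyContinue
    if (-not $role) {
        $role = New-VMMUserRole -Name $Name -UserRoleProfile DelegatedAdmin -Description "Delegated admin for $HostGroup"
    }
    # Scope and membership go together: the member gains rights only over objects under $hg.
    Set-VMMUserRole -UserRole $role -AddScope $hg -AddMember $Member | Out-Null
    return Get-VMMUserRole -Name $Name
}

'Administrator role members:'
Get-VmmAdministratorMembers | ForEach-Object { "  $_" }
$new = New-ScopedDelegatedAdmin -Name $RoleName -Member $AdGroup -HostGroup $HostGroupPath
"Role '$($new.Name)' now has members: $(@($new.Members) -join ', ')"
```

Use Active Directory groups rather than individual accounts as role members so that membership is reviewed where the rest of your access control lives, and once a scoped role exists, remove from the Administrator role anyone who only needs that scope.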

See Also

Concepts

Configuring Security for a Managed VMware Environment in VMM
Configuring Security for Operations Manager Integration and PRO in VMM
Hardening the VMM Database Server
Hardening Virtual Machine Hosts Managed by VMM
Hardening VMM Self-Service Web Servers
Role-Based Security in VMM

Other Resources

How to Enable Shared ISO Images for Hyper-V Virtual Machines in VMM