
Security Basics for VMM


Role-Based Security in SCVMM
   Available Targets
   Role Types in VMM
   Administrator Role
   Delegated Administrator Roles
   Self-Service User Roles
   Access to Virtual Machine Resources
   Placing a Quota on Users’ Virtual Machines
      Ownership of Virtual Machines
      Sharing Virtual Machines
   Administering Virtual Machine Self-Service
Required Rights and Permissions for VMM Administrative Tasks
VMM Ports and Protocols




Beginning with System Center Virtual Machine Manager (VMM) 2008, VMM implements role-based security to
provide finer control over who can do what within the virtualized environment. This security model supports
delegated administration, which was not available in VMM 2007. Self-service user roles replace the self-service
policies that were used to administer virtual machine self-service in VMM 2007.

A user role defines a set of operations (grouped in a profile) that can be performed on a selected set of objects
(defined by the user role’s scope). Within that framework, an organization can create delegated administrator
roles that allow, for example, a high-level administrator to manage all operations in a New York office, a
specialized administrator to manage all library servers, or an advanced user to set up complex virtual
environments within a single lab. An organization also can create self-service user roles that allow users to
perform a specified set of operations on their own virtual machines.

A user role consists of the following parts:

    •    A profile defines the set of available operations that a role member can perform.
    •    The scope defines the set of objects that the operations can target.
    •    The membership list specifies the Active Directory user accounts and security groups that are assigned
         to the role.


 Important
 When you add a Hyper-V host to VMM 2008 R2, VMM preserves changes to role definitions and role memberships in the root
 scope of the Hyper-V authorization store. The VMM agent overwrites all changes to other scopes. As a result, while a Hyper-V
 host is managed by VMM 2008 R2, access is determined by the union of all roles in the root scope plus the VMM role assigned
 to each virtual machine’s scope.

 This is a change from the way that VMM 2008 handles Hyper-V role definitions and scopes. When a Hyper-V host is added to
 VMM 2008, VMM creates its own authorization store without importing any role and membership settings from initialstore.xml
 on the Hyper-V computer, and then updates the registry so that Hyper-V points to the VMM authorization store.

 For more information, see security considerations for Hyper-V hosts in Hardening Virtual Machine Hosts Managed by VMM.



Available Targets
In role-based security, dynamic collections of instances of objects (such as hosts or virtual machines), known as
groups, determine the available targets for a particular operation that a user performs. For example, when a
user attempts to start a virtual machine, VMM first checks whether the user has permission to perform the
Start action on virtual machines and then verifies that the user has the right to start the selected virtual
machine.

These groups are hierarchical: providing access to a particular instance provides access to all instances
contained in that instance. For example, providing access to a host group provides access to all hosts within the
host group and to all virtual networks on the hosts.

The following illustration shows the hierarchy of instances within the groups that apply to VMM user roles.
When a user role provides access to an instance in the outer ring, it automatically provides access to all
instances in the inner rings. Virtual machines are pictured separately because the flow of access works
somewhat differently for them. For all administrator roles, host group rights flow to all virtual machines that
are deployed on the hosts. However, that is not true for members of self-service user roles. The rights of
self-service users are limited to virtual machines that they own.




Group hierarchies for role-based security


Role Types in VMM
The following user role types, based on profiles of the same name, are defined for VMM:

    •    Administrator role—Members of the Administrator role can perform all VMM actions on all objects
         that are managed by the VMM server. Only one role can be associated with this profile. At least one
         administrator should be a member of the role.
    •    Delegated Administrator role—Members of a role based on the Delegated Administrator profile have
         full VMM administrator rights, with a few exceptions, on all objects in the scope defined by the host
         groups and library that are assigned to the role. A delegated administrator cannot modify VMM
         settings or add or remove members of the Administrator role.
    •    Self-Service User role—Members of a role based on the Self-Service User profile can manage their
         own virtual machines within a restricted environment. Self-service users use the VMM Self-Service
         Web Portal to manage their virtual machines. The portal provides a simplified view of only the virtual
         machines that the user owns and the operations that the user is allowed to perform on them. A self-
         service user role specifies the operations that members can perform on their own virtual machines
         (these can include creating virtual machines) and the templates and ISO image files that they can use
         to create virtual machines. The user role also can place a quota on the virtual machines that a user can
         deploy at any one time. Self-service users’ virtual machines are deployed transparently on the most
         suitable host in the host group that is assigned to the user role.

VMM does not support the creation of custom user profiles.

Users can be a member of more than one user role, in which case VMM grants them the rights associated with
all their roles.
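Because a user who is a member of several roles receives the union of their rights, a "restricted" self-service user who is also in a delegated administrator role is not restricted at all. The following audit script is an added example, not code from the original document or from the VMM product documentation. It assumes the VMM 2008 command shell (Get-VMMServer, Get-VMMUserRole) and that the returned user-role objects expose Name, Profile and Members properties; the server name and the list of "broad" groups are placeholders for your environment.

```powershell
# Added example (not from the original document): audit VMM user roles and flag
# accounts whose effective rights are the union of several roles.
# Assumes the VMM 2008 command shell and PowerShell 2.0 or later; the server name
# and the $broadGroups list are placeholders.
Get-VMMServer -ComputerName "vmmserver.contoso.local" | Out-Null

$roles = Get-VMMUserRole

# 1. Summary of every role: name, profile, members.
#    (Name, Profile and Members are assumed property names from the VMM object model.)
foreach ($role in $roles) {
    "{0,-30} {1,-20} members: {2}" -f $role.Name, $role.Profile, (@($role.Members) -join ", ")
}

# 2. Map each member (user account or security group) to the roles it appears in.
$rolesByMember = @{}
foreach ($role in $roles) {
    foreach ($member in @($role.Members)) {
        $key = ([string]$member).ToLowerInvariant()
        if (-not $rolesByMember.ContainsKey($key)) { $rolesByMember[$key] = @() }
        $rolesByMember[$key] += $role.Name
    }
}

# 3. Warn on accounts in more than one role: VMM grants them the rights of all of them.
foreach ($entry in $rolesByMember.GetEnumerator()) {
    if ($entry.Value.Count -gt 1) {
        Write-Warning ("{0} is a member of {1}: effective rights are the union of these roles" -f `
            $entry.Key, ($entry.Value -join " + "))
    }
}

# 4. The Administrator role has unrestricted scope: it should be small, never empty, and
#    should not contain broad groups. Adjust $broadGroups for your domain (placeholder values).
$broadGroups = @("contoso\domain users", "everyone", "authenticated users")
$adminRole   = $roles | Where-Object { $_.Name -eq "Administrator" }
$adminMembers = @($adminRole.Members)
if ($adminMembers.Count -eq 0) { Write-Warning "Administrator role has no members" }
foreach ($member in $adminMembers) {
    if ($broadGroups -contains ([string]$member).ToLowerInvariant()) {
        Write-Warning "Administrator role contains broad group '$member'"
    }
}
```

Because membership can be granted through Active Directory groups, the overlap check only sees direct members; resolving nested group membership against Active Directory is a separate step this script does not perform.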

The following illustration shows a simple schema for delegating administration within a virtualized environment
that supports virtual machine self-service.








Sample topology for delegated administration


Administrator Role
Members of the Administrator role can perform all VMM actions on all hosts, library servers, and virtual
machines that are managed by the VMM server. The actions and scope cannot be changed.

To add members to the Administrator role, expand the User Roles node in Administration view of the VMM
Administrator Console, right-click Administrator in the list, and then click Properties.

The following table summarizes the features of the Administrator role.

 Setting         Description
 Profile         All VMM operations
 Scope           All objects managed by the VMM server
 Client access   VMM Administrator Console: Yes
                 Windows PowerShell – VMM command shell: Yes
                 VMM Self-Service Portal: No



Delegated Administrator Roles

A delegated administrator role assigns broad administrator rights within a scope that is defined by host groups
and library servers assigned to the role. The efficiency with which you delegate administration in VMM
depends on careful planning of the host groups and library servers within your virtualized environment. For
information about creating Delegated Administrator roles, see How to Create a Delegated Administrator User
Role (http://go.microsoft.com/fwlink/?LinkId=162941).

The following table describes the features of delegated administrator roles.


 Setting         Description
 Profile         The Delegated Administrator profile allows the following operations on objects within the
                 scope of the user role. These operations cannot be changed.
                   • View, create, and manage host groups, hosts, and virtual networks within the scope of
                     their user role.
                   • Create, view, modify, and migrate virtual machines within the scope of their user role.
                   • Add library servers to VMM.
                   • Manage virtual machine resources on all specified library shares on library servers
                     within the scope of the user role.
                   • Create user roles within the scope of their user role.
                   • View, modify, or remove user roles that they created.
                   • Perform all administrator operations within the scope of their user role except for
                     the following operations:
                        o Cannot view, modify, or remove user roles created by members of the Administrator
                          user role or by other members of a Delegated Administrator user role.
                        o Cannot modify global VMM settings or System Center settings in VMM.
 Scope           n host groups—Administrator rights on all objects within host groups, hosts, and virtual
                 networks contained in the assigned host groups. This includes virtual hard disks, virtual
                 network adapters, SCSI adapters, and so forth configured on virtual machines on the hosts.
                 n library servers—Virtual hard disks, virtual floppy disks, ISO image files, Windows
                 PowerShell scripts, SysPrep answer files, and VMware templates stored on all library shares
                 on the library servers.
 Client access   VMM Administrator Console: Yes
                 Windows PowerShell – VMM command shell: Yes
                 VMM Self-Service Portal: No
                 Note: To access the VMM Self-Service Portal, an administrator must be added to a
                 self-service user role.
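Because delegated administrator rights flow down to every host, virtual network and virtual machine under the assigned host groups, the scope is the privilege boundary and is worth verifying after the role is created. The following script is an added example, not code from the original document or from the VMM product documentation. It assumes the VMM 2008 command shell cmdlets Get-VMHostGroup, Get-LibraryServer and New-VMMUserRole with the -UserRoleProfile, -AddMember and -AddScope parameters, a Path property on host groups and a Scope property on user-role objects; the host group path, library server and group names are placeholders.

```powershell
# Added example (not from the original document): create a Delegated Administrator role
# scoped to one host group and one library server, then verify the resulting scope.
# Assumes the VMM 2008 command shell; object and account names are placeholders.
Get-VMMServer -ComputerName "vmmserver.contoso.local" | Out-Null

# Scope objects. Resolving them first, rather than passing names, avoids creating a role
# with an unintended (or empty) scope when a name is mistyped.
$hostGroup = Get-VMHostGroup | Where-Object { $_.Path -eq "All Hosts\New York" }   # Path: assumed property
$library   = Get-LibraryServer | Where-Object { $_.ComputerName -eq "nylib01.contoso.local" }
if (-not $hostGroup) { throw "Host group not found; refusing to create an unscoped role" }
if (-not $library)   { throw "Library server not found; refusing to create an unscoped role" }

# -UserRoleProfile DelegatedAdmin, -AddMember and -AddScope: parameter names as used in the
# VMM 2008 command shell (assumed; check Get-Help New-VMMUserRole on your server).
$role = New-VMMUserRole -Name "New York Delegated Admins" `
    -UserRoleProfile DelegatedAdmin `
    -Description "Administrator rights limited to the New York host group and library server" `
    -AddMember "CONTOSO\NY-VMM-Admins" `
    -AddScope $hostGroup, $library

# Verify the scope holds exactly the intended objects. Every extra object here is a real
# privilege grant over all hosts, virtual networks and VMs beneath it.
$expected = @($hostGroup.Name, $library.Name) | Sort-Object
$actual   = @($role.Scope | ForEach-Object { $_.Name }) | Sort-Object   # Scope: assumed property
if ($actual.Count -ne $expected.Count -or (Compare-Object $expected $actual)) {
    Write-Warning ("Scope mismatch for '{0}': got [{1}], expected [{2}]" -f `
        $role.Name, ($actual -join ", "), ($expected -join ", "))
} else {
    "Role '{0}' scoped to: {1}" -f $role.Name, ($actual -join ", ")
}
```

Child host groups inherit the grant automatically (the scope is hierarchical, as described under Available Targets), so the check above deliberately compares the top-level scope objects rather than enumerating every host.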




Self-Service User Roles
Self-service user roles allow users to manage their own virtual machines—that is, virtual machines for which
they are the specified owner—within a restricted environment. Self-service users view, operate, and manage
their virtual machines by using the VMM Self-Service Web Portal. The portal provides a simplified view of only
the virtual machines that the self-service user owns and the operations that are allowed on each virtual
machine. In VMM 2008, self-service users can perform the same operations on the objects within the scope of
their user role in the Windows PowerShell – VMM command shell.






A self-service user role defines the operations that the users can perform on their own virtual machines, the
templates that they can use to create virtual machines, the host groups in which their virtual machines are
deployed, and the library path where the ISO images that they use are stored.

If you have been using virtual machine self-service in VMM 2007, you can automatically convert your existing
self-service policies to user roles, retaining the host group structure under which they are administered, when
you upgrade to VMM 2008. Many self-service features are implemented slightly differently in user roles than in
self-service policies. For a detailed comparison, see Comparison of Self-Service User Roles with Self-Service
Policies.


 Important
 While managing a Hyper-V host, VMM uses the permissions defined in its self-service user roles, not the role-based access
 controls configured in Hyper-V’s own authorization store, to authorize operations on virtual machines. For more information,
 see Hardening Virtual Machine Hosts Managed by VMM.



The following table describes the features of self-service user roles. For information about creating self-service
user roles, see How to Create a Self-Service User Role (http://go.microsoft.com/fwlink/?LinkId=162946).


 Setting         Description
 Profile         A self-service user role can grant members permission to perform any or all of the following
                 operations on the virtual machines that they own:
                   • Create.
                   • Start.
                   • Stop.
                   • Pause and resume.
                   • Checkpoint—Create and remove checkpoints. Restore a virtual machine to a previous
                     checkpoint.
                   • Remove.
                   • Local administrator—Set the local Administrator password while creating a virtual
                     machine, which makes the user an administrator on the virtual machine. If you do not
                     allow this operation, VMM takes the credentials from the SysPrep answer file instead of
                     prompting for them during virtual machine creation.
                   • Remote connection.
                   • Store in library—Allows the user to store unused virtual machines in the VMM library.
                     Virtual machines that are stored in the library do not count against the virtual
                     machine quota.
 Scope           n host groups—Self-service users’ virtual machines are deployed automatically on the most
                 suitable host in the assigned host groups based on the virtual machine’s requirements and
                 the organization’s placement preferences. This is transparent to the user, who does not know
                 where the virtual machine is deployed.
                 1 library path—The library path assigned to a self-service user role serves the following
                 purposes:
                   • Makes ISO images available to role members during virtual machine creation.
                   • Stores virtual machines that role members with the required permission choose to store
                     in the library.
                 Self-service users have Read access to the virtual hard disks and ISO image files used
                 during virtual machine creation, but they are not aware of the location of the files.
 Client access   VMM Administrator Console: No
                 Windows PowerShell – VMM command shell: Yes (within the scope of the self-service user role)
                 VMM Self-Service Portal: Yes
                 Note: To access the VMM Self-Service Portal, an administrator must be added to a
                 self-service user role.




Access to Virtual Machine Resources
To create virtual machines, self-service users use templates that the VMM administrator assigns to the role. To
make ISO images available to self-service users during virtual machine creation, the image files must be stored
on the library path that is specified in the user role.

Self-service users can use these resources only through the Self-Service Portal. They have no other access to
the files unless the administrator grants permissions through the file system.

As an added security measure, self-service users are not aware of which hosts their virtual machines are
deployed on, the location of their virtual machine configuration files, the library path that stores the ISO images
that they use, and their stored virtual machines.


Placing a Quota on Users’ Virtual Machines
To limit the volume of virtual machines that members of a self-service user role can deploy at any one time,
you can configure a quota for a self-service user role.

A virtual machine quota is simply a value that can be assigned to a self-service user role to limit the volume of
virtual machines that role members can deploy at any given time. The quota can apply to all virtual machines
deployed by all role members, or it can apply individually to the virtual machines deployed by each role
member.

Because virtual machines can vary greatly in the resources that they consume on a host, rather than allocate
one quota point for each virtual machine, VMM allows the administrator to assign a specific number of quota
points to each virtual machine template based on its requirements. The points apply against the quota while
any virtual machine based on the template is deployed—regardless of whether it is running—but not while the
virtual machine is stored in the library.


Ownership of Virtual Machines
In virtual machine self-service, a virtual machine has an owner (by default, the user who created the virtual
machine) and a self-service user role (by default, the self-service user role under which the virtual machine was
created).

The virtual machine’s owner is the only person who can see and perform operations on a virtual machine in the
VMM Self-Service Portal.






A self-service user can change the owner of their own virtual machine to any other member of the self-service
user role.

If the owner is a member of more than one self-service user role, the user can change the virtual machine
owner to any member of their other roles if the following requirements are met:

     •    The current owner must belong to the self-service user role that is being assigned.
     •    The virtual machine must be within the scope (host or library path) of that user role.


Sharing Virtual Machines
To enable users to share virtual machines, use a security group to add the users to a self-service user role, and
then specify the group as the owner of the virtual machines you want group members to share. When a group
member creates a virtual machine, the default owner is the person’s user account. However, the user can
reassign ownership to the group. If the virtual machine quota is being applied to individual users, the quota
points assigned to a group-owned virtual machine apply to the individual quotas of all members of the group.
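The self-service settings described above (allowed operations, template, library path, per-user quota, template quota points and group ownership) can be applied together from the VMM command shell. The following script is an added example, not code from the original document or from the VMM product documentation. It assumes the VMM 2008 command shell cmdlets Get-VMHostGroup, Get-Template, Set-Template, New-VMMUserRole, Get-VM and Set-VM; the parameter names -QuotaPoint, -QuotaPerUser, -VMPermission, -AddTemplate and -AddLibraryStoreSharePath and the permission value names are taken from the VMM 2008 cmdlet documentation as the editor recalls it and should be checked with Get-Help on your server; every object, share and account name is a placeholder.

```powershell
# Added example (not from the original document): a least-privilege self-service role with
# a per-user quota, weighted template quota points and a group-owned (shared) VM.
# Assumes the VMM 2008 command shell; parameter names marked "assumed" should be verified
# with Get-Help New-VMMUserRole / Set-Template / Set-VM. All names are placeholders.
Get-VMMServer -ComputerName "vmmserver.contoso.local" | Out-Null

# Scope: the host group the VMs are placed in and the single template members may deploy.
$hostGroup = Get-VMHostGroup | Where-Object { $_.Path -eq "All Hosts\Lab" }    # Path: assumed property
$template  = Get-Template   | Where-Object { $_.Name -eq "W2K8-Lab-Small" }
if (-not $hostGroup) { throw "Host group not found" }
if (-not $template)  { throw "Template not found" }

# Weight the template: each deployed VM built from it costs 2 quota points whether or not
# it is running; a VM stored in the library costs nothing. (-QuotaPoint: assumed name.)
Set-Template -Template $template -QuotaPoint 2 | Out-Null

# Least privilege: LocalAdmin is withheld, so the local Administrator credentials come from
# the SysPrep answer file rather than from the user; Store is withheld because stored VMs
# leave the quota and still consume library disk space.
# (-VMPermission value names, -QuotaPoint and -QuotaPerUser: assumed.)
$role = New-VMMUserRole -Name "Lab Self-Service" `
    -UserRoleProfile SelfServiceUser `
    -Description "Lab team: 10 points per user, one template, no local admin, no library store" `
    -AddMember "CONTOSO\Lab-Team" `
    -AddScope $hostGroup `
    -AddTemplate $template `
    -AddLibraryStoreSharePath "\\lablib01.contoso.local\MSSCVMMLibrary\LabISOs" `
    -VMPermission "Create","Start","Stop","PauseAndResume","Checkpoint","Remove","RemoteConnect" `
    -QuotaPoint 10 -QuotaPerUser

# Share a VM: reassign ownership from its creator to the security group that is the role
# member. With a per-user quota, its 2 points now count against every member of the group.
$vm = Get-VM | Where-Object { $_.Name -eq "lab-build-01" }
if (-not $vm) { throw "VM not found" }
if ($vm.Owner -ne "CONTOSO\Lab-Team") {                       # Owner: assumed property
    Set-VM -VM $vm -Owner "CONTOSO\Lab-Team" | Out-Null        # -Owner: assumed parameter
}
"Role '{0}' created; '{1}' is now owned by CONTOSO\Lab-Team" -f $role.Name, $vm.Name
```

With these settings a member of CONTOSO\Lab-Team can keep at most five VMs from this template deployed at once (10 points at 2 each), and any VM handed to the group counts toward every member's quota, which is the intended cost of sharing.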


Administering Virtual Machine Self-Service
To gain access to the VMM Self-Service Portal, a VMM administrator must be a member of a self-service user
role. VMM administrators can, of course, perform all operations on virtual machines within the scope of their
role in the VMM Administrator Console and in the Windows PowerShell – VMM command shell.


Required Rights and Permissions for VMM Administrative Tasks
The following table is a reference to the rights and permissions, both within and outside System Center Virtual Machine Manager (VMM),
that are required to perform common administrative tasks. Within VMM, role-based security determines the VMM operations that a
person can perform and the objects on which the operations can be performed. For more information, see Role-Based Security in VMM.



 VMM administrative task
     Required rights and permissions

 Install the VMM server
     Domain account that is a member of the local Administrators group.

 Configure a remote instance of SQL Server for the VMM database
     Domain account that is a member of the sysadmin server role on the remote instance of SQL Server.

 Install a VMM Administrator Console
     Member of the local Administrators group on the client computer.

 Use the VMM Administrator Console
     Member of the Administrator role or a Delegated Administrator role in VMM. Delegated administrators see only
     objects within the host groups (and child host groups) and library servers assigned to their role. Members of
     Self-Service User roles do not have access to the VMM Administrator Console.

 Use a Windows PowerShell – Virtual Machine Manager command shell
     Member of any user role in VMM. Delegated administrators perform operations on objects within the scope of
     their role (host groups and their children, and library servers). Members of a self-service user role can
     perform allowed operations on their own virtual machines by using templates assigned to the role and ISO
     images that are stored on the library path assigned to the role.

 Install the VMM Self-Service Portal
     Administrator account on the local computer and a domain account that is a member of the VMM Administrator
     role.

 Log on to the VMM Self-Service Portal
     Member of a Self-Service User role in VMM. VMM administrators do not have access to the Self-Service Portal
     unless they are also members of a self-service user role.
     The VMM Self-Service Portal gives self-service users a restricted view of the virtual machines that they own
     and the operations that their user role allows them to perform. If the role allows virtual machine creation,
     they see only the templates assigned to their role and ISO images stored on the library share assigned to the
     role.

 Install a VMM agent locally on a virtual machine host
     Administrator account on the virtual machine host computer.

 Add a Hyper-V or Virtual Server host
     Domain account that is a member of the Administrator role or a Delegated Administrator role in VMM and that
     also is a member of the local Administrators group on the host. Delegated administrators can add hosts to the
     host groups assigned to their role or to child host groups of those host groups. For more information about
     Delegated Administrator roles, see Role-Based Security in VMM.

 Add a VMware VirtualCenter server
     Domain account that is a member of the Administrator user role in VMM and a member of the local
     Administrators group on the library server.

 Configure security for a managed VMware ESX Server host
     Member of the Administrator role or a Delegated Administrator role in VMM. The domain or local account must
     have virtual machine delegate credentials on the host. Secure mode also requires the following:
       • ESX Server 3i: Encryption using Secure Sockets Layer (SSL) requires certificate authentication.
       • ESX Server 3.5 or ESX Server 3.0.1: Encryption using Secure Shell (SSH) requires RSA public key
         authentication.

 Add a VMM library server
     Domain account that is an Administrator on the library server and is a member of the Administrator role or a
     Delegated Administrator role in VMM.

 Add files to a VMM library share
     Write permission on the library share folder (set outside VMM). To add resources to the VMM library, add the
     files to the library share and then refresh the share in VMM or wait for the next scheduled refresh (by
     default, once per hour).

 Manually refresh a VMM library share or library server
     VMM Administrator role, or a Delegated Administrator role to which the library server is assigned.

 Import VMware templates into the VMM library
     Member of the Administrator role or a Delegated Administrator role in VMM. Security must have been configured
     for the VMware ESX Server host. For delegated administrators, the ESX Server host and destination library
     server must be within the scope of their role.

 Convert a physical server to a virtual machine (P2V)
     Administrator account on the source computer that is a member of the Administrator role or a Delegated
     Administrator role in VMM.

 View and order reports in Reporting view
     Domain account that is a member of the Administrator role or a Delegated Administrator role in VMM and is a
     member of the Report Operator role in System Center Operations Manager 2007.







VMM Ports and Protocols
When you install the System Center Virtual Machine Manager (VMM) server, you can assign some of the ports that it will use for
communications and file transfers between the VMM components. While it is a best security practice to change the default ports, not all of
the ports can be changed through VMM. The default settings for the ports are listed in the following table.



 Connection type
     Protocol; default port; where to change the port setting

 VMM server to VMM agent on Windows Server–based host (control)
     WS-Management; 80; during VMM setup, registry

 VMM server to VMM agent on Windows Server–based host (file transfers)
     HTTPS (using BITS); 443 (maximum value: 32768); registry

 VMM server to remote Microsoft SQL Server database
     TDS; 1433; registry

 VMM server to P2V source agent
     DCOM; 135; registry

 VMM Administrator Console to VMM server
     WCF; 8100; during VMM setup, registry

 VMM Self-Service Portal Web server to VMM server
     WCF; 8100; during VMM setup

 VMM Self-Service Portal to VMM self-service Web server
     HTTPS; 443; during VMM setup

 VMM library server to hosts
     BITS; 443 (maximum value: 32768); during VMM setup, registry

 VMM host-to-host file transfer
     BITS; 443 (maximum value: 32768); registry

 VMRC connection to Virtual Server host
     VMRC; 5900; VMM Administrator Console, registry

 VMConnect (RDP) to Hyper-V hosts
     RDP; 2179; VMM Administrator Console, registry

 Remote Desktop to virtual machines
     RDP; 3389; registry

 VMware Web Services communication
     HTTPS; 443; VMM Administrator Console, registry

 SFTP file transfer from VMware ESX Server 3.0 and VMware ESX Server 3.5 hosts
     SFTP; 22; registry

 File transfer from VMM server to VMware ESX Server 3i hosts
     HTTPS; 443; registry
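The table gives defaults, but the ports a given VMM server actually uses are whatever was set during setup or afterwards in the registry, so a firewall rule should be derived from the server's own configuration and then verified end to end. The following script is an added example, not code from the original document or from the VMM product documentation. It assumes the VMM 2008 server settings key and value names shown (IndigoTcpPort for the WCF port, WSManTcpPort for the WS-Management control port, BITSTcpPort for BITS transfers), which the editor recalls from VMM 2008 installations and which should be confirmed on your server; subnets, host names and rule names are placeholders.

```powershell
# Added example (not from the original document): read the ports this VMM server is
# configured with, restrict the console/portal port to known sources, and probe the
# managed hosts. Run on the VMM server as an administrator. Registry value names are
# assumed (verify with regedit); subnets and host names are placeholders.
$settingsKey = "HKLM:\SOFTWARE\Microsoft\Microsoft System Center Virtual Machine Manager Server\Settings"
$settings = Get-ItemProperty -Path $settingsKey -ErrorAction SilentlyContinue

# Fall back to the documented defaults if a value is absent.
$wcfPort   = [int]$settings.IndigoTcpPort; if (-not $wcfPort)   { $wcfPort   = 8100 }  # console/portal -> VMM server
$wsmanPort = [int]$settings.WSManTcpPort;  if (-not $wsmanPort) { $wsmanPort = 80 }    # VMM server -> host agent (control)
$bitsPort  = [int]$settings.BITSTcpPort;   if (-not $bitsPort)  { $bitsPort  = 443 }   # BITS file transfers
"Configured ports: WCF={0} WS-Management={1} BITS={2}" -f $wcfPort, $wsmanPort, $bitsPort

# Only the Administrator Console subnet and the Self-Service Portal web server need to reach
# the WCF port. Replace the rule so a re-run does not stack duplicates (placeholder sources).
$allowedSources = "10.10.1.0/24,10.10.3.5"
$ruleName = "VMM WCF (console and portal)"
& netsh advfirewall firewall delete rule name="$ruleName" | Out-Null
& netsh advfirewall firewall add rule name="$ruleName" dir=in action=allow protocol=TCP `
    "localport=$wcfPort" "remoteip=$allowedSources" profile=domain | Out-Null

# TCP probe with a timeout; works on hosts where Test-NetConnection is not available.
function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($ar)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# From the VMM server, every managed host must answer on the control and transfer ports;
# a blocked port here shows up later as a failed agent refresh or file transfer.
$managedHosts = @("hv01.contoso.local", "hv02.contoso.local")   # placeholders
foreach ($h in $managedHosts) {
    foreach ($p in @($wsmanPort, $bitsPort)) {
        $state = if (Test-TcpPort -ComputerName $h -Port $p) { "open" } else { "BLOCKED" }
        "{0}:{1} {2}" -f $h, $p, $state
    }
}
```

Run the same probe from a workstation that should not have console access to confirm that the WCF port is closed to it; a successful connect from outside $allowedSources means the rule did not take effect or another rule permits the traffic.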



