
Page 1: Title

Microsoft's Approach To Virtualization Security

Julius Davies, Architectural Technology Specialist, Microsoft

Page 2: Myths And Realities

Myth: Red Pill and Blue Pill programs make virtualization insecure. (Red Pill is a technique for detecting that code is running inside a virtual machine; Blue Pill is a research rootkit that inserts itself as a thin hypervisor beneath a running OS.)
Reality: Security will ultimately enable virtualization.

Myth: Security is the primary driver for desktop virtualization.
Reality: Security will drive more secure server environments.

Page 3: Value Of Infrastructure Integration

Microsoft's integrated, simplified solutions build on a common platform and infrastructure: client OS, server OS and third-party components, with security, access management and identity applied the same way across physical and virtual environments.

Customer benefits: lower cost of ownership, save time, gain greater visibility, protect IT.

From the desktop to the data center, across physical and virtual environments, and covering all virtual elements: application, presentation and hardware.

Page 4: Monolithic Vs. Microkernelized

Virtualization = hypervisor + drivers + virtualization software stack + management interface.

Monolithic hypervisor: includes all virtualization components, including the device drivers. Runs all of that code in the most privileged part of the processor. Patching may be more likely, given how much code is included. (Diagram: hardware, hypervisor containing the drivers, VM 1 (admin), VM 2, VM 3.)

Microkernelized hypervisor: only partitions memory and CPU. Increases reliability and minimizes the trusted computing base. No third-party code in the hypervisor; drivers run within the partitions above it. (Diagram: hardware, hypervisor, VM 1 ("root") holding the virtualization stack and the physical device drivers, VM 2 ("guest") and VM 3 ("guest") with their own drivers.)

Note that the root partition, which hosts the physical device drivers, is still trusted by the hypervisor: a compromise there is a compromise of every guest. Shrinking the hypervisor moves the drivers out of ring -1, but it does not remove the root partition from the trusted computing base.

Page 5: Microsoft's Hypervisor

Very thin layer of software (microkernel): highly reliable; optimized for the hardware virtualization features from Intel and AMD; only runs in the most privileged part of the processor, where the execution context is enforced by the processor.

Minimized attack surface: no drivers, extensible code or third-party code included in Hyper-V; minimal size (only ~600 kilobytes); drivers run in the root partition.

Simplifies management and maintenance: because of the microkernel architecture, the Microsoft hypervisor can be fully updated where needed via Windows Update, replacing the existing installation with a new one rather than patching it in place. The hypervisor update can also be rolled back through the Control Panel.

(Diagram: Windows hypervisor running directly on the server hardware.)

Page 6: Virtualization Stack

What is a root partition? The portion of the hypervisor that has been pushed up and out. The virtualization stack runs within the root partition and manages the guest partitions. Lock it down and minimize its size by using Windows Server 2008 Server Core.

Separation of components by privilege and process.

Code signing helps ensure that the hypervisor has not been modified: before Windows Server 2008 engages Hyper-V through the root partition, it checks that Hyper-V has the proper signature.

(Diagram, by privilege level:)
Root partition, user mode ("Ring 3"): VM worker processes, VM management service, WMI provider.
Root partition, kernel mode ("Ring 0"): Windows kernel (Server Core), virtualization service providers (VSPs), device drivers.
Guest partitions: VM 1, VM 2.
Windows hypervisor ("Ring -1") on server hardware.
Provided by: Windows, third-party ISVs (device drivers), Hyper-V.
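The signature check the slide describes is something an administrator can repeat on the host. The following is an added example, not code from the deck or from Microsoft: it assumes a 64-bit host whose hypervisor images are System32\hvix64.exe (Intel) and hvax64.exe (AMD), Windows PowerShell 5.1 or later so that catalog-signed files resolve, and an elevated prompt. It checks the Authenticode status of each image, requires a Microsoft signer rather than merely a valid chain, and then confirms from the running OS that a hypervisor is actually loaded.

```powershell
# Added example (not from the presentation): verify the on-disk hypervisor
# images are Microsoft-signed and confirm a hypervisor is actually running.
# Assumptions: 64-bit Windows host, hypervisor images named hvix64.exe (Intel)
# and hvax64.exe (AMD) in System32, PowerShell 5.1+, elevated prompt.

$images = @(
    "$env:SystemRoot\System32\hvix64.exe",   # Intel VT-x build of the hypervisor
    "$env:SystemRoot\System32\hvax64.exe"    # AMD-V build of the hypervisor
)

$results = foreach ($path in $images) {
    if (-not (Test-Path -LiteralPath $path)) {
        # Only one of the two images is used on a given CPU, but both ship with
        # Windows; a missing file deserves a look rather than a silent skip.
        [pscustomobject]@{ File = $path; Status = 'Missing'; Signer = $null; Trusted = $false }
        continue
    }
    $sig    = Get-AuthenticodeSignature -LiteralPath $path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
    [pscustomobject]@{
        File    = $path
        Status  = $sig.Status      # 'Valid' is the only acceptable status
        Signer  = $signer
        # A valid chain is necessary but not sufficient: the signer must also be
        # Microsoft, otherwise the image is not the one Windows shipped.
        Trusted = ($sig.Status -eq 'Valid') -and ($signer -like '*O=Microsoft Corporation*')
    }
}
$results | Format-Table -AutoSize

# Confirm a hypervisor is loaded beneath this OS instance. This is also true
# inside a guest, so read it together with the boot entry below.
$hvPresent = (Get-CimInstance -ClassName Win32_ComputerSystem).HypervisorPresent
$launch    = bcdedit /enum '{current}' 2>$null | Select-String 'hypervisorlaunchtype'
$launchCfg = if ($launch) { $launch.Line.Trim() } else { 'hypervisorlaunchtype not set' }
"HypervisorPresent : $hvPresent"
"Boot entry        : $launchCfg"

if ($results | Where-Object { -not $_.Trusted }) {
    Write-Warning 'At least one hypervisor image failed signature verification; treat the root partition as untrusted until it is reimaged.'
}
```

Run it from an elevated prompt on the host. A Status other than Valid, or a Signer that is not Microsoft, means the file on disk is not what Windows shipped; the boot-time check the slide refers to would normally refuse to load such an image, so a mismatch seen here while HypervisorPresent is still True is worth investigating rather than explaining away.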

Page 7: The Complete Architecture

Guest-to-guest isolation mitigates risks: VMs can be configured to communicate only through networks where policies can be enforced; if a guest is compromised, the architecture and the hardware limit the damage.

Enables use of all the management tools for the Windows environment; no need to learn additional tools to manage or secure. Uses all the device drivers for the Windows environment.

Created using Microsoft's Security Development Lifecycle.

Readily enables a security ecosystem via the published VHD standard.

(Diagram: the page 6 layout with the guest side filled in. Each guest partition runs guest applications in user mode ("Ring 3") and, in kernel mode ("Ring 0"), the OS kernel with enlightenments and virtualization service clients (VSCs). The VSCs talk to the VSPs in the root partition over VMBus. Windows hypervisor on server hardware. Provided by: Windows, third-party ISVs, Hyper-V.)

Page 8: Virtualization Attacks

(Diagram: the complete architecture from page 7, with the root partition (VM worker processes, VM management service, WMI provider; Windows kernel, Server Core, VSPs, device drivers), the guest partitions (guest applications; OS kernel, enlightenments, VSCs), VMBus, the Windows hypervisor and the server hardware, annotated with the attack vectors a hacker has against each layer.)

Page 9: Attack Mitigation

Non-interference: guest computations are protected from other guests; guest-to-guest communication is not allowed through VM interfaces.

Separation: separate worker processes per guest; guest-to-parent communications over unique channels.

SDL: threat modeling, penetration testing and secure code review of all components.

Page 10: Best Practices For Securing Hyper-V: Deployment Considerations

Patching the hypervisor: Windows Update.

Managing lots of virtual machines: System Center, policy-driven systems.

Minimize risk to the root partition: use Server Core; don't run arbitrary apps or surf the web from it; run your apps and services in guests; use AzMan to reduce admin privilege; connect the root partition to a back-end management network; expose only guests to internet traffic.

Page 11: Hyper-V Security Features

Network Access Protection with IPsec: control access and enforce compliance for physical and virtual clients based on a consistent policy. Individual health certificates are associated with each virtual client, so compliance can be enforced on a per-virtual-session basis.

Server and domain isolation: enables trusted relationships between devices and dynamically segments the network based on policy. When used with Hyper-V, each virtual machine can be set to communicate only with trusted virtual machines on a network, enforced by IPsec and Active Directory.

Hyper-V also enables creation of virtual LANs for network segmentation within the virtual environment.

Integrated protection: Windows Server 2008 and Windows Vista.
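The deployment guidance on page 10 and the VLAN segmentation on this page are both things a host can be audited for. The script below is an added example, not code from the deck or from Microsoft, and it assumes a more recent platform than the one presented: Windows Server 2012 or later with the Hyper-V PowerShell module (the 2008-era deck relied on AzMan and WMI), the ServerManager module for Get-WindowsFeature, PowerShell 5 or later for the service StartType property, and an elevated prompt on the host. The list of roles that "belong in a guest" and the 45-day patch window are site decisions, not values from the deck.

```powershell
# Added example (not from the presentation): audit a Hyper-V host against the
# deployment guidance on the preceding slides. Assumptions: Windows Server 2012+
# with the Hyper-V PowerShell module, ServerManager module, PowerShell 5+,
# elevated prompt. Role list and patch window are site choices.

Import-Module Hyper-V

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding {
    param([string]$Check, [bool]$Pass, [string]$Detail)
    $findings.Add([pscustomobject]@{ Check = $Check; Pass = $Pass; Detail = $Detail })
}

# 1. Root partition should be Server Core (less code, fewer patches to apply).
$installType = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').InstallationType
Add-Finding 'Root partition is Server Core' ($installType -eq 'Server Core') "InstallationType=$installType"

# 2. Applications belong in guests, not in the root partition: flag server
#    roles that have no business on a hypervisor host (assumed list).
$guestOnlyRoles = @('Web-Server', 'DNS', 'DHCP', 'Print-Services')
$present = Get-WindowsFeature | Where-Object { $_.Installed -and $_.Name -in $guestOnlyRoles }
Add-Finding 'No application roles in root partition' (-not $present) ('Installed: ' + (@($present.Name) -join ', '))

# 3. Management traffic should stay on a back-end network. An external switch
#    that the management OS shares with guest adapters puts root-partition
#    traffic and (possibly internet-facing) guest traffic on the same NIC.
foreach ($sw in Get-VMSwitch | Where-Object { $_.SwitchType -eq 'External' -and $_.AllowManagementOS }) {
    $guestNics = @(Get-VMNetworkAdapter -VMName * | Where-Object { $_.SwitchName -eq $sw.Name })
    Add-Finding "Management OS not shared with guests on '$($sw.Name)'" ($guestNics.Count -eq 0) "Guest adapters: $($guestNics.Count)"
}

# 4. Segmentation inside the virtual environment: every guest adapter should
#    carry a VLAN tag (Access or Trunk mode) rather than sit untagged on a
#    switch shared with other tenants.
foreach ($vlan in Get-VMNetworkAdapterVlan -VMName *) {
    $nic = $vlan.ParentAdapter
    Add-Finding "VLAN set on $($nic.VMName)/$($nic.Name)" ($vlan.OperationMode -ne 'Untagged') "Mode=$($vlan.OperationMode) VlanId=$($vlan.AccessVlanId)"
}

# 5. Hypervisor patching via Windows Update: the service must be able to run,
#    and something should have been installed recently.
$wu = Get-Service -Name wuauserv
Add-Finding 'Windows Update service enabled' ($wu.StartType -ne 'Disabled') "StartType=$($wu.StartType)"
$lastFix = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn | Select-Object -Last 1
$recent  = $lastFix -and ($lastFix.InstalledOn -gt (Get-Date).AddDays(-45))
Add-Finding 'Update installed in last 45 days' ([bool]$recent) "Last: $($lastFix.HotFixID) on $($lastFix.InstalledOn)"

$findings | Format-Table -AutoSize
```

Each check is emitted as an object so the results can be collected centrally rather than read off one console. Two caveats on the VLAN check: a tag applied in the virtual switch is enforced by the root partition beneath the guest, so it is a segmentation control and not a substitute for the IPsec policy the slide pairs it with, and an untagged adapter is only a finding when the switch is actually shared; a dedicated switch per tenant is an equally valid design.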

Page 12: Microsoft Virtualization Products

A comprehensive set of virtualization products, from the data center to the desktop. Assets, both virtual and physical, are managed from a single platform.

Server virtualization; desktop virtualization; presentation virtualization; application virtualization; user state virtualization (folder redirection, offline files).

Page 13: Complementary Security Solutions

A comprehensive line of business security products that helps you gain greater protection and secure access through deep integration and simplified management, covering the client and server OS, server applications and the network edge.

Page 14: An Integrated Security System (vNext)

Management and visibility, and dynamic response, across the network edge, server applications, and the client and server OS.

Page 15: Simplified Management ...

System Center (Virtual Machine Manager): enables management of Hyper-V virtual machines while supporting heterogeneous environments; integrates with Active Directory and other System Center solutions for coordinated management across physical and virtual environments.

Microsoft Identity Lifecycle Manager: provides a single view of a user's identity and its privileges across the heterogeneous enterprise; enables end users to request access to physical and virtual assets through a defined workflow.

Physical environment and virtual environment (Windows Server 2008 and Hyper-V): Authorization Manager (AzMan) for role-based access control.

Page 16: ... And Enabled By Active Directory

Across the different forms of virtualization (hardware: Hyper-V; presentation: Terminal Services; application: Microsoft App Virt), the same building blocks apply: Network Access Protection, server and domain isolation, Forefront security solutions, System Center Virtual Machine Manager and Microsoft Identity Lifecycle Manager, all on top of Active Directory.

Active Directory enables a single identity store for virtualization. Virtual machines based on Hyper-V are treated as files on the file system, so across physical and virtual environments file access can be granted through user groups.
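Because a Hyper-V virtual machine is ultimately a set of files, the effective access boundary around it is the NTFS ACL on its configuration directory and virtual hard disks, and that is worth auditing rather than assuming. The script below is an added example, not code from the deck or from Microsoft: it assumes Windows Server 2012 or later with the Hyper-V PowerShell module and an elevated prompt, and the list of principals that are expected to hold write access is a site decision. It walks each VM's storage paths and reports every Allow ACE that carries a write-class right, flagging principals outside the expected set.

```powershell
# Added example (not from the presentation): a Hyper-V VM is a set of files, so
# the real access boundary is the NTFS ACL on its configuration and disks.
# List every ACE that grants write-class rights and flag principals outside
# the expected set. Assumptions: Hyper-V PowerShell module (Server 2012+),
# elevated prompt; the expected-principal list is a site decision.

Import-Module Hyper-V

# Principals that legitimately hold write access to VM storage. Hyper-V also
# grants the VM's own virtual machine SID (NT VIRTUAL MACHINE\<GUID>) on its files.
$expected = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')

# Access-mask bits that let a principal alter the VM: write data, append data,
# delete, change permissions, take ownership, plus the generic write/all bits
# that appear as raw numbers in inherited ACEs.
$writeMask = 0x2 -bor 0x4 -bor 0x10000 -bor 0x40000 -bor 0x80000 -bor 0x40000000 -bor 0x10000000

function Get-VmStorageWriters {
    $out = foreach ($vm in Get-VM) {
        $paths = @($vm.ConfigurationLocation) +
                 @(Get-VMHardDiskDrive -VMName $vm.Name | Select-Object -ExpandProperty Path)
        foreach ($p in ($paths | Where-Object { $_ -and (Test-Path -LiteralPath $_) })) {
            $acl = Get-Acl -LiteralPath $p
            foreach ($ace in $acl.Access) {
                if ($ace.AccessControlType -ne 'Allow') { continue }
                $rights = [int]$ace.FileSystemRights
                if (($rights -band $writeMask) -eq 0) { continue }
                $who = $ace.IdentityReference.Value
                [pscustomobject]@{
                    VM         = $vm.Name
                    Path       = $p
                    Identity   = $who
                    Rights     = $ace.FileSystemRights
                    Inherited  = $ace.IsInherited
                    Unexpected = -not (($expected -contains $who) -or ($who -like 'NT VIRTUAL MACHINE\*'))
                }
            }
        }
    }
    $out
}

$writers = Get-VmStorageWriters
$writers | Sort-Object Unexpected -Descending | Format-Table VM, Identity, Rights, Inherited, Unexpected -AutoSize
$bad = @($writers | Where-Object Unexpected)
if ($bad.Count -gt 0) {
    Write-Warning "$($bad.Count) ACE(s) grant write access to VM storage outside the expected principals."
}
```

Inherited ACEs are reported as well as explicit ones, since a permissive ACL on the parent folder is the usual way a VHD ends up writable by a broad group. Anyone who can write a guest's VHD can alter that guest's disk offline, which is why this list is the virtual-environment equivalent of the list of people with physical access to a server.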

Page 17: Summary

• Security is an enabler of virtualization.
• Many things are similar in securing the virtual environment, but there are key considerations.
• Microsoft is delivering an integrated, simplified approach to IT security across physical and virtual environments:
  Secure computing platform: Hyper-V's architecture.
  Integrated protection: Windows Server 2008 plus complementary Microsoft solutions (Terminal Services, SoftGrid, Forefront).
  Simplified management: Hyper-V + System Center + Identity Lifecycle Manager + tools and guidance.
• Customers at every stage of IT maturity can use this approach through Core IO guidance.

Page 18: For More Information

• Virtualization: www.microsoft.com/virtualization
• Windows Server: www.microsoft.com/windowsserver
• Forefront: www.microsoft.com/forefront
• Identity & Access: www.microsoft.com/ida
• System Center: www.microsoft.com/systemcenter

Page 19: Legal

© 2008 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.

The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.