Chapter 3. Configuring Virtual Machine Security
In this chapter, we will cover the following recipes:
- Configuring administrative access options
- Securing the guest OS
- Configuring virtual machine hardening
- Configuring virtual machine resource isolation
- Configuring the standard image templates
- Managing snapshots
Securing the guest OS
A VM and its associated guest operating system should be treated the same as a physical machine with regard to a proper security stance given the location and the function of the machine. Standard practices including up-to-date antivirus, anti-malware, and firewall rules should all be implemented. The lack of standard security practices often makes VMs an easy target for attackers. However, vShield Endpoint provides the offloading of traditional AV from each guest OS to a specialized appliance that runs at the hypervisor level. We'll configure vShield Endpoint and a third-party AV solution in a later chapter.
Getting ready
The ease with which a user can provision a VM often leads to that machine being used without the user taking the time to install proper antivirus software. Ideally, a template will be created, and this image will include the requisite security software before the actual VM is created. By utilizing such a template, any VM created is secure by default in its initial configuration.
How to do it…
In order to install antivirus software, follow the instructions provided by the particular vendor. Typically, a software installation requires elevated user permissions. A specific example of a firewall configuration is given in the following section.
Configuring the Windows 7 guest OS security
A typical enterprise workstation will be domain joined. In most cases, this workstation will have the built-in firewall disabled, unless the infrastructure is highly optimized; in that case, the firewalls are configured to account for the various applications and unique network settings. The Windows 7 firewall should be turned on by default unless a specific deployment scenario requires unrestricted access to the VM.
Getting ready
In order to proceed with this set of steps, we must be logged in to vSphere Web Client with a user account in the administrators group. There must also be a VM in the inventory to perform the configuration steps.
How to do it…
Perform the following steps:
- Navigate to the VMs and Templates view.
- Select a VM.
- Click on Launch Console in the Summary tab.
- Log in to the guest Windows 7 operating system.
- Right-click on the network icon from the lower-right notification area.
- Select Open Network and Sharing Center.
- Select Windows Firewall from the lower-left corner of the network information screen.
- Verify that Windows Firewall is enabled, as shown in the following screenshot:
Tip
Windows Firewall can also be enabled and disabled by using the netsh.exe command via the command line. To enable the firewall, we can use Netsh firewall set opmode enable, and to disable it, we can use Netsh firewall set opmode disable.
How it works…
In previous versions of Windows, the firewall functionality was often turned off by users or administrators to cut down on helpdesk calls caused by frequently blocked applications. The Windows 7 firewall's default action notifies the user when a port required by an application is being blocked and allows the user to open that port through the firewall. As you can imagine, this is not a secure-by-default stance, which is why the firewall is controlled by the domain administrator via a group policy in most cases.
To create a highly secure Windows 7 VM template, start with the Microsoft Security Compliance Manager (SCM). This tool provides local security policy templates based on best practices to secure not only Windows 7, but also commonly deployed Windows client and server configurations.
Configuring the Windows Server 2008 R2 guest OS security
In addition to a firewall and antivirus on the guest operating system, remote access is likely needed beyond the use of the vCenter console for administrators of the VM. As an example, Windows Server 2008 R2 offers additional security options when establishing a desktop connection.
Getting ready
In order to proceed with this set of steps, we must be logged in to vSphere Web Client with a user account in the administrators group. There also must be a VM in the inventory to perform the configuration steps.
How to do it…
Similar to Windows 7, the Windows Server 2008 R2 Remote Desktop Protocol connection supports Network Level Authentication (NLA), which is always recommended. Most Windows options, including selecting NLA for remote desktop connections, will make the proper changes to the local firewall policy to enable the desired functionality. Perform the following steps to configure NLA:
- Navigate to the VMs and Templates view.
- Select a VM.
- Click Launch Console in the Summary tab.
- Log in to the guest Windows 2008 R2 operating system.
- Open the Start menu, right-click on the Computer object, and select Properties.
- Select Remote Settings from the configuration options on the left-hand side of the screen.
- Select the NLA option, as shown in the following screenshot:
When selecting users for a remote desktop, it is recommended to provide a group of users instead of individual users if at all possible for easy manageability.
How it works…
The NLA setting requires a client that supports it. A user is authenticated prior to being served a logon screen by the server. This reduces the likelihood of a denial of service attack taking down the server.
The server manager provides a quick overview of key security settings, specifically the firewall status and enhanced security configuration, which is on by default. This is shown in the following screenshot:
Windows 2008 R2 and higher also include a security configuration wizard that will assist in configuring local policies in a secure manner based on the roles and features installed in the operating system.
Both the host-based firewall and the Enhanced Security Configuration (ESC) within the Windows server provide separate security controls, which can be used as part of a defense-in-depth strategy to provide multiple barriers to attackers from within or outside the organization boundary.
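The following PowerShell script is an added example, not code from the book, that audits a Windows 7 or Windows Server 2008 R2 guest for the settings covered by the two preceding recipes: a firewall that is enabled for every profile and Remote Desktop that requires NLA. It assumes an elevated session inside the guest and reads the standard registry locations for these settings; the firewall remediation uses the netsh advfirewall context rather than the older netsh firewall command shown in the tip.

```powershell
# Added example (not from the book): audit a Windows 7 / Server 2008 R2 guest for
# (1) Windows Firewall enabled on the Domain, Private (Standard) and Public profiles
# (2) Remote Desktop requiring Network Level Authentication when RDP is allowed.
# Run in an elevated PowerShell session inside the guest. Read-only unless -Enforce.
param([switch]$Enforce)

$fwBase = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'
$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey = "$tsKey\WinStations\RDP-Tcp"

$findings = @()

# Firewall: EnableFirewall must be 1 under each profile key.
foreach ($fwProfile in 'DomainProfile', 'StandardProfile', 'PublicProfile') {
    $on = (Get-ItemProperty -Path "$fwBase\$fwProfile" -Name EnableFirewall `
            -ErrorAction SilentlyContinue).EnableFirewall
    if ($on -ne 1) { $findings += "Windows Firewall is OFF for $fwProfile" }
}

# Remote Desktop: fDenyTSConnections=0 means RDP is allowed;
# UserAuthentication=1 on the RDP-Tcp listener means NLA is required.
$rdpAllowed = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections `
                -ErrorAction SilentlyContinue).fDenyTSConnections -eq 0
$nla = (Get-ItemProperty -Path $rdpKey -Name UserAuthentication `
         -ErrorAction SilentlyContinue).UserAuthentication
if ($rdpAllowed -and $nla -ne 1) {
    $findings += 'Remote Desktop is enabled without Network Level Authentication'
}

if ($findings.Count -eq 0) {
    Write-Output 'PASS: firewall on for all profiles; RDP requires NLA (or RDP is disabled)'
} else {
    $findings | ForEach-Object { Write-Output "FAIL: $_" }
    if ($Enforce) {
        # Remediate with the built-in tools; a domain GPO may later override these.
        netsh advfirewall set allprofiles state on | Out-Null
        if ($rdpAllowed) {
            Set-ItemProperty -Path $rdpKey -Name UserAuthentication -Value 1 -Type DWord
        }
        Write-Output 'Remediated; re-run without -Enforce to verify'
    }
}
```

Because these values are commonly managed by group policy, treat a FAIL on a domain-joined VM as a sign that the policy is missing or not applied, and fix it at the GPO level rather than only on the one guest.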
There's more…
Antivirus software and proper firewall configurations are two of the core methods to keep a VM protected against threats from both virtual and physical networks alike. There are multiple ways to implement both these types of protection, and additional forms of defense should also be implemented as a rule.
Virtual machine antivirus
Basic protection against viruses and malware has become standard in today's modern computing environments. The key differences in the virtual environment include the scheduling of antivirus scans. With physical machines, hardware was separate and concurrent scans occurring at a certain hour were not an issue on the workstation or server. In a virtual environment where resources are shared, concurrent scans can potentially cripple the host given enough load.
Ideally, antivirus can be offloaded to the hypervisor where it is much less resource intensive. vShield Endpoint provides this capability for third-party antivirus vendors. See Chapter 10, Configuring vShield Endpoint, for more information on this.
Firewalls
Host-based firewalls are common on most current Windows client and server operating systems. While host-based firewalls are not always necessary and in some cases will generate issues with applications when not configured correctly, they are recommended as a protection layer in the defense-in-depth framework.
The location of the VM must be considered when setting up the firewall. For example, if the VM is connected to both an internal network and a Demilitarized Zone (DMZ) network, the firewall settings will be very different than a VM on an internal only network behind a firewall. As always, basic risk management should be applied to all the components of the virtual environment.
For a virtual firewall solution, refer to Chapter 9, Configuring vShield Edge.
See also
- Find out more about Security Compliance Manager at http://technet.microsoft.com/en-us/solutionaccelerators/cc835245.aspx