Security Basics for VMM


Role-Based Security in SCVMM (page 2)

Available Targets (page 2)

Role Types in VMM (page 3)

Administrator Role (page 4)

Delegated Administrator Roles (page 4)

Self-Service User Roles (page 5)

Access to Virtual Machine Resources (page 7)

Placing a Quota on Users’ Virtual Machines (page 7)

Ownership of Virtual Machines (page 7)

Sharing Virtual Machines (page 8)

Administering Virtual Machine Self-Service (page 8)

Required Rights and Permissions for VMM Administrative Tasks (page 8)

VMM Ports and Protocols (page 10)

/ Available Targets Page 1


Role-Based Security in SCVMM

Beginning with System Center Virtual Machine Manager (VMM) 2008, VMM implements role-based security to provide finer control over who can do what within the virtualized environment. This security model supports delegated administration, which was not available in VMM 2007. Self-service user roles replace the self-service policies that were used to administer virtual machine self-service in VMM 2007.

A user role defines a set of operations (grouped in a profile) that can be performed on a selected set of objects (defined by the user role’s scope). Within that framework, an organization can create delegated administrator roles that allow, for example, a high-level administrator to manage all operations in a New York office, a specialized administrator to manage all library servers, or an advanced user to set up complex virtual environments within a single lab. An organization also can create self-service user roles that allow users to perform a specified set of operations on their own virtual machines.

A user role consists of the following parts:

A profile defines the set of available operations that a role member can perform.

The scope defines the set of objects that the operations can target.

The membership list specifies the Active Directory user accounts and security groups that are assigned to the role.

Important

When you add a Hyper-V host to VMM 2008 R2, VMM preserves changes to role definitions and role memberships in the root scope of the Hyper-V authorization store. The VMM agent overwrites all changes to other scopes. As a result, while a Hyper-V host is managed by VMM 2008 R2, access is determined by the union of all roles in the root scope plus the VMM role assigned to each virtual machine’s scope.

This is a change from the way that VMM 2008 handles Hyper-V role definitions and scopes. When a Hyper-V host is added to VMM 2008, VMM creates its own authorization store without importing any role and membership settings from initialstore.xml on the Hyper-V computer, and then updates the registry so that Hyper-V points to the VMM authorization store.

For more information, see the security considerations for Hyper-V hosts in Hardening Virtual Machine Hosts Managed by VMM.

Available Targets

In role-based security, dynamic collections of instances of objects (such as hosts or virtual machines), known as groups, determine the available targets for a particular operation that a user performs. For example, when a user attempts to start a virtual machine, VMM first checks whether the user has permission to perform the Start action on virtual machines and then verifies that the user has the right to start the selected virtual machine.

These groups are hierarchical: providing access to a particular instance provides access to all instances contained in that instance. For example, providing access to a host group provides access to all hosts within the host group and to all virtual networks on the hosts.

The following illustration shows the hierarchy of instances within the groups that apply to VMM user roles.

When a user role provides access to an instance in the outer ring, it automatically provides access to all instances in the inner rings. Virtual machines are pictured separately because the flow of access works somewhat differently for them. For all administrator roles, host group rights flow to all virtual machines that are deployed on the hosts. However, that is not true for members of self-service user roles. The rights of self-service users are limited to virtual machines that they own.

Group hierarchies for role-based security

Role Types in VMM

The following user role types, based on profiles of the same name, are defined for VMM:

Administrator role—Members of the Administrator role can perform all VMM actions on all objects that are managed by the VMM server. Only one role can be associated with this profile. At least one administrator should be a member of the role.

Delegated Administrator role—Members of a role based on the Delegated Administrator profile have full VMM administrator rights, with a few exceptions, on all objects in the scope defined by the host groups and library that are assigned to the role. A delegated administrator cannot modify VMM settings or add or remove members of the Administrator role.

Self-Service User role—Members of a role based on the Self-Service User profile can manage their own virtual machines within a restricted environment. Self-service users use the VMM Self-Service Web Portal to manage their virtual machines. The portal provides a simplified view of only the virtual machines that the user owns and the operations that the user is allowed to perform on them. A self-service user role specifies the operations that members can perform on their own virtual machines (these can include creating virtual machines) and the templates and ISO image files that they can use to create virtual machines. The user role also can place a quota on the virtual machines that a user can deploy at any one time. Self-service users’ virtual machines are deployed transparently on the most suitable host in the host group that is assigned to the user role.

VMM does not support the creation of custom user profiles.

Users can be a member of more than one user role, in which case VMM grants them the rights associated with all their roles.
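The two-step access check described under Available Targets (operation in the profile, then target within the scope), the different flow of host group rights for administrator and self-service profiles, and the union of rights across a user's roles, written out as a small model. This is an added example, not VMM's own code; the hosts, host groups, users and role names are constructed for illustration.

```python
"""Model of the VMM authorization rules described on this page (constructed
example, not VMM code). A role is a profile, a scope and a membership list.
Scope is hierarchical (host group -> child host groups -> hosts -> VMs) for
the administrator profiles; self-service members reach only VMs they own,
directly or through a security group. Rights from several roles are unioned."""
from dataclasses import dataclass, field

# Operations an administrator profile can perform on a virtual machine (subset).
VM_ADMIN_OPS = frozenset({"Create", "Start", "Stop", "Migrate", "Remove", "Checkpoint"})


@dataclass(frozen=True)
class Host:
    name: str
    host_group: str        # path, e.g. r"All Hosts\NewYork\Lab"


@dataclass(frozen=True)
class VM:
    name: str
    host: str              # host the VM is deployed on
    owner: str             # user account or security group


@dataclass
class Role:
    name: str
    profile: str           # "Administrator", "DelegatedAdministrator", "SelfServiceUser"
    members: set           # Active Directory users and security groups
    host_groups: set = field(default_factory=set)
    permitted_ops: set = field(default_factory=set)   # self-service roles only


def in_host_group(host, host_group):
    """A host group scope covers the group itself and all of its child host groups."""
    return host.host_group == host_group or host.host_group.startswith(host_group + "\\")


class VmmAuth:
    def __init__(self, hosts, vms, roles, group_members):
        self.hosts = {h.name: h for h in hosts}
        self.vms = {v.name: v for v in vms}
        self.roles = roles
        self.group_members = group_members   # security group -> set of users

    def principals(self, user):
        """The user plus every security group the user belongs to."""
        return {user} | {g for g, ms in self.group_members.items() if user in ms}

    def profile_ops(self, role):
        if role.profile in ("Administrator", "DelegatedAdministrator"):
            return VM_ADMIN_OPS
        return frozenset(role.permitted_ops)

    def in_scope(self, role, vm, user):
        if role.profile == "Administrator":
            return True                                   # all objects on the VMM server
        host = self.hosts[vm.host]
        if role.profile == "DelegatedAdministrator":
            # Host group rights flow down to every VM deployed on hosts in the group.
            return any(in_host_group(host, hg) for hg in role.host_groups)
        # Self-service: host group rights do not flow to VMs; only owned VMs are reachable.
        return vm.owner in self.principals(user)

    def can(self, user, op, vm_name):
        """Step 1: the profile permits the operation. Step 2: the target is in scope.
        Any single role that passes both steps grants the right (union across roles)."""
        vm = self.vms[vm_name]
        principals = self.principals(user)
        for role in self.roles:
            if role.members & principals and op in self.profile_ops(role):
                if self.in_scope(role, vm, user):
                    return True
        return False


def sample_auth():
    """Constructed environment: a New York delegated admin and a lab self-service role."""
    hosts = [Host("ny1", r"All Hosts\NewYork"), Host("lab1", r"All Hosts\NewYork\Lab"),
             Host("lon1", r"All Hosts\London")]
    vms = [VM("vm-a", "lab1", "alice"), VM("vm-b", "lon1", "bob"), VM("vm-g", "lab1", "LabUsers")]
    roles = [Role("Administrator", "Administrator", {"root"}),
             Role("NY Admins", "DelegatedAdministrator", {"nyadmin", "dave"}, {r"All Hosts\NewYork"}),
             Role("Lab Self-Service", "SelfServiceUser", {"LabUsers"}, {r"All Hosts\NewYork\Lab"},
                  {"Start", "Stop"})]
    return VmmAuth(hosts, vms, roles, {"LabUsers": {"alice", "carol", "dave"}})
```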

The following illustration shows a simple schema for delegating administration within a virtualized environment that supports virtual machine self-service.


Sample topology for delegated administration

Administrator Role

Members of the Administrator role can perform all VMM actions on all hosts, library servers, and virtual machines that are managed by the VMM server. The actions and scope cannot be changed.

To add members to the Administrator role, expand the User Roles node in Administration view of the VMM Administrator Console, right-click Administrator in the list, and then click Properties.

The following table summarizes the features of the Administrator role.

Profile: All VMM operations.

Scope: All objects managed by the VMM server.

Client access: VMM Administrator Console: Yes. Windows PowerShell – VMM command shell: Yes. VMM Self-Service Portal: No.

Delegated Administrator Roles


A delegated administrator role assigns broad administrator rights within a scope that is defined by host groups and library servers assigned to the role. The efficiency with which you delegate administration in VMM depends on careful planning of the host groups and library servers within your virtualized environment. For information about creating Delegated Administrator roles, see How to Create a Delegated Administrator User Role (http://go.microsoft.com/fwlink/?LinkId=162941).

The following table describes the features of delegated administrator roles.

Profile: The Delegated Administrator profile allows the following operations on objects within the scope of the user role. These operations cannot be changed.

View, create, and manage host groups, hosts, and virtual networks within the scope of their user role.

Create, view, modify, and migrate virtual machines within the scope of their user role.

Add library servers to VMM.

Manage virtual machine resources on all specified library shares on library servers within the scope of the user role.

Create user roles within the scope of their user role.

View, modify, or remove user roles that they created.

Perform all administrator operations within the scope of their user role except for the following operations:

Cannot view, modify, or remove user roles created by members of the Administrator user role or by other members of a Delegated Administrator user role.

Cannot modify global VMM settings or System Center settings in VMM.

Scope:

Host groups: Administrator rights on all objects within host groups, hosts, and virtual networks contained in the assigned host groups. This includes virtual hard disks, virtual network adapters, SCSI adapters, and so forth configured on virtual machines on the hosts.

Library servers: Virtual hard disks, virtual floppy disks, ISO image files, Windows PowerShell scripts, SysPrep answer files, and VMware templates stored on all library shares on the library servers.

Client access: VMM Administrator Console: Yes. Windows PowerShell – VMM command shell: Yes. VMM Self-Service Portal: No.

Note

To access the VMM Self-Service Portal, an administrator must be added to a self-service user role.

Self-Service User Roles

Self-service user roles allow users to manage their own virtual machines—that is, virtual machines for which they are the specified owner—within a restricted environment. Self-service users view, operate, and manage their virtual machines by using the VMM Self-Service Web Portal. The portal provides a simplified view of only the virtual machines that the self-service user owns and the operations that are allowed on each virtual machine. In VMM 2008, self-service users can perform the same operations on the objects within the scope of their user role in the Windows PowerShell – VMM command shell.


A self-service user role defines the operations that the users can perform on their own virtual machines, the templates that they can use to create virtual machines, the host groups in which their virtual machines are deployed, and the library path where the ISO images that they use are stored.

If you have been using virtual machine self-service in VMM 2007, you can automatically convert your existing self-service policies to user roles, retaining the host group structure under which they are administered, when you upgrade to VMM 2008. Many self-service features are implemented slightly differently in user roles than in self-service policies. For a detailed comparison, see Comparison of Self-Service User Roles with Self-Service Policies.

Important

While managing a Hyper-V host, VMM uses the permissions in the self-service user profiles instead of the role-based access controls that are configured in Hyper-V to authorize operations on virtual machines. For more information, see Hardening Virtual Machine Hosts Managed by VMM.

The following table describes the features of self-service user roles. For information about creating self-service user roles, see How to Create a Self-Service User Role (http://go.microsoft.com/fwlink/?LinkId=162946).

Profile: A self-service user role can grant members permission to perform any or all of the following operations on the virtual machines that they own:

Create.

Start.

Stop.

Pause and resume.

Checkpoint: Create and remove checkpoints. Restore a virtual machine to a previous checkpoint.

Remove.

Local administrator: Set the local Administrator password while creating a virtual machine, which enables the user to be an administrator on the virtual machine. If you do not allow this operation, VMM takes the credentials from the SysPrep answer file instead of prompting for them during virtual machine creation.

Remote connection.

Store in library: Allows the user to store unused virtual machines in the VMM library. Virtual machines that are stored in the library do not count against the virtual machine quota.

Scope:

Host groups: Self-service users’ virtual machines are deployed automatically on the most suitable host in the assigned host groups based on the virtual machine’s requirements and the organization’s placement preferences. This is transparent to the user, who does not know where the virtual machine is deployed.

Library path: The library path assigned to a self-service user role serves two purposes. It makes ISO images available to role members during virtual machine creation, and it stores virtual machines that role members with the required permission choose to store in the library. Self-service users have Read access to the virtual hard disks and ISO image files used during virtual machine creation, but they are not aware of the location of the files.

Client access: VMM Administrator Console: No. Windows PowerShell – VMM command shell: Yes (within the scope of the self-service user role). VMM Self-Service Portal: Yes.

Note

To access the VMM Self-Service Portal, an administrator must be added to a self-service user role.

Access to Virtual Machine Resources

To create virtual machines, self-service users use templates that the VMM administrator assigns to the role. To make ISO images available to self-service users during virtual machine creation, the image files must be stored on the library path that is specified in the user role.

Self-service users can use these resources only through the Self-Service Portal. They have no other access to the files unless the administrator grants permissions through the file system.

As an added security measure, self-service users are not aware of which hosts their virtual machines are deployed on, the location of their virtual machine configuration files, the library path that stores the ISO images that they use, and their stored virtual machines.

Placing a Quota on Users’ Virtual Machines

To limit the volume of virtual machines that members of a self-service user role can deploy at any one time, you can configure a quota for a self-service user role.

A virtual machine quota is simply a value that can be assigned to a self-service user role to limit the volume of virtual machines that role members can deploy at any given time. The quota can apply to all virtual machines deployed by all role members, or it can apply individually to the virtual machines deployed by each role member.

Because virtual machines can vary greatly in the resources that they consume on a host, rather than allocate one quota point for each virtual machine, VMM allows the administrator to assign a specific number of quota points to each virtual machine template based on its requirements. The points apply against the quota while any virtual machine based on the template is deployed—regardless of whether it is running—but not while the virtual machine is stored in the library.

Ownership of Virtual Machines

In virtual machine self-service, a virtual machine has an owner (by default, the user who created the virtual machine) and a self-service user role (by default, the self-service user role under which the virtual machine was created).

The virtual machine’s owner is the only person who can see and perform operations on a virtual machine in the VMM Self-Service Portal.


A self-service user can change the owner of his own virtual machine to any other member of the self-service user role.

If the owner is a member of more than one self-service user role, the user can change the virtual machine owner to any member of his other roles if the following requirements are met:

The current owner must belong to the self-service user role that is being assigned.

The virtual machine must be within the scope (host or library path) of that user role.

Sharing Virtual Machines

To enable users to share virtual machines, use a security group to add the users to a self-service user role, and then specify the group as the owner of the virtual machines you want group members to share. When a group member creates a virtual machine, the default owner is the person’s user account. However, the user can reassign ownership to the group. If the virtual machine quota is being applied to individual users, quota points assigned to a group-owned virtual machine apply to the individual quotas of all members of the group.
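The quota rules from Placing a Quota on Users’ Virtual Machines and the group-ownership rule just described, worked through as a model: template points count while a virtual machine is deployed (running or not), stop counting once it is stored in the library, and a group-owned virtual machine counts against every group member's individual quota. This is an added example, not VMM's own code; the templates, point values, users and role are constructed.

```python
"""Model of self-service VM quotas as this page describes them (constructed
example, not VMM code). The administrator assigns quota points per template;
a VM's points count while it is deployed on a host, running or not, and stop
counting while it is stored in the library. A role quota applies either to all
members together or to each member individually; a group-owned VM counts
against the individual quota of every group member."""
from dataclasses import dataclass, replace

# Quota points per template, as set by the administrator (constructed values).
TEMPLATE_POINTS = {"Small": 1, "Large": 4}


@dataclass(frozen=True)
class VM:
    name: str
    template: str
    owner: str          # user account or security group
    state: str          # "Running", "Stopped" or "Stored" (in the library)


@dataclass
class SelfServiceRole:
    name: str
    members: set        # user accounts and security groups
    quota_points: int
    per_user: bool      # True: the quota applies to each member individually


def store_in_library(vm):
    """Store in library: the VM stays owned but stops counting against the quota."""
    return replace(vm, state="Stored")


def points_in_use(vms, owners):
    """Points of deployed (not stored) VMs owned by any of the given principals."""
    return sum(TEMPLATE_POINTS[v.template] for v in vms
               if v.state != "Stored" and v.owner in owners)


def can_deploy(role, user, template, vms, group_members):
    """Return (allowed, points in use before, points in use after) for a new VM."""
    if role.per_user:
        # The user's own VMs plus VMs owned by any security group the user belongs to.
        owners = {user} | {g for g, ms in group_members.items() if user in ms}
    else:
        # Shared quota: every role member, with security groups expanded to their users.
        owners = set(role.members)
        for m in role.members:
            owners |= group_members.get(m, set())
    used = points_in_use(vms, owners)
    after = used + TEMPLATE_POINTS[template]
    return after <= role.quota_points, used, after


def sample_state():
    """Constructed environment: a lab role with a six-point quota applied per user."""
    group_members = {"LabUsers": {"alice", "carol"}}
    vms = [VM("vm-a", "Large", "alice", "Running"),
           VM("vm-b", "Small", "alice", "Stored"),      # in the library: counts nothing
           VM("vm-g", "Small", "LabUsers", "Stopped")]  # group-owned, deployed, counts
    role = SelfServiceRole("Lab Self-Service", {"LabUsers"}, quota_points=6, per_user=True)
    return role, vms, group_members
```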

Administering Virtual Machine Self-Service

To gain access to the VMM Self-Service Portal, a VMM administrator must be a member of a self-service user role. VMM administrators can, of course, perform all operations on virtual machines within the scope of their role in the VMM Administrator Console and in Windows PowerShell – VMM.

Required Rights and Permissions for VMM Administrative Tasks

The following table is a reference to the rights and permissions, both within and outside System Center Virtual Machine Manager (VMM), that are required to perform common administrative tasks. Within VMM, role-based security determines the VMM operations that a person can perform and the objects on which the operations can be performed. For more information, see Role-Based Security in VMM.

VMM Administrative Task: Required Rights and Permissions

Install the VMM server: Domain account that is a member of the local Administrators group.

Configure a remote instance of SQL Server for the VMM database: Domain account that is a member of the sysadmin server role on the remote instance of SQL Server.

Install a VMM Administrator Console: Member of the local Administrators group on the client computer.

Use the VMM Administrator Console: Member of the Administrator role or a Delegated Administrator role in VMM. Delegated administrators see only objects within the host groups (and child host groups) and library servers assigned to their role. Members of Self-Service User roles do not have access to the VMM Administrator Console.

Use a Windows PowerShell – Virtual Machine Manager command shell: Member of any user role in VMM. Delegated administrators perform operations on objects within the scope of their role (host groups and their children, and library servers). Members of a self-service user role can perform allowed operations on their own virtual machines by using templates assigned to the role and ISO images that are stored on the library path assigned to the role.

Install the VMM Self-Service Portal: Administrator account on the local computer and a domain account that is a member of the VMM Administrator role.

Log on to the VMM Self-Service Portal: Member of a Self-Service User role in VMM. VMM administrators do not have access to the Self-Service Portal. The VMM Self-Service Portal gives self-service users a restricted view of the virtual machines that they own and the operations that their user role allows them to perform. If the role allows virtual machine creation, they see only the templates assigned to their role and ISO images stored on the library share assigned to the role.

Install a VMM agent locally on a virtual machine host: Administrator account on the virtual machine host computer.

Add a Hyper-V or Virtual Server host: Domain account that is a member of the Administrator role or a Delegated Administrator role in VMM and that also is a member of the local Administrators group on the host. Delegated administrators can add hosts to the host groups assigned to their role or child host groups of those host groups. For more information about Delegated Administrator roles, see Role-Based Security in VMM.

Add a VMware VirtualCenter server: Domain account that is a member of the Administrator user role in VMM and a member of the local Administrators group on the library server.

Configure security for a managed VMware ESX Server host: Member of the Administrator role or a Delegated Administrator role in VMM. Domain or local account must have virtual machine delegate credentials on the host. Secure mode also requires the following. ESX Server 3i: Encryption using Secure Sockets Layer (SSL) requires certificate authentication. ESX Server 3.5 or ESX Server 3.0.1: Encryption using Secure Shell (SSH) requires RSA public key authentication.

Add a VMM library server: Domain account that is an Administrator on the library server and is a member of the Administrator role or a Delegated Administrator role in VMM.

Add files to a VMM library share: Write permission on the library share folder (set outside VMM). To add resources to the VMM library, add the files to the library share and then refresh the share in VMM or wait for the next scheduled refresh (by default, once per hour).

Manually refresh a VMM library share or library server: VMM Administrator role or a Delegated Administrator role to which the library server is assigned.

Import VMware templates into the VMM library: Member of the Administrator role or a Delegated Administrator role in VMM. Security must have been configured for the VMware ESX Server host. For delegated administrators, the ESX Server host and destination library server must be within the scope of their role.

Convert a physical server to a virtual machine (P2V): Administrator account on the source computer that is a member of the Administrator role or a Delegated Administrator role in VMM.

View and order reports in Reporting view: Domain account that is a member of the Administrator role or a Delegated Administrator role in VMM and is a member of the Report Operator role in System Center Operations Manager 2007.


VMM Ports and Protocols

When you install the System Center Virtual Machine Manager (VMM) server, you can assign some of the ports that it will use for communications and file transfers between the VMM components. While it is a best security practice to change the default ports, not all of the ports can be changed through VMM. The default settings for the ports are listed in the following table.

Each entry gives the connection type, the protocol, the default port, and where the port setting can be changed.

VMM server to VMM agent on Windows Server-based host (control)
Protocol: WS-Management. Default port: 80. Where to change: during VMM setup, registry.

VMM server to VMM agent on Windows Server-based host (file transfers)
Protocol: HTTPS (using BITS). Default port: 443 (maximum value: 32768). Where to change: registry.

VMM server to remote Microsoft SQL Server database
Protocol: TDS. Default port: 1433. Where to change: registry.

VMM server to P2V source agent
Protocol: DCOM. Default port: 135. Where to change: registry.

VMM Administrator Console to VMM server
Protocol: WCF. Default port: 8100. Where to change: during VMM setup, registry.

VMM Self-Service Portal Web server to VMM server
Protocol: WCF. Default port: 8100. Where to change: during VMM setup.

VMM Self-Service Portal to VMM self-service Web server
Protocol: HTTPS. Default port: 443. Where to change: during VMM setup.

VMM library server to hosts
Protocol: BITS. Default port: 443 (maximum value: 32768). Where to change: during VMM setup, registry.

VMM host-to-host file transfer
Protocol: BITS. Default port: 443 (maximum value: 32768). Where to change: registry.

VMRC connection to Virtual Server host
Protocol: VMRC. Default port: 5900. Where to change: VMM Administrator Console, registry.

VMConnect (RDP) to Hyper-V hosts
Protocol: RDP. Default port: 2179. Where to change: VMM Administrator Console, registry.

Remote Desktop to virtual machines
Protocol: RDP. Default port: 3389. Where to change: registry.

VMware Web Services communication
Protocol: HTTPS. Default port: 443. Where to change: VMM Administrator Console, registry.

SFTP file transfer from VMware ESX Server 3.0 and VMware ESX Server 3.5 hosts
Protocol: SFTP. Default port: 22. Where to change: registry.

SFTP file transfer from VMM server to VMware ESX Server 3i hosts
Protocol: HTTPS. Default port: 443. Where to change: registry.
