Security Basics for VMM
Role-Based Security in SCVMM
    Available Targets
    Role Types in VMM
    Administrator Role
    Delegated Administrator Roles
    Self-Service User Roles
    Access to Virtual Machine Resources
        Placing a Quota on Users’ Virtual Machines
        Ownership of Virtual Machines
        Sharing Virtual Machines
    Administering Virtual Machine Self-Service
Required Rights and Permissions for VMM Administrative Tasks
VMM Ports and Protocols
Role-Based Security in SCVMM
Beginning with System Center Virtual Machine Manager (VMM) 2008, VMM implements role-based security to
provide finer control over who can do what within the virtualized environment. This security model supports
delegated administration, which was not available in VMM 2007. Self-service user roles replace the self-service
policies that were used to administer virtual machine self-service in VMM 2007.
A user role defines a set of operations (grouped in a profile) that can be performed on a selected set of objects
(defined by the user role’s scope). Within that framework, an organization can create delegated administrator
roles that allow, for example, a high-level administrator to manage all operations in a New York office, a
specialized administrator to manage all library servers, or an advanced user to set up complex virtual
environments within a single lab. An organization also can create self-service user roles that allow users to
perform a specified set of operations on their own virtual machines.
A user role consists of the following parts:
• A profile defines the set of available operations that a role member can perform.
• The scope defines the set of objects that the operations can target.
• The membership list specifies the Active Directory user accounts and security groups that are assigned to the role.
Important
When you add a Hyper-V host to VMM 2008 R2, VMM preserves changes to role definitions and role memberships in the root
scope of the Hyper-V authorization store. The VMM agent overwrites all changes to other scopes. As a result, while a Hyper-V
host is managed by VMM 2008 R2, access is determined by the union of all roles in the root scope plus the VMM role assigned
to each virtual machine’s scope.
This is a change from the way that VMM 2008 handles Hyper-V role definitions and scopes. When a Hyper-V host is added to
VMM 2008, VMM creates its own authorization store without importing any role and membership settings from initialstore.xml
on the Hyper-V computer, and then updates the registry so that Hyper-V points to the VMM authorization store.
For more information, see security considerations for Hyper-V hosts in Hardening Virtual Machine Hosts Managed by VMM.
Available Targets
In role-based security, dynamic collections of instances of objects (such as hosts or virtual machines), known as
groups, determine the available targets for a particular operation that a user performs. For example, when a
user attempts to start a virtual machine, VMM first checks whether the user has permission to perform the
Start action on virtual machines and then verifies that the user has the right to start the selected virtual
machine.
These groups are hierarchical: providing access to a particular instance provides access to all instances
contained in that instance. For example, providing access to a host group provides access to all hosts within the
host group and to all virtual networks on the hosts.
The following illustration shows the hierarchy of instances within the groups that apply to VMM user roles.
When a user role provides access to an instance in the outer ring, it automatically provides access to all
instances in the inner rings. Virtual machines are pictured separately because the flow of access works
somewhat differently for them. For all administrator roles, host group rights flow to all virtual machines that
are deployed on the hosts. However, that is not true for members of self-service user roles. The rights of
self-service users are limited to virtual machines that they own.
Figure: Group hierarchies for role-based security
Role Types in VMM
The following user role types, based on profiles of the same name, are defined for VMM:
• Administrator role—Members of the Administrator role can perform all VMM actions on all objects
that are managed by the VMM server. Only one role can be associated with this profile. At least one
administrator should be a member of the role.
• Delegated Administrator role—Members of a role based on the Delegated Administrator profile have
full VMM administrator rights, with a few exceptions, on all objects in the scope defined by the host
groups and library that are assigned to the role. A delegated administrator cannot modify VMM
settings or add or remove members of the Administrator role.
• Self-Service User role—Members of a role based on the Self-Service User profile can manage their
own virtual machines within a restricted environment. Self-service users use the VMM Self-Service
Web Portal to manage their virtual machines. The portal provides a simplified view of only the virtual
machines that the user owns and the operations that the user is allowed to perform on them. A
self-service user role specifies the operations that members can perform on their own virtual machines
(these can include creating virtual machines) and the templates and ISO image files that they can use
to create virtual machines. The user role also can place a quota on the virtual machines that a user can
deploy at any one time. Self-service users’ virtual machines are deployed transparently on the most
suitable host in the host group that is assigned to the user role.
VMM does not support the creation of custom user profiles.
Users can be a member of more than one user role, in which case VMM grants them the rights associated with
all their roles.
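The authorization rules in the Available Targets and Role Types sections above, as an added example (not Microsoft's code): a user role is a profile plus a scope plus a membership list, a user in several roles gets the union of their rights, host-group rights flow down to nested host groups and the virtual machines on their hosts for administrator roles, and self-service users are limited to granted operations on virtual machines they own. Role names, host groups, users and virtual machines are constructed sample data.

```python
"""Toy model of VMM 2008 role-based authorization (added example, not VMM code)."""
from dataclasses import dataclass, field
from typing import Optional

ADMIN, DELEGATED, SELF_SERVICE = "Administrator", "Delegated Administrator", "Self-Service User"

@dataclass
class HostGroup:
    name: str
    parent: Optional["HostGroup"] = None   # None for the top-level host group

@dataclass
class VM:
    name: str
    host_group: HostGroup   # host group of the host the VM is deployed on
    owner: str

@dataclass
class UserRole:
    name: str
    profile: str
    members: set                                    # membership list (users; groups omitted here)
    host_groups: set = field(default_factory=set)   # scope; ignored for the Administrator role
    operations: set = field(default_factory=set)    # granted VM operations (self-service roles only)

def in_scope(hg: Optional[HostGroup], scope: set) -> bool:
    """Access to a host group covers every host group nested inside it (outer ring to inner rings)."""
    while hg is not None:
        if hg.name in scope:
            return True
        hg = hg.parent
    return False

def role_allows(role: UserRole, user: str, op: str, vm: VM) -> bool:
    if user not in role.members:
        return False
    if role.profile == ADMIN:          # all operations on all objects managed by the VMM server
        return True
    if role.profile == DELEGATED:      # all operations, but only inside the assigned host groups
        return in_scope(vm.host_group, role.host_groups)
    # Self-service: the operation must be granted by the profile, the VM must be owned by
    # the user, and the VM must be deployed in one of the role's host groups.
    return op in role.operations and vm.owner == user and in_scope(vm.host_group, role.host_groups)

def is_allowed(roles, user: str, op: str, vm: VM) -> bool:
    """VMM checks the action and then the target; membership in several roles is a union of rights."""
    return any(role_allows(r, user, op, vm) for r in roles)

def sample_environment():
    """Constructed sample: All Hosts > New York > NY Lab, and All Hosts > Seattle."""
    all_hosts = HostGroup("All Hosts")
    new_york = HostGroup("New York", all_hosts)
    ny_lab = HostGroup("NY Lab", new_york)
    seattle = HostGroup("Seattle", all_hosts)
    roles = [
        UserRole("Administrator", ADMIN, {"CONTOSO\\vmmadmin"}),
        UserRole("NY Admins", DELEGATED, {"CONTOSO\\nyadmin", "CONTOSO\\bob"}, {"New York"}),
        UserRole("Lab Users", SELF_SERVICE, {"CONTOSO\\alice", "CONTOSO\\bob"},
                 {"NY Lab"}, {"Start", "Stop", "Checkpoint"}),
    ]
    vms = {
        "NYLAB-01": VM("NYLAB-01", ny_lab, "CONTOSO\\alice"),
        "NYLAB-02": VM("NYLAB-02", ny_lab, "CONTOSO\\bob"),
        "SEA-01": VM("SEA-01", seattle, "CONTOSO\\alice"),
    }
    return roles, vms
```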
The following illustration shows a simple schema for delegating administration within a virtualized environment
that supports virtual machine self-service.
Figure: Sample topology for delegated administration
Administrator Role
Members of the Administrator role can perform all VMM actions on all hosts, library servers, and virtual
machines that are managed by the VMM server. The actions and scope cannot be changed.
To add members to the Administrator role, expand the User Roles node in Administration view of the VMM
Administrator Console, right-click Administrator in the list, and then click Properties.
The following table summarizes the features of the Administrator role.
Profile: All VMM operations
Scope: All objects managed by the VMM server
Client access:
    VMM Administrator Console: Yes
    Windows PowerShell – VMM command shell: Yes
    VMM Self-Service Portal: No
Delegated Administrator Roles
A delegated administrator role assigns broad administrator rights within a scope that is defined by host groups
and library servers assigned to the role. The efficiency with which you delegate administration in VMM
depends on careful planning of the host groups and library servers within your virtualized environment. For
information about creating Delegated Administrator roles, see How to Create a Delegated Administrator User
Role (http://go.microsoft.com/fwlink/?LinkId=162941).
The following table describes the features of delegated administrator roles.
Profile: The Delegated Administrator profile allows the following operations on objects within the scope of the user role.
These operations cannot be changed.
• View, create, and manage host groups, hosts, and virtual networks within the scope of their user role.
• Create, view, modify, and migrate virtual machines within the scope of their user role.
• Add library servers to VMM.
• Manage virtual machine resources on all specified library shares on library servers within the scope of
the user role.
• Create user roles within the scope of their user role.
• View, modify, or remove user roles that they created.
• Perform all administrator operations within the scope of their user role except for the following
operations:
    o Cannot view, modify, or remove user roles created by members of the Administrator user role
    or by other members of a Delegated Administrator user role.
    o Cannot modify global VMM settings or System Center settings in VMM.
Scope:
    n host groups—Administrator rights on all objects within host groups, hosts, and virtual networks contained in
    the assigned host groups. This includes virtual hard disks, virtual network adapters, SCSI adapters, and so forth
    configured on virtual machines on the hosts.
    n library servers—Virtual hard disks, virtual floppy disks, ISO image files, Windows PowerShell scripts, SysPrep
    answer files, and VMware templates stored on all library shares on the library servers.
Client access:
    VMM Administrator Console: Yes
    Windows PowerShell – VMM command shell: Yes
    VMM Self-Service Portal: No
Note
To access the VMM Self-Service Portal, an administrator must be added to a self-service user role.
Self-Service User Roles
Self-service user roles allow users to manage their own virtual machines—that is, virtual machines for which
they are the specified owner—within a restricted environment. Self-service users view, operate, and manage
their virtual machines by using the VMM Self-Service Web Portal. The portal provides a simplified view of only
the virtual machines that the self-service user owns and the operations that are allowed on each virtual
machine. In VMM 2008, self-service users can perform the same operations on the objects within the scope of
their user role in the Windows PowerShell – VMM command shell.
A self-service user role defines the operations that the users can perform on their own virtual machines, the
templates that they can use to create virtual machines, the host groups in which their virtual machines are
deployed, and the library path where the ISO images that they use are stored.
If you have been using virtual machine self-service in VMM 2007, you can automatically convert your existing
self-service policies to user roles, retaining the host group structure under which they are administered, when
you upgrade to VMM 2008. Many self-service features are implemented slightly differently in user roles than in
self-service policies. For a detailed comparison, see Comparison of Self-Service User Roles with Self-Service
Policies.
Important
While managing a Hyper-V host, VMM uses the permissions in the self-service user profiles instead of the role-based access
controls that are configured in Hyper-V to authorize operations on virtual machines. For more information, see Hardening
Virtual Machine Hosts Managed by VMM.
The following table describes the features of self-service user roles. For information about creating self-service
user roles, see How to Create a Self-Service User Role (http://go.microsoft.com/fwlink/?LinkId=162946).
Profile: A self-service user role can grant members permission to perform any or all of the following operations on the
virtual machines that they own:
• Create.
• Start.
• Stop.
• Pause and resume.
• Checkpoint—Create and remove checkpoints. Restore a virtual machine to a previous checkpoint.
• Remove.
• Local administrator—Set the local Administrator password while creating a virtual machine, which
enables the user to be an administrator on the virtual machine. If you do not allow this operation,
VMM takes the credentials from the SysPrep answer file instead of prompting for them during virtual
machine creation.
• Remote connection.
• Store in library—Allows the user to store unused virtual machines in the VMM library. Virtual machines
that are stored in the library do not count against the virtual machine quota.
Scope:
    n host groups—Self-service users’ virtual machines are deployed automatically on the most suitable host in the
    assigned host groups based on the virtual machine’s requirements and the organization’s placement preferences.
    This is transparent to the user, who does not know where the virtual machine is deployed.
    1 library path—The library path assigned to a self-service user role serves the following purposes:
    • Makes ISO images available to role members during virtual machine creation.
    • Stores virtual machines that role members with the required permission choose to store in the library.
    Self-service users have Read access to the virtual hard disks and ISO image files used during virtual machine
    creation, but they are not aware of the location of the files.
Client access:
    VMM Administrator Console: No
    Windows PowerShell – VMM command shell: Yes (within the scope of the self-service user role)
    VMM Self-Service Portal: Yes
Note
To access the VMM Self-Service Portal, an administrator must be added to a self-service user role.
Access to Virtual Machine Resources
To create virtual machines, self-service users use templates that the VMM administrator assigns to the role. To
make ISO images available to self-service users during virtual machine creation, the image files must be stored
on the library path that is specified in the user role.
Self-service users can use these resources only through the Self-Service Portal. They have no other access to
the files unless the administrator grants permissions through the file system.
As an added security measure, self-service users are not aware of which hosts their virtual machines are
deployed on, the location of their virtual machine configuration files, the library path that stores the ISO images
that they use, and their stored virtual machines.
Placing a Quota on Users’ Virtual Machines
To limit the volume of virtual machines that members of a self-service user role can deploy at any one time,
you can configure a quota for a self-service user role.
A virtual machine quota is simply a value that can be assigned to a self-service user role to limit the volume of
virtual machines that role members can deploy at any given time. The quota can apply to all virtual machines
deployed by all role members, or it can apply individually to the virtual machines deployed by each role
member.
Because virtual machines can vary greatly in the resources that they consume on a host, rather than allocate
one quota point for each virtual machine, VMM allows the administrator to assign a specific number of quota
points to each virtual machine template based on its requirements. The points apply against the quota while
any virtual machine based on the template is deployed—regardless of whether it is running—but not while the
virtual machine is stored in the library.
Ownership of Virtual Machines
In virtual machine self-service, a virtual machine has an owner (by default, the user who created the virtual
machine) and a self-service user role (by default, the self-service user role under which the virtual machine was
created).
The virtual machine’s owner is the only person who can see and perform operations on a virtual machine in the
VMM Self-Service Portal.
A self-service user can change the owner of his own virtual machine to any other member of the self-service
user role.
If the owner is a member of more than one self-service user role, the user can change the virtual machine
owner to any member of his other roles if the following requirements are met:
• The current owner must belong to the self-service user role that is being assigned.
• The virtual machine must be within the scope (host or library path) of that user role.
Sharing Virtual Machines
To enable users to share virtual machines, use a security group to add the users to a self-service user role, and
then specify the group as the owner of the virtual machines you want group members to share. When a group
member creates a virtual machine, the default owner is the person’s user account. However, the user can
reassign ownership to the group. If the virtual machine quota is being applied to individual users, quota points
assigned to a group-owned virtual machine apply to the individual quotas of all members of the group.
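The quota, ownership and sharing rules of the three preceding sections, worked through as an added example (not VMM's own code): template quota points count while a virtual machine is deployed, running or not, and stop counting while it is stored in the library; a quota applies either to the whole role or to each member; a group-owned virtual machine is charged to every member of the group; and an owner may hand a virtual machine to another member (user or group) of a self-service role the owner also belongs to, provided the virtual machine is in that role's scope. Only host-group scope is modelled, and the templates, users, groups and virtual machines are constructed sample data.

```python
"""Toy model of VMM 2008 self-service quotas and ownership (added example, not VMM code)."""
from dataclasses import dataclass, field

@dataclass
class Template:
    name: str
    quota_points: int     # assigned by the administrator based on the template's requirements

@dataclass
class VM:
    name: str
    template: Template
    owner: str            # a user account or a security group
    host_group: str
    stored: bool = False  # True while the VM is stored in the library

@dataclass
class SelfServiceRole:
    name: str
    members: set          # user accounts and security groups assigned to the role
    host_groups: set      # scope (library path not modelled here)
    quota: int            # quota points
    per_member: bool      # True: applies to each member; False: to all role members together
    groups: dict = field(default_factory=dict)   # security group -> set of member users

def expand(role, principal):
    """A security group stands for all of its member users; a user stands for itself."""
    return set(role.groups.get(principal, {principal}))

def role_users(role):
    users = set()
    for m in role.members:
        users |= expand(role, m)
    return users

def points_used(role, vms, user=None):
    """Points charged to the whole role (user=None) or to one member.
    Stored VMs never count; a group-owned VM counts against every member of the group."""
    total = 0
    for vm in vms:
        if vm.stored:
            continue
        if user is None or user in expand(role, vm.owner):
            total += vm.template.quota_points
    return total

def can_deploy(role, vms, user, template):
    """Would one more VM from the template stay within the quota that applies to this user?"""
    charged_to = user if role.per_member else None
    return points_used(role, vms, charged_to) + template.quota_points <= role.quota

def can_change_owner(vm, current_owner, new_owner, roles):
    """The owner may reassign the VM to another member (user or group) of a self-service
    role the owner also belongs to, if the VM is within that role's scope."""
    for r in roles:
        if current_owner in role_users(r) and vm.host_group in r.host_groups \
                and (new_owner in r.members or new_owner in role_users(r)):
            return True
    return False

def sample():
    """Constructed sample: one lab role with a per-member quota of 6 points."""
    small = Template("Small Web", 1)
    large = Template("SQL Dev", 4)
    lab = SelfServiceRole("Lab Users", members={"CONTOSO\\alice", "CONTOSO\\Lab-Team"},
                          host_groups={"NY Lab"}, quota=6, per_member=True,
                          groups={"CONTOSO\\Lab-Team": {"CONTOSO\\bob", "CONTOSO\\carol"}})
    vms = [
        VM("web-01", small, "CONTOSO\\alice", "NY Lab"),
        VM("sql-01", large, "CONTOSO\\alice", "NY Lab", stored=True),   # in the library: free
        VM("sql-02", large, "CONTOSO\\Lab-Team", "NY Lab"),             # shared by the team
        VM("web-02", small, "CONTOSO\\bob", "NY Lab"),
    ]
    return lab, vms, small, large
```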
Administering Virtual Machine Self-Service
To gain access to the VMM Self-Service Portal, a VMM administrator must be a member of a self-service user
role. VMM administrators can, of course, perform all operations on virtual machines within the scope of their
role in the VMM Administrator Console and in Windows PowerShell – VMM.
Required Rights and Permissions for VMM Administrative Tasks
The following table is a reference to the rights and permissions, both within and outside System Center Virtual Machine Manager (VMM),
that are required to perform common administrative tasks. Within VMM, role-based security determines the VMM operations that a
person can perform and the objects on which the operations can be performed. For more information, see Role-Based Security in VMM.
Each entry gives the VMM administrative task followed by the required rights and permissions.

Task: Install the VMM server
Rights: Domain account that is a member of the local Administrators group.

Task: Configure a remote instance of SQL Server for the VMM database
Rights: Domain account that is a member of the sysadmin server role on the remote instance of SQL Server.

Task: Install a VMM Administrator Console
Rights: Member of the local Administrators group on the client computer.

Task: Use the VMM Administrator Console
Rights: Member of the Administrator role or a Delegated Administrator role in VMM. Delegated administrators see only
objects within the host groups (and child host groups) and library servers assigned to their role. Members of
Self-Service User roles do not have access to the VMM Administrator Console.

Task: Use a Windows PowerShell – Virtual Machine Manager command shell
Rights: Member of any user role in VMM. Delegated administrators perform operations on objects within the scope of
their role (host groups and their children, and library servers). Members of a self-service user role can perform
allowed operations on their own virtual machines by using templates assigned to the role and ISO images that are
stored on the library path assigned to the role.

Task: Install the VMM Self-Service Portal
Rights: Administrator account on the local computer and a domain account that is a member of the VMM Administrator role.

Task: Log on to the VMM Self-Service Portal
Rights: Member of a Self-Service User role in VMM. VMM administrators do not have access to the Self-Service Portal.
The VMM Self-Service Portal gives self-service users a restricted view of the virtual machines that they own and the
operations that their user role allows them to perform. If the role allows virtual machine creation, they see only
the templates assigned to their role and ISO images stored on the library share assigned to the role.

Task: Install a VMM agent locally on a virtual machine host
Rights: Administrator account on the virtual machine host computer.

Task: Add a Hyper-V or Virtual Server host
Rights: Domain account that is a member of the Administrator role or a Delegated Administrator role in VMM and that
also is a member of the local Administrators group on the host. Delegated administrators can add hosts to the host
groups assigned to their role or child host groups of those host groups. For more information about Delegated
Administrator roles, see Role-Based Security in VMM.

Task: Add a VMware VirtualCenter server
Rights: Domain account that is a member of the Administrator user role in VMM and a member of the local
Administrators group on the library server.

Task: Configure security for a managed VMware ESX Server host
Rights: Member of the Administrator role or a Delegated Administrator role in VMM. Domain or local account must have
virtual machine delegate credentials on the host. Secure mode also requires the following:
• ESX Server 3i: Encryption using Secure Sockets Layer (SSL) requires certificate authentication.
• ESX Server 3.5 or ESX Server 3.0.1: Encryption using Secure Shell (SSH) requires RSA public key authentication.

Task: Add a VMM library server
Rights: Domain account that is an Administrator on the library server and is a member of the Administrator role or
a Delegated Administrator role in VMM.

Task: Add files to a VMM library share
Rights: Write permission on the library share folder (set outside VMM). To add resources to the VMM library, add
the files to the library share and then refresh the share in VMM or wait for the next scheduled refresh (by default,
once per hour).

Task: Manually refresh a VMM library share or library server
Rights: VMM Administrator role or a Delegated Administrator role to which the library server is assigned.

Task: Import VMware templates into the VMM library
Rights: Member of the Administrator role or a Delegated Administrator role in VMM. Security must have been
configured for the VMware ESX Server host. For delegated administrators, the ESX Server host and destination
library server must be within the scope of their role.

Task: Convert a physical server to a virtual machine (P2V)
Rights: Administrator account on the source computer that is a member of the Administrator role or a Delegated
Administrator role in VMM.

Task: View and order reports in Reporting view
Rights: Domain account that is a member of the Administrator role or a Delegated Administrator role in VMM and is
a member of the Report Operator role in System Center Operations Manager 2007.
VMM Ports and Protocols
When you install the System Center Virtual Machine Manager (VMM) server, you can assign some of the ports that it will use for
communications and file transfers between the VMM components. While it is a best security practice to change the default ports, not all of
the ports can be changed through VMM. The default settings for the ports are listed in the following table.
Connection type | Protocol | Default port | Where to change the port setting
VMM server to VMM agent on Windows Server–based host (control) | WS-Management | 80 | During VMM setup, registry
VMM server to VMM agent on Windows Server–based host (file transfers) | HTTPS (using BITS) | 443 (maximum value: 32768) | Registry
VMM server to remote Microsoft SQL Server database | TDS | 1433 | Registry
VMM server to P2V source agent | DCOM | 135 | Registry
VMM Administrator Console to VMM server | WCF | 8100 | During VMM setup, registry
VMM Self-Service Portal Web server to VMM server | WCF | 8100 | During VMM setup
VMM Self-Service Portal to VMM self-service Web server | HTTPS | 443 | During VMM setup
VMM library server to hosts | BITS | 443 (maximum value: 32768) | During VMM setup, registry
VMM host-to-host file transfer | BITS | 443 (maximum value: 32768) | Registry
VMRC connection to Virtual Server host | VMRC | 5900 | VMM Administrator Console, registry
VMConnect (RDP) to Hyper-V hosts | RDP | 2179 | VMM Administrator Console, registry
Remote Desktop to virtual machines | RDP | 3389 | Registry
VMware Web Services communication | HTTPS | 443 | VMM Administrator Console, registry
SFTP file transfer from VMware ESX Server 3.0 and VMware ESX Server 3.5 hosts | SFTP | 22 | Registry
SFTP file transfer from VMM server to VMware ESX Server 3i hosts | HTTPS | 443 | Registry