
Getting Started with the Microsoft Forefront Code Name " Stirling " Virtual Machines in Hyper-V

Getting Started with the Microsoft Forefront Code Name " Stirling " Virtual Machines in Hyper-V. Ronald Beekelaar Beekelaar Consultancy VIR301. Objectives. Goals of this session: Using and configuring Hyper-V for testing How to adapt the Hyper-V VMs to your network environment


Presentation Transcript


  1. Getting Started with the Microsoft Forefront Code Name "Stirling" Virtual Machines in Hyper-V Ronald Beekelaar Beekelaar Consultancy VIR301

  2. Objectives
  • Goals of this session:
    • Using and configuring Hyper-V for testing
    • How to adapt the Hyper-V VMs to your network environment
    • How to get started with the Forefront Stirling VMs
  • Forefront Stirling (beta 2) Hyper-V VMs are downloadable at www.microsoft.com/stirling

  3. About the Presenter
  • Presenter - Ronald Beekelaar
    • MVP Windows Security
    • MVP Virtual Machine Technology
  • Work
    • Security consultancy
    • Virtualization consultancy
    • Create many VM-based labs and demos
      • Including Forefront Stirling Lab
  • Contact
    • Beekelaar Consultancy, ronald@beekelaar.com

  4. Lab and VM Environment
  • Specifications
    • Total 7 VMs
    • Hyper-V only (x64)
    • Need 8 GB memory
    • Includes: Stirling, FCSv2, FSE, FSSP, TMG
    • Plus AD, NAP, Exchange, SharePoint, Outlook
  • Available:
    • Download at www.microsoft.com/stirling

  5. Hyper-V Versions
  • Need:
    • Win2008 x64 with Hyper-V
    • BIOS supports NX and hardware VT
      • Use securable.exe to verify
  • Win2008 RTM has Hyper-V beta
    • hvix64.exe - build 17101 - Jan 2008
  • Install Hyper-V RTM - KB 950050
    • hvix64.exe - build 18016 - Jun 2008
  • Install Hyper-V 24-core update - KB 956710
    • hvix64.exe - build 22263 - Sep 2008
  • Win2008 R2 beta 1
    • hvix64.exe - build 6.1.7000 - Dec 2008
  • Win2008 R2 RC
    • hvix64.exe - build 6.1.7100 - Apr 2009

  6. Install, Register and Run VMs • Run install-script to unpack and register VMs • Run start-page to start VMs

  7. Snapshots
  • Principles
    • Now = vhd-file in Snapshots folder
      • When VM is running, changes go into this vhd-file
    • Snapshot = Point-in-time, so that you can go back later
      • While VM is off, or while VM is running (includes saved state)
      • Snapshot files and settings will never change later
    • Apply = Attach new empty Now vhd-file to this snapshot
      • Deletes contents of existing Now vhd-file
    • Delete = "I don't want to go back to this snapshot, please merge"
      • Merges content into parent, and removes snapshot from UI
      • But when snapshot is not in Now vhd-file tree, then just delete content
    • Revert = Re-attach new empty Now vhd-file to current snapshot
      • Is same as: Apply on current snapshot

  8. Snapshots (diagram of a .vhd/.avhd snapshot tree, annotated: Apply (= delete Now), Apply (create branch), Delete (= delete), Delete (= merge))

  9. Delete and Merge Snapshots
  • When deleting a Snapshot:
    • Is snapshot within Now-tree?
      • Yes - merge snapshot (A or C) with parent file
      • No - delete snapshot (B or D)
  • When deleting a VM:
    • Are there non-empty snapshots in Now-tree?
      • Yes - merge snapshots (Now+C+A) into vhd-file, before removing VM
      • No - delete snapshots, and remove VM
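As an added check for the "is the snapshot within the Now-tree?" question on the slide above (my own PowerShell 2.0 code, not from the deck or the presenter's scripts), the function below lists a VM's snapshots and marks which ones sit in the Now vhd-file tree, i.e. which ones Hyper-V would merge on delete rather than simply discard. It assumes the Windows Server 2008 root\virtualization WMI namespace; the use of SettingType 5 for snapshot settings and of the Msvm_PreviousSettingData association to find the snapshot the Now file hangs off are assumptions about that namespace, and the VM name in the usage line is a placeholder.

```powershell
# Added example, not from the deck: which snapshots of a VM are in the Now-tree?
# Assumes Windows Server 2008 Hyper-V (root\virtualization) and PowerShell 2.0.

function Get-HvSnapshotTree {
    param([string]$VmName)
    $escaped = $VmName.Replace("'", "\'")   # WQL string-literal escaping
    $vm = Get-WmiObject -Namespace root\virtualization -Class Msvm_ComputerSystem `
        -Filter "ElementName='$escaped'"
    if ($vm -eq $null) { throw "VM '$VmName' not found" }

    # All snapshot settings of the VM (assumption: SettingType 5 = snapshot in the v1 namespace)
    $snapshots = @($vm.GetRelated("Msvm_VirtualSystemSettingData") |
        Where-Object { $_.SettingType -eq 5 })

    # The snapshot the Now vhd-file is currently attached to
    # (assumption: reached through the Msvm_PreviousSettingData association)
    $current = $vm.GetRelated("Msvm_VirtualSystemSettingData", "Msvm_PreviousSettingData",
        $null, $null, $null, $null, $false, $null) | Select-Object -First 1

    # Walk the Parent chain from the current snapshot up to the root: that chain is the Now-tree
    $inNowTree = @{}
    $node = $current
    while ($node -ne $null) {
        $inNowTree[$node.InstanceID] = $true
        if ($node.Parent) { $node = [wmi]$node.Parent } else { $node = $null }
    }

    foreach ($s in $snapshots) {
        $merge = $inNowTree.ContainsKey($s.InstanceID)
        New-Object PSObject -Property @{
            Name      = $s.ElementName
            Created   = $s.CreationTime
            InNowTree = $merge
            OnDelete  = $(if ($merge) { "merge into parent" } else { "delete files" })
        }
    }
}

# Usage (placeholder VM name):
# Get-HvSnapshotTree "Stirling-Core" | Format-Table Name, InNowTree, OnDelete
```

Run it before deleting a snapshot or a VM: a snapshot reported as "merge into parent" will rewrite its parent .vhd/.avhd, so the disk must have free space and should not be in use by an offline-mount at that moment.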

  10. Snapshot Data Inconsistency (diagram: VM-1 and VM-2 exchanging communications A, B, C, shown once with non-running snapshots and once with running snapshots)
  • Non-running snapshots
    • Problem: When restoring snapshot for VM-1 only, VM-1 misses communication B
    • Solution: Always restore related snapshots for all VMs
  • Running snapshots
    • Problem: Even when restoring snapshots for all VMs, VM-1 misses communication B
    • Solution: Pause* all VMs before taking (and restoring) snapshots
  • *Note: You must temporarily un-pause (resume) each VM, when taking a snapshot

  11. Hyper-V Data Transfer
  • Problem:
    • How to get data or files in or out of a VM?
  • Non-solutions: Drag-and-Drop, Shared Folders, Copy/Paste through VM Connection (RDP)
  • Solutions:
    • A (running) Configure host - VM networking
    • B (offline) Use VHD mounting
      • Is difficult with snapshot files (avhd)
      • Watch out for NTFS symlinks
    • C (Hyper-V R2) Hot add-remove vhd-files
    • D (in-only) Create and mount ISO-file
    • E (clipboard) Paste text (in), or copy screen (out)
    • F (scripting) Use key-value-pair (KVP) exchange
      • Read/write VM registry keys from parent
      • Is part of Integration Components
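Option F above (KVP exchange) is the one that needs no network path into the guest, which makes it useful for inventory from the parent (which OS build and FQDN is each lab VM reporting?). The following is an added PowerShell 2.0 example of my own, not code from the deck, that reads the guest-side KVP items through Msvm_KvpExchangeComponent. It assumes the Windows Server 2008 root\virtualization namespace and a running guest with Integration Components; the VM name in the usage line is a placeholder.

```powershell
# Added example, not from the deck: read the guest's KVP items from the parent partition.
# Assumes Windows Server 2008 Hyper-V (root\virtualization), PowerShell 2.0, and a running
# guest with Integration Components installed. No guest network access is needed.

function Get-HvGuestKvp {
    param([string]$VmName)
    $escaped = $VmName.Replace("'", "\'")   # WQL string-literal escaping
    $vm = Get-WmiObject -Namespace root\virtualization -Class Msvm_ComputerSystem `
        -Filter "ElementName='$escaped'"
    if ($vm -eq $null) { throw "VM '$VmName' not found" }

    # The KVP component is associated with the VM through Msvm_SystemDevice
    $kvp = $vm.GetRelated("Msvm_KvpExchangeComponent") | Select-Object -First 1
    if ($kvp -eq $null) { throw "No KVP component: VM is off, or Integration Components missing" }

    # Each item is an Msvm_KvpExchangeDataItem instance serialized as CIM-XML, e.g.
    # <INSTANCE CLASSNAME="Msvm_KvpExchangeDataItem"> ... <PROPERTY NAME="Name"><VALUE>...
    function ConvertFrom-KvpXml([string[]]$Items) {
        $table = @{}
        foreach ($text in @($Items)) {
            if (-not $text) { continue }
            $xml = [xml]$text
            $name = $xml.SelectSingleNode("/INSTANCE/PROPERTY[@NAME='Name']/VALUE")
            $data = $xml.SelectSingleNode("/INSTANCE/PROPERTY[@NAME='Data']/VALUE")
            if ($name -ne $null) {
                # An empty Data value is serialized without a VALUE element
                $table[$name.InnerText] = $(if ($data -ne $null) { $data.InnerText } else { "" })
            }
        }
        return $table
    }

    New-Object PSObject -Property @{
        # Written by the Integration Components in the guest:
        # OSName, OSVersion, FullyQualifiedDomainName, ...
        Intrinsic = ConvertFrom-KvpXml $kvp.GuestIntrinsicExchangeItems
        # Written by programs in the guest under HKLM\SOFTWARE\Microsoft\Virtual Machine\Guest
        Guest     = ConvertFrom-KvpXml $kvp.GuestExchangeItems
    }
}

# Usage (placeholder VM name):
# (Get-HvGuestKvp "Stirling-Core").Intrinsic["FullyQualifiedDomainName"]
```

Treat the returned values as guest-supplied input: anything under the Guest key was written by software inside the VM, so do not paste it unescaped into WQL filters or file paths on the parent.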

  12. Hyper-V Data Transfer: Offline VHD Mounting
  • Exists in:
    • Virtual Server - vhdmount.exe
    • Hyper-V - WMI scripting
    • Win7/Win2008R2 - Native VHD
  • Issues with offline VHD mounting
    • File permissions and access control
    • NTFS Symlink pointers to other drives
    • Difficult to mount snapshot files (avhd)

  13. Networking (diagram legend: physical network adapter, virtual network adapter, virtual switch)
  • Principles
    • Parent has physical network adapter(s)
    • Each guest (and parent) has virtual network adapter(s)
    • Each virtual network adapter is connected to a virtual switch
    • Type of virtual switch is:
      • External – connect to physical network adapter
      • Internal – parent and guests connections only
      • Private – guest connections only
  • Configuration
    • Use Virtual Network Manager to create virtual switches
    • Use VM Settings to assign virtual network adapter to switch

  14. Networking: Virtual switch types (diagram of the Private, Internal and External switch types, showing which of parent, guests and their applications connect to each switch, which get an IP address and which do not, and ICS on the Internal switch; legend: physical network adapter, virtual network adapter, virtual switch)

  15. Scripting Hyper-V: WMI scripting
  • Hyper-V uses WMI for scripting
    • Virtual Server uses COM objects
  • WMI reference: http://msdn.microsoft.com/en-us/library/aa155190.aspx
  • Golden tip for WMI scripting: WMI objects are copies, not live objects
  • Difficulty with Hyper-V WMI model:
    • Need to understand what RASDs are
    • Many operation calls are asynchronous

      'pseudo wmi code
      dim VM : set VM = wmihv.ExecQuery("select ...")
      VM.Start                 'VM is running
      Msgbox VM.Status         'status shows not-running (!)

      set objOutParams = computerSystem.ExecMethod_("RequestStateChange", objInParam)
      if (WMIMethodStarted(objOutParams)) then
          if (WMIJobCompleted(objOutParams)) then
              WriteLog Format1("VM {0} was started successfully", computerSystem.ElementName)
              RequestStateChange = true
          end if
      end if

  16. Scripting Hyper-V: Examples
  • VBScript - example from Ronald Beekelaar
    • Set-known-network-ID.vbs

      ...
      dim i
      for i = 0 to adapters.Count-1
          dim adapter : set adapter = adapters.ItemIndex(i)
          adapter.VirtualSystemIdentifiers = Array(GetKnownAdapterGuid(i+1))
          ModifyRasd vm, adapter
      next
      ...

  • PowerShell - example from James O'Neill
    • See http://www.codeplex.com/PSHyperv

      ...
      Filter Get-VMNicPort {
          Param ($nic)
          if ($nic -eq $null) {$nic=$_}
          if ($nic -is [System.Management.ManagementObject]) {
              Get-WmiObject -computerName $nic.__server -NameSpace "root\virtualization" -Query "Select * From Msvm_SwitchPort where __Path='$( $nic.connection[0] )'"
          }
          $nic=$null
      }
      #Example: Get-VMNic $core -legacy -vmbus | get-vmNicPort
      ...

  17. Moving VMs to other computers: Method 1: Export/import
  • Official method: Export / Import
  • Issues:
    • Base vhd-file is copied for each VM
      • Suggestion: delete extra copies, and relink diff-disks
    • Requires same network (switch) name at target computer
      • Suggestion: use standard network name
    • Can only import one time
      • Suggestion: copy configuration file (exp-file) before import

  18. Moving VMs to other computers: Method 2: Recreate VM configuration
  • Common method with Virtual PC/Virtual Server
    1. Take vhd-file
    2. Create new VM, by using vhd-file
  • Issues:
    • Lose IP configuration inside VM
      • Due to newly detected virtual network adapter
      • Network adapter (synthetic) has random hardware id in configuration xml-file

      <?xml version="1.0" encoding="UTF-16" standalone="yes"?>
      <configuration>
        <_09bbc919-72c8-4100-89fc-1bf856fe8090_>
          <ChannelInstanceGuid type="string">{07f9fba5-432a-4af3-be59-b299093e15bf}</ChannelInstanceGuid>
          <FriendlyName type="string">Network Adapter</FriendlyName>
          <MacAddress type="string">00-15-5D-00-10-00</MacAddress>
          <MacAddressIsStatic type="bool">False</MacAddressIsStatic>
          <PortName type="string">137A5DBF-2B3F-447F-BEC4-3E9A5A724D01</PortName>
          <SwitchName type="string">8e3a359f-559a-4b6a-98a9-1690a6100ed7</SwitchName>
          ...

  19. Info: Networking: Virtual network adapter types
  • Two types of virtual network adapters in guest
  • Legacy network adapter
    • Is common Intel 21140 PCI network adapter
  • Network adapter
    • Is synthetic adapter for VMBus
    • Requires Integration Components
    • Uses unique hardware id in xml-file

  20. Moving VMs to other computers: Method 2: Recreate VM configuration (cont'd)
  • Solution (1) to network adapter issue: Use same hardware id in xml-file
    • Only possible, if you know original hardware id
    • Tip: use well-known hardware id: {1111..}, {2222...}, etc
    • Because xml-file is locked by Hyper-V, need Hyper-V script to change hardware id in xml-file
      • Example: Set-known-network-ID.vbs
  • Solution (2) to network adapter issue: Use legacy network adapter, instead of (synthetic) network adapter

      <?xml version="1.0" encoding="UTF-16" standalone="yes"?>
      <configuration>
        <_09bbc919-72c8-4100-89fc-1bf856fe8090_>
          <ChannelInstanceGuid type="string">{11111111-1111-1111-1111-111111111111}</Chan...>
          ...
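The following added example is my own PowerShell 2.0 code, not the deck's pseudo-code and not Ronald Beekelaar's Set-known-network-ID.vbs. It serves two slides at once: the asynchronous-job handling and "objects are copies" point from the WMI scripting slide (a RequestStateChange that waits for its Msvm_ConcreteJob and then re-queries the VM), and solution (1) above (writing the well-known {1111...}, {2222...} ids into VirtualSystemIdentifiers of each synthetic adapter through ModifyVirtualSystemResources, which is what ends up as ChannelInstanceGuid in the xml-file). It assumes the Windows Server 2008 root\virtualization namespace, that the VM is off when the ids are changed, and placeholder VM names in the usage line.

```powershell
# Added example, not from the deck and not the presenter's Set-known-network-ID.vbs:
# the asynchronous-job pattern (Msvm_* methods return a job) and a PowerShell version of
# the known adapter-id fix. Assumes Windows Server 2008 Hyper-V (root\virtualization)
# and PowerShell 2.0.

function Wait-HvJob {
    param($OutParams)    # the out-parameter object returned by a Msvm_* method call
    # ReturnValue 0 = finished synchronously, 4096 = job started, anything else = error
    if ($OutParams.ReturnValue -eq 0) { return }
    if ($OutParams.ReturnValue -ne 4096) {
        throw "WMI method failed, return code $($OutParams.ReturnValue)"
    }
    # WMI objects are copies, so re-read the job until it leaves the active states
    # (JobState 2 = New, 3 = Starting, 4 = Running; 7 = Completed)
    do {
        Start-Sleep -Milliseconds 200
        $job = [wmi]$OutParams.Job
    } while (@(2, 3, 4) -contains $job.JobState)
    if ($job.JobState -ne 7) {
        throw "Job failed: $($job.ErrorCode) $($job.ErrorDescription)"
    }
}

function Get-HvVm {
    param([string]$VmName)
    $escaped = $VmName.Replace("'", "\'")   # WQL string-literal escaping
    $vm = Get-WmiObject -Namespace root\virtualization -Class Msvm_ComputerSystem `
        -Filter "ElementName='$escaped'"
    if ($vm -eq $null) { throw "VM '$VmName' not found" }
    return $vm
}

function Start-HvVm {
    param([string]$VmName)
    $vm = Get-HvVm $VmName
    $out = $vm.RequestStateChange(2)     # EnabledState 2 = running, 3 = off
    Wait-HvJob $out
    # $vm.EnabledState still holds the value copied before the call: query again
    return (Get-HvVm $VmName).EnabledState
}

function Set-HvKnownNicId {
    param([string]$VmName)
    $vm = Get-HvVm $VmName
    if ($vm.EnabledState -ne 3) { throw "Turn the VM off before changing adapter ids" }
    $svc = Get-WmiObject -Namespace root\virtualization -Class Msvm_VirtualSystemManagementService
    # Active (non-snapshot) settings of the VM, via the Msvm_SettingsDefineState association
    $vssd = $vm.GetRelated("Msvm_VirtualSystemSettingData", "Msvm_SettingsDefineState",
        $null, $null, $null, $null, $false, $null) | Select-Object -First 1
    # Synthetic adapters only; legacy adapters have no VMBus channel id
    $adapters = @($vssd.GetRelated("Msvm_SyntheticEthernetPortSettingData"))
    $i = 1
    foreach ($adapter in $adapters) {
        $d = "$i"
        # {1111...}, {2222...}: this value becomes ChannelInstanceGuid in the VM's xml-file
        $adapter.VirtualSystemIdentifiers = @("{$($d * 8)-$($d * 4)-$($d * 4)-$($d * 4)-$($d * 12)}")
        $rasdText = $adapter.GetText([System.Management.TextFormat]::CimDtd20)
        $out = $svc.ModifyVirtualSystemResources($vm.__PATH, @($rasdText))
        Wait-HvJob $out
        $i++
    }
    return $adapters.Count
}

# Usage (placeholder VM name):
# Set-HvKnownNicId "Stirling-Core"; Start-HvVm "Stirling-Core"
```

Because the well-known ids are predictable, apply them only to lab VMs you rebuild often; the point is that the guest sees the same adapter after a move and keeps its static IP and firewall profile, not that the id is secret.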

  21. Moving VMs to other computers: Method 3: Create symlink to register VM
  • For each VM, Hyper-V uses "shortcut" to xml-file
    • In folder: C:\ProgramData\Microsoft\Windows\Hyper-V\Virtual Machines
    • Shortcut is symbolic link to xml-file
    • Use mklink guid.xml "D:\Lab\Virtual Machines\guid.xml"
  • Issues:
    • Completely unsupported
    • Must have correct file permissions
      • Uses NT Virtual Machine "domain"
    • Must have all xml-files, disk files (vhd), and snapshot files (avhd) in correctly named folders

  22. Permissions and Access: VM Accounts
  • Hyper-V assigns Read/Write permissions
    • To certain special VM accounts
    • On vhd-files and other files and folders
  • VM accounts
    • Each VM has own guid-named "user" account in "NT VIRTUAL MACHINE" domain
    • Example: NT VIRTUAL MACHINE\0256A619-112F-.. (guid)
    • Similar to "BUILTIN\Administrators" and "NT AUTHORITY\System"
    • You can use icacls.exe to list and assign permissions to these VM accounts
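An added example (my own PowerShell 2.0 code, not from the deck) for working with these VM accounts: it derives the "NT VIRTUAL MACHINE\guid" name from the VM's WMI Name property, audits which VM accounts have an ACE on a disk file or folder, and grants one VM account access with icacls.exe. The audit is the useful part for least privilege: a base .vhd shared by several diff-disks should carry only read ACEs for the VMs that use it. It assumes the Windows Server 2008 root\virtualization namespace; the VM name and paths in the usage lines are placeholders.

```powershell
# Added example, not from the deck: audit and grant VM-account access to disk files.
# Assumes Windows Server 2008 Hyper-V (root\virtualization) and PowerShell 2.0.

function Get-HvVmAccount {
    param([string]$VmName)
    $escaped = $VmName.Replace("'", "\'")   # WQL string-literal escaping
    $vm = Get-WmiObject -Namespace root\virtualization -Class Msvm_ComputerSystem `
        -Filter "ElementName='$escaped'"
    if ($vm -eq $null) { throw "VM '$VmName' not found" }
    # Name holds the VM guid, which is also the user name in the NT VIRTUAL MACHINE domain
    return "NT VIRTUAL MACHINE\$($vm.Name)"
}

# Audit: which VM accounts have an ACE on a disk file or folder, and with what rights
function Get-HvVmAccess {
    param([string]$Path)
    (Get-Acl -Path $Path).Access |
        Where-Object { $_.IdentityReference.Value -like "NT VIRTUAL MACHINE\*" } |
        Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited
}

# Grant one VM account read (for a shared base/parent disk) or modify (for a diff disk)
function Grant-HvVmAccess {
    param([string]$VmName, [string]$Path, [switch]$ReadOnly)
    $account = Get-HvVmAccount $VmName
    $rights = $(if ($ReadOnly) { "(R)" } else { "(M)" })
    & icacls.exe $Path /grant "${account}:${rights}"
    if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }
    Get-HvVmAccess $Path
}

# Usage (placeholder names and paths):
# Get-HvVmAccess "D:\Lab\Base\Win2008-base.vhd"
# Grant-HvVmAccess -VmName "Stirling-Core" -Path "D:\Lab\Base\Win2008-base.vhd" -ReadOnly
```

Running Get-HvVmAccess over every .vhd and .avhd in the lab folder after an import or a Method 2/3 move is a quick way to spot disks that still carry ACEs for VM guids that no longer exist, or that were given modify rights to a parent disk by hand.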

  23. Permissions and Access: Delegation of Control (Azman)
  • Use Azman.msc to assign roles to accounts
    • Open C:\ProgramData\Microsoft\Windows\Hyper-V\InitialStore.xml
  • Concept:
    • Operations or Tasks > Role > User or Group account
  • See http://blogs.msdn.com/virtual_pc_guy/archive/2008/01/17/allowing-non-administrators-to-control-hyper-v.aspx

  24. Permissions and Access: Remote Management (hvremote)
  • Issue:
    • Very difficult to configure remote management if not in domain
  • Steps
    1. (client/server) Create duplicate user/password
    2. (server) Allow WMI through firewall
    3. (server) Grant DCOM permissions to user - dcomcnfg.exe
    4. (server) Grant WMI permissions on root\cimv2 and root\virtualization
    5. (server) Grant Hyper-V permissions to user - azman.msc
    6. (client) Allow WMI and mmc.exe through firewall
    7. (client) Grant DCOM permissions to anonymous (callback) - dcomcnfg.exe
    8. (client) Configure "allow default credentials" - gpedit.msc
  • Or run hvremote.wsf - John Howard
    • See http://code.msdn.microsoft.com/hvremote

  25. Hyper-V book • Windows Server 2008 Hyper-V • Written by John Kelbley, Mike Sterling, Allen Stewart • Available in conference store

  26. Forefront Stirling: Overview of Stirling

  27. Forefront Stirling - Versions (diagram: current products and their future versions)
  • Edge: IAG 2007 → UAG → UAG v2; ISA 2006 → TMG 2010
  • Client: Forefront Client Security → FCS v2; Stirling v1 → Stirling v2
  • Server: Forefront for Exchange, Forefront for SharePoint, Antigen, Forefront for OCS → Forefront for OCS v2
  • Others

  28. Stirling Integration (architecture diagram: Stirling Core Server with Stirling Console, Data Analysis & Collection Servers, and the Forefront Security Assessment Channel; Microsoft Update and Windows Server Update Services (WSUS) supply virus & spyware definitions; System Center Operations Manager carries settings and events between the core and Threat Management Gateway servers, Exchange servers, SharePoint servers, and desktops, laptops and servers; reports and policies are managed in the console)

  29. Stirling Policies
  1. Define Target Groups of computers
     • Based on queries, OU, computer name, etc
  2. Centrally configure settings
     • For all Forefront products
     • Use Policy Units within a Stirling Policy
  3. Bind each Stirling Policy to a Target Group
     • Deployed by SCOM 2007 R2 → SCOM Agent
     • Note: does not use Group Policy for deployment

  30. Agents on Clients
  • SCOM 2007 Agent
    • Is only the "transport" vehicle
    • Receives policies and tasks
    • Sends events to Stirling Server
  • Stirling Agent
    • Is the "dispatcher"
    • Communicates with SCOM Agent and with Asset Protection Technology (APT)
  • APTs
    • Do the "work"
    • FCS (Host Protection), Forefront for Exchange, TMG, UAG, Windows Firewall, Group Policy, etc.
  (diagram: Server and Client, with SCOM 2007 Agent, Stirling Agent, Event Logs, FCS (Host Protection), FW, GPO, ...)

  31. Group Policies vs Stirling Policies
  • Differences:
    • FCSv1 uses GPO to deploy policies
    • Stirling/FCSv2 use SCOM 2007 agent (management packs)
  • Reasons for change
    • Speed of deployment
    • Reporting successful deployment
    • Single "policy unit" UI combined with remediation and network access restriction
  • Question: What if both Group Policies and Stirling Policies are defined for similar settings (example: Windows firewall configuration)?
  • Answer: Stirling Agent configures Local GPO, and then triggers GPO processing on client

  32. Levels of reaction
  • Security State Assessment (on the client)
    • Policy specifies "desired" settings
    • a) Report current setting to Stirling
      • Collect current IE security settings
    • b) Change setting to desired value (remediate)
      • When FCS service stops, start it again
      • When guest is enabled, disable guest
    • c) Restrict network access (uses NAP)
      • When IE setting is insecure, block network access
  • Assessment sharing and dynamic response
    • Client detects vulnerability or compromise
    • Client sends "assessment" to Stirling server
    • Stirling combines assessments
    • d) Dynamic response sent to other assets
      • For currently logged-on user (user) on client computer (client), that performs suspicious port scan (TMG), block outgoing email (FSE), and trigger full AM-scan (client)

  33. Security Assessments Channel (diagram: Security Assessment Sharing with Dynamic Response)
  • FCS identifies MARCO has logged on to VENICE
  • TMG identifies malware on VENICE computer attempting to propagate (PortScan)
  • Assessments sent to Stirling Core: Compromised User: MARCO (Fidelity: Low, Severity: High, Expire: Wed); Compromised Computer: VENICE (Fidelity: High, Severity: High, Expire: Wed)
  • Alert to Security Admin; responses shown: Scan Computer, Malicious Web Site, Quarantine, Block Email, Reset Account
  (diagram components: Forefront TMG, Stirling Core, Client Security, Web, AD, NAP; assets: Marco (user), Venice (computer))

  34. Update Signatures • Signatures: • FCS – antivirus, antispyware • TMG – antivirus (HTTP+SMTP), NIS • FSE/FSSP – antivirus • Connect VMs to Internet

  35. TMG: Outbound SSL Filtering
  • For Web publishing, inbound SSL Bridging is well-known (ISA Server 2000)
  • Issue:
    • Cannot inspect outbound traffic in encrypted tunnel (SSL)
  • Solution:
    • Use SSL Bridging on outbound SSL connections
    • Difference with Web publishing is that client can go to many different Web sites

  36. TMG: Outbound SSL Filtering (diagram: two SSL legs, one from the Web browser to TMG and one from TMG to www.fabrikam.com, each with its own Request and Certificate; in Web browser: https://www.fabrikam.com; in TMG request: https://www.fabrikam.com)

  37. question & answer ronald@beekelaar.com

  38. Resources
  • www.microsoft.com/teched - Sessions On-Demand & Community
  • www.microsoft.com/learning - Microsoft Certification & Training Resources
  • http://microsoft.com/technet - Resources for IT Professionals
  • http://microsoft.com/msdn - Resources for Developers

  39. Resources
  • For more information on Microsoft Virtualization including:
    • Whitepapers
    • Product Downloads
    • Case Studies
    • ROI Calculators
    • Solutions with Partners
  • Visit: www.microsoft.com/virtualization
  • Be sure to stop by the TLC area to speak with subject-matter-experts and see live product demos

  40. Complete an evaluation on CommNet and enter to win!

  41. © 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
