Hyper-VVirtual Machines:
SYSTEM Account-Full Control
Administrators-Full Control
Virtual Machines -Special Permissions
Default security privileges on the Virtual Machines folder
At the very least, keep the security groups mentioned below in the property of the directory
Hyper-VVirtual Machines:
SYSTEM Account-Full Control
Administrators-Full Control
Virtual Machines -Special Permissions
By default, Hyper-V does not allow anyone to access virtual machines except the SYSTEM Account and Local Administrators Account. This is completely clear in the picture above. The Local Administrators Security Group is added to Authorization Manager's policy repository and it is given full control over Hyper-V, including virtual machines running on it.
The same security settings, shown in the image above, are used for the Hyper-Vsnapshots folder.
Tip : If you want to prevent users or administrators from creating virtual machines on the Hyper-V Server, remove the special security group "Virtual Machines" from the directory:
Hyper-VVirtual Machines
The next directory that needs security on Hyper-V is
Hyper-VVirtual Hard Disks
Securing this directory is more important than the directory containing XML files because Hyper-V supports virtual machines in VHD format. These VHD formats can be used with previous versions of virtualization software. Users who do not authenticate access to VHD files can copy the VHD file and use it with Virtual Server or Virtual PC. The default settings on the folder
Hyper-VVirtual Hard Disks
shown as below:
To further tighten the security issue for a folder containing VHD, you can remove the Users security group that was added when the initial Hyper-V Role was activated. At a minimum, you should keep the security groups below in the Security tab:
SYSTEM - Full Control
Administrators - Full Control
Authentic Users - Read & Execute
How to secure virtual machine access with DACL
Authorization Manager, which will be covered later, is a key tool for securing virtual machine access. However, you can also configure DACL on virtual machine directory to secure virtual machines running on Hyper-V. This type of security is done using NTFS privileges.
As you can see in the image above, the organization shows two groups: the development team and the Test team. Two security groups have been created for each team - Dev Team and Test Team. The Development team is responsible for writing code, then handing them over to the Test team for testing. The development team must access all 10 virtual machines (for example). At the same time, make sure the Test team does not have access to their virtual machines, except TVM1 to TVM5. To do so, assign NTFS privileges on virtual machine folders.
In this example, there are three virtual machine directories:
The development team is given full control privileges on folders 2 and 3, and the Test group is assigned full privileges only on directory 3. Sometimes the Test team does not even have read privileges on directory 3.
Overview of Hyper-V services and security services
Hyper-V is a client / server application. Hyper-V has three default services below:
service nameFunction
Security content
Configuration should be set
Virtual Machine Management Service
Manages overall Hyper-V environment
SYSTEM Account
Default
Hyper-V Image Management Service
Management of Virtual Hard Disks
Network Service
Default
Hyper-V Network Management Service
Management of Hyper-V Virtual Networking
SYSTEM Account
Default
The above services are configured to start automatically under the security contents of SYSTEM Account. The account under which these services run has the highest privileges on the system. You should not change the account below the content they run. If changed, hackers or malicious code can attack virtual machines or Parent Partition of Hyper-V. SYSTEM account password also needs to be kept secret. Running these services in a domain user account is not safe at all because hackers can now find passwords using software.
Conclude
In this article, I have explained how Hyper-V stores VHD files and XML files on the system drive. One point to emphasize in this article is that you should change the default location to save VHD and XML to SAN Drive, then perform security by assigning NTFS permissions. We also provided an example of how to secure virtual machine access using NTFS privileges.