You are browsing the archive for 2015 July.

Critical Hyper-V Security Update MS15-068

9:44 pm in Hyper-V by Wim Matthyssen

Today Microsoft released critical security update MS15-068, which fixes a vulnerability that could allow remote code execution on a Hyper-V host.

All of the following operating systems running Hyper-V are affected: Windows Server 2008, Windows Server 2008 R2, Windows 8, Windows 8.1, Windows Server 2012 and Windows Server 2012 R2.

You can find more information and the download links concerning this update in the security bulletin over here: https://technet.microsoft.com/en-us/library/security/ms15-068.aspx

So test it out and deploy it as soon as possible to your Hyper-V production environment.

Hope it helps.

Wim Matthyssen (@wmatthyssen)

Configure SCVMM 2012 R2 Distributed Key Management

8:31 pm in DKM, scvmm by Wim Matthyssen

Before going into the practical part, first a little information about Distributed Key Management (DKM). DKM is used to store the VMM encryption keys (the keys that protect sensitive data such as administrator passwords, Run As Account credentials and license key information) in a special container in Active Directory Domain Services (AD DS), instead of locally on the VMM server. This is the kind of information you don’t want unauthorized people to access!

It can be used for a standalone VMM server setup (optional but recommended). However, when you deploy a clustered installation of VMM (HA VMM) it is required, because both cluster nodes need to be able to securely access those encryption keys to decrypt the data in the VMM database (for example after a failover from one node to the other).

Here are some tips and tricks before you start:

  • DKM is required when installing an HA VMM.
  • I always manually configure the DKM container before starting the VMM installation (you can also do it during setup, but make sure that the account you are installing with has rights to create a new container in AD; the easiest way is to give the user domain administrator rights).
  • You need domain administrator rights to use ADSI Edit.
  • The DKM container and the VMM service account should be created in the same domain as the VMM management server.
  • Make sure you have a reliable AD backup in place to protect and recover all AD data, so those sensitive encryption keys don’t get lost in case of a disaster.
  • The domain I use in this example is contoso.local.
  • The following users and groups are created prior to running the VMM management server setup: sa-scvmm (SCVMM service account), scvmmadmin (SCVMM Run As account) and SCVMM-Admins (SCVMM administrators security group). The users sa-scvmm and scvmmadmin are made members of the SCVMM-Admins global security group. SCVMM-Admins is added to the local Administrators group on the VMM management server(s).

1) Log on to a Domain Controller (DC) with domain admin privileges, open Run and type adsiedit.msc to start the Active Directory Service Interfaces Editor.

2) In the ADSI Edit console, right-click ADSI Edit and select Connect to. On the Connection Settings page click OK (Default naming context should already be filled in as the name).

3) Right-click the domain’s container (or another container you prefer as a logical place), which in my case is DC=contoso, DC=local, select New and then select Object.

4) In the Create Object window select container as the class and click Next.

5) In the Value textbox, fill in VMMDKM and click Next (if you prefer to use another name, be sure not to use spaces or special characters in it).

6) In the Active Directory Users and Computers window, click on View and select Advanced Features.

7) Now you’re able to see the VMMDKM container. The last thing to do is to set the proper AD permissions. By default the AD groups Domain Admins and Enterprise Admins, and the SYSTEM account, have full permissions on this object and its descendant objects. In my case VMM will be granted the necessary rights through the SCVMM-Admins security group. So right-click the container and choose Properties.

8) Click the Security tab and then click Add.

9) Type the name of the VMM administrators group: scvmm-admins.

10) Check the Read, Write and Create all child objects options.

11) Next, click the Advanced tab.

12) Select scvmm-admins and choose Edit.

13) In the Applies to drop-down menu, select This object and all descendant objects.

14) Right-click the VMMDKM container and select Properties. Select the attribute distinguishedName and click View. Copy the value; you will need it later during the installation of VMM.

15) When you install the VMM management server, on the Configure service account and distributed key management page, you must specify the location of the container in AD DS; in my example this is CN=VMMDKM, DC=contoso, DC=local (the value copied above).

16) After the VMM installation, you can see that some data has been added to the DKM container.

We have now finished preparing DKM for either a standalone or an HA VMM installation.
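If you would rather script steps 3 to 14 than click through ADSI Edit (for example to build several VMM environments identically, or to re-check the permissions later), the following PowerShell does the same thing. This is an added example and not code from the original post: it assumes the ActiveDirectory module (RSAT) is installed, that it runs as a domain administrator on a domain-joined machine, and that the group is named SCVMM-Admins as in this post. The Read, Write and Create all child objects checkboxes from step 10 are mapped to the GenericRead, GenericWrite and CreateChild rights, and step 13 to inheritance type All.

```powershell
# Added example (not the post's own code): create the DKM container, grant the
# VMM administrators group the rights from steps 7-13, verify the resulting ACL
# and print the distinguishedName you have to enter during VMM setup (step 15).
# Assumptions: ActiveDirectory module available, run as a domain admin, group name
# and container name match the post (change the two variables below if not).

Import-Module ActiveDirectory

$ContainerName = 'VMMDKM'        # no spaces or special characters, as in step 5
$AdminGroup    = 'SCVMM-Admins'  # VMM administrators security group from the post

# Steps 3-5: create the container directly under the domain naming context
$domainDN    = (Get-ADDomain).DistinguishedName
$containerDN = "CN=$ContainerName,$domainDN"

$existing = Get-ADObject -LDAPFilter "(&(objectClass=container)(cn=$ContainerName))" `
                         -SearchBase $domainDN -SearchScope OneLevel
if (-not $existing) {
    New-ADObject -Name $ContainerName -Type 'container' -Path $domainDN `
                 -Description 'VMM Distributed Key Management container'
    Write-Output "Created container $containerDN"
} else {
    Write-Output "Container $containerDN already exists, only checking permissions"
}

# Steps 7-13: Read + Write + Create all child objects for the admins group,
# applied to "This object and all descendant objects" (inheritance type All)
$group    = Get-ADGroup -Identity $AdminGroup
$ADRights = [System.DirectoryServices.ActiveDirectoryRights]
$rights   = $ADRights::GenericRead -bor $ADRights::GenericWrite -bor $ADRights::CreateChild

$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $group.SID,
    $rights,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)

# The AD: PSDrive is provided by the ActiveDirectory module; Get-Acl/Set-Acl work on it
$aclPath = "AD:\$containerDN"
$acl = Get-Acl -Path $aclPath
$acl.AddAccessRule($ace)
Set-Acl -Path $aclPath -AclObject $acl

# Verification: show which explicit ACEs the group now holds on the container.
# Domain Admins, Enterprise Admins and SYSTEM keep their default full control.
$groupAces = (Get-Acl -Path $aclPath).Access |
    Where-Object { $_.IdentityReference.Value -like "*\$AdminGroup" }
$groupAces | Select-Object IdentityReference, ActiveDirectoryRights, InheritanceType, AccessControlType |
    Format-Table -AutoSize

# Step 14: the value to paste into the VMM setup wizard
$dn = (Get-ADObject -LDAPFilter "(cn=$ContainerName)" -SearchBase $domainDN `
                    -SearchScope OneLevel -Properties distinguishedName).DistinguishedName
Write-Output "DKM container DN for VMM setup: $dn"
```

Run it once before the VMM setup; running it a second time is harmless because the container check skips creation and AddAccessRule merges an identical ACE. If the verification table shows no row for the group, or an InheritanceType other than All, the VMM service will not be able to reach the keys after a failover, which is exactly the situation DKM is meant to prevent.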

So this concludes this blog post, hope it’s useful and helps!

Wim Matthyssen (@wmatthyssen)