January 20, 2010 12:00 AM

Windows Server 2008 Hyper-V Security

Windows IT Pro
InstantDoc ID #103406

Server virtualization allows hosting of different virtual guest computer environments on one physical host computer. Organizations can use server virtualization to consolidate servers; build more cost-efficient and effective development, test, and preproduction environments; simplify disaster recovery; and easily port virtual servers across different hardware platforms.

Microsoft provides two server-virtualization solutions. The first is Microsoft Virtual Server—a free software package that you can use to build virtual servers on top of Windows Server 2003, Windows XP, and Windows Vista. Microsoft's most recent server virtualization solution is Hyper-V—an integral part of Windows Server 2008. Like Microsoft Virtual Server, Hyper-V allows for the virtualization of both Windows and non-Windows OSs.

This article focuses on the security aspects of the Hyper-V virtualization solution. It explains how securing virtual servers is different from the way you secure physical servers. With the guidance and best practices offered in the article, you'll be better able to protect your Hyper-V virtualization infrastructure. To start, let's look at the defenses Microsoft built into the Hyper-V architecture.

Hyper-V Architectural Defenses
When Hyper-V loads, it creates a thin abstraction layer (less than 1MB) called the hypervisor. It operates between the physical server hardware and the host OS. The hypervisor interfaces directly with the server hardware and loads before the host OS starts. You could also define the hypervisor as a mini OS that allows for the virtualization of other OSs on top of it. All OSs that run on a Hyper-V server (both the virtualized ones and the host OS) always run inside a virtual machine (VM) that's under the watchful eye of the hypervisor. Virtual Server uses a different approach in which the host OS runs beside the virtualization layer, and the host OS also directly interfaces with the hardware.

To support hypervisor-based virtualization, your system's processor must support what is referred to as hardware-assisted virtualization. This feature is commonly supported on state-of-the-art processors, such as the Intel VT and AMD-V processor lines. Processors that support hardware-assisted virtualization provide a highly privileged layer in the processor ring architecture that keeps the execution environment of the hypervisor fully separated and isolated from the rest of the system.

The hypervisor performs critical tasks such as memory management and ensures security isolation between the host OS and the different virtualized OSs. In Hyper-V, the environment in which the host OS or a virtual OS runs is known as a partition. You could also define a partition as a basic unit of isolation. The partition that runs the host OS is called the parent partition, and the partitions that run virtualized OSs are called child partitions.

The parent partition is a privileged partition. It creates and manages child partitions, owns the resources not owned by the hypervisor, and takes care of power management and the management of hardware-failure events.

The parent partition must run 64-bit Server 2008. Microsoft's choice of 64-bit for the parent partition is primarily driven by the 64-bit platform's expanded memory and processing facilities. More memory simply allows for more VMs on one platform. But 64-bit Windows also brings security advantages: 64-bit Windows doesn't include legacy code and has been built from the ground up using the Microsoft Security Development Lifecycle (SDL) methodology. Microsoft developed SDL to build more secure software and to add more repeatability and predictability to the software development process. SDL tries to make software development more of a science than an art. You can find more information about SDL at the Microsoft Security Development Lifecycle site.
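The points above (the hypervisor loads before the host OS, the parent partition must be 64-bit Server 2008, and every OS on the box runs in a partition) can be checked from the parent partition itself. The script below is an added example for this article, not Microsoft's code or anything shipped with the Hyper-V role. It assumes Windows PowerShell 2.0 on a Server 2008 host with the Hyper-V role installed, an elevated prompt (bcdedit needs it), and that the root\virtualization WMI namespace represents the parent partition as an Msvm_ComputerSystem whose Caption is "Hosting Computer System" and each child partition as one whose Caption is "Virtual Machine" (an assumption about that namespace, stated here rather than taken from the article).

```powershell
# Added example for a Hyper-V (Server 2008) parent partition; run elevated.
# Reports the facts the article calls out: 64-bit host OS, hypervisor boot
# setting, the management service in the parent partition, and child partitions.
function Get-HyperVHostStatus {
    $os  = Get-WmiObject Win32_OperatingSystem
    $cpu = Get-WmiObject Win32_Processor | Select-Object -First 1

    # The parent partition must run 64-bit Windows Server 2008.
    $is64 = ($os.OSArchitecture -eq '64-bit')

    # The boot configuration decides whether the hypervisor is loaded before the
    # host OS. Enabling the Hyper-V role sets 'hypervisorlaunchtype Auto'.
    $bcd = bcdedit /enum '{current}' | Out-String
    if ($bcd -match 'hypervisorlaunchtype\s+(\S+)') {
        $launchType = $matches[1]
    } else {
        $launchType = 'not set'
    }

    # vmms is the Virtual Machine Management service; it runs in the parent partition.
    $vmms = Get-Service -Name vmms -ErrorAction SilentlyContinue
    if ($vmms) { $vmmsState = $vmms.Status } else { $vmmsState = 'not installed' }

    # Assumption: root\virtualization exposes partitions as Msvm_ComputerSystem,
    # parent = 'Hosting Computer System', children = 'Virtual Machine'.
    $partitions = Get-WmiObject -Namespace root\virtualization `
                                -Class Msvm_ComputerSystem -ErrorAction SilentlyContinue
    $children = @($partitions | Where-Object { $_.Caption -eq 'Virtual Machine' })
    $childNames = ($children | ForEach-Object { $_.ElementName }) -join ', '

    New-Object PSObject -Property @{
        Host                   = $os.CSName
        OSVersion              = $os.Caption
        ParentPartitionIs64Bit = $is64
        Processor              = $cpu.Name
        HypervisorLaunchType   = $launchType
        VmmsServiceState       = $vmmsState
        ChildPartitionCount    = $children.Count
        ChildPartitions        = $childNames
    }
}

Get-HyperVHostStatus | Format-List
```

A host that reports ParentPartitionIs64Bit as False, a launch type other than Auto, or vmms not running is not actually hosting the hypervisor described above, whatever the role list says; the child-partition inventory is worth keeping as a baseline so that a VM nobody remembers creating stands out.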

Given the important role of the hypervisor from a partition isolation point of view, and to further reduce the hypervisor's attack surface, Microsoft limits the code and services that run inside the hypervisor. The hypervisor doesn't include I/O stacks or device drivers. Child partitions communicate with the physical hardware through device drivers that are running in the parent partition. This approach to dealing with device drivers is referred to as a micro-kernelized hypervisor architecture. Although this architecture reduces the security risks for the hypervisor, it creates extra risks for the parent partition. For example, faulty or malicious device drivers might expose the parent partition. In the section titled "Protecting the Parent Partition," I give some advice on how you can harden the Hyper-V parent partition.

Comments
  • Migration
    Jan 21, 2010

    Very helpful information! Any IT manager/admin worth his/her salt should know Hyper-V backwards and forwards. Glad to see this take on the important, but often-overlooked, security side of the equation.
