Transcript Getting Started with the Microsoft Forefront Code Name "Stirling

Ronald Beekelaar
Beekelaar Consultancy
VIR301
Objectives
Goals of this session:
Using and configuring Hyper-V for testing
How to adapt the Hyper-V VMs to your network
environment
How to get started with the Forefront Stirling VMs
Forefront Stirling (beta 2) Hyper-V VMs are
downloadable at www.microsoft.com/stirling
About the Presenter
Presenter - Ronald Beekelaar
MVP Windows Security
MVP Virtual Machine Technology
Work
Security consultancy
Virtualization consultancy
Create many VM-based labs and demos
Including Forefront Stirling Lab
Contact
Beekelaar Consultancy
[email protected]
Lab and VM Environment
Specifications
Total 7 VMs
Hyper-V only (x64)
Need 8 GB memory
Includes: Stirling, FCSv2, FSE, FSSP, TMG
Plus AD, NAP, Exchange, SharePoint, Outlook
Available:
Download at www.microsoft.com/stirling
Hyper-V Versions
Need:
Win2008 x64 with Hyper-V
Bios supports NX and hardware VT
Use securable.exe to verify
Win2008 RTM has Hyper-V beta
hvix64.exe - build 17101 - Jan 2008
Install Hyper-V RTM - KB 950050
hvix64.exe - build 18016 - Jun 2008
Install Hyper-V 24-core update - KB 956710
hvix64.exe - build 22263 - Sep 2008
Win2008 R2 beta 1
hvix64.exe - build 6.1.7000 - Dec 2008
Win2008 R2 RC
hvix64.exe - build 6.1.7100 - Apr 2009
Install, Register and Run VMs
Run install-script to unpack and register VMs
Run start-page to start VMs
Snapshots
Principles
Now = vhd-file in Snapshots folder
When VM is running, changes go into this vhd-file
Snapshot = Point-in-time, so that you can go back later
While VM is off, or while VM is running (includes saved state)
Snapshot files and settings will never change later
Apply = Attach new empty Now vhd-file to this snapshot
Deletes contents of existing Now vhd-file
Delete = "I don't want to go back to this snapshot, please merge"
Merges content into parent, and removes snapshot from UI
But when snapshot is not in Now vhd-file tree, then just delete content
Revert = Re-attach new empty Now vhd-file to current snapshot
Is same as: Apply on current snapshot
Snapshots
Snapshot
.vhd
.avhd
Apply (= delete Now)
Apply (create branch)
Delete (= merge)
Delete (= delete)
Delete and Merge Snapshots
When deleting a Snapshot:
Is snapshot within Now-tree?
Yes - merge snapshot (A or C) with parent file
No - delete snapshot (B or D)
When deleting a VM:
Are there non-empty snapshots in Now-tree?
Yes - merge snapshots (Now+C+A) into vhd-file,
before removing VM
No - delete snapshots, and remove VM
Snapshot Data Inconsistency
Non-running snapshots
VM-1:
Running snapshots
VM-1:
A
B
A
B
C
VM-2:
VM-2:
Problem:
- When restoring snapshot for VM-1 only,
VM-1 misses communication B
Problem:
- Even when restoring snapshots for all VMs,
VM-1 misses communication B
Solution:
- Always restore related snapshots
for all VMs
Solution:
- Pause* all VMs before taking (and restoring)
snapshots
VM-1:
VM-1:
A
VM-2:
B
A
C
VM-2:
* Note:
- You must temporarily un-pause (resume) each VM,
when taking a snapshot
Hyper-V Data Transfer
Problem:
How to get data or files in or out of a VM?
Non-solutions:
 Drag-and-Drop
 Shared Folders
 Copy/Paste through VM Connection (RDP)
Solutions:
A (running) Configure host - VM networking
B (offline) Use VHD mounting
C
D
E
F
Is difficult with snapshot files (avhd)
Watch out for NTFS symlinks
(Hyper-V R2) Hot add-remove vhd-files
(in-only) Create and mount ISO-file
(clipboard) Paste text (in), or copy screen (out)
(scripting) Use key-value-pair (KVP) exchange
Read/write VM registry keys from parent
Is part of Integration Components
Hyper-V Data Transfer
Offline VHD Mounting
Exists in:
Virtual Server - vhdmount.exe
Hyper-V - wmi scripting
Win7/Win2008R2 - Native VHD
Issues with offline VHD mounting
File permissions and access control
NTFS Symlink pointers to other drives
Difficult to mount snapshot files (avhd)
Networking
- physical network adapter
- virtual network adapter
- virtual switch
Principles
Parent has physical network adapter(s)
Each guest (and parent) has virtual network adapter(s)
Each virtual network adapter is connected to a virtual switch
Type of virtual switch is:
External – connect to physical network adapter
Internal – parent and guests connections only
Private – guest connections only
Configuration
Use Virtual Network Manager to create virtual switches
Use VM Settings to assign virtual network adapter to switch
Networking
Virtual switch types
Private
Parent
Guest
Application
App
Guest
App
Internal
Parent
Guest
Application
App
Parent
Guest
Guest
Application
App
App
Guest
ICS
App
External
Parent
- physical network adapter
- virtual network adapter
- virtual switch
Application
IP
Guest
App
IP
Guest
App
IP
No IP
Scripting Hyper-V
WMI scripting
Hyper-V uses WMI for scripting
Virtual Server uses COM objects
WMI reference: http://msdn.microsoft.com/en-us/library/aa155190.aspx
Golden tip for WMI scripting:
 WMI object are copies, not live objects
'pseudo wmi code
dim VM : set VM = wmihv.ExecQuery("select ...")
VM.Start
'VM is running
Msgbox VM.Status
'status shows not-running (!)
Difficulty with Hyper-V WMI model:
 Need to understand what RASDs are
 Many operation calls are asynchronuos
set objOutParams = computerSystem.ExecMethod_("RequestStateChange", objInParam)
if (WMIMethodStarted(objOutParams)) then
if (WMIJobCompleted(objOutParams)) then
WriteLog Format1("VM {0} was started successfully", computerSystem.ElementName)
RequestStateChange = true
end if
end if
Scripting Hyper-V
Examples
VBScript - example from Ronald Beekelaar
Set-known-network-ID.vbs
...
dim i
for i = 0 to adapters.Count-1
dim adapter : set adapter = adapters.ItemIndex(i)
adapter.VirtualSystemIdentifiers = Array(GetKnownAdapterGuid(i+1))
ModifyRasd vm, adapter
next
...
PowerShell - example from James O'Neill
See http://www.codeplex.com/PSHyperv
..
Filter Get-VMNicport
{Param ($nic)
if ($nic -eq $null) {$nic=$_}
if ($nic -is [System.Management.ManagementObject]) {
Get-WmiObject -computerName $nic.__server -NameSpace "root\virtualization"
-Query "Select * From Msvm_SwitchPort where __Path='$( $nic.connection[0] )'" }
$nic=$null }
#Example: Get-VMNic $core -legacy -vmbus | get-vmNicPort
...
Moving VMs to other computers
Method 1: Export/import
Official method: Export / Import
Issues:
 Base vhd-file is copied for each VM
Suggestion: delete extra copies, and relink diff-disks
 Requires same network (switch) name at target
computer
Suggestion: use standard network name
 Can only import one time
Suggestion: copy configuration file (exp-file) before
import
Moving VMs to other computers
Method 2: Recreate VM configuration
Common method with Virtual PC/Virtual Server
1 Take vhd-file
2 Create new VM, by using vhd-file
Issues:
 Lose IP configuration inside VM
Due to newly detected virtual network adapter
Network adapter (synthetic) has random hardware id
in configuration xml-file
<?xml version="1.0" encoding="UTF-16" standalone="yes"?>
<configuration>
<_09bbc919-72c8-4100-89fc-1bf856fe8090_>
<ChannelInstanceGuid type="string">{07f9fba5-432a-4af3-be59-b299093e15bf}</ChannelInstanceGuid>
<FriendlyName type="string">Network Adapter</FriendlyName>
<MacAddress type="string">00-15-5D-00-10-00</MacAddress>
<MacAddressIsStatic type="bool">False</MacAddressIsStatic>
<PortName type="string">137A5DBF-2B3F-447F-BEC4-3E9A5A724D01</PortName>
<SwitchName type="string">8e3a359f-559a-4b6a-98a9-1690a6100ed7</SwitchName>
...
Info: Networking
Virtual network adapter types
Two types of virtual network adapters in guest
Legacy network adapter
Is common Intel 21140 PCI network adapter
Network adapter
Is synthetic adapter for VMBus
Requires Integration Components
Uses unique hardware id in xml-file
Moving VMs to other computers
Method 2: Recreate VM configuration (cont'd)
Solution (1) to network adapter issue:

Use same hardware id in xml-file
Only possible, if you know original hardware id
Tip: use well-known hardware id: {1111..}, {2222...}, etc
<?xml version="1.0" encoding="UTF-16" standalone="yes"?>
<configuration>
<_09bbc919-72c8-4100-89fc-1bf856fe8090_>
<ChannelInstanceGuid type="string">{11111111-1111-1111-1111-111111111111}</Chan...>
...
Because xml-file is locked by Hyper-V,
need Hyper-V script to change hardware id in xml-file
Example: Set-known-network-ID.vbs
Solution (2) to network adapter issue:

Use legacy network adapter,
instead of (synthetic) network adapter
Moving VMs to other computers
Method 3: Create symlink to register VM
For each VM, Hyper-V uses "shortcut" to xml-file
In folder:
C:\ProgramData\Microsoft\Windows\Hyper-V\Virtual Machines
Shortcut is symbolic link to xml-file
Use mklink guid.xml D:\Lab\Virtual Machines\guid.xml
Issues:
 Completely unsupported
 Must have correct file permissions
Uses NT Virtual Machine "domain"
 Must have all xml-files, disk files (vhd), and snapshot files
(avhd) in correctly named folders
Permissions and Access
VM Accounts
Hyper-V assigns Read/Write permissions
To certain special VM accounts
On vhd-files and other files and folders
VM accounts
Each VM has own guid-named "user" account in
"NT VIRTUAL MACHINE" domain
Example: NT VIRTUAL MACHINE\0256A619-112F-.. (guid)
Similar to "BUILTIN\Administrators" and "NT AUTHORITY\System"
You can use icacls.exe to list and assign permissions to these VM
accounts
Permissions and Access
Delegation of Control (Azman)
Use Azman.msc to assign roles to accounts
Open
C:\ProgramData\Microsoft\Windows\Hyper-V\InitialStore.xml
Concept:
Operations or Tasks > Role > User or Group account
See
- http://blogs.msdn.com/virtual_pc_guy/archive/2008/01/17/allowing-non-administrators-to-control-hyper-v.aspx
Permissions and Access
Remote Management (hvremote)
Issue:
Very difficult to configure remote management if not in domain
Steps
1 (client/server) Create duplicate user/password
2 (server) Allow WMI through firewall
3 (server) Grant DCOM permissions to user - dcomcnfg.exe
4 (server) Grant WMI permissions on root\cimv2 and root\virtualization
5 (server) Grant Hyper-V permissions to user - azman.msc
6 (client) Allow WMI and mmc.exe through firewall
7 (client) Grant DCOM permissions to anonymous (callback) - dcomcnfg.exe
8 (client) Configure "allow default credentials" - gpedit.msc
Or run hvremote.wsf - John Howard
See http://code.msdn.microsoft.com/hvremote
Hyper-V book
Windows Server 2008 Hyper-V
Written by John Kelbley, Mike Sterling,
Allen Stewart
Available in conference store
Overview of Stirling
Forefront Stirling - Versions
Now
Future
IAG 2007
Edge
UAG v2
TMG 2010
ISA 2006
Forefront
Client Security
Client
UAG
FCS v2
Stirling v1
Server
Antigen
Forefront
for Exchange
Forefront
for Exchange
Forefront
for SharePoint
Forefront
for SharePoint
Forefront
for OCS
Others
Stirling v2
Forefront
for OCS v2
...
Microsoft
Update
Stirling Integration
Forefront Security Assessment Channel
Stirling Core
Server
Stirling Data
Analysis &
Collection Servers
Windows
Server
Update
Services
(WSUS)
Settings
Events
Systems
Center
Operations
Manager
Reports
Policies
Threat Management
Gateway Servers
Virus
&Spyware
Definitions
Settings
Events
Exchange Servers
Stirling
Console
Settings
Events
SharePoint Servers
Settings
Events
Desktops, Laptops and Servers
Stirling Policies
1. Define Target Groups of computers
Based on queries, OU, computer name, etc
2. Centrally configure settings
For all Forefront products
Use Policy Units within a Stirling Policy
3. Bind each Stirling Policy to a Target Group
Deployed by SCOM 2007 R2 → SCOM Agent
Note: does not use Group Policy for deployment
Agents on Clients
SCOM 2007 Agent
Is only the "transport" vehicle
Receives policies and tasks
Sends events to Stirling Server
Server
Client
Stirling Agent
Is the "dispatcher"
SCOM 2007
Agent
Communicates with SCOM Agent
and with Asset Protection Technology (APT)
Stirling
Agent
APTs
Do the "work"
FCS (Host Protection)
Forefront for Exchange
TMG
UAG
Windows Firewall
Group Policy
Etc.
FCS
(Host Protection)
FW
Event
Logs
GPO
...
Group Policies vs Stirling Policies
Differences:
FCSv1 uses GPO to deploy policies
Stirling/FCSv2 use SCOM 2007 agent (management packs)
Reasons for change
Speed of deployment
Reporting successful deployment
Single "policy unit" UI combined with
remediation and network access restriction
Question:
What if both Group Policies and Stirling Policies are defined for
similar settings (example: Windows firewall configuration)?
Answer:
Stirling Agent configure Local GPO,
and then triggers GPO processing on client
Levels of reaction
Security State Assessment (on the client)
Policy specifies "desired" settings
a) Report current setting to Stirling
Collect current IE security settings
b) Change setting to desired value (remediate)
When FCS service stops, start it again
When guest is enabled, disable guest
c) Restrict network access (uses NAP)
When IE setting is insecure, block network access
Assessment sharing and dynamic response
Client detects vulnerability or compromise
Client sends "assessment" to Stirling server
Stirling combines assessments
d) Dynamic response send to other assets
For currently logged-on user (user) on client computer (client),
that performs suspicious port scan (TMG),
block outgoing email (FSE), and trigger full AM-scan (client)
Security Assessment Sharing ( )
With Dynamic Response (
Compromised
Computer: VENICE
Fidelity: High
Severity: High
Expire: Wed
Alert
Responses
)
Compromised
User: MARCO
Fidelity: Low
Severity: High
Expire: Wed
FCS identifies
MARCO has
logged on to
VENICE
TMG identifies
malware on VENICE
computer attempting
to propagate
(PortScan)
Web
Scan Computer
Quarantine
Reset Account
Block Email
Update Signatures
Signatures:
FCS – antivirus, antispyware
TMG – antivirus (HTTP+SMTP), NIS
FSE/FSSP – antivirus
Connect VMs to Internet
TMG: Outbound SSL Filtering
For Web publishing, inbound SSL Bridging is
well-known (ISA Server 2000)
Issue:
Cannot inspect outbound traffic in encrypted tunnel
(SSL)
Solution:
Use SSL Bridging on outbound SSL connections
Difference with Web publishing is that client can go
to many different Web sites
TMG: Outbound SSL Filtering
www.fabrikam.com
Request
In Web browser:
https://www.fabrikam.com
www.fabrikam.com
Request
Certificate
Certificate
SSL
SSL
In TMG request:
https://www.fabrikam.com
[email protected]
Resources
www.microsoft.com/teched
www.microsoft.com/learning
Sessions On-Demand & Community
Microsoft Certification & Training Resources
http://microsoft.com/technet
http://microsoft.com/msdn
Resources for IT Professionals
Resources for Developers
www.microsoft.com/learning
Microsoft Certification and Training Resources
Resources
For more information on Microsoft Virtualization including:
Whitepapers
Product Downloads
Case Studies
ROI Calculators
Solutions with Partners
Visit: www.microsoft.com/virtualization
Be sure to stop by the TLC area to speak with
subject-matter-experts and see live product demos
Complete an
evaluation on
CommNet and
enter to win!
© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should
not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS,
IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.