That Was The First Security Fix For Hyper-V

By the way, when I posted about the security fix for Hyper-V last night, I should have mentioned that it was the first such one for the hypervisor itself in the 18 or so months since it RTM’d in Windows Server 2008.  Not bad!

There’s some debate about how important it is.  Basically, if someone can log into a VM running on a host and has admin rights in that VM, then they can run a DoS attack on the hypervisor on that host.  Most scenarios will probably be safe enough.

I would guess that most companies that deployed virtualisation are running it for internal server virtualisation purposes.  The people who log into those machines are trusted administrators and extremely unlikely to go postal.

Funny phrase that.  I once worked with a guy who was the son of post employees and he didn’t know what it meant.  He got highly offended!

Virtualised “terminal services”, or to put it correctly using the current phrase, Remote Desktop Services Session Hosts *gasps for air*,  will likely only have users logging in with limited rights so they will be safe.

Some VDI implementations will have users logging in with administrative rights.  That means that they are vulnerable.  And those operating cloud services (server hosting) based on Hyper-V are vulnerable.  Those operating private clouds with large numbers of unknown administrators also face a risk.  It’s inevitable that someone will write an attack script/program for this.

I fall into one of those vulnerable scenarios so our normal patching process was put to one side today.  The update was approved in WSUS for all groups, not just our testing group.  Using Operations Manager and VMM we put clustered hosts into maintenance mode.  This allows VMM to use Live Migration to move VMs from the host that will be worked on to another host.  If you don’t have VMM then you need to Live Migrate each of the VMs, one by one.  OpsMgr maintenance mode prevents false alarms.  This is done in turn with all hosts in the cluster.  No customers have downtime and the security fix gets deployed.  Nice and tidy.
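
For the case without VMM, the one-by-one Live Migration of a host's VMs can be scripted with the FailoverClusters PowerShell module. This is an added example, not part of the original post; it assumes a Windows Server 2008 R2 or later failover cluster, and `$NodeToPatch` is a hypothetical parameter name.

```powershell
# Added example: empty one clustered Hyper-V host before patching it.
# Assumption: run on a cluster node with the FailoverClusters module available.
# $NodeToPatch is a hypothetical parameter: the name of the host to be patched.
param(
    [Parameter(Mandatory = $true)][string]$NodeToPatch
)

Import-Module FailoverClusters

# Destinations: every other node that is currently Up.
$targets = @(Get-ClusterNode |
    Where-Object { $_.Name -ne $NodeToPatch -and $_.State -eq 'Up' })
if ($targets.Count -eq 0) {
    throw "No other node is Up; refusing to drain $NodeToPatch."
}

# Pause the node so the cluster places nothing new on it while it is emptied.
Suspend-ClusterNode -Name $NodeToPatch | Out-Null

# Groups owned by this node that contain a 'Virtual Machine' resource.
$vmGroups = @(Get-ClusterResource |
    Where-Object { $_.ResourceType.Name -eq 'Virtual Machine' -and
                   $_.OwnerNode.Name -eq $NodeToPatch } |
    ForEach-Object { $_.OwnerGroup.Name } |
    Sort-Object -Unique)

# Live migrate each VM in turn, spreading them round-robin over the other hosts.
$i = 0
foreach ($group in $vmGroups) {
    $dest = $targets[$i % $targets.Count].Name
    $i++
    Write-Host "Live migrating '$group' to $dest"
    Move-ClusterVirtualMachineRole -Name $group -Node $dest | Out-Null
}

# Confirm that no VM group is still on the node before it is patched and rebooted.
$left = @(Get-ClusterGroup |
    Where-Object { $_.OwnerNode.Name -eq $NodeToPatch -and $vmGroups -contains $_.Name })
if ($left.Count -gt 0) {
    $names = ($left | ForEach-Object { $_.Name }) -join ', '
    throw "Still on ${NodeToPatch}: $names"
}

Write-Host "$NodeToPatch is drained. Install the update and reboot, then run:"
Write-Host "  Resume-ClusterNode -Name $NodeToPatch"
```

Run it against one host at a time and resume that node before moving on to the next, so the cluster never has more than one host out of service.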
