LiveKD 5.0 Kernel Debugging Running Hyper-V Virtual Machines

Microsoft Sysinternals has updated their LiveKD kernel debugging utility so you can analyse and troubleshoot running VMs on a Hyper-V host. That’s pretty impressive! Mark Russinovich has blogged about it, giving some basic instructions. Now you can start poking around what’s happening in a VM that is running on the host, including the current memory. You are unlikely to need to do this by yourself, but you may be asked to do some of this stuff by MS support.

This brings up an important point.  Security for virtualisation is not like normal server security, mainly because of the flexibility and mobility of VMs.  In my opinion, you need to treat a virtualisation infrastructure (no matter what brand it is) like an Active Directory.  There should be a few overall administrators (domain admins) and you can delegate on a granular basis.  This can be done with Windows and AzMan in Hyper-V.  I prefer using Virtual Machine Manager delegation. 

Think about this: you have a large organisation and you have contracted in helpdesk operators. They have some minor role to do with VM management. You don’t think too much about security or delegation and just give them admin rights on the Hyper-V hosts/parent partitions. They can install LiveKD and then start poking around in VMs and their memory, able to access sensitive information. In reality they can do much more.

However, implement your delegation model correctly and they cannot access anything “above their pay grade”. That means you are using the idea of physical access but applying it using virtual machine placement. For example, all helpdesk VMs would be placed on hosts in a helpdesk host group (managed in VMM). The helpdesk people would be members of a delegated administrator group in VMM that only has the ability to manage members of that host group. That means any new VMs they’d create could only be placed there.
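
A check that follows from this model, as an added example that is not part of the original post: it compares each host's local Administrators membership with the principals approved for that host's host group and reports anything outside the model. All host, host group and account names are constructed sample data, and `Find-HostAdminViolation` is a hypothetical helper name.

```powershell
# Constructed sample data (added example): host group of each Hyper-V host.
$HostGroupOf = @{
    'HV-HD-01'  = 'Helpdesk'
    'HV-HD-02'  = 'Helpdesk'
    'HV-FIN-01' = 'Finance'
}

# Principals approved to hold local Administrators rights, per host group.
$AllowedAdmins = @{
    'Helpdesk' = @('CONTOSO\Virt-Admins', 'CONTOSO\Helpdesk-Operators')
    'Finance'  = @('CONTOSO\Virt-Admins')
}

# Constructed membership data. On a live estate, collect it per host with
# Get-LocalGroupMember -Group Administrators (for example via Invoke-Command).
$Membership = @(
    [pscustomobject]@{ HostName = 'HV-HD-01';  Member = 'CONTOSO\Virt-Admins' }
    [pscustomobject]@{ HostName = 'HV-HD-01';  Member = 'CONTOSO\Helpdesk-Operators' }
    [pscustomobject]@{ HostName = 'HV-FIN-01'; Member = 'CONTOSO\Virt-Admins' }
    [pscustomobject]@{ HostName = 'HV-FIN-01'; Member = 'CONTOSO\Helpdesk-Operators' }
    [pscustomobject]@{ HostName = 'HV-LAB-09'; Member = 'CONTOSO\Helpdesk-Operators' }
)

function Find-HostAdminViolation {
    param(
        [Parameter(Mandatory)] [object[]]  $Membership,
        [Parameter(Mandatory)] [hashtable] $HostGroupOf,
        [Parameter(Mandatory)] [hashtable] $AllowedAdmins
    )
    foreach ($entry in $Membership) {
        $group  = $HostGroupOf[$entry.HostName]
        $reason = $null
        if (-not $group) {
            # A host outside every host group is outside the model: report it.
            $group  = '<unassigned>'
            $reason = 'Host is not placed in a host group'
        }
        elseif ($AllowedAdmins[$group] -notcontains $entry.Member) {
            $reason = 'Member is not approved for this host group'
        }
        if ($reason) {
            [pscustomobject]@{
                HostName = $entry.HostName; HostGroup = $group
                Member   = $entry.Member;   Reason    = $reason
            }
        }
    }
}

Find-HostAdminViolation -Membership $Membership -HostGroupOf $HostGroupOf -AllowedAdmins $AllowedAdmins | Format-Table -AutoSize
```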
