Virtual Machine Servicing Tool 2012 Beta

Microsoft has launched the beta for VMST 2012.  This tool is used in conjunction with System Center 2012 Virtual Machine Manager (VMM) to update offline virtual machine resources from ConfigMgr/WSUS.

VMST 2012 helps you more effectively—and safely—manage the workflow of updating your offline virtualization environment. Using VMST 2012, you can now service:

– Offline virtual machines in a SCVMM library.

– Stopped and saved state virtual machines on a host.

– Virtual machine templates.

– Offline virtual hard disks in a SCVMM library by injecting update packages.

Post-TechEd North America 2012 Additions To My WS2012 Hyper-V Features List

A number of new Windows Server 2012 Hyper-V and related features were made public last week at TechEd NA 2012.  I have updated my list to include those features.

Hyper-V Is NOT Affected By VU#649219 VM “Break Out”

It was reported by the media earlier this week that an issue on Intel based servers could lead to a “break out” from a VM to the host in certain virtualisation products, including Microsoft’s.  Obviously this would be a huge concern, especially in environments where security and isolation are critical, e.g. public cloud/hosting.

I asked the Hyper-V product group if Hyper-V was actually affected.  The group allowed us to share that:

  • The problem does affect 64-bit OSes on Intel hardware, but Hyper-V is not affected.
  • This problem will not lead to break outs from Hyper-V VMs.
  • Windows 8/Server 2012 are not affected.

So that’s put that one to bed.

SYSRET 64-bit OS Privilege Escalation Vulnerability On Intel CPU Hardware

CERT reported that:

Some 64-bit operating systems and virtualization software running on Intel CPU hardware are vulnerable to a local privilege escalation attack. The vulnerability may be exploited for local privilege escalation or a guest-to-host virtual machine escape.

That last bit is the piece that should concern you. Microsoft responded with one of this month’s Patch Tuesday updates (thanks to Patrick Lownds for the link).  MS12-042 fixes this issue and is distributed through the normal Windows Update catalogue.

An elevation of privilege vulnerability exists in the way that the Windows User Mode Scheduler handles system requests. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full administrative rights.

Mitigating factors for user mode scheduler memory corruption vulnerability:

  • An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability. The vulnerability could not be exploited remotely or by anonymous users.
  • This vulnerability only affects Intel x64-based versions of Windows 7 and Windows Server 2008 R2.
  • Systems with AMD or ARM-based CPUs are not affected by this vulnerability.

Update your servers, including Hyper-V hosts, with this update.  System Center 2012 VMM will automate this for you if you have it and have configured the updates feature.
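The mitigating factors above define a small scope check: Intel x64 hosts running Windows 7 or Windows Server 2008 R2 that do not yet have the update. The following PowerShell is an added example, not part of the original post, that evaluates that scope against a list of hosts. The KB identifier is a placeholder (take the real one from the MS12-042 bulletin), the host names are constructed, and the check relies on Get-HotFix, which only lists updates recorded in Win32_QuickFixEngineering.

```powershell
# Added example (not from the post): is this host in scope for MS12-042, and is the
# update already installed? Host names and the KB ID are placeholders.

function Get-Ms12042Exposure {
    [CmdletBinding()]
    param(
        [string] $ComputerName = $env:COMPUTERNAME,
        # PLACEHOLDER: replace with the KB article ID listed in the MS12-042 bulletin.
        [string] $UpdateKB = 'KBNNNNNNN'
    )
    $os  = Get-WmiObject Win32_OperatingSystem -ComputerName $ComputerName
    $cpu = Get-WmiObject Win32_Processor -ComputerName $ComputerName | Select-Object -First 1

    # Win32_OperatingSystem.Version is 6.1.* for both Windows 7 and Windows Server 2008 R2.
    # OSArchitecture is a localised string; '64-bit' is what English builds report.
    $affectedOs = ($os.Version -like '6.1.*') -and ($os.OSArchitecture -eq '64-bit')
    $intelCpu   = $cpu.Manufacturer -eq 'GenuineIntel'   # AMD reports AuthenticAMD
    $hotfix     = Get-HotFix -Id $UpdateKB -ComputerName $ComputerName -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ComputerName    = $ComputerName
        OS              = $os.Caption
        Architecture    = $os.OSArchitecture
        CpuVendor       = $cpu.Manufacturer
        UpdateInstalled = [bool]$hotfix
        # Exposed only when every mitigating factor fails and the fix is absent.
        Exposed         = $affectedOs -and $intelCpu -and -not $hotfix
    }
}

# Constructed host list; in a VMM-managed environment you would enumerate the
# Hyper-V hosts from VMM instead.
$hyperVHosts = 'hv-host1', 'hv-host2'
$hyperVHosts | ForEach-Object { Get-Ms12042Exposure -ComputerName $_ } | Format-Table -AutoSize
```

Run it from a management workstation with WMI and remote registry access to the hosts; an `Exposed = True` row is a host to schedule for the update before anything else.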

Windows Server 2012 Hyper-V Port ACLs

There are many reasons why you might want to isolate virtual machines at the NIC level in Hyper-V.  Maybe you have different tenants on a cloud.  Maybe you have some stuff that has high security requirements.  If so, then there’s a new feature in Windows Server 2012 Hyper-V that you’ll like: Port ACLs (access control lists).

Port ACLs allow you to set rules as follows:

  • Local MAC/IP address: what local address does this apply to?
  • Remote IP/MAC address: what remote address does this apply to?  Can be a specific IP address or network address or a wildcard.
  • Action: Do you want to block, allow, or measure traffic that this rule applies to?
  • Direction: Are you applying this rule to inbound traffic, outbound traffic, or traffic in both directions?

It’s important to note that Port ACLs work at the address level and not at the port or protocol level.  If you need that level of granularity, then check out one of the certified Hyper-V Switch extensions that MSFT partners such as Cisco and 5Nine are producing.

Here’s a pair of sample scripts that I use to demo Port ACLs:

Add-VMNetworkAdapterAcl -VMName VM60 -RemoteIPAddress * -Direction BOTH -Action Deny
Add-VMNetworkAdapterAcl -VMName VM60 -RemoteIPAddress 192.168.1.20 -Direction BOTH -Action Allow
Get-VMNetworkAdapterAcl -VMName VM60

The above script will:

  • Block all traffic to and from a VM called VM60.
  • Allow traffic to and from 192.168.1.20 for VM60.  The allow rule overrides the block rule.
  • The third line displays the Port ACL rules that are applied to VM60.

In the demo, I ping the default gateway (192.168.1.1).  That stops working when I run this script on the host.  And remember, I can move this VM to another switch or another host, and these Port ACLs should still apply.  I then ping 192.168.1.20 and that works fine.  I return to pinging 192.168.1.1 (which fails) and run this script:

Remove-VMNetworkAdapterAcl -VMName VM60 -RemoteIPAddress * -Direction BOTH -Action Deny
Remove-VMNetworkAdapterAcl -VMName VM60 -RemoteIPAddress 192.168.1.20 -Direction BOTH -Action Allow
Get-VMNetworkAdapterAcl -VMName VM60

The above script will remove the rules that I previously added and display the remaining rules (none).  Suddenly the failing ping to 192.168.1.1 starts to work.

Rather than just blocking/allowing traffic, you could choose to measure it.  For example, in a hosting environment you might create a rule to meter for traffic to/from the Internet and bill the customer based on that.

With Port ACLs, you have basic built in firewalling for virtual machines, and you have a way to measure traffic.
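The demo scripts above add and remove rules one line at a time. The following PowerShell is an added example, not code from the original post, that wraps the same Add-/Remove-/Get-VMNetworkAdapterAcl cmdlets so that one rule list both applies and cleanly rolls back a tenant-isolation policy, and then shows the metering case from the hosting example. VM names, addresses and the MAC are constructed; the MeteredMegabytes and Address column names on the Get-VMNetworkAdapterAcl output are assumed. One point worth knowing when reading the deny-all plus allow rules: Hyper-V evaluates Port ACLs by specificity, so the explicit addresses win over the * wildcard whichever order they are added in.

```powershell
# Added example (not from the post): a reusable Port ACL policy for WS2012 Hyper-V.
# All VM names and addresses below are constructed for illustration.

# Default-deny plus an allow list. The most specific matching rule wins, so the
# explicit addresses override the * wildcard regardless of order.
$tenantPolicy = @(
    @{ RemoteIP = '*';                 Direction = 'Both';    Action = 'Deny'  }
    @{ RemoteIP = '192.168.1.20';      Direction = 'Both';    Action = 'Allow' }  # management server
    @{ RemoteIP = '192.168.50.0/24';   Direction = 'Both';    Action = 'Allow' }  # tenant's own subnet
    @{ RemoteMac = '00-15-5D-01-02-03'; Direction = 'Inbound'; Action = 'Deny'  }  # block one MAC, constructed
)

function Set-VMPortAclPolicy {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)] [string[]]    $VMName,
        [Parameter(Mandatory = $true)] [hashtable[]] $Policy,
        [switch] $Remove     # undo the same rule list instead of applying it
    )
    foreach ($vm in $VMName) {
        foreach ($rule in $Policy) {
            # Splat the rule into the cmdlet; IP and MAC rules use different parameters.
            $aclParams = @{ VMName = $vm; Direction = $rule.Direction; Action = $rule.Action }
            if ($rule.ContainsKey('RemoteMac')) { $aclParams.RemoteMacAddress = $rule.RemoteMac }
            else                                { $aclParams.RemoteIPAddress  = $rule.RemoteIP  }

            $target = "$($rule.Action) $($rule.Direction) $($rule.RemoteIP)$($rule.RemoteMac) on $vm"
            if ($Remove) {
                if ($PSCmdlet.ShouldProcess($target, 'Remove Port ACL')) { Remove-VMNetworkAdapterAcl @aclParams }
            } else {
                if ($PSCmdlet.ShouldProcess($target, 'Add Port ACL'))    { Add-VMNetworkAdapterAcl @aclParams }
            }
        }
    }
}

function Show-VMPortAcl {
    param([Parameter(Mandatory = $true)] [string] $VMName)
    # Address and MeteredMegabytes are assumed property names on the ACL setting object;
    # MeteredMegabytes is only populated for rules created with -Action Meter.
    Get-VMNetworkAdapterAcl -VMName $VMName |
        Format-Table Direction, Address, Action, MeteredMegabytes -AutoSize
}

# Apply, verify, then roll back, mirroring the post's two demo scripts.
# -WhatIf on the first call previews the rules without touching the switch port.
$tenantVMs = 'TENANT-A-WEB01', 'TENANT-A-SQL01'
Set-VMPortAclPolicy -VMName $tenantVMs -Policy $tenantPolicy
Show-VMPortAcl -VMName 'TENANT-A-WEB01'
Set-VMPortAclPolicy -VMName $tenantVMs -Policy $tenantPolicy -Remove

# Metering for billing: count, rather than block, everything this VM exchanges with
# any IPv4 remote address (0.0.0.0/0), then read the counter back.
Add-VMNetworkAdapterAcl -VMName 'TENANT-B-WEB01' -RemoteIPAddress 0.0.0.0/0 -Direction Both -Action Meter
Show-VMPortAcl -VMName 'TENANT-B-WEB01'
```

Because the policy is plain data, the same list can be applied on any host the VM migrates to and removed with the same parameters it was added with, which avoids leaving half a ruleset behind when a demo or a tenant is torn down.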

Patching A Windows Server 2012 Failover Cluster, Including Hyper-V

Cluster Aware Updating (CAU) is a new feature that makes running Windows Update or Automatic Updates on a Hyper-V cluster, or any other WS2012 cluster, easier than ever.

If you currently have a Windows Server 2008/R2 Hyper-V cluster, then you have a few options for patching it with no VM downtime:

  • Manually Live Migrate VM workloads (Maintenance Mode in VMM 2008 R2 makes this easier), patch, and reboot each host in turn, which is a time consuming manual task.
  • Use System Center Opalis/Orchestrator to perform a runbook against each cluster node in turn that drains the cluster node of its roles (VMs), patches it and reboots it.
  • Use the patching feature of System Center 2012 Virtual Machine Manager – which is limited to Hyper-V clusters and adds more management to your patching process.

CAU is actually pretty simple:

  1. Have some patching mechanism configured: e.g. enable Automatic Updates on the cluster nodes (e.g. Hyper-V hosts), approve updates in WSUS/ConfigMgr/etc.  Make sure that you exempt your cluster nodes from automatic installation/rebooting in your patching policy; CAU will do this work.
  2. Open Failover Clustering from a machine that is not a member of the cluster (i.e. not a Hyper-V host in that cluster).  Run the CAU wizard.
  3. Here, you can either manually kick off a patching job for the cluster nodes or schedule it to run automatically.  The scheduled automatic option requires that you have deployed a CAU role on the cluster in question to orchestrate the patching.

When a patching job runs the following will happen:

  1. Determine the patches to install per node.
  2. Put node 1 in a paused state (maintenance mode).  This drains it of clustered roles – in other words your Hyper-V VMs will Live Migrate to the “best possible” hosts.  Failover Clustering uses the amount of RAM to determine the best possible host.  VMM’s advantage is that it uses more information to perform Intelligent Placement.
  3. Node 1 is removed from a paused state, enabling it to host roles (VMs) once again.
  4. CAU will wait, then patch and reboot Node 1.
  5. When Node 1 is safely back online, CAU will move onto Node 2 to repeat the operation.

VMs are Live Migrated throughout the cluster as the CAU job runs and each host is put into a paused state (automatically Live Migrating VMs off), patching, rebooting, and un-pausing.  It’s a nice simple operation.

The process is actually quite configurable, enabling you to define variables for decisions, execute scripts at different points, and define a reboot timeout (for those monster hosts).

Something to think of is how long it will take to drain a host of VMs.  A 1 GbE Live Migration network will take an eternity to LM (or vMotion for that matter) 192 GB RAM of VMs, even with concurrent LMs (as we have in Windows Server 2012).
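The three-step setup, the per-node run and the configurability points above map directly onto the ClusterAwareUpdating PowerShell module that ships with Windows Server 2012. The following script is an added example, not part of the original post or of Microsoft's documentation: it estimates how long draining a node will take on the Live Migration network (the concern raised in the last paragraph), checks the cluster's readiness, runs one updating job by hand with a longer reboot timeout and pre/post scripts, adds the self-updating role on a schedule, and reads the report back. The cluster name, node names, script paths and schedule are constructed.

```powershell
# Added example (not from the post): driving CAU from a WS2012 machine that is NOT a
# node of the cluster. Names, paths and the schedule below are constructed.

Import-Module ClusterAwareUpdating

$cluster = 'HVCLUSTER1'

# 0. How long might draining a node take? Sum the RAM assigned to running VMs on the
#    node and divide by the link speed. Optimistic: it assumes the LM network is fully
#    used and every page is copied once, so treat the result as a floor, not a promise.
function Get-NodeDrainEstimate {
    param(
        [Parameter(Mandatory = $true)] [string] $NodeName,
        [double] $LinkGbps = 1      # a 1 GbE Live Migration network, as in the post
    )
    $bytes = [double]((Get-VM -ComputerName $NodeName |
                       Where-Object State -eq 'Running' |
                       Measure-Object -Property MemoryAssigned -Sum).Sum)
    $seconds = ($bytes * 8) / ($LinkGbps * 1e9)
    [pscustomobject]@{
        Node             = $NodeName
        RunningVMRamGB   = [math]::Round($bytes / 1GB, 1)
        LinkGbps         = $LinkGbps
        EstimatedMinutes = [math]::Round($seconds / 60, 1)
    }
}
'hv-node1', 'hv-node2' | ForEach-Object { Get-NodeDrainEstimate -NodeName $_ } | Format-Table -AutoSize

# 1. Readiness check before the first run (WinRM, firewall rules, cluster state).
Test-CauSetup -ClusterName $cluster

# 2. A manual updating run, the scripted equivalent of kicking the wizard off by hand.
#    MaxFailedNodes 0 aborts the run on the first failed node instead of draining the
#    rest of the cluster onto a shrinking set of hosts; RebootTimeoutMinutes is raised
#    for hosts whose POST alone takes minutes; the pre/post scripts are hooks for your
#    own per-node checks (constructed paths).
Invoke-CauRun -ClusterName $cluster `
    -CauPluginName Microsoft.WindowsUpdatePlugin `
    -CauPluginArguments @{ 'IncludeRecommendedUpdates' = 'True' } `
    -MaxFailedNodes 0 -MaxRetriesPerNode 3 `
    -RebootTimeoutMinutes 60 `
    -PreUpdateScript  'C:\CAU\Pre-NodeCheck.ps1' `
    -PostUpdateScript 'C:\CAU\Post-NodeCheck.ps1' `
    -RequireAllNodesOnline -Force

# 3. Scheduled self-updating: the CAU clustered role patches the cluster on the third
#    Tuesday of each month (constructed schedule). -EnableFirewallRules opens the
#    remote shutdown firewall rules CAU needs on every node.
Add-CauClusterRole -ClusterName $cluster `
    -CauPluginName Microsoft.WindowsUpdatePlugin `
    -CauPluginArguments @{ 'IncludeRecommendedUpdates' = 'True' } `
    -DaysOfWeek Tuesday -WeeksOfMonth 3 `
    -MaxFailedNodes 0 -MaxRetriesPerNode 3 -RebootTimeoutMinutes 60 `
    -EnableFirewallRules -Force

# 4. Which node got which update, and whether each node reported success.
Get-CauReport -ClusterName $cluster -Last -Detailed
```

Keep the cluster nodes exempt from automatic installation and reboots in WSUS/ConfigMgr policy, as the post says: if the nodes reboot themselves outside the CAU run, the drain/patch/resume sequence no longer controls when VMs move.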

Sounds nice, eh?  How about you see it in action:


I have edited the video to clip out lots of waiting:

  • These were physical nodes (Hyper-V hosts) and a server’s POST takes forever
  • CAU is pretty careful, and seems to deliberately wait for a while when a server changes state before CAU continues with the task sequence.


Why Hyper-V Fixed VHD Creation Takes “So Long” – Preventing A Genuine Security Risk

Every now and then I hear someone complaining about how long it takes to create a fixed VHD/VHDX.  There’s a very good reason, as this story on NetworkWorld shows:

A forensic IT study by a U.K. security consultancy found that some multi-tenant public cloud providers have "dirty disks" that are not fully wiped clean after each use by a customer, leaving potentially sensitive data exposed to other users.

FYI, AFAIK most of the mentioned companies are using some variant of Xen or vSphere.  The issue here is that Customer A buys a VM and uses it to store data in a virtual disk.  That virtual disk is a file that is stored on physical disk.  Customer A eventually decommissions the VM or their storage is relocated.  Now think about what a delete really is; it’s not a secure delete.  Deleting a file simply removes the entries from the file system table.  The 1’s and 0’s are still there, waiting to be read.

Now along comes Hacker B who buys a VM and deploys it.  Their VHD is placed over the same location of physical disk as Customer A’s old VM.  Without any security measures, Hacker B can simply run a disk scan tool, from within their VM, and find those 1’s and 0’s, pretty much doing some disk forensics to restore the “deleted” data that Customer A previously stored in their VM.  And that’s exactly what that study found was possible with a number of public cloud providers:

… Rackspace and VSP.net had the vulnerability.

The Microsoft developers of VHD/VHDX were aware of this and took measures to prevent it.  When you create a fixed VHD/VHDX, the contents of the file are wiped as it is created.  This prevents access to data that was previously on the underlying physical disk.  Disk forensics will get you nowhere.

A number of 3rd party tools are out there to instantly create fixed VHDs, but they skip this wipe in order to speed up the process, thus putting the hosting company at risk of this threat.  In this case, it is a matter of balancing a genuine security risk (especially in a public cloud) versus performance (of deploying new virtual machine storage while the customer watches a progress bar on a web portal).
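The two paragraphs above make one claim worth verifying on your own storage: the time New-VHD spends on a fixed disk is the wipe, and a disk produced by an "instant" tool may not have had it. The following PowerShell is an added example, not code from the original post or from Microsoft: it times the creation of a fixed VHD and then spot-checks a fixed .vhd by reading random 64 KB chunks from its data area and comparing each chunk's hash with the hash of an all-zero chunk. It handles only fixed .vhd files, whose layout is a raw image followed by a 512-byte footer; VHDX keeps headers and metadata in its first megabytes, so it is rejected rather than mis-sampled. The path and size are constructed.

```powershell
# Added example (not from the post): time a fixed VHD creation, then spot-check that
# the data area really is zero-filled. Path and size are constructed.

function Test-FixedVhdZeroFilled {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)] [string] $Path,
        [int] $SampleCount = 256,
        [int] $ChunkSize   = 64KB
    )
    if ([IO.Path]::GetExtension($Path) -ne '.vhd') {
        throw "Only fixed .vhd files are supported (VHDX layout differs): $Path"
    }
    $vhd = Get-VHD -Path $Path
    if ($vhd.VhdType -ne 'Fixed') { throw "$Path is $($vhd.VhdType), not Fixed" }

    # Comparing hashes avoids a slow byte-by-byte loop in PowerShell.
    $sha      = [Security.Cryptography.SHA256]::Create()
    $zeroHash = [BitConverter]::ToString($sha.ComputeHash((New-Object byte[] $ChunkSize)))
    $buffer   = New-Object byte[] $ChunkSize
    $rng      = New-Object System.Random
    $dirty    = New-Object System.Collections.Generic.List[long]

    $stream = [IO.File]::Open($Path, [IO.FileMode]::Open, [IO.FileAccess]::Read, [IO.FileShare]::Read)
    try {
        $dataLength = $stream.Length - 512      # exclude the 512-byte fixed-VHD footer
        $lastStart  = $dataLength - $ChunkSize
        for ($i = 0; $i -lt $SampleCount; $i++) {
            $offset = [long]($rng.NextDouble() * $lastStart)
            $stream.Position = $offset
            $read = $stream.Read($buffer, 0, $ChunkSize)
            $hash = [BitConverter]::ToString($sha.ComputeHash($buffer, 0, $read))
            # A short read can only happen at the very end; it fails the hash test too.
            if ($read -ne $ChunkSize -or $hash -ne $zeroHash) { $dirty.Add($offset) }
        }
    } finally {
        $stream.Dispose()
    }

    [pscustomobject]@{
        Path           = $Path
        SizeGB         = [math]::Round($vhd.Size / 1GB, 1)
        SamplesRead    = $SampleCount
        NonZeroSamples = $dirty.Count
        Clean          = ($dirty.Count -eq 0)
        DirtyOffsets   = $dirty
    }
}

# Creation time grows with size because Hyper-V writes the whole file; the spot check
# on the result should report Clean = True.
$path    = 'D:\VHDs\tenant-a-data.vhd'      # constructed
$elapsed = Measure-Command { New-VHD -Path $path -SizeBytes 20GB -Fixed | Out-Null }
'Created {0} in {1:n0} s' -f $path, $elapsed.TotalSeconds
Test-FixedVhdZeroFilled -Path $path
```

Point the same function at a fixed VHD produced by one of the instant-creation tools before you let it near tenant storage: any non-zero sample means the tool allocated the file without wiping it, which is exactly the dirty-disk condition the study describes. A clean result is a sample, not a proof, so raise SampleCount for large disks when the answer matters.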

The story continues to report that the mentioned affected hosting companies resolved the issue after they were informed.

Microsoft Updates The Free Security Essentials Antivirus

According to Neowin, Microsoft has released a new version of Microsoft Security Essentials (MSE), their free antivirus protection for PCs.  It supports:

  • Windows XP Service Pack 3 (SP3)
  • Windows Vista (Service Pack 1, or Service Pack 2)
  • Windows 7

Yes, Windows XP and Windows Vista are both still supported for this new development, even though they are both in extended support.  You can understand this exception when you consider the reason for MSE’s existence.  It exists to help prevent the spread of malware on PCs that otherwise would not be protected:

  • People who get free 90 days of AV with an OEM PC but never buy the subscription
  • People who can’t afford to or won’t buy AV

One of the best stories we have of MSE locally was when we did a community launch event for Windows 7 in Belfast.  We talked about MSE and how it could help defend against Conficker which was all the rage with unpatched PCs at the time (and unfortunately still is thanks to negligent [IMO] admins/managers).  Irish DPE, Dave Northey, saw a photographer was taking photos on behalf of the venue and asked for a copy of some of the photos.  The photographer came over at the end of the event with a USB stick.  Dave joked that he hoped that Conficker wasn’t on the stick – MSE was on Dave’s laptop and screamed about finding Conficker on the photographer’s USB device.

You might ask about support for Windows 8.  Good question.  Windows 8 comes with Defender built in (more later).  Defender in Windows 8 is not the Defender of old.  It actually is anti-spyware and antivirus, meaning that you don’t need to download/install MSE on it.

Built-in AV, eh?  Imagine what Symantec’s lawyers, the EU, and so on will think of that!  Many of us are presented with a browser chooser when we setup Windows 7 for the first time.  I wouldn’t be surprised if we see something similar for AV.  Personally, I’d stick with Windows 8 Defender, but there’s nothing to stop you from choosing an alternative.  I wouldn’t be surprised if OEMs continue to ship subsidised trial copies of AV and retail stores continue to push AV boxes on customers with their PC/laptop/tablet purchase.  You still have a choice, but at least with Windows 8, you have protection by default.

Adobe Acrobat Update Service And Adobe Flash Player Update Service, You Gotta Be Kidding Me!

When you installed the recent update for Adobe products, were you required to reboot?  Wonder why?


Look what’s turned up on my PC at work!  I’ve now got two services for updating a minor utility and a plugin that I cannot wait for HTML5 to kill off.

Think about it: Adobe is one of the most attacked software vendors out there, and probably their products are the ones that I update most often on my own and work machines.  Why the hell would I trust them to run a service on my computer?  Hackers must love the presence of these services.

I have uninstalled Adobe Reader (removed the Adobe Acrobat Update Service) from my work computer and switched to Foxit, a product that understands that it is a minor utility.  I’ve also disabled the Adobe Flash Player Update Service.

BTW, we don’t need an Adobe update service at work – we’ve been pushing out Adobe updates via System Center.


Will Windows 8 Metro & Microsoft Store Increase Our Security?

As yet another Java update (only thing more frequent is Adobe) is installed on my work PC, I wonder how many people have disabled auto updates or fail to deploy updates in a “managed” environment.  This morning, I woke up, checked my iPad *gasp* and noticed there was an update to the Netflix app to solve a login problem I’d been having.  Nice, and a bunch of other apps wanted updates too.  Sure, why not?  I’d update the lot with a click.

If you’ve spent some time with the Windows 8 Consumer Preview then you’ve seen something similar.  The Store tile updates with a number to show how many updates are available, which you can then install with a tap/click.

Metro apps can only be installed/updated via the Store.  That means as soon as a publisher has a new version, they load it into the store, and we just update.  So in theory, if they fix something (a bug or security issue), we can update with a click.

That should increase our security levels.  We’ll be aware of updates via the tile, just like when the AppStore icon on iOS shows a red number in the corner.  The question is, will the users click that?  Remember that rule #1 says users are stupid. 

I hope businesses get a way to force updates.  I’d love to see the Windows Update service pull down and install Metro app updates.  We can force that nicely, and it would give us a single update mechanism.  But the flaw there is those consumer focused WOA (Windows on ARM) tablets with no domain membership.  We’ve heard whispers of a business friendly app store.  Maybe that will exist, and maybe it’ll give us an update policy engine.  Who knows!?!?!?  I guess we’ll learn more in the coming months.

But what I do know is that updates will be easier and quicker for publisher and user alike, and that will make apps on the desktop more secure.
