# Analyse Memory Of Saved State VMs – And Host Security

Posted 2 February 2010 on aidanfinn.com (https://aidanfinn.com/?p=10326). Categories: Hyper-V. Tags: Hyper-V, Virtualisation, VMM.

Ben Armstrong (MS virtualisation whiz, The Virtual PC Guy) [blogged](http://blogs.msdn.com/virtual_pc_guy/archive/2010/02/01/hyper-v-vm-state-to-memory-dump-converter.aspx) overnight about a tool that allows administrators or developers to get at and analyse the contents of RAM in a saved state Hyper-V VM. The tool is called [VM2DMP](http://code.msdn.microsoft.com/vm2dmp). It converts the saved state memory of a Hyper-V VM into a DMP file that DMP analysis tools can load up.

This brings up a question: security. Let's forget about TV shows like 24 and movies like The Net. That stuff *can* be fun. Sit back and think: what is the easiest way to gain access to some piece of data or files? The answer is simple. Gain physical access and literally steal the disks.

If I had access to a saved state VM then in theory (if I had the skills) I could use that tool to convert the memory, poke around and gain access to sensitive items that were stored in RAM.

Virtualisation makes this even easier. You don't have to remove the disks because they're files. Gain access to the host and away you go. I remember when I started working on server virtualisation and having a chat with my cousin, who is a senior security consultant with a major international company. His previous role had him working in a lab, and the projects were to think up scenarios and find threats. So he asked me: "how do you secure VMs when they are only files?"

It's possible. But you've got to do all the right things.

Security starts and ends with physical access. Control access to the computer room(s) and monitor that access. Be very strict about it. The data centre I work in doesn't care if they see you every day. If you are not expected or not properly processed then you don't get past the front door. It sounds inflexible, and it is. But damn is that place secure!

Hyper-V runs on Windows Server 2008 and Windows Server 2008 R2. You have the option of enabling BitLocker on the host. That'll work on standalone hosts but [not on a cluster](http://support.microsoft.com/default.aspx/kb/947302).

Maintain control of who can log into the host. You've got to treat host logon permissions the same way as you would treat computer room access. That logon prompt and those drive access rights must be at least as important as access through the door. If you can log into a host or gain access to its drives remotely then the door is wide open to play.

There is no need to give access (administrative or interactive logon) to a host beyond the virtualisation team. Rights can be delegated. The ideal solution for that is VMM. You can allow delegated administrators to do admin work via the VMM console. Members of self-service roles can use the portal to deploy and manage VMs. If you don't have VMM then you can use the [Hyper-V authorisation manager](http://technet.microsoft.com/en-us/library/dd283030(WS.10).aspx) to delegate access.

And yes, you *can* enable RDP and connect into a VM that way.

Most of this stuff goes back to the basics of what you should be doing already. Membership of Domain Admins should be very limited. Nested groups and local group population via Group Policy (Restricted Groups) allow delegation. Give only the access that is required. Treat physical access like getting into somewhere like the NSA. Use the right tools for the right reasons and don't be lazy. And the stuff I'm talking about here is not unique to Hyper-V. You need to take precautions with all hardware virtualisation solutions.

The tool that Ben blogged about has legitimate uses; just be sure that only the right people get to use it on your Hyper-V hosts.