Understanding AzMan In Hyper-V
1. Understanding AzMan in Hyper-V
Lai YoongSeng, MVP: Virtual Machine
www.ms4u.info
Technical Consultant, Redynamics
2. Agenda
- Who is AzMan?
- How AzMan works
- Configure AzMan
- Why use AzMan?
- Auditing
- Troubleshooting
3. Who is AzMan?
Not "who" but "What is AzMan?"
- AzMan, also known as Authorization Manager, is a GUI for configuring security in Hyper-V.
- Role-Based Access Control (RBAC) is the model it uses.
4. How AzMan Works
- Access to resources is based on Role Definitions, not on Access Control Lists (ACLs).
- Roles are based on a list of Tasks that are defined in a Role Definition. The Role Definition is then associated with a Role Assignment.
- Only one default role is defined in Hyper-V: Administrator.
- The built-in local Administrators group is automatically added to the Administrator Role Assignment.
5. Access AzMan
- To access: Start | Run | type Azman.msc
- Azman.msc is the primary method for defining and managing permissions for Hyper-V.
- Open Authorization Stores.
6. Configure AzMan
Note: back up InitialStore.xml before modifying it.
Configure Role Assignment: add a non-administrator user with full permission on the Hyper-V server.
7. Configure AzMan
Create Task. A task is a grouping of operations. Example: a "Control VM" task to which the Start, Stop and Restart VM operations are assigned.
8. Configure AzMan
Create Role Definition, to limit the operations allowed on the Hyper-V server. Example: an "Operator" role that is assigned the Control VM task.
11. Why use AzMan?
- More secure: it limits the operations that can be performed on Hyper-V hosts.
- Secure either the entire Hyper-V host or individual virtual machines.
12. Secure by Virtual Machine
Step 1: Create Scope
Step 2: Create Role
Step 3: Assign Role
Step 4: Create New VM
Step 5: Set the scope of the VM by using 4 scripts (contributed by Tony Soper)
GUI? Sorry, no GUI.
13. Script #1: CreateVMInScope.vbs

```vbscript
Option Explicit
Dim WMIService, VMManagementService, VMName, VMScope
Dim VMSystemGlobalSettingData, Result

VMName  = InputBox("Specify the name for the new virtual machine:")
VMScope = InputBox("Specify the scope to be used for the new virtual machine:")

' Get an instance of the WMI service in the virtualization namespace.
Set WMIService = GetObject("winmgmts:\\.\root\virtualization")

' Get the VMManagementService object.
Set VMManagementService = WMIService.ExecQuery("SELECT * FROM Msvm_VirtualSystemManagementService").ItemIndex(0)

' Initialize the global settings for the new VM.
Set VMSystemGlobalSettingData = WMIService.Get("Msvm_VirtualSystemGlobalSettingData").SpawnInstance_()

' Set the name and the AzMan scope the VM will reside in.
VMSystemGlobalSettingData.ElementName      = VMName
VMSystemGlobalSettingData.ScopeOfResidence = VMScope

' Create the VM (default settings, placed directly in the scope).
Result = VMManagementService.DefineVirtualSystem(VMSystemGlobalSettingData.GetText_(1))
```
14. Script #2: DisplayVMScopes.vbs

```vbscript
Option Explicit
Dim WMIService, VMList, VM, VMSystemGlobalSettingData, Message

' Set up the start of the message string.
Message = "Virtual Machines and their scope of residence" & Chr(10) _
        & "========================================"

' Get an instance of the 'virtualization' WMI service on the local computer.
Set WMIService = GetObject("winmgmts:\\.\root\virtualization")

' Get all the Msvm_ComputerSystem objects (the host appears here too, hence the Caption check).
Set VMList = WMIService.ExecQuery("SELECT * FROM Msvm_ComputerSystem")

For Each VM In VMList
    If VM.Caption = "Virtual Machine" Then
        ' The global setting data carries the ScopeOfResidence property.
        Set VMSystemGlobalSettingData = (VM.Associators_("Msvm_ElementSettingData", "Msvm_VirtualSystemGlobalSettingData")).ItemIndex(0)
        Message = Message & Chr(10) & "VM: " & VM.ElementName
        Message = Message & Chr(10) & "Scope: " & VMSystemGlobalSettingData.ScopeOfResidence
        Message = Message & Chr(10)
    End If
Next

WScript.Echo Message
```
15. Script #3: ClearVMScope.vbs

```vbscript
Option Explicit
Dim WMIService, VMList, VM, VMSystemGlobalSettingData, VMManagementService, Result

' Get an instance of the 'virtualization' WMI service on the local computer.
Set WMIService = GetObject("winmgmts:\\.\root\virtualization")

' Get the VMManagementService object.
Set VMManagementService = WMIService.ExecQuery("SELECT * FROM Msvm_VirtualSystemManagementService").ItemIndex(0)

' Get all the Msvm_ComputerSystem objects.
Set VMList = WMIService.ExecQuery("SELECT * FROM Msvm_ComputerSystem")

' Clear the scope of every VM on the host, so only host-level role assignments apply.
For Each VM In VMList
    If VM.Caption = "Virtual Machine" Then
        Set VMSystemGlobalSettingData = (VM.Associators_("Msvm_ElementSettingData", "Msvm_VirtualSystemGlobalSettingData")).ItemIndex(0)
        VMSystemGlobalSettingData.ScopeOfResidence = ""
        Result = VMManagementService.ModifyVirtualSystem(VM.Path_.Path, VMSystemGlobalSettingData.GetText_(1))
    End If
Next
```
16. Script #4: ChangeVMScope.vbs

```vbscript
Option Explicit
Dim WMIService, VM, VMManagementService, VMSystemGlobalSettingData
Dim VMName, VMScope, Result

' Set up variables for the VM we are looking for, and the scope to assign it to.
VMName  = InputBox("Specify the virtual machine to change scope on:")
VMScope = InputBox("Specify the new scope to be used:")

' Get an instance of the WMI service in the virtualization namespace.
Set WMIService = GetObject("winmgmts:\\.\root\virtualization")

' Get the VMManagementService object.
Set VMManagementService = WMIService.ExecQuery("SELECT * FROM Msvm_VirtualSystemManagementService").ItemIndex(0)

' Get the VM object that we want to modify.
Set VM = (WMIService.ExecQuery("SELECT * FROM Msvm_ComputerSystem WHERE ElementName='" & VMName & "'")).ItemIndex(0)

' Get the VirtualSystemGlobalSettingData of the VM we want to modify.
Set VMSystemGlobalSettingData = (VM.Associators_("Msvm_ElementSettingData", "Msvm_VirtualSystemGlobalSettingData")).ItemIndex(0)

' Change the ScopeOfResidence property.
VMSystemGlobalSettingData.ScopeOfResidence = VMScope

' Update the VM with ModifyVirtualSystem.
Result = VMManagementService.ModifyVirtualSystem(VM.Path_.Path, VMSystemGlobalSettingData.GetText_(1))
```
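Once VMs have been placed in scopes, the thing to verify is that each scope named on a VM actually exists in the authorization store and carries the role assignments you intended, and that no VM was left with an empty scope (host-wide roles then apply). The following PowerShell is an added example, not part of the deck or of Tony Soper's scripts; it assumes Windows Server 2008 / 2008 R2 Hyper-V (root\virtualization, as the scripts above use), an AzMan version that exposes RoleAssignments (Server 2008 or later), the default store path below, and an elevated session on the host.

```powershell
# Added example: audit the Hyper-V AzMan store against the live VMs on the host.
# Assumed default store path; adjust if the store was moved or VMM replaced it.
$StorePath = 'C:\ProgramData\Microsoft\Windows\Hyper-V\InitialStore.xml'

# Open the existing store read-only (flag 0) through the AzRoles COM API and the
# "Hyper-V services" application that holds the operations, tasks, roles and scopes.
$store = New-Object -ComObject AzRoles.AzAuthorizationStore
$store.Initialize(0, "msxml://$StorePath", $null)
$app = $store.OpenApplication('Hyper-V services', $null)

# Summarise the role assignments of a container (the application or one scope).
function Get-RoleAssignmentSummary($container) {
    foreach ($ra in @($container.RoleAssignments)) {
        $defs = @($ra.RoleDefinitions | ForEach-Object { $_.Name })
        '{0} -> [{1}] members: {2}' -f $ra.Name, ($defs -join ','), (@($ra.MembersName) -join ';')
    }
}

# Index every scope defined in the store by name (ScopeOfResidence must match it).
$scopes = @{}
foreach ($scope in @($app.Scopes)) {
    $scopes[$scope.Name] = @(Get-RoleAssignmentSummary $scope)
}

Write-Host 'Application-level (host-wide) role assignments:'
Get-RoleAssignmentSummary $app | ForEach-Object { Write-Host "  $_" }

# Map each VM to its ScopeOfResidence and flag the two cases worth reviewing:
# an empty scope (only host-wide roles apply) and a scope the store does not define.
$vms = Get-WmiObject -Namespace root\virtualization -Class Msvm_ComputerSystem |
       Where-Object { $_.Caption -eq 'Virtual Machine' }
foreach ($vm in $vms) {
    $gsd   = @($vm.GetRelated('Msvm_VirtualSystemGlobalSettingData'))[0]
    $scope = $gsd.ScopeOfResidence
    if ([string]::IsNullOrEmpty($scope)) {
        Write-Host ('VM {0}: no scope set, host-wide roles apply' -f $vm.ElementName)
    } elseif (-not $scopes.ContainsKey($scope)) {
        Write-Host ("VM {0}: scope '{1}' is not defined in the store" -f $vm.ElementName, $scope)
    } else {
        Write-Host ("VM {0}: scope '{1}'" -f $vm.ElementName, $scope)
        $scopes[$scope] | ForEach-Object { Write-Host "  $_" }
    }
}
```

The store is only read here; a VM reported with an undefined scope is reachable only through the application-level assignments, which is usually a typo in the scope name rather than an intended lock-down.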
18. What Happens When the Host Joins a Domain?
- The Domain Admins group will have full permission to create and manage VMs on the host servers.
- The Administrator Role Assignment is set to Domain Admins.
19. What Happens When the Host Is Added into VMM?
- VMM creates a copy of the store and keeps it in ProgramData\Microsoft\Virtual Machine Manager\HyperVAuthStore.xml.
- By default:
  - VMM Administrators are given full access to the VMs and Hyper-V, including console access to the VMs.
  - VMM Delegated Administrators have no access to the VMs or Hyper-V.
  - End User Role members are given console access to a VM if their User Role has this privilege defined.
- This means that any privileges defined in the old AzMan file will be lost once VMM takes control of the host.
- When the Hyper-V host is removed from VMM management, it reverts to InitialStore.xml.
21. Auditing
- On local hosts: use Local Security Policy | Audit Policy and enable "Audit object access".
- On a domain: in the GPO, open Computer Configuration | Windows Settings | Security Settings | Local Policies | Audit Policy, and then double-click "Audit directory service access".
22. Troubleshooting AzMan
Refer to Event Viewer:
- Open Windows Logs | Security
- Open Applications and Services Logs | Microsoft | Windows | Hyper-V-VMMS and Hyper-V-Worker
More information: http://technet.microsoft.com/en-us/library/dd581761(WS.10).aspx