I saw this in my inbox from Jeff Woolsey and thought I’d share. Jeff is a Principal Program Manager at Microsoft for Windows Server and Cloud and the leading expert on Virtualization and Private Cloud within the company. We get questions all the time about the security of Hyper-V and Windows products in general and I love Jeff’s answer.


-------------------------------------------------------------------

Q: I read an article where a non-administrator was able to access VMware files such as the virtual machine disks and the virtual machine saved state and then able to view the in memory contents of the VM such as passwords. The article is here:

http://pen-testing.sans.org/blog/2012/08/03/pen-test-privilege-escalation-through-suspended-virtual-machines

I’m concerned about who has access to what virtual machines files and wondering about Hyper-V. Should I be concerned?

A: No. After 10+ years of Trustworthy and the Secure Development Lifecycle (SDL), Microsoft designs, develops and tests its products to be secure by default. In the blog post using VMware, a non-administrator is able to access the virtual machine’s files such as the in-memory state (the saved state) of the virtual machine itself. The Hyper-V team long understood this could be an attack vector and ensures that Hyper-V ships secure by default. Specifically, the attack depends on reading the contents of .vhd/.vhdx files on the host with a non-administrative privilege.

This simply isn’t possible in Hyper-V without an administrator delegating access.

In ALL versions of Hyper-V, going back to the initial release of Hyper-V for Windows Server 2008, the guest data files are ACL’ed for: System Administrators and for the Specific VM. In Windows Server 2012, there is a new Hyper-V Administrators group, however, users need to be delegated access to this group by an administrator. By default, there are no users in this group. Thus, in Hyper-V a non-administrative account on the machine will NOT have permissions to read the .vhd/.vhdx files in the first place. This is secure by default.
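The answer above rests on the ACLs Hyper-V places on guest data files. A host administrator can confirm that the defaults are still intact (rather than loosened by an inherited share permission or a well-meaning "Everyone: Read" ACE added later) with an audit script like the one below. This is an added example written for this post, not code from Jeff or from the Hyper-V team. It assumes the Hyper-V PowerShell module is present and that the expected principals on a VHD are SYSTEM, BUILTIN\Administrators, the Hyper-V Administrators group mentioned above, and the per-VM virtual accounts under the `NT VIRTUAL MACHINE\` authority; the group-membership check uses `Get-LocalGroupMember`, which ships with Windows Server 2016 and later, so on Windows Server 2012 that part is skipped.

```powershell
# Added example (not from the original post): audit the ACL on every virtual
# hard disk attached to a Hyper-V VM and report any ACE that grants read
# access to a principal outside the expected set. Run on the Hyper-V host.
#Requires -RunAsAdministrator
#Requires -Modules Hyper-V

# Assumption: these are the principals that should appear on VM disk files.
$expectedPrincipals = @(
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    'BUILTIN\Hyper-V Administrators'
)

function Test-ExpectedPrincipal {
    param([string]$Identity)
    if ($expectedPrincipals -contains $Identity) { return $true }
    # Assumption: Hyper-V grants each VM its own virtual account under this
    # authority (e.g. "NT VIRTUAL MACHINE\<VM GUID>"), so treat those as expected.
    return $Identity -like 'NT VIRTUAL MACHINE\*'
}

$readData = [System.Security.AccessControl.FileSystemRights]::ReadData

$findings = foreach ($vm in Get-VM) {
    foreach ($disk in Get-VMHardDiskDrive -VMName $vm.Name) {
        # Pass-through physical disks have no file path; nothing to audit here.
        if (-not $disk.Path) { continue }
        $acl = Get-Acl -LiteralPath $disk.Path
        foreach ($ace in $acl.Access) {
            $grantsRead = ([int]$ace.FileSystemRights -band [int]$readData) -ne 0
            if ($ace.AccessControlType -eq 'Allow' -and $grantsRead -and
                -not (Test-ExpectedPrincipal $ace.IdentityReference.Value)) {
                [pscustomobject]@{
                    VM        = $vm.Name
                    Path      = $disk.Path
                    Principal = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited   # inherited ACEs usually come from the folder
                }
            }
        }
    }
}

if ($findings) {
    Write-Warning "Unexpected read access found on VM disk files:"
    $findings | Format-Table -AutoSize
} else {
    Write-Host "All VM disk files are readable only by the expected principals."
}

# Delegation check: the Hyper-V Administrators group is empty by default, so
# every member listed here was added deliberately and should be accounted for.
if (Get-Command Get-LocalGroupMember -ErrorAction SilentlyContinue) {
    $members = Get-LocalGroupMember -Group 'Hyper-V Administrators' -ErrorAction SilentlyContinue
    if ($members) {
        Write-Host "Members of Hyper-V Administrators (review these delegations):"
        $members | Select-Object Name, ObjectClass, PrincipalSource | Format-Table -AutoSize
    } else {
        Write-Host "Hyper-V Administrators group has no members (the default)."
    }
}
```

Inherited ACEs are worth singling out in the output: the VM-specific and SYSTEM entries are applied by Hyper-V directly on the file, so a read grant that arrived by inheritance almost always points at the storage folder or share being more permissive than the VM files were meant to be.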