April, 2009

  • TONYSO

    Hyper-V Security Guide Is Live

    • 1 Comments

    The Solution Accelerator team has published the Hyper-V Security Guide; check it out. No sign-in is required for the download. It includes:

    • Prescriptive guidance for hardening the Hyper-V role, including several best practices for installing and configuring Hyper-V with a focus on security. These best practices include measures for reducing the attack surface of Hyper-V as well as recommendations for properly configuring secure virtual networks and storage devices.
    • Prescriptive guidance to help IT professionals safely and securely delegate administrative access to virtual machine resources using tools such as System Center Virtual Machine Manager.
    • Prescriptive guidance for securing virtual machine resources, including best practices and detailed steps for protecting virtual machines by using a combination of file system permissions, encryption, and auditing.

    See also:

    · Hyper-V Planning and Deployment Guide: Planning for Hyper-V Security

    · Windows Server 2008 Security Compliance Management Toolkit

    · GPOAccelerator tool and guidance

    · Infrastructure Planning and Design guides

    · Microsoft Deployment Toolkit 2008 page on Microsoft TechNet

    · Microsoft Windows Security Resource Kit

    · Security Solution Accelerator page on Microsoft TechNet

  • TONYSO

    Hyper-V How To: Understand Hyper-V Architecture

    • 1 Comments

    Understanding the Hyper-V architecture can help you understand how to better secure Hyper-V. This excerpt from the Hyper-V Security Guide helps to explain:


    “After you install the Hyper-V role, all of the operating system instances on the physical computer run as virtual machines. Even the instance of Windows Server 2008 that you use to create and manage the virtual machines is a virtual machine; this instance is the management operating system. You use the management operating system specifically to create and manage virtual machines.

    Hyper-V uses a microkernelized approach in which the hypervisor is very small and allows no third-party code to run within it. The hypervisor, which is a core component of Hyper-V, is a thin layer of software between the hardware and the operating system. The hypervisor allows multiple operating systems to run unmodified on a single physical computer at the same time. Because any unknown security vulnerabilities included in Hyper-V could compromise the security of the management operating system and the virtual machines, Microsoft has carefully reviewed and tested the Hyper-V source code to minimize this risk. In addition, the hypervisor component was designed with minimal configuration requirements to reduce its complexity and attack surface. (For more information on the Hyper-V virtualization architecture, see An Introduction to Hyper-V in Windows Server 2008 on Microsoft TechNet.)”

  • TONYSO

    Hyper-V How To: Troubleshoot Hyper-V

    • 1 Comments

    The Hyper-V Health Model is live on TechNet. The Health Model contains troubleshooting content to help you manage Hyper-V, and covers:


    For example, some of you have been searching for error ID 14050 with the string "Failed to register service principal name" in your error log.

    VMMS: Event ID 14050

    The Virtual Machine Management Service (Vmms.exe) is the service that uses WMI to perform Virtual System Management related operations in Hyper-V and the Hyper-V Manager.

    Event Details

    Event ID:
    14050

    Source:
    Microsoft-Windows-Hyper-V-VMMS

    Symbolic Name:
    MSVM_VMMS_REGISTER_SPN_ERROR

    Message:
    Failed to register service principal name.

    Restart VMMS

    Vmms.exe (by default in the %windows%\system32 directory) is the service that uses the Msvm_VirtualSystemManagementService WMI object to perform Virtual System Management related operations in Hyper-V and the Hyper-V Manager. A number of different settings and actions on virtual machines may cause the VMMS to time out or shut down.

    Ensure a connection to a Domain Controller, and then restart the Virtual Machine Management Service (VMMS).

    To restart VMMS using the Service Manager:

    1. In the Hyper-V Manager click the server on which you want to stop the service, then click Action, then click Stop Service.

    2. Click Action, and then click Start Service.

    To restart the VMMS service using the command prompt:

    1. On the computer that has the stopped service, open a command prompt as local administrator and type the following:

    net stop nvspwmi

    If the service is not running, you will see the error "The Hyper-V Networking Management service is not started."

    2. On the command prompt, type the following command to start the nvspwmi service:

    net start nvspwmi

    If the service starts, you will see the message "The Hyper-V Networking Management service was started successfully."

    To restart VMMS using PowerShell:

    1. On the computer that has the stopped service, open a command prompt as local administrator and type the following:

    C:\PS>restart-service vmms

    If this error occurs only with Windows Server 2008 x86 virtual machines that were created in Virtual Server or Virtual PC, then the HAL may not be set as ACPI.

    To check this:

    1. On the virtual machine, open an elevated Command Prompt window.

    2. Type devmgmt.msc to open the Device Manager.

    3. Click the computer node. If you see “Advanced Configuration and Power Interface (ACPI) PC” you must change the HAL.

    To change the HAL on the virtual machine:

    1. On the virtual machine, open an elevated Command Prompt window.

    2. Type msconfig.exe

    3. Click the Boot tab

    4. Click the Detect HAL checkbox

    5. Click OK twice to close and restart the virtual machine.

    6. After the virtual machine is restarted, open Device Manager; the computer node listing should be “ACPI x86-based PC.”

    Note: If you see performance issues when starting this virtual machine in the future, you should turn off the "Detect HAL" setting, since it is no longer required.

    Verify

    Check that the VMMS service is in the running state in the Service Control Manager and that the failed operation now succeeds.

    We’d like to hear from you how we can improve this content, leave comments, and thanks in advance.
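The Event ID 14050 procedure above (confirm domain connectivity, restart VMMS, verify) as a script. This is an added example, not part of the Health Model content; it assumes PowerShell 2.0 or later, an elevated session on a domain-joined Hyper-V host, and the service name vmms from the PowerShell step above. The function name and the `WaitSeconds` parameter are hypothetical.

```powershell
# Added example: restart VMMS only after confirming domain connectivity,
# then check that Event ID 14050 does not come back.
# Assumptions: PowerShell 2.0+, elevated session, domain-joined host.
function Repair-VmmsSpnRegistration {        # hypothetical name
    param(
        [int]$WaitSeconds = 60               # how long to watch for a recurrence
    )

    # Source and Event ID exactly as listed in the event details above.
    $filter = @{
        ProviderName = 'Microsoft-Windows-Hyper-V-VMMS'
        Id           = 14050
    }

    # 1. SPN registration needs a domain controller, so check the machine's
    #    secure channel first. Restarting without it only repeats the error.
    if (-not (Test-ComputerSecureChannel)) {
        throw 'No working secure channel to a domain controller; fix that before restarting VMMS.'
    }

    # 2. Note the most recent failure so the report shows what was being fixed.
    $lastFailure = Get-WinEvent -FilterHashtable $filter -MaxEvents 1 -ErrorAction SilentlyContinue

    # 3. Restart the Virtual Machine Management Service.
    $restartedAt = Get-Date
    Restart-Service -Name vmms -ErrorAction Stop

    # 4. Verify: the service must reach Running (throws on timeout).
    $svc = Get-Service -Name vmms
    $svc.WaitForStatus('Running', [TimeSpan]::FromSeconds(30))

    # 5. Verify: no new 14050 events logged since the restart.
    Start-Sleep -Seconds $WaitSeconds
    $filter['StartTime'] = $restartedAt
    $recurred = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

    New-Object PSObject -Property @{
        LastFailureBefore = if ($lastFailure) { $lastFailure.TimeCreated } else { $null }
        RestartedAt       = $restartedAt
        ServiceStatus     = (Get-Service -Name vmms).Status
        NewFailures       = $recurred.Count
        Fixed             = ($recurred.Count -eq 0)
    }
}

Repair-VmmsSpnRegistration -WaitSeconds 60 | Format-List
```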

  • TONYSO

    Hyper-V How To: Fix “check BIOS settings” error

    • 1 Comments

    Many of you have been looking for help on the Hyper-V setup error “Hyper-V launch failed; No-execute (NX) or DEP not enabled on processor %1 (check BIOS settings).”

    Hypervisor Availability: Event ID 52

    Event Details

    Event ID:
    52

    Source:
    Microsoft-Windows-Hyper-V-Hypervisor

    Symbolic Name:
    HV_EVENTLOG_BAL_NOEXECUTE_NOT_ENABLED

    Message:
    Hyper-V launch failed; No-execute (NX) or DEP not enabled on processor %1 (check BIOS settings).

    Check BIOS No Execute setting

    Hyper-V requires hardware support, including: an x64 CPU; VT (Intel) or AMD-V (AMD) hardware extensions; No eXecute (NX)/eXecute Disable (XD) and full BIOS support for hardware virtualization.

    Check your physical computer's BIOS settings to ensure that the No Execute BIOS setting is enabled, then turn off the power to your physical computer. Restart the physical computer. NOTE: resetting the physical computer is not sufficient.

    You can use the Virtualization Detect (DetectVp.EXE) tool to check if the physical machine meets the requirements for Microsoft Virtualization Software. This test checks virtualization support for both Intel and AMD processors.

    To download the WDK .iso file:

    1 - Go to the Microsoft Connect Web site at http://go.microsoft.com/fwlink/?LinkID=100623 and sign in with your Windows Live ID.

    2 - Enter the Microsoft Connect Web site. Click Connection Directory.

    3 - Click Developer Tools, and then click "Windows Driver Kit (WDK), Windows Logo Kit (WLK) and Windows Driver Framework (WDF)."

    4 - Click the Download link to download 6.1.6001.18002.081017-1400_wdksp-WDK18002SP_EN_DVD.iso

    Verify

    Hypervisor successfully starts.

  • TONYSO

    Hyper-V How To: Troubleshoot Event ID: 3112-Hypervisor Operation

    • 1 Comments

    The new Health Model pages are now live. Some of you seem to be having trouble with Event ID: 3112, with an error message that starts “The virtual machine could not be started because the hypervisor is not running.”

    Check Hyper-V status

    The virtual machine could not be started because the hypervisor is not running. Check your BIOS settings and BCD store, then restart the physical computer.

    Hyper-V requires hardware support, including: an x64 CPU; VT (Intel) or AMD-V (AMD) hardware extensions; No eXecute (NX)/eXecute Disable (XD) and full BIOS support for hardware virtualization. Check your physical computer's BIOS settings to ensure that virtualization features are enabled, and then turn off the power to your physical computer. Restart the physical machine. NOTE: Restarting the physical computer is not sufficient.

    You can use the Virtualization Detect (DetectVp.EXE) tool to check if the physical computer meets the requirements for Microsoft virtualization software. This test checks virtualization support for both Intel and AMD processors. The tool is part of the Windows Driver Kit (WDK).

    To download the WDK .iso file:

    1 - Go to the Microsoft Connect Web site at http://go.microsoft.com/fwlink/?LinkID=100623 and sign in with your Live ID.

    2 - Enter the Microsoft Connect Web site. Click Connection Directory.

    3 - Click Developer Tools, and then click "Windows Driver Kit (WDK), Windows Logo Kit (WLK) and Windows Driver Framework (WDF)."

    4 - Click the Download link to download 6.1.6001.18002.081017-1400_wdksp-WDK18002SP_EN_DVD.iso

    Check that Boot Configuration Data (BCD) store is set to start the hypervisor, and then restart your physical computer.

    The BCD store contains boot configuration parameters and controls how the operating system is started in Windows Vista and Windows Server 2008 operating systems. These parameters were previously in the Boot.ini file (in BIOS-based operating systems) or in the nonvolatile RAM (NVRAM) entries (in Extensible Firmware Interface-based operating systems).

    You can use the Bcdedit.exe command-line tool to update BCD store with the correct launch options as referenced in the error, and then restart the server. Bcdedit.exe is located in the \Windows\System32 directory by default.

    Note: Administrative privileges are required to use bcdedit to modify the BCD store. Unless otherwise specified, bcdedit operates on the system store by default.

    On PC/AT BIOS systems, the BCD store resides in the active partition's \boot folder. On EFI systems, the file is located on the EFI system partition (ESP) under \EFI\Microsoft\Boot.

    Caution:  The BCD data store is a registry hive, but that hive should not be accessed with the registry API. Interaction with the underlying firmware occurs in the supported BCD interfaces. For this reason, BCD stores should be accessed only through the associated tools or WMI API. Incorrectly editing the registry might severely damage your system. Before making changes to the registry, you should back up any valued data.

    For further information on using Bcdedit.exe, see http://go.microsoft.com/fwlink/?LinkID=147513
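A read-only pre-flight check covering both the Event ID 52 post (NX/DEP) and the Event ID 3112 post (BCD launch option). This is an added example, not from the Health Model pages; it assumes PowerShell 2.0 or later in an elevated session on the management operating system. The page does not name the BCD settings; `hypervisorlaunchtype` and `nx` are the bcdedit settings assumed here, and the function name is hypothetical.

```powershell
# Added example: read-only checks for the causes of Event ID 52 and 3112.
# Assumptions: PowerShell 2.0+, elevated session on the management OS.
function Test-HypervisorLaunchConfig {       # hypothetical name
    $findings = @()

    # Read the running boot entry through bcdedit, never the registry API.
    $bcdedit = Join-Path $env:SystemRoot 'System32\bcdedit.exe'
    $lines = & $bcdedit /enum '{current}'
    if ($LASTEXITCODE -ne 0) {
        throw 'bcdedit failed; it needs administrative privileges.'
    }

    # Each setting is printed as "name<spaces>value".
    $bcd = @{}
    foreach ($line in $lines) {
        if ($line -match '^(\S+)\s+(.+)$') { $bcd[$matches[1]] = $matches[2].Trim() }
    }

    # Event ID 3112: the boot entry must ask for the hypervisor to be launched.
    $launch = $bcd['hypervisorlaunchtype']
    if ($launch -ne 'Auto') {
        $findings += "hypervisorlaunchtype is '$launch' (expected Auto); " +
                     'set it with: bcdedit /set hypervisorlaunchtype auto'
    }

    # Event ID 52: NX/DEP. AlwaysOff in the BCD store turns DEP off for the OS.
    $nx = $bcd['nx']
    if ($nx -eq 'AlwaysOff') {
        $findings += 'nx is AlwaysOff in the BCD store; DEP is disabled.'
    }

    # Hardware-enforced DEP as the OS sees it. False usually points at the
    # No Execute setting in the BIOS.
    $os = Get-WmiObject -Class Win32_OperatingSystem
    if (-not $os.DataExecutionPrevention_Available) {
        $findings += 'OS reports no hardware DEP; enable No Execute in the BIOS, ' +
                     'then power the computer off completely before starting it again.'
    }

    # Most recent launch failure, using the Source listed for Event ID 52.
    $evt = Get-WinEvent -FilterHashtable @{
        ProviderName = 'Microsoft-Windows-Hyper-V-Hypervisor'
        Id           = 52
    } -MaxEvents 1 -ErrorAction SilentlyContinue

    New-Object PSObject -Property @{
        HypervisorLaunchType = $launch
        NxPolicy             = $nx
        HardwareDepAvailable = [bool]$os.DataExecutionPrevention_Available
        LastEvent52          = if ($evt) { $evt.TimeCreated } else { $null }
        Findings             = $findings
        Ready                = ($findings.Count -eq 0)
    }
}

Test-HypervisorLaunchConfig | Format-List
```

The script changes nothing; any fix it suggests still needs the restart or cold power-off described above to take effect.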

  • TONYSO

    Microsoft Student TV Launches

    • 0 Comments

    If you are a dev you have Channel 9, if you are an IT Pro you have the Edge. If you are a student who might become a dev or an IT Pro, you now have http://www.microsoft.com/student/tv/ 


  • TONYSO

    Hyper-V Video: Getting to Know Hyper-V with Felipe Ayora

    • 0 Comments

    In the 12 minute video “Getting to Know Hyper-V” Windows Server UA Technical Writer Felipe Ayora shares his experiences getting to know Hyper-V while setting up HPC clusters for his technical writing assignments.


  • TONYSO

    Free-as-in-beer Microsoft Security, Privacy, and Internet Safety Videos You Can Use

    • 0 Comments

    Go to http://www.microsoft.com/protect/videos/downloads.mspx, download the free-as-in-beer videos there, bring them inside your firewall (see terms of use), and then tell all your users to go watch them.


    No, seriously, get your users to watch these. It can help raise their awareness, and did I mention they are free?


  • TONYSO

    How To: Recover Your Account if You Have Been Hacked

    • 0 Comments

    If you suspect that an unauthorized person has used your Windows Live ID to sign in to your Windows Live Hotmail account, or any other Windows Live service, please read this article for further help.

    http://windowslivehelp.com/solutions/accounts/archive/2008/10/25/what-to-do-if-you-think-your-accounts-been-stolen.aspx.
