部署4HyperV 安全解决方案加速器指南.docx

部署4HyperV 安全解决方案加速器指南.docx

《部署4HyperV 安全解决方案加速器指南.docx》由会员分享，可在线阅读，更多相关《部署4HyperV 安全解决方案加速器指南.docx（49页珍藏版）》请在冰豆网上搜索。

部署4HyperV安全解决方案加速器指南

Hyper-V™SecurityGuide

Version1.0

Published:

March2009

Forthelatestinformation,pleasesee

Copyright©2009MicrosoftCorporation.Allrightsreserved.Complyingwiththeapplicablecopyrightlawsisyourresponsibility.Byusingorprovidingfeedbackonthisdocumentation,youagreetothelicenseagreementbelow.

Ifyouareusingthisdocumentationsolelyfornon-commercialpurposesinternallywithinYOURcompanyororganization,thenthisdocumentationislicensedtoyouundertheCreativeCommonsAttribution-NonCommercialLicense.Toviewacopyofthislicense,visithttp:

//creativecommons.org/licenses/by-nc/2.5/orsendalettertoCreativeCommons,543HowardStreet,5thFloor,SanFrancisco,California,94105,USA.

Thisdocumentationisprovidedtoyouforinformationalpurposesonly,andisprovidedtoyouentirely"ASIS".YouruseofthedocumentationcannotbeunderstoodassubstitutingforcustomizedserviceandinformationthatmightbedevelopedbyMicrosoftCorporationforaparticularuserbaseduponthatuser’sparticularenvironment.Totheextentpermittedbylaw,MICROSOFTMAKESNOWARRANTYOFANYKIND,DISCLAIMSALLEXPRESS,IMPLIEDANDSTATUTORYWARRANTIES,ANDASSUMESNOLIABILITYTOYOUFORANYDAMAGESOFANYTYPEINCONNECTIONWITHTHESEMATERIALSORANYINTELLECTUALPROPERTYINTHEM.

Microsoftmayhavepatents,patentapplications,trademarks,orotherintellectualpropertyrightscoveringsubjectmatterwithinthisdocumentation.ExceptasprovidedinaseparateagreementfromMicrosoft,youruseofthisdocumentdoesnotgiveyouanylicensetothesepatents,trademarksorotherintellectualproperty.

Informationinthisdocument,includingURLandotherInternetWebsitereferences,issubjecttochangewithoutnotice.Unlessotherwisenoted,theexamplecompanies,organizations,products,domainnames,e-mailaddresses,logos,people,placesandeventsdepictedhereinarefictitious.

Microsoft,ActiveDirectory,BitLocker,Hyper-V,Windows,WindowsServer,andWindowsVistaareeitherregisteredtrademarksortrademarksofMicrosoftCorporationintheUnitedStatesand/orothercountries.

Thenamesofactualcompaniesandproductsmentionedhereinmaybethetrademarksoftheirrespectiveowners.

YouhavenoobligationtogiveMicrosoftanysuggestions,commentsorotherfeedback（"Feedback"）relatingtothedocumentation.However,ifyoudoprovideanyFeedbacktoMicrosoftthenyouprovidetoMicrosoft,withoutcharge,therighttouse,shareandcommercializeyourFeedbackinanywayandforanypurpose.Youalsogivetothirdparties,withoutcharge,anypatentrightsneededfortheirproducts,technologiesandservicestouseorinterfacewithanyspecificpartsofaMicrosoftsoftwareorservicethatincludestheFeedback.YouwillnotgiveFeedbackthatissubjecttoalicensethatrequiresMicrosofttolicenseitssoftwareordocumentationtothirdpartiesbecauseweincludeyourFeedbackinthem.

Contents

Overview

WelcometotheHyper-V™SecurityGuide.ThisguideprovidesinstructionsandrecommendationstohelpstrengthenthesecurityofcomputersrunningtheHyper-VroleonWindowsServer® 2008.

Microsoftengineeringteams,consultants,supportengineers,partners,andcustomershavereviewedandapprovedthisprescriptiveguidancetomakeit:

∙Proven.Basedonfieldexperience.

∙Authoritative.Offersthebestadviceavailable.

∙Accurate.Technicallyvalidatedandtested.

∙Actionable.Providesthestepstosuccess.

∙Relevant.Addressesreal-worldsecurityconcerns.

MicrosofthaspublishedsecurityguidesforWindowsServer2008andWindowsServer 2003.ThisguidereferencessignificantnewcapabilitiesandsecurityenhancementsinWindowsServer 2008.TheguidewasdevelopedandtestedwithcomputersrunningtheHyper-VroleonWindowsServer 2008thatwerejoinedtoadomainthatusesActiveDirectory®DomainServices（AD DS）.

AsHyper-Vcontinuestoevolvethroughfuturereleases,youcanexpectupdatedversionsofthisguidancetoincludemoresecurityrecommendations.SolutionAcceleratorsarealsoavailabletoassistyouwiththedeploymentandoperationofWindowsServer 2008aswellasotherMicrosofttechnologies.Formoreinformationaboutallavailableaccelerators,visitSolutionAcceleratorsonMicrosoft®TechNet.

WhoShouldReadThisGuide

TheHyper-VSecurityGuideisprimarilyforITprofessionals,securityprofessionals,systemsarchitects,computerengineers,andotherITconsultantswhoplanapplicationorinfrastructuredevelopmentanddeploymentsofWindowsServer 2008forserversinanenterpriseenvironment.Theguideisnotintendedforhomeusers.Thisguideisforindividualswhosejobsmayincludeoneormoreofthefollowingroles:

∙Securityprofessional.Individualsinthisrolefocusonhowtoprovidesecurityacrosscomputingplatformswithinanorganization.Securityprofessionalsrequireareliablereferenceguidethataddressesthesecurityneedsofallsegmentsoftheirorganizationsandalsooffersprovenmethodstoimplementsecuritycountermeasures.Theyidentifysecurityfeaturesandsettings,andthenproviderecommendationsonhowtheircustomerscanmosteffectivelyusetheminhighriskenvironments.

∙IToperations,helpdesk,anddeploymentstaff.Individualsinalloftheserolestroubleshootsecurityissuesaswellasapplicationinstallation,configuration,usability,andmanageabilityissues.Theymonitorthesetypesofissuestodefinemeasurablesecurityimprovementswithminimalimpactoncriticalbusinessapplications.IndividualsinIToperationsfocusonintegratingsecurityandcontrollingchangeinthedeploymentprocess,anddeploymentpersonnelfocusonadministeringsecurityupdatesquickly.

∙Systemsarchitectandplanner.Individualsinthisroledrivethearchitectureeffortsforcomputersystemsintheirorganizations.

∙Consultant.Individualsinthisroleareawareofsecurityscenariosthatspanallthebusinesslevelsofanorganization.ITconsultantsfrombothMicrosoftServicesandpartnerstakeadvantageofknowledgetransfertoolsforenterprisecustomersandpartners.

SkillsandReadiness

Thefollowingknowledgeandskillsarerequiredforconsultants,operations,helpdeskanddeploymentstaff,andsecurityprofessionalswhodevelop,deploy,andsecureserversystemsrunningWindowsServer 2008inanenterpriseorganization:

∙MCSEonMicrosoftWindowsServer 2003oralatercertificationandtwoormoreyearsofsecurity-relatedexperience,orequivalentknowledge.

∙ExperienceusingHyper-VManagerandSystemCenterVirtualMachineManager2008（VMM2008）.

∙Detailedknowledgeoftheorganization’sdomainandActiveDirectoryenvironments.

∙ExperienceintheadministrationofGroupPolicyusingtheGroupPolicyManagementConsole（GPMC）,whichprovidesasinglesolutionformanagingallGroupPolicy–relatedtasks.

∙ExperienceusingmanagementtoolsincludingMicrosoftManagementConsole（MMC）,Gpupdate,andGpresult.

∙ExperienceusingtheSecurityConfigurationWizard（SCW）.

∙Experiencedeployingapplicationsandservercomputersinenterpriseenvironments.

ChapterSummaries

ThisreleaseoftheHyper-VSecurityGuideconsistsofthisOverviewandthreechaptersthatdiscussmethodsandbestpracticesthatwillhelpyousecureyourHyper-Venvironment.Briefdescriptionsfollowforeachchapter.

Overview

Theoverviewstatesthepurposeandscopeoftheguide,definestheguideaudience,anddescribestheguide'sstructuretohelpyoulocatetheinformationthatisrelevanttoyou.Italsodescribestheuserprerequisitesfortheguidance.

Chapter1:

HardeningHyper-V

ThischapterprovidesprescriptiveguidanceforhardeningtheHyper-Vrole.ItdiscussesseveralbestpracticesforinstallingandconfiguringHyper-VonWindowsServer2008serverwithafocusonsecurity.ThesebestpracticesincludemeasuresforreducingtheattacksurfaceofaserverrunningHyper-VandrecommendationsforproperlyconfiguringsecurenetworkandstoragedevicesonaserverrunningHyper-V.

Chapter2:

DelegatingVirtualMachineManagement

Thischapterdiscussesseveralavailablemethodsfordelegatingvirtualmachinemanagementsothatvirtualmachineadministratorsonlyhavetheminimumpermissionstheyrequire.Itdescribescommondelegationscenarios,andincludesdetailedstepstoguideyouthroughusingAuthorizationManager（AzMan）andSystemCenterVMM2008toseparatevirtualmachineadministratorsfromvirtualizationhostadministrators.

Chapter3:

ProtectingVirtualMachines

Thischapterprovidesprescriptiveguidanceforsecuringvirtualmachineresources.Itdiscussesbestpracticesandincludesdetailedstepsforprotectingvirtualmachinesbyusingacombinationoffilesystempermissions,encryption,andauditing.Alsoincludedareresourcesforhardeningandupdatingtheoperatingsysteminstancesrunningwithinyourvirtualmachines.

StyleConventions

Thisguidanceusesthestyleconventionsthataredescribedinthefollowingtable.

Element

Meaning

Boldfont

Signifiescharacterstypedexactlyasshown,includingcommands,switches,andfilenames.Userinterfaceelementsalsoappearinbold.

Italicfont

Titlesofbooksandothersubstantialpublicationsappearinitalic.

Placeholderssetinitalicandanglebracketsrepresentvariables.

Monospacefont

Definescodeandscriptsamples.

Note

Alertsthereadertosupplementaryinformation.

Important

Alertsthereadertoessentialsupplementaryinformation.

MoreInformation

ThefollowingresourcesprovideadditionalinformationaboutsecuritytopicsanddetaileddiscussionoftheconceptsandsecurityprescriptionsinthisguideonM:

∙Hyper-VP