Deployment 4 Hyper-V Security Solution Accelerator Guide

Hyper-V Security Guide
Version 1.0
Published: March 2009

For the latest information, please see

Copyright 2009 Microsoft Corporation. All rights reserved. Complying with the applicable copyright laws is your responsibility. By using or providing feedback on this documentation, you agree to the license agreement below.

If you are using this documentation solely for non-commercial purposes internally within YOUR company or organization, then this documentation is licensed to you under the Creative Commons Attribution-NonCommercial License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc/2.5/ or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.

This documentation is provided to you for informational purposes only, and is provided to you entirely AS IS. Your use of the documentation cannot be understood as substituting for customized service and information that might be developed by Microsoft Corporation for a particular user based upon that user's particular environment. To the extent permitted by law, MICROSOFT MAKES NO WARRANTY OF ANY KIND, DISCLAIMS ALL EXPRESS, IMPLIED AND STATUTORY WARRANTIES, AND ASSUMES NO LIABILITY TO YOU FOR ANY DAMAGES OF ANY TYPE IN CONNECTION WITH THESE MATERIALS OR ANY INTELLECTUAL PROPERTY IN THEM.

Microsoft may have patents, patent applications, trademarks, or other intellectual property rights covering subject matter within this documentation. Except as provided in a separate agreement from Microsoft, your use of this document does not give you any license to these patents, trademarks or other intellectual property.

Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places and events depicted herein are fictitious.

Microsoft, Active Directory, BitLocker, Hyper-V, Windows, Windows Server, and Windows Vista are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

You have no obligation to give Microsoft any suggestions, comments or other feedback ("Feedback") relating to the documentation. However, if you do provide any Feedback to Microsoft then you provide to Microsoft, without charge, the right to use, share and commercialize your Feedback in any way and for any purpose. You also give to third parties, without charge, any patent rights needed for their products, technologies and services to use or interface with any specific parts of a Microsoft software or service that includes the Feedback. You will not give Feedback that is subject to a license that requires Microsoft to license its software or documentation to third parties because we include your Feedback in them.

Contents

Overview

Welcome to the Hyper-V Security Guide. This guide provides instructions and recommendations to help strengthen the security of computers running the Hyper-V role on Windows Server 2008.

Microsoft engineering teams, consultants, support engineers, partners, and customers have reviewed and approved this prescriptive guidance to make it:

- Proven. Based on field experience.
- Authoritative. Offers the best advice available.
- Accurate. Technically validated and tested.
- Actionable. Provides the steps to success.
- Relevant. Addresses real-world security concerns.

Microsoft has published security guides for Windows Server 2008 and Windows Server 2003. This guide references significant new capabilities and security enhancements in Windows Server 2008. The guide was developed and tested with computers running the Hyper-V role on Windows Server 2008 that were joined to a domain that uses Active Directory Domain Services (AD DS).

As Hyper-V continues to evolve through future releases, you can expect updated versions of this guidance to include more security recommendations. Solution Accelerators are also available to assist you with the deployment and operation of Windows Server 2008 as well as other Microsoft technologies. For more information about all available accelerators, visit Solution Accelerators on Microsoft TechNet.

Who Should Read This Guide

The Hyper-V Security Guide is primarily for IT professionals, security professionals, systems architects, computer engineers, and other IT consultants who plan application or infrastructure development and deployments of Windows Server 2008 for servers in an enterprise environment. The guide is not intended for home users. This guide is for individuals whose jobs may include one or more of the following roles:

- Security professional. Individuals in this role focus on how to provide security across computing platforms within an organization. Security professionals require a reliable reference guide that addresses the security needs of all segments of their organizations and also offers proven methods to implement security countermeasures. They identify security features and settings, and then provide recommendations on how their customers can most effectively use them in high risk environments.
- IT operations, help desk, and deployment staff. Individuals in all of these roles troubleshoot security issues as well as application installation, configuration, usability, and manageability issues. They monitor these types of issues to define measurable security improvements with minimal impact on critical business applications. Individuals in IT operations focus on integrating security and controlling change in the deployment process, and deployment personnel focus on administering security updates quickly.
- Systems architect and planner. Individuals in this role drive the architecture efforts for computer systems in their organizations.
- Consultant. Individuals in this role are aware of security scenarios that span all the business levels of an organization. IT consultants from both Microsoft Services and partners take advantage of knowledge transfer tools for enterprise customers and partners.

Skills and Readiness

The following knowledge and skills are required for consultants, operations, help desk and deployment staff, and security professionals who develop, deploy, and secure server systems running Windows Server 2008 in an enterprise organization:

- MCSE on Microsoft Windows Server 2003 or a later certification and two or more years of security-related experience, or equivalent knowledge.
- Experience using Hyper-V Manager and System Center Virtual Machine Manager 2008 (VMM 2008).
- Detailed knowledge of the organization's domain and Active Directory environments.
- Experience in the administration of Group Policy using the Group Policy Management Console (GPMC), which provides a single solution for managing all Group Policy-related tasks.
- Experience using management tools including Microsoft Management Console (MMC), Gpupdate, and Gpresult.
- Experience using the Security Configuration Wizard (SCW).
- Experience deploying applications and server computers in enterprise environments.

Chapter Summaries

This release of the Hyper-V Security Guide consists of this Overview and three chapters that discuss methods and best practices that will help you secure your Hyper-V environment. Brief descriptions follow for each chapter.

Overview

The overview states the purpose and scope of the guide, defines the guide audience, and describes the guide's structure to help you locate the information that is relevant to you. It also describes the user prerequisites for the guidance.

Chapter 1: Hardening Hyper-V

This chapter provides prescriptive guidance for hardening the Hyper-V role. It discusses several best practices for installing and configuring Hyper-V on Windows Server 2008 server with a focus on security. These best practices include measures for reducing the attack surface of a server running Hyper-V and recommendations for properly configuring secure network and storage devices on a server running Hyper-V.

Chapter 2: Delegating Virtual Machine Management

This chapter discusses several available methods for delegating virtual machine management so that virtual machine administrators only have the minimum permissions they require. It describes common delegation scenarios, and includes detailed steps to guide you through using Authorization Manager (AzMan) and System Center VMM 2008 to separate virtual machine administrators from virtualization host administrators.

Chapter 3: Protecting Virtual Machines

This chapter provides prescriptive guidance for securing virtual machine resources. It discusses best practices and includes detailed steps for protecting virtual machines by using a combination of file system permissions, encryption, and auditing. Also included are resources for hardening and updating the operating system instances running within your virtual machines.

Style Conventions

This guidance uses the style conventions that are described in the following table.

| Element | Meaning |
| --- | --- |
| Bold font | Signifies characters typed exactly as shown, including commands, switches, and file names. User interface elements also appear in bold. |
| Italic font | Titles of books and other substantial publications appear in italic. Placeholders set in italic and angle brackets represent variables. |
| Monospace font | Defines code and script samples. |
| Note | Alerts the reader to supplementary information. |
| Important | Alerts the reader to essential supplementary information. |

More Information

The following resources provide additional information about security topics and detailed discussion of the concepts and security prescriptions in this guide on M: Hyper-V P