This is the fifth and final installment on Harley Stagner's look at securing Microsoft Virtual Server over at SearchServerVirtualization.com.
In it, he writes:
Are you a security administrator worried about rogue Microsoft Virtual Server 2005 virtual machines showing up on your network? The last article instructed you how to examine the compromised host server. This article will go through detecting rogue virtual machines on your network. Also, find out why the potent combination of Alternate Data Streams and virtual machines could make searching for rogue virtual machines more difficult.
While virtual machines can be very useful, the thought of rogue virtual machines running on the network is enough to make any systems administrator very nervous. There are a couple of steps that you can take to discourage the unauthorized installation and use of Virtual Server 2005 on your network.
First, limit the number of users that need to be in the Administrators group on their local machines. You have to be an administrator to install the Virtual Server 2005 software. I know there are some cases where a user must absolutely have administrator access to a system, especially if they are running some questionably coded software (vendors, you know who you are). However, limiting this as much as possible will help to mitigate unauthorized software.
Second, to limit the possibility of someone bringing a computer into the network with Virtual Server 2005 pre-installed, consider using MAC Address filtering on your desktop switches. Depending on how large the environment is and how well staffed it is, this may not be feasible. However, if it can be managed, MAC Address filtering secures more than just the possibility of a rogue virtual machine. An attacker cannot do much to your network if your switches will not even allow connectivity.
You could also put software restriction policies in place. However, these are easily circumvented if you rename the executable that installs Virtual Server 2005. Also, you cannot, practically, block access to all *.exe files. This is simply not feasible.
I always contend that proactive network monitoring will help resolve many issues before they become issues. With that said, it would be nice if you could monitor your network periodically for Virtual Server 2005 Host Machines. One of the first things that comes to mind for this task is a query script. What should we query for on our network? You could look for common Virtual Server 2005 files like virtual disk files. However, this might not be the most reliable item to look for. This is because of three words: Alternate Data Stream.
Read the entire article here.
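As an added example (the editor's, not code from Stagner's article or from Microsoft), here is a PowerShell function that sweeps a directory tree for large alternate data streams, the hiding place the article warns a query script for virtual disk files will miss, and flags any stream whose last 512 bytes carry the VHD footer cookie. It assumes PowerShell 3.0 or later on NTFS volumes; the 10 MB cutoff and the function name are constructed for this example.

```powershell
# Added example, not code from Stagner's article or from Microsoft.
# Walks a directory tree and reports alternate data streams big enough to hold
# a virtual disk image. Assumptions: PowerShell 3.0+, NTFS, 10 MB cutoff.
function Find-HiddenVirtualDisk {
    param(
        [string]$Root = 'C:\',
        [int64]$MinBytes = 10MB   # assumption: skips small streams such as Zone.Identifier
    )

    Get-ChildItem -LiteralPath $Root -Recurse -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_
        # Get-Item -Stream * lists every NTFS stream; ':$DATA' is the ordinary file content
        Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
        Where-Object { $_.Stream -ne ':$DATA' -and $_.Length -ge $MinBytes } |
        ForEach-Object {
            $streamPath = "$($file.FullName):$($_.Stream)"
            $isVhd = $false
            try {
                # A VHD image ends with a 512-byte footer whose first 8 bytes are "conectix".
                $fs = [System.IO.File]::Open($streamPath, 'Open', 'Read', 'ReadWrite')
                try {
                    if ($fs.Length -ge 512) {
                        $null = $fs.Seek(-512, [System.IO.SeekOrigin]::End)
                        $buf = New-Object byte[] 8
                        $null = $fs.Read($buf, 0, 8)
                        $isVhd = ([System.Text.Encoding]::ASCII.GetString($buf) -eq 'conectix')
                    }
                } finally { $fs.Dispose() }
            } catch { }   # locked or unreadable stream: still report its size

            [pscustomobject]@{
                File      = $file.FullName
                Stream    = $_.Stream
                Bytes     = $_.Length
                VhdFooter = $isVhd
            }
        }
    } | Sort-Object Bytes -Descending
}

# Usage: run as an administrator so protected directories are readable.
Find-HiddenVirtualDisk -Root 'C:\' | Format-Table -AutoSize
```

A large stream without the footer is still worth a look, since the image may be a differencing disk, a .vmc configuration file, or an archive, so review the size column rather than only the VhdFooter flag.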