Network Access Control Lists

  • 6 min read
  • 27 Nov 2014

In this article by Ryan Boud, author of Hyper-V Network Virtualization Cookbook, we will learn to lock down a VM for security access.

Locking down a VM for security access

This article will show you how to apply ACLs to VMs to protect them from unauthorized access.

Getting ready

You will need to start two VMs in the Tenant A VM Network: in this case, Tenant A – VM 10 (used to test the gateway, and as such it should have IIS installed) and Tenant A – VM 11.

How to do it...

Perform the following steps to lock down a VM:

  1. In the VMM console, click on the Home tab in the ribbon bar and click on the PowerShell button. This will launch PowerShell with the VMM module already loaded and the console connected to the current VMM instance. To obtain the Virtual Subnet IDs for all subnets in the Tenant A VM Network, enter the following PowerShell:
    $VMNetworkName = "Tenant A"
    $VMNetwork = Get-SCVMNetwork | Where-Object -Property Name -EQ $VMNetworkName
    Get-SCVMSubnet -VMNetwork $VMNetwork | Select-Object VMNetwork,Name,SubnetVlans,VMSubnetID
  2. You will be presented with the list of subnets and the VMSubnetID for each. The VMSubnetID will be used later in this article; in this case, the VMSubnetID is 4490741, as shown in the following screenshot:

    [Screenshot: list of Tenant A subnets with their VMSubnetID values]

    Your VMSubnetID value may be different from the one obtained here; this is normal behavior.

  3. In the PowerShell Console, run the following PowerShell to get the IP addresses of Tenant A – VM 10 and Tenant A – VM 11:
    $VMs = @()
    $VMs += Get-SCVirtualMachine -Name "Tenant A - VM 10"
    $VMs += Get-SCVirtualMachine -Name "Tenant A - VM 11" 
    ForEach($VM in $VMs){
       Write-Output "$($VM.Name): $($VM.VirtualNetworkAdapters.IPv4Addresses)"
       Write-Output "Host name: $($VM.HostName)"
    }
  4. You will be presented with the IPv4 addresses for the two VMs as shown in the following screenshot:

    [Screenshot: IPv4 addresses and host names of Tenant A – VM 10 and Tenant A – VM 11]

    Please leave this PowerShell console open.

    Your IP addresses and host names may differ from those shown here; this is normal behavior.

  5. In the VMM console, open the VMs and Services workspace and navigate to All Hosts | Hosts | hypvclus01.
  6. Right-click on Tenant A – VM 11, navigate to Connect or View, and then click on Connect via Console.
  7. Log in to the VM via the Remote Console.
  8. Open Internet Explorer and go to the URL http://10.0.0.14, where 10.0.0.14 is the IP address of Tenant A – VM 10, as we discussed in step 4.
  9. You will be greeted with the default IIS page. This shows that there are currently no ACLs preventing Tenant A – VM 11 from accessing Tenant A – VM 10, either within Hyper-V or within the Windows Firewall.
  10. Open a PowerShell console on Tenant A – VM 11 and enter the following command:
    ping 10.0.0.14 -t
  11. Here, 10.0.0.14 is the IP address of Tenant A – VM 10. This will run a continuous ping against Tenant A – VM 10.
  12. In the PowerShell console left open in Step 4, enter the following PowerShell:
    Invoke-Command -ComputerName HYPVCH1.ad.demo.com -ScriptBlock {
        Add-VMNetworkAdapterExtendedAcl -Action Deny -Direction Inbound -VMName "Tenant A - VM 10" -Weight 1 -IsolationID 4490741
    }

    Here, HYPVCH1.ad.demo.com is the name of the host where Tenant A – VM 10 is running, as obtained in step 4, and the Isolation ID needs to be set to the VMSubnetID as obtained in step 2.

    Please leave this PowerShell console open.

    When adding base rules such as a Deny All, it is suggested to apply a weight of 1 to allow other rules to override it if appropriate.

  13. Return to the PowerShell console left open on Tenant A – VM 11 in step 10. You will see that Tenant A – VM 10 has stopped responding to pings.

    [Screenshot: continuous ping to 10.0.0.14 timing out after the Deny rule is applied]

    This has created a Hyper-V Port ACL that will deny all inbound traffic to Tenant A – VM 10.

  14. In the same PowerShell console, enter the following PowerShell:
    Test-NetConnection -CommonTCPPort HTTP -ComputerName 10.0.0.14 -InformationLevel Detailed
  15. Here, 10.0.0.14 is the IP address of Tenant A – VM 10. The output shows TCPTestSucceeded as False, that is, you cannot access the IIS website on Tenant A – VM 10.

    [Screenshot: Test-NetConnection output with TCPTestSucceeded : False]

  16. Return to the PowerShell console left open on the VMM console in step 11 and enter the following PowerShell cmdlets:
    Invoke-Command -ComputerName HYPVCH1.ad.demo.com -ScriptBlock {
        Add-VMNetworkAdapterExtendedAcl -Action Allow -Direction Inbound -VMName "Tenant A - VM 10" -Weight 10 -IsolationID 4490741 -LocalPort 80
    }

    Here, HYPVCH1.ad.demo.com is the name of the host where Tenant A – VM 10 is running, as obtained in step 4, and the Isolation ID needs to be set to the VMSubnetID as obtained in step 2.

    Please leave this PowerShell console open.

    When adding rules, it is suggested to use weight increments of 10 so that other rules can be inserted between existing rules if necessary; higher-weight rules take precedence over lower-weight ones.

  17. On Tenant A – VM 11, repeat step 13. You will see that TCPTestSucceeded has changed to True.
  18. Return to the PowerShell console left open on the VMM console in step 14, and enter the following PowerShell cmdlets:
    Invoke-Command -ComputerName HYPVCH1.ad.demo.com -ScriptBlock {
        Add-VMNetworkAdapterExtendedAcl -Action Deny -Direction Outbound -VMName "Tenant A - VM 10" -Weight 1 -IsolationID 4490741
    }

    Here, HYPVCH1.ad.demo.com is the name of the host where Tenant A – VM 10 is running, as obtained in step 4, and the Isolation ID needs to be set to the VMSubnetID as obtained in step 2.

    Please leave this PowerShell console open.

    When adding base rules such as a Deny All, it is suggested to apply a weight of 1 to allow other rules to override it if appropriate.

  19. On Tenant A – VM 11, repeat step 14. You will see that TCPTestSucceeded has changed to False. This is because all outbound connections have been denied, so the web server's replies to the TCP handshake never leave the VM.
  20. Return to the PowerShell console left open on the VMM console in step 17, and enter the following PowerShell cmdlets:
    Invoke-Command -ComputerName HYPVCH1.ad.demo.com -ScriptBlock {
        Remove-VMNetworkAdapterExtendedAcl -Direction Inbound -VMName "Tenant A - VM 10" -Weight 10
    }

    This removes the inbound rule for port 80. In the same PowerShell console, enter the following cmdlets:

    Invoke-Command -ComputerName HYPVCH1.ad.demo.com -ScriptBlock {
        Add-VMNetworkAdapterExtendedAcl -Action Allow -Direction Inbound -VMName "Tenant A - VM 10" -Weight 10 -IsolationID 4490741 -LocalPort 80 -Stateful $True -Protocol TCP
    }

    This adds a stateful ACL rule: the switch tracks the inbound TCP connection and dynamically allows the matching outbound traffic back to the requestor, even though the weight-1 outbound Deny rule is still in place. No broad outbound Allow rule is needed.

  21. On Tenant A – VM 11 repeat step 14. You will see that the TCPTestSucceeded has changed to True. This is because the stateful ACL is now in place.
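    The whole procedure, from the base Deny rules through the stateful Allow, can be applied and verified in one script. The following is an added example, not code from the article or the book: it assumes the Hyper-V module is available because it runs directly on the host (wrap it in Invoke-Command to the host, as the steps above do, if you run it from the VMM console), and the VM name and VMSubnetID are the article's placeholders, so substitute your own values from steps 1 to 4. It goes slightly beyond the steps above by taking a list of ports and by checking afterwards that the Deny baseline is really present.

```powershell
# Added example, not part of the original article.
# Assumptions: runs on the Hyper-V host with the Hyper-V PowerShell module loaded;
# $VMName and $IsolationID are the article's sample values and must be replaced.
param(
    [string]$VMName          = "Tenant A - VM 10",  # VM to lock down (article's sample name)
    [int]   $IsolationID     = 4490741,             # VMSubnetID from step 2; yours will differ
    [int[]] $AllowedTcpPorts = @(80)                # services that must stay reachable inbound
)

# Base rules: deny all traffic in both directions at weight 1, so that any
# higher-weight rule can override them.
Add-VMNetworkAdapterExtendedAcl -VMName $VMName -Action Deny -Direction Inbound  -Weight 1 -IsolationID $IsolationID
Add-VMNetworkAdapterExtendedAcl -VMName $VMName -Action Deny -Direction Outbound -Weight 1 -IsolationID $IsolationID

# One stateful Allow per published TCP port. Stateful rules let the switch track
# the flow and permit the reply traffic, so no broad outbound Allow is required.
# Weights step by 10 to leave room for rules inserted later.
$weight = 10
foreach ($port in $AllowedTcpPorts) {
    Add-VMNetworkAdapterExtendedAcl -VMName $VMName -Action Allow -Direction Inbound `
        -Weight $weight -IsolationID $IsolationID -LocalPort $port -Protocol TCP -Stateful $true
    $weight += 10
}

# Verification: show the resulting rule set and confirm the Deny baseline exists.
$acls = Get-VMNetworkAdapterExtendedAcl -VMName $VMName
$acls | Select-Object Direction, Action, Weight, LocalPort, Protocol, Stateful, IsolationID | Format-Table -AutoSize

$denyIn  = $acls | Where-Object { $_.Direction -eq 'Inbound'  -and $_.Action -eq 'Deny' -and $_.Weight -eq 1 }
$denyOut = $acls | Where-Object { $_.Direction -eq 'Outbound' -and $_.Action -eq 'Deny' -and $_.Weight -eq 1 }
if (-not $denyIn -or -not $denyOut) {
    Write-Warning "$VMName is missing a weight-1 Deny baseline in at least one direction; it is not locked down."
}
```

    The final check is the part worth keeping in a scheduled job: because the ACLs live in the VM's configuration and travel with it, a VM whose baseline was removed on one host stays open wherever it is migrated, and Get-VMNetworkAdapterExtendedAcl is the quickest way to spot that.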

How it works...

Extended ACLs are applied as traffic enters and leaves the VM through the Hyper-V virtual switch. As the ACLs are VM-specific, they are stored in the VM's configuration file. This ensures that the ACLs move with the VM, for example during a live migration, so the VM keeps the same protection on every host.

For the complete range of options, it is advisable to review the TechNet article at http://technet.microsoft.com/en-us/library/dn464289.aspx.

Summary

In this article we learned how to lock down a VM for security access.
