Do you need to secure a Microsoft Virtual Server 2005 installation for remote users? In the last article, I taught you how to secure local access to the host. In this article, we will walk through securing remote connections to Virtual Server 2005, including the administration website and the Virtual Machine Remote Connection (VMRC) client.
When we talk about securing remote access to virtual machines (VMs), we are really talking about securing two main components that are unique to a Virtual Server 2005 environment. These are the Virtual Server Administration Website and the VMRC client connection. In the previous article , we discussed securing access to the folders and files that make up the Virtual Server and Virtual Machine configuration and resource files. Proper security at this level will prevent anyone who is unauthorized from accessing the VMs.
However, unless appropriate precautions are made to secure the connection between the user and the Virtual Server Host, an unauthorized person may be able to gain access to the VMs. An improperly secured network connection could allow the electronic equivalent of looking over a person's shoulder while they put in the combination to a safe. If an attacker can eavesdrop on the wire, then it will not matter if the files are secured. The attacker can gain enough information to impersonate a user and gain access to any number of files on the Virtual Server Host. This is why it is so important to secure the connections to the Virtual Server Administration Website and the connections initiated from VMRC client.
Securing the Virtual Server Administration Website
By default, the Virtual Server Administration Website uses integrated Windows authentication. Also, anonymous access is disabled. However, there may be some cases where you will need to use basic authentication. This is especially true if users will be connecting to the Administration Website from a domain that is not trusted. In either case, you will want to take some appropriate precautions to secure the Administration Website beyond the default configuration.
The most obvious improvement to security is to require Secure Sockets Layer (SSL) connections to the Administration Website. If the Virtual Server implementation is part of a large production environment then chances are that you will have a Certificate Authority (CA) server or a third party Certificate Authority to issue the required certificate for SSL. However, if you are implementing a test or configuration lab, then you will probably not want to go through the trouble or expense of issuing a third party or CA certificate. This is where a utility called selfssl.exe can be used. Selfssl.exe can be obtained by installing the IIS 6.0 Resource Kit. Once the resource kit is installed (the easiest use is to install the resource kit on the IIS server), open a command prompt and type
selfssl.exe /?. This should have an output similar to the figure below.
Familiarize yourself with the switches and options available for selfssl.exe. Change any of these options to suit your environment or standards. However, if you installed the resource kit on the IIS server that hosts the Virtual Server Administration Website and you want to accept the default configuration of the self-signed certificate, simply type:
selfssl.exeBy default, selfssl.exe chooses the default site (site 1) as the certificate site. If the Virtual Server Administration Website is the only site that is hosted on the IIS server, then this will be fine. If there are other sites, choose the appropriate site when you run selfssl.exe. The dialogue for the default behavior of selfssl.exe is shown in the figure below.
Now that the certificate is in place for the Virtual Server Administration Website, you must set the site to require ssl using the IIS Administration Console. To do this, open the IIS Administration Console by going to Start -> Administrative Tools -> Internet Information Services. Expand the node that has the Virtual Server Administration Website installed. In this case, we will expand Default Web Site. The fully expanded list will look similar to the figure below taken from IIS 5.0. The steps for IIS 6.0 will be very similar.
Once the list is expanded, select and right-click on VirtualServer and choose properties. Select the Directory Security tab. Under the Secure Communications Section, select Edit. This screen is shown below.
On the Edit screen at the top, make sure Require Secure Channel (ssl) and Require 128-bit encryption are selected. Click OK twice and exit the IIS Administration Console. Now the Virtual Server Administration Website can only be accessed by using SSL (HTTPS://) and all traffic from the administrator to the website will be encrypted.
Securing Virtual Machine Remote Console (VMRC) connections
Securing VMRC connections requires the file level permissions that were mentioned earlier, as well as encryption of traffic coming from the VMRC client to the Virtual Server 2005 host machine. This process is even easier than requiring SSL for the Virtual Server Administration Website. Also, everything can be done right from the Virtual Server 2005 Administration Website. To begin connect to the Virtual Server 2005 Administration Website. On the left side under Virtual Server, choose the Server Properties link. On the server properties page under Hostname Properties, choose the Virtual Machine Remote Control (VMRC) Server link. This should bring you to a page that looks similar to the figure below.
Click enable next to "SSL 3.0/TLS 1.0 encryption. Click the "Request" radio button next to "SSL 3.0/TLS 1.0 certificate". Fill in the appropriate information in the certificate request fields and choose a key length. The default is 1024-bit. When you click ok you will return to the Server Properties page. Here you will notice some certificate request text that looks similar to the figure below.
At this point the Virtual Server 2005 Host Server will require SSL when communicating with the VMRC client using a self-signed certificate. This is fine for a lab environment. However, you may actually want to request a third-party trusted certificate from an internal Certificate Authority or a third party Certificate Authority. For this, you will need to copy and paste the certificate request text into a file to be sent to the third party Certificate Authority or for use with your internal Certificate Authority. Now when you use the VMRC client to connect to a VM, the traffic will be encrypted. In the next article, we'll discuss virtual machine log file monitoring.
About the author: Harley Stagner has been an IT professional for almost eight years. He has a wide range of knowledge in many areas of the IT field, including network design and administration, scripting, and troubleshooting. Of particular interest to Harley is virtualization technology. He was the technical editor for Chris Wolf and Erick M. Halter's book "Virtualization: From Desktop to the Enterprise." Harley has a bachelor's of science degree in management information systems from ECPI Technical College in Richmond, Virginia and is currently working on a Master of Business Administration at Strayer University in Midlothian, VA.
Currently, Harley is working as an IT Director for a television station in Richmond, Virginia. Harley currently has the following IT certifications: MCSE, CCNA, Network+, and A+.