Manage Learn to apply best practices and optimize your operations.

Understanding the role of management partitions in virtual platforms

Virtualization hypervisors use two kinds of partitions: full-operating system instances or minimal-OS partitions. Each offers benefits but also poses security risks.

On its own, a hypervisor is like a car without a steering wheel; it doesn't navigate for you. It can schedule resource allocations, but only alongside another management mechanism. Today's virtualization technologies use virtual machine (VM) partitions to handle management tasks, provide add-on capabilities and more. There are two types of partitions: a full instance of an operating system or a minimal OS partition.

Full instance of an OS. Microsoft's Hyper-V and, arguably, VMware ESX use the first approach, which essentially involves a "full" instance of an operating system to handle management tasks. With Hyper-V, that partition exists as an instance of Windows Server 2008. With ESX, that management partition exists as a modified form of Red Hat Linux.

These partitions benefit from functionality within an OS itself. With ESX, you can manage a server with many of the common commands used to manage a Red Hat Linux distribution. You can manage Hyper-V with Windows Server as well.

These partitions also provide extensibility for add-on technologies. If your corporate security rules require anti-malware systems to be installed on every server, for example, you'll need that server's partition as a location where that software can be installed. The same holds true for third-party virtualization products that require on-board agents. Without an operating system, there's no place to store an agent.

Minimal OS partitions. A good example of this second kind of partition is VMware's ESXi, although Microsoft's Hyper-V Server -- which runs on top of Windows Server Core -- also falls into this group. With this kind of architecture, the partition is an extremely limited and proprietary interface. If you've ever powered on a server running ESXi, you're familiar with its exceptionally lightweight interface. Using ESXi's management partition, you can change passwords and networking settings, but not really much else. With Hyper-V Server, you can install some software, but the OS innards simply aren't there for many software packages to correctly deploy.

The second method gives the appearance of simplicity; it is easy to manage a hypervisor when there is only a handful of settings to configure. But minimal OS partitions add risk to virtualization environments as well, such as the inability to install and run other products that could make administration easier or more effective.

The industry features several disagreements regarding the trustworthiness of these two models. ESXi's nearly zero-management partition indeed eliminates the potential for many kinds of external attacks. If there is no traditional OS on a virtual host, there are no vectors for attack. At the same time, with no traditional OS, the hypervisor's vendor maintains a complete stranglehold on external product's interaction with that hypervisor.

On the other hand, the full-OS route has its share of attack vectors. While ESX's management partition is technically a modified version of Red Hat Enterprise Linux Version 3, reports that between 2004 and 2009, 1,286 vulnerabilities have been found in the operating system, or an average of 214 per year. While only on the market since mid-2008, Microsoft Windows Server 2008 has been on the market for part of 2008 and 2009, but some 69 vulnerabilities have been found, or approximately 34 per year.

In effect, any additional functionality in a system adds exposure to attack. This is why virtualization vendors such as VMware and Microsoft have both created comprehensive patching products for updating their operating systems and related services.

In the debate over which management partition is more useful or less prone to attack, you can argue that they're all about the same. Each requires some element of functionality, enabled through its management partition, and that partition is one area of risk in each. It's up to the administrator to decide how best to manage that risk.

About the expert

Greg Shields
Greg Shields is an independent author, instructor, Microsoft MVP and IT consultant based in Denver. He is a co-founder of Concentrated Technology LLC and has nearly 15 years of experience in IT architecture and enterprise administration. Shields specializes in Microsoft administration, systems management and monitoring, and virtualization. He is the author of several books including Windows Server 2008: What's New/What's Changed , available from Sapien Press.

Dig Deeper on Virtual machine performance management

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.