General Security Considerations

This topic provides general security considerations, recommendations, and best practices for Virtual Machine Manager (VMM).

Virtual Machine Security

The following list provides VMM security information you should consider:

  • If your Active Directory Domain Services (AD DS) installation has multiple forests, and you want to install VMM components in different forests, there must be a two-way trust relationship between those forests.

  • By default, virtual machines run under the account of the user who started the virtual machine. For enhanced security, you can specify a user account with a low level of privileges under which to run virtual machines.

  • If you use a remote instance of SQL Server, the SQL Server must run under an account other than the Local System account.

  • VMM uses Virtual Machine Remote Control (VMRC) to control virtual machines. By default, VMRC connections are not encrypted. It is a best practice to use Secure Sockets Layer (SSL) to encrypt communications over the VMRC connection by uploading a certificate from an appropriate internal or third-party certification authority (CA). For more information about how to encrypt a VMRC connection, see the "How to Modify Virtual Machine Remote Control (VMRC) Settings on a Host" topic in VMM Help (https://go.microsoft.com/fwlink/?LinkId=102194).

    Note

    If you do not use SSL for VMRC connections, self-service users receive a message that the channel is not secure each time they connect to a virtual machine.

  • When you add a virtual machine host or library server, VMM installs the Virtual Machine Manager Servers machine account as an administrator on the managed computer. Ensure that your Group Policy settings do not remove this account, or VMM will not function correctly.

Security Best Practices

Security best practices for VMM include the following:

  • Do not use the default ports when installing the VMM components.
  • Firewall software and malicious software detection programs, such as antivirus software, that run on the host operating system do not protect guest operating systems. To obtain this level of protection, you must install this type of software directly on the guest operating systems.
  • File system access should be limited. The access control list (ACL) for library shares should contain only VMM administrators, the Virtual Machine Manager Servers account, and, where appropriate, self-service users.
  • When you add a virtual machine host or library server, VMM remotely installs a VMM agent on the managed computer. The VMM agent deployment process uses the Server Message Block (SMB) ports, the Remote Procedure Call (RPC) port (TCP 135), and the DCOM port range. You can use either SMB packet signing or IPSec to help secure the agent deployment process. Alternatively, you can install VMM agents locally on hosts, discover them in the VMM Administrator Console, and then control the host using only the WinRM port (default port 80) and the BITS port (default port 443).
  • To create and manage virtual machines on a host, an administrator needs to belong only to the Virtual Machine Manager Administrator security group, and not be a local administrator on the host. Limiting access to hosts in this manner provides greater security for the hosts.
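
The library share ACL recommendation above can be checked with a short audit. The following PowerShell is an added example, not part of the original topic or of VMM itself; the domain, account names, and share path are placeholders, and the sample ACL entries are constructed for illustration.

```powershell
# Added example: report Allow entries on a library share whose identity is
# not on an allow-list. All account names and paths below are placeholders.

function Find-UnexpectedAce {
    param(
        # Access rules in the shape returned by (Get-Acl <path>).Access
        [Parameter(Mandatory = $true)] [object[]] $AccessRule,
        # Identities permitted on the share, in DOMAIN\name form
        [Parameter(Mandatory = $true)] [string[]] $AllowedIdentity
    )
    foreach ($ace in $AccessRule) {
        # Deny entries only reduce access, so only Allow entries are reported
        if ("$($ace.AccessControlType)" -ne 'Allow') { continue }
        $id = "$($ace.IdentityReference)"
        # -notcontains compares strings case-insensitively
        if ($AllowedIdentity -notcontains $id) {
            [pscustomobject]@{
                Identity  = $id
                Rights    = "$($ace.FileSystemRights)"
                Inherited = [bool]$ace.IsInherited
            }
        }
    }
}

# Allow-list for this deployment (placeholder names, not VMM defaults)
$allowed = @(
    'CONTOSO\VMM Administrators',
    'CONTOSO\VMMSERVER01$',
    'CONTOSO\VMM Self-Service Users'
)

# Constructed sample entries, so the function can be tried without a share
$sample = @(
    [pscustomobject]@{ IdentityReference = 'CONTOSO\VMM Administrators'; FileSystemRights = 'FullControl'; AccessControlType = 'Allow'; IsInherited = $false },
    [pscustomobject]@{ IdentityReference = 'CONTOSO\VMMSERVER01$'; FileSystemRights = 'FullControl'; AccessControlType = 'Allow'; IsInherited = $false },
    [pscustomobject]@{ IdentityReference = 'Everyone'; FileSystemRights = 'ReadAndExecute'; AccessControlType = 'Allow'; IsInherited = $true },
    [pscustomobject]@{ IdentityReference = 'BUILTIN\Users'; FileSystemRights = 'Modify'; AccessControlType = 'Allow'; IsInherited = $true }
)

Find-UnexpectedAce -AccessRule $sample -AllowedIdentity $allowed

# Against a real library share (placeholder path). Get-Acl reads the file
# system ACL of the shared folder, not the share-level permissions:
# Find-UnexpectedAce -AccessRule (Get-Acl '\\LIBSERVER01\MSSCVMMLibrary').Access -AllowedIdentity $allowed
```

Built-in principals such as local administrators are reported unless you add them to the allow-list, so review each reported entry before removing it.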

See Also

Concepts

Security Considerations
Required User Privileges
About Assigning Ports in VMM