5nine Cloud Security for Hyper-V Free Edition
Version 4.0
February 2014
Table of Contents

5nine Cloud Security for Hyper-V Free Edition ... 5
  Summary ... 5
  System Requirements ... 5
  Permissions ... 5
  Features and Benefits ... 6
  Installation ... 7
  vfirewall Silent Installation ... 18
  5nine Security Operations ... 19
    Adding and Removing Hosts ... 19
    Setting v-firewall Rules ... 19
    Setting Virtual Firewall ... 27
    Antivirus ... 28
  5nine Security Configuration File and PowerShell API ... 38
5nine Security and Compliance Scanner for Hyper-V ... 44
  Summary ... 44
  Installation ... 44
  Interface ... 47
  Operation ... 49
  Checking Scan Results ... 52
    VMs Firewalling ... 52
    Intrusion Detection ... 53
    Performance ... 54
    Antivirus Protection ... 55
    Overall Report ... 56
2014 5nine Software. All rights reserved. All trademarks are the property of their respective owners. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form by any means, without written permission from 5nine Software Inc (5nine). The information contained in this document represents the current view of 5nine on the issue discussed as of the date of publication and is subject to change without notice. 5nine shall not be liable for technical or editorial errors or omissions contained herein. 5nine makes no warranties, express or implied, in this document. 5nine may have patents, patent applications, trademark, copyright, or other intellectual property rights covering the subject matter of this document. All other trademarks mentioned herein are the property of their respective owners. Except as expressly provided in any written license agreement from 5nine, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.
Contacting 5nine Software

We always welcome your feedback on the product as well as your user experience. If you would like to help us improve the product, please contact us at info@5nine.com.

Customer Support

Please contact techsupport@5nine.com if you have encountered any issue using 5nine Cloud Security for Hyper-V Free Edition.
5nine Cloud Security for Hyper-V Free Edition

Summary

5nine Cloud Security Free Edition is a virtual infrastructure monitoring tool that lets you define network traffic rules for Hyper-V virtual machines and harden your virtual infrastructure from a security perspective, both programmatically through a PowerShell API and via the Management Console. Security lets you review the network traffic logs of each monitored virtual machine and generates related reports.

5nine Cloud Security Free Edition is designed for monitoring and controlling the traffic between Hyper-V virtual machines, and between virtual machines and external networks (Virtual Firewall). It also includes an Intrusion Detection System (IDS) as well as antivirus.

5nine Cloud Security Free Edition is designed for evaluation purposes, as it includes less functionality than the Datacenter Edition, which supports the full functionality of Security. For instance, IDS is not available in the Free Edition and the Virtual Firewall settings offer less flexibility.

5nine Cloud Security Free Edition also includes 5nine Security and Compliance Scanner for Hyper-V. This functionality is described in the 5nine Security and Compliance Scanner for Hyper-V section.

System Requirements

OS:
- Host: Windows Server 2012 or Windows 8 with Hyper-V enabled;
- Guest VM: any.

.NET 4.0; SQL 2008 Express Edition on the management server/VM (if DB logging is required); MS PowerShell; IIS.

Permissions

For both domain and workgroup configurations:
- TCP port 8788 must be open on the managed host.
- 5nine Cloud Security must be installed on each Hyper-V host that is monitored and protected (when several hosts are managed from one Management Console). The same applies to the 5nine Security service for the SC VMM 5nine Security plugins.
- WMI access (http://technet.microsoft.com/en-us/library/cc787533(ws.10).aspx).
- SQL database or file access (read/write).
- Permission to control Hyper-V (http://blogs.msdn.com/b/virtual_pc_guy/archive/2008/01/17/allowing-nonadministrators-to-control-hyper-v.aspx).
- The user must be a local administrator. If the host is managed remotely from the centralized Management Console, an account with similar permissions must also be set in Server Settings. The best practice is to use the same account for the service on the managed host and in Server Settings in the Management Console.

For workgroup/mixed domain environments:
- The account used for the workgroup environment must also have similar permissions on the managed hosts.
- Managed and management servers must be marked as trusted hosts when the workgroup environment spans several domain environments.
Features and Benefits

Simple installation. 5nine Cloud Security Free Edition has one component that must be installed: an intuitive management interface (DLL) that supports the PowerShell API (described below) for setting and changing traffic rules. The management API comes with a simple-to-use GUI application that lets you set traffic rules between the virtual machines and external networks. The management interface can be installed either on a server or on a virtual machine, and gives the system administrator access to rules, logs and reports.

Installation

To set up 5nine Cloud Security Free Edition (DLL and Management GUI application), the administrator needs to run the setup.exe application from the downloaded 5nine Cloud Security Free Edition archive on a server that meets the System Requirements section. No license is required for the Free Edition.
The 5nine Cloud Security Free Edition Setup Wizard will then open. Read the SQL Server information (make sure SQL Server is available on your host, as it is required for a successful installation) and click Next.

Choose the path where 5nine Cloud Security Free Edition is to be installed and the users who will be able to work with the product. You can check the physical space available on your drives and the space required for the installation by pressing the Disc Cost button in that window.

The 5nine Cloud Security Free Edition Information window will then appear.
Select the MS SQL data source.

Remote vfirewall installation is one step of the installation process. While installing vfw locally on a machine, you can define the servers on which vfw will be installed remotely. After the data source selection page you will see a page where you choose whether to include the remote setup step in the setup process.

Warnings!
1. When using the remote installation, make sure that all the servers accept the same user credentials as the local server. Credentials are requested only once during the rest of the installation. It is currently impossible to enter different user credentials for the remote servers, and the installation will fail if there is a credentials mismatch.
2. Make sure that the same SQL data sources are used on all the servers. You will be asked to select the MS SQL data source only once (if the Existing MS SQL Server instance option has been selected), as described above, and you will not be able to select a different one for the other servers. A mismatch causes a serious problem: the installation completes on all the servers, but the product may not function properly.

If the remote setup check box is cleared, setup proceeds with the common scenario.
Specify whether a remote installation step is required in the setup process. If the check box is checked, you can select servers for the remote installation. The remote installation server selection dialog follows the user credentials dialog and is similar to the monitored servers discovery dialog.

For remote management, Security uses the WinRM service, which must be available. In the cases listed below, trusted hosts must be configured:
- the client and the remote servers are in different domains and there is no trust between the two domains;
- the client or the remote server is in a domain and the other one is in a workgroup;
- both the client and the remote server are in a workgroup.

Trusted hosts must be configured on both the client and the remote server. This can be done with the command below:

Set-Item wsman:\localhost\client\trustedhosts -Value "{ComputerName}"

or manually with the gpedit.msc console: Local Computer Policy -> Computer Configuration -> Administrative Templates -> Windows Components -> Windows Remote Management (WinRM) -> WinRM Client -> Trusted Hosts. To add all machines from the workgroup to the trusted hosts, the <local> name can be used.

The typical symptom of a trusted hosts problem is the error "WinRM cannot process the request" in the Management Console log. This message may also appear when the system cannot resolve the remote host's path (it is wrong, or the DNS server is inaccessible, for example) or when wrong credentials are used.

5nine Cloud Security Free Edition uses system security log events for logging denied packets. By default, Windows Filtering Platform filtering audit is disabled to prevent system log overflow and to avoid storing unnecessary data. WFP filtering audit can be enabled with the following command:

auditpol /set /subcategory:"Filtering Platform Packet Drop" /success:enable /failure:enable
WFP filtering audit can also be enabled from the 5nine Cloud Security Free Edition setup: the Enable Windows Filtering Platform audit check box is on the Installation settings page. If that check box is checked, the command listed above is executed during the installation process.

You can manually disable WFP audit with the following command:

auditpol /set /subcategory:"Filtering Platform Packet Drop" /success:disable /failure:disable

It is better to disable WFP filtering audit if it is not used, or after 5nine Cloud Security Free Edition is uninstalled.

Confirm the installation.
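The trusted hosts and WFP audit steps above can be scripted and verified rather than typed by hand. The following PowerShell script is an added example; it is not part of the 5nine documentation or product. The host names HV-HOST01 and HV-HOST02 are constructed placeholders, and the function names Add-TrustedHost, Set-WfpPacketDropAudit and Get-RecentWfpDrops are chosen for this example. It merges new names into the existing TrustedHosts value instead of overwriting it, reads the audit setting back from auditpol so a script can fail if the change did not take, and lists the most recent security-log events with ID 5152 (the Windows Filtering Platform blocked-packet event that this audit subcategory produces) to confirm that denied packets are actually being recorded.

```powershell
# Added example, not from the 5nine documentation. Run in an elevated
# PowerShell session on the management client and on each managed host.

function Add-TrustedHost {
    param([Parameter(Mandatory)][string[]]$ComputerName)
    $path = 'WSMan:\localhost\Client\TrustedHosts'
    # Keep whatever is already trusted; overwriting the value silently
    # drops hosts that other tooling depends on
    $current = (Get-Item -Path $path).Value
    $existing = @()
    if (-not [string]::IsNullOrWhiteSpace($current)) {
        $existing = $current -split ',' | ForEach-Object { $_.Trim() }
    }
    $merged = @($existing) + @($ComputerName) | Sort-Object -Unique
    # -Force suppresses the interactive confirmation prompt
    Set-Item -Path $path -Value ($merged -join ',') -Force
    return (Get-Item -Path $path).Value
}

function Set-WfpPacketDropAudit {
    param([switch]$Disable)
    $state = if ($Disable) { 'disable' } else { 'enable' }
    $sub = 'Filtering Platform Packet Drop'
    & auditpol.exe /set /subcategory:"$sub" /success:$state /failure:$state | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "auditpol failed with exit code $LASTEXITCODE" }
    # Read the effective setting back (/r gives CSV; blank lines are skipped)
    $row = & auditpol.exe /get /subcategory:"$sub" /r |
        Where-Object { $_ -match ',' } | ConvertFrom-Csv
    return $row.'Inclusion Setting'   # e.g. "Success and Failure"
}

function Get-RecentWfpDrops {
    param([int]$Count = 10)
    # Event ID 5152: "The Windows Filtering Platform blocked a packet."
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5152 } `
        -MaxEvents $Count -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id,
            @{ Name = 'Summary'; Expression = { ($_.Message -split "`n")[0].Trim() } }
}

# Constructed host names; replace with the real Hyper-V hosts
Add-TrustedHost -ComputerName 'HV-HOST01', 'HV-HOST02'
Set-WfpPacketDropAudit
Get-RecentWfpDrops | Format-Table -AutoSize
```

Run Set-WfpPacketDropAudit -Disable to reverse the change after uninstallation, as the text above recommends. If Get-RecentWfpDrops returns nothing shortly after enabling the audit, that is expected until a packet is actually dropped; an empty result long after denies are configured points at the audit policy being overridden by Group Policy.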
Confirm the 3f3b34c.msi installation and choose the necessary settings if asked (this depends on your server's OS security settings).

Set the SQL Server instance that will be used and connect to it by entering the user name and password. Either SQL Server Authentication or Windows Authentication can be used to access your database. To find out which authentication is used, and to get the user name and password, contact your database administrator. The installer skips this step if MS SQL Server Compact was previously selected as the data source. You can test the database connection by pressing the Test connection button. On a successful connection, a message of the following type appears.
Set the account for the Security Management service as required.

If you earlier chose the option Include Remote installation step in setup process, as described above, you will be asked to choose the remote host(s) on which 5nine Cloud Security Free Edition will be installed. You may add servers to the list individually by pressing the Add button and entering the server name manually in the dialog window, let 5nine Cloud Security Free Edition search for and add servers automatically by pressing the AD Discovery button, or search for servers by IP range/subnet mask, which can be set in the window called out by pressing the IP Discovery button.
Install the product on the previously selected servers in the next dialog. It shows a table with the servers and their installation status. Possible statuses are:
- Idle. Waiting for the Start button to be pressed.
- Processing. Remote installation in progress.
- Complete. Remote installation completed.
- Failed. Remote installation failed. Additional information about the error is shown in the description column.

Remote installation runs in parallel for each selected server. The MSI file and the selected license file are copied to drive C: on the remote machine (the user must have permission to write files on the target machine). After the files are copied, the installation is started in silent mode with the parameters selected for the local installation. After the installation is complete, the temporary files are removed and the remote machine is rebooted. To use the remote installation feature, the user must keep the MSI file name unchanged: vfwsetup.msi. After all installations have completed (successfully or not), the user can close the dialog and continue with the installation.

After the remote installation step, the next step is the monitored servers selection. The local machine is included in the list by default. Servers from a previous installation configuration (if it was saved) are also included in the list.

Press the Start button to start the remote installation, watch the process and results, and press the Close button when the remote installation process is complete.
Add servers for monitoring (press the Add button in the Servers for monitoring window). Select the servers from the list (a separate Select Hyper-V Servers window opens) and then set the credentials in the dialog window. Contact your network administrator to get the credentials. You can select one of two ways of authentication:
1) Use default credentials. The current user's credentials will be used.
2) Use custom credentials. You define the credentials that will be used to manage vfirewall on the target server. Those credentials are used only for authentication when retrieving the virtual machine list and managing vfirewall through the PowerShell API. They do not affect the user account used by the vfirewall service on the target machine.

You may change the properties of an already added server at any time by pressing the Edit button in the Servers for monitoring window. You can also change the server credentials and the default monitoring state later in the Server Properties dialog (refer to the Changing Host Settings subsection of the 5nine Security Operations section).

You may also add servers to the list individually by pressing the Add button and entering the server's name manually in the dialog window, let 5nine Cloud Security Free Edition search for and add servers automatically by pressing the AD Discovery button, or search for servers by IP range/subnet mask, which can be set in the window called out by pressing the IP Discovery button.

At the end of a successful 5nine Cloud Security Free Edition installation the following message appears. To finally complete the installation, confirm rebooting of your host.
vfirewall Silent Installation

The vfirewall installer accepts the following parameters:
1) DataSource. Defines which SQL database to use. It consists of several parts. The first part defines the type of data source; possible values are CE and SQLInstance. CE specifies that the local SQL CE 4.0 server will be used; SQLInstance specifies that a specific SQL Server instance will be used. The second part defines the name of the SQL Server to use (only for SQLInstance). The third part defines the SQL Server authorization type; possible values are WinAuth (authorization with Windows user credentials) or SQLAuth (authorization by SQL account). If SQLAuth is specified, the user must also give the SQL user name and password, separated by a comma. All parts of the DataSource parameter are separated by commas.

Common form of the DataSource string:

{ CE, SQLInstance }[, ServName,{ WinAuth, SQLAuth }[, UsrName,Password]]

Examples of the DataSource parameter:

CE
SQLInstance, SOME_SERVER\SQLEXPRESS, WinAuth
SQLInstance, SOME_SERVER\SQLEXPRESS, SQLAuth, sa,sa

2) SrvUserName. Defines the user name for the vfirewall service.
3) SrvPassword. The user's password.
4) LicenseFile. License file path.

Silent installation command line sample:

vfwsetup.msi /q Datasource="SQLInstance, SOME_SERVER\SQLEXPRESS, WinAuth" SrvUserName="SOME_DOMAIN\Administrator" SrvPassword="123" LicenseFile="c:\license.txt"

After a silent installation the machine is automatically rebooted.
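The DataSource grammar above is easy to get wrong in a hand-typed command line, and the service password ends up in shell history. The following PowerShell is an added example, not part of the 5nine documentation or product: New-VfwDataSource builds and validates the string from its parts according to the grammar, and Install-VfwSilent launches the installer with the documented properties, taking the service account as a PSCredential. Two things are assumptions here: that the installer is started through msiexec.exe /i with the properties passed on the msiexec command line (the page only shows vfwsetup.msi /q ...), and the /l*v log file, which is added for troubleshooting. The function and parameter names are chosen for this example; the server and account values in the usage lines are constructed.

```powershell
# Added example, not from the 5nine documentation.

function New-VfwDataSource {
    param(
        [Parameter(Mandatory)][ValidateSet('CE', 'SQLInstance')][string]$Type,
        [string]$Server,                                   # e.g. SOME_SERVER\SQLEXPRESS
        [ValidateSet('WinAuth', 'SQLAuth')][string]$Auth = 'WinAuth',
        [string]$User,
        [string]$Password
    )
    # Grammar from the page: { CE, SQLInstance }[, ServName,{ WinAuth, SQLAuth }[, UsrName,Password]]
    if ($Type -eq 'CE') { return 'CE' }
    if (-not $Server) { throw 'SQLInstance requires -Server (e.g. HOST\SQLEXPRESS)' }
    $parts = @($Type, $Server, $Auth)
    if ($Auth -eq 'SQLAuth') {
        if (-not $User -or -not $Password) { throw 'SQLAuth requires -User and -Password' }
        $parts += $User, $Password
    }
    return ($parts -join ', ')
}

function Install-VfwSilent {
    param(
        [Parameter(Mandatory)][string]$MsiPath,
        [Parameter(Mandatory)][string]$DataSource,
        [Parameter(Mandatory)][pscredential]$ServiceCredential,
        [string]$LicenseFile,                              # optional: the Free Edition needs none
        [string]$LogPath = "$env:TEMP\vfwsetup.log"        # assumption: msiexec logging added here
    )
    # The remote installation feature expects the file name unchanged
    if ((Split-Path -Path $MsiPath -Leaf) -ne 'vfwsetup.msi') {
        throw 'Keep the installer name vfwsetup.msi'
    }
    if (-not (Test-Path -Path $MsiPath)) { throw "Installer not found: $MsiPath" }

    $plain = $ServiceCredential.GetNetworkCredential().Password
    # Assumption: properties are passed on the msiexec command line
    $msiArgs = @(
        '/i', ('"{0}"' -f $MsiPath), '/q',
        ('Datasource="{0}"' -f $DataSource),
        ('SrvUserName="{0}"' -f $ServiceCredential.UserName),
        ('SrvPassword="{0}"' -f $plain),
        '/l*v', ('"{0}"' -f $LogPath)
    )
    if ($LicenseFile) { $msiArgs += ('LicenseFile="{0}"' -f $LicenseFile) }

    $proc = Start-Process -FilePath msiexec.exe -ArgumentList $msiArgs -Wait -PassThru
    return $proc.ExitCode   # 0 = success, 3010 = success but reboot required
}

# Usage with constructed values
$ds   = New-VfwDataSource -Type SQLInstance -Server 'SOME_SERVER\SQLEXPRESS' -Auth WinAuth
$cred = Get-Credential -Message 'Account for the vfirewall service'   # e.g. SOME_DOMAIN\vfwsvc
$code = Install-VfwSilent -MsiPath 'C:\Temp\vfwsetup.msi' -DataSource $ds -ServiceCredential $cred
"msiexec exit code: $code"
```

Because the password still has to reach the installer as a plain property, the msiexec log written to -LogPath should be deleted or access-restricted after a successful run, and the script itself should not be left in a world-readable share with credentials embedded.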
5nine Security Operations

To configure 5nine Cloud Security Free Edition, use the menu commands described below.

Adding and Removing Hosts

To add host(s) for monitoring, use the Hosts -> Add Host menu command, then type the host name(s) into the dialog or select them from the list (as described above). Set the authentication parameters just as during installation (refer to Installation). To remove a host from monitoring, select it in the tree and use the Hosts -> Remove Host menu command.

Setting v-firewall Rules

Adding Rules

To add 5nine Cloud Security Free Edition rules, use the Rules menu commands.
Adding an IP rule: set the necessary parameters, using a space and a comma as delimiters when specifying remote IPs and VMs, as shown in the dialog windows. To select remote virtual machines from a list, press the button to the right of the field containing their names, check the machines you would like to add, and then press OK. Finally click Ok and the rule will appear in the 5nine Cloud Security Free Edition main window.
Rule templates

5nine Cloud Security Free Edition includes pre-defined rule parameter sets (templates) that populate the dialog with the values needed to create rules for some common scenarios (e.g. HTTP access; remote access through RDP, Telnet or SSH, etc.). These templates already contain the values that would otherwise have to be entered in the dialog, i.e. protocol, TCP/UDP port number, etc. The only thing you need to do is select the template you need and choose the right direction, action and remote VMs/IP addresses to which the rule will apply.

To use a rule template, click the Templates button in the lower left corner of the Add Rule dialog. The following dialog shows the template list, with the most commonly used scenarios placed at the top of the list and marked as "Popular":
- select the scenario you need with a left-click;
- select the direction (inbound/outbound);
- click Apply.

The Add Rule dialog will be filled with the parameters applicable to the selected scenario.

Note. Be careful when choosing the direction of the traffic you wish to allow or block. It is important to set this parameter correctly, because the assigned TCP/UDP port (local or remote) depends on the direction; otherwise the rule you create will not work properly. E.g. if you wish to create the HTTP rule on the VM that is a web client, set the Outbound direction; if you wish to create the same rule on the VM that is a web server, set the Inbound direction. The 5nine Cloud Security Free Edition template sets HTTP port 80 as remote for the VM client and as local for the VM server, so that the TCP segment analysis is set up properly. Contact your network expert if assistance is needed.

As an example, let's see how it works for the HTTP rule allowing traffic on the VM web client. Select the template row named "HTTP". Make sure you have selected the Outbound direction ("Inbound" is the default). Click Apply. The Add Rule dialog will be filled automatically.

Adding rules for multiple virtual machines: the following message appears when multiple rules are added successfully.
Adding a default gateway rule: here you have two options:
- Add rules to Virtual machines Global Rules: the rule being created is added to the Global-VM Rules list and applies to all the VMs set on v-firewall;
- Add rules to selected Virtual machines: the rule being created is added only to the rule lists of the VMs that were chosen.

After pressing Ok, the following message should appear to inform you that you have successfully added the default gateway rules, and a single IP rule with the following characteristics is automatically created and added to the necessary places as described above:
- Name: Default gateway IP Rule;
- Type of rule: IP;
- Type: Any;
- Action: Allow;
- Protocol: Any;
- Remote IPs: 192.168.1.1 (as entered in the example given here);
- Local ports: Any;
- Remote ports: Any;
- Priority: 1.

As you can see, this IP rule is a permissive rule. It ensures that VMs are able to send/receive traffic to/from other subnets through their default gateway, which has to be properly configured in the TCP/IP settings (or at a DHCP server or a router if automatic IP settings assignment via DHCP is used in your network). Naturally, other permissive rules have to be created additionally for the necessary types of traffic and added to the necessary VMs.

Editing a rule

To edit a rule, select it in the list, then click the Edit Rule button on the top menu panel. Then change the IP, ARP or Broadcast rule settings in the appropriate dialog, just as when adding the rule.

Removing a rule

To remove a rule, select it in the list, then click the Remove Rule button on the top menu panel. The rule disappears from the list.
Changing rule order

To change the order of rules in the list (up or down), click the Change Order button on the top menu panel and set the desired order in the dialog window. Select one of the options:
- Move First to put the selected rule in the first place in the list.
- Move Last to put the selected rule in the last place in the list.
- Move After to put the selected rule after another rule. Select that rule from the list box next to this option.

Rules are applied in accordance with their positions in the list.

Setting Virtual Firewall

To set a virtual firewall, use the Settings -> v-firewall menu command.
Specify which VMs will be set on the virtual firewall in the dialog. Clear the check box to remove a VM from monitoring, then press OK. To set a particular VM on monitoring, select the VM and use the Monitoring context menu command. Use the same command to remove the VM from vfirewall protection.

Antivirus

5nine Cloud Security Free Edition antivirus works in two ways:
- automatic anti-malware scans by pre-defined schedules;
- on-demand anti-malware scans initiated by the user.

Scheduled Antivirus

To set up 5nine Security Antivirus for scheduled automatic anti-malware runs, enable it on the selected VMs and set the antivirus schedule.
Enable antivirus

To enable scheduled anti-malware scans, use the Settings -> Antivirus menu command. The following dialog appears. Tick the boxes to the left of the VM names for those VMs that you want to enable for the scheduled anti-malware scans (ticking the box to the left of the host name enables antivirus for all of its VMs).

Choose the file extensions that will be scanned for viruses. Here you have two options:
- Scan all files: all files on the virtual machine will be checked.
- Allow me to control exactly what is scanned (default option): only files whose extensions are in the list will be checked.

There is a default list of file types, which is recommended. However, you can edit it by adding or removing file extensions. Press the Add or Remove buttons to add or remove extensions. Add the file extension and its description in the dialog, then click Ok. To edit an already added extension, find it in the list, click the Edit button and perform the same actions in the Edit extension dialog. To include files without extensions in the scanning process, enable the Scan files with no extension option (disabled by default). To restore the default settings, press the Restore defaults button on the Extensions tab.
If you do not want the Hyper-V cloud snapshot to be removed after the scan, open the Advanced tab and clear the Remove Hyper-V snapshot after scan check box, which is ticked by default.

Set antivirus schedule

To set the antivirus schedule, use the Settings -> Antivirus Schedule menu command. The Antivirus Schedule List dialog appears.
Call out the schedule setting window by pressing the Add button in that dialog. Set the recurrence parameters: hourly, daily, weekly or monthly.
At the end press Ok.

On-Demand antivirus

To run an on-demand anti-malware scan on a host and control it, select the host in the tree on the left, then use the appropriate Antivirus context menu command:
- Start to start the anti-malware scan.
- Stop to terminate the anti-malware scan.
- Query to retrieve the anti-malware scan state. The state is shown in a message.
- Pause to temporarily pause the anti-malware scan.
- Resume to continue the temporarily paused anti-malware scan.
- Last scan log to view the results of the last anti-malware scan. The results appear on the Antivirus tab.
To run an on-demand anti-malware scan on a virtual machine and control it, select the virtual machine in the tree on the left, then use the appropriate Antivirus context menu command, or use the appropriate buttons on the Antivirus tab. The controls are the same as when operating on a host.

Changing VM Settings

To change virtual machine settings, select the virtual machine in the tree on the left, then click the VM Settings button on the top menu panel or use the VM Settings context menu command. The following dialog appears. Here you can enable/disable logging on the particular VM and set logging parameters such as retention length in days and log record count.

Changing Host Settings

To change host settings, first select the host in the tree on the left, then use the Settings context menu command. The Server Properties dialog appears.
Set the authentication parameters as described in the Adding and Removing Hosts subsection. Tick the Enable monitoring on new VMs by default box to set vfirewall automatically when a new VM is added (either created or migrated) on the host.

The default monitoring state is stored in the management service configuration file (the DefaultMonitoringState setting in 5nine.VirtualFirewall.Manager.exe.config). The default monitoring state is individual for each monitored host. By default it is set to true, which means that all new virtual machines have their monitoring state set to Enabled. When a new virtual machine is created on a monitored host, vfirewall checks whether there are any saved settings for it (as when the machine was created by migration from another host with vfirewall installed). If there are no previously saved settings, the new VM's monitoring state is set to the default monitoring state value.

Click OK.

Press the Workload thresholds button to change the workload parameters if necessary. The following dialog appears. Set the virtual environment workload thresholds for the server's processor, memory, disk input/output and network input/output over-utilization (all in percent of maximum), then press Ok. The defaults are:
- Processor over-utilization threshold: 80
- Memory over-utilization threshold: 90
- Disk I/O over-utilization threshold: 80
- Network I/O over-utilization threshold: 80

While an anti-malware scan is running, the scanning process on each VM is automatically paused/resumed (as necessary) according to the current workload parameters, preventing the host from being overloaded.

Refreshing the Object Tree

To refresh or change the view (list or tree), use the View menu commands.
5nine Security Information

To get 5nine Cloud Security Free Edition information, use the Help -> About menu command. The dialog displays the product version installed on your server and copyright information.

5nine Security Configuration File and PowerShell API

v-firewall (vfw3) service configuration file: %Program Files%\5nine\5nine v-firewall 3.0\5Nine.vFW.vFWService.exe.cfg

<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <configSections>
    <section name="MonitoredHosts" type="fivenine.vfw.vfwservicehelpers.monitoredhostsconfigurationsection, 5Nine.vFW.vFWServiceHelpers" />
  </configSections>
  <MonitoredHosts>
    <host name="host1" />
    <host name="host2" />
    ...
    <host name="hostn" />
  </MonitoredHosts>
  <appSettings>
    <add key="heartbeatperiod" value="5000" />
    <add key="attemptsbeforepause" value="4" />
    <add key="logfile" value="vfirewall2.log" />
    <add key="loglevel" value="information" />
  </appSettings>
</configuration>
Get the list of VM machines The sample of Power Shell script to get GUIDs of VM machines from the specified host $VMs = get-wmiobject -computername $hyper -namespace "root\virtualization" -query "SELECT * FROM Msvm_ComputerSystem WHERE Caption Like '%virtual%'" foreach ($VM in $VMs) { write-host "==================================" write-host "VM Name: " $VM.ElementName write-host "VM GUID: " $VM.Name } API description Add-IP-Rule Add-IP-Rule -VMId <Guid> -Name <String> [-Description <String>] [- Type <String>] -Action <RuleAction> -Protocol <String> [-LocalPort s <String>] [-RemotePorts <String>] [-IPAddresses <String>] [-VMs <String>] [-MACAddresses <String>] [-Priority <Int32>] [-ApplyNow] [-Verbose] [-Debug] [-ErrorAction <ActionPreference>] [-WarningAc tion <ActionPreference>] [-ErrorVariable <String>] [-WarningVariab le <String>] [-OutVariable <String>] [-OutBuffer <Int32>] Set-VMMonitoring Set-VMMonitoring -VMId <Guid> -Enable 1 0 [-Verbose] [-Debug] [-ErrorA ction <ActionPreference>] [-WarningAction <ActionPreference>] [-Er rorvariable <String>] [-WarningVariable <String>] [-OutVariable <S tring>] [-OutBuffer <Int32>] Get-LogRecords Get-LogRecords -VMId <Guid> [-Verbose] [-Debug] [-ErrorAction <Act ionpreference>] [-WarningAction <ActionPreference>] [-ErrorVariabl e <String>] [-WarningVariable <String>] [-OutVariable <String>] [- OutBuffer <Int32>] Get-Rules Get-Rules [-Id <Guid[]>] [-VMId <Guid>] [-Verbose] [-Debug] [-Erro raction <ActionPreference>] [-WarningAction <ActionPreference>] [- ErrorVariable <String>] [-WarningVariable <String>] [-OutVariable <String>] [-OutBuffer <Int32>] Get-VMIPMAC Get-VMIPMAC -VMId <Guid> [-Verbose] [-Debug] [-ErrorAction <Action Preference>] [-WarningAction <ActionPreference>] [-ErrorVariable < 40
String>] [-WarningVariable <String>] [-OutVariable <String>] [-OutBuffer <Int32>]

Get-VMMonitoring

    Get-VMMonitoring [-VMId <Guid>] [-Verbose] [-Debug] [-ErrorAction <ActionPreference>] [-WarningAction <ActionPreference>] [-ErrorVariable <String>] [-WarningVariable <String>] [-OutVariable <String>] [-OutBuffer <Int32>]

Remove-Rule

    Remove-Rule -Id <Guid> [-ApplyNow] [-Verbose] [-Debug] [-ErrorAction <ActionPreference>] [-WarningAction <ActionPreference>] [-ErrorVariable <String>] [-WarningVariable <String>] [-OutVariable <String>] [-OutBuffer <Int32>]

Reset-Rules

    Reset-Rules -VMId <Guid> [-Verbose] [-Debug] [-ErrorAction <ActionPreference>] [-WarningAction <ActionPreference>] [-ErrorVariable <String>] [-WarningVariable <String>] [-OutVariable <String>] [-OutBuffer <Int32>]

Set-Rule

    Set-Rule -Id <Guid> [-Name <String>] [-Description <String>] [-Type <String>] [-Action <RuleAction>] [-Protocol <String>] [-LocalPorts <String>] [-RemotePorts <String>] [-IPAddresses <String>] [-MACAddresses <String>] [-VMs <String>] [-Priority <Int32>] [-ApplyNow] [-Verbose] [-Debug] [-ErrorAction <ActionPreference>] [-WarningAction <ActionPreference>] [-ErrorVariable <String>] [-WarningVariable <String>] [-OutVariable <String>] [-OutBuffer <Int32>]

Set-VMIPMAC

    Set-VMIPMAC -VMId <Guid> [-IPAddresses <String>] [-MACAddresses <String>] [-Verbose] [-Debug] [-ErrorAction <ActionPreference>] [-WarningAction <ActionPreference>] [-ErrorVariable <String>] [-WarningVariable <String>] [-OutVariable <String>] [-OutBuffer <Int32>]

How to Set Firewall Rules in vfw3

Sample scenario: allow RDP access to a VM

Launch PowerShell and enter the following commands:

    o Add-PSSnapIn RulesAPI
      adds the vfw3 API snap-in to PowerShell
    o Get the VM GUID by running the sample PS script (see Sample scripts below)
    o Set-VMMonitoring -VMId <Guid> -Enable 1
      puts the VM under vfw3 monitoring
    o Add-IP-Rule -VMId <Guid> -Name "Allow RDP" -Action Allow -Protocol TCP -LocalPort 3389
      adds an IP rule allowing inbound packets to port 3389 (RDP)

The same scenario with the vfw3 management console:

1. Set the VMs for monitoring (use the Settings -> Monitoring top menu command or the VM context menu command):

2. Set an IP rule to allow inbound traffic to port 3389:

Sample scripts

Basic sample script to allow port 80 on a Win2003 VM:

1. List the VMs on the host with their GUIDs:

    # Caption LIKE '%virtual%' selects the virtual machines and leaves out the
    # host itself, whose Msvm_ComputerSystem Caption is "Hosting Computer System".
    $VMs = Get-WmiObject -ComputerName superserver2 -Namespace "root\virtualization" -Query "SELECT * FROM Msvm_ComputerSystem WHERE Caption Like '%virtual%'"
    foreach ($VM in $VMs) {
        Write-Host "=================================="
        Write-Host "VM Name: " $VM.ElementName
        Write-Host "VM GUID: " $VM.Name
    }

   Press Enter twice to run the block. Note the GUID for Win2003; in this example it is 7D2FDDAB-3B41-4FB1-99E0-CDD633453FCA.

2. Set-VMMonitoring -VMId 7D2FDDAB-3B41-4FB1-99E0-CDD633453FCA -Enable 1

3. Add-IP-Rule -VMId 7D2FDDAB-3B41-4FB1-99E0-CDD633453FCA -Name "Allow HTTP" -Action Allow -Protocol TCP -LocalPort 80

4. Get-LogRecords -VMId 7D2FDDAB-3B41-4FB1-99E0-CDD633453FCA

Sample common scenarios using the Management console GUI

Allowing FTP and DHCP

1. Allow active FTP on a VM:
   a. For the protocol interpreter (PI, the control connection on TCP port 21):
   b. For the data transfer process (DTP, the data connection the server opens from its TCP port 20):

2. Allow DHCP on a VM (the VM is a DHCP client):
   a. Allow the client's request to the DHCP server (UDP, client port 68 to server port 67):
   b. Allow the DHCP response to the client (UDP, server port 67 to client port 68):

Allow remote access to a VM

Common scenario:
- the VM runs IIS, and possibly MS SQL Server;
- RDP should be open;
- HTTP traffic should be allowed:
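The PowerShell sample and the "Allow remote access to a VM" scenario above, combined into one script. This is an added example, not part of the 5nine manual or the RulesAPI snap-in: it resolves the VM GUID by name instead of copying it from the WMI listing by hand, restricts the RDP rule to an administrative subnet instead of allowing port 3389 from any source, and tries the root\virtualization\v2 namespace first, since Windows Server 2012 R2 hosts no longer expose root\virtualization. The -IPAddresses parameter on Add-IP-Rule (the page documents it only on Set-Rule), the CIDR format it is given, and the host and subnet values are assumptions.

```powershell
# Added example, not from the 5nine manual: allow RDP (scoped to an admin
# subnet) and HTTP to one VM through the RulesAPI snap-in, resolving the VM
# GUID by name. Assumptions: the 5nine cmdlets behave as documented above;
# -IPAddresses on Add-IP-Rule mirrors the parameter documented for Set-Rule
# and accepts a CIDR network; host and subnet values are placeholders.
param(
    [Parameter(Mandatory = $true)][string]$VMName,
    [string]$HostName    = 'superserver2',   # host name used in the manual's sample
    [string]$AdminSubnet = '10.0.0.0/24'     # placeholder management network
)

Add-PSSnapIn RulesAPI -ErrorAction Stop

function Get-HyperVVmGuid {
    param([string]$Name, [string]$ComputerName)
    # Windows Server 2012 R2 removed root\virtualization and keeps only
    # root\virtualization\v2; older hosts have only the v1 namespace, so try both.
    # Caption LIKE '%virtual%' leaves out the host ("Hosting Computer System").
    $safeName = $Name -replace "'", "''"     # WQL quoting: the name is data, not query text
    foreach ($ns in 'root\virtualization\v2', 'root\virtualization') {
        $vm = Get-WmiObject -ComputerName $ComputerName -Namespace $ns -ErrorAction SilentlyContinue `
              -Query "SELECT Name, ElementName FROM Msvm_ComputerSystem WHERE Caption LIKE '%virtual%' AND ElementName = '$safeName'" |
              Select-Object -First 1
        if ($vm) { return [guid]$vm.Name }
    }
    throw "VM '$Name' not found on $ComputerName"
}

$vmId = Get-HyperVVmGuid -Name $VMName -ComputerName $HostName

# Rules have no effect on a VM that is not under v-firewall monitoring.
Set-VMMonitoring -VMId $vmId -Enable 1

# RDP is a management protocol: restrict the source to the admin subnet
# rather than opening 3389 to every peer the VM can reach.
Add-IP-Rule -VMId $vmId -Name 'Allow RDP (admin subnet)' -Action Allow -Protocol TCP `
            -LocalPort 3389 -IPAddresses $AdminSubnet

# HTTP is the public service the VM exists to serve: no source restriction.
Add-IP-Rule -VMId $vmId -Name 'Allow HTTP' -Action Allow -Protocol TCP -LocalPort 80

# Verify that monitoring is on and review what the firewall has logged for this VM.
Get-VMMonitoring -VMId $vmId
Get-LogRecords -VMId $vmId | Select-Object -Last 20
```

Run it as `.\Set-VmAccess.ps1 -VMName Win2003 -AdminSubnet 192.168.10.0/24` from an elevated PowerShell on the host. If Add-IP-Rule rejects the -IPAddresses value, create the rule without it and narrow the source afterwards with Set-Rule -Id <Guid> -IPAddresses, which the syntax above does document.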
5nine Security and Compliance Scanner for Hyper-V

Summary

5nine Security and Compliance Scanner for Hyper-V is a virtual environment security tool that helps you investigate present and potential security problems on your server. It also performs an aggressive anti-malware scan of the server as part of the overall scan. Upon scan completion, 5nine Security and Compliance Scanner for Hyper-V provides a detailed report on each identified security issue.

Installation

To install 5nine Security and Compliance Scanner for Hyper-V, run the 5nine.Scanner.msi installer provided in the installation archive. The welcome wizard will appear:

Click Next. The 5nine Software End User License Agreement will appear. Accept it and click Next.

Select the folder for 5nine Security and Compliance Scanner for Hyper-V: keep the default folder or choose where you would like it to be installed on your server:

Confirm the installation:

When installation is complete, tick the Launch 5nine Security and Compliance Scanner for Hyper-V box if you want it launched immediately, and then click Finish:

The installation is now complete.
Interface

Initially, the 5nine Security and Compliance Scanner for Hyper-V interface looks as below:

When first installed, no scans have been run yet and 5nine Security and Compliance Scanner for Hyper-V is waiting to start its first job. All statuses are differentiated by color for clarity and ease of understanding:

- blue: the parameter has not yet been analyzed;
- green: the parameter is safe and the system is healthy;
- yellow: the parameter is generally safe but there are some warnings;
- red: the parameter is not safe and critical issues/threats to system health have been detected.

The Products tab displays the latest information about currently offered 5nine solutions:

On this tab a brief product description is provided, along with a link to the 5nine Software production site where you can get more information and download free/trial versions of the corresponding products.

The About tab displays the currently installed product version, 5nine Software Inc. contacts and general information.
Operation

There are four critical security parameters checked by 5nine Security and Compliance Scanner for Hyper-V:

- Virtual Machine Firewalling. 5nine Security and Compliance Scanner for Hyper-V detects and displays the status of the virtual firewall: installed and active, installed but not activated (1), or absent. In each case it gives a separate piece of advice or a recommendation. If neither of the 5nine virtual firewall solutions is installed, it will advise you either to enable the Free Version of 5nine Security for Hyper-V (enabling launches the installation; the Free Version is supplied together with the 5nine Security and Compliance Scanner for Hyper-V installer package), and/or to download the Full Version of 5nine Security for Hyper-V Data Center (clicking the appropriate button redirects you to the 5nine Software production site to compare and download the Full Version).

- Intrusion Detection. 5nine Security and Compliance Scanner for Hyper-V detects the presence of the Full Version of 5nine Security for Hyper-V Data Center and the status of its Intrusion Detection Subsystem (2) (please refer to the 5nine Security for Hyper-V Data Center description to find out more about the IDS feature). If the Full Version of 5nine Security for Hyper-V Data Center is not detected on your server, 5nine Security and Compliance Scanner for Hyper-V will advise you to download it from the 5nine Software production site (the appropriate button leads to that site).

- Performance. 5nine Security and Compliance Scanner for Hyper-V detects the presence of the 5nine Hyper-V Cloud Monitor application on the server, and checks general system health parameters such as utilization of the server's memory, processors (both logical and virtual), network and storage. If the 5nine Hyper-V Cloud Monitor application is not detected on your server, 5nine Security and Compliance Scanner for Hyper-V will prompt you to download it from the 5nine Software production site (the appropriate button leads to that site).

- Antivirus Protection. 5nine Security and Compliance Scanner for Hyper-V detects the presence on the server of at least one of the following 5nine products: 5nine Security for Hyper-V Essentials (3), 5nine Security for Hyper-V Data Center or 5nine Security for Hyper-V Free. If none of these security solutions is installed, the scanner will advise you either to enable the Free Version of 5nine Security for Hyper-V (enabling launches the installation; the Free Version is supplied together with the 5nine Security and Compliance Scanner for Hyper-V installer package), and/or to download the Full Version of 5nine Security for Hyper-V Data Center (clicking the appropriate button redirects you to the 5nine Software production site to compare and download the Full Version).

5nine Security and Compliance Scanner for Hyper-V will also perform an extensive virus scan of the virtual disks of the virtual machines currently present on the server, checking the *.vhd/*.vhdx files in the folder they are stored in against the currently known virus signatures. If malware is found, the infected files are placed in the *QAR* folders inside the particular VM (virtual disk).

Notes:

(1) v-firewall activity is determined by the presence and state of the 59vFWManager Windows service. This service must be installed and in the Running state for 5nine Security and Compliance Scanner for Hyper-V to consider the v-firewall status healthy. Otherwise this parameter is considered not safe: the v-firewall is disabled and the VMs are not protected.

(2) IDS state is determined by the presence of a snort* task in the server's active task list. This process belongs to the Snort application that the Data Center IDS feature is based on. If this process is present in the server's memory, the intrusion detection parameter is considered fully healthy. Otherwise 5nine Security and Compliance Scanner for Hyper-V will warn you that IDS is not enabled. Please refer to the 5nine Security for Hyper-V Data Center description to find out more about the IDS feature and the Snort application.

(3) When checking for the presence of 5nine Security for Hyper-V Essentials, the 5nine.Antivirus.AgentService Windows service is also checked to be installed on the server (but not necessarily in the Running state). If at least this service is installed, 5nine Security and Compliance Scanner for Hyper-V considers that an anti-malware solution is installed (which does not automatically mean that the system is healthy, as malware may still be detected).

To initiate the system health scan, simply click the Start Scan button on the main System Scan tab of 5nine Security and Compliance Scanner for Hyper-V and watch the scanning process (intermediate results are shown as it runs):

You can interrupt the scanning process at any time by clicking the Stop Scan button. As each parameter's scan completes, its square changes color from blue to one of the other colors described in the Interface section, depending on the scan results. A number in the upper-right corner of a square indicates that there is a security issue to be addressed. For example, a 1 on a green VMs Firewalling square means that 5nine Security for Hyper-V Free version is installed and the system is generally secured from this point of view, though 5nine Security and Compliance Scanner for Hyper-V suggests that you download and install the full version of 5nine Security for Hyper-V Data Center. How to get the details of each parameter's scan result is described below.

When the scan is complete, all the squares will have changed color:

Now each square is a button that can be pressed to get the scan details for that parameter.
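The three presence checks in notes (1) to (3) are simple enough to reproduce, which is useful when the scanner's GUI is not at hand or many hosts need the same verdict on a schedule. The following PowerShell is an added example, not the scanner's own code: the service and process names are the ones the notes give, and the colour labels mirror the scanner's scheme. Two things are this script's own choices rather than documented scanner behaviour: it reports an installed-but-stopped anti-malware agent as Yellow, and it labels the snort check as presence-only, because a process whose name merely starts with "snort" satisfies the check without proving that VM traffic is being inspected.

```powershell
# Added example, not the 5nine scanner's own code: re-implement the three
# presence checks the manual's notes describe, so the same verdicts can be
# scripted across hosts. Names from the manual: 59vFWManager (v-firewall
# service), snort* (Data Center IDS process), 5nine.Antivirus.AgentService
# (Essentials anti-malware service). Colour labels mirror the scanner's
# scheme; the Yellow for a stopped agent is this script's assumption.
function Get-5nineHealth {
    [CmdletBinding()]
    param([string]$ComputerName = $env:COMPUTERNAME)

    # (1) v-firewall: the service must exist AND be Running to count as healthy.
    $vfw = Get-Service -ComputerName $ComputerName -Name '59vFWManager' -ErrorAction SilentlyContinue
    $vfwStatus = if (-not $vfw) {
                     'Red: 59vFWManager not installed, VMs are not protected'
                 } elseif ($vfw.Status -ne 'Running') {
                     'Red: 59vFWManager installed but ' + $vfw.Status
                 } else {
                     'Green: v-firewall running'
                 }

    # (2) IDS: the scanner only looks for a process whose name starts with "snort".
    #     Any such process satisfies it, so Green here means "present", not
    #     "verified to be inspecting VM traffic".
    $snort = @(Get-Process -ComputerName $ComputerName -Name 'snort*' -ErrorAction SilentlyContinue)
    $idsStatus = if ($snort.Count -gt 0) {
                     'Green: snort process present (' + (($snort | ForEach-Object Name) -join ',') + ')'
                 } else {
                     'Yellow: IDS not enabled (no snort* process)'
                 }

    # (3) Anti-malware: installed is enough for the scanner; Running is not
    #     required. Report the state anyway, because a stopped agent scans nothing.
    $av = Get-Service -ComputerName $ComputerName -Name '5nine.Antivirus.AgentService' -ErrorAction SilentlyContinue
    $avStatus = if (-not $av) {
                    'Red: 5nine.Antivirus.AgentService not installed'
                } elseif ($av.Status -ne 'Running') {
                    'Yellow: agent installed but ' + $av.Status   # assumption: scanner would say installed
                } else {
                    'Green: anti-malware agent running'
                }

    [pscustomobject]@{
        ComputerName   = $ComputerName
        VMsFirewalling = $vfwStatus
        IDS            = $idsStatus
        Antivirus      = $avStatus
    }
}

# Usage: this host, or a list of hosts, showing only the ones that are not all Green.
'HV01', 'HV02' | ForEach-Object { Get-5nineHealth -ComputerName $_ } |
    Where-Object { ($_.VMsFirewalling, $_.IDS, $_.Antivirus) -notmatch '^Green' } |
    Format-List
```

The -ComputerName parameters on Get-Service and Get-Process exist in Windows PowerShell (the version current for this manual); they were removed in PowerShell 7, where the same checks need Invoke-Command or CIM. Note that the Essentials service name is the only anti-malware indicator the manual states; how the scanner recognises the Data Center and Free editions is not documented, so this script under-reports those installs.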
Checking Scan Results

To view scan results, click the appropriate square.

VMs Firewalling

Upon clicking the VMs Firewalling square, the following window appears, displaying the scan results for virtual firewall protection:

In the case above there is no virtual firewall solution installed on the server and the virtual environment is not protected. Therefore 5nine Security and Compliance Scanner for Hyper-V recommends that you install either of the two 5nine Security for Hyper-V solutions: the Free version or the full Data Center version. Clicking the Download Full Version button leads you to the 5nine Software production site, where you can purchase 5nine Security for Hyper-V Data Center. Clicking the Enable Free Version button starts the 5nine Security for Hyper-V Free version installation process (please refer to the Installation subsection of the 5nine Cloud Security for Hyper-V Free Edition section).

Intrusion Detection

Upon clicking the Intrusion Detection square, the following window appears, showing the scan results for IDS protection:

In the above example IDS is not detected on the server, which indicates the absence of 5nine Security for Hyper-V Data Center, which includes IDS. Therefore 5nine Security and Compliance Scanner for Hyper-V recommends that you download and install the Full Data Center Version. Clicking the Download Full Version button leads you to the 5nine Software production site, where you can purchase 5nine Security for Hyper-V Data Center.

Performance

Upon clicking the Performance square, the following window appears, showing the scan results for the system performance parameters:

In the example above all of the server's parameters are healthy, but 5nine Cloud Monitor for Hyper-V is not detected on the server. Therefore 5nine Security and Compliance Scanner for Hyper-V recommends that you download and install this product to help you monitor and troubleshoot important system parameters and the overall performance of hosts and virtual machines in real time. Clicking the Download Cloud Monitor button leads you to the 5nine Software production site, where you can purchase 5nine Cloud Monitor for Hyper-V.

Antivirus Protection

Upon clicking the Antivirus Protection square, the following window appears, showing the scan results for the anti-malware protection status of your system:

In the example above 5nine Security and Compliance Scanner for Hyper-V has completed the anti-malware scan, having checked the VMs and virtual disks stored on your server. No infected files were found; however, no antivirus solution was detected on your server. Therefore 5nine Security and Compliance Scanner for Hyper-V recommends that you install either of the two 5nine Security for Hyper-V solutions: the Free version or the full Data Center version. 5nine Security Essentials Edition is also available as a separate antivirus solution for your system. Clicking the Download Full Version button leads you to the 5nine Software production site, where you can purchase 5nine Security for Hyper-V Data Center. Clicking the Enable Free Version button starts the 5nine Security for Hyper-V Free version installation process (please refer to the Installation subsection of the 5nine Cloud Security for Hyper-V Free Edition section).

Overall Report

To view the overall system scan report, click the View report button. The System Scan Report shows the combined data for the system health scan performed on all four parameters outlined above: