Virtual server access control: Tactics for IT segregation of duties

Ensuring virtual server administrators only access servers that they are authorised to view can be quite a challenge. Virtualisation security expert Ben Chai examines the problems, and the tools and tactics to help control virtual server access.

This tip is part of SearchSecurity.co.UK's Security School lesson Virtualisation security for enterprise servers.

One major challenge of working in a virtual server environment is preventing administrators of either a host machine or a virtual machine from accessing another virtual machine that they are not authorised to view or manage.

In this article, we'll look at steps that you can take to mitigate this risk.

Most large environments already practise IT segregation of duties for server access and administration. For example, the email administrator can access, manage and configure the corporate messaging servers but cannot touch the corporate database or line-of-business servers; the database administrator, in turn, can only access databases, and so on.

Furthermore, the majority of these physical servers are rack-mounted and accessed using KVM (keyboard, video, mouse) switch technology to connect and switch between multiple physical servers using a single set of input devices. In advanced environments, the KVM technology used is smart enough to know that the email administrator cannot access database servers, and therefore, will only display servers that the email administrator is authorised to access.

The goal of these safeguards is to keep unauthorised, unqualified and potentially unknown people away from critical servers. Hosting multiple virtual servers on a single host, however, brings new challenges to this model. By default, the host administrator has full access to the virtual machine files on the host, and on any other host that those VMs may "jump" to. A virtual machine jump (more commonly called live migration) is the automatic or manual moving of a running virtual machine from one host to another. Normally a jump takes place when a host no longer has adequate hardware resources to run a virtual machine properly, or when a host is taken out of service for maintenance.

Fortunately there are ways to help resolve this conundrum using the native technologies that ship with the host platform. In VMware, for example, one fairly simple option is the virtual machine encryption feature, where the product in use provides it, which makes a VM's files usable only by the specific users who hold the key.

Similarly, NTFS access control lists (ACLs) on the virtual machine files can be used for the same purpose with Microsoft's Hyper-V. Another option is the Encrypting File System (EFS), although Microsoft does not support EFS for Hyper-V virtual hard disk files on the host and points to BitLocker instead. The method published by the vendor is to combine full-volume encryption (BitLocker) with ACLs. Even this does not prevent other VM administrators from starting and stopping a Hyper-V virtual machine, because those operations are governed by Hyper-V's own authorisation store (Authorization Manager), not by the file permissions. Furthermore, at the time of writing BitLocker cannot be used on volumes in a failover cluster, and since clustering is a practical necessity in any virtualised environment -- unless the business can tolerate the sudden outage of four, eight or 10 virtual servers when a host fails -- it is difficult to guarantee the same level of access control for virtual servers as for physical ones.
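Because file permissions are the first line of defence on a Hyper-V host, the check a practitioner wants is a way to see which principals can actually reach each VM folder. The PowerShell script below is an added example, not code from the original article or from Microsoft: it audits the NTFS ACLs on the folders that hold virtual machine files and reports any principal that is not expected to manage that folder, as well as any expected group that has no entry at all. The folder paths, group names and the list of required system principals are assumptions to be adapted to your own host.

```powershell
# Added example, not from the original article. Audits NTFS ACLs on the folders
# that hold Hyper-V virtual machine files and reports (a) principals that can
# reach a folder they are not expected to manage and (b) expected admin groups
# that have no entry at all. Paths, group names and system principals are
# assumptions; adjust them to your host.

# Assumed layout: one folder per business area, one admin group per area.
$ExpectedAccess = @{
    'D:\VMs\Mail' = @('CORP\MailAdmins')
    'D:\VMs\DB'   = @('CORP\DbAdmins')
}

# Principals Hyper-V itself needs to run the VMs. The host's local
# Administrators group is deliberately NOT listed, so it appears in the report
# and you can see which hosts still give every host admin access to every VM.
# Older hosts may also need 'NT AUTHORITY\NETWORK SERVICE' here (assumption).
# Per-VM worker-process identities appear as 'NT VIRTUAL MACHINE\<GUID>' and
# are skipped in the loop below because Hyper-V manages them itself.
$RequiredPrincipals = @('NT AUTHORITY\SYSTEM')

function Get-VMFolderAclFindings {
    param(
        [Parameter(Mandatory)][hashtable]$Expected,
        [Parameter(Mandatory)][string[]]$Required
    )
    foreach ($folder in $Expected.Keys) {
        if (-not (Test-Path -LiteralPath $folder)) {
            [pscustomobject]@{ Folder = $folder; Principal = '-'; Rights = '-'; Issue = 'folder not found' }
            continue
        }
        $acl  = Get-Acl -LiteralPath $folder
        $seen = @()
        foreach ($ace in $acl.Access) {
            $who = $ace.IdentityReference.Value
            if ($who -like 'NT VIRTUAL MACHINE\*') { continue }
            # A Deny entry does not grant access, so it is not a finding here.
            if ($ace.AccessControlType -eq 'Deny') { continue }
            $seen += $who
            if ($Required -contains $who -or $Expected[$folder] -contains $who) { continue }
            [pscustomobject]@{
                Folder    = $folder
                Principal = $who
                Rights    = $ace.FileSystemRights
                Issue     = if ($ace.IsInherited) { 'unexpected access (inherited)' } else { 'unexpected access' }
            }
        }
        # An expected group with no Allow entry means that team cannot manage its own VMs.
        foreach ($group in $Expected[$folder]) {
            if ($seen -notcontains $group) {
                [pscustomobject]@{ Folder = $folder; Principal = $group; Rights = '-'; Issue = 'expected group has no entry' }
            }
        }
    }
}

Get-VMFolderAclFindings -Expected $ExpectedAccess -Required $RequiredPrincipals |
    Format-Table -AutoSize
```

Run it on each host in the cluster, since a VM that has jumped to another host inherits whatever ACLs that host's folder carries. Inherited entries are usually the culprit: a broad grant on the parent volume flows down to every VM folder unless inheritance is broken. Remember that this is a deterrent rather than a hard control: a member of the host's local Administrators group can always take ownership of the files and reset the ACL, which is why the article goes on to recommend delegation tools and limiting who is a host administrator in the first place.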

Delegation Tools
Depending on the number of virtual servers being managed, and especially for companies running a large estate, your best course of action is a delegation tool that segregates duties and dictates who can manage, access and configure which server. These tools make the appropriate virtualisation files and templates available only to the relevant administrators: virtual email servers, and the templates for those machines, can be made available to the messaging administrators and no one else. In addition, the tools resolve the myriad file permissions required to secure key files, so that you do not have to set them by hand.

VMware's delegation tool is vCenter Server (formerly VirtualCenter) and Microsoft's is System Center Virtual Machine Manager (SCVMM). These tools can come at an additional cost depending on your negotiated licence agreement, but they are frankly invaluable in your overall virtual machine security management. Trying to manage, reset and keep track of permissions by hand when a virtual machine jumps to another host is permission hell; vCenter and SCVMM help to maintain the file permissions and keep them consistent for the different administrators who have management and configuration access to those virtual servers.
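What delegation looks like in practice on the VMware side is a restricted role bound to an inventory object rather than to a host. The following VMware PowerCLI script is an added example, not code from the original article or from VMware: it creates a role that can only power and console into virtual machines, then grants that role to the messaging administrators' group on a single VM folder so they see and operate only the VMs inside it. The vCenter name, folder name, group name and the chosen privilege set are assumptions.

```powershell
# Added example, not from the original article or from VMware. Builds a
# restricted vCenter role with PowerCLI and grants it to one admin group on one
# VM folder only. Server, folder, group and privilege names are assumptions.

Connect-VIServer -Server 'vcenter.corp.example'   # assumed vCenter host name

# Day-to-day privileges a messaging admin needs. Deliberately omits datastore
# browsing, VM creation/deletion and configuration changes, so the role cannot
# be used to copy or attach another team's disks.
$privIds = @(
    'System.Anonymous', 'System.View', 'System.Read',
    'VirtualMachine.Interact.PowerOn',
    'VirtualMachine.Interact.PowerOff',
    'VirtualMachine.Interact.Reset',
    'VirtualMachine.Interact.ConsoleInteract',
    'VirtualMachine.Interact.DeviceConnection'
)

# Create the role once; reuse it on later runs.
$role = Get-VIRole -Name 'MailVMOperator' -ErrorAction SilentlyContinue
if (-not $role) {
    $role = New-VIRole -Name 'MailVMOperator' -Privilege (Get-VIPrivilege -Id $privIds)
}

# Bind the role to the 'Mail' VM folder (assumed name) and propagate it to the
# VMs inside. Because the permission lives on the folder, it follows the VMs
# wherever they migrate; no per-host file permissions to reset.
$mailFolder = Get-Folder -Name 'Mail' -Type VM
New-VIPermission -Entity $mailFolder -Principal 'CORP\MailAdmins' -Role $role -Propagate $true

# Verify: the group should hold permissions on the Mail folder and nowhere else.
Get-VIPermission -Principal 'CORP\MailAdmins' |
    Select-Object Entity, Role, Propagate |
    Format-Table -AutoSize

Disconnect-VIServer -Confirm:$false
```

Two caveats a practitioner will want. First, these permissions are enforced by vCenter only: anyone who can log in to an ESX host directly, or connect a client straight to the host, bypasses them, which is exactly why the article stresses limiting host administrators as well. Second, run the verification step after any reorganisation of the inventory, because a VM moved out of the folder silently loses the permission and a VM moved in silently gains it.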

Unfortunately these tools alone will not fully segregate the virtual servers from the host unless you also restrict what the administrators of every host machine in your organisation can reach, since a host administrator with local rights can still get at the VM files directly. At the time of publication, a few third-party KVM vendors, such as Raritan Computer Inc., offer true segregation of virtual servers, but their products are currently limited to VMware. For Microsoft's Hyper-V, SCVMM can provide a Web-based self-service portal through which server administrators see only their own servers, provided those administrators are given access to the portal component alone and not to the full SCVMM administrator console.

True segregation of server administration for the various virtual servers is a challenging task. The main pointers for ensuring secure virtual server access are:

  1. Limit the virtual servers to which the host administrator has access using access controls and encryption technology.
  2. Use the vendor add-on tools to help segregate each virtual server and prevent each server's administrator from accessing other virtual servers that they are not authorised to manage.
  3. Document the corporate virtual server management strategy for when future host servers come online.
  4. For highly sensitive areas, consider virtual machine portal tools, such as Microsoft's SCVMM self-service portal, that display only the servers each administrator has access to.

About the author:
Ben Chai is a founding director of Incoming Thought Limited, an IT security training and consultancy practice based in Surrey. He has been a marketing and technical director for a number of successful ventures including QED Training Limited. Ben has been technically involved in several major deployments of Windows technologies (Active Directory, Microsoft SMS, Windows NT, Microsoft Exchange) to blue-chip corporations, such as Royal Bank of Scotland, Citibank, and Total Oil. Over the last 25 years Ben has authored several books, courseware, user guides and magazine articles. In addition he is a respected IT trainer and presenter in the UK.
