Securing A Virtual Machine Running In A Third Party Site

  • Question

  • Hi,

    I've not had to do this before and I have no room for researching it, getting it wrong, then trying again so I thought it best to ask for advice here first before doing too much (assuming here is the correct forum, apologies if it is not, I can move it if someone notifies me).

    The scenario is a Windows Server 2012 R2 Standard virtual machine comprising separate virtual disks for system and data.

    It will be hosted in a 3rd party virtual environment and I will be able to connect to it using Remote Desktop. The 3rd party is not to be able to log on to the VM at all, just restart it if required. It should effectively be a black box and will only allow them to transfer files to it via FTP and view web pages over HTTP.

    I think that from the no logon perspective, as long as they have no accounts, the machine should be secure. The machine will not be part of their domain so there should be no policy or domain admins residing in local admin group ways around this part.

    The part I really need help with is securing the actual disks and their data (unless of course I have missed something in the above assumption and need correcting on that too!). I know that they can simply mount the virtual disks on another machine and access them with no difficulty.

    I am guessing this is where BitLocker comes in, to secure the disks by encrypting them so that if they are then mounted elsewhere they are unreadable. I have a few questions on this bit:

     - can I use BitLocker inside a virtual machine to achieve this? (I think it used to be impossible, but may now be ok in R2)

     - if I want to allow them to be able to restart the virtual machine, do I need to provide them with a key file? (e.g. on a virtual floppy)

     - will the disks still be secure from the mounting approach if they have this key? (e.g. is it something that only works during a boot up of the actual system disk and therefore will then be protected by the logon)

    Thanks in advance :)

    Sunday, July 5, 2015 4:28 PM

All replies

  • Hiya,

    The following article describes exactly what you need. Besides a silly karaoke story...

    http://blogs.technet.com/b/chrisavis/archive/2013/09/29/what-s-new-r2-bitlocker-new-updates-and-why-would-i-use-it-on-a-server.aspx

    In short: yes, you can use BitLocker, and yes, in order to restart, they must have the password for the VHDs, which leads to no, they will not be secure from a mounting point of view, as you need to give them the password for the VHDs.

    Two separate passwords: one for mounting/booting and one for logging on to the server itself.

    They would still be able to take a copy of your VHDs, mount them on a separate server and use brute force or just reset the local admin password, using the options available.

    • Proposed as answer by Alex Lv Friday, July 10, 2015 3:07 AM
    Monday, July 6, 2015 7:19 AM
  • Hi Jesper, thanks for the response!

    Ok, so I just want to get this right in my head - apologies for some of the basic questions below:

     - does the password for mounting/booting do the same thing as the floppy-mounted key file? (in which case the key file looks to be a convenience thing rather than different functionality)

     - if they took a copy of the VHDs to mount on a separate server, would that mean the only options available to them would be "breaking and entering" type options? i.e. they wouldn't be able to just type the password in (or supply the key file) and then have full access to the disks

     - by brute force, do you mean doing something like a dictionary attack on the password at the logon screen to try to eventually get the right one? isn't there a limit like three attempts after which the account locks?

     - if you reset the local admin password, does that mean you can then read the encrypted disks? (that seems like a very easy way to circumvent the encryption)

    Thanks

    Monday, July 6, 2015 8:56 AM
  • No worries :)

    1: Yes.
    2: They would have access to the disks in the sense that the password is the protection.
    3: Yes, there is no limit on local accounts.
    4: Once they enter the password, to boot, they are able to read the content. The password is the encryption key.
    5: The mention regarding Local Admin, is just to obtain access to O/S. As they already have access to encrypted content through the password.

    Basically, instead of using a combination of hardware and software IDs to build the encryption key, you use a password.

    I'm thinking now you could do as follows:
    Enable BitLocker; Set a password;
    Whenever you need to boot, you hand out password; After first successful boot you change the BitLocker password. That way your service staff will only know the password at the time of boot.

    Of course they could counter this by:
    Asking for the password to boot; copying the disks; booting the servers. They will have access to the old disk files.
    • Marked as answer by Dan0001 Friday, July 10, 2015 8:01 AM
    Monday, July 6, 2015 11:30 AM
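The "enable BitLocker, set a password, hand it out for the boot, change it after the first successful boot" sequence above, written out as an added PowerShell example (not code from the thread, from Jesper, or from Microsoft). It assumes Windows Server 2012 R2 with the BitLocker feature installed and Group Policy that allows BitLocker without a compatible TPM and passwords on OS drives; the mount points and the function names are mine.

```powershell
# Added example (not from the thread): BitLocker password-protector workflow for a
# TPM-less VM, following the "enable, hand out, rotate after boot" sequence above.
# Assumptions: Windows Server 2012 R2 with the BitLocker feature installed
# (Install-WindowsFeature BitLocker) and Group Policy that allows BitLocker
# without a compatible TPM and passwords on OS drives. Run from an elevated shell.

# Prompt for a password without echoing it; the SecureString never lands in a transcript.
function Read-BootPassword([string]$Prompt) {
    Read-Host -Prompt $Prompt -AsSecureString
}

# One-time setup: encrypt the OS volume with a password protector plus a recovery
# password that only the owner keeps, so rotating the boot password can never lock you out.
function Protect-OsVolume([string]$MountPoint = 'C:') {
    $pw = Read-BootPassword "Initial BitLocker boot password for $MountPoint"
    Enable-BitLocker -MountPoint $MountPoint -PasswordProtector -Password $pw `
        -EncryptionMethod Aes256 -UsedSpaceOnly -SkipHardwareTest | Out-Null
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    # Store this 48-digit recovery password offline, away from the hosting provider.
    (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword' |
        Select-Object -ExpandProperty RecoveryPassword
}

# Data disk: its own password protector, auto-unlocked by the owning OS volume at boot.
# Mounted on another machine it still asks for its password, which the host never receives.
function Protect-DataVolume([string]$MountPoint = 'D:') {
    $pw = Read-BootPassword "BitLocker password for data volume $MountPoint"
    Enable-BitLocker -MountPoint $MountPoint -PasswordProtector -Password $pw `
        -EncryptionMethod Aes256 -UsedSpaceOnly | Out-Null
    Enable-BitLockerAutoUnlock -MountPoint $MountPoint | Out-Null
}

# After the provider has used the boot password: add a fresh password protector first,
# then remove every old one, so the volume is never left without a usable protector.
# This only limits future boots; a VHD copied before rotation still opens with the old password.
function Rotate-BootPassword([string]$MountPoint = 'C:') {
    $old = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
        Where-Object KeyProtectorType -eq 'Password'
    $new = Read-BootPassword "New BitLocker boot password for $MountPoint"
    Add-BitLockerKeyProtector -MountPoint $MountPoint -PasswordProtector -Password $new | Out-Null
    foreach ($p in $old) {
        Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
    }
    # Show what remains: exactly one Password protector and one RecoveryPassword protector.
    (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
        Select-Object KeyProtectorId, KeyProtectorType
}
```

Run Protect-OsVolume once, Protect-DataVolume for each data disk, and Rotate-BootPassword after every provider-assisted restart; Get-BitLockerVolume afterwards should list no protector of type Tpm, since the VM has none.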
  • Can you only access the data disks as unencrypted if you boot from the "owning" OS disk?

    If so, I think I understand it that the BitLocker encryption only stops the reading of the data disks mounted in another machine - if the original OS disk boots up then the disks are decrypted during the boot up.

    "Once they enter the password, to boot, they are able to read the content." - is that only through normal Windows means such as logging on or accessing file shares, etc? I am guessing that the data disks cannot be mounted on another machine while attached to the original running OS disk.

    It seems then that the main protection of the data disks is then the Windows logon and if someone resets the local admin, then they will be able to boot up as normal and access the data disks. They would not have access to any logon accounts at all, but as you say, that would not be much of a problem with the reset approach (or brute force).

    Nearly there I think :)

    Tuesday, July 7, 2015 1:09 PM
  • I think this one would answer most of the last questions. Think of the virtual machines as external hard drives, because they have no TPM available.

    https://technet.microsoft.com/en-us/library/hh831507.aspx?f=255&MSPPError=-2147217396#BKMK_WhatIsBitLocker

    I would expect them to be able to mount the disks anywhere, as long as they have the matching password, they would be able to access the data. As far as I know, there is nothing that binds the disks to a specific O/S, when you are using the password method.

    • Marked as answer by Dan0001 Friday, July 10, 2015 8:01 AM
    Wednesday, July 8, 2015 7:39 AM
  • Hi Dan0001,

    Additionally, you can allow the computer to be shut down without any account logon, so you needn't give an account to the 3rd party operations staff.

    And you can enable EFS to protect the important data on the C drive and use another BitLocker password to encrypt the rest of the partitions.

    Protecting Data by Using EFS to Encrypt Hard Drives

    https://social.technet.microsoft.com/Forums/windowsserver/en-US/9cf19e2c-0708-43be-8c78-9ed6dc65996e/securing-a-virtual-machine-running-in-a-third-party-site?forum=winservergen

    Shutdown: Allow system to be shut down without having to log on

    https://technet.microsoft.com/en-us/library/cc776336(v=ws.10).aspx

    I’m glad to be of help to you!


    Friday, July 10, 2015 3:07 AM
  • Ok I think I have it now, many thanks for your perseverance Jesper! :)

    The big takeaway for me then, as far as I understand it now, is that I am basically making life very difficult for securing the VM with a requirement for the 3rd party to be able to restart the machine. I had thought this would be useful in allowing them some level of management (hands up who's solved 80% of their problems with a reboot ;-) ) should things go wrong, but maybe this is going too far as it obviously introduces a big hole in securing the VM that will require many workarounds.

    I will need to go back and think about this again as all my security problems go away if I remove that requirement, albeit at the cost of their ability to restart.

    Thanks also to Alex, I would need more than shutdown in this case, but EFS looks interesting and I will definitely take a look!

    Friday, July 10, 2015 8:01 AM