
I am a developer, not a sysadmin, so I am seeking out some opinions and answers about virtualization. In order to solve some project deadline issues, the development team installed and set up a Windows Server 2008 Hyper-V "Bare Metal" edition (meaning there is very little of the Windows UI and functionality). The IT department has correctly raised some security concerns, and I have not been able to locate answers for them through Google searches.

  • Can the Bare Metal version run an antivirus product? Meaning the host OS, not the guest VMs. If no, how do you get around this limitation? Just leave the host open to attack? If yes, which ones are supported? Security Essentials only? Or are Symantec and other vendors supported?

  • Are group policies pushed to the Bare Metal version?

Thanks in advance for your expertise!

mgnoonan

3 Answers


I'd say don't do it. Read this.

With a stripped down bare-metal hypervisor server, you shouldn't need it. A virus needs an attack vector...how is it getting on that machine? Network shares? Email? Web browsing? If it's a type-one hypervisor machine, it shouldn't have network services or workstation-like uses open to it.

Plus you're adding scanning issues (what, you're going to have the AV file scanner real-time scanning virtual hard drives with each access?), security issues (AV software has bugs too), and you're increasing the attack surface (software that can be exploited) PLUS you can have issues if the software stops working, has update issues, etc. and all of that is on top of AV software being an imperfect solution in the first place to malware and viruses.

The full answer is that yes, it looks like you can run AV, and exclude most of the files that I railed on just a moment ago (but I wanted to emphasize...what are you putting on that computer aside from VM's and the base OS if it's bare-metal?) See here for information. I personally wouldn't want to do it and if you're using the machine properly, I think the only thing that needs the AV are the guests. The bare-metal system should be protected in that it is not running services other than the bare minimum necessary and not being used as a workstation, so the attack surface should be very very shallow.

If it were exploited, the work comes in restoring the VM's; even a reinstall of the hypervisor should be cake as it's meant to be very thin and small to restore from scratch.

Bart Silverstrim
  • +1 Who hasn't seen antivirus software crash and bring down the machine? Then there is the problem of the very significant extra load that would be placed on the host (who hasn't complained about AV software slowing their machine down by an absurd amount?). – John Gardeniers Sep 30 '10 at 12:33
  • +1 Best practices are to keep the VH as stripped down as possible, no AV, and minimize every possible attack vector. Also, most viruses spread via user mistake or exploits in user programs. – Chris S Sep 30 '10 at 12:39
  • @John Agreed, but it is the policy framework which I must work within. – mgnoonan Sep 30 '10 at 12:40
  • Or on servers that in themselves get little extra attention having someone remember to check an obscure software package is still working properly (wait, this hasn't updated signatures in three months and it didn't alert me? Bloody @#%!) – Bart Silverstrim Sep 30 '10 at 12:40
  • @mgnoonan: work on getting the policy altered. You can damage the server and cause downtime pursuing that route. And if you take out one virtual host, you take out...how many VM's?... – Bart Silverstrim Sep 30 '10 at 12:41
  • @Bart - might be tough given that we are in the financial industry. – mgnoonan Sep 30 '10 at 15:27
  • @mgnoonan: Seems like more and more common-sense things just don't get done because of red tape. You can either go ahead and shoot your server in the foot because someone can't see the fact that blindly following a policy of AV on everything doesn't always make sense, or you can explain to them that in this case it is a pain and a problem and start doing whatever paper chain has to be followed to get the exception written into the policy. A bare-metal type one hypervisor virtual host server isn't the same as your file server. – Bart Silverstrim Sep 30 '10 at 15:45

I found that Kaspersky, Sophos, and McAfee support Server 2008 Core edition. Main concerns would be that the product can be installed from a remote console, a remote script, or from command line (which is the majority of the interface that Core provides...)

It's likely that Symantec and Trend do as well, given that their previous editions could be managed entirely from the management console.

As said in the comments above, check for Microsoft guidance with regards to AV, and ensure that any AV vendor supports Hyper-V.

UPDATE: A couple of resources:

Planning for Hyper-V Security

Microsoft KB961804

gWaldo
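The approach the Microsoft resources above and Bart's answer both point to (if AV must run on the host, keep it off the VM storage and the Hyper-V processes) as an added example, not code from the thread: it derives the exclusions from the host's own configuration rather than hard-coding them. It assumes the Hyper-V and Windows Defender PowerShell modules (Server 2016 and later, so not the 2008 Core host discussed here, where the vendor's own command-line tooling would take their place) and an elevated console.

```powershell
# Added example (not from the thread): build AV exclusions from the Hyper-V host's
# configuration and apply them to Windows Defender. Assumes the Hyper-V and
# Defender PowerShell modules (Server 2016+) and an elevated session.
#Requires -RunAsAdministrator
Import-Module Hyper-V

# Default locations the host uses for new VM configurations and virtual disks.
$vmHost = Get-VMHost
$paths  = @($vmHost.VirtualMachinePath, $vmHost.VirtualHardDiskPath)

# Per-VM locations as well, in case a VM was placed outside the defaults:
# its configuration directory plus the directory of each attached VHD/VHDX.
foreach ($vm in Get-VM) {
    $paths += $vm.Path
    foreach ($disk in $vm.HardDrives) {
        if ($disk.Path) { $paths += Split-Path -Parent $disk.Path }
    }
}

# Drop empties and duplicates before touching the scanner configuration.
$paths = @($paths | Where-Object { $_ } | Sort-Object -Unique)

# Hyper-V management service and the per-VM worker process; real-time
# scanning should not hook these.
$processes = @('vmms.exe', 'vmwp.exe')

Write-Host "Excluding paths:`n  $($paths -join "`n  ")"
Write-Host "Excluding processes: $($processes -join ', ')"
Add-MpPreference -ExclusionPath $paths
Add-MpPreference -ExclusionProcess $processes

# Print the resulting state so the change can be reviewed and recorded.
$pref = Get-MpPreference
[pscustomobject]@{
    ExclusionPath    = $pref.ExclusionPath
    ExclusionProcess = $pref.ExclusionProcess
} | Format-List
```

Compare the printed result with the Microsoft guidance linked above before relying on it, since an exclusion list that is wrong in either direction is itself a risk.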

I know that Kaspersky 6 works just fine using Server 2008 Core editions (which is the proper name as the regular version is bare-metal too by the way). Couldn't tell you about other products, sorry.

Chopper3
  • Here's what confuses me; for bare-metal hypervisors, why would you need antiviruses? Nothing should be exposed on those systems other than an API to interact with a management tool of some sort. Other network services aren't turned off? Back when I was a young'un, I didn't use a software firewall because if you didn't want the service exploited, you didn't run it, and the services that did run you could limit in tcpwrappers for who got in...maybe I'm just rambling now. – Bart Silverstrim Sep 30 '10 at 12:15
  • Server Core is a different product. Hyper-V is a bare-metal hypervisor, Server Core is just a regular server OS which is stripped down. – ThatGraemeGuy Sep 30 '10 at 12:15
  • Seems like running additional software (antiviruses) exposes another way for the host software to crash (bad update, corruption, bug) or be exploited to me. – Bart Silverstrim Sep 30 '10 at 12:16
  • So...hyper-V *doesn't* run any additional software? That makes more sense to me. – Bart Silverstrim Sep 30 '10 at 12:16
  • Sorry if I misunderstood here guys but I thought with odd use of the term 'bare metal' (which doesn't exist in the Hyper-V world does it?) he meant running an antivirus package in the initial server-core installation before the Hyper-V role kicked in - was I wrong? Graeme - can I JUST download Hyper-V on its own without any Windows? I'm an ESX guy sorry. – Chopper3 Sep 30 '10 at 12:25
  • Server 2008 Core is basically stripped of the standard GUI. There is still a bare-bones (read: "blank") desktop, populated with a command/terminal window. You can still run (some) GUI apps (such as Notepad and help windows), but this is discouraged by the UI presented. Powershell, standard commands, and remote management are encouraged. This is all to save system resources (that are typically spent maintaining a desktop) for services that the server is providing. Hyper-V is a _role_, like File/Print Services and being a Domain Controller are roles. – gWaldo Sep 30 '10 at 12:27
  • thanks for that gWaldo - but it was my understanding that Windows has to start before Hyper-V can start, is that wrong? if so then I guess it might make some sense to run an antivirus in that initial windows code as it'll be open to attack as per the regular OS right? – Chopper3 Sep 30 '10 at 12:29
  • In other words, a Server 2008 Core machine is directly analogous to VMware ESX, where there is an entire Linux system supporting the virtualization stack. – gWaldo Sep 30 '10 at 12:29
  • actually gWaldo that's the old pre-v4 model - the service console is now purely a bolt-on management interface these days and the main VMKernel code doesn't rely on it at all. Just to confuse everyone :) – Chopper3 Sep 30 '10 at 12:31
  • I don't remember the guidance on AV for Hyper-V (Check Technet for a whitepaper), but I'm pretty sure that it's a good idea. With that said, I would ensure that your AV provider is Hyper-V -compatible. Without awareness of that, it could try to stomp all over it because Hyper-V is "executing code"... – gWaldo Sep 30 '10 at 12:31
  • I think the bare-metal side of hyper-v is that there is a stripped down version of Windows underneath...but it's not really. What we think of as Windows is a series of elephants stacked on top of each other. Inside Microsoft, Windows "NT" is really a core kernel and command line that had a GUI integrated on top. The hyper-V "bare metal" server is Windows with the gui and other components stripped to what is the actual core of Windows. – Bart Silverstrim Sep 30 '10 at 12:34
  • @Chopper, Yes, Hyper-V (like AD, File/Print Services, etc) starts as a Windows service. I apologize if I'm wrong about ESX 4; Most of my time was spent on v3.x. Good to know they've changed the architecture out from under me... – gWaldo Sep 30 '10 at 12:34
  • Hyper-V "bare metal" is probably showing us more of what Windows "really is" and now comes out as a side effect of Microsoft's initiative to modularize Windows for future releases. – Bart Silverstrim Sep 30 '10 at 12:35
  • As for the AV guidance for Hyper-V, there's a security guide linked in my answer that touches on it. – Bart Silverstrim Sep 30 '10 at 12:36
  • My understanding is that Hyper-V is a service that you can run on a regular workstation, but the standalone bare metal version is just a stripped 2008 core server with the intention of JUST running hyper-V. As such I don't think you should have or need AV on it. – Bart Silverstrim Sep 30 '10 at 12:36
  • Don't worry gWaldo, if we all knew everything about everything we wouldn't need this place would we :) I have very little experience of Hyper-V but have had the usual MS slideware pumped into my DNA for years by their sales people. – Chopper3 Sep 30 '10 at 12:37
  • Understand you Bart, I was just telling the guy that you can get AV code for server core. – Chopper3 Sep 30 '10 at 12:38
  • @Chopper3: I think you can. It's been a few months but you used to download Hyper-V for free as a standalone bare-metal server. It was to compete with ESXi (free) or Xen (or whatever Citrix called their free edition). So you can find and download a hyper-v server for free. – Bart Silverstrim Sep 30 '10 at 12:38
  • New feature req: comments shown as a tree that branches out to know where and what comments are referring to. HA! – Bart Silverstrim Sep 30 '10 at 12:39
  • @Bart Silverstrim: Second that feature request, but then that makes it a Forum... – gWaldo Sep 30 '10 at 12:41
  • Hyper-V can be run on Standard and Enterprise editions of 2008. (I'm assuming DataCenter, also, but not sure about the other ed's.), but it's recommended that for production you should run it on Core and manage from the console remotely. I posted some guidance in my answer. – gWaldo Sep 30 '10 at 12:43
  • @Bart, @Chopper3, @gWaldo; Hyper-V is a bare metal Hypervisor. The OS sits on top of it; and has special privileges to certain hardware, VMs show up as processes under it (but they are not the actual processes, it's actually a monitoring process), and is also responsible for storage access for the hypervisor. Hyper-V is not a service. Virtual Server and VirtualPC use paravirtualization and run as a service/application within the Host. – Chris S Sep 30 '10 at 12:46
  • @gwaldo re: tree-Technically, I've never seen a forum with what I had in mind for the visualization...but that's way off topic here. – Bart Silverstrim Sep 30 '10 at 12:48
  • @ChrisS: My understanding was that Hyper-V is a service that can run as a service with the OS, or you can get a bare metal server version that runs JUST as a virtual host. Synonymous like you can run VMWare on Linux or Windows as a server host, or you can run ESX which is VMWare on a kernel that just works as a virtual machine host. Is this inaccurate? – Bart Silverstrim Sep 30 '10 at 12:50
  • @Bart, the Hyper-V role and Hyper-V Server work the same way (different licensing and other details); the Hyper-V hypervisor sits on the "bare-metal" and the Host OS run on top of it. – Chris S Sep 30 '10 at 13:15