VirtualizationAdmin.com - Monthly Newsletter - April 2017

Welcome to the VirtualizationAdmin.com newsletter by Kevin Kaminski. Each month we will bring you interesting and helpful information on the world of Virtualization. We want to know what *you* are interested in hearing about. Please send your suggestions for future newsletter content to virtualizationadmin@bighatgroup.com.

 

1. Introduction

Hello and welcome to the next edition of the VirtualizationAdmin.com newsletter. I’ve picked a couple of topics in the news this month by looking at some new developments at FSLogix, where they have a solution focused on Office365 users. VMware has an upgrade out for customers that adds some enhancements to their server virtualization platform. After the articles of the month, I will look at hypervisor security, since I think there is some work to be done in this area.

2. FSLogix Office 365 Containers

I was a little slow getting around to learning about FSLogix. However, I’ve started to see the value it can play for many customers given that it adds vital functionality that should already be in many VDI environments.

FSLogix has recently been turning some heads due to the innovative ways they’ve been applying their technology to solve real-world problems. In a recent announcement on their website, they indicated that they were fixing common issues associated with running the Office365 client. Before diving into what FSLogix is up to, I wanted to briefly summarize who FSLogix is and their core technologies.

In the Virtualization ecosystem, FSLogix is unique because they have taken the approach of building a tool that can solve a variety of problems. Normally a specific problem would be addressed exclusively with application virtualization, folder redirection or image management, and while those approaches may be valid, they can be costly and have some shortcomings. FSLogix doesn’t necessarily replace what you have but uses underlying concepts that many virtualization technologies share, and can either fix current problems or add new capabilities to your current VDI or workstation environment.

The management infrastructure of the product is based on the assumption that enterprise environments have basic components such as a file share, Active Directory and something already managing your VDI environment. The choice to go with a simple set of requirements for the management infrastructure means that there are no management servers that need to be deployed and supported. The system essentially runs using Active Directory, Group Policy, a file share and clients connected to the file share.

At its core, the technology intercepts file and registry calls and redirects them according to rules that you build. Their approach is not unlike other application virtualization, layering, and user environment virtualization technologies in the industry. That said, FSLogix has taken it one step further by implementing a rule builder that can create a wide range of solutions based on the types of rules you implement.

One of the most useful attributes of the technology is that it operates deep in the stack of system calls, which delivers better performance and compatibility compared to symbolic links in the file system. Softricity had issues with SoftGrid because they developed a product using a synthetic registry and file system; the closer you can mimic the real thing, the better the chance that the application will accept the redirected file and registry calls being applied to it.

So what can you do with a tool like FSLogix? Consider the situation where you have a multi-user machine such as a Remote Desktop Session Host, and you notice that one of the applications crashes because each user is trying to write data to a common folder like C:\Program Files\<AppDir> or C:\ProgramData\<AppDir>, because the application is not multi-user aware. With FSLogix, you can easily build a rule that redirects the common folder to the user’s profile or home drive, allowing the application to be multi-user capable.

As another example, I’ve seen FSLogix used to redirect data in such a way that the administrator was able to “trick” older applications into running on a machine without administrator rights. You still need to shim the application in some cases to give it a fake administrator token, but I would prefer FSLogix for the file and registry redirection over using the shim to do that task as well.

FSLogix also offers a powerful container technology that can be used to redirect large folders (and data sets) to a VHD file, which minimizes image bloat when using image management and provisioning technologies where updates for each user are written to a centrally hosted VHD in the data center.

It is worth noting that FSLogix’s container can simplify image and application management for a VDI farm by controlling which applications are visible. Here is one of those innovative uses I hinted at earlier. They use their technology to hide applications (and their data) in the image itself, which reduces the number of images to manage and allows Administrators to manage application assignments at the user level.

Masking applications is a different spin on application and image management. Nevertheless, the product is so powerful for its size that it can be used to solve simple problems or provide core management features missing in a particular VDI implementation. The technology is essentially vendor neutral, meaning FSLogix is a toolkit you can apply across a range of VDI architectures.

Where FSLogix is currently making noise in the marketplace is with their containers for Office365. Some of the key features include:

  • Cached Exchange Mode in VDI 
  • Support for OST, PST and PAB files (which improves user experience and application stability) 
  • OneDrive for Business can synchronize with the cloud regardless of how the user saved the document

Aside from an improved user experience, you can expect to see a significant drop in CPU load and a subsequent increase in capacity in the VDI environment. When you weigh the cost savings from the additional capacity for your VDI environment, the solution can justify its use on that front alone. Being able to roam Office365 isn’t just for VDI users: FSLogix can also be used in call centers to allow the seamless migration of the user experience from PC to PC.

FSLogix is the type of tool that can seem rather minimal with its management interface, but it is refreshing to see something that has such a diverse set of use cases that it does not require extensive training. When FSLogix is put to good use, it can deal with those strange issues that customers encounter when managing Windows applications and images where you might be looking at a more complex and expensive solution to fill the gap.

3. VMware Gets an Update to 6.5

VMware has traditionally been the dominant player and the gold standard when it comes to server virtualization. Even though VMware is firmly entrenched with a majority of market share, they have been under pressure as the hypervisor market has become more of a commodity over the years. Because competition is more heated, customers eagerly await new enhancements that increase the value of the platform in their environment. This might only be a point release, but there are many different changes under the hood.

vSphere 6.5 hit the streets in March, and while some administrators anticipated it mainly for the improved management experience, there are all sorts of improvements worth mentioning here. Along with a plethora of bug fixes, the release includes improved management, high availability, and security.

First, let’s start off with the administrator experience. The vSphere Client application has been built from the ground up using HTML5, which natively delivers to a variety of client devices. The new client is already receiving praise for the improved experience when compared to previous versions of the interface. The old C# client is gone with this release, which means that the Windows administrator user base will have to move toward using the new client.

Be warned that the HTML5 client isn’t a complete replacement for the C# client because it doesn’t have all the features ported over at this time. The legacy Flex client is still available as an option for those users that resist switching to the HTML5 client. Unfortunately, it remains dogged by performance issues.

I hope that the HTML5 client is positioned as the long-term solution given it natively supports device and platform interoperability.

At the next layer, management is no longer hosted on a vCenter server installed on a Windows host. The vCenter Server Appliance (VCSA) runs on Photon OS which is intended to be more optimized for handling the management requests sent to it. The VCSA is designed to be highly available out of the box, and there is a migration tool to help assist with the upgrade of your environment. In addition to upgraded management tools and management infrastructure, the installation of the product has been streamlined to make it more straightforward to install and configure.

VMware introduced a new capability to define dependencies between virtual machines running in your environment. Having the management layer of your virtual machine environment understand the relationships between virtual machines that host a multi-tier application can prevent some operational headaches. For example, if an application server requires a database server, VMware can start the database server first, ensuring that the servers others depend on are brought online before the servers that need them, to prevent application issues. Sometimes in larger environments, operational staff might not be fully aware of server dependencies, and this can save some troubleshooting when a multi-tier application is brought online.

Health monitoring and the mechanism to handle unhealthy nodes have improved with the introduction of quarantine for unhealthy nodes. If hardware becomes unstable (from a VMware perspective), the virtual machines it hosts are immediately moved to healthy hosts, which minimizes or prevents loss of service. Essentially the goal is to have virtual machines always running on healthy hardware, and taking humans out of the equation can dramatically improve response time.

The security has been upgraded to support Secure Boot via virtual EFI firmware. Many forms of malware can be prevented by enabling this feature, and I consider it something that should be enabled if the operating system supports it. Unfortunately, I did not see a virtual TPM chip in this release as I would ideally like to see this capability for more secure VDI environments specifically. Additional logging has been introduced to audit changes made to virtual machines so that more real-time alerting can happen.

VMware’s cloud offering also received improvements through integration with Docker, in the form of vSphere Integrated Containers. Harbor is the enterprise Docker registry component, which is installed as a virtual appliance. Once set up, you can easily log in and begin replicating images.

vRealize Automation 7.2 allows you to automate the management of container environments.

Overall I see some needed changes to keep VMware competitive in the marketplace. I hope to see more innovation on the HTML5 front, but overall this is a decent point-release update to their flagship product.

 

4. Blog Articles


5. Tip of the Month: Securing the Hypervisor

Hypervisor security is an interesting topic that is often overlooked by organizations and the security community in general, something I don’t find terribly surprising. Usually, when I deploy virtual machines or physical servers, there are well-defined baselines and practices to ensure that these machines are securely configured and managed. After evaluating various hypervisor technologies, I’ve come to realize that their approach to security lacks coherence and long-term vision. There is a hodgepodge of security features, but the prescriptive guidance from vendors and experts remains largely generic and in some cases out of date.

Given I’m passionate about security, and I want to promote that you practice safe computing across the entire stack, I decided to research possible solutions and put together some resources for you to get started.

I feel strongly about securing the hypervisor layer because it’s a major component of almost every data center. Moreover, the hypervisor hosts so many different workloads that the virtualization fabric should be hardened from attack.

I came across a series of National Institute of Standards and Technology special publications on the topic:

1. Guide to Security for Full Virtualization Technologies (NIST 800-125)
http://csrc.nist.gov/publications/nistpubs/800-125/SP800-125-final.pdf

2. Security Recommendations for Hypervisor Deployment (NIST 800-125A)
http://csrc.nist.gov/publications/drafts/800-125a/sp800-125a_draft.pdf

3. Secure Virtual Network Configuration for Virtual Machine (VM) Protection (NIST 800-125B)
http://csrc.nist.gov/publications/drafts/800-125B/sp800_125b_draft.pdf

The series starts with an introduction to hypervisor components and some basic security considerations. It is straightforward material that identifies components such as physical hardware, storage design, virtual networking, image management, and authentication.

The next two documents examine hypervisor security in much more detail. The take-home message from these documents is that you have to be prepared for more than just privilege-escalation exploits, because the newest attack vectors are not coming from where you think. For example, it is now possible to experience an internal denial of service attack, where one workload on the host starves the others of resources.

If you are serious about the security of the hypervisor environment, the above NIST documents should inspire you to think of vendor-specific configurations and third party solutions you should be investing in. Of course, the documents aren’t going to say, “buy security product X to provide feature capability Y.” They will give you insight into what your next steps look like.

I recommend that you start by developing configuration baselines for your environment. Many vendors such as VMware, Microsoft, and Citrix have hardening guides that are specific to their software, and that is where you can dive into your software configuration in more detail. Also, don’t forget about the operating system of the guests: there are options for secure boot environments, disk encryption, and code integrity.

Security tools and configuration baselines can also be a bit of a chore to implement properly, since there are sometimes several baselines available for different needs, and the number of settings in each baseline can be overwhelming. There are tools to help with everything from generating the security baselines to auditing against them. I could go down a rabbit hole trying to describe what is out there, so I’ll just briefly present two key resources for you.

The first is Microsoft’s Security Baseline Analyzer, which downloads Microsoft’s security baselines from a Group Policy perspective. From there, you can modify the baseline and document changes before implementing them in your environment. The downside is that it is Microsoft-centric, and the tool is not intended to document all of your Group Policy settings (though that would have been nice).

It is very information rich, and I make sure all my customers are aware of it.

I suggest going to the Center for Internet Security to get VMware, Hyper-V and XenServer benchmarks for extremely hardened configurations. Unfortunately, some aren’t current, and some products fail to have benchmarks, so they might not have what you’re looking for. Access to the PDF baselines is free, and access to easily implementable baselines is a paid service, which funds the ongoing research and management of the baselines.
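The baselines from the vendor hardening guides and CIS benchmarks only pay off once you audit against them regularly and document deviations. The following PowerCLI script is an added example, not code from the newsletter, VMware or CIS: it checks every ESXi host in a vCenter against a handful of advanced settings of the kind those guides cover, writes the deviations to a CSV for the change record, and remediates only when explicitly asked. The setting names are real ESXi advanced settings, but the expected values are illustrative picks and should be taken from the guide version that matches your environment.

```powershell
# Added example (not from the newsletter or any vendor guide): audit ESXi hosts
# against a small hardening baseline with VMware PowerCLI, report deviations,
# and remediate only with -Remediate. Expected values are illustrative.
param(
    [Parameter(Mandatory)] [string] $VCenter,
    [switch] $Remediate   # without this switch the script is read-only
)

# Baseline: advanced setting name -> expected value (illustrative values).
$Baseline = @{
    'Security.AccountLockFailures'            = 5      # lock after 5 failed logins
    'Security.AccountUnlockTime'              = 900    # stay locked for 15 minutes
    'UserVars.ESXiShellInteractiveTimeOut'    = 900    # idle shell sessions expire
    'UserVars.ESXiShellTimeOut'               = 900    # shell/SSH services auto-disable
    'Config.HostAgent.plugins.solo.enableMob' = $false # Managed Object Browser off
    'UserVars.SuppressShellWarning'           = 0      # keep the shell-enabled warning
}

Connect-VIServer -Server $VCenter | Out-Null

$Findings = foreach ($VMHost in Get-VMHost) {
    foreach ($Name in $Baseline.Keys) {
        $Expected = $Baseline[$Name]
        $Setting  = Get-AdvancedSetting -Entity $VMHost -Name $Name -ErrorAction SilentlyContinue
        if (-not $Setting) {
            # A missing setting is itself a finding (older build or renamed key).
            [pscustomobject]@{ Host = $VMHost.Name; Setting = $Name; Expected = $Expected; Actual = '<missing>'; Compliant = $false }
            continue
        }
        # Compare as strings so booleans and integers from the API match the baseline literals.
        $Compliant = "$($Setting.Value)" -eq "$Expected"
        if (-not $Compliant -and $Remediate) {
            Set-AdvancedSetting -AdvancedSetting $Setting -Value $Expected -Confirm:$false | Out-Null
        }
        [pscustomobject]@{ Host = $VMHost.Name; Setting = $Name; Expected = $Expected; Actual = $Setting.Value; Compliant = $Compliant }
    }
}

# The deviation CSV is the evidence that goes with the change record.
$Findings | Where-Object { -not $_.Compliant } |
    Export-Csv -Path '.\esxi-baseline-deviations.csv' -NoTypeInformation
$Findings | Sort-Object Host, Setting | Format-Table -AutoSize

Disconnect-VIServer -Server $VCenter -Confirm:$false
```

Run it read-only first and review the CSV; the same loop structure extends to any other setting the hardening guide lists for your vSphere version.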

Just because the community is not strong at maintaining up-to-date security baselines does not mean that you shouldn’t be securing the virtualization environment. In fact, I think the security community needs to take this more seriously as we see the expanded use of the cloud. While attacking Amazon, Google or Microsoft might not be time best spent, smaller environments are bound to make good targets, since they are likely to have a less secure implementation of their virtual machine infrastructure.

This Tip of the Month was intended to keep you thinking about the importance of identifying a framework of technologies, processes, and controls to keep your workloads secure.