Hyper-V Server Authorization, Part 2

In part one, we reviewed a bit of background on authorization models including mandatory access control (MAC) and discretionary access control (DAC), and noted that classically speaking, Windows has largely been managed with a DAC model. There’s a new sheriff in town beside good ole DAC. Alongside the classic DAC is role-based access control (RBAC), which is used to govern access to certain services and resources. Permissions for services such as Hyper-V are controlled via RBAC. Users who need to administer the virtualization aspects of a particular virtual machine could be assigned a role which is granted the appropriate abilities.

Two of the graphical user interface (GUI) management tools for Hyper-V are the Hyper-V Manager (virtmgmt.msc) and System Center Virtual Machine Manager (VMM) 2008 R2. Management and usage control for Hyper-V, and therefore management through both of these tools, relies on the RBAC Authorization Manager (AzMan) to adjust the management permissions for Hyper-V. The GUI management interface for AzMan is the MMC console AzMan.msc.

AzMan is used to manage sets of authorization configuration information called authorization stores. An authorization store for a particular application or service can be kept either in Active Directory or in a configuration file in extensible markup language (XML) format. By default, Hyper-V uses an authorization store in the file InitialStore.xml, typically at the full path C:\ProgramData\Microsoft\Windows\Hyper-V\InitialStore.xml. If you are managing the Hyper-V server with VMM 2008 R2, the authorization store file HyperVAuthStore.xml supersedes InitialStore.xml. If you have access to the host server, you can query the registry value HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization\StoreLocation, which reveals which authorization store AzMan is currently using. An example value would be:

msxml://C:\ProgramData\Microsoft\Windows\Hyper-V\InitialStore.xml

Just what is in the authorization store? You could look at it within AzMan.msc. That is the typical way if you have already set up networking between your ServerCore-based Hyper-V server and your management station. But remember that Hyper-V Server 2008 R2 shares some heritage with release two (R2) of the full Standard, Enterprise, and Datacenter editions of Windows Server 2008, and in R2, Windows PowerShell is supported on ServerCore. How would we install it? The following command can be run in the server's command prompt to install the .NET Framework and PowerShell.

start /w ocsetup NetFx2-ServerCore;MicrosoftWindowsPowerShell

Once we have PowerShell installed, we can run it by typing powershell.exe (or just powershell). Then, in PowerShell, we can examine the InitialStore.xml authorization store for Hyper-V in a structured way rather than as raw XML notation in Notepad.

$az = [XML](get-content InitialStore.xml)

$az.AzAdminManager.AzApplication

The first line here gets the contents of the authorization store and translates it using the XML parser. The second line just shows a few of the basic components of the authorization store. One of these components is the AzOperation list, which defines the permissions that AzMan can be used to assign.

$az.AzAdminManager.AzApplication.AzOperation | FT Name,Description -auto

This lists out the operations which can be delegated to people administering Hyper-V. While VMM 2008 R2 includes some PowerShell cmdlets for working with Hyper-V, these are included with neither Hyper-V Manager nor Hyper-V Server 2008 R2 itself. Even without such cmdlets, PowerShell can be used to help manage Hyper-V delegations and basic server setup, and with WMI even Hyper-V itself can be managed.
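Listing the operations is only half of an access review; the other half is seeing which members end up with which operations. The following is an added example, not code from the original post: it resolves each AzRole assignment in a store through its linked role-definition task to the operation names. It runs against a constructed miniature store embedded inline, whose element names (AzTask with RoleDefinition, AzRole with TaskLink and Member) are assumed to follow the AzMan XML schema; on a real server you would replace the inline text with Get-Content on InitialStore.xml.

```powershell
# Constructed miniature store in the shape of Hyper-V's InitialStore.xml (GUIDs are placeholders).
$sampleStore = @'
<AzAdminManager MajorVersion="1" MinorVersion="0" Guid="00000000-0000-0000-0000-000000000001">
  <AzApplication Guid="00000000-0000-0000-0000-000000000010" Name="Hyper-V services" ApplicationVersion="1.0">
    <AzOperation Guid="00000000-0000-0000-0000-000000000101" Name="Read Service Configuration">
      <OperationID>1</OperationID>
    </AzOperation>
    <AzOperation Guid="00000000-0000-0000-0000-000000000102" Name="Start Virtual Machine">
      <OperationID>2</OperationID>
    </AzOperation>
    <AzTask Guid="00000000-0000-0000-0000-000000000201" Name="Administrator" RoleDefinition="True">
      <OperationLink>00000000-0000-0000-0000-000000000101</OperationLink>
      <OperationLink>00000000-0000-0000-0000-000000000102</OperationLink>
    </AzTask>
    <AzRole Guid="00000000-0000-0000-0000-000000000301" Name="Administrator">
      <TaskLink>00000000-0000-0000-0000-000000000201</TaskLink>
      <Member>S-1-5-32-544</Member>
    </AzRole>
  </AzApplication>
</AzAdminManager>
'@

# For a live host use: $az = [xml](Get-Content 'C:\ProgramData\Microsoft\Windows\Hyper-V\InitialStore.xml')
$az  = [xml]$sampleStore
$app = $az.AzAdminManager.AzApplication

# Index operations and role-definition tasks by GUID so the link elements can be resolved.
$opsByGuid = @{}
foreach ($op in $app.AzOperation) { $opsByGuid[$op.Guid] = $op.Name }
$tasksByGuid = @{}
foreach ($task in $app.AzTask) { $tasksByGuid[$task.Guid] = $task }

# Walk each role assignment: members -> linked role definition(s) -> operation names.
# Single-child elements come back as plain strings from the XML adapter; foreach handles both cases.
foreach ($role in $app.AzRole) {
    $ops = @(foreach ($link in $role.TaskLink) {
        $task = $tasksByGuid[$link]
        if ($task) { foreach ($opLink in $task.OperationLink) { $opsByGuid[$opLink] } }
    })
    # Operations linked directly on the role (if any) count too.
    $ops += @(foreach ($opLink in $role.OperationLink) { $opsByGuid[$opLink] })
    foreach ($member in $role.Member) {
        [pscustomobject]@{
            Member     = $member
            Role       = $role.Name
            Operations = ($ops | Sort-Object -Unique) -join ', '
        }
    }
}
```

Pipe the output to Format-Table or Export-Csv to keep a record of the delegation state before and after a change.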

-Brad
