Home / server / Questions / 1496
Accepted
MrChrister
Asked: 2009-05-01 11:20:13 +0800 CST

Virtual Machine security

  • 772

Our devs want to use virtual computers for dev, but the sysadmins can't have server os's on the network. Is there a resource that talks about locking down the Virtual Computers so that they can

  • Authenticate against AD
  • Not have internet access
  • Have settings and configuration be controlled by the sys admins, not the user
  • Have intranet access to hit Visual Source Safe

Question #1: Are the requirements possible with a single configuration?

Question #2: What are some search terms to use to find out more?

Question #3: Is there a definitive resource / authority?

More details:

Scenario 1: SharePoint development requires Visual Stuido to be installed on the server directly. From there packages are rolled up and sent to a staging, then production server. The dev needs to be an admin on Win2k3, but no Internet access, but intranet access for the source control / backup solution would be good.

Scenario 2: GIS devs want to replicate bug reports on various workstation OSs (win2k, XP, Vista) and fix those bugs. They require access to Visual Source Safe, but don't need server operating systems. Internet access isn't crucial

Scenario 3: Web devs just want a platform to test the staging and public internet sites with more browsers and OS than are allowed in our baseline. These machines would require Internet access, but not Intranet access.

virtualization security

3 Answers

  1. Best Answer

    This is pretty standard and basically follows how you would deploy physical servers with the same parameters.

    • Deploy a solution using Xen Server, Hyper-V, or VMware ESX Server.
    • Configure networking where they are on a separate subnet/VLAN.
    • Configure that subnet/VLAN to only have access to internal resources.
    • Settings/configuration for the virtualized hardware are controlled by the hypervisor, so you're good there. If you mean OS configuration, that's self-explanatory.
    • 3

  2. Your dev's are going to hate you :)

    I would do that by putting the host server on a non-internet accessible network (this you should be able to accomplish by configuring your routers); just like you would do with a physical development server.

    As I recall, with MS Virtual Server (and probably VM-Ware and other competitors) you can configure the access that a user has to the host environment (e.g., can they create a guest instance, alter, view, etc.). The rest of the configuration would be on the guest servers. If you want them to have admin access, then you can do that.

    Alternately, you could create an entire environment as a guest on the host server with guest instance of an AD server, development server, multiple testing environments, and even their own VSS server; all within one box.

    • 1

  3. We host all of our development systems in the server room. Why virtualize on the desktop?

    • 0