Manage host, VM access with a Hyper-V administrators security group

Admins should implement role-based access models with Hyper-V administrators security group settings to boost security and control who can use what.

Even if you have hundreds of Hyper-V servers and clusters running in production, you must implement security controls to ensure all of your hosts, VMs and application data are safe from intruders. The two primary methods to improve security in Hyper-V are to use System Center Virtual Machine Manager (SCVMM) and local Hyper-V administrator security group settings to control access based on predefined roles.

SCVMM provides role-based access controls that you can use to create user accounts and assign them to predefined user roles. Each predefined role is scoped to a specific set of tasks. For example, a user in the administrator role can perform all tasks on Hyper-V hosts. Similarly, a user in the tenant administrator role can perform all tasks related to self-service and SCVMM networks.

Even if you implement the necessary security controls at the SCVMM level by assigning admins SCVMM user roles, that does not secure the Hyper-V hosts themselves. Anyone who has access to a local Hyper-V server as an administrator can perform all Hyper-V-related operational tasks, regardless of their SCVMM role.

Build security at the host and VM levels with a Hyper-V administrators security group

This is where the local Hyper-V administrators security group comes in handy. You can find the local Hyper-V Administrators security group option, as shown in Figure A below.

Figure A. Locate the Hyper-V Administrators group.

Installing Hyper-V on Windows Server creates the Hyper-V Administrators security group by default. The members of this security group can perform all Hyper-V-related tasks, which includes creating VMs and modifying VM settings. Once you deploy a Hyper-V host into production, you must modify the local Hyper-V Administrators security group to ensure it only includes designated administrators.

There are two ways to do this. You can visit each Hyper-V server individually and manually run a command to add users to the group or you can use a Group Policy Object (GPO) if all of the Hyper-V servers are part of an Active Directory (AD) domain.

To add users to a local Hyper-V administrators security group manually, log onto the Hyper-V host and execute the PowerShell command below.

# Account to add; the domain is taken from $env:UserDomain in the WinNT path below.
$ThisUser = "JohnThomas"

# Bind to the local "Hyper-V Administrators" group through ADSI (WinNT provider)
# and add the domain account to it.
([adsi]"WinNT://./Hyper-V Administrators,group").Add("WinNT://$env:UserDomain/$ThisUser")

If you want to change the Hyper-V Administrators security group membership on your hosts via a GPO, start by creating the user accounts. Next, create an AD domain security group. Create a GPO in AD and use the local group preference setting to add the security group you created, then assign the GPO only to Hyper-V hosts. Once the Hyper-V hosts receive the new group policy settings, the new list replaces the existing members of the local Hyper-V Administrators group.
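Whether the membership is pushed by GPO or set by hand, it is worth verifying on every host that the local Hyper-V Administrators group contains exactly the designated accounts. The following PowerShell script is an added example (it is not from the original article) that reconciles the group against an approved list over WinRM, using the Microsoft.PowerShell.LocalAccounts cmdlets. The host names and account names are constructed placeholders; the `$Enforce` switch is an assumption added so that the script can run in report-only mode first.

```powershell
# Added example (not from the original article): audit and, optionally, enforce
# the membership of the local "Hyper-V Administrators" group on several hosts.
# Host and account names are constructed placeholders.
$HyperVHosts    = @('HV01', 'HV02')                                      # assumption: WinRM reachable
$ApprovedAdmins = @('TechTarget\JohnThomas', 'TechTarget\HV-Admins')      # domain user and domain group
$Enforce        = $false                                                 # $false = report only

$Report = Invoke-Command -ComputerName $HyperVHosts -ArgumentList (,$ApprovedAdmins), $Enforce -ScriptBlock {
    param([string[]]$Approved, [bool]$Enforce)

    $GroupName = 'Hyper-V Administrators'

    # Get-LocalGroupMember reports domain principals as DOMAIN\account.
    $Current    = @(Get-LocalGroupMember -Group $GroupName | Select-Object -ExpandProperty Name)
    $Unexpected = @($Current  | Where-Object { $Approved -notcontains $_ })
    $Missing    = @($Approved | Where-Object { $Current  -notcontains $_ })

    if ($Enforce) {
        # Bring the group to the approved state: add designated admins, remove everyone else.
        foreach ($m in $Missing)    { Add-LocalGroupMember    -Group $GroupName -Member $m }
        foreach ($u in $Unexpected) { Remove-LocalGroupMember -Group $GroupName -Member $u }
        $Current = @(Get-LocalGroupMember -Group $GroupName | Select-Object -ExpandProperty Name)
    }

    [pscustomobject]@{
        Host       = $env:COMPUTERNAME
        Unexpected = $Unexpected -join ', '   # members that should not be there
        Missing    = $Missing    -join ', '   # approved admins not yet present
        Members    = $Current    -join ', '
        Enforced   = $Enforce
    }
}

$Report | Format-Table -AutoSize
```

Run it with `$Enforce = $false` first and review the `Unexpected` column: a non-empty value on a host that already receives the GPO indicates the policy is not applying there (wrong OU, filtering, or a host that is not domain joined), which is the condition you want to detect before relying on the GPO as the sole control.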

The previous steps provide security at the Hyper-V host level, but there are still risks at the VM level.


If you remove a user from the local Hyper-V administrators security group, you eliminate that user’s ability to log onto the Hyper-V server locally. However, the user will still have access to the VM via the Virtual Machine Connection tool — even if the user isn’t part of the Hyper-V administrators security group.

It’s best practice to also provide security at the VM level. Microsoft provides a PowerShell cmdlet you can use to grant and remove access to VMs for different users.

To enable a particular user to connect to a VM — SQLVM, in this example — execute the PowerShell command below on the local Hyper-V host.

Grant-VMConnectAccess -VMName SQLVM -UserName TechTarget\JohnThomas

To revoke access, use the Revoke-VMConnectAccess PowerShell cmdlet.

Revoke-VMConnectAccess -VMName SQLVM -UserName TechTarget\TestUser

If you want to execute Grant-VMConnectAccess and Revoke-VMConnectAccess for multiple users and multiple Hyper-V hosts, you must create a PowerShell script and push it out via the GPO startup script.
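The script below is an added example of that approach; it is not from the original article. It declares the desired console access per VM in a hashtable and uses the Hyper-V module cmdlets Get-VMConnectAccess, Grant-VMConnectAccess and Revoke-VMConnectAccess to bring every VM on each host to that state, revoking grants for any account the policy does not list. Host, VM and account names are constructed placeholders; running it over WinRM with Invoke-Command is an assumption, and the same body can be dropped into a GPO startup script by removing the Invoke-Command wrapper.

```powershell
# Added example (not from the original article): apply a per-VM console access
# policy across several Hyper-V hosts. Names are constructed placeholders.
$HyperVHosts = @('HV01', 'HV02')   # assumption: WinRM reachable, Hyper-V module present

# Desired state: accounts allowed to open a Virtual Machine Connection to each VM.
# A VM that is absent from this table ends up with no explicit grants at all.
$Policy = @{
    'SQLVM' = @('TechTarget\JohnThomas')
    'WEBVM' = @('TechTarget\JohnThomas', 'TechTarget\WebOps')
}

$Result = Invoke-Command -ComputerName $HyperVHosts -ArgumentList $Policy -ScriptBlock {
    param([hashtable]$Policy)

    foreach ($VM in Get-VM) {
        $Allowed = @()
        if ($Policy.ContainsKey($VM.Name)) { $Allowed = @($Policy[$VM.Name]) }

        # Existing grants; UserName is returned as DOMAIN\account.
        $Current = @(Get-VMConnectAccess -VMName $VM.Name | Select-Object -ExpandProperty UserName)

        # Grant what the policy requires but the VM lacks.
        foreach ($u in @($Allowed | Where-Object { $Current -notcontains $_ })) {
            Grant-VMConnectAccess -VMName $VM.Name -UserName $u
        }
        # Revoke every grant the policy does not list (stale or unexpected access).
        $Revoked = @($Current | Where-Object { $Allowed -notcontains $_ })
        foreach ($u in $Revoked) {
            Revoke-VMConnectAccess -VMName $VM.Name -UserName $u
        }

        [pscustomobject]@{
            Host    = $env:COMPUTERNAME
            VM      = $VM.Name
            Revoked = $Revoked -join ', '
            Access  = (Get-VMConnectAccess -VMName $VM.Name | Select-Object -ExpandProperty UserName) -join ', '
        }
    }
}

$Result | Format-Table -AutoSize
```

Two points to keep in mind when using it: Get-VM on a cluster node lists only the VMs currently running on that node, so run the script against every node (or after each failover) to cover migrated VMs, and the `Revoked` column is the audit trail you want to keep, since a non-empty value means someone held console access that the policy never granted.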