60% Virtualized Servers Less Secure Than Physical Servers
Today I found an interesting article from Gartner, they predict that in 2012 60 percent of all virtual servers will be less secure than the physical servers they replace. Gartner expects this percentage to drop to 30% at the end of 2015.
These are the main risks Gartner identified, for the complete article check this page.
- Information Security Isn't Initially Involved in the Virtualization Projects
- A Compromise of the Virtualization Layer Could Result in the Compromise of All Hosted Workloads
- The Lack of Visibility and Controls on Internal Virtual Networks Created for VM-to-VM Communications Blinds Existing Security Policy Enforcement Mechanisms
- Workloads of Different Trust Levels Are Consolidated Onto a Single Physical Server Without Sufficient Separation
- Adequate Controls on Administrative Access to the Hypervisor/VMM Layer and to Administrative Tools Are Lacking
- There Is a Potential Loss of Separation of Duties for Network and Security Controls
"Virtualization is not inherently insecure," said Neil MacDonald, vice president and Gartner fellow. "However, most virtualized workloads are being deployed insecurely. The latter is a result of the immaturity of tools and processes and the limited training of staff, resellers and consultants."
Whoo!! VMware reads our blog.
Or maybe not 
, it could be they already planned to release a new beta version of ThinApp in november. VMware announced this news at VMworld 2009. The final release is planned for Q1 2010 a little late if you ask me.. since there are already some working versions out there: for instance check Rubens video.
Next to that i also found a nice howto that shows how to decompile Thinapp and Xenocode packages created by NickOn and a nice little script that executes Thinreg in a decent way with support for recursive folders (here).
Windows 7 (and Server 2008 R2) Mount VHD function a real saver when you messed up your sysprep unattend.xml file
Don’t you just hate it when you are preparing some sysprepped Windows Server 2008 VHD’s you use as a template for all your Virtual Lab environments with Virtual PC, sysprepped the Server 2008 installation and during deployment you find out you messed up a setting in the sysprep XML file? Well I do anyway, so here goes .
Windows 7 (and Windows Server 2008 R2 as well) has a really nice feature called Atach VHD available in the Disk Management MMC (diskmgmt.msc for you geeks )
So you just attach your sysprepped VHD file and replace the Windows\Panther\unattend.xml file with a corect file (for some reason editing the xml file directly gives some access denied errors, mess around with Take Ownership and setting some security permissions, you all know how it’s done 
). Detach the VHD file and there you go… nice and smooth mini-setup of Windows 2008 or Vista 
Virtualization.. as Escher would make it
Trust me, the Hyper-V installation & desingn posts are not finished yet; I will continue with that once I have regained some inspiration.
In the mean time, I got myself a shiny Macbook Pro (naah.. just the 15" version) with 4 GB memory and it's waiting for me to finally start practicing photoshop. There however lies a problem; I think I lack some expressionistic genes and after 1 month of downloading and installing all cool Mac stuff it is time to actually start utilizing the machine. Besides initiating RDP sessions to my Hyper-V servers, there must be some better use for the machine
Well.. Since Virtual PC for MAC is still not available I installed VMware Fusion (Workstation variant for MAC). I won't bother you with that install routine, it's next,next finish) and soon there was the inevitable question; what shall I run inside that? well.. let's do ESX!
So how to do that? Well there are quite some instructions available on the net (ie. here or here) so just click there to see what is the trick.
Installing ESX was a breeze now. After connecting to the console and creating a esx-VM (within a fusion-VM) I got a nifty little error: You may not power on a virtual machine in a virtual machine.
Well... that's kind of a bummer now isn't it?
Luckily there are some additional isolation settings that can be set within the vmx file as can be found here.
After some wrestling with formatting (quotes vs no quotes) the VM actually powered on and right now it's installing VMware virtual center.
Of course performance is not really stunning but that's logical. After all, you have to be kind of a weirdo to want this I suppose. Apart from that; for about 800 euro's a fine 8 GB physical host can be purchased but yeah.. my attick is already at full power capacity .
So, is there any use of this evenings work? Practically; not really. However the plan is to connect to virtual center server to SCVMM. Aha! now that's a use