Posted in Virtual Machine Manager | 4 Comments | 173,990 views | 14/01/2011 13:42
I research a feature called “Install Virtual Guest Services” in SCVMM. We know, Hyper-V virtual machines are completely isolated from Parent partition. But a few days ago, Benjamin posted an article about data exchange between Parent Node and Virtual Machines. You can reach that post from this link:
What Physical Computer am I on?
After this post, I tried to figure out how really works this process. So I figured out, Hyper-V Data Exchange service is responsible about Registry changes. That means, you can send information or fetch information directly from virtual machine without any authentication. Because Data Exchange services runs as Local Service and has rights to write on specific area of registry as Taylor’s post. Please check this link too:
Hyper-V Data Exchange Service
I asked a question on Benjamin’s blog about this situation and he answered:
We do not see this as a security risk. We have always designed our system with the assumption that the bad guy in a VM would be able to figure out that they were in a VM – and then ensure that there is nothing that they could do with that information. In this case – the only real risk is that a bad guy could try to launch a network based attack against the host (in which case – being in a VM gives them no advantage when compared to being a seperate physical computer)
If this is a concern to you – there are two options you could take:
1) Configure the virtual machines so that they cannot attempt to connect to the host over the network. To do this configure an “external only” network that connects to a different physical network than the one the host is connected to.
2) Disable the data-exchange integration services under the virtual machine settings (which will stop this information from being sent in the first place).
and yes, this is the same “Microsoft” who requires certificate authentication between SCOM servers and clients because of security concerns. So getting information from internal clients via SCOM is not secure and that’s why you have to use certificate between servers, but getting or sending information between Hyper-V Parent Node and Virtual machines is not a security risk? Strange..
So I know a feature in SCVMM called “Install Virtual Guest Services”. If you click “Install Virtual Guest Services” for a virtual machine, process goes with these steps:
1. step: it attachs vmguest.iso to virtual machine.
2. step: reboot virtual machine with that iso.
3. step: after starting Windows, it executes vmguest.iso and installs it automatically. (without any authentication)
Yes, without authentication. Is that means you can execute a script or maybe exe, without any authentication, inside a virtual machine? If it is true, how? I made a test to figure out situation. Results are really unexpected.
You can install virtual guest services with clicking “Install Virtual Guest Services” feature in SCVMM. To do that, just create a new virtual machine with blank disk template and install a Windows Server. Then turn off the virtual machine and click the “Install Virtual Guest Services”.
So let’s see what happens really when you click “Install Virtual Guest Services”.
As a first step, it starts virtual machine:
Then installs Virtual Guest Services and shut downs virtual machine:
Now process is completed:
Now I’ll show you what really happens inside the virtual machine.
I installed a Windows Server 2008 SP2. After installation, mouse integration is not available.
So I did shut down the virtual machine. Clicked “Install Virtual Guest Services” from SCVMM. I went to Hyper-V console to watch what really happens and I saw this:
SCVMM calls a service inside VM and you only see “Interactive Services Dialog..” I don’t know what really it is, but it’s something to execute scripts. I tried to find out what services really do that.
Update 1: I captured detailed screens of “Interactive Services Dialog Detection”.
If you click “Show me the message”, you see installation of integration components:
So I disabled all Hyper-V services inside the Virtual Machine.
Also I disabled Hyper-V offers.
I checked SCVMM and it sees “no service offering” too.
Then I did same thing and clicked “Install Virtual Guest Services” via SCVMM. But nothing changed. Without any integration services and without any Hyper-V offers, SCVMM successfully updated my Virtual Machine!
Also strange thing is SCVMM can watch all steps. If somehow process does not go well, SCVMM can see that and gives you warning. After finish of process, SCVMM shows you a process report.
For example, I installed Windows Server 2003 R2 and clicked “Install Virtual Guest Services”.
SCVMM gave error because you can’t install integration services on Windows Server 2003 R2. You need at least Windows Server 2003 R2 SP2 to install Hyper-V integration services. So what happened? SCVMM tried to install integration services but Windows gave “You need newer version of Windows to install” and SCVMM got that error and finished the update process.
That means SCVMM can really detects failed process inside the virtual machine without any authentication. But how?
Update 2: I found some traces of process.
What is the C:\VMMGuestAgent.exe and where did it come from? I checked after installation but there is no file called “VMMGuestAgent” in C drive.
Also a message to SCVMM team. There is a typo error in message. “The server must be rebooted by SCVMM to intall virtualization components.” You should change that as “install” :)
By the way, there is no information about “VMMGuestAgent.exe” on Technet, or even Google! :)
So far I have two questions:
1) How really “Install Virtual Guest Services” works?
I hope someone can answer my questions. I think that’s really strange situation.