Secure Windows 7 VM on a WHS Server in Hyper-V
One of the slickest things that one can do with a Windows Home Server machine is run it virtualized in a Hyper-V Virtual Machine. Windows Home Server frankly uses very little power itself leaving CPU cycles sitting idle. Of the CEOs, CIOs, and CFOs of companies with more than 10,000 employees I have talked to recently, all of them are looking at application virtualization to keep costs in the data center versus on user desktops. Perhaps I have heard the words “thin client” more times in the past six months from these folks than I have since the 1990′s. For Windows Home Server users, there is a really practical, and important thing that they can do to increase security at home, and that is use a dedicated, disposable, virtual machine for things such as banking (and for the more conservative online shopping).
The premise is simple, setup a clean virtual machine environment for doing sensitive online browsing. Once you are done with the session, delete the machine, and next time re-start with the clean virtual machine. This keeps a fully patched environment that will not accumulate malicious software. Even if it does get some sort of computer virus or other malware, the machine is returned to a freshly installed and patch state after each session, limiting exposure. This is also a decent way to view unknown links in e-mails from friends if you are curious. I would normally suggest using a Linux based virtual machine for extra security, however Ubuntu 10.04′s built-in Hyper-V integration components have been a nightmare to get mouse functionality working. Since WHS is supposed to be a simple solution, using Hyper-V and Windows keeps setup and maintenance simple.
Why do this on a Windows Home Server and not just use VirtualBox or XP mode? My main reason is that I have the hardware capacity to spare on the WHS and I don’t mind waiting 30 seconds for this VM to boot using a mechanical disk. All of my client PCs use smaller SSDs making a Windows 7 VM a $20-40 per machine expense to store at the moment ($2/GB * 10GB * (1 or 2) virtual hard drive(s)). Putting this VM on the WHS where my redundant storage costs are less than $1 for the VM easily accessible for all machines and remotely is a decent cost savings. The added benefit is that since the WHS has a remotely accessible remote desktop server, and is always on, I can reach the clean virtual machine from anywhere in the world.
For this review, I am using the Big WHS. I am using Windows 2008 Server R2 as my Hyper-V platform, but one can use the free Hyper-V server also.
- CPU: Intel Core i7 920
- Motherboard: Supermicro X8ST3-F
- Memory: Patriot Viper 12GB DDR3 1600
- Case (1): Norco RPC-4020
- Case (2): Norco RPC-4220
- Drives: 12x Seagate 7200rpm 1.5TB, 2x 7200.11 1TB, 12x Hitachi 7200rpm 2TB and 2x 1TB, 8x Western Digital Green 1.5TB EADS, 2x Western Digital Green 2TB EARS.
- SSD: 2x Intel X25-V 40GB
- Controller: Areca ARC-1680LP
- SAS Expanders: 2x HP SAS Expander (one in each enclosure)
- NIC (additional): 2x Intel Pro/1000 PT Quad , Intel Pro/1000 GT (PCI)
- Host OS: Windows Server 2008 R2 with Hyper-V installed
- Guest OSes: Windows Home Server, Windows 7 Professional 64-bit
- Fan Controllers: Various
- PCMIG board to power the HP SAS Expander in the Norco RPC-4220
- Main switch – Dell PowerConnect 2724
Using Hyper-V as a virtualization platform for Microsoft operating systems makes setup extremely easy, especially for a modern OS like Windows 7 that has Hyper-V integration components built in. In contrast, older operating systems like Windows Home Server require the user to mount the integration services disk image into the virtual machine during the initial configuration. For this article, I am going to simply use the Hyper-V New Virtual Machine Wizard as it is a quick way to get setup.
Note: I do aptly name my virtual machines.
After setting up the virtual machine’s name, the next step is to assign memory. Hyper-V does not do the best job of provisioning memory since over allocation features present in VMWare’s ESX(i) are much better. On the other hand, with 12GB DDR3 1600 memory, sparing 2GB when the VM is online is not an issue. RAM Is cheap, get lots.
Next, one needs to select a network for the VM.
Unlike a EON ZFS Storage/ OpenSolaris installation on Hyper-V or a FreeBSD/ FreeNAS installation, there is no need to worry about using a “Legacy NIC”.
Once this is completed, the next step is to create the virtual hard disk that will hold the clean Windows 7 Installation. Note, you can actually store this VHD on a WHS share if you want. I have an entire directory with VHDs for both VirtualBox and Hyper-V on my WHS which lets me move them from physical host to physical host very easily.
After this, one can click next and select installation media. I have ISOs from Microsoft of every MS operating system I test with on my WHS so I am using an ISO file here. One can just as easily insert the installation CD/DVD and select that option to install from physical media.
After this you can click next, start the virtual machine, and about 30 seconds later (using a local ISO file but longer with physical media) you should be well on your way to the Windows 7 installation process.
Installing Windows 7
Once the virtual machine is up and running, Windows 7 installation is about as easy as can be.
TIP: I do want to point out here that if you wanted to save a few dollars here, one could easily run Windows Vista or Windows XP instead. Both the Vista and XP virtual machines I tried just required the integration components to be installed which is a simple menu selection in Hyper-V manager.
Here you will be presented with the option to install it into your virtual hard disk as if it was a regular disk.
Note, for this I leave 127GB and use dynamically sizing vhds because the actual installation is under 10GB. Also, performance tends to be fine since this VM is getting accessed by only one user. Using fixed size disks just means you use more space that is essentially “free” space in the VM that will never get used. Also, each copy of the VM is about 10GB with a dynamically sizing disk so it saves copy time when you use the smaller footprint option.
Patch with Windows Update, Secure, and make a Master Copy
The next step is to let Windows Update patch the OS. Windows 7 is fairly secure out of the box, but a fully patched-OS is a must. If you want, you can always manually force Windows to update itself and that will usually take a bit less time. The important thing here is to not use the OS for anything while this process is happening. You can also install anti-malware/ anti-virus software at this point, or Windows Defender. If not using Windows Defender, I prefer to install only from retail packaged media out of an abundance of caution. The entire goal here is to get a fully patched OS.
After all patches are applied, I generally do my custom settings for Windows Firewall, turn off any services that I do not need (note I never install Flash on this VM) and etc. Ideally, one wants to get to the point where the OS is activated, patched, security software is installed, and everything is “locked down” before using the machine for any other purpose. I also like to do one other thing, create shortcuts to any banking or other site I may use. That way, if the terminal I am at has a keylogger, I at least will not be typing in an address followed by credentials. At this point, one needs to make a copy of the .vhd file.
This copy of the .vhd file will serve as the master. Whenever a session ends, delete the VM, and copy/ rename a clean .vhd from the master.
That is all there is to it. Total setup time for me was about 8 minutes at the keyboard and after the various reboots, the virtual machine was ready in a few hours. A really cool feature is that you can actually take this portable VHD file and use it on another Hyper-V machine fairly easily.
This is a must-do for anyone running a serious, home-built Windows Home Server. Unfortunately, Atom based servers will not be able to take advantage of this due to the lack of virtualization extension (VT-x and VT-d see the Atom D425 and D525 discussion), and many pre-built machines will have difficulty running this configuration due to the difficulty of installing Hyper-V on closed-system hardware. For those with higher-end home servers, this is a simple, low-cost way to use your WHS to increase your overall security profile online. Disposable VM’s are nothing new, and the same thing can be accomplished with restoring backups, but with the popularity of home servers increasing this is a great way to setup a safer Windows environment for things like online banking. This is not the most secure way to go about this, but it is significantly better than using a client PC that browses hundreds of sites a day and is powered on 24×7. If you have the means, this is an excellent step for increasing security in a Windows environment. Of course, I would recommend using Linux, but for some users, Windows is more familiar and it works perfectly well.