Secure Windows 7 VM on a WHS Server in Hyper-V

6

One of the slickest things that one can do with a Windows Home Server machine is run it virtualized in a Hyper-V Virtual Machine. Windows Home Server frankly uses very little power itself leaving CPU cycles sitting idle. Of the CEOs, CIOs, and CFOs of companies with more than 10,000 employees I have talked to recently, all of them are looking at application virtualization to keep costs in the data center versus on user desktops. Perhaps I have heard the words “thin client” more times in the past six months from these folks than I have since the 1990’s. For Windows Home Server users, there is a really practical, and important thing that they can do to increase security at home, and that is use a dedicated, disposable, virtual machine for things such as banking (and for the more conservative online shopping).

The premise is simple, setup a clean virtual machine environment for doing sensitive online browsing. Once you are done with the session, delete the machine, and next time re-start with the clean virtual machine. This keeps a fully patched environment that will not accumulate malicious software. Even if it does get some sort of computer virus or other malware, the machine is returned to a freshly installed and patch state after each session, limiting exposure. This is also a decent way to view unknown links in e-mails from friends if you are curious. I would normally suggest using a Linux based virtual machine for extra security, however Ubuntu 10.04’s built-in Hyper-V integration components have been a nightmare to get mouse functionality working. Since WHS is supposed to be a simple solution, using Hyper-V and Windows keeps setup and maintenance simple.

Why do this on a Windows Home Server and not just use VirtualBox or XP mode? My main reason is that I have the hardware capacity to spare on the WHS and I don’t mind waiting 30 seconds for this VM to boot using a mechanical disk. All of my client PCs use smaller SSDs making a Windows 7 VM a $20-40 per machine expense to store at the moment ($2/GB * 10GB * (1 or 2) virtual hard drive(s)). Putting this VM on the WHS where my redundant storage costs are less than $1 for the VM easily accessible for all machines and remotely is a decent cost savings. The added benefit is that since the WHS has a remotely accessible remote desktop server, and is always on, I can reach the clean virtual machine from anywhere in the world.

Test Setup

For this review, I am using the Big WHS. I am using Windows 2008 Server R2 as my Hyper-V platform, but one can use the free Hyper-V server also.

  1. CPU: Intel Core i7 920
  2. Motherboard:  Supermicro X8ST3-F
  3. Memory: Patriot Viper 12GB DDR3 1600
  4. Case (1): Norco RPC-4020
  5. Case (2): Norco RPC-4220
  6. Drives: 12x Seagate 7200rpm 1.5TB, 2x 7200.11 1TB, 12x Hitachi 7200rpm 2TB and 2x 1TB, 8x Western Digital Green 1.5TB EADS, 2x Western Digital Green 2TB EARS.
  7. SSD: 2x Intel X25-V 40GB
  8. Controller: Areca ARC-1680LP
  9. SAS Expanders: 2x HP SAS Expander (one in each enclosure)
  10. NIC (additional): 2x Intel Pro/1000 PT Quad , Intel Pro/1000 GT (PCI)
  11. Host OS: Windows Server 2008 R2 with Hyper-V installed
  12. Guest OSes: Windows Home Server, Windows 7 Professional 64-bit
  13. Fan Controllers: Various
  14. PCMIG board to power the HP SAS Expander in the Norco RPC-4220
  15. Main switch – Dell PowerConnect 2724

Getting started

Using Hyper-V as a virtualization platform for Microsoft operating systems makes setup extremely easy, especially for a modern OS like Windows 7 that has Hyper-V integration components built in. In contrast, older operating systems like Windows Home Server require the user to mount the integration services disk image into the virtual machine during the initial configuration. For this article, I am going to simply use the Hyper-V New Virtual Machine Wizard as it is a quick way to get setup.

Windows 7 Throw Away VM
Windows 7 Throw Away VM

Note: I do aptly name my virtual machines.

After setting up the virtual machine’s name, the next step is to assign memory. Hyper-V does not do the best job of provisioning memory since over allocation features present in VMWare’s ESX(i) are much better. On the other hand, with 12GB DDR3 1600 memory, sparing 2GB when the VM is online is not an issue. RAM Is cheap, get lots.

Windows 7 Throw Away VM Assign 2GB Memory
Windows 7 Throw Away VM Assign 2GB Memory

Next, one needs to select a network for the VM.

Windows 7 Throw Away VM Select Network
Windows 7 Throw Away VM Select Network

Unlike a EON ZFS Storage/ OpenSolaris installation on Hyper-V or a FreeBSD/ FreeNAS installation, there is no need to worry about using a “Legacy NIC”.

Once this is completed, the next step is to create the virtual hard disk that will hold the clean Windows 7 Installation. Note, you can actually store this VHD on a WHS share if you want. I have an entire directory with VHDs for both VirtualBox and Hyper-V on my WHS which lets me move them from physical host to physical host very easily.

Windows 7 Throw Away VM New Virtual Hard Disk
Windows 7 Throw Away VM New Virtual Hard Disk

After this, one can click next and select installation media. I have ISOs from Microsoft of every MS operating system I test with on my WHS so I am using an ISO file here. One can just as easily insert the installation CD/DVD and select that option to install from physical media.

Windows 7 Throw Away VM Attach OS Disk
Windows 7 Throw Away VM Attach OS Disk

After this you can click next, start the virtual machine, and about 30 seconds later (using a local ISO file but longer with physical media) you should be well on your way to the Windows 7 installation process.

Installing Windows 7

Once the virtual machine is up and running, Windows 7 installation is about as easy as can be.

TIP: I do want to point out here that if you wanted to save a few dollars here, one could easily run Windows Vista or Windows XP instead. Both the Vista and XP virtual machines I tried just required the integration components to be installed which is a simple menu selection in Hyper-V manager.

Windows 7 Throw Away VM Win 7 Installation and Setup
Windows 7 Throw Away VM Win 7 Installation and Setup

Here you will be presented with the option to install it into your virtual hard disk as if it was a regular disk.

Windows 7 Throw Away VM Install to Dynamic VHD
Windows 7 Throw Away VM Install to Dynamic VHD

Note, for this I leave 127GB and use dynamically sizing vhds because the actual installation is under 10GB. Also, performance tends to be fine since this VM is getting accessed by only one user. Using fixed size disks just means you use more space that is essentially “free” space in the VM that will never get used. Also, each copy of the VM is about 10GB with a dynamically sizing disk so it saves copy time when you use the smaller footprint option.

Patch with Windows Update, Secure, and make a Master Copy

The next step is to let Windows Update patch the OS. Windows 7 is fairly secure out of the box, but a fully patched-OS is a must. If you want, you can always manually force Windows to update itself and that will usually take a bit less time. The important thing here is to not use the OS for anything while this process is happening. You can also install anti-malware/ anti-virus software at this point, or Windows Defender. If not using Windows Defender, I prefer to install only from retail packaged media out of an abundance of caution. The entire goal here is to get a fully patched OS.

VHD to Copy for Clean VM Re-boot
VHD to Copy for Clean VM Re-boot

After all patches are applied,  I generally do my custom settings for Windows Firewall, turn off any services that I do not need (note I never install Flash on this VM) and etc. Ideally, one wants to get to the point where the OS is activated, patched, security software is installed, and everything is “locked down” before using the machine for any other purpose. I also like to do one other thing, create shortcuts to any banking or other site I may use. That way, if the terminal I am at has a keylogger, I at least will not be typing in an address followed by credentials. At this point, one needs to make a copy of the .vhd file.

Windows 7 Throw Away VM Copy fully patched VHD
Windows 7 Throw Away VM Copy fully patched VHD

This copy of the .vhd file will serve as the master. Whenever a session ends, delete the VM, and copy/ rename a clean .vhd from the master.

That is all there is to it. Total setup time for me was about 8 minutes at the keyboard and after the various reboots, the virtual machine was ready in a few hours. A really cool feature is that you can actually take this portable VHD file and use it on another Hyper-V machine fairly easily.

Conclusion

This is a must-do for anyone running a serious, home-built Windows Home Server. Unfortunately, Atom based servers will not be able to take advantage of this due to the lack of virtualization extension (VT-x and VT-d see the Atom D425 and D525 discussion), and many pre-built machines will have difficulty running this configuration due to the difficulty of installing Hyper-V on closed-system hardware. For those with higher-end home servers, this is a simple, low-cost way to use your WHS to increase your overall security profile online. Disposable VM’s are nothing new, and the same thing can be accomplished with restoring backups, but with the popularity of home servers increasing this is a great way to setup a safer Windows environment for things like online banking. This is not the most secure way to go about this, but it is significantly better than using a client PC that browses hundreds of sites a day and is powered on 24×7. If you have the means, this is an excellent step for increasing security in a Windows environment. Of course, I would recommend using Linux, but for some users, Windows is more familiar and it works perfectly well.

6 COMMENTS

  1. rad! can i just remote desktop into this from any PC? what about VNC? can i leave it off and only turn on when needed. that would be more secure

  2. Walker: Yes you can so long as the VM is setup for it. You need to enable remote desktop like you would in a normal PC, or install a VNC server like you would in a normal PC. This article did not cover that because it does open up a potential vulnerability. If you install VNC server or setup remote desktop you can do that before you save the master copy of the VM that way it comes up in the copied VMs.

  3. Why copy the VM and keep a master when there is no need to do so when using a snapshot?

    Here is how i do most of my browsing and should work for anyone and will save you the most time and it’s hassle free.

    Create the VM as you suggested in the article above and log in and be on the desktop ready to browse but then create a snapshot. Browse the internet and do whatever you like and then simply turn the VM OFF.** When you’d like to browse again simply revert the snapshot and your VM will instantly start and be at the desktop, with you logged in, and ready to browse again. There’s no waiting for the VM to boot, no manually copying files, and it’s super easy.

    ** Turning the VM OFF completely kills the VM where it stands and we’re ok with that because we have a snapshot. Using the shut down option actually initiates a START menu – shutdown command and can take time to turn off the VM.

  4. Very true Shane. I usually use the copy method because I like having one installation that I can use my same process for multiple VMs and multiple physical machines. Using the snapshot method over the copy method is going to be easier if you have one VM/ one machine (otherwise you attach anyway).

LEAVE A REPLY

Please enter your comment!
Please enter your name here

This site uses Akismet to reduce spam. Learn how your comment data is processed.