Virtualizing Exchange Server on Microsoft Hyper-V offers a number of advantages, but any server virtualization project adds an extra layer of complexity to deployments. Therefore, it's critical that the proper security precautions are in place to ensure that this additional layer is not susceptible to threats such as denial-of-service attacks.
A denial-of-service (DoS) attack is the single biggest server virtualization-related security threat against
DoS attacks can prove even more disruptive in virtualized environments. For example, in a virtualized environment, all of the virtual machines (VMs) running on a host server share a finite pool of physical hardware resources. If an intruder launches a DoS attack against a virtual server, the attack has the potential to deplete the underlying host server of its physical resources. It's also very possible that all the VMs on the host would suffer from the DoS attack, not just the server that was initially attacked.
So how do you prevent this sort of situation? The solution lies in placing limits on individual virtual servers, and in a Microsoft Hyper-V environment, administrators can put a number of limits in place.
Note: Understand that you must take the Exchange Server roles into account when planning for DoS attack prevention. In most cases, DoS attacks come from outside your organization. Therefore you should focus the majority of your efforts on the edge transport server (if you have one) and the client access server.
Settings and techniques to avoid denial-of-service attacks
When using Hyper-V to virtualize Exchange, each physical network adapter that is authorized for use with Hyper-V is bound to a virtual switch. When virtual servers are created, they are connected to a virtual switch. The virtual switch you select determines which physical network adapter the VM uses.
One of the first things to consider when protecting your virtualized Exchange deployment against DoS attacks is a dedicated physical network adapter/virtual switch for Internet-facing VMs. For example, you can reserve a physical network interface card (NIC) specifically for your edge transport server's Internet-facing connection.
This technique minimizes the impact of a denial-of-service attack. If an outside attacker floods the physical network connection with traffic, only that connection would suffer the effects. Other VMs would not be affected because they don't share the adapter.
You may be quick to point out that it's difficult to flood a physical NIC with Internet packets because the NIC is likely much faster than the Internet connection. Additionally, some firewalls filter out these types of packet floods. Both are true, but it's still a good idea to use a dedicated network adapter for Internet-facing VM connections as a part of your defense strategy. I've seen instances of distributed botnet denial-of-service attacks launched from behind a company's perimeter firewall. A dedicated NIC helps guard against that sort of attack.
Hyper-V also has a few CPU settings that prove useful in preventing denial-of-service attacks. One such setting is the Virtual Machine Reserve (Percentage) setting, which puts aside a percentage of a logical CPU's capacity for a specific VM. With this setting, you can reserve a certain amount of virtual CPU resources for each of your virtual Exchange servers as a way to ensure that each virtual server always has enough CPU resources to function.
On the flip side, you can also use the Virtual Machine Limit (Percentage) setting to control the maximum percentage of a virtual CPU's resources that a VM consumes. In other words, it's possible to use the setting to make sure that no single VM ever consumes an excessive amount of CPU resources, thereby starving the other virtual machines of CPU time.
As a final measure, if you use dynamic memory on your VMs, I recommend setting realistic memory caps. Even though memory over-commitment is acceptable in many cases, you don't want to end up in a situation where an attacker is able to rob memory from your other virtual servers by increasing the memory demand on the VM he is attacking.
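The three controls described above (a dedicated Internet-facing virtual switch, CPU reserve and limit percentages, and a dynamic memory ceiling) can all be applied from the Hyper-V PowerShell module. The following is an added example, not code from the original article: it configures an edge transport VM and then audits every VM on the host for missing guards. The VM name, NIC name, switch name and the percentage and memory values are assumptions to adapt to your environment.

```powershell
# Added example (not from the original article). Names and values are assumptions.
# Processor and memory changes generally require the VM to be powered off.
#Requires -Modules Hyper-V

$EdgeVm     = 'EXCH-EDGE01'      # assumed edge transport VM name
$EdgeNic    = 'Ethernet 3'       # assumed physical NIC reserved for Internet traffic
$EdgeSwitch = 'vSwitch-Internet' # assumed virtual switch name

# 1. Dedicated external switch bound to its own NIC. AllowManagementOS $false
#    keeps the host's own management traffic off the Internet-facing adapter.
if (-not (Get-VMSwitch -Name $EdgeSwitch -ErrorAction SilentlyContinue)) {
    New-VMSwitch -Name $EdgeSwitch -NetAdapterName $EdgeNic -AllowManagementOS $false | Out-Null
}
Get-VMNetworkAdapter -VMName $EdgeVm | Connect-VMNetworkAdapter -SwitchName $EdgeSwitch

# 2. Virtual Machine Reserve (floor) and Virtual Machine Limit (ceiling),
#    both as percentages of the VM's virtual processors.
Set-VMProcessor -VMName $EdgeVm -Reserve 20 -Maximum 60

# 3. Dynamic memory with a hard cap, so a flood against the edge VM cannot
#    grow its footprint at the expense of the other Exchange VMs on the host.
Set-VMMemory -VMName $EdgeVm -DynamicMemoryEnabled $true `
    -MinimumBytes 4GB -StartupBytes 6GB -MaximumBytes 8GB

# Audit: report every VM on this host that has no CPU reserve, no CPU limit,
# or a dynamic memory ceiling above half of the host's physical RAM.
$hostRam = (Get-VMHost).MemoryCapacity
Get-VM | ForEach-Object {
    $cpu = Get-VMProcessor -VMName $_.Name
    $mem = Get-VMMemory    -VMName $_.Name
    [pscustomobject]@{
        VM            = $_.Name
        CpuReservePct = $cpu.Reserve
        CpuLimitPct   = $cpu.Maximum
        MemMaxGB      = [math]::Round($mem.Maximum / 1GB, 1)
        Finding       = @(
            if ($cpu.Reserve -eq 0)   { 'no CPU reserve' }
            if ($cpu.Maximum -ge 100) { 'no CPU limit' }
            if ($mem.DynamicMemoryEnabled -and $mem.Maximum -gt ($hostRam / 2)) {
                'memory cap above 50% of host RAM'
            }
        ) -join '; '
    }
} | Format-Table -AutoSize
```

Run the audit section on its own after any change to confirm that no VM is left with an unbounded CPU or memory allocation.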
As you can see, there are a number of different Hyper-V settings to prevent a denial-of-service attack from affecting multiple VMs. These measures are especially important in virtualized Exchange environments because so much of the Exchange Server traffic originates beyond the network perimeter.
About the author
Brien Posey is a ten-time Microsoft MVP with two decades of IT experience. Before becoming a freelance technical writer, Brien worked as a chief information officer at a national chain of hospitals and health care facilities. He has also served as a network administrator for some of the nation's largest insurance companies and for the Department of Defense at Fort Knox.
This was first published in April 2013