When deploying a Xen system, take care to secure the management
domain (Domain-0) as thoroughly as possible. Domain-0 controls every
other domain on the host, so if the management domain is compromised,
all other domains are vulnerable as well. The following is a set of best
practices for Domain-0:
- Run the smallest number of services necessary. The fewer things
present in the management domain, the better. Remember that a service
running as root in the management domain has full access to all other
domains on the system, so every service exposed there is attack surface
for the whole host.
- Use a firewall to restrict traffic to the management domain. A
firewall with default-reject rules, admitting only the administrative
traffic you actually need (for example SSH from an administrative
network), will help prevent attacks on the management domain.
- Do not allow users to log in to Domain-0. The Linux kernel has
been known to have local privilege-escalation (local-user root)
exploits. If you allow normal users to access Domain-0 (even as
unprivileged users) you run the risk of a single kernel exploit making
all of your domains vulnerable.