There is no doubt that security concerns top the list of initiatives and concerns for IT administrators as well as CIOs and CEOs alike. Security is something that must be taken seriously no matter what system or platform is utilized in an organization’s environment. Since the outset of virtualization there have been concerns about the separation of resources and permissions between the guest operating system from the host itself and its operating system. Additionally, there are concerns about the separation between guest operating systems.
Table of Contents
- Hyper-V Host and Guest Operating System Security
- Securing Hyper-V Hosts
- Installation Options – Nano, Core, GUI
- Workgroup Clusters
- Patch Management
- Secure Networks
- Drive Encryption
- Securing Hyper-V Virtual Machines
- Generation 2 Virtual Machine
- Secure Boot
- Patch Management
- Secure Networking
- Virtualization-based Security (VBS)
- Concluding Thoughts
What about the network communication both from a storage and management perspective?
The list of concerns is quite long when it comes to virtualized environments.
With Microsoft’s Hyper-V hypervisor, how can organizations make sure their environments are secure?
We will take a look at some recommendations to secure Hyper-V host and guest operating systems from security risks and increase the overall security posture of the Hyper-V environment.
Hyper-V Host and Guest Operating System Security
There are many concerns related to both the host and guest operating systems as well as how they are configured. An effective Hyper-V security approach should cover both aspects of the Hyper-V infrastructure. Security is often only as good as the weakest link. If a Hyper-V host is effectively secured but the guest operating systems are wide open for compromise, then effectively securing the environment is not possible.
We will take a look at the following concerns as they relate to both aspects.
Hyper-V Host:
- Hyper-V Installation Options for Better Security – Nano, Core, and GUI
- Workgroup Clusters
- Patch Management
- Secure Networks for management, Live Migration, and Storage
- Drive Encryption
Hyper-V Virtual Machines
- Type – Use Generation 2
- Secure Boot
- Patch Management
- Secure Networking
- Virtualization Based Security
The above is by no means an all-encompassing list, however, we will look at these general major areas of focus when it comes to securing Hyper-V environments.
Securing Hyper-V Hosts
Securing the Hyper-V host itself is certainly an important aspect of securing the overall Hyper-V environment. If an attacker compromises the Hyper-V host, control of the entire environment along with the guest operating systems is possible at that point. So, it is a critical aspect of security with Hyper-V.
Installation Options – Nano, Core, GUI
While many are used to and comfortable with administering Windows Server GUIs, using a Windows Server installation with the GUI installed provides a much larger footprint for an attacker to compromise. Installing the GUI for production Hyper-V hosts drastically lowers the security posture for the host as well as creates a platform that requires many more patches and other potential hotfixes for various security threats.
Installing the very small footprint Nano Server or Core installation to host the Hyper-V role is a much better option for production Hyper-V environments. This decreases the operating system footprint without the GUI installed which in turn lowers the security threats and vulnerabilities that have to be mitigated or patched.
Workgroup Clusters
Windows Server 2016 introduced the new capability for Hyper-V Clusters to be installed on Windows Server 2016 Workgroups. This opens up a really good use case for security reasons. Prior to Windows Server 2016, Failover Clustering was not possible with a workgroup. If running a Hyper-V cluster, some Hyper-V admins were forced to create an entirely separate domain if they wanted to keep the Hyper-V environment separate from the production domain.
With the new Workgroup possibility with Windows Server 2016 Failover Clusters, Hyper-V administrators can now much more easily separate Hyper-V clusters from the production domain. This way, if they are compromised, the production domain is not at risk. However, while the Hyper-V role is supported in the Workgroup cluster configuration, it does have caveats that need to be noted. One of the major caveats to the Workgroup cluster that can be a deterrent for Hyper-V is Live migration is not supported in this configuration. However quick migration is supported.
Patch Management
Keeping Hyper-V hosts patched is an essential part of securing a Hyper-V environment. Hyper-V is nothing more than a special role that is hosted by a Windows Server. With that being said, a Windows Server Hyper-V installation needs patched like any other Windows Server. Implementing an effective patch management scheme for Windows Server Hyper-V is essential to keeping the environment stable and secure.
Using tools such as Windows Server Update Services along with cluster-aware updating with a Windows Server Hyper-V cluster allows implementing an effective and powerful patch management system for Hyper-V clusters. The cluster-aware updating mechanism allows a much more fluid and automated way to update Hyper-V clusters with multiple hosts by automatically draining roles and seamlessly Live Migrating virtual machines in the process.
Secure Networks
Implementing secure networks for various network traffic is a great way from a networking perspective to secure a Hyper-V cluster. By using the tools available and the built-in networking that Hyper-V provides, traffic can be properly segmented. Paying attention to the “plumbing” of traffic and ensuring that storage traffic is isolated into its own network as well as the Live Migration network ensures that storage traffic and Live Migration traffic are not flowing across the same paths as other Hyper-V services.
With virtual machines, the Hyper-V virtual switches can provide segmentation just like any other physical switch by applying VLANs to various connections. Virtual machines can then be attached to the appropriate virtual switch and isolated from other virtual machine traffic that may be serviced by the Hyper-V host.
Drive Encryption
Windows Server 2016 introduced the ability to protect the operating system disk using BitLocker drive encryption for generation 1 virtual machines along with the already existing ability for generation 2 virtual machines using TPM. This is made possible by the guarded fabric technology which utilizes key management to decrypt virtual machine disks and start the VM.
Securing Hyper-V Virtual Machines
Moving on from the Hyper-V host, securing Hyper-V virtual machines is also a necessary aspect of Hyper-V security. The guest operating systems found in production virtual machines are the resources that supply business critical applications. Keeping them secure allows protecting these key business resources from being compromised.
Generation 2 Virtual Machine
The Hyper-V Generation 2 virtual machine provides the newest features and functionality. Additionally, generation 2 offers the best security features. With generation 2 virtual machines, you are able to take advantage of the secure boot feature that helps prevent unauthorized firmware, operating systems, or UEFI drivers from running at boot. Generation 2 virtual machines can be run with Windows or Linux distros. It opens up additional security features including Trusted Platform
Secure Boot
As mentioned secure boot is available to help secure the boot environment of a Hyper-V virtual machine, enabling a security mechanism that prevents unauthorized software to be introduced at the time of boot.
Patch Management
Patching Hyper-V virtual machines should be performed on a schedule of patching as any other Windows Server. Many organizations make use of some sort of rotation where patches are first released to a test group or perhaps tested in a DEV/TEST environment before being released to production. Keeping Hyper-V virtual machines to be patched is essential to ensuring discovered vulnerabilities are remediated. Like Hyper-V hosts, Hyper-V administrators can make use of tools like Windows Server Update Services or WSUS to control and approve patches to Hyper-V guest operating systems.
Secure Networking
Hyper-V supports having many different virtual machine networks, all of which can have different VLAN tags. Ensuring Hyper-V virtual machines are connected to the correct virtual switches and assigned appropriately is a necessary configuration task as it relates not only to connectivity, but also security.
Virtualization-based Security (VBS)
With Windows 10 or Windows Server 2016, Hyper-V administrators can enable a new security feature called Virtualization-based Security. This mechanism creates an isolated secure region of memory from the normal operating system. This memory is then used in virtual secure mode to provide increased protection from vulnerabilities in the operating system and prevent malicious exploits.
VBS uses the Windows hypervisor to create the virtual secure mode that protects valuable security assets such as authenticated user credentials. Even if malware compromises the operating system itself, VBS can greatly limit the scope of what the malware can do in executing code or accessing the authenticated credentials.
Enabling this new mechanism on supported guest operating systems in Hyper-V including Windows 10 and Windows Server 2016 greatly enhances overall security.
Concluding Thoughts
Security is generally best executed in multiple layers. When thinking about Hyper-V, securing both the host as well as the guest operating systems provides the best overall security stance to mitigate compromise from a number of sources. By making use of various security best practices on the host such as considering the hypervisor install to exclude GUI installations from production, using workgroup clusters, secure networks, patch management, drive encryption and other security mechanisms goes a long way in securing the Hyper-V host. In the guest operating system, using generation 2 virtual machines, secure boot, patch management, secure networking and virtualization-based security makes it exponentially harder for an attacker or malware to compromise guest operating systems running on top of Hyper-V. Security is an essential part of any Hyper-V deployment. By using these and other mechanisms, Hyper-V administrators can ensure a stable, powerful, and secure platform for business-critical services and applications.
Follow our Twitter and Facebook feeds for new releases, updates, insightful posts and more.