Protect Hyper-V with on-board resources
Counterintelligence
Hosts, and their operating systems in particular, play a central role in secure Hyper-V operations. The individual virtual machines (VMs) and the operating systems inside them naturally need to be secured as well. The third security-relevant area is the configuration files of the individual VMs and of Hyper-V itself – and don't forget the system services. If the hardware has a trusted platform module (TPM) chip, use it on Hyper-V hosts to take advantage of technologies such as BitLocker and shielded VMs. As an administrator, you add security in a number of places, much of it with the help of Microsoft recommendations and templates.
Securing the Host and Operating System
Minimizing the attack surface is an important security foundation, and it starts with installation. In general, use the Server Core installation option of Windows Server 2019 or newer for Hyper-V hosts: without the desktop shell and the programs that ship with it, a whole class of attacks against the host is simply not possible. Bear in mind that since Windows Server 2016 the choice between Server Core and Desktop Experience is made at installation time and cannot be switched afterwards; the App Compatibility Feature on Demand can add a few graphical management tools to Server Core, but it does not turn the host into a desktop, and a host installed with the Desktop Experience keeps it.
If you run the Desktop Experience anyway, you should remove programs and services that are not required. For example, Windows Media Player is active by default on Windows Server 2019, but definitely not needed on production servers. To uninstall Media Player, enter:
dism /online /Disable-Feature /FeatureName:WindowsMediaPlayer /norestart
Only absolutely essential services should be installed and started on the Hyper-V host. Any additional software just adds attack vectors. In general, it is almost always better to install additional software on another server rather than on a Hyper-V host on which numerous VMs are in use. Of course, this is also true when you consider performance.
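The following script is an added example and not code from the article. It does on a Hyper-V host what the paragraphs above ask for by hand: it lists the installed roles and features that fall outside an expected minimal set, the enabled optional components (the same DISM view the dism command above uses), and every running service whose binary lives outside the Windows directory, which on a bare Hyper-V host is usually third-party software that belongs on another server. The role list in $required is an assumption to be adjusted to your own build; the removal of Windows Media Player only runs when the script is called with -Remove.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the article): inventory what is installed and running
# on a Hyper-V host, and optionally remove a feature the host does not need.
# Run in an elevated PowerShell session on the host itself.
param([switch]$Remove)

Import-Module ServerManager, Dism

# Assumption: an illustrative minimal set of roles/features for a bare Hyper-V
# host. Edit this before acting on the report; everything else gets listed.
$required = @('Hyper-V', 'Hyper-V-PowerShell', 'RSAT-Hyper-V-Tools', 'Windows-Defender')

# 1. Installed roles and features outside the expected set (ServerManager view).
Write-Host "`n== Installed roles/features not in the expected set =="
Get-WindowsFeature |
    Where-Object { $_.Installed -and $required -notcontains $_.Name } |
    Select-Object Name, DisplayName, FeatureType |
    Format-Table -AutoSize

# 2. Enabled optional components, i.e. what "dism /online /Get-Features" shows.
Write-Host "== Enabled optional features (DISM view) =="
Get-WindowsOptionalFeature -Online |
    Where-Object State -eq 'Enabled' |
    Select-Object -ExpandProperty FeatureName |
    Sort-Object

# 3. Running services whose binary is not under the Windows directory.
#    On a Hyper-V host these are almost always additional products that
#    add attack surface and should move to another server.
Write-Host "`n== Running services with binaries outside $env:SystemRoot =="
Get-CimInstance Win32_Service |
    Where-Object { $_.State -eq 'Running' -and $_.PathName -notlike "*$env:SystemRoot*" } |
    Select-Object Name, StartMode, PathName |
    Format-Table -AutoSize -Wrap

# 4. Remove Windows Media Player only when explicitly asked to.
if ($Remove) {
    $wmp = Get-WindowsOptionalFeature -Online -FeatureName WindowsMediaPlayer -ErrorAction SilentlyContinue
    if ($wmp -and $wmp.State -eq 'Enabled') {
        # Same operation as the dism command in the text; -Remove also drops the
        # feature payload from the component store so it cannot be re-enabled
        # without installation media.
        Disable-WindowsOptionalFeature -Online -FeatureName WindowsMediaPlayer -Remove -NoRestart
    } else {
        Write-Host 'WindowsMediaPlayer is not enabled on this host.'
    }
}
```

Run it once without -Remove and read the three lists before deciding what to strip; the ServerManager and DISM views overlap but are not identical, so a component can show up in only one of them.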
Microsoft advises against running production server VMs on the Client Hyper-V that ships with Windows 10. Especially on smaller networks, administrators are tempted to connect users to VMs by this route, but doing so poses a significant security risk. The free Microsoft Hyper-V Server 2019 is the better choice. Windows 10, with its continual feature updates, is fine as a test environment for Hyper-V, but under no circumstances should you provide server-based services on networks with Windows 10.
Installing Updates and Closing the Gaps
The operating system on the Hyper-V host, the firmware, and the device drivers should always be up to date. Microsoft regularly closes critical gaps that also affect Hyper-V on its monthly patch day. In most cases, numerous VMs run on a Hyper-V host, so a security vulnerability does not just affect one server, but several. The patch status of your Hyper-V hosts therefore plays an important role.
For example, Microsoft closed a critical vulnerability in Hyper-V on patch day in October 2020 that allowed an attacker who could already execute code inside a VM to break out of the guest and run code on the host. On Hyper-V servers, therefore, you will want to install at least this update [1] promptly, either through Windows Server Update Services (WSUS) on the internal network or directly from Windows Update.
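Because one unpatched host exposes every VM on it, the patch state of all Hyper-V hosts is worth checking in one pass rather than host by host. The script below is an added example, not code from the article: it queries each host for its OS build and update build revision (UBR), the most recently installed hotfix, whether one specific KB is present, whether a reboot is still pending, and how many VMs are running (so the reboot can be planned). The host names and the KB number are placeholders; take the KB from the advisory referenced as [1].

```powershell
# Added example (not from the article): patch-state report for Hyper-V hosts.
# Requires PowerShell remoting to the hosts and local admin rights on them.
param(
    [string[]]$HostNames = @('hv01', 'hv02'),   # assumption: your Hyper-V hosts
    [string]$Kb = 'KBnnnnnnn'                   # placeholder: KB from the advisory
)

# Runs on each host and returns one object describing its update state.
$probe = {
    param($Kb)
    $os  = Get-CimInstance Win32_OperatingSystem
    $ver = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $fixes = Get-HotFix | Sort-Object InstalledOn -Descending
    $latest = $fixes | Select-Object -First 1

    # Windows leaves these keys behind when an update still needs a reboot;
    # until then the patched binaries are not the ones actually running.
    $pending = (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired') -or
               (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending')

    $running = @(Get-VM -ErrorAction SilentlyContinue | Where-Object State -eq 'Running').Count

    [pscustomobject]@{
        Host          = $env:COMPUTERNAME
        Build         = "$($os.BuildNumber).$($ver.UBR)"   # e.g. 17763.xxxx
        LastBoot      = $os.LastBootUpTime
        LatestHotFix  = $latest.HotFixID
        LatestInstall = $latest.InstalledOn
        HasKb         = [bool]($fixes | Where-Object HotFixID -eq $Kb)
        RebootPending = $pending
        RunningVMs    = $running
    }
}

$report = Invoke-Command -ComputerName $HostNames -ScriptBlock $probe -ArgumentList $Kb
$report | Sort-Object Host |
    Format-Table Host, Build, LastBoot, LatestHotFix, LatestInstall, HasKb, RebootPending, RunningVMs -AutoSize

# A host counts as exposed until the update is installed AND it has rebooted.
$report | Where-Object { -not $_.HasKb -or $_.RebootPending } | ForEach-Object {
    Write-Warning "$($_.Host): $Kb missing or reboot pending ($($_.RunningVMs) VMs running)"
}
```

One caveat when reading the HasKb column: monthly updates for Windows Server 2019 are cumulative, so a host that already received a later cumulative update will not list the October KB by name even though it contains the fix. In that case compare the Build column (build number plus UBR) against the build listed in the advisory instead of looking for the KB ID.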
Implement Security Recommendations with Policies
Microsoft publishes its own security baselines for Windows Server in the Microsoft Security Compliance Toolkit [2], which contains group policy templates with which you can secure Hyper-V hosts in line with Microsoft's recommendations. The download comprises tools and ZIP files for various Windows versions, from which you can create Group Policy Objects (GPOs) for improved security on Hyper-V hosts and VMs.
With the Policy Analyzer from the toolkit, first check whether the security settings on the server make sense, so that you can adjust them to comply with Microsoft's recommendations if needed. For the analysis, Policy Analyzer reads GPO backups of the current policies along with their settings and can compare them with the effective local policy of the machine it runs on. The ZIP archives include files with the PolicyRules extension, which you load into Policy Analyzer to compare the existing settings with the recommendations from Microsoft. In this way, you can quickly identify weak and missing settings.
Microsoft also provides an Excel table in the Documentation directory of the ZIP archive, listing all settings that can be implemented with the group policy templates. Under the item Security Template, you can see which security settings are addressed by the group policies. The table shows the settings for member servers and domain controllers on the basis of Windows Server 2019. In the GP Reports directory, you will find a report as an HTML file for each policy. From this information, you can either create new policies or modify existing ones.
If you want to create group policies from the templates recommended by Microsoft, the easiest approach is first to create a new GPO in Group Policy Management and read in the templates. As long as the GPO is not yet linked to a container, the settings will not be implemented. Only when they are linked do the servers apply the settings. To integrate the policy settings into the new policy, select Import Settings from the context menu of the newly created policy. You can use a wizard to import the templates with Microsoft's recommendations (Figure 1). The files are located in the GPOs directory. View Settings lets you view the policy settings to be imported, although this report is basically what you can find in GP Reports.
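The same procedure can be scripted with the GroupPolicy module, which is handy when several baselines have to be imported into more than one domain. The script below is an added example, not code from the article or from the toolkit: it creates one GPO per baseline backup, imports the settings, writes the HTML report for review, and links the GPO to the OU of the Hyper-V hosts with the link disabled, so nothing is applied until you enable the link after testing. The baseline path, the OU, and the display names in $Baselines are assumptions; the names must match the GPO display names recorded in the manifest.xml of the GPOs directory.

```powershell
# Added example (not from the article): import Security Compliance Toolkit
# baselines as unlinked GPOs and produce a report for each.
# Run on a domain-joined admin workstation or DC with RSAT Group Policy tools.
Import-Module GroupPolicy

# Assumption: path to the extracted GPOs directory of the baseline ZIP.
$BaselinePath = 'C:\Baselines\Windows Server 2019 Security Baseline\GPOs'
# Assumption: display names as listed in the backup's manifest.xml.
$Baselines = @(
    'MSFT Windows Server 2019 - Member Server'
    'MSFT Windows Server 2019 - Defender Antivirus'
)
# Assumption: OU that holds the Hyper-V host computer accounts.
$TargetOu  = 'OU=Hyper-V Hosts,DC=example,DC=com'
$ReportDir = 'C:\Baselines\Reports'
New-Item -ItemType Directory -Path $ReportDir -Force | Out-Null

foreach ($name in $Baselines) {
    try {
        # -CreateIfNeeded creates the target GPO; it is not linked to any
        # container at this point, so no server picks up the settings yet.
        $gpo = Import-GPO -BackupGpoName $name -Path $BaselinePath `
                          -TargetName $name -CreateIfNeeded -ErrorAction Stop

        # Equivalent of the View Settings report in the GUI, kept for review.
        Get-GPOReport -Guid $gpo.Id -ReportType Html -Path (Join-Path $ReportDir "$name.html")

        # Link with the link disabled: visible in Group Policy Management,
        # applied only after you enable it (Set-GPLink -LinkEnabled Yes).
        New-GPLink -Guid $gpo.Id -Target $TargetOu -LinkEnabled No -ErrorAction Stop | Out-Null
        Write-Host "imported '$name' as $($gpo.Id), linked (disabled) to $TargetOu"
    } catch {
        Write-Warning "baseline '$name': $_"
    }
}
```

Enable one link at a time on a test OU first and run gpresult or the Policy Analyzer against a host afterwards; several settings in the member server baseline (for example, restrictions on local accounts and remote access) can lock an administrator out of a host that is managed only over the network.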
In addition to the baselines provided by Microsoft, third-party organizations also offer recommendations for secure operation of Windows on corporate networks. Well-known examples are the Security Technical Implementation Guides (STIGs) of the Defense Information Systems Agency (DISA) [3] and the CIS Benchmarks of the Center for Internet Security (CIS) [4]. In general, it is worthwhile to work through these recommendations carefully and to adapt them to your own requirements.