Protect Hyper-V with on-board resources
Counterintelligence
Encryption Without Shielded VMs
If you want to encrypt your VM virtual hard drives, you do not necessarily have to rely on shielded VMs. Since Windows Server 2016, a virtual TPM (vTPM) can also be added to VMs from the Security menu item in the properties of the VM. Activating the Trusted Platform Module function makes a virtual TPM available to the VM, which can then be used for BitLocker encryption. VMs encrypted with BitLocker on the basis of a vTPM can be integrated into a guarded fabric with shielded VMs at any time, and live migration remains possible. The important thing here is that you are working with a generation 2 VM. In addition to the Hyper-V Manager, the settings can also be made in PowerShell. For example, to activate and deactivate the technology, use:
Enable-VMTPM -VMName <name>
Disable-VMTPM -VMName <name>
The TPM is displayed in the VM's Device Manager under Security devices. Launching tpm.msc in the guest lets you initialize and set up the module.
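The following script is an added example and not code from the article: it enables a vTPM on an existing generation 2 VM from PowerShell and verifies the result. Enable-VMTPM requires a key protector on the VM, so on a host that is not part of a guarded fabric the script creates the same kind of local "UntrustedGuardian" that Hyper-V Manager creates silently when you tick the TPM checkbox. The VM name is a parameter you supply; the script must run elevated on the Hyper-V host.

```powershell
# Added example (not from the original article): enable a virtual TPM on an
# existing generation 2 VM and confirm it. Assumes an elevated PowerShell on
# the Hyper-V host and a host that is NOT part of a guarded fabric, so a
# local, untrusted guardian is used as the key protector owner.
param(
    [Parameter(Mandatory = $true)]
    [string]$VMName
)

$vm = Get-VM -Name $VMName -ErrorAction Stop

# A vTPM is only available for generation 2 VMs; fail early and clearly.
if ($vm.Generation -ne 2) {
    throw "VM '$VMName' is generation $($vm.Generation); a vTPM requires a generation 2 VM."
}

# Key protector and TPM settings can only be changed while the VM is off.
if ($vm.State -ne 'Off') {
    throw "VM '$VMName' must be shut down before enabling the vTPM (current state: $($vm.State))."
}

$security = Get-VMSecurity -VMName $VMName
if ($security.TpmEnabled) {
    Write-Host "vTPM is already enabled on '$VMName'; nothing to do."
    return
}

# Outside a guarded fabric the host acts as its own (untrusted) guardian.
# Reuse it if it already exists so every VM on the host shares one guardian.
$guardian = Get-HgsGuardian -Name 'UntrustedGuardian' -ErrorAction SilentlyContinue
if (-not $guardian) {
    $guardian = New-HgsGuardian -Name 'UntrustedGuardian' -GenerateCertificates
}

# Build a key protector owned by that guardian and attach it to the VM.
# Note: this replaces any key protector the VM already had.
$keyProtector = New-HgsKeyProtector -Owner $guardian -AllowUntrustedRoot
Set-VMKeyProtector -VMName $VMName -KeyProtector $keyProtector.RawData

# Now the vTPM can be switched on (the cmdlet the article quotes).
Enable-VMTPM -VMName $VMName

# Verify and report the resulting security settings of the VM.
$security = Get-VMSecurity -VMName $VMName
[pscustomobject]@{
    VM         = $VMName
    Generation = $vm.Generation
    TpmEnabled = $security.TpmEnabled
    Shielded   = $security.Shielded
} | Format-List
```

After the VM is started and the TPM has been initialized in the guest (tpm.msc), BitLocker can be turned on inside the guest with a TPM protector, for example `Enable-BitLocker -MountPoint 'C:' -TpmProtector`. Because the untrusted guardian's certificates live only on this host, export them (Export-HgsGuardian) before moving such a VM to another standalone host; otherwise the vTPM state cannot be unlocked there.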
Access Permissions and Authorizations
VM administrators do not need administrative access to the host operating system, so you will want to adjust the authorizations of administrators on Hyper-V hosts accordingly: anyone who does not manage the host itself should not be a local administrator on it. Usually, it is sufficient for Hyper-V administrators to be members of the Hyper-V Administrators group on the server. Hyper-V hosts should also have antivirus protection installed; however, exclusions in malware scans are useful. When using Microsoft Defender, the exclusions for Hyper-V are applied automatically, and many other scanners also support Hyper-V. To disable the automatic exclusions, enter the command:
Set-MpPreference -DisableAutoExclusions $true
In general, however, you will want to make sure that the essential components of Hyper-V are monitored, but not unnecessary areas or services and directories that can cause performance problems. Windows Defender does not scan the following file types: VHD, VHDX, AVHD, AVHDX, VSV, ISO, RCT, VMCX, and VMRS. You can additionally exclude the following directories from scanning:
%ProgramData%\Microsoft\Windows\Hyper-V
%ProgramFiles%\Hyper-V
%SystemDrive%\ProgramData\Microsoft\Windows\Hyper-V\Snapshots
%Public%\Documents\Hyper-V\Virtual Hard Disks
The following processes are particularly important:
%systemroot%\System32\Vmms.exe
%systemroot%\System32\Vmwp.exe
For more information on exclusions, see recommended antivirus exclusions for Hyper-V hosts online [6].
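The following script is an added example and not code from the article: it applies the two recommendations above on a host, least privilege for VM operators and Defender exclusions that cover the Hyper-V components without switching scanning off elsewhere. The operator account name is a placeholder parameter; the paths and processes are the ones listed above, expanded from the environment variables.

```powershell
# Added example (not from the original article): least-privilege VM operator
# plus Microsoft Defender exclusions for Hyper-V. Assumes an elevated
# PowerShell on the Hyper-V host. $Operator is a placeholder account name.
param(
    [string]$Operator = 'CONTOSO\vm-operator'   # placeholder, replace with a real account
)

# --- 1. Least privilege: Hyper-V Administrators, not local Administrators ---
# Membership in "Hyper-V Administrators" is enough to create and manage VMs.
$inHvAdmins = Get-LocalGroupMember -Group 'Hyper-V Administrators' -Member $Operator -ErrorAction SilentlyContinue
if (-not $inHvAdmins) {
    Add-LocalGroupMember -Group 'Hyper-V Administrators' -Member $Operator
    Write-Host "Added $Operator to Hyper-V Administrators."
}

# Flag (do not silently remove) host-admin rights that a VM operator does not need.
$inAdmins = Get-LocalGroupMember -Group 'Administrators' -Member $Operator -ErrorAction SilentlyContinue
if ($inAdmins) {
    Write-Warning "$Operator is also a member of the local Administrators group; remove it unless host management is really required."
}

# --- 2. Defender: keep the automatic Hyper-V exclusions switched on ---------
$pref = Get-MpPreference
if ($pref.DisableAutoExclusions) {
    Write-Warning 'Automatic exclusions are disabled; re-enabling them.'
    Set-MpPreference -DisableAutoExclusions $false
    $pref = Get-MpPreference
}

# --- 3. Explicit path and process exclusions from the article ---------------
# Paths are scoped to the Hyper-V directories; the file-type list (VHD, VHDX,
# AVHD, ...) is deliberately NOT added as an extension exclusion, because an
# extension exclusion would apply to such files anywhere on the host, while
# the automatic exclusions already cover them where Hyper-V uses them.
$paths = @(
    "$env:ProgramData\Microsoft\Windows\Hyper-V",
    "$env:ProgramFiles\Hyper-V",
    "$env:SystemDrive\ProgramData\Microsoft\Windows\Hyper-V\Snapshots",
    "$env:Public\Documents\Hyper-V\Virtual Hard Disks"
)
$processes = @(
    "$env:SystemRoot\System32\Vmms.exe",
    "$env:SystemRoot\System32\Vmwp.exe"
)

foreach ($p in $paths) {
    if ($pref.ExclusionPath -notcontains $p) {
        Add-MpPreference -ExclusionPath $p
        Write-Host "Excluded path: $p"
    }
}
foreach ($proc in $processes) {
    if ($pref.ExclusionProcess -notcontains $proc) {
        Add-MpPreference -ExclusionProcess $proc
        Write-Host "Excluded process: $proc"
    }
}

# --- 4. Show the effective exclusion set for review -------------------------
$pref = Get-MpPreference
[pscustomobject]@{
    AutoExclusionsEnabled = -not $pref.DisableAutoExclusions
    ExcludedPaths         = ($pref.ExclusionPath -join '; ')
    ExcludedProcesses     = ($pref.ExclusionProcess -join '; ')
} | Format-List
```

Run it after each Defender or Hyper-V update and keep the printed exclusion set in your change records: exclusion lists tend to grow, and every path on the list is a place where malware would not be scanned, so the review step at the end is as important as the additions.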
Third-Party VHDs and Nested Virtualization
It should go without saying that you should never mount third-party virtual hard disks (VHDs) on Hyper-V hosts because of the risk of attacks at the filesystem level. You should also avoid deploying VMs with unknown VHDs. Perform extensive tests, preferably on test servers, before you implement third-party VHDs for a VM on a host to check for malware or suspicious activity.
Additionally, Microsoft generally recommends not using nested virtualization on Hyper-V hosts. Otherwise, administrators of VMs with activated virtualization could create VMs themselves, which in turn represent a danger for, and generate load on, the Hyper-V host. Nested virtualization should only be implemented for scenarios that you absolutely need – ideally in highly monitored environments.
For even greater security, Microsoft recommends generation 2 VMs for supported operating systems whenever possible. You will also want to enable Secure Boot on the VMs (Figure 3) to prevent unauthorized code from starting with the operating system without first being checked. The feature is also available for Linux servers if the distribution supports generation 2 VMs in Hyper-V. The settings can be found in the properties of a VM under Security. You can enable Secure Boot for generation 2 VMs here, select the template, and, if prompted to do so, enable TPM on the VM and shielding.
Microsoft explains the options for secure generation 2 VMs on GitHub [7]. As with the Hyper-V host, you should always keep the VMs as up to date as possible, especially for security updates. Install the integration services for the supported guest operating systems; Windows Update handles these updates.
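To turn the recommendations in this section into a check you can repeat, here is an added example that is not code from the article: it audits every VM on a host for generation 2, Secure Boot and its template, a vTPM, and exposed nested virtualization, and reports findings per VM. The optional allow list of VMs that legitimately need nested virtualization is an assumption of the example.

```powershell
# Added example (not from the original article): audit VM security settings
# on a Hyper-V host. Assumes an elevated PowerShell on the host.
# $NestedAllowList names VMs that are allowed to expose virtualization
# extensions (placeholder; empty by default, so every nested VM is flagged).
param(
    [string[]]$NestedAllowList = @()
)

$report = foreach ($vm in Get-VM) {
    $secureBoot = 'n/a'
    $template   = 'n/a'

    # Secure Boot settings only exist for generation 2 (UEFI) VMs.
    if ($vm.Generation -eq 2) {
        $fw = Get-VMFirmware -VMName $vm.Name
        $secureBoot = $fw.SecureBoot
        $template   = $fw.SecureBootTemplate
    }

    $sec    = Get-VMSecurity -VMName $vm.Name
    $nested = (Get-VMProcessor -VMName $vm.Name).ExposeVirtualizationExtensions

    # Collect deviations from the recommendations in the article.
    $findings = New-Object System.Collections.Generic.List[string]
    if ($vm.Generation -ne 2) {
        $findings.Add('generation 1: Secure Boot and vTPM not available')
    }
    else {
        if ("$secureBoot" -ne 'On') { $findings.Add('Secure Boot is off') }
        if (-not $sec.TpmEnabled)    { $findings.Add('no vTPM enabled') }
    }
    if ($nested -and ($NestedAllowList -notcontains $vm.Name)) {
        $findings.Add('nested virtualization exposed without approval')
    }

    [pscustomobject]@{
        VM         = $vm.Name
        State      = $vm.State
        Generation = $vm.Generation
        SecureBoot = $secureBoot
        Template   = $template
        TPM        = $sec.TpmEnabled
        Shielded   = $sec.Shielded
        Nested     = $nested
        Findings   = ($findings -join '; ')
    }
}

# Full table first, then only the VMs that need attention.
$report | Format-Table -AutoSize
$report | Where-Object { $_.Findings } | Select-Object VM, Findings
```

For a flagged Windows guest, Secure Boot is switched on while the VM is off with `Set-VMFirmware -VMName <name> -EnableSecureBoot On -SecureBootTemplate MicrosoftWindows`; for a Linux guest that supports generation 2, use the `MicrosoftUEFICertificateAuthority` template instead, which is the choice the "select the template" step in the VM properties refers to. Nested virtualization on a VM that is not on the allow list is removed with `Set-VMProcessor -VMName <name> -ExposeVirtualizationExtensions $false`.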