Virtualization Security
You need to look at your virtualization implementation as a system and not just focus on one part. We’ve covered some security basics, and now we’re going to go deeper and cover protecting your hosts, protecting the guests, and implementing security in the Hyper-V Manager and System Center Virtual Machine Manager.
Protecting the Host
To put it simply, if your host gets compromised, your VMs will be compromised. With that said, we need to take a look at how we go about protecting your host systems. A large part of protecting your host system is reducing the attack surface to which a malicious entity would have access.
Reducing the Attack Surface
When you are looking at reducing the attack surface, you should absolutely update your system with security patches once it is installed. At the time of this writing, there are 17 different Hyper-V updates available, and there will likely be one or two additional updates by the time you’re reading this. Microsoft has been gracious enough to create a comprehensive list of all of the Hyper-V updates.
Part of reducing the attack surface of your host system is also how you configure its hardware. When you create the host system, you will want to have a dedicated NIC for the parent partition and other NICs for guest traffic. You should consider placing the parent partition NIC on a separate, secure management network that has an Access Control List of who can be on that network. You may also want to consider using IPsec to encrypt your traffic, and two-factor authentication to further secure your host system.
The first thing you should consider when reducing the attack surface on your host systems is to implement Hyper-V on servers that are running as Server Core installations. To refresh your memory, Windows Server Core is a stripped-down, minimal installation of Windows Server. Aside from the fact that the operating system footprint is much smaller than that of a full version of Windows, one of the nice things about installing Server Core is that many of the services you may want to turn off are already disabled. This smaller footprint allows you to give fewer resources to the parent partition where Core will be installed, which leaves more resources available to the guest partitions. Another reason that we like Server Core is that it’s all command-line driven. Any command that you want to run in Core is completely scriptable, and automating the build and configuration of the Core installation is very straightforward.
Server Core was built to be a lightweight version of Windows that will only run a specific set of server roles:
- Active Directory Domain Services
- Active Directory Lightweight Domain Services
- DHCP server
- DNS server
- File services
- Media services
- Printer services
- Web services—limited IIS
- Hyper-V
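The host layout described under Reducing the Attack Surface (Server Core, a dedicated parent partition NIC, separate NICs for guest traffic) can be checked by script. The audit below is an added example, not code from the original text; it assumes Windows Server 2012 or later with the Hyper-V PowerShell module, and the NIC name 'Mgmt' and the 10.10.50.0/24 management subnet are constructed placeholders.

```powershell
# Added example: audit a Hyper-V host against the layout described above.
# Assumptions (not from the original text): Windows Server 2012 or later with
# the Hyper-V PowerShell module; the NIC name and subnet are constructed values.
$MgmtNicName = 'Mgmt'        # hypothetical name of the dedicated parent partition NIC
$MgmtPrefix  = '10.10.50.'   # constructed management subnet (10.10.50.0/24)

$findings = New-Object System.Collections.Generic.List[string]

# 1. Server Core: InstallationType reads 'Server Core' on a Core installation.
$cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
if ($cv.InstallationType -ne 'Server Core') {
    $findings.Add("Host is '$($cv.InstallationType)', not a Server Core installation")
}

# 2. External (guest-facing) switches must not share their NIC with the parent partition.
$switches = @(Get-VMSwitch -SwitchType External)
foreach ($sw in $switches) {
    if ($sw.AllowManagementOS) {
        $findings.Add("Switch '$($sw.Name)' is shared with the parent partition")
    }
}

# 3. The management NIC must exist and must not back any virtual switch.
$mgmt = Get-NetAdapter -Name $MgmtNicName -ErrorAction SilentlyContinue
if (-not $mgmt) {
    $findings.Add("Management NIC '$MgmtNicName' not found")
} elseif ($switches.NetAdapterInterfaceDescription -contains $mgmt.InterfaceDescription) {
    $findings.Add("Management NIC '$MgmtNicName' is bound to a virtual switch")
}

# 4. Every IPv4 address held by the parent partition should sit in the management subnet
#    (loopback and link-local addresses are ignored).
Get-NetIPAddress -AddressFamily IPv4 |
    Where-Object { $_.IPAddress -ne '127.0.0.1' -and $_.IPAddress -notlike '169.254.*' } |
    ForEach-Object {
        if (-not $_.IPAddress.StartsWith($MgmtPrefix)) {
            $findings.Add("Address $($_.IPAddress) on '$($_.InterfaceAlias)' is outside the management subnet")
        }
    }

# Report: one line per deviation, or a single PASS line.
if ($findings.Count -eq 0) { 'PASS: host matches the dedicated management NIC layout' }
else { $findings | ForEach-Object { "FINDING: $_" } }
```

Run it from an elevated session on the host; an internal virtual switch will surface under check 4 because it gives the parent partition an additional interface.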