July 30, 2014 at 16:0215 Hyper-V Security Principles
Security today is the most important thing for IT companies. Before introducing the new technology into the production environment, IT administrators must address the security issue and minimize the threat of attack. In the article, we will announce 15 key points, observing which you will be sure that your virtual environment is safe and working as it should.
For security reasons, it is recommended that you always install the Hyper-V role in the Server Core installation option instead of using the full version of the Windows operating system. The lack of a graphical interface in Server Core reduces the potential for attack. Hyper-V client management files are not installed, and this reduces the potential for file attacks. Using Server Core on a physical computer with Hyper-V provides three major security benefits:
Never change the default security settings for Hyper-V services. Alerts can cause Hyper-V to crash. Changing the security context used by Hyper-V can enable anyone to control the entire hypervisor.
There is no need to configure any other roles / services on the Hyper-V server. Installed server applications will listen on static ports. Always look at ports that are listening on the server, and block them if necessary.
Always check your default Hyper-V settings before launching it into production. By default, virtual server files will be stored locally. It is recommended that you always change the storage location to a more secure drive.
Because BitLocker is built into Windows, it is recommended to run it for those volumes where Hyper-V files and virtual servers are stored. BitLocker-based physical protection is present even when the server is turned off.
Data will be protected even if the drive is stolen. BitLocker protects data in the case of attackers using different OSs, as well as when using hacker software to gain access to the contents of the disk.
Note: Use BitLocker for Hyper-V only. Do not use it on virtual servers, as BitLocker is not supported on them.
Do not use the default local administrator account to manage virtual machines and the Hyper-V system. Instead, create a new Active Directory management group and delegate virtual machine management tasks to it using the Authorization Manager.
By installing an antivirus, you will always be sure that malicious actions will be intercepted at the Hyper-V server level. Also take care of the timely update of the antivirus.
Integration components support VMBUS and VSP / VSC, which provide a secure interface between virtual machines and the hypervisor. These components are updated with each new release of Hyper-V. You need to timely download the latest versions of components from the Microsoft website and update all virtual machines.
The Hyper-V server should only be used for Hyper-V tasks. Unnecessary applications on the server may interfere with Hyper-V processes, which may be unsafe.
Hyper-V and virtual server files must be protected. Since this data is stored in VHD files, anyone who has access to VHD files can mount it and gain access to the contents.
Do not use machines that do not carry any essential functions. If you start any of the servers, make sure they are disconnected from the Hyper-V switches that other servers are connected to. Anyone with access to unused servers can interfere with the production environment through the network or in some other way.
As soon as you start Hyper-V on a Windows server, the management server gives the firewall the rights necessary for Hyper-V communication. Make sure that no unnecessary rights are granted to the firewall.
A snapshot is an image of a virtual machine at a certain point in time, to which you can later return the machine. It is recommended that you store the snapshots and breakpoints that you create together with the associated .vhd files in a safe place.
Use the same enhanced OS template for all virtual machines to ensure the same level of security. Also make sure that the antivirus is working and that unnecessary components are disabled.
File system protection can prevent unauthorized access to VHD files. By enabling object access auditing, you can identify potentially malicious user actions.
Installing the Hyper-V Role in a Server Core Installation Option
For security reasons, it is recommended that you always install the Hyper-V role in the Server Core installation option instead of using the full version of the Windows operating system. The lack of a graphical interface in Server Core reduces the potential for attack. Hyper-V client management files are not installed, and this reduces the potential for file attacks. Using Server Core on a physical computer with Hyper-V provides three major security benefits:
- Opportunities for attacks in the managing operating system are minimized.
- Digital footprint reduced
- The system works better, fewer components require updating.
Hyper-V Services Login Permissions (Data)
Never change the default security settings for Hyper-V services. Alerts can cause Hyper-V to crash. Changing the security context used by Hyper-V can enable anyone to control the entire hypervisor.
Blocking Unnecessary Ports
There is no need to configure any other roles / services on the Hyper-V server. Installed server applications will listen on static ports. Always look at ports that are listening on the server, and block them if necessary.
Hyper-V default settings
Always check your default Hyper-V settings before launching it into production. By default, virtual server files will be stored locally. It is recommended that you always change the storage location to a more secure drive.
Using BitLocker encryption in the parent section.
Because BitLocker is built into Windows, it is recommended to run it for those volumes where Hyper-V files and virtual servers are stored. BitLocker-based physical protection is present even when the server is turned off.
Data will be protected even if the drive is stolen. BitLocker protects data in the case of attackers using different OSs, as well as when using hacker software to gain access to the contents of the disk.
Note: Use BitLocker for Hyper-V only. Do not use it on virtual servers, as BitLocker is not supported on them.
Do not use built-in administrator accounts
Do not use the default local administrator account to manage virtual machines and the Hyper-V system. Instead, create a new Active Directory management group and delegate virtual machine management tasks to it using the Authorization Manager.
Always put antivirus on the server
By installing an antivirus, you will always be sure that malicious actions will be intercepted at the Hyper-V server level. Also take care of the timely update of the antivirus.
Always install the latest integration component updates
Integration components support VMBUS and VSP / VSC, which provide a secure interface between virtual machines and the hypervisor. These components are updated with each new release of Hyper-V. You need to timely download the latest versions of components from the Microsoft website and update all virtual machines.
Do not install any applications in the parent section of Hyper-V
The Hyper-V server should only be used for Hyper-V tasks. Unnecessary applications on the server may interfere with Hyper-V processes, which may be unsafe.
Protect Hyper-V Files and Virtual Machine Files
Hyper-V and virtual server files must be protected. Since this data is stored in VHD files, anyone who has access to VHD files can mount it and gain access to the contents.
Turn off machines that are not in use
Do not use machines that do not carry any essential functions. If you start any of the servers, make sure they are disconnected from the Hyper-V switches that other servers are connected to. Anyone with access to unused servers can interfere with the production environment through the network or in some other way.
Always use a firewall and block unnecessary features
As soon as you start Hyper-V on a Windows server, the management server gives the firewall the rights necessary for Hyper-V communication. Make sure that no unnecessary rights are granted to the firewall.
Providing snapshots and control points
A snapshot is an image of a virtual machine at a certain point in time, to which you can later return the machine. It is recommended that you store the snapshots and breakpoints that you create together with the associated .vhd files in a safe place.
Strengthen virtual server OS
Use the same enhanced OS template for all virtual machines to ensure the same level of security. Also make sure that the antivirus is working and that unnecessary components are disabled.
Activate audit
File system protection can prevent unauthorized access to VHD files. By enabling object access auditing, you can identify potentially malicious user actions.