
Protecting virtual machines hosted in a data center

In the age of cloud technology, when each user has their own cloud for storing photos, and companies rent servers for cloud computing, the question arises about the confidentiality of stored information. And if users can manage to trust the cloud or use crypto containers to protect stored data, then things are worse for companies. Since not only the data warehouse is transferred to the clouds, but also the calculations themselves.
The protection of virtual machines is particularly affected, since in the event of a compromised host, it will not be difficult to gain access to the VM. Until recently, not one of the hypervisors, whether VMware, Xen, Hyper-V, provided any significant technologies for protecting VMs.
And if an attacker gains physical access to the server, then only disk encryption can save, and even then not in all cases. Of course, renting a server, a part of the protective measures is taken by the data center. But in this case, you must trust the data center administrators.
With the release of Windows Server 2016, Microsoft decided to pay more attention to host security and virtual infrastructure. Now you can isolate the VM from the Hyper-V host administrator. And using virtual TPM, it became possible to encrypt VM data using bitlocker.
Thus, using new technologies, it is possible to host virtual machines on unmonitored servers or in corporate data centers, but with an increased level of security, distinguishing between the roles of physical and virtual access.
Used technologies
Shielded VM is a technology that isolates a virtual machine from a host. Protects the VM from accidental or deliberate actions by the host administrator and from malicious software.
For the Shielded VM to work, a Host Guardian Service (HGS) server is required, which issues VM access keys and checks the health of the Hyper-V host.
HGS supports two types of certification:
- TPM-trusted certification - verification is based on the TPM identifier, OS boot sequence and code integrity policy. This way you can be sure that only approved code is running on the host.
- Admin-trusted certification - verification is based on membership in the Active Directory security group.
HGS Work Scheme

When the virtual machine starts up, the secure host is certified by the HGS server, which decides on the transfer of access keys to the virtual machine.
Admin-trusted certification should be used internally when it is necessary to isolate access to the VM from administrators.
It is better to use TPM-trusted certification when placing VMs on a leased server in order to isolate data and VMs from Data Center employees.
The HGS server and the secure host communicate via the http (https) protocol. HTTPS is not required to provide secure communications, but if you want to enable HTTPS, you will need an additional certificate. In the case of AD certification, you must additionally configure a one-way domain trust.
Virtual Secure Mode (VSM)- Virtualization-based technology that isolates security-critical operations in a mini OS.
Two other technologies work on VSM:
- Device Guard - checking UEFI firmware data and kernel mode drivers (code integrity control).
- Credential Guard - Isolation of the user authentication process (LSA).
How VSM works

The main OS runs in a virtual environment. And the hypervisor acts as the host OS, thereby limiting access to RAM. As a result, malware running on the host, even with administrator rights, will not be able to access the VSM memory. Also, such a structure should protect against attacks on DMA ports.
About Shielded VM
When ordering a Shielded VM, it is understood that the Hyper-V host and the HGS server are on the data center side (as organized in Microsoft Azure). In this case, you can create a shielded virtual machine yourself or using the provided template.
Creating a Shielded VM on its own, the customer deploys and configures the VM on his PC, and then encrypts with the key issued by the Data Center. After it transfers the VM to the Data Center.
In the second case, the customer creates only a PDK file that protects the VM created from the template. The PDK file associates the template file with the HGS server. But you need to make sure that there is no malware in the template.
The first method looks more secure, since the VM data file gets to the host in an encrypted form. In any case, access keys to the VM do not get to the administrators of the Data Center in the clear.
The only place prone to attacks was the HGS server. Because:
- An HGS administrator may lower security policy requirements.
- An attacker who has obtained administrative rights may try to obtain access keys.
- For HGS to work, AD is required and there is no requirement for the mandatory presence of TPM, therefore, the keys are most likely to be stored in the clear.
Based on this, the idea came up to test the possibility of the Shielded VM working under conditions when the HGS server is located in its infrastructure. This will further protect virtual machines. Also, this method can be used if the Data Center does not provide the Shielded VM service. The disadvantage of this approach is that you have to independently administer this structure.
There may be a question about replacing the HGS server with the administrator of the hypervisor - because for this you just need to specify a new address. Protection against this is implemented quite simply, the created VM is encrypted using the public key of the HGS server, so another HGS server will not be able to issue keys for its launch.
It is also worthwhile to understand that Shielded VM technology encrypts only virtual machine configuration files. VHDX file remains unencrypted. To encrypt it, you need to enable vTPM, and encrypt the drive with a bitlocker.
The combination of new technologies provides reliable protection:
- the human factor is eliminated;
- keys are transmitted in encrypted form;
- servers are protected by new technologies that provide code integrity checking;
- whitelist of allowed applications;
- isolating the VM from the host.
This all very well protects against malware targeting the Hyper-V host and provides access to the VM only to the owner, protecting against the actions of administrators or anyone who has gained administrative rights.
Hyper-V and HGS Server Requirements
Requirements are indicated for using TPM certification. AD certification is less demanding, but provides much less protection.
HGS:
- Windows Server 2016
Hyper-V:
- Windows Server 2016 Datacenter Edition
- UEFI Secure Boot
- TPM v2
- IOMMU (VT-d)
How to setup
For example, an option will be considered: you rented a dedicated server and want to secure it. TPM certification will be used. The connection between the host and HGS will be over the http protocol. If the HGS server does not have a white IP, it will be necessary to forward port 80 or use a reverse proxy.
Adding and configuring HGS roles on the server
HGS server installation and domain creation
Install-WindowsFeature -Name HostGuardianServiceRole -IncludeManagementTools -Restart
HGS requires a domain to work. It can be connected to an existing domain, but it is recommended that you create a separate domain to increase security. Before executing the following command, make sure that the computer is not connected to the domain.
$adminPassword = ConvertTo-SecureString -AsPlainText '' -Force
Install-HgsServer -HgsDomainName 'relecloud.com' -SafeModeAdministratorPassword $adminPassword -Restart

Create Self-Signed Certificates
Self-signed certificates were created for the test, but PKI is better for a real environment.
$certificatePassword = ConvertTo-SecureString -AsPlainText '' -Force
$signingCert = New-SelfSignedCertificate -DnsName "signing.relecloud.com"
Export-PfxCertificate -Cert $signingCert -Password $certificatePassword -FilePath 'C:\signingCert.pfx'
$encryptionCert = New-SelfSignedCertificate -DnsName "encryption.relecloud.com"
Export-PfxCertificate -Cert $encryptionCert -Password $certificatePassword -FilePath 'C:\encryptionCert.pfx'


HGS server initialization
Specify encryption and signature certificates. We choose a certification method.
$certificatePassword = ConvertTo-SecureString -AsPlainText '' -Force
Initialize-HgsServer -HgsServiceName '' -SigningCertificatePath 'C:\signingCert.pfx' -SigningCertificatePassword $certificatePassword -EncryptionCertificatePath 'C:\encryptionCert.pfx' -EncryptionCertificatePassword $certificatePassword [-TrustActiveDirectory | -TrustTPM]


Adding a Hyper-V Guarded Host
Get the TPM ID
This procedure must be performed for each protected host.
(Get-PlatformIdentifier -Name '').InnerXml | Out-file .xml -Encoding UTF8

Add the resulting file to the HGS server
Add-HgsAttestationTpmHost -Path .xml -Name -Force

We create and apply Code Integrity Policy
When creating a policy, all installed programs are scanned and added to the white list. Before creating a policy, you need to make sure that the system:
- No viruses or malware
- The software necessary for the operation is installed and it is reliable
It is recommended that you first verify that the policy is in audit mode. In this case, the executable file prohibited by the policy will be displayed in the log.
Scanning will take some time.
New-CIPolicy -Level FilePublisher -Fallback Hash -FilePath 'C:\temp\HW1CodeIntegrity.xml' -UserPEs
ConvertFrom-CIPolicy -XmlFilePath 'C:\temp\HW1CodeIntegrity.xml' -BinaryFilePath 'C:\temp\HW1CodeIntegrity.p7b'


The .p7b file must be renamed to SIPolicy.p7b and copied to the folder C: \ Windows \ System32 \ CodeIntegrity \ SIPolicy.p7b We
restart the computer and check the system under the planned typical load. After a successful check of the system, disable audit mode
Set-RuleOption -FilePath 'C:\temp\HW1CodeIntegrity.xml' -Option 3 -Delete
ConvertFrom-CIPolicy -XmlFilePath 'C:\temp\HW1CodeIntegrity.xml' -BinaryFilePath 'C:\temp\HW1CodeIntegrity_enforced.p7b'
Copy-Item -Path '' -Destination 'C:\Windows\System32\CodeIntegrity\SIPolicy.p7b'
Restart-Computer
If several identical hosts are protected, a policy can be created only once.
It is recommended that you leave the original XML file so that you do not need to re-scan if you need to change a policy.
When the policy is enabled, you must be careful when updating or adding kernel-mode drivers, as this can prevent the system from booting.
Register the policy on the HGS server
Add-HgsAttestationCIPolicy -Path -Name ''

Creating TPM baseline policies
This policy is based on the PCR registers (Platform Configuration Registers) located in the TPM module. They store the integrity of the system metrics, from the BIOS boot to the system shutdown. If the boot order is changed, for example, by a rootkit, it will be displayed in the PCR registers.
A policy is created for a class of identical hardware hosts. Before creating it, you must have installed Hyper-V.
Install-WindowsFeature Hyper-V, HostGuardian -IncludeManagementTools -Restart
Get-HgsAttestationBaselinePolicy -Path 'HWConfig1.tcglog'
For this command, you must enable Secure Boot, IOMMU (VT-d), Virtualization Based Security.
You can use the -SkipValidation flag which allows the command to execute, but it will not fix the error.

Add TCGlog file to HGS server
Add-HgsAttestationTpmPolicy -Path .tcglog -Name ''

Check the status of the HGS server
At this point, the configuration of the HGS server ends. To verify the work performed, we will carry out a diagnosis.
Get-HgsTrace -RunDiagnostics


Connect the Hyper-V host to the HGS server
To connect the protected host to the HGS server, just specify the server URL.
Set-HgsClientConfiguration -AttestationServerUrl 'http:///Attestation' -KeyProtectionServerUrl 'http:///KeyProtection'

When configured correctly, it should be:
- IsHostGuarded: true
- AttestationStatus: passed
If something is not configured correctly, the reason will be indicated in the AttestationStatus.
Creating a Shielded Virtual Machine
We get the HGS server description file, which is needed to bind the VM to the server.
Invoke-WebRequest http://<"HGSServer">FQDN>/KeyProtection/service/metadata/2014-07/metadata.xml -OutFile C:\HGSGuardian.xml

You need to create VMs on a separate machine running Windows Server 2016 that is not configured to use HGS.
We create a new second-generation VM, install the OS on it, configure RDP and check its performance, encrypt it with a bitlocker.

VM Shielding
Set VM name
$VMName = 'SVM'
Turn off the VM
Stop-VM –VMName $VMName
Create a certificate of ownership
$Owner = New-HgsGuardian –Name 'Owner' –GenerateCertificates
Import a server certificate
$Guardian = Import-HgsGuardian -Path 'C:\HGSGuardian.xml' -Name 'TestFabric' –AllowUntrustedRoot
Create Key Protector
$KP = New-HgsKeyProtector -Owner $Owner -Guardian $Guardian -AllowUntrustedRoot
Turn on shielding
Set-VMKeyProtector –VMName $VMName –KeyProtector $KP.RawData
Set-VMSecurityPolicy -VMName $VMName -Shielded $true
Enable vTPM in the virtual machine
Enable-VMTPM -VMName $VMName

After configuring and enabling protection in the VM, it must be moved to the protected host. To do this, export the machine, transfer the received files to the host, and import it into the Hyper-V console.
At this stage, the configuration is completed, the VM is shielded.
Checking the operation of Shielded VM
When you try to connect to the VM through the Hyper-V console, we will see the message:

Also in the VM settings we will see a warning about the inability to change the protection settings:

The virtual machine partition is protected by BitLocker:

Thus, the Shielded VM was configured, which provides a higher level of protection for virtual machines. If you have any questions, welcome to comment.
More articles on Servilon