Hyper-V provides some new security features for virtual machines running on Windows Server 2012 hosts. Users should review these settings and use the new security features to further harden their virtualized environment.
DHCP guard and router advertisement traffic: Enabling the Dynamic Host Configuration Protocol guard will drop the DHCP messages that originate from a virtual machine (VM) running a DHCP server. This is useful in an environment that needs to provide local administrator credentials to the team managing the applications or operating system running inside the VM. A local administrator can always configure the DHCP server and other services in Windows Server guests. Once a DHCP server is configured in a VM, it starts offering IP addresses to DHCP clients. Starting with the Windows Server 2012 Hyper-V host, you can configure the virtual network adapter of a VM to drop DHCP packets. The DHCP guard can be turned on from the property page of the VM or with a PowerShell command.
As with the DHCP guard, you can also prevent a VM from acting as a router. Once the Router Guard feature is enabled, Hyper-V drops all router packets generated by the Routing and Remote Access Service (RRAS) or by similar routing software running in the VM. A quick way to turn the Router Guard and the DHCP guard on for all VMs is to use the following PowerShell commands:
- Get-VM | Get-VMNetworkAdapter | Set-VMNetworkAdapter -DHCPGuard ON
- Get-VM | Get-VMNetworkAdapter | Set-VMNetworkAdapter -RouterGuard ON
In the above commands, the Get-VM cmdlet gets all the VMs running on the local Hyper-V server, Get-VMNetworkAdapter obtains all the virtual network adapters associated with those VMs, and Set-VMNetworkAdapter then turns both the DHCP guard and the Router Guard on for all VMs.
Enable or disable MAC address spoofing: As you may know, MAC addresses are automatically assigned to VMs. The assigned MAC address is listed in the outgoing network packets when network applications running inside the VMs communicate with remote machines. Enabling MAC address spoofing allows VMs to change their source MAC address for outgoing network packets. Enabling MAC address spoofing is particularly useful when a VM is part of a Network Load Balancing (NLB) cluster. You should enable MAC address spoofing for all VMs participating in an NLB cluster. To enable MAC address spoofing for a specific VM, use the following command:
- Set-VMNetworkAdapter -VMName NLBVM1 -MacAddressSpoofing ON
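The blanket commands above also apply the guards to any VM that is meant to serve DHCP or route traffic, so the following added example (not from the original article) goes a step further: it audits the current state per adapter and enables the guards everywhere except on listed exceptions, and it reports MAC address spoofing that is enabled outside the NLB cluster. The VM names DHCP01 and RRAS01 and the function name Get-GuardReport are hypothetical; NLBVM1 is the name used in the article.

```powershell
# Added example: audit and harden guard settings on the local Hyper-V host.
# Assumption: the VM names in these lists are hypothetical placeholders.
$DhcpServerVMs = @('DHCP01')   # VMs that legitimately run a DHCP server
$RouterVMs     = @('RRAS01')   # VMs that legitimately route traffic
$NlbVMs        = @('NLBVM1')   # NLB cluster members that need MAC spoofing

Import-Module Hyper-V

function Get-GuardReport {
    # One row per virtual network adapter with its current guard state.
    Get-VM | Get-VMNetworkAdapter | ForEach-Object {
        [pscustomobject]@{
            VMName             = $_.VMName
            Adapter            = $_.Name
            DhcpGuard          = $_.DhcpGuard
            RouterGuard        = $_.RouterGuard
            MacAddressSpoofing = $_.MacAddressSpoofing
        }
    }
}

# Record the state before any change.
Get-GuardReport | Format-Table -AutoSize

foreach ($nic in (Get-VM | Get-VMNetworkAdapter)) {
    # Enable DHCP guard unless the VM is an approved DHCP server.
    if ($nic.VMName -notin $DhcpServerVMs -and $nic.DhcpGuard -ne 'On') {
        $nic | Set-VMNetworkAdapter -DhcpGuard On -WhatIf
    }
    # Enable Router Guard unless the VM is an approved router.
    if ($nic.VMName -notin $RouterVMs -and $nic.RouterGuard -ne 'On') {
        $nic | Set-VMNetworkAdapter -RouterGuard On -WhatIf
    }
    # Report only: spoofing enabled on a VM that is not an NLB member.
    if ($nic.VMName -notin $NlbVMs -and $nic.MacAddressSpoofing -eq 'On') {
        Write-Warning "MAC spoofing is On for $($nic.VMName) / $($nic.Name)"
    }
}
```

The -WhatIf switch makes the script print the changes it would make without applying them; remove it once the exception lists match your environment.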
Windows Server 2012 R2 now supports a new VM format called Generation 2 VMs. Among other advantages, this new format enables Secure Boot by default.