What are the most important features and tactics used for virtual server security?
Today's hypervisors include more features designed to secure the system and its virtual machines. For example, software acceptance features prevent unsigned software from taking up residence on the system, while integrated firewalls eliminate the need for IP tables and use rules to define port access for every service. Enhanced logging and auditing features track activities on the system and prevent malicious activities from being hidden or erased. In addition, Active Directory integration helps to authenticate users trying to access the virtualized servers.
Further reading on hypervisor features and virtual server security
New disaster recovery features in hypervisors
Storage features in VMware vSphere
Hyper-V vs. vSphere memory features
Hypervisor security features, however, provide little benefit unless you deploy and configure them with the proper security guidelines. When you install a hypervisor-OS combination such as Windows Server 2012 and Hyper-V, use a Server Core installation or install only that system's essential roles, which minimizes the OS footprint and attack surface. In addition, never run applications -- even seemingly innocuous applications such as DNS servers -- on the Hyper-V server. You should run all virtual server workloads as VMs. If you must install administrator consoles or other management tools, always use strong, confidential logon credentials.
When you configure virtual server management, use a dedicated network adapter as opposed to sharing management traffic on the general LAN. This configuration is particularly important when working with dedicated management modules, such as HP iLO or Dell DRAC. By keeping management traffic on its own internal LAN and away from WANs such as the Internet, you reduce the chance that hackers will take control of the servers. If separate IT staff manage VMs and servers, do not allow VM admins to access the server management tools. This least-privilege consideration limits the number of personnel that can affect system management.
VMs may spend considerable time in a test and development environment before they are considered ready for production, but they can easily miss critical patches and updates during the development period. Always update the OS in any VM before deploying that VM on a production server. You can also enhance security by using encryption tools tied to the server's physical trusted platform module, which encrypts data on the server's local disk drives and prevents data leakage from disk theft.
This was first published in July 2013