Hyper-V provides some new security features for virtual machines running on Windows Server 2012 hosts. Users should review these settings and use the new security features to further harden their virtualized environment.
DHCP guard and router advertisement traffic: Enabling the Dynamic Host Configuration Protocol (DHCP) guard drops the DHCP messages that originate from a virtual machine (VM) running a DHCP server. This is useful in an environment that has to hand local administrator credentials to the team managing the applications or operating system running inside the VM. A local administrator can always configure the DHCP server role and other services in a Windows Server guest, and once a DHCP server is configured in a VM it starts offering IP addresses to DHCP clients on that network. Starting with Windows Server 2012 Hyper-V hosts, you can configure the virtual network adapter of a VM so that the host drops those DHCP server packets. The DHCP guard can be turned on from the property page of the VM, or you can use PowerShell. In the same way, you can also prevent a VM from acting as a router. Once the Router Guard feature is enabled, Hyper-V drops all router packets generated by the Routing and Remote Access Service (RRAS), or by similar routing software running in the VM. A quick way to turn Router Guard and DHCP guard on for all VMs is to use the following PowerShell commands:
- Get-VM | Get-VMNetworkAdapter | Set-VMNetworkAdapter -DhcpGuard On
- Get-VM | Get-VMNetworkAdapter | Set-VMNetworkAdapter -RouterGuard On
In the above commands, the Get-VM cmdlet gets all the VMs on the local Hyper-V server, Get-VMNetworkAdapter obtains all the virtual network adapters associated with those VMs, and Set-VMNetworkAdapter then turns DHCP guard and Router Guard on for every adapter in the pipeline.
Enable or disable MAC address spoofing: As you may know, MAC addresses are automatically assigned to VMs. The assigned MAC address is used as the source address in outgoing network packets when network applications running inside the VM communicate with remote machines. Enabling MAC address spoofing allows a VM to change the source MAC address of its outgoing network packets. This is particularly useful when a VM is part of a Network Load Balancing (NLB) cluster, so you should enable MAC address spoofing for all VMs participating in an NLB cluster, and leave it disabled for VMs that have no such need. To enable MAC address spoofing for a specific VM, use the following command:
- Set-VMNetworkAdapter -VMName NLBVM1 -MacAddressSpoofing On
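The following is an added example, not code from the original article: it audits every virtual network adapter on the local Hyper-V host against the baseline described above (DHCP guard on, Router Guard on, MAC address spoofing only on NLB members) and previews the guard remediation. It assumes the Hyper-V PowerShell module with administrator rights; the function name and the NLB VM name list are constructed for the example.

```powershell
# Audit Hyper-V virtual network adapters for weak guard settings.
# Assumes the Hyper-V module is installed and the session can manage the host.

function Get-VMNetworkAdapterGuardFindings {
    param(
        # Constructed placeholder: VMs that legitimately need MAC spoofing (NLB members)
        [string[]]$NlbVMNames = @('NLBVM1', 'NLBVM2')
    )
    Get-VM | Get-VMNetworkAdapter | ForEach-Object {
        $adapter = $_
        $issues  = @()
        # DhcpGuard / RouterGuard / MacAddressSpoofing are On/Off properties of the adapter
        if ($adapter.DhcpGuard -ne 'On')   { $issues += 'DHCP guard off' }
        if ($adapter.RouterGuard -ne 'On') { $issues += 'Router Guard off' }
        if ($adapter.MacAddressSpoofing -eq 'On' -and
            $NlbVMNames -notcontains $adapter.VMName) {
            $issues += 'MAC spoofing on for a non-NLB VM'
        }
        if ($issues.Count -gt 0) {
            [pscustomobject]@{
                VMName  = $adapter.VMName
                Adapter = $adapter.Name
                Switch  = $adapter.SwitchName
                Issues  = ($issues -join '; ')
            }
        }
    }
}

# Report first ...
$findings = Get-VMNetworkAdapterGuardFindings
$findings | Format-Table -AutoSize

# ... then remediate only the guard settings; -WhatIf previews the change
# without applying it. MAC spoofing findings are left for manual review.
$findings | Where-Object { $_.Issues -match 'guard' } | ForEach-Object {
    Get-VMNetworkAdapter -VMName $_.VMName -Name $_.Adapter |
        Set-VMNetworkAdapter -DhcpGuard On -RouterGuard On -WhatIf
}
```

Remove -WhatIf once the preview shows only the adapters you intend to change.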
Windows Server 2012 R2 now supports a new VM format called Generation 2 VMs. Among other advantages, this new format enables Secure Boot by default.
Related Q&A from Nirmal Sharma