Hyper-V provides some new security features for virtual machines running on Windows Server 2012 hosts. Users should review these settings and use the new security features to further harden their virtualized environment.
DHCP guard and router advertisement traffic: Enabling the Dynamic Host Configuration Protocol (DHCP) guard will drop the DHCP messages that originate from a virtual machine (VM) running a DHCP server. This is useful in an environment that needs to provide local administrator credentials to the team managing the applications or operating system running inside the VM. A local administrator can always configure a DHCP server and other services in Windows Server guests, and once a DHCP server is configured in a VM, it starts offering IP addresses to DHCP clients. Starting with Windows Server 2012 Hyper-V hosts, you can configure the virtual network adapter of a VM to drop DHCP packets. The DHCP guard can be turned on from the property page of the VM or with a PowerShell command. As with the DHCP guard, you can also prevent a VM from acting as a router. Once the Router Guard feature is enabled, Hyper-V drops all router packets generated by the Routing and Remote Access Service (RRAS) or by similar routing software running in the VM. A quick way to turn the Router Guard and the DHCP Guard on for all VMs is to use the following PowerShell commands:
- Get-VM | Get-VMNetworkAdapter | Set-VMNetworkAdapter -DhcpGuard On
- Get-VM | Get-VMNetworkAdapter | Set-VMNetworkAdapter -RouterGuard On
In the above commands, the Get-VM PowerShell cmdlet gets all the VMs on the local Hyper-V server, and Get-VMNetworkAdapter obtains all the virtual network adapters associated with those VMs; Set-VMNetworkAdapter is then used to turn both DHCP Guard and Router Guard on for every adapter.
Enable or disable MAC address spoofing: As you may know, MAC addresses are automatically assigned to VMs. The assigned MAC address is listed in the outgoing network packets when network applications running inside the VMs communicate with remote machines. Enabling MAC address spoofing allows VMs to change their source MAC address for outgoing network packets. Enabling MAC address spoofing is particularly useful when a VM is part of a Network Load Balancing (NLB) cluster. You should enable MAC address spoofing for all VMs participating in an NLB cluster. To enable MAC address spoofing for a specific VM, use the following command:
- Set-VMNetworkAdapter -VMName NLBVM1 -MacAddressSpoofing On
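The blanket commands above also turn the guards on for VMs that are meant to run DHCP or routing, and they leave MAC address spoofing unchecked. The following script is an added example, not part of the original article: it reports each adapter's DHCP Guard, Router Guard and MAC address spoofing state against a desired state and applies it only when run with -Enforce. The VM names DHCP01 and RRAS01, the exception lists, and the policy of keeping spoofing off outside NLB clusters are assumptions.

```powershell
# Added example: audit (and optionally enforce) per-adapter guard settings.
# The VM names in the exception lists are hypothetical placeholders.
param(
    [string[]]$DhcpServerVMs = @('DHCP01'),   # VMs allowed to answer DHCP (assumed)
    [string[]]$RouterVMs     = @('RRAS01'),   # VMs allowed to route (assumed)
    [string[]]$NlbVMs        = @('NLBVM1'),   # NLB members that need MAC spoofing
    [switch]$Enforce                          # without this switch, report only
)

$report = foreach ($nic in (Get-VM | Get-VMNetworkAdapter)) {
    # Desired state: guards On and spoofing Off unless the VM is a listed exception
    $want = @{
        DhcpGuard          = $(if ($DhcpServerVMs -contains $nic.VMName) { 'Off' } else { 'On' })
        RouterGuard        = $(if ($RouterVMs -contains $nic.VMName) { 'Off' } else { 'On' })
        MacAddressSpoofing = $(if ($NlbVMs -contains $nic.VMName) { 'On' } else { 'Off' })
    }

    # Settings whose current value differs from the desired one
    $drift = @($want.Keys | Where-Object { [string]$nic.$_ -ne $want[$_] } | Sort-Object)

    $fixed = $false
    if ($Enforce -and $drift.Count -gt 0) {
        # Splat the full desired state onto this one adapter
        $nic | Set-VMNetworkAdapter @want
        $fixed = $true
    }

    # One row per virtual network adapter, showing the state found before any change
    [pscustomobject]@{
        VMName             = $nic.VMName
        Adapter            = $nic.Name
        Switch             = $nic.SwitchName
        DhcpGuard          = $nic.DhcpGuard
        RouterGuard        = $nic.RouterGuard
        MacAddressSpoofing = $nic.MacAddressSpoofing
        Drift              = $drift -join ','
        Fixed              = $fixed
    }
}

# Adapters that do not match the desired state are listed first
$report | Sort-Object @{ Expression = { $_.Drift -eq '' } }, VMName, Adapter
```

Run it from an elevated PowerShell session on the Hyper-V host; rows with a non-empty Drift column are the adapters that deviate from the desired state.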
Windows Server 2012 R2 now supports a new VM format called Generation 2 VMs. Among other advantages, this new format enables Secure Boot by default.