
What are the new security features for VMs in Hyper-V hosts?

Security will be a hot topic this year. Here are some new security features for Hyper-V virtual machines to keep your environment safe.

Hyper-V provides some new security features for virtual machines running on Windows Server 2012 hosts. Users should review these settings and use the new security features to further harden their virtualized environment.

DHCP Guard and router advertisement traffic: Enabling the Dynamic Host Configuration Protocol (DHCP) guard drops DHCP server messages that originate from a virtual machine (VM) running a DHCP server. This is useful in an environment where local administrator credentials have to be given to the team managing the applications or operating system inside the VM: a local administrator can always configure the DHCP server role and other services in a Windows Server guest, and once a DHCP server is running in a VM it starts offering IP addresses to DHCP clients on the network. Starting with the Windows Server 2012 Hyper-V host, you can configure the virtual network adapter of a VM to drop those DHCP server packets. DHCP Guard can be turned on from the property page of the VM or with a PowerShell command. In the same way, you can also stop a VM from acting as a router. Once the Router Guard feature is enabled, Hyper-V drops all router packets generated by the Routing and Remote Access Service (RRAS) or by similar routing software running in the VM. A quick way to turn Router Guard and DHCP Guard on for all VMs is to use the following PowerShell commands:

  • Get-VM | Get-VMNetworkAdapter | Set-VMNetworkAdapter -DhcpGuard On
  • Get-VM | Get-VMNetworkAdapter | Set-VMNetworkAdapter -RouterGuard On

In the above commands, the Get-VM cmdlet gets all the VMs on the local Hyper-V host, Get-VMNetworkAdapter obtains all the virtual network adapters associated with those VMs, and Set-VMNetworkAdapter then turns DHCP Guard and Router Guard on for every adapter, and therefore for all VMs.

Enable or disable MAC address spoofing: As you may know, MAC addresses are automatically assigned to VMs. The assigned MAC address appears as the source address in the outgoing network packets when applications running inside the VM communicate with remote machines. Enabling MAC address spoofing allows a VM to change the source MAC address of its outgoing network packets. This is particularly useful when a VM is part of a Network Load Balancing (NLB) cluster, so you should enable MAC address spoofing for all VMs participating in an NLB cluster (and leave it off elsewhere). To enable MAC address spoofing for a specific VM, use the following command:

  • Set-VMNetworkAdapter -VMName NLBVM1 -MacAddressSpoofing On
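As an added example that is not part of the original article, the following PowerShell function audits the three adapter settings discussed above (DHCP Guard, Router Guard and MAC address spoofing) across every VM on the host and can optionally enforce them, treating spoofing as acceptable only on the named NLB members. It assumes the Hyper-V PowerShell module is available and runs with Hyper-V administrator rights; the function name and the VM name NLBVM2 are hypothetical.

```powershell
# Added example, not from the original article. It assumes the Hyper-V
# PowerShell module is installed and the session runs as a Hyper-V
# administrator; the NLB VM names are hypothetical.
function Test-VMNetworkAdapterHardening {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # VMs that legitimately need MAC address spoofing (NLB cluster members).
        [string[]]$NlbVMName = @(),
        # Apply the expected settings instead of only reporting drift.
        [switch]$Enforce
    )

    foreach ($adapter in (Get-VM | Get-VMNetworkAdapter)) {
        $isNlb = $NlbVMName -contains $adapter.VMName
        $spoofing = if ($isNlb) { 'On' } else { 'Off' }
        # Expected state: guards on everywhere, spoofing only where NLB needs it.
        $expected = @{
            DhcpGuard          = 'On'
            RouterGuard        = 'On'
            MacAddressSpoofing = $spoofing
        }

        foreach ($setting in $expected.Keys) {
            $actual = [string]$adapter.$setting
            if ($actual -eq $expected[$setting]) { continue }

            # Emit one drift record per adapter/setting for the report.
            [pscustomobject]@{
                VMName   = $adapter.VMName
                Adapter  = $adapter.Name
                Setting  = $setting
                Actual   = $actual
                Expected = $expected[$setting]
            }

            $target = "$($adapter.VMName) / $($adapter.Name)"
            if ($Enforce -and $PSCmdlet.ShouldProcess($target, "Set $setting $($expected[$setting])")) {
                # Splat so the same code path sets whichever parameter drifted.
                $fix = @{ $setting = $expected[$setting] }
                $adapter | Set-VMNetworkAdapter @fix
            }
        }
    }
}

# Report drift only:
Test-VMNetworkAdapterHardening -NlbVMName 'NLBVM1', 'NLBVM2'
# Preview the fixes, then run again without -WhatIf to apply them:
Test-VMNetworkAdapterHardening -NlbVMName 'NLBVM1', 'NLBVM2' -Enforce -WhatIf
```

Running the report on a schedule gives you an early warning when a guest administrator or a template change leaves an adapter without its guards or with spoofing enabled outside the NLB cluster.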

Windows Server 2012 R2 now supports a new VM format called Generation 2 VMs. Among other advantages, this new format enables Secure Boot by default.
