You can't maintain Hyper-V security using a single product or setting; instead, you should simplify your deployment...
and carefully consider your settings and hardening practices.
Hyper-V security starts with host OS security. Most administrators simplify the production system by deploying only the minimum Windows Server installation, roles and software necessary for the server to perform the required tasks.
This kind of simplification reduces the potential points of attack. You should also aggressively update the OS, drivers and system firmware with any security-related patches. Tools such as Microsoft's Security Compliance Toolkit can help you meet established baselines for secure system and Hyper-V configurations.
Remote management is generally better than local, hands-on management. If you prevent local management, you can keep personnel out of the physical data center and away from actual systems.
Remote management tools offer copious logging and authentication features that can help guard against unauthorized configuration changes, software installations and other possibly malicious actions. Physical servers and storage, such as disk arrays, are typically behind locked racks or cabinets in the data center to prevent physical tampering.
Be careful when you assign credentials for system management, Hyper-V administration and host OS management. It isn't safe to entrust a single individual with all of these responsibilities because he or she can only offer limited oversight and review.
Boost Hyper-V security using network and encryption policies
A secure network can also enhance Hyper-V host security. For example, a separate network -- with a separate network adapter -- for system management, VM configuration, live migration traffic and VM file access can guard the host against attacks from the public network. For added security, you can employ encryption such as IPsec over the management network to guard system and management traffic on the fly.
In addition, you should add encryption to storage resources. For example, you might use server message block (SMB) 3.0 to encrypt SMB data or add BitLocker Drive Encryption to protect other storage resources. You can also combine encryption with virtual private networks when you access storage resources related to the Hyper-V host.
Finally, employ guarded fabric to run hosts and guest VMs on trusted systems that have passed either software attestation via Active Directory or hardware attestation that uses system hardware with Unified Extensible Firmware Interface Secure Boot and a Trusted Platform Module 2.0 chip. Guarded fabric ensures that the underlying hardware is known and trustworthy before you load and operate a VM.
Dig Deeper on Microsoft Hyper-V and Virtual Server
Related Q&A from Stephen J. Bigelow
Containers have rapidly come into focus as a popular option for deploying applications, but they have limitations and are fundamentally different ... Continue Reading
Senior technology editor Stephen Bigelow breaks down how AWS Storage Gateway can trip up users' hybrid cloud strategies. Beware these issues with ... Continue Reading
There is a small list of enterprise-class deployments and integrations known to run on VMware Cloud on AWS, but not all complex workloads are suited ... Continue Reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.