You can't maintain Hyper-V security using a single product or setting; instead, you should simplify your deployment and carefully consider your settings and hardening practices.
Hyper-V security starts with host OS security. Most administrators simplify the production system by deploying only the minimum Windows Server installation, roles and software necessary for the server to perform the required tasks.
This kind of simplification reduces the potential points of attack. You should also aggressively update the OS, drivers and system firmware with any security-related patches. Tools such as Microsoft's Security Compliance Toolkit can help you meet established baselines for secure system and Hyper-V configurations.
Remote management is generally better than local, hands-on management. If you prevent local management, you can keep personnel out of the physical data center and away from actual systems.
Remote management tools offer copious logging and authentication features that can help guard against unauthorized configuration changes, software installations and other possibly malicious actions. Physical servers and storage, such as disk arrays, are typically behind locked racks or cabinets in the data center to prevent physical tampering.
Be careful when you assign credentials for system management, Hyper-V administration and host OS management. It isn't safe to entrust a single individual with all of these responsibilities, because one person can provide only limited oversight and review of his or her own actions.
Boost Hyper-V security using network and encryption policies
A secure network can also enhance Hyper-V host security. For example, a separate network -- with a separate network adapter -- for system management, VM configuration, live migration traffic and VM file access can guard the host against attacks from the public network. For added security, you can employ encryption such as IPsec over the management network to protect system and management traffic in transit.
In addition, you should add encryption to storage resources. For example, you might use Server Message Block (SMB) 3.0 encryption to protect SMB traffic, or BitLocker Drive Encryption to protect other storage resources. You can also combine encryption with virtual private networks when you access storage resources related to the Hyper-V host.
Finally, employ guarded fabric to run hosts and guest VMs on trusted systems that have passed either software attestation via Active Directory or hardware attestation that uses system hardware with Unified Extensible Firmware Interface Secure Boot and a Trusted Platform Module 2.0 chip. Guarded fabric ensures that the underlying hardware is known and trustworthy before you load and operate a VM.
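As an added example that is not part of the original article, the following PowerShell script audits a Hyper-V host against the controls described above (minimal installation, dedicated management adapter, SMB encryption, BitLocker on VM volumes, UEFI Secure Boot and TPM 2.0, and guarded-host status). It assumes an elevated session on the host with the Hyper-V, SmbShare and BitLocker modules installed; the guarded-host check is marked for review when the Host Guardian client cmdlets are absent.

```powershell
# Added example (not from the original article): read-only audit of a Hyper-V host against
# the hardening points in the article. Run in an elevated PowerShell session on the host.
# Assumption: Hyper-V, SmbShare and BitLocker modules are present.

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding {
    param([string]$Control, [bool]$Pass, [string]$Detail)
    $status = if ($Pass) { 'PASS' } else { 'REVIEW' }
    $findings.Add([pscustomobject]@{ Control = $Control; Status = $status; Detail = $Detail })
}

# 1. Minimal installation: Server Core exposes fewer components than Desktop Experience.
$installType = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').InstallationType
Add-Finding 'Minimal OS install' ($installType -eq 'Server Core') "InstallationType = $installType"

# 2. Dedicated management network: an external switch with AllowManagementOS puts
#    host management traffic on the same adapter as VM traffic.
$shared = @(Get-VMSwitch | Where-Object { $_.SwitchType -eq 'External' -and $_.AllowManagementOS })
$sharedNames = if ($shared.Count) { $shared.Name -join ', ' } else { 'none' }
Add-Finding 'Dedicated management adapter' ($shared.Count -eq 0) "Switches shared with management OS: $sharedNames"

# 3. SMB 3.0 encryption for VM file and storage traffic, with no fallback to clear text.
$smb = Get-SmbServerConfiguration
Add-Finding 'SMB encryption' ($smb.EncryptData -and $smb.RejectUnencryptedAccess) `
    "EncryptData=$($smb.EncryptData); RejectUnencryptedAccess=$($smb.RejectUnencryptedAccess)"

# 4. BitLocker on the volumes that hold VM configuration files and virtual hard disks.
$vmHost = Get-VMHost
$drives = @($vmHost.VirtualHardDiskPath, $vmHost.VirtualMachinePath) | ForEach-Object { Split-Path $_ -Qualifier } | Sort-Object -Unique
foreach ($drive in $drives) {
    $bl = Get-BitLockerVolume -MountPoint $drive -ErrorAction SilentlyContinue
    Add-Finding "BitLocker on $drive" ($null -ne $bl -and $bl.ProtectionStatus -eq 'On') "ProtectionStatus = $($bl.ProtectionStatus)"
}

# 5. Hardware attestation prerequisites: UEFI Secure Boot and a TPM 2.0.
try { $secureBoot = [bool](Confirm-SecureBootUEFI) } catch { $secureBoot = $false }   # throws on legacy BIOS
Add-Finding 'UEFI Secure Boot' $secureBoot "Confirm-SecureBootUEFI = $secureBoot"
$tpm = Get-CimInstance -Namespace root/cimv2/Security/MicrosoftTpm -ClassName Win32_Tpm -ErrorAction SilentlyContinue
Add-Finding 'TPM 2.0 present' ($null -ne $tpm -and $tpm.SpecVersion -like '2.0*') "SpecVersion = $($tpm.SpecVersion)"

# 6. Guarded host status (meaningful once the host is enrolled with a Host Guardian Service).
if (Get-Command Get-HgsClientConfiguration -ErrorAction SilentlyContinue) {
    $hgs = Get-HgsClientConfiguration
    Add-Finding 'Guarded host' ([bool]$hgs.IsHostGuarded) "Mode=$($hgs.Mode); AttestationStatus=$($hgs.AttestationStatus)"
} else {
    Add-Finding 'Guarded host' $false 'Host Guardian client cmdlets not installed'
}

$findings | Format-Table -AutoSize
```

Each REVIEW row points at one of the article's controls that is not yet in place; the script changes nothing, so it can be run on a production host before and after hardening.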