Q
Get started Bring yourself up to speed with our introductory content.

What's the best way to achieve Hyper-V security for hosts?

Hyper-V security is complicated, but you can set the foundation of your security strategies by following a few best practices, such as simplification and encryption.

You can't maintain Hyper-V security using a single product or setting; instead, you should simplify your deployment...

and carefully consider your settings and hardening practices.

Hyper-V security starts with host OS security. Most administrators simplify the production system by deploying only the minimum Windows Server installation, roles and software necessary for the server to perform the required tasks.

This kind of simplification reduces the potential points of attack. You should also aggressively update the OS, drivers and system firmware with any security-related patches. Tools such as Microsoft's Security Compliance Toolkit can help you meet established baselines for secure system and Hyper-V configurations.

Remote management is generally better than local, hands-on management. If you prevent local management, you can keep personnel out of the physical data center and away from actual systems.

Remote management tools offer copious logging and authentication features that can help guard against unauthorized configuration changes, software installations and other possibly malicious actions. Physical servers and storage, such as disk arrays, are typically behind locked racks or cabinets in the data center to prevent physical tampering.

It isn't safe to entrust a single individual with all of these responsibilities because he or she can only offer limited oversight and review.

Be careful when you assign credentials for system management, Hyper-V administration and host OS management. It isn't safe to entrust a single individual with all of these responsibilities because he or she can only offer limited oversight and review.

Boost Hyper-V security using network and encryption policies

A secure network can also enhance Hyper-V host security. For example, a separate network -- with a separate network adapter -- for system management, VM configuration, live migration traffic and VM file access can guard the host against attacks from the public network. For added security, you can employ encryption such as IPsec over the management network to guard system and management traffic on the fly.

In addition, you should add encryption to storage resources. For example, you might use server message block (SMB) 3.0 to encrypt SMB data or add BitLocker Drive Encryption to protect other storage resources. You can also combine encryption with virtual private networks when you access storage resources related to the Hyper-V host.

Finally, employ guarded fabric to run hosts and guest VMs on trusted systems that have passed either software attestation via Active Directory or hardware attestation that uses system hardware with Unified Extensible Firmware Interface Secure Boot and a Trusted Platform Module 2.0 chip. Guarded fabric ensures that the underlying hardware is known and trustworthy before you load and operate a VM.

This was last published in November 2018

Dig Deeper on Microsoft Hyper-V and Virtual Server

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

You will be able to add details on the next page.

Join the conversation

1 comment

Send me notifications when other members comment.

Please create a username to comment.

What best practices do you follow to secure a Hyper-V host?
Cancel

-ADS BY GOOGLE

SearchVMware

SearchWindowsServer

SearchCloudComputing

SearchVirtualDesktop

SearchDataCenter

Close