What are the most important features and tactics used for virtual server security?
Today's hypervisors include more features designed to secure the system and its virtual machines. For example, software acceptance features prevent unsigned software from taking up residence on the system, while integrated firewalls eliminate the need for IP tables and use rules to define port access for every service. Enhanced logging and auditing features track activities on the system and prevent malicious activities from being hidden or erased. In addition, Active Directory integration helps to authenticate users trying to access the virtualized servers.
Hypervisor security features, however, provide little benefit unless you deploy and configure them with the proper security guidelines. When you install a hypervisor-OS combination such as Windows Server 2012 and Hyper-V, use a Server Core installation or install only that system's essential roles, which minimizes the OS footprint and attack surface. In addition, never run applications -- even seemingly innocuous applications such as DNS servers -- on the Hyper-V server. You should run all virtual server workloads as VMs. If you must install administrator consoles or other management tools, always use strong, confidential logon credentials.
When you configure virtual server management, use a dedicated network adapter as opposed to sharing management traffic on the general LAN. This configuration is particularly important when working with dedicated management modules, such as HP iLO or Dell DRAC. By keeping management traffic on its own internal LAN and away from WANs such as the Internet, you reduce the chance that hackers will take control of the servers. If separate IT staff manage VMs and servers, do not allow VM admins to access the server management tools. This least-privilege consideration limits the number of personnel that can affect system management.
VMs may spend considerable time in a test and development environment before they are considered ready for production, but they can easily miss critical patches and updates during the development period. Always update the OS in any VM before deploying that VM on a production server. You can also enhance security by using encryption tools tied to the server's physical trusted platform module, which encrypts data on the server's local disk drives and prevents data leakage from disk theft.
Dig Deeper on Virtualization security and patch management
Related Q&A from Stephen J. Bigelow
Full virtualization and paravirtualization both enable hardware resource abstraction, but the two technologies differ when it comes to isolation ... Continue Reading
Organizations can cap their hyper-converged infrastructure costs when they deploy the Azure Stack HCI platform, but once they plug into the cloud, ... Continue Reading
You can implement ESXi on ARM -- or other RISC processors -- in micro and nano data centers. A nano data center is more specialized but also more ... Continue Reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.