agsandrew - Fotolia

Manage Learn to apply best practices and optimize your operations.

Support Hyper-V security with these important protocols

A virtual environment's security can make the difference when it comes to malicious attacks, preventing unauthorized OS or firmware codes from running at boot time.

Hyper-V security can make or break an IT administrator's virtual environment. Without proper security precautions, admins risk not only breaches but also VMs that fail to run properly.

To ensure the health and capabilities of their environments, admins should prioritize Hyper-V security above all else. They should take stock of their current environments and incorporate several security protocols into their plans to bolster Hyper-V defenses, such as using the Host Guardian Service (HGS), prioritizing Generation 2 VMs, installing the latest patches and ensuring successful system boots.

Windows Server 2016 supports Hyper-V security

Windows Server 2016 offers a security model that protects hosts and guest VMs against harmful activity. This security model enables admins to use guarded fabric, HGS and shielded VM technologies to enable encryption.

HGS runs in conjunction with an encryption key protection service to create, manage and operate shielded VMs. Not only can this guarded fabric operate an encrypted VM successfully, it can also operate shielded VMs that rely on verification to validate the underlying platform.

Use Generation 2 VMs for Hyper-V security

HGS runs in conjunction with an encryption key protection service to create, manage and operate shielded VMs.

Before admins secure their Hyper-V virtualization software, they must take into account several VM considerations. For example, admins should use Generation 2 VMs, install the latest patches and security updates and connect to guest VMs using VPNs. By combing secure networks with encryption, admins can protect storage resources and guard data at rest and in flight.

Following these steps before enabling Hyper-V 2016 software prevents unknown or unauthorized OSes or firmware codes from running at boot time.

Protect against Meltdown and Spectre

To protect Hyper-V software from prospective security threats, admins should ensure that they don't neglect the security of the virtual host environment. Meltdown and Spectre hardware vulnerabilities are intrinsic to the architecture of modern CPUs. The only way vendors are able to protect systems from these malicious attacks is through software patches.

Admins should install new patches, incorporate registry keys to Windows VMs through deployment software, install a new host BIOS, shut down and restart VMs and use monitoring tools to check the performance effect. To use the newly patched settings on VMs, hosts must include all patches and changes related to the Meltdown and Spectre security repair, and admins might find that they have to update their patches regularly as new updates come out.

Overcome issues with OS system boots

As admins secure their Hyper-V software, they might come across OSes that are unable to successfully boot the system. This is especially true for computers that rely on Linux. Any computer built after 2012 most likely uses Unified Extensible Firmware Interface (UEFI) Secure Boot. UEFI Secure Boot enables firmware-makers to include advanced features beyond those found in traditional BIOS.

Previously, UEFI Secure Boot omitted signatures for non-Windows OSes, which would prevent the system from booting at all. If a system is unable to boot, it prevents Hyper-V VMs that run on Linux as a guest OS from spinning up on a Windows and UEFI host server. One way admins can address this is by using a shim boot loader for versions of Ubuntu, Fedora, openSUSE and Red Hat, which acts as a bridge between the OS and UEFI Secure Boot to confirm the OSes' signatures.

Reinforce existing Hyper-V security

Reinforcing Hyper-V security can help avoid breaches down the line. A single product or setting can't successfully maintain security without exposing the software to weaknesses. To combat this, admins must simplify their deployments and consider settings and hardening practices such as using Windows Server installation, updating their OSes aggressively and prioritizing remote management.

Admins can also boost the securities they have in place by employing encryption services such as IPsec for added system and management security. In addition, admins can use guarded fabrics to run hosts and guest VMs on trusted systems.

This was last published in July 2019

Dig Deeper on Server virtualization hypervisors and management

Join the conversation

1 comment

Send me notifications when other members comment.

Please create a username to comment.

How do you secure your Hyper-V environment?
Cancel

-ADS BY GOOGLE

SearchVMware

SearchWindowsServer

SearchCloudComputing

SearchVirtualDesktop

SearchDataCenter

Close