WavebreakmediaMicro - Fotolia

Manage Learn to apply best practices and optimize your operations.

Use these features and techniques to ensure Hyper-V security

To successfully enhance the security of Hyper-V hosts and VMs, admins should consider network security, guarded fabric technology, Generation 2 VMs and Secure Boot.

Despite their benefits, server virtualization technologies such as Microsoft Hyper-V Manager tend to complicate the task of keeping workloads secure. Not only do virtualization administrators need to execute workload-specific security tasks, they also must secure the underlying virtualization infrastructure. To ensure Hyper-V security, admins must consider specific features and techniques, such as traffic isolation, shielded VMs and Secure Boot.

Use a secure network to isolate traffic

To keep Hyper-V network traffic secure, admins must understand there's some traffic that shouldn't traverse the user network. Admins need to isolate this traffic to a dedicated physical or virtual network segment whenever possible to ensure efficient Hyper-V security.

This includes things like server backbone traffic, communications between a Hyper-V host and storage array, and replication and cluster traffic. It's also a good idea to encrypt this traffic whenever possible. Admins can use an encryption protocol, such as IPsec, but Hyper-V does include native options to encrypt VM state and migration traffic.

Shield VMs with guarded fabric

To keep Hyper-V network traffic secure, admins must understand there's some traffic that shouldn't traverse the user network.

One of the major risks posed by server virtualization is rogue admins. A rogue admin can copy a VM to removable media, eliminate the VM copy from the organization and then run it on an unauthorized host. Admins can protect against this type of VM leakage by taking advantage of Hyper-V's guarded fabric to shield their VMs.

A shielded VM is a special type of BitLocker-encrypted VM that can only run on an authorized Hyper-V host. The guarded fabric is the infrastructure that makes it possible to encrypt a shielded VM and determine whether or not a host is authorized to run the VM. Guarded fabric consists of the Host Guardian Service (HGS), which runs in a highly available configuration; one or more guarded Hyper-V hosts; and the shielded VMs.

Generation 2 VMs running on Windows Server 2012 Hyper-V or later can support VM shielding, although HGS runs on Windows Server 2016 or later. Microsoft improved shielded VMs in Windows Server 2019 by introducing both support for Linux VMs and an offline mode. This offline feature enables a shielded VM to function even if it loses connectivity to HGS, successfully maintaining Hyper-V security.

Create Generation 2 VMs for increased performance

When admins create a new VM in Hyper-V, they can choose between creating a Generation 1 VM or a Generation 2 VM. Whenever possible, admins should create Generation 2 VMs, because they are hypervisor-aware and run more efficiently. Generation 1 VMs are necessary for running older -- 32 bit -- guest OSes, or if the VM requires direct access to a physical DVD drive.

Generation 2 VMs are best known for offering better performance, compared with Generation 1 VMs. Generation 2 VMs also provide security advantages. More specifically, Generation 2 VMs support VM shielding and the Secure Boot feature.

Unless admins have no choice but to create a VM as Generation 1, as a general rule, they should always create Generation 2 VMs. This is because there's no official way to support the conversion from a Generation 1 VM to a Generation 2 VM. Once admins create a VM, they can't change that VM's generation.

Defend against malicious attacks with Secure Boot

Admins can use Secure Boot to prevent malicious code from being initialized during the early phases of a PC's boot cycle. Secure Boot ensures the device uses only trusted software, which is predetermined by the OEM.

Microsoft added Secure Boot to Hyper-V, providing virtualization admins with a way to make sure a guest OS' low-level boot code hasn't been tampered with. Hyper-V 2016 and 2019 provide Secure Boot templates for Microsoft Windows, a Microsoft Unified Extensible Firmware Interface Certificate Authority and for Open Source Shielded VMs.

Dig Deeper on Microsoft Hyper-V management