Simple Security Recommendations When Using Hyper-V
Published: November 9, 2011
Author: Harold Wong, IT Pro Evangelist
As more small to midsize companies move to virtualization, I am seeing many more questions come up around security and virtualization. Microsoft has a few articles on TechNet that outline some of the key aspects of a secure deployment of the Hyper-V virtualization technology, a feature of Windows Server 2008 R2. The Hyper-V Security Best Practices found here outline the following recommendations:
These are great guidelines. However, I want to add some thoughts on four of these items and offer some additional considerations.
Use a Server Core installation of Windows Server 2008 for the management operating system.
This is great for folks who are comfortable with a command-line management environment. Although I am fine with this, I do know that there are many who are not and would prefer to use the GUI install. With that in mind, I want to say that it is perfectly fine to deploy a full GUI install of Windows Server 2008 R2 with the Hyper-V role. The important thing to keep in mind is not to install any other roles or features that are not absolutely necessary on the parent partition. This includes features such as Desktop Experience.
Do not run any applications in the management operating system—run all applications on virtual machines.
I have seen some folks use the Hyper-V host as a file server or DNS server or something “small” like that. I completely disagree with doing this since it means additional services/roles are installed and need to be updated when updates become available. If you make the Hyper-V host a file server, then you really need to install antivirus protection on the parent partition, but doing so will have other performance impacts that I would prefer not to have to deal with. Plus, clients will directly interact with the parent partition, and I just don’t like that.
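One way to check the two points above on a full GUI install is to list every installed role and feature on the parent partition and flag anything outside a short allowlist. This is an added example, not part of the original article or Microsoft's guidance; the allowlist patterns (Hyper-V, BitLocker, RSAT*) are assumptions to adjust for your own build, and it uses only the ServerManager module that ships with Windows Server 2008 R2.

```powershell
# Added example: audit a Hyper-V parent partition for roles/features
# beyond an allowlist. Written for Windows PowerShell 2.0 on a full (GUI)
# install of Windows Server 2008 R2.
Import-Module ServerManager

# Assumption: name patterns this host is expected to have installed.
# Anything else is reported for review. Adjust to match your build.
$allowed = @('Hyper-V', 'BitLocker', 'RSAT*')

function Test-Allowed {
    param([string]$Name, [string[]]$Patterns)
    foreach ($p in $Patterns) {
        if ($Name -like $p) { return $true }
    }
    return $false
}

# Every role, role service and feature currently installed on this server.
$installed = @(Get-WindowsFeature | Where-Object { $_.Installed })

# The rest of the audit only makes sense on an actual Hyper-V host.
if (-not ($installed | Where-Object { $_.Name -eq 'Hyper-V' })) {
    Write-Warning 'Hyper-V role is not installed on this server.'
}

# Installed items whose name matches none of the allowlist patterns.
$unexpected = @($installed | Where-Object {
    -not (Test-Allowed -Name $_.Name -Patterns $allowed)
})

if ($unexpected.Count -eq 0) {
    Write-Output 'No roles or features outside the allowlist are installed.'
} else {
    Write-Output 'Installed roles/features outside the allowlist (review each):'
    $unexpected | Sort-Object Name | Format-Table Name, DisplayName -AutoSize
}
```

Run it from an elevated PowerShell prompt on the host; a file server, DNS server or Desktop Experience install will show up in the second list.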
Use a dedicated network adapter for the management operating system of the virtualization server.
I would prefer to use the built-in remote management module (for HP this is iLO; for Dell, iDRAC) that comes with most servers to connect to and manage the host machine. This also gives console access to the server from a browser through any network resource. Just be sure to secure this connection as well.
Use BitLocker Drive Encryption to help protect resources.
I am divided on this guideline. If someone is able to get into your server room to steal a hard drive out of the server, you have some more pressing issues. That said, I will admit it is a lot easier for someone to walk in and take the removable drives out of your server than it is to unrack the server and carry it out. For that reason, I sway a little more in favor of using BitLocker to help protect the data volumes on the Hyper-V server considering the data for multiple servers is now stored here instead of on just one server. I would go with the basics and use the Trusted Platform Module (TPM) versus a USB key or PIN; otherwise, someone will need to be involved to address an unexpected restart of the server.
There are two additional items I want to point out when it comes to securing a virtual environment.
Virtualizing your servers on a Hyper-V host (or any other virtualization host) does NOT automatically make your virtual machines more secure.
When it comes to security of the operating system (OS) running on a virtual machine (VM), the hypervisor provides no additional inherent security for your OS. Network traffic is passed directly to the VM as if it were a physical server. The Hyper-V host does not do inline packet scanning of the network traffic destined to a VM. If you would have installed antivirus protection on the server as a physical server, you will want to install antivirus protection on it when it is running in a VM. Also, installing antivirus software on the Hyper-V host does not provide scanning of all the VMs running on that Hyper-V host (parent partition). You will still need to install antivirus software on each VM that needs antivirus protection.
I strongly encourage you to continue using Windows Firewall on all instances of Windows Server 2008 running on VMs. Once again, the firewall service on the parent partition does not scan or filter network traffic destined for any of the VMs that are hosted on that Hyper-V host. Please follow all the security guidelines in order to safeguard a virtual server running Windows Server as if it were a physical server.
Physical and console security of the Hyper-V host server is even more important than before.
Now that you have multiple servers running on one physical server, you are at an even bigger risk if you allow people to gain access to this one Hyper-V host. If someone can gain access to the console of the host, they can shut down all the VMs that are running on that host. Also, they can steal or gain access to much more data since multiple servers are now hosted on that one physical box. It is extremely important that you only allow authorized administrators to manage the Hyper-V role of this server, as well as have local logon access to the server. If you are not using Microsoft System Center Virtual Machine Manager in your environment and you have more than one administrator, you really need to look into using Authorization Manager to configure role-based access control for managing virtual machines with Hyper-V.
About the Author
Harold Wong has been with Microsoft for 12 years. He started as a pre-sales Systems Engineer focused on Exchange Server, but has been an IT Pro Evangelist since July of 2004. Although Harold is a generalist across most Microsoft Infrastructure Servers, he has been focused on the Unified Communications area (Exchange Server and Office Communications Server/Lync Server) for quite some time. He also focuses on cloud computing and helping IT pros better understand the role of cloud computing in today’s IT infrastructure. Outside of work, Harold enjoys spending time with his family, finding and eating great sushi, and playing Xbox Live.