Skip to main content

Virtualization: Security Best Practices

Published: November 9, 2011

Author: Harry L. Waldron, CPCU, AAI

Virtualization Provides Cost Efficiencies and Other Benefits

During challenging economic times, virtualization strategies can help reduce data center expenses. Rather than deploying a physical server for each application, virtual sessions can be created to consolidate hardware. Fewer physical servers provide real savings by reducing equipment, energy, and management costs.

Virtualization works well for consolidating multiple applications onto a single physical server. Smaller and less active applications are prime candidates for virtualization. Highly active and business-critical OLTP applications are better suited to reside on a dedicated physical server.

Currently, VMware ESX and Microsoft Hyper-V facility are two leading solutions. VMware is the most popular approach with a decade of industry experience. Hyper-V has experienced recent growth as guest licenses are built into Windows Server 2008 R2, which can lower costs. Both solutions offer advanced features including virtual clustering and server failover capabilities. The Additional Resources section at the end of this article offers some detailed best security and design practices for both environments.

Virtualization can be applied workstations to meet special connectivity requirements. Kiosk environments are sometimes needed for untrusted Active Directory environments. A service company may need to log on to multiple untrusted domains, and this access may be difficult to set up on a physical workstation. Virtual desktop infrastructure (VDI) capabilities permit users to log on to different domains using web links. These environments can be locked down; plus, they offer excellent performance.

Best Security Practices for Safeguarding Virtual Devices

Virtual resources must be safeguarded using the same principles used to keep Windows and Windows Server secure. Administrators must promptly apply security maintenance to all software components and help ensure the environment is restricted from unauthorized users. Strong corporate policies and security awareness help promote the user's role in the process as well.

Key best practices for safeguarding virtual information resources include:

  • Updating the hypervisor environment – The control system for a virtual environment is called a hypervisor, which must be kept up-to-date as security releases are issued. Failure to update this important resource over time could create future risk exposures. It is important to track product developments, use the most recent hypervisor versions, and promptly apply product maintenance.
  • Disabling unnecessary hypervisor services – Guest service accounts or sessions should be deactivated if they are not required. USB ports, DVDs, and other devices not in use should also be disabled from the virtual environment.
  • Helping secure Windows and all other applications – Windows and all other software components must be updated as promptly as if they were on a dedicated physical device. Antivirus software should always be active and kept automatically updated. The use of the latest versions of Windows, Windows Internet Explorer, and Microsoft Office also will provide a safer experience for users.
  • Helping secure network controls – Strong passwords and firewall controls help protect confidential information from unauthorized access. It is also important to use limited rights for users to prevent modifications to the Windows environment that might compromise key settings. Network address translation techniques should be used along with network segmentation to restrict and limit potential access. SSL encryption must be used in communicating with virtual server command systems.
  • Training administrators – An investment in training is beneficial to help ensure virtual capabilities are constructed with the best levels of security, functionality, and efficiency. After initial training, it is important to build on skill sets through experience and continuing education.
  • Security auditing, monitoring, and testing – The IT security team must actively audit and monitor all virtual activities to evaluate violations and to improve security through continuous improvement. It is beneficial to penetration test all IT resources on a regular basis internally, as opportunities for improvement are almost always found. Over time, these proactive activities will help strengthen network controls.
  • Don't forget the user – Meaningful corporate policies define user responsibilities in safeguarding information resources. Security awareness programs promote continuous education and best security practices. Address special considerations for VDI access with business professionals, so that they use these resources responsibly and safely  

Safeguarding the virtual environment is similar to protecting physical servers and workstations. The virtual layer adds some complexity, as the hypervisor environment must be included in the process. Because security is only as strong as its weakest link, all physical, virtual, and network components must employ rigorous controls throughout. Human behavior safeguards are equally critical in complementing stringent technology controls.

Additional Resources

Below are several links to sites that include more detailed information for safeguarding leading virtualization strategies:

Best Security Practices for Hyper-V Facility Built into Windows 2008

http://blogs.technet.com/b/secguide/archive/2009/03/31/we-just-released-the-hyper-v-security-guide.aspx

http://technet.microsoft.com/en-us/library/dd569113.aspx

http://technet.microsoft.com/en-us/magazine/dd744830.aspx

http://www.microsoft.com/virtualization/assets/media/hdbp/local/index.htm

Best Security Practices for VMware

http://www.vmware.com/files/pdf/vi35_security_hardening_wp.pdf

http://blogs.vmware.com/security/

http://technet.microsoft.com/en-us/library/dd548299.aspx

About the Author

Harry Waldron photoHarry Waldron is a Senior IT professional with Fairfax Information Technology Systems, based in Roanoke, Virginia. He has almost 35 years of experience in the insurance industry, including a decade as a senior IT Security specialist. Currently, he assists with the implementation of technology solutions for property and casualty insurance applications. He has insurance expertise, including the Chartered Property and Casualty Underwriting and Accredited Advisor in Insurance professional designations. He has been a Microsoft Enterprise Security MVP since 2003.

Microsoft Security Newsletter

Sign up for a free monthly roundup of security news, bulletins, and guidance for IT pros and developers.