
15 Hyper-V Security Principles

Security is the top priority for IT companies today. Before introducing a new technology into production, IT administrators must work through its security implications and minimize the threat of attack. This article sets out 15 key points; by following them, you can be confident that your virtual environment is secure and working as it should.


Installing the Hyper-V role in a Server Core installation


For security reasons, it is recommended to always install the Hyper-V role on a Server Core installation rather than on the full version of the Windows operating system. The lack of a graphical user interface in Server Core reduces the attack surface. Hyper-V client management files are not installed, which reduces the opportunities for file-based attacks. Using Server Core on a physical computer with Hyper-V provides three major security benefits:

Logon credentials for Hyper-V services


Never change the default security settings for Hyper-V services. Changing them may cause Hyper-V to stop working. Changing the security context used by Hyper-V can allow anyone to control the entire hypervisor.

Block unnecessary ports


Do not configure any additional roles or services on the Hyper-V server. Installed server applications listen on static ports. Always review which ports are listening on the server, and block them if necessary.

Hyper-V default settings


Always check the default Hyper-V settings before putting the server into production. By default, virtual server files are stored locally. It is recommended to always move the storage location to a more secure disk.

Using BitLocker encryption in the parent partition


Since BitLocker is built into Windows, it is recommended to enable it on the volumes where Hyper-V files and virtual servers are stored. BitLocker-based physical security remains in effect even when the server is turned off.


The data stays protected even if the disk is stolen. BitLocker protects the data when an attacker boots a different operating system or uses hacking software to gain access to the contents of the disk.
Note: Use BitLocker for Hyper-V only. Do not use it on virtual servers, because BitLocker is not supported on them.

Do not use the built-in administrator accounts


Do not use the local default administrator account to manage virtual machines and the Hyper-V system. Instead, create a new Active Directory management group and delegate virtual machine management tasks to it using the Authorization Manager.

Always install antivirus on the server


Installing antivirus software ensures that malicious activity is intercepted at the Hyper-V server level. Also make sure the antivirus is updated promptly.

Always install the latest integration component updates


The integration components provide the VMBUS and VSP / VSC operations that ensure secure interaction between virtual machines and the hypervisor. These components are updated with each new release of Hyper-V. Download the latest components from the Microsoft website promptly and update all virtual machines.


Do not install any applications in the Hyper-V parent partition


The Hyper-V server should be used only for Hyper-V tasks. Unnecessary applications on the server can interfere with Hyper-V processes, which can be unsafe.

Protect Hyper-V files and virtual machine files


Hyper-V and virtual server files must be protected. Since this data is stored in VHD files, anyone who has access to VHD files can mount them and access the contents.
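
One way to review who can reach the virtual disk files, as an added example that is not part of the original article: the script lists every Allow entry on each attached virtual disk file whose principal falls outside an expected set. The expected-principal list and the helper name Test-ExpectedPrincipal are assumptions to adjust for your environment.

```powershell
#Requires -Modules Hyper-V
# Added example. Run elevated on the Hyper-V host.
# Assumption: principals that are expected to hold rights on virtual disk files
# (English display names; adjust for your environment and locale).
$ExpectedPrincipals = @(
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    'CREATOR OWNER'
)

function Test-ExpectedPrincipal {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$Identity)
    # Each VM accesses its disks under a per-VM identity: NT VIRTUAL MACHINE\<VM GUID>
    ($ExpectedPrincipals -contains $Identity) -or ($Identity -like 'NT VIRTUAL MACHINE\*')
}

$findings = foreach ($disk in (Get-VM | Get-VMHardDiskDrive)) {
    # Skip empty slots and pass-through disks, which have no file path to inspect
    if (-not $disk.Path -or -not (Test-Path -LiteralPath $disk.Path -PathType Leaf)) { continue }

    foreach ($ace in (Get-Acl -LiteralPath $disk.Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $identity = $ace.IdentityReference.Value
        if (-not (Test-ExpectedPrincipal -Identity $identity)) {
            [pscustomobject]@{
                VMName    = $disk.VMName
                Path      = $disk.Path
                Identity  = $identity
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

if ($findings) {
    $findings | Sort-Object Path, Identity | Format-Table -AutoSize -Wrap
} else {
    Write-Output 'No unexpected Allow entries found on attached virtual disk files.'
}
```

Entries marked as inherited point to the parent folder's ACL, so tighten the storage folder rather than the individual file.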

Turn off unused machines


Do not keep machines running that serve no essential function. If you do start any of these servers, make sure they are disconnected from the Hyper-V switches that other servers are connected to. Anyone who has access to unused servers can interfere with the production environment via the network or in some other way.

Always use the firewall and block unnecessary features


As soon as you start Hyper-V on a Windows server, the management server grants the firewall the permissions required for Hyper-V communication. Make sure that the firewall is given no permissions beyond these.

Securing snapshots and checkpoints


A snapshot is an image of a virtual machine at a certain point in time, to which you can later return the machine. It is recommended to store the snapshots and checkpoints you create, together with the VHD files associated with them, in a safe place.

Harden the operating systems of virtual servers


Use the same hardened OS template for all virtual machines to ensure the same level of security. Also make sure that the antivirus is running and unnecessary components are disabled.

Enable auditing


File system protection can prevent unauthorized access to VHD files. By enabling object access auditing, you can identify potentially harmful user actions.

Source: https://habr.com/ru/post/231647/
