Planning for Hyper-V Security
Applies To: Windows Server 2008, Windows Server 2008 R2
You should secure your virtualization server using the same measures you would take to safeguard any server running Windows Server 2008. Additionally, you should use a few extra measures to help secure the virtual machines, configuration files, and data. For more information about how to secure Windows Server 2008 workloads, see the Windows Server 2008 Security Guide (http://go.microsoft.com/fwlink/?LinkId=134200).
Additionally, see the following security-related topics in this guide:
You should secure the virtual machines running on the virtualization server according to your procedures for securing that kind of server or workload. There is nothing special or different you need to do to secure the virtual machine just because it is a virtual machine. For example, if your policies and procedures require that you run antivirus software, run it on the virtual machine. If you have a policy requirement to segment the physical server to a particular network, follow the policy for the virtual machine as well.
We recommend the following best practices to improve the security of your servers running Hyper-V.
You can use BitLocker Drive Encryption to help protect virtual machines and data, but it requires careful deployment and recovery planning. For more information, review the Windows BitLocker Drive Encryption Design and Deployment Guides (http://go.microsoft.com/fwlink/?LinkId=134201).
Hyper-V security best practices
Use a Server Core installation of Windows Server 2008 for the management operating system. A Server Core installation provides the smallest attack surface and reduces the number of patches, updates, and restarts required for maintenance. For detailed information and installation guidance, see the Server Core Installation Option of Windows Server 2008 Step-By-Step Guide (http://go.microsoft.com/fwlink/?LinkId=134202).
For more information about enabling the Hyper-V role on a server running a Server Core installation, see Install the Hyper-V Role on a Server Core Installation of Windows Server 2008.
There is no way to upgrade from a Server Core installation to a full installation of Windows Server 2008. If you need the Windows user interface or a server role that is not supported in a Server Core installation, install a full installation of Windows Server 2008.
To remotely manage Hyper-V on a Server Core installation, use the Hyper-V management tools for Windows Server 2008 and Windows Vista Service Pack 1 (SP1). For more information, see article 950050 (http://go.microsoft.com/fwlink/?LinkId=122188) and article 952627 (http://go.microsoft.com/fwlink/?LinkID=122189) in the Microsoft Knowledge Base. For more information about configuring tools for remote management of Hyper-V, see Install and Configure Hyper-V Tools for Remote Administration.
- Do not run any applications in the management operating system—run all applications on virtual machines. By keeping the management operating system free of applications and running a Windows Server 2008 core installation, you will need fewer updates to the management operating system because nothing requires software updates except the Server Core installation, the Hyper-V service components, and the hypervisor.
If you run programs in the management operating system, you should run your antivirus solution there and add the following to the antivirus exclusions:
- Virtual machine configuration files directory. By default, it is C:\ProgramData\Microsoft\Windows\Hyper-V.
- Virtual machine virtual hard disk files directory. By default, it is C:\Users\Public\Documents\Hyper-V\Virtual Hard Disks.
- Snapshot files directory. By default, it is %systemdrive%\ProgramData\Microsoft\Windows\Hyper-V\Snapshots.
Use the security level of your virtual machines to determine the security level of your management operating system. You should deploy virtual machines onto virtualization servers that have similar security requirements. For example, assume that you classify the level of risk and effort to secure your servers into three categories: “secure”, “more secure”, and “most secure”. You would put more compliance effort and control procedures into the most secure servers than on the secure servers. This would be true whether the server is physical or running on a virtual machine. If you deploy both secure and most secure virtual machines on the management operating system, then you should secure the virtualization server as a “most secure” server. Deploying virtual machines with similar security levels on a virtualization server can make management and movement of the virtual machines easier.
Do not give virtual machine administrators permissions on the management operating system. According to the principle of least privilege, you should give administrators of a virtual machine (sometimes called department administrators or delegated administrators) the minimum permissions required. Managing the required permissions on all the objects associated with a virtual machine can be complex, and can lead to potential security issues if not handled properly. Role-based access control enables you to specify access control in terms of the organizational structure of a company—by creating a new object called a role. You assign a user to a role to perform a job function. Hyper-V uses Authorization Manager policies for role-based access control.
Ensure that virtual machines are fully updated before they are deployed in a production environment. Because virtual machines are so much easier to move around and quicker to deploy than physical machines, there is a greater risk that a virtual machine that is not fully updated or patched might be deployed. To manage this risk effectively, use the same methods and procedures to update virtual machines as you use to update physical servers. For example, if you allow the use of automatic updates using Windows Update, Microsoft System Center Configuration Manager, or another software distribution method, ensure that virtual machines are updated and/or patched before they are deployed.
You can use maintenance hosts and quick migration in Hyper-V to accomplish this. A maintenance host is a host computer that you can dedicate for patching stored resources and for staging virtual machines before you move them into your production environment. For more information about maintenance hosts, see Planning for Hosts (http://go.microsoft.com/fwlink/?LinkId=134482). For information about using quick migration to move virtual machines to a maintenance host, see Hyper-V Step-by-Step Guide: Testing Hyper-V and Failover Clustering (http://go.microsoft.com/fwlink/?LinkId=134481).
Ensure integration services are installed on virtual machines. The accuracy of timestamps and audit log entries is important for computer forensics and compliance. Integration services ensure that time is synchronized between virtual machines and the management operating system. This synchronization makes sure that time is consistent with the physical location of the virtual machine in the event that virtual machines are migrated between data centers in different time zones or virtual machines are restored from previous snapshots.
Use a dedicated network adapter for the management operating system of the virtualization server. By default, no virtual networking is configured for the management operating system. Use a dedicated network adapter for managing the server running Hyper-V and do not expose it to untrusted network traffic. Do not allow virtual machines to use this network adapter. Use one or more different dedicated network adapters for virtual machine networking. This allows you to apply different levels of networking security policy and configuration for your virtual machines. For example, you can configure networking so that the virtual machines have different networking access than your management operating system, including the use of virtual local area networks (VLANs), Internet Protocol Security (IPsec), Network Access Protection (NAP) and Microsoft Forefront Threat Management Gateway. For more information about configuring networking, see Configuring Virtual Networks.
For more information about NAP, see http://go.microsoft.com/fwlink/?LinkID=117804. For information about Microsoft Forefront Threat Management Gateway and Microsoft Forefront “Stirling”, see http://go.microsoft.com/fwlink/?LinkId=134452.
Use BitLocker Drive Encryption to protect resources. BitLocker Drive Encryption works with features in server hardware and firmware to provide secure operating system boot and disk drive encryption, even when the server is not powered on. This helps protect data if a disk is stolen and mounted on another computer for data mining. BitLocker Drive Encryption also helps protect data if an attacker uses a different operating system or runs a software hacking tool to access a disk.
Losing a physical disk is a more significant risk in scenarios with small and medium businesses, as well as remote offices, where physical security of the server may not be as rigorous as in an enterprise data center. However, using BitLocker Drive Encryption makes sense for all computers. You should use BitLocker Drive Encryption on all volumes that store virtual machine files too. This includes the virtual hard disks, configuration files, snapshots, and any virtual machine resources, such as ISO images and virtual floppy disks. For a higher level of security that includes secure startup, BitLocker Drive Encryption requires Trusted Platform Module (TPM) hardware. For more information about TPM management, see the Windows Trusted Platform Module Management Step-by-Step Guide (http://go.microsoft.com/fwlink/?LinkId=134227).
For more information on how to configure BitLocker Drive Encryption to help protect your server and the virtual machines running on it, see Windows Server 2008 Hyper-V and BitLocker Drive Encryption (http://go.microsoft.com/fwlink/?LinkID=123534).
Use BitLocker Drive Encryption in the Hyper-V management operating system and to protect volumes that contain configuration files, virtual hard disks, and snapshots. Do not run BitLocker Drive Encryption within a virtual machine. BitLocker Drive Encryption is not supported within a virtual machine.
- Disable virtualization BIOS settings when they are not required. When you are no longer using a server for virtualization, for example in a test or development scenario, you should turn off the hardware-assisted virtualization BIOS settings that were required for Hyper-V. For instructions on disabling these settings, consult your hardware manufacturer.