Scenario - Deploy guarded hosts and shielded virtual machines in VMM

Important

This version of Virtual Machine Manager (VMM) has reached the end of support; we recommend that you upgrade to VMM 2019.

This article provides an overview of deploying Hyper-V guarded hosts and shielded virtual machines in a System Center - Virtual Machine Manager (VMM) compute fabric.

Guarded fabrics provide additional protections for VMs to prevent tampering and theft by malicious administrators and malware. As a cloud service provider or private cloud administrator, you can deploy a guarded fabric that typically consists of a server running the Host Guardian Service (HGS), one or more guarded Hyper-V host servers, and one or more shielded VMs running on those hosts. Learn more about guarded fabrics.

Why do I need to protect VMs?

Virtual machines contain sensitive data and configuration that the VM owner may not want a fabric administrator to see. However, since all the data for a VM is stored in files, the data can easily be copied off and inspected by malware or a malicious administrator. Shielded VMs in Windows Server help prevent such attacks by rigorously attesting to the health of a Hyper-V host before booting up a VM, ensuring the VM can only be started in datacenters authorized by the VM owner, and enabling the guest OS to encrypt its own data through the use of a new, virtual TPM. The VM owner can select from the following two types of protection when creating a security-sensitive VM:

  • Encryption Supported: Ideal for enterprise private cloud scenarios where encryption of data at rest and in flight is necessary, but the fabric administrators are still trusted. The VM console and other management conveniences remain available to fabric administrators.
  • Shielded: The most secure deployment option; shielding prevents fabric administrators from connecting to the VM console or modifying security aspects of the VM configuration. VM owners can only access the VM through remote management tools they choose to enable. This is recommended for tenants running sensitive workloads on public or shared infrastructure.

Managing a guarded fabric with VMM

The core guarded fabric infrastructure (consisting of one or more guarded Hyper-V hosts, the Host Guardian Service, and the artifacts needed to create shielded VMs) is included with Windows Server 2016 and later, and must be configured according to the guarded fabric documentation. Once it is set up, you can optionally use System Center - Virtual Machine Manager to simplify management of the guarded fabric.

VMM can be used to:

  • Provision and manage guarded hosts in the VMM fabric: You can add guarded hosts to the VMM fabric and manage them. A guarded host is a Hyper-V server that:
    • Meets the guarded host prerequisites.
    • Is authorized by the Host Guardian Service for the fabric to run shielded VMs. The HGS admin determines the requirements that hosts must meet to successfully attest and become "guarded".
    • Is marked as guarded in VMM by configuring it to use the same HGS URLs as those specified in the global VMM settings.
  • Configure a shielded virtual hard disk and optionally a VM template: Signed template disks (VHDX) used to deploy new shielded VMs can be stored in the VMM library for easy deployment. You can then use this VHDX in a VM template.
  • Provision and manage shielded VMs: VMM supports the full lifecycle of shielded VMs. This includes:
    • Creating new shielded VMs from a signed template disk (VHDX), optionally using a VM template.
    • Converting existing VMs to shielded VMs.
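The third host requirement above, that a host points at the same HGS URLs as the global VMM settings and actually attests, can be checked on the host itself before you mark it as guarded in VMM. The following is an added example, not part of this article or the VMM product; it uses the real `Get-HgsClientConfiguration` cmdlet from the HgsClient module, while the `Test-GuardedHostConfiguration` helper and the two HGS URLs are constructed for this example.

```powershell
# Added example: compare a Hyper-V host's HGS client settings with the URLs that were
# entered in the global VMM settings, and report whether the host currently attests.
# Both URLs below are placeholders; substitute the values from your VMM settings.
$ExpectedAttestationUrl   = 'http://hgs.example.test/Attestation'    # placeholder
$ExpectedKeyProtectionUrl = 'http://hgs.example.test/KeyProtection'  # placeholder

# Hypothetical helper written for this example (not a VMM or HgsClient cmdlet).
function Test-GuardedHostConfiguration {
    param(
        [Parameter(Mandatory)] [string] $AttestationUrl,
        [Parameter(Mandatory)] [string] $KeyProtectionUrl
    )

    if (-not (Get-Command Get-HgsClientConfiguration -ErrorAction SilentlyContinue)) {
        throw 'HgsClient module not found; this must run on a Windows Server 2016+ Hyper-V host.'
    }

    # Get-HgsClientConfiguration returns the host's HGS client settings, including
    # AttestationServerUrl, KeyProtectionServerUrl, IsHostGuarded and AttestationStatus.
    $cfg = Get-HgsClientConfiguration

    # Normalise trailing slashes so a cosmetic difference is not reported as a mismatch.
    $attestationMatches   = ([string]$cfg.AttestationServerUrl).TrimEnd('/') -eq $AttestationUrl.TrimEnd('/')
    $keyProtectionMatches = ([string]$cfg.KeyProtectionServerUrl).TrimEnd('/') -eq $KeyProtectionUrl.TrimEnd('/')
    $isGuarded            = [bool]$cfg.IsHostGuarded

    [pscustomobject]@{
        HostName                = $env:COMPUTERNAME
        AttestationUrlMatches   = $attestationMatches
        KeyProtectionUrlMatches = $keyProtectionMatches
        IsHostGuarded           = $isGuarded
        AttestationStatus       = $cfg.AttestationStatus
        # Only a host that matches VMM's URLs AND attests should be marked guarded in VMM.
        ReadyForVmm             = ($attestationMatches -and $keyProtectionMatches -and $isGuarded)
    }
}

Test-GuardedHostConfiguration -AttestationUrl $ExpectedAttestationUrl `
                              -KeyProtectionUrl $ExpectedKeyProtectionUrl | Format-List
```

If `ReadyForVmm` is false because the URLs differ, the host can be repointed with the HgsClient cmdlet `Set-HgsClientConfiguration -AttestationServerUrl <url> -KeyProtectionServerUrl <url>`; if the URLs match but `IsHostGuarded` is false, the `AttestationStatus` value indicates which HGS requirement the host has not yet met.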

Next steps