Protect Hyper-V with on-board resources

Counterintelligence

Encryption Without Shielded VMs

If you want to encrypt your VM virtual hard drives, you do not necessarily have to rely on shielded VMs. Since Windows Server 2016, a virtual TPM can also be added to VMs from the Security menu item in the properties of the VM. Activating the Trusted Platform Module function makes a virtual TPM available to the VM, which the guest can then use for BitLocker encryption. VMs encrypted with BitLocker on the basis of a vTPM can be integrated into a guarded fabric with shielded VMs at any time, and live migration is also possible. The important thing here is that you are working with a generation 2 VM. In addition to the Hyper-V Manager, the settings can also be made in PowerShell. For example, to activate and deactivate the technology, use:

Enable-VMTPM -VMName <name>
Disable-VMTPM -VMName <name>

The TPM is displayed in the VM's Device Manager under Security devices. Running tpm.msc in the guest lets you initialize and set up the module.

Access Permissions and Authorizations

VM administrators do not need administrative access to the host operating system. For this reason, you will also want to adjust the authorizations for administrators on Hyper-V hosts: admins who do not need to manage the host also do not need administrative access to the host operating system. Usually, it is sufficient for Hyper-V administrators to be members of the Hyper-V Administrators group on the server. Hyper-V hosts should also have antivirus protection installed; however, exclusions for Hyper-V components in malware scans are useful. When using Microsoft Defender, these exclusions are applied automatically. Many other scanners also support Hyper-V. To disable the automatic exclusions, enter the command:

Set-MpPreference -DisableAutoExclusions $true

In general, however, you will want to make sure that the essential components of Hyper-V are monitored, but not unnecessary areas or services and directories that can cause performance problems. Windows Defender does not scan the following file types: VHD, VHDX, AVHD, AVHDX, VSV, ISO, RCT, VMCX, and VMRS. You can additionally exclude the following directories from scanning:

  • %ProgramData%\Microsoft\Windows\Hyper-V
  • %ProgramFiles%\Hyper-V
  • %SystemDrive%\ProgramData\Microsoft\Windows\Hyper-V\Snapshots
  • %Public%\Documents\Hyper-V\Virtual Hard Disks

The following processes are particularly important:

  • %systemroot%\System32\Vmms.exe
  • %systemroot%\System32\Vmwp.exe

For more information on exclusions, see recommended antivirus exclusions for Hyper-V hosts online [6].

Third-Party VHDs and Nested Virtualization

It should go without saying that you should never mount third-party virtual hard disks (VHDs) on Hyper-V hosts because of the risk of attacks at the filesystem level. You should also avoid deploying VMs with unknown VHDs. Perform extensive tests, preferably on test servers, before you implement third-party VHDs for a VM on a host to check for malware or suspicious activity.

Additionally, Microsoft generally recommends not using nested virtualization on Hyper-V hosts. Otherwise, administrators of VMs with activated virtualization could create VMs themselves, which in turn represent a danger for, and generate load on, the Hyper-V host. Nested virtualization should only be implemented for scenarios that you absolutely need – ideally in highly monitored environments.

For even greater security, Microsoft recommends generation 2 VMs for supported operating systems whenever possible. You will also want to enable Secure Boot on the VMs (Figure 3) to prevent unauthorized code from starting with the operating system before a virus scanner has had a chance to check it. The feature is also available for Linux servers if the distribution supports generation 2 VMs in Hyper-V. The settings can be found in the properties of a VM under Security. You can enable Secure Boot for generation 2 VMs here, select the template, and, if prompted to do so, enable TPM on the VM and shielding.

Figure 3: Enabling a secure startup of VMs in Hyper-V prevents malware from loading during the boot process.

Microsoft explains the options for secure generation 2 VMs on GitHub [7]. As with the Hyper-V host, you should always keep the VMs as up to date as possible, especially for security updates. Install the integration services for the supported guest operating systems; Windows Update handles these updates.
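To check and enforce the VM-side settings discussed above (generation 2, Secure Boot, vTPM, shielding) with on-board tools, here is an added PowerShell example; it is not from the article or from Microsoft. It assumes Windows Server 2016 or later with the Hyper-V PowerShell module, and that a local key protector is acceptable on a host that is not part of a guarded fabric.

```powershell
# Added example (not from the article): audit every VM on the host for the settings
# discussed above, using only the built-in Hyper-V module (Get-VM, Get-VMFirmware,
# Get-VMSecurity). Assumes Windows Server 2016 or later.
function Get-VMSecurityPosture {
    [CmdletBinding()]
    param([string]$VMName = '*')

    foreach ($vm in Get-VM -Name $VMName) {
        $row = [ordered]@{
            Name       = $vm.Name
            Generation = $vm.Generation
            State      = $vm.State
            SecureBoot = 'n/a'      # generation 1 VMs have BIOS firmware, no Secure Boot
            TpmEnabled = $false
            Shielded   = $false
            Findings   = @()
        }
        if ($vm.Generation -eq 2) {
            $fw  = Get-VMFirmware -VMName $vm.Name
            $sec = Get-VMSecurity -VMName $vm.Name
            $row.SecureBoot = $fw.SecureBoot
            $row.TpmEnabled = $sec.TpmEnabled
            $row.Shielded   = $sec.Shielded
            if ($fw.SecureBoot -ne 'On') { $row.Findings += 'Secure Boot is off' }
            if (-not $sec.TpmEnabled)   { $row.Findings += 'no vTPM (BitLocker in the guest not possible)' }
        } else {
            $row.Findings += 'generation 1 VM: Secure Boot and vTPM not available'
        }
        [pscustomobject]$row
    }
}

# Enable the vTPM on a powered-off generation 2 VM. Assumption (not stated in the
# article): outside a guarded fabric, a local key protector must exist before
# Enable-VMTPM succeeds, which is what Hyper-V Manager creates silently.
function Enable-VMTPMWithLocalKeyProtector {
    param([Parameter(Mandatory)][string]$VMName)
    $vm = Get-VM -Name $VMName
    if ($vm.Generation -ne 2) { throw "$VMName is not a generation 2 VM" }
    if ($vm.State -ne 'Off')  { throw "$VMName must be powered off first" }
    if ((Get-VMSecurity -VMName $VMName).TpmEnabled) { return }   # nothing to do
    Set-VMKeyProtector -VMName $VMName -NewLocalKeyProtector
    Enable-VMTPM -VMName $VMName
}

# Report only VMs that deviate from the recommended configuration.
Get-VMSecurityPosture | Where-Object { $_.Findings.Count -gt 0 } |
    Format-Table Name, Generation, SecureBoot, TpmEnabled, Shielded,
        @{ n = 'Findings'; e = { $_.Findings -join '; ' } }
```

Run the audit on the host as a Hyper-V administrator; the findings column tells you which VMs still need the Security settings from Figure 3 applied.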
