How to enable DHCP Guard and Router Guard in HYPER-V

Windows Server 2012 HYPER-V has some advanced features that you may not be using but that can protect your environment from various incidents and security issues.

Small environments that use HYPER-V may not need these advanced features, but in large environments with a lot of virtual servers they can be very useful.

DHCP Guard and Router Guard are the advanced features that I will discuss today.

So let's start

 

What is DHCP Guard

Before explaining how to enable these features, I prefer to explain in a few words what DHCP Guard is.

To begin, let me explain what a rogue DHCP server is. Based on https://en.wikipedia.org/wiki/Rogue_DHCP, it is a DHCP server on the network which is not under administrative control. It may be used for network attacks, or it may be installed by someone in the company for test purposes and still cause serious problems in the network.

The DHCP Guard feature stops virtual servers from acting as DHCP servers, and HYPER-V knows which one is the real DHCP server.

When you enable this feature on a virtual server, the specific virtual NIC is prevented from sending DHCP offers.

So if someone accidentally installs a DHCP server, or uses one for network attacks, DHCP Guard prevents it from acting as a DHCP server and

 

Enable DHCP Guard in HYPER-V

How can you enable this feature on the HYPER-V host?

  • Open HYPER-V Manager.
  • Select the Virtual Server that you want to apply the DHCP Guard feature.
  • Click Settings from the right side.

  • Expand Network Adapters.
  • Click Advanced Features.
  • On the right side, check Enable DHCP Guard.

If you would like to enable DHCP Guard on all virtual machines at once, type the following PowerShell command on the HYPER-V host:

Set-VMNetworkAdapter * -DhcpGuard On

 

What is Router Guard

If you use Windows Server or hold a Microsoft certification, you know that a Windows Server can act as a router. Router Guard is a feature in Windows Server 2012 R2 which prevents a guest OS from acting as a router.

In technical terms, Router Guard blocks the following packets:

  • ICMPv4 Type 5 (Redirect message)
  • ICMPv4 Type 9 (Router Advertisement)
  • ICMPv6 Type 134 (Router Advertisement)
  • ICMPv6 Type 137 (Redirect message)

Someone may ask: who would do that? If an environment is compromised, will a hacker search for virtual servers to use as routers? No, not at all. Most of the time this happens accidentally, caused by a developer or by a large IT department with a lot of system administrators who want to test something.

Also, why not use it as one more layer of protection for virtual servers? Probably in large environments. As IT pros we know that we can never protect our environments 100%. The best practice in security is to have multiple layers of protection in an environment.

But let's also read another view from Ben Armstrong at https://blogs.msdn.microsoft.com/virtual_pc_guy/2014/03/25/hyper-v-networking-router-guard/

So let's explain how to enable this feature.

Enable Router Guard in HYPER-V

  • Open HYPER-V Manager.
  • Select the Virtual Server that you want to apply the Router Guard feature.
  • Click Settings from the right side.

  • Expand Network Adapters.
  • Click Advanced Features.
  • On the right side, check Enable Router advertisement Guard.

If you would like to enable Router Guard on all virtual machines at once, type the following PowerShell command on the HYPER-V host:

Set-VMNetworkAdapter * -RouterGuard On

It's very easy to enable this feature and add one more Layer of protection in your environment.
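
The two all-at-once commands above also switch the guards on for any virtual server that is supposed to hand out DHCP leases or route traffic, which would block it as well. The following PowerShell is an added example, not part of the original post: it enables both guards on every virtual NIC except those of VMs on an allow-list, previews the changes with -WhatIf first, then lists the resulting state. The VM names DHCP01 and RRAS01 and the function name Enable-GuardBaseline are hypothetical.

```powershell
# Added example. Run in an elevated PowerShell session on the HYPER-V host
# (uses the Hyper-V PowerShell module that ships with the Hyper-V role).

# Assumption: hypothetical names of the VMs that are allowed to answer DHCP
# requests or to route traffic. Replace them with the names in your environment.
$AuthorizedDhcpVMs   = @('DHCP01')
$AuthorizedRouterVMs = @('RRAS01')

function Enable-GuardBaseline {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string[]]$DhcpExempt   = @(),
        [string[]]$RouterExempt = @()
    )
    foreach ($nic in (Get-VM | Get-VMNetworkAdapter)) {
        # Collect only the settings that actually need to change on this NIC.
        # Adapters of exempt VMs are left exactly as they are.
        $change = @{}
        if ($DhcpExempt -notcontains $nic.VMName -and $nic.DhcpGuard -ne 'On') {
            $change['DhcpGuard'] = 'On'
        }
        if ($RouterExempt -notcontains $nic.VMName -and $nic.RouterGuard -ne 'On') {
            $change['RouterGuard'] = 'On'
        }
        if ($change.Count -eq 0) { continue }

        $target = '{0} / {1}' -f $nic.VMName, $nic.Name
        $action = 'Enable ' + (($change.Keys | Sort-Object) -join ', ')
        if ($PSCmdlet.ShouldProcess($target, $action)) {
            Set-VMNetworkAdapter -VMNetworkAdapter $nic @change
        }
    }
}

# 1. Preview: prints what would change, modifies nothing.
Enable-GuardBaseline -DhcpExempt $AuthorizedDhcpVMs -RouterExempt $AuthorizedRouterVMs -WhatIf

# 2. Apply the baseline.
Enable-GuardBaseline -DhcpExempt $AuthorizedDhcpVMs -RouterExempt $AuthorizedRouterVMs

# 3. Audit: any adapter still showing Off should belong to an authorized VM.
Get-VM | Get-VMNetworkAdapter |
    Select-Object VMName, Name, SwitchName, DhcpGuard, RouterGuard |
    Sort-Object VMName |
    Format-Table -AutoSize
```

Running step 3 on its own at regular intervals shows adapters of newly created VMs, which start with both guards off.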

 

Come and discuss the performance impact of these features in our comment system. Have you enabled them? Did you have performance issues after enabling them?