Windows Server 2012 Hyper-V has some advanced features that are not often used, but they can protect you from various incidents or security issues in your environment.
Small environments that use Hyper-V may not need these advanced features, but in large environments with a lot of virtual servers they may be very useful.
DHCP Guard and Router Guard are the advanced features that I will discuss today.
So let's start.
What is DHCP Guard
Before explaining how to enable these features, I prefer to explain in a few words what DHCP Guard is.
To begin, let me explain what a rogue DHCP server is. According to https://en.wikipedia.org/wiki/Rogue_DHCP, it is a DHCP server on the network which is not under administrative control. It may be used for network attacks, or it may be installed by someone in the company for test purposes and cause serious problems in the network.
The DHCP Guard feature prevents servers from acting as DHCP servers, and Hyper-V knows which one is the real DHCP server.
When you enable this feature on a virtual server, the specific virtual NIC is prevented from sending DHCP Offers.
So if someone accidentally installs a DHCP server or uses one for network attacks, DHCP Guard prevents it from acting as a DHCP server and
Enable DHCP Guard in Hyper-V
How can you enable this feature on the Hyper-V host?
- Open Hyper-V Manager.
- Select the virtual server to which you want to apply the DHCP Guard feature.
- Click Settings from the right side.
- Expand Network Adapters.
- Click Advanced Features.
- On the right side, check Enable DHCP Guard.
If you would like to enable DHCP Guard on all virtual machines at once, type the following PowerShell command on the Hyper-V host:
Set-VMNetworkAdapter * -DhcpGuard On
What is Router Guard
If you work with Windows Server or hold a Microsoft certification, you know that a Windows Server can act as a router. Router Guard is a feature in Windows Server 2012 R2 which prevents a guest OS from acting as a router.
In technical terms, Router Guard blocks the following packets:
- ICMPv4 Type 5 (Redirect message)
- ICMPv4 Type 9 (Router Advertisement)
- ICMPv6 Type 134 (Router Advertisement)
- ICMPv6 Type 137 (Redirect message)
Someone may ask: who would do that? Or, if an environment is compromised, will a hacker search for virtual servers to use as routers? No, not at all. Most of the time this happens accidentally, caused by a developer or by a large IT department with a lot of system administrators who want to test something.
Also, why not use it as one more layer of protection for virtual servers, probably in large environments? As IT pros we know that we can never protect our environments 100%. The security best practice is multiple layers of protection in an environment.
But let's read an alternative view from Ben Armstrong at https://blogs.msdn.microsoft.com/virtual_pc_guy/2014/03/25/hyper-v-networking-router-guard/
So let's explain how to enable this feature.
Enable Router Guard in Hyper-V
- Open Hyper-V Manager.
- Select the virtual server to which you want to apply the Router Guard feature.
- Click Settings from the right side.
- Expand Network Adapters.
- Click Advanced Features.
- On the right side, check Enable Router advertisement Guard.
If you would like to enable Router Guard on all virtual machines at once, type the following PowerShell command on the Hyper-V host:
Set-VMNetworkAdapter * -RouterGuard On
It's very easy to enable this feature and add one more layer of protection to your environment.
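The wildcard commands above also turn the guards on for any VM that is supposed to hand out leases or route traffic, which blocks its DHCP offers or router advertisements. The following PowerShell is an added example (not part of the original post) that reports the guard state of every virtual NIC and enables both guards everywhere except on an allow-list; the VM names DC01 and RRAS01 and the $Apply switch are assumptions.

```powershell
# Added example: audit DHCP Guard / Router Guard on every virtual NIC and
# enable both everywhere except on VMs that must act as DHCP server or router.
# Run on the Hyper-V host in an elevated PowerShell session.

# Assumptions (hypothetical names, replace with your own):
$DhcpServerVMs = @('DC01')     # VMs that legitimately hand out DHCP leases
$RouterVMs     = @('RRAS01')   # VMs that legitimately route traffic
$Apply         = $false        # $false = report only, $true = change settings

$adapters = Get-VM | Get-VMNetworkAdapter

# 1. Report the current state so exceptions and gaps are visible.
$adapters |
    Sort-Object VMName, Name |
    Format-Table VMName, Name, SwitchName, DhcpGuard, RouterGuard -AutoSize

# 2. Compute the wanted state per adapter and fix only the ones that differ.
foreach ($nic in $adapters) {
    $wantDhcp   = if ($DhcpServerVMs -contains $nic.VMName) { 'Off' } else { 'On' }
    $wantRouter = if ($RouterVMs     -contains $nic.VMName) { 'Off' } else { 'On' }

    if ("$($nic.DhcpGuard)" -eq $wantDhcp -and "$($nic.RouterGuard)" -eq $wantRouter) {
        continue   # already compliant
    }

    $msg = '{0} [{1}]: DhcpGuard {2} -> {3}, RouterGuard {4} -> {5}' -f $nic.VMName, $nic.Name,
        $nic.DhcpGuard, $wantDhcp, $nic.RouterGuard, $wantRouter

    if ($Apply) {
        Set-VMNetworkAdapter -VMNetworkAdapter $nic -DhcpGuard $wantDhcp -RouterGuard $wantRouter
        Write-Output "CHANGED  $msg"
    } else {
        Write-Output "WOULD CHANGE  $msg"
    }
}
```

Run it once with $Apply set to $false to review the planned changes, then set it to $true to apply them.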
Come and discuss the performance impact of these features in our comment system. Have you enabled them? Did you have performance issues after enabling them?