Security is an important step in any IT task or project. As more and more companies move to virtualization, security is more important than ever before. Planning security for your HYPER-V host servers is a critical step in any virtualization deployment. In this article I will try to give best practices for any IT team that decides to move to, or already runs, a virtualization environment.
These are not easy steps, but they are necessary to be protected.
Let's Start!!
Server Core Installation
Before you start to deploy Windows Server as a HYPER-V host, keep in mind that a Server Core installation is preferred for security reasons. This means that no GUI environment exists. Server Core provides a server environment with functionality scaled back to core server features, and because of its limited features, it has reduced servicing and management requirements.
Because Server Core has fewer system services running than a Full Installation, it offers fewer possibilities for malicious attacks on the server. But how can you proceed with a Server Core installation? Unfortunately, for Windows Server 2008 R2 you must reinstall the OS and proceed with the selection as follows.
But in Windows Server 2012 you can run a PowerShell command and turn the server into Server Core. I wrote an article about this great feature, Turn in System Core from Full Installation Windows Server 2012, but here I will give a quick explanation, and if you want more details go in
- Open PowerShell as Administrator and run the following command
Remove-WindowsFeature User-Interfaces-Infra -Restart
When it finishes, the server will restart and that's it. You have turned your Full Installation into Server Core.
Keep the HYPER-V Host up to date
Keep the HYPER-V host up to date with all security updates and hotfixes from Microsoft. This may sound obvious, but believe me, I know organizations that don't use Windows Update on Windows Servers running critical systems. There are different ways to make sure all your Windows Servers and Windows clients are up to date. For example, you can use a WSUS server to send all Windows updates to your Windows Servers without needing to do it for every server individually.
If you don't want to install a WSUS server, at least schedule Windows Update on your HYPER-V host to run every Sunday, so you will be sure that you are up to date.
If you are interested in WSUS Server, you can find any information you want at https://technet.microsoft.com/en-us/windowsserver/bb332157.aspx
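One way to apply the Sunday schedule without WSUS and to check that the host is actually being patched (an added example, not part of the original article). The 03:00 install time and the 35-day threshold are assumptions; the registry values are the standard Windows Update policy settings.

```powershell
# Added example: schedule Windows Update for every Sunday and verify patch recency.
# Run in an elevated PowerShell session on the Hyper-V host.
$au = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'

# Create the policy key only if it is missing, so existing policy values are left alone.
if (-not (Test-Path $au)) { New-Item -Path $au -Force | Out-Null }

$settings = @{
    NoAutoUpdate         = 0   # automatic updates enabled
    AUOptions            = 4   # 4 = download automatically and install on the schedule
    ScheduledInstallDay  = 1   # 0 = every day, 1 = Sunday ... 7 = Saturday
    ScheduledInstallTime = 3   # hour of day, 0-23 (03:00 is an assumed maintenance window)
}
foreach ($name in $settings.Keys) {
    Set-ItemProperty -Path $au -Name $name -Value $settings[$name] -Type DWord
}

# Report how old the most recent installed hotfix is.
function Test-PatchRecency {
    param([int]$MaxAgeDays = 35)   # assumed threshold: one monthly cycle plus slack
    $last = Get-HotFix | Where-Object { $_.InstalledOn } |
            Sort-Object InstalledOn -Descending | Select-Object -First 1
    if (-not $last) {
        # No dated hotfix at all is treated as non-compliant.
        return New-Object psobject -Property @{
            Compliant = $false; LastHotFix = $null; AgeDays = $null
        }
    }
    $age = [int]((Get-Date) - $last.InstalledOn).TotalDays
    New-Object psobject -Property @{
        Compliant  = ($age -le $MaxAgeDays)
        LastHotFix = $last.HotFixID
        AgeDays    = $age
    }
}

Test-PatchRecency
```

On a domain-joined host, Group Policy that configures the same values takes precedence over these local settings at the next policy refresh.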
Limit Administrators
If you are the only IT administrator, this does not concern you. But if you are in an IT department you must be careful with the type of access that you give. If you have a system admin responsible for HYPER-V, then give administrator permissions only for HYPER-V itself and not full admin rights on the server.
In Windows Server 2012, when you install HYPER-V a new local group named HYPER-V Administrators is created, and you can add any user who needs access to HYPER-V only, without that user being in the Administrators group.
In Windows Server 2008 R2 there is no local group named HYPER-V Administrators, but you can use Authorization Manager to delegate access to HYPER-V. In this article I will not explain how to do it, but one of my next articles will discuss this tool.
If you are interested, open the official Microsoft link, where you can find all the details: https://technet.microsoft.com/en-us/library/cc726036.aspx
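Delegating Hyper-V-only rights on Windows Server 2012 and then checking who still holds full Administrators rights, as an added example that is not from the original article. The account CONTOSO\hvadmin and the allowlist entries are hypothetical, and the group names assume an English-language installation.

```powershell
# Added example. Account names below are hypothetical placeholders.
$hvOperator    = 'CONTOSO\hvadmin'
$allowedAdmins = @("$env:COMPUTERNAME/Administrator", 'CONTOSO/Domain Admins')

# Grant Hyper-V management only; the account is NOT added to Administrators.
net localgroup "Hyper-V Administrators" $hvOperator /add

# List the members of a local group through the ADSI WinNT provider.
function Get-LocalGroupMemberName {
    param([Parameter(Mandatory = $true)][string]$Group)
    $adsi = [ADSI]"WinNT://$env:COMPUTERNAME/$Group,group"
    foreach ($m in @($adsi.psbase.Invoke('Members'))) {
        $path = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        # WinNT://CONTOSO/user or WinNT://DOMAIN/HOST/user -> keep the last two parts
        (($path -replace '^WinNT://', '') -split '/')[-2..-1] -join '/'
    }
}

# Members of the local Administrators group that are not on the allowlist.
function Get-UnexpectedAdmin {
    param([string[]]$Allowed)
    Get-LocalGroupMemberName -Group 'Administrators' |
        Where-Object { $Allowed -notcontains $_ }
}

'Hyper-V Administrators members:'
Get-LocalGroupMemberName -Group 'Hyper-V Administrators'

'Unexpected full administrators:'
Get-UnexpectedAdmin -Allowed $allowedAdmins
```

An orphaned SID left behind by a deleted account does not match the allowlist and is reported as unexpected.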
Use Separate Networks with Dedicated Cards
Don't use the same network for the management operating system of the HYPER-V host. Use separate networks with dedicated network cards in your server. Separate networks can be achieved with VLANs, and I explain how to dedicate a network card to the virtual machines in the previous article Best Practices for Physical Servers hosting HYPER-V Roles.
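A check for the setting this recommendation comes down to on Windows Server 2012, whether an external virtual switch is shared with the management operating system (an added example, not from the original article or the linked one). The switch name VM-External and the adapter name NIC2 are hypothetical.

```powershell
# Added example. 'VM-External' and 'NIC2' are hypothetical names.
Import-Module Hyper-V

# External switches that also expose a virtual NIC to the management OS:
# VM traffic and host management share the same physical card.
function Get-SharedExternalSwitch {
    Get-VMSwitch -SwitchType External |
        Where-Object { $_.AllowManagementOS } |
        Select-Object Name, NetAdapterInterfaceDescription, AllowManagementOS
}

Get-SharedExternalSwitch

# Weak: the VM switch shares its physical card with the management OS.
#   New-VMSwitch -Name 'VM-External' -NetAdapterName 'NIC2' -AllowManagementOS $true
# Preferred: the card is dedicated to virtual machines only.
New-VMSwitch -Name 'VM-External' -NetAdapterName 'NIC2' -AllowManagementOS $false

# An existing switch can be changed in place. Do this only when management
# uses a different card, or the host loses its management connection:
#   Set-VMSwitch -Name 'VM-External' -AllowManagementOS $false
```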
Antivirus/Antimalware
Don't install antivirus/antimalware software on the HYPER-V host if you can keep all the security recommendations. For example, if only you have access and you keep it up to date with security updates every day, then don't install antivirus/antimalware on your HYPER-V host.
But if company policy requires antivirus, then install it but exclude the following processes, folders and files from the scan:
- Process Vmms.exe
- Process Vmwp.exe
- Folders that contain virtual machine configuration files.
- Folders that contain virtual machine hard disks.
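Building the exclusion list from the host's real configuration rather than typing paths by hand, as an added example that is not from the original article. It uses the Hyper-V PowerShell module of Windows Server 2012; how the resulting list is loaded into the antivirus product depends on the product and is not shown.

```powershell
# Added example: collect the antivirus exclusions listed above from the live host.
Import-Module Hyper-V

function Get-HyperVAvExclusion {
    $vmHost  = Get-VMHost
    # Host-wide default locations for VM configuration and virtual hard disks
    $folders = @($vmHost.VirtualMachinePath, $vmHost.VirtualHardDiskPath)

    # Folders holding each VM's configuration files
    $folders += @(Get-VM | ForEach-Object { $_.ConfigurationLocation })

    # Folders holding virtual hard disks (pass-through disks have no file path)
    $folders += @(Get-VM | Get-VMHardDiskDrive |
        Where-Object { $_.Path -match '\.a?vhdx?$' } |
        ForEach-Object { Split-Path -Parent $_.Path })

    $folders = $folders | Where-Object { $_ } |
        ForEach-Object { $_.TrimEnd('\') } | Sort-Object -Unique

    # Vmms.exe = Virtual Machine Management Service, Vmwp.exe = VM worker process
    foreach ($p in 'Vmms.exe', 'Vmwp.exe') {
        New-Object psobject -Property @{ Type = 'Process'; Value = $p }
    }
    foreach ($f in $folders) {
        # A bare drive root would exempt the whole volume from scanning: flag it.
        $kind = 'Folder'
        if ($f -match '^[A-Za-z]:$') { $kind = 'Folder (drive root, review!)' }
        New-Object psobject -Property @{ Type = $kind; Value = $f }
    }
}

Get-HyperVAvExclusion | Format-Table Type, Value -AutoSize
```

Re-run it after adding or moving virtual machines, since their folders change and the exclusion list should stay as narrow as the current layout allows.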
Limit Software Installation in Parent Partition
If you use Server Core then you can't install any other software. This is another advantage of the Server Core installation. But if you prefer to use the Full Installation, don't install any other software. You don't need it on your HYPER-V host, and it is sure to increase the exposure of your server to malicious attacks.
These are some security recommendations for your HYPER-V host. You can start from here and implement these 5 recommendations one by one. You can find a lot of recommendations on the Internet, but you must think and plan based on the size of your environment.
Do you think more recommendations should be added? Do you have questions about how to implement them in an existing virtualization environment? Tell us your opinion in the comments.