15 Principles of Hyper-V Security
These days, safety is the most important thing for IT-companies. Before you introduce a new technology into production field, IT administrators must consider security and minimize the threat of attack. In this article we give 15 key points, observing that you can be sure that your virtual environment in safety and works as it should.
- Install the Hyper-V role on a Server Core installation
For the security reasons, we recommend that you always install the Hyper-V role on a Server Core installation, instead of using the full version of the Windows operating system. The lack of GUI in Server Core reduces the attack surface. A client not installed management files of the Hyper-V, and it reduces the opportunities for attacks. Use a Server Core installation to a physical computer with Hyper-V provides three key advantages in security:
- Minimize the chance of attacks by managing operating system;
- Decreasing the digital footprint;
- The system works better, and fewer components need to be updated;
- Authority (data) for Hyper-V services login
Never change the default security settings for Hyper-V services. Alerts can cause Hyper-V to stop working. Replace the security context used Hyper-V can allow anyone to control the entire hypervisor.
- Blocking unneeded ports
You do not need to configure any other role/service on the server running Hyper-V. Installed application server will listen to static ports. Always browse the ports that look on a server, and block them if necessary.
- Configure the default Hyper-V
Always check the settings of the default Hyper-V before you run it on a regular Wednesday. By default, virtual server files stored locally. It is always a good idea to change the storage location on the more protected disk.
- Use a BitLocker in the parent partition
As we know that the BitLocker is integrating into Windows, and I am recommending that you run it for those volumes, where Hyper-V is storing those files and virtual servers. Physical protection by BitLocker is present even in the off server.
You could protect the data on a disk even if someone stole it. BitLocker protects your data and attacking different OS, as well as in applying the hacker to access the contents of the drive.
Note: Virtual Servers is not supporting a BitLocker. I would recommend use BitLocker only for Hyper-V.
- Do not use the built-in administrator accounts
Do not use a local administrator account by default to manage the virtual machines and Hyper-V system. Instead, create a new Active Directory group and control using Authorization Manager to delegate her task to manage virtual machines.
- Always place the antivirus on the server
You always have to make sure that when Installing antivirus they will be intercepted by malicious actions on Hyper-V server level. Also, make sure that you update the anti-virus.
- Always install the latest integration components update
Integration components provide the VMBUS and VSP/VSC, which provide secure communications between virtual machines and hypervisor. Installing antivirus are always up to date with each new release of Hyper-V. You have to download the latest version of the components from the Microsoft website and update all virtual machines.
- Do not install any applications on the Hyper-V parent partition
Hyper-V server is using only for the tasks which are mostly corresponding to Hyper-V. Unnecessary applications on the server may interfere with the Hyper-V processes that may be unsafe.
- Protect files and Hyper-V virtual machine files
Always protect Archives and Hyper-V virtual servers. Because this type of data is storing in VHD files, anyone who has access to VHD files can access it.
- Unplug unused machines
Do not use machines that bear no significant features. If you run any of the servers, make sure that you are detaching them from the Hyper-V switches to which are connecting to other servers. Anyone who has access to the right servers may intervene in production field over a network.
- Always use a Firewall and block unwanted features
As soon as you start Hyper-V Manager on the Windows Server, the server provides firewall communication rights necessary for Hyper-V. Make sure that no additional firewall rights not given.
- Providing pictures and control points
A snapshot is a virtual machine at a particular point in time to which you can return the car. We recommend that you store the snapshots and checkpoints that you create, along with the related .vhd files in a safe place.
- Leverage virtual server OS
Use one and the same pattern of enhanced OS for all virtual machines to ensure the same level of security. Also, make sure that the anti-virus is running and turned off unnecessary components.
- Activate auditing
File system protection can prevent unauthorized access to VHD files. Enabling object access auditing, you will be able to identify potentially malicious users.
For more detail information refer to Microsoft Hyper-V official web page and all other related sources which we provided below: