Posts Tagged ‘tp5’

Shielded VMs: Virtualization security is a major investment area in Hyper-V 2016

May 11, 2016

SECURITY – Protecting the company data should be a priority.

Protecting a Virtual Machine (VM) guest from a possibly compromised host, as well as having the certainty that in a third-party hosting environment your VM will be protected in addition to the protection applied to the hosts, is a major investment area in Hyper-V 2016.

If you find that Microsoft is helping you and your business and that it has amazing technologies, as I do, please help me out by recommending it on Recomazing, a new tech platform where socially connected networks store and share trusted recommendations. Please click here to help our community.

Taking into consideration that a VM is a file, stored either on a storage system or locally on the Hyper-V host, it needs to be protected from attacks on the storage system and the network, and while it is backed up, moved, or copied to other systems.

To help protect against a compromised fabric, Windows Server 2016 Hyper-V introduces Shielded VMs. A Shielded VM must be created as a generation 2 VM, which has a virtual TPM, is encrypted using BitLocker, and can only run on healthy and approved hosts in the fabric. So, if someone copies the VM, either maliciously or accidentally, to a non-approved host, the VM (which is encrypted) won’t start and cannot be mounted to allow access to its file system.

Shielded VMs use several features to make it harder for host administrators and malware on the host to inspect, tamper with, or steal data from the state of a shielded virtual machine. Data and state are encrypted, Hyper-V administrators can’t see the video output and disks, and the virtual machines can be restricted to run only on known, healthy hosts, as determined by the Host Guardian Service.

A configured Shielded VM has:

  • BitLocker encrypted disks
  • A hardened VM worker process (VMWP) that helps prevent inspection and tampering
  • Automatically encrypted live migration traffic, as well as encryption of its runtime state file, saved state, checkpoints and even Hyper-V Replica files (from 2016 TP5)
  • Blocked console access
  • Blocked PowerShell Direct
  • Blocked Guest File Copy Integration Components
  • Blocked services that provide possible paths from a user or process with administrative privileges to the VM.

With the release of Windows Server 2016 TP5, the Hyper-V team at Microsoft made shielded virtual machines compatible with Hyper-V Replica. As with copying or moving the VM, to replicate a shielded VM the host you want to replicate to must be authorized to run that shielded VM.

The Host Guardian Service supports two different deployments of a guarded fabric (attestation modes): TPM-trusted attestation (hardware based) and Admin-trusted attestation (Active Directory based).
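As an added example (not code from the original post), the following PowerShell audit turns the checklist above and the two attestation modes into checks a fabric operator can run on a host before trusting that a VM is actually shielded there. It assumes the Hyper-V and HgsClient modules of Windows Server 2016 and the property names they expose (Mode, AttestationStatus, AttestationOperationMode, Generation, TpmEnabled, Shielded, EncryptStateAndVmMigrationTraffic); the VM name is a placeholder to replace.

```powershell
# Added example: audit one VM and the local host against the Shielded VM checklist.
# Assumes the Hyper-V and HgsClient modules of Windows Server 2016; the VM name
# 'placeholder-vm' is a placeholder to replace with a real VM on this host.
param([string]$VMName = 'placeholder-vm')

$findings = New-Object System.Collections.Generic.List[string]

# Host side: is this host guarded and currently attested by the Host Guardian Service?
$hgs = Get-HgsClientConfiguration
if ($hgs.Mode -ne 'HostGuardianService') {
    $findings.Add("Host is in '$($hgs.Mode)' mode, not guarded by HGS")
}
if ($hgs.AttestationStatus -ne 'Passed') {
    $findings.Add("Host attestation status is '$($hgs.AttestationStatus)', not 'Passed'")
}
# Tpm = TPM-trusted (hardware based), ActiveDirectory = Admin-trusted (AD based)
"Attestation mode on this host: $($hgs.AttestationOperationMode)"

# VM side: generation 2, virtual TPM, shielding flag, encrypted state and migration traffic
$vm  = Get-VM -Name $VMName
$sec = Get-VMSecurity -VMName $VMName
if ($vm.Generation -ne 2) { $findings.Add('VM is not generation 2') }
if (-not $sec.TpmEnabled) { $findings.Add('Virtual TPM is not enabled') }
if (-not $sec.Shielded)   { $findings.Add('Shielded flag is not set') }
if (-not $sec.EncryptStateAndVmMigrationTraffic) {
    $findings.Add('Runtime state and live migration traffic are not encrypted')
}

# Guest File Copy runs over the Guest Service Interface; a shielded VM keeps it blocked
$gsi = Get-VMIntegrationService -VMName $VMName -Name 'Guest Service Interface'
if ($gsi.Enabled) { $findings.Add('Guest Service Interface (file copy) is enabled') }

if ($findings.Count -eq 0) {
    "$VMName : all shielding checks passed on this host"
} else {
    $findings | ForEach-Object { "$VMName : $_" }
}
```

Run it elevated on the Hyper-V host; any line it prints other than the attestation mode is a gap between the checklist and what the host and VM actually enforce.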

I hope you walk away with a better understanding of the Hyper-V Shielded VM solution from this post.

Hyper-V 2016 TP5: Hyper-V Manager console new features

April 28, 2016

Here is some important information about the improvements Microsoft released for Hyper-V Manager in TP5:

  • Alternate credentials support. You can now use a different set of credentials in Hyper-V Manager when you connect to another Windows Server 2016 TP5 or Windows 10 remote host. You can also save these credentials to make it easier to log on again.
  • Previous version management: the new Hyper-V Manager will allow you to manage computers running Hyper-V on Windows Server 2012/R2 and Windows 8.x client versions.
  • Updated management protocol: Hyper-V Manager has been updated to communicate with remote Hyper-V hosts using the WS-MAN protocol, which permits CredSSP, Kerberos or NTLM authentication. When you use CredSSP to connect to a remote Hyper-V host, you can do a live migration without enabling constrained delegation in Active Directory. The WS-MAN-based infrastructure also makes it easier to enable a host for remote management. WS-MAN connects over port 80, which is open by default.
  • No more Integration Services for Windows virtual machines. Updates to integration services for Windows guests are distributed through Windows Update. For service providers and hosting companies, this puts the control of applying updates into the hands of the tenants who own the virtual machines. Customers (tenant administrators) can now update their Windows virtual machines with all updates, including the integration services, using a single method.
  • Integration services for Linux and FreeBSD virtual machines. Hyper-V supports both emulated and Hyper-V-specific devices for Linux and FreeBSD virtual machines. Linux Integration Services (LIS) or FreeBSD Integration Services (BIS), the collection of drivers that are required to run Hyper-V-specific devices, has been added to the Linux kernel and is updated for new releases, but Linux distributions based on older kernels may not have the latest enhancements or fixes. Microsoft provides a download containing installable LIS drivers for some Linux installations based on these older kernels.
    Note: As some Linux distributions include versions of LIS, make sure you install the latest downloadable version of LIS, if applicable, for your installation.

Download: