Posts Tagged ‘Windows Server’

Shielded VMs: Virtualization security is a major investment area in Hyper-V 2016

May 11, 2016

SECURITY – Protecting the company data should be a priority.


Protecting a virtual machine (VM) guest from a possibly compromised host, and being certain that in a third-party hosting environment your VM is protected in addition to the protection applied to the hosts, is a major investment area in Hyper-V 2016.


Taking into consideration that a VM is a file, stored on a storage system or locally on the Hyper-V host, it needs to be protected from attacks on the storage system and the network, and while it is being backed up or copied to other systems.

To help protect against a compromised fabric, Windows Server 2016 Hyper-V introduces Shielded VMs. A Shielded VM must be created as a generation 2 VM, which has a virtual TPM; it is encrypted using BitLocker and can only run on healthy and approved hosts in the fabric. So, if someone copies the VM, either maliciously or accidentally, to a non-approved host, the VM (which is encrypted) won’t start and cannot be mounted to gain access to its file system.

Shielded VMs use several features to make it harder for host administrators and malware on the host to inspect, tamper with, or steal data from the state of a shielded virtual machine. Data and state are encrypted, Hyper-V administrators can’t see the video output and disks, and the virtual machines can be restricted to run only on known, healthy hosts, as determined by a Host Guardian Service.

A configured Shielded VM has:

  • BitLocker encrypted disks
  • A hardened VM worker process (VMWP) that helps prevent inspection and tampering
  • Automatically encrypted live migration traffic as well as encryption of its runtime state file, saved state, checkpoints and even Hyper-V Replica files (from 2016 TP5)
  • Blocked console access
  • Blocked PowerShell Direct
  • Blocked Guest File Copy Integration Components
  • Blocked services that provide possible paths from a user or process with administrative privileges to the VM.




With the release of Windows Server 2016 TP5, the Hyper-V team at Microsoft made shielded virtual machines compatible with Hyper-V Replica. As with copying/moving the VM, to replicate a shielded VM, the host you want to replicate to must be authorized to run that shielded VM.

The Host Guardian Service supports two different deployments of a Guarded fabric (attestation modes): TPM-trusted attestation (Hardware based) and Admin-trusted attestation (AD based).

I hope you walk away with a better understanding of the Hyper-V Shielded VM solution from this post.


Comparing Windows Server Networking features: W2012 x W2008

December 10, 2012

Windows 2012: Feature rich, extensible, all there in the box, no compromises

| Networking feature | Windows Server 2008 | Windows Server 2008 R2 | Windows Server 2012 |
|---|---|---|---|
| NIC Teaming | Yes, via partners | Yes, via partners | Windows NIC Teaming in box |
| VLAN Tagging | Yes | Yes | Yes |
| MAC Spoofing Protection | No | Yes, with R2 SP1 | Yes |
| ARP Spoofing Protection | No | Yes, with R2 SP1 | Yes |
| SR-IOV Networking | No | No | Yes |
| Network QoS | No | No | Yes |
| Network Metering | No | No | Yes |
| Network Monitor Modes | No | No | Yes |
| IPsec Task Offload | No | No | Yes |
| VM Trunk Mode | No | No | Yes |

Windows 2012 Hyper-V Advanced Network Security: DHCP Guard, Router Guard, Port Mirroring

November 27, 2012

Windows 2012 Hyper-V brought a lot of new features. There are many improvements in security as well:

DHCP Guard is a security feature that drops DHCP server messages from unauthorized virtual machines pretending to be DHCP servers.
Router Guard is a security feature that drops Router Advertisement and Redirection messages from unauthorized virtual machines pretending to be routers.
Port Mirroring duplicates all egress and ingress traffic to/from one or more switch ports (being monitored) to another switch port (performing monitoring).

These settings are configured per Virtual Machine and Virtual Switch. To configure them:

  1. Open the Hyper-V Manager and then select the Virtual Machine (e.g. W2012-FS01)
  2. On the right panel, click on Settings.
  3. Select the Virtual Switch (e.g. v-External-Wired) you want to configure and expand Advanced Features.
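
The same settings can be audited and enforced across a host from PowerShell with the Hyper-V module's Get-VMNetworkAdapter and Set-VMNetworkAdapter cmdlets. This is an added example, not part of the original post; the function name Set-GuestNetworkGuards, its allowlist parameters and the VM name W2012-DHCP01 are hypothetical.

```powershell
#Requires -Modules Hyper-V
# Added example (not from the original post). Set-GuestNetworkGuards and its
# allowlist parameters are hypothetical names chosen for this illustration.
function Set-GuestNetworkGuards {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string[]]$AuthorizedDhcpVMs   = @(),  # VMs that legitimately run a DHCP server
        [string[]]$AuthorizedRouterVMs = @()   # VMs that legitimately route or send RAs
    )
    foreach ($nic in (Get-VM | Get-VMNetworkAdapter)) {
        # Guards stay Off only for VMs explicitly allowed to act as DHCP server or router.
        $wantDhcp   = if ($AuthorizedDhcpVMs   -contains $nic.VMName) { 'Off' } else { 'On' }
        $wantRouter = if ($AuthorizedRouterVMs -contains $nic.VMName) { 'Off' } else { 'On' }
        $drift = ("$($nic.DhcpGuard)" -ne $wantDhcp) -or ("$($nic.RouterGuard)" -ne $wantRouter)

        $changed = $false
        $target  = "$($nic.VMName) / $($nic.Name) on switch '$($nic.SwitchName)'"
        if ($drift -and $PSCmdlet.ShouldProcess($target, "DhcpGuard=$wantDhcp, RouterGuard=$wantRouter")) {
            $nic | Set-VMNetworkAdapter -DhcpGuard $wantDhcp -RouterGuard $wantRouter
            $changed = $true
        }

        # One report row per vNIC. Mirroring mode is included for review, because a
        # mirror destination port receives a copy of the source port's traffic.
        [pscustomobject]@{
            VMName          = $nic.VMName
            Adapter         = $nic.Name
            Switch          = $nic.SwitchName
            DhcpGuardWas    = "$($nic.DhcpGuard)"
            RouterGuardWas  = "$($nic.RouterGuard)"
            PortMirroring   = "$($nic.PortMirroringMode)"
            Drift           = $drift
            Changed         = $changed
        }
    }
}

# Dry run first: -WhatIf reports drift without changing any adapter.
# W2012-DHCP01 is a constructed name for the one VM allowed to serve DHCP.
Set-GuestNetworkGuards -AuthorizedDhcpVMs 'W2012-DHCP01' -WhatIf | Format-Table -AutoSize
```

Run it without -WhatIf from an elevated session on the Hyper-V host to apply the changes.
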

Find out what hotfix or update replaces other Windows updates

February 18, 2012

Sometimes you need a hotfix but find that it is currently unavailable for online request. Here is how to find a superseding hotfix.

I found the procedure on this wiki page: