You can't maintain Hyper-V security using a single product or setting; instead, you should simplify your deployment and carefully consider your settings and hardening practices.
Hyper-V security starts with host OS security. Simplify the production host: deploy only the minimal Windows Server installation (Server Core), the Hyper-V role and the software the host genuinely needs to perform its task.
This simplification removes potential points of attack, and it also shrinks the volume of patches the host has to absorb. Aggressively update the OS, drivers and system firmware with security-related patches. Tools such as Microsoft's Security Compliance Toolkit provide established security baselines for Windows Server and Hyper-V and help you compare the host's actual configuration against them.
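The following script is an added example, not code from the original article: it audits a Hyper-V host against the minimal-footprint principle described above, reporting the installation type, installed roles and features outside an allow-list, the age of the newest installed update and the firmware version. The role allow-list, the feature deny-list and the 35-day patch window are assumptions for a standalone Hyper-V host; adjust them to your own baseline (clustered hosts, for instance, legitimately carry Failover-Clustering).

```powershell
# Added example (not part of the original article): audit a Hyper-V host against a
# minimal-footprint baseline. Run from an elevated PowerShell session on the host.
# The allow-list, deny-list and patch window below are assumptions; adjust them.
$AllowedRoles = @('Hyper-V', 'FileAndStorage-Services')   # FileAndStorage-Services is present by default
$DeniedFeatures = @(
    'Web-Server', 'AD-Domain-Services', 'DNS', 'DHCP', 'Print-Services',
    'Remote-Desktop-Services', 'Server-Gui-Shell', 'Server-Gui-Mgmt-Infra',
    'Telnet-Client', 'PowerShell-V2', 'FS-SMB1'
)
$MaxPatchAgeDays = 35

function Test-HyperVHostBaseline {
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Installation type. Server Core omits the desktop shell, browser and most GUI
    #    components, which shrinks both the attack surface and the patch volume.
    $installType = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').InstallationType
    if ($installType -ne 'Server Core') {
        $findings.Add("Installation type is '$installType'; Server Core is the recommended minimum for a Hyper-V host.")
    }

    # 2. Installed roles outside the allow-list, plus any explicitly unwanted feature.
    $installed = Get-WindowsFeature | Where-Object { $_.Installed }
    foreach ($role in ($installed | Where-Object { $_.FeatureType -eq 'Role' })) {
        if ($role.Name -notin $AllowedRoles) {
            $findings.Add("Unexpected role installed: $($role.Name) ($($role.DisplayName))")
        }
    }
    foreach ($f in ($installed | Where-Object { $_.Name -in $DeniedFeatures })) {
        $findings.Add("Unwanted feature installed: $($f.Name) ($($f.DisplayName))")
    }
    if (-not ($installed | Where-Object { $_.Name -eq 'Hyper-V' })) {
        $findings.Add('Hyper-V role is not installed on this host.')
    }

    # 3. Patch recency. Get-HotFix lists installed updates; InstalledOn is empty for
    #    some entries, so drop those before taking the newest.
    $newest = Get-HotFix | Where-Object { $_.InstalledOn } |
        Sort-Object InstalledOn -Descending | Select-Object -First 1
    if (-not $newest) {
        $findings.Add('No installed updates with an install date were found.')
    } elseif ($newest.InstalledOn -lt (Get-Date).AddDays(-$MaxPatchAgeDays)) {
        $findings.Add("Newest update $($newest.HotFixID) was installed on $($newest.InstalledOn.ToShortDateString()), more than $MaxPatchAgeDays days ago.")
    }

    # 4. Firmware. Currency cannot be judged automatically, so report the version for
    #    comparison against the hardware vendor's current release.
    $bios = Get-CimInstance -ClassName Win32_BIOS
    $firmware = "$($bios.Manufacturer) $($bios.SMBIOSBIOSVersion) ($($bios.ReleaseDate))"

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        InstallationType  = $installType
        Firmware          = $firmware
        InstalledFeatures = (($installed.Name | Sort-Object) -join ', ')
        Findings          = $findings
        Compliant         = ($findings.Count -eq 0)
    }
}

Test-HyperVHostBaseline | Format-List
```

Run it on every host after build and after each change window; a non-empty Findings list is the delta between the host you have and the minimal host the baseline describes. The Security Compliance Toolkit baselines cover registry and policy settings that this script deliberately does not attempt to duplicate.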
Remote management is generally better than local, hands-on management. If you prevent local management, you can keep personnel out of the physical data center and away from actual systems.
Remote management tools offer copious logging and authentication features that can help guard against unauthorized configuration changes, software installations and other possibly malicious actions. Physical servers and storage, such as disk arrays, are typically behind locked racks or cabinets in the data center to prevent physical tampering.
Assign credentials for system management, Hyper-V administration and host OS management with care, and keep the duties separate. A single individual who holds all three can make and approve his or her own changes, so nobody else is positioned to review them. Hyper-V provides its own local Hyper-V Administrators group, so staff who only need to manage VMs do not have to be members of the host's Administrators group.
Boost Hyper-V security using network and encryption policies
A segmented network also hardens the Hyper-V host. Put system management, VM configuration, live migration traffic and VM file access on a separate network with its own network adapter so that none of these channels is reachable from the networks the VMs serve. Live migration in particular moves a running VM's memory across the wire, so isolate it. For added protection, require IPsec on the management network so that management and migration traffic is authenticated and encrypted in transit.
Encrypt storage as well. Enable SMB 3.0 encryption on the file shares that hold VM disks and configuration files, including shares used for SMB-based live migration, and use BitLocker Drive Encryption on the local or cluster volumes that hold VM data. Where storage is reached across an untrusted network, tunnel the traffic through a VPN in addition to the storage-level encryption.
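The following script is an added example, not code from the original article. It applies the network and storage controls just described on one host: live migration pinned to a dedicated subnet with Kerberos authentication, SMB 3.0 encryption on the VM file share with SMB1 disabled, an IPsec rule requiring protection on the management subnet, and a BitLocker status report for the VM volume. The subnets, share name and drive letter are assumptions; substitute your own.

```powershell
# Added example (not part of the original article): isolate and encrypt the management,
# live-migration and storage paths of a Hyper-V host. Run elevated on each host.
# The subnets, share name and volume below are assumptions; substitute your own values.
$MigrationSubnet  = '10.10.50.0/24'   # assumed dedicated live-migration network
$ManagementSubnet = '10.10.40.0/24'   # assumed management network
$VmShareName      = 'VMStore'         # assumed SMB share holding VHDX and config files
$VmVolume         = 'D:'              # assumed local volume holding VM files

function Set-LiveMigrationIsolation {
    # Kerberos (instead of CredSSP) lets you start migrations from a remote management
    # session rather than logging on to the host; it needs constrained delegation in AD.
    Set-VMHost -VirtualMachineMigrationAuthenticationType Kerberos
    # Restrict migration traffic to the dedicated subnet instead of any available network.
    Set-VMHost -UseAnyNetworkForMigration $false
    if (-not (Get-VMMigrationNetwork | Where-Object { $_.Subnet -eq $MigrationSubnet })) {
        Add-VMMigrationNetwork -Subnet $MigrationSubnet
    }
    Enable-VMMigration
}

function Set-VmStorageEncryption {
    # Per-share SMB 3.0 encryption. RejectUnencryptedAccess is on by default, so clients
    # that cannot negotiate SMB 3.x encryption are refused rather than downgraded.
    Set-SmbShare -Name $VmShareName -EncryptData $true -Force
    # SMB1 cannot encrypt; disable it so no downgrade path remains.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
}

function Set-ManagementIPsec {
    # Require IPsec for traffic between hosts on the management subnet. Authentication
    # defaults to computer Kerberos, so both endpoints must be domain members.
    # Caveat: a management client that cannot do IPsec loses access once this applies;
    # stage with -OutboundSecurity Request first and verify from a second session.
    New-NetIPsecRule -DisplayName 'Require IPsec on management subnet' `
        -LocalAddress $ManagementSubnet -RemoteAddress $ManagementSubnet `
        -InboundSecurity Require -OutboundSecurity Require -Profile Domain
}

function Get-VmVolumeBitLockerState {
    $vol = Get-BitLockerVolume -MountPoint $VmVolume
    [pscustomobject]@{
        MountPoint       = $vol.MountPoint
        VolumeStatus     = $vol.VolumeStatus        # e.g. FullyEncrypted / FullyDecrypted
        ProtectionStatus = $vol.ProtectionStatus    # On / Off
        EncryptionMethod = $vol.EncryptionMethod    # e.g. XtsAes256
        Protected        = ($vol.ProtectionStatus -eq 'On')
    }
}

Set-LiveMigrationIsolation
Set-VmStorageEncryption
Set-ManagementIPsec

# Verify what was applied.
Get-VMHost | Select-Object VirtualMachineMigrationAuthenticationType,
    UseAnyNetworkForMigration, VirtualMachineMigrationEnabled
Get-VMMigrationNetwork
Get-SmbShare -Name $VmShareName | Select-Object Name, Path, EncryptData
Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol, RejectUnencryptedAccess
Get-VmVolumeBitLockerState
```

Apply the IPsec rule last and from a console or out-of-band session: if the rule is wrong, remote management over that subnet stops working until it is removed. The BitLocker function only reports; turning protection on for a data volume is a separate, host-specific step.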
Finally, employ a guarded fabric. Hyper-V hosts attest to a Host Guardian Service (HGS) before they can obtain the keys needed to start shielded VMs. Windows Server 2016 offers two attestation modes: admin-trusted attestation, in which the host proves membership in a designated Active Directory security group, and TPM-trusted attestation, which requires UEFI Secure Boot, a TPM 2.0 chip and a measured boot that matches a code-integrity policy the fabric administrator has approved. TPM-trusted attestation is the stronger of the two because it verifies what actually booted on the host rather than which group the host belongs to; Windows Server 2019 adds host key attestation as a replacement for the admin-trusted mode. Either way, guarded fabric ensures that the underlying host is known and trustworthy before a shielded VM's keys are released and the VM starts.
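The following script is an added example, not code from the original article. It checks whether a Hyper-V host meets the hardware prerequisites for TPM-trusted attestation (UEFI Secure Boot and a TPM 2.0) and reports the host's current guarded-fabric state as seen by the HGS client. The Secure Boot and TPM findings are informational if the fabric uses admin-trusted or host key attestation, which do not require them.

```powershell
# Added example (not part of the original article): report a Hyper-V host's readiness for
# TPM-trusted attestation and its current Host Guardian Service (HGS) client status.
# Run from an elevated PowerShell session on the host (Windows Server 2016 or later).
function Test-GuardedHostReadiness {
    $findings = New-Object System.Collections.Generic.List[string]

    # UEFI Secure Boot. Confirm-SecureBootUEFI throws on legacy BIOS/CSM systems,
    # and a non-UEFI host cannot pass TPM-trusted attestation anyway.
    try { $secureBoot = [bool](Confirm-SecureBootUEFI) } catch { $secureBoot = $false }
    if (-not $secureBoot) {
        $findings.Add('UEFI Secure Boot is not enabled; TPM-trusted attestation requires it.')
    }

    # TPM 2.0. The WMI TPM provider reports SpecVersion as e.g. "2.0, 0, 1.38".
    $tpm = Get-CimInstance -Namespace root\cimv2\Security\MicrosoftTpm -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $tpm20 = ($null -ne $tpm) -and ($tpm.SpecVersion -like '2.0*')
    if (-not $tpm20) {
        $findings.Add("No TPM 2.0 found (SpecVersion: '$($tpm.SpecVersion)'); TPM-trusted attestation requires one.")
    }

    # Host Guardian Hyper-V Support must be installed for the host to talk to HGS.
    $hgsFeature = Get-WindowsFeature -Name HostGuardian
    if (-not $hgsFeature.Installed) {
        $findings.Add('The HostGuardian feature is not installed on this host.')
    }

    # HGS client settings: Mode is Local until the host is pointed at an HGS;
    # IsHostGuarded is true only after attestation has passed.
    $hgs = Get-HgsClientConfiguration
    if (-not $hgs.IsHostGuarded) {
        $findings.Add("Host is not guarded (attestation status: $($hgs.AttestationStatus)); it cannot start shielded VMs.")
    }

    [pscustomobject]@{
        ComputerName           = $env:COMPUTERNAME
        SecureBoot             = $secureBoot
        Tpm20                  = $tpm20
        MeetsTpmAttestationHw  = ($secureBoot -and $tpm20)
        HgsMode                = $hgs.Mode
        AttestationMode        = $hgs.AttestationOperationMode   # TPM-, AD- or host-key-based
        AttestationServerUrl   = $hgs.AttestationServerUrl
        KeyProtectionServerUrl = $hgs.KeyProtectionServerUrl
        AttestationStatus      = $hgs.AttestationStatus
        IsHostGuarded          = [bool]$hgs.IsHostGuarded
        Findings               = $findings
    }
}

Test-GuardedHostReadiness | Format-List
```

An IsHostGuarded value of True with a passing AttestationStatus is the condition that matters operationally: without it, the HGS will not release key protectors and shielded VMs on that host will fail to start. Treat a host that was guarded and is now not guarded as an incident to investigate, since it means the boot measurements or the HGS policy changed.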