Insufficient data from Andrew Fryer

The place where I page to when my brain is full up of stuff about the Microsoft platform

Hyper-V security

Curiously, one of the topics we hardly ever get asked about at our IT Camps is security in Hyper-V. Perhaps it's because you all have total confidence in our approach to security, or you already have the facts to hand, but more likely you forgot to ask about it because it's not top of your agenda.

That’s OK, and anyway I need to write this so I have the definitive answers to hand when someone asks me.

So what do you need to consider when virtualising your data centre?

The best resource I have seen is from the US Government, specifically the National Institute of Standards & Technology (NIST), in their Guide to Security for Virtualization Technologies (NIST Special Publication 800-125). It's a big read, but the three key sections are:

4-2 recommendations about locking down the hypervisor. The key points are:

  • No unauthorised access to the operating system controlling the VMs (the management or parent operating system)
  • Resources shared between the managing operating system and the guest VMs are kept to a minimum
  • The host or physical operating system is kept up to date with patches
  • The host operating system is used only to run virtual machines, not other roles or applications

4-3 recommendations for securing the virtual machines themselves

4-4 recommendations for securing a virtual desktop infrastructure
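As an added example (this is not code from the original post, nor from the NIST guide), here is a PowerShell script that audits a single Hyper-V host against the four 4-2 points above and reports anything that needs looking at. It assumes it is run elevated on the host itself, on Windows Server 2016 or later with PowerShell 5.1 (it uses Get-LocalGroupMember), and that Hyper-V is the only role you intend to run. The 30-day patch window and the list of allowed roles are my own assumptions to adjust to your policy; nothing in the script changes the host.

```powershell
#Requires -RunAsAdministrator
#Requires -Modules Hyper-V, ServerManager
# Added example, not part of the original post or of the NIST guide: a read-only
# audit of one Hyper-V host against the four hypervisor-lockdown points.
# Assumptions: run locally and elevated, Windows Server 2016+ / PowerShell 5.1
# (Get-LocalGroupMember); the patch window and allowed-role list below are
# constructed values, not anything the post or NIST prescribes.

$findings = New-Object 'System.Collections.Generic.List[string]'

# 1. No unauthorised access to the management OS.
#    Every member of these two groups can start, stop, snapshot or export any VM
#    on the box, so each one is listed for review (nested groups included).
foreach ($group in 'Administrators', 'Hyper-V Administrators') {
    Get-LocalGroupMember -Group $group -ErrorAction SilentlyContinue | ForEach-Object {
        $findings.Add("REVIEW  $group contains $($_.Name) [$($_.ObjectClass)]")
    }
}

# 2. Resources shared between the management OS and guests kept to a minimum.
#    The Guest Service Interface is the host-to-guest file copy channel used by
#    Copy-VMFile; it is off by default, and a VM that has it on is one more
#    crossing of the host/guest boundary that most workloads do not need.
foreach ($vm in Get-VM) {
    $gsi = Get-VMIntegrationService -VM $vm -Name 'Guest Service Interface'
    if ($gsi.Enabled) {
        $findings.Add("WARN    $($vm.Name): Guest Service Interface is enabled")
    }
}

# 3. Management OS kept up to date with patches.
#    Flags the host if the most recently installed update is older than the window.
$patchWindowDays = 30   # assumption: set to your own patching policy
$latest = Get-HotFix |
    Where-Object { $_.InstalledOn } |
    Sort-Object InstalledOn -Descending |
    Select-Object -First 1
if (-not $latest -or $latest.InstalledOn -lt (Get-Date).AddDays(-$patchWindowDays)) {
    $findings.Add("WARN    no update installed in the last $patchWindowDays days (most recent: $($latest.HotFixID) on $($latest.InstalledOn))")
}

# 4. Management OS used only to run virtual machines.
#    Any other installed role is extra attack surface on the parent partition.
#    FileAndStorage-Services is present on every Windows Server install by
#    default, so it is allowed; extend the list for clustered hosts if needed.
$allowedRoles = 'Hyper-V', 'FileAndStorage-Services'
$extraRoles = Get-WindowsFeature |
    Where-Object { $_.Installed -and $_.FeatureType -eq 'Role' -and $_.Name -notin $allowedRoles }
foreach ($role in $extraRoles) {
    $findings.Add("WARN    extra role installed on the host: $($role.Name) ($($role.DisplayName))")
}
#    A full (GUI) install carries more code than Server Core, so note it too.
$installType = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').InstallationType
if ($installType -ne 'Server Core') {
    $findings.Add("INFO    installation type is '$installType'; Server Core has the smaller attack surface")
}

# Report
if ($findings.Count -eq 0) {
    Write-Output "${env:COMPUTERNAME}: no findings"
} else {
    Write-Output "${env:COMPUTERNAME}: $($findings.Count) finding(s)"
    $findings | ForEach-Object { Write-Output "  $_" }
}
```

To run it across a fleet of hosts, wrap the script in Invoke-Command -ComputerName against each host (or a list from Virtual Machine Manager) and collect the output; the lines are prefixed REVIEW, WARN and INFO so they can be filtered or fed into your monitoring or compliance tooling rather than read by eye.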

So, having got your head around that and carried out your own risk assessment, whether by contacting CESG if you are in UK government or by using the risk assessment advice the UK government puts out for businesses in the UK, you then need to apply this to your environment. For Hyper-V the three key resources you need are:

I would argue that you'll also need System Center to manage your data centre security, to check and rectify compliance issues, and to audit changes. To help with that there is a Governance Risk & Compliance Process Pack which uses the integration between Service Manager and the rest of System Center (Configuration Manager, Operations Manager and Virtual Machine Manager via Orchestrator). It has extensive guidance for the non-IT functions and has the side benefit of showing you how to unify System Center to better support the business.

Finally, you'll want to lock down Windows Server as well, whether that's the physical operating system or the guest, and there's the Security Compliance Manager to help with that.