Virtualization Security Best Practices – How to Lockdown a Hyper-V Host

I recently had the opportunity to chat with Brandon Baker, Senior Dev Lead on the Hyper-V team, to get some security best practices. You can hear them in this 8-minute podcast on Virtualization Security Best Practices, including:

  1. Use Windows Server 2008 core OS on the host and don’t run any apps or unnecessary services there – only VMs (reduce attack surface)
  2. Use a dedicated NIC on the host for host management, and use a different dedicated NIC (or NICs) for VM network traffic (reduce attack surface)
  3. Use AzMan policies to create delegated administrator roles for the administrators of the VMs on the host, such that the VM Admin has minimum privileges on the host (principle of least privilege)
  4. Ensure that stale VMs are patched up on a maintenance host before bringing them online. Today (till 8/1/2008) you can use the free Offline Virtual Machine Servicing Tool (Beta) to take care of this. VMM 2008 will help you with this as well.
  5. Use BitLocker on the drives that you use for VMs, so that all the VHDs will be encrypted
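
A read-only audit of items 2 and 5, added here as an example and not taken from the podcast or the Hyper-V team. It assumes an elevated session on a host that has the Hyper-V and BitLocker PowerShell modules (Windows Server 2012 or later, which postdates the Server 2008 tooling this post describes); the function names are hypothetical.

```powershell
# Added example: checks NIC separation (item 2) and VHD encryption (item 5).
# Assumption: Hyper-V and BitLocker modules are installed; nothing is modified.
#Requires -Modules Hyper-V, BitLocker

function Test-HostNicSeparation {
    # An external switch with AllowManagementOS = $true shares its physical
    # NIC between the host OS and VM traffic, which item 2 says to avoid.
    Get-VMSwitch -SwitchType External | ForEach-Object {
        [pscustomobject]@{
            Check  = 'Dedicated VM NIC'
            Target = "$($_.Name) [$($_.NetAdapterInterfaceDescription)]"
            Pass   = -not $_.AllowManagementOS
        }
    }
}

function Test-VhdEncryption {
    # Index BitLocker volumes by mount point without the trailing backslash.
    $volumes = @{}
    Get-BitLockerVolume | ForEach-Object {
        $volumes[$_.MountPoint.TrimEnd('\')] = $_
    }

    Get-VM | Get-VMHardDiskDrive | Where-Object Path | ForEach-Object {
        # Drive-letter lookup only: disks on mounted folders, CSVs, SMB shares
        # or pass-through disks find no match and are reported as failing,
        # so review those by hand.
        $root = [System.IO.Path]::GetPathRoot($_.Path).TrimEnd('\')
        $vol  = $volumes[$root]
        [pscustomobject]@{
            Check  = 'VHD on BitLocker volume'
            Target = "$($_.VMName): $($_.Path)"
            Pass   = ($null -ne $vol) -and ($vol.ProtectionStatus -eq 'On')
        }
    }
}

# Failing checks sort first ($false before $true).
$results = @(Test-HostNicSeparation) + @(Test-VhdEncryption)
$results | Sort-Object Pass, Check | Format-Table -AutoSize -Wrap
```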

Check out Brandon’s Black Hat conference presentation, including:

· Windows Server virtualization and Windows Server 2008 architecture and components

· How Windows Server virtualization virtualizes the CPU and enforces virtual machine isolation

· Best practices for Windows Server virtualization deployment

· Hardware futures [e.g., TXT from Intel, SVM from AMD, IOMMU]

· And more…