Best Practice for secure HyperV configuration

Jason Childs
Senior Member

Our design and deployment teams were having a debate on the most secure way to deploy HyperV, particularly with respect to Ransomware attacks and protecting from encryption.

 

There seem to be two camps, one to deploy standalone and one to join to Active Directory. I would like to know what the best practice is for securing the hypervisor.

 

Cheers,

 

Jason

10 Replies
Given that stupid users that click on attachments and browser cocktails should not be impacting the HyperV host, and the user should not have access to the container, I have not seen reports of HyperV hosts nailed by user initiated ransomware. While I've seen some reports of utilization of pass the hash/privilege escalation, I have not seen reports of ransomware nailing the HyperV host even when domain joined. As long as the admin patches themselves and uses appropriate run as admin/log in with appropriate creds etc etc.

Here is a nice spreadsheet of current best practices for preventing ransomware

 

https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml

 

Consider application whitelisting if you really want to go uber protection.

I think it depends on your infrastructure scale and architecture. Having a domain joined Hyper-V Host allows centralized management with ease, but it definitely cannot stop a user that has admin privileges from making a silly mistake that takes down the environment.

 

In a large environment, we can have an infrastructure.contoso.com forest and a corporate.contoso.com forest with a forest trust between them, review and lock down the privileges, but this can be a complex architecture for a small environment.

 

I suppose for a small environment, it will be best to review the privileges and ensure that there are limited privileges for the average user to access the Hyper-V Host storage through shared folders or UNC paths, so that ransomware initiation cannot reach those files and encrypt them. If possible, get the Hyper-V host into Server Core mode and, as for Windows Server 2016, deploy Nano Server with the Hyper-V role because it's the way to go.

If you already have an Active Directory infrastructure, deploying standalone would create additional headache. Security relies on multiple segments, such as user account security, strictly dividing admin and non-admin accounts, patch management, security software and policies, user training... The weakest point in the chain is usually the end user (remember, each administrator is also an end user). And this is not specific to HyperV. For which purpose and on which scale do you plan to use it, btw.? Without knowing this it is hard to tell what would be "better". Best greetings from Germany, Olaf

Hi Jason,

 

I would suggest getting the Operating System to comply with OS hardening first.

  • CIS Microsoft Windows Server 2012 R2 Benchmark v2.2: https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_R2_Benchmark_v2.2.0.pdf

 

After that, not sure if you have already read this documentation, there are some resources on Hyper-V hardening below:

  • Security guide for Hyper-V in Windows Server 2012: https://technet.microsoft.com/en-us/library/dn741280(v=ws.11).aspx
    • Chapter 2: Hardening the Hyper-V host: https://technet.microsoft.com/en-us/library/dn741283(v=ws.11).aspx
  • Hyper-V Security Guide: https://technet.microsoft.com/en-us/library/dd569113.aspx

 

Hope it helps and paves the way for you to have a good start.

I agree with everyone so far and just want to add a few more things to consider. Managing non-domain-joined machines, if not done correctly, can be less secure overall since you don't have a secure channel by default to work through. If you have not denied domain admins access to everything in your enterprise except the domain controllers, you should start there. If you have not looked at LAPS, you should consider deploying and using that and removing all but a select few domain users and groups from local admin. No admins is preferred. Deploy your Hyper-V host configurations with PowerShell DSC and access them over PowerShell constrained endpoints using Just Enough Administration (JEA). If no one ever logs in interactively, admin or user, then the potential for malware execution is greatly reduced. In short, how you configure and manage your servers is just as, and sometimes more, important than the configuration itself.
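The constrained endpoint described in this reply, as an added example that is not part of the thread: a JEA role capability that exposes only VM lifecycle cmdlets, a session configuration that runs them under a virtual account limited to the local Hyper-V Administrators group, and registration of the endpoint. The group CONTOSO\HyperV-Operators, the module name HyperVJea and the transcript folder are placeholders.

```powershell
# Added example (not from the thread): JEA endpoint for Hyper-V operators.
# Placeholders: AD group CONTOSO\HyperV-Operators, module HyperVJea, C:\JEATranscripts.
# Run elevated on the Hyper-V host (Windows Server 2016 / WMF 5.1 or later).
$modulePath = Join-Path $env:ProgramFiles 'WindowsPowerShell\Modules\HyperVJea'
New-Item -ItemType Directory -Path (Join-Path $modulePath 'RoleCapabilities') -Force | Out-Null
# Manifest-only module so the RoleCapabilities folder is discovered via PSModulePath
New-ModuleManifest -Path (Join-Path $modulePath 'HyperVJea.psd1')

# Role capability: an allow-list of what an operator can run inside the session.
# Anything not listed is invisible; Stop-VM exposes only the -Name and -Force parameters.
New-PSRoleCapabilityFile -Path (Join-Path $modulePath 'RoleCapabilities\VMOperator.psrc') `
    -ModulesToImport 'Hyper-V' `
    -VisibleCmdlets @(
        'Get-VM', 'Get-VMSnapshot', 'Start-VM', 'Restart-VM',
        @{ Name = 'Stop-VM'; Parameters = @{ Name = 'Name' }, @{ Name = 'Force' } }
    )

# Session configuration: no default shell cmdlets, a transient virtual account that is a member
# of "Hyper-V Administrators" rather than local Administrators, and a transcript of every session.
$psscPath = Join-Path $modulePath 'VMOperator.pssc'
New-PSSessionConfigurationFile -Path $psscPath `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -RunAsVirtualAccountGroups 'Hyper-V Administrators' `
    -TranscriptDirectory 'C:\JEATranscripts' `
    -RoleDefinitions @{ 'CONTOSO\HyperV-Operators' = @{ RoleCapabilities = 'VMOperator' } }

if (-not (Test-PSSessionConfigurationFile -Path $psscPath)) {
    throw "Session configuration file $psscPath failed validation"
}
Register-PSSessionConfiguration -Name 'HyperV.Operator' -Path $psscPath -Force | Out-Null

# Operators reach the host only through this endpoint, e.g. from a jump server:
#   Enter-PSSession -ComputerName hv01 -ConfigurationName 'HyperV.Operator'
```

Anyone in the operator group connecting with the default `microsoft.powershell` endpoint is still refused unless they are also a local administrator, so the host sees no interactive logon from operators at all.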

For a big Hyper-V farm, I suggest having a separate network, with its own AD Forest (without any trust), protected by a firewall. To manage the farm, admins use a TS connection to an admin server (each admin has his own login). No direct access from office computers to Hyper-V servers. It's the best way to secure Hyper-V and other services (SOFS cluster, SCVM ...), but if you have less than 10 servers it is not the best solution.

Is this for protecting the host itself against ransomware or the VMs running on the hosts? We've seen instances of users who have access to SMB file shares manage to get the file shares encrypted even though they don't have admin access to the VM. Active Directory joined servers + proper group policy management would be the best approach (policies to disable autorun, script execution....). Also, if you're talking about protecting the hosts themselves, there should be network policies in place to prevent users from accessing the hosts themselves. I can't think of a situation where an end user would need to be able to get to anything on a Hyper-V host.
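The exposure this reply and the earlier one about UNC paths describe, as an added audit example that is not part of the thread: enumerate the SMB shares on a Hyper-V host, work out which ones overlap the host's VM configuration and virtual disk paths, and report any that grant access to broad principals (Everyone, Authenticated Users, BUILTIN\Users, Domain Users). It assumes it is run on the host with the Hyper-V and SmbShare modules available; the principal list is a constructed starting point.

```powershell
# Added example (not from the thread): report SMB shares that expose VM storage broadly.
# Run on the Hyper-V host. Assumes the Hyper-V and SmbShare modules (Server 2012 R2 or later).
$broadPrincipals = @('Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users')
$broadPattern    = '\\Domain Users$'   # Domain Users of any domain

# Every directory on this host that holds VM configuration or virtual disks
$vmHost    = Get-VMHost
$hostPaths = @(@($vmHost.VirtualHardDiskPath, $vmHost.VirtualMachinePath) +
               @(Get-VM | Get-VMHardDiskDrive | ForEach-Object { Split-Path $_.Path -Parent })) |
             Where-Object { $_ } | Sort-Object -Unique

function Test-PathUnder([string]$Child, [string]$Parent) {
    # True when $Child is $Parent or lies beneath it (case-insensitive, trailing-slash safe)
    $c = $Child.TrimEnd('\') + '\'
    $p = $Parent.TrimEnd('\') + '\'
    return $c.StartsWith($p, [System.StringComparison]::OrdinalIgnoreCase)
}

function Get-ExposedVMShare {
    Get-SmbShare | Where-Object { $_.Path -and $_.ShareType -eq 'FileSystemDirectory' } |
    ForEach-Object {
        $share = $_
        # A share is relevant if it sits above or inside any VM storage directory
        $overlap = $hostPaths | Where-Object {
            (Test-PathUnder -Child $_ -Parent $share.Path) -or
            (Test-PathUnder -Child $share.Path -Parent $_)
        }
        if (-not $overlap) { return }

        Get-SmbShareAccess -Name $share.Name | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ($broadPrincipals -contains $_.AccountName -or $_.AccountName -match $broadPattern)
        } | ForEach-Object {
            [pscustomobject]@{
                Share     = $share.Name
                Path      = $share.Path
                Principal = $_.AccountName
                Right     = $_.AccessRight      # Read is still enough to copy VHDs; Full/Change lets ransomware overwrite them
                VMStorage = ($overlap -join '; ')
            }
        }
    }
}

Get-ExposedVMShare | Format-Table -AutoSize
```

Share permissions are only half of the picture: an NTFS ACL on the VM folders that grants the same broad groups write access should be reviewed with Get-Acl in the same way.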

To keep it as short as possible, here my 2 cents:

 

  • Separate infrastructure forest for fabric components (storage / compute)
  • Use bastion jump servers for fabric admins, do not allow administrative access from client networks / admin PCs
  • Dedicated management vlan for parent partition
  • Make intra-cluster communication vlans, dedicated and private (not routed)
  • Use server core or nano edition to keep layer-8 issues away as much as possible. A hyper-v host with GUI is not safe at all
  • Use host firewall
  • Use PowerShell DSC / GPOs to prevent configuration drift

 

Cheers,
Michael
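The last three points of this list (Server Core, host firewall, DSC against drift), as an added example that is not part of the thread: a DSC configuration that keeps the Hyper-V role present, the desktop shell absent, the Windows Firewall service running with all profiles enabled, and a Local Configuration Manager setting that re-applies it every 30 minutes so manual changes are reverted. The Server-Gui-Shell feature only exists on Windows Server 2012 R2 and earlier; on 2016 and later remove that resource and install Server Core from the start. Output paths under C:\DSC are placeholders.

```powershell
# Added example (not from the thread): Hyper-V host baseline enforced by DSC.
# Assumes Windows Server 2012 R2 with WMF 5.x; C:\DSC paths are placeholders.
Configuration HyperVHostBaseline {
    param([string[]]$NodeName = 'localhost')
    Import-DscResource -ModuleName PSDesiredStateConfiguration

    Node $NodeName {
        WindowsFeature HyperV {
            Name   = 'Hyper-V'
            Ensure = 'Present'
        }
        WindowsFeature HyperVPowerShell {
            Name   = 'Hyper-V-PowerShell'
            Ensure = 'Present'
        }
        # Parent partition stays Server Core: no desktop shell to browse or click from
        WindowsFeature NoGuiShell {
            Name   = 'Server-Gui-Shell'
            Ensure = 'Absent'
        }
        Service HostFirewall {
            Name        = 'MpsSvc'
            StartupType = 'Automatic'
            State       = 'Running'
        }
        # Firewall profiles are checked every consistency run and re-enabled if someone turned them off
        Script FirewallProfilesOn {
            GetScript  = { @{ Result = (Get-NetFirewallProfile | Select-Object Name, Enabled | Out-String) } }
            TestScript = { -not (Get-NetFirewallProfile | Where-Object { $_.Enabled -ne 'True' }) }
            SetScript  = { Set-NetFirewallProfile -All -Enabled True -DefaultInboundAction Block }
            DependsOn  = '[Service]HostFirewall'
        }
    }
}

# LCM in ApplyAndAutoCorrect mode is what turns the baseline into drift prevention:
# every 30 minutes the host is tested against it and corrected, not merely reported.
[DscLocalConfigurationManager()]
Configuration HyperVHostLcm {
    Node 'localhost' {
        Settings {
            ConfigurationMode              = 'ApplyAndAutoCorrect'
            ConfigurationModeFrequencyMins = 30
            RebootNodeIfNeeded             = $false
        }
    }
}

HyperVHostLcm -OutputPath 'C:\DSC\Lcm' | Out-Null
Set-DscLocalConfigurationManager -Path 'C:\DSC\Lcm' -Verbose
HyperVHostBaseline -OutputPath 'C:\DSC\Baseline' | Out-Null
Start-DscConfiguration -Path 'C:\DSC\Baseline' -Wait -Verbose
```

Test-DscConfiguration -Detailed afterwards lists which resources are out of compliance, which is the signal to watch on a host where someone has been changing things by hand.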

In a properly designed infrastructure, you should have Hyper-V AD integrated, and even if a VM gets its files compromised by ransomware, it doesn't affect the Hosts.
