Securing a virtualized datacenter is altogether different from conventional server security. Agent-based protection isn’t really feasible in a virtual environment, since virtual machines are dynamic—with many cycles of deployment and removal. In some organizations, VMs are often copied from a library that may have obsolete antivirus definitions, which makes it especially difficult to maintain security policies. In many cases, VMs are deployed by end users or tenants without any administrative oversight. Some compliance standards restrict admins from accessing particular VMs to install agents.
Also, remember that virtualization hosts are meant to run at near full capacity for better resource utilization. When a VM runs an agent-based AV scan, it can cause a 30% spike in virtual CPU utilization and slow down every VM on the host.
Here we offer a number of security best practices for you to consider as you seek to optimize and maintain Hyper-V hosts and VMs.
Tip 1 — Install Hyper-V on Server Core
If possible, install the Hyper-V role on Server Core rather than on a full server installation. Since Server Core has no graphical user interface and contains no client components, its attack surface is much smaller. Running Hyper-V on Server Core also reduces the footprint of the host and improves uptime, because the Windows Update service has fewer components to patch.
Tip 2 — Protect Against Attacks Between VMs, in all Virtual Networks
Conventional security products protect traffic between hosts, but they don’t protect traffic between VMs on the same host. So threats can propagate and multiply even if just one guest becomes infected. VM jumping, also known as hyper jumping, is a type of attack that is especially damaging within a virtualized environment because of the higher machine density on the cluster or host. Much like human infection pathways, hyper jumping exploits VM weaknesses to find a route for launching an attack against other machines that reside on the same infrastructure. Invest in a security solution that provides this level of protection.
Tip 3 — Use Agentless Protection
Some solutions offer antivirus protection that does not install agents onto the VMs, but only on each Hyper-V host. This design prevents the excessive resource consumption and contention of an antivirus storm, which happens when many VMs on one host scan or update at the same time. Tools like those offered by 5nine greatly simplify the management of Virtual Desktop Infrastructure (VDI). Also, users don’t get distracting security alerts, and they don’t need to manually update signatures or manually run security scans. In nearly all cases, users won’t experience any impact from such antivirus and security protection. Because they won’t have such frustrations or performance issues, users won’t attempt to disable security.
Tip 4 — Protect the Hyper-V Host
Many organizations run a large portion of their entire infrastructure on Hyper-V, so it’s critically important for them to protect all of their hosts. Host protection will harden the physical infrastructure against malware attacks and other threats. Look for solutions that offer integrated multilayered security in one package—including a virtual firewall, antivirus and antimalware hardening, intrusion detection, and full-feature network analytics.
Tip 5 — Centrally Manage Rules and Definitions
Authorization Manager provides role-based access control for Hyper-V. But you’ll need to configure a data store for the policy that correlates users with roles and access rights. A better alternative is to find a solution that gives you the power to manage all virus definitions and security rules from a single management interface.
Tip 6 — Establish Multiple Layers of Security
To properly secure your virtualized environment, it’s important to achieve solid, comprehensive protection—at all levels. This includes automated host, VM and network protection. Look for solutions that give you antivirus detection on the network and exhaustive disk scans. Also insist on features such as automatic network intrusion monitoring and detection, as well as network anomaly analysis.
Tip 7 — Set Antivirus Options and Exclusions
Windows Defender includes default automatic antivirus exclusion settings, though it has a limited feature set. Generally, it’s best to install third-party antivirus software on your Hyper-V host and to understand all of the options for optimizing the operation of the host and all virtual machines. A number of exclusions are necessary in many cases. For more details, see the Microsoft article, Recommended Antivirus Exclusions for Hyper-V Hosts.
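One way to apply the Hyper-V host exclusions on a Windows Defender host, as an added example that is not from the article or the 5nine product. It reads the VM and VHD directories from the host and from each VM rather than hard-coding them; the process and extension lists are assumed to match the Microsoft article cited above and should be checked against its current version.

```powershell
# Added example, not from the article: apply Hyper-V host exclusions to
# Windows Defender with the Hyper-V and Defender PowerShell modules.
# Directories come from the host and each VM's configuration, so custom
# VM and VHD locations are covered. Process and extension lists are assumed
# to follow Microsoft's "Recommended antivirus exclusions for Hyper-V hosts".
#Requires -RunAsAdministrator
Import-Module Hyper-V, Defender

$vmHost = Get-VMHost
$paths = @(
    $vmHost.VirtualMachinePath                      # default VM configuration store
    $vmHost.VirtualHardDiskPath                     # default VHD/VHDX store
    "$env:ProgramData\Microsoft\Windows\Hyper-V"    # configuration, snapshots, replica metadata
)

# Per-VM locations that may differ from the host defaults.
$paths += Get-VM | ForEach-Object {
    $_.ConfigurationLocation
    $_.SnapshotFileLocation
    $_.SmartPagingFilePath
    Get-VMHardDiskDrive -VM $_ |
        Where-Object { $_.Path } |                  # skip pass-through disks (no file path)
        ForEach-Object { Split-Path -Parent $_.Path }
}
$paths = $paths | Where-Object { $_ } | Sort-Object -Unique

# Hyper-V service processes and the file types they own.
$processes  = 'vmms.exe', 'vmwp.exe', 'vmsp.exe', 'vmcompute.exe'
$extensions = '.vhd', '.vhdx', '.avhd', '.avhdx', '.vsv', '.iso',
              '.rct', '.vmcx', '.vmrs', '.mrt'

Add-MpPreference -ExclusionPath $paths `
                 -ExclusionProcess $processes `
                 -ExclusionExtension $extensions

# Review the result: each exclusion is a scanning blind spot, so keep the
# list to exactly these locations and nothing broader.
Get-MpPreference |
    Select-Object ExclusionPath, ExclusionProcess, ExclusionExtension |
    Format-List
```

Run the review step after any change to VM storage paths, since a VM moved to a directory outside the list is scanned again and a directory excluded more broadly than needed is never scanned.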
Tip 8 — Secure All Guest VMs
Before starting a VM in a production environment, make it a priority to install the latest security updates. Integration components help secure communication between VMs and the hypervisor. Each release of Hyper-V includes integration component updates. Be sure to update all of your virtual machines. Integration services should be installed and kept current for any guest OS that requires it. Of course, you can obtain these updates through the Windows Update program. Harden any VM OS according to its role in the Hyper-V environment.
Tip 9 — Secure All VM Devices
Solid, confident device management primarily involves configuring only those devices that are necessary for a particular virtual machine. In production, leave discrete device assignment disabled unless you absolutely require it. If it is necessary, take care that you only use devices from vendors in which you have the highest confidence.
Tip 10 — Disconnect Idle VMs
In nearly all contexts, it’s unwise to deploy a virtual machine unless it has a specific, active function in the system. If you must tolerate an idle VM, explicitly disconnect it from any Hyper-V virtual switch that also connects to other operational virtual machines. Anyone with access to an idle VM might find a way into the production environment and wreak havoc.
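The disconnect step described above, as an added example that is not from the article. Which VMs count as idle is an assumption supplied as a list of names; with `$dryRun` set the script only reports what it would change.

```powershell
# Added example, not from the article: disconnect idle VMs from every virtual
# switch that also serves an operational VM. The idle VM names are an
# assumption (placeholder below); $dryRun = $true reports without changing.
#Requires -RunAsAdministrator
Import-Module Hyper-V

$idleVmNames = @('IDLE-VM-PLACEHOLDER')   # replace with the names of your idle VMs
$dryRun      = $true

$allVms         = Get-VM
$idleVms        = $allVms | Where-Object { $idleVmNames -contains $_.Name }
$operationalVms = $allVms | Where-Object { $idleVmNames -notcontains $_.Name }

# Switches that carry traffic for operational VMs.
$sharedSwitches = $operationalVms |
    Get-VMNetworkAdapter |
    Where-Object { $_.SwitchName } |
    Select-Object -ExpandProperty SwitchName -Unique

foreach ($vm in $idleVms) {
    foreach ($nic in Get-VMNetworkAdapter -VM $vm) {
        if ($nic.SwitchName -and $sharedSwitches -contains $nic.SwitchName) {
            Write-Output "$($vm.Name): adapter '$($nic.Name)' shares switch '$($nic.SwitchName)' with operational VMs"
            # -WhatIf:$true prints the intended action instead of performing it.
            Disconnect-VMNetworkAdapter -VMNetworkAdapter $nic -WhatIf:$dryRun
        }
    }
}

# Final view of every adapter still attached to a shared switch; idle VMs
# should no longer appear here once $dryRun is set to $false.
$allVms | Get-VMNetworkAdapter |
    Where-Object { $sharedSwitches -contains $_.SwitchName } |
    Select-Object VMName, Name, SwitchName
```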
Tip 11 — Install 3rd-party Firewall Protection
The Windows firewall only does one thing really well: block incoming connections. Though it has some advanced features, these are hidden and difficult to manage. Most third-party firewalls allow you to easily control which applications can access the Internet. You should also look for firewall products that intercept network traffic before it routes toward any VM, and that give you the flexibility to manage traffic at the protocol level (TCP, UDP, GRE, ICMP, IGMP and others).
Tip 12 — Enable Discrete Device Assignment Only if Necessary
Discrete Device Assignment should only be enabled if it’s necessary for a specific, active function. Contact the manufacturer to learn whether this is applicable for a particular device in a secure context.