Shielded VMs
Shielded VMs are a feature exclusive to the Datacenter Edition of Windows Server 2016.
As a result of increased virtualization, physical servers that were once secured physically were migrated to Hyper-V hosts that are less secure because they are accessible to fabric administrators. Shielded VMs were introduced to protect tenant workloads from inspection, theft, and tampering when they run on potentially compromised hosts.
A security concept closely associated with shielded VMs is the guarded fabric, a collection of nodes cooperating to protect shielded Hyper-V guests. The guarded fabric consists of:
- Host Guardian Service (HGS): uses remote attestation to confirm that a host is trusted; if so, it releases the key that allows the shielded VM to be started. HGS is typically a cluster of 3 nodes.
- Guarded hosts: Windows Server 2016 Datacenter edition Hyper-V hosts that can run shielded VMs only if they can prove they are running in a known, trusted state to the Host Guardian Service.
- Shielded VMs
In a production environment, a fabric manager like Virtual Machine Manager would be used to deploy shielded VMs (which are signified by a shield icon).
Shielded VMs must run Windows (8+) or Windows Server (2012+); Linux shielded VMs are also supported since Windows Server, version 1709.
Shielded VMs are produced by a three-stage process (VHD -> Shielded template -> Shielded VMs):
- Preparation: Install and configure an OS onto a virtual disk file
- Templatization: Convert virtual disk file into a shielded template
- Provisioning: Create one or more shielded VMs from the shielded template
Configure HGS in its own new forest (YouTube):

```powershell
# The safe-mode administrator password must be a SecureString; prompt for it rather than hard-coding it
$adminPassword = Read-Host -AsSecureString 'Safe mode administrator password'
Install-WindowsFeature HostGuardianServiceRole -Restart
Install-HgsServer -HgsDomainName 'savtechhgs.net' -SafeModeAdministratorPassword $adminPassword -Restart
```
Shielding data is created and owned by the tenant (the VM owner) and contains the secrets needed to create shielded VMs; it must be protected from the fabric admin.
Further reading:
- Intro to shielded VMs
- Create a shielded VM using Powershell
- Linux Shielded VM How To
- Shielded VM Demonstration and Quick Setup
- Guarded Fabric Deployment Guide for Windows Server 2016
- Deploying Shielded VMs and a Guarded Fabric with Windows Server 2016
There are two modes of attestation supported by HGS (MS Docs):
- Hardware-trusted attestation
- Remote attestation based on asymmetric key pairs
- Admin-trusted attestation was previously based on guarded host membership in a designated AD DS security group, but is deprecated beginning with Windows Server 2019.
Hardware-trusted attestation mode requires:
- Measured boot: TPMv2 to seal software and hardware configuration details measured at boot
- Code integrity enforcement to strictly define permissible software
- Platform Identity Verification: Active Directory is not sufficient to identify the host. Rather, an identity key rooted in the host TPM is used for identity.
Admin-trusted attestation mode:
- Host identity is verified by checking membership in the designated security group
- No Measured Boot or Code Integrity validation
- Intended to aid the transition to hardware-trusted attestation mode for hosts that predate TPMv2
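The three hardware-trusted requirements above map onto three artifacts a guarded host exports and HGS registers. The following is an added example (not code from the original page or from Microsoft's guides) that walks through that registration and the verification a host admin would run afterwards; the host name HV01, the staging folder C:\HgsArtifacts and the service FQDN hgs.savtechhgs.net (domain from the page, service name assumed) are placeholders.

```powershell
# Added example: register a guarded host with HGS in hardware-trusted (TPM) mode and verify it.
# Assumptions (placeholders): host HV01, staging folder C:\HgsArtifacts, HGS at hgs.savtechhgs.net.

# --- Step 1: on the guarded host HV01, export what HGS must be told to trust ---
New-Item -ItemType Directory -Path 'C:\HgsArtifacts' -Force | Out-Null
# Platform identity: the TPM endorsement key (EKpub), not an Active Directory computer account
Get-PlatformIdentifier -Name 'HV01' | Out-File 'C:\HgsArtifacts\HV01.xml' -Encoding UTF8
# Measured boot: the TCG log of this host's current hardware and software configuration
Get-HgsAttestationBaselinePolicy -Path 'C:\HgsArtifacts\HV01.tcglog'
# Code integrity: a policy describing the permitted software, converted to binary form for HGS
New-CIPolicy -Level FilePublisher -Fallback Hash -UserPEs -FilePath 'C:\HgsArtifacts\HV01-CI.xml'
ConvertFrom-CIPolicy -XmlFilePath 'C:\HgsArtifacts\HV01-CI.xml' -BinaryFilePath 'C:\HgsArtifacts\HV01-CI.p7b'
# (copy C:\HgsArtifacts to an HGS node before step 2)

# --- Step 2: on the HGS node, register the artifacts and require TPM trust ---
Add-HgsAttestationTpmHost   -Path 'C:\HgsArtifacts\HV01.xml'    -Name 'HV01'
Add-HgsAttestationTpmPolicy -Path 'C:\HgsArtifacts\HV01.tcglog' -Name 'HV01-Baseline'
Add-HgsAttestationCiPolicy  -Path 'C:\HgsArtifacts\HV01-CI.p7b' -Name 'HV01-CI'
Set-HgsServer -TrustTpm
Get-HgsServer   # AttestationOperationMode should now read Tpm

# --- Step 3: back on HV01, point the host at HGS and check that attestation passes ---
Set-HgsClientConfiguration `
    -AttestationServerUrl   'http://hgs.savtechhgs.net/Attestation' `
    -KeyProtectionServerUrl 'http://hgs.savtechhgs.net/KeyProtection'
$status = Get-HgsClientConfiguration
if ($status.AttestationStatus -ne 'Passed') {
    # AttestationSubstatus names the measurement that failed (for example a CI policy
    # mismatch); no shielded VM can start on this host until it is resolved.
    Write-Warning "Attestation failed: $($status.AttestationSubstatus)"
    Get-HgsTrace -RunDiagnostics
}
```

Any later change to the host's firmware, boot configuration or installed software that alters the measured baseline or the code integrity policy will cause attestation to fail until a new baseline or policy is registered with HGS.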