In all data centers today, virtualization is being utilized heavily. Virtual machines make it easier to deploy, manage, service and automate the infrastructure. There are many benefits but there are also security risks that we need to consider and understand.
We protect our hosts and virtual machines from running malicious software and viruses, but we must also protect the virtual machines from compromised hosts. Many companies run much of their server farm in the cloud or in a hosted environment, so new precautions are needed. A virtual machine is just a file, and that file needs to be protected from attacks via the storage system, over the network, during backup, or even from rogue host administrators. Protecting your organization’s high-value assets, such as domain controllers, sensitive file servers, and HR systems, is a top priority.
Windows Server 2016 introduces Shielded VMs. They protect a virtual machine by encrypting its disks and its running state so that only the VM owner or tenant admins can access them. The fabric itself is protected by another new Windows Server 2016 feature, the Host Guardian Service (HGS). When a shielded virtual machine is turned on, HGS checks whether the host is allowed to run it before releasing the keys. HGS supports two attestation modes for deciding which hosts are trusted:
Admin-trusted attestation: Intended to support existing host hardware where there is no TPM 2.0 available. Requires relatively few configuration steps and is compatible with commonplace server hardware. Guarded hosts that can run Shielded VMs are approved by the Host Guardian Service based on membership in a designated Active Directory Domain Services (AD DS) security group.
TPM-trusted attestation: Offers the strongest possible protections but also requires more configuration steps. Host hardware and firmware must include TPM 2.0 and UEFI 2.3.1 with secure boot enabled. Guarded hosts that can run Shielded VMs are approved based on their TPM identity, measured boot sequence and code integrity policies – so you can ensure these hosts are only running approved code.
If you have older hardware without a TPM 2.0 chip, you can start with Admin-trusted attestation and move to TPM-trusted attestation when you acquire new hardware. This is accomplished by switching the attestation mode on the Host Guardian Service, with minimal to no interruption to your fabric.
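The switch from Admin-trusted to TPM-trusted attestation described above, as an added PowerShell walkthrough that is not part of the original article: the TPM identity, measured-boot baseline and code integrity policy are registered with HGS first, then the mode is flipped and each host verifies it is still guarded. Host names and file paths are constructed placeholders; the comments mark which commands run on a Hyper-V host and which on the HGS server.

```powershell
# Added example: moving HGS from Admin-trusted to TPM-trusted attestation.
# 'HV-HOST01', 'HWConfig1' and the C:\HGS paths are constructed placeholders.

# ---- On each guarded Hyper-V host (use a known-good host as the reference) ----
# Export the host's TPM identity so HGS can recognise this specific TPM.
(Get-PlatformIdentifier -Name 'HV-HOST01').InnerXml |
    Out-File 'C:\HGS\HV-HOST01.xml' -Encoding UTF8

# Capture the measured-boot baseline (TCG log) from the reference hardware.
Get-HgsAttestationBaselinePolicy -Path 'C:\HGS\HWConfig1.tcglog'

# Describe the approved host software as a code integrity policy and compile it.
New-CIPolicy -Level Publisher -Fallback Hash -UserPEs -FilePath 'C:\HGS\HWConfig1-CI.xml'
ConvertFrom-CIPolicy -XmlFilePath 'C:\HGS\HWConfig1-CI.xml' -BinaryFilePath 'C:\HGS\HWConfig1-CI.p7b'

# ---- On the HGS server ----
# Register the artifacts while HGS is still in Admin-trusted mode, so that
# the mode switch itself is the only change the hosts observe.
Add-HgsAttestationTpmHost   -Path 'C:\HGS\HV-HOST01.xml'     -Name 'HV-HOST01'
Add-HgsAttestationTpmPolicy -Path 'C:\HGS\HWConfig1.tcglog'  -Name 'HWConfig1-Baseline'
Add-HgsAttestationCIPolicy  -Path 'C:\HGS\HWConfig1-CI.p7b'  -Name 'HWConfig1-CI'

# Flip the attestation mode. Any host whose TPM, boot baseline or CI policy
# is not registered will fail attestation and cannot start shielded VMs.
Set-HgsServer -TrustTpm
Get-HgsServer | Select-Object AttestationOperationMode

# ---- Back on each Hyper-V host: confirm it still attests successfully ----
$cfg = Get-HgsClientConfiguration
if (-not $cfg.IsHostGuarded) {
    # Detailed diagnostics identify which measurement (TPM identity,
    # boot baseline or code integrity policy) HGS rejected.
    Get-HgsTrace -RunDiagnostics -Detailed
}
```

Repeat the host-side registration for every guarded host before running Set-HgsServer, since in TPM-trusted mode group membership alone no longer grants a host the ability to run shielded VMs.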
An administrator without full rights to the shielded VM can power it off and on but cannot change the settings or view the contents. BitLocker encryption protects the shielded VM’s data at rest and when the VM is moving across the network during a Live Migration.
A shielded VM requires a guest operating system of Windows Server 2012, Windows 8, or higher.
There is also a recovery environment that provides a way to securely troubleshoot and repair shielded virtual machines within the fabric they normally run while offering the same protection as the shielded virtual machine itself.
Windows Server 2016 Blog Series
Sources for this article: