What is a shielded VM?
Shielded VMs, or Shielded Virtual Machines, are a security feature introduced in Windows Server 2016 for protecting Hyper-V Generation 2 virtual machines (VMs) from unauthorized access or tampering. They combine several techniques: Secure Boot, BitLocker encryption, a virtual Trusted Platform Module (vTPM) and the Host Guardian Service.
Shielded VMs boot from virtual Unified Extensible Firmware Interface (UEFI) firmware rather than a traditional BIOS, which provides Secure Boot and lets BitLocker encrypt the VM's virtual disks from inside the VM.
The Host Guardian Service, a new role introduced in Windows Server 2016, enables shielded virtual machines, protecting them from unauthorized access by Hyper-V host administrators.
In this blog, we will look at the process of securing the VMs on your on-premises Hyper-V server. This is achieved by enabling the Host Guardian Service (HGS) role and its supporting components, and converting the VMs running on the Hyper-V host from normal VMs into Shielded VMs. We will also walk through protecting the Hyper-V VMs (shielded and unshielded) with Vembu BDR Suite, to safeguard your VM data in case of corruption or disaster.
- Hyper-V host with Host Guardian Service running
- VMs (Unshielded) running on the Hyper-V host that we will be converting into Shielded VMs
- Vembu BDR Backup Server running on Windows or Linux server
- Storage targets allocated on the Vembu BDR backup server to store the Shielded VM backup data
Minimum Hardware and Operating system requirements for setting up a Shielded VM environment on your network:
- One Windows 2012/2016 physical or virtual machine to provision the fabric domain controller
- One Windows 2016 DC physical or virtual machine to provision the Host Guardian Service (HGS)
- One Windows 2016 DC physical machine to provision the guarded host(s)
- One or more Shielded Virtual Machines (Generation 2 VMs) provisioned on the guarded hosts
I. Creating Shielded VMs
Creating a Shielded VM involves four steps:
- Configuring HGS Node
- Initializing HGS Node
- Configuring the Guarded Fabric DC
- Configuring Guarded Host
Here we are using four Windows 2016 servers with the following IP addresses:
AD Server – 192.168.102.100
Host Guardian Service Node – 192.168.102.101
Guarded Host Node – 192.168.102.102
Created Shielded VM – 192.168.102.103
Step 1: Configuring HGS Node
On a Windows 2016 Server DC with IP 192.168.102.101, we plan to configure the Host Guardian Service (HGS).
Below are the steps and commands to be executed on an elevated Windows PowerShell.
1. Enable the Host Guardian Service role on the Windows 2016 server:
Install-WindowsFeature -Name HostGuardianServiceRole -IncludeManagementTools -Restart
2. Install HGS as a new domain forest:
$adminPassword = ConvertTo-SecureString -AsPlainText '< password >' -Force
Note: Replace < password > with the safe mode (DSRM) administrator password that Install-HgsServer sets for the new HGS domain.
Install-HgsServer -HgsDomainName 'Vembutechhgs.net' -SafeModeAdministratorPassword $adminPassword -Restart
Note: Replace 'Vembutechhgs.net' with a domain name of your choice.
After the HGS installation, the server reboots; log in with the administrator account of the new HGS domain.
Step 2: Initializing the HGS Node
Initializing the HGS node requires valid certificates: one for signing and one for encryption. For a lab environment, self-signed certificates are fine. For production use, purchase certificates from a digital certificate vendor.
$CertificatePassword = ConvertTo-SecureString -AsPlainText '< password >' -Force
$signingCert = New-SelfSignedCertificate -DnsName "signing.Vembutechhgs.net"
Export-PfxCertificate -Cert $signingCert -Password $CertificatePassword -FilePath 'C:\signingCert.pfx'
$encryptionCert = New-SelfSignedCertificate -DnsName "encryption.Vembutechhgs.net"
Export-PfxCertificate -Cert $encryptionCert -Password $CertificatePassword -FilePath 'C:\encryptionCert.pfx'
Note: The encryption certificate gets its own DNS name (encryption.Vembutechhgs.net); reusing the signing certificate's name would create two certificates that cannot be told apart in the certificate store.
Next, initialize the HGS node. This is a single command; enter it on one line:
Initialize-HgsServer -HgsServiceName 'Hgs' -SigningCertificatePath 'C:\signingCert.pfx' -SigningCertificatePassword $CertificatePassword -EncryptionCertificatePath 'C:\encryptionCert.pfx' -EncryptionCertificatePassword $CertificatePassword -TrustActiveDirectory
Note: -TrustActiveDirectory selects admin-trusted (Active Directory based) attestation, which is what the GuardedHosts group registration in Step 3 and the "AttestationOperationMode : ActiveDirectory" output in Step 4 rely on.
To add a conditional forwarder that lets the HGS domain resolve the fabric domain, run:
Add-DnsServerConditionalForwarderZone -Name "vembutech.net" -ReplicationScope "Forest" -MasterServers 192.168.102.100
Here, the fabric domain FQDN is vembutech.net and its DNS server (the fabric DC) is 192.168.102.100.
To create a one-way trust so that the HGS domain trusts vembutech.net, run:
netdom trust vembutechhgs.net /domain:vembutech.net /userD:vembutech.net\Administrator /passwordD:< PASSWORD > /add
Note: Replace < PASSWORD > with the fabric domain administrator's password.
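The whole of Step 2 as one script, with the checks a practitioner would want before handing the HGS node to guarded hosts. This is an added example, not code from the original post or from Vembu. It assumes Step 1 has already been completed (role installed, HGS forest 'vembutechhgs.net' created, server rebooted), that the fabric domain is 'vembutech.net' with its DNS on 192.168.102.100 as in the post, and that the PFX files go into an assumed folder C:\HgsCerts. Get-HgsServer and Get-HgsTrace -RunDiagnostics are the built-in HGS cmdlets for reading the service URLs and running the HGS self-diagnostics.

```powershell
# Added example (not from the original post): post-reboot HGS node initialization (Step 2)
# as a single script. Run in an elevated PowerShell on the HGS node (192.168.102.101).

$HgsDomain    = 'vembutechhgs.net'   # HGS domain created by Install-HgsServer in Step 1
$FabricDomain = 'vembutech.net'      # fabric (AD) domain
$FabricDnsIp  = '192.168.102.100'    # fabric DC / DNS server
$CertDir      = 'C:\HgsCerts'        # assumed output folder for the PFX files

# Prompt for the PFX password instead of embedding it in the script
$CertPassword = Read-Host -Prompt 'PFX export password' -AsSecureString

New-Item -ItemType Directory -Path $CertDir -Force | Out-Null

# Separate signing and encryption certificates with distinct subject names.
# Self-signed is lab-only; production uses CA-issued certificates.
$signingCert    = New-SelfSignedCertificate -DnsName "signing.$HgsDomain"
$encryptionCert = New-SelfSignedCertificate -DnsName "encryption.$HgsDomain"

$signingPfx    = Join-Path $CertDir 'signingCert.pfx'
$encryptionPfx = Join-Path $CertDir 'encryptionCert.pfx'
Export-PfxCertificate -Cert $signingCert    -Password $CertPassword -FilePath $signingPfx    | Out-Null
Export-PfxCertificate -Cert $encryptionCert -Password $CertPassword -FilePath $encryptionPfx | Out-Null

# Admin-trusted (Active Directory) attestation, matching the GuardedHosts group
# registration and the 'AttestationOperationMode : ActiveDirectory' output later in the post.
Initialize-HgsServer -HgsServiceName 'Hgs' `
    -SigningCertificatePath $signingPfx       -SigningCertificatePassword $CertPassword `
    -EncryptionCertificatePath $encryptionPfx -EncryptionCertificatePassword $CertPassword `
    -TrustActiveDirectory

# DNS: let the HGS forest resolve the fabric domain (skip if the forwarder zone already exists)
if (-not (Get-DnsServerZone -Name $FabricDomain -ErrorAction SilentlyContinue)) {
    Add-DnsServerConditionalForwarderZone -Name $FabricDomain -ReplicationScope 'Forest' -MasterServers $FabricDnsIp
}

# One-way trust so the HGS domain can read the fabric's group SIDs.
# netdom only accepts the password on its command line, so prompt for it and
# drop the plain-text copy as soon as the call returns.
$fabricCred = Get-Credential -Message "Administrator of $FabricDomain" -UserName "$FabricDomain\Administrator"
$fabricPwd  = $fabricCred.GetNetworkCredential().Password
& netdom trust $HgsDomain "/domain:$FabricDomain" "/userD:$($fabricCred.UserName)" "/passwordD:$fabricPwd" /add
Remove-Variable fabricPwd

# Sanity checks: the URLs the guarded hosts will be pointed at, and the HGS self-diagnostics
Get-HgsServer
Get-HgsTrace -RunDiagnostics
```

Get-HgsServer prints the AttestationUrl and KeyProtectionUrl values that Step 4 asks for; keep them for the Set-HgsClientConfiguration call on the guarded host.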
You are now done with the HGS server configuration. Next, connect to your fabric domain controller and proceed with the steps below.
Step 3: Configuring the Guarded Fabric DC
1. Join the guarded host to the fabric AD domain.
2. Create a group named "GuardedHosts" with scope "Global" and group type "Security", as shown in the image.
3. Add the guarded host's computer account to the newly created group: go to Computers, right-click the guarded host and choose Add to a group.
Note: This assumes the guarded host (192.168.102.102) is already joined to the fabric domain; if not, join it first before proceeding with this step.
4. Type "GuardedHosts" in the object name field and click the "Check Names" button.
5. Add a conditional forwarder for the HGS domain name. To do this, open the DNS console on your AD host.
6. Right-click "Conditional Forwarders" and choose "New Conditional Forwarder".
7. Enter your HGS domain name 'Vembutechhgs.net' and its IP address 192.168.102.101, then add it.
8. Now open an elevated PowerShell on the AD server and run the command below:
Get-ADGroup "GuardedHosts" | Select-Object SID
Note down the resulting SID and keep it at hand.
9. Switch back to the PowerShell session on your HGS server and run the command below:
Add-HgsAttestationHostGroup -Name "GuardedHosts" -Identifier "S-1-5-21-1715446949-429339150-1483827033-1107"
Note: Replace the SID with the one you obtained in step 8.
10. To verify the registered attestation host group, run the command below on the HGS server.
On success, you will see a result like the one below.
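Steps 8 to 10 as two small functions, one per machine, that validate the SID before it becomes an attestation policy and confirm the registration afterwards. This is an added example, not code from the original post or from Vembu. It assumes Get-HgsAttestationHostGroup accepts -Name to look up a single registered host group (the verification cmdlet the post refers to), and uses the SID printed in the post only as a sample value.

```powershell
# Added example (not from the original post): registering the fabric's GuardedHosts
# group with HGS and verifying it (Step 3, items 8-10).
# Part 1 runs on the fabric DC (192.168.102.100), part 2 on the HGS node (192.168.102.101).

# --- Part 1: on the fabric domain controller ---------------------------------
# Returns the SID string to carry over to the HGS node, after checking the group
# has the scope and type the post asks for.
function Get-GuardedHostGroupSid {
    param([string]$GroupName = 'GuardedHosts')
    $group = Get-ADGroup -Identity $GroupName
    if ($group.GroupScope -ne 'Global' -or $group.GroupCategory -ne 'Security') {
        throw "$GroupName must be a Global security group (found $($group.GroupScope)/$($group.GroupCategory))"
    }
    $group.SID.Value
}
# Usage: Get-GuardedHostGroupSid | Set-Clipboard

# --- Part 2: on the HGS node ---------------------------------------------------
function Register-GuardedHostGroup {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$Sid
    )
    # Reject anything that is not a well-formed domain group SID before it becomes
    # an attestation policy: a mistyped SID silently fails every host's attestation.
    if ($Sid -notmatch '^S-1-5-21-\d+-\d+-\d+-\d+$') {
        throw "Not a valid domain group SID: $Sid"
    }
    # Assumption: -Name filters the registered host groups to a single entry
    if (Get-HgsAttestationHostGroup -Name $Name -ErrorAction SilentlyContinue) {
        Write-Warning "Host group policy '$Name' is already registered; skipping Add."
    } else {
        Add-HgsAttestationHostGroup -Name $Name -Identifier $Sid
    }
    # Verify (the post's item 10): the policy must now be listed
    $policy = Get-HgsAttestationHostGroup -Name $Name
    if (-not $policy) { throw "Host group policy '$Name' is missing after registration" }
    $policy
}
# Usage, with the sample SID from the post:
# Register-GuardedHostGroup -Name 'GuardedHosts' -Sid 'S-1-5-21-1715446949-429339150-1483827033-1107'
```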
At this point, we are done with all configuration settings at both AD and HGS hosts. Now, let’s move on to the guarded host configuration.
Step 4: Configuring the Guarded Host
1. On the guarded host, create the code integrity policy by running the following two commands one after the other:
New-CIPolicy -Level FilePublisher -Fallback Hash -FilePath 'C:\HWLCodeIntegrityc.xml'
ConvertFrom-CIPolicy -XmlFilePath 'C:\HWLCodeIntegrityc.xml' -BinaryFilePath 'C:\HWLCodeIntegrityc.p7b'
2. Copy the converted file C:\HWLCodeIntegrityc.p7b to the root of the C: drive on the HGS server (192.168.102.101).
3. Then run the following command on the HGS server:
Add-HgsAttestationCIPolicy -Path 'C:\HWLCodeIntegrityc.p7b' -Name 'StdGuardHost'
4. To get the AttestationUrl and KeyProtectionUrl, run the command below on your HGS server.
On a successful run, the result looks like the output below.
5. Switch back to your guarded host and configure it to use HGS by running the command below:
Set-HgsClientConfiguration -KeyProtectionServerUrl "http://hgs.vembutechhgs.net/KeyProtection" -AttestationServerUrl "http://hgs.vembutechhgs.net/Attestation"
Note: On successful verification, you will see output like this:
IsHostGuarded : True
Mode : HostGuardianService
KeyProtectionServerUrl : http://hgs.vembutechhgs.net/KeyProtection
AttestationServerUrl : http://hgs.vembutechhgs.net/Attestation
AttestationOperationMode : ActiveDirectory
AttestationStatus : Passed
AttestationSubstatus : NoInformation
6. You can also check the guarded status of the host on demand by running the command below on the guarded host.
7. Once the output shows IsHostGuarded as True, run the following commands to proceed:
7.1 Invoke-WebRequest 'http://hgs.vembutechhgs.net/KeyProtection/service/metadata/2014-07/metadata.xml' -OutFile 'C:\VembuTechGuardian.xml'
7.2 Import-HgsGuardian -Path 'C:\VembuTechGuardian.xml' -Name 'VembuTech' -AllowUntrustedRoot
7.3 $Guardian = Get-HgsGuardian -Name 'VembuTech'
7.4 $Owner = New-HgsGuardian -Name 'Owner' -GenerateCertificates
7.5 $KP = New-HgsKeyProtector -Owner $Owner -Guardian $Guardian -AllowUntrustedRoot
Note: The following assumes the guarded host already has a VM provisioned with the name "Testing-machine".
Also, before shielding the VM, make sure Remote Desktop is enabled inside the VM, because you cannot connect to a shielded VM through Virtual Machine Connection (the Hyper-V console).
7.6 $VMName = 'Testing-machine'
7.7 Stop-VM -Name $VMName -Force
7.8 Set-VMKeyProtector -VMName $VMName -KeyProtector $KP.RawData
7.9 Set-VMSecurityPolicy -VMName $VMName -Shielded $true
7.10 Enable-VMTPM -VMName $VMName
7.11 Start-VM -Name $VMName
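The guarded-host side of Step 4 (items 5 to 7.11) as one script that checks the host's attestation result before creating any key protector, reuses the Owner guardian instead of regenerating it, refuses to shield a VM that is not Generation 2, and confirms the end state with Get-HgsClientConfiguration and Get-VMSecurity. This is an added example, not code from the original post or from Vembu. It assumes the HGS URLs, guardian name and VM name from the post, that the code integrity policy and host group have already been registered on the HGS node, and that Remote Desktop is already enabled inside the guest; Get-VMSecurity is the Hyper-V cmdlet that reports the Shielded and TpmEnabled flags of a VM.

```powershell
# Added example (not from the original post): guarded-host side of Step 4 as one script,
# with checks before anything irreversible happens. Run in an elevated PowerShell on the
# guarded host (192.168.102.102).

$HgsBase      = 'http://hgs.vembutechhgs.net'
$GuardianName = 'VembuTech'
$VMName       = 'Testing-machine'
$MetadataFile = 'C:\VembuTechGuardian.xml'

# 1. Point this host at HGS and refuse to continue unless attestation actually passed.
Set-HgsClientConfiguration -KeyProtectionServerUrl "$HgsBase/KeyProtection" `
                           -AttestationServerUrl   "$HgsBase/Attestation" | Out-Null
$client = Get-HgsClientConfiguration
if (-not $client.IsHostGuarded -or $client.AttestationStatus -ne 'Passed') {
    throw "Host is not guarded: status=$($client.AttestationStatus) substatus=$($client.AttestationSubstatus)"
}

# 2. Import the HGS guardian (key protection metadata) only once.
if (-not (Get-HgsGuardian -Name $GuardianName -ErrorAction SilentlyContinue)) {
    Invoke-WebRequest "$HgsBase/KeyProtection/service/metadata/2014-07/metadata.xml" -OutFile $MetadataFile
    # -AllowUntrustedRoot only because the lab HGS uses self-signed certificates
    Import-HgsGuardian -Path $MetadataFile -Name $GuardianName -AllowUntrustedRoot | Out-Null
}
$guardian = Get-HgsGuardian -Name $GuardianName

# 3. Owner guardian: reuse it if it exists. Regenerating it on every run would leave
#    VMs shielded earlier with an owner key this host no longer holds.
$owner = Get-HgsGuardian -Name 'Owner' -ErrorAction SilentlyContinue
if (-not $owner) { $owner = New-HgsGuardian -Name 'Owner' -GenerateCertificates }

$kp = New-HgsKeyProtector -Owner $owner -Guardian $guardian -AllowUntrustedRoot

# 4. Shield the VM. Only Generation 2 VMs support a vTPM and shielding.
$vm = Get-VM -Name $VMName
if ($vm.Generation -ne 2) { throw "$VMName is Generation $($vm.Generation); shielding needs Generation 2" }
if ($vm.State -ne 'Off') { Stop-VM -Name $VMName -Force }

Set-VMKeyProtector   -VMName $VMName -KeyProtector $kp.RawData
Set-VMSecurityPolicy -VMName $VMName -Shielded $true
Enable-VMTPM         -VMName $VMName
Start-VM -Name $VMName

# 5. Confirm the result rather than assuming it.
$sec = Get-VMSecurity -VMName $VMName
if (-not $sec.Shielded -or -not $sec.TpmEnabled) {
    throw "$VMName did not end up shielded (Shielded=$($sec.Shielded), TpmEnabled=$($sec.TpmEnabled))"
}
$sec
```

The attestation check in step 1 is the important one: if AttestationStatus is anything other than Passed, the key protector created later cannot be unwrapped by HGS and the VM will fail to start after shielding, so the script stops before touching the VM.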
II. Configuring Vembu Backup for Hyper-V Shielded VMs
In the earlier steps we described how to convert a running VM into a shielded VM. Although shielded VMs protect against unauthorized access and tampering, they do not protect against data loss caused by VM failure or a disaster.
In this section, we will look at the process of backing up and protecting the Hyper-V Shielded VMs using the Vembu BDR Suite application.
- Log in to the Vembu BDR Backup Server with the default credentials (admin/admin), or, if you chose the custom configuration during installation and provided different credentials, use those to log in to the GUI.
- On the main console, select Backup → Configure Backups → Microsoft Hyper-V.
- Add the Hyper-V host on which the shielded VMs are running. The Vembu BDR Backup Server installs the Vembu Integration Service on the Hyper-V host; this service handles communication between the Hyper-V host and the Backup Server and is also used to take snapshots, track changed blocks and perform backups.
- Then click the Configure Backup option next to the host whose VMs you want to back up. This lists the VMs running on the host; in our case only one VM is running, as in the picture below.
- Next is guest OS processing, which is optional. Enable application-aware processing, log truncation and file exclusion if the VM runs critical applications such as Microsoft Active Directory, Exchange Server, SQL Server, SharePoint or Oracle; otherwise skip to the next step.
Note: If you enable application-aware settings, you must provide domain user credentials with administrator privileges.
- The next step offers several options for scheduling your backup. In our example the backup runs every day at 9 PM, with an additional full backup every Sunday at 9 PM. You can also set the maximum number of full backups to retain on your storage; here we retain 10 full backups. The additional full backup is optional.
- On the next step, we configure the retention policy, backup repository and encryption.
By default the retention policy is disabled and all restore points are retained. Enabling it lets you specify the number of restore points to keep. Here we leave the retention policy disabled, so all restore points are retained.
The backup repository list shows all backup locations added to the Vembu BDR backup server. You can add a new backup repository or use an existing one; here we use the existing repository.
Encryption: by default, all backup data is encrypted when stored in the backup repository. Enabling this option lets you protect the backup data with a system-generated password or a custom password. Here we do not use a custom password, so the setting is left as it is.
- On the next screen, review the settings and save the backup.
In this article, we looked at converting Hyper-V VMs into Shielded VMs and at the steps to secure and protect your production Hyper-V VMs using the Vembu BDR Suite. The steps and processes shared above are easy to implement with moderate technical knowledge.