Although Windows Server 2016 was not an R2 release, it was widely regarded by the IT industry as being a minor Windows Server release. Even so, Windows Server 2016 Hyper-V contained a new feature that makes this release a must have for any organization that hosts virtual machines on Hyper-V. That feature is virtual machine shielding.
Hyper-V virtual machines have always suffered from one extremely critical security vulnerability. Anyone who has physical access to a Hyper-V server could potentially gain access to the virtual machines that are running on that server.
The reason why physical access to a Hyper-V server presents such a huge risk has to do with the anatomy of a Hyper-V virtual machine. Virtual machines almost always make use of virtual hard disks. Although the virtual machine treats the virtual hard disk as though it were a real disk, to the host operating system a virtual hard disk is nothing more than a file. Like any other file, a virtual hard disk file can be moved, deleted, or even copied. Herein lies the problem.
A rogue administrator who has physical access to a Hyper-V host could easily copy a virtual hard disk file to a USB flash drive, or to a USB hard drive. The administrator would then be able to run the virtual machine on their own computer at home. Even if the administrator does not have an actual Hyper-V server at home, it does not matter, because Hyper-V virtual machines can be run on top of Windows 10.
Once the virtual machine is up and running on the rogue administrator’s personal computer, the administrator can log into the VM and begin using it for whatever purpose they had in mind. Even if the rogue administrator does not know the VM’s password, they can still gain access. Rather than booting the virtual machine, the administrator could simply tell Windows to mount the virtual hard disks. This would give the administrator access to the full contents of the virtual disks, without requiring the administrator to enter a password of to complete any other sort of authentication. Hence, the virtual machine’s contents are completely vulnerable to anyone who has physical access to the host server, even if that person does not know the virtual machine’s password.
The shielded virtual machine feature that is found in the latest version of Hyper-V is designed to protect virtual machine contents against this type of exploit. Shielded virtual machines are encrypted, and bound to specific hardware. This means that if someone were to make an unauthorized virtual machine copy, the copy would be useless because of the way that the virtual hard disk is encrypted. The person who made the copy would not be able to boot the VM, nor would they be able to browse the virtual hard disk’s contents.
There are three main components that work together to enable the shielding of virtual machines. The first of these components is the Host Guardian Service, which exists only in Windows Server 2016 Datacenter Edition. The Host Guardian Service is a host level component that provides two services – attestation and key protection. The attestation service is used in validating a Hyper-V host as being authorized to run shielded virtual machines. The key protection functionality maintains the keys that are needed in order to unlock and boot shielded virtual machines.
It is worth noting that even though it is possible to run the Host Guardian Service on a standalone server, it should only be used within a clustered environment. Otherwise, a host level failure could render the shielded virtual machines permanently inaccessible.
The second of the three main components used in the shielded virtual machine architecture is the guarded host. For all practical purposes, a guarded host is a Hyper-V host server that has been authorized by the Host Guardian Service to run shielded virtual machines.
Guarded hosts make use of something called the guarded fabric. The guarded fabric is essentially a hardened OS environment that makes the guarded host resistant to tampering through the use of code integrity checking and other security mechanisms.
The final major component used for VM shielding is the shielded virtual machine itself. Only Generation 2 virtual machines can be shielded. Furthermore, the virtual machine must contain a virtual TPM chip, and the underlying virtual hard disk must be BitLocker encrypted.
Follow our Twitter and Facebook feeds for new releases, updates, insightful posts and more.
