Matt works as a datacenter fabric engineer for Contoso, a premier datacenter service provider located in the southeast United States. Matt is a disgruntled employee who plans to resign from his position next week after performing some activities he’s planned for the past several months.
First, Matt logs into a rack-mounted Hyper-V host that contains virtual machines owned by a local health care firm. He targets a virtual domain controller, stops the VM, and copies its VHD to Matt’s trusty USB thumb drive. He figures, correctly, that the health care firm has several domain controllers and won’t notice this virtual DC being offline for one hour.
Second, Matt copies the VHD to his personal laptop, where he uses community hacking software to launch an offline attack on the client’s Active Directory database.
Third, Matt logs into one of the client’s file server VMs and injects some malware that scans the server’s file system for sensitive data and transmits it to Matt’s offshore FTP account.
After all is said and done, Matt “owns” sensitive data from one of Contoso’s most important clients, and he has a back door to their information systems, available for Matt’s use whenever he wishes.
This is a nightmarish scenario, isn’t it? The sad fact is that it reflects reality. In this chapter we examine new Windows Server 2016 features that address the separation-of-duties problem between fabric administrators and workload administrators. Specifically, we dive into Microsoft’s Guarded Fabric solution, which protects Hyper-V VM workloads against the administrators of the virtualization hosts. The days of the hardware host having full, “keys to the kingdom” access to all guest VMs are rapidly coming to an end.
Skills in this chapter:
- Implement a Guarded Fabric solution
- Implement shielded and encryption-supported VMs
More to that point, a fabric administrator is a systems administrator who is charged with the maintenance of the fabric’s constituent hardware and system software. In a Hyper-V context, this normally allows the fabric administrator to perform actions like:
- Start, restart, and service the host hardware
- Start and stop the host’s virtual machines (VMs)
Notice that a fabric administrator may well have no right to actually log in to those hosted VMs. That job role is normally reserved for the workload administrator.
It’s true that in some businesses the fabric administrators and the workload administrators are the same people. Guarded Fabric isn’t appropriate for those scenarios.
FIGURE 2-1 Guarded Fabric conceptual
Preparing your HGS nodes
Technically, the HGS server role provides two services that enable guarded hosts (also known as HGS clients) to run shielded virtual machines. For now, consider a shielded VM to be a protected VM; we’ll formally delve into shielded VMs specifically later in the chapter.
What are the two services?
- Attestation: The Host Guardian Service unlocks a shielded VM only if the identity and integrity of the VM have been verified.
- Key protection: These are the encryption keys that enable the shielded VM to transition between the encrypted and unencrypted states.
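The following PowerShell is an added example, not code from the book, showing how the two services above come into existence when an HGS cluster is built in TPM-trusted mode: the first node creates the bastion forest and publishes both services, and additional nodes (Microsoft recommends three) join it. The forest name `bastion.local`, the service name `hgs`, the certificate paths under `C:\hgs-certs` and the first node’s address `10.0.0.10` are assumptions for the example.

```powershell
# Added example (not from the book). Assumed names: bastion forest 'bastion.local',
# HGS service name 'hgs', PFX files under C:\hgs-certs, first node at 10.0.0.10.

# --- Node 1: create the HGS bastion forest and publish the two services ---
Install-WindowsFeature -Name HostGuardianServiceRole -IncludeManagementTools -Restart

# HGS lives in its own forest; this promotes the node to that forest's first domain controller.
$safeModePwd = Read-Host -AsSecureString -Prompt 'Directory Services Restore Mode password'
Install-HgsServer -HgsDomainName 'bastion.local' -SafeModeAdministratorPassword $safeModePwd -Restart

# After the reboot, log on as the bastion forest's domain administrator and initialize HGS.
# -TrustTpm selects TPM-trusted attestation (hosts prove identity with their TPM 2.0 EKpub).
$certPwd = Read-Host -AsSecureString -Prompt 'PFX password'
Initialize-HgsServer -HgsServiceName 'hgs' `
    -SigningCertificatePath 'C:\hgs-certs\signing.pfx' -SigningCertificatePassword $certPwd `
    -EncryptionCertificatePath 'C:\hgs-certs\encryption.pfx' -EncryptionCertificatePassword $certPwd `
    -TrustTpm

# Both services the chapter describes are now published; guarded hosts are pointed at these URLs.
Get-HgsServer | Select-Object AttestationOperationMode, AttestationUrl, KeyProtectionUrl

# --- Node 2 (repeat for node 3 to reach the recommended three-node cluster) ---
Install-WindowsFeature -Name HostGuardianServiceRole -IncludeManagementTools -Restart
$domainCred = Get-Credential -Message 'bastion.local domain administrator'
Install-HgsServer -HgsDomainName 'bastion.local' -HgsDomainCredential $domainCred -Restart

# After the reboot, join the existing HGS cluster by pointing at the first node.
Initialize-HgsServer -HgsServerIPAddress 10.0.0.10

# --- From any node: run the built-in diagnostics before trusting the cluster ---
Get-HgsTrace -RunDiagnostics
```

The signing certificate is what attestation uses to sign health certificates for guarded hosts, and the encryption certificate is what key protection uses to wrap and unwrap the keys that seal a shielded VM; losing either breaks every VM that depends on this cluster, so back them up with the same care as the cluster itself.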
- The Host Guardian Service (HGS) is a new role in Windows Server 2016 that allows for the creation and management of shielded virtual machines.
- The need for HGS and shielded VMs is based on the separation of duties between workload (VM) administrators and fabric (Hyper-V host) administrators and on least-privilege security.
- HGS is deployed exclusively with PowerShell; Microsoft recommends at least three nodes per HGS cluster to support high availability.
- HGS and shielded VMs rely upon various hardware and software features (physical and virtual TPM, UEFI, Secure Boot, Hardware Security Module (HSM), and more).
- HGS has two main functions: attestation that a guarded host is healthy, and key transfer to lock and unlock shielded virtual machines.
- Local console access is blocked for shielded virtual machines, making pre-shielding VM configuration crucial to allow for remote management.
- Shielded VMs offer strong protection against fabric (host) administrators as well as compromised Hyper-V host servers themselves.
- Shielded VM deployment is inextricably tied to the presence and availability of a Host Guardian Service (HGS) cluster.
- The strong protections offered by shielded VMs have one potential downfall: no host console access could lead to connectivity and availability problems if the shielded VM isn’t correctly configured.
- Encryption-supported VMs represent an approach that combines some of the shielded VM protections but preserves console access. However, this protection method involves trusting your fabric admins.
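The PowerShell below is an added example, not the book’s code, that walks the host side of the summary points above: registering a Hyper-V host with the two HGS services and checking that it attested, configuring remote management inside a VM while the console still works, and then choosing between a shielded VM and an encryption-supported VM with `Set-VMSecurity`. The HGS name `hgs.bastion.local`, the VM name `app01`, the guardian names `Contoso-Owner` and `Contoso-Fabric` and the path `C:\hgs` are assumptions for the example.

```powershell
# Added example (not from the book). Assumed names: HGS at hgs.bastion.local,
# VM 'app01', owner guardian 'Contoso-Owner', fabric guardian 'Contoso-Fabric'.

# --- On the Hyper-V host: point it at attestation and key protection, then verify ---
Install-WindowsFeature -Name HostGuardian -IncludeManagementTools   # reboot required afterwards
Set-HgsClientConfiguration `
    -AttestationServerUrl 'http://hgs.bastion.local/Attestation' `
    -KeyProtectionServerUrl 'http://hgs.bastion.local/KeyProtection'

$client = Get-HgsClientConfiguration
if ($client.AttestationStatus -ne 'Passed') {
    throw "Host did not attest (status: $($client.AttestationStatus)); it cannot run shielded VMs"
}

# --- Pre-shielding configuration: do this while the console and PowerShell Direct still work ---
# After shielding, VMConnect and PowerShell Direct are blocked, so WinRM and RDP must already
# be enabled inside the guest or the workload admin will have no way in.
Invoke-Command -VMName 'app01' -Credential (Get-Credential -Message 'guest administrator') -ScriptBlock {
    Enable-PSRemoting -Force
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
        -Name fDenyTSConnections -Value 0
    Enable-NetFirewallRule -DisplayGroup 'Remote Desktop'
}

# --- Key protector: the tenant's owner guardian plus the fabric's HGS guardian ---
$owner = Get-HgsGuardian -Name 'Contoso-Owner' -ErrorAction SilentlyContinue
if (-not $owner) {
    $owner = New-HgsGuardian -Name 'Contoso-Owner' -GenerateCertificates
}
# The HGS key protection service publishes its guardian metadata at this well-known path.
Invoke-WebRequest -Uri 'http://hgs.bastion.local/KeyProtection/service/metadata/2014-07/metadata.xml' `
    -OutFile 'C:\hgs\metadata.xml'
$fabric = Import-HgsGuardian -Path 'C:\hgs\metadata.xml' -Name 'Contoso-Fabric' -AllowUntrustedRoot
$keyProtector = New-HgsKeyProtector -Owner $owner -Guardian $fabric -AllowUntrustedRoot

Stop-VM -Name 'app01'
Set-VMKeyProtector -VMName 'app01' -KeyProtector $keyProtector.RawData
Enable-VMTPM -VMName 'app01'

# Choice 1: shielded VM. Protects against the fabric admin and a compromised host; no console.
Set-VMSecurity -VMName 'app01' -Shielded $true

# Choice 2: encryption-supported VM. Encrypts saved state and migration traffic but keeps
# the console, which means the fabric admin is still trusted. Use instead of Choice 1:
# Set-VMSecurity -VMName 'app01' -Shielded $false -EncryptStateAndVmMigrationTraffic $true

Start-VM -Name 'app01'
# Shielded, TpmEnabled and EncryptStateAndVmMigrationTraffic show which mode is in effect.
Get-VMSecurity -VMName 'app01'
```

If the host’s attestation status is anything other than `Passed`, HGS will not release the key that unlocks the VM’s virtual TPM, so the VM will fail to start on that host; that is the intended behaviour, and `Get-HgsTrace -RunDiagnostics` on the host is the first place to look for why attestation failed.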