Saturday, January 19, 2019

How Host Guardians secure Windows Server 2016 Hyper-V VMs



The purpose of this blog post is to walk through the default configuration steps for the Host Guardian Service role and the corresponding Hyper-V support components. For advanced scenarios and more information about the topology of the guarded fabric, refer to the guarded fabric deployment guide.

1. Install the Host Guardian Service (HGS) role
On a machine running Windows Server 2016, install the Host Guardian Service role using Server Manager or Windows PowerShell. As a security best practice, we recommend using a dedicated physical machine running the Server Core installation option for HGS.
[Screenshot 02]
2. Configuring the HGS server
After installing the HGS role, you still need to configure it to make the machine a fully functional HGS server. All management of HGS is done through Windows PowerShell.

Note: This post assumes the default installation mode for HGS, where a new Active Directory forest is created specifically for the Host Guardian Service. If you would rather join HGS to an existing, highly trusted Active Directory domain, consult the guarded fabric deployment guide for the additional configuration steps you must take.

2.1. Install-HgsServer
The first step is installing the dedicated Active Directory forest for the HGS servers. Every node in the HGS cluster is a domain controller for this private domain. Make sure the HGS server is not already joined to a domain before running this command.
[Screenshot 03]
After the machine restarts, it will be the first domain controller for the newly created domain. Log into the server with your administrator account to continue the HGS setup process.
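The two steps so far (installing the role, then creating the HGS forest), as an added example that is not part of the original post. The domain name, the password prompt and the domain-membership check are assumptions for this walkthrough; the cmdlets themselves are the ones the post refers to.

```powershell
# Added example (not from the original post): install the HGS role and create
# the dedicated HGS forest. Run in an elevated PowerShell session on the
# machine that will become the first HGS node. The domain name below is a
# placeholder.

# 1. Install the Host Guardian Service role (section 1). The role requires a
#    restart before the HGS cmdlets become available.
Install-WindowsFeature -Name HostGuardianServiceRole -IncludeManagementTools -Restart

# 2. After the reboot, confirm the machine is NOT already domain-joined;
#    Install-HgsServer promotes it to the first DC of a brand-new forest and
#    refuses (or misbehaves) on a server that already belongs to a domain.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if ($cs.PartOfDomain) {
    throw "This machine is joined to '$($cs.Domain)'. HGS must be installed on a standalone (workgroup) server."
}

# 3. Create the dedicated HGS forest (section 2.1). The machine restarts and
#    comes back as the first domain controller of the new domain.
$hgsDomain    = 'secure.example.com'   # placeholder: the private HGS domain name
$dsrmPassword = Read-Host -Prompt 'Safe-mode (DSRM) administrator password' -AsSecureString

Install-HgsServer -HgsDomainName $hgsDomain `
                  -SafeModeAdministratorPassword $dsrmPassword `
                  -Restart
```

The DSRM password is read interactively rather than stored in the script so it never lands in a transcript or history file; the same applies to the PFX passwords used in the next step.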

2.2. Initialize-HgsServer

With the domain set up, it is now time to configure the HGS cluster and the web services for Key Protection and Attestation. You will need two certificates (one for signing, one for encryption) to complete this step.
[Screenshot 04]
“HgsServiceName” is used to register the cluster service name with the local DNS server. In the example above, the service name is “HGS”, so the FQDN of the service is “HGS.DomainName.com” (refer to the domain name specified in Install-HgsServer).

The “TrustTpm” parameter specifies the attestation service operating mode. For TPM-trusted attestation, use “-TrustTpm”. If your host machines do not meet the hardware requirements for TPM attestation, you can configure HGS to use AD attestation with the “-TrustActiveDirectory” parameter.

The last four parameters specify the signing and encryption certificates, provided as references to password-protected PFX files that contain the public and private keys of each certificate. These certificates are used by the Key Protection Service in HGS to decrypt the keys of shielded VMs. Owners of shielded VMs use the public keys to authorize a fabric to run their VMs.

If you are setting up HGS in your test lab, you can use self-signed certificates to get started quickly. To generate self-signed certificates and export them to PFX files, use the New-SelfSignedCertificate and Export-PfxCertificate cmdlets.

When using HSM-backed certificates or non-exportable certificates from your PKI, you can specify the thumbprint of the certificate instead of a PFX file and password when running Initialize-HgsServer. The guarded fabric deployment guide explains the additional steps you need to take when using PKI-issued or HSM-backed certificates.

2.3. Validate your configuration

Once the first HGS server is configured, you can run the HGS diagnostics to make sure everything is set up properly. In PowerShell, run the following command to check whether there are any additional steps you need to take.
[Screenshot HGS01]
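Sections 2.2 and 2.3 together, as an added example that is not part of the original post: test-lab certificates are generated and exported, the cluster is initialized for TPM-trusted attestation, and the diagnostics are run. The service name, certificate subject names, output directory and the thumbprint variant shown in the comment are assumptions.

```powershell
# Added example (not from the original post): generate test-lab signing and
# encryption certificates, initialize the HGS cluster in TPM mode, then run the
# built-in diagnostics. Service name, DNS names and paths are placeholders.

$hgsServiceName = 'HGS'          # registered in DNS as HGS.<HgsDomainName>
$certDir        = 'C:\HgsCerts'
New-Item -ItemType Directory -Path $certDir -Force | Out-Null
$pfxPassword    = Read-Host -Prompt 'PFX export password' -AsSecureString

# Self-signed certificates are only suitable for a test lab; production
# deployments should use PKI-issued or HSM-backed certificates.
$signingCert = New-SelfSignedCertificate -DnsName 'signing.hgs.secure.example.com' `
                                         -CertStoreLocation 'Cert:\LocalMachine\My'
$encryptCert = New-SelfSignedCertificate -DnsName 'encryption.hgs.secure.example.com' `
                                         -CertStoreLocation 'Cert:\LocalMachine\My'

# Export both certificates (public + private key) to password-protected PFX files.
$signingPfx = Join-Path $certDir 'HgsSigning.pfx'
$encryptPfx = Join-Path $certDir 'HgsEncryption.pfx'
Export-PfxCertificate -Cert $signingCert -FilePath $signingPfx -Password $pfxPassword | Out-Null
Export-PfxCertificate -Cert $encryptCert -FilePath $encryptPfx -Password $pfxPassword | Out-Null

# Initialize HGS for TPM-trusted attestation. For AD-trusted (admin-trusted)
# attestation replace -TrustTpm with -TrustActiveDirectory.
Initialize-HgsServer -HgsServiceName $hgsServiceName `
    -SigningCertificatePath    $signingPfx -SigningCertificatePassword    $pfxPassword `
    -EncryptionCertificatePath $encryptPfx -EncryptionCertificatePassword $pfxPassword `
    -TrustTpm

# Non-exportable or HSM-backed certificates already in the local machine store
# are referenced by thumbprint instead of by PFX file (assumed variant):
#   Initialize-HgsServer -HgsServiceName $hgsServiceName `
#       -SigningCertificateThumbprint    $signingCert.Thumbprint `
#       -EncryptionCertificateThumbprint $encryptCert.Thumbprint `
#       -TrustTpm

# Validate the configuration (section 2.3). Any failed check is listed with
# the remediation step it expects.
Get-HgsTrace -RunDiagnostics -Detailed
```

Once Initialize-HgsServer completes, the private keys of the two PFX files live in the HGS certificate store; the PFX files themselves should be deleted from the server or moved to an offline location, since anyone holding them and the password can decrypt shielded VM keys.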

3. Authorizing guarded hosts

Before a Hyper-V host can run shielded VMs, HGS must be configured with attestation policies that are used to determine whether the host is “healthy” and allowed to request keys for shielded VMs.

3.1. TPM-trusted attestation

For TPM-trusted attestation, a guarded host’s TPM 2.0 Endorsement Key (EK) needs to be retrieved and added to the list of authorized hosts in HGS.

On each host, use the Get-PlatformIdentifier cmdlet to generate an XML file containing the EKpub and EKcert.
[Screenshot 05]

Copy this file to your HGS server and use the Add-HgsAttestationTpmHost cmdlet to authorize the guarded host with the attestation service:
[Screenshot 06]

3.2 AD-trusted attestation

For Admin-trusted attestation, the guarded host is expected to be a member of an Active Directory security group. Use Add-HgsAttestationHostGroup to authorize the Active Directory group’s SID with the Attestation service:
[Screenshot 07]
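Both authorization paths from sections 3.1 and 3.2, as an added example that is not part of the original post. The staging directory, host naming, group name and the SID value are assumptions; the AD part assumes the one-way trust between the fabric domain and the HGS domain already exists.

```powershell
# Added example (not from the original post): authorize guarded hosts with the
# HGS attestation service. Host names, paths, group name and SID are placeholders.

# ----- 3.1 TPM-trusted attestation -----

# On each guarded host: capture the TPM 2.0 EKpub/EKcert. Get-PlatformIdentifier
# writes the XML to the pipeline, so it is redirected into a file named after
# the host; the file is then copied to the HGS server.
$stage = 'C:\HgsSetup'
New-Item -ItemType Directory -Path $stage -Force | Out-Null
$hostName = $env:COMPUTERNAME
Get-PlatformIdentifier -Name $hostName | Out-File -FilePath (Join-Path $stage "$hostName.xml")

# On the HGS server, after the XML files have been copied into $stage:
# register every host once, using the file name as the host name in HGS.
Get-ChildItem -Path (Join-Path $stage '*.xml') | ForEach-Object {
    Add-HgsAttestationTpmHost -Path $_.FullName -Name $_.BaseName -Force
}
# Review the authorized host list (an unexpected entry here is a host that can
# obtain keys for your shielded VMs).
Get-HgsAttestationTpmHost

# ----- 3.2 AD-trusted (admin-trusted) attestation -----

# On a machine in the FABRIC domain: look up the SID of the security group
# that the guarded hosts belong to (requires the ActiveDirectory module).
#   (Get-ADGroup -Identity 'GuardedHosts').SID.Value

# On the HGS server: authorize that group by SID. The SID below is a placeholder.
$groupSid = 'S-1-5-21-0000000000-0000000000-0000000000-1234'
Add-HgsAttestationHostGroup -Name 'GuardedHosts' -Identifier $groupSid
Get-HgsAttestationHostGroup
```

In AD-trusted mode, membership of that group is the whole attestation decision, so controlling who can add computers to it deserves the same care as controlling the HGS servers themselves.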

Note: For AD-trusted attestation, you also need to establish a one-way trust between the fabric Active Directory domain and the HGS domain. Consult the deployment guide for instructions on how to set up this trust.

4. Configuring Policies (TPM-trusted attestation only)

For TPM-trusted attestation, the guarded host’s code integrity is also verified. You need to configure baseline policies with the attestation service to establish one or more authorized (known good) host configurations.

Note: For AD-trusted attestation, the guarded host’s configuration is not verified. Hence, the steps below are not required for AD-trusted attestation.

4.1. Add-HgsAttestationCIPolicy
On a reference host (sometimes referred to as a golden image) that is fully configured with all software agents and features installed, run the New-CIPolicy cmdlet to generate a code integrity policy. This policy will be applied to every machine with the same configuration and is used to prevent unauthorized code from running on the host. You should create a CI policy once for every unique hardware/software configuration in your datacenter. Consult the deployment guide for detailed instructions on the CI policy cmdlets.

Once generated, you’ll have a code integrity policy stored in a binary file with a .p7b extension. Copy this file to your HGS server and add it to the attestation service:
[Screenshot 08]

4.2. Get-HgsAttestationBaselinePolicy
Next, for every unique hardware configuration in your datacenter, you need to collect a TPM baseline policy. This file contains information about the UEFI boot sequence up to the point where control of the system is handed off to the Windows boot loader. It is validated by HGS to ensure the system did not attempt to load unauthorized code, such as a rootkit, before Windows was loaded.

To capture a TPM baseline policy, run the following command on a reference host:
[Screenshot 09]

Copy the file to your HGS server and register it with the attestation service:
[Screenshot 10]
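Sections 4.1 and 4.2 carried through for one reference configuration, as an added example that is not part of the original post. The configuration label “HW1”, the staging directory and the policy names are assumptions; the New-CIPolicy options shown (publisher-level rules with a hash fallback) are one reasonable choice, not the only one.

```powershell
# Added example (not from the original post): build the code-integrity policy
# and TPM baseline for one reference hardware/software configuration ("HW1")
# and register both with HGS. Names and paths are placeholders.

# ----- On the reference host (golden image) -----
$stage = 'C:\HgsPolicies'
New-Item -ItemType Directory -Path $stage -Force | Out-Null

# 4.1 Generate a CI policy that allows only the software currently installed.
#     FilePublisher rules survive routine updates from the same signer; the
#     Hash fallback covers unsigned binaries. -UserPEs includes user-mode code.
$ciXml = Join-Path $stage 'HW1CodeIntegrity.xml'
$ciBin = Join-Path $stage 'HW1CodeIntegrity.p7b'
New-CIPolicy -Level FilePublisher -Fallback Hash -FilePath $ciXml -UserPEs

# HGS consumes the binary (.p7b) form of the policy.
ConvertFrom-CIPolicy -XmlFilePath $ciXml -BinaryFilePath $ciBin | Out-Null

# 4.2 Capture the TPM baseline: the UEFI boot measurements up to the Windows
#     boot loader. -SkipValidation allows the capture on a reference host that
#     does not yet have its CI policy enforced; read any warnings it prints.
$tcgLog = Join-Path $stage 'HW1.tcglog'
Get-HgsAttestationBaselinePolicy -Path $tcgLog -SkipValidation

# ----- On the HGS server, after copying the two files into $stage -----
Add-HgsAttestationCIPolicy  -Path $ciBin  -Name 'HW1CodeIntegrity'
Add-HgsAttestationTpmPolicy -Path $tcgLog -Name 'HW1Baseline'

# Confirm both policies are now registered with the attestation service.
Get-HgsAttestationPolicy
```

Repeat the reference-host part once per distinct hardware/software combination and give each pair of policies a name that identifies that combination; when a host later fails attestation, the substatus reported on the client points at which of these policies did not match.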

5. Configure the HGS client
The final step is to configure each guarded host to attest with and request keys from your HGS servers. You can find the two URLs to use here by running Get-HgsServer on the HGS server. Run the following command on each guarded host:
[Screenshot 11]
This command triggers an attestation attempt with the server and shows you its result. If “IsHostGuarded” is not true, check the attestation status and sub-status for indications of why your host did not pass attestation with HGS.
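The client-side step, as an added example that is not part of the original post: the host is pointed at the two HGS URLs and the attestation result is inspected rather than just displayed. The URLs are placeholders for the values Get-HgsServer reports on your HGS server.

```powershell
# Added example (not from the original post): point a guarded host at HGS and
# evaluate the attestation result. The URLs are placeholders; take the real
# AttestationUrl and KeyProtectionUrl values from Get-HgsServer on HGS.

# On the HGS server, the two URLs come from:
#   Get-HgsServer

# On each guarded host:
$attestationUrl   = 'http://hgs.secure.example.com/Attestation'
$keyProtectionUrl = 'http://hgs.secure.example.com/KeyProtection'

# Setting the configuration triggers an attestation attempt against HGS.
Set-HgsClientConfiguration -AttestationServerUrl $attestationUrl `
                           -KeyProtectionServerUrl $keyProtectionUrl

# Re-read the client state so the outcome can be checked programmatically
# (useful when rolling this out to many hosts with Invoke-Command).
$cfg = Get-HgsClientConfiguration
if ($cfg.IsHostGuarded) {
    Write-Output ("{0} passed attestation (mode: {1})." -f $env:COMPUTERNAME, $cfg.Mode)
} else {
    # AttestationStatus says which phase failed; AttestationSubstatus narrows
    # it down, e.g. to a CI policy or TPM baseline not registered on HGS.
    Write-Warning ("{0} is NOT guarded. AttestationStatus={1}; AttestationSubstatus={2}" -f `
        $env:COMPUTERNAME, $cfg.AttestationStatus, $cfg.AttestationSubstatus)
}
```

A host that reports IsHostGuarded as false is not broken for ordinary VMs; it simply cannot obtain keys from HGS, so shielded VMs will refuse to start on it until the reported status is resolved.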

6. Conclusion
Now that the HGS attestation service has been configured with information about the trusted hosts and their trusted configurations in your datacenter, you are ready to create your first shielded VM. See the follow-up blog post or the deployment guide for information about creating a shielded VM.
