Explore features and benefits of Hyper-V guarded fabric.
- [Instructor] To help protect against a compromised fabric, Windows Server 2016 Hyper-V introduces shielded VMs. Shielded VMs run on a Hyper-V guarded fabric. A guarded fabric consists of one host guardian service, typically a cluster of three nodes, one or more guarded Hyper-V hosts, and a set of shielded VMs. A shielded VM is a generation two virtual machine, which is supported on Windows Server 2012 or later.
It has a virtual Trusted Platform Module or TPM, it's encrypted using BitLocker, and can only run on a healthy and approved host in our fabric. Shielded VMs and guarded fabric enable service providers and enterprises to provide a more secure environment for their tenant VMs. The host guardian service, or HGS for short, uses attestation to ensure that only known, valid hosts can start the shielded VMs and key protection to ensure that we securely release the keys for shielded VMs.
In the guarded fabric solution, the HGS supports two different attestation modes for a guarded fabric: TPM-trusted attestation, which is hardware based, and admin-trusted attestation, which is Active Directory based. TPM-trusted attestation is recommended simply because it provides more and stronger assurances. TPM-trusted attestation offers the strongest possible protection but also requires more configuration steps.
Host hardware and firmware must include TPM 2.0 and UEFI 2.3.1 or later with Secure Boot enabled. Guarded hosts that can run shielded VMs are approved based on their TPM identity, their measured boot sequence, and code integrity policies, so that you can ensure that these hosts are only running approved code. Admin-trusted attestation is really intended to support existing host hardware where TPM 2.0 is not available and the administrators of the fabric are trusted.
It requires fewer configuration steps, it's compatible with a variety of commonplace hardware, and guarded hosts that can run shielded VMs are approved by the host guardian service based on membership in an Active Directory Domain Services security group. This is the only check made in admin-trusted mode. HGS, together with the methods for creating shielded VMs, helps provide a number of assurances.
BitLocker-encrypted disks and data: shielded VMs use BitLocker to protect their disks. The BitLocker keys needed to boot the VM and decrypt the disk are protected by the shielded VM's virtual TPM using industry standard technology such as Secure Measured Boot. Deployment of shielded VMs comes from trusted template disk images, which enables us to specify which template disks we trust. Shielded template disks have signatures that are computed at a point in time when their content is deemed trustworthy.
Protection of passwords and other secrets when a shielded VM is created: when creating a VM, it's necessary to ensure that VM secrets, such as that trusted disk signature, Remote Desktop Protocol certificates, and the password of the VM's local administrator account, are not divulged to the fabric administrators. These secrets are stored in an encrypted file called a shielding data file, or PDK file, which is protected by tenant keys and uploaded to the fabric by the tenant administrator.
When a shielded VM is created, the tenant selects the shielding data to use, which securely provides these secrets only to trusted components within the guarded fabric. The tenant can control where VMs can be started. Shielding data also includes a list of the guarded fabrics on which a particular shielded VM is actually permitted to run. This is useful, for example, in cases where a shielded VM typically resides in an on-premises private cloud but may need to be migrated to another public or private cloud for disaster recovery services.
The target cloud or fabric must support shielded VMs, and the shielded VM must permit that fabric to run it. Guarded fabrics are capable of running VMs in one of three possible ways: a normal VM with no protections, an encryption-supported VM, and a shielded VM with all protections enabled, which cannot be disabled by a fabric administrator.
Encryption-supported VMs are intended for use where the fabric administrators are fully trusted, and shielded VMs are for use in fabrics where the data and state of the virtual machine must be protected from both fabric administrators and untrusted software that might be running on the Hyper-V host. For example, shielded VMs will never permit a VM console connection, whereas a fabric administrator can turn this protection on or off for encryption-supported VMs.
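The three VM kinds and the host-side attestation state described above can be audited from a guarded host. The following PowerShell script is an added example and is not part of the course or of Microsoft's own tooling; it assumes the Hyper-V module cmdlets Get-VM and Get-VMSecurity and the HGS client cmdlet Get-HgsClientConfiguration are present on the host, and the mapping of the Shielded and TpmEnabled flags onto the "shielded", "encryption-supported" and "normal" categories is the author's assumption, as are the property names read from the HGS client configuration.

```powershell
# Added audit example (not from the course): report the protection level of every VM on
# this Hyper-V host and whether the host itself is currently attested by HGS.
# Assumes the Hyper-V PowerShell module (Get-VM, Get-VMSecurity) and the HGS client
# cmdlet Get-HgsClientConfiguration; run from an elevated session on the host.

function Get-VmProtectionLevel {
    param([Parameter(Mandatory)] $VM)
    $sec = Get-VMSecurity -VM $VM
    # Assumed mapping of the three VM kinds onto the security flags:
    #   Shielded            -> all protections on, not changeable by a fabric admin
    #   EncryptionSupported -> vTPM present (BitLocker usable) but protections admin-controlled
    #   Normal              -> no vTPM, no protections
    if ($sec.Shielded)       { return 'Shielded' }
    elseif ($sec.TpmEnabled) { return 'EncryptionSupported' }
    else                     { return 'Normal' }
}

function Get-GuardedHostStatus {
    # Property names below are assumed from the HGS client configuration object.
    $cfg = Get-HgsClientConfiguration
    [pscustomobject]@{
        Mode                   = $cfg.Mode                   # 'Local' means no HGS: keys stay on the host, nothing is attested
        AttestationServerUrl   = $cfg.AttestationServerUrl
        KeyProtectionServerUrl = $cfg.KeyProtectionServerUrl
        IsHostGuarded          = $cfg.IsHostGuarded          # true only after a successful attestation
        AttestationStatus      = $cfg.AttestationStatus
    }
}

function Get-VmProtectionReport {
    Get-VM | ForEach-Object {
        $sec = Get-VMSecurity -VM $_
        [pscustomobject]@{
            Name           = $_.Name
            Generation     = $_.Generation   # shielded VMs must be generation 2
            Protection     = Get-VmProtectionLevel -VM $_
            StateEncrypted = $sec.EncryptStateAndVmMigrationTraffic
        }
    }
}

# Usage: host attestation state first, then the per-VM table, then a warning per unprotected VM.
Get-GuardedHostStatus | Format-List
$report = Get-VmProtectionReport
$report | Format-Table -AutoSize
$report | Where-Object { $_.Protection -eq 'Normal' } | ForEach-Object {
    Write-Warning "VM '$($_.Name)' has no vTPM; its disks and saved state are readable by fabric administrators."
}
```

A host whose Mode is Local or whose IsHostGuarded is false cannot obtain keys from HGS, so any VM reported as Shielded on such a host will fail to start until attestation succeeds; that is the expected behaviour of the fabric, not a fault in the VM.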