Securing the Hyper-V Server
Your Hyper-V servers are running the majority of your server operating system
instances and potentially your desktops if you’re using VDI solutions. While an
administrator on a Hyper-V server cannot bypass the regular logon to an operating
system in a virtual machine, if you have access to the Hyper-V server, then you have
access to the virtual machine storage. The storage could then be mounted, and the
content could be accessed.
The normal security best practices for servers should apply:
Ensure that servers are physically secure.
Ensure that the firewall is enabled.
Patch servers.
Run malware protection (with the required exclusions configured).
Restrict who is an administrator (and by extension, domain administrators should
be limited as well).
Run Server Core on Hyper-V servers.
Do not run other applications or browse the Web on Hyper-V servers. Running
Server Core will help stop this.
Use BitLocker to encrypt volumes containing virtual machines; it can also be used
on Cluster Shared Volumes.
Make sure administrators are well trained and understand their actions.
Use Group Policy to ensure that policies are set as required.
Have a monitoring solution in place, and ensure that security logs are checked to
detect any attack attempts.The best Microsoft resource to help with security is the Microsoft Security
Compliance Manager, which is available at the following location:
http://www.microsoft.com/en-us/download/details.aspx?id=16776
It is a large download at over 100MB, but it provides not only documentation to help
secure your entire environment but also tools and templates to ensure security.