Shielded VMs and Host Guardian Service
A huge focus for most environments is security and providing protection from
external threats. However, some threats don’t originate from outside the organization.
Today, in most virtual environments, many types of administrators have access to
virtual machine assets such as their storage. This includes virtualization
administrators, storage administrators, network administrators, and backup
administrators, to name just a few. The power of administrators is not a new concept,
and the normal mindset is that administrators should be trusted actors in the
organization and it’s OK for them to be privileged. This view is changing, however,
especially in virtualization environments and even more so in virtualization
environments that have VMs hosted from other organizations. For this reason, many
organizations including hosting providers need a way to secure VMs even from
administrators, which is exactly what shielded VMs provide. Note that this protection
from administrators is needed for various reasons:
Phishing attacks
Stolen administrator credentials
Insider attacksReview of Shielded VMs and Host Guardian Service
Shielded VMs provide protection for the data and state of the VMs against inspection,
theft, and tampering from administrator privileges. Shielded VMs work for generation
2 VMs, which provide the necessary Secure Boot, UEFI firmware, and virtual Trusted
Platform Module (vTPM) 2 capabilities required to implement shielded VMs. While
the Hyper-V hosts must be running Windows Server 2016 Datacenter (for the full set
of capabilities), the guest operating system in the VM can be Windows Server 2012 or
above.
A shielded VM provides the following benefits:
BitLocker-encrypted disks (utilizing its vTPM)
A hardened VM worker process (VMWP) that encrypts Live Migration/traffic in
addition to its runtime state file, saved state, checkpoints, and even Hyper-V
Replica files
No console access in addition to blocking PowerShell Direct, Guest File Copy
Integration Components, RemoteFX, and other services that provide possible
paths from a user or process with administrative privileges to the VMHow is this security possible? Any kind of security is only as good as its lock and key
and how they are guarded. For shielded VMs, a new Host Guardian Service (HGS)
instance is deployed in the environment, which will store the keys required for an
approved Hyper-V host that can prove their health to run shielded VMs.