Windows Server 2019 upgrades enable greater scalability and more reliable recovery from outages for Shielded Virtual Machines.
With Windows Server 2019, Microsoft is adding resiliency and redundancy enhancements to the Shielded Virtual Machines security controls it introduced with Windows Server 2016.
Shielded VMs originally provided a way to protect virtual machine assets by isolating them from the hypervisor infrastructure and could also help prove to auditors that systems were adequately isolated and controlled. Now Shielded VM enhancements in Window Server 2019 provide real-time failback configurations and host- and policy-based security improvements.
Host key attestation
Under Windows Server 2016, key authentication was based on trusted platform module (TPM) cryptoprocessors and Microsoft Active Directory authentication. Both of these are great solutions but were limited when it comes to extensibility and redundancy.
Host key attestation that’s been added to Windows Server 2019 provides a certificate-based solution that allows organizations to store keys using standard certificate-storage mechanisms. Organizations that want to isolate Shielded VMs to TPM-based systems can continue with TPM-based attestation.
No longer limited by the extent of an Active Directory or TPM-based environment, host key attestation has opened up new scenarios for Shielded VMs. These include scaling up Shielded VMs as well as improving the redundancy of Shielded VMs.
Failback Configuration
Host guardian service (HGS) in Windows Server 2016 was introduced to configure guarded hosts and Shielded VMs, and provides attestation and key protection needed to run Shielded VMs. When HGS is inaccessible, and a Shielded VM system needs to boot, failback configuration in Windows Server 2019 provides an additional layer for HGS redundancy. The Shielded VM environment can be configured to have a primary and a secondary HGS server so that if the primary is down, the Shielded VM reaches out to the secondary HGS server to authenticate the boot process.
This can address remote/branch office scenarios in which a significant outage causes servers to shut down, and upon reboot the local HGS server is not online yet or possibly in a critical failed state, yet the remote office needs to get its systems booted up and running.
With failback configuration, when branch office systems try to authenticate to the local HGS server and fail, the systems will reach across the WAN to the main data-center HGS servers for authentication so the boot can proceed. This resiliency is an optional configuration.
Improved tools and policies for Shielded VMs
Shielded VM in Windows Server 2019 includes a number of improvements in the tools and policies available. Among them:
- VMConnect and PS Direct: Shielded VMs in Windows Server 2016 blocked Shielded VM access from the host system console (using VMConnect) or remote access from the console to the Shielded VMs (using PS Direct). While the intent of this protection was to prevent rogue host administrators from accessing the Shielded VMs, at times host administrators do need to work with the Shielded VM system and application owners, such as when networking or communication controls between the Shielded VM and the host infrastructure need to be reviewed. Windows Server 2019 brings back the ability for Shielded VM to be accessible via VMConnect and PS Direct to enable external access to components of the Shielded VM that might be necessary in problem solving and debugging.
- Shielded VM PowerShell Cmdlets: Microsoft is releasing a Guarded Fabric Tools module that works with Windows Server 2019 and Windows Server 2016. It introduces new cmdlets like New-ShieldedVM and New-ShieldingDataAnswerFile that enable PowerShell controls for Shielded VM deployment. As organizations are leveraging PowerShell to create standard deployment templates, these new cmdlets go a long way toward providing consistency in the creation of Shielded VMs in the enterprise
- Code Integrity Policy: Enhancement to Microsoft’s Device Guard, starting with Windows Server, version 1709 (the September 2017 update to Windows Server 2016), Microsoft provides example policies that help organizations assess and ultimately lock down systems with a policy looking for “known valid” code. This ensures that malware doesn’t slip into a system and run on a system without having the system recognize and send an alert of non-standard, non-supported or unidentified code. The code integrity policy will help organizations running Shielded VM protected systems assess their security risks from the inside-out.
This article originally appeared on NetworkWorld.