At the time of this post, most of you are running 2012-era PI Systems. However, there has been a recent uptick in upgrade requests and general upgrade planning discussions with our customer support teams. In short, many upgrades are forecast in the coming months.
Whether your upgrade is driven by platform lifecycle strategy or other business needs, it’s likely that virtualization will play a key role in a successful push to production. So with upgrade plans in the making, what better time to refresh on Hyper-V security tips?
Even if you use a different virtualization technology there are common security themes. Security plans should include the host, guests, networks and storage. The most effective practices intertwine with administrative roles and techniques.
The associated reference on Microsoft TechNet is “Security guide for Hyper-V in Windows Server 2012”. Consider the best practices checklist in planning your upgrade. For instance, Server Core should be considered. Sound familiar? Core is the same approach we intend for PI System server roles. Likewise, baseline settings from the Microsoft Security Compliance Manager tool are recommended for hardening the Windows operating system.
If Microsoft’s guide whets your appetite, "Hyper-V Security" by Eric Siron and Andy Syrewicze dives a bit deeper, with a balance between the ‘what’ and ‘how’ of security practices. For instance, Chapter 2 “Securing the Host” addresses challenging planning topics such as using Server Core, Active Directory membership, anti-virus, patching regimens, and remote management strategies. The style tends to be pro and con so you can make informed choices.
Hyper-V Security is more of a hands-on guide: its pages show detailed step-by-step wizards, system utilities, and PowerShell scripts. Essential coverage also includes best practices using Security Compliance Manager, Microsoft Baseline Security Analyzer, Windows Advanced Firewall, and Virtual Networking. You’ll even find comprehensive advice on setting up certificates to secure PowerShell remoting endpoints.
With that favorable endorsement, I should mention AppLocker seems missing from discussion topics – I suspect because 2012 R2 was just releasing at the time Hyper-V Security was published. I also skipped chapters 7 and 8, which cover SCCM and Hybrid Cloud scenarios.
In closing, many of you are planning PI System and underlying platform upgrades this year. I hope the references above prove to be useful, not only for planning activities but also in harnessing latent capability that may otherwise be overlooked. More and more security is built into modern software. As folks on PI Square know very well, sometimes a little configuration and knowledge is all that's needed.