Q&A from the Windows Server 2016 Preview JumpStart – Part I – Virtualization Security

As mentioned in my previous post, back on August 18th and 19th, myself and Corey Hynes delivered a 2-day, live, Windows Server 2016 Preview Jumpstart. For the thousands of you that attended, thank you, it was a lot of fun, and I hope you learned a lot! There are certainly a lot of new features and capabilities coming in the next release of Windows Server! Some of them are incremental improvements, however there are many areas that are completely new to the Microsoft platform, such as Containers and Nano Server. Naturally, there were a large number of questions during the event, in fact, the number was so large, the team couldn’t answer them all in time, so, over the next few blog posts, I’ll be trying my best to answer your questions that were raised during the event.

In this first Q&A post, I’m going to focus on the large number of Security questions that were posed as part of the virtualization module.  The security capabilities that have been introduced in Windows Server 2016 Hyper-V, are incredibly powerful, but they are also a little complex.  I’d first urge you to watch the on-demand course, to help familiarize yourself with the concepts. If you’re short on time, skip along to the second module, Server Virtualization, around the 8:55 mark, as that’s where we start the security discussion.

Virtualization Security

In this section, we focused heavily on a new set of capabilities within Windows Server 2016 that help to protect the virtualized infrastructure. These capabilities introduced a number of new terms:

  • Virtual Secure Mode – hardware rooted technologies to separate the guest OS from host administrators
  • Host Guardian Service – enables a guarded fabric to identify legitimate hosts and certify them to run Shielded tenant virtual machines
  • Shielded VM – contains a virtual trusted platform module (vTPM) which enables encryption technologies within the VM.

Before we dive into the questions, some extra context will be useful, I’m sure, to connect how those 3 items come together to form a solution.

The virtualization landscape shift has a profound effect on security as it introduces a new trust boundary between the tenant and the datacenter admin/service provider (hoster). To put it plainly, if a datacenter administrator account is compromised, then all the virtual machines (Workloads) running in that datacenter are accessible to the attacker who is then able to both access  sensitive information and inject malicious executables. This is true for anyone that has administrator access to the storage, network, backup and physical machines on the fabric as well as the fabric managers.

To protect the workload from fabric attacks, we have introduced something we call a “trust plane”. This is analogous to the management plane that is used to manage the workloads and the fabric. The trust plane is separate, it is isolated from the fabric and the management plane, and administrators do not have access to the trust plane.

At the heart of the trust plane is a new technology called: “Virtual Secure Mode” (VSM): we use the hypervisor and the hardware to create a space that is entirely separate from the rest of the system. Inside VSM there are only specific binaries and information that are not accessible or controlled by the administrator. No software can be introduced, nobody can get admin privileges and it is not connected to the network. In VSM, we can execute and store security critical operations like secure key management and protecting the integrity of the system.

With this Trust Plane, we can now use cryptographic technology to protect virtual machines and their data files and databases. In Windows Server 2016 we are introducing “Shielded Virtual Machines” (Shielded VM) to achieve isolation between the fabric/host and the Virtual Machine. This capability will be available for on-premises private clouds and service providers (hosters).

While Shielded VMs look just like any other Virtual Machine to the fabric management tools, they are:

  • Encrypted (using BitLocker) on storage and on the wire
  • Can only be executed on hosts that are appropriately configured (verified by remote attestation – the Host Guardian Service)
  • Not accessible to fabric, storage, network administrators and are hardened (based on configuration) against malicious host administrator access.

This allows you to achieve a high level of assurance for all the workloads that you’re virtualizing and in addition, enable you to virtualize sensitive workloads such as domain controllers, which were traditionally kept on physical machines. It’s a simple concept, but we also took a lot of care to make sure we have a practical solution that does not require a re-architecture of the fabric; so we also made Shielded VMs integrate well with the current operational model of the entire lifecycle of a VM: Shielded VMs can be paused and stored and restarted and migrated.

For greater depth on the new VM Security, make sure you check out the ‘Harden the Fabric’ session from Microsoft Ignite.

Can we please discuss Virtual TPM?

The virtual TPM, or vTPM, is just one part of the overall virtual infrastructure security picture. In Windows Server Technical Preview Hyper-V, you can enable a virtual TPM 2.0 device to guest VMs. This gives you the ability to encrypt the VM. The vTPM does not require a physical TPM on the Hyper-V host.

Is TPM 1.2 supported for Shielded VMs? All of our servers have 1.2 and not 2.0.

Shielded VMs don’t require a physical TPM. In addition, the Host Guardian Service can operate in an Admin-Trusted mode, integrated with Active Directory, rather than requiring hardware-trusted attestation, thus, your servers with TPM 1.2 will be fine.

Can we expect new TPM 2.0 modules to be made available in the near future?

Yes. At this stage however, support for the TPM 2.0 standard is not fully implemented—hardware incompatibilities between vendors are expected. Depending upon your hardware, it may not be possible to successfully configure TPM-based attestation, but work with your preferred hardware vendor to understand if and when they will provide TPM 2.0 capable servers.

Does the Virtual Secure Mode require any specific hardware?

Yes, but most modern systems should meet the requirements. These include support for hardware virtualization (Intel-VT-x, AMD-V), SLAT, and I/O MMU virtualization (Intel VT-d, AMD-Vi).

To enable BitLocker inside a Shielded VM, should it be password or TPM-based?

Hyper-V provides a virtual TPM, vTPM, inside the guest OS, thus you are able to use the more secure TPM-based BitLocker protection.

One concern about encrypted VM’s is the effect on deduplication. Would this level of protection affect deduplication capabilities?

Yes, it would. Deduplication would not be effective when trying to optimize a volume containing multiple encrypted images. That said, today, we, Microsoft, don’t support deduplication for running virtual machines. Deduplication on volumes that contain stored virtual machines, such as those in your System Center Virtual Machine Manager library, would be supported for deduplication, assuming you were not using encryption.

Will you get the ‘BitLocker Recovery Key’ question if you try to boot a Shielded VM on an unknown fabric?

No, Hyper-V would fail to boot the VM with an appropriate error code.

What would happen if I tried to take the disk from a Shielded VM, to another Hyper-V host, attach to a new VM and boot it?

On this occasion, you would receive the ‘BitLocker Recovery Key’ prompt. Regardless of whether the VM was being run on a host in a trusted fabric, or not, the ‘new’ VM would come up without a vTPM (or with a vTPM that doesn’t contain the appropriate key) and BitLocker will fail to find the key, thus prompt the user.  Normal BitLocker operations apply here.

When using a Shielded VM in Hyper-V, is it still possible to migrate it to a VMware host in my environment? How does this work in multi-vendor environments? I assume that my Shielded VM won’t boot on VMware?

Hyper-V VMs, regardless of whether they are Shielded or not, will not boot on VMware vSphere. They would need to be converted, offline, using tools that VMware provides. Shielded VMs however, will not be able to be converted by VMware’s tools, due to the encryption in place. In multi-vendor environments, Hyper-V VMs will run on the Hyper-V platform, whilst vSphere VMs will run on the VMware platform. Centralized management can be achieved through tools such as System Center Virtual Machine Manager.

Is there any way we can verify Host Guardian Service itself isn’t compromised?

This is a very generic question so let me answer a more specific question – When using an HSM with the Host Guardian Service – if a bad actor takes over the Host Guardian Service, they might be able to glean the keys that unlock the virtual TPM of a specific VM – however:

  • The bad actor does not have access to the VM itself (so they need to both attack the HGS and the fabric)
  • The bad actor will only see keys for vTPM for VMs that are being invoked

Remember, the Host Guardian Service runs on a separate AD domain, and uses its own dedicated Active Directory forest. Access to this isolated environment is very restrictive and granted to only very few trusted administrators. It is important to note that the Fabrikam.com administrators (in the fabric infrastructure) do not have any access to the HGS infrastructure. This creates a trust boundary between the fabric infrastructure and the HGS environment. That, combined with general Windows Server hardening, utilizing firewall, anti-virus etc, can help to ensure the HGS stays secure.

With Linux Secure Boot, are there plans to support CentOS, or Red Hat?

Today, the supported Linux operating systems are Ubuntu 14.04 and later, along with SUSE Linux Enterprise Server 12. Microsoft works closely with the Linux community to provide optimized drivers for Linux operating systems, running on Hyper-V.  The collection of drivers that are required to run Hyper-V-specific devices are known as Linux Integration Services (LIS). LIS have been added to the Linux kernel and continues to be updated for new releases. This means, as new distributions are developed from the core kernel, the Linux vendor, or community, can choose to enable functionality such as Secure Boot, so, going forward, we would expect to see additional distributions support the additional key security features.

What about general Linux support – which Linux guest operating systems are supported on Hyper-V?

We’re yet to publish a list that provides guidance for supported guest operating systems on Windows Server 2016, however you can refer to TechNet, which details the supported Linux distributions running on Windows Server 2012 R2 Hyper-V.

That’s all for the virtualization security questions – my recommendations to you would be as follows.

  1. If you haven’t already, watch the on-demand course, specifically the server virtualization module!
  2. Watch the Microsoft Ignite session on ‘Harden the Fabric’, which will go into even greater depth on the technologies
  3. Try it out, using the Shielded VMs and Guarded Fabric Validation Guide for Windows Server 2016

That’s all for now – Thanks to Nir Ben Zvi for his help on some of these questions! Stay tuned for more answers coming soon!


Say what?