Securing Hyper-V | by Neil MacDonald | March 2, 2009
Last week, Microsoft released its beta guidelines for securing Hyper-V. Prescriptive guidance is an important first step for securely deploying any virtualization solution. As many of you know, Hyper-V is based on a virtual machine monitor that runs in a “parent” partition based on Windows Server 2008’s Server Core. Although Microsoft’s hypervisor itself is thin, the parent partition running in Server Core in a Hyper-V deployment is not. As I discussed previously here and here, the virtualization layer will be a target for attack, so hardening guidelines (especially on a footprint as large as Windows Server 2008 Core) are a welcome first step.
To close the gap with VMware, more information and tools are needed. Ideally, configuration guidelines for securing Hyper-V would be available from other independent sources such as the Center for Internet Security and the National Institute of Standards and Technology. For Gartner clients, we have provided a comprehensive overview of security considerations and best practices for securing virtual machines, which was written to cover all virtualization platforms.
Also, we need third-party configuration management tool vendors such as Configuresoft and Tripwire to automatically assess the configuration of Hyper-V deployments as they do today for VMware environments. Security and management tools to support Hyper-V deployments will come, but at this point they lag far behind those available for VMware. Microsoft’s hardening guidelines are a welcome first step – but they are only a step.