Article Number: 000175495
Shielded VM is a security feature introduced by Microsoft in Windows Server 2016 that has received a number of enhancements in Windows Server 2019. This blog mainly aims to call out the improvements to the feature.
For the basic introduction to the feature and detailed steps for deployment, please refer to the following links:
The feature initially supported two attestation modes – Active Directory-based attestation and TPM-based attestation. TPM-based attestation provides stronger security protections because it uses the TPM as a hardware root of trust and supports measured boot and code integrity.
Key mode attestation is the new addition, supplanting AD-based attestation (which is still present, but deprecated from Windows Server 2019 onwards). The following link contains the information needed to set up the HGS (Host Guardian Service) node using key mode attestation.
Key mode attestation is preferred, or used, in scenarios where TPM hardware is unavailable. It is easier to configure but comes with a set of security risks, as it does not involve a hardware root of trust.
HGS Backup feature
Since the HGS cluster is a critical piece of the shielded VM solution, Microsoft has provided an enhancement that makes it easy to configure a fallback for the HGS URLs, so that even if the primary HGS server is unresponsive, the Hyper-V guarded hosts are still able to attest and launch the shielded VMs without any downtime. This requires two HGS servers to be set up, with the VMs independently attested against both servers during deployment. The following command enables attestation against both HGS clusters.
# Replace https://hgs.primary.com and https://hgs.backup.com with your own domain names and protocols
Set-HgsClientConfiguration -KeyProtectionServerUrl 'https://hgs.primary.com/KeyProtection' -AttestationServerUrl 'https://hgs.primary.com/Attestation' -FallbackKeyProtectionServerUrl 'https://hgs.backup.com/KeyProtection' -FallbackAttestationServerUrl 'https://hgs.backup.com/Attestation'
In order for the Hyper-V host to pass attestation with both the primary and fallback servers, you need to ensure that your attestation information (TPM identifiers, baselines and code integrity policies, or the host key, depending on the mode) is up to date on both HGS clusters.
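The following script is an added example, not part of the original article: it applies the primary and fallback HGS URLs from the command above and then reads the effective client configuration back to confirm the host is guarded and its attestation passed. The host names are placeholders; the property names read from Get-HgsClientConfiguration (IsHostGuarded, AttestationStatus, AttestationSubstatus, FallbackAttestationServerUrl) are assumed to match the Windows Server 2019 HgsClient module.

```powershell
# Added example: configure primary + fallback HGS on a guarded host and verify.
# Placeholders: replace with the FQDNs of your own HGS clusters.
param(
    [string]$PrimaryHgs  = 'https://hgs.primary.com',
    [string]$FallbackHgs = 'https://hgs.backup.com'
)

# Same configuration as the article's one-liner, parameterised.
Set-HgsClientConfiguration `
    -KeyProtectionServerUrl         "$PrimaryHgs/KeyProtection" `
    -AttestationServerUrl           "$PrimaryHgs/Attestation" `
    -FallbackKeyProtectionServerUrl "$FallbackHgs/KeyProtection" `
    -FallbackAttestationServerUrl   "$FallbackHgs/Attestation"

# Re-read the effective configuration instead of trusting that the Set call took effect.
$cfg = Get-HgsClientConfiguration
if ($cfg.AttestationServerUrl -ne "$PrimaryHgs/Attestation") {
    throw "Primary attestation URL was not applied: $($cfg.AttestationServerUrl)"
}
if ($cfg.FallbackAttestationServerUrl -ne "$FallbackHgs/Attestation") {
    throw "Fallback attestation URL was not applied: $($cfg.FallbackAttestationServerUrl)"
}

# A host whose attestation did not pass cannot start shielded VMs, so surface the
# substatus (e.g. an out-of-date TPM baseline or CI policy on one of the clusters).
if (-not $cfg.IsHostGuarded -or $cfg.AttestationStatus -ne 'Passed') {
    Write-Warning ("Host is not guarded: status={0} substatus={1}" -f `
        $cfg.AttestationStatus, $cfg.AttestationSubstatus)
    # Triggers a fresh attestation attempt and reports the result.
    Test-HgsClientConfiguration
} else {
    Write-Output "Host attested via $($cfg.AttestationServerUrl); fallback is $($cfg.FallbackAttestationServerUrl)"
}
```

Run it once per guarded host after registering that host's attestation data with both clusters; the check fails loudly if only one cluster knows the host.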
Offline mode
This is another special mode introduced by Microsoft, which allows shielded VMs to be turned on even when the HGS node is unreachable. To enable this mode for the VMs, we need to run the following command on the HGS node:
Once this is done, we need to restart all the virtual machines so that they receive a cacheable key protector.
Note: Any security configuration change on the local machine invalidates this offline mode. The VMs will need to attest with the HGS server again before offline mode can be re-enabled.
Linux Shielded VM
Microsoft has also extended support to VMs running Linux as the guest OS. For details on which OS flavors and versions can be used, please check the following link.
There are a few important guidelines to be followed when deploying shielded VMs:
All of the options from Windows Server 2016 and 2019 are supported on Dell PowerEdge 13G and 14G systems. For the most stringent security, TPM-based attestation with a TPM 2.0 is recommended.
21 Feb 2021