Microsoft's Shielded VMs Designed To Add Security Against Rogue Admins

Microsoft this week talked more about its Shielded Virtual Machines datacenter security technology.

The idea behind Shielded VMs is to protect workloads in public and private datacenters from "malicious administrators." It's an attestation scheme that gives greater control to tenant administrators.

Shielded VMs can be enabled for Windows Server 2016 tenants, as well as those using Windows Server 2012 or Windows Server 2012 R2. Right now, it only works with Gen-2 VMs. It's possible to convert existing Gen-2 VMs to Shielded VMs.

It turns out that a VM "is just a file," and it can be run on any other system if it gets copied out of an organization, according to Microsoft's TechNet "Overview" article. A VM can be copied by any administrator that has access to the tenant, such as a storage admin or a backup admin. Microsoft's Shielded VM scheme uses BitLocker encryption to block access to the VM file to all but the tenant administrator.

A rogue administrator could copy a VM onto a memory stick and later try to break it, this Microsoft Mechanics video explained. It might take four or five days to extract the information using hacking tools, said Dean Wells, a principal program manager lead for Windows Server and Services, in the video.

To prevent such security breaches, a Shielded VM can be created using the Windows Azure Pack, a collection of datacenter tools that Microsoft first released for Windows Server 2012 R2. The option to create a Shielded VM shows up in the Azure Pack UI with a shield icon on it.

Shielded VMs are based on Microsoft's Guarded Fabric technology, which "enforces strong isolation boundaries between the host and its own VM," Wells explained, which means that the host can't get at the VM's data.

The Guarded Fabric has four component parts, according to Wells. Its Code Integrity component measures code integrity policies on the machine and everything loaded at boot to ensure they are healthy. It has a Virtual Security Mode that cordons off memory so that admins can't get to it. The Virtual Security Mode has so-called "trustlets" that keep the key encrypted and away from malicious admins. The third component is Trusted Platform Module V2. It's a virtual Trusted Platform Module that enables secure measured boot, but it's not related to the physical TPM on the Hyper-V host. The last component of the Guarded Fabric is the Host Guardian Service, which runs on a cluster and adds security-key protection and attestation services (see figure).

Figure: Host Guardian Service component. Source: Microsoft TechNet article.
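The practical question raised by the four components above is how an operator confirms that a given Hyper-V host is actually attested by the Host Guardian Service and which VMs on it are still the unprotected "just a file" kind. The following PowerShell is an added example, not code from the article or from Microsoft; it assumes a Windows Server 2016 Hyper-V host with the HgsClient and Hyper-V modules, and that Get-HgsClientConfiguration and Get-VMSecurity expose the properties named in the comments.

```powershell
# Added example (not from the article or from Microsoft): defender-side inventory checks
# for a Windows Server 2016 Hyper-V host in a guarded fabric.
# Assumptions: HgsClient and Hyper-V modules are installed on the host, and the cmdlets
# expose the properties referenced below.

# 1. Is this host attested by a Host Guardian Service?
#    (assumed properties: IsHostGuarded, AttestationOperationMode, AttestationStatus,
#    AttestationServerUrl, KeyProtectionServerUrl)
$hgs = Get-HgsClientConfiguration
[pscustomobject]@{
    IsHostGuarded            = $hgs.IsHostGuarded            # $false means keys will never be released here
    AttestationOperationMode = $hgs.AttestationOperationMode # Tpm (hardware-trusted) or the admin-trusted mode
    AttestationStatus        = $hgs.AttestationStatus        # e.g. Passed; anything else blocks shielded VMs
    AttestationServerUrl     = $hgs.AttestationServerUrl
    KeyProtectionServerUrl   = $hgs.KeyProtectionServerUrl
} | Format-List

# 2. Which VMs are Gen-2 (so they could be shielded) but are not?
#    Gen-1 VMs cannot be shielded at all, so they are reported separately.
$report = Get-VM | ForEach-Object {
    $sec = Get-VMSecurity -VM $_    # assumed properties: Shielded, TpmEnabled
    [pscustomobject]@{
        Name       = $_.Name
        Generation = $_.Generation
        Shielded   = $sec.Shielded
        vTPM       = $sec.TpmEnabled
    }
}

"Gen-2 VMs that are NOT shielded (candidates for conversion):"
$report | Where-Object { $_.Generation -eq 2 -and -not $_.Shielded } | Format-Table -AutoSize

"Gen-1 VMs (cannot be shielded without a Gen-2 rebuild):"
$report | Where-Object { $_.Generation -eq 1 } | Format-Table -AutoSize
```

Run it as a local administrator on each Hyper-V host; a host that reports IsHostGuarded as false, or any attestation status other than passed, will not receive keys from the Host Guardian Service, so shielded VMs placed on it will fail to start rather than run unprotected.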

Surprisingly, Shielded VMs are a bit more advanced on the Windows Server side right now. Microsoft Azure doesn't support them yet, Wells said.

It's possible to test the Shielded VM technology with Windows Server 2016 Technical Preview 4, which was released in November. Microsoft is targeting commercial release of Windows Server 2016 in Q3 of this year.

About the Author

Kurt Mackie is senior news producer for the 1105 Enterprise Computing Group.
