16 Jan (E) SAE Deep Dive Series Part 1: Hyper-V Host Guardian Service (HGS) and Shielded VMs in an EASE Environment
After the success of the first ESAE series, we decided to launch a deep dive series in which we go into a little more detail on various measures. This first part deals with the Hyper-V Host Guardian Service and how it can help in the (E)SAE context.
Use of virtualization in an EASE environment
Microsoft recommends the introduction of a tiering model, which divides assets into different layers (tiers) according to their protection needs, in order to be able to protect them adequately and effectively. As a rule, Tier 0 is the layer with the highest need for protection.
The model provides that each layer is managed by dedicated administrators. The higher the need for protection, the higher the requirements for administrators (e.g. certifications, job tenure , police clearance certificate, etc.). Therefore, the effort is to keep the number of administrators as small as possible, especially in Tier 0. Implicit rights or the possibility of privilege escalation must also be considered.
For example, a company uses the popular Microsoft System Center Configuration Manager (SCCM) platform to patch Windows servers. If the SCCM client is installed on the domain controllers, the administrators of the SCCM platform implicitly receive administrative access to the Active Directory forest (since the SCCM agent runs in the system context).
In a similar way, this also applies to other management platforms and, interesting for our article, to virtualization platforms such as Hyper-V or VMWare. A Hyper-V administrator can basically access the virtual machines (VMs) in his environment even if he does not have special permissions in the guest OS. For example to start and stop VMs or mount virtual hard disk files and thus copy away the SYSTEM Registry Hive and the Active Directory database ntds.dit and attack them offline. An example is the Get-ADDBAccount function from the PowerShell module DSInternals, which can extract password hashes from the database for use in pass-the-hash attacks.
A Hyper-V administrator has physical access, so to speak, to the VMs on his platform. This means that one of the unchangeable security laws is also valid:
Law #3: If a bad guy has unrestricted physical access to your computer, it’s not your computer anymore.
So, what can you do to virtualize Tier 0 systems without building a separate Tier 0 virtualization environment or treating the existing environment as Tier 0? The answer is Hyper-V Host Guardian Service (HGS).
Hyper-V Host Guardian Service and Shielded VM Overview
Since Windows Server 2016, Microsoft’s virtualization platform Hyper-V has offered the possibility of protecting a virtual machine from the operator of the virtualization infrastructure – also known as the fabric.
For detailed documentation and installation instructions, refer to the Windows Server documentation. In our article we will discuss the basic functionality and the added value within an (E) SAE project.
The architecture consists of the following main components:
Host Guardian Service
The HGS monitors the Hyper-V hosts and the shielded VMs hosted on them and
- ensures that only a trusted person can run Hyper-V Shielded VMs by checking the integrity of the Hyper-V host and
- provides a Key Protection Service that provides the keys to start the shielded VMs and perform live migration to other Hyper-V hosts.
The Host Guardian Service typically consists of a 3-node Windows Failover Cluster and a self-contained Active Directory. It can also be installed into the root domain of an existing forest. Both options are valid in our (E) SAE scenario.
The actual Hyper-V servers are referred to as Guarded Hosts if they are protected by an HGS.
One or more VMs. A Guarded Host can host different types of VMs:
- Normal VMs (analogue to older Hyper-V versions).
- Encryption-supported VMs:
- The fabric administrator can disable certain security features, such as Secure Boot.
- Shielded VMs:
- All security features are enabled, and the Fabric Administrator cannot disable them.
In our context, only shielded VMs are a valid option
The following diagram shows the architecture schematically:
Hyper-V Host Guardian Service und Shielded VM Details
Now that we know how HGS and Shielded VMs help us, we will go into more detail in this section on how the overall solution works.
The Host Guardian Service provides the following core components:
- The Attestation Service ensures that only trusted Hyper-V hosts can run shielded VMs. When starting a shielded VM, the Hyper-V host sends an attestation request to the HGS, which performs one or more checks depending on the configured attestation mode and, if successful, sends an attestation certificate back to the Hyper-V host.
- A TPM-trusted attestation checks the TPM identity, the startup sequence and the code integrity policies.
- Host key attestation checks whether the Hyper-V host has the correct certificate.
- AD attestation is no longer supported with Windows Server 2019.
- The Key Protection Service (KPS) provides the Hyper-V host with the keys necessary to start the shielded VM if the attestation process is successful.
So, in our scenario only the TPM-trusted attestation is useful.
The core security features of an HGS with shielded VMs are outlined below:
- The virtual disks of a shielded VM are encrypted with BitLocker. The keys of the shielded VM are handed out by the HGS when the shielded VM is started as part of the so-called attestation procedure and stored in the virtual TPM of the VM. This prevents the Hyper-V administrator from mounting the virtual disks of a VM. However, with administrative access to the HGS, it is possible to export the keys, import them on a standalone Hyper-V host, and thus the Shielded VM can be started there as well. The security of a shielded VM is therefore dependent on the security of the keys stored on the HGS and their protection.
- The Hyper-V administrator can change the VM configuration, such as CPU or RAM, but cannot start or stop a VM and cannot open a Console or PowerShell Direct session. (With Windows Server 1803 as a Hyper-V host, both features are enabled again to facilitate troubleshooting in the hoster scenario. They should be deactivated in the (E) SAE scenario in the guest OS).
- To enable the Hyper-V Admin to create new VMs, sensitive information such as trusted disk signatures, RDP certificates and the local administrator’s password is stored encrypted in a shielded data file (*. pdk).
- Optional templates for the deployment of shielded VMs are secured by signatures that are stored in a signature catalog and compared to a shielded VM during provisioning. Provisioning is only successful if the signatures match.
Summary and outlook
Finally, we will briefly summarize the benefits of the Host Guardian Service and Shielded VMs in an (E) SAE environment:
- The HGS solution with shielded VMs makes it possible to hand over the operation of the virtualization infrastructure to a tier 1 operations team or a provider and still enable secure operation.
- The contents of the virtual hard disks are encrypted and cannot be read by the fabric operator. Even if a virtual hard disk is stolen, it cannot be started or mounted on another system.
- The client can control which Hyper-V hosts are trustworthy and on which shielded VMs may be executed. The Shielded VM can only be started if the Key Protection Service has issued valid keys after successful attestation.
- If the virtualization infrastructure is compromised, shielded VMs and their data are still protected. A shielded VM will only run on a Hyper-V host if the attestation via the HGS was successful.
Since the HGS manages the keys and the security level of the overall solution depends on it, the consequence is that the HGS must be managed by the Tier 0 operations team.
Even though Hyper-V has been a reliable virtualization platform with many features for several versions, many of our customers use VMWare. In the next blog article in this series, we will show you how we have implemented the same requirements with VMWare.
In our January blog, we started an SAE deep dive series and explained how to use Hyper-V as a secure hypervisor in an (E)SAE scenario. Since by far not all our customers use Hyper-V, but many also use VMWare...15 June, 2020
(E) SAE Deep Dive Series Part 1: Hyper-V Host Guardian Service (HGS) and Shielded VMs in an EASE Environment
After the success of the first ESAE series, we decided to launch a deep dive series in which we go into a little more detail on various measures....16 January, 2020
After Hyper-V HGS and VM protection with VMWare, now the third part of our (E) SAE Deep Dive Series follows. Maybe you follow us on LinkedIn, Xing, Facebook, Instagram or Twitter and ...15 July, 2020