It’s important to consider the security of your Hyper-V hosts as you prepare your host deployment plan. To begin with, you should apply the same principles, processes, and practices for securing Hyper-V hosts that you would apply to any other Windows Server components within your environment. In addition to adhering to such best practices, you should also do the following:
Deploy the Server Core installation option on your Hyper-V hosts instead of the Server With A GUI installation option. Server Core is now the default installation option when installing Windows Server 2012 because of its smaller attack surface and reduced servicing footprint. If needed, you can still use the Hyper-V Manager snap-in to manage Server Core hosts as long as you do so from either a server that has the Server With A GUI installation option installed or from a client machine that has the Remote Server Administration Tools (RSAT) for Windows 8 installed.
Do not install any additional server roles on your hosts other than the Hyper-V role. Your Hyper-V hosts should be dedicated servers whose only function is to host the virtualized workloads that run on them. Installing additional roles on hosts not only uses additional server resources (processor, memory, disk, and network), but it can also increase the server’s attack surface and maintenance (updating) requirements. The exception to this is the File And Storage Services role because the role services for this role can be used for configuring storage pools for virtual machine storage. For more information on the File And Storage Services role, see the next chapter.
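Both recommendations can be checked from a management machine with the ServerManager module's Get-WindowsFeature cmdlet. The following audit function is an added example, not code from the book; the function name Test-HyperVHostBaseline and the host names in the usage comment are hypothetical, and it assumes Windows Server 2012 hosts, where the GUI is delivered as the Server-Gui-Mgmt-Infra and Server-Gui-Shell features.

```powershell
# Added example: audit Hyper-V hosts against the two recommendations above.
# Assumes Windows Server 2012 and rights to query each host remotely.
function Test-HyperVHostBaseline {
    param(
        [string[]]$ComputerName = $env:COMPUTERNAME,
        # Roles the tip permits on a dedicated Hyper-V host.
        [string[]]$AllowedRoles = @('Hyper-V', 'FileAndStorage-Services')
    )

    foreach ($computer in $ComputerName) {
        $features = Get-WindowsFeature -ComputerName $computer

        # A Server Core installation has neither GUI feature installed.
        $gui = @($features | Where-Object {
            $_.Installed -and $_.Name -in 'Server-Gui-Mgmt-Infra', 'Server-Gui-Shell'
        })

        # Top-level roles only; role services and features are not counted here.
        $roles = @($features | Where-Object {
            $_.Installed -and $_.FeatureType -eq 'Role'
        })
        $extra = @($roles | Where-Object { $_.Name -notin $AllowedRoles })

        [pscustomobject]@{
            ComputerName    = $computer
            HyperVInstalled = [bool]($roles | Where-Object { $_.Name -eq 'Hyper-V' })
            ServerCore      = ($gui.Count -eq 0)
            GuiFeatures     = @($gui | Select-Object -ExpandProperty Name)
            ExtraRoles      = @($extra | Select-Object -ExpandProperty Name)
            Compliant       = ($gui.Count -eq 0) -and ($extra.Count -eq 0)
        }
    }
}

# Usage (HV01 and HV02 are placeholder host names):
# Test-HyperVHostBaseline -ComputerName 'HV01', 'HV02' | Format-Table -AutoSize
```

A host with Compliant set to False lists the reason in GuiFeatures or ExtraRoles, which makes the output usable as a recurring drift check across all hosts.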
Mitch Tulloch is a nine-time recipient of the Microsoft Most Valuable Professional (MVP) award and a widely recognized expert on Windows administration, deployment and virtualization. For more information see http://www.mtit.com. This tip was excerpted from his latest book Training Guide: Installing and Configuring Windows Server 2012 from Microsoft Press.