Protecting virtual Domain Controllers on vSphere with Virtualization-based Security

Virtualizing Domain Controllers

VMware vSphere 6.7 offers the ability to enable virtualization-based security (VBS) for virtual machines. Let’s find out what kind of protection this setting provides, what’s needed to get it going and how to configure a virtual Domain Controller to use it.

 

About Virtualization-based Security

Virtualization-based Security (VBS) uses virtualization features to create and isolate a secure region of memory from the normal Operating System. Windows Server can use this "virtual secure mode" to host a number of security solutions, providing them with greatly increased protection from vulnerabilities in the operating system, and preventing the use of malicious exploits which attempt to defeat protections.

 

Benefits of using Virtualization-based Security

Virtualization-based Security (VBS) uses the Windows hypervisor to create this virtual secure mode, and to enforce restrictions which protect vital system and Operating System resources, or to protect security assets such as authenticated user credentials.

With the increased protections offered by Virtualization-based Security, even if malware gains access to the Operating System’s kernel, the possible exploits can be greatly limited and contained because the hypervisor can prevent the malware from executing code or accessing platform secrets.

For Active Directory Domain Controllers, specifically, Virtualization-based Security offers:

Secure Boot

The Secure Boot feature in Windows Server 2016, and up, is designed to protect the virtual machine from malicious boot loaders. In traditional Basic Input/Output System (BIOS)-based systems, a rootkit may replace the Windows boot loader, remaining invisible and undetectable on the Domain Controller.

With Secure Boot, a virtual machine no longer boots with BIOS, but with Unified Extensible Firmware Interface (UEFI). UEFI checks the signature of the boot loader before launching, detecting any malware impersonating, replacing or tampering with the Windows boot loader.

Direct Memory Access (DMA) Protection

Direct Memory Access (DMA) attacks try to grab the memory of a running Operating System to gain access to BitLocker keys and other information from the memory. In vSphere, you can take advantage of an Input/Output Memory Management Unit (IOMMU) to connect a DMA-capable I/O bus to the main memory.

With IOMMU, memory of Windows Server 2016 installations, and  up, is protected from malicious devices that are attempting DMA attacks and faulty devices that are attempting errant memory transfers because a device cannot read or write to memory that has not been explicitly allocated (mapped or re-mapped) for it.

Hypervisor-enforced Code Integrity (HVCI)

Kernel-mode Code Integrity enforces kernel-mode memory protections by protecting the Code Integrity validation path with Virtualization-based Security. All drivers in the virtual machine must be compatible with virtualization-based protection of code integrity; otherwise, the virtual machine fails.

Code Integrity (CI) Policies

Historically, most malware has been unsigned. Simply by deploying code integrity policies, organizations can get immediately protection against unsigned malware. By using Code Integrity policies, an enterprise can also select exactly which binaries can run in both user mode and kernel mode. When completely enforced, it will only load specific applications or software with specific signatures.

Note:
Code Integrity policies are independent of Hypervisor-enforced Code Integrity (HVCI). However, when using CI policies without HVCI, the enforcement will not be as strong as when using CI Policies with HVCI.

Note:
Windows Server 2019 expands on the CI policies feature in Windows Server 2016 by offering built-in CI policies for robust yet quick deployment of Code Integrity.

 

Other features like Application Guard, Credential Guard and Windows Sandbox, operating in their separate memory spaces are features targeted towards Windows-based devices and are not applicable to Domain Controllers. Well… when you adhere to the rule of thumb not to browse the Internet and install all kinds of software on your Domain Controllers, that is.

Note:
Do not configure Credential Guard on Domain Controllers.

 

Getting Ready

For Virtualization-based Security (VBS) you’ll need to meet the following requirements:

  • At least one ESXi host running VMware vSphere 6.7, or up, managed by vSphere
  • At least one virtual machine running hardware version 14 (Compatible only with ESXi 6.7 and later), or up, configured with Virtualization Based Security. and installed with Windows Server 2016, or a later version of Windows Server in this virtualization state.

Note:
The Virtualization Base Security option enables CPU virtualization extensions, IOMMU, EFI firmware and Secure Boot.

 

Configuring Virtualization-based Security

Configuring Virtualization-based Security consists of three steps:

  1. Configure the right virtual machine settings on vSphere 6.7
  2. Configure the right security settings in the virtual Domain Controller
  3. Install the Hyper-V feature on the virtual Domain Controller

Configure the right virtual machine settings

First, we need to create a virtual Domain Controller that meets the requirements.

ESXi 6.7

When creating a new virtual machine for a Domain Controller, on the 2 Select a name and guest OS page of the New virtual machine wizard, make sure as a Compatibility level you pick ESXi 6.7 virtual machine (or up), resulting in hardware version 14. Pick Microsoft Windows Server 2016 or later (64-bit) as the Gues OS version. Then, make sure you select the option Enable Windows Virtualization Based Security:

Enable Virtualization Based Security on the Select a name and guest OS page when creating a virtual machine in ESXi 6.7 (click for original screenshot)

vSphere 6.7

In the vSphere Web Client, when creating a new virtual machine, take care of the following settings:

  • On the Select compatibility page of the New Virtual Machine wizard, select ESXi 6.7 and later. The accompanying text below this settings will then indicate that This virtual machine uses hardware version 14, which provides the best performance and latest features available in ESXi 6.7.
  • On the Select a guest OS page of the New Virtual Machine wizard, specify Microsoft Windows Server 2016 or later (64-bit) as the Guest OS Version and select the option Enable Windows Virtualization Based Security:

Enable Virtualization Based Security on the Select a guest OS page when creating a virtual machine in vSphere Web Client 6.7 (click for original screenshot)

 

Configure the right security settings in the virtual Domain Controller

After installing Windows Server 2016, or up, on the new virtual Domain Controller and configuring it as a Domain Controller for (one of) your Active Directory domain(s), perform the following actions in the virtual machine or on any other domain-joined machine that has the Group Policy Management Console feature installed:

  • Sign in with an account that has sufficient permissions in Active Directory to create Group Policy objects and link them to the Domain Controllers Organizational Unit (OU). Typically, a member of the Domain Admins group has these permissions.
  • Open the Group Policy Managment console, by either:
    • Picking it from the Tools menu in Server Manager.
    • Selecting it in the Start Menu from the Windows Administrative Tools folder.
    • Clicking the Start button and typing gpmc.msc followed by a press of the Enter button on the keyboard.
    • right-clicking the Start button and typing gpmc.msc followed by a click on the OK button.
  • The Group Policy Management window appears.
  • In the left navigation pane, expand the forest node, then the Domains node, than your domain. Select the Domain Controllers Organizational Unit (OU).
  • Right-click Domain Controllers and select the Create a GPO in this domain, and Link it here… menu option.
    The New GPO pop-up window appears.
  • In the New GPO pop-up window, type a name for the Group Policy object.
  • Click the OK button.
  • In the left navigation pane, expand the Domain Controllers OU and select the newly created Group Policy object.
  • Dismiss the Group Policy Management Console pop-up telling you that You have selected a link to a Group Policy Object (GPO). Except for changes to link properties, changes you make here are global to the GPO, and will impact all other locations where this GPO is linked. by clicking the OK button, if it pops up.
  • Right-click the Group Policy object and select Edit… from the context menu.
    The Group Policy Management Editor window appears.
  • In the left navigation pane of the Group Policy Management Editor window, expand the Computer Configuration node, then the Policies node, the Administrative Templates node, the System, and finally the Device Guard node.

The Device Guard settings in Group Policy Management (click for original screenshot)

  • In the main pane, double-click the Turn on Virtualization Based Security group policy setting.
    The Turn on Virtalization Based Security window appears
  • In the top part of the Group Policy setting, select the Enabled option.
  • At the left Options: pane, select the following options:
    • For Virtualization Based Protection of Code Integrity:, select Enabled without lock from the drop-down list. As we are configuring Virtualization-based Security through Group Policy, we’d want Group Policy to be able to remove the settings remotely as well, if need be.
    • Enable the Require UEFI Memory Attributes Table option.
    • For Secure Launch Configuration:, select Enabled from the drop-down list.
  • Click the OK button at the bottom of the Turn on Virtualization Based Security window to save the Group Policy settings and close the Turn on Virtualization Based Security window:

Turn on Virtualization Based Security Group Policy Settings (click for original screenshot)

  • Close the Group Policy Management Editor window.
  • In the left navigation pane of the Group Policy Management window, right-click the Domain Controllers OU. Select Group Policy Update… from the context menu.
    The Force Group Policy update window appears.
  • Click the Yes button to answer the question Are you sure you want to update policy for these computers?
    The Remote Group Policy update results window appears.
  • Click the Close button to close the window.
  • Close the Group Policy Management window.

 

 

Install the Hyper-V feature on the virtual Domain Controller

If you’ve managed the Group Policy settings from another machine than the virtualized Domain Controller running Windows Server 2016, or up, sign into the Domain Controller with an Active Directory account that has administrative privileges on the Domain Controller.

Run the following lines of Windows PowerShell in an elevated PowerShell window on each Domain Controller that you want enabled with Virtualization-based Security:

Install-WindowsFeature Hyper-V

Restart-Computer

  

Concluding

Virtualization-based Security offers benefits for virtualized Domain Controllers running Windows Server 2016, and up. It uses nested virtualization, where Microsoft Hyper-V offers the secure memory regions and vSphere offers the virtualization platform as it would do for any virtual machine.

Further reading

Virtualization-based Security (VBS)
Introducing support for Virtualization Based Security in vSphere 6.7
Overview of Device Guard in Windows Server 2016
Enabling Windows 10 Virtualization Based Security with vSphere 6.7

Series Navigation

<< Domain Controller Cloning on VMware vSphereProtecting virtual Domain Controllers on vSphere with VM Encryption >>

leave your comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.