How to use shielded (protected) virtual machines on Windows Server 2019?

In this instalment of the Windows Server 2019 tutorials we look at a few more virtualization topics: shielded virtual machines, guarded hosts, and the stand-alone Hyper-V Server 2019 product.

Hyper-V Console, Remote Desktop Protocol (RDP) and PowerShell

The hardware settings of a virtual machine have to be configured through Hyper-V Manager, but your day-to-day interaction with those virtual machines is the same as with servers running on physical hardware; you do not need to go to the Hyper-V host for it.

However, Hyper-V Manager also offers a Connect option, which opens the Hyper-V console of the virtual machine.

This option gives you quick and direct access to the server's console. It is useful when you need to see something outside the Windows operating system running in the virtual machine, such as the firmware (BIOS/UEFI) settings or the boot process; in that case you need this level of console access.

When you deploy Windows Server 2019 as a virtual machine, you interact with it exactly as you would with a physical server on the network, typically over the Remote Desktop Protocol (RDP).

If the server is installed in the virtual machine (in this example my virtual server is called WEB3 and I have enabled Remote Desktop on it), there is no reason not to open MSTSC and connect to the virtual server from your desktop.

The same applies to PowerShell or any other traditional remote-management method. Since the virtual machine is fully online and the server operating system is installed, I can use PowerShell Remoting from another server or PC to make changes to my virtual server (WEB3).

Once the virtual hardware is prepared and the operating system is installed in the virtual machine, you rarely need to open the Hyper-V console to interact with the server.

The main reasons to open Hyper-V Manager and access a virtual machine are hardware-level changes to the server, such as adding a hard disk, adjusting the memory, or moving the network connection from one virtual switch to another.
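The same split between guest administration and host-side hardware changes can be done entirely from a management workstation. The following is an added example, not code from the original tutorial; it assumes a Hyper-V host reachable as HV1 (placeholder), a VM named WEB3, Hyper-V administrator rights on the host, and the Hyper-V PowerShell module installed locally.

```powershell
# Added example: guest administration goes to the VM, hardware changes go to the host.
# HV1 and the VHDX path are placeholders; WEB3 is the VM name used in the tutorial.
$HvHost = 'HV1'
$VmName = 'WEB3'

# Daily administration over PowerShell Remoting, exactly like a physical server.
Invoke-Command -ComputerName $VmName -ScriptBlock { Get-Service W3SVC }

# Hardware-level changes are sent to the Hyper-V host, not to the guest.
# Changing StartupBytes requires the VM to be off, so stop it first.
Stop-VM -ComputerName $HvHost -Name $VmName

# Adjust memory: enable dynamic memory with consistent min/start/max values.
Set-VMMemory -ComputerName $HvHost -VMName $VmName -DynamicMemoryEnabled $true `
    -MinimumBytes 2GB -StartupBytes 4GB -MaximumBytes 8GB

# Add a new 50 GB dynamically expanding data disk (path is a placeholder on the host).
$DiskPath = 'D:\VMs\WEB3\data01.vhdx'
New-VHD -ComputerName $HvHost -Path $DiskPath -SizeBytes 50GB -Dynamic
Add-VMHardDiskDrive -ComputerName $HvHost -VMName $VmName -Path $DiskPath

# Move the VM's network adapter to a different virtual switch (placeholder switch name).
Connect-VMNetworkAdapter -ComputerName $HvHost -VMName $VmName -SwitchName 'Tenant-Private'

Start-VM -ComputerName $HvHost -Name $VmName

# Confirm the result from the host's point of view.
Get-VM -ComputerName $HvHost -Name $VmName | Select-Object Name, State, MemoryAssigned
Get-VMHardDiskDrive -ComputerName $HvHost -VMName $VmName | Select-Object ControllerType, Path
Get-VMNetworkAdapter -ComputerName $HvHost -VMName $VmName | Select-Object Name, SwitchName
```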

Windows Admin Center (WAC)

We have used WAC sporadically throughout this training. WAC is the new tool Microsoft wants server administrators to use to interact with and manage every aspect of their servers, and virtual machines hosted on Hyper-V are no exception: you can use WAC to manage physical and virtual servers in the same way.

Shielded (protected) virtual machines

If your day-to-day work has nothing to do with Hyper-V, you may never have heard of shielded virtual machines.

The name describes what these machines do. A shielded virtual machine is a specific type of virtual machine whose contents are encrypted: its virtual hard disk file (VHDX) is protected with BitLocker, so it cannot simply be opened from the host.

Applying this solution may sound simple, but it only works when a number of prerequisites are in place.

For BitLocker encryption to work inside the virtual machine, the virtual machine needs a virtual Trusted Platform Module (vTPM). TPM chips have quickly become a standard hardware component in the technology world, but to most administrators their use inside a virtual machine still looks like an exotic technology.

Shielded virtual machines can also be locked so that they run only in healthy environments, which significantly improves security.

To better understand what a shielded virtual machine does, let's consider a situation in which an unshielded virtual machine is being used.

Deploying shielded virtual machines matters most when the host runs in the cloud and you cannot be sure of your service provider's security.

In such a situation the service provider, or even the IT department that set up a private cloud, can access the contents of the virtual machine.

We have a Hyper-V host server and have created a virtual machine called WEB3 on it. Let's imagine that I am a cloud hosting provider and one of my clients runs the WEB3 web server.

I created a separate private virtual switch for this client to connect to their own network, so that they can manage their server and network themselves.

In this setup I, as the host, have no access to my client's virtual machines at the network level.

Note that the WEB3 server is joined to the tenant's own domain and network; as the cloud host I do not have the client's domain credentials and cannot log on to their server.

So far everything looks fine. As a customer, you do not want the cloud provider to be able to look inside your virtual machine hosted in the cloud.

You also do not want other customers who have virtual machines in the same cloud to be able to view the contents of your servers.

The same is true for private clouds. If you host a private cloud and let different companies, or different parts of one company, deploy isolated virtual machines on it, you must make sure there are real security boundaries between the virtual machines and between the virtual machines and the host.

Now let's look at this scenario from a security perspective. Suppose I am a disgruntled employee of the cloud service and decide to do some damage to my organization before leaving.

Deleting the WEB3 server is trivial, because I have access to the host's management console.

However, deleting the machine is not the real problem, because the client can simply redeploy the server or restore it from a backup.

In another scenario, the disgruntled employee tries to modify the websites and data inside the virtual machine rather than destroy it.

He does not need any access to the running virtual machine for this, because he has direct access to the virtual hard disk file, which is enough to manipulate the client website running on the WEB3 server.

All he has to do is open the VHD file, modify the website, and replace its content with whatever he wants to show.

To do this, the employee first logs on to the Hyper-V host and browses to the folder where the WEB3 VHD file is stored.

No customer credentials are needed for this, and the customer will never notice that anything has been changed in their virtual machine. The user simply right-clicks the VHD file and selects Mount.

Now that the VHD is attached directly to the host operating system, the employee sees the virtual machine's hard disk as just another drive of the host.

He goes to the wwwroot folder, finds the website files, and changes the default page to show the content he is targeting.

When the manipulation is complete, he opens the Disk Management tool, right-clicks the mounted disk, and selects Detach VHD.

The file is back in its original location and nothing appears to have happened. Of course, the VHD file could just as easily be copied to a USB flash drive.

Given this malicious scenario, do you still consider virtual machines hosted in the cloud secure?

The example above is a realistic example of what can happen in a virtualized environment, which is why some organizations are reluctant to move their important business activities to cloud providers.

Fortunately, Microsoft has addressed this security issue by introducing a new technology called shielded VMs.

Encrypting VHDs

Microsoft introduced its drive encryption technology, BitLocker, some time ago. Shielded virtual machines are Hyper-V virtual machines whose drives are encrypted with BitLocker.

Once the entire VHD file is protected with BitLocker, nobody can use the host as a back door to the drive. In this case, trying to mount the VHD file produces the following error:

Infrastructure needed for shielded virtual machines

Several prerequisites are needed to run shielded virtual machines. One of them is guarded hosts: you need guarded hosting servers to run shielded virtual machines.

Guarded hosts are essentially ordinary Hyper-V servers underneath. They host virtual machines just like any Hyper-V server, except that they are also able to host encrypted, shielded virtual machines.

Guarded hosts should run Windows Server 2016 or 2019 and should boot with UEFI on hardware that includes a TPM 2.0 chip. Strictly speaking, TPM 2.0 is not a hard requirement, but it is recommended.

Next, the Host Guardian Service (HGS), running on one server or on a cluster of servers (at least three), is required to validate the hosts.

When a shielded virtual machine runs on a guarded host, HGS attests the host's health and only then releases the keys the virtual machine needs, so everything stays safe and secure.

HGS itself should run on Windows Server 2016 or 2019. HGS caching is a new feature added in Windows Server 2019.

The previous version had some restrictions on shielded virtual machines; these have been removed.
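A practical way to check these prerequisites, and to find VMs that are still exposed to the VHD-mounting scenario described earlier, is an audit run on the Hyper-V host. The following is an added example, not code from the original tutorial; it assumes it is run on the host itself with the Hyper-V and HgsClient PowerShell modules available, and uses no names beyond the VM names it reads from the host.

```powershell
# Added example: audit a Hyper-V host for shielded-VM readiness and list unprotected VMs.

# 1. Is this host attested by HGS, i.e. is it actually a guarded host?
#    Mode is 'Local' when no HGS is configured; 'HostGuardianService' when it is.
$hgs = Get-HgsClientConfiguration
[PSCustomObject]@{
    Mode                   = $hgs.Mode
    IsHostGuarded          = $hgs.IsHostGuarded
    AttestationStatus      = $hgs.AttestationStatus
    AttestationServerUrl   = $hgs.AttestationServerUrl
    KeyProtectionServerUrl = $hgs.KeyProtectionServerUrl
} | Format-List

# 2. Per-VM security state. A VM with no vTPM and no shielding has a plain VHDX that
#    any host administrator can mount; a vTPM alone allows BitLocker inside the guest,
#    but only Shielded=True also blocks console and host-side access.
$report = foreach ($vm in Get-VM) {
    $sec = Get-VMSecurity -VM $vm
    $risk = if ($sec.Shielded) {
                'shielded'
            } elseif ($sec.TpmEnabled) {
                'vTPM only: disk can be BitLocker-protected, host admin still has console access'
            } else {
                'UNPROTECTED: VHDX can be mounted and edited by any host admin'
            }
    [PSCustomObject]@{
        Name           = $vm.Name
        Generation     = $vm.Generation
        TpmEnabled     = $sec.TpmEnabled
        Shielded       = $sec.Shielded
        StateEncrypted = $sec.EncryptStateAndVmMigrationTraffic
        Risk           = $risk
    }
}
$report | Sort-Object Shielded, TpmEnabled | Format-Table -AutoSize

# 3. Shielding needs a Generation 2 VM (UEFI + vTPM); flag the ones that must be
#    rebuilt before they can ever be shielded.
$report | Where-Object { -not $_.Shielded -and $_.Generation -lt 2 } |
    ForEach-Object { Write-Warning "$($_.Name) is Generation 1 and cannot be shielded as-is." }
```

If the report shows Mode=Local or IsHostGuarded=False, the host is not yet talking to an HGS and no VM on it can be shielded regardless of its own settings.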

Integration with Linux

Many companies use Linux for part of their workload. Here are some ways to use Linux alongside Windows Server 2019:

Running Linux in Hyper-V: Virtual machines on a Hyper-V server used to be limited to Windows-based operating systems, but that is no longer the case. Hyper-V lets you create and run Linux-based virtual machines from Hyper-V Manager.

Linux in shielded machines: We described running shielded virtual machines in Hyper-V; you should also know that Linux-based shielded virtual machines are supported. In other words, you can mix shielded Linux and Windows virtual machines.

Running containers: Most Hyper-V administrators have no trouble installing Linux on their systems, since it is a simple process, but they often have no reason to do so. In some cases, though, deploying Linux becomes important, notably when containers come into play.

When building deployable, cloud-ready applications, we often talk about running them inside containers.

In the past, hosting containers on a Windows server meant that the container itself had to run Windows.

You can now host Linux-based containers on Windows Server 2019, which gives you greater flexibility in the software development process.

Hyper-V Server 2019

Virtualization is an exciting business. Preparing the hardware, installing Windows Server 2019, and enabling Hyper-V is all you need to host hundreds or thousands of virtual machines and earn money from them.

Make sure, however, that every virtual machine you create has its own operating system license, which is only reasonable.

Depending on the SKU you use for the host operating system, there is also a limit to the number of virtual machines a Hyper-V server may run.

For example, Windows Server 2019 Standard Edition used as a Hyper-V server is licensed to run two virtual machines.

Clearly the Standard Edition SKU is not designed to be used as a Hyper-V server. Windows Server 2019 Datacenter Edition does not have this limitation: it allows an unlimited number of virtual machines.

All of this brings us to a product called Hyper-V Server 2019. Note that Hyper-V Server 2019 is different from the Hyper-V role you install on Windows Server 2019; it is a separate Microsoft product.

It has its own installation and setup and a completely different user interface from a traditional server. Installing Hyper-V Server 2019 on a physical machine gives you a server that can host an unlimited number of Hyper-V virtual machines and does nothing else.

You cannot use this product as a general-purpose server to host other roles or services.

Hyper-V Server also has no GUI. Its great advantage is that it is free.

To use it, download the product's ISO, burn it to a disc, and install it. The installation process is similar to the Windows Server 2019 installation we covered earlier in this tutorial.

After the installer finishes and the operating system boots, the environment looks like this:

There is only a command prompt, with a configuration tool called SConfig that launches automatically.

Using the keyboard, we can do things like set the host name, join a domain, and change the network settings.

After you have used this text-based interface to set the basic requirements on the server and connect it to the network, you do not need to return to the Hyper-V Server console unless you want to revisit or re-check those changes.

Instead, once the Hyper-V server is configured, you simply manage the virtual machines running on it using Hyper-V Manager or PowerShell on another server or desktop on the network.

In the picture below I have launched Hyper-V Manager. This example shows Hyper-V Manager running on a Windows 10 computer with the Hyper-V feature installed.

Here I can right-click in Hyper-V Manager, select Connect to Server, enter the name of the new Hyper-V server, and open a remote management connection to it.

From this remote connection you can use all the functions of Hyper-V Manager from the Windows 10 machine.

This is similar to the method we used earlier with Server Core and Nano Server. Hyper-V Server offers many benefits, such as higher security thanks to its minimal footprint, hosting an unlimited number of virtual machines, and lower costs.

Last word

In this series of Windows Server 2019 tutorials we have tried to familiarize readers with Microsoft's network operating system, which is used across a wide range of servers and data centers: how to build and configure the operating system, how to join it to a domain, and other topics that any networking professional should consider.

Of course, Windows Server requires a lot of practical work and resources to develop real technical skill. In this tutorial we have had to cover some topics in a catalogue-like format to keep the content short.

We hope this collection raises the level of readers' technical knowledge.
