Secure Virtualization Infrastructure Flashcards

Question

What is the function of the certificates on the HGS?

Answer 1

HGS certificates are used to protect the sensitive information needed to start a shielded VM. They never leave the HGS are are only used to decrypt VM keys.

Answer 2

Key Algorithm: RSA Minimum key size: 2048 bits Signature Algorithm: Recommended SHA256 Key Usage: Digital Signature and Data Encipherment EKU: Server Authentication Key renewal policy: Renew with the same key Subject Name: Recommended to use the company web address

Answer 3

Subject Name: Name of the HGS Cluster. This is the name supplied with Initialize-HGSServer SAN: If a different DNS name is used to access the cluster, include it as a SAN

Answer 4

Server 2016 version 1709

Answer 5

- Ensure that either the servers have a shared encryption and signing certificates, or separate certificates are used to configure the HGS shielded VMs to use both HGS Servers - Attestation policies need to be in sync between the two clusters - Hyper-V hosts need to be Server 2016 version 1709 or Server 2019. - Run the command: Set-HgsClientConfiguration -FallBackKeyProtectionServerUrl $URL1 -FallbackAttestationServerUrl $URL2

Answer 6

Run the command: Set-HgsClientConfiguration and omit any of the fallback data

Answer 7

Two: One for signing and one for encryption

Answer 8

Initialize-HgsServer -TrustTPM

Answer 9

Get-HgsTrace -RunDiagnostics

Answer 10

Use the cmdlet Get-PlatformIdentifer to grab the key. You'll need to output the XML portion of the command to a file

Answer 11

Add-HgsAttestationHostGroup -Name $GroupName -Identifier $GroupSID

Answer 12

A one-way trust needs configured with the HGS trusting production

Answer 13

It doesn't. This can only be done with TPM-trusted attestation.

Answer 14

New-CIPolicy Note: You need to copy the policy file to the HGS using the following cmdlet: Add-HgsAttestationCIPolicy -Name $Policy -Path $PolicyP7B

Answer 15

Get-HgsAttestationBaselinePolicy -Path $PolicyPath | Note: This needs run on every host with a different hardware profile.

Answer 16

Add-HgsAttestationTPMPolicy -Name $Policy -Path $PolicyPath

Answer 17

- Run Get-HgsServer on the HGS Server to get the attestation URLs. - Run Set-HgsClientConfiguration -KeyProtectionServerURL $KPSUrl -AttestationUrl $AttestURL

Answer 18

- Attestation Service Url - URL of the attestation service, part of the HGS. Confirms the host is authorized to run shielded VMs - Key Protection Service URL - URL of the key protection service, part of the HGS. Once a host passes attestation, it retrieves the key required to decrypt VMs from this service. - Code Integrity Policy File Share Path (Only required for TPM attested mode) - TPM Attestation requires a host to have a TPM 2.0 chip. A code integrity policy restricts the software that can run at the kernel level to only what the code integrity policy has. - Shielding Help VHD - Includes tools to convert existing non-shielded vms to shielded.

Answer 19

1. VMM Console \ Settings \ Host Guardian Service Settings. a. Provide the attestation and Key Protection URLs (must be the same URLs across all hosts in VMM). Needs to be exactly what was entered on the hosts. b. Add any CI Policies to VMM c. Specify the location of the shielding helper VHD 2. For TPM-basted attestation: R-Click the Host \ Start Maintenance Mode 3. Configure Guarded Host: R-Click Host \ Host Guardian Service a. Check "Enable the Host Guardian Service and use the URLs configured as global settings in VMM" b. Check "Use a code integrity policy to restrict the software that can run on the host" 4. R-Click Host \ Stop Maintenance Mode

Answer 20

Server 2016

Answer 21

Generation 2 VMs

Answer 22

A Generation 2 VM with virtual TPM, encrypted with BitLocker, and is restricted to run on healthy and approved hosts.

Answer 23

BitLocker encrypted Disks (OS disks and data disks) Deployment of new shiedled VMs from a trusted template Protection of Passwords and other secrets Tenant control of where a VM can be started

Answer 24

Trusted template disks for deploying shielded VMs that have computed signatures. These signatures are stored in a catalog. When a shielded VM is provisioned the signature of the disk is computed and compared to the trusted signature. If the signatures match, the VM is deployed. If they do not match, the shielded VM is determined to be untrustworthy and the deployment fails.

Answer 25

PDK files are known as shielding data files and are used to protect tenant keys and are uploaded to the fabric by the tenant. They protect important VM configuration data (admin password, RDP, and other certificates, domain join credentials, etc.).

Answer 26

PDK Files | These files also store certificates, admin password, and other important secure information.

Answer 27

Administrator credentials Answer file (unattend.xml) Security Policy that determines whether the created VMs are configured as shielded or encryption supported RDP Certificate Volume signature catalog Key protector that defines which guarded fabrics a VM is authorized to run on.

Answer 28

Shielded VMs are encrypted and protected from access by fabric admins. Encryption-supported VMs can be encrypted but still are accessible by fabric admins.

Answer 29

Encryption-supported VMs are intended for use where the fabric admins are fully trusted. Fabric Admins can continue to manage the VMs in a convenient way.

Answer 30

Shielded VMs are intended to be used on fabrics where the data and the state of the VM must be secured from the fabric admins and untrusted software. They never permit console connections or Powershell Direct connections.

Answer 31

- Shielded VMs require secure boot, vTPM, and that the VM state and live migration traffic be encrypted. Encryption supported VMs require these features but they are allowed to be modified. - Shielded VMs cannot use certain VM integration components (e.g. Data Exchange and Powershell Direct). ES-VMs can use all integration services. - Shielded VMs cannot use VM connection console and HID Devices. ES-VMs can use these (In Server 2016 1803 Shielded Vms can use some of these features) - Shielded VMs do not allow for COM/Serial ports for debuggers to be attached to the VM process.

Answer 32

The VM is tested to be healthy by presenting a certificate of health to the Key Protection Service (KPS)

Answer 33

For TPM-Trusted Attestation: - Identifying information about the TPM (endorsement key) - Information about started processes (TCG Log) - Code Integrity Policy Host Key Attestation - Hyper-V checks the key pair. HGS validates the key is registered Admin-Trusted Attestation - Hyper-V sends a Kerberos ticket identifying which security groups the host is in. HGS validates the host belongs to the correct security group.

Answer 34

1. VM is powered on 2. Host requests attestation 3. Attestation is checked 4. Attestation certificate is sent to host 5. Host requests VM key 6. Key is released to host 7. Key is returned to host

Answer 35

Any version of Windows that supports Generation 2 VMs (2012 and newer)

Answer 36

Shielded VMs protect the VM from a compromised fabric. | Shielded VMs should be used where the fabric and the fabric administrators are not trusted.

Answer 37

An owner key - Cryptographic Key maintained by the owner that is used for last-resort recovery or troubleshooting - and one or more guardians (guarded host keys) - Each guardian is a server/fabric that an owner authorizes a VM to run on

Answer 38

Cryptographic key maintained by the owner that is used for decrypting a shielded VM. Often used as a last resort in troubleshooting. It consists of two certificates: encryption and signing and it can be created with a private or public PKI. Only one owner key should ever be created, but multiple are allowed. Host guardian keys should be different from owner keys.

Answer 39

Many. The best practice is only one should be created.

Answer 40

No. It is best practice they be created separately.

Answer 41

- Security Level : Shielded or Encryption-supported - Owner and list of trusted Host Guardians where the VM can run - VM initialization data (unattend.xml, RDP Cert, etc.) - List of trusted signed template disks for creating the VM in the virtualization environment.

Answer 42

If a given VM requires any of the four items in a data file (security level, owner, initialization data, and trusted template disks) to be different, a new data file is needed. Shielding data files can be used over and over again so a single file can be used to create multiple VMs.

Answer 43

- Create a shielded VM in the environment and upload it to the virtualization fabric. - Create a new shielded VM from a signed template on the fabric. - Shield an existing VM (Must be Generation 2 and running Server 2012+)

Answer 44

- Use an existing signed template disk provided by the virtualization provider. VM Provider maintains the signed template disk. - Upload a signed template to the virtualization fabric. VM owner maintains the template.

Answer 45

Offline mode allows a shidled VM to turn on if an HGS cannot be reached as long as the configuration of the Hyper-V host has not changed. Offline mode utilizes a special version of the VM TPM key protector and requires the absolute latest version of Windows Server (not GA).

Answer 46

Use the Shielded Template Creation WIzard | Powershell: Protect-TemplateDisk

Answer 47

- Must use a GPT disk - Disk type must be basic - Disk must be two partitions: OS and BootLoader - Must use NTFS - OS must be Server 2012/Windows 8 or newer - OS must be sysprepped

Answer 48

Install-WindowsFeature -Name RSAT-Shielded-VM-Tools -Restart

Answer 49

1. Copy generalized VHDX with proper configuration to the server. 2. Install t he shielded VM tools (RSAT-Shielded-VM-Tools) 3. Obtain or create a certificate to sign the VSC for the VHDX 4. Launch the template disk wizard (TemplateDiskWizard.exe) 5. Choose the certificate 6. Provide a friendly disk name and version 7. Generate the disk

Answer 50

1. Create a template disk VHDX u sing the standard creation process 2. Refresh the library server. Navigate to Library \ expand Library Servers \ R-Click the library and choose Refresh 3. Provide VMM with information about the OS on the disk

Answer 51

The icon has a shield next to it. You can also enable the shielded column which will tell if a template is shielded or not.

Answer 52

1. Library \ Create VM Template 2. Choose "Use an existing VM Template or virtual hard disk stored in the library" \ Click Browse 3. Enable the shielded column for easier searching and select a prepared template disk from the library 4. Specify the VM Name 5. Specify the VM capabilities 6. Provide the correct OS Product Key

Answer 53

Protect-TemplateDisk -Certificate $Cert -path $VhdPath -TemplateName $TemplateName -Version $VersionNum

Answer 54

Save-VolumeSignatureCatalog -TemplateDiskPath $VhdPath -VolumeSignatureCatalogPath $VSCPath

Answer 55

THis file is used to provide information about the signing certificate, disk name, and version to the VM owners wanting to use a protected VM template. This file needs to be imported into the Shielding Data File Wizard to authorize someone to create template disk for them.

Answer 56

Management Features like console connection, Powershell Direct, and some integration components are disabled. Secure Boot, TPM, and Encrypt State and Virtual Machine traffic are automatically enabled with shielding

Answer 57

Yes. However, to move the VM to another host requires the Key Protector for the VM to authorize the host.

Answer 58

1. Install HGS Feature Install-WindowsFeature -Name HostGuardianServiceRole -IncludeManagementTools -Restart 2. Install HGS Server (possibly after reboot) Install-HgsServer -HgsDomainName $HgsDomain -SafeModeAdministratorPassword $SecureString -Restart 3. Create a self signed cert: one for signing and one for encryption - Export them as PFX - $Cert = New-SelfSignedCertificate -Subject "CN=Hgs Signing Certificate" - Export-PfxCertificate -FIlePath $SignCertPath -Password $CertPass -Cert $Cert - Remove-Item $Cert.PSPath - $EncCert = New-SelfSignedCertificate -Subject "CN=HGS Encryption Certificate" - Export-PfxCertificate -FilePath $EncCertPath -Password $CertPass -Cert $EncCert - Remove-Item $EncCert.PSPath 4. Initialize HGS - Configure HGS Cluster and WebServices - Initialize-HgsServer -LogDirectory $Directory -HgsServiceName HGS -Http -TrustActiveDirectory -SigningCertificatePath $SignCertPath -SigningCertificatePassword $SignPwd -EncryptionCertificatePath $EncCertPath -EncryptionCertificatePassword $EncPwd 5. Validate HGS Server configuration - Get-HgsTrace -RunDiagnostics

Answer 59

1. Install-WindowsFeature HostGuardianService 2. Install-HgsServer 3. Create 2 Certificates: Signing and Encryption 4. Initialize-HgsServer 5. Get-HgsTrace -RunDiagnostics

Answer 60

- The Fabric AD must trust the HGS Forest - A DNS Conditional Forwarder must be configured in the fabric AD - A HgsHosts group needs configured in the fabric AD

Answer 61

- One HGS Server running Server 2016 | - One guarded Hyper-V host running Server 2016

Answer 62

1. Shielded VM Started 2. Attestation Client initializes the attestation 3. Host presents a Kerberos Service Ticket 4. HGS validates group membership in the AD attestation group 5. HGS issues a signed certificate encrypted to the host.

Answer 63

- Fabric AD must trust the HGS FOrest - DNS conditional Forwarder must be configured in the fabric ad - A HGSHosts group needs configured in the fabric AD

Answer 64

Add-DnsConditionalForwarderZone

Answer 65

Netdom trust $DomainA /domain:$DomainB /userD:$DomainBUser /passwordD:$DomainBPassword /ad

Answer 66

Add-HgsAttestationHostGroup -Name $GroupName -Identifier $SID-of-Group

Answer 67

It secures the system at the hardware level.

Answer 68

You cannot. The Key is fixed into the TPM at manufacture and cannot be changed.

Answer 69

1. Initialize HGS Cluster in New Forest 2. Install Trusted Root TPM Certificates 3. Configure DNS on the Fabric 4. Retrieve the TPM Identifier (guarded host's TPM 2.0 EK) 5. Create CI Policy that will be used 6. Capture TPM Baseline 7. Configure Hyper-V Guarded Host's HGS Server

Answer 70

Get-PlatformIdentifier -Name $Name

Answer 71

Add-HgsAttestationTpmHost -Name $Name -Path $TPM _EK.xml

Answer 72

Add-HgsAttestationCIPolicy -Name $Policy -Path $Policy_P7B

Answer 73

Get-HgsAttestationBaselinePolicy - Path $BaseLinePath_Bin

Answer 74

Add-HgsAttestationTPMPolicy -Name $TPMPolicy -Path $BaselinePath

Answer 75

It provides the transport keys that are required to unlock and run shielded VMs on healthy Hyper-V hosts.

Answer 76

Use HSM-backed keys

Answer 77

Initialize-HgsServer

Answer 78

Add-HgsKeyProtectionCertificate

Answer 79

Get-HgsKeyProtectionCertificate

Answer 80

Set-HgsKeyProtectionCertificate

Answer 81

Local Computer

Answer 82

1. Launch IIS 2. Select Application Protocols 3. Open "Local Machine Certificate Management Console" (Certlm.msc) 4. Locate encryption and signing keys 5. Right Click each certificate \ All Tasks \ Manage Private Keys \ Grant Read permissions to the KPS Service \ Choose the KeyProtection App pool

Answer 83

No. They all utilize the same keys and will need to have them exported to them and have access granted so they can all be read.

Answer 84

Get-HgsClientConfiguration

Answer 85

Get-HgsClientConfiguration

Answer 86

Open the follwoing URL in the browser: http://localhost/KeyProtection/service/metadata/2014-07/metadata.xml

Answer 87

- Normal VMs (No Protections) - Encryption Supported VMs - Shielded VMs

Answer 88

1. Open fabric workspace \ Find host group with guarded hosts 2. Find the host to inspect \ R-Click and choose View Status \ Find measurements under HGS Client Overall 3. Rectify any warnings.

Answer 89

Configure VMM globals with the URLs of the fabric's HGS Cluster

Answer 90

- Remote Powershell | - Microsoft Scripts (e.g. PrepareNanoTP5.ps1)

Answer 91

1. Copy NanoServerImageGenerator to local system 2. Run Powershell 3. Navigate to the folder where NanoServerImageGenerator lives 4. Import-Module .\NanoServerImageGenerator 5. Create Media Path 6. Copy the required files to enable Nano to work with the Guarded Hosts.

Answer 92

New-NanoServerImage -MediaPath $MediaPath -TargetPath $NanoVHDPath -ComputerName $NanoName -OEMDrivers -Computer -DeploymentType Host -Edition Datacenter -Packages Microsoft-NanoServer-SecureStartup-Package,Microsoft-NanoServer-ShieldedVM-Package -EnableRemoteManagementPort -CopyFiles $FIlesToCopy -SetupCompleteCommands @("Powershell.exe -noninteractive -executionpolicy bypass -file C:\PrepareNanoTP5.ps1) -Domain $Domain

Answer 93

Microsoft-NanoServer-SecureStartup-Package | Microsoft-NanoServer-ShieldedVM-Package

Answer 94

1. Mount the generated VHDx 2. Run bcdboot $VHDXDriveLetter\Windows 3. Unmount VHDX 4. Restart Computer

Answer 95

- VM must use GPT Disks (pre-req for Gen 2 VMs and UEFI) - Basic Disks must be used (BitLocker doesn't support Dynamic Disks) - Disks must have a least 2 partitions: Windows OS Secured with BitLocker and the unencrypted bootloader - NTFS - Guest OS must support Gen 2 VMs and Secure Boot - OS must be generalized via Sysprep - VMs must be running Server 2016 Enterprise Edition

Answer 96

No. The ability to attach a debugger is disabled and cannot be enabled for Generation 2 VMs

Answer 97

- Export HGS configuration locally - Stop the VM - Create a new Key Protector - Ensure vTPM is enabled

Answer 98

Invoke-WebRequest Http://$HgsHost/KeyProtection/service/metadata/2014-07/metadata.xml -Outfile $FilePath

Answer 99

$KP = New-HgsKeyProtector -Owner $Owner -Guardian $Guardian -AllowUntrustedBoot Set-KeyProtector -VMName $VM -KeyProtector $KP.RawData Set-VMSecurityPolicy -VMName $VMName -Shielded $True

Answer 100

Enable-VMTPM -VMName $VM

Answer 101

- Ensure the HGS is available and that the VMs are running on a healthy Hyper-V Host - Make sure VMs are all Gen 2

Answer 102

Try one of the following - Disable the shielded data security profile - Copy the VM VHDX file to a secure host, create a new Gen 2 VM based on the VHDX and use the BitLocker Recovery Key to access the VM

Answer 103

1. Export the VM from the guarded host 2. Import the VM into Hyper-V 3. Powershell: Set-VMSecurityProfile -VMName $VM -ShieldingRequested $false 4. Hyper V \ Open VM Settings \ Security \ Security Profile \ Set "Shielded" to "No Additional Protection"

Answer 104

Get-VMSecurity -VMName $VM | Select-Object ShieldedRequested,Shielded

Answer 105

Get-VMSecurity -VMName $VM | Select-Object TpmEnabled

Answer 106

The VM has moved from its Host Guardian and should be moved back to another HGS server with the proper configuration. NOTE: This shows in VMM as "Error 12700 VMM cannot complete the host configuration"

Answer 107

- Self Signed certificates are being used as the guardian keys - Use the parameter -AllowUntrustedRoot with the New-HgsKeyProtector command to allow self signed certificates.

Secure Virtualization Infrastructure Flashcards

Guarded Fabric Shielded VMs Encryption Supported VMs