Virtualization Based Security (VBS) in vSphere 6.7

As we all know, VMware recently released vSphere 6.7, which brings many enhancements and new features. Security matters on every platform these days, and VMware has made substantial improvements on the security side. vSphere 6.7 ships with several big security features, and one of the most interesting is support for Microsoft Virtualization Based Security (VBS).


In this post I will share information about Microsoft Virtualization Based Security (VBS) and how to enable it on Windows Server 2016 with Hyper-V in a vSphere 6.7 virtual machine.

Virtualization-based security (VBS) is a feature of the Windows 10 and Windows Server 2016 operating systems. It uses hardware and software virtualization to enhance Windows system security by creating an isolated, hypervisor-restricted, specialized subsystem. VBS uses hardware virtualization features to create and isolate a secure region of memory from the normal operating system. It uses the underlying hypervisor to create this virtual secure mode and to enforce restrictions that protect vital system and operating system resources, or to protect security assets such as authenticated user credentials. In other words, Microsoft uses the hypervisor to provide a restricted memory space where sensitive information such as credentials can be stored instead of in the operating system itself. With the increased protection offered by VBS, even if malware gains access to the OS kernel, the possible exploits can be greatly limited and contained, because the hypervisor can prevent the malware from executing code or accessing platform secrets.

Prerequisites

VBS builds on Microsoft Hyper-V, and the following settings must be configured on your virtual machine:

  • Firmware type                                          :   UEFI
  • Enable UEFI Secure Boot                                :   Enabled
  • Enable hypervisor applications in this virtual machine :   Enabled
  • Enable IOMMU in this virtual machine                   :   Enabled

  • Create a virtual machine that uses hardware version 14 or later and one of the following supported guest operating systems:

    • Windows 10 Enterprise, 64-bit

    • Windows Server 2016

  • To use Windows Server 2016 as the guest operating system, apply all Microsoft updates to the guest.

Note:- VBS might not function in a Windows Server 2016 guest without the most current updates.
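The settings in the prerequisites list map to properties of the VM configuration that the vSphere 6.7 API exposes (firmware, Secure Boot, nested hypervisor, IOMMU and the VBS flag). The following PowerCLI script is an added example, not code from the original post or from VMware; it reads those properties for one VM and reports which prerequisites are not met. The VM name is an assumption, and an existing Connect-VIServer session is required.

```powershell
# Added example (not from the original post): check the vSphere-side VBS
# prerequisites of one VM through PowerCLI. The VM name is an assumption.
# Requires VMware PowerCLI and an existing Connect-VIServer session.
param(
    [string]$VMName = 'WIN2016-VBS'   # assumed name, change to your VM
)

$vm  = Get-VM -Name $VMName
$cfg = $vm.ExtensionData.Config      # VirtualMachineConfigInfo from the vSphere API

# The hardware version is reported as "vmx-14" for hardware version 14
$hwVersion = [int]($cfg.Version -replace '^vmx-', '')

$checks = [ordered]@{
    'Hardware version 14 or later'              = ($hwVersion -ge 14)
    'Firmware type UEFI'                        = ($cfg.Firmware -eq 'efi')
    'UEFI Secure Boot enabled'                  = ($cfg.BootOptions.EfiSecureBootEnabled -eq $true)
    'Hypervisor applications (nested HV) enabled' = ($cfg.NestedHVEnabled -eq $true)
    'IOMMU (vVTD) enabled'                      = ($cfg.VvtdEnabled -eq $true)
    'VBS flag set on the VM'                    = ($cfg.VbsEnabled -eq $true)
}

$allOk = $true
foreach ($entry in $checks.GetEnumerator()) {
    if (-not $entry.Value) { $allOk = $false }
    $state = if ($entry.Value) { 'OK  ' } else { 'FAIL' }
    '{0} {1}' -f $state, $entry.Key
}

if ($allOk) {
    "All vSphere-side VBS prerequisites are met on $VMName"
} else {
    # Firmware type and hardware version can only be changed while the VM is powered off
    "$VMName is not ready for VBS; fix the FAIL entries above (power the VM off first for firmware/hardware version changes)"
}
```

Run it before enabling anything inside the guest: if the firmware is still BIOS or the hardware version is below 14, the in-guest group policy steps below will not take effect.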

Enabling Virtualization Based Security in Windows 2016 with vSphere 6.7

I am creating a Windows Server 2016 virtual machine in a nested ESXi 6.7 vSphere environment to configure VBS. You have two options to enable VBS, and the VM compatibility level should be ESXi 6.7:

  • While creating the Virtual machine

  • After Creating the Virtual Machine

After booting the Windows Server 2016 VM, follow the steps below to enable Virtualization Based Security:

  • Enable the group policy setting for VBS first
  • Enable Hyper-V in Windows Server 2016

Navigate to the Group Policy setting where VBS has to be enabled.

Open the Local Group Policy Editor by typing gpedit.msc in the Run menu, or search for Local Security Policy from the Start Menu.

Navigate to Computer Configuration > Administrative Templates > System > Device Guard > Turn On Virtualization Based Security


Set the policy to Enabled, choose the options below from the drop-down menus, click OK, and reboot the server:

  • Select Platform Security Level                      :   Secure Boot and DMA Protection
  • Virtualization Based Protection of Code Integrity   :   Enabled with UEFI lock
  • Credential Guard Configuration                      :   Enabled with UEFI lock

Note:- The "Enabled without UEFI lock" option allows you to enable or disable this setting remotely.


Enable Hyper-V on Windows Server 2016

Navigate to Server Manager -> Add Roles and Features


Click Next with the default options; under Server Roles select Hyper-V, include the management tools, and click OK.


Continue with the default options and click Finish.

After enabling the Hyper-V feature, restart Windows.
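The group policy choices above and the Hyper-V role installation can also be applied from an elevated PowerShell session in the guest. The script below is an added example, not part of the original post or Microsoft's tooling; it writes the documented DeviceGuard and LSA registry values that correspond to the three drop-down choices (Secure Boot and DMA Protection, code integrity enabled with UEFI lock, Credential Guard enabled with UEFI lock) and then installs the Hyper-V role with its management tools. Using the registry directly rather than gpedit.msc is a substitution for the post's GUI steps; the value names and meanings are Microsoft's documented ones.

```powershell
# Added example (not from the original post): apply the post's three VBS choices
# through the documented DeviceGuard/LSA registry values and install Hyper-V.
# Run elevated on the Windows Server 2016 guest; a reboot is required afterwards.

$dgKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
$hvciKey = Join-Path $dgKey 'Scenarios\HypervisorEnforcedCodeIntegrity'
$lsaKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

foreach ($key in @($dgKey, $hvciKey)) {
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
}

# "Turn On Virtualization Based Security" = Enabled
New-ItemProperty -Path $dgKey -Name 'EnableVirtualizationBasedSecurity' -Value 1 -PropertyType DWord -Force | Out-Null

# Platform Security Level: 1 = Secure Boot, 3 = Secure Boot and DMA Protection
New-ItemProperty -Path $dgKey -Name 'RequirePlatformSecurityFeatures' -Value 3 -PropertyType DWord -Force | Out-Null

# Virtualization Based Protection of Code Integrity: Enabled (1) with UEFI lock (Locked = 1)
New-ItemProperty -Path $hvciKey -Name 'Enabled' -Value 1 -PropertyType DWord -Force | Out-Null
New-ItemProperty -Path $hvciKey -Name 'Locked'  -Value 1 -PropertyType DWord -Force | Out-Null

# Credential Guard: LsaCfgFlags 1 = enabled with UEFI lock, 2 = enabled without UEFI lock
New-ItemProperty -Path $lsaKey -Name 'LsaCfgFlags' -Value 1 -PropertyType DWord -Force | Out-Null

# Hyper-V role plus management tools (the Server Manager step in the post)
$result = Install-WindowsFeature -Name Hyper-V -IncludeManagementTools
if (-not $result.Success) {
    throw "Hyper-V installation failed: $($result.ExitCode)"
}
if ($result.RestartNeeded -ne 'No') {
    Write-Output 'Restart required before VBS becomes active; run Restart-Computer when ready.'
}
```

As the post's note says, the UEFI lock (Locked = 1 and LsaCfgFlags = 1) is what stops the settings from being switched off remotely; if you need to change them later you must use the values without lock (Locked = 0, LsaCfgFlags = 2) and clear the UEFI variables at the console.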


How to Verify VBS Is Enabled

Run msinfo32.exe from the Run menu; under System Summary you can find the entries related to Device Guard.
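The Device Guard lines that msinfo32 shows come from the Win32_DeviceGuard CIM class, which can be queried directly to check the result from a script. The following is an added example, not code from the original post or from Microsoft; it reads that class on the guest after the final reboot, decodes the numeric codes into the names msinfo32 displays, and reports whether VBS is running with both Credential Guard and hypervisor-enforced code integrity active.

```powershell
# Added example (not from the original post): read the same Device Guard
# information msinfo32 displays from the Win32_DeviceGuard CIM class and
# decode the numeric codes. Run on the guest after the post-configuration reboot.

# Code tables as documented for Win32_DeviceGuard
$vbsStatusNames = @{ 0 = 'Not enabled'; 1 = 'Enabled but not running'; 2 = 'Running' }
$serviceNames   = @{ 1 = 'Credential Guard'; 2 = 'Hypervisor enforced Code Integrity' }
$propertyNames  = @{
    1 = 'Base Virtualization Support'; 2 = 'Secure Boot'; 3 = 'DMA Protection'
    4 = 'Secure Memory Overwrite';     5 = 'UEFI Code Readonly'; 6 = 'NX Protections'
    7 = 'SMM Mitigations'
}

function Convert-DeviceGuardCodes([uint32[]]$Codes, [hashtable]$Table) {
    if (-not $Codes) { return '(none)' }
    ($Codes | ForEach-Object {
        if ($Table.ContainsKey([int]$_)) { $Table[[int]$_] } else { "Unknown ($_)" }
    }) -join ', '
}

function Get-VbsReport {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName 'Win32_DeviceGuard'

    $running = @($dg.SecurityServicesRunning)
    [pscustomobject]@{
        VbsStatus                 = $vbsStatusNames[[int]$dg.VirtualizationBasedSecurityStatus]
        RequiredSecurityProperties  = Convert-DeviceGuardCodes $dg.RequiredSecurityProperties $propertyNames
        AvailableSecurityProperties = Convert-DeviceGuardCodes $dg.AvailableSecurityProperties $propertyNames
        ServicesConfigured          = Convert-DeviceGuardCodes $dg.SecurityServicesConfigured $serviceNames
        ServicesRunning             = Convert-DeviceGuardCodes $running $serviceNames
        # What the post configured: VBS running, Credential Guard (1) and HVCI (2) both active
        FullyEnabled                = ($dg.VirtualizationBasedSecurityStatus -eq 2) -and
                                      ($running -contains 1) -and ($running -contains 2)
    }
}

$report = Get-VbsReport
$report | Format-List

if (-not $report.FullyEnabled) {
    # A required property that is missing from the available list is the usual cause
    # (e.g. DMA Protection absent when IOMMU is not enabled on the VM).
    Write-Warning 'VBS is not fully running; compare RequiredSecurityProperties with AvailableSecurityProperties.'
}
```

A healthy result shows VbsStatus "Running" and both services under ServicesRunning; if a service is configured but not running, the AvailableSecurityProperties list tells you which VM-side prerequisite (Secure Boot or DMA protection via IOMMU) the guest does not see.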

More about VBS can be found here.

Thank you for reading this post. Share the knowledge if you feel it is worth sharing.