The Ultimate Guide to Host Guardian Server for Dev

Hey there Dev, are you looking for a secure way to protect your cloud environment? Look no further than Host Guardian Server. In this article, we’ll cover everything you need to know about this powerful tool, from what it does to how to set it up. Let’s dive in!

What is Host Guardian Server?

Host Guardian Server (HGS) is a Windows Server feature that helps to protect virtual machines (VMs) in a cloud environment. It does this by using a combination of hardware, software and policy controls to ensure that only trusted VMs can run on a given host. In other words, HGS acts as a “guardian” for your virtual machines.

HGS works by using a technology called “Shielded VMs”. This means that each VM is protected by a combination of encryption, secure boot, and virtual TPM (Trusted Platform Module) technology. Together, these features ensure that the VM can only be started on an authorized host that has been verified by HGS.

How Does it Work?

In order to use HGS, you’ll need to set up a dedicated HGS server. This server will act as the “root of trust” for your cloud environment, and will be responsible for verifying that each host is authorized to run your VMs. Once you have your HGS server up and running, you can begin to deploy Shielded VMs.

Shielded VMs are essentially normal VMs that have been “wrapped” in additional security features. When you create a Shielded VM, it will be encrypted using BitLocker, and will only run on a host that has been verified by HGS. In addition, the VM will have a virtual TPM chip that ensures that its state is secure.

When you try to start a Shielded VM on a host, HGS will verify that the host is authorized to run the VM by checking that it meets a set of predefined policy rules. If the host passes these checks, the VM can be started. If not, the VM will not run.

Why Use Host Guardian Server?

So, what are the benefits of using Host Guardian Server? Here are just a few:

Benefit              Description
Enhanced Security    HGS provides an additional layer of security for your cloud environment, ensuring that only authorized VMs can run on your hosts.
Improved Compliance  By using Shielded VMs, you can meet compliance requirements that require data to be encrypted at rest.
Increased Control    HGS allows you to define policy rules that determine which hosts are authorized to run your VMs. This gives you more control over your cloud environment.

What are the Requirements?

In order to use Host Guardian Server, you’ll need to meet a few requirements:

  • A dedicated Host Guardian Server
  • Windows Server 2016 or later
  • A System Center Virtual Machine Manager (SCVMM) environment
  • Hardware that supports virtual TPM technology

In addition, you’ll need to ensure that your hosts are set up correctly. Each host will need to have a virtual TPM chip, and the hardware that it runs on will need to be approved by Microsoft as being “shielded capable”.

How to Set Up Host Guardian Server

Ready to get started with Host Guardian Server? Here’s a high-level overview of the steps you’ll need to follow:

  1. Set up a dedicated HGS server
  2. Configure the HGS server to use Active Directory attestation
  3. Create a TPM provisioning package
  4. Deploy the TPM provisioning package to each host that you want to use with Shielded VMs
  5. Configure your VMs to use Shielded VMs
  6. Create and deploy your VMs

Step 1: Set up a Dedicated HGS Server

The first step in setting up Host Guardian Server is to create a dedicated HGS server. This server will be responsible for verifying that each host is authorized to run your VMs.

To set up HGS, you’ll need to be running Windows Server 2016 or later. Once you have your server up and running, you can install the Host Guardian Server role using Server Manager. Follow the on-screen instructions to complete the installation.


Step 2: Configure the HGS Server to Use Active Directory Attestation

Once you’ve installed the Host Guardian Server role, you’ll need to configure it to use Active Directory attestation. This means that your HGS server will use your Active Directory environment to authenticate each host that tries to run your VMs.

To configure Active Directory attestation, you’ll need to:

  1. Create a Security group for your hosts
  2. Create a Key Protection Service (KPS) and specify the Security group
  3. Configure the HGS server to use the KPS
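Steps 1 and 2 as they would be typed on the HGS node, as an added example that is not part of the original article: install the role, create the dedicated HGS forest, initialize the Attestation and Key Protection services in Active Directory mode, and register the fabric security group. The domain names, certificate paths and the group SID are placeholders for your own values.

```powershell
# Added example (not from the original article): stand up an HGS server and
# register a guarded-host group for Active Directory-based attestation.
# Assumptions: the HGS node is a fresh Windows Server, the HGS forest will be
# named 'hgs.example.local', and the fabric AD security group 'GuardedHosts'
# has the placeholder SID below. Note: AD-based attestation is deprecated from
# Windows Server 2019 onward in favour of TPM or host key attestation; the
# cmdlets are shown for the mode this article describes.

# Step 1: install the role and create the dedicated HGS forest (both reboot).
Install-WindowsFeature -Name HostGuardianServiceRole -IncludeManagementTools -Restart
$safeModePwd = Read-Host -AsSecureString -Prompt 'DSRM password for the HGS forest'
Install-HgsServer -HgsDomainName 'hgs.example.local' `
    -SafeModeAdministratorPassword $safeModePwd -Restart

# Step 2 (after the reboot, as an HGS domain admin): initialize the Attestation
# and Key Protection services with Active Directory trust. The signing and
# encryption certificates protect the key material HGS releases to attested
# hosts; self-signed PFX files are acceptable only for a lab.
$certPwd = Read-Host -AsSecureString -Prompt 'PFX password'
Initialize-HgsServer -HgsServiceName 'hgs' -TrustActiveDirectory `
    -SigningCertificatePath 'C:\HgsCerts\signing.pfx' -SigningCertificatePassword $certPwd `
    -EncryptionCertificatePath 'C:\HgsCerts\encryption.pfx' -EncryptionCertificatePassword $certPwd

# Register the fabric security group. HGS identifies the group by SID, so only a
# one-way trust from the HGS forest to the fabric forest is needed. Read the SID
# on a fabric DC with (Get-ADGroup 'GuardedHosts').SID; the value here is a placeholder.
Add-HgsAttestationHostGroup -Name 'GuardedHosts' `
    -Identifier 'S-1-5-21-0000000000-0000000000-0000000000-1234'

# Verify before pointing any host at the service: the group is listed, the
# Attestation/KeyProtection URLs are published, and the diagnostics pass.
Get-HgsAttestationHostGroup
Get-HgsServer
Get-HgsTrace -RunDiagnostics
```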

Step 3: Create a TPM Provisioning Package

Next, you’ll need to create a TPM provisioning package. This package contains information about the virtual TPM that will be used on your hosts. You can create the package using the TPM.msc tool on your HGS server.

To create a TPM provisioning package:

  1. Launch the TPM.msc tool on your HGS server
  2. Select the “Create TPM provisioning package” option
  3. Follow the on-screen instructions to create the package

Step 4: Deploy the TPM Provisioning Package to Each Host

Once you’ve created your TPM provisioning package, you’ll need to deploy it to each host that you want to use with Shielded VMs. You can do this using a tool called the Virtual TPM Provisioning Tool.

To deploy the package:

  1. Download the Virtual TPM Provisioning Tool from the Microsoft website
  2. Extract the tool to a directory on your host
  3. Launch the tool and specify the location of the TPM provisioning package
  4. Follow the on-screen instructions to deploy the package

Step 5: Configure Your VMs to Use Shielded VMs

With your hosts set up correctly, you’ll next need to configure your VMs to use Shielded VMs. To do this, you’ll need to:

  1. Configure your VMs to use a vTPM (virtual TPM)
  2. Encrypt your VMs using BitLocker
  3. Create a virtual trusted platform module (vTPM) for the VM
  4. Configure your VM to use Secure Boot
  5. Create a shielded VM template

Step 6: Create and Deploy Your VMs

Finally, you can create and deploy your Shielded VMs. To do this:

  1. Create a virtual machine (VM) from your Shielded VM template
  2. Specify the encryption settings for your VM
  3. Select the Shielded VM option
  4. Deploy the VM to your host
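Steps 4 to 6 from the host side, together with the host verification check described under How Does it Work, as an added example that is not part of the original article: point the HGS client at the attestation and key protection endpoints, confirm that attestation passed, build a key protector from the HGS guardian metadata, and shield an existing VM. The HGS service name, file paths and the VM name 'App01' are assumptions.

```powershell
# Added example (not from the original article): attach a guarded host to HGS,
# check that attestation passes, then shield a VM with a vTPM and key protector.
# Assumptions: the HGS service resolves as 'hgs.hgs.example.local', the VM
# 'App01' already exists on this host, and the host belongs to the security
# group registered on the HGS server.

# --- On each guarded host: configure the HGS client, then confirm attestation.
Set-HgsClientConfiguration `
    -AttestationServerUrl   'http://hgs.hgs.example.local/Attestation' `
    -KeyProtectionServerUrl 'http://hgs.hgs.example.local/KeyProtection'

$client = Get-HgsClientConfiguration
if ($client.AttestationStatus -ne 'Passed') {
    # AttestationSubstatus names the policy check that failed (e.g. group membership).
    throw "Host not attested: $($client.AttestationStatus) / $($client.AttestationSubstatus)"
}

# --- Build the key protector. The HGS guardian (imported from the HGS metadata
#     document) lets attested hosts unlock the VM; the owner guardian stays with
#     the tenant or operator and is the only way to recover the VM outside HGS.
Invoke-WebRequest -Uri 'http://hgs.hgs.example.local/KeyProtection/service/metadata/2014-07/metadata.xml' `
    -OutFile 'C:\HgsGuardian.xml'
$hgsGuardian = Import-HgsGuardian -Path 'C:\HgsGuardian.xml' -Name 'ExampleFabric' -AllowUntrustedRoot
$owner = Get-HgsGuardian -Name 'Owner' -ErrorAction SilentlyContinue
if (-not $owner) { $owner = New-HgsGuardian -Name 'Owner' -GenerateCertificates }

# -AllowUntrustedRoot is only appropriate when HGS uses self-signed certificates.
$kp = New-HgsKeyProtector -Owner $owner -Guardian $hgsGuardian -AllowUntrustedRoot

# --- Apply to the VM (it must be off): key protector, vTPM, then shielding.
Stop-VM -Name 'App01' -ErrorAction SilentlyContinue
Set-VMKeyProtector -VMName 'App01' -KeyProtector $kp.RawData
Enable-VMTPM -VMName 'App01'
Set-VMSecurityPolicy -VMName 'App01' -Shielded $true

# Confirm Shielded and TpmEnabled are both True; from now on the VM only starts
# on a host whose attestation with this HGS passed.
Get-VMSecurity -VMName 'App01' | Select-Object Shielded, TpmEnabled, KsdEnabled
```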

Frequently Asked Questions

What is a Shielded VM?

A Shielded VM is a virtual machine that has been wrapped in additional security features. When you create a Shielded VM, it will be encrypted using BitLocker, and will only run on a host that has been verified by HGS. In addition, the VM will have a virtual TPM chip that ensures that its state is secure.

What are the Benefits of Using Host Guardian Server?

Some of the benefits of using Host Guardian Server include enhanced security, improved compliance, and increased control over your cloud environment. By using Shielded VMs, you can ensure that only authorized VMs can run on your hosts, and meet compliance requirements that require data to be encrypted at rest.

What are the Requirements for Using Host Guardian Server?

To use Host Guardian Server, you’ll need to meet a few requirements. These include a dedicated HGS server, Windows Server 2016 or later, a System Center Virtual Machine Manager (SCVMM) environment, and hardware that supports virtual TPM technology.

How Do I Set Up Host Guardian Server?

To set up Host Guardian Server, you’ll need to create a dedicated HGS server, configure it to use Active Directory attestation, create a TPM provisioning package, deploy the package to each host, configure your VMs to use Shielded VMs, and create and deploy your VMs.

Is Host Guardian Server Easy to Use?

While setting up Host Guardian Server can be complex, once it is set up, it is relatively easy to use. Once you have your HGS server up and running, you can begin to deploy Shielded VMs without having to worry about the underlying security features.


How Does Host Guardian Server Compare to Other Security Solutions?

Host Guardian Server is a unique security solution that is specifically designed for cloud environments. While other solutions may offer similar features, such as encryption and secure boot, none offer the same level of control and policy-based management that HGS does.

That’s it for our guide to Host Guardian Server. We hope you found it informative and helpful. If you have any questions or comments, please let us know!