Beginners Guide: 3 Essential VM Security Measures for MSPs

In the world of IT, security plays a huge role in how we approach things, and it’s especially important for managed service providers dealing with sensitive customer data. That’s why, when planning and designing infrastructures, you must make sure your workloads are protected and secure. Here are 3 essential security measures to take in order to protect your VMs, regardless of what hypervisor you’re using.

1. Secure the Operating Systems On the VMs

Reducing the attack surface of your VMs is a great way to reduce the potential vulnerabilities of the OS. This means building your servers with no GUI (Graphical User Interface) if possible. For example, Windows domain controllers and file servers do not require a GUI and can be managed via the Windows RSAT (Remote Server Administration Tools). So, instead of deploying a server with the default full GUI install of Windows Server, install Windows Server Core to greatly reduce the attack surface for those VMs. Not only does this improve the security of your VMs, but it also reduces resource costs and downtime, since these servers will require fewer patches than their full GUI counterparts.

Another method of securing the OS is to install only the applications that are necessary on your servers. Not every server needs Flash or Java installed. You don’t need to access your SAN management tools from every server! Keep third-party applications to a minimum on your VMs and you’ll greatly reduce the vulnerable openings that come with installing those apps.

Not only do we want to minimize the types of applications and features installed on our servers, but we also want to disable weak ciphers (typically DES/3DES and RC4) and protocols (TLS 1.0, SSL 2.0, and SSL 3.0) that are not used by applications. Check out Microsoft’s official documentation on how to disable each protocol via the registry. Also, make it a company standard to disable the local Administrator account on servers so that brute-force attacks are less likely to succeed. Take the initiative to ‘harden’ your OS builds. It’s a painful process to test and find a happy medium between a secure and functioning server, but it’s well worth it for you, your company, and your clients to be running tightly secured VMs in your environment.
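
As an added example (not part of the original article), the read-only PowerShell audit below reports whether the protocols and ciphers named above are explicitly disabled on a Windows Server VM, and whether the built-in Administrator account is still enabled. The key names follow Microsoft's SCHANNEL registry layout; the function name Get-SchannelState is an assumption made for this example.

```powershell
# Added example: read-only audit, changes nothing on the system.
$root = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

function Get-SchannelState {   # hypothetical helper name
    param([string]$SubKey)
    # The .NET registry API is used because cipher key names contain '/',
    # which the PowerShell registry provider treats as a path separator.
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey("$root\$SubKey")
    if ($null -eq $key) { return 'Not set (OS default applies)' }
    try { $enabled = $key.GetValue('Enabled') } finally { $key.Close() }
    if ($null -eq $enabled) { return 'Not set (OS default applies)' }
    if ($enabled -eq 0) { return 'Disabled' }
    return 'ENABLED'
}

# Protocols and ciphers named in the article.
$protocols = 'SSL 2.0', 'SSL 3.0', 'TLS 1.0'
$ciphers   = 'DES 56/56', 'Triple DES 168', 'RC4 40/128', 'RC4 56/128', 'RC4 64/128', 'RC4 128/128'

$targets = @(
    # Each protocol has separate Server (inbound) and Client (outbound) keys.
    foreach ($p in $protocols) { "Protocols\$p\Server"; "Protocols\$p\Client" }
    foreach ($c in $ciphers)   { "Ciphers\$c" }
)

$targets |
    ForEach-Object { [pscustomobject]@{ Setting = $_; State = Get-SchannelState $_ } } |
    Format-Table -AutoSize

# The built-in Administrator is the local account whose SID ends in -500,
# whatever it has been renamed to.
Get-LocalUser |
    Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' } |
    Select-Object Name, Enabled, SID
```

A setting reported as "Not set" falls back to the default of that Windows version, so it still needs an explicit value. Microsoft's documented fix is to set Enabled to 0 under the same key (plus DisabledByDefault to 1 for protocols) and restart the server.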

2. Protect the Physical Host

Not only do we need to secure our VMs on the software level, but also on a physical one. The physical location of the host that our VMs are running on needs to be in a protected area. It is easier than you would think for someone to break in and walk off with an ESXi or Hyper-V host, and if your data is not protected, this could wreak havoc for your company. Too many times, I’ve seen companies storing their server underneath a spare desk in an open cubicle. Take the time and resources to plan and make sure your host is in a locked room (with proper AC) and only those who need to have access can enter that room.

VM encryption is almost a necessity these days. Both Hyper-V and VMware have their own “VM Encryption” features. Also, most of the popular server or storage manufacturers (like HP or Dell) will have some sort of encryption solution for their storage. It is recommended to have some sort of encryption in place protecting the storage of your servers.

Also, take steps to lock down your physical hosts. Password-protect your hardware, make sure there is a password on the BIOS, and limit access via USB or CD. Don’t make it easy for someone to connect media to the server and steal data or load malicious code.

3. Manage Access to VMs

From a hypervisor perspective, don’t just give every administrator and developer full access to manage your VMs. Use the practice of JEA (just enough access) and give them an account with only the permissions required to perform the actions they carry out. Don’t allow everyone to use the “root” password of your hypervisor to perform their job duties. Also, administrators shouldn’t be logging in to their hypervisors with the same user account that they use to log in to their desktop every day. A separate account should be created to manage the hypervisor. This is very important, as there are malicious applications such as ransomware that can wreak havoc upon your systems if they’re run by a highly privileged account. It happens quite a bit more than you would think.

It’s also important to manage and maintain the privileged accounts that have access to your VMs. For example, if an Administrator leaves the company, there should be processes in place to disable and track their privileged access to your systems. I say track because, depending on the size of your company, managing who has access to what can get out of hand quickly, so either using a third-party solution or simply documenting that access is highly recommended.
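
One way to keep that documentation honest on a Windows or Hyper-V host is to compare actual privileged group membership against the documented list. This is an added example, not part of the original article; the account names in the baseline are constructed placeholders.

```powershell
# Added example: report drift between documented access and actual membership.
# Baseline entries are constructed placeholders; replace them with your own records.
$approved = @{
    'Administrators'         = @("$env:COMPUTERNAME\hvadmin-alice")
    'Hyper-V Administrators' = @("$env:COMPUTERNAME\hvadmin-alice",
                                 "$env:COMPUTERNAME\hvadmin-bob")
}

$findings = foreach ($group in $approved.Keys) {
    # A group that does not exist on this host simply yields no members.
    $members = @(Get-LocalGroupMember -Group $group -ErrorAction SilentlyContinue)

    # Accounts that hold the privilege but were never documented.
    foreach ($m in $members) {
        if ($approved[$group] -notcontains $m.Name) {
            [pscustomobject]@{
                Group   = $group
                Account = $m.Name
                Source  = $m.PrincipalSource
                Finding = 'Member, but not in documented access list'
            }
        }
    }

    # Documented accounts that are no longer members (stale documentation).
    foreach ($name in $approved[$group]) {
        if ($members.Name -notcontains $name) {
            [pscustomobject]@{
                Group   = $group
                Account = $name
                Source  = 'baseline'
                Finding = 'Documented, but no longer a member'
            }
        }
    }
}

$findings | Sort-Object Group, Account | Format-Table -AutoSize
```

Run it on a schedule and after every staff departure; an empty result means the host matches the documented access.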

Wrap-Up

As IT is changing and new technologies emerge, it’s hugely important that we understand the vulnerabilities of environments and how to prevent security breaches. These are just a few points to help get you started. Let us know in the comments on other ways you’ve secured your VM environment.

To learn more about how to protect yourself from ransomware attacks specifically, be sure to check out Altaro’s eBook Ransomware: A Survival Guide. It’s a great read and goes over many ways to protect yourself from these types of attacks.

Thanks for reading!
