Many of our security-conscious readers are familiar with DISA STIGs, the Security Technical Information Guides that the US Defense Information Systems Agency (DISA) publishes. These guides are wonderful in that they bridge the gap between compliance frameworks and infrastructure implementations. Compliance frameworks rarely specify what to do on & to an operating system to be secure, which leaves IT staff with the responsibility of figuring it all out, or paying third-parties to do it.
DISA has recently published a new STIG for Microsoft Windows Server 2019 that brings additional requirements to securing Windows. Specifically, it now requires UEFI firmware with Secure Boot enabled, as well as Virtualization-Based Security/Hypervisor Code Integrity to be enabled. If you’re running vSphere this won’t be a problem at all!
UEFI Firmware & Secure Boot
VMware vSpherefully supports UEFI firmware and Secure Boot as part of vSphere 6.5 and newer. Secure Boot uses cryptography to ensure that the system boots software that is trusted by the manufacturer. This helps stop malicious kernel modules, drivers, and bootloaders, and prevents rootkits and other malware from being able to reload itself after a reboot.
You can enable it for ESXi and for virtual machines, and we strongly recommend both, but you do not need to have it enabled for ESXi to enable it for a VM. It’s difficult to retrofit a system to UEFI so that is best done when you build a new VM or VM template. After that, Secure Boot is easy to enable, as it is simply a checkbox inside the VM settings or the New VM wizard, and then the operating system installer will detect it and install correctly.
Virtualization-Based Security
Virtualization-Based Security (VBS) is a Microsoft technology that creates a separate memory space for credentials and secrets inside Windows. It’s often called Device Guard and/or Credential Guard. It’s supported on Windows Server 2016 and 2019, as well as Windows 10, and fully supported on vSphere 6.7 and newer. A vSphere virtual machine simply needs to have the setting checked for VBS in either the VM settings or in the New VM wizard, and then VBS can be enabled in Windows as it would anywhere else. You can retrofit a VM with VBS, and Microsoft supplies the Device Guard Readiness Tool to help identify issues.
VBS can take advantage of a virtual TPM if it is present, but does not require one. VBS also does not require a TPM or any support from the physical hardware in your infrastructure. You can turn it on as-is either in the VM settings or as part of the new VM wizard. Because VBS helps protect credentials and secrets we recommend enabling it as early as possible in a system build to help ensure that credentials and secrets are stored there and not in the more traditional, less secure memory spaces.
Virtual Trusted Platform Module
The Windows Server 2019 STIG doesn’t require a Trusted Platform Module (TPM), but does accurately state that if one is present Windows will use it to further secure encryption keys, secrets, and cryptographic information for Secure Boot. VMware vSphere 6.7 and newer support virtual TPMs which can be added to Windows VMs. This feature does require VM Encryption to be enabled, and in turn, VM Encryption requires that a Key Management Server (KMS) cluster be present and attached to vSphere. VMware doesn’t supply KMSes, but the VMware Compatibility Guide lists a number of them ranging in features, price, and form-factors. We recommend that KMS installations be clustered, backed up, and protected against DR/BC loss, because if your KMS is unavailable after an outage you will have trouble accessing encrypted VMs.
There are many benefits to VM Encryption, including additional permissions in vCenter to prevent administrators from decrypting and exfiltrating VM data, compliance with data-at-rest guidelines, and enabling the virtual TPM for virtual machines. VM Encryption operates separately from the hardware in your environment, so you do not need a TPM in your physical hosts. Adding it to a VM is done as you would add any other hardware:
Easy to be Secure
VMware has done a lot of work to turn these deeply technical, very important security features into simple checkboxes for our customers. We do this because security is often a thankless job: do it right and nobody knows that you did anything. When security is easy to enable people will use it, and from there, compliance efforts get easier, too. That means more time for all of us humans in IT to do the interesting work that moves organizations forward.
VMware has been a leader with security features in virtual infrastructure for decades, and so there are many resources out there to draw from for more information. The vSphere documentation itself is often overlooked, but it’s full of information about what a feature is, how it works, and often includes suggestions and tips. Similarly, the VMware YouTube channels have immense amounts of content for someone new to a particular feature:
As always, thank you for being our customer, and let us know how we can help you be secure.
Many of our security-conscious readers are familiar with DISA STIGs, the Security Technical Information Guides that the US Defense Information Systems Agency (DISA) publishes. These guides are wonderful in that they bridge the gap between compliance frameworks and infrastructure implementations. Compliance frameworks rarely specify what to do on & to an operating system to be secure, which leaves IT staff with the responsibility of figuring it all out, or paying third-parties to do it.
