they are turned on in a production environment.

  • Ensure that your virtual machines have integration services installed.

Network configuration: The Hyper-V server should have at minimum two physical network interface cards (NICs), and potentially more to isolate groups of guest virtual machines from one another.

The first NIC should be used to manage the host partition and the remaining NICs would be used by the guest machines for communication with the physical network and storage. Using separate interfaces is particularly useful because should the NIC(s) in use by child partitions become overloaded, the administrator can still access the host partition.

In addition, guest machines with particularly sensitive data could be configured to use only one NIC to access the physical network. With VLANs and other physical boundaries controlling who has access to those systems, administrators can add another layer of security, depending upon access either to an additional physical NIC or a Virtual Network.
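The NIC separation described above can be audited on a host. The following is an added example, not part of the original document: the function name `Test-HostNicSeparation` and the sample adapter and switch data are constructed, and it assumes the `Get-NetAdapter` and `Get-VMSwitch` cmdlets (Windows Server 2012 or later) and one physical NIC per external switch.

```powershell
# Added example: report where the host partition and guest traffic share a NIC.
# Test-HostNicSeparation is a hypothetical helper, not a built-in cmdlet.
function Test-HostNicSeparation {
    param(
        [object[]] $PhysicalAdapters = @(),   # objects shaped like Get-NetAdapter -Physical output
        [object[]] $VirtualSwitches  = @()    # objects shaped like Get-VMSwitch output
    )
    $findings = @()

    # The page's minimum: one NIC for the host partition, at least one for guests.
    if ($PhysicalAdapters.Count -lt 2) {
        $findings += "Host has $($PhysicalAdapters.Count) physical NIC(s); at least two are needed."
    }

    # An external switch with AllowManagementOS set gives the host a virtual NIC
    # on the same physical NIC the guests use.
    $external = @($VirtualSwitches | Where-Object { "$($_.SwitchType)" -eq 'External' })
    foreach ($sw in $external) {
        if ($sw.AllowManagementOS) {
            $findings += "Switch '$($sw.Name)' shares NIC '$($sw.NetAdapterInterfaceDescription)' with the host partition."
        }
    }

    # A NIC bound to no external switch stays reachable if guest NICs are overloaded.
    $bound = @($external | ForEach-Object { $_.NetAdapterInterfaceDescription })
    $dedicated = @($PhysicalAdapters | Where-Object { $bound -notcontains $_.InterfaceDescription })
    if ($dedicated.Count -eq 0) {
        $findings += 'No physical NIC is reserved for managing the host partition.'
    }

    $findings
}

# Constructed sample data so the check runs without a Hyper-V host.
$adapters = @(
    [pscustomobject]@{ Name = 'NIC1'; InterfaceDescription = 'Constructed Adapter #1' },
    [pscustomobject]@{ Name = 'NIC2'; InterfaceDescription = 'Constructed Adapter #2' }
)
$switches = @(
    [pscustomobject]@{ Name = 'GuestSwitch'; SwitchType = 'External'; AllowManagementOS = $true
                       NetAdapterInterfaceDescription = 'Constructed Adapter #2' }
)
Test-HostNicSeparation -PhysicalAdapters $adapters -VirtualSwitches $switches

# On a live host:
# Test-HostNicSeparation -PhysicalAdapters (Get-NetAdapter -Physical) -VirtualSwitches (Get-VMSwitch)
```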

Domain Isolation: There are advantages, and relatively small overhead in terms of additional traffic, to implementing IPSec-based domain isolation, especially when utilizing Kerberos-based authentication, in the domain to which the Hyper-V host is joined. Administrators will be assured that only systems that have been authenticated by Kerberos can browse or attach to the Hyper-V host. Domain isolation also blocks the rogue machine plugging into the internal network from browsing and scanning for servers. The intruder will simply get a blank reading as it attempts to list servers; no server will accept its queries.

Since domain isolation utilizes only IPSec authentication to isolate the systems,
