the impact on the overall performance of the system is minimal. Unlike the server isolation scenario, IPSec in domain isolation only authenticates the traffic; it does not encrypt the actual data.
In general, it is recommended to use domain isolation whenever possible inside the virtual environment, and to use server isolation only where absolutely essential. If there is no way to physically isolate the management console from the rest of the network, server isolation can be used with an IPSec policy that links only the Administrator's console to the management NIC, the interface that reaches the Parent partition and allows full management of the Hyper-V host.
IPSec hardware acceleration is not available to the virtual machines (the synthetic network adapter does not support IPSec task offload), so IPSec traffic to and from the guests is processed in software on the host's CPU and cannot be offloaded to the physical NIC.
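The server isolation configuration described above, as an added example that is not part of the original guide: it uses the netsh advfirewall tool that ships with Windows Server 2008 R2 to require an authenticated and encrypted IPsec association between the management NIC and one administrator console, and to accept inbound traffic on the management address only from that console. The two addresses and the rule names are assumptions for illustration; both machines must be members of the same Active Directory forest because auth1=computerkerb authenticates with the computer accounts' Kerberos tickets.

```powershell
# Added example (not from the original guide): server isolation for the Hyper-V
# management NIC with netsh advfirewall. Run in an elevated PowerShell prompt on
# the Hyper-V host (parent partition).
# Assumed values, replace with your own:
$MgmtNicIp = "10.0.0.10"   # IPv4 address bound to the parent partition's management NIC
$ConsoleIp = "10.0.0.50"   # IPv4 address of the administrator's console
$RuleTag   = "Hyper-V mgmt NIC - admin console"

# 1. Connection security rule: every packet between the two endpoints must be
#    authenticated in both directions and, because this is server isolation,
#    encrypted with ESP. Domain isolation would keep the same rule but leave
#    qmsecmethods at its integrity-only default; the AES step is the extra cost.
netsh advfirewall consec add rule name="$RuleTag (IPsec)" `
    endpoint1=$MgmtNicIp endpoint2=$ConsoleIp `
    action=requireinrequireout auth1=computerkerb `
    qmsecmethods=esp:sha256-aes256+60min+100000kb `
    profile=domain

# 2. Inbound firewall rule for the management address: allow only traffic that
#    comes from the console AND arrived inside the authenticated, encrypted SA
#    (security=authenc). Plain-text packets from the console are dropped too.
netsh advfirewall firewall add rule name="$RuleTag (allow in)" `
    dir=in action=allow localip=$MgmtNicIp remoteip=$ConsoleIp `
    security=authenc profile=domain

# 3. Keep the domain profile's default inbound action at block, so any other host
#    talking to the management address matches no allow rule and is discarded.
netsh advfirewall set domainprofile firewallpolicy blockinbound,allowoutbound

# 4. Verify both rules exist, then watch the quick-mode security associations
#    appear once the console connects; an empty list means IPsec never negotiated.
netsh advfirewall consec show rule name="$RuleTag (IPsec)"
netsh advfirewall firewall show rule name="$RuleTag (allow in)"
netsh advfirewall monitor show qmsa
```

Apply the same two rules on the console (with the endpoints reversed in the firewall rule) so it also refuses unauthenticated traffic from the host. If management from the console stops working after step 3, check the Security event log on the host for IKE/AuthIP negotiation failures before loosening the rules.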
Recommended Firewall Exceptions for Hyper-V
Below are the ports that must be open for Hyper-V to operate properly;
these firewall rules are created automatically when the Hyper-V role is added to the Windows Server 2008 R2 server. They should not be changed, either via Group Policy or locally. This configuration can be permanently set in the security policy to make sure that other policies do not override it and shut down the essential Hyper-V services.
These ports were extracted from the Windows Server 2008 Hyper-V Attack Surface Reference.xlsx, a reference of all the files, services and ports affected by the Hyper-V role. The spreadsheet can be downloaded from:
http://download.microsoft.com/download/8/2/9/829bee7b-821b-4c4c-8297-13762aa5c3e4/Windows%20Server%202008%20Hyper-V%20Attack%20Surface%20Reference.xlsx
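A check for the statement above that the role's firewall rules must stay as installed, as an added example that is not part of the original guide: it parses the output of netsh advfirewall (the supported firewall command line on Windows Server 2008 R2; the NetSecurity cmdlets only arrived with Windows Server 2012) and reports any inbound rule belonging to the Hyper-V rule group that has been disabled. The assumption that the role's rules carry a Grouping string containing "Hyper-V" is an assumption of this example; adjust $GroupPattern if your rules are grouped differently.

```powershell
# Added example (not from the original guide): audit that the inbound firewall
# rules created by the Hyper-V role are still enabled. Run in an elevated
# PowerShell prompt on the Hyper-V host.
$GroupPattern = 'Hyper-V'   # assumed Grouping substring of the role's rules
$Remediate    = $false      # set to $true to re-enable disabled rules locally

function Get-FirewallRules {
    # netsh prints one "Key:   value" block per rule, starting with "Rule Name:".
    $text  = netsh advfirewall firewall show rule name=all dir=in | Out-String
    $rules = @()
    $current = $null
    foreach ($line in ($text -split "`r?`n")) {
        if ($line -match '^Rule Name:\s+(.+?)\s*$') {
            if ($current) { $rules += New-Object PSObject -Property $current }
            $current = @{ Name = $Matches[1] }
        } elseif ($current -and $line -match '^([A-Za-z ]+):\s+(.+?)\s*$') {
            $current[$Matches[1].Trim()] = $Matches[2]   # Enabled, Grouping, Protocol, LocalPort, ...
        }
    }
    if ($current) { $rules += New-Object PSObject -Property $current }
    return $rules
}

$hv = @(Get-FirewallRules | Where-Object { $_.Grouping -like "*$GroupPattern*" })
if ($hv.Count -eq 0) {
    Write-Warning "No inbound rules with grouping '$GroupPattern' found; is the Hyper-V role installed?"
}

# Full picture first: name, state, protocol and port of every Hyper-V rule.
$hv | Select-Object Name, Enabled, Protocol, LocalPort, Profiles |
    Sort-Object Enabled, Name | Format-Table -AutoSize

# A disabled rule is a finding: something (local change or GPO) turned it off.
$disabled = @($hv | Where-Object { $_.Enabled -ne 'Yes' })
if ($disabled.Count -gt 0) {
    Write-Warning ("{0} Hyper-V rule(s) are disabled:" -f $disabled.Count)
    foreach ($r in $disabled) {
        Write-Warning ("  " + $r.Name)
        if ($Remediate) {
            netsh advfirewall firewall set rule name="$($r.Name)" new enable=yes | Out-Null
        }
    }
}
```

Before trusting a clean result, run `netsh advfirewall show domainprofile` and look at the LocalFirewallRules setting: if a GPO has turned off merging of local rules, the rules listed here are not in effect even though they show Enabled: Yes, and the fix belongs in the GPO, not on the host.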
BitLocker
An attacker who gains physical access to the server can read the server's data
on the physical drive, reaching the NTFS partition without authentication simply by inserting a Microsoft Windows Pre-installation Environment (WinPE) CD and booting from it. If the data is not encrypted with the Encrypting File System (EFS) or some other
method, all files will be exposed.
The best response to this is to secure the volumes storing Hyper-V system files and virtual machines with Windows® BitLocker™ Drive Encryption, the full-volume encryption built into Windows Server 2008 (installed as a feature) that can seal its keys to the server's Trusted Platform Module (TPM). With a TPM protector, the volume master key is only released when the measured boot path is the one that was present when BitLocker was enabled, so a WinPE CD boots to an encrypted volume it cannot read. BitLocker does not protect data on a host that is already running and unlocked; it closes the offline-access path.
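A check for the recommendation above, as an added example that is not part of the original guide: it finds the local volumes that hold Hyper-V configuration files and virtual hard disks and reports whether BitLocker protection is on for each. It assumes a Windows Server 2008 R2 host with the BitLocker feature installed (so manage-bde.exe is present) and reads the VM paths from the root\virtualization WMI namespace (Msvm_VirtualSystemManagementServiceSettingData for the default paths, Msvm_ResourceAllocationSettingData for the VHDs attached to defined VMs).

```powershell
# Added example (not from the original guide): report BitLocker protection status
# for every local volume that holds Hyper-V configuration files or VHDs.
# Run in an elevated PowerShell prompt on the Hyper-V host.

function Get-HyperVStoragePaths {
    $ns = 'root\virtualization'   # Hyper-V v1 WMI namespace on 2008 R2
    $paths = @()
    $defaults = Get-WmiObject -Namespace $ns -Class Msvm_VirtualSystemManagementServiceSettingData
    $paths += $defaults.DefaultExternalDataRoot     # VM configuration (.xml) root
    $paths += $defaults.DefaultVirtualHardDiskPath  # default .vhd location
    # VHDs attached to defined VMs may have been placed anywhere, so collect those too.
    $paths += Get-WmiObject -Namespace $ns -Class Msvm_ResourceAllocationSettingData |
        Where-Object { $_.ResourceSubType -eq 'Microsoft Virtual Hard Disk' } |
        ForEach-Object { $_.Connection }
    return $paths | Where-Object { $_ }
}

function Get-VolumeRoots ($Paths) {
    # Reduce file paths to drive letters (C:, D:). UNC/CSV paths are skipped here;
    # they must be checked on the node that owns that storage.
    $Paths | ForEach-Object { [System.IO.Path]::GetPathRoot($_).TrimEnd('\') } |
        Where-Object { $_ -match '^[A-Za-z]:$' } | Sort-Object -Unique
}

function Get-BitLockerProtectionStatus ($Volume) {
    # manage-bde prints "Protection Status:    Protection On|Off" per volume.
    $out = manage-bde -status $Volume | Out-String
    if ($out -match '(?m)^\s*Protection Status:\s*(.+?)\s*$') { return $Matches[1] }
    return 'Unknown'   # manage-bde missing (feature not installed) or volume not reported
}

$roots = @(Get-VolumeRoots (Get-HyperVStoragePaths))
if ($roots.Count -eq 0) {
    Write-Warning 'No Hyper-V storage paths found; is the Hyper-V role installed?'
}

foreach ($vol in $roots) {
    $status = Get-BitLockerProtectionStatus $vol
    $line = '{0}  {1}' -f $vol, $status
    if ($status -eq 'Protection On') { Write-Host $line }
    else { Write-Warning "$line  <- Hyper-V data on this volume is readable from a WinPE boot" }
}
```

To remediate a volume reported as Protection Off, encrypt the operating system volume first (`manage-bde -on C: -RecoveryPassword`, which adds the TPM protector automatically when a TPM is present and enabled), then the volume holding the VMs (`manage-bde -on D: -RecoveryPassword` followed by `manage-bde -autounlock -enable D:` so it unlocks at boot without an operator). Escrow the recovery passwords in Active Directory; a server that needs a recovery key typed at the console after every reboot is one that will quietly end up with BitLocker turned off.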