I'm in the process of setting up a new Hyper-V cluster, and I'm focusing on security aspects. Sami Laiho has mentioned that Hyper-V hosts should not be managed with domain admin accounts. This raises a concern: if a domain admin account gets compromised, it could allow attackers to delete or encrypt all virtual machines. Does this imply that using a workgroup setup for Hyper-V hosts is the best practice? Has anyone implemented this kind of configuration, and what are your thoughts on it?
3 Answers
Using workgroup for Hyper-V can sound secure, but it's a bit like being safe but isolated. You're best off joining a domain, but just strip domain admin rights. Implement Just Enough Administration (JEA), use shielded VMs, and go for Local Administrator Password Solution (LAPS). This way, you still benefit from Kerberos and System Center Virtual Machine Manager (SCVMM), plus it makes your life easier.
Check out the Microsoft documentation on Hyper-V security planning. It has a lot of valuable insights: https://learn.microsoft.com/en-us/windows-server/virtualization/hyper-v/plan/plan-hyper-v-security-in-windows-server.
Really, domain admins should only log in for specific tasks like adding or removing domain controllers, or changing domain settings. This limited access helps minimize potential attack surfaces.
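A concrete form of the "strip domain admin rights, use JEA" advice from the answers above, as an added example that is not from this thread, from Sami Laiho, or from Microsoft's documentation: a Just Enough Administration endpoint on a domain-joined Hyper-V host that lets an operator group start, stop and inspect VMs without being a local or domain admin. The module name `HVOps`, the group `CONTOSO\HV-Operators`, the transcript folder and the host name `hv01` are assumptions chosen for the example.

```powershell
# Added example (not from the thread): register a JEA endpoint for Hyper-V operators.
# Run once on each Hyper-V host as a local administrator.
#Requires -RunAsAdministrator

$ModuleName    = 'HVOps'                   # assumed endpoint/module name
$OperatorGroup = 'CONTOSO\HV-Operators'    # assumed domain group that gets the role
$TranscriptDir = 'C:\JEATranscripts'       # assumed location for session transcripts

# 1. A role capability file must sit in a RoleCapabilities folder of a module
#    on $env:PSModulePath, so create a minimal module to hold it.
$ModuleRoot = Join-Path $env:ProgramFiles "WindowsPowerShell\Modules\$ModuleName"
$RcDir      = Join-Path $ModuleRoot 'RoleCapabilities'
New-Item -ItemType Directory -Path $RcDir -Force | Out-Null
New-ModuleManifest -Path (Join-Path $ModuleRoot "$ModuleName.psd1")

# 2. Allow-list only the Hyper-V cmdlets an operator needs. Nothing here can
#    delete VMs, change replication, or touch the host OS: Remove-VM,
#    Remove-VMSnapshot, Set-VMHost and similar are simply not visible.
New-PSRoleCapabilityFile -Path (Join-Path $RcDir 'HVOperator.psrc') `
    -ModulesToImport 'Hyper-V' `
    -VisibleCmdlets @(
        'Get-VM', 'Get-VMSnapshot', 'Get-VMNetworkAdapter', 'Get-VMHost',
        @{ Name = 'Start-VM';   Parameters = @{ Name = 'Name' } },
        @{ Name = 'Restart-VM'; Parameters = @{ Name = 'Name' }, @{ Name = 'Force' } },
        # Stop-VM is further limited to VMs whose names match an assumed pattern,
        # so the role cannot shut down domain controllers or other tier-0 guests.
        @{ Name = 'Stop-VM';    Parameters = @{ Name = 'Name'; ValidatePattern = '^APP-\d+$' }, @{ Name = 'Force' } }
    )

# 3. Session configuration: a restricted endpoint that runs as a temporary
#    virtual account (local admin only for the life of the session), logs a
#    transcript of every command, and maps the operator group to the role.
$PsscPath = Join-Path $env:TEMP "$ModuleName.pssc"
New-PSSessionConfigurationFile -Path $PsscPath `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory $TranscriptDir `
    -RoleDefinitions @{ $OperatorGroup = @{ RoleCapabilities = 'HVOperator' } }

if (-not (Test-PSSessionConfigurationFile -Path $PsscPath)) {
    throw "Session configuration file $PsscPath is not valid"
}

# 4. Register the endpoint (this restarts the WinRM service) and verify it.
Register-PSSessionConfiguration -Name $ModuleName -Path $PsscPath -Force | Out-Null
Get-PSSessionConfiguration -Name $ModuleName | Format-List Name, Permission

# Operators then connect with:
#   Enter-PSSession -ComputerName hv01 -ConfigurationName HVOps
# Inside that session Get-Command lists only the cmdlets above; Remove-VM and
# everything outside the allow-list is unavailable, and each session leaves a
# transcript in C:\JEATranscripts showing which user ran which command.
```

Day-to-day VM operations then need no admin account at all, which is what makes removing Domain Admins from the hosts' local Administrators group workable. The endpoint only constrains delegated operators, though: it does nothing against an attacker who already holds a Domain Admins credential, so it belongs alongside the tiering the other answers describe (domain admins log in only for domain-level work) rather than in place of it.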

That makes sense. But if a compromised domain admin can simply adjust policies to revoke protections, doesn't that open up a significant risk? It feels like if your domain admin is breached, you've already lost.