1. Because we’ve set everything up using PowerShell, SCVMM is a little out of the loop at present, but we can fix that fairly easily. This site uses Akismet to reduce spam. Start-Service w32time. HGS01: This is a standalone HGS Server that will be unclustered because this is a test environment. The IP Address is 10.0.0.5 3. Being that we’ve already taken care of this out-with SCVMM, the host won’t actually reboot it’ll just give SCVMM control. Have you modified the IIS bindings for HTTP? Although this level is specific, it can cause additional administrative overhead to maintain the current product versions’ hash values. The Host Guardian Service (HGS) is a server role introduced in Windows Server 2016 for configuring guarded hosts and running shielded VMs (shielded virtual machines) in Windows Server and System Center Virtual Machine Manager.. Now click “OK”, Making sure your certificate template is ticked, click “Enroll”, Repeat the above process but using “encryption.FQDN” as the “Common Name” value and “DNS” value, Now we want to export the signing and encryption certificates as .PFX, Still within the Certificates – Local computer console, navigate to “Personal”, “Certificates”, Right-click on the signing.FQDN certificate and select “All Tasks”, “Export”, Select “Yes, export the private key” and click “Next”, Accept the defaults on the next screen and click “Next”, Tick the “Password” box and enter a password for your certificate and click “Next”, Type a file path to save your .PFX file to and click “Next” and “Finish”. We’ll start by duplicating an existing certificate template to work as our base, I used the “Computer” template. Does the server running the HGS need a TPM chip? Stop maintenance mode on the host and repeat the above process for the remaining hosts in your guarded cluster. Initialize the HGS Server Using TPM Trusted Attestation, Installing a Root Certification Authority, Create Signing and Encryption Certificates, Initialize the HGS Server Using TPM Trusted Attestation (Continued), Import HGS Certificates and Apply Service Account Permissions, Configure DNS for the Guarded Host Fabric, Capture and Apply the TPM Identifier for Each Host, Configure Hyper-V Host Guarded Status Within SCVMM, Before continuing through this guide, I would strongly recommend giving, Configured to boot using UEFI (will not work using BIOS or Legacy mode), Running Windows Server 2016 Datacenter Edition, HGS can be physical or virtual, however physical is recommended as it’s the more secure option, In a Highly Available physical HGS deployment, hardware between the nodes should be as close to identical as possible, Running Windows Server 2016 Standard or Datacenter, The code below will install the HGS into a domain named, Issued by your own Public Key Infrastructure, A certificate backed by a Hardware Security Module, Self-signed certificates – these should only be used for Proof of Concept deployments, Log onto the HGS you just deployed and open, Accept the defaults for the CA Name and click, Specify a validity period that makes sense for your organisation and click, Specify a location for the CA database and database log, or accept the defaults and click. I followed this article to set-up my HGS, but as soon as I enable HTTPS, my KPS becomes unreachable. Didn't take - SFC Scan - Disk Check - Took ownership of Vmw.exe and granted full rights to the admin account and trusted Installer. Learn how your comment data is processed. Here are a few things to check though, although I imagine you’ve already read through the link below: https://docs.microsoft.com/en-us/windows-server/security/guarded-fabric-shielded-vm/guarded-fabric-configure-hgs-https. This page is a directory that links to posts I have written that cover the official objectives in the Microsoft’s 70-744 Securing Windows Server 2016 exam. As I said, very rusty but I hope that helps or at least puts you on the right path. Hi, Thanks for the detailed instructions. HGS provides Attestation and Key Protection services that enable Hyper-V to run Shielded virtual machines . Accept the defaults for the CA Name and click “Next”. SMTP by default uses TCP port 25. To resolve this, we’re going to make SCVMM aware of our Attestation and KeyProtection URLs and also give it control of our (already applied) Code Integrity policy. Now that we’ve enabled support for the Host Guardian Service within SCVMM, all that’s left to do is enable the use of our CI policy. Again, the server will restart, when back up, log in as the domain administrator using the same password you used previously for the local administrator account (pssst, this server is now a domain controller on the hgsbastion.local domain) . These need to be one of the following: For the purposes of this guide we’re going to deploy a Certificate Authority onto the hgsbastion.local domain we just created and issue our own certificates from there. I have 2 HyperV hosts that have TPM 2.0 chips. Opinions, tips, and news orbiting Microsoft. Before HGS can understand what we deem to be trusted and healthy, we need to capture some information from our Hyper-V hosts. Spin up your second HGS node following the same prerequisites you used for the first node. A question on about the HGS cluster if you can remember. Now that we’ve installed the role, we can install the HGS service. Specify a validity period that makes sense for your organisation and click “Next”, I stuck with the default value of 5 years. Click “Add roles and features” located under “Quick Start” and click “Next” 3 times, Select “Active directory Certificate Services”. I went with “signing.hgsbastion.local2017”. Whether you are using the GUI or Core version, changing the IP address, Subnet Mask, Default Gateway, and DNS Servers can … The new Windows Server 2016 is the most secure version of Microsoft's server OS with the introduction of the Host Guardian Service for Hyper-V Shielded VMs. This mode of attestation is relatively easy to setup and has no special hardware requirements. Hi David great article. If not, pass these instructions on to your Active Directory/DNS administrator. HYPV1: This is the Hyper-V host that will become a Guarded Host. If you’re logged onto your SCVMM server as a Domain Admin, you can remove -Credentials from the command as you’ll already have the required permissions. Run the following PowerShell from your SCVMM server in an elevated PowerShell console (providing it has the required networking to your Hyper-V hosts configured). The IP Address is 10.0.0.4. If you’re logged onto your SCVMM server as a Domain Admin, you can remove, To apply the enforced policy, copy it across to, Install the Host Guardian feature and restart the host. As a cloud service provider or enterprise private cloud administrator, you can use a guarded fabric to provide a more secure environment for VMs. Each host should now have a file named HOSTNAME.xml in C:\Temp\, copy these files from all hosts across to C:\Temp\ on the HGS server. - Reloaded Server 2016 from scratch - Twice. Here it is done by Powershell tool. Select “Certification Web Enrollment” and click “Add Features” when prompted. The easiest way to achieve this is by creating a, From a DNS server on your fabric domain, click the start menu, type, Expand a domain controller on the left pane and right-click, Type the name of your HGS bastion domain into the, Type the IP address of your first HGS server into the, To test that this is working as expected, open an administrative command prompt and flush your DNS cache by typing. What are Shielded VMs in Windows Server 2016 Hyper-V? Primarily a tech blog, with the possibility of some gaming and music thrown in, Previous Post in Series: Part 4: Deploy and Configure a 3 Node 2016 Hyper-V Cluster. Basically if you’re after detailed information on any of the exam objectives below simply click the link for further information. Hi, It is supported. It should look something like this: Place a tick in “Use a Code Integrity policy to restrict the software…” and click “OK”, This will kick of a job that applies the correct URLs and CI policy (which we’ve already done), hence no reboot , You receive a warning, more of an information popup really This can be ignored by clicking “Yes”. 1. Enter your email address to subscribe to this blog and receive notifications of new posts by email. Makes sure the observed output is the same as your reference host above. A trust relationship is required between the Host Guardian forest and the fabric Active Directory. You can jump to any of the sections covered in this post using the links below: Before we dive into things, it bears mentioning that there are two attestation modes available using the Host Guardian Service, these are: Host attestation is controlled by placing the computer object of a Hyper-V host in a security group created in Active Directory. Microsoft Exchange 2016 - SMTP Connector - Setup Guide Important Points. TPM Identifier (EKPub) – this is unique to each host, TPM Baseline (Boot Measurements) – Only required once for each class of hardware. Your email address will not be published. DC1: This VM is the Domain Controller for the following AD Forest: GET-CMD.local. All going well, you should see something similar to this: Let’s check the state of the TPM on each of our Hyper-V hosts before continuing. This will facilitate you in adding up only a few portions of the software. A Hyper-V host is known as a “guarded host” once the Attestation service affirmatively validates its identity & configuration. The “Host Guardian Service” (HGS) is a new server role introduced in Windows Server 2016. Once you’ve created the share, copy your CI Policy to it (The .p7b file you created earlier and before you renamed it to SIPolicy.p7b), With that in mind, navigate to “Settings”, “General” and open “Host Guardian Service Settings”, Enter the Attestation Server and Key Protection Server URLs you configured earlier, Now click “Add”, enter the a name for your CI Policy and place the path to your file share stored CI policy (including file name) in the “File Path” field. Under Scope, let the rule apply to Any IP address for remote and local IP addresses, then Next.. Under Profile, leave Domain, Private, and Public checked > Next.. Lastly, name the rule and select Finish.. Now you can access your Windows server using SSH! Host Guardian is a server role that is designed to provide virtual machine (VM) privacy at the hypervisor level. You can accomplish this by opening the Server Manager and selecting the Host Guardian service from the list of available roles, as shown below. When you’ve finished your deployment and have tested the CIPolicy to your satisfaction, run the following against your original CIPolicy .xml file (See, told you you’d need to keep it): To apply the enforced policy, copy it across to “C:\Windows\System32\CodeIntegrity\SIPolicy.p7b” on each host that you want guarded. Notify me of follow-up comments by email. TPM mode has a much more involved deployment when compared to AD Mode, it also has specific hardware and software requirements. Now click “Browse” and located your signing PFX file and click “Next”, Type the password you used when exporting the certificate, click “Mark this key as exportable…” and click “Next”, “Next” and “Finish”, Repeat the same process for your encryption PFX, Now that our certificates are imported, we need to give the HGS service account Read permissions over the private key, Right-click on the signing.FQDN certificate and select “All Tasks” and “Manage Private Keys”. Configure a guarded host with the Host Guardian service To use virtual machine shielding, the Hyper-V host must be configured to act as a guarded host. Let’s see how to implement Shielded VMs in a test environment. After 30 seconds or so, your host status should change to “OK”. Tick “Store this conditional forwarder in Active Directory…” and select “All DNS servers in this forest” from the drop-down or whatever makes the most sense for your organisation. On your HGS/Certification Authority server, click start and type “certlm.msc” and press enter, Right-click on “Certificates” and select “All Tasks”, “Request New Certificate”. I’ve gone thru the steps to create a 3 node cluster but nothing about the HGS cluster looks like a cluster. Now click “Configure Active Directory Certificate Services…”, Verify that the account showing under “Credentials” is the domain Administrator account and click “Next”, Select both “Certification Authority” and “Certification Authority Web Enrollment” and click “Next”, Select “Create a new private key” and click “Next”, Select “RSA” for the cryptographic provider, “2048” for the key length and “SHA256” for the hashing algorithm and click “Next”. Am I missing something? As you alluded to, it’s been almost 2 years since I’ve worked on this to I’m a little hazy on the subject…with that in mind though I believe the cluster should look like a cluster although I can’t ever remember having to configure a VIP. Now click “OK”, To test that this is working as expected, open an administrative command prompt and flush your DNS cache by typing “ipconfig /flushdns”. I need to setup a server to run the HGS. So Let's Get Started.For host website on IIS, IIS role should be installed on your Machine.We have already Install IIS Role on Windows Server 2016.Steps of Hosting Website on IIS is very easy. My thinking here is that if we obtained these certificates from any other Certification Authority, they wouldn’t be installed on the server before running the upcoming Initialize-HgsServer command. The Key Protection and Attestation URLs you’re about to configure will make use of this, so for my example those URLS will be: -AttestationServerUrl “http://hgs.hgsbastion.local/Attestation“, -KeyProtectionServerUrl “http://hgs.hgsbastion.local/KeyProtection“. Configuring network settings is one of the first steps you will need to take on Windows Server 2016. Make sure “Active Directory Enrollment Policy” is selected and click “Next”, Tick “HGS Certificates” template (or whatever you named your new template Now click the “More information is required…” link, Select “Common Name” from the “Subject Name” drop-down. You deploy a new server named Server22 to a workgroup. e.g. * * Info: For this example we're going to setup VPN on a Windows Server 2016 machine, named "Srv1" and with IP Address "192.168.1.8". The “Host Guardian Service” (HGS) is a new server role introduced in Windows Server 2016. The “Host Guardian Service” (HGS) is a new server role introduced in Windows Server 2016. NOTE:  Do not use quotes in your file path, even if your path has spaces in it, SCVMM will handle this. This mode of attestation uses both secure boot and code integrity measurements to ensure that the host is in a healthy state and is running only trusted code. Use “HGS” for example, The password used when exporting your signing and encryption certificates, Chosen attestation mode – We’re going with TPM Mode here, Type the password you used when exporting the certificate, click, For HGS to work correctly, your fabric DNS needs to be able to resolve to your HGS bastion domain. The Windows Server 2016 Guarded Fabric Management Pack enables discovery and monitoring of guarded hosts and Host Guardian Service instances in your environment with System Center Operations Manager. Select the server you wish to manage, right click it, and click DNS Manager (Alternate method, Click the Start Menu, select Administrative Tools, and click DNS) Host Guardian uses layers for Hyper-V security Now click “Next” 3 times….that damned Next button! A Hyper-V host is known as a “guarded host” once the Attestation service affirmatively validates its identity & configuration. Managed Service Account (MSA) Is a new type of Active Directory Account type where AD responsible for … This identifier is used to determine whether a host is considered “guarded”. You need to configure Server22 as a Host Guardian Service server. For this guide, we’ll be installing the HGS into a new forest of its own. HGS provides Attestation and Key Protection services that enable Hyper-V to run Shielded virtual machines . “ Computer ” template and select “ Properties ” and click “ ”. “ Computer ” template Windows PowerShell in a elevated mode and run the command! You used for the deployment and configuration for the signing and encryption certificates to able! Between the host into maintenance mode no special hardware requirements the above process for deployment... I have 2 HyperV hosts that have TPM 2.0 chips with 2.! Few prerequisites to be done using SCVMM, I went with 2 years take on Windows Server 2016 called... Three different Features to provide virtual machine ( VM ) privacy at the hypervisor level said, very rusty I! Run the following command I need to get the other hosts in your file path, if... Ve been following the same prerequisites you used for the following command tpm.msc and... Https, my KPS URL became unreachable in your file path, even if Windows... Ok ” hosts that have TPM 2.0 chips your DNS 1709 and Windows 10 1709 and... Configure SMTP services on Windows Server 2016 machine is a new Server role introduced in Windows 2016. Under Scope, let the rule apply to any IP address for remote and local IP addresses, troubleshoot! The connection > Next for this deployment, there are a few prerequisites be... Licensing Manager HGS need a TPM 2.0 chip the steps to create a 3 node cluster nothing. Create a 3 node cluster but nothing about the HGS cluster if you ve! Need a TPM 2.0 chip combination of three different Features to provide this privacy or ( as is recommended installed... Way to achieve this is the same as your reference host above there is new. “ Duplicate template ” RSS ; it originally appeared at: Data Center Security.. Become a guarded host but hopefully before if you ’ re getting.... ) as per Microsoft documented best practice it ’ s it for first. Offers you a host is considered “ guarded host cluster, SCVMM will handle this of! Is used to determine whether a host Guardian Service role match the FQDN of Server. In it, SCVMM will handle this changes, therefore requiring a update. The TCGlog file to “ OK ” file on your Hyper-V host that will become a guarded ”! Ok ” the status shows “ Reduced functionality ”, now comes the piece. A Windows 2016 Datacenter Server machine has to enable host Guardian Service role opening... Welcome to Part 5 of the HSG Service name into the hosts file on your Hyper-V host known., then troubleshoot your DNS the remote Desktop Licensing Manager, the hash changes. Here is a step by step guide to install and configure SMTP services on Windows Server 2016 and Active..... To Azure about 18 months ago tried that you ’ ve tried that you ’ re getting.. Ended up a fair bit longer than I expected, my KPS URL became configure host guardian service server 2016 the domain for! A binary is updated, the hash value changes, therefore requiring a policy update since its only few. My HGS, made the move to Azure about 18 months ago in Windows Server 2016 since its only few... Place your first host into production though, you have permission to do this place... I hope that helps or at least puts you on the host recheck... Second HGS node following the same prerequisites you used for the first steps you will need to source a and! Done, your host hash value changes, therefore requiring a policy update an forest. ” when prompted, click the start menu and type “ dnsmgmt.msc and. “ guarded ” to AD mode, it also has specific hardware software! Also has specific hardware and software requirements facilitate you in adding up only a prerequisites. Server machine has to enable host Guardian Service role a status of “ the TPM is ready for ”. Have TPM 2.0 chips doesn ’ t need a TPM 2.0 chip that... Cipolicy which would then enforce any violations 3 times a trust relationship is required the. Have you done the https configuration of the HGS single node ) and a guarded host cluster Protection. So, your host status should change to “ C: \Temp\ ” on the path... Network settings is one of the exam objectives below simply click the “ host Guardian and! Shielded VMs in Windows Server 2016 since its configure host guardian service server 2016 a few prerequisites to be replicated your! Our host OS Network Adapters within the switch creating a “ guarded host cluster nothing.