Validating that audit has been initialized
By ensuring that no single admin has access to both systems, you force an attacker to compromise two different accounts belonging to two different people before they can change HGS policies.
This also means that the domain and enterprise admins of the two Active Directory environments should not be the same people, and that HGS should not be joined to the same Active Directory forest as your Hyper-V hosts.
The guarded fabric management pack for System Center Operations Manager (SCOM) includes event monitors that check for common misconfigurations that can lead to datacenter downtime, including hosts that fail attestation and HGS servers that report errors.
To get started, install and configure SCOM 2016, then download and import the guarded fabric management pack.
When a tenant decides to trust you to host their shielded VMs, they are placing their trust in your configuration and management of the Host Guardian Service.
It is therefore very important to follow best practices when managing the Host Guardian Service so that the security, availability and reliability of your guarded fabric are maintained.
This decision, together with the roles you assign to the admins in your organization, determines the trust boundary for HGS.
This includes:
These attestation artifacts can only be obtained by coordinating with the admins of your hosting fabric, which can make them difficult to recover after a disaster.
```powershell
# Set up a new PSSession using the JEA endpoint on the HGS server.
# The computer name and the credential's domain were cut off in this copy of the page;
# the values in angle brackets are placeholders, not the original text.
$session = New-PSSession -ComputerName '<hgs-server>' -Credential '<domain>\hgsadmin01' -ConfigurationName 'microsoft.windows.hgs'

# Copy the CI policy to the session's user drive
Copy-Item -Path $cipolicy -Destination 'User:' -ToSession $session

# Now that the file is copied, we enter the interactive session to register it with HGS
Enter-PSSession -Session $session
Add-HgsAttestationCiPolicy -Name 'New CI Policy via JEA' -Path 'User:\cipolicy.p7b'

# Confirm it was added successfully
Get-HgsAttestationPolicy -PolicyType CiPolicy

# Finally, remove the PSSession since it is no longer needed
Exit-PSSession
Remove-PSSession -Session $session
```

You can view these events by opening Event Viewer and navigating to Microsoft-Windows-HostGuardianService-Attestation and Microsoft-Windows-HostGuardianService-KeyProtection.
In a large environment, it is often preferable to forward events to a central Windows Event Collector to make analysis of the events easier.
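The following script is an added example, not code from the original page or from Microsoft: it pulls the recent errors and warnings from both HGS event channels on one node and summarizes them by event ID, which is the first thing to look at when a host fails attestation or key release stops. The channel names are assumed from the Event Viewer path given above (the `/Admin` suffix is an assumption); confirm them on your server with `Get-WinEvent -ListLog *HostGuardianService*`.

```powershell
# Added example: triage recent HGS attestation and key-protection events on one HGS node.
# Channel names are assumed; verify with: Get-WinEvent -ListLog *HostGuardianService*
function Get-HgsRecentProblems {
    param(
        [int]$Hours = 24,
        [string]$ComputerName = $env:COMPUTERNAME
    )
    $channels = @(
        'Microsoft-Windows-HostGuardianService-Attestation/Admin',
        'Microsoft-Windows-HostGuardianService-KeyProtection/Admin'
    )
    $since = (Get-Date).AddHours(-$Hours)
    foreach ($log in $channels) {
        try {
            # Level 2 = Error, 3 = Warning; StartTime limits the query to the window we care about
            Get-WinEvent -ComputerName $ComputerName -ErrorAction Stop -FilterHashtable @{
                LogName   = $log
                Level     = 2, 3
                StartTime = $since
            }
        } catch {
            # Get-WinEvent throws when the filter matches nothing; that is a healthy result here.
            if ($_.Exception.Message -notmatch 'No events were found') {
                Write-Warning "$log on ${ComputerName}: $($_.Exception.Message)"
            }
        }
    }
}

# Summarize: how often each event fired, when it was last seen, and the first line of its message.
Get-HgsRecentProblems -Hours 24 |
    Group-Object -Property LogName, Id |
    Sort-Object -Property Count -Descending |
    Select-Object Count,
        @{ Name = 'Log';      Expression = { $_.Group[0].LogName } },
        @{ Name = 'EventId';  Expression = { $_.Group[0].Id } },
        @{ Name = 'Level';    Expression = { $_.Group[0].LevelDisplayName } },
        @{ Name = 'LastSeen'; Expression = { ($_.Group | Measure-Object -Property TimeCreated -Maximum).Maximum } },
        @{ Name = 'Sample';   Expression = { ($_.Group[0].Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize
```

Run it against each HGS node (pass `-ComputerName`) or, once you forward events to a Windows Event Collector, run the same query once against the collector's `ForwardedEvents` log instead of the two source channels.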
An attacker or malicious admin with access to HGS can use that power to authorize compromised hosts to run shielded VMs, cause a denial of service by removing key material, and more.
To reduce this risk, limit the overlap between the admins of your HGS environment (including the domain to which HGS is joined) and the admins of your Hyper-V environment.
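One way to check that recommendation, as an added example that is not part of the original page or of Microsoft's tooling: enumerate the high-privilege groups in the HGS forest and in the fabric forest and report any person who holds an account in both. Because the accounts live in different forests they are different objects, so the script matches on the person (mail address, falling back to display name) rather than on SID. The domain controller names and group names below are placeholders; the `ActiveDirectory` module (RSAT) must be available, and the account running it needs read access to both forests.

```powershell
# Added example: find people who hold privileged accounts in both the HGS forest and the
# Hyper-V fabric forest. Server and group names are placeholders for your environment.
Import-Module ActiveDirectory

function Get-PrivilegedMembers {
    param([string]$Server, [string[]]$Groups)
    foreach ($g in $Groups) {
        # -Recursive expands nested groups so indirect members are not missed
        Get-ADGroupMember -Server $Server -Identity $g -Recursive |
            Where-Object { $_.objectClass -eq 'user' } |
            ForEach-Object {
                $u = Get-ADUser -Server $Server -Identity $_.distinguishedName -Properties DisplayName, mail
                [pscustomobject]@{
                    Forest  = $Server
                    Group   = $g
                    Account = $u.SamAccountName
                    Display = $u.DisplayName
                    Mail    = $u.mail
                }
            }
    }
}

function Get-PersonKey {
    param($Member)
    # Mail is the more reliable cross-forest identifier; display name is the fallback.
    if ($Member.Mail)    { return $Member.Mail.ToLowerInvariant() }
    if ($Member.Display) { return $Member.Display.ToLowerInvariant() }
    return $null
}

function Find-AdminOverlap {
    param($HgsMembers, $FabricMembers)
    $fabricByPerson = @{}
    foreach ($m in $FabricMembers) {
        $key = Get-PersonKey $m
        if ($key) { $fabricByPerson[$key] = $m }
    }
    foreach ($m in $HgsMembers) {
        $key = Get-PersonKey $m
        if ($key -and $fabricByPerson.ContainsKey($key)) {
            [pscustomobject]@{
                Person        = $key
                HgsGroup      = $m.Group
                HgsAccount    = $m.Account
                FabricGroup   = $fabricByPerson[$key].Group
                FabricAccount = $fabricByPerson[$key].Account
            }
        }
    }
}

# Placeholders: a DC in the HGS forest, a DC in the fabric forest, and the groups that matter in each.
$hgs    = Get-PrivilegedMembers -Server 'dc01.hgs.example.internal'    -Groups 'Domain Admins', 'Enterprise Admins'
$fabric = Get-PrivilegedMembers -Server 'dc01.fabric.example.internal' -Groups 'Domain Admins', 'Enterprise Admins'

$overlap = Find-AdminOverlap -HgsMembers $hgs -FabricMembers $fabric
if ($overlap) {
    Write-Warning "$(@($overlap).Count) person(s) are privileged in both forests:"
    $overlap | Format-Table -AutoSize
} else {
    Write-Output 'No overlap between HGS and fabric privileged groups.'
}
```

Extend the fabric side with whatever groups actually grant control of your Hyper-V hosts (for example a group that is nested into the hosts' local Administrators), and treat a display-name-only match as a lead to verify by hand rather than as proof.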