5 hours 8 minutes
we generally for security as a whole in hyper V. What you want to be doing is wherever possible, you want to be using a generation to machine.
Now what do I mean by generation to sew generation to machines are designed to basically use
the instead of using a BIOS interface, they use you, Effy, which you may have. We I think we covered a little bit in the previous version, where biopsy is your basic input output system. It's kind of if you bought a machine maybe 10 years ago, you might have seen or even a little bit before they're naturally. You may have seen the BIOS environment where
it comes up with the post. The power on self test
on that, Basically, make sure that all hardware is working correctly, that the motherboard can see everything that's plugged into it. That kind of stuff.
There's no mouse pointer in that environment. If you wanted to make a change in the bios you hit, usually like F two or delete or a key similar to that on, that allowed you to kind of go into the bios on dhe make changes if you wanted to reconfigure like the clock speed of your processor change sentence on your motherboard. And what
boot order You wanted your discs to go in if you wanted a password on Boo.
And so and then along came
our Lord and savior you, Effy, the unified extensible firmware interface. This allowed us tohave amount pointer graphical interface is much easier to use. You could have live data in grafs on the screen. Andi is just so much easier. You can update it by connecting to
on I pay. You can pick up an I p address within without even loading an operating system
on do updates and all kinds of really cool, great stuff like that. But generally in a virtual environment, you want a generation to machine. Generation one is more kind of buyouts based on it's more to do with emulation generation to ISMM or with the USC firmware kind of thing
on dhe. It allows the machine to interact a lot better with the physical hardware
one is emulated on one is actually talking directly with the hardware itself. There's no kind of middleman in between Generation to is also a lot quicker as well
in general s O as I mentioned here always use it unless generation to doesn't support the operating system, You want to run on the virtual machine or do I mean by this?
So in general generation to you're gonna be looking at 64 bit operating systems. So if you have an old Windows X P that's not gonna work on a Gentoo, you'd have to run a generation one machine S O. That's the only reason kind of that you would generally looked to run it. But
usually if the operating system isn't supported on a Gentoo,
which is becoming less and less these days, might get Maura Maura printing systems up and running. And we do cover those through this course as well.
It's huge. The list is massive. Now they cover everything from limits to FreeBSD and everything in between. They go really far with it now on. Also, you wouldn't use generation to if it doesn't support the boot method you want to use as well. So we've discussed different methods of booting one big one, and this is quite massive in enterprise environment
generation to does not support pixie, which is the pre boot execute environment. So if you're looking to build machines dynamically on a network with maybe a image deployment system like windows deployment or anything like that.
You can't use generation to virtual machines. They will not work
s So that's just something to bear in mind. It is something that is on the list for Microsoft to build into gen to, but for the moment, until they can get something make. Maybe it could be that they either replace Pixie and they come up with a better version, maybe something that uses you Effy instead. Or
they actually build pixie into gen to machines
either way. But we're waiting on Microsoft to do that one
s. So we're gonna talk a little bit about the settings to do with Jen to machines, Jen. One have less of these settings, but they're all covered in here. So I'm focusing on the Gentoo stuff just for the sake of keeping this very succinct. Andi kind of focusing you guys on the more modern technology side of things.
So secure boot is basically a security standard
developed by various companies and members of the PC industry. That helps make sure that a device boots only software that is trusted by what's called the O. E. M. You may have heard of these before. If you ever bought machine with Windows preinstalled,
it's installed by the E M. And that means the original equipment manufacturer. If you've seen, like Dell or HP, any of those, they pre build it, and they put all their software on which hand on heart. I generally tend to remove the second I find that form or more apt in to give an example in my enterprise environments I support.
I just basically want the machine and rebuild it to what I wanted to be.
But it kind of just gives it that that kind of that's what an O. E. M. Is. It's the original equipment manufacturer. Now what the secure boot do you know when the PC starts, the firmware off, secure boot checks the signature like a digital key signature
off each piece of boot software,
including the UFC Unified Extensible firmware interface. Andi checks all the drivers thes air, also known as you may find them in the industry as option runs, Rome stands for read only memories, so they will. It will check the driver's, make sure they're signed
on their no doing anything they shouldn't do. It also checks e f I applications
if I'm being the extensible firmware interface applications. If you've got gaming machines or you've seen them, then you may have found that there are programs to be able to over clock different south your mother boards for clocking. Or you can actually run programs within the UFC environment as well on, but also critically
checks the operating system.
It checks the signature of the operating system and says, Are you the same operating system that you were when it was installed? So if there's maybe a boot time virus or something like that, it will go in. And if the signature doesn't match, secure boot will just go. I don't recognize you, your names on the list. You're not coming in, and it just doesn't give access to the machine.
Once it finds that the signature is valid and you know 99% of the time more than that it will be. Then it will then give control to the operating system. But that's secure. Boot is kind of like having a bouncer on the door off the hardware going
is your name on the list. If your name's not on the list, you're not coming in. That's the end of the story.
That's kind of the design behind it.
Secure boot has a couple of options built into it
s o the 1st 1 Is Microsoft Windows fairly obvious? You would select this one when you want to secure the virtual machine for a Windows operating system. And we will show you these in an environment very shortly as well.
Onda. Good morning, Eric. Subjective, of course, for me is just on eight o'clock in the evening. But good morning for some good afternoon for others. Love the international community. Okay, the second option that would pop up if you're looking at it, is a Microsoft you e f I certificate authority.
Now you would select this one when you want to secure the boot
off the virtual machine for a Linux distribution operating system. Any limits distribution? Operating system.
So, basically, if it's not Windows and its lyrics, you pop it over to this one, and it basically has a certificate that's built in going. It's not going to be windows, so don't panic when you check the operating system on dhe windows doesn't respond. If you don't get the right one, it will totally freak out
because it is expecting a window's environment and you give it something else
secure. But it's not gonna be happy that bounce is not gonna be happy. It's all on the front door.
Uh, and then you have the open source shielded Viet. Now this template is leveraged to secure boot for Lennox based Shielded VM. Now we do cover shielded V EMS as we work through this as well. So keep this in mind. We will come back to this.
But shielded viens are very important that highly secure.
And it allows the machine the virtual machines to be even more secure than they already with secure boot and the whole virtual environment that we've discussed thus far.
let's carry on a little bit. So let's wipe the screen here on now. We're gonna go into another security option, the trusted platform module. Now you probably heard maybe some of you will have heard this before. The T P M. This is a chip that's on the motherboard that provides encryption for a variety of reasons and situations.
It creates random number generation, as we've seen as I brought up on the screen here,
it also does secure generation of cryptographic keys. I'm gonna explain a little bit as to what it does with these things in just a second. It also does remote anti station now remote access station is a hardware slash software proof summary. So what it does is it says that
this piece of hardware matches with this piece of software
on dhe. They should be interacting in this way. It's usually set up. It sets itself up with the keys, and it uses random number generation and secure generation of thes cryptographic keys kind of the same way that you would encrypted file or you see end to end encryption fuse programs like WHATS app on your mobile phone. That's a pretty good example.
if the numbers don't match on both keys one for the software, one for the hardware, this thing kicks in and goes, Wait a minute. Something dodgy is going on here. It's either a virus or someone attacked you or whatever is going on on. That's what it does on basically checks. To make sure that what you've set up on the machine
is still what you set up on. The machine's not changed without you knowing about it,
Theo. Only way that it would make a change is if you've actually loaded the operating system, then you make the change and the TPM generates a new remote access station. That's what it does
binding as well. This is used to encrypt data using that TPM key, either by random number, generation or generation through remote access station or anything like that. So it allows you to actually encrypt data. And it says you can only use this data on this T p M.
And if you don't have that t p M,
you can't. It's kind of like having those old if you remember, they given example those old authentication dangles that you used to plug into machines in the office. You go. I need my user name. I need my password and I need this Don Well, it's kind of like a multi factor authentication. That's effectively what T P M is.
It's that dongle, but it's built on to the motherboard. It's not something you carry around with you,
so if it's not running on this T. P M. It's just not gonna run because the T. P M holds that encryption.
Then we have shielding so
shielding machines. This is basically where allows shielded V EMS. They protect virtual machines from compromised or like malicious administrators in the fabric on. You're here a lot. If you go into this environment, you hear the words. The fabric, it's just means
the actual environment itself.
People like, for example, people who look after your storage, the storage at Mons, people who deal with your backups, those kinds of things.
Administration nowadays doesn't just mean you have one systems admin, and he does back up along your network storage all your highly off updates for your window. You can't have a team, and you have, right you do back up. You do stories you do windows updates and everything else in between firewall access, whatever it might be,
it means that these machines can actually be protected. What it does is really simple, but really, really effective.
It encrypts the disk on the state off the virtual machine,
so they're only the VM itself or the tenant admin. The people who look after that VM can access it
So if anyone else wants to run a backup of that VM, they can run the backup. But if they try and access the actual shielded VM, it will stop them on. Basically, go. I'm sorry, you're no authenticated to deal with this side of it. You're not dealing with the actual VM itself. You're just doing the back up or you're just doing this storage
and you can access that module arised admin section.
It won't allow that vm that shielded VM to be compromised effectively quite handy if you've got Maybe if you're a large organization and you have possibly like a disgruntled employees deciding he's gonna I don't know, pop one of your servers before he goes off for his final time, that kind of thing.
It just stops that kind of thing and it module arises The administrative access effectively
eso yet disables management features like consul Connection power shell direct on some integration components. So the ability to copy files from your physical machine to your virtual machine just by copy and pasting onto the desktop. For example, power shell direct means that you can control a virtual machine from
the Power Shell script a passion environment on your own machine,
that kind of thing. It just doesn't allow it. And Consul Connection is the actual. It's almost as if you're satin. If the VM was a physical machine, you're sat in front of that Vienna. That's the console connection. Many service allow multiple people to log in at once. Those aren't consul console. It's like if I had a mouse and keyboard and I plugged in the monitor.
That's what I'm looking at. That's Mike, my console connection.
Eso it just It disables those kinds of sections.
encrypt state. So the quipped, encrypting the state of it. The basically From here,
it takes the safe state of the virtual machine, which the safe state is. If you pause, the VM
decide to make a checkpoint or anything where there's a copy off that virtual machine that you can refer back to
it actually encrypt it, using the security, saying that allows you to basically say, Don't touch this Encrypt it don't allow anyone to see unless I'm the tenant administrator, the tenant being the virtual machine itself,
So with this