Towards a work setup on a hardened host and doing everything in VMs
Posted by jpluimers on 2023/04/21
SwiftOnSecurity posted this interesting tweet in 2021: [Archive] SwiftOnSecurity on Twitter: “Lenovo P1 Gen3 with 12core Xeon, 64GB RAM, two 1TB M.2 SSDs. Running Windows Server 2022 with the Hyper-V role. All hardening applied to host OS, almost nothing happens here except managing guest VMs. On the second SSD I then have Win10 VMs joined to the corporate domain.” / Twitter.
I wonder if a similar setup can be done using an Apple M1 based machine as host and running all work in virtual machines.
Swift had some issues getting cameras and microphones to work: [Archive] SwiftOnSecurity on Twitter: “The problem here is Teams. If I want to pass through my webcam and microphone that could get a bit dicey, despite HyperV Enhanced Session being essentially an RDP session. For now I’m using my phone for Teams microphone. Also I’m not sure how well thermal management will work….” / Twitter
This resulted in some answers and interesting links:
- [Archive] Mitchell J. Skurnik on Twitter: “@SwiftOnSecurity Lookup RemoteFX webcam or something like that. I’ve done it before with other USB devices.” / Twitter
- [Archive] JD116 on Twitter: “@SwiftOnSecurity It’s doable, but the last time I tried it I found that you have to restart Teams after connecting with RDP for it to recognize a webcam connected via RDP. Just make sure you have the camera selected in the local resources tab & set remote audio to record for your local PC.” / Twitter
- [Archive] Leo on Twitter: “@SwiftOnSecurity I did something very similar for years. Hyper-V device passthrough was absolutely the worst sticking point, with Hyper-V networking management close behind (stop making new adapters!)” / Twitter (I remember that, back when I wrote about P2V of an existing XP machine to Hyper-V as an emergency fallback when retiring old physical XP machines, the wireless and wired networks of the host could not be on the same client network, whereas this is a no-brainer to get working on VMware; not much has changed on the Hyper-V side since then)
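As an added example (mine, not from the thread, SwiftOnSecurity or any of the people quoted), this is what the camera-and-microphone-over-RDP advice above looks like when scripted on the Windows host: Enhanced Session mode switched on for the Hyper-V host and VM, and an `.rdp` file for a plain `mstsc` connection into the guest that redirects only the webcam and the microphone (the "local resources" tab settings JD116 mentions) while keeping drives, clipboard, printers and other USB devices off. The VM name, guest address and file path are placeholders I made up; the RDP property names are the documented ones the client understands.

```powershell
# Added example, not code from the thread. Run on the hardened Hyper-V host
# as an administrator. 'Work-Win10', 10.0.0.5 and the .rdp path are assumed.
#Requires -RunAsAdministrator
#Requires -Modules Hyper-V

function Enable-EnhancedSessionForVM {
    param([Parameter(Mandatory)] [string] $VMName)   # e.g. 'Work-Win10' (assumed)
    # Host-wide switch; without it vmconnect only offers the basic console.
    Set-VMHost -EnableEnhancedSessionMode $true
    # HvSocket transport needs no network path between guest and host
    # (Windows 10 1803 / Server 2019 or newer).
    Set-VM -Name $VMName -EnhancedSessionTransportType HvSocket
    Get-VM -Name $VMName | Select-Object Name, EnhancedSessionTransportType
}

function New-WorkVmRdpFile {
    param(
        [Parameter(Mandatory)] [string] $GuestAddress,  # e.g. '10.0.0.5' (assumed)
        [Parameter(Mandatory)] [string] $Path           # e.g. "$env:USERPROFILE\work-vm.rdp"
    )
    $settings = @(
        "full address:s:$GuestAddress"
        'authentication level:i:1'      # do not connect if server authentication fails
        'enablecredsspsupport:i:1'      # NLA: authenticate before the session exists
        'prompt for credentials:i:1'
        'audiomode:i:0'                 # play remote audio on this computer
        'audiocapturemode:i:1'          # "remote audio: record from this computer"
        'camerastoredirect:s:*'         # redirect all local cameras (1809+ client)
        'redirectclipboard:i:0'         # everything from here down is off on purpose:
        'redirectdrives:i:0'            # the guest gets the camera and mic, nothing else
        'redirectprinters:i:0'
        'redirectsmartcards:i:0'
        'devicestoredirect:s:'
        'drivestoredirect:s:'
        'usbdevicestoredirect:s:'
    )
    Set-Content -Path $Path -Value $settings -Encoding Unicode
    Get-Item -Path $Path
}

function Test-WorkVmRdpFile {
    # Parse an .rdp file back and report which local resources it exposes,
    # so a reviewer can see at a glance that only camera and mic are shared.
    param([Parameter(Mandatory)] [string] $Path)
    $kv = @{}
    Get-Content -Path $Path | ForEach-Object {
        $parts = $_ -split ':', 3          # key:type:value; the value may contain ':'
        if ($parts.Count -eq 3) { $kv[$parts[0]] = $parts[2] }
    }
    [pscustomobject]@{
        CameraRedirected = ($kv['camerastoredirect'] -eq '*')
        MicRedirected    = ($kv['audiocapturemode'] -eq '1')
        DrivesRedirected = ($kv['redirectdrives'] -eq '1') -or ([string]$kv['drivestoredirect'] -ne '')
        ClipboardShared  = ($kv['redirectclipboard'] -eq '1')
        NlaRequired      = ($kv['enablecredsspsupport'] -eq '1') -and ($kv['authentication level'] -eq '1')
    }
}

# Usage (assumed names and addresses):
# Enable-EnhancedSessionForVM -VMName 'Work-Win10'
# New-WorkVmRdpFile -GuestAddress '10.0.0.5' -Path "$env:USERPROFILE\work-vm.rdp"
# Test-WorkVmRdpFile -Path "$env:USERPROFILE\work-vm.rdp"
# mstsc "$env:USERPROFILE\work-vm.rdp"   # then restart Teams in the guest, as JD116 notes
```

The `.rdp` file is for a direct `mstsc` connection into the guest, which is the scenario JD116 describes; whether the vmconnect Enhanced Session dialog offers the same camera redirection is not something the thread settles. Keeping drive, clipboard and generic USB redirection off is the point of the setup: the guest is the less trusted side, and each redirected resource is a channel back into the hardened host.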
Some more interesting tweets in that thread:
- [Archive] 🐀 on Twitter: “@SwiftOnSecurity Are you using the Opal or other HW encryption features that the SSD offers for data ‘at rest’ (ie SSD is powered off)?” / Twitter
- [Archive] SwiftOnSecurity on Twitter: “The host laptop will then be joined to a completely separate “Red Forest” in AzureAD so it can be a fully-secured management point for Out-Of-Band communications in event of a total corporate compromise. It will be the bootstrap of the entire IT recovery.” / Twitter
- [Archive] Jimmy on Twitter: “@SwiftOnSecurity How do you deal with the red forest management ? Host OS is the PAW?” / Twitter ([Wayback/Archive] Privileged Access Management in Windows Server)
- [Archive] SwiftOnSecurity on Twitter: “@michkisan Yeah.” / Twitter
- [Archive] Jimmy on Twitter: “@SwiftOnSecurity Making that part work for more than couple of individuals .. at enterprise level, proved to be impossible for us” / Twitter
- [Archive] SwiftOnSecurity on Twitter: “@michkisan Yes. This will be one of a few just for the specialized domain” / Twitter
- [Archive] Nyarlohotep rises on Twitter: “@SwiftOnSecurity I have a P1G3, and the thermals are atrocious. Ended up disabling boost via the power management settings to limit the CPU to 99%. Laptop sits tented on my desk with two external displays. If it wasn’t a work-issued machine, I’d take it apart and repaste the CPU cooler” / Twitter
- [Archive] Vincent Milum Jr on Twitter: “@SwiftOnSecurity Dunno bout Hyper-V, but VMWare Workstation will most likely allow those devices to be passed into the guest OS.” / Twitter
- [Archive] SwiftOnSecurity on Twitter: “Every empire needs its capital city. ” / Twitter
- [Archive] Mirko Schnellbach 🇪🇺 on Twitter: “@SwiftOnSecurity Win11 has Hyper-V and probably better power management / driver support for laptop class HW. Why install Server?” / Twitter
- [Archive] SwiftOnSecurity on Twitter: “@MadMirko Less junk overhead I’d need to rip out or disable. I could do a comparison still we’ll see” / Twitter
–jeroen