Understanding Hyper-V's architecture

Before you can address the security of your Hyper-V host, it's important to have a basic comprehension of Hyper-V architecture. Without this, it's difficult to understand how various security measures will affect the components of your deployment.

The most important thing to understand is that, for the most part, the hypervisor is independent of the management operating system. Hyper-V is a type 1 hypervisor, which means that it is not an application or an operating system component. The hypervisor has direct control over the hardware it is installed on. It manages a number of partitions, which contain the virtual machines. One of these partitions, known as parent partition, is where the management operating system runs. The parent partition is the only partition that is allowed to communicate directly with the hypervisor. In Hyper-V, the parent partition provides the hardware drivers used by the hypervisor. To some extent, the parent partition does have direct access to the hardware, but Hyper-V is ultimately in charge of I/O. The distance between the management operating system and the hardware is most clearly seen on very large systems; even though Hyper-V can completely utilize physical hosts that have 320 logical processors and 4 TB of RAM, the management operating system will report no more than 64 logical processors and 1 TB of RAM—the same as any other virtual machine.

The following figure depicts a visualization of the relationships of the various components of a Hyper-V system:

This chapter is dedicated to securing the management operating system. The important thing to understand from the preceding figure is that the actions you take at the host level will have the most impact on the management operating system's environment. Very little will be or can be changed that affects Hyper-V. The guests are isolated, so they will be almost completely unaffected.