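# --- Step 1 (any workstation): create the HGS signing and encryption certificates ---
# NOTE(security): self-signed certificates are acceptable for a lab only. In
# production the HGS signing/encryption keys should come from a trusted CA (or
# an HSM-backed key) so guarded hosts do not need -AllowUntrustedRoot later.
# The two PFX files written here contain the private keys that anchor every
# shielded VM's trust: keep them off shared storage and delete them once they
# have been imported on the HGS server.
$certificatePassword = Read-Host -AsSecureString -Prompt 'Enter a password for the PFX file'

# Signing certificate: export to a password-protected PFX, then purge the key
# material from this machine's stores.
$signCert = New-SelfSignedCertificate -Subject 'CN=HGS Signing Certificate' -KeyUsage DataEncipherment, DigitalSignature
Export-PfxCertificate -FilePath '.\signCert.pfx' -Password $certificatePassword -Cert $signCert
Remove-Item $signCert.PSPath
# New-SelfSignedCertificate also drops a copy in the intermediate CA store; the
# path needs the '\' between the store name and the thumbprint (the original
# line was missing it and would have targeted a non-existent 'CA<thumbprint>' item).
Remove-Item -Path "Cert:\LocalMachine\CA\$($signCert.Thumbprint)"

# Encryption certificate: same procedure.
$encCert = New-SelfSignedCertificate -Subject 'CN=HGS Encryption Certificate' -KeyUsage DataEncipherment, DigitalSignature
Export-PfxCertificate -FilePath '.\encCert.pfx' -Password $certificatePassword -Cert $encCert
Remove-Item $encCert.PSPath
Remove-Item -Path "Cert:\LocalMachine\CA\$($encCert.Thumbprint)"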
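# --- Step 2 (HGS server): install the role and promote the machine to the first
# DC of a new, dedicated 'bastion' forest ---
# Each -Restart below reboots the box, so nothing after it runs in this session;
# continue with the next step once the machine is back.
Install-WindowsFeature -Name HostGuardianServiceRole -IncludeManagementTools -Restart

# Read-Host -AsSecureString already returns a SecureString. The original wrapped
# it again in ConvertTo-SecureString -AsPlainText, which stringifies the object
# and would have set the DSRM password to the literal text
# "System.Security.SecureString". Use the prompt result directly.
$adminPassword = Read-Host -AsSecureString -Prompt 'Enter a password for SafeModeAdministratorPassword'

$HgsDomainName = "bastion.local"
Install-HgsServer -HgsDomainName $HgsDomainName -SafeModeAdministratorPassword $adminPassword -Restart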
# --- Step 3 (HGS server, after the reboot): initialize HGS in host-key
# attestation mode using the two PFX files from step 1 ---
$signingCertPass    = Read-Host -AsSecureString -Prompt "Signing certificate password"
$encryptionCertPass = Read-Host -AsSecureString -Prompt "Encryption certificate password"

# -TrustHostkey selects host key attestation: HGS only checks that the host
# presents a registered key pair. Unlike TPM attestation it does not verify
# measured boot or a code-integrity policy, so prefer TPM mode where the
# hardware supports it.
$hgsInit = @{
    HgsServiceName                = 'MyHgsDNN'
    SigningCertificatePath        = '.\signCert.pfx'
    SigningCertificatePassword    = $signingCertPass
    EncryptionCertificatePath     = '.\encCert.pfx'
    EncryptionCertificatePassword = $encryptionCertPass
    TrustHostkey                  = $true
}
Initialize-HgsServer @hgsInit

# Print the resulting service configuration (attestation/key-protection URLs).
Get-HgsServer
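# --- Step 4 (guarded host): install Hyper-V and the Host Guardian client, then
# generate this host's attestation key ---
# -Restart reboots the host; run the remaining lines after it comes back.
Install-WindowsFeature Hyper-V, HostGuardian -IncludeManagementTools -Restart

# Creates the host key pair (private half stays on this host).
Set-HgsClientHostKey

# Export the public half for registration on the HGS server. The directory is
# C:\HGS, so the file path needs the '\' after it -- the original string
# "C:\HGS$env:computername-HostKey.cer" would have written the file to C:\.
New-Item -ItemType Directory -Path C:\ -Name HGS -Force
Get-HgsClientHostKey -Path "C:\HGS\$env:computername-HostKey.cer"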
# --- Step 5 (HGS server): register the guarded host's public key ---
# The .cer is copied here from the host; since it is what HGS will trust from
# now on, confirm out of band that it is the file the host actually exported.
$hostKey = @{
    Name = 'AHCI01'
    Path = '.\AHCI01-HostKey.cer'
}
Add-HgsAttestationHostKey @hostKey
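# --- Step 6 (guarded host): point the client at HGS and import the guardian ---
# NOTE(security): with plain http:// the attestation and key-protection traffic,
# and the guardian metadata fetched below, cross the network in clear text. For
# anything beyond a lab, enable HTTPS on the HGS server (Set-HgsServer -Https
# with a server certificate) and use https:// URLs here.
Set-HgsClientConfiguration -AttestationServerUrl 'http://myhgsdnn.bastion.local/Attestation' -KeyProtectionServerUrl 'http://myhgsdnn.bastion.local/KeyProtection'

# The guardian metadata carries the HGS public keys that become the root of
# trust for every shielded VM on this host. Because it is fetched over HTTP,
# verify it arrived unaltered (e.g. compare the embedded certificate thumbprints
# with those shown on the HGS server) before importing it.
Invoke-WebRequest 'http://myhgsdnn.bastion.local/KeyProtection/service/metadata/2014-07/metadata.xml' -OutFile C:\HGS\guardian.xml
# -AllowUntrustedRoot is required only because the HGS certificates are
# self-signed. (The original line used a non-ASCII dash for this switch, which
# PowerShell does not treat as a parameter marker.)
Import-HgsGuardian -Path C:\HGS\guardian.xml -Name HGS -AllowUntrustedRoot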
# --- Step 7 (guarded host): build a key protector and shield the VM ---
$VMName = "OPEPC"

# HGS guardian imported in the previous step, plus a locally generated owner
# guardian whose certificates allow this tenant to recover the VM.
$Guardian = Get-HgsGuardian -Name HGS
$Owner    = New-HgsGuardian -Name OPEPC -GenerateCertificates

# -AllowUntrustedRoot matches the self-signed HGS certificates in use here.
$KP = New-HgsKeyProtector -Owner $Owner -Guardian $Guardian -AllowUntrustedRoot

Set-VMKeyProtector   -VMName $VMName -KeyProtector $KP.RawData
Set-VMSecurityPolicy -VMName $VMName -Shielded $true
Enable-VMTPM         -VMName $VMName
# --- Step 8 (guarded host): enable VBS and Credential Guard via the registry ---
$dgKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
$lsaKey = 'HKLM:\System\CurrentControlSet\Control\LSA'

New-Item -Path $dgKey -Force

# EnableVirtualizationBasedSecurity = 1 turns VBS on.
# RequirePlatformSecurityFeatures = 3 requires Secure Boot together with DMA
# protection (1 would be Secure Boot only) -- confirm against the current
# Microsoft Device Guard documentation for your OS build.
$dgValues = [ordered]@{
    EnableVirtualizationBasedSecurity = 1
    RequirePlatformSecurityFeatures   = 3
}
foreach ($valueName in $dgValues.Keys) {
    New-ItemProperty -Path $dgKey -Name $valueName -Value $dgValues[$valueName] -PropertyType DWord -Force
}

# LsaCfgFlags = 2 enables Credential Guard WITHOUT the UEFI lock, so a local
# admin can still switch it off again remotely; once the host configuration
# is final, 1 (UEFI-locked) is the harder setting.
New-ItemProperty -Path $lsaKey -Name LsaCfgFlags -Value 2 -PropertyType DWord -Force