Hyper-V Router Guard and DHCP Guard Explained

This two-part article explains two security features of Hyper-V networking in Windows Server 2012 (WS2012) and later: DHCP Guard and Router Guard. Both are settings on a virtual NIC that let the Hyper-V administrator stop a virtual machine from offering unwanted network services (acting as a DHCP server, or advertising itself as a router) no matter what the administrator inside the guest OS configures. The second part of this article will outline how to deploy these two features.

The Need for Network Security Services

My first job as a solo contractor was as an administrator in a security software research and development company. One morning a number of developers complained that they could not access the servers. I stayed calm and began performing the usual command line diagnostics on one of their PCs. That’s when I noticed that they had a DHCP-assigned IP address that was not valid on the company network. It wasn’t an address from our DHCP server however. Someone had set up a rogue DHCP server. With the help of a network administrator, we eventually tracked down the floor port that the rogue DHCP server was plugged into. A researcher had fired up a DHCP server on one of their lab machines on the company network.

DHCP clients are pretty dumb. They broadcast a request and accept an IP address from the first server that responds. The researcher incorrectly assumed that his lab DHCP server couldn’t affect the company network because it offered addresses for a different subnet; in fact the clients happily took those addresses and then could reach nothing. He made an honest and uninformed mistake. Unfortunately, everyone in his VLAN (he should not have run lab machines on an office VLAN) was a potential victim of his accidental denial of service.

Anyone with administrator rights on a machine can offer network services. Some of these services are discovered by clients via broadcast, so a client has no way to tell a legitimate server from a rogue one, and issues can easily arise. Perhaps there is an accident, as in the story about the researcher, or perhaps a disgruntled employee with local admin rights in a virtual machine decides to cause some damage. Virtualization has led to “VM sprawl” (which we can control with cloud-based cross-charging or quotas), and that means a lot more employees or customers have local admin rights in virtual machines. The risk of these issues has increased, so we need a way to control them.

DHCP Guard in Windows Server 2012 (and later)

The first of the two new security features added to Hyper-V in Windows Server 2012 (WS2012) is DHCP Guard. Here is a quick primer on how DHCP works.

A client starts up and realizes that it is configured to use a dynamic IP address instead of a statically assigned one. The client broadcasts a DHCP discover. Any DHCP server that can receive this broadcast (directly on the VLAN, or via a DHCP relay/IP helper on the router) can respond with an offer. This is where a rogue DHCP server can interfere with the legitimate process: the client will (hopefully) receive offers, but it sends a DHCP request to whichever server’s offer arrives first, and that server then acknowledges the lease. A rogue server sitting on the same VLAN as the client is often quicker to answer than a production server reached through a relay.

How DHCP works (Source: Microsoft)

Hyper-V administrators typically know which machines are the legitimate DHCP servers on their network; no other machine should be one. Hyper-V includes a feature called DHCP Guard for exactly this purpose. When it is enabled in the advanced settings of a virtual NIC, DHCP Guard drops the DHCP server messages (such as offers and acknowledgements) that the virtual machine sends through that NIC. The guest OS admin can install and configure a DHCP server all they like, but no client on the network will ever hear its offers. Note that the setting is per virtual NIC rather than per VM, and that it does not stop the VM from being a DHCP client itself.

Router Guard in Windows Server 2012 (and later)

If you’ve sat through Microsoft certification or training, you know that a Windows operating system can be configured as a router. What you may not know is that a router can advertise itself to the hosts on a network (using ICMP router advertisements and redirects) much like a DHCP server offers leases. That means that the administrator of a computer, including the guest OS administrator of a virtual machine, can set up a rogue router on a network (physical or virtual) and start re-routing packets to a rogue location or a black hole.

Router Guard was also added to WS2012 Hyper-V to prevent any accidental or rogue guest OS routers from advertising their services on the network. Just like with DHCP Guard, the guest OS admin can do what they want within the confines of their virtual machine, but when Router Guard is enabled on a virtual NIC, the VM cannot interfere with normal routing on that network. Hyper-V does this by dropping the following packets sent by the virtual machine:

  • ICMPv4 Type 5 (Redirect message)
  • ICMPv4 Type 9 (Router Advertisement)
  • ICMPv6 Type 134 (Router Advertisement)
  • ICMPv6 Type 137 (Redirect message)

In other words, Router Guard stops the VM from persuading its neighbours to send traffic through it. It does not stop the guest from forwarding packets that are deliberately routed to it, so a static route on another host that points at the VM will still work.

Alternative Scenario

Microsoft’s Ben Armstrong has posted a scenario that had not occurred to me previously. You might have a virtual machine that legitimately runs DHCP or routing services on your network. That virtual machine might have multiple virtual NICs connected to different virtual switches, which in turn might connect to different physical networks. Because DHCP Guard and Router Guard are per-NIC settings, you can enable them on one or more of those NICs to control which networks the virtual machine is allowed to offer services on. This might be a long-term restriction, or a temporary one while you troubleshoot an issue.
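As an added example (my own, not code from the article or from Microsoft), the PowerShell below models the two situations described in the DHCP Guard and Router Guard sections and in Ben Armstrong’s scenario: every virtual NIC on a Hyper-V host should have both guards on, except the specific adapters of the VMs you know to be legitimate DHCP servers or routers, and only on the virtual switches where they are allowed to serve. It uses the standard Hyper-V module cmdlets (Get-VM, Get-VMNetworkAdapter, and Set-VMNetworkAdapter with its -DhcpGuard and -RouterGuard parameters); the VM names (DHCP01, DHCP02, RRAS01) and switch names (Corp, DMZ) are placeholders for your own environment, and it assumes an elevated session on the host.

```powershell
#Requires -Modules Hyper-V
# Added example (not from the article): audit every virtual NIC on this
# Hyper-V host for DHCP Guard and Router Guard, then optionally enforce.
# Assumed: elevated session on the host; VM/switch names are placeholders.

function Get-GuardDrift {
    param(
        # VM name -> virtual switches on which that VM may act as a DHCP server.
        # Any adapter/switch pair not listed here gets DHCP Guard turned on.
        [hashtable]$AuthorizedDhcp   = @{ 'DHCP01' = @('Corp'); 'DHCP02' = @('Corp') },
        # VM name -> virtual switches on which that VM may advertise itself as a router.
        [hashtable]$AuthorizedRouter = @{ 'RRAS01' = @('Corp', 'DMZ') }
    )

    # Both guards are properties of the virtual NIC, not of the VM, so the
    # audit works one adapter at a time. A multi-homed DHCP01 with an adapter
    # on 'DMZ' is therefore guarded on DMZ and left open on Corp.
    Get-VM | Get-VMNetworkAdapter | ForEach-Object {
        $nic = $_
        # Indexing a hashtable with an unknown key yields $null, and
        # ($null -contains 'x') is $false, so unlisted VMs are always guarded.
        $dhcpAllowed   = $AuthorizedDhcp[$nic.VMName]   -contains $nic.SwitchName
        $routerAllowed = $AuthorizedRouter[$nic.VMName] -contains $nic.SwitchName
        $wantDhcp      = if ($dhcpAllowed)   { 'Off' } else { 'On' }
        $wantRouter    = if ($routerAllowed) { 'Off' } else { 'On' }

        [pscustomobject]@{
            VMName          = $nic.VMName
            Adapter         = $nic.Name
            Switch          = $nic.SwitchName
            DhcpGuard       = $nic.DhcpGuard.ToString()     # OnOffState enum -> 'On'/'Off'
            RouterGuard     = $nic.RouterGuard.ToString()
            WantDhcpGuard   = $wantDhcp
            WantRouterGuard = $wantRouter
            Compliant       = ($nic.DhcpGuard.ToString()   -eq $wantDhcp) -and
                              ($nic.RouterGuard.ToString() -eq $wantRouter)
            AdapterObject   = $nic   # live object, so it can be piped to Set-VMNetworkAdapter
        }
    }
}

function Set-GuardCompliance {
    # Apply the wanted state to each non-compliant NIC emitted by Get-GuardDrift.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory, ValueFromPipeline)] $Drift)
    process {
        if ($Drift.Compliant) { return }
        $target = '{0} / {1} on switch {2}' -f $Drift.VMName, $Drift.Adapter, $Drift.Switch
        if ($PSCmdlet.ShouldProcess($target, "DhcpGuard=$($Drift.WantDhcpGuard) RouterGuard=$($Drift.WantRouterGuard)")) {
            # Piping the adapter object targets exactly this NIC, even when a VM
            # has several adapters with the same name.
            $Drift.AdapterObject |
                Set-VMNetworkAdapter -DhcpGuard $Drift.WantDhcpGuard -RouterGuard $Drift.WantRouterGuard
            Write-Verbose "$target -> DhcpGuard $($Drift.WantDhcpGuard), RouterGuard $($Drift.WantRouterGuard)"
        }
    }
}

# Report only: which adapters could currently offer DHCP or routing where they should not?
Get-GuardDrift | Where-Object { -not $_.Compliant } |
    Format-Table VMName, Adapter, Switch, DhcpGuard, RouterGuard, WantDhcpGuard, WantRouterGuard

# Enforce (remove -WhatIf once the report looks right):
# Get-GuardDrift | Set-GuardCompliance -Verbose -WhatIf
```

The authorization tables are keyed by VM name and virtual switch rather than by VM alone, which is what makes the alternative scenario fall out naturally: a DHCP server with one adapter on Corp and another on DMZ is listed only for Corp, so the audit wants DHCP Guard off on the Corp adapter and on for the DMZ one. Run the report first; Set-GuardCompliance supports -WhatIf so you can see every change before any adapter is touched.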

The next part of this article will cover the deployment of DHCP Guard and Router Guard.

Aidan Finn, Microsoft Most Valuable Professional (MVP), has been working in IT since 1996. He has worked as a consultant and administrator for the likes of Innofactor Norway, Amdahl DMR, Fujitsu, Barclays and Hypo Real Estate Bank International where he dealt with large and complex IT infrastructures and MicroWarehouse Ltd. where he worked with Microsoft partners in the small/medium business space.