Virtualization Security Resources
Getting started with virtualization security can be a little daunting. I’m not going to go into a great level of detail, but I do want to point out some sources of information to get you started down the path to securing your virtual datacenters (you did plan the security of the infrastructure before you virtualized, right?). This entire blog entry will be a list of places to find guidance in terms of virtualization security and compliance. It is by no means exhaustive; I’ll leave the rest of the resources out there as an exercise for the reader.
Vendors
The first place to look for security guidance is always the vendors:
Microsoft Hyper-V
Microsoft released Hyper-V as a free hypervisor that runs on top of Windows with Windows Server 2008. Here are a couple of resources you can use:
https://technet.microsoft.com/en-us/library/dd569113.aspx – Hyper-V Security Guide
https://www.microsoft.com/en-us/download/details.aspx?id=16650 – Hyper-V Security Guide download
VMware
VMware is the best-known, longest-running hypervisor out there. Their products have gone through a lot of changes over the years, so it’s pretty important to track closely which version of VMware/vSphere you’re using. Listed below are the hardening guides for each version:
VMware 3 (Seriously? You should update!):
https://www.vmware.com/pdf/vi3_security_hardening_wp.pdf
vSphere 4.0:
https://www.vmware.com/files/pdf/techpaper/VMware_vSphere_HardeningGuide_May10_EN.pdf
vSphere 4.1:
https://www.vmware.com/files/pdf/techpaper/VMW-TWP-vSPHR-SECRTY-HRDNG-USLET-101-WEB-1.pdf
vSphere 5 (brand new):
Xen
Xen is a very popular open source hypervisor. I couldn’t find any specific hardening documents for Xen, but I believe the standard Linux hardening guides will go a long way. Here is a portal for their documentation: https://xen.org/support/documentation.html
Third Parties
Vendors are great and all, but I think objective third parties provide the most insight into the problem, as they’re not trying to sell you on how great their software is or ram virtual security appliances down your throat.
Defense Information Systems Agency (DISA) STIG:
Cloud Security Alliance:
https://cloudsecurityalliance.org/csaguide.pdf
SANS:
https://www.sans.org/reading_room/analysts_program/vmware-guide-may-2010.pdf
CIS Security Benchmarks:
Regulatory
Aren’t regulations fun? While not exactly a security data point, regulation guidance is useful at times.
PCI Security Standards Council:
https://www.pcisecuritystandards.org/documents/Virtualization_InfoSupp_v2.pdf