Skip to content

Latest commit

 

History

History

Folders and files

NameName
Last commit message
Last commit date

parent directory

..
 
 
 
 
 
 
 
 
 
 
 
 

README.md

Host Guardian Service (HGS) PowerShell Solution

Author: Adrian Johnson (adrian207@gmail.com)

A comprehensive, modular, and portable PowerShell solution for implementing, configuring, and troubleshooting Host Guardian Service (HGS) in Windows Server environments. This solution covers all 25 enterprise scenarios for HGS deployment, from basic shielded VM protection to advanced hybrid cloud attestation models.

🚀 Overview

Host Guardian Service (HGS) is Microsoft's solution for protecting virtual machines from rogue administrators and compromised hosts. This PowerShell solution provides complete automation for HGS deployment, configuration, security, monitoring, and troubleshooting across all enterprise scenarios.

Key Features

  • 25 Enterprise Scenarios - Complete coverage of all HGS use cases
  • Modular Design - Reusable PowerShell modules for different HGS functions
  • Security-First - Built-in security baselines and Zero Trust integration
  • Comprehensive Monitoring - Health checks, performance metrics, and alerting
  • Troubleshooting Tools - Diagnostic tools and automated repair functions
  • Production Ready - Tested and validated for enterprise deployment

📋 Table of Contents

  1. Quick Start
  2. Architecture
  3. Enterprise Scenarios
  4. Modules
  5. Scripts
  6. Configuration
  7. Security
  8. Monitoring
  9. Troubleshooting
  10. Examples
  11. Testing
  12. Documentation

🚀 Quick Start

Prerequisites

  • Windows Server 2016 or later
  • PowerShell 5.1 or later
  • Administrator privileges
  • TPM 2.0 (recommended for TPM-Trusted attestation)
  • Hyper-V role installed

Basic Deployment

# Clone the repository
git clone https://github.com/your-repo/HGS-Scripts.git
cd HGS-Scripts

# Run basic HGS deployment
.\Scripts\Deployment\Deploy-HGSServer.ps1 -ServerName "HGS01" -AttestationMode "TPM" -SecurityLevel "High"

Advanced Deployment with Configuration File

# Create configuration file
$config = @{
    ServerName = "HGS01"
    AttestationMode = "TPM"
    SecurityLevel = "High"
    AttestationService = $true
    KeyProtectionService = $true
    ZeroTrust = $true
    MonitoringLevel = "Advanced"
    Alerting = @{
        Enabled = $true
        Methods = @("Email", "Webhook")
        Recipients = @("admin@contoso.com")
    }
    Hosts = @(
        @{ Name = "HV01"; AttestationMode = "TPM" }
        @{ Name = "HV02"; AttestationMode = "TPM" }
    )
} | ConvertTo-Json -Depth 10 | Out-File "HGS-Config.json"

# Deploy with configuration
.\Scripts\Deployment\Deploy-HGSServer.ps1 -ConfigurationFile "HGS-Config.json" -Force

🏗️ Architecture

Solution Structure

HGS-Scripts/
├── Modules/                          # PowerShell modules
│   ├── HGS-Core.psm1                 # Core HGS functions
│   ├── HGS-Security.psm1             # Security and attestation
│   ├── HGS-Monitoring.psm1           # Monitoring and alerting
│   └── HGS-Troubleshooting.psm1      # Diagnostics and repair
├── Scripts/                          # Deployment and management scripts
│   ├── Deployment/                   # HGS server deployment
│   ├── Configuration/                # Configuration management
│   ├── Security/                     # Security implementation
│   ├── Monitoring/                   # Monitoring setup
│   ├── Troubleshooting/              # Troubleshooting tools
│   └── Enterprise-Scenarios/         # All 25 enterprise scenarios
├── Examples/                         # Usage examples
├── Tests/                           # Test scripts
└── Documentation/                    # Detailed documentation

Core Components

  1. HGS-Core Module - Basic HGS operations and server management
  2. HGS-Security Module - Attestation policies, trust boundaries, and security baselines
  3. HGS-Monitoring Module - Health monitoring, performance metrics, and alerting
  4. HGS-Troubleshooting Module - Diagnostics, repair, and recovery operations

🎯 Enterprise Scenarios

This solution implements all 25 enterprise scenarios for Host Guardian Service:

Core Scenarios

  1. Shielded Virtual Machines - Protect VMs from rogue administrators
  2. Fabric Assurance - Multi-tenant datacenter security
  3. Tier-0 Domain Controller Virtualization - Secure DC virtualization
  4. Guarded Fabric Design - Segregated Hyper-V infrastructure
  5. Attestation Modes - TPM-Trusted vs Admin-Trusted attestation

High Availability & Clustering

  1. Cluster-Aware Host Attestation - HA virtualization with trust integrity
  2. Disaster Recovery - Secondary site protection and replication
  3. Cloud and Hybrid Deployment - Azure Stack HCI integration

Advanced Security

  1. Offline Shielded VM Deployment - Disconnected environment provisioning
  2. Rogue Host Detection - Dynamic trust management and revocation
  3. Forensic Integrity Verification - Security baseline comparison
  4. Privileged Access Workstation Hosting - PAW VM protection
  5. Cross-Forest Guardian Service - Multi-forest trust boundaries

Development & CI/CD

  1. Secure Build Pipelines - CI/CD integrity for secure image generation
  2. Government/Regulated Infrastructure - CJIS, DoD, FedRAMP compliance
  3. Edge and Field Deployment - Remote host attestation

Integration & Compatibility

  1. TPM and BitLocker Integration - Unified hardware trust chain
  2. Nested Virtualization - Lab simulation and testing
  3. Credential Guard and VBS Synergy - Layered hardware-rooted security
  4. SIEM and Compliance Integration - Audit trail and compliance reporting

Automation & Management

  1. Custom Policy Automation - Dynamic attestation rule updates
  2. Third-Party Management Integration - SCVMM and monitoring dashboards
  3. Research and Education Labs - Training and demonstration environments
  4. Air-Gapped Datacenter Operation - Isolated network security
  5. Lifecycle Management - Automated host retirement and integrity enforcement

📦 Modules

HGS-Core Module

Core functions for HGS operations:

# Install HGS server
Install-HGSServer -ServerName "HGS01" -AttestationService -KeyProtectionService

# Configure attestation mode
Set-HGSAttestationMode -Mode "TPM" -HgsServer "HGS01"

# Add hosts to attestation
Add-HGSHost -HostName "HV01" -AttestationMode "TPM"

# Get HGS status
Get-HGSStatus -HgsServer "HGS01"

HGS-Security Module

Security and attestation management:

# Create attestation policy
Set-HGSAttestationPolicy -PolicyName "HighSecurity" -PolicyType "TPM" -SecurityLevel "High"

# Configure trust boundary
Set-HGSTrustBoundary -BoundaryName "TenantA" -BoundaryType "Tenant" -IsolationLevel "High"

# Configure Zero Trust
Set-HGSZeroTrust -TrustModel "NeverTrust" -VerificationLevel "Continuous" -PolicyEnforcement "Strict"

# Configure multi-tenant security
Set-HGSMultiTenantSecurity -TenantName "TenantA" -IsolationLevel "High"

HGS-Monitoring Module

Monitoring and alerting:

# Get health status
Get-HGSHealthStatus -HgsServer "HGS01" -IncludeDetails

# Get performance metrics
Get-HGSPerformanceMetrics -HgsServer "HGS01" -MetricType "All"

# Configure monitoring
Set-HGSMonitoring -MonitoringLevel "Advanced" -LogRetention 30

# Configure alerting
Set-HGSAlerting -AlertMethods @("Email", "Webhook") -Recipients @("admin@contoso.com")

HGS-Troubleshooting Module

Diagnostics and repair:

# Run comprehensive diagnostics
Test-HGSDiagnostics -HgsServer "HGS01" -DiagnosticLevel "Comprehensive" -IncludePerformance

# Repair HGS services
Repair-HGSService -HgsServer "HGS01" -RepairType "All" -Force

# Analyze event logs
Get-HGSEventAnalysis -HgsServer "HGS01" -TimeRange 7 -AnalysisType "Comprehensive"

# Test configuration
Test-HGSConfiguration -HgsServer "HGS01" -TestType "All"

📜 Scripts

Deployment Scripts

  • Deploy-HGSServer.ps1 - Main HGS server deployment script
  • Deploy-HGSCluster.ps1 - Cluster-aware HGS deployment
  • Deploy-HGSDisasterRecovery.ps1 - DR site HGS deployment

Configuration Scripts

  • Configure-HGS.ps1 - HGS configuration management
  • Configure-HGSSecurity.ps1 - Security baseline configuration
  • Configure-HGSMonitoring.ps1 - Monitoring and alerting setup

Security Scripts

  • Secure-HGS.ps1 - Security implementation
  • Secure-HGSCertificates.ps1 - Certificate management
  • Secure-HGSAttestation.ps1 - Attestation policy management

Monitoring Scripts

  • Monitor-HGS.ps1 - Health monitoring and alerting
  • Monitor-HGSPerformance.ps1 - Performance monitoring
  • Monitor-HGSSecurity.ps1 - Security event monitoring

Troubleshooting Scripts

  • Troubleshoot-HGS.ps1 - Comprehensive troubleshooting tools
  • Troubleshoot-HGSAttestation.ps1 - Attestation-specific troubleshooting
  • Troubleshoot-HGSPerformance.ps1 - Performance troubleshooting

Enterprise Scenario Scripts

  • Deploy-HGSShieldedVMs.ps1 - Shielded VM deployment
  • Deploy-HGSMultiTenant.ps1 - Multi-tenant HGS deployment
  • Deploy-HGSHybridCloud.ps1 - Hybrid cloud HGS deployment
  • Deploy-HGSAirGapped.ps1 - Air-gapped HGS deployment
  • Deploy-HGSGovernment.ps1 - Government compliance HGS deployment

⚙️ Configuration

Configuration File Format

{
    "ServerName": "HGS01",
    "AttestationMode": "TPM",
    "SecurityLevel": "High",
    "AttestationService": true,
    "KeyProtectionService": true,
    "ZeroTrust": true,
    "MultiTenant": false,
    "AirGapped": false,
    "MonitoringLevel": "Enhanced",
    "LogRetention": 30,
    "LogLevel": "Detailed",
    "LogLocation": "C:\\Logs\\HGS",
    "DashboardType": "PowerShell",
    "DashboardRefreshInterval": 30,
    "Alerting": {
        "Enabled": true,
        "Methods": ["Email", "Webhook"],
        "Recipients": ["admin@contoso.com"]
    },
    "Hosts": [
        {
            "Name": "HV01",
            "AttestationMode": "TPM"
        },
        {
            "Name": "HV02",
            "AttestationMode": "TPM"
        }
    ],
    "ClusterAttestation": {
        "Enabled": true,
        "ClusterName": "HVCluster",
        "Nodes": ["HV01", "HV02", "HV03"]
    },
    "DisasterRecovery": {
        "Enabled": true,
        "SecondaryServer": "HGS02",
        "ReplicationMode": "Active-Passive"
    },
    "HybridCloud": {
        "Enabled": false,
        "AzureStackEndpoint": "",
        "TrustMode": "Federated"
    }
}

Environment Variables

# Set environment variables for HGS deployment
$env:HGS_SERVER_NAME = "HGS01"
$env:HGS_ATTESTATION_MODE = "TPM"
$env:HGS_SECURITY_LEVEL = "High"
$env:HGS_LOG_LOCATION = "C:\Logs\HGS"
$env:HGS_CERTIFICATE_THUMBPRINT = "1234567890ABCDEF"

🔒 Security

Security Baselines

The solution includes multiple security baselines:

  • CIS Baseline - Center for Internet Security recommendations
  • NIST Baseline - National Institute of Standards and Technology
  • DoD Baseline - Department of Defense requirements
  • FedRAMP Baseline - Federal Risk and Authorization Management Program
  • Custom Baseline - Organization-specific requirements

Zero Trust Integration

# Configure Zero Trust model
Set-HGSZeroTrust -TrustModel "NeverTrust" -VerificationLevel "Continuous" -PolicyEnforcement "Strict"

# Configure continuous verification
Set-HGSZeroTrust -VerificationLevel "Continuous" -PolicyEnforcement "Strict"

Multi-Tenant Security

# Configure tenant isolation
Set-HGSMultiTenantSecurity -TenantName "TenantA" -IsolationLevel "High" -ResourceQuotas @{VMs=10; Storage="1TB"}

# Configure cross-tenant boundaries
Set-HGSTrustBoundary -BoundaryName "TenantA" -BoundaryType "Tenant" -IsolationLevel "Complete"

Air-Gapped Security

# Configure air-gapped environment
Set-HGSAirGappedSecurity -NetworkIsolation "Complete" -OfflineMode -LocalAttestation

# Configure offline deployment
Set-HGSOfflineDeployment -TemplatePath "C:\Templates\ShieldedVM.vhdx" -AttestationPolicy "OfflinePolicy"

📊 Monitoring

Health Monitoring

# Get comprehensive health status
$healthStatus = Get-HGSHealthStatus -HgsServer "HGS01" -IncludeDetails

# Check specific health aspects
$healthStatus.Services
$healthStatus.AttestationService
$healthStatus.KeyProtectionService
$healthStatus.Performance
$healthStatus.Alerts

Performance Monitoring

# Get performance metrics
$perfMetrics = Get-HGSPerformanceMetrics -HgsServer "HGS01" -MetricType "All"

# Monitor specific metrics
$perfMetrics.CPU
$perfMetrics.Memory
$perfMetrics.Network
$perfMetrics.Disk
$perfMetrics.Attestation

Alerting

# Configure email alerts
Set-HGSAlerting -AlertMethods @("Email") -Recipients @("admin@contoso.com", "security@contoso.com")

# Configure webhook alerts
Set-HGSAlerting -AlertMethods @("Webhook") -Recipients @("https://webhook.contoso.com/hgs-alerts")

# Configure multiple alert methods
Set-HGSAlerting -AlertMethods @("Email", "Webhook", "Teams") -Recipients @("admin@contoso.com", "https://teams.contoso.com/webhook")

Capacity Planning

# Get capacity planning information
$capacityInfo = Get-HGSCapacityPlanning -HgsServer "HGS01" -PlanningHorizon 12

# Review recommendations
$capacityInfo.Recommendations
$capacityInfo.CurrentCapacity
$capacityInfo.ProjectedCapacity

🔧 Troubleshooting

Diagnostic Tools

# Run comprehensive diagnostics
$diagnostics = Test-HGSDiagnostics -HgsServer "HGS01" -DiagnosticLevel "Comprehensive" -IncludePerformance

# Check specific areas
$diagnostics.Results.Services
$diagnostics.Results.Configuration
$diagnostics.Results.Certificates
$diagnostics.Results.Network
$diagnostics.Results.Events
$diagnostics.Results.Attestation

Event Log Analysis

# Analyze HGS event logs
$eventAnalysis = Get-HGSEventAnalysis -HgsServer "HGS01" -TimeRange 7 -AnalysisType "Comprehensive"

# Review patterns and issues
$eventAnalysis.Patterns
$eventAnalysis.Issues
$eventAnalysis.Recommendations

Configuration Testing

# Test HGS configuration
$configTest = Test-HGSConfiguration -HgsServer "HGS01" -TestType "All"

# Review test results
$configTest.Tests.BasicConfig
$configTest.Tests.Security
$configTest.Tests.Performance

Repair Operations

# Repair HGS services
$repairResult = Repair-HGSService -HgsServer "HGS01" -RepairType "All" -Force

# Review repair actions
$repairResult.Actions
$repairResult.Success

Troubleshooting Guide

# Get troubleshooting guidance
$guide = Get-HGSTroubleshootingGuide -IssueType "Attestation" -Severity "Critical"

# Review troubleshooting steps
$guide.Steps
$guide.Commands
$guide.Resources

💡 Examples

Basic HGS Deployment

# Deploy basic HGS server
.\Scripts\Deployment\Deploy-HGSServer.ps1 -ServerName "HGS01" -AttestationMode "TPM" -SecurityLevel "High"

# Add hosts to attestation
Add-HGSHost -HostName "HV01" -AttestationMode "TPM"
Add-HGSHost -HostName "HV02" -AttestationMode "TPM"

# Verify deployment
Get-HGSStatus -HgsServer "HGS01"

Multi-Tenant HGS Deployment

# Configure multi-tenant security
Set-HGSMultiTenantSecurity -TenantName "TenantA" -IsolationLevel "High" -ResourceQuotas @{VMs=10; Storage="1TB"}
Set-HGSMultiTenantSecurity -TenantName "TenantB" -IsolationLevel "High" -ResourceQuotas @{VMs=5; Storage="500GB"}

# Configure trust boundaries
Set-HGSTrustBoundary -BoundaryName "TenantA" -BoundaryType "Tenant" -IsolationLevel "Complete"
Set-HGSTrustBoundary -BoundaryName "TenantB" -BoundaryType "Tenant" -IsolationLevel "Complete"

Hybrid Cloud HGS Deployment

# Configure hybrid cloud
Set-HGSHybridCloud -AzureStackEndpoint "https://azurestack.local" -OnPremisesHgsServer "HGS01" -TrustMode "Federated"

# Configure cross-cloud attestation
Set-HgsAttestationPolicy -Policy "CrossCloudFederation" -Enabled $true

Government Compliance HGS Deployment

# Configure DoD compliance
Set-HGSGovernmentCompliance -ComplianceStandard "DoD" -SecurityLevel "High" -AuditLogging

# Configure CJIS compliance
Set-HGSGovernmentCompliance -ComplianceStandard "CJIS" -SecurityLevel "High" -AuditLogging

# Configure FedRAMP compliance
Set-HGSGovernmentCompliance -ComplianceStandard "FedRAMP" -SecurityLevel "High" -AuditLogging

Air-Gapped HGS Deployment

# Configure air-gapped environment
Set-HGSAirGappedSecurity -NetworkIsolation "Complete" -OfflineMode -LocalAttestation

# Configure offline deployment
Set-HGSOfflineDeployment -TemplatePath "C:\Templates\ShieldedVM.vhdx" -AttestationPolicy "OfflinePolicy"

Monitoring and Alerting Setup

# Configure comprehensive monitoring
Set-HGSMonitoring -MonitoringLevel "Advanced" -LogRetention 30

# Configure alerting
Set-HGSAlerting -AlertMethods @("Email", "Webhook", "Teams") -Recipients @("admin@contoso.com", "https://webhook.contoso.com", "https://teams.contoso.com/webhook")

# Configure logging
Set-HGSLogging -LogLevel "Detailed" -LogRetention 30 -LogLocation "C:\Logs\HGS"

# Configure dashboard
Set-HGSDashboard -DashboardType "Web" -RefreshInterval 30

🧪 Testing

Test Scripts

# Run comprehensive tests
.\Tests\Test-HGS.ps1 -TestType "All"

# Test specific components
.\Tests\Test-HGS.ps1 -TestType "Core"
.\Tests\Test-HGS.ps1 -TestType "Security"
.\Tests\Test-HGS.ps1 -TestType "Monitoring"
.\Tests\Test-HGS.ps1 -TestType "Troubleshooting"

Test Scenarios

  • Core Functionality Tests - Basic HGS operations
  • Security Tests - Attestation and security policies
  • Performance Tests - Performance and capacity testing
  • Integration Tests - Third-party integration testing
  • Disaster Recovery Tests - DR scenario testing

Test Results

Test results are saved to C:\HGS-Tests\Results\ with detailed reports and recommendations.

📚 Documentation

API Reference

Complete API reference for all modules and functions:

  • HGS-Core Module - Core HGS functions and operations
  • HGS-Security Module - Security and attestation functions
  • HGS-Monitoring Module - Monitoring and alerting functions
  • HGS-Troubleshooting Module - Troubleshooting and repair functions

Deployment Guides

  • Basic Deployment Guide - Step-by-step basic HGS deployment
  • Advanced Deployment Guide - Complex enterprise scenarios
  • Security Configuration Guide - Security best practices
  • Monitoring Setup Guide - Monitoring and alerting configuration
  • Troubleshooting Guide - Common issues and solutions

Best Practices

  • Security Best Practices - Security configuration recommendations
  • Performance Optimization - Performance tuning guidelines
  • Disaster Recovery - DR planning and implementation
  • Compliance - Regulatory compliance guidance

🤝 Contributing

Development Guidelines

  1. Follow PowerShell best practices
  2. Include comprehensive error handling
  3. Add detailed documentation
  4. Include unit tests for new functions
  5. Follow the existing code structure

Testing Requirements

  • All new functions must include unit tests
  • Integration tests for complex scenarios
  • Performance tests for critical functions
  • Security tests for security-related functions

📄 License

This project is licensed under the MIT License - see the LICENSE file for details.

🆘 Support

Getting Help

  • Documentation - Check the comprehensive documentation
  • Examples - Review the example scripts
  • Issues - Report issues on GitHub
  • Discussions - Join discussions for questions and ideas

Common Issues

  • Prerequisites - Ensure all prerequisites are met
  • Permissions - Run scripts with administrator privileges
  • Network - Check network connectivity and firewall rules
  • Certificates - Verify certificate validity and permissions

🔄 Version History

  • v1.0.0 - Initial release with all 25 enterprise scenarios
  • v1.1.0 - Enhanced monitoring and alerting capabilities
  • v1.2.0 - Added Zero Trust integration and advanced security features
  • v1.3.0 - Improved troubleshooting tools and diagnostic capabilities

🎯 Roadmap

Upcoming Features

  • GUI Management Console - Web-based management interface
  • Advanced Analytics - Machine learning-based threat detection
  • Cloud Integration - Enhanced Azure and AWS integration
  • Automated Remediation - Self-healing capabilities
  • Compliance Automation - Automated compliance reporting

Planned Enhancements

  • Performance Optimization - Enhanced performance monitoring
  • Security Hardening - Additional security controls
  • Disaster Recovery - Enhanced DR capabilities
  • Multi-Platform Support - Linux and macOS support
  • API Integration - REST API for third-party integration

Author: Adrian Johnson (adrian207@gmail.com)

For questions, issues, or contributions, please contact the author or create an issue on GitHub.