Free Hyper-V Security Assessment

Hosts are the hyper-v security assessment control area that defines expected configuration, ownership, supporting evidence, and review cadence. A reviewer should be able to confirm the current state from system exports, admin-console settings, monitoring records, tickets, and maintained documentation. For hosts, the relevant evidence usually includes compare inventory against monitoring, EDR, backup, and licensing systems, then identify unsupported versions and unowned assets. Review the related CMDB, warranty status, end-of-life, patch baseline, EDR coverage, backup scope, hypervisor hardening, resource utilization, then confirm which systems or users are affected, which logs prove the control is operating, and how exceptions are approved, tracked, and revisited. Common review sources include asset inventory, RMM, hypervisor console, Microsoft Admin Center, EDR dashboard, warranty lookup, vulnerability scanner.

Switches are the operating area where policy, configuration, monitoring, and support records need to agree with the actual environment. A reviewer should be able to confirm the current state from system exports, admin-console settings, monitoring records, tickets, and maintained documentation. For switches, the relevant evidence usually includes review running configuration, rule hit counts, stale objects, topology diagrams, firmware levels, remote-access groups, and change tickets. Review the related ACLs, NAT, zone policy, VLAN tagging, trunk ports, route tables, VPN profiles, split tunneling, 802.1X, WPA3, guest isolation, then confirm which systems or users are affected, which logs prove the control is operating, and how exceptions are approved, tracked, and revisited. Common review sources include firewall manager, switch/router CLI exports, wireless controller, NetFlow/syslog, VPN gateway logs, network monitoring platform.

VMs are the technical and administrative control set used to prove this part of the environment is configured, maintained, and reviewed. A reviewer should be able to confirm the current state from system exports, admin-console settings, monitoring records, tickets, and maintained documentation. For vms, the relevant evidence usually includes compare inventory against monitoring, EDR, backup, and licensing systems, then identify unsupported versions and unowned assets. Review the related CMDB, warranty status, end-of-life, patch baseline, EDR coverage, backup scope, hypervisor hardening, resource utilization, then confirm which systems or users are affected, which logs prove the control is operating, and how exceptions are approved, tracked, and revisited. Common review sources include asset inventory, RMM, hypervisor console, Microsoft Admin Center, EDR dashboard, warranty lookup, vulnerability scanner.

Recovery is the hyper-v security assessment control area that defines expected configuration, ownership, supporting evidence, and review cadence. A reviewer should be able to confirm the current state from system exports, admin-console settings, monitoring records, tickets, and maintained documentation. For recovery, the relevant evidence usually includes review job success history, protected workload scope, immutable-copy status, last restore test, retention settings, and recovery dependency mapping. Review the related RTO, RPO, 3-2-1 backup, immutable storage, air gap, restore verification, retention policy, recovery runbook, ransomware isolation, then confirm which systems or users are affected, which logs prove the control is operating, and how exceptions are approved, tracked, and revisited. Common review sources include backup console, restore-test logs, storage reports, DR runbooks, cloud backup policy, ticketing evidence.

Documentation is the operating area where policy, configuration, monitoring, and support records need to agree with the actual environment. A reviewer should be able to confirm the current state from system exports, admin-console settings, monitoring records, tickets, and maintained documentation. For documentation, the relevant evidence usually includes sample recent tickets and changes, verify approval and rollback records, compare documentation against production, and confirm named owners. Review the related SLA, RACI, change advisory review, rollback plan, runbook accuracy, configuration management, evidence repository, operational KPIs, then confirm which systems or users are affected, which logs prove the control is operating, and how exceptions are approved, tracked, and revisited. Common review sources include ticketing system, documentation portal, change calendar, asset inventory, monitoring alerts, configuration exports.

Monitoring is the technical and administrative control set used to prove this part of the environment is configured, maintained, and reviewed. A reviewer should be able to confirm the current state from system exports, admin-console settings, monitoring records, tickets, and maintained documentation. For monitoring, the relevant evidence usually includes inspect zone changes, resolver paths, DHCP scope utilization, alert thresholds, log retention, NTP synchronization, and monitoring coverage gaps. Review the related forwarders, secure dynamic updates, DHCP failover, reservations, lease scope utilization, syslog, SNMP, NetFlow, SIEM correlation, then confirm which systems or users are affected, which logs prove the control is operating, and how exceptions are approved, tracked, and revisited. Common review sources include DNS/DHCP consoles, SIEM, syslog server, network monitoring dashboards, packet captures, availability reports.

Ownership is the hyper-v security assessment control area that defines expected configuration, ownership, supporting evidence, and review cadence. A reviewer should be able to confirm the current state from system exports, admin-console settings, monitoring records, tickets, and maintained documentation. For ownership, the relevant evidence usually includes sample recent tickets and changes, verify approval and rollback records, compare documentation against production, and confirm named owners. Review the related SLA, RACI, change advisory review, rollback plan, runbook accuracy, configuration management, evidence repository, operational KPIs, then confirm which systems or users are affected, which logs prove the control is operating, and how exceptions are approved, tracked, and revisited. Common review sources include ticketing system, documentation portal, change calendar, asset inventory, monitoring alerts, configuration exports.

Testing is the operating area where policy, configuration, monitoring, and support records need to agree with the actual environment. A reviewer should be able to confirm the current state from system exports, admin-console settings, monitoring records, tickets, and maintained documentation. For testing, the relevant evidence usually includes sample recent tickets and changes, verify approval and rollback records, compare documentation against production, and confirm named owners. Review the related SLA, RACI, change advisory review, rollback plan, runbook accuracy, configuration management, evidence repository, operational KPIs, then confirm which systems or users are affected, which logs prove the control is operating, and how exceptions are approved, tracked, and revisited. Common review sources include ticketing system, documentation portal, change calendar, asset inventory, monitoring alerts, configuration exports.