Only authorized user accounts must be allowed to create or run virtual machines on Windows 10 systems.
An XCCDF Rule
Description
<VulnDiscussion>Allowing other operating systems to run on a secure system may allow users to circumvent security. For Hyper-V, preventing unauthorized users from being assigned to the Hyper-V Administrators group will prevent them from accessing or creating virtual machines on the system. The Hyper-V Hypervisor is used by Virtualization Based Security features such as Credential Guard on Windows 10; however, it is not the full Hyper-V installation.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
- ID
- SV-220714r958478_rule
- Severity
- Medium
- References
- Updated
Remediation - Manual Procedure
For Hyper-V, remove any unauthorized groups or user accounts from the "Hyper-V Administrators" group.
For hosted hypervisors other than Hyper-V, restrict access to create or run virtual machines to authorized user accounts only.