Tool: Microsoft NVSPBind


As most readers know, Microsoft offers three Hyper-V editions: the one coming with the full version of Windows Server 2008 R2, the one included in a stripped down version of Windows called “Server Core”, and the stand-alone Hyper-V Server.

The Server Core edition of Windows lacks the well-known GUI, has limited .NET support, and omits many other OS components. This is done to reduce the OS attack surface, mimicking the minimal Linux distributions that are popular among security professionals.

The problem is that this turns the local management of Hyper-V hosts into a real nightmare. Pretty much everything has to be done on the command line, but Microsoft doesn’t provide a CLI to perform every task.

For example, if you want to unbind a certain network protocol from the host NICs, which is a typical hardening best practice, there’s no way to do so. Until today.
Microsoft just published a previously internal tool called NVSPBind that can list the protocols bound to the Hyper-V NICs and enable or disable any of them.

C:\>nvspbind -d {F93672D9-9085-4EEF-9669154AD4391ED7} ms_server
Hyper-V Network VSP Bind Application 6.1.7672.0.
Copyright (c) Microsoft Corporation. All rights reserved.
acquiring write lock…success

Adapters:
{F93672D9-9085-4EEF-9669154AD4391ED7}
“pci\ven_8086&dev_10c9&subsys_a03c8086”
“Intel(R) Gigabit ET Dual Port Server Adapter”:
    unbinding ms_server from Intel(R) Gigabit ET Dual Port Server Adapter
    unbinding ms_server from Intel(R) Gigabit ET Dual Port Server Adapter
    unbinding ms_server from Intel(R) Gigabit ET Dual Port Server Adapter
    unbinding ms_server from Intel(R) Gigabit ET Dual Port Server Adapter
    unbinding ms_server from Intel(R) Gigabit ET Dual Port Server Adapter
    unbinding ms_server from Intel(R) Gigabit ET Dual Port Server Adapter
applying changes…
cleaning up…releasing write lock…success
finished
C:\>
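
A check that an unbind run like the one above actually completed, written as an added example (not part of the original post or of NVSPBind). It assumes the tool's output was saved as text in the format shown in the transcript; the function names are hypothetical.

```python
import re

# Transcript format assumed from the sample run shown above; the blog's
# typographic "…" and a plain "..." are both accepted.
DOTS = r"(?:…|\.\.\.)"
UNBIND = re.compile(r"^\s*unbinding (\S+) from (.+?)\s*$")

# Constructed sample: the page's run, shortened to two unbinding lines.
SAMPLE = """\
acquiring write lock…success

Adapters:
{F93672D9-9085-4EEF-9669154AD4391ED7}
    unbinding ms_server from Intel(R) Gigabit ET Dual Port Server Adapter
    unbinding ms_server from Intel(R) Gigabit ET Dual Port Server Adapter
applying changes…
cleaning up…releasing write lock…success
finished
"""

def parse_transcript(text):
    """Return the status markers and per-adapter unbind counts from one run."""
    result = {"lock_acquired": False, "applied": False,
              "lock_released": False, "finished": False, "unbound": {}}
    for line in text.splitlines():
        s = line.strip()
        m = UNBIND.match(line)
        if m:
            key = (m.group(2), m.group(1))  # (adapter name, protocol id)
            result["unbound"][key] = result["unbound"].get(key, 0) + 1
        elif re.fullmatch(r"acquiring write lock" + DOTS + "success", s):
            result["lock_acquired"] = True
        elif re.match(r"applying changes", s):
            result["applied"] = True
        elif re.search(r"releasing write lock" + DOTS + "success$", s):
            result["lock_released"] = True
        elif s == "finished":
            result["finished"] = True
    return result

def check_run(text, protocol):
    """List reasons the run cannot be trusted as a completed unbind."""
    r = parse_transcript(text)
    problems = [name for name in ("lock_acquired", "applied",
                                  "lock_released", "finished") if not r[name]]
    if not any(p == protocol for _, p in r["unbound"]):
        problems.append("no unbinding line for " + protocol)
    return problems

if __name__ == "__main__":
    print(check_run(SAMPLE, "ms_server") or "run looks complete")
```

An empty list from `check_run` means every stage marker was seen and at least one adapter reported the protocol as unbound; a transcript cut off before `applying changes` is reported as incomplete.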