Read the pdf here.
I have listed the recommendations, in full, below.
The following are some simple recommendations for safely deploying virtualization in production environments:
- Treat Virtual Machines like services that can be compromised; use chroot, systrace, acls, least privileged users, etc.
- Disable emulated hardware you don’t need, and external services you don’t use (DHCP daemons, etc.) to reduce the attack surface exposed to hostile users.
- Xen is worth watching in future; separating domains should limit the impact of a compromise.
- Maintain the integrity of guest operating systems, protect the kernel using standard procedures of disabling modules, /dev/mem, /dev/port, etc.
- Take advantage of the securelevels features available on BSD systems.
- Keep guest software up-to-date with published vulnerabilities.
- If an attacker cannot elevate their privileges within the guest, the likelihood of compromising the VMM is significantly reduced.
- Keep Virtual Machine software updated to ensure all known vulnerabilities have been corrected.
- Avoid guests that do not operate in protected mode, and make use of any security features offered, avoid running untrusted code with root-equivalent privileges within the guest.