6.11.3

Security Configuration

{{ $t('productDocDetail.updateTime') }}: 2025-12-18

Reset SID

Introduction

Resetting the SID resolves security identifier (SID) conflicts that arise after cloning or copying Windows VMs, ensuring that each VM has a unique SID. It applies when VMs are deployed from a template or when bulk-created VMs are added to a domain, and prevents domain trust relationship errors.

Background

  1. A SID is a unique identifier that Windows uses to identify computers, users, and groups. Cloning a VM copies the original machine SID, so a domain controller cannot distinguish the clones from the source.
  2. By default, the Create snapshot for VM before SID resetting option is selected. The snapshot saves the VM's current system state (including memory data and process information) to the platform's default backup repository, with the retention period defined by the platform's snapshot policy.
  3. If the SID reset is executed while the VM is powered off, the SID is reset automatically when the VM next starts. If it is executed while the VM is running, the VM must be restarted for the change to take effect; a new unique SID is generated during that restart.

Constraints and Restrictions

  1. The feature is supported only on Windows operating systems: Windows 7, Windows Server 2008 R2, and later versions. It is not supported on Linux, which has no SID.
  2. For VMs that have already joined an AD domain, resetting the SID breaks the domain trust relationship. The trust relationship must be re-established, or the VM must be rejoined to the domain.
  3. Creating the snapshot consumes storage space equal to the VM's disk size, so the platform must have sufficient backup resources. If the reset is interrupted, the VM may fail to start and must be recovered from the snapshot.

Steps

Step 1. Log in to SCP and go to Resource Center > VMs.

Step 2. Locate the Windows VM you want to edit (vmTools must be installed), click More in the Operation column, and select Reset SID.

Step 3. In the Message pop-up window, confirm that the Create snapshot for VM before SID resetting option is selected (keeping it selected is recommended). Read and confirm that you understand the operation may make the VM unavailable, and click OK.

Result Verification

Step 1. After the VM restarts, log in to it through remote desktop using a local account (not a domain account: a domain account's SID belongs to the domain and does not change). Open the command prompt and run whoami /user. A local account's SID is the machine SID followed by a relative ID (RID), so confirm that the SID in the output differs from the one recorded before the reset.

Step 2. If the VM is, or must be, joined to a domain, run Test-ComputerSecureChannel in PowerShell. A return value of True indicates a healthy domain trust relationship. If it returns False, run Reset-ComputerMachinePassword to repair the trust relationship.
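The following PowerShell script is an added example for the verification steps above; it is not part of SCP or its documentation. Run it once on the VM before Reset SID to record the machine SID, and again after the post-reset reboot to confirm the SID changed and, on a domain-joined VM, to check and repair the secure channel. It assumes PowerShell 3.0 or later in an elevated session; the state file path is an assumption.

```powershell
# Added example (not SCP's own tooling): record the machine SID before Reset SID,
# compare it after the reboot, then check the domain secure channel.
# Assumes PowerShell 3.0+ and an elevated session; the state file path is an assumption.
$StateFile = 'C:\Temp\machine-sid-before.txt'

function Get-MachineSid {
    # Every local account SID is <machine SID>-<RID>. The built-in Administrator
    # always has RID 500, so stripping "-500" yields the machine SID regardless
    # of which account is currently logged in (a domain account would not work).
    $admin = Get-CimInstance Win32_UserAccount -Filter "LocalAccount=True AND SID LIKE '%-500'"
    if (-not $admin) { throw 'Built-in Administrator (RID 500) account not found' }
    return ($admin.SID -replace '-500$', '')
}

$Current = Get-MachineSid

if (-not (Test-Path $StateFile)) {
    # First run, before Reset SID: save the baseline and stop.
    New-Item -ItemType Directory -Force -Path (Split-Path $StateFile) | Out-Null
    Set-Content -Path $StateFile -Value $Current
    Write-Host "Baseline machine SID recorded: $Current"
    return
}

# Second run, after the restart that applies the reset.
$Before = (Get-Content $StateFile -Raw).Trim()
if ($Current -eq $Before) {
    Write-Warning "Machine SID is still $Current; the reset has not taken effect (was the VM restarted?)"
} else {
    Write-Host "Machine SID changed: $Before -> $Current"
}

# Domain trust only matters for domain-joined VMs; a new SID breaks the computer account trust.
$Cs = Get-CimInstance Win32_ComputerSystem
if ($Cs.PartOfDomain) {
    if (Test-ComputerSecureChannel) {
        Write-Host "Secure channel to $($Cs.Domain) is healthy"
    } else {
        Write-Warning "Secure channel to $($Cs.Domain) is broken; repairing with domain credentials"
        # -Repair resets the computer account password on the DC, the same job
        # Reset-ComputerMachinePassword -Credential does. If both fail, rejoin the domain.
        Test-ComputerSecureChannel -Repair -Credential (Get-Credential -Message 'Domain account allowed to reset the computer password')
    }
}
```

Deriving the machine SID from the RID-500 account rather than from whoami /user means the check gives the same answer whether you log in with a local or a domain account. Delete the state file before using the script on another VM.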

Enable Disk Encryption

Introduction

Enabling disk encryption protects data at rest on a VM's system disks and data disks. This prevents data breaches caused by physical disk loss or unauthorized internal access. It is suitable for VMs that store sensitive information such as personal data, financial data, or trade secrets, and helps meet compliance requirements such as GDPR and other applicable data protection laws.

  1. Two encryption modes are supported: Built-in server for encryption (uses the platform's built-in key management) and KMS server for encryption (integrates with a third-party key management service and requires the KMS server address and port to be configured in advance).
  2. Encryption is driver-level and transparent: data is encrypted automatically on write and decrypted on read, so applications need no changes. The AES-256 and SM4 (Chinese cryptographic) algorithms are supported.
  3. The encryption scope covers disk data, snapshots, and backup files. The key lifecycle follows NIST SP 800-57 and supports regular automatic key rotation.

Constraints and Restrictions

  1. After a disk is encrypted, VM performance degrades by 30%-50%, so the performance tolerance of I/O-intensive services must be assessed in advance. With the SM4 algorithm (Chinese cryptographic algorithm), the performance loss can be kept within 5%.
  2. The VM must be powered off while encryption is in progress, and operations such as CDP, disaster recovery, cloning, export, image creation, and disk capacity expansion on an encrypted VM should be scheduled for off-peak hours.
  3. Losing the encryption key causes permanent, unrecoverable data loss. Back up the key through the KMS service or the platform's key management module. Once disk encryption is enabled on a VM, it cannot be disabled.

Steps

Step 1. Log in to SCP and go to Resource Center > VMs.

Step 2. Locate the VM you want to edit, click More in the Operation column, and select Enable Disk Encryption.

Step 3. In the Enable Disk Encryption pop-up window, select Built-in Server or KMS Server for Key Source.

Step 4. If KMS Server is selected, enter the address, port, and authentication information of the KMS server. Select an available key in the Select Key drop-down list; if no keys are available, click the plus sign (+) to create or import a key.

Step 5. Read the encryption notes (covering performance impact and functional limitations), and click OK to start encryption.

A snapshot is a point-in-time record of a VM's data. It is used for scenarios such as data recovery and environment replication, and enables quick rollback to a specific operational state. For detailed operations such as creating and deleting snapshots and restoring a VM from a snapshot, see the xx section of the [Product Name] VM Management Guide[19].