Every major component of a virtual machine is stored in a file. Like any file, access must be carefully controlled. If an attacker is able to retrieve a copy of a VM's VHDX file, then it can be easily mounted and its contents can be exploited.
Fortunately, NTFS security for Hyper-V is fairly complete right out of the box. This section is less about what to do and more about what not to do.
Every Hyper-V host has a default location for virtual machine configuration files and a default location for virtual machine hard drive files. Most administrators change these right away for a variety of reasons. This is where we get into our first "don't": don't place virtual machine files directly on the root of an NTFS volume. For one thing, Windows really doesn't want to grant access to files there. For another, modifying security on the volume's root can have serious side effects. Instead, use a subfolder.