A virtualized computer system can recover from a virtual-machine failure on one computing device by instantiating a fail-over virtual-machine on either the same computing device or on a separate fail-over computing device. However, there is currently no assurance that the fail-over computing device has a security-level appropriate for the functions and data of the virtual-machine. For example, a domain controller typically requires a high level of security. Instantiating a domain controller virtual-machine on a fail-over computing device with a relatively low security-level potentially leaves critical data and functions at risk. For example, a potential intruder may launch a denial-of-service attack against a virtualized computer system containing sensitive information hoping that the computer system will fail-over to another system with fewer security controls protecting the stored data. One known solution is to manually place computing devices into fail-over groups based on security characteristics of the devices.