Objective 1.2: Secure ESXi, vCenter Server, and vSphere Virtual Machines

Enable/Configure/Disable services in the ESXi firewall

ESXi services and firewall are configured using Web Client -> Hosts and Clusters -> Selected Host -> Manage -> Settings -> Security Profile.  Services can be Started, Stopped, or Restarted. Services can be configured to Start and stop with host, Start and stop manually, or Start and stop with port usage.  Customizing ESXi Services from the Security Profile can be found in the vSphere Security Guide on page 155.

Enable Lockdown Mode

Lockdown mode is covered in the vSphere Security Guide on page 155.

Lockdown mode forces all operations to be performed through vCenter Server.  When you enable lockdown mode, no users other than vpxuser have authentication permissions.  The root user is still authorized to log in to the Direct Console User Interface (DCUI) when lockdown mode is enabled.

Lockdown mode can be enabled when adding a Host to vCenter Inventory or using Web Client -> Hosts and Clusters -> Selected Host -> Manage -> Settings -> Security Profile.

Lockdown Modes:

  • Normal Lockdown
    1. Can no longer SSH to the box
    2. Can no longer connect to the box with the vSphere Client
    3. Can still get into the DCUI via the console
       a. with root
       b. or any account in DCUI.access
  • Strict Lockdown
    1. You will have to reinstall the host if there are major issues
    2. Should REALLY set up exception users
       a. they have access to SSH ONLY!!! or a 3rd-party API
       b. or any account in DCUI.access
  • Disabled

Configure network security policies

There are three network security policies:

  • Promiscuous mode – Default setting: Reject
    Setting this to Accept allows the guest operating system to receive all traffic observed on the connected vSwitch or PortGroup (think Hub instead of switch).
  • MAC address changes – Default setting: Accept
    Host accepts requests to change the effective MAC address to a different address than the initial MAC address.
  • Forged transmits – Default setting: Accept
    Host does not compare source and effective MAC addresses transmitted from a virtual machine.

Each of these can be set to Reject or Accept.  Network security policies can be set on the vSwitch or PortGroup.  The Override checkbox allows you to override the vSwitch setting when configuring Network security policies on a PortGroup.  Setting MAC address changes and Forged transmits to Reject protects against MAC address spoofing.
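To make the three policies and the PortGroup Override behaviour concrete, here is an added example (not VMware code) that models what each Reject setting checks for a constructed VM adapter; the MAC addresses and names are made up.

```python
# Added example, not VMware code. Models the three vSwitch security policies and
# the port group Override behaviour described above. MAC values are constructed.
POLICIES = ("Promiscuous mode", "MAC address changes", "Forged transmits")
DEFAULTS = {"Promiscuous mode": "Reject", "MAC address changes": "Accept",
            "Forged transmits": "Accept"}   # default settings as stated in the text
BROADCAST = "ff:ff:ff:ff:ff:ff"


def effective_policy(vswitch=None, portgroup_override=None):
    """A port group inherits the vSwitch setting unless Override supplies its own."""
    policy = dict(DEFAULTS)
    policy.update(vswitch or {})
    policy.update(portgroup_override or {})
    return policy


def mac_change_allowed(policy, initial_mac, requested_mac):
    """MAC address changes = Reject: the guest may not move its effective MAC
    away from the initial MAC assigned in the .vmx file."""
    if requested_mac.lower() == initial_mac.lower():
        return True
    return policy["MAC address changes"] == "Accept"


def transmit_allowed(policy, effective_mac, frame_src_mac):
    """Forged transmits = Reject: the host compares each outbound frame's source
    MAC with the adapter's effective MAC and drops mismatches (MAC spoofing)."""
    if frame_src_mac.lower() == effective_mac.lower():
        return True
    return policy["Forged transmits"] == "Accept"


def frame_delivered(policy, adapter_mac, frame_dst_mac):
    """Promiscuous mode = Reject: the adapter only sees frames addressed to it or
    to broadcast; Accept makes the port behave like a hub port."""
    if frame_dst_mac.lower() in (adapter_mac.lower(), BROADCAST):
        return True
    return policy["Promiscuous mode"] == "Accept"


# Constructed scenario: vSwitch set to Reject all three; one port group uses the
# Override checkbox to re-enable promiscuous mode (e.g. for a monitoring appliance).
HARDENED = {p: "Reject" for p in POLICIES}
VM_NET = effective_policy(HARDENED)                                   # inherits
IDS_NET = effective_policy(HARDENED, {"Promiscuous mode": "Accept"})  # override
VM_MAC = "00:50:56:aa:bb:01"   # constructed initial and effective MAC
```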

Add an ESXi Host to a directory service

A standalone ESXi host can be joined to an Active Directory domain using the vSphere Client -> ESXi host -> Configuration -> Authentication Services.

An ESXi host managed by vCenter can be joined to an Active Directory domain using the Web Client -> Hosts and Clusters -> ESXi host -> Manage -> Settings -> Authentication Services.

The root user and users with the Administrator role can access the ESXi Shell. Users who are in the Active Directory group ESX Admins are automatically assigned the Administrator role. By default, only the root user can execute system commands (such as vmware -v) using the ESXi Shell.

Apply permissions to ESXi Hosts using Host Profiles

Host profiles allow you to set up standard configurations for your ESXi hosts and automate compliance to these configuration settings.  You can also use host profiles to monitor hosts for host configuration changes.

ESXi host users and permissions can be included in the Host Profile.  The administrator (root) password and user passwords that are included with the host profile and host customization are MD5 encrypted.  If you are joining an ESXi host to Active Directory by using host profiles, the password for the user used to join the host to the domain is stored in plain text.

Configure virtual machine security policies

Secure the guest OS and applications just as if they were running on a physical machine.

Virtual machine security best practices:

  • General Virtual Machine Protection
    Guest OS and application patching. Anti-virus scanning.
  • Use Templates to Deploy Virtual Machines
    Reduces the risk of mis-configuration during operating system installation.
  • Minimize Use of Virtual Machine Console
  • Prevent Virtual Machines from Taking Over Resources
  • Disable Unnecessary Functions Inside Virtual Machines
    Disable unused services. Disconnect/remove unused devices.
  • Remove Unnecessary Hardware Devices
    Disconnect/remove unnecessary hardware such as floppy drives, serial ports, parallel ports, USB controllers, and CD-ROM drives.
  • Disable Unused Display Features
  • Disable Unexposed Features
  • Disable host guest file system (HGFS) File Transfers
  • Disable Copy and Paste Operations Between Guest Operating System and Remote Console
    isolation.tools.copy.disable = true
    isolation.tools.paste.disable = true
  • Limiting Exposure of Sensitive Data Copied to the Clipboard
  • Restrict Users from Running Commands Within a Virtual Machine
    Remove Virtual machine -> Guest Operations privileges from Roles which do not require them.
  • Prevent a Virtual Machine User or Process from Disconnecting Devices
    isolation.device.connectable.disable = true
    isolation.device.edit.disable = true
  • Modify Guest Operating System Variable Memory Limit
  • Prevent Guest Operating System Processes from Sending Configuration Messages to the Host
    isolation.tools.setinfo.disable = true
  • Avoid Using Independent Nonpersistent Disks
    Evidence that a machine was compromised can be removed by shutting down or rebooting the system.
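As an added example (not VMware code), the following audits a VM's .vmx text against the isolation settings, unnecessary devices, and nonpersistent-disk guidance in the list above; the sample .vmx is constructed, and a missing isolation key is reported so that hardening is explicit.

```python
# Added example, not VMware code: audit a .vmx against the advanced settings and
# device guidance listed above. SAMPLE_VMX is constructed, not a real VM's file.
ISOLATION_KEYS = (
    "isolation.tools.copy.disable",
    "isolation.tools.paste.disable",
    "isolation.device.connectable.disable",
    "isolation.device.edit.disable",
    "isolation.tools.setinfo.disable",
)
# Device prefixes the list says to disconnect or remove when not needed.
DEVICE_PREFIXES = ("floppy", "serial", "parallel", "usb")

SAMPLE_VMX = """\
.encoding = "UTF-8"
displayName = "web01"
isolation.tools.copy.disable = "TRUE"
isolation.tools.paste.disable = "FALSE"
isolation.tools.setinfo.disable = "TRUE"
floppy0.present = "TRUE"
serial0.present = "TRUE"
ide1:0.present = "TRUE"
ide1:0.deviceType = "cdrom-image"
scsi0:0.present = "TRUE"
scsi0:0.mode = "independent-nonpersistent"
"""

def parse_vmx(text):
    """Parse `key = "value"` lines into a dict; keys lower-cased (vmx keys are case-insensitive)."""
    settings = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and not line.lstrip().startswith("#"):
            settings[key.strip().lower()] = value.strip().strip('"')
    return settings

def audit_vmx(text):
    """Return sorted (setting, reason) findings for one .vmx; [] means it passes."""
    s = parse_vmx(text)
    findings = [(k, "not set to TRUE") for k in ISOLATION_KEYS
                if s.get(k, "").upper() != "TRUE"]
    for key, value in s.items():
        if key.endswith(".present") and key.startswith(DEVICE_PREFIXES) and value.upper() == "TRUE":
            findings.append((key, "unnecessary device attached"))
        elif key.endswith(".devicetype") and "cdrom" in value.lower():
            findings.append((key, "CD-ROM attached"))
        elif key.endswith(".mode") and value.lower() == "independent-nonpersistent":
            findings.append((key, "independent nonpersistent disk"))
    return sorted(findings)
```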

Create/Manage vCenter Server Security Certificates

The VMware Certificate Authority (VMCA) provisions vCenter Server components and ESXi hosts with certificates that use VMCA as the root certificate authority by default. <- New in vSphere 6

vCenter Server, the Platform Services Controller, and related services support certificates which are generated and signed by the VMCA, Enterprise certificates that are generated and signed by an internal PKI, and third-party CA-signed certificates that are generated and signed by an external PKI.

vCenter Certificate Utilities:

  • vSphere Certificate Manager utility – certificate replacement tasks from a command line utility.
  • Certificate management CLIs – dir-cli, certool, and vecs-cli command line utilities.
  • vSphere Web Client certificate management – view certificate information in the Web Client

The vSphere Certificate Manager utility can be used to generate CSRs.

Viewing Certificates in the Web Client -> Home -> System Configuration -> Nodes -> Node -> Manage -> Certificate Authority
In the Web Client you can view Active Certificates, Revoked Certificates, Expired Certificates, and Root Certificates.

When upgrading from earlier versions of vSphere the self-signed certificates are replaced with certificates signed by the VMCA.

vCenter Server monitors all certificates in the VMware Endpoint Certificate Store (VECS) and issues an alarm when a certificate is 30 days or less from its expiration. This threshold can be changed by setting the vpxd.cert.thresholdadvance option.

The VMCA can be used as an Intermediate Certificate Authority.
