This post covers Section 1, Configure and Administer vSphere Security, Objective 1.2, Secure ESXi, vCenter Server, and vSphere Virtual Machines.
The vSphere Knowledge covered in this objective:
- Enable/Configure/Disable services in the ESXi firewall
- Enable Lockdown Mode
- Configure network security policies
- Add an ESXi Host to a directory service
- Apply permissions to ESXi Hosts using Host Profiles
- Configure virtual machine security policies
- Create/Manage vCenter Server Security Certificates
Objective 1.2 VMware Resources and Tools include:
- vSphere Installation and Setup Guide
- vSphere Security Guide
- What’s New in the VMware vSphere® 6.0 Platform
- Security of the VMware vSphere® Hypervisor
- vSphere Administration with the vSphere Client Guide
- VMware Hardened Virtual Appliance Operations Guide added to Tech Resource Directory
- vCenter Server, ESXi, vSphere Web Client, vSphere Client
– Enable/Configure/Disable services in the ESXi firewall
ESXi services and firewall are configured using Web Client -> Hosts and Clusters -> Selected Host -> Manage -> Settings -> Security Profile
ESXi Service Configuration:
Services can be Started, Stopped, or Restarted.
Services can be configured to Start and stop with host, Start and stop manually, or Start and stop with port usage.
ESXi Shell and SSH are disabled (Set to Start and stop manually) by default.
ESXi Shell and SSH can be enabled/disabled in the DCUI from the Troubleshooting Mode Options menu.
When the ESXi Shell has been enabled in the DCUI you can switch to the ESXi Shell using Alt-F1. You can switch back to the DCUI using Alt-F2.
Customizing ESXi Services from the Security Profile can be found in the vSphere Security Guide on page 153.
ESXi Firewall Configuration:
Enable firewall rules.
Firewall rules for Incoming and Outgoing Connections.
Allow connections from any IP address or configure specific IP addresses or subnets.
ESXi Firewall rules can be managed from the CLI with esxcli network firewall.
Managing ESXi Firewall Settings can be found in the vSphere Security Guide on page 148.
– Enable Lockdown Mode
Lockdown mode is covered in the vSphere Security Guide on page 155.
Lockdown mode prevents users from accessing ESXi hosts directly.
Lockdown mode can be enabled when adding a Host to vCenter Inventory or using Web Client -> Hosts and Clusters -> Selected Host -> Manage -> Settings -> Security Profile.
Lockdown mode is disabled.
Lockdown mode is enabled. The host can only be accessed from vCenter or from the console (DCUI).
Lockdown mode is enabled. The DCUI service is stopped. The host can not be accessed from the console (DCUI).
When the the Lockdown Mode is set to Strict the DCUI service is stopped (previously referred to as Total Lockdown Mode).
Exception Users are user accounts which keep their permissions on the host when the host is placed in Lockdown mode. <- New in vSphere 6 Lockdown mode can be disabled from the vSphere Client or from the DCUI (unless Strict Lockdown mode is set). When Lockdown mode is enabled on an ESXi host the following message will be displayed when trying to connect directly to the host:
Great article from the vSphere Blogs on vSphere 6.0 Lockdown Modes
– Configure network security policies
Securing vSphere Standard Switches in the vSphere Security Guide on page 207.
The three network security policies:
- Promiscuous mode – Default setting: Reject
Setting this to Accept allows the guest operating system to receive all traffic observed on the connected vSwitch or PortGroup (think Hub instead of switch).
- MAC address changes – Default setting: Accept
Host accepts requests to change the effective MAC
address to a different address than the initial MAC address.
- Forged transmits – Default setting: Accept
Host does not compare source and effective MAC addresses transmitted from a virtual machine.
Each of these can be set to Reject or Accept.
Setting MAC address changes and Forged transmits to Reject protects against MAC address spoofing.
– Add an ESXi Host to a directory service
Using Active Directory to Manage ESXi Users in the vSphere Security Guide on page 163.
Users who are members of the Active Directory group ESX Admins are automatically assigned the Administrator role on the host when the host is joined to an Active Directory domain. For this to work the ESX Admins group must exist before the host is joined to the domain. Otherwise the permissions will need to be applied manually.
– Apply permissions to ESXi Hosts using Host Profiles
Host profiles allow you to set up standard configurations for your ESXi hosts and automate compliance to these configuration settings. vSphere Security Guide on page 131.
The administrator (root) password and user passwords that are included with host profile and host customization are MD5 encrypted.
If you are joining an ESXi host to Active Directory by using host profiles, the passwords for the user used to join the host to domain is stored in plain text.
– Configure virtual machine security policies
Secure the guest OS and applications just as if they were running on a physical machine.
Virtual machine security best practices – Details on each of these can be found in the vSphere Security Guide on page 192:
- General Virtual Machine Protection
Guest OS and application patching. Anti-virus scanning.
- Use Templates to Deploy Virtual Machines
Reduces the risk of mis-configuration during operating system installation.
- Minimize Use of Virtual Machine Console
- Prevent Virtual Machines from Taking Over Resources
- Disable Unnecessary Functions Inside Virtual Machines
Disable unused services. Disconnect/remove unused devices.
- Remove Unnecessary Hardware Devices
Disconnect/remove unnecessary hardware such as floppy drives, serial ports, parallel ports, USB controllers, and CD-ROM drives.
- Disable Unused Display Features
- Disable Unexposed Features
- Disable host guest file system (HGFS) File Transfers
- Disable Copy and Paste Operations Between Guest Operating System and Remote Console
isolation.tools.copy.disable = true
isolation.tools.paste.disable = true
- Limiting Exposure of Sensitive Data Copied to the Clipboard
- Restrict Users from Running Commands Within a Virtual Machine
Remove Virtual machine -> Guest Operations privileges from Roles which do not require them.
- Prevent a Virtual Machine User or Process from Disconnecting Devices
isolation.device.connectable.disable = true
isolation.device.edit.disable = true
- Modify Guest Operating System Variable Memory Limit
- Prevent Guest Operating System Processes from Sending Configuration Messages to the Host
isolation.tools.setinfo.disable = true
- Avoid Using Independent Nonpersistent Disks
Evidence that a machine was compromised can be removed by shutting down or rebooting the system.
Web Client -> Virtual Machine -> Edit Settings -> VM Options -> VMware Remote Console Options
Settings to lock the guest operating system when the last remote user disconnects and to limit the number of simultaneous connections to the virtual machine.
– Create/Manage vCenter Server Security Certificates
There are a TON of changes to certificates in vSphere 6. Details can be found in the vSphere Security Guide section 3 starting on page 51.
The VMware Certificate Authority (VMCA) provisions vCenter Server components and ESXi hosts with certificates that use VMCA as the root certificate authority by default. <- New in vSphere 6 vCenter Server, the Platform Services Controller, and related services support certificates which are generated and signed by the VMCA, Enterprise certificates that are generated and signed by an internal PKI, and third-party CA-signed certificates that are generated and signed by an external PKI. vCenter Certificate Utilities:
- vSphere Certificate Manager utility – certificate replacement tasks from a command line utility.
- Certificate management CLIs – dir-cli, certool, and vecs-cli command line utilities.
- vSphere Web Client certificate management – view certificate information in the Web Client
The vSphere Certificate Manager utility can be used to generate CSRs.
Viewing Certificates in the Web Client -> Home -> System Configuration -> Nodes -> Node -> Manage -> Certificate Authority
In the Web Clinet you can view Active Certificates, Revoked Certificates, Expired Certificates, and Root Certificates.
When upgrading from earlier versions of vSphere the self-signed certificates are replaced with certificates signed by the VMCA.
vCenter Server monitors all certificates in the VMware Endpoint Certificate Store (VECS) and issues an alarm when a certificate is 30 days or less from its expiration. This threshold can be changed by setting the vpxd.cert.threshold advance option.
The VMCA can be used as an Intermediate Certificate Authority.
More Section Objectives in the VCP6-DCV Delta Exam Study Guide Index
I hope you found this helpful. Feel free to add anything associated with this section using the comments below. Happy studying.