VCP 5 Objective 1.4 – Secure vCenter Server and ESXi

For this objective I used only one document:

vSphere Security guide

Knowledge

Identify common vCenter Server privileges and roles

– Common Privileges

Create a virtual machine

On the destination folder or datacenter:
  • Virtual Machine.Inventory.Raw Create
  • Virtual Machine.Configuration.Add New Disk (if creating a new VMDK)
  • Virtual Machine.Configuration.Add Existing Disk (if using an existing VMDK)
  • Virtual Machine.Configuration.Raw Device (if using an RDM)
On the destination host, cluster or resource pool:
  • Resource.Assign Virtual Machine to Resource Pool
On the destination datastore or folder containing a datastore:
  • Datastore.Allocate Space
On the network that the virtual machine will be assigned to:
  • Network.Assign Network

Take a virtual machine snapshot

On the virtual machine or a folder of virtual machines:
  • Virtual Machine.State.Create Snapshots
On the destination datastore or folder of datastores:
  • Datastore.Allocate Space

Migrate a VM with Storage vMotion

On the virtual machine or folder of virtual machines:
  • Resource.Migrate
On the destination datastore:
  • Datastore.Allocate Space

Move a host into a cluster

On the host:
  • Host.Inventory.Add Host to Cluster
On the destination cluster:
  • Host.Inventory.Add Host to Cluster

For further examples of common privileges see pages 56 thru 58 of the vSphere Security documentation.

– Default Roles in ESXi and vCenter Server

Each role below is listed with its role type (system or sample) and a description of what the user can do.

No Access (system role)
  • Cannot view or change the assigned object
  • vSphere Client tabs associated with an object appear without content
  • Can be used to revoke permissions that would otherwise be propagated to an object from a parent object
  • Available in ESXi and vCenter Server

Read Only (system role)
  • View the state and details about the object
  • View all the tab panels in the vSphere Client except the Console tab
  • Cannot perform any actions through the menus and toolbars
  • Available in ESXi and vCenter Server

Administrator (system role)
  • All privileges for all objects
  • Add, remove, and set access rights and privileges for all the vCenter Server users and all the virtual objects in the vSphere environment
  • Available in ESXi and vCenter Server

Virtual Machine Power User (sample role)

A set of privileges to allow the user to interact with and make hardware changes to virtual machines, as well as perform snapshot operations. Privileges granted include:
  • All privileges for the scheduled task privileges group
  • Selected privileges for the global items, datastore, and virtual machine privileges groups
  • No privileges for the folder, datacenter, network, host, resource, alarms, sessions, performance, and permissions privileges groups
Usually granted on a folder that contains virtual machines or on individual virtual machines.
Available on vCenter Server

Virtual Machine User (sample role)

A set of privileges to allow the user to interact with a virtual machine’s console, insert media, and perform power operations. Does not grant privileges to make virtual hardware changes to the virtual machine. Privileges granted include:
  • All privileges for the scheduled task privileges group
  • Selected privileges for the global items and virtual machine privileges groups
  • No privileges for the folder, datacenter, datastore, network, host, resource, alarms, sessions, performance, and permissions privileges groups
Usually granted on a folder that contains virtual machines or on individual virtual machines.
Available on vCenter Server

Resource Pool Administrator (sample role)

A set of privileges to allow the user to create child resource pools and modify the configuration of the children, but not to modify the resource configuration of the pool or cluster on which the role was granted. Also allows the user to grant permissions to child resource pools, and assign virtual machines to the parent or child resource pools. Privileges granted include:
  • All privileges for the folder, virtual machine, alarms, and scheduled task privileges groups
  • Selected privileges for the resource and permissions privileges groups
  • No privileges for the datacenter, network, host, sessions, or performance privileges groups
Additional privileges must be granted on virtual machines and datastores to allow provisioning of new virtual machines.
Usually granted on a cluster or resource pool.
Available on vCenter Server

Datastore Consumer (sample role)

A set of privileges to allow the user to consume space on the datastores on which this role is granted. To perform a space-consuming operation, such as creating a virtual disk or taking a snapshot, the user must also have the appropriate virtual machine privileges granted for these operations.
Usually granted on a datastore or a folder of datastores.
Available on vCenter Server

Network Consumer (sample role)

A set of privileges to allow the user to assign virtual machines or hosts to networks, if the appropriate permissions for the assignment are also granted on the virtual machines or hosts.
Usually granted on a network or folder of networks.
Available on vCenter Server

Describe how permissions are applied and inherited in vCenter Server

– vSphere allows the assignment of permissions to objects in the vSphere Client. When assigning a permission you choose whether or not it propagates down through the object tree. If you allow propagation, objects lower in the tree “inherit” the permission. However, a permission set directly on a child object takes precedence over an inherited permission.

For further information read pages 48 thru 53 (and the great diagram on pg 49) of the vSphere Security document.
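The following Python model is an added illustration, not code from the original post or from VMware: it encodes the propagation and child-overrides-parent rules described above, plus the per-task requirements from the “Common Privileges” section, and checks which privileges a principal is missing for a task. The role definitions are trimmed to the privileges the task needs, and the inventory objects and user names are constructed.

```python
# Roles trimmed to the privileges the page's "Common Privileges" table needs
# (vSphere Client display names; "*" stands for Administrator's full set).
ROLES = {
    "Administrator": {"*"}, "No Access": set(),
    "Datastore Consumer": {"Datastore.Allocate Space"},
    "Virtual Machine Power User": {"Virtual Machine.Inventory.Raw Create",
                                   "Virtual Machine.State.Create Snapshots"},
}
# Per-task requirements (object kind, privilege) from the Common Privileges table
TASKS = {"take snapshot": [("vm", "Virtual Machine.State.Create Snapshots"),
                           ("datastore", "Datastore.Allocate Space")]}

class InvObject:
    """Inventory object holding its parent and per-principal permissions."""
    def __init__(self, name, parent=None):
        self.name, self.parent, self.perms = name, parent, {}

    def grant(self, principal, role, propagate=True):
        self.perms[principal] = (role, propagate)   # one permission per principal

def effective_privileges(obj, principal):
    """Nearest permission up the tree wins; an ancestor's permission reaches
    this object only if it was set to propagate."""
    node, depth = obj, 0
    while node is not None:
        if principal in node.perms:
            role, propagate = node.perms[principal]
            if depth == 0 or propagate:
                return ROLES[role]
        node, depth = node.parent, depth + 1
    return set()

def missing_privileges(principal, task, targets):
    """Return (object name, privilege) pairs the principal lacks for the task."""
    missing = []
    for kind, priv in TASKS[task]:
        have = effective_privileges(targets[kind], principal)
        if "*" not in have and priv not in have:
            missing.append((targets[kind].name, priv))
    return missing

# Constructed sample inventory: Datacenter > "Dev VMs" folder > web01, datastore ds01
dc = InvObject("Datacenter"); folder = InvObject("Dev VMs", dc)
vm = InvObject("web01", folder); ds = InvObject("ds01", dc)
folder.grant("alice", "Virtual Machine Power User")            # propagates down to web01
ds.grant("alice", "Datastore Consumer")
dc.grant("bob", "Virtual Machine Power User"); vm.grant("bob", "No Access")  # child wins
dc.grant("carol", "Virtual Machine Power User", propagate=False)  # stops at the datacenter
TARGETS = {"vm": vm, "datastore": ds}
```

Alice can snapshot web01; Bob is blocked by the explicit No Access on the VM even though the datacenter grant propagates, and Carol's non-propagating grant never reaches the VM or the datastore.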

Configure and administer the ESXi firewall

Enable/Configure/Disable services in the ESXi firewall

  1. Within the vSphere Client select a host and click on the Configuration tab
  2. In the left hand pane under Software select Security Profile
  3. In the right hand pane select Properties to the right of the Firewall section
  4. Check or uncheck the services you wish to enable or disable
  5. (Optional) With a service highlighted click Options in the lower right
  6. (Optional) Select a Startup Policy from the following:
    1. Start Automatically if any ports are open, and stop when all ports are closed
    2. Start and stop with host
    3. Start and stop manually
  7. (Optional) Click OK
  8. (Optional) Click the Firewall button in the lower right
  9. (Optional) Select either Allow connections from any IP address or Only allow connections from the following networks
  10. (Optional) Click OK
  11. Click OK

For further information, including command line syntax, refer to pages 34 thru 40 of the vSphere Security document

Enable Lockdown Mode

– Enabled via the vSphere Client

  1. Within the vSphere Client select a host and click on the Configuration tab
  2. In the left hand pane under Software select Security Profile
  3. In the right hand pane select Edit to the right of Lockdown Mode
  4. Check the box Enable Lockdown Mode
  5. Click OK

– Enabled via the Direct Console User Interface (DCUI)

  1. From the DCUI press F2 and log in
  2. Select the option Configure Lockdown Mode and press Enter
  3. Press Esc to back out of the menus until you are back at the DCUI

Configure network security policies

  • MAC Address Changes – With this policy set to Accept (default), ESXi allows the effective MAC address to be changed to something other than the initial MAC address. When set to Reject, ESXi does not allow those changes to occur. This protects the host against MAC spoofing.
  • Forged Transmissions – With this policy set to Accept (default), ESXi does not compare source and effective MAC addresses. When set to Reject, the ESXi host does compare the source and effective MAC addresses of the client. If they do not match, the ESXi host drops the packet.
  • Promiscuous Mode – With this policy set to Reject (default), guest operating systems are not allowed to receive all network traffic on the wire. When set to Accept, the guest operating system can receive all network packets. Helpful when troubleshooting with a tool such as Wireshark. Note, however, that this does introduce some security concerns.
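As an added illustration (not code from the original post or from VMware), this Python model encodes the three policies' decisions exactly as the bullets describe them, with the ESXi defaults beside a fully hardened policy, and a small audit helper that reports which settings are still on Accept. The class names and MAC addresses are constructed; multicast delivery is left out of the promiscuous-mode check for brevity.

```python
from dataclasses import dataclass

@dataclass
class SecurityPolicy:
    """vSwitch / port group security policy. Defaults are the ESXi defaults the
    page lists: MAC changes Accept, forged transmits Accept, promiscuous Reject."""
    mac_changes: bool = True
    forged_transmits: bool = True
    promiscuous: bool = False

@dataclass
class VNic:
    initial_mac: str      # MAC assigned when the VM was created (in the .vmx)
    effective_mac: str    # MAC the guest OS is currently using

BROADCAST = "ff:ff:ff:ff:ff:ff"

def change_guest_mac(nic, policy, new_mac):
    """MAC Address Changes: with Reject, a guest attempt to move the effective
    MAC away from the initial MAC is refused (modelled as the page describes)."""
    if new_mac != nic.initial_mac and not policy.mac_changes:
        return False
    nic.effective_mac = new_mac
    return True

def outbound_allowed(nic, policy, src_mac):
    """Forged Transmissions: with Reject, ESXi compares the frame's source MAC
    with the effective MAC and drops the frame when they differ."""
    return policy.forged_transmits or src_mac == nic.effective_mac

def inbound_delivered(nic, policy, dst_mac):
    """Promiscuous Mode: with Reject, the guest sees only frames addressed to its
    effective MAC (or broadcast); with Accept it sees all traffic on the wire."""
    return policy.promiscuous or dst_mac in (nic.effective_mac, BROADCAST)

def accept_settings(policy):
    """Audit helper: names of the settings currently set to Accept."""
    return [name for name, on in (("MAC Address Changes", policy.mac_changes),
                                  ("Forged Transmissions", policy.forged_transmits),
                                  ("Promiscuous Mode", policy.promiscuous)) if on]

# Constructed sample policies: the ESXi defaults beside a hardened port group
DEFAULT = SecurityPolicy()
HARDENED = SecurityPolicy(mac_changes=False, forged_transmits=False, promiscuous=False)
```

Under DEFAULT a guest can both change its MAC and send frames with any source MAC; under HARDENED both are refused while normal unicast and broadcast delivery still work.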

View/Sort/Export user and group lists

  1. Connect the vSphere Client directly to an ESXi host
  2. Select the host and click the Local Users & Groups tab
  3. Sort the columns either by UID, User, Name, GID, or Group
  4. Right click anywhere in the right hand pane and click Export List
  5. Provide a File Name as well as the Location in the Save As dialog box
  6. Click Save

For further information read page 45 of the vSphere Security documentation

Add/Modify/Remove permissions on vCenter Server inventory objects

  1. Connect the vSphere Client directly to an ESXi host or vCenter Server
  2. Select an inventory object and select the Permissions tab
  3. In the right hand pane right click anywhere and select Add Permission
  4. Select a role from the Assigned Role menu
  5. Under Users and Groups click Add
  6. Add the required user or groups to the role (either local or Active Directory)
  7. Click OK
  8. Click OK
  9. Verify that permissions have been applied correctly

Create/Clone/Edit vCenter Server Roles

– Create a vCenter Server Role

  1. Within the vSphere Client select the Home page and click Roles
  2. In the upper left corner click Add Role
  3. Provide a name of the new role in the Name field
  4. Select the privileges you would like to grant the role from the tree
  5. Click OK when completed

– Clone a vCenter Server Role

  1. Within the vSphere Client select the Home page and click Roles
  2. Under Roles -> Name right click the role you wish to clone
  3. Select Clone from the options menu
  4. A new role is created with the name Copy of <role name>

– Edit a vCenter Server Role

  1. Within the vSphere Client select the Home page and click Roles
  2. Under Roles -> Name right click the role you wish to edit
  3. In the Edit Role screen you can change the role name as well as the role’s privileges
  4. When edits are completed click OK

For further information read pages 61 thru 63 of the vSphere Security documentation

Add an ESXi Host to a directory service

  1. Within the vSphere Client select a host and click on the Configuration tab
  2. In the left hand pane under Software select Authentication Services
  3. In the right hand pane select Properties to the right of Authentication Services Settings
  4. Change the drop down to Active Directory under User Directory Service
  5. Under Domain Settings enter the FQDN of the domain you wish to join in the Domain field
  6. Click the Join Domain button
  7. Enter the user name and password of an account that has the rights to join the system to the Active Directory domain
  8. Click OK
  9. Click OK to close the Directory Services Configuration window

For further information read pages 63 thru 70 of the vSphere Security documentation.

Apply permissions to ESXi Hosts using Host Profiles

  1. Within the vSphere Client select the Home page and click Host Profiles
  2. Right click an existing host profile in the left hand pane and select Edit Profile
  3. Expand the profile tree, and then expand Security Configuration
  4. Right-click the Permission rules folder and select Add Profile
  5. Expand Permission Rules and select Permission
  6. On the Configuration Details tab in the right hand pane, click the Configure a permission drop-down menu and select Require a Permission Rule
  7. Enter the name of a user and group
  8. Enter the assigned role name for the user or group
  9. Select the Propagate permission check box and click OK

Determine the appropriate set of privileges for common tasks in vCenter Server

See the section “Common Privileges” above.

Tools

  • vSphere Installation and Setup guide
  • vCenter Server and Host Management guide
  • vSphere Security guide
  • Solutions and Examples for VMware vSphere 5 guide