VCAP-DCA 5 Objective 7.1 – Secure ESXi Hosts

Objective 7.1 Secure ESXi Hosts

For this objective I used the following resources:

  • vSphere Security Documentation
  • vSphere Examples and Scenarios Documentation
  • vSphere 5 Hardening Guide
  • VMware KB Article 1002934 How promiscuous mode works at the virtual switch and portgroup levels
  • VMware KB Article 1017910 Using Tech Support Mode in ESXi 4.1 and ESXi 5.0
  • VMware KB Article 1012285 Failure to enable Fault Tolerance for a virtual machine
  • VMware KB Article 1008077 Enabling or disabling Lockdown mode on an ESXi host
  • VMware KB Article 2015499 Configuring CA signed certificates for ESXi 5.0 hosts
  • VMware KB Article 2015383 Implementing CA signed SSL certificates with vSphere 5
  • VMware KB Article 1029944 Generating custom or default SSL certificates
  • VMware KB Article 2015387 Configuring OpenSSL for installation and configuration of CA signed certificates in the vSphere Environment
  • VMware KB Article 1012033 ESX and ESXi 4.x and 5.x password requirements and restrictions
  • VMware KB Article 2004201 Location of ESXi 5.0 log files

Knowledge

Identify virtual switch security characteristics

MAC Address Changes – This setting affects traffic that a virtual machine receives. When the option is set to Accept (Default), ESX accepts requests to change the effective MAC address to other than the initial MAC address.

When the option is set to Reject, ESX does not honor requests to change the effective MAC address to anything other than the initial MAC address, which protects the host against MAC impersonation. The port that the virtual adapter used to send the request is disabled and the virtual adapter does not receive any more frames until it changes the effective MAC address to match the initial MAC address. The guest operating system does not detect that the MAC address change was not honored.

In some situations, you might have a legitimate need for more than one adapter to have the same MAC address on a network – for example, if you are using Microsoft Network Load Balancing in unicast mode. When MS NLB is used in the standard multicast mode, adapters do not share MAC addresses.

Forged Transmissions – This setting affects traffic that is transmitted from a virtual machine. When the option is set to Accept (Default), ESX does not compare source and effective MAC addresses.

To protect against MAC impersonation, you can set this option to Reject. If you do, the host compares the source MAC address being transmitted by the operating system with the effective MAC address for its adapter to see if they match. If the addresses do not match, ESX drops the packet.

The guest operating system does not detect that its virtual network adapter cannot send packets by using the impersonated MAC address. The ESX host intercepts any packets with impersonated addresses before they are delivered, and the guest operating system might assume that the packets are dropped.

Promiscuous Mode Operation – Promiscuous mode eliminates any reception filtering that the virtual network adapter would perform so that the guest operating system receives all traffic observed on the wire. By default, the virtual network adapter cannot operate in promiscuous mode.
Although promiscuous mode can be useful for tracking networking activity, it is an insecure mode of operation, because any adapter in promiscuous mode has access to the packets regardless of whether some of the packets are received only by a particular network adapter. This means that an administrator or root user within a virtual machine can potentially view traffic destined for other guest or host operating systems.

See page 51 of the vSphere Networking documentation for the procedure on how to configure these settings. For additional reading on how promiscuous mode works have a look at VMware KB Article 1002934 “How promiscuous mode works at the virtual switch and portgroup levels”.
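As an added example (my own script, not something from the page or from VMware), here is a small audit of the three settings described above. It is written in POSIX sh so it also runs in the ESXi Shell, and it parses the "Name: value" lines that `esxcli network vswitch standard policy security get -v <vswitch>` prints on an ESXi 5 host; the exact layout of that output is an assumption from memory, so compare it with your own host before relying on the script. The sample policy text embedded in it is constructed.

```shell
#!/bin/sh
# Audit of the three vSwitch security settings described above. Added example,
# not from the page or from VMware; written in POSIX sh so it also runs in the
# ESXi Shell (busybox ash). It parses the "Name: value" lines printed by
#   esxcli network vswitch standard policy security get -v <vswitch>
# (that output layout is an assumption from memory; compare it with your own
# host) and reports every setting still left at Accept, which esxcli shows as
# "true".

# Constructed sample, standing in for the esxcli output of a vSwitch that
# still has MAC Address Change and Forged Transmits at the Accept default.
SAMPLE_POLICY='   Allow Promiscuous: false
   Allow MAC Address Change: true
   Allow Forged Transmits: true'

# policy_value <setting-name> : read policy text on stdin, print that setting's
# boolean ("true" = Accept, "false" = Reject); prints nothing if absent.
policy_value() {
    sed -n "s/^[[:space:]]*$1:[[:space:]]*\([a-z]*\).*/\1/p"
}

# audit_policy : read policy text on stdin, print one verdict line per
# setting. Exit status 0 when all three are Reject, 1 when any is Accept or
# missing, so it can drive a loop over every vSwitch on a host.
audit_policy() {
    text=$(cat)
    rc=0
    for name in 'Allow Promiscuous' 'Allow MAC Address Change' 'Allow Forged Transmits'; do
        value=$(printf '%s\n' "$text" | policy_value "$name")
        case "$value" in
            true)  echo "ACCEPT  $name   <- set to Reject unless a guest needs it (e.g. NLB unicast)"; rc=1 ;;
            false) echo "reject  $name" ;;
            *)     echo "MISSING $name   <- no such line in the input"; rc=1 ;;
        esac
    done
    return $rc
}

# count_accepts : number of settings still at Accept in the policy text on stdin.
count_accepts() {
    audit_policy | awk '/^ACCEPT/ { n++ } END { print n + 0 }'
}

# Demo run against the constructed sample. On a real host replace the printf
# with the esxcli command quoted above; the matching "set" subcommand takes
# --allow-promiscuous, --allow-mac-change and --allow-forged-transmits
# (flag names from memory; confirm with "esxcli ... security set --help").
printf '%s\n' "$SAMPLE_POLICY" | audit_policy \
    || echo "-> $(printf '%s\n' "$SAMPLE_POLICY" | count_accepts) setting(s) still at Accept"
```

The non-zero exit status is the useful part: wrap the audit in a loop over `esxcli network vswitch standard list` and you get a quick pass/fail per vSwitch, and the same parsing works for the per-portgroup policy, which overrides the vSwitch setting.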

Skills and Abilities

Add/Edit/Remove users/groups on an ESXi host

Adding a user to an ESXi host

  • Connect directly to the ESXi host via the vSphere Client
  • Click the Users & Groups tab and click Users
  • Right-click anywhere in the Users table and click Add to open the Add New User dialog box
  • Enter a login, a user name, a numeric user ID (UID), and a password
    • Specifying the user name and UID is optional. If you do not specify the UID, the vSphere Client assigns the next available UID
    • Create a password that meets the length and complexity requirements. The host checks for password compliance using the default authentication plug-in, pam_passwdqc.so. If the password is not compliant, the following error appears: A general system error occurred: passwd: Authentication token manipulation error.
  • To allow a user to access the ESX host through a command shell, select Grant shell access to this user
  • To add the user to a group, select the group name from the Group drop-down menu and click Add
  • Click OK

Edit a user account on an ESXi host

  • Connect directly to the ESX host via the vSphere Client
  • Click the Users & Groups tab and click Users
  • Right-click the user and click Edit to open the Edit User dialog box
  • To change the user ID, enter a numeric UID in the UID text box
  • Enter a new user name
  • To change the user’s password, select Change Password and enter the new password
    • Create a password that meets the length and complexity requirements. The host checks for password compliance using the default authentication plug-in, pam_passwdqc.so. If the password is not compliant, the following error appears: A general system error occurred: passwd: Authentication token manipulation error.
  • To change the user’s ability to access the ESX host through a command shell, select or deselect Grant shell access to this user
  • To add the user to a group, select the group name from the Group drop-down menu and click Add
  • To remove the user from a group, select the group name from the Group membership box and click Remove
  • Click OK

Remove a User or Group

  • Connect directly to the ESX host via the vSphere Client
  • Click the Users & Groups tab and click Users or Groups
  • Right-click the user or group to remove and select Remove

Adding a Group to an ESXi host

  • Connect directly to the ESX host via the vSphere Client
  • Click the Users & Groups tab and click Groups
  • Right-click anywhere in the Group table and click Add to open the Create New Group dialog box
  • Enter a group name and numeric group ID (GID) in the Group ID text box
  • For each user that you want to add as a group member, select the user name from the list and click Add
  • Click OK

Add or Remove Users from a Group

  • Connect directly to the ESX host via the vSphere Client
  • Click the Users & Groups tab and click Groups
  • Right-click the group to modify and select Properties to open the Edit Group dialog box
  • To add the user to a group, select the group name from the Group drop-down menu and click Add
  • To remove the user from a group, select the group name from the Group membership box and click Remove
  • Click OK

Customize SSH settings for increased security

SSH access to an ESXi host is disabled by default, and gone are the days of “ESX Classic” and editing the sshd_config file to allow the ‘root’ account SSH access. In ESXi you can enable SSH access either via the vSphere Client or at the Direct Console User Interface. See VMware KB Article 1017910 “Using Tech Support Mode in ESXi 4.1 and ESXi 5.0” on how to enable SSH as well as set the SSH timeout values.

Enable/Disable certificate checking

To prevent man-in-the-middle attacks and to fully use the security that certificates provide, certificate checking is enabled by default. Note that certificate checking is required to use VMware Fault Tolerance (see VMware KB Article 1012285 “Failure to enable Fault Tolerance for a virtual machine”).

Procedure – Taken from page 72 of the vSphere Security documentation

  • Log in to the vCenter Server system using the vSphere Client
  • Select Administration –> vCenter Server Settings
  • Click SSL Settings in the left pane and verify that Check host certificates is selected
  • If there are hosts that require manual validation, compare the thumbprints listed for the hosts to the thumbprints in the host console (see below)
  • If the thumbprint matches, select the Verify check box next to the host
  • Click OK

To obtain the host thumbprint using the Direct Console User Interface

  • Log in to the direct console and press F2 to access the System Customization menu
  • Select View Support Information
  • The host thumbprint appears in the column on the right

Generate ESXi host certificates

Procedure – Taken from page 72 of the vSphere Security documentation

  • Log in to the ESXi Shell and acquire root privileges
  • In the directory /etc/vmware/ssl, back up any existing certificates by renaming them using the following commands:
    • mv rui.crt orig.rui.crt
    • mv rui.key orig.rui.key
  • Run the command /sbin/generate-certificates to generate new certificates
  • Run the command /etc/init.d/hostd restart to restart the hostd process
  • Confirm that the host successfully generated new certificates by using the following command and comparing the time stamps of the new certificate files with orig.rui.crt and orig.rui.key
    • ls -la
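The two procedures above both come down to handling the rui.crt/rui.key pair and knowing its thumbprint, so here is an added example of my own (not from the page or from VMware) that does both against a throwaway self-signed pair in a scratch directory standing in for /etc/vmware/ssl: it backs the pair up the way the procedure does, generates a replacement, and prints the SHA1 thumbprint in the colon-separated form the DCUI shows, with a comparison helper that tolerates a thumbprint typed by hand in lower case or without colons. It needs the openssl command, which a workstation and the ESXi 5 Shell both have; the certificate subject is made up.

```shell
#!/bin/sh
# Thumbprint check for an ESXi host certificate, as used in the two procedures
# above (comparing the DCUI thumbprint with the one vCenter shows, and
# confirming that new rui.crt/rui.key files were generated). Added example,
# not from the page or from VMware. Needs the openssl command, which a
# workstation and the ESXi 5 Shell both have. Everything happens in a scratch
# directory with a throwaway self-signed pair, standing in for /etc/vmware/ssl.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_test_cert <dir> : create a throwaway rui.key / rui.crt pair in <dir>.
# Constructed test data only (made-up subject); a host generates its own pair
# with /sbin/generate-certificates.
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=esxi-example.lab.invalid" \
        -keyout "$1/rui.key" -out "$1/rui.crt" 2>/dev/null
}

# backup_certs <dir> : move an existing pair out of the way exactly as the
# procedure above does (mv rui.crt orig.rui.crt; mv rui.key orig.rui.key).
backup_certs() {
    [ -f "$1/rui.crt" ] && mv "$1/rui.crt" "$1/orig.rui.crt"
    [ -f "$1/rui.key" ] && mv "$1/rui.key" "$1/orig.rui.key"
    return 0
}

# cert_thumbprint <pem-file> : print the SHA1 fingerprint in the colon-separated
# upper-case form the DCUI "View Support Information" screen displays.
cert_thumbprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha1 | sed 's/^.*=//'
}

# thumbprint_matches <expected> <actual> : compare two thumbprints, ignoring
# case and colons so a value copied by hand from the console still compares.
thumbprint_matches() {
    a=$(printf '%s' "$1" | tr -d ':' | tr 'a-f' 'A-F')
    b=$(printf '%s' "$2" | tr -d ':' | tr 'a-f' 'A-F')
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Demo: generate a pair, back it up, generate a replacement and show that the
# thumbprint changed, which is what you expect after /sbin/generate-certificates.
make_test_cert "$WORK"
OLD=$(cert_thumbprint "$WORK/rui.crt")
backup_certs "$WORK"
make_test_cert "$WORK"
NEW=$(cert_thumbprint "$WORK/rui.crt")
echo "old thumbprint: $OLD"
echo "new thumbprint: $NEW"
if thumbprint_matches "$OLD" "$NEW"; then
    echo "certificate was NOT regenerated"
else
    echo "certificate regenerated; check $NEW against the vSphere Client before ticking Verify"
fi
```

Comparing thumbprints rather than file timestamps is the stronger check: `ls -la` tells you a file was written, the thumbprint tells you which certificate the host is actually presenting, and it is the same value vCenter asks you to confirm when you tick Verify.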

Enable ESXi lockdown mode

When you enable lockdown mode, no users other than vpxuser have authentication permissions, nor can they perform operations against the host directly. Lockdown mode forces all operations to be performed through vCenter Server. This includes running vCLI commands or using the vMA against the host. You can enable lockdown mode using the Add Host wizard to add an ESXi host to vCenter Server, using the vSphere Client to manage a host, or using the direct console user interface.

Note – If you enable or disable lockdown mode using the direct console user interface, permissions for users and groups on the host are discarded. To preserve these permissions, you must enable and disable lockdown mode using the vSphere Client connected to vCenter Server.

Enabling lockdown mode affects which users are authorized to access host services. The chart below lists which services can be used by different types of users when the host is running in lockdown mode, compared to when the host is running in normal mode:

  Service                         Normal Mode                            Lockdown Mode
  vSphere WebServices API         All users, based on ESXi permissions   vCenter only (vpxuser)
  CIM Providers                   Root users and Admin users             vCenter only (ticket)
  Direct Console User Interface   Root users and Admin users             Root users
  ESXi Shell                      Root users and Admin users             No users
  SSH                             Root users and Admin users             No users

Procedure – Taken from page 82 and 83 of the vSphere Security documentation

Using the vSphere Client

  • Log in to a vCenter Server system using the vSphere Client
  • Select the host in the inventory panel
  • Click the Configuration tab and click Security Profile
  • Click the Edit link next to lockdown mode
  • Select Enable Lockdown Mode
  • Click Ok

Using the Direct Console User Interface (DCUI)

  • At the DCUI of the host, press F2 and log in
  • Scroll to the Configure Lockdown Mode setting and press Enter
  • Press ESC until you return to the main menu of the DCUI

For further reading on Lockdown Mode see pages 81 through 83 of the vSphere Security documentation. Also see VMware KB Article 1008077 “Enabling or disabling Lockdown mode on an ESXi host” to enable/disable lockdown mode using vim-cmd as well as PowerCLI.

Replace default certificate with CA-signed certificate

This is one of those topics that goes into great detail and has been well documented by others in the VMware community as well as in several VMware KB articles. Below is the procedure outlined in the vSphere Security documentation, as well as several other resources I would strongly recommend reading.

Procedure – Taken from page 73 of the vSphere Security documentation

  • Log in to the ESXi Shell and acquire root privileges
  • In the directory /etc/vmware/ssl, back up any existing certificates by renaming them using the following commands:
    • mv rui.crt orig.rui.crt
    • mv rui.key orig.rui.key
  • Copy the new certificate and key to /etc/vmware/ssl
  • Rename the new certificate and key to rui.crt and rui.key
  • Restart the hostd process
    • /etc/init.d/hostd restart

For additional reading/information on using CA-signed certificates take a look at the following:

Configure SSL timeouts

Timeout periods can be set for two types of idle connections:

  • The Read Timeout setting applies to connections that have completed the SSL handshake process with port 443 of ESXi
  • The Handshake Timeout setting applies to connections that have not completed the SSL handshake process with port 443 of ESXi

Procedure – Taken from page 75 of the vSphere Security documentation

  • Log in to the ESXi Shell and acquire root privileges
  • Change to the directory /etc/vmware/hostd
  • Use a text editor to open the config.xml file
  • Enter the <readTimeoutMs> value in milliseconds
  • Enter the <handshakeTimeoutMs> value in milliseconds
  • Save your changes and close the file
  • Restart the hostd process:
    • /etc/init.d/hostd restart

Configure vSphere Authentication Proxy

The vSphere Authentication Proxy allows for better security in environments that plan on leveraging either PXE booting hosts or utilizing VMware Auto Deploy. It does this by eliminating the need to store Active Directory credentials with the host configuration. The installation and configuration of the proxy is a multi-step process that has been outlined on pages 65 through 69 of the “vSphere Security” documentation. Rather than re-type the steps I will refer you to that document.

Enable strong passwords and configure password policies

Password strength and complexity – By default ESXi uses the pam_passwdqc.so plugin to set the rules that users must observe when creating passwords and to check password strength. To configure password complexity, you can change the default value of the following parameters:

  • N0 – Is the number of characters required for a password that uses characters from only one character class. For example, the password contains only lowercase letters
  • N1 – Is the number of characters required for a password that uses characters from two character classes
  • N2 – Is used for passphrases. ESX requires three words for a passphrase. Each word in the passphrase must be 8 to 40 characters long
  • N3 – Is the number of characters required for a password that uses characters from three character classes
  • N4 – Is the number of characters required for a password that uses characters from all four character classes
  • match – Is the number of characters allowed in a string that is reused from the old password. If the pam_passwdqc.so plugin finds a reused string of this length or longer, it disqualifies the string from the strength test and uses only the remaining characters
  • retry – Is the number of times a user is prompted for a new password if the password candidate is not sufficiently strong

Procedure – Taken from page 93 of the vSphere Security documentation

  • Log in to the ESXi Shell and acquire root privileges
  • Open the passwd file with a text editor
  • Edit the following line
    • password requisite /lib/security/$ISA/pam_passwdqc.so retry=N min=N0,N1,N2,N3,N4
  • Save the file

VMware KB Article 1012033 “ESX and ESXi 4.x and 5.x password requirements and restrictions” covers the same steps as well as provides an example.
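Because it is easy to misread which of N0 through N4 a given password is judged against, here is an added example of my own (not from the page, from VMware, or from the pam_passwdqc source) that re-implements the min= rule described above in POSIX sh, including the plug-in's habit of not counting an upper-case first letter or a digit last character as a class of its own, and the passphrase route via N2 as the description above gives it (three or more words of 8 to 40 characters). It covers only the length/class rule, not the plug-in's dictionary or old-password similarity checks. On ESXi 5 the line lives in /etc/pam.d/passwd; the two policies in the demo are constructed, and "8,8,8,7,6" is what I recall as the ESXi 5 default, so treat that as an assumption and check your own host.

```shell
#!/bin/sh
# Worked check of the pam_passwdqc "min=N0,N1,N2,N3,N4" rule explained above.
# Added example, not from the page or from VMware: a POSIX sh reimplementation
# of how the plug-in chooses the minimum length for a candidate password, so
# you can predict which N-value a password will be judged against before you
# change the policy line. It covers only the length/class rule described
# above, not the plug-in's dictionary and old-password similarity checks.
# On ESXi 5 the line lives in /etc/pam.d/passwd; the policies used in the demo
# are constructed ("8,8,8,7,6" is what I recall as the ESXi 5 default, an
# assumption worth checking against your host).

# count_classes <password> : number of character classes in use (digits,
# lower case, upper case, other). As pam_passwdqc does, an upper-case letter
# used only as the first character and a digit used only as the last
# character are not counted, since those are the habitual placements.
count_classes() {
    pw=$1
    digits=$(printf '%s' "$pw" | tr -cd '[:digit:]' | wc -c | tr -d ' ')
    lowers=$(printf '%s' "$pw" | tr -cd '[:lower:]' | wc -c | tr -d ' ')
    uppers=$(printf '%s' "$pw" | tr -cd '[:upper:]' | wc -c | tr -d ' ')
    others=$(printf '%s' "$pw" | tr -d '[:alnum:]' | wc -c | tr -d ' ')
    first=${pw%"${pw#?}"}      # first character (pure parameter expansion)
    last=${pw#"${pw%?}"}       # last character
    case "$first" in [[:upper:]]) uppers=$((uppers - 1)) ;; esac
    case "$last"  in [[:digit:]]) digits=$((digits - 1)) ;; esac
    n=0
    [ "$digits" -gt 0 ] && n=$((n + 1))
    [ "$lowers" -gt 0 ] && n=$((n + 1))
    [ "$uppers" -gt 0 ] && n=$((n + 1))
    [ "$others" -gt 0 ] && n=$((n + 1))
    echo "$n"
}

# policy_field <min-policy> <index> : the Nth value (1-based) of an N0..N4 list.
policy_field() {
    printf '%s\n' "$1" | cut -d, -f"$2"
}

# is_passphrase <password> : "yes" when the candidate has at least three
# space-separated words of 8 to 40 characters each, as described above.
is_passphrase() {
    printf '%s\n' "$1" | awk '{ for (i = 1; i <= NF; i++)
            if (length($i) < 8 || length($i) > 40) bad = 1 }
        END { print ((NF >= 3 && !bad) ? "yes" : "no") }'
}

# check_password <min-policy> <password> : print the verdict together with
# the N-value it hinged on. Exit status 0 = passes the min= rule, 1 = rejected.
check_password() {
    policy=$1; pw=$2
    len=$(printf '%s' "$pw" | wc -c | tr -d ' ')
    classes=$(count_classes "$pw")
    # N2 is an alternative route: a passphrase only has to reach that length.
    n2=$(policy_field "$policy" 3)
    if [ "$(is_passphrase "$pw")" = yes ] && [ "$n2" != disabled ] && [ "$len" -ge "$n2" ]; then
        echo "ACCEPT  N2 passphrase: length $len >= $n2"
        return 0
    fi
    case "$classes" in
        1) rule=N0; need=$(policy_field "$policy" 1) ;;
        2) rule=N1; need=$(policy_field "$policy" 2) ;;
        3) rule=N3; need=$(policy_field "$policy" 4) ;;
        4) rule=N4; need=$(policy_field "$policy" 5) ;;
        *) rule=none; need=disabled ;;
    esac
    if [ "$need" = disabled ]; then
        echo "REJECT  $rule ($classes class(es)): that kind of password is disabled"
        return 1
    elif [ "$len" -ge "$need" ]; then
        echo "ACCEPT  $rule ($classes class(es)): length $len >= $need"
        return 0
    else
        echo "REJECT  $rule ($classes class(es)): length $len < $need"
        return 1
    fi
}

# Demo: the same candidates under the lenient default and under a stricter,
# constructed policy that disables one- and two-class passwords altogether.
for policy in "8,8,8,7,6" "disabled,disabled,16,12,8"; do
    echo "policy min=$policy"
    for pw in "Password1" "pAssw0rd" "pAssw0rd-Example" "airplane bluebird cardigan"; do
        printf '  %-28s ' "$pw"
        check_password "$policy" "$pw" || :
    done
done
```

The demo makes the point of the first-letter/last-digit rule concrete: "Password1" looks like a three-class password but is judged under N0 as a one-class one, so a policy of "disabled,disabled,16,12,8" rejects it outright while the default of "8,8,8,7,6" accepts it.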

Identify methods for hardening virtual machines

Suggestions taken from the vSphere Security documentation (as well as procedures to implement them) starting on page 87:

  • Install antivirus software
  • Disable copy and paste to the clipboard
  • Remove unnecessary hardware devices
  • Limit guest operating system writes to host memory

For additional security settings covering VMs, ESXi hosts, networking, and vCenter I STRONGLY suggest taking a look at the VMware “vSphere 5 Hardening Guide” located HERE.

Analyze logs for security-related messages

Review VMware KB Article 2004201 “Location of ESXi 5.0 log files”. The article covers each of the host log files and the tools that can be used to view them.
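To give the "security-related messages" part of this objective something concrete, here is an added example of my own (not from the page or from VMware) that pulls SSH authentication events out of the host's auth log. ESXi 5 writes sshd messages to /var/log/auth.log (one of the files the KB article lists) and the message text is the standard sshd wording; the seven log lines embedded below are constructed sample data in that shape, and the ISO timestamp prefix is my assumption about the syslog format, so the awk only relies on the sshd fields after it.

```shell
#!/bin/sh
# Pulling SSH authentication events out of an ESXi auth log. Added example,
# not from the page or from VMware. ESXi 5 writes sshd messages to
# /var/log/auth.log (the KB article above lists the host log files); the
# message text is the standard sshd wording. The lines below are constructed
# sample data in that shape, with an ISO timestamp prefix (an assumption
# about the exact prefix format; the awk only relies on the sshd fields).

SAMPLE_AUTH_LOG='2012-03-15T08:40:12Z sshd[102345]: Failed password for root from 192.0.2.10 port 50123 ssh2
2012-03-15T08:40:15Z sshd[102345]: Failed password for root from 192.0.2.10 port 50123 ssh2
2012-03-15T08:40:19Z sshd[102345]: Failed password for root from 192.0.2.10 port 50123 ssh2
2012-03-15T08:40:22Z sshd[102346]: Failed password for invalid user admin from 192.0.2.10 port 50124 ssh2
2012-03-15T08:41:03Z sshd[102347]: Accepted password for root from 192.0.2.10 port 50130 ssh2
2012-03-15T08:55:40Z sshd[102390]: Failed password for root from 198.51.100.7 port 41000 ssh2
2012-03-15T09:02:11Z sshd[102401]: Accepted publickey for root from 203.0.113.5 port 60222 ssh2'

# awk helper shared by the functions below: the address is the word after
# "from", however many words precede it ("for root from", "for invalid user
# admin from").
AWK_SOURCE='function source_of() { for (i = 1; i <= NF; i++) if ($i == "from") return $(i + 1); return "" }'

# failed_by_source : "count address" per source, most failures first.
failed_by_source() {
    awk "$AWK_SOURCE"'
        /sshd\[[0-9]+\]: Failed password for/ { fail[source_of()]++ }
        END { for (ip in fail) print fail[ip], ip }' | sort -rn
}

# accepted_logins : "timestamp user address" for every successful SSH login.
# With lockdown mode on (or SSH left disabled) this list should stay empty.
accepted_logins() {
    awk "$AWK_SOURCE"'
        /sshd\[[0-9]+\]: Accepted (password|publickey) for/ {
            for (i = 1; i <= NF; i++) if ($i == "for") user = $(i + 1)
            print $1, user, source_of() }'
}

# suspicious_sources <threshold> : addresses that failed at least <threshold>
# times and then logged in successfully, the pattern of a guessed password.
suspicious_sources() {
    awk -v thr="$1" "$AWK_SOURCE"'
        /sshd\[[0-9]+\]: Failed password for/ { fail[source_of()]++ }
        /sshd\[[0-9]+\]: Accepted (password|publickey) for/ { ok[source_of()] = 1 }
        END { for (ip in fail) if (fail[ip] >= thr && ok[ip]) print ip }' | sort
}

# Demo over the constructed sample; on a host: suspicious_sources 3 < /var/log/auth.log
echo "failed logins by source:";         printf '%s\n' "$SAMPLE_AUTH_LOG" | failed_by_source
echo "accepted logins:";                 printf '%s\n' "$SAMPLE_AUTH_LOG" | accepted_logins
echo "failed >=3 times then succeeded:"; printf '%s\n' "$SAMPLE_AUTH_LOG" | suspicious_sources 3
```

The third function is the one worth scheduling: a burst of failures followed by an accepted login from the same address is exactly the event the password policy and lockdown mode sections of this objective are meant to prevent, and it is far more telling than the raw failure count on its own.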

Manage Active Directory integration

Procedure – Taken from page 67 of the vSphere Security documentation

  • Select a host in the vSphere Client inventory, and click the Configuration tab
  • Click Properties
  • In the Directory Services Configuration dialog box, select the directory service from the drop-down menu
  • Enter a domain
  • Click Join Domain
  • Enter the user name and password of a directory service user who has permissions to join the host to the domain, and click OK
  • Click OK to close the Directory Services Configuration dialog box

Jason Boche (blog / twitter) has put together a post outlining how to place a host in a specific AD OU when joining it to your domain. That post is located HERE. If you are using or planning to use VMware Host Profiles to manage your ESXi systems, have a look at page 41 of the “VMware vSphere Examples and Scenarios” documentation. It outlines the proper configuration steps needed.
