VCP6–Objective 1.2–Secure ESXi, vCenter Server, & vSphere Virtual Machines

For this objective the following resources were used:

Objective 1.2 – Secure ESXi, vCenter Server, & vSphere Virtual Machines

Knowledge

Enable/Configure/Disable Services in the ESXi Firewall

  • From the Home screen, click Hosts and Clusters
  • In the left navigation pane, select the desired Host
  • In the right navigation pane, select Manage and click the Settings tab
  • Under System highlight Security Profile
  • In the right hand pane select Edit to the right of Services
  • A list of ESXi services will be displayed

Services can be configured with one of three Startup Policies:

  • Start and stop with host
  • Start and stop manually
  • Start and stop with port usage

Enable Lockdown Mode

Enabled via vSphere Web Client:

  • From the Home screen, click Hosts and Clusters
  • In the left navigation pane, select the desired Host
  • In the right navigation pane, select Manage and click the Settings tab
  • Under System highlight Security Profile
  • In the right hand pane select Edit to the right of Lockdown Mode (you may need to scroll down to this option)
  • Specify the Host Lockdown Mode and any Exception Users
  • Click OK to complete

Lockdown mode supports three configurations:

  • Disabled – Lockdown mode is disabled
  • Normal – The host is accessible only through the local console or vCenter Server
  • Strict – The host is accessible only through vCenter Server. The Direct Console UI service is stopped

New to lockdown mode in vSphere 6 is the implementation of Exception Users. Users added to the exception list do not lose their permissions or privileges when an ESXi host is placed into Lockdown Mode. Exception Users can only be added/configured via the vSphere Web Client.

Enabled via the Direct Console User Interface (DCUI)

  • From the DCUI (Direct Console User Interface) press F2 and log in
  • Select the option Configure Lockdown Mode and press Enter
  • Use the Space Bar to Enable/Disable lockdown mode
  • Press the ESC to cancel or Enter to accept the changes

Configure Network Security Policies

Network security policies can be configured on both vSphere Standard Switches (VSS) and vSphere Distributed Switches (VDS) at the switch or Port Group level.

  • MAC Address Changes – With this policy set to Accept (Default), ESXi allows the effective MAC address to be changed to something other than the initial MAC address. When set to Reject, ESXi does not allow those changes. This protects the host against MAC spoofing.
  • Forged Transmissions – With this policy set to Accept (Default), ESXi does not compare source and effective MAC addresses. When set to Reject, the ESXi host does compare the source and effective MAC addresses of the client. If they do not match, the ESXi host drops the packet.
  • Promiscuous Mode – With this policy set to Reject (Default), guest operating systems are not allowed to receive all network traffic on the wire. When set to Accept, the guest operating system can receive all network packets. This is helpful when troubleshooting with a tool such as Wireshark. Note, however, that it does introduce some security concerns.
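
The three policies act on different directions of traffic, which is easy to lose in the descriptions above. The following added example (not from the original post or from VMware) is a simplified model of the checks; the class and function names are hypothetical, the MAC addresses are constructed, and broadcast/multicast handling is left out.

```python
from dataclasses import dataclass

@dataclass
class SecurityPolicy:
    mac_changes: bool = True       # Accept (default)
    forged_transmits: bool = True  # Accept (default)
    promiscuous: bool = False      # Reject (default)

@dataclass
class VNic:
    initial_mac: str    # MAC assigned to the virtual adapter
    effective_mac: str  # MAC the guest OS has configured on the adapter

def port_enabled(policy, nic):
    # MAC Address Changes = Reject: a changed effective MAC is not honoured
    # and the adapter receives no frames until it matches the initial MAC.
    return policy.mac_changes or nic.effective_mac == nic.initial_mac

def can_transmit(policy, nic, src_mac):
    # Forged Transmissions = Reject: drop frames whose source MAC differs
    # from the adapter's effective MAC.
    return policy.forged_transmits or src_mac == nic.effective_mac

def can_receive(policy, nic, dst_mac):
    # Promiscuous Mode = Accept delivers every frame, otherwise only frames
    # addressed to the effective MAC (broadcast/multicast left out here).
    if not port_enabled(policy, nic):
        return False
    return policy.promiscuous or dst_mac == nic.effective_mac

def evaluate(policy):
    """Outcome of three constructed scenarios under the given policy."""
    unchanged = VNic("00:50:56:aa:00:01", "00:50:56:aa:00:01")
    changed = VNic("00:50:56:aa:00:01", "00:50:56:bb:00:02")
    return {
        "receive_after_mac_change":
            can_receive(policy, changed, changed.effective_mac),
        "transmit_with_other_source_mac":
            can_transmit(policy, unchanged, "00:50:56:cc:00:03"),
        "receive_frame_for_other_vm":
            can_receive(policy, unchanged, "00:50:56:dd:00:04"),
    }

if __name__ == "__main__":
    for name, policy in [("default", SecurityPolicy()),
                         ("all Reject", SecurityPolicy(False, False, False))]:
        print(name, evaluate(policy))
```

With the defaults, the first two scenarios succeed and only the third is blocked; with all three policies set to Reject, none of them succeed.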

Add an ESXi Host to a Directory Service

    • From the Home screen, click Hosts and Clusters
    • In the left navigation pane, select the desired Host
    • In the right navigation pane, select Manage and click the Settings tab
    • Under System highlight Authentication Services
    • In the right hand pane click Join Domain to the right of Authentication Services
    • In the Domain Settings dialog provide the FQDN of the desired Active Directory Domain and provide User Credentials with the appropriate permissions to join systems to the domain.
    • (Optional) Provide a Proxy Server if needed
    • Click OK to complete

Apply Permissions to ESXi Hosts Using Host Profiles

  • From the Home screen, click Host Profiles
  • In the left hand navigation pane select the Host Profile (note, if a Host Profile has not been created, create one now)
  • In the right hand navigation pane, select Manage and click the Settings tab
  • Click Edit Host Profile
  • Expand Security and Services
  • Select the Permission Rules folder and click the Green Plus Sign
  • In the right hand pane using the dropdown menu select the Permission
  • Click Next
  • Click Finish to save the changes to the Host Profile

Configure Virtual Machine Security Policies

There are lots of details here, but the first rule of thumb for securing a virtual machine is to treat it the same as a physical server. That means keeping both the OS and installed applications patched to the latest versions, leveraging anti-virus software (in guest or host offloaded), disabling unnecessary services, and ensuring proper access to the system. For additional VMware virtual machine specific settings, have a look at Section 7 of the vSphere Security documentation. Below is a rundown of the items listed in the Virtual Machine Security Best Practices section:

  • Use templates to deploy virtual machines
  • Minimize use of virtual machine console
  • Prevent virtual machines from taking over resources
  • Disable unnecessary functions inside virtual machines
  • Remove unnecessary hardware devices
  • Disable unused display features
  • Disable unexposed features
  • Disable HGFS file transfers
  • Disable copy and paste operations between guest operating system and remote console
  • Limiting exposure of sensitive data copied to the Clipboard
  • Restrict users from running commands within a virtual machine
  • Prevent a virtual machine user or process from disconnecting devices
  • Modify guest operating system variable memory limit
  • Prevent guest operating system process from sending configuration messages to the host
  • Avoid using Independent Nonpersistent Disks
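
Several of the items above correspond to advanced settings stored in the virtual machine's .vmx file. The following added example (not from the original post or from VMware) audits .vmx content for the values the vSphere Security guide gives for copy/paste, HGFS, device disconnection, the variable memory limit and configuration messages, and flags independent nonpersistent disks. The function names and the sample file are constructed for illustration, and keys and TRUE/FALSE values are compared case-insensitively here.

```python
import re

# Expected values from the vSphere Security guide items listed above.
EXPECTED = {
    "isolation.tools.copy.disable": "true",           # copy to remote console
    "isolation.tools.paste.disable": "true",          # paste from remote console
    "isolation.tools.hgfsServerSet.disable": "true",  # HGFS file transfers
    "isolation.device.connectable.disable": "true",   # guest disconnecting devices
    "isolation.device.edit.disable": "true",          # guest modifying devices
    "isolation.tools.setinfo.disable": "true",        # config messages to host
    "tools.setInfo.sizeLimit": "1048576",             # variable memory limit
}
LINE = re.compile(r'^\s*([^#=\s][^=]*?)\s*=\s*"(.*)"\s*$')
DISK_MODE = re.compile(r"^(scsi|sata|ide)\d+:\d+\.mode$")

def parse_vmx(text):
    """Return {lowercased key: value} for every key = "value" line."""
    matches = (LINE.match(line) for line in text.splitlines())
    return {m.group(1).lower(): m.group(2) for m in matches if m}

def audit_vmx(text):
    """Return sorted (key, problem) findings for one .vmx file."""
    settings = parse_vmx(text)
    findings = []
    for key, want in EXPECTED.items():
        have = settings.get(key.lower())
        if have is None:
            findings.append((key, "not set"))
        elif have.lower() != want:
            findings.append((key, f"is {have!r}, expected {want!r}"))
    for key, value in settings.items():
        if DISK_MODE.match(key) and value.lower() == "independent-nonpersistent":
            findings.append((key, "independent nonpersistent disk"))
    return sorted(findings)

# Constructed sample .vmx content (not taken from a real VM).
SAMPLE_VMX = """
displayName = "app01"
isolation.tools.copy.disable = "TRUE"
isolation.tools.paste.disable = "FALSE"
isolation.tools.hgfsServerSet.disable = "TRUE"
isolation.device.connectable.disable = "TRUE"
tools.setInfo.sizeLimit = "1048576"
scsi0:1.mode = "independent-nonpersistent"
"""

if __name__ == "__main__":
    print("\n".join(f"{k}: {p}" for k, p in audit_vmx(SAMPLE_VMX)))
```

A setting that is absent is reported separately from one that is present with the wrong value, since the two call for different follow-up.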

Create/Manage vCenter Server Security Certificates

Everyone’s favorite topic when it comes to securing your VMware vSphere environment: certificates. Historically, managing certificates for vCenter and ESXi hosts has been somewhat of a challenge. New to vSphere 6 is the VMware Certificate Authority (VMCA) feature. The VMCA command line utility can be used to replace the default certificates installed with each ESXi host and vCenter server (these certificates are provided via the VMCA by default).

Using the VMCA you can manage certificates in three ways:

      • VMCA Default – Provide certificates to vCenter and ESXi hosts with VMCA being listed as the root certificate authority. By default the root certificate expires after ten years.
      • Make VMCA an Intermediate CA – You can replace the VMCA root certificate with a certificate signed by your enterprise certificate authority or a third party certificate authority.
      • Do not use the VMCA – The use of the VMCA is optional, if you want to “manually” issue and manage all the needed certificates for vSphere components that is still an available option. This would be similar to managing certificates in vSphere 5.5 and older versions of the product.

To manage vCenter Server certificates (view or replace) the following utilities are available:

  • vSphere Certificate Manager Utility – Perform all common certificate replacement tasks from the command-line
  • Certificate Management CLIs – Perform all certificate management tasks with dir-cli, certool, and vecs-cli
  • vSphere Web Client – View certificates, including expiration information

This is a LARGE topic, and the notes above only scratch the surface. For further details review Section 3 – vSphere Security Certificates of the vSphere Security 6.0 documentation. Also have a look at the following blog post: VMware Certificate Authority Overview and Using VMCA Root Certificates in a Browser.

Thanks for reading!

-Jason
