
IC121 End to End Virtual Security Hands On Lab (vox.veritas.com/legacyfs/online/veritasdata/IC L21.pdf)


IC121-End-to-End Virtual Security Hands-On Lab

Description: Many of us fear zero-day exploits, especially if they could impact our dynamic virtual systems. Learn how you can leverage CCS VSM to quickly lock down your virtual environment as you use CCS VM to identify any impacted systems. Finally, we will show you how you can learn from exploits and then customize security standards in CCS SM and VSM.

At the end of this lab, you should be able to

Assess and report on your ESX system using VMware hardening guidelines

Use CCS VM to assess your virtual environment for vulnerabilities

Use CCS VSM to lock down your Virtual Environment to protect it against misconfiguration and vulnerabilities

Generate a CCS Dashboard for Virtual Environment

Root Password Vaulting

Notes: A brief presentation will introduce this lab session and discuss key concepts.

The lab will be directed and provide you with step-by-step walkthroughs of key features.

Feel free to follow the lab using the instructions on the following pages. You can optionally perform this lab at your own pace.

Be sure to ask your instructor any questions you may have.

Thank you for coming to our lab session.


Exercise 1: Show Evaluation results with same issue as found in CCS VM

CCS provides the ability to assess your virtual environments using best practices based on VMware hardening guidelines for ESX.

1. From the Desktop double click the Symantec Control Compliance Suite Console icon

The Home view is the default view that appears when you log on to the Control Compliance Suite (CCS) Console. This page provides the working flow of the features within the solution.

2. Select Manage > Assets

In Control Compliance Suite, an asset is defined as a managed object in the system that has value, has an owner, has controlled access, and can have authority. The primary goal of the asset management system is to present a consolidated view of the assets that are present in the organization with the ability to manage those assets.

3. Expand the Asset System folder

4. Select the VMware ESXi machines group

5. Select the 192.168.1.90 Asset

6. What is the Compliance Score for this Asset?

7. Select the Evaluation Tab

CCS provides the ability to evaluate systems' security configurations against industry best practices such as the VMware Hardening Guidelines.

Double click on the evaluation to display the Evaluation Result Details

The Evaluation Results Details page provides you with a quick view of your overall security posture and allows you to analyze which areas may need more attention than others. The page gives you two views of the data: the Standards-based view and the Asset-based view.

8. Select the Asset-based view button

9. Drag the Status column into the tool bar

10. Drag the Risk column down to the column headers

11. How many configuration checks failed for this asset?

12. Expand the Failed checks


13. Select and right-click the "Is unauthorized removal, connection and modification of devices prevented?" check

14. Click Show Detailed Evidence

15. View the devices which have this option disabled. Select and highlight an entry, then hover the mouse over the custom message.

This setting is disabled by default for virtual environments. When enabled, users have the ability to connect devices and change settings on virtual systems. This means a user can do things like migrate or copy critical systems and access sensitive data by setting up shares on the image.
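The check viewed in steps 13 to 15 can be reproduced outside CCS by inspecting each virtual machine's .vmx configuration. This is an added example, not code from the lab or from CCS; it assumes the check maps to the two `isolation.device.*` parameters used by VMware's hardening guides, and the sample configurations and VM names are constructed.

```python
import re

# Assumption: these are the .vmx parameters VMware's hardening guides pair
# with this control; the lab page names the check but not the keys.
REQUIRED = (
    "isolation.device.connectable.disable",
    "isolation.device.edit.disable",
)
_SETTING = re.compile(r'^\s*([^#\s=]+)\s*=\s*"(.*)"\s*$')


def parse_vmx(text):
    """Parse 'key = "value"' lines; keys are lower-cased (a choice made in
    this example) so that lookups do not depend on how a key was typed."""
    settings = {}
    for line in text.splitlines():
        m = _SETTING.match(line)
        if m:
            settings[m.group(1).lower()] = m.group(2).strip()
    return settings


def check_device_lockdown(text):
    """Return a list of findings; an empty list means the check passes."""
    settings = parse_vmx(text)
    findings = []
    for key in REQUIRED:
        value = settings.get(key)
        if value is None:
            findings.append(f"{key}: not set")
        elif value.lower() != "true":
            findings.append(f'{key}: "{value}" (expected "TRUE")')
    return findings


# Constructed sample configurations (VM names are hypothetical).
SAMPLE_VMS = {
    "hardened-vm": 'displayName = "hardened-vm"\n'
                   'isolation.device.connectable.disable = "TRUE"\n'
                   'isolation.device.edit.disable = "true"\n',
    "partial-vm": 'isolation.device.connectable.disable = "TRUE"\n',
    "open-vm": 'isolation.device.connectable.disable = "TRUE"\n'
               'isolation.device.edit.disable = "FALSE"\n',
}


def evaluate(vms):
    """Map each VM name to its findings, like an asset-based result view."""
    return {name: check_device_lockdown(cfg) for name, cfg in vms.items()}


if __name__ == "__main__":
    for name, findings in evaluate(SAMPLE_VMS).items():
        print(name, "PASS" if not findings else "FAIL", findings)
```

A VM that omits either parameter is reported as failing, because the check is about the setting being explicitly enforced rather than left to the platform default.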


Exercise 2: View the vulnerability details for ESX system

As more organizations expand their infrastructure into the virtual realm, effective security for business must reflect the changing needs of those dynamic environments. CCS Vulnerability Manager (CCS VM) will help find and report on specific vulnerabilities within your ESX Hypervisor.

1. From the desktop double click the CCS VM icon

2. Select Continue to this website. (The certificates for the website have not been generated within the demo image at this time.)

3. Log on:

Username: vmadmin

Password: symc4now

The Home page shows sites, asset groups, tickets, and statistics about your network that are based on scan data. You have logged on with the Global Administrator role for the solution. This allows you to not only view information but also edit site and asset group information, and run scans for your entire network all from this page.

The row of tabs at the top of the page is used to navigate to the main pages of each functional area of the solution.

4. Using the search feature on the upper right side of the interface enter ESX and select the magnifying glass to search for the ESX systems.

5. How many vulnerabilities were detected within the exs41i system?

6. Select the 192.168.1.90 system link to drill down into the details found from the vulnerability assessment

7. Filter the Risk Score to see the highest risk vulnerabilities first

8. Select the first vulnerability on the list

9. Provide a brief description of the suggested solution


Exercise 3: Protect systems with critical data from changes or migrations

Locking down your ESX environment against changes will help ensure the security of your surrounding infrastructure, especially when critical vulnerabilities have been found. CCS Virtualization Security Manager provides powerful access control features for your virtual environment, which allow you to isolate virtual assets, limiting access to and from them and dictating where and if they move. This is done by creating policies, which are defined by Labels, Roles and Rules created within CCS VSM, and assigning those policies to specific users based on their role.

1. From the web browser select the CCS VSM tab in the favorites bar

2. Select Continue to this website. (The certificates for the website have not been generated within the demo image at this time.)

3. Log into the web console:

Username: SuperAdminUser

Password: symc4now

The Appliance Dashboard is the first page displayed when logging into the appliance. This page was designed to provide summary information based on your VSM implementation. The row of tabs at the top of the page is used to navigate to the main pages of each functional area of the solution.

4. Select the Policy tab and then Resources

5. Expand Appliance Root

The lab environment has two ESX systems. The yellow shield next to each of the systems indicates that these systems are now protected by the VSM Appliance.

6. From the server system taskbar select Start > VMware vSphere Client or click the icon on the desktop.

7. Login:

Username: Mark_Rhodes

Password: symc4now


8. Select Login

9. What is the message that is displayed?

10. Click OK and Close the Client

11. Go back to the CCS VSM web console

12. From the Policy tab select Labels

Labels are used to classify or categorize policy resources. They are often used to define constraints. For example, by assigning production virtual machines a label, you have the ability to assign a constraint that those machines should never be turned off.

13. Select Create Draft

The Create Draft button allows the solution to copy the deployed labels into a draft copy before actually deploying it out.

14. Select the PCI Label

Currently the PCI Label has two Virtual Systems assigned.

15. Select Assign

For each label you have the ability to associate different resources within the virtual environment.

16. Select OK and OK again to get back to the Policy Labels window to finish without making any changes to the label.

17. From the Policy Tab select Roles

Roles are used to define authorized operations and usually become an attribute of a rule.

18. From the right side of the page select page 2

19. Select the TestSystemsUsers. Click to open the Edit Role TestSystemUsers window.

The checked items listed here are enabled operations which the users who have the TestSystemUsers Role associated

20. Select the check box next to Resource

Resources enable the ability to change the resource pools within the Virtual Environment. This includes the ability to do actions such as move or migrate virtual machines into different hosts.

21. Click OK

22. From the Policy Tab select Rules


Rules provide the relationships between Active Directory user groups, objects within the virtual environment and the entitlements for a specific role.

23. Select TestUsers and open the Edit Rule TestUsers window.

24. Click the Add button within Constraints

Constraints are used to restrict access to specific entities of the Virtual Environment.

25. Select Match VM Label(s)

26. Select the PCI VM Label

27. Click the checkbox to Exclude VM Label

28. Click OK

29. Click the Propagate checkbox

This will propagate the policy down the resource tree and enable it.

30. Click OK

31. Click Deploy Changes
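The policy built in steps 12 to 31 combines a role's operations, a rule bound to an Active Directory group, a label constraint with Exclude checked, and propagation down the resource tree. The following added example is a simplified model of how those pieces interact, not CCS VSM's implementation; it assumes default-deny evaluation and that the Exchange Server VM carries the PCI label, and the group and operation names are hypothetical.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Constraint:
    labels: frozenset       # labels picked under "Match VM Label(s)"
    exclude: bool = False   # the "Exclude VM Label" checkbox

    def admits(self, vm_labels):
        matched = bool(self.labels & vm_labels)
        return not matched if self.exclude else matched


@dataclass(frozen=True)
class Rule:
    name: str
    group: str              # Active Directory group the rule binds
    operations: frozenset   # operations enabled in the rule's role
    attached_to: tuple      # node of the resource tree the rule sits on
    propagate: bool = False
    constraints: tuple = ()

    def covers(self, path):
        if self.propagate:  # applies to the node and everything below it
            return path[:len(self.attached_to)] == self.attached_to
        return path == self.attached_to


def is_allowed(rules, groups, operation, vm_path, vm_labels):
    """Assumed default deny: some rule must grant the operation on this VM."""
    return any(
        r.group in groups and operation in r.operations
        and r.covers(vm_path) and all(c.admits(vm_labels) for c in r.constraints)
        for r in rules
    )


# Constructed data: group, operation and second VM names are hypothetical.
ROOT = ("Appliance Root",)
HOST = ROOT + ("192.168.1.90",)
TEST_USERS = Rule(
    name="TestUsers", group="TestUsersGroup",
    operations=frozenset({"resource.migrate"}), attached_to=ROOT,
    propagate=True,
    constraints=(Constraint(frozenset({"PCI"}), exclude=True),),
)
MARK = {"TestUsersGroup"}   # Mark_Rhodes' group membership (assumed name)


def demo():
    exchange = is_allowed([TEST_USERS], MARK, "resource.migrate",
                          HOST + ("Exchange Server",), frozenset({"PCI"}))
    test_vm = is_allowed([TEST_USERS], MARK, "resource.migrate",
                         HOST + ("Test VM",), frozenset())
    return exchange, test_vm   # (False, True)
```

In this model, leaving Propagate unchecked makes the rule cover only the node it is attached to, so the same user would be denied on every VM below it.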


Exercise 4: Test Protection Settings

1. From the system taskbar select Start > VMware vSphere Client

Login:

Username: Mark_Rhodes

Password: symc4now

2. Select Login

Mark Rhodes is part of the user group within Active Directory that has been assigned the TestUser Role.

3. Expand the Symplified Virtual Datacenter

4. Expand the 192.168.1.90 host

5. Right Click the Exchange Server Virtual Machine

6. Select Migrate

7. Select Change both host and datastore

8. Click Next

9. Expand the Symplified Virtual Datastore

10. Select the 192.168.1.85 host

11. Click Next

12. Click the Research and Development Resource Pool

13. Click Next

14. Keep the default for the datastore

15. Select Next

16. Select Finish

17. What is the message that is displayed?


Exercise 5: View Evaluation information for Virtual Environment from a single location

At the beginning of the lab we went through the Configuration Assessment results within CCS Standards Manager and also the Vulnerability scan results from CCS Vulnerability Manager. CCS provides the ability to view the evaluation results from both solutions for the Virtual Environment from a single location using the CCS Dynamic Dashboards, which are part of the CCS Web Client.

1. Select the Chrome icon from the taskbar

This brings you to the CCS Web Client. The web client provides the ability to view and create dashboards using the data within CCS and external data from third-party solutions; accept, review, and approve policies from the CCS Policy Manager solution; and answer questionnaires from the CCS Assessment Manager solution.

2. Select the Dashboards tab

3. Expand Misc tab

These are the default dashboards that come with the solution. They have been generated to provide a view of information based on Mandates and operational information.

4. Select the Panels Tab

Dashboards are generated by applying different panels. This is a list of predefined panels which come with the solution. Using these panels it is easy to generate a custom dashboard. Panels can also be customized to view and analyze data in different ways.

5. Select New Panel

6. Select Standard Compliance Management > Check as the Area of Interest

7. For Measure (y axis) select Results Summary

8. For Dimension (x axis) select Results Name

9. Select the green plus sign to add an additional Dimension

10. Select Standard Name

11. Select Standard Name for the Axis Label

12. Name the panel Standards Evaluation Results for ESX systems

13. Within Filters select Results Name for the Attribute

14. Select is equal to for the Operator

15. Use the Ctrl keyboard button to select the Check Asset Fail and the Check Asset Pass values

16. Select the green plus sign to add an additional Attribute

17. Select Standard Name as the Attribute


18. Select is equal to for the Operator

19. Select VMware Hardening Guideline for ESXi 4.x

20. Select Apply and Save

21. Select the Dashboard in the top toolbar

22. Select New Dashboard

23. Name the dashboard Vision Virtual Environment

24. Select the green plus sign next to Category

25. Name the category Virtual Environment

26. Select Create

27. Select Stay on this page

28. Expand the Private Panels tab

29. Select the Standards Evaluation Results for ESX systems

30. Drag the panel into the grid

31. Expand the panel so that it takes up 7x7 squares

32. Expand the Published Panels

33. Select the Top 10 Most Common Network Vulnerabilities panel

34. Drag and drop the panel under the Standards Evaluation Results for ESX systems

35. Expand the panel so it takes up the bottom 7x7 squares

36. From the published panels select Data Collection Coverage

37. Drag the panel and expand it into the space beside the Standards Evaluation Results for ESX systems

38. Select Vulnerabilities by Severity

39. Drag the panel into the remaining space.

40. Select Save and Close


Exercise 6: Root Password Vaulting

It is not a good security practice to distribute the root passwords for an ESX or ESXi system. Root Password Vaulting allows CCS VSM to manage the root password of individual hosts by creating a secure root password for an ESX host and storing that password in a vault. The system will then automatically rotate the root password on the host on a regular basis.

1. Open Internet Explorer and select CCS VSM from the Favorites tool bar

2. Select Continue to this website. (The certificates for the website have not been generated within the demo image at this time.)

3. Log into the web console:

4. Username: SuperAdminUser

5. Password: symc4now

6. From the CCS VSM web interface select: Configuration > Root Password Vaulting

7. For the recovery passcode enter: CCS!sfun

8. Confirm the recovery passcode: CCS!sfun

9. Click Apply

The Recovery Passcode is used to provide an emergency mechanism to recover root passwords if the VSM is not available.

10. Select Compliance > Hosts

11. Select the hyperlink for the esxi50.symplified.org host

12. Click the Root Password Vaulting option

13. User ID: root

Password: Symc4now!

14. Click OK

You will see a key icon appear next to the host, which indicates that root password vaulting has been enabled.

15. Click the box next to ESXi50.symplified.org

16. Select Issue Password

17. Provide a Reason: Quick Change to ESXi System

18. Click Issue Password

19. Copy down the password


20. Click Apply

21. For the VSM SuperUserPassword enter symc4now

22. Click OK

23. Go to the esxi50.symplified.org vmimage

24. Click on the screen and then press F2

25. Enter the root password provided by VSM