IC121-End-to-End Virtual Security Hands-On Lab
Description: Many of us fear zero-day exploits, especially if they could impact our dynamic virtual systems. Learn how you can leverage CCS VSM to quickly lock down your virtual environment as you use CCS VM to identify any impacted systems. Finally, we will show you how you can learn from exploits and then customize security standards in CCS SM and VSM.
At the end of this lab, you should be able to
Assess and report on your ESX system using VMware hardening guidelines
Use CCS VM to assess your virtual environment for vulnerabilities
Use CCS VSM to lock down your Virtual Environment to protect it against misconfiguration and vulnerabilities
Generate a CCS Dashboard for Virtual Environment
Root Password Vaulting
Notes: A brief presentation will introduce this lab session and discuss key concepts.
The lab will be directed and provide you with step-by-step walkthroughs of key features.
Feel free to follow the lab using the instructions on the following pages. You can optionally perform this lab at your own pace.
Be sure to ask your instructor any questions you may have.
Thank you for coming to our lab session.
Exercise 1: Show Evaluation results with same issue as found in CCS VM
CCS provides the ability to assess your virtual environments using best practices based on VMware hardening guidelines for ESX.
1. From the Desktop double click the Symantec Control Compliance Suite Console icon
The Home view is the default view that appears when you log on to the Control Compliance Suite (CCS) Console. This page provides the working flow of the features within the solution.
2. Select Manage > Assets
In Control Compliance Suite, an asset is defined as a managed object in the system that has value, has an owner, has controlled access, and can have authority. The primary goal of the asset management system is to present a consolidated view of the assets that are present in the organization with the ability to manage those assets.
3. Expand the Asset System folder
4. Select the VMware ESXi machines group
5. Select the 192.168.1.90 Asset
6. What is the Compliance Score for this Asset?
7. Select the Evaluation Tab
CCS provides the ability to evaluate system security configurations against industry best practices such as the VMware Hardening Guidelines.
Double click on the evaluation to display the Evaluation Result Details
The Evaluation Results Details page provides you with a quick view of your overall security posture and also allows you to analyze which areas may need more attention than others. The page gives you two views of the data: the Standards-based view and the Asset-based view.
8. Select the Asset-based view button
9. Drag the Status column into the tool bar
10. Drag the Risk column down to the column headers
11. How many configuration checks failed for this asset?
12. Expand the Failed checks
13. Select and right-click the "Is unauthorized removal, connection and modification of devices prevented?" check
14. Click Show Detailed Evidence
15. View the devices which have this option disabled. Select and highlight, then hover the mouse over the custom message.
This setting is disabled by default for virtual environments. When enabled, users have the ability to connect devices and change settings on virtual systems. This means a user can do things like migrate or copy critical systems and access sensitive data by setting up shares on the image.
Exercise 2: View the vulnerability details for ESX system
As more organizations expand their infrastructure into the virtual realm, effective security for business must reflect the changing needs of those dynamic environments. CCS Vulnerability Manager (CCS VM) will help find and report on specific vulnerabilities within your ESX Hypervisor.
1. From the desktop double click the CCS VM icon
2. Select Continue to this website. (The certificates for the website have not been generated within the demo image at this time.)
3. Log on:
Username: vmadmin
Password: symc4now
The Home page shows sites, asset groups, tickets, and statistics about your network that are based on scan data. You have logged on with the Global Administrator role for the solution. This allows you to not only view information but also edit site and asset group information, and run scans for your entire network all from this page.
The row of tabs at the top of the page is used to navigate to the main pages of each functional area of the solution.
4. Using the search feature on the upper right side of the interface enter ESX and select the magnifying glass to search for the ESX systems.
5. How many vulnerabilities were detected within the exs41i system?
6. Select the 192.168.1.90 system link to drill down into the details found from the vulnerability assessment
7. Filter the Risk Score to see the highest risk vulnerabilities first
8. Select the first vulnerability on the list
9. Provide a brief description of the suggested solution
Exercise 3: Protect systems with critical data from changes or migrations
Locking down your ESX environment against changes will help ensure the security of your surrounding infrastructure, especially when critical vulnerabilities have been found. CCS Virtualization Security Manager provides powerful access control features for your virtual environment, which allow you to isolate virtual assets, limiting access to and from them and dictating where and if they move. This is done by creating policies, which are defined by Labels, Roles and Rules created within CCS VSM, and assigning those policies to specific users based on their role.
1. From the web browser select the CCS VSM tab in the favorites bar
2. Select Continue to this website. (The certificates for the website have not been generated within the demo image at this time.)
3. Log into the web console:
Username: SuperAdminUser
Password: symc4now
The Appliance Dashboard is the first page displayed when logging into the appliance. This page was designed to provide summary information based on your VSM implementation. The row of tabs at the top of the page is used to navigate to the main pages of each functional area of the solution.
4. Select the Policy tab and then Resources
5. Expand Appliance Root
The lab environment has two ESX systems. The yellow shield next to each of the systems indicates that these systems are now protected by the VSM Appliance.
6. From the server system taskbar select Start > VMware vSphere Client or click the icon on the desktop.
7. Login:
Username: Mark_Rhodes
Password: symc4now
8. Select Login
9. What is the message that is displayed?
10. Click OK and Close the Client
11. Go back to the CCS VSM web console
12. From the Policy tab select Labels
Labels are used to classify or categorize policy resources. They are often used to define constraints. For example, by assigning a label to production virtual machines, you have the ability to assign a constraint that those machines should never be turned off.
13. Select Create Draft
The Create Draft button allows the solution to copy the deployed labels into a draft copy before actually deploying it out.
14. Select the PCI Label
Currently the PCI Label has two Virtual Systems assigned.
15. Select Assign
For each label you have the ability to associate different resources within the virtual environment.
16. Select OK and OK again to get back to the Policy Labels window to finish without making any changes to the label.
17. From the Policy Tab select Roles
Roles are used to define authorized operations and usually become an attribute of a rule.
18. From the right side of the page select page 2
19. Select the TestSystemsUsers. Click to open the Edit Role TestSystemUsers window.
The checked items listed here are the enabled operations for users who have the TestSystemUsers Role associated.
20. Select the check box next to Resource
Resources enable the ability to change the resource pools within the Virtual Environment. This includes the ability to perform actions such as moving or migrating virtual machines to different hosts.
21. Click OK
22. From the Policy Tab select Rules
Rules provide the relationships between Active Directory user groups, objects within the virtual environment and the entitlements for a specific role.
23. Select TestUsers and open the Edit Rule TestUsers window.
24. Click the Add button within Constraints
Constraints are used to restrict access to specific entities of the Virtual Environment
25. Select Match VM Label(s)
26. Select the PCI VM Label
27. Click the checkbox to Exclude VM Label
28. Click OK
29. Click the Propagate checkbox
This will propagate the policy down the resource tree and enable it.
30. Click OK
31. Click Deploy Changes
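A simplified model of the label, role, rule and constraint relationships configured in this exercise, added here as an illustration; it is not CCS VSM code and does not reproduce the product's evaluation logic. The operation names, the `TestUsers` group binding, the `scratch-vm` resource and the assumption that the Exchange Server VM carries the PCI label are hypothetical.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Resource:
    name: str
    parent: Optional["Resource"] = None
    labels: frozenset = frozenset()

    def lineage(self):
        """Yield this resource and every ancestor up to the root."""
        node = self
        while node is not None:
            yield node
            node = node.parent

@dataclass(frozen=True)
class Rule:
    group: str                    # directory group the rule binds
    operations: frozenset         # operations granted by the role
    anchor: Resource              # where the rule sits in the resource tree
    propagate: bool = False       # also cover everything below the anchor
    excluded_labels: frozenset = frozenset()  # "Exclude VM Label" constraint

    def permits(self, groups, operation, target):
        if self.group not in groups or operation not in self.operations:
            return False
        scope = target.lineage() if self.propagate else [target]
        if not any(node is self.anchor for node in scope):
            return False
        # Constraint: a target carrying an excluded label is out of the rule.
        return not (target.labels & self.excluded_labels)

def authorize(rules, groups, operation, target):
    """Default deny: allowed only when at least one rule permits it."""
    return any(r.permits(groups, operation, target) for r in rules)

# Constructed sample data (names and label assignment are assumptions).
ROOT = Resource("Appliance Root")
HOST = Resource("192.168.1.90", parent=ROOT)
EXCHANGE = Resource("Exchange Server", parent=HOST, labels=frozenset({"PCI"}))
SCRATCH = Resource("scratch-vm", parent=HOST)  # hypothetical unlabeled VM
ROLE_OPS = frozenset({"power_on", "migrate"})  # hypothetical operation names
RULES = [Rule("TestUsers", ROLE_OPS, ROOT, propagate=True,
              excluded_labels=frozenset({"PCI"}))]

if __name__ == "__main__":
    for vm in (EXCHANGE, SCRATCH):
        verdict = authorize(RULES, {"TestUsers"}, "migrate", vm)
        print(f"migrate {vm.name}: {'allow' if verdict else 'deny'}")
```

In this model the excluded label removes a VM from the rule's scope, so with default deny and no other rule covering it, operations on that VM are refused.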
Exercise 4: Test Protection Settings
1. From the system taskbar select Start > VMware vSphere Client
Login:
Username: Mark_Rhodes
Password: symc4now
2. Select Login
Mark Rhodes is part of the user group within Active Directory that has been assigned the TestUser Role.
3. Expand the Symplified Virtual Datacenter
4. Expand the 192.168.1.90 host
5. Right Click the Exchange Server Virtual Machine
6. Select Migrate
7. Select Change both host and datastore
8. Click Next
9. Expand the Symplified Virtual Datastore
10. Select the 192.168.1.85 host
11. Click Next
12. Click the Research and Development Resource Pool
13. Click Next
14. Keep the default for the datastore
15. Select Next
16. Select Finish
17. What is the message that is displayed?
Exercise 5: View Evaluation information for Virtual Environment from a single location
In the beginning of the lab we went through the Configuration Assessment results within CCS Standards Manager and also the Vulnerability scan results from CCS Vulnerability Manager. CCS provides the ability to view the evaluation results from both solutions for the Virtual Environment from a single location using the CCS Dynamic Dashboards, which are part of the CCS Web Client.
1. Select the Chrome Icon from the taskbar
This brings you to the CCS Web Client. The web client provides the ability to view and create dashboards using the data within CCS and external data from third-party solutions; accept, review, and approve policies from the CCS Policy Manager solution; and answer questionnaires from the CCS Assessment Manager solution.
2. Select the Dashboards tab
3. Expand Misc tab
These are the default dashboards that come with the solution. They have been generated to provide a view of information based on Mandates and operational information.
4. Select the Panels Tab
Dashboards are generated by applying different panels. This is a list of predefined panels which come with the solution. Using these panels it is easy to generate a custom dashboard. Panels can also be customized to view and analyze data in different ways.
5. Select New Panel
6. Select Standard Compliance Management > Check as the Area of Interest
7. For Measure (y axis) select Results Summary
8. For Dimension (x axis) select Results Name
9. Select the green plus sign to add an additional Dimension
10. Select Standard Name
11. Select Standard Name for the Axis Label
12. Name the panel Standards Evaluation Results for ESX systems
13. Within Filters select Results Name for the Attribute
14. Select is equal to for the Operator
15. Use the Ctrl keyboard button to select the Check Asset Fail and the Check Asset Pass values
16. Select the green plus sign to add an additional Attribute
17. Select Standard Name as the Attribute
18. Select is equal to for the Operator
19. Select VMware Hardening Guideline for ESXi 4.x
20. Select Apply and Save
21. Select the Dashboard in the top toolbar
22. Select New Dashboard
23. Name the dashboard Vision Virtual Environment
24. Select the green plus sign next to Category
25. Name the category Virtual Environment
26. Select Create
27. Select Stay on this page
28. Expand the Private Panels tab
29. Select the Standards Evaluation Results for ESX systems
30. Drag the panel into the grid
31. Expand the panel so that it takes up 7x7 squares
32. Expand the Published Panels
33. Select the Top 10 Most Common Network Vulnerabilities panel
34. Drag and drop the panel under the Standards Evaluation Results for ESX systems
35. Expand the panel so it takes up the bottom 7x7 squares
36. From the published panels select Data Collection Coverage
37. Drag the panel and expand it into the space beside the Standards Evaluation Results for ESX systems
38. Select Vulnerabilities by Severity
39. Drag the panel into the remaining space.
40. Select Save and Close
Exercise 6: Root Password Vaulting
It is not a good security practice to distribute the root passwords for an ESX or ESXi system. Root Password Vaulting allows CCS VSM to manage the root password of individual hosts by creating a secure root password for an ESX host and storing that password in a vault. The system will then automatically rotate the root password on the host on a regular basis.
1. Open Internet Explorer and select CCS VSM from the Favorites tool bar
2. Select Continue to this website. (The certificates for the website have not been generated within the demo image at this time.)
3. Log into the web console:
4. Username: SuperAdminUser
5. Password: symc4now
6. From the CCS VSM web interface select: Configuration > Root Password Vaulting
7. For the recovery passcode enter: CCS!sfun
8. Confirm the recovery passcode: CCS!sfun
9. Click Apply
The Recovery Passcode is used to provide an emergency mechanism to recover root passwords if the VSM is not available.
10. Select Compliance > Hosts
11. Select the hyperlink for the esxi50.symplified.org host
12. Click the Root Password Vaulting option
13. User ID: root
Password: Symc4now!
14. Click OK
You will see a key icon appear next to the host, which indicates that root password vaulting has been enabled.
15. Click the box next to ESXi50.symplified.org
16. Select Issue Password
17. Provide a Reason: Quick Change to ESXi System
18. Click Issue Password
19. Copy down the password
20. Click Apply
21. For the VSM SuperUserPassword enter symc4now
22. Click OK
23. Go to the esxi50.symplified.org vmimage
24. Click on the screen and then press F2
25. Enter the root password provided by VSM