Upload
anilkoli
View
12
Download
0
Embed Size (px)
DESCRIPTION
security hardening
Citation preview
Best Practices
Copyright 2008 VMware, Inc. All rights reserved. 1
Security HardeningVMware Infrastructure 3 (VMware ESX 3.5 and VMware VirtualCenter 2.5)
ByintroducingalayerofabstractionbetweenthephysicalhardwareandvirtualizedsystemsrunningITservices,virtualizationtechnologyprovidesapowerfulmeanstodelivercostsavingsviaserverconsolidationaswellasincreasedoperationalefficiencyandflexibility.However,theaddedfunctionalityintroducesavirtualizationlayerthatitselfbecomesapotentialavenueofattackforthevirtualservicesbeinghosted.Becauseasinglehostsystemcanhousemultiplevirtualmachines,thesecurityofthathostbecomesevenmoreimportant.
Becauseitisbasedonalightweightkerneloptimizedforvirtualization,VMwareESXandVMwareESXiarelesssusceptibletovirusesandotherproblemsthataffectgeneralpurposeoperatingsystems.However,ESX/ESXiisnotimpervioustoattack,andyoushouldtakepropermeasurestohardenit,aswellastheVMwareVirtualCentermanagementserver,againstmaliciousactivityorunintendeddamage.ThispaperprovidesrecommendationsforstepsyoucantaketoensurethatyourVMwareInfrastructure3environmentisproperlysecured.ThepaperalsoexplainsindetailthesecurityrelatedconfigurationoptionsofthecomponentsofVMwareInfrastructure3andtheconsequencesforsecurityofenablingcertaincapabilities.
ForadditionaluptodateinformationonthesecurityofVMwareproducts,gototheVMwareSecurityCenter.SeeReferencesonpage 30foralink.TheVMwareSecurityCenterprovideslinkstosecurityadvisories,alerts,andupdates,aswellassecurityutilitiesandothersecurityrelatedpapers.
TheinformationinthispaperappliestoESX3.5/ESXi3.5andVirtualCenter2.5.ItisdividedintosectionsbaseduponthecomponentsofVMwareInfrastructure3.Thesectionsonvirtualmachines,VirtualCenter,andclientcomponentsapplytobothESX3.5andESXi3.5.HostconfigurationissuesarediscussedinseparatesectionsforESX3.5andESXi3.5.BesuretoconsultthesectionsthatapplytotheVMwareInfrastructuresoftwareyouareusing.
Thepapercoversthefollowingtopics:
VirtualMachinesonpage 2
VirtualMachineFilesandSettingsonpage 4
ConfiguringtheServiceConsoleinESX3.5onpage 7
ConfiguringHostlevelManagementinESXi3.5onpage 16
ConfiguringtheESX/ESXiHostonpage 20
VirtualCenteronpage 24
VirtualCenterAddonComponentsonpage 27
ClientComponentsonpage 28
Referencesonpage 30
AbouttheAuthoronpage 31
Copyright 2008 VMware, Inc. All rights reserved. 2
Security Hardening
Virtual MachinesTherecommendationsinthissectionapplytothewayyouconfigurevirtualmachinesandthewaysyouinteractwithvirtualmachines.
Secure Virtual Machines as You Would Secure Physical MachinesAkeytounderstandingthesecurityrequirementsofavirtualizedenvironmentistherecognitionthatavirtualmachineis,inmostrespects,theequivalentofaphysicalserver.Hencetheguestoperatingsystemthatrunsinthevirtualmachineissubjecttothesamesecurityrisksasaphysicalsystem.Therefore,itiscriticalthatyouemploythesamesecuritymeasuresinvirtualmachinesthatyouwouldforphysicalservers.
Ensurethatantivirus,antispyware,intrusiondetection,andotherprotectionareenabledforeveryvirtualmachineinyourvirtualinfrastructure.Makesuretokeepallsecuritymeasuresuptodate,includingapplyingappropriatepatches.Itisespeciallyimportanttokeeptrackofupdatesfordormantvirtualmachinesthatarepoweredoff,becauseitcouldbeeasytooverlookthem.
Disable Unnecessary or Superfluous FunctionsBydisablingunnecessarysystemcomponentsthatarenotneededtosupporttheapplicationorservicerunningonthesystem,youreducethenumberofpartsthatcanbeattacked.Someofthesestepsinclude:
Disableunusedservicesintheoperatingsystem.Forexample,ifthesystemrunsafileserver,makesuretoturnoffanyWebservices.
Disconnectunusedphysicaldevices,suchasCD/DVDdrives,floppydrives,andUSBadapters.ThisisdescribedinthesectionRemovingUnnecessaryHardwareDevicesintheESXServer3ConfigurationGuide.
Turnoffanyscreensavers.IfusingaLinux,BSD,orSolarisguestoperatingsystem,donotruntheXWindowsystemunlessitisnecessary.
Take Advantage of TemplatesBycapturingahardenedbaseoperatingsystemimage(withnoapplicationsinstalled)inatemplate,youcanensurethatallyourvirtualmachinesarecreatedwithaknownbaselinelevelofsecurity.Youcanthenusethistemplatetocreateother,applicationspecifictemplates,oryoucanusetheapplicationtemplatetodeployvirtualmachines.Makesuretokeeppatchesandsecuritymeasuresuptodateintemplates.InVMwareInfrastructure3,youcanconvertatemplatetoavirtualmachineandbackagainquickly,whichmakesupdatingtemplatesquiteeasy.VMwareUpdateManageralsoprovidestheabilitytopatchtheoperatingsystemandcertainapplicationsinatemplateautomatically,thusensuringthattheyremainuptodate.
Prevent Virtual Machines from Taking Over ResourcesByusingtheresourcemanagementcapabilitiesofESX/ESXi,suchassharesandlimits,youcancontroltheserverresourcesthatavirtualmachineconsumes.Youcanusethismechanismtopreventadenialofservicethatcausesonevirtualmachinetoconsumesomuchofthehostsresourcesthatothervirtualmachinesonthesamehostcannotperformtheirintendedfunctions.Bydefault,allvirtualmachinesonanESX/ESXihostsharetheresourcesequally.Bearinmind,however,thatavirtualmachinethatexhibitsunusualmemoryandstorageaccesspatternsmightstillhavethepotentialtocauseperformancedegradationonothervirtualmachines.Itisrecommendedthatyoumonitorallvirtualmachinesforunusualorunexpectedperformancetobeawareofsuchsituations.
Copyright 2008 VMware, Inc. All rights reserved. 3
Security Hardening
Isolate Virtual Machine NetworksAlthoughthevirtualhardwareofonevirtualmachineisisolatedfromthatofothervirtualmachines,virtualmachinesalsoaretypicallyconnectedtosharednetworks.Anyvirtualmachineorgroupofvirtualmachinesconnectedtoacommonnetworkcancommunicateacrossthosenetworklinksandcan,therefore,stillbethetargetofnetworkattacksfromothervirtualmachinesonthenetwork.Asaresult,youshouldapplynetworkbestpracticestohardenthenetworkinterfacesofvirtualmachinesConsiderisolatingsetsofvirtualmachinesontheirownnetworksegmentstominimizetherisksofdataleakagefromonevirtualmachinezonetothenextacrossthenetwork.
Networksegmentationmitigatestheriskofseveraltypesofnetworkattacks,includingAddressResolutionProtocol(ARP)addressspoofing,inwhichanattackermanipulatestheARPtabletoremapMACandIPaddressestoredirectnetworktraffictoandfromagivenhosttoanotherunintendeddestination.AttackersuseARPspoofingtogeneratedenialsofservice,hijackthetargetsystem,andotherwisedisruptthevirtualnetwork.
Segmentationhastheaddedbenefitofmakingcomplianceauditsmucheasier,becauseitgivesyouaclearviewofwhichvirtualmachinesarelinkedbyanetwork.
Youcanimplementsegmentationusingeitheroftwoapproaches,eachofwhichhasitsownbenefits:
Useseparatephysicalnetworkadaptersforvirtualmachinezonesbycreatingseparatevirtualswitchesforeachone.Maintainingseparatephysicalnetworkadaptersforvirtualmachinezonesislesspronetomisconfigurationafteryouinitiallycreatesegments.
Setupvirtuallocalareanetworks(VLANs)tohelpsafeguardyournetwork.BecauseVLANsprovidealmostallofthesecuritybenefitsinherentinimplementingphysicallyseparatenetworkswithoutthehardwareoverhead,theyofferaviablesolutionthatcansaveyouthecostofdeployingandmaintainingadditionaldevices,cabling,andsoforth,whilealsoallowingforredundancyoptions.
FormoreinformationonusingVLANswithvirtualmachines,seethesectionSecuringVirtualMachineswithVLANsintheESXServer3ConfigurationGuide.
Minimize Use of the VI ConsoleTheVIConsoleallowsyoutoconnecttotheconsoleofavirtualmachine,ineffectseeingwhatamonitoronaphysicalserverwouldshow.However,theVIConsolealsoprovidespowermanagementandremovabledeviceconnectivitycontrols,whichcouldpotentiallyallowamalicioususertobringdownavirtualmachine.Inaddition,italsohasaperformanceimpactontheserviceconsole,especiallyifmanyVIConsolesessionsareopensimultaneously.InsteadofVIConsole,usenativeremotemanagementservices,suchasterminalservicesandssh,tointeractwithvirtualmachines.
Copyright 2008 VMware, Inc. All rights reserved. 4
Security Hardening
Virtual Machine Files and SettingsVirtualmachinesareencapsulatedinasmallnumberoffiles.Oneoftheimportantistheconfigurationfile(.vmx),whichgovernsthebehaviorofthevirtualhardwareandothersettings.Youcanviewandmodifytheconfigurationsettingsbyviewingthe.vmxfiledirectlyinatexteditororbycheckingthesettingsintheVIClient,usingthefollowingprocedure:
1 Choosethevirtualmachineintheinventorypanel.
2 ClickEditsettings.ClickOptions>Advanced/General.
3 ClickConfigurationParameterstoopentheConfigurationParametersdialogbox.
WhetheryouchangeavirtualmachinessettingsintheVIClientorusingatexteditor,youmustrestartthevirtualmachineformostchangestotakeeffect.
Avirtualmachinealsoincludesoneormore.vmdkfiles,whichrepresentthevirtualdisksusedbytheguestoperatingsystem.
Thefollowingsectionsprovideguidelinesyoushouldobservewhendealingwiththeseandothervirtualmachinefiles.
Disable Copy and Paste Operations Between the Guest Operating System and Remote Console
WhenVMwareToolsrunsinavirtualmachine,bydefaultyoucancopyandpastebetweentheguestoperatingsystemandthecomputerwheretheremoteconsoleisrunning.Assoonastheconsolewindowgainsfocus,nonprivilegedusersandprocessesrunninginthevirtualmachinecanaccesstheclipboardforthevirtualmachineconsole.Ifausercopiessensitiveinformationtotheclipboardbeforeusingtheconsole,theuserperhapsunknowinglyexposessensitivedatatothevirtualmachine.ItisrecommendedthatyoudisablecopyandpasteoperationsfortheguestoperatingsystembycreatingtheparametersshowninTable1.
Limit Data Flow from the Virtual Machine to the DatastoreVirtualmachinescanwritetroubleshootinginformationtoavirtualmachinelogfile(vmware.log)storedontheVMwareVMFSvolumeusedtostoreotherfilesforthevirtualmachine.Virtualmachineusersandprocessescanbeconfiguredtoabusetheloggingfunction,eitherintentionallyorinadvertently,sothatlargeamountsofdatafloodthelogfile.Overtime,thelogfilecanconsumesomuchoftheESX/ESXihostsfilesystemspacethatitfillstheharddisk,causinganeffectivedenialofserviceasthedatastorecannolongeracceptnewwrites.
Topreventthisproblem,considermodifyingtheloggingsettingsforvirtualmachines.Youcanusethesesettingstolimitthetotalsizeandnumberoflogfiles.Normallyanewlogfileiscreatedonlywhenahostisrebooted,sothefilecangrowtobequitelarge,butyoucanensurenewlogfilesarecreatedmorefrequentlybylimitingthemaximumsizeofthelogfiles.Ifyouwanttorestrictthetotalsizeofloggingdata,VMwarerecommendssaving10logfiles,eachonelimitedto100KB.Thesevaluesaresmallenoughthatthelogfilesshouldnotconsumeanundueamountofdiskspaceonthehost,yettheamountofdatastoredshouldcapturesufficientinformationtodebugmostproblems.
Table 1. Configuration Settings to Disable Copy and Paste
Name Value
isolation.tools.copy.disable true
isolation.tools.paste.disable true
isolation.tools.setGUIOptions.enable false
Copyright 2008 VMware, Inc. All rights reserved. 5
Security Hardening
Eachtimeanentryiswrittentothelog,thesizeofthelogischecked,andifitisoverthelimit,thenextentryiswrittentoanewlog.Ifthemaximumnumberoflogfilesalreadyexists,whenanewoneiscreated,theoldestlogfileisdeleted.Adenialofserviceattackthatavoidstheselimitscouldbeattemptedbywritinganenormouslogentry,buteachlogentryislimitedto4KB,sonologfilesareevermorethan4KBlargerthantheconfiguredlimit.Table2showswhichparameterstosetandtheirrecommendedvalues:
Asecondoptionistodisableloggingforthevirtualmachine.Disablingloggingforavirtualmachinemakestroubleshootingchallengingandsupportdifficult,soyoushouldnotconsiderdisablingloggingunlessthelogfilerotationapproachprovesinsufficient.Todisablelogging,settheparametershowninTable3.
Disablinglogginginthismannerdoesnotcompletelydisableallloggingmessages.TheVMXprocess,whichrunsontheESXhostandispartlyresponsibleforprovidingvirtualizationservicesforthevirtualmachine,continuestowriteloggingmessagestothevirtualmachinelogfile.However,thevolumeofmessagesfromthissourceisverylowandcannotbeexploitedfromwithinthevirtualmachine,soitisnotnormallyconsideredapotentialsourceofdataflooding.
Ifyouneverthelesswanttopreventallformsoflogging,youcandisableallmessagesbysettingtheparametershowninTable4.Howeverthisisnotrecommendedinanormalproductionenvironment.
Inadditiontologging,guestoperatingsystemprocessescansendinformationalmessagestotheESX/ESXihostthroughVMwareTools.Thesemessages,knownassetinfomessages,arewrittentothevirtualmachinesconfigurationfile(.vmx).Theytypicallycontainnamevaluepairsthatdefinevirtualmachinecharacteristicsoridentifiersthatthehoststoresforexample,ipaddress=10.17.87.224.Asetinfomessagehasnopredefinedformatandcanbeanylength.Therefore,theamountofdatapassedtothehostinthiswayisunlimited.AnunrestricteddataflowprovidesanopportunityforanattackertostageaDOSattackbywritingsoftwarethatmimicsVMwareToolsandfloodingthehostwithpackets,thusconsumingresourcesneededbythevirtualmachines.
Topreventthisproblem,theconfigurationfilecontainingthesenamevaluepairsislimitedtoasizeof1MB.This1MBcapacityshouldbesufficientformostcases,butyoucanchangethisvalue,ifnecessary.Youmightincreasethisvalueiflargeamountsofcustominformationarebeingstoredintheconfigurationfile.
TomodifytheGuestInfofilememorylimit,setthetools.setInfo.sizeLimitparameterinthe.vmxfile.Thedefaultlimitis1MB,andthislimitisappliedevenwhenthesizeLimitparameterisnotlistedinthe.vmxfile.TheexampleinTable5setsthesizelimitto1MB.
Table 2. Configuration Settings to Limit Log File Size and Number of Log Files
Name Recommended Value
log.rotateSize 100000
log.keepOld 10
Table 3. Configuration Setting to Disable Virtual Machine Logging
Name Recommended Value
Isolation.tools.log.disable true
Table 4. Configuration Setting to Disable Virtualization Service Logging
Name Recommended Value
logging false
Table 5. Configuration Setting to Limit Size of GuestInfo File
Name Recommended Value
tools.setInfo.sizeLimit 1048576
Copyright 2008 VMware, Inc. All rights reserved. 6
Security Hardening
Youmayalsoentirelypreventguestoperatingsystemsfromwritinganynamevaluepairstotheconfigurationfile,usingthesettinginTable6.Thisisappropriatewhenguestoperatingsystemsmustbepreventedfrommodifyingconfigurationsettings.
Do Not Use Nonpersistent DisksThesecurityissuewithnonpersistentdiskmodeisthatattackersmayundoorremoveanytracesthattheywereeveronthemachinewithasimpleshutdownorreboot.Oncethevirtualmachinehasbeenshutdown,thevulnerabilityusedtoaccessthevirtualmachinewillstillbepresent,andtheattackersmayaccessthevirtualmachineinthefutureatatimeoftheirchoice.Thedangeristhatadministratorsmayneverknowiftheyhavebeenattackedorhacked.Tosafeguardagainstthisrisk,youshouldusenonpersistentdiskmodeonlyfortestanddevelopmentvirtualmachines.Youshouldsetproductionvirtualmachinestousepersistentdiskmodeonly.Toverify,makesurethattheparameterscsiX:Y.modeisnotpresent,whereXandYaresingledigits,orthatifitispresent,thevalueisnotindependent-nonpersistent.YoucanconfigurethisoptionintheVIClientforeachindividualdiskonavirtualmachine.Youcanmakechangesonlywhenthevirtualmachineisnotpoweredon.Toreviewandmodifythesesettings:
1 LogintotheVIClientandchoosetheserverfromtheinventorypanel.
Thehardwareconfigurationpagefortheserverappears.
2 Expandtheinventoryasneededandchoosethevirtualmachineyouwanttocheck.
3 ClicktheEditSettingslinkintheCommandspaneltodisplaytheVirtualMachinePropertiesdialogbox.
4 ClicktheHardwaretab.
5 ClicktheappropriateharddiskinHardwarelist.
Ensure Unauthorized Devices are Not ConnectedBesidesdisablingunnecessaryvirtualdevicesfromwithinthevirtualmachine,youshouldensurethatnodeviceisconnectedtoavirtualmachineifitdoesnotneedtobethere.Forexample,serialandparallelportsarerarelyusedforvirtualmachinesinadatacenterenvironment,andCD/DVDdrivesareusuallyconnectedonlytemporarilyduringsoftwareinstallation.
Forlesscommonlyuseddevices,Table7showsthe.vmxparametersthatspecifywhetherthedeviceisavailableforavirtualmachinetouse.Ifthedeviceisnotneeded,eithertheparametershouldnotbepresentoritsvaluemustbeFALSE.TheparameterslistedinTable7arenotsufficienttoensurethatadeviceisusable,becauseotherparametersareneededtoindicatespecificallyhoweachdeviceisinstantiated.
Prevent Unauthorized Removal or Connection of DevicesNormalusersandprocessesthatisusersandprocesseswithoutrootoradministratorprivilegeswithinvirtualmachineshavethecapabilitytoconnectordisconnectdevices,suchasnetworkadaptersandCDROMdrives.
Table 6. Configuration Setting to Prevent Writing SetInfo Data to Configuration File
Name Value
isolation.tools.setinfo.disable true
Table 7. Configuration Parameters that Specify Certain Devices
Device Configuration file parameter (where is an integer 0 or greater)
Floppydrive floppy.present
Serialport serial.present
Parallelport parallel.present
Copyright 2008 VMware, Inc. All rights reserved. 7
Security Hardening
Forexample,bydefault,arogueuserwithinavirtualmachinecan:
ConnectadisconnectedCDROMdriveandaccesssensitiveinformationonthemedialeftinthedrive
Disconnectanetworkadaptertoisolatethevirtualmachinefromitsnetwork,whichisadenialofservice
Ingeneral,youshouldusethevirtualmachinesettingseditororConfigurationEditortoremoveanyunneededorunusedhardwaredevices.However,youmaywanttousethedeviceagain,soremovingitisnotalwaysagoodsolution.Inthatcase,youcanpreventauserorrunningprocessinthevirtualmachinefromconnectingordisconnectingadevicefromwithintheguestoperatingsystembyaddingtheparametershowninTable8.
Avoid Denial of Service Caused by Virtual Disk Modification OperationsShrinkingavirtualdiskreclaimsunusedspaceinthevirtualdisk.Ifthereisemptyspaceinthedisk,thisprocessreducestheamountofspacethevirtualdiskoccupiesonthehostdrive.Normalusersandprocessesthatisusersandprocesseswithoutrootoradministratorprivilegeswithinvirtualmachineshavethecapabilitytoinvokethisprocedure.However,ifthisisdonerepeatedly,thevirtualdiskcanbecomeunavailable,effectivelycausingadenialofservice.Inmostdatacenterenvironments,diskshrinkingisnotdone,soyoushoulddisablethisfeaturebysettingtheparameterslistedinTable9.
Specify the Guest Operating System CorrectlyChoosingthecorrectguestoperatingsystemintheconfigurationforeachvirtualmachineisimportant.ESXoptimizescertaininternalconfigurationsonthebasisofthischoice.Thecorrectguestoperatingsettingcanaidthechosenoperatingsystemgreatlyandmaycausesignificantperformancedegradationifthereisamismatchbetweenthesettingandtheoperatingsystemactuallyrunninginthevirtualmachine.TheperformancedegradationmaybesimilartorunninganunsupportedoperatingsystemonESX.Choosingthewrongguestoperatingsystemisnotlikelytocauseavirtualmachinetorunincorrectly,butitcoulddegradethevirtualmachinesperformance.
TheparameterthatspecifiestheguestoperatingsystemisguestOS.Verifythatthespecifiedoperatingsystemandmatchestheoperatingsystemactuallyrunninginthevirtualmachine,whichyoucandeterminebycheckingthevirtualmachinedirectly.
Verify Proper File Permissions for Virtual Machine FilesBesurepermissionsforthevirtualmachinesfilesaresetaccordingtotheguidelinesinthissection.Permissionsfortheconfigurationfile(.vmx),shouldberead,write,execute(rwx)forowner,andreadandexecute(r-x)forgroup(755).Permissionsforthevirtualmachinesvirtualdisk(.vmdk)shouldbereadandwrite(rw-)forowner(600).Forallofthesefiles,boththeuserandgroupshouldberoot.
Configuring the Service Console in ESX 3.5Whetheryouuseamanagementclientorthecommandline,allconfigurationtasksforESX3.5areperformedthroughtheserviceconsole,includingconfiguringstorage,controllingaspectsofvirtualmachinebehavior,andsettingupvirtualswitchesorvirtualnetworks.Aswithanintelligentplatformmanagementinterface(IPMI)orserviceprocessoronaphysicalserver,someoneloggedintotheserviceconsolewithprivilegedpermissionshastheabilitytomodify,shutdown,orevendestroyvirtualmachinesonthathost.Thedifferenceisthat,insteadofasinglephysicalserver,thiscanaffectmanyvirtualmachines.AlthoughESX3.5
Table 8. Configuration Setting to Prevent Device Removal or Connection
Name Value
Isolation.tools.connectable.disable true
Table 9. Configuration Settings to Prevent Virtual Disk Shrinking
Name Value
isolation.tools.diskWiper.disable True
isolation.tools.diskShrink.disable True
Copyright 2008 VMware, Inc. All rights reserved. 8
Security Hardening
managementclientsuseauthenticationandencryptiontopreventunauthorizedaccesstotheserviceconsole,otherservicesmightnotofferthesameprotection.Ifattackersgainaccesstotheserviceconsole,theyarefreetoreconfiguremanyattributesoftheESXhost.Forexample,theycouldchangetheentirevirtualswitchconfigurationorchangeauthorizationmethods.BecausetheserviceconsoleisthepointofcontrolforESX,safeguardingitfrommisuseiscrucial.
Configure the Firewall for Maximum SecurityESX3.5includesafirewallbetweentheserviceconsoleandthenetwork.Bydefault,theserviceconsolefirewallisconfiguredatahighsecuritysetting,withbothincomingandoutgoingtrafficblockedbydefaultexceptforalimitedsetofportsusedbyservicesthatareenabled.Thefirewallcontainsalistofknownservicesforwhichtheappropriateincomingandoutgoingportsareknown,anditautomaticallyopensportsforenabledservicesandclosesthemwhenaserviceisdisabled.ThissectionliststheservicesthatareenabledbydefaultwhenyouinstallESX3.5.YoucanseethelistofcurrentlyenabledservicesonanESXhostandtheassociatedportsintheVIClient:
1 Choosethehost.
2 ClicktheConfigurationtab,thenchoosetheSecurityProfileitemundertheSoftwareheading.
3 ClickFirewallProperties.
Itisbesttoleavethedefaultsecurityfirewallsettings,whichblockallincomingandoutgoingtrafficthatisnotassociatedwithanenabledservices,thenusethefirewallsbuiltinserviceregistrytoenableanddisableservices.Ifyouhaveaparticularserviceoragentthatisnotpartofthebuiltinlist,youcanopenindividualportsusingtheserviceconsolecommandesxcfg-firewall.Ifyoudoopenports,makesuretodocumentthechanges,includingthepurposeforopeningeachport.Formoreinformationonhowtousetheesxcfg-firewallcommand,seethesectionChangingtheServiceConsoleSecurityLevelintheESXServer3ConfigurationGuideortypeman esxcfg-firewallonthecommandline.
Limit the Software and Services Running in the Service ConsoleAlthoughtheserviceconsoleisbasedonLinuxandiscapableofrunningmostLinuxbasedsoftware,youshouldavoidrunninganyadditionalsoftwareorservicesinsideitwhereverpossible.Eachadditionalcomponentthatisrunningrepresentsanadditionalattackvectorandalsoincreasesthepotentialformisconfiguration.Foranyservicethatyourunintheserviceconsole,considerwhetheritisreallyneededandwhethertheequivalentfunctionalitycanbeprovidedbyanexternalagentthatcommunicateswiththeESXhostusingthestandardbuiltinAPIs.
TheservicesthatareonbydefaultintheESX3.5serviceconsoleandtheportstheyusearedescribedinTable10.Thesecondcolumnofthetableshowsthestringusedtoidentifytheservicewhenusingtheesxcfg-firewallcommandforexamplewhenrunningesxcfg-firewall --querytoshowthecurrentstatus.Thetablealsoindicateswhenitisappropriatetodisableaservice.Forexample,ifyouarenotusingNFStomountnetworksharesintheserviceconsole,youshoulddisablethisservice.ConfiguretheFirewallforMaximumSecurityonpage 8describeshowtousetheVIClienttoviewwhichservicesareenabled.Youcanusethesamepropertiesdialogboxtodisableservicesaswellasviewthem.Table 10. Default Services in the ESX 3.5 Service Console
Service
Identification in esxcfg-firewall command Port Traffic Type When to disable
CIMServiceLocationProtocol
CIMSLP 427 IncomingandoutgoingUDPandTCP
IfnotusingCIMbasedsoftwareformonitoringormanagement
NFSclient nfsClient 111,2049 OutgoingTCPandUDP
IfnotmountingNFSbasedstorageintheserviceconsole
VMwareConsolidatedBackup
VCB 443,902 OutgoingTCP IfnotusingVCBforbackup
Copyright 2008 VMware, Inc. All rights reserved. 9
Security Hardening
Additionalsoftwarethatmightrunintheserviceconsoleincludesmanagementagentsandbackupagents.Althoughthissoftwaremighthavealegitimatepurpose,themorecomponentsyouhaverunningintheserviceconsole,themorepotentialobjectsaresusceptibletosecurityvulnerabilities.Inaddition,thesecomponentsoftenrequirespecificnetworkportstobeopeninordertofunction,thusfurtherincreasingtheavenuesofattack.
Formoreinformationandrecommendationsonrunningthirdpartysoftwareintheserviceconsole,seehttp://www.vmware.com/vmtn/resources/516.
Use VI Client and VirtualCenter to Administer the Hosts Instead of Service Console
Thebestmeasuretopreventsecurityincidentsintheserviceconsoleistoavoidaccessingitifatallpossible.YoucanperformmanyofthetasksnecessarytoconfigureandmaintaintheESXhostusingtheVIClient,eitherconnecteddirectlytothehostor,betteryet,goingthroughVirtualCenter.TheVIClientcommunicatesusingawelldefinedAPI,whichlimitswhatcanbedone.Thisissaferthandirectexecutionofarbitrarycommands.GoingthroughVirtualCenterhastheaddedbenefitthatauthorizationandauthenticationareperformedviayourstandardcentralActiveDirectoryservice,insteadofusingspeciallocalaccountsintheserviceconsole.Inaddition,rolesandusersarestoredinadatabase,providinganeasywaytoviewthecurrentpermissionsaswellastakeasnapshotofthem.VirtualCenteralsokeepstrackofeverytaskinvokedthroughit,providinganautomaticaudittrail.
Anotheralternativeistousearemotescriptinginterface,suchastheVIPerlToolkitortheremotecommandlineinterface(RemoteCLI).TheseinterfacesarebuiltonthesameAPIthatVIClientandVirtualCenteruse,soanyscriptusingthemautomaticallyenjoysthesamebenefitsofauthentication,authorization,andauditing.
InESX3.5,someadvancedtasks,suchasinitialconfigurationforpasswordpolicies,cannotbeperformedviatheVIClient.Forthesetasks,youmustlogintotheserviceconsole.Also,ifyouloseyourconnectiontothehost,executingcertainofthesecommandsthroughthecommandlineinterfacemaybeyouronlyrecourseforexample,ifthenetworkconnectionfailsandyouarethereforeunabletoconnectusingVIClient.ThesetasksaredescribedinAppendixAoftheESXServer3ConfigurationGuide.
Use a Directory Service for AuthenticationAdvancedconfigurationandtroubleshootingofanESXhostmayrequirelocalprivilegedaccesstotheserviceconsole.Forthesetasks,youshouldsetupindividualhostlocalizeduseraccountsandgroupsforthefewadministratorswithoverallresponsibilityforyourvirtualinfrastructure.Ideally,theseaccountsshouldcorrespondtorealindividualsandnotbeaccountssharedbymultiplepeople.Althoughyoucancreateonthe
CIMoverHTTP CIMHttpServer 5988 IncomingTCP IfnotusingCIMbasedsoftwareformonitoringormanagement
CIMoverHTTPS
CIMHttpsServer 5989 IncomingTCP IfnotusingCIMbasedsoftwareformonitoringormanagement
Licensing LicenseClient 27000,27010 OutgoingTCP Ifusingonlyhostbasedlicensing
SSHServer sshServer 22 IncomingTCP IfallmanagementisdoneviaVirtualCenter,VIClient,orotherremotemeans
VirtualCenterAgent
vpxHeartbeats 902 OutgoingUDP IfnotmanagedbyVirtualCenter
VIAPI n/a 443 IncomingandoutgoingTCP
Mustalwaysbeavailable
Secureaccessredirect
n/a 80 IncomingTCP Mustalwaysbeavailable
Table 10. Default Services in the ESX 3.5 Service Console
Service
Identification in esxcfg-firewall command Port Traffic Type When to disable
Copyright 2008 VMware, Inc. All rights reserved. 10
Security Hardening
serviceconsoleofeachhostlocalaccountsthatcorrespondtoeachglobalaccount,thispresentstheproblemofhavingtomanageusernamesandpasswordsinmultipleplaces.Itismuchbettertouseadirectoryservice,suchasNISorLDAP,todefineandauthenticateusersontheserviceconsole,soyoudonothavetocreatelocaluseraccounts.
Inthedefaultinstallation,ESX3.5cannotuseActiveDirectorytodefineuseraccounts.However,itcanuseActiveDirectorytoauthenticateusers.Inotherwords,youcandefineindividualuseraccountsonthehost,thenusethelocalActiveDirectorydomaintomanagethepasswordsandaccountstatus.Youmustcreatealocalaccountforeachuserthatrequireslocalaccessontheserviceconsole.Thisshouldnotbeseenasaburden;ingeneral,onlyrelativelyfewpeopleshouldhaveaccesstotheserviceconsole,soitisbetterthatthedefaultisfornoonetohaveaccessunlessyouhavecreatedanaccountexplicitlyforthatuser.
Authenticationontheserviceconsoleiscontrolledbythecommandesxcfg-auth.Youcanfindinformationonthiscommandinitsmanpage.Typeman esxcfg-authatthecommandlinewhenloggedintotheserviceconsole.ForinformationonauthenticationwithActiveDirectory,seethetechnicalnoteathttp://www.vmware.com/vmtn/resources/582.
Itisalsopossibletousethirdpartypackages,suchasWinbindorCentrify,toprovidetighterintegrationwithActiveDirectory.Consultthedocumentationforthosesolutionsforguidanceonhowtodeploythemsecurely.
Strictly Control Root PrivilegesBecausetherootuseroftheserviceconsolehasalmostunlimitedcapabilities,securingthisaccountisthemostimportantstepyoucantaketosecuretheESXhost.Bydefault,allinsecureprotocols,suchasFTP,Telnet,andHTTP,aredisabled.RemoteaccessviaSSHisenabled,butnotfortherootaccount.Youcancopyfilesremotelytoandfromtheserviceconsoleusinganscp(securecp)client,suchasWinSCP.
EnablingremoterootaccessoverSSHoranyotherprotocolisnotrecommended,becauseitopensthesystemtonetworkbasedattackshouldsomeoneobtaintherootpassword.Abetterapproachistologinremotelyusingaregularuseraccount,thenusesudotoperformprivilegedcommands.Thesudocommandenhancessecuritybecauseitgrantsrootprivilegesonlyforselectactivities,incontrastwiththesucommand,whichgrantsrootprivilegesforallactivities.Usingsudoalsoprovidessuperioraccountabilitybecauseallsudoactivitiesarelogged,whereasifyouusesu,ESXlogsonlythefactthattheuserswitchedtorootbywayofsu.Thesudocommandalsoprovidesawayforyoutograntorrevokeexecutionrightstocommandsonanasneededbasis.
YoucangoastepfurtheranddisallowrootaccessevenontheconsoleoftheESXhostthatis,whenyouloginusingascreenandkeyboardattachedtotheserveritself,ortoaremotesessionattachedtotheserversconsole.Thisapproachforcesanyonewhowantstoaccessthesystemtofirstloginusingaregularuseraccount,thenusesudoorsutoperformtasks.Ideally,onlyalimitedsetofindividualsneedpermissiontorunsuinordertoperformarbitraryadministrativetasks.Ifyoudecidetodisallowrootloginontheconsole,youshouldfirstcreateanonprivilegedaccountonthehosttoenablelogins,otherwiseyoucouldfindyourselflockedoutofthehost.Thisnonprivilegedaccountshouldbealocalaccountthatis,onethatdoesnotrequireremoteauthenticationsothatifthenetworkconnectiontothedirectoryserviceislost,accesstothehostisstillpossible.Youcanassurethisaccessbydefiningalocalpasswordforthisaccount,usingthepasswdcommand.Thelocalpasswordoverridesauthenticationviadirectoryservices(asdiscussedintheprevioussection).Theneteffectisthatadministratorscancontinuetoaccessthesystem,buttheyneverhavetologinasroot.Instead,theyusesudotoperformparticulartasksorsutoperformarbitrarycommands.
Topreventdirectrootloginontheconsole,modifythefile/etc/securettytobeempty.Whileloggedinasroot,enterthefollowingcommand:
cat /dev/null > /etc/securetty
Afteryoudothis,onlynonprivilegedaccountsareallowedtologinattheconsole.Notethatthisalsocandisableremoteconsolecapabilities,suchasiLOandDRAC.
Copyright 2008 VMware, Inc. All rights reserved. 11
Security Hardening
Control Access to Privileged CapabilitiesBecausesuissuchapowerfulcommand,youshouldlimitaccesstoit.Bydefault,onlyusersthataremembersofthewheelgroupintheserviceconsolehavepermissiontorunsu.Ifauserattemptstorunsu -togainrootprivilegesandthatuserisnotamemberofthewheelgroup,thesu -attemptfailsandtheeventislogged.
Besidescontrollingwhohasaccesstothesucommand,throughthepluggableauthenticationmodule(PAM)infrastructure,youcanspecifywhattypeofauthenticationisrequiredtosuccessfullyexecutethecommand.Inthecaseofthesucommand,therelevantPAMconfigurationfileis/etc/pam.d/su.Toallowonlymembersofthewheelgrouptoexecutethesucommand,andthenonlyafterauthenticatingwithapassword,findthelinebeginningwithauth requiredandremovetheleadingpoundsign(#)soitreads:
auth required /lib/security/$ISA/pam_wheel.so use_uid
Thesudoutilityshouldbeusedtocontrolwhatprivilegedcommandsuserscanrunwhileloggedintotheserviceconsole.Amongthecommandsyoushouldregulatearealloftheesxcfg-*commandsaswellasthosethatconfigurenetworkingandotherhardwareontheESXhost.Youshoulddecidewhatsetofcommandsshouldbeavailabletomorejunioradministratorsandwhatcommandsyoushouldallowonlysenioradministratorstoexecute.Youcanalsousesudotorestrictaccesstothesucommand.
Usethefollowingtipstohelpyouconfiguresudo:
Configurelocalandremotesudologging(seeMaintainProperLoggingonpage 12).
Createaspecialgroup,suchasvi_admins,andallowonlymembersofthatgrouptousesudo.
Usesudoaliasestodeterminetheauthorizationscheme,thenaddandremoveusersinthealiasdefinitionsinsteadofinthecommandsspecification.
Becarefultopermitonlytheminimumnecessaryoperationstoeachuserandalias.Permitveryfewuserstorunthesucommand,becausesuopensashellthathasfullrootprivilegesbutisnotauditable.
Ifyouhaveconfiguredauthenticationusingadirectoryservice,sudousesitbydefaultforitsownauthentication.Thisbehavioriscontrolledbythe/etc/pam.d/sudofile,onthelineforauth.Thedefaultsettingservice=system-authtellssudotousewhateverauthenticationschemehasbeensetgloballyusingtheesxcfg-authcommand.
Requireuserstoentertheirownpasswordswhenperformingoperations.Thisisthedefaultsetting.Donotrequiretherootpassword,becausethispresentsasecurityrisk,anddonotdisablepasswordchecking.Insudotheauthenticationpersistsforabriefperiodoftimebeforesudoasksforapasswordagain.
Forfurtherinformationandguidelinesforusingsudo,seehttp://www.gratisoft.us/sudo/.
Establish a Password Policy for Local User AccountsForanylocaluseraccounts,theserviceconsoleprovidespasswordcontrolsontwolevelstohelpyouenforcepasswordpoliciestolimittheriskofpasswordcracking:
PasswordagingThesecontrolsgovernhowlongauserpasswordcanbeactivebeforetheuserisrequiredtochangeit.Theyhelpensurethatpasswordschangeoftenenoughthatifanattackerobtainsapasswordthroughsniffingorsocialengineering,theattackercannotcontinuetoaccesstheESXhostindefinitely.
PasswordcomplexityThesecontrolsensurethatuserscreatepasswordsthatarehardforpasswordgeneratorstodetermine.Insteadofusingwords,acommontechniqueforensuringpasswordcomplexityistouseamemorablephrase,thenderiveapasswordfromitforexample,byusingthefirstletterofeachword.
BothofthesepoliciesaredescribedinthesectionPasswordRestrictionsintheESXServer3ConfigurationGuide.
Thedefaultpam_cracklib.sopluginprovidessufficientpasswordstrengthenforcementformostenvironments.However,ifthepam_cracklib.sopluginisnotstringentenoughforyourneeds,youcanusethepam_passwdqc.soplugininstead.Youchangethepluginusingtheesxcfg-authcommand.
Copyright 2008 VMware, Inc. All rights reserved. 12
Security Hardening
Forfurtherprotection,youcanenforceaccountlockoutaftertoomanyunsuccessfulloginattempts.ToconfiguretheESXserviceconsoletodisabletheaccountafterthreeunsuccessfulloginattempts,addthefollowinglinesto/etc/pam.d/system-auth:
auth required /lib/security/pam_tally.so no_magic_rootaccount required /lib/security/pam_tally.so deny=3no_magic_root
Tocreatethefileforloggingfailedloginattempts,executethefollowingcommands:
touch /var/log/faillogchown root:root /var/log/faillogchmod 600 /var/log/faillog
Do Not Manage the Service Console as a Linux HostTheserviceconsoleisgeneratedfromaRedHatLinuxdistributionthathasbeenmodifiedtoprovideexactlythefunctionalitynecessarytocommunicatewithandallowmanagementoftheVMkernel.AnyadditionalsoftwareinstalledshouldnotmakeassumptionsaboutwhatRPMpackagesarepresent,northatthesoftwarecanmodifythem.Inseveralcases,thepackagesthatdoexisthavebeenmodifiedespeciallyforESX.
ItisparticularlyimportantthatyounottreattheserviceconsolelikeaLinuxhostwhenitcomestopatching.NeverapplypatchesissuedbyRedHatoranyotherthirdpartyvendor.ApplyonlypatchesthatarepublishedbyVMwarespecificallyfortheversionsofESXthatyouhaveinuse.Thesearepublishedfordownloadperiodically,aswellasonanasneededbasisforsecurityfixes.Youcanreceivenotificationsforsecurityrelatedpatchesbysigningupforemailnotificationsathttp://www.vmware.com/security.
Similarly,youshouldneveruseascannertoanalyzethesecurityoftheserviceconsoleunlessthescannerisspecificallydesignedtoworkwithyourversionofESX.Inparticular,scannersthatassumetheserviceconsoleisastandardRedHatLinuxdistributionroutinelyyieldfalsepositives.Thesescannerstypicallylookonlyforstringsinthenamesofsoftware,andthereforedonotaccountforthefactthatVMwarereleasescustomversionsofpackageswithspecialnameswhenprovidingsecurityfixes.Becausethesespecialnamesareunknowntothescanners,theyflagthemasvulnerabilitieswheninrealitytheyarenot.YoushoulduseonlyscannersthatspecificallytreattheESXserviceconsoleasauniquetarget.Formoreinformation,seethesectionSecurityPatchesandSecurityVulnerabilityScanningSoftwareinthechapterServiceConsoleSecurityoftheESXServer3ConfigurationGuide.
Inaddition,youshouldnotmanagetheserviceconsoleasifitwereatraditionalLinuxhost.Theusualredhat-config-*commandsarenotpresent,norareothercomponentssuchastheXserver.Instead,youmanagetheESXhostusingaseriesofpurposebuiltcommands,suchasvmkfstoolsandtheesxcfg-*commands.ManyofthesecommandsshouldbeusedonlyuponinstructionfromVMwareTechnicalSupport,ornotinvokedmanuallyatall,butafewprovidefunctionalitythatisnotavailableviatheVIClient,suchasauthenticationmanagementandadvancedstorageconfiguration.
Ifyoufollowthebestpracticeofisolatingthenetworkfortheserviceconsole,thereisnoreasontorunanyantivirusorothersuchsecurityagents,andtheiruseisnotnecessarilyrecommended.However,ifyourenvironmentrequiresthatsuchagentsbeused,useaversiondesignedtorunonRedHatEnterpriseLinux3,Update6.
Formoreinformationonthespecialadministrativecommandsintheserviceconsole,seeESXTechnicalSupportCommandsandUsingvmkfstoolsintheappendicesoftheESXServer3ConfigurationGuide.
Maintain Proper LoggingProperandthoroughloggingallowsyoutokeeptrackofanyunusualactivitythatmightbeaprecursortoanattackandalsoallowsyoutodoapostmortemonanycompromisedsystemsandlearnhowtopreventattacksfromhappeninginthefuture.
Copyright 2008 VMware, Inc. All rights reserved. 13
Security Hardening
ThesyslogdaemonperformsthesystemlogginginESX.Youcanaccessthelogfilesintheserviceconsolebygoingtothe/var/log/directory.SeveraltypesoflogfilesgeneratedbyESXareshowninTable11.
Thelogfilesprovideanimportanttoolfordiagnosingsecuritybreachesaswellasothersystemissues.Theyalsoprovidekeysourcesofauditinformation.Inadditiontostoringloginformationinfilesonthelocalfilesystem,youcansendthisloginformationtoaremotesystem.Thesyslogprogramistypicallyusedforcomputersystemmanagementandsecurityauditing,anditcanservethesepurposeswellforESXhosts.Youcanselectindividualserviceconsolecomponentsforwhichyouwantthelogssenttoaremotesystem.
Thefollowingtipsprovidebestpracticesforlogging:
Ensureaccuratetimekeeping.
Byensuringthatallsystemsusethesamerelativetimesource(includingtherelevantlocalizationoffset),andthattherelativetimesourcecanbecorrelatedtoanagreedupontimestandard(suchasCoordinatedUniversalTimeUTC),youcanmakeitsimplertotrackandcorrelateanintrudersactionswhenreviewingtherelevantlogfiles.Intheserviceconsole,yousetthetimesourceusingtheNTP(NetworkTimeProtocol)system.ForinstructionsonhowtoconfigureNTP,seeVMwareknowledgebasearticle1339(http://kb.vmware.com/kb/1339).
Controlgrowthoflogfiles.
Inordertopreventthelogfilefromfillingupthediskpartitiononwhichitresides,configurelogfilerotation.Thisautomaticallycreatesabackupofthelogfileafteritreachesacertainspecifiedsizeandkeepsonlyaspecifiednumberofolderbackupfilesbeforeautomaticallydeletingthem,thuslimitingthetotaldiskusageforlogging.Thelogrotationbehaviorisspecifiedforeachcomponentinconfigurationfileslocatedinthedirectory/etc/logrotate.daswellasinthefile/etc/logrotate.conf.
Forthethreefilesin/etc/logrotate.dvmkernel,vmksummary,andvmkwarningitisrecommendthattheconfigurationbemodifiedto:
Increasethesizeofthelogfileto4096k.
Enablecompressionbysettingthelinecompressinsteadofnocompress.
Table 11. Key Log Files Generated by ESX
Component Location Purpose
Vmkernel /var/log/vmkernel RecordsactivitiesrelatedtothevirtualmachinesandESX
VMkernelwarnings /var/log/vmkwarning Recordsactivitieswiththevirtualmachines
VMkernelsummary /var/log/vmksummary UsedtodetermineuptimeandavailabilitystatisticsforESX;humanreadablesummaryfoundin/var/log/vmksummary.txt
ESXhostagentlog /var/log/vmware/hostd.log ContainsinformationontheagentthatmanagesandconfigurestheESXhostanditsvirtualmachines
Virtualmachines Thesamedirectoryastheaffectedvirtualmachinesconfigurationfiles;namedvmware.logandvmware-*.log
Containinformationwhenavirtualmachinecrashesorendsabnormally
VirtualCenteragent /var/log/vmware/vpx ContainsinformationontheagentthatcommunicateswithVirtualCenter
Webaccess Filesin/var/log/vmware/webAccess RecordsinformationonWebbasedaccesstoESX
Serviceconsole /var/log/messages ContainallgenerallogmessagesusedtotroubleshootvirtualmachinesorESX
Authenticationlog /var/log/secure Containsrecordsofconnectionsthatrequireauthentication,suchasVMwaredaemonsandactionsinitiatedbythexinetddaemon.
Copyright 2008 VMware, Inc. All rights reserved. 14
Security Hardening
Thisallowsgreaterlogginginthesamefilesystemspace.Formoreinformationonconfiguringlogfilerotation,seeman logrotate.
Useremotesysloglogging.
Remoteloggingtoacentralhostprovidesawaytogreatlyincreaseadministrationcapabilities.Bygatheringlogfilesontoacentralhost,youcaneasilymonitorallhostswithasingletoolaswellasdoaggregateanalysisandsearchingtolookforsuchthingsascoordinatedattacksonmultiplehosts.
Animportantpointtoconsideristhatthelogmessagesarenotencryptedwhensenttotheremotehost,soitisimportantthatthenetworkfortheserviceconsolebestrictlyisolatedfromothernetworks.
Syslogbehavioriscontrolledbytheconfigurationfile/etc/syslog.conf.Forlogsyouwanttosendtoaremoteloghost,addalinewith@afterthemessagetype,whereisthenameofahostconfiguredtorecordremotelogfiles.Makesurethatthishostnamecanbeproperlyresolved,puttinganentryinthenameservicemapsifneeded.
Example:
local6.warning @
Aftermodifyingthefile,tellthesyslogdaemontorereaditbyissuingthefollowingcommand:
kill -SIGHUP `cat /var/run/syslogd.pid`
Displaydifferentloglevelmessagesondifferentscreens.
Anoptionforsyslogistologtoanalternateconsole,whichcanbedisplayedfromtheterminaloftheESXhost.ESXhasthecapabilityattheconsoletodisplayanumberofvirtualterminals.Thisgivesyouthecapabilitytohavecritical,error,andwarningmessagesdisplayedondifferentscreens,enablingyoutoquicklydifferentiatetypesoferrors.
Toenablethisseparationoflogmessagedisplay,addthefollowinglinestothe/etc/syslog.conffile:
*.crit /dev/tty2
Alllogitemsatthecriticallevelorhigherareloggedtothevirtualterminalattty2.PressAltF2attheESXconsoletoviewtheselogs.
*.err /dev/tty3
Alllogitemsattheerrorlevelorhigherareloggedtothevirtualterminalattty3.PressAltF3attheESXconsoletoviewtheselogs
*.warning /dev/tty4
Alllogitemsatthewarninglevelorhigherareloggedtothevirtualterminalattty4.PressAltF4attheESXServerconsoletoviewtheselogs.
Whenyouarefinished,issuethecommandforrereadingtheconfigurationfile:
kill -SIGHUP `cat /var/run/syslogd.pid`
Uselocalandremotesudologging.
Ifyouhaveconfiguredsudotoenablecontrolledexecutionofprivilegedcommands,youcanbenefitfromusingsyslogtoaudituseofthesecommands.Bydefault,allinvocationsofsudoareloggedto/var/log/secure.Bymodifyingthelinecontainingthisfilenameinthesyslogconfigurationfileasdescribedabove,youcanhavealltheselogmessagesalsosenttoaremotesyslogserver.
Establish and Maintain File System IntegrityTheserviceconsolehasanumberoffilesthatspecifyitsconfigurations:
/etc/profile
/etc/ssh/sshd_config
/etc/pam.d/system-auth
Copyright 2008 VMware, Inc. All rights reserved. 15
Security Hardening
/etc/grub.conf
/etc/krb.conf
/etc/krb5.conf
/etc/krb.realms
/etc/login.defs
/etc/openldap/ldap.conf
/etc/nscd.conf
/etc/ntp
/etc/ntp.conf
/etc/passwd
/etc/group
/etc/nsswitch.conf
/etc/resolv.conf
/etc/sudoers
/etc/shadow
Inaddition,ESXconfigurationfileslocatedinthe/etc/vmwaredirectorystorealltheVMkernelinformation.
Allofthesefilesshouldbemonitoredforintegrityandunauthorizedtampering,usingacommercialtoolsuchasTripwireorConfiguresoft,orbyusingachecksumtoolsuchassha1sum,whichisincludedintheserviceconsole.Thesefilesshouldalsobebackedupregularly,eitherusingbackupagentsorbydoingbackupsbasedonfilecopying.NotallofthesefilesareactuallyusedbyyourparticularESXdeployment,butallthefilesarelistedforcompleteness.
Anotherchecktoperformistomakesurethatthefilepermissionsofimportantfilesandutilitycommandshavenotbeenchangedfromthedefault.Somefilesinparticulartocheckinclude:
The/usr/sbin/esxcfg-*commands,whichareallinstalledbydefaultwithpermissions500,exceptforesxcfg-authwhichhaspermissions544.
Thelogfilesdiscussedintheprevioussection,whichallhavepermissions600,exceptforthedirectory/var/log/vmware/webAccess,whichhaspermissions755,andthevirtualmachinelogfiles,whichhavepermissions644.
CertainsystemcommandsthathavetheSUIDbit.ThesecommandsarelistedinTable123oftheESXServer3ConfigurationGuide.
Forallofthesefiles,theuserandgroupownershouldberoot.
Secure the SNMP ConfigurationESX3.5providesanSNMPagenttomonitorfaultsandsystemstatus.ItsupportsSNMPversions1,2c,and3.WhenanSNMPagentisenabledinESX,networkmanagementtoolscanlistenfornotificationsorpollforstatusinformationabouttheconfigurationofvirtualmachinesandthestateofthenetwork,CPU,disk,andinstalledsoftware.
ItisrecommendedthatyouconfigureESX3.5touseSNMPversion3,whichprovidesforauthenticationandprivacyofmessagesbetweentheagentandmanagementstation.Consultthesnmpd.confmanpageformoreinformationonconfiguringSNMP.
Copyright 2008 VMware, Inc. All rights reserved. 16
Security Hardening
Protect against the Root File System Filling UpWhenyouinstallESX3.5,youshouldaccepttherecommendeddiskpartitioningforthemosteffectiveinstallation.Ifyouchoosetopartitionthediskmanually,youshouldensurethatyouhavecreatedseparatepartitionsforthedirectories/home,/tmp,and/var/log.Thesearealldirectoriesthathavethepotentialtofillup,andiftheyarenotisolatedfromtherootpartition,youcouldexperienceadenialofserviceiftherootpartitionisfullandunabletoacceptanymorewrites.DatastorePartitioning,anappendixoftheInstallationandUpgradeGuide,coversdiskpartitionsinmoredetail.
Disable Automatic Mounting of USB DevicesExternalUSBdrivescanbeconnectedtotheESXhostandbeloadedautomaticallyontheserviceconsole.TheUSBdrivemustbemountedbeforeyoucanuseit,butdriversareloadedtorecognizethedevice.MalicioususersmaybeabletorunmaliciouscodeontheESXhostandgoundetectedbecausetheUSBdriveisexternal.Bydefault,automaticUSBdrivemountingisenabled,butitisrecommendedthatyoudisablethisfeaturebyeditingtheserviceconsolefile/etc/modules.confandcommentingoutthelinecontainingalias usb-controllerbyplacingapoundsign(#)atthebeginning.
Configuring Host-level Management in ESXi 3.5EventhoughESXi3.5doesnotshipwithaserviceconsole,therearesomeaspectsofhostlevelmanagementthatyoucanconfigureandmonitor.SomeoftheseoptionsarenewtotheESXiarchitecture,andsomeareanalogoustooptionsavailableinESX3.5.
Strictly Control Root PrivilegesYoumightwanttoavoidmanagingESXihostsdirectly,butinsteadprefertorequirethatallmanagementbedonethroughVirtualCenter.Thisenforcestheuseofacentralauthenticationmodel(typicallyActiveDirectory)andallowspermissionstobesetglobally.Italsoallowsalltaskstobeloggedinoneplace,theVirtualCenterdatabase,whichmakesauditingeasier.
LockdownmodeisavailableonanyESXi3.5hostthatyouhaveaddedtoaVirtualCenterServer.EnablinglockdownmodedisablesallremoterootaccesstoESXi3.5machines.Anysubsequentlocalchangestothehostmustbemade:
InaVIClientsessionorusingRemoteCLIcommandstoVirtualCenter.
InaVIClientsessionorusingRemoteCLIcommandsdirecttotheESXi3.5systemusingalocaluseraccountdefinedonthehost.Bydefault,nolocaluseraccountsexistontheESXisystem.YoumustcreatethoseaccountsbeforeenablinglockdownmodeandmustcreatetheminaVIClientsessionconnecteddirectlytotheESXisystem.Changestoahostarelimitedtothosethatcanbemadewiththeprivilegesgrantedtoaparticularuserlocallyonthathost.
ItisrecommendedthatyouenablelockdownmodeforyourESXi3.5hosts.YoucanenableanddisablelockdownmodeeitherusingaVIClientloggedintoVirtualCenterorusingthedirectconsoleuserinterface(DCUI).Fordetailsonhowtodothis,seethechapterSecurityDeploymentsandRecommendationsintheESXServer3iConfigurationGuide.
Control Access to Privileged CapabilitiesIdeally,youmanageuserswhoaccesstheESXi3.5systemwiththeusermanagementfeaturesofVirtualCenter.Incertaincases,however,youneedtomanageahostdirectlyforexample:
YouhavenotpurchasedVirtualCenterperhapsbecauseyouarejuststartingoutwithESXiorbecauseyouhaveaverysmalldeployment
YouwanttoprovideforadministrativeaccesstothesystemincaseVirtualCenterisdownorotherwiseunavailable,oriftheVirtualCenteragentonthehostisnotworkingproperly
YouneedtouseRemoteCLIcommands,suchasthoseforbackingupandrestoringtheconfigurationofthesystem,thatmustberundirectlyonthehost,notthroughVirtualCenter
Copyright 2008 VMware, Inc. All rights reserved. 17
Security Hardening
Securitybestpracticesdictatethattherootpasswordshouldbeknowntoasfewindividualsaspossible,andtherootaccountshouldnotbeusedifanyalternativeispossible,becauseitisananonymousaccountandactivitybytherootusercannotbedefinitivelyassociatedwithaspecificindividual.Therootpasswordisinitiallyblank,sooneofyourfirststepsinconfiguringtheservershouldbetocreateastrongpasswordfortherootaccount.
ESXi3.5allowsyoutocreatelocalusersandgroupsonthesystem.DefinitionsfortheseusersandgroupsarestoredlocallyoneachindividualESXihost,andthedefinitionsforeachhostaretotallyindependentofotherhosts.YoucannotuseActiveDirectoryoranyotherdirectoryservicetoidentifyorauthenticatethelocalusers.Furthermore,theuserandgrouplistsmaintainedbyVirtualCenterarecompletelyseparatefromthelistsmaintainedbyESXihosts.EvenifthelistsmaintainedbyahostandVirtualCenterappeartohavecommonusers(forinstance,ausercalleddevuser),youmusttreattheseusersasseparateuserswhohappentohavethesamename.TheattributesofdevuserinVirtualCenter,includingpermissionsandpasswords,areseparatefromtheattributesofdevuserontheESXihost.IfyoulogontoVirtualCenterasdevuser,youmighthavepermissiontoviewanddeletefilesfromadatastore,whereasifyoulogontoanESXihostasdevuser,youmightnot.
Becauseoftheconfusionthatduplicatenamingcancause,VMwarerecommendsthatyouchecktheVirtualCenteruserlistbeforeyoucreateESXihostuserssoyoucanavoidcreatinghostusersthathavethesamenamesasVirtualCenterusers.TocheckforVirtualCenterusers,reviewtheWindowsdomainlist.
Youcangrantvariouslevelsofpermissionstolocalusers.TheprivilegemodelforanESXihostmirrorsthatofVirtualCenter,exceptitlacksobjectssuchasdatacentersandclusters,whichhavenomeaningforanindividualhost.Youcancreatecustomrolesthatgrantspecificprivileges,thenassignthemtocertainusers.Theseprivilegesaffectwhataparticularusercando,bothinaVIClientandusingtheRemoteCLI.Youshouldcreateadifferentlocaluseraccountforanypersonwhomightneeddirectaccesstothehostandgrantthatuserparticularprivilegestolimittheuserscapabilities.Youcanuselocalgroupdefinitionstosimplifythisassignment.
Oneparticularbuiltinlocalgrouphasspecialmeaning.Ifyougiveausermembershipinthelocaladmingroup,thatuserhastheabilitytologintotheDCUI,whichistheinterfaceavailableattheconsoleofanESXihostthatallowsforbasichostconfigurationmodifyingnetworkingsettingsandtherootpassword,forexample.AssignmenttothisgroupenablesanadministrativeusertoperformtasksontheDCUIwithoutlogginginasroot.However,thisisaverypowerfulprivilege,becauseaccesstotheDCUIallowssomeonetochangetherootpasswordorevenpoweroffthehost.Therefore,onlythemosttrustedadministratorsshouldbegrantedmembershiptothelocaladmingroup.
FormoreinformationonlocalusersandprivilegesinESXi,seethechapterAuthenticationandUserManagementintheServer3iConfigurationGuide.
Maintain Proper LoggingESXi3.5maintainsalogofactivityinlogfiles.Itusesasyslogfacility,justasESX3.5does.However,ESXimaintainsasmallernumberoflogfiles.Thefollowinglogsareavailable:
hostd.log
messages
vpxa.log(onlyifthehosthasbeedjoinedtoaVirtualCenterinstance)
Thereareseveralwaystoviewthecontentsoftheselogfiles.
ToviewthelogsinaVIClient,takethefollowingsteps:
1 LogindirectlytotheESXihostusingVIClientandmakesurethehostisselectedintheInventory.
2 ClickAdministration,thenclicktheSystemLogstab.
3 Choosethelogfileyouwanttoviewinthedropdownmenuintheupperleft.
ToviewthelogsinaWebbrowser,entertheURLhttps:///host,whereisthehostnameorIPaddressofthemanagementinterfaceoftheESXihost,thenchoosefromthelistoffilespresented.
Copyright 2008 VMware, Inc. All rights reserved. 18
Security Hardening
YoucanusetheRemoteCLIcommandvifstodownloadthelogfilestoyourlocalsystem.
Youcanalsoconfiguresyslogtosendlogmessagestoaremotesystem.
AswithESX3.5,youshouldconfigureNTPonthehosttoensureaccuratetimekeeping.
YoucanfindmoreinformationonconfiguringsyslogandNTPforESXihostsinthefollowingdocuments:
TheSystemLogFilesandHostConfigurationforESXServerandVirtualCentersectionsoftheSystemConfigurationchapterintheBasicSystemAdministrationGuide.
TheappendixRemoteCommandLineInterfaceReferenceintheESXServer3iConfigurationGuide.
Establish and Maintain Configuration File IntegrityAswithESX,ESXimaintainsitsconfigurationstateinasetofconfigurationfiles.However,onESXithesefilescanbeaccessedonlyusingtheremotefileaccessAPI,andtherearefarfewerfilesinvolved.Thesefilesnormallyarenotmodifieddirectly.Instead,theircontentsnormallychangeindirectlybecauseofsomeactioninvokedonthehost.However,thefileaccessAPIdoesallowfordirectmodificationofthesefiles,andsomemodificationsmightbewarrantedinspecialcircumstances.Therefore,youshouldmonitorallofthesefilesforintegrityandunauthorizedtampering,eitherbyperiodicallydownloadingthemandtrackingtheircontentsorbyusingacommercialtooldesignedtodothis.TheaccessibleandrelevantconfigurationfilesinESXi3.5are:
esx.conf
hostAgentConfig.xml
hosts
license.cfg
motd
openwsman.conf
proxy.xml
snmp.xml
ssl_cert
ssl_key
syslog.conf
vmware_config
vmware_configrules
vmware.lic
vpxa.cfg
ToviewtheconfigurationfilesinaWebbrowser,entertheURLhttps:///hostwhereisthehostnameorIPaddressofthemanagementinterfaceoftheESXihost,thenchoosefromthelistoffilespresented.
YoucanusetheRemoteCLIcommandvifstodownloadtheconfigurationfilestoyourlocalsystem,aswellastouploadnewversionsofthesefiles.Althoughinsomecasesthenewsettingstakeeffectimmediately,youshouldalwaysrestarttheESXhostaftermakingchangesdirectlytotheconfigurationfiles(asopposedtomakingconfigurationchangesviatheVIClient,VirtualCenter,ortheRemoteCLI).
Copyright 2008 VMware, Inc. All rights reserved. 19
Security Hardening
Secure the SNMP ConfigurationESXi3.5containsadifferentSNMPagentfromthatinESX3.5,anditsupportsonlyversions1and2c.ItprovidesthesamenotificationsasESX3.5andaddsnotificationsforhardwarerelatedsensors.UnlikeESX3.5,itsupportsonlytheSNMPv2MIBandsupportsitonlyfordiscovery,inventory,anddiagnosticsoftheSNMPagent.
SNMPmessagescontainafieldcalledthecommunitystring,whichconveyscontextandusuallyidentifiesthesendingsystemfornotifications.ThisfieldalsoprovidescontextfortheinstanceofaMIBmoduleonwhichthehostshouldreturninformation.ESX/ESXiSNMPagentsallowmultiplecommunitystringspernotificationtargetaswellasforpolling.Keepinmindthatcommunitystringsarenotmeanttofunctionaspasswords,butonlyasamethodforlogicalseparation.
SNMPv1andv2ctrafficisnotencrypted,whichmeansthatmessagescanbesnooped,andtheycouldbemodifiedinflightwithoutthereceiverknowingaboutit.Waystomitigatethisriskinclude:
RunSNMPontrustednetworks,useroutingandlayer2filteringtolockdownMACaddressestolayer2ports,androuteSNMPtraffictotrustedservers.
RunSNMPinaVPN/IPsectunnelonyouredgeroutersforSNMPtraffic.
Ensure Secure Access to CIMTheCommonInformationModel(CIM)systemprovidesaninterfacethatenableshardwarelevelmanagementfromremoteapplicationsviaasetofstandardAPIs.ToensurethattheCIMinterfaceissecure,followtheserecommendations:
DonotproviderootcredentialstoremoteapplicationstoaccesstheCIMinterface.Instead,createaserviceaccountspecifictotheseapplications.ReadonlyaccesstoCIMinformationisgrantedtoanylocalaccountdefinedontheESXisystem.
IftheapplicationrequireswriteaccesstotheCIMinterface,onlytwolocalprivilegesarerequired.Itisrecommendedthatyoucreatealocalroletoapplytotheserviceaccountwithonlytheseprivileges:
Host>Config>SystemManagement
Host>CIM>CIMInteraction
Audit or Disable Technical Support ModeESXihasaspecialtechnicalsupportmode,whichisaninteractivecommandlineavailableonlyontheconsoleoftheserver.TechnicalsupportmodeisunsupportedunlessusedinconsultationwithVMwareTechnicalSupportandmustbeactivatedbeforeitcanbeused.Accesstothismoderequirestherootpasswordoftheserverinadditiontoaccesstotheconsoleoftheserver,eitherphysicallyorthrougharemoteKVMoriLOinterface.
Technicalsupportmodeisdesignedtobeusedonlyincasesofemergency,whenmanagementagentsthatprovidetheremoteinterfacesareinoperableandtheycannotberestartedthroughtheDCUI.Thereisnoreasontousetechnicalsupportmodeforanyotherpurposeapartfromtechnicalsupport.Technicalsupportmodeisonbydefault,butyoucandisableitentirely.
Technicalsupportmodeissecuredinthefollowingways:
Itisaccessibleonlyonthelocalconsole;unlikeSSHorTelnet,itcannotbeaccessedremotely.Thus,physicalaccesstothehostorsomethingequivalenttophysicalaccess,suchasHPILO,DellDRAC,IBMRSA,orasimilarremoteconsoletoolisabsolutelyrequiredforaccesstotechnicalsupportmode.Mostorganizationshavesufficientformsofprotectiononphysical(orphysicalequivalent)accesstothehost(forexample,doorlocks,keycards,andauthenticationfortheremoteconsole).
Itrequirestherootpasswordbeforeaccessisgranted.Anyindividualswhohavebothphysical(orconsole)accessandtherootpasswordarealreadyfullyprivilegedandcandoanythingtheywantonthesystem.Thepresenceoftechnicalsupportmodedoesnotaugmentorreducethisrisk.
Copyright 2008 VMware, Inc. All rights reserved. 20
Security Hardening
Youcanaudittechnicalsupportmodeusingthefollowinginformation:
Wheneversomeoneactivatestechnicalsupportmode,thetimeanddateofactivationaresenttothesystemlogmessagesfile.
Allunsuccessfulattemptstoaccesstechnicalsupportmode(thatis,someoneenterstheincorrectrootpassword)arerecordedinthesystemlog.
Thetimeanddateofallsuccessfulaccessestotechnicalsupportmodearesenttothesystemlog
Toensureaccurateandreliablesystemlogs,youshouldconfigureremotesyslogontheserver,sologmessagesarekeptonanoutsidesystemandcannotbealteredfromtheserver.Actionsperformedwhileintechnicalsupportmodearenotlogged.AnyaccesstotechnicalsupportmodeshouldbecorrelatedwithaspecificcalltoVMwareTechnicalSupport.Ifthereisnocorrespondingsupportsession,youshouldimmediatelysuspectmaliciousactivityandinspectthesystemfortampering.
Ifyouareunabletoaudittechnicalsupportmodetoadegreethatmatchesyoursecurityriskposture,youshoulddisableitforallofyourESXihosts.Fordetailsondisablingtechnicalsupportmode,seeVMwareknowledgebasearticle1003677(http://kb.vmware.com/kb/1003677).
Configuring the ESX/ESXi HostThefollowingrecommendationsapplytothewaytheESX/ESXihostitselfisconfigured.Manyoftherecommendationsapplytotheconfigurationofthenetworkstowhichvirtualmachinesareattached,becausemostsecurityattacksoccurthroughnetworkconnections.OtherspertaintotheoperationoftheESX/ESXisoftwareitself.
Isolate the Infrastructure-related NetworksSeveralcapabilitiesofVMwareInfrastructureinvolvecommunicationamongcomponentsoveranetwork.
Management.Thisincludesthefollowingtypesofcommunication:
BetweenESX/ESXiandVirtualCenter
AmongstESX/ESXihostsforexample,forVMwareHighAvailabilitycoordination
BetweenESX/ESXiorVirtualCenterandsystemsrunningclientsoftwaresuchastheVIClientoraVISDKapplication
BetweenESX/ESXiandancillarymanagementservices,suchasDNS,NTP,syslog,andtheuserauthenticationservice
BetweenESX/ESXiandthirdpartymanagementtools,suchashardwaremonitoring,systemsmanagement,andbackuptools
BetweenVirtualCenterandsupportingservices,suchastheVirtualCenterdatabaseandtheuserauthenticationservice
BetweenVirtualCenterandoptionaladdoncomponentssuchasVMwareUpdateManagerandVMwareConverterEnterprise,iftheyareinstalledonseparateservers
VMotion.ThisinvolvestransferringtheliverunningstateofavirtualmachinefromoneESX/ESXihosttoanother.
Storage.Thisincludesanynetworkbasedstorage,suchasiSCSIandNFS.
AllofthenetworksusedforthesecommunicationsprovidedirectaccesstocorefunctionalityofVMwareInfrastructure,ThemanagementnetworkprovidesaccesstotheVMwareInfrastructuremanagementinterfaceoneachcomponent,andanyremoteattackwouldmostlikelybeginwithgainingentrytothisnetwork.VMotiontrafficisnotencrypted,sotheentirestateofavirtualmachinecouldpotentiallybesnoopedfromthisnetwork.Finally,accesstothestoragenetworkpotentiallyallowssomeonetoreadthecontentsof
Copyright 2008 VMware, Inc. All rights reserved. 21
Security Hardening
virtualdisksresidingonsharedstorage.Therefore,allofthesenetworksshouldbeisolatedandstronglysecuredfromallothertraffic,especiallyanytrafficgoingtoandfromvirtualmachines.Theexceptionisifoneofthecomponentslistedaboveactuallyrunsinavirtualmachine.Inthatcase,thisvirtualmachinenaturallyhasaninterfaceonthemanagementnetworkandthusshouldnothaveaninterfaceonanyothernetwork.
VMwarerecommendsthatyouisolatenetworksusingoneofthesemethods:
CreateaseparateVLANforeachnetwork.
Configurenetworkaccessforeachnetworkthroughitsownvirtualswitchandoneormoreuplinkports.
Ineithercase,youshouldconsiderusingNICteamingforthevirtualswitchestoprovideredundancy.
IfyouuseVLANs,youneedfewerphysicalNICstoprovidetheisolation,afactorthatisespeciallyimportantinenvironmentswithconstrainedhardwaresuchasblades.VMwarevirtualswitchesarebydesignimmunetocertaintypesofattacksthathavetraditionallytargetedVLANfunctionality.Fordetails,seethechapterSecuringanESXServer3ConfigurationintheESXServer3ConfigurationGuide.Ingeneral,VMwarebelievesthatVLANtechnologyismatureenoughthatitcanbeconsideredaviableoptionforprovidingnetworkisolation.
ESX/ESXidoesnotsupportvirtualswitchportgroupsconfiguredtoVLAN1.IfthephysicalswitchporttowhichtheESX/ESXihostisconnectedisconfiguredwithVLAN1,ESX/ESXidropsallpackets.YoucanconfiguretheESX/ESXivirtualswitchportgroupswithanyvaluebetween2and4094.UtilizingVLAN1causesadenialofservicebecauseESX/ESXidropsthistraffic.ItisrecommendedthatyoucheckthephysicalnetworkhardwareconfigurationtoverifytheportstowhichtheESX/ESXihostconnectsarenotconfiguredtoVLAN1.Inaddition,VLANID4095specifiesthattheportgroupshouldusetrunkmodeorVGTmode,whichallowstheguestoperatingsystemtomanageitsownVLANtags.GuestoperatingsystemstypicallydonotmanagetheirVLANmembershiponnetworks,soifthisvalueisset,ensurethatthereisalegitimatereasonfordoingso.
IfyoudonotuseVLANs,eitherbecauseyouhavenoVLANsupportinyourenvironmentorbecauseyoudonotconsiderVLANsstrongenoughforisolation,youcancombinethethreetypesofinfrastructurerelatednetworksontotwoorfewervirtualswitches.However,youshouldstillkeepthevirtualmachinenetworksseparatefromtheinfrastructurenetworksbyusingseparatevirtualswitcheswithseparateuplinks.
Configure Encryption for Communication between Clients and ESX/ESXiClientsessionswiththeESX/ESXihostmaybeinitiatedfromanyVIAPIclient,suchasVIClient,VirtualCenter,andtheRemoteCommandLineInterface.SSLencryptionprotectstheconnectionbetweentheVIClientandESX/ESXi,butthedefaultcertificatesusedtosecureyourVirtualCenterandVIWebAccesssessionsarenotsignedbyatrustedcertificateauthorityand,therefore,donotprovidetheauthenticationsecurityyoumightneedinaproductionenvironment.Theseselfsignedcertificatesarevulnerabletomaninthemiddleattacks,andclientsreceiveawarningaboutthem.Ifyouintendtouseencryptedremoteconnectionsexternally,considerpurchasingacertificatefromatrustedcertificateauthorityoruseyourownsecuritycertificateforyourSSLconnections.EnablingcertificatecheckingandinstallationofnewcertificatesaredescribedinthechapterAuthenticationandUserManagementintheESXServer3ConfigurationGuide.
Label Virtual Networks ClearlyLabelallyourvirtualnetworksappropriatelytopreventconfusionorsecuritycompromises.Thislabelingpreventsoperatorerrorcausedbyattachingavirtualmachinetoanetworkitisnotauthorizedforortoanetworkthatcouldallowtheleakageofsensitiveinformation.
Do Not Create a Default Port GroupDuringESX/ESXiinstallation,youhavetheoptionofcreatingadefaultvirtualmachineport.However,thisoptioncreatesavirtualmachineportgrouponthesamenetworkinterfaceastheserviceconsole.Ifthissettingisleftunchanged,itcouldallowvirtualmachinestodetectsensitiveandoftenunencryptedinformation.Becausetheserviceconsoleshouldalwaysbeonaseparate,privatenetwork,thisoptionshouldneverbeusedexceptinatestenvironment.
Copyright 2008 VMware, Inc. All rights reserved. 22
Security Hardening
Do Not Use Promiscuous Mode on Network InterfacesESX/ESXicanrunvirtualnetworkadaptersinpromiscuousmode.Youcanenablepromiscuousmodeonvirtualswitchesthatareboundtoaphysicalnetworkadapter(vmnic)andvirtualswitchesthatdonotbindtoaphysicalnetworkadapter(vmnet).Whenpromiscuousmodeisenabledforavmnicswitch,allvirtualmachinesconnectedtothevirtualswitchhavethepotentialofreadingallpacketssentacrossthatnetwork,fromothervirtualmachinesaswellasanyphysicalmachinesorothernetworkdevices.Whenpromiscuousmodeisenabledforavmnetswitch,allvirtualmachinesconnectedtothevmnetswitchhavethepotentialofreadingallpacketsacrossthatnetworkthatis,trafficamongthevirtualmachinesconnectedtothatvmnetswitch.
Althoughpromiscuousmodecanbeusefulfortrackingnetworkactivity,itisaninsecuremodeofoperationbecauseanyadapterinpromiscuousmodehasaccesstopacketsregardlessofwhethersomeofthepacketsshouldbereceivedonlybyaparticularnetworkadapter.Thismeansthatanadministratororrootuserwithinavirtualmachinecanpotentiallyviewtrafficdestinedforotherguestoperatingsystems.Youshouldusepromiscuousmodeonlyforsecuritymonitoringforexample,foranIDSsystem,debugging,ortroubleshooting.
Bydefault,promiscuousmodeissettoReject.Youcanchangethisoptionbymodifyingthesecuritypolicyonanindividualportgrouporontheentirevirtualswitch,asdescribedinthesectionLayer2SecurityPolicyintheESXServer3ConfigurationGuide.Settingthispolicyperportgroupallowsyoutohaveoneormoreprivilegedvirtualmachinesonaportgroupthatallowspromiscuousmode,whileotherportgroupsonthesameswitchdonotgrantthisprivilege.
Protect against MAC Address SpoofingEachvirtualnetworkadapterinavirtualmachinehasitsowninitialMACaddressassignedwhentheadapteriscreated.Inaddition,eachadapterhasaneffectiveMACaddressthatfiltersoutincomingnetworktrafficwithadestinationMACaddressdifferentfromtheeffectiveMACaddress.
Whenitiscreated,anetworkadapterseffectiveMACaddressandinitialMACaddressarethesame.However,thevirtualmachinesoperatingsystemcanaltertheeffectiveMACaddresstoanothervalueatanytime.IfanoperatingsystemchangestheeffectiveMACaddress,itsnetworkadapterthenreceivesnetworktrafficdestinedforthenewMACaddress.TheoperatingsystemcansendframeswithanimpersonatedsourceMACaddressatanytime.Thus,anoperatingsystemcanstagemaliciousattacksonthedevicesinanetworkbyimpersonatinganetworkadapterauthorizedbythereceivingnetwork.YoucanusevirtualswitchsecurityprofilesonESX/ESXihoststoprotectagainstthistypeofattackbysettingtwooptions,whichyoushouldsetforeachvirtualswitch:
MACaddresschangesBydefault,thisoptionissettoAccept,meaningthatESX/ESXiacceptsrequeststochangetheeffectiveMACaddresstoavalueotherthantheinitialMACaddress.TheMACAddressChangesoptionsettingaffectstrafficreceivedbyavirtualmachine.
ToprotectagainstMACimpersonation,youcansetthisoptiontoReject.Ifyoudo,ESX/ESXidoesnothonorrequeststochangetheeffectiveMACaddresstoanythingotherthantheinitialMACaddress.Instead,theportthatthevirtualadapterusedtosendtherequestisdisabled.Asaresult,thevirtualadapterdoesnotreceiveanymoreframesuntilitchangestheeffectiveMACaddresstomatchtheinitialMACaddress.TheguestoperatingsystemdoesnotdetectthattheMACaddresschangehasnotbeenhonored.
ForgedtransmissionsBydefault,thisoptionissettoAccept,meaningESX/ESXidoesnotcomparesourceandeffectiveMACaddresses.TheForgedTransmitsoptionsettingaffectstraffictransmittedfromavirtualmachine.
IfyousetthisoptiontoReject,ESX/ESXicomparesthesourceMACaddressbeingtransmittedbytheoperatingsystemwiththeeffectiveMACaddressforitsadaptertoseeiftheymatch.Iftheaddressesdonotmatch,ESX/ESXidropsthepacket.TheguestoperatingsystemdoesnotdetectthatitsvirtualnetworkadaptercannotsendpacketsusingtheimpersonatedMACaddress.ESX/ESXiinterceptsanypacketswithimpersonatedaddressesbeforetheyaredelivered,andtheguestoperatingsystemmightassumethatthepacketshavebeendropped.
Copyright 2008 VMware, Inc. All rights reserved. 23
Security Hardening
ItisrecommendedthatyousetbothoftheseoptionstoRejectformaximalsecurity.
Youcanalsosetthesesecuritypoliciesonaperportgroupbasis,whichletsyouoverridethevirtualswitchsettingforthatparticularportgroup.Ifyouneedtoconfigureadifferentpolicyforaparticularvirtualmachineforexample,ifyouhaveanintrusiondetectionvirtualappliancethatneedstomonitoralltrafficonavirtualswitchyoucancreateaspecialportgroupforthis(andonlythis)virtualappliancewiththemodifiedsettings.
Tolearnhowtheseoptionsareconfigured,seethesectionLayer2SecurityPolicyintheESXServer3ConfigurationGuide.
Secure the ESX/ESXi Host ConsoleEvenifyouhavelockeddownESX/ESXitoprotectitfromattacksthatarriveoverthenetwork,anyonewithaccesstotheconsoleofthehostmightstillcauseproblems.Althoughphysicalharmtothehostcannotbeprevented,itstillmightbepossible,forexample,toinfluencethehostsothatitbehavesimproperly,perhapsinamannerthatishardtodetect.
ForESX3.5,whichrunsaserviceconsole,onewaytoguardagainstthisistousegrubpasswordstopreventusersfrombootingintosingleusermodeorpassingoptionstothekernelduringboot.Unlessthepasswordisentered,theserverbootsonlythekernelwiththedefaultoptions.Formoreinformationongrubpasswords,seetheGNUGrubManualathttp://www.gnu.org/software/grub/manual/html_node/index.html.ThistechniquedoesnotapplytoESXi3.5,becausethereisnoserviceconsoleavailableattheconsoleofthehost.
Mask and Zone SAN Resources AppropriatelyZoningprovidesaccesscontrolinaSANtopology.Itdefineswhichhostbusadapters(HBAs)canconnecttowhichSANdeviceserviceprocessors.WhenaSANisconfiguredusingzoning,thedevicesoutsideazonearenotvisibletothedevicesinsidethezone.Inaddition,SANtrafficwithineachzoneisisolatedfromtheotherzones.WithinacomplexSANenvironment,SANswitchesprovidezoning,whichdefinesandconfiguresthenecessarysecurityandaccessrightsfortheentireSAN.
LUNmaskingiscommonlyusedforpermissionmanagement.LUNmaskingisalsoreferredtoasselectivestoragepresentation,accesscontrol,andpartitioning,dependingonthevendor.LUNmaskingisperformedatthestorageprocessororserverlevel.ItmakesaLUNinvisiblewhenatargetisscanned.TheadministratorconfiguresthediskarraysoeachserverorgroupofserverscanseeonlycertainLUNs.Maskingcapabilitiesforeachdiskarrayarevendorspecific,asarethetoolsformanagingLUNmasking.
YoushouldusezoningandLUNmaskingtosegregateSANactivity.Forexample,youmanagezonesdefinedfortestingindependentlywithintheSANsotheydonotinterferewithactivityintheproductionzones.Similarly,youcouldsetupdifferentzonesfordifferentdepartments.ZoningmusttakeintoaccountanyhostgroupsthathavebeensetupontheSANdevice.
Secure iSCSI Devices through AuthenticationOnemeansofsecuringiSCSIdevicesfromunwantedintrusionistorequirethattheESX/ESXihost,orinitiator,beauthenticatedbytheiSCSIdevice,ortarget,wheneverthehostattemptstoaccessdataonthetargetLUN.Thegoalofauthenticationistoprovethattheinitiatorhastherighttoaccessatarget,arightgrantedwhenyouconfigureauthentication.
YouhavetwochoiceswhenyousetupauthenticationforiSCSISANsontheESX/ESXihost:
ChallengeHandshakeAuthenticationProtocol(CHAP)YoucanconfiguretheiSCSISANtouseCHAPauthentication.ESX/ESXisupportsonewayCHAPauthenticationforiSCSI.ItdoesnotsupportbidirectionalCHAP.InonewayCHAPauthentication,thetargetauthenticatestheinitiator,buttheinitiatordoesnotauthenticatethetarget.Theinitiatorhasonlyonesetofcredentials,andalloftheiSCSItargetsusethem.ESX/ESXisupportsCHAPauthenticationattheHBAlevelonly.ItdoesnotsupportpertargetCHAPauthentication,whichenablesyoutoconfiguredifferentcredentialsforeachtargettoachievegreatertargetrefinement.
Copyright 2008 VMware, Inc. All rights reserved. 24
Security Hardening
DisabledYoucanconfiguretheiSCSISANtousenoauthentication.Communicationsbetweentheinitiatorandtargetareauthenticatedinarudimentaryway,becausetheiSCSItargetdevicesaretypicallysetuptocommunicatewithspecificinitiatorsonly.
ChoosingnottoenforcemorestringentauthenticationcanmakesenseifyoucreateadedicatednetworkorVLANtoserviceallyouriSCSIdevices.BecausetheiSCSIfacilityisisolatedfromgeneralnetworktraffic,itislessvulnerabletoexploit.
ESX/ESXidoesnotsupportKerberos,SecureRemoteProtocol(SRP),orpublickeyauthenticationmethodsforiSCSI.Additionally,itdoesnotsupportIPsecauthenticationandencryption.
Forinformationonhowtodeterminewhetherauthenticationiscurrentlybeingperformedandtoconfiguretheauthenticationmethod,seethechapterSecuringanESXServer3ConfigurationintheESXServer3ConfigurationGuide.
VirtualCenterVirtualCenterprovidesapowerfulwaytomanageandcontrolyourVMwareInfrastructureenvironmentfromacentralpointandenablesmoresophisticatedoperationsthroughtoolsthatworkthroughitsSDK.Itisextremelypowerfulandthereforeshouldbesubjecttothestrictestsecuritystandards.
Set Up the Windows Host for VirtualCenter with Proper SecurityBecauseVirtualCenterrunsonaWindowshost,itisespeciallycriticaltoprotectthishostagainstvulnerabilitiesandattacks.Thestandardsetofrecommendationsapplies,asitwouldforanyhost:installantivirusagents,spywarefilters,intrusiondetectionsystems,andanyothersecuritymeasures.Makesuretokeepallsecuritymeasuresuptodate,includingapplicationofpatches.
ThepasswordthatVirtualCenterusestoaccessitsdatabaseisstoredintheWindowsregistryinanencodedformat.Althoughthepasswordcannotbereaddirectly,itisnotprotectedbyencryption,soyoushouldprotecttheregistryontheVirtualCenterhosttopreventunauthorizedaccesstotheVirtualCenterdatabase.
Ingeneral,youshouldhardenandlockdowntheVirtualCenterhostaccordingtoindustrystandardconfigurationguides,suchastheDISASTIGorCISBenchmark.
Limit Administrative AccessVirtualCenterrunsasauserthatrequireslocaladministratorprivilegesandmustbeinstalledbyalocaladministrativeuser.Tolimitthescopeofadministrativeaccess,avoidusingtheWindowsAdministratorusertorunVirtualCenterafteryouinstallit.Instead,useadedicatedVirtualCenteradministratoraccount.Tosetuptheadministrativeaccount,takethefollowingsteps:
1 CreatealocalaccountforanordinaryuserontheWindowshost.ThisistheaccounttheVirtualCenteradministratorshouldusetomanageVirtualCenter.
2 InVirtualCenter,logonastheWindowsAdministrator,thengrantVirtualCenterrootadministratoraccesstothenewlycreatedaccount
3 LogoutofVirtualCenter,thenmakesureyoucanlogintoVirtualCenterasthenewuserandthatthisuserisabletoperformalltasksavailabletoaVirtualCenteradministrator
4 RemovethepermissionsinVirtualCenterforthelocalAdministratorsgroup.
Byconfiguringaccountsinthisway,youavoidautomaticallygivingadministrativeaccesstodomainadministrators,whotypicallybelongtothelocalAdministratorsgroup.ThisalsoprovidesawayofloggingintoVirtualCenterwhenthedomaincontrollerisdown,becausethelocalVirtualCenteradministratoraccountdoesnotrequireremoteauthentication.
Copyright 2008 VMware, Inc. All rights reserved. 25
Security Hardening
Limit Network Connectivity to VirtualCenterTheonlynetworkconnectionVirtualCenterrequiresistothemanagementnetworkdescribedinIsolateVirtualMachineNetworksonpage 3.YoushouldavoidputtingtheVirtualCenterserveronanyothernetwork,suchasyourproductionorstoragenetwork.Specifically,VirtualCenterdoesnotneedaccesstothenetworkonwhichVMotiontakesplace.Bylimitingthenetworkconnectivity,youcutdownonthepossibleavenuesofattack.
Usethefollowingguidelinestolimitnetworkconnectivity:
Firewalls
YoushouldprotecttheVirtualCenterserverusingafirewall.ThisfirewallmaysitbetweentheclientsandtheVirtualCenterserver,orboththeVirtualCenterServerandtheclientsmaysitbehindthefirewall,dependingonyourdeployment.Themainconsiderationisensuringthatafirewallispresentatwhatyouconsidertobeanentrypointforthesystemasawhole.
UsefirewallstorestrictwhichsystemscanaccessVirtualCenterbyIPaddress.
FormoreinformationonthepossiblelocationsforfirewallsusedwithVirtualCenter,seethesectionFirewallsforConfigurationswithaVirtualCenterServerintheESXServer3ConfigurationGuide.
TCPandUDPportsformanagementaccess
NetworksconfiguredwithaVirtualCenterservercanreceivecommunicationsfromseveraltypesofclients:theVIClient,VIWebAccess,asystemwiththeRemoteCLIoroneoftheVIToolkitsforscriptinginstalled,orthirdpartynetworkmanagementclientsthatusetheSDKtointeractwiththehost.Duringnormaloperation,VirtualCenterlistensondesignatedportsfordatafromthehostsitismanagingandfromclients.VirtualCenteralsoassumesthatthehostsitismanaginglistenfordatafromVirtualCenterondesignatedports.Ifafirewallispresentbetweenanyofthesecomponents,youmustensurethattheappropriateportsareopentosupportdatatransferthroughthefirewall.
ThesectionTCPandUDPPortsforManagementAccessintheESXServer3ConfigurationGuidelistsallthepredeterminedTCPandUDPportsusedformanagementaccesstoyourVirtualCenterserver,ESXhosts,andothernetworkcomponents.Studythissectioncarefullytodeterminehowtoconfigureyourfirewallstomaintainmaximumsecuritywhilestillallowingrequiredmanagementoperations.
Use Proper Security Measures when Configuring the Database for VirtualCenterYoushouldinstalltheVirtualCenterdatabaseonaseparateserverorvirtualmachineandsubjectittothesamesecuritymeasuresasanyproductiondatabase.Youshouldalsocarefullyconfigurethepermissionsusedforaccesstothedatabasetotheminimumnecessary.Usetheguidelinesappropriatetoyourdatabase.
MicrosoftSQLServer
Duringinstallationandupgrade,theVirtualCenteraccountmusthavetheDBOwnerrole.Duringnormaloperations,youmayfurtherrestrictpermissionstothefollowing:
Invoke/executestoredprocedures
Select,update,insert
Delete
Oracle
TheprivilegesrequiredfortheVirtualCenteraccountarelistedinthesectionPreparingtheVirtualCenterServerDatabaseofthechapterInstallingVMwareInfrastructureManagementintheESXServer3InstallationGuide.
NOTEYoumightnotbeabletoopenaVIClientremoteconsolewhenyournetworkisconfiguredsuchthatafirewallusingNATstandsbetweentheESXhostandthecomputerrunningVIClient.SeeVMwareknowledgebasearticle749640(http://kb.vmware.com/kb/749640)foraworkaroundforthisissue.
Copyright 2008 VMware, Inc. All rights reserved. 26
Security Hardening
Enable Full and Secure Use of Certificate-based EncryptionForenvironmentsthatrequirestrongsecurity,VMwarerecommendsthatadministratorsreplacealldefaultselfsignedcertificatesgeneratedatinstallationtimewithlegitimatecertificatessignedbytheirlocalrootcertificateauthorityorpublic,thirdpartycertificatesavailablefrommultiplepubliccertificateauthorities.YoushouldalsoenableservercertificateverificationonallVIClientinstallationsandtheVirtualCenterhost.ThisinvolvesamodificationtotheWindowsregistryonallclienthosts.
ForbackgroundandinformationonreplacingVirtualCenterServercertificates,seethetechnicalnoteReplacingVirtualCenterServerCertificates(http://www.vmware.com/vmtn/resources/658).ForinformationonenablingservercertificateverificationforVIClientinstallations,includinghowtopretrustcertificatesandhowtomodifytheWindowsregistryforclienthosts,seeVMwareknowledgebasearticle4646606(http://kb.vmware.com/kb/4646606).
Use VirtualCenter Custom RolesBeginningwithversion2.0,VirtualCenterprovidesasophisticatedsystemofrolesandpermissions.Theserolesandpermissionsallowfinegraineddeterminationofauthorizationforadministrativeandusertasks,basedonuserorgroupandinventoryitem,suchasclusters,resourcepools,andhosts.Youshouldtakeadvantageofthissystemtoassurethatonlytheminimumnecessaryprivilegesareassignedtopeopleinordertopreventunauthorizedaccessormodification.Somerecommendationsare:
Createrolesthatenableonlythenecessarytasks.Forexample,auserwhoisonlygoingtomakeuseofanassignedvirtualmachinemightneedpermissiononlytopowerthemachineonoroff,andnotnecessarilytoattachaCDorfloppydevice.
Assignrolestoaslimitedascopeasnecessary.Forexample,youcangiveausercertainpermissionsonaresourcepoolinsteadofadiscretehost,andyoucanusefolderstocontainthescopeofaprivilege.
FormoreinformationonVirtualCenterroles,seethepaperManagingVirtualCenterRolesandPermissions(http://www.vmware.com/resources/techresources/826).
Document and Monitor Changes to the ConfigurationAlthoughmostofaVMwareInfrastructureenvironmentisdefinedbyinformationcontainedintheVirtualCenterdatabase,certainimportantconfigurationinformationresidesonlyontheVirtualCenterServerhostslocalfilesystem.Thisincludesthemainconfigurationfilevpxd.cfg,variouslogfiles,and,implicitly,theWindowsregistrysettingsthatpertaintoVirtualCenter.
Forcomplianceandauditing,itisimportantthatyouhavearecordoftheseconfigurationsovertime.OneconvenientwaytocaptureeverythinginoneplaceistousetheGenerateVirtualCenterServerlogbundlecommand,intheVMwareprogramfilemenuontheVirtualCenterhost.Thistoolisdesignedtocaptureinformationtobeusedfortroubleshootinganddebugging,buttheresultingarchivefileservesasaconvenientwaytomaintainahistoricalrecord.
TheresultingZIParchiveincludesfilesthatcontainthevaluesofrelevantWindowsregistryentries,configurationfilesforVirtualCenterandanyaddoncomponents,andlogfilesforVirtualCenter,thelicenseserver,andanyaddoncomponents.Byperformingthistaskonaregularbasis,youcankeeptrackofallchangesthataffectyourVirtualCenterinstallation.
NOTEYouneedtoreplacethedefaultVirtualCenterServercertificatebeforeenablingservercertificateverification.
Copyright 2008 VMware, Inc. All rights reserved. 27
Security Hardening
Ifyouwanttomonitorthelogfilesdirectly,useTable12todeterminewhichfilestowatch:
VirtualCenter Add-on ComponentsBeginningwithversion2.5,VirtualCenterincludesaframeworkthatenablesyoutoaddcomponentstoVirtualCentertoextenditsfunctionality.Thesecomponentstypicallyrunasseparateservices,whichareinstalledontheVirtualCenterserverorinsomecasesaonseparatehostorinavirtualmachine.ThreeofthesecomponentsarebundledwithVirtualCenter:
VMwareUpdateManager:managesandautomatespatchmanagementandtrackingofESXhostsandvirtualmachines,includingturnedoffvirtualmachinesandvirtualmachinetemplates
VMwareConverterEnterpriseforVirtualCenter:providesanintegratedsolutionformigratingbothphysicalandvirtualmachinestoVMwareInfrastructure.
VMwareGuidedConsolidation:automaticallydiscoversphysicalservers,helpsanalyzetheirperformance,andtriggerstheconversionofphysicaltovirtualmachinesplacedintelligentlyonasuitablehost.
VMware Update ManagerYoushouldconsiderVMwareUpdateManageranessentialcomponentofanyVMwareInfrastructuredeployment.Theabilitytomakesurethatcriticaloperatingsystempatchesareappliedtoallvirtualmachines,especiallyofflinevirtualmachinesandtemplates,addressesoneofthemostimportantaspectsofsecurityinavirtualizedenvironment.Furthermore,theabilitytoautomatethepatchingofESXhostsgreatlyincreasesthelikelihoodthatyouareprotectedagainstanyvulnerabilitiesthatmaybediscoveredforthisplatform.
InordertomaintainisolationoftheVirtualCenterhost,itisrecommendedthatyouinstallVMwareUpdateManageronaseparatehostorinavirtualmachine.ThishostneedstohaveaccesstotheVirtualCenterusingtheVIAPIinterface(availablebydefaultonTCPport443).Inthedefaultinstallation,thehostwhereyouinstallVMwareUpdateManageralsoneedsaccesstotheInternetinordertodownloadpatchesandpatchinformation.YoucanconfigureittouseaWebproxy,astepyoushouldtakeifaWebproxyisavailable.Forhighestsecurity,youcaninstalltheUpdateManagerDownloadServiceonaseparateserver,andthepatchesandinformationthatitdownloadscanbetransferredmanuallytotheUpdateManagerhostforexample,usingaUSBkeyorscheduled,securefiletransfer.ThisavoidshavingtheUpdateManagerhostitselfconnectedtoanexternalnetwork.FormoreinformationoninstallingUpdateManagerandtheUpdateManagerDownloadService,seethechapterWorkingwithUpdateManagerintheUpdateManagerAdministrationGuide.
VMware Converter EnterpriseAswithUpdateManager,youshouldinstallConverteronaseparatesysteminordertomaintainisolationoftheVirtualCenterhost.ConverterandthesourcesystemneedaccesstoVirtualCenterusingtheVIAPIinterface(TCPport443bydefault)andtheVIAPIinterfaceofanydestinationESXhost.However,theinformationfromtheharddiskofthesourcesystemistransferredtothedestinationESXhostoverport902.Inaddition,theConverterserverneedsaccesstoport139onthesourcesystem.
TheuseofConverterhasthepotentialforintroducingsomesecurityrisks.WhenmigratingphysicalorvirtualmachinestoVMwareInfrastructure,youruntheriskofimportingacompromisedorinfectedserver.Becausetheimportoccurswithlittlemodificationtothesource,youcouldbeintroducingavulnerabilitydirectlyintoyourenvironment.YoumightwanttoconsiderusingConverteronlyintestorstagingenvironments.
Table 12. Paths to Key VirtualCenter Log Files
Component Default path to file
VirtualCenter C:\Documents and Settings\All Users\Application Data\VMware\VMware VirtualCenter\Logs\*
WebservercomponentofVirtualCenter
C:\Program Files\VMware\Infrastructure\VirtualCenter Server\tomcat\logs\*
Licensemanager C:\WINDOWS\Temp\lmgrd.log
Copyright 2008 VMware, Inc. All rights reserved. 28
Security Hardening
VMware Guided ConsolidationGuidedConsolidationautomatestheprocessofdiscoveringandanalyzingexistingservers(virtualorphysical)forsuitabilityofconversiontovirtualmachines,andchoosingthedestinationESXhostontowhichtomigratethem.ItthenautomaticallyinvokesConvertertoperformtheactualmigrationprocess.
GuidedConsolidationisnotanoptionalcomponent,andyoucannotinstallitonaseparatehost.ItisalwaysrunningasaserviceontheVirtualCenterServerhost.GuidedConsolidationrequiresaccesstotheportsforWMI,Perfmon,andRemoteRegistryports135,137,138,139,and445.TheseportsmustbeopenonboththeVirtualCenterhostandthetargetserver.TheGuidedConsolidationservicemustberunasauserwithVirtualCenterAdministratorprivileges,aswellaswiththenecessaryWindowsprivilegestoqueryActiveDirectoryforserversintheenvironment.Inaddition,administratorcredentialsarerequiredforeachtargetsystemtobeanalyzed,sothatperformancedatacanbecollectedfromthem.Youcanenteradefaultsetoftargetsystemcredentialsandoverridethisdefaultforindividualtargetsystemsthatmightdeviatefromthedefault.
TheGuidedConsolidationservicereliesonConvertertoimporttargetserver,soallrecommendationsforConverterapplytoGuidedConsolidation,aswell.ItisrecommendedthatyounotuseGuidedConsolidationinhighersecurityenvironments.
General ConsiderationsWithanyaddoncomponent,observethefollowing:
Hardenandlockdowntheserveronwhichthecomponentisinstalledaccordingtotheindustrybestpracticesforthehostsoperatingsystem.
ThesecomponentsoftenrequireyoutoprovidecredentialsofauseraccountwithfullVMwareInfrastructureadministratorprivileges.Toreduceexposureandhaveawayofrestrictingaccessincaseaproblemisfound,createauniqueaccountforeachcomponent.Then,ifavulnerabilityorotherproblemisdiscovered,youcanreduceoreliminateprivilegesonthataccountuntilthesituationisresolved.DonotprovidethecredentialsoftheVirtualCenterhostsAdministratoraccountorofanactualuser.
Thesecomponentsusuallyhavetheirownlogfiles.Table13showsthelogfilesforthecomponentsthatarebundledwithVirtualCenter:
Client ComponentsTherecommendationsinthissectionapplytoclientsthatconnecttoVirtualCenterorESX.
Restrict the use of Linux-based ClientsAlthoughSSLbasedencryptionisusedtoprotectedcommunicationbetweenclientcomponentsandVirtualCenterorESX,theLinuxversionsofthesecomponentsdonotperformcertificatevalidation.Therefore,evenifyouhavereplacedtheselfsignedcertificatesonVirtualCenterandESXwithlegitimatecertificatessignedbyyourlocalrootcertificateauthorityorathirdparty,communicationswithLinuxclientsarestillvulnerabletomaninthemiddleattacks.ThecomponentsthatarevulnerablewhenrunningonLinuxinclude:
AnyRemoteCLIcommand
AnyVIPerlToolkitscript
Table 13. Paths to Log Files for Bundled VirtualCenter Components
Component Default path to file
VMwareUpdateManager C:\Documents and Settings\All Users\Application Data\VMware\VMware Update Manager\Logs\*
VMwareEnterpriseConverter
C:\Documents and Settings\All Users\Application Data\VMware\VMware Converter Enterprise\Logs\*
VMwareGuidedConsolidation
C:\Documents and Settings\All Users\Application Data\VMware\VMware Capacity Planner\Logs\*
Copyright 2008 VMware, Inc. All rights reserved. 29
Security Hardening
VirtualmachineconsoleaccessinitiatedfromaLinuxbasedWebAccessbrowsersession
AnyprogramwrittenusingtheVISDK
ThemanagementinterfacesofVirtualCenterandESXshouldbeavailableonlyontrustednetworks,butprovidingencryptionandcertificatevalidationaddextralayersofdefenseagainstanattack.Ifyouareabletomitigateagainstsystemsonthemanagementnetworkinterposingthemselvesonnetwork