Best Practices

Copyright 2008 VMware, Inc. All rights reserved. 1

Security HardeningVMware Infrastructure 3 (VMware ESX 3.5 and VMware VirtualCenter 2.5)

ByintroducingalayerofabstractionbetweenthephysicalhardwareandvirtualizedsystemsrunningITservices,virtualizationtechnologyprovidesapowerfulmeanstodelivercostsavingsviaserverconsolidationaswellasincreasedoperationalefficiencyandflexibility.However,theaddedfunctionalityintroducesavirtualizationlayerthatitselfbecomesapotentialavenueofattackforthevirtualservicesbeinghosted.Becauseasinglehostsystemcanhousemultiplevirtualmachines,thesecurityofthathostbecomesevenmoreimportant.

Becauseitisbasedonalightweightkerneloptimizedforvirtualization,VMwareESXandVMwareESXiarelesssusceptibletovirusesandotherproblemsthataffectgeneralpurposeoperatingsystems.However,ESX/ESXiisnotimpervioustoattack,andyoushouldtakepropermeasurestohardenit,aswellastheVMwareVirtualCentermanagementserver,againstmaliciousactivityorunintendeddamage.ThispaperprovidesrecommendationsforstepsyoucantaketoensurethatyourVMwareInfrastructure3environmentisproperlysecured.ThepaperalsoexplainsindetailthesecurityrelatedconfigurationoptionsofthecomponentsofVMwareInfrastructure3andtheconsequencesforsecurityofenablingcertaincapabilities.

ForadditionaluptodateinformationonthesecurityofVMwareproducts,gototheVMwareSecurityCenter.SeeReferencesonpage 30foralink.TheVMwareSecurityCenterprovideslinkstosecurityadvisories,alerts,andupdates,aswellassecurityutilitiesandothersecurityrelatedpapers.

TheinformationinthispaperappliestoESX3.5/ESXi3.5andVirtualCenter2.5.ItisdividedintosectionsbaseduponthecomponentsofVMwareInfrastructure3.Thesectionsonvirtualmachines,VirtualCenter,andclientcomponentsapplytobothESX3.5andESXi3.5.HostconfigurationissuesarediscussedinseparatesectionsforESX3.5andESXi3.5.BesuretoconsultthesectionsthatapplytotheVMwareInfrastructuresoftwareyouareusing.

Thepapercoversthefollowingtopics:

VirtualMachinesonpage 2

VirtualMachineFilesandSettingsonpage 4

ConfiguringtheServiceConsoleinESX3.5onpage 7

ConfiguringHostlevelManagementinESXi3.5onpage 16

ConfiguringtheESX/ESXiHostonpage 20

VirtualCenteronpage 24

VirtualCenterAddonComponentsonpage 27

ClientComponentsonpage 28

Referencesonpage 30

AbouttheAuthoronpage 31

Copyright 2008 VMware, Inc. All rights reserved. 2

Security Hardening

Virtual MachinesTherecommendationsinthissectionapplytothewayyouconfigurevirtualmachinesandthewaysyouinteractwithvirtualmachines.

Secure Virtual Machines as You Would Secure Physical MachinesAkeytounderstandingthesecurityrequirementsofavirtualizedenvironmentistherecognitionthatavirtualmachineis,inmostrespects,theequivalentofaphysicalserver.Hencetheguestoperatingsystemthatrunsinthevirtualmachineissubjecttothesamesecurityrisksasaphysicalsystem.Therefore,itiscriticalthatyouemploythesamesecuritymeasuresinvirtualmachinesthatyouwouldforphysicalservers.

Ensurethatantivirus,antispyware,intrusiondetection,andotherprotectionareenabledforeveryvirtualmachineinyourvirtualinfrastructure.Makesuretokeepallsecuritymeasuresuptodate,includingapplyingappropriatepatches.Itisespeciallyimportanttokeeptrackofupdatesfordormantvirtualmachinesthatarepoweredoff,becauseitcouldbeeasytooverlookthem.

Disable Unnecessary or Superfluous FunctionsBydisablingunnecessarysystemcomponentsthatarenotneededtosupporttheapplicationorservicerunningonthesystem,youreducethenumberofpartsthatcanbeattacked.Someofthesestepsinclude:

Disableunusedservicesintheoperatingsystem.Forexample,ifthesystemrunsafileserver,makesuretoturnoffanyWebservices.

Disconnectunusedphysicaldevices,suchasCD/DVDdrives,floppydrives,andUSBadapters.ThisisdescribedinthesectionRemovingUnnecessaryHardwareDevicesintheESXServer3ConfigurationGuide.

Turnoffanyscreensavers.IfusingaLinux,BSD,orSolarisguestoperatingsystem,donotruntheXWindowsystemunlessitisnecessary.

Take Advantage of TemplatesBycapturingahardenedbaseoperatingsystemimage(withnoapplicationsinstalled)inatemplate,youcanensurethatallyourvirtualmachinesarecreatedwithaknownbaselinelevelofsecurity.Youcanthenusethistemplatetocreateother,applicationspecifictemplates,oryoucanusetheapplicationtemplatetodeployvirtualmachines.Makesuretokeeppatchesandsecuritymeasuresuptodateintemplates.InVMwareInfrastructure3,youcanconvertatemplatetoavirtualmachineandbackagainquickly,whichmakesupdatingtemplatesquiteeasy.VMwareUpdateManageralsoprovidestheabilitytopatchtheoperatingsystemandcertainapplicationsinatemplateautomatically,thusensuringthattheyremainuptodate.

Prevent Virtual Machines from Taking Over ResourcesByusingtheresourcemanagementcapabilitiesofESX/ESXi,suchassharesandlimits,youcancontroltheserverresourcesthatavirtualmachineconsumes.Youcanusethismechanismtopreventadenialofservicethatcausesonevirtualmachinetoconsumesomuchofthehostsresourcesthatothervirtualmachinesonthesamehostcannotperformtheirintendedfunctions.Bydefault,allvirtualmachinesonanESX/ESXihostsharetheresourcesequally.Bearinmind,however,thatavirtualmachinethatexhibitsunusualmemoryandstorageaccesspatternsmightstillhavethepotentialtocauseperformancedegradationonothervirtualmachines.Itisrecommendedthatyoumonitorallvirtualmachinesforunusualorunexpectedperformancetobeawareofsuchsituations.

Copyright 2008 VMware, Inc. All rights reserved. 3

Security Hardening

Isolate Virtual Machine NetworksAlthoughthevirtualhardwareofonevirtualmachineisisolatedfromthatofothervirtualmachines,virtualmachinesalsoaretypicallyconnectedtosharednetworks.Anyvirtualmachineorgroupofvirtualmachinesconnectedtoacommonnetworkcancommunicateacrossthosenetworklinksandcan,therefore,stillbethetargetofnetworkattacksfromothervirtualmachinesonthenetwork.Asaresult,youshouldapplynetworkbestpracticestohardenthenetworkinterfacesofvirtualmachinesConsiderisolatingsetsofvirtualmachinesontheirownnetworksegmentstominimizetherisksofdataleakagefromonevirtualmachinezonetothenextacrossthenetwork.

Networksegmentationmitigatestheriskofseveraltypesofnetworkattacks,includingAddressResolutionProtocol(ARP)addressspoofing,inwhichanattackermanipulatestheARPtabletoremapMACandIPaddressestoredirectnetworktraffictoandfromagivenhosttoanotherunintendeddestination.AttackersuseARPspoofingtogeneratedenialsofservice,hijackthetargetsystem,andotherwisedisruptthevirtualnetwork.

Segmentationhastheaddedbenefitofmakingcomplianceauditsmucheasier,becauseitgivesyouaclearviewofwhichvirtualmachinesarelinkedbyanetwork.

Youcanimplementsegmentationusingeitheroftwoapproaches,eachofwhichhasitsownbenefits:

Useseparatephysicalnetworkadaptersforvirtualmachinezonesbycreatingseparatevirtualswitchesforeachone.Maintainingseparatephysicalnetworkadaptersforvirtualmachinezonesislesspronetomisconfigurationafteryouinitiallycreatesegments.

Setupvirtuallocalareanetworks(VLANs)tohelpsafeguardyournetwork.BecauseVLANsprovidealmostallofthesecuritybenefitsinherentinimplementingphysicallyseparatenetworkswithoutthehardwareoverhead,theyofferaviablesolutionthatcansaveyouthecostofdeployingandmaintainingadditionaldevices,cabling,andsoforth,whilealsoallowingforredundancyoptions.

FormoreinformationonusingVLANswithvirtualmachines,seethesectionSecuringVirtualMachineswithVLANsintheESXServer3ConfigurationGuide.

Minimize Use of the VI ConsoleTheVIConsoleallowsyoutoconnecttotheconsoleofavirtualmachine,ineffectseeingwhatamonitoronaphysicalserverwouldshow.However,theVIConsolealsoprovidespowermanagementandremovabledeviceconnectivitycontrols,whichcouldpotentiallyallowamalicioususertobringdownavirtualmachine.Inaddition,italsohasaperformanceimpactontheserviceconsole,especiallyifmanyVIConsolesessionsareopensimultaneously.InsteadofVIConsole,usenativeremotemanagementservices,suchasterminalservicesandssh,tointeractwithvirtualmachines.

Copyright 2008 VMware, Inc. All rights reserved. 4

Security Hardening

Virtual Machine Files and SettingsVirtualmachinesareencapsulatedinasmallnumberoffiles.Oneoftheimportantistheconfigurationfile(.vmx),whichgovernsthebehaviorofthevirtualhardwareandothersettings.Youcanviewandmodifytheconfigurationsettingsbyviewingthe.vmxfiledirectlyinatexteditororbycheckingthesettingsintheVIClient,usingthefollowingprocedure:

1 Choosethevirtualmachineintheinventorypanel.

2 ClickEditsettings.ClickOptions>Advanced/General.

3 ClickConfigurationParameterstoopentheConfigurationParametersdialogbox.

WhetheryouchangeavirtualmachinessettingsintheVIClientorusingatexteditor,youmustrestartthevirtualmachineformostchangestotakeeffect.

Avirtualmachinealsoincludesoneormore.vmdkfiles,whichrepresentthevirtualdisksusedbytheguestoperatingsystem.

Thefollowingsectionsprovideguidelinesyoushouldobservewhendealingwiththeseandothervirtualmachinefiles.

Disable Copy and Paste Operations Between the Guest Operating System and Remote Console

WhenVMwareToolsrunsinavirtualmachine,bydefaultyoucancopyandpastebetweentheguestoperatingsystemandthecomputerwheretheremoteconsoleisrunning.Assoonastheconsolewindowgainsfocus,nonprivilegedusersandprocessesrunninginthevirtualmachinecanaccesstheclipboardforthevirtualmachineconsole.Ifausercopiessensitiveinformationtotheclipboardbeforeusingtheconsole,theuserperhapsunknowinglyexposessensitivedatatothevirtualmachine.ItisrecommendedthatyoudisablecopyandpasteoperationsfortheguestoperatingsystembycreatingtheparametersshowninTable1.

Limit Data Flow from the Virtual Machine to the DatastoreVirtualmachinescanwritetroubleshootinginformationtoavirtualmachinelogfile(vmware.log)storedontheVMwareVMFSvolumeusedtostoreotherfilesforthevirtualmachine.Virtualmachineusersandprocessescanbeconfiguredtoabusetheloggingfunction,eitherintentionallyorinadvertently,sothatlargeamountsofdatafloodthelogfile.Overtime,thelogfilecanconsumesomuchoftheESX/ESXihostsfilesystemspacethatitfillstheharddisk,causinganeffectivedenialofserviceasthedatastorecannolongeracceptnewwrites.

Topreventthisproblem,considermodifyingtheloggingsettingsforvirtualmachines.Youcanusethesesettingstolimitthetotalsizeandnumberoflogfiles.Normallyanewlogfileiscreatedonlywhenahostisrebooted,sothefilecangrowtobequitelarge,butyoucanensurenewlogfilesarecreatedmorefrequentlybylimitingthemaximumsizeofthelogfiles.Ifyouwanttorestrictthetotalsizeofloggingdata,VMwarerecommendssaving10logfiles,eachonelimitedto100KB.Thesevaluesaresmallenoughthatthelogfilesshouldnotconsumeanundueamountofdiskspaceonthehost,yettheamountofdatastoredshouldcapturesufficientinformationtodebugmostproblems.

Table 1. Configuration Settings to Disable Copy and Paste

Name Value

isolation.tools.copy.disable true

isolation.tools.paste.disable true

isolation.tools.setGUIOptions.enable false

Copyright 2008 VMware, Inc. All rights reserved. 5

Security Hardening

Eachtimeanentryiswrittentothelog,thesizeofthelogischecked,andifitisoverthelimit,thenextentryiswrittentoanewlog.Ifthemaximumnumberoflogfilesalreadyexists,whenanewoneiscreated,theoldestlogfileisdeleted.Adenialofserviceattackthatavoidstheselimitscouldbeattemptedbywritinganenormouslogentry,buteachlogentryislimitedto4KB,sonologfilesareevermorethan4KBlargerthantheconfiguredlimit.Table2showswhichparameterstosetandtheirrecommendedvalues:

Asecondoptionistodisableloggingforthevirtualmachine.Disablingloggingforavirtualmachinemakestroubleshootingchallengingandsupportdifficult,soyoushouldnotconsiderdisablingloggingunlessthelogfilerotationapproachprovesinsufficient.Todisablelogging,settheparametershowninTable3.

Disablinglogginginthismannerdoesnotcompletelydisableallloggingmessages.TheVMXprocess,whichrunsontheESXhostandispartlyresponsibleforprovidingvirtualizationservicesforthevirtualmachine,continuestowriteloggingmessagestothevirtualmachinelogfile.However,thevolumeofmessagesfromthissourceisverylowandcannotbeexploitedfromwithinthevirtualmachine,soitisnotnormallyconsideredapotentialsourceofdataflooding.

Ifyouneverthelesswanttopreventallformsoflogging,youcandisableallmessagesbysettingtheparametershowninTable4.Howeverthisisnotrecommendedinanormalproductionenvironment.

Inadditiontologging,guestoperatingsystemprocessescansendinformationalmessagestotheESX/ESXihostthroughVMwareTools.Thesemessages,knownassetinfomessages,arewrittentothevirtualmachinesconfigurationfile(.vmx).Theytypicallycontainnamevaluepairsthatdefinevirtualmachinecharacteristicsoridentifiersthatthehoststoresforexample,ipaddress=10.17.87.224.Asetinfomessagehasnopredefinedformatandcanbeanylength.Therefore,theamountofdatapassedtothehostinthiswayisunlimited.AnunrestricteddataflowprovidesanopportunityforanattackertostageaDOSattackbywritingsoftwarethatmimicsVMwareToolsandfloodingthehostwithpackets,thusconsumingresourcesneededbythevirtualmachines.

Topreventthisproblem,theconfigurationfilecontainingthesenamevaluepairsislimitedtoasizeof1MB.This1MBcapacityshouldbesufficientformostcases,butyoucanchangethisvalue,ifnecessary.Youmightincreasethisvalueiflargeamountsofcustominformationarebeingstoredintheconfigurationfile.

TomodifytheGuestInfofilememorylimit,setthetools.setInfo.sizeLimitparameterinthe.vmxfile.Thedefaultlimitis1MB,andthislimitisappliedevenwhenthesizeLimitparameterisnotlistedinthe.vmxfile.TheexampleinTable5setsthesizelimitto1MB.

Table 2. Configuration Settings to Limit Log File Size and Number of Log Files

Name Recommended Value

log.rotateSize 100000

log.keepOld 10

Table 3. Configuration Setting to Disable Virtual Machine Logging

Name Recommended Value

Isolation.tools.log.disable true

Table 4. Configuration Setting to Disable Virtualization Service Logging

Name Recommended Value

logging false

Table 5. Configuration Setting to Limit Size of GuestInfo File

Name Recommended Value

tools.setInfo.sizeLimit 1048576

Copyright 2008 VMware, Inc. All rights reserved. 6

Security Hardening

Youmayalsoentirelypreventguestoperatingsystemsfromwritinganynamevaluepairstotheconfigurationfile,usingthesettinginTable6.Thisisappropriatewhenguestoperatingsystemsmustbepreventedfrommodifyingconfigurationsettings.

Do Not Use Nonpersistent DisksThesecurityissuewithnonpersistentdiskmodeisthatattackersmayundoorremoveanytracesthattheywereeveronthemachinewithasimpleshutdownorreboot.Oncethevirtualmachinehasbeenshutdown,thevulnerabilityusedtoaccessthevirtualmachinewillstillbepresent,andtheattackersmayaccessthevirtualmachineinthefutureatatimeoftheirchoice.Thedangeristhatadministratorsmayneverknowiftheyhavebeenattackedorhacked.Tosafeguardagainstthisrisk,youshouldusenonpersistentdiskmodeonlyfortestanddevelopmentvirtualmachines.Youshouldsetproductionvirtualmachinestousepersistentdiskmodeonly.Toverify,makesurethattheparameterscsiX:Y.modeisnotpresent,whereXandYaresingledigits,orthatifitispresent,thevalueisnotindependent-nonpersistent.YoucanconfigurethisoptionintheVIClientforeachindividualdiskonavirtualmachine.Youcanmakechangesonlywhenthevirtualmachineisnotpoweredon.Toreviewandmodifythesesettings:

1 LogintotheVIClientandchoosetheserverfromtheinventorypanel.

Thehardwareconfigurationpagefortheserverappears.

2 Expandtheinventoryasneededandchoosethevirtualmachineyouwanttocheck.

3 ClicktheEditSettingslinkintheCommandspaneltodisplaytheVirtualMachinePropertiesdialogbox.

4 ClicktheHardwaretab.

5 ClicktheappropriateharddiskinHardwarelist.

Ensure Unauthorized Devices are Not ConnectedBesidesdisablingunnecessaryvirtualdevicesfromwithinthevirtualmachine,youshouldensurethatnodeviceisconnectedtoavirtualmachineifitdoesnotneedtobethere.Forexample,serialandparallelportsarerarelyusedforvirtualmachinesinadatacenterenvironment,andCD/DVDdrivesareusuallyconnectedonlytemporarilyduringsoftwareinstallation.

Forlesscommonlyuseddevices,Table7showsthe.vmxparametersthatspecifywhetherthedeviceisavailableforavirtualmachinetouse.Ifthedeviceisnotneeded,eithertheparametershouldnotbepresentoritsvaluemustbeFALSE.TheparameterslistedinTable7arenotsufficienttoensurethatadeviceisusable,becauseotherparametersareneededtoindicatespecificallyhoweachdeviceisinstantiated.

Prevent Unauthorized Removal or Connection of DevicesNormalusersandprocessesthatisusersandprocesseswithoutrootoradministratorprivilegeswithinvirtualmachineshavethecapabilitytoconnectordisconnectdevices,suchasnetworkadaptersandCDROMdrives.

Table 6. Configuration Setting to Prevent Writing SetInfo Data to Configuration File

Name Value

isolation.tools.setinfo.disable true

Table 7. Configuration Parameters that Specify Certain Devices

Device Configuration file parameter (where is an integer 0 or greater)

Floppydrive floppy.present

Serialport serial.present

Parallelport parallel.present

Copyright 2008 VMware, Inc. All rights reserved. 7

Security Hardening

Forexample,bydefault,arogueuserwithinavirtualmachinecan:

ConnectadisconnectedCDROMdriveandaccesssensitiveinformationonthemedialeftinthedrive

Disconnectanetworkadaptertoisolatethevirtualmachinefromitsnetwork,whichisadenialofservice

Ingeneral,youshouldusethevirtualmachinesettingseditororConfigurationEditortoremoveanyunneededorunusedhardwaredevices.However,youmaywanttousethedeviceagain,soremovingitisnotalwaysagoodsolution.Inthatcase,youcanpreventauserorrunningprocessinthevirtualmachinefromconnectingordisconnectingadevicefromwithintheguestoperatingsystembyaddingtheparametershowninTable8.

Avoid Denial of Service Caused by Virtual Disk Modification OperationsShrinkingavirtualdiskreclaimsunusedspaceinthevirtualdisk.Ifthereisemptyspaceinthedisk,thisprocessreducestheamountofspacethevirtualdiskoccupiesonthehostdrive.Normalusersandprocessesthatisusersandprocesseswithoutrootoradministratorprivilegeswithinvirtualmachineshavethecapabilitytoinvokethisprocedure.However,ifthisisdonerepeatedly,thevirtualdiskcanbecomeunavailable,effectivelycausingadenialofservice.Inmostdatacenterenvironments,diskshrinkingisnotdone,soyoushoulddisablethisfeaturebysettingtheparameterslistedinTable9.

Specify the Guest Operating System CorrectlyChoosingthecorrectguestoperatingsystemintheconfigurationforeachvirtualmachineisimportant.ESXoptimizescertaininternalconfigurationsonthebasisofthischoice.Thecorrectguestoperatingsettingcanaidthechosenoperatingsystemgreatlyandmaycausesignificantperformancedegradationifthereisamismatchbetweenthesettingandtheoperatingsystemactuallyrunninginthevirtualmachine.TheperformancedegradationmaybesimilartorunninganunsupportedoperatingsystemonESX.Choosingthewrongguestoperatingsystemisnotlikelytocauseavirtualmachinetorunincorrectly,butitcoulddegradethevirtualmachinesperformance.

TheparameterthatspecifiestheguestoperatingsystemisguestOS.Verifythatthespecifiedoperatingsystemandmatchestheoperatingsystemactuallyrunninginthevirtualmachine,whichyoucandeterminebycheckingthevirtualmachinedirectly.

Verify Proper File Permissions for Virtual Machine FilesBesurepermissionsforthevirtualmachinesfilesaresetaccordingtotheguidelinesinthissection.Permissionsfortheconfigurationfile(.vmx),shouldberead,write,execute(rwx)forowner,andreadandexecute(r-x)forgroup(755).Permissionsforthevirtualmachinesvirtualdisk(.vmdk)shouldbereadandwrite(rw-)forowner(600).Forallofthesefiles,boththeuserandgroupshouldberoot.

Configuring the Service Console in ESX 3.5Whetheryouuseamanagementclientorthecommandline,allconfigurationtasksforESX3.5areperformedthroughtheserviceconsole,includingconfiguringstorage,controllingaspectsofvirtualmachinebehavior,andsettingupvirtualswitchesorvirtualnetworks.Aswithanintelligentplatformmanagementinterface(IPMI)orserviceprocessoronaphysicalserver,someoneloggedintotheserviceconsolewithprivilegedpermissionshastheabilitytomodify,shutdown,orevendestroyvirtualmachinesonthathost.Thedifferenceisthat,insteadofasinglephysicalserver,thiscanaffectmanyvirtualmachines.AlthoughESX3.5

Table 8. Configuration Setting to Prevent Device Removal or Connection

Name Value

Isolation.tools.connectable.disable true

Table 9. Configuration Settings to Prevent Virtual Disk Shrinking

Name Value

isolation.tools.diskWiper.disable True

isolation.tools.diskShrink.disable True

Copyright 2008 VMware, Inc. All rights reserved. 8

Security Hardening

managementclientsuseauthenticationandencryptiontopreventunauthorizedaccesstotheserviceconsole,otherservicesmightnotofferthesameprotection.Ifattackersgainaccesstotheserviceconsole,theyarefreetoreconfiguremanyattributesoftheESXhost.Forexample,theycouldchangetheentirevirtualswitchconfigurationorchangeauthorizationmethods.BecausetheserviceconsoleisthepointofcontrolforESX,safeguardingitfrommisuseiscrucial.

Configure the Firewall for Maximum SecurityESX3.5includesafirewallbetweentheserviceconsoleandthenetwork.Bydefault,theserviceconsolefirewallisconfiguredatahighsecuritysetting,withbothincomingandoutgoingtrafficblockedbydefaultexceptforalimitedsetofportsusedbyservicesthatareenabled.Thefirewallcontainsalistofknownservicesforwhichtheappropriateincomingandoutgoingportsareknown,anditautomaticallyopensportsforenabledservicesandclosesthemwhenaserviceisdisabled.ThissectionliststheservicesthatareenabledbydefaultwhenyouinstallESX3.5.YoucanseethelistofcurrentlyenabledservicesonanESXhostandtheassociatedportsintheVIClient:

1 Choosethehost.

2 ClicktheConfigurationtab,thenchoosetheSecurityProfileitemundertheSoftwareheading.

3 ClickFirewallProperties.

Itisbesttoleavethedefaultsecurityfirewallsettings,whichblockallincomingandoutgoingtrafficthatisnotassociatedwithanenabledservices,thenusethefirewallsbuiltinserviceregistrytoenableanddisableservices.Ifyouhaveaparticularserviceoragentthatisnotpartofthebuiltinlist,youcanopenindividualportsusingtheserviceconsolecommandesxcfg-firewall.Ifyoudoopenports,makesuretodocumentthechanges,includingthepurposeforopeningeachport.Formoreinformationonhowtousetheesxcfg-firewallcommand,seethesectionChangingtheServiceConsoleSecurityLevelintheESXServer3ConfigurationGuideortypeman esxcfg-firewallonthecommandline.

Limit the Software and Services Running in the Service ConsoleAlthoughtheserviceconsoleisbasedonLinuxandiscapableofrunningmostLinuxbasedsoftware,youshouldavoidrunninganyadditionalsoftwareorservicesinsideitwhereverpossible.Eachadditionalcomponentthatisrunningrepresentsanadditionalattackvectorandalsoincreasesthepotentialformisconfiguration.Foranyservicethatyourunintheserviceconsole,considerwhetheritisreallyneededandwhethertheequivalentfunctionalitycanbeprovidedbyanexternalagentthatcommunicateswiththeESXhostusingthestandardbuiltinAPIs.

TheservicesthatareonbydefaultintheESX3.5serviceconsoleandtheportstheyusearedescribedinTable10.Thesecondcolumnofthetableshowsthestringusedtoidentifytheservicewhenusingtheesxcfg-firewallcommandforexamplewhenrunningesxcfg-firewall --querytoshowthecurrentstatus.Thetablealsoindicateswhenitisappropriatetodisableaservice.Forexample,ifyouarenotusingNFStomountnetworksharesintheserviceconsole,youshoulddisablethisservice.ConfiguretheFirewallforMaximumSecurityonpage 8describeshowtousetheVIClienttoviewwhichservicesareenabled.Youcanusethesamepropertiesdialogboxtodisableservicesaswellasviewthem.Table 10. Default Services in the ESX 3.5 Service Console

Service

Identification in esxcfg-firewall command Port Traffic Type When to disable

CIMServiceLocationProtocol

CIMSLP 427 IncomingandoutgoingUDPandTCP

IfnotusingCIMbasedsoftwareformonitoringormanagement

NFSclient nfsClient 111,2049 OutgoingTCPandUDP

IfnotmountingNFSbasedstorageintheserviceconsole

VMwareConsolidatedBackup

VCB 443,902 OutgoingTCP IfnotusingVCBforbackup

Copyright 2008 VMware, Inc. All rights reserved. 9

Security Hardening

Additionalsoftwarethatmightrunintheserviceconsoleincludesmanagementagentsandbackupagents.Althoughthissoftwaremighthavealegitimatepurpose,themorecomponentsyouhaverunningintheserviceconsole,themorepotentialobjectsaresusceptibletosecurityvulnerabilities.Inaddition,thesecomponentsoftenrequirespecificnetworkportstobeopeninordertofunction,thusfurtherincreasingtheavenuesofattack.

Formoreinformationandrecommendationsonrunningthirdpartysoftwareintheserviceconsole,seehttp://www.vmware.com/vmtn/resources/516.

Use VI Client and VirtualCenter to Administer the Hosts Instead of Service Console

Thebestmeasuretopreventsecurityincidentsintheserviceconsoleistoavoidaccessingitifatallpossible.YoucanperformmanyofthetasksnecessarytoconfigureandmaintaintheESXhostusingtheVIClient,eitherconnecteddirectlytothehostor,betteryet,goingthroughVirtualCenter.TheVIClientcommunicatesusingawelldefinedAPI,whichlimitswhatcanbedone.Thisissaferthandirectexecutionofarbitrarycommands.GoingthroughVirtualCenterhastheaddedbenefitthatauthorizationandauthenticationareperformedviayourstandardcentralActiveDirectoryservice,insteadofusingspeciallocalaccountsintheserviceconsole.Inaddition,rolesandusersarestoredinadatabase,providinganeasywaytoviewthecurrentpermissionsaswellastakeasnapshotofthem.VirtualCenteralsokeepstrackofeverytaskinvokedthroughit,providinganautomaticaudittrail.

Anotheralternativeistousearemotescriptinginterface,suchastheVIPerlToolkitortheremotecommandlineinterface(RemoteCLI).TheseinterfacesarebuiltonthesameAPIthatVIClientandVirtualCenteruse,soanyscriptusingthemautomaticallyenjoysthesamebenefitsofauthentication,authorization,andauditing.

InESX3.5,someadvancedtasks,suchasinitialconfigurationforpasswordpolicies,cannotbeperformedviatheVIClient.Forthesetasks,youmustlogintotheserviceconsole.Also,ifyouloseyourconnectiontothehost,executingcertainofthesecommandsthroughthecommandlineinterfacemaybeyouronlyrecourseforexample,ifthenetworkconnectionfailsandyouarethereforeunabletoconnectusingVIClient.ThesetasksaredescribedinAppendixAoftheESXServer3ConfigurationGuide.

Use a Directory Service for AuthenticationAdvancedconfigurationandtroubleshootingofanESXhostmayrequirelocalprivilegedaccesstotheserviceconsole.Forthesetasks,youshouldsetupindividualhostlocalizeduseraccountsandgroupsforthefewadministratorswithoverallresponsibilityforyourvirtualinfrastructure.Ideally,theseaccountsshouldcorrespondtorealindividualsandnotbeaccountssharedbymultiplepeople.Althoughyoucancreateonthe

CIMoverHTTP CIMHttpServer 5988 IncomingTCP IfnotusingCIMbasedsoftwareformonitoringormanagement

CIMoverHTTPS

CIMHttpsServer 5989 IncomingTCP IfnotusingCIMbasedsoftwareformonitoringormanagement

Licensing LicenseClient 27000,27010 OutgoingTCP Ifusingonlyhostbasedlicensing

SSHServer sshServer 22 IncomingTCP IfallmanagementisdoneviaVirtualCenter,VIClient,orotherremotemeans

VirtualCenterAgent

vpxHeartbeats 902 OutgoingUDP IfnotmanagedbyVirtualCenter

VIAPI n/a 443 IncomingandoutgoingTCP

Mustalwaysbeavailable

Secureaccessredirect

n/a 80 IncomingTCP Mustalwaysbeavailable

Table 10. Default Services in the ESX 3.5 Service Console

Service

Identification in esxcfg-firewall command Port Traffic Type When to disable

Copyright 2008 VMware, Inc. All rights reserved. 10

Security Hardening

serviceconsoleofeachhostlocalaccountsthatcorrespondtoeachglobalaccount,thispresentstheproblemofhavingtomanageusernamesandpasswordsinmultipleplaces.Itismuchbettertouseadirectoryservice,suchasNISorLDAP,todefineandauthenticateusersontheserviceconsole,soyoudonothavetocreatelocaluseraccounts.

Inthedefaultinstallation,ESX3.5cannotuseActiveDirectorytodefineuseraccounts.However,itcanuseActiveDirectorytoauthenticateusers.Inotherwords,youcandefineindividualuseraccountsonthehost,thenusethelocalActiveDirectorydomaintomanagethepasswordsandaccountstatus.Youmustcreatealocalaccountforeachuserthatrequireslocalaccessontheserviceconsole.Thisshouldnotbeseenasaburden;ingeneral,onlyrelativelyfewpeopleshouldhaveaccesstotheserviceconsole,soitisbetterthatthedefaultisfornoonetohaveaccessunlessyouhavecreatedanaccountexplicitlyforthatuser.

Authenticationontheserviceconsoleiscontrolledbythecommandesxcfg-auth.Youcanfindinformationonthiscommandinitsmanpage.Typeman esxcfg-authatthecommandlinewhenloggedintotheserviceconsole.ForinformationonauthenticationwithActiveDirectory,seethetechnicalnoteathttp://www.vmware.com/vmtn/resources/582.

Itisalsopossibletousethirdpartypackages,suchasWinbindorCentrify,toprovidetighterintegrationwithActiveDirectory.Consultthedocumentationforthosesolutionsforguidanceonhowtodeploythemsecurely.

Strictly Control Root PrivilegesBecausetherootuseroftheserviceconsolehasalmostunlimitedcapabilities,securingthisaccountisthemostimportantstepyoucantaketosecuretheESXhost.Bydefault,allinsecureprotocols,suchasFTP,Telnet,andHTTP,aredisabled.RemoteaccessviaSSHisenabled,butnotfortherootaccount.Youcancopyfilesremotelytoandfromtheserviceconsoleusinganscp(securecp)client,suchasWinSCP.

EnablingremoterootaccessoverSSHoranyotherprotocolisnotrecommended,becauseitopensthesystemtonetworkbasedattackshouldsomeoneobtaintherootpassword.Abetterapproachistologinremotelyusingaregularuseraccount,thenusesudotoperformprivilegedcommands.Thesudocommandenhancessecuritybecauseitgrantsrootprivilegesonlyforselectactivities,incontrastwiththesucommand,whichgrantsrootprivilegesforallactivities.Usingsudoalsoprovidessuperioraccountabilitybecauseallsudoactivitiesarelogged,whereasifyouusesu,ESXlogsonlythefactthattheuserswitchedtorootbywayofsu.Thesudocommandalsoprovidesawayforyoutograntorrevokeexecutionrightstocommandsonanasneededbasis.

YoucangoastepfurtheranddisallowrootaccessevenontheconsoleoftheESXhostthatis,whenyouloginusingascreenandkeyboardattachedtotheserveritself,ortoaremotesessionattachedtotheserversconsole.Thisapproachforcesanyonewhowantstoaccessthesystemtofirstloginusingaregularuseraccount,thenusesudoorsutoperformtasks.Ideally,onlyalimitedsetofindividualsneedpermissiontorunsuinordertoperformarbitraryadministrativetasks.Ifyoudecidetodisallowrootloginontheconsole,youshouldfirstcreateanonprivilegedaccountonthehosttoenablelogins,otherwiseyoucouldfindyourselflockedoutofthehost.Thisnonprivilegedaccountshouldbealocalaccountthatis,onethatdoesnotrequireremoteauthenticationsothatifthenetworkconnectiontothedirectoryserviceislost,accesstothehostisstillpossible.Youcanassurethisaccessbydefiningalocalpasswordforthisaccount,usingthepasswdcommand.Thelocalpasswordoverridesauthenticationviadirectoryservices(asdiscussedintheprevioussection).Theneteffectisthatadministratorscancontinuetoaccessthesystem,buttheyneverhavetologinasroot.Instead,theyusesudotoperformparticulartasksorsutoperformarbitrarycommands.

Topreventdirectrootloginontheconsole,modifythefile/etc/securettytobeempty.Whileloggedinasroot,enterthefollowingcommand:

cat /dev/null > /etc/securetty

Afteryoudothis,onlynonprivilegedaccountsareallowedtologinattheconsole.Notethatthisalsocandisableremoteconsolecapabilities,suchasiLOandDRAC.

Copyright 2008 VMware, Inc. All rights reserved. 11

Security Hardening

Control Access to Privileged CapabilitiesBecausesuissuchapowerfulcommand,youshouldlimitaccesstoit.Bydefault,onlyusersthataremembersofthewheelgroupintheserviceconsolehavepermissiontorunsu.Ifauserattemptstorunsu -togainrootprivilegesandthatuserisnotamemberofthewheelgroup,thesu -attemptfailsandtheeventislogged.

Besidescontrollingwhohasaccesstothesucommand,throughthepluggableauthenticationmodule(PAM)infrastructure,youcanspecifywhattypeofauthenticationisrequiredtosuccessfullyexecutethecommand.Inthecaseofthesucommand,therelevantPAMconfigurationfileis/etc/pam.d/su.Toallowonlymembersofthewheelgrouptoexecutethesucommand,andthenonlyafterauthenticatingwithapassword,findthelinebeginningwithauth requiredandremovetheleadingpoundsign(#)soitreads:

auth required /lib/security/$ISA/pam_wheel.so use_uid

Thesudoutilityshouldbeusedtocontrolwhatprivilegedcommandsuserscanrunwhileloggedintotheserviceconsole.Amongthecommandsyoushouldregulatearealloftheesxcfg-*commandsaswellasthosethatconfigurenetworkingandotherhardwareontheESXhost.Youshoulddecidewhatsetofcommandsshouldbeavailabletomorejunioradministratorsandwhatcommandsyoushouldallowonlysenioradministratorstoexecute.Youcanalsousesudotorestrictaccesstothesucommand.

Usethefollowingtipstohelpyouconfiguresudo:

Configurelocalandremotesudologging(seeMaintainProperLoggingonpage 12).

Createaspecialgroup,suchasvi_admins,andallowonlymembersofthatgrouptousesudo.

Usesudoaliasestodeterminetheauthorizationscheme,thenaddandremoveusersinthealiasdefinitionsinsteadofinthecommandsspecification.

Becarefultopermitonlytheminimumnecessaryoperationstoeachuserandalias.Permitveryfewuserstorunthesucommand,becausesuopensashellthathasfullrootprivilegesbutisnotauditable.

Ifyouhaveconfiguredauthenticationusingadirectoryservice,sudousesitbydefaultforitsownauthentication.Thisbehavioriscontrolledbythe/etc/pam.d/sudofile,onthelineforauth.Thedefaultsettingservice=system-authtellssudotousewhateverauthenticationschemehasbeensetgloballyusingtheesxcfg-authcommand.

Requireuserstoentertheirownpasswordswhenperformingoperations.Thisisthedefaultsetting.Donotrequiretherootpassword,becausethispresentsasecurityrisk,anddonotdisablepasswordchecking.Insudotheauthenticationpersistsforabriefperiodoftimebeforesudoasksforapasswordagain.

Forfurtherinformationandguidelinesforusingsudo,seehttp://www.gratisoft.us/sudo/.

Establish a Password Policy for Local User AccountsForanylocaluseraccounts,theserviceconsoleprovidespasswordcontrolsontwolevelstohelpyouenforcepasswordpoliciestolimittheriskofpasswordcracking:

PasswordagingThesecontrolsgovernhowlongauserpasswordcanbeactivebeforetheuserisrequiredtochangeit.Theyhelpensurethatpasswordschangeoftenenoughthatifanattackerobtainsapasswordthroughsniffingorsocialengineering,theattackercannotcontinuetoaccesstheESXhostindefinitely.

PasswordcomplexityThesecontrolsensurethatuserscreatepasswordsthatarehardforpasswordgeneratorstodetermine.Insteadofusingwords,acommontechniqueforensuringpasswordcomplexityistouseamemorablephrase,thenderiveapasswordfromitforexample,byusingthefirstletterofeachword.

BothofthesepoliciesaredescribedinthesectionPasswordRestrictionsintheESXServer3ConfigurationGuide.

Thedefaultpam_cracklib.sopluginprovidessufficientpasswordstrengthenforcementformostenvironments.However,ifthepam_cracklib.sopluginisnotstringentenoughforyourneeds,youcanusethepam_passwdqc.soplugininstead.Youchangethepluginusingtheesxcfg-authcommand.

Copyright 2008 VMware, Inc. All rights reserved. 12

Security Hardening

Forfurtherprotection,youcanenforceaccountlockoutaftertoomanyunsuccessfulloginattempts.ToconfiguretheESXserviceconsoletodisabletheaccountafterthreeunsuccessfulloginattempts,addthefollowinglinesto/etc/pam.d/system-auth:

auth required /lib/security/pam_tally.so no_magic_rootaccount required /lib/security/pam_tally.so deny=3no_magic_root

Tocreatethefileforloggingfailedloginattempts,executethefollowingcommands:

touch /var/log/faillogchown root:root /var/log/faillogchmod 600 /var/log/faillog

Do Not Manage the Service Console as a Linux HostTheserviceconsoleisgeneratedfromaRedHatLinuxdistributionthathasbeenmodifiedtoprovideexactlythefunctionalitynecessarytocommunicatewithandallowmanagementoftheVMkernel.AnyadditionalsoftwareinstalledshouldnotmakeassumptionsaboutwhatRPMpackagesarepresent,northatthesoftwarecanmodifythem.Inseveralcases,thepackagesthatdoexisthavebeenmodifiedespeciallyforESX.

ItisparticularlyimportantthatyounottreattheserviceconsolelikeaLinuxhostwhenitcomestopatching.NeverapplypatchesissuedbyRedHatoranyotherthirdpartyvendor.ApplyonlypatchesthatarepublishedbyVMwarespecificallyfortheversionsofESXthatyouhaveinuse.Thesearepublishedfordownloadperiodically,aswellasonanasneededbasisforsecurityfixes.Youcanreceivenotificationsforsecurityrelatedpatchesbysigningupforemailnotificationsathttp://www.vmware.com/security.

Similarly,youshouldneveruseascannertoanalyzethesecurityoftheserviceconsoleunlessthescannerisspecificallydesignedtoworkwithyourversionofESX.Inparticular,scannersthatassumetheserviceconsoleisastandardRedHatLinuxdistributionroutinelyyieldfalsepositives.Thesescannerstypicallylookonlyforstringsinthenamesofsoftware,andthereforedonotaccountforthefactthatVMwarereleasescustomversionsofpackageswithspecialnameswhenprovidingsecurityfixes.Becausethesespecialnamesareunknowntothescanners,theyflagthemasvulnerabilitieswheninrealitytheyarenot.YoushoulduseonlyscannersthatspecificallytreattheESXserviceconsoleasauniquetarget.Formoreinformation,seethesectionSecurityPatchesandSecurityVulnerabilityScanningSoftwareinthechapterServiceConsoleSecurityoftheESXServer3ConfigurationGuide.

Inaddition,youshouldnotmanagetheserviceconsoleasifitwereatraditionalLinuxhost.Theusualredhat-config-*commandsarenotpresent,norareothercomponentssuchastheXserver.Instead,youmanagetheESXhostusingaseriesofpurposebuiltcommands,suchasvmkfstoolsandtheesxcfg-*commands.ManyofthesecommandsshouldbeusedonlyuponinstructionfromVMwareTechnicalSupport,ornotinvokedmanuallyatall,butafewprovidefunctionalitythatisnotavailableviatheVIClient,suchasauthenticationmanagementandadvancedstorageconfiguration.

Ifyoufollowthebestpracticeofisolatingthenetworkfortheserviceconsole,thereisnoreasontorunanyantivirusorothersuchsecurityagents,andtheiruseisnotnecessarilyrecommended.However,ifyourenvironmentrequiresthatsuchagentsbeused,useaversiondesignedtorunonRedHatEnterpriseLinux3,Update6.

Formoreinformationonthespecialadministrativecommandsintheserviceconsole,seeESXTechnicalSupportCommandsandUsingvmkfstoolsintheappendicesoftheESXServer3ConfigurationGuide.

Maintain Proper LoggingProperandthoroughloggingallowsyoutokeeptrackofanyunusualactivitythatmightbeaprecursortoanattackandalsoallowsyoutodoapostmortemonanycompromisedsystemsandlearnhowtopreventattacksfromhappeninginthefuture.

Copyright 2008 VMware, Inc. All rights reserved. 13

Security Hardening

ThesyslogdaemonperformsthesystemlogginginESX.Youcanaccessthelogfilesintheserviceconsolebygoingtothe/var/log/directory.SeveraltypesoflogfilesgeneratedbyESXareshowninTable11.

Thelogfilesprovideanimportanttoolfordiagnosingsecuritybreachesaswellasothersystemissues.Theyalsoprovidekeysourcesofauditinformation.Inadditiontostoringloginformationinfilesonthelocalfilesystem,youcansendthisloginformationtoaremotesystem.Thesyslogprogramistypicallyusedforcomputersystemmanagementandsecurityauditing,anditcanservethesepurposeswellforESXhosts.Youcanselectindividualserviceconsolecomponentsforwhichyouwantthelogssenttoaremotesystem.

Thefollowingtipsprovidebestpracticesforlogging:

Ensureaccuratetimekeeping.

Byensuringthatallsystemsusethesamerelativetimesource(includingtherelevantlocalizationoffset),andthattherelativetimesourcecanbecorrelatedtoanagreedupontimestandard(suchasCoordinatedUniversalTimeUTC),youcanmakeitsimplertotrackandcorrelateanintrudersactionswhenreviewingtherelevantlogfiles.Intheserviceconsole,yousetthetimesourceusingtheNTP(NetworkTimeProtocol)system.ForinstructionsonhowtoconfigureNTP,seeVMwareknowledgebasearticle1339(http://kb.vmware.com/kb/1339).

Controlgrowthoflogfiles.

Inordertopreventthelogfilefromfillingupthediskpartitiononwhichitresides,configurelogfilerotation.Thisautomaticallycreatesabackupofthelogfileafteritreachesacertainspecifiedsizeandkeepsonlyaspecifiednumberofolderbackupfilesbeforeautomaticallydeletingthem,thuslimitingthetotaldiskusageforlogging.Thelogrotationbehaviorisspecifiedforeachcomponentinconfigurationfileslocatedinthedirectory/etc/logrotate.daswellasinthefile/etc/logrotate.conf.

Forthethreefilesin/etc/logrotate.dvmkernel,vmksummary,andvmkwarningitisrecommendthattheconfigurationbemodifiedto:

Increasethesizeofthelogfileto4096k.

Enablecompressionbysettingthelinecompressinsteadofnocompress.

Table 11. Key Log Files Generated by ESX

Component Location Purpose

Vmkernel /var/log/vmkernel RecordsactivitiesrelatedtothevirtualmachinesandESX

VMkernelwarnings /var/log/vmkwarning Recordsactivitieswiththevirtualmachines

VMkernelsummary /var/log/vmksummary UsedtodetermineuptimeandavailabilitystatisticsforESX;humanreadablesummaryfoundin/var/log/vmksummary.txt

ESXhostagentlog /var/log/vmware/hostd.log ContainsinformationontheagentthatmanagesandconfigurestheESXhostanditsvirtualmachines

Virtualmachines Thesamedirectoryastheaffectedvirtualmachinesconfigurationfiles;namedvmware.logandvmware-*.log

Containinformationwhenavirtualmachinecrashesorendsabnormally

VirtualCenteragent /var/log/vmware/vpx ContainsinformationontheagentthatcommunicateswithVirtualCenter

Webaccess Filesin/var/log/vmware/webAccess RecordsinformationonWebbasedaccesstoESX

Serviceconsole /var/log/messages ContainallgenerallogmessagesusedtotroubleshootvirtualmachinesorESX

Authenticationlog /var/log/secure Containsrecordsofconnectionsthatrequireauthentication,suchasVMwaredaemonsandactionsinitiatedbythexinetddaemon.

Copyright 2008 VMware, Inc. All rights reserved. 14

Security Hardening

Thisallowsgreaterlogginginthesamefilesystemspace.Formoreinformationonconfiguringlogfilerotation,seeman logrotate.

Useremotesysloglogging.

Remoteloggingtoacentralhostprovidesawaytogreatlyincreaseadministrationcapabilities.Bygatheringlogfilesontoacentralhost,youcaneasilymonitorallhostswithasingletoolaswellasdoaggregateanalysisandsearchingtolookforsuchthingsascoordinatedattacksonmultiplehosts.

Animportantpointtoconsideristhatthelogmessagesarenotencryptedwhensenttotheremotehost,soitisimportantthatthenetworkfortheserviceconsolebestrictlyisolatedfromothernetworks.

Syslogbehavioriscontrolledbytheconfigurationfile/etc/syslog.conf.Forlogsyouwanttosendtoaremoteloghost,addalinewith@afterthemessagetype,whereisthenameofahostconfiguredtorecordremotelogfiles.Makesurethatthishostnamecanbeproperlyresolved,puttinganentryinthenameservicemapsifneeded.

Example:

local6.warning @

Aftermodifyingthefile,tellthesyslogdaemontorereaditbyissuingthefollowingcommand:

kill -SIGHUP `cat /var/run/syslogd.pid`

Displaydifferentloglevelmessagesondifferentscreens.

Anoptionforsyslogistologtoanalternateconsole,whichcanbedisplayedfromtheterminaloftheESXhost.ESXhasthecapabilityattheconsoletodisplayanumberofvirtualterminals.Thisgivesyouthecapabilitytohavecritical,error,andwarningmessagesdisplayedondifferentscreens,enablingyoutoquicklydifferentiatetypesoferrors.

Toenablethisseparationoflogmessagedisplay,addthefollowinglinestothe/etc/syslog.conffile:

*.crit /dev/tty2

Alllogitemsatthecriticallevelorhigherareloggedtothevirtualterminalattty2.PressAltF2attheESXconsoletoviewtheselogs.

*.err /dev/tty3

Alllogitemsattheerrorlevelorhigherareloggedtothevirtualterminalattty3.PressAltF3attheESXconsoletoviewtheselogs

*.warning /dev/tty4

Alllogitemsatthewarninglevelorhigherareloggedtothevirtualterminalattty4.PressAltF4attheESXServerconsoletoviewtheselogs.

Whenyouarefinished,issuethecommandforrereadingtheconfigurationfile:

kill -SIGHUP `cat /var/run/syslogd.pid`

Uselocalandremotesudologging.

Ifyouhaveconfiguredsudotoenablecontrolledexecutionofprivilegedcommands,youcanbenefitfromusingsyslogtoaudituseofthesecommands.Bydefault,allinvocationsofsudoareloggedto/var/log/secure.Bymodifyingthelinecontainingthisfilenameinthesyslogconfigurationfileasdescribedabove,youcanhavealltheselogmessagesalsosenttoaremotesyslogserver.

Establish and Maintain File System IntegrityTheserviceconsolehasanumberoffilesthatspecifyitsconfigurations:

/etc/profile

/etc/ssh/sshd_config

/etc/pam.d/system-auth

Copyright 2008 VMware, Inc. All rights reserved. 15

Security Hardening

/etc/grub.conf

/etc/krb.conf

/etc/krb5.conf

/etc/krb.realms

/etc/login.defs

/etc/openldap/ldap.conf

/etc/nscd.conf

/etc/ntp

/etc/ntp.conf

/etc/passwd

/etc/group

/etc/nsswitch.conf

/etc/resolv.conf

/etc/sudoers

/etc/shadow

Inaddition,ESXconfigurationfileslocatedinthe/etc/vmwaredirectorystorealltheVMkernelinformation.

Allofthesefilesshouldbemonitoredforintegrityandunauthorizedtampering,usingacommercialtoolsuchasTripwireorConfiguresoft,orbyusingachecksumtoolsuchassha1sum,whichisincludedintheserviceconsole.Thesefilesshouldalsobebackedupregularly,eitherusingbackupagentsorbydoingbackupsbasedonfilecopying.NotallofthesefilesareactuallyusedbyyourparticularESXdeployment,butallthefilesarelistedforcompleteness.

Anotherchecktoperformistomakesurethatthefilepermissionsofimportantfilesandutilitycommandshavenotbeenchangedfromthedefault.Somefilesinparticulartocheckinclude:

The/usr/sbin/esxcfg-*commands,whichareallinstalledbydefaultwithpermissions500,exceptforesxcfg-authwhichhaspermissions544.

Thelogfilesdiscussedintheprevioussection,whichallhavepermissions600,exceptforthedirectory/var/log/vmware/webAccess,whichhaspermissions755,andthevirtualmachinelogfiles,whichhavepermissions644.

CertainsystemcommandsthathavetheSUIDbit.ThesecommandsarelistedinTable123oftheESXServer3ConfigurationGuide.

Forallofthesefiles,theuserandgroupownershouldberoot.

Secure the SNMP ConfigurationESX3.5providesanSNMPagenttomonitorfaultsandsystemstatus.ItsupportsSNMPversions1,2c,and3.WhenanSNMPagentisenabledinESX,networkmanagementtoolscanlistenfornotificationsorpollforstatusinformationabouttheconfigurationofvirtualmachinesandthestateofthenetwork,CPU,disk,andinstalledsoftware.

ItisrecommendedthatyouconfigureESX3.5touseSNMPversion3,whichprovidesforauthenticationandprivacyofmessagesbetweentheagentandmanagementstation.Consultthesnmpd.confmanpageformoreinformationonconfiguringSNMP.

Copyright 2008 VMware, Inc. All rights reserved. 16

Security Hardening

Protect against the Root File System Filling UpWhenyouinstallESX3.5,youshouldaccepttherecommendeddiskpartitioningforthemosteffectiveinstallation.Ifyouchoosetopartitionthediskmanually,youshouldensurethatyouhavecreatedseparatepartitionsforthedirectories/home,/tmp,and/var/log.Thesearealldirectoriesthathavethepotentialtofillup,andiftheyarenotisolatedfromtherootpartition,youcouldexperienceadenialofserviceiftherootpartitionisfullandunabletoacceptanymorewrites.DatastorePartitioning,anappendixoftheInstallationandUpgradeGuide,coversdiskpartitionsinmoredetail.

Disable Automatic Mounting of USB DevicesExternalUSBdrivescanbeconnectedtotheESXhostandbeloadedautomaticallyontheserviceconsole.TheUSBdrivemustbemountedbeforeyoucanuseit,butdriversareloadedtorecognizethedevice.MalicioususersmaybeabletorunmaliciouscodeontheESXhostandgoundetectedbecausetheUSBdriveisexternal.Bydefault,automaticUSBdrivemountingisenabled,butitisrecommendedthatyoudisablethisfeaturebyeditingtheserviceconsolefile/etc/modules.confandcommentingoutthelinecontainingalias usb-controllerbyplacingapoundsign(#)atthebeginning.

Configuring Host-level Management in ESXi 3.5EventhoughESXi3.5doesnotshipwithaserviceconsole,therearesomeaspectsofhostlevelmanagementthatyoucanconfigureandmonitor.SomeoftheseoptionsarenewtotheESXiarchitecture,andsomeareanalogoustooptionsavailableinESX3.5.

Strictly Control Root PrivilegesYoumightwanttoavoidmanagingESXihostsdirectly,butinsteadprefertorequirethatallmanagementbedonethroughVirtualCenter.Thisenforcestheuseofacentralauthenticationmodel(typicallyActiveDirectory)andallowspermissionstobesetglobally.Italsoallowsalltaskstobeloggedinoneplace,theVirtualCenterdatabase,whichmakesauditingeasier.

LockdownmodeisavailableonanyESXi3.5hostthatyouhaveaddedtoaVirtualCenterServer.EnablinglockdownmodedisablesallremoterootaccesstoESXi3.5machines.Anysubsequentlocalchangestothehostmustbemade:

InaVIClientsessionorusingRemoteCLIcommandstoVirtualCenter.

InaVIClientsessionorusingRemoteCLIcommandsdirecttotheESXi3.5systemusingalocaluseraccountdefinedonthehost.Bydefault,nolocaluseraccountsexistontheESXisystem.YoumustcreatethoseaccountsbeforeenablinglockdownmodeandmustcreatetheminaVIClientsessionconnecteddirectlytotheESXisystem.Changestoahostarelimitedtothosethatcanbemadewiththeprivilegesgrantedtoaparticularuserlocallyonthathost.

ItisrecommendedthatyouenablelockdownmodeforyourESXi3.5hosts.YoucanenableanddisablelockdownmodeeitherusingaVIClientloggedintoVirtualCenterorusingthedirectconsoleuserinterface(DCUI).Fordetailsonhowtodothis,seethechapterSecurityDeploymentsandRecommendationsintheESXServer3iConfigurationGuide.

Control Access to Privileged CapabilitiesIdeally,youmanageuserswhoaccesstheESXi3.5systemwiththeusermanagementfeaturesofVirtualCenter.Incertaincases,however,youneedtomanageahostdirectlyforexample:

YouhavenotpurchasedVirtualCenterperhapsbecauseyouarejuststartingoutwithESXiorbecauseyouhaveaverysmalldeployment

YouwanttoprovideforadministrativeaccesstothesystemincaseVirtualCenterisdownorotherwiseunavailable,oriftheVirtualCenteragentonthehostisnotworkingproperly

YouneedtouseRemoteCLIcommands,suchasthoseforbackingupandrestoringtheconfigurationofthesystem,thatmustberundirectlyonthehost,notthroughVirtualCenter

Copyright 2008 VMware, Inc. All rights reserved. 17

Security Hardening

Securitybestpracticesdictatethattherootpasswordshouldbeknowntoasfewindividualsaspossible,andtherootaccountshouldnotbeusedifanyalternativeispossible,becauseitisananonymousaccountandactivitybytherootusercannotbedefinitivelyassociatedwithaspecificindividual.Therootpasswordisinitiallyblank,sooneofyourfirststepsinconfiguringtheservershouldbetocreateastrongpasswordfortherootaccount.

ESXi3.5allowsyoutocreatelocalusersandgroupsonthesystem.DefinitionsfortheseusersandgroupsarestoredlocallyoneachindividualESXihost,andthedefinitionsforeachhostaretotallyindependentofotherhosts.YoucannotuseActiveDirectoryoranyotherdirectoryservicetoidentifyorauthenticatethelocalusers.Furthermore,theuserandgrouplistsmaintainedbyVirtualCenterarecompletelyseparatefromthelistsmaintainedbyESXihosts.EvenifthelistsmaintainedbyahostandVirtualCenterappeartohavecommonusers(forinstance,ausercalleddevuser),youmusttreattheseusersasseparateuserswhohappentohavethesamename.TheattributesofdevuserinVirtualCenter,includingpermissionsandpasswords,areseparatefromtheattributesofdevuserontheESXihost.IfyoulogontoVirtualCenterasdevuser,youmighthavepermissiontoviewanddeletefilesfromadatastore,whereasifyoulogontoanESXihostasdevuser,youmightnot.

Becauseoftheconfusionthatduplicatenamingcancause,VMwarerecommendsthatyouchecktheVirtualCenteruserlistbeforeyoucreateESXihostuserssoyoucanavoidcreatinghostusersthathavethesamenamesasVirtualCenterusers.TocheckforVirtualCenterusers,reviewtheWindowsdomainlist.

Youcangrantvariouslevelsofpermissionstolocalusers.TheprivilegemodelforanESXihostmirrorsthatofVirtualCenter,exceptitlacksobjectssuchasdatacentersandclusters,whichhavenomeaningforanindividualhost.Youcancreatecustomrolesthatgrantspecificprivileges,thenassignthemtocertainusers.Theseprivilegesaffectwhataparticularusercando,bothinaVIClientandusingtheRemoteCLI.Youshouldcreateadifferentlocaluseraccountforanypersonwhomightneeddirectaccesstothehostandgrantthatuserparticularprivilegestolimittheuserscapabilities.Youcanuselocalgroupdefinitionstosimplifythisassignment.

Oneparticularbuiltinlocalgrouphasspecialmeaning.Ifyougiveausermembershipinthelocaladmingroup,thatuserhastheabilitytologintotheDCUI,whichistheinterfaceavailableattheconsoleofanESXihostthatallowsforbasichostconfigurationmodifyingnetworkingsettingsandtherootpassword,forexample.AssignmenttothisgroupenablesanadministrativeusertoperformtasksontheDCUIwithoutlogginginasroot.However,thisisaverypowerfulprivilege,becauseaccesstotheDCUIallowssomeonetochangetherootpasswordorevenpoweroffthehost.Therefore,onlythemosttrustedadministratorsshouldbegrantedmembershiptothelocaladmingroup.

FormoreinformationonlocalusersandprivilegesinESXi,seethechapterAuthenticationandUserManagementintheServer3iConfigurationGuide.

Maintain Proper LoggingESXi3.5maintainsalogofactivityinlogfiles.Itusesasyslogfacility,justasESX3.5does.However,ESXimaintainsasmallernumberoflogfiles.Thefollowinglogsareavailable:

hostd.log

messages

vpxa.log(onlyifthehosthasbeedjoinedtoaVirtualCenterinstance)

Thereareseveralwaystoviewthecontentsoftheselogfiles.

ToviewthelogsinaVIClient,takethefollowingsteps:

1 LogindirectlytotheESXihostusingVIClientandmakesurethehostisselectedintheInventory.

2 ClickAdministration,thenclicktheSystemLogstab.

3 Choosethelogfileyouwanttoviewinthedropdownmenuintheupperleft.

ToviewthelogsinaWebbrowser,entertheURLhttps:///host,whereisthehostnameorIPaddressofthemanagementinterfaceoftheESXihost,thenchoosefromthelistoffilespresented.

Copyright 2008 VMware, Inc. All rights reserved. 18

Security Hardening

YoucanusetheRemoteCLIcommandvifstodownloadthelogfilestoyourlocalsystem.

Youcanalsoconfiguresyslogtosendlogmessagestoaremotesystem.

AswithESX3.5,youshouldconfigureNTPonthehosttoensureaccuratetimekeeping.

YoucanfindmoreinformationonconfiguringsyslogandNTPforESXihostsinthefollowingdocuments:

TheSystemLogFilesandHostConfigurationforESXServerandVirtualCentersectionsoftheSystemConfigurationchapterintheBasicSystemAdministrationGuide.

TheappendixRemoteCommandLineInterfaceReferenceintheESXServer3iConfigurationGuide.

Establish and Maintain Configuration File IntegrityAswithESX,ESXimaintainsitsconfigurationstateinasetofconfigurationfiles.However,onESXithesefilescanbeaccessedonlyusingtheremotefileaccessAPI,andtherearefarfewerfilesinvolved.Thesefilesnormallyarenotmodifieddirectly.Instead,theircontentsnormallychangeindirectlybecauseofsomeactioninvokedonthehost.However,thefileaccessAPIdoesallowfordirectmodificationofthesefiles,andsomemodificationsmightbewarrantedinspecialcircumstances.Therefore,youshouldmonitorallofthesefilesforintegrityandunauthorizedtampering,eitherbyperiodicallydownloadingthemandtrackingtheircontentsorbyusingacommercialtooldesignedtodothis.TheaccessibleandrelevantconfigurationfilesinESXi3.5are:

esx.conf

hostAgentConfig.xml

hosts

license.cfg

motd

openwsman.conf

proxy.xml

snmp.xml

ssl_cert

ssl_key

syslog.conf

vmware_config

vmware_configrules

vmware.lic

vpxa.cfg

ToviewtheconfigurationfilesinaWebbrowser,entertheURLhttps:///hostwhereisthehostnameorIPaddressofthemanagementinterfaceoftheESXihost,thenchoosefromthelistoffilespresented.

YoucanusetheRemoteCLIcommandvifstodownloadtheconfigurationfilestoyourlocalsystem,aswellastouploadnewversionsofthesefiles.Althoughinsomecasesthenewsettingstakeeffectimmediately,youshouldalwaysrestarttheESXhostaftermakingchangesdirectlytotheconfigurationfiles(asopposedtomakingconfigurationchangesviatheVIClient,VirtualCenter,ortheRemoteCLI).

Copyright 2008 VMware, Inc. All rights reserved. 19

Security Hardening

Secure the SNMP ConfigurationESXi3.5containsadifferentSNMPagentfromthatinESX3.5,anditsupportsonlyversions1and2c.ItprovidesthesamenotificationsasESX3.5andaddsnotificationsforhardwarerelatedsensors.UnlikeESX3.5,itsupportsonlytheSNMPv2MIBandsupportsitonlyfordiscovery,inventory,anddiagnosticsoftheSNMPagent.

SNMPmessagescontainafieldcalledthecommunitystring,whichconveyscontextandusuallyidentifiesthesendingsystemfornotifications.ThisfieldalsoprovidescontextfortheinstanceofaMIBmoduleonwhichthehostshouldreturninformation.ESX/ESXiSNMPagentsallowmultiplecommunitystringspernotificationtargetaswellasforpolling.Keepinmindthatcommunitystringsarenotmeanttofunctionaspasswords,butonlyasamethodforlogicalseparation.

SNMPv1andv2ctrafficisnotencrypted,whichmeansthatmessagescanbesnooped,andtheycouldbemodifiedinflightwithoutthereceiverknowingaboutit.Waystomitigatethisriskinclude:

RunSNMPontrustednetworks,useroutingandlayer2filteringtolockdownMACaddressestolayer2ports,androuteSNMPtraffictotrustedservers.

RunSNMPinaVPN/IPsectunnelonyouredgeroutersforSNMPtraffic.

Ensure Secure Access to CIMTheCommonInformationModel(CIM)systemprovidesaninterfacethatenableshardwarelevelmanagementfromremoteapplicationsviaasetofstandardAPIs.ToensurethattheCIMinterfaceissecure,followtheserecommendations:

DonotproviderootcredentialstoremoteapplicationstoaccesstheCIMinterface.Instead,createaserviceaccountspecifictotheseapplications.ReadonlyaccesstoCIMinformationisgrantedtoanylocalaccountdefinedontheESXisystem.

IftheapplicationrequireswriteaccesstotheCIMinterface,onlytwolocalprivilegesarerequired.Itisrecommendedthatyoucreatealocalroletoapplytotheserviceaccountwithonlytheseprivileges:

Host>Config>SystemManagement

Host>CIM>CIMInteraction

Audit or Disable Technical Support ModeESXihasaspecialtechnicalsupportmode,whichisaninteractivecommandlineavailableonlyontheconsoleoftheserver.TechnicalsupportmodeisunsupportedunlessusedinconsultationwithVMwareTechnicalSupportandmustbeactivatedbeforeitcanbeused.Accesstothismoderequirestherootpasswordoftheserverinadditiontoaccesstotheconsoleoftheserver,eitherphysicallyorthrougharemoteKVMoriLOinterface.

Technicalsupportmodeisdesignedtobeusedonlyincasesofemergency,whenmanagementagentsthatprovidetheremoteinterfacesareinoperableandtheycannotberestartedthroughtheDCUI.Thereisnoreasontousetechnicalsupportmodeforanyotherpurposeapartfromtechnicalsupport.Technicalsupportmodeisonbydefault,butyoucandisableitentirely.

Technicalsupportmodeissecuredinthefollowingways:

Itisaccessibleonlyonthelocalconsole;unlikeSSHorTelnet,itcannotbeaccessedremotely.Thus,physicalaccesstothehostorsomethingequivalenttophysicalaccess,suchasHPILO,DellDRAC,IBMRSA,orasimilarremoteconsoletoolisabsolutelyrequiredforaccesstotechnicalsupportmode.Mostorganizationshavesufficientformsofprotectiononphysical(orphysicalequivalent)accesstothehost(forexample,doorlocks,keycards,andauthenticationfortheremoteconsole).

Itrequirestherootpasswordbeforeaccessisgranted.Anyindividualswhohavebothphysical(orconsole)accessandtherootpasswordarealreadyfullyprivilegedandcandoanythingtheywantonthesystem.Thepresenceoftechnicalsupportmodedoesnotaugmentorreducethisrisk.

Copyright 2008 VMware, Inc. All rights reserved. 20

Security Hardening

Youcanaudittechnicalsupportmodeusingthefollowinginformation:

Wheneversomeoneactivatestechnicalsupportmode,thetimeanddateofactivationaresenttothesystemlogmessagesfile.

Allunsuccessfulattemptstoaccesstechnicalsupportmode(thatis,someoneenterstheincorrectrootpassword)arerecordedinthesystemlog.

Thetimeanddateofallsuccessfulaccessestotechnicalsupportmodearesenttothesystemlog

Toensureaccurateandreliablesystemlogs,youshouldconfigureremotesyslogontheserver,sologmessagesarekeptonanoutsidesystemandcannotbealteredfromtheserver.Actionsperformedwhileintechnicalsupportmodearenotlogged.AnyaccesstotechnicalsupportmodeshouldbecorrelatedwithaspecificcalltoVMwareTechnicalSupport.Ifthereisnocorrespondingsupportsession,youshouldimmediatelysuspectmaliciousactivityandinspectthesystemfortampering.

Ifyouareunabletoaudittechnicalsupportmodetoadegreethatmatchesyoursecurityriskposture,youshoulddisableitforallofyourESXihosts.Fordetailsondisablingtechnicalsupportmode,seeVMwareknowledgebasearticle1003677(http://kb.vmware.com/kb/1003677).

Configuring the ESX/ESXi HostThefollowingrecommendationsapplytothewaytheESX/ESXihostitselfisconfigured.Manyoftherecommendationsapplytotheconfigurationofthenetworkstowhichvirtualmachinesareattached,becausemostsecurityattacksoccurthroughnetworkconnections.OtherspertaintotheoperationoftheESX/ESXisoftwareitself.

Isolate the Infrastructure-related NetworksSeveralcapabilitiesofVMwareInfrastructureinvolvecommunicationamongcomponentsoveranetwork.

Management.Thisincludesthefollowingtypesofcommunication:

BetweenESX/ESXiandVirtualCenter

AmongstESX/ESXihostsforexample,forVMwareHighAvailabilitycoordination

BetweenESX/ESXiorVirtualCenterandsystemsrunningclientsoftwaresuchastheVIClientoraVISDKapplication

BetweenESX/ESXiandancillarymanagementservices,suchasDNS,NTP,syslog,andtheuserauthenticationservice

BetweenESX/ESXiandthirdpartymanagementtools,suchashardwaremonitoring,systemsmanagement,andbackuptools

BetweenVirtualCenterandsupportingservices,suchastheVirtualCenterdatabaseandtheuserauthenticationservice

BetweenVirtualCenterandoptionaladdoncomponentssuchasVMwareUpdateManagerandVMwareConverterEnterprise,iftheyareinstalledonseparateservers

VMotion.ThisinvolvestransferringtheliverunningstateofavirtualmachinefromoneESX/ESXihosttoanother.

Storage.Thisincludesanynetworkbasedstorage,suchasiSCSIandNFS.

AllofthenetworksusedforthesecommunicationsprovidedirectaccesstocorefunctionalityofVMwareInfrastructure,ThemanagementnetworkprovidesaccesstotheVMwareInfrastructuremanagementinterfaceoneachcomponent,andanyremoteattackwouldmostlikelybeginwithgainingentrytothisnetwork.VMotiontrafficisnotencrypted,sotheentirestateofavirtualmachinecouldpotentiallybesnoopedfromthisnetwork.Finally,accesstothestoragenetworkpotentiallyallowssomeonetoreadthecontentsof

Copyright 2008 VMware, Inc. All rights reserved. 21

Security Hardening

virtualdisksresidingonsharedstorage.Therefore,allofthesenetworksshouldbeisolatedandstronglysecuredfromallothertraffic,especiallyanytrafficgoingtoandfromvirtualmachines.Theexceptionisifoneofthecomponentslistedaboveactuallyrunsinavirtualmachine.Inthatcase,thisvirtualmachinenaturallyhasaninterfaceonthemanagementnetworkandthusshouldnothaveaninterfaceonanyothernetwork.

VMwarerecommendsthatyouisolatenetworksusingoneofthesemethods:

CreateaseparateVLANforeachnetwork.

Configurenetworkaccessforeachnetworkthroughitsownvirtualswitchandoneormoreuplinkports.

Ineithercase,youshouldconsiderusingNICteamingforthevirtualswitchestoprovideredundancy.

IfyouuseVLANs,youneedfewerphysicalNICstoprovidetheisolation,afactorthatisespeciallyimportantinenvironmentswithconstrainedhardwaresuchasblades.VMwarevirtualswitchesarebydesignimmunetocertaintypesofattacksthathavetraditionallytargetedVLANfunctionality.Fordetails,seethechapterSecuringanESXServer3ConfigurationintheESXServer3ConfigurationGuide.Ingeneral,VMwarebelievesthatVLANtechnologyismatureenoughthatitcanbeconsideredaviableoptionforprovidingnetworkisolation.

ESX/ESXidoesnotsupportvirtualswitchportgroupsconfiguredtoVLAN1.IfthephysicalswitchporttowhichtheESX/ESXihostisconnectedisconfiguredwithVLAN1,ESX/ESXidropsallpackets.YoucanconfiguretheESX/ESXivirtualswitchportgroupswithanyvaluebetween2and4094.UtilizingVLAN1causesadenialofservicebecauseESX/ESXidropsthistraffic.ItisrecommendedthatyoucheckthephysicalnetworkhardwareconfigurationtoverifytheportstowhichtheESX/ESXihostconnectsarenotconfiguredtoVLAN1.Inaddition,VLANID4095specifiesthattheportgroupshouldusetrunkmodeorVGTmode,whichallowstheguestoperatingsystemtomanageitsownVLANtags.GuestoperatingsystemstypicallydonotmanagetheirVLANmembershiponnetworks,soifthisvalueisset,ensurethatthereisalegitimatereasonfordoingso.

IfyoudonotuseVLANs,eitherbecauseyouhavenoVLANsupportinyourenvironmentorbecauseyoudonotconsiderVLANsstrongenoughforisolation,youcancombinethethreetypesofinfrastructurerelatednetworksontotwoorfewervirtualswitches.However,youshouldstillkeepthevirtualmachinenetworksseparatefromtheinfrastructurenetworksbyusingseparatevirtualswitcheswithseparateuplinks.

Configure Encryption for Communication between Clients and ESX/ESXiClientsessionswiththeESX/ESXihostmaybeinitiatedfromanyVIAPIclient,suchasVIClient,VirtualCenter,andtheRemoteCommandLineInterface.SSLencryptionprotectstheconnectionbetweentheVIClientandESX/ESXi,butthedefaultcertificatesusedtosecureyourVirtualCenterandVIWebAccesssessionsarenotsignedbyatrustedcertificateauthorityand,therefore,donotprovidetheauthenticationsecurityyoumightneedinaproductionenvironment.Theseselfsignedcertificatesarevulnerabletomaninthemiddleattacks,andclientsreceiveawarningaboutthem.Ifyouintendtouseencryptedremoteconnectionsexternally,considerpurchasingacertificatefromatrustedcertificateauthorityoruseyourownsecuritycertificateforyourSSLconnections.EnablingcertificatecheckingandinstallationofnewcertificatesaredescribedinthechapterAuthenticationandUserManagementintheESXServer3ConfigurationGuide.

Label Virtual Networks ClearlyLabelallyourvirtualnetworksappropriatelytopreventconfusionorsecuritycompromises.Thislabelingpreventsoperatorerrorcausedbyattachingavirtualmachinetoanetworkitisnotauthorizedforortoanetworkthatcouldallowtheleakageofsensitiveinformation.

Do Not Create a Default Port GroupDuringESX/ESXiinstallation,youhavetheoptionofcreatingadefaultvirtualmachineport.However,thisoptioncreatesavirtualmachineportgrouponthesamenetworkinterfaceastheserviceconsole.Ifthissettingisleftunchanged,itcouldallowvirtualmachinestodetectsensitiveandoftenunencryptedinformation.Becausetheserviceconsoleshouldalwaysbeonaseparate,privatenetwork,thisoptionshouldneverbeusedexceptinatestenvironment.

Copyright 2008 VMware, Inc. All rights reserved. 22

Security Hardening

Do Not Use Promiscuous Mode on Network InterfacesESX/ESXicanrunvirtualnetworkadaptersinpromiscuousmode.Youcanenablepromiscuousmodeonvirtualswitchesthatareboundtoaphysicalnetworkadapter(vmnic)andvirtualswitchesthatdonotbindtoaphysicalnetworkadapter(vmnet).Whenpromiscuousmodeisenabledforavmnicswitch,allvirtualmachinesconnectedtothevirtualswitchhavethepotentialofreadingallpacketssentacrossthatnetwork,fromothervirtualmachinesaswellasanyphysicalmachinesorothernetworkdevices.Whenpromiscuousmodeisenabledforavmnetswitch,allvirtualmachinesconnectedtothevmnetswitchhavethepotentialofreadingallpacketsacrossthatnetworkthatis,trafficamongthevirtualmachinesconnectedtothatvmnetswitch.

Althoughpromiscuousmodecanbeusefulfortrackingnetworkactivity,itisaninsecuremodeofoperationbecauseanyadapterinpromiscuousmodehasaccesstopacketsregardlessofwhethersomeofthepacketsshouldbereceivedonlybyaparticularnetworkadapter.Thismeansthatanadministratororrootuserwithinavirtualmachinecanpotentiallyviewtrafficdestinedforotherguestoperatingsystems.Youshouldusepromiscuousmodeonlyforsecuritymonitoringforexample,foranIDSsystem,debugging,ortroubleshooting.

Bydefault,promiscuousmodeissettoReject.Youcanchangethisoptionbymodifyingthesecuritypolicyonanindividualportgrouporontheentirevirtualswitch,asdescribedinthesectionLayer2SecurityPolicyintheESXServer3ConfigurationGuide.Settingthispolicyperportgroupallowsyoutohaveoneormoreprivilegedvirtualmachinesonaportgroupthatallowspromiscuousmode,whileotherportgroupsonthesameswitchdonotgrantthisprivilege.

Protect against MAC Address SpoofingEachvirtualnetworkadapterinavirtualmachinehasitsowninitialMACaddressassignedwhentheadapteriscreated.Inaddition,eachadapterhasaneffectiveMACaddressthatfiltersoutincomingnetworktrafficwithadestinationMACaddressdifferentfromtheeffectiveMACaddress.

Whenitiscreated,anetworkadapterseffectiveMACaddressandinitialMACaddressarethesame.However,thevirtualmachinesoperatingsystemcanaltertheeffectiveMACaddresstoanothervalueatanytime.IfanoperatingsystemchangestheeffectiveMACaddress,itsnetworkadapterthenreceivesnetworktrafficdestinedforthenewMACaddress.TheoperatingsystemcansendframeswithanimpersonatedsourceMACaddressatanytime.Thus,anoperatingsystemcanstagemaliciousattacksonthedevicesinanetworkbyimpersonatinganetworkadapterauthorizedbythereceivingnetwork.YoucanusevirtualswitchsecurityprofilesonESX/ESXihoststoprotectagainstthistypeofattackbysettingtwooptions,whichyoushouldsetforeachvirtualswitch:

MACaddresschangesBydefault,thisoptionissettoAccept,meaningthatESX/ESXiacceptsrequeststochangetheeffectiveMACaddresstoavalueotherthantheinitialMACaddress.TheMACAddressChangesoptionsettingaffectstrafficreceivedbyavirtualmachine.

ToprotectagainstMACimpersonation,youcansetthisoptiontoReject.Ifyoudo,ESX/ESXidoesnothonorrequeststochangetheeffectiveMACaddresstoanythingotherthantheinitialMACaddress.Instead,theportthatthevirtualadapterusedtosendtherequestisdisabled.Asaresult,thevirtualadapterdoesnotreceiveanymoreframesuntilitchangestheeffectiveMACaddresstomatchtheinitialMACaddress.TheguestoperatingsystemdoesnotdetectthattheMACaddresschangehasnotbeenhonored.

ForgedtransmissionsBydefault,thisoptionissettoAccept,meaningESX/ESXidoesnotcomparesourceandeffectiveMACaddresses.TheForgedTransmitsoptionsettingaffectstraffictransmittedfromavirtualmachine.

IfyousetthisoptiontoReject,ESX/ESXicomparesthesourceMACaddressbeingtransmittedbytheoperatingsystemwiththeeffectiveMACaddressforitsadaptertoseeiftheymatch.Iftheaddressesdonotmatch,ESX/ESXidropsthepacket.TheguestoperatingsystemdoesnotdetectthatitsvirtualnetworkadaptercannotsendpacketsusingtheimpersonatedMACaddress.ESX/ESXiinterceptsanypacketswithimpersonatedaddressesbeforetheyaredelivered,andtheguestoperatingsystemmightassumethatthepacketshavebeendropped.

Copyright 2008 VMware, Inc. All rights reserved. 23

Security Hardening

ItisrecommendedthatyousetbothoftheseoptionstoRejectformaximalsecurity.

Youcanalsosetthesesecuritypoliciesonaperportgroupbasis,whichletsyouoverridethevirtualswitchsettingforthatparticularportgroup.Ifyouneedtoconfigureadifferentpolicyforaparticularvirtualmachineforexample,ifyouhaveanintrusiondetectionvirtualappliancethatneedstomonitoralltrafficonavirtualswitchyoucancreateaspecialportgroupforthis(andonlythis)virtualappliancewiththemodifiedsettings.

Tolearnhowtheseoptionsareconfigured,seethesectionLayer2SecurityPolicyintheESXServer3ConfigurationGuide.

Secure the ESX/ESXi Host ConsoleEvenifyouhavelockeddownESX/ESXitoprotectitfromattacksthatarriveoverthenetwork,anyonewithaccesstotheconsoleofthehostmightstillcauseproblems.Althoughphysicalharmtothehostcannotbeprevented,itstillmightbepossible,forexample,toinfluencethehostsothatitbehavesimproperly,perhapsinamannerthatishardtodetect.

ForESX3.5,whichrunsaserviceconsole,onewaytoguardagainstthisistousegrubpasswordstopreventusersfrombootingintosingleusermodeorpassingoptionstothekernelduringboot.Unlessthepasswordisentered,theserverbootsonlythekernelwiththedefaultoptions.Formoreinformationongrubpasswords,seetheGNUGrubManualathttp://www.gnu.org/software/grub/manual/html_node/index.html.ThistechniquedoesnotapplytoESXi3.5,becausethereisnoserviceconsoleavailableattheconsoleofthehost.

Mask and Zone SAN Resources AppropriatelyZoningprovidesaccesscontrolinaSANtopology.Itdefineswhichhostbusadapters(HBAs)canconnecttowhichSANdeviceserviceprocessors.WhenaSANisconfiguredusingzoning,thedevicesoutsideazonearenotvisibletothedevicesinsidethezone.Inaddition,SANtrafficwithineachzoneisisolatedfromtheotherzones.WithinacomplexSANenvironment,SANswitchesprovidezoning,whichdefinesandconfiguresthenecessarysecurityandaccessrightsfortheentireSAN.

LUNmaskingiscommonlyusedforpermissionmanagement.LUNmaskingisalsoreferredtoasselectivestoragepresentation,accesscontrol,andpartitioning,dependingonthevendor.LUNmaskingisperformedatthestorageprocessororserverlevel.ItmakesaLUNinvisiblewhenatargetisscanned.TheadministratorconfiguresthediskarraysoeachserverorgroupofserverscanseeonlycertainLUNs.Maskingcapabilitiesforeachdiskarrayarevendorspecific,asarethetoolsformanagingLUNmasking.

YoushouldusezoningandLUNmaskingtosegregateSANactivity.Forexample,youmanagezonesdefinedfortestingindependentlywithintheSANsotheydonotinterferewithactivityintheproductionzones.Similarly,youcouldsetupdifferentzonesfordifferentdepartments.ZoningmusttakeintoaccountanyhostgroupsthathavebeensetupontheSANdevice.

Secure iSCSI Devices through AuthenticationOnemeansofsecuringiSCSIdevicesfromunwantedintrusionistorequirethattheESX/ESXihost,orinitiator,beauthenticatedbytheiSCSIdevice,ortarget,wheneverthehostattemptstoaccessdataonthetargetLUN.Thegoalofauthenticationistoprovethattheinitiatorhastherighttoaccessatarget,arightgrantedwhenyouconfigureauthentication.

YouhavetwochoiceswhenyousetupauthenticationforiSCSISANsontheESX/ESXihost:

ChallengeHandshakeAuthenticationProtocol(CHAP)YoucanconfiguretheiSCSISANtouseCHAPauthentication.ESX/ESXisupportsonewayCHAPauthenticationforiSCSI.ItdoesnotsupportbidirectionalCHAP.InonewayCHAPauthentication,thetargetauthenticatestheinitiator,buttheinitiatordoesnotauthenticatethetarget.Theinitiatorhasonlyonesetofcredentials,andalloftheiSCSItargetsusethem.ESX/ESXisupportsCHAPauthenticationattheHBAlevelonly.ItdoesnotsupportpertargetCHAPauthentication,whichenablesyoutoconfiguredifferentcredentialsforeachtargettoachievegreatertargetrefinement.

Copyright 2008 VMware, Inc. All rights reserved. 24

Security Hardening

DisabledYoucanconfiguretheiSCSISANtousenoauthentication.Communicationsbetweentheinitiatorandtargetareauthenticatedinarudimentaryway,becausetheiSCSItargetdevicesaretypicallysetuptocommunicatewithspecificinitiatorsonly.

ChoosingnottoenforcemorestringentauthenticationcanmakesenseifyoucreateadedicatednetworkorVLANtoserviceallyouriSCSIdevices.BecausetheiSCSIfacilityisisolatedfromgeneralnetworktraffic,itislessvulnerabletoexploit.

ESX/ESXidoesnotsupportKerberos,SecureRemoteProtocol(SRP),orpublickeyauthenticationmethodsforiSCSI.Additionally,itdoesnotsupportIPsecauthenticationandencryption.

Forinformationonhowtodeterminewhetherauthenticationiscurrentlybeingperformedandtoconfiguretheauthenticationmethod,seethechapterSecuringanESXServer3ConfigurationintheESXServer3ConfigurationGuide.

VirtualCenterVirtualCenterprovidesapowerfulwaytomanageandcontrolyourVMwareInfrastructureenvironmentfromacentralpointandenablesmoresophisticatedoperationsthroughtoolsthatworkthroughitsSDK.Itisextremelypowerfulandthereforeshouldbesubjecttothestrictestsecuritystandards.

Set Up the Windows Host for VirtualCenter with Proper SecurityBecauseVirtualCenterrunsonaWindowshost,itisespeciallycriticaltoprotectthishostagainstvulnerabilitiesandattacks.Thestandardsetofrecommendationsapplies,asitwouldforanyhost:installantivirusagents,spywarefilters,intrusiondetectionsystems,andanyothersecuritymeasures.Makesuretokeepallsecuritymeasuresuptodate,includingapplicationofpatches.

ThepasswordthatVirtualCenterusestoaccessitsdatabaseisstoredintheWindowsregistryinanencodedformat.Althoughthepasswordcannotbereaddirectly,itisnotprotectedbyencryption,soyoushouldprotecttheregistryontheVirtualCenterhosttopreventunauthorizedaccesstotheVirtualCenterdatabase.

Ingeneral,youshouldhardenandlockdowntheVirtualCenterhostaccordingtoindustrystandardconfigurationguides,suchastheDISASTIGorCISBenchmark.

Limit Administrative AccessVirtualCenterrunsasauserthatrequireslocaladministratorprivilegesandmustbeinstalledbyalocaladministrativeuser.Tolimitthescopeofadministrativeaccess,avoidusingtheWindowsAdministratorusertorunVirtualCenterafteryouinstallit.Instead,useadedicatedVirtualCenteradministratoraccount.Tosetuptheadministrativeaccount,takethefollowingsteps:

1 CreatealocalaccountforanordinaryuserontheWindowshost.ThisistheaccounttheVirtualCenteradministratorshouldusetomanageVirtualCenter.

2 InVirtualCenter,logonastheWindowsAdministrator,thengrantVirtualCenterrootadministratoraccesstothenewlycreatedaccount

3 LogoutofVirtualCenter,thenmakesureyoucanlogintoVirtualCenterasthenewuserandthatthisuserisabletoperformalltasksavailabletoaVirtualCenteradministrator

4 RemovethepermissionsinVirtualCenterforthelocalAdministratorsgroup.

Byconfiguringaccountsinthisway,youavoidautomaticallygivingadministrativeaccesstodomainadministrators,whotypicallybelongtothelocalAdministratorsgroup.ThisalsoprovidesawayofloggingintoVirtualCenterwhenthedomaincontrollerisdown,becausethelocalVirtualCenteradministratoraccountdoesnotrequireremoteauthentication.

Copyright 2008 VMware, Inc. All rights reserved. 25

Security Hardening

Limit Network Connectivity to VirtualCenterTheonlynetworkconnectionVirtualCenterrequiresistothemanagementnetworkdescribedinIsolateVirtualMachineNetworksonpage 3.YoushouldavoidputtingtheVirtualCenterserveronanyothernetwork,suchasyourproductionorstoragenetwork.Specifically,VirtualCenterdoesnotneedaccesstothenetworkonwhichVMotiontakesplace.Bylimitingthenetworkconnectivity,youcutdownonthepossibleavenuesofattack.

Usethefollowingguidelinestolimitnetworkconnectivity:

Firewalls

YoushouldprotecttheVirtualCenterserverusingafirewall.ThisfirewallmaysitbetweentheclientsandtheVirtualCenterserver,orboththeVirtualCenterServerandtheclientsmaysitbehindthefirewall,dependingonyourdeployment.Themainconsiderationisensuringthatafirewallispresentatwhatyouconsidertobeanentrypointforthesystemasawhole.

UsefirewallstorestrictwhichsystemscanaccessVirtualCenterbyIPaddress.

FormoreinformationonthepossiblelocationsforfirewallsusedwithVirtualCenter,seethesectionFirewallsforConfigurationswithaVirtualCenterServerintheESXServer3ConfigurationGuide.

TCPandUDPportsformanagementaccess

NetworksconfiguredwithaVirtualCenterservercanreceivecommunicationsfromseveraltypesofclients:theVIClient,VIWebAccess,asystemwiththeRemoteCLIoroneoftheVIToolkitsforscriptinginstalled,orthirdpartynetworkmanagementclientsthatusetheSDKtointeractwiththehost.Duringnormaloperation,VirtualCenterlistensondesignatedportsfordatafromthehostsitismanagingandfromclients.VirtualCenteralsoassumesthatthehostsitismanaginglistenfordatafromVirtualCenterondesignatedports.Ifafirewallispresentbetweenanyofthesecomponents,youmustensurethattheappropriateportsareopentosupportdatatransferthroughthefirewall.

ThesectionTCPandUDPPortsforManagementAccessintheESXServer3ConfigurationGuidelistsallthepredeterminedTCPandUDPportsusedformanagementaccesstoyourVirtualCenterserver,ESXhosts,andothernetworkcomponents.Studythissectioncarefullytodeterminehowtoconfigureyourfirewallstomaintainmaximumsecuritywhilestillallowingrequiredmanagementoperations.

Use Proper Security Measures when Configuring the Database for VirtualCenterYoushouldinstalltheVirtualCenterdatabaseonaseparateserverorvirtualmachineandsubjectittothesamesecuritymeasuresasanyproductiondatabase.Youshouldalsocarefullyconfigurethepermissionsusedforaccesstothedatabasetotheminimumnecessary.Usetheguidelinesappropriatetoyourdatabase.

MicrosoftSQLServer

Duringinstallationandupgrade,theVirtualCenteraccountmusthavetheDBOwnerrole.Duringnormaloperations,youmayfurtherrestrictpermissionstothefollowing:

Invoke/executestoredprocedures

Select,update,insert

Delete

Oracle

TheprivilegesrequiredfortheVirtualCenteraccountarelistedinthesectionPreparingtheVirtualCenterServerDatabaseofthechapterInstallingVMwareInfrastructureManagementintheESXServer3InstallationGuide.

NOTEYoumightnotbeabletoopenaVIClientremoteconsolewhenyournetworkisconfiguredsuchthatafirewallusingNATstandsbetweentheESXhostandthecomputerrunningVIClient.SeeVMwareknowledgebasearticle749640(http://kb.vmware.com/kb/749640)foraworkaroundforthisissue.

Copyright 2008 VMware, Inc. All rights reserved. 26

Security Hardening

Enable Full and Secure Use of Certificate-based EncryptionForenvironmentsthatrequirestrongsecurity,VMwarerecommendsthatadministratorsreplacealldefaultselfsignedcertificatesgeneratedatinstallationtimewithlegitimatecertificatessignedbytheirlocalrootcertificateauthorityorpublic,thirdpartycertificatesavailablefrommultiplepubliccertificateauthorities.YoushouldalsoenableservercertificateverificationonallVIClientinstallationsandtheVirtualCenterhost.ThisinvolvesamodificationtotheWindowsregistryonallclienthosts.

ForbackgroundandinformationonreplacingVirtualCenterServercertificates,seethetechnicalnoteReplacingVirtualCenterServerCertificates(http://www.vmware.com/vmtn/resources/658).ForinformationonenablingservercertificateverificationforVIClientinstallations,includinghowtopretrustcertificatesandhowtomodifytheWindowsregistryforclienthosts,seeVMwareknowledgebasearticle4646606(http://kb.vmware.com/kb/4646606).

Use VirtualCenter Custom RolesBeginningwithversion2.0,VirtualCenterprovidesasophisticatedsystemofrolesandpermissions.Theserolesandpermissionsallowfinegraineddeterminationofauthorizationforadministrativeandusertasks,basedonuserorgroupandinventoryitem,suchasclusters,resourcepools,andhosts.Youshouldtakeadvantageofthissystemtoassurethatonlytheminimumnecessaryprivilegesareassignedtopeopleinordertopreventunauthorizedaccessormodification.Somerecommendationsare:

Createrolesthatenableonlythenecessarytasks.Forexample,auserwhoisonlygoingtomakeuseofanassignedvirtualmachinemightneedpermissiononlytopowerthemachineonoroff,andnotnecessarilytoattachaCDorfloppydevice.

Assignrolestoaslimitedascopeasnecessary.Forexample,youcangiveausercertainpermissionsonaresourcepoolinsteadofadiscretehost,andyoucanusefolderstocontainthescopeofaprivilege.

FormoreinformationonVirtualCenterroles,seethepaperManagingVirtualCenterRolesandPermissions(http://www.vmware.com/resources/techresources/826).

Document and Monitor Changes to the ConfigurationAlthoughmostofaVMwareInfrastructureenvironmentisdefinedbyinformationcontainedintheVirtualCenterdatabase,certainimportantconfigurationinformationresidesonlyontheVirtualCenterServerhostslocalfilesystem.Thisincludesthemainconfigurationfilevpxd.cfg,variouslogfiles,and,implicitly,theWindowsregistrysettingsthatpertaintoVirtualCenter.

Forcomplianceandauditing,itisimportantthatyouhavearecordoftheseconfigurationsovertime.OneconvenientwaytocaptureeverythinginoneplaceistousetheGenerateVirtualCenterServerlogbundlecommand,intheVMwareprogramfilemenuontheVirtualCenterhost.Thistoolisdesignedtocaptureinformationtobeusedfortroubleshootinganddebugging,buttheresultingarchivefileservesasaconvenientwaytomaintainahistoricalrecord.

TheresultingZIParchiveincludesfilesthatcontainthevaluesofrelevantWindowsregistryentries,configurationfilesforVirtualCenterandanyaddoncomponents,andlogfilesforVirtualCenter,thelicenseserver,andanyaddoncomponents.Byperformingthistaskonaregularbasis,youcankeeptrackofallchangesthataffectyourVirtualCenterinstallation.

NOTEYouneedtoreplacethedefaultVirtualCenterServercertificatebeforeenablingservercertificateverification.

Copyright 2008 VMware, Inc. All rights reserved. 27

Security Hardening

Ifyouwanttomonitorthelogfilesdirectly,useTable12todeterminewhichfilestowatch:

VirtualCenter Add-on ComponentsBeginningwithversion2.5,VirtualCenterincludesaframeworkthatenablesyoutoaddcomponentstoVirtualCentertoextenditsfunctionality.Thesecomponentstypicallyrunasseparateservices,whichareinstalledontheVirtualCenterserverorinsomecasesaonseparatehostorinavirtualmachine.ThreeofthesecomponentsarebundledwithVirtualCenter:

VMwareUpdateManager:managesandautomatespatchmanagementandtrackingofESXhostsandvirtualmachines,includingturnedoffvirtualmachinesandvirtualmachinetemplates

VMwareConverterEnterpriseforVirtualCenter:providesanintegratedsolutionformigratingbothphysicalandvirtualmachinestoVMwareInfrastructure.

VMwareGuidedConsolidation:automaticallydiscoversphysicalservers,helpsanalyzetheirperformance,andtriggerstheconversionofphysicaltovirtualmachinesplacedintelligentlyonasuitablehost.

VMware Update ManagerYoushouldconsiderVMwareUpdateManageranessentialcomponentofanyVMwareInfrastructuredeployment.Theabilitytomakesurethatcriticaloperatingsystempatchesareappliedtoallvirtualmachines,especiallyofflinevirtualmachinesandtemplates,addressesoneofthemostimportantaspectsofsecurityinavirtualizedenvironment.Furthermore,theabilitytoautomatethepatchingofESXhostsgreatlyincreasesthelikelihoodthatyouareprotectedagainstanyvulnerabilitiesthatmaybediscoveredforthisplatform.

InordertomaintainisolationoftheVirtualCenterhost,itisrecommendedthatyouinstallVMwareUpdateManageronaseparatehostorinavirtualmachine.ThishostneedstohaveaccesstotheVirtualCenterusingtheVIAPIinterface(availablebydefaultonTCPport443).Inthedefaultinstallation,thehostwhereyouinstallVMwareUpdateManageralsoneedsaccesstotheInternetinordertodownloadpatchesandpatchinformation.YoucanconfigureittouseaWebproxy,astepyoushouldtakeifaWebproxyisavailable.Forhighestsecurity,youcaninstalltheUpdateManagerDownloadServiceonaseparateserver,andthepatchesandinformationthatitdownloadscanbetransferredmanuallytotheUpdateManagerhostforexample,usingaUSBkeyorscheduled,securefiletransfer.ThisavoidshavingtheUpdateManagerhostitselfconnectedtoanexternalnetwork.FormoreinformationoninstallingUpdateManagerandtheUpdateManagerDownloadService,seethechapterWorkingwithUpdateManagerintheUpdateManagerAdministrationGuide.

VMware Converter EnterpriseAswithUpdateManager,youshouldinstallConverteronaseparatesysteminordertomaintainisolationoftheVirtualCenterhost.ConverterandthesourcesystemneedaccesstoVirtualCenterusingtheVIAPIinterface(TCPport443bydefault)andtheVIAPIinterfaceofanydestinationESXhost.However,theinformationfromtheharddiskofthesourcesystemistransferredtothedestinationESXhostoverport902.Inaddition,theConverterserverneedsaccesstoport139onthesourcesystem.

TheuseofConverterhasthepotentialforintroducingsomesecurityrisks.WhenmigratingphysicalorvirtualmachinestoVMwareInfrastructure,youruntheriskofimportingacompromisedorinfectedserver.Becausetheimportoccurswithlittlemodificationtothesource,youcouldbeintroducingavulnerabilitydirectlyintoyourenvironment.YoumightwanttoconsiderusingConverteronlyintestorstagingenvironments.

Table 12. Paths to Key VirtualCenter Log Files

Component Default path to file

VirtualCenter C:\Documents and Settings\All Users\Application Data\VMware\VMware VirtualCenter\Logs\*

WebservercomponentofVirtualCenter

C:\Program Files\VMware\Infrastructure\VirtualCenter Server\tomcat\logs\*

Licensemanager C:\WINDOWS\Temp\lmgrd.log

Copyright 2008 VMware, Inc. All rights reserved. 28

Security Hardening

VMware Guided ConsolidationGuidedConsolidationautomatestheprocessofdiscoveringandanalyzingexistingservers(virtualorphysical)forsuitabilityofconversiontovirtualmachines,andchoosingthedestinationESXhostontowhichtomigratethem.ItthenautomaticallyinvokesConvertertoperformtheactualmigrationprocess.

GuidedConsolidationisnotanoptionalcomponent,andyoucannotinstallitonaseparatehost.ItisalwaysrunningasaserviceontheVirtualCenterServerhost.GuidedConsolidationrequiresaccesstotheportsforWMI,Perfmon,andRemoteRegistryports135,137,138,139,and445.TheseportsmustbeopenonboththeVirtualCenterhostandthetargetserver.TheGuidedConsolidationservicemustberunasauserwithVirtualCenterAdministratorprivileges,aswellaswiththenecessaryWindowsprivilegestoqueryActiveDirectoryforserversintheenvironment.Inaddition,administratorcredentialsarerequiredforeachtargetsystemtobeanalyzed,sothatperformancedatacanbecollectedfromthem.Youcanenteradefaultsetoftargetsystemcredentialsandoverridethisdefaultforindividualtargetsystemsthatmightdeviatefromthedefault.

TheGuidedConsolidationservicereliesonConvertertoimporttargetserver,soallrecommendationsforConverterapplytoGuidedConsolidation,aswell.ItisrecommendedthatyounotuseGuidedConsolidationinhighersecurityenvironments.

General ConsiderationsWithanyaddoncomponent,observethefollowing:

Hardenandlockdowntheserveronwhichthecomponentisinstalledaccordingtotheindustrybestpracticesforthehostsoperatingsystem.

ThesecomponentsoftenrequireyoutoprovidecredentialsofauseraccountwithfullVMwareInfrastructureadministratorprivileges.Toreduceexposureandhaveawayofrestrictingaccessincaseaproblemisfound,createauniqueaccountforeachcomponent.Then,ifavulnerabilityorotherproblemisdiscovered,youcanreduceoreliminateprivilegesonthataccountuntilthesituationisresolved.DonotprovidethecredentialsoftheVirtualCenterhostsAdministratoraccountorofanactualuser.

Thesecomponentsusuallyhavetheirownlogfiles.Table13showsthelogfilesforthecomponentsthatarebundledwithVirtualCenter:

Client ComponentsTherecommendationsinthissectionapplytoclientsthatconnecttoVirtualCenterorESX.

Restrict the use of Linux-based ClientsAlthoughSSLbasedencryptionisusedtoprotectedcommunicationbetweenclientcomponentsandVirtualCenterorESX,theLinuxversionsofthesecomponentsdonotperformcertificatevalidation.Therefore,evenifyouhavereplacedtheselfsignedcertificatesonVirtualCenterandESXwithlegitimatecertificatessignedbyyourlocalrootcertificateauthorityorathirdparty,communicationswithLinuxclientsarestillvulnerabletomaninthemiddleattacks.ThecomponentsthatarevulnerablewhenrunningonLinuxinclude:

AnyRemoteCLIcommand

AnyVIPerlToolkitscript

Table 13. Paths to Log Files for Bundled VirtualCenter Components

Component Default path to file

VMwareUpdateManager C:\Documents and Settings\All Users\Application Data\VMware\VMware Update Manager\Logs\*

VMwareEnterpriseConverter

C:\Documents and Settings\All Users\Application Data\VMware\VMware Converter Enterprise\Logs\*

VMwareGuidedConsolidation

C:\Documents and Settings\All Users\Application Data\VMware\VMware Capacity Planner\Logs\*

Copyright 2008 VMware, Inc. All rights reserved. 29

Security Hardening

VirtualmachineconsoleaccessinitiatedfromaLinuxbasedWebAccessbrowsersession

AnyprogramwrittenusingtheVISDK

ThemanagementinterfacesofVirtualCenterandESXshouldbeavailableonlyontrustednetworks,butprovidingencryptionandcertificatevalidationaddextralayersofdefenseagainstanattack.Ifyouareabletomitigateagainstsystemsonthemanagementnetworkinterposingthemselvesonnetwork