
vSphere 5.0 Security Hardening Guide
v1.0 6/1/2012

Scope of Guide

This guide covers the following components of vSphere:
- Virtual Machines
- ESXi hosts
- Virtual Network
- vCenter Server, plus its database and clients
- vCenter Update Manager

Everything else is out of scope and hence NOT covered by the guide. This includes:
- vCenter Virtual Appliance
- vSphere Management Assistant (vMA)
- any other add-on component

Description of fields

Each guideline is uniquely identified by the concatenation of Product-Version-Component-ID. Some examples:
- vSphere-5.0-esxi-apply-patches
- vSphere-5.0-vm-prevent-device-interaction-edit
- vSphere-5.0-vnetwork-reject-mac-change-dvportgroup
- vSphere-5.0-vcenter-isolated-vum-proxy

When referring to guidelines within a single version, the Product-Version may be omitted and the component-ID used by itself, e.g. esxi-apply-patches.

The Profile field indicates the relative increase in security provided by the guidelines. Some guidelines describe an issue with more than one defense, and these will be associated with more than one profile.
- Profile 3: guidelines that should be implemented in all environments
- Profile 2: guidelines that should be implemented for more sensitive environments, e.g. those handling more sensitive data, those subject to stricter compliance rules, etc.
- Profile 1: guidelines that should only be implemented in the highest security environments, e.g. top-secret government or military, extremely sensitive data, etc.

Control Type indicates how the guideline is implemented:
- Parameter: A system-level parameter should be set to a particular value, either specified in the guideline or else site-specific.
- Configuration: A certain hardware and/or software configuration or combination of settings should be used.
- Operational: Indicates an ongoing check, either monitoring for certain actions or conditions, or else verifying the use of proper procedures.

Assessment Procedure: describes how to validate whether or not the guideline is being followed. The remediation procedure is generally not described, but in some cases the remediation steps are available in an external reference.

The following fields are filled in where applicable or determinate:
- Configuration Parameter
- Configuration File
- Desired Value
- Is Desired Value the Default?

Negative Functional Impact indicates if this guideline has any side effects that reduce or prevent normal functionality.

Where possible, CLI commands for assessment and remediation are provided. The commands are provided for the vSphere CLI (vCLI), ESXi Shell, and PowerCLI. Reference to the API which relates to a guideline is also provided if possible.

For the ESXi guidelines, a special column indicates whether or not the guidelines can be configured using Host Profiles.

Virtual Machine Guidelines

The guideline table is reproduced below one guideline at a time, with the same fields the table has (ID, Product, Version, Component, Subcomponent, Title, Vulnerability Discussion, Profile, Control Type, Assessment Procedure, Configuration File, Configuration Parameter, Desired Value, Change Type, Is desired value the default?, vSphere API, ESXi Shell / vCLI / PowerCLI assessment and remediation commands, Negative Functional Impact). A field that is empty in the table is omitted from the guideline.

----------------------------------------------------------------------

Guideline: vSphere-5.0-vm-disable-autoinstall
ID: disable-autoinstall
Product: vSphere   Version: 5.0   Component: Virtual Machines   Subcomponent: Tools
Title: Disable tools auto install
Vulnerability Discussion: Tools auto install can initiate an automatic reboot; disabling this option will prevent tools from being installed automatically and prevent automatic machine reboots.
Profile: 1,2
Control Type: Parameter
Assessment Procedure: Check the virtual machine configuration file and verify that isolation.tools.autoInstall.disable is set to TRUE.
Configuration File: VMX
Configuration Parameter: isolation.tools.autoInstall.disable
Desired Value: TRUE
Change Type: modify
Is desired value the default? NO
vSphere API: http://pubs.vmware.com/vsphere50/index.jsp?topic=/com.vmware.wssdk.apiref.doc_50/vim.option.OptionValue.html
ESXi Shell Command Assessment: grep -i "isolation.tools.autoInstall.disable" [VMX]
ESXi Shell Command Remediation: N/A
vCLI Command Assessment: vmware-cmd --server [SERVER] --username [USERNAME] --password [PASSWORD] /vmfs/volumes/[DATASTORE]/[VM]/[VM].vmx getguestinfo isolation.tools.autoInstall.disable
vCLI Command Remediation: N/A
PowerCLI Command Assessment:
    # In this Example you will need to add the functions from this post: http://communities.vmware.com/docs/DOC18653
    # List the VMs and their current settings
    Get-VM | Select Name, @{N="Setting";E={($_ | Get-VMAdvancedConfiguration -key "isolation.tools.autoInstall.disable").Value }}
PowerCLI Command Remediation:
    # In this Example you will need to add the functions from this post: http://communities.vmware.com/docs/DOC18653
    # Add the setting to all VMs
    Get-VM | Set-VMAdvancedConfiguration -key "isolation.tools.autoInstall.disable" -value $true
Negative Functional Impact: This option disables tools auto install; all tools installs will have to be started manually.

----------------------------------------------------------------------

Guideline: vSphere-5.0-vm-disable-hgfs
ID: disable-hgfs
Product: vSphere   Version: 5.0   Component: Virtual Machines   Subcomponent: Monitor
Title: Disable HGFS file transfers
Vulnerability Discussion: Certain automated operations such as automated tools upgrades use a component in the hypervisor called "Host Guest File System", and an attacker could potentially use this to transfer files inside the guest OS.
Control Type: Parameter
Assessment Procedure: Check the virtual machine configuration file and verify that isolation.tools.hgfsServerSet.disable is set to TRUE.
Configuration File: VMX
Configuration Parameter: isolation.tools.hgfsServerSet.disable
Desired Value: TRUE
Change Type: Modify
Is desired value the default? NO
vSphere API: http://pubs.vmware.com/vsphere50/index.jsp?topic=/com.vmware.wssdk.apiref.doc_50/vim.option.OptionValue.html
ESXi Shell Command Assessment: grep -i "isolation.tools.hgfsServerSet.disable" [VMX]
ESXi Shell Command Remediation: N/A
vCLI Command Assessment: vmware-cmd --server [SERVER] --username [USERNAME] --password [PASSWORD] /vmfs/volumes/[DATASTORE]/[VM]/[VM].vmx getguestinfo isolation.tools.hgfsServerSet.disable
vCLI Command Remediation: N/A
PowerCLI Command Assessment:
    # In this Example you will need to add the functions from this post: http://communities.vmware.com/docs/DOC18653
    # List the VMs and their current settings
    Get-VM | Select Name, @{N="Setting";E={($_ | Get-VMAdvancedConfiguration -key "isolation.tools.hgfsServerSet.disable").Value }}
PowerCLI Command Remediation:
    # In this Example you will need to add the functions from this post: http://communities.vmware.com/docs/DOC18653
    # Add the setting to all VMs
    Get-VM | Set-VMAdvancedConfiguration -key "isolation.tools.hgfsServerSet.disable" -value $true
Negative Functional Impact: This will cause the VMX process to not respond to commands from the tools process; this may have a negative impact on operations such as automated tools upgrades.

----------------------------------------------------------------------

Guideline: vSphere-5.0-vm-disable-independent-nonpersistent
ID: disable-independent-nonpersistent
Product: vSphere   Version: 5.0   Component: Virtual Machines   Subcomponent: Storage
Title: Avoid using independent nonpersistent disks.
Vulnerability Discussion: The security issue with nonpersistent disk mode is that successful attackers, with a simple shutdown or reboot, might undo or remove any traces that they were ever on the machine. To safeguard against this risk, you should set production virtual machines to use either persistent disk mode or nonpersistent disk mode; additionally, make sure that activity within the VM is logged remotely on a
Profile: 1,2
Control Type: Parameter
Assessment Procedure: If remote logging of events and activity is not configured for the guest, scsiX:Y.mode should be either: 1. Not present 2. Not set to independent nonpersistent
Configuration File: VMX
Configuration Parameter: scsiX:Y.mode
Desired Value: not present or independent nonpersistent
Change Type: remove, modify
vSphere API: http://pubs.vmware.com/vsphere50/index.jsp?topic=/com.vmware.wssdk.apiref.doc_50/vim.vm.device.VirtualDevice.html
ESXi Shell Command Assessment: grep -i "^scsi[0-9]*:[0-9]*.mode" [VMX]
ESXi Shell Command Remediation: N/A
vCLI Command Assessment:
    1. vifs --server [SERVER] --username [USERNAME] --password [PASSWORD] -g "[DATASTORE] VM/VM.vmx" VM.vmx
    2. grep -i "^scsi[0-9]*:[0-9]*.mode" [VMX]
vCLI Command Remediation: N/A
PowerCLI Command Assessment:
    # List the VMs and their disk types
    Get-VM | Get-HardDisk | Select Parent, Name, Filename, DiskType, Persistence
PowerCLI Command Remediation:
    # Alter the parameters for the following cmdlet to set the VM Disk Type:
    Get-VM | Get-HardDisk | Set-HardDisk
Negative Functional Impact: Won't be able to make use of nonpersistent mode, which allows rollback to a known state when rebooting the VM.

----------------------------------------------------------------------

Guideline: vSphere-5.0-vm-disable-unexposed-features-autologon
ID: disable-unexposed-features-autologon
Product: vSphere   Version: 5.0   Component: Virtual Machines   Subcomponent: Monitor
Title: Disable certain unexposed features.
Vulnerability Discussion: Because VMware virtual machines are designed to work on both vSphere as well as hosted virtualization platforms such as Workstation and Fusion, there are some VMX parameters that don't apply when running on vSphere. Although the functionality governed by these parameters is not exposed on ESX, explicitly disabling them will reduce the potential for vulnerabilities. Disabling these features reduces the number of vectors through which a guest can attempt to influence the host, and thus may help prevent successful exploits.
Control Type: Parameter
Assessment Procedure: Check the virtual machine configuration file and verify that isolation.tools.ghi.autologon.disable is set to TRUE.
Configuration File: VMX
Configuration Parameter: isolation.tools.ghi.autologon.disable
Desired Value: TRUE
Change Type: Modify
Is desired value the default? NO
vSphere API: http://pubs.vmware.com/vsphere50/index.jsp?topic=/com.vmware.wssdk.apiref.doc_50/vim.option.OptionValue.html
ESXi Shell Command Assessment: grep -i "isolation.tools.ghi.autologon.disable" [VMX]
ESXi Shell Command Remediation: N/A
vCLI Command Assessment: vmware-cmd --server [SERVER] --username [USERNAME] --password [PASSWORD] /vmfs/volumes/[DATASTORE]/[VM]/[VM].vmx getguestinfo isolation.tools.ghi.autologon.disable
vCLI Command Remediation: N/A
PowerCLI Command Assessment:
    # In this Example you will need to add the functions from this post: http://communities.vmware.com/docs/DOC18653
    # List the VMs and their current settings
    Get-VM | Select Name, @{N="Setting";E={($_ | Get-VMAdvancedConfiguration -key "isolation.tools.ghi.autologon.disable").Value }}
PowerCLI Command Remediation:
    # In this Example you will need to add the functions from this post: http://communities.vmware.com/docs/DOC18653
    # Add the setting to all VMs
    Get-VM | Set-VMAdvancedConfiguration -key "isolation.tools.ghi.autologon.disable" -value $true

----------------------------------------------------------------------

Guideline: vSphere-5.0-vm-disable-unexposed-features-biosbbs
ID: disable-unexposed-features-biosbbs
Product: vSphere   Version: 5.0   Component: Virtual Machines   Subcomponent: Monitor
Title: Disable certain unexposed features.
Vulnerability Discussion: Same as disable-unexposed-features-autologon above.
Control Type: Parameter
Assessment Procedure: Check the virtual machine configuration file and verify that isolation.bios.bbs.disable is set to TRUE.
Configuration File: VMX
Configuration Parameter: isolation.bios.bbs.disable
Desired Value: TRUE
Change Type: Modify
Is desired value the default? NO
vSphere API: http://pubs.vmware.com/vsphere50/index.jsp?topic=/com.vmware.wssdk.apiref.doc_50/vim.option.OptionValue.html
ESXi Shell Command Assessment: grep -i "isolation.bios.bbs.disable" [VMX]
ESXi Shell Command Remediation: N/A
vCLI Command Assessment: vmware-cmd --server [SERVER] --username [USERNAME] --password [PASSWORD] /vmfs/volumes/[DATASTORE]/[VM]/[VM].vmx getguestinfo isolation.bios.bbs.disable
vCLI Command Remediation: N/A
PowerCLI Command Assessment:
    # In this Example you will need to add the functions from this post: http://communities.vmware.com/docs/DOC18653
    # List the VMs and their current settings
    Get-VM | Select Name, @{N="Setting";E={($_ | Get-VMAdvancedConfiguration -key "isolation.bios.bbs.disable").Value }}
PowerCLI Command Remediation:
    # In this Example you will need to add the functions from this post: http://communities.vmware.com/docs/DOC18653
    # Add the setting to all VMs
    Get-VM | Set-VMAdvancedConfiguration -key "isolation.bios.bbs.disable" -value $true

----------------------------------------------------------------------

Guideline: vSphere-5.0-vm-disable-unexposed-features-getcreds
ID: disable-unexposed-features-getcreds
Product: vSphere   Version: 5.0   Component: Virtual Machines   Subcomponent: Monitor
Title: Disable certain unexposed features.
Vulnerability Discussion: Same as disable-unexposed-features-autologon above.
Control Type: Parameter
Assessment Procedure: Check the virtual machine configuration file and verify that isolation.tools.getCreds.disable is set to TRUE.
Configuration File: VMX
Configuration Parameter: isolation.tools.getCreds.disable
Desired Value: TRUE
Change Type: Modify
Is desired value the default? NO
vSphere API: http://pubs.vmware.com/vsphere50/index.jsp?topic=/com.vmware.wssdk.apiref.doc_50/vim.option.OptionValue.html
ESXi Shell Command Assessment: grep -i "isolation.tools.getCreds.disable" [VMX]
ESXi Shell Command Remediation: N/A
vCLI Command Assessment: vmware-cmd --server [SERVER] --username [USERNAME] --password [PASSWORD] /vmfs/volumes/[DATASTORE]/[VM]/[VM].vmx getguestinfo isolation.tools.getCreds.disable
vCLI Command Remediation: N/A
PowerCLI Command Assessment:
    # In this Example you will need to add the functions from this post: http://communities.vmware.com/docs/DOC18653
    # List the VMs and their current settings
    Get-VM | Select Name, @{N="Setting";E={($_ | Get-VMAdvancedConfiguration -key "isolation.tools.getCreds.disable").Value }}
PowerCLI Command Remediation:
    # In this Example you will need to add the functions from this post: http://communities.vmware.com/docs/DOC18653
    # Add the setting to all VMs
    Get-VM | Set-VMAdvancedConfiguration -key "isolation.tools.getCreds.disable" -value $true

----------------------------------------------------------------------

Guideline: vSphere-5.0-vm-disable-unexposed-features-launchmenu
ID: disable-unexposed-features-launchmenu
Product: vSphere   Version: 5.0   Component: Virtual Machines   Subcomponent: Monitor
Title: Disable certain unexposed features.
Vulnerability Discussion: Same as disable-unexposed-features-autologon above.
Control Type: Parameter
Assessment Procedure: Check the virtual machine configuration file and verify that isolation.tools.ghi.launchmenu.change is set to TRUE.
Configuration File: VMX
Configuration Parameter: isolation.tools.ghi.launchmenu.change
Desired Value: TRUE
Change Type: Modify
Is desired value the default? NO
vSphere API: http://pubs.vmware.com/vsphere50/index.jsp?topic=/com.vmware.wssdk.apiref.doc_50/vim.option.OptionValue.html
ESXi Shell Command Assessment: grep -i "isolation.tools.ghi.launchmenu.change" [VMX]
ESXi Shell Command Remediation: N/A
vCLI Command Assessment: vmware-cmd --server [SERVER] --username [USERNAME] --password [PASSWORD] /vmfs/volumes/[DATASTORE]/[VM]/[VM].vmx getguestinfo isolation.tools.ghi.launchmenu.change
vCLI Command Remediation: N/A
PowerCLI Command Assessment:
    # In this Example you will need to add the functions from this post: http://communities.vmware.com/docs/DOC18653
    # List the VMs and their current settings
    Get-VM | Select Name, @{N="Setting";E={($_ | Get-VMAdvancedConfiguration -key "isolation.tools.ghi.launchmenu.change").Value }}
PowerCLI Command Remediation:
    # In this Example you will need to add the functions from this post: http://communities.vmware.com/docs/DOC18653
    # Add the setting to all VMs
    Get-VM | Set-VMAdvancedConfiguration -key "isolation.tools.ghi.launchmenu.change" -value $true

----------------------------------------------------------------------

Guideline: vSphere-5.0-vm-disable-unexposed-features-memsfss
ID: disable-unexposed-features-memsfss
Product: vSphere   Version: 5.0   Component: Virtual Machines   Subcomponent: Monitor
Title: Disable certain unexposed features.
Vulnerability Discussion: Same as disable-unexposed-features-autologon above.
Control Type: Parameter
Assessment Procedure: Check the virtual machine configuration file and verify that isolation.tools.memSchedFakeSampleStats.disable is set to TRUE.
Configuration File: VMX
Configuration Parameter: isolation.tools.memSchedFakeSampleStats.disable
Desired Value: TRUE
Change Type: Modify
Is desired value the default? NO
vSphere API: http://pubs.vmware.com/vsphere50/index.jsp?topic=/com.vmware.wssdk.apiref.doc_50/vim.option.OptionValue.html
ESXi Shell Command Assessment: grep -i "isolation.tools.memSchedFakeSampleStats.disable" [VMX]
ESXi Shell Command Remediation: N/A
vCLI Command Assessment: vmware-cmd --server [SERVER] --username [USERNAME] --password [PASSWORD] /vmfs/volumes/[DATASTORE]/[VM]/[VM].vmx getguestinfo isolation.tools.memSchedFakeSampleStats.disable
vCLI Command Remediation: N/A
PowerCLI Command Assessment:
    # In this Example you will need to add the functions from this post: http://communities.vmware.com/docs/DOC18653
    # List the VMs and their current settings
    Get-VM | Select Name, @{N="Setting";E={($_ | Get-VMAdvancedConfiguration -key "isolation.tools.memSchedFakeSampleStats.disable").Value }}
PowerCLI Command Remediation:
    # In this Example you will need to add the functions from this post: http://communities.vmware.com/docs/DOC18653
    # Add the setting to all VMs
    Get-VM | Set-VMAdvancedConfiguration -key "isolation.tools.memSchedFakeSampleStats.disable" -value $true

----------------------------------------------------------------------

Guideline: vSphere-5.0-vm-disable-unexposed-features-unitypush
ID: disable-unexposed-features-unitypush
Product: vSphere   Version: 5.0   Component: Virtual Machines   Subcomponent: Monitor
Title: Disable certain unexposed features.
Vulnerability Discussion: Same as disable-unexposed-features-autologon above.
Control Type: Parameter
Assessment Procedure: Check the virtual machine configuration file and verify that isolation.tools.unity.push.update.disable is set to TRUE.
Configuration File: VMX
Configuration Parameter: isolation.tools.unity.push.update.disable
Desired Value: TRUE
Change Type: Modify
Is desired value the default? NO
vSphere API: http://pubs.vmware.com/vsphere50/index.jsp?topic=/com.vmware.wssdk.apiref.doc_50/vim.option.OptionValue.html
ESXi Shell Command Assessment: grep -i "isolation.tools.unity.push.update.disable" [VMX]
ESXi Shell Command Remediation: N/A
vCLI Command Assessment: vmware-cmd --server [SERVER] --username [USERNAME] --password [PASSWORD] /vmfs/volumes/[DATASTORE]/[VM]/[VM].vmx getguestinfo isolation.tools.unity.push.update.disable
vCLI Command Remediation: N/A
PowerCLI Command Assessment:
    # In this Example you will need to add the functions from this post: http://communities.vmware.com/docs/DOC18653
    # List the VMs and their current settings
    Get-VM | Select Name, @{N="Setting";E={($_ | Get-VMAdvancedConfiguration -key "isolation.tools.unity.push.update.disable").Value }}
PowerCLI Command Remediation:
    # In this Example you will need to add the functions from this post: http://communities.vmware.com/docs/DOC18653
    # Add the setting to all VMs
    Get-VM | Set-VMAdvancedConfiguration -key "isolation.tools.unity.push.update.disable" -value $true

----------------------------------------------------------------------

Guideline: vSphere-5.0-vm-disconnect-devices-floppy
ID: disconnect-devices-floppy
Product: vSphere   Version: 5.0   Component: Virtual Machines   Subcomponent: Device
Title: Disconnect unauthorized devices
Vulnerability Discussion: Besides disabling unnecessary virtual devices from within the virtual machine, you should ensure that no device is connected to a virtual machine if it is not required to be there. For example, serial and parallel ports are rarely used for virtual machines in a datacenter environment, and CD/DVD drives are usually connected only temporarily during software installation. For less commonly used devices that are not required, either the parameter should not be present or its value must be FALSE. NOTE: The parameters listed are not sufficient to ensure that a device is usable; other parameters are required to indicate specifically how each device is instantiated. Any enabled or connected device represents another potential attack channel.
Profile: 1,2
Control Type: Parameter
Assessment Procedure: The following parameters should either NOT be present or should be set to FALSE, unless floppy drives are required: floppyX.present
Configuration File: VMX
Configuration Parameter: floppyX.present
Desired Value: not present or FALSE
Change Type: remove, modify
Is desired value the default? NO
vSphere API: http://pubs.vmware.com/vsphere50/index.jsp?topic=/com.vmware.wssdk.apiref.doc_50/vim.vm.device.VirtualDevice.html
ESXi Shell Command Assessment: grep -i "^floppy[0-9]*.present" [VMX]
ESXi Shell Command Remediation: N/A
vCLI Command Assessment:
    1. vifs --server [SERVER] --username [USERNAME] --password [PASSWORD] -g "[DATASTORE] VM/VM.vmx" VM.vmx
    2. grep -i "^floppy[0-9]*.present" [VMX]
vCLI Command Remediation: N/A
PowerCLI Command Assessment:
    # Check for Floppy Devices attached to VMs
    Get-VM | Get-FloppyDrive | Select Parent, Name, ConnectionState
PowerCLI Command Remediation:
    # Remove all Floppy drives attached to VMs
    Get-VM | Get-FloppyDrive | Remove-FloppyDrive
Negative Functional Impact: Virtual machine will need to be powered off to reverse the change if any of these devices are needed at a later time.

----------------------------------------------------------------------

Guideline: vSphere-5.0-vm-disconnect-devices-ide
ID: disconnect-devices-ide
Product: vSphere   Version: 5.0   Component: Virtual Machines   Subcomponent: Device
Title: Disconnect unauthorized devices
Vulnerability Discussion: Same as disconnect-devices-floppy above.
Profile: 1,2
Control Type: Parameter
Assessment Procedure: The following parameters should either NOT be present or should be set to FALSE, unless a CD-ROM is required: ideX:Y.present
Configuration File: VMX
Configuration Parameter: ideX:Y.present
Desired Value: not present or FALSE
Change Type: remove, modify
Is desired value the default? NO
vSphere API: http://pubs.vmware.com/vsphere50/index.jsp?topic=/com.vmware.wssdk.apiref.doc_50/vim.vm.device.VirtualDevice.html
ESXi Shell Command Assessment: grep -i "^ide[0-9]*:[0-9]*.present" [VMX]
ESXi Shell Command Remediation: N/A
vCLI Command Assessment:
    1. vifs --server [SERVER] --username [USERNAME] --password [PASSWORD] -g "[DATASTORE] VM/VM.vmx" VM.vmx
    2. grep -i "^ide[0-9]*:[0-9]*.present" [VMX]
vCLI Command Remediation: N/A
PowerCLI Command Assessment:
    # Check for CD/DVD Drives attached to VMs
    Get-VM | Get-CDDrive
PowerCLI Command Remediation:
    # Remove all CD/DVD Drives attached to VMs
    Get-VM | Get-CDDrive | Remove-CDDrive
Negative Functional Impact: Virtual machine will need to be powered off to reverse the change if any of these devices are needed at a later time.

----------------------------------------------------------------------

Guideline: vSphere-5.0-vm-disconnect-devices-parallel
ID: disconnect-devices-parallel
Product: vSphere   Version: 5.0   Component: Virtual Machines   Subcomponent: Device
Title: Disconnect unauthorized devices
Vulnerability Discussion: Same as disconnect-devices-floppy above.
Profile: 1,2
Control Type: Parameter
Assessment Procedure: The following parameters should either NOT be present or should be set to FALSE, unless parallel ports are required: parallelX.present
Configuration File: VMX
Configuration Parameter: parallelX.present
Desired Value: not present or FALSE
Change Type: remove, modify
Is desired value the default? NO
vSphere API: http://pubs.vmware.com/vsphere50/index.jsp?topic=/com.vmware.wssdk.apiref.doc_50/vim.vm.device.VirtualDevice.html
ESXi Shell Command Assessment: grep -i "^parallel[0-9]*.present" [VMX]
ESXi Shell Command Remediation: N/A
vCLI Command Assessment:
    1. vifs --server [SERVER] --username [USERNAME] --password [PASSWORD] -g "[DATASTORE] VM/VM.vmx" VM.vmx
    2. grep -i "^parallel[0-9]*.present" [VMX]
vCLI Command Remediation: N/A
PowerCLI Command Assessment:
    # In this Example you will need to add the functions from this post: http://blogs.vmware.com/vipowershell/2012/05/working-with-vm-devices-in-powercli.html
    # Check for Parallel ports attached to VMs
    Get-VM | Get-ParallelPort
PowerCLI Command Remediation:
    # In this Example you will need to add the functions from this post: http://blogs.vmware.com/vipowershell/2012/05/working-with-vm-devices-in-powercli.html
    # Remove all Parallel Ports attached to VMs
    Get-VM | Get-ParallelPort | Remove-ParallelPort
Negative Functional Impact: Virtual machine will need to be powered off to reverse the change if any of these devices are needed at a later time.

----------------------------------------------------------------------

Guideline: vSphere-5.0-vm-disconnect-devices-serial
ID: disconnect-devices-serial
Product: vSphere   Version: 5.0   Component: Virtual Machines   Subcomponent: Device
Title: Disconnect unauthorized devices
Vulnerability Discussion: Same as disconnect-devices-floppy above.
Profile: 1,2
Control Type: Parameter
Assessment Procedure: The following parameters should either NOT be present or should be set to FALSE, unless serial ports are required: serialX.present
Configuration File: VMX
Configuration Parameter: serialX.present
Desired Value: not present or FALSE
Change Type: remove, modify
Is desired value the default? NO
vSphere API: http://pubs.vmware.com/vsphere50/index.jsp?topic=/com.vmware.wssdk.apiref.doc_50/vim.vm.device.VirtualDevice.html
ESXi Shell Command Assessment: grep -i "^serial[0-9]*.present" [VMX]
ESXi Shell Command Remediation: N/A
vCLI Command Assessment:
    1. vifs --server [SERVER] --username [USERNAME] --password [PASSWORD] -g "[DATASTORE] VM/VM.vmx" VM.vmx
    2. grep -i "^serial[0-9]*.present" [VMX]
vCLI Command Remediation: N/A
PowerCLI Command Assessment:
    # In this Example you will need to add the functions from this post: http://blogs.vmware.com/vipowershell/2012/05/working-with-vm-devices-in-powercli.html
    # Check for Serial ports attached to VMs
    Get-VM | Get-SerialPort
PowerCLI Command Remediation:
    # In this Example you will need to add the functions from this post: http://blogs.vmware.com/vipowershell/2012/05/working-with-vm-devices-in-powercli.html
    # Remove all Serial Ports attached to VMs
    Get-VM | Get-SerialPort | Remove-SerialPort
Negative Functional Impact: Virtual machine will need to be powered off to reverse the change if any of these devices are needed at a later time.

----------------------------------------------------------------------

Guideline: vSphere-5.0-vm-disconnect-devices-usb
ID: disconnect-devices-usb
Product: vSphere   Version: 5.0   Component: Virtual Machines   Subcomponent: Device
Title: Disconnect unauthorized devices
Vulnerability Discussion: Same as disconnect-devices-floppy above.
Profile: 1,2
Control Type: Parameter
Assessment Procedure: The following parameters should either NOT be present or should be set to FALSE, unless USB controllers are required: usb.present
Configuration File: VMX
Configuration Parameter: usb.present
Desired Value: not present or FALSE
Change Type: remove, modify
Is desired value the default? NO
vSphere API: http://pubs.vmware.com/vsphere50/index.jsp?topic=/com.vmware.wssdk.apiref.doc_50/vim.vm.device.VirtualDevice.html
ESXi Shell Command Assessment: grep -i "^usb[0-9]*.present" [VMX]
ESXi Shell Command Remediation: N/A
vCLI Command Assessment:
    1. vifs --server [SERVER] --username [USERNAME] --password [PASSWORD] -g "[DATASTORE] VM/VM.vmx" VM.vmx
    2. grep -i "^usb[0-9]*.present" [VMX]
vCLI Command Remediation: N/A
PowerCLI Command Assessment:
    # Check for USB Devices attached to VMs
    Get-VM | Get-USBDevice
PowerCLI Command Remediation:
    # Remove all USB Devices attached to VMs
    Get-VM | Get-USBDevice | Remove-USBDevice
Negative Functional Impact: Virtual machine will need to be powered off to reverse the change if any of these devices are needed at a later time.

----------------------------------------------------------------------

Guideline: vSphere-5.0-vm-limit-console-connections-one
ID: limit-console-connections-one
Product: vSphere   Version: 5.0   Component: Virtual Machines   Subcomponent: Communication
Title: Limit sharing of console connections
Vulnerability Discussion: By default, remote console sessions can be connected to by more than one user at a time. When multiple sessions are activated, each terminal window gets a notification about the new session. If an administrator in the VM logs in using a VMware remote console during their session, a nonadministrator in the VM might connect to the console and observe the administrator's actions. Also, this could result in an administrator losing console access to a virtual machine. For example, if a jump box is being used for an open console session, and the admin loses connection to that box, then the console session remains open. Allowing two console sessions permits debugging via a shared session. For highest security, only one remote console session at a time should be allowed.
Profile: 1,2
Control Type: Parameter
Assessment Procedure: Check the virtual machine configuration file and verify that RemoteDisplay.maxConnections is set to 1.
Configuration File: VMX
Configuration Parameter: RemoteDisplay.maxConnections
Desired Value: 1
Change Type: modify
Is desired value the default? NO
vSphere API: http://pubs.vmware.com/vsphere50/index.jsp?topic=/com.vmware.wssdk.apiref.doc_50/vim.option.OptionValue.html
ESXi Shell Command Assessment: grep -i "RemoteDisplay.maxConnections" [VMX]
ESXi Shell Command Remediation: N/A
vCLI Command Assessment: vmware-cmd --server [SERVER] --username [USERNAME] --password [PASSWORD] /vmfs/volumes/[DATASTORE]/[VM]/[VM].vmx getguestinfo RemoteDisplay.maxConnections
vCLI Command Remediation: N/A
PowerCLI Command Assessment:
    # In this Example you will need to add the functions from this post: http://communities.vmware.com/docs/DOC18653
    # List the VMs and their current settings
    Get-VM | Select Name, @{N="Setting";E={($_ | Get-VMAdvancedConfiguration -key "RemoteDisplay.maxConnections").Value }}

----------------------------------------------------------------------

Guideline: vSphere-5.0-vm-limit-console-connections-two
ID: limit-console-connections-two
Product: vSphere   Version: 5.0   Component: Virtual Machines   Subcomponent: Communication
Title: Limit sharing of console connections
Vulnerability Discussion: Same as limit-console-connections-one above.
Control Type: Parameter
Assessment Procedure: Check the virtual machine configuration file and verify that RemoteDisplay.maxConnections is set to 2.
Configuration File: VMX
Configuration Parameter: RemoteDisplay.maxConnections
Desired Value: 2
Change Type: modify
Is desired value the default? NO
vSphere API: http://pubs.vmware.com/vsphere50/index.jsp?topic=/com.vmware.wssdk.apiref.doc_50/vim.option.OptionValue.html
ESXi Shell Command Assessment: grep -i "RemoteDisplay.maxConnections" [VMX]
ESXi Shell Command Remediation: N/A
vCLI Command Assessment: vmware-cmd --server [SERVER] --username [USERNAME] --password [PASSWORD] /vmfs/volumes/[DATASTORE]/[VM]/[VM].vmx getguestinfo RemoteDisplay.maxConnections
vCLI Command Remediation: N/A
PowerCLI Command Assessment:
    # In this Example you will need to add the functions from this post: http://communities.vmware.com/docs/DOC18653
    # List the VMs and their current settings
    Get-VM | Select Name, @{N="Setting";E={($_ | Get-VMAdvancedConfiguration -key "RemoteDisplay.maxConnections").Value }}

----------------------------------------------------------------------

Guideline: vSphere-5.0-vm-prevent-device-interaction-connect
ID: prevent-device-interaction-connect
Product: vSphere   Version: 5.0   Component: Virtual Machines   Subcomponent: Device
Title: Prevent unauthorized removal, connection and modification of devices.
Vulnerability Discussion: Normal users and processes, that is, users and processes without root or administrator privileges, within virtual machines have the capability to connect or disconnect devices, such as network adaptors and CD-ROM drives, as well as the ability to modify device settings. In general, you should use the virtual machine settings editor or configuration editor to remove any unneeded or unused hardware devices. However, you might want to use the device again, so removing it is not always a good solution. In that case, you can prevent a user or running process in the virtual machine from connecting or disconnecting a device from within the guest operating system, as well as modifying devices, by adding the following parameters. By default, a rogue user with nonadministrator privileges in a virtual machine can:
- Connect a disconnected CD-ROM drive and access sensitive information on the media left in the drive
- Disconnect a network adaptor to isolate the virtual machine from its network, which is a denial of service
Profile: 1,2,3
Control Type: Parameter
Assessment Procedure: Check the virtual machine configuration file and verify that isolation.device.connectable.disable is set to TRUE.
Configuration File: VMX
Configuration Parameter: isolation.device.connectable.disable
Desired Value: TRUE
Change Type: Modify
Is desired value the default? NO
vSphere API: http://pubs.vmware.com/vsphere50/index.jsp?topic=/com.vmware.wssdk.apiref.doc_50/vim.option.OptionValue.html
ESXi Shell Command Assessment: grep -i "isolation.device.connectable.disable" [VMX]
ESXi Shell Command Remediation: N/A
vCLI Command Assessment: vmware-cmd --server [SERVER] --username [USERNAME] --password [PASSWORD] /vmfs/volumes/[DATASTORE]/[VM]/[VM].vmx getguestinfo isolation.device.connectable.disable
vCLI Command Remediation: N/A
PowerCLI Command Assessment:
    # In this Example you will need to add the functions from this post: http://communities.vmware.com/docs/DOC18653
    # List the VMs and their current settings
    Get-VM | Select Name, @{N="Setting";E={($_ | Get-VMAdvancedConfiguration -key "isolation.device.connectable.disable").Value }}

----------------------------------------------------------------------

Guideline: vSphere-5.0-vm-prevent-device-interaction-edit
ID: prevent-device-interaction-edit
Product: vSphere   Version: 5.0   Component: Virtual Machines   Subcomponent: Device
Title: Prevent unauthorized removal, connection and modification of devices.
Vulnerability Discussion: Same as prevent-device-interaction-connect above.
Profile: 1,2,3
Control Type: Parameter
Assessment Procedure: Check the virtual machine configuration file and verify that isolation.device.edit.disable is set to TRUE.
Configuration File: VMX
Configuration Parameter: isolation.device.edit.disable
Desired Value: TRUE
Change Type: Modify
Is desired value the default? NO
vSphere API: http://pubs.vmware.com/vsphere50/index.jsp?topic=/com.vmware.wssdk.apiref.doc_50/vim.option.OptionValue.html
ESXi Shell Command Assessment: grep -i "isolation.device.edit.disable" [VMX]
ESXi Shell Command Remediation: N/A
vCLI Command Assessment: vmware-cmd --server [SERVER] --username [USERNAME] --password [PASSWORD] /vmfs/volumes/[DATASTORE]/[VM]/[VM].vmx getguestinfo isolation.device.edit.disable
vCLI Command Remediation: N/A
PowerCLI Command Assessment:
    # In this Example you will need to add the functions from this post: http://communities.vmware.com/docs/DOC18653
    # List the VMs and their current settings
    Get-VM | Select Name, @{N="Setting";E={($_ | Get-VMAdvancedConfiguration -key "isolation.device.edit.disable").Value }}

----------------------------------------------------------------------

Guideline: vSphere-5.0-vm-restrict-host-info
ID: restrict-host-info
Product: vSphere   Version: 5.0   Component: Virtual Machines   Subcomponent: Tools
Title: Do not send host information to guests.
Vulnerability Discussion: If enabled, a VM can obtain detailed information about the physical host. The default value for the parameter is FALSE. This setting should not be TRUE unless a particular VM requires this information for performance monitoring. An adversary potentially can use this information to inform further attacks on the host.
Profile: 1,2
Control Type: Parameter
Assessment Procedure: Check the virtual machine configuration file and verify that tools.guestlib.enableHostInfo is set to FALSE.
Configuration File: VMX
Configuration Parameter: tools.guestlib.enableHostInfo
Desired Value: FALSE
Change Type: Modify
Is desired value the default? NO
vSphere API: http://pubs.vmware.com/vsphere50/index.jsp?topic=/com.vmware.wssdk.apiref.doc_50/vim.option.OptionValue.html
ESXi Shell Command Assessment: grep -i "tools.guestlib.enableHostInfo" [VMX]
ESXi Shell Command Remediation: N/A
vCLI Command Assessment: vmware-cmd --server [SERVER] --username [USERNAME] --password [PASSWORD] /vmfs/volumes/[DATASTORE]/[VM]/[VM].vmx getguestinfo tools.guestlib.enableHostInfo
vCLI Command Remediation: N/A
PowerCLI Command Assessment:
    # In this Example you will need to add the functions from this post: http://communities.vmware.com/docs/DOC18653
    # List the VMs and their current settings
    Get-VM | Select Name, @{N="Setting";E={($_ | Get-VMAdvancedConfiguration -key "tools.guestlib.enableHostInfo").Value }}

# In this Example you will need to add the functions from this post: http://communities.vmware.com/docs/DOC18653 # Add the setting to all VMs Get-VM | Set-VMAdvancedConfiguration -key "RemoteDisplay.maxConnections" -value 1 Only one remote console connection to the VM will be permitted. Other attempts will be rejected until the first session disconnects. # In this Example you will need to add the functions from this post: http://communities.vmware.com/docs/DOC18653 # Add the setting to all VMs Get-VM | Set-VMAdvancedConfiguration -key Only two remote console connections to the VM will be permitted. Other attempts will be "RemoteDisplay.maxConnections" -value 2 rejected until the one session disconnects. This still allows sharing but keeps the amount of connections limited # In this Example you will need to add the functions from this post: http://communities.vmware.com/docs/DOC18653 # Add the setting to all VMs Get-VM | Set-VMAdvancedConfiguration -key "isolation.device.connectable.disable" -value $true Device interaction is blocked inside the guest OS using VMware tools # In this Example you will need to add the functions from this post: http://communities.vmware.com/docs/DOC18653 # Add the setting to all VMs Get-VM | Set-VMAdvancedConfiguration -key "isolation.device.edit.disable" -value $true Device interaction is blocked inside the guest OS using VMware tools

# In this Example you will need to add the functions from this post: http://communities.vmware.com/docs/DOC18653 # Add the setting to all VMs Get-VM | Set-VMAdvancedConfiguration -key Unable to retrieve performance information "tools.guestlib.enableHostInfo" -value $false about the host from inside the guest, there are times when this can be useful for troubleshooting.
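The advanced settings written by the remediation commands above are stored as key/value pairs in each virtual machine's .vmx file, so a VM can also be audited from a copy of that file. The POSIX shell script below is an added example, not part of the hardening guide or of PowerCLI: it reads a constructed sample .vmx, compares the keys set in the remediation column against the values that column prescribes (RemoteDisplay.maxConnections is checked against 1, the stricter of the two options; tools.guestlib.enableHostInfo against FALSE, as in the disable-host-info remediation), and reports keys that are missing or hold another value. The sample .vmx content and the helper names vmx_get, vmx_audit and vmx_failures are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit a .vmx file for the advanced settings that the
# PowerCLI remediation commands in this guide set. Not part of the guide.

# Constructed sample .vmx (not a real VM). Two keys carry the wrong value
# and one (isolation.tools.unity.push.update.disable) is missing.
SAMPLE_VMX=$(mktemp)
cat > "$SAMPLE_VMX" <<'EOF'
.encoding = "UTF-8"
config.version = "8"
displayName = "hardening-demo"
RemoteDisplay.maxConnections = "1"
isolation.device.connectable.disable = "TRUE"
isolation.device.edit.disable = "FALSE"
tools.guestlib.enableHostInfo = "TRUE"
isolation.tools.autoInstall.disable = "TRUE"
isolation.tools.ghi.autologon.disable = "TRUE"
isolation.bios.bbs.disable = "TRUE"
isolation.tools.getCreds.disable = "TRUE"
isolation.tools.ghi.launchmenu.change = "TRUE"
isolation.tools.memSchedFakeSampleStats.disable = "TRUE"
EOF

# Desired values taken from the remediation column (key=value, one per line).
DESIRED='RemoteDisplay.maxConnections=1
isolation.device.connectable.disable=TRUE
isolation.device.edit.disable=TRUE
tools.guestlib.enableHostInfo=FALSE
isolation.tools.autoInstall.disable=TRUE
isolation.tools.ghi.autologon.disable=TRUE
isolation.bios.bbs.disable=TRUE
isolation.tools.getCreds.disable=TRUE
isolation.tools.ghi.launchmenu.change=TRUE
isolation.tools.memSchedFakeSampleStats.disable=TRUE
isolation.tools.unity.push.update.disable=TRUE'

# vmx_get FILE KEY: print the value of KEY without quotes; empty if absent.
# Keys are matched case-insensitively, as the .vmx format is.
vmx_get() {
    awk -v k="$2" -F' *= *' '
        { sub(/^[ \t]+/, "", $1) }
        tolower($1) == tolower(k) { v = $2; gsub(/"/, "", v); print v; exit }
    ' "$1"
}

# vmx_audit FILE: print one PASS/FAIL line per desired key; always returns 0.
vmx_audit() {
    for entry in $DESIRED; do
        key=${entry%%=*}
        want=${entry#*=}
        have=$(vmx_get "$1" "$key")
        have_lc=$(printf '%s' "$have" | tr 'A-Z' 'a-z')
        want_lc=$(printf '%s' "$want" | tr 'A-Z' 'a-z')
        if [ -z "$have" ]; then
            echo "FAIL $key is not set (want $want)"
        elif [ "$have_lc" = "$want_lc" ]; then
            echo "PASS $key = $have"
        else
            echo "FAIL $key = $have (want $want)"
        fi
    done
    return 0
}

# vmx_failures FILE: print the number of missing or non-compliant keys.
vmx_failures() {
    vmx_audit "$1" | awk '/^FAIL/ { n++ } END { print n + 0 }'
}

vmx_audit "$SAMPLE_VMX"
echo "non-compliant settings: $(vmx_failures "$SAMPLE_VMX")"
```

Point vmx_audit at a .vmx copied from a datastore (or at the output of a PowerCLI export) and a non-zero vmx_failures count identifies VMs that still need the remediation commands; the DESIRED list is the single place to adjust when a site chooses the two-connection variant of RemoteDisplay.maxConnections.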

Reference

ID                                  Product   Version   Component   Subcomponent
apply-patches                       vSphere   5.0       ESXi        Install
config-firewall-access              vSphere   5.0       ESXi        Communication
config-ntp                          vSphere   5.0       ESXi        Communication
config-persistent-logs              vSphere   5.0       ESXi        Logging
config-snmp                         vSphere   5.0       ESXi        Communication
disable-dcui                        vSphere   5.0       ESXi        Console
disable-esxi-shell                  vSphere   5.0       ESXi        Console
disable-mob                         vSphere   5.0       ESXi        Communication
disable-ssh                         vSphere   5.0       ESXi        Console
enable-ad-auth                      vSphere   5.0       ESXi        Access
enable-auth-proxy                   vSphere   5.0       ESXi        Communication
enable-chap-auth                    vSphere   5.0       ESXi        Storage
enable-lockdown-mode                vSphere   5.0       ESXi        Console
enable-nfc-ssl                      vSphere   5.0       ESXi        Communication
enable-remote-syslog                vSphere   5.0       ESXi        Logging
esxi-no-self-signed-certs           vSphere   5.0       ESXi        Communication
limit-cim-access                    vSphere   5.0       ESXi        Console
mask-zone-san                       vSphere   5.0       ESXi        Storage
remove-authorized-keys              vSphere   5.0       ESXi        Console
set-password-complexity             vSphere   5.0       ESXi        Access
set-shell-timeout                   vSphere   5.0       ESXi        Console
unique-chap-secrets                 vSphere   5.0       ESXi        Storage
verify-acceptance-level-accepted    vSphere   5.0       ESXi        Install
verify-acceptance-level-certified   vSphere   5.0       ESXi        Install
verify-acceptance-level-supported   vSphere   5.0       ESXi        Install
verify-admin-group                  vSphere   5.0       ESXi        Access
verify-config-files                 vSphere   5.0       ESXi        Console
verify-dvfilter-bind                vSphere   5.0       ESXi        Communication
verify-install-media                vSphere   5.0       ESXi        Install
verify-kernel-modules               vSphere   5.0       ESXi        Install
vmdk-zero-out                       vSphere   5.0       ESXi        Storage
vpxuser-password-age                vSphere   5.0       ESXi        Access
vpxuser-password-length             vSphere   5.0       ESXi        Access

Title

apply-patches: Keep ESXi system properly patched.
config-firewall-access: Configure the ESXi host firewall to restrict access to services running on the host.
config-ntp: Configure NTP time synchronization.
config-persistent-logs: Configure persistent logging for all ESXi hosts.
config-snmp: Ensure proper SNMP configuration.
disable-dcui: Disable DCUI to prevent local administrative control.
disable-esxi-shell: Disable ESXi Shell unless needed for diagnostics or troubleshooting.
disable-mob: Disable Managed Object Browser (MOB).
disable-ssh: Disable SSH.
enable-ad-auth: Use Active Directory for local user authentication.
enable-auth-proxy: When adding ESXi hosts to Active Directory, use the vSphere Authentication Proxy to protect passwords.
enable-chap-auth: Enable bidirectional CHAP authentication for iSCSI traffic.
enable-lockdown-mode: Enable lockdown mode to restrict remote access.
enable-nfc-ssl: Enable SSL for NFC.
enable-remote-syslog: Configure remote logging for ESXi hosts.
esxi-no-self-signed-certs: Do not use default self-signed certificates for ESXi communication.
limit-cim-access: Do not provide root/administrator level access to CIM-based hardware monitoring tools or other 3rd party applications.
mask-zone-san: Mask and zone SAN resources appropriately.
remove-authorized-keys: Remove keys from the SSH authorized_keys file.
set-password-complexity: Establish a password policy for password complexity.
set-shell-timeout: Set a timeout for the ESXi Shell to automatically disable idle sessions after a predetermined period.
unique-chap-secrets: Ensure uniqueness of CHAP authentication secrets.
verify-acceptance-level-accepted: Verify Image Profile and VIB Acceptance Levels.
verify-acceptance-level-certified: Verify Image Profile and VIB Acceptance Levels.
verify-acceptance-level-supported: Verify Image Profile and VIB Acceptance Levels.
verify-admin-group: Verify Active Directory "ESX Admins" group membership.
verify-config-files: Verify contents of exposed configuration files.
verify-dvfilter-bind: Prevent unintended use of dvfilter network APIs.
verify-install-media: Verify the integrity of the installation media before installing ESXi.
verify-kernel-modules: Verify no unauthorized kernel modules are loaded on the host.
vmdk-zero-out: Zero out VMDK files prior to deletion.
vpxuser-password-age: Ensure that vpxuser auto-password change meets policy.
vpxuser-password-length: Ensure that vpxuser password meets length policy.

Vulnerability Discussion / Profile / Control Type

apply-patches (Profile: 1,2,3; Control Type: Operational)
By staying up to date on ESXi patches, vulnerabilities in the hypervisor can be mitigated. An educated attacker can exploit known vulnerabilities when attempting to attain access or elevate privileges on an ESXi host.

config-firewall-access (Profile: 1,2,3; Control Type: Configuration)
Unrestricted access to services running on an ESXi host can expose the host to outside attacks and unauthorized access. Reduce the risk by configuring the ESXi firewall to allow access only from authorized networks.

config-ntp (Profile: 1,2,3; Control Type: Parameter)
By ensuring that all systems use the same relative time source (including the relevant localization offset), and that the relative time source can be correlated to an agreed-upon time standard (such as Coordinated Universal Time, UTC), you can make it simpler to track and correlate an intruder's actions when reviewing the relevant log files. Incorrect time settings can make it difficult to inspect and correlate log files to detect attacks, and can make auditing inaccurate.

config-persistent-logs (Profile: 1,2,3; Control Type: Parameter)
ESXi can be configured to store log files on an in-memory file system. This occurs when the host's "/scratch" directory is linked to "/tmp/scratch". When this is done only a single day's worth of logs are stored at any time; in addition, log files will be reinitialized upon each reboot. This presents a security risk, as user activity logged on the host is only stored temporarily and will not persist across reboots. This can also complicate auditing and make it harder to monitor events and diagnose issues. ESXi host logging should always be configured to a persistent datastore.

config-snmp (Profile: 1,2,3; Control Type: Parameter)
If SNMP is not being used, it should remain disabled. If it is being used, the proper trap destination should be configured. If SNMP is not properly configured, monitoring information can be sent to a malicious host that can then use this information to plan an attack.

disable-dcui (Profile: 1; Control Type: Parameter)
The DCUI allows for low-level host configuration such as configuring IP address, hostname and root password, as well as diagnostic capabilities such as enabling the ESXi shell, viewing log files, restarting agents, and resetting configurations. Actions performed from the DCUI are not tracked by vCenter Server. Even if Lockdown Mode is enabled, someone with the root password can perform administrative tasks in the DCUI, bypassing the RBAC and auditing controls provided through vCenter. DCUI access can be disabled. Disabling it prevents all local activity and thus forces actions to be performed in vCenter Server, where they can be centrally audited and monitored.

disable-esxi-shell (Profile: 1,2,3; Control Type: Parameter)
ESXi Shell is an interactive command line environment available from the DCUI or remotely via SSH. Access to this mode requires the root password of the server. The ESXi Shell can be turned on and off for individual hosts. Activities performed from the ESXi Shell bypass vCenter RBAC and audit controls. The ESXi Shell should only be turned on when needed to troubleshoot or resolve problems that cannot be fixed through the vSphere Client or vCLI/PowerCLI.

disable-mob (Profile: 1,2,3; Control Type: Parameter)
The managed object browser (MOB) provides a way to explore the object model used by the VMkernel to manage the host; it enables configurations to be changed as well. This interface is meant to be used primarily for debugging the vSphere SDK, but because there are no access controls it could also be used as a method to obtain information about a host being targeted for unauthorized access.

disable-ssh (Profile: 1,2,3; Control Type: Parameter)
The ESXi Shell is an interactive command line environment available on the console of the ESXi server. The shell can be accessed directly from the host console through the DCUI or remotely using SSH. Remote access to the host should be limited to the vSphere Client, remote command-line tools (vCLI/PowerCLI), and the published APIs. Under normal circumstances remote access to the host using SSH should be disabled.

enable-ad-auth (Profile: 1,2,3; Control Type: Configuration)
Creating local user accounts on each host presents challenges with having to synchronize account names and passwords across multiple hosts. Join ESXi hosts to an Active Directory domain to eliminate the need to create and maintain local user accounts. Using Active Directory for user authentication simplifies the ESXi host configuration and reduces the risk of configuration issues that could lead to unauthorized access. Note that when adding ESXi hosts to Active Directory, if the group "ESX Admins" exists, all user/group accounts assigned to the group will have full administrative access to the host. If full admin access is not desired, refer to http://kb.vmware.com/kb/1025569.

enable-auth-proxy (Profile: 1,2,3; Control Type: Parameter)
If you configure your host to join an Active Directory domain using host profiles, the passwords used to authenticate the host are not protected. To avoid transmitting clear text passwords, use the vSphere Authentication Proxy to configure hosts in Active Directory.

enable-chap-auth (Profile: 1,2,3; Control Type: Parameter)
vSphere allows for the use of bidirectional authentication of both the iSCSI target and host. Choosing not to enforce more stringent authentication can make sense if you create a dedicated network or VLAN to service all your iSCSI devices. By not authenticating both the iSCSI target and host, there is a potential for a MiTM attack in which an attacker might impersonate either side of the connection to steal data. Bidirectional authentication can mitigate this risk. If the iSCSI facility is isolated from general network traffic, it is less vulnerable to exploitation.

enable-lockdown-mode (Profile: 1,2,3; Control Type: Parameter)
Enabling lockdown prevents all API-based access by all accounts to the ESXi host. This includes the vSphere Client, vCLI, PowerCLI, and any API-based client. Enabling lockdown mode disables all remote access to ESXi 5.0 machines. Any subsequent local changes to the host must be made either using the DCUI, or in a vSphere Client session or with vCLI commands directed at vCenter Server. There are some operations, such as backup and troubleshooting, that require direct access to the host. In these cases Lockdown Mode can be disabled on a temporary basis for specific hosts as needed, and then re-enabled when the task is completed. Lockdown restricts access to the ESXi console to the root user only, requiring non-root users to access the host through vCenter, where RBAC and logging can be used to restrict and log activity. By forcing all interaction to occur through vCenter Server, the risk of someone inadvertently attaining elevated privileges or performing tasks that are not properly audited is greatly reduced. Note: Lockdown mode does not apply to root users who log in using authorized keys. When you use an authorized key file for root user authentication, root users are not prevented from accessing a host with SSH even when the host is in lockdown mode.

enable-nfc-ssl (Profile: 1; Control Type: Parameter)
NFC (Network File Copy) is the name of the mechanism used to migrate or clone a VM between two ESXi hosts over the network. By default, SSL is used only for the authentication of the transfer, but if desired, SSL can also be enabled on the data transfer. Without this setting VM contents could potentially be sniffed if the management network is not adequately isolated and secured.

enable-remote-syslog (Profile: 1,2,3; Control Type: Parameter)
Remote logging to a central log host provides a secure, centralized store for ESXi logs. By gathering host log files onto a central host you can more easily monitor all hosts with a single tool. You can also do aggregate analysis and searching to look for such things as coordinated attacks on multiple hosts. Logging to a secure, centralized log server also helps prevent log tampering and provides a long-term audit record. To facilitate remote logging, VMware provides the vSphere Syslog Collector.

esxi-no-self-signed-certs (Profile: 1,2,3; Control Type: Configuration)
Using the default self-signed certificates leaves the SSL connection open to Man-in-The-Middle (MiTM) attacks. Replace default self-signed certificates with those from a trusted CA, either commercial or organizational.

limit-cim-access (Profile: 1,2,3; Control Type: Operational)
The CIM system provides an interface that enables hardware-level management from remote applications via a set of standard APIs. To ensure that the CIM interface remains secure, only provide the minimum access necessary to these applications. Do not provision CIM and other 3rd party tools to run as root or another administrator account. Instead, use a dedicated service account with a limited privilege set. If CIM or other 3rd party tools are granted administrator level access they could potentially become a back door and compromise the security of the host. Note: due to a limitation in vSphere 5.0, configuring "read only" access to the CIM interface requires that "read only" CIM accounts be placed into the "root" group. This limitation will be removed in a future ESXi release.

mask-zone-san (Profile: 1,2,3; Control Type: Operational)
You should use zoning and LUN masking to segregate SAN activity. For example, you manage zones defined for testing independently within the SAN so they do not interfere with activity in the production zones. Similarly, you can set up different zones for different departments. Zoning must take into account any host groups that have been set up on the SAN device.

remove-authorized-keys (Profile: 1,2,3; Control Type: Configuration)
ESXi hosts come with SSH, which can be enabled to allow remote access without requiring user authentication. To enable password-free access, copy the remote user's public key into the "/etc/ssh/keys-root/authorized_keys" file on the ESXi host. The presence of the remote user's public key in the "authorized_keys" file identifies the user as trusted, meaning the user is granted access to the host without providing a password. Note: Lockdown mode does not apply to root users who log in using authorized keys. When you use an authorized key file for root user authentication, root users are not prevented from accessing a host with SSH even when the host is in lockdown mode.

set-password-complexity (Profile: 1,2,3; Control Type: Parameter)
ESXi uses the pam_passwdqc.so plug-in to set rules that users must observe when creating passwords and to check password strength. It is important to use passwords that are not easily guessed and that are difficult for automated password-guessing tools to determine.

set-shell-timeout (Profile: 1,2,3; Control Type: Parameter)
If the ESXi Shell is enabled on the host and a user forgets to log out of their SSH session, the idle connection will remain indefinitely, increasing the potential for someone to gain privileged access to the host.

unique-chap-secrets (Profile: 1,2,3; Control Type: Parameter)
The mutual authentication secret for each host should be different; if possible, the secret should be different for each client authenticating to the server as well. This ensures that if a single host is compromised, an attacker cannot create another arbitrary host and authenticate to the storage device. With a single shared secret, compromise of one host can allow an attacker to authenticate to the storage device.

verify-acceptance-level-accepted (Profile: 2; Control Type: Parameter)
Verify the ESXi Image Profile to only allow signed VIBs. An unsigned VIB represents untested code installed on an ESXi host. The ESXi Image Profile supports four acceptance levels: (1) VMwareCertified - VIBs created, tested and signed by VMware; (2) VMwareAccepted - VIBs created by a VMware partner but tested and signed by VMware; (3) PartnerSupported - VIBs created, tested and signed by a certified VMware partner; and (4) CommunitySupported - VIBs that have not been tested by VMware or a VMware partner. CommunitySupported VIBs are not supported and do not have a digital signature. To protect the security and integrity of your ESXi hosts, do not allow unsigned (CommunitySupported) VIBs to be installed on your hosts.

verify-acceptance-level-certified (Profile: 1; Control Type: Parameter)
Verify the ESXi Image Profile to only allow signed VIBs. An unsigned VIB represents untested code installed on an ESXi host. The ESXi Image Profile supports four acceptance levels: (1) VMwareCertified - VIBs created, tested and signed by VMware; (2) VMwareAccepted - VIBs created by a VMware partner but tested and signed by VMware; (3) PartnerSupported - VIBs created, tested and signed by a certified VMware partner; and (4) CommunitySupported - VIBs that have not been tested by VMware or a VMware partner. CommunitySupported VIBs are not supported and do not have a digital signature. To protect the security and integrity of your ESXi hosts, do not allow unsigned (CommunitySupported) VIBs to be installed on your hosts.

verify-acceptance-level-supported (Profile: 3; Control Type: Parameter)
Verify the ESXi Image Profile to only allow signed VIBs. An unsigned VIB represents untested code installed on an ESXi host. The ESXi Image Profile supports four acceptance levels: (1) VMwareCertified - VIBs created, tested and signed by VMware; (2) VMwareAccepted - VIBs created by a VMware partner but tested and signed by VMware; (3) PartnerSupported - VIBs created, tested and signed by a certified VMware partner; and (4) CommunitySupported - VIBs that have not been tested by VMware or a VMware partner. CommunitySupported VIBs are not supported and do not have a digital signature. To protect the security and integrity of your ESXi hosts, do not allow unsigned (CommunitySupported) VIBs to be installed on your hosts.

verify-admin-group (Profile: 1,2,3; Control Type: Configuration)
When adding ESXi hosts to Active Directory, if the group "ESX Admins" exists, all user/group accounts assigned to the group will have full administrative access to the host. Discretion should be used when managing membership of the "ESX Admins" group.

verify-config-files (Profile: 1; Control Type: Operational)
Although most configuration on ESXi is controlled via an API, there is a limited set of configuration files that are used directly to govern host behavior. These specific files are exposed via the vSphere HTTPS-based file transfer API. Any changes to these files should be correlated with an approved administrative action, such as an authorized configuration change. Tampering with these files has the potential to enable unauthorized access to the host configuration and virtual machines. WARNING: do not attempt to monitor files that are NOT exposed via this file-transfer API, since this can result in a destabilized system.

verify-dvfilter-bind (Profile: 1,2,3; Control Type: Parameter)
If you are not using products that make use of the dvfilter network API, the host should not be configured to send network information to a VM. If the API is enabled, an attacker might attempt to connect a VM to it, thereby potentially providing access to the network of other VMs on the host. If you are using a product that makes use of this API, then verify that the host has been configured correctly.

verify-install-media (Profile: 1,2,3; Control Type: Operational)
Verify the ESXi Image Profile to only allow signed VIBs. An unsigned VIB represents untested code installed on an ESXi host. The ESXi Image Profile supports four acceptance levels: (1) VMwareCertified - VIBs created, tested and signed by VMware; (2) VMwareAccepted - VIBs created by a VMware partner but tested and signed by VMware; (3) PartnerSupported - VIBs created, tested and signed by a certified VMware partner; and (4) CommunitySupported - VIBs that have not been tested by VMware or a VMware partner. CommunitySupported VIBs are not supported and do not have a digital signature. To protect the security and integrity of your ESXi hosts, do not allow unsigned (CommunitySupported) VIBs to be installed on your hosts.

verify-kernel-modules (Profile: 1,2,3; Control Type: Operational)
VMware provides digital signatures for kernel modules. By default the ESXi host does not permit loading of kernel modules that lack a valid digital signature. However, this behavior can be overridden, allowing unauthorized kernel modules to be loaded. Untested or malicious kernel modules loaded on the ESXi host can put the host at risk of instability and/or exploitation.

vmdk-zero-out (Profile: 1,2; Control Type: Operational)
To help prevent sensitive data in VMDK files from being read off the physical disk after they are deleted, the virtual disk should be zeroed out prior to deletion. This will make it more difficult for someone to reconstruct the contents of the VMDK file. The CLI command 'vmkfstools --writezeroes' can be used to write zeros to the entire contents of a VMDK file prior to its deletion.

vpxuser-password-age (Profile: 1,2,3; Control Type: Parameter)
By default, the vpxuser password will be automatically changed by vCenter every 30 days. Ensure that this setting meets your policies; if not, configure it to meet password aging policies. NOTE: It is very important that the password aging policy not be shorter than the interval that is set to automatically change the vpxuser password, to preclude the possibility that vCenter might get locked out of an ESXi host. If an attacker obtains the vpxuser password, the password can be used only for a limited amount of time.

vpxuser-password-length (Profile: 1,2,3; Control Type: Parameter)
The default length of the vpxuser password is 32 characters. Ensure that this setting meets your policies; if not, configure it to meet password length policies. Longer passwords make brute-force password attacks more difficult.

Assessment Procedure

apply-patches
Employ a process to keep ESXi hosts up to date with patches in accordance with industry standards and internal guidelines. VMware Update Manager is an automated tool that can greatly assist with this. VMware also publishes Advisories on security patches, and offers a way to subscribe to email alerts for them.

config-firewall-access
For each host, from the vSphere Client, select the host and go to "Configuration -> Security Profile". In the "Firewall" section select "Properties". For each enabled service (e.g. ssh, vSphere Web Access, http client), select "Firewall", select "Only allow connections from the following networks" and provide a range of authorized IP addresses.

config-ntp
From the vSphere Client: select the host and click "Configuration -> Time Configuration". Select the properties link and choose 'Options'. From the General tab start the NTP service and select "Start and stop with host". From the NTP Settings tab click the 'Add' button to add the site-specific NTP servers. NTP can also be configured using the vCLI or PowerCLI. It is recommended to synchronize the ESXi clock with a time server that is located on the management network rather than directly with a time server on a public network. This time server can then synchronize with a public source through a strictly controlled network connection with a firewall. Note: Verify the required firewall ports are open.

config-persistent-logs
Log on to the ESXi shell and run "ls -al /" to verify "/scratch" is not linked to "/tmp/scratch". If "/scratch" is linked to "/tmp/scratch", use the vSphere Client to change it to a persistent datastore. From the vSphere UI select the ESXi host and click "Configuration -> Advanced Settings -> Syslog -> global" and specify a datastore and directory location for 'Syslog.global.logDir'.

config-snmp
Run "vicfg-snmp <conn_options> --show" to determine if SNMP is being used. If SNMP is not being used, make sure that it is not running: "vicfg-snmp <conn_options> --disable". If SNMP is being used, refer to the vSphere Command-Line Interface Concepts and Examples guide, Chapter 10, for steps to make sure the parameters are properly configured. SNMP must be configured on each ESXi host using either vCLI or PowerCLI, or using an API client.

disable-dcui
From the vSphere Client, select the host and select "Configuration -> Security Profile". In the Services section select "Properties". Select "Direct Console UI" and click Options. From the pop-up stop the DCUI service and set the startup policy to "Start and stop manually". DCUI access can also be configured using APIs and PowerCLI as well as with Host Profiles.

disable-esxi-shell
From the DCUI: select "Troubleshooting Options" from the main menu and select "Enable ESXi Shell". From the vSphere Client, select the host then select "Configuration -> Security Profile". In the Services section select "Properties". Select the "ESXi Shell" and click Options. Stop the ESXi Shell and select the option to "Start and stop manually". Note: A host warning is displayed in the vSphere Client when the ESXi Shell is enabled.

disable-mob
To determine if the MOB is enabled, run the following command in the ESXi shell: ~# vim-cmd proxysvc/service_list. To disable the MOB, run the following command: ~# vim-cmd proxysvc/remove_service "/mob" "httpsWithRedirect". Note: You cannot disable the MOB while in lockdown mode.

disable-ssh
From the DCUI: from the main menu select "Troubleshooting Options -> Disable ESXi SSH". From the vSphere Client, select the ESXi host, go to "Configuration -> Security Profile". In the "Services" section select "Properties". Verify 'SSH' is stopped. Select "Options..." and verify 'SSH' is set to "Start and stop manually".

enable-ad-auth
Refer to the vSphere Security Guide, chapter 4 page 65, for steps to add ESXi hosts to an Active Directory domain. http://pubs.vmware.com/vsphere50/topic/com.vmware.vsphere.security.doc_50/GUID-25A5EB3B-7BB1-4B0B-9323926AE6F0667F.html

enable-auth-proxy
From the vSphere Client home page select "Host Profiles". Right-click the Host Profile and select Edit. Choose "Authentication configuration -> Active Directory Configuration -> Join Domain Method". Set the Join Domain Method to "Use vSphere Authentication Proxy to add the host to domain".

enable-chap-auth
In the vSphere Client, select the host, and then choose: Configuration - Storage Adapters - iSCSI Initiator Properties - CHAP - CHAP (Target Authenticates Host) - determine if "Use CHAP" is selected with a Name and a "Secret" configured.

enable-lockdown-mode
From the vSphere Client, select the host then select "Configuration -> Security Profile". Verify Lockdown Mode is Enabled. From the DCUI: 1. Log in directly to the ESXi host. 2. Open the DCUI on the host. 3. Press F2 for Initial Setup. 4. Toggle the Configure Lockdown Mode setting.

enable-nfc-ssl
From the vSphere Client select "Administration -> vCenter Server Settings -> Advanced Settings". Set "config.nfc.useSSL = true". Default is false.

enable-remote-syslog
Step 1: Install/enable a syslog host (vSphere Syslog Collector recommended). Step 2: From the vSphere Client: select the host and click "Configuration -> Advanced Settings -> Syslog -> Global". Set 'Syslog.global.logHost' to the hostname of your syslog server. Note: the 'Syslog.global.logHost' parameter can also be configured using the vCLI or PowerCLI, or using an API client.

esxi-no-self-signed-certs
Connect to each ESX/ESXi host with an internet browser, https://<hostname>/. View the details of the SSL certificate and determine if it is issued by a trusted CA, either commercial or organizational.

limit-cim-access
Create a limited-privilege service account for CIM and other 3rd party applications. Place the CIM account into the "root" group. By default "read-only" access is granted to local accounts defined on the host as well as roles created in vCenter. In most cases read-only access will be sufficient. If write access is required, only grant the minimum required privileges. Typically, CIM accounts should be limited to the "Host > Config > System Management" and "Host > CIM > CIM Interaction" privileges.

mask-zone-san
Zoning and masking capabilities for each SAN switch and disk array are vendor specific, as are the tools for managing LUN masking.

remove-authorized-keys
For day-to-day operations disable SSH on your ESXi hosts. In the event that SSH is enabled, even temporarily, monitor the contents of "/etc/ssh/keys-root/authorized_keys" to ensure no users are allowed to access the host without proper authentication. To check for SSH keys added to the authorized_keys file, log on to the ESXi shell as root and verify the /etc/ssh/keys-root/authorized_keys file is empty. If the file is not empty, remove any keys found in the file.

set-password-complexity
Edit the "password requisite /lib/security/$ISA/pam_passwdqc.so retry=N min=N0,N1,N2,N3,N4" entry in the /etc/pam.d/passwd file as outlined in the vSphere Security Guide, Chapter 7 Page 94. Verify the expected settings are configured in the /etc/pam.d/passwd file.

set-shell-timeout
From the DCUI: select Troubleshooting Options -> Modify SSH Timeouts. From the vSphere Client: select the host and click "Configuration -> Advanced Settings". Select the UserVars.ESXiShellTimeOut parameter and set it to a value between 0 and 86400 seconds. A value of 0 disables the ESXi Shell timeout.

unique-chap-secrets
In the vSphere Client, select the host, and then choose: Configuration - Storage Adapters - iSCSI Initiator Properties - CHAP - CHAP (Target Authenticates Host) - determine if a different authentication secret is configured for each ESXi host.

verify-acceptance-level-accepted
STEP 1: Connect to each ESX/ESXi host using the vCLI and execute the command "esxcli software acceptance get" to verify the acceptance level is set to either "VMwareCertified" or "VMwareAccepted". STEP 2: Connect to each ESX/ESXi host using the vCLI and execute the command "esxcli software vib list" and verify the acceptance level for each VIB is set to "VMwareCertified" or "VMwareAccepted".

verify-acceptance-level-certified
STEP 1: Connect to each ESX/ESXi host using the vCLI and execute the command "esxcli software acceptance get" to verify the acceptance level is set to "VMwareCertified". STEP 2: Connect to each ESX/ESXi host using the vCLI and execute the command "esxcli software vib list" and verify the acceptance level for each VIB is set to "VMwareCertified".

verify-acceptance-level-supported
STEP 1: Connect to each ESX/ESXi host using the vCLI and execute the command "esxcli software acceptance get" to verify the acceptance level is set to either "VMwareCertified", "VMwareAccepted", or "PartnerSupported". STEP 2: Connect to each ESX/ESXi host using the vCLI and execute the command "esxcli software vib list" and verify the acceptance level for each VIB is either "VMwareCertified", "VMwareAccepted", or "PartnerSupported".

From Active Directory monitor membership of the "ESX Admins" group to verify only authorized accounts and groups are added to this group. If full admin access for the accounts or groups in the "ESX Admins" group is not desired refer to: http://kb.vmware.com/kb/1025569

ESXi Configuration files can be found by browsing to https://<hostname>/host (not available if MOB is disabled). NOTE: not all the files listed are modifiable. The files can also be retrieved using the vCLI or PowerCLI. Implement a procedure to track the files and their contents over time to ensure that they are not improperly modified. Be sure not to monitor log files and other files whose content is expected to change regularly due to system activity. Also, account for configuration file changes that are due to deliberate administrative activity.

If a dvfilter-based network security appliance is not being used on the host, ensure that the following kernel parameter has a blank value: /Net/DVFilterBindIpAddress. From the vSphere client select the host and click "Configuration -> Advanced Settings -> Net" and verify that Net.DVFilterBindIpAddress has an empty value. If such an appliance is being used, then make sure the value of this parameter is set to match this appliance.

Always check the SHA1 hash after downloading an ISO, offline bundle, or patch to ensure integrity and authenticity of the downloaded files. If you obtain physical media from VMware and the security seal is broken, return the software to VMware for a replacement.

Each ESXi host should be monitored for unsigned kernel modules. To list all the loaded kernel modules run: "esxcli system module list". For each module verify the signature by running "esxcli system module get -m <module>". Secure the host by disabling unsigned modules and removing the offending VIBs from the host. Note: evacuate VMs and place the host into maintenance mode before disabling kernel modules.

When deleting a VMDK file with sensitive data, shut down or stop the virtual machine, and then issue the CLI command 'vmkfstools --writezeroes' on that file prior to deleting it from the datastore.

From the vSphere client select "Administration -> vCenter Server Settings -> Advanced Settings". Set the "VirtualCenter.VimPasswordExpirationInDays" to comply with your requirements. Default is 30 days.

From the vSphere client select "Administration -> vCenter Server Settings -> Advanced Settings". Set the "config.vpxd.hostPasswordLength" to comply with your requirements. Default is 32 characters.
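As an added example that is not part of the VMware guide, the following Python script evaluates esxcli CSV output against the desired values stated in the procedures above: the ESXi Shell timeout, the dvfilter bind address and the VIB acceptance levels. The sample outputs, the policy names and the 192.0.2.5 address are constructed for the example; column names follow the field names the guide passes to --format-param, and real output contains more columns.

```python
import csv
import io

# Constructed sample of "esxcli --formatter=csv --format-param=fields=...
# system settings advanced list" output (not captured from a real host).
SAMPLE_ADVANCED_SETTINGS = """\
Path,Int Value,String Value
/UserVars/ESXiShellTimeOut,0,
/Net/DVFilterBindIpAddress,0,192.0.2.5
/UserVars/SuppressShellWarning,0,
"""

# Constructed sample of "esxcli --formatter=csv software vib list" output.
SAMPLE_VIB_LIST = """\
Name,Version,Vendor,AcceptanceLevel
esx-base,5.0.0-0.0.0,VMware,VMwareCertified
net-e1000,8.0.3.1-2vmw.500.0.0,VMware,VMwareCertified
example-cim-provider,1.0-1,ExampleVendor,PartnerSupported
example-driver,2.1-3,ExampleVendor,CommunitySupported
"""

# Acceptance levels each of the guide's three VIB rows permits, from most to
# least restrictive. The policy names are ours, not the guide's.
ACCEPTANCE_POLICIES = {
    "certified-only": {"VMwareCertified"},
    "certified-or-accepted": {"VMwareCertified", "VMwareAccepted"},
    "partner-supported": {"VMwareCertified", "VMwareAccepted", "PartnerSupported"},
}


def parse_esxcli_csv(text):
    """Turn esxcli CSV output into a list of {column: value} dicts."""
    return list(csv.DictReader(io.StringIO(text.strip())))


def check_advanced_settings(rows, dvfilter_expected=""):
    """Return findings for the shell-timeout and dvfilter settings.

    dvfilter_expected is the bind address of a dvfilter appliance when one is
    in use; the guide wants the parameter empty otherwise.
    """
    findings = []
    for row in rows:
        path = row["Path"]
        if path == "/UserVars/ESXiShellTimeOut":
            timeout = int(row["Int Value"])
            # The guide accepts 0..86400 seconds but notes that 0 disables the
            # timeout, so 0 is flagged here as well.
            if not 0 < timeout <= 86400:
                findings.append(f"{path}={timeout}: expected 1-86400 seconds")
        elif path == "/Net/DVFilterBindIpAddress":
            value = row["String Value"].strip()
            if value != dvfilter_expected:
                findings.append(f"{path}={value!r}: expected {dvfilter_expected!r}")
    return findings


def noncompliant_vibs(rows, policy):
    """List VIB names whose acceptance level is outside the chosen policy."""
    allowed = ACCEPTANCE_POLICIES[policy]
    return [row["Name"] for row in rows if row["AcceptanceLevel"] not in allowed]


def audit(advanced_csv, vib_csv, policy, dvfilter_expected=""):
    """Combine both checks into one list of human-readable findings."""
    findings = check_advanced_settings(parse_esxcli_csv(advanced_csv), dvfilter_expected)
    for name in noncompliant_vibs(parse_esxcli_csv(vib_csv), policy):
        findings.append(f"VIB {name}: acceptance level not allowed by policy {policy}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_ADVANCED_SETTINGS, SAMPLE_VIB_LIST, "certified-or-accepted"):
        print(finding)
```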

Configuration File

Configuration Parameter

Desired Value

N/A

N/A

N/A

N/A

N/A

Site Specific

/etc/ntp.conf

N/A

Site Specific

N/A

Syslog.global.logDir

Site Specific

/etc/vmware/snmp.xml

N/A

site-specific

N/A

N/A

Stopped

N/A

N/A

Stopped

N/A

N/A

Remove Service

N/A

N/A

Stopped

N/A

N/A

N/A

N/A

N/A

Site Specific

N/A

Use Chap, Name, Secret

Site Specific

N/A

vimsvc/auth/lockdown_is_enabled

Enabled

Windows = C:\ProgramData\VMware\VMware VirtualCenter\vpxd.cfg VCSA = /etc/vmware-vpx/vpxd.cfg

config.nfc.useSSL

True

N/A

Syslog.global.logHost

Site Specific

N/A

N/A

N/A

N/A

N/A

N/A

N/A

N/A

N/A

/etc/ssh/keys-root/authorized_keys

N/A

N/A

/etc/pam.d/passwd

password requisite /lib/security/$ISA/pam_passwdqc.so

Site specific

N/A

UserVars.ESXiShellTimeOut

Site Specific

Secret

site-dependent

N/A

N/A

VMwareCertified VMwareAccepted

N/A

N/A

VMwareCertified

N/A

N/A

VMwareCertified VMwareAccepted PartnerSupported

N/A

N/A

N/A

N/A

N/A

N/A

N/A

Net.DVFilterBindIpAddress

empty

N/A

N/A

N/A

N/A

N/A

N/A

N/A

On Windows: C:\Documents and Settings\All Users\Application Data\VMware\VMware VirtualCenter\vpxd.cfg VCSA: /etc/vmware-vpx/vpxd.cfg

N/A

N/A

VirtualCenter.VimPasswordExpirationInDays

Site Specific

On Windows: C:\Documents and Settings\All Users\Application Data\VMware\VMware VirtualCenter\vpxd.cfg VCSA: /etc/vmware-vpx/vpxd.cfg

vpxd.hostPasswordLength

Site Specific

Change Type

Is desired value the default?

vSphere API

Update

N/A

Modify

No

N/A

http://pubs.vmware.com/vsphere-50/index.jsp?topic=/com.vmware.wssdk.apiref.doc_50/vim.host.ServiceSystem.html

Modify

No

http://pubs.vmware.com/vsphere-50/index.jsp?topic=/com.vmware.wssdk.apiref.doc_50/vim.host.DateTimeSystem.html

Modify

When booting from a local disk yes. When booting from USB/SD or when using Auto Deploy no.

http://pubs.vmware.com/vsphere-50/index.jsp?topic=/com.vmware.wssdk.apiref.doc_50/vim.option.OptionManager.html

http://pubs.vmware.com/vsphere-50/index.jsp?topic=/com.vmware.wssdk.apiref.doc_50/vim.host.SnmpSystem.html

Modify

N/A

Modify

No

http://pubs.vmware.com/vsphere-50/index.jsp?topic=/com.vmware.wssdk.apiref.doc_50/vim.host.ServiceSystem.html

Modify

Yes

http://pubs.vmware.com/vsphere-50/index.jsp?topic=/com.vmware.wssdk.apiref.doc_50/vim.host.ServiceSystem.html

Remove

No

N/A

Modify

Yes

http://pubs.vmware.com/vsphere-50/index.jsp?topic=/com.vmware.wssdk.apiref.doc_50/vim.host.ServiceSystem.html

N/A

N/A

http://pubs.vmware.com/vsphere-50/index.jsp?topic=/com.vmware.wssdk.apiref.doc_50/vim.host.ActiveDirectoryAuthentication.html

Modify

No

http://pubs.vmware.com/vsphere-50/index.jsp?topic=/com.vmware.wssdk.apiref.doc_50/vim.host.ActiveDirectoryAuthentication.html

modify

No

http://pubs.vmware.com/vsphere-50/index.jsp?topic=/com.vmware.wssdk.apiref.doc_50/vim.host.InternetScsiHba.AuthenticationProperties.html

Modify

No

http://pubs.vmware.com/vsphere-50/index.jsp?topic=/com.vmware.wssdk.apiref.doc_50/vim.HostSystem.html

Add

No

N/A

Modify

No

http://pubs.vmware.com/vsphere-50/index.jsp?topic=/com.vmware.wssdk.apiref.doc_50/vim.option.OptionManager.html

Configuration

No

N/A

N/A

N/A

http://pubs.vmware.com/vsphere-50/index.jsp?topic=/com.vmware.wssdk.apiref.doc_50/vim.host.LocalAccountManager.html

N/A

N/A

N/A

N/A

Yes

N/A

Modify

Yes

N/A

Modify

No

http://pubs.vmware.com/vsphere-50/index.jsp?topic=/com.vmware.wssdk.apiref.doc_50/vim.option.OptionManager.html

http://pubs.vmware.com/vsphere-50/index.jsp?topic=/com.vmware.wssdk.apiref.doc_50/vim.host.InternetScsiHba.AuthenticationProperties.html

modify

No

Verify

No

http://pubs.vmware.com/vsphere-50/index.jsp?topic=/com.vmware.wssdk.apiref.doc_50/vim.host.ImageConfigManager.html

Verify

No

http://pubs.vmware.com/vsphere-50/index.jsp?topic=/com.vmware.wssdk.apiref.doc_50/vim.host.ImageConfigManager.html

Verify

Yes

http://pubs.vmware.com/vsphere-50/index.jsp?topic=/com.vmware.wssdk.apiref.doc_50/vim.host.ImageConfigManager.html

N/A

N/A

N/A

N/A

N/A

N/A

Modify

Yes

http://pubs.vmware.com/vsphere-50/index.jsp?topic=/com.vmware.wssdk.apiref.doc_50/vim.option.OptionManager.html

N/A

N/A

N/A

Yes

N/A

N/A

N/A

http://pubs.vmware.com/vsphere-50/index.jsp?topic=%2Fcom.vmware.wssdk.apiref.doc_50%2Fvim.VirtualDiskManager.html

Modify

N/A

http://pubs.vmware.com/vsphere-50/index.jsp?topic=/com.vmware.wssdk.apiref.doc_50/vim.option.OptionManager.html

Modify

N/A

http://pubs.vmware.com/vsphere-50/index.jsp?topic=/com.vmware.wssdk.apiref.doc_50/vim.option.OptionManager.html

ESXi Shell Command Assessment

ESXi Shell Command Remediation

# esxcli software profile get / # esxcli software vib get

# esxcli software profile update / # esxcli software vib update

#List all services: ls /etc/init.d #get service status: /etc/init.d/[SERVICE] status

# /etc/init.d/[SERVICE] stop

N/A

N/A

# esxcli system syslog config get

# esxcli system syslog config set --logDir

N/A

N/A

# chkconfig --list DCUI

# chkconfig DCUI off

# chkconfig --list ESXShell

#stop ESXi Shell: /etc/init.d/ESXShell stop #disable ESXi Shell: chkconfig ESXShell off

vim-cmd proxysvc/service_list

vim-cmd proxysvc/remove_service "/mob" "httpsWithRedirect"

# chkconfig --list SSH

# /etc/init.d/SSH stop # chkconfig SSH off

TBD

TBD

N/A

N/A

# esxcli iscsi adapter auth chap get

# esxcli iscsi adapter auth chap set

# To check if Lockdown mode is enabled: vim-cmd -U dcui vimsvc/auth/lockdown_is_enabled

# To enable Lockdown mode: vim-cmd -U dcui vimsvc/auth/lockdown_mode_enter # To disable Lockdown mode: vim-cmd -U dcui vimsvc/auth/lockdown_mode_exit

N/A

N/A

# esxcli system syslog config get

# esxcli system syslog config set --loghost # esxcli system syslog reload

N/A

N/A

N/A

N/A

N/A

N/A

N/A

N/A

N/A

N/A

# esxcli --formatter=csv --format-param=fields="Path,Int Value" system settings advanced list | grep /UserVars/ESXiShellTimeOut

# esxcli system settings advanced set -o /UserVars/ESXiShellTimeOut -i

# esxcli iscsi adapter auth chap get

# esxcli iscsi adapter auth chap set

# esxcli software acceptance get # esxcli software vib list

# esxcli <conn_options> software acceptance set --level

# esxcli software acceptance get # esxcli software vib list

# esxcli <conn_options> software acceptance set --level

# esxcli software acceptance get # esxcli software vib list

# esxcli <conn_options> software acceptance set --level

N/A

N/A

N/A

N/A

# esxcli --formatter=csv --format-param=fields="Path,Int Value" system settings advanced list | grep /Net/DVFilterBindIpAddress

# esxcli system settings advanced set -o /Net/DVFilterBindIpAddress -d

N/A

N/A

# esxcli system module get -m <module>

# esxcli system module set -e false -m <module>

N/A

# vmkfstools -w <vmdk>

N/A

N/A

N/A

N/A

vCLI Command Assessment

vCLI Command Remediation

# esxcli <conn_options> software profile get / # esxcli <conn_options> software vib get

# esxcli <conn_options> software profile update / # esxcli <conn_options> software vib update

N/A

N/A

# vicfg-ntp <conn_options> --list

# vicfg-ntp <conn_options> --add <IP>

# esxcli <conn_options> system syslog config get

# esxcli <conn_options> system syslog config set --logDir

# vicfg-snmp <conn_options> --show

# vicfg-snmp <conn_options> --communities <community>

N/A

N/A

N/A

N/A

N/A

N/A

N/A

N/A

# vicfg-authconfig <conn_options> --authscheme AD --currentdomain

# vicfg-authconfig <conn_options> <ad_conn_options> --authscheme AD --joindomain <domain_FQDN>

# vicfg-authconfig <conn_options> --authscheme AD --currentdomain

# vicfg-authconfig <conn_options> <ad_conn_options> --authscheme AD --joindomain <domain_FQDN>

# esxcli <conn_options> iscsi adapter auth chap get

# esxcli <conn_options> iscsi adapter auth chap set

N/A

N/A

N/A

N/A

# esxcli <conn_options> system syslog config get

# esxcli <conn_options> system syslog config set --loghost # esxcli <conn_options> system syslog reload

N/A

N/A

N/A

N/A

N/A

N/A

N/A

N/A

N/A

N/A

# esxcli <conn_options> --formatter=csv --format-param=fields="Path,Int Value" system settings advanced list | grep /UserVars/ESXiShellTimeOut

# esxcli <conn_options> system settings advanced set -o /UserVars/ESXiShellTimeOut -i

# esxcli <conn_options> iscsi adapter auth chap get

# esxcli <conn_options> iscsi adapter auth chap set

# esxcli <conn_options> software acceptance get # esxcli <conn_options> software vib list

# esxcli <conn_options> software acceptance set --level

# esxcli <conn_options> software acceptance get # esxcli <conn_options> software vib list

# esxcli <conn_options> software acceptance set --level

# esxcli <conn_options> software acceptance get # esxcli <conn_options> software vib list

# esxcli <conn_options> software acceptance set --level

N/A

N/A

N/A

N/A

# esxcli <conn_options> --formatter=csv --format-param=fields="Path,Int Value" system settings advanced list | grep /Net/DVFilterBindIpAddress

# esxcli <conn_options> system settings advanced set -o /Net/DVFilterBindIpAddress -d

N/A

N/A

# esxcli <conn_options> system module get -m <module>

# esxcli <conn_options> system module set -e false -m <module>

N/A

# vmkfstools <conn_options> -w <vmdk>

N/A

N/A

N/A

N/A

PowerCLI Command Assessment

# VMware Update Manager PowerCLI Cmdlets can be used to check this feature

# List all services for a host Get-VMHost HOST1 | Get-VMHostService

# List the services which are enabled and have rules defined for specific IP ranges to access the service Get-VMHost HOST1 | Get-VMHostFirewallException | Where {$_.Enabled -and (-not $_.ExtensionData.AllowedHosts.AllIP)}

# List the NTP Settings for all hosts Get-VMHost | Select Name, @{N="NTPSetting";E={$_ | Get-VMHostNtpServer}}

# List Syslog.global.logDir for each host Get-VMHost | Select Name, @{N="Syslog.global.logDir";E={$_ | Get-VMHostAdvancedConfiguration Syslog.global.logDir | Select -ExpandProperty Values}}

# List the SNMP Configuration of a host (single host connection required) Get-VMHost | Get-VMHostSnmp

# List DCUI settings for all hosts Get-VMHost | Get-VMHostService | Where { $_.key -eq "DCUI" }

# Check if ESXi Shell is running and set to start Get-VMHost | Get-VMHostService | Where { $_.key -eq "TSM" } | Select VMHost, Key, Label, Policy, Running, Required

N/A

# Check if SSH is running and set to start Get-VMHost | Get-VMHostService | Where { $_.key -eq "TSM-SSH" } | Select VMHost, Key, Label, Policy, Running, Required

# Check each host and their domain membership status Get-VMHost | Get-VMHostAuthentication | Select VmHost, Domain, DomainMembershipStatus # Check the host profile is using vSphere Authentication proxy to add the host to the domain Get-VMHost | Select Name, ` @{N="HostProfile";E={$_ | Get-VMHostProfile}}, ` @{N="JoinADEnabled";E={($_ | Get-VMHostProfile).ExtensionData.Config.ApplyProfile.Authentication.ActiveDirectory.Enabled}}, ` @{N="JoinDomainMethod";E={(($_ | Get-VMHostProfile).ExtensionData.Config.ApplyProfile.Authentication.ActiveDirectory | Select -ExpandProperty Policy | Where {$_.Id -eq "JoinDomainMethodPolicy"}).Policyoption.Id}}

# List Iscsi Initiator and CHAP Name if defined Get-VMHost | Get-VMHostHba | Where {$_.Type -eq "Iscsi"} | Select VMHost, Device, ChapType, @{N="CHAPName";E={$_.AuthenticationProperties.ChapName}}

# To check if Lockdown mode is enabled Get-VMHost | Select Name,@{N="Lockdown";E={$_.Extensiondata.Config.adminDisabled}}

# Check Network File Copy NFC uses SSL $vCenter = "MyvCenterFQDN" [XML]$file = Get-Content "\\$vCenter\C$\ProgramData\VMware\VMware VirtualCenter\vpxd.cfg" # Compare against the string "true": any non-empty string (including "false") would otherwise evaluate as true if ($file.config.nfc.useSSL -eq "true") { "SSL Setting is compliant" } Else { "SSL Setting is not set or unreadable"}

# List Syslog.global.logHost for each host Get-VMHost | Select Name, @{N="Syslog.global.logHost";E={$_ | Get-VMHostAdvancedConfiguration Syslog.global.logHost | Select -ExpandProperty Values}}

function Test-WebServerSSL { # Function original location: http://en-us.sysadmins.lv/Lists/Posts/Post.aspx?List=332991f0-bfed4143-9eea-f521167d287c&ID=60 [CmdletBinding()] param( [Parameter(Mandatory = $true, ValueFromPipeline = $true, Position = 0)] [string]$URL, [Parameter(Position = 1)] [ValidateRange(1,65535)] [int]$Port = 443, [Parameter(Position = 2)] [Net.WebProxy]$Proxy, [Parameter(Position = 3)] [int]$Timeout = 15000, [switch]$UseUserContext ) Add-Type @" using System; using System.Net; using System.Security.Cryptography.X509Certificates; namespace PKI { namespace Web { public class WebSSL { public Uri OriginalURi; public Uri ReturnedURi; public X509Certificate2 Certificate;

# List all user accounts on the Host - Host Local connection required Get-VMHostAccount

N/A

N/A

N/A

# List UserVars.ESXiShellTimeOut for each host Get-VMHost | Select Name, @{N="UserVars.ESXiShellTimeOut";E={$_ | Get-VMHostAdvancedConfiguration UserVars.ESXiShellTimeOut | Select -ExpandProperty Values}}

# List Iscsi Initiator and CHAP Name if defined Get-VMHost | Get-VMHostHba | Where {$_.Type -eq "Iscsi"} | Select VMHost, Device, ChapType, @{N="CHAPName";E={$_.AuthenticationProperties.ChapName}}

# List the Software AcceptanceLevel for each host Foreach ($VMHost in Get-VMHost ) { $ESXCli = Get-EsxCli -VMHost $VMHost $VMHost | Select Name, @{N="AcceptanceLevel";E={$ESXCli.software.acceptance.get()}} } # List only the vibs which are not at "VMwareCertified" or "VMwareAccepted" acceptance level Foreach ($VMHost in Get-VMHost ) { $ESXCli = Get-EsxCli -VMHost $VMHost $ESXCli.software.vib.list() | Where { ($_.AcceptanceLevel -ne "VMwareCertified") -and ($_.AcceptanceLevel -ne "VMwareAccepted") } }

# List the Software AcceptanceLevel for each host Foreach ($VMHost in Get-VMHost ) { $ESXCli = Get-EsxCli -VMHost $VMHost $VMHost | Select Name, @{N="AcceptanceLevel";E={$ESXCli.software.acceptance.get()}} } # List only the vibs which are not at "VMwareCertified" acceptance level Foreach ($VMHost in Get-VMHost ) { $ESXCli = Get-EsxCli -VMHost $VMHost $ESXCli.software.vib.list() | Where { $_.AcceptanceLevel -ne "VMwareCertified" } }

# List the Software AcceptanceLevel for each host Foreach ($VMHost in Get-VMHost ) { $ESXCli = Get-EsxCli -VMHost $VMHost $VMHost | Select Name, @{N="AcceptanceLevel";E={$ESXCli.software.acceptance.get()}} } # List only the vibs which are not at "VMwareCertified" or "VMwareAccepted" or "PartnerSupported" acceptance level Foreach ($VMHost in Get-VMHost ) { $ESXCli = Get-EsxCli -VMHost $VMHost $ESXCli.software.vib.list() | Where { ($_.AcceptanceLevel -ne "VMwareCertified") -and ($_.AcceptanceLevel -ne "VMwareAccepted") -and ($_.AcceptanceLevel -ne "PartnerSupported") } }

N/A

N/A

# List Net.DVFilterBindIpAddress for each host Get-VMHost | Select Name, @{N="Net.DVFilterBindIpAddress";E={$_ | Get-VMHostAdvancedConfiguration Net.DVFilterBindIpAddress | Select -ExpandProperty Values}}

# Check the SHA1 hash of the download with the following function Function Get-SHA1 { Param ( $Filename ) begin { [Reflection.Assembly]::LoadWithPartialName("System.Security") | out-null $sha1 = new-Object System.Security.Cryptography.SHA1Managed } Process { $file = [System.IO.File]::Open($filename, "open", "read") $filehash = $sha1.ComputeHash($file) | Foreach { write-host -NoNewLine $_.ToString("x2") } $file.Dispose() } } Get-SHA1 -Filename "C:\Sources\ESX5.ISO"

# List the system modules and Signature Info for each host Foreach ($VMHost in Get-VMHost ) { $ESXCli = Get-EsxCli -VMHost $VMHost $ESXCli.system.module.list() | Foreach { $ESXCli.system.module.get($_.Name) | Select @{N="VMHost";E={$VMHost}}, Module, License, Modulefile, Version, SignedStatus, SignatureDigest, SignatureFingerPrint } }

# List the vCenter Password Expiration Value Get-AdvancedSetting -Entity $defaultVIServer -Name "VirtualCenter.VimPasswordExpirationInDays"

N/A

PowerCLI Command Remediation

# VMware Update Manager PowerCLI Cmdlets can be used to check this feature

N/A

# Set the NTP Settings for all hosts $NTPServers = "pool.ntp.org", "pool2.ntp.org" Get-VMHost | Add-VmHostNtpServer $NTPServers

# Set Syslog.global.logDir for each host Get-VMHost | Foreach { Set-VMHostAdvancedConfiguration -VMHost $_ -Name Syslog.global.logDir -Value "NewLocation" }

# Update the host SNMP Configuration (single host connection required) Get-VmHostSNMP | Set-VMHostSNMP -Enabled:$true -ReadOnlyCommunity 'secret'

# Set DCUI to start manually rather than automatic for all hosts Get-VMHost | Get-VMHostService | Where { $_.key -eq "DCUI" } | Set-VMHostService -Policy Off

# Set ESXi Shell to start manually rather than automatic for all hosts Get-VMHost | Get-VMHostService | Where { $_.key -eq "TSM" } | Set-VMHostService -Policy Off

N/A

# Set SSH to start manually rather than automatic for all hosts Get-VMHost | Get-VMHostService | Where { $_.key -eq "TSM-SSH" } | Set-VMHostService -Policy Off

# Join the ESX Host to the Domain Get-VMHost HOST1 | Get-VMHostAuthentication | Set-VMHostAuthentication -Domain domain.local -User Administrator -Password Passw0rd -JoinDomain

# Join the ESX Host to the Domain Get-VMHost HOST1 | Get-VMHostAuthentication | Set-VMHostAuthentication -Domain domain.local -User Administrator -Password Passw0rd -JoinDomain

# Set the Chap settings for the Iscsi Adapter Get-VMHost | Get-VMHostHba | Where {$_.Type -eq "Iscsi"} | Set-VMHostHba # Use desired parameters here

# Enable lockdown mode for each host (the method lives on the underlying HostSystem object) Get-VMHost | Foreach { $_.ExtensionData.EnterLockdownMode() }

N/A

# Set Syslog.global.logHost for each host Get-VMHost | Foreach { Set-VMHostAdvancedConfiguration -VMHost $_ -Name Syslog.global.logHost -Value "NewLocation" }

N/A

# Create a new host user account - Host Local connection required New-VMHostAccount -ID ServiceUser -Password pass -UserAccount

N/A

N/A

N/A

# Set UserVars.ESXiShellTimeOut to 900 on all hosts Get-VMHost | Foreach { Set-VMHostAdvancedConfiguration -VMHost $_ -Name UserVars.ESXiShellTimeOut -Value 900 }

# Set the Chap settings for the Iscsi Adapter Get-VMHost | Get-VMHostHba | Where {$_.Type -eq "Iscsi"} | Set-VMHostHba # Use desired parameters here

# Set the Software AcceptanceLevel for each host Foreach ($VMHost in Get-VMHost ) { $ESXCli = Get-EsxCli -VMHost $VMHost $ESXCli.software.acceptance.Set("VMwareCertified") }

# Set the Software AcceptanceLevel for each host Foreach ($VMHost in Get-VMHost ) { $ESXCli = Get-EsxCli -VMHost $VMHost $ESXCli.software.acceptance.Set("VMwareCertified") }

# Set the Software AcceptanceLevel for each host Foreach ($VMHost in Get-VMHost ) { $ESXCli = Get-EsxCli -VMHost $VMHost $ESXCli.software.acceptance.Set("VMwareCertified") }

N/A

N/A

# Set Net.DVFilterBindIpAddress to an empty value on all hosts Get-VMHost | Foreach { Set-VMHostAdvancedConfiguration -VMHost $_ -Name Net.DVFilterBindIpAddress -Value "" }

N/A

# To disable a module: $ESXCli = Get-EsxCli -VMHost MyHost $ESXCli.system.module.set($false, $false, "MyModuleName")

# Set the vCenter Password Expiration Value to 10 Get-AdvancedSetting -Entity $defaultVIServer -Name "VirtualCenter.VimPasswordExpirationInDays" | Set-AdvancedSetting -Value 10

N/A

Negative Functional Impact

The MOB will no longer be available for diagnostics. Some 3rd party tools use this interface to gather information. Testing should be done after disabling the MOB to verify 3rd party applications are still functioning as expected. To re-enable the MOB: ~ # vim-cmd proxysvc/add_np_service "/mob" httpsWithRedirect /var/run/vmware/proxy-mob

Using SSL may reduce performance of actions involving NFC, such as VM clone or migration. It has also not been extensively tested and may cause HA and other operations to fail in certain circumstances.

Disabling the SSH "authorized_keys" access may limit your ability to remotely run commands on a host without providing a valid login (e.g. prevent the ability to run unattended remote scripting).

Third party VIBs tested by VMware partners are not allowed on the host. This could include some device drivers, CIM modules, and other add-on software. Host customization using custom VIBs is not allowed.

No VMware partner VIBs are allowed on the host, to include non-VMware written device drivers, CIM modules, and other third party software. Host customization using custom VIBs is not allowed.

Host customization using custom VIBs is not allowed.

This will prevent a dvfilter-based network security appliance from functioning

Reference

Able to set using Host Profile?

http://pubs.vmware.com/vsphere-50/topic/com.vmware.vsphere.update_manager.doc_50/GUID-EF6BEE4C-4583-4A8C-81B9-5B074CA2E272.html

No

http://pubs.vmware.com/vsphere-50/topic/com.vmware.vsphere.security.doc_50/GUID-DD4322FF-3DC4-4716-8819-6688938F99D7.html

Yes

http://pubs.vmware.com/vsphere-50/topic/com.vmware.vcli.examples.doc_50/cli_manage_networks.11.8.html

Yes

http://kb.vmware.com/kb/1033696

Yes

http://pubs.vmware.com/vsphere-50/topic/com.vmware.vsphere.monitoring.doc_50/GUID-8EF36D7D-59B6-4C74-B1AA-4A9D18AB6250.html

Yes

TBD

Yes

http://kb.vmware.com/kb/1017910

Yes

http://kb.vmware.com/kb/1016039

No

http://pubs.vmware.com/vsphere-50/topic/com.vmware.vsphere.security.doc_50/GUID-12E27BF3-3769-4665-8769-DA76C2BC9FFE.html

Yes

http://pubs.vmware.com/vsphere-50/topic/com.vmware.vsphere.security.doc_50/GUID-25A5EB3B-7BB1-4B0B-9323-926AE6F0667F.html

Yes

http://pubs.vmware.com/vsphere-50/topic/com.vmware.vsphere.security.doc_50/GUID-084B74BD-40A5-4A4B-A82C-0C9912D580DC.html

Yes

http://pubs.vmware.com/vsphere-50/topic/com.vmware.vsphere.storage.doc_50/GUID-AC65D747-728F-4109-96DD-49B433E2F266.html

No

http://kb.vmware.com/kb/1008077

No

http://kb.vmware.com/kb/2010332

No

http://pubs.vmware.com/vsphere-50/topic/com.vmware.vsphere.install.doc_50/GUID-471EFE67-9035-473E-8217-6B67E493A518.html

Yes

http://pubs.vmware.com/vsphere-50/topic/com.vmware.vsphere.solutions.doc_50/GUID-37AAEDFE-EF2E-45FC-B0C6-44841E4FB302.html

No

http://pubs.vmware.com/vsphere-50/topic/com.vmware.cimsdk.smashpg.doc_50/CIM_SMASH_PG_Use_Cases.5.1.html

No

http://pubs.vmware.com/vsphere-50/topic/com.vmware.vsphere.storage.doc_50/GUID-6029358F-8EE8-4143-9BB0-16ABB3CA0FE3.html

No

http://pubs.vmware.com/vsphere-50/topic/com.vmware.vsphere.security.doc_50/GUID-392ADDE9-FD3B-49A2-BF64-4ACBB60EB149.html

http://pubs.vmware.com/vsphere-50/topic/com.vmware.vsphere.security.doc_50/GUID-942E8E23-D2CE-49B0-8B39-F31EF6D0519B.html

No

No

http://kb.vmware.com/kb/2004746

No

http://pubs.vmware.com/vsphere-50/topic/com.vmware.vsphere.storage.doc_50/GUID-AC65D747-728F-4109-96DD-49B433E2F266.html

No

http://pubs.vmware.com/vsphere-50/topic/com.vmware.vsphere.install.doc_50/GUID-56600593-EC2E-4125-B1A0-065BDD16CF2D.html

No

http://pubs.vmware.com/vsphere-50/topic/com.vmware.vsphere.install.doc_50/GUID-56600593-EC2E-4125-B1A0-065BDD16CF2D.html

No

http://pubs.vmware.com/vsphere-50/topic/com.vmware.vsphere.install.doc_50/GUID-56600593-EC2E-4125-B1A0-065BDD16CF2D.html

No

http://kb.vmware.com/kb/1025569

No

Backing up Config Files: http://pubs.vmware.com/vsphere-50/topic/com.vmware.vcli.examples.doc_50/cli_manage_hosts.4.4.html Host Profiles: http://pubs.vmware.com/vsphere-50/topic/com.vmware.vsphere.hostprofiles.doc_50/GUID-78BB234A-D735-4356-9CCF-19DD55DB8060.html

No

http://www.vmware.com/go/vmsafe/

No

http://kb.vmware.com/kb/1537

No

http://pubs.vmware.com/vsphere-50/topic/com.vmware.vsphere.security.doc_50/GUID-E9B71B85-FBA3-447C-8A60-DEE2AE1A405A.html

No

http://pubs.vmware.com/vsphere-50/topic/com.vmware.vsphere.storage.doc_50/GUID-050C0FEE-2C75-4356-B9E0-CC802333FF41.html

No

http://pubs.vmware.com/vsphere-50/topic/com.vmware.vsphere.security.doc_50/GUID-20FA4157-F371-4922-92E8-63822FA808FA.html

No

http://pubs.vmware.com/vsphere-50/topic/com.vmware.vsphere.security.doc_50/GUID-20FA4157-F371-4922-92E8-63822FA808FA.html

No

ID

Product

Version

Component

disable-dvportgroup-autoexpand

vSphere

5.0

vNetwork

disable-stp

vSphere

5.0

vNetwork

document-pvlans

vSphere

5.0

vNetwork

document-vlans

vSphere

5.0

vNetwork

document-vlans-vds

vSphere

5.0

vNetwork

isolate-mgmt-network-airgap

vSphere

5.0

vNetwork

isolate-mgmt-network-vlan

vSphere

5.0

vNetwork

isolate-storage-network-airgap

vSphere

5.0

vNetwork

isolate-storage-network-vlan

vSphere

5.0

vNetwork

isolate-vmotion-network-airgap

vSphere

5.0

vNetwork

isolate-vmotion-network-vlan

vSphere

5.0

vNetwork

label-portgroups

vSphere

5.0

vNetwork

label-vswitches

vSphere

5.0

vNetwork

limit-administrator-scope

vSphere

5.0

vNetwork

no-native-vlan-1

vSphere

5.0

vNetwork

no-reserved-vlans

vSphere

5.0

vNetwork

no-unused-dvports

vSphere

5.0

vNetwork

no-vgt-vlan-4095

vSphere

5.0

vNetwork

reject-forged-transmit

vSphere

5.0

vNetwork

reject-forged-transmit-dvportgroup

vSphere

5.0

vNetwork

reject-mac-change-dvportgroup

vSphere

5.0

vNetwork

reject-mac-changes

vSphere

5.0

vNetwork

reject-promiscuous-mode

vSphere

5.0

vNetwork

reject-promiscuous-mode-dvportgroup

vSphere

5.0

vNetwork

restrict-mgmt-network-access-gateway

vSphere

5.0

vNetwork

restrict-mgmt-network-access-jumpbox

vSphere

5.0

vNetwork

set-non-negotiate

vSphere

5.0

vNetwork

upstream-bpdu-stp

vSphere

5.0

vNetwork

verify-vlan-id

vSphere

5.0

vNetwork

verify-vlan-trunk

vSphere

5.0

vNetwork

Subcomponent

Title

VDS

Verify that the autoexpand option for VDS dvPortgroups is disabled

Physical

Ensure that physical switch ports are configured with spanning tree disabled.

VDS

Ensure that all dvSwitches' Private VLAN ID's are fully documented

vSwitch

Ensure that all vSwitch and VLANS ID's are fully documented

VDS

Ensure that all dvPortgroup VLAN ID's are fully documented

Architecture

Ensure that vSphere management traffic is on a restricted network.

Architecture

Ensure that vSphere management traffic is on a restricted network.

Architecture

Ensure that IP-based storage traffic is isolated.

Architecture

Ensure that IP-based storage traffic is isolated.

Architecture

Ensure that vMotion traffic is isolated.

Architecture

Ensure that vMotion traffic is isolated.

vSwitch

Ensure that port groups are configured with a clear network label.

vSwitch

Ensure that all virtual switches have a clear network label.

vSwitch

Ensure that only authorized administrators have access to virtual networking components.

VLAN

Ensure that port groups are not configured to the value of the native VLAN.

Ensure that port groups are not configured to VLAN values reserved by upstream physical switches.

VLAN

VDS

Ensure that there are no unused ports on a distributed virtual port group.

VLAN

Ensure that port groups are not configured to VLAN 4095 except for Virtual Guest Tagging (VGT).

vSwitch

Ensure that the Forged Transmits policy is set to reject.

VDS

Ensure that the Forged Transmits policy is set to reject.

VDS

Ensure that the MAC Address Change policy is set to reject.

vSwitch

Ensure that the MAC Address Change policy is set to reject.

vSwitch

Ensure that the Promiscuous Mode policy is set to reject.

VDS

Ensure that the Promiscuous Mode policy is set to reject.

Architecture

Strictly control access to management network.

Architecture

Strictly control access to management network.

Physical

Ensure that the non-negotiate option is configured for trunk links between external physical switches and virtual switches in VST mode.

Physical

Verify that for virtual machines that route or bridge traffic, spanning tree protocol is enabled and BPDU guard and Portfast are disabled on the upstream physical switch port.

VLAN

Ensure that all virtual switch VLAN's are fully documented and have all required and only required VLAN's.

Physical

Verify that VLAN trunk links are connected only to physical switch ports that function as trunk links.

Vulnerability Discussion

If the "no-unused-dvports" guideline is followed, there should be only the amount of ports on a VDS that are actually needed. The Autoexpand feature on VDS dvPortgroups can override that limit. The feature allows dvPortgroups to automatically add 10 virtual distributed switch ports to a dvPortgroup that has run out of available ports. The risk is that maliciously or inadvertently, a virtual machine that is not supposed to be part of that portgroup is able to affect confidentiality, integrity or authenticity of data of other virtual machines on that portgroup. To reduce the risk of inappropriate dvPortgroup access, the autoexpand option on VDS should be disabled. By default the option is disabled, but regular monitoring should be implemented to verify this has not been changed.

Due to the integration of the ESXi Server into the physical network, the physical network adaptors must have spanning tree disabled or portfast configured for external switches, because VMware virtual switches do not support STP. Virtual switch uplinks do not create loops within the physical switch network. If these are not set, potential performance and connectivity issues might arise.

dvSwitch Private VLANs (PVLANs) require primary and secondary VLAN ID's. These need to correspond to the ID's on external PVLAN-aware upstream switches if any. If VLAN ID's are not tracked completely, mistaken re-use of ID's could allow for traffic to be allowed between inappropriate physical and virtual machines. Similarly, wrong or missing PVLAN ID's may lead to traffic not passing between appropriate physical and virtual machines.

If you are using VLAN tagging on a vSwitch, these need to correspond to the ID's on external VLAN-aware upstream switches if any. If VLAN ID's are not tracked completely, mistaken re-use of ID's could allow for traffic to be allowed between inappropriate physical and virtual machines. Similarly, wrong or missing VLAN ID's may lead to traffic not passing between appropriate physical and virtual machines.

If you are using VLAN tagging on a dvPortgroup, the VLAN IDs need to correspond to the IDs on external VLAN-aware upstream switches, if any. If VLAN IDs are not tracked completely, mistaken re-use of IDs could allow traffic between inappropriate physical and virtual machines. Similarly, wrong or missing VLAN IDs may lead to traffic not passing between appropriate physical and virtual machines.

The vSphere management network provides access to the vSphere management interface on each component. Services running on the management interface provide an opportunity for an attacker to gain privileged access to the systems. Any remote attack most likely would begin with gaining entry to this network.

Virtual machines might share virtual switches and VLANs with the IP-based storage configurations. IP-based storage includes iSCSI and NFS. This type of configuration might expose IP-based storage traffic to unauthorized virtual machine users. IP-based storage frequently is not encrypted, so it can be viewed by anyone with access to this network. To restrict unauthorized users from viewing the IP-based storage traffic, the IP-based storage network should be logically separated from the production traffic. Configuring the IP-based storage adaptors on separate VLANs or network segments from the VMkernel management and service console network will limit unauthorized users from viewing the

The security issue with vMotion migrations is that information is transmitted in plain text, and anyone with access to the network over which this information flows can view it. Potential attackers can intercept vMotion traffic to obtain the memory contents of a virtual machine. They might also stage a MiTM attack in which the contents are modified during migration. Ensure that vMotion traffic is separate from production traffic on an isolated network. This network should be non-routable (no layer-3 router spanning this and other networks), which will prevent any outside access to the

A network label identifies each port group with a name. These names are important because they serve as a functional descriptor for the port group. Without these descriptions, identifying port groups and their functions becomes difficult as the network becomes more complex. Virtual switches within the ESXi Server require a field for the name of the switch. This label is important because it serves as a functional descriptor for the switch, just as physical switches require a host name. Labeling virtual switches will indicate the function or the IP subnet of the virtual switch. For instance, labeling the virtual switch as "internal" or some variation will indicate that the virtual switch is only for internal networking between virtual machines, that is, a private virtual switch with no physical network adaptors bound to it.

This control mitigates the risk of misconfiguration, whether accidental or malicious, and enforces the key security concepts of separation of duties and least privilege. It is important to leverage the role-based access controls within vSphere to ensure that only authorized administrators have access to the different virtual networking components. For example, VM administrators should have access only to the port groups in which their VMs reside. Network administrators should have permissions to all virtual networking components but not have access to VMs. These controls will depend very much on the organization's policy on separation of duties, least privilege, and the responsibilities of the administrators within the organization.

ESXi does not use the concept of a native VLAN. Frames with a VLAN specified in the port group will have a tag, but frames with no VLAN specified in the port group are not tagged and therefore will end up belonging to the native VLAN of the physical switch. For example, frames on VLAN 1 from a Cisco physical switch will be untagged, because this is considered the native VLAN. However, frames from ESXi specified as VLAN 1 will be tagged with a 1; therefore, traffic from ESXi that is destined for the native VLAN will not be correctly routed (because it is tagged with a 1 instead of being untagged), and traffic from the physical switch coming from the native VLAN will not be visible (because it is not tagged). If the ESXi virtual switch port group uses the native VLAN ID, traffic from those VMs will not be visible to the native VLAN on the switch, because the switch is expecting

Certain physical switches reserve certain VLAN IDs for internal purposes and often disallow traffic configured to these values. For example, Cisco Catalyst switches typically reserve VLANs 1001 through 1024 and 4094, while Nexus switches typically reserve 3968 through 4047 and 4094. Check the documentation for your specific switch. Using a reserved VLAN might result in a denial of service on

The number of ports available on a vdSwitch distributed port group can be adjusted to exactly match the number of virtual machine vNICs that need to be assigned to that dvPortgroup. Limiting the number of ports to just what is needed limits the potential for an administrator, either accidentally or maliciously, to move a virtual machine to an unauthorized network. This is especially relevant if the management network is on a dvPortgroup, because it could help prevent someone from putting a rogue virtual machine on this network.

When a port group is set to VLAN 4095, this activates VGT mode. In this mode, the vSwitch passes all network frames to the guest VM without modifying the VLAN tags, leaving it up to the guest to deal with them. VLAN 4095 should be used only if the guest has been specifically configured to manage VLAN tags itself. If VGT is enabled inappropriately, it might cause denial of service or allow a guest VM to interact with traffic on an unauthorized VLAN.

If the virtual machine operating system changes the MAC address, the operating system can send frames with an impersonated source MAC address at any time. This allows an operating system to stage malicious attacks on the devices in a network by impersonating a network adaptor authorized by the receiving network. Forged transmits is set to Accept by default, which means the virtual switch does not compare the source and effective MAC addresses. To protect against MAC address impersonation, all virtual switches should have forged transmits set to Reject.

If the virtual machine operating system changes the MAC address, the operating system can send frames with an impersonated source MAC address at any time. This allows an operating system to stage malicious attacks on the devices in a network by impersonating a network adaptor authorized by the receiving network. Forged transmits is set to Accept by default, which means the dvPortgroup does not compare the source and effective MAC addresses. To protect against MAC address impersonation, all dvPortgroups should have forged transmits set to Reject.

If the virtual machine operating system changes the MAC address, it can send frames with an impersonated source MAC address at any time. This allows it to stage malicious attacks on the devices in a network by impersonating a network adaptor authorized by the receiving network. Setting MAC address changes to Reject prevents VMs from changing their effective MAC address. It will affect applications that require this functionality, for example Microsoft Clustering, which requires systems to effectively share a MAC address. It will also affect how a layer 2 bridge operates, and applications that require a specific MAC address for licensing. An exception should be made for the dvPortgroups that these applications are connected to.

If the virtual machine operating system changes the MAC address, it can send frames with an impersonated source MAC address at any time. This allows it to stage malicious attacks on the devices in a network by impersonating a network adaptor authorized by the receiving network. Setting MAC address changes to Reject prevents VMs from changing their effective MAC address. It will affect applications that require this functionality, for example Microsoft Clustering, which requires systems to effectively share a MAC address. It will also affect how a layer 2 bridge operates, and applications that require a specific MAC address for licensing. An exception should be made for the port groups that these applications are connected to.

When promiscuous mode is enabled for a virtual switch, all virtual machines connected to a port group on that switch have the potential of reading all packets across that network, that is, the traffic of all virtual machines connected to that port group. Promiscuous mode is disabled by default on the ESX Server, and this is the recommended setting. However, there might be a legitimate reason to enable it for debugging, monitoring or troubleshooting. Security devices might require the ability to see all packets on a vSwitch. An exception should be made for the port groups that these applications are connected to, in order to allow full-time visibility to the traffic on that port group.

When promiscuous mode is enabled for a dvPortgroup, all virtual machines connected to the dvPortgroup have the potential of reading all packets across that network, that is, the traffic of all virtual machines connected to that dvPortgroup. Promiscuous mode is disabled by default on the ESX Server, and this is the recommended setting. However, there might be a legitimate reason to enable it for debugging, monitoring or troubleshooting. Security devices might require the ability to see all packets on a vSwitch. An exception should be made for the dvPortgroups that these applications are connected to, in order to allow full-time visibility to the traffic on that dvPortgroup.

The management network should be protected at the security level of the most secure virtual machine running on a host/cluster. If an attacker gains access to the management network, it provides the staging ground for further attack. No matter how the management network is restricted, there will always be a need for administrators to access this network to configure VMware vCenter Server and the VMware ESX/ESXi hosts. Instead of allowing client systems on this network, there are ways to enable access to management functionality in a strictly controlled manner.

In order to communicate with virtual switches in VST mode, external switch ports must be configured as trunk ports. VST mode does not support Dynamic Trunking Protocol (DTP), so the trunk must be static and unconditional. The auto or desirable physical switch settings do not work with the ESXi Server, because the physical switch communicates with the ESXi Server using DTP. The non-negotiate and on options unconditionally enable VLAN trunking on the physical switch and create a VLAN trunk link between the ESXi Server and the physical switch. The difference between the non-negotiate and on options is that on mode still sends out DTP frames, whereas non-negotiate does not. The non-negotiate option should be used for all VLAN trunks, to minimize unnecessary network traffic for virtual switches in VST mode.

Where an ESXi host has a guest VM that is configured to perform a bridging function, the VM will generate BPDU frames and send them out to the VDS. The VDS then forwards the BPDU frames through the network adapter to the physical switch port. When a switch port configured with BPDU guard receives the BPDU frame, the switch disables the port and the VM loses connectivity. To avoid this network failure scenario while running a software bridging function on an ESXi host, customers should disable the portfast and BPDU guard configuration on the port and run the spanning tree protocol.

When defining a physical switch port for trunk mode, care must be taken to ensure that only the specified VLANs are configured. It is considered best practice to permit only those VLANs required on the VLAN trunk link. The risk of not fully documenting all VLANs on the vSwitch is that a physical trunk port might be configured without needed VLANs, or with unneeded VLANs, potentially enabling an administrator to either accidentally or maliciously connect a VM to an unauthorized VLAN.

When connecting a virtual switch to a VLAN trunk port, you must be careful to properly configure both the virtual switch and the physical switch at the uplink port. If the physical switch is not properly configured, frames with the VLAN 802.1q header would be forwarded to a switch not expecting their arrival. The vSphere administrator should always ensure that virtual switch uplinks, acting as VLAN trunk links, are connected only to physical switch ports that function as trunk links. Misconfiguration of the physical switch ports might lead to undesirable performance, including frames being dropped or misdirected.
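As an added example (not part of the guide and not VMware's code), the following Python script applies the native-VLAN, reserved-VLAN, VGT and security-policy checks described above to captured output of the guide's own assessment commands, `esxcli network vswitch standard portgroup list` and `esxcli network vswitch standard policy security get -v <vSwitch>`, so the audit can run offline on exported data. The sample outputs are constructed to mirror the esxcli layout; the column names, the reserved ranges (taken from the Catalyst and Nexus figures quoted above) and all function names are assumptions.

```python
"""Offline audit of standard vSwitch port groups against the guide's VLAN and
security-policy checks (no-native-vlan, no-reserved-vlan, no-vgt-4095, and
forged transmits / MAC changes / promiscuous mode = Reject).

Input is captured output of the guide's assessment commands
`esxcli network vswitch standard portgroup list` and
`esxcli network vswitch standard policy security get -v <vSwitch>`.
"""
import re

# Reserved VLAN IDs named in the guide: Cisco Catalyst 1001-1024 and 4094,
# Nexus 3968-4047 and 4094. Adjust to your switch vendor's documentation.
RESERVED_VLANS = set(range(1001, 1025)) | set(range(3968, 4048)) | {4094}
VGT_VLAN = 4095  # Virtual Guest Tagging: all VLAN tags are passed to the guest

# Constructed sample in the layout of `esxcli network vswitch standard portgroup list`.
SAMPLE_PORTGROUPS = """\
Name                Virtual Switch  Active Clients  VLAN ID
------------------  --------------  --------------  -------
Management Network  vSwitch0                     1        0
VM Network          vSwitch0                     3        1
Backup              vSwitch1                     2     4094
Appliance Trunk     vSwitch1                     1     4095
Prod Web            vSwitch1                     5      100
"""

# Constructed sample in the layout of `esxcli ... policy security get -v vSwitch1`.
SAMPLE_SECURITY = """\
   Allow Promiscuous: false
   Allow MAC Address Change: true
   Allow Forged Transmits: true
"""


def parse_esxcli_table(text):
    """Turn an esxcli fixed-width table into a list of {column: value} dicts.

    Column boundaries come from the dashed separator line, so the parser does
    not depend on hard-coded widths; each column extends to the start of the
    next one and the last column runs to end of line.
    """
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if len(lines) < 2:
        return []
    header, separator = lines[0], lines[1]
    starts = [m.start() for m in re.finditer(r"-+", separator)]
    bounds = list(zip(starts, starts[1:] + [None]))
    names = [header[s:e].strip() for s, e in bounds]
    return [dict(zip(names, (line[s:e].strip() for s, e in bounds)))
            for line in lines[2:]]


def audit_vlan_ids(table_text, native_vlan=1, vgt_allowed=frozenset()):
    """Return (port group, vSwitch, VLAN ID, finding) for each violation.

    VLAN 0 means untagged and is left alone. Port groups on 4095 are reported
    unless they are on the VGT allow list (guests that manage their own tags).
    """
    findings = []
    for row in parse_esxcli_table(table_text):
        name, vswitch, vlan = row["Name"], row["Virtual Switch"], int(row["VLAN ID"])
        if vlan == VGT_VLAN:
            if name not in vgt_allowed:
                findings.append((name, vswitch, vlan, "VGT (4095) without exception"))
        elif vlan in RESERVED_VLANS:
            findings.append((name, vswitch, vlan, "reserved VLAN ID"))
        elif vlan == native_vlan:
            findings.append((name, vswitch, vlan, "native VLAN ID in use"))
    return findings


def parse_security_policy(text):
    """Parse the 'Key: value' lines of `policy security get` into {key: bool}."""
    policy = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            policy[key.strip()] = value.strip().lower() == "true"
    return policy


def audit_security_policy(text):
    """Return the settings still at Accept (true). The guide wants all three at
    Reject, i.e. `false`, set with `policy security set -v <vSwitch> -f/-m/-p false`."""
    return sorted(k for k, allowed in parse_security_policy(text).items() if allowed)


if __name__ == "__main__":
    for pg, vs, vlan, why in audit_vlan_ids(SAMPLE_PORTGROUPS):
        print(f"{vs}/{pg}: VLAN {vlan}: {why}")
    for setting in audit_security_policy(SAMPLE_SECURITY):
        print(f"vSwitch1: {setting} is Accept, should be Reject")
```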

Profile Control Type

1,2 Configuration

1,2,3 Operational

1,2,3 Operational

1,2,3 Operational

1,2,3 Operational

1 Configuration

2,3 Configuration

1 Configuration

2,3 Configuration

1 Configuration

2,3 Configuration

1,2,3 Operational

1,2,3 Operational

1,2,3 Operational

1,2,3 Configuration

1,2,3 Configuration

1,2 Configuration

1,2,3 Configuration

1,2,3 Configuration

1,2,3 Configuration

1,2,3 Configuration

1,2,3 Configuration

1,2,3 Configuration

1,2,3 Configuration

1 Configuration

2,3 Configuration

1,2,3 Operational

1,2,3 Operational

1,2,3 Operational

1,2,3 Operational

Assessment Procedure

As this guideline is used in conjunction with no-unused-dvports, there should be no extra ports available on any VDS dvPortgroup.
1. Monitor when the port count is automatically increased, by email or an SNMP trap.
   a. At the distributed portgroup level, click on the Alarms tab of the portgroup and create a new alarm.
   b. Under Event, add a new trigger called "dvPort group reconfigured".
   c. Click on "Advanced Conditions", select configSpec.autoExpand and set the condition to "equal to" true.
2. At an interval suitable to your organization's policies or industry best practices, verify that another virtual machine cannot be attached to each vSwitch and dvPortgroup in question. You should get an error indicating no free ports are available.
3. Regularly audit alerts or manually audit this setting, at a frequency acceptable to your organization's published guidelines or industry standards.

Log in to the physical switch and ensure that spanning tree protocol is disabled and/or portfast is configured for all physical ports connected to ESXi hosts.

From the vSphere Client, log in to vCS. Go to Home > Inventory > Networking. Select the dvSwitch and Edit Settings. Verify and record the PVLAN labels.

Verify by using the vSphere Client to connect to the vCenter Server as administrator:
1. Go to "Home > Inventory > Hosts and Clusters".
2. Select each ESXi host with virtual switches connected to active VMs requiring securing.
3. Go to "Configuration > Network > vSwitch(?) > Properties > Ports > [?Portgroup Name?] > VLAN ID".
4. Verify and record the VLAN IDs in a tracking system approved by your organization or following industry best practices.

From the vSphere Client, log in to vCS. Go to Home > Inventory > Networking. Select the dvSwitch and dvPortgroup and "Edit Settings > Policies > VLAN > VLAN ID". Verify and record the VLAN IDs in a tracking system approved by your organization or following industry best practices.

The vSphere management port group should be on a management-only vSwitch. Doing so avoids dependency on VLANs for isolation, which might be appropriate for certain environments. Check that the management-only vSwitch does not contain any non-management port groups.

The vSphere management port group should be in a dedicated VLAN on a common vSwitch. The vSwitch can be shared with production (virtual machine) traffic, as long as the vSphere management port group's VLAN is not used by production virtual machines. Check that the network segment is not routed, except possibly to networks where other management-related entities are found. In particular, make sure that production virtual machine traffic cannot be routed to this network.

Storage port groups should be on a management-only vSwitch. Doing so avoids dependency on VLANs for isolation, which might be appropriate for certain environments. Check that the vMotion port group vSwitch does not contain any nonmanagement port groups. Check that the physical network is not accessed by any other nonmanagement entity. Check that the storage port group vSwitch does not contain any nonmanagement port groups. Check that the physical network is not accessed by any other nonmanagement entity.

Storage port groups should be in a dedicated VLAN on a common vSwitch. The vSwitch can be shared with production (virtual machine) traffic, as long as the storage port group's VLAN is not used by production virtual machines. Check for usage of the VLAN ID on non-storage port groups. Check that the VLAN is isolated and not routed in the physical network.

The vMotion port group should be on a management-only vSwitch. Doing so avoids dependency on VLANs for isolation, which might be appropriate for certain environments. Check that the vMotion port group vSwitch does not contain any non-management port groups. Check that the physical network is not accessed by any other non-management entity.

The vMotion port group should be in a dedicated VLAN on a common vSwitch. The vSwitch can be shared with production (virtual machine) traffic, as long as the vMotion port group's VLAN is not used by production virtual machines. Check for usage of the VLAN ID on non-vMotion port groups. Check that the VLAN is isolated and not routed in the physical network.

1. From the vSphere Client, check the names of the different port groups. To check the port group names in the vSphere Client, connect to the vCenter Server and navigate to Home > Inventory > Networking. You will be able to view all the different port groups and determine whether the port group names are clearly labeled or should be renamed with a meaningful name.

With the vSphere Client, connect to the vCenter Server and navigate to Home > Inventory > Networking. You will be able to view all the different vSwitches and dvSwitches in that vCenter and determine whether the switches are clearly labeled.

Ensure that vSphere permissions to specific port groups are granted only to those individuals who need them.
1. Log in to the vCenter Server using the vSphere Client as a user with full Administrator Role rights to the Inventory object you are checking.
2. Select "[Inventory Object] > Permissions". Verify that the users assigned to this Inventory object have the appropriate Role.

If the default value of 1 for the native VLAN is being used, the ESXi Server virtual switch port groups should be configured with any value between 2 and 4094. Otherwise, ensure that the port group is not configured to use whatever value is set for the native VLAN.

VLAN ID setting on all port groups should not be set to reserved values of the physical switch.

Verify that the following three things are done.
1. Limit the port number on the dvSwitch portgroup:
   a. Connect to vCenter Server with the vSphere Client.
   b. In the Home > Inventory > Networking view, find all dvSwitches.
   c. For any dvSwitch with dvPortgroups, edit the settings for each dvPortgroup. Limit the number of ports in that port group to the number of allowed VM NICs connecting to that port group.

VLAN ID setting on all port groups should not be set to 4095 unless VGT is required.

Verify by using the vSphere Client to connect to the vCenter Server as administrator:
1. Go to "Home > Inventory > Hosts and clusters".
2. Select each ESXi host with active virtual switches connected to active VMs requiring securing.
3. Go to tab "Configuration > Network > vSwitch(?) > Properties > Ports > vSwitch > Default Policies > Security".
4. "Forged Transmits" = "Reject"

Verify by using the vSphere Client to connect to the vCenter Server as administrator:
1. Go to "Home > Inventory > Networking".
2. Select each dvPortgroup connected to active VMs requiring securing.
3. Go to tab "Summary > Edit Settings > Policies > Security".
4. "Forged Transmits" = "Reject"

Verify by using the vSphere Client to connect to the vCenter Server as administrator:
1. Go to "Home > Inventory > Networking".
2. Select each dvPortgroup connected to active VMs requiring securing.
3. Go to tab "Summary > Edit Settings > Policies > Security".
4. "Mac Address Changes" = "Reject"

Verify by using the vSphere Client to connect to the vCenter Server as administrator:
1. Go to "Home > Inventory > Hosts and clusters".
2. Select each ESXi host with active virtual switches connected to active VMs requiring securing.
3. Go to tab "Configuration > Network > vSwitch(?) > Properties > Ports > vSwitch > Default Policies > Security".
4. "Mac Address Changes" = "Reject"

Verify by using the vSphere Client to connect to the vCenter Server as administrator:
1. Go to "Home > Inventory > Hosts and clusters".
2. Select each ESXi host with active virtual switches connected to active VMs requiring securing.
3. Go to tab "Configuration > Network > vSwitch(?) > Properties > Ports > vSwitch > Default Policies > Security".
4. "Promiscuous Mode" = "Reject"

Verify by using the vSphere Client to connect to the vCenter Server as administrator:
1. Go to "Home > Inventory > Networking".
2. Select each dvPortgroup connected to active VMs requiring securing.
3. Go to tab "Summary > Edit Settings > Policies > Security".
4. "Promiscuous Mode" = "Reject"

Configure a controlled gateway or other controlled method to access the management network. For example, require that administrators connect to it via a VPN, and allow access only by trusted administrators.

Configure jump boxes that run the vSphere Client and other management clients (e.g. the vSphere Management Assistant). There are different industry-accepted ways to configure a jump box. The particular method should be chosen based upon a local risk assessment.

Log in to the physical switch and ensure that DTP is not enabled on the physical switch ports connected to the ESXi Host.

Routinely check that, for virtual machines that perform bridging or routing, the first upstream physical switch port is configured with BPDU Guard and Portfast disabled and Spanning Tree Protocol enabled.

Both standard and distributed vSwitch configurations can be viewed in the vSphere Client. For a vSwitch: Home > Inventory > Hosts and Clusters, then select an ESXi host in the Inventory panel on the left. In the Configuration tab, Hardware window, under Networking, select each vSwitch and, for each port group on the vSwitch, verify and record the VLAN IDs used. For dvSwitches, go to Home > Inventory > Networking and, for each dvSwitch in the inventory and each dvPortGroup in each dvSwitch, select Edit Settings > Policies > VLAN and verify and record the VLAN IDs. From the command line, for a standard vSwitch, "esxcfg-vswitch -l" will list all port groups and their VLAN association. Compare this list with the physical switch configuration.

Routinely check physical switch ports to ensure that they are properly configured as trunk ports if connected to virtual switch VLAN trunking ports.

Configuration File, Configuration Parameter, Desired Value and Change Type: N/A for every guideline in this section.

Is desired value the default?

vSphere API

ESXi Shell Command Assessment

N/A

http://www.vmware.com/support/developer/vcsdk/visdk41pubs/ApiReference/vim.dvs.DistributedVirtualPortgroup.html
http://www.vmware.com/support/developer/vcsdk/visdk41pubs/ApiReference/vim.alarm.AlarmManager.html
N/A

N/A

http://www.vmware.com/support/developer/vcsdk/visdk41pubs/ApiReference/vim.dvs.VmwareDistributedVirtualSwitch.ConfigInfo.html
N/A

N/A

# esxcli network vswitch standard portgroup list

N/A

http://pubs.vmware.com/vsphere50/index.jsp?topic=%2Fcom.vmware.wssdk.apiref.doc_50%2Fvim.dvs.VmwareDistributedVirtualSwitch.VlanSpec.html
N/A

N/A

http://www.vmware.com/support/developer/vcsdk/visdk41pubs/ApiReference/vim.host.PortGroup.html
# esxcli network vswitch standard portgroup list

N/A

http://www.vmware.com/support/developer/vcsdk/visdk41pubs/ApiReference/vim.host.PortGroup.html
# esxcli network vswitch standard list

N/A

http://pubs.vmware.com/vsphere50/index.jsp?topic=%2Fcom.vmware.wssdk.apiref.doc_50%2Fvim.AuthorizationManager.html
N/A

N/A

http://pubs.vmware.com/vsphere50/index.jsp?topic=%2Fcom.vmware.wssdk.apiref.doc_50%2Fvim.host.PortGroup.Specification.html
http://pubs.vmware.com/vsphere50/index.jsp?topic=%2Fcom.vmware.wssdk.apiref.doc_50%2Fvim.host.PortGroup.Specification.html

# esxcli network vswitch standard portgroup list

# esxcli network vswitch standard portgroup list

N/A

http://pubs.vmware.com/vsphere50/index.jsp?topic=%2Fcom.vmware.wssdk.apiref.doc_50%2Fvim.dvs.DistributedVirtualPortgroup.html
N/A
http://pubs.vmware.com/vsphere50/index.jsp?topic=%2Fcom.vmware.wssdk.apiref.doc_50%2Fvim.host.PortGroup.Specification.html
# esxcli network vswitch standard portgroup list

N/A

http://pubs.vmware.com/vsphere50/index.jsp?topic=%2Fcom.vmware.wssdk.apiref.doc_50%2Fvim.host.NetworkPolicy.SecurityPolicy.html
# esxcli network vswitch standard policy security get -v [VSWITCH]

N/A

http://pubs.vmware.com/vsphere50/index.jsp?topic=%2Fcom.vmware.wssdk.apiref.doc_50%2Fvim.dvs.VmwareDistributedVirtualSwitch.SecurityPolicy.html
N/A

N/A

http://pubs.vmware.com/vsphere50/index.jsp?topic=%2Fcom.vmware.wssdk.apiref.doc_50%2Fvim.dvs.VmwareDistributedVirtualSwitch.SecurityPolicy.html
N/A

N/A

http://pubs.vmware.com/vsphere50/index.jsp?topic=%2Fcom.vmware.wssdk.apiref.doc_50%2Fvim.host.NetworkPolicy.SecurityPolicy.html
# esxcli network vswitch standard policy security get -v [VSWITCH]

N/A

http://pubs.vmware.com/vsphere50/index.jsp?topic=%2Fcom.vmware.wssdk.apiref.doc_50%2Fvim.host.NetworkPolicy.SecurityPolicy.html
# esxcli network vswitch standard policy security get -v [VSWITCH]

N/A

http://pubs.vmware.com/vsphere50/index.jsp?topic=%2Fcom.vmware.wssdk.apiref.doc_50%2Fvim.dvs.VmwareDistributedVirtualSwitch.SecurityPolicy.html
N/A

N/A

http://www.vmware.com/support/developer/vcsdk/visdk41pubs/ApiReference/vim.host.PortGroup.Specification.html
# esxcli network vswitch standard portgroup list

N/A

ESXi Shell Command Remediation

vCLI Command Assessment

vCLI Command Remediation

N/A

# esxcli <conn_options> network vswitch standard portgroup list
N/A

N/A

# esxcli <conn_options> network vswitch standard portgroup list
N/A

N/A

# esxcli <conn_options> network vswitch standard list
N/A

N/A

# esxcli <conn_options> network vswitch standard portgroup list
N/A
# esxcli <conn_options> network vswitch standard portgroup list
N/A

N/A

# esxcli <conn_options> network vswitch standard portgroup list
N/A

# esxcli network vswitch standard policy security set -v vSwitch2 -f false
# esxcli <conn_options> network vswitch standard policy security get -v [VSWITCH]

# esxcli <conn_options> network vswitch standard policy security set -v vSwitch2 -f false

N/A

# esxcli network vswitch standard policy security set -v vSwitch2 -m false
# esxcli <conn_options> network vswitch standard policy security get -v [VSWITCH]

# esxcli <conn_options> network vswitch standard policy security set -v vSwitch2 -m false

# esxcli network vswitch standard policy security set -v vSwitch2 -p false
# esxcli <conn_options> network vswitch standard policy security get -v [VSWITCH]

# esxcli <conn_options> network vswitch standard policy security set -v vSwitch2 -p false

N/A

# esxcli <conn_options> network vswitch standard portgroup list
N/A

N/A

PowerCLI Command Assessment

PowerCLI Command Remediation

# Check if auto expand is enabled on vDS
Get-VirtualPortGroup -Distributed | Select Name, @{N="AutoExpand";E={$_.ExtensionData.Config.AutoExpand}}

# List all dvSwitches and their Portgroups, VLAN Type and Ids
Foreach ($dPG in (Get-VirtualPortGroup -Distributed)) {
  # The VLAN setting is one of three VlanSpec subtypes; pick the ID field that matches
  Switch ((($dPG.ExtensionData.Config.DefaultPortConfig.Vlan).GetType()).Name) {
    VmwareDistributedVirtualSwitchPvlanSpec {
      $Type = "Private VLAN"
      $VLAN = $dPG.ExtensionData.Config.DefaultPortConfig.Vlan.pVlanId
    }
    VmwareDistributedVirtualSwitchTrunkVlanSpec {
      $Type = "VLAN Trunk"
      $VLAN = ($dPG.ExtensionData.Config.DefaultPortConfig.Vlan.VlanID | Select Start, End)
    }
    VmwareDistributedVirtualSwitchVlanIdSpec {
      $Type = "VLAN"
      $VLAN = $dPG.ExtensionData.Config.DefaultPortConfig.Vlan.vlanID
    }
    default {
      # Unknown subtype: report its type name and no ID
      $Type = (($dPG.ExtensionData.Config.DefaultPortConfig.Vlan).GetType()).Name
      $VLAN = $null
    }
  }
  # The source text is truncated here; this output line is an assumed completion
  $dPG | Select Name, @{N="VLANType";E={$Type}}, @{N="VLANID";E={$VLAN}}
}

# List all vSwitches, their Portgroups and VLAN Ids Get-VirtualPortGroup -Standard | Select virtualSwitch, Name, VlanID

# List all dvSwitches and their Portgroups, VLAN Type and Ids
Foreach ($dPG in (Get-VirtualPortGroup -Distributed)) {
  Switch ((($dPG.ExtensionData.Config.DefaultPortConfig.Vlan).GetType()).Name) {
    VmwareDistributedVirtualSwitchPvlanSpec {
      $Type = "Private VLAN"
      $VLAN = $dPG.ExtensionData.Config.DefaultPortConfig.Vlan.pVlanID
    }
    VmwareDistributedVirtualSwitchTrunkVlanSpec {
      $Type = "VLAN Trunk"
      $VLAN = ($dPG.ExtensionData.Config.DefaultPortConfig.Vlan.VlanID | Select Start, End)
    }
    VmwareDistributedVirtualSwitchVlanIdSpec {
      $Type = "VLAN"
      $VLAN = $dPG.ExtensionData.Config.DefaultPortConfig.Vlan.vlanID
    }
    default {
      # Unknown VLAN spec type: report the type name itself
      $Type = (($dPG.ExtensionData.Config.DefaultPortConfig.Vlan).GetType()).Name
      $VLAN = "N/A"
    }
  }
  # Output one row per distributed port group (the source cell is cut off after the default branch; this completes it)
  New-Object PSObject -Property @{PortGroup=$dPG.Name; VLANType=$Type; VLAN=$VLAN}
}

# List all Portgroups Get-VirtualPortGroup

# List all vSwitches Get-VirtualSwitch

# List all vSwitches, their Portgroups and VLAN Ids
Get-VirtualPortGroup -Standard | Select virtualSwitch, Name, VlanID

# List all vSwitches, their Portgroups and VLAN Ids
Get-VirtualPortGroup -Standard | Select virtualSwitch, Name, VlanID

# Check for the number of free ports on all VDS PortGroups
Function Get-FreeVDSPort {
  Param (
    [parameter(Mandatory=$true,ValueFromPipeline=$true)]
    $VDSPG
  )
  Process {
    $nicTypes = "VirtualE1000","VirtualE1000e","VirtualPCNet32","VirtualVmxnet","VirtualVmxnet2","VirtualVmxnet3"
    $ports = @{}
    # Start with every port key in the port group, then remove the keys that a VM NIC is using
    $VDSPG.ExtensionData.PortKeys | Foreach { $ports.Add($_,$VDSPG.Name) }
    $VDSPG.ExtensionData.Vm | Foreach {
      $VMView = Get-View $_
      $nic = $VMView.Config.Hardware.Device | where {$nicTypes -contains $_.GetType().Name -and $_.Backing.GetType().Name -match "Distributed"}
      $nic | where {$_.Backing.Port.PortKey} | Foreach {$ports.Remove($_.Backing.Port.PortKey)}
    }
    # The source cell is cut off here; this completes it by reporting the remaining free ports
    New-Object PSObject -Property @{PortGroup=$VDSPG.Name; FreePorts=$ports.Count}
  }
}
Get-VirtualPortGroup -Distributed | Get-FreeVDSPort

# List all vSwitches, their Portgroups and VLAN Ids Get-VirtualPortGroup -Standard | Select virtualSwitch, Name, VlanID

# List all vSwitches and their Security Settings
Get-VirtualSwitch -Standard | Select VMHost, Name, `
  @{N="MacChanges";E={if ($_.ExtensionData.Spec.Policy.Security.MacChanges) { "Accept" } Else { "Reject"} }}, `
  @{N="PromiscuousMode";E={if ($_.ExtensionData.Spec.Policy.Security.PromiscuousMode) { "Accept" } Else { "Reject"} }}, `
  @{N="ForgedTransmits";E={if ($_.ExtensionData.Spec.Policy.Security.ForgedTransmits) { "Accept" } Else { "Reject"} }}

# List all dvPortGroups and their Security Settings
Get-VirtualPortGroup -Distributed | Select Name, `
  @{N="MacChanges";E={if ($_.ExtensionData.Config.DefaultPortConfig.SecurityPolicy.MacChanges.Value) { "Accept" } Else { "Reject"} }}, `
  @{N="PromiscuousMode";E={if ($_.ExtensionData.Config.DefaultPortConfig.SecurityPolicy.AllowPromiscuous.Value) { "Accept" } Else { "Reject"} }}, `
  @{N="ForgedTransmits";E={if ($_.ExtensionData.Config.DefaultPortConfig.SecurityPolicy.ForgedTransmits.Value) { "Accept" } Else { "Reject"} }}

# List all dvPortGroups and their Security Settings
Get-VirtualPortGroup -Distributed | Select Name, `
  @{N="MacChanges";E={if ($_.ExtensionData.Config.DefaultPortConfig.SecurityPolicy.MacChanges.Value) { "Accept" } Else { "Reject"} }}, `
  @{N="PromiscuousMode";E={if ($_.ExtensionData.Config.DefaultPortConfig.SecurityPolicy.AllowPromiscuous.Value) { "Accept" } Else { "Reject"} }}, `
  @{N="ForgedTransmits";E={if ($_.ExtensionData.Config.DefaultPortConfig.SecurityPolicy.ForgedTransmits.Value) { "Accept" } Else { "Reject"} }}

# List all vSwitches and their Security Settings
Get-VirtualSwitch -Standard | Select VMHost, Name, `
  @{N="MacChanges";E={if ($_.ExtensionData.Spec.Policy.Security.MacChanges) { "Accept" } Else { "Reject"} }}, `
  @{N="PromiscuousMode";E={if ($_.ExtensionData.Spec.Policy.Security.PromiscuousMode) { "Accept" } Else { "Reject"} }}, `
  @{N="ForgedTransmits";E={if ($_.ExtensionData.Spec.Policy.Security.ForgedTransmits) { "Accept" } Else { "Reject"} }}

# List all vSwitches and their Security Settings
Get-VirtualSwitch -Standard | Select VMHost, Name, `
  @{N="MacChanges";E={if ($_.ExtensionData.Spec.Policy.Security.MacChanges) { "Accept" } Else { "Reject"} }}, `
  @{N="PromiscuousMode";E={if ($_.ExtensionData.Spec.Policy.Security.PromiscuousMode) { "Accept" } Else { "Reject"} }}, `
  @{N="ForgedTransmits";E={if ($_.ExtensionData.Spec.Policy.Security.ForgedTransmits) { "Accept" } Else { "Reject"} }}

# List all dvPortGroups and their Security Settings
Get-VirtualPortGroup -Distributed | Select Name, `
  @{N="MacChanges";E={if ($_.ExtensionData.Config.DefaultPortConfig.SecurityPolicy.MacChanges.Value) { "Accept" } Else { "Reject"} }}, `
  @{N="PromiscuousMode";E={if ($_.ExtensionData.Config.DefaultPortConfig.SecurityPolicy.AllowPromiscuous.Value) { "Accept" } Else { "Reject"} }}, `
  @{N="ForgedTransmits";E={if ($_.ExtensionData.Config.DefaultPortConfig.SecurityPolicy.ForgedTransmits.Value) { "Accept" } Else { "Reject"} }}

# List all vSwitches, their Portgroups and VLAN Ids Get-VirtualPortGroup -Standard | Select virtualSwitch, Name, VlanID

Negative Functional Impact

Reference

http://kb.vmware.com/kb/1022312

http://kb.vmware.com/KB/1010691

At least one additional physical network adaptor must be dedicated to management (more if network adaptor teaming is used). This might greatly increase the cost of the physical networking infrastructure required. In resource-constrained environments (such as blades), this might not be possible to achieve.

At least one additional physical network adaptor must be dedicated to management (more if network adaptor teaming is used). This might greatly increase the cost of the physical networking infrastructure required. In resource-constrained environments (such as blades), this might not be possible to achieve.

At least one additional physical network adaptor must be dedicated to management (more if network adaptor teaming is used). This might greatly increase the cost of the physical networking infrastructure required. In resource-constrained environments (such as blades), this might not be possible to achieve.

http://kb.vmware.com/kb/1020757

The vswitch or dvPortgroup on the VDS will not have any extra available port capacity.

This will prevent VMs from changing their effective MAC address. This will affect applications that require this functionality. An example of an application like this is Microsoft Clustering, which requires systems to effectively share a MAC address. This will also affect how a layer 2 bridge will operate. This will also affect applications that require a specific MAC address for licensing. An exception should be made for the port groups that these applications are connected to.

This will prevent VMs from changing their effective MAC address. This will affect applications that require this functionality. An example of an application like this is Microsoft Clustering, which requires systems to effectively share a MAC address. This will also affect how a layer 2 bridge will operate. This will also affect applications that require a specific MAC address for licensing. An exception should be made for the dvPortgroups that these applications are connected to.

This will prevent VMs from changing their effective MAC address. It will affect applications that require this functionality. An example of an application like this is Microsoft Clustering, which requires systems to effectively share a MAC address. This will also affect how a layer 2 bridge will operate. This will also affect applications that require a specific MAC address for licensing. An exception should be made for the dvPortgroups that these applications are connected to.

This will prevent VMs from changing their effective MAC address. It will affect applications that require this functionality. An example of an application like this is Microsoft Clustering, which requires systems to effectively share a MAC address. This will also affect how a layer 2 bridge will operate. This will also affect applications that require a specific MAC address for licensing. An exception should be made for the port groups that these applications are connected to.

Security devices that require the ability to see all packets on a vSwitch will not operate properly if the Promiscuous Mode parameter is set to Reject.

Security devices that require the ability to see all packets on a vSwitch will not operate properly if the Promiscuous Mode parameter is set to Reject.

http://kb.vmware.com/KB/1008127

ID

Product Version

Component

Subcomponent

apply-os-patches

vSphere 5.0

vCenter

Host

apply-vum-os-patches

vSphere 5.0

vCenter

VUM

avoid-vum-self-management

vSphere 5.0

vCenter

VUM

block-unused-ports

vSphere 5.0

vCenter

Communication

check-privilege-reassignment

vSphere 5.0

vCenter

Access

disable-datastore-browser

vSphere 5.0

vCenter

Communication

disable-mob

vSphere 5.0

vCenter

Communication

install-with-service-account

vSphere 5.0

vCenter

Host

isolate-vum-airgap

vSphere 5.0

vCenter

VUM

isolate-vum-proxy

vSphere 5.0

vCenter

VUM

isolate-vum-webserver

vSphere 5.0

vCenter

VUM

limit-user-login

vSphere 5.0

vCenter

Host

limit-vum-server-user-login

vSphere 5.0

vCenter

VUM

monitor-admin-assignment

vSphere 5.0

vCenter

Access

monitor-certificate-access

vSphere 5.0

vCenter

Host

no-self-signed-certs

vSphere 5.0

vCenter

Communication

no-vum-self-signed-certs

vSphere 5.0

vCenter

VUM

remove-expired-certificates

vSphere 5.0

vCenter

Host

remove-failed-install-logs

vSphere 5.0

vCenter

Host

remove-revoked-certificates

vSphere 5.0

vCenter

Host

restrict-admin-privilege

vSphere 5.0

vCenter

Access

restrict-admin-role

vSphere 5.0

vCenter

Access

restrict-certificate-access

vSphere 5.0

vCenter

Host

restrict-guest-control

vSphere 5.0

vCenter

Access

restrict-Linux-clients

vSphere 5.0

vCenter

Client

restrict-network-access

vSphere 5.0

vCenter

Communication

restrict-vcs-db-user

vSphere 5.0

vCenter

Database

restrict-vum-db-user

vSphere 5.0

vCenter

VUM

secure-vcenter-os

vSphere 5.0

vCenter

Host

secure-vum-os

vSphere 5.0

vCenter

VUM

thick-client-timeout

vSphere 5.0

vCenter

Client

use-supported-system

vSphere 5.0

vCenter

Host

verify-client-plugins

vSphere 5.0

vCenter

Client

verify-ssl-certificates

vSphere 5.0

vCenter

Client

Title

Keep vCenter Server system properly patched.

Keep Update Manager system properly patched.

Do not configure Update Manager to manage its own VM or the VM of its vCenter Server.

Block access to ports not being used by vCenter.

Check for privilege re-assignment after vCenter Server restarts.

Disable datastore browser.

Disable managed object browser.

Install vCenter Server using a service account instead of a built-in Windows account.

Limit the connectivity between Update Manager and public patch repositories.

Limit the connectivity between Update Manager and public patch repositories.

Limit the connectivity between Update Manager and public patch repositories.

Avoid unneeded user login to vCenter Server system.

Avoid user login to Update Manager system.

Monitor that vCenter Server administrative users have the correct Roles assigned.

Monitor access to SSL certificates.

Do not use default self-signed certificates.

Do not use default self-signed certificates.

Remove expired certificates from vCenter Server.

Clean up log files after failed installations of vCenter Server

Remove revoked certificates from vCenter Server.

Secure the vSphere Administrator role and assign it to specific users.

Secure the vSphere Administrator role and assign it to specific users.

Restrict access to SSL certificates.

Restrict unauthorized vSphere users from being able to execute commands within the guest virtual machine.

Restrict the use of Linux-based clients.

Restrict network access to vCenter Server system.

Use least privileges for the vCenter Server database user.

Use least privileges for the Update Manager database user.

Provide Windows system protection on the vCenter Server host.

Provide Windows system protection on the Update Manager system.

Set a timeout for thick-client login without activity.

Maintain supported operating system, database, and hardware for vCenter.

Verify vSphere Client plugins

Always verify SSL certificates.

Vulnerability Discussion

Profile

By staying up to date on Windows patches, vulnerabilities in the OS can be mitigated. If an attacker can obtain access and elevate privileges on the vCenter Server system, they can then take over the entire vSphere deployment. 1,2,3

By staying up to date on Windows patches, vulnerabilities in the OS can be mitigated. If an attacker can obtain access and elevate privileges on the Update Manager system, it can compromise the patching process.

1,2,3

Although you can install both Update Manager and vCenter Server on VMs and place them on the same ESXi host, you should not configure Update Manager to manage the updates on those VMs. Upon scanning and remediation, the virtual machine on which Update Manager and vCenter Server are installed can reboot and the whole deployment system will shut down. 1,2,3

Blocking unneeded ports can militate against general attacks on the Windows system. A local firewall on the Windows system of vCenter, or a network firewall, can be used to block access to ports not specifically being used by vCenter. Here is a partial list of examples of where ports might be blocked: (636/TCP) If the vCenter will not be part of a linked-mode vCenter group; (1521/TCP) If the vCenter DB is not Oracle. 1,2

During a restart of vCenter Server, if the user or user group that is assigned Administrator Role on the root folder could not be verified as a valid user/group during the restart, the user/group's permission as Administrator will be removed. In its place, vCenter Server grants the Administrator role to the local Windows administrators group, to act as a new vCenter Server administrator. Since it is not recommended to grant vCenter Server Administrator rights to Windows Administrators, this results in a situation that should be rectified by reestablishing a legitimate administrator account. 1,2

The datastore browser enables you to view all the datastores associated with the vSphere deployment, including all folders and files contained in them, such as VM files. This is governed by the user's permissions on vCenter Server. In some cases, you might want to disable the datastore browser to eliminate the risk of having an open interface that is not being used. 1

The managed object browser provides a way to explore the object model used by the vCenter to manage the vSphere environment; it enables configurations to be changed as well. This interface is used primarily for debugging the vSphere SDK. This interface might potentially be used to perform malicious configuration changes or actions. 1,2

You can use the Microsoft Windows built-in system account or a user account to run vCenter Server. With a user account, you can enable Windows authentication for SQL Server; it also provides more security. The user account must be an administrator on the local machine. In the installation wizard, you specify the account name as DomainName\Username. If you are using SQL Server for the vCenter database, you must configure the SQL Server database to allow the domain account access to SQL Server. Even if you do not plan to use Microsoft Windows authentication for SQL Server, or if you are using an Oracle database, you might want to set up a local user account for the vCenter Server system. In this case, the only requirement is that the user account is an administrator on the local machine. The Microsoft Windows built-in system account has more permissions and rights on the server than the vCenter Server system requires, which can contribute to security problems. 1,2

In a typical deployment, Update Manager connects to public patch repositories on the Internet to download patches. This connection should be limited as much as possible to prevent access from the outside to the Update Manager system. Any channel to the Internet represents a threat. 1

In a typical deployment, Update Manager connects to public patch repositories on the Internet to download patches. This connection should be limited as much as possible to prevent access from the outside to the Update Manager system. Any channel to the Internet represents a threat. 3

In a typical deployment, Update Manager connects to public patch repositories on the Internet to download patches. This connection should be limited as much as possible to prevent access from the outside to the Update Manager system. Any channel to the Internet represents a threat. 2

After someone has logged in to the vCenter Server system, it becomes more difficult to limit what they can do. In general, logging in to the vCenter Server system should be limited to very privileged administrators, and then only for the purpose of administering vCenter Server or the host OS. Anyone logged in to the vCenter Server can potentially cause harm, either intentionally or unintentionally, by altering settings and modifying processes. They also have potential access to vCenter credentials, such as the SSL certificate. 1,2,3

After someone has logged in to the Update Manager system, it becomes more difficult to limit what they can do. In general, logging in to the Update Manager system should be limited to very privileged administrators, and then only for the purpose of administering Update Manager or the host OS. Anyone logged in to the Update Manager can potentially cause harm, either intentionally or unintentionally, by altering settings and modifying processes.

1,2,3

Monitor that administrative users are only assigned privileges they require. Least Privilege requires that these privileges should only be assigned if needed, to reduce risk of confidentiality, availability or integrity loss. At an interval suitable to industry best practices or your organization's standards, verify in vCenter Server using the vSphere Client: 1. That a non-guest access role was created without these privileges. 2. This role is assigned to users who need administrator privileges excluding those allowing file and program interaction within the guests. 1,2

The directory that contains the SSL certificates only needs to be accessed by the service account user on a regular basis. Occasionally, the vCenter Server system administrator might need to access it for support purposes. The SSL certificate can be used to impersonate vCenter and decrypt the vCenter database password. 1,2

Self-signed certificates are automatically generated by vCenter Server during the installation process, are not signed by a commercial CA, and might not provide strong security. Replace default self-signed certificates with those from a trusted certification authority, either a commercial CA or an organizational CA. The use of default certificates leaves the SSL connection open to MiTM attacks. Changing the default certificates to trusted CA-signed certificates mitigates the potential for MiTM attacks. 1,2,3

Self-signed certificates are automatically generated by Update Manager during the installation process, are not signed by a commercial CA, and might not provide strong security. Replace default self-signed certificates with those from a trusted certification authority, either a commercial CA or an organizational CA. The use of default certificates leaves the SSL connection open to MiTM attacks. Changing the default certificates to trusted CA-signed certificates mitigates the potential for MiTM attacks. 1,2,3

If expired certificates are not removed from the vCenter Server, the user can be subject to a MiTM attack, which potentially might enable compromise through impersonation with the user's credentials to the vCenter Server system.

1,2,3

In certain cases, if the vCenter installation fails, a log file (with a name of the form hs_err_pidXXXX) is created that contains the database password in plain text. An attacker who breaks into the vCenter Server could potentially steal this password and access the vCenter Database. 1,2,3

If revoked certificates are not removed from the vCenter Server, the user can be subject to a MiTM attack, which potentially might enable compromise through impersonation with the user's credentials to the vCenter Server system.

1,2,3

By default, vCenter Server grants full administrative rights to the local administrators account, which can be accessed by domain administrators. Separation of duties dictates that full vSphere administrative rights should be granted only to those administrators who are required to have it. This privilege should not be granted to any group whose membership is not strictly controlled. Therefore, administrative rights should be removed from the local Windows administrator account and instead be given to a special-purpose local vSphere administrator account. This account should be used to create individual user accounts. 3

By default, vCenter Server grants full administrative rights to the local administrators account, which can be accessed by domain administrators. Separation of duties dictates that full vSphere administrative rights should be granted only to those administrators who are required to have it. This privilege should not be granted to any group whose membership is not strictly controlled. Therefore, administrative rights should be removed from the local Windows administrator account and instead be given to a special-purpose local vSphere administrator account. This account should be used to create individual user accounts. 1,2

The SSL certificate can be used to impersonate vCenter and decrypt the vCenter database password. By default, only the service user account and the vCenter Server administrators can access the directory containing the SSL certificates. The directory that contains the SSL certificates only needs to be accessed by the service account user on a regular basis. Occasionally, when collecting data for support purposes, the vCenter Server system administrator might need to access it. The permissions should be checked on a regular basis to ensure they have not been changed to add unauthorized users. 1

By default, vCenter Server "Administrator" role allows users to interact with files and programs inside a virtual machine's guest operating system. Least Privilege requires that this privilege should not be granted to any users who are not authorized, to reduce risk of Guest confidentiality, availability or integrity loss. To prevent such loss, a non-guest access role should be created without these privileges. This role can be used by users who need administrator privileges excluding those allowing file and program interaction within the guests. 1,2

Although SSL-based encryption is used to protect communication between client components and vCenter Server or ESXi, the Linux versions of these components do not perform certificate validation. Even if you have replaced the self-signed certificates on vCenter and ESXi with legitimate certificates signed by your local root certificate authority or a third party, communications with Linux clients are still vulnerable to MiTM attacks. With proper controls, this restriction can be relaxed if deemed appropriate. These controls include:
- Restriction of management network access only to authorized systems
- Use of firewalls to restrict access to vCenter only by authorized hosts
- Use of jump-box systems for exclusive access to vCenter
Options include: instruct administrators, especially those who have high levels of privileges, not to use Linux-based clients when connecting to vCenter Server; make use of a jump-box architecture so that the only Linux clients are those behind the jump box. 1,2

Restrict access to only those essential components required to communicate with vCenter. Blocking access by unnecessary systems reduces the potential for general attacks on the operating system. Restricting access to only those essential components required to communicate with vCenter minimizes risk. 1,2

vCenter requires only certain specific privileges on the database. Furthermore, certain privileges are required only for installation and upgrade, and can be removed during normal operation. These privileges should be added again if another upgrade must be performed. Least privilege mitigates attacks if the vCenter database account is compromised.

1,2,3

Update Manager requires certain privileges on its database user in order to install, and the installer automatically checks for these. These are documented in the VMware Update Manager Administration Guide. However, after installation, only a small number of privileges are required for operation. The privileges on the VUM database user can be reduced during normal operation. These privileges should be added again if an upgrade or uninstall must be performed. Least privilege mitigates attacks if the Update Manager database account is compromised. 1,2,3

By providing OS-level protection, vulnerabilities in the OS can be mitigated. This protection includes antivirus, antimalware, and similar measures. If an attacker can obtain access and elevate privileges on the vCenter Server system, they can then take over the entire vSphere deployment. 1,2,3

By providing OS-level protection, vulnerabilities in the OS can be mitigated. This protection includes antivirus, antimalware, and similar measures. If an attacker can obtain access and elevate privileges on the vCenter Server system, they can then take over the entire vSphere deployment. 1,2,3

You can set an inactivity timeout for the vSphere Client (Thick client). This client-side setting can be changed by the user, so it must be set by default and re-audited. Closing sessions automatically reduces the potential for unauthorized access to vCenter, minimizing risk. 1,2,3

vCenter Server resides on a Windows-based operating system and therefore requires a supported version of Windows. If vCenter is not running on a supported OS, it might not run properly. An attacker might be able to take advantage of this to perform a DoS attack or worse.

1,2,3

vCenter Server includes a vSphere Client extensibility framework, which provides the ability to extend the vSphere Client with menu selections or toolbar icons that provide access to vCenter Server add-on components or external, Web-based functionality. vSphere Client plugins or extensions run at the same privilege level as the user logged in. A malicious extension might masquerade as something useful but then do harmful things such as stealing credentials or misconfiguring the system. 1,2,3

Without certificate verification, the user can be subject to a MiTM attack, which potentially might enable compromise through impersonation with the users credentials to the vCenter Server system. When connecting to vCenter Server using vSphere Client, the client checks to see if the certificate being presented can be verified by a trusted third party. If it cannot be, the user is presented with a warning and the option to ignore this check. This warning should not be ignored; if an administrator is presented with this warning, they should inquire further about it before proceeding. 1,2,3

Control Type

Operational

Operational

Configuration

Configuration

Operational

Parameter

Parameter

Configuration

Configuration

Configuration

Configuration

Operational

Operational

Operational

Operational

Configuration

Configuration

Operational

Operational

Operational

Operational

Operational

Configuration

Operational

Operational

Operational

Configuration

Configuration

Operational

Operational

Parameter

Configuration

Operational

Operational

Assessment Procedure

Employ a system to keep the vCenter Server system up to date with patches in accordance with industry-standard guidelines, or internal guidelines where appropriate.

Employ a system to keep the Update Manager system up to date with patches in accordance with industry-standard guidelines, or internal guidelines where appropriate.

Verify that Update Manager does not manage the patching of the VM on which it runs, nor the VM on which the associated vCenter Server runs.

Verify that unused network protocol/port pairs are blocked to/from the vCenter Server. A list of ports used by vCenter can be found in this VMware Knowledge Base article: http://kb.vmware.com/kb/1012382. Make sure not to block any ports for functionality that is actually in use in your environment.

Any time that vCenter Server restarts, the log file should be scanned to ensure that no privileges were re-assigned. For the location of vCenter Server log files, please see this KB: http://kb.vmware.com/kb/1021804. In the Windows Application log, look for an entry like:
Log Name: Application
Source: VMware VirtualCenter Server
Date: M/DD/YYYY H:MM:SS PM
Event ID: 1000
Task Category: None
Level: Warning
Keywords: Classic
User: N/A
Computer: [vCenter Server]
Description: Removing permission for entity "<group name>", group "DOMAIN\Account", role -1. Reason: User or group not found.

To verify the datastore browser is disabled, edit the vpxd.cfg file and ensure that the following element is set: <enableHttpDatastoreAccess>false</enableHttpDatastoreAccess> This should be the only occurrence of this element, and it should be within the <vpxd>...</vpxd> element in vpxd.cfg. Also verify there was a restart of the vCenter Service to make the config file change apply. This may restart other related VMware services.

Verify the managed object browser is disabled by viewing/editing the vpxd.cfg file, and checking that the following element is set: <enableDebugBrowse>false</enableDebugBrowse> This should be the only occurrence of this element, and it should be within the <vpxd> ... </vpxd> element in vpxd.cfg.
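An offline check of the two vpxd.cfg elements named above, added here as example code that is not part of the VMware guide. It parses a constructed, trimmed vpxd.cfg (a real file carries many more elements under <config>), reports each element as missing, duplicated, misplaced outside <vpxd>, enabled, or ok, and can rewrite the file so that each element appears exactly once under <vpxd> with the value false. The vCenter Server service still has to be restarted for a change to take effect.

```python
"""Check the datastore browser and MOB switches in vpxd.cfg.

Added example (not from the VMware guide). SAMPLE_CFG is a constructed,
trimmed vpxd.cfg; a real file has many more elements under <config>.
"""
import xml.etree.ElementTree as ET

# Elements the guide requires to be false, exactly once, directly under <vpxd>.
REQUIRED_FALSE = ("enableHttpDatastoreAccess", "enableDebugBrowse")


def check_vpxd_cfg(xml_text):
    """Return {element name: 'ok' or a short reason the check fails}."""
    root = ET.fromstring(xml_text)
    results = {}
    for name in REQUIRED_FALSE:
        anywhere = root.findall(".//" + name)        # occurrences at any depth
        under_vpxd = root.findall("./vpxd/" + name)  # direct children of <vpxd>
        if not anywhere:
            results[name] = "missing"
        elif len(anywhere) > 1:
            results[name] = "duplicate (%d occurrences)" % len(anywhere)
        elif not under_vpxd:
            results[name] = "misplaced (not inside <vpxd>)"
        elif (anywhere[0].text or "").strip().lower() != "false":
            results[name] = "enabled (value %r)" % (anywhere[0].text or "")
        else:
            results[name] = "ok"
    return results


def harden_vpxd_cfg(xml_text):
    """Return config text with each element set to false exactly once under <vpxd>.

    Every stray or duplicate occurrence is removed first, so the result passes
    check_vpxd_cfg(). Write it back and restart the vCenter Server service.
    """
    root = ET.fromstring(xml_text)
    vpxd = root.find("vpxd")
    if vpxd is None:
        vpxd = ET.SubElement(root, "vpxd")
    for name in REQUIRED_FALSE:
        for parent in list(root.iter()):
            for child in list(parent):
                if child.tag == name:
                    parent.remove(child)
        ET.SubElement(vpxd, name).text = "false"
    return ET.tostring(root, encoding="unicode")


# Constructed sample: MOB still enabled, and a stray duplicate of the
# datastore element sitting outside <vpxd>.
SAMPLE_CFG = """<config>
  <vpxd>
    <enableHttpDatastoreAccess>false</enableHttpDatastoreAccess>
    <enableDebugBrowse>true</enableDebugBrowse>
  </vpxd>
  <enableHttpDatastoreAccess>false</enableHttpDatastoreAccess>
</config>
"""

if __name__ == "__main__":
    for name, status in check_vpxd_cfg(SAMPLE_CFG).items():
        print("%s: %s" % (name, status))
    print(harden_vpxd_cfg(SAMPLE_CFG))
```

The duplicate and misplaced cases are reported separately from a plain "enabled" because vpxd reads only the element under <vpxd>; a correct-looking copy elsewhere in the file is the kind of thing that passes a casual text search and still leaves the interface on.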

Verify that vCenter Server was installed using a special-purpose user account on the Windows host with only a local administrator role. This account should have the "Act as part of the operating system" privilege and write access to the local file system.

Verify Update Manager is configured to use the Download Service. Verify that there are enforced policies in place to use physical media to transfer update files to the Update Manager server (air-gap model). Ensure that the Download Service is functioning and that the Update Manager server does not obtain patches directly from the Internet.

Verify that there is a Web proxy between Update Manager and the Internet. Check the proxy settings for Update Manager to make sure they are correct. Proxy settings are given in the "Installing and Administering VMware vSphere Update Manager" guide > Configuring Update Manager chapter > Configure Update Manager Proxy Settings section.

Verify Update Manager is configured to use the Download Service, and configure a Web server to transfer the files to the Update Manager server (semi-air-gap model). Ensure that the Download Service is functioning and that the Update Manager server does not obtain patches directly from the Internet.

Verify that policies are in place and enforced to restrict login to the vCenter System only to those personnel who have legitimate tasks to perform in it. Ensure that they log in only when necessary, and audit these events.

Restrict login to the Update Manager to only those personnel who have legitimate tasks to perform in it. Ensure that they log in only when necessary, and audit these events.

Monitor that Roles are created in vCenter with the required granularity of privilege for your organization's administrator types, and that these roles are assigned to the correct users. 1. Log into the vCenter Server System using the vSphere Client as a vCenter Server System Administrator. 2. Go to "Home > Administration > Roles" and verify that a Role exists for each of the administrator privilege sets your organization requires and allows. 3. Right click on each Role name and select "Edit". Verify that under "All Privileges > Virtual Machines" only the required checkboxes are selected. A list of privileges in vCenter for vSphere 5.0 is available at: http://pubs.vmware.com/vsphere-50/topic/com.vmware.ICbase/PDF/vsphere-esxi-vcenter-server501-privileges.pdf

Use event log monitoring to alert on non-service-account access to the certificates directory.

Ensure that any certificates presented by the host can be verified by a trusted certification authority.

Verify that self-signed certificates on Update Manager have been changed to certificates from a trusted certification authority.

Verify you have removed expired certificates from your vCenter Server.

If at any time a vCenter Server installation fails, the log files it leaves behind whose names begin with "hs_err_pid" should be deleted securely before the host is put into production.

Verify you have removed revoked certificates from your vCenter Server.
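The following PowerShell function is an added example for the four certificate guidelines above (trusted CA, self-signed Update Manager certificates, expired certificates, revoked certificates); it is not part of the hardening guide. It retrieves the certificate an endpoint presents and reports chain validity, whether the certificate is self-signed, its expiry and its revocation status. The host names and the Update Manager port in the usage lines are placeholders, and it assumes the Windows system it runs on trusts your organization's CA and can reach that CA's CRL or OCSP responder.

```powershell
# Added example, not code from the vSphere 5.0 Security Hardening Guide.
# Retrieves the certificate a TLS endpoint presents and evaluates it the way the
# certificate guidelines ask: trusted chain, self-signed, expired, revoked.
function Get-EndpointCertificateReport {
    param(
        [Parameter(Mandatory = $true)][string]$HostName,
        [int]$Port = 443
    )
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    $ssl = $null
    try {
        # Accept whatever the server sends during the handshake; the checks happen below,
        # so an untrusted certificate is reported instead of hidden behind a handshake failure.
        $acceptAll = { param($src, $c, $ch, $e) return $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        if ($ssl) { $ssl.Dispose() }
        $client.Close()
    }

    # Build the chain against the local trust store, checking revocation for every certificate in it.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chain.ChainPolicy.RevocationFlag = 'EntireChain'
    $chainOk = $chain.Build($cert)
    $status = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })

    # ChainValid = True with an empty ChainStatus is the only good outcome. UntrustedRoot means
    # self-signed or an unknown CA; RevocationStatusUnknown / OfflineRevocation means the CRL or
    # OCSP responder could not be reached, which is a different finding from Revoked.
    New-Object PSObject -Property @{
        Endpoint    = ('{0}:{1}' -f $HostName, $Port)
        Subject     = $cert.Subject
        Issuer      = $cert.Issuer
        SelfSigned  = ($cert.Subject -eq $cert.Issuer)
        NotAfter    = $cert.NotAfter
        Expired     = ($cert.NotAfter -lt (Get-Date))
        Revoked     = ($status -contains 'Revoked')
        ChainValid  = $chainOk
        ChainStatus = ($status -join ', ')
    }
}

# Usage (placeholders): one row per endpoint. The Update Manager port is an assumption;
# use the one your deployment exposes.
'vcenter.example.com', 'vum.example.com' |
    ForEach-Object { Get-EndpointCertificateReport -HostName $_ } |
    Format-List Endpoint, Subject, Issuer, SelfSigned, NotAfter, Expired, Revoked, ChainValid, ChainStatus
```

Run it from a management workstation rather than from the vCenter Server itself, so that the trust store being consulted is the one your clients actually use; a certificate that chains only because the issuing CA was imported locally on the server would otherwise pass.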

Observe the assigned permissions in vSphere. Make sure that the local Administrator account, and any other account or group, has no vCenter privileges other than the user created as follows:
1. Create an ordinary user account that will be used to manage vCenter (for example, vi-admin).
2. Make sure the user does not belong to any local groups, such as Administrators.
3. On the top-level Hosts and Clusters context, log on to vCenter as the Windows administrator, then grant the Administrator role (global vCenter administrator) to the account created in step 1.
4. Log out of vCenter and log in with the account created in step 1; verify that the user is able to perform all tasks available to a vCenter administrator.
5. Remove the vCenter permissions of the local Administrators group.
6. Protect the vi-admin account from regular use and instead rely on accounts tied to specific individuals. This should be done as follows:
   a. Logged in as vi-admin, grant full administrative rights to the minimum number of individuals required, typically senior IT staff.
   b. Log out as vi-admin, and then protect the password. There are numerous ways in which the password can be protected; for example, use a very strong password and lock the printout in a safe, or employ a system by which two individuals each must type one half of the password, the other half being unknown to them.

Check that the Windows file permissions on the SSL certificate directory and its files are set so that only the vCenter service account and authorized vCenter Server administrators can access them. Verify that the directory and all files within it are accessible only to the service user (System) and authorized vCenter Server administrators. By default the vCenter Server SSL directory is C:\ProgramData\VMware\VMware VirtualCenter\SSL and the Inventory Service SSL certificate directory is C:\Program Files\VMware\Infrastructure\Inventory Service\ssl.
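The following PowerShell function is an added example for the SSL directory permission check above; it is not part of the hardening guide. It walks the directory and every file in it and reports each Allow entry granted to a principal outside the permitted list. It assumes the vCenter service runs as Local System, as the guideline states; if your service runs under a dedicated account, add that account to the list. The paths are the defaults quoted in the guideline.

```powershell
# Added example, not code from the vSphere 5.0 Security Hardening Guide.
# Reports every Allow ACE on the SSL directory and its files that belongs to a principal
# other than the service account and the administrators group.
function Test-SslDirectoryAcl {
    param(
        [string]$Path = 'C:\ProgramData\VMware\VMware VirtualCenter\SSL',
        # Assumption: the vCenter service runs as Local System. Extend this list with the
        # service account if it does not.
        [string[]]$AllowedIdentities = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')
    )
    # The directory itself plus everything below it, hidden files included.
    $items = @(Get-Item -Path $Path -Force) + @(Get-ChildItem -Path $Path -Recurse -Force)
    foreach ($item in $items) {
        $acl = Get-Acl -Path $item.FullName
        foreach ($ace in $acl.Access) {
            # Only Allow entries for principals outside the list widen access; Deny entries never do.
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $who = $ace.IdentityReference.Value
            if ($AllowedIdentities -contains $who) { continue }
            New-Object PSObject -Property @{
                Path      = $item.FullName
                Identity  = $who
                Rights    = $ace.FileSystemRights.ToString()
                Inherited = $ace.IsInherited   # True usually means the ACE came down from C:\ProgramData
            }
        }
    }
}

# Usage: no output means the directory matches the guideline; each row is an ACE to remove.
Test-SslDirectoryAcl | Format-Table Identity, Rights, Inherited, Path -AutoSize
Test-SslDirectoryAcl -Path 'C:\Program Files\VMware\Infrastructure\Inventory Service\ssl' |
    Format-Table Identity, Rights, Inherited, Path -AutoSize
```

The usual finding is an inherited entry for BUILTIN\Users carrying read access, because C:\ProgramData grants it by default; the fix is to break inheritance on the SSL directory and re-grant only the permitted principals (for example with icacls, reviewed first, as it rewrites the ACL of every file under the directory).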

Verify that there is a Role that will be used to manage vCenter without the Guest Operations privileges (for example "Administrator No Guest Access"), and that this role is assigned to administrators who should not have guest file and program interaction privileges.
1. Log in to the vCenter Server system using the vSphere Client as a vCenter Server administrator.
2. Go to "Home > Administration > Roles" and verify that a Role exists for administrators with Guest access removed.
3. Right-click the Role name and select "Edit". Verify that under "All Privileges > Virtual Machines" the "Guest Operations" checkbox is unchecked.
4. Verify that users requiring Administrator privileges without Guest access privileges are assigned to that role and not to the default Administrator role.
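The following PowerCLI script is an added example, not code from the hardening guide, covering the role and permission checks above (role granularity, the no-Guest-Operations administrator role, and the removal of the local Administrators group from the root of the inventory). It lists every role with the number of VirtualMachine.GuestOperations privileges it carries and the principals holding it, and reports the permissions on the root folder so that a local Administrators group or Windows Administrator account still holding vCenter privileges stands out. It assumes an existing Connect-VIServer session; role and principal names in the output are whatever your vCenter returns (the built-in Administrator role is reported under its internal name "Admin").

```powershell
# Added example, not code from the vSphere 5.0 Security Hardening Guide.
# Requires PowerCLI and an existing Connect-VIServer session to vCenter Server.

function Get-GuestOperationsRoleReport {
    # One row per role: how many VirtualMachine.GuestOperations.* privileges it carries
    # (the privileges behind the "Guest Operations" checkbox) and who holds it, where.
    $permissions = @(Get-VIPermission)
    foreach ($role in Get-VIRole) {
        $guestPrivs = @($role.PrivilegeList | Where-Object { $_ -like 'VirtualMachine.GuestOperations.*' })
        $holders = @($permissions | Where-Object { $_.Role -eq $role.Name } |
            ForEach-Object { '{0} on {1}' -f $_.Principal, $_.Entity.Name })
        New-Object PSObject -Property @{
            Role               = $role.Name      # the built-in Administrator role is named "Admin" here
            IsSystem           = $role.IsSystem
            GuestOpsPrivileges = $guestPrivs.Count
            AssignedTo         = ($holders -join '; ')
        }
    }
}

function Get-RootFolderPermissionReport {
    # Permissions on the root folder propagate to the whole inventory. Anything granted to a
    # local Administrators group or to the Windows Administrator account here is a finding
    # against the procedure above (step 5).
    Get-Folder -NoRecursion | Get-VIPermission |
        Select-Object Principal, Role, Propagate, IsGroup,
            @{ N = 'LocalAdminPrincipal'; E = { $_.Principal -like '*\Administrators' -or $_.Principal -like '*\Administrator' } }
}

# Usage
# Roles ordered so that the ones safe to give to "no guest access" administrators come first.
Get-GuestOperationsRoleReport | Sort-Object GuestOpsPrivileges |
    Format-Table Role, IsSystem, GuestOpsPrivileges, AssignedTo -AutoSize
# Everyone who, through a role with Guest Operations, can read and write guest files and run guest programs.
Get-GuestOperationsRoleReport | Where-Object { $_.GuestOpsPrivileges -gt 0 -and $_.AssignedTo } |
    Select-Object Role, AssignedTo
# Root-level permissions, with local Administrators / Administrator principals flagged.
Get-RootFolderPermissionReport | Format-Table -AutoSize
```

A role whose GuestOpsPrivileges count is zero but which otherwise mirrors Admin is the "Administrator No Guest Access" role the guideline asks for; anyone listed under Admin in the second report who does not need guest interaction should be moved to it.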

Verify that the operating system of the client used to connect to vCenter Server or to an ESXi host is not Linux.

Protect the vCenter Server system by using a local firewall on the Windows system running vCenter Server, or by using a network firewall. This protection should include IP-based access restrictions, so that only necessary components can communicate with the vCenter Server system.

Verify that only the privileges needed for the current state of vCenter Server, on either Oracle or Microsoft SQL Server, are assigned to the database user. These privileges are listed in the vSphere Upgrade Guide, Upgrading to vCenter Server 5.0 chapter, Prerequisites for All vCenter Server Databases section: http://pubs.vmware.com/vsphere-50/topic/com.vmware.ICbase/PDF/vsphere-esxi-vcenter-server-50-upgrade-guide.pdf NOTE: That section indicates which privileges are needed for installation and upgrade, and which are needed only for ongoing operation.
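The following PowerShell script is an added example for the local-firewall guideline above; it is not part of the hardening guide. It uses the Windows Firewall COM interface (HNetCfg.FwPolicy2), which is available on Windows Server 2008 R2 as well as later versions, to find enabled inbound TCP allow rules on vCenter ports whose remote scope is "any", and to restrict such a rule to a list of source addresses. The ports 443 and 902 and the source networks in the usage lines are placeholders; take the real port list from the vCenter Server port documentation for your version.

```powershell
# Added example, not code from the vSphere 5.0 Security Hardening Guide.
# Run in an elevated PowerShell session on the vCenter Server system.

function Get-UnscopedInboundRule {
    # Enabled inbound TCP allow rules on the given ports whose remote address scope is "*" (any host).
    param([int[]]$Ports = @(443, 902))   # assumption: placeholders for the ports your deployment exposes
    $fw = New-Object -ComObject HNetCfg.FwPolicy2
    foreach ($rule in $fw.Rules) {
        # Direction 1 = inbound, Action 1 = allow, Protocol 6 = TCP
        if (-not $rule.Enabled -or $rule.Direction -ne 1 -or $rule.Action -ne 1 -or $rule.Protocol -ne 6) { continue }
        # LocalPorts is a comma-separated string; port ranges such as 1024-65535 are not expanded here.
        $rulePorts = @(([string]$rule.LocalPorts) -split ',' | ForEach-Object { $_.Trim() })
        $covers = @($Ports | Where-Object { $rulePorts -contains [string]$_ -or $rulePorts -contains '*' })
        if ($covers.Count -gt 0 -and $rule.RemoteAddresses -eq '*') {
            New-Object PSObject -Property @{
                Name            = $rule.Name
                LocalPorts      = $rule.LocalPorts
                RemoteAddresses = $rule.RemoteAddresses
                Profiles        = $rule.Profiles
            }
        }
    }
}

function Set-InboundRuleScope {
    # Restrict an existing rule to the listed sources (single addresses, ranges, or CIDR subnets).
    param(
        [Parameter(Mandatory = $true)][string]$RuleName,
        [Parameter(Mandatory = $true)][string[]]$AllowedSources
    )
    $fw = New-Object -ComObject HNetCfg.FwPolicy2
    # Rules.Item returns the first rule with that name; rule names are not guaranteed unique.
    $rule = $fw.Rules.Item($RuleName)
    $rule.RemoteAddresses = ($AllowedSources -join ',')
}

# Usage: assess first, then scope each finding to the management networks (placeholder addresses).
Get-UnscopedInboundRule | Format-Table Name, LocalPorts, RemoteAddresses, Profiles -AutoSize
# After reviewing the report:
Get-UnscopedInboundRule | ForEach-Object {
    Set-InboundRuleScope -RuleName $_.Name -AllowedSources '10.0.5.0/24', '10.0.6.17'
}
```

Scoping the allow rules only helps while the profile's default inbound action remains Block, and Windows Firewall gives explicit block rules precedence over allow rules, so do not add a blanket block rule on the same ports: it would cut off the whitelisted sources as well.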

Verify that only the following permissions are granted to the Update Manager database user after installation. For Oracle: after installation, only the following permissions are needed for normal operation: create session, create any table, drop any table. For SQL Server: after installation, the db_owner role or sysadmin role can be removed from the MSDB database (it is still required on the Update Manager database). Check the latest VMware Update Manager Administration Guide for any updates to these configurations.

Verify that Windows system protection, such as antivirus, is applied in accordance with industry-standard guidelines, or internal guidelines where appropriate. Verify that the protections applied do not interfere with vCenter Server function.

Verify that Windows system protection, such as antivirus, is applied in accordance with industry-standard guidelines, or internal guidelines where appropriate. Verify that the protections applied do not interfere with Update Manager function.

On each Windows computer with the vSphere Client installed, either:
1. Verify that an idle timeout is set as required by your organization or industry best practices. The login idle timeout is a parameter that can be set in vpxClient.exe.config.
OR
2. Verify that users start the vSphere Client executable with the timeout set as an execution flag, for example: "vpxClient.exe -inactivityTimeout 5". The "5" stands for 5 minutes.

Verify that vCenter Server is running on a supported OS, hardware and database. For vCenter Server OS compatibility, see the Host OS Guide: https://www.vmware.com/resources/compatibility/search.php?deviceCategory=software&testConfig=17. For hardware requirements, see the ESX and vCenter Server Installation Guide: http://pubs.vmware.com/vsphere-50/topic/com.vmware.ICbase/PDF/vsphere-esxi-vcenter-server-50-installation-setup-guide.pdf. For supported database server versions, see the VMware Product Interoperability Matrix at: http://www.vmware.com/resources/compatibility/sim/interop_matrix.php.

Make sure that the vSphere Client installation used by administrators includes only authorized extensions from trusted sources. You can check to see which plug-ins are actually installed for a given vSphere Client by going to the menu item Plug-ins > Manage Plug-ins and clicking the Installed Plugins tab.

Instruct any user of vSphere Client to never ignore certificate verification warnings.

Configuration File, Configuration Parameter, Desired Value, Change Type: N/A for every guideline on this page.

Is desired value the default?, vSphere API, ESXi Shell Command Remediation, vCLI Command Assessment, vCLI Command Remediation: N/A for every guideline on this page.

PowerCLI Command Assessment
# List all patches installed on the vCenter Server; administrator privileges on the
# vCenter Server system are needed for this to complete.
Get-WmiObject -Class Win32_QuickFixEngineering -ComputerName $DefaultVIServer.Name | Select-Object Description, HotFixID
# List all patches installed on the Update Manager server; administrator privileges on the
# Update Manager server are needed for this to complete.
Get-WmiObject -Class Win32_QuickFixEngineering -ComputerName "VUMServerName" | Select-Object Description, HotFixID

PowerCLI Command Remediation

N/A

N/A

N/A

# List the Warning entries written by VMware VirtualCenter Server to the Application log
# of the vCenter Server system (replace MyvCenter with the server name)
Get-EventLog -ComputerName MyvCenter -LogName Application -Source "VMware VirtualCenter Server" -EntryType "Warning"

N/A

N/A

N/A

N/A

N/A

N/A

N/A

N/A

N/A

# List all roles and accounts with permissions on the root Datacenters folder
# (Get-VIPermission accepts the folder from the pipeline and returns Principal/Role pairs)
Get-Folder Datacenters | Get-VIPermission

N/A

N/A

function Test-WebServerSSL {
# Function original location: http://en-us.sysadmins.lv/Lists/Posts/Post.aspx?List=332991f0-bfed-4143-9eea-f521167d287c&ID=60
[CmdletBinding()]
param(
    [Parameter(Mandatory = $true, ValueFromPipeline = $true, Position = 0)]
    [string]$URL,
    [Parameter(Position = 1)]
    [ValidateRange(1,65535)]
    [int]$Port = 443,
    [Parameter(Position = 2)]
    [Net.WebProxy]$Proxy,
    [Parameter(Position = 3)]
    [int]$Timeout = 15000,
    [switch]$UseUserContext
)
Add-Type @"
using System;
using System.Net;
using System.Security.Cryptography.X509Certificates;
namespace PKI {

N/A

N/A

N/A

N/A

N/A

N/A

N/A

N/A

# List all roles and accounts with permissions on the root Datacenters folder
# (Get-VIPermission accepts the folder from the pipeline and returns Principal/Role pairs)
Get-Folder Datacenters | Get-VIPermission

N/A

# List all roles and accounts with permissions on the root Datacenters folder
# (Get-VIPermission accepts the folder from the pipeline and returns Principal/Role pairs)
Get-Folder Datacenters | Get-VIPermission

N/A

N/A

# List the existing roles
Get-VIRole

N/A

N/A

N/A

N/A

N/A

N/A

N/A

N/A

# List the version of the vCenter Server OS and its Service Pack
Get-WmiObject -Class Win32_OperatingSystem -ComputerName $DefaultVIServer.Name | Select-Object CSName, Caption, CSDVersion
# List the plug-ins (extensions) registered with vCenter Server
$ServiceInstance = Get-View ServiceInstance
$EM = Get-View $ServiceInstance.Content.ExtensionManager
$EM.ExtensionList | Select-Object @{N="Name";E={$_.Description.Label}}, Company, Version, @{N="Summary";E={$_.Description.Summary}}

N/A

N/A

function Test-WebServerSSL {
# Function original location: http://en-us.sysadmins.lv/Lists/Posts/Post.aspx?List=332991f0-bfed-4143-9eea-f521167d287c&ID=60
[CmdletBinding()]
param(
    [Parameter(Mandatory = $true, ValueFromPipeline = $true, Position = 0)]
    [string]$URL,
    [Parameter(Position = 1)]
    [ValidateRange(1,65535)]
    [int]$Port = 443,
    [Parameter(Position = 2)]
    [Net.WebProxy]$Proxy,
    [Parameter(Position = 3)]
    [int]$Timeout = 15000,
    [switch]$UseUserContext
)
Add-Type @"
using System;
using System.Net;
using System.Security.Cryptography.X509Certificates;
namespace PKI {

Negative Functional Impact

Reference

Any blocked ports will have to be unblocked for functionality relying on them to work.

http://kb.vmware.com/kb/1012382

http://kb.vmware.com/kb/1021804

You will no longer be able to browse and view datastore files using a Web browser connected to vCenter Server. REST API commands relying on web access to the datastore of the vCenter Server will not work. NOTE: The datastore browser available on each ESXi host is unaffected by this setting; it can be disabled separately using a host-level setting.

The managed object browser will no longer be available for diagnostics.

http://pubs.vmware.com/vsphere-50/topic/com.vmware.vsphere.update_manager.doc_50/GUID-1F5292F1-904D-4607-871A-AE426EF9BD3F.html
http://pubs.vmware.com/vsphere-50/topic/com.vmware.vsphere.update_manager.doc_50/GUID-975192DB-B2A7-485A-9D11-0D9CD29F1D7F.html
http://pubs.vmware.com/vsphere-50/topic/com.vmware.vsphere.update_manager.doc_50/GUID-47CDC301-C46F-4191-AB99-D2859F3BA54B.html

http://pubs.vmware.com/vsphere-50/topic/com.vmware.ICbase/PDF/vsphere-esxi-vcenter-server-501-privileges.pdf

http://www.vmware.com/resources/techresources/10124

http://kb.vmware.com/kb/1021804

Supportability limitations: this will prevent a complete support log from being collected when the vc-support script is run, and will prevent the administrator from being able to change the vCenter database password.

Only systems in the IP whitelist/ACL will be able to connect to vCenter Server.

The vSphere Client (thick client) will log the user out after the specified idle time, and the user will have to log in again.