
vSphere Security

Module 2

2015 VMware Inc. All rights reserved.


You Are Here
1. Course Introduction
2. vSphere Security
3. VMware Management Resources
4. Performance in a Virtualized Environment
5. Network Scalability
6. Network Optimization
7. Storage Scalability
8. Storage Optimization
9. CPU Optimization
10. Memory Optimization
11. Virtual Machine and Cluster Optimization
12. Host and Management Scalability

VMware vSphere: Optimize and Scale 2-2


Importance
VMware Platform Services Controller coordinates VMware vCenter
Single Sign-On and other services in a VMware vSphere
environment.
When multiple users are accessing the vSphere environment, a best
practice is to give each user only the necessary permissions and nothing
more. VMware vCenter Server allows flexible assignment of
permissions.
You harden your vSphere environment against security threats by
controlling settings for vCenter Server systems, VMware ESXi hosts,
virtual machines, and the vSphere network.

Module Lessons
Lesson 1: Platform Services Controller and vCenter Single Sign-On
Lesson 2: Upgrading vCenter Server
Lesson 3: Configuring ESXi Host Access and Authentication
Lesson 4: Configuring Roles and Permissions
Lesson 5: Securing vSphere

Lesson 1: Platform Services Controller and vCenter Single Sign-On

Learner Objectives
By the end of this lesson, you should be able to meet the following
objectives:
Describe vSphere components used in vCenter Single Sign-On
List supported identity store technologies used with vCenter Single Sign-On
Describe the Platform Services Controller
Discuss vCenter Server deployment modes

About vCenter Single Sign-On
vCenter Single Sign-On enables vSphere components to communicate
with one another for authentication purposes instead of requiring users
to authenticate separately with each component.

[Diagram: authentication flow, steps 1 to 6, between the vSphere Web Client (user vUSER1), the vCenter Single Sign-On Server, vCenter Server, Kerberos, the Certificate Authority, and the VMware Directory Service]

Supported Identity Store Technologies
You can use identity stores to attach one or more domains for use by
vCenter Single Sign-On.
Using identity stores enables administrators from user-defined domains
to administer vCenter Server.
vCenter Single Sign-On authentication can use the following identity
store technologies:
Windows Active Directory (AD)
Active Directory over LDAP
OpenLDAP
Local operating system users
vCenter Single Sign-On system users

About the Platform Services Controller
New in vSphere 6, the Platform Services Controller improves
accessibility and scalability by hosting services used across the vSphere
enterprise.
[Diagram: a virtual or physical machine hosts the Platform Services Controller, which contains vCenter Single Sign-On, the Lookup Service, VMware CA, the License Service, and the Directory Service]

vCenter Deployment Modes
vCenter Server instances can be deployed in various modes, depending
on the location of Platform Services Controllers:
vCenter Server with an embedded Platform Services Controller
vCenter Server with an external Platform Services Controller
Enhanced Linked Mode
VMware does not recommend using these deployment modes in
combination with one another.
In vSphere 6, vCenter Server for Windows and VMware vCenter
Server Appliance can be used in the same deployment.
Multiple Platform Services Controllers can be used together when used
with a load balancer approved by VMware.

vCenter Server with an Embedded Platform Services Controller

All services bundled with the Platform Services Controller can be embedded on the same host machine as vCenter Server:
This model is suitable for small deployments.
This model is suitable when vCenter Server is the only solution integrated with single sign-on.

[Diagram: a single virtual or physical machine running both the Platform Services Controller and vCenter Server]

vCenter Server with an External Platform Services Controller
You can deploy a single Platform Services Controller external to a
vCenter Server system. Multiple vCenter Server systems can be
attached to the same Platform Services Controller.

[Diagram: the Platform Services Controller on one virtual or physical machine and vCenter Server on a separate virtual or physical machine]

Enhanced Linked Mode
Enhanced Linked Mode enables multiple vCenter Server instances with
a single or multiple Platform Services Controllers to be managed using a
single point of contact.
The Lookup Service uses VMdir replication to coordinate authentication
services between vCenter Server instances.
VMware recommends using external Platform Services Controllers with
Enhanced Linked Mode. A load balancer can provide high availability.

[Diagram: two Platform Services Controllers on separate virtual or physical machines, joined by VMdir replication, each serving two vCenter Server instances on their own virtual or physical machines]

vCenter Server Deployment Recommendations
Sites that will not use Enhanced Linked Mode should use an embedded Platform Services Controller:
  An embedded Platform Services Controller enables simplicity in the environment and reduces administrative overhead.
  High availability is provided by VMware vSphere High Availability.
Sites that will use Enhanced Linked Mode should use an external Platform Services Controller:
  Load balancers are recommended for high availability.
  The number of Platform Services Controllers is determined by the size of the environment:
    Between 2 and 4 VMware solutions: Use a single Platform Services Controller, or two Platform Services Controllers behind a single load balancer to provide high availability.
    Between 4 and 8 VMware solutions: Use two Platform Services Controllers, or four Platform Services Controllers behind two load balancers for high availability.
    Between 8 and 10 VMware solutions: Use three Platform Services Controllers, or six Platform Services Controllers behind three load balancers for high availability.

vCenter Deployment Scalability Maximums
Scalability maximums in a vCenter environment depend on the
deployment configuration used.

Scalability item: maximum
Number of Platform Services Controllers per domain: 8
Maximum Platform Services Controllers per vSphere site, behind a single load balancer: 4
Maximum objects in a vSphere domain: 1,000,000
Maximum number of VMware solutions connected to a single Platform Services Controller: 4
Maximum number of VMware products/solutions per vSphere domain: 10

Review of Learner Objectives
You should be able to meet the following objectives:
Describe vSphere components used in vCenter Single Sign-On
List supported identity store technologies used with vCenter Single Sign-On
Describe the Platform Services Controller
Discuss vCenter Server deployment modes

Lesson 2: Upgrading vCenter Server

Learner Objectives
By the end of this lesson, you should be able to meet the following
objectives:
Explain the requirements for upgrading a vSphere environment to the current
vSphere version
List the necessary steps to prepare for upgrading vCenter Server
Outline the process for upgrading vCenter Server
List the necessary operations to perform after upgrading vCenter Server

vSphere Upgrade Requirements
Requirements for several vSphere components must be met before
upgrading to the current version of vSphere:
vCenter Server for Windows has a preinstallation checker that verifies host and
environment requirements at the beginning of the upgrade.
VMware vCenter Server Appliance can be upgraded only from version 5.5
or later.
ESXi hosts must meet hardware and software standards for RAM, boot
devices, and storage and must have at least two cores.
vSphere networks must be Gigabit or 10 Gb.
vCenter Server should be on a host with a fixed IP address. Reverse name lookup on the vCenter Server instance should return a fully qualified domain name.
The database version must be supported by the new version of vCenter Server
or vCenter Server Appliance.

Preparing for vCenter Server Upgrade
Prepare your system for vCenter Server upgrade by verifying
compatibility and performing necessary database, networking, or other
preparation tasks:
Verify that all components meet basic compatibility requirements.
Prepare and back up databases and ensure that you have the necessary
credentials.
Verify that network connectivity is fully operational for all vSphere systems that
will communicate with one another.
Verify that vCenter Server can communicate with a local database.
Verify that ESXi hosts are at version 5.x.
Ensure that SSL, custom, or thumbprint certificates are properly prepared for
all hosts.
Synchronize all system clocks on the vSphere network.

Upgrading vCenter Server
The vCenter Server upgrade includes a database schema upgrade, a
migration of Single Sign-On to VMware Platform Services Controller,
and an upgrade of the vCenter Server software. Platform Services
Controller must be upgraded before upgrading the vCenter Server
system.
Embedded vCenter Server systems are upgraded to an embedded
Platform Services Controller deployment.
Existing, externally deployed vCenter Single Sign-On is upgraded to an
external Platform Services Controller using the vCenter Server for
Windows installer.
vCenter Server Appliance can be upgraded, or can be a new install. The network identity of the appliance can be imported after a new installation.

After You Upgrade vCenter Server
After you upgrade vCenter Server, consider the postupgrade options and
requirements:
Review database upgrade logs to verify success.
Complete any component service updates that are required.
Ensure that you understand the authentication process and identity sources.
Upgrade additional modules that run with vCenter Server, such as VMware
vSphere Update Manager.
Upgrade or migrate ESXi hosts to match the vCenter Server version.

Review of Learner Objectives
You should be able to meet the following objectives:
Explain the requirements for upgrading a vSphere environment to the current
vSphere version
List the necessary steps to prepare for upgrading vCenter Server
Outline the process for upgrading vCenter Server
List the necessary operations to perform after upgrading vCenter Server

Lesson 3: Configuring ESXi Host Access and Authentication

Learner Objectives
By the end of this lesson, you should be able to meet the following
objectives:
Configure the ESXi firewall by enabling and disabling services
Enable and disable lockdown mode on an ESXi host
Configure user logins to authenticate with directory services

About Host System Properties
Properties for individual ESXi hosts are configured through VMware
vSphere Web Client.

Configuring Security Profile Services
The Services tab shows the name and status of any daemon that is
stopped or running.

Configuring the ESXi Firewall
The ESXi management interface is protected by a service-oriented,
stateless firewall. The firewall can be configured using the vSphere Web
Client or at the command line with VMware vSphere ESXi Shell
commands.

Enabling and Disabling Lockdown Mode
To increase the security of your ESXi hosts, you can put your hosts in
lockdown mode.
When you enable lockdown mode, no users other than vpxuser have
authentication permissions. Users also cannot perform operations
against the host directly.

Strict Lockdown Mode
In strict lockdown mode, the DCUI service is also stopped.
If the connection to the vCenter Server system is lost and the vSphere
Web Client is no longer available, the ESXi host becomes unavailable.
The host can be accessed in this situation only if the vSphere ESXi Shell
and SSH services are enabled and exception list users are defined.

Integrating ESXi with AD
You can configure an ESXi host to join an AD domain so that a user
trying to access the host is authenticated against the centralized vCenter
Single Sign-On user directory.

Review of Learner Objectives
You should be able to meet the following objectives:
Configure the ESXi firewall by enabling and disabling services
Enable and disable lockdown mode on an ESXi host
Configure user logins to authenticate with directory services

Lesson 4: Configuring Roles and Permissions

Learner Objectives
By the end of this lesson, you should be able to meet the following
objectives:
Define a permission
Describe the rules for applying permissions
Create a custom role
Create a permission

Access Control Overview
The access control system enables the vCenter Server administrator to define a user's privileges to access objects in the inventory.
Key concepts:
Privilege: Defines an action that can be performed
Role: A set of privileges
Object: The target of the action
User/group: Indicates who can perform the action
[Diagram: a Role, a User/Group, and an Object combine to form a Permission]
Together, a role, a user or group, and an object define a permission.

About Users and Groups
vCenter Server or ESXi users/groups can be local users or AD domain
users.
AD services provide authentication for all local services:
VMware vSphere Client
vSphere Web Client
Direct Console User Interface
Technical support mode (local and remote)
Access through the VMware vSphere API

Users who are in the AD group ESX Admins are automatically assigned
the Administrator role.

About Roles

Roles are collections of privileges:
They allow users to perform tasks.
They are grouped in categories.
Roles include system roles, sample roles, and custom-built roles.

About Objects
Objects are entities on which actions are performed:
Objects include data centers, folders, resource pools, clusters, hosts,
datastores, networks, and virtual machines.
All objects have a Permissions tab:
The Permissions tab shows which user or group and role are associated with
the selected object.

Assigning Permissions
Add permissions to a user or group by selecting a role in the role list. You
can also choose to propagate the permission to all child objects.

Viewing Roles and Assignments
The Roles pane shows which users are assigned the selected role on a
particular object.

Applying Permissions: Scenario 1
A permission can propagate down the object hierarchy to all subobjects
or it can apply only to an immediate object.

[Diagram: Greg is granted Read-Only on one object and Administrator on another object in the hierarchy]

Applying Permissions: Scenario 2
When a user is a member of multiple groups with permissions on the
same object, the user is assigned the union of privileges assigned to the
groups for that object.

Group1: VM_Power_On (Custom Role); members: Greg, Susan
Group2: Take_Snapshots (Custom Role); members: Greg, Carla

Applying Permissions: Scenario 3
When a user is a member of multiple groups with permissions on
different objects, for each object on which the group has permissions, the
same permissions apply as if they were granted directly to the user.

Group1: Administrator; members: Greg, Susan
Group2: Read-Only; members: Greg, Carla

Applying Permissions: Scenario 4
Permissions defined explicitly for the user on an object take precedence
over all group permissions on that same object.

Group1: VM_Power_On (Custom Role); members: Greg, Susan
Group2: Take_Snapshots (Custom Role); members: Greg, Carla
Greg: Read-Only (explicit user permission on the same object)

Global Permissions
Global permissions support assigning privileges across solutions
from a global root object:
Global permissions span solutions such as vCenter Server and vCenter
Orchestrator.
Global permissions give a user or group privileges for all objects in all
object hierarchies.

[Diagram: Global Root Object with the hierarchies beneath it: vCenter Server Instance, Content Library > Library Item, Data Center Folder > Data Center, Tag Category > Tag]

Creating a Role
Create roles that enable only the necessary tasks:
  Example: Virtual Machine Creator
Use folders to contain the scope of permissions:
  For example, assign the Virtual Machine Creator role to user Nancy and apply it to the Finance folder.
Privileges in the Virtual Machine Creator role:
  Datastore > Allocate space
  Network > Assign network
  Resource > Assign virtual machine to resource pool
  Virtual machine > Inventory > Create new
  Virtual machine > Configuration > Add new disk
  Virtual machine > Configuration > Add or remove device

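The permission rules of Scenarios 1 to 4 and the Virtual Machine Creator example above, worked through in Python as an added example that is not part of the course material: the inventory, group memberships, user names and privilege strings below are constructed sample data, and the model assumes, as vCenter Server does, that a permission defined on a child object overrides one propagated from a parent.

```python
# Constructed model of the permission rules in Scenarios 1-4 and the
# "Creating a Role" slide; inventory, roles and principals are sample data.
from collections import namedtuple

# Inventory hierarchy as child -> parent (None marks the root object).
PARENT = {"vcenter": None, "DC-Paris": "vcenter",
          "Finance": "DC-Paris", "fin-vm01": "Finance",
          "HR": "DC-Paris", "hr-vm01": "HR", "hr-vm02": "HR"}

# Roles are sets of privileges; "*" stands for every privilege.
ROLES = {
    "Administrator": {"*"},
    "Read-Only": {"System > View", "System > Read"},
    "VM_Power_On": {"Virtual machine > Interaction > Power on"},
    "Take_Snapshots": {"Virtual machine > Snapshot management > Create snapshot"},
    "Virtual Machine Creator": {          # privileges listed on the slide
        "Datastore > Allocate space",
        "Network > Assign network",
        "Resource > Assign virtual machine to resource pool",
        "Virtual machine > Inventory > Create new",
        "Virtual machine > Configuration > Add new disk",
        "Virtual machine > Configuration > Add or remove device",
    },
}

GROUPS = {"Group1": {"Greg", "Susan"}, "Group2": {"Greg", "Carla"}}

# principal is "user:<name>" or "group:<name>"; propagate=False means the
# permission applies to the immediate object only.
Permission = namedtuple("Permission", "principal role obj propagate")

PERMISSIONS = [
    # Scenario 1: Read-Only propagated from the data center, Administrator
    # granted on a single VM.
    Permission("user:Greg", "Read-Only", "DC-Paris", True),
    Permission("user:Greg", "Administrator", "fin-vm01", False),
    # Scenario 2: two groups hold custom roles on the same folder.
    Permission("group:Group1", "VM_Power_On", "HR", True),
    Permission("group:Group2", "Take_Snapshots", "HR", True),
    # Scenario 4: an explicit user permission beside group permissions.
    Permission("group:Group1", "VM_Power_On", "hr-vm02", False),
    Permission("group:Group2", "Take_Snapshots", "hr-vm02", False),
    Permission("user:Greg", "Read-Only", "hr-vm02", False),
    # Creating a Role: least-privilege role scoped to the Finance folder.
    Permission("user:Nancy", "Virtual Machine Creator", "Finance", True),
]


def effective_privileges(user, obj):
    """Privileges `user` holds on `obj`.
    Walk from the object toward the root; the nearest object carrying a
    permission for the user decides (a child's permission overrides an
    inherited one). There, an explicit user permission beats group
    permissions (Scenario 4); otherwise the union of the matching groups'
    roles applies (Scenarios 2 and 3).
    """
    groups = {f"group:{g}" for g, members in GROUPS.items() if user in members}
    node = obj
    while node is not None:
        here = [p for p in PERMISSIONS
                if p.obj == node and (node == obj or p.propagate)]
        direct = [p for p in here if p.principal == f"user:{user}"]
        chosen = direct or [p for p in here if p.principal in groups]
        if chosen:
            return set().union(*(ROLES[p.role] for p in chosen))
        node = PARENT[node]
    return set()          # no permission anywhere up the hierarchy


def can_perform(user, privilege, obj):
    """True if the user's effective privileges on obj include `privilege`."""
    privs = effective_privileges(user, obj)
    return "*" in privs or privilege in privs
```
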
Lab 1: Adding Active Directory Services and Creating Custom Roles

Configure an identity source for vCenter Single Sign-On and create a custom role
1. Log In to the Student Desktop
2. License the vCenter Server System and the ESXi Host
3. Create a Custom Role in vCenter Server
4. Use vSphere Web Client to Add the Domain Admins Group to Administrators
5. Create a Custom Role in vCenter Server
6. Assign Permissions on vCenter Server Inventory Objects
7. Verify Permission Usability

Review of Learner Objectives
You should be able to meet the following objectives:
Define a permission
Describe the rules for applying permissions
Create a custom role
Create a permission

Lesson 5: Securing vSphere

Learner Objectives
By the end of this lesson, you should be able to meet the following
objectives:
Summarize methods for hardening vCenter Server systems
Discuss recommendations for ESXi host security
Discuss general virtual machine protection
Summarize strategies to secure the vSphere network

About Securing vSphere
Securing vSphere involves aspects of security for the vCenter Server
system, ESXi hosts, virtual machines, and the vSphere network. The
VMware Support Web site provides many security resources.

Topic: resource
VMware security policy: http://www.vmware.com/security/
Corporate security response: http://www.vmware.com/support/policies/security_response.html
Virtualization and security: http://www.vmware.com/go/security/
Hardening guides: http://www.vmware.com/support/support-resources/hardening-guides.html
Third-party software support: http://www.vmware.com/support/policies/

Hardening vCenter Server Systems
The most effective way to harden vCenter Server systems against attack
is to ensure that the operating system of the host is secure:
Maintain supported operating system, database, and hardware versions on the
vCenter Server system.
Keep the vCenter Server system properly patched.
Provide the operating system with antivirus and antimalware software.
Ensure that Remote Desktop Protocol host configuration settings are set to
their highest encryption level.

Securing ESXi Hosts
VMware constrains vSphere parameters and settings in order to secure
ESXi hosts. Use caution when loosening constraints in order to maintain
ESXi host security:
Limit user access.
Use the vSphere Client for standalone ESXi host administration.
Use the vSphere Web Client to administer ESXi hosts managed by a vCenter
Server instance.
Use only VMware sources to upgrade ESXi components.
Implement a firewall on all ESXi hosts.

Virtual Machine Protection Overview
Employ the same security measures for a virtual machine as you would
for an equivalent physical server:
Keep all security measures current and patched.
Install antivirus and antimalware software.
Disable unnecessary functions in virtual machines.
Disable copy-and-paste operations between guest operating systems and the
remote console.
Restrict users from running commands in a virtual machine.
Use templates to deploy virtual machines.

vSphere Network Security Overview
Securing vSphere networks resembles securing physical networks but
also has some special characteristics:
Balance firewall usage against virtual machine performance.
Secure physical switches that the vSphere network uses.
Secure standard switch ports and vSphere distributed switches with security
policies.
Use VLANs to improve network security.
Create multiple networks in a single ESXi host.
Use virtual switches only if required.

Review of Learner Objectives
You should be able to meet the following objectives:
Summarize methods for hardening vCenter Server systems
Discuss recommendations for ESXi host security
Discuss general virtual machine protection
Summarize strategies to secure the vSphere network

Key Points
The Platform Services Controller implements vCenter Single Sign-On for a
vSphere environment.
A permission is a combination of a user or group and a role that is applied to
an object in the inventory.
As a best practice, define a role using the smallest number of privileges
possible for better security and added control.
Hardening a vSphere environment to be more secure involves setting and
adjusting configuration for the vCenter Server system, ESXi hosts, virtual
machines, and the vSphere network.
Questions?
