Vi35 Security Hardening WP

Best Practices
Copyright 2008 VMware, Inc. All rights reserved. 1

Security Hardening
VMware Infrastructure 3 (VMware ESX 3.5 and VMware VirtualCenter 2.5)
ByintroducingalayerofabstractionbetweenthephysicalhardwareandvirtualizedsystemsrunningIT
services,virtualizationtechnologyprovidesapowerfulmeanstodelivercostsavingsviaserverconsolidation
aswellasincreasedoperationalefficiencyandflexibility.However,theaddedfunctionalityintroducesa
virtualizationlayerthatitselfbecomesapotentialavenueofattackforthevirtualservicesbeinghosted.
Becauseasinglehostsystemcanhousemultiplevirtualmachines,thesecurityofthathostbecomesevenmore
important.
Becauseitisbasedonalightweightkerneloptimizedforvirtualization,VMwareESXandVMwareESXiare
lesssusceptibletovirusesandotherproblemsthataffectgeneralpurposeoperatingsystems.However,
ESX/ESXiisnotimpervioustoattack,andyoushouldtakepropermeasurestohardenit,aswellasthe
VMwareVirtualCentermanagementserver,againstmaliciousactivityorunintendeddamage.Thispaper
providesrecommendationsforstepsyoucantaketoensurethatyourVMwareInfrastructure3environment
isproperlysecured.Thepaperalsoexplainsindetailthesecurityrelatedconfigurationoptionsofthe
componentsofVMwareInfrastructure3andtheconsequencesforsecurityofenablingcertaincapabilities.
ForadditionaluptodateinformationonthesecurityofVMwareproducts,gototheVMwareSecurityCenter.
SeeReferencesonpage 30foralink.TheVMwareSecurityCenterprovideslinkstosecurityadvisories,
alerts,andupdates,aswellassecurityutilitiesandothersecurityrelatedpapers.
TheinformationinthispaperappliestoESX3.5/ESXi3.5andVirtualCenter2.5.Itisdividedintosections
baseduponthecomponentsofVMwareInfrastructure3.Thesectionsonvirtualmachines,VirtualCenter,and
clientcomponentsapplytobothESX3.5andESXi3.5.Hostconfigurationissuesarediscussedinseparate
sectionsforESX3.5andESXi3.5.BesuretoconsultthesectionsthatapplytotheVMwareInfrastructure
softwareyouareusing.
Thepapercoversthefollowingtopics:
VirtualMachinesonpage 2
VirtualMachineFilesandSettingsonpage 4
ConfiguringtheServiceConsoleinESX3.5onpage 7
ConfiguringHostlevelManagementinESXi3.5onpage 16
ConfiguringtheESX/ESXiHostonpage 20
VirtualCenteronpage 24
VirtualCenterAddonComponentsonpage 27
ClientComponentsonpage 28
Referencesonpage 30
AbouttheAuthoronpage 31
Security Hardening

Virtual Machines
Therecommendationsinthissectionapplytothewayyouconfigurevirtualmachinesandthewaysyou
interactwithvirtualmachines.
Secure Virtual Machines as You Would Secure Physical Machines
Akeytounderstandingthesecurityrequirementsofavirtualizedenvironmentistherecognitionthatavirtual
machineis,inmostrespects,theequivalentofaphysicalserver.Hencetheguestoperatingsystemthatruns
inthevirtualmachineissubjecttothesamesecurityrisksasaphysicalsystem.Therefore,itiscriticalthatyou
employthesamesecuritymeasuresinvirtualmachinesthatyouwouldforphysicalservers.
Ensurethatantivirus,antispyware,intrusiondetection,andotherprotectionareenabledforeveryvirtual
machineinyourvirtualinfrastructure.Makesuretokeepallsecuritymeasuresuptodate,includingapplying
appropriatepatches.Itisespeciallyimportanttokeeptrackofupdatesfordormantvirtualmachinesthatare
poweredoff,becauseitcouldbeeasytooverlookthem.
Disable Unnecessary or Superfluous Functions
Bydisablingunnecessarysystemcomponentsthatarenotneededtosupporttheapplicationorservice
runningonthesystem,youreducethenumberofpartsthatcanbeattacked.Someofthesestepsinclude:
Disableunusedservicesintheoperatingsystem.Forexample,ifthesystemrunsafileserver,makesure
toturnoffanyWebservices.
Disconnectunusedphysicaldevices,suchasCD/DVDdrives,floppydrives,andUSBadapters.Thisis
describedinthesectionRemovingUnnecessaryHardwareDevicesintheESXServer3Configuration
Guide.
Turnoffanyscreensavers.IfusingaLinux,BSD,orSolarisguestoperatingsystem,donotruntheX
Windowsystemunlessitisnecessary.
Take Advantage of Templates
Bycapturingahardenedbaseoperatingsystemimage(withnoapplicationsinstalled)inatemplate,youcan
ensurethatallyourvirtualmachinesarecreatedwithaknownbaselinelevelofsecurity.Youcanthenusethis
templatetocreateother,applicationspecifictemplates,oryoucanusetheapplicationtemplatetodeploy
virtualmachines.Makesuretokeeppatchesandsecuritymeasuresuptodateintemplates.InVMware
Infrastructure3,youcanconvertatemplatetoavirtualmachineandbackagainquickly,whichmakes
updatingtemplatesquiteeasy.VMwareUpdateManageralsoprovidestheabilitytopatchtheoperating
systemandcertainapplicationsinatemplateautomatically,thusensuringthattheyremainuptodate.
Prevent Virtual Machines from Taking Over Resources
ByusingtheresourcemanagementcapabilitiesofESX/ESXi,suchassharesandlimits,youcancontrolthe
serverresourcesthatavirtualmachineconsumes.Youcanusethismechanismtopreventadenialofservice
thatcausesonevirtualmachinetoconsumesomuchofthehostsresourcesthatothervirtualmachinesonthe
samehostcannotperformtheirintendedfunctions.Bydefault,allvirtualmachinesonanESX/ESXihostshare
theresourcesequally.Bearinmind,however,thatavirtualmachinethatexhibitsunusualmemoryandstorage
accesspatternsmightstillhavethepotentialtocauseperformancedegradationonothervirtualmachines.It
isrecommendedthatyoumonitorallvirtualmachinesforunusualorunexpectedperformancetobeawareof
suchsituations.
Security Hardening

Isolate Virtual Machine Networks
Althoughthevirtualhardwareofonevirtualmachineisisolatedfromthatofothervirtualmachines,virtual
machinesalsoaretypicallyconnectedtosharednetworks.Anyvirtualmachineorgroupofvirtualmachines
connectedtoacommonnetworkcancommunicateacrossthosenetworklinksandcan,therefore,stillbethe
targetofnetworkattacksfromothervirtualmachinesonthenetwork.Asaresult,youshouldapplynetwork
bestpracticestohardenthenetworkinterfacesofvirtualmachinesConsiderisolatingsetsofvirtualmachines
ontheirownnetworksegmentstominimizetherisksofdataleakagefromonevirtualmachinezonetothe
nextacrossthenetwork.
Networksegmentationmitigatestheriskofseveraltypesofnetworkattacks,includingAddressResolution
Protocol(ARP)addressspoofing,inwhichanattackermanipulatestheARPtabletoremapMACandIP
addressestoredirectnetworktraffictoandfromagivenhosttoanotherunintendeddestination.Attackersuse
ARPspoofingtogeneratedenialsofservice,hijackthetargetsystem,andotherwisedisruptthevirtual
network.
Segmentationhastheaddedbenefitofmakingcomplianceauditsmucheasier,becauseitgivesyouaclear
viewofwhichvirtualmachinesarelinkedbyanetwork.
Youcanimplementsegmentationusingeitheroftwoapproaches,eachofwhichhasitsownbenefits:
Useseparatephysicalnetworkadaptersforvirtualmachinezonesbycreatingseparatevirtualswitches
foreachone.Maintainingseparatephysicalnetworkadaptersforvirtualmachinezonesislessproneto
misconfigurationafteryouinitiallycreatesegments.
Setupvirtuallocalareanetworks(VLANs)tohelpsafeguardyournetwork.BecauseVLANsprovide
almostallofthesecuritybenefitsinherentinimplementingphysicallyseparatenetworkswithoutthe
hardwareoverhead,theyofferaviablesolutionthatcansaveyouthecostofdeployingandmaintaining
additionaldevices,cabling,andsoforth,whilealsoallowingforredundancyoptions.
FormoreinformationonusingVLANswithvirtualmachines,seethesectionSecuringVirtualMachineswith
VLANsintheESXServer3ConfigurationGuide.
Minimize Use of the VI Console
TheVIConsoleallowsyoutoconnecttotheconsoleofavirtualmachine,ineffectseeingwhatamonitorona
physicalserverwouldshow.However,theVIConsolealsoprovidespowermanagementandremovable
deviceconnectivitycontrols,whichcouldpotentiallyallowamalicioususertobringdownavirtualmachine.
Inaddition,italsohasaperformanceimpactontheserviceconsole,especiallyifmanyVIConsolesessionsare
opensimultaneously.InsteadofVIConsole,usenativeremotemanagementservices,suchasterminalservices
andssh,tointeractwithvirtualmachines.
Security Hardening

Virtual Machine Files and Settings
Virtualmachinesareencapsulatedinasmallnumberoffiles.Oneoftheimportantistheconfigurationfile
(.vmx),whichgovernsthebehaviorofthevirtualhardwareandothersettings.Youcanviewandmodifythe
configurationsettingsbyviewingthe.vmxfiledirectlyinatexteditororbycheckingthesettingsintheVI
Client,usingthefollowingprocedure:
1 Choosethevirtualmachineintheinventorypanel.
2 ClickEditsettings.ClickOptions>Advanced/General.
3 ClickConfigurationParameterstoopentheConfigurationParametersdialogbox.
WhetheryouchangeavirtualmachinessettingsintheVIClientorusingatexteditor,youmustrestartthe
virtualmachineformostchangestotakeeffect.
Avirtualmachinealsoincludesoneormore.vmdkfiles,whichrepresentthevirtualdisksusedbytheguest
operatingsystem.
Thefollowingsectionsprovideguidelinesyoushouldobservewhendealingwiththeseandothervirtual
machinefiles.
Disable Copy and Paste Operations Between the Guest Operating System and
Remote Console
WhenVMwareToolsrunsinavirtualmachine,bydefaultyoucancopyandpastebetweentheguestoperating
systemandthecomputerwheretheremoteconsoleisrunning.Assoonastheconsolewindowgainsfocus,
nonprivilegedusersandprocessesrunninginthevirtualmachinecanaccesstheclipboardforthevirtual
machineconsole.Ifausercopiessensitiveinformationtotheclipboardbeforeusingtheconsole,the
userperhapsunknowinglyexposessensitivedatatothevirtualmachine.Itisrecommendedthatyou
disablecopyandpasteoperationsfortheguestoperatingsystembycreatingtheparametersshowninTable1.
Limit Data Flow from the Virtual Machine to the Datastore
Virtualmachinescanwritetroubleshootinginformationtoavirtualmachinelogfile(vmware.log)storedon
theVMwareVMFSvolumeusedtostoreotherfilesforthevirtualmachine.Virtualmachineusersand
processescanbeconfiguredtoabusetheloggingfunction,eitherintentionallyorinadvertently,sothatlarge
amountsofdatafloodthelogfile.Overtime,thelogfilecanconsumesomuchoftheESX/ESXihostsfile
systemspacethatitfillstheharddisk,causinganeffectivedenialofserviceasthedatastorecannolonger
acceptnewwrites.
Topreventthisproblem,considermodifyingtheloggingsettingsforvirtualmachines.Youcanusethese
settingstolimitthetotalsizeandnumberoflogfiles.Normallyanewlogfileiscreatedonlywhenahostis
rebooted,sothefilecangrowtobequitelarge,butyoucanensurenewlogfilesarecreatedmorefrequently
bylimitingthemaximumsizeofthelogfiles.Ifyouwanttorestrictthetotalsizeofloggingdata,VMware
recommendssaving10logfiles,eachonelimitedto100KB.Thesevaluesaresmallenoughthatthelogfiles
shouldnotconsumeanundueamountofdiskspaceonthehost,yettheamountofdatastoredshouldcapture
sufficientinformationtodebugmostproblems.
Table 1. Configuration Settings to Disable Copy and Paste
Name Value
isolation.tools.copy.disable true
isolation.tools.paste.disable true
isolation.tools.setGUIOptions.enable false
Security Hardening

Eachtimeanentryiswrittentothelog,thesizeofthelogischecked,andifitisoverthelimit,thenextentry
iswrittentoanewlog.Ifthemaximumnumberoflogfilesalreadyexists,whenanewoneiscreated,theoldest
logfileisdeleted.Adenialofserviceattackthatavoidstheselimitscouldbeattemptedbywritingan
enormouslogentry,buteachlogentryislimitedto4KB,sonologfilesareevermorethan4KBlargerthanthe
configuredlimit.Table2showswhichparameterstosetandtheirrecommendedvalues:
Asecondoptionistodisableloggingforthevirtualmachine.Disablingloggingforavirtualmachinemakes
troubleshootingchallengingandsupportdifficult,soyoushouldnotconsiderdisablingloggingunlessthelog
filerotationapproachprovesinsufficient.Todisablelogging,settheparametershowninTable3.
Disablinglogginginthismannerdoesnotcompletelydisableallloggingmessages.TheVMXprocess,which
runsontheESXhostandispartlyresponsibleforprovidingvirtualizationservicesforthevirtualmachine,
continuestowriteloggingmessagestothevirtualmachinelogfile.However,thevolumeofmessagesfrom
thissourceisverylowandcannotbeexploitedfromwithinthevirtualmachine,soitisnotnormally
consideredapotentialsourceofdataflooding.
Ifyouneverthelesswanttopreventallformsoflogging,youcandisableallmessagesbysettingtheparameter
showninTable4.Howeverthisisnotrecommendedinanormalproductionenvironment.
Inadditiontologging,guestoperatingsystemprocessescansendinformationalmessagestotheESX/ESXi
hostthroughVMwareTools.Thesemessages,knownassetinfomessages,arewrittentothevirtualmachines
configurationfile(.vmx).Theytypicallycontainnamevaluepairsthatdefinevirtualmachinecharacteristics
oridentifiersthatthehoststoresforexample,ipaddress=10.17.87.224.Asetinfomessagehasno
predefinedformatandcanbeanylength.Therefore,theamountofdatapassedtothehostinthiswayis
unlimited.AnunrestricteddataflowprovidesanopportunityforanattackertostageaDOSattackbywriting
softwarethatmimicsVMwareToolsandfloodingthehostwithpackets,thusconsumingresourcesneededby
thevirtualmachines.
Topreventthisproblem,theconfigurationfilecontainingthesenamevaluepairsislimitedtoasizeof1MB.
This1MBcapacityshouldbesufficientformostcases,butyoucanchangethisvalue,ifnecessary.Youmight
increasethisvalueiflargeamountsofcustominformationarebeingstoredintheconfigurationfile.
TomodifytheGuestInfofilememorylimit,setthetools.setInfo.sizeLimitparameterinthe.vmxfile.
Thedefaultlimitis1MB,andthislimitisappliedevenwhenthesizeLimitparameterisnotlistedinthe.vmx
file.TheexampleinTable5setsthesizelimitto1MB.
Table 2. Configuration Settings to Limit Log File Size and Number of Log Files
Name Recommended Value
log.rotateSize 100000
log.keepOld 10
Table 3. Configuration Setting to Disable Virtual Machine Logging
Isolation.tools.log.disable true
Table 4. Configuration Setting to Disable Virtualization Service Logging
logging false
Table 5. Configuration Setting to Limit Size of GuestInfo File
tools.setInfo.sizeLimit 1048576
Security Hardening

Youmayalsoentirelypreventguestoperatingsystemsfromwritinganynamevaluepairstotheconfiguration
file,usingthesettinginTable6.Thisisappropriatewhenguestoperatingsystemsmustbepreventedfrom
modifyingconfigurationsettings.
Do Not Use Nonpersistent Disks
Thesecurityissuewithnonpersistentdiskmodeisthatattackersmayundoorremoveanytracesthatthey
wereeveronthemachinewithasimpleshutdownorreboot.Oncethevirtualmachinehasbeenshutdown,
thevulnerabilityusedtoaccessthevirtualmachinewillstillbepresent,andtheattackersmayaccessthe
virtualmachineinthefutureatatimeoftheirchoice.Thedangeristhatadministratorsmayneverknowif
theyhavebeenattackedorhacked.Tosafeguardagainstthisrisk,youshouldusenonpersistentdiskmode
onlyfortestanddevelopmentvirtualmachines.Youshouldsetproductionvirtualmachinestousepersistent
diskmodeonly.Toverify,makesurethattheparameterscsiX:Y.modeisnotpresent,whereXandYaresingle
digits,orthatifitispresent,thevalueisnotindependent-nonpersistent.Youcanconfigurethisoptionin
theVIClientforeachindividualdiskonavirtualmachine.Youcanmakechangesonlywhenthevirtual
machineisnotpoweredon.Toreviewandmodifythesesettings:
1 LogintotheVIClientandchoosetheserverfromtheinventorypanel.
Thehardwareconfigurationpagefortheserverappears.
2 Expandtheinventoryasneededandchoosethevirtualmachineyouwanttocheck.
3 ClicktheEditSettingslinkintheCommandspaneltodisplaytheVirtualMachinePropertiesdialogbox.
4 ClicktheHardwaretab.
5 ClicktheappropriateharddiskinHardwarelist.
Ensure Unauthorized Devices are Not Connected
Besidesdisablingunnecessaryvirtualdevicesfromwithinthevirtualmachine,youshouldensurethatno
deviceisconnectedtoavirtualmachineifitdoesnotneedtobethere.Forexample,serialandparallelports
arerarelyusedforvirtualmachinesinadatacenterenvironment,andCD/DVDdrivesareusuallyconnected
onlytemporarilyduringsoftwareinstallation.
Forlesscommonlyuseddevices,Table7showsthe.vmxparametersthatspecifywhetherthedeviceis
availableforavirtualmachinetouse.Ifthedeviceisnotneeded,eithertheparametershouldnotbepresent
oritsvaluemustbeFALSE.TheparameterslistedinTable7arenotsufficienttoensurethatadeviceisusable,
becauseotherparametersareneededtoindicatespecificallyhoweachdeviceisinstantiated.
Prevent Unauthorized Removal or Connection of Devices
Normalusersandprocessesthatisusersandprocesseswithoutrootoradministratorprivilegeswithin
virtualmachineshavethecapabilitytoconnectordisconnectdevices,suchasnetworkadaptersandCDROM
drives.
Table 6. Configuration Setting to Prevent Writing SetInfo Data to Configuration File
Name Value
isolation.tools.setinfo.disable true
Table 7. Configuration Parameters that Specify Certain Devices
Device Configuration file parameter (where <x> is an integer 0 or greater)
Floppydrive floppy<X>.present
Serialport serial<X>.present
Parallelport parallel<X>.present
Security Hardening

Forexample,bydefault,arogueuserwithinavirtualmachinecan:
ConnectadisconnectedCDROMdriveandaccesssensitiveinformationonthemedialeftinthedrive
Disconnectanetworkadaptertoisolatethevirtualmachinefromitsnetwork,whichisadenialofservice
Ingeneral,youshouldusethevirtualmachinesettingseditororConfigurationEditortoremoveany
unneededorunusedhardwaredevices.However,youmaywanttousethedeviceagain,soremovingitisnot
alwaysagoodsolution.Inthatcase,youcanpreventauserorrunningprocessinthevirtualmachinefrom
connectingordisconnectingadevicefromwithintheguestoperatingsystembyaddingtheparametershown
inTable8.
Avoid Denial of Service Caused by Virtual Disk Modification Operations
Shrinkingavirtualdiskreclaimsunusedspaceinthevirtualdisk.Ifthereisemptyspaceinthedisk,this
processreducestheamountofspacethevirtualdiskoccupiesonthehostdrive.Normalusersand
processesthatisusersandprocesseswithoutrootoradministratorprivilegeswithinvirtualmachineshave
thecapabilitytoinvokethisprocedure.However,ifthisisdonerepeatedly,thevirtualdiskcanbecome
unavailable,effectivelycausingadenialofservice.Inmostdatacenterenvironments,diskshrinkingisnot
done,soyoushoulddisablethisfeaturebysettingtheparameterslistedinTable9.
Specify the Guest Operating System Correctly
Choosingthecorrectguestoperatingsystemintheconfigurationforeachvirtualmachineisimportant.ESX
optimizescertaininternalconfigurationsonthebasisofthischoice.Thecorrectguestoperatingsettingcanaid
thechosenoperatingsystemgreatlyandmaycausesignificantperformancedegradationifthereisamismatch
betweenthesettingandtheoperatingsystemactuallyrunninginthevirtualmachine.Theperformance
degradationmaybesimilartorunninganunsupportedoperatingsystemonESX.Choosingthewrongguest
operatingsystemisnotlikelytocauseavirtualmachinetorunincorrectly,butitcoulddegradethevirtual
machinesperformance.
TheparameterthatspecifiestheguestoperatingsystemisguestOS.Verifythatthespecifiedoperatingsystem
andmatchestheoperatingsystemactuallyrunninginthevirtualmachine,whichyoucandetermineby
checkingthevirtualmachinedirectly.
Verify Proper File Permissions for Virtual Machine Files
Besurepermissionsforthevirtualmachinesfilesaresetaccordingtotheguidelinesinthissection.
Permissionsfortheconfigurationfile(.vmx),shouldberead,write,execute(rwx)forowner,andreadand
execute(r-x)forgroup(755).Permissionsforthevirtualmachinesvirtualdisk(.vmdk)shouldbereadand
write(rw-)forowner(600).Forallofthesefiles,boththeuserandgroupshouldberoot.
Configuring the Service Console in ESX 3.5
Whetheryouuseamanagementclientorthecommandline,allconfigurationtasksforESX3.5areperformed
throughtheserviceconsole,includingconfiguringstorage,controllingaspectsofvirtualmachinebehavior,
andsettingupvirtualswitchesorvirtualnetworks.Aswithanintelligentplatformmanagementinterface
(IPMI)orserviceprocessoronaphysicalserver,someoneloggedintotheserviceconsolewithprivileged
permissionshastheabilitytomodify,shutdown,orevendestroyvirtualmachinesonthathost.Thedifference
isthat,insteadofasinglephysicalserver,thiscanaffectmanyvirtualmachines.AlthoughESX3.5
Table 8. Configuration Setting to Prevent Device Removal or Connection
Name Value
Isolation.tools.connectable.disable true
Table 9. Configuration Settings to Prevent Virtual Disk Shrinking
Name Value
isolation.tools.diskWiper.disable True
isolation.tools.diskShrink.disable True
Security Hardening

managementclientsuseauthenticationandencryptiontopreventunauthorizedaccesstotheserviceconsole,
otherservicesmightnotofferthesameprotection.Ifattackersgainaccesstotheserviceconsole,theyarefree
toreconfiguremanyattributesoftheESXhost.Forexample,theycouldchangetheentirevirtualswitch
configurationorchangeauthorizationmethods.BecausetheserviceconsoleisthepointofcontrolforESX,
safeguardingitfrommisuseiscrucial.
Configure the Firewall for Maximum Security
ESX3.5includesafirewallbetweentheserviceconsoleandthenetwork.Bydefault,theserviceconsole
firewallisconfiguredatahighsecuritysetting,withbothincomingandoutgoingtrafficblockedbydefault
exceptforalimitedsetofportsusedbyservicesthatareenabled.Thefirewallcontainsalistofknownservices
forwhichtheappropriateincomingandoutgoingportsareknown,anditautomaticallyopensportsfor
enabledservicesandclosesthemwhenaserviceisdisabled.Thissectionliststheservicesthatareenabledby
defaultwhenyouinstallESX3.5.YoucanseethelistofcurrentlyenabledservicesonanESXhostandthe
associatedportsintheVIClient:
1 Choosethehost.
2 ClicktheConfigurationtab,thenchoosetheSecurityProfileitemundertheSoftwareheading.
3 ClickFirewallProperties.
Itisbesttoleavethedefaultsecurityfirewallsettings,whichblockallincomingandoutgoingtrafficthatisnot
associatedwithanenabledservices,thenusethefirewallsbuiltinserviceregistrytoenableanddisable
services.Ifyouhaveaparticularserviceoragentthatisnotpartofthebuiltinlist,youcanopenindividual
portsusingtheserviceconsolecommandesxcfg-firewall.Ifyoudoopenports,makesuretodocumentthe
changes,includingthepurposeforopeningeachport.Formoreinformationonhowtousethe
esxcfg-firewallcommand,seethesectionChangingtheServiceConsoleSecurityLevelintheESXServer
3ConfigurationGuideortypeman esxcfg-firewallonthecommandline.
Limit the Software and Services Running in the Service Console
AlthoughtheserviceconsoleisbasedonLinuxandiscapableofrunningmostLinuxbasedsoftware,you
shouldavoidrunninganyadditionalsoftwareorservicesinsideitwhereverpossible.Eachadditional
componentthatisrunningrepresentsanadditionalattackvectorandalsoincreasesthepotentialfor
misconfiguration.Foranyservicethatyourunintheserviceconsole,considerwhetheritisreallyneededand
whethertheequivalentfunctionalitycanbeprovidedbyanexternalagentthatcommunicateswiththeESX
hostusingthestandardbuiltinAPIs.
TheservicesthatareonbydefaultintheESX3.5serviceconsoleandtheportstheyusearedescribedinTable
10.Thesecondcolumnofthetableshowsthestringusedtoidentifytheservicewhenusingthe
esxcfg-firewallcommandforexamplewhenrunningesxcfg-firewall --querytoshowthecurrent
status.Thetablealsoindicateswhenitisappropriatetodisableaservice.Forexample,ifyouarenotusing
NFStomountnetworksharesintheserviceconsole,youshoulddisablethisservice.ConfiguretheFirewall
forMaximumSecurityonpage 8describeshowtousetheVIClienttoviewwhichservicesareenabled.You
canusethesamepropertiesdialogboxtodisableservicesaswellasviewthem.
Table 10. Default Services in the ESX 3.5 Service Console
Service
Identification in
esxcfg-firewall
command Port Traffic Type When to disable
CIMService
Location
Protocol
CIMSLP 427 Incomingand
outgoingUDPand
TCP
IfnotusingCIMbasedsoftwarefor
monitoringormanagement
NFSclient nfsClient 111,2049 OutgoingTCPand
UDP
IfnotmountingNFSbasedstoragein
theserviceconsole
VMware
Consolidated
Backup
VCB 443,902 OutgoingTCP IfnotusingVCBforbackup
Security Hardening

Additionalsoftwarethatmightrunintheserviceconsoleincludesmanagementagentsandbackupagents.
Althoughthissoftwaremighthavealegitimatepurpose,themorecomponentsyouhaverunninginthe
serviceconsole,themorepotentialobjectsaresusceptibletosecurityvulnerabilities.Inaddition,these
componentsoftenrequirespecificnetworkportstobeopeninordertofunction,thusfurtherincreasingthe
avenuesofattack.
Formoreinformationandrecommendationsonrunningthirdpartysoftwareintheserviceconsole,see
http://www.vmware.com/vmtn/resources/516.
Use VI Client and VirtualCenter to Administer the Hosts Instead of Service
Console
Thebestmeasuretopreventsecurityincidentsintheserviceconsoleistoavoidaccessingitifatallpossible.
YoucanperformmanyofthetasksnecessarytoconfigureandmaintaintheESXhostusingtheVIClient,either
connecteddirectlytothehostor,betteryet,goingthroughVirtualCenter.TheVIClientcommunicatesusing
awelldefinedAPI,whichlimitswhatcanbedone.Thisissaferthandirectexecutionofarbitrarycommands.
GoingthroughVirtualCenterhastheaddedbenefitthatauthorizationandauthenticationareperformedvia
yourstandardcentralActiveDirectoryservice,insteadofusingspeciallocalaccountsintheserviceconsole.
Inaddition,rolesandusersarestoredinadatabase,providinganeasywaytoviewthecurrentpermissions
aswellastakeasnapshotofthem.VirtualCenteralsokeepstrackofeverytaskinvokedthroughit,providing
anautomaticaudittrail.
Anotheralternativeistousearemotescriptinginterface,suchastheVIPerlToolkitortheremotecommand
lineinterface(RemoteCLI).TheseinterfacesarebuiltonthesameAPIthatVIClientandVirtualCenteruse,
soanyscriptusingthemautomaticallyenjoysthesamebenefitsofauthentication,authorization,andauditing.
InESX3.5,someadvancedtasks,suchasinitialconfigurationforpasswordpolicies,cannotbeperformedvia
theVIClient.Forthesetasks,youmustlogintotheserviceconsole.Also,ifyouloseyourconnectiontothe
host,executingcertainofthesecommandsthroughthecommandlineinterfacemaybeyouronly
recourseforexample,ifthenetworkconnectionfailsandyouarethereforeunabletoconnectusingVIClient.
ThesetasksaredescribedinAppendixAoftheESXServer3ConfigurationGuide.
Use a Directory Service for Authentication
AdvancedconfigurationandtroubleshootingofanESXhostmayrequirelocalprivilegedaccesstotheservice
console.Forthesetasks,youshouldsetupindividualhostlocalizeduseraccountsandgroupsforthefew
administratorswithoverallresponsibilityforyourvirtualinfrastructure.Ideally,theseaccountsshould
correspondtorealindividualsandnotbeaccountssharedbymultiplepeople.Althoughyoucancreateonthe
CIMoverHTTP CIMHttpServer 5988 IncomingTCP IfnotusingCIMbasedsoftwarefor
CIMover
HTTPS
CIMHttpsServer 5989 IncomingTCP IfnotusingCIMbasedsoftwarefor
Licensing LicenseClient 27000,27010 OutgoingTCP Ifusingonlyhostbasedlicensing
SSHServer sshServer 22 IncomingTCP Ifallmanagementisdonevia
VirtualCenter,VIClient,orother
remotemeans
VirtualCenter
Agent
vpxHeartbeats 902 OutgoingUDP IfnotmanagedbyVirtualCenter
VIAPI n/a 443 Incomingand
outgoingTCP
Mustalwaysbeavailable
Secureaccess
redirect
n/a 80 IncomingTCP Mustalwaysbeavailable
Table 10. Default Services in the ESX 3.5 Service Console
Service
Identification in
esxcfg-firewall
command Port Traffic Type When to disable
Security Hardening

serviceconsoleofeachhostlocalaccountsthatcorrespondtoeachglobalaccount,thispresentstheproblem
ofhavingtomanageusernamesandpasswordsinmultipleplaces.Itismuchbettertouseadirectoryservice,
suchasNISorLDAP,todefineandauthenticateusersontheserviceconsole,soyoudonothavetocreatelocal
useraccounts.
Inthedefaultinstallation,ESX3.5cannotuseActiveDirectorytodefineuseraccounts.However,itcanuse
ActiveDirectorytoauthenticateusers.Inotherwords,youcandefineindividualuseraccountsonthehost,
thenusethelocalActiveDirectorydomaintomanagethepasswordsandaccountstatus.Youmustcreatea
localaccountforeachuserthatrequireslocalaccessontheserviceconsole.Thisshouldnotbeseenasaburden;
ingeneral,onlyrelativelyfewpeopleshouldhaveaccesstotheserviceconsole,soitisbetterthatthedefault
isfornoonetohaveaccessunlessyouhavecreatedanaccountexplicitlyforthatuser.
Authenticationontheserviceconsoleiscontrolledbythecommandesxcfg-auth.Youcanfindinformation
onthiscommandinitsmanpage.Typeman esxcfg-authatthecommandlinewhenloggedintotheservice
console.ForinformationonauthenticationwithActiveDirectory,seethetechnicalnoteat
http://www.vmware.com/vmtn/resources/582.
Itisalsopossibletousethirdpartypackages,suchasWinbindorCentrify,toprovidetighterintegrationwith
ActiveDirectory.Consultthedocumentationforthosesolutionsforguidanceonhowtodeploythemsecurely.
Strictly Control Root Privileges
Becausetherootuseroftheserviceconsolehasalmostunlimitedcapabilities,securingthisaccountisthemost
importantstepyoucantaketosecuretheESXhost.Bydefault,allinsecureprotocols,suchasFTP,Telnet,and
HTTP,aredisabled.RemoteaccessviaSSHisenabled,butnotfortherootaccount.Youcancopyfilesremotely
toandfromtheserviceconsoleusinganscp(securecp)client,suchasWinSCP.
EnablingremoterootaccessoverSSHoranyotherprotocolisnotrecommended,becauseitopensthesystem
tonetworkbasedattackshouldsomeoneobtaintherootpassword.Abetterapproachistologinremotely
usingaregularuseraccount,thenusesudotoperformprivilegedcommands.Thesudocommandenhances
securitybecauseitgrantsrootprivilegesonlyforselectactivities,incontrastwiththesucommand,which
grantsrootprivilegesforallactivities.Usingsudoalsoprovidessuperioraccountabilitybecauseallsudo
activitiesarelogged,whereasifyouusesu,ESXlogsonlythefactthattheuserswitchedtorootbywayofsu.
Thesudocommandalsoprovidesawayforyoutograntorrevokeexecutionrightstocommandsonan
asneededbasis.
YoucangoastepfurtheranddisallowrootaccessevenontheconsoleoftheESXhostthatis,whenyoulog
inusingascreenandkeyboardattachedtotheserveritself,ortoaremotesessionattachedtotheservers
console.Thisapproachforcesanyonewhowantstoaccessthesystemtofirstloginusingaregularuser
account,thenusesudoorsutoperformtasks.Ideally,onlyalimitedsetofindividualsneedpermissiontorun
suinordertoperformarbitraryadministrativetasks.Ifyoudecidetodisallowrootloginontheconsole,you
shouldfirstcreateanonprivilegedaccountonthehosttoenablelogins,otherwiseyoucouldfindyourself
lockedoutofthehost.Thisnonprivilegedaccountshouldbealocalaccountthatis,onethatdoesnotrequire
remoteauthenticationsothatifthenetworkconnectiontothedirectoryserviceislost,accesstothehostis
stillpossible.Youcanassurethisaccessbydefiningalocalpasswordforthisaccount,usingthepasswd
command.Thelocalpasswordoverridesauthenticationviadirectoryservices(asdiscussedintheprevious
section).Theneteffectisthatadministratorscancontinuetoaccessthesystem,buttheyneverhavetologin
asroot.Instead,theyusesudotoperformparticulartasksorsutoperformarbitrarycommands.
Topreventdirectrootloginontheconsole,modifythefile/etc/securettytobeempty.Whileloggedinas
root,enterthefollowingcommand:
cat /dev/null > /etc/securetty
Afteryoudothis,onlynonprivilegedaccountsareallowedtologinattheconsole.Notethatthisalsocan
disableremoteconsolecapabilities,suchasiLOandDRAC.
Security Hardening

Control Access to Privileged Capabilities
Becausesuissuchapowerfulcommand,youshouldlimitaccesstoit.Bydefault,onlyusersthataremembers
ofthewheelgroupintheserviceconsolehavepermissiontorunsu.Ifauserattemptstorunsu -togainroot
privilegesandthatuserisnotamemberofthewheelgroup,thesu -attemptfailsandtheeventislogged.
Besidescontrollingwhohasaccesstothesucommand,throughthepluggableauthenticationmodule(PAM)
infrastructure,youcanspecifywhattypeofauthenticationisrequiredtosuccessfullyexecutethecommand.
Inthecaseofthesucommand,therelevantPAMconfigurationfileis/etc/pam.d/su.Toallowonlymembers
ofthewheelgrouptoexecutethesucommand,andthenonlyafterauthenticatingwithapassword,findthe
linebeginningwithauth requiredandremovetheleadingpoundsign(#)soitreads:
auth required /lib/security/$ISA/pam_wheel.so use_uid
Thesudoutilityshouldbeusedtocontrolwhatprivilegedcommandsuserscanrunwhileloggedintothe
serviceconsole.Amongthecommandsyoushouldregulatearealloftheesxcfg-*commandsaswellasthose
thatconfigurenetworkingandotherhardwareontheESXhost.Youshoulddecidewhatsetofcommands
shouldbeavailabletomorejunioradministratorsandwhatcommandsyoushouldallowonlysenior
administratorstoexecute.Youcanalsousesudotorestrictaccesstothesucommand.
Usethefollowingtipstohelpyouconfiguresudo:
Configurelocalandremotesudologging(seeMaintainProperLoggingonpage 12).
Createaspecialgroup,suchasvi_admins,andallowonlymembersofthatgrouptousesudo.
Usesudoaliasestodeterminetheauthorizationscheme,thenaddandremoveusersinthealias
definitionsinsteadofinthecommandsspecification.
Becarefultopermitonlytheminimumnecessaryoperationstoeachuserandalias.Permitveryfewusers
torunthesucommand,becausesuopensashellthathasfullrootprivilegesbutisnotauditable.
Ifyouhaveconfiguredauthenticationusingadirectoryservice,sudousesitbydefaultforitsown
authentication.Thisbehavioriscontrolledbythe/etc/pam.d/sudofile,onthelineforauth.Thedefault
settingservice=system-authtellssudotousewhateverauthenticationschemehasbeensetglobally
usingtheesxcfg-authcommand.
Requireuserstoentertheirownpasswordswhenperformingoperations.Thisisthedefaultsetting.Do
notrequiretherootpassword,becausethispresentsasecurityrisk,anddonotdisablepassword
checking.Insudotheauthenticationpersistsforabriefperiodoftimebeforesudoasksforapassword
again.
Forfurtherinformationandguidelinesforusingsudo,seehttp://www.gratisoft.us/sudo/.
Establish a Password Policy for Local User Accounts
Foranylocaluseraccounts,theserviceconsoleprovidespasswordcontrolsontwolevelstohelpyouenforce
passwordpoliciestolimittheriskofpasswordcracking:
PasswordagingThesecontrolsgovernhowlongauserpasswordcanbeactivebeforetheuseris
requiredtochangeit.Theyhelpensurethatpasswordschangeoftenenoughthatifanattackerobtainsa
passwordthroughsniffingorsocialengineering,theattackercannotcontinuetoaccesstheESXhost
indefinitely.
PasswordcomplexityThesecontrolsensurethatuserscreatepasswordsthatarehardforpassword
generatorstodetermine.Insteadofusingwords,acommontechniqueforensuringpasswordcomplexity
istouseamemorablephrase,thenderiveapasswordfromitforexample,byusingthefirstletterofeach
word.
BothofthesepoliciesaredescribedinthesectionPasswordRestrictionsintheESXServer3Configuration
Guide.
Thedefaultpam_cracklib.sopluginprovidessufficientpasswordstrengthenforcementformost
environments.However,ifthepam_cracklib.sopluginisnotstringentenoughforyourneeds,youcanuse
thepam_passwdqc.soplugininstead.Youchangethepluginusingtheesxcfg-authcommand.
Security Hardening

Forfurtherprotection,youcanenforceaccountlockoutaftertoomanyunsuccessfulloginattempts.To
configuretheESXserviceconsoletodisabletheaccountafterthreeunsuccessfulloginattempts,addthe
followinglinesto/etc/pam.d/system-auth:
auth required /lib/security/pam_tally.so no_magic_root
account required /lib/security/pam_tally.so deny=3
no_magic_root
Tocreatethefileforloggingfailedloginattempts,executethefollowingcommands:
touch /var/log/faillog
chown root:root /var/log/faillog
chmod 600 /var/log/faillog
Do Not Manage the Service Console as a Linux Host
TheserviceconsoleisgeneratedfromaRedHatLinuxdistributionthathasbeenmodifiedtoprovideexactly
thefunctionalitynecessarytocommunicatewithandallowmanagementoftheVMkernel.Anyadditional
softwareinstalledshouldnotmakeassumptionsaboutwhatRPMpackagesarepresent,northatthesoftware
canmodifythem.Inseveralcases,thepackagesthatdoexisthavebeenmodifiedespeciallyforESX.
ItisparticularlyimportantthatyounottreattheserviceconsolelikeaLinuxhostwhenitcomestopatching.
NeverapplypatchesissuedbyRedHatoranyotherthirdpartyvendor.Applyonlypatchesthatarepublished
byVMwarespecificallyfortheversionsofESXthatyouhaveinuse.Thesearepublishedfordownload
periodically,aswellasonanasneededbasisforsecurityfixes.Youcanreceivenotificationsfor
securityrelatedpatchesbysigningupforemailnotificationsathttp://www.vmware.com/security.
Similarly,youshouldneveruseascannertoanalyzethesecurityoftheserviceconsoleunlessthescanneris
specificallydesignedtoworkwithyourversionofESX.Inparticular,scannersthatassumetheserviceconsole
isastandardRedHatLinuxdistributionroutinelyyieldfalsepositives.Thesescannerstypicallylookonlyfor
stringsinthenamesofsoftware,andthereforedonotaccountforthefactthatVMwarereleasescustom
versionsofpackageswithspecialnameswhenprovidingsecurityfixes.Becausethesespecialnamesare
unknowntothescanners,theyflagthemasvulnerabilitieswheninrealitytheyarenot.Youshoulduseonly
scannersthatspecificallytreattheESXserviceconsoleasauniquetarget.Formoreinformation,seethesection
SecurityPatchesandSecurityVulnerabilityScanningSoftwareinthechapterServiceConsoleSecurityof
theESXServer3ConfigurationGuide.
Inaddition,youshouldnotmanagetheserviceconsoleasifitwereatraditionalLinuxhost.Theusual
redhat-config-*commandsarenotpresent,norareothercomponentssuchastheXserver.Instead,you
managetheESXhostusingaseriesofpurposebuiltcommands,suchasvmkfstoolsandtheesxcfg-*
commands.ManyofthesecommandsshouldbeusedonlyuponinstructionfromVMwareTechnicalSupport,
ornotinvokedmanuallyatall,butafewprovidefunctionalitythatisnotavailableviatheVIClient,suchas
authenticationmanagementandadvancedstorageconfiguration.
Ifyoufollowthebestpracticeofisolatingthenetworkfortheserviceconsole,thereisnoreasontorunany
antivirusorothersuchsecurityagents,andtheiruseisnotnecessarilyrecommended.However,ifyour
environmentrequiresthatsuchagentsbeused,useaversiondesignedtorunonRedHatEnterpriseLinux3,
Update6.
Formoreinformationonthespecialadministrativecommandsintheserviceconsole,seeESXTechnical
SupportCommandsandUsingvmkfstoolsintheappendicesoftheESXServer3ConfigurationGuide.
Maintain Proper Logging
Properandthoroughloggingallowsyoutokeeptrackofanyunusualactivitythatmightbeaprecursortoan
attackandalsoallowsyoutodoapostmortemonanycompromisedsystemsandlearnhowtopreventattacks
fromhappeninginthefuture.
Security Hardening

ThesyslogdaemonperformsthesystemlogginginESX.Youcanaccessthelogfilesintheserviceconsoleby
goingtothe/var/log/directory.SeveraltypesoflogfilesgeneratedbyESXareshowninTable11.
Thelogfilesprovideanimportanttoolfordiagnosingsecuritybreachesaswellasothersystemissues.They
alsoprovidekeysourcesofauditinformation.Inadditiontostoringloginformationinfilesonthelocalfile
system,youcansendthisloginformationtoaremotesystem.Thesyslogprogramistypicallyusedfor
computersystemmanagementandsecurityauditing,anditcanservethesepurposeswellforESXhosts.You
canselectindividualserviceconsolecomponentsforwhichyouwantthelogssenttoaremotesystem.
Thefollowingtipsprovidebestpracticesforlogging:
Ensureaccuratetimekeeping.
Byensuringthatallsystemsusethesamerelativetimesource(includingtherelevantlocalizationoffset),
andthattherelativetimesourcecanbecorrelatedtoanagreedupontimestandard(suchasCoordinated
UniversalTimeUTC),youcanmakeitsimplertotrackandcorrelateanintrudersactionswhen
reviewingtherelevantlogfiles.Intheserviceconsole,yousetthetimesourceusingtheNTP(Network
TimeProtocol)system.ForinstructionsonhowtoconfigureNTP,seeVMwareknowledgebasearticle
1339(http://kb.vmware.com/kb/1339).
Controlgrowthoflogfiles.
Inordertopreventthelogfilefromfillingupthediskpartitiononwhichitresides,configurelogfile
rotation.Thisautomaticallycreatesabackupofthelogfileafteritreachesacertainspecifiedsizeand
keepsonlyaspecifiednumberofolderbackupfilesbeforeautomaticallydeletingthem,thuslimitingthe
totaldiskusageforlogging.Thelogrotationbehaviorisspecifiedforeachcomponentinconfiguration
fileslocatedinthedirectory/etc/logrotate.daswellasinthefile/etc/logrotate.conf.
Forthethreefilesin/etc/logrotate.dvmkernel,vmksummary,andvmkwarningitisrecommend
thattheconfigurationbemodifiedto:
Increasethesizeofthelogfileto4096k.
Enablecompressionbysettingthelinecompressinsteadofnocompress.
Table 11. Key Log Files Generated by ESX
Component Location Purpose
Vmkernel /var/log/vmkernel Recordsactivitiesrelatedtothevirtual
machinesandESX
VMkernelwarnings /var/log/vmkwarning Recordsactivitieswiththevirtualmachines
VMkernelsummary /var/log/vmksummary Usedtodetermineuptimeandavailability
statisticsforESX;humanreadablesummary
foundin/var/log/vmksummary.txt
ESXhostagentlog /var/log/vmware/hostd.log Containsinformationontheagentthatmanages
andconfigurestheESXhostanditsvirtual
machines
Virtualmachines Thesamedirectoryastheaffectedvirtual
machinesconfigurationfiles;named
vmware.logandvmware-*.log
Containinformationwhenavirtualmachine
crashesorendsabnormally
VirtualCenteragent /var/log/vmware/vpx Containsinformationontheagentthat
communicateswithVirtualCenter
Webaccess Filesin/var/log/vmware/webAccess RecordsinformationonWebbasedaccessto
ESX
Serviceconsole /var/log/messages Containallgenerallogmessagesusedto
troubleshootvirtualmachinesorESX
Authenticationlog /var/log/secure Containsrecordsofconnectionsthatrequire
authentication,suchasVMwaredaemonsand
actionsinitiatedbythexinetddaemon.
Security Hardening

Thisallowsgreaterlogginginthesamefilesystemspace.Formoreinformationonconfiguringlogfile
rotation,seeman logrotate.
Useremotesysloglogging.
Remoteloggingtoacentralhostprovidesawaytogreatlyincreaseadministrationcapabilities.By
gatheringlogfilesontoacentralhost,youcaneasilymonitorallhostswithasingletoolaswellasdo
aggregateanalysisandsearchingtolookforsuchthingsascoordinatedattacksonmultiplehosts.
Animportantpointtoconsideristhatthelogmessagesarenotencryptedwhensenttotheremotehost,
soitisimportantthatthenetworkfortheserviceconsolebestrictlyisolatedfromothernetworks.
Syslogbehavioriscontrolledbytheconfigurationfile/etc/syslog.conf.Forlogsyouwanttosendto
aremoteloghost,addalinewith@<loghost.company.com>afterthemessagetype,where
<loghost.company.com>isthenameofahostconfiguredtorecordremotelogfiles.Makesurethatthis
hostnamecanbeproperlyresolved,puttinganentryinthenameservicemapsifneeded.
Example:
local6.warning @<loghost.company.com>
Aftermodifyingthefile,tellthesyslogdaemontorereaditbyissuingthefollowingcommand:
kill -SIGHUP `cat /var/run/syslogd.pid`
Displaydifferentloglevelmessagesondifferentscreens.
Anoptionforsyslogistologtoanalternateconsole,whichcanbedisplayedfromtheterminaloftheESX
host.ESXhasthecapabilityattheconsoletodisplayanumberofvirtualterminals.Thisgivesyouthe
capabilitytohavecritical,error,andwarningmessagesdisplayedondifferentscreens,enablingyouto
quicklydifferentiatetypesoferrors.
Toenablethisseparationoflogmessagedisplay,addthefollowinglinestothe/etc/syslog.conffile:
*.crit /dev/tty2
Alllogitemsatthecriticallevelorhigherareloggedtothevirtualterminalattty2.PressAltF2attheESX
consoletoviewtheselogs.
*.err /dev/tty3
Alllogitemsattheerrorlevelorhigherareloggedtothevirtualterminalattty3.PressAltF3attheESX
consoletoviewtheselogs
*.warning /dev/tty4
Alllogitemsatthewarninglevelorhigherareloggedtothevirtualterminalattty4.PressAltF4atthe
ESXServerconsoletoviewtheselogs.
Whenyouarefinished,issuethecommandforrereadingtheconfigurationfile:
kill -SIGHUP `cat /var/run/syslogd.pid`
Uselocalandremotesudologging.
Ifyouhaveconfiguredsudotoenablecontrolledexecutionofprivilegedcommands,youcanbenefitfrom
usingsyslogtoaudituseofthesecommands.Bydefault,allinvocationsofsudoareloggedto
/var/log/secure.Bymodifyingthelinecontainingthisfilenameinthesyslogconfigurationfileas
describedabove,youcanhavealltheselogmessagesalsosenttoaremotesyslogserver.
Establish and Maintain File System Integrity
Theserviceconsolehasanumberoffilesthatspecifyitsconfigurations:
/etc/profile
/etc/ssh/sshd_config
/etc/pam.d/system-auth
Security Hardening

/etc/grub.conf
/etc/krb.conf
/etc/krb5.conf
/etc/krb.realms
/etc/login.defs
/etc/openldap/ldap.conf
/etc/nscd.conf
/etc/ntp
/etc/ntp.conf
/etc/passwd
/etc/group
/etc/nsswitch.conf
/etc/resolv.conf
/etc/sudoers
/etc/shadow
Inaddition,ESXconfigurationfileslocatedinthe/etc/vmwaredirectorystorealltheVMkernelinformation.
Allofthesefilesshouldbemonitoredforintegrityandunauthorizedtampering,usingacommercialtoolsuch
asTripwireorConfiguresoft,orbyusingachecksumtoolsuchassha1sum,whichisincludedintheservice
console.Thesefilesshouldalsobebackedupregularly,eitherusingbackupagentsorbydoingbackupsbased
onfilecopying.NotallofthesefilesareactuallyusedbyyourparticularESXdeployment,butallthefilesare
listedforcompleteness.
Anotherchecktoperformistomakesurethatthefilepermissionsofimportantfilesandutilitycommands
havenotbeenchangedfromthedefault.Somefilesinparticulartocheckinclude:
The/usr/sbin/esxcfg-*commands,whichareallinstalledbydefaultwithpermissions500,exceptfor
esxcfg-authwhichhaspermissions544.
Thelogfilesdiscussedintheprevioussection,whichallhavepermissions600,exceptforthedirectory
/var/log/vmware/webAccess,whichhaspermissions755,andthevirtualmachinelogfiles,whichhave
permissions644.
CertainsystemcommandsthathavetheSUIDbit.ThesecommandsarelistedinTable123oftheESX
Server3ConfigurationGuide.
Forallofthesefiles,theuserandgroupownershouldberoot.
Secure the SNMP Configuration
ESX3.5providesanSNMPagenttomonitorfaultsandsystemstatus.ItsupportsSNMPversions1,2c,and3.
WhenanSNMPagentisenabledinESX,networkmanagementtoolscanlistenfornotificationsorpollfor
statusinformationabouttheconfigurationofvirtualmachinesandthestateofthenetwork,CPU,disk,and
installedsoftware.
ItisrecommendedthatyouconfigureESX3.5touseSNMPversion3,whichprovidesforauthenticationand
privacyofmessagesbetweentheagentandmanagementstation.Consultthesnmpd.confmanpageformore
informationonconfiguringSNMP.
Security Hardening

Protect against the Root File System Filling Up
WhenyouinstallESX3.5,youshouldaccepttherecommendeddiskpartitioningforthemosteffective
installation.Ifyouchoosetopartitionthediskmanually,youshouldensurethatyouhavecreatedseparate
partitionsforthedirectories/home,/tmp,and/var/log.Thesearealldirectoriesthathavethepotentialtofill
up,andiftheyarenotisolatedfromtherootpartition,youcouldexperienceadenialofserviceiftheroot
partitionisfullandunabletoacceptanymorewrites.DatastorePartitioning,anappendixoftheInstallation
andUpgradeGuide,coversdiskpartitionsinmoredetail.
Disable Automatic Mounting of USB Devices
ExternalUSBdrivescanbeconnectedtotheESXhostandbeloadedautomaticallyontheserviceconsole.The
USBdrivemustbemountedbeforeyoucanuseit,butdriversareloadedtorecognizethedevice.Malicious
usersmaybeabletorunmaliciouscodeontheESXhostandgoundetectedbecausetheUSBdriveisexternal.
Bydefault,automaticUSBdrivemountingisenabled,butitisrecommendedthatyoudisablethisfeatureby
editingtheserviceconsolefile/etc/modules.confandcommentingoutthelinecontainingalias
usb-controllerbyplacingapoundsign(#)atthebeginning.
Configuring Host-level Management in ESXi 3.5
EventhoughESXi3.5doesnotshipwithaserviceconsole,therearesomeaspectsofhostlevelmanagement
thatyoucanconfigureandmonitor.SomeoftheseoptionsarenewtotheESXiarchitecture,andsomeare
analogoustooptionsavailableinESX3.5.
Strictly Control Root Privileges
YoumightwanttoavoidmanagingESXihostsdirectly,butinsteadprefertorequirethatallmanagementbe
donethroughVirtualCenter.Thisenforcestheuseofacentralauthenticationmodel(typicallyActive
Directory)andallowspermissionstobesetglobally.Italsoallowsalltaskstobeloggedinoneplace,the
VirtualCenterdatabase,whichmakesauditingeasier.
LockdownmodeisavailableonanyESXi3.5hostthatyouhaveaddedtoaVirtualCenterServer.Enabling
lockdownmodedisablesallremoterootaccesstoESXi3.5machines.Anysubsequentlocalchangestothehost
mustbemade:
InaVIClientsessionorusingRemoteCLIcommandstoVirtualCenter.
InaVIClientsessionorusingRemoteCLIcommandsdirecttotheESXi3.5systemusingalocaluser
accountdefinedonthehost.Bydefault,nolocaluseraccountsexistontheESXisystem.Youmustcreate
thoseaccountsbeforeenablinglockdownmodeandmustcreatetheminaVIClientsessionconnected
directlytotheESXisystem.Changestoahostarelimitedtothosethatcanbemadewiththeprivileges
grantedtoaparticularuserlocallyonthathost.
ItisrecommendedthatyouenablelockdownmodeforyourESXi3.5hosts.Youcanenableanddisable
lockdownmodeeitherusingaVIClientloggedintoVirtualCenterorusingthedirectconsoleuserinterface
(DCUI).Fordetailsonhowtodothis,seethechapterSecurityDeploymentsandRecommendationsinthe
ESXServer3iConfigurationGuide.
Control Access to Privileged Capabilities
Ideally,youmanageuserswhoaccesstheESXi3.5systemwiththeusermanagementfeaturesofVirtualCenter.
Incertaincases,however,youneedtomanageahostdirectlyforexample:
YouhavenotpurchasedVirtualCenterperhapsbecauseyouarejuststartingoutwithESXiorbecause
youhaveaverysmalldeployment
YouwanttoprovideforadministrativeaccesstothesystemincaseVirtualCenterisdownorotherwise
unavailable,oriftheVirtualCenteragentonthehostisnotworkingproperly
YouneedtouseRemoteCLIcommands,suchasthoseforbackingupandrestoringtheconfigurationof
thesystem,thatmustberundirectlyonthehost,notthroughVirtualCenter
Security Hardening

Securitybestpracticesdictatethattherootpasswordshouldbeknowntoasfewindividualsaspossible,and
therootaccountshouldnotbeusedifanyalternativeispossible,becauseitisananonymousaccountand
activitybytherootusercannotbedefinitivelyassociatedwithaspecificindividual.Therootpasswordis
initiallyblank,sooneofyourfirststepsinconfiguringtheservershouldbetocreateastrongpasswordforthe
rootaccount.
ESXi3.5allowsyoutocreatelocalusersandgroupsonthesystem.Definitionsfortheseusersandgroupsare
storedlocallyoneachindividualESXihost,andthedefinitionsforeachhostaretotallyindependentofother
hosts.YoucannotuseActiveDirectoryoranyotherdirectoryservicetoidentifyorauthenticatethelocalusers.
Furthermore,theuserandgrouplistsmaintainedbyVirtualCenterarecompletelyseparatefromthelists
maintainedbyESXihosts.EvenifthelistsmaintainedbyahostandVirtualCenterappeartohavecommon
users(forinstance,ausercalleddevuser),youmusttreattheseusersasseparateuserswhohappentohave
thesamename.TheattributesofdevuserinVirtualCenter,includingpermissionsandpasswords,areseparate
fromtheattributesofdevuserontheESXihost.IfyoulogontoVirtualCenterasdevuser,youmighthave
permissiontoviewanddeletefilesfromadatastore,whereasifyoulogontoanESXihostasdevuser,you
mightnot.
Becauseoftheconfusionthatduplicatenamingcancause,VMwarerecommendsthatyoucheckthe
VirtualCenteruserlistbeforeyoucreateESXihostuserssoyoucanavoidcreatinghostusersthathavethe
samenamesasVirtualCenterusers.TocheckforVirtualCenterusers,reviewtheWindowsdomainlist.
Youcangrantvariouslevelsofpermissionstolocalusers.TheprivilegemodelforanESXihostmirrorsthatof
VirtualCenter,exceptitlacksobjectssuchasdatacentersandclusters,whichhavenomeaningforan
individualhost.Youcancreatecustomrolesthatgrantspecificprivileges,thenassignthemtocertainusers.
Theseprivilegesaffectwhataparticularusercando,bothinaVIClientandusingtheRemoteCLI.Youshould
createadifferentlocaluseraccountforanypersonwhomightneeddirectaccesstothehostandgrantthat
userparticularprivilegestolimittheuserscapabilities.Youcanuselocalgroupdefinitionstosimplifythis
assignment.
Oneparticularbuiltinlocalgrouphasspecialmeaning.Ifyougiveausermembershipinthelocaladmin
group,thatuserhastheabilitytologintotheDCUI,whichistheinterfaceavailableattheconsoleofanESXi
hostthatallowsforbasichostconfigurationmodifyingnetworkingsettingsandtherootpassword,for
example.AssignmenttothisgroupenablesanadministrativeusertoperformtasksontheDCUIwithout
logginginasroot.However,thisisaverypowerfulprivilege,becauseaccesstotheDCUIallowssomeoneto
changetherootpasswordorevenpoweroffthehost.Therefore,onlythemosttrustedadministratorsshould
begrantedmembershiptothelocaladmingroup.
FormoreinformationonlocalusersandprivilegesinESXi,seethechapterAuthenticationandUser
ManagementintheServer3iConfigurationGuide.
Maintain Proper Logging
ESXi3.5maintainsalogofactivityinlogfiles.Itusesasyslogfacility,justasESX3.5does.However,ESXi
maintainsasmallernumberoflogfiles.Thefollowinglogsareavailable:
hostd.log
messages
vpxa.log(onlyifthehosthasbeedjoinedtoaVirtualCenterinstance)
Thereareseveralwaystoviewthecontentsoftheselogfiles.
ToviewthelogsinaVIClient,takethefollowingsteps:
1 LogindirectlytotheESXihostusingVIClientandmakesurethehostisselectedintheInventory.
2 ClickAdministration,thenclicktheSystemLogstab.
3 Choosethelogfileyouwanttoviewinthedropdownmenuintheupperleft.
ToviewthelogsinaWebbrowser,entertheURLhttps://<hostname>/host,where<hostname>isthehost
nameorIPaddressofthemanagementinterfaceoftheESXihost,thenchoosefromthelistoffilespresented.
Security Hardening

YoucanusetheRemoteCLIcommandvifstodownloadthelogfilestoyourlocalsystem.
Youcanalsoconfiguresyslogtosendlogmessagestoaremotesystem.
AswithESX3.5,youshouldconfigureNTPonthehosttoensureaccuratetimekeeping.
YoucanfindmoreinformationonconfiguringsyslogandNTPforESXihostsinthefollowingdocuments:
TheSystemLogFilesandHostConfigurationforESXServerandVirtualCentersectionsofthe
SystemConfigurationchapterintheBasicSystemAdministrationGuide.
TheappendixRemoteCommandLineInterfaceReferenceintheESXServer3iConfigurationGuide.
Establish and Maintain Configuration File Integrity
AswithESX,ESXimaintainsitsconfigurationstateinasetofconfigurationfiles.However,onESXithesefiles
canbeaccessedonlyusingtheremotefileaccessAPI,andtherearefarfewerfilesinvolved.Thesefiles
normallyarenotmodifieddirectly.Instead,theircontentsnormallychangeindirectlybecauseofsomeaction
invokedonthehost.However,thefileaccessAPIdoesallowfordirectmodificationofthesefiles,andsome
modificationsmightbewarrantedinspecialcircumstances.Therefore,youshouldmonitorallofthesefilesfor
integrityandunauthorizedtampering,eitherbyperiodicallydownloadingthemandtrackingtheircontents
orbyusingacommercialtooldesignedtodothis.TheaccessibleandrelevantconfigurationfilesinESXi3.5
are:
esx.conf
hostAgentConfig.xml
hosts
license.cfg
motd
openwsman.conf
proxy.xml
snmp.xml
ssl_cert
ssl_key
syslog.conf
vmware_config
vmware_configrules
vmware.lic
vpxa.cfg
ToviewtheconfigurationfilesinaWebbrowser,entertheURLhttps://<hostname>/hostwhere
<hostname>isthehostnameorIPaddressofthemanagementinterfaceoftheESXihost,thenchoosefrom
thelistoffilespresented.
YoucanusetheRemoteCLIcommandvifstodownloadtheconfigurationfilestoyourlocalsystem,aswell
astouploadnewversionsofthesefiles.Althoughinsomecasesthenewsettingstakeeffectimmediately,you
shouldalwaysrestarttheESXhostaftermakingchangesdirectlytotheconfigurationfiles(asopposedto
makingconfigurationchangesviatheVIClient,VirtualCenter,ortheRemoteCLI).
Security Hardening

Secure the SNMP Configuration
ESXi3.5containsadifferentSNMPagentfromthatinESX3.5,anditsupportsonlyversions1and2c.It
providesthesamenotificationsasESX3.5andaddsnotificationsforhardwarerelatedsensors.UnlikeESX3.5,
itsupportsonlytheSNMPv2MIBandsupportsitonlyfordiscovery,inventory,anddiagnosticsoftheSNMP
agent.
SNMPmessagescontainafieldcalledthecommunitystring,whichconveyscontextandusuallyidentifiesthe
sendingsystemfornotifications.ThisfieldalsoprovidescontextfortheinstanceofaMIBmoduleonwhich
thehostshouldreturninformation.ESX/ESXiSNMPagentsallowmultiplecommunitystringspernotification
targetaswellasforpolling.Keepinmindthatcommunitystringsarenotmeanttofunctionaspasswords,but
onlyasamethodforlogicalseparation.
SNMPv1andv2ctrafficisnotencrypted,whichmeansthatmessagescanbesnooped,andtheycouldbe
modifiedinflightwithoutthereceiverknowingaboutit.Waystomitigatethisriskinclude:
RunSNMPontrustednetworks,useroutingandlayer2filteringtolockdownMACaddressestolayer2
ports,androuteSNMPtraffictotrustedservers.
RunSNMPinaVPN/IPsectunnelonyouredgeroutersforSNMPtraffic.
Ensure Secure Access to CIM
TheCommonInformationModel(CIM)systemprovidesaninterfacethatenableshardwarelevel
managementfromremoteapplicationsviaasetofstandardAPIs.ToensurethattheCIMinterfaceissecure,
followtheserecommendations:
DonotproviderootcredentialstoremoteapplicationstoaccesstheCIMinterface.Instead,createaservice
accountspecifictotheseapplications.ReadonlyaccesstoCIMinformationisgrantedtoanylocalaccount
definedontheESXisystem.
IftheapplicationrequireswriteaccesstotheCIMinterface,onlytwolocalprivilegesarerequired.Itis
recommendedthatyoucreatealocalroletoapplytotheserviceaccountwithonlytheseprivileges:
Host>Config>SystemManagement
Host>CIM>CIMInteraction
Audit or Disable Technical Support Mode
ESXihasaspecialtechnicalsupportmode,whichisaninteractivecommandlineavailableonlyontheconsole
oftheserver.TechnicalsupportmodeisunsupportedunlessusedinconsultationwithVMwareTechnical
Supportandmustbeactivatedbeforeitcanbeused.Accesstothismoderequirestherootpasswordofthe
serverinadditiontoaccesstotheconsoleoftheserver,eitherphysicallyorthrougharemoteKVMoriLO
interface.
Technicalsupportmodeisdesignedtobeusedonlyincasesofemergency,whenmanagementagentsthat
providetheremoteinterfacesareinoperableandtheycannotberestartedthroughtheDCUI.Thereisno
reasontousetechnicalsupportmodeforanyotherpurposeapartfromtechnicalsupport.Technicalsupport
modeisonbydefault,butyoucandisableitentirely.
Technicalsupportmodeissecuredinthefollowingways:
Itisaccessibleonlyonthelocalconsole;unlikeSSHorTelnet,itcannotbeaccessedremotely.Thus,
physicalaccesstothehostorsomethingequivalenttophysicalaccess,suchasHPILO,DellDRAC,IBM
RSA,orasimilarremoteconsoletoolisabsolutelyrequiredforaccesstotechnicalsupportmode.Most
organizationshavesufficientformsofprotectiononphysical(orphysicalequivalent)accesstothehost
(forexample,doorlocks,keycards,andauthenticationfortheremoteconsole).
Itrequirestherootpasswordbeforeaccessisgranted.Anyindividualswhohavebothphysical(or
console)accessandtherootpasswordarealreadyfullyprivilegedandcandoanythingtheywantonthe
system.Thepresenceoftechnicalsupportmodedoesnotaugmentorreducethisrisk.
Security Hardening

Youcanaudittechnicalsupportmodeusingthefollowinginformation:
Wheneversomeoneactivatestechnicalsupportmode,thetimeanddateofactivationaresenttothe
systemlogmessagesfile.
Allunsuccessfulattemptstoaccesstechnicalsupportmode(thatis,someoneenterstheincorrectroot
password)arerecordedinthesystemlog.
Thetimeanddateofallsuccessfulaccessestotechnicalsupportmodearesenttothesystemlog
Toensureaccurateandreliablesystemlogs,youshouldconfigureremotesyslogontheserver,sologmessages
arekeptonanoutsidesystemandcannotbealteredfromtheserver.Actionsperformedwhileintechnical
supportmodearenotlogged.Anyaccesstotechnicalsupportmodeshouldbecorrelatedwithaspecificcall
toVMwareTechnicalSupport.Ifthereisnocorrespondingsupportsession,youshouldimmediatelysuspect
maliciousactivityandinspectthesystemfortampering.
Ifyouareunabletoaudittechnicalsupportmodetoadegreethatmatchesyoursecurityriskposture,you
shoulddisableitforallofyourESXihosts.Fordetailsondisablingtechnicalsupportmode,seeVMware
knowledgebasearticle1003677(http://kb.vmware.com/kb/1003677).
Configuring the ESX/ESXi Host
ThefollowingrecommendationsapplytothewaytheESX/ESXihostitselfisconfigured.Manyofthe
recommendationsapplytotheconfigurationofthenetworkstowhichvirtualmachinesareattached,because
mostsecurityattacksoccurthroughnetworkconnections.OtherspertaintotheoperationoftheESX/ESXi
softwareitself.
Isolate the Infrastructure-related Networks
SeveralcapabilitiesofVMwareInfrastructureinvolvecommunicationamongcomponentsoveranetwork.
Management.Thisincludesthefollowingtypesofcommunication:
BetweenESX/ESXiandVirtualCenter
AmongstESX/ESXihostsforexample,forVMwareHighAvailabilitycoordination
BetweenESX/ESXiorVirtualCenterandsystemsrunningclientsoftwaresuchastheVIClientoraVI
SDKapplication
BetweenESX/ESXiandancillarymanagementservices,suchasDNS,NTP,syslog,andtheuser
authenticationservice
BetweenESX/ESXiandthirdpartymanagementtools,suchashardwaremonitoring,systems
management,andbackuptools
BetweenVirtualCenterandsupportingservices,suchastheVirtualCenterdatabaseandtheuser
authenticationservice
BetweenVirtualCenterandoptionaladdoncomponentssuchasVMwareUpdateManagerand
VMwareConverterEnterprise,iftheyareinstalledonseparateservers
VMotion.ThisinvolvestransferringtheliverunningstateofavirtualmachinefromoneESX/ESXihostto
another.
Storage.Thisincludesanynetworkbasedstorage,suchasiSCSIandNFS.
AllofthenetworksusedforthesecommunicationsprovidedirectaccesstocorefunctionalityofVMware
Infrastructure,ThemanagementnetworkprovidesaccesstotheVMwareInfrastructuremanagement
interfaceoneachcomponent,andanyremoteattackwouldmostlikelybeginwithgainingentrytothis
network.VMotiontrafficisnotencrypted,sotheentirestateofavirtualmachinecouldpotentiallybesnooped
fromthisnetwork.Finally,accesstothestoragenetworkpotentiallyallowssomeonetoreadthecontentsof
Security Hardening

virtualdisksresidingonsharedstorage.Therefore,allofthesenetworksshouldbeisolatedandstrongly
securedfromallothertraffic,especiallyanytrafficgoingtoandfromvirtualmachines.Theexceptionisifone
ofthecomponentslistedaboveactuallyrunsinavirtualmachine.Inthatcase,thisvirtualmachinenaturally
hasaninterfaceonthemanagementnetworkandthusshouldnothaveaninterfaceonanyothernetwork.
VMwarerecommendsthatyouisolatenetworksusingoneofthesemethods:
CreateaseparateVLANforeachnetwork.
Configurenetworkaccessforeachnetworkthroughitsownvirtualswitchandoneormoreuplinkports.
Ineithercase,youshouldconsiderusingNICteamingforthevirtualswitchestoprovideredundancy.
IfyouuseVLANs,youneedfewerphysicalNICstoprovidetheisolation,afactorthatisespeciallyimportant
inenvironmentswithconstrainedhardwaresuchasblades.VMwarevirtualswitchesarebydesignimmune
tocertaintypesofattacksthathavetraditionallytargetedVLANfunctionality.Fordetails,seethechapter
SecuringanESXServer3ConfigurationintheESXServer3ConfigurationGuide.Ingeneral,VMwarebelieves
thatVLANtechnologyismatureenoughthatitcanbeconsideredaviableoptionforprovidingnetwork
isolation.
ESX/ESXidoesnotsupportvirtualswitchportgroupsconfiguredtoVLAN1.Ifthephysicalswitchportto
whichtheESX/ESXihostisconnectedisconfiguredwithVLAN1,ESX/ESXidropsallpackets.Youcan
configuretheESX/ESXivirtualswitchportgroupswithanyvaluebetween2and4094.UtilizingVLAN1
causesadenialofservicebecauseESX/ESXidropsthistraffic.Itisrecommendedthatyoucheckthephysical
networkhardwareconfigurationtoverifytheportstowhichtheESX/ESXihostconnectsarenotconfiguredto
VLAN1.Inaddition,VLANID4095specifiesthattheportgroupshouldusetrunkmodeorVGTmode,which
allowstheguestoperatingsystemtomanageitsownVLANtags.Guestoperatingsystemstypicallydonot
managetheirVLANmembershiponnetworks,soifthisvalueisset,ensurethatthereisalegitimatereason
fordoingso.
IfyoudonotuseVLANs,eitherbecauseyouhavenoVLANsupportinyourenvironmentorbecauseyoudo
notconsiderVLANsstrongenoughforisolation,youcancombinethethreetypesofinfrastructurerelated
networksontotwoorfewervirtualswitches.However,youshouldstillkeepthevirtualmachinenetworks
separatefromtheinfrastructurenetworksbyusingseparatevirtualswitcheswithseparateuplinks.
Configure Encryption for Communication between Clients and ESX/ESXi
ClientsessionswiththeESX/ESXihostmaybeinitiatedfromanyVIAPIclient,suchasVIClient,
VirtualCenter,andtheRemoteCommandLineInterface.SSLencryptionprotectstheconnectionbetweenthe
VIClientandESX/ESXi,butthedefaultcertificatesusedtosecureyourVirtualCenterandVIWebAccess
sessionsarenotsignedbyatrustedcertificateauthorityand,therefore,donotprovidetheauthentication
securityyoumightneedinaproductionenvironment.Theseselfsignedcertificatesarevulnerableto
maninthemiddleattacks,andclientsreceiveawarningaboutthem.Ifyouintendtouseencryptedremote
connectionsexternally,considerpurchasingacertificatefromatrustedcertificateauthorityoruseyourown
securitycertificateforyourSSLconnections.Enablingcertificatecheckingandinstallationofnewcertificates
aredescribedinthechapterAuthenticationandUserManagementintheESXServer3ConfigurationGuide.
Label Virtual Networks Clearly
Labelallyourvirtualnetworksappropriatelytopreventconfusionorsecuritycompromises.Thislabeling
preventsoperatorerrorcausedbyattachingavirtualmachinetoanetworkitisnotauthorizedforortoa
networkthatcouldallowtheleakageofsensitiveinformation.
Do Not Create a Default Port Group
DuringESX/ESXiinstallation,youhavetheoptionofcreatingadefaultvirtualmachineport.However,this
optioncreatesavirtualmachineportgrouponthesamenetworkinterfaceastheserviceconsole.Ifthissetting
isleftunchanged,itcouldallowvirtualmachinestodetectsensitiveandoftenunencryptedinformation.
Becausetheserviceconsoleshouldalwaysbeonaseparate,privatenetwork,thisoptionshouldneverbeused
exceptinatestenvironment.
Security Hardening

Do Not Use Promiscuous Mode on Network Interfaces
ESX/ESXicanrunvirtualnetworkadaptersinpromiscuousmode.Youcanenablepromiscuousmodeon
virtualswitchesthatareboundtoaphysicalnetworkadapter(vmnic)andvirtualswitchesthatdonotbindto
aphysicalnetworkadapter(vmnet).Whenpromiscuousmodeisenabledforavmnicswitch,allvirtual
machinesconnectedtothevirtualswitchhavethepotentialofreadingallpacketssentacrossthatnetwork,
fromothervirtualmachinesaswellasanyphysicalmachinesorothernetworkdevices.Whenpromiscuous
modeisenabledforavmnetswitch,allvirtualmachinesconnectedtothevmnetswitchhavethepotentialof
readingallpacketsacrossthatnetworkthatis,trafficamongthevirtualmachinesconnectedtothatvmnet
switch.
Althoughpromiscuousmodecanbeusefulfortrackingnetworkactivity,itisaninsecuremodeofoperation
becauseanyadapterinpromiscuousmodehasaccesstopacketsregardlessofwhethersomeofthepackets
shouldbereceivedonlybyaparticularnetworkadapter.Thismeansthatanadministratororrootuserwithin
avirtualmachinecanpotentiallyviewtrafficdestinedforotherguestoperatingsystems.Youshoulduse
promiscuousmodeonlyforsecuritymonitoringforexample,foranIDSsystem,debugging,or
troubleshooting.
Bydefault,promiscuousmodeissettoReject.Youcanchangethisoptionbymodifyingthesecuritypolicyon
anindividualportgrouporontheentirevirtualswitch,asdescribedinthesectionLayer2SecurityPolicy
intheESXServer3ConfigurationGuide.Settingthispolicyperportgroupallowsyoutohaveoneormore
privilegedvirtualmachinesonaportgroupthatallowspromiscuousmode,whileotherportgroupsonthe
sameswitchdonotgrantthisprivilege.
Protect against MAC Address Spoofing
EachvirtualnetworkadapterinavirtualmachinehasitsowninitialMACaddressassignedwhentheadapter
iscreated.Inaddition,eachadapterhasaneffectiveMACaddressthatfiltersoutincomingnetworktraffic
withadestinationMACaddressdifferentfromtheeffectiveMACaddress.
Whenitiscreated,anetworkadapterseffectiveMACaddressandinitialMACaddressarethesame.
However,thevirtualmachinesoperatingsystemcanaltertheeffectiveMACaddresstoanothervalueatany
time.IfanoperatingsystemchangestheeffectiveMACaddress,itsnetworkadapterthenreceivesnetwork
trafficdestinedforthenewMACaddress.Theoperatingsystemcansendframeswithanimpersonatedsource
MACaddressatanytime.Thus,anoperatingsystemcanstagemaliciousattacksonthedevicesinanetwork
byimpersonatinganetworkadapterauthorizedbythereceivingnetwork.Youcanusevirtualswitchsecurity
profilesonESX/ESXihoststoprotectagainstthistypeofattackbysettingtwooptions,whichyoushouldset
foreachvirtualswitch:
MACaddresschangesBydefault,thisoptionissettoAccept,meaningthatESX/ESXiacceptsrequests
tochangetheeffectiveMACaddresstoavalueotherthantheinitialMACaddress.TheMACAddress
Changesoptionsettingaffectstrafficreceivedbyavirtualmachine.
ToprotectagainstMACimpersonation,youcansetthisoptiontoReject.Ifyoudo,ESX/ESXidoesnot
honorrequeststochangetheeffectiveMACaddresstoanythingotherthantheinitialMACaddress.
Instead,theportthatthevirtualadapterusedtosendtherequestisdisabled.Asaresult,thevirtual
adapterdoesnotreceiveanymoreframesuntilitchangestheeffectiveMACaddresstomatchtheinitial
MACaddress.TheguestoperatingsystemdoesnotdetectthattheMACaddresschangehasnotbeen
honored.
ForgedtransmissionsBydefault,thisoptionissettoAccept,meaningESX/ESXidoesnotcompare
sourceandeffectiveMACaddresses.TheForgedTransmitsoptionsettingaffectstraffictransmittedfrom
avirtualmachine.
IfyousetthisoptiontoReject,ESX/ESXicomparesthesourceMACaddressbeingtransmittedbythe
operatingsystemwiththeeffectiveMACaddressforitsadaptertoseeiftheymatch.Iftheaddressesdo
notmatch,ESX/ESXidropsthepacket.Theguestoperatingsystemdoesnotdetectthatitsvirtualnetwork
adaptercannotsendpacketsusingtheimpersonatedMACaddress.ESX/ESXiinterceptsanypacketswith
impersonatedaddressesbeforetheyaredelivered,andtheguestoperatingsystemmightassumethatthe
packetshavebeendropped.
Security Hardening

ItisrecommendedthatyousetbothoftheseoptionstoRejectformaximalsecurity.
Youcanalsosetthesesecuritypoliciesonaperportgroupbasis,whichletsyouoverridethevirtualswitch
settingforthatparticularportgroup.Ifyouneedtoconfigureadifferentpolicyforaparticularvirtual
machineforexample,ifyouhaveanintrusiondetectionvirtualappliancethatneedstomonitoralltrafficon
avirtualswitchyoucancreateaspecialportgroupforthis(andonlythis)virtualappliancewiththe
modifiedsettings.
Tolearnhowtheseoptionsareconfigured,seethesectionLayer2SecurityPolicyintheESXServer3
ConfigurationGuide.
Secure the ESX/ESXi Host Console
EvenifyouhavelockeddownESX/ESXitoprotectitfromattacksthatarriveoverthenetwork,anyonewith
accesstotheconsoleofthehostmightstillcauseproblems.Althoughphysicalharmtothehostcannotbe
prevented,itstillmightbepossible,forexample,toinfluencethehostsothatitbehavesimproperly,perhaps
inamannerthatishardtodetect.
ForESX3.5,whichrunsaserviceconsole,onewaytoguardagainstthisistousegrubpasswordstoprevent
usersfrombootingintosingleusermodeorpassingoptionstothekernelduringboot.Unlessthepasswordis
entered,theserverbootsonlythekernelwiththedefaultoptions.Formoreinformationongrubpasswords,
seetheGNUGrubManualathttp://www.gnu.org/software/grub/manual/html_node/index.html.This
techniquedoesnotapplytoESXi3.5,becausethereisnoserviceconsoleavailableattheconsoleofthehost.
Mask and Zone SAN Resources Appropriately
ZoningprovidesaccesscontrolinaSANtopology.Itdefineswhichhostbusadapters(HBAs)canconnectto
whichSANdeviceserviceprocessors.WhenaSANisconfiguredusingzoning,thedevicesoutsideazoneare
notvisibletothedevicesinsidethezone.Inaddition,SANtrafficwithineachzoneisisolatedfromtheother
zones.WithinacomplexSANenvironment,SANswitchesprovidezoning,whichdefinesandconfiguresthe
necessarysecurityandaccessrightsfortheentireSAN.
LUNmaskingiscommonlyusedforpermissionmanagement.LUNmaskingisalsoreferredtoasselective
storagepresentation,accesscontrol,andpartitioning,dependingonthevendor.LUNmaskingisperformed
atthestorageprocessororserverlevel.ItmakesaLUNinvisiblewhenatargetisscanned.Theadministrator
configuresthediskarraysoeachserverorgroupofserverscanseeonlycertainLUNs.Maskingcapabilities
foreachdiskarrayarevendorspecific,asarethetoolsformanagingLUNmasking.
YoushouldusezoningandLUNmaskingtosegregateSANactivity.Forexample,youmanagezonesdefined
fortestingindependentlywithintheSANsotheydonotinterferewithactivityintheproductionzones.
Similarly,youcouldsetupdifferentzonesfordifferentdepartments.Zoningmusttakeintoaccountanyhost
groupsthathavebeensetupontheSANdevice.
Secure iSCSI Devices through Authentication
OnemeansofsecuringiSCSIdevicesfromunwantedintrusionistorequirethattheESX/ESXihost,orinitiator,
beauthenticatedbytheiSCSIdevice,ortarget,wheneverthehostattemptstoaccessdataonthetargetLUN.
Thegoalofauthenticationistoprovethattheinitiatorhastherighttoaccessatarget,arightgrantedwhen
youconfigureauthentication.
YouhavetwochoiceswhenyousetupauthenticationforiSCSISANsontheESX/ESXihost:
ChallengeHandshakeAuthenticationProtocol(CHAP)YoucanconfiguretheiSCSISANtouse
CHAPauthentication.ESX/ESXisupportsonewayCHAPauthenticationforiSCSI.Itdoesnotsupport
bidirectionalCHAP.InonewayCHAPauthentication,thetargetauthenticatestheinitiator,butthe
initiatordoesnotauthenticatethetarget.Theinitiatorhasonlyonesetofcredentials,andalloftheiSCSI
targetsusethem.ESX/ESXisupportsCHAPauthenticationattheHBAlevelonly.Itdoesnotsupport
pertargetCHAPauthentication,whichenablesyoutoconfiguredifferentcredentialsforeachtargetto
achievegreatertargetrefinement.
Security Hardening

DisabledYoucanconfiguretheiSCSISANtousenoauthentication.Communicationsbetweenthe
initiatorandtargetareauthenticatedinarudimentaryway,becausetheiSCSItargetdevicesaretypically
setuptocommunicatewithspecificinitiatorsonly.
Choosingnottoenforcemorestringentauthenticationcanmakesenseifyoucreateadedicatednetworkor
VLANtoserviceallyouriSCSIdevices.BecausetheiSCSIfacilityisisolatedfromgeneralnetworktraffic,itis
lessvulnerabletoexploit.
ESX/ESXidoesnotsupportKerberos,SecureRemoteProtocol(SRP),orpublickeyauthenticationmethodsfor
iSCSI.Additionally,itdoesnotsupportIPsecauthenticationandencryption.
Forinformationonhowtodeterminewhetherauthenticationiscurrentlybeingperformedandtoconfigure
theauthenticationmethod,seethechapterSecuringanESXServer3ConfigurationintheESXServer3
ConfigurationGuide.
VirtualCenter
VirtualCenterprovidesapowerfulwaytomanageandcontrolyourVMwareInfrastructureenvironmentfrom
acentralpointandenablesmoresophisticatedoperationsthroughtoolsthatworkthroughitsSDK.Itis
extremelypowerfulandthereforeshouldbesubjecttothestrictestsecuritystandards.
Set Up the Windows Host for VirtualCenter with Proper Security
BecauseVirtualCenterrunsonaWindowshost,itisespeciallycriticaltoprotectthishostagainst
vulnerabilitiesandattacks.Thestandardsetofrecommendationsapplies,asitwouldforanyhost:install
antivirusagents,spywarefilters,intrusiondetectionsystems,andanyothersecuritymeasures.Makesureto
keepallsecuritymeasuresuptodate,includingapplicationofpatches.
ThepasswordthatVirtualCenterusestoaccessitsdatabaseisstoredintheWindowsregistryinanencoded
format.Althoughthepasswordcannotbereaddirectly,itisnotprotectedbyencryption,soyoushouldprotect
theregistryontheVirtualCenterhosttopreventunauthorizedaccesstotheVirtualCenterdatabase.
Ingeneral,youshouldhardenandlockdowntheVirtualCenterhostaccordingtoindustrystandard
configurationguides,suchastheDISASTIGorCISBenchmark.
Limit Administrative Access
VirtualCenterrunsasauserthatrequireslocaladministratorprivilegesandmustbeinstalledbyalocal
administrativeuser.Tolimitthescopeofadministrativeaccess,avoidusingtheWindowsAdministratoruser
torunVirtualCenterafteryouinstallit.Instead,useadedicatedVirtualCenteradministratoraccount.Toset
uptheadministrativeaccount,takethefollowingsteps:
1 CreatealocalaccountforanordinaryuserontheWindowshost.ThisistheaccounttheVirtualCenter
administratorshouldusetomanageVirtualCenter.
2 InVirtualCenter,logonastheWindowsAdministrator,thengrantVirtualCenterrootadministrator
accesstothenewlycreatedaccount
3 LogoutofVirtualCenter,thenmakesureyoucanlogintoVirtualCenterasthenewuserandthatthisuser
isabletoperformalltasksavailabletoaVirtualCenteradministrator
4 RemovethepermissionsinVirtualCenterforthelocalAdministratorsgroup.
Byconfiguringaccountsinthisway,youavoidautomaticallygivingadministrativeaccesstodomain
administrators,whotypicallybelongtothelocalAdministratorsgroup.Thisalsoprovidesawayoflogging
intoVirtualCenterwhenthedomaincontrollerisdown,becausethelocalVirtualCenteradministrator
accountdoesnotrequireremoteauthentication.
Security Hardening

Limit Network Connectivity to VirtualCenter
TheonlynetworkconnectionVirtualCenterrequiresistothemanagementnetworkdescribedinIsolate
VirtualMachineNetworksonpage 3.YoushouldavoidputtingtheVirtualCenterserveronanyother
network,suchasyourproductionorstoragenetwork.Specifically,VirtualCenterdoesnotneedaccesstothe
networkonwhichVMotiontakesplace.Bylimitingthenetworkconnectivity,youcutdownonthepossible
avenuesofattack.
Usethefollowingguidelinestolimitnetworkconnectivity:
Firewalls
YoushouldprotecttheVirtualCenterserverusingafirewall.Thisfirewallmaysitbetweentheclientsand
theVirtualCenterserver,orboththeVirtualCenterServerandtheclientsmaysitbehindthefirewall,
dependingonyourdeployment.Themainconsiderationisensuringthatafirewallispresentatwhatyou
considertobeanentrypointforthesystemasawhole.
UsefirewallstorestrictwhichsystemscanaccessVirtualCenterbyIPaddress.
FormoreinformationonthepossiblelocationsforfirewallsusedwithVirtualCenter,seethesection
FirewallsforConfigurationswithaVirtualCenterServerintheESXServer3ConfigurationGuide.
TCPandUDPportsformanagementaccess
NetworksconfiguredwithaVirtualCenterservercanreceivecommunicationsfromseveraltypesof
clients:theVIClient,VIWebAccess,asystemwiththeRemoteCLIoroneoftheVIToolkitsforscripting
installed,orthirdpartynetworkmanagementclientsthatusetheSDKtointeractwiththehost.During
normaloperation,VirtualCenterlistensondesignatedportsfordatafromthehostsitismanagingand
fromclients.VirtualCenteralsoassumesthatthehostsitismanaginglistenfordatafromVirtualCenter
ondesignatedports.Ifafirewallispresentbetweenanyofthesecomponents,youmustensurethatthe
appropriateportsareopentosupportdatatransferthroughthefirewall.
ThesectionTCPandUDPPortsforManagementAccessintheESXServer3ConfigurationGuidelistsall
thepredeterminedTCPandUDPportsusedformanagementaccesstoyourVirtualCenterserver,ESX
hosts,andothernetworkcomponents.Studythissectioncarefullytodeterminehowtoconfigureyour
firewallstomaintainmaximumsecuritywhilestillallowingrequiredmanagementoperations.
Use Proper Security Measures when Configuring the Database for VirtualCenter
YoushouldinstalltheVirtualCenterdatabaseonaseparateserverorvirtualmachineandsubjectittothesame
securitymeasuresasanyproductiondatabase.Youshouldalsocarefullyconfigurethepermissionsusedfor
accesstothedatabasetotheminimumnecessary.Usetheguidelinesappropriatetoyourdatabase.
MicrosoftSQLServer
Duringinstallationandupgrade,theVirtualCenteraccountmusthavetheDBOwnerrole.Duringnormal
operations,youmayfurtherrestrictpermissionstothefollowing:
Invoke/executestoredprocedures
Select,update,insert
Delete
Oracle
TheprivilegesrequiredfortheVirtualCenteraccountarelistedinthesectionPreparingthe
VirtualCenterServerDatabaseofthechapterInstallingVMwareInfrastructureManagementinthe
ESXServer3InstallationGuide.
NOTEYoumightnotbeabletoopenaVIClientremoteconsolewhenyournetworkisconfiguredsuch
thatafirewallusingNATstandsbetweentheESXhostandthecomputerrunningVIClient.SeeVMware
knowledgebasearticle749640(http://kb.vmware.com/kb/749640)foraworkaroundforthisissue.
Security Hardening

Enable Full and Secure Use of Certificate-based Encryption
Forenvironmentsthatrequirestrongsecurity,VMwarerecommendsthatadministratorsreplacealldefault
selfsignedcertificatesgeneratedatinstallationtimewithlegitimatecertificatessignedbytheirlocalroot
certificateauthorityorpublic,thirdpartycertificatesavailablefrommultiplepubliccertificateauthorities.You
shouldalsoenableservercertificateverificationonallVIClientinstallationsandtheVirtualCenterhost.This
involvesamodificationtotheWindowsregistryonallclienthosts.
ForbackgroundandinformationonreplacingVirtualCenterServercertificates,seethetechnicalnote
ReplacingVirtualCenterServerCertificates(http://www.vmware.com/vmtn/resources/658).For
informationonenablingservercertificateverificationforVIClientinstallations,includinghowtopretrust
certificatesandhowtomodifytheWindowsregistryforclienthosts,seeVMwareknowledgebasearticle
4646606(http://kb.vmware.com/kb/4646606).
Use VirtualCenter Custom Roles
Beginningwithversion2.0,VirtualCenterprovidesasophisticatedsystemofrolesandpermissions.These
rolesandpermissionsallowfinegraineddeterminationofauthorizationforadministrativeandusertasks,
basedonuserorgroupandinventoryitem,suchasclusters,resourcepools,andhosts.Youshouldtake
advantageofthissystemtoassurethatonlytheminimumnecessaryprivilegesareassignedtopeopleinorder
topreventunauthorizedaccessormodification.Somerecommendationsare:
Createrolesthatenableonlythenecessarytasks.Forexample,auserwhoisonlygoingtomakeuseofan
assignedvirtualmachinemightneedpermissiononlytopowerthemachineonoroff,andnotnecessarily
toattachaCDorfloppydevice.
Assignrolestoaslimitedascopeasnecessary.Forexample,youcangiveausercertainpermissionsona
resourcepoolinsteadofadiscretehost,andyoucanusefolderstocontainthescopeofaprivilege.
FormoreinformationonVirtualCenterroles,seethepaperManagingVirtualCenterRolesandPermissions
(http://www.vmware.com/resources/techresources/826).
Document and Monitor Changes to the Configuration
AlthoughmostofaVMwareInfrastructureenvironmentisdefinedbyinformationcontainedinthe
VirtualCenterdatabase,certainimportantconfigurationinformationresidesonlyontheVirtualCenterServer
hostslocalfilesystem.Thisincludesthemainconfigurationfilevpxd.cfg,variouslogfiles,and,implicitly,
theWindowsregistrysettingsthatpertaintoVirtualCenter.
Forcomplianceandauditing,itisimportantthatyouhavearecordoftheseconfigurationsovertime.One
convenientwaytocaptureeverythinginoneplaceistousetheGenerateVirtualCenterServerlogbundle
command,intheVMwareprogramfilemenuontheVirtualCenterhost.Thistoolisdesignedtocapture
informationtobeusedfortroubleshootinganddebugging,buttheresultingarchivefileservesasaconvenient
waytomaintainahistoricalrecord.
TheresultingZIParchiveincludesfilesthatcontainthevaluesofrelevantWindowsregistryentries,
configurationfilesforVirtualCenterandanyaddoncomponents,andlogfilesforVirtualCenter,thelicense
server,andanyaddoncomponents.Byperformingthistaskonaregularbasis,youcankeeptrackofall
changesthataffectyourVirtualCenterinstallation.
NOTEYouneedtoreplacethedefaultVirtualCenterServercertificatebeforeenablingservercertificate
verification.
Security Hardening

Ifyouwanttomonitorthelogfilesdirectly,useTable12todeterminewhichfilestowatch:
VirtualCenter Add-on Components
Beginningwithversion2.5,VirtualCenterincludesaframeworkthatenablesyoutoaddcomponentsto
VirtualCentertoextenditsfunctionality.Thesecomponentstypicallyrunasseparateservices,whichare
installedontheVirtualCenterserverorinsomecasesaonseparatehostorinavirtualmachine.Threeofthese
componentsarebundledwithVirtualCenter:
VMwareUpdateManager:managesandautomatespatchmanagementandtrackingofESXhostsand
virtualmachines,includingturnedoffvirtualmachinesandvirtualmachinetemplates
VMwareConverterEnterpriseforVirtualCenter:providesanintegratedsolutionformigratingboth
physicalandvirtualmachinestoVMwareInfrastructure.
VMwareGuidedConsolidation:automaticallydiscoversphysicalservers,helpsanalyzetheir
performance,andtriggerstheconversionofphysicaltovirtualmachinesplacedintelligentlyonasuitable
host.
VMware Update Manager
YoushouldconsiderVMwareUpdateManageranessentialcomponentofanyVMwareInfrastructure
deployment.Theabilitytomakesurethatcriticaloperatingsystempatchesareappliedtoallvirtualmachines,
especiallyofflinevirtualmachinesandtemplates,addressesoneofthemostimportantaspectsofsecurityina
virtualizedenvironment.Furthermore,theabilitytoautomatethepatchingofESXhostsgreatlyincreasesthe
likelihoodthatyouareprotectedagainstanyvulnerabilitiesthatmaybediscoveredforthisplatform.
InordertomaintainisolationoftheVirtualCenterhost,itisrecommendedthatyouinstallVMwareUpdate
Manageronaseparatehostorinavirtualmachine.ThishostneedstohaveaccesstotheVirtualCenterusing
theVIAPIinterface(availablebydefaultonTCPport443).Inthedefaultinstallation,thehostwhereyou
installVMwareUpdateManageralsoneedsaccesstotheInternetinordertodownloadpatchesandpatch
information.YoucanconfigureittouseaWebproxy,astepyoushouldtakeifaWebproxyisavailable.For
highestsecurity,youcaninstalltheUpdateManagerDownloadServiceonaseparateserver,andthepatches
andinformationthatitdownloadscanbetransferredmanuallytotheUpdateManagerhostforexample,
usingaUSBkeyorscheduled,securefiletransfer.ThisavoidshavingtheUpdateManagerhostitself
connectedtoanexternalnetwork.FormoreinformationoninstallingUpdateManagerandtheUpdate
ManagerDownloadService,seethechapterWorkingwithUpdateManagerintheUpdateManager
AdministrationGuide.
VMware Converter Enterprise
AswithUpdateManager,youshouldinstallConverteronaseparatesysteminordertomaintainisolationof
theVirtualCenterhost.ConverterandthesourcesystemneedaccesstoVirtualCenterusingtheVIAPI
interface(TCPport443bydefault)andtheVIAPIinterfaceofanydestinationESXhost.However,the
informationfromtheharddiskofthesourcesystemistransferredtothedestinationESXhostoverport902.
Inaddition,theConverterserverneedsaccesstoport139onthesourcesystem.
TheuseofConverterhasthepotentialforintroducingsomesecurityrisks.Whenmigratingphysicalorvirtual
machinestoVMwareInfrastructure,youruntheriskofimportingacompromisedorinfectedserver.Because
theimportoccurswithlittlemodificationtothesource,youcouldbeintroducingavulnerabilitydirectlyinto
yourenvironment.YoumightwanttoconsiderusingConverteronlyintestorstagingenvironments.
Table 12. Paths to Key VirtualCenter Log Files
Component Default path to file
VirtualCenter C:\Documents and Settings\All Users\Application Data\VMware\VMware
VirtualCenter\Logs\*
Webservercomponent
ofVirtualCenter
C:\Program Files\VMware\Infrastructure\VirtualCenter Server\tomcat\logs\*
Licensemanager C:\WINDOWS\Temp\lmgrd.log
Security Hardening

VMware Guided Consolidation
GuidedConsolidationautomatestheprocessofdiscoveringandanalyzingexistingservers(virtualor
physical)forsuitabilityofconversiontovirtualmachines,andchoosingthedestinationESXhostontowhich
tomigratethem.ItthenautomaticallyinvokesConvertertoperformtheactualmigrationprocess.
GuidedConsolidationisnotanoptionalcomponent,andyoucannotinstallitonaseparatehost.Itisalways
runningasaserviceontheVirtualCenterServerhost.GuidedConsolidationrequiresaccesstotheportsfor
WMI,Perfmon,andRemoteRegistryports135,137,138,139,and445.Theseportsmustbeopenonboththe
VirtualCenterhostandthetargetserver.TheGuidedConsolidationservicemustberunasauserwith
VirtualCenterAdministratorprivileges,aswellaswiththenecessaryWindowsprivilegestoqueryActive
Directoryforserversintheenvironment.Inaddition,administratorcredentialsarerequiredforeachtarget
systemtobeanalyzed,sothatperformancedatacanbecollectedfromthem.Youcanenteradefaultsetof
targetsystemcredentialsandoverridethisdefaultforindividualtargetsystemsthatmightdeviatefromthe
default.
TheGuidedConsolidationservicereliesonConvertertoimporttargetserver,soallrecommendationsfor
ConverterapplytoGuidedConsolidation,aswell.ItisrecommendedthatyounotuseGuidedConsolidation
inhighersecurityenvironments.
General Considerations
Withanyaddoncomponent,observethefollowing:
Hardenandlockdowntheserveronwhichthecomponentisinstalledaccordingtotheindustrybest
practicesforthehostsoperatingsystem.
ThesecomponentsoftenrequireyoutoprovidecredentialsofauseraccountwithfullVMware
Infrastructureadministratorprivileges.Toreduceexposureandhaveawayofrestrictingaccessincasea
problemisfound,createauniqueaccountforeachcomponent.Then,ifavulnerabilityorotherproblem
isdiscovered,youcanreduceoreliminateprivilegesonthataccountuntilthesituationisresolved.Donot
providethecredentialsoftheVirtualCenterhostsAdministratoraccountorofanactualuser.
Thesecomponentsusuallyhavetheirownlogfiles.Table13showsthelogfilesforthecomponentsthat
arebundledwithVirtualCenter:
Client Components
TherecommendationsinthissectionapplytoclientsthatconnecttoVirtualCenterorESX.
Restrict the use of Linux-based Clients
AlthoughSSLbasedencryptionisusedtoprotectedcommunicationbetweenclientcomponentsand
VirtualCenterorESX,theLinuxversionsofthesecomponentsdonotperformcertificatevalidation.Therefore,
evenifyouhavereplacedtheselfsignedcertificatesonVirtualCenterandESXwithlegitimatecertificates
signedbyyourlocalrootcertificateauthorityorathirdparty,communicationswithLinuxclientsarestill
vulnerabletomaninthemiddleattacks.ThecomponentsthatarevulnerablewhenrunningonLinuxinclude:
AnyRemoteCLIcommand
AnyVIPerlToolkitscript
Table 13. Paths to Log Files for Bundled VirtualCenter Components
Component Default path to file
VMwareUpdateManager C:\Documents and Settings\All Users\Application Data\VMware\VMware
Update Manager\Logs\*
VMwareEnterprise
Converter
C:\Documents and Settings\All Users\Application Data\VMware\VMware
Converter Enterprise\Logs\*
VMwareGuided
Consolidation
C:\Documents and Settings\All Users\Application Data\VMware\VMware
Capacity Planner\Logs\*
Security Hardening

VirtualmachineconsoleaccessinitiatedfromaLinuxbasedWebAccessbrowsersession
AnyprogramwrittenusingtheVISDK
ThemanagementinterfacesofVirtualCenterandESXshouldbeavailableonlyontrustednetworks,but
providingencryptionandcertificatevalidationaddextralayersofdefenseagainstanattack.Ifyouareableto
mitigateagainstsystemsonthemanagementnetworkinterposingthemselvesonnetworktraffic,orcantrust
thatsuchsystemswillnotappearonthenetwork,theuseofLinuxbasedclientswouldnotincreasethe
securityrisk.
Verify the Integrity of VI Client
Beginningwithversion2.5,VirtualCenterincludesaVIClientextensibilityframework,whichprovidesthe
abilitytoextendtheVMwareInfrastructureClient(VIClient)withmenuselectionsortoolbariconsthat
provideaccesstoVirtualCenteraddoncomponentsorexternal,Webbasedfunctionality.Withtheflexibility,
customization,andinnovationthatthisentails,thereisalsotheriskofintroducingVIClientcapabilitiesthat
werenotintended.Forexample,aplugincouldbesurreptitiouslyinstalledonanadministratorsVIClient
instance,thenexecutearbitrarycommandswiththeprivilegelevelofthatadministrator.Ifauserwithlowor
noprivilegesweretousesuchaclient,therewouldbenoaddedrisk,becausetheplugincaninteractwith
VirtualCenterorESXonlywiththepermissionsoftheuserrunningtheclient.
Theintegrityofclientsoftwareisacommonconcernacrossallclientserverplatformsinwhichtheclientcould
berunningonaninsecurehost,buttheVIClientextensibilityframeworkreducestheeffortneededto
compromisetheclientsoftware.Toprotectagainstsuchcompromises,usersofVIClient,especiallythosewith
powerfulprivileges,shouldnotinstallanypluginsthatdonotcomefromatrustedsource.Youcancheckto
seewhichpluginsareactuallyinstalledforagivenVIClientbygoingtothemenuitemPlugins>Manage
PluginsandclickingtheInstalledPluginstab.
Monitor the Usage of VI Client Instances
AlthoughactionsperformedwithinVIClientareloggedintheVirtualCenterEventstable,insomecasesyou
mightbeinterestedinknowingwhatoccurredontheclientside.Forexample,youmightwanttoknowthe
servertowhichtheclienthadrecentlyconnectedandwhichuseraccountwasused.VIClientmaintainslog
filesofitsactivitiesontheclientsystem,andyoucanretrieveandinspectorevenmonitorthemregularlyfor
specificevents.ThelogfilesarelocatedinvariousdirectoriesfoundunderthefolderC:\Documents and
Settings\<username>\Local Settings\Application Data\VMware.BecausetheVIClientplugin
frameworkallowsforcommunicationwithvariouscomponents,eachcouldpotentiallyhaveitsownsetof
logs.Forexample,thedirectoryvpxcontainslogsforinteractionwithVirtualCenter,andthedirectoryVMware
Converter Enterprise\LogscontainslogsforinteractionwiththeConverterEnterpriseserver.
Avoid the Use of Plain-Text Passwords
AnumberofscriptingframeworkscanbeusedtoconfigureandmonitoryourVMwareInfrastructure3
deployment.Inparticular,theVIPerlToolkitandtheRemoteCLIletyouruncommandsandscriptsfroma
remotesystemtomodifyVMwareInfrastructure3configurations,performactionssuchastakingsnapshots
ofvirtualmachinesorrebootinganESXhost,andmonitorperformanceandotherdata.
TheRemoteCLIisimplementedasaseriesofcommandswrittenusingtheVIPerlToolkit.BothRemoteCLI
commandsandVIPerlToolkitscriptsneedvalidcredentialsintheformofusernameandpasswordtowork
successfully.ThesecredentialsmustbeacceptedoneithertheVirtualCenterhostortheESXhost,depending
onwherethecommandisdirected.Notonlydoestheuserneedtobeauthenticated,buttheusermustalso
havesufficientprivilegestoexecutethespecificcommandortask.
Bothoftheseframeworksallowyoutospecifypasswordsinplaintextascommandlineoptions,ina
configurationfile,orasenvironmentvariables.However,useofplaintextpasswordspresentsasecurityrisk,
becausesomeonecouldreadpasswordsintheconfigurationfileitself,inshellhistoryfiles,inbackupfiles,or
inotherways.Whenrunningcommandsandscriptsinteractively,itisrecommendedthatyouavoid
specifyingthepasswordaheadoftime.Thecommandstypicallypromptyouforthepassword,whichisthen
notechoedtothescreenwhenyoutypeit.Ifyouusethisapproach,youavoidhavingthepasswordexiston
thefilesysteminplaintext.
Security Hardening

Ifyouneedtoruncommandsnoninteractivelyforexample,inscriptsyoushouldusesessionfiles.This
mechanismallowsyoutoprovideyourcredentialsonceinteractively.Thesystemthengeneratesafilethat
containsanauthenticationtoken.Thistokendoesnotcontainanypasswordinformation,anditremainsvalid
forupto30minutes.Thesessionfilemaybeusedinlieuofcredentialstoauthenticatecommands.Ascript
thatreferencesthesessionfilecanthenrunnoninteractively.
Becausethesessionfileauthenticatesanycommandthatreferencesit,itisimportantthatthisfileitselfbe
closelyguardedduringitslifetime.Itshouldbegeneratedonlyasneeded,thendeletedassoonasitisno
longerneeded.Makesurenottoinadvertentlyallowaccesstothisfilebyotherusers.
Formoreinformationontheuseofsessionfiles,seethesectionUsingRemoteCommandLineInterfacesin
theappendixoftheESXServer3iConfigurationGuide.
References
AccessingVMwareESXServer3securelyusingSSHandSUDO
http://www.xtravirt.com/index.php?option=com_remository&Itemid=75&func=startdown&id=10
BasicSystemAdministration
http://www.vmware.com/pdf/vi3_35/esx_3/r35/vi3_35_25_admin_guide.pdf
EnablingActiveDirectoryAuthenticationwithESXServer
http://www.vmware.com/vmtn/resources/582
EnablingServerCertificateVerificationforVirtualInfrastructureClients
http://kb.vmware.com/kb/4646606
ESXServer3ConfigurationGuide
http://www.vmware.com/pdf/vi3_35/esx_3/r35/vi3_35_25_3_server_config.pdf
ESXServer3iConfigurationGuide
http://www.vmware.com/pdf/vi3_35/esx_3i_e/r35/vi3_35_25_3i_server_config.pdf
ESXServer3InstallationGuide
http://www.vmware.com/pdf/vi3_35/esx_3/r35/vi3_35_25_installation_guide.pdf
ESXServer3iEmbeddedSetupGuide
http://www.vmware.com/pdf/vi3_35/esx_3i_e/r35/vi3_35_25_3i_setup.pdf
ESXServer3iInstallableSetupGuide
http://www.vmware.com/pdf/vi3_35/esx_3i_i/r35/vi3_35_25_3i_i_setup.pdf
GNUGrubManual
http://www.gnu.org/software/grub/manual/html_node/index.html
InstallingandConfiguringNTPonVMwareESXServer
RedHatLinuxSecurityGuide,Chapter4.WorkstationSecurity
http://www.redhat.com/docs/manuals/linux/RHL9Manual/securityguide/chwstation.html
ReplacingVirtualCenterCertificates
SudoMainPage
http://www.gratisoft.us/sudo
VirtualInfrastructureclientcannotopenRemoteConsolesession
VMwareESXServer:ThirdPartySoftwareintheServiceConsole
VMwareSecurityCenter
http://www.vmware.com/security
31
Security Hardening

If you have comments about this documentation, submit your feedback to: docfeedback@vmware.com
VMware, Inc. 3401 Hillview Ave., Palo Alto, CA 94304 www.vmware.com
Copyright 2008 VMware, Inc. All rights reserved. Protected by one or more of U.S. Patent Nos. 6,397,242, 6,496,847, 6,704,925, 6,711,672, 6,725,289, 6,735,601, 6,785,886,
6,789,156, 6,795,966, 6,880,022, 6,944,699, 6,961,806, 6,961,941, 7,069,413, 7,082,598, 7,089,377, 7,111,086, 7,111,145, 7,117,481, 7,149, 843, 7,155,558, 7,222,221, 7,260,815,
7,260,820, 7,269,683, 7,275,136, 7,277,998, 7,277,999, 7,278,030, 7,281,102, 7,290,253, and 7,356,679; patents pending. VMware, the VMware boxes logo and design,
Virtual SMP and VMotion are registered trademarks or trademarks of VMware, Inc. in the United States and/or other jurisdictions. All other marks and names mentioned
herein may be trademarks of their respective companies.
Revision 20080708 Item: BP-012-PRD-02-01
About the Author
CharuChaubalisaseniorarchitectinthetechnicalmarketingdepartmentatVMware.Hisareasofexpertise
includevirtualizationsecurityandvirtualinfrastructuremanagement.ChaubalreceivedaBachelorofScience
inEngineeringfromtheUniversityofPennsylvaniaandaPh.D.fromtheUniversityofCaliforniaatSanta
Barbara,wherehestudiedthenumericalmodelingofcomplexfluids.Previously,heworkedatSun
Microsystems,wherehehadmorethansevenyearsexperiencewithdesigninganddevelopingdistributed
resourcemanagementandgridinfrastructuresoftwaresolutions.Heistheauthorofnumerouspublications
andseveralpatentsinthefieldsofdatacenterautomationandnumericalpriceoptimization.
Acknowledgements
TheauthorwouldliketothankBradHarris,KirkLarsen,RobRandell,BrianCoskerSwerkske,andPetr
Vandrovecfortheirvaluablecontributions.

Vi35 Security Hardening WP

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Vi35 Security Hardening WP

Uploaded by

Copyright:

Available Formats

Best Practices

Copyright 2008 VMware, Inc. All rights reserved. 1

You might also like