Virtual Machines Therecommendationsinthissectionapplytothewayyouconfigurevirtualmachinesandthewaysyou interactwithvirtualmachines. Secure Virtual Machines as You Would Secure Physical Machines Akeytounderstandingthesecurityrequirementsofavirtualizedenvironmentistherecognitionthatavirtual machineis,inmostrespects,theequivalentofaphysicalserver.Hencetheguestoperatingsystemthatruns inthevirtualmachineissubjecttothesamesecurityrisksasaphysicalsystem.Therefore,itiscriticalthatyou employthesamesecuritymeasuresinvirtualmachinesthatyouwouldforphysicalservers. Ensurethatantivirus,antispyware,intrusiondetection,andotherprotectionareenabledforeveryvirtual machineinyourvirtualinfrastructure.Makesuretokeepallsecuritymeasuresuptodate,includingapplying appropriatepatches.Itisespeciallyimportanttokeeptrackofupdatesfordormantvirtualmachinesthatare poweredoff,becauseitcouldbeeasytooverlookthem. Disable Unnecessary or Superfluous Functions Bydisablingunnecessarysystemcomponentsthatarenotneededtosupporttheapplicationorservice runningonthesystem,youreducethenumberofpartsthatcanbeattacked.Someofthesestepsinclude: Disableunusedservicesintheoperatingsystem.Forexample,ifthesystemrunsafileserver,makesure toturnoffanyWebservices. Disconnectunusedphysicaldevices,suchasCD/DVDdrives,floppydrives,andUSBadapters.Thisis describedinthesectionRemovingUnnecessaryHardwareDevicesintheESXServer3Configuration Guide. Turnoffanyscreensavers.IfusingaLinux,BSD,orSolarisguestoperatingsystem,donotruntheX Windowsystemunlessitisnecessary. Take Advantage of Templates Bycapturingahardenedbaseoperatingsystemimage(withnoapplicationsinstalled)inatemplate,youcan ensurethatallyourvirtualmachinesarecreatedwithaknownbaselinelevelofsecurity.Youcanthenusethis templatetocreateother,applicationspecifictemplates,oryoucanusetheapplicationtemplatetodeploy virtualmachines.Makesuretokeeppatchesandsecuritymeasuresuptodateintemplates.InVMware Infrastructure3,youcanconvertatemplatetoavirtualmachineandbackagainquickly,whichmakes updatingtemplatesquiteeasy.VMwareUpdateManageralsoprovidestheabilitytopatchtheoperating systemandcertainapplicationsinatemplateautomatically,thusensuringthattheyremainuptodate. Prevent Virtual Machines from Taking Over Resources ByusingtheresourcemanagementcapabilitiesofESX/ESXi,suchassharesandlimits,youcancontrolthe serverresourcesthatavirtualmachineconsumes.Youcanusethismechanismtopreventadenialofservice thatcausesonevirtualmachinetoconsumesomuchofthehostsresourcesthatothervirtualmachinesonthe samehostcannotperformtheirintendedfunctions.Bydefault,allvirtualmachinesonanESX/ESXihostshare theresourcesequally.Bearinmind,however,thatavirtualmachinethatexhibitsunusualmemoryandstorage accesspatternsmightstillhavethepotentialtocauseperformancedegradationonothervirtualmachines.It isrecommendedthatyoumonitorallvirtualmachinesforunusualorunexpectedperformancetobeawareof suchsituations. Copyright 2008 VMware, Inc. All rights reserved. 3 Security Hardening
Isolate Virtual Machine Networks Althoughthevirtualhardwareofonevirtualmachineisisolatedfromthatofothervirtualmachines,virtual machinesalsoaretypicallyconnectedtosharednetworks.Anyvirtualmachineorgroupofvirtualmachines connectedtoacommonnetworkcancommunicateacrossthosenetworklinksandcan,therefore,stillbethe targetofnetworkattacksfromothervirtualmachinesonthenetwork.Asaresult,youshouldapplynetwork bestpracticestohardenthenetworkinterfacesofvirtualmachinesConsiderisolatingsetsofvirtualmachines ontheirownnetworksegmentstominimizetherisksofdataleakagefromonevirtualmachinezonetothe nextacrossthenetwork. Networksegmentationmitigatestheriskofseveraltypesofnetworkattacks,includingAddressResolution Protocol(ARP)addressspoofing,inwhichanattackermanipulatestheARPtabletoremapMACandIP addressestoredirectnetworktraffictoandfromagivenhosttoanotherunintendeddestination.Attackersuse ARPspoofingtogeneratedenialsofservice,hijackthetargetsystem,andotherwisedisruptthevirtual network. Segmentationhastheaddedbenefitofmakingcomplianceauditsmucheasier,becauseitgivesyouaclear viewofwhichvirtualmachinesarelinkedbyanetwork. Youcanimplementsegmentationusingeitheroftwoapproaches,eachofwhichhasitsownbenefits: Useseparatephysicalnetworkadaptersforvirtualmachinezonesbycreatingseparatevirtualswitches foreachone.Maintainingseparatephysicalnetworkadaptersforvirtualmachinezonesislessproneto misconfigurationafteryouinitiallycreatesegments. Setupvirtuallocalareanetworks(VLANs)tohelpsafeguardyournetwork.BecauseVLANsprovide almostallofthesecuritybenefitsinherentinimplementingphysicallyseparatenetworkswithoutthe hardwareoverhead,theyofferaviablesolutionthatcansaveyouthecostofdeployingandmaintaining additionaldevices,cabling,andsoforth,whilealsoallowingforredundancyoptions. FormoreinformationonusingVLANswithvirtualmachines,seethesectionSecuringVirtualMachineswith VLANsintheESXServer3ConfigurationGuide. Minimize Use of the VI Console TheVIConsoleallowsyoutoconnecttotheconsoleofavirtualmachine,ineffectseeingwhatamonitorona physicalserverwouldshow.However,theVIConsolealsoprovidespowermanagementandremovable deviceconnectivitycontrols,whichcouldpotentiallyallowamalicioususertobringdownavirtualmachine. Inaddition,italsohasaperformanceimpactontheserviceconsole,especiallyifmanyVIConsolesessionsare opensimultaneously.InsteadofVIConsole,usenativeremotemanagementservices,suchasterminalservices andssh,tointeractwithvirtualmachines. Copyright 2008 VMware, Inc. All rights reserved. 4 Security Hardening
Virtual Machine Files and Settings Virtualmachinesareencapsulatedinasmallnumberoffiles.Oneoftheimportantistheconfigurationfile (.vmx),whichgovernsthebehaviorofthevirtualhardwareandothersettings.Youcanviewandmodifythe configurationsettingsbyviewingthe.vmxfiledirectlyinatexteditororbycheckingthesettingsintheVI Client,usingthefollowingprocedure: 1 Choosethevirtualmachineintheinventorypanel. 2 ClickEditsettings.ClickOptions>Advanced/General. 3 ClickConfigurationParameterstoopentheConfigurationParametersdialogbox. WhetheryouchangeavirtualmachinessettingsintheVIClientorusingatexteditor,youmustrestartthe virtualmachineformostchangestotakeeffect. Avirtualmachinealsoincludesoneormore.vmdkfiles,whichrepresentthevirtualdisksusedbytheguest operatingsystem. Thefollowingsectionsprovideguidelinesyoushouldobservewhendealingwiththeseandothervirtual machinefiles. Disable Copy and Paste Operations Between the Guest Operating System and Remote Console WhenVMwareToolsrunsinavirtualmachine,bydefaultyoucancopyandpastebetweentheguestoperating systemandthecomputerwheretheremoteconsoleisrunning.Assoonastheconsolewindowgainsfocus, nonprivilegedusersandprocessesrunninginthevirtualmachinecanaccesstheclipboardforthevirtual machineconsole.Ifausercopiessensitiveinformationtotheclipboardbeforeusingtheconsole,the userperhapsunknowinglyexposessensitivedatatothevirtualmachine.Itisrecommendedthatyou disablecopyandpasteoperationsfortheguestoperatingsystembycreatingtheparametersshowninTable1. Limit Data Flow from the Virtual Machine to the Datastore Virtualmachinescanwritetroubleshootinginformationtoavirtualmachinelogfile(vmware.log)storedon theVMwareVMFSvolumeusedtostoreotherfilesforthevirtualmachine.Virtualmachineusersand processescanbeconfiguredtoabusetheloggingfunction,eitherintentionallyorinadvertently,sothatlarge amountsofdatafloodthelogfile.Overtime,thelogfilecanconsumesomuchoftheESX/ESXihostsfile systemspacethatitfillstheharddisk,causinganeffectivedenialofserviceasthedatastorecannolonger acceptnewwrites. Topreventthisproblem,considermodifyingtheloggingsettingsforvirtualmachines.Youcanusethese settingstolimitthetotalsizeandnumberoflogfiles.Normallyanewlogfileiscreatedonlywhenahostis rebooted,sothefilecangrowtobequitelarge,butyoucanensurenewlogfilesarecreatedmorefrequently bylimitingthemaximumsizeofthelogfiles.Ifyouwanttorestrictthetotalsizeofloggingdata,VMware recommendssaving10logfiles,eachonelimitedto100KB.Thesevaluesaresmallenoughthatthelogfiles shouldnotconsumeanundueamountofdiskspaceonthehost,yettheamountofdatastoredshouldcapture sufficientinformationtodebugmostproblems. Table 1. Configuration Settings to Disable Copy and Paste Name Value isolation.tools.copy.disable true isolation.tools.paste.disable true isolation.tools.setGUIOptions.enable false Copyright 2008 VMware, Inc. All rights reserved. 5 Security Hardening
Eachtimeanentryiswrittentothelog,thesizeofthelogischecked,andifitisoverthelimit,thenextentry iswrittentoanewlog.Ifthemaximumnumberoflogfilesalreadyexists,whenanewoneiscreated,theoldest logfileisdeleted.Adenialofserviceattackthatavoidstheselimitscouldbeattemptedbywritingan enormouslogentry,buteachlogentryislimitedto4KB,sonologfilesareevermorethan4KBlargerthanthe configuredlimit.Table2showswhichparameterstosetandtheirrecommendedvalues: Asecondoptionistodisableloggingforthevirtualmachine.Disablingloggingforavirtualmachinemakes troubleshootingchallengingandsupportdifficult,soyoushouldnotconsiderdisablingloggingunlessthelog filerotationapproachprovesinsufficient.Todisablelogging,settheparametershowninTable3. Disablinglogginginthismannerdoesnotcompletelydisableallloggingmessages.TheVMXprocess,which runsontheESXhostandispartlyresponsibleforprovidingvirtualizationservicesforthevirtualmachine, continuestowriteloggingmessagestothevirtualmachinelogfile.However,thevolumeofmessagesfrom thissourceisverylowandcannotbeexploitedfromwithinthevirtualmachine,soitisnotnormally consideredapotentialsourceofdataflooding. Ifyouneverthelesswanttopreventallformsoflogging,youcandisableallmessagesbysettingtheparameter showninTable4.Howeverthisisnotrecommendedinanormalproductionenvironment. Inadditiontologging,guestoperatingsystemprocessescansendinformationalmessagestotheESX/ESXi hostthroughVMwareTools.Thesemessages,knownassetinfomessages,arewrittentothevirtualmachines configurationfile(.vmx).Theytypicallycontainnamevaluepairsthatdefinevirtualmachinecharacteristics oridentifiersthatthehoststoresforexample,ipaddress=10.17.87.224.Asetinfomessagehasno predefinedformatandcanbeanylength.Therefore,theamountofdatapassedtothehostinthiswayis unlimited.AnunrestricteddataflowprovidesanopportunityforanattackertostageaDOSattackbywriting softwarethatmimicsVMwareToolsandfloodingthehostwithpackets,thusconsumingresourcesneededby thevirtualmachines. Topreventthisproblem,theconfigurationfilecontainingthesenamevaluepairsislimitedtoasizeof1MB. This1MBcapacityshouldbesufficientformostcases,butyoucanchangethisvalue,ifnecessary.Youmight increasethisvalueiflargeamountsofcustominformationarebeingstoredintheconfigurationfile. TomodifytheGuestInfofilememorylimit,setthetools.setInfo.sizeLimitparameterinthe.vmxfile. Thedefaultlimitis1MB,andthislimitisappliedevenwhenthesizeLimitparameterisnotlistedinthe.vmx file.TheexampleinTable5setsthesizelimitto1MB. Table 2. Configuration Settings to Limit Log File Size and Number of Log Files Name Recommended Value log.rotateSize 100000 log.keepOld 10 Table 3. Configuration Setting to Disable Virtual Machine Logging Name Recommended Value Isolation.tools.log.disable true Table 4. Configuration Setting to Disable Virtualization Service Logging Name Recommended Value logging false Table 5. Configuration Setting to Limit Size of GuestInfo File Name Recommended Value tools.setInfo.sizeLimit 1048576 Copyright 2008 VMware, Inc. All rights reserved. 6 Security Hardening
Youmayalsoentirelypreventguestoperatingsystemsfromwritinganynamevaluepairstotheconfiguration file,usingthesettinginTable6.Thisisappropriatewhenguestoperatingsystemsmustbepreventedfrom modifyingconfigurationsettings. Do Not Use Nonpersistent Disks Thesecurityissuewithnonpersistentdiskmodeisthatattackersmayundoorremoveanytracesthatthey wereeveronthemachinewithasimpleshutdownorreboot.Oncethevirtualmachinehasbeenshutdown, thevulnerabilityusedtoaccessthevirtualmachinewillstillbepresent,andtheattackersmayaccessthe virtualmachineinthefutureatatimeoftheirchoice.Thedangeristhatadministratorsmayneverknowif theyhavebeenattackedorhacked.Tosafeguardagainstthisrisk,youshouldusenonpersistentdiskmode onlyfortestanddevelopmentvirtualmachines.Youshouldsetproductionvirtualmachinestousepersistent diskmodeonly.Toverify,makesurethattheparameterscsiX:Y.modeisnotpresent,whereXandYaresingle digits,orthatifitispresent,thevalueisnotindependent-nonpersistent.Youcanconfigurethisoptionin theVIClientforeachindividualdiskonavirtualmachine.Youcanmakechangesonlywhenthevirtual machineisnotpoweredon.Toreviewandmodifythesesettings: 1 LogintotheVIClientandchoosetheserverfromtheinventorypanel. Thehardwareconfigurationpagefortheserverappears. 2 Expandtheinventoryasneededandchoosethevirtualmachineyouwanttocheck. 3 ClicktheEditSettingslinkintheCommandspaneltodisplaytheVirtualMachinePropertiesdialogbox. 4 ClicktheHardwaretab. 5 ClicktheappropriateharddiskinHardwarelist. Ensure Unauthorized Devices are Not Connected Besidesdisablingunnecessaryvirtualdevicesfromwithinthevirtualmachine,youshouldensurethatno deviceisconnectedtoavirtualmachineifitdoesnotneedtobethere.Forexample,serialandparallelports arerarelyusedforvirtualmachinesinadatacenterenvironment,andCD/DVDdrivesareusuallyconnected onlytemporarilyduringsoftwareinstallation. Forlesscommonlyuseddevices,Table7showsthe.vmxparametersthatspecifywhetherthedeviceis availableforavirtualmachinetouse.Ifthedeviceisnotneeded,eithertheparametershouldnotbepresent oritsvaluemustbeFALSE.TheparameterslistedinTable7arenotsufficienttoensurethatadeviceisusable, becauseotherparametersareneededtoindicatespecificallyhoweachdeviceisinstantiated. Prevent Unauthorized Removal or Connection of Devices Normalusersandprocessesthatisusersandprocesseswithoutrootoradministratorprivilegeswithin virtualmachineshavethecapabilitytoconnectordisconnectdevices,suchasnetworkadaptersandCDROM drives. Table 6. Configuration Setting to Prevent Writing SetInfo Data to Configuration File Name Value isolation.tools.setinfo.disable true Table 7. Configuration Parameters that Specify Certain Devices Device Configuration file parameter (where <x> is an integer 0 or greater) Floppydrive floppy<X>.present Serialport serial<X>.present Parallelport parallel<X>.present Copyright 2008 VMware, Inc. All rights reserved. 7 Security Hardening
Forexample,bydefault,arogueuserwithinavirtualmachinecan: ConnectadisconnectedCDROMdriveandaccesssensitiveinformationonthemedialeftinthedrive Disconnectanetworkadaptertoisolatethevirtualmachinefromitsnetwork,whichisadenialofservice Ingeneral,youshouldusethevirtualmachinesettingseditororConfigurationEditortoremoveany unneededorunusedhardwaredevices.However,youmaywanttousethedeviceagain,soremovingitisnot alwaysagoodsolution.Inthatcase,youcanpreventauserorrunningprocessinthevirtualmachinefrom connectingordisconnectingadevicefromwithintheguestoperatingsystembyaddingtheparametershown inTable8. Avoid Denial of Service Caused by Virtual Disk Modification Operations Shrinkingavirtualdiskreclaimsunusedspaceinthevirtualdisk.Ifthereisemptyspaceinthedisk,this processreducestheamountofspacethevirtualdiskoccupiesonthehostdrive.Normalusersand processesthatisusersandprocesseswithoutrootoradministratorprivilegeswithinvirtualmachineshave thecapabilitytoinvokethisprocedure.However,ifthisisdonerepeatedly,thevirtualdiskcanbecome unavailable,effectivelycausingadenialofservice.Inmostdatacenterenvironments,diskshrinkingisnot done,soyoushoulddisablethisfeaturebysettingtheparameterslistedinTable9. Specify the Guest Operating System Correctly Choosingthecorrectguestoperatingsystemintheconfigurationforeachvirtualmachineisimportant.ESX optimizescertaininternalconfigurationsonthebasisofthischoice.Thecorrectguestoperatingsettingcanaid thechosenoperatingsystemgreatlyandmaycausesignificantperformancedegradationifthereisamismatch betweenthesettingandtheoperatingsystemactuallyrunninginthevirtualmachine.Theperformance degradationmaybesimilartorunninganunsupportedoperatingsystemonESX.Choosingthewrongguest operatingsystemisnotlikelytocauseavirtualmachinetorunincorrectly,butitcoulddegradethevirtual machinesperformance. TheparameterthatspecifiestheguestoperatingsystemisguestOS.Verifythatthespecifiedoperatingsystem andmatchestheoperatingsystemactuallyrunninginthevirtualmachine,whichyoucandetermineby checkingthevirtualmachinedirectly. Verify Proper File Permissions for Virtual Machine Files Besurepermissionsforthevirtualmachinesfilesaresetaccordingtotheguidelinesinthissection. Permissionsfortheconfigurationfile(.vmx),shouldberead,write,execute(rwx)forowner,andreadand execute(r-x)forgroup(755).Permissionsforthevirtualmachinesvirtualdisk(.vmdk)shouldbereadand write(rw-)forowner(600).Forallofthesefiles,boththeuserandgroupshouldberoot. Configuring the Service Console in ESX 3.5 Whetheryouuseamanagementclientorthecommandline,allconfigurationtasksforESX3.5areperformed throughtheserviceconsole,includingconfiguringstorage,controllingaspectsofvirtualmachinebehavior, andsettingupvirtualswitchesorvirtualnetworks.Aswithanintelligentplatformmanagementinterface (IPMI)orserviceprocessoronaphysicalserver,someoneloggedintotheserviceconsolewithprivileged permissionshastheabilitytomodify,shutdown,orevendestroyvirtualmachinesonthathost.Thedifference isthat,insteadofasinglephysicalserver,thiscanaffectmanyvirtualmachines.AlthoughESX3.5 Table 8. Configuration Setting to Prevent Device Removal or Connection Name Value Isolation.tools.connectable.disable true Table 9. Configuration Settings to Prevent Virtual Disk Shrinking Name Value isolation.tools.diskWiper.disable True isolation.tools.diskShrink.disable True Copyright 2008 VMware, Inc. All rights reserved. 8 Security Hardening
managementclientsuseauthenticationandencryptiontopreventunauthorizedaccesstotheserviceconsole, otherservicesmightnotofferthesameprotection.Ifattackersgainaccesstotheserviceconsole,theyarefree toreconfiguremanyattributesoftheESXhost.Forexample,theycouldchangetheentirevirtualswitch configurationorchangeauthorizationmethods.BecausetheserviceconsoleisthepointofcontrolforESX, safeguardingitfrommisuseiscrucial. Configure the Firewall for Maximum Security ESX3.5includesafirewallbetweentheserviceconsoleandthenetwork.Bydefault,theserviceconsole firewallisconfiguredatahighsecuritysetting,withbothincomingandoutgoingtrafficblockedbydefault exceptforalimitedsetofportsusedbyservicesthatareenabled.Thefirewallcontainsalistofknownservices forwhichtheappropriateincomingandoutgoingportsareknown,anditautomaticallyopensportsfor enabledservicesandclosesthemwhenaserviceisdisabled.Thissectionliststheservicesthatareenabledby defaultwhenyouinstallESX3.5.YoucanseethelistofcurrentlyenabledservicesonanESXhostandthe associatedportsintheVIClient: 1 Choosethehost. 2 ClicktheConfigurationtab,thenchoosetheSecurityProfileitemundertheSoftwareheading. 3 ClickFirewallProperties. Itisbesttoleavethedefaultsecurityfirewallsettings,whichblockallincomingandoutgoingtrafficthatisnot associatedwithanenabledservices,thenusethefirewallsbuiltinserviceregistrytoenableanddisable services.Ifyouhaveaparticularserviceoragentthatisnotpartofthebuiltinlist,youcanopenindividual portsusingtheserviceconsolecommandesxcfg-firewall.Ifyoudoopenports,makesuretodocumentthe changes,includingthepurposeforopeningeachport.Formoreinformationonhowtousethe esxcfg-firewallcommand,seethesectionChangingtheServiceConsoleSecurityLevelintheESXServer 3ConfigurationGuideortypeman esxcfg-firewallonthecommandline. Limit the Software and Services Running in the Service Console AlthoughtheserviceconsoleisbasedonLinuxandiscapableofrunningmostLinuxbasedsoftware,you shouldavoidrunninganyadditionalsoftwareorservicesinsideitwhereverpossible.Eachadditional componentthatisrunningrepresentsanadditionalattackvectorandalsoincreasesthepotentialfor misconfiguration.Foranyservicethatyourunintheserviceconsole,considerwhetheritisreallyneededand whethertheequivalentfunctionalitycanbeprovidedbyanexternalagentthatcommunicateswiththeESX hostusingthestandardbuiltinAPIs. TheservicesthatareonbydefaultintheESX3.5serviceconsoleandtheportstheyusearedescribedinTable 10.Thesecondcolumnofthetableshowsthestringusedtoidentifytheservicewhenusingthe esxcfg-firewallcommandforexamplewhenrunningesxcfg-firewall --querytoshowthecurrent status.Thetablealsoindicateswhenitisappropriatetodisableaservice.Forexample,ifyouarenotusing NFStomountnetworksharesintheserviceconsole,youshoulddisablethisservice.ConfiguretheFirewall forMaximumSecurityonpage 8describeshowtousetheVIClienttoviewwhichservicesareenabled.You canusethesamepropertiesdialogboxtodisableservicesaswellasviewthem. Table 10. Default Services in the ESX 3.5 Service Console Service Identification in esxcfg-firewall command Port Traffic Type When to disable CIMService Location Protocol CIMSLP 427 Incomingand outgoingUDPand TCP IfnotusingCIMbasedsoftwarefor monitoringormanagement NFSclient nfsClient 111,2049 OutgoingTCPand UDP IfnotmountingNFSbasedstoragein theserviceconsole VMware Consolidated Backup VCB 443,902 OutgoingTCP IfnotusingVCBforbackup Copyright 2008 VMware, Inc. All rights reserved. 9 Security Hardening
Additionalsoftwarethatmightrunintheserviceconsoleincludesmanagementagentsandbackupagents. Althoughthissoftwaremighthavealegitimatepurpose,themorecomponentsyouhaverunninginthe serviceconsole,themorepotentialobjectsaresusceptibletosecurityvulnerabilities.Inaddition,these componentsoftenrequirespecificnetworkportstobeopeninordertofunction,thusfurtherincreasingthe avenuesofattack. Formoreinformationandrecommendationsonrunningthirdpartysoftwareintheserviceconsole,see http://www.vmware.com/vmtn/resources/516. Use VI Client and VirtualCenter to Administer the Hosts Instead of Service Console Thebestmeasuretopreventsecurityincidentsintheserviceconsoleistoavoidaccessingitifatallpossible. YoucanperformmanyofthetasksnecessarytoconfigureandmaintaintheESXhostusingtheVIClient,either connecteddirectlytothehostor,betteryet,goingthroughVirtualCenter.TheVIClientcommunicatesusing awelldefinedAPI,whichlimitswhatcanbedone.Thisissaferthandirectexecutionofarbitrarycommands. GoingthroughVirtualCenterhastheaddedbenefitthatauthorizationandauthenticationareperformedvia yourstandardcentralActiveDirectoryservice,insteadofusingspeciallocalaccountsintheserviceconsole. Inaddition,rolesandusersarestoredinadatabase,providinganeasywaytoviewthecurrentpermissions aswellastakeasnapshotofthem.VirtualCenteralsokeepstrackofeverytaskinvokedthroughit,providing anautomaticaudittrail. Anotheralternativeistousearemotescriptinginterface,suchastheVIPerlToolkitortheremotecommand lineinterface(RemoteCLI).TheseinterfacesarebuiltonthesameAPIthatVIClientandVirtualCenteruse, soanyscriptusingthemautomaticallyenjoysthesamebenefitsofauthentication,authorization,andauditing. InESX3.5,someadvancedtasks,suchasinitialconfigurationforpasswordpolicies,cannotbeperformedvia theVIClient.Forthesetasks,youmustlogintotheserviceconsole.Also,ifyouloseyourconnectiontothe host,executingcertainofthesecommandsthroughthecommandlineinterfacemaybeyouronly recourseforexample,ifthenetworkconnectionfailsandyouarethereforeunabletoconnectusingVIClient. ThesetasksaredescribedinAppendixAoftheESXServer3ConfigurationGuide. Use a Directory Service for Authentication AdvancedconfigurationandtroubleshootingofanESXhostmayrequirelocalprivilegedaccesstotheservice console.Forthesetasks,youshouldsetupindividualhostlocalizeduseraccountsandgroupsforthefew administratorswithoverallresponsibilityforyourvirtualinfrastructure.Ideally,theseaccountsshould correspondtorealindividualsandnotbeaccountssharedbymultiplepeople.Althoughyoucancreateonthe CIMoverHTTP CIMHttpServer 5988 IncomingTCP IfnotusingCIMbasedsoftwarefor monitoringormanagement CIMover HTTPS CIMHttpsServer 5989 IncomingTCP IfnotusingCIMbasedsoftwarefor monitoringormanagement Licensing LicenseClient 27000,27010 OutgoingTCP Ifusingonlyhostbasedlicensing SSHServer sshServer 22 IncomingTCP Ifallmanagementisdonevia VirtualCenter,VIClient,orother remotemeans VirtualCenter Agent vpxHeartbeats 902 OutgoingUDP IfnotmanagedbyVirtualCenter VIAPI n/a 443 Incomingand outgoingTCP Mustalwaysbeavailable Secureaccess redirect n/a 80 IncomingTCP Mustalwaysbeavailable Table 10. Default Services in the ESX 3.5 Service Console Service Identification in esxcfg-firewall command Port Traffic Type When to disable Copyright 2008 VMware, Inc. All rights reserved. 10 Security Hardening
If you have comments about this documentation, submit your feedback to: docfeedback@vmware.com VMware, Inc. 3401 Hillview Ave., Palo Alto, CA 94304 www.vmware.com Copyright 2008 VMware, Inc. All rights reserved. Protected by one or more of U.S. Patent Nos. 6,397,242, 6,496,847, 6,704,925, 6,711,672, 6,725,289, 6,735,601, 6,785,886, 6,789,156, 6,795,966, 6,880,022, 6,944,699, 6,961,806, 6,961,941, 7,069,413, 7,082,598, 7,089,377, 7,111,086, 7,111,145, 7,117,481, 7,149, 843, 7,155,558, 7,222,221, 7,260,815, 7,260,820, 7,269,683, 7,275,136, 7,277,998, 7,277,999, 7,278,030, 7,281,102, 7,290,253, and 7,356,679; patents pending. VMware, the VMware boxes logo and design, Virtual SMP and VMotion are registered trademarks or trademarks of VMware, Inc. in the United States and/or other jurisdictions. All other marks and names mentioned herein may be trademarks of their respective companies. Revision 20080708 Item: BP-012-PRD-02-01 About the Author CharuChaubalisaseniorarchitectinthetechnicalmarketingdepartmentatVMware.Hisareasofexpertise includevirtualizationsecurityandvirtualinfrastructuremanagement.ChaubalreceivedaBachelorofScience inEngineeringfromtheUniversityofPennsylvaniaandaPh.D.fromtheUniversityofCaliforniaatSanta Barbara,wherehestudiedthenumericalmodelingofcomplexfluids.Previously,heworkedatSun Microsystems,wherehehadmorethansevenyearsexperiencewithdesigninganddevelopingdistributed resourcemanagementandgridinfrastructuresoftwaresolutions.Heistheauthorofnumerouspublications andseveralpatentsinthefieldsofdatacenterautomationandnumericalpriceoptimization. Acknowledgements TheauthorwouldliketothankBradHarris,KirkLarsen,RobRandell,BrianCoskerSwerkske,andPetr Vandrovecfortheirvaluablecontributions.