vSphere Security
Update 2
ESXi 6.0
vCenter Server 6.0

This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more recent editions of this document, see http://www.vmware.com/support/pubs.
vSphere Security You can find the most up-to-date technical documentation on the VMware Web site at: http://www.vmware.com/support/ The VMware Web site also provides the latest product updates. If you have comments about this documentation, submit your feedback to: docfeedback@vmware.com Copyright © 2009–2016 VMware, Inc. All rights reserved. Copyright and trademark information. VMware, Inc. 3401 Hillview Ave. Palo Alto, CA 94304 www.vmware.com 2 VMware, Inc.
Contents

About vSphere Security 7
Updated Information 9

1 Security in the vSphere Environment 11
  Securing the ESXi Hypervisor 11
  Securing vCenter Server Systems and Associated Services 13
  Securing Virtual Machines 14
  Securing the Virtual Networking Layer 14
  Passwords in Your vSphere Environment 16
  Security Best Practices and Resources 17

2 vSphere Authentication with vCenter Single Sign-On 19
  Understanding vCenter Single Sign-On 20
  Configuring vCenter Single Sign-On Identity Sources 29
  vCenter Server

  Required Privileges for Common Tasks 150

5 Securing ESXi Hosts 153
  Use Scripts to Manage Host Configuration Settings 154
  Configure ESXi Hosts with Host Profiles 155
  General ESXi Security Recommendations 156
  Certificate Management for ESXi Hosts 160
  Customizing Hosts with the Security Profile 173
  Assigning Permissions for ESXi 187
  Using Active Directory to Manage ESXi Users 189
  Using vSphere Authentication Proxy 192
  Configuring Smart Card Authentication for ESXi 196
  ESXi SSH Keys 199
  Usin

  Verify That Sending Host Performance Data to Guests is Disabled 252
  Setting Timeouts for the ESXi Shell and vSphere Web Client 253

10 Defined Privileges 255
  Alarms Privileges 256
  Auto Deploy and Image Profile Privileges 257
  Certificates Privileges 257
  Content Library Privileges 258
  Datacenter Privileges 259
  Datastore Privileges 260
  Datastore Cluster Privileges 260
  Distributed Switch Privileges 261
  ESX Agent Manager Privileges 261
  Extension Privileges 262
  Folder Privileges 262
  Global Privileges
About vSphere Security

vSphere Security provides information about securing your vSphere environment for VMware vCenter Server® and VMware ESXi®. To help you protect your vSphere environment, this documentation describes available security features and the measures that you can take to safeguard your environment from attack. In addition to this document, VMware publishes a Hardening Guide for each release of vSphere, accessible at http://www.vmware.com/security/hardening-guides.html.
Updated Information

This vSphere Security documentation is updated with each release of the product or when necessary. This table provides the update history of the vSphere Security documentation.

Revision: EN-001949-04
Description:
- Fixed error with parameter name in “Verify that SSL Certificate Validation Over Network File Copy Is Enabled,” on page 214.
1 Security in the vSphere Environment

The components of a vSphere environment are secured out of the box by a number of features such as certificates, authorization, a firewall on each ESXi host, limited access, and so on. You can modify the default setup in many ways, for example, by setting permissions on vCenter objects, opening firewall ports, or changing the default certificates. This gives you maximum flexibility in securing vCenter Server systems, ESXi hosts, and virtual machines.

Users who can access the ESXi host must have permissions to manage the host. You set permissions on the host object from the vCenter Server system that manages the host.

Use Named Users and Least Privilege
By default, the root user can perform many tasks. Instead of allowing administrators to log in to the ESXi host with the root user account, assign different host configuration privileges to different named users from the vCenter Server permissions management interface.

See “Configuring Smart Card Authentication for ESXi,” on page 196.

ESXi Account Lockout
Starting with vSphere 6.0, account locking is supported for access through SSH and through the vSphere Web Services SDK. The Direct Console User Interface (DCUI) and the ESXi Shell do not support account lockout. By default, a maximum of ten failed attempts is allowed before the account is locked. The account is unlocked after two minutes by default.

See “Synchronizing Clocks on the vSphere Network,” on page 247.

Securing Virtual Machines
To secure your virtual machines, keep the guest operating systems patched and protect your environment just as you would protect a physical machine. Consider disabling unnecessary functionality, minimize the use of the virtual machine console, and follow other best practices.

See “ESXi Networking Security Recommendations,” on page 159.

Use Firewalls to Secure Virtual Network Elements
You can open and close firewall ports and secure each element in the virtual network separately. Firewall rules associate services with corresponding firewalls and can open and close the ESXi firewall according to the status of the service. See “ESXi Firewall Configuration,” on page 173.

Passwords in Your vSphere Environment
Password restrictions, lockout, and expiration in your vSphere environment depend on the system that the user targets, who the user is, and how policies are set.

ESXi Passwords
ESXi password restrictions are determined by the Linux PAM module pam_passwdqc. See “ESXi Passwords and Account Lockout,” on page 157.

Security Best Practices and Resources
If you follow best practices, your ESXi hosts and vCenter Server systems can be as secure as, or even more secure than, an environment that does not include virtualization. This manual includes best practices for the different components of your vSphere infrastructure. Table 1‑1.
2 vSphere Authentication with vCenter Single Sign-On

vCenter Single Sign-On is an authentication broker and security token exchange infrastructure. When a user or a solution user authenticates to vCenter Single Sign-On, that user receives a SAML token. Going forward, the user can use the SAML token to authenticate to vCenter services. The user can then perform the actions that user has privileges for.

Understanding vCenter Single Sign-On
To manage vCenter Single Sign-On effectively, you need to understand the underlying architecture and how it affects installation and upgrades.
vCenter Single Sign-On 6.0 Domains and Sites (http://link.brightcove.

4 The vSphere Web Client passes the token to the vCenter Server system.
5 vCenter Server checks with the vCenter Single Sign-On server that the token is valid and not expired.
6 The vCenter Single Sign-On server returns the token to the vCenter Server system, which uses the vCenter Server Authorization Framework to allow user access.
The user can now authenticate, and can view and modify any objects that the user's role has privileges for.

vCenter Single Sign-On Components
vCenter Single Sign-On includes the Security Token Service (STS), an administration server, and vCenter Lookup Service, as well as the VMware Directory Service (vmdir). The VMware Directory Service is also used for certificate management. During installation, the components are deployed as part of an embedded deployment, or as part of the Platform Services Controller.

Starting with vSphere 6.0, vCenter Single Sign-On is either included in an embedded deployment, or part of the Platform Services Controller. The Platform Services Controller contains all of the services that are necessary for the communication between vSphere components, including vCenter Single Sign-On, VMware Certificate Authority, VMware Lookup Service, and the licensing service. The order of installation is important.
Who Can Log In After Upgrade of a Simple Install
If you upgrade an environment that you provisioned using the Simple Install option, the result is always an installation with an embedded Platform Services Controller. Which users are authorized to log in depends on whether the source environment includes vCenter Single Sign-On.

Table 2‑2. Login Privileges After Upgrade of Simple Install Environment
Columns: Source version, Login access for, Notes
Source version: vSphere 5.

Table 2‑3. Login Privileges After Upgrade of Custom Install Environment
Columns: Source version, Login access for, Notes
Source version: vSphere 5.0
Login access for: vCenter Single Sign-On recognizes local operating system users for the machine where the Platform Services Controller is installed, but not for the machine where vCenter Server is installed.
Notes: Using local operating system users for administration is not recommended, especially in federated environments.
administrator@vsphere.

After installation, the administrator@vsphere.local user has administrator access to both vCenter Single Sign-On and vCenter Server. That user can then add identity sources, set the default identity source, and manage users and groups in the vCenter Single Sign-On domain (vsphere.local). All users that can authenticate to vCenter Single Sign-On can reset their password, even if the password has expired, as long as they know the password.

- Users who are in a domain that is not a vCenter Single Sign-On identity source cannot log in to vCenter Server. If the domain that you add to vCenter Single Sign-On is part of a domain hierarchy, Active Directory determines whether users of other domains in the hierarchy are authenticated or not.

Table 2‑4. Groups in the vsphere.local Domain (Continued)
Columns: Privilege, Description
SystemConfiguration.Administrators: Members of the SystemConfiguration.Administrators group can view and manage the system configuration in the vSphere Web Client. These users can view, start, and restart services, troubleshoot services, see the available nodes, and manage those nodes.
DCClients: This group is used internally to allow the management node access to data in VMware Directory Service.
See “ESXi Passwords and Account Lockout,” on page 157 for a discussion of passwords of ESXi local users.

Configuring vCenter Single Sign-On Identity Sources
When a user logs in, vCenter Single Sign-On checks in the default identity source whether that user can authenticate. You can add identity sources, remove identity sources, and change the default. You configure vCenter Single Sign-On from the vSphere Web Client.

Types of Identity Sources
vCenter Server versions earlier than version 5.1 supported Active Directory and local operating system users as user repositories. As a result, local operating system users could always authenticate to the vCenter Server system. vCenter Server versions 5.1 and 5.5 use vCenter Single Sign-On for authentication. See the vSphere 5.1 documentation for a list of supported identity sources with vCenter Single Sign-On 5.1. vCenter Single Sign-On 5.

- Including the domain, for example, user1@mydomain.com
- Users who are in a domain that is not a vCenter Single Sign-On identity source cannot log in to vCenter Server. If the domain that you add to vCenter Single Sign-On is part of a domain hierarchy, Active Directory determines whether users of other domains in the hierarchy are authenticated or not.

Procedure
1 Log in to the vSphere Web Client as administrator@vsphere.

4 Select the type of identity source and enter the identity source settings.
Columns: Option, Description
Active Directory (Integrated Windows Authentication): Use this option for native Active Directory implementations. The machine on which the vCenter Single Sign-On service is running must be in an Active Directory domain if you want to use this option. See “Active Directory Identity Source Settings,” on page 32.

Select Use machine account to speed up configuration. If you expect to rename the local machine on which vCenter Single Sign-On runs, specifying an SPN explicitly is preferable.
Note: In vSphere 5.5, vCenter Single Sign-On uses the machine account even if you specify the SPN. See VMware Knowledge Base article 2087978.

Table 2‑5. Add Identity Source Settings
Columns: Text Box, Description
Domain name: FQDN of the domain, for example, mydomain.com.

Table 2‑6. Active Directory as an LDAP Server and OpenLDAP Settings (Continued)
Columns: Field, Description
Base DN for groups: The base Distinguished Name for groups.
Primary Server URL: Primary domain controller LDAP server for the domain. Use the format ldap://hostname:port or ldaps://hostname:port. The port is typically 389 for ldap: connections and 636 for ldaps: connections.
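The server URL format in Table 2‑6 is easy to get wrong, and the ldap:// form sends the bind DN, its password, and every directory query in clear text. The following Python helper is an added example (not VMware code) that validates a Primary or Secondary Server URL before it is typed into the identity source dialog: it accepts only the two schemes the table lists, fills in the default port, rejects paths or query strings, and flags unencrypted ldap:// so that ldaps:// can be used instead. The host names in the checks are made up.

```python
"""Validate an LDAP identity source server URL (added example, not VMware code).

vCenter Single Sign-On expects ldap://hostname:port or ldaps://hostname:port.
The helper returns the parsed parts with the default port applied and a warning
when the URL would carry the bind password and directory traffic unencrypted.
"""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}
CLEARTEXT_WARNING = ("ldap:// carries the bind credentials and all directory "
                     "queries in clear text; use ldaps:// (port 636)")


def check_ldap_url(url: str) -> dict:
    """Return scheme/host/port/encrypted/warning for a valid URL; raise ValueError otherwise."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        raise ValueError(f"unsupported scheme {parts.scheme!r}; use ldap:// or ldaps://")
    if not parts.hostname:
        raise ValueError("missing host name")
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        raise ValueError("URL must contain only scheme, host name and port")
    port = parts.port if parts.port is not None else DEFAULT_PORTS[scheme]  # .port raises on garbage
    encrypted = scheme == "ldaps"
    return {
        "scheme": scheme,
        "host": parts.hostname,
        "port": port,
        "encrypted": encrypted,
        "warning": None if encrypted else CLEARTEXT_WARNING,
    }


if __name__ == "__main__":
    # Constructed inputs: one acceptable URL, one that should draw a warning.
    for candidate in ("ldaps://dc01.corp.example:636", "ldap://dc01.corp.example"):
        print(candidate, "->", check_ldap_url(candidate))
```

When ldaps:// is used, the Platform Services Controller must also trust the certificate presented by the domain controller; a URL that parses cleanly is not proof that the TLS session will be established.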
Columns: Option, Description
OpenLDAP: Use this option for an OpenLDAP identity source. See “Active Directory LDAP Server and OpenLDAP Server Identity Source Settings,” on page 33.
LocalOS: Use this option to add the local operating system as an identity source. You are prompted only for the name of the local operating system.

vCenter Server Two-Factor Authentication
vCenter Single Sign-On allows you to authenticate by using the name and password of a user in an identity source that is known to vCenter Single Sign-On, or by using Windows session authentication for Active Directory identity sources. Starting with vSphere 6.0 Update 2, you can also authenticate by using a smart card (UPN-based Common Access Card or CAC), or by using an RSA SecurID token.

Configuring Smart Card Authentication for vCenter Single Sign-On
You can set up your environment to require smart card authentication when a user connects to a vCenter Server or associated Platform Services Controller from the vSphere Web Client.

Smart Card Authentication Login
A smart card is a small plastic card with an embedded integrated circuit chip.

If login from the vSphere Web Client is not working, and if user name and password authentication is turned off, a root or administrator user can turn user name and password authentication back on from the Platform Services Controller command line by running the following command. The example is for Windows; for Linux, use sso-config.sh.
sso-config.bat -set_authn_policy -pwdAuthn true

Prerequisites
- Verify that your environment uses Platform Services Controller version 6.

2 On each Platform Services Controller node, configure smart card authentication settings by using the sso-config CLI.
a Go to the directory where the sso-config script is located.
  Windows: C:\Program Files\VMware\VCenter server\VMware Identity Services
  Appliance: /opt/vmware/bin
b Run the following command:
sso-config.[bat|sh] -set_tc_cert_authn -switch true -cacerts [FirstTrustedCA.cer,SecondTrustedCA.cer,...

Use the Platform Services Controller Web Interface to Manage Smart Card Authentication
You can enable and disable smart card authentication, customize the login banner, and set up the revocation policy from the Platform Services Controller Web interface. When you configure smart card authentication from the command line, you always set up the Platform Services Controller using the sso-config command first.
Procedure
1 Obtain the certificates and copy them to a folder that the sso-config utility can see.
  Windows: Log in to the Platform Services Controller Windows installation and use WinSCP or a similar utility to copy the files.
  Appliance:
  a Log in to the appliance console, either directly or by using SSH.
  b Enable the appliance shell, as follows.
shell.

8 To specify the authentication configuration, click Edit next to Authentication Configuration and select or deselect authentication methods. You cannot enable or disable RSA SecurID authentication from this Web interface. However, if RSA SecurID has been enabled from the command line, the status appears in the Web interface.

- Verify that the Platform Services Controller Web interface certificate is trusted by the end user’s workstation; otherwise, the browser does not attempt the authentication.
- Configure an Active Directory identity source and add it to vCenter Single Sign-On as an identity source.
- Assign the vCenter Server Administrator role to one or more users in the Active Directory identity source.

Procedure
1 Change to the directory where the sso-config script is located.
  Windows: C:\Program Files\VMware\VCenter server\VMware Identity Services
  Appliance: /opt/vmware/bin
2 To enable RSA SecurID authentication, run the following command.
sso-config.[sh|bat] -t tenantName -set_authn_policy -securIDAuthn true
tenantName is the name of the vCenter Single Sign-On domain, vsphere.local by default.

For example:
sso-config.sh -set_rsa_userid_attr_map -t vsphere.local -idsName ssolabs.com -ldapAttr userPrincipalName
7 To display the current settings, run the following command.
sso-config.sh -t tenantName -get_rsa_config
If user name and password authentication is disabled and SecurID token authentication is enabled, users must log in with their user name and SecurID token. User name and password login is no longer possible.
Required Setup
You have to perform integration tasks for both vCenter Single Sign-On and the service that is using vCenter Single Sign-On.
1 Export the vCenter Single Sign-On metadata and register vCenter Single Sign-On as an identity provider in the other service provider.
2 Export the metadata of the other service provider and import it into vCenter Single Sign-On.
If you are using vRealize Automation as the service provider, see the vRealize Automation documentation for details.

3 Export the vCenter Single Sign-On metadata.
  a In the Metadata for your SAML service provider field, click Download.
  b Specify a file location.
4 Go to the SAML service provider, for example VMware vRealize Automation 7.0 or later, and follow the instructions for your SAML service provider to add the vCenter Single Sign-On metadata to that service provider. See the vRealize Automation documentation for details on importing the metadata.

Country = US
Name = STS
Organization = ExampleInc
OrgUnit = ExampleInc Dev
State = Indiana
Locality = Indianapolis
IPAddress = 10.0.1.32
Email = chen@exampleinc.com
Hostname = homecenter.exampleinc.local

4 Generate the key.
/usr/lib/vmware-vmca/bin/certool --server localhost --genkey --privkey=/root/newsts/sts.key --pubkey=/root/newsts/sts.pub
5 Generate the certificate.
/usr/lib/vmware-vmca/bin/certool --gencert --cert=/root/newsts/newsts.cer --privkey=/root/newsts/sts.

3 Open your copy of the certool.cfg file and edit it to use the local Platform Services Controller IP address and hostname. The country is required and has to be two characters. The following sample illustrates this.
#
# Template file for a CSR request
#
# Country is needed and has to be 2 characters
Country = US
Name = STS
Organization = ExampleInc
OrgUnit = ExampleInc Dev
State = Indiana
Locality = Indianapolis
IPAddress = 10.0.1.
Refresh the STS Root Certificate
The vCenter Single Sign-On server includes a Security Token Service (STS). The Security Token Service is a Web service that issues, validates, and renews security tokens. You can manually refresh the existing Security Token Service certificate from the vSphere Web Client when the certificate expires or changes. To acquire a SAML token, a user presents the primary credentials to the Security Token Service (STS).

3 Add the certificate.
  a Click Browse to browse to the key store JKS file that contains the new certificate and click Open.
  b Type the password when prompted.
  c Click the top of the STS alias chain and click OK.
  d Type the password again when prompted.
4 Click OK.
5 Restart the Platform Services Controller node to start both the STS service and the vSphere Web Client.

2 Browse to Administration > Single Sign-On > Configuration.
3 Click the Policies tab and select Password Policies.
4 Click Edit.
5 Edit the password policy parameters.
Columns: Option, Description
Description: Password policy description.
Maximum lifetime: Maximum number of days that a password can exist before the user must change it.
Restrict reuse: Number of the user's previous passwords that cannot be selected.

2 Browse to Administration > Single Sign-On > Configuration.
3 Click the Policies tab and select Lockout Policy.
4 Click Edit.
5 Edit the parameters.
Columns: Option, Description
Description: Optional description of the lockout policy.
Max number of failed login attempts: Maximum number of failed login attempts that are allowed before the account is locked.
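Both lockout mechanisms on this page, the ESXi default described under “ESXi Account Lockout” in Chapter 1 (ten failures, unlock after two minutes) and the vCenter Single Sign-On lockout policy edited here (a maximum number of failures, the interval in which they must occur, and an unlock time), follow the same state machine. The Python block below is an added example, not VMware code, that implements that state machine so the interaction of the three parameters can be seen on constructed login sequences: failures spread out beyond the interval never lock, a locked account rejects even the correct password until the unlock time elapses, and the page gives no failure interval for ESXi, so a very large one is assumed there.

```python
"""Account lockout tracker (added example, not VMware code).

Implements the lockout semantics described for ESXi (a fixed number of failed
attempts, automatic unlock after a delay) and for vCenter Single Sign-On (a maximum
number of failures within a time interval, then an unlock time). Timestamps are
seconds; a production implementation would use monotonic time and persist state.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class LockoutPolicy:
    max_failures: int        # failed attempts allowed before the account locks
    failure_interval_s: int  # only failures within this window count toward max_failures
    unlock_time_s: int       # seconds after locking until automatic unlock (0 = manual unlock)


@dataclass
class AccountState:
    failures: List[float] = field(default_factory=list)  # timestamps of recent failures
    locked_at: Optional[float] = None


class LockoutTracker:
    def __init__(self, policy: LockoutPolicy):
        self.policy = policy
        self.accounts: Dict[str, AccountState] = {}

    def is_locked(self, user: str, now: float) -> bool:
        st = self.accounts.setdefault(user, AccountState())
        if st.locked_at is None:
            return False
        if self.policy.unlock_time_s and now - st.locked_at >= self.policy.unlock_time_s:
            st.locked_at = None          # automatic unlock; start with a clean failure history
            st.failures.clear()
            return False
        return True

    def attempt(self, user: str, password_ok: bool, now: float) -> str:
        """Record one login attempt and return 'ok', 'failed' or 'locked'."""
        if self.is_locked(user, now):
            return "locked"              # rejected even if the password is right
        st = self.accounts[user]
        if password_ok:
            st.failures.clear()
            return "ok"
        window = self.policy.failure_interval_s
        st.failures = [t for t in st.failures if now - t < window]  # drop failures outside the interval
        st.failures.append(now)
        if len(st.failures) >= self.policy.max_failures:
            st.locked_at = now
            return "locked"
        return "failed"


# ESXi defaults from Chapter 1 (10 failures, unlock after 120 s); the page gives no failure
# interval for ESXi, so a very large one is assumed. The SSO-style values are chosen here
# for illustration only and are not the product defaults.
ESXI_DEFAULT = LockoutPolicy(max_failures=10, failure_interval_s=10**9, unlock_time_s=120)
SSO_EXAMPLE = LockoutPolicy(max_failures=3, failure_interval_s=180, unlock_time_s=300)


def demo_esxi_default() -> List[str]:
    """Ten bad passwords, then the correct one inside and after the unlock window."""
    tr = LockoutTracker(ESXI_DEFAULT)
    out = [tr.attempt("root", False, float(t)) for t in range(10)]
    out.append(tr.attempt("root", True, 100.0))   # still locked: only 91 s since the lock
    out.append(tr.attempt("root", True, 130.0))   # unlocked: 121 s >= 120 s
    return out


if __name__ == "__main__":
    print(demo_esxi_default())
```

Note what the tracker does not model: on ESXi the DCUI and ESXi Shell are outside lockout entirely, so a locked account can still be used at the console, and an attacker who can reach SSH can deliberately lock administrative accounts for the unlock interval, which is why named users rather than a single shared root login matter.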
Columns: Option, Description
Maximum bearer token lifetime: Bearer tokens provide authentication based only on possession of the token. Bearer tokens are intended for short-term, single-operation use. A bearer token does not verify the identity of the user or entity that is sending the request. This value specifies the lifetime of a bearer token before the token has to be reissued.
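A relying party sees the bearer and holder-of-key distinction, the token lifetime, and the clock tolerance in the assertion itself. The Python block below is an added example, not VMware code, that parses a constructed SAML 2.0 assertion, reads its Conditions and SubjectConfirmation, applies a clock-skew tolerance, and enforces separate maximum lifetimes for bearer and holder-of-key tokens. The issuer URL, the lifetime limits and the tolerance used as defaults are illustrative values, not the product's, and the block deliberately does not verify the XML signature, which a real consumer must do before trusting any of these fields.

```python
"""Check a SAML 2.0 assertion against a token policy (added example, not VMware code).

Parses Conditions and SubjectConfirmation, applies a clock tolerance to
NotBefore/NotOnOrAfter, and enforces separate maximum lifetimes for bearer and
holder-of-key tokens. The XML signature is NOT verified here; a relying party must
verify it and the issuer before trusting any of these fields.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
HOLDER_OF_KEY = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"


def _ts(value: str) -> datetime:
    """Parse the UTC 'Z' timestamps SAML uses."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_assertion(xml_text: str, now_utc: str, max_bearer_lifetime_s: int = 300,
                    max_hok_lifetime_s: int = 86400, clock_tolerance_s: int = 600):
    """Return (accepted, reason). Limits are seconds; the defaults are illustrative only."""
    now = _ts(now_utc)
    tol = timedelta(seconds=clock_tolerance_s)
    root = ET.fromstring(xml_text)
    cond = root.find("saml:Conditions", NS)
    confirmation = root.find("saml:Subject/saml:SubjectConfirmation", NS)
    if cond is None or confirmation is None:
        return False, "assertion lacks Conditions or SubjectConfirmation"
    not_before = _ts(cond.get("NotBefore"))
    not_on_or_after = _ts(cond.get("NotOnOrAfter"))
    method = confirmation.get("Method")
    if method == BEARER:
        kind, limit = "bearer", timedelta(seconds=max_bearer_lifetime_s)
    elif method == HOLDER_OF_KEY:
        kind, limit = "holder-of-key", timedelta(seconds=max_hok_lifetime_s)
    else:
        return False, f"unknown confirmation method {method}"
    lifetime = not_on_or_after - not_before
    if lifetime > limit:   # policy check is independent of the current time
        return False, (f"{kind} token lifetime {int(lifetime.total_seconds())} s "
                       f"exceeds policy {int(limit.total_seconds())} s")
    if now + tol < not_before:
        return False, "token not yet valid"
    if now - tol >= not_on_or_after:
        return False, "token expired"
    return True, kind


# Constructed assertions (issuer and IDs are made up; no real signature present).
_TEMPLATE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-{n}" Version="2.0" IssueInstant="2016-03-15T10:00:00Z">
  <saml:Issuer>https://psc.example.local/websso/SAML2/Metadata/vsphere.local</saml:Issuer>
  <saml:Subject>
    <saml:NameID>administrator@vsphere.local</saml:NameID>
    <saml:SubjectConfirmation Method="{method}"/>
  </saml:Subject>
  <saml:Conditions NotBefore="2016-03-15T10:00:00Z" NotOnOrAfter="{expiry}"/>
</saml:Assertion>"""
SAMPLE_BEARER = _TEMPLATE.format(n=1, method=BEARER, expiry="2016-03-15T10:05:00Z")
SAMPLE_HOK = _TEMPLATE.format(n=2, method=HOLDER_OF_KEY, expiry="2016-03-16T10:00:00Z")


if __name__ == "__main__":
    print(check_assertion(SAMPLE_BEARER, "2016-03-15T10:02:00Z"))
    print(check_assertion(SAMPLE_BEARER, "2016-03-15T10:20:00Z"))
```

The lifetime check runs before the time-window check on purpose: a token that was minted outside policy should be rejected even while it is still within its own window, and a generous clock tolerance should widen the acceptance window only by the tolerance, never by the token's declared lifetime.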
- Delete vCenter Single Sign-On Solution Users on page 58
vCenter Single Sign-On displays solution users. A solution user is a collection of services. Several vCenter Server solution users are predefined and authenticate to vCenter Single Sign-On as part of installation. In troubleshooting situations, for example, if an uninstall did not complete cleanly, you can delete individual solution users from the vSphere Web Client.

Prerequisites
You must be a member of the vCenter Single Sign-On Administrators group to disable and enable vCenter Single Sign-On users.
Procedure
1 Log in to the vSphere Web Client as administrator@vsphere.local or as another user with vCenter Single Sign-On administrator privileges. Users with vCenter Single Sign-On administrator privileges are in the Administrators group in the vsphere.local domain.
2 Click Home, and browse to Administration > Single Sign-On > Users and Groups.

3 Click the Users tab.
4 Right-click the user and select Edit User.
5 Make changes to the user. You cannot change the user name of the user. The password must meet the password policy requirements for the system.
6 Click OK.

Add a vCenter Single Sign-On Group
In vCenter Single Sign-On, groups listed on the Groups tab are internal to vCenter Single Sign-On.

5 Select the identity source that contains the member to add to the group.
6 (Optional) Enter a search term and click Search.
7 Select the member and click Add. You can simultaneously add multiple members.
8 Click OK.

Remove Members from a vCenter Single Sign-On Group
You can remove members from a vCenter Single Sign-On group from the vSphere Web Client. When you remove a member (user or group) from a local group, you do not delete the member from the system.

The services associated with the solution user no longer have access to vCenter Server and cannot function as vCenter Server services.

Change Your vCenter Single Sign-On Password
Users in the vsphere.local domain can change their vCenter Single Sign-On passwords from the vSphere Web Client. Users in other domains change their passwords following the rules for that domain.

Troubleshooting vCenter Single Sign-On
Configuring vCenter Single Sign-On can be a complex process. The following topics provide a starting point for troubleshooting vCenter Single Sign-On. Search this documentation center and the VMware Knowledge Base system for additional pointers.

Determining the Cause of a Lookup Service Error
vCenter Single Sign-On installation displays an error referring to the vCenter Server or the vSphere Web Client.

Columns: Message, Cause and solution
Unexpected status code: 404. SSO Server failed during initialization: Restart vCenter Single Sign-On. If this does not correct the problem, see the Recovery section of the vSphere Troubleshooting Guide.
The error shown in the UI begins with Could not connect to vCenter Single Sign-on. You also see the return code SslHandshakeFailed.: This is an uncommon error.

b For each domain controller, verify forward and reverse resolution by running the following command:
# dig my-controller.my-ad.com
The relevant addresses are in the answer section, as in the following example:
;; ANSWER SECTION:
my-controller.my-ad.com (...) IN A controller IP address
...
# dig -x
The relevant addresses are in the answer section, as in the following example:
;; ANSWER SECTION:
IP-in-reverse.in-addr.arpa. (...) IN PTR my-controller.my-ad.com
...
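The dig check above has to be repeated for every domain controller and every address each one returns, and a stale PTR record (an address whose reverse name is some other host) is easy to miss by eye. The following Python block is an added example, not VMware code, that automates the same forward-then-reverse comparison: for each controller it resolves the A records, resolves the PTR for each address, and reports addresses with no PTR or with a PTR that does not map back to the controller name. Lookups are injected so the check runs offline against a constructed answer table; the two live resolver functions use the standard socket module and can be passed in for a real run. The controller names and addresses in the table are made up.

```python
"""Forward/reverse DNS consistency check for domain controllers (added example, not VMware code).

Mirrors the dig / dig -x procedure: every A record of a controller should have a PTR
record that maps back to the same name. Resolver functions are injected so the check
can run offline; resolve_a_live/resolve_ptr_live are the socket-based equivalents.
"""
import socket
from typing import Callable, Dict, List, Optional


def resolve_a_live(name: str) -> List[str]:
    """All IPv4 addresses for name, or [] if it does not resolve."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(name, None, socket.AF_INET)})
    except socket.gaierror:
        return []


def resolve_ptr_live(ip: str) -> Optional[str]:
    """Canonical name from the PTR record, or None if there is none."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def check_controller(name: str, resolve_a: Callable[[str], List[str]],
                     resolve_ptr: Callable[[str], Optional[str]]) -> List[str]:
    """Return a list of problems; an empty list means forward and reverse agree."""
    problems = []
    addrs = resolve_a(name)
    if not addrs:
        return [f"{name}: no A record"]
    want = name.rstrip(".").lower()
    for ip in addrs:
        ptr = resolve_ptr(ip)
        if ptr is None:
            problems.append(f"{ip}: no PTR record")
        elif ptr.rstrip(".").lower() != want:   # tolerate trailing dot and case differences
            problems.append(f"{ip}: PTR is {ptr}, expected {name}")
    return problems


# Constructed answer table (made-up names and addresses) so the check runs offline.
FAKE_A: Dict[str, List[str]] = {
    "dc1.my-ad.com": ["10.0.1.10"],
    "dc2.my-ad.com": ["10.0.1.11", "10.0.1.12"],   # second address has a stale PTR
    "dc3.my-ad.com": [],                           # forward lookup fails
}
FAKE_PTR: Dict[str, str] = {
    "10.0.1.10": "dc1.my-ad.com.",
    "10.0.1.11": "DC2.my-ad.com",
    "10.0.1.12": "oldname.my-ad.com",
}


def check_all(controllers: List[str], resolve_a=None, resolve_ptr=None) -> Dict[str, List[str]]:
    """Check every controller; defaults to the constructed table, pass the *_live functions for real DNS."""
    resolve_a = resolve_a or (lambda n: FAKE_A.get(n, []))
    resolve_ptr = resolve_ptr or FAKE_PTR.get
    return {c: check_controller(c, resolve_a, resolve_ptr) for c in controllers}


if __name__ == "__main__":
    for ctrl, problems in check_all(sorted(FAKE_A)).items():
        print(ctrl, "OK" if not problems else problems)
```

Run the live variant from the Platform Services Controller itself, since that is the resolver whose answers matter for joining the domain; a workstation on a different DNS view can pass while the node fails.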
Cause
During normal operation, changes to a VMware Directory Service (vmdir) instance in one Platform Services Controller instance (node) show up in its direct replication partner within about 60 seconds. Depending on the replication topology, changes in one node might have to propagate through intermediate nodes before they arrive at each vmdir instance in each node.
3 vSphere Security Certificates

vSphere components use SSL to communicate securely with each other and with ESXi. SSL communications ensure data confidentiality and integrity. Data is protected, and cannot be modified in transit without detection. Certificates are also used by vCenter Server services such as the vSphere Web Client for initial authentication to vCenter Single Sign-On.

Certificate Management Overview
The impact of the new certificate infrastructure depends on the requirements in your environment, on whether you are performing a fresh install or an upgrade, and on whether you are considering ESXi or vCenter Server.

Administrators Who Do Not Replace VMware Certificates
If you are an administrator who does not currently replace VMware certificates, VMCA can handle all certificate management for you.

vCenter Certificate Interfaces
For vCenter Server, you can view and replace certificates with the following tools and interfaces.
vSphere Certificate Manager utility: Perform all common certificate replacement tasks from the command line.
Certificate management CLIs: Perform all certificate management tasks with dir-cli, certool, and vecs-cli.
vSphere Web Client certificate management: View certificates, including expiration information.

Figure 3‑1. Certificates Signed by VMCA Are Stored in VECS
[Figure: VMCA signs the CA certificate and the machine certificate; both are stored in VECS.]

Make VMCA an Intermediate CA
You can replace the VMCA root certificate with a certificate that is signed by an enterprise CA or third-party CA. VMCA then issues the certificates it provisions under that replacement certificate, making VMCA an intermediate CA.

Figure 3‑3. External Certificates are Stored Directly in VECS
[Figure: an external CA (commercial or enterprise) issues the machine certificate, which is stored in VECS; the VMCA-signed certificate is unused.]

Hybrid Deployment
You can have VMCA supply some of the certificates, but use custom certificates for other parts of your infrastructure. For example, because solution user certificates are used only to authenticate to vCenter Single Sign-On, consider having VMCA provision those certificates.
Table 3‑2. Certificates in vSphere 6.0 (Continued)
Columns: Certificate, Provisioned by, Stored
vCenter Single Sign-On SSL signing certificate: Provisioned during installation. Manage this certificate from the vSphere Web Client. Do not change this certificate in the file system or unpredictable behavior results.
VMware Directory Service (vmdir) SSL certificate: Provisioned during installation. In certain corner cases, you might have to replace this certificate.

The following solution user certificate stores are included in VECS on each management node and each embedded deployment:
- machine: Used by component manager, license server, and the logging service.
Note: The machine solution user certificate has nothing to do with the machine SSL certificate. The machine solution user certificate is used for the SAML token exchange; the machine SSL certificate is used for secure SSL connections for a machine.

- Contains the following Key Usages: Digital Signature, Non Repudiation, Key Encipherment
Note: The algorithms md2WithRSAEncryption (1.2.840.113549.1.1.2), md5WithRSAEncryption (1.2.840.113549.1.1.4), and sha1WithRSAEncryption (1.2.840.113549.1.1.5) are not recommended. The algorithm RSASSA-PSS with OID 1.2.840.113549.1.1.10 is not supported.

VMCA and VMware Core Identity Services
Core identity services are part of every embedded deployment and every Platform Services Controller node.
Chapter 3 vSphere Security Certificates Table 3‑4. Stores in VECS Store Description Machine SSL store (MACHINE_SSL_CERT) Used by the reverse proxy service on every vSphere node. n Used by the VMware Directory Service (vmdir) on embedded deployments and on each Platform Services Controller node. All services in vSphere 6.0 communicate through a reverse proxy, which uses the machine SSL certificate. For backward compatibility, the 5.x services still use specific ports.
vSphere Security The vCenter Single Sign-On service stores the token signing certificate and its SSL certificate on disk. You can change the token signing certificate from the vSphere Web Client. Note Do not change any certificate files on disk unless instructed by VMware documentation or Knowledge Base Articles. Unpredictable behavior might result otherwise. Some certificates are stored on the filesystem, either temporarily during startup or permanently. Do not change the certificates on the file system.
Chapter 3 vSphere Security Certificates n “Replace Machine SSL Certificates With Custom Certificates,” on page 114 Replacement of Solution User Certificates in Environments with Multiple Management Nodes If your environment includes multiple management nodes and a single Platform Services Controller, follow these steps for certificate replacement. Note When you list solution user certificates in large deployments, the output of dir-cli list includes all solution users from all nodes.
vSphere Security Certificate Replacement in Environments that Include External Solutions Some solutions, such as VMware vCenter Site Recovery Manager or VMware vSphere Replication are always installed on a different machine than the vCenter Server system or Platform Services Controller. If you replace the default machine SSL certificate on the vCenter Server system or the Platform Services Controller, a connection error results if the solution attempts to connect to the vCenter Server system.
Explore Certificate Stores from the Platform Services Controller Web Interface A VMware Endpoint Certificate Store (VECS) instance is included on each Platform Services Controller node and each vCenter Server node. You can explore the different stores inside the VMware Endpoint Certificate Store from the Platform Services Controller web interface. See “VMware Endpoint Certificate Store Overview,” on page 72 for details on the different stores inside VECS.
vSphere Security 2 Specify the user name and password for administrator@vsphere.local or another member of the vCenter Single Sign-On Administrators group. If you specified a different domain during installation, log in as administrator@mydomain. 3 Under Certificates, select Certificate Management and specify the IP address or host name for the Platform Services Controller and the user name and password of the administrator of the local domain (administrator@vsphere.local by default), and click Submit.
Chapter 3 vSphere Security Certificates Prerequisites 1 Generate the CSR. 2 Edit the certificate that you receive, and place the current VMCA root certificate at the bottom. “Generate Certificate Signing Requests with vSphere Certificate Manager (Intermediate CA),” on page 85 explains both steps.
What to do next Restart services on the Platform Services Controller. You can either restart the Platform Services Controller, or run the following commands from the command line: Windows vCenter Server Appliance On Windows, the service-control command is located at VCENTER_INSTALL_PATH\bin.
Chapter 3 vSphere Security Certificates 3 Select option 1 to generate the CSR, answer the prompts and exit Certificate Manager. As part of the process, you have to provide a directory. Certificate Manager places the certificate and key files in the directory. 4 If you also want to replace all solution user certificates, restart Certificate Manager. 5 Select option 5. 6 Supply the password and the Platform Services Controller IP address or host name if prompted.
vSphere Security Add Custom Certificates from the Platform Services Controller You can add custom Machine SSL certificates and custom solution user certificates to the certificate store from the Platform Services Controller. In most cases, replacing the machine SSL certificate for each component is sufficient. The solution user certificate remains behind a proxy. Prerequisites Generate certificate signing requests (CSRs) for each certificate that you want to replace.
Chapter 3 vSphere Security Certificates What to do next Restart services on the Platform Services Controller. You can either restart the Platform Services Controller, or run the following commands from the command line: Windows vCenter Server Appliance On Windows, the service-control command is located at VCENTER_INSTALL_PATH\bin.
vSphere Security 4 Make VMCA an Intermediate Certificate Authority (Certificate Manager) on page 85 You can make VMCA an Intermediate CA by following the prompts from Certificate Manager utility. After you complete the process, VMCA signs all new certificates with the full chain. If you want, you can use Certificate Manager to replace all existing certificates with new VMCA-signed certificates.
- Locality
- IP address (optional)
- Email
- Host name, that is, the fully qualified domain name of the machine for which you want to replace the certificate
- IP address of Platform Services Controller if you are running the command on a management node
Prerequisites You must know the FQDN of the machine for which you want to generate a new VMCA-signed certificate. All other properties default to the predefined values. The IP address is optional.
5 In a text editor, combine the certificates so that the initial VMCA root certificate is at the top and the CA root certificate at the bottom:
-----BEGIN CERTIFICATE-----
VMCA Certificate
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
CA intermediate certificates
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Root CA certificate
-----END CERTIFICATE-----
6 Save the file as root_signing_chain.cer.
What to do next Replace the existing root certificate with the chained root certificate.
- Gather the information you will need.
- Password for administrator@vsphere.local.
- Valid custom certificate for Root (.crt file).
- Valid custom key for Root (.key file).
Procedure
1 Start vSphere Certificate Manager on an embedded installation or on an external Platform Services Controller and select option 2.
2 Select option 2 to start certificate replacement and respond to the prompts.
a Specify the full path to the root certificate when prompted.
- IP address (optional)
- Email
- Host name, that is, the fully qualified domain name of the machine for which you want to replace the certificate. If the host name does not match the FQDN, certificate replacement does not complete correctly and your environment might end up in an unstable state.
Chapter 3 vSphere Security Certificates Replace All Certificates with Custom Certificate (Certificate Manager) You can use the vSphere Certificate Manager utility to replace all certificates with custom certificates. Before you start the process, you must send CSRs to your CA. You can use Certificate Manager to generate the CSRs. One option is to only replace the machine SSL certificate, and to use the solution user certificates that are provisioned by VMCA.
vSphere Security 7 Select option 1 to generate the CSRs, answer the prompts and exit Certificate Manager. As part of the process, you have to provide a directory. Certificate Manager places the certificate and key files in the directory. On each Platform Services Controller node, Certificate Manager generates one certificate and key pair. On each vCenter Server node, Certificate Manager generates four certificate and key pairs. What to do next Perform certificate replacement.
Chapter 3 vSphere Security Certificates n If you are upgrading from a vSphere 5.x environment, you might have to replace the vCenter Single Sign-On certificate inside vmdir. See “Replace the VMware Directory Service Certificate in Mixed Mode Environments,” on page 101 Replace Solution User Certificates with Custom Certificates When you select this option, vSphere Certificate Manager prompts you for replacement certificates for the existing solution user certificates.
vSphere Security Manual Certificate Replacement For some special cases, for example, if you want to replace only one type of solution user certificate, you cannot use the vSphere Certificate Manager utility. In that case, you can use the CLIs included with your installation for certificate replacement. Understanding Starting and Stopping of Services For certain parts of manual certificate replacement, you must stop all services and then start only the services that manage the certificate infrastructure.
4 Replace the VMware Directory Service Certificate in Mixed Mode Environments on page 101 During upgrade, your environment might temporarily include both vCenter Single Sign-On version 5.5 and vCenter Single Sign-On version 6.0. In that case, you have to perform additional steps to replace the VMware Directory Service SSL certificate if you replace the SSL certificate of the node on which the vCenter Single Sign-On service is running.
- On a management node (external installation):
C:\>"C:\Program Files\VMware\vCenter Server\vmcad\"certool --getrootca --server=
The output looks similar to this:
output:
Certificate:
Data:
Version: 3 (0x2)
Serial Number: cf:2d:ff:49:88:50:e5:af
...
2 (Optional) List the VECS TRUSTED_ROOTS store and compare the certificate serial number there with the output from Step 1.
Procedure
1 Make one copy of certool.cfg for each machine that needs a new certificate. You can find certool.cfg in the following locations:
Windows: C:\Program Files\VMware\vCenter Server\vmcad
Linux: /usr/lib/vmware-vmca/share/config/
2 Edit the custom configuration file for each machine to include that machine's FQDN. Run NSLookup against the machine's IP address to see the DNS listing of the name, and use that name for the Hostname field in the file.
2 Generate a key pair for the machine SSL certificate. Run this command on each management node and Platform Services Controller node; it does not require a --server option.
C:\>"C:\Program Files\VMware\vCenter Server\vmcad\"certool --genkey --privkey=ssl-key.priv --pubkey=ssl-key.pub
The ssl-key.priv and ssl-key.pub files are created in the current directory.
3 Generate the new machine SSL certificate. This certificate is signed by VMCA.
Chapter 3 vSphere Security Certificates What to do next You can also replace the certificates for your ESXi hosts. See “Certificate Management for ESXi Hosts,” on page 160. After replacing the root certificate in a multi-node deployment, you must restart services on all vCenter Server with external Platform Services Controller nodes. Replace Solution User Certificates With New VMCA-Signed Certificates After you replace the machine SSL certificates, you can replace all solution user certificates.
4 Stop all services and start the services that handle certificate creation, propagation, and storage. The service names differ on Windows and the vCenter Server Appliance.
Chapter 3 vSphere Security Certificates 2 Generate solution user certificates that are signed by the new VMCA root certificate for the machine solution user on each Platform Services Controller and each management node and for each additional solution user (vpxd, vpxd-extension, vsphere-webclient) on each management node. Note The --Name parameter has to be unique.
d Replace the vpxd-extension solution user certificate on each management node.
C:\>"C:\Program Files\VMware\vCenter Server\vmafdd\"vecs-cli entry delete --store vpxd-extension --alias vpxd-extension
C:\>"C:\Program Files\VMware\vCenter Server\vmafdd\"vecs-cli entry create --store vpxd-extension --alias vpxd-extension --cert new-vpxd-extension.crt --key vpxd-extension-key.priv
e Replace the vsphere-webclient solution user certificate on each management node.
C:\>"C:\Program Files\VMware\vC
f Replace the vsphere-webclient solution user certificate on each management node. For example, if vsphere-webclient-6fd7f140-60a9-11e4-9e28-005056895a69 is the vsphere-webclient solution user ID, run this command:
C:\>"C:\Program Files\VMware\vCenter Server\vmafdd\"dir-cli service update --name vsphere-webclient-6fd7f140-60a9-11e4-9e28-005056895a69 --cert new-vsphere-webclient.
Use VMCA as an Intermediate Certificate Authority You can replace the VMCA root certificate with a third-party CA-signed certificate that includes VMCA in the certificate chain. Going forward, all certificates that VMCA generates include the full chain. You can replace existing certificates with newly generated certificates. This approach combines the security of a third-party CA-signed certificate with the convenience of automated certificate management.
Chapter 3 vSphere Security Certificates Procedure 1 Generate a CSR and send it to your CA. Follow your CA's instructions. 2 Prepare a certificate file that includes the signed VMCA certificate along with the full CA chain of your third party CA or enterprise CA, and save the file, for example, as rootca1.crt. You can accomplish this by copying all CA certificates in PEM format into a single file. You have to start with the VMCA certificate root and end with the root CA PEM certificate.
Example: Replacing the Root Certificate Replace the VMCA root certificate with the custom CA root certificate using the certool command with the --rootca option.
C:\>"C:\Program Files\VMware\vCenter Server\vmcad\certool" --rootca --cert=C:\custom-certs\root.pem --privkey=C:\custom-certs\root.key
When you run this command, it:
- Adds the new custom root certificate to the certificate location in the file system.
- Appends the custom root certificate to the TRUSTED_ROOTS store in VECS.
4 Stop all services and start the services that handle certificate creation, propagation, and storage. The service names differ on Windows and the vCenter Server Appliance.
4 (Optional) List the content of VECS.
"C:\Program Files\VMware\vCenter Server\vmafdd\"vecs-cli store list
- Output on Platform Services Controller:
MACHINE_SSL_CERT
TRUSTED_ROOTS
TRUSTED_ROOT_CRLS
machine
- Output on vCenter Server:
MACHINE_SSL_CERT
TRUSTED_ROOTS
TRUSTED_ROOT_CRLS
machine
vpxd
vpxd-extension
vsphere-webclient
sms
5 Replace the Machine SSL certificate in VECS with the new Machine SSL certificate.
Chapter 3 vSphere Security Certificates Prerequisites Each solution user certificate must have a different Subject. Consider, for example, including the solution user name (such as vpxd) or other unique identifier. Procedure 1 Make one copy of certool.cfg, remove the Name, IP address, DNS name, and email fields, and rename the file, for example, to sol_usr.cfg. You can name the certificates from the command line as part of generation. The other information is not needed for solution users.
5 Replace the existing certificate in vmdir and then in VECS. For solution users, you must add the certificates in that order. For example:
dir-cli service update --name --cert ./vpxd.crt
vecs-cli entry delete --store vpxd --alias vpxd
vecs-cli entry create --store vpxd --alias vpxd --cert vpxd.crt --key vpxd.priv
Note Solution users cannot log in to vCenter Single Sign-On if you don't replace the certificate in vmdir.
6 Restart all services.
c Generate a certificate for the vpxd solution user on each management node.
C:\>"C:\Program Files\VMware\vCenter Server\vmcad\"certool --gencert --cert=new-vpxd.crt --privkey=vpxd-key.priv --Name=vpxd --server=
d Generate a certificate for the vpxd-extension solution user on each management node.
C:\>"C:\Program Files\VMware\vCenter Server\vmcad\"certool --gencert --cert=new-vpxd-extension.crt --privkey=vpxd-extension-key.
4 Update VMware Directory Service (vmdir) with the new solution user certificates. You are prompted for a vCenter Single Sign-On administrator password.
a Run dir-cli service list to get the unique service ID suffix for each solution user. You can run this command on a Platform Services Controller or a vCenter Server system.
C:\>"C:\Program Files\VMware\vCenter Server\vmafdd\"dir-cli service list
output:
1. machine-29a45d00-60a7-11e4-96ff-00505689639a
2.
Prerequisites Request a certificate for vmdir from your third-party or enterprise CA.
Procedure
1 Stop vmdir.
Linux: service-control --stop vmdird
Windows: service-control --stop VMWareDirectoryService
2 Copy the certificate and key that you just generated to the vmdir location.
Linux:
cp vmdir.crt /usr/lib/vmware-vmdir/share/config/vmdircert.pem
cp vmdir.priv /usr/lib/vmware-vmdir/share/config/vmdirkey.pem
Windows:
copy vmdir.crt C:\programdata\vmware\vCenter
2 On the node on which the vCenter Single Sign-On 5.5 service runs, set up the environment so the vCenter Single Sign-On 6.0 service is known.
a Back up all files in C:\ProgramData\VMware\CIS\cfg\vmdird.
b Make a copy of the vmdircert.pem file on the 6.0 node, and rename it to .pem, where is the FQDN of the 6.0 node.
c Copy the renamed certificate to C:\ProgramData\VMware\CIS\cfg\vmdird to replace the existing replication certificate.
Request Certificates and Import a Custom Root Certificate If company policy does not allow an intermediate CA, VMCA cannot generate the certificates for you. You use custom certificates from an enterprise or third-party CA.
Prerequisites The certificate must meet the following requirements:
- Key size: 2048 bits or more (PEM encoded)
- PEM format. VMware supports PKCS8 and PKCS1 (RSA keys).
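As an added check for the requirements above (and for the signature-algorithm note in the VMCA certificate section, which lists md2WithRSAEncryption, md5WithRSAEncryption and sha1WithRSAEncryption as not recommended and RSASSA-PSS as not supported), the following Python script parses a PEM certificate with a minimal DER decoder, reads the signature algorithm OID and the RSA modulus size, and reports the values a custom certificate must not have. It is example code written for this page, not a VMware tool; it uses only the standard library. The build_test_certificate helper is an assumption for offline testing: it produces a structurally valid but unsigned certificate (its signature bytes are dummies), which is enough to exercise the structural checks. Key usages are not checked here.

```python
import base64
import re

# OIDs named on the page: deprecated RSA signature algorithms and the unsupported RSASSA-PSS.
NOT_RECOMMENDED = {
    "1.2.840.113549.1.1.2": "md2WithRSAEncryption",
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
}
UNSUPPORTED = {"1.2.840.113549.1.1.10": "RSASSA-PSS"}
RSA_ENCRYPTION_OID = "1.2.840.113549.1.1.1"   # rsaEncryption: a plain RSA public key
MIN_RSA_BITS = 2048


def _tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """Split the value of a constructed element (SEQUENCE etc.) into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _tlv(value, pos)
        out.append((tag, val))
    return out


def _decode_oid(value):
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def _pem_to_der(pem):
    body = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S).group(1)
    return base64.b64decode("".join(body.split()))


def inspect_certificate(pem):
    """Return (signature algorithm OID, public key algorithm OID, RSA modulus bits or None)."""
    _, cert, _ = _tlv(_pem_to_der(pem), 0)
    tbs, sig_alg = _children(cert)[:2]                 # Certificate ::= SEQUENCE { tbs, sigAlg, signature }
    sig_oid = _decode_oid(_children(sig_alg[1])[0][1])
    fields = _children(tbs[1])
    if fields[0][0] == 0xA0:                           # optional explicit [0] version
        fields = fields[1:]
    spki = fields[5][1]                                # serial, sigAlg, issuer, validity, subject, SPKI
    key_alg, key_bits = _children(spki)[:2]
    key_oid = _decode_oid(_children(key_alg[1])[0][1])
    bits = None
    if key_oid == RSA_ENCRYPTION_OID:
        _, rsa_key, _ = _tlv(key_bits[1][1:], 0)       # BIT STRING: skip the unused-bits octet
        modulus = _children(rsa_key)[0][1]             # RSAPublicKey ::= SEQUENCE { modulus, exponent }
        bits = int.from_bytes(modulus, "big").bit_length()
    return sig_oid, key_oid, bits


def check_requirements(pem):
    """List the requirements from the page that the certificate fails (empty list = acceptable)."""
    sig_oid, key_oid, bits = inspect_certificate(pem)
    problems = []
    if sig_oid in UNSUPPORTED:
        problems.append(f"unsupported signature algorithm {UNSUPPORTED[sig_oid]} ({sig_oid})")
    elif sig_oid in NOT_RECOMMENDED:
        problems.append(f"not recommended signature algorithm {NOT_RECOMMENDED[sig_oid]} ({sig_oid})")
    if key_oid != RSA_ENCRYPTION_OID:
        problems.append(f"non-RSA public key ({key_oid})")
    elif bits < MIN_RSA_BITS:
        problems.append(f"RSA key is {bits} bits, minimum is {MIN_RSA_BITS}")
    return problems


# Constructed test certificate (assumption: structurally valid DER, signature bytes are dummies).
def _der(tag, value):
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def _pkcs1_oid(dotted):
    """Encode an OID under 1.2.840.113549.1.1, the only arc the test builder needs."""
    return _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01" + bytes([int(dotted.rsplit(".", 1)[1])]))


def build_test_certificate(sig_oid, modulus_bits):
    """PEM certificate with a chosen signature algorithm OID and RSA key size; unsigned."""
    alg = _der(0x30, _pkcs1_oid(sig_oid) + b"\x05\x00")
    modulus = ((1 << (modulus_bits - 1)) | 1).to_bytes(modulus_bits // 8, "big")
    rsa_key = _der(0x30, _der(0x02, b"\x00" + modulus) + _der(0x02, b"\x01\x00\x01"))
    spki = _der(0x30, _der(0x30, _pkcs1_oid(RSA_ENCRYPTION_OID) + b"\x05\x00") + _der(0x03, b"\x00" + rsa_key))
    name = _der(0x30, b"")                             # an empty Name is enough for the structure
    validity = _der(0x30, _der(0x17, b"160101000000Z") + _der(0x17, b"260101000000Z"))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + alg + name + validity + name + spki)
    cert = _der(0x30, tbs + alg + _der(0x03, b"\x00" * 9))
    b64 = base64.b64encode(cert).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    for oid, bits in (("1.2.840.113549.1.1.11", 2048), ("1.2.840.113549.1.1.5", 1024),
                      ("1.2.840.113549.1.1.10", 4096)):
        print(oid, bits, check_requirements(build_test_certificate(oid, bits)) or "OK")
```

To check a real certificate before handing it to Certificate Manager or vecs-cli, read the .crt file and pass its contents to check_requirements; a non-empty list means the CA must reissue it.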
4 Publish the custom root certificate, which is the signing certificate from the third-party CA.
dir-cli trustedcert publish --cert
If you do not specify a user name and password on the command line, you are prompted.
5 Restart all services.
service-control --start --all
What to do next You can remove the original VMCA root certificate from the certificate store if company policy requires it.
Procedure 1 Stop all services and start the services that handle certificate creation, propagation, and storage. The service names differ on Windows and the vCenter Server Appliance.
vSphere Security You replace the machine solution user certificate on each management node and on each Platform Services Controller node. You replace the other solution user certificates only on each management node. Use the --server parameter to point to the Platform Services Controller when you run commands on a management node with an external Platform Services Controller.
4 Restart all services.
service-control --start --all
Replace the VMware Directory Service Certificate If you decide to use a new VMCA root certificate, and you unpublish the VMCA root certificate that was used when you provisioned your environment, you must replace the machine SSL certificates, solution user certificates, and certificates for some internal services.
- You plan to replace the default VMCA-signed certificates with custom certificates for the node on which the vCenter Single Sign-On 6.0 service runs.
Note In most other cases, upgrading the complete environment before restarting the services is best practice. Replacing the VMware Directory Service certificate is not usually recommended.
Procedure
1 On the node on which the vCenter Single Sign-On 6.0 service runs, replace the vmdird SSL certificate and key.
/usr/lib/vmware-vmafd/bin/dir-cli
/usr/lib/vmware-vmca/bin/certool
On Linux, the service-control command does not require that you specify the path. If you run commands from a management node with an external Platform Services Controller, you can specify the Platform Services Controller with the --server parameter.
Changing certool Configuration When you run certool --gencert and certain other certificate initialization or management commands, the CLI reads all the values from a configuration file. You can edit the existing file, override the default configuration file (certool.cfg) by using the --config= option, or override individual values on the command line.
--initcsr: Required for generating CSRs.
--privkey: Name of the private key file.
--pubkey: Name of the public key file.
--csrfile: File name for the CSR file to be sent to the CA provider.
--config: Optional name of the configuration file. Defaults to certool.cfg.
--privkey: Name of the private key file. This file must be in PEM encoded format.
--server: Optional name of the VMCA server. By default, the command uses localhost.
Example:
certool --rootca --cert=root.cert --privkey=privatekey.pem
certool --getdc Returns the default domain name that is used by vmdir.
--server: Optional name of the VMCA server. By default, the command uses localhost.
certool --publish-roots Forces an update of root certificates. This command requires administrative privileges.
--server: Optional name of the VMCA server. By default, the command uses localhost.
Example:
certool --publish-roots
certool Management Commands Reference The certool management commands allow you to view, generate, and revoke certificates and to view information about certificates.
certool --getrootca Prints the current root CA certificate in human-readable form. If you are running this command from a management node, use the machine name of the Platform Services Controller node to retrieve the root CA. This output is not usable as a certificate; it is changed to be human readable.
--getrootca: Required for printing the root certificate.
--server: Optional name of the VMCA server. By default, the command uses localhost.
--status: Required to check the status of a certificate.
--cert: Name of the certificate file whose status you want to check.
--server: Optional name of the VMCA server. By default, the command uses localhost.
Example:
certool --status --cert=
certool --genselfcacert Generates a self-signed certificate based on the values in the configuration file.
vecs-cli store list List certificate stores. VECS includes the following stores.
Table 3‑6. Stores in VECS
Store: Machine SSL store (MACHINE_SSL_CERT)
Store: Trusted root store (TRUSTED_ROOTS)
Description: Contains all trusted root certificates.
Store: Solution user stores (machine, vpxd, vpxd-extensions, vsphere-webclient)
Description: VECS includes one store for each solution user.
Store: vSphere Certificate Manager Utility backup store (BACKUP_STORE)
Description: Used by VMCA (VMware Certificate Manager) to support certificate revert. Only the most recent state is stored as a backup; you cannot go back more than one step.
Store: Other stores
Description: Other stores might be added by solutions. For example, the Virtual Volumes solution adds an SMS store.
--store: Name of the certificate store.
--text: Displays a human-readable version of the certificate.
vecs-cli entry getcert Retrieve a certificate from VECS. You can send the certificate to an output file or display it as human-readable text.
--store: Name of the certificate store.
--alias: Alias of the certificate.
--output: File to write the certificate to.
--name: Name of the solution user to create.
--cert: Path to the certificate file. This can be a certificate signed by VMCA or a third-party certificate.
--login: By default, administrator@vsphere.local. That administrator can add other users to the CAAdmins vCenter Single Sign-On group to give them administrator privileges.
--password: Password of the administrator user.
dir-cli user create Creates a regular user inside vmdir. This command can be used for human users who authenticate to vCenter Single Sign-On with a user name and password. Use this command only during prototyping.
--account: Name of the vCenter Single Sign-On user to create.
--user-password: Initial password for the user.
--first-name: First name for the user.
--last-name: Last name for the user.
--name: Optional name of the group in vmdir. This option allows you to check whether a group exists.
--login: By default, administrator@vsphere.local. That administrator can add other users to the CAAdmins vCenter Single Sign-On group to give them administrator privileges.
--password: Password of the administrator user. If you do not specify the password, you are prompted.
dir-cli trustedcert get Retrieves a trusted root certificate from vmdir and writes it to a specified file.
--id: ID of the certificate to retrieve. The ID is displayed in the dir-cli trustedcert list command.
--outcert: Path to write the certificate file to.
--outcrl: Path to write the CRL file to. Not currently used.
--login: By default, administrator@vsphere.local.
--account: Account name.
--current: Current password of the user who owns the account.
--new: New password of the user who owns the account.
View vCenter Certificates with the vSphere Web Client You can view the certificates known to the vCenter Certificate Authority (VMCA) to see whether active certificates are about to expire, to check on expired certificates, and to see the status of the root certificate.
vSphere Permissions and User Management Tasks 4 vCenter Single Sign-On supports authentication, which means it determines whether a user can access vSphere components at all. In addition, each user must be authorized to view or manipulate vSphere objects. vSphere supports several different authorization mechanisms, discussed in “Understanding Authorization in vSphere,” on page 136. The focus of the information in this section is the vCenter Server permission model and how to perform user management tasks.
Understanding Authorization in vSphere The primary way of authorizing a user or group in vSphere is the vCenter Server permissions. Depending on the task you want to perform, you might require other authorization. vSphere 6.0 and later allows privileged users to give other users permissions to perform tasks in the following ways.
Chapter 4 vSphere Permissions and User Management Tasks Roles Roles allow you to assign permissions on an object based on a typical set of tasks that users perform. Default roles, such as Administrator, are predefined on vCenter Server and cannot be changed. Other roles, such as Resource Pool Administrator, are predefined sample roles. You can create custom roles either from scratch or by cloning and modifying sample roles. Privileges Privileges are fine-grained access controls.
Hierarchical Inheritance of Permissions When you assign a permission to an object, you can choose whether the permission propagates down the object hierarchy. You set propagation for each permission. Propagation is not universally applied. Permissions defined for a child object always override the permissions that are propagated from parent objects. The figure illustrates the inventory hierarchy and the paths by which permissions can propagate.
Chapter 4 vSphere Permissions and User Management Tasks Most inventory objects inherit permissions from a single parent object in the hierarchy. For example, a datastore inherits permissions from either its parent datastore folder or parent data center. Virtual machines inherit permissions from both the parent virtual machine folder and the parent host, cluster, or resource pool simultaneously.
If multiple group permissions are defined on the same object and a user belongs to two or more of those groups, two situations are possible:
- If no permission is defined for the user on that object, the user is assigned the set of privileges assigned to the groups for that object.
- If a permission is defined for the user on that object, the user's permission takes precedence over all group permissions.
Figure 4‑4. Example 2: Child Permissions Overriding Parent Permissions (figure: group A + role 1 is assigned on the VM Folder, so user 1 has the privileges of role 1 only on VM A; group B + role 2 is assigned on VM B, so user 1 has the privileges of role 2 only on VM B)
Example 3: User Role Overriding Group Role This example illustrates how the role assigned directly to an individual user overrides the privileges associated with a role assigned to a group.
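The precedence rules described above (a permission defined on a child object overrides what propagates from its parents, a permission assigned directly to a user overrides group permissions on the same object, privileges from several matching groups combine, and a virtual machine inherits from both its folder and its host, cluster, or resource pool) can be modelled as a small resolver. The following Python script is an added example written for this page, not VMware code. The roles, principals, and inventory in it are constructed to reproduce Examples 2 and 3, and treating what a virtual machine inherits from its two parents as the union of their propagated privileges is an assumption made here.

```python
from dataclasses import dataclass, field

# Constructed sample roles; privilege names follow the vSphere style, the sets are illustrative.
ROLES = {
    "Read-only": {"System.Anonymous", "System.View", "System.Read"},
    "Power user": {"System.View", "VirtualMachine.Interaction.PowerOn",
                   "VirtualMachine.Interaction.PowerOff"},
    "Rename only": {"System.View", "VirtualMachine.Config.Rename"},
}


@dataclass
class Permission:
    principal: str        # user or group name
    role: str             # key into ROLES
    propagate: bool = True


@dataclass
class InventoryObject:
    name: str
    parents: list = field(default_factory=list)      # a VM lists its folder and its host/cluster/pool
    permissions: list = field(default_factory=list)


def _local(perms, user, groups, propagated_only):
    """Resolve the permissions defined on one object for a user.

    A permission for the user itself takes precedence over any group permission;
    otherwise the privileges of every matching group permission are combined.
    Returns None when nothing on this object applies to the user."""
    if propagated_only:                   # seen from a child: only propagating permissions count
        perms = [p for p in perms if p.propagate]
    for p in perms:
        if p.principal == user:
            return set(ROLES[p.role])
    matched = [ROLES[p.role] for p in perms if p.principal in groups]
    return set().union(*matched) if matched else None


def _resolve(obj, user, groups, propagated_only):
    here = _local(obj.permissions, user, groups, propagated_only)
    if here is not None:
        return here                       # defined on this object: overrides anything propagated
    inherited = set()
    for parent in obj.parents:            # assumption: a VM combines what both parents propagate
        inherited |= _resolve(parent, user, groups, propagated_only=True)
    return inherited


def effective_privileges(obj, user, groups):
    """Privileges `user` (member of the set `groups`) holds on `obj`."""
    return _resolve(obj, user, groups, propagated_only=False)


def build_example():
    """Constructed inventory reproducing Examples 2 and 3 plus a VM with two parents."""
    dc = InventoryObject("Datacenter")
    folder = InventoryObject("VM Folder", parents=[dc])
    host = InventoryObject("Host", parents=[dc])
    vm_a = InventoryObject("VM A", parents=[folder, host])
    vm_b = InventoryObject("VM B", parents=[folder, host])
    folder.permissions.append(Permission("group A", "Power user"))   # Example 2: propagates to VM A and VM B
    vm_b.permissions.append(Permission("group B", "Rename only"))    # Example 2: child overrides parent on VM B
    folder.permissions.append(Permission("user 3", "Read-only"))     # Example 3: user role overrides group A's role
    host.permissions.append(Permission("group C", "Read-only"))      # second parent of both VMs
    dc.permissions.append(Permission("user 2", "Read-only", propagate=False))  # does not reach children
    return {"dc": dc, "folder": folder, "host": host, "vm_a": vm_a, "vm_b": vm_b}


if __name__ == "__main__":
    inv = build_example()
    for obj, user, groups in ((inv["vm_a"], "user 1", {"group A", "group B"}),
                              (inv["vm_b"], "user 1", {"group A", "group B"}),
                              (inv["vm_a"], "user 1", {"group A", "group C"}),
                              (inv["vm_a"], "user 3", {"group A"}),
                              (inv["folder"], "user 2", set())):
        print(obj.name, user, sorted(effective_privileges(obj, user, groups)))
```

Running the script shows user 1 with Power user privileges on VM A but only Rename only on VM B (Example 2), user 3 with Read-only on VM A although group A holds Power user on the folder (Example 3), and user 2 with nothing on the folder because the datacenter permission does not propagate. Before assigning a permission in production, reasoning through the same resolution for the principal and object in question is the check that catches unintended privilege on child objects.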
vSphere Security To manage permissions from the vSphere Web Client, you need to understand the following concepts: Permissions Each object in the vCenter Server object hierarchy has associated permissions. Each permission specifies for one group or user which privileges that group or user has on the object. Users and Groups On vCenter Server systems, you can assign privileges only to authenticated users or groups of authenticated users. Users are authenticated through vCenter Single Sign-On.
d (Optional) Click Check Names to verify that the user or group exists in the identity source.
e Click OK.
5 Select a role from the Assigned Role drop-down menu. The roles that are assigned to the object appear in the menu. The privileges contained in the role are listed in the section below the role title.
6 (Optional) To limit propagation, deselect the Propagate to Child Objects check box.
vSphere Security Change Permission Validation Settings vCenter Server periodically validates its user and group lists against the users and groups in the user directory. It then removes users or groups that no longer exist in the domain. You can disable validation or change the interval between validations. If you have domains with thousands of users or groups, or if searches take a long time to complete, consider adjusting the search settings. For vCenter Server versions before vCenter Server 5.
If you assign a global permission and do not select Propagate, the users or groups associated with this permission do not have access to the objects in the hierarchy. They only have access to some global functionality such as creating roles. Important Use global permissions with care. Verify that you really want to assign permissions to all objects in all inventory hierarchies.
vSphere Security Permissions on Tag Objects In the vCenter Server object hierarchy, tag objects are not children of vCenter Server but are created at the vCenter Server root level. In environments with multiple vCenter Server instances, tag objects are shared across vCenter Server instances. Permissions for tag objects work differently than permissions for other objects in the vCenter Server object hierarchy.
Table 4‑3. Global Permissions Extend Tag-Level Permissions
Global Permission: Lee has the Assign or Unassign vSphere Tag privilege. Tag-Level Permission: Lee has the Delete vSphere Tag privilege. Effective Permission: Lee has the Assign vSphere Tag privilege and the Delete vSphere Tag privilege for the tag.
Global Permission: No tagging privileges assigned. Tag-Level Permission: Lee has the Delete vSphere Tag privilege assigned for the tag. Effective Permission: Lee has the Delete vSphere Tag privilege for the tag.
vSphere Security When you manage a host using vCenter Server, the permissions associated with that host are created through vCenter Server and stored on vCenter Server. If you connect directly to a host, only the roles that are created directly on the host are available. Note When you add a custom role and do not assign any privileges to it, the role is created as a Read Only role with three system-defined privileges: System.Anonymous, System.View, and System.Read.
Chapter 4 vSphere Permissions and User Management Tasks Create a Custom Role You can create vCenter Server custom roles to suit the access control needs of your environment. If you create or edit a role on a vCenter Server system that is part of the same vCenter Single Sign-On domain as other vCenter Server systems, the VMware Directory Service (vmdir) propagates the changes that you make to all other vCenter Server systems in the group.
vSphere Security Procedure 1 Log in to vCenter Server with the vSphere Web Client. 2 Select Home, click Administration, and click Roles. 3 Select a role and click the Edit role action button. 4 Select or deselect privileges for the role and click OK. Best Practices for Roles and Permissions Use best practices for roles and permissions to maximize the security and manageability of your vCenter Server environment.
- Moving an object in the inventory hierarchy requires appropriate privileges on the object itself, the source parent object (such as a folder or cluster), and the destination parent object.
- Each host and cluster has its own implicit resource pool that contains all the resources of that host or cluster. Deploying a virtual machine directly to a host or cluster requires the Resource.Assign Virtual Machine to Resource Pool privilege.
Table 4‑4. Required Privileges for Common Tasks
Table 4‑4. Required Privileges for Common Tasks (Continued) Task Required Privileges Applicable Role Install a guest operating system on a virtual machine On the virtual machine or folder of virtual machines: - Virtual machine.Interaction.Answer question - Virtual machine.Interaction.Console interaction - Virtual machine.Interaction.Device connection - Virtual machine.Interaction.
Securing ESXi Hosts 5 The ESXi hypervisor architecture has many built-in security features such as CPU isolation, memory isolation, and device isolation. You can configure additional features such as lockdown mode, certificate replacement, and smart card authentication for enhanced security. An ESXi host is also protected with a firewall. You can open ports for incoming and outgoing traffic as needed, but should restrict access to services and ports.
Use Scripts to Manage Host Configuration Settings In environments with many hosts, managing hosts with scripts is faster and less error prone than managing the hosts from the vSphere Web Client. vSphere includes several scripting languages for host management. See the vSphere Command-Line Documentation and the vSphere API/SDK Documentation for reference information and programming tips and VMware Communities for additional tips about scripted management.
Chapter 5 Securing ESXi Hosts 3 Write scripts to perform parameter checking or modification, and run them. For example, you can check or set the shell interactive timeout of a host as follows: Language Commands vCLI (ESXCLI):
esxcli system settings advanced get /UserVars/ESXiShellTimeOut
esxcli --formatter=csv --format-param=fields="Path,Int Value" system settings advanced list | grep /UserVars/ESXiShellTimeOut
PowerCLI #List UserVars.
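The step above asks you to write a script that checks advanced settings across many hosts. The following is an added example (not VMware's code and not from this guide) of the checking half of that job: it parses the CSV output of the esxcli list command quoted above and flags hosts whose shell timeouts are disabled. The host names and the CSV text are constructed samples; in practice the text would come from running esxcli against each host.

```python
import csv
import io

# Constructed sample output (not captured from real hosts) of
#   esxcli --formatter=csv --format-param=fields="Path,IntValue" system settings advanced list
# for two hosts. esxcli's CSV formatter ends every row, header included,
# with a trailing comma; the parser below tolerates that.
SAMPLE_OUTPUT = {
    "esx01.example.test": (
        "Path,IntValue,\n"
        "/UserVars/ESXiShellTimeOut,600,\n"
        "/UserVars/ESXiShellInteractiveTimeOut,900,\n"
        "/UserVars/SuppressShellWarning,0,\n"
    ),
    "esx02.example.test": (
        "Path,Int Value,\n"  # the column name is sometimes printed with a space
        "/UserVars/ESXiShellTimeOut,0,\n"
        "/UserVars/ESXiShellInteractiveTimeOut,0,\n"
        "/UserVars/SuppressShellWarning,1,\n"
    ),
}

# Desired state. A timeout of 0 means "never expire", so both timeouts must be
# positive; SuppressShellWarning=1 hides the warning that the shell is enabled.
POLICY = {
    "/UserVars/ESXiShellTimeOut": lambda v: v > 0,
    "/UserVars/ESXiShellInteractiveTimeOut": lambda v: v > 0,
    "/UserVars/SuppressShellWarning": lambda v: v == 0,
}


def parse_esxcli_csv(text):
    """Return {advanced-option path: int value} from esxcli CSV output."""
    reader = csv.DictReader(io.StringIO(text))
    settings = {}
    for row in reader:
        # Normalise header names so "Int Value" and "IntValue" are treated alike.
        fields = {(k or "").replace(" ", ""): v for k, v in row.items()}
        path, value = fields.get("Path"), fields.get("IntValue")
        if not path or value in (None, ""):
            continue
        settings[path] = int(value)
    return settings


def check_host(settings):
    """Return a list of policy findings for one host (empty list means compliant)."""
    findings = []
    for path, compliant in POLICY.items():
        if path not in settings:
            findings.append(f"{path}: not reported by host")
        elif not compliant(settings[path]):
            findings.append(f"{path}={settings[path]}: violates policy")
    return findings


def audit(outputs):
    """Map host name -> findings for a dict of {host: esxcli CSV text}."""
    return {host: check_host(parse_esxcli_csv(text)) for host, text in outputs.items()}


if __name__ == "__main__":
    for host, findings in audit(SAMPLE_OUTPUT).items():
        print(host, "OK" if not findings else findings)
```

A host that fails the check is fixed with the matching set command, for example `esxcli system settings advanced set -o /UserVars/ESXiShellTimeOut -i 600`; keeping the check and the fix in separate steps lets you review the findings before anything changes.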
General ESXi Security Recommendations To protect an ESXi host against unauthorized intrusion and misuse, VMware imposes constraints on several parameters, settings, and activities. You can loosen the constraints to meet your configuration needs. If you do, make sure that you are working in a trusted environment and that you have taken enough other security measures to protect the network as a whole and the devices connected to the host.
Use the vSphere Client or VMware CLIs or APIs to administer standalone ESXi hosts Use the vSphere Client, one of the VMware CLIs or APIs to administer your ESXi hosts. Access the host from the DCUI or the ESXi Shell as the root user only for troubleshooting. If you decide to use the ESXi Shell, limit the accounts with access and set timeouts. Use only VMware sources to upgrade ESXi components.
- xQaTEh2: Ends with a number, reducing the effective number of character classes to two. The minimum number of required character classes is three. ESXi Pass Phrase Instead of a password, you can also use a pass phrase; however, pass phrases are disabled by default. You can change this default or other settings by using the Security.PasswordQualityControl advanced option from the vSphere Web Client. For example, you can change the option to the following.
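The xQaTEh2 example above is only explicable if, as in pam_passwdqc, a trailing digit (and a leading uppercase letter) is not counted toward the class total. The following added example, which is not VMware's code, reproduces that counting rule and evaluates a candidate against a Security.PasswordQualityControl string. The default option string used here is an assumption (the page's own example value is cut off), and the min= fields are interpreted as passwdqc does: minimum lengths for 1-class, 2-class, pass-phrase, 3-class and 4-class passwords respectively.

```python
import re

# Assumed default for Security.PasswordQualityControl; the format is
# pam_passwdqc's, where "disabled" means that category is never accepted.
DEFAULT_OPTION = "retry=3 min=disabled,disabled,disabled,7,7"


def effective_classes(password):
    """Count character classes with passwdqc's two discounts: an uppercase first
    character and a digit last character do not count toward the class total.
    That is why xQaTEh2 counts as two classes rather than three."""
    body = password
    if body and body[0].isupper():
        body = body[1:]
    if body and body[-1].isdigit():
        body = body[:-1]
    classes = set()
    for ch in body:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("special")
    return len(classes)


def parse_min(option):
    """Extract the min= list from the option string as {category: min length or None}."""
    match = re.search(r"min=(\S+)", option)
    if not match:
        raise ValueError("no min= setting in option string")
    fields = match.group(1).split(",")
    if len(fields) != 5:
        raise ValueError("min= needs exactly five comma-separated values")
    conv = lambda f: None if f == "disabled" else int(f)
    return {1: conv(fields[0]), 2: conv(fields[1]), "passphrase": conv(fields[2]),
            3: conv(fields[3]), 4: conv(fields[4])}


def evaluate(password, option=DEFAULT_OPTION):
    """Return (accepted, reason) for a single-word password under the option string.
    Pass phrases (the third min= field) are not modelled here."""
    minimums = parse_min(option)
    n = effective_classes(password)
    if n == 0:
        return False, "no countable characters"
    required = minimums[n]
    if required is None:
        return False, f"{n} character class(es): category disabled by policy"
    if len(password) < required:
        return False, f"{n} classes need at least {required} characters, got {len(password)}"
    return True, f"{n} classes, length {len(password)} >= {required}"


if __name__ == "__main__":
    for candidate in ("xQaTEh2", "xQaTEh2b", "Xqa7e!"):
        print(candidate, evaluate(candidate))
```

With the assumed default, xQaTEh2 is rejected because two-class passwords are disabled, while xQaTEh2b (the trailing letter stops the digit discount, so three classes and eight characters) is accepted.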
ESXi Networking Security Recommendations Isolation of network traffic is essential to a secure ESXi environment. Different networks require different access and level of isolation. Your ESXi host uses several networks. Use appropriate security measures for each network, and isolate traffic for specific applications and functions. For example, ensure that vSphere vMotion traffic does not travel over networks where virtual machines are located. Isolation prevents snooping.
Disabling remote access with authorized keys might limit your ability to run commands remotely on a host without providing a valid login. For example, this can prevent you from running an unattended remote script. Certificate Management for ESXi Hosts In vSphere 6.0 and later, the VMware Certificate Authority (VMCA) provisions each new ESXi host with a signed certificate that has VMCA as the root certificate authority by default.
ESXi Provisioning and VMCA When you boot an ESXi host from installation media, the host initially has an autogenerated certificate. When the host is added to the vCenter Server system, it is provisioned with a certificate that is signed by VMCA as the root CA. The process is similar for hosts that are provisioned with Auto Deploy. However, because those hosts do not store any state, the signed certificate is stored by the Auto Deploy server in its local certificate store.
Host Upgrades and Certificates If you upgrade an ESXi host to ESXi 6.0 or later, the upgrade process replaces self-signed certificates with VMCA-signed certificates. The process retains custom certificates even if those certificates are expired or invalid. The recommended upgrade workflow depends on the current certificates.
Table 5‑3. CSR Settings (Continued)
Parameter | Default Value | Advanced Option
Common Name | Name of the host if the host was added to vCenter Server by host name. IP address of the host if the host was added to vCenter Server by IP address. | N.A.
Country | USA | vpxd.certmgmt.certs.cn.country
Email address | vmca@vmware.com | vpxd.certmgmt.certs.cn.email
Locality (City) | Palo Alto | vpxd.certmgmt.certs.cn.localityName
Organization Unit Name | VMware Engineering | vpxd.certmgmt.
3 Select Certificate Valid To, click OK, and scroll to the right if necessary. The certificate information shows when the certificate expires. If a host is added to vCenter Server or reconnected after a disconnect, vCenter Server renews the certificate if the status is Expired, Expiring, Expiring shortly, or Expiration imminent.
Procedure 1 Browse to the host in the vSphere Web Client inventory. 2 Click the Manage tab and click Settings. 3 Select System, and click Certificate. You can view detailed information about the selected host's certificate. 4 5 Click Renew or Refresh CA Certificates. Option Description Renew Retrieves a fresh signed certificate for the host from VMCA.
Table 5‑4. Certificate Modes for ESXi Hosts Certificate Mode Description VMware Certificate Authority (default) By default, the VMware Certificate Authority is used as the CA for ESXi host certificates. VMCA is the root CA by default, but it can be set up as the intermediary CA to another CA. In this mode, users can manage certificates from the vSphere Web Client. Also used if VMCA is a subordinate certificate.
Switching from Thumbprint Mode to VMCA Mode If you use thumbprint mode and you want to start using VMCA-signed certificates, the switch requires some planning. The recommended workflow is as follows. 1 Remove all hosts from the vCenter Server system. 2 Switch to VMCA certificate mode. See “Change the Certificate Mode,” on page 167. 3 Add the hosts to the vCenter Server system. Note Any other workflow for this mode switch might result in unpredictable behavior.
Replacing ESXi SSL Certificates and Keys Your company's security policy might require that you replace the default ESXi SSL certificate with a third-party CA-signed certificate on each host. By default, vSphere components use the VMCA-signed certificate and key that are created during installation. If you accidentally delete the VMCA-signed certificate, remove the host from its vCenter Server system, and add it back.
Replace the Default Certificate and Key from the ESXi Shell You can replace the default VMCA-signed ESXi certificates from the ESXi Shell. Prerequisites - If you want to use third-party CA-signed certificates, generate the certificate request, send it to the certificate authority, and store the certificates on each ESXi host. - If necessary, enable the ESXi Shell or enable SSH traffic from the vSphere Web Client.
3 When you have the certificate, use the vifs command to upload the certificate to the appropriate location on the host from an SSH connection to the host.
vifs --server hostname --username username --put rui.crt /host/ssl_cert
vifs --server hostname --username username --put rui.key /host/ssl_key
4 Restart the host. What to do next Update the vCenter Server TRUSTED_ROOTS store. See “Update the vCenter Server TRUSTED_ROOTS Store (Custom Certificates),” on page 170.
Procedure 1 Log in to the vCenter Server system that manages the ESXi hosts. Log in to the Windows system on which you installed the software, or log in to the vCenter Server Appliance shell. 2 Run vecs-cli to add the new certificates to the TRUSTED_ROOTS store, for example:
/usr/lib/vmware-vmafd/bin/vecs-cli entry create --store TRUSTED_ROOTS --alias custom1.crt --cert /etc/vmware/ssl/custom1.
2 From the vSphere Web Client, stop the Auto Deploy service. a Select Administration, and click System Configuration under Deployment. b Click Services. c Right-click the service you want to stop and select Stop. 3 On the system where the Auto Deploy service runs, replace rbd-ca.crt and rbd-ca.key in /etc/vmware-rbd/ssl/ with your custom certificate and key file.
-----BEGIN CERTIFICATE-----
previous cert
-----END CERTIFICATE-----
2 Copy the text starting with -----BEGIN PRIVATE KEY----- and ending with -----END PRIVATE KEY----- into the /etc/vmware/ssl/rui.key file. Include -----BEGIN PRIVATE KEY----- and -----END PRIVATE KEY-----. 3 Copy the text between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- into the /etc/vmware/ssl/rui.crt file. Include -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----.
ESXi Firewall Concepts (http://link.brightcove.com/services/player/bcpid2296383276001?bctid=ref:video_esxi_firewall_concepts) The behavior of the NFS Client rule set (nfsClient) is different from other rule sets. When the NFS Client rule set is enabled, all outbound TCP ports are open for the destination hosts in the list of allowed IP addresses. See “NFS Client Firewall Behavior,” on page 177 for more information.
Procedure 1 Browse to the host in the vSphere Web Client inventory. 2 Click the Manage tab and click Settings. 3 Under System, click Security Profile. 4 In the Firewall section, click Edit and select a service from the list. 5 In the Allowed IP Addresses section, deselect Allow connections from any IP address and enter the IP addresses of networks that are allowed to connect to the host. Separate IP addresses with commas.
Table 5‑5. Incoming Firewall Connections (Continued) Service Port Comment NSX Distributed Logical Router Service 6999 (UDP) NSX Virtual Distributed Router service. The firewall port associated with this service is opened when NSX VIBs are installed and the VDR module is created. If no VDR instances are associated with the host, the port does not have to be open. This service was called NSX Distributed Logical Router in earlier versions of the product.
Table 5‑6. Outgoing Firewall Connections (Continued) Service Port Comment Software iSCSI Client 3260 (TCP) Supports software iSCSI. NSX Distributed Logical Router Service 6999 (UDP) The firewall port associated with this service is opened when NSX VIBs are installed and the VDR module is created. If no VDR instances are associated with the host, the port does not have to be open.
- If no mounted NFS v3 datastores remain after the unmount operation, ESXi disables the nfsClient firewall rule set. NFS v4.1 Firewall Behavior When you mount the first NFS v4.1 datastore, ESXi enables the nfs41client rule set and sets its allowedAll flag to TRUE. This action opens port 2049 for all IP addresses. Unmounting an NFS v4.1 datastore does not affect the firewall state. That is, the first NFS v4.
Available services depend on the VIBs that are installed on the ESXi host. You cannot add services without installing a VIB. Some VMware products, for example, vSphere HA, install VIBs on hosts and make services and the corresponding firewall ports available. In a default installation, you can modify the status of the following services from the vSphere Web Client. Table 5‑8.
Prerequisites Connect to vCenter Server with the vSphere Web Client. Procedure 1 Browse to a host in the vSphere Web Client inventory, and select a host. 2 Click the Manage tab and click Settings. 3 Under System, select Security Profile and click Edit. 4 Scroll to the service that you wish to change.
Normal Lockdown Mode and Strict Lockdown Mode Starting with vSphere 6.0, you can select normal lockdown mode or strict lockdown mode, which offer different degrees of lockdown. Normal Lockdown Mode Strict Lockdown Mode In normal lockdown mode the DCUI service is not stopped.
Privileged users can disable lockdown mode from the vSphere Web Client. They can disable normal lockdown mode from the Direct Console Interface, but they cannot disable strict lockdown mode from the Direct Console Interface. Note If you enable or disable lockdown mode using the Direct Console User Interface, permissions for users and groups on the host are discarded. To preserve these permissions, you can enable and disable lockdown mode using the vSphere Web Client.
Table 5‑9. Lockdown Mode Behavior (Continued) Normal Lockdown Mode Service Normal Mode Strict Lockdown Mode ESXi Shell (if enabled) Users with administrator privileges on the host Users defined in the DCUI.Access advanced option Exception users with administrator privileges on the host Users defined in the DCUI.
Disable Lockdown Mode Using the vSphere Web Client Disable lockdown mode to allow configuration changes from direct connections to the ESXi host. Leaving lockdown mode enabled results in a more secure environment. In vSphere 6.0 you can disable lockdown mode as follows: From the vSphere Web Client Users can disable both normal lockdown mode and strict lockdown mode from the vSphere Web Client.
Specifying Accounts with Access Privileges in Lockdown Mode You can specify service accounts that can access the ESXi host directly by adding them to the Exception Users list. You can specify a single user who can access the ESXi host in case of catastrophic vCenter Server failure. What different accounts can do by default when lockdown mode is enabled, and how you can change the default behavior, depends on the version of the vSphere environment.
Specify Lockdown Mode Exception Users In vSphere 6.0 and later, you can add users to the Exception Users list from the vSphere Web Client. These users do not lose their permissions when the host enters lockdown mode. It makes sense to add service accounts such as a backup agent to the Exception Users list. Exception users do not lose their privileges when the host enters lockdown mode.
PartnerSupported VIBs with the PartnerSupported acceptance level are published by a partner that VMware trusts. The partner performs all testing. VMware does not verify the results. This level is used for a new or nonmainstream technology that partners want to enable for VMware systems. Today, driver VIB technologies such as Infiniband, ATAoE, and SSD are at this level with nonstandard hardware drivers.
You can add local users and define custom roles from the Management tab of the vSphere Client. See the vSphere Administration with the vSphere Client documentation. The following roles are predefined: Read Only Allows a user to view objects associated with the ESXi host but not to make any changes to objects. Administrator Administrator role. No Access No access. This is the default. You can override the default as appropriate.
The vCenter Server administrator can perform most of the same tasks on the host as the root user and also schedule tasks, work with templates, and so forth. However, the vCenter Server administrator cannot directly create, delete, or edit local users and groups for hosts. These tasks can only be performed by a user with Administrator permissions directly on each host. Note You cannot manage the vpxuser using Active Directory. Caution Do not change vpxuser in any way.
- Verify that the host machine has a valid IPv4 address. You can install vSphere Authentication Proxy on a machine in an IPv4-only or IPv4/IPv6 mixed-mode network environment, but you cannot install vSphere Authentication Proxy on a machine in an IPv6-only environment. - If you are installing vSphere Authentication Proxy on a Windows Server 2008 R2 host machine, download and install the Windows hotfix described in Windows KB Article 981506 on the support.microsoft.com Web site.
- Verify that the host name of ESXi is fully qualified with the domain name of the Active Directory forest. fully qualified domain name = host_name.domain_name Procedure 1 Synchronize the time between ESXi and the directory service system using NTP. See “Synchronize ESXi Clocks with a Network Time Server,” on page 247 or the VMware Knowledge Base for information about how to synchronize ESXi time with a Microsoft Domain Controller.
2 Click the Manage tab and click Settings. 3 Under System, select Authentication Services. The Authentication Services page displays the directory service and domain settings. Using vSphere Authentication Proxy When you use the vSphere Authentication Proxy, you do not need to transmit Active Directory credentials to the host. Users supply the domain name of the Active Directory server and the IP address of the authentication proxy server when they add a host to a domain.
Gather the following information to complete the installation or upgrade: - The location to install vSphere Authentication Proxy, if you are not using the default location. - The address and credentials for the vCenter Server that vSphere Authentication Proxy will connect to: IP address or name, HTTP port, user name, and password. - The host name or IP address to identify vSphere Authentication Proxy on the network.
2 If a host is not provisioned by Auto Deploy, change the default SSL certificate to a self-signed certificate or to a certificate signed by a commercial certificate authority (CA). Option Description VMCA certificate If you are using the default VMCA-signed certificates, you have to ensure that the authentication proxy host trusts the VMCA certificate. a Manually add the VMCA certificate to the Trusted Root Certificate Authorities certificate store.
What to do next Import the certificate to ESXi. Import a Proxy Server Certificate to ESXi To authenticate the vSphere Authentication Proxy server to ESXi, upload the proxy server certificate to ESXi. You use the vSphere Web Client user interface to upload the vSphere Authentication Proxy server certificate to the ESXi host. Prerequisites Install the vSphere Authentication Proxy service (CAM service) on a host.
Procedure 1 Browse to the host in the vSphere Web Client and click the Manage tab. 2 Click Settings and select Authentication Services. 3 Click Join Domain. 4 Enter a domain. Use the form name.tld or name.tld/container/path. 5 Select Using Proxy Server. 6 Enter the IP address of the authentication proxy server. 7 Click OK.
Enable Smart Card Authentication Enable smart card authentication to prompt for smart card and PIN combination to log in to the ESXi DCUI. Prerequisites - Set up the infrastructure to handle smart card authentication, such as accounts in the Active Directory domain, smart card readers, and smart cards. - Configure ESXi to join an Active Directory domain that supports smart card authentication.
Authenticating User Credentials in Case of Connectivity Problems If the Active Directory (AD) domain server is not reachable, you can log in to the ESXi DCUI by using user name and password authentication to perform emergency actions on the host. In exceptional circumstances, the AD domain server is not reachable to authenticate the user credentials on the smart card because of connectivity problems, network outage, or disasters.
Monitor configuration files Although most ESXi configuration settings are controlled with an API, a limited number of configuration files affect the host directly. These files are exposed through the vSphere file transfer API, which uses HTTPS. If you make changes to these files, you must also perform the corresponding administrative action such as making a configuration change. Note Do not attempt to monitor files that are NOT exposed via this file transfer API.
Enabling SSH and adding SSH keys to the host has inherent risks and is not recommended in a hardened environment. See “Disable Authorized (SSH) Keys,” on page 159. Note For ESXi 5.0 and earlier, a user with an SSH key can access the host even when the host is in lockdown mode. This is fixed in ESXi 5.1. SSH Security You can use SSH to remotely log in to the ESXi Shell and perform troubleshooting tasks for the host. SSH configuration in ESXi is enhanced to provide a high security level.
Upload an SSH Key Using HTTPS PUT You can use authorized keys to log in to a host with SSH. You can upload authorized keys with HTTPS PUT. Authorized keys allow you to authenticate remote access to a host. When users or scripts try to access a host with SSH, the key provides authentication without a password. With authorized keys you can automate authentication, which is useful when you write scripts to perform routine tasks.
- Use the vSphere Web Client to Enable Access to the ESXi Shell on page 202 You can use the vSphere Web Client to enable local and remote (SSH) access to the ESXi Shell and to set the idle timeout and availability timeout. - Use the Direct Console User Interface (DCUI) to Enable Access to the ESXi Shell on page 203 The Direct Console User Interface (DCUI) allows you to interact with the host locally using text-based menus.
Create a Timeout for ESXi Shell Availability in the vSphere Web Client The ESXi Shell is disabled by default. You can set an availability timeout for the ESXi Shell to increase security when you enable the shell. The availability timeout setting is the amount of time that can elapse before you must log in after the ESXi Shell is enabled. After the timeout period, the service is disabled and users are not allowed to log in.
Procedure 1 From the Direct Console User Interface, press F2 to access the System Customization menu. 2 Select Troubleshooting Options and press Enter. 3 From the Troubleshooting Mode Options menu, select a service to enable. - Enable ESXi Shell - Enable SSH 4 Press Enter to enable the service. 5 Press Esc until you return to the main menu of the Direct Console User Interface. What to do next Set the availability and idle timeouts for the ESXi Shell.
2 Enter the idle timeout, in seconds. You must restart the SSH service and the ESXi Shell service for the timeout to take effect. 3 Press Enter and press Esc until you return to the main menu of the Direct Console User Interface. If the session is idle, users are logged out after the timeout period elapses. Log in to the ESXi Shell for Troubleshooting Perform ESXi configuration tasks with the vSphere Web Client, the vSphere CLI, or vSphere PowerCLI.
vSphere Auto Deploy Security Considerations To best protect your environment, be aware of security risks that might exist when you use Auto Deploy with host profiles. Networking Security Secure your network as you would for any other PXE-based deployment method. vSphere Auto Deploy transfers data over SSL to prevent casual interference and snooping. However, the authenticity of the client or of the Auto Deploy server is not checked during a PXE boot.
Configure Syslog on ESXi Hosts All ESXi hosts run a syslog service (vmsyslogd), which logs messages from the VMkernel and other system components to log files. You can use the vSphere Web Client or the esxcli system syslog vCLI command to configure the syslog service. For more information about using vCLI commands, see Getting Started with vSphere Command-Line Interfaces. Procedure 1 In the vSphere Web Client inventory, select the host. 2 Click the Manage tab.
ESXi Log File Locations ESXi records host activity in log files, using a syslog facility.
Component | Location | Purpose
VMkernel | /var/log/vmkernel.log | Records activities related to virtual machines and ESXi.
VMkernel warnings | /var/log/vmkwarning.log | Records activities related to virtual machines.
VMkernel summary | /var/log/vmksummary.log | Used to determine uptime and availability statistics for ESXi (comma separated).
ESXi host agent log | /var/log/hostd.
Securing vCenter Server Systems 6 Securing vCenter Server includes ensuring security of the host where vCenter Server is running, following best practices for assigning privileges and roles, and verifying the integrity of the clients that connect to vCenter Server.
Minimize Access Avoid allowing users to log directly in to the vCenter Server host machine. Users who are logged in to the vCenter Server can potentially cause harm, either intentionally or unintentionally, by altering settings and modifying processes. They also have potential access to vCenter credentials, such as the SSL certificate. Allow only those users who have legitimate tasks to perform to log in to the system and ensure that login events are audited.
Chapter 6 Securing vCenter Server Systems Use High RDP Encryption Levels On each Windows computer in the infrastructure, ensure that Remote Desktop Host Configuration settings are set to ensure the highest level of encryption appropriate for your environment. Verify vSphere Web Client Certificates Instruct users of the vSphere Web Client or other client applications to never ignore certificate verification warnings. Without certificate verification, the user might be subject to a man-in-the-middle (MITM) attack.
Limiting vCenter Server Network Connectivity For improved security, avoid putting the vCenter Server system on any network other than a management network, and ensure that vSphere management traffic is on a restricted network. By limiting network connectivity, you limit certain types of attack. vCenter Server requires access to a management network only.
Examine Installed Plug-Ins vSphere Web Client extensions run at the same privilege level as the user who is logged in. A malicious extension can masquerade as a useful plug-in and perform harmful operations such as stealing credentials or changing the system configuration. To increase security, use a vSphere Web Client installation that includes only authorized extensions from trusted sources.
Procedure 1 Browse to the vCenter Server system in the vSphere Web Client object navigator. 2 Select the Manage tab, click Settings, and click General. 3 Click Edit. 4 Click SSL Settings. 5 If any of your ESXi 5.5 or earlier hosts require manual validation, compare the thumbprints listed for the hosts to the thumbprints in the host console. To obtain the host thumbprint, use the Direct Console User Interface (DCUI).
vCenter Server TCP and UDP Ports vCenter Server is accessed through predetermined TCP and UDP ports. If you manage network components from outside a firewall, you might be required to reconfigure the firewall to allow access on the appropriate ports. The table lists TCP and UDP ports, and the purpose and the type of each. Ports that are open by default at installation time are indicated by (Default).
Table 6‑1. vCenter Server TCP and UDP Ports (Continued) Port Purpose 15007 vService Manager (VSM). This service registers vCenter Server extensions. Open this port only if required by extensions that you intend to use. 50100-60099 The Client Integration Plug-in uses a local loopback hostname, and uses port 8093 and random ports in the range 50100 to 60099. The Client Integration Plug-in uses this port range only for local communication. The port can remain blocked by the firewall.
Securing Virtual Machines 7 The guest operating system that runs in the virtual machine is subject to the same security risks as a physical system. Secure virtual machines as you would secure physical machines.
Prevent Virtual Disk Shrinking Nonadministrative users in the guest operating system are able to shrink virtual disks. Shrinking a virtual disk reclaims the disk's unused space. However, if you shrink a virtual disk repeatedly, the disk can become unavailable and cause a denial of service. To prevent this, disable the ability to shrink virtual disks. Prerequisites - Turn off the virtual machine. - Verify that you have root or administrator privileges on the virtual machine.
Chapter 7 Securing Virtual Machines - Prevent Virtual Machines from Taking Over Resources on page 220 When one virtual machine consumes so much of the host resources that other virtual machines on the host cannot perform their intended functions, a Denial of Service (DoS) might occur. To prevent a virtual machine from causing a DoS, use host resource management features such as setting Shares and using resource pools.
Procedure - Provide templates for virtual machine creation that contain hardened, patched, and properly configured operating system deployments. If possible, deploy applications in templates as well. Ensure that the applications do not depend on information specific to the virtual machine to be deployed. What to do next For more information about templates, see the vSphere Virtual Machine Administration documentation.
Disable Unnecessary Functions Inside Virtual Machines Any service running in a virtual machine provides the potential for attack. By disabling system components that are not necessary to support the application or service running on the system, you reduce the number of components that can be attacked. Virtual machines do not usually require as many services or functions as physical servers.
Disable Unused Display Features Attackers can use an unused display feature as a vector for inserting malicious code into your environment. Disable features that are not in use in your environment. Procedure 1 Find the virtual machine in the vSphere Web Client inventory. a Select a data center, folder, cluster, resource pool, or host. b Click the Related Objects tab and click Virtual Machines. 2 Right-click the virtual machine and click Edit Settings. 3 Select VM Options.
- isolation.tools.ghi.autologon.disable - isolation.bios.bbs.disable - isolation.tools.hgfsServerSet.disable 6 Click OK. Disable HGFS File Transfers Certain operations such as automated tools upgrades use a component in the hypervisor called host guest file system (HGFS). In high-security environments, you can disable this component to minimize the risk that an attacker can use HGFS to transfer files inside the guest operating system.
5 Click OK. 6 (Optional) If you made changes to the configuration parameters, restart the virtual machine. Limiting Exposure of Sensitive Data Copied to the Clipboard Copy and paste operations are disabled by default for hosts to prevent exposing sensitive data that has been copied to the clipboard. When copy and paste is enabled on a virtual machine running VMware Tools, you can copy and paste between the guest operating system and remote console.
Prevent a Virtual Machine User or Process from Disconnecting Devices
Users and processes without root or administrator privileges within virtual machines have the capability to connect or disconnect devices, such as network adapters and CD-ROM drives, and the ability to modify device settings. To increase virtual machine security, remove these devices.
Prevent Guest Operating System Processes from Sending Configuration Messages to the Host
You can prevent guests from writing any name-value pairs to the configuration file. This is appropriate when guest operating systems must be prevented from modifying configuration settings.

Prerequisites
Turn off the virtual machine.

Procedure
1 Find the virtual machine in the vSphere Web Client inventory.
  a Select a data center, folder, cluster, resource pool, or host.
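The configuration parameters this chapter names (isolation.tools.ghi.autologon.disable, isolation.bios.bbs.disable, isolation.tools.hgfsServerSet.disable) are stored in the virtual machine's .vmx file. The following audit script is an added example and not VMware's code: it parses a constructed .vmx sample and reports which of those keys, together with the isolation.tools.copy, paste and setinfo keys from the same hardening family, are missing or not set to TRUE.

```python
"""Audit a virtual machine's .vmx file for the isolation.* hardening keys.

Added example, not VMware's code. The first three keys are the ones this
chapter names; the copy/paste/setinfo keys belong to the same isolation.*
family used to restrict the clipboard and guest-to-host configuration writes.
The .vmx content below is constructed for the demonstration.
"""
import re
from typing import Dict, List, Tuple

# Key -> what the key restricts. Each should be present and set to TRUE.
HARDENING_KEYS = {
    "isolation.tools.ghi.autologon.disable": "unused display (GHI autologon) feature",
    "isolation.bios.bbs.disable": "BIOS boot specification access from the guest",
    "isolation.tools.hgfsServerSet.disable": "HGFS file transfers into the guest",
    "isolation.tools.copy.disable": "clipboard copy between guest and remote console",
    "isolation.tools.paste.disable": "clipboard paste between guest and remote console",
    "isolation.tools.setinfo.disable": "guest writes of name-value pairs to the VM configuration",
}

# A .vmx line is: key = "value". Keys may contain dots, digits, colons and dashes.
_VMX_LINE = re.compile(r'^([A-Za-z0-9_.:-]+)\s*=\s*"(.*)"$')


def parse_vmx(text: str) -> Dict[str, str]:
    """Return the key/value pairs of a .vmx file.

    Keys are lower-cased so that lookups are tolerant of hand-edited files;
    blank lines, comments and malformed lines are skipped, and a repeated key
    keeps its last value, which is what a later override would produce.
    """
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = _VMX_LINE.match(line)
        if match:
            settings[match.group(1).lower()] = match.group(2)
    return settings


def audit_vmx(text: str) -> List[Tuple[str, str]]:
    """Return (key, finding) pairs for hardening keys that are missing or not TRUE.

    A missing key is reported because the control is then left at the product
    default instead of being pinned by the virtual machine's configuration.
    """
    settings = parse_vmx(text)
    findings: List[Tuple[str, str]] = []
    for key, purpose in HARDENING_KEYS.items():
        value = settings.get(key.lower())
        if value is None:
            findings.append((key, f"missing; {purpose} not restricted"))
        elif value.strip().upper() != "TRUE":
            findings.append((key, f"set to {value!r}, expected TRUE; {purpose} not restricted"))
    return findings


def remediation_lines(findings: List[Tuple[str, str]]) -> List[str]:
    """Lines to add under Edit Settings > VM Options > Advanced > Configuration
    Parameters (or to the .vmx while the VM is powered off) to close findings."""
    return [f'{key} = "TRUE"' for key, _ in findings]


# Constructed sample: four controls applied, one explicitly weakened, one missing.
SAMPLE_VMX = """\
.encoding = "UTF-8"
config.version = "8"
virtualHW.version = "11"
displayName = "constructed-sample-vm"
# hardening parameters
isolation.tools.ghi.autologon.disable = "TRUE"
isolation.bios.bbs.disable = "TRUE"
isolation.tools.hgfsServerSet.disable = "false"
isolation.tools.copy.disable = "TRUE"
isolation.tools.paste.disable = "TRUE"
"""

if __name__ == "__main__":
    results = audit_vmx(SAMPLE_VMX)
    for key, finding in results:
        print(f"{key}: {finding}")
    print("\n".join(remediation_lines(results)))
```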
8 Securing vSphere Networking

Securing vSphere Networking is an essential part of protecting your environment. You secure different vSphere components in different ways. See the vSphere Networking documentation for detailed information about networking in the vSphere environment.
Because host-based firewalls can slow performance, balance your security needs against performance goals before you install host-based firewalls on virtual machines elsewhere in the virtual network. See “Securing the Network with Firewalls,” on page 228.

Segmentation
Keep different virtual machine zones within a host on different network segments.
• Firewalls between one virtual machine and another—for example, between a virtual machine acting as an external Web server and a virtual machine connected to your company’s internal network.
• Firewalls between a physical machine and a virtual machine, such as when you place a firewall between a physical network adapter card and a virtual machine.
Connecting to vCenter Server Through a Firewall
vCenter Server uses TCP port 443 to listen for data transfer from its clients. If you have a firewall between vCenter Server and its clients, you must configure a connection through which vCenter Server can receive data from the clients. Open TCP port 443 in the firewall to enable vCenter Server to receive data from the vSphere Web Client.
If you are using the vSphere Web Client and connecting to a browser-based virtual machine console, the following access must be possible:
• The firewall must allow vSphere Web Client to access vCenter Server on port 9443.
• The firewall must allow vCenter Server to access the ESXi host on port 902.
Securing Standard Switch Ports With Security Policies
As with physical network adapters, a virtual machine network adapter can send frames that appear to be from a different machine or impersonate another machine so that it can receive network frames that are intended for that machine. Also, like physical network adapters, a virtual machine network adapter can be configured so that it receives frames targeted for other machines. Both scenarios present a security risk.
• MAC address changes (see “MAC Address Changes,” on page 233)
• Forged transmits (see “Forged Transmits,” on page 233)

You can view and change the default settings by selecting the virtual switch associated with the host from the vSphere Web Client. See the vSphere Networking documentation.

MAC Address Changes
The security policy of a virtual switch includes a MAC address changes option. This option affects traffic that a virtual machine receives.
Secure vSphere Distributed Switches and Distributed Port Groups
Administrators have several options for securing vSphere Distributed Switches in their vSphere environment.

Procedure
1 For distributed port groups with static binding, verify that the Auto Expand feature is disabled.
  Auto Expand is enabled by default in vSphere 5.1 and later.
VLANs let you segment a physical network so that two machines in the network are unable to transmit packets back and forth unless they are part of the same VLAN. For example, accounting records and transactions are among a company’s most sensitive internal information.
Secure VLANs
Administrators have several options for securing the VLANs in their vSphere environment.

Procedure
1 Ensure that port groups are not configured to VLAN values that are reserved by upstream physical switches.
  Do not set VLAN IDs to values reserved for the physical switch.
2 Ensure that port groups are not configured to VLAN 4095 unless you are using Virtual Guest Tagging (VGT).
• Virtual Machine 2 runs a Web server, and Virtual Machine 3 runs as an application server. Both of these virtual machines are connected to one virtual switch.

The Web server and application server occupy the DMZ between the two firewalls. The conduit between these elements is Standard Switch 2, which connects the firewalls with the servers.
In the figure, the system administrator configured a host into three distinct virtual machine zones: FTP server, internal virtual machines, and DMZ. Each zone serves a unique function.

FTP server    Virtual Machine 1 is configured with FTP software and acts as a holding area for data sent to and from outside resources such as forms and collateral localized by a vendor. This virtual machine is associated with an external network only.
By capitalizing on virtual machine isolation, correctly configuring virtual switches, and maintaining network separation, the system administrator can house all three virtual machine zones in the same ESXi host and be confident that there will be no data or resource breaches.
Procedure
◆ At the command prompt, enter the command esxcli network ip ipsec sa add with one or more of the following options.

Option                                 Description
--sa-source= source address            Required. Specify the source address.
--sa-destination= destination address  Required. Specify the destination address.
--sa-mode= mode                        Required. Specify the mode, either transport or tunnel.
--sa-spi= security parameter index     Required. Specify the security parameter index.
List Available IPsec Security Policies
You can list available security policies using the ESXCLI vSphere CLI command.

Procedure
◆ At the command prompt, enter the command esxcli network ip ipsec sp list

The host displays a list of all available security policies.

Create an IPSec Security Policy
Create a security policy to determine when to use the authentication and encryption parameters set in a security association.
Example: New Security Policy Command
The following example includes extra line breaks for readability. The security policy namespace is esxcli network ip ipsec sp, so the command is sp add.

    esxcli network ip ipsec sp add
        --sp-source=2001:db8:1::/64
        --sp-destination=2002:db8:1::/64
        --source-port=23
        --destination-port=25
        --upper-layer-protocol=tcp
        --flow-direction=out
        --action=ipsec
        --sp-mode=transport
        --sa-name=sa1
        --sp-name=sp1

Remove an IPsec Security Policy
You can remove a security policy from the ESXi host using the ESXCLI vSphere CLI command.
Use Virtual Switches with the vSphere Network Appliance API Only If Required
If you are not using products that make use of the vSphere Network Appliance API (DvFilter), do not configure your host to send network information to a virtual machine. If the vSphere Network Appliance API is enabled, an attacker might attempt to connect a virtual machine to the filter. This connection might provide access to the network of other virtual machines on the host.
• Ensure that port groups are not configured to the value of the native VLAN.
  Physical switches use VLAN 1 as their native VLAN. Frames on a native VLAN are not tagged with a 1. ESXi does not have a native VLAN. Frames with VLAN specified in the port group have a tag, but frames with VLAN not specified in the port group are not tagged. This can cause an issue because virtual machines that are tagged with a 1 end up as belonging to the native VLAN of the physical switch.
Document and Check the vSphere VLAN Environment
Check your VLAN environment regularly to avoid addressing problems. Fully document the VLAN environment and ensure that VLAN IDs are used only once. Your documentation can help with troubleshooting and is essential when you want to expand the environment.
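The VLAN and port group rules in this chapter (no reserved or native VLAN IDs, VLAN 4095 only for documented VGT use, MAC address changes and forged transmits under control, and each VLAN ID used only once) can be checked mechanically. The following audit is an added example and not VMware's code: port groups are modelled as small records filled with constructed sample values, and Reject is assumed as the expected value for each security policy unless a documented exception is recorded.

```python
"""Audit port group VLAN IDs and security policies against this chapter's guidance.

Added example, not VMware's code. Port groups are modelled as small records
filled with constructed sample data; in practice the same fields would be read
from the virtual switch configuration. Reject is assumed as the expected value
for each security policy unless an exception is recorded for the port group.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set

NATIVE_VLAN = 1      # the native VLAN most physical switches use
VGT_VLAN = 4095      # Virtual Guest Tagging: all VLAN tags are passed to the guest

# Standard switch security policy settings checked on every port group.
POLICY_KEYS = ("promiscuous_mode", "mac_address_changes", "forged_transmits")


@dataclass
class PortGroup:
    name: str
    vlan_id: int
    policy: Dict[str, str]                  # policy key -> "accept" / "reject"
    vgt_approved: bool = False              # VLAN 4095 use is documented
    policy_exceptions: Set[str] = field(default_factory=set)  # documented accepts


def check_port_group(pg: PortGroup, reserved_vlans: Set[int]) -> List[str]:
    """Findings for one port group: VLAN ID rules first, then security policy."""
    findings: List[str] = []
    if not 0 <= pg.vlan_id <= 4095:
        findings.append(f"{pg.name}: VLAN {pg.vlan_id} is outside the valid 0-4095 range")
    if pg.vlan_id in reserved_vlans:
        findings.append(f"{pg.name}: VLAN {pg.vlan_id} is reserved by the upstream physical switch")
    if pg.vlan_id == NATIVE_VLAN:
        findings.append(f"{pg.name}: VLAN {pg.vlan_id} is the physical switch native VLAN")
    if pg.vlan_id == VGT_VLAN and not pg.vgt_approved:
        findings.append(f"{pg.name}: VLAN 4095 (VGT) configured without a documented VGT use")
    for key in POLICY_KEYS:
        if key in pg.policy_exceptions:
            continue                        # documented exception, e.g. a network appliance
        value = pg.policy.get(key)
        if value is None:
            findings.append(f"{pg.name}: {key} is not configured, expected reject")
        elif value.lower() != "reject":
            findings.append(f"{pg.name}: {key} is {value}, expected reject")
    return findings


def audit_port_groups(port_groups: List[PortGroup], reserved_vlans: Set[int]) -> List[str]:
    """Run the per-port-group checks, then flag VLAN IDs shared by several port
    groups, which the documentation step of this chapter asks to avoid.
    VLAN 4095 is excluded from that check because VGT port groups carry all VLANs."""
    findings: List[str] = []
    for pg in port_groups:
        findings.extend(check_port_group(pg, reserved_vlans))
    by_vlan: Dict[int, List[str]] = {}
    for pg in port_groups:
        by_vlan.setdefault(pg.vlan_id, []).append(pg.name)
    for vlan, names in sorted(by_vlan.items()):
        if vlan != VGT_VLAN and len(names) > 1:
            findings.append(f"VLAN {vlan} is used by more than one port group: {', '.join(names)}")
    return findings


REJECT_ALL = {key: "reject" for key in POLICY_KEYS}

# Constructed sample: VLAN IDs the upstream switch reserves (values are illustrative).
RESERVED_VLANS = {1002, 1003, 1004, 1005}

SAMPLE_PORT_GROUPS = [
    PortGroup("mgmt-pg", 1, dict(REJECT_ALL)),
    PortGroup("vgt-appliance", 4095,
              {"promiscuous_mode": "reject", "mac_address_changes": "accept", "forged_transmits": "accept"},
              vgt_approved=True, policy_exceptions={"mac_address_changes", "forged_transmits"}),
    PortGroup("dmz-web", 20,
              {"promiscuous_mode": "reject", "mac_address_changes": "accept", "forged_transmits": "reject"}),
    PortGroup("dmz-app", 20, {"promiscuous_mode": "reject", "mac_address_changes": "reject"}),
    PortGroup("legacy-pg", 1002, dict(REJECT_ALL)),
]

if __name__ == "__main__":
    for finding in audit_port_groups(SAMPLE_PORT_GROUPS, RESERVED_VLANS):
        print(finding)
```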
Enable access to management functionality in a strictly controlled manner by using one of the following approaches.
• For especially sensitive environments, configure a controlled gateway or other controlled method to access the management network. For example, require that administrators connect to the management network through a VPN, and allow access only to trusted administrators.
• Configure jump boxes that run management clients.
9 Best Practices Involving Multiple vSphere Components

Some security best practices, such as setting up NTP in your environment, affect more than one vSphere component. Consider these recommendations when configuring your environment. See Chapter 5, “Securing ESXi Hosts,” on page 153 and Chapter 7, “Securing Virtual Machines,” on page 217 for related information.
2 On the Configuration tab, click Time Configuration.
3 Click Properties, and click Options.
4 Select NTP Settings.
5 Click Add.
6 In the Add NTP Server dialog box, enter the IP address or fully qualified domain name of the NTP server to synchronize with.
7 Click OK.

The host time synchronizes with the NTP server.
Add or Replace NTP Servers in the vCenter Server Appliance Configuration
To set up the vCenter Server Appliance to use NTP-based time synchronization, you must add the NTP servers to the vCenter Server Appliance configuration.

Procedure
1 Access the appliance shell and log in as a user who has the administrator or super administrator role.
  The default user with super administrator role is root.
Procedure
1 Access the appliance shell and log in as a user who has the administrator or super administrator role.
  The default user with super administrator role is root.
2 Run the command to enable NTP-based time synchronization.
    timesync.set --mode NTP
3 (Optional) Run the command to verify that you successfully applied the NTP synchronization.
    timesync.get
  The command returns that the time synchronization is in NTP mode.
Protecting an iSCSI SAN
When you plan your iSCSI configuration, take measures to improve the overall security of the iSCSI SAN. Your iSCSI configuration is only as secure as your IP network, so by enforcing good security standards when you set up your network, you help safeguard your iSCSI storage. The following are some specific suggestions for enforcing good security standards.
Using Kerberos Credentials for NFS 4.1
With NFS version 4.1, ESXi supports the Kerberos authentication mechanism. Kerberos is an authentication service that allows an NFS 4.1 client installed on ESXi to prove its identity to an NFS server before mounting an NFS share. Kerberos uses cryptography to work across an insecure network connection. The vSphere implementation of Kerberos for NFS 4.
Setting Timeouts for the ESXi Shell and vSphere Web Client
To prevent intruders from using an idle session, be sure to set timeouts for the ESXi Shell and vSphere Web Client.

ESXi Shell Timeout
For the ESXi Shell, you can set the following timeouts from the vSphere Web Client and from the Direct Console User Interface (DCUI).
10 Defined Privileges

The following tables list the default privileges that, when selected for a role, can be paired with a user and assigned to an object. The tables in this appendix use VC to indicate vCenter Server and HC to indicate host client, a standalone ESXi or Workstation host. When setting permissions, verify that all the object types are set with appropriate privileges for each particular action.
• “Inventory Service Tagging Privileges,” on page 267
• “Network Privileges,” on page 267
• “Performance Privileges,” on page 268
• “Permissions Privileges,” on page 268
• “Profile-driven Storage Privileges,” on page 269
• “Resource Privileges,” on page 269
• “Scheduled Task Privileges,” on page 270
• “Sessions Privileges,” on page 270
• “Storage Views Privileges,” on page 270
• “Tasks Privileges,” on page 271
• “Transfer Service Privileges,” on page 271
• “VRM Polic
Table 10‑1. Alarms Privileges (Continued)
Privilege Name | Description | Required On
Alarms.Remove alarm | Allows deletion of an alarm. | Object on which an alarm is defined
Alarms.Set alarm status | Allows changing the status of the configured event alarm. The status can change to Normal, Warning, or Alert.
Content Library Privileges
Content Libraries provide simple and effective management for virtual machine templates and vApps. Content library privileges control who can view or manage different aspects of content libraries.

You can set this privilege at different levels in the hierarchy. For example, if you set a privilege at the folder level, you can propagate the privilege to one or more objects within the folder.
Table 10‑4. Content Library Privileges (Continued)
Privilege Name | Description | Required On
Content library.Update configuration settings | Allows you to update the configuration settings. No vSphere Web Client user interface elements are associated with this privilege. | Library
Content library.Update files | Allows you to upload content into the content library. Also allows you to remove files from a library item. | Library
Content library.
Datastore Privileges
Datastore privileges control the ability to browse, manage, and allocate space on datastores.

You can set this privilege at different levels in the hierarchy. For example, if you set a privilege at the folder level, you can propagate the privilege to one or more objects within the folder. The object listed in the Required On column must have the privilege set, either directly or inherited.

Table 10‑6.
Distributed Switch Privileges
Distributed Switch privileges control the ability to perform tasks related to the management of Distributed Switch instances.

You can set this privilege at different levels in the hierarchy. For example, if you set a privilege at the folder level, you can propagate the privilege to one or more objects within the folder. The object listed in the Required On column must have the privilege set, either directly or inherited.

Table 10‑8.
Extension Privileges
Extension privileges control the ability to install and manage extensions.

You can set this privilege at different levels in the hierarchy. For example, if you set a privilege at the folder level, you can propagate the privilege to one or more objects within the folder. The object listed in the Required On column must have the privilege set, either directly or inherited.

Table 10‑10. Extension Privileges
Privilege Name | Description | Required On
Extension.
Table 10‑12. Global Privileges (Continued)
Privilege Name | Description | Required On
Global.Diagnostics | Allows retrieval of a list of diagnostic files, log header, binary files, or diagnostic bundle. To avoid potential security breaches, limit this privilege to the vCenter Server Administrator role. | Root vCenter Server
Global.Disable methods | Allows servers for vCenter Server extensions to disable certain operations on objects managed by vCenter Server.
Table 10‑14. Host Configuration Privileges
Privilege Name | Description | Required On
Host.Configuration.Advanced Settings | Allows setting advanced host configuration options. | Hosts
Host.Configuration.Authentication Store | Allows configuring Active Directory authentication stores. | Hosts
Host.Configuration.Change PciPassthru settings | Allows changes to PciPassthru settings for a host. | Hosts
Host.Configuration.Change SNMP settings | Allows changes to SNMP settings for a host.
Table 10‑15. Host Inventory Privileges
Privilege Name | Description | Required On
Host.Inventory.Add host to cluster | Allows addition of a host to an existing cluster. | Clusters
Host.Inventory.Add standalone host | Allows addition of a standalone host. | Host folders
Host.Inventory.Create cluster | Allows creation of a new cluster. | Host folders
Host.Inventory.Modify cluster | Allows changing the properties of a cluster. | Clusters
Host.Inventory.
Table 10‑16. Host Local Operations Privileges (Continued)
Privilege Name | Description | Required On
Host.Local operations.Reconfigure virtual machine | Allows reconfiguring a virtual machine. | Root host
Host.Local operations.Relayout snapshots | Allows changes to the layout of a virtual machine's snapshots. | Root host

Host vSphere Replication Privileges
Host vSphere replication privileges control the use of virtual machine replication by VMware vCenter Site Recovery Manager™ for a host.
Inventory Service Provider Privileges
Inventory Service Provider privileges are internal only. Do not use.

Inventory Service Tagging Privileges
Inventory Service Tagging privileges control the ability to create and delete tags and tag categories, and assign and remove tags on vSphere inventory objects.

You can set this privilege at different levels in the hierarchy.
Table 10‑20. Network Privileges
Privilege Name | Description | Required On
Network.Assign network | Allows assigning a network to a virtual machine. | Networks, Virtual Machines
Network.Configure | Allows configuring a network. | Networks, Virtual Machines
Network.Move network | Allows moving a network between folders. Privilege must be present at both the source and destination. | Networks
Network.Remove | Allows removal of a network. This privilege is deprecated.
Profile-driven Storage Privileges
Profile-driven storage privileges control operations related to storage profiles.

You can set this privilege at different levels in the hierarchy. For example, if you set a privilege at the folder level, you can propagate the privilege to one or more objects within the folder. The object listed in the Required On column must have the privilege set, either directly or inherited.

Table 10‑23.
Scheduled Task Privileges
Scheduled task privileges control creation, editing, and removal of scheduled tasks.

You can set this privilege at different levels in the hierarchy. For example, if you set a privilege at the folder level, you can propagate the privilege to one or more objects within the folder. The object listed in the Required On column must have the privilege set, either directly or inherited.

Table 10‑25.
Tasks Privileges
Tasks privileges control the ability of extensions to create and update tasks on the vCenter Server.

You can set this privilege at different levels in the hierarchy. For example, if you set a privilege at the folder level, you can propagate the privilege to one or more objects within the folder. The object listed in the Required On column must have the privilege set, either directly or inherited.

Table 10‑28.
Table 10‑29. Virtual Machine Configuration Privileges (Continued)
Privilege Name | Description | Required On
Virtual machine.Configuration.Configure managedBy | Allows an extension or solution to mark a virtual machine as being managed by that extension or solution. | Virtual machines
Virtual machine.Configuration.Disk change tracking | Allows enabling or disabling of change tracking for the virtual machine's disks. | Virtual machines
Virtual machine.Configuration.
Table 10‑29. Virtual Machine Configuration Privileges (Continued)
Privilege Name | Description | Required On
Virtual machine.Configuration.Settings | Allows changing general virtual machine settings. | Virtual machines
Virtual machine.Configuration.Swapfile placement | Allows changing the swapfile placement policy for a virtual machine. | Virtual machines
Virtual machine.Configuration.Unlock virtual machine | Allows decrypting a virtual machine.
You can set this privilege at different levels in the hierarchy. For example, if you set a privilege at the folder level, you can propagate the privilege to one or more objects within the folder. The object listed in the Required On column must have the privilege set, either directly or inherited.

Table 10‑31. Virtual Machine Interaction
Privilege Name | Description | Required On
Virtual machine.Interaction.
Table 10‑31. Virtual Machine Interaction (Continued)
Privilege Name | Description | Required On
Virtual machine.Interaction.Create screenshot | Allows creation of a virtual machine screenshot. | Virtual machines
Virtual machine.Interaction.Defragment all disks | Allows defragment operations on all disks of the virtual machine. | Virtual machines
Virtual machine.Interaction.
Table 10‑31. Virtual Machine Interaction (Continued)
Privilege Name | Description | Required On
Virtual machine.Interaction.Drag and Drop | Allows drag and drop of files between a virtual machine and a remote client. | Virtual machines
Virtual machine.Interaction.Enable Fault Tolerance | Allows enabling the Secondary virtual machine for a virtual machine using Fault Tolerance. | Virtual machines
Virtual machine.Interaction.
Table 10‑31. Virtual Machine Interaction (Continued)
Privilege Name | Description | Required On
Virtual machine.Interaction.Perform wipe or shrink operations | Allows performing wipe or shrink operations on the virtual machine. | Virtual machines
Virtual machine.Interaction.Power Off | Allows powering off a powered-on virtual machine. This operation powers down the guest operating system. | Virtual machines
Virtual machine.Interaction.
Table 10‑31. Virtual Machine Interaction (Continued)
Privilege Name | Description | Required On
Virtual machine.Interaction.Replay session on Virtual Machine | Allows replaying of a recorded session on a virtual machine. | Virtual machines
Virtual machine.Interaction.Reset | Allows resetting of a virtual machine and reboots the guest operating system. | Virtual machines
Virtual machine.Interaction.Resume Fault Tolerance | Allows resuming of fault tolerance for a virtual machine.
Table 10‑31. Virtual Machine Interaction (Continued)
Privilege Name | Description | Required On
Virtual machine.Interaction.Test failover | Allows testing of Fault Tolerance failover by making the Secondary virtual machine the Primary virtual machine. | Virtual machines
Virtual machine.Interaction.Test restart Secondary VM | Allows termination of a Secondary virtual machine for a virtual machine using Fault Tolerance. | Virtual machines
Virtual machine.Interaction.
Table 10‑31. Virtual Machine Interaction (Continued)
Privilege Name | Description | Required On
Virtual machine.Interaction.Turn On Fault Tolerance | Allows turning on Fault Tolerance for a virtual machine. | Virtual machines
Virtual machine.Interaction.VMware Tools install | Allows mounting and unmounting the VMware Tools CD installer as a CD-ROM for the guest operating system.
Table 10‑32. Virtual Machine Inventory Privileges (Continued)
Privilege Name | Description | Required On
Virtual machine.Inventory.Remove | Allows deletion of a virtual machine. Deletion removes the virtual machine's underlying files from disk. To have permission to perform this operation, a user or group must have this privilege assigned in both the object and its parent object. | Virtual machines
Virtual machine.Inventory.
Table 10‑33. Virtual Machine Provisioning Privileges (Continued)
Privilege Name | Description | Required On
Virtual machine.Provisioning.Mark as virtual machine | Allows marking an existing template as a virtual machine. | Templates
Virtual machine.Provisioning.Modify customization specification | Allows creation, modification, or deletion of customization specifications. | Root vCenter Server
Virtual machine.Provisioning.
Table 10‑35. Virtual Machine State Privileges
Privilege Name | Description | Required On
Virtual machine.Snapshot management.Create snapshot | Allows creation of a snapshot from the virtual machine’s current state. | Virtual machines
Virtual machine.Snapshot management.Remove Snapshot | Allows removal of a snapshot from the snapshot history. | Virtual machines
Virtual machine.Snapshot management.
Table 10‑37. Distributed Virtual Port Group Privileges (Continued)
Privilege Name | Description | Required On
dvPort group.Policy operation | Allows setting the policy of a distributed virtual port group. | Virtual port groups
dvPort group.Scope operation | Allows setting the scope of a distributed virtual port group. | Virtual port groups

vApp Privileges
vApp privileges control operations related to deploying and configuring a vApp.
Table 10‑38. vApp Privileges (Continued)
Privilege Name | Description | Required On
vApp.vApp managedBy configuration | Allows an extension or solution to mark a vApp as being managed by that extension or solution. No vSphere Web Client user interface elements are associated with this privilege. | vApps
vApp.vApp resource configuration | Allows modification of a vApp's resource configuration.