vSphere Security
Update 1
Modified 03 NOV 2017
VMware vSphere 6.5
VMware ESXi 6.5
vCenter Server 6.
You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/
If you have comments about this documentation, submit your feedback to docfeedback@vmware.com
VMware, Inc.
3401 Hillview Ave.
Palo Alto, CA 94304
www.vmware.com
Copyright © 2009–2017 VMware, Inc. All rights reserved. Copyright and trademark information.
Contents
About vSphere Security
Updated Information
1 Security in the vSphere Environment
Securing the ESXi Hypervisor
Securing vCenter Server Systems and Associated Services
Securing Virtual Machines
Securing the Virtual Networking Layer
Passwords in Your vSphere Environment
Security Best Practices and Resources
2 vSphere Permissions and User Management Tasks
Understanding Authorization in vSphere
Managing Permissions for vCenter Components
Global Permissions
Additional vCenter Server TCP and UDP Ports
5 Securing Virtual Machines
Enable or Disable UEFI Secure Boot for a Virtual Machine
Limit Informational Messages From Virtual Machines to VMX Files
Prevent Virtual Disk Shrinking
Virtual Machine Security Best Practices
6 Virtual Machine Encryption
How vSphere Virtual Machine Encryption Protects Your Environment
vSphere Virtual Machine Encryption Components
Encryption Process Flow
Virtual Disk Encryption
vSphere Networking Security Best Practices
9 Best Practices Involving Multiple vSphere Components
Synchronizing Clocks on the vSphere Network
Storage Security Best Practices
Verify That Sending Host Performance Data to Guests is Disabled
Setting Timeouts for the ESXi Shell and vSphere Web Client
10 Managing TLS Protocol Configuration with the TLS Configurator Utility
Ports That Support Disabling TLS Versions
Disabling TLS Versions in vSphere
Instal
Profile-driven Storage Privileges
Resource Privileges
Scheduled Task Privileges
Sessions Privileges
Storage Views Privileges
Tasks Privileges
Transfer Service Privileges
Virtual Machine Configuration Privileges
Virtual Machine Guest Operations Privileges
Virtual Machine Interaction Privileges
Virtual Machine Inventory Privileges
Virtual Machine Provisioning Privileges
Virtual Machine Service Configuration Privileges
Vi
About vSphere Security
vSphere Security provides information about securing your vSphere environment for VMware vCenter Server and VMware ESXi.
To help you protect your vSphere environment, this documentation describes available security features and the measures that you can take to safeguard your environment from attack.
Table 1.
In addition to these documents, VMware publishes a Hardening Guide for each release of vSphere, accessible at http://www.vmware.com/security/hardening-guides.html. The Hardening Guide is a spreadsheet with entries for different potential security issues. It includes items for three different risk profiles. This vSphere Security document does not include information for Risk Profile 1 (highest security environment such as top-secret government).
Updated Information
This vSphere Security document is updated with each release of the product or when necessary.
This table provides the update history of the vSphere Security documentation.
Revision | Description
03 NOV 2017 | - Added clarification to Encrypted vSphere vMotion. - Added caveat about shared disk requirement to Encrypted vSphere vMotion.
04 OCT 2017 | EN-002563-00
1 Security in the vSphere Environment
The components of a vSphere environment are secured out of the box by several features such as authentication, authorization, a firewall on each ESXi host, and so on. You can modify the default setup in many ways. For example, you can set permissions on vCenter objects, open firewall ports, or change the default certificates.
Users who can access the ESXi host must have permissions to manage the host. You set permissions on the host object from the vCenter Server system that manages the host.
Use named users and least privilege
By default, the root user can perform many tasks. Do not allow administrators to log in to the ESXi host using the root user account. Instead, create named administrator users from vCenter Server and assign those users the Administrator role.
Manage ESXi certificates
In vSphere 6.0 and later, the VMware Certificate Authority (VMCA) provisions each ESXi host with a signed certificate that has VMCA as the root certificate authority by default. If company policy requires it, you can replace the existing certificates with certificates that are signed by a third-party or an enterprise CA. See Certificate Management for ESXi Hosts.
Consider Smart card authentication
Starting with vSphere 6.
For additional protection, explicitly remove expired or revoked certificates and failed installations.
Configure vCenter Single Sign-On
vCenter Server and associated services are protected by the vCenter Single Sign-On authentication framework. When you first install the software, you specify a password for the administrator of the vCenter Single Sign-On domain, administrator@vsphere.local by default. Only that domain is initially available as an identity source.
Use templates and scripted management
VM templates enable you to set up the operating system so that it meets your requirements, and to create other VMs with the same settings. If you want to change VM settings after initial deployment, consider using scripts, for example, PowerCLI. This documentation explains how to perform tasks using the GUI. Consider using scripts instead of the GUI to keep your environment consistent.
See ESXi Networking Security Recommendations.
Use firewalls to secure virtual network elements
You can open and close firewall ports and secure each element in the virtual network separately. For ESXi hosts, firewall rules associate services with corresponding firewalls and can open and close the firewall according to the status of the service. See ESXi Firewall Configuration. You can also open ports on Platform Services Controller and vCenter Server instances explicitly.
See Storage Security Best Practices.
Evaluate the use of IPSec
ESXi supports IPSec over IPv6. You cannot use IPSec over IPv4. See Internet Protocol Security. In addition, evaluate whether VMware NSX for vSphere is a good solution for securing the networking layer in your environment.
vCenter Single Sign-On supports one default identity source. Users can log in to the corresponding domain with the vSphere Web Client with just their user names. If users want to log in to a non-default domain, they can include the domain name, that is, specify user@domain or domain\user. The domain password parameters apply to each domain.
Table 1‑2. VMware Security Resources on the Web
Topic | Resource
VMware security policy, up-to-date security alerts, security downloads, and focus discussions of security topics. | http://www.vmware.com/go/security
Corporate security response policy. VMware is committed to helping you maintain a secure environment. Security issues are corrected in a timely manner. | http://www.vmware.com/support/policies/security_response.html
2 vSphere Permissions and User Management Tasks
Authentication and authorization govern access. vCenter Single Sign-On supports authentication, which means it determines whether a user can access vSphere components at all. Each user must also be authorized to view or manipulate vSphere objects. vSphere supports several different authorization mechanisms, discussed in Understanding Authorization in vSphere.
Understanding Authorization in vSphere
You authorize a user or group to perform tasks on vCenter objects by using permissions on the object. vSphere 6.0 and later allows privileged users to give other users permissions to perform tasks. You can use global permissions, or you can use local vCenter Server permissions to authorize other users for individual vCenter Server instances.
Understanding the vCenter Server Permission Model
The permission model for vCenter Server systems relies on assigning permissions to objects in the vSphere object hierarchy. Each permission gives one user or group a set of privileges, that is, a role for the selected object. The following concepts are important.
Permissions
Each object in the vCenter Server object hierarchy has associated permissions.
3 Select individual privileges or a role, that is, a set of privileges, that the group or user should have on the object.
By default, permissions propagate, that is, the group or user has the selected role on the selected object and its child objects. vCenter Server offers predefined roles, which combine frequently used privilege sets. You can also create custom roles by combining a set of roles. Permissions must often be defined on both a source object and a destination object.
Figure 2‑2.
Permissions take several forms in the hierarchy:
Managed entities
Privileged users can define permissions on managed entities.
- Clusters
- Data centers
- Datastores
- Datastore clusters
- Folders
- Hosts
- Networks (except vSphere Distributed Switches)
- Distributed port groups
- Resource pools
- Templates
- Virtual machines
- vSphere vApps
Global entities
You cannot modify permissions on entities that derive permissions from the root vCenter Server system.
If multiple group permissions are defined on the same object and a user belongs to two or more of those groups, two situations are possible:
- No permission for the user is defined directly on the object. In that case, the user has the privileges that the groups have on that object.
- A permission for the user is defined directly on the object. In that case, the user's permission takes precedence over all group permissions.
User 1, who belongs to groups A and B, logs on. Because Role 2 is assigned at a lower point in the hierarchy than Role 1, it overrides Role 1 on VM B. User 1 can power on VM A, but not take snapshots. User 1 can take snapshots of VM B, but not power it on.
Figure 2‑4.
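The resolution rules described above (propagation down the hierarchy, a lower permission overriding a higher one, group permissions combined, a direct user permission taking precedence) as a small model in Python. This is an added example, not code from the VMware documentation; the inventory, roles, groups and privilege names are constructed to match the User 1 / VM A / VM B scenario.

```python
from __future__ import annotations

# Constructed inventory: child object -> parent object (None for the root).
PARENT = {
    "vCenter": None,
    "Datacenter": "vCenter",
    "VM A": "Datacenter",
    "VM B": "Datacenter",
}

# Constructed roles: role name -> set of privileges (illustrative names).
ROLES = {
    "Role 1": {"VirtualMachine.Interact.PowerOn"},
    "Role 2": {"VirtualMachine.State.CreateSnapshot"},
    "No Access": set(),
}

# Constructed group membership: user -> groups.
GROUPS = {"User 1": {"Group A", "Group B"}}

# Constructed permissions, as in the figure: object -> [(principal, role, propagate)].
PERMISSIONS = {
    "Datacenter": [("Group A", "Role 1", True)],
    "VM B": [("Group B", "Role 2", True)],
}


def path_to_root(obj: str, parent: dict) -> list[str]:
    """Return [obj, its parent, grandparent, ...] up to the root object."""
    path = []
    while obj is not None:
        path.append(obj)
        obj = parent[obj]
    return path


def effective_privileges(user: str, obj: str, permissions=PERMISSIONS,
                         roles=ROLES, groups=GROUPS, parent=PARENT) -> set[str]:
    """Resolve the privileges `user` has on `obj`.

    Walk from the object toward the root. The first object on that path that
    carries a permission applying to the user decides (a permission defined
    lower in the hierarchy overrides one inherited from higher up). On that
    object a permission defined directly for the user takes precedence over
    group permissions; otherwise the privileges of every group permission
    that applies to the user are combined.
    """
    user_groups = groups.get(user, set())
    for depth, node in enumerate(path_to_root(obj, parent)):
        entries = permissions.get(node, [])
        # A non-propagating permission applies only to the object it is set on.
        applicable = [(p, r) for p, r, prop in entries if depth == 0 or prop]
        direct = [r for p, r in applicable if p == user]
        if direct:
            return set(roles[direct[0]])
        via_groups = [r for p, r in applicable if p in user_groups]
        if via_groups:
            return set().union(*(roles[r] for r in via_groups))
    return set()  # no applicable permission anywhere: effectively No Access


def can(user: str, obj: str, privilege: str, **kw) -> bool:
    """True if `user` holds `privilege` on `obj`."""
    return privilege in effective_privileges(user, obj, **kw)


if __name__ == "__main__":
    for vm in ("VM A", "VM B"):
        print(vm, sorted(effective_privileges("User 1", vm)))
```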
To manage permissions from the vSphere Web Client, you need to understand the following concepts:
Permissions
Each object in the vCenter Server object hierarchy has associated permissions. Each permission specifies for one group or user which privileges that group or user has on the object.
Users and Groups
On vCenter Server systems, you can assign privileges only to authenticated users or groups of authenticated users. Users are authenticated through vCenter Single Sign-On.
3 Click the Add icon, and click Add.
4 Select the user or group that will have the privileges defined by the selected role.
a From the Domain drop-down menu, select the domain for the user or group.
b Type a name in the Search box or select a name from the list. The system searches user names, group names, and descriptions.
c Select the user or group and click Add. The name is added to either the Users or Groups list.
Procedure
1 Browse to the object in the vSphere Web Client object navigator.
2 Click the Configure tab and select Permissions.
3 Click a row to select a permission.
4 Click the Remove permission icon.
Change User Validation Settings
vCenter Server periodically validates its user and group lists against the users and groups in the user directory. It then removes users or groups that no longer exist in the domain.
Global Permissions
Global permissions are applied to a global root object that spans solutions, for example, both vCenter Server and vRealize Orchestrator. Use global permissions to give a user or group privileges for all objects in all object hierarchies. Each solution has a root object in its own object hierarchy. The global root object acts as a parent object to the root objects for all solutions.
3 Select the user or group that will have the privileges defined by the selected role.
a From the Domain drop-down menu, select the domain for the user or group.
b Type a name in the Search box or select a name from the list. The system searches user names, group names, and descriptions.
c Select the user or group and click Add. The name is added to either the Users or Groups list.
d (Optional) Click Check Names to verify that the user or group exists in the identity source.
Table 2‑1. How Global Permissions and Tag Object Permissions Affect What Users Can Do
Global Permission | Tag-Level Permission | vCenter Server Object-Level Permission | Effective Permission
No tagging privileges assigned | Dana has Assign or Unassign vSphere Tag privileges for the tag. | Dana has Delete vSphere Tag privileges on ESXi host TPA | Dana has Assign or Unassign vSphere Tag privileges for the tag.
Dana has Assign or Unassign vSphere Tag privileges. |
Using Roles to Assign Privileges
A role is a predefined set of privileges. Privileges define rights to perform actions and read properties. For example, the Virtual Machine Administrator role allows a user to read and change virtual machine attributes. When you assign permissions, you pair a user or group with a role and associate that pairing with an inventory object. A single user or group can have different roles for different objects in the inventory.
When you manage a host using vCenter Server, the permissions associated with that host are created through vCenter Server and stored on vCenter Server. If you connect directly to a host, only the roles that are created directly on the host are available.
Note When you add a custom role and do not assign any privileges to it, the role is created as a Read Only role with three system-defined privileges: System.Anonymous, System.View, and System.Read.
The administrator of the vCenter Single Sign-On domain, administrator@vsphere.local by default, the root user, and vpxuser are assigned the Administrator role by default. Other users are assigned the No Access role by default.
Read Only Role
Users with the Read Only role for an object are allowed to view the state of the object and details about the object.
Prerequisites
Verify that you are logged in as a user with Administrator privileges.
Procedure
1 Log in to vCenter Server with the vSphere Web Client.
2 Select Home, click Administration, and click Roles.
3 Select a role, and click the Clone role action icon.
4 Type a name for the cloned role.
5 Select or deselect privileges for the role and click OK.
Edit a Role
When you edit a role, you can change the privileges selected for that role.
- If you assign a restrictive role to a group, check that the group does not contain the Administrator user or other users with administrative privileges. Otherwise, you might unintentionally restrict administrators' privileges in the parts of the inventory hierarchy where you have assigned that group the restrictive role.
- Use folders to group objects.
Table 2‑4. Required Privileges for Common Tasks
Task: Create a virtual machine
Required Privileges: On the destination folder or data center:
- Virtual machine.Inventory.Create new
- Virtual machine.Configuration.Add new disk (if creating a new virtual disk)
- Virtual machine.Configuration.Add existing disk (if using an existing virtual disk)
- Virtual machine.Configuration.
Applicable Role: Administrator
Table 2‑4. Required Privileges for Common Tasks (Continued)
Task: Install a guest operating system on a virtual machine
Required Privileges: On the virtual machine or folder of virtual machines:
- Virtual machine.Interaction.Answer question
- Virtual machine.Interaction.Console interaction
- Virtual machine.Interaction.Device connection
- Virtual machine.Interaction.Power Off
- Virtual machine.Interaction.
Applicable Role: Virtual Machine Power User or Administrator
Table 2‑4. Required Privileges for Common Tasks (Continued)
Task: Move a host into a cluster
Required Privileges:
- On the host: Host.Inventory.Add host to cluster
- On the destination cluster: Host.Inventory.Add host to cluster
Applicable Role: Administrator
3 Securing ESXi Hosts
The ESXi hypervisor architecture has many built-in security features such as CPU isolation, memory isolation, and device isolation. You can configure additional features such as lockdown mode, certificate replacement, and smart card authentication for enhanced security. An ESXi host is also protected with a firewall. You can open ports for incoming and outgoing traffic as needed, but you should restrict access to services and ports.
Configure ESXi Hosts with Host Profiles
Host profiles allow you to set up standard configurations for your ESXi hosts and automate compliance to these configuration settings. Host profiles allow you to control many aspects of host configuration including memory, storage, networking, and so on. You can configure host profiles for a reference host from the vSphere Web Client and apply the host profile to all hosts that share the characteristics of the reference host.
- Insecure services such as FTP and Telnet are not installed, and the ports for these services are closed by default. Because more secure services such as SSH and SFTP are easily available, avoid using these insecure services and use their safer alternatives. For example, use Telnet with SSL to access virtual serial ports if SSH is unavailable and you must use Telnet.
Use Scripts to Manage Host Configuration Settings
In environments with many hosts, managing hosts with scripts is faster and less error prone than managing the hosts from the vSphere Web Client. vSphere includes several scripting languages for host management. See the vSphere Command-Line Documentation and the vSphere API/SDK Documentation for reference information and programming tips, and VMware Communities for additional tips about scripted management.
3 Write scripts to perform parameter checking or modification, and run them. For example, you can check or set the shell interactive timeout of a host as follows:
Language: vCLI (ESXCLI)
Commands:
esxcli system settings advanced get -o /UserVars/ESXiShellTimeOut
esxcli --formatter=csv --format-param=fields="Path,Int Value" system settings advanced list | grep /UserVars/ESXiShellTimeOut
Language: PowerCLI
Commands:
#List UserVars.
- By default, password length is more than 7 and less than 40.
- Passwords cannot contain a dictionary word or part of a dictionary word.
Note An uppercase character that begins a password does not count toward the number of character classes used. A number that ends a password does not count toward the number of character classes used.
Example ESXi Passwords
The following password candidates illustrate potential passwords if the option is set as follows.
You can change the default, for example, to require a minimum of 15 characters and a minimum number of four words, as follows:
retry=3 min=disabled,disabled,15,7,7 passphrase=4
See the manpage for pam_passwdqc for details.
Note Not all possible combinations of the options for pam_passwdqc have been tested. Perform additional testing after you change the default password settings.
ESXi Account Lockout Behavior
Starting with vSphere 6.
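A checker for the pam_passwdqc min= rule discussed in the two passages above, added here as an example and not taken from the VMware documentation. It parses an option string such as the one just shown, counts character classes the way pam_passwdqc does (a leading uppercase letter and a trailing digit do not count), and applies the minimum length for that class count or for a passphrase; the max= bound and the dictionary-word check are not modelled. Test candidates are constructed.

```python
def parse_passwdqc(options: str) -> dict:
    """Parse 'retry=3 min=disabled,disabled,15,7,7 passphrase=4' into a dict.

    'min' becomes a list of five entries: minimum length for passwords made of
    1, 2, 3 or 4 character classes, then for passphrases. 'disabled' -> None.
    """
    opts = {}
    for token in options.split():
        key, _, value = token.partition("=")
        if key == "min":
            parts = value.split(",")
            if len(parts) != 5:
                raise ValueError("min= needs five comma-separated values")
            opts["min"] = [None if p == "disabled" else int(p) for p in parts]
        elif key in ("retry", "passphrase", "max"):
            opts[key] = int(value)
        else:
            opts[key] = value
    if "min" not in opts:
        raise ValueError("min= is required")
    return opts


def character_classes(password: str) -> int:
    """Count classes (digits, lowercase, uppercase, other) as pam_passwdqc does."""
    body = password
    if body and body[0].isupper():
        body = body[1:]          # uppercase letter beginning the password does not count
    if body and body[-1].isdigit():
        body = body[:-1]         # digit ending the password does not count
    classes = set()
    for ch in body:
        if ch.isdigit():
            classes.add("digit")
        elif ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        else:
            classes.add("other")  # punctuation, spaces, anything else
    return len(classes)


def meets_policy(password: str, options: str) -> bool:
    """True if `password` satisfies the min=/passphrase= rules in `options`."""
    opts = parse_passwdqc(options)
    minimums = opts["min"]
    # Passphrase rule: at least `passphrase` words (space separated) and the
    # passphrase minimum length (fifth min= entry) applies.
    words = password.split()
    need_words = opts.get("passphrase", 3)
    if (need_words > 0 and len(words) >= need_words
            and minimums[4] is not None and len(password) >= minimums[4]):
        return True
    n_classes = character_classes(password)
    if n_classes == 0:
        return False
    required = minimums[n_classes - 1]   # None means this kind is disabled
    return required is not None and len(password) >= required


if __name__ == "__main__":
    policy = "retry=3 min=disabled,disabled,15,7,7 passphrase=4"
    for candidate in ("xQ@ty9Rz", "Abcde!fgh12", "correct horse battery staple"):
        print(repr(candidate), meets_policy(candidate, policy))
```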
ESXi SSH Keys
SSH keys can restrict, control, and secure access to an ESXi host. An SSH key can allow a trusted user or script to log in to a host without specifying a password. You can copy the SSH key to the host by using the vifs vSphere CLI command. See Getting Started with vSphere Command-Line Interfaces for information on installing and using the vSphere CLI command set. You can also use HTTPS PUT to copy the SSH key to the host.
Procedure
- At the command line or an administration server, use the vifs command to upload the SSH key to an appropriate location on the ESXi host.
vifs --server hostname --username username --put filename /host/ssh_host_dsa_key_pub
Type of key | Location
Authorized key files for the root user | /host/ssh_root_authorized_keys
You must have full administrator privileges to upload this file.
PCI and PCIe Devices and ESXi
Using the VMware DirectPath I/O feature to pass through a PCI or PCIe device to a virtual machine results in a potential security vulnerability. The vulnerability can be triggered when buggy or malicious code, such as a device driver, is running in privileged mode in the guest OS. Industry-standard hardware and firmware do not currently have sufficient error containment support to protect ESXi hosts from the vulnerability.
ESXi Networking Security Recommendations
Isolation of network traffic is essential to a secure ESXi environment. Different networks require different access and level of isolation. Your ESXi host uses several networks. Use appropriate security measures for each network, and isolate traffic for specific applications and functions. For example, ensure that VMware vSphere vMotion traffic does not travel over networks where virtual machines are located. Isolation prevents snooping.
- To protect against misuse of ESXi services, most internal ESXi services are accessible only through port 443, the port used for HTTPS transmission. Port 443 acts as a reverse proxy for ESXi. You can see a list of services on ESXi through an HTTP welcome page, but you cannot directly access the Storage Adapters services without proper authorization. You can change this configuration so that individual services are directly accessible through HTTP connections.
Control Access for CIM-Based Hardware Monitoring Tools
The Common Information Model (CIM) system provides an interface that enables hardware-level management from remote applications using a set of standard APIs. To ensure that the CIM interface is secure, provide only the minimum access necessary to these remote applications. If you provision a remote application with a root or Administrator account, and if the application is compromised, the virtual environment can be compromised.
Certificates in vSphere 5.5 and in vSphere 6.x
When ESXi and vCenter Server communicate, they use TLS/SSL for almost all management traffic. In vSphere 5.5 and earlier, the TLS/SSL endpoints are secured only by a combination of user name, password, and thumbprint. Users can replace the corresponding self-signed certificates with their own certificates. See the vSphere 5.5 Documentation Center. In vSphere 6.0 and later, vCenter Server supports the following certificate modes for ESXi hosts.
ESXi Provisioning and VMCA
When you boot an ESXi host from installation media, the host initially has an autogenerated certificate. When the host is added to the vCenter Server system, it is provisioned with a certificate that is signed by VMCA as the root CA. The process is similar for hosts that are provisioned with Auto Deploy. However, because those hosts do not store any state, the signed certificate is stored by the Auto Deploy server in its local certificate store.
The recommended upgrade workflow depends on the current certificates.
Host Provisioned with Thumbprint Certificates
If your host is currently using thumbprint certificates, it is automatically assigned VMCA certificates as part of the upgrade process.
Note You cannot provision legacy hosts with VMCA certificates. You must upgrade those hosts to ESXi 6.0 or later.
Certificate Mode | Description
VMware Certificate Authority (default) | By default, the VMware Certificate Authority is used as the CA for ESXi host certificates. VMCA is the root CA by default, but it can be set up as the intermediary CA to another CA. In this mode, users can manage certificates from the vSphere Web Client. Also used if VMCA is a subordinate certificate.
Custom Certificate Authority | Some customers might prefer to manage their own external certificate authority.
Switching from Thumbprint Mode to VMCA Mode
If you use thumbprint mode and you want to start using VMCA-signed certificates, the switch requires some planning. The recommended workflow is as follows.
1 Remove all hosts from the vCenter Server system.
2 Switch to VMCA certificate mode. See Change the Certificate Mode.
3 Add the hosts to the vCenter Server system.
Note Any other workflow for this mode switch might result in unpredictable behavior.
Table 3‑3. ESXi CSR Settings
Parameter | Default Value | Advanced Option
Key Size | 2048 | N.A.
Key Algorithm | RSA | N.A.
Certificate Signature Algorithm | sha256WithRSAEncryption | N.A.
Common Name | Name of the host if the host was added to vCenter Server by host name. IP address of the host if the host was added to vCenter Server by IP address. | N.A.
Country | USA | vpxd.certmgmt.certs.cn.country
Email address | vmca@vmware.com | vpxd.certmgmt.certs.cn.email
Locality (City) | Palo Alto | vpxd.
Procedure
1 In the vSphere Web Client, select the vCenter Server system that manages the hosts.
2 Click Configure, and click Advanced Settings.
3 In the Filter box, enter certmgmt to display only certificate management parameters.
4 Change the value of the existing parameters to follow company policy and click OK.
View Certificate Details for a Single ESXi Host
For ESXi 6.0 and later hosts that are in VMCA mode or custom mode, you can view certificate details from the vSphere Web Client. The information about the certificate can be helpful for debugging.
Procedure
1 Browse to the host in the vSphere Web Client inventory.
2 Select Configure.
3 Under System, click Certificate.
You can examine the following information. This information is available only in the single-host view.
3 Under System, click Certificate.
You can view detailed information about the selected host's certificate.
4 Click Renew or Refresh CA Certificates.
Option | Description
Renew | Retrieves a fresh signed certificate for the host from VMCA.
Refresh CA Certificates | Pushes all certificates in the TRUSTED_ROOTS store in the vCenter Server VECS store to the host.
5 Click Yes to confirm.
The default certificates are in the same location as the vSphere 5.5 certificates. You can replace the default certificates with trusted certificates in a number of ways.
Note You can also use the vim.CertificateManager and vim.host.CertificateManager managed objects in the vSphere Web Services SDK. See the vSphere Web Services SDK documentation.
- CN (and SubjectAltName) set to the host name (or IP address) that the ESXi host has in the vCenter Server inventory.
Replace the Default Certificate and Key from the ESXi Shell
You can replace the default VMCA-signed ESXi certificates from the ESXi Shell.
Prerequisites
- If you want to use third-party CA-signed certificates, generate the certificate request, send it to the certificate authority, and store the certificates on each ESXi host.
- If necessary, enable the ESXi Shell or enable SSH traffic from the vSphere Web Client. See the vSphere Security publication for information on enabling access to the ESXi Shell.
- All file transfers and other communications occur over a secure HTTPS session. The user who is used to authenticate the session must have the privilege Host.Config.AdvancedConfig on the host. See the vSphere Security publication for information on assigning privileges through roles.
2 In your upload application, process each file as follows:
a Open the file.
b Publish the file to one of these locations.
Option | Description
Certificates | https://hostname/host/ssl_cert
Keys | https://hostname/host/ssl_key
The locations /host/ssl_cert and /host/ssl_key link to the certificate files in /etc/vmware/ssl.
3 Restart the host.
What to do next
Update the vCenter Server TRUSTED_ROOTS store. See Update the vCenter Server TRUSTED_ROOTS Store (Custom Certificates).
What to do next
Set certificate mode to Custom. If certificate mode is VMCA, the default, and you perform a certificate refresh, your custom certificates are replaced with VMCA-signed certificates. See Change the Certificate Mode.
Use Custom Certificates With Auto Deploy
By default, the Auto Deploy server provisions each host with certificates that are signed by VMCA. You can set up the Auto Deploy server to provision all hosts with custom certificates that are not signed by VMCA.
4 On the system where the Auto Deploy service runs, update the TRUSTED_ROOTS store in VECS to use your new certificates.
Option | Description
Windows | cd C:\Program Files\VMware\vCenter Server\vmafdd\ and run vecs-cli.exe
Linux | vecs-cli entry delete --store TRUSTED_ROOTS --alias rbd_cert
vecs-cli entry create --store TRUSTED_ROOTS --alias rbd_cert --cert /etc/vmware-rbd/ssl/rbd-ca.
Procedure
1 On the ESXi host, locate the file /etc/vmware/ssl/rui.bak. The file has the following format.
#
# Host private key and certificate backup from 2014-06-20 08:02:49.961
#
-----BEGIN PRIVATE KEY-----
previous key
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
previous cert
-----END CERTIFICATE-----
2 Copy the text starting with -----BEGIN PRIVATE KEY----- and ending with -----END PRIVATE KEY----- into the /etc/vmware/ssl/rui.key file.
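The copy step above done programmatically: a small parser, added here as an example and not part of the VMware documentation, that splits a rui.bak backup into its private key and certificate PEM blocks (comment lines ignored, BEGIN/END lines kept) so each can be written to rui.key and its certificate counterpart. The sample backup is constructed and its key and certificate bodies are placeholders, not real material.

```python
import re

# One PEM block: BEGIN line, body, matching END line (label such as PRIVATE KEY).
PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z ]+)-----\r?\n"
    r"(?P<body>.*?)"
    r"-----END (?P=label)-----",
    re.DOTALL,
)

# Constructed stand-in for /etc/vmware/ssl/rui.bak (bodies are placeholders).
SAMPLE_RUI_BAK = """\
#
# Host private key and certificate backup from 2014-06-20 08:02:49.961
#
-----BEGIN PRIVATE KEY-----
UExBQ0VIT0xERVIgS0VZ
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
UExBQ0VIT0xERVIgQ0VSVA==
-----END CERTIFICATE-----
"""


def split_backup(text: str) -> dict:
    """Return {'PRIVATE KEY': pem, 'CERTIFICATE': pem} from a rui.bak body.

    Lines starting with '#' are dropped first. Each value is the complete
    block including its BEGIN/END lines, which is what rui.key and the
    certificate file must contain. Raises ValueError if a block is missing
    or appears twice, so a truncated or doubled backup is not silently used.
    """
    text = "\n".join(l for l in text.splitlines() if not l.startswith("#"))
    blocks = {}
    for m in PEM_BLOCK.finditer(text):
        label = m.group("label")
        if label in blocks:
            raise ValueError(f"duplicate {label} block in backup")
        blocks[label] = m.group(0) + "\n"
    missing = {"PRIVATE KEY", "CERTIFICATE"} - blocks.keys()
    if missing:
        raise ValueError("backup is missing: " + ", ".join(sorted(missing)))
    return blocks


def restore_files(text: str, key_path: str, cert_path: str) -> None:
    """Write the key block to key_path (e.g. /etc/vmware/ssl/rui.key) and the
    certificate block to cert_path (the certificate file beside it)."""
    blocks = split_backup(text)
    with open(key_path, "w") as f:
        f.write(blocks["PRIVATE KEY"])
    with open(cert_path, "w") as f:
        f.write(blocks["CERTIFICATE"])


if __name__ == "__main__":
    for label, pem in split_backup(SAMPLE_RUI_BAK).items():
        print(label, "->", pem.count("\n"), "lines")
```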
As you open ports on the firewall, consider that unrestricted access to services running on an ESXi host can expose a host to outside attacks and unauthorized access. Reduce the risk by configuring the ESXi firewall to allow access only from authorized networks.
Note The firewall also allows Internet Control Message Protocol (ICMP) pings and communication with DHCP and DNS (UDP only) clients.
4 In the Firewall section, click Edit.
The display shows firewall rule sets, which include the name of the rule and the associated information.
5 Select the rule sets to enable, or deselect the rule sets to disable.
Column | Description
Incoming Ports and Outgoing Ports | The ports that the vSphere Web Client opens for the service
Protocol | Protocol that a service uses.
Daemon | Status of daemons associated with the service
6 For some services, you can manage service details.
- fd3e:29a6:0a81:e478::/64
6 Click OK.
Incoming and Outgoing Firewall Ports for ESXi Hosts
The vSphere Web Client and the VMware Host Client allow you to open and close firewall ports for each service or to allow traffic from selected IP addresses. The following table lists the firewalls for services that are installed by default. If you install other VIBs on your host, additional services and firewall ports might become available.
Table 3‑4. Incoming Firewall Connections (Continued)
Port | Protocol | Service | Description
8000 | TCP | vMotion | Required for virtual machine migration with vMotion. ESXi hosts listen on port 8000 for TCP connections from remote ESXi hosts for vMotion traffic.
902, 443 | TCP | vSphere Web Client | Client connections
8080 | TCP | vsanvp | vSAN VASA Vendor Provider.
Table 3‑5. Outgoing Firewall Connections (Continued)
Port | Protocol | Service | Description
5671 | TCP | rabbitmqproxy | A proxy running on the ESXi host. This proxy allows applications that are running inside virtual machines to communicate with the AMQP brokers that are running in the vCenter network domain. The virtual machine does not have to be on the network, that is, no NIC is required. Ensure that outgoing connection IP addresses include at least the brokers in use or future.
vSphere Security n If the nfsClient rule set is enabled, the state of the rule set and the allowed IP address policy are not changed. The IP address of the NFS server is added to the allowed list of outgoing IP addresses. Note If you manually enable the nfsClient rule set or manually set the Allow All IP Addresses policy, either before or after you add an NFS v3 datastore to the system, your settings are overridden when the last NFS v3 datastore is unmounted.
Table 3‑7. Firewall Commands (Continued)
Command: esxcli network firewall ruleset set --allowed-all
Description: Set to true to allow all access to all IPs. Set to false to use a list of allowed IP addresses.
Command: esxcli network firewall ruleset set --enabled=<true|false> --ruleset-id=<ruleset-id>
Description: Set enabled to true to enable the specified ruleset. Set enabled to false to disable the specified ruleset.
Command: esxcli network firewall ruleset allowedip list
Description: List the allowed IP addresses of the specified rule set.
Table 3‑8. ESXi Services in the Security Profile
Service: Direct Console UI. Default: Running. Description: The Direct Console User Interface (DCUI) service allows you to interact with an ESXi host from the local console host using text-based menus.
Service: ESXi Shell. Default: Stopped. Description: The ESXi Shell is available from the Direct Console User Interface and includes a set of fully supported commands and a set of commands for troubleshooting and remediation.
Procedure
1 Browse to a host in the vSphere Web Client inventory, and select a host.
2 Click Configure.
3 Under System, select Security Profile and click Edit.
4 Scroll to the service that you want to change.
5 In the Service Details pane, select Start, Stop, or Restart for a one-time change to the host's status, or select from the Startup Policy menu to change the status of the host across reboots.
Lockdown Mode Behavior
In lockdown mode, some services are disabled, and some services are accessible only to certain users.
Lockdown Mode Services for Different Users
When the host is running, the available services depend on whether lockdown mode is enabled, and on the type of lockdown mode.
- In strict and normal lockdown mode, privileged users can access the host through vCenter Server, either from the vSphere Web Client or by using the vSphere Web Services SDK.
Table 3‑9. Lockdown Mode Behavior (Continued)
Service: ESXi Shell (if enabled). Normal Mode: Users with administrator privileges on the host. Normal Lockdown Mode: Users defined in the DCUI.Access advanced option. Strict Lockdown Mode: Users defined in the DCUI.Access advanced option; exception users with administrator privileges on the host.
Service: SSH (if enabled). Normal Mode: Users with administrator privileges on the host. Normal Lockdown Mode: Users defined in the DCUI.
5 Click Lockdown Mode and select one of the lockdown mode options.
Option: Normal. The host can be accessed through vCenter Server. Only users who are on the Exception Users list and have administrator privileges can log in to the Direct Console User Interface. If SSH or the ESXi Shell is enabled, access might be possible.
Option: Strict. The host can only be accessed through vCenter Server. If SSH or the ESXi Shell is enabled, running sessions for accounts in the DCUI.
- Users defined in the DCUI.Access advanced option for the host. This option can be used to enable access in case of catastrophic failure.
For ESXi 6.0 and later, user permissions are preserved when you enable lockdown mode. User permissions are restored when you disable lockdown mode from the Direct Console User Interface.
Note: If you upgrade a host that is in lockdown mode to ESXi version 6.
Add Users to the DCUI.Access Advanced Option
The main purpose of the DCUI.Access advanced option is to allow you to exit lockdown mode in case of catastrophic failure, when you cannot access the host from vCenter Server. You add users to the list by editing the Advanced Settings for the host from the vSphere Web Client.
Note: Users in the DCUI.Access list can change lockdown mode settings regardless of their privileges. This can impact the security of your host.
4 In the Lockdown Mode panel, click Edit.
5 Click Exception Users and click the plus icon to add exception users.
Manage the Acceptance Levels of Hosts and VIBs
The acceptance level of a VIB depends on the amount of certification of that VIB. The acceptance level of the host depends on the level of the lowest VIB. You can change the acceptance level of the host if you want to allow lower-level VIBs. You can remove CommunitySupported VIBs to be able to change the host acceptance level.
PartnerSupported: VIBs with the PartnerSupported acceptance level are published by a partner that VMware trusts. The partner performs all testing. VMware does not verify the results. This level is used for a new or nonmainstream technology that partners want to enable for VMware systems. Today, driver VIB technologies such as Infiniband, ATAoE, and SSD are at this level with nonstandard hardware drivers.
You can select the ESXi host object in the vCenter Server object hierarchy and assign the administrator role to a limited number of users. Those users can then perform direct management on the ESXi host. See Using Roles to Assign Privileges. Best practice is to create at least one named user account, assign it full administrative privileges on the host, and use this account instead of the root account.
This common root account can make it easier to break into an ESXi host because the name is already known. Having a common root account also makes it harder to match actions to users. For better auditing, create individual accounts with Administrator privileges. Set a highly complex password for the root account and limit the use of the root account, for example, for use when adding a host to vCenter Server. Do not remove the root account.
Using Active Directory to Manage ESXi Users
You can configure ESXi to use a directory service such as Active Directory to manage users. Creating local user accounts on each host presents challenges with having to synchronize account names and passwords across multiple hosts. Join ESXi hosts to an Active Directory domain to eliminate the need to create and maintain local user accounts.
2 Ensure that the DNS servers that you configured for the host can resolve the host names for the Active Directory controllers.
a Browse to the host in the vSphere Web Client object navigator.
b Click Configure.
c Under Networking, click TCP/IP configuration.
d Under TCP/IP Stack: Default, click DNS and verify that the host name and DNS server information for the host are correct.
What to do next
Use the vSphere Web Client to join a directory service domain.
View Directory Service Settings
You can view the type of directory server, if any, that the host uses to authenticate users and the directory server settings.
Procedure
1 Browse to the host in the vSphere Web Client inventory.
2 Click Configure.
3 Under System, select Authentication Services.
The Authentication Services page displays the directory service and domain settings.
In that case, you add the host's IP address to the vSphere Authentication Proxy access control list, and vSphere Authentication Proxy authorizes the host based on its IP address by default. You can enable client authentication to have vSphere Authentication Proxy check the host's certificate.
Note: You cannot use vSphere Authentication Proxy in an environment that supports only IPv6.
Add a Domain to vSphere Authentication Proxy with the vSphere Web Client
You can add a domain to vSphere Authentication Proxy from the vSphere Web Client or by using the camconfig command. You can add a domain to vSphere Authentication Proxy only after you enable the proxy. After you add the domain, vSphere Authentication Proxy adds all hosts that you provision with Auto Deploy to that domain.
3 Go to the directory where the camconfig script is located.
OS: vCenter Server Appliance. Location: /usr/lib/vmware-vmcam/bin/
OS: vCenter Server Windows. Location: C:\Program Files\VMware\CIS\vmcamd\
4 Run the following command to add the domain and user Active Directory credentials to the Authentication Proxy configuration.
camconfig add-domain -d domain -u user
You are prompted for a password. vSphere Authentication Proxy caches that username and password.
Procedure
1 Connect to a vCenter Server system with the vSphere Web Client.
2 Browse to the host in the vSphere Web Client and click Configure.
3 Under Settings, select Authentication Services.
4 Click Join Domain.
5 Enter a domain. Use the form name.tld, for example mydomain.com, or name.tld/container/path, for example mydomain.com/organizational_unit1/organizational_unit2.
6 Select Using Proxy Server.
4 Run the following command to enable client authentication.
camconfig ssl-cliAuth -e
Going forward, vSphere Authentication Proxy checks the certificate of each host that is added.
5 If you later want to disable client authentication again, run the following command.
camconfig ssl-cliAuth -n
Import the vSphere Authentication Proxy Certificate to ESXi Host
By default, ESXi hosts require explicit verification of the vSphere Authentication Proxy certificate.
Procedure
1 Make a copy of certool.cfg.
cp /usr/lib/vmware-vmca/share/config/certool.cfg /var/lib/vmware/vmcam/ssl/vmcam.cfg
2 Edit the copy with some information about your organization, as in the following example.
Country = IE
Name = vmcam
Organization = VMware
OrgUnit = vTSU
State = Cork
Locality = Cork
Hostname = test-cam-1.test1.vmware.com
3 Generate the new private key in /var/lib/vmware/vmcam/ssl/.
Procedure
1 Generate a CSR for vSphere Authentication Proxy.
a Create a configuration file, /var/lib/vmware/vmcam/ssl/vmcam.cfg, as in the following example.
[ req ]
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req
[ v3_req ]
basicConstraints = CA:false
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = DNS:olearyf-static-1.csl.vmware.
4 Stop the vSphere Authentication Proxy service.
Tool: vSphere Web Client. Steps: a Click Administration, and click System Configuration under Deployment. b Click Services, click the VMware vSphere Authentication Proxy service, and stop the service.
Tool: CLI. Steps: service-control --stop vmcam
5 Replace the existing rui.crt certificate and rui.key files with the files that you received from your CA.
6 Restart the vSphere Authentication Proxy service.
Enable Smart Card Authentication
Enable smart card authentication to prompt for a smart card and PIN combination to log in to the ESXi DCUI.
Prerequisites
- Set up the infrastructure to handle smart card authentication, such as accounts in the Active Directory domain, smart card readers, and smart cards.
- Configure ESXi to join an Active Directory domain that supports smart card authentication. For more information, see Using Active Directory to Manage ESXi Users.
Authenticating With User Name and Password in Case of Connectivity Problems
If the Active Directory (AD) domain server is not reachable, you can log in to the ESXi DCUI by using user name and password authentication to perform emergency actions on the host. In exceptional circumstances, the AD domain server is not reachable to authenticate the user credentials on the smart card because of connectivity problems, network outage, or disasters.
See vSphere Security.
Direct Console UI (DCUI)
When you enable this service while running in lockdown mode, you can log in locally to the direct console user interface as the root user and disable lockdown mode. You can then access the host using a direct connection to the VMware Host Client or by enabling the ESXi Shell. The root user and users with the Administrator role can access the ESXi Shell.
5 Select a service from the list.
- ESXi Shell
- SSH
- Direct Console UI
6 Click Service Details and select the startup policy Start and stop manually. When you select Start and stop manually, the service does not start when you reboot the host. If you want the service to start when you reboot the host, select Start and stop with host.
7 Select Start to enable the service.
8 Click OK.
What to do next
Set the availability and idle timeouts for the ESXi Shell.
Create a Timeout for Idle ESXi Shell Sessions in the vSphere Web Client
If a user enables the ESXi Shell on a host, but forgets to log out of the session, the idle session remains connected indefinitely. The open connection can increase the potential for someone to gain privileged access to the host. You can prevent this by setting a timeout for idle sessions. The idle timeout is the amount of time that can elapse before a user is logged out of an idle interactive session.
What to do next
Set the availability and idle timeouts for the ESXi Shell. See Create a Timeout for ESXi Shell Availability in the Direct Console User Interface and Create a Timeout for Idle ESXi Shell Sessions.
Create a Timeout for ESXi Shell Availability in the Direct Console User Interface
The ESXi Shell is disabled by default. You can set an availability timeout for the ESXi Shell to increase security when you enable the shell.
Log in to the ESXi Shell for Troubleshooting
Perform ESXi configuration tasks with the vSphere Web Client, the vSphere CLI, or vSphere PowerCLI. Log in to the ESXi Shell (formerly Tech Support Mode or TSM) for troubleshooting purposes only.
Procedure
1 Log in to the ESXi Shell using one of the following methods.
- If you have direct access to the host, press Alt+F1 to open the login page on the machine's physical console.
Figure 3‑1. UEFI Secure Boot (figure: UEFI firmware with the UEFI CA public key, the bootloader with the VMware public key, the VMkernel, the secure boot VIB verifier, the ESXi base system, drivers and modules, and management apps such as hostd and dcui; the root of trust and the VMware public key are marked as stages 1 and 2)
With secure boot enabled, the boot sequence proceeds as follows.
1 Starting with vSphere 6.5, the ESXi bootloader contains a VMware public key.
- If a package (VIB or driver) has been tampered with, a purple screen with the following message appears.
UEFI Secure Boot failed: Failed to verify signatures of the following vibs (XX)
To resolve issues with secure boot, follow these steps.
1 Reboot the host with secure boot disabled.
2 Run the secure boot verification script (see Run the Secure Boot Validation Script on an Upgraded ESXi Host).
3 Examine the information in the /var/log/esxupdate.log file.
Procedure
1 Upgrade ESXi and run the following command.
/usr/lib/vmware/secureboot/bin/secureBoot.py -c
2 Check the output. The output includes either Secure boot can be enabled or Secure boot CANNOT be enabled.
ESXi Log Files
Log files are an important component of troubleshooting attacks and obtaining information about breaches. Logging to a secure, centralized log server can help prevent log tampering. Remote logging also provides a long-term audit record.
5 To set up logging globally, select the setting to change and click Edit.
Option: Syslog.global.defaultRotate. Description: Maximum number of archives to keep. You can set this number globally and for individual subloggers.
Option: Syslog.global.defaultSize. Description: Default size of the log, in KB, before the system rotates logs. You can set this number globally and for individual subloggers.
Option: Syslog.global.LogDir. Description: Directory where logs are stored.
Component: Shell log. Location: /var/log/shell.log. Purpose: Contains a record of all commands typed into the ESXi Shell as well as shell events (for example, when the shell was enabled).
Component: Authentication. Location: /var/log/auth.log. Purpose: Contains all events related to authentication for the local system.
Component: System messages. Location: /var/log/syslog.log. Purpose: Contains all general log messages and can be used for troubleshooting. This information was formerly located in the messages log file.
4 Securing vCenter Server Systems
Securing vCenter Server includes ensuring security of the host where vCenter Server is running, following best practices for assigning privileges and roles, and verifying the integrity of the clients that connect to vCenter Server.
- Make sure that applications use unique service accounts when connecting to a vCenter Server system.
Monitor Privileges of vCenter Server Administrator Users
Not all administrator users must have the Administrator role. Instead, create a custom role with the appropriate set of privileges and assign it to other administrators. Users with the vCenter Server Administrator role have privileges on all objects in the hierarchy.
Check Privileges After vCenter Server Restart
Check for privilege reassignment when you restart vCenter Server. If the user or group that has the Administrator role on the root folder cannot be validated during a restart, the role is removed from that user or group. In its place, vCenter Server grants the Administrator role to the vCenter Single Sign-On administrator, administrator@vsphere.local by default. This account can then act as the vCenter Server administrator.
Protecting the vCenter Server Windows Host
Protect the Windows host where vCenter Server is running against vulnerabilities and attacks by ensuring that the host environment is as secure as possible.
- Maintain a supported operating system, database, and hardware for the vCenter Server system. If vCenter Server is not running on a supported operating system, it might not run properly, making vCenter Server vulnerable to attacks.
- Keep the vCenter Server system properly patched.
Evaluate the Use of Linux Clients with CLIs and SDKs
Communications between client components and a vCenter Server system or ESXi hosts are protected by SSL-based encryption by default. Linux versions of these components do not perform certificate validation. Consider restricting the use of these clients. To improve security, you can replace the VMCA-signed certificates on the vCenter Server system and on the ESXi hosts with certificates that are signed by an enterprise or third-party CA.
3 Examine the list of client plug-ins.
vCenter Server Appliance Security Best Practices
Follow all best practices for securing a vCenter Server system to secure your vCenter Server Appliance. Additional steps help you make your appliance more secure.
Configure NTP
Ensure that all systems use the same relative time source. This time source must be in sync with an agreed-upon time standard such as Coordinated Universal Time (UTC).
vCenter Server Passwords
In vCenter Server, password requirements are dictated by vCenter Single Sign-On or by the configured identity source, which can be Active Directory or OpenLDAP.
vCenter Single Sign-On Lockout Behavior
Users are locked out after a preset number of consecutive failed attempts. By default, users are locked out after five consecutive failed attempts in three minutes, and a locked account is unlocked automatically after five minutes.
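The following added example (not VMware code) models the default lockout behavior just described, so that the effect of the three-minute interval and the five-minute automatic unlock can be checked against a sequence of login attempts. How the interval is applied is an assumption: a failure more than 180 seconds after the previous one restarts the count; the attempt sequences are constructed.

```python
"""Model of the vCenter Single Sign-On lockout defaults described above.

Added example, not VMware code.  Defaults from the documentation: lock after
5 consecutive failed attempts within 3 minutes, automatic unlock after
5 minutes.  Assumption: a failure more than 180 s after the previous failure
restarts the count, as a "time interval between failures" setting behaves.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class LockoutPolicy:
    max_failures: int = 5        # consecutive failed attempts before lockout
    failure_interval: int = 180  # seconds; a longer gap restarts the count
    unlock_after: int = 300      # seconds until a locked account unlocks


@dataclass
class AccountState:
    failures: int = 0
    last_failure: Optional[float] = None
    locked_at: Optional[float] = None


class LockoutTracker:
    """Tracks login outcomes per user and applies the lockout policy."""

    def __init__(self, policy: Optional[LockoutPolicy] = None):
        self.policy = policy or LockoutPolicy()
        self.accounts: Dict[str, AccountState] = {}

    def _state(self, user: str) -> AccountState:
        return self.accounts.setdefault(user, AccountState())

    def is_locked(self, user: str, now: float) -> bool:
        st = self._state(user)
        if st.locked_at is None:
            return False
        if now - st.locked_at >= self.policy.unlock_after:
            # Automatic unlock: clear the lock and the failure count.
            st.locked_at = None
            st.failures = 0
            st.last_failure = None
            return False
        return True

    def attempt(self, user: str, password_ok: bool, now: float) -> str:
        """Record one login attempt; returns 'locked', 'ok' or 'failed'."""
        st = self._state(user)
        if self.is_locked(user, now):
            return "locked"          # rejected even if the password is right
        if password_ok:
            st.failures = 0          # "consecutive": a success resets the count
            st.last_failure = None
            return "ok"
        if st.last_failure is not None and now - st.last_failure > self.policy.failure_interval:
            st.failures = 0          # gap exceeded the interval: start over
        st.failures += 1
        st.last_failure = now
        if st.failures >= self.policy.max_failures:
            st.locked_at = now
            return "locked"
        return "failed"


def simulate(events: List[Tuple[str, bool, float]]) -> List[str]:
    """Replay (user, password_ok, seconds) events and return the outcomes."""
    tracker = LockoutTracker()
    return [tracker.attempt(user, ok, t) for user, ok, t in events]


# Constructed scenario: five rapid failures lock the account, a correct
# password during the lockout is still rejected, and it works after 5 min.
BURST = [("alice", False, t) for t in (0, 10, 20, 30, 40)] + [
    ("alice", True, 100),
    ("alice", True, 341),
]
# Constructed scenario: the same five failures spaced more than 3 minutes
# apart never reach the threshold.
SLOW = [("bob", False, t) for t in (0, 200, 400, 600, 800)]

if __name__ == "__main__":
    print(simulate(BURST))
    print(simulate(SLOW))
```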
6 If any of your ESXi 5.5 or earlier hosts require manual validation, compare the thumbprints listed for the hosts to the thumbprints in the host console. To obtain the host thumbprint, use the Direct Console User Interface (DCUI).
a Log in to the direct console and press F2 to access the System Customization menu.
b Select View Support Information. The host thumbprint appears in the column on the right.
7 If the thumbprint matches, select the Verify check box next to the host.
Required Ports for vCenter Server and Platform Services Controller
The vCenter Server system, both on Windows and in the appliance, must be able to send data to every managed host and receive data from the vSphere Web Client and the Platform Services Controller services. To enable migration and provisioning activities between managed hosts, the source and destination hosts must be able to receive data from each other.
Table 4‑1. Ports Required for Communication Between Components (Continued). Columns: Port, Protocol, Description, Required for, Used for Node-to-Node Communication
Port: 80. Protocol: TCP. Description: vCenter Server requires port 80 for direct HTTP connections. Port 80 redirects requests to HTTPS port 443. This redirection is useful if you accidentally use http://server instead of https://server. Required for: Windows installations and appliance deployments of WS-Management (also requires port 443 to be open).
Port: 443. Protocol: TCP. Description: The default port that the vCenter Server system uses to listen for connections from the vSphere Web Client. To enable the vCenter Server system to receive data from the vSphere Web Client, open port 443 in the firewall.
Port: 902. Protocol: TCP/UDP. Description: The default port that the vCenter Server system uses to send data to managed hosts. Managed hosts also send a regular heartbeat over UDP port 902 to the vCenter Server system. This port must not be blocked by firewalls between the server and the hosts or between hosts.
Port: 2020. Protocol: TCP/UDP. Description: Authentication framework management. Required for: Windows installations and appliance deployments of
Important: You can change this port number during the vCenter Server and Platform Services Controller installations on Windows.
Port: 5480. Protocol: TCP. Description: Appliance Management Interface. Open endpoint serving all HTTPS, XML-RPC and JSON-RPC requests over HTTPS.
Port: 7444. Protocol: TCP. Description: Secure Token Service. Required for: Windows installations and appliance deployments of Platform Services Controller. For backward compatibility with vSphere 5.5 only.
Port: 8084. Protocol: TCP. Description: vSphere Update Manager SOAP port. The port used by the vSphere Update Manager client plug-in to connect to the vSphere Update Manager SOAP server.
Port: 11711. Protocol: TCP. Description: vCenter Single Sign-On LDAP. Required for: Windows installations and appliance deployments of Platform Services Controller. During upgrade from vSphere 5.5 only.
Windows installations and appliance deployments of Platform Services Controller. During upgrade from vSphere 5.5 only. For backward compatibility with vSphere 5.5 only.
Table 4‑2. vCenter Server TCP and UDP Ports (Continued). Columns: Port, Protocol, Description
Port: 15007, 15008. Protocol: TCP. Description: vService Manager (VSM). This service registers vCenter Server extensions. Open this port only if required by extensions that you intend to use.
Port: 31031, 44046 (Default). Protocol: TCP. Description: vSphere Replication.
Port: 5355. Protocol: UDP. Description: The systemd-resolve process uses this port to resolve domain names, IPv4 and IPv6 addresses, DNS resource records, and services.
The following ports are used only internally.
Table 4‑3. vCenter Server TCP and UDP Ports (Continued). Columns: Port, Description
Port: 12080. Description: License service internal port.
Port: 12346, 12347, 4298. Description: Internal port for VMware Cloud Management SDKs (vAPI).
Port: 13080, 6070. Description: Used internally by the Performance Charts service.
Port: 14080. Description: Used internally by the syslog service.
Port: 15005, 15006. Description: ESX Agent Manager internal port.
Port: 16666, 16667. Description: Content Library ports.
Port: 18090. Description: Content Manager internal port.
Port: 18091. Description: Component Manager internal port.
5 Securing Virtual Machines
The guest operating system that runs in the virtual machine is subject to the same security risks as a physical system. Secure virtual machines just like physical machines, and follow the best practices discussed in this document and in the Hardening Guide.
For Linux virtual machines, VMware Host-Guest Filesystem is not supported in secure boot mode. Remove VMware Host-Guest Filesystem from VMware Tools before you enable secure boot.
Note: If you turn on secure boot for a virtual machine, you can load only signed drivers into that virtual machine.
Prerequisites
You can enable secure boot only if all prerequisites are met. If the prerequisites are not met, the check box is not visible in the vSphere Web Client.
Limit Informational Messages From Virtual Machines to VMX Files
Limit informational messages from the virtual machine to the VMX file to avoid filling the datastore and causing a Denial of Service (DoS). A DoS can occur when you do not control the size of a virtual machine's VMX file and the amount of information exceeds datastore capacity. The virtual machine configuration file (VMX file) limit is 1 MB by default.
2 Right-click the virtual machine and click Edit Settings.
3 Select VM Options.
4 Click Advanced and click Edit Configuration.
5 Add or edit the following parameters.
Name: isolation.tools.diskWiper.disable. Value: TRUE
Name: isolation.tools.diskShrink.disable. Value: TRUE
6 Click OK.
When you disable this feature, you cannot shrink virtual machine disks when a datastore runs out of space.
General Virtual Machine Protection
A virtual machine is, in most respects, the equivalent of a physical server. Employ the same security measures in virtual machines that you do for physical systems. Follow these best practices to protect your virtual machine:
Patches and other protection: Keep all security measures up-to-date, including applying appropriate patches.
Procedure
- Provide templates for virtual machine creation that contain hardened, patched, and properly configured operating system deployments. If possible, deploy applications in templates as well. Ensure that the applications do not depend on information specific to the virtual machine to be deployed.
What to do next
For more information about templates, see the vSphere Virtual Machine Administration documentation.
4 In each resource pool, leave Shares set to the default to ensure that each virtual machine in the pool receives approximately the same resource priority. With this setting, a single virtual machine cannot use more than other virtual machines in the resource pool.
What to do next
See the vSphere Resource Management documentation for information about shares and limits.
Procedure
1 Log in to a vCenter Server system using the vSphere Web Client.
2 Right-click the virtual machine and click Edit Settings.
3 Disable hardware devices that are not required. Include checks for the following devices:
- Floppy drives
- Serial ports
- Parallel ports
- USB controllers
- CD-ROM drives
Disable Unused Display Features
Attackers can use an unused display feature as a vector for inserting malicious code into your environment.
Disable Unexposed Features
VMware virtual machines can work both in a vSphere environment and on hosted virtualization platforms such as VMware Workstation and VMware Fusion. Certain virtual machine parameters do not need to be enabled when you run a virtual machine in a vSphere environment. Disable these parameters to reduce the potential for vulnerabilities.
Prerequisites
Turn off the virtual machine.
3 Select VM Options.
4 Click Advanced and click Edit Configuration.
5 Verify that the isolation.tools.hgfsServerSet.disable parameter is set to TRUE.
When you make this change, the VMX process no longer responds to commands from the tools process. APIs that use HGFS to transfer files to and from the guest operating system, such as some VIX commands or the VMware Tools auto-upgrade utility, no longer work.
Limiting Exposure of Sensitive Data Copied to the Clipboard
Copy and paste operations are disabled by default for hosts to prevent exposing sensitive data that has been copied to the clipboard. When copy and paste is enabled on a virtual machine running VMware Tools, you can copy and paste between the guest operating system and the remote console.
What to do next
Select the vCenter Server system or the host and assign a permission that pairs the user or group that should have the new privileges to the newly created role. Remove those users from the Administrator role.
Prevent a Virtual Machine User or Process From Disconnecting Devices
Users and processes without root or Administrator privileges within virtual machines can connect or disconnect devices, such as network adapters and CD-ROM drives, and can modify device settings.
Procedure
1 Log in to a vCenter Server system using the vSphere Web Client and find the virtual machine.
a In the Navigator, select VMs and Templates.
b Find the virtual machine in the hierarchy.
2 Right-click the virtual machine and click Edit Settings.
3 Select VM Options.
4 Click Advanced and click Edit Configuration.
5 Click Add Row and type the following values in the Name and Value columns.
Column: Name. Value: isolation.tools.setinfo.
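The isolation parameters from the procedures in this chapter (disk shrinking and wiping, the HGFS server, clipboard copy and paste, device connection and editing) and the unused-hardware checklist can be verified directly against a virtual machine's .vmx file. The following added example (not VMware code) parses a .vmx file and lists which of these settings are missing or weak and which removable devices are still present; the diskWiper, diskShrink and hgfsServerSet keys are the ones named on this page, while the copy/paste and device isolation keys and the CD-ROM deviceType values are assumed from standard VMX syntax, and the .vmx contents are constructed samples.

```python
"""Audit a virtual machine's .vmx file for the isolation settings discussed
in this chapter.  Added example, not VMware code.

Keys named on the page: isolation.tools.diskWiper.disable,
isolation.tools.diskShrink.disable, isolation.tools.hgfsServerSet.disable.
The clipboard and device-isolation keys and the CD-ROM deviceType values are
assumed from standard VMX syntax.  The .vmx contents below are constructed.
"""
import re
from typing import Dict, List

# Parameter -> value the chapter asks for (TRUE disables the feature).
EXPECTED: Dict[str, str] = {
    "isolation.tools.diskWiper.disable": "TRUE",
    "isolation.tools.diskShrink.disable": "TRUE",
    "isolation.tools.hgfsServerSet.disable": "TRUE",
    "isolation.tools.copy.disable": "TRUE",          # assumed key (clipboard)
    "isolation.tools.paste.disable": "TRUE",         # assumed key (clipboard)
    "isolation.device.connectable.disable": "TRUE",  # assumed key (devices)
    "isolation.device.edit.disable": "TRUE",         # assumed key (devices)
}

# Removable hardware the chapter says to check for, matched on "<dev>.present".
DEVICE_PATTERNS = [
    (re.compile(r"^floppy\d+\.present$"), "floppy drive"),
    (re.compile(r"^serial\d+\.present$"), "serial port"),
    (re.compile(r"^parallel\d+\.present$"), "parallel port"),
    (re.compile(r"^usb\.present$"), "USB controller"),
]

# VMX lines look like:  key = "value"   (keys may contain ':' as in ide1:0.present)
VMX_LINE = re.compile(r'^\s*([A-Za-z0-9_.:\-]+)\s*=\s*"(.*)"\s*$')


def parse_vmx(text: str) -> Dict[str, str]:
    """Return the key/value pairs of a .vmx file.  Keys are lower-cased
    because VMX keys are case-insensitive."""
    cfg: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = VMX_LINE.match(line)
        if m:
            cfg[m.group(1).lower()] = m.group(2)
    return cfg


def audit_vmx(text: str) -> List[str]:
    """Return one finding per hardening gap; an empty list means compliant."""
    cfg = parse_vmx(text)
    findings: List[str] = []
    # 1. Isolation parameters.  A missing key counts as weak, because the
    #    feature stays enabled unless the key is explicitly set.
    for key, want in EXPECTED.items():
        have = cfg.get(key.lower())
        if have is None:
            findings.append(f"{key} not set (expected {want})")
        elif have.upper() != want:
            findings.append(f"{key} = {have} (expected {want})")
    # 2. Removable devices still attached to the virtual machine.
    for key, val in cfg.items():
        for pattern, label in DEVICE_PATTERNS:
            if pattern.match(key) and val.upper() == "TRUE":
                findings.append(f"{label} present: {key}")
        # CD-ROM drives are IDE/SATA slots whose deviceType contains "cdrom"
        # (assumed values such as cdrom-image or cdrom-raw).
        if key.endswith(".devicetype") and "cdrom" in val.lower():
            slot = key[: -len(".devicetype")]
            if cfg.get(f"{slot}.present", "").upper() == "TRUE":
                findings.append(f"CD-ROM drive present: {slot}")
    return findings


# Constructed sample: a partly hardened VM with leftover devices.
WEAK_VMX = """\
.encoding = "UTF-8"
config.version = "8"
displayName = "web01"
isolation.tools.diskWiper.disable = "TRUE"
isolation.tools.diskShrink.disable = "FALSE"
isolation.tools.hgfsServerSet.disable = "TRUE"
floppy0.present = "TRUE"
serial0.present = "FALSE"
usb.present = "TRUE"
ide1:0.present = "TRUE"
ide1:0.deviceType = "cdrom-image"
"""

# Constructed sample: every parameter set and no removable hardware.
HARDENED_VMX = "\n".join(f'{k} = "{v}"' for k, v in EXPECTED.items()) + "\n"

if __name__ == "__main__":
    for finding in audit_vmx(WEAK_VMX):
        print("FINDING:", finding)
    print("hardened findings:", audit_vmx(HARDENED_VMX))
```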
Virtual Machine Encryption 6 Starting with vSphere 6.5, you can take advantage of virtual machine encryption. Encryption protects not only your virtual machine but also virtual machine disks and other files. You set up a trusted connection between vCenter Server and a key management server (KMS). vCenter Server can then retrieve keys from the KMS as needed. You manage different aspects of virtual machine encryption in different ways.
vSphere Security How vSphere Virtual Machine Encryption Protects Your Environment With vSphere Virtual Machine Encryption, you can create encrypted virtual machines and encrypt existing virtual machines. Because all virtual machine files with sensitive information are encrypted, the virtual machine is protected. Only administrators with encryption privileges can perform encryption and decryption tasks. What Keys Are Used Two types of keys are used for encryption.
vSphere Security You can use the vSphere API to perform either a shallow recrypt operation with a new KEK or deep recrypt operation with a new internal key. Core dumps Core dumps on an ESXi host that has encryption mode enabled are always encrypted. See vSphere Virtual Machine Encryption and Core Dumps. Note Core dumps on the vCenter Server system are not encrypted. Be sure to protect access to the vCenter Server system.
vSphere Security Table 6‑1. Interfaces for Performing Cryptographic Operations Interface Operations Information vSphere Web Client Create encrypted virtual machine This book. Encrypt and decrypt virtual machines vSphere Web Services SDK Create encrypted virtual machine Encrypt and decrypt virtual machines Perform a deep recrypt of a virtual machine (use a different DEK).
vSphere Security If your environment uses different KMS vendors in different environments, you can add a KMS cluster for each KMS and specify a default KMS cluster. The first cluster that you add becomes the default cluster. You can explicitly specify the default later. As a KMIP client, vCenter Server uses the Key Management Interoperability Protocol (KMIP) to make it easy to use the KMS of your choice. vCenter Server Only vCenter Server has the credentials for logging in to the KMS.
vSphere Security Figure 6‑2. vSphere Virtual Encryption Architecture Third-Party Key Management Server Managed VM Keys vSphere vCenter Server Managed VM key IDs ESXi Managed VM keys protect internal encryption keys Encrypted VM During the encryption process, different vSphere components interact as follows. 1 When the user performs an encryption task, for example, creating an encrypted virtual machine, vCenter Server requests a new key from the default KMS. This key will be used as the KEK.
Virtual Disk Encryption
When you create an encrypted virtual machine from the vSphere Web Client, all virtual disks are encrypted. You can later add disks and set their encryption policies. You cannot add an encrypted disk to a virtual machine that is not encrypted, and you cannot encrypt a disk if the virtual machine is not encrypted. Encryption for a virtual machine and its disks is controlled through storage policies.
Prerequisites and Required Privileges for Encryption Tasks
Encryption tasks are possible only in environments that include vCenter Server. In addition, the ESXi host must have encryption mode enabled for most encryption tasks. The user who performs the task must have the appropriate privileges. A set of Cryptographic Operations privileges allows fine-grained control. If virtual machine encryption tasks require a change to the host encryption mode, additional privileges are required.
Assume that a cluster has three ESXi hosts, host A, B, and C. You add an encrypted virtual machine to host A. What happens depends on several factors.
- If hosts A, B, and C already have encryption enabled, you need only Cryptographic operations.Encrypt new privileges to create the virtual machine.
- If hosts A and B are enabled for encryption and C is not enabled, the system proceeds as follows.
  - Assume that you have both the Cryptographic operations.
Encrypted vSphere vMotion States
For virtual machines that are not encrypted, you can set encrypted vSphere vMotion to one of the following states. The default is Opportunistic.

Disabled        Do not use encrypted vSphere vMotion.
Opportunistic   Use encrypted vSphere vMotion if source and destination hosts support it. Only ESXi versions 6.5 and later use encrypted vSphere vMotion.
Required        Allow only encrypted vSphere vMotion.
- Do not edit VMX files and VMDK descriptor files. These files contain the encryption bundle. Your changes might make the virtual machine unrecoverable, and that recovery problem cannot be fixed.
- The encryption process encrypts data on the host before it is written to storage. Backend storage features such as deduplication and compression might not be effective for encrypted virtual machines. Consider storage tradeoffs when using vSphere Virtual Machine Encryption.
The KMIP standard defines the following states for keys.
- Pre-Active
- Active
- Deactivated
- Compromised
- Destroyed
- Destroyed Compromised

vSphere Virtual Machine Encryption uses only Active keys for encryption. If a key is Pre-Active, vSphere Virtual Machine Encryption activates it. If the key state is Deactivated, Compromised, Destroyed, or Destroyed Compromised, you cannot encrypt a virtual machine or disk with that key.
Storage Policy Best Practices
Do not modify the VM Encryption sample storage policy. Instead, clone the policy and edit the clone.
Note No automated way of returning VM Encryption Policy to its original settings exists.
See the vSphere Storage documentation for details on customizing storage policies.

Virtual Machine Encryption Caveats
Review Virtual Machine Encryption caveats to avoid problems later.
Virtual Machine Locked State
If the virtual machine key or one or more of the virtual disk keys are missing, the virtual machine enters a locked state. In a locked state, you cannot perform virtual machine operations.
- When you encrypt both a virtual machine and its disks from the vSphere Web Client, the same key is used for both.
- When you perform the encryption using the API, you can use different encryption keys for the virtual machine and for disks.
- Migration with vMotion of an encrypted virtual machine to a different vCenter Server instance. Encrypted migration with vMotion of an unencrypted virtual machine is supported.
- vSphere Replication
- Content Library
- Not all backup solutions that use VMware vSphere Storage API - Data Protection (VADP) for virtual disk backup are supported.
- VADP SAN backup solutions are not supported.
7 Use Encryption in Your vSphere Environment

Using encryption in your vSphere environment requires some preparation. After your environment is set up, you can create encrypted virtual machines and virtual disks and encrypt existing virtual machines and disks. You can perform additional tasks by using the API and by using the crypto-util CLI. See the vSphere Web Services SDK Programming Guide for API documentation and the crypto-util command-line help for details about that tool.
You can find information about VMware certified KMS vendors in the VMware Compatibility Guide under Platform and Compute. If you select Compatibility Guides, you can open the Key Management Server (KMS) compatibility documentation. This documentation is updated frequently.
Virtual Machine Encryption Key Management Server Setup (http://link.brightcove.
Option          Value
Server address  IP address or FQDN of the KMS.
Server port     Port on which vCenter Server connects to the KMS.
Proxy address   Optional proxy address for connecting to the KMS.
Proxy port      Optional proxy port for connecting to the KMS.
User name       Some KMS vendors allow users to isolate encryption keys that are used by different users or groups by specifying a user name and password.
Use the Root CA Certificate Option to Establish a Trusted Connection
Some KMS vendors such as SafeNet require that you upload your root CA certificate to the KMS. All certificates that are signed by your root CA are then trusted by this KMS. The root CA certificate that vSphere Virtual Machine Encryption uses is a self-signed certificate that is stored in a separate store in the VMware Endpoint Certificate Store (VECS) on the vCenter Server system.
4 Select Certificate and click OK.
The Download Certificate dialog box is populated with the root certificate that vCenter Server uses for encryption. This certificate is stored in VECS.
Note Do not generate a new certificate unless you want to replace existing certificates.
5 Copy the certificate to the clipboard or download it as a file.
6 Follow the instructions from your KMS vendor to upload the certificate to the KMS.

What to do next
Finalize the trust relationship.
Use the Upload Certificate and Private Key Option to Establish a Trusted Connection
Some KMS vendors such as HyTrust require that you upload the KMS server certificate and private key to the vCenter Server system. Some KMS vendors generate a certificate and private key for the connection and make them available to you. After you upload the files, the KMS trusts your vCenter Server instance.

Prerequisites
- Request a certificate and private key from the KMS vendor.
4 Click Yes.
The word default appears next to the cluster name.

Complete the Trust Setup
Unless the Add Server dialog box prompted you to trust the KMS, you must explicitly establish trust after certificate exchange is complete. You can complete the trust setup, that is, make vCenter Server trust the KMS, either by trusting the KMS or by uploading a KMS certificate. You have two options:
- Trust the certificate explicitly by using the Refresh KMS certificate option.
Figure 7‑1. Connecting from vCenter Server to the KMS for Two Different Users
[Diagram: vCenter Server holds KMS cluster C1 with the C1 user name/password and KMS cluster C2 with the C2 user name/password; the KMS returns the C1 keys and the C2 keys respectively.]

Prerequisites
Set up the connection with the KMS. See Set up the Key Management Server Cluster.

Procedure
1 Create the two users with corresponding user names and passwords, for example C1 and C2, on the KMS.
2 Log in to vCenter Server and create the first KMS cluster.
4 Specify the storage policy values.
  a Enter a storage policy name and optional description and click Next.
  b If you are new to this wizard, review the Policy structure information, and click Next.
  c Select the Use common rules in the VM storage policy check box.
  d Click Add component and select Encryption > Default Encryption Properties and click Next.
    The default properties are appropriate in most cases.
Disable Host Encryption Mode
Host encryption mode is enabled automatically when you perform an encryption task. After host encryption mode is enabled, all core dumps are encrypted to avoid the release of sensitive information to support personnel. If you no longer use virtual machine encryption with an ESXi host, you can disable encryption mode.

Procedure
1 Unregister all encrypted virtual machines from the host.
2 Unregister the host from vCenter Server.
3 Reboot the host.
3 Right-click the object, select New Virtual Machine > New Virtual Machine, and follow the prompts to create an encrypted virtual machine.

Option                     Action
Select a creation type     Create a virtual machine.
Select a name and folder   Specify a name and target location.
Select a compute resource  Specify an object for which you have privileges to create encrypted virtual machines. See Prerequisites and Required Privileges for Encryption Tasks.
3 Right-click the virtual machine, and follow the prompts to create the clone of an encrypted virtual machine.

Option                     Action
Select a name and folder   Specify a name and target location for the clone.
Select a compute resource  Specify an object for which you have privileges to create encrypted virtual machines. See Prerequisites and Required Privileges for Encryption Tasks.
Select storage             Make a selection in the Select virtual disk format menu and select a datastore.
4 (Optional) If you prefer, you can encrypt virtual disks from the Edit Settings menu.
  a Right-click the virtual machine and select Edit Settings.
  b Leave Virtual Hardware selected.
  c Open the virtual disk for which you want to change the storage policy and make a selection from the VM Storage Policy pull-down menu.
  d Click OK.

Decrypt an Encrypted Virtual Machine or Virtual Disk
You can decrypt a virtual machine by changing its storage policy.
Change the Encryption Policy for Virtual Disks
When you create an encrypted virtual machine from the vSphere Web Client, any virtual disks that you add during virtual machine creation are encrypted. You can decrypt virtual disks that are encrypted by using the Edit VM Storage Policies option.
Note An encrypted virtual machine can have virtual disks that are not encrypted. However, an unencrypted virtual machine cannot have encrypted virtual disks. See Virtual Disk Encryption.
Note that losing the connection to the KMS does not automatically lock the virtual machine. The virtual machine only enters a locked state if the following conditions are met:
- The key has to be validated.
- The key is not available on the ESXi host.
- The ESXi host cannot retrieve the key from the vCenter Server system.

After each reboot, an ESXi host must be able to reach vCenter Server and retrieve keys.
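The two key-availability rules described on this page, the KMIP key-state rule (only Active keys encrypt; Pre-Active keys are activated first) and the three locked-state conditions above, as an added worked example. This is not VMware code: the HostKeyCache and VCenterLink classes are constructed stand-ins for the ESXi key cache and the host's path to keys through vCenter Server, and the key IDs are made up.

```python
"""Key-availability rules for vSphere VM Encryption (added example, not VMware code).

Models two rules from the text: which KMIP key states are accepted for new
encryption, and when a missing key puts a virtual machine into the locked
state. HostKeyCache and VCenterLink are constructed stand-ins, not VMware APIs.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, Optional, Tuple

# KMIP key states listed in the text.
KMIP_STATES = frozenset({
    "Pre-Active", "Active", "Deactivated", "Compromised",
    "Destroyed", "Destroyed Compromised",
})


def key_usable_for_encryption(state: str) -> Tuple[bool, str]:
    """Return (usable, state_after_check).

    Only Active keys are used for encryption. A Pre-Active key is activated
    and then used. Deactivated, Compromised, Destroyed and Destroyed
    Compromised keys cannot encrypt a virtual machine or disk.
    """
    if state not in KMIP_STATES:
        raise ValueError(f"not a KMIP key state: {state!r}")
    if state in ("Active", "Pre-Active"):
        return True, "Active"          # Pre-Active is activated first
    return False, state


@dataclass
class HostKeyCache:
    """Constructed stand-in for the ESXi key cache (key ID -> key bytes)."""
    keys: Dict[str, bytes] = field(default_factory=dict)


@dataclass
class VCenterLink:
    """Constructed stand-in for the host's path to keys via vCenter Server.

    `reachable` is False when the host cannot talk to vCenter Server (for
    example right after a reboot while vCenter is down). `kms_keys` stands
    for the keys vCenter Server can obtain from the KMS on the host's behalf.
    """
    reachable: bool
    kms_keys: Dict[str, bytes] = field(default_factory=dict)

    def fetch(self, key_id: str) -> Optional[bytes]:
        if not self.reachable:
            return None
        return self.kms_keys.get(key_id)


def vm_is_locked(needed_key_ids: Iterable[str], cache: HostKeyCache,
                 vcenter: VCenterLink, operation_needs_keys: bool = True) -> bool:
    """Decide whether the VM enters the locked state.

    All three conditions from the text must hold for some VM or disk key:
    the key has to be validated (the operation needs it), it is not in the
    host key cache, and the host cannot retrieve it through vCenter Server.
    Losing the KMS connection alone does not lock a VM whose keys are cached.
    Keys retrieved successfully are cached for later operations.
    """
    if not operation_needs_keys:
        return False
    for key_id in needed_key_ids:
        if key_id in cache.keys:
            continue
        key = vcenter.fetch(key_id)
        if key is None:
            return True                # VM key or a disk key is missing: locked
        cache.keys[key_id] = key
    return False


if __name__ == "__main__":
    # Constructed scenario: VM key plus one disk key, both cached on the host,
    # with vCenter Server unreachable.
    cache = HostKeyCache({"vm-key-1": b"k1", "disk-key-1": b"k2"})
    offline = VCenterLink(reachable=False)
    print(vm_is_locked(["vm-key-1", "disk-key-1"], cache, offline))   # False
    print(vm_is_locked(["vm-key-1", "disk-key-2"], cache, offline))   # True
```

The second call in the usage block is the case the text warns about: a disk key that was never cached on the host cannot be fetched while vCenter Server is unreachable, so the virtual machine locks even though the VM key itself is present.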
Core Dumps on ESXi Hosts
When an ESXi host crashes, and encryption mode is enabled for that host, an encrypted core dump is generated and the host reboots. The core dump is encrypted with the host key that is in the ESXi key cache. This key comes from the KMS and is an AES-256 key. See How vSphere Virtual Machine Encryption Protects Your Environment for some background information. What you can do next depends on several factors.
Prerequisites
Inform your support representative that host encryption mode is enabled for the ESXi host. Your support representative might ask you to decrypt core dumps and extract relevant information.
Note Core dumps can contain sensitive information. Follow your organization's security and privacy policy to protect sensitive information such as host keys.

Procedure
1 Log in to the vCenter Server system with the vSphere Web Client.
  e Provide the password that you specified when you created the vm-support package.
  f Remove the encrypted core dumps, and compress the package again.
    vm-support --reconstruct
8 Remove any files that contain confidential information.
Exporting Host Support Bundles With Passwords (http://link.brightcove.
3 Decrypt the core dump, depending on its type.

Option                             Description
Monitor core dump zdump file       crypto-util envelope extract vmmcores.
8 Securing vSphere Networking

Securing vSphere Networking is an essential part of protecting your environment. You secure different vSphere components in different ways. See the vSphere Networking documentation for detailed information about networking in the vSphere environment.
Host-based firewalls can slow performance. Balance your security needs against performance goals before you install host-based firewalls on VMs elsewhere in the virtual network. See Securing the Network With Firewalls.

Segmentation
Keep different virtual machine zones within a host on different network segments. If you isolate each virtual machine zone on its own network segment, you minimize the risk of data leakage from one zone to the next.
Securing the Network With Firewalls
Security administrators use firewalls to safeguard the network or selected components in the network from intrusion. Firewalls control access to devices within their perimeter by closing all ports except for ports that the administrator explicitly or implicitly designates as authorized. The ports that administrators open allow traffic between devices on different sides of the firewall.
Important The ESXi firewall in ESXi 5.
You might also include firewalls at other access points in the network, depending on network usage and on the level of security that clients require. Select the locations for your firewalls based on the security risks for your network configuration. The following firewall locations are commonly used.
- Between the vSphere Web Client or a third-party network-management client and vCenter Server.
- One of the vSphere command-line interfaces
- vSphere Web Services SDK or vSphere Automation SDKs
- Third-party clients

The firewall requirements for standalone hosts are similar to requirements when a vCenter Server is present.
- Use a firewall to protect your ESXi layer or, depending on your configuration, your clients, and the ESXi layer. This firewall provides basic protection for your network.
Connecting to ESXi Hosts Directly with the VMware Host Client
You can use the VMware Host Client virtual machine console if you connect directly to an ESXi host.
Note Do not use the VMware Host Client to connect directly to hosts that are managed by a vCenter Server system. If you make changes to such hosts from the VMware Host Client, instability in your environment results.
Securing Standard Switch Ports with Security Policies
The VMkernel port group or virtual machine port group on a standard switch has a configurable security policy. The security policy determines how strongly you enforce protection against impersonation and interception attacks on VMs. Just like physical network adapters, virtual machine network adapters can impersonate another VM. Impersonation is a security risk.
When sending packets through a network adapter, the guest operating system typically places its own adapter's effective MAC address in the source MAC address field of the Ethernet frames. It places the MAC address for the receiving network adapter in the destination MAC address field. The receiving adapter accepts packets only if the destination MAC address in the packet matches its own effective MAC address. An operating system can send frames with an impersonated source MAC address.
Forged Transmits
The Forged transmits option affects traffic that is transmitted from a virtual machine. When the Forged transmits option is set to Accept, ESXi does not compare source and effective MAC addresses. To protect against MAC impersonation, you can set the Forged transmits option to Reject. If you do, the host compares the source MAC address being transmitted by the guest operating system with the effective MAC address for its virtual machine adapter to see if they match.
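The two MAC checks described above, the Forged transmits comparison on the transmit side and the destination-MAC check a receiving adapter performs, simulated as an added example (not VMware code). The Frame and VnicPort types, the adapter names and the MAC addresses are constructed for the example; the dropped-frame list on each port is a hypothetical audit hook, not something ESXi exposes in this form.

```python
"""Standard switch security policy simulation (added example, not VMware code).

Implements the Forged transmits check on frames a guest sends and the
destination-MAC check a receiving adapter performs, as described in the
text. Frame and VnicPort are constructed types for the example.
"""
from dataclasses import dataclass, field
from typing import List


def _norm(mac: str) -> str:
    """Compare MAC addresses case-insensitively."""
    return mac.strip().lower()


@dataclass(frozen=True)
class Frame:
    src_mac: str
    dst_mac: str
    payload: bytes = b""


@dataclass
class VnicPort:
    """A virtual machine network adapter attached to a standard switch port."""
    name: str
    effective_mac: str
    forged_transmits: str = "Reject"          # "Accept" or "Reject"
    dropped: List[Frame] = field(default_factory=list)   # hypothetical audit trail


def transmit_allowed(port: VnicPort, frame: Frame) -> bool:
    """Forged transmits check on a frame the guest sends.

    Accept: ESXi does not compare source and effective MAC addresses.
    Reject: the source MAC the guest wrote into the frame must match the
    adapter's effective MAC, otherwise the frame is dropped.
    """
    if port.forged_transmits == "Accept":
        return True
    if port.forged_transmits == "Reject":
        return _norm(frame.src_mac) == _norm(port.effective_mac)
    raise ValueError(f"unknown Forged transmits setting: {port.forged_transmits!r}")


def receive_accepted(port: VnicPort, frame: Frame) -> bool:
    """A receiving adapter accepts a frame only if the destination MAC matches its effective MAC."""
    return _norm(frame.dst_mac) == _norm(port.effective_mac)


def switch_deliver(sender: VnicPort, frame: Frame, ports: List[VnicPort]) -> List[str]:
    """Apply the transmit-side policy, then hand the frame to adapters that accept it.

    Returns the names of the adapters that received the frame. A frame
    rejected by the Forged transmits policy is recorded on the sending port.
    """
    if not transmit_allowed(sender, frame):
        sender.dropped.append(frame)
        return []
    return [p.name for p in ports if p is not sender and receive_accepted(p, frame)]


def forged_transmit_count(port: VnicPort) -> int:
    """Frames dropped on this port for a spoofed source MAC (a detection signal for impersonation attempts)."""
    return len(port.dropped)


if __name__ == "__main__":
    # Constructed adapters: vm-a and vm-b keep the default Reject, vm-c is set to Accept.
    a = VnicPort("vm-a", "00:50:56:aa:00:01")
    b = VnicPort("vm-b", "00:50:56:aa:00:02")
    c = VnicPort("vm-c", "00:50:56:aa:00:03", forged_transmits="Accept")
    ports = [a, b, c]
    print(switch_deliver(a, Frame("00:50:56:aa:00:01", "00:50:56:aa:00:02"), ports))  # ['vm-b']
    print(switch_deliver(a, Frame("00:50:56:aa:00:02", "00:50:56:aa:00:03"), ports))  # []
    print(forged_transmit_count(a))                                                  # 1
```

With Reject, vm-a's attempt to send with vm-b's address as the source is dropped and counted; the same spoofed frame sent from vm-c, whose policy is Accept, is delivered, which is why the text recommends Reject to protect against MAC impersonation.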
Standard switches and VLANs can protect against the following types of attacks.

MAC flooding
Floods a switch with packets that contain MAC addresses tagged as having come from different sources. Many switches use a content-addressable memory table to learn and store the source address for each packet. When the table is full, the switch can enter a fully open state in which every incoming packet is broadcast on all ports, letting the attacker see all of the switch’s traffic.
Spanning-tree attacks
Target Spanning-Tree Protocol (STP), which is used to control bridging between parts of the LAN. The attacker sends Bridge Protocol Data Unit (BPDU) packets that attempt to change the network topology, establishing themselves as the root bridge. As the root bridge, the attacker can sniff the contents of transmitted frames. VMware standard switches do not support STP and are not vulnerable to this type of attack.
5 Label all vSphere Distributed Switches.
vSphere Distributed Switches associated with an ESXi host require a text box for the name of the switch. This label serves as a functional descriptor for the switch, just like the host name associated with a physical switch. The label on the vSphere Distributed Switch indicates the function or the IP subnet of the switch.
Figure 8‑1.
Secure VLANs
Administrators have several options for securing the VLANs in their vSphere environment.

Procedure
1 Ensure that port groups are not configured to VLAN values that are reserved by upstream physical switches.
Do not set VLAN IDs to values reserved for the physical switch.
2 Ensure that port groups are not configured to VLAN 4095 unless you are using it for Virtual Guest Tagging (VGT).
Creating Multiple Networks Within a Single ESXi Host
The ESXi system is designed so that you can connect some groups of virtual machines to the internal network, others to the external network, and still others to both—all on the same host. This capability is an outgrowth of basic virtual machine isolation coupled with a well-planned use of virtual networking features.
Figure 8‑2.
Because Virtual Machine 1 does not share a virtual switch or physical network adapter with any virtual machines in the host, the other resident virtual machines cannot transmit packets to or receive packets from the Virtual Machine 1 network. This restriction prevents sniffing attacks, which require sending network traffic to the victim. More importantly, an attacker cannot use the natural vulnerability of FTP to access any of the host’s other virtual machines.
The company enforces isolation among the virtual machine groups by using multiple internal and external networks and making sure that the virtual switches and physical network adapters for each group are completely separate from those of other groups. Because none of the virtual switches straddle virtual machine zones, the system administrator succeeds in eliminating the risk of packet leakage from one zone to another.
ESXi displays a list of all available security associations.

Add an IPsec Security Association
Add a security association to specify encryption parameters for associated IP traffic. You can add a security association using the esxcli vSphere CLI command.

Procedure
u At the command prompt, enter the command esxcli network ip ipsec sa add with one or more of the following options.

Option                        Description
--sa-source= source address   Required. Specify the source address.
Remove an IPsec Security Association
You can remove a security association using the ESXCLI vSphere CLI command.

Prerequisites
Verify that the security association you want to use is not currently in use. If you try to remove a security association that is in use, the removal operation fails.
Option                            Description
--upper-layer-protocol= protocol  Specify the upper layer protocol using one of the following parameters.
                                  - tcp
                                  - udp
                                  - icmp6
                                  - any
--flow-direction= direction       Specify the direction in which you want to monitor traffic using either in or out.
--action= action                  Specify the action to take when traffic with the specified parameters is encountered using one of the following parameters.
                                  - none: Take no action
                                  - discard: Do not allow data in or out.
Procedure
u At the command prompt, enter the command esxcli network ip ipsec sp remove --sa-name security policy name.
To remove all security policies, enter the command esxcli network ip ipsec sp remove --remove-all.

Ensure Proper SNMP Configuration
If SNMP is not properly configured, monitoring information can be sent to a malicious host. The malicious host can then use this information to plan an attack. SNMP must be configured on each ESXi host.
- Ensure that only authorized administrators have access to virtual networking components by using the role-based access controls. For example, give virtual machine administrators access only to port groups in which their virtual machines reside. Give network administrators access to all virtual networking components but no access to virtual machines.
Labeling Networking Components
Identifying the different components of your networking architecture is critical and helps ensure that no errors are introduced as your network grows. Follow these best practices:
- Ensure that port groups are configured with a clear network label. These labels serve as a functional descriptor for the port group and help you identify each port group's function as the network becomes more complex.
4 Verify that VLAN trunk links are connected only to physical switch ports that function as trunk links.
When connecting a virtual switch to a VLAN trunk port, you must properly configure both the virtual switch and the physical switch at the uplink port. If the physical switch is not properly configured, frames with the VLAN 802.1q header are forwarded to a switch that is not expecting their arrival.
Isolate vMotion Traffic
vMotion migration information is transmitted in plain text. Anyone with access to the network over which this information flows can view it. Potential attackers can intercept vMotion traffic to obtain the memory contents of a VM. They might also stage a man-in-the-middle (MITM) attack in which the contents are modified during migration. Separate vMotion traffic from production traffic on an isolated network.
9 Best Practices Involving Multiple vSphere Components

Some security best practices, such as setting up NTP in your environment, affect more than one vSphere component. Consider these recommendations when configuring your environment. See Chapter 3 Securing ESXi Hosts and Chapter 5 Securing Virtual Machines for related information.
Synchronize ESXi Clocks with a Network Time Server
Before you install vCenter Server or deploy the vCenter Server Appliance, make sure all machines on your vSphere network have their clocks synchronized. This task explains how to set up NTP from the VMware Host Client. You can instead use the vicfg-ntp vCLI command. See the vSphere Command-Line Interface Reference.

Procedure
1 Start the VMware Host Client, and connect to the ESXi host.
2 Click Configure.
Use VMware Tools Time Synchronization
You can set up the vCenter Server Appliance to use VMware Tools time synchronization.

Procedure
1 Access the appliance shell and log in as a user who has the administrator or super administrator role.
The default user with super administrator role is root.
2 Run the command to enable VMware Tools time synchronization.
  timesync.
3 (Optional) To delete old NTP servers and add new ones to the vCenter Server Appliance configuration, run the ntp.server.set command.
For example, run the following command:
  ntp.server.set --servers IP-addresses-or-host-names
Here IP-addresses-or-host-names is a comma-separated list of IP addresses or host names of the NTP servers. This command deletes old NTP servers from the configuration and sets the input NTP servers in the configuration.
3 (Optional) Run the command to verify that you successfully applied the NTP synchronization.
  timesync.get
The command returns that the time synchronization is in NTP mode.

Storage Security Best Practices
Follow best practices for storage security, as outlined by your storage security provider. You can also take advantage of CHAP and mutual CHAP to secure iSCSI storage, mask and zone SAN resources, and configure Kerberos credentials for NFS 4.1.
Protecting an iSCSI SAN
When you plan your iSCSI configuration, take measures to improve the overall security of the iSCSI SAN. Your iSCSI configuration is only as secure as your IP network, so by enforcing good security standards when you set up your network, you help safeguard your iSCSI storage. The following are some specific suggestions for enforcing good security standards.
Masking and Zoning SAN Resources
You can use zoning and LUN masking to segregate SAN activity and restrict access to storage devices. You can protect access to storage in your vSphere environment by using zoning and LUN masking with your SAN resources. For example, you might manage zones defined for testing independently within the SAN so they do not interfere with activity in the production zones. Similarly, you might set up different zones for different departments.
Table 9‑1. Types of Kerberos Security (Continued)

Kerberos Security Type                                   Description                        ESXi 6.0   ESXi 6.5
Kerberos for authentication and data integrity (krb5i)   Integrity checksum for RPC header  No krb5i   Yes with AES
                                                         Integrity checksum for RPC data               Yes with AES

When you use Kerberos authentication, the following considerations apply:
- ESXi uses Kerberos with the Active Directory domain.
- As a vSphere administrator, you specify Active Directory credentials to provide access to NFS 4.
You cannot retrieve performance information about the host from inside the guest virtual machine.

Setting Timeouts for the ESXi Shell and vSphere Web Client
To prevent intruders from using an idle session, be sure to set timeouts for the ESXi Shell and vSphere Web Client.

ESXi Shell Timeout
For the ESXi Shell, you can set the following timeouts from the vSphere Web Client and from the Direct Console User Interface (DCUI).
10 Managing TLS Protocol Configuration with the TLS Configurator Utility

By default, the TLS protocol versions 1.0, 1.1, and 1.2 are enabled in vSphere. You can use the TLS Configurator Utility to enable or disable TLS protocol versions. You can disable TLS 1.0, or you can disable both TLS 1.0 and TLS 1.1. Before you perform reconfiguration, consider your environment.
Table 10‑1. vCenter Server and Platform Services Controller Affected by the TLS Configurator Utility

Service                                Name on Windows             Name on Linux       Port
VMware HTTP Reverse Proxy              rhttpproxy                  vmware-rhttpproxy   443
VMware Directory Service               VMWareDirectoryService      vmdird              636
VMware Syslog Collector (*)            vmwaresyslogcollector (*)   rsyslogd            1514
VMware Appliance Management Interface  N.A.
- You cannot use a TLS 1.2 only connection to an external Microsoft SQL Server or an external Oracle database.
- Do not disable TLS 1.0 on a vCenter Server or Platform Services Controller instance that is running on Windows Server 2008. Windows 2008 supports only TLS 1.0. See the Microsoft TechNet Article TLS/SSL Settings in the Server Roles and Technologies Guide.
- Under the following circumstances, you have to restart host services after applying TLS configuration changes.
Install the TLS Configuration Utility
You can download the TLS Configuration utility from MyVMware.com and install it on your local machine. After installation, two scripts are available. One script is for configuration of vCenter Server and Platform Services Controller, and one script is for ESXi configuration. On the vCenter Server Appliance, vSphere Update Manager ports are updated by the script. On vCenter Server, you edit vSphere Update Manager configuration files.
4 Upload the file to vCenter Server and install the scripts. In environments with an external Platform Services Controller, you also upload the file to the Platform Services Controller.

OS       Procedure
Windows  a Log in as a user with Administrator privileges.
         b Copy the VMware-vSphereTlsReconfigurator-versionbuild_number.x86_64.msi file that you just downloaded.
         c Install the MSI file.
Linux    a Connect to the appliance using SSH and log in as a user who has privileges to run scripts.
Procedure
1 Change directory to vSphereTlsReconfigurator, and then to the VcTlsReconfigurator subdirectory.

OS       Command
Windows  cd C:\Program Files\VMware\CIS\vSphereTlsReconfigurator\
         cd VcTlsReconfigurator
Linux    cd /usr/lib/vmware-vSphereTlsReconfigurator/
         cd VcTlsReconfigurator

2 Run the following command to make a backup to a specific directory.

OS       Command
Windows  directory_path\VcTlsReconfigurator> reconfigureVc backup -d backup_directory_path
Linux    directory_path/VcTlsRecon

3
Disable TLS Versions on vCenter Server Systems
You can use the TLS Configuration utility to disable TLS versions on vCenter Server systems. As part of the process, you can either enable both TLS 1.1 and TLS 1.2, or enable only TLS 1.2.

Prerequisites
Ensure that the hosts and services that the vCenter Server manages can communicate using a version of TLS that remains enabled. For products that communicate only using TLS 1.0, connectivity becomes unavailable.
Disable TLS Versions on ESXi Hosts
You can use the TLS Configuration utility to disable TLS versions on an ESXi host. As part of the process, you can either enable both TLS 1.1 and TLS 1.2, or enable only TLS 1.2. For ESXi hosts, you use a different script than for the other components of your vSphere environment.
Note The script disables both TLS 1.0 and TLS 1.1 unless you specify the -p option.
2 On a host that is part of a cluster, run one of the following commands.
- To disable TLS 1.0 and enable both TLS 1.1 and TLS 1.2 on all hosts in a cluster, run the following command.

  OS       Command
  Windows
  Linux    ./reconfigureEsx vCenterCluster -c Cluster_Name -u Administrative_User -p TLSv1.1 TLSv1.2

- To disable TLS 1.0 and TLS 1.1, and enable only TLS 1.2 on all hosts in a cluster, run the following command.

  OS       Command
  Windows  reconfigureEsx vCenterCluster -c Cluster_Name -u Administrative_User -p TLSv1.2
  Linux    ./reconfigureEsx vCenterCluster -c Cluster_Name -u Administrative_User -p TLSv1.
Disable TLS Versions on Platform Services Controller Systems
If your environment includes one or more Platform Services Controller systems, you can use the TLS Configuration utility to change which versions of TLS are supported. If your environment uses only an embedded Platform Services Controller, you do not have to perform this task.
Note Proceed with this task only after you confirm that each vCenter Server system is running a compatible version of TLS.
2 You can perform the task on Platform Services Controller on Windows or on the Platform Services Controller appliance.
- To disable TLS 1.0 and enable both TLS 1.1 and TLS 1.2, run the following command.

  OS       Command
  Windows  directory_path\VcTlsReconfigurator> reconfigureVc update -p TLSv1.1 TLSv1.2
  Linux    directory_path/VcTlsReconfigurator> ./reconfigureVc update -p TLSv1.1 TLSv1.2

- To disable TLS 1.0 and TLS 1.1, and enable only TLS 1.2, run the following command.
2 Log in to the system where you want to revert changes.

OS       Procedure
Windows  1 Log in as a user with Administrator privileges.
         2 Go to the VcTlsReconfigurator directory.
           cd C:\Program Files\VMware\CIS\vSphereTlsReconfigurator\VcTlsReconfigurator
Linux    1 Connect to the appliance using SSH and log in as a user who has privileges to run scripts.
         2 If the Bash shell is not currently enabled, run the following commands.
           shell.
5 Repeat the procedure on any other vCenter Server instances.
6 Repeat the procedure on any other Platform Services Controller instances.

Disable TLS Versions on vSphere Update Manager

In vSphere Update Manager 6.0 Update 3 and later, the TLS protocol versions 1.0, 1.1, and 1.2 are all enabled by default. You can disable TLS version 1.0 and TLS version 1.1, but you cannot disable TLS version 1.2.
4 Disable earlier versions of TLS by changing the file.

Option | Description
Disable TLS 1.0. Leave TLS 1.1 and TLS 1.2 enabled. |
    - TLSv1
Disable TLS 1.0 and TLS 1.1. Leave TLS 1.2 enabled. |
    - TLSv1
    - TLSv1.1

5 Save the file.
6 Restart the vSphere Update Manager service.
    ssl/rui.key
    ssl/rui.crt
    sslOptions_value

5 Depending on the TLS version that you want to disable, use one of the following decimal values in the sslOptions tag.
- To disable only TLSv1.0, use the decimal value 117587968.
- To disable TLSv1.0 and TLSv1.1, use the decimal value 386023424.
6 Save the file.
7 Restart the vSphere Update Manager service.
2 Navigate to the Update Manager installation directory. The location differs between vSphere 6.0 and 6.5.

Version | Location
vSphere 6.0 | C:\Program Files (x86)\VMware\Infrastructure\Update Manager
vSphere 6.5 | C:\Program Files\VMware\Infrastructure\Update Manager

3 Make a backup of the vci-integrity.xml file and open the file.
4 Change the decimal value that is used in the tag, or delete the tag to allow all versions of TLS.
- To enable TLS 1.1 but leave TLS 1.
11 Defined Privileges

The following tables list the default privileges that, when selected for a role, can be paired with a user and assigned to an object. The tables in this appendix use VC to indicate vCenter Server and HC to indicate host client, a standalone ESXi or Workstation host. When setting permissions, verify that all the object types are set with appropriate privileges for each particular action.
- Host Local Operations Privileges
- Host vSphere Replication Privileges
- Host Profile Privileges
- Network Privileges
- Performance Privileges
- Permissions Privileges
- Profile-driven Storage Privileges
- Resource Privileges
- Scheduled Task Privileges
- Sessions Privileges
- Storage Views Privileges
- Tasks Privileges
- Transfer Service Privileges
- Virtual Machine Configuration Privileges
- Virtual Machine Guest Operations Privileges
- Virtual Machine In
Table 11‑1. Alarms Privileges
Privilege Name | Description | Required On
Alarms.Acknowledge alarm | Allows suppression of all alarm actions on all triggered alarms. | Object on which an alarm is defined
Alarms.Create alarm | Allows creation of a new alarm. When creating alarms with a custom action, privilege to perform the action is verified when the user creates the alarm. | Object on which an alarm is defined
Alarms.
Table 11‑2. Auto Deploy Privileges (Continued)
Privilege Name | Description | Required On
Auto Deploy.Rule.Create | Allows creation of Auto Deploy rules. | vCenter Server
Auto Deploy.Rule.Delete | Allows deletion of Auto Deploy rules. | vCenter Server
Auto Deploy.Rule.Edit | Allows editing of Auto Deploy rules. | vCenter Server
Auto Deploy.RuleSet.Activate | Allows activation of Auto Deploy rule sets. | vCenter Server
Auto Deploy.RuleSet.Edit | Allows editing of Auto Deploy rule sets. |
Content Library Privileges

Content Libraries provide simple and effective management for virtual machine templates and vApps. Content library privileges control who can view or manage different aspects of content libraries. You can set this privilege at different levels in the hierarchy. For example, if you set a privilege at the folder level, you can propagate the privilege to one or more objects within the folder.
Table 11‑4. Content Library Privileges (Continued)
Privilege Name | Description | Required On
Content library.Sync library item | Allows synchronization of library items. | Library. Set this permission to propagate to all library items.
Content library.Sync subscribed library | Allows synchronization of subscribed libraries. | Library
Content library.Type introspection | Allows a solution user or API to introspect the type support plugins for the content library service. |
Table 11‑5. Cryptographic Operations Privileges (Continued)
Privilege Name | Description | Required On
Cryptographic operations.Clone | Allows users to clone an encrypted virtual machine. | Virtual machine
Cryptographic operations.Decrypt | Allows users to decrypt a virtual machine or disk. | Virtual machine
Cryptographic operations.Encrypt | Allows users to encrypt a virtual machine or a virtual machine disk. | Virtual machine
Cryptographic operations.
Table 11‑5. Cryptographic Operations Privileges (Continued)
Privilege Name | Description | Required On
Cryptographic operations.Register VM | Allows users to register an encrypted virtual machine with an ESXi host. | Virtual machine folder
Cryptographic operations.Register host | Allows users to enable encryption on a host. You can enable encryption on a host explicitly, or the virtual machine creation process can enable it. |
Datastore Privileges

Datastore privileges control the ability to browse, manage, and allocate space on datastores. You can set this privilege at different levels in the hierarchy. For example, if you set a privilege at the folder level, you can propagate the privilege to one or more objects within the folder. The object listed in the Required On column must have the privilege set, either directly or inherited.

Table 11‑7.
Table 11‑8. Datastore Cluster Privileges
Privilege Name | Description | Required On
Datastore cluster.Configure a datastore cluster | Allows creation and configuration of settings for datastore clusters for Storage DRS. | Datastore clusters

Distributed Switch Privileges

Distributed Switch privileges control the ability to perform tasks related to the management of Distributed Switch instances. You can set this privilege at different levels in the hierarchy.
ESX Agent Manager Privileges

ESX Agent Manager privileges control operations related to ESX Agent Manager and agent virtual machines. The ESX Agent Manager is a service that lets you install management virtual machines, which are tied to a host and not affected by VMware DRS or other services that migrate virtual machines. You can set this privilege at different levels in the hierarchy.
Table 11‑12. Folder Privileges
Privilege Name | Description | Required On
Folder.Create folder | Allows creation of a new folder. | Folders
Folder.Delete folder | Allows deletion of a folder. To have permission to perform this operation, a user or group must have this privilege assigned in both the object and its parent object. | Folders
Folder.Move folder | Allows moving a folder. Privilege must be present at both the source and destination. | Folders
Folder.
Table 11‑13. Global Privileges (Continued)
Privilege Name | Description | Required On
Global.Proxy | Allows access to an internal interface for adding or removing endpoints to or from the proxy. | Root vCenter Server
Global.Script action | Allows scheduling a scripted action in conjunction with an alarm. | Any object
Global.Service managers | Allows use of the resxtop command in the vSphere CLI. | Root host or vCenter Server
Global.
Table 11‑15. Host Configuration Privileges (Continued)
Privilege Name | Description | Required On
Host.Configuration.Change date and time settings | Allows changes to date and time settings on the host. | Hosts
Host.Configuration.Change settings | Allows setting of lockdown mode on ESXi hosts. | Hosts
Host.Configuration.Connection | Allows changes to the connection status of a host (connected or disconnected). | Hosts
Host.Configuration.Firmware | Allows updates to the ESXi host's firmware. |
Table 11‑16. Host Inventory Privileges
Privilege Name | Description | Required On
Host.Inventory.Add host to cluster | Allows addition of a host to an existing cluster. | Clusters
Host.Inventory.Add standalone host | Allows addition of a standalone host. | Host folders
Host.Inventory.Create cluster | Allows creation of a new cluster. | Host folders
Host.Inventory.Modify cluster | Allows changing the properties of a cluster. | Clusters
Host.Inventory.
Table 11‑17. Host Local Operations Privileges (Continued)
Privilege Name | Description | Required On
Host.Local operations.Manage user groups | Allows management of local accounts on a host. | Root host
Host.Local operations.Reconfigure virtual machine | Allows reconfiguring a virtual machine. | Root host

Host vSphere Replication Privileges

Host vSphere replication privileges control the use of virtual machine replication by VMware vCenter Site Recovery Manager™ for a host.
Network Privileges

Network privileges control tasks related to network management. You can set this privilege at different levels in the hierarchy. For example, if you set a privilege at the folder level, you can propagate the privilege to one or more objects within the folder. The object listed in the Required On column must have the privilege set, either directly or inherited.

Table 11‑20. Network Privileges
Privilege Name | Description | Required On
Network.
Table 11‑22. Permissions Privileges
Privilege Name | Description | Required On
Permissions.Modify permission | Allows defining one or more permission rules on an entity, or updating rules if rules are already present for the given user or group on the entity. To have permission to perform this operation, a user or group must have this privilege assigned in both the object and its parent object. | Any object plus parent object
Permissions.
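The tables above repeat two rules that are easy to get wrong when auditing a role assignment: a privilege counts on an object only if it is set there directly or inherited from an ancestor whose permission propagates, and some operations (Folder.Delete folder, Permissions.Modify permission, Folder.Move folder) need the privilege on more than one object. The following model is an added example, not VMware code: it resolves a principal's effective privileges on an inventory object by walking toward the root, with the nearest applicable permission winning, and expresses the two-object rules as explicit checks. It is deliberately simplified (no group membership, no global permissions), and every object, user and role in it is constructed.

```python
"""Simplified model of vSphere permission resolution on the inventory tree.

Added example, not VMware code. Model: an object may carry one permission
per principal (role privileges plus a propagate flag). On a given object the
permission set directly on it wins; otherwise the nearest ancestor
permission that propagates applies. Group membership is ignored.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Optional, Tuple


@dataclass
class InvObject:
    """One node of the inventory tree (datacenter, folder, VM, ...)."""
    name: str
    parent: Optional["InvObject"] = None
    # principal -> (privileges granted by the assigned role, propagate flag)
    permissions: Dict[str, Tuple[FrozenSet[str], bool]] = field(default_factory=dict)

    def grant(self, principal: str, privileges, propagate: bool = True) -> None:
        self.permissions[principal] = (frozenset(privileges), propagate)


def effective_privileges(obj: InvObject, principal: str) -> FrozenSet[str]:
    """Privileges `principal` holds on `obj` (directly set or inherited)."""
    node, depth = obj, 0
    while node is not None:
        perm = node.permissions.get(principal)
        if perm is not None:
            privileges, propagate = perm
            # Direct permission always applies; an ancestor's permission
            # applies only if it propagates, otherwise keep walking upward.
            if depth == 0 or propagate:
                return privileges
        node, depth = node.parent, depth + 1
    return frozenset()


def has_privilege(obj: InvObject, principal: str, privilege: str) -> bool:
    return privilege in effective_privileges(obj, principal)


def can_delete_folder(folder: InvObject, principal: str) -> bool:
    """Folder.Delete folder: required on the object and on its parent object."""
    if folder.parent is None:
        return False
    return (has_privilege(folder, principal, "Folder.Delete folder")
            and has_privilege(folder.parent, principal, "Folder.Delete folder"))


def can_move_folder(folder: InvObject, destination: InvObject, principal: str) -> bool:
    """Folder.Move folder: required at both the source and the destination."""
    return (has_privilege(folder, principal, "Folder.Move folder")
            and has_privilege(destination, principal, "Folder.Move folder"))


def can_modify_permission(obj: InvObject, principal: str) -> bool:
    """Permissions.Modify permission: required on the object plus its parent."""
    if obj.parent is None:
        return False
    return (has_privilege(obj, principal, "Permissions.Modify permission")
            and has_privilege(obj.parent, principal, "Permissions.Modify permission"))


def build_sample_inventory() -> Dict[str, InvObject]:
    """Constructed inventory: root > Datacenter-A > {Folder-Prod > vm-web01, Folder-Dev}."""
    root = InvObject("vcenter-root")
    dc = InvObject("Datacenter-A", root)
    prod = InvObject("Folder-Prod", dc)
    dev = InvObject("Folder-Dev", dc)
    vm = InvObject("vm-web01", prod)

    folder_admin = {"Folder.Delete folder", "Folder.Move folder",
                    "Permissions.Modify permission"}
    # admin: full folder rights everywhere, propagated from the root.
    root.grant("admin", folder_admin, propagate=True)
    # operator: rights on the datacenter object itself only (not propagated) ...
    dc.grant("operator", folder_admin, propagate=False)
    # ... and propagated rights below Folder-Prod.
    prod.grant("operator", folder_admin, propagate=True)
    # A narrower permission set directly on the VM overrides what admin
    # would otherwise inherit from the root.
    vm.grant("admin", {"Virtual machine.Interaction.Power Off"})
    return {"root": root, "dc": dc, "prod": prod, "dev": dev, "vm": vm}
```

The interesting cases are the ones a glance at the role list does not reveal: operator can delete Folder-Prod (direct permission there and a direct, non-propagating one on its parent) but cannot touch Folder-Dev at all, because the non-propagating permission on Datacenter-A is invisible to Folder-Dev and nothing higher up grants anything; and admin, despite the root-level role, holds only the power-off privilege on vm-web01 because the VM-level permission overrides the inherited one.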
Table 11‑24. Resource Privileges (Continued)
Privilege Name | Description | Required On
Resource.Assign virtual machine to resource pool | Allows assignment of a virtual machine to a resource pool. | Resource pools
Resource.Create resource pool | Allows creation of resource pools. | Resource pools, clusters
Resource.Migrate powered off virtual machine | Allows migration of a powered off virtual machine to a different resource pool or host. | Virtual machines
Resource.
Sessions Privileges

Sessions privileges control the ability of extensions to open sessions on the vCenter Server system. You can set this privilege at different levels in the hierarchy. For example, if you set a privilege at the folder level, you can propagate the privilege to one or more objects within the folder. The object listed in the Required On column must have the privilege set, either directly or inherited.

Table 11‑26.
Table 11‑28. Tasks Privileges
Privilege Name | Description | Required On
Tasks.Create task | Allows an extension to create a user-defined task. No vSphere Web Client user interface elements are associated with this privilege. | Root vCenter Server
Tasks.Update task | Allows an extension to update a user-defined task. No vSphere Web Client user interface elements are associated with this privilege. | Root vCenter Server
Table 11‑29. Virtual Machine Configuration Privileges (Continued)
Privilege Name | Description | Required On
Virtual machine.Configuration.Disk lease | Allows disk lease operations for a virtual machine. | Virtual machines
Virtual machine.Configuration.Display connection settings | Allows configuration of virtual machine remote console options. | Virtual machines
Virtual machine.Configuration.Extend virtual disk | Allows expansion of the size of a virtual disk. |
Table 11‑29. Virtual Machine Configuration Privileges (Continued)
Privilege Name | Description | Required On
Virtual machine.Configuration.Swapfile placement | Allows changing the swapfile placement policy for a virtual machine. | Virtual machines
 | Allows upgrade of the virtual machine's virtual machine compatibility version. | Virtual machines
Virtual machine.Configuration.Toggle fork parent |  |
Virtual machine.Configuration.
Table 11‑30. Virtual Machine Guest Operations (Continued)
Privilege Name | Description | Effective on Object
Virtual machine.Guest Operations.Guest Operation Program Execution | Allows virtual machine guest operations that involve executing a program in the virtual machine. No vSphere Web Client user interface elements are associated with this privilege. | Virtual machines
Virtual machine.Guest Operations.
Table 11‑31. Virtual Machine Interaction
Privilege Name | Description | Required On
Virtual machine.Interaction.Answer question | Allows resolution of issues with virtual machine state transitions or runtime errors. | Virtual machines
Virtual machine.Interaction.Backup operation on virtual machine | Allows performance of backup operations on virtual machines. | Virtual machines
Virtual machine.Interaction.Configure CD media | Allows configuration of a virtual DVD or CD-ROM device. |

Table 11‑31. Virtual Machine Interaction (Continued)
Privilege Name | Description | Required On
Virtual machine.Interaction.Console interaction | Allows interaction with the virtual machine's virtual mouse, keyboard, and screen. | Virtual machines
Virtual machine.Interaction.Create screenshot | Allows creation of a virtual machine screenshot. | Virtual machines
Virtual machine.Interaction.Defragment all disks | Allows defragment operations on all disks of the virtual machine. |

Table 11‑31. Virtual Machine Interaction (Continued)
Privilege Name | Description | Required On
Virtual machine.Interaction.Drag and Drop | Allows drag and drop of files between a virtual machine and a remote client. | Virtual machines
Virtual machine.Interaction.Guest operating system management by VIX API | Allows management of the virtual machine's operating system through the VIX API. | Virtual machines
Virtual machine.Interaction.

Table 11‑31. Virtual Machine Interaction (Continued)
Privilege Name | Description | Required On
Virtual machine.Interaction.Perform wipe or shrink operations | Allows performing wipe or shrink operations on the virtual machine. | Virtual machines
Virtual machine.Interaction.Power Off | Allows powering off a powered-on virtual machine. This operation powers down the guest operating system. | Virtual machines
Virtual machine.Interaction.

Table 11‑31. Virtual Machine Interaction (Continued)
Privilege Name | Description | Required On
Virtual machine.Interaction.Record session on Virtual Machine | Allows recording a session on a virtual machine. | Virtual machines
Virtual machine.Interaction.Replay session on Virtual Machine | Allows replaying of a recorded session on a virtual machine. | Virtual machines
Virtual machine.Interaction.

Table 11‑31. Virtual Machine Interaction (Continued)
Privilege Name | Description | Required On
Virtual machine.Interaction.Suspend | Allows suspending a powered-on virtual machine. This operation puts the guest in standby mode. | Virtual machines
Virtual machine.Interaction.Suspend Fault Tolerance | Allows suspension of fault tolerance for a virtual machine. | Virtual machines
Virtual machine.Interaction.

Table 11‑31. Virtual Machine Interaction (Continued)
Privilege Name | Description | Required On
Virtual machine.Interaction.Test restart Secondary VM | Allows termination of a Secondary virtual machine for a virtual machine using Fault Tolerance. | Virtual machines
Virtual machine.Interaction.Turn Off Fault Tolerance | Allows turning off Fault Tolerance for a virtual machine. | Virtual machines

Table 11‑31. Virtual Machine Interaction (Continued)
Privilege Name | Description | Required On
Virtual machine.Interaction.Turn On Fault Tolerance | Allows turning on Fault Tolerance for a virtual machine. | Virtual machines
Virtual machine.Interaction.VMware Tools install | Allows mounting and unmounting the VMware Tools CD installer as a CD-ROM for the guest operating system. |
Table 11‑32. Virtual Machine Inventory Privileges (Continued)
Privilege Name | Description | Required On
Virtual machine.Inventory.Register | Allows adding an existing virtual machine to a vCenter Server or host inventory. | Clusters, Hosts, Virtual machine folders
Virtual machine.Inventory.Remove | Allows deletion of a virtual machine. Deletion removes the virtual machine's underlying files from disk. | Virtual machines
Virtual machine.Inventory.
Table 11‑33. Virtual Machine Provisioning Privileges (Continued)
Privilege Name | Description | Required On
Virtual machine.Provisioning.Create template from virtual machine | Allows creation of a new template from a virtual machine. | Virtual machines
Virtual machine.Provisioning.Customize | Allows customization of a virtual machine's guest operating system without moving the virtual machine. | Virtual machines
Virtual machine.Provisioning.
Table 11‑34. Virtual Machine Service Configuration Privileges (Continued)
Privilege Name | Description
Virtual Machine.Service configuration.Manage service configurations | Allows creating, modifying, and deleting virtual machine services.
Virtual Machine.Service configuration.Modify service configuration | Allows modification of existing virtual machine service configuration.
Virtual Machine.Service configuration.
Virtual Machine vSphere Replication Privileges

Virtual Machine vSphere replication privileges control the use of replication by VMware vCenter Site Recovery Manager™ for virtual machines. You can set this privilege at different levels in the hierarchy. For example, if you set a privilege at the folder level, you can propagate the privilege to one or more objects within the folder. The object listed in the Required On column must have the privilege set, either directly or inherited.
vApp Privileges

vApp privileges control operations related to deploying and configuring a vApp. You can set this privilege at different levels in the hierarchy. For example, if you set a privilege at the folder level, you can propagate the privilege to one or more objects within the folder. The object listed in the Required On column must have the privilege set, either directly or inherited.

Table 11‑38. vApp Privileges
Privilege Name | Description | Required On
vApp.
Table 11‑38. vApp Privileges (Continued)
Privilege Name | Description | Required On
vApp.vApp managedBy configuration | Allows an extension or solution to mark a vApp as being managed by that extension or solution. No vSphere Web Client user interface elements are associated with this privilege. | vApps
vApp.vApp resource configuration | Allows modification of a vApp's resource configuration. |
Table 11‑40. vSphere Tagging Privileges (Continued)
Privilege Name | Description | Required On
vSphere Tagging.Create vSphere Tag Category | Allows creation of a tag category. | Any object
vSphere Tagging.Create vSphere Tag Scope | Allows creation of a tag scope. | Any object
vSphere Tagging.Delete vSphere Tag | Allows deletion of a tag category. | Any object
vSphere Tagging.Delete vSphere Tag Category | Allows deletion of a tag category. | Any object
vSphere Tagging.