vSphere Security 17 APR 2018 VMware vSphere 6.7 VMware ESXi 6.7 vCenter Server 6.
You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/ If you have comments about this documentation, submit your feedback to docfeedback@vmware.com. VMware, Inc., 3401 Hillview Ave., Palo Alto, CA 94304, www.vmware.com. Copyright © 2009–2018 VMware, Inc. All rights reserved. Copyright and trademark information.
About vSphere Security
vSphere Security provides information about securing your vSphere environment for VMware vCenter Server® and VMware ESXi®. To help you protect your vSphere environment, this documentation describes available security features and the measures that you can take to safeguard your environment from attack. Table 1.
Related Documentation
A companion document, Platform Services Controller Administration, explains how you can use the Platform Services Controller services, for example, to manage authentication with vCenter Single Sign-On and to manage certificates in your vSphere environment. In addition to these documents, VMware publishes a Hardening Guide for each release of vSphere, accessible at http://www.vmware.com/security/hardening-guides.html.
Security in the vSphere Environment 1 The components of a vSphere environment are secured out of the box by several features such as authentication, authorization, a firewall on each ESXi host, and so on. You can modify the default setup in many ways. For example, you can set permissions on vCenter objects, open firewall ports, or change the default certificates.
Users who can access the ESXi host must have permissions to manage the host. You set permissions on the host object from the vCenter Server system that manages the host.
Use named users and least privilege
By default, the root user can perform many tasks. Do not allow administrators to log in to the ESXi host using the root user account. Instead, create named administrator users from vCenter Server and assign those users the Administrator role.
Manage ESXi certificates
In vSphere 6.0 and later, the VMware Certificate Authority (VMCA) provisions each ESXi host with a signed certificate that has VMCA as the root certificate authority by default. If company policy requires it, you can replace the existing certificates with certificates that are signed by a third-party or an enterprise CA. See Certificate Management for ESXi Hosts.
Consider Smart card authentication
Starting with vSphere 6.
For additional protection, explicitly remove expired or revoked certificates and failed installations.
Configure vCenter Single Sign-On
vCenter Server and associated services are protected by the vCenter Single Sign-On authentication framework. When you first install the software, you specify a password for the administrator of the vCenter Single Sign-On domain, administrator@vsphere.local by default. Only that domain is initially available as an identity source.
Use templates and scripted management
VM templates enable you to set up the operating system so that it meets your requirements, and to create other VMs with the same settings. If you want to change VM settings after initial deployment, consider using scripts, for example, PowerCLI. This documentation explains how to perform tasks using the GUI. Consider using scripts instead of the GUI to keep your environment consistent.
See ESXi Networking Security Recommendations.
Use firewalls to secure virtual network elements
You can open and close firewall ports and secure each element in the virtual network separately. For ESXi hosts, firewall rules associate services with corresponding firewalls and can open and close the firewall according to the status of the service. See ESXi Firewall Configuration. You can also open ports on Platform Services Controller and vCenter Server instances explicitly.
See Storage Security Best Practices.
Evaluate the use of IPSec
ESXi supports IPSec over IPv6. You cannot use IPSec over IPv4. See Internet Protocol Security. In addition, evaluate whether VMware NSX for vSphere is a good solution for securing the networking layer in your environment.
vCenter Single Sign-On supports one default identity source. Users can log in to the corresponding domain with the vSphere Web Client with just their user names. If users want to log in to a non-default domain, they can include the domain name, that is, specify user@domain or domain\user. The domain password parameters apply to each domain.
Table 1‑2. VMware Security Resources on the Web
- VMware security policy, up-to-date security alerts, security downloads, and focus discussions of security topics: http://www.vmware.com/go/security
- Corporate security response policy: http://www.vmware.com/support/policies/security_response.html
VMware is committed to helping you maintain a secure environment. Security issues are corrected in a timely manner.
vSphere Permissions and User Management Tasks 2 Authentication and authorization govern access. vCenter Single Sign-On supports authentication, which means it determines whether a user can access vSphere components at all. Each user must also be authorized to view or manipulate vSphere objects. vSphere supports several different authorization mechanisms, discussed in Understanding Authorization in vSphere.
Understanding Authorization in vSphere
vSphere supports several models with fine-grained control for determining whether a user is allowed to perform a task. vCenter Single Sign-On uses group membership in a vCenter Single Sign-On group to decide what you are allowed to do. Your role on an object or your global permission determines whether you're allowed to perform other tasks in vSphere.
Authorization Overview
vSphere 6.
Understanding the Object-Level Permission Model
You authorize a user or group to perform tasks on vCenter objects by using permissions on the object. The vSphere permission model relies on assigning permissions to objects in the vSphere object hierarchy. Each permission gives one user or group a set of privileges, that is, a role for the selected object. For example, a group of users might have the ReadOnly role on one VM and the Administrator role on another VM.
2 Select the group or user that should have privileges on the object.
3 Select individual privileges or a role, that is, a set of privileges, that the group or user should have on the object.
By default, permissions propagate, that is, the group or user has the selected role on the selected object and its child objects. vCenter Server offers predefined roles, which combine frequently used privilege sets. You can also create custom roles by combining a set of roles.
Figure 2‑2.
Permissions take several forms in the hierarchy:
Managed entities: Privileged users can define permissions on managed entities.
- Clusters
- Data centers
- Datastores
- Datastore clusters
- Folders
- Hosts
- Networks (except vSphere Distributed Switches)
- Distributed port groups
- Resource pools
- Templates
- Virtual machines
- vSphere vApps
Global entities: You cannot modify permissions on entities that derive permissions from the root vCenter Server system.
If multiple group permissions are defined on the same object and a user belongs to two or more of those groups, two situations are possible:
- No permission for the user is defined directly on the object. In that case, the user has the privileges that the groups have on that object.
- A permission for the user is defined directly on the object. In that case, the user's permission takes precedence over all group permissions.
User 1, who belongs to groups A and B, logs on. Because Role 2 is assigned at a lower point in the hierarchy than Role 1, it overrides Role 1 on VM B. User 1 can power on VM A, but not take snapshots. User 1 can take snapshots of VM B, but not power it on. Figure 2‑4.
To manage permissions from the vSphere Web Client, you need to understand the following concepts:
Permissions: Each object in the vCenter Server object hierarchy has associated permissions. Each permission specifies for one group or user which privileges that group or user has on the object.
Users and Groups: On vCenter Server systems, you can assign privileges only to authenticated users or groups of authenticated users. Users are authenticated through vCenter Single Sign-On.
4 Select the user or group that will have the privileges defined by the selected role.
a From the Domain drop-down menu, select the domain for the user or group.
b Type a name in the Search box or select a name from the list. The system searches user names, group names, and descriptions.
c Select the user or group and click Add. The name is added to either the Users or Groups list.
d (Optional) Click Check Names to verify that the user or group exists in the identity source.
Change User Validation Settings
vCenter Server periodically validates its user and group lists against the users and groups in the user directory. It then removes users or groups that no longer exist in the domain. You can disable validation or change the interval between validations. If you have domains with thousands of users or groups, or if searches take a long time to complete, consider adjusting the search settings. For vCenter Server versions before vCenter Server 5.
Each solution has a root object in its own object hierarchy. The global root object acts as a parent object to the root objects for all solutions. You can assign global permissions to users or groups, and decide on the role for each user or group. The role determines the set of privileges that the user or group has for all objects in the hierarchy. You can assign a predefined role or create custom roles. See Using Roles to Assign Privileges.
d (Optional) Click Check Names to verify that the user or group exists in the identity source.
e Click OK.
4 Select a role from the Assigned Role drop-down menu. The roles that are assigned to the object appear in the menu. The privileges contained in the role are listed in the section below the role title.
5 Decide whether to leave the Propagate to children check box selected.
Global Permissions Complement Tag Object Permissions
Global permissions, that is, permissions that are assigned on the root object, complement permissions on tag objects when the permissions on the tag objects are more restrictive. The vCenter Server permissions do not affect the tag objects. For example, assume that you assign the Delete vSphere Tag privilege to user Robin at the root level by using global permissions.
vCenter Server provides system roles and sample roles by default.
System roles: System roles are permanent. You cannot edit the privileges associated with these roles.
Sample roles: VMware provides sample roles for certain frequently performed combinations of tasks. You can clone, modify, or remove these roles.
Note To avoid losing the predefined settings in a sample role, clone the role first and make modifications to the clone. You cannot reset the sample to its default settings.
You can create or edit a role on a vCenter Server system that is part of the same vCenter Single Sign-On domain as other vCenter Server systems. The VMware Directory Service (vmdir) propagates the role changes that you make to all other vCenter Server systems in the group. Assignments of roles to specific users and objects are not shared across vCenter Server systems.
Prerequisites
Verify that you are logged in as a user with Administrator privileges.
If you create a role, it does not inherit privileges from any of the system roles.
Administrator Role
Users with the Administrator role for an object are allowed to view and perform all actions on the object. This role also includes all privileges of the Read Only role. If you have the Administrator role on an object, you can assign privileges to individual users and groups.
VMware recommends the following best practices when configuring roles and permissions in your vCenter Server environment:
- Where possible, assign a role to a group rather than individual users.
- Grant permissions only on the objects where they are needed, and assign privileges only to users or groups that must have them. Use the minimum number of permissions to make it easier to understand and manage your permissions structure.
- Moving an object in the inventory hierarchy requires appropriate privileges on the object itself, the source parent object (such as a folder or cluster), and the destination parent object.
- Each host and cluster has its own implicit resource pool that contains all the resources of that host or cluster. Deploying a virtual machine directly to a host or cluster requires the Resource.Assign Virtual Machine to Resource Pool privilege.
Table 2‑4.
Table 2‑4. Required Privileges for Common Tasks (Continued)
Task: Move a virtual machine into a resource pool
Required Privileges: On the virtual machine or folder of virtual machines (Applicable Role: Administrator):
- Resource.Assign virtual machine to resource pool
- Virtual machine.Inventory.Move
On the destination resource pool (Applicable Role: Administrator): Resource.
Table 2‑4. Required Privileges for Common Tasks (Continued)
(Continued from the previous task) On the destination datastore: Datastore.Allocate space (Applicable Role: Datastore Consumer or Administrator)
Task: Move a host into a cluster
Required Privileges: On the host: Host.Inventory.Add host to cluster (Applicable Role: Administrator). On the destination cluster: Host.Inventory.Add host to cluster (Applicable Role: Administrator).
Task: Encrypt a virtual machine
Encryption tasks are possible only in environments that include vCenter Server.
Securing ESXi Hosts 3 The ESXi hypervisor architecture has many built-in security features such as CPU isolation, memory isolation, and device isolation. You can configure additional features such as lockdown mode, certificate replacement, and smart card authentication for enhanced security. An ESXi host is also protected with a firewall. You can open ports for incoming and outgoing traffic as needed, but should restrict access to services and ports.
Built-In Security Features
Risks to the hosts are mitigated out of the box as follows:
- ESXi Shell and SSH are disabled by default.
- Only a limited number of firewall ports are open by default. You can explicitly open additional firewall ports that are associated with specific services.
- ESXi runs only services that are essential to managing its functions. The distribution is limited to the features required to run ESXi.
If you manage hosts with a scripting interface or API, do not target the host directly. Instead, target the vCenter Server system that manages the host and specify the host name.
Use DCUI only for troubleshooting
Access the host from the DCUI or the ESXi Shell as the root user only for troubleshooting. Use one of the GUI clients, or one of the VMware CLIs or APIs to administer your ESXi hosts. If you use the ESXi Shell or SSH, limit the accounts that have access and set timeouts.
vSphere includes several scripting languages for host management. See the vSphere Command-Line Documentation and the vSphere API/SDK Documentation for reference information and programming tips, and VMware Communities for additional tips about scripted management. The vSphere Administrator documentation focuses on using the vSphere Web Client for management.
vSphere PowerCLI
VMware vSphere PowerCLI is a Windows PowerShell interface to the vSphere API.
3 Write scripts to perform parameter checking or modification, and run them. For example, you can check or set the shell interactive timeout of a host as follows:
vCLI (ESXCLI) commands:
    esxcli system settings advanced get /UserVars/ESXiShellTimeOut
    esxcli --formatter=csv --format-param=fields="Path,Int Value" system settings advanced list | grep /UserVars/ESXiShellTimeOut
PowerCLI:
    #List UserVars.
- By default, password length is more than 7 and less than 40.
- Passwords cannot contain a dictionary word or part of a dictionary word.
Note An uppercase character that begins a password does not count toward the number of character classes used. A number that ends a password does not count toward the number of character classes used.
Example ESXi Passwords
The following password candidates illustrate potential passwords if the option is set as follows.
You can change the default, for example, to require a minimum of 15 characters and a minimum number of four words, as follows:
    retry=3 min=disabled,disabled,15,7,7 passphrase=4
See the man page for pam_passwdqc for details.
Note Not all possible combinations of the options for pam_passwdqc have been tested. Perform additional testing after you change the default password settings.
ESXi Account Lockout Behavior
Starting with vSphere 6.
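As an added illustration (not VMware's or pam_passwdqc's own code), the following Python applies a pam_passwdqc option string such as the one quoted above to password candidates, using the two character-class exceptions noted in the previous section (a leading uppercase letter and a trailing digit are not counted). The word-splitting rule and the constructed CLASSES_ONLY_POLICY are assumptions, and the dictionary-word check is omitted.

```python
"""Evaluate ESXi password candidates against a pam_passwdqc-style policy.

Added example, not VMware's or pam_passwdqc's implementation. It models the
min=N0,N1,N2,N3,N4 rule (minimum length for 1 class, 2 classes, a passphrase,
3 classes, 4 classes; 'disabled' forbids that kind of password) plus the
character-class exceptions stated in vSphere Security. Dictionary-word and
similarity checks are out of scope.
"""
import re
from typing import Optional

# Policy string quoted on the page (15-character minimum, four-word passphrases).
PAGE_POLICY = "retry=3 min=disabled,disabled,15,7,7 passphrase=4"
# Constructed sample policy: only 3- or 4-class passwords of 7+ characters pass.
CLASSES_ONLY_POLICY = "retry=3 min=disabled,disabled,disabled,7,7"
# The document states that passwords must be shorter than 40 characters.
MAX_LENGTH = 40


def parse_policy(policy: str) -> dict:
    """Parse 'key=value' tokens of a pam_passwdqc option string."""
    opts = dict(tok.partition("=")[::2] for tok in policy.split())
    mins: list[Optional[int]] = [
        None if v == "disabled" else int(v) for v in opts.get("min", "").split(",")
    ]
    if len(mins) != 5:
        raise ValueError("min= must list exactly five values")
    return {
        "retry": int(opts.get("retry", "3")),
        "min": mins,
        # pam_passwdqc's default passphrase word count is 3; 0 disables passphrases
        "passphrase": int(opts.get("passphrase", "3")),
    }


def character_classes(password: str) -> int:
    """Count lower, upper, digit and other classes, ignoring an uppercase first
    character and a digit last character, as the document notes."""
    body = password[1:] if password[:1].isupper() else password
    body = body[:-1] if body[-1:].isdigit() else body
    return sum(
        1 for pattern in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
        if re.search(pattern, body)
    )


def word_count(password: str) -> int:
    """Assumption for this example: a word is a run of letters."""
    return len(re.findall(r"[A-Za-z]+", password))


def evaluate(password: str, policy: str) -> tuple[bool, str]:
    """Return (accepted, reason). A candidate passes either on the class-based
    minimum for its class count or, alternatively, as a passphrase."""
    p = parse_policy(policy)
    length = len(password)
    if length >= MAX_LENGTH:
        return False, f"{length} characters is not shorter than {MAX_LENGTH}"
    classes = character_classes(password)
    # N0..N4 positions: 1 class -> N0, 2 -> N1, 3 -> N3, 4 -> N4 (N2 is passphrases)
    index = {1: 0, 2: 1, 3: 3, 4: 4}.get(classes)
    class_min = p["min"][index] if index is not None else None
    if class_min is not None and length >= class_min:
        return True, f"accepted with {classes} character classes"
    words = word_count(password)
    phrase_min = p["min"][2]
    if (p["passphrase"] and phrase_min is not None
            and words >= p["passphrase"] and length >= phrase_min):
        return True, f"accepted as a {words}-word passphrase"
    if class_min is None:
        return False, f"{classes}-class passwords are disabled and it is not a qualifying passphrase"
    return False, f"{classes}-class passwords need {class_min} characters, got {length}"


if __name__ == "__main__":
    # Constructed candidates, not the ones from the VMware example table.
    for candidate in ("xQaTEhb2", "Xqat3#a", "correct horse battery staple"):
        print(f"{candidate!r}: {evaluate(candidate, PAGE_POLICY)}")
```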
You can copy the SSH key to the host by using the vifs vSphere CLI command. See Getting Started with vSphere Command-Line Interfaces for information on installing and using the vSphere CLI command set. You can also use HTTPS PUT to copy the SSH key to the host. Instead of generating the keys externally and uploading them, you can create the keys on the ESXi host and download them. See VMware Knowledge Base article 1002866. Enabling SSH and adding SSH keys to the host has inherent risks.
Procedure
At the command line or an administration server, use the vifs command to upload the SSH key to an appropriate location on the ESXi host.
    vifs --server hostname --username username --put filename /host/ssh_host_dsa_key_pub
Type of key: Authorized key files for the root user
Location: /host/ssh_root_authorized_keys
You must have full administrator privileges to upload this file.
PCI and PCIe Devices and ESXi
Using the VMware DirectPath I/O feature to pass through a PCI or PCIe device to a virtual machine results in a potential security vulnerability. The vulnerability can be triggered when buggy or malicious code, such as a device driver, is running in privileged mode in the guest OS. Industry-standard hardware and firmware do not currently have sufficient error containment support to protect ESXi hosts from the vulnerability.
ESXi Networking Security Recommendations
Isolation of network traffic is essential to a secure ESXi environment. Different networks require different access and level of isolation. Your ESXi host uses several networks. Use appropriate security measures for each network, and isolate traffic for specific applications and functions. For example, ensure that VMware vSphere® vMotion traffic does not travel over networks where virtual machines are located. Isolation prevents snooping.
- To protect against misuse of ESXi services, most internal ESXi services are accessible only through port 443, the port used for HTTPS transmission. Port 443 acts as a reverse proxy for ESXi. You can see a list of services on ESXi through an HTTP welcome page, but you cannot directly access the Storage Adapters services without proper authorization. You can change this configuration so that individual services are directly accessible through HTTP connections.
CIM is an open standard that defines a framework for agent-less, standards-based monitoring of hardware resources for ESXi hosts. This framework consists of a CIM object manager, often called a CIM broker, and a set of CIM providers. CIM providers support management access to device drivers and underlying hardware. Hardware vendors, including server manufacturers and hardware device vendors, can write providers that monitor and manage their devices.
Table 3‑1. Certificate Modes for ESXi Hosts
Certificate Mode: VMware Certificate Authority (default)
Description: Use this mode if VMCA provisions all ESXi hosts, either as the top-level CA or as an intermediate CA. By default, VMCA provisions ESXi hosts with certificates. In this mode, you can refresh and renew certificates from the vSphere Web Client.
Required Privileges for ESXi Certificate Management
For certificate management for ESXi hosts, you must have the Certificates.Manage Certificates privilege. You can set that privilege from the vSphere Web Client.
Host Name and IP Address Changes
In vSphere 6.0 and later, a host name or IP address change might affect whether vCenter Server considers a host certificate valid. How you added the host to vCenter Server affects whether manual intervention is necessary.
The recommended upgrade workflow depends on the current certificates.
Host Provisioned with Thumbprint Certificates
If your host is currently using thumbprint certificates, it is automatically assigned VMCA certificates as part of the upgrade process.
Note You cannot provision legacy hosts with VMCA certificates. You must upgrade those hosts to ESXi 6.0 or later.
Certificate Mode: VMware Certificate Authority (default)
Description: By default, the VMware Certificate Authority is used as the CA for ESXi host certificates. VMCA is the root CA by default, but it can be set up as the intermediary CA to another CA. In this mode, users can manage certificates from the vSphere Web Client. Also used if VMCA is a subordinate certificate.
Certificate Mode: Custom Certificate Authority
Description: Some customers might prefer to manage their own external certificate authority.
Switching from Thumbprint Mode to VMCA Mode
If you use thumbprint mode and you want to start using VMCA-signed certificates, the switch requires some planning. The recommended workflow is as follows.
1 Remove all hosts from the vCenter Server system.
2 Switch to VMCA certificate mode. See Change the Certificate Mode.
3 Add the hosts to the vCenter Server system.
Note Any other workflow for this mode switch might result in unpredictable behavior.
Table 3‑3. ESXi CSR Settings (Parameter: Default Value; Advanced Option)
- Key Size: 2048; N.A.
- Key Algorithm: RSA; N.A.
- Certificate Signature Algorithm: sha256WithRSAEncryption; N.A.
- Common Name: Name of the host if the host was added to vCenter Server by host name, or IP address of the host if the host was added to vCenter Server by IP address; N.A.
- Country: USA; vpxd.certmgmt.certs.cn.country
- Email address: vmca@vmware.com; vpxd.certmgmt.certs.cn.email
- Locality (City): Palo Alto; vpxd.
Procedure
1 In the vSphere Web Client, select the vCenter Server system that manages the hosts.
2 Click Configure, and click Advanced Settings.
3 In the Filter box, enter certmgmt to display only certificate management parameters.
4 Change the value of the existing parameters to follow company policy and click OK.
View Certificate Details for a Single ESXi Host
For ESXi 6.0 and later hosts that are in VMCA mode or custom mode, you can view certificate details from the vSphere Web Client. The information about the certificate can be helpful for debugging.
Procedure
1 Browse to the host in the vSphere Web Client inventory.
2 Select Configure.
3 Under System, click Certificate. You can examine the following information. This information is available only in the single-host view.
3 Under System, click Certificate. You can view detailed information about the selected host's certificate.
4 Click Renew or Refresh CA Certificates.
- Renew: Retrieves a fresh signed certificate for the host from VMCA.
- Refresh CA Certificates: Pushes all certificates in the TRUSTED_ROOTS store in the vCenter Server VECS store to the host.
5 Click Yes to confirm.
The default certificates are in the same location as the vSphere 5.5 certificates. You can replace the default certificates with trusted certificates in various ways.
Note You can also use the vim.CertificateManager and vim.host.CertificateManager managed objects in the vSphere Web Services SDK. See the vSphere Web Services SDK documentation.
- Contains the following Key Usages: Digital Signature, Non Repudiation, Key Encipherment
- Start time of one day before the current time
- CN (and SubjectAltName) set to the host name (or IP address) that the ESXi host has in the vCenter Server inventory.
Replace the Default Certificate and Key from the ESXi Shell
You can replace the default VMCA-signed ESXi certificates from the ESXi Shell.
- If necessary, enable the ESXi Shell or enable SSH traffic from the vSphere Web Client.
- All file transfers and other communications occur over a secure HTTPS session. The user who is used to authenticate the session must have the privilege Host.Config.AdvancedConfig on the host.
Procedure
1 Back up the existing certificates.
2 Generate a certificate request following the instructions from the certificate authority. See Requirements for ESXi Certificate Signing Requests.
2 In your upload application, process each file as follows:
a Open the file.
b Publish the file to one of these locations.
- Certificates: https://hostname/host/ssl_cert
- Keys: https://hostname/host/ssl_key
The locations /host/ssl_cert and /host/ssl_key link to the certificate files in /etc/vmware/ssl.
3 Restart the host.
What to do next
Update the vCenter Server TRUSTED_ROOTS store. See Update the vCenter Server TRUSTED_ROOTS Store (Custom Certificates).
What to do next
Set certificate mode to Custom. If certificate mode is VMCA, the default, and you perform a certificate refresh, your custom certificates are replaced with VMCA-signed certificates. See Change the Certificate Mode.
Use Custom Certificates With Auto Deploy
By default, the Auto Deploy server provisions each host with certificates that are signed by VMCA. You can set up the Auto Deploy server to provision all hosts with custom certificates that are not signed by VMCA.
4 On the system where the Auto Deploy service runs, update the TRUSTED_ROOTS store in VECS to use your new certificates (the commands are shown for Windows and Linux):
    cd C:\Program Files\VMware\vCenter Server\vmafdd\vecs-cli.exe
    vecs-cli entry delete --store TRUSTED_ROOTS --alias rbd_cert
    vecs-cli entry create --store TRUSTED_ROOTS --alias rbd_cert --cert /etc/vmware-rbd/ssl/rbd-ca.
Procedure
1 On the ESXi host, locate the file /etc/vmware/ssl/rui.bak. The file has the following format.
    #
    # Host private key and certificate backup from 2014-06-20 08:02:49.961
    #
    -----BEGIN PRIVATE KEY-----
    previous key
    -----END PRIVATE KEY-----
    -----BEGIN CERTIFICATE-----
    previous cert
    -----END CERTIFICATE-----
2 Copy the text starting with -----BEGIN PRIVATE KEY----- and ending with -----END PRIVATE KEY----- into the /etc/vmware/ssl/rui.key file.
As you open ports on the firewall, consider that unrestricted access to services running on an ESXi host can expose a host to outside attacks and unauthorized access. Reduce the risk by configuring the ESXi firewall to allow access only from authorized networks.
Note The firewall also allows Internet Control Message Protocol (ICMP) pings and communication with DHCP and DNS (UDP only) clients.
4 In the Firewall section, click Edit. The display shows firewall rule sets, which include the name of the rule and the associated information.
5 Select the rule sets to enable, or deselect the rule sets to disable.
- Incoming Ports and Outgoing Ports: The ports that the vSphere Web Client opens for the service
- Protocol: Protocol that a service uses.
- Daemon: Status of daemons associated with the service
For some services, you can manage service details.
- fd3e:29a6:0a81:e478::/64
6 Click OK.
Incoming and Outgoing Firewall Ports for ESXi Hosts
The vSphere Web Client and the VMware Host Client allow you to open and close firewall ports for each service or to allow traffic from selected IP addresses. The following table lists the firewalls for services that are installed by default. If you install other VIBs on your host, additional services and firewall ports might become available.
Table 3‑4. Incoming Firewall Connections (Continued) (Port; Protocol; Service; Description)
- 8000; TCP; vMotion; Required for virtual machine migration with vMotion. ESXi hosts listen on port 8000 for TCP connections from remote ESXi hosts for vMotion traffic.
- 902, 443; TCP; vSphere Web Client; Client connections
- 8080; TCP; vsanvp; vSAN VASA Vendor Provider.
Table 3‑5. Outgoing Firewall Connections (Continued) (Port; Protocol; Service; Description)
- 5671; TCP; rabbitmqproxy; A proxy running on the ESXi host. This proxy allows applications that are running inside virtual machines to communicate with the AMQP brokers that are running in the vCenter network domain. The virtual machine does not have to be on the network, that is, no NIC is required. Ensure that the outgoing connection IP addresses include at least the brokers in use now or planned for the future.
- If the nfsClient rule set is enabled, the state of the rule set and the allowed IP address policy are not changed. The IP address of the NFS server is added to the allowed list of outgoing IP addresses.
Note If you manually enable the nfsClient rule set or manually set the Allow All IP Addresses policy, either before or after you add an NFS v3 datastore to the system, your settings are overridden when the last NFS v3 datastore is unmounted.
Table 3‑7. Firewall Commands (Continued)
- esxcli network firewall ruleset set --allowed-all: Set to true to allow all access to all IPs. Set to false to use a list of allowed IP addresses.
- esxcli network firewall ruleset set --enabled --ruleset-id=: Set enabled to true to enable the specified rule set. Set enabled to false to disable the specified rule set.
- esxcli network firewall ruleset allowedip list: List the allowed IP addresses of the specified rule set.
Table 3‑8. ESXi Services in the Security Profile
Service            Default  Description
Direct Console UI  Running  The Direct Console User Interface (DCUI) service allows you to interact with an ESXi host from the local console, using text-based menus.
ESXi Shell         Stopped  The ESXi Shell is available from the Direct Console User Interface and includes a set of fully supported commands and a set of commands for troubleshooting and remediation.
Procedure
1 Browse to a host in the vSphere Web Client inventory, and select a host.
2 Click Configure.
3 Under System, select Security Profile and click Edit.
4 Scroll to the service that you want to change.
5 In the Service Details pane, select Start, Stop, or Restart for a one-time change to the service's status, or select from the Startup Policy menu to change the service's status across reboots.
Lockdown Mode Behavior
In lockdown mode, some services are disabled, and some services are accessible only to certain users.
Lockdown Mode Services for Different Users
When the host is running, the available services depend on whether lockdown mode is enabled, and on the type of lockdown mode.
• In strict and normal lockdown mode, privileged users can access the host through vCenter Server, either from the vSphere Web Client or by using the vSphere Web Services SDK.
Table 3‑9. Lockdown Mode Behavior (Continued)
Service                  Normal Mode                                      Normal Lockdown Mode                                                                                        Strict Lockdown Mode
ESXi Shell (if enabled)  Users with administrator privileges on the host  Users defined in the DCUI.Access advanced option; exception users with administrator privileges on the host  Users defined in the DCUI.Access advanced option; exception users with administrator privileges on the host
SSH (if enabled)         Users with administrator privileges on the host  Users defined in the DCUI.
6 Click Lockdown Mode and select one of the lockdown mode options.
Option  Description
Normal  The host can be accessed through vCenter Server. Only users who are on the Exception Users list and have administrator privileges can log in to the Direct Console User Interface. If SSH or the ESXi Shell is enabled, access might be possible.
Strict  The host can only be accessed through vCenter Server. If SSH or the ESXi Shell is enabled, running sessions for accounts in the DCUI.
• Users defined in the DCUI.Access advanced option for the host. This option can be used to enable access in case of catastrophic failure.
For ESXi 6.0 and later, user permissions are preserved when you enable lockdown mode. User permissions are restored when you disable lockdown mode from the Direct Console User Interface.
Note If you upgrade a host that is in lockdown mode to ESXi version 6.
Add Users to the DCUI.Access Advanced Option
If there is a catastrophic failure, the DCUI.Access advanced option allows you to exit lockdown mode when you cannot access the host from vCenter Server. You add users to the list by editing the Advanced Settings for the host from the vSphere Web Client.
Note Users in the DCUI.Access list can change lockdown mode settings regardless of their privileges. Because changing lockdown mode can reduce the security of your host, membership of this list is effectively administrator-level access: keep it to the few accounts needed for emergency access.
4 In the Lockdown Mode panel, click Edit.
5 Click Exception Users and click the plus icon to add exception users.

Manage the Acceptance Levels of Hosts and VIBs
The acceptance level of a VIB depends on the amount of certification of that VIB. The acceptance level of the host is the acceptance level of its lowest-level VIB. You can change the acceptance level of the host if you want to allow lower-level VIBs. You can remove CommunitySupported VIBs to be able to raise the host acceptance level.
PartnerSupported  VIBs with the PartnerSupported acceptance level are published by a partner that VMware trusts. The partner performs all testing; VMware does not verify the results. This level is used for new or nonmainstream technology that partners want to enable for VMware systems. Today, driver VIB technologies such as InfiniBand, ATAoE, and SSD are at this level with nonstandard hardware drivers.
Assigning Permissions to ESXi Hosts That Are Managed by vCenter Server
If your ESXi host is managed by a vCenter Server, perform management tasks through the vSphere Web Client. You can select the ESXi host object in the vCenter Server object hierarchy and assign the administrator role to a limited number of users. Those users can then perform direct management on the ESXi host. See Using Roles to Assign Privileges.
Predefined Privileges
If your environment does not include a vCenter Server system, the following users are predefined.
root User  By default each ESXi host has a single root user account with the Administrator role. That root user account can be used for local administration and to connect the host to vCenter Server. Using the root account for routine administration makes it easier to break into an ESXi host, because an attacker already knows the account name and needs only the password.
Using Active Directory to Manage ESXi Users
You can configure ESXi to use a directory service such as Active Directory to manage users. Creating local user accounts on each host presents challenges with having to synchronize account names and passwords across multiple hosts. Join ESXi hosts to an Active Directory domain to eliminate the need to create and maintain local user accounts.
2 Ensure that the DNS servers that you configured for the host can resolve the host names for the Active Directory controllers.
a Browse to the host in the vSphere Web Client object navigator.
b Click Configure.
c Under Networking, click TCP/IP configuration.
d Under TCP/IP Stack: Default, click DNS and verify that the host name and DNS server information for the host are correct.
What to do next
Use the vSphere Web Client to join a directory service domain.
Procedure
1 Browse to the host in the vSphere Web Client inventory.
2 Click Configure.
3 Under System, select Authentication Services.
The Authentication Services page displays the directory service and domain settings.

Using vSphere Authentication Proxy
You can add ESXi hosts to an Active Directory domain by using vSphere Authentication Proxy instead of adding the hosts explicitly to the Active Directory domain.
Enable vSphere Authentication Proxy
The vSphere Authentication Proxy service is available on each vCenter Server system. By default, the service is not running. If you want to use vSphere Authentication Proxy in your environment, you can start the service from the vSphere Web Client or from the command line. The vSphere Authentication Proxy service binds to an IPv4 address for communication with vCenter Server, and does not support IPv6.
4 Enter the name of the domain that vSphere Authentication Proxy will add hosts to, and the name of a user who has Active Directory privileges to add hosts to the domain. The other fields in this dialog are for information only.
5 Click the ellipsis icon to add and confirm the password for the user, and click OK.
5 If you later want to remove the domain and user information from vSphere Authentication Proxy, run the following command.
camconfig remove-domain -d domain

Use vSphere Authentication Proxy to Add a Host to a Domain
The Auto Deploy server adds all hosts that it provisions to vSphere Authentication Proxy, and vSphere Authentication Proxy adds those hosts to the domain.
Enable Client Authentication for vSphere Authentication Proxy
By default, vSphere Authentication Proxy adds any host whose IP address is in its access control list. Because an IP address alone is a weak proof of identity, you can enable client authentication for additional security. If client authentication is enabled, vSphere Authentication Proxy also checks the certificate of the host.
Prerequisites
• Verify that the vCenter Server system trusts the host.
Prerequisites
• Upload the vSphere Authentication Proxy certificate to the ESXi host. You can find the certificate in the following location.
  vCenter Server Appliance  /var/lib/vmware/vmcam/ssl/rui.crt
  vCenter Server Windows    C:\ProgramData\VMware\vCenterServer\data\vmcamd\ssl\rui.crt
• Verify that the UserVars.ActiveDirectoryVerifyCAMCertificate ESXi advanced setting is set to 1 (the default).
Procedure
1 In the vSphere Web Client, select the ESXi host and click Configure.
3 Generate the new private key in /var/lib/vmware/vmcam/ssl/.
/usr/lib/vmware-vmca/bin/certool --genkey --privkey=/var/lib/vmware/vmcam/ssl/rui.key --pubkey=/tmp/vmcam.pub --server=localhost
For localhost, supply the FQDN of the Platform Services Controller.
4 Generate the new certificate in /var/lib/vmware/vmcam/ssl/ using the key and the vmcam.cfg file that you created in Step 1 and Step 2.
Procedure
1 Generate a CSR for vSphere Authentication Proxy.
a Create a configuration file, /var/lib/vmware/vmcam/ssl/vmcam.cfg, as in the following example.
[ req ]
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req
[ v3_req ]
basicConstraints = CA:false
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = DNS:olearyf-static-1.csl.vmware.
4 Stop the vSphere Authentication Proxy service.
Tool                Steps
vSphere Web Client  a Click Administration, and click System Configuration under Deployment.
                    b Click Services, click the VMware vSphere Authentication Proxy service, and stop the service.
CLI                 service-control --stop vmcam
5 Replace the existing rui.crt certificate and rui.key files with the files that you received from your CA.
6 Restart the vSphere Authentication Proxy service.
Prerequisites
• Set up the infrastructure to handle smart card authentication, such as accounts in the Active Directory domain, smart card readers, and smart cards.
• Configure ESXi to join an Active Directory domain that supports smart card authentication. For more information, see Using Active Directory to Manage ESXi Users.
• Use the vSphere Web Client to add root certificates. See Certificate Management for ESXi Hosts.
Procedure
1 In the vSphere Web Client, browse to the host.
In exceptional circumstances, the Active Directory domain controller is not reachable to authenticate the user credentials on the smart card, because of connectivity problems, a network outage, or a disaster. In that case, you can log in to the ESXi DCUI by using the credentials of a local ESXi Administrator user. After logging in, you can perform diagnostics or other emergency actions. The fallback to user name and password login is logged, so review those log entries as part of routine monitoring.
• Use the Direct Console User Interface (DCUI) to Enable Access to the ESXi Shell
The Direct Console User Interface (DCUI) allows you to interact with the host locally using text-based menus. Evaluate carefully whether the security requirements of your environment support enabling the Direct Console User Interface.
• Log in to the ESXi Shell for Troubleshooting
Perform ESXi configuration tasks with the vSphere Web Client, the vSphere CLI, or vSphere PowerCLI.
Create a Timeout for ESXi Shell Availability in the vSphere Web Client
The ESXi Shell is disabled by default. You can set an availability timeout for the ESXi Shell to increase security when you enable the shell. The availability timeout setting is the amount of time that can elapse before you must log in after the ESXi Shell is enabled. After the timeout period, the service is disabled and users are not allowed to log in.
Use the Direct Console User Interface (DCUI) to Enable Access to the ESXi Shell
The Direct Console User Interface (DCUI) allows you to interact with the host locally using text-based menus. Evaluate carefully whether the security requirements of your environment support enabling the Direct Console User Interface. You can use the Direct Console User Interface to enable local and remote access to the ESXi Shell.
Prerequisites
Enable the ESXi Shell. See Use the Direct Console User Interface (DCUI) to Enable Access to the ESXi Shell.
Procedure
1 Log in to the ESXi Shell.
2 From the Troubleshooting Mode Options menu, select Modify ESXi Shell and SSH timeouts and press Enter.
3 Enter the idle timeout (in seconds) or the availability timeout.
You must restart the SSH service and the ESXi Shell service for the timeout to take effect.
UEFI Secure Boot Overview
ESXi version 6.5 and later supports UEFI secure boot at each level of the boot stack.
Note Before you use UEFI Secure Boot on a host that was upgraded to ESXi 6.5, check for compatibility by following the instructions in Run the Secure Boot Validation Script on an Upgraded ESXi Host. If you upgrade an ESXi host by using esxcli commands, the upgrade does not update the bootloader. In that case, you cannot perform a secure boot on that system.
Figure 3‑1.
The error message depends on the hardware vendor and on the level at which verification did not succeed.
• If you attempt to boot with a bootloader that is unsigned or has been tampered with, an error during the boot sequence results. The exact message depends on the hardware vendor. It might look like the following error, but might look different.
UEFI0073: Unable to boot PXE Device...
• In rare cases, VMware might drop ongoing development of a specific VIB without providing a new VIB that replaces or obsoletes it, so the old VIB remains on the system after upgrade.
Note UEFI secure boot also requires an up-to-date bootloader. This script does not check for an up-to-date bootloader.
Prerequisites
• Verify that the hardware supports UEFI secure boot.
• Verify that all VIBs are signed with an acceptance level of at least PartnerSupported.
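The host acceptance level rule from Manage the Acceptance Levels of Hosts and VIBs (the host takes the level of its lowest VIB) and the secure boot prerequisite above (every VIB at least PartnerSupported) are easy to apply by hand to a few VIBs but not to a full host. The following added example (not VMware code) computes both from the output of `esxcli software vib list`; the column layout and the VIB entries in the sample are constructed assumptions, and the level ordering is the one this chapter describes.

```python
"""Compute an ESXi host's acceptance level from its installed VIBs and list
the VIBs that block raising it or that would fail UEFI secure boot.

Added example, not VMware code. The sample imitates the columns of
`esxcli software vib list` (Name, Version, Vendor, Acceptance Level,
Install Date); the layout is assumed and the VIB entries are constructed."""
from __future__ import annotations

# Ordered from least to most trusted, as the documentation describes.
LEVELS = ["CommunitySupported", "PartnerSupported", "VMwareAccepted", "VMwareCertified"]
RANK = {level: i for i, level in enumerate(LEVELS)}

VIB_LIST = """\
Name            Version                          Vendor   Acceptance Level    Install Date
--------------  -------------------------------  -------  ------------------  ------------
esx-base        6.7.0-0.0.8169922                VMware   VMwareCertified     2018-04-17
net-ixgbe       4.5.3-1OEM.670.0.0.8169922       INT      VMwareCertified     2018-04-17
scsi-mpt3sas    20.00.00.00-1OEM.670.0.0.8169922 LSI      PartnerSupported    2018-04-17
custom-tool     1.0.0-1                          Lab      CommunitySupported  2018-04-17
"""


def parse_vibs(table: str) -> dict[str, str]:
    """Map VIB name -> acceptance level. The level is found by scanning the
    row's tokens for a known level name, which tolerates variable widths."""
    vibs = {}
    for line in table.splitlines()[2:]:
        tokens = line.split()
        if not tokens:
            continue
        level = next((t for t in tokens if t in RANK), None)
        if level is None:
            raise ValueError(f"unrecognised acceptance level in: {line!r}")
        vibs[tokens[0]] = level
    return vibs


def host_acceptance_level(vibs: dict[str, str]) -> str:
    """The host level is the level of its least-trusted VIB."""
    return min(vibs.values(), key=RANK.__getitem__)


def blockers_for(vibs: dict[str, str], target: str) -> list[str]:
    """VIBs that must be removed or replaced before the host acceptance
    level can be raised to `target`."""
    return [name for name, level in vibs.items() if RANK[level] < RANK[target]]


def secure_boot_violations(vibs: dict[str, str]) -> list[str]:
    """UEFI secure boot requires every VIB to be at least PartnerSupported."""
    return blockers_for(vibs, "PartnerSupported")


def can_install(new_level: str, host_level: str) -> bool:
    """A VIB can be installed only if its level meets the host's level."""
    return RANK[new_level] >= RANK[host_level]


if __name__ == "__main__":
    vibs = parse_vibs(VIB_LIST)
    print("host acceptance level:", host_acceptance_level(vibs))
    print("blocks PartnerSupported:", blockers_for(vibs, "PartnerSupported"))
    print("secure boot violations:", secure_boot_violations(vibs))
```

In the sample, custom-tool alone drags the host to CommunitySupported and is the only VIB that secure boot would reject; removing it raises the host to PartnerSupported, and scsi-mpt3sas then becomes the blocker for anything higher.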
3 Verify the host's authenticity.
vCenter Server verifies the authenticity of the signed quote, infers the software versions, and determines the trustworthiness of those software versions. If vCenter Server determines that the signed quote is invalid, remote attestation fails and the host is not trusted.
To use a TPM 2.0 chip, your vCenter Server environment must meet these requirements:
• vCenter Server 6.7
• ESXi 6.7 host with TPM 2.
2 If the error message is Host secure boot was disabled, you must re-enable secure boot to resolve the problem.
3 For all other error messages, contact Customer Support.

ESXi Log Files
Log files are an important component of troubleshooting attacks and obtaining information about breaches. Logging to a secure, centralized log server helps prevent log tampering: an attacker who gains root on a host can edit or delete the local copies, but not the entries already shipped to the remote server. Remote logging also provides a long-term audit record.
5 To set up logging globally, select the setting to change and click Edit.
Option                       Description
Syslog.global.defaultRotate  Maximum number of archives to keep. You can set this number globally and for individual subloggers.
Syslog.global.defaultSize    Default size of the log, in KB, before the system rotates logs. You can set this number globally and for individual subloggers.
Syslog.global.LogDir         Directory where logs are stored. The directory can be on mounted NFS or VMFS volumes.
Component        Location             Purpose
Shell log        /var/log/shell.log   Contains a record of all commands typed into the ESXi Shell as well as shell events (for example, when the shell was enabled).
Authentication   /var/log/auth.log    Contains all events related to authentication for the local system.
System messages  /var/log/syslog.log  Contains all general log messages and can be used for troubleshooting. This information was formerly located in the messages log file.
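To show how the shell and authentication logs in the table above serve detection rather than only troubleshooting, here is an added example (not part of the VMware documentation) that runs detection logic over constructed shell.log and auth.log lines: it flags shell commands that weaken the host (opening a firewall rule set to all addresses, changing DCUI.Access or lockdown mode) and SSH sources that fail repeatedly, especially those that then succeed. The line formats and the command patterns are assumptions to adjust against the logs of your own hosts.

```python
"""Detection logic over ESXi shell.log and auth.log lines.

Added example, not part of the VMware documentation. The log lines below are
constructed to resemble ESXi's syslog-style format (timestamp, process,
message); real formats vary by version, so the regexes are assumptions."""
from __future__ import annotations
import re
from collections import Counter

SHELL_LOG = """\
2018-04-17T10:00:01Z shell[2001]: [root]: esxcli network firewall ruleset list
2018-04-17T10:00:15Z shell[2001]: [root]: esxcli network firewall ruleset set --ruleset-id=sshServer --allowed-all=true
2018-04-17T10:01:02Z shell[2001]: [root]: vim-cmd hostsvc/advopt/update DCUI.Access string root,svc-backup
2018-04-17T10:02:30Z shell[2001]: [root]: esxcli system settings advanced list -o /UserVars/SuppressShellWarning
"""

AUTH_LOG = """\
2018-04-17T09:58:00Z sshd[1500]: Failed password for root from 192.0.2.10 port 51000 ssh2
2018-04-17T09:58:03Z sshd[1501]: Failed password for root from 192.0.2.10 port 51001 ssh2
2018-04-17T09:58:07Z sshd[1502]: Failed password for root from 192.0.2.10 port 51002 ssh2
2018-04-17T09:58:20Z sshd[1503]: Accepted password for root from 192.0.2.10 port 51003 ssh2
2018-04-17T09:59:00Z sshd[1504]: Failed password for admin from 198.51.100.7 port 40000 ssh2
"""

SHELL_RE = re.compile(r"^(?P<ts>\S+) shell\[\d+\]: \[(?P<user>[^\]]+)\]: (?P<cmd>.*)$")
AUTH_RE = re.compile(r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+)")

# Command patterns worth alerting on; each is a regex over the shell command.
RISKY_COMMANDS = {
    "firewall opened to all IPs": re.compile(r"firewall ruleset set .*--allowed-all[= ]true"),
    "firewall ruleset disabled": re.compile(r"firewall ruleset set .*--enabled[= ]false"),
    "DCUI.Access changed": re.compile(r"DCUI\.Access"),
    "lockdown mode changed": re.compile(r"lockdown", re.IGNORECASE),
}


def risky_shell_commands(log: str) -> list[tuple[str, str, str]]:
    """(timestamp, user, reason) for each shell command matching a risky pattern."""
    hits = []
    for line in log.splitlines():
        m = SHELL_RE.match(line)
        if not m:
            continue
        for reason, pat in RISKY_COMMANDS.items():
            if pat.search(m["cmd"]):
                hits.append((m["ts"], m["user"], reason))
    return hits


def brute_force_sources(log: str, threshold: int = 3) -> dict[str, int]:
    """Source addresses with at least `threshold` failed SSH logins."""
    failures = Counter()
    for line in log.splitlines():
        m = AUTH_RE.match(line)
        if m and m["result"] == "Failed":
            failures[m["src"]] += 1
    return {src: n for src, n in failures.items() if n >= threshold}


def success_after_failures(log: str, threshold: int = 3) -> list[str]:
    """Sources that logged in successfully after `threshold` failures: the
    pattern that separates a guessed password from background noise."""
    failures = Counter()
    suspicious = []
    for line in log.splitlines():
        m = AUTH_RE.match(line)
        if not m:
            continue
        if m["result"] == "Failed":
            failures[m["src"]] += 1
        elif failures[m["src"]] >= threshold and m["src"] not in suspicious:
            suspicious.append(m["src"])
    return suspicious


if __name__ == "__main__":
    for hit in risky_shell_commands(SHELL_LOG):
        print("shell:", hit)
    print("brute force:", brute_force_sources(AUTH_LOG))
    print("success after failures:", success_after_failures(AUTH_LOG))
```

The shell.log check is the one that matters most on ESXi: a host where the shell was enabled, the firewall opened and DCUI.Access edited in the same minute is a host being prepared for persistent access, and only the remote copy of the log can be trusted to still show it.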
4 Securing vCenter Server Systems
Securing vCenter Server includes ensuring security of the host where vCenter Server is running, following best practices for assigning privileges and roles, and verifying the integrity of the clients that connect to vCenter Server.
• Make sure that applications use unique service accounts when connecting to a vCenter Server system.
Monitor Privileges of vCenter Server Administrator Users
Not all administrator users must have the Administrator role. Instead, create a custom role with the appropriate set of privileges and assign it to other administrators. Users with the vCenter Server Administrator role have privileges on all objects in the hierarchy.
Check Privileges After vCenter Server Restart
Check for privilege reassignment when you restart vCenter Server. If the user or group that has the Administrator role on the root folder cannot be validated during a restart, the role is removed from that user or group. In its place, vCenter Server grants the Administrator role to the vCenter Single Sign-On administrator, administrator@vsphere.local by default. This account can then act as the vCenter Server administrator.
Protecting the vCenter Server Windows Host
Protect the Windows host where vCenter Server is running against vulnerabilities and attacks by ensuring that the host environment is as secure as possible.
• Maintain a supported operating system, database, and hardware for the vCenter Server system. If vCenter Server is not running on a supported operating system, it might not run properly, making vCenter Server vulnerable to attacks.
• Keep the vCenter Server system properly patched.
Evaluate the Use of Linux Clients with CLIs and SDKs
Communications between client components and a vCenter Server system or ESXi hosts are protected by TLS (SSL) encryption by default. Linux versions of these components do not perform certificate validation, so an attacker on the network path can impersonate the server to them. Consider restricting the use of these clients. To improve security, you can replace the VMCA-signed certificates on the vCenter Server system and on the ESXi hosts with certificates that are signed by an enterprise or third-party CA.
3 Examine the list of client plug-ins.

vCenter Server Appliance Security Best Practices
Follow all best practices for securing a vCenter Server system to secure your vCenter Server Appliance. Additional steps help you make your appliance more secure.
Configure NTP
Ensure that all systems use the same relative time source. This time source must be in sync with an agreed-upon time standard such as Coordinated Universal Time (UTC).
vCenter Server Passwords
In vCenter Server, password requirements are dictated by vCenter Single Sign-On or by the configured identity source, which can be Active Directory or OpenLDAP.
vCenter Single Sign-On Lockout Behavior
Users are locked out after a preset number of consecutive failed attempts. By default, users are locked out after five consecutive failed attempts in three minutes, and a locked account is unlocked automatically after five minutes.
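The following added example (not VMware code) models the default lockout policy described above so that its sliding-window behaviour is explicit: five failures within three minutes lock the account for five minutes, a correct password during the lock is still refused, a success resets the count, and failures spread further apart than the window never accumulate. The timestamps and user names are constructed.

```python
"""Model of the default vCenter Single Sign-On lockout policy.

Added example, not VMware code. Five consecutive failures within 180 seconds
lock an account for 300 seconds; the policy is applied with a sliding window
so that the edge cases are visible in the return values."""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class LockoutPolicy:
    max_failures: int = 5
    window_seconds: int = 180
    unlock_seconds: int = 300


@dataclass
class AccountState:
    failures: list[float] = field(default_factory=list)  # timestamps inside the window
    locked_until: float | None = None


class LockoutTracker:
    def __init__(self, policy: LockoutPolicy | None = None) -> None:
        self.policy = policy or LockoutPolicy()
        self.accounts: dict[str, AccountState] = {}

    def is_locked(self, user: str, now: float) -> bool:
        st = self.accounts.get(user)
        if st is None or st.locked_until is None:
            return False
        if now >= st.locked_until:        # automatic unlock
            st.locked_until = None
            st.failures.clear()
            return False
        return True

    def attempt(self, user: str, now: float, success: bool) -> str:
        """Record one login attempt; returns 'locked', 'ok' or 'failed'."""
        st = self.accounts.setdefault(user, AccountState())
        if self.is_locked(user, now):
            return "locked"                # refused even with the right password
        if success:
            st.failures.clear()            # the run of consecutive failures ends
            return "ok"
        st.failures = [t for t in st.failures if now - t < self.policy.window_seconds]
        st.failures.append(now)
        if len(st.failures) >= self.policy.max_failures:
            st.locked_until = now + self.policy.unlock_seconds
            return "locked"
        return "failed"


def simulate(events: list[tuple[str, float, bool]]) -> list[str]:
    """Replay (user, timestamp, success) events through one tracker."""
    tracker = LockoutTracker()
    return [tracker.attempt(user, t, ok) for user, t, ok in events]


if __name__ == "__main__":
    burst = [("alice", t, False) for t in (0, 10, 20, 30, 40)]
    burst += [("alice", 50, True), ("alice", 400, True)]
    print(simulate(burst))          # the correct password at t=50 is still refused
```

The second edge case is the one attackers rely on: a guess every 60 seconds never accumulates five failures inside the three-minute window, so the default policy slows password spraying but does not stop it. Alerting on the failure count, as in the auth.log example earlier in this chapter, covers the gap.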
6 If any of your ESXi 5.5 or earlier hosts require manual validation, compare the thumbprints listed for the hosts to the thumbprints in the host console. To obtain the host thumbprint, use the Direct Console User Interface (DCUI).
a Log in to the direct console and press F2 to access the System Customization menu.
b Select View Support Information. The host thumbprint appears in the column on the right.
7 If the thumbprint matches, select the Verify check box next to the host.
Required Ports for vCenter Server and Platform Services Controller
The vCenter Server system, both on Windows and in the appliance, must be able to send data to every managed host and receive data from the vSphere Web Client and the Platform Services Controller services. To enable migration and provisioning activities between managed hosts, the source and destination hosts must be able to receive data from each other.
Table 4‑1. Ports Required for Communication Between Components (Continued)

Port 80 (TCP)
  Description: vCenter Server requires port 80 for direct HTTP connections. Port 80 redirects requests to HTTPS port 443. This redirection is useful if you accidentally use http://server instead of https://server. WS-Management (also requires port 443 to be open).
  Required for: Windows installations and appliance deployments of vCenter Server

Port 443 (TCP)
  Description: The default port that the vCenter Server system uses to listen for connections from the vSphere Web Client. To enable the vCenter Server system to receive data from the vSphere Web Client, open port 443 in the firewall.

Port 902 (TCP/UDP)
  Description: The default port that the vCenter Server system uses to send data to managed hosts. Managed hosts also send a regular heartbeat over UDP port 902 to the vCenter Server system. This port must not be blocked by firewalls between the server and the hosts or between hosts.

Port 2020 (TCP/UDP)
  Description: Authentication framework management.
  Required for: Windows installations and appliance deployments of vCenter Server
  Important You can change this port number during the vCenter Server and Platform Services Controller installations on Windows.

Port 5480 (TCP)
  Description: Appliance Management Interface. Open endpoint serving all HTTPS, XML-RPC and JSON-RPC requests over HTTPS.

Port 9084 (TCP)
  Description: vSphere Update Manager Web Server Port. The HTTP port used by ESXi hosts to access host patch files from the vSphere Update Manager server.
  Required for: Appliance deployments of vCenter Server
  Used for Node-to-Node Communication: No
Table 4‑2. vCenter Server TCP and UDP Ports (Continued)
Port                    Protocol  Description
15007, 15008            TCP       vService Manager (VSM). This service registers vCenter Server extensions. Open this port only if required by extensions that you intend to use.
31031, 44046 (Default)  TCP       vSphere Replication.
5355                    UDP       The systemd-resolve process uses this port to resolve domain names, IPv4 and IPv6 addresses, DNS resource records, and services.
The following ports are used only internally.
Table 4‑3. vCenter Server TCP and UDP Ports (Continued)
Port                Description
12080               License service internal port.
12346, 12347, 4298  Internal port for VMware Cloud Management SDKs (vAPI).
13080, 6070         Used internally by the Performance Charts service.
14080               Used internally by the syslog service.
15005, 15006        ESX Agent Manager internal port.
16666, 16667        Content Library ports.
18090               Content Manager internal port.
18091               Component Manager internal port.
5 Securing Virtual Machines
The guest operating system that runs in the virtual machine is subject to the same security risks as a physical system. Secure virtual machines just like physical machines, and follow the best practices discussed in this document and in the Hardening Guide.
For Linux virtual machines, VMware Host-Guest Filesystem is not supported in secure boot mode. Remove VMware Host-Guest Filesystem from VMware Tools before you enable secure boot.
Note If you turn on secure boot for a virtual machine, you can load only signed drivers into that virtual machine.
Prerequisites
You can enable secure boot only if all prerequisites are met. If prerequisites are not met, the check box is not visible in the vSphere Client.
The virtual machine configuration file (VMX file) limit is 1 MB by default. This capacity is usually sufficient, but you can change this value if necessary. For example, you might increase the limit if you store large amounts of custom information in the file.
Note Consider carefully how much information you require. If the amount of information exceeds datastore capacity, a DoS can result. The default limit of 1 MB is applied even when the tools.setInfo.
6 Click OK.
When you disable this feature, you cannot shrink virtual machine disks when a datastore runs out of space.

Virtual Machine Security Best Practices
Following virtual machine security best practices helps ensure the integrity of your vSphere deployment.
• General Virtual Machine Protection
A virtual machine is, in most respects, the equivalent of a physical server. Employ the same security measures in virtual machines that you do for physical systems.
Follow these best practices to protect your virtual machine:
Patches and other protection  Keep all security measures up-to-date, including applying appropriate patches. It is especially important to keep track of updates for dormant virtual machines that are powered off, because it is easy to overlook them. For example, ensure that anti-virus software, anti-spyware, intrusion detection, and other protection are enabled for every virtual machine in your virtual infrastructure.
What to do next
For more information about templates, see the vSphere Virtual Machine Administration documentation.

Minimize Use of the Virtual Machine Console
The virtual machine console provides the same function for a virtual machine that a monitor provides on a physical server. Users with access to the virtual machine console have access to virtual machine power management and removable device connectivity controls.
Disable Unnecessary Functions Inside Virtual Machines
Any service that is running in a virtual machine provides the potential for attack. By disabling system components that are not necessary to support the application or service that is running on the system, you reduce the potential. Virtual machines do not usually require as many services or functions as physical servers. When you virtualize a system, evaluate whether a particular service or function is necessary.
3 Disable hardware devices that are not required. Include checks for the following devices:
• Floppy drives
• Serial ports
• Parallel ports
• USB controllers
• CD-ROM drives

Disable Unused Display Features
Attackers can use an unused display feature as a vector for inserting malicious code into your environment. Disable features that are not in use in your environment.
Procedure
1 Log in to a vCenter Server system using the vSphere Web Client and find the virtual machine.
Procedure
1 Log in to a vCenter Server system using the vSphere Web Client and find the virtual machine.
a In the Navigator, select VMs and Templates.
b Find the virtual machine in the hierarchy.
2 Right-click the virtual machine and click Edit Settings.
3 Select VM Options.
4 Click Advanced and click Edit Configuration.
5 Set the following parameters to TRUE by adding or editing them.
• isolation.tools.unity.push.update.disable
• isolation.tools.ghi.launchmenu.
6 (Optional) Verify that the isolation.tools.hgfs.disable parameter is set to TRUE. A setting of TRUE disables the unused VMware Shared Folders feature for sharing host files to the virtual machine.

Disable Copy and Paste Operations Between Guest Operating System and Remote Console
Copy and paste operations between the guest operating system and remote console are disabled by default. For a secure environment, retain the default setting.
When copy and paste is enabled on a virtual machine running VMware Tools, you can copy and paste between the guest operating system and the remote console. When the console window gains focus, processes running in the virtual machine and non-privileged users can access the virtual machine console clipboard. If a user copies sensitive information to the clipboard before using the console, the user might expose sensitive data to the virtual machine.
Prevent a Virtual Machine User or Process From Disconnecting Devices
Users and processes without root or Administrator privileges within virtual machines can connect or disconnect devices, such as network adapters and CD-ROM drives, and can modify device settings. To increase virtual machine security, remove these devices. If you do not want to remove a device, you can change guest operating system settings to prevent virtual machine users or processes from changing the device status.
2 Right-click the virtual machine and click Edit Settings.
3 Select VM Options.
4 Click Advanced and click Edit Configuration.
5 Click Add Row and type the following values in the Name and Value columns.
Column  Value
Name    isolation.tools.setinfo.disable
Value   true
6 Click OK to close the Configuration Parameters dialog box, and click OK again.
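The isolation.tools.* parameters set in this and the preceding procedures, and the VMX file size limit from Limit Informational Messages From Virtual Machines to VMX Files, are easy to get wrong one dialog at a time. The following added example (not VMware code) parses a VMX file and audits it against the settings named on this page; the copy/paste, disk-shrink and device-connectivity keys it also checks come from VMware's standard hardening guidance rather than from this page and are marked as such in the code, and the sample VMX is constructed.

```python
"""Audit a virtual machine's VMX configuration against the isolation settings
recommended in this chapter.

Added example, not VMware code. It parses key = "value" lines from a
constructed VMX file. The isolation.tools.unity/hgfs/setinfo keys and the VMX
size limit are named on this page; the copy/paste, disk-shrink and device keys
come from VMware's standard hardening guidance and are marked as such."""
from __future__ import annotations
import re

RECOMMENDED = {
    "isolation.tools.unity.push.update.disable": "TRUE",
    "isolation.tools.hgfs.disable": "TRUE",
    "isolation.tools.setinfo.disable": "TRUE",
    "isolation.tools.copy.disable": "TRUE",            # hardening guidance, not this page
    "isolation.tools.paste.disable": "TRUE",           # hardening guidance, not this page
    "isolation.tools.diskShrink.disable": "TRUE",      # hardening guidance, not this page
    "isolation.tools.diskWiper.disable": "TRUE",       # hardening guidance, not this page
    "isolation.device.connectable.disable": "TRUE",    # hardening guidance, not this page
    "isolation.device.edit.disable": "TRUE",           # hardening guidance, not this page
}
SIZE_LIMIT_KEY = "tools.setInfo.sizeLimit"
DEFAULT_SIZE_LIMIT = 1048576   # the 1 MB default described in the text

# Constructed sample; not taken from a real VM.
SAMPLE_VMX = """\
.encoding = "UTF-8"
config.version = "8"
virtualHW.version = "14"
displayName = "web-01"
isolation.tools.unity.push.update.disable = "TRUE"
isolation.tools.hgfs.disable = "FALSE"
isolation.tools.copy.disable = "true"
isolation.device.connectable.disable = "TRUE"
tools.setInfo.sizeLimit = "4194304"
"""

VMX_LINE = re.compile(r'^\s*([\w.:\-]+)\s*=\s*"(.*)"\s*$')


def parse_vmx(text: str) -> dict[str, str]:
    """VMX keys are case-insensitive, so they are stored lower-cased."""
    settings = {}
    for line in text.splitlines():
        m = VMX_LINE.match(line)
        if m:
            settings[m.group(1).lower()] = m.group(2)
    return settings


def audit(settings: dict[str, str]) -> dict[str, str]:
    """Map each non-compliant key to the reason it was flagged."""
    problems = {}
    for key, want in RECOMMENDED.items():
        have = settings.get(key.lower())
        if have is None:
            problems[key] = "not set explicitly; add it so hardening does not rely on defaults"
        elif have.upper() != want:
            problems[key] = f'set to "{have}", expected {want}'
    limit = settings.get(SIZE_LIMIT_KEY.lower())
    if limit is not None and int(limit) > DEFAULT_SIZE_LIMIT:
        problems[SIZE_LIMIT_KEY] = f"{limit} bytes exceeds the 1 MB default; confirm the datastore can absorb it"
    return problems


def harden(settings: dict[str, str]) -> dict[str, str]:
    """Return a copy with every recommended key set: the rows to add under
    Edit Settings > VM Options > Advanced > Edit Configuration."""
    fixed = dict(settings)
    for key, want in RECOMMENDED.items():
        fixed[key.lower()] = want
    return fixed


if __name__ == "__main__":
    for key, why in audit(parse_vmx(SAMPLE_VMX)).items():
        print(f"{key}: {why}")
```

Run it over the .vmx files on a datastore (or over the output of the configuration parameters dialog pasted into a file) to find machines where a setting was typed as "False" or left out; the size-limit check only warns, because raising the limit is legitimate when the text's caveat about datastore capacity has been considered.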
6 Virtual Machine Encryption
Starting with vSphere 6.5, you can take advantage of virtual machine encryption. Encryption protects not only your virtual machine but also virtual machine disks and other files. You set up a trusted connection between vCenter Server and a key management server (KMS). vCenter Server can then retrieve keys from the KMS as needed. You manage different aspects of virtual machine encryption in different ways.
How vSphere Virtual Machine Encryption Protects Your Environment
With vSphere Virtual Machine Encryption, you can create encrypted virtual machines and encrypt existing virtual machines. Because all virtual machine files with sensitive information are encrypted, the virtual machine is protected. Only administrators with encryption privileges can perform encryption and decryption tasks.
What Keys Are Used
Two types of keys are used for encryption.
You can use the vSphere API to perform either a shallow recrypt operation with a new KEK or a deep recrypt operation with a new internal key.
Core dumps  Core dumps on an ESXi host that has encryption mode enabled are always encrypted. See vSphere Virtual Machine Encryption and Core Dumps.
Note Core dumps on the vCenter Server system are not encrypted. Be sure to protect access to the vCenter Server system.
Table 6‑1. Interfaces for Performing Cryptographic Operations
Interface                 Operations                                                                                                                         Information
vSphere Web Client        Create encrypted virtual machine; encrypt and decrypt virtual machines                                                            This book.
vSphere Web Services SDK  Create encrypted virtual machine; encrypt and decrypt virtual machines; perform a deep recrypt of a virtual machine (use a different DEK).
If your environment uses different KMS vendors in different environments, you can add a KMS cluster for each KMS and specify a default KMS cluster. The first cluster that you add becomes the default cluster. You can explicitly specify the default later.
As a KMIP client, vCenter Server uses the Key Management Interoperability Protocol (KMIP) to make it easy to use the KMS of your choice.
vCenter Server  Only vCenter Server has the credentials for logging in to the KMS.
Figure 6‑2. vSphere Virtual Encryption Architecture
[Figure: the third-party Key Management Server holds the managed VM keys; vCenter Server holds the managed VM key IDs; on ESXi, the managed VM keys protect the internal encryption keys of the encrypted VM.]
During the encryption process, different vSphere components interact as follows.
1 When the user performs an encryption task, for example, creating an encrypted virtual machine, vCenter Server requests a new key from the default KMS. This key will be used as the KEK.
Virtual Disk Encryption
When you create an encrypted virtual machine from the vSphere Web Client, all virtual disks are encrypted. You can later add disks and set their encryption policies. You cannot add an encrypted disk to a virtual machine that is not encrypted, and you cannot encrypt a disk if the virtual machine is not encrypted. Encryption for a virtual machine and its disks is controlled through storage policies.
vSphere Security Prerequisites and Required Privileges for Encryption Tasks Encryption tasks are possibly only in environments that include vCenter Server. In addition, the ESXi host must have encryption mode enabled for most encryption tasks. The user who performs the task must have the appropriate privileges. A set of Cryptographic Operations privileges allows fine-grained control. If virtual machine encryption tasks require a change to the host encryption mode, additional privileges are required.
vSphere Security Assume that a cluster has three ESXi hosts, host A, B, and C. You add an encrypted virtual machine to host A. What happens depends on several factors. n If hosts A, B, and C already have encryption enabled, you need only Cryptographic operations.Encrypt new privileges to create the virtual machine. n If hosts A and B are enabled for encryption and C is not enabled, the system proceeds as follows. n Assume that you have both the Cryptographic operations.
Encrypted vSphere vMotion States
For virtual machines that are not encrypted, you can set encrypted vSphere vMotion to one of the following states. The default is Opportunistic.
Disabled: Do not use encrypted vSphere vMotion.
Opportunistic: Use encrypted vSphere vMotion if source and destination hosts support it. Only ESXi versions 6.5 and later use encrypted vSphere vMotion.
Required: Allow only encrypted vSphere vMotion.

- Do not edit VMX files and VMDK descriptor files. These files contain the encryption bundle. It is possible that your changes make the virtual machine unrecoverable, and that the recovery problem cannot be fixed.
- The encryption process encrypts data on the host before it is written to storage. Backend storage features such as deduplication and compression might not be effective for encrypted virtual machines. Consider storage tradeoffs when using vSphere Virtual Machine Encryption.

- You are responsible for keeping track of keys and for performing remediation if keys for existing virtual machines are not in the Active state. The KMIP standard defines the following states for keys.
  - Pre-Active
  - Active
  - Deactivated
  - Compromised
  - Destroyed
  - Destroyed Compromised
vSphere Virtual Machine Encryption uses only Active keys for encryption. If a key is Pre-Active, vSphere Virtual Machine Encryption activates it.

Performance Best Practices
- Encryption performance depends on the CPU and storage speed.
- Encrypting existing virtual machines is more time consuming than encrypting a virtual machine during creation. Encrypt a virtual machine when you create it if possible.
Storage Policy Best Practices
Do not modify the bundled VM Encryption sample storage policy. Instead, clone the policy and edit the clone. Note: No automated way of returning VM Encryption Policy to its original settings exists.

- OVF Export is not supported for an encrypted virtual machine.
- Using the VMware Host Client to register an encrypted virtual machine is not supported.
Virtual Machine Locked State
If the virtual machine key or one or more of the virtual disk keys are missing, the virtual machine enters a locked state. In a locked state, you cannot perform virtual machine operations.
- When you encrypt both a virtual machine and its disks from the vSphere Client, the same key is used for both.

- Migration with vMotion of an encrypted virtual machine to a different vCenter Server instance. Encrypted migration with vMotion of an unencrypted virtual machine is supported.
- vSphere Replication
- Content Library
- Not all backup solutions that use VMware vSphere Storage API - Data Protection (VADP) for virtual disk backup are supported.
- VADP SAN backup solutions are not supported.
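The rules stated in this chapter for virtual disk encryption (a disk can be encrypted only if its VM is), for privileges (Cryptographic operations.Encrypt new, plus Cryptographic operations.Register host when a host is not yet in encryption mode) and for the locked state (VM key or any disk key missing) can be checked before a change is attempted. The following Python script is an added example, not VMware code and not part of this guide; it models those rules over constructed hosts, VMs and key IDs, so an operator can validate a planned change against the same constraints the platform enforces. The privilege names are the ones the text uses; every host, VM and key identifier is made up.

```python
"""Pre-flight checks for vSphere VM encryption tasks (added example, not VMware code).

Rules modelled from the chapter text:
  * a virtual disk can be encrypted only if its virtual machine (VM Home) is encrypted;
  * creating or encrypting a VM needs Cryptographic operations.Encrypt new, and if a
    host in the target cluster is not yet in encryption mode, also
    Cryptographic operations.Register host;
  * a VM whose VM key or any virtual disk key cannot be obtained is in the locked state.
All hosts, VMs and key IDs below are constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

ENCRYPT_NEW = "Cryptographic operations.Encrypt new"
REGISTER_HOST = "Cryptographic operations.Register host"


@dataclass
class Host:
    name: str
    encryption_mode_enabled: bool


@dataclass
class VirtualMachine:
    name: str
    vm_key_id: Optional[str]  # key protecting VM Home; None = VM is not encrypted
    disk_keys: Dict[str, Optional[str]] = field(default_factory=dict)  # disk -> key ID or None

    @property
    def home_encrypted(self) -> bool:
        return self.vm_key_id is not None


def required_privileges(cluster_hosts: List[Host]) -> Set[str]:
    """Privileges needed to create or encrypt a VM in this cluster."""
    needed = {ENCRYPT_NEW}
    # Encrypting the VM switches on encryption mode for any host that lacks it,
    # which additionally requires the Register host privilege.
    if any(not h.encryption_mode_enabled for h in cluster_hosts):
        needed.add(REGISTER_HOST)
    return needed


def missing_privileges(cluster_hosts: List[Host], user_privileges: Set[str]) -> Set[str]:
    """Privileges the user still lacks for the planned encryption task."""
    return required_privileges(cluster_hosts) - user_privileges


def can_encrypt_disk(vm: VirtualMachine, disk: str) -> Tuple[bool, str]:
    """A disk of an unencrypted VM cannot be encrypted; VM Home must go first."""
    if disk not in vm.disk_keys:
        return False, f"{vm.name}: no disk named {disk}"
    if not vm.home_encrypted:
        return False, f"{vm.name}: VM Home is not encrypted, encrypt the VM before {disk}"
    if vm.disk_keys[disk] is not None:
        return False, f"{vm.name}: {disk} is already encrypted"
    return True, f"{vm.name}: {disk} can be encrypted"


def is_locked(vm: VirtualMachine, available_keys: Set[str]) -> bool:
    """Locked state: the VM key or any disk key is missing from what the KMS supplies."""
    if not vm.home_encrypted:
        return False
    needed = {vm.vm_key_id} | {k for k in vm.disk_keys.values() if k is not None}
    return not needed.issubset(available_keys)


def audit(hosts: List[Host], vms: List[VirtualMachine],
          available_keys: Set[str], user_privileges: Set[str]) -> Dict[str, object]:
    """Summarise the checks for one cluster as plain data suitable for a report."""
    return {
        "missing_privileges": sorted(missing_privileges(hosts, user_privileges)),
        "locked_vms": sorted(vm.name for vm in vms if is_locked(vm, available_keys)),
        "disk_checks": {vm.name: can_encrypt_disk(vm, "disk-1")[0] for vm in vms},
    }


# Constructed sample inventory, mirroring the text: hosts A and B in encryption mode, C not.
SAMPLE_HOSTS = [Host("host-A", True), Host("host-B", True), Host("host-C", False)]
SAMPLE_VMS = [
    VirtualMachine("vm-encrypted", "key-0001", {"disk-1": "key-0001"}),
    VirtualMachine("vm-plain", None, {"disk-1": None}),
    VirtualMachine("vm-missing-key", "key-0002", {"disk-1": "key-9999"}),  # disk key absent from KMS
    VirtualMachine("vm-half", "key-0003", {"disk-1": None}),  # encrypted VM with a plain disk
]
SAMPLE_KMS_ACTIVE_KEYS = {"key-0001", "key-0002", "key-0003"}

if __name__ == "__main__":
    report = audit(SAMPLE_HOSTS, SAMPLE_VMS, SAMPLE_KMS_ACTIVE_KEYS, {ENCRYPT_NEW})
    for item, value in report.items():
        print(f"{item}: {value}")
```

With the sample data, the audit reports that the user holding only Encrypt new still needs Register host because host C is not in encryption mode, that vm-missing-key is locked because its disk key is not available, and that only vm-half has a disk that can be encrypted.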
Chapter 7 Use Encryption in Your vSphere Environment
Using encryption in your vSphere environment requires some preparation. After your environment is set up, you can create encrypted virtual machines and virtual disks and encrypt existing virtual machines and disks. You can perform additional tasks by using the API and by using the crypto-util CLI. See the vSphere Web Services SDK Programming Guide for API documentation and the crypto-util command-line help for details about that tool.

Set up the Key Management Server Cluster
Before you can start with virtual machine encryption tasks, you must set up the key management server (KMS) cluster. That task includes adding the KMS and establishing trust with the KMS. When you add a cluster, you are prompted to make it the default. You can explicitly change the default cluster. vCenter Server provisions keys from the default cluster. The KMS must support the Key Management Interoperability Protocol (KMIP) 1.1 standard.

Procedure
1 Log in to the vCenter Server system with the vSphere Client (HTML5-based client).
2 Browse the inventory list and select the vCenter Server instance.
3 Click Configure and click Key Management Servers.
4 Click Add, specify the KMS information in the wizard, and click OK.
5 Click Trust. The wizard displays that vCenter Server trusts the KMS with a green check mark.
6 Click Make KMS Trust vCenter.

- If your environment includes multiple KMS clusters, and you delete the default cluster, you must set the default explicitly. See Set the Default KMS Cluster.
Prerequisites
- Verify that the key server is in the vSphere Compatibility Matrixes and is KMIP 1.1 compliant, and that it can be a symmetric key foundry and server.
- Verify that you have the required privileges: Cryptographic operations.Manage key servers.
- You can configure the KMS with IPv6 addresses.

Procedure
1 Log in to the vSphere Web Client, and select a vCenter Server system.
2 Click Configure and select Key Management Servers.
3 Select the KMS instance with which you want to establish a trusted connection.
4 Click Establish trust with KMS.
5 Select the option appropriate for your server and complete the steps.
Option: Root CA certificate. See: Use the Root CA Certificate Option to Establish a Trusted Connection.
What to do next
Finalize the certificate exchange. See Complete the Trust Setup.
Use the Certificate Option to Establish a Trusted Connection
Some KMS vendors such as Vormetric require that you upload the vCenter Server certificate to the KMS. After the upload, the KMS accepts traffic that comes from a system with that certificate. vCenter Server generates a certificate to protect connections with the KMS.

5 In the dialog box, copy the full certificate in the text box to the clipboard or download it as a file, and click OK. Use the Generate new CSR button in the dialog box only if you explicitly want to generate a CSR. Using that option makes any signed certificates that are based on the old CSR invalid.
6 Follow the instructions from your KMS vendor to submit the CSR.

Prerequisites
As a best practice, verify that the Connection Status in the Key Management Servers tab shows Normal and a green check mark.
Procedure
1 Log in to the vSphere Web Client and select a vCenter Server system.
2 Click the Configure tab and click Key Management Servers under More.
3 Select the cluster and click Set KMS cluster as default. Do not select the server. The menu to set the default is available only for the cluster.
4 Click Yes.

Set up Separate KMS Clusters for Different Users
You can set up your environment with different KMS connections for different users of the same KMS instance. Having multiple KMS connections is helpful, for example, if you want to grant different departments in your company access to different sets of KMS keys. Using multiple KMS clusters allows you to use the same KMS to segregate keys. Having separate sets of keys is essential for use cases like different BUs or different customers.

Prerequisites
- Set up the connection to the KMS. Although you can create a VM Encryption storage policy without the KMS connection in place, you cannot perform encryption tasks until a trusted connection with the KMS server is established.
- Required privileges: Cryptographic operations.Manage encryption policies.
Procedure
1 Log in to the vCenter Server by using the vSphere Web Client.
2 Select Home, click Policies and Profiles, and click VM Storage Policies.

4 Under System, click Security Profile.
5 Scroll down to Host Encryption Mode and click Edit.
6 Select Enabled and click OK.
Disable Host Encryption Mode
Host encryption mode is enabled automatically when you perform an encryption task. After host encryption mode is enabled, all core dumps are encrypted to avoid the release of sensitive information to support personnel. If you no longer use virtual machine encryption with an ESXi host, you can disable encryption mode.

2 Select an object in the inventory that is a valid parent object of a virtual machine, for example, an ESXi host or a cluster.
3 Create the virtual machine.
  - vSphere Client: Right-click the object and select New Virtual Machine.
  - vSphere Web Client: Right-click the object, select New Virtual Machine > New Virtual Machine.
4 Follow the prompts to create an encrypted virtual machine.
Option: Select a creation type. Action: Create a new virtual machine.

Procedure
1 Connect to vCenter Server by using either the vSphere Client (HTML5-based client) or the vSphere Web Client.
2 Select an object in the inventory that is a valid parent object of a virtual machine, for example, an ESXi host or a cluster.
3 To create a clone of an encrypted machine, right-click the virtual machine, and follow the prompts.
4 Option: Select a name and folder. Action: Specify a name and target location for the clone.

- Verify that you have the required privileges:
  - Cryptographic operations.Encrypt new
  - If the host encryption mode is not Enabled, you also need Cryptographic operations.Register host.
Procedure
1 Connect to vCenter Server by using either the vSphere Client (HTML5-based client) or the vSphere Web Client.
2 Right-click the virtual machine that you want to change and select VM Policies > Edit VM Storage Policies.
All encrypted virtual machines require encrypted vMotion. During virtual machine decryption, the Encrypted vMotion setting remains. To change this setting so that Encrypted vMotion is no longer used, change the setting explicitly. This task explains how to perform decryption using storage policies. For virtual disks, you can also perform decryption using the Edit Settings menu.
Prerequisites
- The virtual machine must be encrypted.

  d To decrypt a virtual disk but not the virtual machine, deselect the disk.
  e Click OK.
5 (Optional) You can change the Encrypted vMotion setting.
  a Right-click the virtual machine and click Edit Settings.
  b Click VM Options, and open Encryption.
  c Set the Encrypted vMotion value.
Change the Encryption Policy for Virtual Disks
When you create an encrypted virtual machine from the vSphere Web Client, any virtual disks that you add during virtual machine creation are encrypted.

- To encrypt the VM but not the virtual disks, select the encryption storage policy for VM Home and other storage policies for the virtual disks, and click Apply. You cannot encrypt the virtual disk of an unencrypted VM.
4 If you prefer, you can change the storage policy from the Edit Settings menu.
  a Right-click the virtual machine and select Edit Settings.
  b Select the Virtual Hardware tab, expand a hard disk, and choose an encryption policy from the drop-down menu.
  c Click OK.

After each reboot, an ESXi host must be able to reach vCenter Server. vCenter Server requests the key with the corresponding ID from the KMS and makes it available to ESXi. If, after restoring connection to the KMS cluster, the virtual machine remains locked, see Unlock Locked Virtual Machines.
2 If the connection is restored, register the virtual machine. If an error results when you attempt to register the virtual machine, verify that you have the Cryptographic operations.

Unlock Locked Virtual Machines
A vCenter Server alarm notifies you when an encrypted virtual machine is in a locked state. You can unlock a locked encrypted virtual machine by using the vSphere Client (HTML5-based client) after taking the necessary steps to make the required keys available on the KMS.
Prerequisites
- Verify that you have the required privileges: Cryptographic operations.RegisterVM
- Other privileges might be required for optional tasks such as enabling host encryption.

Procedure
1 If the problem is the connection between the vCenter Server system and the KMS cluster, an alarm is generated and the following message appears in the event log: Host requires encryption mode enabled and the KMS cluster is not available. You must manually check for the keys in the KMS cluster, and restore the connection to the KMS cluster.

6 Click Yes.
Set Key Management Server Certificate Expiration Threshold
By default, vCenter Server notifies you 30 days before your Key Management Server (KMS) certificates expire. You can change this default value. KMS certificates have an expiration date. When the threshold for the expiration date is reached, an alarm notifies you. vCenter Server and KMS clusters exchange two types of certificates: server and client.
Table 7‑1. Core Dump Encryption Keys

Core Dump Type                   Encryption Key (ESXi 6.5)   Encryption Key (ESXi 6.7 and Later)
ESXi Kernel                      Host Key                    Host Key
User World (hostd)               Host Key                    Host Key
Encrypted Virtual Machine (VM)   Host Key                    Virtual Machine Key

What you can do after an ESXi host reboot depends on several factors.
- In most cases, vCenter Server retrieves the key for the host from the KMS and attempts to push the key to the ESXi host after reboot.

Prerequisites
Inform your support representative that host encryption mode is enabled for the ESXi host. Your support representative might ask you to decrypt core dumps and extract relevant information. Note: Core dumps can contain sensitive information. Follow your organization's security and privacy policy to protect sensitive information such as host keys.
Procedure
1 Log in to the vCenter Server system with the vSphere Web Client.

  e Provide the password that you specified when you created the vm-support package.
  f Remove the encrypted core dumps, and compress the package again.
    vm-support --reconstruct
8 Remove any files that contain confidential information.
Exporting Host Support Bundles With Passwords (http://link.brightcove.

3 Decrypt the core dump, depending on its type.
Option: Monitor core dump zdump file. Description: crypto-util envelope extract vmmcores.
Chapter 8 Securing Virtual Machines with Virtual Trusted Platform Module
The Virtual Trusted Platform Module (vTPM) feature lets you add a TPM 2.0 virtual cryptoprocessor to a virtual machine.
Virtual Trusted Platform Module Overview
vTPMs perform cryptographic coprocessor capabilities in software. When added to a virtual machine, a vTPM enables the guest operating system to create and store keys that are private. These keys are not exposed to the guest operating system itself.

Requirements for vTPM
To use a vTPM, your vSphere environment must meet these requirements:
- Virtual machine requirements:
  - EFI firmware
  - Hardware version 14
- Component requirements:
  - vCenter Server 6.7.
  - Virtual machine encryption (to encrypt the virtual machine home files).
  - Key Management Server (KMS) configured for vCenter Server (virtual machine encryption depends on KMS). See Set up the Key Management Server Cluster.

Add a Virtual Trusted Platform Module to a Virtual Machine
You can add a Virtual Trusted Platform Module (vTPM) to a virtual machine to provide enhanced security to the guest operating system. You must set up the KMS before you can add a vTPM. You can enable a vTPM for virtual machines running on vSphere 6.7 and later. The VMware virtual TPM is compatible with TPM 2.0 and creates a TPM-enabled virtual chip for use by the virtual machine and the guest OS it hosts.

Enable Virtual Trusted Platform Module for an Existing Virtual Machine
You can add a Virtual Trusted Platform Module (vTPM) to an existing virtual machine to provide enhanced security to the guest operating system. You must set up the KMS before you can add a vTPM. You can enable a vTPM for virtual machines running on vSphere 6.7 and later. The VMware virtual TPM is compatible with TPM 2.0, and creates a TPM-enabled virtual chip for use by the virtual machine and the guest OS it hosts.

3 In the Edit Settings dialog box, locate the Trusted Platform Module entry in the Virtual Hardware tab.
4 Move your cursor over the device and click the Remove icon. This icon appears only for virtual hardware that you can safely remove.
5 Click Delete to confirm you want to remove the device. The vTPM device is marked for removal.
6 Click OK. Verify that the Virtual Trusted Platform Module entry no longer appears in the virtual machine Summary tab in the VM Hardware pane.

Prerequisites
You must have a vTPM-enabled virtual machine in your environment.
Procedure
1 Connect to vCenter Server by using the vSphere Client.
2 Select an object in the inventory that is a valid parent object of a virtual machine, for example, an ESXi host or a cluster.
3 Select the vTPM-enabled virtual machine whose certificate information you want to view.
4 Click the Configure tab.
5 Under TPM, select Certificates.
6 Select the certificate to view its information.

8 Get a certificate issued by a third-party certificate authority (CA) against the certificate signing request (CSR) you exported. You can use any test CA that you might have in your IT environment.
9 When you have the new certificate, replace the existing certificate.
  a Right-click the virtual machine in the inventory whose certificate you want to replace and select Edit Settings.
  b In the Edit Settings dialog box, expand Trusted Platform Module. The certificates appear.
Chapter 9 Securing Windows Guest Operating Systems with Virtualization-based Security
Starting with vSphere 6.7, you can enable Microsoft virtualization-based security (VBS) on supported Windows guest operating systems.
About Virtualization-based Security
Microsoft VBS, a feature of Windows 10 and Windows Server 2016 operating systems, uses hardware and software virtualization to enhance system security by creating an isolated, hypervisor-restricted, specialized subsystem.

Avoid problems by following these best practices.
VBS Hardware
Use the following Intel hardware for VBS:
- Haswell CPU or later. For best performance, use the Skylake-EP CPU or later.
- The Ivybridge CPU is acceptable.
- The Sandybridge CPU might cause some slow performance.
Not all VBS functionality is available on AMD CPUs. For more information, see the VMware KB article https://kb.vmware.com/s/article/53003.
Windows Guest OS Compatibility
In vSphere 6.

Prerequisites
Intel hosts are recommended. See Virtualization-based Security Best Practices for acceptable CPUs. Create a virtual machine that uses hardware version 14 or later and one of the following supported guest operating systems:
- Windows 10 (64 bit)
- Windows Server 2016 (64 bit)
Procedure
1 Connect to vCenter Server by using the vSphere Client.
2 Select an object in the inventory that is a valid parent object of a virtual machine, for example, an ESXi host or a cluster.

Enabling VBS is a process that involves first enabling VBS in the virtual machine, then enabling VBS in the guest OS. Note: New virtual machines configured for Windows 10 and Windows Server 2016 on hardware versions less than version 14 are created using Legacy BIOS by default. If you change the virtual machine's firmware type from Legacy BIOS to UEFI, you must reinstall the guest operating system.
Prerequisites
Intel hosts are recommended.

Procedure
1 In Microsoft Windows, edit the group policy to turn on VBS and choose other VBS-related security options.
2 (Optional) For Microsoft Windows versions less than Redstone 4, in the Windows Features control panel, enable the Hyper-V platform.
3 Reboot the guest operating system.
Disable Virtualization-based Security
If you no longer use virtualization-based security (VBS) with a virtual machine, you can disable VBS.

4 In the list of virtual machines, click the down arrow in a column header to show/hide columns, and select the VBS check box. The VBS column appears.
5 Scan for Present in the VBS column.
Chapter 10 Securing vSphere Networking
Securing vSphere Networking is an essential part of protecting your environment. You secure different vSphere components in different ways. See the vSphere Networking documentation for detailed information about networking in the vSphere environment.

Host-based firewalls can slow performance. Balance your security needs against performance goals before you install host-based firewalls on VMs elsewhere in the virtual network. See Securing the Network With Firewalls.
Segmentation
Keep different virtual machine zones within a host on different network segments. If you isolate each virtual machine zone on its own network segment, you minimize the risk of data leakage from one zone to the next.

Firewalls control access to devices within their perimeter by closing all ports except for ports that the administrator explicitly or implicitly designates as authorized. The ports that administrators open allow traffic between devices on different sides of the firewall. Important: The ESXi firewall in ESXi 5.5 and later does not allow per-network filtering of vMotion traffic.

- If your users access virtual machines through a Web browser, between the Web browser and the ESXi host.
- If your users access virtual machines through the vSphere Web Client, between the vSphere Web Client and the ESXi host. This connection is in addition to the connection between the vSphere Web Client and vCenter Server, and it requires a different port.
- Between vCenter Server and the ESXi hosts.
- Between the ESXi hosts in your network.

The firewall requirements for standalone hosts are similar to requirements when a vCenter Server is present.
- Use a firewall to protect your ESXi layer or, depending on your configuration, your clients, and the ESXi layer. This firewall provides basic protection for your network.
- Licensing in this type of configuration is part of the ESXi package that you install on each of the hosts. Because licensing is resident to ESXi, a separate License Server with a firewall is not required.

The VMware Host Client uses port 902 to provide a connection for guest operating system MKS activities on virtual machines. It is through this port that users interact with the guest operating systems and applications of the virtual machine. VMware does not support configuring a different port for this function.
Secure the Physical Switch
Secure the physical switch on each ESXi host to prevent attackers from gaining access to the host and its virtual machines.

The security policy determines how strongly you enforce protection against impersonation and interception attacks on VMs. To correctly use the settings in the security profile, see the Security Policy section in the vSphere Networking publication. This section explains:
- How VM network adapters control transmissions.
MAC Address Changes
The security policy of a virtual switch includes a MAC address changes option. This option affects traffic that a virtual machine receives. When the MAC address changes option is set to Accept, ESXi accepts requests to change the effective MAC address to a different address than the initial MAC address.

Although promiscuous mode can be useful for tracking network activity, it is an insecure mode of operation, because any adapter in promiscuous mode has access to the packets even if some of the packets are received only by a particular network adapter. This means that an administrator or root user within a virtual machine can potentially view traffic destined for other guest or host operating systems.

VMware standard switches drop any double-encapsulated frames that a virtual machine attempts to send on a port configured for a specific VLAN. Therefore, they are not vulnerable to this type of attack.
Multicast brute-force attacks: Involve sending large numbers of multicast frames to a known VLAN almost simultaneously to overload the switch so that it mistakenly allows some of the frames to broadcast to other VLANs.
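The port security behaviour described above (MAC address changes and promiscuous mode on the receive side, the forged-transmit check on the send side, and the drop of double-encapsulated 802.1Q frames on a port configured for a specific VLAN) can be made concrete on real frame bytes. The following Python script is an added example, not VMware code and not the virtual switch implementation; it parses Ethernet II frames with stacked 802.1Q tags and applies those policy options the way the chapter describes them, so a defender can reason about which frames a port will pass. It also covers the forged-transmits option, which is the third setting of the standard vSphere port security policy. All MAC addresses, VLAN IDs and frames are constructed sample data.

```python
"""Virtual switch port security checks on sample Ethernet frames (added example, not VMware code).

Parses an Ethernet II frame with optional 802.1Q tags and applies the vSphere
virtual switch security policy options: MAC address changes and promiscuous
mode (receive side), forged transmits (send side), and the drop of
double-encapsulated frames on a port configured for a specific VLAN.
All MACs, VLAN IDs and frames are constructed sample data.
"""
import struct
from dataclasses import dataclass
from typing import List, Tuple

TPID_8021Q = 0x8100
BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Frame:
    dst: str
    src: str
    vlan_tags: List[int]  # outermost first; two or more tags = double encapsulation
    ethertype: int
    payload: bytes


def mac_to_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def build_frame(dst: str, src: str, vlan_tags: List[int],
                ethertype: int = 0x0800, payload: bytes = b"\x00" * 46) -> bytes:
    """Construct a raw Ethernet II frame, inserting one 802.1Q tag per VLAN ID."""
    raw = mac_to_bytes(dst) + mac_to_bytes(src)
    for vid in vlan_tags:
        raw += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)  # PCP/DEI bits left at 0
    return raw + struct.pack("!H", ethertype) + payload


def parse_frame(raw: bytes) -> Frame:
    """Parse destination, source, all stacked 802.1Q tags, EtherType and payload."""
    if len(raw) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = raw[0:6].hex(":"), raw[6:12].hex(":")
    offset, tags = 12, []
    while True:
        if len(raw) < offset + 2:
            raise ValueError("truncated frame")
        (etype,) = struct.unpack("!H", raw[offset:offset + 2])
        if etype != TPID_8021Q:
            break
        if len(raw) < offset + 4:
            raise ValueError("truncated 802.1Q tag")
        (tci,) = struct.unpack("!H", raw[offset + 2:offset + 4])
        tags.append(tci & 0x0FFF)
        offset += 4
    return Frame(dst, src, tags, etype, raw[offset + 2:])


@dataclass
class Port:
    initial_mac: str           # MAC assigned in the VM's configuration
    effective_mac: str         # MAC the guest currently uses
    vlan_id: int               # port group VLAN: 0 = none, 1..4094 = specific VLAN, 4095 = trunk
    mac_address_changes: bool  # True = Accept, False = Reject
    forged_transmits: bool
    promiscuous_mode: bool


def request_mac_change(port: Port, new_mac: str) -> bool:
    """Guest asks to use a different MAC; honoured only when MAC address changes is Accept."""
    if port.mac_address_changes:
        port.effective_mac = new_mac
        return True
    return False


def check_transmit(port: Port, frame: Frame) -> Tuple[bool, str]:
    """Outbound policy: forged-transmit check, then VLAN handling."""
    if frame.src != port.effective_mac and not port.forged_transmits:
        return False, "dropped: source MAC differs from effective MAC (forged transmit)"
    if 0 < port.vlan_id < 4095 and frame.vlan_tags:
        # The switch tags egress with the port VLAN, so a guest-tagged frame would
        # leave double-encapsulated; standard switches drop it on such a port.
        return False, "dropped: tagged frame on a port configured for a specific VLAN"
    if len(frame.vlan_tags) > 1:
        return False, "dropped: double-encapsulated (802.1Q-in-802.1Q) frame"
    return True, "forwarded"


def check_receive(port: Port, frame: Frame) -> Tuple[bool, str]:
    """Inbound policy: MAC address change enforcement, then destination filtering."""
    if port.effective_mac != port.initial_mac and not port.mac_address_changes:
        return False, "dropped: effective MAC differs from initial MAC and changes are rejected"
    is_group = frame.dst == BROADCAST or bool(int(frame.dst[:2], 16) & 1)
    if frame.dst == port.effective_mac or is_group:
        return True, "delivered"
    if port.promiscuous_mode:
        return True, "delivered: promiscuous mode accepts traffic for other MACs"
    return False, "dropped: not addressed to this port"


# Constructed sample port (all three options Reject) and frames.
VM_MAC = "00:50:56:aa:bb:01"
OTHER_MAC = "00:50:56:aa:bb:02"
PORT = Port(VM_MAC, VM_MAC, 10, False, False, False)
SAMPLE_FRAMES = {
    "normal": build_frame(OTHER_MAC, VM_MAC, []),
    "spoofed_src": build_frame(OTHER_MAC, "00:50:56:aa:bb:03", []),
    "guest_tagged": build_frame(OTHER_MAC, VM_MAC, [20]),
    "double_tagged": build_frame(OTHER_MAC, VM_MAC, [10, 20]),
}
```

With every option set to Reject, only the untagged frame carrying the VM's own source MAC is forwarded; the spoofed, guest-tagged and double-tagged frames are dropped, and inbound frames addressed to another MAC are delivered only when promiscuous mode is set to Accept.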
3 If you are using VLAN tagging on a dvPortgroup, VLAN IDs must correspond to the IDs on external VLAN-aware upstream switches. If VLAN IDs are not tracked correctly, mistaken reuse of IDs might allow unintended traffic. Similarly, wrong or missing VLAN IDs might lead to traffic not passing between physical and virtual machines.
4 Ensure that no unused ports exist on a virtual port group associated with a vSphere Distributed Switch.
5 Label all vSphere Distributed Switches.

VLANs let you segment a physical network so that two machines in the network are unable to transmit packets back and forth unless they are part of the same VLAN. For example, accounting records and transactions are among a company’s most sensitive internal information. In a company whose sales, shipping, and accounting employees all use virtual machines in the same physical network, you might protect the virtual machines for the accounting department by setting up VLANs.
Figure 10‑1. (figure)

ESXi features a complete IEEE 802.1q-compliant VLAN implementation. VMware cannot make specific recommendations on how to set up VLANs, but there are factors to consider when using a VLAN deployment as part of your security enforcement policy.
Secure VLANs
Administrators have several options for securing the VLANs in their vSphere environment.

Figure 10‑2. (figure)

Because Virtual Machine 1 does not share a virtual switch or physical network adapter with any virtual machines in the host, the other resident virtual machines cannot transmit packets to or receive packets from the Virtual Machine 1 network. This restriction prevents sniffing attacks, which require sending network traffic to the victim. More importantly, an attacker cannot use the natural vulnerability of FTP to access any of the host’s other virtual machines.

The company enforces isolation among the virtual machine groups by using multiple internal and external networks and making sure that the virtual switches and physical network adapters for each group are completely separate from those of other groups. Because none of the virtual switches straddle virtual machine zones, the system administrator succeeds in eliminating the risk of packet leakage from one zone to another.
ESXi displays a list of all available security associations.
Add an IPsec Security Association
Add a security association to specify encryption parameters for associated IP traffic. You can add a security association using the esxcli vSphere CLI command.
Procedure
- At the command prompt, enter the command esxcli network ip ipsec sa add with one or more of the following options.
Option: --sa-source= source address. Description: Required. Specify the source address.

Remove an IPsec Security Association
You can remove a security association using the ESXCLI vSphere CLI command.
Prerequisites
Verify that the security association you want to use is not currently in use. If you try to remove a security association that is in use, the removal operation fails.

Option: --upper-layer-protocol= protocol. Description: Specify the upper layer protocol using one of the following parameters.
  - tcp
  - udp
  - icmp6
  - any
Option: --flow-direction= direction. Description: Specify the direction in which you want to monitor traffic using either in or out.
Option: --action= action. Description: Specify the action to take when traffic with the specified parameters is encountered using one of the following parameters.
  - none: Take no action
  - discard: Do not allow data in or out.

Procedure
- At the command prompt, enter the command esxcli network ip ipsec sp remove --sa-name security policy name. To remove all security policies, enter the command esxcli network ip ipsec sp remove --remove-all.
Ensure Proper SNMP Configuration
If SNMP is not properly configured, monitoring information can be sent to a malicious host. The malicious host can then use this information to plan an attack. SNMP must be configured on each ESXi host.
- Ensure that only authorized administrators have access to virtual networking components by using role-based access controls. For example, give virtual machine administrators access only to port groups in which their virtual machines reside. Give network administrators access to all virtual networking components but no access to virtual machines.

Labeling Networking Components
Identifying the different components of your networking architecture is critical and helps ensure that no errors are introduced as your network grows. Follow these best practices:
- Ensure that port groups are configured with a clear network label. These labels serve as a functional descriptor for the port group and help you identify each port group's function as the network becomes more complex.

4 Verify that VLAN trunk links are connected only to physical switch ports that function as trunk links. When connecting a virtual switch to a VLAN trunk port, you must properly configure both the virtual switch and the physical switch at the uplink port. If the physical switch is not properly configured, frames with the VLAN 802.1q header are forwarded to a switch that is not expecting their arrival.

Isolate vMotion Traffic
vMotion migration information is transmitted in plain text. Anyone with access to the network over which this information flows can view it. Potential attackers can intercept vMotion traffic to obtain the memory contents of a VM. They might also stage a MiTM attack in which the contents are modified during migration. Separate vMotion traffic from production traffic on an isolated network.
Best Practices Involving Multiple vSphere Components 11 Some security best practices, such as setting up NTP in your environment, affect more than one vSphere component. Consider these recommendations when configuring your environment. See Chapter 3 Securing ESXi Hosts and Chapter 5 Securing Virtual Machines for related information.
vSphere Security This task explains how to set up NTP from the VMware Host Client. You can instead use the vicfg-ntp vCLI command. See the vSphere Command-Line Interface Reference. Procedure 1 Start the VMware Host Client, and connect to the ESXi host. 2 Click Configure. 3 Under System, click Time Configuration, and click Edit. 4 Select Use Network Time Protocol (Enable NTP client).
vSphere Security 2 Run the command to enable VMware Tools time synchronization. timesync.set --mode host 3 (Optional) Run the command to verify that you successfully applied the VMware Tools time synchronization. timesync.get The command returns that the time synchronization is in host mode. The time of the appliance is synchronized with the time of the ESXi host.
vSphere Security 4 (Optional) Run the command to verify that you successfully applied the new NTP configuration settings. ntp.get The command returns a space-separated list of the servers configured for NTP synchronization. If the NTP synchronization is enabled, the command returns that the NTP configuration is in Up status. If the NTP synchronization is disabled, the command returns that the NTP configuration is in Down status.
Securing iSCSI Storage
The storage you configure for a host might include one or more storage area networks (SANs) that use iSCSI. When you configure iSCSI on a host, you can take measures to minimize security risks. iSCSI carries SCSI commands and data over TCP/IP through a network port rather than over a direct connection to a SCSI device, so the storage traffic is exposed to whatever can reach that network.
Take additional measures to prevent attackers from easily seeing iSCSI data. Neither the hardware iSCSI adapter nor the ESXi iSCSI initiator encrypts the data that they transmit to and from the targets, which leaves the data vulnerable to sniffing. Allowing your virtual machines to share standard switches and VLANs with your iSCSI configuration potentially exposes iSCSI traffic to misuse by an attacker who controls a virtual machine.
The RPCSEC_GSS Kerberos mechanism is an authentication service. It allows an NFS 4.1 client installed on ESXi to prove its identity to an NFS server before mounting an NFS share. Kerberos uses cryptography to work across an insecure network connection. The ESXi implementation of Kerberos for NFS 4.1 provides two security models, krb5 and krb5i, that offer different levels of security.
- Kerberos for authentication only (krb5) supports identity verification.
Verify That Sending Host Performance Data to Guests Is Disabled
vSphere includes virtual machine performance counters on Windows operating systems where VMware Tools is installed. Performance counters allow virtual machine owners to do accurate performance analysis within the guest operating system. By default, vSphere does not expose host information to the guest: the capability to send host performance data to a virtual machine is disabled.
ESXi Shell Timeout
For the ESXi Shell, you can set the following timeouts from the vSphere Web Client and from the Direct Console User Interface (DCUI).
Availability Timeout: The availability timeout setting is the amount of time that can elapse before you must log in after the ESXi Shell is enabled. After the timeout period, the service is disabled and users cannot log in.
12 Managing TLS Protocol Configuration with the TLS Configurator Utility
Starting with vSphere 6.7, only TLS 1.2 is enabled by default. TLS 1.0 and TLS 1.1 are disabled by default. Whether you do a fresh install, upgrade, or migration, vSphere 6.7 disables TLS 1.0 and TLS 1.1. You can use the TLS Configurator utility to enable older versions of the protocol temporarily on vSphere 6.7 systems. You can then disable the older, less secure versions after all connections use TLS 1.2.
Table 12‑1. vCenter Server and Platform Services Controller Services Affected by the TLS Configurator Utility
Service | Windows-based vCenter Server | vCenter Server Virtual Appliance | Port
VMware HTTP Reverse Proxy | rhttpproxy | vmware-rhttpproxy | 443
VMware vCenter Server Service | vpxd | vmware-vpxd | 443
VMware Directory Service | VMWareDirectoryService | vmdird | 636
VMware Syslog Collector | vmwaresyslogcollector | rsyslogd (*) | 1514
VMware Appliance Management Interface | N.A. |
- You cannot use a TLS 1.2 only connection to an external Oracle database. See VMware Knowledge Base article 2149745.
- Do not disable TLS 1.0 on a vCenter Server or Platform Services Controller instance that is running on Windows Server 2008. Windows 2008 supports only TLS 1.0. See the Microsoft TechNet Article TLS/SSL Settings in the Server Roles and Technologies Guide.
- If you change the TLS protocols, you must restart the ESXi host to apply the changes.
OS | Backup Directory
Windows | c:\users\current_user\appdata\local\temp\yearmonthdayTtime
Linux | /tmp/yearmonthdayTtime
Procedure
1 Change directory to VcTlsReconfigurator.
OS | Command
Windows | cd %VMWARE_CIS_HOME%\TlsReconfigurator\VcTlsReconfigurator
Linux | cd /usr/lib/vmware-TlsReconfigurator/VcTlsReconfigurator
2 To make a backup to a specific directory, run the following command.
OS | Command
Windows | directory_path\VcTlsReconfigurator> reconfigureVc backup -d backup_directory
Enable or Disable TLS Versions on vCenter Server Systems
You can use the TLS Configuration utility to enable or disable TLS versions on vCenter Server systems with an external Platform Services Controller and on vCenter Server systems with an embedded Platform Services Controller. As part of the process, you can disable TLS 1.0, and enable TLS 1.1 and TLS 1.2. Or, you can disable TLS 1.0 and TLS 1.1, and enable only TLS 1.2.
4 If your environment includes other vCenter Server systems, repeat the process on each vCenter Server system.
5 Repeat the configuration on each ESXi host and each Platform Services Controller.
Enable or Disable TLS Versions on ESXi Hosts
You can use the TLS Configuration utility to enable or disable TLS versions on an ESXi host. As part of the process, you can disable TLS 1.0, and enable TLS 1.1 and TLS 1.2. Or, you can disable TLS 1.0 and TLS 1.1, and enable only TLS 1.2.
3 On a host that is part of a cluster, run one of the following commands.
- To disable TLS 1.0 and enable both TLS 1.1 and TLS 1.2 on all hosts in a cluster, run the following command.
OS | Command
Windows | reconfigureEsx vCenterCluster -c Cluster_Name -u Administrative_User -p TLSv1.1 TLSv1.2
Linux | ./reconfigureEsx vCenterCluster -c Cluster_Name -u Administrative_User -p TLSv1.1 TLSv1.2
- To disable TLS 1.0 and TLS 1.1, and enable only TLS 1.
4 On an individual host, run one of the following commands.
- To disable TLS 1.0 and enable both TLS 1.1 and TLS 1.2 on an individual host, run the following command.
OS | Command
Windows | reconfigureEsx vCenterHost -h ESXi_Host_Name -u Administrative_User -p TLSv1.1 TLSv1.2
Linux | ./reconfigureEsx vCenterHost -h ESXi_Host_Name -u Administrative_User -p TLSv1.1 TLSv1.
Prerequisites
Ensure that the applications, hosts, and services that connect to the Platform Services Controller are eligible or configured to communicate by using a version of TLS that remains enabled. Because the Platform Services Controller handles authentication and certificate management, consider carefully which services might be affected. A service that can communicate only over a protocol version you disable loses connectivity.
Procedure
1 Log in to the vCenter Server system.
Windows
  a Log in as a user with Administrator privileges.
  b Go to the VcTlsReconfigurator directory.
    cd %VMWARE_CIS_HOME%\TlsReconfigurator\VcTlsReconfigurator
Linux
  a Connect to the appliance using SSH and log in as a user who has privileges to run scripts.
  b If the Bash shell is not currently enabled, run the following commands.
    shell.set --enabled true
    shell
  c Go to the VcTlsReconfigurator directory.
2 Log in to the system where you want to revert changes.
Windows
  a Log in as a user with Administrator privileges.
  b Go to the VcTlsReconfigurator directory.
    cd %VMWARE_CIS_HOME%\TlsReconfigurator\VcTlsReconfigurator
Linux
  a Connect to the appliance using SSH and log in as a user who has privileges to run scripts.
  b If the Bash shell is not currently enabled, run the following commands.
    shell.
4 Run one of the following commands to perform a restore.
Windows | reconfigureVc restore -d Directory_path_from_previous_step
  For example: reconfigureVc restore -d c:\users\username\appdata\local\temp\20161108T171539
Linux | reconfigureVc restore -d Directory_path_from_previous_step
  For example: reconfigureVc restore -d /tmp/20161117T172920
5 Repeat the procedure on any other vCenter Server instances.
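The procedures above change which protocol versions vCenter Server, the Platform Services Controller and ESXi hosts accept, but they do not show how to confirm the result from the outside. The following script is an added example, not part of the TLS Configurator utility: it attempts one handshake per TLS version against an endpoint (port 443 by default; the ports from Table 12‑1 can be passed instead) and reports any version that is still accepted although you meant to disable it, or rejected although you meant to keep it. The host name is supplied on the command line; no VMware API is used. One caveat is built in: a client whose OpenSSL refuses to offer TLS 1.0 or 1.1 cannot tell you anything about the server for those versions, so such results are reported as untestable rather than as rejected.

```python
"""Check which TLS versions a vSphere endpoint still negotiates.

Added example, not VMware code.  Run after reconfigureVc/reconfigureEsx
(and after a restore) to confirm the protocol set matches what you intended.
"""
import socket
import ssl
import sys

VERSIONS = {
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
}

# OpenSSL reasons meaning *this client* would not offer the version at all,
# so the outcome says nothing about the server's configuration.
CLIENT_SIDE_REASONS = {"NO_PROTOCOLS_AVAILABLE", "UNSUPPORTED_PROTOCOL", "VERSION_TOO_LOW"}


def probe(host, port, name, timeout=5.0):
    """Handshake restricted to exactly one protocol version.

    Returns 'accepted', 'rejected', 'untestable' or 'error'."""
    try:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE  # certificate trust is not what is under test
        ctx.minimum_version = VERSIONS[name]
        ctx.maximum_version = VERSIONS[name]
    except (ValueError, ssl.SSLError):
        return "untestable"  # local OpenSSL build does not support this version
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return "accepted" if tls.version() == name else "rejected"
    except ssl.SSLError as exc:
        # Server-side refusals surface as protocol-version alerts or EOF;
        # the reasons above mean the client never offered the version.
        return "untestable" if exc.reason in CLIENT_SIDE_REASONS else "rejected"
    except (ConnectionResetError, ConnectionAbortedError):
        return "rejected"  # some stacks drop the connection instead of alerting
    except OSError:
        return "error"  # unreachable host, closed port, timeout


def assess(results, intended_enabled):
    """Compare probe results with the intended protocol set.

    results: {version name: status}; returns a list of findings (empty = OK)."""
    findings = []
    for name in VERSIONS:
        status = results.get(name, "error")
        wanted = name in intended_enabled
        if status == "accepted" and not wanted:
            findings.append(f"{name} still accepted; expected disabled")
        elif status == "rejected" and wanted:
            findings.append(f"{name} rejected; expected enabled")
        elif status in ("untestable", "error"):
            findings.append(
                f"{name} could not be verified ({status}); "
                "re-test from a client whose OpenSSL still offers this version"
            )
    return findings


def audit(host, port=443, intended_enabled=("TLSv1.2",)):
    """Probe every version and return (results, findings)."""
    results = {name: probe(host, port, name) for name in VERSIONS}
    return results, assess(results, set(intended_enabled))


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "vcenter.example.com"  # placeholder host
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    res, problems = audit(target, target_port)
    for version, status in res.items():
        print(f"{target}:{target_port} {version:8} {status}")
    print("OK" if not problems else "\n".join(problems))
```

Run it once per endpoint and port you reconfigured (443 for the reverse proxy and vpxd, 636 for vmdird, 1514 for the syslog collector per Table 12‑1), and again after a restore to prove that the rollback re-enabled what you expected.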
Procedure
1 Stop the vSphere Update Manager service.
2 Navigate to the Update Manager installation directory, which is different for vSphere 6.0 and vSphere 6.5 and later.
Version | Location
vSphere 6.0 | C:\Program Files (x86)\VMware\Infrastructure\Update Manager
vSphere 6.5 and later | C:\Program Files\VMware\Infrastructure\Update Manager
3 Make a backup of the jetty-vum-ssl.xml file and open the file.
4 Disable earlier versions of TLS by changing the file.
2 Navigate to the Update Manager installation directory, which is different for vSphere 6.0 and vSphere 6.5 and later.
Version | Location
vSphere 6.0 | C:\Program Files (x86)\VMware\Infrastructure\Update Manager
vSphere 6.5 and later | C:\Program Files\VMware\Infrastructure\Update Manager
3 Make a backup of the vci-integrity.xml file and open the file.
4 Edit the vci-integrity.xml file and add a tag.
3 Make a backup of the jetty-vum-ssl.xml file and open the file.
4 Remove the TLS tag that corresponds to the TLS protocol version that you want to enable. For example, remove the TLSv1.1 entry in the jetty-vum-ssl.xml file to enable TLSv1.1.
5 Save the file.
6 Restart the vSphere Update Manager service.
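The two jetty-vum-ssl.xml procedures above (disabling a version, then re-enabling it) are hand edits of the same list of excluded protocols, which is easy to get wrong when the file is touched repeatedly. The script below is an added example, not VMware code or part of Update Manager: it parses the file, reports which TLS versions the listener will negotiate, and rewrites the exclusion list so that exactly the versions you name stay enabled, after taking a timestamped backup as step 3 requires. It assumes the file uses Jetty's standard layout, with the disabled protocols listed as Item elements inside a Set named ExcludeProtocols; the page shows only the item text, so SAMPLE is a constructed file in that shape rather than a copy of the real one.

```python
"""Enable or disable TLS versions in a Jetty SslContextFactory configuration
such as Update Manager's jetty-vum-ssl.xml.

Added example, not VMware code.  ASSUMPTION: disabled protocols appear as
<Item> elements under <Set name="ExcludeProtocols">, Jetty's standard layout.
SAMPLE is a constructed file in that shape, not a copy of the shipped file.
Requires Python 3.9+ for xml.etree.ElementTree.indent.
"""
import datetime
import shutil
import xml.etree.ElementTree as ET

TLS_VERSIONS = ("TLSv1", "TLSv1.1", "TLSv1.2")

SAMPLE = """<?xml version="1.0"?>
<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "http://www.eclipse.org/jetty/configure.dtd">
<Configure id="Server" class="org.eclipse.jetty.server.Server">
  <New id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory">
    <Set name="ExcludeProtocols">
      <Array type="java.lang.String">
        <Item>SSLv2Hello</Item>
        <Item>SSLv3</Item>
        <Item>TLSv1</Item>
        <Item>TLSv1.1</Item>
      </Array>
    </Set>
  </New>
</Configure>
"""


def _exclude_array(root):
    """Return the <Array> under <Set name="ExcludeProtocols">, or None if absent."""
    for node in root.iter("Set"):
        if node.get("name") == "ExcludeProtocols":
            arr = node.find("Array")
            if arr is None:
                arr = ET.SubElement(node, "Array", type="java.lang.String")
            return arr
    return None


def excluded_protocols(xml_text):
    """Protocol names currently listed as excluded, in file order."""
    arr = _exclude_array(ET.fromstring(xml_text))
    return [] if arr is None else [(i.text or "").strip() for i in arr.findall("Item")]


def enabled_tls_versions(xml_text):
    """TLS versions the listener will negotiate: every known version not excluded."""
    excluded = set(excluded_protocols(xml_text))
    return [v for v in TLS_VERSIONS if v not in excluded]


def set_enabled_tls_versions(xml_text, enabled):
    """Return new file text in which exactly `enabled` TLS versions are allowed.

    SSLv2Hello/SSLv3 exclusions are left untouched; only TLS items are rewritten."""
    enabled = set(enabled)
    if not enabled or enabled - set(TLS_VERSIONS):
        raise ValueError(f"enabled must be a non-empty subset of {TLS_VERSIONS}")
    root = ET.fromstring(xml_text)
    arr = _exclude_array(root)
    if arr is None:
        raise ValueError('no <Set name="ExcludeProtocols"> element in file')
    for item in list(arr.findall("Item")):  # drop every existing TLS item
        if (item.text or "").strip() in TLS_VERSIONS:
            arr.remove(item)
    for version in TLS_VERSIONS:  # re-add, in order, the ones that must stay disabled
        if version not in enabled:
            ET.SubElement(arr, "Item").text = version
    ET.indent(root, space="  ")
    head = xml_text[: xml_text.index("<Configure")]  # keep XML declaration and DOCTYPE
    return head + ET.tostring(root, encoding="unicode") + "\n"


def update_file(path, enabled):
    """Back the file up beside itself, rewrite it, and return the enabled versions.

    Restart the vSphere Update Manager service afterwards for the change to apply."""
    stamp = datetime.datetime.now().strftime("%Y%m%dT%H%M%S")
    shutil.copy2(path, f"{path}.{stamp}.bak")
    with open(path, encoding="utf-8") as fh:
        new_text = set_enabled_tls_versions(fh.read(), enabled)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(new_text)
    return enabled_tls_versions(new_text)


if __name__ == "__main__":
    print("sample allows:", enabled_tls_versions(SAMPLE))
    relaxed = set_enabled_tls_versions(SAMPLE, {"TLSv1.1", "TLSv1.2"})
    print("after re-enabling TLSv1.1:", enabled_tls_versions(relaxed))
    print("excluded list now:", excluded_protocols(relaxed))
```

Calling set_enabled_tls_versions with only TLSv1.2 reproduces the hardening procedure; passing TLSv1.1 and TLSv1.2 reproduces the re-enable procedure. The function refuses an empty set, which would leave the listener with no negotiable protocol.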
13 Defined Privileges
The following tables list the default privileges that, when selected for a role, can be paired with a user and assigned to an object. When setting permissions, verify that all the object types are set with appropriate privileges for each particular action. Some operations require access permission at the root folder or parent folder in addition to access to the object being manipulated. Some operations require access or performance permission at a parent folder and a related object.
- Host Inventory
- Host Local Operations Privileges
- Host vSphere Replication Privileges
- Host Profile Privileges
- Network Privileges
- Performance Privileges
- Permissions Privileges
- Profile-driven Storage Privileges
- Resource Privileges
- Scheduled Task Privileges
- Sessions Privileges
- Storage Views Privileges
- Tasks Privileges
- Transfer Service Privileges
- Virtual Machine Configuration Privileges
- Virtual Machine Guest Operations Privileges
Table 13‑1. Alarms Privileges
Privilege Name | Description | Required On
Alarms.Acknowledge alarm | Allows suppression of all alarm actions on all triggered alarms. | Object on which an alarm is defined
Alarms.Create alarm | Allows creation of a new alarm. When creating alarms with a custom action, privilege to perform the action is verified when the user creates the alarm. | Object on which an alarm is defined
Alarms.
Table 13‑2. Auto Deploy Privileges (Continued)
Privilege Name | Description | Required On
Auto Deploy.Rule.Create | Allows creation of Auto Deploy rules. | vCenter Server
Auto Deploy.Rule.Delete | Allows deletion of Auto Deploy rules. | vCenter Server
Auto Deploy.Rule.Edit | Allows editing of Auto Deploy rules. | vCenter Server
Auto Deploy.RuleSet.Activate | Allows activation of Auto Deploy rule sets. | vCenter Server
Auto Deploy.RuleSet.Edit | Allows editing of Auto Deploy rule sets. |
Content Library Privileges
Content Libraries provide simple and effective management for virtual machine templates and vApps. Content library privileges control who can view or manage different aspects of content libraries. You can set this privilege at different levels in the hierarchy. For example, if you set a privilege at the folder level, you can propagate the privilege to one or more objects within the folder.
Table 13‑4. Content Library Privileges (Continued)
Privilege Name | Description | Required On
Content library.Sync library item | Allows synchronization of library items. | Library. Set this permission to propagate to all library items.
Content library.Sync subscribed library | Allows synchronization of subscribed libraries. | Library
Content library.Type introspection | Allows a solution user or API to introspect the type support plugins for the content library service. |
Table 13‑5. Cryptographic Operations Privileges (Continued)
Privilege Name | Description | Required On
Cryptographic operations.Clone | Allows users to clone an encrypted virtual machine. | Virtual machine
Cryptographic operations.Decrypt | Allows users to decrypt a virtual machine or disk. | Virtual machine
Cryptographic operations.Encrypt | Allows users to encrypt a virtual machine or a virtual machine disk. | Virtual machine
Cryptographic operations.
Table 13‑5. Cryptographic Operations Privileges (Continued)
Privilege Name | Description | Required On
Cryptographic operations.Register VM | Allows users to register an encrypted virtual machine with an ESXi host. | Virtual machine folder
Cryptographic operations.Register host | Allows users to enable encryption on a host. You can enable encryption on a host explicitly, or the virtual machine creation process can enable it. |
You can set this privilege at different levels in the hierarchy. For example, if you set a privilege at the folder level, you can propagate the privilege to one or more objects within the folder. The object listed in the Required On column must have the privilege set, either directly or inherited.
Table 13‑7. Datastore Privileges
Privilege Name | Description | Required On
Datastore.
Distributed Switch Privileges
Distributed Switch privileges control the ability to perform tasks related to the management of Distributed Switch instances. You can set this privilege at different levels in the hierarchy. For example, if you set a privilege at the folder level, you can propagate the privilege to one or more objects within the folder. The object listed in the Required On column must have the privilege set, either directly or inherited.
Table 13‑9.
Table 13‑10. ESX Agent Manager Privileges
Privilege Name | Description | Required On
ESX Agent Manager.Config | Allows deployment of an agent virtual machine on a host or cluster. | Virtual machines
ESX Agent Manager.Modify | Allows modifications to an agent virtual machine such as powering off or deleting the virtual machine. | Virtual machines
ESX Agent Manager.View | Allows viewing of an agent virtual machine. |
Table 13‑12. Folder Privileges (Continued)
Privilege Name | Description | Required On
Folder.Move folder | Allows moving a folder. Privilege must be present at both the source and destination. | Folders
Folder.Rename folder | Allows changing the name of a folder. | Folders
Global Privileges
Global privileges control global tasks related to tasks, scripts, and extensions. You can set this privilege at different levels in the hierarchy.
Table 13‑13. Global Privileges (Continued)
Privilege Name | Description | Required On
Global.Set custom attribute | Allows viewing, creating, or removing custom attributes for a managed object. | Any object
Global.Settings | Allows reading and modifying runtime vCenter Server configuration settings. | Root vCenter Server
Global.System tag | Allows adding or removing system tags. |
Table 13‑15. Host Configuration Privileges (Continued)
Privilege Name | Description | Required On
Host.Configuration.Change date and time settings | Allows changes to date and time settings on the host. | Hosts
Host.Configuration.Change settings | Allows setting of lockdown mode on ESXi hosts. | Hosts
Host.Configuration.Connection | Allows changes to the connection status of a host (connected or disconnected). | Hosts
Host.Configuration.Firmware | Allows updates to the ESXi host's firmware. |
Table 13‑16. Host Inventory Privileges
Privilege Name | Description | Required On
Host.Inventory.Add host to cluster | Allows addition of a host to an existing cluster. | Clusters
Host.Inventory.Add standalone host | Allows addition of a standalone host. | Host folders
Host.Inventory.Create cluster | Allows creation of a new cluster. | Host folders
Host.Inventory.Modify cluster | Allows changing the properties of a cluster. | Clusters
Host.Inventory.
Table 13‑17. Host Local Operations Privileges (Continued)
Privilege Name | Description | Required On
Host.Local operations.Manage user groups | Allows management of local accounts on a host. | Root host
Host.Local operations.Reconfigure virtual machine | Allows reconfiguring a virtual machine. | Root host
Host vSphere Replication Privileges
Host vSphere replication privileges control the use of virtual machine replication by VMware vCenter Site Recovery Manager™ for a host.
You can set this privilege at different levels in the hierarchy. For example, if you set a privilege at the folder level, you can propagate the privilege to one or more objects within the folder. The object listed in the Required On column must have the privilege set, either directly or inherited.
Table 13‑20. Network Privileges
Privilege Name | Description | Required On
Network.Assign network | Allows assigning a network to a virtual machine. | Networks, Virtual Machines
Network.
Table 13‑22. Permissions Privileges
Privilege Name | Description | Required On
Permissions.Modify permission | Allows defining one or more permission rules on an entity, or updating rules if rules are already present for the given user or group on the entity. To have permission to perform this operation, a user or group must have this privilege assigned on both the object and its parent object. | Any object plus parent object
Permissions.
Table 13‑24. Resource Privileges (Continued)
Privilege Name | Description | Required On
Resource.Assign virtual machine to resource pool | Allows assignment of a virtual machine to a resource pool. | Resource pools
Resource.Create resource pool | Allows creation of resource pools. | Resource pools, clusters
Resource.Migrate powered off virtual machine | Allows migration of a powered off virtual machine to a different resource pool or host. | Virtual machines
Resource.
You can set this privilege at different levels in the hierarchy. For example, if you set a privilege at the folder level, you can propagate the privilege to one or more objects within the folder. The object listed in the Required On column must have the privilege set, either directly or inherited.
Table 13‑26. Session Privileges
Privilege Name | Description | Required On
Sessions.Impersonate user | Allows impersonation of another user. This capability is used by extensions. |
Table 13‑28. Tasks Privileges
Privilege Name | Description | Required On
Tasks.Create task | Allows an extension to create a user-defined task. No vSphere Web Client user interface elements are associated with this privilege. | Root vCenter Server
Tasks.Update task | Allows an extension to update a user-defined task. No vSphere Web Client user interface elements are associated with this privilege. | Root vCenter Server
Table 13‑29. Virtual Machine Configuration Privileges (Continued)
Privilege Name | Description | Required On
Virtual machine.Configuration.Disk lease | Allows disk lease operations for a virtual machine. | Virtual machines
Virtual machine.Configuration.Display connection settings | Allows configuration of virtual machine remote console options. | Virtual machines
Virtual machine.Configuration.Extend virtual disk | Allows expansion of the size of a virtual disk. |
Table 13‑29. Virtual Machine Configuration Privileges (Continued)
Privilege Name | Description | Required On
Virtual machine.Configuration.Swapfile placement | Allows changing the swapfile placement policy for a virtual machine. | Virtual machines
| Allows upgrade of the virtual machine's virtual machine compatibility version. | Virtual machines
Virtual machine.Configuration.Toggle fork parent | |
Virtual machine.Configuration.
Table 13‑30. Virtual Machine Guest Operations Privileges (Continued)
Privilege Name | Description | Effective on Object
Virtual machine.Guest Operations.Guest Operation Program Execution | Allows virtual machine guest operations that involve executing a program in the virtual machine. No vSphere Web Client user interface elements are associated with this privilege. | Virtual machines
Virtual machine.Guest Operations.
Table 13‑31. Virtual Machine Interaction Privileges
Privilege Name | Description | Required On
Virtual machine.Interaction.Answer question | Allows resolution of issues with virtual machine state transitions or runtime errors. | Virtual machines
Virtual machine.Interaction.Backup operation on virtual machine | Allows performance of backup operations on virtual machines. | Virtual machines
Virtual machine.Interaction.Configure CD media | Allows configuration of a virtual DVD or CD-ROM device. |
Table 13‑31. Virtual Machine Interaction Privileges (Continued)
Privilege Name | Description | Required On
Virtual machine.Interaction.Console interaction | Allows interaction with the virtual machine's virtual mouse, keyboard, and screen. | Virtual machines
Virtual machine.Interaction.Create screenshot | Allows creation of a virtual machine screenshot. | Virtual machines
Virtual machine.Interaction.Defragment all disks | Allows defragment operations on all disks of the virtual machine. |
Table 13‑31. Virtual Machine Interaction Privileges (Continued)
Privilege Name | Description | Required On
Virtual machine.Interaction.Drag and Drop | Allows drag and drop of files between a virtual machine and a remote client. | Virtual machines
Virtual machine.Interaction.Guest operating system management by VIX API | Allows management of the virtual machine's operating system through the VIX API. | Virtual machines
Virtual machine.Interaction.
Table 13‑31. Virtual Machine Interaction Privileges (Continued)
Privilege Name | Description | Required On
Virtual machine.Interaction.Perform wipe or shrink operations | Allows performing wipe or shrink operations on the virtual machine. | Virtual machines
Virtual machine.Interaction.Power Off | Allows powering off a powered-on virtual machine. This operation powers down the guest operating system. | Virtual machines
Virtual machine.Interaction.
Table 13‑31. Virtual Machine Interaction Privileges (Continued)
Privilege Name | Description | Required On
Virtual machine.Interaction.Record session on Virtual Machine | Allows recording a session on a virtual machine. | Virtual machines
Virtual machine.Interaction.Replay session on Virtual Machine | Allows replaying of a recorded session on a virtual machine. | Virtual machines
Virtual machine.Interaction.
Table 13‑31. Virtual Machine Interaction Privileges (Continued)
Privilege Name | Description | Required On
Virtual machine.Interaction.Suspend | Allows suspending a powered-on virtual machine. This operation puts the guest in standby mode. | Virtual machines
Virtual machine.Interaction.Suspend Fault Tolerance | Allows suspension of fault tolerance for a virtual machine. | Virtual machines
Virtual machine.Interaction.
Table 13‑31. Virtual Machine Interaction Privileges (Continued)
Privilege Name | Description | Required On
Virtual machine.Interaction.Test restart Secondary VM | Allows termination of a Secondary virtual machine for a virtual machine using Fault Tolerance. | Virtual machines
Virtual machine.Interaction.Turn Off Fault Tolerance | Allows turning off Fault Tolerance for a virtual machine. | Virtual machines
VMware, Inc.
Table 13‑31. Virtual Machine Interaction Privileges (Continued)
Privilege Name | Description | Required On
Virtual machine.Interaction.Turn On Fault Tolerance | Allows turning on Fault Tolerance for a virtual machine. | Virtual machines
Virtual machine.Interaction.VMware Tools install | Allows mounting and unmounting the VMware Tools CD installer as a CD-ROM for the guest operating system. |
Table 13‑32. Virtual Machine Inventory Privileges (Continued)
Privilege Name | Description | Required On
Virtual machine.Inventory.Register | Allows adding an existing virtual machine to a vCenter Server or host inventory. | Clusters, Hosts, Virtual machine folders
Virtual machine.Inventory.Remove | Allows deletion of a virtual machine. Deletion removes the virtual machine's underlying files from disk. | Virtual machines
Virtual machine.Inventory.
Table 13‑33. Virtual Machine Provisioning Privileges (Continued)
Privilege Name | Description | Required On
Virtual machine.Provisioning.Create template from virtual machine | Allows creation of a new template from a virtual machine. | Virtual machines
Virtual machine.Provisioning.Customize | Allows customization of a virtual machine's guest operating system without moving the virtual machine. | Virtual machines
Virtual machine.Provisioning.
Table 13‑34. Virtual Machine Service Configuration Privileges (Continued)
Privilege Name | Description
Virtual Machine.Service configuration.Manage service configurations | Allows creating, modifying, and deleting virtual machine services.
Virtual Machine.Service configuration.Modify service configuration | Allows modification of existing virtual machine service configuration.
Virtual Machine.Service configuration.
You can set this privilege at different levels in the hierarchy. For example, if you set a privilege at the folder level, you can propagate the privilege to one or more objects within the folder. The object listed in the Required On column must have the privilege set, either directly or inherited.
Table 13‑36. Virtual Machine vSphere Replication Privileges
Privilege Name | Description | Required On
Virtual machine.vSphere Replication.
Table 13‑38. vApp Privileges
Privilege Name | Description | Required On
vApp.Add virtual machine | Allows adding a virtual machine to a vApp. | vApps
vApp.Assign resource pool | Allows assigning a resource pool to a vApp. | vApps
vApp.Assign vApp | Allows assigning a vApp to another vApp. | vApps
vApp.Clone | Allows cloning of a vApp. | vApps
vApp.Create | Allows creation of a vApp. | vApps
vApp.Delete | Allows deletion of a vApp. |
You can set this privilege at different levels in the hierarchy. For example, if you set a privilege at the folder level, you can propagate the privilege to one or more objects within the folder. The object listed in the Required On column must have the privilege set, either directly or inherited.
Table 13‑39. vServices Privileges
Privilege Name | Description | Required On
vService.Create dependency | Allows creation of a vService dependency for a virtual machine or vApp. |
Table 13‑40. vSphere Tagging Privileges (Continued)
Privilege Name | Description | Required On
vSphere Tagging.Modify UsedBy Field for Category | Allows changing the UsedBy field for a tag category. | Any object
vSphere Tagging.Modify UsedBy Field for Tag | Allows changing the UsedBy field for a tag. | Any object
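The privilege tables in this chapter repeat three rules that are easy to misjudge when auditing a role assignment: a permission set on a child object replaces, rather than adds to, one inherited from its parent; an inherited permission only reaches the child if it was set to propagate; and some privileges must be held on more than one object, such as Folder.Move folder on both the source and the destination (Table 13‑12) and Permissions.Modify permission on the object and its parent (Table 13‑22). The following model is an added example, not VMware code and not the vCenter authorization engine: it encodes those rules over a constructed inventory so you can see which object a denied operation actually fails on. The role contents and the inventory are constructed for the example; group membership and global permissions are deliberately left out.

```python
"""Model of how vCenter evaluates a privilege against the inventory tree.

Added example, not VMware code.  Encodes three rules from this chapter:
a permission on a child object overrides the one inherited from its parent,
an inherited permission applies only when it was set to propagate, and some
privileges are required on more than one object (Tables 13-12 and 13-22).
Roles and inventory are constructed; groups and global permissions omitted.
"""
from dataclasses import dataclass, field
from typing import Optional

# Constructed roles: name -> privileges drawn from the tables in this chapter.
ROLES = {
    "ReadOnly": {"System.Read", "System.View"},
    "FolderAdmin": {"System.Read", "System.View", "Folder.Create folder",
                    "Folder.Move folder", "Folder.Rename folder"},
    "Administrator": {"System.Read", "System.View", "Folder.Create folder",
                      "Folder.Move folder", "Folder.Rename folder",
                      "Permissions.Modify permission"},
}


@dataclass
class InventoryObject:
    name: str
    parent: Optional["InventoryObject"] = None
    permissions: dict = field(default_factory=dict)  # principal -> (role, propagate)

    def grant(self, principal, role, propagate=True):
        self.permissions[principal] = (role, propagate)
        return self


def effective_privileges(obj, principal):
    """Walk from obj toward the root; the nearest applicable permission wins.

    A permission directly on obj always applies.  One on an ancestor applies
    only if it propagates; a non-propagating ancestor permission is skipped
    and the search continues upward."""
    node, depth = obj, 0
    while node is not None:
        perm = node.permissions.get(principal)
        if perm is not None:
            role, propagate = perm
            if depth == 0 or propagate:
                return set(ROLES[role])
        node, depth = node.parent, depth + 1
    return set()


def has_privilege(obj, principal, privilege):
    return privilege in effective_privileges(obj, principal)


def _required_objects(privilege, target, destination=None):
    """Objects listed in the tables' Required On column for multi-object privileges."""
    if privilege == "Permissions.Modify permission":  # Table 13-22: object plus parent
        return [target, target.parent]
    if privilege == "Folder.Move folder":             # Table 13-12: source and destination
        return [target, destination]
    return [target]


def authorize(principal, privilege, target, destination=None):
    """Return names of required objects on which the privilege is missing.

    An empty list means the operation is permitted."""
    required = [o for o in _required_objects(privilege, target, destination) if o is not None]
    return [o.name for o in required if not has_privilege(o, principal, privilege)]


def build_inventory():
    """Constructed inventory: vcenter > datacenter > {folderA > vm1, folderB}."""
    vc = InventoryObject("vcenter")
    dc = InventoryObject("datacenter", vc)
    folder_a = InventoryObject("folderA", dc)
    folder_b = InventoryObject("folderB", dc)
    vm1 = InventoryObject("vm1", folder_a)
    dc.grant("alice", "FolderAdmin")                     # propagates to both folders
    folder_a.grant("bob", "FolderAdmin", propagate=False)  # folderA only: not vm1, not folderB
    dc.grant("carol", "Administrator")
    folder_b.grant("carol", "ReadOnly")                  # child permission overrides the parent's
    return {"vcenter": vc, "datacenter": dc, "folderA": folder_a, "folderB": folder_b, "vm1": vm1}


if __name__ == "__main__":
    inv = build_inventory()
    checks = [("alice", "Folder.Move folder", "folderA", "folderB"),
              ("bob", "Folder.Move folder", "folderA", "folderB"),
              ("carol", "Permissions.Modify permission", "folderB", None)]
    for who, priv, tgt, dst in checks:
        missing = authorize(who, priv, inv[tgt], inv[dst] if dst else None)
        print(f"{who:6} {priv:30} -> {'allowed' if not missing else 'denied on ' + ', '.join(missing)}")
```

The output names the object that blocks the operation, which is the question a least-privilege review usually needs answered: carol holds Administrator at the datacenter, yet cannot modify permissions on folderB because the ReadOnly permission set directly on folderB replaces what she would otherwise inherit.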