Configure and Administer vSphere 6.x Security
Oct 30, 2015

accelerate your ambition


Copyright © 2014 Dimension Data
Configure and Admin vSphere 6 Security Overview
• Configure and Admin Role based Access control
  • Create/clone/edit Roles
  • Apply roles to users and groups
• Enable SSO and Active Directory Integration
  • Configure and Manage VMCA
  • Configure Active Directory
  • Add ESXi host to Active Directory
• Secure ESXi, vCenter Server and VMs
  • Harden ESXi hosts
  • Harden vCenter
  • Harden VM access

Configure and Admin Role based Access control
Roles
A Role is a group of specific permissions that can be granted to users in vCenter and other
VMware products.

A role is created from the Administration menu in the Web Client. To create a new role,
click the green + sign, give it a name and put check marks next to the permissions this role
will have.

Once the role is created it is available as an object that can be added to resources
throughout the SSO Domain.

A Role can be copied to a new role by clicking the copy button to the right of the green +.
A new name is required, and the copy can then be edited as needed.

Configure and Admin Role based Access control
Apply permissions

Permissions can be added globally on the PSC through the Global Permissions menu, or to
specific VMware objects in specific vCenters attached to the SSO domain.

To add a permission, click the green + icon. On the right you select a role, and on the
left you click Add to find the users or groups that will be assigned to the role.
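As an added example (not code from the deck), the create, clone and apply steps above done in PowerCLI; the vCenter name, the "Lab-VMs" folder, the LAB\vm-operators group and the role names are assumptions:

```powershell
# Added PowerCLI example, not from the deck. Placeholders (assumptions):
# vcenter01.example.test, a VM folder "Lab-VMs" and the AD group LAB\vm-operators.
Import-Module VMware.VimAutomation.Core
Connect-VIServer -Server 'vcenter01.example.test' | Out-Null

# 1. Create a role with only the privileges the task needs (least privilege).
#    These privilege IDs are what the check marks in the Web Client map to.
$privIds = @(
    'System.Anonymous', 'System.View', 'System.Read',   # present in every role
    'VirtualMachine.Interact.ConsoleInteract',          # open the VM console
    'VirtualMachine.Interact.PowerOn',
    'VirtualMachine.Interact.PowerOff'
)
if (-not (Get-VIRole -Name 'VM Console Operator' -ErrorAction SilentlyContinue)) {
    New-VIRole -Name 'VM Console Operator' -Privilege (Get-VIPrivilege -Id $privIds) | Out-Null
}

# 2. Clone the role (the "copy" button): same privileges under a new name, then edit it.
$src = Get-VIRole -Name 'VM Console Operator'
New-VIRole -Name 'VM Console Operator - Reset' -Privilege (Get-VIPrivilege -Role $src) | Out-Null
Set-VIRole -Role (Get-VIRole -Name 'VM Console Operator - Reset') `
           -AddPrivilege (Get-VIPrivilege -Id 'VirtualMachine.Interact.Reset') | Out-Null

# 3. Apply the role as a permission on one object (a VM folder) rather than globally,
#    so the group gets console rights on those VMs only.
New-VIPermission -Entity (Get-Folder -Name 'Lab-VMs') `
                 -Principal 'LAB\vm-operators' `
                 -Role (Get-VIRole -Name 'VM Console Operator') `
                 -Propagate:$true | Out-Null

# 4. Audit: every principal holding the Administrator role (API name "Admin") anywhere.
Get-VIPermission | Where-Object { $_.Role -eq 'Admin' } |
    Select-Object Principal, Entity, Propagate | Format-Table -AutoSize

Disconnect-VIServer -Confirm:$false
```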

Enable SSO and Active Directory Integration
Configure and Manage VMCA

The new PSC design includes a Certificate Authority (the VMCA) that issues all the certificates
for the VMware infrastructure. It CANNOT issue certificates for any NON-VMware
infrastructure.

Each PSC creates its own VMCA.

The VMCA can be configured as a Subordinate CA and issue certificates accordingly. The PSC
has a new tool (certificate-manager) to manage the certificates.

VI 6.0u1 has a new GUI to help verify the certificate configuration and the identity
source configuration: https://<pscname>/psc (log in with the SSO domain admin credentials).

A maximum of 10 PSCs can be in a given SSO domain. They can manage up to 10
registered VMware products (vCenters).

The PSCs replicate the SSO domain config between all the nodes.

How to build PSCs and configure the VMCA as a subordinate CA:
https://wiki-eng.opsource.net/pages/viewpage.action?pageId=39896270

Configure Active Directory

• The PSCs are a replacement technology for the VI 5.x SSO servers.
• Active Directory is 1 of the 4 types of identity sources that can be configured
  (vSphere.local, PSC Local OS, Active Directory, LDAP).
• Active Directory can be configured with either Integrated authentication or as
  an LDAP source. Integrated authentication requires that the PSCs are
  Windows hosts joined to the Domain.
• Using Active Directory as an identity source allows you to use the users and
  groups that already exist in the organization to manage vCenter.

• Configuring Active Directory process:
https://wiki-eng.opsource.net/display/CPP/Vmware+6.0+GF+Configure+Active+Directory+as+an+Identity+source+for+VMware+SSO

Add ESXi host to Active Directory
ESXi host users can be managed through Active Directory. This is helpful because it allows us to
restrict Root user access and to track user activity on the ESXi hosts.

• Adding ESXi hosts to Active Directory has several advantages:
  • The Domain Controllers become the default time source. No need to configure NTP.
  • Domain users that have been granted access can use their credentials to SSH into the ESXi hosts.
    This activity is tracked in auth.log, which improves security auditing.

• The process of adding ESXi hosts to AD can be scripted. A PowerCLI code example can be found
  in the Security Guide at the top of page 133.

Secure ESXi, vCenter Server and VMs
Harden ESXi hosts
ESXi hosts can be hardened for additional security. The basic hardening techniques are similar
to those for other operating systems. They follow these guidelines:

• Disable SSH (it is disabled by default). We turn it on in production to speed up troubleshooting.
• Use the ESXi host firewall to close all ports not specifically required. This is also done by default,
  but additional firewall ports can be opened as needed.
• By default ESXi hosts get server certificates issued by the VMCA on the PSCs; this ensures
  encrypted communication between vCenter and the ESXi hosts.
• The ESXi firewall can be managed through the CLI using the esxcli network firewall command set.
• VI 6.0 has 2 versions of lockdown mode:
  • Normal Lockdown Mode
  • Strict Lockdown Mode
• Separate VMkernel, vMotion and other management traffic from Virtual Machine traffic.
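The "Add ESXi host to Active Directory" slide and the host hardening list above, as one added PowerCLI example (this is not the Security Guide script the deck refers to); the vCenter name, the lab.example.test domain and the esx-admins group are assumptions:

```powershell
# Added PowerCLI example; not the Security Guide script the deck cites.
# Placeholders (assumptions): vcenter01.example.test, domain lab.example.test,
# AD group esx-admins.
Import-Module VMware.VimAutomation.Core
Connect-VIServer -Server 'vcenter01.example.test' | Out-Null
$joinCred = Get-Credential -Message 'Account permitted to join hosts to the domain'

foreach ($h in Get-VMHost) {
    # --- Add ESXi host to Active Directory ---------------------------------
    $auth = Get-VMHostAuthentication -VMHost $h
    if ($auth.DomainMembershipStatus -ne 'Ok') {
        Set-VMHostAuthentication -VMHostAuthentication $auth -JoinDomain `
            -Domain 'lab.example.test' -Credential $joinCred -Confirm:$false | Out-Null
    }
    # A joined host grants admin rights to the AD group named in this setting
    # ("ESX Admins" by default). Point it at a group you actually control.
    Get-AdvancedSetting -Entity $h -Name 'Config.HostAgent.plugins.hostsvc.esxAdminsGroup' |
        Set-AdvancedSetting -Value 'esx-admins' -Confirm:$false | Out-Null

    # --- Harden ESXi hosts -------------------------------------------------
    # SSH stopped and not started at boot; enable it only while troubleshooting.
    $ssh = Get-VMHostService -VMHost $h | Where-Object { $_.Key -eq 'TSM-SSH' }
    if ($ssh.Running) { Stop-VMHostService -HostService $ssh -Confirm:$false | Out-Null }
    Set-VMHostService -HostService $ssh -Policy Off | Out-Null
    $sshRule = Get-VMHostFirewallException -VMHost $h -Name 'SSH Server'
    Set-VMHostFirewallException -Exception $sshRule -Enabled:$false | Out-Null

    # Firewall review: enabled rules whose backing service is stopped are the
    # candidates to close (same data as: esxcli network firewall ruleset list).
    Get-VMHostFirewallException -VMHost $h -Enabled:$true |
        Where-Object { $_.ServiceRunning -eq $false } |
        ForEach-Object { Write-Host ("{0}: rule '{1}' open, service stopped" -f $h.Name, $_.Name) }

    # Lockdown mode (6.0): lockdownNormal keeps the DCUI for exception users,
    # lockdownStrict disables the DCUI too; the host is then managed via vCenter only.
    $ham = Get-View -Id $h.ExtensionData.ConfigManager.HostAccessManager
    if ($ham.LockdownMode -eq 'lockdownDisabled') { $ham.ChangeLockdownMode('lockdownNormal') }
}
Disconnect-VIServer -Confirm:$false
```

Run it from a management host, not from the vCenter server itself, in line with the "Harden vCenter" slide.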

Harden vCenter
vCenter can either be installed on a Windows host or you can use the provided Linux appliance.
To harden vCenter on a Windows host, follow the Windows OS best practices:
• Fully patch the Windows host.
• Use named user accounts for all logins.
• Do not log in/RDP directly to the vCenter server; use a management host or the Web Client from
  your workstation.
• Enable the Windows firewall. Set rules for the ports to the ESX hosts, SQL servers, Domain
  Controllers and Syslog server.
• Use vCenter Roles to limit user access to the vCenter management environment.
• Limit the use of Linux clients. The Linux version of the clients does not perform certificate
  validation by default.
• Install antivirus on the Windows host.
• Set the RDP authentication level to the maximum you can support.
• Use the vSphere appliance as often as possible.

Harden VM access
Hardening Virtual Machines is a 2-part process. The Guest OS should be hardened properly, and then
access to the VM through vCenter must be properly managed as well.

• Secure the Guest OS through the normal hardening process for your OS.
• VMware specific guidelines:
  • Remove any unnecessary virtual devices like serial ports, floppy drives and the USB bus.
  • Configure VMs to have ONLY the virtual resources they need; this can help prevent a DoS
    attack.
  • Ensure your ESX host network config properly handles BPDU packets that could cause STP
    to shut off switch ports.
  • Disable HGFS transfers. Left enabled, they could allow attackers to transfer files into the Guest OS.
  • Disable Copy/Paste through the console.
• Limit or remove user access to vCenter itself. If console access is required, create a minimal
  role for that specific task and assign users as needed.
• Use templates that are properly configured to deploy VMs. Don't custom build VMs if not
  required.
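The VMware specific guidelines above (HGFS, console copy/paste, unnecessary devices) applied across all VMs, as an added PowerCLI example that is not code from the deck; the vCenter name is an assumption and the isolation.* keys are the standard VM advanced settings for these controls:

```powershell
# Added PowerCLI example, not from the deck. Placeholder (assumption): vcenter01.example.test.
Import-Module VMware.VimAutomation.Core
Connect-VIServer -Server 'vcenter01.example.test' | Out-Null

# Guest isolation keys behind "Disable HGFS transfers" and "Disable Copy/Paste
# through the console" (drag-and-drop is closed as well).
$isolation = @{
    'isolation.tools.hgfsServerSet.disable' = 'TRUE'
    'isolation.tools.copy.disable'          = 'TRUE'
    'isolation.tools.paste.disable'         = 'TRUE'
    'isolation.tools.dnd.disable'           = 'TRUE'
    'isolation.tools.setGUIOptions.enable'  = 'FALSE'
}

# Virtual device types a server VM normally does not need.
$unwanted = @('VirtualFloppy', 'VirtualSerialPort', 'VirtualParallelPort',
              'VirtualUSBController', 'VirtualUSBXHCIController')

foreach ($vm in Get-VM) {
    # 1. Enforce the isolation settings (-Force overwrites a key that already exists).
    foreach ($key in $isolation.Keys) {
        $current = Get-AdvancedSetting -Entity $vm -Name $key
        if (-not $current -or $current.Value -ne $isolation[$key]) {
            New-AdvancedSetting -Entity $vm -Name $key -Value $isolation[$key] `
                -Force -Confirm:$false | Out-Null
        }
    }

    # 2. Flag unnecessary devices. Removing hardware needs the VM powered off, so
    #    only floppy drives on powered-off VMs are removed here; the rest are reported.
    $vm.ExtensionData.Config.Hardware.Device |
        Where-Object { $unwanted -contains $_.GetType().Name } |
        ForEach-Object {
            Write-Host ("{0}: found {1} '{2}'" -f $vm.Name, $_.GetType().Name, $_.DeviceInfo.Label)
        }
    if ($vm.PowerState -eq 'PoweredOff') {
        Get-FloppyDrive -VM $vm | Remove-FloppyDrive -Confirm:$false
    }
}
Disconnect-VIServer -Confirm:$false
```

Changed isolation.* keys are read at power-on, so they take effect at each VM's next power cycle.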
