Documente Academic
Documente Profesional
Documente Cultură
x Security
Oct 30, 2015
The new PSC design includes a Certificate authority that will issue all the certificates
for the Vmware infrastructure. It CANNOT issue certificates for any NON-Vmware
infrastructure.
VI 6.0u1 has a new GUI to help verify the Certificate configuration and the Identity
source configuration https://<pscname>/psc login with the SSO domain admin creds.
The PSCs replicate the SSO domain config between all the nodes.
• The PCSs are a replacement technology for the VI 5.x SSO servers.
• Active Directory is 1 of the 4 types of identity sources that can be configured
( vSphere.local, PSC Local OS, Active Directory, LDAP)
• Active Directory can be configured with either Integrated authentication or as
an LDAP source. The Integrated authentication requires that the PSCs are
Windows hosts and joined to the Domain.
• Using Active Directory as an identity source allows you to use the Users and
groups that already exist in the organization to manage vCenter.
• The process of adding ESXi hosts to AD can be scripted. A powerCLI code example can be found
in the Security Guide on the top of page 133.
• Disable ssh (This is disabled by Default) We turn this on in production to speed troubleshooting.
• Use the ESX host firewall to close all ports not specifically required. This is also done by default
but additional firewall ports can be opened as needed.
• By Default ESXi hosts get server certificates issued by the VMCA on the PSCs, this ensures
encrypted communication between vCenter and the ESXi hosts.
• The ESXi firewall can be managed through the CLI using the esxcli network firewall command set
• VI 6.0 has 2 versions of the lockdown mode
• Normal Lockdown Mode
• Strict Lockdown Mode
• Separate vmKernel, vMotion and other Mangement traffic from Virtual Machine traffic.
• Secure the Guest OS through the normal hardening process for your OS
• Vmware specific guide lines
• Remove any unneccesary virtual devices like serial ports, Floppy Drives and USB bus
• Configure VMs to have ONLY the virtual resources they need this could help prevent a DOS
attack.
• Ensure your ESX host network config properly handles BPDU packets that could cause STP
to shut off switch ports.
• Disable HGFS transfers This could allow attackers to transfer files into the Guest OS
• Disable Copy/Paste through the console.
• Limit or remove user access to vCenter itself. If Console access is required create a minimal
role for that specific task, assign users as needed.
• Use templates that are properly configured to deploy VMs. Don’t custom build VMs if not
required