
Best Practices

Security Hardening
VMware Infrastructure 3 (VMware ESX 3.5 and VMware VirtualCenter 2.5)

By introducing a layer of abstraction between the physical hardware and virtualized systems running IT services, virtualization technology provides a powerful means to deliver cost savings via server consolidation as well as increased operational efficiency and flexibility. However, the added functionality introduces a virtualization layer that itself becomes a potential avenue of attack for the virtual services being hosted. Because a single host system can house multiple virtual machines, the security of that host becomes even more important.

Because they are based on a lightweight kernel optimized for virtualization, VMware ESX and VMware ESXi are less susceptible to viruses and other problems that affect general purpose operating systems. However, ESX/ESXi is not impervious to attack, and you should take proper measures to harden it, as well as the VMware VirtualCenter management server, against malicious activity or unintended damage. This paper provides recommendations for steps you can take to ensure that your VMware Infrastructure 3 environment is properly secured. The paper also explains in detail the security-related configuration options of the components of VMware Infrastructure 3 and the consequences for security of enabling certain capabilities.

For additional up-to-date information on the security of VMware products, go to the VMware Security Center. See References on page 30 for a link. The VMware Security Center provides links to security advisories, alerts, and updates, as well as security utilities and other security-related papers.

The information in this paper applies to ESX 3.5/ESXi 3.5 and VirtualCenter 2.5. It is divided into sections based upon the components of VMware Infrastructure 3. The sections on virtual machines, VirtualCenter, and client components apply to both ESX 3.5 and ESXi 3.5. Host configuration issues are discussed in separate sections for ESX 3.5 and ESXi 3.5. Be sure to consult the sections that apply to the VMware Infrastructure software you are using.

The paper covers the following topics:

Virtual Machines on page 2

Virtual Machine Files and Settings on page 4

Configuring the Service Console in ESX 3.5 on page 7

Configuring Host-level Management in ESXi 3.5 on page 16

Configuring the ESX/ESXi Host on page 20

VirtualCenter on page 24

VirtualCenter Add-on Components on page 27

Client Components on page 28

References on page 30

About the Author on page 31

Copyright 2008 VMware, Inc. All rights reserved. 1



Virtual Machines

The recommendations in this section apply to the way you configure virtual machines and the ways you interact with virtual machines.

Secure Virtual Machines as You Would Secure Physical Machines

A key to understanding the security requirements of a virtualized environment is the recognition that a virtual machine is, in most respects, the equivalent of a physical server. Hence the guest operating system that runs in the virtual machine is subject to the same security risks as a physical system. Therefore, it is critical that you employ the same security measures in virtual machines that you would for physical servers.

Ensure that antivirus, anti-spyware, intrusion detection, and other protection are enabled for every virtual machine in your virtual infrastructure. Make sure to keep all security measures up to date, including applying appropriate patches. It is especially important to keep track of updates for dormant virtual machines that are powered off, because it could be easy to overlook them.

Disable Unnecessary or Superfluous Functions

By disabling unnecessary system components that are not needed to support the application or service running on the system, you reduce the number of parts that can be attacked. Some of these steps include:

Disable unused services in the operating system. For example, if the system runs a file server, make sure to turn off any Web services.

Disconnect unused physical devices, such as CD/DVD drives, floppy drives, and USB adapters. This is described in the section Removing Unnecessary Hardware Devices in the ESX Server 3 Configuration Guide.

Turn off any screen savers. If using a Linux, BSD, or Solaris guest operating system, do not run the X Window system unless it is necessary.

Take Advantage of Templates

By capturing a hardened base operating system image (with no applications installed) in a template, you can ensure that all your virtual machines are created with a known baseline level of security. You can then use this template to create other, application-specific templates, or you can use the application template to deploy virtual machines. Make sure to keep patches and security measures up to date in templates. In VMware Infrastructure 3, you can convert a template to a virtual machine and back again quickly, which makes updating templates quite easy. VMware Update Manager also provides the ability to patch the operating system and certain applications in a template automatically, thus ensuring that they remain up to date.

Prevent Virtual Machines from Taking Over Resources

By using the resource management capabilities of ESX/ESXi, such as shares and limits, you can control the server resources that a virtual machine consumes. You can use this mechanism to prevent a denial of service that causes one virtual machine to consume so much of the host's resources that other virtual machines on the same host cannot perform their intended functions. By default, all virtual machines on an ESX/ESXi host share the resources equally. Bear in mind, however, that a virtual machine that exhibits unusual memory and storage access patterns might still have the potential to cause performance degradation on other virtual machines. It is recommended that you monitor all virtual machines for unusual or unexpected performance to be aware of such situations.


Isolate Virtual Machine Networks

Although the virtual hardware of one virtual machine is isolated from that of other virtual machines, virtual machines also are typically connected to shared networks. Any virtual machine or group of virtual machines connected to a common network can communicate across those network links and can, therefore, still be the target of network attacks from other virtual machines on the network. As a result, you should apply network best practices to harden the network interfaces of virtual machines. Consider isolating sets of virtual machines on their own network segments to minimize the risks of data leakage from one virtual machine zone to the next across the network.

Network segmentation mitigates the risk of several types of network attacks, including Address Resolution Protocol (ARP) address spoofing, in which an attacker manipulates the ARP table to remap MAC and IP addresses to redirect network traffic to and from a given host to another unintended destination. Attackers use ARP spoofing to generate denials of service, hijack the target system, and otherwise disrupt the virtual network.

Segmentation has the added benefit of making compliance audits much easier, because it gives you a clear view of which virtual machines are linked by a network.

You can implement segmentation using either of two approaches, each of which has its own benefits:

Use separate physical network adapters for virtual machine zones by creating separate virtual switches for each one. Maintaining separate physical network adapters for virtual machine zones is less prone to misconfiguration after you initially create segments.

Set up virtual local area networks (VLANs) to help safeguard your network. Because VLANs provide almost all of the security benefits inherent in implementing physically separate networks without the hardware overhead, they offer a viable solution that can save you the cost of deploying and maintaining additional devices, cabling, and so forth, while also allowing for redundancy options.

For more information on using VLANs with virtual machines, see the section Securing Virtual Machines with VLANs in the ESX Server 3 Configuration Guide.

Minimize Use of the VI Console

The VI Console allows you to connect to the console of a virtual machine, in effect seeing what a monitor on a physical server would show. However, the VI Console also provides power management and removable device connectivity controls, which could potentially allow a malicious user to bring down a virtual machine. In addition, it also has a performance impact on the service console, especially if many VI Console sessions are open simultaneously. Instead of VI Console, use native remote management services, such as terminal services and ssh, to interact with virtual machines.


Virtual Machine Files and Settings

Virtual machines are encapsulated in a small number of files. One of the most important is the configuration file (.vmx), which governs the behavior of the virtual hardware and other settings. You can view and modify the configuration settings by viewing the .vmx file directly in a text editor or by checking the settings in the VI Client, using the following procedure:

1. Choose the virtual machine in the inventory panel.

2. Click Edit Settings. Click Options > Advanced/General.

3. Click Configuration Parameters to open the Configuration Parameters dialog box.

Whether you change a virtual machine's settings in the VI Client or using a text editor, you must restart the virtual machine for most changes to take effect.

A virtual machine also includes one or more .vmdk files, which represent the virtual disks used by the guest operating system.

The following sections provide guidelines you should observe when dealing with these and other virtual machine files.

Disable Copy and Paste Operations Between the Guest Operating System and Remote Console

When VMware Tools runs in a virtual machine, by default you can copy and paste between the guest operating system and the computer where the remote console is running. As soon as the console window gains focus, non-privileged users and processes running in the virtual machine can access the clipboard for the virtual machine console. If a user copies sensitive information to the clipboard before using the console, the user perhaps unknowingly exposes sensitive data to the virtual machine. It is recommended that you disable copy and paste operations for the guest operating system by creating the parameters shown in Table 1.

Table 1. Configuration Settings to Disable Copy and Paste

Name                                    Value
isolation.tools.copy.disable            true
isolation.tools.paste.disable           true
isolation.tools.setGUIOptions.enable    false

Limit Data Flow from the Virtual Machine to the Datastore

Virtual machines can write troubleshooting information to a virtual machine log file (vmware.log) stored on the VMware VMFS volume used to store other files for the virtual machine. Virtual machine users and processes can be configured to abuse the logging function, either intentionally or inadvertently, so that large amounts of data flood the log file. Over time, the log file can consume so much of the ESX/ESXi host's file system space that it fills the hard disk, causing an effective denial of service as the datastore can no longer accept new writes.

To prevent this problem, consider modifying the logging settings for virtual machines. You can use these settings to limit the total size and number of log files. Normally a new log file is created only when a host is rebooted, so the file can grow to be quite large, but you can ensure new log files are created more frequently by limiting the maximum size of the log files. If you want to restrict the total size of logging data, VMware recommends saving 10 log files, each one limited to 100KB. These values are small enough that the log files should not consume an undue amount of disk space on the host, yet the amount of data stored should capture sufficient information to debug most problems.


Each time an entry is written to the log, the size of the log is checked, and if it is over the limit, the next entry is written to a new log. If the maximum number of log files already exists, when a new one is created, the oldest log file is deleted. A denial of service attack that avoids these limits could be attempted by writing an enormous log entry, but each log entry is limited to 4KB, so no log files are ever more than 4KB larger than the configured limit. Table 2 shows which parameters to set and their recommended values:

Table 2. Configuration Settings to Limit Log File Size and Number of Log Files

Name              Recommended Value
log.rotateSize    100000
log.keepOld       10

A second option is to disable logging for the virtual machine. Disabling logging for a virtual machine makes troubleshooting challenging and support difficult, so you should not consider disabling logging unless the log file rotation approach proves insufficient. To disable logging, set the parameter shown in Table 3.

Table 3. Configuration Setting to Disable Virtual Machine Logging

Name                            Recommended Value
Isolation.tools.log.disable     true

Disabling logging in this manner does not completely disable all logging messages. The VMX process, which runs on the ESX host and is partly responsible for providing virtualization services for the virtual machine, continues to write logging messages to the virtual machine log file. However, the volume of messages from this source is very low and cannot be exploited from within the virtual machine, so it is not normally considered a potential source of data flooding.

If you nevertheless want to prevent all forms of logging, you can disable all messages by setting the parameter shown in Table 4. However, this is not recommended in a normal production environment.

Table 4. Configuration Setting to Disable Virtualization Service Logging

Name        Recommended Value
logging     false

In addition to logging, guest operating system processes can send informational messages to the ESX/ESXi host through VMware Tools. These messages, known as setinfo messages, are written to the virtual machine's configuration file (.vmx). They typically contain name-value pairs that define virtual machine characteristics or identifiers that the host stores, for example, ipaddress=10.17.87.224. A setinfo message has no predefined format and can be any length. Therefore, the amount of data passed to the host in this way is unlimited. An unrestricted data flow provides an opportunity for an attacker to stage a DoS attack by writing software that mimics VMware Tools and flooding the host with packets, thus consuming resources needed by the virtual machines.

To prevent this problem, the configuration file containing these name-value pairs is limited to a size of 1MB. This 1MB capacity should be sufficient for most cases, but you can change this value, if necessary. You might increase this value if large amounts of custom information are being stored in the configuration file.

To modify the GuestInfo file memory limit, set the tools.setInfo.sizeLimit parameter in the .vmx file. The default limit is 1MB, and this limit is applied even when the sizeLimit parameter is not listed in the .vmx file. The example in Table 5 sets the size limit to 1MB.

Table 5. Configuration Setting to Limit Size of GuestInfo File

Name                        Recommended Value
tools.setInfo.sizeLimit     1048576


You may also entirely prevent guest operating systems from writing any name-value pairs to the configuration file, using the setting in Table 6. This is appropriate when guest operating systems must be prevented from modifying configuration settings.

Table 6. Configuration Setting to Prevent Writing SetInfo Data to Configuration File

Name                               Value
isolation.tools.setinfo.disable    true

Do Not Use Nonpersistent Disks

The security issue with nonpersistent disk mode is that attackers may undo or remove any traces that they were ever on the machine with a simple shutdown or reboot. Once the virtual machine has been shut down, the vulnerability used to access the virtual machine will still be present, and the attackers may access the virtual machine in the future at a time of their choice. The danger is that administrators may never know if they have been attacked or hacked. To safeguard against this risk, you should use nonpersistent disk mode only for test and development virtual machines. You should set production virtual machines to use persistent disk mode only. To verify, make sure that the parameter scsiX:Y.mode is not present, where X and Y are single digits, or that if it is present, the value is not independent-nonpersistent. You can configure this option in the VI Client for each individual disk on a virtual machine. You can make changes only when the virtual machine is not powered on. To review and modify these settings:

1. Log in to the VI Client and choose the server from the inventory panel. The hardware configuration page for the server appears.

2. Expand the inventory as needed and choose the virtual machine you want to check.

3. Click the Edit Settings link in the Commands panel to display the Virtual Machine Properties dialog box.

4. Click the Hardware tab.

5. Click the appropriate hard disk in the Hardware list.

Ensure Unauthorized Devices Are Not Connected

Besides disabling unnecessary virtual devices from within the virtual machine, you should ensure that no device is connected to a virtual machine if it does not need to be there. For example, serial and parallel ports are rarely used for virtual machines in a data center environment, and CD/DVD drives are usually connected only temporarily during software installation.

For less commonly used devices, Table 7 shows the .vmx parameters that specify whether the device is available for a virtual machine to use. If the device is not needed, either the parameter should not be present or its value must be FALSE. The parameters listed in Table 7 are not sufficient to ensure that a device is usable, because other parameters are needed to indicate specifically how each device is instantiated.

Table 7. Configuration Parameters that Specify Certain Devices

Device           Configuration file parameter (where <X> is an integer 0 or greater)
Floppy drive     floppy<X>.present
Serial port      serial<X>.present
Parallel port    parallel<X>.present

Prevent Unauthorized Removal or Connection of Devices

Normal users and processes, that is, users and processes without root or administrator privileges, within virtual machines have the capability to connect or disconnect devices, such as network adapters and CD-ROM drives.


For example, by default, a rogue user within a virtual machine can:

Connect a disconnected CD-ROM drive and access sensitive information on the media left in the drive

Disconnect a network adapter to isolate the virtual machine from its network, which is a denial of service

In general, you should use the virtual machine settings editor or Configuration Editor to remove any unneeded or unused hardware devices. However, you may want to use the device again, so removing it is not always a good solution. In that case, you can prevent a user or running process in the virtual machine from connecting or disconnecting a device from within the guest operating system by adding the parameter shown in Table 8.

Table 8. Configuration Setting to Prevent Device Removal or Connection

Name                                   Value
Isolation.tools.connectable.disable    true

Avoid Denial of Service Caused by Virtual Disk Modification Operations

Shrinking a virtual disk reclaims unused space in the virtual disk. If there is empty space in the disk, this process reduces the amount of space the virtual disk occupies on the host drive. Normal users and processes, that is, users and processes without root or administrator privileges, within virtual machines have the capability to invoke this procedure. However, if this is done repeatedly, the virtual disk can become unavailable, effectively causing a denial of service. In most data center environments, disk shrinking is not done, so you should disable this feature by setting the parameters listed in Table 9.

Table 9. Configuration Settings to Prevent Virtual Disk Shrinking

Name                                 Value
isolation.tools.diskWiper.disable    True
isolation.tools.diskShrink.disable   True

Specify the Guest Operating System Correctly

Choosing the correct guest operating system in the configuration for each virtual machine is important. ESX optimizes certain internal configurations on the basis of this choice. The correct guest operating system setting can aid the chosen operating system greatly, and a mismatch between the setting and the operating system actually running in the virtual machine may cause significant performance degradation. The performance degradation may be similar to running an unsupported operating system on ESX. Choosing the wrong guest operating system is not likely to cause a virtual machine to run incorrectly, but it could degrade the virtual machine's performance.

The parameter that specifies the guest operating system is guestOS. Verify that the specified operating system matches the operating system actually running in the virtual machine, which you can determine by checking the virtual machine directly.

Verify Proper File Permissions for Virtual Machine Files

Be sure permissions for the virtual machine's files are set according to the guidelines in this section. Permissions for the configuration file (.vmx) should be read, write, execute (rwx) for owner, and read and execute (r-x) for group (755). Permissions for the virtual machine's virtual disk (.vmdk) should be read and write (rw-) for owner (600). For all of these files, both the user and group should be root.

Configuring the Service Console in ESX 3.5

Whether you use a management client or the command line, all configuration tasks for ESX 3.5 are performed through the service console, including configuring storage, controlling aspects of virtual machine behavior, and setting up virtual switches or virtual networks. As with an intelligent platform management interface (IPMI) or service processor on a physical server, someone logged in to the service console with privileged permissions has the ability to modify, shut down, or even destroy virtual machines on that host. The difference is that, instead of a single physical server, this can affect many virtual machines. Although ESX 3.5 management clients use authentication and encryption to prevent unauthorized access to the service console, other services might not offer the same protection. If attackers gain access to the service console, they are free to reconfigure many attributes of the ESX host. For example, they could change the entire virtual switch configuration or change authorization methods. Because the service console is the point of control for ESX, safeguarding it from misuse is crucial.

Configure the Firewall for Maximum Security

ESX 3.5 includes a firewall between the service console and the network. By default, the service console firewall is configured at a high security setting, with both incoming and outgoing traffic blocked by default except for a limited set of ports used by services that are enabled. The firewall contains a list of known services for which the appropriate incoming and outgoing ports are known, and it automatically opens ports for enabled services and closes them when a service is disabled. This section lists the services that are enabled by default when you install ESX 3.5. You can see the list of currently enabled services on an ESX host and the associated ports in the VI Client:

1. Choose the host.

2. Click the Configuration tab, then choose the Security Profile item under the Software heading.

3. Click Firewall Properties.

It is best to leave the default security firewall settings, which block all incoming and outgoing traffic that is not associated with an enabled service, then use the firewall's built-in service registry to enable and disable services. If you have a particular service or agent that is not part of the built-in list, you can open individual ports using the service console command esxcfg-firewall. If you do open ports, make sure to document the changes, including the purpose for opening each port. For more information on how to use the esxcfg-firewall command, see the section Changing the Service Console Security Level in the ESX Server 3 Configuration Guide or type man esxcfg-firewall on the command line.

Limit the Software and Services Running in the Service Console

Although the service console is based on Linux and is capable of running most Linux-based software, you should avoid running any additional software or services inside it wherever possible. Each additional component that is running represents an additional attack vector and also increases the potential for misconfiguration. For any service that you run in the service console, consider whether it is really needed and whether the equivalent functionality can be provided by an external agent that communicates with the ESX host using the standard built-in APIs.

The services that are on by default in the ESX 3.5 service console and the ports they use are described in Table 10. The second column of the table shows the string used to identify the service when using the esxcfg-firewall command, for example when running esxcfg-firewall --query to show the current status. The table also indicates when it is appropriate to disable a service. For example, if you are not using NFS to mount network shares in the service console, you should disable this service. Configure the Firewall for Maximum Security on page 8 describes how to use the VI Client to view which services are enabled. You can use the same properties dialog box to disable services as well as view them.
Table 10. Default Services in the ESX 3.5 Service Console

Service                        Identification in esxcfg-firewall command   Port          Traffic Type                       When to disable
CIM Service Location Protocol  CIMSLP                                      427           Incoming and outgoing UDP and TCP  If not using CIM-based software for monitoring or management
NFS client                     nfsClient                                   111, 2049     Outgoing TCP and UDP               If not mounting NFS-based storage in the service console
VMware Consolidated Backup     VCB                                         443, 902      Outgoing TCP                       If not using VCB for backup
CIM over HTTP                  CIMHttpServer                               5988          Incoming TCP                       If not using CIM-based software for monitoring or management
CIM over HTTPS                 CIMHttpsServer                              5989          Incoming TCP                       If not using CIM-based software for monitoring or management
Licensing                      LicenseClient                               27000, 27010  Outgoing TCP                       If using only host-based licensing
SSH Server                     sshServer                                   22            Incoming TCP                       If all management is done via VirtualCenter, VI Client, or other remote means
VirtualCenter Agent            vpxHeartbeats                               902           Outgoing UDP                       If not managed by VirtualCenter
VI API                         n/a                                         443           Incoming and outgoing TCP          Must always be available
Secure access redirect         n/a                                         80            Incoming TCP                       Must always be available

Additional software that might run in the service console includes management agents and backup agents. Although this software might have a legitimate purpose, the more components you have running in the service console, the more potential objects are susceptible to security vulnerabilities. In addition, these components often require specific network ports to be open in order to function, thus further increasing the avenues of attack.

For more information and recommendations on running third-party software in the service console, see http://www.vmware.com/vmtn/resources/516.

Use VI Client and VirtualCenter to Administer the Hosts Instead of Service Console

The best measure to prevent security incidents in the service console is to avoid accessing it if at all possible. You can perform many of the tasks necessary to configure and maintain the ESX host using the VI Client, either connected directly to the host or, better yet, going through VirtualCenter. The VI Client communicates using a well-defined API, which limits what can be done. This is safer than direct execution of arbitrary commands. Going through VirtualCenter has the added benefit that authorization and authentication are performed via your standard central Active Directory service, instead of using special local accounts in the service console. In addition, roles and users are stored in a database, providing an easy way to view the current permissions as well as take a snapshot of them. VirtualCenter also keeps track of every task invoked through it, providing an automatic audit trail.

Another alternative is to use a remote scripting interface, such as the VI Perl Toolkit or the remote command line interface (Remote CLI). These interfaces are built on the same API that VI Client and VirtualCenter use, so any script using them automatically enjoys the same benefits of authentication, authorization, and auditing.

In ESX 3.5, some advanced tasks, such as initial configuration for password policies, cannot be performed via the VI Client. For these tasks, you must log in to the service console. Also, if you lose your connection to the host, executing certain of these commands through the command line interface may be your only recourse, for example, if the network connection fails and you are therefore unable to connect using VI Client. These tasks are described in Appendix A of the ESX Server 3 Configuration Guide.

Use a Directory Service for Authentication

Advanced configuration and troubleshooting of an ESX host may require local privileged access to the service console. For these tasks, you should set up individual host-localized user accounts and groups for the few administrators with overall responsibility for your virtual infrastructure. Ideally, these accounts should correspond to real individuals and not be accounts shared by multiple people. Although you can create on the service console of each host local accounts that correspond to each global account, this presents the problem of having to manage user names and passwords in multiple places. It is much better to use a directory service, such as NIS or LDAP, to define and authenticate users on the service console, so you do not have to create local user accounts.

In the default installation, ESX 3.5 cannot use Active Directory to define user accounts. However, it can use Active Directory to authenticate users. In other words, you can define individual user accounts on the host, then use the local Active Directory domain to manage the passwords and account status. You must create a local account for each user that requires local access on the service console. This should not be seen as a burden; in general, only relatively few people should have access to the service console, so it is better that the default is for no one to have access unless you have created an account explicitly for that user.

Authentication on the service console is controlled by the command esxcfg-auth. You can find information on this command in its man page. Type man esxcfg-auth at the command line when logged in to the service console. For information on authentication with Active Directory, see the technical note at http://www.vmware.com/vmtn/resources/582.

It is also possible to use third-party packages, such as Winbind or Centrify, to provide tighter integration with Active Directory. Consult the documentation for those solutions for guidance on how to deploy them securely.

Strictly Control Root Privileges

Because the root user of the service console has almost unlimited capabilities, securing this account is the most important step you can take to secure the ESX host. By default, all insecure protocols, such as FTP, Telnet, and HTTP, are disabled. Remote access via SSH is enabled, but not for the root account. You can copy files remotely to and from the service console using an scp (secure cp) client, such as WinSCP.

Enabling remote root access over SSH or any other protocol is not recommended, because it opens the system to network-based attack should someone obtain the root password. A better approach is to log in remotely using a regular user account, then use sudo to perform privileged commands. The sudo command enhances security because it grants root privileges only for select activities, in contrast with the su command, which grants root privileges for all activities. Using sudo also provides superior accountability because all sudo activities are logged, whereas if you use su, ESX logs only the fact that the user switched to root by way of su. The sudo command also provides a way for you to grant or revoke execution rights to commands on an as-needed basis.

You can go a step further and disallow root access even on the console of the ESX host, that is, when you log in using a screen and keyboard attached to the server itself, or to a remote session attached to the server's console. This approach forces anyone who wants to access the system to first log in using a regular user account, then use sudo or su to perform tasks. Ideally, only a limited set of individuals need permission to run su in order to perform arbitrary administrative tasks. If you decide to disallow root login on the console, you should first create a nonprivileged account on the host to enable logins, otherwise you could find yourself locked out of the host. This nonprivileged account should be a local account, that is, one that does not require remote authentication, so that if the network connection to the directory service is lost, access to the host is still possible. You can assure this access by defining a local password for this account, using the passwd command. The local password overrides authentication via directory services (as discussed in the previous section). The net effect is that administrators can continue to access the system, but they never have to log in as root. Instead, they use sudo to perform particular tasks or su to perform arbitrary commands.

To prevent direct root login on the console, modify the file /etc/securetty to be empty. While logged in as root, enter the following command:

cat /dev/null > /etc/securetty

After you do this, only nonprivileged accounts are allowed to log in at the console. Note that this also can disable remote console capabilities, such as iLO and DRAC.


Control Access to Privileged Capabilities

Because su is such a powerful command, you should limit access to it. By default, only users that are members of the wheel group in the service console have permission to run su. If a user attempts to run su - to gain root privileges and that user is not a member of the wheel group, the su - attempt fails and the event is logged.

Besides controlling who has access to the su command, through the pluggable authentication module (PAM) infrastructure, you can specify what type of authentication is required to successfully execute the command. In the case of the su command, the relevant PAM configuration file is /etc/pam.d/su. To allow only members of the wheel group to execute the su command, and then only after authenticating with a password, find the line beginning with auth required and remove the leading pound sign (#) so it reads:

auth required /lib/security/$ISA/pam_wheel.so use_uid

The sudo utility should be used to control what privileged commands users can run while logged in to the service console. Among the commands you should regulate are all of the esxcfg-* commands as well as those that configure networking and other hardware on the ESX host. You should decide what set of commands should be available to more junior administrators and what commands you should allow only senior administrators to execute. You can also use sudo to restrict access to the su command.

Use the following tips to help you configure sudo:

Configure local and remote sudo logging (see Maintain Proper Logging on page 12).

Create a special group, such as vi_admins, and allow only members of that group to use sudo.

Use sudo aliases to determine the authorization scheme, then add and remove users in the alias definitions instead of in the commands specification.

Be careful to permit only the minimum necessary operations to each user and alias. Permit very few users to run the su command, because su opens a shell that has full root privileges but is not auditable.

If you have configured authentication using a directory service, sudo uses it by default for its own authentication. This behavior is controlled by the /etc/pam.d/sudo file, on the line for auth. The default setting service=system-auth tells sudo to use whatever authentication scheme has been set globally using the esxcfg-auth command.

Require users to enter their own passwords when performing operations. This is the default setting. Do not require the root password, because this presents a security risk, and do not disable password checking. In sudo the authentication persists for a brief period of time before sudo asks for a password again.

For further information and guidelines for using sudo, see http://www.gratisoft.us/sudo/.

Establish a Password Policy for Local User Accounts


For any local user accounts, the service console provides password controls on two levels to help you enforce
password policies to limit the risk of password cracking:

Password aging. These controls govern how long a user password can be active before the user is
required to change it. They help ensure that passwords change often enough that if an attacker obtains a
password through sniffing or social engineering, the attacker cannot continue to access the ESX host
indefinitely.

Password complexity. These controls ensure that users create passwords that are hard for password
generators to determine. Instead of using words, a common technique for ensuring password complexity
is to use a memorable phrase, then derive a password from it, for example, by using the first letter of each
word.

Both of these policies are described in the section Password Restrictions in the ESX Server 3 Configuration
Guide.

The default pam_cracklib.so plugin provides sufficient password strength enforcement for most
environments. However, if the pam_cracklib.so plugin is not stringent enough for your needs, you can use
the pam_passwdqc.so plugin instead. You change the plugin using the esxcfg-auth command.


For further protection, you can enforce account lockout after too many unsuccessful login attempts. To
configure the ESX service console to disable the account after three unsuccessful login attempts, add the
following lines to /etc/pam.d/system-auth:
auth required /lib/security/pam_tally.so no_magic_root
account required /lib/security/pam_tally.so deny=3 no_magic_root

To create the file for logging failed login attempts, execute the following commands:
touch /var/log/faillog
chown root:root /var/log/faillog
chmod 600 /var/log/faillog
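The following shell script is an added example, not part of the VMware paper: it audits the root-access controls from this section (empty /etc/securetty, pam_wheel on su, pam_tally lockout, and the faillog file mode) against an /etc and /var/log tree you point it at. The make_sample_etc helper and its file contents are constructed stand-ins for a hardened and a weak host so the audit can be exercised offline.

```shell
# audit_root_access ETC LOGDIR: check the su/PAM hardening described above.
# ETC is laid out like /etc and LOGDIR like /var/log (pass the real paths on a
# service console, or a copied tree for offline review). Prints one finding per
# line and returns the number of findings, so 0 means every check passed.
audit_root_access() {
  etc=${1:-/etc}
  log=${2:-/var/log}
  findings=0

  # /etc/securetty must exist and be empty: no direct root login on any console
  if [ ! -f "$etc/securetty" ] || [ -s "$etc/securetty" ]; then
    echo "securetty: missing or not empty (direct root console login possible)"
    findings=$((findings + 1))
  fi

  # pam_wheel must be active (not commented out) with use_uid in pam.d/su
  if ! grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+[^[:space:]]*pam_wheel\.so[[:space:]]+use_uid' \
       "$etc/pam.d/su" 2>/dev/null; then
    echo "pam.d/su: pam_wheel use_uid line missing or commented out"
    findings=$((findings + 1))
  fi

  # pam_tally lockout after three failures, with root excluded from the counter
  sa=$etc/pam.d/system-auth
  if ! grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+[^[:space:]]*pam_tally\.so.*no_magic_root' "$sa" 2>/dev/null \
     || ! grep -Eq '^[[:space:]]*account[[:space:]]+required[[:space:]]+[^[:space:]]*pam_tally\.so.*deny=3' "$sa" 2>/dev/null; then
    echo "pam.d/system-auth: pam_tally lockout (deny=3, no_magic_root) not configured"
    findings=$((findings + 1))
  fi

  # the failure counter file must exist and be readable by root only
  if [ ! -f "$log/faillog" ] || [ "$(stat -c %a "$log/faillog")" != 600 ]; then
    echo "faillog: missing or not mode 600"
    findings=$((findings + 1))
  fi

  return $findings
}

# make_sample_etc DIR MODE: build a constructed, minimal etc/ and var/log/ tree
# under DIR (MODE is "hardened" or "weak") so the audit can run without a host.
make_sample_etc() {
  mkdir -p "$1/etc/pam.d" "$1/var/log"
  if [ "$2" = hardened ]; then
    : > "$1/etc/securetty"
    printf 'auth required /lib/security/$ISA/pam_wheel.so use_uid\n' > "$1/etc/pam.d/su"
    printf 'auth required /lib/security/pam_tally.so no_magic_root\naccount required /lib/security/pam_tally.so deny=3 no_magic_root\n' \
      > "$1/etc/pam.d/system-auth"
    : > "$1/var/log/faillog"
    chmod 600 "$1/var/log/faillog"
  else
    printf 'tty1\n' > "$1/etc/securetty"
    printf '#auth required /lib/security/$ISA/pam_wheel.so use_uid\n' > "$1/etc/pam.d/su"
    printf 'auth required /lib/security/pam_unix.so\n' > "$1/etc/pam.d/system-auth"
  fi
}

# Demonstration on the two constructed trees (on a real host: audit_root_access /etc /var/log)
tmp=$(mktemp -d)
make_sample_etc "$tmp/hard" hardened
make_sample_etc "$tmp/weak" weak
audit_root_access "$tmp/hard/etc" "$tmp/hard/var/log" && echo "hardened sample: no findings"
audit_root_access "$tmp/weak/etc" "$tmp/weak/var/log" || echo "weak sample: $? findings"
rm -rf "$tmp"
```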

Do Not Manage the Service Console as a Linux Host


The service console is generated from a Red Hat Linux distribution that has been modified to provide exactly
the functionality necessary to communicate with and allow management of the VMkernel. Any additional
software installed should not make assumptions about what RPM packages are present, nor that the software
can modify them. In several cases, the packages that do exist have been modified especially for ESX.

It is particularly important that you not treat the service console like a Linux host when it comes to patching.
Never apply patches issued by Red Hat or any other third-party vendor. Apply only patches that are published
by VMware specifically for the versions of ESX that you have in use. These are published for download
periodically, as well as on an as-needed basis for security fixes. You can receive notifications for
security-related patches by signing up for email notifications at http://www.vmware.com/security.

Similarly, you should never use a scanner to analyze the security of the service console unless the scanner is
specifically designed to work with your version of ESX. In particular, scanners that assume the service console
is a standard Red Hat Linux distribution routinely yield false positives. These scanners typically look only for
strings in the names of software, and therefore do not account for the fact that VMware releases custom
versions of packages with special names when providing security fixes. Because these special names are
unknown to the scanners, they flag them as vulnerabilities when in reality they are not. You should use only
scanners that specifically treat the ESX service console as a unique target. For more information, see the section
Security Patches and Security Vulnerability Scanning Software in the chapter Service Console Security of
the ESX Server 3 Configuration Guide.

In addition, you should not manage the service console as if it were a traditional Linux host. The usual
redhat-config-* commands are not present, nor are other components such as the X server. Instead, you
manage the ESX host using a series of purpose-built commands, such as vmkfstools and the esxcfg-*
commands. Many of these commands should be used only upon instruction from VMware Technical Support,
or not invoked manually at all, but a few provide functionality that is not available via the VI Client, such as
authentication management and advanced storage configuration.

If you follow the best practice of isolating the network for the service console, there is no reason to run any
antivirus or other such security agents, and their use is not necessarily recommended. However, if your
environment requires that such agents be used, use a version designed to run on Red Hat Enterprise Linux 3,
Update 6.

For more information on the special administrative commands in the service console, see ESX Technical
Support Commands and Using vmkfstools in the appendices of the ESX Server 3 Configuration Guide.

Maintain Proper Logging


Proper and thorough logging allows you to keep track of any unusual activity that might be a precursor to an
attack and also allows you to do a postmortem on any compromised systems and learn how to prevent attacks
from happening in the future.


The syslog daemon performs the system logging in ESX. You can access the log files in the service console by
going to the /var/log/ directory. Several types of log files generated by ESX are shown in Table 11.

Table 11. Key Log Files Generated by ESX

Component             Location                               Purpose
VMkernel              /var/log/vmkernel                      Records activities related to the virtual machines and ESX
VMkernel warnings     /var/log/vmkwarning                    Records activities with the virtual machines
VMkernel summary      /var/log/vmksummary                    Used to determine uptime and availability statistics for ESX; human-readable summary found in /var/log/vmksummary.txt
ESX host agent log    /var/log/vmware/hostd.log              Contains information on the agent that manages and configures the ESX host and its virtual machines
Virtual machines      Same directory as the affected virtual machine's configuration files; named vmware.log and vmware-*.log    Contain information when a virtual machine crashes or ends abnormally
VirtualCenter agent   /var/log/vmware/vpx                    Contains information on the agent that communicates with VirtualCenter
Web access            Files in /var/log/vmware/webAccess     Records information on Web-based access to ESX
Service console       /var/log/messages                      Contains all general log messages used to troubleshoot virtual machines or ESX
Authentication log    /var/log/secure                        Contains records of connections that require authentication, such as VMware daemons and actions initiated by the xinetd daemon.

The log files provide an important tool for diagnosing security breaches as well as other system issues. They
also provide key sources of audit information. In addition to storing log information in files on the local file
system, you can send this log information to a remote system. The syslog program is typically used for
computer system management and security auditing, and it can serve these purposes well for ESX hosts. You
can select individual service console components for which you want the logs sent to a remote system.

The following tips provide best practices for logging:

Ensure accurate timekeeping.

By ensuring that all systems use the same relative time source (including the relevant localization offset),
and that the relative time source can be correlated to an agreed-upon time standard (such as Coordinated
Universal Time, UTC), you can make it simpler to track and correlate an intruder's actions when
reviewing the relevant log files. In the service console, you set the time source using the NTP (Network
Time Protocol) system. For instructions on how to configure NTP, see VMware knowledge base article
1339 (http://kb.vmware.com/kb/1339).

Control growth of log files.

In order to prevent the log file from filling up the disk partition on which it resides, configure log file
rotation. This automatically creates a backup of the log file after it reaches a certain specified size and
keeps only a specified number of older backup files before automatically deleting them, thus limiting the
total disk usage for logging. The log rotation behavior is specified for each component in configuration
files located in the directory /etc/logrotate.d as well as in the file /etc/logrotate.conf.

For the three files in /etc/logrotate.d (vmkernel, vmksummary, and vmkwarning), it is recommended
that the configuration be modified to:

Increase the size of the log file to 4096k.

Enable compression by setting the line compress instead of nocompress.


This allows greater logging in the same file system space. For more information on configuring log file
rotation, see man logrotate.

Use remote syslog logging.

Remote logging to a central host provides a way to greatly increase administration capabilities. By
gathering log files onto a central host, you can easily monitor all hosts with a single tool as well as do
aggregate analysis and searching to look for such things as coordinated attacks on multiple hosts.

An important point to consider is that the log messages are not encrypted when sent to the remote host,
so it is important that the network for the service console be strictly isolated from other networks.

Syslog behavior is controlled by the configuration file /etc/syslog.conf. For logs you want to send to
a remote log host, add a line with @<loghost.company.com> after the message type, where
<loghost.company.com> is the name of a host configured to record remote log files. Make sure that this
host name can be properly resolved, putting an entry in the name service maps if needed.

Example:
local6.warning @<loghost.company.com>

After modifying the file, tell the syslog daemon to reread it by issuing the following command:
kill -SIGHUP `cat /var/run/syslogd.pid`

Display different log level messages on different screens.

An option for syslog is to log to an alternate console, which can be displayed from the terminal of the ESX
host. ESX has the capability at the console to display a number of virtual terminals. This gives you the
capability to have critical, error, and warning messages displayed on different screens, enabling you to
quickly differentiate types of errors.

To enable this separation of log message display, add the following lines to the /etc/syslog.conf file:
*.crit /dev/tty2

All log items at the critical level or higher are logged to the virtual terminal at tty2. Press Alt-F2 at the ESX
console to view these logs.
*.err /dev/tty3

All log items at the error level or higher are logged to the virtual terminal at tty3. Press Alt-F3 at the ESX
console to view these logs.
*.warning /dev/tty4

All log items at the warning level or higher are logged to the virtual terminal at tty4. Press Alt-F4 at the
ESX Server console to view these logs.

When you are finished, issue the command for rereading the configuration file:
kill -SIGHUP `cat /var/run/syslogd.pid`

Use local and remote sudo logging.

If you have configured sudo to enable controlled execution of privileged commands, you can benefit from
using syslog to audit use of these commands. By default, all invocations of sudo are logged to
/var/log/secure. By modifying the line containing this file name in the syslog configuration file as
described above, you can have all these log messages also sent to a remote syslog server.
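As an added example that is not part of the VMware paper, the script below checks a syslog.conf for the forwarding just described: it finds the selector that writes a local file (for sudo, /var/log/secure) and reports whether that same selector is also sent to a remote @loghost line. The sample configuration and the host name loghost.example.com are constructed; only exact selector matches and the catch-all *.* are recognised.

```shell
# selector_for CONF FILE: print the selector of every line whose action is FILE
# (the optional "-" prefix that disables syncing on a file action is ignored).
selector_for() {
  awk -v f="$2" '
    /^[ \t]*(#|$)/ { next }
    NF >= 2 { a = $2; sub(/^-/, "", a); if (a == f) print $1 }' "$1"
}

# forwarded_to CONF SELECTOR: succeed and print the loghost(s) if SELECTOR, or
# the catch-all "*.*", is also sent to a remote "@host" action. Selector algebra
# (for example "*.info" covering "authpriv.*") is not evaluated here.
forwarded_to() {
  awk -v s="$2" '
    /^[ \t]*(#|$)/ { next }
    NF >= 2 && ($1 == s || $1 == "*.*") && $2 ~ /^@./ { print substr($2, 2); found = 1 }
    END { exit found ? 0 : 1 }' "$1"
}

# check_forwarding CONF FILE: 0 when every selector that writes FILE locally is
# also forwarded; otherwise name the ones that are not and return 1.
check_forwarding() {
  rc=0
  sels=$(selector_for "$1" "$2")
  [ -n "$sels" ] || { echo "no line in $1 writes $2"; return 1; }
  set -f   # selectors contain "*": keep the shell from globbing them
  for sel in $sels; do
    if ! forwarded_to "$1" "$sel" >/dev/null; then
      echo "$sel -> $2 is kept only on the host (no @loghost line)"
      rc=1
    fi
  done
  set +f
  return $rc
}

# Constructed sample in the layout of the service console's /etc/syslog.conf;
# loghost.example.com stands in for the real remote log host.
sample_syslog_conf() {
  cat <<'EOF'
# constructed sample, not a real host's file
*.info;mail.none;authpriv.none;cron.none        /var/log/messages
authpriv.*                                      /var/log/secure
authpriv.*                                      @loghost.example.com
*.crit                                          /dev/tty2
local6.warning                                  @loghost.example.com
EOF
}

# Demonstration (on a real host: check_forwarding /etc/syslog.conf /var/log/secure)
tmp=$(mktemp -d)
sample_syslog_conf > "$tmp/syslog.conf"
check_forwarding "$tmp/syslog.conf" /var/log/secure && echo "sudo audit records (authpriv) reach the remote loghost"
check_forwarding "$tmp/syslog.conf" /var/log/messages || echo "general messages stay on the host only"
rm -rf "$tmp"
```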

Establish and Maintain File System Integrity


The service console has a number of files that specify its configurations:

/etc/profile

/etc/ssh/sshd_config

/etc/pam.d/system-auth


/etc/grub.conf

/etc/krb.conf

/etc/krb5.conf

/etc/krb.realms

/etc/login.defs

/etc/openldap/ldap.conf

/etc/nscd.conf

/etc/ntp

/etc/ntp.conf

/etc/passwd

/etc/group

/etc/nsswitch.conf

/etc/resolv.conf

/etc/sudoers

/etc/shadow

In addition, ESX configuration files located in the /etc/vmware directory store all the VMkernel information.

All of these files should be monitored for integrity and unauthorized tampering, using a commercial tool such
as Tripwire or Configuresoft, or by using a checksum tool such as sha1sum, which is included in the service
console. These files should also be backed up regularly, either using backup agents or by doing backups based
on file copying. Not all of these files are actually used by your particular ESX deployment, but all the files are
listed for completeness.

Another check to perform is to make sure that the file permissions of important files and utility commands
have not been changed from the default. Some files in particular to check include:

The /usr/sbin/esxcfg-* commands, which are all installed by default with permissions 500, except for
esxcfg-auth, which has permissions 544.

The log files discussed in the previous section, which all have permissions 600, except for the directory
/var/log/vmware/webAccess, which has permissions 755, and the virtual machine log files, which have
permissions 644.

Certain system commands that have the SUID bit. These commands are listed in Table 12-3 of the ESX
Server 3 Configuration Guide.

For all of these files, the user and group owner should be root.
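The script below is an added example, not from the VMware paper: a sha1sum baseline for the configuration files listed above (the same verify step works for ESXi files fetched with vifs), plus a mode check for the esxcfg-* commands against the defaults stated in this section (500, or 544 for esxcfg-auth). The make_sample_bin helper and its files are constructed stand-ins for /usr/sbin so the checks can run offline; keep a real baseline off the host so it cannot be rewritten by whoever altered the files.

```shell
# integrity_baseline BASELINE FILE...: record the sha1 sum of each file that exists.
integrity_baseline() {
  out=$1; shift
  : > "$out"
  for f in "$@"; do
    if [ -f "$f" ]; then sha1sum "$f" >> "$out"; fi
  done
}

# integrity_verify BASELINE: 0 if every recorded file still matches; otherwise
# sha1sum names the changed or missing files and the status is non-zero.
integrity_verify() {
  sha1sum -c --quiet "$1"
}

# check_mode FILE EXPECTED: 0 if FILE has octal mode EXPECTED, else report and 1.
check_mode() {
  m=$(stat -c %a "$1" 2>/dev/null) || { echo "$1: missing"; return 1; }
  [ "$m" = "$2" ] && return 0
  echo "$1: mode $m, expected $2"
  return 1
}

# check_esxcfg_modes DIR: every esxcfg-* command in DIR should be mode 500,
# except esxcfg-auth (544). Returns the number of deviations found.
check_esxcfg_modes() {
  bad=0
  for f in "$1"/esxcfg-*; do
    [ -f "$f" ] || continue
    want=500
    [ "$(basename "$f")" = esxcfg-auth ] && want=544
    check_mode "$f" "$want" || bad=$((bad + 1))
  done
  return $bad
}

# make_sample_bin DIR: constructed stand-in for /usr/sbin with three esxcfg-*
# commands at their default modes (the real commands are not reproduced here).
make_sample_bin() {
  mkdir -p "$1"
  for c in esxcfg-vswitch esxcfg-auth esxcfg-firewall; do
    printf '#!/bin/sh\n' > "$1/$c"
    chmod 500 "$1/$c"
  done
  chmod 544 "$1/esxcfg-auth"
}

# Demonstration on the constructed directory. On a live host you would run
#   check_esxcfg_modes /usr/sbin
#   integrity_baseline /safe/place/baseline /etc/profile /etc/ssh/sshd_config ...
tmp=$(mktemp -d)
make_sample_bin "$tmp/sbin"
check_esxcfg_modes "$tmp/sbin" && echo "esxcfg-* modes match the defaults"
integrity_baseline "$tmp/baseline" "$tmp/sbin"/esxcfg-*
integrity_verify "$tmp/baseline" && echo "baseline verified"
rm -rf "$tmp"
```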

Secure the SNMP Configuration


ESX 3.5 provides an SNMP agent to monitor faults and system status. It supports SNMP versions 1, 2c, and 3.
When an SNMP agent is enabled in ESX, network management tools can listen for notifications or poll for
status information about the configuration of virtual machines and the state of the network, CPU, disk, and
installed software.

It is recommended that you configure ESX 3.5 to use SNMP version 3, which provides for authentication and
privacy of messages between the agent and management station. Consult the snmpd.conf man page for more
information on configuring SNMP.


Protect against the Root File System Filling Up


When you install ESX 3.5, you should accept the recommended disk partitioning for the most effective
installation. If you choose to partition the disk manually, you should ensure that you have created separate
partitions for the directories /home, /tmp, and /var/log. These are all directories that have the potential to fill
up, and if they are not isolated from the root partition, you could experience a denial of service if the root
partition is full and unable to accept any more writes. Datastore Partitioning, an appendix of the Installation
and Upgrade Guide, covers disk partitions in more detail.

Disable Automatic Mounting of USB Devices


External USB drives can be connected to the ESX host and be loaded automatically on the service console. The
USB drive must be mounted before you can use it, but drivers are loaded to recognize the device. Malicious
users may be able to run malicious code on the ESX host and go undetected because the USB drive is external.
By default, automatic USB drive mounting is enabled, but it is recommended that you disable this feature by
editing the service console file /etc/modules.conf and commenting out the line containing alias
usb-controller by placing a pound sign (#) at the beginning.

Configuring Host-level Management in ESXi 3.5


Even though ESXi 3.5 does not ship with a service console, there are some aspects of host-level management
that you can configure and monitor. Some of these options are new to the ESXi architecture, and some are
analogous to options available in ESX 3.5.

Strictly Control Root Privileges


You might want to avoid managing ESXi hosts directly, but instead prefer to require that all management be
done through VirtualCenter. This enforces the use of a central authentication model (typically Active
Directory) and allows permissions to be set globally. It also allows all tasks to be logged in one place, the
VirtualCenter database, which makes auditing easier.

Lockdown mode is available on any ESXi 3.5 host that you have added to a VirtualCenter Server. Enabling
lockdown mode disables all remote root access to ESXi 3.5 machines. Any subsequent local changes to the host
must be made:

In a VI Client session or using Remote CLI commands to VirtualCenter.

In a VI Client session or using Remote CLI commands directly to the ESXi 3.5 system using a local user
account defined on the host. By default, no local user accounts exist on the ESXi system. You must create
those accounts before enabling lockdown mode and must create them in a VI Client session connected
directly to the ESXi system. Changes to a host are limited to those that can be made with the privileges
granted to a particular user locally on that host.

It is recommended that you enable lockdown mode for your ESXi 3.5 hosts. You can enable and disable
lockdown mode either using a VI Client logged in to VirtualCenter or using the direct console user interface
(DCUI). For details on how to do this, see the chapter Security Deployments and Recommendations in the
ESX Server 3i Configuration Guide.

Control Access to Privileged Capabilities


Ideally, you manage users who access the ESXi 3.5 system with the user management features of VirtualCenter.
In certain cases, however, you need to manage a host directly, for example:

You have not purchased VirtualCenter, perhaps because you are just starting out with ESXi or because
you have a very small deployment.

You want to provide for administrative access to the system in case VirtualCenter is down or otherwise
unavailable, or if the VirtualCenter agent on the host is not working properly.

You need to use Remote CLI commands, such as those for backing up and restoring the configuration of
the system, that must be run directly on the host, not through VirtualCenter.


Security best practices dictate that the root password should be known to as few individuals as possible, and
the root account should not be used if any alternative is possible, because it is an anonymous account and
activity by the root user cannot be definitively associated with a specific individual. The root password is
initially blank, so one of your first steps in configuring the server should be to create a strong password for the
root account.

ESXi 3.5 allows you to create local users and groups on the system. Definitions for these users and groups are
stored locally on each individual ESXi host, and the definitions for each host are totally independent of other
hosts. You cannot use Active Directory or any other directory service to identify or authenticate the local users.
Furthermore, the user and group lists maintained by VirtualCenter are completely separate from the lists
maintained by ESXi hosts. Even if the lists maintained by a host and VirtualCenter appear to have common
users (for instance, a user called devuser), you must treat these users as separate users who happen to have
the same name. The attributes of devuser in VirtualCenter, including permissions and passwords, are separate
from the attributes of devuser on the ESXi host. If you log on to VirtualCenter as devuser, you might have
permission to view and delete files from a datastore, whereas if you log on to an ESXi host as devuser, you
might not.

Because of the confusion that duplicate naming can cause, VMware recommends that you check the
VirtualCenter user list before you create ESXi host users so you can avoid creating host users that have the
same names as VirtualCenter users. To check for VirtualCenter users, review the Windows domain list.

You can grant various levels of permissions to local users. The privilege model for an ESXi host mirrors that of
VirtualCenter, except it lacks objects such as datacenters and clusters, which have no meaning for an
individual host. You can create custom roles that grant specific privileges, then assign them to certain users.
These privileges affect what a particular user can do, both in a VI Client and using the Remote CLI. You should
create a different local user account for any person who might need direct access to the host and grant that
user particular privileges to limit the user's capabilities. You can use local group definitions to simplify this
assignment.

One particular built-in local group has special meaning. If you give a user membership in the local admin
group, that user has the ability to log in to the DCUI, which is the interface available at the console of an ESXi
host that allows for basic host configuration (modifying networking settings and the root password, for
example). Assignment to this group enables an administrative user to perform tasks on the DCUI without
logging in as root. However, this is a very powerful privilege, because access to the DCUI allows someone to
change the root password or even power off the host. Therefore, only the most trusted administrators should
be granted membership to the local admin group.

For more information on local users and privileges in ESXi, see the chapter Authentication and User
Management in the ESX Server 3i Configuration Guide.

Maintain Proper Logging


ESXi 3.5 maintains a log of activity in log files. It uses a syslog facility, just as ESX 3.5 does. However, ESXi
maintains a smaller number of log files. The following logs are available:

hostd.log

messages

vpxa.log (only if the host has been joined to a VirtualCenter instance)

There are several ways to view the contents of these log files.

To view the logs in a VI Client, take the following steps:

1 Log in directly to the ESXi host using VI Client and make sure the host is selected in the Inventory.

2 Click Administration, then click the System Logs tab.

3 Choose the log file you want to view in the drop-down menu in the upper left.

To view the logs in a Web browser, enter the URL https://<hostname>/host, where <hostname> is the host
name or IP address of the management interface of the ESXi host, then choose from the list of files presented.


You can use the Remote CLI command vifs to download the log files to your local system.

You can also configure syslog to send log messages to a remote system.

As with ESX 3.5, you should configure NTP on the host to ensure accurate timekeeping.

You can find more information on configuring syslog and NTP for ESXi hosts in the following documents:

The System Log Files and Host Configuration for ESX Server and VirtualCenter sections of the
System Configuration chapter in the Basic System Administration Guide.

The appendix Remote Command-Line Interface Reference in the ESX Server 3i Configuration Guide.

Establish and Maintain Configuration File Integrity


As with ESX, ESXi maintains its configuration state in a set of configuration files. However, on ESXi these files
can be accessed only using the remote file access API, and there are far fewer files involved. These files
normally are not modified directly. Instead, their contents normally change indirectly because of some action
invoked on the host. However, the file access API does allow for direct modification of these files, and some
modifications might be warranted in special circumstances. Therefore, you should monitor all of these files for
integrity and unauthorized tampering, either by periodically downloading them and tracking their contents
or by using a commercial tool designed to do this. The accessible and relevant configuration files in ESXi 3.5
are:

esx.conf

hostAgentConfig.xml

hosts

license.cfg

motd

openwsman.conf

proxy.xml

snmp.xml

ssl_cert

ssl_key

syslog.conf

vmware_config

vmware_configrules

vmware.lic

vpxa.cfg

To view the configuration files in a Web browser, enter the URL https://<hostname>/host, where
<hostname> is the host name or IP address of the management interface of the ESXi host, then choose from
the list of files presented.

You can use the Remote CLI command vifs to download the configuration files to your local system, as well
as to upload new versions of these files. Although in some cases the new settings take effect immediately, you
should always restart the ESX host after making changes directly to the configuration files (as opposed to
making configuration changes via the VI Client, VirtualCenter, or the Remote CLI).


Secure the SNMP Configuration


ESXi 3.5 contains a different SNMP agent from that in ESX 3.5, and it supports only versions 1 and 2c. It
provides the same notifications as ESX 3.5 and adds notifications for hardware-related sensors. Unlike ESX 3.5,
it supports only the SNMPv2 MIB and supports it only for discovery, inventory, and diagnostics of the SNMP
agent.

SNMP messages contain a field called the community string, which conveys context and usually identifies the
sending system for notifications. This field also provides context for the instance of a MIB module on which
the host should return information. ESX/ESXi SNMP agents allow multiple community strings per notification
target as well as for polling. Keep in mind that community strings are not meant to function as passwords, but
only as a method for logical separation.

SNMP v1 and v2c traffic is not encrypted, which means that messages can be snooped, and they could be
modified in flight without the receiver knowing about it. Ways to mitigate this risk include:

Run SNMP on trusted networks, use routing and layer 2 filtering to lock down MAC addresses to layer 2
ports, and route SNMP traffic to trusted servers.

Run SNMP in a VPN/IPsec tunnel on your edge routers for SNMP traffic.

Ensure Secure Access to CIM


The Common Information Model (CIM) system provides an interface that enables hardware-level
management from remote applications via a set of standard APIs. To ensure that the CIM interface is secure,
follow these recommendations:

Do not provide root credentials to remote applications to access the CIM interface. Instead, create a service
account specific to these applications. Read-only access to CIM information is granted to any local account
defined on the ESXi system.

If the application requires write access to the CIM interface, only two local privileges are required. It is
recommended that you create a local role to apply to the service account with only these privileges:

Host > Config > System Management

Host > CIM > CIM Interaction

Audit or Disable Technical Support Mode


ESXi has a special technical support mode, which is an interactive command line available only on the console
of the server. Technical support mode is unsupported unless used in consultation with VMware Technical
Support and must be activated before it can be used. Access to this mode requires the root password of the
server in addition to access to the console of the server, either physically or through a remote KVM or iLO
interface.

Technical support mode is designed to be used only in cases of emergency, when management agents that
provide the remote interfaces are inoperable and they cannot be restarted through the DCUI. There is no
reason to use technical support mode for any other purpose apart from technical support. Technical support
mode is on by default, but you can disable it entirely.

Technical support mode is secured in the following ways:

It is accessible only on the local console; unlike SSH or Telnet, it cannot be accessed remotely. Thus,
physical access to the host or something equivalent to physical access, such as HP iLO, Dell DRAC, IBM
RSA, or a similar remote console tool, is absolutely required for access to technical support mode. Most
organizations have sufficient forms of protection on physical (or physical-equivalent) access to the host
(for example, door locks, key cards, and authentication for the remote console).

It requires the root password before access is granted. Any individuals who have both physical (or
console) access and the root password are already fully privileged and can do anything they want on the
system. The presence of technical support mode does not augment or reduce this risk.


You can audit technical support mode using the following information:

Whenever someone activates technical support mode, the time and date of activation are sent to the
system log messages file.

All unsuccessful attempts to access technical support mode (that is, someone enters the incorrect root
password) are recorded in the system log.

The time and date of all successful accesses to technical support mode are sent to the system log.

To ensure accurate and reliable system logs, you should configure remote syslog on the server, so log messages
are kept on an outside system and cannot be altered from the server. Actions performed while in technical
support mode are not logged. Any access to technical support mode should be correlated with a specific call
to VMware Technical Support. If there is no corresponding support session, you should immediately suspect
malicious activity and inspect the system for tampering.

If you are unable to audit technical support mode to a degree that matches your security risk posture, you
should disable it for all of your ESXi hosts. For details on disabling technical support mode, see VMware
knowledge base article 1003677 (http://kb.vmware.com/kb/1003677).

Configuring the ESX/ESXi Host


The following recommendations apply to the way the ESX/ESXi host itself is configured. Many of the
recommendations apply to the configuration of the networks to which virtual machines are attached, because
most security attacks occur through network connections. Others pertain to the operation of the ESX/ESXi
software itself.

Isolate the Infrastructure-related Networks


Several capabilities of VMware Infrastructure involve communication among components over a network.

Management. This includes the following types of communication:

Between ESX/ESXi and VirtualCenter

Amongst ESX/ESXi hosts, for example, for VMware High Availability coordination

Between ESX/ESXi or VirtualCenter and systems running client software such as the VI Client or a VI
SDK application

Between ESX/ESXi and ancillary management services, such as DNS, NTP, syslog, and the user
authentication service

Between ESX/ESXi and third-party management tools, such as hardware monitoring, systems
management, and backup tools

Between VirtualCenter and supporting services, such as the VirtualCenter database and the user
authentication service

Between VirtualCenter and optional add-on components such as VMware Update Manager and
VMware Converter Enterprise, if they are installed on separate servers

VMotion. This involves transferring the live running state of a virtual machine from one ESX/ESXi host to
another.

Storage. This includes any network-based storage, such as iSCSI and NFS.

All of the networks used for these communications provide direct access to core functionality of VMware
Infrastructure. The management network provides access to the VMware Infrastructure management
interface on each component, and any remote attack would most likely begin with gaining entry to this
network. VMotion traffic is not encrypted, so the entire state of a virtual machine could potentially be snooped
from this network. Finally, access to the storage network potentially allows someone to read the contents of
virtual disks residing on shared storage. Therefore, all of these networks should be isolated and strongly
secured from all other traffic, especially any traffic going to and from virtual machines. The exception is if one
of the components listed above actually runs in a virtual machine. In that case, this virtual machine naturally
has an interface on the management network and thus should not have an interface on any other network.

VMware recommends that you isolate networks using one of these methods:

Create a separate VLAN for each network.

Configure network access for each network through its own virtual switch and one or more uplink ports.

In either case, you should consider using NIC teaming for the virtual switches to provide redundancy.

If you use VLANs, you need fewer physical NICs to provide the isolation, a factor that is especially important
in environments with constrained hardware such as blades. VMware virtual switches are by design immune
to certain types of attacks that have traditionally targeted VLAN functionality. For details, see the chapter
Securing an ESX Server 3 Configuration in the ESX Server 3 Configuration Guide. In general, VMware believes
that VLAN technology is mature enough that it can be considered a viable option for providing network
isolation.

ESX/ESXi does not support virtual switch port groups configured to VLAN 1. If the physical switch port to
which the ESX/ESXi host is connected is configured with VLAN 1, ESX/ESXi drops all packets. You can
configure the ESX/ESXi virtual switch port groups with any value between 2 and 4094. Utilizing VLAN 1
causes a denial of service because ESX/ESXi drops this traffic. It is recommended that you check the physical
network hardware configuration to verify the ports to which the ESX/ESXi host connects are not configured to
VLAN 1. In addition, VLAN ID 4095 specifies that the port group should use trunk mode or VGT mode, which
allows the guest operating system to manage its own VLAN tags. Guest operating systems typically do not
manage their VLAN membership on networks, so if this value is set, ensure that there is a legitimate reason
for doing so.
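The following added example (not from the VMware paper) turns the two VLAN checks above into a review script: it reads the port group listing printed by esxcfg-vswitch -l and flags every port group on VLAN 1 (traffic dropped) or VLAN 4095 (guest-managed tagging, which needs a documented reason). The sample listing is constructed and assumes the ESX 3.x column layout (PortGroup Name, VLAN ID, Used Ports, Uplinks), with port group names that may contain spaces.

```shell
# vlan_findings: reads "esxcfg-vswitch -l" output on stdin and prints one line
# "switch|portgroup|vlan|reason" per port group that needs attention. Exits 1 if
# any were found, 0 otherwise. Column layout is an assumption (see lead-in).
vlan_findings() {
  awk '
    /^Switch Name/ { insw = 1; inpg = 0; next }      # header of a vSwitch block
    insw { sw = $1; insw = 0; next }                 # data line: switch name first
    /^[ \t]*PortGroup Name/ { inpg = 1; next }       # header of the port group table
    /^[ \t]*$/ { inpg = 0; next }                    # blank line ends the table
    inpg && NF >= 4 {
      # last three columns are VLAN ID, Used Ports, Uplinks; the rest is the name
      vlan = $(NF-2); name = $1
      for (i = 2; i <= NF-3; i++) name = name " " $i
      if (vlan == 1)    { print sw "|" name "|" vlan "|VLAN 1: ESX/ESXi drops this traffic"; bad = 1 }
      if (vlan == 4095) { print sw "|" name "|" vlan "|VLAN 4095: guest-managed tagging (VGT), confirm it is intended"; bad = 1 }
    }
    END { exit bad ? 1 : 0 }'
}

# Constructed sample in the layout of "esxcfg-vswitch -l" (not captured from a host).
sample_vswitch_output() {
  cat <<'EOF'
Switch Name    Num Ports   Used Ports  Configured Ports  MTU     Uplinks
vSwitch0       64          5           64                1500    vmnic0

  PortGroup Name      VLAN ID  Used Ports  Uplinks
  Service Console     10       1           vmnic0
  VMotion             20       1           vmnic0
  Legacy VMs          1        2           vmnic0

Switch Name    Num Ports   Used Ports  Configured Ports  MTU     Uplinks
vSwitch1       64          3           64                1500    vmnic1,vmnic2

  PortGroup Name      VLAN ID  Used Ports  Uplinks
  Guest Tagged        4095     1           vmnic1,vmnic2
  Production          100      2           vmnic1,vmnic2
EOF
}

# Demonstration (on a live ESX host: esxcfg-vswitch -l | vlan_findings)
sample_vswitch_output | vlan_findings || echo "review the port groups listed above"
```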

If you do not use VLANs, either because you have no VLAN support in your environment or because you do
not consider VLANs strong enough for isolation, you can combine the three types of infrastructure-related
networks onto two or fewer virtual switches. However, you should still keep the virtual machine networks
separate from the infrastructure networks by using separate virtual switches with separate uplinks.

Configure Encryption for Communication between Clients and ESX/ESXi


Client sessions with the ESX/ESXi host may be initiated from any VI API client, such as VI Client,
VirtualCenter, and the Remote Command-Line Interface. SSL encryption protects the connection between the
VI Client and ESX/ESXi, but the default certificates used to secure your VirtualCenter and VI Web Access
sessions are not signed by a trusted certificate authority and, therefore, do not provide the authentication
security you might need in a production environment. These self-signed certificates are vulnerable to
man-in-the-middle attacks, and clients receive a warning about them. If you intend to use encrypted remote
connections externally, consider purchasing a certificate from a trusted certificate authority or use your own
security certificate for your SSL connections. Enabling certificate checking and installation of new certificates
are described in the chapter Authentication and User Management in the ESX Server 3 Configuration Guide.

Label Virtual Networks Clearly


Label all your virtual networks appropriately to prevent confusion or security compromises. This labeling
prevents operator error caused by attaching a virtual machine to a network it is not authorized for or to a
network that could allow the leakage of sensitive information.

Do Not Create a Default Port Group


During ESX/ESXi installation, you have the option of creating a default virtual machine port. However, this
option creates a virtual machine port group on the same network interface as the service console. If this setting
is left unchanged, it could allow virtual machines to detect sensitive and often unencrypted information.
Because the service console should always be on a separate, private network, this option should never be used
except in a test environment.


Do Not Use Promiscuous Mode on Network Interfaces

ESX/ESXi can run virtual network adapters in promiscuous mode. You can enable promiscuous mode on virtual switches that are bound to a physical network adapter (vmnic) and virtual switches that do not bind to a physical network adapter (vmnet). When promiscuous mode is enabled for a vmnic switch, all virtual machines connected to the virtual switch have the potential of reading all packets sent across that network, from other virtual machines as well as any physical machines or other network devices. When promiscuous mode is enabled for a vmnet switch, all virtual machines connected to the vmnet switch have the potential of reading all packets across that network, that is, traffic among the virtual machines connected to that vmnet switch.

Although promiscuous mode can be useful for tracking network activity, it is an insecure mode of operation because any adapter in promiscuous mode has access to packets regardless of whether some of the packets should be received only by a particular network adapter. This means that an administrator or root user within a virtual machine can potentially view traffic destined for other guest operating systems. You should use promiscuous mode only for security monitoring (for example, for an IDS system), debugging, or troubleshooting.

By default, promiscuous mode is set to Reject. You can change this option by modifying the security policy on an individual port group or on the entire virtual switch, as described in the section "Layer 2 Security Policy" in the ESX Server 3 Configuration Guide. Setting this policy per port group allows you to have one or more privileged virtual machines on a port group that allows promiscuous mode, while other port groups on the same switch do not grant this privilege.

Protect against MAC Address Spoofing

Each virtual network adapter in a virtual machine has its own initial MAC address assigned when the adapter is created. In addition, each adapter has an effective MAC address that filters out incoming network traffic with a destination MAC address different from the effective MAC address.

When it is created, a network adapter's effective MAC address and initial MAC address are the same. However, the virtual machine's operating system can alter the effective MAC address to another value at any time. If an operating system changes the effective MAC address, its network adapter then receives network traffic destined for the new MAC address. The operating system can send frames with an impersonated source MAC address at any time. Thus, an operating system can stage malicious attacks on the devices in a network by impersonating a network adapter authorized by the receiving network. You can use virtual switch security profiles on ESX/ESXi hosts to protect against this type of attack by setting two options, which you should set for each virtual switch:

MAC address changes: By default, this option is set to Accept, meaning that ESX/ESXi accepts requests to change the effective MAC address to a value other than the initial MAC address. The MAC Address Changes option setting affects traffic received by a virtual machine.

To protect against MAC impersonation, you can set this option to Reject. If you do, ESX/ESXi does not honor requests to change the effective MAC address to anything other than the initial MAC address. Instead, the port that the virtual adapter used to send the request is disabled. As a result, the virtual adapter does not receive any more frames until it changes the effective MAC address to match the initial MAC address. The guest operating system does not detect that the MAC address change has not been honored.

Forged transmissions: By default, this option is set to Accept, meaning ESX/ESXi does not compare source and effective MAC addresses. The Forged Transmits option setting affects traffic transmitted from a virtual machine.

If you set this option to Reject, ESX/ESXi compares the source MAC address being transmitted by the operating system with the effective MAC address for its adapter to see if they match. If the addresses do not match, ESX/ESXi drops the packet. The guest operating system does not detect that its virtual network adapter cannot send packets using the impersonated MAC address. ESX/ESXi intercepts any packets with impersonated addresses before they are delivered, and the guest operating system might assume that the packets have been dropped.


It is recommended that you set both of these options to Reject for maximal security.

You can also set these security policies on a per-port-group basis, which lets you override the virtual switch setting for that particular port group. If you need to configure a different policy for a particular virtual machine (for example, if you have an intrusion detection virtual appliance that needs to monitor all traffic on a virtual switch), you can create a special port group for this (and only this) virtual appliance with the modified settings.

To learn how these options are configured, see the section "Layer 2 Security Policy" in the ESX Server 3 Configuration Guide.
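The following is an added example, not code from this paper or from VMware: a small Python model of the virtual switch security policy described in the two sections above (Promiscuous Mode, MAC Address Changes, Forged Transmits), including the per-port-group override of the vSwitch-level setting and an audit that flags any port group whose effective policy is not Reject while allowing a named IDS port group to keep promiscuous mode. All port-group names and MAC addresses are constructed.

```python
# Added example, not VMware code: a model of the vSwitch Layer 2 security
# policy as this paper describes it. All names and MAC addresses are made up.
from dataclasses import dataclass, field
from typing import Dict, List

ACCEPT, REJECT = "Accept", "Reject"
BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class SecurityPolicy:
    promiscuous: str = REJECT       # ESX/ESXi default: Reject
    mac_changes: str = ACCEPT       # ESX/ESXi default: Accept
    forged_transmits: str = ACCEPT  # ESX/ESXi default: Accept


@dataclass
class PortGroup:
    name: str
    overrides: Dict[str, str] = field(default_factory=dict)  # only listed options override


@dataclass
class VirtualSwitch:
    policy: SecurityPolicy
    portgroups: Dict[str, PortGroup]

    def effective_policy(self, pg_name: str) -> SecurityPolicy:
        """Port-group override wins; anything not overridden is inherited."""
        ov = self.portgroups[pg_name].overrides
        return SecurityPolicy(**{opt: ov.get(opt, val)
                                 for opt, val in vars(self.policy).items()})


@dataclass
class VirtualAdapter:
    portgroup: str
    initial_mac: str          # assigned when the adapter is created
    effective_mac: str = ""   # what the guest OS currently claims
    port_disabled: bool = False

    def __post_init__(self) -> None:
        self.initial_mac = self.initial_mac.lower()
        self.effective_mac = (self.effective_mac or self.initial_mac).lower()


def request_mac_change(vs: VirtualSwitch, nic: VirtualAdapter, new_mac: str) -> bool:
    """Guest sets a new effective MAC; returns whether ESX/ESXi honours it.
    Under Reject the port is disabled until the initial MAC is restored,
    and the guest is not told."""
    nic.effective_mac = new_mac.lower()
    pol = vs.effective_policy(nic.portgroup)
    if pol.mac_changes == REJECT and nic.effective_mac != nic.initial_mac:
        nic.port_disabled = True
        return False
    nic.port_disabled = False
    return True


def deliver_inbound(vs: VirtualSwitch, nic: VirtualAdapter, dst_mac: str) -> bool:
    """Would the vSwitch hand a frame addressed to dst_mac to this adapter?"""
    if nic.port_disabled:
        return False
    if vs.effective_policy(nic.portgroup).promiscuous == ACCEPT:
        return True  # promiscuous: every frame on the switch is visible
    return dst_mac.lower() in (nic.effective_mac, BROADCAST)


def transmit_outbound(vs: VirtualSwitch, nic: VirtualAdapter, src_mac: str) -> bool:
    """Would the vSwitch forward a frame the guest sends with src_mac?
    Under Forged Transmits = Reject a source MAC other than the effective
    MAC is dropped silently."""
    pol = vs.effective_policy(nic.portgroup)
    return not (pol.forged_transmits == REJECT and src_mac.lower() != nic.effective_mac)


def audit(vs: VirtualSwitch, ids_portgroups=()) -> Dict[str, List[str]]:
    """Port groups whose effective policy is not all Reject. Port groups in
    ids_portgroups (the dedicated IDS port group the paper allows) may keep
    Promiscuous Mode = Accept without being flagged."""
    findings = {}
    for name in vs.portgroups:
        bad = [opt for opt, val in vars(vs.effective_policy(name)).items()
               if val != REJECT]
        if name in ids_portgroups and "promiscuous" in bad:
            bad.remove("promiscuous")
        if bad:
            findings[name] = bad
    return findings


def build_sample_switch() -> VirtualSwitch:
    """Constructed sample: a hardened vSwitch with two port-group overrides."""
    hardened = SecurityPolicy(REJECT, REJECT, REJECT)
    return VirtualSwitch(hardened, {
        "Production VMs": PortGroup("Production VMs"),
        "IDS Sensor": PortGroup("IDS Sensor", {"promiscuous": ACCEPT}),
        "Legacy App": PortGroup("Legacy App", {"mac_changes": ACCEPT, "forged_transmits": ACCEPT}),
    })
```

Running `audit(build_sample_switch(), ids_portgroups=("IDS Sensor",))` reports only the "Legacy App" port group, because its overrides re-enable MAC address changes and forged transmits on an otherwise hardened switch.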

Secure the ESX/ESXi Host Console

Even if you have locked down ESX/ESXi to protect it from attacks that arrive over the network, anyone with access to the console of the host might still cause problems. Although physical harm to the host cannot be prevented, it still might be possible, for example, to influence the host so that it behaves improperly, perhaps in a manner that is hard to detect.

For ESX 3.5, which runs a service console, one way to guard against this is to use grub passwords to prevent users from booting into single-user mode or passing options to the kernel during boot. Unless the password is entered, the server boots only the kernel with the default options. For more information on grub passwords, see the GNU Grub Manual at http://www.gnu.org/software/grub/manual/html_node/index.html. This technique does not apply to ESXi 3.5, because there is no service console available at the console of the host.

Mask and Zone SAN Resources Appropriately

Zoning provides access control in a SAN topology. It defines which host bus adapters (HBAs) can connect to which SAN device service processors. When a SAN is configured using zoning, the devices outside a zone are not visible to the devices inside the zone. In addition, SAN traffic within each zone is isolated from the other zones. Within a complex SAN environment, SAN switches provide zoning, which defines and configures the necessary security and access rights for the entire SAN.

LUN masking is commonly used for permission management. LUN masking is also referred to as selective storage presentation, access control, and partitioning, depending on the vendor. LUN masking is performed at the storage processor or server level. It makes a LUN invisible when a target is scanned. The administrator configures the disk array so each server or group of servers can see only certain LUNs. Masking capabilities for each disk array are vendor specific, as are the tools for managing LUN masking.

You should use zoning and LUN masking to segregate SAN activity. For example, you manage zones defined for testing independently within the SAN so they do not interfere with activity in the production zones. Similarly, you could set up different zones for different departments. Zoning must take into account any host groups that have been set up on the SAN device.

Secure iSCSI Devices through Authentication

One means of securing iSCSI devices from unwanted intrusion is to require that the ESX/ESXi host, or initiator, be authenticated by the iSCSI device, or target, whenever the host attempts to access data on the target LUN. The goal of authentication is to prove that the initiator has the right to access a target, a right granted when you configure authentication.

You have two choices when you set up authentication for iSCSI SANs on the ESX/ESXi host:

Challenge Handshake Authentication Protocol (CHAP): You can configure the iSCSI SAN to use CHAP authentication. ESX/ESXi supports one-way CHAP authentication for iSCSI. It does not support bidirectional CHAP. In one-way CHAP authentication, the target authenticates the initiator, but the initiator does not authenticate the target. The initiator has only one set of credentials, and all of the iSCSI targets use them. ESX/ESXi supports CHAP authentication at the HBA level only. It does not support per-target CHAP authentication, which enables you to configure different credentials for each target to achieve greater target refinement.


Disabled: You can configure the iSCSI SAN to use no authentication. Communications between the initiator and target are authenticated in a rudimentary way, because the iSCSI target devices are typically set up to communicate with specific initiators only.

Choosing not to enforce more stringent authentication can make sense if you create a dedicated network or VLAN to service all your iSCSI devices. Because the iSCSI facility is isolated from general network traffic, it is less vulnerable to exploit.

ESX/ESXi does not support Kerberos, Secure Remote Protocol (SRP), or public-key authentication methods for iSCSI. Additionally, it does not support IPsec authentication and encryption.

For information on how to determine whether authentication is currently being performed and to configure the authentication method, see the chapter "Securing an ESX Server 3 Configuration" in the ESX Server 3 Configuration Guide.
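As an added example (not VMware's code), the one-way CHAP exchange described above, modelled in Python with the RFC 1994 MD5 response carried in the iSCSI CHAP_A/CHAP_I/CHAP_C/CHAP_N/CHAP_R login keys. It shows both consequences the paper names: the single HBA-level secret serves every target, and the initiator never challenges the target back. Initiator names, target names, secrets and session ids are constructed.

```python
# Added example, not VMware code: a model of the one-way CHAP login the paper
# says ESX/ESXi uses for iSCSI. Names, secrets and session ids are constructed.
import hashlib
import hmac
import os
from typing import Dict, Tuple

# iSCSI login text keys for CHAP (RFC 3720): CHAP_A algorithm (5 = MD5),
# CHAP_I identifier, CHAP_C challenge, CHAP_N name, CHAP_R response.


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994: MD5 over identifier octet || secret || challenge."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class IscsiTarget:
    """Target side: issues a fresh challenge per login and verifies the reply."""

    def __init__(self, name: str, initiators: Dict[str, bytes]):
        self.name = name
        self.initiators = initiators          # initiator name -> CHAP secret
        self.pending: Dict[str, Tuple[int, bytes]] = {}

    def challenge(self, session: str) -> Dict[str, str]:
        ident, chal = os.urandom(1)[0], os.urandom(16)
        self.pending[session] = (ident, chal)
        return {"CHAP_A": "5", "CHAP_I": str(ident), "CHAP_C": "0x" + chal.hex()}

    def verify(self, session: str, reply: Dict[str, str]) -> bool:
        ident, chal = self.pending.pop(session)   # a challenge is single-use
        secret = self.initiators.get(reply.get("CHAP_N", ""))
        if secret is None:
            return False                          # unknown initiator name
        expected = chap_response(ident, secret, chal)
        return hmac.compare_digest(expected, bytes.fromhex(reply["CHAP_R"][2:]))


class EsxInitiator:
    """Initiator side as the paper describes ESX/ESXi: one credential set at
    the HBA level, reused for every target, and no challenge sent back to the
    target (no bidirectional CHAP)."""

    def __init__(self, iqn: str, secret: bytes):
        self.iqn, self.secret = iqn, secret

    def respond(self, msg: Dict[str, str]) -> Dict[str, str]:
        if msg.get("CHAP_A") != "5":
            raise ValueError("only MD5 CHAP is modelled here")
        ident, chal = int(msg["CHAP_I"]), bytes.fromhex(msg["CHAP_C"][2:])
        return {"CHAP_N": self.iqn,
                "CHAP_R": "0x" + chap_response(ident, self.secret, chal).hex()}


def login(initiator: EsxInitiator, target: IscsiTarget, session: str) -> bool:
    """One-way CHAP: target -> challenge, initiator -> response, target decides.
    Nothing in this exchange proves the target's identity to the initiator,
    which is why the paper pairs it with a dedicated iSCSI network or VLAN."""
    reply = initiator.respond(target.challenge(session))
    return target.verify(session, reply)
```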

VirtualCenter

VirtualCenter provides a powerful way to manage and control your VMware Infrastructure environment from a central point and enables more sophisticated operations through tools that work through its SDK. It is extremely powerful and therefore should be subject to the strictest security standards.

Set Up the Windows Host for VirtualCenter with Proper Security

Because VirtualCenter runs on a Windows host, it is especially critical to protect this host against vulnerabilities and attacks. The standard set of recommendations applies, as it would for any host: install antivirus agents, spyware filters, intrusion detection systems, and any other security measures. Make sure to keep all security measures up to date, including application of patches.

The password that VirtualCenter uses to access its database is stored in the Windows registry in an encoded format. Although the password cannot be read directly, it is not protected by encryption, so you should protect the registry on the VirtualCenter host to prevent unauthorized access to the VirtualCenter database.

In general, you should harden and lock down the VirtualCenter host according to industry-standard configuration guides, such as the DISA STIG or CIS Benchmark.

Limit Administrative Access

VirtualCenter runs as a user that requires local administrator privileges and must be installed by a local administrative user. To limit the scope of administrative access, avoid using the Windows Administrator user to run VirtualCenter after you install it. Instead, use a dedicated VirtualCenter administrator account. To set up the administrative account, take the following steps:

1 Create a local account for an ordinary user on the Windows host. This is the account the VirtualCenter administrator should use to manage VirtualCenter.

2 In VirtualCenter, log on as the Windows Administrator, then grant VirtualCenter root administrator access to the newly created account.

3 Log out of VirtualCenter, then make sure you can log in to VirtualCenter as the new user and that this user is able to perform all tasks available to a VirtualCenter administrator.

4 Remove the permissions in VirtualCenter for the local Administrators group.

By configuring accounts in this way, you avoid automatically giving administrative access to domain administrators, who typically belong to the local Administrators group. This also provides a way of logging in to VirtualCenter when the domain controller is down, because the local VirtualCenter administrator account does not require remote authentication.


Limit Network Connectivity to VirtualCenter

The only network connection VirtualCenter requires is to the management network described in "Isolate Virtual Machine Networks" on page 3. You should avoid putting the VirtualCenter server on any other network, such as your production or storage network. Specifically, VirtualCenter does not need access to the network on which VMotion takes place. By limiting the network connectivity, you cut down on the possible avenues of attack.

Use the following guidelines to limit network connectivity:

Firewalls

You should protect the VirtualCenter server using a firewall. This firewall may sit between the clients and the VirtualCenter server, or both the VirtualCenter Server and the clients may sit behind the firewall, depending on your deployment. The main consideration is ensuring that a firewall is present at what you consider to be an entry point for the system as a whole.

Use firewalls to restrict which systems can access VirtualCenter by IP address.

For more information on the possible locations for firewalls used with VirtualCenter, see the section "Firewalls for Configurations with a VirtualCenter Server" in the ESX Server 3 Configuration Guide.

TCP and UDP ports for management access

Networks configured with a VirtualCenter server can receive communications from several types of clients: the VI Client, VI Web Access, a system with the Remote CLI or one of the VI Toolkits for scripting installed, or third-party network management clients that use the SDK to interact with the host. During normal operation, VirtualCenter listens on designated ports for data from the hosts it is managing and from clients. VirtualCenter also assumes that the hosts it is managing listen for data from VirtualCenter on designated ports. If a firewall is present between any of these components, you must ensure that the appropriate ports are open to support data transfer through the firewall.

The section "TCP and UDP Ports for Management Access" in the ESX Server 3 Configuration Guide lists all the predetermined TCP and UDP ports used for management access to your VirtualCenter server, ESX hosts, and other network components. Study this section carefully to determine how to configure your firewalls to maintain maximum security while still allowing required management operations.

NOTE You might not be able to open a VI Client remote console when your network is configured such that a firewall using NAT stands between the ESX host and the computer running VI Client. See VMware knowledge base article 749640 (http://kb.vmware.com/kb/749640) for a workaround for this issue.

Use Proper Security Measures when Configuring the Database for VirtualCenter

You should install the VirtualCenter database on a separate server or virtual machine and subject it to the same security measures as any production database. You should also carefully configure the permissions used for access to the database to the minimum necessary. Use the guidelines appropriate to your database.

Microsoft SQL Server

During installation and upgrade, the VirtualCenter account must have the DB Owner role. During normal operations, you may further restrict permissions to the following:

Invoke/execute stored procedures

Select, update, insert

Delete

Oracle

The privileges required for the VirtualCenter account are listed in the section "Preparing the VirtualCenter Server Database" of the chapter "Installing VMware Infrastructure Management" in the ESX Server 3 Installation Guide.


Enable Full and Secure Use of Certificate-based Encryption

For environments that require strong security, VMware recommends that administrators replace all default self-signed certificates generated at installation time with legitimate certificates signed by their local root certificate authority or public, third-party certificates available from multiple public certificate authorities. You should also enable server certificate verification on all VI Client installations and the VirtualCenter host. This involves a modification to the Windows registry on all client hosts.

NOTE You need to replace the default VirtualCenter Server certificate before enabling server certificate verification.

For background and information on replacing VirtualCenter Server certificates, see the technical note Replacing VirtualCenter Server Certificates (http://www.vmware.com/vmtn/resources/658). For information on enabling server certificate verification for VI Client installations, including how to pre-trust certificates and how to modify the Windows registry for client hosts, see VMware knowledge base article 4646606 (http://kb.vmware.com/kb/4646606).

Use VirtualCenter Custom Roles

Beginning with version 2.0, VirtualCenter provides a sophisticated system of roles and permissions. These roles and permissions allow fine-grained determination of authorization for administrative and user tasks, based on user or group and inventory item, such as clusters, resource pools, and hosts. You should take advantage of this system to assure that only the minimum necessary privileges are assigned to people in order to prevent unauthorized access or modification. Some recommendations are:

Create roles that enable only the necessary tasks. For example, a user who is only going to make use of an assigned virtual machine might need permission only to power the machine on or off, and not necessarily to attach a CD or floppy device.

Assign roles to as limited a scope as necessary. For example, you can give a user certain permissions on a resource pool instead of a discrete host, and you can use folders to contain the scope of a privilege.

For more information on VirtualCenter roles, see the paper Managing VirtualCenter Roles and Permissions (http://www.vmware.com/resources/techresources/826).

Document and Monitor Changes to the Configuration

Although most of a VMware Infrastructure environment is defined by information contained in the VirtualCenter database, certain important configuration information resides only on the VirtualCenter Server host's local file system. This includes the main configuration file vpxd.cfg, various log files, and, implicitly, the Windows registry settings that pertain to VirtualCenter.

For compliance and auditing, it is important that you have a record of these configurations over time. One convenient way to capture everything in one place is to use the Generate VirtualCenter Server log bundle command, in the VMware program file menu on the VirtualCenter host. This tool is designed to capture information to be used for troubleshooting and debugging, but the resulting archive file serves as a convenient way to maintain a historical record.

The resulting ZIP archive includes files that contain the values of relevant Windows registry entries, configuration files for VirtualCenter and any add-on components, and log files for VirtualCenter, the license server, and any add-on components. By performing this task on a regular basis, you can keep track of all changes that affect your VirtualCenter installation.


If you want to monitor the log files directly, use Table 12 to determine which files to watch:

Table 12. Paths to Key VirtualCenter Log Files

Component                              Default path to file
VirtualCenter                          C:\Documents and Settings\All Users\Application Data\VMware\VMware VirtualCenter\Logs\*
Web server component of VirtualCenter  C:\Program Files\VMware\Infrastructure\VirtualCenter Server\tomcat\logs\*
License manager                        C:\WINDOWS\Temp\lmgrd.log

VirtualCenter Add-on Components

Beginning with version 2.5, VirtualCenter includes a framework that enables you to add components to VirtualCenter to extend its functionality. These components typically run as separate services, which are installed on the VirtualCenter server or in some cases on a separate host or in a virtual machine. Three of these components are bundled with VirtualCenter:

VMware Update Manager: manages and automates patch management and tracking of ESX hosts and virtual machines, including turned-off virtual machines and virtual machine templates.

VMware Converter Enterprise for VirtualCenter: provides an integrated solution for migrating both physical and virtual machines to VMware Infrastructure.

VMware Guided Consolidation: automatically discovers physical servers, helps analyze their performance, and triggers the conversion of physical to virtual machines placed intelligently on a suitable host.

VMware Update Manager

You should consider VMware Update Manager an essential component of any VMware Infrastructure deployment. The ability to make sure that critical operating system patches are applied to all virtual machines, especially offline virtual machines and templates, addresses one of the most important aspects of security in a virtualized environment. Furthermore, the ability to automate the patching of ESX hosts greatly increases the likelihood that you are protected against any vulnerabilities that may be discovered for this platform.

In order to maintain isolation of the VirtualCenter host, it is recommended that you install VMware Update Manager on a separate host or in a virtual machine. This host needs to have access to the VirtualCenter using the VI API interface (available by default on TCP port 443). In the default installation, the host where you install VMware Update Manager also needs access to the Internet in order to download patches and patch information. You can configure it to use a Web proxy, a step you should take if a Web proxy is available. For highest security, you can install the Update Manager Download Service on a separate server, and the patches and information that it downloads can be transferred manually to the Update Manager host, for example, using a USB key or scheduled, secure file transfer. This avoids having the Update Manager host itself connected to an external network. For more information on installing Update Manager and the Update Manager Download Service, see the chapter "Working with Update Manager" in the Update Manager Administration Guide.

VMware Converter Enterprise

As with Update Manager, you should install Converter on a separate system in order to maintain isolation of the VirtualCenter host. Converter and the source system need access to VirtualCenter using the VI API interface (TCP port 443 by default) and the VI API interface of any destination ESX host. However, the information from the hard disk of the source system is transferred to the destination ESX host over port 902. In addition, the Converter server needs access to port 139 on the source system.

The use of Converter has the potential for introducing some security risks. When migrating physical or virtual machines to VMware Infrastructure, you run the risk of importing a compromised or infected server. Because the import occurs with little modification to the source, you could be introducing a vulnerability directly into your environment. You might want to consider using Converter only in test or staging environments.


VMware Guided Consolidation

Guided Consolidation automates the process of discovering and analyzing existing servers (virtual or physical) for suitability of conversion to virtual machines, and choosing the destination ESX host onto which to migrate them. It then automatically invokes Converter to perform the actual migration process.

Guided Consolidation is not an optional component, and you cannot install it on a separate host. It is always running as a service on the VirtualCenter Server host. Guided Consolidation requires access to the ports for WMI, Perfmon, and Remote Registry: ports 135, 137, 138, 139, and 445. These ports must be open on both the VirtualCenter host and the target server. The Guided Consolidation service must be run as a user with VirtualCenter Administrator privileges, as well as with the necessary Windows privileges to query Active Directory for servers in the environment. In addition, administrator credentials are required for each target system to be analyzed, so that performance data can be collected from them. You can enter a default set of target system credentials and override this default for individual target systems that might deviate from the default.

The Guided Consolidation service relies on Converter to import target servers, so all recommendations for Converter apply to Guided Consolidation, as well. It is recommended that you not use Guided Consolidation in higher-security environments.

General Considerations

With any add-on component, observe the following:

Harden and lock down the server on which the component is installed according to the industry best practices for the host's operating system.

These components often require you to provide credentials of a user account with full VMware Infrastructure administrator privileges. To reduce exposure and have a way of restricting access in case a problem is found, create a unique account for each component. Then, if a vulnerability or other problem is discovered, you can reduce or eliminate privileges on that account until the situation is resolved. Do not provide the credentials of the VirtualCenter host's Administrator account or of an actual user.

These components usually have their own log files. Table 13 shows the log files for the components that are bundled with VirtualCenter:

Table 13. Paths to Log Files for Bundled VirtualCenter Components

Component                    Default path to file
VMware Update Manager        C:\Documents and Settings\All Users\Application Data\VMware\VMware Update Manager\Logs\*
VMware Converter Enterprise  C:\Documents and Settings\All Users\Application Data\VMware\VMware Converter Enterprise\Logs\*
VMware Guided Consolidation  C:\Documents and Settings\All Users\Application Data\VMware\VMware Capacity Planner\Logs\*

Client Components

The recommendations in this section apply to clients that connect to VirtualCenter or ESX.

Restrict the Use of Linux-based Clients

Although SSL-based encryption is used to protect communication between client components and VirtualCenter or ESX, the Linux versions of these components do not perform certificate validation. Therefore, even if you have replaced the self-signed certificates on VirtualCenter and ESX with legitimate certificates signed by your local root certificate authority or a third party, communications with Linux clients are still vulnerable to man-in-the-middle attacks. The components that are vulnerable when running on Linux include:

Any Remote CLI command

Any VI Perl Toolkit script


Virtual machine console access initiated from a Linux-based Web Access browser session

Any program written using the VI SDK

The management interfaces of VirtualCenter and ESX should be available only on trusted networks, but providing encryption and certificate validation adds extra layers of defense against an attack. If you are able to mitigate against systems on the management network interposing themselves on network traffic, or can trust that such systems will not appear on the network, the use of Linux-based clients would not increase the security risk.

Verify the Integrity of VI Client

Beginning with version 2.5, VirtualCenter includes a VI Client extensibility framework, which provides the ability to extend the VMware Infrastructure Client (VI Client) with menu selections or toolbar icons that provide access to VirtualCenter add-on components or external, Web-based functionality. With the flexibility, customization, and innovation that this entails, there is also the risk of introducing VI Client capabilities that were not intended. For example, a plug-in could be surreptitiously installed on an administrator's VI Client instance, then execute arbitrary commands with the privilege level of that administrator. If a user with low or no privileges were to use such a client, there would be no added risk, because the plug-in can interact with VirtualCenter or ESX only with the permissions of the user running the client.

The integrity of client software is a common concern across all client-server platforms in which the client could be running on an insecure host, but the VI Client extensibility framework reduces the effort needed to compromise the client software. To protect against such compromises, users of VI Client, especially those with powerful privileges, should not install any plug-ins that do not come from a trusted source. You can check to see which plug-ins are actually installed for a given VI Client by going to the menu item Plugins > Manage Plugins and clicking the Installed Plugins tab.

Monitor the Usage of VI Client Instances

Although actions performed within VI Client are logged in the VirtualCenter Events table, in some cases you might be interested in knowing what occurred on the client side. For example, you might want to know the server to which the client had recently connected and which user account was used. VI Client maintains log files of its activities on the client system, and you can retrieve and inspect or even monitor them regularly for specific events. The log files are located in various directories found under the folder C:\Documents and Settings\<username>\Local Settings\Application Data\VMware. Because the VI Client plug-in framework allows for communication with various components, each could potentially have its own set of logs. For example, the directory vpx contains logs for interaction with VirtualCenter, and the directory VMware Converter Enterprise\Logs contains logs for interaction with the Converter Enterprise server.

Avoid the Use of Plain-Text Passwords

A number of scripting frameworks can be used to configure and monitor your VMware Infrastructure 3 deployment. In particular, the VI Perl Toolkit and the Remote CLI let you run commands and scripts from a remote system to modify VMware Infrastructure 3 configurations, perform actions such as taking snapshots of virtual machines or rebooting an ESX host, and monitor performance and other data.

The Remote CLI is implemented as a series of commands written using the VI Perl Toolkit. Both Remote CLI commands and VI Perl Toolkit scripts need valid credentials in the form of user name and password to work successfully. These credentials must be accepted on either the VirtualCenter host or the ESX host, depending on where the command is directed. Not only does the user need to be authenticated, but the user must also have sufficient privileges to execute the specific command or task.

Both of these frameworks allow you to specify passwords in plain text as command-line options, in a configuration file, or as environment variables. However, use of plain-text passwords presents a security risk, because someone could read passwords in the configuration file itself, in shell history files, in backup files, or in other ways. When running commands and scripts interactively, it is recommended that you avoid specifying the password ahead of time. The commands typically prompt you for the password, which is then not echoed to the screen when you type it. If you use this approach, you avoid having the password exist on the file system in plain text.


If you need to run commands noninteractively, for example, in scripts, you should use session files. This mechanism allows you to provide your credentials once interactively. The system then generates a file that contains an authentication token. This token does not contain any password information, and it remains valid for up to 30 minutes. The session file may be used in lieu of credentials to authenticate commands. A script that references the session file can then run noninteractively.

Because the session file authenticates any command that references it, it is important that this file itself be closely guarded during its lifetime. It should be generated only as needed, then deleted as soon as it is no longer needed. Make sure not to inadvertently allow access to this file by other users.

For more information on the use of session files, see the section "Using Remote Command Line Interfaces" in the appendix of the ESX Server 3i Configuration Guide.
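One way to script the session-file lifecycle the two sections above describe, as an added example (not VMware's code): log in once interactively, run a batch of commands with `--sessionfile`, refuse a token older than 30 minutes, and delete the file as soon as the batch ends. It assumes the Remote CLI commands accept `--server`, `--username`, `--savesessionfile` and `--sessionfile` (VI Perl Toolkit common options) and that `vicfg-nics` is on the path; the `DryRunner` class stands in for a real VirtualCenter or ESX host.

```python
# Added example, not VMware code. It assumes the Remote CLI (vicfg-*) commands
# accept --server/--username plus --savesessionfile and --sessionfile, which
# are VI Perl Toolkit common options rather than anything this paper states.
import os
import shutil
import subprocess
import tempfile
import time
from typing import Callable, List, Optional, Sequence

SESSION_MAX_AGE = 30 * 60   # the paper: a session token is valid for up to 30 minutes
Runner = Callable[..., subprocess.CompletedProcess]


def session_is_fresh(path: str, now: Optional[float] = None,
                     max_age: int = SESSION_MAX_AGE) -> bool:
    """True if the session file exists and was written less than max_age ago."""
    if not os.path.isfile(path):
        return False
    now = time.time() if now is None else now
    return (now - os.path.getmtime(path)) < max_age


def login_command(server: str, username: str, session_path: str) -> List[str]:
    """Read-only call whose only purpose is to log in once, interactively.
    No --password: the command prompts for it, so the password never appears
    on the command line, in shell history or in a file."""
    return ["vicfg-nics", "--server", server, "--username", username,
            "--savesessionfile", session_path, "-l"]


def run_batch(server: str, username: str, commands: Sequence[Sequence[str]],
              runner: Runner = subprocess.run) -> List[int]:
    """Log in once, run every command with --sessionfile, then delete the token.
    The session file lives in a directory only this user can enter
    (tempfile.mkdtemp creates it mode 0700) and is removed even on failure."""
    workdir = tempfile.mkdtemp(prefix="rcli-session-")
    session_path = os.path.join(workdir, "session")
    try:
        runner(login_command(server, username, session_path), check=True)
        if not session_is_fresh(session_path):
            raise RuntimeError("login did not produce a usable session file")
        codes = []
        for cmd in commands:
            if not session_is_fresh(session_path):   # token expired mid-batch
                raise RuntimeError("session token older than 30 minutes; log in again")
            codes.append(runner(list(cmd) + ["--sessionfile", session_path]).returncode)
        return codes
    finally:
        shutil.rmtree(workdir, ignore_errors=True)   # token gone as soon as done


class DryRunner:
    """Stand-in for subprocess.run that records commands and fakes the login,
    so the lifecycle can be exercised without a VirtualCenter or ESX host."""

    def __init__(self) -> None:
        self.calls: List[List[str]] = []

    def __call__(self, cmd, **kwargs) -> subprocess.CompletedProcess:
        self.calls.append(list(cmd))
        if "--savesessionfile" in cmd:
            with open(cmd[cmd.index("--savesessionfile") + 1], "w") as fh:
                fh.write("constructed-token\n")    # a real command writes the token
        return subprocess.CompletedProcess(cmd, 0)
```

With the default runner on a system that has the Remote CLI installed, `run_batch("vc.example.test", "vcadmin", [["vicfg-vswitch", "-l"]])` prompts for the password once on the terminal and leaves no session file behind.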

References

Accessing VMware ESX Server 3 securely using SSH and SUDO
http://www.xtravirt.com/index.php?option=com_remository&Itemid=75&func=startdown&id=10

Basic System Administration
http://www.vmware.com/pdf/vi3_35/esx_3/r35/vi3_35_25_admin_guide.pdf

Enabling Active Directory Authentication with ESX Server
http://www.vmware.com/vmtn/resources/582

Enabling Server Certificate Verification for Virtual Infrastructure Clients
http://kb.vmware.com/kb/4646606

ESX Server 3 Configuration Guide
http://www.vmware.com/pdf/vi3_35/esx_3/r35/vi3_35_25_3_server_config.pdf

ESX Server 3i Configuration Guide
http://www.vmware.com/pdf/vi3_35/esx_3i_e/r35/vi3_35_25_3i_server_config.pdf

ESX Server 3 Installation Guide
http://www.vmware.com/pdf/vi3_35/esx_3/r35/vi3_35_25_installation_guide.pdf

ESX Server 3i Embedded Setup Guide
http://www.vmware.com/pdf/vi3_35/esx_3i_e/r35/vi3_35_25_3i_setup.pdf

ESX Server 3i Installable Setup Guide
http://www.vmware.com/pdf/vi3_35/esx_3i_i/r35/vi3_35_25_3i_i_setup.pdf

GNU Grub Manual
http://www.gnu.org/software/grub/manual/html_node/index.html

Installing and Configuring NTP on VMware ESX Server
http://kb.vmware.com/kb/1339

Red Hat Linux Security Guide, Chapter 4. Workstation Security
http://www.redhat.com/docs/manuals/linux/RHL9Manual/securityguide/chwstation.html

Replacing VirtualCenter Certificates
http://www.vmware.com/vmtn/resources/658

Sudo Main Page
http://www.gratisoft.us/sudo

Virtual Infrastructure client cannot open Remote Console session
http://kb.vmware.com/kb/749640

VMware ESX Server: Third-Party Software in the Service Console
http://www.vmware.com/vmtn/resources/516

VMware Security Center
http://www.vmware.com/security


About the Author

Charu Chaubal is a senior architect in the technical marketing department at VMware. His areas of expertise include virtualization security and virtual infrastructure management. Chaubal received a Bachelor of Science in Engineering from the University of Pennsylvania and a Ph.D. from the University of California at Santa Barbara, where he studied the numerical modeling of complex fluids. Previously, he worked at Sun Microsystems, where he had more than seven years' experience with designing and developing distributed resource management and grid infrastructure software solutions. He is the author of numerous publications and several patents in the fields of data center automation and numerical price optimization.

Acknowledgements

The author would like to thank Brad Harris, Kirk Larsen, Rob Randell, Brian Cosker Swerkske, and Petr Vandrovec for their valuable contributions.

If you have comments about this documentation, submit your feedback to: docfeedback@vmware.com
VMware, Inc. 3401 Hillview Ave., Palo Alto, CA 94304 www.vmware.com
Copyright 2008 VMware, Inc. All rights reserved. Protected by one or more of U.S. Patent Nos. 6,397,242, 6,496,847, 6,704,925, 6,711,672, 6,725,289, 6,735,601, 6,785,886,
6,789,156, 6,795,966, 6,880,022, 6,944,699, 6,961,806, 6,961,941, 7,069,413, 7,082,598, 7,089,377, 7,111,086, 7,111,145, 7,117,481, 7,149, 843, 7,155,558, 7,222,221, 7,260,815,
7,260,820, 7,269,683, 7,275,136, 7,277,998, 7,277,999, 7,278,030, 7,281,102, 7,290,253, and 7,356,679; patents pending. VMware, the VMware boxes logo and design,
Virtual SMP and VMotion are registered trademarks or trademarks of VMware, Inc. in the United States and/or other jurisdictions. All other marks and names mentioned
herein may be trademarks of their respective companies.
Revision 20080708 Item: BP-012-PRD-02-01
