Security Hardening
VMware Infrastructure 3 (VMware ESX 3.5 and VMware VirtualCenter 2.5)
By introducing a layer of abstraction between the physical hardware and virtualized systems running IT services, virtualization technology provides a powerful means to deliver cost savings via server consolidation as well as increased operational efficiency and flexibility. However, the added functionality introduces a virtualization layer that itself becomes a potential avenue of attack for the virtual services being hosted. Because a single host system can house multiple virtual machines, the security of that host becomes even more important.
Because they are based on a lightweight kernel optimized for virtualization, VMware ESX and VMware ESXi are less susceptible to viruses and other problems that affect general purpose operating systems. However, ESX/ESXi is not impervious to attack, and you should take proper measures to harden it, as well as the VMware VirtualCenter management server, against malicious activity or unintended damage. This paper provides recommendations for steps you can take to ensure that your VMware Infrastructure 3 environment is properly secured. The paper also explains in detail the security-related configuration options of the components of VMware Infrastructure 3 and the consequences for security of enabling certain capabilities.
For additional up-to-date information on the security of VMware products, go to the VMware Security Center. See References on page 30 for a link. The VMware Security Center provides links to security advisories, alerts, and updates, as well as security utilities and other security-related papers.
The information in this paper applies to ESX 3.5/ESXi 3.5 and VirtualCenter 2.5. It is divided into sections based upon the components of VMware Infrastructure 3. The sections on virtual machines, VirtualCenter, and client components apply to both ESX 3.5 and ESXi 3.5. Host configuration issues are discussed in separate sections for ESX 3.5 and ESXi 3.5. Be sure to consult the sections that apply to the VMware Infrastructure software you are using.
The paper covers the following topics:
Virtual Machines on page 2
Virtual Machine Files and Settings on page 4
Configuring the Service Console in ESX 3.5 on page 7
Configuring Host-level Management in ESXi 3.5 on page 16
Configuring the ESX/ESXi Host on page 20
VirtualCenter on page 24
VirtualCenter Add-on Components on page 27
Client Components on page 28
References on page 30
About the Author on page 31
Virtual Machines
The recommendations in this section apply to the way you configure virtual machines and the ways you interact with virtual machines.
Ensure that antivirus, antispyware, intrusion detection, and other protection are enabled for every virtual machine in your virtual infrastructure. Make sure to keep all security measures up to date, including applying appropriate patches. It is especially important to keep track of updates for dormant virtual machines that are powered off, because it could be easy to overlook them.
Disable unused services in the operating system. For example, if the system runs a file server, make sure to turn off any Web services.
Disconnect unused physical devices, such as CD/DVD drives, floppy drives, and USB adapters. This is described in the section Removing Unnecessary Hardware Devices in the ESX Server 3 Configuration Guide.
Turn off any screen savers. If using a Linux, BSD, or Solaris guest operating system, do not run the X Window system unless it is necessary.
Network segmentation mitigates the risk of several types of network attacks, including Address Resolution Protocol (ARP) address spoofing, in which an attacker manipulates the ARP table to remap MAC and IP addresses to redirect network traffic to and from a given host to another unintended destination. Attackers use ARP spoofing to generate denials of service, hijack the target system, and otherwise disrupt the virtual network.
Segmentation has the added benefit of making compliance audits much easier, because it gives you a clear view of which virtual machines are linked by a network.
You can implement segmentation using either of two approaches, each of which has its own benefits:
Use separate physical network adapters for virtual machine zones by creating separate virtual switches for each one. Maintaining separate physical network adapters for virtual machine zones is less prone to misconfiguration after you initially create segments.
Set up virtual local area networks (VLANs) to help safeguard your network. Because VLANs provide almost all of the security benefits inherent in implementing physically separate networks without the hardware overhead, they offer a viable solution that can save you the cost of deploying and maintaining additional devices, cabling, and so forth, while also allowing for redundancy options.
For more information on using VLANs with virtual machines, see the section Securing Virtual Machines with VLANs in the ESX Server 3 Configuration Guide.
1 Choose the virtual machine in the inventory panel.
2 Click Edit settings. Click Options > Advanced/General.
3 Click Configuration Parameters to open the Configuration Parameters dialog box.
Whether you change a virtual machine's settings in the VI Client or using a text editor, you must restart the virtual machine for most changes to take effect.
A virtual machine also includes one or more .vmdk files, which represent the virtual disks used by the guest operating system.
The following sections provide guidelines you should observe when dealing with these and other virtual machine files.
Disable Copy and Paste Operations Between the Guest Operating System and Remote Console
When VMware Tools runs in a virtual machine, by default you can copy and paste between the guest operating system and the computer where the remote console is running. As soon as the console window gains focus, nonprivileged users and processes running in the virtual machine can access the clipboard for the virtual machine console. If a user copies sensitive information to the clipboard before using the console, the user perhaps unknowingly exposes sensitive data to the virtual machine. It is recommended that you disable copy and paste operations for the guest operating system by creating the parameters shown in Table 1.
Table 1. Configuration Settings to Disable Copy and Paste
Name Value
isolation.tools.copy.disable true
isolation.tools.paste.disable true
isolation.tools.setGUIOptions.enable false
To prevent this problem, consider modifying the logging settings for virtual machines. You can use these settings to limit the total size and number of log files. Normally a new log file is created only when a host is rebooted, so the file can grow to be quite large, but you can ensure new log files are created more frequently by limiting the maximum size of the log files. If you want to restrict the total size of logging data, VMware recommends saving 10 log files, each one limited to 100KB. These values are small enough that the log files should not consume an undue amount of disk space on the host, yet the amount of data stored should capture sufficient information to debug most problems.
Each time an entry is written to the log, the size of the log is checked, and if it is over the limit, the next entry is written to a new log. If the maximum number of log files already exists, when a new one is created, the oldest log file is deleted. A denial of service attack that avoids these limits could be attempted by writing an enormous log entry, but each log entry is limited to 4KB, so no log files are ever more than 4KB larger than the configured limit. Table 2 shows which parameters to set and their recommended values:
Table 2. Configuration Settings to Limit Log File Size and Number of Log Files
Name Recommended Value
log.rotateSize 100000
log.keepOld 10
A second option is to disable logging for the virtual machine. Disabling logging for a virtual machine makes troubleshooting challenging and support difficult, so you should not consider disabling logging unless the log file rotation approach proves insufficient. To disable logging, set the parameter shown in Table 3.
Table 3. Configuration Setting to Disable Virtual Machine Logging
Name Recommended Value
Isolation.tools.log.disable true
Disabling logging in this manner does not completely disable all logging messages. The VMX process, which runs on the ESX host and is partly responsible for providing virtualization services for the virtual machine, continues to write logging messages to the virtual machine log file. However, the volume of messages from this source is very low and cannot be exploited from within the virtual machine, so it is not normally considered a potential source of data flooding.
If you nevertheless want to prevent all forms of logging, you can disable all messages by setting the parameter shown in Table 4. However, this is not recommended in a normal production environment.
Table 4. Configuration Setting to Disable Virtualization Service Logging
Name Recommended Value
logging false
In addition to logging, guest operating system processes can send informational messages to the ESX/ESXi host through VMware Tools. These messages, known as setinfo messages, are written to the virtual machine's configuration file (.vmx). They typically contain name-value pairs that define virtual machine characteristics or identifiers that the host stores, for example, ipaddress=10.17.87.224. A setinfo message has no predefined format and can be any length. Therefore, the amount of data passed to the host in this way is unlimited. An unrestricted data flow provides an opportunity for an attacker to stage a DOS attack by writing software that mimics VMware Tools and flooding the host with packets, thus consuming resources needed by the virtual machines.
To prevent this problem, the configuration file containing these name-value pairs is limited to a size of 1MB. This 1MB capacity should be sufficient for most cases, but you can change this value, if necessary. You might increase this value if large amounts of custom information are being stored in the configuration file.
To modify the GuestInfo file memory limit, set the tools.setInfo.sizeLimit parameter in the .vmx file. The default limit is 1MB, and this limit is applied even when the sizeLimit parameter is not listed in the .vmx file. The example in Table 5 sets the size limit to 1MB.
Table 5. Configuration Setting to Limit Size of GuestInfo File
Name Recommended Value
tools.setInfo.sizeLimit 1048576
You may also entirely prevent guest operating systems from writing any name-value pairs to the configuration file, using the setting in Table 6. This is appropriate when guest operating systems must be prevented from modifying configuration settings.
Table 6. Configuration Setting to Prevent Writing SetInfo Data to Configuration File
Name Value
isolation.tools.setinfo.disable true
1 Log in to the VI Client and choose the server from the inventory panel.
The hardware configuration page for the server appears.
2 Expand the inventory as needed and choose the virtual machine you want to check.
3 Click the Edit Settings link in the Commands panel to display the Virtual Machine Properties dialog box.
4 Click the Hardware tab.
5 Click the appropriate hard disk in the Hardware list.
For less commonly used devices, Table 7 shows the .vmx parameters that specify whether the device is available for a virtual machine to use. If the device is not needed, either the parameter should not be present or its value must be FALSE. The parameters listed in Table 7 are not sufficient to ensure that a device is usable, because other parameters are needed to indicate specifically how each device is instantiated.
Table 7. Configuration Parameters that Specify Certain Devices
Device          Configuration file parameter (where <X> is an integer 0 or greater)
Floppy drive    floppy<X>.present
Serial port     serial<X>.present
Parallel port   parallel<X>.present
For example, by default, a rogue user within a virtual machine can:
Connect a disconnected CD-ROM drive and access sensitive information on the media left in the drive
Disconnect a network adapter to isolate the virtual machine from its network, which is a denial of service
In general, you should use the virtual machine settings editor or Configuration Editor to remove any unneeded or unused hardware devices. However, you may want to use the device again, so removing it is not always a good solution. In that case, you can prevent a user or running process in the virtual machine from connecting or disconnecting a device from within the guest operating system by adding the parameter shown in Table 8.
Table 8. Configuration Setting to Prevent Device Removal or Connection
Name Value
Isolation.tools.connectable.disable true
isolation.tools.diskShrink.disable True
The parameter that specifies the guest operating system is guestOS. Verify that the specified operating system matches the operating system actually running in the virtual machine, which you can determine by checking the virtual machine directly.
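The settings in Tables 1 through 8 are easy to set once and then lose when a VM is cloned or its .vmx is edited by hand. The following audit script is an added example and is not from the VMware paper: it reads a .vmx file and reports every recommended setting that is missing or has the wrong value, plus any floppy, serial or parallel device left present. The sample .vmx it writes is constructed for the demonstration; keys are compared case-insensitively because the paper's tables spell the same key with different capitalisation.

```shell
#!/bin/sh
# Added example (not from the VMware paper): audit a .vmx file against the
# isolation, logging and setinfo settings recommended in Tables 1-8.
# Usage on a service console:  sh vmx_audit.sh /vmfs/volumes/<datastore>/<vm>/<vm>.vmx

# key=expected-value pairs, in lower case (lookups are case-insensitive).
REQUIRED_SETTINGS='
isolation.tools.copy.disable=true
isolation.tools.paste.disable=true
isolation.tools.setguioptions.enable=false
isolation.tools.setinfo.disable=true
isolation.tools.connectable.disable=true
isolation.tools.diskshrink.disable=true
log.rotatesize=100000
log.keepold=10
tools.setinfo.sizelimit=1048576
'

# vmx_get FILE KEY -> prints the lower-cased value of KEY (lines look like
# key = "value"), or nothing if the key is absent.
vmx_get() {
    _key=$(printf '%s' "$2" | tr 'A-Z' 'a-z' | sed 's/\./\\./g')
    tr 'A-Z' 'a-z' < "$1" \
        | sed -n "s/^[[:space:]]*${_key}[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" \
        | head -n 1
}

# vmx_audit FILE -> prints one line per deviation; return value is the count
# of deviations (0 means every recommended setting is in place).
vmx_audit() {
    _file=$1; _bad=0
    for _pair in $REQUIRED_SETTINGS; do
        _k=${_pair%%=*}; _want=${_pair#*=}
        _have=$(vmx_get "$_file" "$_k")
        if [ -z "$_have" ]; then
            echo "MISSING  $_k (recommended \"$_want\")"; _bad=$((_bad + 1))
        elif [ "$_have" != "$_want" ]; then
            echo "WRONG    $_k = \"$_have\" (recommended \"$_want\")"; _bad=$((_bad + 1))
        fi
    done
    # Table 7: rarely used devices should be absent or FALSE (only unit 0 is checked here).
    for _dev in floppy0 serial0 parallel0; do
        _have=$(vmx_get "$_file" "${_dev}.present")
        if [ -n "$_have" ] && [ "$_have" != "false" ]; then
            echo "DEVICE   ${_dev}.present = \"$_have\" (remove the device or set it to FALSE)"
            _bad=$((_bad + 1))
        fi
    done
    return $_bad
}

# write_sample_vmx FILE: a constructed .vmx with one wrong value, several
# missing settings and a floppy drive still present.
write_sample_vmx() {
    cat > "$1" <<'EOF'
config.version = "8"
guestOS = "rhel5"
isolation.tools.copy.disable = "true"
isolation.tools.paste.disable = "false"
Isolation.tools.setGUIOptions.enable = "FALSE"
log.rotateSize = "100000"
log.keepOld = "10"
floppy0.present = "TRUE"
floppy0.fileName = "/dev/fd0"
EOF
}

SAMPLE_VMX=$(mktemp)
write_sample_vmx "$SAMPLE_VMX"
if vmx_audit "$SAMPLE_VMX"; then
    echo "all recommended settings present"
else
    echo "deviations: $?"   # prints 6 for the constructed sample
fi
rm -f "$SAMPLE_VMX"
```

Run it against every .vmx on a datastore after the settings have been applied and again after each clone or template deployment; a non-zero exit status is the signal to re-apply the table values and restart the virtual machine, since most of these changes take effect only on restart.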
management clients use authentication and encryption to prevent unauthorized access to the service console, other services might not offer the same protection. If attackers gain access to the service console, they are free to reconfigure many attributes of the ESX host. For example, they could change the entire virtual switch configuration or change authorization methods. Because the service console is the point of control for ESX, safeguarding it from misuse is crucial.
1 Choose the host.
2 Click the Configuration tab, then choose the Security Profile item under the Software heading.
3 Click Firewall Properties.
It is best to leave the default security firewall settings, which block all incoming and outgoing traffic that is not associated with an enabled service, then use the firewall's built-in service registry to enable and disable services. If you have a particular service or agent that is not part of the built-in list, you can open individual ports using the service console command esxcfg-firewall. If you do open ports, make sure to document the changes, including the purpose for opening each port. For more information on how to use the esxcfg-firewall command, see the section Changing the Service Console Security Level in the ESX Server 3 Configuration Guide or type man esxcfg-firewall on the command line.
The services that are on by default in the ESX 3.5 service console and the ports they use are described in Table 10. The second column of the table shows the string used to identify the service when using the esxcfg-firewall command, for example when running esxcfg-firewall --query to show the current status. The table also indicates when it is appropriate to disable a service. For example, if you are not using NFS to mount network shares in the service console, you should disable this service. Configure the Firewall for Maximum Security on page 8 describes how to use the VI Client to view which services are enabled. You can use the same properties dialog box to disable services as well as view them.
Table 10. Default Services in the ESX 3.5 Service Console
Service    Identification in esxcfg-firewall command    Port    Traffic Type    When to disable
Additional software that might run in the service console includes management agents and backup agents. Although this software might have a legitimate purpose, the more components you have running in the service console, the more potential objects are susceptible to security vulnerabilities. In addition, these components often require specific network ports to be open in order to function, thus further increasing the avenues of attack.
For more information and recommendations on running third-party software in the service console, see http://www.vmware.com/vmtn/resources/516.
Another alternative is to use a remote scripting interface, such as the VI Perl Toolkit or the remote command line interface (Remote CLI). These interfaces are built on the same API that VI Client and VirtualCenter use, so any script using them automatically enjoys the same benefits of authentication, authorization, and auditing.
In ESX 3.5, some advanced tasks, such as initial configuration for password policies, cannot be performed via the VI Client. For these tasks, you must log in to the service console. Also, if you lose your connection to the host, executing certain of these commands through the command line interface may be your only recourse, for example, if the network connection fails and you are therefore unable to connect using VI Client. These tasks are described in Appendix A of the ESX Server 3 Configuration Guide.
service console of each host local accounts that correspond to each global account, this presents the problem of having to manage user names and passwords in multiple places. It is much better to use a directory service, such as NIS or LDAP, to define and authenticate users on the service console, so you do not have to create local user accounts.
In the default installation, ESX 3.5 cannot use Active Directory to define user accounts. However, it can use Active Directory to authenticate users. In other words, you can define individual user accounts on the host, then use the local Active Directory domain to manage the passwords and account status. You must create a local account for each user that requires local access on the service console. This should not be seen as a burden; in general, only relatively few people should have access to the service console, so it is better that the default is for no one to have access unless you have created an account explicitly for that user.
Authentication on the service console is controlled by the command esxcfg-auth. You can find information on this command in its man page. Type man esxcfg-auth at the command line when logged in to the service console. For information on authentication with Active Directory, see the technical note at http://www.vmware.com/vmtn/resources/582.
It is also possible to use third-party packages, such as Winbind or Centrify, to provide tighter integration with Active Directory. Consult the documentation for those solutions for guidance on how to deploy them securely.
Enabling remote root access over SSH or any other protocol is not recommended, because it opens the system to network-based attack should someone obtain the root password. A better approach is to log in remotely using a regular user account, then use sudo to perform privileged commands. The sudo command enhances security because it grants root privileges only for select activities, in contrast with the su command, which grants root privileges for all activities. Using sudo also provides superior accountability because all sudo activities are logged, whereas if you use su, ESX logs only the fact that the user switched to root by way of su. The sudo command also provides a way for you to grant or revoke execution rights to commands on an as-needed basis.
You can go a step further and disallow root access even on the console of the ESX host, that is, when you log in using a screen and keyboard attached to the server itself, or to a remote session attached to the server's console. This approach forces anyone who wants to access the system to first log in using a regular user account, then use sudo or su to perform tasks. Ideally, only a limited set of individuals need permission to run su in order to perform arbitrary administrative tasks. If you decide to disallow root login on the console, you should first create a nonprivileged account on the host to enable logins, otherwise you could find yourself locked out of the host. This nonprivileged account should be a local account, that is, one that does not require remote authentication, so that if the network connection to the directory service is lost, access to the host is still possible. You can assure this access by defining a local password for this account, using the passwd command. The local password overrides authentication via directory services (as discussed in the previous section). The net effect is that administrators can continue to access the system, but they never have to log in as root. Instead, they use sudo to perform particular tasks or su to perform arbitrary commands.
To prevent direct root login on the console, modify the file /etc/securetty to be empty. While logged in as root, enter the following command:
cat /dev/null > /etc/securetty
After you do this, only nonprivileged accounts are allowed to log in at the console. Note that this also can disable remote console capabilities, such as iLO and DRAC.
Besides controlling who has access to the su command, through the pluggable authentication module (PAM) infrastructure, you can specify what type of authentication is required to successfully execute the command. In the case of the su command, the relevant PAM configuration file is /etc/pam.d/su. To allow only members of the wheel group to execute the su command, and then only after authenticating with a password, find the line beginning with auth required and remove the leading pound sign (#) so it reads:
auth required /lib/security/$ISA/pam_wheel.so use_uid
The sudo utility should be used to control what privileged commands users can run while logged in to the service console. Among the commands you should regulate are all of the esxcfg-* commands as well as those that configure networking and other hardware on the ESX host. You should decide what set of commands should be available to more junior administrators and what commands you should allow only senior administrators to execute. You can also use sudo to restrict access to the su command.
Use the following tips to help you configure sudo:
Configure local and remote sudo logging (see Maintain Proper Logging on page 12).
Create a special group, such as vi_admins, and allow only members of that group to use sudo.
Use sudo aliases to determine the authorization scheme, then add and remove users in the alias definitions instead of in the commands specification.
Be careful to permit only the minimum necessary operations to each user and alias. Permit very few users to run the su command, because su opens a shell that has full root privileges but is not auditable.
If you have configured authentication using a directory service, sudo uses it by default for its own authentication. This behavior is controlled by the /etc/pam.d/sudo file, on the line for auth. The default setting service=system-auth tells sudo to use whatever authentication scheme has been set globally using the esxcfg-auth command.
Require users to enter their own passwords when performing operations. This is the default setting. Do not require the root password, because this presents a security risk, and do not disable password checking. In sudo the authentication persists for a brief period of time before sudo asks for a password again.
For further information and guidelines for using sudo, see http://www.gratisoft.us/sudo/.
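The tips above describe the shape of a good sudoers policy without showing one. The script below is an added example, not from the VMware paper, that writes a sudoers fragment following those tips (a vi_admins group, User_Alias and Cmnd_Alias definitions so that people are added to aliases rather than to command rules, su confined to a small senior alias, no NOPASSWD, and users authenticating with their own password) and then lints a file for the policy points the tips call out. The user names, the junior/senior split of esxcfg-* commands and the local2 syslog facility are assumptions for the demonstration.

```shell
#!/bin/sh
# Added example (not from the VMware paper): a sudoers fragment that follows
# the paper's tips, plus a small policy lint. Install the fragment with
# visudo (which also checks the syntax); never copy it into place by hand.

# write_sudoers FILE: the fragment. Names and command groupings are assumptions.
write_sudoers() {
    cat > "$1" <<'EOF'
# Who: manage membership here, not in the command rules below.
User_Alias  VI_SENIOR = alice, bob
User_Alias  VI_JUNIOR = carol, dave

# What: the esxcfg-* and network/hardware commands the paper says to regulate.
Cmnd_Alias  ESXCFG_RO = /usr/sbin/esxcfg-firewall --query, /usr/sbin/esxcfg-vswitch -l, /usr/sbin/esxcfg-nics -l
Cmnd_Alias  ESXCFG_RW = /usr/sbin/esxcfg-firewall, /usr/sbin/esxcfg-vswitch, /usr/sbin/esxcfg-nics, /usr/sbin/esxcfg-auth
Cmnd_Alias  SHELLS    = /bin/su, /bin/sh, /bin/bash

# Log every invocation to syslog (local2, so it can be forwarded to the loghost) and to a local file.
Defaults    syslog=local2, log_year, logfile=/var/log/sudo.log
# Users type their own password (the default), never root's, and never skip it.
Defaults    !rootpw, !targetpw, !runaspw, timestamp_timeout=5

# Only members of the vi_admins group get anything; the aliases refine that.
%vi_admins  ALL = (root) ESXCFG_RO
VI_JUNIOR   ALL = (root) ESXCFG_RO, ESXCFG_RW
VI_SENIOR   ALL = (root) ESXCFG_RW, SHELLS
EOF
}

# sudoers_lint FILE -> prints each policy problem; return value is their count.
# Checks: no NOPASSWD, no rootpw/targetpw, su only inside the SHELLS alias,
# and SHELLS granted only to VI_SENIOR. Comments are stripped first.
sudoers_lint() {
    _body=$(sed 's/#.*//' "$1"); _bad=0
    echo "$_body" | grep -q 'NOPASSWD' \
        && { echo "POLICY   NOPASSWD bypasses the password check"; _bad=$((_bad + 1)); }
    echo "$_body" | grep -Eq '(^|[ ,])(rootpw|targetpw)([ ,]|$)' \
        && { echo "POLICY   rootpw/targetpw makes users share the root password"; _bad=$((_bad + 1)); }
    _su=$(echo "$_body" | grep -E '/bin/su([ ,]|$)' | grep -vc '^Cmnd_Alias[[:space:]]*SHELLS' || true)
    [ "$_su" -eq 0 ] \
        || { echo "POLICY   /bin/su granted outside the SHELLS alias"; _bad=$((_bad + 1)); }
    _sh=$(echo "$_body" | grep 'SHELLS' | grep -v '^Cmnd_Alias' | grep -vc '^VI_SENIOR' || true)
    [ "$_sh" -eq 0 ] \
        || { echo "POLICY   SHELLS granted to someone other than VI_SENIOR"; _bad=$((_bad + 1)); }
    return $_bad
}

# write_bad_sudoers FILE: a constructed counter-example that breaks three tips.
write_bad_sudoers() {
    cat > "$1" <<'EOF'
Defaults    rootpw
carol       ALL = (root) NOPASSWD: /bin/su
EOF
}

GOOD=$(mktemp); BAD=$(mktemp)
write_sudoers "$GOOD"; write_bad_sudoers "$BAD"
for _f in "$GOOD" "$BAD"; do
    if sudoers_lint "$_f"; then echo "$_f: ok"; else echo "$_f: $? problem(s)"; fi
done
rm -f "$GOOD" "$BAD"
```

The lint is deliberately narrow: it catches the policy mistakes named in the tips, not syntax errors. Run visudo -c -f on the fragment for the authoritative parse before installing it, and keep the local2 forwarding line in /etc/syslog.conf so that the audit trail also reaches the remote loghost.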
Password aging: These controls govern how long a user password can be active before the user is required to change it. They help ensure that passwords change often enough that if an attacker obtains a password through sniffing or social engineering, the attacker cannot continue to access the ESX host indefinitely.
Password complexity: These controls ensure that users create passwords that are hard for password generators to determine. Instead of using words, a common technique for ensuring password complexity is to use a memorable phrase, then derive a password from it, for example, by using the first letter of each word.
Both of these policies are described in the section Password Restrictions in the ESX Server 3 Configuration Guide.
The default pam_cracklib.so plugin provides sufficient password strength enforcement for most environments. However, if the pam_cracklib.so plugin is not stringent enough for your needs, you can use the pam_passwdqc.so plugin instead. You change the plugin using the esxcfg-auth command.
For further protection, you can enforce account lockout after too many unsuccessful login attempts. To configure the ESX service console to disable the account after three unsuccessful login attempts, add the following lines to /etc/pam.d/system-auth:
auth required /lib/security/pam_tally.so no_magic_root
account required /lib/security/pam_tally.so deny=3 no_magic_root
To create the file for logging failed login attempts, execute the following commands:
touch /var/log/faillog
chown root:root /var/log/faillog
chmod 600 /var/log/faillog
It is particularly important that you not treat the service console like a Linux host when it comes to patching. Never apply patches issued by Red Hat or any other third-party vendor. Apply only patches that are published by VMware specifically for the versions of ESX that you have in use. These are published for download periodically, as well as on an as-needed basis for security fixes. You can receive notifications for security-related patches by signing up for email notifications at http://www.vmware.com/security.
Similarly, you should never use a scanner to analyze the security of the service console unless the scanner is specifically designed to work with your version of ESX. In particular, scanners that assume the service console is a standard Red Hat Linux distribution routinely yield false positives. These scanners typically look only for strings in the names of software, and therefore do not account for the fact that VMware releases custom versions of packages with special names when providing security fixes. Because these special names are unknown to the scanners, they flag them as vulnerabilities when in reality they are not. You should use only scanners that specifically treat the ESX service console as a unique target. For more information, see the section Security Patches and Security Vulnerability Scanning Software in the chapter Service Console Security of the ESX Server 3 Configuration Guide.
In addition, you should not manage the service console as if it were a traditional Linux host. The usual redhat-config-* commands are not present, nor are other components such as the X server. Instead, you manage the ESX host using a series of purpose-built commands, such as vmkfstools and the esxcfg-* commands. Many of these commands should be used only upon instruction from VMware Technical Support, or not invoked manually at all, but a few provide functionality that is not available via the VI Client, such as authentication management and advanced storage configuration.
If you follow the best practice of isolating the network for the service console, there is no reason to run any antivirus or other such security agents, and their use is not necessarily recommended. However, if your environment requires that such agents be used, use a version designed to run on Red Hat Enterprise Linux 3, Update 6.
For more information on the special administrative commands in the service console, see ESX Technical Support Commands and Using vmkfstools in the appendices of the ESX Server 3 Configuration Guide.
The syslog daemon performs the system logging in ESX. You can access the log files in the service console by going to the /var/log/ directory. Several types of log files generated by ESX are shown in Table 11.
Table 11. Key Log Files Generated by ESX
Component Location Purpose
The log files provide an important tool for diagnosing security breaches as well as other system issues. They also provide key sources of audit information. In addition to storing log information in files on the local file system, you can send this log information to a remote system. The syslog program is typically used for computer system management and security auditing, and it can serve these purposes well for ESX hosts. You can select individual service console components for which you want the logs sent to a remote system.
The following tips provide best practices for logging:
Ensure accurate timekeeping.
By ensuring that all systems use the same relative time source (including the relevant localization offset), and that the relative time source can be correlated to an agreed-upon time standard (such as Coordinated Universal Time, UTC), you can make it simpler to track and correlate an intruder's actions when reviewing the relevant log files. In the service console, you set the time source using the NTP (Network Time Protocol) system. For instructions on how to configure NTP, see VMware knowledge base article 1339 (http://kb.vmware.com/kb/1339).
Control growth of log files.
In order to prevent the log file from filling up the disk partition on which it resides, configure log file rotation. This automatically creates a backup of the log file after it reaches a certain specified size and keeps only a specified number of older backup files before automatically deleting them, thus limiting the total disk usage for logging. The log rotation behavior is specified for each component in configuration files located in the directory /etc/logrotate.d as well as in the file /etc/logrotate.conf.
For the three files in /etc/logrotate.d (vmkernel, vmksummary, and vmkwarning) it is recommended that the configuration be modified to:
Increase the size of the log file to 4096k.
Enable compression by setting the line compress instead of nocompress.
This allows greater logging in the same file system space. For more information on configuring log file rotation, see man logrotate.
Use remote syslog logging.
Remote logging to a central host provides a way to greatly increase administration capabilities. By gathering log files onto a central host, you can easily monitor all hosts with a single tool as well as do aggregate analysis and searching to look for such things as coordinated attacks on multiple hosts.
An important point to consider is that the log messages are not encrypted when sent to the remote host, so it is important that the network for the service console be strictly isolated from other networks.
Syslog behavior is controlled by the configuration file /etc/syslog.conf. For logs you want to send to a remote log host, add a line with @<loghost.company.com> after the message type, where <loghost.company.com> is the name of a host configured to record remote log files. Make sure that this host name can be properly resolved, putting an entry in the name service maps if needed.
Example:
local6.warning @<loghost.company.com>
After modifying the file, tell the syslog daemon to reread it by issuing the following command:
kill -SIGHUP `cat /var/run/syslogd.pid`
Display different log level messages on different screens.
An option for syslog is to log to an alternate console, which can be displayed from the terminal of the ESX host. ESX has the capability at the console to display a number of virtual terminals. This gives you the capability to have critical, error, and warning messages displayed on different screens, enabling you to quickly differentiate types of errors.
To enable this separation of log message display, add the following lines to the /etc/syslog.conf file:
*.crit /dev/tty2
All log items at the critical level or higher are logged to the virtual terminal at tty2. Press Alt-F2 at the ESX console to view these logs.
*.err /dev/tty3
All log items at the error level or higher are logged to the virtual terminal at tty3. Press Alt-F3 at the ESX console to view these logs.
*.warning /dev/tty4
All log items at the warning level or higher are logged to the virtual terminal at tty4. Press Alt-F4 at the ESX Server console to view these logs.
When you are finished, issue the command for rereading the configuration file:
kill -SIGHUP `cat /var/run/syslogd.pid`
Use local and remote sudo logging.
If you have configured sudo to enable controlled execution of privileged commands, you can benefit from using syslog to audit use of these commands. By default, all invocations of sudo are logged to /var/log/secure. By modifying the line containing this file name in the syslog configuration file as described above, you can have all these log messages also sent to a remote syslog server.
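The logrotate, remote syslog, console and sudo tips above are all edits to /etc/logrotate.d and /etc/syslog.conf. The script below is an added example, not from the VMware paper, that makes those edits idempotently and verifies them. It works on copies in a sandbox directory so it runs anywhere; on an ESX host you would point the functions at the real files and then send syslogd the SIGHUP shown in the paper. The loghost name and the sample logrotate file are constructed.

```shell
#!/bin/sh
# Added example (not from the VMware paper): apply the logging tips to
# logrotate and syslog configuration files and check the result.

LOGHOST=loghost.example.com   # assumption: the central syslog server

# write_sample_logrotate FILE: a constructed stand-in for /etc/logrotate.d/vmkernel
write_sample_logrotate() {
    cat > "$1" <<'EOF'
/var/log/vmkernel {
    size 200k
    rotate 36
    nocompress
    missingok
}
EOF
}

# harden_logrotate FILE: size -> 4096k and nocompress -> compress (safe to rerun)
harden_logrotate() {
    sed -i -e 's/^\([[:space:]]*\)size[[:space:]].*$/\1size 4096k/' \
           -e 's/^\([[:space:]]*\)nocompress[[:space:]]*$/\1compress/' "$1"
}

# logrotate_setting FILE DIRECTIVE -> the directive's value (e.g. "4096k")
logrotate_setting() {
    sed -n "s/^[[:space:]]*$2[[:space:]]\{1,\}\(.*\)$/\1/p" "$1" | head -n 1
}

# has_directive FILE DIRECTIVE -> true if the bare directive is present
has_directive() { grep -Eq "^[[:space:]]*$2([[:space:]]|$)" "$1"; }

# syslog_route CONF SELECTOR ACTION: append "SELECTOR<TAB>ACTION" unless already there
syslog_route() {
    _line=$(printf '%s\t%s' "$2" "$3")
    grep -Fqx -- "$_line" "$1" 2>/dev/null || printf '%s\n' "$_line" >> "$1"
}

# count_remote_routes CONF -> number of active lines forwarding to an @loghost
count_remote_routes() { grep -Ec '^[^#[:space:]].*[[:space:]]@[^[:space:]]+' "$1" || true; }

# --- demonstration in a sandbox ---
SANDBOX=$(mktemp -d)
for _f in vmkernel vmksummary vmkwarning; do
    write_sample_logrotate "$SANDBOX/$_f"
    harden_logrotate "$SANDBOX/$_f"
done
CONF=$SANDBOX/syslog.conf
printf '*.info;mail.none;authpriv.none\t/var/log/messages\nauthpriv.*\t/var/log/secure\n' > "$CONF"
syslog_route "$CONF" 'authpriv.*'     "@$LOGHOST"   # sudo logs via /var/log/secure: send them remote too
syslog_route "$CONF" 'local6.warning' "@$LOGHOST"   # the paper's own example selector
syslog_route "$CONF" '*.crit'    /dev/tty2           # Alt-F2
syslog_route "$CONF" '*.err'     /dev/tty3           # Alt-F3
syslog_route "$CONF" '*.warning' /dev/tty4           # Alt-F4
echo "vmkernel rotates at $(logrotate_setting "$SANDBOX/vmkernel" size); remote routes: $(count_remote_routes "$CONF")"
cat "$CONF"
# On a real host, finish with:  kill -SIGHUP `cat /var/run/syslogd.pid`
rm -rf "$SANDBOX"
```

Because syslog_route only appends a line that is not already present, the script can be run from a configuration-management job on every host without duplicating routes; count_remote_routes gives a quick way to confirm on each host that forwarding to the loghost is in place.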
/etc/profile
/etc/ssh/sshd_config
/etc/pam.d/system-auth
/etc/grub.conf
/etc/krb.conf
/etc/krb5.conf
/etc/krb.realms
/etc/login.defs
/etc/openldap/ldap.conf
/etc/nscd.conf
/etc/ntp
/etc/ntp.conf
/etc/passwd
/etc/group
/etc/nsswitch.conf
/etc/resolv.conf
/etc/sudoers
/etc/shadow
In addition, ESX configuration files located in the /etc/vmware directory store all the VMkernel information. All of these files should be monitored for integrity and unauthorized tampering, using a commercial tool such as Tripwire or Configuresoft, or by using a checksum tool such as sha1sum, which is included in the service console. These files should also be backed up regularly, either using backup agents or by doing backups based on file copying. Not all of these files are actually used by your particular ESX deployment, but all the files are listed for completeness.
Another check to perform is to make sure that the file permissions of important files and utility commands have not been changed from the default. Some files in particular to check include:
The /usr/sbin/esxcfg-* commands, which are all installed by default with permissions 500, except for esxcfg-auth, which has permissions 544.
The log files discussed in the previous section, which all have permissions 600, except for the directory /var/log/vmware/webAccess, which has permissions 755, and the virtual machine log files, which have permissions 644.
Certain system commands that have the SUID bit. These commands are listed in Table 12-3 of the ESX Server 3 Configuration Guide.
For all of these files, the user and group owner should be root.
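The two checks above (a checksum baseline of the listed files and a permissions check on the esxcfg-* commands and log files) are simple to script with the sha1sum that ships in the service console. The following is an added example and is not from the VMware paper. To stay runnable anywhere it works on a sandbox directory populated with constructed files rather than the real /etc and /usr/sbin; on a host you would pass / as the root, keep the baseline file off the host, and use the default root:root owner.

```shell
#!/bin/sh
# Added example (not from the VMware paper): sha1sum baseline of the
# configuration files listed above, a later verification, and a check of the
# default modes and ownership the paper gives for esxcfg-* and the log files.

# Paths relative to the root being checked (the paper's list). Missing files
# are skipped because not every deployment uses all of them.
BASELINE_FILES='etc/profile etc/ssh/sshd_config etc/pam.d/system-auth etc/grub.conf
etc/krb.conf etc/krb5.conf etc/krb.realms etc/login.defs etc/openldap/ldap.conf
etc/nscd.conf etc/ntp.conf etc/passwd etc/group etc/nsswitch.conf etc/resolv.conf
etc/sudoers etc/shadow'

# baseline_create ROOT OUT: writes "sha1  path" lines; prints how many files were recorded
baseline_create() {
    _root=$1; _out=$2; : > "$_out"
    for _f in $BASELINE_FILES; do
        [ -f "$_root/$_f" ] && (cd "$_root" && sha1sum "$_f") >> "$_out"
    done
    # /etc/vmware holds the VMkernel configuration: record every regular file in it.
    [ -d "$_root/etc/vmware" ] && (cd "$_root" && find etc/vmware -type f | sort | xargs -r sha1sum) >> "$_out"
    wc -l < "$_out"
}

# baseline_verify ROOT BASELINE: prints files that changed or vanished; return value is their count
baseline_verify() {
    _out=$( (cd "$1" && sha1sum -c --quiet "$2" 2>/dev/null) || true)
    [ -n "$_out" ] && printf '%s\n' "$_out"
    _n=$(printf '%s\n' "$_out" | grep -c FAILED || true)
    return "$_n"
}

# expect_mode PATH MODE OWNER:GROUP -> 0 if both match, else prints the deviation and returns 1
expect_mode() {
    _have=$(stat -c '%a %U:%G' "$1")
    [ "$_have" = "$2 $3" ] && return 0
    echo "PERMS    $1 is $_have, expected $2 $3"
    return 1
}

# perms_check ROOT [OWNER:GROUP]: the defaults stated in the paper; return value is the deviation count
perms_check() {
    _root=$1; _owner=${2:-root:root}; _bad=0
    for _p in "$_root"/usr/sbin/esxcfg-*; do
        [ -f "$_p" ] || continue
        case "$_p" in */esxcfg-auth) _want=544 ;; *) _want=500 ;; esac
        expect_mode "$_p" "$_want" "$_owner" || _bad=$((_bad + 1))
    done
    for _p in $(find "$_root/var/log" -type f 2>/dev/null); do
        expect_mode "$_p" 600 "$_owner" || _bad=$((_bad + 1))
    done
    [ -d "$_root/var/log/vmware/webAccess" ] \
        && { expect_mode "$_root/var/log/vmware/webAccess" 755 "$_owner" || _bad=$((_bad + 1)); }
    return $_bad
}

# make_sandbox ROOT: a constructed stand-in for the host file system, with one
# log file deliberately left at 644 instead of 600.
make_sandbox() {
    _r=$1
    mkdir -p "$_r/etc/vmware" "$_r/usr/sbin" "$_r/var/log/vmware/webAccess"
    echo 'umask 022' > "$_r/etc/profile"
    echo 'root:x:0:0:root:/root:/bin/bash' > "$_r/etc/passwd"
    echo 'root ALL=(ALL) ALL' > "$_r/etc/sudoers"
    echo 'root:*:14000:0:99999:7:::' > "$_r/etc/shadow"
    echo '/adv/Misc/HostName = "esx01"' > "$_r/etc/vmware/esx.conf"
    for _c in esxcfg-firewall esxcfg-vswitch esxcfg-auth; do echo '#!/bin/sh' > "$_r/usr/sbin/$_c"; done
    chmod 500 "$_r/usr/sbin/esxcfg-firewall" "$_r/usr/sbin/esxcfg-vswitch"
    chmod 544 "$_r/usr/sbin/esxcfg-auth"
    echo 'Jan  1 00:00:00 esx01 syslogd: restart' > "$_r/var/log/messages"
    echo 'hostd started' > "$_r/var/log/vmware/hostd.log"
    chmod 600 "$_r/var/log/messages"; chmod 644 "$_r/var/log/vmware/hostd.log"
    chmod 755 "$_r/var/log/vmware/webAccess"
}

ROOT=$(mktemp -d); BASE=$(mktemp)
make_sandbox "$ROOT"
echo "baselined $(baseline_create "$ROOT" "$BASE") files"
echo 'alice ALL=(ALL) NOPASSWD: ALL' >> "$ROOT/etc/sudoers"      # simulate tampering
baseline_verify "$ROOT" "$BASE" || echo "changed files: $?"
perms_check "$ROOT" "$(id -un):$(id -gn)" || echo "permission deviations: $?"
rm -rf "$ROOT" "$BASE"
```

The owner argument exists only so the sandbox, which is owned by whoever runs the script, can be checked; on a real host omit it so that root:root is enforced as the paper requires. Store the baseline somewhere the host cannot write to, since a baseline kept on the host can be regenerated by the same intruder who changed the files.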
It is recommended that you configure ESX 3.5 to use SNMP version 3, which provides for authentication and privacy of messages between the agent and management station. Consult the snmpd.conf man page for more information on configuring SNMP.
Lockdown mode is available on any ESXi 3.5 host that you have added to a VirtualCenter Server. Enabling lockdown mode disables all remote root access to ESXi 3.5 machines. Any subsequent local changes to the host must be made:
In a VI Client session or using Remote CLI commands to VirtualCenter.
In a VI Client session or using Remote CLI commands direct to the ESXi 3.5 system using a local user account defined on the host. By default, no local user accounts exist on the ESXi system. You must create those accounts before enabling lockdown mode and must create them in a VI Client session connected directly to the ESXi system. Changes to a host are limited to those that can be made with the privileges granted to a particular user locally on that host.
It is recommended that you enable lockdown mode for your ESXi 3.5 hosts. You can enable and disable lockdown mode either using a VI Client logged in to VirtualCenter or using the direct console user interface (DCUI). For details on how to do this, see the chapter Security Deployments and Recommendations in the ESX Server 3i Configuration Guide.
You have not purchased VirtualCenter, perhaps because you are just starting out with ESXi or because you have a very small deployment
You want to provide for administrative access to the system in case VirtualCenter is down or otherwise unavailable, or if the VirtualCenter agent on the host is not working properly
You need to use Remote CLI commands, such as those for backing up and restoring the configuration of the system, that must be run directly on the host, not through VirtualCenter
Security best practices dictate that the root password should be known to as few individuals as possible, and the root account should not be used if any alternative is possible, because it is an anonymous account and activity by the root user cannot be definitively associated with a specific individual. The root password is initially blank, so one of your first steps in configuring the server should be to create a strong password for the root account.
ESXi 3.5 allows you to create local users and groups on the system. Definitions for these users and groups are stored locally on each individual ESXi host, and the definitions for each host are totally independent of other hosts. You cannot use Active Directory or any other directory service to identify or authenticate the local users. Furthermore, the user and group lists maintained by VirtualCenter are completely separate from the lists maintained by ESXi hosts. Even if the lists maintained by a host and VirtualCenter appear to have common users (for instance, a user called devuser), you must treat these users as separate users who happen to have the same name. The attributes of devuser in VirtualCenter, including permissions and passwords, are separate from the attributes of devuser on the ESXi host. If you log on to VirtualCenter as devuser, you might have permission to view and delete files from a datastore, whereas if you log on to an ESXi host as devuser, you might not.
Becauseoftheconfusionthatduplicatenamingcancause,VMwarerecommendsthatyoucheckthe
VirtualCenteruserlistbeforeyoucreateESXihostuserssoyoucanavoidcreatinghostusersthathavethe
samenamesasVirtualCenterusers.TocheckforVirtualCenterusers,reviewtheWindowsdomainlist.
Youcangrantvariouslevelsofpermissionstolocalusers.TheprivilegemodelforanESXihostmirrorsthatof
VirtualCenter,exceptitlacksobjectssuchasdatacentersandclusters,whichhavenomeaningforan
individualhost.Youcancreatecustomrolesthatgrantspecificprivileges,thenassignthemtocertainusers.
Theseprivilegesaffectwhataparticularusercando,bothinaVIClientandusingtheRemoteCLI.Youshould
createadifferentlocaluseraccountforanypersonwhomightneeddirectaccesstothehostandgrantthat
userparticularprivilegestolimittheuserscapabilities.Youcanuselocalgroupdefinitionstosimplifythis
assignment.
Oneparticularbuiltinlocalgrouphasspecialmeaning.Ifyougiveausermembershipinthelocaladmin
group,thatuserhastheabilitytologintotheDCUI,whichistheinterfaceavailableattheconsoleofanESXi
hostthatallowsforbasichostconfigurationmodifyingnetworkingsettingsandtherootpassword,for
example.AssignmenttothisgroupenablesanadministrativeusertoperformtasksontheDCUIwithout
logginginasroot.However,thisisaverypowerfulprivilege,becauseaccesstotheDCUIallowssomeoneto
changetherootpasswordorevenpoweroffthehost.Therefore,onlythemosttrustedadministratorsshould
begrantedmembershiptothelocaladmingroup.
FormoreinformationonlocalusersandprivilegesinESXi,seethechapterAuthenticationandUser
ManagementintheServer3iConfigurationGuide.
An ESXi 3.5 host maintains the following log files:
hostd.log
messages
vpxa.log (only if the host has been joined to a VirtualCenter instance)
There are several ways to view the contents of these log files.
To view the logs in a VI Client, take the following steps:
1 Log in directly to the ESXi host using VI Client and make sure the host is selected in the Inventory.
2 Click Administration, then click the System Logs tab.
3 Choose the log file you want to view in the drop-down menu in the upper left.
To view the logs in a Web browser, enter the URL https://<hostname>/host, where <hostname> is the host name or IP address of the management interface of the ESXi host, then choose from the list of files presented.
You can use the Remote CLI command vifs to download the log files to your local system.
You can also configure syslog to send log messages to a remote system.
As with ESX 3.5, you should configure NTP on the host to ensure accurate timekeeping.
You can find more information on configuring syslog and NTP for ESXi hosts in the following documents:
The System Log Files and Host Configuration for ESX Server and VirtualCenter sections of the System Configuration chapter in the Basic System Administration guide.
The appendix Remote Command-Line Interface Reference in the ESX Server 3i Configuration Guide.
The configuration of an ESXi 3.5 host is held in the following files:
esx.conf
hostAgentConfig.xml
hosts
license.cfg
motd
openwsman.conf
proxy.xml
snmp.xml
ssl_cert
ssl_key
syslog.conf
vmware_config
vmware_configrules
vmware.lic
vpxa.cfg
To view the configuration files in a Web browser, enter the URL https://<hostname>/host, where <hostname> is the host name or IP address of the management interface of the ESXi host, then choose from the list of files presented. Note that ssl_key is the private key for the host's SSL certificate, so treat any copy you download, and the credentials of any account that can retrieve it, accordingly.
You can use the Remote CLI command vifs to download the configuration files to your local system, as well as to upload new versions of these files. Although in some cases the new settings take effect immediately, you should always restart the ESXi host after making changes directly to the configuration files (as opposed to making configuration changes via the VI Client, VirtualCenter, or the Remote CLI).
SNMP messages contain a field called the community string, which conveys context and usually identifies the sending system for notifications. This field also provides context for the instance of a MIB module on which the host should return information. ESX/ESXi SNMP agents allow multiple community strings per notification target as well as for polling. Keep in mind that community strings are not meant to function as passwords, but only as a method for logical separation.
SNMP v1 and v2c traffic is not encrypted, which means that messages can be snooped, and they could be modified in flight without the receiver knowing about it. Ways to mitigate this risk include:
Run SNMP on trusted networks, use routing and layer 2 filtering to lock down MAC addresses to layer 2 ports, and route SNMP traffic to trusted servers.
Run SNMP in a VPN/IPsec tunnel on your edge routers for SNMP traffic.
Do not provide root credentials to remote applications to access the CIM interface. Instead, create a service account specific to these applications. Read-only access to CIM information is granted to any local account defined on the ESXi system.
If the application requires write access to the CIM interface, only two local privileges are required. It is recommended that you create a local role to apply to the service account with only these privileges:
Host > Config > System Management
Host > CIM > CIM Interaction
Technical support mode is designed to be used only in cases of emergency, when the management agents that provide the remote interfaces are inoperable and cannot be restarted through the DCUI. There is no reason to use technical support mode for any other purpose apart from technical support. Technical support mode is on by default, but you can disable it entirely.
Technical support mode is secured in the following ways:
It is accessible only on the local console; unlike SSH or Telnet, it cannot be accessed remotely. Thus, physical access to the host, or something equivalent to physical access such as HP iLO, Dell DRAC, IBM RSA, or a similar remote console tool, is absolutely required for access to technical support mode. Most organizations have sufficient forms of protection on physical (or physical-equivalent) access to the host (for example, door locks, key cards, and authentication for the remote console).
It requires the root password before access is granted. Any individuals who have both physical (or console) access and the root password are already fully privileged and can do anything they want on the system. The presence of technical support mode does not augment or reduce this risk.
You can audit technical support mode using the following information:
Whenever someone activates technical support mode, the time and date of activation are sent to the system log (messages) file.
All unsuccessful attempts to access technical support mode (that is, someone enters the incorrect root password) are recorded in the system log.
The time and date of all successful accesses to technical support mode are sent to the system log.
To ensure accurate and reliable system logs, you should configure remote syslog on the server, so log messages are kept on an outside system and cannot be altered from the server. Actions performed while in technical support mode are not logged. Any access to technical support mode should be correlated with a specific call to VMware Technical Support. If there is no corresponding support session, you should immediately suspect malicious activity and inspect the system for tampering.
If you are unable to audit technical support mode to a degree that matches your security risk posture, you should disable it for all of your ESXi hosts. For details on disabling technical support mode, see VMware knowledge base article 1003677 (http://kb.vmware.com/kb/1003677).
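As an added example, not part of the paper, the following Python script applies the audit just described to a remote syslog copy of a host's messages file: it extracts the three kinds of technical support mode events the paper says are logged, counts failed root password attempts, and reports successful logins that fall outside any VMware support session on that host. The log lines and the ticket list are constructed for the example, and the exact message text that ESXi 3.5 writes is an assumption, so adjust the regular expressions to what your hosts actually log.

```python
"""Added example (not from the VMware paper): audit technical support mode use
from a remote syslog copy of an ESXi host's messages file and flag logins that
have no matching VMware support session.

Assumptions: the log lines and ticket list below are constructed for the
example, and the message wording is an assumption; adapt EVENT_PATTERNS to the
lines your hosts actually produce."""

import re
from datetime import datetime, timedelta

LOG_YEAR = 2008  # classic syslog timestamps carry no year

# Constructed sample of what a remote syslog server might hold for one host.
SAMPLE_LOG = """\
Jul  8 09:14:02 esxi-01 DCUI: Tech Support Mode activated
Jul  8 09:14:05 esxi-01 login: FAILED LOGIN for root on tty1
Jul  8 09:14:20 esxi-01 login: root login on tty1 (Tech Support Mode)
Jul  9 23:41:11 esxi-01 DCUI: Tech Support Mode activated
Jul  9 23:41:15 esxi-01 login: root login on tty1 (Tech Support Mode)
"""

# Constructed ticket list: (host, support session start, support session end).
SAMPLE_TICKETS = [
    ("esxi-01", datetime(2008, 7, 8, 9, 0), datetime(2008, 7, 8, 11, 0)),
]

SYSLOG_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")

# The three event classes the paper says are recorded: activation, failed root
# password, successful access.  Message wording is an assumption.
EVENT_PATTERNS = {
    "activated": re.compile(r"Tech Support Mode activated"),
    "failed": re.compile(r"FAILED LOGIN for root"),
    "success": re.compile(r"root login on \S+ \(Tech Support Mode\)"),
}


def parse_events(log_text, year=LOG_YEAR):
    """Return [(timestamp, host, kind)] for every technical-support-mode line."""
    events = []
    for line in log_text.splitlines():
        m = SYSLOG_LINE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        for kind, pattern in EVENT_PATTERNS.items():
            if pattern.search(m["msg"]):
                events.append((ts, m["host"], kind))
                break
    return events


def count_failed(events):
    """Number of incorrect root password attempts (password guessing signal)."""
    return sum(1 for _, _, kind in events if kind == "failed")


def unmatched_access(events, tickets, slack=timedelta(hours=1)):
    """Successful logins not covered by a support session on that host,
    allowing `slack` on either side of the ticket window."""
    def covered(ts, host):
        return any(h == host and start - slack <= ts <= end + slack
                   for h, start, end in tickets)
    return [(ts, host) for ts, host, kind in events
            if kind == "success" and not covered(ts, host)]


if __name__ == "__main__":
    ev = parse_events(SAMPLE_LOG)
    print(f"{count_failed(ev)} failed root attempt(s)")
    for ts, host in unmatched_access(ev, SAMPLE_TICKETS):
        print(f"UNMATCHED: {host} technical support mode login at {ts:%Y-%m-%d %H:%M}")
```

Run against the constructed data, the script reports one failed root attempt and flags the Jul 9 login, which no ticket covers; per the paper, that is the case to treat as suspected tampering. Because actions taken inside technical support mode are not logged, the login event itself is the only trail, which is why the correlation has to be strict.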
VMware Infrastructure uses three types of infrastructure networks, which carry traffic distinct from virtual machine traffic:
Management. This includes the following types of communication:
Between ESX/ESXi and VirtualCenter
Amongst ESX/ESXi hosts, for example, for VMware High Availability coordination
Between ESX/ESXi or VirtualCenter and systems running client software such as the VI Client or a VI SDK application
Between ESX/ESXi and ancillary management services, such as DNS, NTP, syslog, and the user authentication service
Between ESX/ESXi and third-party management tools, such as hardware monitoring, systems management, and backup tools
Between VirtualCenter and supporting services, such as the VirtualCenter database and the user authentication service
Between VirtualCenter and optional add-on components such as VMware Update Manager and VMware Converter Enterprise, if they are installed on separate servers
VMotion. This involves transferring the live running state of a virtual machine from one ESX/ESXi host to another.
Storage. This includes any network-based storage, such as iSCSI and NFS.
All of the networks used for these communications provide direct access to core functionality of VMware Infrastructure. The management network provides access to the VMware Infrastructure management interface on each component, and any remote attack would most likely begin with gaining entry to this network. VMotion traffic is not encrypted, so the entire state of a virtual machine, memory contents included, could potentially be snooped from this network. Finally, access to the storage network potentially allows someone to read the contents of virtual disks residing on shared storage. Therefore, all of these networks should be isolated and strongly secured from all other traffic, especially any traffic going to and from virtual machines. The exception is if one of the components listed above actually runs in a virtual machine. In that case, this virtual machine naturally has an interface on the management network and thus should not have an interface on any other network.
VMware recommends that you isolate networks using one of these methods:
Create a separate VLAN for each network.
Configure network access for each network through its own virtual switch and one or more uplink ports.
In either case, you should consider using NIC teaming for the virtual switches to provide redundancy.
If you use VLANs, you need fewer physical NICs to provide the isolation, a factor that is especially important in environments with constrained hardware such as blades. VMware virtual switches are by design immune to certain types of attacks that have traditionally targeted VLAN functionality. For details, see the chapter Securing an ESX Server 3 Configuration in the ESX Server 3 Configuration Guide. In general, VMware believes that VLAN technology is mature enough that it can be considered a viable option for providing network isolation.
ESX/ESXi does not support virtual switch port groups configured to VLAN 1. If the physical switch port to which the ESX/ESXi host is connected is configured with VLAN 1, ESX/ESXi drops all packets. You can configure the ESX/ESXi virtual switch port groups with any value between 2 and 4094. Utilizing VLAN 1 causes a denial of service because ESX/ESXi drops this traffic. It is recommended that you check the physical network hardware configuration to verify that the ports to which the ESX/ESXi host connects are not configured to VLAN 1. In addition, VLAN ID 4095 specifies that the port group should use trunk mode, also called VGT (virtual guest tagging) mode, which allows the guest operating system to manage its own VLAN tags. Guest operating systems typically do not manage their VLAN membership on networks, so if this value is set, ensure that there is a legitimate reason for doing so.
If you do not use VLANs, either because you have no VLAN support in your environment or because you do not consider VLANs strong enough for isolation, you can combine the three types of infrastructure-related networks onto two or fewer virtual switches. However, you should still keep the virtual machine networks separate from the infrastructure networks by using separate virtual switches with separate uplinks.
Although promiscuous mode can be useful for tracking network activity, it is an insecure mode of operation, because any adapter in promiscuous mode has access to packets regardless of whether some of the packets should be received only by a particular network adapter. This means that an administrator or root user within a virtual machine can potentially view traffic destined for other guest operating systems. You should use promiscuous mode only for security monitoring (for example, for an IDS system), debugging, or troubleshooting.
By default, promiscuous mode is set to Reject. You can change this option by modifying the security policy on an individual port group or on the entire virtual switch, as described in the section Layer 2 Security Policy in the ESX Server 3 Configuration Guide. Setting this policy per port group allows you to have one or more privileged virtual machines on a port group that allows promiscuous mode, while other port groups on the same switch do not grant this privilege.
When it is created, a network adapter's effective MAC address and initial MAC address are the same. However, the virtual machine's operating system can alter the effective MAC address to another value at any time. If an operating system changes the effective MAC address, its network adapter then receives network traffic destined for the new MAC address. The operating system can send frames with an impersonated source MAC address at any time. Thus, an operating system can stage malicious attacks on the devices in a network by impersonating a network adapter authorized by the receiving network. You can use virtual switch security profiles on ESX/ESXi hosts to protect against this type of attack by setting two options, which you should set for each virtual switch:
MAC address changes. By default, this option is set to Accept, meaning that ESX/ESXi accepts requests to change the effective MAC address to a value other than the initial MAC address. The MAC Address Changes option setting affects traffic received by a virtual machine.
To protect against MAC impersonation, you can set this option to Reject. If you do, ESX/ESXi does not honor requests to change the effective MAC address to anything other than the initial MAC address. Instead, the port that the virtual adapter used to send the request is disabled. As a result, the virtual adapter does not receive any more frames until it changes the effective MAC address back to match the initial MAC address. The guest operating system does not detect that the MAC address change has not been honored.
Forged transmissions. By default, this option is set to Accept, meaning ESX/ESXi does not compare source and effective MAC addresses. The Forged Transmits option setting affects traffic transmitted from a virtual machine.
If you set this option to Reject, ESX/ESXi compares the source MAC address being transmitted by the operating system with the effective MAC address for its adapter to see if they match. If the addresses do not match, ESX/ESXi drops the packet. The guest operating system does not detect that its virtual network adapter cannot send packets using the impersonated MAC address. ESX/ESXi intercepts any packets with impersonated addresses before they are delivered, and the guest operating system might assume that the packets have been dropped.
It is recommended that you set both of these options to Reject for maximal security. Before doing so, identify virtual machines that legitimately change or spoof their MAC address, such as certain clustering and network load balancing configurations, and give them a port group of their own rather than relaxing the policy for the whole switch.
You can also set these security policies on a per-port-group basis, which lets you override the virtual switch setting for that particular port group. If you need to configure a different policy for a particular virtual machine (for example, if you have an intrusion detection virtual appliance that needs to monitor all traffic on a virtual switch), you can create a special port group for this (and only this) virtual appliance with the modified settings.
To learn how these options are configured, see the section Layer 2 Security Policy in the ESX Server 3 Configuration Guide.
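The VLAN rules and the Layer 2 security policy described above can be checked mechanically across a host's port groups. The following is an added example, not code from the paper or from VMware: a Python audit that applies the VLAN ID rules (1 is dropped, 4095 selects VGT mode, 2 through 4094 otherwise) and the three security policy options, honoring per-port-group overrides of the vSwitch setting and allowing Promiscuous Mode only on a port group that the operator has marked as holding a monitoring appliance. The vSwitch and port group records are constructed for the example rather than read from a host, and treating VLAN 0 as untagged is an assumption.

```python
"""Added example (not from the VMware paper): audit ESX/ESXi 3.5 port groups
against the paper's VLAN ID rules and Layer 2 security policy recommendations.

Assumptions: the vSwitch and port-group records are constructed for the
example rather than read from a host; VLAN 0 is taken to mean no tagging; a
port group counts as a monitoring appliance's only when the operator marks it."""

from dataclasses import dataclass, field, asdict

ACCEPT, REJECT = "Accept", "Reject"
OPTIONS = ("promiscuous", "mac_changes", "forged_transmits")


@dataclass
class SecurityPolicy:
    # ESX/ESXi 3.5 factory defaults as the paper states them
    promiscuous: str = REJECT
    mac_changes: str = ACCEPT
    forged_transmits: str = ACCEPT


@dataclass
class VSwitch:
    name: str
    policy: SecurityPolicy = field(default_factory=SecurityPolicy)


@dataclass
class PortGroup:
    name: str
    vswitch: VSwitch
    vlan_id: int
    # per-port-group overrides of the vSwitch policy, e.g. {"promiscuous": ACCEPT}
    override: dict = field(default_factory=dict)
    # set only for a dedicated port group holding an IDS or similar appliance
    monitoring_appliance: bool = False


def effective_policy(pg):
    """A port-group setting overrides the vSwitch setting; others inherit."""
    policy = asdict(pg.vswitch.policy)
    for option, value in pg.override.items():
        if option not in OPTIONS or value not in (ACCEPT, REJECT):
            raise ValueError(f"{pg.name}: bad override {option}={value!r}")
        policy[option] = value
    return policy


def audit_vlan(pg):
    """Findings for the port group's VLAN ID (empty list = acceptable)."""
    v = pg.vlan_id
    if v == 1:
        return [f"{pg.name}: VLAN 1 is not supported; ESX/ESXi drops this traffic (denial of service)"]
    if v == 4095:
        return [f"{pg.name}: VLAN 4095 selects VGT/trunk mode; the guest manages its own tags, confirm this is intended"]
    if v == 0:
        return []  # untagged; isolation must then come from a separate vSwitch and uplinks
    if not 2 <= v <= 4094:
        return [f"{pg.name}: VLAN ID {v} is outside the supported range 2-4094"]
    return []


def audit_policy(pg):
    """Findings for the three Layer 2 security options as they apply to pg."""
    findings = []
    for option, value in effective_policy(pg).items():
        if value != ACCEPT:
            continue
        if option == "promiscuous" and pg.monitoring_appliance:
            continue  # the one documented reason to allow promiscuous mode
        findings.append(f"{pg.name}: {option} is Accept; set it to Reject")
    return findings


def audit(port_groups):
    """Map each port-group name to its list of findings (empty = compliant)."""
    return {pg.name: audit_vlan(pg) + audit_policy(pg) for pg in port_groups}


if __name__ == "__main__":
    # Constructed inventory: one switch at factory defaults, one hardened.
    default_sw = VSwitch("vSwitch0")
    hardened_sw = VSwitch("vSwitch1", SecurityPolicy(REJECT, REJECT, REJECT))
    inventory = [
        PortGroup("Production", default_sw, 100),
        PortGroup("IDS", hardened_sw, 100, {"promiscuous": ACCEPT}, monitoring_appliance=True),
        PortGroup("Legacy", hardened_sw, 1),
        PortGroup("Trunk", hardened_sw, 4095),
    ]
    for name, findings in audit(inventory).items():
        print(f"{name}: {len(findings)} finding(s)")
        for f in findings:
            print("  -", f)
```

On the constructed inventory, the port group on the factory-default switch is flagged for MAC Address Changes and Forged Transmits, the IDS port group passes because its promiscuous override is expected, and the VLAN 1 and VLAN 4095 port groups each produce one finding. Modeling the override as a separate layer mirrors how the effective setting is determined on the host, so the audit judges what the virtual machine actually gets rather than what the switch default says.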
For ESX 3.5, which runs a service console, one way to guard against this is to use GRUB passwords to prevent users from booting into single-user mode or passing options to the kernel during boot. Unless the password is entered, the server boots only the kernel with the default options. For more information on GRUB passwords, see the GNU GRUB Manual at http://www.gnu.org/software/grub/manual/html_node/index.html. This technique does not apply to ESXi 3.5, because there is no service console available at the console of the host.
LUN masking is commonly used for permission management. LUN masking is also referred to as selective storage presentation, access control, and partitioning, depending on the vendor. LUN masking is performed at the storage processor or server level. It makes a LUN invisible when a target is scanned. The administrator configures the disk array so each server or group of servers can see only certain LUNs. Masking capabilities for each disk array are vendor specific, as are the tools for managing LUN masking.
You should use zoning and LUN masking to segregate SAN activity. For example, you can manage zones defined for testing independently within the SAN so they do not interfere with activity in the production zones. Similarly, you could set up different zones for different departments. Zoning must take into account any host groups that have been set up on the SAN device.
You have two choices when you set up authentication for iSCSI SANs on the ESX/ESXi host:
Challenge Handshake Authentication Protocol (CHAP). You can configure the iSCSI SAN to use CHAP authentication. ESX/ESXi supports one-way CHAP authentication for iSCSI. It does not support bidirectional CHAP. In one-way CHAP authentication, the target authenticates the initiator, but the initiator does not authenticate the target. The initiator has only one set of credentials, and all of the iSCSI targets use them. ESX/ESXi supports CHAP authentication at the HBA level only. It does not support per-target CHAP authentication, which would enable you to configure different credentials for each target to achieve greater target refinement.
Disabled. You can configure the iSCSI SAN to use no authentication. Communications between the initiator and target are then authenticated only in a rudimentary way, because the iSCSI target devices are typically set up to communicate with specific initiators only. Note that an initiator's iSCSI name is not a secret and can be set by anyone with access to the storage network, so restricting targets by initiator name provides no real authentication.
Choosing not to enforce more stringent authentication can make sense if you create a dedicated network or VLAN to service all your iSCSI devices. Because the iSCSI facility is isolated from general network traffic, it is less vulnerable to exploit.
ESX/ESXi does not support Kerberos, Secure Remote Protocol (SRP), or public key authentication methods for iSCSI. Additionally, it does not support IPsec authentication and encryption.
For information on how to determine whether authentication is currently being performed and to configure the authentication method, see the chapter Securing an ESX Server 3 Configuration in the ESX Server 3 Configuration Guide.
VirtualCenter
VirtualCenter provides a powerful way to manage and control your VMware Infrastructure environment from a central point and enables more sophisticated operations through tools that work through its SDK. It is extremely powerful and therefore should be subject to the strictest security standards.
The password that VirtualCenter uses to access its database is stored in the Windows registry in an encoded format. Although the password cannot be read directly, it is not protected by encryption, so you should protect the registry on the VirtualCenter host to prevent unauthorized access to the VirtualCenter database.
In general, you should harden and lock down the VirtualCenter host according to industry-standard configuration guides, such as the DISA STIG or the CIS Benchmark.
To create a dedicated VirtualCenter administrator account that does not depend on the Windows local Administrators group, take the following steps:
1 Create a local account for an ordinary user on the Windows host. This is the account the VirtualCenter administrator should use to manage VirtualCenter.
2 In VirtualCenter, log on as the Windows Administrator, then grant VirtualCenter root administrator access to the newly created account.
3 Log out of VirtualCenter, then make sure you can log in to VirtualCenter as the new user and that this user is able to perform all tasks available to a VirtualCenter administrator.
4 Remove the permissions in VirtualCenter for the local Administrators group.
By configuring accounts in this way, you avoid automatically giving administrative access to domain administrators, who typically belong to the local Administrators group. This also provides a way of logging in to VirtualCenter when the domain controller is down, because the local VirtualCenter administrator account does not require remote authentication.
Use the following guidelines to limit network connectivity:
Firewalls
You should protect the VirtualCenter server using a firewall. This firewall may sit between the clients and the VirtualCenter server, or both the VirtualCenter server and the clients may sit behind the firewall, depending on your deployment. The main consideration is ensuring that a firewall is present at what you consider to be an entry point for the system as a whole.
Use firewalls to restrict which systems can access VirtualCenter by IP address.
For more information on the possible locations for firewalls used with VirtualCenter, see the section Firewalls for Configurations with a VirtualCenter Server in the ESX Server 3 Configuration Guide.
TCP and UDP ports for management access
Networks configured with a VirtualCenter server can receive communications from several types of clients: the VI Client, VI Web Access, a system with the Remote CLI or one of the VI Toolkits for scripting installed, or third-party network management clients that use the SDK to interact with the host. During normal operation, VirtualCenter listens on designated ports for data from the hosts it is managing and from clients. VirtualCenter also assumes that the hosts it is managing listen for data from VirtualCenter on designated ports. If a firewall is present between any of these components, you must ensure that the appropriate ports are open to support data transfer through the firewall.
The section TCP and UDP Ports for Management Access in the ESX Server 3 Configuration Guide lists all the predetermined TCP and UDP ports used for management access to your VirtualCenter server, ESX hosts, and other network components. Study this section carefully to determine how to configure your firewalls to maintain maximum security while still allowing required management operations.
NOTE You might not be able to open a VI Client remote console when your network is configured such that a firewall using NAT stands between the ESX host and the computer running the VI Client. See VMware knowledge base article 749640 (http://kb.vmware.com/kb/749640) for a workaround for this issue.
Use Proper Security Measures when Configuring the Database for VirtualCenter
You should install the VirtualCenter database on a separate server or virtual machine and subject it to the same security measures as any production database. You should also carefully configure the permissions used for access to the database to the minimum necessary. Use the guidelines appropriate to your database.
Microsoft SQL Server
During installation and upgrade, the VirtualCenter account must have the DB Owner role. During normal operations, you may further restrict permissions to the following:
Invoke/execute stored procedures
Select, update, insert
Delete
Oracle
The privileges required for the VirtualCenter account are listed in the section Preparing the VirtualCenter Server Database of the chapter Installing VMware Infrastructure Management in the ESX Server 3 Installation Guide.
NOTE You need to replace the default VirtualCenter Server certificate before enabling server certificate verification.
For background and information on replacing VirtualCenter Server certificates, see the technical note Replacing VirtualCenter Server Certificates (http://www.vmware.com/vmtn/resources/658). For information on enabling server certificate verification for VI Client installations, including how to pre-trust certificates and how to modify the Windows registry for client hosts, see VMware knowledge base article 4646606 (http://kb.vmware.com/kb/4646606).
When you assign VirtualCenter roles and permissions, follow these guidelines:
Create roles that enable only the necessary tasks. For example, a user who is only going to make use of an assigned virtual machine might need permission only to power the machine on or off, and not necessarily to attach a CD or floppy device.
Assign roles to as limited a scope as necessary. For example, you can give a user certain permissions on a resource pool instead of a discrete host, and you can use folders to contain the scope of a privilege.
For more information on VirtualCenter roles, see the paper Managing VirtualCenter Roles and Permissions (http://www.vmware.com/resources/techresources/826).
For compliance and auditing, it is important that you have a record of these configurations over time. One convenient way to capture everything in one place is to use the Generate VirtualCenter Server log bundle command, in the VMware program file menu on the VirtualCenter host. This tool is designed to capture information to be used for troubleshooting and debugging, but the resulting archive file serves as a convenient way to maintain a historical record.
The resulting ZIP archive includes files that contain the values of relevant Windows registry entries, configuration files for VirtualCenter and any add-on components, and log files for VirtualCenter, the license server, and any add-on components. By performing this task on a regular basis, you can keep track of all changes that affect your VirtualCenter installation. Because the archive contains registry values and configuration files, protect it as carefully as the VirtualCenter host itself.
If you want to monitor the log files directly, use Table 12 to determine which files to watch:
Table 12. Paths to Key VirtualCenter Log Files
Component          Default path to file
License manager    C:\WINDOWS\Temp\lmgrd.log
The following add-on components extend VirtualCenter:
VMware Update Manager: manages and automates patch management and tracking of ESX hosts and virtual machines, including powered-off virtual machines and virtual machine templates.
VMware Converter Enterprise for VirtualCenter: provides an integrated solution for migrating both physical and virtual machines to VMware Infrastructure.
VMware Guided Consolidation: automatically discovers physical servers, helps analyze their performance, and triggers the conversion of physical to virtual machines placed intelligently on a suitable host.
In order to maintain isolation of the VirtualCenter host, it is recommended that you install VMware Update Manager on a separate host or in a virtual machine. This host needs to have access to VirtualCenter using the VI API interface (available by default on TCP port 443). In the default installation, the host where you install VMware Update Manager also needs access to the Internet in order to download patches and patch information. You can configure it to use a Web proxy, a step you should take if a Web proxy is available. For highest security, you can install the Update Manager Download Service on a separate server, and the patches and information that it downloads can be transferred manually to the Update Manager host, for example using a USB key or a scheduled, secure file transfer. This avoids having the Update Manager host itself connected to an external network. For more information on installing Update Manager and the Update Manager Download Service, see the chapter Working with Update Manager in the Update Manager Administration Guide.
The use of Converter has the potential for introducing some security risks. When migrating physical or virtual machines to VMware Infrastructure, you run the risk of importing a compromised or infected server. Because the import occurs with little modification to the source, you could be introducing a vulnerability directly into your environment. You might want to consider using Converter only in test or staging environments.
Guided Consolidation is not an optional component, and you cannot install it on a separate host. It is always running as a service on the VirtualCenter Server host. Guided Consolidation requires access to the ports for WMI, Perfmon, and Remote Registry: ports 135, 137, 138, 139, and 445. These ports must be open on both the VirtualCenter host and the target server. The Guided Consolidation service must be run as a user with VirtualCenter Administrator privileges, as well as with the necessary Windows privileges to query Active Directory for servers in the environment. In addition, administrator credentials are required for each target system to be analyzed, so that performance data can be collected from them. You can enter a default set of target system credentials and override this default for individual target systems that might deviate from the default.
The Guided Consolidation service relies on Converter to import target servers, so all recommendations for Converter apply to Guided Consolidation as well. It is recommended that you not use Guided Consolidation in higher-security environments.
General Considerations
With any add-on component, observe the following:
Harden and lock down the server on which the component is installed according to the industry best practices for the host's operating system.
These components often require you to provide credentials of a user account with full VMware Infrastructure administrator privileges. To reduce exposure and have a way of restricting access in case a problem is found, create a unique account for each component. Then, if a vulnerability or other problem is discovered, you can reduce or eliminate privileges on that account until the situation is resolved. Do not provide the credentials of the VirtualCenter host's Administrator account or of an actual user.
These components usually have their own log files. Table 13 shows the log files for the components that are bundled with VirtualCenter:
Table 13. Paths to Log Files for Bundled VirtualCenter Components
Component          Default path to file
Client Components
The recommendations in this section apply to clients that connect to VirtualCenter or ESX.
The following Linux-based clients do not validate the server's certificate when they connect:
Any Remote CLI command
Any VI Perl Toolkit script
Virtual machine console access initiated from a Linux-based Web Access browser session
Any program written using the VI SDK
The management interfaces of VirtualCenter and ESX should be available only on trusted networks, but providing encryption and certificate validation adds extra layers of defense against an attack. If you are able to mitigate against systems on the management network interposing themselves on network traffic, or can trust that such systems will not appear on the network, the use of Linux-based clients would not increase the security risk.
The integrity of client software is a common concern across all client-server platforms in which the client could be running on an insecure host, but the VI Client extensibility framework reduces the effort needed to compromise the client software. To protect against such compromises, users of the VI Client, especially those with powerful privileges, should not install any plugins that do not come from a trusted source. You can check to see which plugins are actually installed for a given VI Client by going to the menu item Plugins > Manage Plugins and clicking the Installed Plugins tab.
The Remote CLI is implemented as a series of commands written using the VI Perl Toolkit. Both Remote CLI commands and VI Perl Toolkit scripts need valid credentials in the form of a user name and password to work successfully. These credentials must be accepted on either the VirtualCenter host or the ESX host, depending on where the command is directed. Not only does the user need to be authenticated, but the user must also have sufficient privileges to execute the specific command or task.
Both of these frameworks allow you to specify passwords in plain text as command-line options, in a configuration file, or as environment variables. However, use of plain-text passwords presents a security risk, because someone could read passwords in the configuration file itself, in shell history files, in backup files, in the process list while a command given the password as an option is running, or in other ways. When running commands and scripts interactively, it is recommended that you avoid specifying the password ahead of time. The commands typically prompt you for the password, which is then not echoed to the screen when you type it. If you use this approach, you avoid having the password exist on the file system in plain text.
If you need to run commands non-interactively, for example in scripts, you should use session files. This mechanism allows you to provide your credentials once, interactively. The system then generates a file that contains an authentication token. This token does not contain any password information, and it remains valid for up to 30 minutes. The session file may be used in lieu of credentials to authenticate commands. A script that references the session file can then run non-interactively.
Because the session file authenticates any command that references it, it is important that this file itself be closely guarded during its lifetime. It should be generated only as needed, then deleted as soon as it is no longer needed. Make sure not to inadvertently allow access to this file by other users.
For more information on the use of session files, see the section Using Remote Command-Line Interfaces in the appendix of the ESX Server 3i Configuration Guide.
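The following Python wrapper is an added example (not the toolkit's or the paper's own code) of handling a session file the way this section recommends: the file is created readable by its owner only, refused once it is older than the 30-minute validity window or has become readable by others, and deleted when the script finishes, however it finishes. It assumes POSIX file permissions, takes a caller-supplied function that writes the token (the toolkit's own saver would prompt for the password once), and assumes the consuming Remote CLI command accepts the file through a --sessionfile option; the stand-in saver and command are constructed for the example.

```python
"""Added example (not the toolkit's own code): hold a Remote CLI / VI Perl
Toolkit session file only for as long as a script needs it.

Assumptions: POSIX file permissions; save_session is any callable that writes
the token to the given path; the consuming command references the file via
--sessionfile (option name assumed)."""

import os
import stat
import tempfile
import time
from contextlib import contextmanager

SESSION_LIFETIME = 30 * 60  # seconds; the token is valid for up to 30 minutes


def session_is_private(path):
    """True when no group or other permission bits are set on the file."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode & (stat.S_IRWXG | stat.S_IRWXO) == 0


def session_is_fresh(path, now=None):
    """True when the file exists and is younger than SESSION_LIFETIME."""
    if not os.path.exists(path):
        return False
    now = time.time() if now is None else now
    return now - os.path.getmtime(path) < SESSION_LIFETIME


@contextmanager
def session_file(save_session, directory=None):
    """Create a private session file via save_session(path), yield the path,
    and delete the file on exit however the block ends."""
    old_umask = os.umask(0o077)  # files created below are owner-only
    try:
        fd, path = tempfile.mkstemp(prefix="visession-", dir=directory)
        os.close(fd)
    finally:
        os.umask(old_umask)
    try:
        save_session(path)
        os.chmod(path, 0o600)  # in case the saver replaced the file
        yield path
    finally:
        if os.path.exists(path):
            os.remove(path)


def reuse_session(path, command):
    """Run command(path) against an existing session file, but only if the
    file is still private and inside its validity window."""
    if not session_is_fresh(path):
        raise RuntimeError(f"{path}: token missing or older than 30 minutes; re-authenticate")
    if not session_is_private(path):
        raise PermissionError(f"{path}: session file is readable by other users")
    return command(path)


def run_with_session(save_session, command):
    """Authenticate once, run the non-interactive work, leave no file behind."""
    with session_file(save_session) as path:
        return reuse_session(path, command)


if __name__ == "__main__":
    # Stand-ins constructed for the example: the real saver would prompt for
    # the password once and write the toolkit's token; the real command would
    # be a Remote CLI invocation referencing the file (assumed: --sessionfile).
    def fake_save(path):
        with open(path, "w") as f:
            f.write("session-token-goes-here\n")

    def fake_command(path):
        return f"would run: vicfg-ntp --sessionfile {path} --list"

    print(run_with_session(fake_save, fake_command))
```

The umask is narrowed only around file creation and restored afterwards, so the rest of the script keeps its normal behavior, and the deletion sits in a finally clause so an exception in the command does not leave a live token on disk. A scheduled job that wants to reuse a token across several commands should go through reuse_session for each one, so that a token past the 30-minute window fails cleanly instead of part-way through a batch.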
References
Accessing VMware ESX Server 3 securely using SSH and SUDO
http://www.xtravirt.com/index.php?option=com_remository&Itemid=75&func=startdown&id=10
Basic System Administration
http://www.vmware.com/pdf/vi3_35/esx_3/r35/vi3_35_25_admin_guide.pdf
Enabling Active Directory Authentication with ESX Server
http://www.vmware.com/vmtn/resources/582
Enabling Server Certificate Verification for Virtual Infrastructure Clients
http://kb.vmware.com/kb/4646606
ESX Server 3 Configuration Guide
http://www.vmware.com/pdf/vi3_35/esx_3/r35/vi3_35_25_3_server_config.pdf
ESX Server 3i Configuration Guide
http://www.vmware.com/pdf/vi3_35/esx_3i_e/r35/vi3_35_25_3i_server_config.pdf
ESX Server 3 Installation Guide
http://www.vmware.com/pdf/vi3_35/esx_3/r35/vi3_35_25_installation_guide.pdf
ESX Server 3i Embedded Setup Guide
http://www.vmware.com/pdf/vi3_35/esx_3i_e/r35/vi3_35_25_3i_setup.pdf
ESX Server 3i Installable Setup Guide
http://www.vmware.com/pdf/vi3_35/esx_3i_i/r35/vi3_35_25_3i_i_setup.pdf
GNU GRUB Manual
http://www.gnu.org/software/grub/manual/html_node/index.html
Installing and Configuring NTP on VMware ESX Server
http://kb.vmware.com/kb/1339
Red Hat Linux Security Guide, Chapter 4. Workstation Security
http://www.redhat.com/docs/manuals/linux/RHL9Manual/securityguide/chwstation.html
Replacing VirtualCenter Certificates
http://www.vmware.com/vmtn/resources/658
Sudo Main Page
http://www.gratisoft.us/sudo
Virtual Infrastructure Client cannot open Remote Console session
http://kb.vmware.com/kb/749640
VMware ESX Server: Third-Party Software in the Service Console
http://www.vmware.com/vmtn/resources/516
VMware Security Center
http://www.vmware.com/security
Acknowledgements
The author would like to thank Brad Harris, Kirk Larsen, Rob Randell, Brian Cosker Swerkske, and Petr Vandrovec for their valuable contributions.
If you have comments about this documentation, submit your feedback to: docfeedback@vmware.com
VMware, Inc. 3401 Hillview Ave., Palo Alto, CA 94304 www.vmware.com
Copyright 2008 VMware, Inc. All rights reserved. Protected by one or more of U.S. Patent Nos. 6,397,242, 6,496,847, 6,704,925, 6,711,672, 6,725,289, 6,735,601, 6,785,886,
6,789,156, 6,795,966, 6,880,022, 6,944,699, 6,961,806, 6,961,941, 7,069,413, 7,082,598, 7,089,377, 7,111,086, 7,111,145, 7,117,481, 7,149, 843, 7,155,558, 7,222,221, 7,260,815,
7,260,820, 7,269,683, 7,275,136, 7,277,998, 7,277,999, 7,278,030, 7,281,102, 7,290,253, and 7,356,679; patents pending. VMware, the VMware boxes logo and design,
Virtual SMP and VMotion are registered trademarks or trademarks of VMware, Inc. in the United States and/or other jurisdictions. All other marks and names mentioned
herein may be trademarks of their respective companies.
Revision 20080708 Item: BP-012-PRD-02-01