Knowledge
- Identify configuration files related to network security
- Identify virtual switch security characteristics
Skills and Abilities
- Add/Edit/Remove users/groups on an ESX Host
- Customize SSH settings for increased security
- Enable/Disable certificate checking
- Generate ESX Host certificates
- Enable ESXi lockdown mode
- Replace default certificate with CA-signed certificate
- Configure SSL timeouts
- Secure ESX Web Proxy
- Enable strong passwords and configure password policies
- Identify methods for hardening virtual machines
- Analyze logs for security-related messages
Tools
- ESX Configuration Guide
- ESXi Configuration Guide
- vSphere Command-Line Interface Installation and Scripting Guide
- Product Documentation
- vSphere Client
- vSphere CLI
- vicfg-user
- vifs
Notes
Add/Edit/Remove users/groups on an ESX Host
- You can manage this through the GUI as shown here, or by using the vicfg-user command.
Customize SSH settings for increased security
- SSH login is disabled by default for root. Log in as a regular user and use su to elevate to root privileges; never allow root access via SSH.
- If needed, you can enable root access as shown in VMware KB8375637.
Enable/Disable certificate checking
- You can follow the guide from VMware KB4646606 for enabling/disabling certificate checking.
Generate ESX Host certificates
See the section below on replacing the default certificate for guidance on generating a host certificate.
Enable ESXi lockdown mode
- Can be enabled during host addition to vCenter
- Can be set by going to Configuration -> Software -> Security Profile
- A good read on the topic of ESXi lockdown can be found here.
Replace default certificate with CA-signed certificate
- Check out this article from vm-help.com for in-depth instructions on replacing the default certificate with a CA-signed one.
Configure SSL timeouts
From the ESX Configuration Guide:
Timeout periods can be set for two types of idle connections:
- The Read Timeout setting applies to connections that have completed the SSL handshake process with port 443 of ESX.
- The Handshake Timeout setting applies to connections that have not completed the SSL handshake process with port 443 of ESX.
- Both connection timeouts are set in milliseconds. Idle connections are disconnected after the timeout period. By default, fully established SSL connections have a timeout of infinity.
Procedure:
- Log in to the service console and acquire root privileges.
- Change to the directory /etc/vmware/hostd/.
- Use a text editor to open the config.xml file.
- Enter the <readTimeoutMs> value in milliseconds. For example, to set the Read Timeout to 20 seconds, enter the following line:
  <readTimeoutMs>20000</readTimeoutMs>
- Enter the <handshakeTimeoutMs> value in milliseconds. For example, to set the Handshake Timeout to 20 seconds, enter the following line:
  <handshakeTimeoutMs>20000</handshakeTimeoutMs>
- Save your changes and close the file.
- Enter the following command to restart the vmware-hostd process:
  service mgmt-vmware restart
From the ESXi Configuration Guide:
- Use the vifs command to get a copy of the config.xml file to edit.
  - For Linux systems, use this command:
    vifs --server <hostname> --username <username> --get /host/config.xml <directory>/config.xml
  - For Windows systems, use this command:
    vifs --server <hostname> --username <username> --get /host/config.xml <directory>\config.xml
- Use a text editor to open the config.xml file.
- Enter the <readTimeoutMs> value in milliseconds. For example, to set the Read Timeout to 20 seconds, enter the following line:
  <readTimeoutMs>20000</readTimeoutMs>
- Enter the <handshakeTimeoutMs> value in milliseconds. For example, to set the Handshake Timeout to 20 seconds, enter the following line:
  <handshakeTimeoutMs>20000</handshakeTimeoutMs>
- Save your changes and close the file.
- Use the vifs command to put the edited copy of config.xml back on the ESXi host.
  - For Linux systems, use this command:
    vifs --server <hostname> --username <username> --put <directory>/config.xml /host/config.xml
  - For Windows systems, use this command:
    vifs --server <hostname> --username <username> --put <directory>\config.xml /host/config.xml
- Use the Restart Management Agents operation through the direct console to have the settings take effect.
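Both procedures above edit config.xml by hand. The following Python script is an added example (not from the configuration guides or from this page) that makes the same change to a local copy of config.xml, which fits between the vifs --get and --put steps on ESXi, and reports which timeout elements are still absent. Absence of readTimeoutMs matters most, because the documented default for fully established idle SSL connections is no timeout at all. The placement of the timeout elements under <config><vmacore><ssl> in the constructed sample is an assumption; compare it against the file fetched from your own host.

```python
"""Edit and audit the hostd SSL idle-connection timeouts in a local copy of config.xml."""
import xml.etree.ElementTree as ET

# Constructed sample of a config.xml fragment. The nesting of the timeout
# elements under <config><vmacore><ssl> is assumed for this example; the real
# file on a host is larger and should be checked before relying on this path.
SAMPLE_CONFIG_XML = """<config>
  <vmacore>
    <ssl>
      <handshakeTimeoutMs>20000</handshakeTimeoutMs>
    </ssl>
  </vmacore>
</config>
"""

TIMEOUT_TAGS = ("readTimeoutMs", "handshakeTimeoutMs")


def get_ssl_timeouts(xml_text):
    """Return the configured timeouts as {tag: milliseconds or None}.

    None means the element is absent. For readTimeoutMs that is the documented
    default: fully established idle SSL connections are never disconnected.
    """
    root = ET.fromstring(xml_text)
    timeouts = {}
    for tag in TIMEOUT_TAGS:
        element = root.find(".//" + tag)
        timeouts[tag] = int(element.text.strip()) if element is not None and element.text else None
    return timeouts


def set_ssl_timeouts(xml_text, read_ms, handshake_ms):
    """Return new XML text with both timeouts set; elements are created if absent."""
    root = ET.fromstring(xml_text)
    ssl_element = root.find(".//ssl")
    if ssl_element is None:
        raise ValueError("no <ssl> element found; refusing to guess where the timeouts belong")
    for tag, value in zip(TIMEOUT_TAGS, (read_ms, handshake_ms)):
        if not isinstance(value, int) or value <= 0:
            raise ValueError("%s must be a positive number of milliseconds" % tag)
        element = ssl_element.find(tag)
        if element is None:
            element = ET.SubElement(ssl_element, tag)
        element.text = str(value)
    return ET.tostring(root, encoding="unicode")


def unset_ssl_timeouts(xml_text):
    """Return the names of the timeout elements that are absent, i.e. left at their defaults."""
    return [tag for tag, value in get_ssl_timeouts(xml_text).items() if value is None]


if __name__ == "__main__":
    # Typical use: python set_ssl_timeouts.py <directory>/config.xml, run after
    # the vifs --get step and before the vifs --put step. Without a path the
    # constructed sample is used and nothing is written.
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path).read() if path else SAMPLE_CONFIG_XML
    print("unset before:", unset_ssl_timeouts(text))
    updated = set_ssl_timeouts(text, 20000, 20000)
    print("unset after:", unset_ssl_timeouts(updated))
    if path:
        with open(path, "w") as fh:
            fh.write(updated)
```

The script refuses to invent a location for the elements when no <ssl> element exists, and rejects zero or negative values, since a zero read timeout would not restore the "infinite" default but simply be an invalid setting. The management agents still need restarting afterwards, exactly as the guide's last step says.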
Secure ESX Web Proxy
Check the web proxy sections of both the ESX and ESXi Configuration Guides for configuring the web proxy.
Enable strong passwords and configure password policies
- For ESX, set password aging with esxcfg-auth, for example:
  esxcfg-auth --maxpassdays=90 --minpassdays=30 --passwarnage=75
- This blog article is another good read on the topic of password complexity:
  http://www.vm-help.com/esx40i/password_complexity.php
Identify methods for hardening virtual machines
The vSphere Security Hardening Guide is a great resource for this section. It is very detailed and has many options. Here are just a few from that document:
- Prevent virtual disk shrinking: rapidly inducing shrink operations from within the guest could cause a DoS attack.
- Prevent other users from viewing a remote console session (multiple viewers at a time):
  RemoteDisplay.maxConnections=1
- Disable VM-to-VM communication through VMCI.
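As an added example (not from this page or from the hardening guide itself), here is a small Python auditor for the .vmx settings behind the three items above, together with a function that corrects them. RemoteDisplay.maxConnections is the parameter named on the page; isolation.tools.diskShrink.disable, isolation.tools.diskWiper.disable and vmci0.unrestricted are the hardening guide's parameter names for the disk-shrinking and VMCI items as I know them, so treat them as assumptions to verify against your copy of the guide. The sample .vmx is constructed.

```python
"""Audit and harden a .vmx file against a few vSphere Hardening Guide settings."""

# Expected key/value pairs. RemoteDisplay.maxConnections is the parameter named
# above; the isolation.tools.* and vmci0 keys are the hardening guide's names for
# the disk-shrink and VMCI items and are assumed here rather than quoted from the page.
EXPECTED_SETTINGS = {
    "RemoteDisplay.maxConnections": "1",
    "isolation.tools.diskShrink.disable": "TRUE",
    "isolation.tools.diskWiper.disable": "TRUE",
    "vmci0.unrestricted": "FALSE",
}

# Constructed sample .vmx: the console limit is right, disk shrinking is still
# allowed, the disk-wiper key is missing entirely, and VMCI is unrestricted.
SAMPLE_VMX = """.encoding = "UTF-8"
config.version = "8"
displayName = "web01"
RemoteDisplay.maxConnections = "1"
isolation.tools.diskShrink.disable = "FALSE"
vmci0.unrestricted = "TRUE"
"""


def parse_vmx(text):
    """Parse key = "value" lines into a dict; blank lines and # comments are skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        settings[key.strip()] = value.strip().strip('"')
    return settings


def audit_vmx(text, expected=EXPECTED_SETTINGS):
    """Return (key, current, expected) for every setting that is missing or wrong.

    TRUE/FALSE comparisons are case-insensitive because .vmx files mix cases.
    """
    settings = parse_vmx(text)
    findings = []
    for key, want in expected.items():
        have = settings.get(key)
        if have is None:
            findings.append((key, "missing", want))
        elif have.upper() != want.upper():
            findings.append((key, have, want))
    return findings


def harden_vmx(text, expected=EXPECTED_SETTINGS):
    """Return .vmx text with each expected setting corrected in place or appended."""
    seen = set()
    lines = []
    for raw in text.splitlines():
        key = raw.partition("=")[0].strip()
        if key in expected:
            lines.append('%s = "%s"' % (key, expected[key]))
            seen.add(key)
        else:
            lines.append(raw)
    for key, want in expected.items():
        if key not in seen:
            lines.append('%s = "%s"' % (key, want))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for finding in audit_vmx(SAMPLE_VMX):
        print("%s: have %s, want %s" % finding)
    print("findings after hardening:", audit_vmx(harden_vmx(SAMPLE_VMX)))
```

Run the audit across every .vmx on a datastore to find drift; apply harden_vmx only to a powered-off VM's file (or make the same changes through the VM's advanced configuration parameters in the vSphere Client), since a running VM does not re-read its .vmx.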
Analyze logs for security-related messages
Some log file description here.