VMware Cloud Community
mikefoley
VMware Employee

vSphere 5.5 Update 1 Hardening Guide beta release - Please comment

Hi,

Attached is the beta release of the vSphere 5.5 Update 1 Hardening Guide.

There are 4 new additions to the guide. Please review.

1. enable-VGA-Only-Mode: Used for server VMs that don't need a graphical console, e.g. Linux web servers, Windows Core, etc.

2. disable-non-essential-3D-features: Remove 3D graphics capabilities from VMs that don't need them.

3. use-unique-roles: A new companion control to use-service-accounts. If you have multiple service accounts, then each one should have a unique role with just enough privs to accomplish its task. This is in line with least-priv operations.

4. change-sso-admin-password: A great catch. When installing Windows vCenter, you're prompted to change the password of administrator@vsphere.local. When installing the VCSA in a default manner you are not. This control reminds you to go back and do that.

The rest are formatting, spelling, clarification, etc.

I had considered removing "disable-datastore-browser" and "disable-mob". I'm holding off at the moment on those. I think they add more trouble than they protect. Feedback on these two would be GREATLY appreciated.

Your feedback is key. I really do listen! :)

The intent is for this to GA in one week. The GA of the hardening guide will be reflected in the latest updates from the VCM team as well.

mike

23 Replies
cowellja
Contributor

Hi Mike,

In the ESXi tab for enable-nfc-ssl you have "NO" listed under the "Is desired value the default?" column. But the VMware KB "Disabling SSL for NFC data traffic in vCenter Server" says that it is turned on by default in vSphere 5.5. In that case, why the discrepancy, and why is it only listed for risk profile 1? Also, is it correct that it's listed in the ESXi section, as it's configured in vCenter? (Or is the logic that it primarily affects ESXi even if it is configured elsewhere?)

Best regards,

Jason

lorengordon
Enthusiast

Hi Mike,

We're attempting to use the VCSA in the DoD space, and I previously saw KB 2047585 mentioned in the hardening guide by 'restrict-network-access', but the KB only references VCSA 5.1. Can you please verify that the KB still applies and that the steps are the same for 5.5?

mikefoley
VMware Employee

Yes, the KB still applies to 5.5. I had put in a request to have the KB updated. It has been updated internally (so GSS will have the right info). I'm not sure how long that takes to get rolled out externally.

Thanks!

mike

lorengordon
Enthusiast

Ok, thanks! I also submitted feedback on the KB asking for that clarification.

We also have been using the VMware Hardened Appliance Operations Guide. It would be nice if that guide referenced the KB, as well, or even the vSphere Hardening Guide. Or perhaps the recommendations from that guide could be incorporated into this guide. Another note on that, I'm not sure who's responsible for maintaining/updating the hardened appliance guide, but we found that it has some incomplete guidance (at least for the VCSA) in the section, "Secure Shell, Administrative Accounts, and Console Access." Adding a local account to the 'wheel' group is *not* sufficient to allow ssh access; the account also needs to be a member of the 'shellaccess' group.

http://www.vmware.com/files/pdf/techpaper/VMWare-Hardened-Appliance-Operations-Guide.pdf

-Loren

mikefoley
VMware Employee

A GREAT catch Jason! I'll fix this so it follows the KB (which was news to me. Sigh...) and I'll move this to the vCenter tab where it should be and correct the settings. It will get renamed to "verify-nfc-ssl" as it is now just an audit of the setting.

Keep them coming!

mike

mikefoley
VMware Employee

Hi Loren,

Please submit a bug report for the guide so that the right folks can get it fixed.

mike

jcwuerfl
Hot Shot

Will there ever be a VMware tool like Microsoft's Best Practice Adviser tool that will scan your VMware env. and tell you things that would be Best Practice and make it more secure?

wmarusiak
Enthusiast

Really great release Mike!

Best Regards, Wojciech https://wojcieh.net
Ravi_V
Contributor

Mike, this is an awesome document, will need to review in detail!!

GeoffN
Enthusiast

This guide is a great idea. I think you should consider removing "disable-datastore-browser" and "disable-mob", as I agree with your comment that they add more trouble than they protect. But great work on the doc.

Thanks

ScreamingSilenc

Nice guide Mike, thank you.

Please consider marking this answer "correct" or "helpful" if you found it useful.
lorengordon
Enthusiast

As a follow on, we tested the firewall rules provided in the KB2047585 with VCSA 5.5 and it broke vCenter. We researched the ports required by vCenter and found a few KBs, and it appears that the list of ports specified in the firewall.txt script may be incomplete. Unfortunately, the KBs on required ports are not especially consistent among themselves and not all of them specify port, protocol and direction, so it will take a fair bit of testing to figure out exactly which additional rules are required. Below are the discrepancies I found with the firewall.txt per KB.

missing from http://kb.vmware.com/kb/2012773 (VCSA specific):

135, 8090, 21100, 22000, 22100, 11711, 11712, 8190, 8191

missing from http://kb.vmware.com/kb/1012382 (vCenter 5.x and 5.5 from list of all VMware products):

88, 135, 161, 162, 623, 903, 8005, 8006, 8009, 8083, 8085, 8086, 8087, 8089, 60099, 8003, 2012, 2013, 2014, 7331, 11711, 11712, 12721, 49000 to 65000

missing from http://kb.vmware.com/kb/2051575 (vCenter on Windows):

88, 903, 2012, 2013, 2014, 60099, 7331, 9875-9877, 10111, 11711, 11712, 12721, 49000 to 65000, 8190, 8191, 22000, 22100, 21100

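The reconciliation Loren describes is easy to get wrong by hand because the KBs mix single ports with ranges written two different ways. As an added example (Python, not the KB's firewall.txt or any VMware tool), this expands the port tokens quoted in the post, subtracts a rule set and reports what the rules leave uncovered as collapsed ranges; RULES is a constructed stand-in, not the real KB 2047585 script.

```python
import re

_RANGE = re.compile(r"^\s*(\d+)\s*(?:-|to)\s*(\d+)\s*$")

def expand(tokens):
    """Expand '135', '9875-9877' or '49000 to 65000' into a set of port ints."""
    ports = set()
    for tok in tokens:
        m = _RANGE.match(tok)
        lo, hi = (int(m.group(1)), int(m.group(2))) if m else (int(tok), int(tok))
        if not 0 <= lo <= hi <= 65535:
            raise ValueError(f"bad port spec: {tok!r}")
        ports.update(range(lo, hi + 1))
    return ports

def collapse(ports):
    """Turn a set of ints back into sorted 'a' / 'a-b' strings for a readable report."""
    out, run = [], []
    for p in sorted(ports) + [None]:          # None flushes the last run
        if run and p is not None and p == run[-1] + 1:
            run.append(p)
            continue
        if run:
            out.append(str(run[0]) if len(run) == 1 else f"{run[0]}-{run[-1]}")
        run = [p]
    return out

def gaps(rules, sources):
    """For each named source, the ports it lists that no rule in `rules` allows."""
    allowed = expand(rules)
    return {name: collapse(expand(toks) - allowed) for name, toks in sources.items()}

# Constructed stand-in for the rules actually deployed (NOT the KB's firewall.txt).
RULES = ["22", "80", "443", "902", "8080", "8443", "9443", "10443"]

# Port numbers quoted in the post above, grouped by the KB they came from.
SOURCES = {
    "kb2012773": ["135", "8090", "21100", "22000", "22100", "11711", "11712", "8190", "8191"],
    "kb2051575": ["88", "903", "2012", "2013", "2014", "60099", "7331", "9875-9877",
                  "10111", "11711", "11712", "12721", "49000 to 65000", "8190", "8191",
                  "22000", "22100", "21100"],
}

if __name__ == "__main__":
    for name, missing in gaps(RULES, SOURCES).items():
        print(f"{name}: not covered by rules -> {', '.join(missing)}")
```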
Texiwill
Leadership

Hello,

I am working on something, just hard going after a while. Easy stuff is done, now working on the hard stuff.

Best regards,

Edward L. Haletky

VMware Communities User Moderator, VMware vExpert 2009, 2010, 2011, 2012, 2013, 2014

Author of the books 'VMWare ESX and ESXi in the Enterprise: Planning Deployment Virtualization Servers', Copyright 2011 Pearson Education. 'VMware vSphere and Virtual Infrastructure Security: Securing the Virtual Environment', Copyright 2009 Pearson Education.

Virtualization and Cloud Security Analyst: The Virtualization Practice, LLC -- vSphere Upgrade Saga -- Virtualization Security Round Table Podcast

--
Edward L. Haletky
vExpert XIV: 2009-2023,
VMTN Community Moderator
vSphere Upgrade Saga: https://www.astroarch.com/blogs
GitHub Repo: https://github.com/Texiwill
faisalrwp
Contributor

Nice work, but if it were in an interactive format it would become more helpful.

mikefoley
VMware Employee

Suggestions on how to do that are always welcome. Believe me, I don't relish editing Excel spreadsheets. I would love to find a better way to generate and produce a hardening guide.

mike
jcwuerfl
Hot Shot

Have you seen the MS Best Practice Adviser application? Something similar to that would be great! A program that will basically take a look at all of the settings and then give you what it's set at currently, then the recommended setting. Suppose it could be done via APIs, or maybe better via PowerShell, so that it's also extensible by the community.

MKguy
Virtuoso

How about some guidance regarding VMware Tools installations?

For example, keep Tools up to date (at least the security-fix updates) even when the host has not been upgraded to provide the Tools ISO yet. (Also, newer Tools versions are generally supported on older ESXi hosts, as shown in the VMware Product Interoperability Matrixes.)

Another point to reduce the possible attack surface could be removing unnecessary VMware Tools modules, of which some are not even openly exposed during the actual installation process (like BootCamp, WYSE and Unity modules):

VMware KB: Removing modules for VMware Tools during unattended install or upgrade

http://www.v-front.de/2014/02/an-analysis-of-vsphere-55-vmware-tools.html

I also asked that in a feedback thread of a hardening guide for an earlier version of vSphere, but didn't really get an answer on this, so I'll ask again:

Some VMX parameters such as "disable-unexposed-features-unity" are described as not applying to vSphere environments since they are obviously features for Workstation/Player/Fusion only. However, the guide still lists a negative functional impact of "Some automated tools and process may cease to function".

Why would non-applicable features like this have a negative impact and what exactly are these "automated tools and processes" referred to here?

The text in the Vulnerability Discussion columns of all pages seems to be cut off after a certain amount of text, e.g.:

Some VMX parameters don't apply on vSphere because VMware virtual machines work on vSphere and hosted virtualization platforms such as Workstation and Fusion. Explicitly disabling these features reduces the potential for vulnerabilities because it reduces

By capturing a hardened base operating system image (with no applications installed) in a template, you can ensure that all your virtual machines are created with a known baseline level of security. You can then use this template to create other, applicat

ESXi uses the pam_passwdqc.so plug-in to set password strength and complexity.  It is important to use passwords that are not easily guessed and that are difficult for password generators to determine.  Note, ESXi imposes no restrictions on the root passw

If you are not using products that make use of the dvfilter network API (e.g. VMSafe), the host should not be configured to send network information to a VM. If the API is enabled, an attacker might attempt to connect a VM to it, thereby potentially provi

-- http://alpacapowered.wordpress.com
mikefoley
VMware Employee

I'm fixing the cut-off text. Not sure what the heck happened there. It's going to be a real PITA to fix (cutting and pasting from the previous HG).

I hear you on the tools. I'll have to talk to that team more about that but it probably won't be for this release.

As for the negative functional impact, that's something the Tools team is looking into. At this time I can't go into further detail other than that. :(

mike

Texiwill
Leadership

Hello,

One thing to consider is that VMs do not always live on ESXi; one of the best ways to restore a VM quickly is into another hypervisor such as Fusion, Workstation, etc. If that happens and the disables for Fusion and Workstation are not there for whatever reason, you are now at risk. So including them in the VMX is a way of having a complete security context regardless of where you run. Personally, I like this, as I have found people running restores to whatever is available just to get running again.

How does this work with some backup tools I have heard of that send the data to a cloud, then back, etc.? Should not the context stay with the backup/replication target regardless of what it is running upon?

And yes, I do move my VMs for demo reasons, etc. My demos have to run as secure as they can, only way to show some things.

Best regards,
Edward L. Haletky
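The VMX controls discussed in this thread (enable-VGA-Only-Mode, disable-non-essential-3D-features, disable-unexposed-features-unity) and Edward's point that they should be present in the VMX itself so they travel with the VM suggest a small offline audit of the kind jcwuerfl asked for: current value beside the recommended one. This is an added example, not the guide's or VMware's code; the key names and desired values (svga.vgaOnly = TRUE, mks.enable3d = FALSE, isolation.tools.unity.disable = TRUE) are my reading of the guide's spreadsheet and should be checked against the released version.

```python
import re

# control id -> (VMX key, desired value). ASSUMED mapping; verify against the guide.
BASELINE = {
    "enable-VGA-Only-Mode": ("svga.vgaOnly", "TRUE"),
    "disable-non-essential-3D-features": ("mks.enable3d", "FALSE"),
    "disable-unexposed-features-unity": ("isolation.tools.unity.disable", "TRUE"),
}

# A VMX line is   key = "value"   ; lines starting with '#' are comments.
_VMX_LINE = re.compile(r'^\s*([^#=\s]+)\s*=\s*"(.*)"\s*$')

def parse_vmx(text):
    """Return {key: value} with keys lower-cased (VMX keys are case-insensitive)."""
    settings = {}
    for line in text.splitlines():
        m = _VMX_LINE.match(line)
        if m:
            settings[m.group(1).lower()] = m.group(2)
    return settings

def audit(settings, baseline=BASELINE):
    """Return {control: (status, current_value)} with status pass, fail or missing."""
    results = {}
    for control, (key, desired) in baseline.items():
        current = settings.get(key.lower())
        if current is None:
            status = "missing"   # a finding: the hosting platform's default applies
        elif current.strip().upper() == desired:   # TRUE / true / True all match
            status = "pass"
        else:
            status = "fail"
        results[control] = (status, current)
    return results

def remediation_lines(results, baseline=BASELINE):
    """VMX lines to set explicitly for every control that is not already passing."""
    return [f'{baseline[c][0]} = "{baseline[c][1]}"'
            for c, (status, _) in results.items() if status != "pass"]

# Constructed sample VMX fragment for a Linux web server VM (not a real file).
SAMPLE_VMX = """\
displayName = "web01"
svga.vgaOnly = "TRUE"
mks.enable3d = "true"
"""

if __name__ == "__main__":
    res = audit(parse_vmx(SAMPLE_VMX))
    print(res)
    print("\n".join(remediation_lines(res)))
```

An absent key is reported as missing rather than pass, since with no explicit setting the hosting platform's default applies, which is exactly the gap Edward describes when a VM is restored onto Workstation or Fusion.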