6 Replies Latest reply on Jul 19, 2018 4:49 AM by vXav

vSphere 6.5 Security Configuration Guide (née Hardening Guide) Release Candidate

mikefoley Apr 14, 2017 9:12 AM

Attached is the Release Candidate of the vSphere 6.5 Security Configuration Guide. Yes, it's no longer called the "Hardening Guide" because only a subset of it is actual "hardening".

I'm about to post a blog article on this release at https://blogs.vmware.com/vsphere that explains in more detail. This post is a landing spot for the guide so folks can download it. We have the GA version next week and at that time it will get uploaded to its regular home.

Please post your feedback here or as a reply to the blog. As I mentioned, I'm looking to have the GA version next Thursday (April 13th).

mike

[Update 14 April 2017] The GA of the guide is now available at Security Hardening Guides - VMware Security

Message was edited by: mikefoley

1. Re: vSphere 6.5 Security Configuration Guide (née Hardening Guide) Release Candidate

jcporsche Apr 7, 2017 8:52 PM (in response to mikefoley)

HI Mike,
What were the basis for the security config guide, did you follow some directives, guidance ?
Thanks for the time
Like Show 0 Likes(0)

Actions
2. Re: vSphere 6.5 Security Configuration Guide (née Hardening Guide) Release Candidate

mikefoley Apr 9, 2017 7:03 AM (in response to jcporsche)

The guide has been around for around a decade and Pre-dates directives such as PCI. In fact, most PCI, HIPAA & DISA type directives use this guide as the basis for their requirements. This guide would be considered "vendor best practices" or something similar.
Like Show 0 Likes(0)

Actions
3. Re: vSphere 6.5 Security Configuration Guide (née Hardening Guide) Release Candidate

goodgrief May 19, 2017 8:24 AM (in response to mikefoley)

Hi,
Applying guide settings but found a typo under heading Vulnerability Discussion for Guideline ID "VM.Enable-VGA-Only-Mode". The description is taken from the previous 3 settings "VM.disconnect-devices-serial" etc. IT starts "Ensure that no device is connected to a virtual machine if it is not required" but doesn't describe why VGA only should be used.
Thanks
Michael.
Like Show 0 Likes(0)

Actions
4. Re: vSphere 6.5 Security Configuration Guide (née Hardening Guide) Release Candidate

mikefoley May 22, 2017 7:26 AM (in response to goodgrief)

Thanks for catching this. I'll update the vulnerability discussion and it will come out in the next update of the guide.

The updated Vulnerability Discussion will be:

Many Server-class virtual machines need only a standard VGA console (typically a Unix/Linux server system). Enabling this setting removes additional unnecessary (for a server workload) functionality beyond disabling 3D.

Thanks again,

mike
Like Show 0 Likes(0)

Actions
5. Re: vSphere 6.5 Security Configuration Guide (née Hardening Guide) Release Candidate

kevinstiegler May 31, 2018 7:34 AM (in response to mikefoley)

Post hardening, what NESSUS Audit Profiles are we running against the 6.5 architecture to ensure it is meeting compliance?
Like Show 0 Likes(0)

Actions
6. Re: vSphere 6.5 Security Configuration Guide (née Hardening Guide) Release Candidate

vXav Jul 19, 2018 4:49 AM (in response to mikefoley)

Hi Mike,

In vRops 6.7 I get the "ESXi.config-ntp - NTP firewall rule is not configured" alert because the firewall of the NTP service is set to allow "ALL".

vRops 6.7 security compliance "ESXi.config-ntp - NTP firewall rule is not configured"

Though I can't find a mention to this anywhere in the security guide. Do you have some extra info about it? What's recommended and what's not?

Cheers,

[edit] By the way in the SCG the default value of Security.AccountLockFailures is set to 10. The value in a fresh ESXi 6.5 install is 5.
Like Show 0 Likes(0)

Actions

Go to original post

VMTN

vSphere 6.5 Security Configuration Guide (née Hardening Guide) Release Candidate

1. Re: vSphere 6.5 Security Configuration Guide (née Hardening Guide) Release Candidate

2. Re: vSphere 6.5 Security Configuration Guide (née Hardening Guide) Release Candidate

3. Re: vSphere 6.5 Security Configuration Guide (née Hardening Guide) Release Candidate

4. Re: vSphere 6.5 Security Configuration Guide (née Hardening Guide) Release Candidate

5. Re: vSphere 6.5 Security Configuration Guide (née Hardening Guide) Release Candidate

6. Re: vSphere 6.5 Security Configuration Guide (née Hardening Guide) Release Candidate

Actions

More Like This

Share This Page

Legend

VMware Technology

Company Information

News & Events

Community

VMware Technology

Company Information

News & Events

Community

Follow VMware